Security

Visiting The Bear Den

A Journey in the Land of (Cyber-)Espionage
Saal 6
Jessy Campos
Sednit, a.k.a Fancy Bear/APT28/Sofacy, is a group of attackers operating since at least 2004 and whose main objective is to steal confidential information from specific targets. Over the past two years, this group's activity increased significantly, in particular with numerous attacks against foreign affairs ministries and embassies all over the world. They are supposedly behind the DNC hack, and the WADA hack, which happened earlier this year. This talk presents the results of a two-year hunt after Sednit, during which we dug up and analyzed many of their software.
Technically speaking, Sednit is probably one of the best espionage group out there. Not only have they created a complex software ecosystem -- composed of tens of different components --, but they also regularly come out with 0-day exploits. Also remarkable is their ability to very quickly integrate newly published techniques in their toolkit. In particular, we will explain how they tend to operate and we will dive into technical details of their most impressive components: - DOWNDELPH, a mysterious downloader deployed in very rare cases and with advanced persistence methods. In particular, we found a Windows bootkit dropping this component, and also a Windows rootkit, both never documented. - XTUNNEL, a network proxy tool able to transform an infected machine into a pivot to contact computers normally unreachable from the Internet. Heavily obfuscated, and based on a custom encrypted protocol, XTUNNEL is a major asset in Sednit post-infection toolkit. - XAGENT, the flagship Sednit backdoor, for which Windows, Linux and iOS versions have been developed. Built as a modular framework around a so-called "kernel", it allows to build flexible backdoors with, for example, the ability to switch between various network protocols. - SEDKIT, a full-fledged exploit-kit, which depending on the target's configuration may drop 0-day exploits or revamped exploits. And also, during our tracking, we also gained a great visibility on Sednit post-infection modus operandi, a world full of Mimikatz and various custom hacking tools.

Additional information

Type lecture
Language English

More sessions

12/27/16
Security
Martin Schmiedecker
Saal 6
Certificate transparency - what is it, and what can be done with it?
12/27/16
Security
Saal G
Hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are executing. In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. Beyond classical cache-based side-channel attacks, we demonstrate how to perform cache attacks without a single memory access, as well as ...
12/27/16
Security
Yannay Livneh
Saal 6
PHP-7 is a new version of the most prevalent server-side language in use today. Like previous version, this version is also vulnerable to memory corruptions. However, the language has gone through extensive changes and none of previous exploitation techniques are relevant. In this talk, we explore the new memory internals of the language from exploiters and vulnerability researchers point of view. We will explain newly found vulnerabilities in the 'unserialize' mechanism of the language and ...
12/27/16
Security
Chris Gerlinsky
Saal 2
Follow the steps taken to crack a conditional access and scrambling system used in millions of TV set-top-boxes across North America. From circuit board to chemical decapsulation, optical ROM extraction, glitching, and reverse engineering custom hardware cryptographic features. This talk describes the techniques used to breach the security of satellite and cable TV systems that have remained secure after 15+ years in use.
12/27/16
Security
Trammell Hudson
Saal 1
Heads is an open source custom firmware and OS configuration for laptops and servers that aims to provide slightly better physical security and protection for data on the system. Unlike Tails, which aims to be a stateless OS that leaves no trace on the computer of its presence, Heads is intended for the case where you need to store data and state on the computer. It targets specific models of commodity hardware and takes advantage of lessons learned from several years of vulnerability research. ...
12/27/16
Security
Mathy Vanhoef
Saal 6
We analyze the generation and management of WPA2 group keys. These keys protect broadcast and multicast Wi-Fi traffic. We discovered several issues and illustrate their importance by decrypting all group (and unicast) traffic of a typical Wi-Fi network.
12/27/16
Security
Sebastian Schinzel
Saal 2
We present DROWN, a novel cross-protocol attack on TLS that uses a server supporting SSLv2 as an oracle to decrypt modern TLS connections. Using Internet-wide scans, we find that 33% of all HTTPS servers are vulnerable to this protocol-level attack.