Blackhat 2013

This year’s Blackhat 2013 conference started off with a surprisingly detailed presentation from General Keith Alexander on his recently exposed programs, including even screenshots of what looked like a Windows XP GUI that an analyst would see when examining phone call metadata.

Alexander’s keynote can be boiled down to a few points:

1. The program is built on identifying terrorist communications activity around the world and eventually tying these communications back to individuals in the US. In 2012, the program produced reports on under 500 total phone numbers in the US.
2. The communications intercept programs are under intense review, including a four-year review by the Senate that found no wrongdoing within employee activities of the program (one of the things that makes the US program different from those of other countries is the rigid accountability regime).
3. Every other country in the world has some form of legal communications intercept program.

Unfortunately, there weren’t many technical details on offer; what technical discussion there was mostly revolved around limiting NSA analysts’ access to the data. But he handled questions from the audience along with some pretty intense heckling.

Interesting talks included an examination of the new Blackberry 10 OS attack surface from Ralf Weinmann, one of the two researchers who exploited the Blackberry Torch at Pwn2Own 2011. While he was pretty impressed with their build tools, he found the combination of Adobe Air, QT and Python running on top of their new QNX OS “weird”. He discussed potential privilege escalation issues and QUIP, a so-called forensics service hidden away in the OS.

Other interesting talks included reviews of UEFI and BIOS level attacks, with bootkits and rootkits demonstrated working on Windows 8 systems. It was notable that these attacks focused on individual vendors’ firmware implementations and update handling. A team from Mitre demonstrated proofs of concept called “Flea”, “Tick” and “Flash Hopper”, attacking Dell firmware packages. The code even persisted on the system across signed BIOS updates. Impressive stuff.

The guys behind Maltego delivered a new release of their research and data visualization tool, adding collaborative features like XMPP for real-time chat and data syncing. They also put on display its integration with various reconnaissance and attack tools they call “Teeth” and “Kingfisher”, upping its offensive security capabilities. The tool can now scan and identify web services and accordingly apply brute force, SQLi and other web app attacks.

As far as I know, no 0day was publicly dropped at any of the talks this year. Coordinated disclosure seemed to be used by all the researchers that I am aware of, so far this year.
