Blackhat USA 2013 Day 2

Blackhat 2013 day 2 brought 0day, a sad remembrance of young researcher Barnaby Jack, and ICS/SCADA security vulnerabilities and review.

Highlights of day 2 included a mind-blowing talk from Mateusz “j00ru” Jurczyk and Gynvael Coldwind, further exploring kernel-level double fetch vulnerabilities, a class of race condition that has attracted research interest since at least 2008. It is interesting stuff: buffer overflow code is particularly well audited, but race conditions simply are not. A double fetch occurs when the kernel reads the same user-controlled value twice during a single system call (once to validate it, once to use it) while user-mode code races to change it in between, so the value that passed the check is not the value that gets used. Races like these enable EoP exploitation and other severe attacks. The two developed the Bochspwn framework, which instruments the operating system at the CPU level (it is built on the Bochs emulator) to locate such repeated-access patterns in user memory, and they have been cranking out substantial findings in the Windows and Linux kernels since. They dropped Windows 8 0day (already reported to Microsoft) along with yet more discoveries, and released the Bochspwn project code during their talk, “Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns”. It is interesting that the FreeBSD code they examined had been audited before and thus does not contain these bugs, while Linux and Windows keep turning up related issues.
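To make the bug class concrete, here is an added example (not code from the talk, from Bochspwn, or from any kernel) modelling a double fetch in plain C. The "kernel" handler, the `struct user_req` layout, the `fetch_len()` accessor, the attacker model that rewrites user memory between reads, and the `access_log` that records which user addresses a handler touched are all constructed for this illustration. The log mimics the idea behind Bochspwn in miniature: a user address read twice within one handler run is a candidate double fetch. The vulnerable handler validates the length on the first read but copies with the second; the fixed handler copies the length into kernel-owned storage once and checks that copy. Instead of actually smashing `kbuf`, the vulnerable path returns -2 at the point where a real kernel would overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE 64
#define MAX_LOG   32

/* Model of a request living in user memory. In a real kernel the attacker
 * owns this memory and can rewrite it from another thread at any moment. */
struct user_req {
    size_t len;
    char   data[256];
};

/* Constructed, Bochspwn-style access log: every read of user memory made by
 * the "kernel" handler is recorded by address. The real tool gathers this
 * from CPU-level instrumentation; here the accessor records it by hand. */
static uintptr_t access_log[MAX_LOG];
static int       access_count;

/* Attacker model (assumed): when active, user memory is changed right after
 * the first read, i.e. the attacker's thread wins the race window. */
static int    attacker_active;
static size_t attacker_value;

static size_t fetch_len(struct user_req *u)
{
    size_t v = u->len;
    if (access_count < MAX_LOG)
        access_log[access_count++] = (uintptr_t)&u->len;
    if (attacker_active && access_count == 1)
        u->len = attacker_value;      /* value flips between fetch #1 and #2 */
    return v;
}

/* Number of user addresses read more than once during the last handler run. */
static int double_fetches(void)
{
    int n = 0;
    for (int i = 0; i < access_count; i++)
        for (int j = i + 1; j < access_count; j++)
            if (access_log[i] == access_log[j]) { n++; break; }
    return n;
}

/* Vulnerable: the length is validated on fetch #1 but the copy uses fetch #2.
 * Returns bytes copied, -1 if rejected, or -2 where a real kernel would
 * already have copied past the end of kbuf. */
static int handler_vuln(struct user_req *u, char *kbuf)
{
    access_count = 0;
    if (fetch_len(u) > KBUF_SIZE)     /* fetch #1: check */
        return -1;
    size_t n = fetch_len(u);          /* fetch #2: use   */
    if (n > KBUF_SIZE)
        return -2;                    /* the stack overflow would happen here */
    memcpy(kbuf, u->data, n);
    return (int)n;
}

/* Fixed: fetch once into a kernel-owned local, then check and use that copy. */
static int handler_safe(struct user_req *u, char *kbuf)
{
    access_count = 0;
    size_t n = fetch_len(u);          /* single fetch */
    if (n > KBUF_SIZE)
        return -1;
    memcpy(kbuf, u->data, n);
    return (int)n;
}

/* Run one handler on a constructed request, with or without the racing attacker. */
static int run_case(int (*handler)(struct user_req *, char *), int attack)
{
    struct user_req req = { .len = 16 };
    char kbuf[KBUF_SIZE];
    memset(req.data, 'A', sizeof req.data);
    attacker_active = attack;
    attacker_value  = 200;            /* larger than kbuf: what the attacker wants used */
    return handler(&req, kbuf);
}

int main(void)
{
    int r = run_case(handler_vuln, 0);
    printf("vuln, no race : %d (double fetches seen: %d)\n", r, double_fetches());
    r = run_case(handler_vuln, 1);
    printf("vuln, race won: %d\n", r);
    r = run_case(handler_safe, 1);
    printf("safe, race won: %d (double fetches seen: %d)\n", r, double_fetches());
    return 0;
}
```

The access log is the part worth noticing: the vulnerable handler is flagged even when no race occurs, because the pattern (same user address, two reads, one syscall) is visible statically in the trace, which is exactly why an instrumentation approach finds these bugs that a human audit of the copy logic misses.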

They are hoping that folks can port the code to assess interesting and exotic embedded platforms and contribute to the body of work. Unfortunately, a second part of their work, Hyperpwn, presented some unexpected technical challenges in the structure of the memory regions they are most interested in, and it was not ready for primetime. Research is like that, and the talk was fantastic without it. Their work also happened to win a well deserved “Most Innovative Research” Pwnie the night before.


“SCADA Device Exploitation” highlighted a large dependency in attacking ICS environments: “it’s all about the pivot”. Meaning, ICS environments are best infiltrated from the back office and down through the reporting and control environment, historian servers and other Windows resources, potentially to the PLCs themselves. A later talk, “Compromising Industrial Environments from 40 Miles Away”, chipped away at that myth by exposing poor and insecure crypto implementations in various heavily used ICS products. In addition, present-day ICS implementations certainly do not follow the generic network maps that position PLCs buried layers down in the network; network resources are distributed, and operations and implementations are poor and messy. But the speakers had other interesting points and demos. They pointed out that OPC, a DCOM-based technology used “everywhere in the process control industry”, results in tons of open firewall ports allowing access across LANs, and that 93,793 insecure Modbus-based ICS services were listening on ports directly connected to the internet in 2012. They then demoed weaknesses in commonly used PLC devices, forcing a pump to overflow a tank while the reporting HMI claimed the devices were operating properly, in another throwback to the Stuxnet incident.

“Compromising Industrial Environments from 40 Miles Away” outlined impressive audits of several unnamed vendors’ commonly used SCADA devices, showing that the authentication and crypto schemes on these devices frequently fail to deliver on the marketing messages the vendors pitch. Broken ICS radio-link encryption can give a remote attacker access to the insecure Modbus-based devices behind it, and the speakers demoed an animated small tank explosion. They also identified remote memory corruption 0day in a remote gateway device, resulting in a system freeze, a significant problem in ICS environments where availability is everything.

Of course, Barnaby Jack’s slot “Implantable Medical Devices: Hacking Humans” was not replaced. Instead, the room was used to celebrate Jack and his work as an inspiration, a colleague, a friend and authentic hacker. The night before he was awarded the only “Pwnie for Lifetime Achievement”, “Awarded to those of us who have moved on to bigger and better things.”


Cheers to looking forward to another gathering in 2014…
