So, this year I had the opportunity to participate in Microsoft's conference BlueHatIL in Tel Aviv. It's a two-day event packed with 18 sessions and other activities; this year you could team up to build Zumo Boats in an amazing Maker Studio. Outside of that there was a CTF challenge to get into a secret room, and in there the CTF continued. All sessions got their own poster, which delegates could take home, but the posters were also part of the atmosphere in the venue, where they were put on walls and other places around the venue.
The AMDFlaws Story: Technical Deep Dive
To kick off day one, Ido Li On and Uri Farkas took us through their research on the AMD flaws: over 8 months, 7 engineers researched the platform and found 13 vulnerabilities. One of them was related to the PSP controller. As they found issues with how the firmware was signed, they were able to patch the firmware and get their code in there, and then it was more or less game over. For those of you who don't know the PSP, it's the Platform Security Processor, and it controls many things early in the boot. So, with this they could actually bypass features like Credential Guard, as they had ownership of the components underneath it. On stage they demoed a custom version of Mimikatz that was able to extract credentials from a machine running Credential Guard.
Supply Chain Security: “If I were a Nation State…”
To follow up on this intro, Andrew "bunnie" Huang had a great session on supply chain security. The session gave examples of different supply chain attacks, either by replacing components or by implanting new components in the hardware, and a very thorough walkthrough of the different techniques used to do this. Bunnie showed several x-ray pictures of how hard this can be to detect, and some are more or less impossible to spot with your bare eye.
Here is a simple example of memory cards he had analyzed, showing memory cards from the same vendor with different chips on them; some of them didn't behave as expected 😉. Possible supply chain attack from a nation state?
So, with that said, what components do you have in your equipment? Vendor approved, or nation state approved?
The hardware supply chain attack surface is huge, however the Bloomberg Supermicro story doesn't pass Occam's Razor says @bunniestudios at #BlueHatIL pic.twitter.com/O7kdaWRiQM
— Costin Raiu (@craiu) February 6, 2019
After a busy lunch with great food and some more work on the CTF, it was time to listen to Benjamin Delpy and Ulf Frisk, among others.
You (dis)liked mimikatz? Wait for kekeo
The man, the myth, the Mimikatz: Benjamin Delpy had a session on his tool Kekeo, where he showed many cool features to impersonate users and how to exploit Kerberos. Some of the exploitation included impersonating users with smartcards, changing a user's password without knowing the old password, etc. A very good session with lots of humor and good insights on his tool Kekeo and on Kerberos.
You can find the tools here: https://github.com/gentilkiwi
@gentilkiwi Pyramid of Pain at #BlueHatIL pic.twitter.com/AU872HnQK1
— EzKtana (@EzKtana) February 6, 2019
Practical Uses for Hardware-assisted Memory Visualization
As far as I am aware, I was the only Swedish delegate at BlueHatIL except for the speaker Ulf Frisk. I had a chance to sit down and talk to Ulf; it's always nice to run into other Swedish people in the security community. Over the years Ulf has built his tool PCILeech, an open source tool to read and write system memory on remote devices over PCIe. During BlueHatIL he presented some new features where you can remotely, over the network, read and write the system memory of the remote machine. Some really scary and awesome stuff.
You can read some really amazing blog posts on DMA at Ulf's blog: http://blog.frizk.net/
Keynote – Offenses in Cyber Offense
The day ended with a moderated keynote with Citizen Lab and Associated Press on some of the recent cases of cyber espionage against citizens and public persons. Also a very loaded session, with accusations flying back and forth on nation state attacks. If you want to read up more on some of the reports Citizen Lab has produced, you can find them here: https://citizenlab.ca/category/research-news/reports-briefings/. Some of their research covers the "Pegasus" spyware that an Israeli company is selling to nation states and others.
Keynote – Modern Day Hypnosis: Weaponizing Data to Influence the Public
After a brief Microsoft intro, the day two keynote started with Christopher Wylie, also known as the Cambridge Analytica whistleblower, in a moderated session on how weaponizing data can influence the public.
A session where he explained how data is used to manipulate the public, how it is used to target individuals, and how it is used to build "bubbles". Very interesting, but it became very political from time to time. A lesson I learnt here is that these bubbles are used way beyond online; they also flow down and are used to form offline influencing "bubbles".
Day 2 of #BlueHatIL is on! Take a seat by 09:30 – you don't want to miss our keynote, @chrisinsilico, Cambridge Analytica's whistleblower. pic.twitter.com/AekSA0Z3WY
— BlueHat IL (@BlueHatIL) February 7, 2019
No Code No Crime: UPnP as an Off-the-Shelf Attacker’s Toolkit
x0rz showed some of his research on UPnP: still in 2019 there are many devices out there that have UPnP exposed to the internet. An easy search on Shodan will give you thousands of devices that you can remotely control and trigger port openings on. By doing this you could make the router allow traffic into the local LAN; you could even open a port, establish your TCP/IP session and then close the port again, so when someone checks for open ports they will not see any, while a TCP session may still be going through their router without their knowledge. Most of the devices were geographically in Asia, but there were still quite a few devices in Europe. Personally I think it's very sad to see that this is still out there, as the vulnerabilities and risks around UPnP have been known for years, but it is still fascinating.
@x0rz on using UPnP to build a botnet here at #BlueHatIL #security pic.twitter.com/hU1NMDpAaD
— Stefan Schörling (@stefanschorling) February 7, 2019
PE-sieve: An Open-Source Process Scanner for Hunting and Unpacking Malware
In the session on PE-sieve, Hasherezade showed how her tool can help in malware analysis and gave some guidance on how to use it. Simply put, the tool unpacks malware, analyses changes to the system and gives you a summary of the changes and the files its
So if you are into malware analysis, you can find this great tool here: https://github.com/hasherezade/pe-sieve/
And what an impressive Maker Studio: 3D printers, laser cutting machines, tooling, printers, sewing machines, molding machines, electronics, engines etc., basically everything you needed to make an awesome custom Zumo boat to win the battle. A great activity; I saw many people team up to do 3D CAD drawings, code Arduino and build some really cool boats to win the battle.
So, to wrap it up: a great conference, great atmosphere, the preparation of everything was so cool, and yeah, finally the secret Casino Room was just so awesome! In other words, I teamed up with a guy, Yitai, and we completed the first part of the CTF, which was to gather information from some QR codes and then decrypt the code to get to a webpage where you could find the next steps in the CTF, which I unfortunately didn't have time to play more on.
Big shout out to the team that made it possible, and by the way, don't miss BlueHat in Shanghai in May! My biggest takeaway from the week is humbleness; there is still so much to learn in different areas. When talking security you just need to expect unexpected things; things you think are impossible are very often possible. I have worked over 20 years in IT and security, and to be successful I would say you need curiosity, a mind that thinks out of the box, a lot of time, and stubbornness is also a good thing to put in the mix. And at last, enjoy and have fun with what you are doing.
You can find more info on the event at www.bluehatil.com or by following and reading up on the Twitter hashtag #bluehatil, and why not watch the official aftermovie below.
That’s a wrap! If you missed it, you better rethink some of your life decisions. #BlueHatIL 2019 out. pic.twitter.com/vGPgIYiBYR
— BlueHat IL (@BlueHatIL) February 7, 2019
Cool. #BlueHat Shanghai announced! May 29-30. #BlueHatIL #BlueHatCN pic.twitter.com/tX0Y38KhdC
— Maarten Goet (@maarten_goet) February 6, 2019