Conference:  Defcon 31

Authors: Andréanne Bergeron Cybersecurity Researcher, GoSecure, Olivier Bilodeau Cybersecurity Research Director at GoSecure

2023-08-01

The Remote Desktop Protocol (RDP) is a critical attack vector used by evil threat actors including in ransomware outbreaks. To study RDP attacks, we created PyRDP, an open-source RDP interception tool with unmatched capabilities which helped us collect more than 100 hours of video footage of attackers in action. To describe attackers’ behaviors, we characterized the various archetypes of threat actors in groups based on their traits through a Dungeon & Dragons analogy: 1) the Bards making obtuse search or watch unholy videos;2) the Rangers stealthily explore computers and perform reconnaissance; 3) the Thieves try to monetize the RDP access; 4)the Barbarians use a large array of tools to brute-force their way into more computers; and 5) the Wizardsuse their RDP access as a magic portal to cloak their origins. Throughout, we will reveal the attackers’ weaponry and show video recordings of interesting characters in action. This presentation demonstrates the tremendous capability in RDP interception for research benefitsand blue teams: extensive documentation of opportunistic attackers’ tradecraft. An engineer and a crime data scientist partner to deliver an epic story that includes luring, understanding and characterizing attackers which allows to collectively focus our attention on the more sophisticated threats.

Conference:  Black Hat Asia 2023

Authors: Vlad Babkin, Nate Warfield

2023-05-11

The global IT supply chain is under a heavy spotlight, amidst covid-impacted production shortages, work-from-home policies, geopolitical tensions, and an overall re-balkanization of technology design and production. The 2020 SolarWinds attacks brought the real-world risk of a supply chain attack to the forefront. More commonly overlooked, however, is the risk posed by enterprise devices and the firmware which controls them. These systems exist in highly privileged areas of the computing industry, and due to both their mission criticality and difficulty in patching are mostly forgotten - but not to attackers. We'll reveal new research which began with a ransomware group and ended with a significant coordinated disclosure effort to remediate vulnerabilities discovered at the top of the firmware supply chain. The vulnerabilities we found are in an industry-standard management API, easily exploitable but well-hidden, and it took a data exposure before they were discovered. The access afforded by the exploitation of these flaws can provide an attacker with permanent administrative access to millions of servers worldwide. We will discuss how low-level attacks, once relegated only to nation-states, are being added to the arsenal of cybercriminals and ransomware groups. The talk will also highlight the challenges posed to organizations in assessing their firmware risk and the importance of accountability for the modern technology supply chain.Please note that this will be a remote (virtual) presentation.