Threat Research

Fortinet at Insomni'hack 2018

By Axelle Apvrille | March 28, 2018

This year, Fortinet was again present at Insomni'hack in Geneva, Switzerland. I am particularly proud of Fortinet's Swiss Sales & SE team, which made a great effort to adjust to a hacking conference.

A Hacker's Booth

Fortinet's booth was equipped with a flipper and a retro-gaming recalbox console. There were attractive prizes to win: an iPad and a drone. Given the crowd around Fortinet's booth, I believe this was successful at attracting hackers, and hopefully at getting interesting leads.

The retro-gaming console was actually my own, unplugged from home for the event. It was hosted on a Raspberry Pi 3, and running Recalbox, a special RPi3 distribution for retro-gaming. It is easy to install, and easy to use. We plugged in 2 8bitdo NES 30 controllers, and the user interface to configure buttons is quite user-friendly. It should have worked by Bluetooth, but for some reason, I did not manage to get it working and didn't have much time to investigate the problem, as I wanted to jump in and follow the conference talks.

Hackers competed over a special version of Space Invaders, specifically hacked for the Ph0wn CTF last November. As far as I know, the high score was above 2300, some hackers remembering old tricks from their childhood to get more points by shooting the flying saucers at the right moment ;)

Hijacking the Boot Process - Ransomware style, Raul Alvarez

Fortinet also gave 2 technical talks at the conference this year. One of those was by my colleague, Raul Alvarez, a senior malware analyst in Vancouver. He explained how the Petya ransomware infected the boot sector of computers.

First, Raul provided some background on existing partitioning systems (MBR and GPT) and where boot sectors were to be found.

Then, he explained how Petya used that for:

  1. Overwriting the MBR with own boot code.
  2. Reboots that then display a fake chkdsk and encrypt the Master File Table.
  3. Displaying a red skull image asking for ransom.

For more details, see Raul's former blog post on Petya

Ph0wn CTF Behind the Scenes - by Phil Paget and myself

On my side, I gave a feedback talk with Philippe Paget on the smart devices dedicated CTF we organized last November (Note: CTF stands for Capture The Flag in an ethical hacking contest). The first part of the talk wasn't technical, but feedback on who attended, how long it takes to create a challenge, and the issues we encountered.

In the second part, we described the Making Of of some of the challenges. Most of our challenges derived from prior research work, and we also bumped in interesting hacks or vulnerabilities while preparing them. We did a live demo of an exploit of our weather station (the demo gods were kind to us and the demo worked perfectly), and also showed a small video of competitors trying to hack a flying drone to have it take off.

CTF talks are quite common at Insomni'hack, because the conference hosts one of the largest onsite CTFs at the end of the conference. So the audience is packed with people from renowned teams such as Dragon Sector, Eat Sleep Pwn Repeat, Shellphish, and int3pids, etc.

CTF

With @PagetPhil, I participated at the CTF competition at the end of the conference. His team scored far better than mine: they ranked 11th, while I was 44th at the time I left. But my team is far smaller and we all went to sleep at 1am. (Okay, that's a lame excuse!) Nevertheless, I believe both of our teams can be proud of our results, given the number of competitors: check out the room, certainly well over 300 people!

Some write-ups for the challenge are already being published. We personally flagged a challenge named guessflag and another one on VBA macros - this is quite ironic when you know that none of us use the Office suite ;)

  • Beback: an iOS application to hack
  • VBA01: we flagged that one ;)
  • VBA02
  • VBaby
  • PHuck
  • Spoke: an interesting VPN IKEv1 challenge, based on the logs and pcap of a FortiGate!

I can’t finish this blog post without forgetting to thank my Swiss colleagues & the Insomni'hack team (Michael, Sergio, Balda, Sandra...) who welcomed us so kindly. Thanks also to the mushd00m team for keeping a seat for me at their CTF table and kindly sharing knowledge.

-- the Crypto Girl