Threat Research

Hack in the Box GSEC Wrap Up

By Minh Tran | September 07, 2018

Hack in The Box (HITB) GSEC is a security conference that was held from the 27th to the 31st of August 2018 in Singapore. This was its 4th iteration, and this year it was split into two different sub-tracks: “GSec” and “CommSec.”

FortiGuard Labs papers were selected to be presented at this peer-reviewed conference, so naturally we attended the conference to present our work. This blog post summarizes and shares our thoughts about this year’s conference.

Overall Review of the Conference

Overall, the quality of the conference was high, as evidenced by the caliber of the speakers, which included such luminaries as the former Chief Information Security Officer for Twitter (Michael Coates), and a Vice President of Bank of America (Alexis Lavi). Additionally, since this is a famous security conference, you also find speakers from around the world, including from well-known security companies such as Kaspersky and F-Secure, as well as from security startups such as Crowdfense.

Likewise, the topics addressed were also well rounded and highly relevant. There were four talks on Machine Learning (yours truly included), along with many others on important emerging topics such as OT and IoT.

We briefly highlight some of the talks we found the most interesting below.

Summary of Some Interesting Talks

Deep Hooks: Monitoring Native Execution in WoW64 Applications

This talk detailed the challenges and difficulties of hooking 64-bit NTDLL (the file that contains NT kernel functions) in a WoW64 process (running Windows 32-bit applications on Windows 64-bit), particularly with API re-implementation.

More details can be found on SentinelOne’s blog.

Figure 1. Deep Hooks

KLara: Your New Friend

KLara is an interesting tool that addresses a common need of security researchers to search a large collection of samples using Yara rules. Thanks to its clever design, KLara can speed up that scanning. According to Kaspersky Lab, it can scan over 10TB worth of files in 40 minutes!

As icing on the cake, users can also receive notifications by e-mail when scan results are ready. The project is available on GitHub. 

GOD MODE UNLOCKED: Hardware Backdoors in x86 CPUs

Chris did it again with a new tool!

The author of the Sandsifter processor fuzzer (Christopher Domas) discovered a privilege escalation backdoor in Samuel 2 cores (which are used inside VIA C3 CPUs). This, of course, allows an unprivileged user to circumvent all processor security checks to escalate from ring 3 to ring 0. The stunning thing is that the exploit uses a special embedded RISC core inside a normal x86 core (CISC) to achieve those malicious ends.

The story of Sandsifter is nothing short of incredible, so we considered this presentation to be one to be the most interesting of the conference.

Figure 2. GOD MODE UNLOCKED

On a side note, this research again highlights the risk of hardware level attacks (e.g. hardware backdoors, hidden instructions, and bugs) brought to light earlier this year with the Meltdown and Spectre malware.

Fortinet’s Contributions

So as to not toot our own horn too loudly, we will only briefly summarize our two talks below.

Generic and Static Detection of Mobile Malware Using Machine Learning

Figure 3. Starting my talk on “Generic and Static Detection of Mobile Malware Using Machine Learning”

In this talk we detailed our research regarding generic and static detection of mobile malware using machine learning. Because Android is the more popular OS, our prototype focuses on Android, but it can be applied equally to the iOS platform without loss of functionality. More details can be found here.

Internet of Things: Battle of the Bots

Figure 4. Fortinet researcher Rommel Joven presenting “Internet of Things: Battle of the Bots”

Two years have passed since Mirai unleashed its wrath on the world by targeting high-profile victims. Many things have happened since then; the good (the author responsible has already been convicted), the bad (the source code was released to the public), and the not so bad (many organizations became aware of the threat and geared up their defenses for the possible next attack). The question now is, what will be the next Mirai?

Ever since the release of its source code, many cybercriminals have used, experimented with, and modified the code for their own purposes. These so-called Mirai copycats all want to a piece of the IoT pie, battling to compromise vulnerable IoT devices to grow their own army of bots in order to become Mirai’s possible heir. This research on the battle of which malware will becoming the next Mirai is focused on Mirai variants with their significant modifications, along with a genealogy of all Mirai variants identified so far. More details can be found here.

Final Thoughts

Our regular participation at conferences like Hack In The Box GSEC demonstrates that, in addition to our focus on protecting customers (certainly our top priority), we are also committed to giving back to the InfoSec community at large. The more the InfoSec community can share and collaborate, the safe we all will be.

-= FortiGuard Lion Team =-

 

 

Download our latest Global Threat Landscape Report to find out more detail about recent threat landscape trends.

Sign up for our weekly FortiGuard Threat Brief or for our FortiGuard Threat Intelligence Service.