Bsides Munich 2023

Fahri Korkmaz
17 min readOct 25, 2023

--

I recently had the pleasure of attending the Bsides Munich conference this year (2023). It is an independently organized security event in Munich, Germany. Security Bsides events are community-driven conferences, which are hosted all over the world. So there might be one near to your place of living!

Got some gifts :p

The event started on 14/10/2023 with workshops and ended on 15/10/2023 with the conference containing the talks. The workshops were hosted at Munich University of Applied Sciences and the conference took place at The Westin Grand Munich. Unfortunately, I was not able to attend the workshops, but I know that Claudia Ully from NVISO did a very interesting workshop on Mobile Penetration Testing, which was called “The Hitchhacker’s Guide to the Mobile Galaxy”. I really would have loved to participate in that workshop, because I’d also like to expand my Penetration Testing knowledge on Mobile Apps. However, I am pretty sure there will be an opportunity to attend Claudia’s workshop anytime soon.

The conference started with a single keynote by Dr. Mario Heiderich and continued with at least two talks in parallel. The conference ended with a closing keynote by Ana Oprea. You can get the full agenda and the slides of the talks here. Furthermore, during the conference, there was also a hardware village, but unfortunately, I did not have the time to attend it :| Also, there were free snacks in the morning and lunch in the afternoon. The event organizers are listed on their web page. There were multiple organizations sponsoring the event, including NVISO, MED-EL, etc.

Some snacks during the conference

Talks

There were a lot of amazing talks, I basically was listening to talks all day long. There were also other great talks, which unfortunately I could not attend — sometimes you just wish to have more than 24 hours per day :| However, Lisi attended other talks, which I did not, and made a blog post about it, including her notes, which are really beautiful! She also attended the Workshop Day and shared her experience. You should definitely check her out.

In this section of the article, I’d like to share notes, which I have taken during the talks. I’ll also share what I liked and disliked about the talks.

The Seven Sins. And Virtues. Of IT Security. And how they affect our world.

The day started with none other than the cyber-high-priest himself, Dr. Mario Heiderich from Cure53. His talk was themed based on religion, which he also apologized for. However, I think that was not really necessary, as the theming made it unique, and nice to listen to and understand.

He mapped the seven sins, Lust, Gluttony, Greed, Sloth, Wrath, Envy, and pride, as well as the seven virtues, chastity, temperance, charity, diligence, patience, kindness, and humility to cyber security.

The sins

Lust in cyber security for him means that someone has the desire to access and control data, e.g. by unethically exploiting systems. Examples of the sin of gluttony would be the hoarding of a lot of data or over-consumption of resources. Also not spending money where it is needed results in that sin. In the case of greed, someone tries to achieve more profit at the expense of other things. This happens a lot in cyber, for example when managers cut security budgets. But another interesting habit, that results in this sin, is when just classic checkbox pentesting is done — just to say “We have done a pentest”, which shows that actual security is not a priority.

If you’re lazy or lack due diligence in maintaining systems, then you committed another sin: Sloth. Every time uncontrolled anger is faced, this means the sin of Wrath is committed, such behavior is observed in Hackbacks and other destructive actions with IT. Envy or jealousy is seen in Cyber in the case of industrial espionage, or just thinking that you are not an interesting target. The sin of pride gets committed, if you have a big ego and overconfidence in your security posture.

The virtues

You achieve the virtue of Chastity if you use tech and data in an ethical and responsible manner. Temperance can be achieved in a balanced approach to technology adoption. You achieve Charity by creating and sharing secure code. If you want to achieve Diligence then you should stay up-to-date with the latest security threats and defenses.

I think the next virtue is very important: Patience. Security of organizations is everyone’s job, not just the job of security professionals. Security is always depending on the weakest link — that’s often the human factor. I’ve worked in Blue Teaming, and it is always the same: Only because someone clicked on a phishing link, security folks (SOC Analysts, IT Admins, Incident Responders, etc.) assume the victim is dumb. But it is not like that. Social Engineering victims become victims because they are human! So always be patient with users and expect them to make mistakes. I would even say, that if an organization gets ransomwared because the adversary gained an initial foothold via Phishing, then that’s mainly the security folks' fault. Because there are much more points of failure, that got triggered before the objective of the ransomware operators has been achieved. And most of the time until objectives are achieved, there are many possibilities to catch and stop the adversary. It is always important to pursue a defense-in-depth approach. My philosophy is: I will blame myself first, before blaming others.

If you achieve patience you will have it easy to achieve kindness, by treating your users with respect. And also take your ego and kick it out of the door, so you can achieve humility.

By taking small steps towards the virtues and away from the sins, you will be able to achieve greater security and be a better security professional. But also keep in mind, that it is only possible to build security together.

(In)direct Syscalls: A journey from high to low

This talk was done by Daniel Feichter (Founder RedOps) and you can find him on Social Media via the handle @VirtualAllocEx. BTW: RedOps has an awesome knowledge base, where you can find more content by Daniel. Furthermore, the contents of the talk can be found in Daniel’s GitHub Repository. I really liked that talk because it was very technical and extremely relevant for any Red Teamer out there.

A normal program, e.g. your browser, executes in user space. However, sometimes these programs need access to lower-level functionality, for example, to save files on the disk. User Space programs can’t directly access low-level functionality. They have to do it via a syscall to switch to the kernel space. Each syscall has its unique ID, which is retrieved through NTDLL and is a process to get temporary privileged access. Syscalls are very interesting for Red Teamers, especially to execute shellcode with higher privileges or to dump credentials from lsass.exe.

Because syscalls can be used for malicious purposes they are heavily monitored through EDRs by hooking them. The following hooking techniques are used: SSDT Hooking, Inline API hooking, and Import Address Table Hooking. Often inline hooks are used in NTDLL, however other DLLs, such as Win32.dll, get hooked by EDR. Still, it is not possible for EDRs to hook everything, because it will result in performance issues, that’s why EDR hooking mainly targets API calls, such as NtAllocMemory. You can identify hooks with a debugger because hooks contain unconditional jump instructions.

The talk introduced 4 types of loaders that can bypass security measures depending on the use of hooking. In the following, we will look into them.

Win32-API Loader

This loader mainly uses the Windows API. First of all, you declare your shellcode, which will be executed later in a new thread. After that, the calling process will allocate memory with VirtualAlloc. The shellcode gets copied over to the newly allocated memory. Finally, a new thread gets created, which executes the shellcode. When the execution is finished the main thread will finish.

Native-API Loader

This loader doesn’t use the high-level API calls from the Windows API, but instead uses the Native APIs, which is considered medium level. It is done by directly accessing the Native APIs in ntdll.dll.

First of all, because these headers can’t be directly accessed, it is necessary to manually define the structure of the functions and manually load them. Afterwards, they can be used to execute the shellcode, by using NtWriteVirtualMemory, to allocate memory for the shellcode and NtCreateThreadEx to execute the shellcode.

Direct Syscall Loader

This low-level method directly uses syscalls without accessing NTDLL. The syscall stub is in the .text section of the assembly and the pointer to functions have to be defined manually. From there the malware will use NtAllocateVirtualMemory, NtWriteVirtualMemory, and NtCreateThreadEx to finally execute the payload. Even though you will bypass user-mode hooks in ntdll.dll, EDRs will most likely still catch you, because they use Event Tracing for Windows. This sequence uses very odd return addresses, which can be fixed via indirect syscalls.

Indirect Syscall Loader

This method will execute the syscalls in memory of ntdll.dll. In order to do that, first the malware has to retrieve a handle to ntdll.dll. After that, it gets the start address of the Native APIs inside ntdll.dll. When adding the appropriate offset to the Native API pointer, it is possible to get the memory address of the syscall instruction. Which can be used to execute the syscall and run the payload.

With indirect syscalls, it is possible to bypass user-mode hooks and checks based on Windows Event Tracing because the call stack is much more legitimate. But they can still be detected, because the entire call stack has to be spoofed, not such the syscalls. This can be done with Obfuscation/Encryption of functions, and import tables, as well as through thread call stack spoofing, which was recently introduced in a Defcon talk by Alessandro Magnosi.

Cracking the chaos ransomware family

This talk was done by Alexander Andersson from Truesec. You can watch the full talk on YouTube.

On the Darknet Forum “XSS”, this malware was first released with a GitHub link containing the source code. The authors claimed it to be ransomware, however, the encryption was implemented in Version 2, and in previous versions, it was just a Wiperware. This ransomware has been deployed in a steel plant in Ukraine but is also used by people trying to get Roblox money in exchange for the decryption keys. Alexander said in his talk, that cyber attacks that use this malware, range from kids playing around to cyber war. However, maybe threat actors use Roblox because they can easily launder money with the game?

The problem with the ransomware family is that they use the normal random function from C# to generate a seed for the encryption algorithm. However, this is not secure if your security relies on true randomness. Furthermore, the ransomware uses weak cryptographic modes, which makes them vulnerable to plaintext attacks. Based on these findings Truesec was able to create decryptors, which can be downloaded from their GitHub Repository. However keep in mind, that some variants of the malware have a persistence mechanism, so you should remove that before running the decryptor because otherwise your files will get encrypted again.

This is a really inspiring story. Truesec had exposure to this malware because they investigated an incident. During that incident, they were able to create a decryptor in 1.5 weeks, which is really amazing! Imagine being the victim and a cyber security company that comes to help you is able to fully recover your files by cracking the ransomware — that’s really cool!

Let me do it for you — Automating OSINT and Recon

This talk was done by Paul Zenker, you can find him on Twitter through the handle @Secbyaccident.

The talk focused on tools you can use during OSINT which help you to automate the time-consuming task of collecting intelligence. The OSINT cycle starts with publicly accessible information, such as from the Internet. That data has to be collected, then cleaned, and finally stored. Afterward, you can play with the data during the data presentation phase and extract useful intelligence.

Python Libraries

Useful Python libraries are requests , shodan , and regex . If you want to automate Google dorking, you should try out DuckDuckGo, as it has a Python library duckduckgo_search and is basically like Google dorking but on steroids. Furthermore, you can create bots as Python has libraries to communicate with the Discord or Slack API. This is also pretty useful for Bug Bounty hunting, for example, to start a DNS enumeration on a program. If you prefer to build your own API, then Paul recommended using Flask. However, I would recommend you use FastAPI , which makes building Rest APIs easy and creates swagger documentation automatically. In case you have to parse data from HTML, then use Beautifulsoup, or Selenium, if it is a Single Page application, that gets built via JavaScript.

Data Storage

For storing data, you can use SQL databases such as MongoDB or NoSQL ones such as MongoDB. However, some data is best represented in graph format, for example, social networks. In that case, it is recommended to use a graph database, such as Neo4J. For time series data, InfluxDB can be used. If you want to build dashboards on top of your data, then use Grafana. If you just need a fast key-value store, then use Redis.

Deployment

Your programs can be deployed in the cloud, for example by utilizing Docker. In order to manage your docker instances, you can use Portainer. Also, a lot of database providers have a free tier. You might also use Cloud services, such as AWS or Azure, but keep in mind, that it might push you towards poverty if you configure it wrong :)

Artificial Intelligence

Paul also mentioned artificial intelligence. ChatGPT can be used to assist you during coding. There are also other free language models at Huggingface. I’d also would like to add, that ChatGPT is perfectly suited for building regular expressions. Also, I’d like to add that GPT-4 has the ability to extract certain information from unstructured data, such as text, and transform it into machine-readable format. It can also map certain things to more standardized definitions. For example attack techniques to the MITRE ATT&CK framework.

OSINT Tools

Paul also mentioned cool OSINT Tools: Spiderfoot, ProjectDiscovery, n8n, Apache Airflow, BabyAGI, LangChain, Maltego, Netlas.io, search.t0.rocks, start.me, TomNomNom, Cipher387, and the GitHub Repository “Awesome selfhosted”.

I think Paul's talk was very valuable in regard, to getting to know certain tools. But it would be also nice if he had talked about use cases that chain these tools to reach a certain objective. I’ve already given him the feedback, and he will include this next time.

Bio-Lock: The future and ethics around DNA Cryptography

This talk was done by a rockstar speaker: Tayla Micael Sellschop. You can reach out to her via LinkedIn or Email (tayla@telspace.co.za). She has an awesome and entertaining way of presenting. It was hard to believe to me, when she said, that this was her first talk. And I also think this was the most unique talk on Bsides. It is a very interesting and young area of research (the first paper is from 2017), which seems promising for the future. In the future, when quantum computers are available, it won’t be possible to use our current cryptographic methods, which rely on elliptic-curve cryptography. Hence new cryptography methodologies have to be researched, that are secure against the computing power of quantum computers. That’s also why I really enjoyed the talk.

DNA is a long chain of molecules consisting of Adenine, Thymidine, Guanine, and Cydosine. DNA is millions of years old and has been used to store information about us humans. It can be used to encrypt data through a DNA sequence and can hold a lot of data, which makes it also suitable for storage: One gram of DNA can hold up to 108 TB of data.

The researchers have implemented the encryption library with Java. The Bio Java implementation uses several more steps of a substitution cipher. DNA can be used both for symmetric and asymmetric encryption. However, it also has some flaws. Research on DNA encryption is lacking and is incredibly expensive because specialized skills (Biology, Computer Science, Cryptography) and laboratories are required.

Furthermore, DNA has the problem that it can be changed through certain diseases, such as cancer, hepatitis, or HIV. Furthermore, identical twins have the same DNA, which makes it less practical for cryptography and storage.

Also, there are some ethical issues. What if our DNA gets leaked in a breach? What if companies sell our DNA for financial gain and advertising? On the other hand, our DNA is everywhere…

Rooting the Cradlepoint IBR600 and other Stories

The research from this talk is from Sebastien (Email: vegantransistor@mailbox.org) and Dawin (Twitter), while Sebastien has performed the talk at Bsides Munich. During the talk, they describe how they perform research on the Cradlepoint IBR600 router.

The Cradlepoint IBR600 router has an in-build WiFi, LTE, and Modem, which allows for LAN & WAN connection. Furthermore, it has a web server running as well as connected to a Cloud Service (Netcloud) for device management purposes, hence having a wide attack surface.

Previous related work was able to find hardcoded passwords, a privilege escalation vulnerability because of a backdoor account, as well as passwords that were encrypted by using a hardcoded key.

If you want to hack IoT devices, you have to look out for a UART interface. UART stands for Universal Asynchronous Receiver/Transmitter. It’s a hardware communication protocol used for serial communication between devices. Most of the time developers use UART for debugging purposes. In case of hardware hacking it is also very useful to get access to firmware. Furthermore, the device uses uboot as a boot loader, which is typical for embedded devices. Also, no secure boot was configured, so the researchers could modify environment variables, which helped them in further research. What was very unique for that device, is that they used a Python script for their middleware. The researchers have continued their research on the Python code.

The code was in bytecode, however, it can be easily decompiled to actual Python code. That script contained a function to enable silent mode during the boot process. Furthermore, there was also a custom, limited shell implementation with Python, called cpshell. The goal of the researchers was to patch the firmware to enable a root shell. They loaded an openWRT live image into the device in order to flash the manipulated firmware and get a root shell after reboot.

The next vulnerability that exploded was an insecure way of updating the firmware. Normally the firmware is encrypted, but the decryption key was on the root file system. So the researchers could recover the key. Furthermore, signature verification was skipped for versions below 7.0.0. Hence secure boot was completely broken because the version number can be specified by an attacker to load a malicious firmware on the device.

Next, they researched the cloud communication. The communication was encrypted with TLS. However as the researchers already had root access to the device, they could add a malicious Root CA to the trusted store, which enabled them to sniff the network communications with mitmproxy.

In the communication, they could spot a Base64 encoded string, which contained a pickled stream. Pickle is a serialization library for Python, which is not secure and can be exploited for RCE, as long as you control the data stream — which the researchers did.

Furthermore, they could also find a registration vulnerability, which could allow a malicious actor to disconnect any device. The Python code had a function called insecure_activation() . This function was used to activate devices based on MAC addresses. An attacker could just use the MAC address of another device to connect to Netcloud, which disconnects the legitimate device.

You can find the full research on GitHub.

Christmas Hancitor Campaign

Do you know what would be nice? Detecting a cyber-attack before it even happens! In this talk, Artem Artemov from Group-IB described an incident where they could prevent further damage to an organization by locating the Command and Control server just in time.

It started with a post on a DarkNet Forum, where a criminal tried to sell a SOCKS5 Backconnect Module. The analysts identified the systems via Shodan search. They could gain access to the admin panel of SystemBC, where they were able to identify victims. One of the victims was a Belgium company, hence they alerted the Belgium CERT, which started the incident response process.

During incident response, they were able to identify, that the threat actor is currently in the stage of lateral movement. The threat actor has already mapped the network and dumbed credentials, including admin credentials. They also tried to get insides into the network traffic with WinPcap. The treat actor started their actions on objective during the holiday season. First, they tried to remove the backups — which failed. Because of that, the threat actor sold their access on a DarkNet forum.

The second threat actor used Cobalt Strike for command and control. Because the C2 server was already known, it got blocked and the analysts could attribute the second threat actor to CUBA/Mlock ransomware operators.

This is a story where threat intelligence was really shining and helped shift the incident response process from investigating an attack to preventing an attack. Very inspiring story! If you want to read more about it, Group-IB has also published a blog post on it.

Honeypot Boo Boo: Better Breach Detection with Deception Inception

This was a very interesting approach to detecting an adversary. The talk was done by Security Philosopher, Justin Varner. You can reach out to him via Email (justin@radzen.io) and get further information via this website.

The goal is to set up honeytraps where an attacker might use them, which will trigger an alert and help detect the adversary with less alert fatigue — as someone who has worked in a SOC, I can for sure say that’s a real thing and I am grateful for any approach that helps to address that problem. In traditional Security Monitoring, you will monitor every endpoint and the network for malicious activity. This creates a lot of alerts and stress for SOC Analysts, why this role has a high rate of burnout and fluctuation. So it is necessary to make a low volume of high-fidelity alerts, where honeytraps are perfectly suitable. This helps to reduce the mean time to detect.

An example of a honeytoken would be an API token for example to AWS. This token won’t be used by anyone. If an attacker stumbles across the token, they will probably use it. When used an alert will be triggered. Other forms of tokens could be for Slack, GitHub, etc.

Another example is honeypots, for example, one that emulates a domain controller. Another one is by using domain names as honeytraps, so as to get alerted when they get queried. Web redirect tokens will redirect the attacker to a legitimate website, but will grab metadata, such as the user agent, source IP, etc. in the process before redirecting. Which might help attribute an adversary.

A very interesting way of using honeytokens is via a Wireguard VPN token, which will be placed on your phone. When an attacker uses that VPN, then you know that your phone got pwned. You can create such a token through https://canarytokens.org/generate for free.

Another interesting approach to active defense is by playing mind games. You can for example create a lot of database servers, that sound interesting but contain useless information, which frustrates the attacker. You can use LimaCharlie, which is a security automation platform, to send canary alerts and investigate them with it.

From a Red Teamers perspective, it is hard to detect such traps. You could look out for obvious patterns, or credentials/tokens that are known for certain honeytrap vendors.

Security by Design

In an interconnected world, it is very important to enable security by default. But how can it be achieved? Ana Oprea’s talk goes into the details of Security by Design.

First of all security risks should be managed accordingly. Start with proper risk assessment. Be sure, that you might be a target and begin implementing the basics of security. Never underestimate your adversary and they aren’t always afraid of being caught. Furthermore implement security design strategies with the least privilege, for example by using Zero Trust.

If you want to design for least privilege, start with auditing and detecting flaws. You should review all access logs and justifications to ensure that they are appropriate for your organizational needs. But keep in mind that auditors might miss context and/or objectives.

Furthermore, shifts security and reliability to the left side. They are central elements in the architecture of systems.

Ana also mentioned some resources for further reading: “The Site Reliability Workbook”, “Site Reliability Engineering”, and “Building Secure & Reliable Systems”.

Conclusion

I hope next time I will also be able to attend the workshops because there were really interesting ones. Nevertheless, I had a lot of fun during the talks. Most of them were done by very entertaining speakers, and there were very unique ones, as well as very technical ones, which I really appreciate! It was also an awesome event to network with like-minded folks. Even though it was a local event, it was still very international. People attended from the U.S., Turkey, Russia, Switzerland, Austria, and South Africa!

--

--