
Post Exploitation Operations with Cloud Synchronization Services - PowerPoint PPT Presentation

  1. Post Exploitation Operations with Cloud Synchronization Services
     Jake Williams
     jwilliams@csr-group.com
     @MalwareJake

  2. Agenda
     • The problem (cloud backup/synchronization)
     • The solution (DropSmack)
     • Next steps
     • Insecure Authentication Case Study
     • Post Exploitation Activities
     • Where to go from here

  3. $whoami
     • Chief Scientist at CSRgroup
       – Incident Response/Forensics
       – Penetration Testing
       – Exploit Development
     • PhD Candidate (Computer Science)
     • Two-time winner of the DC3 Forensics Challenge
     • SANS Instructor and author
       – Malware, Cloud Forensics, Offensive Forensics

  4. Disclaimer (damn lawyers made me do it)
     • Our lawyers said to tell you:
       – Dropbox isn’t broken, and neither are their competitors’ products
       – We don’t want you to stop using them
       – You should carefully evaluate your own security posture before cancelling service, changing contracts, etc.
       – DropSmack is NOT malware, it is designed to operate in authorized penetration testing scenarios ONLY

  5. Cloud Synchronization
     • Implies more than just online backup
     • Files placed in the ‘special folders’ get replicated to all configured machines
       – This may include smartphones
       – Think cross-platform attacks ☺
     • Infecting files heading for cloud backup (like Mozy) would be neat too
       – But no command and control (C2)

  6. History of Insecurity
     • Dropbox authentication horribly broken
       – More on this later
     • Dropbox ‘no password day’
     • Dropbox Mobile file metadata in the clear
     • Other service providers aren’t getting enough research cycles to make headlines

  7. Foundational Work
     • Dark Clouds on the Horizon (2011) detailed the idea of using cloud synchronization software for covert data exfiltration
     • Frank McClain and Derek Newton (2011) researched the Dropbox database format and published the details
       – Dropbox promptly changed them
     • Ruff and Ledoux (2012) reverse engineered Dropbox software to analyze security
       – Again, Dropbox quickly changed internal details

  8. A Case Study
     • A client wants a no-holds-barred penetration test, long engagement time, completely black-box
     • No out-of-date patches on publicly facing servers, no poorly coded web portals
     • Social engineering fails due to awesomely trained employees
       – Don’t you wish that usually happened?

  9. A Case Study (2)
     • Physical security is rock solid
     • Guest wireless network is completely segmented from the production network
     • Production wireless network is properly secured

  10. Spam – the normal answer
     • Spam fails too
     • Some users actually hit our server with older browsers but we can never run a payload
     • Keep spamming just in case
       – I don’t like dogs anyway ☺

  11. Status
     • Social Engineering? Nope
     • Spam? No go
     • Web Apps? Negative
     • Vulnerable Network Services? Nein
     • Physical Security? HeT
     • Wireless? Non
     • Overall status???

  12. FAIL
     Time for Plan B…

  13. Found the CISO
     • We manage to exploit the CISO’s laptop at a local ISSA meeting
       – USB HID attack ☺
     • Surprise! Your awesome corporate firewall sucks when your user isn’t behind it
     • Now to just pivot into the internal network over the VPN connection…

  14. No VPN? WTF?
     • No VPN software on the CISO’s laptop
       – But he had confidential corporate documents
     • No evidence of USB drive use
     • How is this stuff getting on his machine?
       – You guessed it, Dropbox
       – But could have been ANY cloud synch software
       – The title of the talk might have clued you in ☺

  15. What now?
     • It stands to reason that files in the Dropbox folder came through the cloud
       – And that means Dropbox may be installed inside the corporate network
       – And it is allowed out by the firewall!
     • We just need C2 over Dropbox
       – We can already deliver files via Dropbox

  16. DropSmack is born
     • DropSmack communicates by monitoring the file synch folder for tasking files
     • It exfiltrates files using the same mechanism
     • Bonus: Many DLP applications see files placed in a Dropbox folder, especially a non-default folder, as a LOCAL FILE COPY
       – No need for encrypted rar ☺

  17. DropSmack Comms
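The tasking-file channel described on slides 16 and 17 (a command file appears in the sync folder, is consumed by something other than the sync client, and results go back the same way) leaves a trail in ordinary host file telemetry that a defender can hunt on. The Python below is an added example, not part of the talk or of the DropSmack tool. It runs three heuristics over constructed file-event records (timestamp, process, action, path): it records anything a non-client process writes into a sync folder as cloud egress rather than a local copy (the DLP blind spot the slide calls out), flags executable or macro-bearing files arriving through the folder, and flags files the sync client delivers that some other process deletes within minutes. The sync folder roots, the client process name, the telemetry line format and every sample event are assumptions constructed for the demonstration.

```python
"""Hunting for sync-folder abuse in host file telemetry (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumption: sync folder roots on the monitored host and the client binary that
# legitimately writes into each. A non-default folder (CorpShare) is included
# because the slides note DLP tends to treat those as ordinary local copies.
SYNC_ROOTS = {
    PureWindowsPath(r"C:\Users\ciso\Dropbox"): "dropbox.exe",
    PureWindowsPath(r"C:\Users\ciso\CorpShare"): "dropbox.exe",
}

# Content that should never arrive through a sync folder without review.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".vbs", ".js", ".ps1", ".bat", ".cmd", ".docm", ".xlsm"}

# Constructed telemetry, one file event per line: "<iso-timestamp> <process> <action> <path>".
# A real feed would come from EDR or file-create auditing on the endpoint.
SAMPLE_EVENTS = r"""
2013-03-14T09:00:05 Dropbox.exe CREATE C:\Users\ciso\Dropbox\Q1 budget.xlsx
2013-03-14T09:00:06 WINWORD.EXE WRITE C:\Users\ciso\Dropbox\notes.docx
2013-03-14T09:01:10 Dropbox.exe CREATE C:\Users\ciso\CorpShare\task.bin
2013-03-14T09:01:20 updater.exe DELETE C:\Users\ciso\CorpShare\task.bin
2013-03-14T09:02:00 updater.exe CREATE C:\Users\ciso\CorpShare\result.bin
2013-03-14T09:05:00 Dropbox.exe CREATE C:\Users\ciso\Dropbox\report.docm
2013-03-14T10:00:00 notepad.exe WRITE C:\Users\ciso\Documents\todo.txt
"""


@dataclass
class FileEvent:
    ts: datetime
    process: str            # lower-cased image name
    action: str             # CREATE, WRITE or DELETE
    path: PureWindowsPath


def parse_events(text):
    """Parse the constructed telemetry format into FileEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proc, action, path = line.split(maxsplit=3)   # path may contain spaces
        events.append(FileEvent(datetime.fromisoformat(ts), proc.lower(),
                                action.upper(), PureWindowsPath(path)))
    return events


def sync_root_for(path):
    """Return the sync root that contains path, or None for ordinary local files."""
    for root in SYNC_ROOTS:            # PureWindowsPath compares case-insensitively
        if root in path.parents:
            return root
    return None


def detect(events, churn_window=timedelta(minutes=5)):
    """Run the three heuristics; returns {rule_name: [path, ...]} in event order."""
    findings = defaultdict(list)
    delivered = {}                     # path -> time the sync client created it
    for ev in sorted(events, key=lambda e: e.ts):
        root = sync_root_for(ev.path)
        if root is None:
            continue
        is_client = ev.process == SYNC_ROOTS[root]
        p = str(ev.path)
        # Rule 1: executable or macro-bearing content in a sync folder, whether it
        # came down from the cloud (client wrote it) or was staged locally for upload.
        if ev.action in ("CREATE", "WRITE") and ev.path.suffix.lower() in RISKY_EXTENSIONS:
            if p not in findings["risky_drop"]:
                findings["risky_drop"].append(p)
        # Rule 2: anything a non-client process writes here will be replicated
        # off-host, so record it as cloud egress, not a local file copy.
        if not is_client and ev.action in ("CREATE", "WRITE"):
            if p not in findings["egress"]:
                findings["egress"].append(p)
        # Rule 3: tasking churn. A file the client delivered is removed by some
        # other process within minutes, the shape of a polled command file.
        if is_client and ev.action == "CREATE":
            delivered[p] = ev.ts
        elif not is_client and ev.action == "DELETE" and p in delivered:
            if ev.ts - delivered.pop(p) <= churn_window:
                findings["tasking_churn"].append(p)
    return dict(findings)


def run_sample():
    """Apply the heuristics to the constructed telemetry above."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for rule, paths in run_sample().items():
        print(rule)
        for p in paths:
            print("   ", p)
```

Rule 2 is deliberately a classification rather than an alert: a user saving a document into the folder is normal, but it is egress and should be scored by the DLP policy as such. Rules 1 and 3 are the ones worth paging on, and the churn window should be tuned to how quickly the real sync client settles files on the hosts being monitored.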

  18. DropSmack Longevity?
     • DropSmack is slow and kludgy
       – I’d prefer not to use it long term
     • Now that we have bi-directional C2, we can figure out how to get a more traditional C2 channel past the corporate firewall
       – Being able to observe results from failures always helps
       – Watch legitimate traffic leave the network from the inside

  19. DropSmack Features?
     • DropSmack implements the following commands:
       – PUT
       – GET
       – DELETE
       – EXECUTE
       – SLEEP
       – MOVE
     • We considered adding more, but this combination gets you everywhere you need to go
       – Everything else is just cake
       – But the cake is a lie!

  20. Deploying DropSmack
     • Use a file infector of your choice
       – Office macros are my favorite
       – Get victim to open by employing social engineering (or just wait)
     • You must maintain access to the original infection point to task the tool on the other side of the Dropbox service

  21. So what’s new?
     • DropSmack v1 only operated against Dropbox
     • But some victims use other synch services
     • We need a better mousetrap…

  22. DropSmack v2: a better mousetrap
     • DropSmack v2 works against:
       – Dropbox (of course)
       – Box
       – SkyDrive
       – Google Drive
       – SpiderOak
       – SugarSync
       – JustCloud (just because we can)

  23. Insecure Auth Case Study
     • When I started looking at synch applications, everything I saw was HTTPS
     • So I thought “Cool. These guys aren’t total idiots”
     • But I kept looking anyway…

  24. WTF??? Is it 1999?
     • And then I found this:
     • Which, by the way, is the default

  25. FAIL, tons of FAIL
     • Who the f%^$ cares how your files are transmitted if you auth using HTTP????
     • One facepalm isn’t enough to do this justice

  26. Refer a friend!
     • Do you hate your coworkers? Your ex? Refer them to the service and get free storage!

  27. So who is this?
     • Who produced this Big Bag of Fail™ (BBoF)?
     • This one is branded as JustCloud, a company you’ve probably never heard of
     • But they have several different brandings that are part of BackupGrid
     • The ones I looked at use the same AWESOME, secure software

  28. How did I find JustCloud?
     • I searched Google for ‘skydrive’ looking for some pictures for another presentation
     • I thought “what the hell, I’ve got nothing better to do…”

  29. Is this really news?

  30. Responsible Disclosure Fail
     • This was great! No contact info. At all…
     • But the login form is, you guessed it, HTTP

  31. Cool, it let me log in
     • Wait… I can log in with my JustCloud account?
     • Ok, maybe I’ll contact support about these issues
     • Oops, they forgot the link to actually submit a support request…
       – Are they clowning me???

  32. This isn’t only JustCloud
     • Another service called ‘ZipCloud’ uses exactly the same software (and storage backend)
     • www.thetop10bestonlinebackup.com (my ‘go to’ source for advice on all things cloud) rates JustCloud as the #1 backup service!

  33. More clowns please!

  34. Are we done with JustCloud?
     • Nope.
     • If you are sitting on the mail server and see email from JustCloud, it might just be your lucky day!

  35. Email Links
     • Ok, good. They didn’t send the password in plaintext. That’s a step in the right direction…
     • Anything else stand out?

  36. HTTP Again???
     • HTTP again? Really?
     • At least that link is only used to verify the email address I registered with.
       – Phew, we’re safe!

  37. Free Beer!
     • It actually logs you in!
       – Login link never expires, multiple-use auth token

  38. Wow. I’m speechless…
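Slides 36 and 37 describe an email login link that is served over HTTP, never expires and can be redeemed any number of times. As an added example (not code from the talk, and not from any of the services it names), here is the corrected pattern in Python: each link carries an HMAC-signed, short-lived, single-use token, and redemption rejects a tampered user, an expired link, a reused link and a plaintext (http://) link. The HMAC key, hostnames, addresses, the fixed clock and the in-memory unused-nonce set are all constructed for the demonstration; a real service keeps the nonce set in a database shared by its web nodes.

```python
"""Single-use, expiring email login links (added example; constructed values)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class LoginLinkIssuer:
    """Issues email login links that are signed, short-lived and redeemable once.

    The unused-nonce set stands in for a server-side store; in a real service it
    lives in a database shared by all web nodes, not in process memory.
    """

    def __init__(self, secret, ttl_seconds=900, now=time.time):
        self._secret = secret          # constructed server-side HMAC key
        self._ttl = ttl_seconds
        self._now = now                # injectable clock so the demo is deterministic
        self._unused = set()

    def _sign(self, user, nonce, exp):
        msg = f"{user}|{nonce}|{exp}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user, base_url="https://example.invalid/login"):
        nonce = secrets.token_urlsafe(16)
        exp = int(self._now()) + self._ttl
        self._unused.add(nonce)
        query = urlencode({"u": user, "n": nonce, "e": exp, "s": self._sign(user, nonce, exp)})
        return f"{base_url}?{query}"

    def redeem(self, url):
        """Return (True, user) on success or (False, reason) on rejection."""
        parsed = urlparse(url)
        # In production this is enforced by having no plaintext listener (plus HSTS);
        # the check here models that refusal for the demonstration.
        if parsed.scheme != "https":
            return False, "link not served over TLS"
        q = parse_qs(parsed.query)
        try:
            user, nonce, exp_str, sig = (q[k][0] for k in ("u", "n", "e", "s"))
            exp = int(exp_str)
        except (KeyError, ValueError):
            return False, "malformed"
        # Constant-time compare; also guarantees user, nonce and expiry were not altered.
        if not hmac.compare_digest(sig, self._sign(user, nonce, exp)):
            return False, "bad signature"
        if self._now() > exp:
            self._unused.discard(nonce)
            return False, "expired"
        if nonce not in self._unused:
            return False, "already used"
        self._unused.discard(nonce)     # burn the nonce: a second click fails
        return True, user


def demo():
    """Walk through the failure modes from the slides; returns each outcome by name."""
    clock = [1_363_250_000.0]          # constructed fixed epoch, advanced manually
    issuer = LoginLinkIssuer(b"constructed-server-secret", ttl_seconds=900,
                             now=lambda: clock[0])
    link = issuer.issue("alice@example.invalid")
    outcomes = {
        "first_click": issuer.redeem(link),
        "second_click": issuer.redeem(link),                          # reuse
        "tampered": issuer.redeem(link.replace("u=alice", "u=mallory")),
        "plaintext": issuer.redeem("http://" + link[len("https://"):]),
    }
    stale = issuer.issue("bob@example.invalid")
    clock[0] += 901                     # one second past the 15-minute TTL
    outcomes["expired"] = issuer.redeem(stale)
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} {result}")
```

The signature binds the user, nonce and expiry together, so none of them can be edited in transit, and the nonce store is what turns the link from a bearer credential into a one-time one. Note that the expiry is checked before the nonce is consulted, so an expired link also clears its nonce and cannot be revived later.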

  39. Anyone else?
     • We’re continuing to look at other applications and possible exploitation avenues they might provide
     • Nobody else we’ve seen was close to this bad

  40. General Post Exploitation
     • The obvious:
       – Pilfer files directly from the cloud
       – Upload infected files to the cloud
     • The interesting:
       – Find other connected devices
     • The Evil:
       – Cancel the account, deleting stored files from the cloud!

  41. General Post Exploitation (2)
     • Log files stored on the client often show information about files previously sent to the cloud (files may no longer exist locally)
       – Ex. SkyDrive device log

  42. General Post Exploitation (3)
     • Databases stored on the client often show valuable information about files previously sent to the cloud
       – Ex. JustCloud mpcb_file_cache.db
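Slides 41 and 42 make a forensic point: the sync client's own logs and databases record what went to the cloud even after the local copies are gone, so an incident responder working an image can recover the list of files that left the host. The Python below is an added example, not from the talk, and it does not use the real SkyDrive or JustCloud formats (the slides do not reproduce them). It replays a constructed sync-client log to rebuild each file's last known cloud state, reports uploads for which no local copy remains, and separately reports remote deletions. The log format, paths, sizes and the local inventory are all constructed.

```python
"""Reconstructing what a sync client sent to the cloud from its own log (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sync-client log. The format is hypothetical, not SkyDrive's or
# JustCloud's: "<iso-timestamp> <ACTION> <size-or-dash> <relative path>".
SAMPLE_SYNC_LOG = """
2013-02-01T08:12:00 UPLOAD 48213 Documents/Board minutes 2012.docx
2013-02-01T08:12:09 UPLOAD 902113 Documents/Q4 forecast.xlsx
2013-02-03T17:40:22 UPLOAD 1183 Documents/vpn-notes.txt
2013-02-04T09:01:45 DELETE - Documents/vpn-notes.txt
2013-02-10T11:30:00 UPLOAD 2210445 Photos/offsite.jpg
2013-02-11T19:05:13 UPLOAD 50011 Documents/Board minutes 2012.docx
2013-02-12T07:00:00 UPLOAD 77401 Documents/merger-draft.docx
"""

# Constructed inventory of what still exists in the sync folder on the imaged host.
# On a real image this would be built with os.walk over the mounted folder.
SAMPLE_LOCAL_FILES = {
    "Documents/Q4 forecast.xlsx",
    "Photos/offsite.jpg",
}


@dataclass
class CloudState:
    last_action: str            # UPLOAD or DELETE
    last_seen: datetime
    size: Optional[int]         # size recorded with the last event, if any
    uploads: int                # how many versions went up over the log's lifetime


def replay_log(text):
    """Replay the log in order and keep the final cloud state per path."""
    state = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, action, size, path = line.split(maxsplit=3)   # paths may contain spaces
        prev = state.get(path)
        uploads = (prev.uploads if prev else 0) + (1 if action == "UPLOAD" else 0)
        state[path] = CloudState(action, datetime.fromisoformat(ts),
                                 None if size == "-" else int(size), uploads)
    return state


def uploaded_but_missing(state, local_files):
    """Files whose last cloud action was UPLOAD and which no longer exist locally.

    Returns (path, last_upload_iso, size, upload_count) tuples sorted by path.
    """
    out = []
    for path, st in state.items():
        if st.last_action == "UPLOAD" and path not in local_files:
            out.append((path, st.last_seen.isoformat(), st.size, st.uploads))
    return sorted(out)


def remotely_deleted(state):
    """Paths whose last recorded action removed them from the cloud copy."""
    return sorted(p for p, st in state.items() if st.last_action == "DELETE")


def run_sample():
    """Apply the reconstruction to the constructed log and inventory above."""
    return uploaded_but_missing(replay_log(SAMPLE_SYNC_LOG), SAMPLE_LOCAL_FILES)


if __name__ == "__main__":
    for path, when, size, count in run_sample():
        print(f"{when}  {size:>8}  x{count}  {path}")
    print("remotely deleted:", remotely_deleted(replay_log(SAMPLE_SYNC_LOG)))
```

The upload count matters in practice: a file that went up several times was being edited while synced, which tells the responder the document was live on this host over that period, not just parked in the folder.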

  43. Post Exploitation (JustCloud)
     • Users may be enticed to enter phone numbers for free add-on storage
       – Phone numbers useful to social engineering or…

  44. Post Exploitation (JustCloud)
     • Web Interface allows file upload
       – With automatic synch back to clients
     • With the email link, you can move malware to the endpoint client
       – I’m thinking DropSmack!

  45. Post Exploitation (Dropbox)
     • An RSS interface for their Dropbox account?
       – Cyber stalk your victims!
     • RSS Feed Example
       – at least you have to auth to get the file…

  46. Post Exploitation (SpiderOak)
     • SpiderOak is sort of special because they don’t store anything unencrypted
     • Everything is encrypted client side
       – Like BoxCryptor
     • Prevents upload/download of files from web interface
     • But SpiderOak allows local network backup
       – With saved creds
