When Governments Hack Opponents
Bill Marczak
"First, Bahraini jailers armed with stiff rubber hoses beat the 39-year-old school administrator and human rights activist in a windowless room... Then, they dragged him upstairs for questioning by a uniformed officer armed with another kind of weapon: transcripts of his text messages and details from personal mobile phone conversations..."
Abdul Ghani al-Khanjar, Bahraini Activist
Activist communication tools...
“Cred”
If you get a suspicious email or message, send it to me!
Ahmed Mansoor, UAE Activist: "Hey Bill, I got a weird email!"
The Data
Order to uncover the user of an IP address of @alkawarahnews
Mohammed Salah, Acting Chief Prosecutor, Capital Region
Batelco (residential ISP)
"It is a secret investigation involving private methods of our department that cannot be disclosed"
- Col. Fawaz al-Sumaim, Bahrain Cyber Crime Unit
Greetings, I am a translator of the revolution. Do you need translation of this? (Arrested activist)
Sketch: Social Engineering
Ahmed Mansoor, UAE Activist
“New secrets about torture of Emiratis in state prisons”
Nice Bait, we'll take it!
Lab setup: Factory-Reset iPhone (Wi-Fi Only) -> Wi-Fi -> Intercept & record Internet traffic -> The Internet
Type in the link from Mansoor...
... and what happens next will SHOCK YOU! Safari window closes! Tring [sic] to download bundle!
CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution
CVE-2016-4655: An application may be able to disclose kernel memory
CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges
Attribution
When we clicked again, redirect to: https://sms.webadv.co/redirect.aspx
<html><head><meta http-equiv='refresh' content='0;url=http://www.google.com' /><meta http-equiv='refresh' content='1;url=http://www.google.com' /><title></title></head><body></body></html>
Wow, that's weird!
Plan:
1. Use zmap to fetch /redirect.aspx from every IPv4 address (2^32 = 4,294,967,296)
2. Check which responses are the same as our fingerprint:
<html><head><meta http-equiv='refresh' content='0;url=http://www.google.com' /><meta http-equiv='refresh' content='1;url=http://www.google.com' /><title></title></head><body></body></html>
Result: 149 IP addresses
New plan: look at historical internet scanning data for the 149 IP addresses
https://shodan.io/
https://censys.io/
https://opendata.rapid7.com/
Result: 19 IP addresses returned the following in response to a fetch for /
\xef\xbb\xbf<HTML><HEAD><META HTTP-EQUIV="refresh" CONTENT="0;URL=http://www.google.com/"> <TITLE></TITLE></HEAD><BODY> </BODY></HTML>
New plan: what else returned this?
Result: 89 IP addresses, including:
Admin Organization: Nso Group
Admin Street: P.O Box 4166
Admin City: Hertzelia
Admin Country: IL
Admin Email: IT@nsogroup.com
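The three-step pivot above (match fingerprint #1 on /redirect.aspx, check those hits against historical data for fingerprint #2 on /, then widen to every host that ever served fingerprint #2), as an added Python example that is not part of the talk or of any Citizen Lab tooling. The two fingerprints are the bodies quoted on the slides; the scan records, their "zmap"/"historical" source labels and the 198.51.100.x / 203.0.113.x addresses are constructed stand-ins for sweep output and archive data, not real results.

```python
# Added example, not from the talk: pivot over stored scan records using the
# two HTTP response-body fingerprints quoted on the slides.
# All scan records below are constructed; the IPs are documentation ranges.

# Fingerprint #1: body the Mansoor exploit server returned for /redirect.aspx.
FP1 = (b"<html><head>"
       b"<meta http-equiv='refresh' content='0;url=http://www.google.com' />"
       b"<meta http-equiv='refresh' content='1;url=http://www.google.com' />"
       b"<title></title></head><body></body></html>")

# Fingerprint #2: older body (UTF-8 BOM, upper-case tags) returned for /.
FP2 = (b"\xef\xbb\xbf<HTML><HEAD>"
       b'<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://www.google.com/"> '
       b"<TITLE></TITLE></HEAD><BODY> </BODY></HTML>")


def canonical(body: bytes) -> bytes:
    """Normalise a body before comparison: unify line endings and drop
    surrounding whitespace so a trailing newline does not break the match.
    The BOM is kept on purpose: it is part of fingerprint #2."""
    return body.replace(b"\r\n", b"\n").strip()


def matches(body: bytes, fingerprint: bytes) -> bool:
    return canonical(body) == canonical(fingerprint)


# Constructed records: (source, ip, path, body). "zmap" marks our own sweep;
# "historical" marks a record pulled from an archive such as Censys or Rapid7.
SCAN_RECORDS = [
    ("zmap", "198.51.100.10", "/redirect.aspx", FP1),
    ("zmap", "198.51.100.11", "/redirect.aspx", FP1 + b"\n"),
    ("zmap", "198.51.100.12", "/redirect.aspx", b"<html><body>Moved</body></html>"),
    ("historical", "198.51.100.10", "/", FP2),
    ("historical", "198.51.100.11", "/", b"<html>ok</html>"),
    ("historical", "203.0.113.5", "/", FP2),
    ("historical", "203.0.113.6", "/", FP2 + b"\r\n"),
    ("historical", "203.0.113.7", "/", FP2[3:]),   # BOM missing: not a match
]


def pivot(records):
    """Run the three-step pivot; returns (fp1_ips, overlap_ips, fp2_ips)."""
    # Step 1: hosts whose /redirect.aspx body equals fingerprint #1.
    fp1_ips = {ip for src, ip, path, body in records
               if src == "zmap" and path == "/redirect.aspx" and matches(body, FP1)}
    # Step 2: of those, which ones ever served fingerprint #2 for / ?
    historical = [(ip, path, body) for src, ip, path, body in records
                  if src == "historical"]
    overlap = {ip for ip, path, body in historical
               if ip in fp1_ips and path == "/" and matches(body, FP2)}
    # Step 3: widen to every host in the archive that served fingerprint #2.
    fp2_ips = {ip for ip, path, body in historical
               if path == "/" and matches(body, FP2)}
    return fp1_ips, overlap, fp2_ips


def new_hosts(records):
    """Hosts reached only through the fingerprint #2 pivot."""
    fp1_ips, _, fp2_ips = pivot(records)
    return fp2_ips - fp1_ips


if __name__ == "__main__":
    fp1, overlap, fp2 = pivot(SCAN_RECORDS)
    print("fingerprint #1:", sorted(fp1))
    print("also fingerprint #2:", sorted(overlap))
    print("all fingerprint #2:", sorted(fp2))
    print("new hosts:", sorted(new_hosts(SCAN_RECORDS)))
```

The comparison is deliberately exact after whitespace normalisation: the slides treat the two bodies as two separate fingerprints, and the BOM and upper-case tags of fingerprint #2 are part of what makes it distinctive, so a looser match (case-folding, tag-level parsing) would collapse them and inflate the hit count.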
"NSO Group is a leader in the field of Cyber warfare."
"... a powerful and unique monitoring tool, called Pegasus, which allows remote and stealth monitoring and full data extraction from remote targets devices via untraceable commands."
"...exclusively for the use of Government, Law Enforcement and Intelligence Agencies."
Diagram: Fingerprint #1 (Ahmed Mansoor's link, 2016) and Fingerprint #2 (historical scan data, 2013-2014) overlap on 19 IPs.
Why do NSO servers return Google redirects?
<html><head><meta http-equiv='refresh' content='0;url=http://www.google.com' /><meta http-equiv='refresh' content='1;url=http://www.google.com' /><title></title></head><body></body></html>
\xef\xbb\xbf<HTML><HEAD><META HTTP-EQUIV="refresh" CONTENT="0;URL=http://www.google.com/"> <TITLE></TITLE></HEAD><BODY> </BODY></HTML>
Decoy Page: “redirect or customize undesired remote … landing on the server”
Fake Apache Decoy Pages (Hacking Team)
Apache:
HTTP/1.1 404 Not Found
Date: $DATE
Server: $SERVER
Content-Length: $LENGTH
Connection:close
Content-Type: text/html; charset=$CHARSET
Hacking Team:
HTTP/1.1 404 NotFound
Connection: close
Content-Type: text/html
Content-length: $LENGTH
Server: Apache/2.4.4 (Unix) OpenSSL/1.0.0g

Fake Apache Decoy Pages (FinFisher)
Apache:
HTTP/1.1 403 Forbidden
Date: $DATE GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 321
Content-Type: text/html; charset=iso-8859-1
FinFisher:
HTTP/1.1 403 Forbidden
Date: $DATE UTC
Server: Apache
Vary: Accept-Encoding
Content-Length: 321
Content-Type: text/html; charset=iso-8859-1

Fake Apache Decoy Pages (FinFisher)
Apache:
<html><body><h1>It works!</h1></body></html>
FinFisher:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>200 OK</title> </head><body> <h1>It works!</h1> </body></html>
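A checker for the decoy-page tells visible in the three comparisons above (reason phrase "NotFound" instead of "Not Found", a missing Date header, "Content-length" casing, "UTC" where HTTP dates always say "GMT", and a non-stock "It works!" page), written as an added Python example rather than code from the talk. The six sample responses are constructed from the slide templates, with $DATE, $SERVER and $LENGTH replaced by made-up values; the reason-phrase and header-casing tables cover only what the slides show.

```python
# Added example, not from the talk: flag responses that claim to be Apache but
# deviate from what httpd actually emits, using the tells visible on the slides.
# The sample responses are constructed from the slide templates.
import re

# Reason phrases httpd sends for the status codes on the slides.
STANDARD_REASON = {"200": "OK", "403": "Forbidden", "404": "Not Found"}

# Header-name casing httpd emits. HTTP treats names as case-insensitive, so
# "Content-length" is valid HTTP; it just is not what Apache writes.
CANONICAL = {"date": "Date", "server": "Server", "connection": "Connection",
             "content-length": "Content-Length", "content-type": "Content-Type",
             "vary": "Vary"}

# httpd's stock welcome page is exactly this: no doctype, no <title>.
APACHE_IT_WORKS = "<html><body><h1>It works!</h1></body></html>"


def parse_response(raw):
    """Split a raw HTTP/1.x response into (code, reason, headers, body);
    headers keep their original casing as a list of (name, value)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})(?: (.*))?$", lines[0])
    if not m:
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return m.group(1), m.group(2) or "", headers, body.strip()


def decoy_indicators(raw):
    """Return the list of tells found; an empty list means nothing stood out."""
    code, reason, headers, body = parse_response(raw)
    names = {n.lower(): n for n, _ in headers}
    values = {n.lower(): v for n, v in headers}
    findings = []
    if not values.get("server", "").startswith("Apache"):
        return findings            # only judging servers that claim to be Apache
    if code in STANDARD_REASON and reason != STANDARD_REASON[code]:
        findings.append("reason-phrase:%r" % reason)      # e.g. "NotFound"
    if "date" not in values:
        findings.append("missing-date")                    # httpd always sends Date
    elif not values["date"].endswith(" GMT"):
        findings.append("date-not-gmt:%r" % values["date"])  # HTTP-date is GMT, never UTC
    for lower, seen in names.items():
        if lower in CANONICAL and seen != CANONICAL[lower]:
            findings.append("header-case:%s" % seen)
    if "<h1>It works!</h1>" in body and body != APACHE_IT_WORKS:
        findings.append("nonstandard-it-works-page")
    return findings


def http(*lines):
    """Join status line, headers and body into a CRLF-delimited response."""
    return "\r\n".join(lines)


# Constructed samples: $DATE/$SERVER/$LENGTH from the slides filled with made-up values.
SAMPLES = {
    "apache-404": http("HTTP/1.1 404 Not Found", "Date: Thu, 25 Aug 2016 12:00:00 GMT",
                       "Server: Apache/2.4.4 (Unix)", "Content-Length: 196",
                       "Connection: close", "Content-Type: text/html; charset=iso-8859-1",
                       "", "<html><body>Not Found</body></html>"),
    "hackingteam-404": http("HTTP/1.1 404 NotFound", "Connection: close",
                            "Content-Type: text/html", "Content-length: 196",
                            "Server: Apache/2.4.4 (Unix) OpenSSL/1.0.0g",
                            "", "<html><body>Not Found</body></html>"),
    "apache-403": http("HTTP/1.1 403 Forbidden", "Date: Thu, 25 Aug 2016 12:00:00 GMT",
                       "Server: Apache", "Vary: Accept-Encoding", "Content-Length: 321",
                       "Content-Type: text/html; charset=iso-8859-1", "", ""),
    "finfisher-403": http("HTTP/1.1 403 Forbidden", "Date: Thu, 25 Aug 2016 12:00:00 UTC",
                          "Server: Apache", "Vary: Accept-Encoding", "Content-Length: 321",
                          "Content-Type: text/html; charset=iso-8859-1", "", ""),
    "apache-root": http("HTTP/1.1 200 OK", "Date: Thu, 25 Aug 2016 12:00:00 GMT",
                        "Server: Apache", "Content-Type: text/html", "", APACHE_IT_WORKS),
    "finfisher-root": http("HTTP/1.1 200 OK", "Date: Thu, 25 Aug 2016 12:00:00 GMT",
                           "Server: Apache", "Content-Type: text/html", "",
                           '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> '
                           "<title>200 OK</title> </head><body> <h1>It works!</h1> </body></html>"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-16s %s" % (name, decoy_indicators(raw) or "clean"))
```

Each tell on its own is weak (a reverse proxy can rewrite header casing, and a misconfigured clock or a custom welcome page is not malicious), which is why the function returns the full list rather than a verdict: the point of the slides is that a decoy looks right at a glance and only the details give it away, so a scan-data pipeline should record the details and let an analyst combine them with the fingerprint pivot.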
Spyware Command-and-Control
Diagram: Victims connect to proxies in "The Cloud" (Proxy, Proxy, Proxy); the proxies relay through a Gateway / Firewall to the C&C Server and Monitoring Center on Government Agency Premises.
Scanning finds these (the cloud proxies)... but not these (the C&C Server and Monitoring Center behind the agency's gateway / firewall).