Thought Leadership
August 10, 2025

Dispatches From the Desert: DEF CON Day Two


Welcome to day four of Dispatches from the Desert! This week, Immersive’s Container 7 team is in the desert city of Las Vegas, sharing daily highlights from two of the world's largest security events: Black Hat and DEF CON. 

Catch up with the previous blogs here:

Dispatches from the Desert: Black Hat day one

Dispatches from the Desert: Black Hat day two

Dispatches from the Desert: DEF CON day one

Kev Breen: Senior Director, Cyber Threat Research

The routine is fairly established now. Wake up, get ready, meet for breakfast, and then head over to the convention center. The first talks don’t begin until 10 AM, but when we arrived a little after nine, a “Line CON” had already formed. 

Brits are famous for knowing how to form an orderly queue, but the DEF CON goons (yes, that’s what they’re actually called) do a great job at herding people into long queues that span the full length of the convention center. Everyone was waiting patiently for the most part, but there was plenty of anticipation for the day’s sessions. 

My session of the day was “Binary Facades: Reversing approaches to extract embedded scripts in macOS malware”. It was given by Patrick Wardle, founder of Objective-See, a non-profit that creates security tooling for Apple operating systems. 

Most malware is created to target Windows devices, the most popular operating system for large enterprises, or Linux, which is the operating system of choice for running headless services. But that’s not to say that we don’t see malware created for Apple operating systems. 

It typically falls into one of two buckets. It can be platform agnostic, usually something like Go or Java-based that can be compiled or run on Windows, Linux, or macOS. Or, it can be specifically designed to target Mac users – there are still plenty of organizations or departments within organizations that use Macs. 

Unwrapping rather than reverse engineering

The premise of Patrick’s talk was: “Why reverse engineer when you can simply unwrap?”. Traditional reverse engineering of malware binaries can be a time-consuming process, and if you’re at the start of an incident, time is a huge factor. The quicker you can validate if there’s malware and what it’s doing, the quicker you can respond.

This was at the heart of the session. It talked about taking a step back and seeing if you can identify whether the malware you’re looking at is just a set of scripts wrapped up in a packager like PyInstaller, Electron apps, Tauri, or Platypus. If you can identify that, you could then quickly extract the payloads themselves instead of dealing with the binary.

The tools used aren’t new, but Patrick shared real examples of malware targeting Macs to showcase how these tools can be used in a real-world setting. 
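As an added illustration of the “identify the wrapper first” triage step (editor’s example, not Objective-See’s or Patrick Wardle’s tooling), the script below guesses which packager built a macOS .app by checking bundle layout markers and the PyInstaller CArchive magic; the markers for Electron and Platypus are assumptions from their usual layouts, and Tauri is not detected here.

```python
import os
import tempfile
from pathlib import Path
# PyInstaller appends a CArchive whose cookie starts with this 8-byte magic.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

def _tail(path, size=1 << 20):
    """Last `size` bytes of a file; the CArchive cookie sits near the end."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - size))
        return fh.read()

def identify_packager(app_dir):
    """Classify a .app as 'electron', 'platypus', 'pyinstaller' or 'unknown'."""
    contents = os.path.join(app_dir, "Contents")
    res = os.path.join(contents, "Resources")
    # Electron ships its JavaScript as Resources/app.asar next to the Electron Framework.
    if os.path.exists(os.path.join(res, "app.asar")) or os.path.isdir(
            os.path.join(contents, "Frameworks", "Electron Framework.framework")):
        return "electron"
    # Platypus stores the wrapped script verbatim as Resources/script.
    if os.path.isfile(os.path.join(res, "script")) and os.path.isfile(
            os.path.join(res, "AppSettings.plist")):
        return "platypus"
    # PyInstaller: the CArchive (and its magic) is appended to the main executable.
    macos_dir = os.path.join(contents, "MacOS")
    for name in os.listdir(macos_dir) if os.path.isdir(macos_dir) else []:
        exe = os.path.join(macos_dir, name)
        if os.path.isfile(exe) and PYINSTALLER_MAGIC in _tail(exe):
            return "pyinstaller"
    return "unknown"

def make_bundle(name, files):
    """Constructed sample: write a fake .app in a fresh temp dir and return its path."""
    app = Path(tempfile.mkdtemp()) / name
    for rel, data in files.items():
        (app / rel).parent.mkdir(parents=True, exist_ok=True)
        (app / rel).write_bytes(data)
    return str(app)

def demo():
    """Classify two constructed bundles: a PyInstaller-style and an Electron-style app."""
    return {
        "py": identify_packager(make_bundle("py.app",
            {"Contents/MacOS/py": b"\xcf\xfa\xed\xfe" + b"\0" * 64 + PYINSTALLER_MAGIC})),
        "el": identify_packager(make_bundle("el.app",
            {"Contents/Resources/app.asar": b"\x04\x00\x00\x00"})),
    }
```

Once the wrapper is known, the embedded script can be pulled out with the matching extractor (pyinstxtractor, asar, or simply reading Resources/script) instead of disassembling the binary.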

Finally, while talks are often spent sitting quietly and focusing on the speaker, the afternoon is set aside for something more social – we all sit around a table and work as a team on a CTF challenge or two.

Rob Reeves: Principal Cyber Security Engineer

Day two of DEF CON has been a blast, with the team getting stuck into talks, CTFs, workshops, and more. I spent a good chunk of this afternoon in the Red Team Village, learning how to integrate AI with existing red team tooling to help identify significant information. 

During a red team engagement, it’s common to steal and loot files as you move through a customer network, seeking valuable information as well as anything that can further an attack or increase levels of access. 

Depending on the customer environment, this can mean sifting through a huge number of files to find that one key piece of information. A wise man once told me that successful red team operators need to have a high boredom threshold!

This makes it a perfect task for AI – but using AI during a red team engagement could be quite a contentious topic, given that most organizations wouldn’t approve of their sensitive data being sent to an unauthorized third party.

This workshop was put on by two red team engineers, Gabi Joseph and Josh Millsap, who gave participants the opportunity to set up a Mythic C2 server, attack a target hosted inside a GCP lab, and then use a tool called RAGnarok to analyze information collected from the target using a locally hosted AI model. 

By using RAGnarok’s retrieval-augmented generation chatbot frontend, it’s possible to sift through troves of data to identify what’s useful. It was an amazing workshop and a real pleasure to learn from Gabi and Josh.

Vulnerabilities in ZTNA services

The most interesting talk of the day was given by AmberWolf, a UK-based security consultancy that has been researching vulnerabilities in zero trust network access (ZTNA) services and client applications. 

Researchers managed to find extensive vulnerabilities, ranging from authentication bypasses in the services themselves to local privilege escalation vulnerabilities in the clients installed on Windows machines.

With the increase in remote code execution (RCE) vulnerabilities in SSL VPNs in recent years, ZTNA has been touted as a more secure and manageable solution, and a number of organizations have moved away from traditional VPN access. 

However, AmberWolf’s research demonstrated that security products can invariably become an organization’s Achilles heel, giving attackers the access they need to complete their objectives. Thankfully, the worst of the issues identified by Dave Cash and Rich Warren have been patched before a real adversary could discover and exploit them.

Gaz Lockwood: Principal Cyber Security Engineer

I spent day two of DEF CON in the Blue Team Village, which has been my favorite spot at the conference so far. 

The atmosphere was perfect: good tracks playing in the background, the lighting dialed down to give everyone’s eyes a break from relentless 4K strip lighting, and a room full of people laser-focused on defending rather than breaking. 

Project Obsidian was the blue team CTF, structured around a multi-stage Kill Chain with Easy, Medium, and Hard levels. It also featured a few extras, which is where I spent most of my time. I really enjoyed working on the geo-location OSINT challenges with Ben, which I’m hoping to bring into the Immersive platform. 

Unfortunately, I didn’t get as much done as I would have liked. A top tip for future DEF CON attendees is to come prepared with the tools you’ll need pre-built. I wasted too much time in the morning trying to build a VM over the conference Wi-Fi, which was sub-optimal. 

Tomorrow is our last day, and I’m looking forward to returning to the Blue Team Village and continuing with the CTF. I’ve also got the Social Engineering Village on my list, which has been highly recommended.

Ben Hopkins: Cyber Threat Intelligence Researcher

I was particularly excited to get to DEF CON today because there were some great talks lined up. I attended four talks in the end, two of which stood out to me as they aligned with my interests and were things I can directly bring back to my work.

The first talk was hosted by Thomas Roccia, a security researcher at Microsoft. He discussed North Korea and how cryptocurrency is used in its operations, and shared some technical details of how the money is laundered. 

A stand-out part was about how we, as investigators, could use LLMs to build MCP servers that are trained to spot abnormalities in cryptocurrency transactions. It could identify how and at which point in the chain money is being laundered, with techniques like dispersing and DEX swaps and using mixers and CoinJoining. 

I’ve talked a lot about how much AI has been shoehorned into these events, but this was a rare time when I thought that AI would be applicable. It could be brilliant at shaving off the time it takes to figure out how a threat actor is transacting and using illicit funds.

Threat hunting and Telegram bots

The second talk that stood out to me was equally entertaining and informative. Ben Folland from Huntress talked about intercepting adversary communications and a good process for threat hunting an adversary’s serverless C2. 

He went into detail about his investigations while working on Huntress’s SOC, identifying infostealer malware on various clients’ machines that used Telegram bots. I myself have analyzed dozens of infostealer malware samples and have often found Telegram bot IDs buried inside them. These IDs are used to receive information from the malware, and that same bot pushes those logs to a closed chat controlled by the adversary. 

The talk discussed how digging into Telegram and other serverless C2s presents opportunities to identify operational security blunders. In Folland’s case, it led him to identify hundreds of screenshots from the threat actor’s own desktop. He was able to pick out payment history, credentials, tooling, email addresses, and personal information about the threat actor, as they did all of their development and C2 work on their daily driver machine.
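The triage step Ben describes, finding Telegram bot IDs buried in infostealer strings, as an editor’s added example (not Huntress’s or the speaker’s tooling): it scans a constructed strings dump for the bot ID, the API methods called and any chat ID, and flags the sendDocument-style exfiltration pattern. The token and chat ID in the sample are made-up placeholders, and the secret half of the token is deliberately not returned so triage notes do not carry a live credential.

```python
import re

# Constructed sample: a few lines as `strings` might print them for an infostealer.
# The bot token and chat id are made-up placeholders, not real indicators.
SAMPLE_STRINGS = """\
kernel32.dll
https://api.telegram.org/bot123456789:AAFakeTokenForIllustrationOnly12345/sendDocument
chat_id=-1001234567890
https://api.telegram.org/bot123456789:AAFakeTokenForIllustrationOnly12345/getUpdates
Mozilla/5.0 (Macintosh)
"""

# A bot token is <numeric bot id>:<35-char secret>; the API URL embeds it after "bot".
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})\b")
METHOD_RE = re.compile(r"api\.telegram\.org/bot[^/\s]+/(\w+)")
CHAT_RE = re.compile(r"chat_id=(-?\d+)")

def extract_telegram_indicators(text):
    """Pull Telegram bot ids, API methods and chat ids out of a strings dump.

    Returns sorted, de-duplicated values. Only the numeric bot id (group 1) is
    kept; the secret part of the token is discarded on purpose.
    """
    return {
        "bot_ids": sorted({m.group(1) for m in TOKEN_RE.finditer(text)}),
        "methods": sorted({m.group(1) for m in METHOD_RE.finditer(text)}),
        "chat_ids": sorted({m.group(1) for m in CHAT_RE.finditer(text)}),
    }

def telegram_c2_likely(indicators):
    """Triage heuristic: a bot id plus a send* method (logs pushed to a chat)
    is a strong sign the sample uses a Telegram bot as its C2 channel."""
    exfil_methods = {"sendDocument", "sendMessage", "sendPhoto"}
    return bool(indicators["bot_ids"]) and bool(exfil_methods & set(indicators["methods"]))
```

The bot ID and chat ID are what you pivot on in detection: correlate hosts talking to api.telegram.org with the same bot ID across samples, and block that egress where Telegram has no business use.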

Maritime cybersecurity

During small breaks in the day, I went and explored some villages that covered things I don’t get to do in my day job, like malware (joking!). 

One interesting topic was maritime cybersecurity, where I got a crash course on radars, global navigation satellite systems, and GPS, and how some of these could be compromised through jamming, spoofing, or attacking the operational technology used aboard the vessels. I plan to research this more when I return to the UK and don’t have to worry about my laptop dying.

For the rest of the day, Gaz, Kev, and I went to the Blue Team Village where there was a CTF event. 

Despite arriving fairly late in the afternoon after attending lots of talks, we managed to claw our way through dozens of challenges involving log analysis and cyber threat intelligence research. It’s a real shame that there weren’t any plug sockets available to charge our laptops, but we soldiered on all the same!

That wraps up day four! If you’re an Immersive customer and weren’t able to make it out to Black Hat or DEF CON, keep an eye out. When we return, we’ll take some of the more interesting and novel tools and techniques we’ve seen here and turn them into practical labs.  
