Event Recording

Effects of Malware Hunting in Cloud Environments

It's a pleasure to be here once again. So let me share my screen here. So yeah, I'm looking here. Cool, thank you. Thank you so much again. So usually I talk in person, but today I'm online and we are going to talk about the effects of malware hunting. So the idea is to explain more about the impact that the cloud environment can suffer. Okay, so this is my contact on Twitter, and I have some other accounts, so if you would like to send me a message or follow me. So on LinkedIn and in my hub, you can find the other research that I'm doing now and that I did in the past. So that's some information. So who is Philippe? So who am I? So I'm a security researcher at Support. It's a company from Switzerland. So I'm responsible for developing attack modules for our product.
But my main focus in this company is discovery actually, and not only this, but to figure out how the attacker uses different permissions in the cloud. Not only in the cloud, but on premise as well, or cross-platform, let's say this way. And how the attacker uses this intelligence to exploit this. It's not only a vulnerability, but the permissions, to exploit those environments in this chaos. Because as you know, in the cloud we have different access, different users, different groups, different permissions. So it's very difficult to manage all those things. So the idea behind this is to understand how we can achieve the good point here. And I'm responsible for developing these things. So this year I founded actually, I'm one of those actually, I'm a founder of Black and White Technology, a hacking company here in Portugal and in Brazil. By the way, I'm Brazilian, but I'm living here in Portugal now.
And I'm a developer advocate for those three brands, let's say this way. Hacking is not a crime. I really like to talk about this project. Basically the idea behind this project is to explain more about this hacking concept, because for us, hacking is not really a crime; it is a concept or a lifestyle, when you see something and how you use your creativity, actually. And because usually, you know, the newspapers and TV, the people like to choose one person to call the bad person, right? So usually it is easier to use this word, like a hacker did something, but the correct word is the threat actor, you know, or the cracker or the attacker. And that's the idea behind this. Ura, I think you know this organization, it's a company responsible for providing tons of solutions.
And my idea is to explore and to spread the message about how important it is to manage your access. And N, I am an ambassador of this. N is a company responsible for providing solutions for secure code, actually static code analysis performed before executing or creating the applications in the cloud or in whatever environment you prefer, right? And I'm a writer for these three magazines in Europe. And yeah. So let's talk about our main topic. So very fast. So what is a threat? Just a simple explanation. So if you are here for the first time, so according to this ISO, it is a specific potential incident that causes harm to a specific system or organization. It means a software attack, theft of intellectual property. We are talking during the event about identities, about the cloud. So something about this: identity theft is a kind of threat, sabotage and information distortion like a ransomware attack is a threat.
Okay? Just to summarize, it is very important to clarify this, just as simple as this, the parts. So usually if you see how you can create a specific hunt in the cloud, I really like to use this specific flow. So first of all, you collect the artifact. In my presentations, as you can see, the first part is more the theoretical part and the end of the presentation is more technical. Okay? So first of all, we need to identify this artifact in the cloud. Not only there, of course; in the on-premise environment it is almost the same. But in the cloud we have different services connected to each other, so it's a bit different. But at the end of the day, the artifact or the attack is almost the same. The only difference is based on how the attacker uses different permissions to escalate inside of the cloud.
So this is the key here. So first of all, we need to identify; the identification step is very important. So when you analyze this, or when you execute a specific hunt in the cloud, we need to define what is the best methodology. We can apply static analysis or dynamic analysis. When you describe these, when you perform a specific hunt or a specific analysis or research, I recommend you create a specific report. Actually the report is basically the step by step that you executed when you analyzed something, because you can understand those steps, what kind of, you know, what is the path taken by the attacker. That's the key here. And you can prepare a report to present to your manager, your coordinator, your tech lead. And of course if you describe this in a specific way, you can prepare for example an article and you can publish this article; of course when you have some specific sensitive data, of course you don't share this information, but the intelligence behind this is very important.
Not only that, but you can improve your defense mechanisms, because you will understand where exactly is the step where that attacker bypassed the security sensor, what kind of services the attacker enabled inside of the cloud. So this is the key here. And you can create specific cyber threat intelligence, and you can use of course many different tools to automate the process, and you can train the cyber resilience in your environment, by the way. And at the last event that I participated in, in person in Berlin, I talked about the difference between cyber resilience and cyber resistance. It's very interesting because one of those things is about policy management and the other thing is based on how you can increase your security posture, right? So that's very interesting. So probably, if you are registered on the KuppingerCole website, you can see this explanation from the last event.
Okay, so what is static analysis? Very simple. Usually it's the first step in the malware hunting method. Why? Because it describes the process of the program code and the structure of the code, what kind of functions are imported by the binary. And usually the program itself doesn't run at this time; because of that it's safer. Okay? And the second one is dynamic analysis. It means that it is different. So the analysis is only based on behavior. So you execute the binary and you see how is the behavior inside of this environment. Okay? Of course you can use different tools to help you to get the information, like a sandbox. You need to have different sensors inside of the sandbox to understand what exactly are the steps executed by this binary inside of this specific environment. Okay? So when you talk about the cloud, of course you already heard about that.
So about the shared security responsibility, it's very interesting because usually you have two different layers. Okay? It's very important to clarify this. This is a very important thing: the responsibility here is for the customer, okay? And here it is based on the cloud service provider. I like to explain this because for the technology, what is important here is the security of availability. Okay? So you have compute, storage, database and network, actually the specific foundation of the server, or even the availability zones of the data centers where your applications will be installed. But here is the key: the applications in this specific layer, in this case it's customer data, platforms, applications and identity and access management. That is very, very important, because it is based on that, here the attacker can use this identity and this access to gain access to your cloud environment. So because of that, it's very important to see this; not only this, but for example to execute specific updates and patches in your operating systems, your network and firewall.
So this is the responsibility of the customer. Here is the responsibility, actually important, okay? And what AWS told us about the shared responsibility model. So as you can see here, these are not definitions from Philippe, these are definitions from AWS. So as you can see we have the shared responsibility, and if you see Azure it is the same case; of course it depends on the services that you will pay for, okay? But as you can see here, so the customer has a specific responsibility here, it is important because, as you can see, it's totally shared, okay? So we understand what exactly is the power, what kind of methodology we can analyze. But now I would like to explain about this specific vulnerability. So let's suppose that you have a specific application, okay? Or let's suppose that you have, for example, an HR program or a financial program.
And probably if you have this, you have a specific button like this, as you can see here. Probably if you have this specific application for finance or, you know, for HR, you can upload here a specific resume or invoice, depending on the area. Let's suppose. So I will share this demo basically, explaining the specific vulnerability, the file upload vulnerability that your application can have inside of the specific cloud environment. So as we can see here, it is a simple attack in PHP, because this program is in PHP. So it's a specific PHP script, very, very simple, okay, just to explain the attack actually. So I am requesting a specific GET, so I can execute a specific command here. So I upload the file. So let's suppose that you have, again, an HR team.
So you will receive many resumes per day, for example, if you have specific opportunities, or if you are in finance, you receive an invoice. Okay? So your customers can upload information here. So as you can see here, I simply upload a specific file in PHP, and as you can see here, it is uploaded inside of the server, the server in the cloud. And basically here of course it is a simple lab. But we can see specific failures, or flaws actually, how the developer is using the application in a bad way. Okay? So as you can see here, you can see the path inside of the server. So based on that, the attacker can see what exactly is the place where the attacker uploaded this file. And as you can see here, I uploaded the file inside of the server, and if you see here I set cmd and I put equal ls; it is a command to list information.
But I'm executing a command inside of the server. This is another vulnerability, called command injection, because I can execute a specific command inside of the server and this specific service. So I set here uname -a, as you can see, just to understand what is the operating system in this specific environment. pwd is a password... So I will see the, not password, sorry, pwd is the path inside of my server. So as you can see, this is the first vulnerability here. So I will share with you now the second example. And if you see, I try to upload in PHP and take a look, what is the reference? "No PHP". Basically here the developer put inside of this application a specific validation based on the extension .php. So as you can see here, if I try to upload a .php file, I cannot do that, because the developer put a blocker like this to protect the environment.
But of course the attacker can change, can manipulate something, as I manipulate here. So I am changing the file. So of course we don't have time to explain all those details, but you can access my website and you can see other talks where I have more time to explain technically how this works. So if you see here, it's the same file; I just changed the extension here to .txt, as you can see here, .txt. It is the same command, it is the same thing, and as you can see here, I got success inside of the server. I just changed the extension, because in this specific application the validation was based on the extension. So I just manipulated something here. So of course it's more technical, but I could talk about the magic number, how the magic number works and something like this.
Okay, so let me go to the first example. As I showed you here, in this case we don't have any validation inside of the application, okay? Because of that, I got to upload the first file. And in the second example, as you can see here, "no PHP", but it's not a correct way to protect. So we could use other validations; the first is we cannot show this information to the attacker in any application. It's not a good way. Okay? So just to share here, what is the impact when you have this access? So after you have here the upload shown in the first example, as you can see here, I can use some specific tools inside of my machine. In this case I just opened a channel from the victim machine, in this way here, to the attacker machine here.
In this way I just set port four four three and I will listen on my machine, the attacker machine, and I try to access based on this vulnerability. So if you see here, what is the impact? So now I can set different commands here on the victim machine. So I'm using my machine to attack this application. So you can imagine now what kind of information I can list, what I can access inside of the cloud. I can try to understand what kind of networks I can find inside of this environment. I can try to see here; in this case I don't have any Docker, for example, inside of this environment, but I could if you have, for example. So the impact is very, very high. Okay, so let me go to explain, actually we don't have time to explain, but the PDF has four important parts.
The first is the header, the second is the body, then the cross reference table and the trailer, just four important parts that the attacker usually uses to put specific malicious things inside of this. So, and because of that, you can imagine, I talked in the beginning of this conversation about the HR teams and financial teams. Usually they receive many PDFs per day. So inside of the PDF you can put many malicious things, like specific JavaScript code inside of it. So let's combine those things: a malicious PDF using JavaScript, for example, and the vulnerable application inside of the cloud. So imagine the attacker can gain access inside of your cloud using a malicious PDF. So as you can see it is very, very dangerous. So we don't have time to explain this specific demo, but here I just would like to finalize my presentation here with some specific impact.
So I'm using here a specific open source tool to see how the permissions work, basically. But here, the important thing is we have different profiles here, like a CEO profile, a support guy, a specific user, a normal user, and a specific manager. As you can see, we have many edges in the relationship between each user, each policy and different access. So remember the first demo that I showed you about the impact. So when the attacker gains access to this specific user, the attacker can move laterally inside of your network more easily. So that's the point here. So inside of the cloud, the attacker has many different privileges, and usually if you are an administrator, for example in AWS we have policy management, it's easier for us as administrators to enable all and that's it. So the guy can manage all those groups with all the access and that's it. But from the attacker's perspective, he has here in this case a big advantage over the defensive team. Okay, so I think these are some books if you'd like to read more about this topic. And I finish here my presentation, Chris, I hope just two minutes past, and that's it.
Perfect. Thank you very much Philippe.
Pleasure. And even if we have two minutes, or we needed two minutes more than expected, there's a question from the audience: in general, how would you evaluate the security posture of public cloud environments in comparison to on-premise? So a really short answer please, but I think that's an interesting question for Philippe.
Yeah, yeah. If the people would like to ask me, they can send me a message, no problem, I can answer all those questions. But it's very simple actually, not simple, but we have here on GitHub, you can find different open source tools to analyze, to make a specific assessment in the public cloud, to perform a scan, to understand how those permissions work based on a specific security profile actually, and you can run this and understand what is your posture inside of the cloud. And of course you can do this; it's the same case on premise, but all those things are based on permissions actually, and the identities. It's easier, not easy, but you can use an open source tool. But it is not too simple a topic to answer in two seconds, you know?
Absolutely. Okay. Again, thank you very much Philippe, great presentation and a good example of how to do it right, or how not to do it. Thank you very much.
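The upload weakness walked through in the talk (an extension-only ".php" block that a rename to ".txt" defeats, and a PDF with embedded JavaScript) next to the content-based check the speaker alludes to with the magic number. This is an added example, not the speaker's PHP lab code; the allow-list policy, the PDF keyword heuristic and the sample files are assumptions constructed for illustration.

```python
import re
import secrets

# Allow-listed upload types and the magic bytes their content must start with.
# Assumed policy for an HR/finance upload form, not the demo app's rules.
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
EXT_ALIASES = {"jpeg": "jpg"}

# PDF name objects tied to the active-content risk discussed in the talk.
# Heuristic only: names can be hex-escaped and objects can sit in compressed
# streams, so a real PDF parser is still needed for high-assurance checks.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)\b")

def extension_only_check(filename: str) -> bool:
    """The weak check from the demo: block '.php' and nothing else.
    Renaming shell.php to shell.txt passes it unchanged."""
    return not filename.lower().endswith(".php")

def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Hardened check: allow-listed extension, content must match the
    magic bytes of that type, and PDFs must not carry active content."""
    if "." not in filename:
        return False, "no extension"
    ext = filename.rsplit(".", 1)[1].lower()
    ext = EXT_ALIASES.get(ext, ext)
    if ext not in MAGIC:
        return False, f"extension not allowed: {ext}"
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not match {ext} signature"
    if ext == "pdf":
        hit = PDF_ACTIVE.search(data)
        if hit:
            return False, f"pdf contains active content: {hit.group(1).decode()}"
    return True, "ok"

def stored_name(ext: str) -> str:
    """Never reuse the client filename or echo the storage path: the demo app
    showed the upload location, which is what let the uploaded file be reached."""
    return f"{secrets.token_hex(16)}.{ext}"

# Constructed sample uploads (not captured from the talk's lab).
PHP_AS_TXT = b"<?php echo 'renamed script'; ?>"
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
          b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    print("extension-only, shell.txt accepted:", extension_only_check("shell.txt"))
    for name, blob in [("shell.txt", PHP_AS_TXT), ("resume.pdf", PHP_AS_TXT),
                       ("resume.pdf", CLEAN_PDF), ("invoice.pdf", JS_PDF)]:
        print(name, validate_upload(name, blob))
```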
