0410, 2022

DeepSec 2022 Talk: Malware And Exfiltration : A Telegram Story – Godwin Attigah

Sanna/ October 4, 2022/ Conference

Exfiltration and command and control are essential parts of the adversary’s kill chain. One of the primary goals of a malicious adversary is to exfiltrate data from an environment undetected and uninterrupted. As a result, several attackers have opted for third-party services typically sanctioned for most enterprises. The accepted status of such applications coupled with an established developer ecosystem makes services such as Slack and Telegram suitable for their exfiltration and command-and-control tool of choice. We have observed the usage of Telegram in different malicious activities including but not limited to ransomware, phishing, remote access trojans and stealers. We will discuss active samples found in the wild with a particular emphasis on stealers. Stealers are a class of malware that is primarily interested in gathering information on a host. Recent examples of Telegram in

Read More

0710, 2017

DeepSec 2017 Talk: XFLTReaT: A New Dimension In Tunnelling – Balazs Bucsay

Sanna/ October 7, 2017/ Conference, Security

“Our new tool XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter”, says Balazs. “It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic, and it is also worth mentioning that the framework was designed to be easy to configure, use and develop.” We asked Balazs Bucsay a couple more questions about his talk: Please tell us the top 5 facts about your talk. Tunnelling is not new at all, but

Read More

1306, 2016

DeepSec 2015 Slides: Bridging the Air-Gap – Data Exfiltration from Air-Gap Networks! Much Slides! Very Animated! Wow!

Sanna/ June 13, 2016/ Conference, Security

The presentation titled Bridging the Air-Gap – Data Exfiltration from Air-Gap Networks was held at DeepSec 2015. Since the presentation format was not meant to be printed or viewed with generic documents viewers, the slide deck had to be converted. The slides in PDF format can be downloaded from this link: https://drive.google.com/file/d/0B_dwBl7uf6PdRndDa1Rad1dMdFk/view?usp=sharing For an animated version of the slides, use one of these links: http://prezi.com/mrzzjpzgvcr8/?utm_campaign=share&utm_medium=copy or in short http://goo.gl/mpCNWC Mind the gap and enjoy!

2501, 2016

DeepSec Video: Bridging the Air-Gap – Data Exfiltration from Air-Gap Networks

René Pfeiffer/ January 25, 2016/ Conference, Security

Isolation is a prime ingredient of information security. The air-gap is the best way to isolate systems. Only wireless communication can transport data across these gaps. Apart from Wi-Fi the signals of mobile radio communication are very common. At DeepSec we have seen a lot of hacking when it comes to mobile phones and their networks. Mordechai Guri and Yisroel Mirsky (both of Ben-Gurion University of the Negev) held a talk about how to overcome the air-gap barrier by means of cellular frequencies. Their presentation addresses the way of exfiltrating data across the air-gap: „Although the feasibility of invading such systems has been demonstrated in recent years, exfiltration of data from air-gapped networks is still a challenging task. In this talk we present GSMem, a malware that can exfiltrate data through an air-gap over

Read More

1806, 2011

Talk: Data Exfiltration – not just for Hollywood

René Pfeiffer/ June 18, 2011/ Security

Iftach Ian Amit discusses infiltration of networks and exfiltration of data. Imagine you have completed the infiltration, data targeting and acquisition phase. You have secured the data you were looking for. Now what? How do you get to „your“ data out of highly secured environments? You need to avoid data loss protection (DLP) tools, avoid IPS/IDS, avoid updating your payload frequently, need to design a control channel that can handle disconnected operation. The data itself needs to be protected from filters or pattern matching sensors. SSL/TLS comes to mind, but some infrastructures terminate SSL at proxies and inspect content. End-to-end encryption is a better method if combined with content obfuscation (there are patter matches for GPG/PGP and other ways, too). Transport needs to use a covert or back channel. This can be a talk page of

Read More