Hackfest 2018

Hackfest has to be one of my favourite security and hacker conferences. Located in beautiful Quebec City, Quebec, it’s the perfect opportunity to meet up with friends old and new over a good beer, sugar pie and of course poutine.

2018 marked the 10th anniversary of Hackfest, and the second year of the extremely popular Social Engineering CTF. There was a special epic edition of The French Connection podcast – yours truly was invited to join the group to talk about all the things in both French and English, as the glasses kept getting topped up.

Hackfest is known for its excellent trainings before the event, and people come yearly just to participate in the legendary CTF. However, there was so much more to do, and attendees brought their kids along to join in the fun of makerspaces and badges.  I loved getting to try my hand at soldering.

And of course there were the talks. Kudos to my friends Cypher and Pam for an excellent talk on analyzing hacked data services and their tool Breach Analytica.

I shared my thoughts on the evolution of botnets from DDoS annoyances to malware-laden weapons of mass disruption. You can enjoy my talk here:



The Power of Our Community

A few short weeks ago, a dream of mine came true. I spoke at DerbyCon.  Twice, infact – I’m still pinching myself. But best of all was that I got to speak about something that matters so very much to all of us – community. Our infosec community.


2018 has been an extraordinary year of opportunity and personal goals realized, and I don’t want to take any of it for granted. Over the past four years since falling down the rabbit hole of wonder known as InfoSec, I’ve been very fortunate to have given talks at many conferences, and it matters because speaking at “hacker” cons is how I have really been able to grow and develop, where I get to build meaningful connections with our community by giving and receiving knowledge. My badges are a powerful tangible timeline for me, starting my journey from when I first came here with nothing,  during an awful period in my life. Each badge is a foothold on that mountain I climbed, imbued with what I learned, strength from those who helped me, pain from those who didn’t, and my desire to learn more, try harder. I see the faces of people I’ve come to know and love, places that are now familiar, memories filled with amazement and laughter. All of that fills me with gratitude and hope and a childlike wish to reach for the stars.


I have never expected anyone to pay my way, and I never will.  For my first trip to Vegas, and my first ever talk, I came down with a box of cereal bars and the good will of friends who let me crash in their rooms. Thanks to BSidesLV Proving Ground, and working as a volunteer, I had food, shelter and enough to get a pass to Defcon.  It was more than I ever dreamed of, and everything I ever wanted. I met people who believed in me, who shared the same passion for InfoSec I had.  I am forever grateful to the friends I made who welcomed and supported me during those early days, and for the doors BSidesLV opened up. What I get from giving talks and going to infosec cons has been life changing, and it’s made me a better human because I think how I can help, what I can give back, what I can share. I’m sharing this to encourage anyone who thinks they can’t get there from here, who’s faltering just now and needs someone to say “I believe in you.” Yes you can!

This is my way of saying “Thank You”.  There is profound joy in discovering your passion, and being able to follow it.It is a gift to be part of a community of learning, and I have learned so much from so many of you, even those who think they are new, or have nothing much to share. I wandered a very long time before I found my way here, but when I did, I knew I was home, I belonged here in all the ways I had never belonged in the rest of my life. And gathered along the way during my journey here I bring experience, humility, compassion, determination and so much more to help us build, strengthen and grow this wonderful community we are.

This is the talk I gave at DerbyCon about all we are, and the potential we have. I hope you can see yourselves in the reflection of the respect and appreciation I have for you.  We are beautiful in our imperfections. We are infinite in our possibility. We are better together. I believe in us.



A Bevy of Botnets

Trickbot & Mirai & VPNFilter
Botnets do more than put things out of kilter
Ransomware, miners & banking crime rings
These are a few of my favourite things

Ah botnets – they scare and fascinate me, like a really good horror movie.  And given the horror show that IoT has become, that is rather apropos.  At the beginning of January I became fascinated with what we have all seen develop into The Year of the Botnet.  That fascination led to research which led to talks and now to this blog post.  Because there are just so many good stories here to tell.

Something wicked this way comes …

Imagine a zombie apocalypse … of crockpots? Welcome to the connected hell of IoT, where “set it and forget it” really is a best practice. Default passwords are de rigeur. And embedded system vulnerabilities are everywhere. Have we even factored in the tsunami of unsecured connected devices being acquired by the developing world?
Botnets have moved beyond the realm of script kiddies playing the Grinch at Christmas with Playstations & X Boxes. We need to look at these as more than an attack of annoyance or inconvenience. They have become one more weapon in a digital arsenal for the games nationstates play, no referee, no playbook.

biggest ddos recorded

At the beginning of January, we saw a flurry of activity as Mirai variants got busy out there. More importantly, 2018 is to coinminers what 2016 was to ransomware. And coinminers go together with bots like peanut butter goes with jelly.

My hit list of the biggest and baddest:

Smominru: Holy carp but this one was a giant mining rig that opened the floodgates in January and caught my attention by the sheer size. This is one of the biggest, most successful cryptojacking botnets currently active.  It netted $2.3 billions by leveraging EternalBlue to find and enslave more devices. Superpower: evades sinkholes.

Necurs: The hits just keep on coming. The largest spam botnet in the world discovered ransomware just in time for Thanksgiving last year. Necurs is known for delivering some of the nastiest stuff out there. And serves as a pointed reminder that threats don’t disappear forever.

Mirai and its spawn: Mirai was a watershed moment, bringing the east coast to its knees with an unprecedented prolonged outage. That source code was released, and has been manipulated like playdough in the hands of attackers. The past six months have brought about significant evolutions in what the botnets target and what the botnets can do. Progeny include Satori, Matsuta, Okiru.

Satori: This is an attack bot, hijacks cryptocurrency miners, steals funds, launches SSoS attacks. It survived a takedown attempt in December. Then it went after those tasty GPON routers. Port 8000 sure was busy in June. Lots of port scanning for devices with that open via their WAN interface in response to the XionMai PoC , a buffer overflow vuln CVE-2018-10088. That’s a lightweight web server package often embedded in the firmware of some Chinese routers and IoT equipment. Then the botnet authors added support for a second exploit. (See  Bleeping Computer June 15) This had a PoC also online for D-Link DSL-2750B routers, exploitable via ports 80 and 8080.

I’ll spend a little more time on Satori because it showcases how the release of the Mirai code has pushed the evolution of botnets.  Satori selectively scans for vulnerable IoT devices, and exploits – no surprises here, Huawei. And … the code for Satori was posted on Pastebin for free.


Hide n Seek: Persistence pays off. Here’s the pivot we’ve been waiting for. This is the first time a botnet has achieved persistence, and I don’t have to tell you that’s a bad thing. There are a few other interesting enhancements that indicate attackers are looking beyond what we see bots currently used for: a custom built peer-to-peer communications set up; multiple anti-tampering techniques so that nobody can interfere; leveraging exploits.  This bot has had three updates, increasing its capabilities significantly each time. It moved from basic IoT cameras to a host of other IoT connected devices and a range of architectures. Now, it can go after Android devices. For a botnet whose sole purpose thus far has been to go forth and grow, they just seriously upped their game.

VPNFILTER:  Who didn’t get the notification from the FBI about turning off their SoHo routers to flush this malware.  This hit around June, with all the bells and whistles than come with a Nationstate backed investment. TLS – ha! bypassed that security. Man in the middle attacks on incoming web traffic. What had security folks doing a double take was that this malware wasn’t about just co-opting these devices for a routing attack but to actually pwn the device completely and take ALL the data going through it – yes, attention online shoppers. According to the Talos team, the attacks were extremely targeted, pinpointing credentials. This went after ALL the routers, 500,000 in 54 countries, gobbling up those vulnerabilities. It hasn’t gone away, it’s just gotten better at what it does and added even more routers to its growing collection. And yes, it most definitely has persistence.

PROWLI:  This infected 40,000 web servers, modems and IoT devices in what is described as a “diverse operation” that leverages known vulnerabilities and brute force attacks for credentials. Targets of choice included Drupal, WordPress and Joomla sites, hitting exposed SMB ports.  The malware spread via the R2R2 worm to load a Monero miner, and infected the CMS platforms with a backdoor.

Mylobot:  Evasion. Infection. Propogation. There’s a whole lot of upscale tricks this new malware came loaded with. AntiVM, ant-sandboxing, anti-debugging, process hollowing, code injection. This botnet is multipurpose, ready to be loaded with keyloggers and trojans, or cause a DDoS. Superpower: seek and destroy other malware.

Anarchy:  Rome wasn’t built in a day but Anarchy botnet sure was. 18,000 devices were tracked when security researchers saw a serious uptick in scanning Huawei devices on July 18. Yeah, no problems with those. They were looking for CVE-2017-17215, which is a critical flaw that can be exploited through port 37215. Attackers can send packets of maliciousness in attacks and remotely execute code to enslave and control these zombies. A hacker called Anarchy has declared this their creation per security researcher Ankit Anubhav on twitter. This vulnerability was leaked in Dec 2017 and used in the Satori botnet. The code to compromise the Huawei routers was made public in January and used in both the Satori and Brickerbot botnets, as well as spawn of Mirai botnets.

And I think I saved the best for last …

Torii: New on the scene, this one joins the hall of infamy as only the 3rd botnet to achieve persistence, Torii does not appear intended for the mundane purposes of DDoS or cryptomining.  It uses no less than 6 techniques for persistence, and is designed for a dizzying array of CPU architectures. Torii has a modular design so that it can be multipurpose, designed to do the dirty work under layers of encrypted communications. Nobody knows what its actual purpose is or who made it, but thoughts are this could be the backdoor to something even bigger. Time will tell …

BYOD and IoT  
We all know about Shadow IT. And the joys of trying to manage BYOD. Everyone brings their own stuff in. Or uses their own stuff remotely. The intermingling of unregulated tech and sensitive data is terrifying but real. SOHO routers are heart of botnets, enslaving attached devices. What does this look like if it goes beyond routers and webcams flooding access?

Bad bad bad bad things …

What aren’t we taking into consideration that attackers could leverage next? I have a few theories for you about ICS and sensors working overtime.


Most botnets have tasks to fulfil. Which means they need to call home, and that reveals the C+C servers so that you can eventually track them down. So here’s the next pivot: what if they don’t have to call home? What if they have one job: to go forth, infect and grow. We’re talking about a wormable botnet, self-propogating, that leverages some of the best available exploits out there, like EternalBlue. With no human required. Up to now, botnets have mostly been monetized for DDoS and sold on the darknet, unless they being used to amuse skiddies. The exception was Mirai, which was used as retribution in targeted attacks against Brian Krebs, and a major provider in France. DDoS became a weapon, not just an outage.

The fact is that attacks evolve. Where could attackers go with this? What if attackers level up to nationstates? The devices that make up an army don’t need to be sophisticated. In this game it’s about quantity, not quality.

How much damage can they do? Weaponized botnets are no mere annoyance. Their capacity to create extensive outages or deliver malicious and damaging payloads is far beyond inconvenience.

What do you get when you combine unpatched vulnerabilities, existing nation-state exploits, millions of enslaveable, inherently insecure devices and self-propogating malware? What if you could use time delay, to evade notice and make less noise? Leverage multiple attack methods, based on operating system? Establish persistence? Oh – and it’s all automated.





























An Epidemic of Healthcare Breaches

Isn’t it ironic? Following the massive Equifax breach of 2017, and the fallout from the OPM breach in 2016, how is that there are still monolithic breaches in 2018?  How the #@*^&$ does this keep happening? I started charting a breakdown by sector and severity here. And I’ll also show disclosure dates because the time discovered vs the time revealed has huge impact to those caught up in a breach. It’s time used by the bad guys to sell the data and use that data for fraud. Victims deserve to know as soon as possible so they can choose what action they take to protect themselves, rather then rely on someone else to do that – badly – for them. A year of credit monitoring just doesn’t cut it.

What disturbs me is the amount of healthcare data out there, and the number of breaches, which exposes some very sensitive information of some very vulnerable victims. I’m going to continue to dig into this and show what I find. A special shout out to folks who are working hard to secure healthcare: I am the Cavalry, @JoshCorman, @_j3lena_, @_odddie_, @beauwoods to name but a few.

Here is the link to the spreadsheet Breach Report I am keeping and you are welcome to use what I share with the reminder to always be sure to cite your sources   This is just the tip of the iceberg. I’ll do my best to share updates and links.

Where should you look if you have been breached or suspect you have? I recommend “Have I Been Pwned” by Troy Hunt, and there are other resources out there. Lots of people are doing great work in this field to whom I give all credit. I like to check DataBreaches.net

The Diana Initiative 2018

diana banner

Like many, I am counting the sleeps until Hacker Summer Camp happens this year in Vegas. I am more excited for this than my kids ever were for sleep away camp!  Cons are where we reconnect with each other and do some major facetime irl. As someone special has told me, each year it becomes more about attending to see our people than to learn the things.

This year, I am volunteering at 3 events, speaking at 3 events, and trying to see all the events lol! (alas not Blackhat since I can’t pay my way there and am not a speaker). Most of all, I’ll be helping host an event for the second year. The Diana Initiative  is a two day conference where we celebrate diversity, women in InfoSec, and help attendees pursue a career in information security and technology.  The conference is all-inclusive, because we want everyone to learn to work better together.  If you want to attend please do – be sure to register online because we won’t be able to accept walk-ins.

Our theme this year is “Hacker Family: Our Diversity Unifies Us” which resonates with me the more I get to know our community. I think of our hacker family dinners – because as many of us will attest, this community has become our family. Each of us brings something unique to the table, and when we share that knowledge and experience, there is a feast of learning and growth.  I didn’t get here without some help and support along the way, and this is how I get to repay that and pay it forward. We build our future by nurturing and growing the next generation and those to come.

This year we have expanded our talks to two speaking tracks, featuring technical as well as non-technical so that our attendees can show all they know! The submissions were outstanding and I give huge congratulations to everyone – our list of talks is fantastic! Exploits, imposter syndrome, IoT, CFPs, python and cryptography to name some of the topics covered. Here is our Diana Initiative Schedule so you can see the list of talent.

But wait – there’s more.  We are thrilled to announce we are featuring four incredible keynote speakers:

Thursday 9:45 am Shannon Morse @snubbs  “Personal Branding as an Infosec Influencer – Building a Career from Scratch”.  Shannon is Hak5’s host, producer and lead editor, and and actively promotes security and women in tech.

Thursday 5:00 pm Elizabeth Wharton @LawyerLiz “The Skirt Shoots, Scores and Soars”. Liz actively speaks on IoT, drone, and aviation cyber security issues, as well as hosting the Lawyer Liz podcast.

Friday 9:45 am  Keirsten Brager @KeirstenBrager “Seconomics: How to Earn More Money and Influence in the Next 5 Years”. Keirsten is well respected as an author and speaker promoting strategies for success and helping to change the game.

Friday 6:00 pm Amanda Berlin @InfoSystir “Hackers, Hugs and Drugs – Mental Health in Infosec”. Amanda is well known for her involvement in the community, on the Braking Down Security podcast, and for her book with Lee Brotherston,  “The Defensive Security Handbook”.

Support and goodwill from the community has been more than we could wish for. Huge thanks to Risky Business Podcast host Patrick Gray and sponsors Signal Sciences, Remediant and Bugcrowd who are hosting a special mentorship cocktail hour from 6-7 pm at Alexxa’s Bar @ Paris on the Las Vegas Strip Tuesday, August 7th. They have invited Diana Initiative attendees along with Risky Business listeners who identify as women; registration details are on the Diana Initiative registration form.


Once again, Lockpick Extreme has offered to host our Lockpick Village, which was a tremendous success last year. This year, they will also be offering a lock pinning workshop, which you must pre-register for on our online form.

We want to help attendees follow their passion for infosec and build their careers so we’ll be holding a Career Fair with resume workshops, mock interviews and the opportunity for professional headshots. Some of the most talented and experienced folks in infosec will be giving their time in individual sessions to help our attendees who have registered online.

And this is Summer Camp so yes, it will be all fun and games for a little while. We are hosting a Quiet Party on Thursday night and a Loud Party on Friday night, with board games, challenges and opportunities to meet people and talk about our diverse interests in a relaxed, comfortable setting.

It takes a village. I am moved beyond words by the support, encouragement and caring expressed by our volunteers and sponsors – this would not be happening without you. Each of you is making a real difference, and helping us to build something that goes far beyond a two-day event. That is why we chose the word “initiative” – to embody the spirit of a movement, and represent change and progress as ongoing. And I am honoured to be part of this dedicated, talented team who have put their whole hearts and countless hours into doing the multitude of things required to bring our event to life. We are here because we share a belief in what we do, and we answered a call to help make things better.

Let’s make this happen again! Can’t wait to see you in Vegas!


2018: The rise of Cryptominers

They’re everywhere. Really. Everywhere. And if you don’t think they’re on your systems, think again. In the first 3 months of 2018, unique cryptominer types increased from 93,750 to over 127,000.  Compare that to ransomware, which was doing a booming business from 2016 into 2017.  New ransomware variants actually declined from 124,320 to 71,540.  Exploit kits are also down. That’s significant, because cybercrime is all about efficiency and profit. Illegal or malicious cyrptominers have evolved from a nuisance infecting individual systems to a pervasive threat on enterprise systems.

Per researchers at Cisco TALOS

“The number of ways adversaries are delivering miners to end users is staggering. It is reminiscent of the explosion of ransomware we saw several years ago. This is indicative of a major shift in the types of payloads adversaries are trying to deliver. It helps show that the effectiveness of ransomware as a payload is limited. It will always be effective to ransom specific organizations or to use in targeted attacks, but as a payload to compromise random victims its reach definitely has limits. At some point the pool of potential victims becomes too small to generate the revenue expected.”

The lure of easy money is unmistakable. Cryptominers offer “continuous passive income” versus the risk of not getting a ransom with ransomware.  And you can’t beat the return on investment. It’s pretty much pure profit, since the miners use somebody else’s resources.

The trend actually took hold in 2017, and has not stopped escalating. ZScaler reports it blocked more than 2.5 billion attempts over the past 6 months. On April 12, Infosecurity Magazine reported that cryptomining spiked 500% on corporate networks.  This is no longer a single-machine effort, but a massive, coordinated hunt by botnets for vulnerable systems. Researchers report that within the space of 24 hours, attackers tried to compromise 30% of networks globally using botnets to find vulnerable servers and web applications. PATCH people!

Mining is resource-intensive.   Monero has moved past what standard user systems can supply. Now, it requires graphics cards or preferably application specific integrated circuit ASIC chips.  We’re seeing miners shift to mining alternative currencies to Monero that can be mined using any CPU.

The impact is significant in terms of wear and tear on hardware. Miners usurp corporate bandwidth. They cause performance issues, and we know that uptime must be all the time. What enterprises should also take note of is that they could be at risk of compliance violations because of the unidentified activity on their corporate systems.

PIVOTS:  In 2016, we saw ransomware pivot and morph from attacking individuals to leveraging vulnerabilities on servers and networks and attacking institutions. We’re seeing the same thing happen with cryptominers, as criminals discover how to make better money, faster. They are hunting for web servers and applications they can exploit via unpatched vulnerabilities, both old and new.  Once they can compromise a system, they install the mining software.

Now, it appears that criminals are repurposing malware as miners, which is not a good thing when that malware happens to be ransomware. Case in point: XiaoBa. Researchers at Trend Micro report this new variation was not modified well, so that it is destructive. The sloppy code destroys files and crashes PCs. While his isn’t widespread, and will likely be reworked, the damage has been done to numerous systems. And raises the bigger issue: what will attackers rework next, and whose systems will be at risk?

MINERS: The one to watch for is Coinhive, as the most impact and pervasive.

BOTNETS:  Smominru: this is one of the biggest, most successful cryptojacking botnets active. So far, it’s netted $2.3 billion by leveraging the EternalBlue exploit to infect and enslave computers as part of the botnet. At more than half a million bots, the system is massive, and had evaded sinkhole attempts against it.

TARGETS: Because browsing time by users is high, nudity/porn sites, or those with streaming media, offer the most value for miners. However professional and marketing services are also rating high, bringing miners onto corporate networks.

Android and mobile systems: Kaspersky reports they found malicious mining apps in the Google Play store, imitating legitimate apps like games and VPNs, and notably sports streaming apps.  Some of these were downloaded over 100,000 times.  The criminals know this is a numbers game, because mobiles aren’t high performance and the risk of detection is higher.   Mining has become a frequent topic on darkweb forums, as members share knowledge, experiences and advice to improve their success.

Coinhive has evolved over time. Numerous compromised sites use JavaScript obfuscation and the final code presents itself as Google Analytics JS to viewers.

ATTACKS:  ZEALOT was discovered by researchers at F5 in late 2017.  This Monero cryptominer installed itself on vulnerable Apache Struts systems, leveraging the EternalBlue and EternalSynergy exploits.  PATCH, people!

A recent attack is leveraging an older ISS vulnerability on Windows servers. Microsoft was going to let IIS Internet Information Services 6.0 run its course and die. But there was a WebDAV exploit posted on GitHub in March 2017.  The vulnerability, CVE-2017-7269, is very similar to the NSA “Explodingcan” exploit that was part of the infamous Shadow Broker’s Good Friday dump. Attackers used that flaw to install cryptominers.  We all know that once a vulnerability is made known, attackers pounce and exploits follow.  In this case, the exploits has a new ASCII shellcode that contains a return ortiented programming ROP chain. This uses instructions that are already loaded in memory, so there is no need to write or execute further external code.  This enables the attackers to bypass security mechanisms, like executable space protections and code signing.

Lateral movement. Those two words should scare every security analyst. It’s what we fight to prevent. We don’t want the attacker to get to move through our networks and gather data. But this is the hallmark of sophisticated ransomware attacks on enterprises, and it’s now part of cryptominers.  In a report by Red Canary, they detail how an adversary mixed lateral movement with cryptomining on a Windows system. We know there are processes to watch over very, very carefully in Windows. In this case, they found numerous Windows command shells that were spawning from the Local Security Authority Subsystem process, lsass.exe.  This process handles user authentication for a system and typically does not have child processes. Authentication is a crown jewel so anything impacting this is critical.  The child processes that would spawn would inherit major privilege and have unrestricted access to the local system. Hello, lateral movement. This is the threat to enterprise systems we need to be monitoring.

PROTECTION:  Set up a web application firewall infront of all applications.  Keep your system patched and up to date. And monitor system performance for even small impacts.  There are numerous threat intel teams now tracking the mining bots and sharing IOCs, as in the link below from Proofpoint. That is the beauty of the security community at work.  Security teams can use this info to ensure their networks are not communicating with mining bots. Because all that glitters is not gold – it’s bitcoin.


ZDNet 04/05/2018 D. Palmer
Red Canary:  T. Lambert April 4
darkreading 4/5/2018 T. Kreikemeier
Comodo Cybersecurity Threat Research Labs Q1 Global Malware Report


Today’s Advisories

CISCO scores a perfect 10 on vulnerability. Fixes available. DO IT NOW!

This vulnerability is critical.  CVE-2018-0101 is ranked 10 out of 10 for severity. That means it can be easily exploited, remotely exploited and no authentication required. There are no workarounds “so customers must either disable the ASA VPN functionality or install updated OS versions”.  Get yer patches up now!

Cisco says that an attacker can send malformed XML packets to such devices and execute malicious code on the device. Depending on the code’s nature, an attacker can gain control over the device.

It affects any devices running ASA Adaptive Security Appliance software only if they have the “webvpn” feature is enabled in the OS settings. You can find more information about  ASA Software version numbers for fixed releases in Cisco’s CWE-415 security advisory.

Per Bleeping Computer https://www.bleepingcomputer.com/news/security/cisco-fixes-remote-code-execution-bug-rated-10-out-of-10-on-severity-scale/

New Ransomware GandCrab being delivered by RIG exploit kit. 

This one requests DASH cryptocurrency which is apparently harder to trace by law enforcement. Ransom is 1.54 DASH or $1170 USD. It apends .GDCB to files it encrypts. Here’s how victims will know it’s too late:

At some point, the ransomware will relaunch itself using the command “C:\Windows\system32\wbem\wmic.exe” process call create “cmd /c start %Temp%\[launched_file_name].exe”. If a user does not respond Yes to the below prompt, it will continuously display the UAC prompt.

Be advised: there is NO decryptor currently available for GandCrab.  Follow the standard security protocols to keep your data and systems safe.

  1. Use antimalware security software that incorporates behavioral detections to combat ransomware like Malwarebytes or Emsisoft Antimalware
  2. Scan attachments with tools like VirusTotal.
  3. Have all current updates, especially for Java, Adobe, Windows

Per Bleeping Computer https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/