Ransomware Detection Preview
Editor-in-Chief: Joanna Kretowicz (joanna.kretowicz@eforensicsmag.com)
Editors: Marta Sienicka (sienicka.marta@hakin9.com)
Proofreaders: Lee McKenzie, Hammad Arshed, Ali Abdollahi
Senior Consultant/Publisher: Paweł Marciniak
CEO: Joanna Kretowicz (joanna.kretowicz@eforensicsmag.com)
Marketing Director: Joanna Kretowicz (joanna.kretowicz@eforensicsmag.com)
DTP: Marta Sienicka (sienicka.marta@hakin9.com)
Cover Design: Hiep Nguyen Duc, Joanna Kretowicz
Publisher: Hakin9 Media Sp. z o.o., ul. Bielawska 6/19, 02-676 Warszawa
Phone: 1 917 338 3631
www.hakin9.org
In this month’s edition, we decided to focus on Ransomware, so you will read about various examples of ransomware
attacks that happened in the past (WannaCry, for example), and how to protect your system by detecting this threat. Let’s
To better understand ransomware, we recommend reading the Ransomware Campaign article, where you will see how
those deadly attacks are performed, how encryption and decryption are used by attackers. For a more practical approach,
Case Study of Ransomware Detection will be perfect reading for you. In this article, authors present how Machine
Learning is used to uncover ransomware, what’s the best methodology for ransomware detection, and how to secure your
A different approach is offered by Android Applications: Ransomware Detection, where the focus is on mobile phones and
the Android system. It’s a very detailed research paper, which shows how vulnerable your device can be. We also have a
As always, we also prepared articles about other topics! We start with BARBARUS Pi Raspberry Pi: Attacking Robot, which
is a great tutorial for hardware fans. In the article Advanced research and use of modules with Metasploit the author’s
main goal is to automate penetration testing tools in Python. As you can guess, their focus is on Metasploit.
While on the topic of penetration testing, you will take a closer look at Gathers, a tool that enhances information
gathering. Gathers is a fairly new project; it features a user-friendly graphical interface that is approachable even for less
experienced users. While reading this edition you will also explore vulnerabilities in Register Files and see how hardware
trojans can inject faults during read or retention mode. Spring Security Framework and OAuth2 To Protect Microservice
We would like to send a big thank you to all contributors that joined this edition! Without you, this amazing issue wouldn’t
be possible. Special thanks to all the reviewers and proofreaders involved in the process of creating this issue.
Summertime is slowly approaching and despite the still active threat from COVID-19, we hope that you will have a chance
to relax and enjoy your free time. Stay safe and positive!
massinissa.immoun@etu.parisdescartes.fr
7
ALEXANDRE BERESKI
alexandre.bereski@free.fr
8
BARBARUS Piaspberry Pi: Attacking Robot
Introduction
Cyber security is an increasingly important issue for companies. Every year, computer attacks cost companies significant
sums.
In this article, we will take you through the different steps to perpetrate one of these attacks by putting ourselves into the
position of an employee being fired who wants to harm his ex-company.
To reach this objective, we programmed a software framework for an attacking robot: a Python-based Raspberry Pi
piggybacked on a smart car (the Reboot car shown in Figure 2) that carries out payback and revenge operations through
automated actions.
We will finally propose a response action to stop the attacks and mitigate the risks.
Material used
As illustrated in Figure 3, our robot is built to attack the target using two different methods: first by scanning the hosts for
vulnerabilities, and second by social engineering.
9
1. Host discovery
First, we scan the local network that our robot is connected to in order to identify all live hosts, using python-nmap.
10
RANSOMWARE
CAMPAIGN
OUALID BOUCHENAK &
AHMED BENCHEIKH
Oualid Bouchenak and Ahmed Bencheikh, two computer science students
degree.
Contact us:
oualid.bouchenak@etu.parisdescartes.fr
ahmed.bencheikh@etu.parisdescartes.fr
12
Ransomware Campaign
Introduction
Ransomware is malicious software that stealthily gets installed on a computer or mobile device and displays messages
demanding that a fee be paid in order for the system to work again and for the encrypted files to be returned. As with all
malware, ransomware can be installed through deceptive links in an email message, an instant message or a website.
Ransomware attacks are a trend nowadays because they are very easy to create and conceal, hard for the victims to detect,
and, of course, people and companies actually pay the ransom.
For the creation of our ransomware, we took the well-known WannaCry as our model. It encrypts data on a computer
that has been infected, then tells the user that their files have been locked and displays information on how much is to
be paid and by when, with payment taken through Bitcoin (a payment medium). That is how most ransomware works.
Encryption:
In order to quickly encrypt and decrypt files, ransomware uses two kinds of cryptography combined, symmetric and
asymmetric. This is called a “hybrid encryption scheme”.
• When the ransomware starts running, it generates a pair of keys for the client (C_pub & C_prv).
13
RF-TROJAN:
LEAKING
KERNEL DATA
USING REGISTER
FILE TROJAN
MOHAMMAD NASIM
IMTIAZ KHAN
Non-Volatile Memorie.
15
ASMIT DE
security applications.
16
SWAROOP GHOSH
Swaroop Ghosh received the B.E. (Hons.) from IIT, Roorkee, India, the
M.S. degree from the University of Cincinnati, Cincinnati, and the Ph.D.
nanometer technologies.
17
RF-Trojan: Leaking Kernel Data Using
Register File Trojan
Register Files (RFs) are the most frequently accessed memories in a microprocessor for fast and efficient computation and
control logic. Segment registers and control registers are especially critical for maintaining the CPU mode of execution that
determines the access privileges. In this work, we explore the vulnerabilities in RF and propose a class of hardware Trojans
that can inject faults during read or retention mode. The Trojan trigger is activated if one pre-selected address of L1
data-cache is hammered a certain number of times. The trigger evades post-silicon test since the required number of
hammering to trigger is significantly high even under process and temperature variation. Once activated, the trigger can
deliver payloads that cause Bitcell Corruption (BC) and inject read errors through the Read Port (RP) and Local Bitline (LBL). We
model the Trojan in the GEM5 architectural simulator performing a privilege escalation. We propose countermeasures such as
read verification leveraging the multi-port feature, securing control and segment registers by hashing, and L1 address
obfuscation.
1. INTRODUCTION
A hardware Trojan [1] is a malicious modification to a circuit that causes a chip to perform undesirable operations. Ideally,
these modifications made to an Integrated Circuit (IC) should be detected during pre-Silicon verification and post-Silicon
testing. In order to evade such structural and functional testing, an adversary designs the Trojan to activate only under
certain rare conditions and to remain undetected during the test phase. For example, the analog Trojan trigger proposed in
[2] charges a capacitor every time an instruction is being executed. After a few cycles, the capacitor charges up and asserts a
signal used to flip some specific bits of control logic and can escalate the adversary’s user privilege.
A hardware Trojan is composed of two parts: a trigger and a payload [3], [4]. A Trojan trigger similar to [5] has been considered
in this work (details in Section II.A). Once triggered, the Trojan delivers payloads to the Register File (RF) such as Bitcell
Corruption (BC), Read Port (RP) and Local Bitline (LBL) Trojans. The RP and LBL Trojans inject read errors. Note that we
have considered the trigger proposed in [5] (over [2]) since it, i) is robust against process and temperature variation; ii)
evades post silicon testing and system level detection mechanisms; and, iii) incurs less area overhead.
We note that RF stores security critical information and tampering can lead to leakage of sensitive data. For example, a
code segment (CS) register file contains a Current Privilege Level (CPL) field that determines whether the CPU is currently
executing in user mode or kernel mode. User mode processes are restricted from accessing data from the kernel space
based on the CPL set in the CS register. The adversary can take control of the kernel mode by manipulating the RF entry
that stores the execution mode and run unauthorized operations.
Attack Model: We have assumed that the Trojan trigger and payload have been inserted either by the designer or by the
untrusted fabrication house. The adversary is a user who is sponsored by the fabrication house and is aware of the trigger
requirements. After the deployment of the chip in the market, an adversary can launch a malicious program to activate the
trigger. The adversary can then deploy the desired payloads using the proposed BC/RP/LBL Trojans. Note that even if the
trigger is activated, BC/RP/LBL Trojans can remain dormant (until payload deployment conditions are met) and the
system functions normally. The Trojan payload changes the CPL field in the CS register from 3 (user mode) to 0 (kernel
mode). This essentially escalates the privilege of the adversary’s process and allows access to kernel space.
18
CASE STUDY OF
RANSOMWARE
DETECTION
CHIH-YUAN YANG
Security and Privacy Research, Intel Labs, Hillsboro, Oregon, USA
20
RAVI SAHITA
Ravi Sahita is a principal engineer in Intel Labs. He is experienced in
21
Case Study of Ransomware Detection
The damage caused by crypto-ransomware, due to encryption, is difficult to revert and causes data loss. In this article, a
machine learning (ML) classifier was built to detect ransomware that uses cryptography (crypto-ransomware) early, from
program behavior. If a signature-based detection was missed, a behavior-based detector can be the last line of defense to
detect and contain the damage. We find that the input/output activities of ransomware and the file-content entropy are
unique traits for detecting crypto-ransomware. A deep-learning (DL) classifier can detect ransomware with high accuracy and
a low false positive rate. We conduct adversarial research against the models generated. We use simulated ransomware
programs to launch a gray-box analysis to probe the weakness of ML classifiers to improve model robustness. In addition to
accuracy and resiliency, trustworthiness is the other key criterion for a quality detector. Making sure that the correct
information was used for inference is important for a security application. The Integrated Gradient method was used to
explain the deep learning model and also to reveal why false negatives evade the detection. The approaches to build and to
evaluate a real-world detector were demonstrated and discussed.
I. INTRODUCTION
Ransomware is a type of malware that hijacks a user’s resource or machine and demands a ransom. It was estimated to cost
businesses more than $75 billion in 2019 and continues to be a problem for enterprises [1]. Ransomware can be divided into
two main categories, the locker- and the crypto- ransomware [10]. The locker-ransomware hijacks resources without using
encryption, but crypto-ransomware does. Due to the encryption, the file encrypted by the crypto-ransomware, in most
cases, is difficult to revert or decrypt. Even with a proper backup, there is still a chance to miss partial data between
ransomware strike and the last backup. An endpoint protection software based on binary signature may not be able to block
an unseen ransomware. The behavior-based detection [19], combined with a proper backup mechanism, was proposed to
be one of the mitigation solutions.
In this article, machine learning (ML) and deep learning (DL) classifiers were proposed to detect crypto-ransomware early,
based on its behaviors. These classifiers can monitor the pattern of input/output (I/O) activities and
can minimize the damages by an early detection. The detector could be a part of an endpoint protection application and
help to find a new ransomware if static-based detection can’t catch it (Figure 1). Although few files may get encrypted
before the detection, the dynamic-based classifier would still be valuable if most of the data can be saved for an enterprise
user with lots of data in shared drives.
To collect the behavior data, the ransomware was executed in a Windows sandbox system and their file I/O activities were
logged. The time-series data was analyzed by the DL algorithm, long short term memory (LSTM), and ML algorithm,
N-gram featured linear support vector machine (SVM). We found that a naively trained classifier, even with good accuracy
(~98%) and a low false positive rate (~1-3%), didn’t perform well in real-world deployment. Issues include:
1. Ransomware can’t be detected early;
2. The accuracy is sensitive to the size of the sliding window; and
3. False alarms from some applications.
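The two traits the abstract names, bursty file I/O and high entropy of written content, can be sketched as a small sliding-window detector. The following is an added example, not code from the article or from Intel Labs: the event format, the thresholds, the window size and the sample events are all assumptions constructed for this illustration.

```python
"""Toy behavior-based crypto-ransomware indicator (added example, not the
article's classifier). It scores each process on a sliding window of file
I/O events and alarms when enough writes carry ciphertext-like entropy."""
import math
from collections import Counter, deque


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 8.0 for uniformly distributed bytes,
    typically 4-5 for English text and close to 8 for encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Thresholds are assumptions for this toy, not values from the article.
ENTROPY_THRESHOLD = 7.0   # bits/byte; plaintext documents sit well below this
WINDOW = 16               # recent I/O events kept per process
MIN_HIGH_ENTROPY = 5      # high-entropy writes within the window that raise an alarm


class IoWindowDetector:
    """Per-process sliding window over (op, path, entropy) events."""

    def __init__(self, window=WINDOW, threshold=ENTROPY_THRESHOLD,
                 min_high=MIN_HIGH_ENTROPY):
        self.window, self.threshold, self.min_high = window, threshold, min_high
        self._events = {}  # pid -> deque of (op, path, entropy_or_None)

    def observe(self, pid: int, op: str, path: str, payload: bytes = b"") -> bool:
        """Record one event; return True if pid trips the alarm after it."""
        entropy = shannon_entropy(payload) if op == "write" else None
        q = self._events.setdefault(pid, deque(maxlen=self.window))
        q.append((op, path, entropy))
        return self.high_entropy_writes(pid) >= self.min_high

    def high_entropy_writes(self, pid: int) -> int:
        """Number of writes in the window whose content looks encrypted."""
        return sum(1 for op, _, e in self._events.get(pid, ())
                   if op == "write" and e is not None and e >= self.threshold)


# Constructed sample payloads (not captured from real samples).
TEXT_BLOCK = b"Quarterly report: revenue grew 4% while costs stayed flat. " * 8
CIPHER_LIKE = bytes(range(256)) * 4   # every byte value equally often -> 8.0 bits


def sample_events():
    """Constructed trace: a benign editor (pid 100) saving text documents, and a
    process (pid 200) that reads each document, overwrites it with
    ciphertext-like bytes and renames it with a new extension."""
    events = [(100, "write", f"C:/docs/report{i}.docx", TEXT_BLOCK) for i in range(6)]
    for i in range(6):
        events.append((200, "read", f"C:/docs/report{i}.docx", b""))
        events.append((200, "write", f"C:/docs/report{i}.docx", CIPHER_LIKE))
        events.append((200, "rename", f"C:/docs/report{i}.docx.locked", b""))
    return events


def replay_events(events):
    """Feed events (pid, op, path, payload) through the detector and return the
    set of pids that tripped the alarm at any point."""
    det = IoWindowDetector()
    flagged = set()
    for pid, op, path, payload in events:
        if det.observe(pid, op, path, payload):
            flagged.add(pid)
    return flagged


if __name__ == "__main__":
    print("entropy(text)        = %.2f bits/byte" % shannon_entropy(TEXT_BLOCK))
    print("entropy(cipher-like) = %.2f bits/byte" % shannon_entropy(CIPHER_LIKE))
    print("flagged pids:", sorted(replay_events(sample_events())))
```

Running the block flags only pid 200. The same logic also illustrates the third issue listed above: a legitimate backup or archiving tool that writes compressed or already-encrypted files in bursts produces the same high-entropy write pattern, which is why entropy alone needs to be combined with further I/O features and a tuned window size before it is usable as a detector.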
22
ADVANCED
RESEARCH AND
USE OF
MODULES WITH
METASPLOIT
FLORIAN HOFF
23-year-old cyber security student at Université de Paris, France. He
Florianhoff9@gmail.com
24
ADRIEN ROGLIANO
rogliano.adrien@gmail.com
25
CASSIOPÉE VANNIER
her friends.
Cassiopee.vannier@gmail.com
26
Advanced research and use of modules with
Metasploit
In this article, our aim is to automate penetration testing tools in Python. We will focus on improving one of those tools -
Metasploit - in order to use autopwn, which fires all penetration testing tools at once. Those tools are called modules. They
can be offensive ones, such as exploits and payloads, or supportive, like auxiliaries.
Metasploit lets you search for compatible modules for each remote target before deployment. Every tool has its pros
and cons. One of the major inconveniences of Metasploit is its module search algorithm: searches are not precise
enough, so we get many unwanted and incompatible modules compared to the initial search criteria. That is why
we created this project. We wanted to provide a way to use autopwn smoothly and optimally.
Prerequisite
$ python3 --version
27
USING PYTHON
FOR
RANSOMWARE
CREATION
PART 1
NIMA DABBAGHI
I am Nima Dabbaghi.
penetration testing and I try to learn new things every day. I am currently
testing discussion.
My other hobbies:
29
Using Python for Ransomware Creation Part 1
What is ransomware?
Ransomware is malware that employs encryption to hold a victim’s information at ransom. A user or organization’s critical
data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to provide access.
Ransomware is often designed to spread across a network and target database and file servers, and can thus quickly
paralyze an entire organization. It is a growing threat, generating billions of dollars in payments to cybercriminals and
inflicting significant damage and expenses for businesses and governmental organizations.
Ransomware uses asymmetric encryption. This is cryptography that uses a pair of keys to encrypt and decrypt a file. The
public-private pair of keys is uniquely generated by the attacker for the victim, with the private key to decrypt the files
stored on the attacker’s server. The attacker makes the private key available to the victim only after the ransom is paid,
though as seen in recent ransomware campaigns, that is not always the case. Without access to the private key, it is nearly
impossible to decrypt the files that are being held for ransom.
Many variations of ransomware exist. Ransomware (and other malware) is often distributed using email spam campaigns
or through targeted attacks. Malware needs an attack vector to establish its presence on an endpoint. After presence is
established, malware stays on the system until its task is accomplished.
After a successful exploit, ransomware drops and executes a malicious binary on the infected system. This binary then
searches and encrypts valuable files, such as Microsoft Word documents, images, databases, and so on. The ransomware
may also exploit system and network vulnerabilities to spread to other systems and possibly across entire organizations.
Once files are encrypted, ransomware prompts the user for a ransom to be paid within 24 to 48 hours to decrypt the files, or
they will be lost forever. If a data backup is unavailable or those backups were themselves encrypted, the victim is faced
with paying the ransom to recover personal files.
Let’s find out which libraries can help us build ransomware in Python.
Moshe Zadka says: The first rule of cryptography club is: never invent a cryptography system yourself. The second rule of
cryptography club is: never implement a cryptography system yourself: many real-world holes are found in the
implementation phase of a cryptosystem as well as in the design.
• PyCryptodome
• PyNaCl
30
AUTOMATED
PENTESTING
TOOL
TASSADIT AIT RAMDANE
Cybersecurity master's program student at Paris Descartes
32
KRYSTIAN LUCZYSZYN
Cybersecurity master's program student at Paris Descartes
33
Automated Pentesting Tool
This article will discuss a new Python tool that we have implemented to perform information gathering more efficiently.
Whatever type of hack you plan, the first step is always to collect information, the quality of which will be decisive to
achieve your goal. In fact, it involves gathering publicly available information about the target, network scanning and
vulnerability assessments. Now, how about a tool designed to automate pen testing steps? Gathers is a new Python tool that
can be used by a cybersecurity beginner or an expert to perform recon and scanning of IT systems.
Like many other pentesting tools, Gathers is implemented in Python. Python is a hugely useful programming
language for cybersecurity. It can perform a multitude of functions such as malware analysis, scanning and penetration
testing. It is used not only by pentesters but also by hackers, including script kiddies. This tool uses known and powerful
Python libraries for Nmap, Shodan, and Nessus. However, using those libraries directly requires highly specialized skills in
cybersecurity and programming.
Gathers is a new project aiming to simplify the use of these Python libraries. It features a user-friendly graphical interface
that is approachable even for less experienced users. Indeed, this tool can perform Whois lookups, search-engine queries,
network scanning and much more in only a few clicks. Gathers also guides the user step by step through the first two
stages of pentesting: Reconnaissance and Scanning.
Pentesting begins with information gathering. The goal of this phase is to gain as much information as possible about the
target. Information could be employees’ emails, Internet protocol addresses, details about the target’s organizations,
systems and processes. During this stage, pentesters also perform network mapping and target
identification.
Reconnaissance can be divided into two main phases: footprinting and fingerprinting.
In the passive information gathering (footprinting) process, we are collecting information about the targets using publicly
published resources. This can be used with Google Dorks, Whois information or in emails harvesting. We can then use
these emails to initiate, for example, a social engineering attack.
In active Information Gathering (fingerprinting), we can gather more information by actively interacting with the target.
Since fingerprinting makes a direct connection to the target, doing this without authorization can be illegal. It involves
34
ANDROID
APPLICATIONS:
RANSOMWARE
DETECTION
DR. IMAN ALMOMANI
Associate Professor, Lab Leader of the Security
Engineering Lab
36
SAMAH ALSOGHYER
Samah Alsoghyer currently works at the C4C, King Abdulaziz City for
Reliability.
37
Android Applications: Ransomware Detection
Android ransomware is one of the most threatening attacks nowadays. Ransomware in general encrypts or locks the files on
the victim’s device and requests a payment in order to recover them. The available technologies are not enough as new
ransomware employ a combination of techniques to evade antivirus detection. Moreover, the literature counts only a few
studies that have proposed static and/or dynamic approaches to detect Android ransomware in particular. Additionally,
there are plenty of open-source malware datasets; however, the research community is still lacking ransomware datasets. In
this paper, state-of-the-art Android ransomware detection approaches were investigated. A deep comparative
analysis was conducted which shed light on the key differences among the existing solutions. An application programming interface
(API)-based ransomware detection system (API-RDS) was proposed to provide a static analysis paradigm for detecting
Android ransomware apps. API-RDS focuses on examining API packages’ calls as leading indicators of ransomware activity
to discriminate ransomware with high accuracy before it harms the user’s device. API packages’ calls of both benign and
ransomware apps were thoroughly analyzed and compared. Significant API packages with corresponding methods were
identified. The experimental results show that API-RDS outperformed other recent related approaches. API-RDS achieved
97% accuracy while reducing the complexity of the classification model by 26% due to feature reduction. Moreover, this
research designed a proactive mechanism based on a high quality unique ransomware dataset without duplicated samples.
Almost 3,000 ransomware samples were collected, tested and reduced by almost 83% due to sample duplication. This
research also contributes to constructing an up-to-date, unique dataset that covers the majority of existing Android
ransomware families and recent clean apps that could be used as a labeled reference for the research community.
1. Introduction
Computers and electronic devices are vulnerable to viruses and all kinds of attacks. In the early days of computers, users
used to suffer from different malicious attacks like viruses, spyware, trojan horses, worms, etc. But the first ransomware
documented in 1989 was a new variant of trojan called AIDS (Aids Info Disk) Trojan. That trojan hid the directories and
encrypted the names of the files. Then, it displayed a notification to “renew the license” of a fake software and required a
payment to unlock it [1]. It is important to note, however, that even if the victim pays the requested ransom, it is not
guaranteed that the captive data will be reachable again.
A pronounced trend in recent years has been the shift towards ransomware [2,3]. In 2016, due to a vulnerability in the
Windows operating system, the ransomware WannaCry affected more than 150 countries and an estimated 300,000 people
worldwide over a weekend [4,5]. The estimated potential costs of this attack were $4 billion [6]. Furthermore,
Verizon’s 2017 Data Breach Investigations Report [7] announced that 72% of all healthcare malware attacks in 2017
were ransomware.
It is known that ransomware mostly targets Windows computers but, as stated by SophosLabs 2018 Malware Forecast [8],
this year witnessed an amount of crypto-attacks on different devices and operating systems including Android. According to
the same report, Android ransomware is expected to continue to increase and dominate as the primary type of malware on
Android platform in the coming year. Also, Android ransomware is especially severe because private information and
photos are kept on Android mobiles. Android noticeably continues to increase its sizable lead over iOS and other operating
systems in the world [9,10] as it occupied 76.61% of the market share in 2018 [11]. The share of the Android platform
38
APPLYING SPRING
SECURITY FRAMEWORK
AND OAUTH2 TO
PROTECT MICROSERVICE
ARCHITECTURE API
QUY NGUYEN
Southern Institute of Technology · Department of Information Technology
40
ORAS F. BAKER
Oras Baker received his PhD in artificial intelligence from the University of
41
Applying Spring Security Framework and OAuth2 To
Protect Microservice Architecture API
Since 2014, Microservice Architecture (MSA) has been widely applied and deployed by big companies such as Google,
Netflix and Twitter. This is a way of architecting software systems in which the services of a single application are
decomposed then deployed and executed separately. This research examines the possibility of applying Spring Security
Framework and OAuth2 to secure microservice APIs that are built on top of Spring Framework. By developing a Proof of
Concept (POC) of an Inventory Management System using MSA on top of Spring Framework, Spring Security Framework
and OAuth2, we have conducted security tests over the POC using unit testing and manual testing techniques to examine if
there are any vulnerabilities and we were able to show and confirm the effectiveness of the Spring Security Framework and
OAuth2 in securing Spring-based APIs.
1. Introduction
The traditional monolithic approach of software architecture requires the entire application stack to be bundled together
for each deployment. This concept creates many drawbacks for the application, especially the inflexible scalability, the high
cost of resources and refactoring effort, and difficulties in DevOps across distributed teams [1]. Microservice
Architecture (MSA) is supposed to address these problems by decomposing the application into separated services; each
service takes responsibility for a single business capability and is deployed and executed independently.
Services communicate with each other over network protocols and the Internet, so this
architectural style depends heavily on Application Programming Interfaces (APIs). Given that, APIs in a microservice
application must be appropriately secured to protect the application and its resources against threats that arise
from API invocations.
The aim of this research is to reduce the knowledge gap on MSA and API security by developing a Proof of Concept (POC) of
an MSA application using Spring Framework, Spring Security, and OAuth2, and then performing security testing using Unit
Testing and Manual Testing techniques over the POC.
Since the very first assessments by enterprises for the effectiveness and the impact of MSA to enterprises by 2012 [2],
interest in MSA has significantly increased over recent years, according to Google Trends statistics [3]. MSA is being
implemented by big companies to scale their applications in the cloud in an efficient way, to reduce complexity, to quickly
expand development teams and to achieve agility [4]-[6]. Netflix, Amazon, and SoundCloud are just some of the big firms
that have adopted MSA for their enterprise and web applications and deliver their services all over the world [7], [8].
Regardless of the vital role of API security in MSA, the literature review shows that the studies that focus on MSA at API
endpoint level are just a few. There is a study conducted by Salibindla (2018) on Microservice API security; however, this
study focused on security for the communication protocols and did not provide an implementation guide for any specific
language. Xie, Han et al. (2017) [10], also performed a study on the design and implementation of Spring Security.
Nevertheless, these studies were conducted separately, and there exists no study that confirms the effectiveness of Spring
Framework (SF), Spring Security Framework (SSF), and OAuth 2.0 (OAuth2) when these technologies are applied to
42
PACKET
SNIFFING:
INTRODUCTION
ISMAIL AHMED
Ismail is a telecommunication Engineer who recently graduated from
HUST University in Wuhan and has been involved in pen-testing for web
44
Packet Sniffing: Introduction
INTRODUCTION
These days, most people are paranoid about the words “CYBERATTACK” and “HACKING”, but not me. It’s one of my biggest
dreams to become a Cybersecurity specialist (or Cybersecurity PRO) one day, because I have found no privacy at all on the
internet in our daily life. After doing so many legal and illegal tests on networks, I discovered so many failures, for
instance misconfigurations, security breaches, human errors and much more. Thus, I have decided to solve one of the most
common attacks, called PACKET SNIFFING or MITM, aka the “Man In The Middle” attack.
Sniffing in general terms refers to investigating something covertly in order to find confidential information. From an
information security perspective, sniffing refers to tapping the traffic or routing the traffic to a target (shown in Fig. 1) where
it can be captured, analyzed, and monitored. Sniffing is usually performed to analyze network usage, troubleshoot
network issues, and monitor sessions for development and testing purposes.
○ Intrusion detection
45