🤝  Join us on DISCORD  🤝

Recon Village

Talks from Recon Village - 2020 (DEFCON 28)



Twitter Word Phrequency

Name: Master Chen


What you say can hurt you, but how? In this talk, I will take a deep dive into Twitter Word Phrequency analysis and the implications of the resulting data. I will cover data acquisition, curation, analysis, weaponization, and maybe even profit. What is revealed by everyday social media engagent? Predictive speech? Password lists? Automated trolling? Let's find out!

Burnout is real

Name: Chloé Messdaghi


Mental health is an ongoing issue within infosec before and during COVID-19. There's a fine balance between hacking and personal life. Majority of the time, they cross over. This talk shares an overview of the warning signs, symptoms, and practices to prevent burnout and how to deal with burnout to keep balanced.

Hunting for Blue Mockingbird Coinminers

Name: Ladislav B


During March-May 2020 the Blue Mockingbird group infected thousands of computer systems, mainly in the enterprise environments. There are known incidents in which they exploited the CVE-2019-18935 vulnerability in Telerik Web UI for ASP.NET, then they used various backdoors and finally, they deployed XMRig-based CoinMiners for mining Monero cryptocurrency. Interesting about these cases is the persistence which they used for CoinMiners - lot of techniques including scheduled tasks, services, but also WMI Event Subscription and COR Profilers.

During forensic analysis and incident response process it was possible to find these persistences and many coinminers artifacts, but malware samples responsible for their installation and persistence creation have been missing. However, when we enriched results of the standard malware analysis with the Threat Intelligence data and OSInt, we were able to find the missed pieces of puzzle and reconstruct the original attack chain including the initial exploitation, local privilege exploit, two backdoors, main payload and multiple persistence techniques. Moreover, this research reveal many about the tools, techniques and procedures (TTP) of Blue Mockingbird Threat Actor.
Finally, with more knowledge about the attackers it is possible to collect more samples of coinminers used by them. After next step of reconnaissance we can get insight into profit of their attacks and compare them with the damages caused by these attacks.

Ambly, the Smart Darknet Spider

Name: Levi

Combating cybercriminal activity requires quick turnover time between detecting indicators of attack and moving to protect or remediate the malicious activity. Currently, investigations slow down at the bottleneck of manual labor required to identify and evaluate cyber threat intelligence before making an actionable decision. While this can be an issue on the Clearnet, it becomes a more difficult problem for analysts on the Darknet. This leaves cybersecurity analysts in a position of constant responsiveness, rather than endorsing a position of preemptive protection.

To minimize the need for manual labor in the triage stage of cyber threat intelligence identification and preliminary evaluation on the darknet, Ambly, a smart darknet spider, is currently under development. Utilizing this tool will help identify darknet webpages containing cyber threat intelligence and produce a report ranking webpages for further human evaluation.
Ambly is a tool designed for interacting with the Tor network, hosted by the Tor Project. By connecting to the onion routers, Ambly is able to access ‘.onion’ URLs and begin crawling while gathering information. During the development cycle for Ambly, further layers of machine-learning modules are being added, including Natural Language Processing (NLP) classifications, language identification, and leading toward further development into cyber threat intelligence identification. This is an ongoing and dynamic research endeavor with future updates eminent.
Main Talking Points:
- OSINT into CTI
- Difficulties of CTI on the Darknet
- Ambly’s current abilities for intelligence gathering.
- The future of Ambly and Darknet CTI.

COVID 1984_ Propaganda and Surveillance during a Pandemic

Name: Mauro Eldritch

What does a propaganda apparatus look like from the inside? How do groups dedicated to setting trends and censoring the opposition act? What if your government forces you to install an app that tracks you during the pandemic? What if we infiltrate a sock puppet account to understand all this better?

The official political propaganda and digital surveillance in Argentina are not new. However, in the last fifteen years, both phenomena have adopted in their favor a new technological approach worthy of study, with the emergence of companies dedicated to manufacturing online trends; cyber militancy groups aimed at setting up debates, responding to them or denouncing rival trends in a coordinated way; the project to establish an exclusive social network for pro-government and “against the establishment” militants (sponsored by the Government itself); the rise of state digital surveillance after the implementation of a Cyber ​​Patrol Protocol, and the permanent monitoring of citizens through a mandatory mobile government application during the COVID-19 Pandemic. This work aims not only to review the previous events, but also to detail the two greatest milestones of political propaganda and digital surveillance in Argentina today: the political propaganda apparatus on social networks and the digital privacy abuses caused by the government application CUIDAR-COVID19  (ar.gob.coronavirus).

For the first case, a fictitious account (sock puppet) will be infiltrated within the propaganda apparatus on social networks to achieve a detailed technical dissection of its entire operation (including its interventions and actors). Our own cyber intelligence tool, Venator.lua, will be used to obtain and process data. The following section will be devoted to the study of privacy abuses caused by the mandatory government application CUIDAR-COVID19, reverse engineering it and analyzing its source code.