Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ransomware in Web Apps OWASP Singapore.

Published byEdward Boone Modified over 6 years ago

Similar presentations

Presentation on theme: "Ransomware in Web Apps OWASP Singapore."— Presentation transcript:

1 Ransomware in Web Apps OWASP Singapore

2 What is Ransomware? A malware that blocks access to the computer until a ransom is paid Key features Encryption Advent of crypto currencies Effective infection vectors Ransomware as a service Malicious s Exploit kits Several recent big attacks disclosed, most people just pay and move on

3 Control over what is in your code has changed
From YOU to: developer tools open-source code 3rd party developers Reference :

4 Open-source libraries have exploded
Reference :

5 Complexity of libraries has exploded
For every one library you add to a Node.js project, 9 others are added For every 1 Java library you add to your projects, 4 others are added Reference : SourceClear customer scans

6 Before the open-source & DevOps era
Custom Code Are you introducing vulnerabilities in the code you are writing? (…once every few months)

7 In the open-source / DevOps era
Custom Code What libraries are you using? Where did it come from? What does it do? Is it being maintained? What vulnerabilities are present? (…many hundreds of times each day) Attack surface has changed

8

9

10 Different generations
Classical desktop based TeslaCrypt Locky Cryptolocker Newer variants FLocker Samsam

11 FLocker FLocker (short for "Frantic Locker") ransomware is now capable of locking up Android TV sets. While this variant of malware does not encrypt files on the infected device, it does lock the screen, preventing the user access to the TV. Additionally, this malware has the potential to steal data from the device. Source:

12 Ransomwear Existing Android ransomware (Android.Simplocker) are easily repackaged to work on Android wear devices

13 Samsam Used unpatched Java Application Servers (e.g. JBoss, Oracle WebLogic Server) Samsam also uses RSA public key cryptography (classical variants download the encryption key from a C&C server) Recent Muni system hacker exploited an old known remote object deserialization Java vulnerability Sources:

14 Ransomware in Web Apps New trend targeting business applications
Exploitation based on vulnerabilities Several public exploits are readily available

15 JBoss exploit kit

16 Ransomware targeting the software tool chain
Lot of trust placed in open source 3rd party libraries Most build systems already allow command execution See on how to npm packages can be abused for data exfiltration Web applications have access to critical business data

17 How to use dependencies to deliver ransomware?
Create a library that has provides some simple functionality that will want developers to download and use it Hide code to implement ransomware that can either be triggered remotely or at a fixed time or under production environment etc. Today we demonstrate two PoC/exploits: Spring MVC Ruby on Rails

18 Spring MVC Typical ransomware works by encrypting files, in case of web application important data is likely to be in the database itself. This presents two potential challenges How to determine the database connection settings for the web application? Once we have access to the database how should we encrypt and decrypt the data?

19 Search the Spring Application context
Locate the right Bean to get “dataSource”

20 Reflection We can access the ClassLoader hierarchy and find a class with a method which returns a DataSource of some kind.

21

22 Encryption Once we have the database connection:
Connect to database Dump all content into a file Encrypt it Drop all the tables For encryption we can use RSA public/private key pair where the public key is hardcoded in the application

23 Don’t forget to leave a ransom note

24 The entire process Model classes Controller classes View templates
Display a ransom note Spring classes Spring classes Use reflection to get DB connection settings Log in to DB, then dump and encrypt contents DB DB

25 Ruby on Rails Similar to the Spring MVC example
Due to the dynamic nature of Ruby it is much simpler to get access to the database connection settings

26 Simply get the database password from
ActiveRecord::Base.connection_config[:password]

27 Demos

28 Some thoughts on detection
In general quite hard to do it statically but we can profile the libraries and look for suspicious/malicious behaviors: Use of reflection On database connection object Use of hardcoded public keys For encryption

29 Conclusions Growing threat of ransomware
Increasingly targeting business applications, IoT devices etc. Use of novel infection vectors Vulnerabilities in open source libraries Build system, package managers More visibility and auditing needed across the software supply chain

30 Questions?

Download ppt "Ransomware in Web Apps OWASP Singapore."

Similar presentations

By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
Trojan Horse Program Presented by : Lori Agrawal.

Trojan Horse Program Presented by : Lori Agrawal.
Customer confidential 1 Privilege Management Sean Moore Solutions Specialist.

Customer confidential 1 Privilege Management Sean Moore Solutions Specialist.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Viruses.

Viruses.
UNDERSTANDING THE RISKS & CHALLENGES OF Cyber Security DAVID NIMMO InDepth IT Solutions DAVID HIGGINS WatchGuard NEIL PARKER BridgePoint Group A BridgePoint.

UNDERSTANDING THE RISKS & CHALLENGES OF Cyber Security DAVID NIMMO InDepth IT Solutions DAVID HIGGINS WatchGuard NEIL PARKER BridgePoint Group A BridgePoint.
Open Web App. Purpose To explain Open Web Apps To explain Open Web Apps To demonstrate some opportunities for a small business with this technology To.

Open Web App. Purpose To explain Open Web Apps To explain Open Web Apps To demonstrate some opportunities for a small business with this technology To.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
A Growing Threat Debbie Russ 1/28/2015. What is Ransomware? A type of malware which restricts access to the computer system that it infects, and demands.

A Growing Threat Debbie Russ 1/28/2015. What is Ransomware? A type of malware which restricts access to the computer system that it infects, and demands.
Peter Laird. | 1 Building Dynamic Google Gadgets in Java Peter Laird Managing Architect WebLogic Portal BEA Systems.

Peter Laird. | 1 Building Dynamic Google Gadgets in Java Peter Laird Managing Architect WebLogic Portal BEA Systems.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Advanced Persistent Threats (APT) Sasha Browning.

Advanced Persistent Threats (APT) Sasha Browning.
New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010.

New Techniques in Application Intrusion Detection Al Huizenga, Mykonos Product Manager May 2010.
Title of Presentation DD/MM/YYYY © 2015 Skycure 1 1 1 Why Are Hackers Winning the Mobile Malware Battle.

Title of Presentation DD/MM/YYYY © 2015 Skycure Why Are Hackers Winning the Mobile Malware Battle.
Computer Security By Duncan Hall.

Computer Security By Duncan Hall.
1 #UPAugusta2016. 2 3 Today’s Topics What are Deadly IT Sins? Know them. Fear them. Fix them. #UPAugusta201 6.

1 #UPAugusta Today’s Topics What are Deadly IT Sins? Know them. Fear them. Fix them. #UPAugusta201 6.
©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.

©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.
Www.spiceworks.com. www.gntsolutions.com R ANSOMWARE CAN ORIGINATE FROM A MALICIOUS WEBSITE THAT EXPLOITS A KNOWN VULNERABILITY, PHISHING EMAIL CAMPAIGNS,

R ANSOMWARE CAN ORIGINATE FROM A MALICIOUS WEBSITE THAT EXPLOITS A KNOWN VULNERABILITY, PHISHING CAMPAIGNS,
Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.

Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.

Similar presentations

Ads by Google