Thursday 5 October 11:30 - 12:00, Red room
Simon Roses Femerling (VULNEX)
Web shells are post-exploitation scripts used by many different actors on the Internet as a mechanism to maintain access to, and persistence in, an organization once it has been compromised. In short, they are powerful remote management tools.
Despite the widely cited US-CERT alert (TA15-314A) published in November 2015 on the increased use of web shells by attackers and how to detect them, the problem not only continues but has grown. In July 2016, IBM X-Force published several blog posts on the rising use by attackers of powerful web shells known as C99 and B374K, but the reality is that there are hundreds of different web shells with all kinds of offensive capabilities. MITRE ATT&CK lists known APT groups that use web shells to maintain access.
This talk presents a picture of the current state of web shells: what they are, the different types, how to detect them and how to mitigate their impact on an organization. It is based on a study of hundreds of web shells written in languages such as PHP, ASP, Perl and Python, carried out to determine their offensive capabilities and obfuscation methods, to profile the attackers behind them, and to establish reliable methods of detection.
Attackers have used web shells for decades, but even today many security experts are unfamiliar with these post-exploitation tools, let alone with how to detect and analyse them.
Given how widely attackers use web shells, knowing these tools and how to mitigate them is of vital importance from a defensive point of view.
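The abstract's detection problem in miniature: a web shell is easy to spot when it reads `system($_GET['cmd'])` in clear text, but most of the samples in the wild wrap that one line in `eval(gzinflate(base64_decode('...')))` or `eval(base64_decode(str_rot13('...')))`, so a scanner has to peel the encoding layers before it scores what the code can do. The scanner below is an added example written for this page; it is not VULNEX's tooling or anything from the study described in the talk, and its indicator lists, weights, thresholds and the four sample files are all constructed for the illustration.

```python
"""Heuristic PHP web shell scanner (added example, not the talk's tooling).

Peels the obfuscation layers PHP shells commonly use (base64, raw deflate,
zlib, rot13, strrev), then scores every layer for execution primitives,
attacker-controlled input and known shell-family markers."""
import base64
import codecs
import re
import zlib

# Functions a shell needs to run commands or evaluate attacker-supplied code.
EXEC_FUNCS = ("eval", "assert", "system", "exec", "shell_exec", "passthru",
              "popen", "proc_open", "pcntl_exec", "create_function")
# Superglobals a shell reads its command from.
INPUT_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_FILES", "php://input")
# Decoders that usually wrap an obfuscated payload.
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "gzdecode", "str_rot13", "strrev")
# Markers of widely distributed shell families (c99, b374k, r57, WSO).
FAMILY_MARKERS = ("c99", "b374k", "r57", "wso")

_EXEC_RE = re.compile(r"\b(?:%s)\s*\(" % "|".join(EXEC_FUNCS), re.I)
_DECODER_RE = re.compile(r"\b(?:%s)\s*\(" % "|".join(DECODERS), re.I)
_EXEC_ON_INPUT_RE = re.compile(
    r"\b(?:%s)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b" % "|".join(EXEC_FUNCS), re.I)
_EXEC_WRAPS_DECODER_RE = re.compile(
    r"\b(?:eval|assert)\s*\(\s*(?:%s)\s*\(" % "|".join(DECODERS), re.I)
_FAMILY_RE = re.compile(r"\b(?:%s)\b" % "|".join(FAMILY_MARKERS), re.I)
# A quoted literal long enough to hide a payload, base64 alphabet only.
_OPAQUE_LITERAL_RE = re.compile(r"""['"]([A-Za-z0-9+/=]{24,})['"]""")

# Illustrative weights; tune against your own corpus.
WEIGHTS = {"exec_function": 3, "input_source": 2, "exec_on_input": 4, "decoder": 1,
           "exec_wraps_decoder": 4, "family_marker": 3, "opaque_literal": 1, "hidden_layer": 2}


def _decode_literal(blob: str) -> list:
    """Try the decoder chains shells typically apply to one quoted literal:
    optional str_rot13()/strrev() first, then base64_decode(), then
    gzinflate() (raw deflate, wbits=-15) or gzuncompress() (zlib, wbits=15)."""
    outputs = []
    for pre in (blob, codecs.decode(blob, "rot13"), blob[::-1]):
        try:
            raw = base64.b64decode(pre, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        stages = [raw]
        for wbits in (-15, 15):
            try:
                stages.append(zlib.decompress(raw, wbits))
            except zlib.error:
                pass
        for data in stages:
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError:
                continue  # a wrong guess at the chain yields binary noise
            if text and sum(c.isprintable() or c in "\r\n\t" for c in text) / len(text) > 0.95:
                outputs.append(text)
    return outputs


def peel_layers(source: str, max_depth: int = 4) -> list:
    """Return (depth, text) for the source and every payload recovered from it."""
    layers, queue = [], [(0, source)]
    while queue:
        depth, text = queue.pop()
        layers.append((depth, text))
        if depth < max_depth:
            for blob in _OPAQUE_LITERAL_RE.findall(text):
                queue.extend((depth + 1, d) for d in _decode_literal(blob))
    return layers


def scan(source: str) -> dict:
    """Score one PHP file across all its layers and return findings, score, verdict."""
    findings = set()
    for depth, text in peel_layers(source):
        hits = set()
        if _EXEC_RE.search(text): hits.add("exec_function")
        if any(s in text for s in INPUT_SOURCES): hits.add("input_source")
        if _EXEC_ON_INPUT_RE.search(text): hits.add("exec_on_input")
        if _DECODER_RE.search(text): hits.add("decoder")
        if _EXEC_WRAPS_DECODER_RE.search(text): hits.add("exec_wraps_decoder")
        if _FAMILY_RE.search(text): hits.add("family_marker")
        if _OPAQUE_LITERAL_RE.search(text): hits.add("opaque_literal")
        if depth > 0 and hits:
            hits.add("hidden_layer")  # live code was hiding inside an encoded literal
        findings |= hits
    score = sum(WEIGHTS[f] for f in findings)
    verdict = "web shell" if score >= 8 else "suspicious" if score >= 4 else "clean"
    return {"findings": sorted(findings), "score": score, "verdict": verdict}


# Constructed samples (not files from the talk's corpus).
INNER = "<?php if (isset($_POST['pass'])) { @eval($_POST['pass']); } ?>"
SAMPLE_PLAIN = "<?php if (isset($_GET['cmd'])) { echo '<pre>'; system($_GET['cmd']); echo '</pre>'; } ?>"
# zlib.compress()[2:-4] strips the zlib header and checksum, leaving the raw deflate stream gzinflate() expects.
SAMPLE_OBFUSCATED = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(
    zlib.compress(INNER.encode())[2:-4]).decode()
SAMPLE_ROT13 = "<?php eval(base64_decode(str_rot13('%s'))); ?>" % codecs.encode(
    base64.b64encode(INNER.encode()).decode(), "rot13")
SAMPLE_BENIGN = ("<?php $page = htmlspecialchars($_GET['page'] ?? 'home'); "
                 "echo base64_decode('SGVsbG8gd29ybGQ='), $page; ?>")

if __name__ == "__main__":
    for name, src in (("plain", SAMPLE_PLAIN), ("gzinflate", SAMPLE_OBFUSCATED),
                      ("rot13", SAMPLE_ROT13), ("benign", SAMPLE_BENIGN)):
        print(name, scan(src))
```

Two caveats a practitioner will want. First, the benign sample uses both `$_GET` and `base64_decode()` and still scores "clean": an input source or a decoder on its own is normal PHP, and it is the combination of execution primitive plus attacker-controlled argument (or an `eval` wrapped around a decoder) that carries the weight, so keep that structure if you adapt the weights. Second, keyword scanning is trivially evaded by variable functions and string assembly (`$f = 'sys' . 'tem'; $f($_GET['c']);`), which this scanner does not catch; in practice it is one signal to combine with file-integrity baselining of the web root and web-server log review for POST requests to files that nothing else references.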
Simon Roses Femerling
Simon Roses holds a B.S. from Suffolk University (Boston), a postgraduate degree in e-commerce from Harvard University (Boston) and an Executive M.B.A. from IE Business School (IE, Madrid). Currently he is the CEO at VULNEX, driving security innovation. Formerly he worked at Microsoft, PricewaterhouseCoopers and @Stake. Simon has authored and contributed to several open-source security projects such as OWASP Pantera and LibExploit. He has also published security advisories in commercial products. Simon was awarded a DARPA Cyber Fast Track (CFT) grant to research application security. Simon is a frequent speaker at security industry events including Black Hat, DEF CON, RSA, HITB, OWASP, SOURCE, DeepSec and Microsoft Security TechNets. Simon blogs at www.simonroses.com