CryptMove: Moving Stealthily through Legitimate and Encrypted Communication Channels
Wed Feb 25, 11:30-12:30
WWH 335
Dr. Jinpeng Wei
Department of Software and Information Systems
UNC Charlotte
Abstract: To move laterally inside an enterprise environment, Advanced Persistent Threat (APT) attacks have used multiple techniques. Due to the arms race between the attacks and the defenses, such techniques have evolved over time, with the latest one (ShadowMove) capable of reusing existing network connections for stealthy lateral movement. However, this technique has limited impact because it cannot reuse encrypted connections that are becoming the norm. In this talk, I will present CryptMove, a novel technique that can abuse existing and encrypted channels for lateral movement. CryptMove secretly accesses the memory of the target process to duplicate the security context that is used by the target process to perform encryption/decryption; it also secretly duplicates sockets owned by the target process and injects encrypted malicious commands through these sockets into the encrypted communication channels. Since the location of the security context is specific to the target application, CryptMove employs automated analysis of the target application’s binary code, in order to learn a path to reach the security context via a sequence of memory accesses. To demonstrate the feasibility of CryptMove, we built PoC attack tools (on both Windows and Linux) that successfully attacked popular applications (e.g., OpenSSH, PuTTY, WinSCP and WinRM) under 63 different cipher-protocol combinations. We also confirmed that the CryptMove PoC is not detectable by several popular Antivirus and Endpoint Detection and Response (EDR) systems.
Bio: Dr. Jinpeng Wei is an Associate Professor in the Department of Software and Information Systems at UNC Charlotte. His research focuses on theory, methods, and tools that enhance the security of widely used systems software in a broad spectrum of computer systems, from OS kernels, to file systems, to cloud platforms, and to emerging computing or Operational Technology environments such as Internet of Things and Power Grid. He has worked on several important topics, including active cyber defense, malware analysis, cyber threat hunting, cloud computing security, and systems software vulnerabilities. He is the winner of four best paper awards and the AFRL Visiting Faculty Research Program award. He has published in premier venues such as ACM TOPS, ACSAC, Computers & Security, DSN, ESORICS, ICDCS, IPDPS, SACMAT, USENIX Security, and USENIX ATC. His research has been supported by multiple agencies including ARO, AFRL, DHS, DOD, NSA, NSF, ONR, and industry.