When Governments Hack Opponents - ICIR · 2020. 4. 11. · website may lead to arbitrary code...
When Governments Hack Opponents
Bill Marczak
First, Bahraini jailers armed with stiff rubber hoses beat the 39-year-old school administrator and human rights activist in a windowless room... Then, they dragged him upstairs for questioning by a uniformed officer armed with another kind of weapon: transcripts of his text messages and details from personal mobile phone conversations...
Abdul Ghani al-Khanjar, Bahraini Activist
Activist communication tools...
“Cred”
If you get a suspicious email or message, send it to me!
Ahmed Mansoor, UAE Activist
Hey Bill, I got a weird email!
The Data
Order to uncover the user of an IP address of @alkawarahnews
Mohammed Salah
Acting Chief Prosecutor, Capital Region
Batelco (residential ISP)
“It is a secret investigation involving private methods of our department that cannot be disclosed”
Col. Fawaz al-Sumaim, Bahrain Cyber Crime Unit
Greetings, I am a translator of the revolution. Do you need translation of this?
(Arrested activist)
Sketch: Social Engineering
Ahmed Mansoor, UAE Activist
“New secrets about torture of Emiratis in state prisons”
Nice Bait, we’ll take it!
Factory-Reset iPhone (Wi-Fi Only)
Wi-Fi
Intercept & record Internet traffic
The Internet
Type in the link from Mansoor...
… and what happens next will SHOCK YOU!
Safari window closes!
Tring [sic] to download bundle!
CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution
CVE-2016-4655: An application may be able to disclose kernel memory
CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges
Attribution
When we clicked again, redirect to: https://sms.webadv.co/redirect.aspx
<html><head><meta http-equiv='refresh'
content='0;url=http://www.google.com' /><meta http-equiv='refresh'
content='1;url=http://www.google.com'
/><title></title></head><body></body></html>
Wow, that's weird!
Plan:
1. Use zmap to fetch /redirect.aspx from every IPv4 address (2^32 = 4,294,967,296)
2. Check which responses are the same as our fingerprint:
<html><head><meta http-equiv='refresh'
content='0;url=http://www.google.com' /><meta http-equiv='refresh'
content='1;url=http://www.google.com'
/><title></title></head><body></body></html>
Result: 149 IP addresses
New plan: look at historical Internet scanning data for the 149 IP addresses
https://shodan.io/ https://censys.io/
https://opendata.rapid7.com/
Result: 19 IP addresses returned in response to a fetch for /
\xef\xbb\xbf<HTML><HEAD><META HTTP-EQUIV="refresh"
CONTENT="0;URL=http://www.google.com/">
<TITLE></TITLE></HEAD><BODY>
</BODY></HTML>
New plan: what else returned this?
Result: 89 IP addresses, including:
Admin Organization: Nso Group
Admin Street: P.O Box 4166
Admin City: Hertzelia
Admin Country: IL
Admin Email: [email protected]
"NSO Group is a leader in the field of Cyber warfare."
“… a powerful and unique monitoring tool, called Pegasus, which allows remote and stealth monitoring and full data extraction from remote targets devices via untraceable commands."
"...exclusively for the use of Government, Law Enforcement and Intelligence Agencies."
Fingerprint #1
19 IPs
Fingerprint #2
2013-2014
Ahmed Mansoor
2016
Why do NSO servers return Google redirects?
<html><head><meta http-equiv='refresh'
content='0;url=http://www.google.com' /><meta http-equiv='refresh'
content='1;url=http://www.google.com'
/><title></title></head><body></body></html>
\xef\xbb\xbf<HTML><HEAD><META HTTP-EQUIV="refresh"
CONTENT="0;URL=http://www.google.com/">
<TITLE></TITLE></HEAD><BODY>
</BODY></HTML>
Decoy Page: “redirect or customize undesired remote … landing on the server”
Fake Apache Decoy Pages (Hacking Team)
Apache:
HTTP/1.1 404 Not Found
Date: $DATE
Server: $SERVER
Content-Length: $LENGTH
Connection: close
Content-Type: text/html; charset=$CHARSET

Hacking Team:
HTTP/1.1 404 NotFound
Connection: close
Content-Type: text/html
Content-length: $LENGTH
Server: Apache/2.4.4 (Unix) OpenSSL/1.0.0g
Fake Apache Decoy Pages (FinFisher)
Apache:
HTTP/1.1 403 Forbidden
Date: $DATE GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 321
Content-Type: text/html; charset=iso-8859-1

FinFisher:
HTTP/1.1 403 Forbidden
Date: $DATE UTC
Server: Apache
Vary: Accept-Encoding
Content-Length: 321
Content-Type: text/html; charset=iso-8859-1
Fake Apache Decoy Pages (FinFisher)
Apache:
<html><body><h1>It works!</h1></body></html>

FinFisher:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>200 OK</title></head><body><h1>It works!</h1></body></html>
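The scan-and-compare step from the zmap plan above and the fake-Apache header tells on the decoy-page slides, carried out together as an added example. This is my code, not the talk's or Citizen Lab's tooling; the sample responses and the 192.0.2.x hosts are constructed from the slide text, and the whitespace normalisation before comparing bodies is an assumption.

```python
"""Added example (not from the talk): fingerprint HTTP responses the way the
attribution workflow on these slides does.  match_body/scan_hits are step 2 of
the zmap plan (compare each body with a known fingerprint); decoy_tells checks a
response claiming 'Server: Apache' for the Hacking Team / FinFisher decoy tells."""
import re

# Fingerprint #1: the /redirect.aspx body (two meta refresh tags, lower-case).
FP1 = (b"<html><head><meta http-equiv='refresh' content='0;url=http://www.google.com' />"
       b"<meta http-equiv='refresh' content='1;url=http://www.google.com' />"
       b"<title></title></head><body></body></html>")
# Fingerprint #2: the / body (UTF-8 BOM \xef\xbb\xbf, upper-case tags, one refresh).
FP2 = (b'\xef\xbb\xbf<HTML><HEAD><META HTTP-EQUIV="refresh" CONTENT="0;URL=http://www.google.com/">'
       b"<TITLE></TITLE></HEAD><BODY></BODY></HTML>")

def _norm(body: bytes) -> bytes:
    # The slides show the bodies line-wrapped, so whitespace runs are collapsed and
    # whitespace between tags dropped before comparing (assumption: the original
    # scan compared exact bytes).  The BOM survives strip(): it is part of FP2.
    return re.sub(rb"\s+", b" ", body.strip()).replace(b"> <", b"><")

def match_body(body: bytes):
    """Return 'fp1', 'fp2' or None for one response body."""
    n = _norm(body)
    return "fp1" if n == _norm(FP1) else "fp2" if n == _norm(FP2) else None

def scan_hits(results, fp):
    """results maps ip -> body from a mass scan; return the sorted IPs matching fp."""
    return sorted(ip for ip, body in results.items() if match_body(body) == fp)

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, [(name, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *lines = head.decode("latin-1").split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (ln.partition(":") for ln in lines)]
    return status, headers, body

def decoy_tells(raw: bytes):
    """List the fake-Apache tells in a response whose Server header says Apache.

    Real httpd sends Date first and Server second, dates ending in GMT and the
    header spelt Content-Length; the decoys on the slides deviate from that."""
    status, headers, body = parse_response(raw)
    names = [n for n, _ in headers]
    lower = {n.lower(): v for n, v in headers}
    if not lower.get("server", "").startswith("Apache"):
        return []
    tells = []
    if "Date" not in names:
        tells.append("no Date header")
    elif names[0] != "Date":
        tells.append("first header is %s, not Date" % names[0])
    if "Content-length" in names:
        tells.append("Content-length spelt with a lower-case l")
    date = lower.get("date", "")
    if date and not date.endswith("GMT"):
        tells.append("Date ends in %s, not GMT" % date.split()[-1])
    if b"<title>200 OK</title>" in body:
        tells.append("'It works!' page carrying a 200 OK title")
    return tells

# Constructed samples echoing the slide layouts (not captured traffic, not real hosts).
REAL_APACHE = (b"HTTP/1.1 404 Not Found\r\nDate: Sat, 11 Apr 2020 10:00:00 GMT\r\n"
               b"Server: Apache\r\nContent-Length: 13\r\nConnection: close\r\n"
               b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n<html></html>")
HT_DECOY = (b"HTTP/1.1 404 Not Found\r\nConnection: close\r\nContent-Type: text/html\r\n"
            b"Content-length: 13\r\nServer: Apache/2.4.4 (Unix) OpenSSL/1.0.0g\r\n\r\n<html></html>")
FF_DECOY = (b"HTTP/1.1 403 Forbidden\r\nDate: Sat, 11 Apr 2020 10:00:00 UTC\r\nServer: Apache\r\n"
            b"Vary: Accept-Encoding\r\nContent-Length: 321\r\nContent-Type: text/html\r\n\r\n")
FF_ITWORKS = (b"HTTP/1.1 200 OK\r\nDate: Sat, 11 Apr 2020 10:00:00 GMT\r\nServer: Apache\r\n\r\n"
              b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>200 OK'
              b"</title></head><body><h1>It works!</h1></body></html>")
SCAN = {"192.0.2.10": FP1,                               # matches fingerprint #1
        "192.0.2.11": FP2.replace(b"><", b">\n<"),       # fingerprint #2, line-wrapped
        "192.0.2.12": b"<html><body>nothing here</body></html>"}

if __name__ == "__main__":
    print("fp1 hosts:", scan_hits(SCAN, "fp1"), "fp2 hosts:", scan_hits(SCAN, "fp2"))
    for label, raw in [("real", REAL_APACHE), ("HT", HT_DECOY), ("FF", FF_DECOY), ("FF2", FF_ITWORKS)]:
        print(label, decoy_tells(raw))
```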
Spyware Command-and-Control
Victim, Victim
"The Cloud": Proxy, Proxy, Proxy
Government Agency Premises: Gateway / Firewall, C&C Server, Monitoring Center
Command and Control
Scanning finds these...
… but not these