
TeamT5 Shares Research at HITCON 2024

2024.07.24
TeamT5 gave two technical talks at HITCON 2024, the annual hacker conference in Taiwan. This article introduces each talk.

Shuttling Through Secret Pipes: Unveiling Vulnerabilities in Leading VPNs

  • Speaker: Zeze / Research Engineer
  • Intro:
Named pipes have been an integral part of Windows operating systems since the early days of Windows NT, offering a robust mechanism for inter-process communication (IPC). They allow processes to communicate on the same machine or across networked systems using a client-server model. A key feature is impersonation, where a server temporarily adopts the security context of a client, enabling it to perform actions with the client's permission.
In my research, I developed a tool to analyze named pipe security. This tool combines a minifilter driver and a ring3 hook via DLL injection to monitor and intercept named pipe communications. The minifilter driver operates at a low level within the file system, while the ring3 hook intercepts user mode API calls related to named pipes. Using this tool, I identified vulnerabilities in named pipe implementations in software from Windscribe, CyberGhost, and OpenVPN. Specifically, vulnerabilities in Windscribe allow an attacker to achieve both Elevation of Privilege (EoP) (CVE-2024-6141) and Broken Access Control (BAC). In CyberGhost, vulnerabilities can be exploited to achieve BAC, and in OpenVPN, they can lead to EoP (CVE-2024-4877). These vulnerabilities present significant security risks, as EoP can allow attackers to gain higher privileges, and BAC can enable unauthorized access to sensitive resources.
By attending this talk, the audience will gain a deeper understanding of named pipes, their functionality, and associated security implications. The presentation will cover the methodology behind the analysis tool, the specific vulnerabilities discovered, and their potential impacts. Attendees will learn about named pipe security intricacies, common pitfalls, and mitigation strategies. This talk aims to equip security professionals and software developers with the knowledge to better secure their applications against similar threats, emphasizing vigilant security practices for IPC mechanisms.
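As an added, defender-side illustration of the impersonation mechanism the abstract describes (example code written for this article, not TeamT5's analysis tool or anything from the talk), the following Windows PowerShell 5.1 script runs a named-pipe server and client in one process. The server creates its pipe with an explicit DACL instead of the permissive default, and the client connects with an impersonation level of Identification, so the server can learn who connected but cannot act with the client's token. The pipe name and the principals placed in the DACL are assumptions chosen for the demo; the .NET System.IO.Pipes API shown is the one shipped with the .NET Framework.

```powershell
# Added example, not TeamT5's code: hardened named-pipe server/client pair.
# Assumes Windows PowerShell 5.1 (.NET Framework). Pipe name is hypothetical.
$pipeName = 'TeamT5DemoPipe'

# --- Server side: explicit DACL ---
# By default a named pipe is reachable by other local users. Granting access
# only to the creating user and to Administrators limits who can open it at all.
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$sec = New-Object System.IO.Pipes.PipeSecurity
$sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule(
    $me,
    [System.IO.Pipes.PipeAccessRights]::ReadWrite,
    [System.Security.AccessControl.AccessControlType]::Allow)))
$sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule(
    'BUILTIN\Administrators',
    [System.IO.Pipes.PipeAccessRights]::FullControl,
    [System.Security.AccessControl.AccessControlType]::Allow)))

$server = New-Object System.IO.Pipes.NamedPipeServerStream(
    $pipeName,
    [System.IO.Pipes.PipeDirection]::InOut,
    1,                                              # single instance
    [System.IO.Pipes.PipeTransmissionMode]::Byte,
    [System.IO.Pipes.PipeOptions]::None,
    4096, 4096,
    $sec)
# Accept asynchronously so the same script can also play the client.
$accept = $server.WaitForConnectionAsync()

# --- Client side: cap the impersonation level ---
# A client that does not state a level lets the server impersonate it fully.
# Identification lets the server see who the client is, for authorization,
# but the resulting token cannot be used to open resources on the client's behalf.
$client = New-Object System.IO.Pipes.NamedPipeClientStream(
    '.',
    $pipeName,
    [System.IO.Pipes.PipeDirection]::InOut,
    [System.IO.Pipes.PipeOptions]::None,
    [System.Security.Principal.TokenImpersonationLevel]::Identification)
$client.Connect(5000)
$accept.Wait()

# The server can still identify the peer and make an authorization decision.
Write-Host "Server: connected client is $($server.GetImpersonationUserName())"

# Impersonating the client yields only an identification-level token:
# GetCurrent() inside RunAsClient reports Identification, not Impersonation.
$script:level = $null
$server.RunAsClient({
    $script:level = [System.Security.Principal.WindowsIdentity]::GetCurrent().ImpersonationLevel
})
Write-Host "Server: impersonation level obtained from client token = $script:level"

$client.Dispose()
$server.Dispose()
```

Run it in a normal user session; the last line prints "Identification". Dropping the fifth constructor argument on the client side (or passing Impersonation) is the configuration the abstract warns about: the server then holds a token it can actually use, and whoever controls the server end of the pipe inherits the connecting client's privileges. On the server side, a DACL of this kind is what decides which local principals may reach the service at all; reviewing it, and what the server does after impersonating, is the first check to make on any privileged service that exposes a pipe.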

Sailing the Seven SEAs: Deep Dive into Polaris’ Arsenal and Intelligence Insights

  • Speaker: Still Hsu / Cyber Threat Intelligence Researcher
  • Intro:
Since the 2010s, Polaris (also known as Mustang Panda, Earth Preta, or Twill Typhoon) has maintained a persistent presence in various East Asian countries, including Vietnam, Myanmar, the Philippines, Thailand, Taiwan, and more. In late 2021, we discovered a new malware family that we dubbed NoFive, characterized by its shellcode form and rudimentary features. Since then, we have observed an increasing number of backdoors utilizing NoFive as a base template. Although these malware variants initially seem disorganized, our telemetry and analysis indicate that Polaris strategically deploys them based on specific target countries and sectors. This presentation aims to provide deeper insights into Polaris' malware development strategies and deployment patterns through our comprehensive threat intelligence.
In this talk, we will provide a detailed technical analysis of the relationships among these various malware families, including NoFive, TOnePipeShell, QReverse, and others. We will examine how the developer(s) of these backdoors have been gradually modifying them by changing the traffic encoding/decoding mechanisms, continually shifting the features included within the backdoors, adding USB lateral movement abilities and more. Additionally, we will share our observations of Polaris’ recent activities and discuss our expectations for future developments.