We were glad to announce that TeamT5 was again accepted at Black Hat USA. And this time, our vulnerability research team, D39, presented their latest exploit research on Samsung S10 secure bootloader at the Black Hat Briefings. We were very honored to share our research findings with researchers and security experts all over the world in this annual flagship conference.

![BHUSA_cover](https://uploads.teamt5.org/upload/original/pic1-black-hat-s-talk-d39-shares-their-research-on-breaking-samsung-secure-boot-at-black-hat-usa-2020.jpg)
_TeamT5's vulnerability researcher presented on Black Hat USA 2020._

## About D39's Vulnerability Research Finding

D39 has been focusing on vulnerability research and has identified several critical security flaws. We have found several vulnerabilities in Samsung Secure boot, which can break through Samsung Knox protections. In Black Hat USA 2020, we elaborated how did we discover and exploit the vulnerabilities in detail, demonstrated the exploit on a Samsung Galaxy S10 smartphone, and had a discussion on the possible impact of these vulnerabilities.

![Disclosure timeline](https://uploads.teamt5.org/upload/original/pic2-black-hat-s-talk-d39-shares-their-research-on-breaking-samsung-secure-boot-at-black-hat-usa-2020.jpg)
_Timeline of the vulnerability disclosure, patch release and assignment of SVE IDs._

## About Black Hat
Black Hat is the world’s leading information security event, and remains the best and biggest event of its kind. It provides attendees with cutting-edge security research, development and trends, and has the ability to define tomorrow’s information security landscape. Black Hat USA 2020 went fully virtual this year, held over the same dates from 1 to 6 August, in light of the coronavirus pandemic.

*Image courtesy of Black Hat from https://www.blackhat.com/us-20/

Black Hat’s Talk: D39 Shares Their Research on Breaking Samsung Secure Boot at Black Hat USA 2020

TeamT5はBlack Hat USAへ再度招かれたことを発表させていただきます。今回、当社の脆弱性調査チームであるD39が、Black HatのブリーフィングでSamsung S10セキュアブートローダーで起こった侵害に関する最新の調査結果を発表しました。当社はこのメジャーな年次カンファレンスで、世界中の研究者やセキュリティ専門家へ調査結果を発表できることを光栄に感じています。

![BHUSA_cover](https://uploads.teamt5.org/upload/original/pic1-black-hat-s-talk-d39-shares-their-research-on-breaking-samsung-secure-boot-at-black-hat-usa-2020.jpg)
_TeamT5の脆弱性専門家がBlack Hat USA 2020で調査結果を発表しました。_

## D39の脆弱性調査結果について

D39は脆弱性の調査に焦点を当てており、数種類の深刻なセキュリティの脆弱性を見つけています。当社はSamsungセキュアブートで複数の脆弱性を発見し、Samsung Knoxの保護を突破できることが判明しました。Black Hat USA 2020では、脆弱性を見つけた方法と侵害方法を詳細に解説し、Samsung Galaxy S10スマートフォンで侵害を実演し、こうした脆弱性が与える影響について話し合いました。

![Disclosure timeline](https://uploads.teamt5.org/upload/original/pic2-black-hat-s-talk-d39-shares-their-research-on-breaking-samsung-secure-boot-at-black-hat-usa-2020.jpg)
_Timeline of the vulnerability disclosure, patch release and assignment of SVE IDs._

## Black Hatについて
Black Hatは世界的な情報セキュリティイベントであり、同種では最高レベルかつ最大規模のイベントです。セキュリティで最先端の調査、開発、状況を参加者に伝えるため、将来の情報セキュリティ環境を整えることが可能です。COVID-19のパンデミックを受け、Black Hat USA 2020は今年度すべてバーチャルにて同じ8月1日～6日に開催されました。

*画像のソース: Black Hat, from https://www.blackhat.com/us-20/

Black Hatでの講演：D39がBlack Hat USA 2020にて、Samsungのセキュアブートへの侵害に関する調査結果を披露します。

> We are honored to be interviewed by  [Cybernews](https://cybernews.com/), a research-based online publication that helps people navigate a safe path through their increasingly complex digital lives. In the interview, we share how TeamT5 originated with our cyber threat intelligence researches and how we do to help clients fight against ransomware. The whole interview report is below or can be viewed at [Cybernews](https://cybernews.com/security/sung-ting-tsai-teamt5-companies-shouldnt-claim-themselves-as-100-secured-or-unhackable/)。

**A ransomware attack may be a once-in-a-lifetime event for some, while for others, it is more so of an evergoing battle of wits, technology, and speed, which requires constant diligence and preparations.**

While more and more companies invest in proper cybersecurity measures, both by investing in professional infrastructures and [relying on commercial privacy and data protection management tools](https://cybernews.com/best-password-managers/), not many are involved in actively hunting threats that may as well have already penetrated their defenses.

To discuss such issues, Cybernews sat down with Sung-ting Tsai, the Chief Executive Officer of [TeamT5](https://teamt5.org/en/) – a cybersecurity intelligence firm. We talked about the dos and don’ts in the event of a ransomware attack and what cybersecurity measures are most important to take.

### Tell us about your story. How did TeamT5 originate?

Previously, I worked in a big cybersecurity company and led a research team. I found that clients often got hacked even though we made great solutions. I think the key is we didn’t have insights on attackers’ TTP (tactics, techniques, and procedures) so our defense couldn’t protect clients from those attackers.

Therefore, I became interested in cyber threat intelligence (CTI) research and decided to build TeamT5 to do CTI research. Back then, our team already discovered that the latest and advanced cyberattacks happened in Taiwan first. It gives us advantages to publish in-depth analysis and research.

Our niche is that we have focused on cyberattacks and cyber espionage for a long time. As not many people focus on this area, our research results are even more valuable and help many people and organizations around the world, especially in the US, Japan, and Korea.

Then, we made our reports of cyber threat intelligence into a solution – ThreatVision, a portal to see through the chaos. In 2017, we developed ThreatSonar which is an engine to hunt down intruders. It helps clients to defend against cyberattacks. When others can’t catch malicious cyberattacks – we can.

Since we established, we consider cyber threat intelligence research as the most important task. We have published more than 30 research papers in international cybersecurity seminars and conferences, including Black Hat Asia, SANS Institute – CTI Summit, Virus Bulletin (VT), and CodeBlue. Our findings are recognized by many clients, including one of the top five international banks, top telecom and business groups in Japan, and governmental critical infrastructures in Taiwan.

### Can you tell us a little bit about what you do? What challenges do you help navigate?

Our mission is to become the best partner to defend against advanced persistent threats (APTs).

Clients are facing two challenges:

1. While attackers know a lot about clients, our clients know a little about what they’re facing.
2. Clients don’t have sufficient technology to defend against attackers.

To help a client beat ransomware and cyber espionage, we provide three types of solutions:

1. **Threat Intelligence** – let clients know the enemies well and plan defense strategies.
2. **Defense Technology **– let clients be equipped with good tools in order to hunt down the enemies.
3. **Professional Service** – we work with clients to help them deal with various cyber threats.

### You often emphasize the importance of proactive threat hunting. Can you briefly describe this practice?

Traditionally, the idea of cybersecurity protection is to do multi-layered defense. However, the current problem is that enterprises don’t know whether attackers are already on the intranet.

So, we suggest that “proactive threat hunting” is a better idea for cyber protection nowadays. It means enterprises use our tool ThreatSonar Anti-Ransomware to do active and aggressive scans on logs from SIEM (security information and event management). Enterprises can even apply new screening rules on previous logs to discover previous malicious activities.

### How do you think the recent global events influenced the ways in which threat actors operate?

Looking into cyber attackers' behaviors, you can see that cyberattacks are effective and their impacts are bigger than ever. These impacts can be categorized into two types – one is leaking important information, while the other is data sabotage and ransom.

We observe that more operations with more power are conducted by many countries. Countries are also focusing on information operations (InfoOps). They invest more resources in public opinion operations, social media operations, and media operations. Their goal is to achieve impacts with certain purposes.

Recently, Ukraine conducts such operations really well. It indicates that if there are wars or disputes between counties in the future, such InfoOps will be common scenes.

### In the age of frequent cyberattacks, do you think small businesses and big enterprises require the same security measures?

In fact, it’s unlikely that small businesses apply the same cybersecurity measures as big enterprises. Our suggestion is for small businesses to use the same cybersecurity framework and ideas as big enterprises do. And small businesses shall prioritize each task and start with the most important parts.

We found that the most challenges that small businesses are not willing to invest in are cybersecurity measures. However, it’s important to do that in order to make business operations go smoothly.

### Since ransomware is one of your main fields of focus, could you give us a few tips on what should and shouldn't be done in the event of such an attack?

I advise companies to do defense in four steps:

1. **Threat awareness** – catch up on the latest cyber intelligence to understand the potential threats.

2. **Before attack** – deploy tools and measures to be prepared, e.g. backup your data and deploy anti-ransomware solutions.

3. **During attack** – have tools to see attacks that are happening (which means to make attacks visible); if there are attacks happening, enterprises shall have response measures.

4. **After attack** – companies shall have a standard operation procedure (SOP) on how to recover files and services. If companies prepare well, they may return to normal operations within a day; otherwise, they may still be shut down for a week, or even have to pay a ransom. Companies shall prepare for a negotiation. Some professional teams can help with that and lower the ransom amount.

Other things one should and shouldn't do:

1. Should – backup your files and patch up security

2. Shouldn't – threaten attackers

### In your opinion, what are the worst cybersecurity habits that make companies attractive targets for ransomware hackers?

Do not provoke actors! They are more capable than you think. Companies shouldn’t claim themselves as 100% secured or unhackable as tall trees catch much wind. For ransomware prevention, the most important thing is to do backups and put them offline.

### What new threats do you think the public should be ready to take on in the next few years? What security tools should be implemented by every internet user?

Firstly, there will be more ransomware attacks. The reason is that attackers are protected and hidden behind various technologies, such as the dark web (run on Tor), cryptocurrencies, and secured instant messengers. And victims are willing to pay to get files back. It makes ransomware attacks a profitable business.

The second threat is that countries will invest more in cyberattacks, including developing cyber weapons, increasing the power of cyberattacks, and recruiting more talents.

We suggest enterprises and government units invest more in cybersecurity in order to defend against the threats mentioned above. We think the key is cyber threat intelligence rather than tools. When enterprises and government units know more about attackers, they can defend better. As the old saying goes – know the enemy and know yourself in a hundred battles, and you will never be in peril.

### Share with us, what’s next for TeamT5?
We hope to increase our influence through cyber threat intelligence research. We believe our experience, research, and technology shared with more people can help them deal with APT threats.

【Cybernews】Sung-ting Tsai, TeamT5: “companies shouldn’t claim themselves as 100% secured or unhackable”

> 我們很高興受到  [Cybernews](https://cybernews.com/) 專訪，該線上媒體以資安研究為核心，協助人們在日益複雜的數位生活中，走出一條安全的道路。在本次專訪中，執行長蔡松廷(Sung-ting Tsai)分享公司成立的緣起，乃是基於威脅情資研究；並分享我們如何協助客戶防禦勒索軟體入侵。完整訪問內容可參考下方轉載，或至 CyberNews 官網閱讀 ([全文連結](https://cybernews.com/security/sung-ting-tsai-teamt5-companies-shouldnt-claim-themselves-as-100-secured-or-unhackable/)).

**A ransomware attack may be a once-in-a-lifetime event for some, while for others, it is more so of an evergoing battle of wits, technology, and speed, which requires constant diligence and preparations.**

While more and more companies invest in proper cybersecurity measures, both by investing in professional infrastructures and [relying on commercial privacy and data protection management tools](https://cybernews.com/best-password-managers/), not many are involved in actively hunting threats that may as well have already penetrated their defenses.

To discuss such issues, Cybernews sat down with Sung-ting Tsai, the Chief Executive Officer of [TeamT5](https://teamt5.org/en/) – a cybersecurity intelligence firm. We talked about the dos and don’ts in the event of a ransomware attack and what cybersecurity measures are most important to take.

### Tell us about your story. How did TeamT5 originate?

Previously, I worked in a big cybersecurity company and led a research team. I found that clients often got hacked even though we made great solutions. I think the key is we didn’t have insights on attackers’ TTP (tactics, techniques, and procedures) so our defense couldn’t protect clients from those attackers.

Therefore, I became interested in cyber threat intelligence (CTI) research and decided to build TeamT5 to do CTI research. Back then, our team already discovered that the latest and advanced cyberattacks happened in Taiwan first. It gives us advantages to publish in-depth analysis and research.

Our niche is that we have focused on cyberattacks and cyber espionage for a long time. As not many people focus on this area, our research results are even more valuable and help many people and organizations around the world, especially in the US, Japan, and Korea.

Then, we made our reports of cyber threat intelligence into a solution – ThreatVision, a portal to see through the chaos. In 2017, we developed ThreatSonar which is an engine to hunt down intruders. It helps clients to defend against cyberattacks. When others can’t catch malicious cyberattacks – we can.

Since we established, we consider cyber threat intelligence research as the most important task. We have published more than 30 research papers in international cybersecurity seminars and conferences, including Black Hat Asia, SANS Institute – CTI Summit, Virus Bulletin (VT), and CodeBlue. Our findings are recognized by many clients, including one of the top five international banks, top telecom and business groups in Japan, and governmental critical infrastructures in Taiwan.

### Can you tell us a little bit about what you do? What challenges do you help navigate?

Our mission is to become the best partner to defend against advanced persistent threats (APTs).

Clients are facing two challenges:

1. While attackers know a lot about clients, our clients know a little about what they’re facing.
2. Clients don’t have sufficient technology to defend against attackers.

To help a client beat ransomware and cyber espionage, we provide three types of solutions:

1. **Threat Intelligence** – let clients know the enemies well and plan defense strategies.
2. **Defense Technology **– let clients be equipped with good tools in order to hunt down the enemies.
3. **Professional Service** – we work with clients to help them deal with various cyber threats.

### You often emphasize the importance of proactive threat hunting. Can you briefly describe this practice?

Traditionally, the idea of cybersecurity protection is to do multi-layered defense. However, the current problem is that enterprises don’t know whether attackers are already on the intranet.

So, we suggest that “proactive threat hunting” is a better idea for cyber protection nowadays. It means enterprises use our tool ThreatSonar Anti-Ransomware to do active and aggressive scans on logs from SIEM (security information and event management). Enterprises can even apply new screening rules on previous logs to discover previous malicious activities.

### How do you think the recent global events influenced the ways in which threat actors operate?

Looking into cyber attackers' behaviors, you can see that cyberattacks are effective and their impacts are bigger than ever. These impacts can be categorized into two types – one is leaking important information, while the other is data sabotage and ransom.

We observe that more operations with more power are conducted by many countries. Countries are also focusing on information operations (InfoOps). They invest more resources in public opinion operations, social media operations, and media operations. Their goal is to achieve impacts with certain purposes.

Recently, Ukraine conducts such operations really well. It indicates that if there are wars or disputes between counties in the future, such InfoOps will be common scenes.

### In the age of frequent cyberattacks, do you think small businesses and big enterprises require the same security measures?

In fact, it’s unlikely that small businesses apply the same cybersecurity measures as big enterprises. Our suggestion is for small businesses to use the same cybersecurity framework and ideas as big enterprises do. And small businesses shall prioritize each task and start with the most important parts.

We found that the most challenges that small businesses are not willing to invest in are cybersecurity measures. However, it’s important to do that in order to make business operations go smoothly.

### Since ransomware is one of your main fields of focus, could you give us a few tips on what should and shouldn't be done in the event of such an attack?

I advise companies to do defense in four steps:

1. **Threat awareness** – catch up on the latest cyber intelligence to understand the potential threats.

2. **Before attack** – deploy tools and measures to be prepared, e.g. backup your data and deploy anti-ransomware solutions.

3. **During attack** – have tools to see attacks that are happening (which means to make attacks visible); if there are attacks happening, enterprises shall have response measures.

4. **After attack** – companies shall have a standard operation procedure (SOP) on how to recover files and services. If companies prepare well, they may return to normal operations within a day; otherwise, they may still be shut down for a week, or even have to pay a ransom. Companies shall prepare for a negotiation. Some professional teams can help with that and lower the ransom amount.

Other things one should and shouldn't do:

1. Should – backup your files and patch up security

2. Shouldn't – threaten attackers

### In your opinion, what are the worst cybersecurity habits that make companies attractive targets for ransomware hackers?

Do not provoke actors! They are more capable than you think. Companies shouldn’t claim themselves as 100% secured or unhackable as tall trees catch much wind. For ransomware prevention, the most important thing is to do backups and put them offline.

### What new threats do you think the public should be ready to take on in the next few years? What security tools should be implemented by every internet user?

Firstly, there will be more ransomware attacks. The reason is that attackers are protected and hidden behind various technologies, such as the dark web (run on Tor), cryptocurrencies, and secured instant messengers. And victims are willing to pay to get files back. It makes ransomware attacks a profitable business.

The second threat is that countries will invest more in cyberattacks, including developing cyber weapons, increasing the power of cyberattacks, and recruiting more talents.

We suggest enterprises and government units invest more in cybersecurity in order to defend against the threats mentioned above. We think the key is cyber threat intelligence rather than tools. When enterprises and government units know more about attackers, they can defend better. As the old saying goes – know the enemy and know yourself in a hundred battles, and you will never be in peril.

### Share with us, what’s next for TeamT5?
We hope to increase our influence through cyber threat intelligence research. We believe our experience, research, and technology shared with more people can help them deal with APT threats.

【Cybernews 專訪】TeamT5 執行長蔡松廷表示企業不宜宣稱自身100%不會被駭入

News

全球資安盛會「亞洲黑帽安全大會」（Black Hat Asia, BHASIA）今年以線上方式舉辦，自 2021 年 5 月 4 日至 7 日（新加坡時間 UTC+8），為期四天的精彩議程（Black Hat Briefing）、專業深入培訓（Training），以及最新開源駭客工具的展示（Black Hat Arsenal），由頂尖資訊安全專家們傳授最新、第一手的技術與研究發現。

TeamT5 威脅情資研究員們也登上今年的 BHASIA，發表兩場最新研究，與世界各地的資安研究人員交流最新的資訊安全風險、研究與趨勢。「[Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network](https://www.blackhat.com/asia-21/briefings/schedule/#memimg-memory-resident-malware-detection-via-convolution-neural-network-22262)」由 TeamT5 技術長 Charles 與惡意程式研究員 Aragorn 介紹過去一年間發現的 APT 新攻擊手法，並發表他們基於 Mem2Img 框架的研究如何面對日新月異的惡意程式變種與變形，以及可能面臨的攻擊。

![Mem2Img.png](https://uploads.teamt5.org/upload/original/pic1_teamt5-on-black-hat-asia-2021.png)
_TeamT5 研究員發表基於 Mem2Img 框架如何分類記憶體中的惡意程式，並提出該框架可能面臨的攻擊。_

 

另一場演講「[“We Are About to Land”: How CloudDragon Turns a Nightmare Into Reality](https://www.blackhat.com/asia-21/briefings/schedule/index.html#we-are-about-to-land-how-clouddragon-turns-a-nightmare-into-reality-22252)」，則由我們的資深威脅情資分析師 Linda 與惡意程式研究員 DuckLL，獨家揭露 TeamT5 持續追蹤的北韓 APT 攻擊族群 CloudDragon 的攻擊行為與入侵的防禦偵測手法，包括該族群如何分群的介紹，以及三大亮點：加密貨幣產業的供應鏈攻擊（supply chain attack）、跨平台的惡意軟體攻擊、自動化更新的釣魚網頁內容。

![who_is_CloudDragon_1.png](https://uploads.teamt5.org/upload/original/pic2_teamt5-on-black-hat-asia-2021.png)
_TeamT5 威脅情資研究員向大家介紹 CloudDragon 為何分群以及如何分群_

![clouddragon_2.png](https://uploads.teamt5.org/upload/original/pic3_teamt5-on-black-hat-asia-2021.png)
_CloudDragon 利用包括韓國本土與世界性的網路服務提供商進行惡意攻擊_

 

## 關於黑帽大會（Black Hat）

黑帽大會（Black Hat）每年聚集全球資訊安全專家、優秀研究人員於一堂，透過資安研究、開發與最新趨勢交流，鼓勵學術界、世界級研究人員與各領域決策及領導者間的合作、成長。黑帽簡報會（Black Hat Briefing）與培訓（Training）每年也都在美國、歐洲與亞洲舉行，匯集全球資安頂尖人員參與盛會。

 

*圖片來源：[Black Hat](https://www.blackhat.com/asia-21/)

[BlackHat Asia] TeamT5 研究員登上亞洲黑帽安全大會

世界的な情報セキュリティイベント「ブラックハットアジア（Black Hat Asia）」（BHASIA）が、今年は2021年5月4日から7日（シンガポール時間 UTC+8）までオンラインで開催されました。4日間の開催期間で素晴らしいブリーフィング（Black Hat Briefing）、専門的かつ詳細なトレーニング（Training）、最新のオープンソースハッキングツールの展示（Black Hat Arsenal）、トップクラスの情報セキュリティ専門家たちによる最新の技術や研究による発見の共有などが行われました。

TeamT5の脅威インテリジェンス研究員たちも今年のBHASIAに参加して2つの最新の研究結果を発表し、世界各地の情報セキュリティ研究員と最新の情報セキュリティリスク、研究、トレンドについて交流しました。「[Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network](https://www.blackhat.com/asia-21/briefings/schedule/#memimg-memory-resident-malware-detection-via-convolution-neural-network-22262)」では、TeamT5のCharles技術長とマルウェア研究員のAragornが過去1年間に発見したAPT攻撃の手法のほか、日々変化するマルウェアの亜種や変種、起こりうる攻撃への対応方法について、Mem2Imgのフレームワークに基づいた研究を発表しました。

![Mem2Img.png](https://uploads.teamt5.org/upload/original/pic1_teamt5-on-black-hat-asia-2021.png)
_TeamT5の研究員は、Mem2Imgのフレームワークに基づいたメモリ内のマルウェアの分類方法および同フレームワークに対する攻撃の可能性を紹介しました_

 

もう一つの発表、「[“We Are About to Land”: How CloudDragon Turns a Nightmare Into Reality](https://www.blackhat.com/asia-21/briefings/schedule/index.html#we-are-about-to-land-how-clouddragon-turns-a-nightmare-into-reality-22252)」では、当社のシニア脅威インテリジェンスアナリストであるLindaとマルウェア研究員のDuckLLが、TeamT5が独自に追跡し続けてきた北朝鮮のAPT攻撃グループ「CloudDragon」の攻撃行動、侵入防御、検出方法を明らかにしました。内容には、グループ化の方法および3つのハイライト「暗号通貨業界におけるサプライチェーン攻撃（supply chain attack）、クロスプラットフォームのマルウェア攻撃、自動的にアップデートされるフィッシングサイトのコンテンツ」も含まれました。

![who_is_CloudDragon_1.png](https://uploads.teamt5.org/upload/original/pic2_teamt5-on-black-hat-asia-2021.png)
_TeamT5の脅威インテリジェンス研究員によるCloudDragonをグループ化する理由と方法の紹介_

![clouddragon_2.png](https://uploads.teamt5.org/upload/original/pic3_teamt5-on-black-hat-asia-2021.png)
_CloudDragonは韓国および世界のインターネットサービスプロバイダを利用してマルウェア攻撃をしている_

 

## ブラックハット（Black Hat）について

ブラックハット（Black Hat）では、毎年世界の情報セキュリティ専門家、優秀な研究員が一堂に会します。情報セキュリティの研究開発や最新のトレンドについて交流することで、学界、世界レベルの研究員、各分野における意思決定、リーダー同士の協力、成長が促進されます。ブラックハットブリーフィング（Black Hat Briefing）とトレーニング（Training）は、世界トップクラスの情報セキュリティ担当者が参加するイベントで、毎年アメリカ、ヨーロッパ、アジアで開催されます。

 

*画像のソース: [Black Hat](https://www.blackhat.com/asia-21/)

【Black Hat Asia】TeamT5の研究員がブラックハットアジア（Black Hat Asia）に参加

Events

In 2022 event, TeamT5’s cyber threat intelligence analysts Che Chang and Silvia Yeh present their research of 2 Chinese InfoOp campaigns in 2020/2021 (#StopXinjiangRumours and #PatriotGoverningHongKong) by using the Adversarial Misinformation and Influence Tactics and Techniques framework at CTI Summit.

The slides of the speech can be downloaded on the official website.
➡ [Download Link](https://www.sans.org/presentations/clip-addiction-a-threat-intelligence-approach-to-video-based-chinese-infoops/?utm_source=website&utm_medium=website)

The video is on the official channel now. 
➡ [Video Link](https://youtu.be/I2gMDEYo2Bo)

![CTI Summit 2022_pic.png](https://uploads.teamt5.org/upload/original/pic_sans-institute-cti-summit-2022.png)
<center>Diamond Model of Video-Based InfoOps Analysis</center>


## About CTI Summit

CTI Summit is organized by SANS Institute annually. It’s an international event that gathers experts to give talks. And it provides opportunities for professionals to connect and network with the threat intel community.


*Image courtesy of [SANS Institute](https://www.sans.org/apac/)

TeamT5 Presents Latest Analysis on Information Operation on CTI Summit 2022 

TeamT5 威脅情資分析師 Che Chang 與 Silvia Yeh 於今年度 CTI Summit 演講。本次演講從威脅情資的角度，分析2020~2021期間，充斥於網路社群空間的短影片，如何被用來作為中國資訊作戰(information operation)的武器。 

演講簡報現可於官網下載，連結[請點此](https://www.sans.org/presentations/clip-addiction-a-threat-intelligence-approach-to-video-based-chinese-infoops/?utm_source=website&utm_medium=website)

演講影片現可於 Youtube 觀賞，連結[請點此](https://youtu.be/I2gMDEYo2Bo)

![CTI Summit 2022_pic.png](https://uploads.teamt5.org/upload/original/pic_sans-institute-cti-summit-2022.png)
<center>資訊作戰之分析模型</center>




## 關於 CTI Summit
CTI Summit 由國際知名的資安研暨及學術教育組織 SANS Institute 主辦，為資訊安全專家、稽核員、網管系統管理人員等資安界專業人士，提供資訊安全教育課程與技術研討會。

*首圖來源: [SANS Institute](https://www.sans.org/apac/)

TeamT5 於 CTI Summit 2022 分享最新威脅情資研究

## Brief
In 2021, we discovered an open directory on Huapi’s C2. We found the source code contained an exploit aiming at Mikrotik routers. More specifically, our analysis found that the exploit would allow the attackers to send specially crafted payloads to achieve Remote Code Execution (RCE) via WAN without any authentications. The targeted RouterOS products include mikrotik-tile-6.46.8, mikrotik-vm-64.8, and mikrotik-vm-6.48.

TeamT5 alerted Mikrotik to patch this vulnerability upon discovery. The patch for this vulnerability was released on 2021/11/17 and can be downloaded from the official Mikrotik website. All affected organizations should update their RouterOS immediately to avoid actors’ exploitation.

HUAPI (aka BlackTech, Palmerworm, or PLEAD) has been active since 2007 and has been targeting Taiwan for over a decade. Huapi’s malwares are highly sophisticated, and some of them use unique anti-analysis packers. Some of Huapi’s malware utilized a modified RC4 algorithm to encrypt the malicious C2 communication. Huapi focused on governmental entities, technology or telecommunication industries, and think tanks. Our observation suggested that over half of the victims were governmental agencies in Taiwan, the United States, Japan, and South Korea.

### Attack vector
As a powerful and easy-to-use router, Mikrotik routerboard supports SCEP (Simple Certificate Enrollment Protocol), a service that was designed for simple certificate delivery. During transport, the binary data is encoded in Base64 via HTTP GET. Unfortunately, when processing the data from the payload, a miscalculation may occur if the payload is not properly formatted, potentially resulting in a Heap-based Buffer Overflow.

The open directory we had discovered contained exploit code that targeted ```mikrotik-tile-6.46.8```, ```mikrotik-vm-64.8``` and ```mikrotik-vm-6.48```, along with their corresponding shellcode snippets. In the following sections, we will be analyzing the exploit code that was designed for ```mikrotik-vm-6.46.8```.

#### Root cause analysis
By sending the following payload, we can cause the service ```www``` to crash and potentially trigger a Heap-based Buffer Overflow.

 ```GET /scep/{scep_server_name}?operation=PKIOperation&message={} HTTP/1.1\r\n```

The crash can be traced back to the function ```base64Decode```, located under ```ScepRequest::parseRequest``` from ```/nova/lib/www/scep.p```. When unpacking the Base64 request, the following code is used to calculate the output buffer size,

```output_buffer_length = 3 * (input_buffer_length >> 2)```

…which may cause a miscalculation of the output buffer, resulting in an insufficient memory allocation from ```malloc```, leading to a heap overflow.

![Mikrotik 1.png](https://uploads.teamt5.org/upload/original/pic1_vulnerability-mikrotik-cve-2021-41987.png)


#### What happened?

For instance, we assume that the our input data is ```xxxxxxxxxxxxxxxxhCE```, and the length of input buffer is 19. Based on the decompiled code, ```out_len = 3 * (input_len >> 2)``` which is ```out_len = 3 * (input_len // 4)``` (double slashes represent integer division), thereby allocating 12 bytes as decoded data buffer. However, the decoded data buffer should be 14 bytes instead of 12. This oversight allows the attacker to overwrite data in heap.

#### Overview of the exploit flow
According to the chunk-recycling mechanism, by overwriting the chunk size of a chunk in bins to a larger value (```0x4121```), the next ```malloc``` call will return a heap chunk overlapped with allocated chunks. This will lead to a heap overflow when writing to the chunk.

The part which will be overwritten is a vtable pointer in a destructor (```sub_8052E90```) function, and by setting the register ```edx``` to ```0x8061a74```, the instruction ```call [edx+4]``` will execute the gadget at ```0x8058e89``` ( ```xchg eax, ebp; ret;``` ) and execute the shellcode after pivoting the stack to the attacker-owned buffer.

![Mikrotik 2.png](https://uploads.teamt5.org/upload/original/pic2_vulnerability-mikrotik-cve-2021-41987.png)


#### Heap spray
The attacker can begin heap spraying by requesting 64 concurrent connections, and close some of them in order to let the vtable pointer be overwriten by the heap overflow later.

![Mikrotik 3.png](https://uploads.teamt5.org/upload/original/pic3_vulnerability-mikrotik-cve-2021-41987.png)

The function ```aaaa``` assembles the ROP gadgets, and the variable ```sc``` contains the shellcode for execution.
![Mikrotik 4.png](https://uploads.teamt5.org/upload/original/pic4_vulnerability-mikrotik-cve-2021-41987.png)

#### Trigger heap overflow
The function ```bbbb``` sends the payloads to the victim server in the aforementioned format.

![Mikrotik 5.png](https://uploads.teamt5.org/upload/original/pic5_vulnerability-mikrotik-cve-2021-41987.png)
![Mikrotik 6.png](https://uploads.teamt5.org/upload/original/pic6_vulnerability-mikrotik-cve-2021-41987.png)

The parameter message (```'x'*801*4+'hCE'```) in the function ```bbbb``` will overwrite the size of next chunk. Here in gdb , it shows that the parameter message has been decoded to ```c7 1c 71 84 21``` at ```0x80859f0```, and the last byte ```\x21``` has been written as the next chunk size at ```0x80859f4```.

![Mikrotik 7.png](https://uploads.teamt5.org/upload/original/pic7_vulnerability-mikrotik-cve-2021-41987.png)

#### Attempting to retrieve the oversized chunk on heap
![Mikrotik 8.png](https://uploads.teamt5.org/upload/original/pic8_vulnerability-mikrotik-cve-2021-41987.png)

In order to retrieve the overflowed chunk, we need to send out more request. At some point, the register ```edx``` will be set to ```0x8061a74``` when the attempt reaches ```i=3```.

![Mikrotik 9.png](https://uploads.teamt5.org/upload/original/pic9_vulnerability-mikrotik-cve-2021-41987.png)

#### Trigger destructor
The final step of the exploit, set off destructor  ```call [edx+4]``` by closing connections.
![Mikrotik 10.png](https://uploads.teamt5.org/upload/original/pic10_vulnerability-mikrotik-cve-2021-41987.png)

#### Fingers crossed
Thanks to the heap spraying at the initial phase of the exploit, the data in the address ```0x8061a74``` will be modified, thus the instruction ```call [edx+4]``` will end up calling ```0x8058e89``` instead (the address of gadget ```xchg eax, ebp; ret;```) and start executing our gadgets.

![Mikrotik 11.png](https://uploads.teamt5.org/upload/original/pic11_vulnerability-mikrotik-cve-2021-41987.png)

Once the gadgets have been hit, ```0x8058e89: xchg eax, ebp; ret``` and ```0x8052eb9: leave``` will allow us to pivot from the stack to the controllable buffer and start to execute our ROP chain from ```0x804fbfc```.

The ROP chain will try to increase the address of ```open``` to the address of ```mprotect```, and the ```0x804fc04: pop esp; ret;``` will set ```esp``` to ```0x8061a74+8``` to wrap up the ROP chain. Lastly, calling ```mprotect``` and jump right into the shellcode (```0x8061674```).

![Mikrotik 12.png](https://uploads.teamt5.org/upload/original/pic12_vulnerability-mikrotik-cve-2021-41987.png)

In the exploit, the shellcode can be interpreted as ```unlink('/nova/store/user.data') + sync() + reboot()```, after the target device has finished rebooting. The attacker should then be able to login into web service as admin without a password.

### Conclusion
To wrap up, let’s go over the exploit code once again:

**1. Low stability**

- Since ```add()``` does not work in our favor and that ASLR is enabled by default, the exploit chain may fail on the first try.
- Occasionally, even though the ```/nova/store/user.dat``` file will be deleted, the device does not end up rebooting. The shellcode may require extra improvements to make it more stable.
- Even in best case scenario, the success rate is only about 5~6%.
- Thankfully, in the event where the attack attempt fails, the watchdog process will restart the ```www``` service for us. This ensures stability and allows the attacker to not cause noticeable disruption during the attack.

**2. Strict prerequisites**

- The attacker must be aware of the path name ```scep_server_name``` before being able to begin such attack.

**3. Disclosure Timeline**

```2021/07/11```: Acquire exploit codes from the open directory

```2021/10/04```: Responsible disclosure to Mikrotik and reserved CVE-2021-41987

```2021/11/17```: Official patch released

```2022/03/01```: Full disclosure released

**4. Affected versions of RouterOS**
- ```6.46.8```
- ```6.47.9```
- ```6.47.10```

### About TeamT5 D39
D39 is committed to the field of vulnerability security and vulnerability discovery. The research scope includes systems and devices that are connected to the Internet, such as mobile devices, IoT devices, Linux, and Windows. Our team has held a number of critical or important vulnerabilities and has conducted presentations across various major security conferences, such as Blackhat, HITCON, etc.

Exploit research has always been one of the most advanced fields in network attack and defense. TeamT5 expects to invest resources to cultivate more talents to enter this field, and expects to have more and more world-leading vulnerability research talents in Taiwan. We welcome those who dare to face unknown challenges, are committed to vulnerability research and discovery, and have independent research capabilities to join us. 🤝

### Reference
- https://wiki.mikrotik.com/wiki/Manual:System/Certificates
- https://en.wikipedia.org/wiki/Base64

*Image courtesy of Pixabay

Vulnerability Exposure & Notification on Mikrotik (CVE-2021-41987) 

## 前言
APT 駭客組織 Huapi 自 2007 年開始活躍至今，攻擊台灣超過 10 年的時間。TeamT5 觀察到 Huapi 所開發的惡意程式，有時會使用加殼來阻擋研究人員分析，且通常會使用修改後的 RC4 演算法來加密傳輸。Huapi 長期攻擊政府、高科技、電信或研究智庫單位，根據 TeamT5 的統計結果，超過 5 成的受害單位為政府機關，受害國家包含台灣、美國、日本及南韓，其中針對台灣政府機關進行入侵攻擊為多。

仰賴於長期的追蹤及觀察，我們在一台中繼站發現公開目錄，目錄中存在一組針對 Mikrotik SCEP 服務的 0day 攻擊程式碼。在確定弱點存在後，我們也將弱點的相關成因回報給 Mikrotik 官方，讓官方可以在第一時間內進行修補開發，以避免該弱點繼續被惡意攻擊者進行利用。

Mikrotik 官方於 2021/11/17 釋出了修正版本，請有使用到受影響版本的用戶盡速升級，以免遭受危害。這裡我們將完整揭露攻擊程式的利用細節及漏洞原理，讓我們一窺 APT 駭客組織都是怎麼為達目的、不擇手段。

### 攻擊程式包分析
作為一個功能強大且簡單易用的路由器，Mikrotik routerboard 也支援簡單憑證註冊通訊協定(Simple Certification Enrolling Protocol, SCEP)，來讓其他終端裝置可以簡便的取得所需之憑證。在協定交互的過程中，所有二進位資訊都會使用 base64 編碼之後再進行傳送，但由於 Mikrotik SCEP 服務在進行 base64 解碼的時候計算錯誤，會導致 Heap-based buffer overflow 的發生。

攻擊程式碼(以下簡稱 exploit)總共包含了針對三個不同版本的 exploit code 分別是 ```mikrotik-tile-6.46.8```、```mikrotik-vm-64.8```與```mikrotik-vm-6.48```，及其相對應版本的 shellcode 用以攻擊成功之後執行額外的惡意指令。

以下是我們針對版本 ```mikrotik-vm-6.46.8``` 進行的exploit分析。

### 弱點根因
透過一個簡單的 HTTP 請求:

```GET /scep/{scep_server_name}?operation=PKIOperation&message={} HTTP/1.1\r\n```

將可以很容易的讓 ```www``` 這個負責 HTTP 服務的 binary 崩潰，並被 watchdog 重新啟動。

經過一番逆向工程後可以發現，位於 ```/nova/lib/www/scep.p``` 中的 ```ScepRequest::parseRequest```，在解開 base64 編碼的 ```message``` 參數時，由於計算解編碼後的資料長度出現錯誤，導致 malloc 分配出來的大小不足，進而造成 heap overflow：
![Mikrotik 1.png](https://uploads.teamt5.org/upload/original/pic1_vulnerability-mikrotik-cve-2021-41987.png)

### 讓 Base64 變成漏洞，是不是搞錯了什麼 ?
舉例來說，假設我們的輸入資料是 ```xxxxxxxxxxxxxxxxhCE``` 長度為 19，依照逆向後的程式邏輯來看，SCEP 計算出解編碼後的長度是12 ``` out_len = 3 * (in_len // 4)``` (這邊的 ```//``` 為整數除法)。但實際上解編碼後的資料長度為 14，這就直接導致了 heap 上的資料被覆蓋的問題。

### 漏洞利用
透過分析 exploit code 我們可以發現，攻擊者使用上述漏洞將 bins 中的某個 chunk size 改大 (0x4121)，之後再次 malloc 將會拿到這個過大的 chunk 屆時便可以覆寫 heap 上的內容。

覆蓋某個 destructor 中會用到的 vtable pointer，將 ```edx``` 改成 ```0x8061a74``` 使得 ```call [edx+4]``` 執行位於 ```0x8058e89``` 的 gadget (```xchg eax, ebp; ret;```)。

![Mikrotik 2.png](https://uploads.teamt5.org/upload/original/pic2_vulnerability-mikrotik-cve-2021-41987.png)

#### 堆噴灑
首先發起 64 個請求做 heap spray 將我們要的 gadget 與 shellcode 隨著連線請求灑到 heap 上，並將其中一些連線關閉來讓 heap chunk 可以被 overflow 覆蓋到 vtable pointer。

![Mikrotik 3.png](https://uploads.teamt5.org/upload/original/pic3_vulnerability-mikrotik-cve-2021-41987.png)

這裡用到的 function ```aaaa``` 會將後續所需要的 ROP gadgets 組合起來，function 中的變數 ```sc``` 表示後面會被執行到的 shellcode。

![Mikrotik 4.png](https://uploads.teamt5.org/upload/original/pic4_vulnerability-mikrotik-cve-2021-41987.png)

#### 觸發堆溢出
透過呼叫 function ```bbbb``` 會將我們的 payload 使用前面提過的型式送出用以觸發 heap overflow。

![Mikrotik 5.png](https://uploads.teamt5.org/upload/original/pic5_vulnerability-mikrotik-cve-2021-41987.png)
![Mikrotik 6.png](https://uploads.teamt5.org/upload/original/pic6_vulnerability-mikrotik-cve-2021-41987.png)

在 function 中的參數 message ```'x'*801*4+'hCE'```，會在 base64 解編碼的同時由於前述的計算錯誤，將導致下一個 chunk 的 size 會剛好被覆蓋到。
![Mikrotik 7.png](https://uploads.teamt5.org/upload/original/pic7_vulnerability-mikrotik-cve-2021-41987.png)


#### 嘗試重新取得被覆蓋到 size 的 chunk
後續透過繼續新增請求的方式，嘗試取得被改大的 chunk，overflow 的內容可以改到在 vtable 裡的 pointer。

![Mikrotik 8.png](https://uploads.teamt5.org/upload/original/pic8_vulnerability-mikrotik-cve-2021-41987.png)


在 ```i=3``` 時，會讓 ```edx``` 的值改成 ```0x8061a74```。
![Mikrotik 9.png](https://uploads.teamt5.org/upload/original/pic9_vulnerability-mikrotik-cve-2021-41987.png)


#### 觸發 destructor

最後透過關閉連線的方式，觸發 destructor ```call [edx+4]```
![Mikrotik 10.png](https://uploads.teamt5.org/upload/original/pic10_vulnerability-mikrotik-cve-2021-41987.png)


#### 幸運爆擊
由於一開始的 heap spray，```0x8061a74``` 會變成某個一連線時填入的內容，因此 ```call [edx+4]``` 會變成呼叫 ```0x8058e89```。

![Mikrotik 11.png](https://uploads.teamt5.org/upload/original/pic11_vulnerability-mikrotik-cve-2021-41987.png)


一旦成功進到 ROP gadget，這個 ROP chain，會將 ```open@got``` 改成 ```mprotect```，使用 gadgets，嘗試把 ```open``` 變成 ```mprotect```。

![Mikrotik 12.png](https://uploads.teamt5.org/upload/original/pic12_vulnerability-mikrotik-cve-2021-41987.png)



```0x804fc04: pop esp; ret;``` 會把 ```esp``` 改成 0x8061a74+8，接回完整 ROP chain。 最後呼叫 ```mprotect``` 使執行流進到 shellcode (```0x8061674```) 上執行。

該份 exploit 中 shellcode 的內容為，```unlink('/nova/store/user.dat') + sync() + reboot()```。 等待重新啟動之後可以發現 Web 介面可以不使用密碼直接登入。

### 結論
透過上面的分析可以發現這個攻擊程式碼(exploit)有幾個侷限性：

**1. 穩定性較低**
- 由於 ```add()``` 沒有處理進位，又有 ASLR 的緣故，運氣不好的話將直接導致攻擊失敗。
- 在嘗試重現的過程中我們也發現到，有時候 shellcode 已經正常執行 (```/nova/store/user.dat``` 已經被刪除)，卻未如預期般重新啟動，這部分需要改進 shellcode 來增加成功機率。
- 在嘗試重現的同時，我們也試圖透過修改 exploit 及 shellcode 來增加其穩定性，但最後成功率仍只有約略為 5~6%。
- 唯一值得慶幸的是，倘若攻擊失敗也只是會造成 ```www``` crash 後被 watchdog 重新啟動，並不會對使用上造成太大困擾或是引起使用者注意。

**2. 攻擊前提嚴格**

如根因所述，```scep_server_name``` 須為已知，若沒有這個 path 基本上也無法進行攻擊。

**3. 回報時間軸**

- ```2021/07/11```: 在 C2 發現 exploit code
- ```2021/10/04```: 回報給 Mikrotik 官方, 保留編號 CVE-2021-41987
- ```2021/11/17```: Mikrotik 官方釋出更新修正該弱點
- ```2022/03/01```: 公開 CVE-2021-41987 相關細節

**4. RouterOS 受影響版本**

- ```6.46.8```
- ```6.47.9```
- ```6.47.10```

### 關於 TeamT5 D39 漏洞研究團隊
D39 致力於弱點安全與漏洞挖掘領域，研究範圍包含 Mobile、IOT、Linux、Windows 等有機會連網的系統與裝置都是我們的目標（笑），團隊擁有多項重大（Critical）或重要（Important）之安全漏洞，並於 Blackhat、HITCON、POC 等國際會議擔任講者。

攻擊程式碼(exploit)研究一直是網路攻防裡面最高深的技術之一，TeamT5 期許投入資源來培養更多人才進入這個領域，期待台灣能有越來越多世界頂尖的弱點研究人才。歡迎勇於面對未知挑戰，致力於漏洞研究、挖掘為目標，並具有獨立研究能力者一同加入我們 🤝

### 參考
- https://wiki.mikrotik.com/wiki/Manual:System/Certificates
- https://en.wikipedia.org/wiki/Base64

*首圖來源: Pixabay

Mikrotik 漏洞揭露與通報 (CVE-2021-41987)

## はじめに
APTのハッカー組織Huapiは、2007年から活動を開始し、10年以上台湾に攻撃を仕掛けています。TeamT5は、Huapiが開発したマルウェアについて、研究員の解析を防ぐためにパッキングされていることがあり、通常は変更されたRC4のアルゴリズムで暗号化して送信されることを確認しました。Huapiは長期にわたり政府、ハイテク、電気通信、研究、シンクタンク機関を攻撃しており、TeamT5の統計では、被害者の50%以上が政府機関となっています。台湾、アメリカ、日本、韓国などが被害を受けており、多くの侵入や攻撃が台湾の政府機関を狙ったものであることが確認されました。

長期的な追跡と観察により、当社はC&Cサーバでの公開ディレクトリにMikrotik SCEPサービスを対象とした0dayエクスプロイト一式が含まれていることを発見しました。脆弱性の存在を確認した後、当社は脆弱性が発生する原因をMikrotikに報告しました。これにより、直ちに修正パッチを開発し、この脆弱性を利用した継続的なマルウェアの攻撃を防ぐことができました。

Mikrotikは、2021年11月17に公式の修正バージョンを公開しています。影響を受けるバージョンを使用しているユーザーは、被害を避けるためにできるだけ早くアップデートしてください。当社はここで攻撃プログラムの詳細と脆弱性が生まれる原理の詳細を明らかにします。目的のためなら手段を選ばないAPTハッカー組織のやり方を見てみましょう。

### 悪意のあるパッケージの解析
Mikrotik routerboardは、強力な機能性と簡易性を備えたルーターとして、他の端末装置が必要な証明書を簡単に取得できるよう、SCEP（Simple Certification Enrolling Protocol）をサポートしています。プロトコルの相互作用において、すべてのバイナリデータはbase64エンコード後に送信されますが、Mikrotik SCEPサービスによるbase64デコードの計算エラーが、Heap-based buffer overflowを引き起こします。

エクスプロイト（exploit）には、3つのバージョンを対象としたexploit code```mikrotik-tile-6.46.8```、```mikrotik-vm-64.8```、```mikrotik-vm-6.48```および攻撃成功後にコマンドインジェクションを追加するため、バージョンに応じたshellcodeが含まれています。

以下は、当社がバージョン```mikrotik-vm-6.46.8```に対して行ったexploitの解析です。

### 脆弱性の根本的な原因

シンプルなHTTPリクエスト：

 ```GET /scep/{scep_server_name}?operation=PKIOperation&message={} HTTP/1.1\r\n``` 

```www``` というHTTPサービスを担うbinaryを簡単に破壊し、watchdogで再起動することができます。

リバースエンジニアリングにより、 ```/nova/lib/www/scep.p``` の ```ScepRequest::parseRequest``` がbase64エンコードの ```message``` パラメータをデコードする時、データの長さの計算にエラーが発生することでmallocの割り当てが不足し、heap overflowが発生することを発見しました。
 
![Mikrotik 1.png](https://uploads.teamt5.org/upload/original/pic1_vulnerability-mikrotik-cve-2021-41987.png)
 

### Base64が脆弱性になるのは、何かの間違いではないか
例えば、 ```xxxxxxxxxxxxxxxxhCE``` という長さ19のデータを入力した場合、リバースエンジニアリング後のプログラミングロジックの観点から、SCEPはデコード後の長さを12として計算します。 ``` out_len = 3 *（in_len // 4）``` （ここでの```//```は整数の除法です）。しかし、実際のデコード後のデータの長さは14で、これがheapのデータが上書きされる問題につながります。

### 脆弱性の利用
当社は、exploit codeの解析により、攻撃者は上記の脆弱性を利用してbinsの特定のchunk sizeをより大きなサイズの（0x4121）に変更し、続いてmallocが大きくなったchunkを取得する時にheapの内容を上書きすることを発見しました。

特定のdestructorで使用されるvtable pointerを上書きして ```edx``` を ```0x8061a74``` に変更し、 ```call [edx+4]``` が ```0x8058e89``` のgadgetを実行するようにします（ ```xchg eax, ebp; ret;``` ）。
 
![Mikrotik 2.png](https://uploads.teamt5.org/upload/original/pic2_vulnerability-mikrotik-cve-2021-41987.png)
 
#### ヒープスプレー
はじめに、64のheap sprayをリクエストし、接続リクエストと同時に必要なgadgetとshellcodeをheapにスプレーします。heap chunkのoverflowによってvtable pointerが上書きされるように一部の接続は閉じられます。
 
![Mikrotik 3.png](https://uploads.teamt5.org/upload/original/pic3_vulnerability-mikrotik-cve-2021-41987.png)
 
ここで使用されるfunction ```aaaa``` は、後で必要となるROP gadgetsを組み合わせます。functionの変数```sc```は、後で実行されるshellcodeを示しています。
 
![Mikrotik 4.png](https://uploads.teamt5.org/upload/original/pic4_vulnerability-mikrotik-cve-2021-41987.png)
 
#### ヒープオーバーフローのトリガー
function ```bbbb``` を呼び出すと、前述のパターンでheap overflowをトリガーする当社のpayloadが送信されます。
 
![Mikrotik 5.png](https://uploads.teamt5.org/upload/original/pic5_vulnerability-mikrotik-cve-2021-41987.png)
![Mikrotik 6.png](https://uploads.teamt5.org/upload/original/pic6_vulnerability-mikrotik-cve-2021-41987.png)
 
functionのパラメータ message ```'x'*801*4+'hCE'``` は、base64デコードと同時に前述の計算エラーにより、次のchunkのsizeがちょうど上書きされます。
 
![Mikrotik 7.png](https://uploads.teamt5.org/upload/original/pic7_vulnerability-mikrotik-cve-2021-41987.png)
 

#### sizeが上書きされたchunkの再取得を試みる
続いて、リクエストを追加し続け、サイズを大きくされたchunkの取得を試みることで、overflowの内容をvtableのpointerに変更することができます。
 
![Mikrotik 8.png](https://uploads.teamt5.org/upload/original/pic8_vulnerability-mikrotik-cve-2021-41987.png)
 

```i=3``` の時、 ```edx``` の値が ```0x8061a74``` になります。
 
![Mikrotik 9.png](https://uploads.teamt5.org/upload/original/pic9_vulnerability-mikrotik-cve-2021-41987.png)
 

#### destructorのトリガー 


最後に接続を閉じることで、destructor ```call [edx+4]```をトリガーします。
![Mikrotik 10.png](https://uploads.teamt5.org/upload/original/pic10_vulnerability-mikrotik-cve-2021-41987.png)


#### 幸運を祈る
最初のheap sprayにより、 ```0x8061a74``` のデータアドレスが変更されるため、 ```call [edx+4]``` が ```0x8058e89``` を呼び出すようになります。
 
![Mikrotik 11.png](https://uploads.teamt5.org/upload/original/pic11_vulnerability-mikrotik-cve-2021-41987.png)
 

ROP gadgetへのアクセスが一度成功すると、このROP chainが ```open@got``` を ```mprotect``` に変更し、gadgetsを使用して ```open``` を ```mprotect``` に変更しようとします。

![Mikrotik 12.png](https://uploads.teamt5.org/upload/original/pic12_vulnerability-mikrotik-cve-2021-41987.png)



```0x804fc04: pop esp; ret;``` は ```esp``` を0x8061a74+8に変更し、完全なROP chainに再接続します。 最後に ```mprotect``` を呼び出し、shellcode ( ```0x8061674``` )にジャンプして実行します。

このexploitのshellcodeの内容は、 ```unlink('/nova/store/user.dat') + sync() + reboot()``` です。 再起動後、Webインターフェースでパスワードを使わなくてもログインできることが確認できます。


### 結論
上記の解析により、このエクスプロイト（exploit）には、いくつかの制限があることを確認しました：

**1. 安定性が低い**
- ```add()``` は、けた上げ数を処理せず、ASLRがあることから、運が悪ければ攻撃の失敗に直接つながります。
- 再現を試みる過程で、当社もshellcodeが正常に実行されているにも関わらず（ ```/nova/store/user.dat``` が削除されている）、予想通りに再起動しないことがあることを発見しました。この部分については、shellcodeを改良して成功率を上げる必要があります。
- 再現を試みながら、当社もexploitとshellcodeの修正により安定性を高めようとしましたが、最終的な成功率は約5～6%にすぎませんでした。
- 唯一幸いだったのは、攻撃が失敗しても ```www``` がcrashしてwatchdogが再起動されるだけで、使用上に大きな問題はなく、ユーザーの目につくこともないという点です。


**2. 攻撃のための厳しい前提条件**

根本的な原因として述べたように、 ```scep_server_name``` を認識している必要があり、このpathがなければ、基本的に攻撃することはできません。

**3. 開示のタイムライン**

- ```2021/07/11``` : C2でexploit codeを発見
- ```2021/10/04``` : Mikrotikに報告、識別番号CVE-2021-41987を予約
- ```2021/11/17``` : Mikrotikがこの脆弱性を修正するアップデートを公開
- ```2022/03/01``` : CVE-2021-41987に関する詳細を開示

**4. 影響を受けるRouterOSのバージョン**

- ```6.46.8``` 
- ```6.47.9``` 
- ```6.47.10``` 

### TeamT5 D39脆弱性研究チームについて
D39は脆弱性のセキュリティと脆弱性の発掘に取り組んでおり、研究範囲には、Mobile、IOT、Linux、Windowsなど、インターネットに接続されるシステムやデバイスのすべてが含まれます。重大（Critical）または重要（Important）なセキュリティ脆弱性に関する豊富な経験を有し、Blackhat、HITCON、POCなど国際的なカンファレンスで講演を行っています。

エクスプロイト（exploit）の研究は常にインターネットの攻防における最先端技術の一つとなっており、TeamT5は、台湾において世界トップクラスの脆弱性研究者がますます多くなることを目指し、より多くの人材を育成するためにリソースを投入しています。当社は、勇気を持って未知の挑戦に立ち向かい、脆弱性の研究や発見という目標に向かって力を注ぐ独自の研究能力を備えた人々の参加をお待ちしています。 🤝

### 参考文献
- https://wiki.mikrotik.com/wiki/Manual:System/Certificates
- https://en.wikipedia.org/wiki/Base64

*画像のソース: Pixabay

Black Hat’s Talk: D39 Shares Their Research on Breaking Samsung Secure Boot at Black Hat USA 2020

About D39's Vulnerability Research Finding

About Black Hat

Related Post

【Cybernews 專訪】TeamT5 執行長蔡松廷表示企業不宜宣稱自身100%不會被駭入

[BlackHat Asia] TeamT5 研究員登上亞洲黑帽安全大會

TeamT5 於 CTI Summit 2022 分享最新威脅情資研究

Mikrotik 漏洞揭露與通報 (CVE-2021-41987)