Slide 1

Slide 1 text

AI in the Hacking World War
Nestor Angulo @ WC Greece 2021

Slide 2

Slide 2 text

DISCLAIMER
Any sensitive information has been protected or encoded to preserve privacy. Any similarity with reality is just a coincidence. I’m responsible for what I say, not for what you interpret. This talk is intended to be DIDACTIC. I don’t encourage any hacking attempt. Always ask an expert if you have questions.

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

Philosophy applied
“If you know both yourself and your enemy, you can win numerous battles without jeopardy.” - Sun Tzu (The Art of War)

Slide 7

Slide 7 text

Hackers vs Cyberterrorists
Hacker
• Curious person who loves to go beyond limits or conventions.
Cyberterrorist
• Computer hacker, aligned to enrich himself in a zero-sum game situation.
• The bad guy.

Slide 8

Slide 8 text

Computer Hacker Hat Colours
o Black Hat: cyberterrorist, thief
o Grey Hat: a White Hat using illegal procedures
o White Hat: security analyst, ethical hacker

Slide 9

Slide 9 text

Some scary stats
Hackers who write malware number between 300k and 1.5M in the whole world.
There is a hacking attack attempt every 39 seconds.
Russian computer hackers are the fastest.
300,000 new malware samples are created every day.

Slide 10

Slide 10 text

Common targets in a WordPress site
Users
Database
Content
Infrastructure
Botnet
Reputation

Slide 11

Slide 11 text

AI (Artificial Intelligence)
Simulation of human intelligence processes by machines, especially computer systems.

Slide 12

Slide 12 text

The What: AI (Artificial Intelligence)
Buzzword, with lots of sub-fields, approaches, goals and philosophies.
Controversy: what is learning in this context?

Slide 13

Slide 13 text

The How: AI Phases
1. Sense (data)
2. Understand (filter, context)
3. Decide (strategy)
4. Action
5. Learn (KB)

Slide 14

Slide 14 text

Orientations of AI
Assisted Intelligence: improves processes
Augmented Intelligence: enables things that otherwise can’t be done
Autonomous Intelligence: self-driving

Slide 15

Slide 15 text

Subsets of AI
Machine Learning (ML)
• Statistical technique
• Data oriented (rather than explicitly programmed)
• Specific tasks
Deep Learning (DL)
• Part of the ML methods
• Data representations (rather than task-specific algorithms)
Expert Systems (ES)
• Fuzzy logic / rules-based reasoning
• Solve problems within specialized domains
Neural Networks (NN)
• Biologically-inspired
• Observational data

Slide 16

Slide 16 text

Wait, wait…. is there a World War currently happening?

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

The Hacking World War
• Side of the Cyber World War
• Oriented to gain control of systems, websites, databases, infrastructure…
Variety of players (e.g.):
• Individuals / freelancers
• Governments
• Companies
• Activists
Different goals (e.g.):
• Information
• Money
• Industrial interests
• Political interests
• Hacktivism

Slide 20

Slide 20 text

The AI/cybersecurity conundrum
• Cybercriminals also use AI
• The training dependency
• The overfit/bias issue
• Big amount of computing resources needed

Slide 21

Slide 21 text

Some AI use cases in the CWW: Black Hat
GPT-3 / Deep Learning
- Phishing
- Fake news
- Social engineering
Evolutionary Algorithms (EA)
- Cracking passwords / MD5 / hashes
Rule-Based Systems (RBS)
- Auditing
- Expert systems

Slide 22

Slide 22 text

Some AI use cases in the CWW: Black Hat
Generative Adversarial Networks (GAN)
- Deep fakes
- Cracking CAPTCHAs
Neural Networks (NN)
- Image classification
- POI / object identification

Slide 23

Slide 23 text

A (theoretical) Black Hat Hacker journey

Slide 24

Slide 24 text

You got an email…

Slide 25

Slide 25 text

The offer:
• Company wants to ruin a competitor’s innovative product launch day
• Prize: 3 BTC (~26,6k€)
• Specific date
• Specific URL

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

How to ruin a launch campaign? THE PROBLEM

Slide 28

Slide 28 text

A DDoS attack! THE SOLUTION

Slide 29

Slide 29 text

A DDoS attack... Easy Peasy… right? THE SOLUTION

Slide 30

Slide 30 text

No content

Slide 31

Slide 31 text

The Expectations

Slide 32

Slide 32 text

The Reality

Slide 33

Slide 33 text

Uhm… where do I get enough minions now to conduct a DDoS attack?

Slide 34

Slide 34 text

Oh, wait… WordPress is used by 40% of the Internet
Source: https://w3techs.com/

Slide 35

Slide 35 text

Let’s create a botnet of WordPress sites! THE PATH

Slide 36

Slide 36 text

Let’s create a botnet of WordPress sites! THE PATH

Slide 37

Slide 37 text

OK, OK, but… how do I enroll WordPress sites into my fancy botnet?
THE PROCESS

Slide 38

Slide 38 text

1. Vulnerability
2. Exploit
3. Injection
4. Final code: backdoor; spam / defacement; BotNode code

Slide 39

Slide 39 text

FIRST STEP: The vulnerability
WordPress version distribution – Apr 21

Slide 40

Slide 40 text

Vector of infection stats in WordPress sites

Slide 41

Slide 41 text

WPScan Vulnerability Database (wpscan.com)

Slide 42

Slide 42 text

We need quantity!

Slide 43

Slide 43 text

But how do I find those vulnerable WordPress installations to hack?

Slide 44

Slide 44 text

Spiders & AI THE TOOLS

Slide 45

Slide 45 text

Crawlers / bots / Spiders
• An Internet bot that systematically browses the WWW.
• Starts from a small group of URLs (seeds).
• Collects links, adds them to the queue and visits all of them, recursively.

Slide 46

Slide 46 text

Adding AI to the Spider: 1st approach
1. When links are visited:
   1. Identify whether it is a WordPress site and which version
   2. List the plugins and themes
   3. Compare with the wpvulndb.com database
   4. Try to exploit all the vulnerabilities:
      1. If any of them succeeds, insert a backdoor and add the site to the botnet list
   5. Repeat with the following URL
2. Optionally, store which vulnerabilities are faster to exploit, and prioritise those (save time, optimise processes, less risk of being detected).

Slide 47

Slide 47 text

Adding AI to the Spider: 2nd approach
1. Select 3 vulnerabilities of WordPress and of plugins which have more installations and are more recent
2. Search only for sites with those vulnerabilities (e.g. Google Dorks)
3. When links are visited:
   1. Try to exploit all the vulnerabilities:
      1. If any of them succeeds, insert a backdoor and add the site to the botnet list
   2. Repeat with the following URL
4. Optionally, store which vulnerabilities are faster to exploit, and prioritise those (save time, optimise processes, less risk of being detected)
5. Include new ones in the list if the selected ones are having low success rates
6. Algorithm to find the optimal combination

Slide 48

Slide 48 text

Where to find this kind of tool?
Develop one yourself
Buy one in the Dark Market

Slide 49

Slide 49 text

The Dark Web THE MARKET

Slide 50

Slide 50 text

No content

Slide 51

Slide 51 text

No content

Slide 52

Slide 52 text

Protect yourself
• No footprint browsing
• Anonymous IP
• Secure connections
Tor + VPN

Slide 53

Slide 53 text

No content

Slide 54

Slide 54 text

The conclusion

Slide 55

Slide 55 text

No content

Slide 56

Slide 56 text

No content

Slide 57

Slide 57 text

DDoS attacking

Slide 58

Slide 58 text

No content

Slide 59

Slide 59 text

No content

Slide 60

Slide 60 text

No content

Slide 61

Slide 61 text

Countermeasures

Slide 62

Slide 62 text

Measures: Reactive vs Proactive
Reactive: when bad things have already happened. Pain mitigation.
Proactive: before anything bad happens. Risk mitigation.

Slide 63

Slide 63 text

Reactive measures
Scan your site
• Status: sitecheck.sucuri.net
• Blacklist: virustotal.com
CRC: Check, Remove and Change
• Admins, plugins, themes, passwords…
* webpagetest.org
Update EVERYTHING
• Including server software
Restore a backup
• Possible loss of information
• Possible re-installation of malware
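The "Check" in Check, Remove and Change, and the risk that a restored backup silently brings the malware back, both come down to one question: which files changed since the site was known to be clean? The following is an added example (not part of the talk, and not a WordPress, WPScan or Sucuri tool): it hashes every file under a site tree, stores that baseline, and on a later run reports added, removed and modified files, singling out PHP that appears under uploads/ or inside core directories, where a legitimate update would not put it. The directory layout, file contents and the baseline.json location are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example (not from the talk): a file-integrity baseline for a site tree.
# Paths and contents below are constructed to look like a WordPress install.


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def save_manifest(manifest, target):
    """Persist the baseline; keep this copy off the web server so an intruder cannot edit it."""
    Path(target).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(source):
    return json.loads(Path(source).read_text())


def diff_manifests(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def suspicious(findings):
    """PHP appearing or changing under uploads/ or in core directories is the classic trace of an injected file."""
    watched = ("wp-content/uploads/", "wp-includes/", "wp-admin/")
    return [
        path
        for path in findings["added"] + findings["modified"]
        if path.endswith(".php") and path.startswith(watched)
    ]


def demo():
    """Build a constructed site tree, baseline it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-includes").mkdir(parents=True)
        (site / "wp-content" / "plugins" / "hello-dolly").mkdir(parents=True)
        (site / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '5.7.1';\n")
        (site / "wp-content" / "plugins" / "hello-dolly" / "hello.php").write_text("<?php\n// plugin code\n")
        (site / "index.php").write_text("<?php\nrequire 'wp-blog-header.php';\n")

        # Baseline taken while the site is known to be clean (e.g. right after a fresh update).
        baseline_file = Path(tmp) / "baseline.json"
        save_manifest(snapshot(site), baseline_file)

        # Simulated tampering (constructed, inert text): a new PHP file in uploads/ and an edited core file.
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-content" / "uploads" / "cache.php").write_text("<?php\n// unexpected file\n")
        (site / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '5.7.1';\n// appended line\n")

        findings = diff_manifests(load_manifest(baseline_file), snapshot(site))
        findings["suspicious"] = suspicious(findings)
        return findings


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the baseline on a clean install immediately after updating everything, store the manifest somewhere the web server cannot write, and re-run the diff on a schedule and after every backup restore: a restore that reintroduces a file listed under "suspicious" is exactly the "possible re-installation of malware" case. For core files WP-CLI's `wp core verify-checksums` does the same comparison against the checksums published by WordPress.org; the script above extends the idea to plugins, themes and uploads, which that command does not cover.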

Slide 64

Slide 64 text

Proactive measures
• Reduce admins, plugins and themes
• Strong passwords, changed periodically
• Backups
• Updates
• Invest in hosting & security: WAF (Web Application Firewall)

Slide 65

Slide 65 text

AI against AI - e.g. WAFs
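A WAF rule is the rule-based side of "AI against AI". The spiders of slides 45-47 fingerprint a site by requesting predictable paths (readme.html, /wp-content/plugins/<slug>/..., /wp-content/themes/<slug>/...) and they hit wp-login.php repeatedly when they try credentials, so both behaviours are visible in the access log before any exploit lands. The following is an added example, not code from the talk or from any WAF product: it parses constructed Apache combined-format log lines and, per client IP, slides a time window looking for many distinct plugin/theme slugs probed or a burst of POSTs to the login endpoints. The 60-second window, the thresholds, and every IP, path and user agent in the sample are constructed assumptions to be tuned against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" access-log lines (not from any real server).
# 203.0.113.7 walks plugin/theme directories, 198.51.100.22 is an ordinary visitor,
# 192.0.2.9 fires a burst of login POSTs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2021:12:00:02 +0000] "GET /readme.html HTTP/1.1" 200 7402 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2021:12:00:02 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2021:12:00:03 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2021:12:00:03 +0000] "GET /wp-content/plugins/wordfence/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2021:12:00:04 +0000] "GET /wp-content/plugins/jetpack/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2021:12:00:04 +0000] "GET /wp-content/themes/twentytwenty/style.css HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Apr/2021:12:00:05 +0000] "GET /2021/04/launch-day/ HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Apr/2021:12:00:09 +0000] "GET /wp-content/themes/twentytwenty/style.css HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2021:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "python-requests/2.25"
192.0.2.9 - - [10/Apr/2021:12:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "python-requests/2.25"
192.0.2.9 - - [10/Apr/2021:12:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "python-requests/2.25"
192.0.2.9 - - [10/Apr/2021:12:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "python-requests/2.25"
192.0.2.9 - - [10/Apr/2021:12:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "python-requests/2.25"
192.0.2.9 - - [10/Apr/2021:12:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "python-requests/2.25"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Plugin and theme directories have predictable names, so a scanner enumerates them one slug at a time.
COMPONENT_RE = re.compile(r"^/wp-content/(plugins|themes)/([^/?]+)")
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def component_slug(path):
    """Return the plugin/theme slug a path touches, or None for any other path."""
    m = COMPONENT_RE.match(path)
    return m.group(2) if m else None


def analyse(lines, window_s=60, enum_threshold=4, login_threshold=5):
    """Per client IP, slide a window of window_s seconds and report the peak count for each rule."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        peak_slugs, peak_logins, start = 0, 0, 0
        for end in range(len(events)):
            # Move the window start forward until the window spans at most window_s seconds.
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            slugs = {component_slug(e["path"]) for e in window} - {None}
            logins = sum(1 for e in window if e["method"] == "POST" and e["path"] in LOGIN_PATHS)
            peak_slugs = max(peak_slugs, len(slugs))
            peak_logins = max(peak_logins, logins)
        if peak_slugs >= enum_threshold:
            findings.append({"ip": ip, "rule": "component_enumeration", "count": peak_slugs})
        if peak_logins >= login_threshold:
            findings.append({"ip": ip, "rule": "login_burst", "count": peak_logins})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']:>15}  {f['rule']:<22} peak={f['count']}")
```

Counting distinct slugs rather than raw requests is what separates the scanner from the ordinary visitor: a real browser loads the one theme the site uses over and over, while a fingerprinting spider touches many plugin directories it has no reason to need, most of them returning 404. In production the same two rules map directly onto a WAF rate-limit on the login endpoints and a block or CAPTCHA challenge for clients that exceed the enumeration threshold.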

Slide 66

Slide 66 text

No content

Slide 67

Slide 67 text

THANKS! QUESTIONS!! Nestor Angulo (@pharar)