Cybellum - another pseudo security company from Israel

All off-topic discussion goes here.
Post Reply
User avatar
EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Cybellum - another pseudo security company from Israel

Post by EP_X0FF » Thu Mar 23, 2017 3:38 am

We already have SentinelOne (http://www.kernelmode.info/forum/viewto ... =16&t=3388), Cymmetria (http://www.kernelmode.info/forum/viewto ... =16&t=4420) and now brand new company again from Israel joins our elite club.

This time it is not relabeling Urasy/Carberp as NationState APT (SentinelOne) and not hyping on copy-paste from blogs as NationState APT (Cymmetria).
This time it is Cybellum (https://cybellum.com/) and their marketing target is CVEs database.

"Microsoft's 'Application Verifier' bug-finder is easily pwnable", https://www.theregister.co.uk/2017/03/2 ... _problems/

and original source hxxps://cybellum.com/doubleagent-taking-full-control-antivirus/ and hxxps://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/

TL;DR Cybellum discovered Application Verifier (http://www.kernelmode.info/forum/viewto ... =15&t=3418) and immediately labeled it as another unfixable Windows hole.

They even created few CVE entries

Avast (CVE-2017-5567)
AVG (CVE-2017-5566)
Avira (CVE-2017-6417)
Bitdefender (CVE-2017-6186)
Trend Micro (CVE-2017-5565)

"pwning" above with AppVerif dll.

How does their (https://github.com/Cybellum/DoubleAgent) code work? Aside from elite buffer overrun in PATH_Combine it just drop dll to system32 (their application running with full administrator rights) and then register it as Application Verifier dll writing to HKLM IFEO key.

As you can read from their article they think it is something not known and "undocumented". While this feature is not officially documented it is well-known maybe since 2004 year and even MS blogged details about it (see links above).

This is when one facepalm is not enough.

What is Cybellum?

It is a typical Israeli based fake shit.

hxxps://cybellum.com/about/

Just a copy-paste from site.
The Cybellum team is comprised of highly-advanced cyber security experts, with experience in the offensive side of the elite technology unit in the intelligence corps of the Israel Defense Forces. Together they set out to solve one of the most problematic issues in Cybersecurity today from the cybercriminals perspective, The Zero-Day problem.
All four common Israeli fake companies triggers in place.

1) Self-proclaimed experts always unbelieveable advanced -> compare to "elite team" from Sentinel (http://www.kernelmode.info/forum/viewto ... =16&t=3388) and "elite unit, veteran" from Cymmetria (http://www.kernelmode.info/forum/viewto ... =16&t=4420)
2) "Elite", all known Israeli fake companies use this word often. Don't know why, must be sort of inferiority complex. Well you know, elite, 1337, 0days, apt, mom coommmon I want to play in cyber security analyst 10 more minutes.
3) Israel Defense Forces - all three companies especially highlight that they have ex-military staff, like if this make any big deal. Lol and what? Actually this doesn't give you any advantage in anything, only working as PR for imbeciles who are believing you.
4) All three companies offer ultra super-elite-expert prevention/detection product. Trust us, bro, we are elite.

Just to note on future Cybellum discoveries. Windows have plenty of widely not really known features that can be used to inject your code, especially when running as full admin. So I'm enjoying this new pet and awaiting more entertainment from Cybellum.
Ring0 - the source of inspiration

frame4-mdpro
Posts: 40
Joined: Wed Jul 13, 2011 1:53 am

Re: Cybellum - another pseudo security company from Israel

Post by frame4-mdpro » Thu Mar 23, 2017 5:00 am

Heh, agreed -- all valid observations :)

I saw that Alex Ionesco was indicating on Twitter that they ripped off his research from 2015:
hxxps://twitter.com/aionescu/status/844585650238107648

Video here:
hxxps://youtu.be/pHyWyH804xE

And his research/slides are here:
hxxps://github.com/ionescu007/HookingNirvana

p4r4n0id
Posts: 126
Joined: Thu Sep 22, 2011 11:36 am
Location: Israel
Contact:

Re: Cybellum - another pseudo security company from Israel

Post by p4r4n0id » Thu Mar 23, 2017 7:15 am

So "Undocumented" that even Microsoft published about it https://blogs.msdn.microsoft.com/reiley ... -verifier/

:shock:
Keep Low. Move Fast. Kill First. Die Last. One Shot. One Kill. No Luck. Pure Skill.
http://p4r4n0id.com/

User avatar
0b3liks
Posts: 6
Joined: Mon Jun 09, 2014 4:50 am

Re: Cybellum - another pseudo security company from Israel

Post by 0b3liks » Thu Mar 23, 2017 8:04 am

Well indeed not so new, this Russian blog post is already mentioning the issue and it's from 2011...... :shock:
http://kitrap08.blogspot.nl/2011/04/app ... r.html?m=1

Seems to be normal nowadays as a startup that you have to create a lot of noise and
at least mention the name 'elite' somewhere on your webpage.

User avatar
Brock
Posts: 204
Joined: Wed Apr 28, 2010 3:13 am
Location: Valparaiso, Florida USA
Contact:

Re: Cybellum - another pseudo security company from Israel

Post by Brock » Thu Mar 23, 2017 8:28 am

Look at Yang's example hook within his verifier module here https://blogs.msdn.microsoft.com/reiley ... -verifier/ and then at Ionescu's example, 3 years later! https://github.com/ionescu007/HookingNi ... ll/verif.c

Ionescu shouldn't be crying foul on Twitter but instead he should be citing his reference *ahem* especially when the same function is hooked, variable names are virtually identical as well as the procedural layout even :roll:
Accept nothing less than STATUS_SUCCESS

User avatar
EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Re: Cybellum - another pseudo security company from Israel

Post by EP_X0FF » Thu Mar 23, 2017 9:35 am

If we speak about who was the first to publish it, it is dated back to 2004 (source lost) and to 2010 detailed post by Indy Clerk on wasm.ru
Long before Ionescu, MS or TSS blogposts.

hxxps://wasm.in/threads/avrf.25044/#post-297911 (warning untrusthworthy wasm.ru clone, use with caution).

It wasn't new in 2010, not new in 2011 or 2015 or 2017. Cybellum either clinical idiots in their attempt to do hype or their company banned in google.
0b3liks wrote:Well indeed not so new, this Russian blog post is already mentioning the issue and it's from 2011...... :shock:
http://kitrap08.blogspot.nl/2011/04/app ... r.html?m=1

Seems to be normal nowadays as a startup that you have to create a lot of noise and
at least mention the name 'elite' somewhere on your webpage.
Brock wrote:Look at Yang's example hook within his verifier module here https://blogs.msdn.microsoft.com/reiley ... -verifier/ and then at Ionescu's example, 3 years later! https://github.com/ionescu007/HookingNi ... ll/verif.c

Ionescu shouldn't be crying foul on Twitter but instead he should be citing his reference *ahem* especially when the same function is hooked, variable names are virtually identical as well as the procedural layout even :roll:
Ring0 - the source of inspiration

aionescu
Posts: 13
Joined: Sun Aug 14, 2011 1:55 pm

Re: Cybellum - another pseudo security company from Israel

Post by aionescu » Thu Mar 23, 2017 4:15 pm

Brock, I referenced the Microsoft blog post on my Twitter... and the TSS post in my slides.

I didn't know about the wasm.ru post, but it makes sense. I've known about this technique since XP, I'm sure others too. I was calling them out on bullshit of saying it's "new", regardless of where they took it from.

User avatar
Brock
Posts: 204
Joined: Wed Apr 28, 2010 3:13 am
Location: Valparaiso, Florida USA
Contact:

Re: Cybellum - another pseudo security company from Israel

Post by Brock » Thu Mar 23, 2017 8:20 pm

@aionescu,

Yes, Cybellum is a joke. As soon as any of us saw them claiming "0-day" it became a comical matter. A grab your popcorn and soda type of event for the masses in the security industry.
My point about your post is if you've based your Appverifier example on another's work cite the source/reference in your code module as they deserve credit, not a Twitter post well after the fact (years later?). TSS example and your Github code look nothing alike, only the MS example which you apparently forgot to mention during your presentation, I guess. Regardless, nobody will take Cybellum seriously so there's really nothing to argue here. A tech startup securing some funds and wanting to make some waves in PR based on nonsensical statements and buzz words such as "unpatchable", "0-day" etc., jargon and terminology they likely don't understand themselves. Good day
Accept nothing less than STATUS_SUCCESS

dumb110
Posts: 108
Joined: Tue Jun 05, 2012 1:29 pm

Re: Cybellum - another pseudo security company from Israel

Post by dumb110 » Fri Mar 24, 2017 3:16 am

if you look at this "attack", you can see that this is a PR action of another "next-gen" "security" company, they took an idea from a Recon 2015 presentation and turned it into a PR media-hack, the technique they describe is so "undocumented"

if you want to use this "attack", you need to write into a registry key that is write-able only with admin rights, so on modern (non WinXP) systems it means that you have to elevate your code, either with a Local Escalation of Privilege or with a UAC prompt that will be confusing enough to trick the user to click on it

User avatar
Brock
Posts: 204
Joined: Wed Apr 28, 2010 3:13 am
Location: Valparaiso, Florida USA
Contact:

Re: Cybellum - another pseudo security company from Israel

Post by Brock » Fri Mar 24, 2017 3:36 am

They're calling this a post-breach attack. You know, the kind that aren't practical unless your system is actually breached and the compromised user account is in the Administrators group :lol:
Accept nothing less than STATUS_SUCCESS

Post Reply