In the last few years, a slew of high-profile, critical remote code execution vulnerabilities have been found, disclosed and then promptly exploited en-masse against the category of networking hardware known as load balancers. They run at the borders and cores of most cell carriers, banks, Fortune 500 companies, ISPs, cloud providers and have been specifically targeted by the threat actor UNC3524.
Since many of these devices function not only to balance traffic, but as VPN concentrators, WAFs and SSL proxies, they are generally installed in high-access parts of the network. Due to their mission criticality, they also frequently run outdated vendor code and, even worse, the Linux/BSD based operating systems they use are generally numerous versions behind current and due to the proprietary nature of their code, one does not simply ‘apt get upgrade -y’. Since they all run Linux/BSD as the management OS, once you’ve breached one with an ‘exploit that fits in a tweet’ the environment is ripe for lateral movement, persistence and further exploitation using commonly available open source tools.
In this talk, I will lean on a decade of experience working for one of the most prominent load balancing vendors and teach you the architecture, how the devices operate, how they’re deployed, what their management plane looks like and the access it affords you post-breach. You will learn how to avoid common mistakes which can interrupt traffic processing, trigger device failures and otherwise give away your presence on the system and I’ll show you multiple, vendor supported, ways which allow implants to persist beyond both reboots & upgrades.
While this talk is primary aimed at offensive operations, the information provided can also be leveraged by defenders to harden their environments and provide guidance on DFIR operations post-breach.
Speaker: Nate Warfield
Nate has been hacking networks since he got his first 2400 baud modem. After his first hack of a dial-up BBS at 12, he was hooked and over the following 25 years he sharpened his skills through jobs in network engineering, vulnerability response, endpoint research and side projects - hacking phones & researching network attack surface. After shipping the MS17-010, Spectre/Meltdown and Bluekeep patches in his 4.5yr tenure at the Microsoft Security Response Center, he is currently Director of Threat Research & Intelligence for Eclypsium. He was featured in WIRED magazines’ “25 people doing good in 2020” for his role in starting CTI League, a volunteer group of InfoSec professions who provided threat intelligence to hospitals during COVID-19 and has presented his research at conferences worldwide.