Dr. Jinpeng Wei is an Associate Professor in the Department of Software and Information Systems at UNC Charlotte. His research focuses on theory, methods, and tools that enhance the security of widely used systems software across a broad spectrum of computer systems, from OS kernels to file systems to cloud platforms. He has worked on several important topics, including active cyber defense, malware analysis, cyber threat hunting, cloud computing security, and systems software vulnerabilities. He is the winner of three best paper awards and the AFRL Visiting Faculty Research Program award. He has published in premier venues such as ACSAC, Computers & Security, DSN, ESORICS, ICDCS, IPDPS, USENIX Security, and USENIX ATC. His research has been supported by multiple agencies, including ARO, AFRL, DHS, DOD, NSA, NSF, ONR, and industry.
Title: ShadowMove: A Stealthy Lateral Movement Strategy
Abstract: Advanced Persistent Threat (APT) attacks use various strategies and techniques to move laterally within an enterprise environment; however, the existing strategies and techniques have limitations such as requiring elevated permissions, creating new connections, performing new authentications, or requiring process injection. Based on these characteristics, many host- and network-based solutions have been proposed to prevent or detect such lateral movement attempts. In this talk, I will present a novel stealthy lateral movement strategy, ShadowMove, in which only already-established connections between systems in an enterprise network are misused for lateral movement. It has a set of unique features, namely requiring no elevated privilege, no new connection, no extra authentication, and no process injection, which makes it stealthy against state-of-the-art detection mechanisms. ShadowMove is enabled by a novel socket duplication approach that allows a malicious process to silently abuse TCP connections established by benign processes: the malicious process obtains its own handle to a socket the benign process opened, so traffic it injects leaves the host over a connection that was legitimately authenticated and whose endpoints, ports, and owning process all look normal to a monitor. We design and implement ShadowMove for current Windows and Linux operating systems. To validate the feasibility of ShadowMove, we build several prototypes that successfully hijack three kinds of enterprise protocols, FTP, Microsoft SQL, and Windows Remote Management, to perform lateral movement actions such as copying malware to the next target machine and launching it there. We also confirm that our prototypes are not detected by existing host- and network-based solutions, including five top-tier anti-virus products (McAfee, Norton, Webroot, Bitdefender, and Windows Defender), four IDSes (Snort, OSSEC, Osquery, and Wazuh), and two Endpoint Detection and Response systems (CrowdStrike Falcon Prevent and Cisco AMP).
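The one host-level artifact the socket duplication described above necessarily leaves is that a single established TCP socket is referenced from two processes' descriptor tables. The script below is an added example written for this page, not code from the ShadowMove paper or its prototypes, and it is a detection heuristic rather than a reproduction of the attack. It assumes Linux procfs semantics: /proc/net/tcp lists each socket once with its inode number, and every /proc/<pid>/fd/<n> symlink for a socket reads "socket:[<inode>]", so a duplicated socket shows the same inode under two PIDs. The embedded /proc/net/tcp excerpt and fd tables are constructed sample data; the inode numbers, PIDs and the 10.0.0.5:1433 endpoint are invented for the demonstration.

```python
"""Flag established TCP sockets that are referenced by more than one process.

Added example for this page (not from the ShadowMove paper). Assumes Linux
procfs layout: /proc/net/tcp rows carry the socket inode in column 10, and
/proc/<pid>/fd/* symlinks read "socket:[<inode>]". Pre-fork servers and
SCM_RIGHTS descriptor passing share sockets legitimately, so hits are leads
to triage, not verdicts.
"""
import os
import re
from collections import defaultdict

TCP_ESTABLISHED = "01"  # value of the 'st' column in /proc/net/tcp


def hex_addr(s):
    """'0100007F:1F90' (little-endian hex IPv4, hex port) -> '127.0.0.1:8080'."""
    ip_hex, port_hex = s.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return "%s:%d" % (".".join(octets), int(port_hex, 16))


def parse_proc_net_tcp(text):
    """Return {inode: (local, remote)} for ESTABLISHED rows of /proc/net/tcp."""
    sockets = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, remote, state, inode = fields[1], fields[2], fields[3], fields[9]
        if state == TCP_ESTABLISHED and inode != "0":
            sockets[inode] = (hex_addr(local), hex_addr(remote))
    return sockets


def socket_inodes(fd_links):
    """{pid: [readlink targets of /proc/pid/fd/*]} -> {inode: set(pids)}."""
    owners = defaultdict(set)
    pat = re.compile(r"^socket:\[(\d+)\]$")
    for pid, targets in fd_links.items():
        for target in targets:
            m = pat.match(target)
            if m:
                owners[m.group(1)].add(pid)
    return owners


def shared_connections(sockets, owners):
    """[(local, remote, sorted pids)] for established sockets held by >1 process."""
    hits = []
    for inode, (local, remote) in sockets.items():
        pids = owners.get(inode, set())
        if len(pids) > 1:
            hits.append((local, remote, sorted(pids)))
    return sorted(hits)


def read_fd_links():
    """Walk /proc/*/fd on a live Linux host; PIDs we may not inspect are skipped."""
    links = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = "/proc/%s/fd" % pid
        try:
            links[int(pid)] = [os.readlink(os.path.join(fd_dir, fd))
                               for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited, or not our user and no CAP_SYS_PTRACE
    return links


# Constructed sample (not real capture): inode 12345 is a connection from
# 127.0.0.1:51000 to 10.0.0.5:1433 (MSSQL) opened by pid 4242 and also present
# in pid 9999's descriptor table, i.e. the duplication signature. Inode 11111 is
# an ordinary LISTEN socket and must not be reported.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:C738 0500000A:0599 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_FDS = {
    4242: ["/dev/null", "socket:[12345]", "pipe:[777]"],
    9999: ["/dev/null", "socket:[12345]"],
    1: ["socket:[11111]"],
}


def demo():
    """Run the check over the constructed sample data."""
    return shared_connections(parse_proc_net_tcp(SAMPLE_TCP), socket_inodes(SAMPLE_FDS))


if __name__ == "__main__":
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as f:
            hits = shared_connections(parse_proc_net_tcp(f.read()), socket_inodes(read_fd_links()))
    else:
        hits = demo()
    for local, remote, pids in hits:
        print("%s -> %s held by pids %s" % (local, remote, pids))
```

Run it as the same user as the processes you want to inspect, or as root, since /proc/<pid>/fd is only readable by the owner (and ptrace-capable users). Correlate a hit with process ancestry: the same inode under a parent and its forked child is expected, whereas an established outbound MSSQL, FTP or WinRM connection showing up in an unrelated process is exactly the situation the abstract describes. Note that IPv6 sockets live in /proc/net/tcp6 with 32-hex-digit addresses and would need a second parser.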