Matthieu Faou Senior Malware Researcher, ESET
Matthieu Faou is a senior malware researcher at ESET where he specializes in researching targeted attacks. His main duties include threat hunting and reverse engineering of APTs. He finished his Master’s degree in computer science at École Polytechnique de Montréal and at École des Mines de Nancy in 2016. In the past, he has spoken at multiple conferences including Black Hat USA, BlueHat, Botconf, CYBERWARCON, NorthSec and Virus Bulletin.
Talk: Weaponizing XSS: Cyberespionage tactics in webmail exploitation
Talks will be streamed on YouTube and Twitch for free.
Cross-site scripting (XSS) vulnerabilities allow attackers to inject malicious script code into legitimate web pages. Identifying XSS vulnerabilities is a typical pentesting exercise, as they are commonly found in web applications that use user-provided, including attacker-controlled, data as output. The theory is well understood, but what do real-world attacks look like?
Our research team at ESET has spent the last two years investigating the exploitation of XSS vulnerabilities in webmail portals. These portals are particularly vulnerable: their main purpose is to display untrusted HTML content, in the form of email messages, in the context of their web applications, which run in their users’ web browsers. During our research, we discovered two zero-day vulnerabilities, one each in Roundcube and MDaemon, and identified the use of multiple N-day vulnerabilities in Roundcube, Zimbra, and Horde.
Our presentation showcases the webmail vulnerabilities we uncovered, and provides a detailed analysis of the exploits and JavaScript payloads used by three cyberespionage groups: Russia-aligned Sednit and GreenCube, and Belarus-aligned Winter Vivern. We demonstrate how these groups leveraged XSS vulnerabilities to steal email messages from government officials and other high-value targets.