Full Report
Our BH09/DC17 presentation relied heavily on videos for the demos, and they’ve been blogged separately. Links below (will be made active once the upload is complete): [slides] [SugarSync] [SalesForce Clickjack] [SalesForce Sifto] [Amazon Web Services] [MobileME]
Analysis Summary
Based on the context provided, the article summarizes links to demonstration videos from a BlackHat presentation (BH09/DC17) conducted by SensePost. The content provided **does not detail specific malware families, malware variants, or specific attack tools with their technical specifications or MITRE ATT&CK mappings.** Instead, it lists the *topics* covered in the demonstrations.
Therefore, the summary below reflects the *subjects* of the demonstrations, framed using the required structure, while acknowledging the lack of deep technical details in the source text.
---
# Tool/Technique: SalesForce Clickjack
## Overview
This refers to a demonstration video showcasing a technique related to manipulating or exploiting interfaces within the SalesForce platform, specifically focusing on "clickjacking."
## Technical Details
- Type: Technique (Implied via demo topic)
- Platform: SalesForce Web Application
- Capabilities: Demonstration of exploiting user interface vulnerabilities on SalesForce.
- First Seen: Before August 2009 (BlackHat presentation date).
## MITRE ATT&CK Mapping
*Note: Mapping is based on the general concept of Clickjacking, as specific implementation details are unavailable.*
- [T1518 - Software Discovery] (Potentially relevant if reconnaissance is involved)
- [T1518.001 - Windows System Software Discovery] (Inapplicable - Web)
- [T1538 - Cross-Site Request Forgery] (Often utilized in conjunction with clickjacking)
- [T1538.001 - Cross-Site Request Forgery]
## Functionality
### Core Capabilities
- Exploiting visual elements within the SalesForce application to trick users into performing unintended actions.
### Advanced Features
- Specific advanced features cannot be determined from the high-level summary.
## Indicators of Compromise
- File Hashes: N/A (Demonstration topic)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: User interacting with a manipulated interface element.
## Associated Threat Actors
- Security researchers associated with SensePost (presenters).
## Detection Methods
- No detection method is described; the controls named here are preventive rather than detective: anti-CSRF protection, output encoding, and frame-busting (anti-framing) policies on the target application (SalesForce).
## Mitigation Strategies
- Implementing robust Anti-CSRF tokens.
- Utilizing HTTP response headers like `X-Frame-Options` (DENY or SAMEORIGIN) on the application server.
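Added example (not code from the SensePost post or from the analysis above): a small Python checker that classifies a response's framing protection from its headers. It covers the `X-Frame-Options` values named in the mitigation list and also the CSP `frame-ancestors` directive, which current browsers prefer over `X-Frame-Options` when both are present; that precedence rule is browser behaviour the page does not state. The sample responses, names and values are constructed for the demo, and nothing is fetched over the network.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (header dicts, not real captures) to exercise the checker.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "legacy-app":   {"Content-Type": "text/html"},
    "xfo-deny":     {"content-type": "text/html", "x-frame-options": "deny"},
    "csp-self":     {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "allow-from":   {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

# A bare scheme source such as "https:" lets any origin on that scheme frame the page.
_SCHEME_SOURCE = re.compile(r"[a-z][a-z0-9+.-]*:$")


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_framing_protection(headers: Dict[str, str]) -> Tuple[str, str]:
    """
    Classify one response as 'protected', 'weak' or 'unprotected' against being
    embedded in a frame on another site, with a one-line reason.

    Ordering reflects browser behaviour: when CSP frame-ancestors is present it
    takes precedence and X-Frame-Options is ignored, so a strict X-Frame-Options
    next to a permissive frame-ancestors is still a weak configuration.
    """
    csp = get_header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            if not sources or sources == ["'none'"]:
                return "protected", "CSP frame-ancestors forbids all framing"
            if any(s == "*" or _SCHEME_SOURCE.fullmatch(s) for s in sources):
                return "weak", "CSP frame-ancestors allows any origin to frame the page"
            return "protected", "CSP frame-ancestors restricts framing to an allow-list"

    xfo = get_header(headers, "X-Frame-Options")
    if xfo is None:
        return "unprotected", "no X-Frame-Options and no CSP frame-ancestors"
    value = xfo.upper()
    if value in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options {value}"
    if value.startswith("ALLOW-FROM"):
        return "weak", "X-Frame-Options ALLOW-FROM is deprecated and ignored by current browsers"
    return "unprotected", f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each named response to its verdict, e.g. for a CI check or scanner report."""
    return {name: assess_framing_protection(hdrs)[0] for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        verdict, why = assess_framing_protection(hdrs)
        print(f"{name:13} {verdict:12} {why}")
```

The `csp-wildcard` sample is the case worth remembering: `X-Frame-Options: DENY` looks correct on its own, but a `frame-ancestors *` directive in the same response wins in any browser that supports CSP, so the page is still frameable. Feed real captured headers into `audit()` (or one dict into `assess_framing_protection()`) to get the same verdicts for an application you are reviewing.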
## Related Tools/Techniques
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
---
# Tool/Technique: SalesForce Sifto
## Overview
This refers to a demonstration video related to a technique or tool dubbed "Sifto" as it pertains to the SalesForce platform. "Sifto" might refer to a custom tool or a specific exploitation path within SalesForce.
## Technical Details
- Type: Tool or Custom Technique (Implied via demo topic)
- Platform: SalesForce
- Capabilities: Undetermined, but related to an exploit or information gathering on SalesForce.
- First Seen: Before August 2009.
## MITRE ATT&CK Mapping
*Note: Since "Sifto" is proprietary or custom to the presentation, direct mapping is speculative.*
- [T1016 - System Network Configuration Discovery] (If used to discover internal network structure via SalesForce integrations)
## Functionality
### Core Capabilities
- Specific core capabilities are not provided in the summary.
### Advanced Features
- Specific advanced features are not provided in the summary.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
- Security researchers associated with SensePost (presenters).
## Detection Methods
- Detection methods are unknown without further technical details about the "Sifto" process.
## Mitigation Strategies
- Standard platform hardening for SalesForce environments.
## Related Tools/Techniques
- Generic Web Exploitation Tools.
---
*(Note: For the other listed topics—SugarSync, Amazon Web Services, MobileME—the same informational constraints apply. They represent demonstration subjects rather than detailed malware or tool analyses.)*