Gone Calishing: A Red Team Approach to Weaponizing Google Calendar and How to Stop It.
11-09, 11:00–11:25 (US/Pacific), Red Day

On Halloween, October 31, 2018, 2 Black Hills Security Researchers, Beau Bullock and Michael Felch disclosed, step-by-step to Google how anyone with a gmail account could add an event, as "accepted" to any Google Calendar via the Google Calendar API. Google called it a feature. Why, a year later is this not fixed? This talk will demonstrate how this "calishing" attack can be utilized in a Red Team operation where the target organization uses G-Suite. I will demonstrate this by leveraging an open source python tool that I have developed, G-Calisher, based on Beau Bullock's and Michael Felch's PowerShell module "Invoke-InjectGEventAPI" from their MailSniper tool. I will lead the audience through the entire kill chain from recon (How to determine if an organization is using G-suite for its email) through Command and Control. I will also discuss how the organization can stop this attack.


Outline:
I. Intro
II. What is “Calishing?”
III. Why Is This Talk Relevant to Red (and Blue) Teamers?
IV. Step-by-step Attack
a. Recon
b. Creating a new google account
c. Getting an API key
d. Calishing using my G-Calisher python tool
e. Command and Control (C2)
V. How do we stop this?
VI. Q&A

See also: Presentation Slides (13.5 MB)

Antonio Piazza, hailing from Austin, TX. USA, is an Offensive Security Engineer on the Box Red Team. Following his stint as a US Army Human Intelligence Collector he worked as a Defense contractor/operator on an NSA Red Team so he is intimately familiar with spies, hacking, and everything nerdy. Antonio is passionate about all things related to MacOS security and thus spends his days researching MacOS internals and security as well as writing free, open-source security tools to help protect Mac users.

This speaker also appears in: