GhostDNSbusters: Tracking and Responding to a Large Scale DNS Hijacking Campaign
Before 2020 many companies may not have considered a mostly remote workforce when designing networks and network defenses. Similarly, most workers may not have considered the possibility of a “work from home” situation. The vulnerability of home network devices has probably never been more of a threat to information security.
Attackers continue to compromise vulnerable SOHO routers by taking advantage of default or weak user-defined passwords, as well as the use of publicly available exploits.
GhostDNS is a platform developed to help attackers find vulnerable routers and change the DNS settings of those that are exploitable. Most notably, attackers have used GhostDNS to target Brazilian financial institutions and their customers, with 100,000+ routers compromised to date.
In this presentation, we will explain our methodology for hunting for the various elements of GhostDNS infrastructure, share what we have discovered to date and also speak about our efforts to collaborate with a national CSIRT to mitigate this threat.
Business Email Compromise (BEC) is one of the cybercrimes in which very large sums of money can be stolen. According to FBI investigations, losses in the United States are increasing year by year, and last year they were reported to have reached 190 billion yen. For Japanese companies and their overseas offices, although the full picture of the damage is not visible, the losses are estimated to be considerable. Many sophisticated BEC attacks originate from the compromise of a business partner's email account. In other words, even if advanced security measures are implemented in one's own organization, eavesdropping on email content at a business partner enables attackers to mount highly sophisticated social engineering. In this session, we will take up a case of "BEC originating from the compromise of a business partner" that our company actually responded to, and share the attackers' methods and the key points of incident response.
Accelerating the Analysis of Offensive Security Techniques Using DetectionLab
While offensive security professionals enjoy the luxuries of having entire Linux distributions like Kali and endless code repositories dedicated to their craft, incident responders often find themselves building and rebuilding entire lab and malware analysis environments by hand in order to analyze attack techniques. This process is time consuming and repetitive. DetectionLab is an open source project that automates the process of building an Active Directory based lab environment on many different platforms and configures the lab hosts for maximum telemetry collection using tools like Sysmon and osquery. This talk will provide an overview of DetectionLab, show how it can be used to analyze modern attack techniques such as Zerologon, and discuss how it can be used to build detections for new and existing offensive security techniques.
Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation
LuoYu, the eavesdropper sneaking into multiple platforms
We will present our most recent research on a new Chinese APT group, Luoyu, which has not yet been publicly identified as a group. Luoyu is originally a Chinese mythological creature, a fish with wings. The creature can swim in the river and fly in the sky, much like the group, which can intrude into multiple platforms.
We first found attacks from Luoyu against China in 2014 and have kept following the group since. Later, in 2017, we found the group starting to attack Japan, South Korea, and Taiwan. We believe the attacks came from China because the TTPs used were popular among Chinese APT groups. However, instead of attacking government agencies, which are usually Chinese actors' favorite targets, the group aimed at messaging apps. We believe this indicates the group may be trying to censor the people who use these messaging apps.
In this presentation, we seek to shed light on Luoyu's campaigns and provide an analysis of the tools they used. We will provide case studies of their attacks, showing the different TTPs deployed in various attacks. We will also introduce their self-developed malware, ReverseWindow, which has been found on multiple platforms. We hope our findings help related industries develop a better defense against this APT group.
Shuffle the SOC - automating anything, anytime, anywhere
Shuffle is an automation platform for and by security professionals, built to make it easy for anyone to automate their daily tasks. Our primary goal is to elevate the security community as a whole by getting everyone up to the level of the best. This workshop will explore all areas of Shuffle: getting started, collaboration, architecture, app creation, Python migration, how it's built for service providers, and the future of Shuffle.
Stuck doing the same thing day in, day out? Don't know where to focus your attention next? Jumping between 12 different windows during an investigation? Can't enrich your dataset with your new shiny threat intel provider? Are you "collaborating" using Outlook and Excel? Got a customer that doesn't know why they need the shiny new EDR? Did the SOC manager buy a new tool without thinking about integration?
Shuffle fixes all of these issues. You'll be able to automate anything within minutes, rather than days, weeks or months. Our community of automation enthusiasts is a growing, collaborative and helpful bunch: the silent heroes that make everything run smoothly behind the scenes. Join us by taking this four hour crash course in everything security automation!
Level - Beginner to expert
Hardware - A laptop with 10GB+ disk space and 8GB+ RAM
Minimum Software to Install - Linux, MacOS or Windows Subsystem for Linux 2 (WSL2) installed to be able to run Docker
Josh has been a member of Team Cymru’s threat intelligence team for the past 3.5 years, seeking to further the company’s mission of making the Internet a more secure and safe space. Prior to Team Cymru, he spent time working with BAE Systems, as well as 8 years in UK law enforcement.
Manabu works as an engineer at a company in Japan and, in his free time, researches cyber threat topics, mainly focusing on OSINT. He has presented at several security conferences, including HITCON, JSAC, OBTS and Botconf.
Fredrik is a software engineer and entrepreneur with industry experience in DFIR, Automation, Pentesting and Open Source tool creation and collaboration. He started out in an MSSP environment, learning the secrets of the blue team, before quickly moving to a FinTech company to secure their assets from within. With this knowledge he set out on a mission to put all his knowledge to good use by building Shuffle. He's currently residing in Japan, integrating into the culture through language, travel and startups. Get in touch @frikkylikeme
Chris Long is a Senior Security Engineer at Netflix who has been specializing in Detection Engineering for the last decade and is the creator of DetectionLab. Although he's primarily focused on detection, he is an OSCP and OSCE certification holder and does his best to stay up to date with offensive security tooling and techniques. He is passionate about enabling defensive security practitioners to build more effective and robust countermeasures to protect against well known attack vectors.
Works at Cyber Defense Institute, Inc. on malware analysis, incident response, and the collection and analysis of threat intelligence. Has presented at JSAC, HITCON CMT, AVAR, CPRCon, Black Hat EUROPE Arsenal, and CodeBlue BlueBox. Producer of the technical doujin circle Allsafe.
Charles is the chief analyst of TeamT5, where he leads the analyst team for threat intelligence research. He has been studying cyber attacks and campaign tracking for more than 10 years. His research interests include vulnerability research, reverse engineering and APT attacks. He frequently publishes research and gives training courses at security conferences.
Joined Kaspersky in 2008 as a researcher in Japan, responsible for collecting and analyzing threat information and samples from cyberspace, such as malware, spam, and phishing. Later joined Kaspersky Lab's Global Research and Analysis Team as a malware researcher, engaged in investigating the latest threat trends worldwide, including APTs.
Shui is a cyber threat analyst working for TeamT5. Holding a master's degree from Johns Hopkins SAIS, she has a keen eye for international affairs. She mainly works on cyber espionage campaign tracking and is involved in underground market research.
Leon Chang is a cyber threat analyst in the Cyber Threat Intelligence team at TeamT5. His major areas of research include APT campaign tracking and malware analysis. In the past he has participated in information security diagnosis services for government and financial institutions and in research on vulnerabilities in IoT devices.