Lessons Learned from Changes in Activities Related to Amadey Malware
Abstract
It is crucial to understand malware behaviour and C2 server activity in terms of taking cyber security countermeasure. While investigations into malware behaviour and micro-perspective attack trends over a short period of time have been conducted by security researchers, few studies mention the actual activity of C2 servers over a period of one year or more. This is because the communication between malware and the servers may change with malware version updates and encryption makes it difficult to figure out the content of communication. Nevertheless, understanding long-term trends of malware is useful for preparing security countermeasures. The more information we gather on different types of malware, the more extensive measures we can take.
The presentation shows Amadey malware’s long-term activity trends by implementing an emulator that replicates its communications with C2 and analysing the responses. Starting in October 2019, the speaker collected data from emulators implemented in a total of 511 Amadey C2 servers over a period of approximately 47 months, and he obtained 4,885 unique additional payloads distributed using this malware. Although there was no outstanding activity when Amadey first emerged, the analysis reveals that from the second half of 2022, there have been sharp rises in the use of Amadey and in the number of additional payloads distributed at the same time. This result suggests malware that was not noticeably active when it first emerged can become a threat that cannot be ignored over the course of several years. The presentation also covers trends in the additional payloads’ distribution, the domains used for storing payloads, and the association with other malware families.
Speaker
Masaki Kasuya
NSPX30: a Sophisticated AitM-Enabled Implant Evolving Since 2005
Abstract
In 2020, we detected a surge of malicious activity on a targeted system located in China, it had become what we commonly refer to as a “magnet of threats” when attackers attempted to use four different toolkits to compromise this system. This resulted in the discovery of a sophisticated implant we named NSPX30, which it turns out has been evolving since 2005. We attribute NSPX30 to a China-aligned threat actor, which we named Blackwood, that targets Japanese and Chinese companies and individuals.
NSPX30’s initial dropper is delivered to its victims through software updates, and deploys several components on the machine: multiple loaders, an installer, and an orchestrator that downloads the backdoor. Both of the latter are modular, loading plugins designed to spy on its victims.
In this presentation, we will dive into the technical details of the NSPX30 implant, from the attacker’s network capabilities to compromise their victims through AitM to how NSPX30’s orchestrator and backdoor use those capabilities to download components using HTTP requests to Baidu, a legitimate Chinese search engine and software provider. We will analyze the passive backdoor, and how it exfiltrates collected data in DNS requests that are intercepted and sent to attacker-controlled servers.
Speaker
Facundo Munoz
Email Breach Analysis and Response Tips to Eliminate Risks
Abstract
Multi-factor authentication is becoming increasingly popular as a response to Business Email Compromise (BEC), causing financial damage worldwide. However, as attackers have updated their methods of evading the authentication, a growing number of accounts have been compromised by adversary-in-the-middle (AiTM) attacks since around 2021.
Recommendations and defensive countermeasures against these attacks have not been compiled yet, and practitioners spend a large amount of time in log investigation and response to these incidents. An inadequate response may even increase the damage by failing to remove the risks caused by the breaches.
In this presentation, based on the analysis of actual incidents caused by AiTM attacks on Microsoft 365 environments, the traces of attackers and the tips for response will be summarised and shared. This will contribute to improving response efficiency and reducing any remaining risks.
Speaker
Yumi Iida
Operation So-seki: You Are a Threat Actor. As Yet You Have No Name.
Abstract
This presentation shares the findings and learnings on how to deal with a certain pro-Russian hacktivist group, tentatively called X. Since it became active in 2022, X has launched DDoS attacks which target countries around the world. In Japan, organisations related to critical infrastructure have also been targeted, such as railways, finance, government, and administrative services. We have been tracking the DDoS attacks by X for nearly a year and carrying out “Operation So-seki” to alert and provide knowledge to the targeted organisations.
The contributions of this presentation are as follows:
1. Information gathering/analysis/observation from multiple perspectives over a long period of time.
We gathered, analysed and tracked information on X from several aspects.
- Messages on Telegram
- C2 information (DDoS target information)
- Flow information
Based on the cross-analysis on the above information, the session presents our observations about the operators behind the X and DDoS countermeasure techniques.
2. Latest IoCs and tracking methods
X changes the internal structure of the tools and C2 infrastructure each time when a detailed analysis report is published by a security organisation, and the latest status of the infrastructure is not publicly available. This presentation shares unpublished IoC information on the C2 infrastructure at the time of writing this session outline, as well as methods for identifying C2 servers in consideration of OPSEC.
3. Observations about responses to hacktivists
During our long-term activities, we observed many cases where information sharing activities in media reports and social media were used for propaganda, encouraging X to launch more attacks and change the TTPs. We summerise the advantages and disadvantages of disclosing and sharing information and its significance.
In view of the potential negative consequences related to the release of the hacktivist information, the actor’s name will not be mentioned here. The contents will only be available to the attendees.
Speaker
Ryo Minakawa
Atsushi Kanda
Kaichi Sameshima
ESXi: Detect the Future A0acker’s Playground at Ring -1
Abstract
According to VMware, the ESXi Hypervisor, which consists of the vmkernel operating system with the selected Busybox utilities, is secured by design and has a “share nothing” approach for using the virtualization technology. The wide range of Hypervisor usage from hosting enterprise infrastructure has made the system a lucrative target for threat actors. Recently many cybercriminal groups, including the latest Abyss Locker, launched ransomware campaigns targeting this VMWare’s proprietary Hypervisor. On the other hand, Mandiant discovered that APT actors used stealthy techniques to gain critical information and privilege credentials by targeting high-value guest virtual machines (VMs). The defenders are neither provided a defensive solution (such as endpoint detection and response or EDR) nor equipped with sufficient internal knowledge of the vmkernel to protect the Hypervisor. While most systems administrators deploy their ESXi hosts behind a firewall, some leave the VMware vCenter (the server management components for all connected ESXi hosts) exposed to the Internet. Other administrators found securing the credentials and changing the root password unnecessary after the system installation. We as systems administrators talk ourselves into believing the misconception is that this proprietary commercial bare-metal hypervisor is self-protected because no one knows how it works. This presentation explores the detection opportunities and demonstrates the possibilities of developing a live-forensic script to collect relevant artifacts for an incident response investigating similar attacks. Based on past attacks, we discovered more interesting offensive use cases on the Hypervisor. Additionally, we identified bigger risks because sophisticated attackers can implant malware with stealthy techniques on the guest VMs, create untraceable backdoors on the Hypervisor, and even harvest credentials from a Windows domain controller running as a guest VM. If an organization heavily utilizes VMWare ESXi to host server infrastructure with thousands of VMs discovered of a dormant backdoor (e.g. a named pipe created by a piece of Python code once used by ransomware operators), defenders do not just presume that it was only a mistake caused by a previous in-experience systems administrator as huge threat is imminent meaning threat actors may have gained controls of your infrastructure.
Speaker
Frankie Li
Michael Ching
Victor Chan
Lazarus Group's Large-scale Threats via WateringHole and Financial Software
Abstract
The Lazarus Group is one of the major threat actors targeting South Korea. In this announcement, we will cover the activities of Lazarus Group's threat campaigns in South Korea from 2023.
We investigated the campaign by examining over 60 companies and more than 200 hosts in Korea to identify the threat actors' TTPs.
This campaign was carried out through a large-scale infection method using vulnerabilities in financial security solutions and watering hole techniques.
In this announcement, we will provide more detailed information and TTPs to trace and respond to the threat actors involved in the "large-scale infection campaign using vulnerabilities in financial security solutions and watering hole techniques" campaign conducted by Lazarus Group.
we will be presenting based on case studies with a focus on the remaining artifacts from attacks. Additionally, we will introduce common attack techniques observed when the Lazarus Group has targeted South Korea from the past to the present.
Speaker
Dongwook Kim
Seulgi Lee
The Secret Life of RATs: Connecting the Dots by Dissecting Multiple Backdoors
Abstract
TBA
Speaker
TBA
Unveiling TeleBoyi: Chinese APT Group Targeting Critical Infrastructure Worldwide
Abstract
Cyberattacks on critical infrastructure have increased in recent years, posing a significant threat to the stability and security of the affected nations. In this presentation, TeamT5 will introduce TeleBoyi, a Chinese-nexus APT that has not been disclosed previously. Based on our research findings, TeleBoyi shows a strong preference for targeting critical infrastructure, with a particular focus on the telecommunication sectors. The group has been active since at least 2014 and is currently still active. Their scope of targeting extends across numerous countries worldwide, including APAC, Americas, and Europe. Our presentation will cover TeleBoyi’s Tactic Techniques and Procedures (TTPs) including their new weapons such as DoubleShell, TripleZero, and FakeWorker. Moreover, we will discuss overlapping TTPs with other notorious APT groups including Amoeba (APT41), DirtyFuxi (Earth Berberoka), and FamousSparrow. As the activities by TeleBoyi have not yet been documented, we believe the techniques and tactics disclosed in this presentation can help blue teams prevent, detect, and respond to Teleboyi's attacks more efficiently and effectively.
Speaker
Yi-Chin Chuang
Yu-Tung Chang
Threat Intelligence of Abused Public Post-Exploitation Frameworks
Abstract
Post-Exploitation Frameworks are used by attackers to continue their activities after compromising a target environment. Several of them are available on the Internet through GitHub and other sources. As they are readily available with no financial cost, many cases of exploitation by attackers have been reported.
The analysis of the frameworks brings more accurate threat intelligence including file paths and task names during persistence, protocols used for C&C communication, etc. Some findings have already been reported, and security analysts can use them for incident investigation and attack detection. However, these studies often do not reflect updates on the framework.
The IIJ SOC defined Post-Exploitation Frameworks that fulfil the following conditions as potentially exploitable and analysed the source code of each framework's functions and indicators.
- Exploitation for attacks has been reported.
- At least five of the “Tactics” in MITRE ATT&CK apply to its function.
In this presentation, the following items will be presented.
- Functionality of the Post-Exploitation Framework
- Indicators obtained from the analysis
- Use case of indicators for incident investigations
Speaker
Masafumi Takeda
Tomoya Furukawa
Title
Abstract
TBA
Speaker
TBA
Deception-Based Approach to Phishing Sites
Abstract
The number of phishing sites has been increasing rapidly in recent years. Attackers' main target is the “seeds of gold” such as credit card information or online account credentials.
There are two common approaches to responding to phishing sites.
1. Takedown
2. User awareness raising
That said, whether a phishing site can be taken offline depends on each operator, and it can be limited by the attacker’s choice of infrastructure. Raising awareness among users is not something that can be done overnight.
As the endless takedowns are somewhat discouraging, the speakers investigated what could be done other than the above and tried a deception-based approach. In this presentation, speakers describe the approach to phishing sites created by two attack groups. It also presents the problems and countermeasures during the work.
Speaker
Yuji Ino
Masaki Yoshikawa
Title
Abstract
TBA
Speaker
TBA
Introduction to Investigation of Unauthorised Access to Cloud
Abstract
Public cloud is now becoming an essential part of the enterprise and rapidly gaining popularity both in Japan and the world. Compared to a traditional on-premise environment, it enables immediate securing of resource, rapid development and deployment, as well as efficient system operation by increasing or decreasing resources according to demand. However, a number of incidents related to this relatively new technology occur frequently due to its quick and easy implementation and a lack of user knowledge and awareness of its security.
Since it differs from traditional on-premise technologies in basic elements such as access control and log formats, specific security measures are required. To establish truly effective security, we believe it is important to learn about the way the cloud works and the threats it faces. This should be done before considering solutions such as those offered by vendors. This workshop is based on an actual security incident, explaining the cloud mechanism and attack methods against the cloud, as well as a hands-on log investigation. The goal of the session is to provide a foundation for learning more about cloud security.
Speaker
Hayate Hazuru
Norihide Saito
Daisuke Miyashita
Takahiro Yamamoto
Requirements
- Analysis Machine
- VM
Advance Preparation
- TBA
Skills
- TBA
Investigation Techniques and Practice on External Attack Surface
Abstract
This workshop is a lecture and hands-on training to learn the techniques for EASM (External Attack Surface Management). EASM refers to efforts to understand and manage externally exposed network appliances, servers, and other assets, which have been often the starting point for breaches, particularly ransomware attacks and other cyber crimes recently.
This workshop explains why EASM is necessary, what kind of servers are frequently targeted and exploited recently, and then shares an EASM investigation technique to comprehensively identify the most important assets for an organization that are exposed to the public.
The workshop also introduces perspectives on risk assessment after assets are identified, efficient risk investigation methods, and how to determine whether or not critical vulnerabilities exist. Unfortunately, many vulnerability scanners have been unable to identify vulnerabilities in network appliances such as VPN products except credential scans. However, depending on the products, vulnerabilities can sometimes be identified through referring to a specific part of the server response to infer the server's version information, and this technique is also introduced.
In the hands-on session, participants can actually use the investigation techniques to search for assets of a specific organization and conduct a risk assessment. Participants will also work on tasks to check their understanding, and thus those new to the field can learn and understand the workshop.
Participants in this workshop will eventually be able to identify the External Attack Surfaces of their organizations, domestic and international branches, and affiliates, and then implement countermeasures against those risks, which improves the security and governance of their own organizations or group companies.
Speaker
Kenzo Masamoto
Takeya Yamazaki
Yutaka Sejiyama
Takeshi Teshigawara
Requirements
- TBA
Advance Preparation
- TBA
Skills
- TBA
Title
Abstract
TBA
Speaker
TBA
Requirements
- TBA
Advance Preparation
- TBA
Skills
- TBA
Dongwook Kim
KRCERT/CC
Dongwook Kim have been working for KRCERT/CC since 2013 as Computer Incident Analyst. He has a lot of experiences related to internet security incident response(Supply Chain Attacks, cryptocurrency exchange hacking and so on). Recently, He is tracking and analyzing specific hacking group targeting Korea.
Seulgi Lee
KRCERT/CC
Seulgi Lee is currently a malware analyst at Korea Internet & Security Agency. He carried out research into cyber security such as cyber threat intelligence, SIEM for 7 years from 2012 in the R&D department. After moving to KrCERT/CC position, He has been analyzing threats targeting Korea and sharing insights based on the results to prevent the infringement cases and minimize the damage in Korea.
Facundo Munoz
ESET
Facundo Munoz is a malware researcher, working for ESET since 2021. Facundo focuses on hunting and analyzing advanced persistent threat malware from China-aligned threat actors, and writing reports for ESET’s threat intelligence services. Facundo has presented at conferences such as BotConf and NorthSec.
Kenzo Masamoto
Macnica, Inc.
Kenzo is the head of Macnica, Inc.'s Security Research Center. He has been researching cyber attack and countermeasures since 2013, with experience in IDS/IPS, WAF, Sandbox, EDR, and other security products. He has been interested in security since he saw cyber crimes during the time of Win95.
Takeya Yamazaki
Macnica, Inc.
Takeya is a researcher at Macnica, Inc.'s Security Research Center. He used to be a product manager for DDoS attack and targeted attack countermeasures and security evangelist. Currently, he develops and provides original services for Attack Surface Management and cyber defense competitions. He is the organizer of the security study group "Hamasec" an organizer of Mini Hardening, and a lecturer at Security Camp 2023.
Yutaka Sejiyama
Macnica, Inc.
Yutaka is a researcher at Macnica, Inc.'s Security Research Center. He focuses on researching threats related to ransomware and vulnerabilities and spreading information on cyber security countermeasures through Attack Surface Management to reduce the number of cyber-attacks against Japanese companies as much as possible. His daily routine includes checking vulnerability information published and investigating servers by OSINT, frequently using Shodan. His X account is @nekono_nanomotoni.
Takeshi Teshigawara
Macnica, Inc.
Takeshi is a researcher at Macnica, Inc.'s Security Research Center. He is involved in a variety of activities, including providing and developing Attack Surface Management services, researching new products, and giving presentations. His primary focus for the Attack Surface Management Service is researching information that uniquely identifies the product and its version.
Masafumi Takeda
Internet Initiative Japan Inc.
Masafumi is a malware analyst at SOC in Internet Initiative Japan Inc. since 2018. He has experience in building and operating SOC infrastructure and EDR verification.
Tomoya Furukawa
Internet Initiative Japan Inc.
Tomoya is a malware analyst at SOC in Internet Initiative Japan Inc. since 2017. He is a SOC expert from management of the SOC detection rule to operation of analysis system infrastructure.
Yi-Chin Chuang
TeamT5
Yi-Chin Chuang is a Threat Intelligence Researcher at TeamT5. She is interested in reverse engineering and malware analysis. Currently, her research focuses on the APT threat in the APAC region.
Yu-Tung Chang
TeamT5
Yu-Tung Chang is a Threat Intelligence Researcher from TeamT5. He is interested in reverse engineering, vulnerability exploiting and malware analysis. He is engaged in network attacks research and rule writing. Currently, his research focuses on cyber threat intelligence in the East Asia region. He has spoken at Code Blue 2022.
Yumi Iida
ITOCHU Cyber & Intelligence Inc.
TBA
Ryo Minakawa
N.F.Laboratories Inc.
Ryo is engaged in threat intelligence generation and malware analysis at NFLabs. He also works with NTT Communications’ NA4Sec project to track targeted attacks and their threat infrastructures. He checks VirusTotal daily to catch and share information on targeted attacks on Japan. He gave a presentation at JSAC2023.
Atsushi Kanda
NTT Communications Corporation
Atsushi has established NA4Sec in NTT Communications Corporation. He leads the team but also works as a researcher with his unique viewpoint as a former network engineer, investigating and analysing the threat infrastructure. He is NTT Group Certified Security Principal.
Kaichi Sameshima
NTT Communications Corporation
Kaichi is a newbie at NTT Communications Corporation. During his time at university, he was involved in research on IoT malware, analysing vulnerabilities exploited by malware and monitoring C&C servers.
Frankie Li
Frankie is an independent researcher specializing in computer forensics and malware analysis. He published a research paper on “Evidence of Advanced Persistent Threat: A Case Study of Malware for political espionage.” His “APT Attribution and DNS Profiling” research was presented at the 2014 US Black Hat conference. He is also a frequent speaker at cybersecurity conferences in the APAC region, such as HTCIA APAC, ISSUMMIT, HITCON, (ISC)2 Security Congress, Cyber Security Consortium, and CyberCrimeCon. He also holds some certifications from the SANS Institute.
Michael Ching
PwC Hong Kong
Michael is a lead of cyber threat operations team with PwC Hong Kong's Dark Lab, with a strong focus in digital forensics and incident response. He takes an important role of assisting enterprises and organisations in their recovery from cyberattacks, utilizing knowledge in both cyber defense and offensive security methodologies. Michael is a proactive leader within the realm of cyber threat operations, conducting research on the tradecraft of threat actors, and combining these field experience from incidents response as well as threat intelligence into valuable insights and enhancements in offensive security, security operations, and cloud technologies within our team.
Victor Chan
Victor is a Dragon Advance Tech Consulting cyber security analyst specializing in Endpoint Detection and DFIR. He has a strong background in the field, demonstrated by completing a research paper with Frankie Li titled 'Collecting Forensic Evidence from SaaS Applications: A Study of Microsoft 365 Forensics'. In his previous assignments, he had helped with a possible APT investigation for an APAC hospitality chain. Victor's passion lies in advanced offensive techniques and knowledge in reversing malware, which enable him to more easily identify the root causes of security incidents from sophisticated attackers. With his expertise and dedication, he consistently strives to enhance security measures and protect against potential threats.
Yuji Ino
Recruit Co.
Yuji joined Recruit Technologies Co.,Ltd in 2016. As a member of Recruit-CSIRT, he leads security incident response in Recruit. In April 2021, he launched the Cybercrime Countermeasures Group, specializing in analysis and investigation of fraudulent credit card use and spoofed logins for the purpose of cybercrime countermeasures. CISSP, GCIH, GCTI, GNFA.
Masaki Yoshikawa
Recruit Co.
Masaki’s current work includes security incident response, monitoring, and threat hunting at Recruit-CSIRT. Before that, he was engaged in vulnerability assessment and penetration test in Recruit Technologies Co.,Ltd.
Masaki Kasuya
BlackBerry Japan
TBA
Hayate Hazuru
ITOCHU Cyber & Intelligence Inc.
Hayate joined ITOCHU Cyber & Intelligence Inc. in 2023. Previously, he worked for a major company's CERT, where he was involved in security product validation, policy development and incident response. Prior to that, he spent five years at a security company in Tokyo developing and operating WAFs and researching attack and defense techniques for web security. He also experienced in system development and operation in his hometown, Nagasaki.
Norihide Saito
Flatt Security Inc.
After graduating in 2020, Norihide joined Flatt Security Inc. He is currently a security engineer, mainly responsible for security diagnostics for web applications and public clouds. He has been involved in development and security since he was a student. He is also active outside the company, such as in ISOG-J WG1 and Security Camp.
Daisuke Miyashita
Sterra Security Co.,Ltd.
Daisuke is engaged in enhancing product security and corporate IT security at Akatsuki Games Inc. He is interested in improving the quality of vulnerability assessments.
Takahiro Yamamoto
ITOCHU Cyber & Intelligence Inc.
Takahiro works as an analyst at ITOCHU Cyber & Intelligence Inc. Previously, he experienced in proposing and building security solutions, as well as researching and validating the solutions for containers and public clouds in a Sier.
Name
Details
Details