Opening talk
Abstract
Introducing the 2021 security incident from the perspective of JPCERT/CC. In addition, we will introduce the highlights of JSAC2022.
Speaker
Takayoshi Shiigi
Slides
Japanese
English
Research on Unique Adversaries and its Attack Tools Targeting Widespread CMS in Japan
Abstract
Web application vulnerabilities leading to remote code execution are frequently targeted by attackers since these are often disclosed to the public and easy to exploit. CVE-2021-20837, the vulnerability in Movable Type (a Contents Management System) published in October 2021 was also commonly exploited by a large number of attackers as arbitrary code can be easily executed on the target host. In the process of monitoring and analysing this vulnerability, the speakers found that several malicious third parties carried out scan or attack soon after the Proof of Concept (PoC) was disclosed. Moreover, they also confirmed characteristic attackers who target hosts running Movable Type to upload a specific WebShell called FoxWSO.
Another noteworthy aspect is that Movable Type is used more concentratedly in Japan than in other regions, which means that the attack using the vulnerability was, in fact, a unique threat to Japan in 2021. This background resulted in the delay in the actions by foreign security vendors and rather urged Japanese local vendors to proactively collect and verify information as well as to alert users and provide measures. The speakers will show the related events with a timeline and highlight the importance of gathering information and taking defensive measures immediately. In addition, a series of IoC used in the attack will be shared.
Speaker
Ryosuke Tsuji
Naoaki Nishibe
Slides
Japanese
ma2tl: macOS Forensics Timeline Generator Using mac_apt Analysis Results
Abstract
mac_apt is one of the open-source software used for macOS forensic analysis. It has more than 40 plugins to analyze various artifacts and enables analysis without mounting the disk image. The software also supports disk images acquired with typical commercial products and provides sufficient functions for practical analysis.
When conducting forensic analysis, it is a common practice to create a timeline of events, such as program execution, obtained from the analysis results of each tool. SQLite database, in which mac_apt stores its analysis results, generates a table for each plugin. Creating a timeline therefore requires referring to a large number of tables. Investigation of Spotlight tables and Unified Logs database is particularly complicated. This is because Spotlight stores a variety of metadata such as files and emails, which inevitably means a large number of columns. Unified Logs, the main logging system on macOS, records tens of millions of lines, and the columns to be filtered vary depending on the purpose of the investigation. Moreover, the logged messages may change in accordance with the version of macOS.
ma2tl (mac_apt to timeline) is a tool that automates such complex tasks of creating a forensic timeline. Using ma2tl, it is possible to output a time series of events (program execution, persistence settings, volume mounts, etc.) that occurred during specific period of time.
This presentation explains the presenter’s motivation behind the creation of the tool and comparison with similar tools, followed by a demonstration of the tool's implementation and functionality.
Speaker
Minoru Kobayashi
Slides
Japanese
English
Combatting against malicious proxy services in Japan
Abstract
Residential IP Proxy (RESIP) is a proxy that provides traffic relay using a host of residential networks. As a countermeasure against cybercrimes such as fraudulent money transfer, unauthorized card use, and spoofed login, it is effective to check the source of accesses based on IP addresses. For domestic services, source IP addresses overseas or from a domestic VPS service can be detected as fraudulent because such accesses are different from those of normal users. However, in recent years, cybercrime via RESIP has become more common in Japan. When a cybercrime occurs, law enforcement agencies obtain a warrant against the ISP for investigation and identify the IP address user. However, they cannot detect the wrongdoer. They only find a malware-infected PC at the address where the RESIP exists and a normal user who has nothing to do with the incident. There is nothing special about the PC unless it is used for criminal activities, and thus it is difficult to grasp the whole picture of RESIPs. A complicated procedure is required to detect a single IP address in each RESIP case.
Therefore, the presenters created a database of IP addresses collected from the RESIP services and provided it on several occasions, and they received feedback from the database users in which IP addresses are strongly linked to criminal activities such as fraudulent money transfer, unauthorized card use, and spoofed logins. This presentation describes the results of the analysis of more than 500,000 pieces of RESIP data, which were collected over a year.
Speaker
Yuji Ino
Slides
Japanese
An Order of Magnitude Update
Abstract
Magnitude Exploit Kit has been frequently observed since around 2012 in specific countries and economies in East Asia, particularly in South Korea. It has been increasingly detected in Japan as well since October 2021, which indicates that the attackers are expanding their target. Magnitude Exploit Kit has been updated three times in 2021 alone and increases the number of vulnerabilities to exploit.
The speakers will begin this presentation by introducing some characteristic updates of Magnitude Exploit Kit observed in 2021 in chronological order. Then, analysis of current attack traffic and ransomware Magniber, which is executed by Magnitude Exploit Kit, will be elaborated. By referring to its source code, the speakers will show the characteristic behaviour of the kit, in particular the part that complicates the analysis and observation. In the end, the instruction on how to detect and research this kit will also be presented. This presentation will facilitate deep understanding of Magnitude Exploit Kit’s latest trends and behaviour so that those who work in SOC, IR, CSIRT, etc. will be able to take effective measures.
Speaker
Rintaro Koike
Hajime Takai
Nobuyuki Amakasu
Slides
Japanese
Emotet vs EmoCheck: The Fight against Emotet Developers
Abstract
Emotet is malware that has evolved from a banking trojan to a malware distribution platform since it first appeared in 2014. Spreading the infection worldwide, including Japan, from the second half of 2019, Emotet has been used as a distribution platform for various kinds of malware such as bots and ransomware, and it caused significant damage. The Emotet botnet was once taken down in January 2021. However, it came back in November 2021 and is about to rage again.
As part of the response to these attacks, JPCERT/CC developed EmoCheck, a tool for detecting Emotet, in February 2020 and released it on GitHub. EmoCheck contains five modules as Emotet evolves, and it can even detect the variant which came back in November 2021. This tool was initially released as OSS to provide all Windows users with a means to check whether their devices are infected with Emotet without relying on existing security products. However, because Emotet developers also could access the source of Emocheck, they quickly took countermeasures, and it resulted in prompting the developers to introduce binary obfuscation methods to Emotet. Due to this experience, the current EmoCheck has obfuscation that is equivalent or even superior to that of Emotet as well as obfuscated detection logic and is released as freeware.
This presentation shows the details of the detection logic implemented in EmoCheck, after explaining the updates of Emotet in its comeback in November 2021. In addition, the method to hide EmoCheck's detection logic is explained in detail. The logic is obfuscated with a C++ compilation tool chain. An example of how attackers obfuscate malware is also introduced. Finally, the presenters’ insights gained through developing an OSS malware detection tool is shared.
Speaker
Tomoaki Tani
Kota Kino
Ken Sajo
Slides
Japanese
Crazy Journey: Evolution of Smoky Camouflage
Abstract
Malsmoke is a Web-based, region-specific attack campaign that uses malvertising as an attack vector. This campaign targets users in specific countries and is becoming more active in Japan. Malsmoke uses social engineering techniques to have their malware executed, and it is rarely detected by anti-virus software because the malware has a valid digital signature. Furthermore, the attack flow and techniques are frequently updated. Several vendors have already released reports on Malsmoke, but each of them only describes a part of the attack campaign and does not accurately capture the whole picture of it. Therefore, the vendors cannot keep up with Malsmoke's frequently changing attack methods.
In the first half of this presentation, the attack flow and infrastructure of Malsmoke is described in detail. First, it describes what kind of attacks are conducted in each attack phase (Malsmoke has multiple attack phases). Then, the roles of the three types of servers used as the attack infrastructure are explained. This shows that Malsmoke is derived from past attack campaigns. The whole picture of the attack and its evolution are also presented. In the second half, the research and hunting methods that the presenters have used over the years to keep track of the attack campaign are shared. In addition, a system that automatically collects C2 server domains for Zloader, which is one of the latest samples of Malsmoke campaign, is introduced. This presentation aims to help deeply understand attacks by Malsmoke and implement practical countermeasures.
Speaker
Ryuichi Tanabe
Yuta Sawabe
Slides
Japanese
LuoYu: Continuous Espionage Activities Targeting Japan with the new version of WinDealer in 2021
Abstract
In 2021, we have focused on a recent campaign by the LuoYu group that compromised the Chinese branches of Japanese companies. Regarding to LuoYu group, three public information are already available from JPCERT/CC, Fortinet and a presentation at JSAC.
Then in our case, the LuoYu group utilized mainly WinDealer malware, as well as we observed approximately 50 samples including a new version of WinDealer and investigated their activities with some new TTPs.
In this presentation, we would like to share case studies with examples of incidents related to Japan and will provide an update of the LuoYu group, a deep analysis of WinDealer. Also we'd like to tell Japanese companies that they need to be aware of these kinds of threats and take countermeasures against this campaign.
Speaker
Leon Chang
Yusuke Niwa
Suguru Ishimaru
Slides
Japanese
English
Ambiguously Black: The Current State of Earth Hundun's Arsenal
Abstract
Earth Hundun (a.k.a. BlackTech) is a threat actor known to primarily target companies and organizations in East Asia, including Japan and Taiwan. The group has been continuously updating its tools. This presentation discusses two Earth Hundun attack operations observed in 2021.
One of them is an operation in which BUSYICE (a.k.a. Flagpro) malware was used. This operation targeted Japanese companies, universities, and government officials. While the operation was previously mentioned by PwC and NTT Security Japan, this presentation focuses on undisclosed malware (TELESWORD/DELTABEEF) and the TTP. In addition, another threat actor Blackgear (a.k.a. Comnie) is discussed since they use the same malware LAMICE for initial penetration.
The other is an operation in which SPIDERPIG malware was used. This operation targeted a number of random users. It was first observed in at least early 2021, when it exploited ProxyLogon, but no connection to Earth Hundun has ever been mentioned. The speakers attribute this operation to Earth Hundun, and the reason is explained in this presentation based on the similarities and common existing infrastructures of the two. This operation is unique in that its target is different from other Earth Hundun operations: it does not seem to be an attack against a specific company or organization because the operation employs intrusion methods such as exploiting vulnerabilities to attack public servers and disguising their malware as legitimate application installers.
This presentation also shares the latest trends of Earth Hundun and discusses the attribution process and its challenges.
Speaker
Hiroaki Hara
Slides
English
What We Can Do against the Chaotic A41APT Campaign
Abstract
The A41APT campaign revealed in JSAC 2021 is considered to be a targeted attack activity that spreads compromise via VPN like intrusive ransomware. This attack activity did not disappear in the second half of 2021. Although it has been observed by several organizations including those in Japan, there is very little information available in public.
Therefore, we decided to compile the information obtained from each company's research and further analyze it from multiple perspectives in order to uncover common and new practices of the campaign as a whole, not as a single incident information. In this presentation, research results on A41APT campaign discovered in 2021 are compared with the TTPs revealed in JSAC 2021, and the details of the changes in the past year are described. The possible attacker image of A41APT is also discussed by comparing the characteristics of several attack groups that have common TTPs, such as APT10 (a.k.a. BRONZE RIVERSIDE) and LockFile. Finally, based on the characteristics in selection of their target and preferred attack methods in attacks in recent years, including A41APT campaign, suggestions on future countermeasures are presented.
Speaker
Hajime Yanagishita
Kiyotaka Tamada
You Nakatsuru
Suguru Ishimaru
Slides
Japanese
English
An Introduction to macOS Forensics with Open Source Software
Abstract
There are only fewer open-source tools available for macOS forensics compared with Windows, but some are practical in the actual analysis. One such tool is mac_apt.
mac_apt is developed as an open-source forensic analysis framework for macOS and enables analysis of various artifacts with more than 40 plugins. With its own file system parsers (HFS+ and APFS), it analyzes disk images without mounting them, regardless of the OS. This user-friendly tool performs an analysis by simply specifying a disk image. Nevertheless, not so much detailed instruction on how to comprehend the analysis results is publicly available. It is therefore especially difficult for beginners of macOS forensics to analyze effectively without prior knowledge of what kind of artifacts exist and how they are stored in the analysis results.
This workshop will begin with explaining the basics of macOS forensics and artifacts and share the know-how with hands-on using the mac_apt analysis result of a disk image created based on a simple scenario of malware infection.
The analysis focuses on Intel macOS as the lecturer does not own a Mac with Apple Silicon, and the malware sample is an Intel binary. However, the knowledge can be applied to Apple Silicon macOS as well.
Speaker
Minoru Kobayashi
Requirements
- A laptop PC
- Virtualization software (VMware Workstation/Fusion, Paralles, etc.)
Advance Preparation
- VM that can run zsh (macOS or Linux)
- jq (https://stedolan.github.io/jq/)
- If you would like to conduct dynamic analysis, install on VM earlier than Intel version macOS 10.15.5. ProcessMonitor, FileMonitor (https://objective-see.com/products/utilities.html)
- DB Browser for SQLite (https://sqlitebrowser.org/)
Skills
- Experienced in basic digital forensics. ※
- Able to install and run OSS Python scripts (including installation of required libraries).
- Able to understand the content of a short script (Shell script, Python script) roughly in a short time.
※ EX: Familiar with the terms used in forensics (e.g. artifacts, persistence). Able to retrieve, mount and unmount disk images. Familiar with basic file system concepts. Able to use tools such as The Sleuth Kit to access files and metadata in a disk image. Able to use analysis tools to analyse disk images and artifacts.
Slides
Japanese
English
Hands-on Data
Data
YARA Pretty Darby: Hunt the Spider like a Champ
Abstract
This workshop is based on the presentation “Ambiguously Black: The Current State of Earth Hundun's Arsenal” on JSAC2022 Day1. Through creating YARA rules to detect malware, participants will learn practical techniques for incident response and malware analysis.
Participants will try creating YARA rules for the malware which was used in the past APT. Beginners are welcome as lecturers will explain how to create rules and use necessary tools. Those who have experience in using Ghidra and analysing malware can work on more advanced tasks.
Participants will repeat applying their own rules on the prepared dataset to check if the malware is detectable by using the rules without false positive or false negative. In the end of the workshop, lecturers will elaborate their rules as an example and explain some key points in creating such rules.
By attending this workshop, participants will learn how to use YARA in incident response and what to focus on in malware analysis from analyst’s viewpoint.
※ Due to the spread of COVID-19, all exercises will be offered ONLINE whether you sign up as an onsite or an online participant.
Speaker
Shota Nakajima
Hiroaki Hara
Kohei Kawabata
Requirements
- A laptop PC with Internet access
Advance Preparation
- Windows OS on virtual environment
- Ghidra 10.1.1 (in the above virtual environment)
Skills
- Participants should attend "Ambiguously Black: The Current State of Earth Hundun's Arsenal" on JSAC2022 Day1.
- Malware analysis or reverse engineering skill is not necessary for this workshop, but experience in handling malware-related incidents is preferred.
Slides
Japanese
Name
Details
Leon Chang
TeamT5
Leon Chang is a cyber threat analyst in the Cyber Threat Intelligence team at TeamT5, his major areas of research include APT campaign tracking, malware analysis. He has participated in information security diagnosis services for government and financial institutions and research on vulnerabilities in IoT devices in the past.
Yusuke Niwa
Itochu Corporation
Yusuke Niwa is a Security Analyst at ITCCERT. At Itochu, he is engaged in ensuring cyber security for the corporation and its group companies, as well as research and analysis of threat trends including email spam, APT, and cybercrime. He was also engaged in security monitoring at his previous job at a security vendor. He presented at JSAC2020 and 2021.
Suguru Ishimaru
Kaspersky
Suguru Ishimaru joined Kaspersky as a Japanese researcher in 2008. He was responsible for collection and analysis of threat information and samples in cyberspace, including malware, spams, and phishing sites. He later joined Kaspersky Lab's Global Research and Analysis Team as a malware researcher and has been engaged in researching the latest threat trends including worldwide APT attacks.
Ryuichi Tanabe
NTT Security Japan
Ryuichi Tanabe is an SOC analyst at NTT Security Japan Corporation and mainly engaged in alert response and malware analysis in EDR. He used to work as a web programmer and changed his job to SOC engineer in 2012. Since then, he has been specializing in SOC-related work. He has spoken at VB, SAS, and CODE BLUE.
Yuta Sawabe
NTT Security Japan
Yuta Sawabe is an SOC analyst at NTT Security Japan Corporation and mainly engaged in log analysis and malware analysis. He used to research on malicious domain names. He was awarded the 2019 Information Processing Society of Japan JIP Special Paper Award.
Hiroaki Hara
Trend Micro Inc.
Hiroaki Hara is a Staff Threat Researcher at Trend Micro, engaged in malware analysis, incident response, and threat research. He is also a member of Allsafe, a technical doujin circle, and has written books including "Practical Guide to Reverse Engineering Tool Ghidra."
Yuji Ino
Recruit Co.
Yuji Ino joined Recruit Technologies in 2016. As a member of Recruit CSIRT, he leads security incident response in Recruit. In April 2021, he launched the Cybercrime Countermeasures Group, specializing in analysis and investigation of fraudulent card use and spoofed logins for the purpose of cybercrime countermeasures. CISSP, GCIH, GCTI, GNFA.
Minoru Kobayashi
Internet Initiative Japan Inc.
Minoru Kobayashi joined IIJ in May 2014 after working for a domestic security startup and a major domestic SI subsidiary company. He has been engaging in incident response and digital forensics as well as helping his fellow employees to improve their technical capabilities. He was a lecturer at the Security Camp National Conference (2017-2019), BlackHat USA Briefings (2018), and a speaker at FIRST TC and JSAC (2018/2020).
Rintaro Koike
NTT Security Japan
Rintaro Koike collects and analyses threat information and conducts malware analysis at NTT Security Japan. He is also a researcher at Team @nao_sec on Twitter. He has presented at JSAC, VB, SCS, and other conferences. A cat lover.
Hajime Takai
NTT Security Japan
Hajime Takai has been providing alert monitoring for security devices and malware analysis as a SOC analyst in NTT Security Japan. He has presented at JSAC and VB before. He likes playing Mahjong.
Nobuyuki Amakasu
NTT Security Japan
Nobuyuki Amakasu has been engaging in log and malware analysis as a SOC analyst at NTT Security Japan since 2018. Before that he was a SE in charge of system development.
Ryosuke Tsuji
LAC Co., Ltd.
Ryosuke Tsuji is a JSOC security analyst at LAC Co., Ltd. He is engaged in real-time security monitoring and incident analysis as well as giving lectures at LAC Security Academy and educational institutions.
Naoaki Nishibe
LAC Co., Ltd.
Naoaki Nishibe is a JSOC security analyst at LAC Co., Ltd. He was in charge of real-time security monitoring and incident analysis. Now he is engaged in verifying vulnerabilities, making custom signature, giving lectures at educational institutions and publishing reports on detection trends provided by JSOC. He has presented at JSAC 2019.
Tomoaki Tani
NTT Social Informatics Laboratories
Tomoaki Tani belongs to the Social Theory Research Project at NTT Social Information Laboratories. He is mainly engaged in research on malware analysis and vulnerability analysis technologies. He previously worked at JPCERT/CC, where he was involved in malware analysis and incident response. He has spoken at Virus Bulletin, CODEBLUE, BotConf, BsidesLV, BlackHat USA Arsenal, etc.
Kota Kino
JPCERT/CC
Kota Kino has been in his current position since 2019, after working for a domestic IT vendor to support the implementation of email security products. He is currently engaged in analysis of various incidents in Japan, including responses to targeted attacks. He has spoken at CODE BLUE, Botconf, etc.
Ken Sajo
JPCERT/CC
Ken Sajo used to be engaged in security monitoring at a financial company, and he is currently engaged in incident response, malware analysis, and threat information analysis. Apart from his mission at JPCERT/CC, he also analyzes and shares informaton on email spams. He is also a JSAC 2020 speaker and JSAC 2021 best speaker.
You Nakatsuru
SecureWorks Japan
As a member of the Counter Threat Unit, a research team at Secureworks, You Nakatsuru conducts research on the latest cyber attacks and is involved in incident response and analysis of related malware.
Kiyotaka Tamada
SecureWorks Japan
At a security vendor, Kiyotaka Tamada was engaged in device investigation, malware analysis, and forensic analysis as a part of the incident response service for companies and government agencies. He has been in his current position since July 2018, and he is engaged in malware analysis and forensic analysis, as well as collecting and analyzing threat information of cyber attacks mainly in Japan.
Hajime Yanagishita
MACNICA, Inc.
Hajime Yanagishita is a member of the Security Research Center. After involved in software development and support, he worked to assist customers in incident response using EDR products. Currently, he is engaged in malware analysis, threat information analysis, and breach investigation services.
Shota Nakajima
Cyber Defense Institute Inc.
Shota Nakajima conducts malware analysis, incident response as well as collecting and analyzing threat information at Cyber Defense Institute Inc. He has presented at JSAC, HITCON, AVAR, CPRCon, Black Hat EUROPE Arsenal and CODE BLUE BlueBox. He has also led some workshops at Security Camp and JSAC.
Kohei Kawabata
Trend Micro Inc.
Kohei Kawabata has been engaged in analysis of malware used in cybercrime and APT as well as vulnerability research at Trend Micro Inc. He presented at RSA Conference Asia Pacific & Japan and private conferences overseas before. He was a lecturer at the Security Camp 2021.