Analysis on legit tools abused in human operated ransomware
Abstract
In recent targeted ransomware (Human Operated Ransomware) attacks, “legitimate tools*,” which can be used in general IT operations, are exploited in the attack process. This presentation focuses on cases in which commercially developed and marketed tools for general use, particularly on remote administration tools and cloud file-sharing tools, are exploited. The following three points are covered:
1. Incident response cases in which legitimate tools were exploited and Trend Micro helped responding are shared. The behavior and functionality of the tools are also introduced.
2. Traces of exploit are explained to help analysts in actual incident response.
3. Effective countermeasures against attacks that exploit such tools are explained so that they can be used as parameter for containment and prevention during incident response.
*This presentation focuses on commercially developed and marketed tools for general use (e.g., remote administration tools and cloud file-sharing tools), while more knowledge has been accumulated on cases in which tools of Microsoft and those used in penetration tests are exploited in attacks regarding how traces of exploit are left and countermeasures. Since these tools are often used in enterprises, they tend be difficult to detect and protect with security products. In addition, highly functional tools are increasing recently, and attackers like to exploit them. Although the number of case studies has increased, there is still little systematic knowledge of functions, traces of actual exploit, and countermeasures of such tools.
Speaker
Toru Yamashige
Yoshihiro Nakatani
Keisuke Tanaka
Slides
English
Catching the Big Phish: Earth Preta Targets Government, Educational, and Research Institutes Around the World
Abstract
Over the past few months, Trend Micro monitored and detected a large wave of spear phishing attacks targeting governmental, educational and research institutes around the world. Based on the lure documents we have observed in the wild, this is a large-scale cyberespionage campaign. We saw the first incident around this May, and we believe that it is an outbreak of targeted attacks all over the world after months of threat hunting and investigation. The victim countries include but not limited to Japan, Taiwan, Philippines, Myanmar, and Australia. The targeted industries consist of political entities, universities, research institutes and foundations. Moreover, we analyzed the malwares used in this campaign, and it can be attributed to a notorious APT (Advanced Persistent Threat) group, Earth Preta, which is also known as Mustang Panda. Some TTPs and infection chains also resemble what Earth Preta leveraged in previous incidents.
Speaker
Nick Dai
Sunny W Lu
Vickie Su
Slides
English
JITHook - from .NET JIT Compilation Hooking to Its Packer / Unpacker
Abstract
Recently, .NET Malware are more often to be used. To understand the details of our implementation, some background knowledge is required. First in the presentation, We’ll introduce basic .NET concepts, includes CIL, CLR, … and a technique called CLR hosting.
Then we’ll talk about JITHook. In the .NET framework, an important compilation method is responsible for compiles CIL to mechine code. JITHook is a technique that hooks the compilation method. Based on the JITHook, we implemented JITPacker that utilizes JITHook. And JITUnpacker, which against JITHook-based packers.
To verify the feasibility of JITUnpacker, we prepared two samples. One is packed by JITPacker and the other is packed by .NET Reactor, which is widely used in the real world malware. Then, we compared JITUnpacker with three other existing unpackers, namely de4dot, .NET Reactor Slayer and JITM. Only JITUnpacker was able to unpack these two samples successfully.
Implementations of JITPacker and JITUnpacker will be open source to provide ongoing development for interested researchers.
Speaker
Shu-Ming Chang
Slides
English
The Rule for Wild Mal-Gopher Families
Abstract
Since the first Golang malware was observed in 2012, its family has been growing every year. For efficient analysis of the malware, we proposed gimpfuzzy. This method extracts a part of the function name imported into Golang binaries and computes Fuzzy Hash. This method makes it possible to investigate the similarity of samples based on the extracted function names.
This presentation focuses on the use of gimpfuzzy in actual operation and analysis and discusses the followings:
①Introduction of YARA modules that allow classification using gimpfuzzy
②Accuracy evaluation by classification of analyzed samples
③Application of the method to unanalyzed samples, including non-malicious ones, uploaded on VirusTotal, and discussions on it
The presentation enables analysts to use gimpfuzzy in Golang malware analysis and perform actual classification.
Speaker
Kazuya Nomura
Sachito Hirao
Slides
Japanese
English
Fighting to LODEINFO: Investigation for Continuous Cyberespionage Based on Open Source
Abstract
LODEINFO is a RAT (Remote Access Tool) type malware used in APT attacks targeting Japan and Taiwan. It is confirmed that the malware has been used in attack campaigns targeting media, manufacturing, and think tanks since 2019. LODEINFO has been continuously updated in functionality and behavior since first observed, and according to public reports, its TTPs keeps changing as well. We have continuously observed attack campaigns in which LODEINFO were used, based on open source IoCs and reports. This presentation shares TTPs from our analysis of LODEINFO since FY2022 and insights into attackers based on them. The past studies on the attacker attribution concentrated on the main body file of LODEINFO. However, our investigation focused not only on the malware itself but also on decoy documents used as droppers. As a result, we found strange similarities with past attack campaigns targeting Japan. The discussion on this similarity provides a new perspective to the attribution.
One of the goals of this presentation is to encourage more analysts to use open source as a basis for analysis and defense of their own organizations. The presentation not only shares the analysis results of the LODEINFO malware but also how to create hunting rules and specific threat hunting techniques based on vendor reports.
Finally, decoding tools and the list of samples’ IoCs presented will be made publicly available for incident response.
Speaker
Ryo Minakawa
Daisuke Saika
Hiroki Kubokawa
Slides
Japanese
English
Demystifying China’s Supply Chain Attack Targeting Financial Sector
Abstract
In the past two years, we have observed a number of cyberattacks targeting Taiwan’s financial sector. Today, we share our findings on three incidents due to high impact, the financial damage caused, and attributing these attacks to China threat actors. We will also take a deep dive into the TTP and malware deployed.
The first incident disrupted online trading, causing an uproar in the Taiwan financial industry. This attack has been attributed to China-linked threat group TA410 with a medium-degree of confidence. The second incident resulted in the leakage of credit card information. In the last one, the financial sector was compromised, and the source code of their trading system was stolen.
These three incidents highlight the importance of supply chain security in the financial sector. We categorize supply chain attacks into three categories: island hopping attacks, data leaks from third parties, and supplier system vulnerabilities. The incidents we mentioned cover all three forms of attacks This shows how critical supply chain security is to financial sectors. We conclude by hearing from the security teams in the Taiwan financial sector and their thoughts on the general security posture currently used by the Taiwan financial sector.
Speaker
Shih-Min 'Minsky' Chan
Chung-Kuan 'Bletchley' Chen
Slides
English
New Research Methods to Predict Attack Trends Using Public Information
Abstract
Over the past several years, significant security incidents have continuously occurred. In addition to traditional targeted attacks, there has been an increase in the number and activity of attackers conducting ransomware attacks. Various security vendors and related organizations have announced that the cause of these serious incidents is not malicious files attached to emails as frequently seen in the past, but that poorly managed assets (servers/network devices) exposed to the public are becoming more common as an attack vector. Especially since around 2019, there have been strong warnings and repeated security alerts, and then what is the current situation after 3 years?
This presentation shares the following data and research methods based on various public information:
1:Current incident status
The recent status of security incidents based on public information such as ransom attackers’ leak sites, companies’ security incident press releases, and security vendors’ reports, is presented. Overall review of data on the number of incidents and the cause of compromise is also shared.
2:Management status of externally exposed assets by Japanese companies
Information about servers installed in Japan or owned by Japanese companies, which is collected through public information such as Shodan, is shared. High-risk ports such as SMB and RDP, and out-of-support operating systems are often used. Moreover, the speed of addressing vulnerabilities is slow, and it is clear that there is still room for significant improvement. For the time being, attackers have ample routes for intrusion, and security incidents will not decrease.
3:Prediction of attack trends using public information
The exposed assets of the companies where security incidents occurred were continuously investigated using Shodan and other tools, and through this method, the presenter captured changes in attack trends. Since this technique is still being developed, it is shared widely for further improvements in the future.
Speaker
Yutaka Sejiyama
Slides
Japanese
English
First Step to Active Cyber Defence: The Significance of Profiling Attackers
Abstract
“Active cyber defence” in cyber security draws attention by the revisions to three key security documents approved by the Japanese government in 2022. The speaker will focus on what exactly the operation of active cyber defence is like in this presentation. The definition and transition of this term are detailed on a blog article (Japanese only) in JPCERT/CC’s official blog published in September 2022.
The purpose of this talk is not to examine the legal issues or policy implications of the “offensive” operations, which are often given much attention, but rather to discuss operational issues. It will address how stakeholders handling incidents on the front line, particularly analysts who track malicious activities and attackers, may be involved in future discussions of active cyber defence, and what kind of roles they may play.
To be specific,
- Summarising the point of argument about terms and concept
- Approach to impose cost on attackers
- Effectiveness and challenges of public attribution
- Effectiveness and challenges of blocking communication
- Effectiveness and challenges of “aggressive” operation
- Method of choosing effective countermeasures for each threat
- Re-recognition and redefinition of the significance of information sharing
The above topics will be mentioned based on domestic and international case studies and previous research, and the speaker will discuss how activities by analysts are related to these operations and their challenges, or what kind of roles may be required in the future. He will demonstrate that profiling APT groups and other attack groups, attributing and analysing on attack trends are the core of the active cyber defence.
Speaker
Hayato Sasaki
Slides
Japanese
English
Track Down Stealth Fileless Injection-based Nginx Backdoor in the Attack
Abstract
Nginx is a widely used Web Server in the industry, during an incident response, we found a Nginx-based backdoor stored in the server, which used a previously unseen attack vector: Injection, to achieve the fileless effect, and we called the backdoor - NginxStealth and NginxSpy.
In this presentation, we will introduce how the attacker gained initial access to the Nginx server, and how the malicious payload works. Furthermore, we will explain how the backdoor NginxStealth and NginxSpy are skillfully hidden in the system in detail, and compare the techniques used by NginxStealth with the existing Nginx-based backdoors.
Finally, we developed a Nginx module based on the hook method of the NginxStealth. This module can list the addresses of the hook. If the address does not exist in the normal Nginx memory space or the module memory space, there is a high possibility that the Nginx process is injected with NginxStealth.
Speaker
Peter Syu
Jr-Wei Huang
Slides
English
Localization of Ransomware, New Change or Temporary Phenomenon?
Abstract
Many ransomware gangs are incapable of carrying out the entire attack process on their own, so these groups operate via RaaS (Ransomware as a Service). They subdivide the roles into malware development, distribution, money laundering, etc. as their partners (affiliates) distribute the ransomware. These IABs (Initial Access Brokers) were well-versed in the target location's language and culture and were able to effectively distribute the ransomware. This was not an exception for Korea, where IABs composed of Koreans or people who know the country well have been active, causing much damage.
This presentation explains the characteristics and techniques of ransomware active in certain regions, locally active affiliates in Korea, and Gwisin and Masscan ransomware which are active only in Korea. It also includes a summary of ransomware used by threat actors suspected of government support, and damages from ransomware which do not seem to have connection to any previous cases.
The specific-region activity of some ransomware gangs could be a new change, but it may be possible that cybersecurity researchers have not found traces of their activity in other locations. Past cases have proven that Threat Actors that were only active in certain regions expand their scope of activity to other countries, indicating that ransomware gangs that are currently only active in some regions may become active in other areas in the future. Thus, users must be cautious about ransomware active in marginal countries as well.
Speaker
CHA Minseok
Slides
English
How Do We Fight against Evolving Go Language Malware? Practical Techniques to Increase Analytical Skills
Abstract
Recently, Go language has often been used for malware development due to its high efficiency and ease of attack on multiple platforms. New types of Go malware such as Chaos and Nerbian were discovered in 2022, implying that Go is going to be used in future as well. We analysts will have more opportunities to see Go-language malware, and the techniques to analyse it efficiently will become more important.
However, binaries created in Go are very difficult to analyse. This is because the number of functions is huge, and the data structures and calling conventions are different from those of C/C++ binaries. For these reasons, there are tools to resolve function names and other information that help in the efficient analysis of Go malware. Despite the availability of such tools, Go language makes it difficult to use them for a long time, as version upgrades may change the data structures that the existing tools refer to. In addition, some samples of Go malware use Go-specific obfuscation methods which are difficult to analyse with existing tools. Go language malware analysis has many challenges as mentioned above, and therefore its methods and knowledge are not well shared.
In this talk, the speaker will discuss how to analyze Go language malware. First, the basic analysis flow and techniques will be shared for those who have little experience in Go language malware analysis. Then, how to deal with advanced Go malware in the long term will be introduced for those who already have experience in the analysis. He will explain how to modify the tools while incorporating structural information of binaries that the existing tools refer to.
The presentation will hopefully help increase analysts’ skills of fighting against Go language malware.
Speaker
Tsubasa Kuwabara
Slides
Japanese
English
Invitation to Secret Event: Uncovering campaigns targeting East Asia by Earth Yako
Abstract
Operation RestyLink, identified in 2022, is considered as a targeted attack campaign against Japan. We do not explicitly attribute the threat actor of this campaign to any existing one, but instead, we trace it as a new actor “Earth Yako.” We already know the TTPs and malware used in its initial intrusion, as Macnica and NTT Security Japan have already published blog articles on it. However, the number of incident cases shared publicly is not large enough to identify activities afterwards.
In this presentation, we will first show that researchers and other employees in academic institutions and think tanks in Japan and Taiwan were the target of the campaign, through introducing several incident cases we observed in 2022. Next, we will share the 3 incidents as examples to show the results of our detailed analysis on the malware used after the intrusion. Specifically, we will cover the 2 types of loaders MIRRORKEY and PULINK, which were observed in separate incidents respectively, and 3 types of malware TRANSBOX, PLUGBOX, and SHELLBOX, which leverage Dropbox API. In addition, we will discuss existing threat actors that may be related to Earth Yako, based on the similarities in the observed TTPs and malware codes.
Finally, IoCs obtained through our incident investigation will be shared to help other organizations with their threat hunting and incident response.
Speaker
Hiroaki Hara
Yuka Higashi
Masaoki Shoji
Slides
English
LIGHTNING TALK
List
Slot #1
Title: On the Eve of Code Signing Transformation
Speaker: Hitomi Kimura
PDF(Japanese)
PDF(English)
Slot #2
Title: Memory Forensics with VolWeb
Speaker: Félix Guyard
Slot #3
Title: New Threat Detection and Analysis Method Using Honeypots in Multiple Locations
Speaker: Ryosuke Yoshimura
PDF(Japanese)
Slot #4
Title: Brief History of MustangPanda and its PlugX Evolution
Speaker: Still Hsu
PDF(English)
Slot #5
Title: Latest Trends and Consideration in APT41-Related InfoOps
Speaker: Misaki Yoshida
PDF(Japanese)
PDF(English)
Slot #6
Title: Observation of Unauthorised Sign-in to Azure AD and Its Real-time Blocking
Speaker: Shoichi Ando
PDF(Japanese)
Slot #7
Title: Digging for Coper: Unseen findings of infamous Android malware
Speaker: Fernando Diaz Urbano
PDF(English)
Surviving the hurt locker: or How I Learned to Stop Worrying and Love the Bom
Abstract
The vulnerability in Log4j (CVE-2021-44228) has brought attention to Software Bill of Materials (SBOM). SBOM is like a software version of a food ingredient label. It is data which represents library components, etc. used by the software. There are a number of publicly available tools for generating SBOMs. However, if you do not understand what logic those tools use to generate SBOM, you will suffer from false positives and missed detections. The speakers run scripts, which they created by themselves, on more than 150,000 servers every day to collect SBOMs. This is used for daily vulnerability response. This SBOM workshop is presented based on the knowledge gained from the experience. In this workshop, participants will have a hands-on opportunity to create a program to generate SBOMs almost from scratch, using Python and Java. Through the hands-on, participants will learn the followings:
What SBOM is
How to Generate SBOM
Types of SBOM
Speaker
Simon Vestin
Manabu Niseki
Requirements
- Laptop (Windows, Mac, etc. with the setups listed below)
Advance Preparation
- VS Code
- Docker
- Python
- Git
Skills
- Basic knowledge of Linux
- Basic knowledge of Python (Participants will be required to write scripts in Python during the workshop.)
Repository
https://github.com/ninoseki/jsac2023-sbom-workshopDetection engineering with Sigma: Defend against APT targeting Japan
Abstract
In this workshop, participants will learn how to detect APT attacks, using some of the reported cases in the past one year in which Japanese companies and organizations were targeted. The participants will not attempt to detect “less painful” IoCs defined in Pyramid of Pain, such as file hash values and communication destinations, which are commonly referred to. Instead, the participants will focus on TTPs in higher level, which are harder for attackers to modify.
Each participant in the workshop will create their own Sigma rules to detect TTPs used by each actor. No prior experience is required, as we will explain how to create rules as well as how to use the tools necessary bare minimum during the workshop. However, participants with experience in creating detection logic for EDR products or malware analysis can try out more advanced tasks.
In the exercise, participants will repeat the trial-and-error process using the prepared logs, checking whether their rules can correctly detect the attacks without false positive or false negative. The rules for the example answer as well as the reason why we created such rules will later be explained. The participants will apply Sigma rules to the event logs obtained with Sysmon, which can be converted to detection rules for various security products. We hope each participant can use them at their company’s environment as well after this workshop.
Through this workshop, participants will learn how to use Sigma in security monitoring and incident response, as well as what analysts should focus on during incident response.
Speaker
Shota Nakajima
Rintaro Koike
Requirements
- A Windows PC that can be connected to the Internet
Advance Preparation
The participants are required to install the following tools in advance
- VS Code
- Timeline Explorer
- EvtxECmd
- Chainsaw
Skills
It is not required but ideal for the participants to have the following experiences
- Incident response and malware analysis
- Creating rules for EDR products and Sigma rules
Slides
Japanese
Toru Yamashige
Trend Micro Inc.
Toru joined the Incident Response team after working as a sales engineer at Trend Micro. He is engaged in assisting users affected by security incidents, including ransomware, to recover from them. He also develops detection logic for EDR products based on his knowledge of attack methods gained through incident response.
Yoshihiro Nakatani
Trend Micro Inc.
Yoshihiro previously worked as a web programmer before joining Trend Micro in 2007. After working in support desk, he has been engaged in threat research and malware analysis. Currently, he is mainly in charge of log analysis and forensic work for incidents in Japan.
Keisuke Tanaka
Trend Micro Inc.
He joined Trend Micro in 2007 and worked at the support desk for both personal and corporate products. In 2012, he became an account manager for the central governments, where he monitored threats, responded to incidents, and recommended countermeasures. He then became manager of the threat research team, and since 2019, he has been supervising incident response support services. In September 2021, he became a doctoral student (Uehara Laboratory) at the Graduate School of Information Science and Engineering, Ritsumeikan University.
Simon Vestin
LINE Corporation
Simon is a developer focusing mainly on the field of network security and security infrastructure. He is currently building a system to find vulnerabilities and misconfigurations hidden in LINE’s vast infrastructure. The process is like looking for a needle in a haystack.
Manabu Niseki
LINE Corporation
Manabu is involved in the development of anti-fraud, server-side SecCM and vulnerability auditing systems. He has presented at HITCON, Botconf, OBTS, and JSAC.
Nick Dai
Trend Micro Inc.
Nick Dai is a threat researcher in Trend Micro. He is devoted to tracking and detecting APT attacks within APAC region by malware analysis and threat intelligence. He also develops tools for threat hunting and malware analysis. He has published several publications regarding targeted attacks and malwares.
Sunny W Lu
Trend Micro Inc.
Sunny W Lu is a threat researcher at Trend Micro. She has been engaged in tracking and hunting APT malwares and attacks in APAC region.
Vickie Su
Trend Micro Inc.
Vickie Su is a threat researcher in Trend Micro. She is in charge of handling targeted attack cases around the Asia-Pacific region by malware analysis, performing correlating intelligence during the investigation, figuring out threat actors' Tactics, Techniques and Procedures (TTPs).
Shu-Ming Chang
National Yang Ming Chiao Tung University & CyCraft Technology
Shu-Ming Chang (@LJP-TW) is currently pursuing a master’s degree in cybersecurity at National Yang Ming Chiao Tung University, with an interest in binary exploitation and reverse engineering. He is a member of 10sec / TSJ CTF team and an intern at CyCraft.
Kazuya Nomura
NTT Security Japan
Kazuya is a SOC analyst at NTT Security Japan. His main responsibilities include alert monitoring with IPS/IDS/EDR. He has contributed articles on malware analysis and data visualization at the company and received the MWS2020 paper award. He is also a distinguished alumnus of SecHack2020.
Sachito Hirao
NTT Security Japan
Sachito is a SOC analyst at NTT Security Japan and in charge of NW/EDR alert monitoring as well as malware analysis. Formally, he was an infrastructure engineer at financial industry.
Ryo Minakawa
N.F.Laboratories Inc.
Ryo is engaged in threat intelligence generation and malware analysis at NFLabs. He also works with NTT Communications’ NA4Sec project to track targeted attacks and their threat infrastructures.
Daisuke Saika
N.F.Laboratories Inc.
Daisuke is engaged in threat intelligence generation and malware analysis at NFLabs. He is interested in the field of deception in active cyber defense, and he privately creates such environment and plays with it.
Hiroki Kubokawa
N.F.Laboratories Inc.
Hiroki is currently engaged in threat intelligence, malware analysis, and development at NFLabs, focusing on creating values for customers. While he has been recently focusing on improving his development and analysis skills, he is also planning to get involved in offensive security.
Shih-Min 'Minsky' Chan
CyCraft
Shih-Min Chan is currently a senior security analyst in CyCraft, mainly focuses on incident response, APT research, malware analysis and threat intelligence analysis. He has been the speaker in various training for practitioners and presented technical presentations in technical conferences, such as Infosec in the City, CodeBlue OpenTalk and FIRST.
Chung-Kuan 'Bletchley' Chen
CyCraft
Chung-Kuan Chen is currently a senior researcher in CyCraft, and responsible for organizing the research team, and Adjunct Assistant Professor in Soochow University, Taiwan. He earned his PHD degree of Computer Science and Engineering from National Chiao-Tung University (NCTU). His research focuses on cyber attack and defense, machine learning, software vulnerability, malware and program analysis. He also dedicates to security education. As the founder of NCTU hacker research clubs, he trained students to participate in world-class security contests, and has experience of participating DEFCON CTF (2016 in HITCON Team and 2018 as coach in BFS team). Besides, he has presented technical presentations in technique conferences, such as BlackHat, HITCON, HITB, RootCon, CodeBlue, FIRST and VXCON. As an active member in Taiwan security community, he is the chairman of HITCON review committee as well as a director of Association of Hacker In Taiwan, and member of CHROOT - the top private hacker group in Taiwan.
Yutaka Sejiyama
Macnica, Inc.
Yutaka is a member of Macnica's Security Research Center, where he works to reduce the damage to Japanese companies caused by cyber attacks. He mainly researches threat trends related to ransomware and vulnerabilities, and he also focuses on spreading information about countermeasures through Attack Surface Management. He checks vulnerability information and investigate servers with OSINT, frequently using Shodan, on a daily basis. His Twitter ID is @nenoko_nanomotoni.
Shota Nakajima
Cyber Defense Institute Inc.
Shota is engaged in malware analysis, incident response as well as threat research. He has presented at domestic conferences such as JSAC, HITCON, and Black Hat EUROPE Arsenal, and he also led some workshops at Security Camp and JSAC. He is learning social engineering recently.
Rintaro Koike
NTT Security Japan
Rintaro is engaged in threat research and malware analysis at NTT Security Japan. He is also a researcher at Team nao_sec. He has presented at VB, SAS, HITCON, and other conferences. A cat lover.
Hayato Sasaki
JPCERT/CC
Manager/Threat Analyst of Early Warning Group of JPCERT/CC. After working at the Information-technology Promotion Agency (IPA), Hayato was assigned to the Office of IT Security Policy in the Ministry of Economy, Trade and Industry (METI) in 2013. He has been engaging in publishing security alerts, incident response and sharing information among public and private sectors since he joined JPCERT/CC in 2016. The toughest work he did in 2022 was contribution to “Guidance on Information Sharing and Disclosure of Breaches Caused by Cyber Attacks”.
Peter Syu
TeamT5
Peter is a security researcher at TeamT5. Peter's research mainly focuses on incident response and malware analysis. Some of his work has been presented at international security conferences.
Jr-Wei Huang
TeamT5
Jr-Wei Huang is a product developer at TeamT5. His research interests are in the area of system security and threat hunting.
CHA Minseok
AhnLab
He is a Senior Principal Threat Intelligence Researcher at AhnLab. He joined AhnLab as a malware analyst in 1997. He research mainly focuses on cyberattacks and threat actors in East Asia. He has been appointed as a member of the Private/Public Cooperative Investigation Group and Cyber Expert Group in South Korea. He is a reporter for the WildList Organization International. He was a member of the board of directors of AVAR (Association of Anti-Virus Asia Researches) from 2018 to 2022. He was awarded the ISC2 ISLA Asia-Pacific Information Security Practitioner Award in 2018. He is a speaker at security conferences, including AVAR, AVTOKYO, CARO Workshop, CODE BLUE, HITB GSEC Commsec, JSAC, SECUINSIDE, Virus Bulletin. When he has free time, he enjoys old anime and video games.
Tsubasa Kuwabara
FFRI Security, Inc.
Tsubasa has worked on the development of malware detection logic for NGAV products at FFRI Security, Inc. He is now conducting malware analysis and development of its environment as a security engineer. He attended SecHack365 and the Security Camp 2019. He was a lecturer at the Security Camp 2021.
Hiroaki Hara
Trend Micro Inc.
He focuses on threat intelligence research in Asia-Pacific region. He specializes in threat hunting, incident response, malware analysis and targeted attack research. He spends most of time to work out funny name for newly found malwares. He has previously presented at JSAC 2021/2022 and HITCON 2022.
Yuka Higashi
Trend Micro Inc.
She specializes in the leverage of machine learning and data science for the cybersecurity field. She applies this expertise to Threat Hunting using a variety of data to find traces of attacks that are difficult to find using existing methods.
Masaoki Shoji
Trend Micro Inc.
He focuses on threat intelligence research and information sharing in Japan. He specializes in incident response, forensics, and attribution research related to intrusion set targeting Japanese organizations.
Name
Details
Details