JSAC2024 -Day 1-
JPCERT/CC held JSAC2024 on January 25 and 26, 2024. The purpose of this conference is to raise the knowledge and technical level of security analysts, and we aimed to bring them together in one place where they can share technical knowledge related to incident analysis and response. The conference was held for the seventh time and, unlike last year, returned to a completely offline format. 17 presentations, 3 workshops, and 6 lightning talks were presented in the 2-day programme, and most of the presentation slides are available on JSAC Website. JPCERT/CC Eyes introduces the conference in three parts. This article reports on the main track on Day 1, and a couple more articles will cover the rest of the event.
Lessons Learned from Changes in Activities Related to Amadey Malware
Speaker: Masaki Kasuya (BlackBerry Japan)
Slides (English)
Masaki gave a presentation on the analysis result and observation using an emulator that establishes long-term communication with the C2 servers of Amadey, an information-stealing malware.
The implemented emulator generates and sends fake requests to the C2 servers. He observed a total of 511 C2 servers associated with Amadey for about 50 months, starting in October 2019. Although there was no significant activity at the beginning, the observation revealed that the attacks became more active as the number of Amadey C2 servers gradually increased, and the malware’s features became more sophisticated, including its management tools and encryption schemes. The number of commits to VirusTotal also showed that Amadey was increasingly recognized, and attacks were becoming widespread. His analysis result on the samples and payloads associated with Amadey infections explained the average lifecycle of C2 servers, the distribution of payloads that exploit legitimate servers, and the attacker's intention to infect multiple types of malware. He considered the information-stealing malware Redline and Amadey are related due to the timing of their activity and the coordinated movements over multiple cycles. He also highlighted that the similarities in C2 server trends could lead to the identification of new attackers.
Finally, the importance of end-point defence, effective countermeasures and the significance of long-term observation were emphasised based on the presented attack trends and analysis results.
NSPX30: a Sophisticated AitM-Enabled Implant Evolving Since 2005
Speaker: Facundo Munoz (ESET)
Slides (English)
Facundo provided an in-depth analysis of an implant, NSPX30, with attack case studies.
NSPX30 was identified in 2020, but his research into the timestamps of related files and other information revealed that it has been continuously developed since 2005 based on backdoors ProjectWood and DCM. He assumed that the attack was made by Blackwood, a China-based threat actor, given the similarity between NSPX30 and PeerYouRat as well as the use of common special character strings. By referring to an attack associated with the group, he explained the TTPs using AiTM attack method, which intercepts communications between users and legitimate services and modifies the contents. Blackwood's features were described such as disguising itself as a legitimate application update, intercepting traffic, and whitelisting its own threads in certain security software. He also touched upon The Wizards and other threat actors, explaining each target sector, region and TTPs.
He will continue to investigate NSPX30 development trends and BlackWood's target.
Email Breach Analysis and Response Tips to Eliminate Risks
Yumi Iida (ITOCHU Cyber & Intelligence Inc.)
Slides (English)
Yumi gave a presentation on how to respond to AiTM attack.
The tactics of AiTM attacks bypasses multi-factor authentication and allows unauthorised logins. The damage may increase if the initial incident response is not appropriate. She detailed on the priorities to work in the event of an AiTM attack in a Microsoft365 environment. Stopping the damage, protecting traces, and identifying the scope of the breach should be carried out first, and in parallel, the type of logs that are required for investigation and the incident response policy should be sorted out. She added that it is important to understand the retention period and licence type of the logs and advised where to start the investigation. She gave specific examples of where in the logs traces of the attack would be left in the demonstrated scenario and what content would be reported to users.
Finally, she stressed the importance of understanding the key points in incident response in advance.
Operation So-seki: You Are a Threat Actor. As Yet You Have No Name
Speakers: Ryo Minakawa (N.F.Laboratories Inc.), Atsushi Kanda and Kaichi Sameshima (NTT Communications Corporation)
Slides (English)
Ryo, Atsushi and Kaichi investigated pro-Russian hacktivists from multiple perspectives over a long period of time.
The analysis covered their activities, organisational trends, and operations. The C2 servers were identified through analysis using botnet. They shared the results of a technical approach to analysing the attack source and the infrastructure used in the attack. Another noteworthy aspect of their presentation is that they mentioned the act of spreading attack information is favourable to the hacktivists and gives them a sense of success.
The presentation was concluded with the message that information sharing should be tailored to the nature of the attack actors and that effective information sharing should be conducted for the damage prevention.
ESXi: Detect the Future A0acker’s Playground at Ring -1
Speakers: Frankie Li, Victor Chan (Dragon Advance Tech Consulting Co., Ltd), Michael Ching (PwC Hong Kong)
Frankie, Michael, and Victor spoke about their investigation into the risks and opportunities for detecting attack behaviour on ESXi, a hypervisor offered by VMware, and their exploration of forensic scripts that can collect attack signatures.
They shared ESXi’s structure and possible concerns, including the example of cases where it was exploited as a kill chain. Compared to other products, the lack of security solutions and its password management feature makes it easy for attackers to target users on the Internet. The case elaborating the structural risks of ESXi was also shared. They proposed a live forensic tool and explained its usefulness in a ransomware attack scenario. The tool can apply forensic techniques in line with ESXi features and is compatible with Yara.
Finally, they urged the audience to manage access rights, limit functionality, and keep logs properly when using ESXi.
Lazarus Group's Large-scale Threats via Watering Hole and Financial Software
Speakers: Dongwook Kim, Seulgi Lee (KrCERT/CC)
Slides (English)
Dongwook and Seulgi addressed the findings of a large-scale attack campaign by the threat actor Lazarus targeting South Korean companies.
The attackers had multiple TTPs, including exploiting zero-day vulnerabilities in Korean financial software, phishing and watering hole attack techniques. The attacks were characterised by a hierarchical network of C2 servers, the extensive use of virtual servers and DLL side-loading. It was also confirmed that the C2 servers were operated at short intervals to ensure that no traces were left behind. It was important to check for the presence of malware based on the path traces both with or without files and also for suspicious files directly under C:\Windows\System32.
For effective countermeasures, they mentioned some key points including paying attention to vulnerabilities at the development stage, considering third-party infiltration, and zero-trust.
The Secret Life of RATs: Connecting the Dots by Dissecting Multiple Backdoors
Speakers: Hiroaki Hara (Trend Micro, Inc.), Shota Nakajima and Ryonosuke Kawakami (Cyber Defense Institute Inc.)
Slides (English)
Hiroaki, Shota, and Ryonosuke discussed the attack campaigns GroundPeony and Ratel Master and Earth Estries, as they found commonalities and similarities between the actors. The reasons for assuming this relationship are as follows:
- GroundPeony and Ratel Master have similar TTPs and matching loaders
- Earth Estries and Ratel Master have similar TTPs and partially matching malware code, and the infrastructure exploited in the past matches
- The domains exploited in the past in Earth Estries and GroundPeony match
They also identified a VirusTotal account uploading Mofu loader, a malware loader used by GroundPeony and Ratel Master. The account holder uploaded multiple pieces of malware, including HemiGate, a backdoor used by Earth Estries. It was possible that the account did not belong to a researcher, but to an attacker to test multiple types of malware. Finally, the speakers mentioned the timing of each actor's activities in the past to show that the three campaigns may have been carried out in cooperation among them.
Unveiling TeleBoyi: Chinese APT Group Targeting Critical Infrastructure Worldwide
Yi-Chin Chuang and Yu-Tung Chang (TeamT5)
Slides (English)
Yi-Chin and Yu-Tung delivered a talk on TeleBoyi, a threat actor reportedly based in China.
It had mainly affected the energy industry in India, but the number of countries and industries targeted has increased, showing a strong interest in critical infrastructure and intellectual property. Attack cases and several TTPs were described, including disguising malware as legitimate applications or document files containing macros and exploiting vulnerable servers. The attackers use tools that have been exploited in other attack campaigns and modify in their own way, such as PlugX, which contains meaningful strings in Chinese in parts of the code, and Double shell, which exploits external services. The analysis of the used infrastructure in the attacks confirmed that the domains contained the names of well-known companies.
The speakers examined the relationships between TeleBoyi and several threat actors based on the analysis and explained the connection with APT41, Earth Berberoka and SLIME40 (FamousSparrow), etc. It seems that APT groups based in China tend to share attack tools in recent years.
Threat Intelligence of Abused Public Post-Exploitation Frameworks
Speakers: Masafumi Takeda and Tomoya Furukawa (Internet Initiative Japan Inc.)
Slides (English)
Masafumi and Tomoya gave a presentation on Post-Exploitation Framework, an open-source framework with a detailed categorisation of the command and control tools and discussed the analysis result of their functions and behaviour as well as the advantages of using the categorisation.
The analysis, which covered the tools classified as 'Execution' and 'Persistence' in MITRE's ATT&CK, elaborated the details on the functionalities, outputs, and traces from the behaviour of tools. They focused on the tools with the following three conditions: publicly available source code, exploitation confirmed in the wild, and 5 or more associated 'Tactics'. They argued that it might be useful to categorise code by behaviour for detection and monitoring.
They would like to create actual detection rules and further analyse external tools used as modules in the future.
In Closing In this article, we introduced the presentations given on the first day of JSAC2024. The next article will cover the presentations on the second day.
Masumi Uno (Translated by Masa Toyama)