LABScon 2023 | Security Research in Real Time – Talks Not to Miss, Part One

LABScon is back – after last year’s stunning success, the bespoke, invite-only conference for the cybersecurity industry’s leading experts, threat investigators, journalists, academics and government partners returns for its second installment in Scottsdale, Arizona from 20th September through to 24th (places are limited, but it’s still possible to request an invite).

Showcasing cutting-edge research into cyber threat actors, hunting techniques, vulnerabilities, exploits and new tooling, LABScon offers a unique opportunity to interface with leading researchers and journalists without the distractions of vendor halls and product pitching.

This year’s lineup of speakers includes veterans of the cybersecurity landscape from Cisco Talos, ESET, Intezer, Mandiant, Microsoft, Red Canary, SentinelLabs, Sophos and more. In this post, we take a sneak peek into some of the research that will be presented at LABScon23.

For those that can’t make it, don’t forget to bookmark both the LABScon homepage and the SentinelLabs homepage to keep an eye out for the release of video recordings after the event. Many of the talks from last year are available here.

Who’s Speaking at LABScon 23?

The event will kick off with a keynote speech from Christiaan Triebert of the New York Times’ Visual Investigations team. Renowned for his work exposing the Russian bombing of hospitals in Syria and Iran’s downing of a civilian airliner, Christiaan has earned multiple prestigious awards for his work, including two Pulitzer Prizes.

Christiaan’s keynote will be followed by an action-packed program of over 30 talks. We welcome back some of our distinguished speakers from LABScon 22, such as Kim Zetter, Kristin Del Rosso, MJ Emanuel, Paul Rascagneres, Greg Lesnewich and Alex Matrosov, and extend a warm welcome to a fantastic gallery of new LABScon speakers this year, including Zuzana Hromcová from ESET, cyber lawyer Elizabeth Wharton, Bendik Hagen from PwC, Red Canary’s David Bogle, Adam Rawnsley from Rolling Stone and many more.

In addition, SentinelLabs researchers Juan Andrés Guerrero-Saade, Tom Hegel and Aleksandar Milenkoski will be presenting the latest on their research projects to the LABScon audience.

The full schedule for this year’s LABScon is now available here. In the meantime, enjoy this sneak peek of what we have on offer. Below, we spotlight a selection of presentations we have lined up to give you a flavor of what to expect at LABScon 2023.

Adam Rawnsley | Meet the Iranian Company Powering Russia’s Drone War on Ukraine

One day in 2021, a self-professed “hacktivist” popped into my direct messages, told me his “group” had noticed I’d done the most work on Mado, and dumped videos and documents allegedly hacked from the company’s network and CEO.

The material—painstakingly verified with the help of colleagues—fleshes out a portrait of the company I’d been sketching out for years. Thanks to the additional sourcing and some help from colleagues at the Middlebury Institute of International Studies (MIIS) and work by others, we can confirm that Mado’s are now powering the Iranian drones raining down on Ukraine and are likely in some of the cruise missiles Iran and its proxies have launched at Saudi Arabia, and the United Arab Emirates.

Using the hacked documents and videos along with court records, web registration information, business records, and other open sources, we can trace the rise of a key Iranian drone company from late-2000s aviation forum posts to contracts with some of the highest-ranking generals in the Islamic Revolutionary Guard Corps. Mado’s trail starts in Iran but moves through China, Germany, Saudi Arabia, an Iranian motorcycle company, and finally Russia and Ukraine.

Elizabeth Wharton | Send Lawyers, ‘Garchs, and Money

Allegations of oligarch election meddling and influence are old news as we head into 2024. While prosecutors focus on the money trail in building threat-intelligence-based cases for indictment, don’t overlook oligarch-funded lawyers with creative delay-and-distract defense tactics. From twisting data privacy laws to using funds for SLAPP libel cases to leaking legal discovery, we’ll dissect a series of US and UK cases where oligarchs are throwing lawyers and money as curveballs to thwart influence and cybercrime prosecutions. We’ll also look at ways to further leverage these cases as opportunities for closing policy gaps and for open source intelligence data gathering.

Bendik Hagen & Adrien Bataille | Pulling the (KEY)PLUG: A dive into the ecosystem of yet another shared malware family

KEYPLUG has been publicly referenced on several occasions but never in great detail. Past analysis has associated this malware family with APT41 / Brass Typhoon and public reporting described activity in 2021 targeting US state governments. But is there more to it?

During the past year, we dug into KEYPLUG internals and related samples, where we uncovered new loaders and plugins. We tracked its associated infrastructure and the protocols adversaries use in order to avoid detection and stay one step ahead. Throughout our analysis, we discovered several different users of KEYPLUG, which we will present here, each with distinct characteristics and victims.

In addition, we will detail the opportunities and challenges of detecting KEYPLUG from a network perspective and on the endpoint, based on recent observations and discoveries of these new groups. We will show ways to attribute these activities differently based solely on how KEYPLUG is being used, and how little details can make a difference. We hope to show the audience that, although it can be difficult, attribution based on shared tooling or malware is still possible and brings important pieces to the bigger puzzle.

Dan Black & Luke Jenkins | BEATDROP: Spy, Burn, Rebuild, Repeat

The Russian government’s Foreign Intelligence Agency (SVR) is responsible for conducting nation state espionage against diplomatic entities globally. In the lead up to Ukraine’s pivotal counteroffensive, Mandiant observed APT29 substantially increase its targeting of foreign embassies in Ukraine, with new campaigns now being identified on a weekly basis alongside its typical targeting of other diplomatic entities in Europe and further afield.

Coupled with this shift in targeting, we also observed a major shift in APT29’s tooling and tradecraft. This shift in tooling is resulting in major innovations in the delivery chain in addition to new bespoke malware families responsible for persistence, data collection and subsequent malware delivery.

This presentation aims to discuss these new APT29 waves Mandiant identified in 2023, taking a look at the technical details of the capability and discussing the defensive changes made by APT29 to remain undetected by the threat intelligence community.

Dave Bogle | Entering the hive: Understanding eBPF-based malware

eBPF (extended Berkeley Packet Filter) is a rapidly growing technology that’s revolutionizing the Linux ecosystem. It allows developers to write code that can safely run in the kernel while handling much of the processing and analysis in userspace. As with most new and useful tech, adversaries will inevitably begin to leverage eBPF to implement common malware tradecraft.

This presentation explores how adversaries can leverage the power of eBPF to implement common tradecraft such as process hiding, file hiding, privilege escalation, and more. We’ll examine this emergent eBPF tradecraft from both the offensive and defensive perspective, analyzing the many ways that adversaries might abuse eBPF and diving into the identification, classification, and detection of eBPF malware — while also educating the audience about how the technology is also useful for endpoint and cloud security vendors.

Kristin Del Rosso & Matt Devost | Ghost in the Breach: Using breach intelligence to hunt hidden Russian assets

Following the invasion of Ukraine, increased sanctions against Russian individuals and entities led to an increase in large-scale, fully litigated judgments and the creation of international task forces focused on seizing assets from Russian oligarchs.

Russian individuals and entities have repeatedly employed extensive obfuscation techniques and utilized shell corporations in multiple jurisdictions globally to successfully hide or transfer assets – that is, until their data got leaked. The ever-growing volume of data leaks has proven to be a valuable tool for additional researcher context, as well as novel information sourcing, theory confirmation, and new asset discovery.

We will delve into two real-world use cases where breach data provided crucial insights, uncovering additional US assets belonging to a sanctioned oligarch, as well as another entity’s coordinated efforts to control assets based on insider knowledge of the Russian invasion, in a preemptive attempt to remain a beneficiary while avoiding impending sanctions.

Data leaks are of growing importance in augmenting OSINT investigations, and participants will leave aware of potential data leaks that can be used as invaluable resources, as well as best practices when sorting through the data.

Vitor Ventura & Michael Gentile | Intellexa and Cytrox: From fixer-upper to Intel Agency grade spyware

Mercenary spyware companies need to evolve their spyware capabilities just like software from any other commercial company. This presentation details an account and timeline of one such mercenary organization, from almost bankrupt to having fully working spyware targeting iOS and Android with one-click zero-day exploits.

Intellexa, a conglomerate of commercial spyware creators, was born out of the merger of existing mercenaries: Nexa Technologies, WiSpear and Cytrox, a Macedonian company focused on the Android platform. The spyware created by Intellexa is highly modular and versatile, deployed via zero-day attacks against a variety of victims targeted by unscrupulous state-related actors all over the world. From the moment Cytrox was “rescued” by Intellexa, it started to revamp its suite of spyware called ALIEN/PREDATOR. Based on code analysis and OSINT, this presentation will take the audience through time, describing key milestones for capability building, hiring, sales pitch and finally the delivery of their solution to potential customers.

Throughout our presentation we will share the fundamentals of our analyses, providing the audience with insightful techniques that can be replicated in their own research and eventually help in the construction of timelines based on binary analysis.

We break down all major events in ALIEN and PREDATOR’s development cycle leading up to the first campaigns ever attributed to Cytrox, highlighting their operational tactics along the way.

Finally, we will conduct a code-level review of the different components of the spyware, followed by a high-level comparison between the ALIEN/PREDATOR tag team and the solo PREDATOR for iOS and the reasoning behind such platform-specific differences, while illustrating that ultimately the core and capabilities of the spyware are basically the same.

Zuzana Hromcová | They spilled oil in my health-boosting smoothie: How OilRig keeps access to healthcare orgs and Israeli local governments

OilRig is a well-known Iran-aligned cyberespionage group, allegedly under the MOIS (Ministry of Intelligence and Security), that has been targeting Middle Eastern governments and a variety of business verticals since at least 2014. In this presentation, we study the group’s persistent attacks on Israeli healthcare and local governments, often with the same organizations targeted multiple times over the course of several years, suggesting that OilRig considers them to be of high espionage value.

We look at the group through the eyes of an Israeli local government organization and a group of healthcare organizations that recovered from the Out to Sea compromise in 2021, only to find themselves retargeted by several versions of OilRig’s SC5k downloader, followed by the new OilBooster and Mango backdoors throughout 2022.

In the process, we disclose the previously undocumented 2021 Outer Space and 2022 Juicy Mix campaigns, notable for their new C# backdoors dubbed Solar and Mango, and a set of custom post-compromise tools that are used to collect credentials, cookies, and browsing history from major browsers and from the Windows Credential Manager. Although these are not sophisticated tools, they are tweaked frequently, and we inspect the added layers of obfuscation and detection evasion techniques.

Next, we discuss OilRig’s ongoing shift away from traditional C&C infrastructure towards Microsoft APIs. We look at the mechanism behind using the OneDrive API (OilBooster) and Microsoft Office 365 API (SC5k downloader) for their C&C communications, and the difficulty this presents for tracking OilRig.

Finally, we focus on the group’s characteristic TTPs that remain unchanged despite the constant stream of updated and newly developed tools – including their frequent coding mistakes, noisy presence on compromised systems, and other characteristics that allow us to keep a close eye on the group.

Request an Invite

These are just a few of the exciting talks coming up at LABScon 2023, a premier event where the brightest minds in cybersecurity come together to share their insights. We’ll be highlighting further upcoming talks soon, but in the meantime it’s still not too late to request an invite. A limited number of tickets remain available, so hurry and click that button if you’d like to come and join us.