LABScon 2023 | Security Research in Real Time – Talks Not to Miss, Part Two

The clock is ticking, and in case you hadn’t heard, LABScon is back!

Continuing the stellar success of last year’s inaugural event, the SentinelLabs team is once again hosting a bespoke, invite-only conference for the cybersecurity industry’s leading experts, threat investigators, journalists, academics and government partners. The con will meet in Scottsdale, Arizona from 20th September through to 24th and places are limited, but there’s still time to request an invite.

Showcasing cutting-edge research into cyber threat actors, hunting techniques, vulnerabilities, exploits and new tooling, LABScon offers a unique opportunity to interface with leading researchers and journalists without the distractions of vendor halls and product pitching.

This year’s lineup of speakers includes veterans of the cybersecurity landscape from Cisco Talos, ESET, Intezer, Mandiant, Microsoft, Red Canary, SentinelLabs, Sophos and more. In this post, we take another sneak peek into some of the research that will be presented at LABScon23.

For those that can’t make it, don’t forget to bookmark both the LABScon homepage and the SentinelLabs homepage to keep an eye out for the release of video recordings after the event. Many of the talks from last year are available here.

Alex Matrosov | Spectre Strikes Again: Introducing the Firmware Edition

The excitement surrounding speculative execution attacks may have subsided, but sadly, such threats remain. Binarly Research has discovered a vast attack surface still vulnerable to known issues like Spectre v1 and v2 on AMD silicon. Ineffective mitigations and the complexity of validation negatively impact the AMD device ecosystem. While the industry is currently concentrating on constructing confidential computing infrastructure, foundational design problems reveal a lack of basic security at the hardware level. This discovery was made possible due to the asynchronous nature of firmware and hardware security fixes development.

Throughout their lifecycle, devices are susceptible to security issues due to the asynchronous nature of firmware security fixes delivery from multiple parties and the asynchronous nature of the supply chain. The lack of transparency in vendor security advisories results in an opaque channel for informing customers about the criticality of released security fixes and leads to varying approaches to patching widespread vulnerabilities with industry-wide implications. Even major silicon vendors develop mitigations for side-channel attacks differently. This situation presents an opportunity for potential threat actors to exploit known speculative attacks like the 5-year-old Spectre or the 1-year-old Retbleed. A new perspective is needed to construct an attack vector that utilizes speculative attacks to target UEFI-specific firmware vulnerabilities.

In this presentation, we will discuss our research into the potential use of speculative attacks against the System Management Mode (SMM) on AMD-based devices and outline the methodologies we employed throughout our research investigation.

Hakan Tanriverdi | From Vulkan to Ryazan – Investigative Reporting from the Frontlines of Infosec

During the last couple of years, I have reported on several large-scale digital espionage and sabotage campaigns, from hacking groups that were later called out by the Department of Justice to companies targeting critical infrastructure in Germany and across Western Europe. In both cases, mistakes in how the attackers set up their infrastructure enabled our team to follow their tracks, in some cases right back to their employers. The resulting stories revealed the intersection where covert cyberoperations and overt organizational structures meet.

This talk will lay out the types of information we work with, how we follow and fact-check opaque leads, and turn them into portraits of the previously unknown actors pulling the strings in cyberspace.

Martin Wendiggensen | BLACK MAGIC – Influence Operations In The Open And At-Scale In Hungary

Influence operations are often thought of as clandestine meddling in other countries’ affairs. But what if it’s were insidious than that? What if, right in front of our eyes, a NATO ally and EU Member Staate had developed a system to consistently peddle Russian talking points at a large scale within its own borders and beyond? This is what our research uncovered in the case of Hungary.

Hungary’s media ecosystem is controlled by the state. Years of corrupt dealings brought hundreds of news outlets – print, radio, television, and internet – under the control of oligarchs loyal to the state. And the state is very friendly to Russia. In time, the vast majority of these outlets were gifted, free of charge, to a holding controlled by the prime minister’s close confidants.

To prove the existence of an at-scale and continuous influence operation, we collected all coverage of Ukraine from major news outlets and analyzed our dataset with Semi-Supervised Machine Learning. The picture that emerged was stark: an ensemble of striking narratives aligned with Russian interests in denigrating Ukraine and the West. Moreover, these narratives were present well before the start of the war in 2020.

Matching our findings with an archive of Russian media, we were able to how show the narratives aligned topically, tonally, and in bias. Crucially, we should show a clear temporal lag. In other words, vast sections of Hungarian actively pick up Russian narratives and amplify them. The effects of this reach beyond Hungary’s own borders, as hundreds of thousands of ethnic Hungarians live in the “near abroad” (neighboring countries) and in the diaspora, thereby giving the controllers of Hungarian media outsized political influence abroad. This dark alignment of narratives runs deeper than words, leading our investigation to the staged firebombing of a Hungarian cultural center in Ukraine, and an obscure Cold War-era “spy bank” that is actively circumventing sanctions on Russia.

Amitai Ben Shushan Ehrlich | DNS Tunnel Warfare

Tunnels have been utilized in armed conclicts since antiquity. Underground passages, dug beneath the surface, are still utilized to undermine fortifications and slip right into enemy territory. Today, however, underground tunnels are not the only tunnels used in armed conflicts, as new hidden pathways have proved to be quite effective.

DNS tunneling has emerged as a stealthy technique used to covertly transfer data over the DNS protocol, and has been adopted by a wide variety of threats actors, including those involved in ongoing armed conflicts.

In this talk, we will explore various aspects of DNS tunneling, understanding its advantages, drawbacks, and potential for detection. We will immerse ourselves in one particular actor, delving into the analysis of its DNS tunneling infrastructure, tools and targets. As we proceed, we will soon learn how DNS tunnels, much like their physical counterparts, are used to initiate surprise attacks and sabotage enemy infrastructure during times of war.

Boldizsar Bencsath | SIMBIoTA: Implementation of an IoT virus-scanner for limited resources environment

IoT devices flood our lives. There are multi-billion pieces of IoT devices around, and the number grows constantly. Malware problems are not something that can be avoided for these devices. However, anti-virus techniques, especially standalone ones (not cloud based) are currently basically unavailable for these, e.g., for routers, cameras, and Linux-based Raspberry PI devices. A user typically installs a device and does not intend to maintain it, and generally has no ways to find out if the device behaves in a bad way.

Together, CrySyS Lab and Ukatemi planned and developed a possible standalone solution against these threats that cannot be handled by traditional antivirus products due to resource limits. Our SIMBIoTA project aims at taking the advantage of extreme compression: it does not need to store sequences of millions of different binary files, but to accumulate detection based on similarity hashes, and only store minimal basis for the detection. I will show the main benefits of the approach of SIMBIoTA, and also will show how different ways of evasion efforts can be handled and same latest information of the actual implementation.

In addition to the details of the technical methods I’ll try to elaborate on the possible attacks on the method and also show new advancements to mitigate this problem.

Austin Larsen & John Palmisano | Across the Seven Seas: Unmasking a Global Espionage Campaign

In this talk, we unveil the intricacies of a sophisticated 8-month-long global espionage campaign that targeted government agencies and private sector companies across the world. By exploiting widely-used Email Security Gateways (ESG), the campaign left organizations vulnerable to espionage by UNC4841, a suspected Chinese actor operating in support of the People’s Republic of China.

For the first time, we will provide an inside look into the tactics, targeting, and tricks employed by UNC4841 during this espionage operation. Commencing in October 2022, the actor launched targeted attacks utilizing malicious emails cleverly disguised low quality spam emails to exploit a zero-day in ESG appliances. The actor employed These code families deceptively masqueraded as legitimate modules of the Email Security Gateway, enabling UNC4841 to gain initial access and establish a persistent presence on compromised appliances.

Throughout the 8-month duration, UNC4841 showcased remarkable sophistication, adaptability, responsiveness, and understanding of the appliance itself. Their activities leveraging the compromised appliances for extremely targeted data exfiltration, as well as lateral movement into victims networks. As the investigation progressed, the sophistication of UNC4841’s activities necessitated a collaborative effort between our team, the company impacted as well as US law enforcement.

This talk will offer insights into the modus operandi of UNC4841, the far-reaching consequences of the campaign, and the collaborative efforts involved in burning this espionage operation. We will discuss the broader implications of cyber espionage on national security, highlight key findings from the investigation, and provide actionable recommendations for bolstering defenses against similar threats in the future.

Emily Austin | Managed File Transfer or Miscreants’ Favorite Target? An internet-wide study of MFT exposures

Managed file transfer (MFT) tools are a popular, user-friendly evolution of FTP, facilitating data sharing between and within organizations. In 2021, Businesswire reported projected growth of the MFT market to $2.4 billion by 2027, further emphasizing how organizations have come to rely on these tools. While companies of all sizes may have a need for user-friendly file sharing, MFT tools tend to be geared toward enterprise organizations in highly regulated industries (e.g., finance, healthcare).

As the tech industry provides software and tooling to facilitate work, we often inadvertently provide new targets for threat actors, and MFT is no exception. In the first half of 2023 alone, we’ve seen a series of high-profile attacks against file transfer software including GoAnywhere, Faspex, and MOVEit.

In this talk, we’ll begin by exploring a timeline of attacks against file transfer software. We’ll discuss the Clop ransomware and extortion group, along with their attacks against tools like GoAnywhere and MOVEit. Specifically, we’ll examine exposure of these tools prior to and during the attack time frame, along with a look at affected industries and networks.

We’ll then examine the state of additional file transfer tool exposures across the internet to better understand potential impact of attacks against such tools. The recent string of attacks against this category of software, combined with how widespread they are across the internet, suggests that we may see more attacks of this kind in the near future. In closing, we’ll discuss implications of the rise of MFT software for companies and consumers.

Paul Rascagneres | Ongoing EvilEye Campaigns Targeting CCP Adversaries

Volexity has recently uncovered ongoing campaigns by EvilEye, a Chinese state-backed threat actor, targeting three of the five groups the Chinese Communist Party (CCP) refers to as the “Five Poisons”. The targeted groups are members of the Tibetan community, the Uyghur ethnic group, and Taiwanese nationals. Volexity’s research has identified both currently active and historic activity for these campaigns. Volexity also identified related campaigns from this threat actor specifically targeting the Uyghur ethnic group back in 2019 and 2020.

The ongoing campaigns consist of two elements, malicious mobile applications and fake websites, which are created by the attacker to facilitate exploitation of end users by way of zero or n-day exploits. The three Android malware families being deployed include new versions of BADBAZAAR, as well as two previously undocumented families. In addition to these Android malware families, there is compelling evidence that EvilEye has developed an iOS implant and tried to distribute it via the Apple App Store.

This presentation outlines the current, ongoing campaigns; delves into the technical details of the Android malware families involved; discusses the threat actor’s command-and-control (C2) infrastructure and configuration; and reveals how the threat actor builds communities to distribute their malware through trusted platforms. The presentation also explores overlaps between the campaigns and explains links to historic activity.

Nicole Fishbein & Ryan Robinson | Cryptovirology: Second Guessing The Cryptographic Underpinnings of Modern Ransomware

Ransomware has permeated our everyday lives to the point of becoming a household term, featured prominently in news headlines, and even entwined with international politics. However, it is crucial not to overlook the technical intricacies that make ransomware both intriguing and highly effective—the cryptographic foundations that enable attackers to seize files and hold them hostage until a ransom is paid. Surprisingly, implementing cryptography effectively remains a challenging task. In this talk, we will delve into the nitty-gritty details of the cryptographic implementations utilized in modern ransomware and shed light on their inherent flaws.

Through engaging visualizations and occasional explanations in ELI5 terms, we will keep you awake through the math for long enough to discuss the strengths, weaknesses, and, most importantly, the inevitable failures of these implementations. Our focus will center around utilizing the Hybrid Cryptosystem in the context of XData ransomware and the flaws found in the QNAPCrypt key generation algorithm. Furthermore, we will delve into recent ransomware strains, exposing cryptographic flaws that render their effectiveness. Ultimately, we will question whether we can trust these ransomware creators to implement robust cryptography when even we often hesitate to do so ourselves.

Dual Core | Stay Free: Tampering AWS CloudTrail

You have gained access to an AWS account and don’t want to go to prison. The all-seeing eyes of the Blue Team and SOC analysts attempt to monitor your every move via AWS CloudTrail. How can we tamper the defenders’ capabilities to complete our objectives and remain free?

This talk will present a set of techniques for tampering the premier telemetry facility in AWS, accompanied by anecdotes of adventures in cloud security. Attendees will learn new tricks for evasion in AWS environments, along with a methodology for evaluating potential evasion techniques. We will focus on perspectives of offense, defense, and engineering.

Donald McCarthy | Cheap Parking and Express Lanes Through Your Proxy Filters

Infrastructure as a service/code has taken root. With a few API calls and some minor orchestration, almost anyone is able to have a horde of servers at their disposal in seconds. This however doesn’t generally help bypass proxy filters and those looking for new infrastructure.

This presentation will focus on techniques and services that APTs and other cyber criminals are using to turn what used to be a months/years long process into something achievable on short timelines, how and where this has been used in the past, quantification of the problem (although incomplete), and who we need to get engaged in order to solve it.

Sergei Frankoff & Sean Wilson | Exploring the Impact of Dual-Use Obfuscation Libraries on Threat Intelligence

Code similarity analysis is a fundamental and widely used technique for identifying and attributing malware at the binary level. However, the rising prevalence of open source code obfuscation libraries and their adoption by malware developers impose challenges that must be addressed to maintain the reliability and accuracy of this technique and its associated tools.

In 2022, the leaked Conti ransomware developer chat logs and subsequent leak of the Conti source code, confirmed the use of both an open source string protection library (ADVObfuscator) and an open source code obfuscation library (Obfuscator-LLVM). While these obfuscation libraries had been employed in malware previously, the exposed Conti development process emerged as a defining moment in the malware development ecosystem. Subsequently, the use of open source obfuscation libraries has grown with ADVObfuscator and Obfuscator-LLVM becoming common in ransomware code, and the adoption of lesser known obfuscation projects such as xorstr introducing significant challenges when using code similarity analysis tools.

Our research examines the impact of these obfuscation libraries on popular analysis tools (e.g., Lumina, Bindiff, and Binlex) and the resulting challenges faced by the threat intelligence processes that employ them. To address these challenges, we propose the use of ground truth binaries, which can fine-tune existing tools and processes. Using real world case-studies we will work through the challenges posed by these obfuscation libraries and describe how our solution may mitigates the encountered issues.

Greg Lesnewich | Surveying Similarities in macOS Components used in North Korean CryptoHeists

While many state-aligned threats have dipped their toes into macOS Malware, North Korea has invested serious time and effort into compromising that operating system. Their operations in macOS environments include both espionage and financial gain. macOS malware analysis is an exciting space, but most blogs on the subject deal with functionality and capability, rather than how to find more similar samples. Analysts are forced to rely on string searching, based on disassembler output or a strings dump; comparatively, executables for Windows have “easy” pivots such as import hashing or rich headers, to find additional samples without much effort.

This talk will introduce some of those easy pivots for Mach-O files, using North Korean samples as an initial case study; along the way, attendees will get a tour of the North Korean clusters using Mach-O samples, how those clusters intersect, how their families relate to one another, and be shown how some simple pivots can link a group’s families together.

MJ Emanuel | Where have all the APTs gone – a discussion of tradecraft accelerationism or counter-counter-counter

Activity in cyberspace has gone through a massive transformation over the last few decades, with cyber threat intelligence emerging, and then evolving alongside with it. Despite maturing as an industry, it is harder than ever before to consistently detect, track, and cluster known intrusion sets and identify new activity.

This presentation will describe the relationships between actor activity and discuss challenges in maintaining visibility as adversaries have changed their behavior over time. It will also examine the cascading effects of disclosure on adversary activity as a public good, including burning defenders ability to discover new activity as adversary’s reaction times continue to shorten, and strategic consequences on the closing window of our ability to detect the highest tier actors. Deterrence is one of the core tenets of cyber warfare strategy, and publicly outing campaigns to “impost cost” remains high on the list of options for response. However, this presentation will challenge the idea that public dissemination of information will operationally impact the perpetrators, and in fact, may end up harming our overall ability to detect and defend against them.

Filip Jurčacko | Deadglyph: Covertly preying over Middle Eastern skies

The Middle East has been known for years to be a fertile land for APTs. During our routine monitoring of suspicious activities in government entities of the region, we stumbled upon a very sophisticated and unknown backdoor that we have named Deadglyph.

Deadglyph’s main components are protected with encryption using a machine-specific key, which usually prevents further analysis. Its architecture is unusual as it consists of a native x64 and .NET component that cooperate. The traditional backdoor commands are not implemented in the Deadglyph binary; instead, they are dynamically received from its C&C server in the form of additional modules that exist in memory only briefly, to perform the commands. Without the modules, the full capabilities of the backdoor are unknown. Deadglyph also features a number of capabilities to avoid being detected, including the ability to uninstall itself, preventing discovery. After initial investigation, we could not attribute the Deadglyph backdoor to an existing threat actor, but later we found another piece of the puzzle – a multistage shellcode downloader that pointed us in the right direction. Finally, we will describe how we pivoted on various indicators to arrive at attributing Deadglyph backdoor to an existing threat actor, active in the Middle East for years.

Gabriel Bernadett-Shapiro | Demystifying LLMs: Power Plays in Security Automation

As the popularity of Large Language Models (LLMs) continues to grow, there’s a clear divide in perception: some believe LLMs are the solution to everything – a ruthlessly efficient automaton that will take your job and steal your dance partner. Others remain deeply skeptical of their potential – and have strictly forbidden their use in corporate environments.

This presentation seeks to bridge that divide, offering a framework to better understand and incorporate LLMs into the realm of security work. We will delve into the most pertinent capabilities of LLMs for defensive use cases, shedding light on their strengths (and weaknesses) in summarization, data labeling, and decision task automation. Our discourse will also address specific tactics with concrete examples such as ‘direction following’—guiding LLMs to adopt the desired perspective—and the ‘few-shot approach,’ emphasizing the importance of precise prompting to maximize model efficiency. The presentation will also outline the steps to automate tasks and improve analytical processes and provide attendees with access to basic scripts which they can customize and test according to their specific requirements.

And There’s More!

In addition to all the goodness highlighted above and the LABSCon 2023 talks we highlighted last week, this power event will feature presentations by award-winning journalist Kim Zetter, receiver of the Gold Presidential Volunteer Service Award (PVSA) and Senior Director of SentinelLabs, Juan Andres Guerrero-Saade, Automox’s Jason Kitka, Robert Ghilduta from Nuand LLC, and SentinelLabs’ researchers Tom Hegel and Aleksandar Milenkowski.

Request an Invite

We are hugely excited about LABScon 2023, a premier event where the brightest minds in cybersecurity come together to share their insights. It’s still not too late to request an invite. A limited number of tickets remain available, so hurry and click that button if you’d like to come and join us.