Japan Security Analyst Conference 2019 -Part 1-

JPCERT/CC organised Japan Security Analyst Conference 2019 (JSAC2019) on 18 January 2019 in Ochanomizu, Tokyo. This conference targets front-line security analysts who deal with cyber incidents on a daily basis, with an aim to create a venue for sharing technical information which helps them better handle ever-evolving cyber attacks. This is the second run of the event following the first one in 2018, and 291 participants attended. In this event, we invited 8 speakers that are chosen through the Call for Papers process, of which we invited two groups from abroad. Some of the materials presented are available on our website. (Note that they are mostly Japanese only.) We will introduce how the conference went in this blog entry and one that follows.

"Opening talk – Looking back on the incidents in 2018 –"

by Takayoshi Shiigi (JPCERT/CC)

Presentation material (Japanese)

The opening talk presented JPCERT/CC’s perspectives on the incidents that occurred in 2018 with the focus on targeted attacks and distributed campaigns.

For targeted attacks, JPCERT/CC confirmed incidents against Office365 and cases where Github was exploited as part of the attack infrastructure. In terms of malware, RedLeaves and TSCookie have been continuously used, while new malware Wellmess, compatible with multi platforms, was observed for the first time during 2018.

On the other hand, a wide range of websites were affected by suspicious CoinMiner embedded, and banking trojan (Shiotob, Ursnif) was distributed via email, which left many users infected. A campaign distributing fake Android malware sagawa.apk is still ongoing.

Mr. Shiigi concluded his presentation by stressing the needs for analysts to absorb knowledge on various types of attack methods and malware in order to deal with them in a flexible manner.

"What do you do on the weekend? Are you busy? Will you analyze DbD?"

by Rintaro Koike (NEC Corporation) and Shota Nakajima (Cyber Defense Institute, Inc.) *also known as "nao_sec"

Presentation material (Japanese)

They both spoke and the last year’s JSAC and came back this year to present the trends and observation in Drive-by Download attack in comparison to the previous year.

They demonstrated that many of the campaigns observed in 2018 were "Seamless", "HookAds", and there was also a new one called "BlackTDS". "RIG Exploit Kit" which was most commonly seen in the 2017 trends has now been replaced by "GrandSoft Exploit Kit" and "Underminer Exploit Kit". The new feature of the Exploit Kits is that they leverage Flash and VBScript vulnerabilities such as CVE-2018-4878 and CVE-2018-8174. The Shellcode’s function observed in the previous attacks were limited to download and execute malware, however, the ones after June 2018 have a different behaviour; It downloads encrypted malware and decodes before executing.

They also explained about GandCrab, the ransomware delivered by the Exploit Kit, especially on the different ransom messages depending on the malware versions.

Left: Rintaro Koike (NEC Corporation) Right: Shota Nakajima (Cyber Defense Institute, Inc.)

"A lesson that should be learned from the cyber-attack in Korea" (Details undisclosed)

by CHA Minseok ‘Jacky’, LEE Myeong-Su (AhnLab)

The analysts from AhnLab introduced kinds of attacks observed during the recent international sport events in Korea. Examples include attacks where PowerShell script was used as a downloader, or where Active Directory admin user account was compromised to conduct lateral movement activities. They emphasised that providing training, sharing indicators and creating systems that can roll back in case of cyber attacks are important.

AhnLab CHA Minseok (Jacky)
AhnLab LEE Myeong-Su

"Deep Dive Into The Cyber Enemy : Various Case Study" (Details undisclosed)

by Park Moonbeom (Trusted Third Party Agency)

He introduced about cyber attack activities conducted by a nation state, in particular the attack motivation and methods by different adversary groups. The attack vectors included the use of distinctive web shells and zero-day vulnerabilities, as well as compromised PMS (Patch Management System).

"Security Log Analysis Moving Towards the Endpoint – Battles behind Windows –"

by Shogo Hayashi (NTT Security (Japan) KK)

Presentation material (Japanese)

This presentation introduced attacks identified through EDR (Endpoint Detection and Response) log analysis and how to detect these cases based on custom signatures.

Examples that his team has analysed revealed that malware used in targeted attacks (such as Taidoor and ANEL) leverages Windows standard commands and legitimate files (e.g. certutil, InstallUtil). Mr. Hayashi came up with the idea that events indicating that malware executed Windows standard commands can be used for detecting anomalies via EDR. He created a custom signature to detect the event where ANEL executes certutil, and this is currently used in their EDR log monitoring.

He demonstrated that it is important to monitor and analyse endpoint logs and that attackers often use Windows standard commands during the attack phase. Given that attackers may change their attack method from time to time, analysts are required to understand the details of Windows standard commands and foresee which one could be leveraged for future attacks. He suggested that creating custom signatures can be one of the measures to detect such attacks.

In closing

We have introduced the first 4 presentations that were delivered at JSAC2019. We will come back with the rest of the presentation details.

(Translated by Yukako Uchida)