Japan Security Analyst Conference 2020 -Part 1-
JPCERT/CC organised Japan Security Analyst Conference 2020 (JSAC2020) on 17 January, 2020 in Ochanomizu, Tokyo. This conference targets front-line security analysts who deal with cyber incidents on a daily basis, with an aim to create a venue for sharing technical information which helps them better handle ever-evolving cyber attacks. This is the third event running annually since 2018, and 301 participants attended this year. In this event, we invited 8 speakers that are chosen through the Call for Papers process. Some of the materials presented are available on our website. We will introduce the summary of the talks presented at the conference in this blog entry and the one that follows.
Opening Talk - Looking back on the incidents in 2019
By Takayoshi Shiigi (Incident Response Group, JPCERT/CC)
Mr. Shiigi started the program by providing the overview of cyber security incidents in 2019 from JPCERT/CC’s perspectives with the close focus on targeted attacks and wide-spread attacks.
For targeted attacks, there were many cases where cloud services such as Microsoft Azure and Google Cloud were leveraged as a part of the attack infrastructure. Various types of malware were also used, including PoshC2 and QuasarRAT, which are available as open source, and new variants such as TSCookie, which were deployed by BlackTech.
For wide-spread attacks, on the other hand, multiple attack cases exploiting the vulnerability in Pulse Secure VPN were reported. In addition, starting in October 2019, there have been numerous reports regarding Emotet infection.
In terms of new analysis tools, a reverse engineering tool “Ghidra” was released from NSA in 2019. JPCERT/CC also released MalConfScan and MalConfScan with Cuckoo, which extract malware configuration data to help incident investigation.
GitHub JPCERTCC / MalConfScan
GitHub JPCERTCC / MalConfScan-with-Cuckoo
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
By Kiyotaka Tamada, Keita Yamazaki (SecureWorks)
The presentation described the TTPs of targeted ransomware attacks, comparison to conventional targeted attacks, recommended countermeasures and future prediction of the threat.
Their analysis revealed that a series of attacks was conducted in a short period of time. In some incident cases, for example, the Domain Controller was compromised within 24 hours since the initial intrusion, and hosts were infected with ransomware. The severity of the incident explains the importance of both establishing the incident response plan from the viewpoint of business continuity and safety in a limited amount of time and also preparing incident response procedures well in advance in preparation for incidents that could happen anytime.
While the analysts admit that TTPs used in targeted ransomware attacks are partially the same as in the conventional type of targeted attack, they identified the following differences in particular:
- Attackers attempt to intrude into a wide range of organisations, and eventually targets those who operate under weak security measures
- The attacks are conducted in a less-stealthy manner
They pointed out that ransomware is just one of the tools for attackers to threaten victims and gain profit. For this reason, they suggest that “targeted ransomware attack” should not be a proper term for this type of attack, but another term that precisely describe the characteristics should be called for instead.
Their prediction on the future trends of this threat is as follows:
- Increase in malware infection via email (e.g. Emotet)
- Use of RAT for lateral movement
- Threaten victims in ways other than file encrypting
They assume that this type of incidents may be increasingly observed even in organisations who implement proper boundary protection and also that containment of the incidents would be even more difficult.
Audience asked questions on what user organisations should do to prevent the recurrent of the incident in case an EDR (Endpoint Detection and Response) cannot be implemented, and what they can do to respond to an ongoing incident.
Evil Hidden in Shellcode: The Evolution of Malware DBGPRINT
By TeamT5 CiYi "YCY" Yu, Aragorn Tseng
TeamT5 provided a detailed explanation on the evolution of the malware “DBGPRINT,” which is used by an attack group “HUAPI” (also known as BlackTech).
According to their analysis, DBGPRINT has been observed since 2009, and it has still been used until now with a series of extensions. While the payload itself was stored in the executable file in the initial version, the current version loads it by double DLL side loading. Additionally, the RC4 key used in the payload has also been changed.
The malware also has various features to prevent itself from being detected by security products – this includes deleting or self-modifying distinctive pattern strings. It also uses API hook to particular security products so that the malware cannot be detected.
Threat Information on the APT Group Conducting "Operation Bitter Biscuit"
By Hajime Takai, NTT Security Japan
The presentation revealed newly observed threats of “Operation Bitter Biscuit”.
While sources say that the operation’s target includes Japan, Mr. Takai indicated that there is only limited amount of information available regarding attacks against Japanese organisations and its post-exploitation activity.
To identify the adversary’s behaviour, he ran the malware that seems to be used by the adversary in a decoy environment simulating the actual victim’s environment.
The analysis revealed that the malware, running in the decoy environment, downloaded an additional backdoor program as well as other tools to harvest credentials and check for unpatched vulnerabilities. Although many of these tools are similar to open source tools, there was evidence that some modification has been made to them by the attacker. Other findings are that the attacker exploited an unknown backdoor program and the vulnerability (CVE-2018-20250) as a part of the activity.
He also analysed several Bisonal malware samples and identified that there were several variants with different features in command execution and encryption algorithm. He introduced that a recently-found variant uses a custom RC4 algorithm and predicted that attacks using this version is likely to continue for a while.
Audience raised many questions regarding the decoy environment, including its effectiveness in detecting attacker’s behaviour and tips for avoiding detection by the attackers.
100 more behind cockroaches? or how to hunt IoCs with OSINT
By Manabu Niseki, Hiroaki Ogawa (McAfee)
The two presenters lectured on how to actively detect attack infrastructure by using OSINT (Open Source INTelligence) techniques. In order to better trace the clue of attacks, the analysts aim to take advantage of the attackers’ “bad” habits as in reusing infrastructure, components and SSL server certificates. In particular, the following methods/tools were introduced with detailed explanation on how they are helpful in identifying attack infrastructure and malware:
- Domain Fuzzing
- HTTP fingerprint
- SSH host key fingerprint
- Certificate Transparency
- IoC feeds aggregation
They proved that the OSINT techniques can be useful in various ways as in identifying malware C&C server and phishing sites. With their day-to-day OSINT analysis, they have detected a number of suspicious activities and reported them to related agencies, which helps mitigating the impact of potential cyber security incidents.
In addition, the importance of automating part of the procedures was suggested to avoid oversight and reduce the workload. Some useful tools that they have developed on their own were also introduced.
The article covered the first 5 presentations delivered in JSAC 2020. We will come back with the rest of the presentation details.
- Kota Kino
(Translated by Yukako Uchida)