New and Emerging Threats/Vulnerabilities
Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Bio: Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin.
Twitter: @WanderingGlitch
Cars have become increasingly more complex and interconnected Abstract: through the years, and Tesla's Model 3 is no exception. As part of the partnership for Pwn2Own 2019 in Vancouver, Tesla provided a head unit - the brains of the infotainment system - from a Tesla Model 3 to the Zero Day Initiative team. I then went about seeing what sort of mischief I could make. The presentation begins by explaining the various attack surfaces exposed by the Model 3. Next, I will dive into the architecture of the Infotainment system. I'll also talk about the many missteps, including the difference between 110 and 220 volts, as well as the areas where Tesla did things that significantly increased the amount of effort involved in the exploitation of the Infotainment system. Finally, we wrap up with the details and demonstration of the exploits against the Infotainment system.
Hossein Lotfi is a senior vulnerability researcher at Trend Micro’s Zero Day : Bio Initiative (ZDI). In this role, Hossein analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the ZDI program, which is the world's largest vendor-agnostic bug bounty program. His focus includes performing rootcause analysis, finding vulnerability in top products via fuzzing, source code auditing, and reverse engineering and exploit development. Prior to joining ZDI, Hossein worked as a senior information security specialist at Secunia Research where he was responsible for vulnerability analyzing and assessment. Hossein’s recent research on Microsoft Windows GDI and font processing resulted more than a dozen CVE assignments and vulnerability disclosures. He is in the list of Microsoft Security Response Center most valuable security researchers for 2018 and 2019.
Twitter: @hosselot
In this presentation I will be talking about day-to-day case Abstract: handling routine in the ZDI, how an incoming case looks like, and the tools we typically use to analyze cases. In the end I will be analyzing a real world case step by step. In the end I will provide some insights about steps to take if you find a vulnerability as a vulnerability researcher and steps to take if you need to handle a vulnerability report as a developer or vulnerability analyst.
Alfredo Oliveira, Senior Security Researcher at Trend Micro, with 10+ years Bio working in cybersecurity, focusing on open source software, experience in reverse engineering, malware analysis, honeypot deployment and data analysis, containers being a recent addition on the researching topics.
What I learned investigating DevOps honeypots for 6 monthsIn this talk I guide the audience through the findings and Abstract: investigations of the cyber-attacks that our Docker honeypots receives During this 6 months we were able to find dozens of clever attacks, majority of them involving some kind of Linux malware, huge number of Linux coinminers and rogue containers. This talk also approaches the reasons that made those attacks possible, like vulnerabilities and security gaps.
Malware Analyst and Reverse engineer from Trend Micro Toronto. As part of the Trend Research Lab I'm hunting and reverse-engineer malware samples to identify malware communication mechanisms and analyze malware to develop signature and produce documentation describing malware behaviour and detection strategies.
Threat detection with open source Intelligence/Malware Market Title: Analysis and accelerate the incident response
Staying abreast on the latest in malware developments is an Abstract: important aspect of how cybersecurity is in turn developed. Changes in malware behavior and its structure are crucial considerations in creating effective defenses against them. While moving outward and analyzing its trade and activity in the wild can help in planning strategies for prevention, mitigation and response.
We are living in a world where, all the knowledge/information are available to everyone within a click. It is the age of sharing knowledge. Some people use this information to build a better world that can help others. Nevertheless, some abuse this information to, for example, make a personal profit out of it. Malware authors from script kiddie are expert at adapting new techniques such as Hacking forums, GitHub, twitter, telegram channels, pastebin etc., are places where these techniques and codes are stored and freely available to the public. Simple malware to sophisticated ones, are using these resources to build their own malware with less cost (time and price wise). The above-mentioned resources are keep updating and growth every day. Some malware uses various obfuscation techniques meant to throw analysts off the trace and buy more time to remain in a victim system. The art of Incident repose is all about: Preparation, Identification, Response, Restore and Lesson Learned. As a threat researcher we can collects all these information, codes and techniques, organized them into the single place and categorizing them. By having a system which design for this purpose we can identify the threat very quickly and find a correlation and adapted techniques with a malware in very short amount of time at the code level.
Augusto Remillano II graduated from the University of the Philippines Diliman with a Bachelor’s Degree in Computer Engineering. After graduating, he worked as a researcher for a DOST-funded project and was able to contribute to three published papers about multipath and mesh networks. He now works at Trend Micro as a malware researcher focusing on IoT botnets. Aside from research work, he has also presented at internal and external conferences regarding the current trends in the cyber threat landscape.
The Mining Ninja
For years, malware threats have been constantly evolving due to financial gains and valuable information that can be obtained. One of the most active threat actor groups who specialize in cryptomining is the Rocke group. Operating mainly in China, the group targeted Linux servers running vulnerable services to hijack their resources for cryptocurrency mining. It is well known for using the technique of installing a rootkit in order to hide malicious activities from system monitoring tools.
We first encountered the group in October 2018. Redis servers were infected by a cryptomining malware bundled with a userland rootkit component that hides the malicious process from common monitoring tools. The rootkit uses Linux’s .preload in order to hook specific libc ld.so functions. Pastebin was also used by the group for its C&C operations, using the site to host and roll out updates for its malware.
Around April 2019, we encountered another Rocke campaign with similar tactics and techniques as last year’s. The second campaign expanded its arrival methods by using multiple exploits to propagate itself. Its rootkit component was also heavily revamped: Not only was it able to hide the miner process, but it was also already capable of forging CPU usage statistics and network traffic information.
In this study, we will provide a comprehensive end-to-end technical analysis of the two Rocke campaigns. The various effective techniques used by the group to evade detection by threat analysts and system administrators will be thoroughly explored. More importantly, we will present the methods to circumvent those techniques.
Hazel Ann Poligratis is a threat analyst and researcher at Trend Micro's Core Tech PH Global Escalation Team. She graduated with special awards from Mapua Institute of Technology (now Mapua University) where she holds a bachelor degree in Computer Engineering. She does analysis and provide solution for malware arrivals, exploit kits, vulnerabilities and other related malicious activities in the system. She is capable of analyzing product and event logs, creating malware reports and performing in-depth analysis of malware families. Prior to this, she also did Quality Analysis involving test designs, automation, and evaluation of quality processes. In her free time, Hazel loves to travel, watch anime and play computer games.
The Mining Ninja
For years, malware threats have been constantly evolving due to financial gains and valuable information that can be obtained. One of the most active threat actor groups who specialize in cryptomining is the Rocke group. Operating mainly in China, the group targeted Linux servers running vulnerable services to hijack their resources for cryptocurrency mining. It is well known for using the technique of installing a rootkit in order to hide malicious activities from system monitoring tools.
We first encountered the group in October 2018. Redis servers were infected by a cryptomining malware bundled with a userland rootkit component that hides the malicious process from common monitoring tools. The rootkit uses Linux’s .preload in order to hook specific libc ld.so functions. Pastebin was also used by the group for its C&C operations, using the site to host and roll out updates for its malware.
Around April 2019, we encountered another Rocke campaign with similar tactics and techniques as last year’s. The second campaign expanded its arrival methods by using multiple exploits to propagate itself. Its rootkit component was also heavily revamped: Not only was it able to hide the miner process, but it was also already capable of forging CPU usage statistics and network traffic information.
In this study, we will provide a comprehensive end-to-end technical analysis of the two Rocke campaigns. The various effective techniques used by the group to evade detection by threat analysts and system administrators will be thoroughly explored. More importantly, we will present the methods to circumvent those techniques.