Speakers

Cars have become increasingly more complex and interconnected Abstract: through the years, and Tesla's Model 3 is no exception. As part of the partnership for Pwn2Own 2019 in Vancouver, Tesla provided a head unit - the brains of the infotainment system - from a Tesla Model 3 to the Zero Day Initiative team. I then went about seeing what sort of mischief I could make. The presentation begins by explaining the various attack surfaces exposed by the Model 3. Next, I will dive into the architecture of the Infotainment system. I'll also talk about the many missteps, including the difference between 110 and 220 volts, as well as the areas where Tesla did things that significantly increased the amount of effort involved in the exploitation of the Infotainment system. Finally, we wrap up with the details and demonstration of the exploits against the Infotainment system.

In this presentation I will be talking about day-to-day case Abstract: handling routine in the ZDI, how an incoming case looks like, and the tools we typically use to analyze cases. In the end I will be analyzing a real world case step by step. In the end I will provide some insights about steps to take if you find a vulnerability as a vulnerability researcher and steps to take if you need to handle a vulnerability report as a developer or vulnerability analyst.

In this talk I guide the audience through the findings and Abstract: investigations of the cyber-attacks that our Docker honeypots receives During this 6 months we were able to find dozens of clever attacks, majority of them involving some kind of Linux malware, huge number of Linux coinminers and rogue containers. This talk also approaches the reasons that made those attacks possible, like vulnerabilities and security gaps.

Staying abreast on the latest in malware developments is an Abstract: important aspect of how cybersecurity is in turn developed. Changes in malware behavior and its structure are crucial considerations in creating effective defenses against them. While moving outward and analyzing its trade and activity in the wild can help in planning strategies for prevention, mitigation and response.

We are living in a world where, all the knowledge/information are available to everyone within a click. It is the age of sharing knowledge. Some people use this information to build a better world that can help others. Nevertheless, some abuse this information to, for example, make a personal profit out of it. Malware authors from script kiddie are expert at adapting new techniques such as Hacking forums, GitHub, twitter, telegram channels, pastebin etc., are places where these techniques and codes are stored and freely available to the public. Simple malware to sophisticated ones, are using these resources to build their own malware with less cost (time and price wise). The above-mentioned resources are keep updating and growth every day. Some malware uses various obfuscation techniques meant to throw analysts off the trace and buy more time to remain in a victim system. The art of Incident repose is all about: Preparation, Identification, Response, Restore and Lesson Learned. As a threat researcher we can collects all these information, codes and techniques, organized them into the single place and categorizing them. By having a system which design for this purpose we can identify the threat very quickly and find a correlation and adapted techniques with a malware in very short amount of time at the code level.

For years, malware threats have been constantly evolving due to financial gains and valuable information that can be obtained. One of the most active threat actor groups who specialize in cryptomining is the Rocke group. Operating mainly in China, the group targeted Linux servers running vulnerable services to hijack their resources for cryptocurrency mining. It is well known for using the technique of installing a rootkit in order to hide malicious activities from system monitoring tools.

We first encountered the group in October 2018. Redis servers were infected by a cryptomining malware bundled with a userland rootkit component that hides the malicious process from common monitoring tools. The rootkit uses Linux’s .preload in order to hook specific libc ld.so functions. Pastebin was also used by the group for its C&C operations, using the site to host and roll out updates for its malware.

Around April 2019, we encountered another Rocke campaign with similar tactics and techniques as last year’s. The second campaign expanded its arrival methods by using multiple exploits to propagate itself. Its rootkit component was also heavily revamped: Not only was it able to hide the miner process, but it was also already capable of forging CPU usage statistics and network traffic information.

In this study, we will provide a comprehensive end-to-end technical analysis of the two Rocke campaigns. The various effective techniques used by the group to evade detection by threat analysts and system administrators will be thoroughly explored. More importantly, we will present the methods to circumvent those techniques.

For years, malware threats have been constantly evolving due to financial gains and valuable information that can be obtained. One of the most active threat actor groups who specialize in cryptomining is the Rocke group. Operating mainly in China, the group targeted Linux servers running vulnerable services to hijack their resources for cryptocurrency mining. It is well known for using the technique of installing a rootkit in order to hide malicious activities from system monitoring tools.

We first encountered the group in October 2018. Redis servers were infected by a cryptomining malware bundled with a userland rootkit component that hides the malicious process from common monitoring tools. The rootkit uses Linux’s .preload in order to hook specific libc ld.so functions. Pastebin was also used by the group for its C&C operations, using the site to host and roll out updates for its malware.

Around April 2019, we encountered another Rocke campaign with similar tactics and techniques as last year’s. The second campaign expanded its arrival methods by using multiple exploits to propagate itself. Its rootkit component was also heavily revamped: Not only was it able to hide the miner process, but it was also already capable of forging CPU usage statistics and network traffic information.

In this study, we will provide a comprehensive end-to-end technical analysis of the two Rocke campaigns. The various effective techniques used by the group to evade detection by threat analysts and system administrators will be thoroughly explored. More importantly, we will present the methods to circumvent those techniques.