Reporting from Security Analyst Summit 2019
By Quentin Fois and Stefano Ortolani
We are just back from Singapore, where we attended the Security Analyst Summit organized by Kaspersky Lab. Believe us, it was a blast! Inspiring talks and a perfect location made this event an effective forum for fostering collaboration among security professionals.
Besides the pleasure (and the challenge given the number of parallel tracks) of disentangling a really packed agenda (see Figure 1), we also presented (see Figures 2 and 3) our latest research on Agent Drable, a DNSpionage implant we recently covered in one of our blog posts.
While a lot can be said about the overarching campaign, we decided to focus our presentation on the specific implant used during the last quarter of 2018. Our goal was to put a spotlight on a string of unexpected blunders that did not really fit the profile of a sophisticated actor whose aim was to obtain TLS certificates by subverting DNS resolution. While the success of the DNSpionage campaign is undeniable, major questions remain: did the threat actor lower the technical level on purpose? Are there possibly multiple groups operating behind the same campaign?
While a tight schedule did not allow much time for questions, we did receive positive feedback from multiple researchers in the room, and we look forward to furthering cooperation in facing these emerging advanced threats.
Kaspersky Lab disclosed a new APT platform used to compromise a Central Asian diplomatic organization. Named TajMahal, the framework has over 80 modules and can be split into two main components: Tokyo and Yokohama. The former acts as the main backdoor and delivers the latter, a second-stage implant that manages most of the modules.
These modules carry out a wide range of offensive tasks, such as intercepting VoIP calls, extracting files from the printer queue, and stealing browser artifacts. While the platform was discovered during fall 2018, the first compromised victim can be traced back to 2014, and compilation timestamps have been found going up to April 2018. Although only one victim has been found so far, it is very unlikely that such a huge investment will not be re-used in future compromises.
Besides threat-centric talks, folks from VirusTotal led a workshop detailing how to use VT to power up investigations. Even if most features are surely well known to fellow researchers, we wholeheartedly suggest everybody go through all the recently published slides (which include speaker notes!) uploaded here; we bet you will find at least one trick you did not know about.
Given the theme of this year’s conference (Ghost in the Shell), an obvious focus was given to the trending concern of supply chain security (especially during the first day of the conference). Other talks covered a variety of topics, ranging from the worrying rise of stalkerware to the technical analysis of Microsoft Office vulnerabilities. There were simply too many to track them all, and the temptation was to jump from room to room just to get the gist of what was being presented.
In all candor, our minds are still processing the whole event. It was a pleasure to meet so many people and explore new ways to further our collaboration with other researchers. What we can definitely say is that we are already looking forward to SAS 2020!
Published April 18, 2019