This document discusses the results of long-term scanning and analysis of Winnti 4.0 and ShadowPad malware command and control (C2) protocols. It finds that Winnti 4.0 C2s primarily use TLS, HTTPS, and HTTP, while ShadowPad variants primarily use TCP, HTTPS, and HTTP. Analysis of the protocols reveals encryption methods, packet structures, and server-side functionality. Over time, the number and distribution of active C2s changed, likely in response to research publications and incident response actions. The document advocates for anonymization techniques and merits and risks of future research publications.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...CODE BLUE
Since 2010 Stuxnet caused substantial damage to the nuclear program of Iran, ICS security issues have been raised. Lots of researchers dig into the hacking skills and path and those known attacks in the history and more malwares and events happened. Enterprises need an efficient way to find vulnerabilities but they might not have the budget for ICS pentesters , which need strong background knowledge , and all the fields they have. To solve this problem, we try to make a rare OT targeting , open source adversary emulation tool as a plugin on MITRE open source tool - Caldera. Users can easily combine IT attacks with our OT adversaries and change steps of attacks or send manual commands in the process.
We summarize the experience of reviewing over 20 factories traffic and analyzing 19 MITRE defined ICS malwares, PIPEDREAM/Incontroller in 2022. We found the main trend of ICS malwares changes from single protocol targeting to modularized , multiple protocols supporting. The actions in malwares can be summarized as a 4 stages attacking flow, We will explain it with the real attacks from malwares. We use the above conclusions to build automatic adversary emulation tool.
Now the tool already supports 10 common protocols and over 23 techniques on the MITRE ICS matrix , which is able to reproduce over 80% of defined ICS malware actions in OT. We also follow the 4 stages conclusion to add some attacks havent been used by any malwares. We have tested it on real oil ,gas ,water, electric power factory devices , protocol simulations for SCADA developers and honeypot. We will have a demo in this presentation.
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
Printer has become one of the essential devices in the corporate intranet for the past few years, and its functionalities have also increased significantly. Not only print or fax, cloud printing services like AirPrint are also being supported as well to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print some internal business documents of the company, which makes it even more important to keep the printer safe.
Nowadays, most of the printers on the market do not have to be connected with USB or traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use RTOS(Real-Time Operating System) instead, how will this affect the attacker?
In this talk, we will use Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case study, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...CODE BLUE
Since 2010 Stuxnet caused substantial damage to the nuclear program of Iran, ICS security issues have been raised. Lots of researchers dig into the hacking skills and path and those known attacks in the history and more malwares and events happened. Enterprises need an efficient way to find vulnerabilities but they might not have the budget for ICS pentesters , which need strong background knowledge , and all the fields they have. To solve this problem, we try to make a rare OT targeting , open source adversary emulation tool as a plugin on MITRE open source tool - Caldera. Users can easily combine IT attacks with our OT adversaries and change steps of attacks or send manual commands in the process.
We summarize the experience of reviewing over 20 factories traffic and analyzing 19 MITRE defined ICS malwares, PIPEDREAM/Incontroller in 2022. We found the main trend of ICS malwares changes from single protocol targeting to modularized , multiple protocols supporting. The actions in malwares can be summarized as a 4 stages attacking flow, We will explain it with the real attacks from malwares. We use the above conclusions to build automatic adversary emulation tool.
Now the tool already supports 10 common protocols and over 23 techniques on the MITRE ICS matrix , which is able to reproduce over 80% of defined ICS malware actions in OT. We also follow the 4 stages conclusion to add some attacks havent been used by any malwares. We have tested it on real oil ,gas ,water, electric power factory devices , protocol simulations for SCADA developers and honeypot. We will have a demo in this presentation.
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
Printer has become one of the essential devices in the corporate intranet for the past few years, and its functionalities have also increased significantly. Not only print or fax, cloud printing services like AirPrint are also being supported as well to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print some internal business documents of the company, which makes it even more important to keep the printer safe.
Nowadays, most of the printers on the market do not have to be connected with USB or traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use RTOS(Real-Time Operating System) instead, how will this affect the attacker?
In this talk, we will use Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case study, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...CODE BLUE
MUSHIKAGO is an automatic penetration testing tool using game AI, MUSHIKAGO focuses on the verification of post-exploitation. A post-exploitation is an attack that an attacker carries out after invading the target environment. By focusing on post-exploitation verification, we can understand how far an attacker can actually penetrate and what kind of information is collected. MUSHIKAGO uses the GOAP (Goal-Oriented Action Planning), which is game AI commonly used in NPC (Non Player Character). To using GOAP, we can flexibly change the content of the attack according to the environment like NPC, and mimic the attacks by real APT attackers and testers. The operation and verification results of MUSHIKAGO can be checked on the dedicated web page. Moreover, MUSHIKAGO supports ICS (Industrial Control System), and can be used for penetration testing across IT and OT (Operation Technology).
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKMITRE ATT&CK
From ATT&CKcon 3.0
By Gert-Jan Bruggink, Venation
Since it's inception in 2015, the ATT&CK framework has achieved widespread adoption, with recent studies suggesting over 80 percent of companies using the framework for cyber security. Over the last seven years, a variety of use cases has been explored with different measures of success. In this presentation, Gert-Jan will explore applying the ATT&CK framework in scenario-based defense.
When adopting a scenario approach, security teams collaborate to fuse their understanding of certain situations into scenarios. For example, addressing different hypotheses that can be explained to leadership and specialist teams alike. This approach requires more than "just" breaking down everything into tactics, techniques, and procedures. Some stakeholders might not understand that. For example, some might want to tell a good story about adversaries while others want to translate their understanding of intrusions into a sequential pattern.
The objective of this talk is to explore how the granularity of the framework supports creation of scenarios, the limitations in the current approach to ATT&CK when building scenarios across different stakeholders, and addressing potential areas the "language of ATT&CK" can evolve towards over the next 5 years.
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...CODE BLUE
As the security industry has grown we've seen every aspect of our world become more complicated and more overwhelming. We're consistently promised solutions and technology to make our lives easier, to stop the attacker, to catch them quicker, to automate the pain away, but the reality falls flat. Frankly, it's underwhelming. Understanding where your program stands today, where you should spend time and resources, and how best to reduce risk to your organization are key aspects of any program. Join us to discuss and discover what some of the largest organizations in the world are doing to try to make sense of it all, and how they got there.
[cb22] Understanding the Chinese underground card shop ecosystem and becoming...CODE BLUE
Personal Identifiable Information (PII) leaks have become more frequent in recent years, and losses from credit card fraud in 2021 have set records respectively in Taiwan and Japan. Where did this information get leaked and sold in the first place?
The term "Dark web" refers to websites inaccessible without the use of Tor protocol, and given added privacy and anonymity while using Tor, and marketplaces in it are proven to be very attractive to criminals.
An anonymous researcher will share experiences of dealing with vendors from card shops on marketplaces among dark web, focused on insights of shops selling Taiwanese and Japanese PIIs, and therefore, TTPs of hackers from these card shops.
We hope to inspire audiences to rethink how to reduce credit card frauds.
From ATT&CKcon 3.0
By Matt Snyder, VMWare
Insider threats are some of the most treacherous and every organization is susceptible: it's estimated that theft of Intellectual Property alone exceeds $600 billion a year. Armed with intimate knowledge of your organization and masked as legitimate business, often these attacks go unnoticed until it's too late and the damage is done. To make matters worse, threat actors are now trying to lure employees with the promise of large paydays to help carry out attacks.
These advanced attacks require advanced solutions, and we are going to demonstrate how we are using the MITRE ATT&CK framework to proactively combat these threats. Armed with these tactics and techniques, we show you how to build intelligent detections to help secure even the toughest of environments.
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
From ATT&CKcon 3.0
By Jose Barajas and Stephan Chenette, AttackIQ
Every cybersecurity leader wants visibility into the health of their security program. Yet teams suffer with disparate data streams - CTI teams and the SOC often use separate Excel spreadsheets, an anachronistic practice - and silos constrain their ability to operate effectively. Enter the Jupyter notebook, an open-source computational notebook that researchers use to combine code, computing output, text, and media into a single interface. In this talk, we share three stories of how organizations use Jupyter notebooks to align ATT&CK-based attack flows to the security program, generating data about detection and prevention failures, defensive gaps, and longitudinal performance. By using Jupyter notebooks in this way, teams can better leverage ATT&CK for security effectiveness. It becomes less of a bingo card and more of a strategic tool for understanding the health of the program against big tactics (I.e., lateral movement), defensive gaps (I.e., micro-segmentation), and the team's performance.
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
View webinar: "Cyber Threat Hunting: Identify and Hunt Down Intruders": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gwfd
View companion webinar:
"Red Team Operations: Attack and Think Like a Criminal": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gw5q
Are you red team, blue team — or both? Get an inside look at the offensive and defensive sides of information security in our webinar series.
Senior Security Researcher and InfoSec Instructor Jeremy Martin discusses what it takes to be modern-day threat hunter during our webinar, Cyber Threat Hunting: Identify and Hunt Down Intruders.
The webinar covers:
- The job duties of a Cyber Threat Hunting professional
- Frameworks and strategies for Cyber Threat Hunting
- How to get started and progress your defensive security career
- And questions from live viewers!
Learn about InfoSec Institute's Cyber Threat Hunting couse here: https://www.infosecinstitute.com/courses/cyber-threat-hunting/
Mapping ATT&CK Techniques to ENGAGE ActivitiesMITRE ATT&CK
From ATT&CKcon 3.0
By David Barroso, CounterCraft
When an adversary engages in a specific behavior, they are vulnerable to expose an unintended weakness. By looking at each ATT&CK technique, we can examine the weaknesses revealed and identify an engagement activity or activities to exploit this weakness.
During the presentation we will see some real examples of how we can use different ATT&CK techniques in order to plan different adversary engagement activities.
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
From ATT&CKcon 3.0
By Jonny Johnson, Red Canary and Olaf Hartong, FalconForce
As defenders, we often find ourselves wanting "more" data. But why? Will this new data provide a lot of value or is it for a very niche circumstance? How many attacks does it apply to? Are we leveraging previous data sources to their full capability? Within this talk, Olaf and Jonny will walk through different data sources they leverage more than most when analyzing data within environments, why they do, and what these data sources do and can provide in terms of value to a defender.
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamMITRE ATT&CK
From ATT&CKcon 3.0
By Brian Donohue, Red Canary
This presentation will highlight the Atomic Red Team project's efforts to define and increase the test coverage of MITRE ATT&CK techniques. We'll describe the challenges we encountered in defining what "coverage" means in the context of an ATT&CK-based framework, and how to use that definition to improve an open source project that's used by a diverse audience of practitioners to satisfy an equally diverse array of needs. The audience will learn how the Atomic Red Team maintainers standardize and categorize atomic tests, perform gap analysis to achieve deep technique-level coverage and broad matrix-level coverage, and quickly fill those gaps with new tests.
Threat Modelling - It's not just for developersMITRE ATT&CK
From ATT&CKcon 3.0
By Tim Wadhwa-Brown, Cisco
The purpose of this session will be to look at how you can take public information about threat actors, vulnerabilities, and incidents and use them to build better defenses, utilizing ATT&CK along the way to align your security organization to the people and assets that matter.
Stories are critical to how humans learn, so this session will leverage a story book approach to give the audience some ideas on approaches they could use. Tim will take the audience through 3 real world examples where he has leveraged ATT&CK to drive operational improvement. The premise of each story will be real, although some of the details will be apocryphal to protect the innocent.
One story will focus on defending a network, one will look at adversary detection, while the final one will look at responding to an active attack and in each case, Tim will guide the audience to think about the kinds of data sources that ATT&CK tracks, that they might call upon to achieve a successful outcome.
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...CODE BLUE
MUSHIKAGO is an automatic penetration testing tool using game AI, MUSHIKAGO focuses on the verification of post-exploitation. A post-exploitation is an attack that an attacker carries out after invading the target environment. By focusing on post-exploitation verification, we can understand how far an attacker can actually penetrate and what kind of information is collected. MUSHIKAGO uses the GOAP (Goal-Oriented Action Planning), which is game AI commonly used in NPC (Non Player Character). To using GOAP, we can flexibly change the content of the attack according to the environment like NPC, and mimic the attacks by real APT attackers and testers. The operation and verification results of MUSHIKAGO can be checked on the dedicated web page. Moreover, MUSHIKAGO supports ICS (Industrial Control System), and can be used for penetration testing across IT and OT (Operation Technology).
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKMITRE ATT&CK
From ATT&CKcon 3.0
By Gert-Jan Bruggink, Venation
Since it's inception in 2015, the ATT&CK framework has achieved widespread adoption, with recent studies suggesting over 80 percent of companies using the framework for cyber security. Over the last seven years, a variety of use cases has been explored with different measures of success. In this presentation, Gert-Jan will explore applying the ATT&CK framework in scenario-based defense.
When adopting a scenario approach, security teams collaborate to fuse their understanding of certain situations into scenarios. For example, addressing different hypotheses that can be explained to leadership and specialist teams alike. This approach requires more than "just" breaking down everything into tactics, techniques, and procedures. Some stakeholders might not understand that. For example, some might want to tell a good story about adversaries while others want to translate their understanding of intrusions into a sequential pattern.
The objective of this talk is to explore how the granularity of the framework supports creation of scenarios, the limitations in the current approach to ATT&CK when building scenarios across different stakeholders, and addressing potential areas the "language of ATT&CK" can evolve towards over the next 5 years.
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...CODE BLUE
As the security industry has grown we've seen every aspect of our world become more complicated and more overwhelming. We're consistently promised solutions and technology to make our lives easier, to stop the attacker, to catch them quicker, to automate the pain away, but the reality falls flat. Frankly, it's underwhelming. Understanding where your program stands today, where you should spend time and resources, and how best to reduce risk to your organization are key aspects of any program. Join us to discuss and discover what some of the largest organizations in the world are doing to try to make sense of it all, and how they got there.
[cb22] Understanding the Chinese underground card shop ecosystem and becoming...CODE BLUE
Personal Identifiable Information (PII) leaks have become more frequent in recent years, and losses from credit card fraud in 2021 have set records respectively in Taiwan and Japan. Where did this information get leaked and sold in the first place?
The term "Dark web" refers to websites inaccessible without the use of Tor protocol, and given added privacy and anonymity while using Tor, and marketplaces in it are proven to be very attractive to criminals.
An anonymous researcher will share experiences of dealing with vendors from card shops on marketplaces among dark web, focused on insights of shops selling Taiwanese and Japanese PIIs, and therefore, TTPs of hackers from these card shops.
We hope to inspire audiences to rethink how to reduce credit card frauds.
From ATT&CKcon 3.0
By Matt Snyder, VMWare
Insider threats are some of the most treacherous and every organization is susceptible: it's estimated that theft of Intellectual Property alone exceeds $600 billion a year. Armed with intimate knowledge of your organization and masked as legitimate business, often these attacks go unnoticed until it's too late and the damage is done. To make matters worse, threat actors are now trying to lure employees with the promise of large paydays to help carry out attacks.
These advanced attacks require advanced solutions, and we are going to demonstrate how we are using the MITRE ATT&CK framework to proactively combat these threats. Armed with these tactics and techniques, we show you how to build intelligent detections to help secure even the toughest of environments.
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
From ATT&CKcon 3.0
By Jose Barajas and Stephan Chenette, AttackIQ
Every cybersecurity leader wants visibility into the health of their security program. Yet teams suffer with disparate data streams - CTI teams and the SOC often use separate Excel spreadsheets, an anachronistic practice - and silos constrain their ability to operate effectively. Enter the Jupyter notebook, an open-source computational notebook that researchers use to combine code, computing output, text, and media into a single interface. In this talk, we share three stories of how organizations use Jupyter notebooks to align ATT&CK-based attack flows to the security program, generating data about detection and prevention failures, defensive gaps, and longitudinal performance. By using Jupyter notebooks in this way, teams can better leverage ATT&CK for security effectiveness. It becomes less of a bingo card and more of a strategic tool for understanding the health of the program against big tactics (I.e., lateral movement), defensive gaps (I.e., micro-segmentation), and the team's performance.
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
View webinar: "Cyber Threat Hunting: Identify and Hunt Down Intruders": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gwfd
View companion webinar:
"Red Team Operations: Attack and Think Like a Criminal": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gw5q
Are you red team, blue team — or both? Get an inside look at the offensive and defensive sides of information security in our webinar series.
Senior Security Researcher and InfoSec Instructor Jeremy Martin discusses what it takes to be modern-day threat hunter during our webinar, Cyber Threat Hunting: Identify and Hunt Down Intruders.
The webinar covers:
- The job duties of a Cyber Threat Hunting professional
- Frameworks and strategies for Cyber Threat Hunting
- How to get started and progress your defensive security career
- And questions from live viewers!
Learn about InfoSec Institute's Cyber Threat Hunting couse here: https://www.infosecinstitute.com/courses/cyber-threat-hunting/
Mapping ATT&CK Techniques to ENGAGE ActivitiesMITRE ATT&CK
From ATT&CKcon 3.0
By David Barroso, CounterCraft
When an adversary engages in a specific behavior, they are vulnerable to expose an unintended weakness. By looking at each ATT&CK technique, we can examine the weaknesses revealed and identify an engagement activity or activities to exploit this weakness.
During the presentation we will see some real examples of how we can use different ATT&CK techniques in order to plan different adversary engagement activities.
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
From ATT&CKcon 3.0
By Jonny Johnson, Red Canary and Olaf Hartong, FalconForce
As defenders, we often find ourselves wanting "more" data. But why? Will this new data provide a lot of value or is it for a very niche circumstance? How many attacks does it apply to? Are we leveraging previous data sources to their full capability? Within this talk, Olaf and Jonny will walk through different data sources they leverage more than most when analyzing data within environments, why they do, and what these data sources do and can provide in terms of value to a defender.
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamMITRE ATT&CK
From ATT&CKcon 3.0
By Brian Donohue, Red Canary
This presentation will highlight the Atomic Red Team project's efforts to define and increase the test coverage of MITRE ATT&CK techniques. We'll describe the challenges we encountered in defining what "coverage" means in the context of an ATT&CK-based framework, and how to use that definition to improve an open source project that's used by a diverse audience of practitioners to satisfy an equally diverse array of needs. The audience will learn how the Atomic Red Team maintainers standardize and categorize atomic tests, perform gap analysis to achieve deep technique-level coverage and broad matrix-level coverage, and quickly fill those gaps with new tests.
Threat Modelling - It's not just for developersMITRE ATT&CK
From ATT&CKcon 3.0
By Tim Wadhwa-Brown, Cisco
The purpose of this session will be to look at how you can take public information about threat actors, vulnerabilities, and incidents and use them to build better defenses, utilizing ATT&CK along the way to align your security organization to the people and assets that matter.
Stories are critical to how humans learn, so this session will leverage a story book approach to give the audience some ideas on approaches they could use. Tim will take the audience through 3 real world examples where he has leveraged ATT&CK to drive operational improvement. The premise of each story will be real, although some of the details will be apocryphal to protect the innocent.
One story will focus on defending a network, one will look at adversary detection, while the final one will look at responding to an active attack and in each case, Tim will guide the audience to think about the kinds of data sources that ATT&CK tracks, that they might call upon to achieve a successful outcome.
Your app lives on the network - networking for web developersWim Godden
Our job might be to build web applications, but we can't build apps that rely on networking if we don't know how these networks and the big network that connects them all (this thing called the Internet) actually work.
I'll walk through the basics of networking, then dive a lot deeper (from TCP/UDP to IPv4/6, source/destination ports, sockets, DNS and even BGP).
Prepare for an eye-opener when you realize how much a typical app relies on all of these (and many more) working flawlessly... and how you can prepare your app for failure in the chain.
Positive Hack Days. Sklyarov. Vulnerabilities in the Systems of Authenticity ...Positive Hack Days
The report considers practical aspects of reliability of existing systems allowing authentication of photographic evidence originality. The reporter examines a vulnerability in the Canon Original Data Security system of image authenticity verification, which was designed to authenticate originality of images captured by the Canon digital reflex still cameras.
This slide describes IMS authentication with AKAv1 and AKAv2 protocol in detail based on the Verizon White paper.
The white paper is available on SlideShare: https://lnkd.in/gkujTRV
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services as well as blue team incident response and defense consultation for major Japanese global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS institute and holds numerous GIAC certifications. Currently, he is working with other Yamato security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
Most 5G networks are built in fundamentally new ways, opening new hacking avenues.
Mobile networks have so far been monolithic systems from big vendors; now they become open vendor-mixed ecosystems. Networks are rapidly adopting cloud technologies including dockerization and orchestration. Cloud hacking techniques become highly relevant to mobile networks.
The talk dives into the hacking potential of the technologies needed for these open networks. We illustrate the security challenges with vulnerabilities we found in real-world networks.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
Yuuma Taki is enrolled in the Hokkaido Information University Information Media Faculty of Information Media (4th year).
At university he is focusing on learning about security for lower-level components, such OS and CPU. In his third year of undergraduate school, he worked on trying to implement the OS security mechanism "KASLR", at Sechack365.
Currently, he is learning about ROP derivative technology and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles, "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The"Daily Cycle" can collect massive credentials and use the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaign) have attempted to spread disinformation, incite protests in the physical world, and doxxing against journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently, we saw the newly created bots turn to post artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguised as members of “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing China's bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
Malwares written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and libraries, making it difficult for analysts to analyze. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] What I learned from the direct confrontation with the adversaries who ...CODE BLUE
In November 2019, I started monitoring the Bitcoin operation by the adversaries who hid IP addresses of their C&C server in the blockchain. In June 2020, I started collaborating with Professor Christian Doerr of the Hasso Plattner Institute based on the idea of redirecting C&C server communication to a sinkhole server (called takeover), and we successfully achieved this in August. However, the adversaries quickly took evasive action, where they managed to implement an evasion mechanism in only two weeks and restarted their attack. Although we could not conduct our takeover, our monitoring system could worked well. The end of their attack was brought upon by the surge in Bitcoin prices. Due to the fees for the Bitcoin miners, a transaction had reduced the adversaries' profits, and we confirmed the last C&C update was in January 2021 and the abandonment of the attack infrastructure came in March. Since then, no similar attacks have been observed by my monitoring system.
Although this attack has already concluded and is unlikely to restart unless the value of Bitcoin declines, I would like to share the know-how I have learned through the direct confrontation with the adversaries. That is, at the time of the confrontation with them, this attack was highly novel, and the adversaries themselves did not fully understand the best solution for its' operation. They needed to evolve their tactics, techniques, and procedures (TTPs) while operating the system. We carefully analyzed their TTPs and tried to catch them off their guard. Even more troublesome was the need to understand as quickly as possible what they intended to do each time they were affected by the Bitcoin halving or making a simple operational error. This presentation is a culmination my insights learned from interactions with these adversaries and I am looking forward to sharing this information with everyone.
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...CODE BLUE
Unlike traditional software, smart contracts have the unique organization in which a sequence of transactions shares persistent states. Unfortunately, such a characteristic makes it difficult for existing fuzzers to find out critical transaction sequences. To tackle this challenge, we employ both static and dynamic analyses for fuzzing smart contracts. First, we statically analyze smart contract bytecodes to predict which transaction sequences will lead to effective testing, and figure out if there is a certain constraint that each transaction should satisfy. Such information is then passed to the fuzzing phase and used to construct an initial seed corpus. During a fuzzing campaign, we perform a lightweight dynamic data-flow analysis to collect data-flow-based feedback to effectively guide fuzzing. We implement our ideas on a practical open-source fuzzer, named SMARTIAN. SMARTIAN can discover bugs in real-world smart contracts without the need for the source code. Our experimental results show that SMARTIAN is more effective than existing state-of-the-art tools in finding known CVEs from real-world contracts. SMARTIAN also outperforms other tools in terms of code coverage.
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...CODE BLUE
Imagine a world where a security researcher becomes aware of a security vulnerability, impacting thousands of Open Source Software (OSS) projects, and is enabled to both identify and fix them all at once. Now imagine a world where a vulnerability is introduced into your production code and a few moments later you receive an automated pull request to fix it. Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes. These vulnerabilities aren't sexy, cool, or new, we've known about them for years, but they're everywhere!
The scale of GitHub and tools like CodeQL (GitHub's code query language) enable one to scan for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports by itself isn't useful, and would be even more of a burden on volunteer maintainers of OSS projects. Ideally, the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request.
When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution - automated bulk pull request generation. We'll discuss the practical applications of this technique on real world OSS projects. We'll also cover technologies like CodeQL and OpenRewrite (a style-preserving refactoring tool created at Netflix and now developed by Moderne). Let's not just talk about vulnerabilities, let's actually fix them at scale.
This work is sponsored by the new Dan Kaminsky Fellowship; a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.
[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...CODE BLUE
Hash Table, as the most fundamental Data Structure in Computer Science, is extensively applied in Software Architecture to store data in an associative manner. However, its architecture makes it prone to Collision Attacks. To deal with this problem, 25 years ago, Microsoft designed its own Dynamic Hashing algorithm and applied it everywhere in IIS, the Web Server from Microsoft, to serve various data from HTTP Stack. As Hash Table is everywhere, isn't the design from Microsoft worth scrutinizing?
We dive into IIS internals through months of Reverse-Engineering efforts to examine both the Hash Table implementation and the use of Hash Table algorithms. Several types of attacks are proposed and uncovered in our research, including (1) A specially designed Zero-Hash Flooding Attack against Microsoft's self-implemented algorithm. (2) A Cache Poisoning Attack based on the inconsistency between Hash-Keys. (3) An unusual Authentication Bypass based on a hash collision.
By understanding this talk, the audience won't be surprised why we can destabilize the Hash Table easily. The audience will also learn how we explore the IIS internals and will be surprised by our results. These results could not only make a default installed IIS Server hang with 100% CPU but also modify arbitrary HTTP responses through crafted HTTP request. Moreover, we'll demonstrate how we bypass the authentication requirement with a single, crafted password by colliding the identity cache!
Acorn Recovery: Restore IT infra within minutesIP ServerOne
Introducing Acorn Recovery as a Service, a simple, fast, and secure managed disaster recovery (DRaaS) by IP ServerOne. A DR solution that helps restore your IT infra within minutes.
0x01 - Newton's Third Law: Static vs. Dynamic AbusersOWASP Beja
f you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it to their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Orkestra
UIIN Conference, Madrid, 27-29 May 2024
James Wilson, Orkestra and Deusto Business School
Emily Wise, Lund University
Madeline Smith, The Glasgow School of Art
This presentation by Morris Kleiner (University of Minnesota), was made during the discussion “Competition and Regulation in Professions and Occupations” held at the Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found out at oe.cd/crps.
This presentation was uploaded with the author’s consent.
Have you ever wondered how search works while visiting an e-commerce site, internal website, or searching through other types of online resources? Look no further than this informative session on the ways that taxonomies help end-users navigate the internet! Hear from taxonomists and other information professionals who have first-hand experience creating and working with taxonomies that aid in navigation, search, and discovery across a range of disciplines.
5. Target
Summary
Winnti 4.0 ShadowPad
Prevalence Low High
First-observed
year
2016 (start-up
sequence),
2018 (new C2
protocol)
2015
Scanning start
year
2019 2021
Supported
protocols
TCP/TLS/HTTP(S)/
UDP
TCP/SSL/HTTP(S)/
UDP/DNS
Unique feature Server-mode Multiple protocol
listening at a single
port
8. Winnti Malware 4.0
Macnica Networks
version 4.0
CB 2022
Version 3.0 Version 4.0
Initial component Dropper Loader and DAT file
Initial encryption
algorithm
DES AES
Initial encryption key
cracking
Easy Hard
Worker encryption 1-byte XOR and nibble swap DPAPI or AES with host-
specific key
37. Samples Communicating with C2 IPs
CB 2022
Sample Malware
family
C2 IP address C2
Protocol/Port
used by sample
Sample
submission
date on VT
C2 first-seen
date by
scanner
C2 last-seen
date by
scanner
Spyder 156.240.104.149 TLS/443 2021/10/26 2021/10/16 2021/10/16
ReverseWindow 43.129.188.223 TCP/10333 2022/02/27 2021/10/17 2022/10/04
ShadowPad 213.59.118.124 UDP/443 2022/03/20 2022/03/06 2022/09/27
39. Spyder & Winnti 4.0: Command IDs
CB 2022
Command Spyder Winnti 4.0Worker
tag id cmd_ID dispatch_ID
Verify the client 1 1 1 1
Send victim information 5 3 5 1
Send plugins information 6 1 6 9 or 13
Save plugin parameters 6 2 6 2
Save plugin data 6 3 6 3
Load and run plugin entrypoint and
export function #1
6 4 6 6
Run plugin export function #4 and
unload the plugin
6 5 6 7
40. Spyder & Winnti 4.0: Command IDs (Cont.)
CB 2022
Command Spyder Winnti 4.0Worker
tag id cmd_ID dispatch_ID
Heartbeat 6 6 6 8
Run plugin export function #2 6 7 6 10
Run plugin export function #3 6 8 6 11
Send current connection information 7 2 - (no
command)
-
Run function pointer of the 2nd
parameter obtained by running
export function #1
11 - 11 -
41. Spyder & Winnti 4.0: Comparison
CB 2022
Spyder Winnti 4.0
Payload encoding /
encryption
single-byte XOR AES in CTR mode
(key given as a cmdline
argument)
C2 Protocol TLS TCP/TLS/HTTP(S)/UDP
Server-mode support No Yes
3rd-party library uthash, Mbed TLS uthash
Reported year 2020 2019
44. How to Get Input (Port Scan) Data
scanning target ports
CB 2022
ZMap Shodan CenSys
TCP/10333 4,940,037 4 1,306
TCP/55555 3,199,856 86 486,497
Note: The data was
collected in 2021/11
54. Research Publication Demerits:
Threat Actor’s Reaction
APT41
CB 2022
Protocol/Port
Stager-disabled/Total
in Sep 2021
Stager-disabled/Total
in Jul 2022
HTTP/80 217/559 (38%) 208/387 (53%)
HTTPS/443 210/928 (22%) 206/431 (47%)
DNS/53 46/150 (30%) 51/51 (100%)
Change in the result of a single scan