Personally Identifiable Information (PII) leaks have become more frequent in recent years, and losses from credit card fraud in 2021 set records in both Taiwan and Japan. Where was this information leaked and sold in the first place?
The term "dark web" refers to websites that are inaccessible without the Tor protocol; the added privacy and anonymity Tor provides make the marketplaces hosted there very attractive to criminals.
An anonymous researcher will share experiences of dealing with vendors from card shops on dark web marketplaces, focusing on insights from shops selling Taiwanese and Japanese PII and, through them, the TTPs of the hackers behind these card shops.
We hope to inspire the audience to rethink how to reduce credit card fraud.
2019/10/16
How to Strengthen the Web Category of CTFs for Beginners
Are you studying the web category of CTFs but struggling to actually solve challenges during the competition itself? For people with that problem, I will explain how to strengthen your web skills based on my own experience.
(study group) https://yahoo-osaka.connpass.com/event/149524/
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti... (CODE BLUE)
Kimsuky is a North Korean APT, possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active subgroup, CloudDragon, built a workflow that functions as a "Credential Factory," collecting massive numbers of credentials and exploiting them.
The credential factory powers CloudDragon's espionage campaigns. CloudDragon's campaigns align with the DPRK's interests, targeting organizations and key figures who play a role in relations with the DPRK. Our database suggests that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three smaller cycles: the "Daily Cycle," the "Campaign Cycle," and the "Post-exploit Cycle." The "Daily Cycle" collects credentials in bulk and uses the stolen credentials to accelerate the APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware families. While responding to CloudDragon incidents, we found that the actor still relied on the BabyShark malware. CloudDragon once used BabyShark to deploy a new browser-extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to evade detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon and, more importantly, provide possible scenarios of future intrusions to support defense and detection.
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi... (CODE BLUE)
Since Stuxnet caused substantial damage to Iran's nuclear program in 2010, ICS security has been a recognized issue. Many researchers have dug into the attack techniques and paths of known historical attacks, and more malware and incidents have followed. Enterprises need an efficient way to find vulnerabilities, but they may not have the budget for ICS pentesters, who need strong background knowledge across all the fields an enterprise operates in. To solve this problem, we built a rare OT-targeting, open-source adversary emulation tool as a plugin for MITRE's open-source tool Caldera. Users can easily combine IT attacks with our OT adversaries, change the steps of an attack, or send manual commands during the process.
We summarize the experience of reviewing the traffic of over 20 factories and analyzing 19 MITRE-defined ICS malware families, including PIPEDREAM/Incontroller in 2022. We found that the main trend in ICS malware has shifted from targeting a single protocol to modularized designs supporting multiple protocols. The actions in the malware can be summarized as a four-stage attack flow, which we will explain with the real attacks carried out by the malware. We used these conclusions to build an automatic adversary emulation tool.
The tool already supports 10 common protocols and over 23 techniques on the MITRE ATT&CK for ICS matrix, and is able to reproduce over 80% of the defined ICS malware actions in OT. We also follow the four-stage conclusion to add some attacks that have not yet been used by any malware. We have tested it on real oil, gas, water, and electric power plant devices, on protocol simulations for SCADA developers, and on a honeypot. We will have a demo in this presentation.
These are the materials used in the binary lecture of CTF for Beginners.
The files used in the lecture are available at the following link:
https://onedrive.live.com/redir?resid=5EC2715BAF0C5F2B!10056&authkey=!ANE0wqC_trouhy0&ithint=folder%2czip
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat... (CODE BLUE)
Malware analysts normally obtain the IP addresses of a malware family's command and control (C2) servers by analyzing samples. This approach works for commoditized attacks or campaigns. However, with targeted attacks using APT malware, it is difficult for organizations other than antivirus companies to acquire a sufficient number of samples. As a result, the malware C2 IOCs collected by a single organization are just the tip of the iceberg.
For years, I have reversed the C2 protocols of high-profile APT malware families and then discovered active C2 servers on the Internet by emulating those protocols. In this presentation, I will explain how to emulate the protocols of two long-lived pieces of malware used by PRC-linked cyber espionage threat actors: Winnti 4.0 and ShadowPad.
Both pieces of malware support multiple C2 protocols, such as TCP, TLS, HTTP, HTTPS and UDP. It is also common for one piece of malware to use a different data format and encoding algorithm for each protocol. I will cover the protocol details while referring to unique functions such as the server mode in Winnti 4.0 and the listening for multiple protocols on a single port in ShadowPad. Additionally, I will share findings regarding Internet-wide C2 scanning and its limitations.
After the presentation, I will publish over 140 C2 IOCs with the date ranges in which they were discovered. These dates are more helpful than IP address information alone, since the C2s are typically found on hosted servers, meaning a C2 may exist on a specific IP only for a very limited time. 65% of these IOCs have zero detections on VirusTotal as of the time of this writing.
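As an added illustration of why the date ranges matter when consuming such IOCs (this is example code written for this page, not the speaker's tooling or IOC list; the indicator entries, the log line format and the seven-day grace window are all assumptions), the following Python matches date-ranged C2 indicators against connection logs and separates hits that fall inside the observation window from stale hits on an IP that has probably been re-assigned since:

```python
"""Time-aware matching of date-ranged C2 IOCs against connection logs (example code)."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class C2Ioc:
    """One published C2 indicator: the IP plus the window in which it was observed."""
    ip: str
    first_seen: date
    last_seen: date
    family: str


# Constructed sample indicators (RFC 5737 documentation addresses, invented dates;
# NOT the IOCs from the talk).
SAMPLE_IOCS = [
    C2Ioc("192.0.2.10", date(2021, 3, 1), date(2021, 4, 15), "Winnti 4.0"),
    C2Ioc("198.51.100.7", date(2022, 1, 10), date(2022, 2, 2), "ShadowPad"),
]

# Constructed firewall-style connection log lines (invented format and values).
SAMPLE_LOGS = [
    "2021-03-20T10:11:12Z src=10.0.0.5 dst=192.0.2.10 dport=443 proto=tcp",
    # Same IP, 14 months after the window: the hosted server has likely changed hands.
    "2022-06-01T08:00:00Z src=10.0.0.9 dst=192.0.2.10 dport=443 proto=tcp",
    "2022-01-15T23:59:59Z src=10.0.0.7 dst=198.51.100.7 dport=53 proto=udp",
]


def parse_log(line):
    """Split 'TIMESTAMP key=value ...' into a dict; the timestamp becomes a datetime."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def match_iocs(logs, iocs, grace_days=7):
    """Return (line, family, verdict) for every log line whose destination is a known C2 IP.

    verdict is 'in-window' when the connection date lies inside the IOC's observed range
    (widened by grace_days on both sides, an assumed tolerance for observation lag) and
    'stale' otherwise. A stale hit is worth a look but should not page anyone on its own.
    """
    by_ip = {}
    for ioc in iocs:
        by_ip.setdefault(ioc.ip, []).append(ioc)

    grace = timedelta(days=grace_days)
    hits = []
    for line in logs:
        rec = parse_log(line)
        for ioc in by_ip.get(rec.get("dst"), []):
            day = rec["ts"].date()
            in_window = ioc.first_seen - grace <= day <= ioc.last_seen + grace
            hits.append((line, ioc.family, "in-window" if in_window else "stale"))
    return hits


if __name__ == "__main__":
    for line, family, verdict in match_iocs(SAMPLE_LOGS, SAMPLE_IOCS):
        print(f"{verdict:10} {family:12} {line}")
```

The second sample line shows the failure mode a bare IP blocklist produces: the same address is hit again long after the observed window, and without the dates it would be indistinguishable from the first, genuine hit.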
An excellent presentation by Chris West, owner of CDGcommerce. In this presentation Chris explains how to better protect your business against fraudulent transactions using AVS scrubbing, VbV/MSC, and several other tools provided by CDGcommerce.
www.cdgcommerce.com
These slides share some tips on how to identify credit card fraud, brought to you by FraudLabsPro.com.
Read the full article at https://www.fraudlabspro.com/resources/tutorials/how-to-identify-credit-card-fraud/#slideshare
OpenID and Information Cards are two of the most prominent emerging identity technologies. It is important that you understand the benefits, usage and differences between them in order to prepare for the future, even if you are not yet ready to deploy them. During this presentation we will examine what digital identities are and, specifically, what each of these technologies is.
Tokenization Payment Data Out Securing Payment Data Storage- Mark - Fullbright
company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
I had made this ppt for my college presentation. It doesn't cover the various frauds in minute detail but this presentation is a very good overview! Enjoy!
Cap Tech Talks Webinar April 2020 business email cybersecurity Bill Gibbs
Slides from a "Cap Tech Talks" webinar presented on April 21, 2020 by Dr. Nikki Robinson, an adjunct professor at Capitol Technology University. The presentation covers Business Email Compromise (BEC) and looks at both the problem and ways to mitigate the vulnerabilities.
ICDL Secure Use of IT:
Key concepts of data security; protecting a computer from malware and unauthorised access; types of networks; browsing the web and using e-mail securely; security issues of e-mail and instant messaging; backing up and restoring data safely; securely disposing of data and devices.
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo... (CODE BLUE)
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis is based in Kobe, Japan, and has performed both red team services and blue team incident response and defense consulting for major global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016 he has been teaching security for the SANS Institute and holds numerous GIAC certifications. Currently, he is working with other Yamato Security members to provide free and open-source security tools that help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten Nohl (CODE BLUE)
Most 5G networks are built in fundamentally new ways, opening new avenues for hacking.
Mobile networks have so far been monolithic systems from big vendors; now they are becoming open, vendor-mixed ecosystems. Networks are rapidly adopting cloud technologies, including containerization (Docker) and orchestration, so cloud hacking techniques have become highly relevant to mobile networks.
The talk dives into the hacking potential of the technologies needed for these open networks. We illustrate the security challenges with vulnerabilities we found in real-world networks.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A... (CODE BLUE)
Over the past few years the printer has become one of the essential devices on the corporate intranet, and its functionality has increased significantly. Beyond printing and faxing, cloud printing services such as AirPrint are now supported to make printers easier to use, and direct printing from mobile devices is a basic requirement in the IoT era. We also use printers to print internal business documents, which makes keeping the printer secure even more important.
Nowadays, most printers on the market no longer have to be connected over USB or a traditional cable. As long as the printer is connected to the intranet over a LAN cable, a computer can discover and use it immediately. Most of this relies on protocols such as SLP and LLMNR. But is it really safe when vendors adopt these protocols? Furthermore, many printers do not run a traditional Linux system but an RTOS (real-time operating system) instead. How does this affect the attacker?
In this talk, we will use the Canon ImageCLASS MF644Cdw and the HP Color LaserJet Pro MFP M283fdw as case studies, showing how to analyze the printers and gain control of them. We will also demonstrate how to use the vulnerabilities to achieve unauthenticated RCE on the RTOS.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter... (CODE BLUE)
While hackers have known for years the importance of sharing research to improve security, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principles of disclosure and of protecting security researchers are common across borders, but there are some key differences between countries. This panel will present a global perspective that may in turn inform public policy and company behavior.
ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces how vulnerability disclosure operates in China, Japan and the USA. Based on these findings, the desirable and good-practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and to clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of the early warning partnership notified bodies in Japan, are the authors of the above report in Europe, and are contributors to the above report in the US.
From Japan, the issues of awareness of the system, incentives, the increasing number of outstanding cases in handling, and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for national security and the publication of a non-prosecution policy for vulnerability research will be introduced, along with the historical background of the issue.
The aim is for the panel discussion to help the audience understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerabilities in cybersecurity and the challenges society faces around them.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-... (CODE BLUE)
Yuuma Taki is a fourth-year student in the Faculty of Information Media at Hokkaido Information University.
At university he focuses on learning about security for lower-level components, such as the OS and CPU. In his third year of undergraduate study, he worked on implementing the OS security mechanism KASLR at SecHack365.
Currently, he is learning about techniques derived from ROP and about embedded device security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla... (CODE BLUE)
In October 2021, we published the first analysis of Wslink, a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques, such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi-automated approach to "seeing through" the obfuscation techniques in reasonable time. We demonstrate the approach on bytecode from a protected sample and compare the results with a non-obfuscated sample found after we started our analysis, confirming the method's validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values rather than symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info... (CODE BLUE)
Social media is without doubt a critical battlefield for threat actors launching information operations (InfoOps), especially at critical moments such as wartime or election season. We have seen bot-driven InfoOps (also known as influence campaigns) attempt to spread disinformation, incite protests in the physical world, and dox journalists.
China's bot-driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent bot-driven InfoOps and dissect the harmful disinformation campaigns they circulate in cyberspace.
In the past, most bot-driven operations simply parroted the narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. Recently, however, we saw newly created bots begin to post artifacts in a livelier manner. They use various tactics, including reposting screenshots of forum posts and disguising themselves as members of the "Milk Tea Alliance," to create the false appearance that such content is being echoed across cyberspace.
We focus in particular on an ongoing Chinese bot-driven InfoOp targeting Taiwan, which we dub "Operation ChinaRoot." Since mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified links between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”... (CODE BLUE)
Malware written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, its statically linked libraries make it difficult to distinguish user functions from library code, which makes analysis harder. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity between, and classifying, Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates fuzzy hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of classification with the proposed method and confirm its validity by discussing some examples from the classified results. We will also discuss open issues in Go malware classification.
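An added example, written for this page and not code from the talk or its authors, of the idea gimpfuzzy builds on: an exact hash over the third-party packages linked into a Go binary changes completely when one package is added, while a similarity measure over the same package list still reports the two binaries as close. Assumptions: the symbol lists are constructed (a real tool would read them from the binary's pclntab), the "first path element contains a dot" rule is a simplification of the real gimphash exclusion list, and set-based Jaccard similarity stands in for the fuzzy hash (ssdeep/TLSH style) that the talk's method uses.

```python
"""Exact vs. similarity-based comparison of third-party Go packages (example code)."""
import hashlib

# Constructed function-symbol lists standing in for what a pclntab parser would yield
# (invented; not real malware samples). B is A plus one extra package, C is unrelated.
SAMPLE_A = [
    "main.main",
    "runtime.mallocgc",
    "type..eq.[2]string",
    "github.com/pkg/errors.Wrap",
    "github.com/pkg/errors.(*fundamental).Error",
    "golang.org/x/sys/windows.(*LazyProc).Call",
    "github.com/google/uuid.New",
    "github.com/gorilla/websocket.(*Conn).WriteMessage",
]
SAMPLE_B = SAMPLE_A + ["github.com/shirou/gopsutil/process.Processes"]
SAMPLE_C = [
    "main.main",
    "runtime.gopanic",
    "github.com/spf13/cobra.(*Command).Execute",
    "github.com/spf13/pflag.(*FlagSet).Parse",
]


def package_of(symbol):
    """Import path of a Go symbol: everything before the first '.' after the last '/'.
    'github.com/pkg/errors.(*fundamental).Error' -> 'github.com/pkg/errors'."""
    slash = symbol.rfind("/")
    dot = symbol.find(".", slash + 1)
    return symbol if dot == -1 else symbol[:dot]


def third_party_packages(symbols):
    """Sorted, de-duplicated list of non-stdlib packages referenced by the symbols.

    Heuristic (an assumption, simpler than the real gimphash exclusion list): a package
    whose first path element contains a dot is a module path such as github.com/...,
    i.e. third-party code; 'main', 'runtime', 'fmt' etc. have none and are dropped,
    as are compiler-generated 'type..' and 'go.' symbols.
    """
    pkgs = set()
    for sym in symbols:
        if sym.startswith(("type..", "go.", "go:")):
            continue
        pkg = package_of(sym)
        if "." in pkg.split("/", 1)[0]:
            pkgs.add(pkg)
    return sorted(pkgs)


def exact_hash(symbols):
    """gimphash-style exact hash: SHA-256 over the newline-joined package list."""
    joined = "\n".join(third_party_packages(symbols))
    return hashlib.sha256(joined.encode()).hexdigest()


def similarity(symbols_a, symbols_b):
    """Jaccard similarity of the two package sets (0.0 = disjoint, 1.0 = identical).
    Stands in for the fuzzy-hash comparison: it degrades gracefully where the exact
    hash flips to an unrelated value as soon as a single package is added."""
    a = set(third_party_packages(symbols_a))
    b = set(third_party_packages(symbols_b))
    union = a | b
    return len(a & b) / len(union) if union else 1.0


if __name__ == "__main__":
    print("A", exact_hash(SAMPLE_A)[:16], " B", exact_hash(SAMPLE_B)[:16])
    print("sim(A,B) =", similarity(SAMPLE_A, SAMPLE_B))
    print("sim(A,C) =", similarity(SAMPLE_A, SAMPLE_C))
```

Note the limitations the abstract hints at: if the author strips or obfuscates symbol names, the package list shrinks or disappears and both the exact and the similarity comparison lose their signal, so the method applies to the (still common) case where the pclntab names survive.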
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu... (CODE BLUE)
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or to introduce automation so that the same analysis process is not repeated. Therefore, malware analysts usually develop tools and build analysis systems. On the other hand, such tool development and system maintenance cost a lot. Incident trends change daily and malware keeps evolving, but it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, which reduces the time available for the necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and serverless technologies. This presentation shares our experience of how CI/CD, serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed:
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through these case studies, we will share the benefits of and tips for using the cloud, and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system on cloud infrastructure.
[cb22] What I learned from the direct confrontation with the adversaries who ...CODE BLUE
In November 2019, I started monitoring the Bitcoin operation by the adversaries who hid IP addresses of their C&C server in the blockchain. In June 2020, I started collaborating with Professor Christian Doerr of the Hasso Plattner Institute based on the idea of redirecting C&C server communication to a sinkhole server (called takeover), and we successfully achieved this in August. However, the adversaries quickly took evasive action: they managed to implement an evasion mechanism in only two weeks and restarted their attack. Although we could not conduct our takeover, our monitoring system worked well. The end of their attack was brought about by the surge in Bitcoin prices. The fees paid to Bitcoin miners for each transaction reduced the adversaries' profits, and we confirmed that the last C&C update was in January 2021 and that the attack infrastructure was abandoned in March. Since then, no similar attacks have been observed by my monitoring system.
Although this attack has already concluded and is unlikely to restart unless the value of Bitcoin declines, I would like to share the know-how I have learned through the direct confrontation with the adversaries. That is, at the time of the confrontation with them, this attack was highly novel, and the adversaries themselves did not fully understand the best solution for its operation. They needed to evolve their tactics, techniques, and procedures (TTPs) while operating the system. We carefully analyzed their TTPs and tried to catch them off their guard. Even more troublesome was the need to understand as quickly as possible what they intended to do each time they were affected by the Bitcoin halving or made a simple operational error. This presentation is a culmination of my insights learned from interactions with these adversaries, and I am looking forward to sharing this information with everyone.
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...CODE BLUE
Unlike traditional software, smart contracts have a unique organization in which a sequence of transactions shares persistent state. Unfortunately, this characteristic makes it difficult for existing fuzzers to find critical transaction sequences. To tackle this challenge, we employ both static and dynamic analyses for fuzzing smart contracts. First, we statically analyze smart contract bytecode to predict which transaction sequences will lead to effective testing, and to figure out whether there is a certain constraint that each transaction should satisfy. This information is then passed to the fuzzing phase and used to construct an initial seed corpus. During a fuzzing campaign, we perform a lightweight dynamic data-flow analysis to collect data-flow-based feedback that guides fuzzing effectively. We implement our ideas in a practical open-source fuzzer named SMARTIAN. SMARTIAN can discover bugs in real-world smart contracts without needing the source code. Our experimental results show that SMARTIAN is more effective than existing state-of-the-art tools at finding known CVEs in real-world contracts. SMARTIAN also outperforms other tools in terms of code coverage.
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie WellsRosie Wells
Insight: In a landscape where traditional narrative structures are giving way to fragmented and non-linear forms of storytelling, there lies immense potential for creativity and exploration.
'Collapsing Narratives: Exploring Non-Linearity' is a micro report from Rosie Wells.
Rosie Wells is an Arts & Cultural Strategist uniquely positioned at the intersection of grassroots and mainstream storytelling.
Their work is focused on developing meaningful and lasting connections that can drive social change.
Please download this presentation to enjoy the hyperlinks!
This presentation, created by Syed Faiz ul Hassan, explores the profound influence of media on public perception and behavior. It delves into the evolution of media from oral traditions to modern digital and social media platforms. Key topics include the role of media in information propagation, socialization, crisis awareness, globalization, and education. The presentation also examines media influence through agenda setting, propaganda, and manipulative techniques used by advertisers and marketers. Furthermore, it highlights the impact of surveillance enabled by media technologies on personal behavior and preferences. Through this comprehensive overview, the presentation aims to shed light on how media shapes collective consciousness and public opinion.
6. [Chart: Credit Card Fraud in Japan, 2014-2021, in hundred million yen; series: Forged card, Card number theft, Total. Source: 日本クレジット協会 (Japan Consumer Credit Association)]
In Japan, credit card fraud in 2021 reached 33 billion yen, the highest amount ever. Card number theft accounts for 94% of the total.
7. Japan is one of the main targets of credit card fraud
Japan is a fairly "ideal" market for card fraudsters:
* 3DSecure uses a static password
* High credit lines
* Lots of card fraud marketplaces on the dark web (IRC/Forum → QQ/WeChat → TG)
Goal: to understand the value chain of Chinese carding fraud
Scope: the Chinese card shop ecosystem targeting Japan
11. Entrance: one of the biggest credit card fraud communities targeting Japan
The community is a structured organization providing training and resources for beginners to start card-not-present fraud.
* Subscribers: > 96,000 users
* Over 500 active paid students in the first half of 2022
12. More stories about the community leader
* Located in the GMT+8 time zone
* Cannot speak Japanese at all; uses Google Translate a lot
* Received 56 BTC (about 160 million Japanese yen) in revenue over the 3 years up to June 2022
* Suffered an account takeover in June after clicking a malware-laden porn file
13. Initial Setup: an unattributable research environment
* Persona: a new phone number used to create a new Telegram account
* Device: a newly reformatted laptop
* Internet: rental VPS / RDP server, VPN, proxy
14. Training program as an entrance
Tuition: 3000 RMB, paid in BTC
Training courses: environment setup; phishing mail lure sending; phishing techniques; credit card limit evaluation; cash-out demo
Resources provided: basic knowledge and guidelines; environment setup resources; e-mail database; phishing kits; anti-bot pool; cash-out websites and buyers
15. Monitoring > 300 Chinese card shop marketplaces
17. Actor's Value Chain
0 Initial Setup: VPS / RDP setup; residential proxy; check IP not in blacklist; change MAC or hardware ID; clean cookies / DNS / cache
1 Phishing Setup: e-mail database; phishing kit setup; phishing e-mail lure setup; e-mail address domain preparation / SMTP setup
2 Start Phishing: harvesting
3 Card Using Setup: select monetization method; credit limit evaluation; OTP authentication disablement
4 Use Card: card testing
5 Monetization
19. Initial Setup 0: initial setup to avoid triggering security rules
* Change MAC or hardware ID: set a dynamic device ID so the device hardware cannot be tracked
* IP setup: set an IP near the targeted country / prefecture
* Check IP not in blacklist: major payment and e-commerce services already block public proxies, so check that your IP is not on a blacklist
* Time zone / language: set the VPS time zone and language to match the targeted location
* Clean cookies / DNS / cache: keep the browser environment as clean as possible; a virtual browser can be an alternative option
20. Initial Setup 0: a residential proxy covers the actor's identity and fakes the card holder's location
[Diagram: Actor → Residential Proxy Provider → Residential IP Address Pool → Targeted Destination]
Major residential proxies used by fraudsters: 911 (China), oxylabs (Lithuania), BrightData (Israel)
21. Initial Setup 0: 911 used by Chinese fraudsters - 1/2
Residential proxy IPs are available at city granularity
26. Phishing Setup 1: ways to set up a phishing kit
1. Using a compromised server
Pro: higher website reputation
Con: higher risk of being taken down
2. Using a rental server (VPS)
Set up an Apache/Nginx server and upload a phishing kit
Bullet-proof hosting providers from Russia, etc.
Microsoft Azure needs months to take down the phishing sites it hosts
(Chat excerpt between fraudsters:)
"AWS has extremely strict security rules"
"Alert really soon right?"
"Go for Azure"
"Got banned after login with AWS"
29. Phishing Setup 1: phishing kit component 1/6 (amazon.co.jp kit) - block all non-human visitors
Block all bots; block specific IP ranges
30. Phishing Setup 1: phishing kit component 2/6 - block all non-human visitors
Resolve the visitor's IP address to a domain name and block well-known security organizations
31. Phishing Setup 1: phishing kit component 3/6 - filter visitors
If a user's IP is not in China or Japan, return an error
If a victim is using a proxy, try to get the real IP
32. Phishing Setup 1: phishing kit component 4/6 - validate inputted information
Check whether the inputted card BIN is valid with an open-source API
If the inputted password is shorter than 4 characters, return an error
33. Phishing Setup 1: phishing kit component 5/6 - return phished information
(Screenshot: returned format)
Send the phished info to the actor's e-mail address; redirect the victim to the real Amazon website
35. Phishing Setup 1: tricks to bypass e-mail spam filtering rules
Mindset: always try to improve the contents / environment to bypass e-mail spam filtering rules
* Environment: change IP continuously; keep your IP as clean as possible
* Phishing kit domain / server: avoid registering a domain name similar to famous websites (big companies have automatic systems detecting domains similar to their brands); register multiple domain names at the same time to disperse the risk of being fully blocked at once; do not add SSL (adding SSL will attract Google's web crawler and disclose your info)
* Phishing URL: use URL redirect tools to generate a "seemingly more normal URL" to bypass spam filtering rules
37. Phishing Setup 1: benefits of using URL redirect
URL redirect tools make a URL look more "normal":
* Starts with "HTTPS", so it looks more trustworthy
* Less suspicious domain name: the domain name becomes the domain of the redirection tool
* Ends with less suspicious strings: the path after the domain name can be customized
When the e-mail is blocked by a spam filter or the phishing site domain is blocked, a URL redirect tool helps a fraudster restart the phishing cycle faster.
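As an added example (not from the talk), here is the brand-side detection that slides 35 and 37 describe from the fraudster's point of view: a lookalike check on the registrable label of a hostname, applied to where a link finally lands rather than to the redirector domain that appears in the e-mail, with the absence of TLS kept as a separate signal. The brand list, the homoglyph table, the `.example` hostnames and the redirect map are constructed assumptions, not observations from the talk.

```python
from urllib.parse import urlparse

# Brands to watch (assumed list; the talk names amazon.co.jp and the EPOS / SAISON card sites).
BRANDS = ("amazon", "rakuten", "epos", "saison")

# Japanese second-level suffixes under which the registrable label sits one level deeper.
JP_SECOND_LEVEL = {"co", "ne", "or", "ac", "go", "ad", "ed", "gr", "lg"}

# Cheap substitutions seen in lookalike domains (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "7": "t", "@": "a", "$": "s", "|": "l"})
MULTI_CHAR = (("rn", "m"), ("vv", "w"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance by the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Label the registrant chose, e.g. 'amazon' for www.amazon.co.jp or amazon.com."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-1] == "jp" and parts[-2] in JP_SECOND_LEVEL:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Undo homoglyphs and hyphens before comparing with brand names."""
    label = label.translate(HOMOGLYPHS).replace("-", "")
    for src, dst in MULTI_CHAR:
        label = label.replace(src, dst)
    return label


def lookalike(host: str):
    """(brand, reason) if host impersonates a watched brand, else None.

    Only the registrable label is compared, so a brand's own subdomains pass
    and a shortener that merely links to the kit is not flagged here;
    classify_link() covers that case by resolving the landing host.
    """
    label = normalize(registrable_label(host))
    for brand in BRANDS:
        if label == brand:
            return None                        # the brand's own domain
        if brand in label:
            return brand, "contains brand"
        if levenshtein(label, brand) <= 1:    # noisy for 4-letter brands; pair with an allowlist
            return brand, "edit distance"
    return None


def follow_redirects(url: str, redirects: dict, max_hops: int = 5) -> str:
    """Walk a url -> Location map to the landing URL.

    Offline stand-in for a HEAD/GET loop that records each Location header;
    the map is constructed sample data. Stops on loops and after max_hops.
    """
    seen = set()
    for _ in range(max_hops):
        if url in seen or url not in redirects:
            break
        seen.add(url)
        url = redirects[url]
    return url


def classify_link(url: str, redirects: dict) -> dict:
    """Judge the URL by where it lands, not by the hostname as sent."""
    landing = follow_redirects(url, redirects)
    parsed = urlparse(landing)
    host = parsed.hostname or ""
    hit = lookalike(host)
    return {
        "sent_host": urlparse(url).hostname,
        "landing_host": host,
        "plain_http": parsed.scheme == "http",   # slide 35: kits often skip TLS on purpose
        "brand": hit[0] if hit else None,
        "reason": hit[1] if hit else None,
        "verdict": "suspicious" if hit else "clean",
    }


# Constructed sample: a shortener hop, a tracker hop, then the kit on plain HTTP.
SAMPLE_REDIRECTS = {
    "https://short.example/abc123": "https://track.example/r?id=9",
    "https://track.example/r?id=9": "http://amaz0n-jp-secure.example/ap/signin",
}

if __name__ == "__main__":
    for link in ("https://short.example/abc123", "https://www.amazon.co.jp/", "https://amazom.net/login"):
        print(classify_link(link, SAMPLE_REDIRECTS))
```

The registrable-label comparison is what keeps a brand's own subdomains and the redirector's domain from matching; the price is that a four-letter brand such as `epos` sits within edit distance 1 of ordinary words, so in production this runs behind an allowlist and feeds a review queue rather than blocking on its own.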
39. Start Phishing 2: harvesting - info acquired
Essential: card number + CVV; card holder name; expiration date; billing address; date of birth; device footprint and browser info; user IP
Optional: phone number; 3D ID and password; website / card membership / account name and password
40. Card Using Setup 3: monetization approaches
1. Cryptocurrency / gift card websites that accept credit cards
2. E-commerce: buy products and deliver them to domestic (local) receivers, who convert them into money
41. Card Using Setup 3: monetization approaches (continued)
3. Donate to malicious TikTok influencers (via TikTok coins) to turn the money into legitimate earnings
4. Money laundering through intangible goods such as NFTs and e-books: pay a malicious NFT / e-book seller on a platform
42. Card Using Setup 3: credit card limit estimation
Context: for fraudsters, a credit card stands for a real person with an unknown credit limit. A fraudster's goal is to steal as much as possible.
Expected usable amount: ~30% of the total credit limit
3 ways to estimate a credit card's value: evaluate from card info; social engineering; confirm on the card website
43. Card Using Setup 3: estimating the credit limit from card info
4 factors to evaluate a card's credit limit:
* Card BIN: to know the card level
* Age: card holders born in 1950-1970 usually have the highest amount
* Mobile phone number: compared with numbers starting with 03, 04, 090 or 050 (IP phone), phone numbers starting with 070 or 080 mean that the card has been used for a while
* Card expiration date: a nearer expiration date means the card was issued earlier, and older cards tend to have a higher credit limit
44. Card Using Setup 3: get into the card website to confirm the credit limit - examples
* EPOS Card: account login
* SAISON Card: new account registration
45. Card Using Setup 3: disable OTP authentication via social engineering
Steps and details:
1. Phone call: call the card company
2. Pass authentication: prepare answers to questions such as age
3. Make change: make an excuse to change the billing address and phone number
4. Wait: use the card after 4-5 days to bypass security rules
5. Use the card online
46. Card Using Setup 3: disable OTP authentication by removing the mobile phone number on the card membership website
Example - a Japanese credit card membership website
Task / input / output:
1. Forgot account ID and password: input the phished info → output the account ID
2. Change registered e-mail address: input a temporary e-mail address
3. Reset account password: output a new account password
4. Login: input the new account password
5. Disable mobile phone number → now the authentication method becomes the account password we set!
47. Card Using Setup 3: disable OTP authentication - example
Select "no mobile phone"; the authentication method changes to the account password
49. Use Card 4: cards are used to buy goods that can be easily resold
Popular goods: electric appliances; brand bags; tickets and gift cards; brand cosmetics; liquor; watches; Nike shoes
50. Use Card 4: cards are used to buy goods that can be easily resold (continued)
You can actually get a cheaper Tokyo Disneyland ticket on Taobao: Disney - 8,400 yen, Taobao - 6,708 yen
51. Use Card 4: receiver addresses - example
Dealers usually hand out a list of addresses dispersed across Japan so that one can be matched to a card victim's location
52. Use Card 4: to bypass the AVS (Address Verification System) check, fraudsters change the delivery address after an order is accepted, via the delivery company's webpage
53. Use Card 4: change addresses after an order is accepted - example
(Chat excerpt:)
"Can any JP delivery address be changed?"
"Kuroneko is common"
"These are the addresses changed"
"Other delivery companies let you change within several kilometers; with Kuroneko you can change to several thousand kilometers away, but half of them got held up"
58. Roles are broken down to avoid legal sanctions: Phisher, Card User, Monetization Dealer (shown over the value chain from slide 17)
59. Summary - key success factors for each role
* Phisher: firsthand e-mail databases for sending phishing mails; legit phishing kits and anti-bot mechanisms to bypass security rules; adequate e-mail contents to increase the ratio of successful delivery
* Card User: an honest card info supplier; patience and a solid environment setup to fake user behavior
* Monetization Dealer: recruiting enough domestic package receivers; abundant cashflow; cross-border money laundering techniques
60. Relevant stakeholders shall collaborate to defend effectively
(The value chain from slide 17, marking the parts we can defend)
61. First step: protect your customers with SMS OTP and 3DSecure
Trigger SMS OTP / 3DSecure whenever any of the following changed:
* Device fingerprint
* Time zone
* Browser language
* User agent
* Delivery address
* Receiver name
Expected effect: reducing card-not-present fraud by > 60%
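As an added example (not from the talk), one way an issuer or merchant could encode this trigger list, with the two OTP-disablement tactics from slides 45-47 folded in as extra rules: a phone, billing-address or e-mail change shortly before the card is used, and a removed mobile number. The profile shape, the 7-day window, the scenario data and the `hold_for_review` outcome are assumptions made for the example.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Slide 61: a change in any of these between the stored profile and the live
# request triggers SMS OTP / 3DSecure.
CONTEXT_FIELDS = ("device_fingerprint", "time_zone", "browser_language",
                  "user_agent", "delivery_address", "receiver_name")

# Slides 45-46: contact details the fraudster changes first, by phone call or
# on the membership site, so that the OTP no longer reaches the card holder.
CONTACT_FIELDS = ("phone", "billing_address", "email")

# Assumed window. Slide 45 says the card is used 4-5 days after the change to
# sit out the issuer's rules; 7 days still covers that and should be tuned
# against chargeback data.
RECENT_CHANGE_WINDOW = timedelta(days=7)


@dataclass
class Profile:
    context: Dict[str, str]                      # last verified values of CONTEXT_FIELDS
    mobile_number: Optional[str]                 # None once removed on the membership site
    changes: List[Tuple[datetime, str]] = field(default_factory=list)  # (when, field) audit trail


def step_up_reasons(profile: Profile, request: Dict[str, str], now: datetime) -> List[str]:
    """Names of the rules this request trips; an empty list means frictionless approval."""
    reasons = []
    for name in CONTEXT_FIELDS:
        if request.get(name) != profile.context.get(name):
            reasons.append("changed:" + name)
    for when, name in profile.changes:
        if name in CONTACT_FIELDS and timedelta(0) <= now - when <= RECENT_CHANGE_WINDOW:
            reasons.append("recent_change:" + name)
    if profile.mobile_number is None:
        # Slides 46-47: with the number removed, "authentication" has degraded
        # to the account password, which the attacker set.
        reasons.append("no_mobile_number")
    return reasons


def decide(reasons: List[str]) -> str:
    """approve, otp, or hold_for_review.

    An SMS OTP only proves something if the number predates the suspicious
    activity; after a recent phone change (or removal) the code would reach the
    attacker or nobody, so those requests are held for an out-of-band check
    instead of being challenged.
    """
    if not reasons:
        return "approve"
    if "no_mobile_number" in reasons or "recent_change:phone" in reasons:
        return "hold_for_review"
    return "otp"


def _baseline_profile(now: datetime) -> Profile:
    """Constructed card holder in Tokyo with an old, stable profile."""
    return Profile(
        context={"device_fingerprint": "fp-7c1e", "time_zone": "Asia/Tokyo",
                 "browser_language": "ja-JP", "user_agent": "Mozilla/5.0 (iPhone)",
                 "delivery_address": "Tokyo, Minato-ku, 1-1-1", "receiver_name": "Yamada Taro"},
        mobile_number="090-0000-0000",
        changes=[(now - timedelta(days=400), "email")],
    )


def run_scenarios() -> Dict[str, Dict[str, object]]:
    """Evaluate four constructed requests and return reasons and decisions for each."""
    now = datetime(2022, 9, 1, 12, 0)
    base = _baseline_profile(now)
    # Slide 19-20 setup: new device, GMT+8 VPS, Chinese browser, receiver address from a dealer.
    vps_request = {"device_fingerprint": "fp-9a02", "time_zone": "Asia/Shanghai",
                   "browser_language": "zh-CN", "user_agent": "Mozilla/5.0 (Windows NT 10.0)",
                   "delivery_address": "Osaka, Naniwa-ku, 2-2-2", "receiver_name": "Suzuki Jiro"}
    scenarios = {
        "legit_repeat_purchase": (base, dict(base.context)),
        "vps_from_gmt8": (base, vps_request),
        "after_phone_and_billing_change": (
            replace(base, changes=base.changes + [(now - timedelta(days=4), "phone"),
                                                  (now - timedelta(days=4), "billing_address")]),
            vps_request),
        "after_mobile_removed": (
            replace(base, mobile_number=None,
                    changes=base.changes + [(now - timedelta(days=1), "email")]),
            vps_request),
    }
    results = {}
    for name, (profile, request) in scenarios.items():
        reasons = step_up_reasons(profile, request, now)
        results[name] = {"reasons": reasons, "decision": decide(reasons)}
    return results


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result['decision']} {result['reasons']}")
```

The point of the `hold_for_review` branch is that an OTP sent to a number changed four days ago is an OTP sent to the fraudster; the audit trail of contact changes has to be an input to the step-up decision, not just a log.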
62. All stakeholders shall collaborate together to defend effectively and speedily.
[Diagram of the payment ecosystem entities: User; Merchant (e-commerce / POS); Payment Gateway (Stripe / Square); Acquirer Bank; Payment Network (Visa / Mastercard / Amex); Issuer Bank; Delivery]
Source: Security Certification in Payment Card Industry: Testbeds, Measurements, and Recommendations