In November 2019, I started monitoring the Bitcoin operation by the adversaries who hid IP addresses of their C&C server in the blockchain. In June 2020, I started collaborating with Professor Christian Doerr of the Hasso Plattner Institute based on the idea of redirecting C&C server communication to a sinkhole server (called takeover), and we successfully achieved this in August. However, the adversaries quickly took evasive action: they managed to implement an evasion mechanism in only two weeks and restarted their attack. Although we could not conduct our takeover, our monitoring system continued to work well. The end of their attack was brought about by the surge in Bitcoin prices. Because of the fees paid to Bitcoin miners, each transaction reduced the adversaries' profits, and we confirmed that the last C&C update was in January 2021 and that the attack infrastructure was abandoned in March. Since then, no similar attacks have been observed by my monitoring system.
Although this attack has already concluded and is unlikely to restart unless the value of Bitcoin declines, I would like to share the know-how I have learned through the direct confrontation with the adversaries. At the time of the confrontation, this attack was highly novel, and the adversaries themselves did not fully understand the best way to operate it. They needed to evolve their tactics, techniques, and procedures (TTPs) while operating the system. We carefully analyzed their TTPs and tried to catch them off guard. Even more troublesome was the need to understand as quickly as possible what they intended to do each time they were affected by the Bitcoin halving or made a simple operational error. This presentation is a culmination of my insights learned from interactions with these adversaries, and I am looking forward to sharing this information with everyone.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
Blockchain as a Foundation for Industrial IoT | Dr Craig S. WrightLiz Louw
At the International Conference on Internet of Things and Intelligence System (IoTAIS) from 24 to 26 November 2022, Dr Craig S. Wright, inventor of Bitcoin, delivered the keynote address. His talk introduced Bitcoin SV as a scalable blockchain and thus also as a network protocol set up to be the optimal solution for IoT devices to communicate on a global scale.
Internet of Things (IoT) two-factor authentication using blockchainDavid Wood
Presented at the Ethereum Engineering Group Meetup in Brisbane, Australia, on 13 Nov 2019. We report on research to use an Ethereum blockchain as an MFA and/or MPA device to secure command channels on IoT networks, even when the underlying network may be compromised.
Istio ambient mesh uses a sidecar-less data plane that focuses on ease of operations, incremental adoption, and separation of security boundaries for applications and mesh infrastructure.
In this webinar, we'll explore:
- The forces of modernization and compliance pressures,
- How Zero Trust Architecture (ZTA) can help, and
- How Istio ambient mesh lowers the barrier for establishing the properties necessary to achieve Zero Trust and compliance
As the pioneer of the decentralized platform as a service (dPaaS), Provide Technologies is the maker of the blockchain acceleration platform. Our focus is to accelerate blockchain adoption in the enterprise by slashing the complexities of delivering distributed ledger technologies (DLTs) at scale.
We are the foundation for how the most important companies are reshaping markets today through decentralization.
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...NoNameCon
Talk by Stanislav Kolenkin & Igor Khoroshchenko at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/3EXNKX/
We will try to describe the most interesting security problems with Kubernetes environments from a DevOps and Security side.
We'll discuss the actual cloud security threats and trends for 2019.
Look behind the curtain of modern data breaches, weak identity and access management and incident response flaws.
The rise of Serverless and Kubernetes as Enterprise solutions and lack of related security expertise during SDLC.
Summarize the analytics and practical research on adversaries' techniques and tactics, mass scanning of cloud services, and the uncertainty of the business impacts behind them.
Provide materials for further education.
[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notificatio...CODE BLUE
Tons of insecure IoT devices are out there, ready to be compromised to join the next IoT botnet or misused in even more serious threats. Since many of them are unmanaged, the situation does not seem likely to improve naturally in the short term. This talk will focus on a series of efforts on discovery, monitoring, analysis, and notification of these devices, trying to clean up "the mess".
Commit to the Cause, Push for Change: Contributing to Call for Code Open Sour...Daniel Krook
Materials for the OPEN TALK: Commit to the Cause, Push for Change: Contributing to Call for Code Open Source Projects session at DeveloperWeek Virtual on February 18, 2020
https://www.developerweek.com/conference/
Daniel Krook
IBM, Chief Technology Officer for the Call for Code Global Initiative
Andres Meira
Grillo, Founder & CEO
Lakshyana K.C.
Build Change, Technology Consultant
Call for Code is a multi-year program that calls on developers to create practical, effective, and high-quality applications based on one or more IBM Cloud services (for example, web, mobile, data, analytics, AI, IoT, or weather) or Red Hat platforms (including OpenShift) to build a solution that can have an immediate and lasting impact on humanitarian issues as open source projects. In this session you'll learn more about the solutions built to tackle natural hazards, climate change, and the pandemic. What sets Call for Code apart from other technology-for-good competitions is the commitment to deploy the winning solutions with the IBM Service Corps and to help teams build sustainable open source communities through The Linux Foundation. Join us at this talk to hear about the most recent winning projects, get an update on previous year's progress, and learn about how to contribute to two projects directly from the developers.
Growing up fast: Kubernetes and Real-Time Analytic ApplicationsDoKC
Kubernetes is turning into a preferred platform for real-time analytic apps that crunch billions of events per day and return insights in seconds. In this talk we'll introduce the standard analytic app design pattern of fast event streams coupled with low-latency data warehouses, using open source projects. We'll then walk through deploying the pipeline on Kubernetes from ingest to end user access. We'll touch on the use of operators, scaling, monitoring, upgrades, security, and approaches to adding custom components. Attendees can expect to leave with concrete lessons about how to stand up low-latency analytics quickly on Kubernetes.
This talk was given by Robert Hodges for DoK Day Europe @ KubeCon 2022.
Security and Authentication of Internet of Things (IoT) DevicesSanjayKumarYadav58
The proposed scheme deals with an authentication and security model for IoT applications. It is based on protecting the network from intruders, decreasing the authentication complexity, and increasing the communication efficiency of network devices. A signature-based authentication scheme is proposed for mutual authentication among users and devices in the network. The proposed scheme gives better results compared to existing solutions in terms of End-To-End (E2E), throughput, and packet delivery ratio. The proposed scheme is implemented on Network Simulator (NS2).
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...apidays
apidays LIVE New York 2021 - API-driven Regulations for Finance, Insurance, and Healthcare
July 28 & 29, 2021
Simplify Open Policy Agent with Styra DAS
Tim Hinrichs, Co-Founder & CTO at Styra
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services as well as blue team incident response and defense consultation for major global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS Institute and holds numerous GIAC certifications. Currently, he is working with other Yamato Security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
Most 5G networks are built in fundamentally new ways, opening new hacking avenues.
Mobile networks have so far been monolithic systems from big vendors; now they become open vendor-mixed ecosystems. Networks are rapidly adopting cloud technologies including dockerization and orchestration. Cloud hacking techniques become highly relevant to mobile networks.
The talk dives into the hacking potential of the technologies needed for these open networks. We illustrate the security challenges with vulnerabilities we found in real-world networks.
Similar to [cb22] What I learned from the direct confrontation with the adversaries who hid C&C server information in the blockchain en by Tsuyoshi Taniguchi
Arbor, Securing the Future
Visibility + Automation & Integration
Moncef ZID
Territory Manager North Africa
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
Printers have become one of the essential devices in the corporate intranet over the past few years, and their functionality has also increased significantly. Beyond printing and faxing, cloud printing services like AirPrint are also supported to make them easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use printers to print internal business documents of the company, which makes it even more important to keep them safe.
Nowadays, most of the printers on the market do not have to be connected with USB or a traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems but use an RTOS (Real-Time Operating System) instead. How does this affect the attacker?
In this talk, we will use the Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case studies, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principles of disclosure and of protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
Yuuma Taki is enrolled in the Hokkaido Information University Information Media Faculty of Information Media (4th year).
At university he is focusing on learning about security for lower-level components, such as the OS and CPU. In his third year of undergraduate school, he worked on trying to implement the OS security mechanism "KASLR" at SecHack365.
Currently, he is learning about ROP-derived techniques and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi-automated approach to "see through" the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method's validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles: the "Daily Cycle," the "Campaign Cycle," and the "Post-exploit Cycle." The "Daily Cycle" collects massive numbers of credentials and uses the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops a lot of new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially at a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaigns) attempt to spread disinformation, incite protests in the physical world, and dox journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently we saw the newly created bots turn to posting artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguising themselves as members of the “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing Chinese bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
Malware written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and libraries, making analysis difficult for analysts. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
Malware analysts normally obtain IP addresses of the malware's command & control (C2) servers by analyzing samples. This approach works in commoditized attacks or campaigns. However, with targeted attacks using APT malware, it's difficult to acquire a sufficient number of samples for organizations other than antivirus companies. As a result, malware C2 IOCs collected by a single organization are just the tip of the iceberg.
For years, I have reversed the C2 protocols of high-profile APT malware families then discovered the active C2 servers on the Internet by emulating the protocols. In this presentation, I will explain how to emulate the protocols of two long-term pieces of malware used by PRC-linked cyber espionage threat actors: Winnti 4.0 and ShadowPad.
Both pieces of malware support multiple C2 protocols like TCP/TLS/HTTP/HTTPS/UDP. It's also common to have different data formats and encoding algorithms per protocol in one piece of malware. I'll cover the protocol details while referring to unique functions such as server-mode in Winnti 4.0 and multiple protocols listening on a single port in ShadowPad. Additionally, I'll share the findings regarding Internet-wide C2 scanning and its limitations.
After the presentation, I'll publish over 140 C2 IOCs with the date ranges in which they were discovered. These dates are more helpful than just IP address information since the C2s are typically found on hosted servers, meaning that the C2 could sometimes exist on a specific IP only for a very limited time. 65% of these IOCs have 0 detection on VirusTotal as of the time of this writing.
0x01 - Newton's Third Law: Static vs. Dynamic Abusers (OWASP Beja)
If you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it for their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
[cb22] What I learned from the direct confrontation with the adversaries who hid C&C server information in the blockchain en by Tsuyoshi Taniguchi
1. CODE BLUE 2022
What I Learned from the Direct Confrontation with the Adversaries who Hid C&C Server Information in the Blockchain
Tsuyoshi Taniguchi
Fujitsu System Integration Laboratories LTD.
October 27, 2022
Copyright 2022 Fujitsu System Integration Laboratories Limited
2. DNS Abuse vs Blockchain Abuse
[Diagram: malware learns its C&C server either from a DNS server (DNS abuse) or from the blockchain (blockchain abuse)]
Detection of DNS abuse: Cyber Threat Intelligence, Passive DNS, Active DNS, WHOIS history, subdomain (CODE BLUE 2017 Day0; CODE BLUE 2018, 2020, 2021)
Detection of blockchain abuse: Black Hat Asia 2021 Briefings; ACM ASIACCS 2021; international collaboration with Prof. Doerr (Hasso Plattner Institute)
3. Tsuyoshi TANIGUCHI
⚫ Fujitsu System Integration Laboratories Researcher, Ph.D.
⚫ Mar. 2008 - Hokkaido University Ph.D. (computer science)
⚫ Apr. 2008 - Researcher, FUJITSU
⚫ Apr. 2016 - Researcher, FUJITSU SYSTEM INTEGRATION LABORATORIES LTD
⚫ Speaker
  ⚫ CODE BLUE 2017 Day0 Special Track Counter Cyber Crime Track
  ⚫ CODE BLUE 2018, 2020, 2021
  ⚫ Black Hat Asia 2021, ACM ASIACCS 2021
  ⚫ International collaboration with Prof. Doerr (Hasso Plattner Institute)
Please search ACM Tsuyoshi Taniguchi
-> The table of C&C server IP addresses (Table 5)
-> You can find malware samples on VirusTotal by searching for the IP addresses (there are cases where malware samples not related to this attack are found)
4. Timeline
[Timeline figure, Oct. 2019 to Jun. 2021: WS; Monitoring start; Detection of change of Bitcoin addresses; Collaboration proposal; Collaboration start. Phases: Fujitsu alone, then international collaboration with HPI]
5. Timeline
[Timeline figure, Oct. 2019 to Jun. 2021: WS; Monitoring start; Detection of change of Bitcoin addresses; Collaboration proposal; Collaboration start (Fujitsu alone, then international collaboration with HPI); Takeover, which led C&C communication to our sinkhole server; Implementation of the evasive mechanism within around two weeks]
6. Timeline
[Timeline figure, Oct. 2019 to Jun. 2021: WS; Monitoring start; Detection of change of Bitcoin addresses; Collaboration proposal; Collaboration start (Fujitsu alone, then international collaboration with HPI); Takeover; Implementation of the evasive mechanism; Abandonment of the attack infrastructure; Black Hat Asia 2021; ASIACCS 2021]
7. Today’s Presentation
[Timeline figure, Oct. 2019 to Jun. 2021: WS; Monitoring start; Detection of change of Bitcoin addresses; Collaboration proposal; Collaboration start (Fujitsu alone, then international collaboration with HPI); Takeover; Implementation of the evasive mechanism; Abandonment of the attack infrastructure]
For CODE BLUE 2022: the essence of (pre-)analysis in order to succeed in taking over
8. What I Learned from the Direct Confrontation with the Adversaries who Hid C&C Server Information in the Blockchain
1. - 6. (agenda items, revealed on the following slides)
9. Overview of Our System and Division of Roles
[Diagram: the phishing group's malware (Pony) reads C&C server information from the Bitcoin blockchain; the defender redirects the C&C communication to a sinkhole server]
HPI: analysis of malware, sinkhole server operation
Fujitsu: analysis of Bitcoin operation, monitoring system
10. What I Learned from the Direct Confrontation with the Adversaries who Hid C&C Server Information in the Blockchain
1. Ethical Considerations
2. - 6. (revealed on later slides)
11. The Way of Hiding C&C Server Information in the Blockchain
[Diagram: the C&C server IP address 142.93.0.206 is hidden in the two most recent transactions related to a particular Bitcoin address]
12. The Principle of Takeover -> Success on Aug. 14, 2020
⚫ To send Bitcoin hiding the IP address of our sinkhole server to the Bitcoin address controlled by the adversaries
[Diagram: our two transactions replace the C&C server with our sinkhole server]
13. 1. Ethical Considerations: Exfiltrated Files
[Diagram: exfiltrated files on the C&C server; our sinkhole server]
⚫ We must not download any exfiltrated files
14. Download DLL
[Diagram: sinkhole server, C&C server, DLL download]
15. Deletion of Malware Itself by Self-Protection Mechanism
[Diagram: sinkhole server, C&C server]
⚫ Extermination of the malware by our takeover
16. 1. Ethical Considerations
⚫ Ethical considerations in cyber security
  ⚫ Report to providers whose IP addresses are abused by adversaries
  ⚫ Report to software vendors whose products have vulnerabilities
⚫ This case: exfiltrated files from infected clients
  ⚫ If we download the exfiltrated files, we are colleagues of the phishing group
⚫ After the takeover design, we had many considerations
  ⚫ We realized both disturbance of the C&C communication and extermination of the malware
⚫ Important point in order to protect ourselves from an ethical viewpoint
17. What I Learned from the Direct Confrontation with the Adversaries who Hid C&C Server Information in the Blockchain
1. Ethical Considerations
2. The Importance of Hypothesis Verification
3. - 6. (revealed on later slides)
18. Back to the Initial Stage of Monitoring from the Highlight of International Collaboration
[Timeline figure, Oct. 2019 to Jun. 2021: WS; Monitoring start; Detection of change of Bitcoin addresses; Collaboration proposal; Collaboration start (Fujitsu alone, then international collaboration with HPI); Takeover; Implementation of the evasive mechanism; Abandonment of the attack infrastructure]
19. 2. The Importance of Hypothesis Verification
⚫ Hypothesis verification in cyber security
  ⚫ To anticipate vulnerabilities in an organization's network, then verify them with related tools
  ⚫ To anticipate vulnerabilities of tools, then verify
⚫ The hypothesis verification in this case
  ⚫ Evasive behavior against our takeover
  ⚫ Hypothesis: after identifying our takeover, the adversaries take an evasive action
  ⚫ Verification:
20. The First Stage of Bitcoin Operation
⚫ Three types of Bitcoin addresses
  ⚫ Sender: disposable addresses through Bitcoin exchange services
  ⚫ IP signal: static addresses made by the adversaries
  ⚫ Collector
[Diagram: many Sender addresses -> IP signal addresses -> Collector]
21. Bitcoin Addresses for This Attack
⚫ IP signal
  ⚫ 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ: 1BkeG (abbreviation)
  ⚫ 1CeLgFDu917tgtunhJZ6BA2YdR559Boy9Y: 1CeLg (abbreviation)
⚫ Collector
  ⚫ 1PFSS4kdTxvVhrti4fM3jK9FLhUt5zZf6i: 1PFSS (abbreviation)
⚫ Since transactions in the blockchain are open, you can verify all transactions related to 1BkeG, 1CeLg, and 1PFSS
  ⚫ Table 1 in our ASIACCS paper
22. My Hypothesis in the First Stage of Monitoring
⚫ If the adversaries change the IP signal, then I can detect the changed IP signal in the circulation of the Bitcoin operation
[Diagram: Sender A and Sender B -> IP signal 1 -> C&C server; Sender X and Sender Y -> IP signal 2; both IP signals -> Collector]
23. Bitcoin Operation: Nov. 15 to 30, 2019
[Transaction graph of 1BkeG, 1CeLg, and 1PFSS, drawn with Gephi: https://gephi.org/]
24. Bitcoin Operation: Dec. 1 to 10, 2019
[Transaction graph of 1BkeG and 1CeLg]
• The adversaries changed the IP signal from 1BkeG to 1CeLg
• I confirmed malware samples which communicated with 1CeLg
25. Bitcoin Operation: Dec. 10 to 12, 2019
[Transaction graph of 1BkeG, 1CeLg, 1N94r, 1PFSS, and 19hi8]
Collected Bitcoin from 1BkeG and 1CeLg to 1PFSS
-> moved Bitcoin from 1PFSS to 1N94r
-> sent Bitcoin from 1N94r to 1BkeG and 19hi8
26. Newly Added Bitcoin Addresses
⚫ IP signal
  ⚫ 19hi8BJ7HxKK45aLVdMbzE6oTSW5mGYC82: 19hi8 (abbreviation)
⚫ Collector
  ⚫ 1N94rYBBCZSnLoK56omRkAPRFrpr5t8C1y: 1N94r (abbreviation)
27. Bitcoin Operation in the Final Stage
⚫ The functions of sender and collector were aggregated into 1N94r
⚫ Back to 1BkeG from 1CeLg for the IP signal
[Transaction graph: 1N94r -> 1BkeG, 19hi8]
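The circulation on slides 20 to 27 (Sender -> IP signal -> Collector -> new Sender -> IP signal) is what the slide-22 hypothesis relies on: a changed IP-signal address is reachable from the old one by following outputs. As an added example that is not the presenter's monitoring system, the Python below walks that circulation three hops downstream from the known IP-signal addresses and reports the addresses found at each hop, with the path that led there so an analyst can review it. The transfer list is constructed from the Dec. 10 to 12, 2019 flow on slide 25; senderA, senderB and senderC are hypothetical disposable sender addresses, and the page's five-character abbreviations stand in for the full addresses.

```python
"""Infer Bitcoin address roles from the circulation of funds.

Added example (not the presenter's code). Walks outputs downstream from
the known IP-signal addresses: hop 1 = collector, hop 2 = sender,
hop 3 = IP signal. Any hop-3 address that is not already known is a
candidate new IP-signal address.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed transfer list (from_address, to_address), chronological.
# Sender addresses are hypothetical; the rest are the page's abbreviations.
TRANSFERS: List[Tuple[str, str]] = [
    ("senderA", "1BkeG"),
    ("senderB", "1BkeG"),
    ("senderC", "1CeLg"),
    ("1BkeG", "1PFSS"),   # collected Bitcoin from 1BkeG and 1CeLg to 1PFSS
    ("1CeLg", "1PFSS"),
    ("1PFSS", "1N94r"),   # moved Bitcoin from 1PFSS to 1N94r
    ("1N94r", "1BkeG"),   # sent Bitcoin from 1N94r to 1BkeG and 19hi8
    ("1N94r", "19hi8"),
]


def outgoing_index(transfers: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each address to the set of addresses it has sent to."""
    idx: Dict[str, Set[str]] = defaultdict(set)
    for src, dst in transfers:
        idx[src].add(dst)
    return idx


def downstream_paths(idx: Dict[str, Set[str]], start: Set[str], hops: int) -> List[List[str]]:
    """Every path of exactly `hops` output-following steps from `start`."""
    paths = [[s] for s in sorted(start)]
    for _ in range(hops):
        paths = [p + [dst] for p in paths for dst in sorted(idx.get(p[-1], ()))]
    return paths


def infer_roles(transfers: Iterable[Tuple[str, str]], known_ip_signals: Iterable[str]) -> dict:
    """Return the addresses at each role hop plus the paths explaining them."""
    idx = outgoing_index(transfers)
    known = set(known_ip_signals)
    paths = downstream_paths(idx, known, 3)
    return {
        "collectors": {p[1] for p in paths},
        "senders": {p[2] for p in paths},
        "new_ip_signals": {p[3] for p in paths} - known,
        "paths": paths,
    }


if __name__ == "__main__":
    roles = infer_roles(TRANSFERS, {"1BkeG", "1CeLg"})
    for key in ("collectors", "senders", "new_ip_signals"):
        print(f"{key}: {sorted(roles[key])}")
    for path in roles["paths"]:
        print(" -> ".join(path))
```

Run against the constructed transfers, the walk returns 1PFSS as collector, 1N94r at the sender hop (consistent with slide 27, where sender and collector were aggregated into 1N94r), and 19hi8 as the only new IP-signal candidate. As on slide 24, a candidate is confirmed only once malware samples that read it are found; the graph walk narrows the search, it does not settle it.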
28. The Design Mistake for Hiding C&C IP Addresses in the Blockchain
[Diagram: the adversaries' Sender and Our sender both send to the IP signal address]
⚫ The adversaries sent Bitcoin hiding the C&C IP address
⚫ Anybody could send Bitcoin hiding any IP address
⚫ Malware did not check where the incoming Bitcoin came from
29. Takeover Evasive Mechanism
[Diagram: Sender -> IP signal; Our sender -> IP signal]
⚫ Implementation of the takeover evasive mechanism within around two weeks
  ⚫ Accessed transactions related to the sender
  ⚫ We could send Bitcoin
31. Against Takeover Evasive Mechanism
⚫ To send Bitcoin hiding our sinkhole server IP address to 1N94r
[Diagram: Our sender -> 1N94r -> 1BkeG]
32. Detection Evasion by Changing Bitcoin Address
[Diagram: Sender -> IP signal; a second IP signal address as a refuge]
I detected the IP signal change in Dec. 2019
-> technically possible, but the adversaries did not change the IP signal after evading our takeover
33. 2. The Importance of Hypothesis Verification
⚫ Hypothesis: detection evasion by changing the IP signal
⚫ Verification: the adversaries changed the IP signal in Dec. 2019, but did not change it after evading our takeover
⚫ Notice
  ⚫ IP signal change: technically possible, but much cost for synchronizing the malware implementation and changing the Bitcoin addresses?
  ⚫ In the process of the verification, I identified the issue from the adversary’s side
⚫ The hypothesis verification process itself is important
34. What I Learned from the Direct Confrontation with the Adversaries who Hid C&C Server Information in the Blockchain
1. Ethical Considerations
2. The Importance of Hypothesis Verification
3. Consciousness of the Relation Between the Cyberattacks and the Worldwide Event
4. - 6. (revealed on later slides)
35. C&C Server Update Time Change
[Chart of C&C server update times from Aug. 2019 to Jan. 2021, with marks at Mar. 2020, May 2020 and Aug. 2020: daytime -> midnight (UTC); fee soar influenced by the Bitcoin halving. Drawn with Metabase: https://www.metabase.com/]
36. 3. Consciousness of the Relation Between the Cyberattacks and the Worldwide Event
⚫ C&C server update time (Bitcoin trade time) in May 2020
  ⚫ Daytime -> midnight (UTC)
  ⚫ After conducting in-depth analysis from various viewpoints, I found the fee soar
⚫ Examination regarding fee setting
  ⚫ I identified the Bitcoin halving
  ⚫ May 11, 2020 (UTC): 630,000 blocks
  ⚫ Fees tend to be low during midnight since the number of trades decreases
⚫ It is important to broaden your horizons, including the relation between cyberattacks and worldwide events
37. What I Learned from the Direct Confrontation with the Adversaries who Hid C&C Server Information in the Blockchain
1. Ethical Considerations
2. The Importance of Hypothesis Verification
3. Consciousness of the Relation Between the Cyberattacks and the Worldwide Event
4. Adversary’s Intention Behind Tactics, Techniques, and Procedures (TTPs) Evolution
5. - 6. (revealed on later slides)
38. 4. Adversary’s Intention Behind TTPs Evolution
⚫ Behind TTPs evolution
  ⚫ To improve methods
  ⚫ To cope with troubles
⚫ Change of trading time in May 2020
  ⚫ To save on transaction fees for miners, avoiding the influence of the Bitcoin halving
⚫ Change of the strategy of selecting blocks in Jul. 2020
  ⚫ The second case study in our Black Hat Asia 2021 presentation
  ⚫ To explore the way of controlling the order of confirmations of two transactions
39. What I Learned from the Direct Confrontation with the Adversaries who Hid C&C Server Information in the Blockchain
1. Ethical Considerations
2. The Importance of Hypothesis Verification
3. Consciousness of the Relation Between the Cyberattacks and the Worldwide Event
4. Adversary’s Intention Behind TTPs Evolution
5. Operational Error by the Adversaries
6. (revealed on a later slide)
40. Mistakenly Sent Bitcoin
⚫ Three transactions: change of Bitcoin addresses in Dec. 2019 (test?)
⚫ Others: mistakenly sent Bitcoin

1BkeG
Date                     Amount (satoshi)   IP octets
5:33:19, Dec. 11, 2019   31,683             195.123    (test?)
8:39:45, Jul. 24, 2020   10,818             66.42

19hi8
Date                     Amount (satoshi)   IP octets
5:22:28, Dec. 11, 2019   31,683             195.123    (test?)
9:39:13, Apr. 22, 2020   15,573             213.60
3:11:43, Jul. 22, 2020   27,052             172.105

1CeLg
Date                     Amount (satoshi)   IP octets
12:9:19, Dec. 10, 2019   19,508             52.76      (test?)
41. Mistakenly Sent Bitcoin
2020/7/24 5:46   31,366 Satoshi -> 134.122
2020/7/24 5:55   64,792 Satoshi -> 24.253
2020/7/24 8:39   10,818 Satoshi -> 66.42
2020/7/24 8:58   31,366 Satoshi -> 134.122
2020/7/24 9:02   64,792 Satoshi -> 24.253
134.122.24.253 -> samples in VirusTotal
66.42.134.122 -> no samples
⚫ Adversary’s side: no influence
  ⚫ Soon after mistakenly sending Bitcoin, they sent the correct two transactions again
⚫ Defender’s side: big influence
  ⚫ When I traced back through the transactions, these wrong transactions were not paired with any transaction
42. What I Learned from the Direct Confrontation with the Adversaries who Hid C&C Server Information in the Blockchain
1. Ethical Considerations
2. The Importance of Hypothesis Verification
3. Consciousness of the Relation Between the Cyberattacks and the Worldwide Event
4. Adversary’s Intention Behind TTPs Evolution
5. Operational Error by the Adversaries
6. Long Term Data Collection
43. 6. Long Term Data Collection
⚫ C&C IP address update: around 200 times from Sep. 2019 to Aug. 2020
⚫ My data collection: from Sep. 2019 to Jan. 2021
⚫ Design of the data collection
  ⚫ Consideration of the limit on the number of transactions returned by the blockchain API
    ⚫ Ex. 50 transactions
  ⚫ Dealing with wrong transactions
    ⚫ My implementation: skip reading wrong transactions
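Slides 11, 40, 41 and 43 together give enough to decode the signal: each transaction to the IP-signal address carries two octets in its satoshi amount, low octet first (31,683 satoshi -> 195.123, because 195 + 123 * 256 = 31,683), and the two most recent transactions give the full a.b.c.d address. The Python below is an added example, not the presenter's monitoring code. Its transactions are constructed from the Jul. 24, 2020 amounts on slide 41 with placeholder txids, and the rule it uses to flag the mistaken send (a lone transaction immediately followed by an exact re-send of the previous pair) is my assumption rather than the presenter's "skip reading wrong transactions" implementation, whose criterion the slides do not state.

```python
"""Decode C&C IPv4 addresses hidden in Bitcoin transaction amounts.

Added example (not the presenter's code). Encoding rule as read from the
slide tables: amount = a + 256*b carries octets a.b; the two most recent
transactions to the IP-signal address give a.b.c.d.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str        # placeholder id, not a real transaction hash
    time: datetime
    satoshi: int     # amount received by the IP-signal address


# Constructed from the Jul. 24, 2020 amounts on slide 41.
SAMPLE_TXS: List[Tx] = [
    Tx("tx1", datetime(2020, 7, 24, 5, 46), 31_366),
    Tx("tx2", datetime(2020, 7, 24, 5, 55), 64_792),
    Tx("tx3", datetime(2020, 7, 24, 8, 39), 10_818),   # the mistaken send
    Tx("tx4", datetime(2020, 7, 24, 8, 58), 31_366),   # corrected pair, re-sent
    Tx("tx5", datetime(2020, 7, 24, 9, 2), 64_792),
]


def octets_from_amount(satoshi: int) -> Tuple[int, int]:
    """Low byte is the first octet, high byte the second (31,683 -> 195.123)."""
    if not 0 <= satoshi <= 0xFFFF:
        raise ValueError(f"{satoshi} satoshi cannot encode two octets")
    return satoshi & 0xFF, satoshi >> 8


def decode_pair(first: int, second: int) -> str:
    """Older transaction gives a.b, newer one gives c.d."""
    a, b = octets_from_amount(first)
    c, d = octets_from_amount(second)
    return f"{a}.{b}.{c}.{d}"


def _ordered(txs: Iterable[Tx], skip: Set[str]) -> List[Tx]:
    return sorted((t for t in txs if t.txid not in skip), key=lambda t: t.time)


def latest_c2(txs: Iterable[Tx], skip: Set[str] = frozenset()) -> str:
    """What the malware computes: the two most recent transactions."""
    kept = _ordered(txs, skip)
    if len(kept) < 2:
        raise ValueError("need at least two transactions")
    return decode_pair(kept[-2].satoshi, kept[-1].satoshi)


def c2_history(txs: Iterable[Tx], skip: Set[str] = frozenset()) -> List[Tuple[datetime, str]]:
    """Walk the log in consecutive pairs, as a long-term collector does;
    a trailing unpaired transaction is left out."""
    kept = _ordered(txs, skip)
    return [(second.time, decode_pair(first.satoshi, second.satoshi))
            for first, second in zip(kept[0::2], kept[1::2])]


def flag_stray_transactions(txs: Iterable[Tx]) -> Set[str]:
    """Assumed heuristic (mine, not the presenter's): a single transaction
    immediately followed by an exact re-send of the preceding pair is a
    mistaken send and should be skipped when pairing."""
    ordered = _ordered(txs, frozenset())
    stray: Set[str] = set()
    for i in range(2, len(ordered) - 2):
        prev_pair = (ordered[i - 2].satoshi, ordered[i - 1].satoshi)
        next_pair = (ordered[i + 1].satoshi, ordered[i + 2].satoshi)
        if prev_pair == next_pair:
            stray.add(ordered[i].txid)
    return stray


if __name__ == "__main__":
    stray = flag_stray_transactions(SAMPLE_TXS)
    print("stray:", sorted(stray))
    for when, ip in c2_history(SAMPLE_TXS, skip=stray):
        print(when.isoformat(), ip)
```

Without skipping, pairing from the start yields 66.42.134.122 for the 8:39/8:58 pair, the address with no samples on VirusTotal; with tx3 skipped the history reads 134.122.24.253 twice. latest_c2 mirrors what the malware itself computes from the two most recent transactions, which is why the stray transaction did not disturb the adversaries once the corrected pair had landed, while a collector that pairs transactions from the start is thrown off by it.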
44. What I Learned from the Direct Confrontation with the Adversaries who Hid C&C Server Information in the Blockchain
1. Ethical Considerations
2. The Importance of Hypothesis Verification
3. Consciousness of the Relation Between the Cyberattacks and the Worldwide Event
4. Adversary’s Intention Behind TTPs Evolution
5. Operational Error by the Adversaries
6. Long Term Data Collection
45. 3. Consciousness of the Relation Between the Cyberattacks and the Worldwide Event
[Diagram of one update transaction: Sender, IP signal, 1,000,000 Satoshi, 100,000 Satoshi, 870,000 Satoshi, 970,000 Satoshi, Fee]
Fee soar influenced by the Bitcoin halving: 30,000 Satoshi -> 60,000 Satoshi
30,000 Satoshi: around $3 (as of Aug. 2020, 1 BTC = $10,000) -> around $18 (as of Mar. 2021, 1 BTC = $60,000)
Bitcoin soar -> abandonment of the attack infrastructure
46. Thank you