
Sheng-Hao Ma

SPEAKER

TXOne Networks Threat Researcher

Sheng-Hao Ma (@aaaddress1) is currently a threat researcher at TXOne Networks and has specialized in Windows reverse engineering for over 10 years. He is also a member of CHROOT, an information security community in Taiwan. He has served as a speaker and instructor for international conferences and organizations such as DEFCON, HITB, Black Hat USA, VXCON, HITCON, ROOTCON, the Ministry of National Defense, and the Ministry of Education. He is the author of the popular security book "Windows APT Warfare: The Definitive Guide for Malware Researchers".

Speech

Red Team Forum

SEP 22


I Defend against Your Defense: LSALSASSUSELESS ;)

09/22 (Thu) 16:30 - 17:00 7F 701F
TXOne Networks Threat Researcher / Sheng-Hao Ma

It is well known that attackers in large-scale APT operations run by national cyber armies move laterally inside organizations by using Mimikatz for password theft and credential dumping.

In detail, this technique involves a chain of high-risk behaviors: privilege escalation, opening a handle to LSASS, dumping its memory, and so on. The major endpoint security products will undoubtedly claim that they detect and prevent such attacks, but this is not the case.

In this session we focus on the tactics of password theft and survey the security solutions used by modern enterprises. We then take the attacker's point of view and, following Project Zero's attack practice, demonstrate how to break each one. The session ends with multiple proofs of concept, mitigation suggestions, and advice on selecting protection solutions.
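The check a defender actually wants for the LSASS step described above is a rule over process-access telemetry rather than a vendor's claim. The following Python is an added example and not part of the talk or its proofs of concept: it runs a bitmask rule over constructed Sysmon Event ID 10 (ProcessAccess) records, flattened to one key=value line each. The field names (SourceImage, TargetImage, GrantedAccess) are Sysmon's; the paths, values and the allow-list are assumptions made up for the example.

```python
import re

# Process access rights from the Windows SDK (winnt.h).
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Source images that legitimately open LSASS with read access on a stock system.
# Matched on the full lower-cased path, not the basename: an attacker can name a
# dropper "svchost.exe" in %TEMP%. This list is an assumption for the example and
# must be tuned per environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed Sysmon Event ID 10 records flattened to key=value lines.
# Field names match Sysmon; every value is made up for this example.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Users\bob\Downloads\mimikatz.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1fffff",
    r"EventID=10 SourceImage=C:\Tools\procdump64.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1fffff",
    r"EventID=10 SourceImage=C:\Users\bob\AppData\Local\Temp\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1438",
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1fffff",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one flattened key=value record into a dict (constructed format;
    a real pipeline would read the EVTX/XML event instead)."""
    return dict(FIELD_RE.findall(line))


def is_lsass_read(event):
    """True when the event is a handle to lsass.exe carrying memory read or
    write rights. PROCESS_QUERY_LIMITED_INFORMATION alone (0x1000) is routine
    and is not flagged; the rule is a bitmask test, so it does not depend on
    an exact list of known-bad masks such as 0x1010 or 0x1fffff."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    mask = int(event.get("GrantedAccess", "0"), 16)
    return bool(mask & (PROCESS_VM_READ | PROCESS_VM_WRITE))


def detect_lsass_access(lines):
    """Return (source_image, granted_access) for every suspicious LSASS handle,
    skipping sources on the full-path allow-list."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if not is_lsass_read(event):
            continue
        source = event.get("SourceImage", "")
        if source.lower() in ALLOWED_SOURCES:
            continue
        hits.append((source, event["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, access in detect_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT: lsass.exe opened with {access} by {source}")
```

Of the six constructed records, the rule raises three: the Downloads mimikatz.exe (0x1010, VM_READ plus QUERY_LIMITED_INFORMATION), procdump64.exe (0x1fffff) and the svchost.exe running from a user's Temp directory (0x1438), while the System32 svchost.exe with 0x1000 and the allow-listed csrss.exe are ignored. The allow-list is the weak point of any such rule: it must be maintained per environment, and the talk's point is precisely that products which stop at a rule like this are bypassable, so treat it as one layer, not the defense.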

Threat Research Forum

SEP 21


Type Confusion in the Wild: from the security Blindspot to Abuse

09/21 (Wed) 16:45 - 17:15 7F 701D
TXOne Networks Threat Researcher / Sheng-Hao Ma

Obfuscated File Extension (OFE) is a classic Web exploit technique. An attacker uploads a JPG file to a server that has an arbitrary file upload vulnerability, then gets the contents of the image file executed as a PHP web shell. Boom! The entire server is taken down.

But in today's world of cyber attacks, has this technique really never been used against non-Web targets such as enterprise endpoints and home computers? It absolutely has.

In this session we will trace the path from the modern malware analyzer to the defensive design of today's security solutions and the 1% blind spot in that design. We will then use several PoCs to explain how attackers turn that 1% blind spot into a 100% one, spoofing file types with OFE tricks to win the trust of security products.
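The blind spot in the abstract above is a file-type decision made from the first few bytes. The following Python is an added example, not one of the talk's PoCs: it builds a structurally valid JPEG whose COM segment carries a script open tag, shows that a magic-byte sniffer classifies it as image/jpeg, and then walks the JPEG segment structure to find the embedded code, including the common variant of appending the payload after the EOI marker. The payload is a harmless placeholder string chosen for the example, not a web shell.

```python
import struct

SOI, EOI, APP0, COM, SOS = 0xD8, 0xD9, 0xE0, 0xFE, 0xDA

# Harmless placeholder standing in for a web shell (constructed for this example).
PHP_TAG = b"<?php echo 'polyglot'; ?>"


def build_jpeg_polyglot(comment: bytes) -> bytes:
    """Build a minimal JPEG: SOI, a JFIF APP0 segment, a COM segment holding
    `comment`, then EOI. It has no frame or scan, so viewers will not render it,
    but every "starts with FF D8 FF" check calls it a JPEG."""
    jfif = b"JFIF\x00" + b"\x01\x01" + b"\x00" + struct.pack(">HH", 72, 72) + b"\x00\x00"
    app0 = b"\xff" + bytes([APP0]) + struct.pack(">H", len(jfif) + 2) + jfif
    com = b"\xff" + bytes([COM]) + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff" + bytes([SOI]) + app0 + com + b"\xff" + bytes([EOI])


def sniff_by_magic(data: bytes) -> str:
    """The naive type check many upload handlers and analyzers rely on."""
    if data[:3] == b"\xff\xd8\xff":
        return "image/jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "image/png"
    return "application/octet-stream"


def iter_jpeg_segments(data: bytes):
    """Yield (name, payload) for each JPEG segment up to SOS or EOI, then
    ("trailer", bytes) for anything after EOI. Raises ValueError if the
    marker/length structure is broken, which is itself a signal."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            yield "trailer", data[pos + 2:]
            return
        if marker == SOS:
            # Entropy-coded scan data follows; treat the remainder as one blob.
            yield "SOS", data[pos + 2:]
            return
        if 0xD0 <= marker <= 0xD7:  # RSTn markers carry no length field
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield f"0x{marker:02X}", data[pos + 4:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG (no EOI)")


CODE_TAGS = (b"<?php", b"<?=", b"<script")


def find_embedded_code(data: bytes):
    """Return [(segment_name, offset_in_segment)] for every segment or trailer
    whose payload carries a server-side or script open tag."""
    findings = []
    for name, payload in iter_jpeg_segments(data):
        for tag in CODE_TAGS:
            idx = payload.find(tag)
            if idx != -1:
                findings.append((name, idx))
                break
    return findings


if __name__ == "__main__":
    poly = build_jpeg_polyglot(PHP_TAG)
    print(sniff_by_magic(poly), find_embedded_code(poly))
    appended = build_jpeg_polyglot(b"ok") + PHP_TAG
    print(sniff_by_magic(appended), find_embedded_code(appended))
```

Both constructed files sniff as image/jpeg, yet the segment walk reports the tag in the COM segment (marker 0xFE) of the first and in the trailer of the second. The practitioner's lesson is the one the abstract makes: a classifier that stops at the magic bytes hands the attacker the rest of the file. On the Web side the robust fix is to never execute uploads and to re-encode images server-side; on the analyzer side, the file must be examined as every type it could plausibly be parsed as, not only as the one it claims.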

Threat Research Forum

SEP 20


Modern Malware Evasion Strategies: Bypass Real-Time Protection in Temporal Pincer Methods

09/20 (Tue) 14:45 - 15:15 7F 703
TXOne Networks Threat Researcher / Sheng-Hao Ma

Real-Time Protection is an essential design in every modern anti-virus and endpoint protection product: it scans binaries as they are executed and detects and blocks malware immediately. To achieve this, security vendors use APIs provided by Microsoft to place their hooks at the Ring0 kernel level. But is the cat-and-mouse game over? ;)

In this session we will reverse engineer the Windows OS to understand process creation, user-land IRPs and kernel driver design, and learn the strategies modern attackers use to escape virus scans. At the end of the session we will use several PoCs seen in the wild to demonstrate how attackers abuse the scanning timeline, launching a temporal pincer move to avoid the anti-virus scan, and we will provide suggestions on mitigation measures and on selecting security products.

Threat Research Forum

SEP 22


Building Next-Generation Semantic-aware Signature Engine from Disassembly

09/22 (Thu) 14:45 - 15:15 4F 4A
TXOne Networks Threat Researcher / Sheng-Hao Ma
TXOne Networks Threat Researcher / Hank Chen

In the era of endless new exploits, the active defenses of antivirus have already collapsed. Efficient static scanning is therefore the most important feature of modern antivirus against malware: it is designed to give AV/EDR the ability to decide immediately, when it discovers an unknown file, whether or not that file is a known threat, so as to avoid infection.

This technique has evolved from the original file-hash fingerprints, to the now well-known pattern matching (YARA), and even to heuristic ML methods that generate patterns automatically to cover highly variant samples as far as possible.

As a result, attackers have advanced their pattern-bypassing tactics to the point of identifying and removing the bytes an anti-virus signature matches in no time. This allows variant-enhanced malware in the wild to increase rather than decrease, even against state-of-the-art AI-based detection. But do we want detection techniques that only chase behind attackers? The blame lies with the classic pattern matching design, which never considers the semantics of execution behavior and is therefore easy to bypass.

In this session we will show how the latest variant samples heavily defeat the major pattern matching techniques with simple tricks such as obfuscation, control-flow flattening (FLA in OLLVM) and RC4 encryption.

To fight back, we present a next-generation static scanning idea. Instead of matching on the raw bytes of a file, a full set of decompilers is built in to analyze every static function in a program file, and malicious functions are defined symbolically, yielding a semantic-aware malware detection engine. Researchers can elastically define malware templates and use the engine to achieve excellent detection results on multiple heavily obfuscated samples.
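The abstract contrasts byte-pattern signatures with a semantic definition of a malicious function. The following Python is an added example and not the engine described in the talk: it shows, on constructed disassembly listings of one byte-XOR decode loop, that a YARA-style hex pattern breaks as soon as the variant renames registers and changes the key, while a signature over normalized instruction semantics (mnemonic plus operand classes) still matches and still rejects an unrelated copy loop. The hex bytes are real x86 encodings of the instructions shown; the listing format and the jump target are assumptions made for the example.

```python
import hashlib
import re

# Constructed Intel-syntax listings of the same byte-XOR decode loop. VARIANT is
# the loop after register renaming and a new key/length; BENIGN is an unrelated
# byte-copy loop. Hex bytes are real x86 encodings; the jne target is illustrative.
ORIGINAL = """\
8b 45 08     mov eax, [ebp+8]
31 c9        xor ecx, ecx
80 34 08 41  xor byte ptr [eax+ecx], 0x41
41           inc ecx
83 f9 10     cmp ecx, 0x10
75 f5        jne 0x401005
"""
VARIANT = """\
8b 55 08     mov edx, [ebp+8]
31 db        xor ebx, ebx
80 34 1a 7a  xor byte ptr [edx+ebx], 0x7a
43           inc ebx
83 fb 20     cmp ebx, 0x20
75 f5        jne 0x401005
"""
BENIGN = """\
8b 75 08     mov esi, [ebp+8]
8b 7d 0c     mov edi, [ebp+0xc]
8a 06        mov al, [esi]
88 07        mov [edi], al
46           inc esi
47           inc edi
"""

LINE_RE = re.compile(r"^([0-9a-f]{2}(?: [0-9a-f]{2})*)\s+(\S+)(?:\s+(.*))?$")
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp",
        "ax", "bx", "cx", "dx", "al", "bl", "cl", "dl", "ah", "bh", "ch", "dh"}


def parse_listing(listing):
    """Return [(raw_bytes, mnemonic, [operands])] from a constructed listing."""
    insns = []
    for line in listing.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        raw, mnem, ops = m.groups()
        operands = [o.strip() for o in ops.split(",")] if ops else []
        insns.append((bytes.fromhex(raw), mnem, operands))
    return insns


def byte_signature(listing):
    """A YARA-style hex pattern: the exact bytes of the instruction sequence."""
    return b"".join(raw for raw, _, _ in parse_listing(listing))


def matches_bytes(signature, listing):
    """Classic pattern matching: does the byte pattern occur in the sample?"""
    return signature in byte_signature(listing)


def classify(operand):
    """Abstract an operand to its class so registers, immediates and memory
    references lose their concrete value."""
    if "[" in operand:
        return "MEM"
    if operand in REGS:
        return "REG"
    if re.fullmatch(r"-?(0x[0-9a-f]+|\d+)", operand):
        return "IMM"
    return operand.upper()


def normalize(listing):
    """Mnemonic plus operand classes, one entry per instruction."""
    return [f"{mnem} {','.join(classify(o) for o in ops)}".strip()
            for _, mnem, ops in parse_listing(listing)]


def semantic_signature(listing):
    """Hash of the normalized sequence; survives register renaming and constant changes."""
    return hashlib.sha256("\n".join(normalize(listing)).encode()).hexdigest()


if __name__ == "__main__":
    sig = byte_signature(ORIGINAL)
    print("byte pattern hits variant:", matches_bytes(sig, VARIANT))
    print("semantic match variant:", semantic_signature(ORIGINAL) == semantic_signature(VARIANT))
    print("semantic match benign:", semantic_signature(ORIGINAL) == semantic_signature(BENIGN))
```

The byte pattern taken from ORIGINAL matches ORIGINAL only; the normalized sequence "mov REG,MEM / xor REG,REG / xor MEM,IMM / inc REG / cmp REG,IMM / jne IMM" is identical for ORIGINAL and VARIANT and differs for BENIGN. This normalization is deliberately the simplest step in the direction the abstract describes: it is still defeated by instruction reordering, substitution (sub/add for xor) or the control-flow flattening the talk names, which is why the engine in the abstract works on decompiled functions and symbolic definitions rather than on a fixed instruction sequence.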