This forum provides a platform for cybersecurity researchers to showcase their findings on software vulnerabilities, threat intelligence, attack methods, and solutions. Don't miss the opportunity to stay on the cutting edge of cybersecurity research and discover interesting findings.
Taidoor, also known as Earth Aughisky, is an APT group that has been active for more than a decade.
The group previously focused on Taiwan-related targets but shifted its interests around 2018.
This time we will not focus on technical analysis but rather on the background of Taidoor and how the group has changed.
After this session, attendees will have a clear profile of Taidoor.
In recent years, attacks against Windows RPC have been increasing day by day. During software development, we often use Remote Procedure Call (RPC) as a channel for passing messages between software components. However, when developers use the Windows API, they often pay no attention to privilege management in the underlying MS-RPCE, and even official system services that Microsoft has built on the MS-RPCE interface have this type of vulnerability.
The root cause of these vulnerabilities is that developers do not fully understand the complex user privilege model provided by Windows, so user privileges are not managed properly during development, which leads to an endless stream of vulnerabilities.
This session will analyze, one by one, the various Potato-named tools commonly used in penetration testing, examine the attack methods that MS-RPCE vulnerabilities make possible, propose corresponding mitigations, and show how to inspect MS-RPCE interfaces that lack proper privilege management.
As Linux systems become increasingly popular, malware and ransomware targeting Linux are gradually emerging as well. In this session, we will introduce the impact of Linux malware, how to start threat hunting on Linux, and why threat hunting on Linux is necessary.
In the second part, we will introduce threat-hunting tools and methods and share how Linux threat hunting helps us understand the behavior and purpose of malware. We will also compare the differences and difficulties relative to threat hunting on Windows. Finally, we will share how to extract useful information from these findings to strengthen the resilience of future defenses.
Attacks driven by malicious documents have been prevalent for a long time, and the recent serious vulnerabilities CVE-2021-40444 and CVE-2022-30190 have made malicious documents even more rampant. In this talk, we will analyze nearly a hundred malicious document samples from the past six months, investigating the CVEs, common exploitation techniques, and evasion methods they use. We will also point out recent trends in the exploitation of malicious document vulnerabilities and suggest the key points to be aware of when detecting and scanning them.
In the world of cybersecurity, spear-phishing attacks are becoming increasingly common and dangerous. Since March 2022, we have been closely monitoring a significant wave of such attacks targeting various sectors, including government, academia, foundations, and research organizations across the globe. This wide outbreak of targeted attacks has affected not only countries such as Myanmar, Australia, the Philippines, Japan, and Taiwan but also many other regions.
During our investigation, we identified several malware families used in these attacks, including TONEINS, TONESHELL, and PUBLOAD. These samples have been linked to a notorious advanced persistent threat (APT) group known as Earth Preta, also referred to as Mustang Panda and Bronze President. This APT group is widely believed to be backed by a state actor, and its tactics, techniques, and procedures (TTPs) are highly sophisticated.
Recently, we have noticed that the actors behind these spear-phishing attacks have become more creative and sophisticated in their approach. They have been actively changing their TTPs to bypass security solutions, which makes it challenging for security experts to detect and defend against their attacks. Moreover, we have also discovered that the attackers are using some intriguing tools for exfiltration, which can make their movements harder to track.
As we continue to investigate these attacks, we will share the technical details of this campaign to help organizations better understand the nature and extent of the threat they face. We advise all organizations to remain vigilant and take the necessary steps to strengthen their cybersecurity posture to prevent potential breaches. It is imperative that they stay up to date with the latest cybersecurity trends and invest in state-of-the-art security solutions to safeguard their digital assets.
Since the introduction of the DSE (Driver Signature Enforcement) mechanism, any driver to be loaded into the Windows kernel requires a valid digital signature. In response, the number of BYOVD (Bring Your Own Vulnerable Driver) attacks has increased in recent years. APT groups weaponize a driver with known vulnerabilities or public exploits, load it after obtaining system privileges, and then exploit it, thereby bypassing anti-virus software, obtaining kernel execution rights, planting backdoors to maintain access, and so on. This session will share how drivers weaponized by malware are abused and the purpose behind this type of attack, and finally provide driver developers and system administrators with defensive recommendations against it.
An APT group is a special threat vector, typically consisting of a nation state or state-sponsored actors. APT groups possess extraordinary skill and resources, enabling them to infiltrate an organization's network and exfiltrate its data. Recently, we found valuable leads in APT cases showing that the tactics and techniques differ from before. In this talk, we will highlight these differences using the MITRE ATT&CK framework and disclose their impact on defense. We will provide useful recommendations to help every company and individual take the right response when they encounter an APT attack.
Since the indictment by the United States in 2020, the activity of APT41 has become more complex, not only in terms of its TTPs but also in terms of attribution. In 2021, multiple security vendors disclosed new campaigns by several APT41 subgroups, such as Earth Baku, Sparkling Goblin, Blackfly, Amoeba, and GroupCC, which made the picture even more confusing. Unfortunately, we will add one more subgroup to this hall of (in)fame, which we dubbed "Earth Longzhi". Earth Longzhi overlaps with existing APT41 subgroups in code reuse and TTPs, but its long-running activities have not yet been fully revealed. From our observations, Earth Longzhi has been active since at least early 2020 and continues to change its targets and TTPs from time to time. Through analysis of its activities, we identified two major campaigns between 2020 and 2022. In this presentation, using the technical details of these two Earth Longzhi campaigns, we will reveal how the group has been adapting its TTPs to bypass detection. In addition, we will describe in detail the process of how we attribute activity. We believe that sharing the attribution process, not only the technical details of the malware, will help other security researchers in the future.
On the internet, the Chinese cyber army is an important instrument of the Chinese government. Its purpose is to influence the politics, economy, and society of other countries through online propaganda and operations.
TeamT5's research found that Chinese adversaries have compromised Taiwan's network and information systems by monitoring and attacking Taiwan's networks. At the same time, our intelligence shows that the Chinese cyber army uses social media and other platforms to spread false news, slander the Taiwanese government, and incite hatred in order to interfere with Taiwan's political and social stability. We believe the Chinese government can combine the above-mentioned attack methods, monitoring Taiwan's internet and social media accounts, hacking attacks, and laundering fake news, in a way that will eventually have an impact on Taiwanese society.
Therefore, Taiwan needs to strengthen its network security defenses, strengthen network monitoring, and combat cyber crime. TeamT5 has observed that the Chinese cyber army's information warfare operations against Taiwan are serious and constantly evolving, so Taiwan must continue to update the relevant threat intelligence. At the same time, the people of Taiwan also need to increase their vigilance against fake news and not easily believe information from unknown sources, so as not to be affected by the operations of the Chinese cyber army.
Recently there have been several emerging and innovative social engineering attacks, and preventing social engineering has been emphasized by governments and security vendors alike. However, the lack of secure implementations of standard or vendor-specific features in office software leaves ordinary users vulnerable to social engineering attacks in which attackers compose fake but indistinguishable meeting invitations. Preventing such social engineering is unavoidable, in both IT and OT environments, because organizations might suffer financial and even human losses once they are exposed to such attacks.
In this session, we start by reviewing the major iCalendar (ICS) features that users work with on a daily basis. Next we demonstrate how an attack is launched by composing a phishing mail based on recently discovered vulnerabilities. Finally we propose some mitigations and show the importance of Zero Trust.
Although blue team members have numerous malicious samples on hand, they often do not have enough time to analyze all of them. On the other hand, they may be interested in a particular malware family but have too few samples of it. To solve these problems, this lecture will introduce a fully automated process that helps blue team members convert raw data into usable detection rules more efficiently and apply them in real situations.
The process starts by connecting VirusTotal to our sandbox to obtain a large number of samples. At the same time, we summarize the common reasons why samples fail to run in the sandbox and use them to improve the sandbox's efficiency. Then we explain how to use the resulting data for further analysis and research to generate actionable intelligence, including APIs, strings, and IoCs. Finally, we discuss how to convert the generated intelligence into detection rules such as YARA or Sigma to improve cyber resilience.