The Threat Research Forum will introduce the latest threat intelligence and share analysis methods and tools, helping enterprises better understand and respond to constantly evolving cybersecurity threats.
This presentation offers an insightful exploration into how evolving cyber defense strategies have subtly influenced the adaptations of the Muddled Libra threat group. Gaining prominence in 2022, Muddled Libra's recent evolution in 2023 highlights the group's response to the changing landscape of cybersecurity. We will discuss the nuanced changes in their approach, including alterations in tools, targets, and criminal methodologies, prompted by the gradual advancements in cyber defense. This session aims to provide a balanced perspective on the interplay between attacker innovation and defender strategies, illustrating the ongoing, dynamic nature of cybersecurity. Join us for a thoughtful analysis of this continuous adaptation and its implications for the future of cyber threats and defenses.
Cyberattacks on critical infrastructure have increased in recent years, posing a significant threat to the stability and security of the affected nations. In this presentation, TeamT5 will introduce TeleBoyi, a Chinese-nexus APT that has not been disclosed previously. Based on our research findings, TeleBoyi shows a strong preference for targeting critical infrastructure, with a particular focus on the telecommunications sector. The group has been active since at least 2014 and is still active today. Its targeting extends across numerous countries worldwide, including APAC, the Americas, and Europe. Our presentation will cover TeleBoyi's Tactics, Techniques and Procedures (TTPs), including its weapons. Moreover, we will discuss overlapping TTPs with other notorious APT groups. We believe the techniques and tactics disclosed in this presentation can help blue teams prevent, detect, and respond to TeleBoyi's attacks more efficiently and effectively.
We will be discussing wireless security in HID devices (e.g. mice and keyboards), as some of these devices now claim to use encrypted connections. The topic stems from MouseJack back in 2016, which unveiled a series of flaws in HID devices that made them susceptible to keystroke or movement injection and to sniffing attacks. We'll demonstrate how such devices may have been built insecurely in the first place and what they have become today.
Many enterprises rely heavily on Active Directory (AD) as the backbone for user and asset management, software update distribution, and related unified control mechanisms. While AD offers rich and diverse functionality, it also leads, directly or indirectly, to security risks when administrators choose improper configuration settings for convenience, among other reasons. Moreover, the internal network structure of large enterprises is relatively complex, making it difficult to promptly detect ongoing attacks in the absence of comprehensive detection mechanisms. This presentation takes the blue team's perspective, sharing how the Kerberos protocol, the core authentication mechanism of domain services, operates; the attack techniques closely related to Kerberos; and how to detect such attacks effectively and promptly in order to prevent attackers from taking over the enterprise's domain services.
Since early 2022, we have been monitoring an APT campaign targeting several government entities worldwide, with a strong focus on Southeast Asia, although we have also seen targets in Europe, America, and Africa. Our research allowed us to identify multiple connections with the China-nexus threat actors Earth Lusca and Luoyu. Despite these connections, the campaign still has independent infrastructure and employs unique backdoors. We managed to retrieve multiple files from the threat actor's servers, including samples, configuration files, and log files from their attack tools. By combining this data with our telemetry, we have gained a better understanding of their operation and built a clear view of Earth Krahang's victimology and interests. In this presentation, we are going to disclose the details of their latest operations.
In 2023, a new cyberespionage campaign by a group we named Earth Estries was identified, indicating activity since at least 2020. Notably, similarities emerged between Earth Estries' tactics and those of the advanced persistent threat (APT) group FamousSparrow. The tools and techniques used suggest the involvement of highly skilled threat actors wielding advanced resources, employing numerous backdoors and hacking tools to great effect and targeting organizations in the government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US. In this talk, we discuss our detailed findings and technical analysis, including some background on Earth Estries and their motivations, attack methods and tools, C&C infrastructure, victimology, and attribution.
This presentation will reveal a 0-day in an edge device exploited in the wild by Chinese APT groups to spread disinformation, and will share multiple case studies of abuse by Chinese threat actors. Additionally, we disclose a new malware family implanted in edge devices, covering port-knocking backdoors and LOLBin attacks on edge devices. Lastly, this presentation also provides approaches to mitigate these attacks.
Generative AI is all the rage these days, with ChatGPT being a worldwide phenomenon. Did you know that threat actors are leveraging similar tools in the course of their attacks on everyday organizations? This session discusses how advanced nation-state and eCrime adversaries are investing time and resources into developing tooling and tradecraft that leverage ChatGPT and analogous AI engines.
The session dives deep into the myriad attacks where generative AI plays a key role in enabling sophisticated attacks, and the various ways adversaries employ generative AI to their advantage. Understand attacks where AI plays a pivotal role, and how AI tooling is rapidly evolving.
Finally, the use of generative AI is not just for adversaries! Cyber warriors can leverage this technology to make their jobs easier, faster, and more efficient. Generative AI is not just an adversary tool, but one the "good guys" can use as well.
As cyber threats evolve, APT attacks demonstrate more sophisticated evasion techniques. This presentation delves into a case study of an APT attack targeting the high-tech industry, where the attackers interfered with and damaged the EDR system. Furthermore, the attackers employed a series of clever evasion tactics, making detection and defense more challenging. This presentation aims to provide an in-depth understanding of these techniques and current cybersecurity trends, assisting experts in more effectively preventing and responding to such threats.
Every hacker's wet dream has now become true: the ability to hack everywhere. I will present research that started from dumping firmware and led to me finding an attack chain able to take over and backdoor an entire nation's FTTH modems: first by compromising the telecom's infrastructure, then reaching all of the modems via 6 0-days found within a week. It includes the story of a full teardown and analysis, from a hardware attacker's viewpoint to how a nation-state actor might see the system as a whole. The presentation will interest both attackers and defenders: it shows how attackers could penetrate such systems, how to defend against such attacks even in worst-case scenarios, and what the attack surface model of telecom equipment looks like.
For defense on macOS, Apple officially introduced Gatekeeper/XProtect in 2012, a mechanism that intercepts, in real time, user launches of known malicious, unsigned, or unnotarized programs. However, does this defense really make the system impervious to all threats? In fact, in recent years, attacks targeting Apple enterprise users have continued to emerge, such as the 3CX supply chain attack, TriangleDB, and the first publicly exposed macOS LockBit sample, which are enough to prove that attackers have long been adept at bypassing Apple's system security mechanisms. This session will delve into the design and architecture of this mechanism through reverse engineering; we will introduce the exploitation techniques observed in recent years and summarize their attack surface. Through actual attack cases, we will explore the latest attack trends, leading the audience to understand the security issues of the Apple platform.
C2 communication plays an indispensable role in cyberattacks. In response to the ever-changing online environment, C2 techniques have evolved many times as attackers continuously seek new ways to evade defense mechanisms. As described in MITRE ATT&CK T1102 (Web Service), attackers leverage cloud-based office services to hide suspicious connections among legitimate traffic, making network-traffic-based defense harder. So how can we effectively use network traffic to identify malicious connections to Google Calendar?
The Qt Framework is one of the most popular C++ development frameworks in the world, and a deep understanding of its intricacies enables developers to build applications more safely. An in-depth discussion of the architecture of the Qt Framework therefore helps developers fully understand its advantages, disadvantages, and security risks. In addition, proactive defense through different kinds of security testing can further identify hidden risks in the Qt Framework.
This session will provide the audience with practical methods to systematically test and harden their applications against potential threats, thereby forming proactive security measures. It will also discuss vulnerabilities in the Qt Framework and demonstrate the resulting security threats through specific examples. Attendees will learn how to develop Qt Framework applications correctly and protect them from potential security risks, bringing valuable gains to developers and security practitioners alike.
In the ever-expanding global cyberspace, malicious activities coerce users into downloading harmful files from specific URLs, posing severe threats. Our research introduces an automated crawler agent as a countermeasure. It systematically analyzes malicious payloads captured by our threat hunting system, extracting vital intelligence on Command and Control (C&C) servers. Identified malicious files are downloaded for thorough scrutiny. The crawler agent has unveiled elusive files targeting diverse system architectures, going beyond traditional network payload analysis. Our integrated pipeline streamlines download and analysis, revealing specific network attack patterns in real time. This proactive approach lets us understand the latest malicious files within evolving network attack behaviors, strengthening defenses against emerging threats.
Apart from the extensively exploited HTTP protocol, the DNS protocol plays a crucial role in network communication and is capable of bypassing the Layer-4 firewall restrictions commonly employed by many organizations. This presentation will delve into the misuse of DNS for establishing covert tunnels that circumvent L4 firewalls. We will examine several tunneling tools and Command and Control (C2) frameworks, showing how threat actors leverage DNS for unauthorized network access. Our analysis reveals persistent DNS abuse as an effective attack vector employed by malicious entities over an extended period. The session will conclude with practical strategies to fortify DNS security, providing concrete steps to mitigate these threats.