Threat Research Forum

Threat Research Forum focuses on emerging cybersecurity threats, exploring attack techniques, system vulnerabilities, and penetration strategies to help businesses stay ahead of evolving risks.

TIME & LOCATION
  • 4/15 (Tue.) 14:00 - 17:00 | 4C Meeting Room
  • 4/15 (Tue.) 16:15 - 16:45 | 1B Meeting Room
  • 4/16 (Wed.) 14:00 - 17:00 | 4B Meeting Room
  • 4/17 (Thu.) 09:00 - 12:30 | 4B Meeting Room
  • 4/17 (Thu.) 14:00 - 17:00 | 4B Meeting Room
AGENDA
4 / 15
12:00 - 12:30
4F 4C
Lyn Chuang / Technical Consultant Trend Micro

After breaching the internal network, attackers exploit network devices as footholds to compromise switches, ultimately taking control of core network infrastructure to enable lateral movement. This presentation will analyze the attack chain and technical methodologies involved, while also exploring actionable strategies to prevent network devices from being weaponized by attackers.

  • Incident Response
  • Critical Infrastructure Protection
4 / 15
14:00 - 14:30
4F 4C
Leonid Rozenberg / Cybercrime and Threat Intelligence Researcher, Research Hudson Rock

Infostealers are close to a perfect cybercrime tool. They sneak into the computer, grab the passwords and anything else of value (like cookies that help to bypass MFA), and the victim doesn’t even know they’ve been robbed. Let’s discuss how this threat impacts businesses of any size in any industry worldwide.

  • Cyber Crime
  • Threat Intelligence
  • Data Leak
4 / 15
14:45 - 15:15
4F 4C
Yi-An Lin / Threat Researcher, PSIRT & Threat Research Team TXOne Network Inc.

Oh no… Windows Update again? System updates have long been a headache for users, disrupting workflows and breaking control over their machines. But what if we told you that top-tier security solutions share the same pain?

Inspired by the Black Hat USA research "Windows Downgrade Attacks using Windows Updates", we conducted an in-depth analysis of how real-world security solutions handle these attack techniques, revealing a critical gap in protection: inconsistencies in how security products interpret and enforce defenses across three key layers—registry settings, running processes, and disk files—ultimately exposing an entirely new attack surface.

In this talk, we’ll take a deep dive into Windows 11’s latest Trusted Installer-based update architecture, exposing its structural weaknesses and the security blind spots between upgrade mechanisms and endpoint protection. We'll analyze how adversaries manipulate event logs to exploit misalignments in system-to-security communications, ultimately forging unprotected registry and disk artifacts to hijack the upgrader’s identity. The result? A fully weaponized "arbitrary update" technique, allowing attackers to repurpose antivirus software as a backdoor execution tool.

  • Red Team
  • Windows
  • Endpoint Security
4 / 15
15:30 - 16:00
4F 4C
Vincent Li / Anti-Virus Analyst, FortiGuard Labs Fortinet

As time goes by, vulnerabilities in various products emerge in an endless stream, and the malware used for attacks is also varied. We collected and analyzed the malicious traffic generated in Taiwan and identified several vulnerabilities that attackers often exploit. In addition, we conducted a complete analysis of the malware that attackers sent in this malicious traffic to control and compromise the target environment. We identified various types of variants and found common characteristics among these malicious programs, such as subsequently triggered attacks or methods of persistence in the target environment.

  • Reverse Engineering
  • Intrusion Detection
  • Threat Intelligence
4 / 15
16:15 - 17:00
4F 4C
Joey Chen / Sr. Threat Researcher Cisco Talos
Chetan Raghuprasad / Threat Researcher, Threat Intelligence Cisco Talos

In recent findings, Cisco Talos has uncovered a new threat actor, dubbed “CoralRaider,” believed to originate from Vietnam and driven by financial motivations. Operating since at least 2023, CoralRaider has targeted victims primarily across Asian and Southeast Asian countries, focusing on the theft of credentials, financial data, and social media accounts, including business and advertisement profiles. The group employs sophisticated tactics, leveraging customized variants of known malware such as RotBot (a modified version of QuasarRAT) and the XClient stealer as primary payloads in their campaigns. Notably, CoralRaider uses the dead drop technique, relying on legitimate services to host C2 configuration files, and uncommon living-off-the-land binaries (LoLBins) such as Windows Forfiles.exe and FoDHelper.exe.

In a recent discovery made by Talos in February 2024, CoralRaider has initiated a new campaign distributing well-known infostealer malware, including Cryptbot, LummaC2, and Rhadamanthys. Employing innovative tactics, the threat actor embeds PowerShell command-line arguments within LNK files to evade antivirus detection and facilitate payload downloads onto victim hosts. Furthermore, the campaign uses Content Delivery Network (CDN) cache domains as download servers for hosting malicious HTA files and payloads, adding another layer of complexity to their operations. Talos assesses with moderate confidence that CoralRaider is behind this campaign, noting overlaps in tactics, techniques, and procedures (TTPs) observed in previous RotBot campaigns. These include the use of Windows Shortcut files as initial attack vectors, intermediate PowerShell decryptors, and FoDHelper techniques to bypass User Account Control (UAC) on victim machines.

This research sheds light on the evolving tactics of CoralRaider and underscores the importance of continuous threat intelligence to combat emerging cyber threats effectively. Understanding the modus operandi of such threat actors is crucial for bolstering defenses and mitigating risks in today’s cybersecurity landscape.

  • Blue Team
  • Cyber Crime
  • Threat Intelligence Sharing
4 / 15
16:15 - 16:45
1F 1B
Yao-De Tsai / Threat Researcher, PSIRT and Threat Research Team TXOne Networks Inc
Shenghao Ma / Team Lead, PSIRT and Threat Research Team TXOne Networks Inc.

Hyper-V in Windows endpoint detection has long been regarded as the crown jewel that is difficult for the red team to conquer. Therefore, in the underground economy, online game anti-cheat protection relies heavily on Intel VT as the last line of defense against classic BYOVD kernel-level attacks that would otherwise bypass the protection. However, state-of-the-art anti-cheat protection, in order to achieve better system threat protection than Microsoft's standard design, has gradually introduced Hyper-V technology to implement numerous kernel-level protections by exploiting and manipulating Windows 10+ NT Kernel objects, on the premise of "effectively bypassing Microsoft's kernel driver-level protection" to guard against game cheating. But is this technology, used for detection, malicious, and is it effective?

Know yourself and know your enemy, and you will never be defeated in a hundred battles! In this session, we will guide the audience through Hypervisor detection defences and the system's architectural relationship with them, from dismantling the architecture of Microsoft's VT-based Hyper-V platform to how anti-cheat protection can manipulate Microsoft's VBS (Virtualisation-Based Security) and PatchGuard to achieve the desired results and forge memory pages in both user and kernel mode. At the end of the session, we provide recommendations and guidance on the methods and risks of introducing such kernel patches into endpoint detection.

  • Reverse Engineering
  • Advanced Threat Protection
  • Windows
4 / 16
14:00 - 14:30
4F 4B
Neo Chen / CTI Researcher, ThreatVision TeamT5, Inc.

In this presentation, TeamT5 will share insights into the latest attack evolution and strategic changes of the North Korean APT group Kimsuky. We will provide an in-depth introduction to Kimsuky's subgroups, CloudDragon and KimDragon, analyzing their shifting attack targets and the technical evolution of their specialized backdoor tools. According to our research, the group's targeting scope has gradually expanded from early focuses on government sectors, think tanks, defense, and financial institutions to heavy industries, technology sectors, and cryptocurrency industries. Following Microsoft's default disablement of macro functionality, the group has progressively adopted various alternative approaches in their operations, demonstrating high flexibility and adaptability. Finally, we will thoroughly examine the group's arsenal and its evolutionary trajectory.

  • Threat Intelligence
  • Threat Research
  • APT
4 / 16
14:45 - 15:15
4F 4B
Hubert Lin / Principal Threat Researcher, Threat Labs Netskope

This talk explores eight C2 tools, analyzing their communication methods and detection strategies. Tools discussed include Metasploit, Mythic, Merlin, CobaltStrike, Sliver, BruteRatel, DropboxC2C, and SaucePot C2. Detection focuses on behavior-based methods, network traffic analysis, and machine learning. Practical defense techniques will also be covered to strengthen cyber resilience.

  • Cloud Security
  • Red Team
  • Side-channel Attack
4 / 16
15:30 - 16:00
4F 4B
Chetan Raghuprasad / Threat Researcher, Threat Intelligence Cisco Talos

This presentation is about a malicious campaign operated by a Chinese-speaking threat actor, SneakyChef, targeting government agencies, likely the Ministry of External/Foreign Affairs or Embassies of various countries since as early as 2023, using SugarGh0st RAT and SpiceRAT.

Talos assesses with high confidence that SneakyChef operators are likely Chinese-speaking based on their language preferences, their use of variants of Gh0st RAT (a popular malware of choice among Chinese-speaking actors), and the specific targets, which include the Ministry of External Affairs of various countries and other government entities, with the motive of espionage and data theft.

Their notable TTPs include spear-phishing campaigns, DLL side-loading, a custom C2 communication protocol, and abuse of legitimate applications.

SneakyChef has used various techniques in this campaign with multi-staged attack chains to deliver the payloads SugarGh0st and SpiceRAT. Throughout this presentation, I will discuss the various attack chains and the techniques the threat actor has employed to establish persistence, evade detection, and implant the RATs successfully.

Finally, I will share the indications of SneakyChef’s origin as a Chinese-speaking actor and the attribution of the SugarGh0st and SpiceRAT attacks to them.

  • Advanced Threat
  • Threat Intelligence Sharing
  • Threat Research
4 / 16
16:15 - 17:00
4F 4B
Ta-Lun Yen / Sr. Vulnerability Researcher TXOne Networks Inc.

Residential Gateways (modems) have become a very common device around the world, usually provided by the ISP along with a broadband subscription. While consumer routers have frequently been compromised by botnets or exploited as infrastructure by nation-state attackers, RGs have seen little discussion, yet they occupy a position on par with consumer routers.

We reviewed popular broadband network standards (DSL, DOCSIS, xPON) and remote management standards (TR-069/CWMP), and reverse engineered 14 different RGs from 11 ISPs across 8 different countries, including G7 countries. We analyzed all RGs' hardware components and dissected and inspected all firmware, using a set of firmware dissectors and decryptors that we developed to deal with the proprietary formats. We discovered that most RGs lack modern software and hardware protection mechanisms such as ASLR, TrustZone and secure boot, and are commonly vulnerable to low-complexity attacks such as weak credentials, buffer overflows and command injection, enabling the installation of undetectable, persistent backdoors on RGs.

Furthermore, we found some ISPs' infrastructure to be exposed directly to the Internet, often with devices that are easily exploited, outdated or sanctioned, which we will demonstrate. Combining vulnerabilities of low-to-mid attack complexity within the RGs and the ISP's infrastructure, we are able to demonstrate one actual case of a full, permanent compromise of an estimated four million RGs of the largest ISP in a top-20 country. This was reported to the ISP and has since been fixed.

  • Reverse Engineering
  • Critical Infrastructure Protection
  • National Security
4 / 17
09:30 - 10:00
4F 4B
Rachael Liao / Anti-Virus Analyst, FortiGuard Labs Fortinet

Taiwan is regularly targeted by cyberattacks from multiple sources due to its geopolitical situation. Recently, we observed cyberattacks targeting companies in Taiwan, including those in manufacturing, healthcare, information technology, and other sectors. The attacks involved phishing emails with identifiable characteristics, along with the distribution of multiple executable files. Among these attacks, SmokeLoader's features are separated into multiple modules, and AndeLoader delivers an infostealer via Microsoft Office documents. Once the attacks succeed, the companies are exposed to the risk of backdoor infections and data exfiltration. In this presentation, we will thoroughly reveal the attack chain and uncover the techniques employed during the attack.

  • Phishing
  • Threat Analysis & Protection
  • Reverse Engineering
4 / 17
10:15 - 10:45
4F 4B
Tony Wang / Threat Researcher, Threat Research TXOne Networks Inc.

You've probably all heard of EternalBlue. After The Shadow Brokers obtained and disclosed it in 2017, many Windows systems that could not be updated in time became victims. The most famous malware is the WannaCry ransomware, which exploited the disclosed EternalBlue to infect hundreds of thousands of computers in May of the same year, spreading widely and affecting factories and critical infrastructure in numerous countries.

In this session, we will approach the topic from the perspective of network threat researchers, using examples of EternalBlue and the malware that spreads via EternalBlue. We'll demonstrate that even seven years later, attacks leveraging EternalBlue still persist. We'll explore how to use existing threat intelligence to develop network-based detection for classifying the suspicious network packets we currently receive. Furthermore, by applying these detections on our hunting engines, we'll present what kinds of malware we have collected and examine the potential threats that EternalBlue attacks pose in today's environments.

  • Threat Hunting
  • Threat Research
  • Threat Detection & Response
4 / 17
11:00 - 11:30
4F 4B
Zeze / Research Engineer TeamT5

Since the first known use of a UEFI Bootkit in 2018 by LoJax, a wave of similar threats has emerged, including MosaicRegressor, TrickBot, FinSpy, ESPecter, MoonBounce, CosmicStrand, and BlackLotus—sold on dark web marketplaces in 2022 and later open-sourced in 2023. This trend highlights the growing cybersecurity threat posed by UEFI Bootkits.

This presentation will provide an overview of Bootkit-related research, starting with fundamental UEFI background knowledge before focusing on how attackers bypass Secure Boot to execute malicious EFI applications and achieve persistence. Unlike BYOVD (Bring Your Own Vulnerable Driver) attacks, Bootkits intervene at the earliest stage of system startup, affecting the initialization of various OS components. Additionally, Bootkits can modify SPI Flash, allowing them to persist even after the operating system is reinstalled.

The session will also analyze the technical aspects of these attacks, including methods for bypassing security mechanisms and execution techniques during the Boot Loader phase. Potential detection and defense strategies will be explored, as well. While traditional antivirus solutions struggle to counter threats at the boot stage, attack preparation activities and post-exploitation behaviors can provide crucial detection opportunities. By shedding light on these threats, this presentation aims to raise awareness of UEFI Bootkits and their impact on modern cybersecurity.

  • Firmware Security
  • Threat Research
  • APT
4 / 17
11:45 - 12:30
4F 4B
Joey Chen / Sr. Threat Researcher Cisco Talos

Cisco Talos discovered a new cyber threat known as "DragonRank." This sophisticated threat actor primarily targets countries in Asia and a select few in Europe, utilizing advanced malware such as PlugX and BadIIS for search engine optimization (SEO) rank manipulation.

DragonRank exploits vulnerabilities in web application services to deploy web shells, which are then used to gather system information and launch malicious payloads. Their arsenal includes the PlugX malware, which employs familiar sideloading techniques and leverages the Windows Structured Exception Handling (SEH) mechanism to ensure seamless and undetected execution. Additionally, they deploy BadIIS malware across compromised IIS servers, running various credential-harvesting utilities.

Our research has confirmed that over 35 IIS servers have been compromised in this campaign, with infections spreading across diverse geographic regions, including Thailand, India, Korea, the Netherlands, and China. Furthermore, Talos has uncovered DragonRank’s commercial website, business model, and instant message accounts, leading us to assess with medium to high confidence that the group is operated by a Simplified Chinese-speaking actor.

This session will delve into the tactics, techniques, and procedures (TTPs) employed by DragonRank, providing valuable insights into their operations and methods. We will also discuss the implications of this threat and offer guidance on how to bolster defenses against such sophisticated cyber attacks.

  • Cyber Crime
  • Blue Team
  • Threat Intelligence Sharing
4 / 17
14:00 - 14:30
4F 4B
Cara / Security Threat Research Manager, FortiGuard Labs Fortinet

As attack techniques targeting the Windows platform continue to evolve, attackers are increasingly using LNK files as an attack vector. LNK files are a common shortcut file format in the Windows system, designed to point to applications or file locations, providing convenient access. However, this convenience also becomes a gateway for malicious attacks. This report delves into how attackers exploit LNK files to execute infections on the Windows platform and analyzes the prevalent attack methods currently in use.

  • Reverse Engineering
  • Behavioral Analytics
  • Threat Research
4 / 17
14:45 - 15:15
4F 4B
Jill Liu / Project Manager, ThreatVision TeamT5
Jason3e7 / Vulnerability Researcher, ThreatVision TeamT5

This talk focuses on a review of high-risk vulnerabilities in Taiwan's 10 most common network device brands. The objective is to reveal the current state of vulnerabilities in these devices and the behavior patterns of attacker groups. The research is based on large-scale wide-area scanning, analyzing the number and types of device vulnerabilities, and further exploring their relationships with regional distribution and protocol characteristics. The presentation will delve into how attacker groups exploit these vulnerabilities, including their methods and common techniques, with a particular emphasis on trends in attack behavior and their impact on device security.

  • Vulnerability Assessment
  • Threat Hunting
4 / 17
15:30 - 16:00
4F 4B
Ta-Lun Yen / Sr. Vulnerability Researcher TXOne Networks Inc.

We present a User Impersonation Attack in multiple SSL VPNs, including Cisco, Palo Alto, Fortinet and SonicWall. Our attack allows the attacker to bypass any intended firewall and routing rules, and therefore to explore freely within an SSL VPN-protected network without restrictions while connected from the Internet. We dubbed this attack “VPN Gremlin”, as if a gremlin had tampered with the intended firewalling and routing rules. We will also present the research behind this vulnerability, which includes our analysis and reverse engineering of the network firewalling and routing mechanisms of popular SSL VPNs.

Our findings stemmed from our research into multiple major SSL VPN implementations, as vendors saw rapid expansion during the rise in demand for teleworking; yet it’s another example of “security through obscurity”, as breach incidents around SSL VPN gateways are unusual. We were, however, also astonished by the fact that we could demonstrate our attack using the same method on four different vendors.

We intend to shed light on this again by diving into the implementation of routing and firewall rules on different vendors' products, from firmware extraction to reverse engineering of their networking stacks, and will demonstrate our methodology for fuzzing their VPN tunneling implementations. We will also demonstrate our (to-be open-sourced) tools for testing multiple SSL VPN tunneling protocols.

  • Reverse Engineering
  • Network Security
4 / 17
16:15 - 17:00
4F 4B
Jimmy Su / Cyber Security Researcher CyCraft Technology
Skyling / Cyber Security Research Intern CyCraft Technology

SCCM (Configuration Manager) is a solution provided by Microsoft to help enterprises centrally manage the configuration and software deployment of Windows computers, servers, and other devices. With the advancement of security research in AD CS, potential security risks in Microsoft's AD-related services have become a focus of attention. SCCM, due to its highly interactive nature with devices, has been found to have more than 20 known security concerns. These risks include, but are not limited to, low-privilege domain users potentially gaining control over Tier 0 assets such as MSSQL, SMS, and AD CS.

This session will focus on the security issues of SCCM, providing an in-depth analysis of its operational principles and common misconfigurations that might serve as entry points for attackers.

  • Active Directory Security
  • Red Team
  • Blue Team

More speakers and agenda details will be announced soon.