To foster global cybersecurity exchange, the conference offers AI-powered real-time translation for selected sessions. Stay updated on the latest trends and key issues, and easily follow the speaker’s insights.
In a world plagued with Ransomware, you would be forgiven for thinking that Cybercriminals just do the same thing over and over again. The reality however is quite different - with a sophisticated, and efficient, service industry propping up crime online. Over the last year this ecosystem has evolved further, with new Criminal Business Models emerging - in particular as criminals have steadily increased their usage of AI. These changes will continue to test our defences, and force us to evolve also.
But AI in particular is not an even technology - while it is a great enabler for all industries, crime included, it stands to enhance some more than others. Of all these industries, Cybersecurity - and Law Enforcement who focus on it - are possibly the most ready to take advantage of the unique benefits it brings.
In this talk, we'll dive into recent Criminal evolutions, and show why this time is a period where those on the defensive side of CyberSecurity stand to gain the biggest advantage in this never ending conflict.
LLMs are one of the most powerful inventions since the birth of computers. Not only are they a crucial piece in transforming information into knowledge, but they also serve as the foundation for building the AI-driven world. In just three to four years, LLMs have taken the world by storm, igniting a series of frenzied AI revolutions that have pushed the boundaries of technological advancement. However, with every leap in technology comes new challenges.
Unlike conventional software, LLMs are highly unpredictable, behaving more like "singularities" that do not conform to traditional information systems. Standard software quality control methods and testing tools are nearly ineffective in this domain, and existing cybersecurity frameworks struggle to adapt. We cannot approach LLM security as merely another software issue.
In this talk, we will explore the new cybersecurity challenges posed by AI applications from a security professional’s perspective. Join us as we delve into the risks and strategies needed to prepare for this transformative wave in the information industry!
We conducted a research project on communications resilience for Taiwan. We asked a simple question: If in conflict, can Taiwan's people, private sector, and government demonstrate the same kinds of resilience we saw conducted by Zelensky in Ukraine? This proposal will tell the story of our research process, our findings, and how we created a war game / table top exercise to conduct at DefCon and Blackhat Las Vegas in 2024 to try to answer our simple question.
After breaching the internal network, attackers exploit network devices as footholds to compromise switches, ultimately taking control of core network infrastructure to enable lateral movement. This presentation will analyze the attack chain and technical methodologies involved, while also exploring actionable strategies to prevent network devices from being weaponized by attackers.
Infostealers come close to being a perfect cybercrime tool. They sneak into the computer, grab the passwords, anything of value (like cookies that help to bypass MFA) and the victim doesn’t even know they’ve been robbed. Let’s discuss how this threat impacts any size business in any industry worldwide.
Oh no… Windows Update again? System updates have long been a headache for users, disrupting workflows and breaking control over their machines. But what if we told you that top-tier security solutions share the same pain?
Inspired by the Black Hat USA research "Windows Downgrade Attacks using Windows Updates", we conducted an in-depth analysis of how real-world security solutions handle these attack techniques, revealing a critical gap in protection: inconsistencies in how security products interpret and enforce defenses across three key layers—registry settings, running processes, and disk files—ultimately exposing an entirely new attack surface.
In this talk, we’ll take a deep dive into Windows 11’s latest Trusted Installer-based update architecture, exposing its structural weaknesses and the security blind spots between upgrade mechanisms and endpoint protection. We'll analyze how adversaries manipulate event logs to exploit misalignments in system-to-security communications, ultimately forging unprotected registry and disk artifacts to hijack the upgrader’s identity. The result? A fully weaponized "arbitrary update" technique, allowing attackers to repurpose antivirus software as a backdoor execution tool.
As time goes by, vulnerabilities in various products emerge in an endless stream, and the malware used for attacks is also varied. We collected and analyzed the malicious traffic generated in Taiwan, and in particular found several vulnerabilities that attackers often exploit. In addition, we conducted a complete analysis of the malware that attackers sent in this malicious traffic to control and compromise the target environment. We identified various types of variants and found common characteristics among these malicious programs, such as subsequently triggered attacks or methods of persistence in the target environment.
In recent findings, Cisco Talos has uncovered a new threat actor, dubbed “CoralRaider,” believed to originate from Vietnam and driven by financial motivations. Operating since at least 2023, CoralRaider has targeted victims primarily across Asian and Southeast Asian countries, focusing on the theft of credentials, financial data, and social media accounts, including business and advertisement profiles. The group employs sophisticated tactics, leveraging customized variants of known malware such as RotBot (a modified version of QuasarRAT) and the XClient stealer as primary payloads in their campaigns. Notably, CoralRaider utilizes the dead drop technique, utilizing legitimate services to host C2 configuration files and uncommon living-off-the-land binaries (LoLBins) like Windows Forfiles.exe and FoDHelper.exe.
In a recent discovery made by Talos in February 2024, CoralRaider has initiated a new campaign distributing renowned infostealer malware, including Cryptbot, LummaC2, and Rhadamanthys. Employing innovative tactics, the threat actor embeds PowerShell command-line arguments within LNK files to evade antivirus detection and facilitate payload downloads onto victim hosts. Furthermore, the campaign utilizes Content Delivery Network (CDN) cache domains as download servers for hosting malicious HTA files and payloads, adding another layer of complexity to their operations. Talos assesses with moderate confidence that CoralRaider is behind this campaign, noting overlaps in tactics, techniques, and procedures (TTPs) observed in previous RotBot campaigns. These include the utilization of Windows Shortcut files as initial attack vectors, intermediate PowerShell decryptors, and FoDHelper techniques to bypass User Access Controls (UAC) on victim machines.
This research sheds light on the evolving tactics of CoralRaider and underscores the importance of continuous threat intelligence to combat emerging cyber threats effectively. Understanding the modus operandi of such threat actors is crucial for bolstering defenses and mitigating risks in today’s cybersecurity landscape.
Digital sovereignty is a crucial aspect of modern democracy, determining a state's ability to control its digital infrastructure, regulate technology, and protect citizen data. In today’s world, data has become the most valuable resource, surpassing even oil and gold, as it enables those who control it to influence public perception and decision-making. Democratic states prioritize transparency, freedom of speech, and data protection, while autocratic regimes use digital tools for censorship, surveillance, and propaganda. The European Union (EU) and other democratic nations implement regulations such as GDPR, DSA, and DMA to ensure fair competition, secure personal data, and counter disinformation. However, the challenge remains: balancing security with fundamental freedoms. The global contest over digital sovereignty reflects the broader geopolitical struggle between democratic and authoritarian models. While democracies regulate digital platforms to protect citizens, autocratic states monopolize online spaces to control narratives. International collaboration, such as between the EU and Taiwan, is vital for strengthening cybersecurity, countering digital propaganda, and fostering technological independence. Ultimately, digital sovereignty must not lead to isolation but serve as a tool for democratic resilience. The future lies in cooperation, transparency, and the protection of fundamental rights in the digital realm.
An overview of cyber threat intelligence on current and near-term adversary use of artificial intelligence to generate cyber threats. Google Mandiant insights on ways to defend cloud infrastructure on which AI rests, and how generative AI can be used to enhance the capabilities of defensive cyber threat intelligence teams and network defenders.
Step into the eerie echoes of Charles Dickens' *The Signal-Man* to uncover a chillingly relevant parable for our age of AI and cybersecurity. In a world where AI systems power decisions at unprecedented speeds, are we, like the lonely signalman, misinterpreting critical warnings while hurtling toward disaster? Join Dimitri van Zantvliet, the Cybersecurity Director of Dutch Railways, for a keynote that fuses storytelling with cutting-edge insights into the rail sector’s digital transformation and cybersecurity strategies.
This session will unravel the lessons of Dickens' tragic tale, exploring the parallels between Victorian railways and today’s AI-driven systems. From opaque "black box" algorithms to over-reliance on automated defenses, we face a critical crossroads: embrace AI with responsibility or risk repeating the signalman’s fate.
Discover how the rail industry navigates waves of digitization, compliance tsunamis, and escalating threats while building ethical, transparent, and sustainable AI frameworks. You’ll learn practical strategies to balance human oversight with AI’s vast potential, ensuring trust, security, and resilience in an era where the stakes have never been higher.
Don’t miss this captivating blend of history, innovation, and foresight—a call to action for leaders who refuse to be overwhelmed by the warnings they cannot understand. Together, let’s rewrite the future and ensure the signals of tomorrow guide us to safety, not tragedy.
Security issues with Active Directory have been discussed for many years. It's been 18 years since the "Pass The Hash" attack technique emerged. Have we really completely eliminated these security issues? For example, starting with Windows 11 24H2, NTLM authentication is being phased out, but does that mean Kerberos cannot be attacked? As enterprise architectures gradually shift toward hybrid identity authentication (such as Entra ID and SAML), these vulnerabilities seem to be merging into a larger attack surface.
In this session, we will review the history of Active Directory attacks over the years and introduce related technologies. We will explore various attack methods that arise at the intersection of AD and cloud-based Azure & Entra ID hybrid identity authentication. Using more relaxed and simple concepts, we aim to help everyone quickly understand these potential vulnerabilities and attack vectors, hoping to provide a more comprehensive understanding of these weaknesses to manage related risks within enterprises.
In recent years, the rapid development of LLMs has brought opportunities for innovation in various areas of an organization from customer services to decision-making. However, organizations lacking comprehensive security strategies may face the risks of data breaches, compromised AI models, or even the consequences of non-compliance and damaged reputation. Therefore, organizations need to take a systematic approach to their security defenses.
The “LEARN” framework is a 5-stage approach that provides comprehensive security management:
The "Layer" stage focuses on clarifying system boundaries to allow teams to see the risks of each component clearly and implement corresponding controls.
The "Evaluate" stage evaluates the potential impact on operations based on current workflows and confidentiality of data, taking into account regulatory requirements, to find out the areas where hardening should be prioritized. Creating inter-department communication channels early on can help resolve issues before they become bigger problems.
The "Act" stage turns plans into actions, including updating security measures, optimizing workflows, etc. Since LLM applications usually involve external users and third-party integrations, it is necessary to ensure that security measures can work automatically and issue alerts when anomalies occur.
The "Reinforce" stage verifies the effectiveness of security measures through continuous monitoring and regular testing. This includes collecting system usage logs, emulating attacks, etc. to ensure security defenses are working properly.
Finally, the "Nurture" stage focuses on building a security culture that ensures security awareness permeates the organization from bottom to top. Organizations need to be able to adapt to changes in the external environment by quickly adjusting internal guidelines and establishing new standards in daily operations.
With LEARN, organizations can innovate with LLMs while managing their risks properly, taking advantage of market opportunities while ensuring operational continuity. As technologies continue to evolve, this framework will also provide room for adjustment that helps organizations continuously improve their defenses in changing environments.
In response to the increasingly complex and changing network threats, enterprise networks often exhibit high heterogeneity with diverse architectures, operating systems, and applications. This diversity challenges the application of a single detection logic. Detection Engineering has emerged as a crucial theme, enabling the design of flexible detection rules tailored to specific environments through systematic methods. By abstracting attack behaviors into characteristic patterns, this approach remains adaptable to rapid changes. This presentation explores the core concepts and practices of Detection Engineering, demonstrated with real-world cases. We'll also discuss using frameworks like MITRE ATT&CK to deconstruct and locate potential detection points in attack behaviors.
In this presentation, TeamT5 will share insights into the latest attack evolution and strategic changes of the North Korean APT group Kimsuky. We will provide an in-depth introduction to Kimsuky's subgroups, CloudDragon and KimDragon, analyzing their shifting attack targets and the technical evolution of their specialized backdoor tools. According to our research, the group's targeting scope has gradually expanded from early focuses on government sectors, think tanks, defense, and financial institutions to heavy industries, technology sectors, and cryptocurrency industries. Following Microsoft's default disablement of macro functionality, the group has progressively adopted various alternative approaches in their operations, demonstrating high flexibility and adaptability. Finally, we will thoroughly examine the group's arsenal and its evolutionary trajectory.
This talk explores eight C2 tools, analyzing their communication methods and detection strategies. Tools discussed include Metasploit, Mythic, Merlin, CobaltStrike, Sliver, BruteRatel, DropboxC2C, and SaucePot C2. Detection focuses on behavior-based methods, network traffic analysis, and machine learning. Practical defense techniques will also be covered to strengthen cyber resilience.
This talk will be based on TeamT5's extensive experience in providing Managed Detection and Response (MDR) services, exploring the challenges and pain points encountered during the threat hunting process. Through real-world case studies, we will discuss the obstacles faced in live environments and how threat hunting techniques can be leveraged to detect traces of Advanced Persistent Threat (APT) groups, especially in response to their evolving attack strategies.
Analyze the cybersecurity risks enterprises may face when managing both cloud and on-premises environments from a Blue Team perspective, using a real case study. Explore potential improvements based on relevant security frameworks and use the Cyber Defense Matrix (CDM) to assess applicable measures at each stage. Align real incidents with the CDM framework to illustrate actionable steps, helping security managers explore different aspects of hybrid cloud security governance.
This presentation is about a malicious campaign operated by a Chinese-speaking threat actor, SneakyChef, targeting government agencies, likely the Ministry of External/Foreign Affairs or Embassies of various countries since as early as 2023, using SugarGh0st RAT and SpiceRAT.
Talos assesses with high confidence that SneakyChef operators are likely Chinese-speaking based on their language preferences, their usage of variants of Gh0st RAT, a popular malware of choice among Chinese-speaking actors, and the specific targets, which include the Ministry of External Affairs of various countries and other government entities, with the motive of espionage and data theft.
Their notable TTPs include spear-phishing campaigns, DLL side-loading, a custom C2 communication protocol, and abusing legitimate applications.
SneakyChef has used various techniques in this campaign with multi-staged attack chains to deliver the payloads SugarGh0st and SpiceRAT. Throughout this presentation, I will discuss various attack chains and the techniques the threat actor has employed to establish persistence, evade detection, and implant the RATs successfully.
Finally, I will share the indications of SneakyChef’s origin as a Chinese-speaking actor and the attribution of the SugarGh0st and SpiceRAT attacks to them.
In this presentation, I will share with the audience the process and significance of applying for membership in FIRST (Forum of Incident Response and Security Teams). As global information security threats become increasingly severe, ASUS is committed to providing secure and reliable products and services to our global users and partners.
Throughout this session, I will explain how to use the SIM3 v2 interim Self Assessment Tool to conduct a comprehensive self-evaluation, fully understanding the maturity of our CSIRT/PSIRT and devising improvement plans. I will also discuss how we identified suitable sponsors for recommendations and on-site visits, ensuring the completeness of membership application materials. Additionally, I will detail the process of filling out the FIRST Membership Interest Form and the New Full Member Team Application, from expressing interest to formally submitting the application, ensuring each step is carried out smoothly.
Finally, I will share our experience after joining FIRST as a member, including leveraging the FIRST MISP threat intelligence platform, participating in Special Interest Groups (SIGs), and FIRST events. These resources and opportunities will greatly enhance our response capabilities and professional growth. Through this sharing, I hope to help everyone better understand the significance and process of joining FIRST.
Residential Gateways (modems) have become a very common device around the world, usually provided by the ISP along with a broadband subscription. While consumer routers have frequently been compromised by botnets or exploited as infrastructure for nation-state attackers, RGs have so far seen little discussion, despite being in a position on par with consumer routers.
We reviewed popular broadband network standards (DSL, DOCSIS, xPON), remote management standards (TR-069/CWMP), and reverse engineered 14 different RGs from 11 ISPs, across 8 different countries, including from G7. We analyzed all RGs' hardware components, dissected and inspected all firmware, using a set of firmware dissectors and decryptors that we developed to deal with the proprietary formats. We discovered that most RGs lack modern software and hardware protection mechanisms such as ASLR, TrustZone and secure boot, and are commonly vulnerable to low complexity attacks such as weak credentials, buffer overflows and command injections, enabling installation of undetectable, persistent backdoors on RGs.
Furthermore, we've found some ISPs' infrastructure to be exposed directly to the Internet, often with either easily exploited, outdated or sanctioned devices, which we will demonstrate. Combined with vulnerabilities with low-to-mid attack complexities within RG and ISP infrastructure, we're able to demonstrate one actual case of a full, permanent compromise of an estimated four million RGs of the largest ISP in a top-20 country. This was reported to the ISP and has been fixed since.
As generative AI becomes increasingly popular, a myriad of applications are springing up rapidly. However, what severe consequences could arise if such powerful AI is exploited by hackers? The corresponding attack technique, Prompt Injection, has topped the OWASP AI security issues ranking for two consecutive years.
This presentation will delve deeply into the attack methods of Prompt Injection, from the users of generative AI to internal systems, analyzing which stages may be vulnerable to attacks, and how to safely use generative AI.
Taiwan is regularly targeted by cyberattacks from multiple sources due to its geopolitical situation. Recently, we observed cyberattacks targeting companies in Taiwan, including those in manufacturing, healthcare, information technology, and other sectors. The attacks involved phishing emails with identifiable characteristics, along with the distribution of multiple executable files. Among these attacks, Smokeloader's features are separated into multiple modules and AndeLoader delivers infostealer with Microsoft Office documents. Once the attacks succeed, the companies will be exposed to the risk of backdoor infections and data exfiltration. In this presentation, we will thoroughly reveal the attack chain and uncover the techniques employed during the attack.
The popularity of low-orbit satellites for enterprise, civil and critical infrastructures has made the security of satellite communications a growing global concern. As a result, many satellite solution providers are facing the issue and trying to solve it by encrypting traffic between user ground devices and high altitude satellites to avoid possible jamming attacks from the ground or even man-in-the-middle hijacking and manipulation. But does encryption really equal security?
In this session, we will go along with the audience on a journey to explore terrestrial broadcasting attacks, starting from two academic studies to explore how hackers can find encryption flaws in the hardware and software design architecture of satellite modem products, inject malicious firmware upgrades through man-in-the-middle hijacking and take down the remote execution again after dismantling the satellite communication equipment in a practical manner. We will explore the security costs of modern satellite modulation and demodulation process with its high firmware data transfer capability, the difficulties of man-in-the-middle identification for practical datacom-satellite communication, and how attackers can abuse the combination of these techniques and the possible threats.
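With the rapid development of medical information digitization, large hospitals are facing unprecedented cybersecurity threats and complex data management challenges. This session will take an in-depth look at how large hospitals can make good use of cloud technology to build a more flexible, efficient and comprehensively secure protection architecture, ensuring patient privacy, system stability and regulatory compliance, and will share best-practice strategies through real-world cases.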
Current corporate security measures or organizational structures are often planned from the perspective of products, information security governance frameworks, security policies, certifications, monitoring, or threat intelligence. This can lead to a focus on individual components without seeing the big picture, or vice versa. However, it overlooks the fact that the security planning of information systems or network designs is the key to strengthening the foundation and ensuring long-term security. This presentation will draw on 18 years of experience as a Security Architect in the InfoSec departments at Trend Micro and ASUS, to design a 'Secure by Design' and 'Security by Default' cloud security management framework.
As the cost-effectiveness of space technology increases, satellite networks are no longer exclusively used for scientific or military purposes. Low Earth Orbit (LEO) satellite technology is now more commonly used in OT environments for both private and government sectors. However, in 2024, global concerns over the Russia-Ukraine war and the Israel-Hamas conflict have resulted in a surge of aggressive attacks driven by geopolitical factors, with satellite networks becoming key targets influencing the outcome of these conflicts. The attack theories of the past are now being practiced in reality.
This research studies the structure of the space industry. Due to performance limitations and specific development needs, the space industry faces attacks that are difficult to defend directly. In addition to explaining these attacks through the ongoing APT (Advanced Persistent Threat) war, this talk aims to mitigate the impact on satellite users' OT environments. This research collects security principles related to satellite networks from the U.S., Europe, and Japan in recent years. From this, we have derived objective principles applicable to satellite network users.
You've probably all heard of EternalBlue. After The Shadow Brokers obtained and disclosed it in 2017, many Windows systems that could not be updated in time became victims. The most famous malware is the WannaCry ransomware, which used the disclosed EternalBlue exploit to infect hundreds of thousands of computers in May of the same year, spreading widely and affecting factories and critical infrastructure in numerous countries.
In this session, we will approach the topic from the perspective of network threat researchers, using the examples of EternalBlue and the malware that spreads based on EternalBlue. We'll demonstrate that even seven years later, attacks leveraging EternalBlue still persist. We'll explore how to utilize existing threat intelligence to develop network-based detections for classifying the suspicious network packets we currently receive. Furthermore, by applying these detections on our hunting engines, we'll present what kinds of malware we have collected, and examine the potential threats that EternalBlue attacks pose in today's environments.
In this session, we’ll explore how Artificial Intelligence (AI) can enhance cybersecurity by extracting attack vectors linked to vulnerabilities, offering a more proactive and efficient approach. Traditional methods of detecting vulnerabilities rely on security researchers manually reverse-engineering attack traffic and emulating potential attack behaviors. While effective, this process is time-consuming and exposes systems to risk during testing, increasing the likelihood of compromise in production environments.
AI addresses this challenge by automating the detection of attack vectors and behaviors tied to specific vulnerabilities. This capability enables security teams to identify suspicious activities without constant manual intervention or exposing live systems. By integrating AI into vulnerability prevention, organizations can reduce the risk of attacks in production environments. AI-driven systems can autonomously flag suspicious behaviors or protocols indicative of an active threat.
This AI-powered approach enhances vulnerability prevention, offering stronger and more automated protection, reducing the potential for system compromise and providing a higher level of security.
As hybrid cloud environments become increasingly prevalent, effectively managing and securing these diverse platforms has become a significant challenge. This session will focus on leveraging cloud governance solutions to enhance hybrid cloud security and help participants address current risks. Attendees will learn how to design and implement robust security policies and controls in hybrid cloud environments and explore practical approaches to integrating cloud security management solutions to improve security and visibility.
This talk will take the audience on an in-depth exploration of the current state and future trends of satellite networks and space cybersecurity. The focus will be on unveiling the security threats faced by modern satellite communication and control systems through offensive and defensive scenarios designed in CTF (Capture The Flag) competitions.
We will present case studies, technical analyses, and demonstrations to illustrate fundamental knowledge of satellite cybersecurity and common attack and defense techniques.
Through this talk, the audience will gain a deeper understanding of the importance of satellite cybersecurity, learn practical offensive and defensive techniques, and be inspired to explore further research in the field of satellite security.
There has been extensive discussion in Taiwan regarding the application of Artificial Intelligence (AI) in security defense. However, the security challenges faced by AI models have received comparatively less attention. This presentation will use the OWASP ML Top 10 to explore common security risks in machine learning, incorporating practical demonstrations of Deep Neural Network (DNN) attacks to thoroughly explain the principles behind each attack.
The presentation will cover the following topics: input data attacks (such as adversarial sample generation), data manipulation attacks (data poisoning), model inversion attacks, model stealing, and AI supply chain attacks. Through these cases, the audience will gain a clear understanding of how each security risk operates, enabling them to design effective defense and detection mechanisms.
Since the first known use of a UEFI Bootkit in 2018 by Lojax, a wave of similar threats has emerged, including MosaicRegressor, TrickBot, FinSpy, Especter, MoonBounce, CosmicStrand, and BlackLotus—sold on dark web marketplaces in 2022 and later open-sourced in 2023. This trend highlights the growing cybersecurity threat posed by UEFI Bootkits.
This presentation will provide an overview of Bootkit-related research, starting with fundamental UEFI background knowledge before focusing on how attackers bypass Secure Boot to execute malicious EFI applications and achieve persistence. Unlike BYOVD (Bring Your Own Vulnerable Driver) attacks, Bootkits intervene at the earliest stage of system startup, affecting the initialization of various OS components. Additionally, Bootkits can modify SPI Flash, allowing them to persist even after the operating system is reinstalled.
The session will also analyze the technical aspects of these attacks, including methods for bypassing security mechanisms and execution techniques during the Boot Loader phase. Potential detection and defense strategies will be explored, as well. While traditional antivirus solutions struggle to counter threats at the boot stage, attack preparation activities and post-exploitation behaviors can provide crucial detection opportunities. By shedding light on these threats, this presentation aims to raise awareness of UEFI Bootkits and their impact on modern cybersecurity.
Cisco Talos has discovered a new cyber threat known as "DragonRank." This sophisticated threat actor primarily targets countries in Asia and a select few in Europe, utilizing advanced malware such as PlugX and BadIIS for search engine optimization (SEO) rank manipulation.
DragonRank exploits vulnerabilities in web application services to deploy web shells, which are then used to gather system information and launch malicious payloads. Their arsenal includes the PlugX malware, which employs familiar sideloading techniques and leverages the Windows Structured Exception Handling (SEH) mechanism to ensure seamless and undetected execution. Additionally, they deploy BadIIS malware across compromised IIS servers, running various credential-harvesting utilities.
Our research has confirmed that over 35 IIS servers have been compromised in this campaign, with infections spreading across diverse geographic regions, including Thailand, India, Korea, Netherlands, and China. Furthermore, Talos has uncovered DragonRank’s commercial website, business model, and instant message accounts, leading us to assess with medium to high confidence that the group is operated by a Simplified Chinese-speaking actor.
This session will delve into the tactics, techniques, and procedures (TTPs) employed by DragonRank, providing valuable insights into their operations and methods. We will also discuss the implications of this threat and offer guidance on how to bolster defenses against such sophisticated cyber attacks.
Historically, the high costs associated with satellite manufacturing, design, and launch limited satellite production to government agencies or research institutions. However, in recent years, the development and widespread use of small satellites have emerged due to the significant reduction in launch costs associated with their smaller size. Consequently, projects developing satellite protocols and DIY cube satellites have proliferated. This study shares insights into classic vulnerabilities identified in past satellite attack research, along with new security issues we have discovered. We focus on a recent open-source satellite project, SPACECAN, and the decade-old open-source satellite communication protocol, libcsp, which is already in use by satellites. Our research identifies three vulnerabilities in the SPACECAN project related to CAN bus message transmission and highlights a flaw in message verification within the libcsp project. By revealing these vulnerabilities, we aim to raise awareness about the security of satellite communication systems, advocate for secure implementations in open-source satellite projects, and provide actionable recommendations to mitigate these risks.
Using artificial intelligence to generate IPS rules has excellent potential to enhance network security, especially in detecting complex and evolving threats. However, it is not a panacea. AI models can generate rules that are too broad or too specific, leading to false positives (over-alarming) or false negatives (missing threats). Many AI-generated rules may degrade the performance of IDS, especially in high-throughput networks. Based on the evaluation, a hybrid approach combining the strengths of AI and human expertise may be the most suitable approach for generating AI-driven IPS rules.
1. Experience Sharing on Cloud-Native System Sharded Encryption Backup Implementation:
In line with the cloud backup and recovery enhancement plan for critical administrative systems, a comprehensive cross-cloud sharded encryption backup architecture was constructed and exercised in 2024.
2. Future Outlook on Cloud-Native Application Protection Platform (CNAPP) and Cloud Governance Framework:
During the implementation of the above project, the cloud-native system adopted CNAPP for configuration compliance, security posture management, and vulnerability threat protection. Additionally, the plan aims to extend related results to other units utilizing public cloud services, ensuring effective implementation of cloud governance policies. The framework for two major Landing Zones within the department's cloud environment is also under development.
Red Goes Purple: CTEM, BAS & MITRE ATT&CK in Real-World Red Team Ops
This talk dives into next-level Red Teaming, where CTEM and BAS aren’t checkboxes but offensive weapons. With cyber threats evolving, it’s time to move past outdated pentesting and systematically identify, exploit, and reduce attack surfaces before adversaries do.
At the core is MITRE ATT&CK, but most teams still treat it as a checklist. I’ll show you how to weaponize ATT&CK, integrating CTEM and BAS to expose blind spots, disrupt blue teams, and stress-test real-world defenses.
We’ll also explore Generative AI (GenAI) in offensive security—attackers are already using AI-driven polymorphic malware, automated recon, and adaptive social engineering. If you're not integrating GenAI into your ops, you’re already behind.
Expect hard-hitting case studies on evasion tactics, AI-assisted attacks, and turning threat intel into real adversary emulation. No fluff, no compliance talk—just raw Red Team strategies to push security beyond its limits. If you’re ready to hack smarter, move faster, and break defenses the right way, this session is for you.
This session will take a neutral stance, exploring the management and technical risks associated with using cloud services from both the client's and provider's perspectives. Aimed at cybersecurity professionals looking to get started with cloud security, the discussion will consider the challenges and experiences faced in practical operations, given the finite resources available to enterprises.
We will delve into common cloud technology issues and their solutions, analyzing real-world scenarios to highlight various usage risks. Topics will include experiences with distributed and centralized cloud management, identity and access management security, virtual network architecture, workload security, relevant cybersecurity frameworks, cloud storage service misconfigurations, resource status considerations, and practical experiences. Our goal is to provide insights into architectural design, compliance, and technical solutions.
The rapid development of generative AI technology introduces new security and compliance challenges. Relying solely on model providers is insufficient to mitigate these risks. This talk will present real-world cases to highlight potential threats and introduce the latest model protection techniques, such as Llama Guard.
Additionally, the session will explore security and compliance frameworks for deploying generative AI, covering key design considerations, implementation details, and real-world adoption cases. Attendees will learn how to integrate AI protection measures into system design and gain valuable insights into managing compliance risks.
Whether you are a decision-maker, cybersecurity expert, or architect, this session will provide essential knowledge on building a secure foundation in the era of widespread generative AI adoption.
Cars and IoT devices have various cybersecurity attack surfaces, including mobile apps, radio signals, cloud servers, and physical access. As technology advances, these devices are increasingly connected, providing convenience while also expanding the potential attack vectors for malicious actors. This talk will explore security concerns in cars and IoT devices from an attacker's perspective, using real-world examples to illustrate potential vulnerabilities.
As attack techniques targeting the Windows platform continue to evolve, attackers are increasingly using LNK files as an attack vector. LNK files are a common shortcut file format in the Windows system, designed to point to applications or file locations, providing convenient access. However, this convenience also becomes a gateway for malicious attacks. This report delves into how attackers exploit LNK files to execute infections on the Windows platform and analyzes the prevalent attack methods currently in use.
In this AI revolution, various Transformer-based models have successfully brought AI intelligence into everyday life and commercial applications through GPT-powered chatbots. This surge has led top-tier cybersecurity solutions to demonstrate that automated forensics and network management assistant chatbots can effectively support security investigations and response needs in practice, such as Defender Copilot. However, LLMs still struggle with their inherent hallucination issue, and their abilities can't fully address unexpected attacks from real-world threats.
Therefore, can we develop an AI detection engine that operates without human interaction, enabling 24/7 full-scope monitoring without the need for network administrators or forensic analysts? The vision is to deploy a pre-trained, on-premises AI agent capable of autonomously performing reverse engineering, reasoning, identification, and automated response in real time, without human intervention. This concept represents a new approach to next-generation endpoint detection and protection. Can we absorb the expertise of reverse engineers into a specialized AI model by leveraging large-scale samples?
In this session, we will take the audience on a journey through academic research in pursuit of autonomous reverse engineering. We will explore how to transition from classic Attention-based Neural Machine Translation (NMT) models to AI agents with symbolic understanding and reasoning capabilities, ultimately training them as practical endpoint detection and reverse reasoning engines.
As businesses transition to cloud environments, Kubernetes (K8s) has become an essential tool, offering scalable flexibility for container services, and forming the backbone of modern cloud infrastructure. However, its complexity introduces significant security challenges. Misconfigurations are a primary risk, potentially leading to unauthorized access, data breaches, and service disruptions. With stricter global regulations on data privacy and cybersecurity, organizations must ensure K8s deployments comply with legal requirements. This agenda examines compliance needs, common attack methods targeting K8s and container services, and provides actionable recommendations to help businesses build secure, reliable K8s environments, reducing risks and enhancing operational resilience.
This talk focuses on a review of high-risk vulnerabilities in Taiwan's 10 most common network device brands. The objective is to reveal the current state of vulnerabilities in these devices and the behavior patterns of attacker groups. The research is based on large-scale wide-area scanning, analyzing the number and types of device vulnerabilities, and further exploring their relationships with regional distribution and protocol characteristics. The presentation will delve into how attacker groups exploit these vulnerabilities, including their methods and common techniques, with a particular emphasis on trends in attack behavior and their impact on device security.
With the rapid iteration of Large Language Model (LLM) reasoning models and AI Agents, LLMs have become critical technology components driving efficiency and innovation across industries. However, the complexity of the use cases and AI risks pose significant challenges for organizations adopting LLM technologies.
This session will explore the challenges of LLM risk evaluation and introduce the LLM-as-a-Judge framework, an innovative approach that leverages LLMs to evaluate, identify, and further mitigate risks of LLM systems. The speaker will provide an in-depth analysis of LLM-as-a-Judge’s architecture and key success factors, offering insights into how organizations can enhance AI systems' security and trustworthiness through advanced LLM evaluation methodologies. This session aims to establish a solid foundation for organizations in AI risk management, ensuring safe, reliable and trustworthy AI system deployments.
With the rapid development of smart car technology, seamless connectivity between vehicles and various smart devices has become a major highlight in enhancing the driving experience. However, this also presents significant challenges to Bluetooth security. As the primary communication protocol between smart cars and devices such as smartphones, headphones, and entertainment systems, Bluetooth is vulnerable to hacker attacks, potentially leading to personal data leaks or remote control of vehicle systems. Therefore, strengthening the security of Bluetooth communication has become a critical issue in ensuring the safety of smart vehicles.
In this session, we will examine several recent Bluetooth vulnerabilities related to the automotive industry. We will begin by discussing implementation flaws in Bluetooth for several charging stations in 2024 as an entry point. Then, we will cover the Tesla combination attack in 2023, which resulted from implementation errors in a vendor SDK. Following that, we will explore vulnerabilities caused by implementation flaws in the Linux Bluetooth subsystem and undefined behaviors in the Bluetooth specification. Finally, we will conclude with key considerations for Bluetooth development and mitigation measures.
1. Traditional on-premises security protection strategies are no longer sufficient to handle the complexities of the cloud. Cloud environments are characterized by dynamic scaling, multi-tenancy, and other features that make security threats more difficult to predict and prevent.
2. The security responsibility model in the cloud environment is vastly different from that of on-premises. You need to understand the scope of the cloud provider's security responsibilities and deploy additional monitoring measures tailored to your own business needs. This presentation will analyze the key differences between the two to help you develop a more comprehensive security strategy.
3. The MITRE ATT&CK framework is an effective tool for understanding and classifying attacker behavior. We will introduce how to use the MITRE ATT&CK cloud matrix to identify potential threats in the cloud environment and strengthen defense measures.
4. Effective cloud security monitoring relies on comprehensive log data. The presentation will explore the major log types that need to be collected in the cloud environment, such as cloud service activity logs, virtual machine system logs, network traffic logs, etc., and explain how to analyze these logs to identify abnormal activities.
5. Establishing effective monitoring rules is the key to timely threat detection. We will share practical experience, explaining how to set monitoring rules and alert thresholds, and how to combine automated tools to improve the response speed of security incidents.
Malware rules are a cornerstone of modern security solutions, and also a researcher's nightmare. Although they offer low false positives and high accuracy, they require analysts to spend time WEARING GLASSES to find unique strings in binaries to use as patterns for detection. This consumes expert time and has become a major pain point for the current security industry. Whether artificial intelligence can be introduced to solve the problem of writing patterns for large-scale malware has therefore become a question the whole industry is looking forward to seeing answered, and a hot academic topic in cybersecurity.
In this session, we will start with two innovative studies conducted by AAAAI based on NVIDIA's top-level seminar on how to slice malware binaries into semantic sub-patterns from the perspective of n-grams, and extract high-entropy, developer-specific strings as rules to be effectively detected by a convolutional vision strategy, with a detection rate of 98% in a double-blind test of 800,000 samples, demonstrating excellent semantic detection performance. At the end of the session, we will summarise the advantages, disadvantages and limitations of this method in products, to help the audience develop a strong interest in and understanding of this kind of detection technology.
Cloud platforms and SaaS applications have become the trend for enterprise deployments. Organizations typically adopt SSO solutions for centralized identity management and simplified user login processes. For enterprises with an Active Directory (AD) domain, a common approach is to synchronize or delegate authentication, passing on-premises identity to an Identity Provider (IdP) such as Entra ID or Okta, which then integrates with other cloud services (e.g., AWS, GCP) or SaaS applications.
The underlying protocols such as SAML and OIDC are also used for Workload Identity cross-platform resource access. However, the security of these protocols relies on the trust relationship between the IdP (including AD) and cloud service providers (CSPs). Once an IdP component is compromised, services would be exploited, posing an overall threat to the entire organization.
This talk provides an in-depth analysis of threats targeting on-premises IdP components, including Golden SAML and Agent Spoofing attacks, as well as potential weaknesses in Workload Identity within multi-cloud and hybrid environments. It also examines the impact of IdP misconfigurations (e.g., Silver SAML) and proposes Best Practices to strengthen security boundaries and mitigate cross-platform identity threats.
This study reveals that Apple CarPlay dongles/adapters manufactured by large-scale OEM vendors in the market pose numerous security risks. Devices that are intended to provide convenience for users can potentially become entry points for hackers. This presentation will share the research motivation and process, explore methods for securely implementing IoT devices, and discuss ways to reduce the attack surface.
We present a User Impersonation Attack in multiple SSL VPNs, including Cisco, Palo Alto, Fortinet, and SonicWall. Our attack allows the attacker to bypass any intended firewall and routing rules and therefore to explore freely within an SSL VPN-protected network without restrictions, while being connected from the Internet. We dubbed this attack “VPN Gremlin”, as if a gremlin has tampered with the intended firewalling and routing rules. We will also present our research behind this vulnerability, which includes our analysis and reverse engineering of the network firewalling and routing mechanisms of popular SSL VPNs.
Our findings stemmed from our research focused on multiple major SSL VPN implementations, as vendors have seen rapid expansion with the rising need for teleworking, yet it’s another example of “security through obscurity” as breach incidents around SSL VPN gateways are unusual. We, however, are also astonished by the fact that we can demonstrate our attack using the same method on four different vendors.
We intend to shed light again by diving into the implementation of routing and firewall rules on different vendors, from firmware extraction to reverse engineering of their networking stacks, and will demonstrate our methodology for fuzzing their VPN tunneling implementations. We will also demonstrate our (to-be open-sourced) tools for testing multiple SSL VPN tunneling protocols.
In recent years, the GenAI wave has swept across a wide range of industries, and the automotive sector is no exception. Whether it’s improving customer experience, enhancing driving safety, or detecting road hazards, many manufacturers are exploring ways to use LLMs or GenAI to boost product value. One major automotive chip maker—Qualcomm—painted a compelling vision at its Tech Day in October 2024 for integrating GenAI and other next-generation service models into future automotive platforms.
However, bringing GenAI—cultivated on large GPU clusters in the cloud—down to on-premises or even in-vehicle systems is no simple task, and it comes with a variety of new security risks. This presentation will be divided into two main parts. In the first part, we will discuss the architecture and solutions available for practically deploying GenAI into vehicles. In the second part, we will analyze the security risks of each approach, including functionalities that have already been shown to pose concerns, as well as a forward-looking security assessment for large-scale adoption of this technology. Finally, we will provide relevant security recommendations.
In this deep dive session, we'll explore fundamental yet often overlooked aspects of cloud security that every organization should address. Drawing from real-world consulting experiences, we'll discuss why many organizations struggle with cloud security, particularly in shared responsibility, security governance, and incident response readiness.
Through practical examples and lessons learned, attendees will learn how to move beyond compliance tick-box exercises to establish adequate cloud security controls. We'll examine the actual cost of security operations and demonstrate how proper preparation and automation can enhance security posture and operational efficiency. This session will provide actionable insights for organizations at any stage of their cloud journey, helping them build a robust security foundation aligned with industry best practices.
SCCM (Configuration Manager) is a solution provided by Microsoft to help enterprises centrally manage the configuration and software deployment of Windows computers, servers, and other devices. With the advancement of security research in AD CS, potential security risks in Microsoft's AD-related services have become a focus of attention. SCCM, due to its highly interactive nature with devices, has been found to have more than 20 known security concerns. These risks include, but are not limited to, low-privilege domain users potentially gaining control over Tier 0 assets such as MSSQL, SMS, and AD CS.
This session will focus on the security issues of SCCM, providing an in-depth analysis of its operational principles and common misconfigurations that might serve as entry points for attackers.
Large Language Models (LLMs) are increasingly being applied across diverse scenarios and platforms, reflecting their rising importance in today's technological landscape. Despite their growing prevalence, however, LLMs themselves remain relatively vulnerable at their core. Beyond the well-known attacks such as prompt injection and jailbreak, a variety of new offensive and defensive techniques targeting LLMs have emerged over the past year. Attackers continually devise innovative methods to circumvent model defenses, and even the original prompt injection and jailbreak attacks have evolved in new and unexpected ways.
These developments underscore the need for heightened vigilance when utilizing LLMs. The purpose of this talk is to convey up-to-date knowledge on LLM attacks and defenses, helping attendees gain a deeper understanding of how to protect these systems by implementing suitable security strategies. We will also briefly explore approaches for testing AI models, systems, and products. This is not merely a technical issue; it involves ensuring the security and reliability of LLMs in an ever-changing digital environment. By the end of this session, participants will have a clearer grasp of these challenges and be better prepared to handle various potential security concerns in their future work.