Jair Chen

TXOne Networks Inc. / Senior Threat Researcher, PSIRT and Threat Research

Jair Chen is a senior threat researcher on TXOne Networks’ PSIRT and Threat Research team. He specializes in building threat intelligence systems and tracking potential attack organizations as well as emerging attack techniques. His research spans the detection and defense against malicious behaviors in virtualization environments, on-premises systems, and cloud environments. Jair has developed an enterprise-grade APT behavior analysis engine that uncovers hidden hacker attacks by correlating suspicious behaviors across multiple dimensions. With over ten years of extensive experience in the cybersecurity field, he is dedicated to delivering advanced security solutions.

SPEECH
4/16 (Wed.) 13:00 - 13:30 1F 1B AI Security & Safety Forum Lunch Learning Session
Why do We Need Signature, if I can bring you a Neural-Experts by LLM

Modern detection engines use auto-sandboxing or AI classification to sort input samples into specific malware types, such as virus, dropper, etc. However, given the complex landscape of modern warfare, attackers tend to design more sophisticated malware to evade detection. Furthermore, a single piece of malware may incorporate multiple attack behaviors, making it inappropriate to classify it into one specific category. According to USENIX research in 2022, IT managers receive more than 100K alerts daily, but 99% of them are false alerts raised by AV/EDR, which makes it difficult to notice the real 1% of attacks without sufficient expert knowledge.

Due to the lack of explanation, detection engines often misclassify benign programs as malicious, which further erodes end users' trust in detection results and leads them to manually override the AV/EDR verdict and run the program under a trusted status.

Motivated by this pain point, we propose a new method of building an AI reversing expert based on Llama GPT. We let ChatGPT capture decompilation knowledge as chain-of-thought (CoT) reasoning and leveraged Llama's inference capability for contextual comprehension of binary assembly, building a reversing expert that successfully learned those reverse engineering strategies. Our AI model can identify specific malicious behaviors and explain the potential consequences and underlying risks. We demonstrate its effectiveness in large-scale threat hunting on VirusTotal, successfully detecting complex samples that are hard to capture with simple classification. At the end of this briefing, we will share a practical demo of our Neural Reversing Expert's capabilities in analyzing real-world samples.

4/17 (Thu.) 09:30 - 10:00 1F 1A Space Cybersecurity Forum Live Translation Session
Encryption != Cure? Chainup Ancient Flaws with Space Jamming from DoS to RCE on LEO

The popularity of low-orbit satellites for enterprise, civil and critical infrastructures has made the security of satellite communications a growing global concern. As a result, many satellite solution providers are facing the issue and trying to solve it by encrypting traffic between user ground devices and high-altitude satellites, to guard against ground-based jamming attacks or even man-in-the-middle hijacking and manipulation. But does encryption really equal security?

In this session, we will take the audience on a journey through terrestrial broadcasting attacks, starting from two academic studies to explore how hackers can find encryption flaws in the hardware and software design architecture of satellite modem products, inject malicious firmware upgrades through man-in-the-middle hijacking, and then achieve remote code execution, demonstrated in practice after dismantling the satellite communication equipment. We will explore the security costs of the modern satellite modulation and demodulation process with its high firmware data transfer capability, the difficulties of man-in-the-middle identification for practical datacom-satellite communication, and how attackers can abuse the combination of these techniques, along with the possible threats.

4/17 (Thu.) 16:15 - 16:45 7F 701H Cyber-Physical System Security Forum
Never Derail: Safeguarding Rail Systems in Critical Infrastructure

"Attacks on rail systems have increased by 220%." Last August, a retired official from the U.S. National Security Agency (NSA) pointed out that threats to railways have become the spark that ignites warfare in regional conflicts. In recent years, incidents such as train hijackings, railway paralysis, and the cutting off of supply lines have emerged as new national security concerns worldwide. In response, the U.S. National Institute of Standards and Technology (NIST) and the Transportation Security Administration (TSA) jointly issued more stringent rail safety standards in October 2022 to counter these threats and protect critical transportation systems like subways, railways, and train networks.

However, due to the early development of railway and train control systems, many insecure train signaling systems have been widely adopted around the world and have become the mainstream choice for both public transportation and freight operations.

To fully explore the scope of these threats, this session will consolidate and review the six major systems used in global railways and public transportation (e.g., CBTC, ATP, ATC, and PZB) and examine their underlying track signaling control systems. We will begin with research on ATS (Automatic Train Stop) presented at CODE BLUE 2024, a classic system that has been extensively deployed in Japan and Europe. Its signaling design is intended to automatically stop a train in the event of an emergency, without requiring human intervention. However, once attackers gain sufficient understanding, they can exploit this mechanism to control train operations; even the modern ATC (Automatic Train Control) systems used in North American railways carry similar risks.

The session will cover topics including braking devices, automated signal-based braking, and the communication design and security risks associated with HOTT (Head of Train Telemetry) and EOTT (End of Train Telemetry), along with real-world replay signal attacks. It will conclude with recommendations for preventive measures, aimed at guiding the future development and planning of rail cybersecurity systems to safeguard critical rail infrastructure.