One major presentation was «The Anatomy of China’s Hacker Ecosystem,» presented by Steve Su, Aragorn Tseng, and Chi-Yu You from Google Mandiant. They examined the operations of a Chinese Advanced Persistent Threat (APT) group that engages in both espionage and financially motivated cyberattacks. The speakers explored multiple campaigns involving different malware such as GRAYRABBIT and BLACKSTUDIO, focusing on methods of compromising systems, including SEO poisoning and phishing tactics targeting Chinese speakers. They concluded that the APT group’s adept use of modern technologies underscores their efficiency.
The presentation «Stealth in the Shadows» by Theo Chen and Leon Chang analyzed Earth Freybug, another Chinese APT active since 2012, which primarily targets the chemical and transportation industries in Asia, particularly Taiwan and Japan. The speakers walked through campaigns that exploited vulnerabilities in IBM Lotus Domino and Exchange servers, detailed the methods and tools the attackers used for lateral movement and data collection, and emphasized the need for network segmentation and privilege management to mitigate the risk.
Yusuke Nakajima from NTT Data presented «IoC LIGHT,» sharing challenges faced in managing Indicators of Compromise (IoCs). He described issues like limited registration capacity for IoCs and the burden of outdated ones leading to false positives. Solutions included developing prioritization and deletion criteria based on the IoC lifecycle model to improve operational efficiency, thereby aiding the team in addressing emerging threats.
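As an added illustration (not code from Nakajima's talk, whose actual criteria are not described in this summary), the following Python models the lifecycle idea: each IoC's priority decays with time since it was last observed, expired or low-scoring IoCs are deleted, and a registration capacity limit keeps only the highest-priority entries. The retention windows, scoring formula and sample indicators are assumed values constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed per-type retention windows in days (hypothetical, not NTT Data's criteria).
TTL_DAYS = {"ip": 30, "domain": 90, "hash": 365}


@dataclass
class Ioc:
    value: str
    kind: str                # "ip", "domain" or "hash"
    confidence: float        # analyst confidence at registration, 0.0 to 1.0
    first_seen: datetime
    last_observed: datetime  # last time it appeared in telemetry or a report


def age_days(ioc: Ioc, now: datetime) -> int:
    return (now - ioc.last_observed).days


def score(ioc: Ioc, now: datetime) -> float:
    """Priority: confidence decays linearly to zero over the type's retention window."""
    remaining = max(0.0, 1.0 - age_days(ioc, now) / TTL_DAYS[ioc.kind])
    return round(ioc.confidence * remaining, 3)


def is_expired(ioc: Ioc, now: datetime, min_score: float = 0.1) -> bool:
    """Deletion criterion: past the retention window, or too low-priority to keep."""
    return age_days(ioc, now) >= TTL_DAYS[ioc.kind] or score(ioc, now) < min_score


def prune(iocs: list, now: datetime, capacity: int):
    """Drop expired IoCs, then keep only the top `capacity` by score.

    Returns (kept, dropped) so stale entries are removed from detection rules
    instead of generating false positives."""
    live = [i for i in iocs if not is_expired(i, now)]
    live.sort(key=lambda i: score(i, now), reverse=True)
    kept = live[:capacity]
    kept_values = {i.value for i in kept}
    dropped = [i for i in iocs if i.value not in kept_values]
    return kept, dropped


NOW = datetime(2025, 1, 21)  # constructed reference time
SAMPLE = [  # constructed, non-real indicators (documentation ranges / placeholder hashes)
    Ioc("203.0.113.10", "ip", 0.9, NOW - timedelta(days=40), NOW - timedelta(days=35)),
    Ioc("198.51.100.7", "ip", 0.8, NOW - timedelta(days=10), NOW - timedelta(days=2)),
    Ioc("c2.example.invalid", "domain", 0.6, NOW - timedelta(days=60), NOW - timedelta(days=20)),
    Ioc("a" * 64, "hash", 0.95, NOW - timedelta(days=200), NOW - timedelta(days=100)),
    Ioc("b" * 64, "hash", 0.3, NOW - timedelta(days=360), NOW - timedelta(days=340)),
]
```

Running `prune(SAMPLE, NOW, 2)` keeps the recently seen IP and the high-confidence hash and drops the expired IP, the low-scoring old hash, and the domain that falls outside the capacity limit.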
In «Evolution of Huapi Malware,» Yi-Chin Chuang and Yu-Tung Chan from TeamT5 discussed the long-running Huapi group’s evolving techniques, specifically its targeting of edge devices. They noted that these campaigns now refine Unix-based malware so that compromised edge devices can be used more effectively as part of the group's command-and-control (C2) infrastructure, which increases the sophistication of its operations.
Leon Chang and Theo Chen also presented on «Game of Emperor,» revealing the espionage activities of the Earth Estries group, which has targeted government and telecommunications sectors across multiple countries since at least 2019. Their analysis detailed two campaigns wherein the attackers exploited known vulnerabilities in public servers, deploying specific malware tools like DEMODEX and SNAPPYBEE to infiltrate and exfiltrate data.
Jeonggak Lyu from FSI shared insights from the platform lazarus.day, which consolidates North Korean threat intelligence. He discussed threat actor motivations, the CTI lifecycle, and the importance of automation in threat reporting. His findings highlight the need for clear objectives when putting threat intelligence to use.
Dongwook Kim and Seulgi Lee from KrCERT/CC illustrated the TTPs of the North Korean group Andariel, which exploits centralized management solutions. They urged organizations to improve security around third-party solutions and conduct regular audits, particularly given the group’s focus on zero-day attacks.
The presentation from Hankuk Jo, Sangyoon Yoo, and Jeonghee Ha emphasized tactics used by Kimsuky to target individuals related to South Korea’s naval institutions using deceptive social engineering techniques.
Lastly, Amata Anantaprayoon and Rintaro Koike’s analysis of DarkPlum operations showcased tactics targeting Japanese academic institutions, including the use of decoy documents and malicious files through communication channels like Facebook Messenger.
In summary, JSAC 2025’s first day showcased a variety of complex cyber threats and the evolving tactics of various APT groups, underlining the necessity for advanced countermeasures and continuous education in cybersecurity practices. This overview serves as a prelude to the subsequent presentations scheduled for Day 2 of the conference.