Opening

Chiao-Lin Yu (Steven Yu)

Chiao-Lin Yu, also as known as Steven Yu, Steven Meow is a security researcher at Trend-Micro Taiwan. He completed his M.S. degree in Jul. 2022 in Electrical Engineering at the National Taiwan University of Science and Technology, Taipei, Taiwan. He specializes in Penetration Testing and Red Teaming skill. He has OSWE, OSCP, and LPT certificates and currently focuses on web security and honeypot development.

Jiann-Liang Chen

Prof. Chen was born in Taiwan on December 15, 1963. He received the Ph.D. degree in Electrical Engineering from National Taiwan University, Taipei, Taiwan in 1989. Since August 1997, he has been with the Department of Computer Science and Information Engineering of National Dong Hwa University, where he is a professor and Vice Dean of Science and Engineering College. Prof. Chen joins the Department of Electrical Engineering, National Taiwan University of Science and Technology, as a Distinguished professor now. His current research interests are directed at cellular mobility management, cybersecurity, personal communication systems and Internet of Things (IoT).

HoneyRASP - A Honeypot Powered by RASP Technology

This study uses the Runtime Application Self Protection (RASP) technique to build a honeypot system to capture unknown vulnerabilities. The system applies the microservices method to place each service into different containers, and it can prevent the attack, deploy and maintain easily. Through RASP techniques monitoring the PHP application’s control flow could target the various defense evasion tactics and reach the accuracy better than the Web Application Firewall (WAF). Unlike other open-source honeypots, they are easy to be discovered. The proposed system migrates easily to build the customization honeypot for all organizations. The proposed concept in this study can help enterprises to capture the threats in their products and not be limited by off-the-shelf products; the proposed system is also exempt from the current product weakness - easy to be discovered. According to OWASP Top 10 - 2021 and Common Weakness Enumeration (CWE), this study proposed five kinds of web application vulnerabilities in PHP: Directory Traversal, Local / Remote File Inclusion, Command Injection, Web Shell Uploading, and SQL injection. Map them into the Tactics and Techniques in MITRE ATT&CK Enterprise Matrix. In this study, the RESTful API Server receives the data from each honeypot node and throws a web interface to present the system. The data shown in the system contain the source IP, function debug call stack, raw request, and Tactics, Techniques, and Procedures (TTP). 25 CVE vulnerabilities applied from Exploit-DB, GitHub, and WPScan, and all of the PoC tests in our RASP Honeypot system were captured. Last but not least, to evaluate the system, we also wrote the obfuscated web shell and placed them into our system. The obfuscated web shell can bypass all of the anti-viruses systems in the VirusTotal, but it can be detected in our system.

Naoki Takayama

He is a student at the University of Tsukuba, Faculty of Informatics, Department of Computer Science. He is engaged in research and development of tools for malware analysis and reverse engineering. Lecturer at Security Camp National Conference 2022, etc.

Investigation and analysis of malware spreading via MSI package files

One of the most common methods used by attackers to spread malware is through the use of MSI package files. Although this method has been used for a long time, some attacks have become more sophisticated, such as disguising themselves as legitimate software installers or exploiting OS vulnerabilities. In this presentation, based on the internal structure of MSI package files, we will share the process of analyzing MSI package files actually used to spread malware infection, and the findings obtained from the analysis. Universal techniques useful for analysis, such as methods for removing obfuscation, will also be introduced.

Sh1n0g1

Belongs to Macnica Security Research Center. He is engaged in malware analysis, pen-testing tool development, and security service development. He enjoys evading detection of security products and has presented his own tools at Black Hat Arsenal and DEF CON Demo Labs.

Z9, the most powerful rogue Powershell script detection engine

PowerShell scripts are used in an increasing number of attacks each year for a variety of purposes, including malware downloaders, exploits, authentication information dumps, and backdoors. PowerShell is so widely used because it is easy to obfuscate, can be executed without files, can use the .NET framework and Windows APIs, and can execute native code. It uses multiple detection engines and de-obfuscation based on PowerShell execution logs. In this presentation, we will show the detection mechanism with a demonstration.

Break

Dennis Kengo Oka

Dr. Dennis Kengo Oka is a cybersecurity expert with more than 15 years of global experience in the automotive industry. He received his Ph.D. in automotive security focusing on solutions for the connected car. As a Principal Automotive Security Strategist at Synopsys, he focuses on security solutions for the automotive software development lifecycle and supply chain. Dennis has over 70 publications consisting of conference papers, journal articles and books, and is a frequent public speaker at international automotive and cybersecurity conferences and events. His latest published book is “Building Secure Cars: Assuring the Automotive Software Development Lifecycle” (Wiley, 2021).

Fuzz Testing Embedded Software in a CI Pipeline - A Practical Guide

Cybersecurity is becoming an integral part of the automotive industry. To this end, automotive organizations are performing various cybersecurity activities in the development process. For example, to detect unknown vulnerabilities in automotive software it is recommended to perform various types of testing such as fuzz testing and penetration testing. However, fuzz testing is often performed in a manual manner in the automotive industry today. This presentation outlines a practical step-by-step guide to building fuzz testing into a CI (continuous integration) pipeline using the Zephyr Project RTOS as an example. The Zephyr Project RTOS aims to be the first open-source real time operating system to achieve functional safety certifications making it applicable for use in automotive embedded systems. In terms of connectivity, Zephyr supports among others Bluetooth, Wi-Fi, IP, Ethernet and CAN. Our practical guide describes the various steps to build a fuzz testing process. These steps include identifying the target communication protocols to fuzz, defining a test strategy of when, what and how long to fuzz, executing fuzz testing on a continuous basis in an automated fashion, detecting exceptions on the target system, and managing the test results. Building fuzz testing into the CI pipeline enables automotive organizations to perform fuzz testing on a continuous basis and in an automated fashion. As a result, automotive organizations are able to detect and fix unknown vulnerabilities earlier in the development process which reduces the involved costs and overall improves the product quality.

Ta-Lun Yen

Ta-Lun Yen is a security researcher with interests in reverse engineering, protocol analysis, wireless security, embedded and IoT/ICS device security. He has been a member of a Taiwanese InfoSec community “UCCU Hacker” and has presented various research at well-known conferences and events, including Black Hat, CODE BLUE, HITCON and hardwear.io. Ta-Lun is currently working for TXOne Networks with a focus on offensive research.

Scanning the network for custom and complex services at scale: an example finding exposed The Data Distribution Service on the Internet

Back in Black Hat EU 2021, we introduced several remote accessible vulnerabilities for multiple implementations for the Data Distribution Service (DDS), a protocol used in industrial control, aerospace, maritime and military applications. Most vendors has fixed the vulnerabilities in recent months, however the users might not be updating their services in a timely manner. We built an internet-wide scanner to observe the overall distribution of DDS implementations, however as DDS is a complex protocol in its nature, and doesn’t run on any standard port number, we had to build our own scanner and implement a multi-tiered approach, while avoiding being detected as abusing the network at all. Our scanner identifies potential DDS nodes by scanning for possible exposed DDS ports according to the specifications. We then utilized a combination of techniques to verify the presence of DDS on the identified nodes. Once we had a list of confirmed DDS nodes, we can build a map of vulnerable nodes and their location. The results were alarming. We found that a significant portion of DDS nodes were vulnerable to at least one of the vulnerabilities we tested for. This means that attackers could potentially exploit these vulnerabilities to gain unauthorized access to the systems running DDS. In the future, we plan to continue our research into the security of DDS and other industrial control systems. We believe that it is important to raise awareness about the potential vulnerabilities in these systems, as they are often critical to the operation of infrastructure and services that we rely on in our daily lives. We also hope to work with vendors and users to improve the security of these systems and to ensure that they are properly secured against potential threats.

Richard Orman

Richard Orman is currently working as the SOC Lead at Paidy, the leading BNPL in Japan. Prior he worked as a security engineer at CACI and GDIT, two prominent US Defence contracting companies where he had direct experience deploying and managing Elasticsearch on a Kubernetes backend. He helped empower developers by bringing containerization and modernizing their development process with modern DevOps tooling.

Git Hooks for Improved Security in the Software Development Process

Git hooks are a powerful tool for automating tasks and enforcing policies in the software development process. In this presentation, we will explore how git hooks can be used to improve security in the development and deployment of software. We will cover the basics of git hooks, including different types and how they can be used. Through demos, we will show how to set up hooks to scan for vulnerabilities, run security tests, and block pushes of insecure code. By the end of the presentation, attendees will have a better understanding of how git hooks can be leveraged to improve the security of their software development processes.

Break

Tetsuya Takaoka

He mainly provides consulting services in the area of Offensive Security such as Red Team Operations and TLPT. He also teaches penetration testing training and shares his technical security knowledge on his blog. He currently holds certifications such as OSCP, CRTO, and Locksmith Level 2.

Kei Yoneyama

I work for a cybersecurity company evaluating security measures utilizing Red Team Operations and TLPT for major financial institutions and insurance companies. I switched from web development to the cyber security industry 8 years ago and have been involved in product evaluation, vulnerability assessment, penetration testing, web application security testing, Red Team Operations, and TLPT related to Offensive Security.

Holes in physical security that companies often overlook

In the RedTeam exercise, it is desirable to evaluate a company’s security posture by conducting simulated attacks from the three perspectives of cyber, social, and physical. However, few companies in Japan have undertaken physical assessments due to the need to coordinate with stakeholders in various fields, including building owners. Against this backdrop, we conducted an evaluation of several domestic companies from three perspectives, including physical, and found that physical-based attacks are easier than cyber or social attacks to penetrate a company and take away files that imitate confidential information. In this presentation, we will discuss the reasons why companies need to work on physical security and what they need to consider when conducting an assessment.

Hiroki Hada

Worked at SOC

Power Automate Packing

Power Automate is an RPA tool that runs in the cloud and has been known to be exploited by attackers because it is so useful. While it can be easily used by non-engineering users because it can execute flows with no code, it is not intuitive to implement bit processing and other functions provided by common programming languages. This presentation introduces the concept and demonstration of Power Automate Packing, which implements RC4 processing under these constraints and uses Power Automate Management to temporarily create and delete flows to execute payloads.

Closing