Events

Blackhat USA and Defcon 2015

Blackhat and Defcon 2015 are being held in Las Vegas this year in the Mandalay Bay and Paris hotels, with 9,000 people in Blackhat attendance and more at Defcon. While attending Blackhat is far more expensive, you are almost assured a spot at the talks you intend on attending. At Defcon, it appears that most attendees have been assured to wait in line to miss most of the talks they are interested in, with other folks yelling about it in the halls. The Defcon organizers chose a new venue for the conference this year, and it needs to be fixed.

bh_escalator

Blackhat had another fantastic lineup with some mind-blowing content, as in previous years. A wide range of topics were presented this year and we found several very interesting. You already may find tools on github and papers and slides for many the presentations on blackhat.com. We can expect videos of these talks on youtube in the near future. The Defcon organizers will upload a torrent of the talks as they have done in previous years:

  • four of the talks revolved around hypervisor implementations and related content, including strengths and weaknesses of current and upcoming Windows10 security architecture dependent on the hypervisor and system firmware. Pass-the-hash and golden and silver ticket defenses, Windows 10 Credential Guard and other services are all built on assumptions of a trusted boot
  • industrial PLC code injection with STL SOCKS proxy code and STL SNMP scanner for full industrial network compromise, abusing internet facing PLCs
  • unpatchable global vulnerabilities in the Globalstar GPS simplex satcom protocol, affecting military, SCADA networks, first response communications and transportation
  • a new class of escalation of privilege x86 ring -2 vulnerabilities only fixed in 2013+ intel processors, leaving 100,000,000’s that cannot be fixed

Of course, the hallway track is often as valuable as attending the talks themselves.

cabana

Blackhat USA and Defcon 2015

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox