Hello from Infiltrate 2013

Today is the second and last day of Infiltrate 2013 which is taking place in Miami Beach.
It’s my first time at Infiltrate and so far I’ve been really enjoying the conference.

The opening keynote by Chris Eagle definitely set the tone for the rest of the con, with a very clear focus on offense.
Chris shared his own view on various issues concerning how the US Armed Forces – and the Navy in particular – deal with educating people on cyber.
One of the bits I found particularly interesting was the title 10 issue. Many of the experts creating cyber-tools, which would make them best equipped to handle them, are civilians.
However under title 10 only military personnel can actually ‘pull the trigger’. You can see how this can be problematic.

An additional issue raised was the problem of getting – and retaining – people who are well-trained. One suggestion was to have the military pay for people’s education and have them serve a few years in return. This is similar to what the USAF does with the pilots it trains.
This is something I’ve suggested as well and frankly I think this approach can’t arrive soon enough.

Dave Aitel opening day two

Greg Hoglund is going to close the conference talking about the issues around “Hacking Back” and Active Defense.
There’s been quite a lot of talk about these topics as of late. It was one of the major topics at the Suits & Spooks conference which took place in D.C. a few months ago.
Surely we’ll be revisiting these topics some more at the bar tonight.

Hello from Infiltrate 2013

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox