Events

SOURCE Boston Security Conference and Training 2012 – Hacktivism, Duqu and Building Successful Security Programs

2012 SOURCE Boston kicked off the first of three days with an opening talk on hacktivism and the Anonymous movement, Costin Raiu and Vitaly Kamluk presented the latest in Duqu C2 research, and Vercode’s Shyama Rose talked about designing and building out strategic programs for complex organizations. It’s a difficult subject to get right, finding the right fit, the right competence, avoiding hype, and getting these folks to work together to build the right implementation requires all sorts of magic that fly over the heads of many technical solution focused folks.

There were many others, but I thought that the most interesting talks included the full assessment of the ~Duqu operators’ C2 infrastructure and a review of the comical mistakes and activities of this group of humans working under pressure. Kaspersky’s Vitaly Kamluk included a review of the ~Duqu targets and delivery, and binaries. I suppose that the most interesting thing here is the visualization providing more proof that ~Duqu is the 2008 precursor to ~Stuxnet, found in Iran, Sudan, and a few European countries. Costin Raiu focused on the C2 and infrastructure itself. Because Kaspersky Lab was able to gain access to 6 of the 10 C2 servers, our research team was able to comb through the trail of bits on these hard drives. Implications of the data left behind led to statements about login times, informed speculation of the location and workday schedule of the attackers, the (sometimes lack of) experience of the operators, and tools used to assess the data were all provided. If you haven’t seen this one, it’s really good. And who knew full on nation state cyber-conflict C2 operations could be so comical? The whole room was laughing along at the unexpected junior operator mistakes that turned up during the sensitive Duqu operation.

Also very interesting was the Shyama Rose presentation on strategically building a successful security program. It’s not often that security conference speakers include real world operational talks that discuss culture and fit within development and security teams. And it is operations that can break defender successes quickly. She discussed distributed vs. centralized security team models and their application, significant buy-in from executives and development teams, and how to get these strategic security programs done successfully.

I personally am most excited that Dan Geer is speaking tomorrow for the conference second day keynote. The guy developed a bit of a following on the DailyDave list with incredibly insightful comments on the world of technical and operational security that you don’t get anywhere else. He’s a wicked good thinker and speaker. We’ll have more later.

SOURCE Boston Security Conference and Training 2012 – Hacktivism, Duqu and Building Successful Security Programs

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox