
Deceit Among Comrades | DPRK’s Intrusion Into Russian Defense Industrial Base

CYBERWARCON 2023

Based on a compelling data leak within Russia's defense sector, we recently unearthed an intrusion by DPRK-affiliated threat actors into the Russian missile engineering firm NPO Mashinostroyeniya. With an intensive public display of the strengthening military relationship between the two countries, our findings provide rare insight into DPRK’s clandestine operations against Russia.

This presentation begins by exploring the ties between DPRK and Russia during the period of the noted breach. We subsequently delve into our methods for pinpointing and recognizing the data breach at NPO Mashinostroyeniya and its significance in the Russian Defense Industrial Base. We then shed light on the organization's security challenges and highlight the threat activity we attribute to DPRK, amidst a slew of peculiar infections and abused network services. We finish by discussing the complexities and dilemmas we faced during this distinctive intrusion investigation.



The Grand Luau

LabsCon 2023

SentinelLabs has observed a new threat activity cluster by an unknown threat actor we have dubbed Sandman. Sandman has been primarily targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent.

The activities are characterized by strategic lateral movements and minimal engagements, likely to minimize the risk of detection. Sandman has deployed a novel modular backdoor utilizing the LuaJIT platform, a relatively rare occurrence in the threat landscape. We refer to this malware as LuaDream. The implementation of LuaDream indicates a well-executed, maintained, and actively developed project of a considerable scale.

At this time, we don’t have a consistent sense of attribution. LuaDream does not appear to be related to any known threat actors. While the development style is historically associated with a specific type of advanced threat actor, inconsistencies between the high-end development of the malware and poor segmentation practices lead us towards the possibility of a private contractor or mercenary group similar to Metador.


The Wire on Fire: The Spies Who Loved Telcos

TROOPERS 2023

Telecommunication providers are frequent targets of espionage and cybercriminal activity due to the sensitive data they hold. From close-knit groups with strategic interests, such as LightBasin and APT41, to loosely affiliated assemblies, such as Lapsus$, the security of Telcos is under constant threat.

In this talk, we review recent targeted attacks against telecommunication providers. We provide insights into a variety of threat activities whose understanding is relevant for better defending against them: from initial infection vectors and detection evasion techniques at the malware-implementation and network level, to the OPSEC awareness levels that threat actors exhibit. We peek into the current Telco threat landscape to provide relevant takeaways for defenders and foster further discussions on the topic.


Recent Espionage and Hacktivism Threats: A SentinelLabs Overview

Centre for Cybersecurity Belgium (CCB) - Connect & Share event QCTR-Q1 2023

This talk reviews recent espionage and hacktivism activities, most of which are aligned to Chinese and Russian interests. We discuss the growing trend of espionage actors using Cloud infrastructure for C2 purposes in an attempt to evade detection. We also delve into operation Tainted Love, an APT activity in the nexus of the Chinese cyberespionage groups Gallium and APT41. Next, we explore the Russian-aligned hacktivist group NoName057(16) targeting NATO's infrastructure, and we conclude with an overview of the Russian Winter Vivern group, which has been conducting espionage campaigns in the US and Europe since at least 2018.


(Encryption) Time Flies When You're Having Fun: The Case of The Exotic BlackCat Ransomware

Virus Bulletin 2022

Time is critical for ransomware operators – the faster they encrypt the victim's files, the less likely they are to be detected in the process. Encryption can be a time-consuming process, and ransomware developers know this. That is why they get creative when programming encryption routines – the goal is to minimize the time spent on encryption and maximize the amount of encrypted file content. In this way, the greatest possible irretrievable damage is done in the shortest possible time.

BlackCat is a new and very high-profile player in the current ransomware scene. The way BlackCat performs encryption is highly customizable and ALPHV uses this as an advertising tool to attract affiliates. BlackCat operators can choose between six encryption modes and two encryption algorithms. Ransomware operators can further configure each encryption mode with mode-specific settings. Each encryption mode and algorithm occupies a specific position on the trade-off scale between encryption speed and completeness.

We reverse-engineered the BlackCat ransomware to provide a first look into the inner workings of the encryption modes that BlackCat implements. Our analysis provides a unique insight into the design decisions that ransomware developers make to achieve an optimal balance between encryption speed and encryption completeness. This work also tests the encryption modes and encryption algorithms that BlackCat implements. We conducted a series of experiments to measure in numbers the trade-off between encryption speed and completeness that the different modes achieve. We examine metrics such as encryption speed, time spent on encryption, and amount of file content encrypted.


The Mystery of Metador

LabsCon 2022

SentinelLabs researchers uncovered a never-before-seen advanced threat actor we’ve dubbed ‘Metador’. Metador primarily targets telecommunications, internet service providers, and universities in several countries in the Middle East and Africa. The operators are highly aware of operations security, managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions. Metador’s attack chains are designed to bypass native security solutions while deploying malware platforms directly into memory.

SentinelLabs researchers discovered variants of two long-standing Windows malware platforms, and indications of an additional Linux implant. At this time, there’s no clear, reliable sense of attribution. Traces point to multiple developers and operators that speak both English and Spanish, alongside varied cultural references including British pop punk lyrics and Argentinian political cartoons. While Metador appears primarily focused on enabling collection operations aligned with state interests, we’d point to the possibility of a high-end contractor arrangement not tied to a specific country. This release is a call to action for threat intelligence researchers, service providers, and defenders to collaborate on tracking an elusive adversary acting with impunity.


PowerShell: Under-the-radar attacks

Heise Security Tour 2019

This talk focusses on the malicious use of PowerShell in attack campaigns. In addition, this talk presents the architecture of PowerShell and how PowerShell integrates in the Windows operating system.


The Anatomy of Windows Telemetry

TROOPERS 2019

Telemetry, a mechanism for transmitting collected data to a remote location for analysis, is becoming increasingly ubiquitous in software. Its widespread presence raises concerns related to the content, the security, and the privacy of collected data. This makes telemetry an important target for analysis.

This talk focusses on the telemetry mechanism implemented in Windows 10 – Windows Telemetry. We first discuss the relevance of Windows Telemetry for analysis, with an emphasis on concerns critical to users of Windows 10 and of telemetry-enabled software in general. We then give an overview of its architecture. This includes the data sources, showing the extent of integration of Windows Telemetry in the operating system itself. In addition, we present on the communication interfaces of Windows Telemetry and characterize the network traffic originating from it. Finally, we discuss how the activity of Windows Telemetry can be reduced or stopped. We present the advantages and disadvantages of the different approaches for achieving this as well as relevant operational aspects.


Quantifying the Attack Detection Accuracy of Intrusion Detection Systems in Virtualized Environments

The 27th IEEE International Symposium on Software Reliability Engineering (ISSRE 2016)

With the widespread adoption of virtualization, intrusion detection systems (IDSes) are increasingly being deployed in virtualized environments. When securing an environment, IT security officers are often faced with the question of how accurate deployed IDSes are at detecting attacks. To this end, metrics for assessing the attack detection accuracy of IDSes have been developed. However, these metrics are defined with respect to a fixed set of hardware resources available to the tested IDS. Therefore, IDSes deployed in virtualized environments featuring elasticity (i.e., on-demand allocation or deallocation of virtualized hardware resources during system operation) cannot be evaluated in an accurate manner using existing metrics. In this paper, we demonstrate the impact of elasticity on IDS attack detection accuracy. In addition, we propose a novel metric and measurement methodology for quantifying the attack detection accuracy of IDSes deployed in virtualized environments featuring elasticity. We demonstrate their practical use through case studies involving commonly used IDSes.


Evaluation of Intrusion Detection Systems in Virtualized Environments Using Attack Injection

The 18th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2015)

The evaluation of intrusion detection systems (IDSes) is an active research area with many open challenges, one of which is the generation of representative workloads that contain attacks. In this paper, we propose a novel approach for the rigorous evaluation of IDSes in virtualized environments, with a focus on IDSes designed to detect attacks leveraging or targeting the hypervisor via its hypercall interface. We present hInjector, a tool for generating IDS evaluation workloads by injecting such attacks during regular operation of a virtualized environment. We demonstrate the application of our approach and show its practical usefulness by evaluating a representative IDS designed to operate in virtualized environments. The virtualized environment of the industry-standard benchmark SPECvirt_sc2013 is used as a testbed, whose drivers generate workloads representative of workloads seen in production environments. This work enables for the first time the injection of attacks in virtualized environments for the purpose of generating representative IDS evaluation workloads.


An Analysis of Hypercall Handler Vulnerabilities

The 25th IEEE International Symposium on Software Reliability Engineering (ISSRE 2014)

Hypervisors are becoming increasingly ubiquitous with the growing proliferation of virtualized data centers. As a result, attackers are exploring ways to attack hypervisors, which may be executed via several attack vectors such as device drivers, virtual machine exit events, or hypercalls. Hypercall interfaces in particular expose hypervisors to intrusions originating from guest virtual machines. Despite their importance, there is very limited publicly available information on vulnerabilities of hypercall handlers and on attacks triggering them, which significantly hinders advances towards monitoring and securing these interfaces. In this paper, we characterize the hypercall attack surface based on analyzing a set of vulnerabilities of hypercall handlers. We systematize and discuss the errors that caused the considered vulnerabilities, and the activities required for executing attacks triggering them. We also demonstrate attacks triggering the considered vulnerabilities and analyze their effects. Finally, we suggest an action plan for improving the security of hypercall interfaces.


Invited Talks

Evaluation of Intrusion Detection Systems in Virtualized Environments. At Berlin-Brandenburg Academy of Sciences and Humanities, Berlin, Germany

2018


Intrusion Detection Systems. At University of Stuttgart, Stuttgart, Germany

2015


Evaluating Security Mechanisms in Dynamic Virtualized Environments. At Dagstuhl Seminar "Model-driven Algorithms and Architectures for Self-Aware Computing Systems", Dagstuhl, Germany

2015


Benchmarking Intrusion Detection Systems for Virtualized Environments at SPEC RG. At European Workshop on Dependable Computing (EWDC), Coimbra, Portugal

2013


Benchmarking VMM-based Intrusion Detection Systems and Cloud Research at SPEC. At INRIA Seminar "Software Engineering for Adaptive and Cloud Systems", Rennes, France

2013


Ensuring Dependability of Virtualized Cloud Infrastructures Through Reliable Intrusion Detection. At Charles University, Prague, Czech Republic

2012