SECUINSIDE 2018 @ Singularity
SECUINSIDE is a cyber security / hacking conference held in the Republic of Korea.
It aims to strengthen cyber security and focuses on recent issues in hacking and security.
Knowledge is shared and discussed through the active participation of experts from global communities.
All strength and knowledge is given by hackers.
This year, SECUINSIDE is held in GANGNAM, as scheduled below.
14th July 2018

10:00 - 11:00
11:00 - 11:30 | All is hacking (KEYNOTE) | Junbo Shim (aka passket)
11:30 - 12:30 | Making Browser 1-day | Jeonghun Shin (aka singi)
12:30 - 13:30 | Lunch Time
13:30 - 14:30 | Cyber Threat Intelligence CHINA | Jeanha Park (CN Security)
14:30 - 15:30 | Good old dorks or what we still can find with log search | Cyril Quitevis, Nikolay Akatyev
15:30 - 16:30 | Deep dive analysis of hwp malware targeting cryptocurrency exchanges | Hyoje Jo, Heeju Lee
16:30 - 17:30 | Target attack analysis (Gangnam style) | Anthony Lai
17:30 - 18:30 | From stealing confidential data to revenue-generating attacks | Minseok Cha (aka Jacky)
18:30 - 19:00 | Ceremony for Hacker's Night
19:00 - 22:00 | KOSEC Party
22:00 - 24:00 | DJ Session for hackers
00:00 - 04:00 (next day) | Hacker's Night
All is hacking (KEYNOTE) - Junbo Shim (aka passket)
Junbo Shim is the chief of HARU (Hackers' Reunion). He is a well-known hacker and cyber security researcher in Korea.
He talks about why we keep looking to hacking for the answers in cyber security. He says, "ALL is hacking".
Making browser 1-day - Jeonghun Shin (aka singi)
Singi is a famous hacker and security researcher. He has won many CTFs and hacking competitions and holds many 0-day vulnerabilities. Nowadays he focuses on his life and children, but he is still a good hacker. He also works at Teori in Korea.
He presents on making 1-day exploits for browsers.
Cyber threat intelligence CHINA - Jeanha Park (CN Security)
CN Security has specialised in cyber intelligence for 12 years. CN Security provides a solution for monitoring unknown cyber terror and for analyzing recent hacking techniques and trends. Jeanha Park works at CN Security as communication president.
This talk covers recent Korean cyber incidents originating from China that targeted government, banks and portals, and the disclosure of private information through black markets. It also explains what cyber intelligence means in the proper sense.
Good old dorks, or what we still can find with log search - Cyril Quitevis, Nikolay Akatyev
Cyril is a Software Engineer at Horangi Cyber Security and a 4th-year college student at the University of the Philippines. He contributes to Horangi's backend server and to Horangi's research team by creating analyzer scripts and helping with data collection. He has a hobby of breaking servers in an attempt to find vulnerabilities. He also has a background in Deep Learning, where he developed an algorithm to group malicious data from a log file and separate it from harmless data.
Nikolay is VP of Engineering at Horangi Cyber Security and a digital forensics mentor at the “Best of the Best” security education program in South Korea. He builds a cybersecurity platform and researches threat intelligence, digital forensics, security of IoT systems and international relations in cyberspace. He publishes academic papers and presents at academic and hacking conferences. His team’s recent research of Korean dark web was presented at Hitcon Pacific and VXCon.
As a technocrat and active supporter of a community, he manages a group of international tech enthusiasts, Seoul Tech Society.
This talk will reintroduce dorks (search queries) and will show interesting statistics and findings from our observations since March 2018.
We enhanced good old dorks with generic strings from the contents of files, and we took on the challenge of reducing false positives. Our findings show an interesting number of misconfigured websites, which grows on a weekly basis, and not in favor of the good guys. We started our discovery with misconfigured awstats and expanded to other popular tools, including WordPress. Our method involves searching for generic strings that are present across versions of log files and the "readme.txt" of popular tools.
Our tests show that the number of websites that have their awstats indexed grew by 6 after 3 weeks, while the WordPress readme.txt files grew by 11 after 2 weeks. In total, we found 146 unique websites for awstats-related searches and 35 for WordPress-related searches. Finally, it is also possible to do a filetype search to find server keys (including private keys), access logs, error logs and configuration files. With these methods, it is possible to get a list of websites that are misconfigured without scanning the websites themselves.
This talk is conducted in English.
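The exposures this talk enumerates (indexed awstats output, the WordPress readme.txt, and logs, keys and configuration files left under the document root) are easiest to cut off at the web server, so that nothing remains for a search engine to index in the first place. The server block below is an added example written for this page; it is not code from the speakers or from Horangi. The hostname, document root, the /awstats/ path and the list of file extensions are assumptions chosen to illustrate the point.

```nginx
server {
    listen 80;
    server_name example.com;          # placeholder hostname
    root /var/www/html;               # assumed document root

    # WordPress ships readme.txt and license.txt in the web root; the readme
    # discloses the installed version, which is exactly what the talk's dorks
    # key on. Answer 404 rather than 403 so the file's presence is not confirmed.
    location ~* ^/(readme|license)\.txt$ {
        return 404;
    }

    # awstats reports belong outside the public root; if they must live under it,
    # deny the whole directory (path assumed for this example).
    location ^~ /awstats/ {
        return 404;
    }

    # Never serve log, key, certificate, config or backup files from the root,
    # whatever directory they were dropped into.
    location ~* \.(log|key|pem|conf|ini|bak|sql)$ {
        return 404;
    }

    # Dotfiles and dot-directories (.htaccess, .env, .git) are never public.
    location ~ /\. {
        return 404;
    }

    # Explicitly disable directory listings; an indexed awstats or log directory
    # is how most of the talk's findings became searchable.
    autoindex off;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

A robots.txt entry only asks crawlers not to index a path; it does not stop anyone who already has the URL from fetching it, so the server-side denial above is the control that actually closes the finding. After deploying, request each blocked path against your own host and confirm the 404 before relying on the rule.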
Deep dive analysis of hwp malware targeting cryptocurrency exchanges - Hyoje Jo, Heeju Lee
Hyoje Jo is a malware analyst working at SECUI, and Heeju Lee is a malware analyst too. They focus only on the techniques used in malware; they do not care why the malware was created.
In recent years, as the cryptocurrency market has risen along with the boom, APT attackers have naturally moved to it as well.
This presentation describes the APT attacks on cryptocurrency exchanges. In particular, we analyze in detail the HWP-based malicious code targeted at exchanges, covering which code and techniques are used.
Target Attack Analysis (Gangnam style) - Anthony Lai
In recent years he has dealt with various targeted attacks and interesting incidents involving political parties, NGOs and banks. He will brief those cases from a technical perspective, along with how he encountered those attackers.
This talk is conducted in English.
From stealing confidential data to revenue-generating attacks - Minseok Cha (aka Jacky)
Minseok (Jacky) Cha is a Senior Principal Malware Researcher at AhnLab. He joined AhnLab as a malware analyst in 1997. He is a member of AVAR (Association of Anti-Virus Asia Researchers) and a reporter for the WildList Organization International. He has been appointed as a member of the Private/Public Cooperative Investigation Group and the Cyber Expert Group in South Korea. He is a speaker at security conferences, including the AVAR Conference, CARO Workshop, CodeEngn, CodeGate, ISCR (International Symposium on Cybercrime Response) and so on. When he has free time, he enjoys old video games and old anime.
The Andariel group, also known as Labyrinth Chollima, is one of the subgroups of the notorious Lazarus Group. Unlike other subgroups, this group has primarily focused on South Korean targets, so it is not as well known in other countries. Surprisingly, this attack group has been active in Korea for over 10 years.
Andariel's first attack was on the Korean military in 2007, and since then it has expanded its attacks to the private sector, such as its DDoS attack in 2009 and the 3.4 DDoS attack in 2011. Andariel is associated with the 2013 DarkSeoul (3.20 cyber terror) attack and was responsible for Operation Black Mine in 2014, exploiting a vulnerability in ActiveX, which is widely used in Korea. After 2015, it stole military secrets by attacking military defense companies, large corporations and military units in Korea. In 2016, however, there was a change in the pattern of attacks from this group, which had mainly targeted confidential information. Near the end of 2016 the group distributed malware that let them view their opponents' hands while playing a gambling game; in 2017 it started attacking the financial industry and also demanded a ransom from a hacked travel agency. Finally, in 2018, it attempted an attack on a cryptocurrency exchange. Judging from the pattern of unpublished attacks, we can see that it also has interests in various public services and ICT companies in Korea.
Andariel is familiar with the vulnerabilities of security programs and central management systems that are widely used in Korea.
For their attacks they use backdoors they have developed themselves, such as Andarat, Andaratm, Bmdoor, Rifdoor and Phandoor, and they also use modified open source backdoors such as Bozok and Ghostrat.
Malware analysts investigate malware using information gleaned from its activities, such as its attack target, attack method, malware type, web shell and C2. Sometimes, however, a malware developer reveals internal information and development tools by mistake, and this becomes key information for malware analysts to profile the attack group. For example, malware with a Korean UI has a high likelihood of having a developer who is a native or fluent Korean speaker.
In this presentation, I will talk to you about Andariel’s activities from 2015 to 2018, focusing on its main attack targets, infection vectors, codes, and the relation between the code and the attack.