Virus Bulletin 2024 - Day II
Paul Rascagneres & Charles Gardner presenting "The deck is stacked: analysis of OracleBamboo's SPYDEALER Android backdoor" at Virus Bulletin Day II


The second day of the 34th edition of the Virus Bulletin Conference in Dublin was packed with great talks! It was one of those days when it was actually hard to decide which room to go to, as many good talks were happening simultaneously. Here are only four talks from today, and please know that I am missing as of now some good ones that I will describe later.

Day 1: https://lnkd.in/dpqf5uGw

Day 2: https://lnkd.in/dZ53ebiq

Day 3: https://lnkd.in/da5Hk2EC

Extra: https://lnkd.in/dKbvHGd9

CTA Threat Intelligence Practitioners' Summit: Bye bye WarZone RAT (for now); capturing cybercriminals through #CoordinatedDisruption, Part 2 by Sara Eberle (Sophos) & Mike Bordini (FBI Cybercrime)

This was a very interesting talk at the CTA Threat Intelligence Practitioners' Summit. The collaboration between law enforcement and the industry bore fruit and led to the takedown of the known infrastructure of WarZone RAT and the arrest of two individuals.

The talk covered the methodology and steps of the investigation, from a phishing email to uncovering the buyers of WarZone RAT and the team running the service.

Abstract: https://www.virusbulletin.com/conference/vb2024/abstracts/bye-bye-warzone-rat-now/

Joe Slowik presenting a review of the 2022 KA-SAT incident at Virus Bulletin Day II.

Reviewing the 2022 KA-SAT incident & implications for distributed communication environments by Joe Slowik (The MITRE Corporation)

In this presentation, Joe Slowik examined the 2022 attack against the KA-SAT network, which is owned by Viasat and operated by Eutelsat and Skylogic. If you remember, this attack happened right at the start of the Russia-Ukraine war. The incident also affected wind turbines as collateral damage of the disruptive attack.

Joe's premise is that the KA-SAT incident was not as simple as it has been described. The attack, as he presented it, consists of two overlapping parts: the wiper malware (AcidRain) and rolling DDoS activity. The timeline of events suggests that these two activities may in reality be related. Read the full paper when it's published; it's good.

Abstract: https://www.virusbulletin.com/conference/vb2024/abstracts/reviewing-2022-ka-sat-incident-implications-distributed-communication-environments/

Santiago Abastante presented Dredge at Virus Bulletin Day II.

An open-source cloud DFIR kit – Dredge! by Santiago Abastante (Solidarity Labs)

Organizations often struggle with incident response and containment because their preparedness is inadequate. Santiago Abastante presented Dredge, an open-source framework to streamline cloud incident investigations. Dredge makes it easy for admins to retrieve logs, perform threat hunting and incident response, and audit the cloud status.

One of the cool things about Dredge is that it allows you to gain visibility and perform threat hunting through integrations with Shodan and VirusTotal. Check the tool and contribute at https://github.com/solidarity-labs/dredge-mvp.

Abstract: https://www.virusbulletin.com/conference/vb2024/abstracts/open-source-cloud-dfir-kit-dredge/

Automatically detect and support against anti-debug with IDA/Ghidra to streamline debugging process by Takahiro Takeda (LAC Corp)

Takahiro Takeda presented AntiDebugSeeker, a tool that speeds up the identification of anti-debugging techniques in malware. In its current version, it extracts the APIs used for anti-debugging, and it can consume a list of keywords to complement that extraction with additional anti-debugging techniques. The tool can be used both in IDA and Ghidra. Repositories are hosted at https://github.com/LAC-Japan.

Abstract: https://www.virusbulletin.com/conference/vb2024/abstracts/automatically-detect-and-support-against-anti-debug-idaghidra-streamline-debugging-process/
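To make the keyword-driven approach described above concrete, here is a small added example of my own, not AntiDebugSeeker's code: it parses a keyword list that maps anti-debugging techniques to Windows API names, extracts printable strings from a binary the way the `strings` utility does, and reports which anti-debug APIs appear and where. The keyword file format, the technique names and the sample byte blob are all constructed for this illustration; the API names themselves are well-known Windows functions commonly referenced by anti-debugging checks.

```python
import re
from collections import Counter

# Constructed keyword list in a simple "technique: api1, api2" line format.
# The format and grouping are this example's own, not AntiDebugSeeker's.
KEYWORD_LIST = """
# lines starting with '#' are comments
debugger_presence: IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess
timing_check: GetTickCount, QueryPerformanceCounter
process_enumeration: CreateToolhelp32Snapshot, Process32First, Process32Next
window_check: FindWindowA, FindWindowW
"""


def load_keywords(text):
    """Parse the keyword list into {technique: [api names]}, skipping comments and blanks."""
    keywords = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        technique, _, names = line.partition(":")
        keywords[technique.strip()] = [n.strip() for n in names.split(",") if n.strip()]
    return keywords


def extract_strings(data, min_len=5):
    """Yield (offset, text) for each run of printable ASCII, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(pattern, data):
        yield m.start(), m.group().decode("ascii")


def find_anti_debug_apis(data, keywords):
    """Return one record per keyword hit: file offset, the string, the API and its technique."""
    hits = []
    for offset, text in extract_strings(data):
        for technique, names in keywords.items():
            for name in names:
                if name in text:
                    hits.append({"offset": offset, "string": text,
                                 "api": name, "technique": technique})
    return hits


def summarize(hits):
    """Count hits per technique so the analyst knows which checks to expect first."""
    return dict(Counter(h["technique"] for h in hits))


# Constructed sample: a fake import-name region as it would appear in a PE file
# (null-separated names after a stub header). This is not a real binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"kernel32.dll\x00IsDebuggerPresent\x00CheckRemoteDebuggerPresent\x00"
    + b"GetTickCount\x00CreateFileA\x00WriteFile\x00"
    + b"user32.dll\x00FindWindowA\x00MessageBoxA\x00"
    + b"ntdll.dll\x00NtQueryInformationProcess\x00"
)

if __name__ == "__main__":
    kw = load_keywords(KEYWORD_LIST)
    found = find_anti_debug_apis(SAMPLE, kw)
    for h in found:
        print(f"0x{h['offset']:06x}  {h['api']:<28} ({h['technique']})")
    print("summary:", summarize(found))
```

Running it on a real file means replacing `SAMPLE` with the file's bytes; in practice you would also add keywords for non-API indicators (for example instruction mnemonics or PEB field names seen in decompiler output), which is exactly the kind of complementary keyword list the talk described.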

Much more...

There are at least three more talks to highlight from Day II, but that will come in another post tomorrow. Stay tuned!



More articles by Veronica Valeros
