Get ready for LABScon 2024 – the premier, invite-only conference hosted by SentinelLabs for top minds from across the cybersecurity community. This year’s event takes place from September 18th to 21st with leading experts, threat investigators, academics, government partners, and journalists set to gather at the stunning Mountain Shadows Resort in Scottsdale, Arizona.
LABScon returns with a focus on showcasing the latest in threat hunting techniques, cutting-edge research, and new vulnerabilities, exploits, and tooling. As always, the event promises a unique opportunity for attendees to engage with our industry’s esteemed veterans from Cisco Talos, Mandiant, Microsoft, and our own SentinelLabs team.
Whether you’re able to attend in person or following remotely, LABScon 2024 is not to be missed. For those who can’t make it, stay tuned for video recordings and highlights after the event by bookmarking the LABScon and SentinelLabs homepages. A full schedule of the event is now available here. In this post, let’s put the spotlight on just a few of the anticipated presentations we’ve got lined up this week.
Eugenio Benincasa & Dakota Cary | A Walking Red Flag (With Yellow Stars)
This talk explores China’s diverse Capture The Flag (CTF) competition ecosystem, which has largely been overlooked. Since 2017, China has launched over 150 unique cybersecurity competitions, with more than 400 events held to date, many focused on talent cultivation and recruiting for the military and intelligence services. Notably, APT40 and Jiangsu MSS have leveraged CTFs to recruit hackers and source software vulnerabilities for operations. We will also provide insights into China’s CTF landscape, its major competitions, and participants, offering valuable context for defenders to enhance their cyber threat intelligence (CTI) collection efforts targeting individuals within China.
Dan Black & Luke Jenkins | Breaching the Battlefield: UNC4221’s Espionage for Military Advantage
As Russia’s war enters its third year, Mandiant has observed a shift in Russia’s cyber operations from disruption to espionage, aimed at gaining battlefield intelligence. While groups like APT44 (Sandworm) have drawn attention, the newly identified threat actor UNC4221 has emerged, targeting Ukraine’s military. This talk will examine UNC4221’s efforts to gather battlefield data through Android malware, phishing attacks posing as Ukrainian military apps, and targeting messaging platforms like Telegram and WhatsApp. These operations likely aim to provide intelligence that could influence conventional military actions on the ground.
Kristin Del Rosso & Madeleine Devost | Farmyard Gossip: The Foreign Footprint in U.S. Agriculture
Who owns America’s farmland, and why does it matter? This talk explores the rising trend of foreign investment in U.S. agricultural land, which has increased by 50% since 2017. Using USDA data, we’ll examine how foreign ownership impacts local economies and national security, particularly with controversial land purchases near sensitive military sites. We’ll also discuss how outdated data collection methods obscure the true extent of foreign ownership and highlight the role of the Committee on Foreign Investment in the United States (CFIUS) in safeguarding national interests. The session will offer actionable recommendations to improve transparency and security.
Alex Matrosov & Fabio Pagani | PKFAIL: Supply-Chain Failures in Secure Boot Key Management
Modern computing relies on trust, from hardware to software, with Secure Boot playing a key role in protecting UEFI firmware by ensuring only verified software runs during system startup. At the heart of Secure Boot is the Platform Key (PK), a root-of-trust key managing cryptographic validation. However, this talk unveils PKFAIL, a critical firmware supply-chain issue affecting hundreds of devices due to vendors shipping default test keys. Exploiting PKFAIL allows attackers to bypass Secure Boot and launch firmware-level threats, like bootkits and BlackLotus malware. The presentation will also provide an industry-wide analysis of PKFAIL using a decade’s worth of UEFI firmware data.
MJ Emanuel | Unearthing the Archaic: 25 Years of SSL VPNs and Their Lifecycle Vulnerability Footprints
Edge devices have become critical but vulnerable components in enterprise security, often overlooked in cybersecurity strategies. This talk focuses on long-standing vulnerabilities in SSL VPNs, which are frequently exploited through known CVEs and zero-day attacks. Using historical exploitation data and recent incidents, the talk examines the lifecycle vulnerabilities of specific SSL VPN product lines, revealing stagnant code bases dating back two decades. It explores whether certain vulnerabilities are more frequently abused and questions the effectiveness of Secure-By-Design principles in legacy systems. Key takeaways highlight the need to integrate lessons from past vulnerabilities into modern security strategies to better protect enterprise networks.
Blake Butler & Silas Cutler | Unveiling Hidden Infrastructure: Tracking Threats via SSH Public Keys
This presentation explores a cutting-edge technique using SSH public keys to track and correlate malicious activities across different systems. SSH keys, often used for secure remote access, leave identifiable fingerprints across networks. By analyzing these keys, security experts can identify linked infrastructure operated by threat actors. We will discuss the technical aspects of SSH key fingerprinting, mass internet scanning, and data collection, along with real-world case studies where this method exposed criminal networks. Attendees will learn practical tools and techniques for implementing SSH key tracking, overcoming challenges, and leveraging this approach to disrupt cybercriminal operations effectively.
Martin Wendiggensen | The Real AI Race: Disinformation In The Taiwanese Election
Despite concerns about AI-driven disinformation in elections, Taiwan’s recent election saw none of these threats materialize. Surprisingly, China’s anticipated AI disinformation efforts were absent, despite a focus on the election by Chinese authorities. After analyzing thousands of hours of footage and content through an AI pipeline, results showed minimal AI content, with no impact or engagement. Instead, the focus shifted to Taiwanese billionaires, many with ties to China, who set up or influenced local media outlets. This talk examines these disinformation campaigns, highlights key lessons for safeguarding future elections, and explores AI tools for countering disinformation efforts.
Elly Rostoum | Follow the Money: Uncovering the Incorporation and the CCP’s Ownership of Chinese Firms Investing in the USA
Chinese foreign direct investment (FDI) has fueled China’s technological revolution, positioning it as a strategic competitor to the U.S. This FDI has opened new markets, reshaped supply chains, and enabled advancements in critical technologies like AI and quantum computing. But who controls these Chinese firms driving global FDI? This talk reveals the ownership structures of 672 Chinese companies, exposing how the Chinese government bypasses U.S. national security reviews by using complex layers of subsidiaries, private equity, and holding companies. The research sheds light on China’s strategic manipulation of FDI to gain a global competitive edge while evading scrutiny.
Jean-Ian Boutin | Ebury: Public-Private Partnership Unveils the Full Scale of a Sophisticated Linux Threat
Detailing a joint investigation with European law enforcement into Ebury, a major Linux server threat, this talk discusses the new tools and capabilities used by Ebury, including its OpenSSH backdoor, which facilitates server-side threats such as web redirections, malware delivery, and spamming. Despite a temporary reduction in monetization following a 2015 arrest, Ebury continued to infect up to 400,000 servers annually since 2009. Our collaboration with law enforcement and custom honeypots revealed Ebury’s expansion into cryptocurrency and credit card theft. We also identified sophisticated tools in its arsenal, including userland rootkits and modified kernel modules, exposing significant gaps in Linux security and suggesting improvements.
Michael Horka | Raptor Train: China’s Multi-Year Mirai Facelift
Black Lotus Labs from Lumen Technologies has uncovered “Raptor Train,” a sophisticated botnet that has eluded detection for over four years. Targeting North American and Taiwanese networks in government, military, telecommunications, and defense sectors, this botnet, linked to the Chinese state-sponsored group Flax Typhoon, has infected over 100,000 SOHO and IoT devices in the past year. Raptor Train utilizes a custom Mirai variant called NOSEDIVE, which employs memory-only persistence for remote execution, covert data transfer, and DDoS attacks. This talk will detail the botnet’s multi-tiered architecture, evolution, NOSEDIVE functionality, and management infrastructure, including SPARROW and CONDOR, along with its high-level targeting.
Saher Naumaan | Following Frankenstein (and Friends): Hamas Cyber Operations In and Out Conflict
For over a decade, Hamas has conducted cyber operations targeting Palestinian factions, Israeli individuals, and organizations. These operations evolved from basic attacks to sophisticated social engineering and mobile malware campaigns. Following Hamas’ recent attack on Israel, speculation has arisen about ongoing cyber activities by Hamas-linked groups. While groups like Arid Viper and SysJoker have been inactive, the threat group Frankenstein remains active. This presentation explores Hamas’ cyber operations history, focusing on Frankenstein’s technical features, infrastructure, and malware evolution. It will also discuss possible destructive operations targeting Israel and identify gaps in the current understanding of Hamas’ cyber capabilities.
Emily Austin & Glenn Thorpe | Honeypots, HMIs, and Havoc? Investigating Internet-Exposed Control Systems
This research provides a comprehensive view of the threat landscape for internet-exposed industrial control systems (ICS) by combining Censys’ scan data with GreyNoise’s attack telemetry. Despite years of warnings about ICS vulnerabilities, recent attacks on human-machine interfaces (HMIs) in sectors like water and wastewater have highlighted the issue. While many ICS devices exposed online are often honeypots or lab settings, and not critical systems, actual threats may be targeting systems running on more common protocols like HTTP or VNC. This study explores whether the real-world threat landscape aligns with industry assumptions and what attacks are genuinely occurring.
Colin Cowie & Paul Jaramillo | Down the BadHatch: Analysis of a Financially Motivated Access Broker
STAC4663 is a financially-driven threat cluster that Sophos has tracked since early 2023, known for exploiting new vulnerabilities. This presentation will explore STAC4663’s activities, focusing on its distinct malware, BadHatch/Sardonic Backdoor, and its role in the ransomware ecosystem. We will detail STAC4663’s core tools, techniques, and targeted vulnerabilities, as well as its use of SystemBC and collaboration with ransomware affiliates. Insights from command and control server data will be shared, including analyses of STAC4663’s tooling, bash history, and global reconnaissance methods, providing a comprehensive view of its operations and impact on the ransomware landscape.
Matthieu Faou | DigitalRecyclers: Yet Another Member of the APT15 Galaxy
DigitalRecyclers, a China-aligned cyberespionage group identified by ESET in 2021, has been active since at least 2018, targeting European governmental organizations. Likely linked to Ke3chang and BackdoorDiplomacy, DigitalRecyclers operates within the APT15 galaxy. They deploy the RClient implant, a variant of the Project KMA stealer. In September 2023, the group introduced a new backdoor, HydroRShell, which uses Google’s Protobuf and Mbed TLS for C&C communications. They also utilize a relay network, KMA VPN, for traffic anonymization. This talk will explore DigitalRecyclers’ TTPs, their connections within APT15, and strategies for defense.
Stav Shulman | UNC1860 & The Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks
This presentation will connect the dots of UNC1860, a covert Iranian state-sponsored threat actor, to reveal their full scope. Operating in the shadows since at least 2018, UNC1860 targeted governments, telecommunications, and critical infrastructure across the Middle East. Through detailed investigation, we have uncovered their advanced arsenal, including repurposed Iranian AV drivers, custom kernel implants, and tools for webshells and passive backdoors. Our research, based on real-world incident response by Google Cloud Mandiant, will expose the group’s sophisticated tactics and their role as an access broker for Iranian operations. This talk will highlight the group’s significant impact and broader implications for regional and global cybersecurity.
John Jarocki | Tracking the Cyber Space Ghost from Oast to Oast
This presentation will challenge the idea that living off the land (LotL) techniques are too subtle to detect. Instead, we’ll demonstrate how the unique and sometimes imperfect use of common tools by different actors can actually reveal distinct fingerprints and tracking opportunities. Focusing on Out-of-Band Application Security Testing (OAST) tools, we’ll illustrate how the idiosyncrasies in their use, including timing patterns and infrastructure signals, can be analyzed to uncover malicious activities. By flipping the conventional wisdom – where attackers only need to succeed once and defenders must stop every attempt – we propose that finding just one clue can be the key to tracking attackers effectively.
Austin Larsen | Avalanche: Unmasking UNC5537’s Campaign Targeting Snowflake Customer Instances
In April 2024, Mandiant tracked UNC5537, a threat actor that launched a global campaign compromising Snowflake customer instances, causing widespread data loss and extortion. This presentation offers an in-depth look at UNC5537’s attack strategies, focusing on their use of stolen credentials, data exfiltration with custom tools like FROSTBITE, and exploitation of common security gaps. I will share exclusive findings, including their personas, tactics, and interactions with victims and researchers. The talk will examine the campaign’s impact on cybersecurity, the evolving nature of financially motivated cybercrime, and ongoing issues with multi-factor authentication, shedding light on the broader implications for the industry.
Jim Walter | Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware
Kryptina RaaS, a Linux-focused RaaS platform and service, started life as an unsellable giveaway. However, large-scale ransomware operations are now adopting the platform to extend their reach into Linux and cloud environments. A recent leak from a Mallox-affiliated actor’s staging server has provided us a great deal of insight into how Kryptina is being adapted for use in Enterprise attacks. This presentation will focus heavily on the more recent developments and provide an understanding of why threat actors are attracted to the Kryptina platform, and what this means in the context of victims and targeting. We will also dissect what was included in the May 2024 Mallox leak and any improvements and modifications that current threat actors have made to the Kryptina platform.