Threat Research

A wrap up of HITCON 2017

By Wayne Chin Yick Low and Yongjian Yang | September 05, 2017

The 13th annual Hacks In Taiwan Conference (HITCON) took place August 25th and 26th at Academia Sinica, Taiwan’s national academy located in Taipei. Elite cyber security researchers from across the world gather at this annual conference to share their research and exchange ideas about the global threat landscape. Approximately 1000 people registered for the conference and, according to one of the HITCON crewmembers we met, one third of the attendees were undergraduates and fresh graduates. This is a good sign, given the current cyberskills gap, and indicates the enthusiasm that Taiwanese college students have to participate in the cyber security industry.

We were honored to present our research, The Dawn of AV Self-Protection, at HITCON. Our talk consisted of 2 parts; we first talked about how malware managed to bypass AV in the past, and then we shared our findings on the attack vectors of new AV self-protection features that could be leveraged by malware in order to disable the protections provided by many legacy security products. It was the emergence of the Dridex malware that drove us to this topic, which was first mentioned in a blog post published last year.

In this blog post, we will review some of the HITCON 2017 briefings that we enjoyed the most.

As security engineers who have been performing deep malware analysis for a decade, we are most interested in the latest anti-virus technology. One of our favorite talks was Neural Blacklisting presented by Sean Park, a senior malware scientist from Trend Micro. He presented his solutions, which are based on deep learning, to counteract the polymorphic URLs generated by notorious ransomware that aim to evade detection. In his presentation, he first explained the principle of polymorphic URL patterns that makes the automatic detection job extremely challenging, and the traditional way to match these URL patterns, such as regular expression and handcrafted algorithms. He then elaborated on how and why the state of the art use of Attention in Long Short-Term Memory (LSTM) in recurrent neural networks can separate different classes of URLs with high accuracy. He then provided a demo to show how he is able to manipulate his neural network in order to detect variable length patterns of malicious URLs. His talk demonstrated that deep learning not only works well in recognizing non-linear patterns, which can closely resemble the human brain’s neural network, but also works great at solving highly sophisticated engineering tasks.

There were also multiple talks regarding Internet of Things (IoT), which was not surprising to us given the rise in IoT-based attacks. One of our favorite IoT talks was Breaking Tizen by Amihai Neiderman from Azimuth Security. It’s worth mentioning that this was one of the three topics related to software “breaking” in addition to our own. The topic itself is not really technical, as Amihai was trying to emphasize his unpleasant experience with dealing with a vendor with affected IoT devices regarding the vulnerability reports he submitted to them. One of the highlights from Amihai is that he has been able to pinpoint over 40 trivial security issues found on multiple Tizen applications simply by performing a manual code audit. Uncovered security issues can be as trivial as classic buffer-overflow due to improper usage of the C function, like strcpy and memcpy, without proper user input sanitization. Finally, Amihai concluded that there could be other potential security issues that exist in Tizen that he simply hasn’t discovered yet.

Day Two of the conference started with the keynote by Orange Tsai. He talked about his exploitation technique used to turn Server Side Request Forgery (SSRF) to remote code execution (RCE), A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! He first showed an exploit chain that could lead to RCE by chaining four vulnerabilities on the GitHub Enterprise. He then elaborated on some new powerful approaches on exploiting SSRF, with a really impressive demonstration.

The keynote was followed by Nicolas Joly’s Mitigating the unknown, when your SMB exploit fails. As a quick background, the SMB exploit that Nicolas mentioned was first leaked by ShadowBroker and then leveraged by the infamous WannaCry ransomware that caused havoc for companies and individuals around the world. Nicolas started by explaining the exploitation techniques used by the leaked exploits and the root cause of the vulnerabilities. Before we attended his talk, we were expecting him to explain the techniques he used to discover other SMB vulnerabilities, which are part of his efforts as a security engineer from Microsoft Security Response Center (MSRC) to harden the SMB protocol after the WannaCry outbreak. Nicolas didn’t disappoint us, as he spent the last 10 minutes elaborating on the root cause of the SMB vulnerabilities that he reported internally.

In all, it was a great experience for us to be able to join this renowned cyber security conference, give our presentation, and meet with other security experts in the field. If you are interested to other topics that we were not able to cover in this blog post, you can check out HITCON’s official page for the full list of briefings with corresponding presentation slides.

-= FortiGuard Lion Team =-