It’s already the third and last day… Always a strange atmosphere after the gala dinner, and people always join late. It’s also challenging to be the first speakers! Ronan Mouchoux and François Moerman presented «From Words to Intelligence: Leveraging the Cyber Operation Constraint Principle, Natural Language Understanding, and Association Rules for Cyber Threat Analysis». This is a very long title that explains their research. All attacks are performed by humans. They have tools, objectives, targets, but they adapt with time. From a defender’s point of view, there can be ambiguity in terms. Two incident handlers can look at the same pieces of evidence and map them to different MITRE ATT&CK techniques. The idea behind Ronan & François’s research was to parse a lot of documents, extract «words» and, with the correlation of other sources, propose an analysis of the threat actors with «association rules». Example:
The second talk was «Boss, our data is in Russia – a case-based study of employee criminal liability for cyberattacks» by Olivier Beaudet-Labrecque & Lucas Brunoni. This talk was not technical but legal, yet very entertaining and interesting. They are from the Haute Ecole ARC in Switzerland, which was targeted by a cyberattack. The initial infection vector was a student “mistake”. He found a crack for a well-known application and… executed it. Trickbot was in place! A password to the school VPN was stolen. Question: what was the responsibility of this student? He signed an IT charter and violated it. From a legal point of view, could the student be seen as a “co-perpetrator”? What about the “intent”? They explained different situations and behaviors. For example, the student was studying computer science, so he should have been more aware of the risks of downloading such programs. In the second phase, they explained the legal risks associated with paying ransoms. Really great stuff!
Then we followed Matthieu Faou with «Asylum Ambuscade: Crimeware or cyberespionage?». The talk started with a review of classic articles in the news about a ransomware attack. In the same article, it was mentioned that the ransomware was deployed to “earn money” but, a bit below, “to support Russia & Putin”. Attacks performed by this group start with a macro document abusing the Follina vulnerability to finally drop the Sunseed malware. This malware has many modules to handle cookies, screenshots, VNC connections, … An interesting one is “deletecookies”, which removes cookies for specific websites. This is helpful to force the user to re-authenticate and collect/intercept credentials.
After a welcome coffee break, Erwan Chevalier & Guillaume Couchard presented “When a botnet cries: detecting botnets infection chains”. The first botnet reviewed was Qakbot (1M+ victims from 2022/02 to 2023/02). It is used by many groups and dropped by many malware families (Emotet, SmokeLoader, …). The second choice was IcedID (20K+ victims). There are multiple ways to deploy the payload:
Detection rules based on Sigma were demonstrated (ex: a scheduled task whose task name is a GUID, used for persistence).
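As an added illustration of that last detection idea (my own example, not a rule from the talk), the logic a Sigma rule would carry, applied to a few constructed Windows Security events for scheduled task creation (4698) and update (4702): flag any task whose leaf name is a bare or brace-wrapped GUID. Event field names follow the Windows event schema; the sample records are constructed.

```python
import re

# Constructed sample events (not real telemetry): Windows Security Event IDs
# 4698 "A scheduled task was created" and 4702 "A scheduled task was updated",
# reduced to the fields this check needs.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "alice",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"EventID": 4698, "SubjectUserName": "bob",
     "TaskName": "\\{A6E3F2C1-4B7D-4E8A-9C01-5D2F3B4A6E7C}"},
    {"EventID": 4698, "SubjectUserName": "carol",
     "TaskName": "\\a6e3f2c1-4b7d-4e8a-9c01-5d2f3b4a6e7c"},
    {"EventID": 4702, "SubjectUserName": "dave",
     "TaskName": "\\{A6E3F2C1-4B7D-4E8A-9C01-5D2F3B4A6E7C}"},
    {"EventID": 4698, "SubjectUserName": "erin",
     "TaskName": "\\Updater\\CheckForUpdates"},
]

# GUID: 8-4-4-4-12 hex groups, optionally wrapped in braces, any case.
GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}?$", re.IGNORECASE)


def task_leaf(task_name):
    """Return the task's own name, stripping the folder path (\\A\\B\\name -> name)."""
    return task_name.rsplit("\\", 1)[-1]


def is_guid_task_name(task_name):
    """True when the scheduled task is named purely as a GUID."""
    return bool(GUID_RE.match(task_leaf(task_name)))


def find_guid_tasks(events, event_ids=(4698, 4702)):
    """Return the events (creation or update) whose task name is a GUID.

    Equivalent Sigma condition: EventID in event_ids and TaskName matching GUID_RE.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") in event_ids and is_guid_task_name(ev.get("TaskName", "")):
            hits.append({"user": ev.get("SubjectUserName"), "task": ev["TaskName"]})
    return hits


if __name__ == "__main__":
    for hit in find_guid_tasks(SAMPLE_EVENTS):
        print(f"suspicious GUID-named task {hit['task']} created/updated by {hit['user']}")
```

Legitimate software occasionally registers GUID-named tasks too, so in production this is a hunting lead to enrich with the task's action (command line, author) rather than an alert on its own.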
The next talk was “Tracking residential proxies (for fun and profit)” by Michal Praszmo & Paweł Srokosz. This talk was flagged as TLP:Amber.
After the lunch break, the next talk was again TLP:Amber: “Bohemian IcedID” by Josh Hopkins & Thibaut Seret.
With the next talk, Alexandre Côté Cyr & Mathieu Lavoie spoke about “Life on a Crooked RedLine: Analyzing the Infamous InfoStealer’s Backend”. But again… TLP:Green!
The last one was “The Plague of Advanced Bad Bots: Deconstructing the Malicious Bot Problem” by Yohann Sillam. What happened to Vinted, the well-known sales platform? It was targeted by a credential stuffing attack. Bots are not always bad. Some are legit, and their goal is to automate actions on the Internet (ex: crawlers). So, what are bad bots? Ex:
- OpenBullet is a credential-stuffing bot.
- AYCD is an account creation bot.
- NSB is a scalping bot.
- OneClick bot
These bots are available via marketplaces (easy rentals, Bot Broker, …) and underground forums. Automation is performed via the WebDriver protocol or CDP (Chrome DevTools Protocol). Bots won’t work without … proxies! Bot operators rely on anti-captcha techniques: human-based, AI-based, or hybrid. Yohann released a tool called bot-monitor.
As usual, Eric closed the event with some remarks, numbers and, most important, he disclosed the location of the next event: We will meet in Nice in 2024!