
TeamT5 Share Researches in HITCON 2023

2023.08.20 TeamT5 Media Center
TeamT5 gave two technical talks at HITCON 2023, the annual hacker conference in Taiwan. This article introduces each talk and provides a download link to the slides on the official website of the event.

Uncovering Kernel Exploits: Exploring Vulnerabilities in AMD's Windows Kernel Drivers

  • Speaker: Zeze / Research Engineer
  • Intro:
WDM (Windows Driver Model) drivers are a specific type of Windows kernel driver that utilizes DDI (Device Driver Interfaces) to facilitate communication between drivers. They are responsible for interacting with hardware components. However, if a kernel driver is vulnerable, it can be exploited by attackers to escalate privileges or execute malicious kernel code, which is commonly known as a BYOVD (Bring Your Own Vulnerable Driver) attack.
In this session, I will present five CVEs related to AMD's Windows kernel drivers: CVE-2023-20556, CVE-2023-20561, CVE-2023-20562, CVE-2023-20560, and CVE-2023-20564. These vulnerabilities were discovered through a combination of fuzzing and manual reverse engineering. Three are denial of service vulnerabilities and two are elevation of privilege vulnerabilities, found in AMD μProf and AMD Ryzen Master, AMD products related to its CPUs. The denial of service vulnerabilities are caused by a lack of validation of the attacker-controlled input buffer, leading to a null pointer dereference. The two elevation of privilege vulnerabilities result from insufficient access control, allowing an attacker to write into arbitrary virtual memory and arbitrary physical memory, respectively.
After months of communication with the AMD PSIRT, the assignment of five CVEs has been confirmed, and the date for public disclosure has been established. AMD PSIRT has displayed a commendable response to these security issues and has actively addressed them.
  • Slide Download: link
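As an added illustration, not code from the talk, from TeamT5, or from AMD's drivers, the following user-mode C simulation shows the two checks whose absence the abstract describes, placed in a METHOD_BUFFERED IOCTL dispatch routine: validating the input buffer before it is dereferenced (the null pointer dereference class) and enforcing access control before a privileged operation is performed (the elevation of privilege class). Every type, IOCTL code and status value here is a hypothetical stand-in for the Windows kernel equivalent (IRP, IO_STACK_LOCATION, NTSTATUS), and the "region" is a small array standing in for whatever resource the driver is meant to expose.

```c
/* Added example: user-mode simulation of a hardened WDM IOCTL dispatch
 * routine. Names suffixed _SIM are constructed stand-ins for kernel types
 * and constants; nothing here is taken from a real driver. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t NTSTATUS_SIM;
#define STATUS_SUCCESS_SIM            0
#define STATUS_INVALID_PARAMETER_SIM -1
#define STATUS_BUFFER_TOO_SMALL_SIM  -2
#define STATUS_ACCESS_DENIED_SIM     -3

#define IOCTL_SIM_WRITE_REGION 0x222004u   /* constructed IOCTL code */

/* Hypothetical request layout carried in the METHOD_BUFFERED system buffer. */
typedef struct {
    uint64_t target_index;   /* which word of the driver-owned region to write */
    uint32_t value;
    uint32_t reserved;
} write_request_t;

/* Simulated view of the IRP fields a dispatch routine reads. */
typedef struct {
    uint32_t ioctl_code;
    void    *system_buffer;        /* Irp->AssociatedIrp.SystemBuffer */
    size_t   input_buffer_length;  /* Parameters.DeviceIoControl.InputBufferLength */
    int      requestor_is_admin;   /* stand-in for a privilege check on the caller */
} sim_irp_t;

/* Hardened dispatch: every field supplied by the caller is validated
 * before it is used, and the privileged operation is gated. */
NTSTATUS_SIM dispatch_hardened(const sim_irp_t *irp,
                               uint32_t *region, size_t region_words) {
    if (irp->ioctl_code != IOCTL_SIM_WRITE_REGION)
        return STATUS_INVALID_PARAMETER_SIM;

    /* Check 1 (denial of service class): the system buffer may be absent
     * or shorter than the request structure; never dereference it until
     * both the pointer and the declared length have been confirmed. */
    if (irp->system_buffer == NULL)
        return STATUS_INVALID_PARAMETER_SIM;
    if (irp->input_buffer_length < sizeof(write_request_t))
        return STATUS_BUFFER_TOO_SMALL_SIM;

    /* Check 2 (elevation of privilege class): a write primitive must not
     * be reachable by callers the device was never meant to serve. */
    if (!irp->requestor_is_admin)
        return STATUS_ACCESS_DENIED_SIM;

    /* Copy out of the shared buffer once, so later checks and the use
     * operate on the same values (avoids a double-fetch). */
    write_request_t req;
    memcpy(&req, irp->system_buffer, sizeof req);

    /* Check 3: the request may only address the region the driver owns;
     * anything outside that range is refused rather than written. */
    if (req.target_index >= region_words)
        return STATUS_ACCESS_DENIED_SIM;

    region[req.target_index] = req.value;
    return STATUS_SUCCESS_SIM;
}

/* Small driver-owned region used by the scenarios below (constructed). */
static uint32_t g_region[4];

uint32_t region_word(size_t i) { return i < 4 ? g_region[i] : 0; }

/* Build one request the way a caller would and run it through dispatch. */
NTSTATUS_SIM simulate(int has_buffer, size_t declared_len, int is_admin,
                      uint64_t index, uint32_t value) {
    write_request_t req = { index, value, 0 };
    sim_irp_t irp = { IOCTL_SIM_WRITE_REGION,
                      has_buffer ? (void *)&req : NULL,
                      declared_len, is_admin };
    return dispatch_hardened(&irp, g_region, 4);
}

int main(void) {
    printf("null buffer      -> %d\n", simulate(0, 16, 1, 0, 1));
    printf("short buffer     -> %d\n", simulate(1, 8, 1, 0, 1));
    printf("unprivileged     -> %d\n", simulate(1, 16, 0, 1, 1));
    printf("out of range     -> %d\n", simulate(1, 16, 1, 9, 1));
    printf("valid request    -> %d (word 2 = 0x%x)\n",
           simulate(1, 16, 1, 2, 0x41), region_word(2));
    return 0;
}
```

In a real driver the access-control half is better enforced when the device object is created, for example by restricting who may open the device with a security descriptor (IoCreateDeviceSecure with an SDDL string), so that the IOCTL never reaches an unprivileged caller at all; the check inside the dispatch routine is the defence-in-depth layer behind that.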

Unmasking CamoFei: An In-depth Analysis of an Emerging APT Group Focused on Healthcare Sectors in East Asia

  • Speakers: Still Hsu / cyber threat intelligence researcher; DuckLL / cyber threat intelligence researcher
  • Intro:
The healthcare industry has become increasingly important to a country's overall well-being, especially after the COVID-19 pandemic. Unfortunately, the healthcare sector has also become a target for cybercriminals and Advanced Persistent Threat (APT) groups. These threat actors are particularly interested in patients' personal information and confidential information such as vaccine development. One group making such a ruckus is the APT group CamoFei, better known as Chamelgang. CamoFei operated relatively unnoticed for several years. It gained notoriety after PT Security published a report in September 2021 indicating that the group was specifically targeting Russia. Since then, the threat group has shifted its focus to Taiwan, performing spear-phishing attacks against multiple organizations while carrying out large-scale attacks against multiple Taiwanese healthcare and government agencies. During our presentation, we will analyze CamoFei's Tactics, Techniques, and Procedures (TTPs) and the custom malware CamoFei has developed. We will also present several case studies highlighting the attack methods that CamoFei has employed against various healthcare and governmental organizations. By the end of the talk, healthcare organizations and other targeted organizations will be able to apply our mitigation and detection methods against these attacks.
  • Slide Download: link

