Japan Security Analyst Conference 2023 (JSAC2023) was held on Jan. 25-26 with both virtual and onsite talks. This annual cyber security conference, hosted by JPCERT/CC, aims to bring security analysts together and give them opportunities to share technical knowledge on incident response and analysis. This year, TeamT5 presented two sessions at the event.
In the first, TeamT5 CTI Researcher Still Hsu gave a talk on “Brief History of MustangPanda and its PlugX Evolution”. He pointed out that Polaris/MustangPanda continues to evolve its TTPs: attacks are observed frequently, and multiple campaigns focus on a wide variety of targets.
The other session was presented by TeamT5 research engineers Peter Syu and Jr-Wei Huang on the topic “Track Down Stealth Fileless Injection-based Nginx Backdoor in the Attack”. The presentation focuses on Nginx, a web server widely used in the industry. During an incident response, they found an Nginx-based backdoor on the server that used a previously unseen attack vector, injection, to achieve a fileless effect; TeamT5 named the backdoor components NginxStealth and NginxSpy.
They introduced how the attacker gained initial access to the Nginx server and how the malicious payload works. They then explained in detail how NginxStealth and NginxSpy are skillfully hidden in the system, and compared the techniques used by NginxStealth with those of existing Nginx-based backdoors.
Finally, they developed an Nginx module based on the hook method used by NginxStealth. The module lists the hook addresses; if an address does not fall within the normal Nginx memory space or the module memory space, there is a high possibility that the Nginx process has been injected with NginxStealth.
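The check described above, as an added illustration that is not TeamT5's module: given the hook addresses a worker process exposes and its memory map, any hook that does not resolve to the Nginx binary or to a loaded Nginx module is flagged. The /proc/<pid>/maps excerpt, the hook addresses and the binary/module paths are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed /proc/<pid>/maps excerpt for an Nginx worker (addresses are made up).
SAMPLE_MAPS = """\
55d1c0400000-55d1c0480000 r-xp 00000000 fd:01 1311  /usr/sbin/nginx
55d1c0680000-55d1c0690000 rw-p 00280000 fd:01 1311  /usr/sbin/nginx
7f3a10000000-7f3a10020000 r-xp 00000000 fd:01 2222  /usr/lib/nginx/modules/ngx_http_geoip_module.so
7f3a12000000-7f3a12100000 rwxp 00000000 00:00 0
7f3a20000000-7f3a20180000 r-xp 00000000 fd:01 3333  /usr/lib/x86_64-linux-gnu/libc.so.6
"""

# Constructed hook-table dump: the addresses a handler hook points at.
SAMPLE_HOOKS = [0x55d1c0401000, 0x7f3a10001000, 0x7f3a12005000, 0x1000]

# Fields of a maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str

def parse_maps(text: str) -> List[Region]:
    """Parse /proc/<pid>/maps text into address regions; unparseable lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            regions.append(Region(int(m.group(1), 16), int(m.group(2), 16),
                                  m.group(3), m.group(4).strip()))
    return regions

def find_region(regions: List[Region], addr: int) -> Optional[Region]:
    return next((r for r in regions if r.start <= addr < r.end), None)

def classify_hook(regions: List[Region], addr: int,
                  nginx_path: str = "/usr/sbin/nginx",
                  modules_dir: str = "/usr/lib/nginx/modules/") -> str:
    """Label where a hook address lives: 'nginx', 'module', or something to investigate."""
    r = find_region(regions, addr)
    if r is None:
        return "unmapped"
    if r.path == nginx_path:
        return "nginx"
    if r.path.startswith(modules_dir):
        return "module"
    # Executable memory with no backing file is the classic footprint of an injected payload.
    return "anonymous-exec" if (r.path == "" and "x" in r.perms) else "other:" + r.path

def suspicious_hooks(regions: List[Region], hooks: List[int]) -> Dict[int, str]:
    """Return only the hooks whose target is outside the Nginx binary and its modules."""
    labels = {addr: classify_hook(regions, addr) for addr in hooks}
    return {a: l for a, l in labels.items() if l not in ("nginx", "module")}
```

A real deployment would read the hook addresses from inside the worker (as the module in the talk does) and the map from /proc/<pid>/maps; the classification logic stays the same.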
The slides for both talks can be downloaded from the official website.
📌Brief History of MustangPanda and its PlugX Evolution
- Speaker: Still Hsu
- Slides (English Version): Link
📌Track Down Stealth Fileless Injection-based Nginx Backdoor in the Attack
- Speaker: Peter Syu, Jr-Wei Huang
- Slides (English Version): Link
About JSAC
Cyber attacks occur on a daily basis, and their techniques are constantly changing. Engineers who analyze and respond to them must keep improving their skills to keep up with these ever-changing techniques. However, there are few occasions in Japan where techniques and knowledge of incident analysis and response are shared among engineers. Security analysts are expected to get together and exchange their technical expertise on incident handling to strengthen their defenses against cyber attacks, both individually and as a whole.
To achieve this goal, JPCERT/CC hosts the Japan Security Analyst Conference (JSAC), an annual conference for exchanging technical information on cyber security incident analysis and response. At the conference, security analysts who handle security incidents on a daily basis are encouraged to share information with each other in order to deal with the ever-evolving cyber attacks of today and the future.
More information is available on the JSAC website.
*Image courtesy of JSAC