
【TeamT5 x CODE BLUE 2023】Because Security Matters

2023.10.16 TeamT5 Media Center
The biggest information security conference in Japan, CODE BLUE 2023, will be held in Tokyo on November 8-9. TeamT5, with its Taiwan headquarters and Japan subsidiary, is proud to support, sponsor and participate in this top international cybersecurity event in Asia.
This year, our cyber threat analysts and cyber security researchers will share their latest studies: “Enhanced Vulnerability Hunting in WDM Drivers with Symbolic Execution and Taint Analysis”, “Money Making or Camouflaging? Dissecting APT41's Ransomware Activities”, and “Winning from Within: Chinese InfoOp Targeting Overseas Diaspora”.
See below for highlights of our events at CODE BLUE 2023.

Enhanced Vulnerability Hunting in WDM Drivers with Symbolic Execution and Taint Analysis

  • Time : 11/8 (Wed.) 16:25 - 17:05
  • Presented by : Che-Yu Lin (Security Researcher)
Detecting security vulnerabilities in WDM drivers can be difficult due to the closed-source nature of the drivers and the need for a specific environment to load them into the kernel. Symbolic execution and taint analysis are commonly used techniques in software security, but they can suffer from the "path explosion" and "taint explosion" problems, where the number of possible paths and potentially tainted inputs grows exponentially with program complexity.
This talk proposes a solution called IOCTLance, which uses symbolic execution and taint analysis to detect vulnerabilities in WDM drivers. By tainting the target input buffer and developing customizable options to mitigate the path explosion problem, IOCTLance can detect various types of vulnerabilities in WDM drivers. The discovery of 117 previously unknown vulnerabilities in 26 unique drivers led to the identification of 41 CVEs, including denial of service, insufficient access control, and elevation of privilege vulnerabilities.

Money Making or Camouflaging? Dissecting APT41's Ransomware Activities

  • Time : 11/9 (Thu.) 13:35 - 14:15
  • Presented by : Che Chang (Cyber Threat Analyst), Charles Li (Chief Analyst)
It is not an exaggeration to say APT41 is among the most prolific and sophisticated Chinese state-sponsored groups. The 2020 US indictment did not hinder or even slow down APT41 from launching new attacks, as we observe its target scope and arsenal continuing to expand. APT41 is also one of a kind, since it has been known to conduct financially motivated cybercrime, which is not a common practice among Chinese APT groups. What’s noteworthy is that our research suggests APT41 has been actively engaged in ransomware attacks since as early as 2019.
In this presentation, we will share our latest findings on APT41’s engagement in ransomware attacks. Over the past three years, we have found traces of APT41's ransomware campaign against at least 10 industries across 11 countries in Asia, Europe, and America.
We will also try to answer the question: Why did APT41 start deploying ransomware in its operations? Is it for camouflaging or money making? By comparing APT41's espionage and ransomware campaigns, we found some differences in malware usage and level of sophistication, despite overlaps in C2 infrastructure and tactics. Notably, technical indicators suggest that APT41 might be connected to the Hades ransomware gang. Given that APT41 is a group of private contractors operating on behalf of the Chinese authorities, we assess that APT41 might be operating with multiple teams with different goals, which would explain the different aims of its ransomware usage.
Their latest activities once again prove that the group still poses a significant risk to organizations worldwide. We believe threat intelligence and attribution process can help the defense side to make better strategy before APT41 strikes again.

Winning from Within: Chinese InfoOp Targeting Overseas Diaspora

  • Time : 11/9 (Thu.) 14:25 - 15:05
  • Presented by : Chih-yun Huang (Cyber Threat Analyst), Che Chang (Cyber Threat Analyst)
With the turbulent political climate between China and the US, social media remains the primary battlefield for Chinese threat actors seeking to influence public opinion. Evidence suggests that China combines different resources, including Chinese botnets, marketing firms, and overseas branches, in its influence operations (IO, or information operations). Notably, the IO content was tailored for overseas Chinese. We assess that China leverages its diaspora to further foment favorable narratives and win over the public within other countries.
In the first part of the presentation, we will dissect the recent evolution of the Chinese botnets. As generative AI became a heated topic at the end of 2022, Chinese botnets also adopted AI technologies in their campaigns to create related content. In "Operation WhitePaper," the Chinese botnet shared videos using VTuber avatars criticizing the White Paper Revolution, a 2022 protest against China's strict COVID policy.
In the second part of the presentation, we will introduce three notable campaigns to demonstrate the closer collaboration among Chinese botnets, marketing firms, and overseas branches. First, we will detail how China's national police forces leverage the same botnet to operate disinformation campaigns in the US under the "912 Project". Then, we will share our exclusive investigation into a UK-based PR company. Lastly, we will elaborate on a recent case in Taiwan, showing how threat actors can potentially use local PR firms to conduct IO campaigns with more locally relevant content.
The Chinese IO campaigns align with China's political agenda and often surge around important geopolitical events. In the last part of the talk, we will provide our assessment of the possible threat landscape for the rest of the year. In particular, as Taiwan will hold its next presidential election in January 2024, we will provide our predictions on the potential IO campaigns ahead, with policy recommendations to mitigate the potential impacts.

What is CODE BLUE?

CODE BLUE is Japan's largest international information security conference, which aims to contribute to a better Internet world by connecting people through CODE (technology), beyond and across the BLUE (oceans). Every year, the world's top-class specialists and researchers gather together to share their latest findings and give cutting-edge talks. It is a place for all participants to exchange information and collaborate to respond to and solve information security problems.
More information is available on the CODE BLUE 2023 official website.


*Image courtesy of CODE BLUE.