TeamT5 於台灣駭客年會 HITCON 2023分享多場技術演講

TeamT5 於台灣駭客年會 HITCON 2023 分享2場技術演講，本篇文章簡介各場演講，並提供活動官網的簡報下載連結。

WDM（Windows Driver Model）是一種 Windows 核心驅動程式的類型，利用 DDI（Device Driver Interfaces）的架構彼此傳遞資訊和與硬體溝通。如果驅動程式存在漏洞，攻擊者可能利用它們來提權。此外也可以被濫用來執行惡意程式，也就是所謂的 BYOVD（Bring Your Own Vulnerable Driver）攻擊。

在這個議程我將介紹五個與 AMD 的驅動程式相關的 CVE，分別為 CVE-2023-20556、CVE-2023-20561、CVE-2023-20562、CVE-2023-20560 和 CVE-2023-20564。透過模糊測試和逆向分析，在 AMD μProf 和 AMD Ryzen Master 中找到三個 DoS 與兩個 EoP 漏洞。DoS 是由於沒有驗證由攻擊者控制的輸入，導致可能存取到空指標。另外兩個 EoP 則是由於不足的訪問控制，讓攻擊者能夠寫入任意虛擬記憶體和物理記憶體。

在回報後經過幾個月與 AMD PSIRT 的溝通，已確認取得五個 CVE，並討論漏洞修復的日期。AMD PSIRT 對這些漏洞表現出正向的態度並積極解決問題。

The healthcare industry has become increasingly important to a country's overall well-being, especially after the COVID-19 pandemic. Unfortunately, the healthcare sector has also become a target for cybercriminals and Advanced Persistent Threat (APT) groups. These threat actors were particularly interested in targeting patients' personal information and confidential information such as vaccine development. One such group that has been making such a ruckus is the APT group CamoFei, better known as Chamelgang. In recent years, CamoFei has operated relatively unnoticed for several years. It gained notoriety after PT Security published a report back in September 2021, indicating that the group was specifically targeting Russia. Since then, the threat group has started focusing on Taiwan, performing spear-phishing attacks against multiple organizations whilst carrying large-scale attacks against multiple Taiwanese healthcare and government agencies. During our presentation, we will analyze CamoFei's Tactics, Techniques, and Procedures (TTPs), and the custom malware CamoFei had developed. We will also present several case studies highlighting the attack methods that CamoFei has employed against various healthcare and governmental organizations. By the end of the talk, the healthcare organizations and all the targeted organizations can use our mitigation and detection methods regarding the attacks.