APT cases exploiting vulnerabilities in region-specific software

Wednesday 2 October 12:00 - 12:30, Red room

Shusei Tomonaga (JPCERT/CC)
Tomoaki Tani (JPCERT/CC)
Hiroshi Soeda (JPCERT/CC)
Wataru Takahashi (JPCERT/CC)



APT attacks often leverage software vulnerabilities to infect victims with malware. The software most often targeted includes Microsoft Office, IE and Adobe Flash Player, which are commonly used everywhere. However, in some APT campaigns, attacks are carried out by exploiting vulnerabilities in region-specific software. Government agencies frequently use such local software, which makes it an attractive target for attackers. These attack cases are rarely discussed at international conferences because the issue is always specific to a single country.

In Japan, there are many cases where attacks have been carried out by exploiting vulnerabilities in software that is used only in Japan. In addition, the malware used in these attacks is unique to Japan. In this presentation, we describe the TTPs of attack groups in recent years and explain the APT group that exploits vulnerabilities in local software. The presentation provides insights into intelligence analysis and APT handling by comparing attack characteristics (shellcode, malware, etc.) across different campaigns.


Shusei Tomonaga

Shusei Tomonaga is a member of the Analysis Center of JPCERT/CC. Since December 2012, he has been engaged in malware analysis and forensics investigation. In particular, he spearheads the analysis of targeted attacks affecting Japanese critical industries. In addition, he has written blog posts on malware analysis and technical findings (https://blogs.jpcert.or.jp/en/). Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He has presented at CODE BLUE, BsidesLV, Botconf, PacSec, FIRST Conference, BlackHat USA Arsenal and more.


Tomoaki Tani

Tomoaki Tani works as a forensic analyst in the Incident Response Group of JPCERT/CC. His primary responsibility is in providing coordination and assistance for cybersecurity incidents related to Japanese constituents. With his technical insight, he is also in charge of analysing incident trends and attack methods. He has presented at CODE BLUE, BsidesLV, BlackHat USA Arsenal and more. Outside of work, he is a senior coach at one of the top rowing clubs in Japan and develops motion sensing devices and biomechanical analysis systems to cultivate the athletes' talents. Prior to joining JPCERT/CC, he was engaged in security analysis operations and incident handling at a major Japanese telco.


Hiroshi Soeda

Hiroshi Soeda has worked as an information security analyst in the Incident Response Group, JPCERT/CC since 2009. His primary responsibility is in providing coordination and assistance for cybersecurity incidents related to Japanese networks. With his technical insight, he is also in charge of analysing incident trends and attack methods, as well as developing in-house tools.


Wataru Takahashi

Wataru Takahashi was previously engaged in security system integration and service development at an IT vendor where he honed his expertise in securing servers and access controls against servers. He joined JPCERT/CC in October 2016 and since then has been committed to malware analysis and forensics, especially dealing with ever-evolving malware and attack techniques.

Back to VB2019 Programme page