Infosec In the City (IIC)
Tracking BlackTech Activities — Attacks to What You Trust & Blind Your Defense — by CK Chen & Minsky
Updated: Dec 28, 2020
SINCON 2020 Conference Deep-Tech Track
Day 2 (3 Jan 2021)
@ Main Stage
[SINCON 2020 Conference Full Schedule]
BlackTech is currently one of the more dangerous cyber espionage groups that continues to evolve and expand its attacks on East Asian targets. As a key player on the cyber defense forefront, we have been monitoring BlackTech’s attack campaigns continuously, especially attacks in the Taiwan sector. In this presentation, we will share our incident response (IR) methods and investigation experience of four cases conducted by BlackTech during the past two years: Compromised Outsourcer, Blinding Monitor and DLP System Hijacking.
From the Compromised Outsourcer and Blinding Monitor events, two innovative tactics were used by BlackTech:
Specific targeting at the enterprise’s trusted entities; and
Disarming the defense mechanism.
For the former, many companies and organizations have chosen to outsource their IT services, but minimal (or even no) security management and auditing are conducted on the outsourced vendors. Such vendors operating inside the organization are thus prone to a malicious attack. In the Compromised Outsourcer case, BlackTech first compromised low-security but trusted third-party (outsourced) services and used them as its initial point of entry, then moved laterally to the intended target to deploy malware and steal data. Additionally, BlackTech developed malware in shellcode to abuse legitimate applications, such as stealing data stored in Google Drive via the Google Drive Remote Access Trojan (GDRAT). Meanwhile, the DLP System Hijacking case highlighted that a trusted supply chain can be an easy target to exploit.
In the Blinding Monitor case, we discovered that BlackTech employed the “disarming the defense mechanism” technique to directly target and disarm the cybersecurity system. This technique targets and removes the functionality of specific defense systems and products. This may include customizing the in-memory PE loader for fileless execution and anti-memory-forensics, and intercepting the APIs used by certain security systems. As a result, the security system still appears to be running, but it has already lost the ability to respond to an attack. This stealthy technique requires the adversary to invest tremendous effort in disarming the security system and product functions, and we will explore it in great detail in this presentation. The aforementioned tactics show that BlackTech was able to obtain a very good understanding of the internal infrastructure and the trusted entities, including the partners and the software in use. Needless to say, a security loophole in any of these trusted entities can be an invitation to a malicious attack.
Finally, we will shed light on how we were able to successfully track BlackTech, and conduct the IR for a large number of endpoints (15k) within a very short time frame. This included creating process and network relation graphs and conducting a timeline analysis.
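As an added illustration of the graph-and-timeline approach mentioned above (this is example code written for this page, not CyCraft's tooling or anything shown in the talk), the script below builds a process-relation graph and a per-process network-relation map from constructed endpoint telemetry, walks a suspicious process back to the trusted third-party agent that spawned it, and merges both event streams into a single sorted timeline. All hostnames, PIDs, image names and IP addresses are invented placeholders (the IPs come from the documentation ranges), and the "vendor_rmm_agent.exe" name is a stand-in for whatever outsourced remote-management software an organization actually runs.

```python
"""Process/network relation graphs and timeline for endpoint IR (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry: (timestamp, host, pid, ppid, image, user).
# Everything here is invented for the example, not data from a real incident.
PROCESS_EVENTS = [
    ("2020-12-01T09:00:00", "WS-01", 400, 1, "services.exe", "SYSTEM"),
    ("2020-12-01T09:00:05", "WS-01", 1200, 400, "vendor_rmm_agent.exe", "SYSTEM"),
    ("2020-12-01T13:22:10", "WS-01", 3300, 1200, "cmd.exe", "SYSTEM"),
    ("2020-12-01T13:22:12", "WS-01", 3310, 3300, "rundll32.exe", "SYSTEM"),
    ("2020-12-01T09:00:00", "WS-02", 404, 1, "services.exe", "SYSTEM"),
    ("2020-12-01T08:59:00", "WS-01", 2000, 400, "explorer.exe", "alice"),
]

# Constructed sample connections: (timestamp, host, pid, remote_ip, remote_port).
NETWORK_EVENTS = [
    ("2020-12-01T13:22:15", "WS-01", 3310, "203.0.113.10", 443),
    ("2020-12-01T13:25:40", "WS-01", 3310, "192.0.2.50", 445),
    ("2020-12-01T09:01:00", "WS-01", 1200, "198.51.100.7", 443),
]


def build_process_graph(events):
    """Return (nodes, children): nodes maps (host, pid) -> attributes,
    children maps (host, ppid) -> list of child keys. Keys include the host
    so one graph can hold a whole fleet without PID collisions."""
    nodes = {}
    children = defaultdict(list)
    for ts, host, pid, ppid, image, user in events:
        nodes[(host, pid)] = {"ts": ts, "image": image, "user": user, "ppid": ppid}
        children[(host, ppid)].append((host, pid))
    return nodes, children


def ancestry(nodes, host, pid):
    """Image names from the given process up to its root ancestor.
    The 'seen' set guards against PID reuse producing a cycle."""
    chain, key, seen = [], (host, pid), set()
    while key in nodes and key not in seen:
        seen.add(key)
        chain.append(nodes[key]["image"])
        key = (host, nodes[key]["ppid"])
    return chain


def descendants(children, host, pid):
    """All (host, pid) keys spawned directly or indirectly by the process."""
    out, stack = [], list(children.get((host, pid), []))
    while stack:
        key = stack.pop()
        out.append(key)
        stack.extend(children.get(key, []))
    return out


def network_by_process(net_events):
    """Map (host, pid) -> set of (remote_ip, remote_port) it talked to."""
    edges = defaultdict(set)
    for ts, host, pid, ip, port in net_events:
        edges[(host, pid)].add((ip, port))
    return edges


def connections_under(nodes, children, net_edges, host, pid):
    """Remote endpoints contacted by a process or anything it spawned: scopes
    'what did the outsourced agent reach out to' in one query."""
    keys = [(host, pid)] + descendants(children, host, pid)
    result = set()
    for key in keys:
        result |= net_edges.get(key, set())
    return result


def build_timeline(proc_events, net_events, host=None):
    """Merge process and network events into one chronologically sorted list
    of (datetime, host, description), optionally restricted to one host."""
    rows = []
    for ts, h, pid, ppid, image, user in proc_events:
        if host is None or h == host:
            rows.append((datetime.fromisoformat(ts), h,
                         f"{image} (pid {pid}) started by ppid {ppid} as {user}"))
    for ts, h, pid, ip, port in net_events:
        if host is None or h == host:
            rows.append((datetime.fromisoformat(ts), h, f"pid {pid} -> {ip}:{port}"))
    rows.sort()
    return rows


if __name__ == "__main__":
    nodes, children = build_process_graph(PROCESS_EVENTS)
    net = network_by_process(NETWORK_EVENTS)
    print("ancestry of WS-01 pid 3310:", " <- ".join(ancestry(nodes, "WS-01", 3310)))
    print("connections under the RMM agent:", connections_under(nodes, children, net, "WS-01", 1200))
    for when, h, what in build_timeline(PROCESS_EVENTS, NETWORK_EVENTS, host="WS-01"):
        print(when.isoformat(), h, what)
```

Keying every node by (host, pid) is what lets the same code scale from one workstation to a large fleet: the per-host trees stay separate, while a query such as "every process whose ancestry passes through the vendor agent" can be run across all hosts with the same functions.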
About the Speakers
C.K. CHEN (BLETCHLEY) is currently a senior researcher in CyCraft, responsible for organizing its research team. He earned his PhD in Computer Science and Engineering from National Chiao-Tung University (NCTU). His research focuses on network attack and defense, machine learning, software vulnerabilities, malware and program analysis. As a founder of the NCTU hacker research clubs, he trains students to participate in world-class security contests and has experience participating in DEFCON CTF (in 2016 with the HITCON team and in 2018 as a coach of the BFS team). He has also given technical presentations at non-academic conferences such as HITCON, ROOTCON, CODE BLUE OpenTalk and VXCON. As an active member of the Taiwan security community, he sits on the review committee of the HITCON conference and is chief of CHROOT — the top private hacker group in Taiwan. He organized the BambooFox Team to join bug bounty projects, discovering several CVEs in COTS software and several vulnerabilities in campus websites.
MINSKY CHAN is currently a senior security analyst in CyCraft, mainly focusing on incident response, APT research, malware analysis and threat intelligence analysis. He has been a speaker at various trainings for practitioners.