9/11
直播連結:國際會議廳 R0
第一會議廳 R1
第二會議廳 R2
遠距會議室 R3
交誼廳 R4
報到時間
嘉賓致詞
總召致詞 & Opening
Industrial Cybersecurity Landscape in 2020: Trends, Challenges, and Opportunities
劉榮太
Break
[ HITCON 論壇 ] 金融業如何迎擊數位戰場的第一道烽火
翁浩正 蔡福隆 處長 郭建中 董事長 蘇清偉 資安長 劉培文 執行副總經理
A Million Boluses: Discovery and Disclosure of Vulnerabilities in an Insulin Pump
Julian Suleder
Lunch
[ HITCON 論壇 ] 主動式資安防禦策略,解決 OT 資安相依性風險
毛敬豪 所長 劉榮太 執行長 鄭嘉信 執行長 楊瑞祥 技術長 王仁甫 總監
APT Chimera - Operation targets Semiconductor Vendors
陳仲寬 Inndy Lin JohnThunder
人力徵才
Bug Bounty Competition
Break
[ HITCON 論壇 ] 如何兼顧疫情控制與隱私保護
李柏鋒 OCF 簡宏偉 處長 龐一鳴 處長 劉宇倫 醫師 Sherry Chung MyData Taiwan
網軍內網滲透之奇技淫巧 (Operation: I am Tom)
zha0 Tom Aragorn
Bug Bounty Competition
TDOH Village
Coffee Break
[ HITCON 論壇 ] 疫情後資安人才培育的挑戰與契機
Alan Lee 黃俊穎 博士 Tzong-Chen Wu Seungjoo Kim Kana Shinoda Yan Shoshitaishvili
Reversing In Wonderland: Neural Network Based Malware Detection Techniques
Sheng-Hao Ma Shin-Ming Cheng
Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments
Joey Chen
5G Village Session
Break
A CTF-Style Escape Journey on VMware Workstation
Yanyu Zhang
5G Village Session
Closing
9/12
直播連結:國際會議廳 R0
第一會議廳 R1
第二會議廳 R2
遠距會議室 R3
交誼廳 R4
報到時間
Opening
Break
Breaking Samsung's Root of Trust: Exploiting Samsung S10 Secure Boot
Cheng-Yu Chao
Bug hunting from zero to 0(day) to ($)0
Anthony Lai Byron Wai Ken Wong
CTI Village
Break
From LNK to RCE: Finding bugs in Windows Shell Link Parser
Lays
Potential Security and Privacy Issues in Novel Taiwanese National eID system
何明洋
First step in the quest for manufacturing cyber-resilient IoT devices
Jun Sato 張智翔
CTI Village
Break
RE: 從零開始的 OOO DEF CON CTF & DEFCON 28 準備與競賽分享
ddaa yuawn
LEAYA: Last Exploitation 絢 - An Embedded System Detection and Response
cp zet freetsubasa
Exploit (Almost) All Xiaomi Routers Using Logical Bugs
Aobo Wang Jihong Zheng
CTI Village
Lunch
協會時間
Break
Development of Signaling Spoofing Attacks Using Function Containerization of Rogue Base Stations
Shin-Ming Cheng Bing-Kai Hong
Guarding the Factory Floor: Catching Insecure Industrial Robot Programs
Federico Maggi Davide Quarta Marcello Pogliani Stefano Zanero Marco Balduzzi
CTI Village
Break
-
Bug Bounty X Router X IP Cam X 電子支付
The Great Hotel Hack: Adventures in attacking hospitality industry
Etizaz Mohsin
CTI Village
Coffee Break
Lightning Talk / 閉幕 / 花絮與展望 HITCON 2021
APT Chimera - Operation targets Semiconductor Vendors
議程摘要 Abstract
This presentation provides an analysis of the advanced persistent threat (APT) attacks that have occurred during the past two years on the semiconductor industry. Our research shows that the majority of these attacks were concentrated on the Taiwan semiconductor sector. This is worthy of concern, as Taiwan's semiconductor industry plays a very crucial role in the world. Even a small disruption in the supply chain could have a serious ripple effect throughout the entire industry. Surprisingly, up until now, there has been less coverage on these attacks. In this presentation, we seek to shed light on the threat actors and campaigns of these attacks, where they are collectively referred to as Operation Chimera (a.k.a. Skeleton). Additionally, we provide a brief overview of the current information security status of Taiwan's semiconductor industry.
Between 2018 and 2019, we discovered several attacks on various semiconductor vendors located at the Hsinchu Science-based Industrial Park in Taiwan. As these attacks employed similar attack techniques and tactics, a pattern could be discerned from the malicious activities. From this pattern, we deduced that these attacks, which we dubbed Operation Chimera, were actually conducted by the same threat actor. The main objective of these attacks appeared to be stealing intelligence, specifically documents about IC chips, software development kits (SDKs), IC designs, the source code, etc. If such documents are successfully stolen, the impact can be devastating. The motive behind these attacks likely stems from competitors or even countries seeking to gain a competitive advantage over rivals. Since the similar techniques and tactics to previous attack activities, we suspect the attacker is China-based hacker group. We thus hope that this presentation will help semiconductor companies gain a better understanding of the dangers from such attacks. Additionally, as we have worked with several of the semiconductor vendors to improve their cyber security, we wish to share this valuable experience, and highlight the current challenges facing the entire industry.
In this presentation, we conduct a comprehensive analysis on the employed technologies, tactics, and customized malware of Operation Chimera. As this operation has not yet been documented, the techniques and tactics disclosed in this presentation can help blue teams design better defenses, and develop better detection and hunting methods. Below summarizes our findings of Operation Chimera.
A unique account manipulation malware - SkeletonKeyInjector – was used. SkeletonKeyInjector contained code extracted from Dumpert and Mimikatz. This malware implanted a skeleton key into domain controller (DC) servers to continuously conduct lateral movement (LM). Additionally, by making direct syscalls, the malware could bypass security products based on API hooking. This malware was discovered in the two cases mentioned in this presentation.
The threat actor utilized Cobalt Strike as their main remote-access Trojan (RAT). The mutated Cobalt Strike backdoor replaced and masqueraded as Google Update to confuse users. Additionally, as most corresponding (command and control) C2s were located in the Google Cloud Platform, it made it difficult to attribute the actor. Aside from the two cases mentioned in this presentation, we also detected the presence of this malware in other semiconductor vendors.
Chimera used an old and patched version of RAR for data exfiltration. The same binary was found in the two cases mentioned in this presentation.
陳仲寬
Bletchley 現為奧義智慧的資深研究員,負責協調資安研究團隊。他於國立交通大學網路安全實驗室取得博士學位。研究方向專注於網路攻防、惡意程式分析、漏洞分析與挖掘與自動化攻防。並利用機器學習等技術協助自動攻防系統之設計。他發表了多篇學術會議與期刊論文,並參與了許多大型資安研究計畫,主題包含:數位鑑識、事件處理及程式分析。在許多非學術技術會議,如:CodeBlue OpenTalk、HITB、FIRST(2020), HITCON 及 VXCON,亦積極參與並發表其研究。此外,他致力於資安教育,在交大創立交大網路安全策進會,鼓勵並培訓學生參與國際型 CTF 比賽。他為台灣資安社群相當活躍的成員,現為 Chroot 成員之一,並擔任 HITCON/荷蘭 HITB 資安會議的審查委員。
Inndy Lin
Inndy 是任職於奧義智慧科技的資訊安全研究員,專注於研究惡意程式、APT 攻擊以及 Windows 攻防。他喜愛鑽研逆向工程、Python以及分析惡意程式。曾經於 BlackHat、ROOTCON、SITCON 發表研究以及演講。
JohnThunder
姜尚德(John Jiang)奧義智慧研究員,他專注研究在 Incident Response 和 Endpoint Security 領域。