Your NAS is not my BOT

Live talk in Chinese · Threat intelligence

NAS (Network Attached Storage) devices are widely deployed by enterprises and end customers worldwide, and they are becoming more powerful and convenient than ever. However, their security may not be valued as much as their accessibility and convenience.

Our recent tracking of APT attacks came across C2 (Command & Control) servers that appear to be linked with NAS devices: their passive DNS records show subdomains of synology.me (the DDNS service provided by Synology) or myqnapcloud.com (the DDNS service provided by QNAP). After further investigation, we discovered a variety of abuse methods among different threat actors. They are:

  • A NAS device was compromised and leveraged as a traffic relay server (hopping point) to hide threat actors’ real location
  • A NAS device was compromised and its DDNS service was hijacked by threat actors in their attacks

In this work, we propose a novel yet simple method. It cross-validates the passive DNS records, the digital certificate history and the service history of a specific DDNS hostname belonging to a NAS device. This method can effectively identify a compromised NAS device by examining its DDNS profile. We validate our method by examining thousands of real cases and publish our experiment results. We also present case studies showing how APT actors abuse these compromised devices.
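The cross-validation idea above, as an added illustration that is not the authors' tool: three histories for one DDNS hostname are checked against each other, and any inconsistency is reported as a finding. The hostname, all records and the three consistency rules are constructed assumptions for this example, not data or rules from the talk.

```python
# Added illustration of the cross-validation idea described above, not the
# authors' tool: all records are constructed sample data and the three
# consistency rules are this editor's assumptions about a genuine NAS profile.
from collections import namedtuple
from datetime import date

DnsRec = namedtuple("DnsRec", "ip first last")          # passive DNS: host -> ip over [first, last]
CertRec = namedtuple("CertRec", "issuer not_before not_after")  # certificate history for the host
SvcRec = namedtuple("SvcRec", "ip seen port banner")    # service history on a resolved ip
NAS_MARKERS = ("synology", "qnap")   # assumed markers of the legitimate NAS web UI

def profile_findings(host, dns, certs, svcs):
    """Return human-readable inconsistencies in one hostname's DDNS profile."""
    findings = []
    # Rule 1: two A records whose lifetimes overlap; one home/SOHO NAS normally
    # answers from a single public IP at a time.
    for a in dns:
        for b in dns:
            if a.ip < b.ip and a.first <= b.last and b.first <= a.last:
                findings.append(f"{host}: overlapping IPs {a.ip} and {b.ip}")
    # Rule 2: a resolved IP on which no NAS-like service was ever observed.
    for rec in dns:
        seen = [s for s in svcs if s.ip == rec.ip]
        if seen and not any(m in s.banner.lower() for s in seen for m in NAS_MARKERS):
            findings.append(f"{host}: {rec.ip} never served a NAS banner")
    # Rule 3: certificate issuer changed while the hostname also moved IPs.
    issuers = sorted({c.issuer for c in certs})
    if len(issuers) > 1 and len({d.ip for d in dns}) > 1:
        findings.append(f"{host}: issuer changed ({', '.join(issuers)}) across IP moves")
    return findings

def sample_findings():
    """Constructed profile: a NAS hostname that later also points at a non-NAS host."""
    host = "example-nas.synology.me"                      # constructed name
    dns = [DnsRec("198.51.100.10", date(2022, 1, 1), date(2022, 6, 30)),
           DnsRec("203.0.113.5", date(2022, 5, 1), date(2022, 9, 30))]
    certs = [CertRec("Let's Encrypt", date(2022, 1, 1), date(2022, 4, 1)),
             CertRec("ZeroSSL", date(2022, 5, 1), date(2022, 8, 1))]
    svcs = [SvcRec("198.51.100.10", date(2022, 2, 1), 5001, "Synology DSM"),
            SvcRec("203.0.113.5", date(2022, 6, 1), 443, "nginx")]
    return profile_findings(host, dns, certs, svcs)   # three findings expected
```

A real deployment would feed the same function with records pulled from a passive DNS source, certificate transparency logs and an internet scan archive; each finding is only a lead for analyst review, not proof of compromise.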

Charles Li

Charles is the Chief Analyst at TeamT5. He leads the TeamT5 analyst team in threat intelligence research. He has been studying cyber attacks and campaign tracking for more than 10 years. His research interests include vulnerability research, reverse engineering and APT attacks. He often publishes research and gives training courses at security conferences.

Still Hsu

Still is a cyber-threat intelligence researcher at TeamT5. They are highly passionate and active in community discussion on malware and APTs. In particular, Still is very outspoken and loves to teach students how to get started in malware research and reverse engineering. Despite a bachelor's degree in English, Still has become one of the core members of the malware research team at TeamT5.

All non-English sessions will be provided with simultaneous interpretation into English.
