DEV Community

Evan Lin

Posted on • Originally published at evanlin.com on

BECKS.io #6 Meetup Notes: June 17, 2020

Hello everyone, I am LINE Tech Evangelist Evan Lin. LINE has been steadily improving its information security: beyond building on the DevSecOps concept and putting security into the DNA of LINE products and services, it also actively promotes the growth of the wider security ecosystem. And: Beer is beautiful, hacks are amazing, BECKS is gold. BECKS is composed of the words Beer and Hacks. Through the BECKS.IO Security Meetup series, it gives outstanding security talent in South Korea, Japan, Taiwan and elsewhere opportunities for face-to-face exchange and for building good connections. This BECKS.IO meetup was held at Taipei's Avenue, inviting speakers from Taiwan to share the security thinking and practical experience of different companies and individuals in a relaxed, open atmosphere, and to look ahead to how the related technologies will develop.

KKTIX event webpage: Event URL

The Silence of Incident Responders in Taiwan: The realities, the difficulties and the future - Jack Chou / ISSDU Senior Technical Consultant

Here is some basic background found through searching (all of it comes from the author's own searches as a security novice):

IR (Incident Responders):

When a threat occurs, the SOC is used to formulate the first-stage response mechanisms and procedures.

SOC (Security Operation Center):

A security operation center; here, an organization contracted by the government to ensure the information security of government units and to fend off security threats and attacks.

SOC monitoring contracts are divided into three service levels:

  • Low traffic: EPS (events per second) 900, IR 3 times
  • Medium traffic: EPS 2300, IR 7 times
  • High traffic: EPS 4900, IR 15 times

What SOC needs to do:

  • Hold meetings with customers (0800 roll call)
  • Sample analysis
  • High customer expectations

The reality of the situation

Although the ideal of IR is appealing, the speaker also shared what kinds of IR actually exist in Taiwan today: sales-driven IR, mediation IR, "Teacher Zhang"-style (counselling-hotline) IR, comforting IR, intelligence IR, and so on. In other words, although IR in principle calls for a great deal of analysis and response, in practice the handling depends heavily on the situation on the scene, and IR is done differently in different situations.

So how does one find unknown attacks? (SOC & IR)

Look up the CVE data; when the same attack has hit three or more companies, it can usually be regarded as "a premeditated large-scale attack".

Future:

A realistic situation: a government unit receives a security incident notification -> the affected site is in Taitung -> decide whether it is necessary to go on site -> the location is too far away to reach in the first instance -> set up the relevant environment remotely -> start to understand the problem -> afterwards, respond and take action very quickly.

From this case it can be seen that "remote IR" will be a future trend.

Reference articles:

Operation ENDTRADE: TICK's Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data - Joey Chen / Trend Micro Sr. Security Engineer

The speaker is a threat researcher, and this talk is based on a research white paper on a hacking group: ENDTRADE PIC Research White Paper

What is ENDTRADE

  • Like a spy mission, many related operations actually revolve around one main goal.
  • There is a clear goal (example: Japanese defense data).
  • It requires several stages of attack (preparatory activities).
  • Related partner manufacturers are attacked first to obtain relevant information (mainland manufacturers first, because the Japanese OEM factories are in mainland China).

Main group researched: TICK

  • Targets companies that specialize in research reports.
  • Attacks its real targets through these research-report companies (because their emails are less closely guarded).
  • Attacks chemical companies and public contractors in this way.

In 2018, many vulnerabilities were found, and related malware and hacking tools were also developed.

  • The backdoor was even placed in the antivirus software's folder.
  • Antivirus software does not scan its own folder (or itself).

Strategy

  • Place malicious programs in obvious places (easy to click).
  • First compromise websites the targets often use.
  • Have the malicious programs fetch the real malicious code from those frequently used websites.

Related development tools:

  • Downloader
  • Dropper
  • Integrated toolkits, so that the attack operations run quite smoothly and easily.

Attack types:

(First half of 2019)

  • Hide malicious programs inside images and restore them to executable files by other means; download the malicious programs through legitimate websites so that virus scanners cannot detect them.
  • Deliver malware as a PDF -> plant a backdoor -> connect to legitimate websites -> download malicious programs.

(Second half of 2019)

  • Disguise executables as PDF files -> connect to legitimate websites -> control local files through PHP.

The group has a continuously working R&D team.

Features of the new downloader:

  • Only runs during working hours
  • Deletes antivirus software
  • Targets a specific range of users (Japanese and Simplified Chinese locales)

The data sent back after the intrusion is transformed with AES and base64 before being returned, and is used to confirm whether to continue the attack.

What is done after getting into the intranet

  • Screenshot tool
  • VBScript-loading tool

Conclusion (takeaways)

  • Each campaign takes one or two years of attack activity
  • A variety of malicious programs are developed
  • The malicious programs are constantly checked and protected
  • Relevant information is also stolen to confirm whether the target warrants continuing the operation

Related Q&A

Q: If a malicious program is placed in the antivirus software's folder, does your unit have any precautions?

A: Before anything in the folder is executed, relevant inspections are done to make sure it has not been modified by malicious programs.

Related information

Event Summary

Tonight's gathering invited security experts from home and abroad to share their security strategies and experience without reservation, helping participants understand, in just a few hours, the many ways information security can be put into practice from different angles. BECKS is composed of the words Beer and Hacks. Through this meetup we once again brought the security community together, letting security experts share their latest research and letting researchers from different fields discuss face to face. Besides helping more people understand LINE's security design, we also hope that these exchanges let diverse security thinking strike brilliant sparks!

Follow the "BECKS" event page to receive first-hand notifications of the latest Meetup events.

"BECKS" event page: https://becks.io

About the "LINE Developer Community Program"

LINE launched the "LINE Developer Community Program" in Taiwan at the beginning of this year and will invest manpower and resources over the long term in developer community gatherings, recruitment days, developer conferences and more, internal and external, online and offline, across Taiwan; more than 30 events have already been held. Readers are welcome to check back for the latest updates. For details, please see:

Recruitment Information

"LINE is strongly recruiting!" Join us to Close the Distance and connect the smart new world » Detailed job information
