LABScon | Security Research in Real Time – Talks Not To Miss, Part One

The speakers are pumped, the stunning venue is primed, and the guest list is (almost) complete. For the inaugural LABScon, the program committee has worked tirelessly on an incredible agenda showcasing fresh research from some of the sharpest minds in the industry.

LABScon, a SentinelLabs event presented by SentinelOne, will take place over three days from September 21-24th, showcasing bleeding-edge research into cyber threat actors, malware hunting techniques, vulnerabilities, exploits, and tools from the best cybersecurity researchers on the planet.

Hosted at Arizona’s premier resort, The Phoenician, LABScon is an intimate, invite-only conference. Want to know what’s going on and who else will be there? Here’s a first look showcasing the LABScon 2022 speaker lineup and some of the topics we are most excited about.

Who’s Speaking at LABScon

Arrival day will kick off with a casual and candid conversation between former Director of CISA and co-founder of Krebs Stamos Group, Chris Krebs and Thomas Rid, founding director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins SAIS, to welcome guests and set the tone for the conference. The LABScon Keynote day will include distinguished speakers like Dmitiri Alperovitch, head of the Silverado Policy Accelerator, and co-founder of CrowdStrike, and veteran security journalist and author Kim Zetter.

In an homage to the foundations of malware analysis, we are honored to host Mark Russinovich, CTO of Microsoft Azure, as he shares the secret history of the essential SysInternals suite of tools we all use and love.

And that’s just for starters! There’s an exciting program with more than 30 talks and workshops at LABScon, packed into three full days of education, entertainment, and collaboration. The list of confirmed speakers for LABScon is already available here. Just keep an eye on the #LABScon Twitter feed for ongoing speaker and agenda updates.

In the meantime, enjoy this sneak peek at what’s on offer. Below, we proudly spotlight a selection from the presentations and workshops we have lined up to give you a flavor of what to expect at LABScon 2022.

Is CNVD ≥ CVE? A Look at Chinese Vulnerability Discovery and Disclosure – Kristin Del Rosso (Sophos)

The US is still lagging behind China in terms of vulnerability discovery and disclosure. While the gap between the US National Vulnerability Database (NVD) and the Chinese NVD (CNNVD) has slightly shrunk over the last 5 years, there are still hundreds of vulnerabilities registered in China that are yet to be listed on the US NVD. The CNNVD is a known subsidiary of the Chinese Ministry of State Security’s Technical Bureau, which drives Chinese cyber espionage, and has a history of altering CVE disclosure dates and providing APT groups with exploits.

This talk will walk through the discovery of a CNVD that is not listed on the US NVD, and the larger picture behind the discovery and disclosure of vulnerabilities in China. This will cover how and where they are sourced, including a newly discovered sourcing event, the scope of disparity between US and Chinese vulnerability reporting, and how researchers can proactively hunt to close this knowledge gap between US and Chinese CVEs.

Demystifying Threats to Satellite Communications in Critical Infrastructure – MJ Emanuel – CISA

Satellite communications are an integral part of many industrial control systems across many sectors, but their usage, specifically in critical infrastructure, continues to be misunderstood by the industry. While there have been multiple investigations into vulnerabilities and exploitation methods of satellite systems, less attention has been given to threat vectors and how they impact the environments that rely on them – much buzz was generated by the Viasat outages in February and their effect on European wind turbines, but not on how much the service disruption impacted these systems. Furthermore, a lot of guidance into securing satellite communication systems focuses heavily on military applications, which can have different architectures and needs than those deployed in critical infrastructure networks.

Drawing on lessons learned from recent incident responses involving satellite companies and systems, this talk will cover the basics of how different sectors rely on satellite communications, trust relationships of the satellite provider ecosystem that could be potentially abused by threat actors, how various attack methods could impact infrastructure processes, and potential detection methods of abuse.

Breaking Firmware Trust From The Other Side: Exploiting Early Boot Phases (Pre-Efi) – Alex Matrosov (Binarly)

Vulnerabilities in System Management Mode (SMM) and more general UEFI applications/drivers (DXE) are receiving increased attention from security researchers. Over the last 12 months, the Binarly efiXplorer team disclosed 107 high-impact vulnerabilities related to SMM and DXE firmware components. But newer platforms have significantly increased the runtime mitigations in the UEFI firmware execution environment (including SMM). The new Intel platform firmware runtime mitigations reshaped the attack surface for SMM/DXE with new Intel Hardware Shield technologies applied below-the-OS.

The complexity of the modern platform security features is growing every year. The general security promises of the platform consist of many different layers defining their own security boundaries. Unfortunately, in many cases, these layers may introduce inconsistencies in mitigation technologies and create room for breaking general security promises, allowing for  successful attacks.

In this presentation, we will share our work exploring recent changes in the UEFI firmware security runtime using one of the most recent Intel CPUs as an example. The  presentation will cover the evolution of firmware mitigations in SMM/DXE on x86-based CPUs and a discussion about  the new attacks on Intel Platform Properties Assessment Module (PPAM), which are often used in tandem with Intel SMI Transfer Monitor (STM).

These topics have never been publicly discussed from the offensive security research perspective.

Whose Router Is It Anyway? – Danny Adamitis (Black Lotus Labs)

Black Lotus Labs, the threat intelligence division within Lumen Technologies, is currently tracking elements of a sophisticated campaign that has been leveraging infected SOHO routers to target North American and European networks of interest undetected for nearly two years. We identified a multistage remote access trojan (RAT), dubbed ZuoRat, developed for SOHO devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain a foothold.

Chasing Shadows: The Rise Of A Prolific Espionage Actor – Kris McConkey (PwC UK)

The proliferation of tooling such as ShadowPad across China-based APT actors and the existence of digital quartermasters has long been a feature of public reporting and a strong indication of ultimate actor sponsorship, based on US indictments and adjacent research.

One of these actors, however, stands out for its technical capabilities, rapid operational tempo, and global reach. Red Scylla combines access to shared tools with sophisticated custom capabilities, aggressive scanning of targets across the globe, and substantial resources, enabling it to compromise public and private sector victims spanning three continents. This talk will detail the rise and operations of a dominant player in the international corporate espionage world.

InkySquid: The Missing Arsenal – Paul Rascagneres (Volexity)

InkySquid (aka Group123, APT37) is an infamous threat actor linked to North Korea that has been active for at least 10 years. This actor is known to use social engineering in order to breach targets and exploit n-day vulnerabilities in Hangul Word Processor (HWP), as well as browser-based technologies. One of the most documented intrusion sets used by this actor is RoKRAT, a Windows RAT using cloud providers as C2 servers. In this presentation, attendees will learn about an undocumented macOS port of RoKRAT. Paul will describe the internal mechanisms and different espionage features of the malware, as well as built-in attempts to bypass macOS security features and embedded exploit code based on n-day exploits.

Request an Invite

There are still a limited number of tickets available, so if you haven’t yet requested your invite, now is the time to push that button.