Last week, SentinelLabs launched the very first LABScon with the purpose of challenging the boundaries of threat understanding as we know it today. From September 21 to 24, we connected world-class researchers with top leaders from the infosec industry to share cutting-edge cyber research and learn about new ideas, tools, techniques, and trends.
While the inaugural LABScon was a premier, invite-only event, SentinelLabs will be sharing many of the research papers and video recordings in the weeks ahead. In the meantime, here’s a snappy digest of the main events and research findings presented at LABScon 2022.
Cybersecurity’s Leading Voices on Sharing and Collaboration
Russia’s war on Ukraine has been a major concern across cybersecurity as elsewhere this year, and it was inevitably a topic many wanted to hear more about at LABScon. Award-winning investigative journalist Kim Zetter sat down with Dmitri Alperovitch, Executive Chairman of the Silverado Policy Accelerator and Co-founder & CTO of Crowdstrike, for an in-depth discussion of the war in Ukraine, the involvement of cyber, and corollaries to a possible invasion of Taiwan.
Kim Zetter and Dmitri Alperovitch discussing cyberwar and effective policies at #LABScon22@KimZetter @DAlperovitch pic.twitter.com/QKihDjQOZ3
— LABScon (@labscon_io) September 22, 2022
LABScon also saw Morgan Adamski, Director of NSA’s Cyber Collaboration Center, deliver a keynote presentation sharing her views on the future of collaboration between researchers, vendors, and the public sector. By fostering collaborative relationships, the community can improve the way we secure the nation and co-create cybersecurity tradecraft, Morgan told the conference.
Chris Krebs, Founding Partner of Krebs Stamos Group and the First Director of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), drew on his time as former first director for the DHS and CISA to share in-the-trenches perspectives on modern cybersecurity and its associated government policies.
Mark Russinovich, CTO of Microsoft Azure and the founder of Sysinternals, talked tools, and presented the story of his seminal malware analysis toolkit from its inception to how it has transformed the current malware analysis and forensic investigation landscape. Mark took the opportunity to demo the latest version of Sysmon, 14.1, which has been enhanced in part to help foil Russian cyber activity in Ukraine.
I’m excited to demo Sysmon 14.1 at @labscon_io today with file shred blocking, a feature that’s been in the internal version since the start and that we enhanced to foil Russian activity in Ukraine. Public release is next week. pic.twitter.com/qOhuxS6sDO
— Mark Russinovich (@markrussinovich) September 22, 2022
Research & Discovery Highlights
LABScon is an intelligence-focused conference gathering together world-class security researchers to disseminate new ideas, findings, and the latest in threat hunting tools and techniques.
SentinelLabs’ own Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski introduced a previously unknown advanced threat actor dubbed ‘Metador’. This elusive adversary attacks high-value targets using novel malware frameworks and custom-built backdoors. Metador’s known targets include telecommunications, internet service providers, and universities.
The researchers have published a blog post about Metador here.
In Tracking Militants On the Ground Through Online Information, Bellingcat’s Michael Sheldon presented his research on using open source research techniques (OSINT) to track militant groups through the online presence of their members, official releases, and information released by third parties. These case studies show how OSINT has contributed to information collection processes on conflict actors. Michael’s engaging talk also won him best speaker award at LABScon.
Black Lotus Labs is currently tracking an advanced campaign leveraging infected small office/home office (SOHO) routers. In Whose Router Is It Anyway?, Danny Adamitis revealed how the campaign had operated undetected for two years while targeting North American and European networks. Danny’s presentation detailed the discovery of the multistage remote access trojan (RAT), currently dubbed “ZuoRat”, that has been pivoting into local networks and hijacking communications to gain access to additional systems on the LAN. For his efforts, Danny was also awarded “2nd Best Speaker” at LABScon.
Our winners, MJ Emanuel (CISA), Danny Adamitis (@dadamitis, Lumens) and Michael Sheldon (@Michael1Sheldon, Bellingcat) snagging the top prize 🙂 pic.twitter.com/5K1Q4tvF9J
— J. A. Guerrero-Saade (@juanandres_gs) September 27, 2022
In Demystifying Threats to Satellite Communications in Critical Infrastructure, MJ Emanuel delved into the fascinating world of satellite communications, an integral part of many industry control systems, and how their usage in critical infrastructure continues to be misunderstood by the industry. MJ’s session discussed how trust relationships between satellite provider ecosystems could be leveraged by a threat actor, and how attacks on these systems directly impact our critical infrastructure processes. MJ also snagged third place in our Best Speaker awards.
APTs, and More APTs
Donald ‘Mac’ McCarthy highlighted a case study showing how a state-sponsored RAT was designed to accept a C2 using CNAME records. His presentation, CNAME and Control | Open Source Context, examined the encoding and detection methodology which discovered the Chinese state actor’s attack on the Defense Industrial Base (DIB) and related entities.
In APT 42: Wild Kittens and Where to Find Them, Mandiant threat intelligence researchers Ashley Zaya and Emiel Haeghebaert teamed up to give a primer on APT42, a cluster of threat activity linked to the Iranian government. APT42 has focused on conducting credential theft operations against Western think tanks and academics, government officials, and high-profile individuals within Iran as well as in the United Kingdom, Israel, and the United States.
PwC lead researcher Kris McConkey delivered an exclusive exposé on Chinese-based advanced persistent threat actors in Chasing Shadows: The Rise of a Prolific Espionage Actor. The talk detailed the rise and operations of dominant players in the international corporate espionage world.
SentinelLabs’ own Tom Hegel rounded out the full day of talks on Thursday with new intel on a cyber mercenary group known as Void Balaur. Tom’s presentation, The Sprawling Infrastructure of Void Balaur revealed how the hack-for-hire gang has been expanding its infrastructure and focusing on a wide variety of industries that have political interests tied to Russia. Void Balaur often makes use of multi-factor authentication ploys to seek access to email and social media accounts. Tom has published his research here.
A full list of all the research papers and participants appears on the LABScon home page.
Event Specials | Awards & Gala Highlights
At LABScon, bringing together the brightest minds of the industry also meant taking a few moments to recognize the incredible efforts being made to keep our community secure. First, we were pleased to award Dmitri Alperovitch with the SentinelLabs MVP award in recognition of his continuing work to advance cyber policy and education through his Silverado Policy Accelerator and Hopkins Alperovitch Institute initiatives.
👉 Live from LABScon: @DAlperovitch awarded the SentinelLabs MVP Award for his contributions to cybersecurity. Dmitri has dedicated his career to making the world a safer place. Congratulations, Dmitri on behalf of all of us in the cybersecurity community!#labscon22 pic.twitter.com/eXlz980U0J
— SentinelOne (@SentinelOne) September 22, 2022
SentinelLabs was also delighted to present a Lifetime Achievement award to Mark Russinovich for his work in furthering malware analysis understanding.
So honored to be invited to speak at @labscon_io and to receive this lifetime achievement award. https://t.co/LBAVC8susd
— Mark Russinovich (@markrussinovich) September 22, 2022
No Burnout Here
LABScon is about threat intelligence, knowledge, and sharing, but it’s also about community. Building and maintaining relationships across the infosec industry is an essential part of successfully defending and protecting everyone against cyber threats. At LABScon, we found some innovative ways to help everyone feel like part of the family and share in some fun.
From a cybercrime-themed gala party to epic swag, here’s a glimpse into the after-hours activities that went on after a hard day’s learning and sharing!
I’ve been to my fair share of conference parties, but @labscon_io
NAILED it by getting what seemed like near total participation in the theme. Good times with great people, thank you again, *everyone* who was there! #labscon22 pic.twitter.com/bQjTkvYk4u— Joe Fitz (@securelyfitz) September 24, 2022
What a week! @labscon_io just became my favorite conference.
I’m happy that I got to hang out and have fun with so many friends again.
Some snapshots from the epic Cyber Crime theme party: #labscon22 pic.twitter.com/KiVS1veo7F
— Azeria (@Fox0x01) September 25, 2022
Why LABScon?
Security research events such as LABScon hold increasing significance in the infosec space. We hosted LABScon to provide a venue for advanced security collaboration and encourage practitioners, researchers and vendors alike to examine the threat landscape for what it is and then push past our current boundaries. Here’s what some of our guests thought about LABScon 2022:
New favorite conference by far is @labscon_io. Great crowd, amazing talks, awesome afterparty. pic.twitter.com/gS63JnV0ZF
— Marcus Hutchins (@MalwareTechBlog) September 24, 2022
And that’s a wrap on our very first LABScon event! SentinelOne would like to give a special thanks to all of our sponsors who helped make this very first LABScon event a successful one. LABScon 2022 was sponsored by Stairwell, Luta Security, Cisco Talos, GreyNoise, HP Wolf Security, Aesir, Binarly, Team Cymru, and ReversingLabs. We’ll see you next year! #LABScon23
Selected research papers from LABScon 2022 will be coming soon on SentinelLabs. Follow @LABScon to stay tuned!