Many different cyber-professional events take place around the world every year. Out of all of them I have one special favorite – our own special one for cybersecurity analysts: SAS (Security Analyst Summit). And every year they just get better and better and bigger and bigger. This time we had 320 guests from 30+ countries – mostly from the Americas and Europe, but also seven experts from Australia, and participants from Singapore, Japan, Taiwan, Malaysia and Saudi Arabia. Representatives of large companies were in strong attendance as usual (from Microsoft, Google, Apple, Cisco, Sony, Honeywell, Cloudflare, Pfizer, SWIFT, Chevron, Citibank and others), but there were also folks from the cyber-police of different countries, plus government agencies and departments from the UK, Netherlands, Canada, France, China, South Korea, Switzerland, Austria, Romania and Kazakhstan. There were non-commercial and educational organizations (like, among others, the Electronic Frontier Foundation and the University of Texas, respectively). And a big thanks to our conference partners and sponsors, namely: Qintel, Avast, Telstra, Microsoft, ThreatBook, Talos, Security Week and Threatpost. In short, folks from all over and from diverse fields, demonstrating the degree of trust in and respect for our company.
Like me, SAS likes to travel the world, avoiding the large congress centers of big boring cities, preferring instead stunning exotic locations with a warm climate and in the immediate vicinity of a warm ocean.
SAS has been held in Croatia, Cyprus and Malaga on the Mediterranean; in Mexico’s Cancun in 2012 and 2015; on the Spanish island of Tenerife; and the Dominican Republic, Puerto Rico and St. Maarten in the Caribbean. And here we are once again back in Cancun for this, our 10th SAS! Hooray!
It all began in the year 2009. 60 guests – 55 of whom were KL staff! – each sharing their notes on research and experience in cybersecurity. Those humble beginnings quickly grew into large-scale industry events with more than 300 high-level delegates (only ~30% of whom were from KL). This year’s event was extra special because of the jubilee, and the participants didn’t seem disappointed…
Disappointed they weren’t, despite many of them not making it down to the beach even once: it was impossible to break away from the formal program. Announcements, investigations, intrigue, networking, banter, sharing experiences, training sessions… all good cybersecurity stuff and lots of it. It’s one of the only conferences I attend – and that’s many – at which I don’t only speak up on stage but also sit in the audience a lot listening to all the other folks.
Now, a brief run through the most interesting topics of SAS-2018.
Large predators from the world of cyberthreats: advanced targeted attacks, usually nation-state-backed. The problem’s not going away – it’s only on the rise: we’re witnessing the development of both old and new cyber-operations which speak all sorts of different languages – but primarily English, Russian and Chinese. The right words are being said about the need for an international treaty limiting cyberweapons, but alas, it’s all just talk. Meanwhile, we see new tools and attack methods eventually falling into the wrong hands and causing global epidemics. And the high probability of incorrect attribution caused by digital counterfeiting, plus equating cyberattacks with acts of war… well, it could lead us into a real war – against the wrong ‘enemies’ and for the wrong reasons.
Our analysts submitted studies on three targeted attacks.
First, new technologies and tactics from the arsenal of the Russian hacker group Sofacy (accused of hacking the US Democratic Party’s Central Committee). By the way, we were the first to put the spotlight on these hackers, publishing a detailed study of their methods back in 2015. Two curious points: (i) we see a shift of Sofacy’s focus of interest toward the East; and (ii) they often ‘compete’ with hackers from other countries; for example, one of their infections was found on a server that was previously compromised by the English-speaking Lamberts. Read more here.
Second, the discovery of the English-speaking Slingshot – a highly sophisticated targeted attack with extremely complex tools and techniques, in particular through a MikroTik router infection. Slingshot has been used for cyber-espionage in the Middle East and Africa at least as far back as 2012. The earliest samples detected by our experts have been marked as ‘version 6’, indicating that this threat has been in existence under the radar for a long time.
Third, the Olympic Destroyer worm, about which a lot has already been written. Used in attacks on the Olympic Winter Games in PyeongChang, Olympic Destroyer was attributed to almost all the usual suspects. We believe that this confusion may have been the intention of the attackers. Our analysis revealed that the hackers behind Olympic Destroyer managed to almost completely emulate the Lazarus hacking group. However, digging deeper into the details of the cyberattacks we came across traces of Chinese hackers, and even Sofacy, mentioned above. It’s also possible that someone just wants to set someone else up. Who and whom aren’t known, and it’s unclear if they’ll ever become known. Welcome to the attribution-hell!
Another hot topic at SAS-2018 was so-called supply chain attacks. It all started with an investigation by Avast (btw, thanks for sponsoring the event!) on malicious code in CCleaner. That was followed up by research by our colleagues from Talos about the NotPetya/ExPetr/Nyetya attacks from last summer. And then our researchers from GReAT presented their analysis of the updated set of tools behind the ShadowPad malware; it turned out it was residing in software in the networks of many Fortune 500 companies.
A warning to would-be cybercriminals.
Unfortunately, cybercrime continues to attract many young tech-heads with its potential for easy money and impunity. But it only seems like impunity. Together with cyberpolice of different countries we track the cyber-crooks and catch them. At SAS-2018 the Dutch police gave a stunning presentation on the shutting down of the popular dark-web marketplace Hansa (read more here). And Danish experts from CSIS Security Group demonstrated a number of funny and very silly cybercriminal fails. We’re familiar with this kind of thing: cybercrime can look attractive to some… until they make a mistake and end up behind bars.
The Internet of harmful things.
What cybersecurity event these days doesn’t incorporate a critique of all things internet of things? Well, SAS is no exception. Presentations covered vulnerabilities in: cars, gas stations, hospitals and clinics, and even yachts.
Our ICS CERT guys also presented the results of their studies of smart cameras – baby (video) monitors, and home and office surveillance devices that you can buy in a store for a hundred dollars. It turned out that some of these cameras aren’t just vulnerable to cyberattacks, they can give access to home or office networks to criminals. So if you think you’re safe after running the latest update for your router which connects all your smart devices to the net, think again (and read our investigation).
Talking about the safety of cars, Marc Rogers of Cloudflare gave a very powerful review of the current state of cybersecurity in the automotive industry, and provided a brief overview of the not-too-distant future therein. In short, everything in cars these days is a reason to be concerned. Pretty soon the situation will be slightly better because of measures taken by manufacturers, but we’re still only at the very beginning of a long journey to security from the point of view of the cyberindustry of means of transportation. As an example of this, I’d like to mention the work of researchers at IXIA, who discovered that the infotainment system of a popular brand of car collects and stores tons of personal data about its owner. Criminals accessing that data… – it’s only a matter of time.
We leave Cancun with tons of new knowledge and ideas about how to make the world a better and safer place, but also with renewed confidence and energy. Applause > standing ovation!
In short, another excellent conference, which many of our guests called ‘the best in the world!’ I couldn’t agree more. And we’re only too happy to keep on investing in it, especially when its motto is ‘business and fun, shake but don’t mix!’ (Please don’t correct me. I know Mr. Bond’s vodka martini preferences just as well as you:).
And to finish it all off, of course, it’s the obligatory, mandatory, vitally necessary, unmistakable, PARTAY!
And that was that. SAS-2018: done and dusted. Looking forward to SAS-2019 already…
In Mexico – it has to be tequila )
It was just as well it finished when it did, as the weather took a sharp turn for the worse, while the heavy tides brought in all manner of ocean dross and dumped it on the beach. Never mind: time to head to the airport…
The presentations and speeches will be published shortly, so stay tuned for announcements on Twitter.
P.S. For the first time in my life on the departures tableau I saw, in addition to the customary ‘On time’ and ‘Delayed’, etc., the totally unimaginable ‘Early’!!! If only they could have that in the major hub airports of the world )…