Virtual Preview: Black Hat 2020

Let’s be honest: No one, and I mean no one, could have predicted 2020’s particular challenges. If you know anyone who says they knew it would all go down like this, please send them my way — I have a special present for them.

The vast majority of the population has had to make major changes to the way they live and work. Few were at all prepared for so many people to be working from home, needing to wear masks outside of the home, and lots more. With that said, one group seems almost immune to the pandemic and the changes surrounding it: cybercriminals.

Cybercrims always follow the users. Users switched to remote work, so cybercrims switched to attacking their remote work.
During the #coronavirus times we see bruteforce attacks against RDP
have rocketed across almost the entire planet.
Details ⇒ https://t.co/Fj0LtQ5UhO pic.twitter.com/IppsWAe9tT

— Eugene Kaspersky (@e_kaspersky) April 29, 2020

Crooks saw the pandemic as an opportunity not only to survive but to thrive. In April, we saw a spike in criminal activity that dropped off a bit in May only to return to April levels in June and July. To find out why that happened, we asked Eugene Kaspersky during a recent briefing with media. “Cybercriminals work from home — until they get caught and go to jail,” he summarized.

The panel Kaspersky was on was dedicated to the upcoming Black Hat conference (August 1–6) and also included Costin Raiu and Kurt Baumgartner of the company’s Global Research and Analysis Team (GReAT). Like our Security Analyst Summit, the annual hacker summer camp became a virtual event.

Most anticipated talks of Black Hat 2020

Virtual or not, we still expect Black Hat to be one of the biggest cybersecurity events of this year, and so we asked Raiu and Baumgartner about the Black Hat presentations they are most looking forward to this year. Here are some of the presentations they listed:

• Reversing the Root: Identifying the Exploited Vulnerability in 0-days Used In-The-Wild — Maddie Stone
• IoT Skimmer: Energy Market Manipulation through High-Wattage IoT Botnets — Tohid Shekari & Raheem Beyah
• Spectra: Breaking Separation Between Wireless Chips — Jiska Classen & Francesco Gringoli
• FASTCash and INJX_Pure: How Threat Actors Use Public Standards for Financial Fraud — Kevin Perlow
• Operation Chimera – APT Operation Targets Semiconductor Vendors — Chung-Kuan Chen, Inndy Lin & Shang-De Jiang

Bonus track: Most interesting APTs of 2020 so far

During the panel, we also asked our collective group what their “favorite” cyberespionage campaign was during the last year.

For Raiu, it was Wellmess, a group his team at Kaspersky has been observing for 1.5 years and that was mentioned in the recent GReAT Ideas session. He also added that hacker-for-hire operations are an interesting area to monitor as the cost barrier for entry continues to drop, ranging from $500 to $500,000.

As of July 6, CISA had no actor attributed to WellMess. July 6. Remember that. In 11 days, they were able to go from not knowing, to publicly backing direct attribution to an APT actor who hasn't been seen in over a year? https://t.co/h6udgjAPk8

— Brian Bartholomew (@Mao_Ware) July 17, 2020

For Baumgartner, the focus shifted to the East, “when I look back at this year, one of the campaigns that stick out for me, that we don’t always report on, has to do with a group that we call Two Sail Junk and their LightRiver malware implants, in part because it was so relevant. In January we saw some forums being used as watering holes, and these forums are being visited by Hong Kong activists — maybe some other people, but definitely activists are using these sites, and we saw a full chain; we were able to collect a full chain iOS or iPhone exploit and malware implant set that were targeting these activists (in all likelihood). We pulled it apart, and it was under development. You could tell that there were mods and changes made to this implant over time, over the next couple of months, and of course it turned out that Hong Kong is a very hot spot, especially for these activists. But the tech piece was very interesting because you don’t always see iPhones being targeted in this manner and being used actively.”

Eugene Kaspersky added that his “most interesting” were the ones that we do not know about or the ones that are still ongoing and have not yet been exposed. Perhaps, new information about them is also something we can look forward to at Black Hat 2020.

For those virtually attending Black Hat, be sure to visit our booth. To get there, visit the exhibition center tab on the app and then search for Kaspersky. Our team will be on hand to discuss how your organization can leverage threat intelligence to increase your internal efficiency in fighting advanced threats.