Catch Me If you can - Detecting steganographic APTs Idioma: es
In red-team exercises or offensive tasks, payload masking is often done using steganography, especially to bypass network-level protections, with executables and powershell scripts being one of the most common payloads. Examples of recent malware and APTs that make use of some of these capabilities are: Lazarus/APT37, OceanLotus/APT32, Ke3chang/APT15, BRONZE BUTLER, Dukes/APT29, Turla, Platinum APT, Tropic Trooper, OilRig, MuddyWater, MyKings, Magecart, Duqu, Ursnif, Powload, Lokibot, IceID, MT3, DarkTrack, DarkComet, Zeus/ZBerp, RainDrop/SolarWinds, UNC2452/APT-29, TA551 - IceID/Shathak, etc.
In this talk we will show the main steganography techniques used in some of the modern APTs, mainly end-of-file and image structure techniques, HTML/CSS/PHP steganography, and the different variants of the LSB (least significant bit) technique. This information will allow us to identify steganographic TTPs to detect this elusive attack vector.
PhD in Telecommunications Engineering by Technical University of Madrid (UPM) and postdoc researcher in network security by Universidad Carlos III de Madrid (UC3M). He is a cybersecurity Tech Lead for more than 18 years and has published more than 60 academic publications (IEEE, ACM, JCR, hacking conferences…), books, patents and computer security tools. He has also worked in advanced projects with European Organisms, public bodies and multinational companies (global 500). For over a decade, he has been involved in security architecture design, penetration tests, forensic analysis, mobile and wireless environments, and information security research (leading technical and scientific teams). Alfonso frequently takes part as a speaker in hacking conferences (STIC CCN-CERT, DeepSec, HackInTheBox, Virus Bulletin, Ekoparty, BlackHat Europe, BSIDES Panama, RootedCon, 8.8, Cybersecurity Summer Bootcamp INCIBE, No cON Name, GSICKMinds, C1b3rwall academy, Cybercamp, Secadmin, JNIC, Ciberseg,X1RedMasSegura, Navaja Negra, T3chfest, Shellcon, H-c0n...) and commercial and academic security conferences (+60 talks). He is certified by CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), CEHv8 (Certified Ethical Hacker), CHFIv8 (Computer Hacking Forensic Investigator), OSWP (Offensive Security Wireless Professional), CES (Certified Encryption Specialist) and CCSK (Certificate of Cloud Security Knowledge). Several academic and professional awards (Hall Fame Google,...). Professor in several Universities. He is co-editor of the Spanish Thematic Network of Information Security and Cryptography (CRIPTORED), where he develops and coordinates several projects about cybersecurity and advanced training, with great impact in Spain and Latam.