Costin Raiu, Kaspersky Lab: The Things That Lurk in the Shadows

BlueHat Israel has multiple interesting presentations, including this one, one on AMDFlaws, bunnie on supply chain security, and more:

The Things That Lurk in the Shadows
Costin Raiu, Kaspersky Lab / Wednesday, Feb 6, 12:30-1:00 PM

Looking at the discussions and development of sophisticated attack techniques, it is immediately obvious there is a significant gap between the theory and in-the-wild observations. One can easily come up with a list of techniques which have been demonstrated in the past; however, they are not very popular findings across APT researchers. It is especially hard to believe that sophisticated adversaries with huge budgets haven’t been able to implement techniques presented at major conferences 4-5 years ago, right? So, what is missing nowadays from all big APT research announcements?

Here are a few likely culprits:

Virtualization / hypervisor malware – although the infamous Blue Pill was discussed as far back as 2006, we haven’t seen any ItW attacks leveraging this
SMM malware – although Dmytro Oleksiuk aka Cr4sh developed an SMM backdoor as far back as 2015, this is something yet to be seen in real world attacks
UEFI malware – the hacking of HackingTeam revealed that a UEFI persistence module has been available since at least 2014, but we have still to observe real world UEFI malware (with the exception of weaponized Absolute Computrace implants)
Malware for the Intel ME

In this talk we will look at the places which have been neglected in terms of APT research with a focus on UEFI. For the past year, Kaspersky’s Global Research and Analysis Team (GReAT) extracted and processed thousands of UEFI dumps, applying anomaly analysis and code similarity techniques in order to find the “things that lurk in the shadows”.

