Stay tuned. Bless you all with good health always. Thank you so much for your support.
VXCON, the 10th Anniversary, we are glad to invite a few prominent speakers and researchers all over the world. They are frequent speakers of Blackhat, DEF CON, HITCON and in various global hacker and security conference. Meanwhile, some are very good at Malware Analysis, CTF and Exploitation and Hardware.
We focus on offensive security, threat and exploitation. Please enjoy and join us.
Adobe Reader Fast Break — the Tale of Two Exploits in TFCup 20/21
Web 3.0 is Bug Bounty 2.0
BROWSER HACKING WITH ANGLE
Boik, Ann and C K Chen
AD Attack Paths Demystification
Ken Wong and Ming
How well is it being fuzzed? A leisure fuzzing campaign toward a heavily fuzzed OSS project
PhD journey experience sharing
Hunting ghosts from incidents
Is the cloud secure? Bridging the skills gap in attacking and defending the cloud
Ghost Process - Hide Process In Kernel Evading PatchGuard
They doesn't need 0-day to spread RAT to internal network
Ma Sheng Hao, Mars Cheng, Hank Chen
A New Trend for the Blue Team - Using a Practical Symbolic Engine to Detect Evasive Forms of Malware/Ransomware
The Dark Tangent
Black Hat Founder and Director Jeff Moss is becoming one of the most sought-after voices in information security. He has spent the last 17 years as founder and director of Black Hat and DefCon, two of the most important security conferences in the world. Moss is uniquely qualified with his ability to bridge the gap between the underground researcher community and law enforcement, between the worlds of pure research and responsible application.
Moss speaks frequently before a wide range of audiences on the topic of computer and information security. Recently in 2009 Moss was appointed to the Homeland Security Advisory Council to provide advice and recommendations to the Secretary on matters related to homeland security. He moderated a panel at RSA 2009 on core infrastructure security threats. Moss also was a keynote speaker at the DOD Cybercrime Conference in St. Louis in 2009, spoke at the first CodeGate conference in South Korea in 2008, the first DeepSec conference in Vienna in 2007, as was a panelist at the Democracy, Terrorism and the Open Internet panel in 2005 in Madrid. He has also been a frequent panelist at RSA. Moss has been interviewed and appeared on TV shows ranging from CNN to G4 TechTV, in magazines Business Week to Computer World, as well as numerous documentaries dealing with internet, law, ethics, hacking, and privacy. In addition Moss has contributed to “Stealing the Network,” a series of books that combine stories that are fictional with technology that is real.
Prior to Black Hat Briefings, Jeff was a director at Secure Computing Corporation where he helped establish the Professional Services Department in the United States, Asia, and Australia. Jeff has also worked for Ernst & Young, LLP in their Information System Security division. Jeff graduated with a BA in Criminal Justice from Gonzaga University.
Topic: Adobe Reader Fast Break — the Tale of Two Exploits in TFCup 20/21
Adobe Reader is always a juicy target for attackers, but it seems mysterious for hackers like me who are not familiar with Windows ecosystems. In 2020, I tried to do a fast break of Adobe Reader for a hacking competition TianfuCup. Based on my previous experience of hacking other modern systems, I achieved remote code execution in Adobe Reader successfully. In this talk, I will share the path I went through for learning and hacking an old but new target like Adobe Reader.
slipper is a hacking game enthusiast.
He used to play in hacking games like Pwn2Own, DEF CON CTF, GeekPwn, Tianfu Cup… In 2013, He founded 0ops team, one of the most prestigious and powerful CTF team in China. From 2018 to 2021, he host DEF CON CTF (2018-2021) as a core member of Order Of Overflow(OOO).
He has pwned many targets in public hacking shows - iPhone8, iPhone13 Pro, PlayStation 4, Cisco ASA, QEMU, Safari, Firefox, macOS, Docker,Parallels Desktop, Cent OS, Ubuntu and Adobe Reader. Sometimes he livestreams hackings.
Topic: Web 3.0 is Bug Bounty 2.0
DeFi, NFT, Metaverse are the recent heated topics. Every hack on the blockchain can range from a few hundred bucks to half a billion dollar loss. It's no surprise the demand for blockchain security surges. In this talk, I'll talk about how to get into Web3 bug bounty hunting and showcase few bugs we found that easily add up to $200k+ bounty rewards.
Filedescriptor has been in the bug bounty scene for 8 years and counting, and has been the No.1 on Twitter's Bug Bounty program since 2016. Currently, he is transitioning to Web3 bug bounty hunting. He works at Cure53.
Topic: BROWSER HACKING WITH ANGLE
This presentation gives the basic knowledge of the ANGLE project and examines how to use ANGLE in WebGL/WebGL2 of web browsers. In this talk we analyze the types of vulnerabilities and root causes that occurred in ANGLE and we analyze exploitable vulnerabilities and explain how to obtain RCE in macOS (iOS is also affected, but PAC bypass is not covered in this presentation.)
We will start with a basic introduction to WebGL / WebGL2 component and how to use ANGLE in your web browser followed by a look at the following vulnerabilities -
Jeonghoon Shin is a mentor of KITRI BoB and is interested in browser bug hunting & exploitation.
Boik, Ann and C K Chen
Topic: AD Attack Paths Demystification
For decades, Windows AD has been something that every analyst has loved and hated. Used in over 90% of enterprises, various manufacturers and software developers prioritize being compatible. On the other hand, many old services still heavily rely on AD. Decoupling an AD environment is difficult when maintenance and operation personnel are overly dependent, resulting in some uncomfortable security settings with maintenance and operations. Due to these problems and other historical factors, numerous underground network administrators (or Shadow Admins) have often taken advantage of improper AD configurations. With the rising number of cyberattacks targeting and exploiting AD, enterprises can no longer afford to ignore AD security issues and the business-altering risk they can produce.
In this presentation, we'll review different AD security topics, explore practical errors, and look at the challenges faced by AD analysts today from real-world cases, such as permission inventory and insufficient permission separation. We aim to demystify ways for hackers to escalate their privileges by utilizing existing/proprietary tools to dissect attack incidents. In the end, we provide the audience with a deeper understanding of their own AD and guide them to approach their AD security.
Boik Su currently focuses on cloud security, AD security, web security, and threat hunting as a senior cyber security researcher at CyCraft Technology. He takes an active role in the cyber security community and has lectured at multiple cyber security conferences across the globe including HITCON, ROOTCON, and HackerOne. He still participates in CTF competitions including SECCON CTF in Japan and HITCON CTF in Taiwan. In addition, Boik has submitted multiple reports to bug bounty programs and open-source projects.
Ann Tsai is a cybersecurity researcher for CyCraft Technology and is currently focused on IoT security and vulnerability research. Since university, she has continued to contribute to the open-source community and cybersecurity seminars. In addition, she is a core member of HITCON GIRLS, the first female cybersecurity organization in Taiwan. She is also an open-source software enthusiast and enjoys fuzz testing and reviewing open-source software projects
Chung-Kuan Chen is currently a senior researcher in Cycraft, and responses for organizing their research team. He earned his PHD degree of Computer Science and Engineering from National Chiao-Tung University (NCTU). His research focuses on network attack and defense, machine learning, software vulnerability, malware and program analysis. He has published several academic journal and conference papers, and has involved in many large research projects from digital forensic, incident response and malware analysis. He also dedicates to security education. Founding of NCTU hacker research clubs, he trains students to participate world-class security contests, and has experience of participating DEFCON CTF (2016 in HITCON Team and 2018 as coach in BFS team). Besides, he has presented technical presentations in non-academic technique conferences, such as BlackHat(2020), HITB, HITCON, RootCon, CodeBlue OpenTalk, FIRST(2020) and VXCON. As an active member in Taiwan security community, he is in the review committee of HITCON conference, and ex-chief of CHROOT - the top private hacker group in Taiwan. He organized BambooFox Team to join some bug bounty projects and discover some CVEs in COTS software and several vulnerabilities in campus websites.
Ken Wong and Ming
Topic: How well is it being fuzzed? A leisure fuzzing campaign toward a heavily fuzzed OSS project
Well-fuzzed is a common impression of OSS-Project being enrolled in the OSS-fuzz program. However, is that the actual situation? In this presentation, we will share our experience on fuzzing a heavily fuzzed OSS-Project which is widely deployed to IoT and embedding systems, and yields 5 CVEs with 10+ 0days 🙈 within 2 weeks of the fuzzing campaign.
Ken Wong is a PhD student at Hong Kong University of Science and Technology. He is interested in software security, binary analysis and machine learning. He has presented his research in Blackhat Asia, Hitcon and VXcon.
Ming(@mjcpwns) is a first-year UNSW computer science student. He obtained his OSCP in 2021 and is interested in vulnerability research on browser and malware analysis.
Topic: PhD journey experience sharing
Anthony LAI focuses on threat analysis, incident response, and red/blue team testing. He likes hunting bugs and vulnerabilities. Currently, he is a PhD in Computer Science at HKUST. He spoke at Defcon, Blackhat USA and Asia. For community work, he found VXCON in 2010 and is an overseas mentor of the Best of the Best (BoB) program in South Korea. He is the CFP reviewer of Black Hat Asia and Hack In The Box.
Topic: Hunting ghosts from incidents
When dealing with incidents, one of the tasks is to contain, stopping it from running / speading / regenerating. However, when you think you have hunted down the source, actually it can still respawn. We are going to share some interesting cases when we deal with different incidents.
Alan Ho has over 15 years of experience in the information security field. He is the co-founder of VX Research Limited, as well as the red-blue team lab architect, he focuses on penetration testing, incident response, training and security operation planning for different clients. He is certified as an OSCP, also a SANS GCIH, GWAPT Holder and published the SANS Gold Paper - “Website Security For Mobile”.
Alan is recognized as the Honoree at the 11th Annual (ISC)² Information Security Leadership Achievements (ISLA) in 2017. He spoke at different conferences in the US, The Netherlands, Taiwan, Macau and Hong Kong (e.g. Blackhat Asia, Defcon Village, SANS DFIR, DFRWS EU, HITCON). He also has been active in the community by providing security awareness seminars to schools and NGOs.
Topic: Is the cloud secure? Bridging the skills gap in attacking and defending the cloud
Topic: Ghost Process - Hide Process In Kernel Evading PatchGuard
Antivirus software can scan malicious processes. By detecting each process, the antivirus collects the information of the target process like the image path.
Malware also needs to evade antivirus, one of the methods is to hide the process itself. Due to PatchGuard, operations such as kernel patch and hook are forbidden after 64-bit Windows XP and Windows Server 2003.
However, there still be other ways to bypass PatchGuard. For example, we can achieve the conditions that how PatchGuard detects the kernel patch, or leverage the unprotected area of PatchGuard to do kernel hook.
This talk will introduce how malware hides the process itself from the kernel by DKOM and infinity hook that can bypass PatchGuard and antivirus. Windows API to enumerate processes in user mode and kernel mode are also analyzed and found it losing its effect under the attack.
Zeze is currently a security researcher in TeamT5, dedicated to researching Windows security. He is studying at National Taiwan University and is a member of DCNS Lab. As a CTF player, he is a member of BambooFox and TSJ CTF teams.
Topic: Qiling Secret
Topic: They doesn't need 0-day to spread RAT to internal network
Moonbeom, he is a deputy general researcher in TTPA(Trusted Third Party Agency) of Korea, has 10 years of experience in hacking analysis, digital forensic, research on hacking and forensic for IoT device, profiling hacking source. He is not only one of experts among government and private sector in fields of forensic, hacking analysis, hacker profiling, counter-attack on hackers, but also mentor of Korea's next generation security leader training program ‘Best of the Best(a.k.a BoB)’. Also he has participated in various international security conference such as VXCON, TROOPERS, HITB-GSEC, HITCON, Ekoparty, and RedPill.
Ma Sheng Hao, Mars Cheng, Hank Chen
Topic: A New Trend for the Blue Team - Using a Practical Symbolic Engine to Detect Evasive Forms of Malware/Ransomware
Blue Teams and anyone on the defensive side face various challenges when it comes to reverse engineering suspected malware or ransomware binaries, especially ones with obfuscation techniques such as variants, embedded exploits and complex ransomware. First, identifying whether the sample is even worth the effort (what makes it unique/challenging/new), and second, choosing either static, dynamic analysis, or both! With static analysis, you give up the ability to detect obfuscated malicious programs only visible during run-time, and dynamic analysis is both labor and time intensive, and requires a high-degree of skill and experience, not to mention the threat of the binary escaping your sandbox emulation or virtualization environment.
We believe there may be a new tool in the Blue Team's toolbox, through the use of a symbolic execution engine to detect and analyze suspected malware/ransomware binaries. A practical symbolic engine can help by parsing through many of the possible execution paths of the binary, and having these pathways represented as symbols. This engine can help provide malicious execution paths analysis with relatively low computing resources, analyze contextual relationships based on instruction semantics, taint and fuzzy identification of obfuscated APIs.
Using our practical symbolic engine based on the combination and improvement of academic and practical research, you can identify and detect various exploit, techniques, and multiple malware/ransomware variants via symbolic signature attack techniques and ransomware behaviors in a fully static situation. Even if the malware binary is obfuscated, we can still statically analyze it and detect it effectively. Our plan is to make our engine available to the community via open source during Black Hat USA 2022, to help give back to the infosec community and help Blue Teams save time on an ongoing and difficult problem.
Sheng-Hao Ma(@aaaddress1) is currently working as a threat researcher at TXOne Networks, specializing in Windows reverse engineering analysis for over 10 years. In addition, he is currently a member of CHROOT, an information security community in Taiwan. He has also served as a speaker and instructor for various international conferences and organizations such as DEFCON, HITB, Black Hat, VXCON, HITCON, ROOTCON, Ministry of National Defense, and Ministry of Education. He is also the author of the popular security book "Windows APT Warfare - The Definitive Guide for Malware Researchers".
Mars Cheng (@marscheng_) is a manager of TXOne Networks PSIRT and threat research team, responsible for coordinating product security and threat research. Mars blends a background and experience in both ICS/SCADA and enterprise cybersecurity systems. Mars has directly contributed to more than ten CVE-IDs, and has had work published in three Science Citation Index (SCI) applied cryptography journals. Before joining TXOne, Cheng was a security engineer at the Taiwan National Center for Cyber Security Technology (NCCST). Mars is a frequent speaker and trainer at several international cyber security conferences such as Black Hat Europe, RSA Conference, DEFCON, SecTor, FIRST, HITB, ICS Cyber Security Conference Asia and USA, HITCON, SINCON, CYBERSEC, and CLOUDSEC. Mars is general coordinator of HITCON (Hacks in Taiwan Conference) 2022 and was coordinator of HITCON 2021 and vice general coordinator of HITCON 2020.
Hank Chen is a threat researcher at TXOne Networks. Hank is in charge of malware analysis, product security, and vulnerability research. Hank was a teaching assistant of Cryptography at Taiwan Tsing Hua University (NTHU) and instructor of the cyber security training course for Taiwan Ministry of Defense, as well as joined in many CTF competitions with BalsiFox and 10sec to focus on crypto, reverse, and pwn challenges, and won the 12th place in HITCON CTF 2019 finals. Hank also attended several cyber security conferences such as FIRST 2022 and CYBERSEC 2022.
Please contact info[at]vxcon.hk for arrangement
Supporting Organisations, CON and Friends
Ticket holders will be provided the entry URL and password
We recommend participants to use desktop / laptop browser to enter the conference for better experience