back to article Shout-out to whoever went to Black Hat and had North Korean malware on their PC

The folks tasked with defending the Black Hat conference network see a lot of weird, sometimes hostile activity, and this year it included malware linked to Kim Jong-un's agents. In their second year of helping protect the infosec event's Network Operations Center (NOC), IronNet's team said it flagged 31 malicious alerts and …

  1. ThatOne Silver badge
    WTF?

    Malware at Black Hat?

    Well, I'm not of the profession, but I think if I was a malware creator I would definitely configure my tools to lay low and stay silent at and around events like Black Hat. After all its the place they're most likely to get discovered, analyzed and dissected, and you'd certainly prefer your precious tools remain under the radar and thus operational for as long as possible, isn't it?

    Sounds to me like trying to pick pockets during a police charity.

    1. iron Silver badge

      Re: Malware at Black Hat?

      > Sounds to me like trying to pick pockets during a police charity.

      A police charity what? Ball, gala, fun run, minority beating contest?

      1. ThatOne Silver badge

        Re: Malware at Black Hat?

        Whatever, any event full of policepeople likely to pounce at the slightest sign of a misdemeanor.

      2. Anonymous Coward
        Anonymous Coward

        Re: Malware at Black Hat?

        > minority beating contest?

        I wasn't expecting that one. Up voted for inappropriate humour.

        1. ICL1900-G3 Bronze badge

          Inappropriate

          I think recent events all over the world have shown it not to be at all inappropriate.

    2. An_Old_Dog Silver badge

      Re: Malware at Black Hat?

      An alternative view is that BlackHat would be a great place to test the effectiveness of a new piece of malware.

      1. ThatOne Silver badge

        Re: Malware at Black Hat?

        > test the effectiveness of a new piece of malware

        The proof of the pudding is in the eating, and the effectiveness of malware is in the money it makes you when you use it.

        The only reason to taunt researchers with it would be bragging rights, and I think we're past that childish behavior nowadays: Now it's all about profitability, and that dictates you keep your money maker as far from those researchers as possible, for as long as possible. I'd assume. *shrug*

        1. An_Old_Dog Silver badge

          Re: Malware at Black Hat? -- Not Taunting

          No, the point would not be to taunt the BH participants. The point would be to infect the BH-goers' machines and have the infection go unnoticed. If it was noticed, the malware-writers know they've failed, and go back to the drawing board to make the next, more-effective version.

          The reason for them not simply unleashing their v1.0 version on their target is that if they fail, the target is alerted, and would prepare for version 2.0, making the malware writers' job harder.

          This all presumes the malware writers are targeting their malware at specific organizations, vs doing just a "spray and pray" attempt to infect as many random PCs they can.

          1. ThatOne Silver badge

            Re: Malware at Black Hat? -- Not Taunting

            > The point would be to infect the BH-goers' machines and have the infection go unnoticed.

            What for? You've spent an awful lot of time and brain on something, and instead of using it to make a profit, you simply go on a gratuitous ego trip? Nah, 20 years ago maybe, but nowadays hackers are professionals thinking about their bottom line, and they don't really need to bulletproof their tools, after all their prey is totally clueless people. If you swim around the sharks you can effortlessly eat as many sardines as you want.

            As for the people targeting people/organizations higher on the food chain, they have even more reason to not reveal their tricks before the final showdown.

      2. Anonymous Coward
        Anonymous Coward

        Re: Malware at Black Hat?

        Easy way to get your laptop top-class malware-checked for the price of a conference ticket (how much was that again?)

    3. General Purpose Silver badge

      Re: Malware at Black Hat?

      Does anyone knows how malware could detect being at an event like Black Hat? And if so, can we make all our servers look like they're at Black Hat?

      1. The Oncoming Scorn Silver badge
        Thumb Up

        Re: Malware at Black Hat?

        ARTHUR:

        It’s an intelligence test!

      2. Anonymous Coward
        Anonymous Coward

        Re: Malware at Black Hat?

        wifi nw "BLACKHAT-GUEST" "BH-PUBLIC" or similar

      3. doublelayer Silver badge

        Re: Malware at Black Hat?

        I guess you hard-code the time that the conferences will happen and find the IP blocks used by hotels or conference locations likely to host them (if not already announced), and then you just check your host's address and clock against that list. I don't really think most malware authors are going to go to that effort when they would probably be better able to hide by finding a less identifiable C&C method. If you'd still like to try it, try putting your machines into a hotel in Las Vegas and mess with your clock so it always shows a time in mid August.

    4. Clausewitz4.0
      Devil

      Re: Malware at Black Hat?

      I would likely bring a discardable laptop to connect to their network.

      Given the high value of tools and exploits produced by the attendees of such conference, most likely a firmware exploit in the NIC would be deployed by a capable party.

    5. Dog11

      Re: Malware at Black Hat?

      Back in the days when pickpocketing was a hanging offense, and hangings attracted crowds looking for entertainment, I understand pickpockets did work those crowds.

      1. Kane Silver badge
        Joke

        Re: Malware at Black Hat?

        "Back in the days when pickpocketing was a hanging offense, and hangings attracted crowds looking for entertainment, I understand pickpockets did work those crowds."

        Growth industry?

    6. steviebuk Silver badge

      Re: Malware at Black Hat?

      The funniest story was the guy looking into home drone security and the one he had he knew had massive flaws and open ports. He turned it on very early in the lobby to do testing at which point someone was already awake and took it over :)

  2. Anonymous Coward
    Anonymous Coward

    Equifax, anyone?

    Equifax - bad actors exfiltrating data for months (or years) before anyone noticed!

    SolarWinds - where developers had never heard about the so called "Ken Thompson Hack"!!

    So.....I'm always curious when the "good guys" say things like "We also did not see as much malicious activity ... as we expected this year."

    1. Mike 137 Silver badge

      Re: Equifax, anyone?

      I suspect it's a different set of 'good guys' with different approaches and priorities. The Black Hat folks are operating at a technology level, whereas most corporate data breaches are down to process failure. If one studies the Equifax breach (the last big one) it shows that the fundamental problem was not technical - it was an almost complete absence of management and monitoring of processes. The expired certificate in the intrusion detection system (that rendered it inoperative for many months) was due to a failure to renew it - a simple administrative procedure that just hadn't been done. The failure to identify the vulnerable instance of Apache Struts was directly due to absence of a service inventory and failure to maintain a critical contact list current. Equally, it took at least a month of 'management meetings' for the vulnerability to be at last taken seriously, despite a timely CERT notification of a critical hazard. This is all management failure and nothing to do with the technical side of the problem at all. If Equifax had been able to identify the vulnerable system and had applied the patch immediately the breach would never have occurred, but as it was they just couldn't see that they had a problem until too late.

  3. Anonymous Coward
    Anonymous Coward

    Jeremy Miller

    Any relation to the creator of XMPP?

  4. John Brown (no body) Silver badge

    20,000 attendees?

    I'm amazed there wasn't a LOT more actual malware infections. With 20,000 attendees, there'd very likely be a quite a few "junior" net-secutity people there and quite probably a few highly inexperienced "wannabees".

    1. Anonymous Coward
      Anonymous Coward

      Re: 20,000 attendees?

      If my experience of party conferences is anything to go by, computer infections isn't their sole worry.

      1. Anonymous Coward
        Anonymous Coward

        Re: 20,000 attendees?

        Monkeypox?

        1. arachnoid2
          FAIL

          Monkeypox

          Detected, disected and anti virus code distributed.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like