Botconf Author Listing

Vitaly Kamluk


Last known affiliation: TitanHex
Bio: Vitaly Kamluk is a cybersecurity researcher with 20+ years of work experience in the anti-malware industry. Previously he was a Principal Security Researcher and led a cyber threat intelligence team in Asia-Pacific focusing on APT and targeted attack investigations. Vitaly spent 2 years working at the INTERPOL Digital Crime Centre as a cybersecurity expert. In 2024, he founded TitanHex, a company focusing on threat intelligence, cybersecurity R&D, and targeted attack investigations. Vitaly participates in infosec mentorship initiatives, volunteers to deliver free talks for the next generation of researchers, and is one of the BlackHat speaker coaches. Over the years, he has presented at many international security conferences including BlackHat, Defcon, Hitcon, BSides, Ruxcon, Sincon, FIRST, Botconf, AVTokyo and many others, as well as numerous invite-only events such as BTF, DCC, SAS and UE. He is passionate about a broad set of cybersecurity topics including reverse engineering, malware analysis, cyberthreat intelligence, computer forensics, cryptography, privacy and hardware hacking.
Date: 2023-04-11
Malware forensics from a distance
Vitaly Kamluk 🗣 | Nicolas Collery 🗣

This workshop aims to share knowledge of live triage and analysis of remote compromised systems to assist incident response, digital forensics, or malware discovery and in-place analysis. There are many other applications of the techniques and tools that the participants are encouraged to explore on their own.
Although the knowledge shared during the workshop can be applied independently of the tools proposed, it starts with the attendees building their own toolkit for remote threat reconnaissance. It features Bitscout, a project based on a collection of free open-source software for Linux, that is extendable with any set of tools the analyst wants to embed before or in the middle of the operation.
Incident response to live cyberattacks requires silent navigation through compromised assets, sometimes in large distributed networks. The popular approach relies on EDR or other live agent-based solutions. However, the activation of security agents and obvious activities on live compromised systems may alert advanced threat actors. Once they are alerted, a clean-up operation and destruction of evidence can follow. Moreover, offline system analysis may not be easy due to the physical distance to the compromised system or the scale of the network. This is where remote stealthy threat discovery with “scoutware”, software for threat hunting and instant system analysis, becomes incredibly useful. Bitscout, used for the workshop, is just one such toolkit.
In addition to working with local virtual machines during the workshop, the attendees will be provided with access to 60+ live servers to be analyzed simultaneously to simulate large-scale compromise – online access will therefore be required.

Date: 2022-04-26
Remote Threat Reconnaissance
Nicolas Collery 🗣 | Vitaly Kamluk 🗣

This workshop aims to share knowledge of live triage and analysis of remote compromised systems to assist incident response, digital forensics, or malware discovery and in-place analysis. There are many other applications of the techniques and tools that the participants are encouraged to explore on their own.
Although the knowledge shared during the workshop can be applied independently of the tools proposed, it starts with the attendees building their own toolkit for remote threat reconnaissance. It features Bitscout, a project based on a collection of free open-source software for Linux, that is extendable with any set of tools the analyst wants to embed before or in the middle of the operation.
Incident response to live cyberattacks requires silent navigation through compromised assets, sometimes in large distributed networks. The popular approach relies on EDR or other live agent-based solutions. However, the activation of security agents and obvious activities on live compromised systems may alert advanced threat actors. Once they are alerted, a clean-up operation and destruction of evidence can follow. Moreover, offline system analysis may not be easy due to the physical distance to the compromised system or the scale of the network. This is where remote stealthy threat discovery with “scoutware”, software for threat hunting and instant system analysis, becomes incredibly useful. Bitscout, used for the workshop, is just one such toolkit.
In addition to working with local virtual machines during the workshop, the attendees will be provided with access to 60+ live servers to be analysed simultaneously to simulate large-scale compromise – online access will therefore be required.
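Both workshop abstracts above describe live, in-place triage of a compromised Linux host without touching its disk. The following is an added example written for this page, not code from Bitscout or from the workshop authors: it reads only from /proc (the socket table and per-process exe links) and flags two classic indicators, unexpected listening sockets and processes still running from a binary that has been unlinked. The /proc/net/tcp sample and the exe-link table are constructed inputs; the /proc/net/tcp field layout assumed is the one documented for current Linux kernels.

```python
"""Read-only live triage of a Linux host: listening TCP sockets and
processes whose executable was deleted from disk.

Added example for illustration; it is not Bitscout code. It only reads
from /proc and never writes to the target, which keeps the analyst's
footprint on a live compromised system small."""
import os
import socket
import struct

# Constructed sample of /proc/net/tcp: sshd on 0.0.0.0:22, a process on
# 127.0.0.1:8080 owned by uid 1000, and one established client connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A8C2 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of /proc/<pid>/exe symlink targets as readlink returns
# them; pid 4242 is the kind of entry a drop-exec-unlink implant leaves.
SAMPLE_EXE_LINKS = {
    "1": "/usr/lib/systemd/systemd",
    "4242": "/tmp/.x/kworkerd (deleted)",
    "5150": "/usr/sbin/sshd",
}

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def decode_addr(hex_addr: str) -> tuple:
    """'0100007F:1F90' -> ('127.0.0.1', 8080).

    IPv4 addresses in /proc/net/tcp are host-order (little-endian on x86)
    hex, so the bytes are reversed before formatting."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp: str) -> list:
    """Return every LISTEN socket with decoded address, owning uid and inode.

    The inode can be matched against /proc/<pid>/fd/* links
    ('socket:[inode]') to find the owning process."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        found.append({"ip": ip, "port": port,
                      "uid": int(fields[7]), "inode": int(fields[9])})
    return found


def deleted_executables(exe_links: dict) -> list:
    """Processes still running from a binary removed from disk.

    The kernel appends ' (deleted)' to the exe link target once the file
    is unlinked; a disk image alone would never show these binaries."""
    return [(pid, path) for pid, path in exe_links.items()
            if path.endswith(" (deleted)")]


def collect_exe_links(proc_root: str = "/proc") -> dict:
    """Read-only walk of a live /proc. Links that cannot be read (other
    users' processes without privileges, or processes that exit mid-walk)
    are skipped rather than aborting the triage."""
    links = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            links[pid] = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:
            continue
    return links


if __name__ == "__main__":
    # Demonstration on the constructed samples; on a live host replace
    # SAMPLE_PROC_NET_TCP with open('/proc/net/tcp').read() and
    # SAMPLE_EXE_LINKS with collect_exe_links().
    for sock in listening_sockets(SAMPLE_PROC_NET_TCP):
        print("LISTEN", sock)
    for pid, path in deleted_executables(SAMPLE_EXE_LINKS):
        print("running from deleted file:", pid, path)
```

Both checks are pure reads of the proc filesystem, so they leave no files, no new packages and no agent behind on the host; IPv6 listeners would need the same treatment applied to /proc/net/tcp6 (32 hex digits per address), which the example does not cover.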

TLP:AMBER
Date: 2025-05-23
Botnets ORBitting TP-Link devices
Vitaly Kamluk 🗣 | Kurt Baumgartner 🗣

ORB networks have recently been highlighted in several APT-related campaigns such as Volt Typhoon, Flax Typhoon, and a few others, providing a layer of anonymity to the APT operators and complicating attribution based on netflow. This problem is quickly emerging worldwide, leveraging multiple platforms, from personal computers to servers and IoT devices.

According to recent media reports (https://www.bleepingcomputer.com/news/security/us-considers-banning-tp-link-routers-over-cybersecurity-risks/) the U.S. government is considering banning TP-Link routers starting 2025 if ongoing investigations find that their use in cyberattacks poses a national security risk.

We have conducted a teardown of several TP-Link devices and analyzed their attack surface, architecture, internal API, privacy issues and general inspectability opportunities from the perspective of security researchers. We would like to share the latest findings on how a TP-Link device might get compromised and turned into an ORB. Our research covers conducting IoT forensics to analyze potentially compromised IoT devices, as well as building your own ORB honeypot.
