Graphology of an exploit – hunting for exploits by looking for the author’s fingerprints

Itay Cohen (Check Point Research) & Eyal Itkin (Check Point Research)
live only
16:00 UTC on Day 3
FRIDAY 02 OCTOBER
Zero-days that are exploited in the wild always gain a lot of attention, and rightly so. But while the malware authors usually get all the credit, the exploit writers – those who work hard to find a vulnerability and develop their top-notch exploit – often remain out of the spotlight.

In the past months, our vulnerability and malware research teams joined efforts to focus on the exploits inside malware and, specifically, on the exploit writers themselves. Starting from a single incident response case, we built a profile of one of the most active exploit developers for Windows. Up until now, we managed to track down more than 10(!) of their Windows Kernel (LPE) exploits, most of which were zero-days at the time of development.

Just as programmers leave their fingerprints in their code, so do exploit developers. This allowed us to apply the same techniques we use to track and attribute malware authors and APT groups to draw a digital composite sketch of the exploit writer.

Join us as we follow our developers’ footsteps and watch their learning curve – starting from selling their 1-day exploits to criminal groups to eventually selling 0-days to nation-state APTs. We will also explain our process of converting exploit artifacts into more samples, identifying the author’s template, and briefly go over the distribution and business model of the attacker. The talk will demonstrate how exploits can be used to track their authors and give a technical peek into the world of in-the-wild exploits.
Itay Cohen
Check Point Research Itay Cohen (aka Megabeets) is a security researcher and reverse engineer in the malware and vulnerability research group at Check Point Research. Itay has vast experience in malware reverse engineering and other security-related topics. He is the author of https://megabeets.net, a security blog focused on making advanced security topics accessible for free.

Itay is a core developer of the open-source reverse engineering framework radare2 and the maintainer of Cutter, radare2’s official GUI. In his free time, he loves to participate in CTF competitions and to contribute to open-source projects.
Eyal Itkin
Check Point Research Eyal Itkin is a vulnerability researcher in the malware and vulnerability research group at Check Point Research. Eyal has an extensive background in security research that includes years of experience in embedded network devices and protocols, bug bounties from all popular interpreter languages, and an award by Microsoft for his CFG enhancement white paper. When not breaking RDP or FAX, he loves bouldering, swimming, and thinking about the next target for his research.
arrow left Back

Graphology of an exploit – hunting for exploits by looking for the author’s fingerprints

16:00 - 16:30 UTC Fri 2 Oct
Itay Cohen (Check Point Research) & Eyal Itkin (Check Point Research)
Zero-days that are exploited in the wild always gain a lot of attention, and rightly so. But while the malware authors usually get all the credit, the exploit writers – those who work hard to find a vulnerability and develop their top-notch exploit – often remain out of the spotlight.

In the past months, our vulnerability and malware research teams joined efforts to focus on the exploits inside malware and, specifically, on the exploit writers themselves. Starting from a single incident response case, we built a profile of one of the most active exploit developers for Windows. Up until now, we managed to track down more than 10(!) of their Windows Kernel (LPE) exploits, most of which were zero-days at the time of development.

Just as programmers leave their fingerprints in their code, so do exploit developers. This allowed us to apply the same techniques we use to track and attribute malware authors and APT groups to draw a digital composite sketch of the exploit writer.

Join us as we follow our developers’ footsteps and watch their learning curve – starting from selling their 1-day exploits to criminal groups to eventually selling 0-days to nation-state APTs. We will also explain our process of converting exploit artifacts into more samples, identifying the author’s template, and briefly go over the distribution and business model of the attacker. The talk will demonstrate how exploits can be used to track their authors and give a technical peek into the world of in-the-wild exploits.
Itay Cohen
Check Point Research Itay Cohen (aka Megabeets) is a security researcher and reverse engineer in the malware and vulnerability research group at Check Point Research. Itay has vast experience in malware reverse engineering and other security-related topics. He is the author of https://megabeets.net, a security blog focused on making advanced security topics accessible for free.

Itay is a core developer of the open-source reverse engineering framework radare2 and the maintainer of Cutter, radare2’s official GUI. In his free time, he loves to participate in CTF competitions and to contribute to open-source projects.
Eyal Itkin
Check Point Research Eyal Itkin is a vulnerability researcher in the malware and vulnerability research group at Check Point Research. Eyal has an extensive background in security research that includes years of experience in embedded network devices and protocols, bug bounties from all popular interpreter languages, and an award by Microsoft for his CFG enhancement white paper. When not breaking RDP or FAX, he loves bouldering, swimming, and thinking about the next target for his research.