We released the first T9 Data of the T9 Project on July 17, 2024, and the second T9 Data (Attack/Data) on December 17 of this year. This post describes the second T9 Data (Attack/Data) and outlines our plans to research AI detection models for countering cyber threats. [Go to the previous blog].
Pick the second T9 Data
The second T9 Data in the T9 Project mimics the latest attacks that have occurred over the past two years, as before. We selected three network attacks, three endpoint attacks, and three combination attacks, categorizing them by the areas where they can be detected, resulting in a total of nine attacks, as shown in Table 1.
Table 1. T9 Project 2024 Attack List (2024-02)

| No | T9 Attack ID | Domain | Name / Method |
|---|---|---|---|
| 1 | T1-24-02-S-N-CIKM | Network | Jenkins Args4j |
| 2 | T2-24-02-S-N-CL | Network | JNDI Injection RCE |
| 3 | T3-24-02-S-N-CL | Network | Apache2 HTTP Path Traversal RCE |
| 4 | T4-24-02-S-E-M | End Point | Cl0p Ransomware |
| 5 | T5-24-02-S-E-DL | End Point | Backdoor (with ARCANUS Tool) |
| 6 | T6-24-02-S-E-DEGN | End Point | Tedy Spyware |
| 7 | T7-24-02-M-NE-CDEGLN | Network + End Point | SMBGhost (T2-24-01-S-N-CL) + Tedy Spyware (T6-24-02-S-E-DEGN) |
| 8 | T8-24-02-M-NE-CDL | Network + End Point | JNDI Injection RCE (T2-24-02-S-N-CL) + Backdoor (with ARCANUS Tool) (T5-24-02-S-E-DL) |
| 9 | T9-24-02-M-NE-CLH | Network + End Point | Apache2 HTTP Path Traversal RCE (T3-24-02-S-N-CL) + Cl0p Ransomware (T4-24-02-S-E-M) |
In Table 1, T9 Data 1 to 3 are attacks that can be detected in the Network zone. The first of them exploits the Jenkins Args4j vulnerability to read files on the server for information exfiltration. The Apache2 HTTP Path Traversal RCE attack is somewhat older, disclosed in 2021; an analysis of its logs may mislead one into thinking it is simple directory access rather than remote command execution, which is why we selected it to validate our attack detection model.
Attack data 4 to 6, detectable in the End Point area, were selected to collect and analyze the latest malware behavior. The Backdoor (with ARCANUS Tool) attack used malware generated by our team, designed so that the actual malware executes remote commands over a reverse shell connection to the attacker’s server. Tedy Spyware was chosen because it collects system settings and information, which lets us obtain meaningful behavior logs.
Attack data 7 to 9 are combination attacks that fuse attacks detected in both the network and endpoint domains into a single attack. Based on the single attacks implemented in the T9 Project, we automated linked attacks following scenarios from infiltration to infection. In attack #7 (SMBGhost + Tedy Spyware), SMBGhost refers to an attack released in the first half of 2024 [T2-24-01-S-N-CL], combined with the Tedy Spyware malware, which was released in the second half of this year.
Demo T9 Data
Let’s take a closer look at the combination attack, T8-24-02-M-NE-CDL, from the T9 Data published in this post to understand how the T9 Project generates attack data.
The T8-24-02-M-NE-CDL attack is a scenario-based combination attack that exploits JNDI Injection RCE and Backdoor (using the ARCANUS Tool) attacks. The JNDI Injection RCE attack is a Remote Code Execution (RCE) vulnerability caused by a JNDI injection issue in the Apache Kafka software, a streaming platform, identified as CVE-2023-25194. The Backdoor (using the ARCANUS Tool) is malware in the form of an ELF (Executable and Linkable Format) file, which executes malicious behavior via a reverse shell connection when executed. The defined scenario links these two attacks by exploiting the JNDI Injection RCE vulnerability to download and execute additional malware from the command and control (C&C) server, thereby establishing a remote session. The overall behavioral architecture is illustrated in Figure 1.
Figure 1. T8-24-02-M-NE-CDL Behavioral Architecture
When ‘run.py’ is run to execute the attack, the first step automatically builds the Victim and Attacker environments and sends ICMP packets before the attack starts. The tool then follows the defined scenario to exploit the vulnerability and perform the malicious behavior. Finally, T8-24-02-M-NE-CDL downloads the additional Backdoor (with ARCANUS Tool) from the Malware Hosting Server and executes it to establish a Reverse Shell connection with the Attacker. After the attack completes, ICMP packets are sent again, so the two bursts of ICMP packets mark the start and end points of the attack data.
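The ICMP packets described above give a consumer of the data a way to cut the attack window out of the capture. The following is an added example, not code from the T9 Project: a standard-library pcap reader that treats ICMP echo requests between the attacker and victim addresses as markers and returns only the packets between the first and last marker. The addresses, ports and the sample capture are constructed here; the assumption that markers are echo requests between exactly those two hosts is ours, not something the post states.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # classic little-endian pcap
ETH_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP = 1, 6

# Constructed addresses for the sample capture (not taken from the T9 Data).
ATTACKER, VICTIM, MALWARE_HOST = "10.0.0.2", "10.0.0.3", "10.0.0.4"


@dataclass
class Packet:
    ts: float
    proto: int
    src: str
    dst: str
    l4: bytes        # bytes following the IPv4 header


def parse_pcap(data: bytes) -> List[Packet]:
    """Minimal reader for classic pcap files carrying Ethernet/IPv4 frames."""
    magic, = struct.unpack_from("<I", data, 0)
    link_type, = struct.unpack_from("<I", data, 20)
    if magic != PCAP_MAGIC or link_type != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet frames")
    pkts, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue                              # non-IPv4 frames are not needed here
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        pkts.append(Packet(sec + usec / 1e6, frame[23], src, dst, frame[14 + ihl:]))
    return pkts


def is_marker(p: Packet, attacker: str, victim: str) -> bool:
    """Marker = ICMP echo request (type 8) exchanged between attacker and victim."""
    return (p.proto == PROTO_ICMP and p.l4[:1] == b"\x08"
            and {p.src, p.dst} == {attacker, victim})


def attack_window(pkts: List[Packet], attacker: str, victim: str) -> List[Packet]:
    """Packets strictly between the first and last marker, markers excluded.
    Fewer than two markers means the capture is not delimited: return nothing."""
    marks = [i for i, p in enumerate(pkts) if is_marker(p, attacker, victim)]
    if len(marks) < 2:
        return []
    return [p for p in pkts[marks[0] + 1: marks[-1]] if not is_marker(p, attacker, victim)]


def window_flows(pcap: bytes, attacker: str, victim: str) -> List[Tuple[int, str, str]]:
    """(protocol, src, dst) for every packet inside the marked attack window."""
    return [(p.proto, p.src, p.dst) for p in attack_window(parse_pcap(pcap), attacker, victim)]


# --- constructed sample capture, written in the same layout parse_pcap reads ---
def _ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    addr = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload


def _frame(ip_pkt: bytes) -> bytes:
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4) + ip_pkt


def _echo(seq: int) -> bytes:                 # ICMP echo request, checksum left zero
    return struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq)


def _syn(sport: int, dport: int) -> bytes:    # bare TCP SYN header, constructed ports
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def sample_pcap() -> bytes:
    records = [
        (100.0, PROTO_ICMP, ATTACKER, VICTIM, _echo(1)),            # start markers
        (100.1, PROTO_ICMP, ATTACKER, VICTIM, _echo(2)),
        (101.0, PROTO_TCP, ATTACKER, VICTIM, _syn(40000, 8080)),    # request to the victim service
        (102.0, PROTO_TCP, VICTIM, MALWARE_HOST, _syn(50000, 80)),  # victim fetches the second stage
        (103.0, PROTO_TCP, VICTIM, ATTACKER, _syn(50001, 4444)),    # victim calls back to the attacker
        (110.0, PROTO_ICMP, ATTACKER, VICTIM, _echo(3)),            # end markers
        (110.1, PROTO_ICMP, ATTACKER, VICTIM, _echo(4)),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, proto, src, dst, l4 in records:
        frame = _frame(_ipv4(proto, src, dst, l4))
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for proto, src, dst in window_flows(sample_pcap(), ATTACKER, VICTIM):
        print(proto, src, "->", dst)
```

On the constructed capture the window contains exactly the three TCP flows between the markers; a capture with fewer than two markers yields an empty window rather than a guess, so a truncated file is noticed instead of silently producing a partial dataset.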

Figure 2. T8-24-02-M-NE-CDL Attack Execution
Figure 2 shows the tool running. It prints the attack execution procedure so you can follow it in real time, and it writes the Network Packet (.pcap) and Sysmon Log (.xml) to the log directory as the results of the execution.

Figure 3. Network Packet (top), Sysmon Log (bottom) of T8-24-02-M-NE-CDL attack
Figure 3 presents a snippet of the T8-24-02-M-NE-CDL attack data, which allows us to analyze malicious behavior on the network and endpoints through network packets and Sysmon logs.
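The Sysmon side of the data is where the endpoint half of T8-24-02-M-NE-CDL shows up: a service process writes a file, that file starts as a new process, and the new process opens an outbound connection. The following is an added example, not T9 Project code, showing how a detection rule over Sysmon XML can correlate those three event types (FileCreate 11, ProcessCreate 1, NetworkConnect 3). It assumes the events are wrapped in a single root element and are in chronological order; the events, paths, GUIDs and addresses are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FILE_CREATE, PROCESS_CREATE, NETWORK_CONNECT = 11, 1, 3


def parse_events(xml_text: str) -> List[Tuple[int, Dict[str, str]]]:
    """Flatten each <Event> into (EventID, {Data Name: value})."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter(f"{{{NS['e']}}}Event"):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append((eid, data))
    return events


def find_drop_execute_connect(events: List[Tuple[int, Dict[str, str]]]) -> List[Tuple[str, str, str]]:
    """Chains of: a process writes a file (11) -> that file runs as a process (1)
    -> that process initiates an outbound connection (3).
    Returns (writer image, dropped image, destination ip:port) per chain."""
    writer_of: Dict[str, str] = {}       # dropped path -> image of the process that wrote it
    dropped_proc: Dict[str, str] = {}    # ProcessGuid -> image, for processes born from dropped files
    chains = []
    for eid, d in events:
        if eid == FILE_CREATE:
            writer_of[d["TargetFilename"]] = d["Image"]
        elif eid == PROCESS_CREATE and d["Image"] in writer_of:
            dropped_proc[d["ProcessGuid"]] = d["Image"]
        elif (eid == NETWORK_CONNECT and d.get("Initiated") == "true"
              and d.get("ProcessGuid") in dropped_proc):
            image = dropped_proc[d["ProcessGuid"]]
            chains.append((writer_of[image], image, f'{d["DestinationIp"]}:{d["DestinationPort"]}'))
    return chains


# --- constructed sample log in Sysmon's Event/System/EventData layout ---
def _event(eid: int, **data: str) -> str:
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Linux-Sysmon"/>'
            f'<EventID>{eid}</EventID><Computer>victim</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


JAVA, AGENT, SSHD = "{guid-java}", "{guid-agent}", "{guid-sshd}"   # constructed ProcessGuids

SAMPLE_XML = "<Events>" + "".join([
    # the service itself downloads something: not flagged, java was not dropped
    _event(3, UtcTime="2024-12-17 10:00:01.000", ProcessGuid=JAVA, Image="/usr/bin/java",
           Initiated="true", DestinationIp="10.0.0.4", DestinationPort="80"),
    _event(11, UtcTime="2024-12-17 10:00:02.000", ProcessGuid=JAVA, Image="/usr/bin/java",
           TargetFilename="/tmp/agent"),
    # unrelated benign process creation
    _event(1, UtcTime="2024-12-17 10:00:03.000", ProcessGuid=SSHD, Image="/usr/sbin/sshd",
           ParentImage="/usr/sbin/sshd", CommandLine="sshd: session"),
    _event(1, UtcTime="2024-12-17 10:00:04.000", ProcessGuid=AGENT, Image="/tmp/agent",
           ParentImage="/bin/sh", CommandLine="/tmp/agent"),
    _event(3, UtcTime="2024-12-17 10:00:05.000", ProcessGuid=AGENT, Image="/tmp/agent",
           Initiated="true", DestinationIp="10.0.0.2", DestinationPort="4444"),
]) + "</Events>"


if __name__ == "__main__":
    for writer, dropped, dest in find_drop_execute_connect(parse_events(SAMPLE_XML)):
        print(f"{writer} wrote {dropped}, which then connected out to {dest}")
```

Keying the chain on ProcessGuid rather than on the image path avoids matching a later, unrelated process that happens to have the same name, and requiring `Initiated="true"` keeps inbound connections to the dropped process from counting as a callback.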
T9 Data can create composite and realistic threat scenarios from various single attacks. We expect this will serve as high-quality, adequate data for training AI models to detect cyber threats.
Cyber Threat Detection Model (T9 Detection)
The T9 Project is currently building an attack dataset utilizing vulnerability analysis and attack tools. We are developing an automated attack tool and building a dataset aiming to generate data similar to actual attack data through the latest attacks and known attacks. Subsequently, in the second half of 2025, we plan to develop an AI detection model specifically for cyber threats, as illustrated in Figure 4, by learning from the T9 data we have compiled to date and from normal data collected in the real world.

Figure 4. Development of AI detection models specialized for cyber threats
Conclusion
In this post, we briefly introduced the T9 Project’s second round of T9 Data and our plans to research AI detection models to defend against these attacks effectively. To date, we have released data from 18 automated attack tools, and we will continue to generate more attack data through continuous updates. We will also release various research results, including advanced threat scenarios, normal data, and AI detection models, so please stay tuned for more information.
References
[1] AhnLab ASEC, Status of Domestic Servers Exposed to Jenkins Vulnerabilities (CVE-2024-23897, CVE-2024-43044), https://asec.ahnlab.com/ko/82870/, 2024
[2] NVD, CVE-2023-25194 Detail, https://nvd.nist.gov/vuln/detail/CVE-2023-25194, 2023
[3] Medium – Victor Park, Apache Kafka Security Update Advisory (CVE-2023-25194), https://medium.com/spitha-techblog/apache-kafka-%EB%B3%B4%EC%95%88-%EC%97%85%EB%8D%B0%EC%9D%B4%ED%8A%B8-%EA%B6%8C%EA%B3%A0-cve-2023-25194-23-02-08-a0cb5903c40e
[4] NVD, CVE-2021-42013 Detail, https://nvd.nist.gov/vuln/detail/cve-2021-42013, 2021
[5] Apache HTTP Server, CVE-2021-41773 / CVE-2021-42013 [Apache HTTP Server], https://omoknooni.tistory.com/32
[6] Cyble, Cl0p Ransomware: Active Threat Plaguing Businesses Worldwide, https://cyble.com/blog/cl0p-ransomware-active-threat-plaguing-businesses-worldwide/
[7] CTX, 28AB56D70469C88E4DDE1241C1A2F742202757D4C7AC5259C4308DDD74337045, https://www.ctx.io/report/file/28AB56D70469C88E4DDE1241C1A2F742202757D4C7AC5259C4308DDD74337045
[8] GitHub – EgeBalci, ARCANUS, https://github.com/EgeBalci/ARCANUS

A researcher in the Cyber Threat Analysis Team at the KAIST Cyber Security Research Center, conducting research on blockchain and software testing.

A researcher in the Cyber Threat Analysis Team at the KAIST Cyber Security Research Center, mainly working on data collection and analysis and on software testing research.