Greg Chen

Vulnerability Researcher at TeamT5

Greg is a vulnerability researcher at TeamT5, specializing in vulnerability hunting and malware analysis. He currently focuses on hunting 0-days or CVEs exploited in the wild by APT threat actors. Greg also publishes research and presents at conferences such as Black Hat Asia, TAS, and CYBERSEC.

Talk: KnockHuoDuo Unmasked: The Fruit of China's Evolving Zero-Day Exploitation Strategy [TLP:AMBER+STRICT]

In recent years, Chinese state actors have increasingly exploited zero-day vulnerabilities, surpassing all other nations combined. This surge reflects a deliberate policy shift since 2018, when China began systematically collecting vulnerabilities and treating them as national assets. Following this strategy, we identified an emerging Chinese state actor, KnockHuodou (UNC4841), specializing in vulnerability exploitation. Their expertise in pwning, binary exploitation, and reverse engineering has enabled some of the most sophisticated compromises. This presentation will reveal our research on KnockHuodou in 2024. We will start by introducing KnockHuodou and their recent campaigns, particularly their exploitation of zero-day vulnerabilities in edge devices. Next, we will present case studies to highlight the evolving threat they pose. KnockHuodou serves as a vivid example of how China-nexus actors can apply centralized vulnerability research to cyberattacks. In the last part of the talk, we will conclude with key implications based on our understanding of KnockHuodou and how it represents the emerging Chinese cyber threats. As the saying goes, know the enemy and know yourself; in a hundred battles, you will never be in peril. We believe that intelligence is the best key to defense.