APNIC Pty Ltd.

09/24/2025 | Press release | Distributed by Public on 09/23/2025 22:19

APNIC / FIRST Security 2 at APNIC 60

Cybersecurity professionals, researchers, and network operators from across the Asia Pacific gathered at APNIC 60 for two sessions co-organized by FIRST and APNIC. These sessions aimed to strengthen regional collaboration and share actionable insights on emerging threats.

This post covers highlights from the second session on Wednesday, 10 September 2025 (16:30-18:00 UTC+07:00), including presentations on collaborative responses to emerging threats (including remote code execution vulnerabilities), lateral movement risks in network architecture, and a train-the-trainer model for building cyber resilience in South East Asia.

Collaborative response to emerging critical RCE vulnerabilities in exposed assets

Speaker: Piotr Kijewski, The Shadowserver Foundation

Piotr brings 25 years of experience in operational security (OPSEC), including eight years at Shadowserver. Since 2004, Shadowserver has been run using a joint American and Dutch non-profit structure. Working with national Computer Security Incident Response Teams (CSIRTs), Law Enforcement Agencies (LEAs), and security researchers, Shadowserver offers monitoring and victim notification services, law enforcement assistance, large-scale 'weather reporting' and dashboard views of traffic to specific address ranges on demand.

For the good of the Internet

Sinkholing is a cybersecurity technique used to redirect malicious traffic away from its intended target to a controlled environment. Shadowserver participates in sinkholing, and has helped law enforcement and companies take down more than 400 malware families. They provide a 'Shodan-like' scanning service, deploy sensors as honeypots, and collect malware samples for detailed analysis.

Piotr describes Shadowserver's approach to data sharing as "responsible". Data is scaled and tuned to match the recipient, with economy-specific data provided to economy-wide organizations, address-space-specific data provided to network owners, and investigation-specific data provided to LEAs. According to Piotr there are currently over 9,000 vetted subscribers using Shadowserver network feeds. All for free!

Shadowserver also runs daily scans over the Internet surface as unobtrusively as possible, including generic scans and targeted scans to identify exposed devices with remote code execution (RCE) vulnerabilities. The scans are designed to avoid becoming a traffic hazard and to avoid causing excessive logging on scanned hosts. On potentially affected devices, they avoid any active write behaviour. Piotr likened it to hiking in the countryside: "Take nothing but pictures, leave nothing but footprints".

The honeypot network permits Shadowserver to understand who is performing scans and attacks at scale. Piotr encouraged attendees to visit the service and review what Shadowserver is identifying in their networks and regions.

Scanning for specific vulnerabilities

Moving on to the attacks Shadowserver sees, Piotr showcased some RCEs and Common Vulnerabilities and Exposures (CVEs) seen in the wild. For example, in 2023 Cisco discovered 'BadCandy' infection risks in IOS XE. Shadowserver began scanning the day after Cisco published their vulnerability disclosure, and were able to see implants being deployed. When attackers modified their implants to avoid detection, Shadowserver responded within days by modifying scans to adapt to implant updates. This attack, related to the 'Typhoon' APT, is still active today, with high levels of infection worldwide.

Another example is the Palo Alto PAN-OS management framework, which had over 10,000 infections, including significant infections in Thailand and Singapore. Shadowserver helped to identify the threat and, according to Piotr, reduced the threat level by a factor of ten. What's more, they were able to find leftover signs of compromise after the initial wave of infection broke, and raise alerts on them.

Slides: Collaborative Response to Critical RCE (5MB)

Watch Piotr's APNIC 60 presentation now:

The network is the battlefield

Speaker: A. S. M. Shamim Reza, TheTeamPhoenix

With over 12 years of industry experience, APNIC Community Trainer Shamim Reza presented an overview of how legacy defences are failing against modern threats. A significant problem in South Asian defences is the lack of control over 'lateral movement' from firewalls, which only protect the external boundary.

Shamim presented some recent statistics showing that weak-password threats continue. While 98% of attacks are carried out by external actors, nearly 70% of attacks involve stolen credentials.

Basic hygiene not enough

Shamim noted that simplistic assumptions about network structure - such as the belief that Virtual Local Area Networks (VLANs) provide effective segmentation - can allow significant lateral movement once an external vulnerability is exploited.

Basic network hygiene measures such as Resource Public Key Infrastructure (RPKI) and the Mutually Agreed Norms for Routing Security (MANRS) program are vital, but they aren't considered internal security unless applied to your Interior Gateway Protocol (IGP). For example, MANRS protections don't address internal threats against your Dynamic Host Configuration Protocol (DHCP) or Simple Network Management Protocol (SNMP) layers.

An example of risk Shamim shared was the 2020 FireEye 'Red Team tools' theft, which exposed an intrusion consultancy toolchain to attackers, including frameworks similar to Cobalt Strike and Metasploit. The company had to contact over 300 customers to offer review and assistance.

Shamim reviewed network layer attacks sourced from Bangladesh, Nepal and Viet Nam, with a significant peak in Domain Name System (DNS) amplification exploits, and User Datagram Protocol (UDP) flooding. The data illustrates that network layer attacks aren't limited to a specific economy.

Lateral movement risks

Shamim talked through a case study in which his team used Red Team exploits to execute a classical lateral movement attack. They exploited the fact that both office and production traffic were using the same guest VLAN to gain entry into the wider internal network.

Shamim recalled a quote from APNIC's Adli Wahid: "Prevention is an ideal, but detection is a must", and recommended a range of tools to apply in your own intrusion detection and network security risk mapping.

In summary, in the face of significant lateral movement risks, Shamim asserts that 'if your network is flat, your security is fantasy': you need to understand your internal architecture and its risk profile.

Slides: The Network is the Battlefield (3 MB)

Watch Shamim's APNIC 60 presentation now:

From learners to leaders: A 'train-the-trainer' model for self-sufficient cyber resilience in South East Asia

Speaker: Keisuke Kamata, Armoris Inc

Kamata-san from Armoris has more than 24 years of experience in cybersecurity, starting in JPCERT/CC in 2002. He has been a part of the Japan International Cooperation Agency (JICA) project since 2008, with significant partnerships in South East Asia to help encourage, train, and motivate local leaders to run their own cyber defence exercises.

Hybrid training model

The core of JICA's 'train-the-trainer' model combines a virtual lab (Cyber Range) with tabletop exercises. Kamata-san says that the training empowers local engineers to design and build their own Cyber Range, while engaging managers through integrated tabletop exercises. JICA cybersecurity collaborations have focused on Indonesia, Cambodia, and the Philippines, working with academics and the Information and Communications Technology (ICT) Ministries.

Prior to the tabletop exercises, participants spend two months pretraining on Linux and networking skills. When they gather for the train-the-trainer session, they spend eight days setting up the Cyber Range, understanding the exercise planning method, and planning attack and defence scenarios. In the following two days, they take turns stepping into the roles of 'red' and 'blue teams'. Following completion of the train-the-trainer experience, they return home to run a four-day training in their own economies.

Technical and business perspectives

This hybrid approach invites participants to consider cybersecurity incidents from both technical and business perspectives. Attacks occur at the level of code, servers, and data. The impact of those attacks is often felt through interactions with customers, regulators, and law enforcement. As Kamata-san put it, cyber incidents "affect and are affected by what happens in the real world".

For example, Kamata-san presented a scenario in which SQL injection risks found by scanning resulted in information leakage to the dark web, with consequences for the business relationship with clients.

By exploring the expectations and responsibilities of different roles that would be involved in responding to a cybersecurity incident, and modelling how those roles interact with each other and with external stakeholders, participants gained practical experience to reduce friction when responding to real-world incidents.

Kamata-san noted challenges related to the uneven distribution of technical and leadership skills in the train-the-trainer cohort. The experience required to design and articulate a compelling and workable technical scenario, and the experience required to relate that scenario to the business environment, are rarely found in a single individual. These challenges likely increase the level of support the trainers will need from JICA to create original new scenarios.

Slides: From Learners to Leaders: A "Train the Trainer" Model for Self-Sufficient Cyber Resilience in Southeast Asia (2MB)

Watch Kamata-san's APNIC 60 presentation now:

Watch, read, and dive deeper

This session highlighted practical approaches to threat detection, network defence, and capacity building across the region. To learn more, watch the embedded videos, explore the slides, and visit the APNIC 60 conference website for recordings of all sessions.

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
