Thursday, April 25th
Friday, April 26th
It’s time for (r)evolution
Charl van der Walt
SPEAKER BIO
Charl van der Walt is the Global Head of Security Research at Orange Cyberdefense. He leads a team of independent researchers that works on behalf of the company and its community to pick at the intractable challenges in security, seeking to understand the what, where and why of real challenges the industry wrestles with. Their work is widely recognized and featured frequently in forums like BlackHat, RSAC and elsewhere.
Before being acquired by Orange, Charl was a co-founder and CEO at SensePost, where he spent 16 years in professional penetration testing and offensive cyber training.
Charl is the father of a young boy and lives in Cape Town, South Africa. He spends his free time seeking adventure through surfing, climbing, ultra-endurance racing and, most recently, ocean yacht racing.
The system isn’t broken, it’s working exactly as designed.
I feel so angry! It’s a cynical scheme. It’s almost impossible for me to find a product at the grocery store that isn’t individually packaged in some kind of plastic. So I dutifully work away to do my bit for the environment by sorting my trash, but all of our efforts to recycle really come to nothing. Meanwhile, oil, retail and other big industries, with the support of governments worldwide, will produce and use more plastic than ever. Because they’re allowed to, and it earns them more profit.
Recycling is a deception designed to keep us busy and distracted by our own sense of guilt and duty, while the system on the whole does what it was always designed to do – generate profits for shareholders – regardless of the impact on the environment and the societies that depend on it.
This is also how the security industry has felt to me lately: We’re all frantically busy discovering, detecting, mitigating or dealing with vulnerabilities in security products – doing our best to do our part for the good of the ‘community’ - while the ‘system’ continues to produce products we don’t need, services that don’t help, and security software that introduces more problems than it solves.
But the system isn’t broken, it’s working exactly as designed. Because we’re an industry built to generate profit, not a community dedicated to building a safer society. If that’s ever going to change, we need to end the evolution and start a revolution. And the revolution needs to begin with us.
To change the system we need to ascend beyond our daily routine of ‘recycling’ the same tired old security narratives that keep us busy and distracted with tasks and duties that don’t really change anything. We need to engage and act at the level where the system is designed and developed, to describe and demand a new system that is truly dedicated to delivering the free and safe digital world we all want to live in.
This is a talk about why our industry doesn’t work, and why it’s fundamentally designed to be that way. It’s a call to revolution. A challenge to all of us to be part of the solution, not part of the problem.
Threats and Mitigations Landscape in the Age of Generative AI
Andrei Kucharavy
SPEAKER BIO
Andrei Kucharavy has been bladerunning rogue Generative AIs in the wild, launched forth to advance goals of attackers in cyber-space, be it bored teenager hackers, or APTs.
Swiss Cyber-Defence Campus ex-fellow, he is now looking for all the ways LLMs accentuate existing cyber-threats or create new ones, and all the ways they can be mitigated before it is too late.
While LLMs have been a technology slowly developing since 2019, it wasn't until the public demo of ChatGPT in late 2022 that the general public became aware of its true potential, launching a global push to integrate LLMs into workflows across different domains and industries and a proliferation of different models released publicly.
However, there is a dark side to the LLM proliferation. In the same way that they can be used as tools for legitimate purposes, they can also be used for nefarious ones, notably by cyber-criminals.
Not only that, but even their legitimate usage, be it as components of programs or to generate code and documentation, creates new, vast, and poorly understood attack surfaces.
This keynote will take you on a ride to the darkest parts of the LLM-generated cyber-security horrors, raising your awareness, hopefully without scarring you.
Enhancing AWS Security: A Holistic Approach to Organization Management
Bogdan Nicorici
SPEAKER BIO
Over time, my role has evolved towards the position of a Cloud Security Architect. In my current capacity, I am actively engaged in enhancing Nexthink's cloud security posture, ensuring that our digital environment remains robust and secure.
In the ever-evolving landscape of AWS, navigating security across a sprawling organization with diverse accounts presents a unique set of challenges. This presentation offers a candid and practical exploration of our experiences, triumphs, and setbacks in securing large-scale AWS deployments.
Join us as we unveil the strategies employed to fortify our AWS infrastructure, including the implementation of centralized logging for enhanced visibility. Dive into the intricacies of our just-in-time access portal, designed to streamline user access with an approval system and time-bound constraints. This session aims to demystify the complexities of securing a vast AWS ecosystem, providing actionable insights for both seasoned professionals and those embarking on their cloud journey.
Discover firsthand the real-world considerations, unexpected twists, and invaluable lessons learned in the pursuit of a resilient and secure AWS organization. Whether you're a seasoned cloud architect or a novice in the field, this presentation promises to shed light on the pragmatic aspects of safeguarding AWS environments at scale.
Microsoft 365's BEC - Detection Engineering Challenges and Opportunities
Eliraz Levi
SPEAKER BIO
My core areas of expertise are detection engineering, incident response, and digital forensics.
I’ve been working on large-scale incident response investigations, including ransom, data theft, financial frauds, and more.
Furthermore, I've collaborated with global enterprises on reinforcing their security infrastructure, fine-tuning threat hunting operations, and mentoring SOC analysts.
With a $3B annual financial toll reported in the US alone, BEC remains a significant security concern.
This talk highlights a typical attack flow in the 365 ecosystem, followed by an in-depth discussion of practical hunting and the challenges it presents.
Discussions will also extend to visibility gaps, event correlation, noise reduction, and licensing limitations, providing both context and solutions.
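The kind of correlation the abstract points at, written out as an added example (this is not the speaker's code or detection content). It runs a rule over constructed Unified Audit Log style records: a sign-in from a country the user has never been seen in, followed within 24 hours by an inbox rule that deletes or forwards mail, is reported; a rule from a known location that only files newsletters is not. The record fields, user names, IP addresses and the 24-hour window are assumptions; the parameter names (DeleteMessage, ForwardTo, RedirectTo, MoveToFolder) follow the Exchange New-InboxRule cmdlet.

```python
from datetime import datetime, timedelta

# Constructed records shaped like Unified Audit Log entries (real entries carry
# many more fields). Nothing here comes from a real tenant.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-01T08:02:11", "UserId": "alice@example.com",
     "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "ClientIP": "203.0.113.5", "Country": "CH"},
    {"CreationTime": "2024-03-01T09:15:40", "UserId": "alice@example.com",
     "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "ClientIP": "198.51.100.77", "Country": "NG"},
    {"CreationTime": "2024-03-01T09:20:03", "UserId": "alice@example.com",
     "Operation": "New-InboxRule", "Workload": "Exchange",
     "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-01T10:00:00", "UserId": "bob@example.com",
     "Operation": "New-InboxRule", "Workload": "Exchange",
     "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]

# Assumed baseline: countries each user signed in from over the last 30 days.
BASELINE_COUNTRIES = {"alice@example.com": {"CH"}, "bob@example.com": {"CH"}}

# Rule parameters that hide or exfiltrate mail (classic BEC tradecraft).
SUSPICIOUS_RULE_PARAMS = {"DeleteMessage", "ForwardTo",
                          "ForwardAsAttachmentTo", "RedirectTo"}


def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def rule_params(rec):
    """Flatten the Parameters array of an inbox-rule record into a dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def is_suspicious_rule(rec):
    """Inbox rule that deletes/forwards mail, or carries a throwaway name."""
    if rec["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
        return False
    params = rule_params(rec)
    if params.keys() & SUSPICIOUS_RULE_PARAMS:
        return True
    # Attackers often name rules with a single character or whitespace.
    return len(params.get("Name", "").strip()) <= 1


def correlate_bec(records, baseline, window=timedelta(hours=24)):
    """Return (user, login_record, rule_record) triples where a sign-in from an
    unfamiliar country precedes a suspicious inbox rule for the same user."""
    logins = [r for r in records if r["Operation"] == "UserLoggedIn"]
    hits = []
    for rule in records:
        if not is_suspicious_rule(rule):
            continue
        user = rule["UserId"]
        for login in logins:
            if login["UserId"] != user:
                continue
            if login["Country"] in baseline.get(user, set()):
                continue  # noise reduction: known location for this user
            if timedelta(0) <= _ts(rule) - _ts(login) <= window:
                hits.append((user, login, rule))
    return hits


if __name__ == "__main__":
    for user, login, rule in correlate_bec(SAMPLE_RECORDS, BASELINE_COUNTRIES):
        print(f"{user}: sign-in from {login['Country']} at {login['CreationTime']}, "
              f"then rule {rule_params(rule)} at {rule['CreationTime']}")
```

The baseline is what keeps this from being noisy: a deleting rule alone fires constantly in a large tenant, a foreign sign-in alone fires for every traveller, and only the pair within a short window is worth an analyst's time. Real records also expose the ClientAppId and user agent, which tighten the correlation further.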
FuzzyAI: Attacking LLMs with Coverage-Guided Fuzzing
Eran Shimony & Mark Cherp
SPEAKER BIO
Mark Cherp is a Vulnerability Team Leader at CyberArk with a special interest in AI and low-level, kernel-space attack vectors and a strong interest in fuzzing and other automation techniques for bug discovery. Mark has previously worked for Microsoft, Checkpoint, and several other companies in the Israeli cyber industry. He had the chance to tackle multiple vulnerability research domains such as cloud, network, mobile, and other endpoints.
With Large Language Models (LLMs) like ChatGPT, Bard, and Claude swiftly establishing themselves as keystones in our digital ecosystem, the inevitable is on the horizon: an explosion of adversarial attacks targeting these systems, leading to severe data leaks and misguided outputs. Leveraging our profound experience in vulnerability research and a robust background in the bug bounty community, our team has pivoted to address the nuances of LLMs. Our intent doesn't halt at mere identification; we're pioneering the generation of these potential adversarial attacks. Central to our strategy is the amalgamation of GAN-based fuzzers and attention-centric detection tools. In this session, attendees will be offered an immersive journey, marrying traditional vulnerability research techniques with the evolving demands of LLM security, thereby sketching a roadmap for the future of adversarial defense strategies.
Smart toy vulnerabilities can put your child at risk of abuse by strangers
Nikolay Frolov
SPEAKER BIO
Principal Security Researcher at Kaspersky ICS CERT. Has extensive professional experience in Cryptography and Computer Security, with a special interest in reverse engineering and hardware.
Smart devices are becoming an increasingly integral part of our lives with each passing year, and this trend extends to our children as well. Intelligent robot assistants, for instance, have found their way into our homes and are now interacting with our kids on a regular basis. However, amidst this digital revolution, cyber security challenges continue to loom large. As these smart devices become more interconnected and involved in our daily routines, it is crucial to address the vulnerabilities and safeguard our children's privacy and online safety.
A small Android-based robot for kids aged 5 to 9 uses a wide-angle HD camera and hi-tech sensors to map distance and edges, facilitating movement. The manufacturers assert that the smart toy, equipped with a video camera and microphone, uses artificial intelligence that enables it not only to recognize and address children by name but also to respond to their mood, getting to know them better over time. Parents also need to download the companion app to take full advantage of the toy, which can entertain and educate through various gaming applications.
Researchers from Kaspersky have discovered vulnerabilities in a popular smart toy robot, which could potentially allow cybercriminals to take control and misuse it to secretly communicate with children through video chat, without the knowledge of their parents. The companion app for this robot risks compromising sensitive information including children's names, genders, ages and even their locations.
In this session, we will present the results of our in-depth research into the security issues of this popular robot.
From keyless to careless: Abusing misconfigured OIDC authentication in cloud environments
Christophe Tafani-Dereeper
SPEAKER BIO
In cloud environments, static and long-lived credentials are discouraged as they often get leaked. To solve this problem, cloud providers such as AWS, Azure and Google Cloud support "keyless authentication" through OpenID Connect (OIDC), allowing you to exchange JSON Web Tokens (JWTs) signed by trusted identity providers for cloud credentials. Keyless authentication is especially popular for CI/CD, and enables pipelines to seamlessly authenticate to a cloud environment.
Keyless authentication is easy to configure — and unfortunately, to misconfigure. In this talk, we demonstrate that AWS IAM roles using keyless authentication are, in many cases, insecurely configured allowing unauthenticated attackers to retrieve cloud credentials and further compromise the environment. We share our research where we identified dozens of vulnerable roles in the wild; in particular, we were able to compromise AWS credentials of an account belonging to the UK government, and pivot from there to an internal code repository. Finally, we showcase not only how to identify vulnerable roles in your environment, but also how to use higher-level guardrails to ensure that a human mistake doesn't turn into a data breach.
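An added example of the check the last sentence calls for (this is this page's illustration, not the speakers' tooling). It assumes that "insecurely configured" means what the AWS documentation itself warns about: a trust policy that accepts sts:AssumeRoleWithWebIdentity from an OIDC provider while only checking the audience (aud) and never pinning the token subject (sub), so any workflow at that provider can obtain the role's credentials. Both trust policies below are constructed; the account ID, provider and repository names are placeholders. The owner-wildcard check assumes GitHub's repo:<owner>/<repo>:... subject format.

```python
import json

# Weak: only the audience is checked. Every GitHub Actions token carries
# aud=sts.amazonaws.com, so anyone on GitHub can assume this role.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
        },
    }],
})

# Hardened: the subject pins the role to one repository and one branch.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
            "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:ref:refs/heads/main"},
        },
    }],
})


def _as_list(value):
    """IAM allows a string or a list in most places; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_oidc_trust_policy(policy_json):
    """Return (statement_index, finding) pairs for web-identity statements that
    do not pin the token subject to a specific workload."""
    findings = []
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRoleWithWebIdentity", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append((i, "Principal is *"))
            continue
        for federated in _as_list((principal or {}).get("Federated")):
            # arn:aws:iam::<acct>:oidc-provider/<host> -> <host>; condition keys
            # are <host>:aud / <host>:sub and are matched case-insensitively.
            provider = federated.rsplit("oidc-provider/", 1)[-1].lower()
            subs = []
            for _operator, pairs in (stmt.get("Condition") or {}).items():
                for key, val in pairs.items():
                    if key.lower() == f"{provider}:sub":
                        subs.extend(_as_list(val))
            if not subs:
                findings.append((i, f"no {provider}:sub condition: any token issued by {provider} is accepted"))
                continue
            for sub in subs:
                # GitHub subjects look like repo:<owner>/<repo>:...; a wildcard in
                # the owner segment (or a bare *) still admits any repository.
                owner = sub.split(":", 2)[1].split("/", 1)[0] if sub.startswith("repo:") else sub
                if "*" in owner:
                    findings.append((i, f"sub condition {sub!r} does not pin the repository owner"))
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(label, audit_oidc_trust_policy(policy) or "ok")
```

To run this against a real account, feed it the AssumeRolePolicyDocument of every role returned by iam:ListRoles; roles whose only federated principal is a SAML provider are skipped because their condition keys are not <host>:sub. The higher-level guardrail the abstract mentions is the same predicate expressed as an organisation-wide policy check rather than a one-off script.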
Why so optimized?
Ege BALCI
SPEAKER BIO
In the ever-evolving landscape of cybersecurity, attackers are continuously exploring innovative techniques to outsmart security products and their detection mechanisms. This presentation offers a comprehensive exploration into a novel approach – the de-optimization of compiler-generated machine code instructions – to bypass security products without resorting to conventional evasion techniques.
The talk delves into how mathematical methods such as arithmetic partitioning, logical inverse, polynomial distribution, and logical partitioning can be used to re-create the target binary by transforming its instructions. Through these mathematical approaches, the speaker demonstrates the capability to mutate or transform approximately 95% of the instructions, presenting a significant challenge to the traditional static rule-based detection mechanisms employed by security products.
Notably, this presentation introduces a paradigm shift by showcasing the effectiveness of de-optimization tricks in circumventing security measures without the reliance on self-modifying code and Read-Write-Execute (RWE) memory regions. Attendees will gain a deep understanding of the intricacies involved in the de-optimization process and how these techniques can be strategically employed to evade detection.
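To make the idea concrete, here is an added toy model (this page's illustration, not the speaker's tool, and not the exact rewrites the talk uses). It represents instructions as tuples over 32-bit registers, applies this example's own reading of three of the named methods (arithmetic partitioning of a mov immediate, a logical inverse of xor via not, logical partitioning of an and mask), and then checks two things a practitioner cares about: the rewritten program computes exactly the same result on random inputs, and the original immediates a byte-pattern rule would key on no longer appear. The interpreter, the instruction set and the sample program are all constructed; no self-modifying code or RWX memory is involved, which is the point the abstract makes.

```python
import random

MASK = 0xFFFFFFFF  # 32-bit register width


def execute(program, regs):
    """Toy interpreter. Instructions are ("mov", "eax", 0x41) style tuples,
    or ("not", "eax"); regs maps register names to 32-bit values."""
    regs = dict(regs)
    for ins in program:
        op, reg, *rest = ins
        imm = rest[0] if rest else None
        if op == "mov":
            regs[reg] = imm & MASK
        elif op == "add":
            regs[reg] = (regs[reg] + imm) & MASK
        elif op == "xor":
            regs[reg] = regs[reg] ^ imm
        elif op == "and":
            regs[reg] = regs[reg] & imm
        elif op == "not":
            regs[reg] = ~regs[reg] & MASK
        else:
            raise ValueError(f"unsupported op {op}")
    return regs


# The three rewrites below are this example's reading of the abstract's terms.
def arithmetic_partition(ins, rng):
    """mov r, imm  ->  mov r, a ; add r, b   with a + b == imm (mod 2^32)."""
    _, reg, imm = ins
    while True:
        a = rng.randrange(1, MASK + 1)
        b = (imm - a) & MASK
        if a != imm and b != 0:  # make sure the original immediate is gone
            return [("mov", reg, a), ("add", reg, b)]


def logical_inverse(ins, rng):
    """xor r, imm  ->  not r ; xor r, ~imm   because ~x ^ ~imm == x ^ imm."""
    _, reg, imm = ins
    return [("not", reg), ("xor", reg, ~imm & MASK)]


def logical_partition(ins, rng):
    """and r, imm  ->  and r, imm|m ; and r, imm|~m   because (imm|m)&(imm|~m) == imm."""
    _, reg, imm = ins
    m = rng.randrange(0, MASK + 1)
    return [("and", reg, imm | m), ("and", reg, imm | (~m & MASK))]


TRANSFORMS = {"mov": arithmetic_partition, "xor": logical_inverse, "and": logical_partition}


def deoptimize(program, seed=0):
    """Rewrite every transformable instruction; the rest are copied as-is."""
    rng = random.Random(seed)
    out = []
    for ins in program:
        rewrite = TRANSFORMS.get(ins[0])
        out.extend(rewrite(ins, rng) if rewrite and len(ins) == 3 else [ins])
    return out


def equivalent(p1, p2, trials=500, seed=1):
    """Differential check: identical final register state on random inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        regs = {"eax": rng.randrange(MASK + 1), "ebx": rng.randrange(MASK + 1)}
        if execute(p1, regs) != execute(p2, regs):
            return False
    return True


def immediates(program):
    """Immediate operands a static byte-pattern rule might key on."""
    return {ins[2] for ins in program if len(ins) == 3}


# Constructed original; the constants stand in for a signature-worthy pattern.
ORIGINAL = [("mov", "eax", 0x41414141), ("xor", "eax", 0xDEADBEEF),
            ("and", "eax", 0x0000FFFF), ("add", "ebx", 7)]

if __name__ == "__main__":
    mutated = deoptimize(ORIGINAL)
    for ins in mutated:
        print(ins)
    print("equivalent:", equivalent(ORIGINAL, mutated))
    print("signature constants survived:", immediates(ORIGINAL) & immediates(mutated))
```

Each rewrite grows the code (here 4 instructions become 7), which is exactly why compilers never emit it and why a detection rule that was tuned on optimized output misses it. The differential check is the cheap sanity test to keep in such a pipeline: a transform that is only "almost" semantics-preserving produces a payload that crashes instead of one that runs.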
Secret web hacking knowledge - CTF authors hate these simple tricks
Philippe Dourassov
SPEAKER BIO
As a student job, I do bug bounty hunting and penetration testing with my company Pentest by Dourassov. During my free time, I like getting nerd-sniped by various web-related concepts and exploring them.
In the world of web security, there are pitfalls people never stop falling in, even the hackers themselves. From HackTheBox challenges to Insomni'hack teaser ones, most can be solved with powerful yet straightforward techniques.
In this talk, we will explore these powerful and unknown techniques, going from the most trivial to the obscure and technical ones.
Standing on the Shoulders of Giant(Dog)s: A Kubernetes Attack Graph Model
Julien Terriac
SPEAKER BIO
He led the R&D department at XMCO for 5 years before joining Datadog as the Team Lead for Adversary Simulation Engineering (ASE) where his team aims at building offensive tools and frameworks that will automate the simulation of real life attacks against Datadog.
The Kubernetes attack surface within modern organizations is vast, with often tens or hundreds of thousands of containers. Understanding interdependencies in a system of this scale, in particular gaps left open by seemingly innocent configuration changes, is beyond human capability. As such, the current mental model of defense of Kubernetes assets remains list-based; attempting to identify vulnerable configurations of single resources. This illustrates the well-known adage: "Defenders think in lists, attackers think in graphs; as long as this is true, attackers win".
The aim of the KubeHound project is to pivot the mental model of Kubernetes defense from list-based thinking to graph-based thinking. A graph database of Kubernetes attack paths can answer crucial questions for attackers and defenders alike:
* What percentage of internet facing services have an exploitable path to a critical asset?
* What type of control would cut off the largest number of attack paths to a critical asset in a cluster?
* What percentage level of attack path reduction was achieved by the introduction of a given control?
In short, single-point security findings have little traction: a finding such as "container X has Y dangerous privileges" is challenging for defensive teams to prioritize and fix, particularly when it has no direct impact by itself (e.g. an over-privileged account). But because KubeHound is a queryable graph database of attack paths, it makes reasoning about security problems via data-driven testing of hypotheses extremely efficient.
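The three questions above, answered over a constructed toy cluster as an added example (this is not KubeHound code or output; KubeHound stores its graph in a graph database and queries it with Gremlin). The edge labels are in the spirit of KubeHound's attack types but are this example's own, as are the service, container and identity names. The point is the shift the abstract describes: the same data that yields a list of findings ("ctr-web is privileged", "sa-deployer can bind roles") answers exposure, best-control and reduction questions once it is a graph.

```python
from collections import defaultdict

# Constructed cluster: (source, destination, attack type). All names invented.
EDGES = [
    ("svc-web",       "ctr-web",       "ENDPOINT_EXPLOIT"),   # exposed service -> its container
    ("svc-api",       "ctr-api",       "ENDPOINT_EXPLOIT"),
    ("svc-metrics",   "ctr-metrics",   "ENDPOINT_EXPLOIT"),
    ("ctr-web",       "node-1",        "CE_PRIV_MOUNT"),      # privileged container escapes to node
    ("node-1",        "sa-controller", "TOKEN_STEAL"),        # tokens of pods scheduled on the node
    ("ctr-web",       "sa-web",        "IDENTITY_ASSUME"),    # mounted service-account token
    ("sa-web",        "ctr-api",       "POD_EXEC"),           # sa-web may exec into api pods
    ("ctr-api",       "sa-deployer",   "IDENTITY_ASSUME"),
    ("sa-deployer",   "cluster-admin", "ROLE_BIND"),          # can bind itself to cluster-admin
    ("sa-controller", "cluster-admin", "ROLE_BIND"),
    ("ctr-metrics",   "ctr-sidecar",   "SHARE_PS_NAMESPACE"), # dead end
]
ENDPOINTS = ["svc-web", "svc-api", "svc-metrics"]  # internet-facing services
CRITICAL = "cluster-admin"
ENTRY_TYPES = ("ENDPOINT_EXPLOIT",)  # initial access, not a control we can "remove"


def build(edges, removed_types=()):
    """Adjacency list, optionally with every edge of the given types removed
    (modelling a control that eliminates that attack type cluster-wide)."""
    graph = defaultdict(list)
    for src, dst, kind in edges:
        if kind not in removed_types:
            graph[src].append(dst)
    return graph


def simple_paths(graph, src, dst, path=()):
    """All loop-free paths from src to dst (fine for a toy; real graphs need limits)."""
    path = path + (src,)
    if src == dst:
        return [path]
    found = []
    for nxt in graph.get(src, []):
        if nxt not in path:
            found.extend(simple_paths(graph, nxt, dst, path))
    return found


def exposed_endpoints(edges, endpoints, critical, removed_types=()):
    graph = build(edges, removed_types)
    return {e for e in endpoints if simple_paths(graph, e, critical)}


def exposure_pct(edges, endpoints, critical, removed_types=()):
    """Q1: share of internet-facing services with an exploitable path to the asset."""
    return 100.0 * len(exposed_endpoints(edges, endpoints, critical, removed_types)) / len(endpoints)


def total_paths(edges, endpoints, critical, removed_types=()):
    graph = build(edges, removed_types)
    return sum(len(simple_paths(graph, e, critical)) for e in endpoints)


def best_control(edges, endpoints, critical, entry_types=ENTRY_TYPES):
    """Q2: which post-exploitation attack type, if eliminated, cuts off the most
    endpoints. Ties resolve alphabetically."""
    baseline = exposed_endpoints(edges, endpoints, critical)
    kinds = sorted({kind for _, _, kind in edges} - set(entry_types))
    scores = {k: len(baseline - exposed_endpoints(edges, endpoints, critical, (k,)))
              for k in kinds}
    best = max(kinds, key=scores.get)
    return best, scores[best]


def path_reduction_pct(edges, endpoints, critical, control):
    """Q3: percentage of attack paths removed by eliminating one attack type."""
    before = total_paths(edges, endpoints, critical)
    after = total_paths(edges, endpoints, critical, (control,))
    return 100.0 * (before - after) / before if before else 0.0


if __name__ == "__main__":
    print(f"exposed endpoints: {exposure_pct(EDGES, ENDPOINTS, CRITICAL):.1f}%")
    control, cut = best_control(EDGES, ENDPOINTS, CRITICAL)
    print(f"best control: remove {control} (cuts off {cut} endpoints)")
    for kind in ("ROLE_BIND", "IDENTITY_ASSUME", "CE_PRIV_MOUNT"):
        print(f"removing {kind}: {path_reduction_pct(EDGES, ENDPOINTS, CRITICAL, kind):.1f}% of paths")
```

Note what the graph says that the list cannot: fixing the privileged container (CE_PRIV_MOUNT) removes only a third of the paths, because svc-web also reaches cluster-admin through a mounted token and a pod exec, while tightening role bindings closes every path. That is the prioritization signal the abstract says single-point findings lack.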
You Gotta Fight For Your Right To Third-Party
Mat Caplan
SPEAKER BIO
As a recognised trusted advisor, Mathew has led and advised many businesses on cybersecurity strategy, security governance, roadmap, and vision and is comfortable connecting at all levels in organisations from small and medium-sized enterprises to large multinationals across a broad spectrum of industries. Mathew enjoys finding sustainable solutions to challenging problems. He has worked in the Orange Group on many international projects being the go-to person on security and compliance matters for some very high-profile customers.
Mathew loves cats, music, and football and wherever possible will combine his audio-visual and photoshop skills to simplify complex topics and breathe life into cybersecurity.
https://www.linkedin.com/in/mathewcaplan/
Third-party relationships continue to expand rapidly as companies seek outsourced services and solutions to optimize performance. Consequently, threat surfaces have broadened leading to increased cyber-attacks on third parties both in terms of frequency and sophistication.
In 2021 there was a 300% increase in supply chain attacks and over half the security incidents in 2022 were third-party related. Both trends continue to increase.
Recent global events have demonstrated the need for resilient supply chains whilst Environmental, Social, and Governance (ESG) and compliance to regulations creates greater scrutiny on third-party practices.
This briefing is about how to cope with Third-Party Risk Management (TPRM) from both a customer and a supplier perspective.
The subject of third-party risk and supply chain security affects all organisations, whether they are a supplier or a customer. These days organisations are typically both. This topic is very broad but relevant to everyone involved and interested in risk and security, from application developers to CISOs.
This presentation is intended to be both entertaining and thought-provoking and includes a sprinkling of popular culture, music, and video.
Current Affairs: IoT Security 101
Iana Peix
SPEAKER BIO
Iana Peix is a recent graduate of the EPFL-ETH Cyber Security Masters program. Previously, she completed her Bachelor’s in Communication Systems at EPFL. Her six-month internship at the Cyber Defence Campus in Lausanne allowed her to combine two of her major interests: energy transition and looking for exploits, culminating in her master's thesis presented in the talk.
Hacking IoT is child's play, at least to most Insomni'hack attendees. But what if the IoT devices in question add up to gigawatts of electricity, and the hacker is not an Insomni'hack attendee but somebody with truly malicious intentions?
Beating the Sanitizer: Why you should add mXSS to your Toolbox
Paul Gerste & Yaniv Nizry
SPEAKER BIO
Paul Gerste (@pspaul95) is a vulnerability researcher on Sonar's R&D team. He has a proven talent for finding security issues, demonstrated by his two successful Pwn2Own participations and discoveries in popular applications like Proton Mail, Visual Studio Code, and Rocket.Chat. When Paul is not at work, he enjoys playing CTFs and organizing Hack.lu CTF.
Yaniv Nizry (@YNizry) is a Vulnerability Researcher at Sonar where he leverages his expertise to identify and mitigate vulnerabilities in complex systems. Starting his way as a software engineer, he shifted his focus while serving in the IDF's 8200 unit, where he gained experience in both offensive and defensive cybersecurity tactics.
Cross-Site Scripting (XSS) attacks and their risks to web applications are well-known. However, a lesser-known variant called mutation XSS (mXSS) has emerged over the last few years, adding a new dimension to this vulnerability type. This talk explores the underlying mechanisms and techniques mXSS uses to bypass security measures.
We will present real-world case studies of impactful mXSS vulnerabilities in popular applications, highlighting potential consequences like data leakage, account compromise, and remote code execution.
Participants gain a comprehensive understanding of mXSS, its root causes, and its impact on web application security. We will equip the audience with the knowledge on how to protect against mXSS attacks, and how to exploit it in real-world applications.
Patch Different on *OS
John McIntosh
SPEAKER BIO
Binary diffing is a powerful technique for reverse engineering, vulnerability research, and malware analysis. It allows security researchers to compare two versions of a binary and identify the changes related to security patches. By doing so, they can gain insights into the root causes of the latest CVEs and patched vulnerabilities.
However, patch diffing is not equal for all operating systems. While Windows provides convenient access to binaries, download links, and public symbols, *OS poses several challenges for patch diffing. Apple has historically made its binaries less accessible, and even encrypted its software distributions in the IPSW (iPhone Software) format until later versions of iOS. Moreover, *OS security updates vary across products (watchOS, tvOS, iOS, and macOS) and the binaries are embedded in the dyld_shared_cache (DSC), complicating the diffing process.
In this talk, we will show you how to overcome these challenges and perform effective patch diffing on *OS platforms in 2024. We will demonstrate how to use open-source reverse engineering tools (such as ipsw and Ghidra) to extract and analyze IPSW files, which contain the software updates for iOS and macOS. We will also show you how to find the updated binaries, extract embedded binaries from the DSC, and how to use freely available binary diffing tools to compare them. Finally, we will walk you through 3 real-world examples of patch diffing on *OS, and how to map the binary changes to recent CVEs. From there we will identify and reverse engineer the underlying vulnerabilities for each CVE.
This talk will not only teach you the skills and tools for patch diffing on modern *OS platforms, but also inspire you to explore the untapped potential of this technique for discovering new vulnerabilities and understanding the Apple security ecosystem. You will discover what makes patch diffing on *OS different and challenging, and how to overcome these obstacles with open-source tools and methods.
Uncommon process injection pattern
Yoann DEQUEKER (@OtterHacker)
SPEAKER BIO
While he mainly performs Red Team operations against large companies, he spends time developing custom C2 frameworks and malware to ease engagements and the deployment of C2 beacons in secured environments.
In 2023, he presented most of his research at public conferences and workshops such as LeHack in Paris and DEF CON 31 in Las Vegas.
Process injections are popular techniques for executing malicious payloads without the knowledge of users or defense tools. However, EDR solutions have had a major impact on the reliability of these techniques.
The aim of this talk is to present a way out of the standard process injection patterns by mixing several techniques: Module Stomping, threadless injection to eliminate the use of certain Windows APIs, and hardware breakpoints (HWBP) to bypass EDR hooks.
Throughout the talk, we will dive into Windows internals and look at the impact of each technique on EDR alerts, to understand the pros and cons of each.
The tale of Rhadamanthys and the 40 thieves - the nuts, bolts, and lineage of a multimodular stealer
Hasherezade & Ben Herzog
SPEAKER BIO
Hasherezade is a malware researcher & Open Source developer. Author of multiple applications related to malware analysis, such as PE-bear, PE-sieve, TinyTracer.
Ben is a security researcher. His technical work includes reverse engineering of Rust PL features and cryptanalysis of targeted ransomware. He has also published technical profiles of various malware strains, as well as many introductory texts and detailed reviews on the subjects of malware, cryptography and vulnerability research.
One of the most common missions of malware is information theft. For a long time the playing field had seemed tired, saturated and predictable. The same established actors, such as Redline, Vidar and Raccoon, would sometimes add a feature or fix a bug. No one expected innovation in this field, or asked for it.
However, in September of 2022, a new challenger broke into the market for infostealer malware: Rhadamanthys, a malware-as-a-service (MaaS) offering with a multilayer design on par with unusually complicated staged loaders. This malware's modular architecture allowed shipping a variety of targeted stealer components, attacking almost every application that a distributor could imagine, and some they probably couldn't. As we found out later, this complex piece of malware didn't come out of nowhere: it was based on the code of a different malware, developed for years, most likely by the same author, the Hidden Bee coin miner, which has its own intriguing history.
In this talk we will take a deep dive into the history, design, implementation and many (many) features of Rhadamanthys stealer - including some of the more interesting tricks its prolific author came up with in their ambitious quest to create the most complex, comprehensive information stealer malware ever seen on the open market.
What Can We Do About Cryptocurrency Scams?
Keven Hendricks
SPEAKER BIO
Cryptocurrency is undoubtedly a polarizing topic, and those who harbor a negative opinion have likely been inspired by the myriad of scams and fraud that are reported. What can we all do to help stop and mitigate cryptocurrency facilitated scams?
Living off the Land and Attacking Operational Technology with Surgical Precision
Ric Derbyshire
SPEAKER BIO
Sophisticated attacks on operational technology (OT) require a unique tactic known as 'process comprehension', which helps adversaries understand how the OT and physical process are configured. Process comprehension is complex, requiring the exfiltration of a large range of data, and perhaps even physical infiltration of the victim. In this talk we’ll present a novel living off the land technique to perform process comprehension at a significantly reduced cost, over the network, while being extremely challenging to detect. We’ll then expand on this technique to show how it can be used for precise process manipulation and establishing PLC memory as a C2 conduit that breaks best practice network segregation. Finally, we’ll conclude the talk with a few words on the responsible disclosure process.
Your NVMe Had Been Syz'ed
Alon Zahavi
SPEAKER BIO
NVMe is a game-changing storage technology that delivers unparalleled speed and performance, making it crucial for cloud environments where intensive workloads and scalability demand rapid data access and processing.
In recent years, NVMe-oF/TCP support was added to the Linux kernel, and with it a new attack surface was unlocked.
In this talk, we will present how we added NVMe-oF/TCP subsystem support to syzkaller, the well-known kernel fuzzer, by modifying both the Linux kernel and syzkaller. We will also present the multiple vulnerabilities found after running the modified fuzzer.
Hijacking the Java Virtual Machine (JVM) and Bypassing Runtime Application Self-Protection (RASP)
Mouad Kondah
SPEAKER BIO
I have a Bachelor’s degree in Mathematics from the University of Neuchâtel and a Master’s degree in Mathematics and Computer Science from the University of Geneva.
I have launched recently my own website: https://www.deep-kondah.com, where I'll be sharing in-depth knowledge about AI, cybersecurity, and software engineering.
Runtime Application Self-Protection (RASP) is a security technology introduced by Gartner in 2012, that offers an additional layer of security by monitoring applications in real-time to detect suspicious activity. Unlike conventional security mechanisms, such as WAF and AV/EDR, RASP is integrated within the application, enabling it to closely monitor the application's runtime environment and identify anomalies that may signal an attack. In this talk, we will explore how one can bypass RASP solutions, particularly for JVM-based applications.
When Malware Becomes Creative: A Survey of Advanced Android Detection Evasion Tactics
Dimitrios Valsamaras
SPEAKER BIO
Android's rise to one of the world's most popular operating systems has expanded its reach to billions of devices worldwide. This massive footprint is a beacon for malware developers who seek to exploit the personal data of its expansive and diverse user base. As with any operating system, Android threat actors aim to distribute their malicious software as widely as possible. Yet, the methodologies for spreading in the Android ecosystem differ significantly from those in traditional desktop environments, which historically have relied on worm-type malware for rapid propagation.
In mobile, application markets serve as a prime channel for reaching this objective, given their role in distributing billions of apps annually. However, a significant hurdle exists: to be listed on prominent platforms such as the Play Store, an app must satisfy specific criteria and undergo thorough screenings for signs of malware, both prior to and post-publication.
During our review of Android malware samples in these markets, we uncovered a multitude of evasion techniques designed to circumvent both static and dynamic detection mechanisms. From simple yet clever methods like analyzing a device's battery level to gauge its legitimacy, to sophisticated technical tactics employing Java reflection, obfuscation, encryption, steganography, and dynamic code loading, these tactics illustrate the evolving nature of modern mobile malware.
This survey presents a thorough examination of the most advanced detection evasion techniques utilized by several of the most notorious Android malware families, with the infamous Joker and Hydra families as key examples. Our in-depth analysis elucidates the evolving sophistication of these techniques and their implications for the security of the Android ecosystem. Through this detailed exploration, we aim to provide insights that can aid in the development of more robust defense mechanisms to protect against such insidious software threats.
How to Break into Organizations with Style: Hacking Access Control Systems
Julia Zduńczyk
SPEAKER BIO
She has been selected as the top speaker at CONFidence Conference 2023 (Cracow, Poland) and best speaker at SEC-T 2023 (Stockholm, Sweden).
Have you ever wondered how Red Teamers manage to get access to high-security areas in buildings? This talk is your chance to learn about the tools, tactics, and techniques we use to break access control systems.
The presentation is based on the experience and examples collected during the Red Team assessments and gathers in one place the knowledge needed to gain access to places protected by access cards.
During the talk, I’m going to show you how I was able to break into organizations using techniques such as simple card cloning:
We'll discover the basics of RFID technology and learn how to use Proxmark3 for access card scanning and cloning with the demo of the device operation.
We'll explore some of the most common misconfigurations in access control systems and learn how to use them for gaining access and escalating privileges.
We’ll also delve into the technical and social engineering aspects of card scanning during a Red Team Assessment with an example of a complete kill chain, which enabled me to gain entry to highly secure areas within a building, starting from a position of zero access.
And last but not least - we'll talk about how to protect your organization from these types of attacks.
Let’s discover how to break into organizations with style.
The Accessibility Abyss: Navigating Android Malware Waters
Axelle Apvrille
SPEAKER BIO
In a prior life, Axelle used to implement cryptographic algorithms and security protocols.
Abusing Accessibility Services is a prevalent technique, notably used by various Android botnets such as BianLian, Cerberus, Chameleon, GodFather, Hook and Xenomorph.
Despite its prevalence, the technique remains relatively unfamiliar to the general audience. As a result, users fail to recognize the specific permission dialog that would otherwise save them from infection.
At best, security-conscious individuals are acquainted with the concept of malicious overlays. But overlays are merely one facet of the malicious tasks malware can implement with a custom Accessibility Service. Malware can use the API to create a keylogger, turn off Play Protect, prevent application uninstall, manipulate the clipboard, emulate gestures and clicks, steal credentials or sensitive information from other applications, etc.
Confronted with massive abuse, Google faced a dilemma: either permit the continued onslaught of attacks, or curtail the functionality of Accessibility Services, potentially limiting individuals with disabilities. In Android 13, Google introduced "Restricted Settings", which prevent side-loaded applications from being granted the necessary Accessibility permissions. Regrettably, this security measure proved insufficient and was bypassed by recent Android malware.
Choose your own adventure - Red team edition
Nicolas Heiniger
SPEAKER BIO
This talk is an interactive game. In the game we will walk through a realistic Red Team exercise from the perspective of the operator. We will face many choices and try to find our path into a fictional company and get access to its most precious secrets.
AD DS Persistence - Burn it, burn it all
Shutdown (Charlie BROMBERG) & Volker
SPEAKER BIO
Shutdown:
Creator of The Hacker Recipes and Exegol.
Creator or contributor to many other projects.
Leading ethical hacking offerings for Capgemini France.
Passionate about Active Directory.
Volker Carstein (he/they) is a cybersecurity professional, currently working as a Pentester and RTO at Bsecure. Passionate about social engineering, Active Directory and OSINT, he's also a regular speaker at events such as leHack, Barbhack and GreHack. When he's not tackling infosec related subjects, Volker is a TTRPG aficionado and a music production enthusiast. "Jack of all trades, nerd of all things", he brings a blend of expertise and enthusiasm to everything he does, always up for a challenge and ready to geek out over anything and everything!
Active Directory Domain Services offer a wide range of lateral movement and privilege escalation techniques. Ethical offensive security professionals often appreciate AD DS in this respect. But what about persistence? We will see together that once a company's AD domain has been compromised, it's probably better to rebuild it from scratch. On the agenda: skeleton key, Golden gMSA, AdminSDHolder, DC Shadow, persistence via AD CS, etc. Limited budget for managing your AD? The attacker will do it for you 😉 (Note to CISOs and other corporate network managers: don't come to this talk, or at least not without a good dose of antidepressants, we might ruin the mood.)
Diving into JumpServer: The public key unlocking your whole network
Oskar Zeino-Mahmalat
SPEAKER BIO
JumpServer is an open-source jump host popular among Chinese companies. It acts as a central access point to internal services in a company network, making access control management and monitoring easier. Users can use a convenient Web UI or an SSH gateway to access servers via SSH, database connections, remote desktop protocols, and more. The credentials for these connections stay with JumpServer, preventing leaks to end users.
This makes JumpServer a valuable target for attackers. Compromising it would give attackers the necessary credentials and network access to also compromise internal services. This motivated us to search for issues in JumpServer. We discovered critical vulnerabilities that allow outside attackers to fully take over JumpServer.
After giving an overview of JumpServer's microservice architecture, this talk shows the technical details and demos of the discovered vulnerabilities. We describe how the architecture led to multiple API issues that allow authentication bypasses using only an SSH public key. Then we venture into the SSH authentication protocol and how a custom SSH server in JumpServer was vulnerable. At the end, we combine the authentication bypass with the web terminal feature of JumpServer to gain code execution on the host system.
An Uninvited House Guest: How PROXYLIB Overstayed its Welcome on Android Devices
Lindsay Kaye
SPEAKER BIO
Cybercriminal threat actors sell access to residential proxy networks to other threat actors who are looking to hide malicious behavior behind residential IPs, including credential stuffing attacks, password spraying or large-scale ad fraud. In May 2023, we identified a cluster of VPN apps available on the Google Play Store that transformed the user’s device into a proxy node without their knowledge. We’ve dubbed this operation PROXYLIB after the common library in each of the apps.
Researchers at IAS identified this malicious behavior in a single free VPN application (Oko VPN) on Google's Play Store, and projected that the operators earned $2 million a month through conducting ad fraud prior to the app's removal from the Play Store. Based on further analysis of Oko VPN, Satori researchers uncovered nearly 40 applications related to PROXYLIB. These apps shared a common native library, written in Golang, that enrolls the device as a proxy node.
The team later uncovered a subsequent version of PROXYLIB, offered online via the LumiApps SDK, and other adaptations by the threat actor that used the same Golang library to turn the device into a proxy node. This talk will provide a technical deep-dive into the PROXYLIB Android malware and the related Windows binaries. We will also discuss the attribution of PROXYLIB and how the threat actor was able to use an online residential proxy seller to monetize the campaign. Finally, we will provide an overview of how defenders can mitigate the threat of residential proxies, malicious Android applications and ad fraud as it pertains to these threats.
How (not) to implement secure digital identity - case study of Poland's Digital ID system
Szymon Chadam
SPEAKER BIO
Digital identity solutions are on the rise in many countries. Is your identity card stored on your mobile phone in a safe and secure manner? What risks do digital identity solutions pose, and how easily can criminals exploit them? What should you look out for when implementing and using the digital identity system deployed in your country?
During my talk I will:
• analyse the security of digital ID systems based on Poland's latest digital ID solution,
• show how a digital ID system can be used to hijack your identity,
• showcase critical vulnerabilities in a system storing sensitive information of millions of Polish citizens,
• give tips on how to maintain security when implementing digital ID systems.
After this talk, the audience will understand the risks associated with national digital ID systems. They will also know what to look out for when using, implementing or testing such systems.
mFT: Malicious Fungible Tokens
Mauro Eldritch
SPEAKER BIO
He has spoken at various conferences including DEF CON (ten times!), EC-Council Hacker Halted (two times!), ROADSEC (LATAM's biggest security conference), DEVFEST Siberia, DragonJAR Colombia (the biggest Spanish-speaking conference in LATAM) among other events (35+).
In the past, he worked as a cyber bodyguard for different governments and companies.
Discover how NFTs can be used as covert channels for malicious operations, taking advantage of the "permanent" nature of blockchain-backed assets and becoming "immortal" C2 servers. mFT is an open-source tool that automates this process, and comes with demo NFTs for attendees to try this at home!
Don’t flatten yourself: restoring malware with Control-Flow Flattening obfuscation
Geri Revay
SPEAKER BIO
Geri has more than 13 years of experience in cybersecurity. He started on this path when he specialized in network and information security during his M.Sc. in computer engineering. Since then, he has worked as a QA engineer for a security vendor, then moved to penetration testing, first as an external consultant for numerous companies and then as an internal consultant at Siemens. He is an ethical hacker at heart and a consultant by trade. He is experienced in executing penetration tests and security assessments in both IT and OT environments. Working at Siemens for 8 years allowed him to work closely with OT systems, often evaluating new features before they hit the market, and gave him access to environments that external consultants would not get into. He also worked on innovative ways to assess the security of higher-risk OT systems. Since he comes from the offensive security side, he deeply understands how hackers think and operate, which can be crucial to building defenses. His focus is now on security research in binary analysis and reverse engineering for malware analysis. Geri also regularly teaches highly technical topics such as hacking and reverse engineering.
Control-Flow Flattening (CFF) is an obfuscation/anti-analysis technique used by malware authors. Its goal is to alter the control flow of a function to hinder reverse engineering. Using CFF makes static analysis complex and increases the time investment for the analyst significantly. Malware authors have already discovered this, and a steady increase can be seen in malware samples that use CFF. Soon every analyst will have to face it daily, which calls for know-how and tooling to help them.
This presentation intends to provide the needed know-how and tooling. First, we will discuss the general approach to fighting CFF. We will discuss identifying CFF and which components are essential to restore the control flow.
We will compare three different approaches to fight CFF: basic pattern matching, emulation, and symbolic execution. Their implementation will be demonstrated as IDAPython scripts.
Malware Development & Abusing .NET for Initial Access
Suraj Khetani
SPEAKER BIO
Suraj is a senior consultant at Unit 42 with more than 9 years of hands-on experience in offensive security. He specializes in performing Red Teaming, Purple Teaming, and Adversary Simulation. Before joining Unit 42, Suraj served as the Offensive Security Lead at a leading bank in the UAE, where he spearheaded Red/Purple Teams and performed critical security control and infrastructure assessments.
He has previously spoken at various international security conferences, including Hack-In-the-Box, Shellcon, Antisyphon, and more. He has shared his expertise on a wide range of topics, such as Active Directory Attacks, EDR Evasion, and Container Security. Additionally, Suraj has demonstrated his skill in identifying zero-day vulnerabilities in notable platforms like Oracle, Netgear, and Pulse Secure, among others.
This presentation explores malware development within the .NET framework, addressing why understanding and creating custom loaders is important. It begins with an overview of malware and progresses to discuss the tools essential for malware creation, including a primer on Win32 APIs. The talk outlines the malware development lifecycle and delves into shellcode execution techniques and methods to evade static detection. Attendees will learn about executing code by abusing .NET AppDomains and signed ClickOnce, showcasing different approaches for achieving initial access in .NET environments. Participants will leave with a solid understanding of the complexities of malware development and the critical role this knowledge plays in building effective cybersecurity defenses. The session is designed for beginners interested in the technical aspects of cybersecurity and malware development within .NET.
Operation Triangulation – attacks on iPhones/iPads
Marco Preuss
SPEAKER BIO
Marco Preuss (@marco_preuss) has been working in the area of networking and IT security since the early 2000s. With long experience in his role, he is responsible for monitoring the threat landscape in Europe while specializing in threat intelligence, darknet research, password security, IoT security, and privacy. In addition to research-related projects, Preuss is a regular speaker at both closed and public events, and maintains close contact with security partners.
Let’s dive into the layers of “Operation Triangulation” - an advanced and complex attack targeting iOS.
In this talk, I will guide and describe the operation, aspects, interesting facts and insights observed.
Meet the latest innovations and startups in cybersecurity & How to become a cyber entrepreneur?
Trust Valley Startups
PART 1: Meet the latest innovations and startups in cybersecurity
- ResilientX Security, Jim Biniyaz, CEO
- Wakweli, Antoine Sarraute, CEO
- Seedata.io, Enrico Faccioli, Co-Founder and CEO
- Ystorian, Flavien Scheurer, Co-founder and CEO
- Mobai, Anders Ljungqvist, Partner Manager
PART 2 (PANEL): How to become a cyber entrepreneur?
- Usec - Roman Korkirian, Founder and CEO
- Integretee - Waldemar Scherer, Co-Founder and CEO
- TBC
Moderator: Lennig Pedron