Talks 2024



Thursday, April 25th

| Time | CAMPUS (Auditorium B) | CLOUD (Auditorium C) | GARDEN (Room 1ABC) |
|---|---|---|---|
| 09:00 - 09:50 | KEYNOTE: It’s time for (r)evolution (Charl van der Walt) | | CLOSED |
| 10:00 - 10:30 | COFFEE | COFFEE | COFFEE |
| 10:30 - 11:20 | FuzzyAI: Attacking LLMs with Coverage-Guided Fuzzing (Eran Shimony & Mark Cherp) | You Gotta Fight For Your Right To Third-Party (Mat Caplan) | CLOSED |
| 11:30 - 12:20 | Your NVMe Had Been Syz'ed (Alon Zahavi) | How (not) to implement secure digital identity - case study of Poland's Digital ID system (Szymon Chadam) | Malware Development & Abusing .NET for Initial Access (Suraj Khetani, Palo Alto Networks) |
| 12:30 - 13:30 | LUNCH | LUNCH | LUNCH |
| 13:30 - 14:20 | Why so optimized? (Ege BALCI) | Enhancing AWS Security: A Holistic Approach to Organization Management (Bogdan Nicorici) | Don’t flatten yourself: restoring malware with Control-Flow Flattening obfuscation (Geri Revay, Fortinet) |
| 14:30 - 15:20 | Uncommon process injection pattern (Yoann DEQUEKER, @OtterHacker) | Standing on the Shoulders of Giant(Dog)s: A Kubernetes Attack Graph Model (Julien Terriac) | Operation Triangulation – attacks on iPhones/iPads (Marco Preuss, Kaspersky) |
| 15:30 - 16:00 | COFFEE | COFFEE | COFFEE |
| 16:00 - 16:50 | Hijacking the Java Virtual Machine (JVM) and Bypassing Runtime Application Self-Protection (RASP) (Mouad Kondah) | How to Break into Organizations with Style: Hacking Access Control Systems (Julia Zduńczyk) | CLOSED |
| 17:00 - 17:50 | Diving into JumpServer: The public key unlocking your whole network (Oskar Zeino-Mahmalat) | Smart toy vulnerabilities can put your child at risk of abuse by strangers (Nikolay Frolov) | CLOSED |



Friday, April 26th

| Time | CAMPUS (Auditorium B) | CLOUD (Auditorium C) | GARDEN (Room 1ABC) |
|---|---|---|---|
| 09:00 - 09:50 | KEYNOTE: Threats and Mitigations Landscape in the Age of Generative AI (Andrei Kucharavy) | | CLOSED |
| 10:00 - 10:30 | COFFEE | COFFEE | COFFEE |
| 10:30 - 11:20 | The tale of Rhadamanthys and the 40 thieves - the nuts, bolts, and lineage of a multimodular stealer (Hasherezade & Ben Herzog) | From keyless to careless: Abusing misconfigured OIDC authentication in cloud environments (Christophe Tafani-Dereeper) | CLOSED |
| 11:30 - 12:20 | When Malware Becomes Creative: A Survey of Advanced Android Detection Evasion Tactics (Dimitrios Valsamaras) | Microsoft 365's BEC - Detection Engineering Challenges and Opportunities (Eliraz Levi) | CLOSED |
| 12:30 - 13:30 | LUNCH | LUNCH | LUNCH |
| 13:30 - 14:20 | ADDS Persistence - Burn it, burn it all (Shutdown (Charlie BROMBERG) & Volker) | What Can We Do About Cryptocurrency Scams? (Keven Hendricks) | TBA |
| 14:30 - 15:20 | The Accessibility Abyss: Navigating Android Malware Waters (Axelle Apvrille) | Patch Different on *OS (John McIntosh) | Beating the Sanitizer: Why you should add mXSS to your Toolbox (Paul Gerste & Yaniv Nizry) |
| 15:30 - 16:00 | COFFEE | COFFEE | COFFEE |
| 16:00 - 16:50 | Secret web hacking knowledge - CTF authors hate these simple tricks (Philippe Dourassov) | Current Affairs: IoT Security 101 (Iana Peix) | Choose your own adventure - Red team edition (Nicolas Heiniger) |
| 17:00 - 17:50 | An Uninvited House Guest: How PROXYLIB Overstayed its Welcome on Android Devices (Lindsay Kaye) | Living off the Land and Attacking Operational Technology with Surgical Precision (Ric Derbyshire) | mFT: Malicious Fungible Tokens (Mauro Eldritch) |

It’s time for (r)evolution

Charl van der Walt

SPEAKER BIO

Charl van der Walt is the Global Head of Security Research at Orange Cyberdefense. He leads a team of independent researchers that works on behalf of the company and its community to pick at the intractable challenges in security, seeking to understand the what, where and why of real challenges the industry wrestles with. Their work is widely recognized and featured frequently in forums like BlackHat, RSAC and elsewhere.

Before being acquired by Orange, Charl was a co-founder and CEO at SensePost, where he spent 16 years in professional penetration testing and offensive cyber training.

Charl is the father of a young boy and lives in Cape Town, South Africa. He spends his free time seeking adventure through surfing, climbing, ultra-endurance racing and, most recently, ocean yacht racing.

ABSTRACT
The system isn’t broken, it's working exactly as designed.

I feel so angry! It’s a cynical scheme. It’s almost impossible for me to find a product at the grocery store that isn’t individually packaged in some kind of plastic. So I dutifully work away to do my bit for the environment by sorting my trash, but all of our efforts to recycle really come to nothing. Meanwhile, oil, retail and other big industries, with the support of governments worldwide, will produce and use more plastic than ever. Because they’re allowed to, and it earns them more profit.

Recycling is a deception designed to keep us busy and distracted by our own sense of guilt and duty, while the system on the whole does what it was always designed to do – generate profits for shareholders – regardless of the impact on the environment and the societies that depend on it.

This is also how the security industry has felt to me lately: We’re all frantically busy discovering, detecting, mitigating or dealing with vulnerabilities in security products – doing our best to do our part for the good of the ‘community’ - while the ‘system’ continues to produce products we don’t need, services that don’t help, and security software that introduces more problems than it solves.

But the system isn’t broken, it's working exactly as designed. Because we’re an industry built to generate profit, not a community dedicated to building a safer society. If that’s ever going to change, we need to end the evolution, and start a revolution. And the revolution needs to begin with us.

To change the system we need to ascend beyond our daily routine of ‘recycling’ the same tired old security narratives that keep us busy and distracted with tasks and duties that don’t really change anything. We need to engage and act at the level where the system is designed and developed, to describe and demand a new system that is truly dedicated to delivering the free and safe digital world we all want to live in.

This is a talk about why our industry doesn’t work, and why it's fundamentally designed to be that way. It’s a call to revolution. A challenge to all of us to be part of the solution, not part of the problem.

Threats and Mitigations Landscape in the Age of Generative AI

Andrei Kucharavy

SPEAKER BIO

Andrei Kucharavy has been bladerunning rogue Generative AIs in the wild, launched forth to advance the goals of attackers in cyber-space, be they bored teenage hackers or APTs.

A former fellow of the Swiss Cyber-Defence Campus, he is now looking for all the ways LLMs accentuate existing cyber-threats or create new ones, and all the ways they can be mitigated before it is too late.

ABSTRACT
While LLMs have been a technology slowly developing since 2019, it wasn't until the public demo of ChatGPT in late 2022 that the general public became aware of its true potential, launching a global push to integrate LLMs into workflows across different domains and industries and a proliferation of different models released publicly.

However, there is a dark side to the LLM proliferation. In the same way that they can be used as tools for legitimate purposes, they can also be used for nefarious purposes, notably by cyber-criminals.

Not only that, but even their legitimate usage, be it as components of programs or to generate code and documentation, creates new, vast, and poorly understood attack surfaces.

This keynote will take you on a ride to the darkest parts of the LLM-generated cyber-security horrors, raising your awareness, hopefully without scarring you.

Enhancing AWS Security: A Holistic Approach to Organization Management

Bogdan Nicorici
SPEAKER BIO

I'm Bogdan Nicorici, and my journey in IT has been a dynamic evolution. Commencing as an IT Support Technician in 2008, I navigated through different roles, progressing from Unix System Engineer to Senior Unix System Engineer. Notably, I contributed as a Security Engineer (Pentester) and, since 2019, have continued to grow at Nexthink, where I initially served as a Senior Security Engineer.

Over time, my role has evolved towards the position of a Cloud Security Architect. In my current capacity, I am actively engaged in enhancing Nexthink's cloud security posture, ensuring that our digital environment remains robust and secure.

ABSTRACT
In the ever-evolving landscape of AWS, navigating security across a sprawling organization with diverse accounts presents a unique set of challenges. This presentation offers a candid and practical exploration of our experiences, triumphs, and setbacks in securing large-scale AWS deployments.

Join us as we unveil the strategies employed to fortify our AWS infrastructure, including the implementation of centralized logging for enhanced visibility. Dive into the intricacies of our just-in-time access portal, designed to streamline user access with an approval system and time-bound constraints. This session aims to demystify the complexities of securing a vast AWS ecosystem, providing actionable insights for both seasoned professionals and those embarking on their cloud journey.

Discover firsthand the real-world considerations, unexpected twists, and invaluable lessons learned in the pursuit of a resilient and secure AWS organization. Whether you're a seasoned cloud architect or a novice in the field, this presentation promises to shed light on the pragmatic aspects of safeguarding AWS environments at scale.

Microsoft 365's BEC - Detection Engineering Challenges and Opportunities

Eliraz Levi
SPEAKER BIO

Senior Security Researcher with 15 years of experience in the cyber security field.

My core areas of expertise are detection engineering, incident response, and digital forensics.
I’ve been working on large-scale incident response investigations, including ransom, data theft, financial frauds, and more.

Furthermore, I've collaborated with global enterprises on reinforcing their security infrastructure, fine-tuning threat hunting operations, and mentoring SOC analysts.

ABSTRACT
With a $3B annual financial toll reported in the US alone, BEC remains a significant security concern.

This talk highlights a typical attack flow in the Microsoft 365 ecosystem, followed by an in-depth discussion of practical hunting and the challenges it presents.

Discussions will also extend to visibility gaps, event correlation, noise reduction, and licensing limitations, providing both context and solutions.

FuzzyAI: Attacking LLMs with Coverage-Guided Fuzzing

Eran Shimony & Mark Cherp
SPEAKER BIO

Eran Shimony is a Principal Security Researcher at CyberArk with an extensive background in security research that includes years of experience in malware analysis and vulnerability research on multiple platforms. He previously spoke at RSAC, Nullcon, HITB Amsterdam, and many more. Shimony has discovered several dozen acknowledged vulnerabilities across major vendors including Microsoft, Intel, Samsung, Facebook, and many more. Besides finding security bugs, he enjoys mixing and, of course, drinking cocktails.
Mark Cherp is a Vulnerability Team Leader at CyberArk with a special interest in AI and low-level, kernel-space attack vectors and a strong interest in fuzzing and other automation techniques for bug discovery. Mark has previously worked for Microsoft, Checkpoint, and several other companies in the Israeli cyber industry. He had the chance to tackle multiple vulnerability research domains such as cloud, network, mobile, and other endpoints.
ABSTRACT
With Large Language Models (LLMs) like ChatGPT, Bard, and Claude swiftly establishing themselves as keystones in our digital ecosystem, the inevitable is on the horizon: an explosion of adversarial attacks targeting these systems, leading to severe data leaks and misguided outputs. Leveraging our profound experience in vulnerability research and a robust background in the bug bounty community, our team has pivoted to address the nuances of LLMs. Our intent doesn't halt at mere identification; we're pioneering the generation of these potential adversarial attacks. Central to our strategy is the amalgamation of GAN-based fuzzers and attention-centric detection tools. In this session, attendees will be offered an immersive journey, marrying traditional vulnerability research techniques with the evolving demands of LLM security, thereby sketching a roadmap for the future of adversarial defense strategies.

Smart toy vulnerabilities can put your child at risk of abuse by strangers

Nikolay Frolov
SPEAKER BIO

Nikolay Frolov is a cybersecurity expert with over a decade of experience in the field. Currently serving as a Senior Researcher at Kaspersky's ICS CERT since 2021, he specializes in assessing and analyzing Industrial Control Systems. Nikolay's expertise extends to identifying threats targeting industrial automation systems, Industrial Internet of Things, and addressing security challenges in the automotive and mobile sectors. Alongside his impactful research, he imparts knowledge by teaching reverse engineering at the Moscow Engineering Physics Institute, contributing to the next generation of cybersecurity professionals.

Principal Security Researcher at Kaspersky ICS CERT. Has extensive professional experience in Cryptography and Computer Security, with a special interest in reverse engineering and hardware.
ABSTRACT
Smart devices are becoming an increasingly integral part of our lives with each passing year, and this trend extends to our children as well. Intelligent robot assistants, for instance, have found their way into our homes and are now interacting with our kids on a regular basis. However, amidst this digital revolution, cyber security challenges continue to loom large. As these smart devices become more interconnected and involved in our daily routines, it is crucial to address the vulnerabilities and safeguard our children's privacy and online safety.

A small Android-based robot for kids ages 5 to 9 uses a wide-angle HD camera and hi-tech sensors to map distance and edges, facilitating movement. The manufacturers assert that the smart toy, equipped with a video camera and microphone, utilizes artificial intelligence that enables it not only to recognize and address children by name but also to respond to their mood, getting to know them better over time. Parents also need to download the appropriate app to take full advantage of the toy, which can entertain and educate through various gaming applications.
Researchers from Kaspersky have discovered vulnerabilities in a popular smart toy robot, which could potentially allow cybercriminals to take control and misuse it to secretly communicate with children through video chat, without the knowledge of their parents. The companion app for this robot risks compromising sensitive information including children's names, genders, ages and even their locations.
In this session, we will present the results of our in-depth research into the security issues of this popular robot.

From keyless to careless: Abusing misconfigured OIDC authentication in cloud environments

Christophe Tafani-Dereeper
SPEAKER BIO

Christophe lives in Switzerland and works on cloud security research and open source at Datadog. He previously worked as a software developer, penetration tester and cloud security engineer. Christophe is the maintainer of several open-source projects such as Stratus Red Team, GuardDog, CloudFlair, Adaz, and the Managed Kubernetes Auditing Toolkit (MKAT).
ABSTRACT
In cloud environments, static and long-lived credentials are discouraged as they often get leaked. To solve this problem, cloud providers such as AWS, Azure and Google Cloud support "keyless authentication" through OpenID Connect (OIDC), allowing you to exchange JSON Web Tokens (JWTs) signed by trusted identity providers for cloud credentials. Keyless authentication is especially popular for CI/CD, and enables pipelines to seamlessly authenticate to a cloud environment.

Keyless authentication is easy to configure — and unfortunately, to misconfigure. In this talk, we demonstrate that AWS IAM roles using keyless authentication are, in many cases, insecurely configured allowing unauthenticated attackers to retrieve cloud credentials and further compromise the environment. We share our research where we identified dozens of vulnerable roles in the wild; in particular, we were able to compromise AWS credentials of an account belonging to the UK government, and pivot from there to an internal code repository. Finally, we showcase not only how to identify vulnerable roles in your environment, but also how to use higher-level guardrails to ensure that a human mistake doesn't turn into a data breach.
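The misconfiguration class the abstract describes, as an added example (my code, not the speaker's or Datadog's tooling, and the page does not say which exact condition the vulnerable roles lacked): an AWS role trust policy for GitHub Actions OIDC that only pins the `aud` claim is open to every workflow on GitHub, because any repository can request a token with `aud=sts.amazonaws.com`. The `sub` claim has to be pinned to an owner/repository (and ideally a branch or environment). The three policies, the account ID and the repository names below are constructed.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
ACCOUNT = "123456789012"  # placeholder account ID (constructed)


def _policy(condition):
    """Build a trust policy allowing AssumeRoleWithWebIdentity from GitHub's OIDC provider (constructed)."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


# Weak: only the audience is checked, which every GitHub Actions workflow can satisfy.
WEAK_POLICY = _policy({"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}})

# Weak: the subject is checked, but with a wildcard that matches every owner and repository.
WILDCARD_POLICY = _policy({
    "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{GITHUB_OIDC}:sub": "repo:*"},
})

# Fixed: audience checked and subject pinned to one repository and branch.
FIXED_POLICY = _policy({
    "StringEquals": {
        f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
        f"{GITHUB_OIDC}:sub": "repo:example-org/example-repo:ref:refs/heads/main",
    }
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _sub_is_unscoped(pattern):
    """True when a sub pattern does not pin at least the owner of the repository."""
    if pattern.strip() == "*":
        return True
    if pattern.startswith("repo:"):
        owner = pattern[len("repo:"):].split("/", 1)[0]
        return owner == "" or "*" in owner
    return False


def audit_trust_policy(policy_json, issuer=GITHUB_OIDC):
    """Return (severity, message) findings for statements that let issuer-signed JWTs assume the role."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRoleWithWebIdentity", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if not any(issuer in f for f in federated):
            continue
        # Collect sub/aud values across every String* operator (StringEquals, StringLike, ...).
        sub_values, aud_values = [], []
        for operator, keys in stmt.get("Condition", {}).items():
            if "String" not in operator:
                continue
            for key, values in keys.items():
                if key.lower() == f"{issuer}:sub".lower():
                    sub_values += _as_list(values)
                elif key.lower() == f"{issuer}:aud".lower():
                    aud_values += _as_list(values)
        if not sub_values:
            findings.append(("high", f"statement {idx}: no {issuer}:sub condition; any token from {issuer} can assume the role"))
        elif any(_sub_is_unscoped(v) for v in sub_values):
            findings.append(("high", f"statement {idx}: {issuer}:sub pattern is not scoped to an owner/repository"))
        if not aud_values:
            findings.append(("medium", f"statement {idx}: no {issuer}:aud condition; tokens minted for other audiences are accepted"))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("wildcard", WILDCARD_POLICY), ("fixed", FIXED_POLICY)):
        print(name, audit_trust_policy(policy) or "OK")
```

To run this against real roles, feed it the `Role.AssumeRolePolicyDocument` field returned by `aws iam get-role` for each role in the account. The check is deliberately conservative: an `StringLike` pattern such as `repo:example-org/*` passes because the owner is pinned, even though branch-level pinning is stricter, and other issuers (GitLab, CircleCI, custom IdPs) use different `sub` formats, so only the bare `*` case is flagged for them.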

Why so optimized?

Ege BALCI
SPEAKER BIO

Ege BALCI is a dedicated cyber security researcher who is currently working as Threat Intelligence Division Manager at PRODAFT. His main research areas include malware anti-detection, de-anonymization, exploit development, and reverse engineering. Throughout his career, Ege has successfully reported critical threats and vulnerabilities to large vendors, conducted multiple threat intelligence operations across the world, and taken a critical part in multiple forensic investigations. Additionally, he is an active member of the open-source community and has authored and contributed to various offensive security projects, such as Metasploit and Sliver. Ege is also a frequent speaker at several globally recognized cyber security conferences, including BotConf, HackInParis, Confidence, NopCon, Hackerconf, and more. His contributions to the industry have been recognized and appreciated by his peers.
ABSTRACT
In the ever-evolving landscape of cybersecurity, attackers are continuously exploring innovative techniques to outsmart security products and their detection mechanisms. This presentation offers a comprehensive exploration into a novel approach – the de-optimization of compiler-generated machine code instructions – to bypass security products without resorting to conventional evasion techniques.

The talk delves into how we can use mathematical methods such as arithmetic partitioning, logical inverse, polynomial distribution, and logical partitioning to re-create the target binary by transforming its instructions. Through these mathematical approaches, the speaker demonstrates the capability to mutate or transform approximately 95% of the instructions, presenting a significant challenge to traditional static rule-based detection mechanisms employed by security products.

Notably, this presentation introduces a paradigm shift by showcasing the effectiveness of de-optimization tricks in circumventing security measures without the reliance on self-modifying code and Read-Write-Execute (RWE) memory regions. Attendees will gain a deep understanding of the intricacies involved in the de-optimization process and how these techniques can be strategically employed to evade detection.
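A minimal model of the idea, added here as an illustration (my code, not the speaker's tool): every `mov reg, imm` is rewritten into an arithmetically equivalent sequence, so a byte-pattern signature on the original constant no longer matches while the computed value is unchanged. The mapping of the four method names to the rewrites below is my reading of those names and is an assumption; the program is a list of symbolic instructions rather than machine-code bytes, and the interpreter covers only the handful of 32-bit operations the transforms emit.

```python
import random

MASK32 = 0xFFFFFFFF


def default_rng(seed=2024):
    return random.Random(seed)


def execute(program, regs=None):
    """Interpret (op, dst, src) tuples over 32-bit registers. src is an int immediate,
    a register name, or None for single-operand ops."""
    regs = dict(regs or {})

    def val(x):
        return regs[x] if isinstance(x, str) else x & MASK32

    for op, dst, src in program:
        if op == "mov":
            regs[dst] = val(src)
        elif op == "add":
            regs[dst] = (regs[dst] + val(src)) & MASK32
        elif op == "xor":
            regs[dst] = regs[dst] ^ val(src)
        elif op == "imul":
            regs[dst] = (regs[dst] * val(src)) & MASK32
        elif op == "not":
            regs[dst] = ~regs[dst] & MASK32
        else:
            raise ValueError(f"unsupported op {op}")
    return regs


# Each transform rewrites "mov reg, imm" into an equivalent longer sequence (assumed meanings).
def arithmetic_partition(reg, imm, rng):
    """imm = a + b (mod 2^32):  mov reg, a ; add reg, b"""
    a = rng.randrange(1 << 32)
    return [("mov", reg, a), ("add", reg, (imm - a) & MASK32)]


def logical_inverse(reg, imm, rng):
    """imm = ~(~imm):  mov reg, ~imm ; not reg"""
    return [("mov", reg, ~imm & MASK32), ("not", reg, None)]


def logical_partition(reg, imm, rng):
    """imm = a ^ b:  mov reg, a ; xor reg, b"""
    a = rng.randrange(1 << 32)
    return [("mov", reg, a), ("xor", reg, (imm ^ a) & MASK32)]


def polynomial_distribution(reg, imm, rng):
    """imm = k*q + r (mod 2^32):  mov reg, k ; imul reg, q ; add reg, r"""
    k = rng.randrange(1, 1 << 16)
    q = rng.randrange(1, 1 << 16)
    return [("mov", reg, k), ("imul", reg, q), ("add", reg, (imm - k * q) & MASK32)]


TRANSFORMS = [arithmetic_partition, logical_inverse, logical_partition, polynomial_distribution]


def deoptimize(program, rng):
    """Replace every 'mov reg, imm' with a randomly chosen equivalent sequence; keep everything else."""
    out = []
    for instr in program:
        op, dst, src = instr
        if op == "mov" and isinstance(src, int):
            out.extend(rng.choice(TRANSFORMS)(dst, src, rng))
        else:
            out.append(instr)
    return out


def matches_signature(program, signature):
    """Static-signature style check: does this exact instruction sequence occur in the program?"""
    n = len(signature)
    return any(program[i:i + n] == signature for i in range(len(program) - n + 1))


if __name__ == "__main__":
    rng = default_rng()
    original = [("mov", "eax", 0xDEADBEEF), ("mov", "ecx", 4), ("imul", "eax", "ecx")]
    mutated = deoptimize(original, rng)
    sig = [("mov", "eax", 0xDEADBEEF)]
    print("original hits signature:", matches_signature(original, sig))
    print("mutated hits signature: ", matches_signature(mutated, sig))
    print("same final registers:   ", execute(original) == execute(mutated))
```

The caveat a real implementation has to handle is flag side effects: `add`, `xor` and `imul` write EFLAGS while `mov` does not, so a rewrite is only safe where the flags are dead at that point, which is why a production tool needs liveness analysis on the disassembly and not just a table of algebraic identities.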

Secret web hacking knowledge - CTF authors hate these simple tricks

Philippe Dourassov
SPEAKER BIO

My name is Philippe Dourassov (@pilvar222), and I am an EPFL student passionate about web exploitation. During my time in polygl0ts (the EPFL CTF team), /mnt/ain (the Swiss national hacking team for the ECSC), and organizers (the CTF team organizers, not to be confused with the organizers of the CTF), I actively participated in numerous CTFs during which I developed an expert level of knowledge in web hacking.

As a student job, I do bug bounty hunting and penetration testing with my company Pentest by Dourassov. During my free time, I like getting nerd-sniped by various web-related concepts and exploring them.

ABSTRACT
In the world of web security, there are pitfalls people never stop falling into, even the hackers themselves. From HackTheBox challenges to Insomni'hack teaser ones, most can be solved with powerful yet straightforward techniques.

In this talk, we will explore these powerful and little-known techniques, going from the most trivial to the obscure and technical ones.

Standing on the Shoulders of Giant(Dog)s: A Kubernetes Attack Graph Model

Julien Terriac
SPEAKER BIO

Julien Terriac is a French senior security researcher with a strong background in pentesting and a special taste for Windows authentication, Active Directory inner workings and reverse engineering. He developed several offensive automation tools such as ProtonPack, Lycos, ExploitPack and IAMBuster.

He led the R&D department at XMCO for 5 years before joining Datadog as the Team Lead for Adversary Simulation Engineering (ASE), where his team builds offensive tools and frameworks that automate the simulation of real-life attacks against Datadog.
ABSTRACT
The Kubernetes attack surface within modern organizations is vast, with often tens or hundreds of thousands of containers. Understanding interdependencies in a system of this scale, in particular gaps left open by seemingly innocent configuration changes, is beyond human capability. As such, the current mental model of defense of Kubernetes assets remains list-based; attempting to identify vulnerable configurations of single resources. This illustrates the well-known adage: "Defenders think in lists, attackers think in graphs; as long as this is true, attackers win".

The aim of the KubeHound project is to pivot the mental model of Kubernetes defense from list-based thinking to graph-based thinking. A graph database of Kubernetes attack paths can answer crucial questions for attackers and defenders alike:

* What percentage of internet facing services have an exploitable path to a critical asset?
* What type of control would cut off the largest number of attack paths to a critical asset in a cluster?
* What percentage level of attack path reduction was achieved by the introduction of a given control?

In short, single-point security findings have little traction: a finding such as "container X has Y dangerous privileges" is challenging for defensive teams to prioritize and fix, particularly when it has no direct impact by itself (e.g. an over-privileged account). But KubeHound, as a queryable graph database of attack paths, makes reasoning about security problems via data-driven testing of hypotheses extremely efficient.
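The three questions above, answered over a toy attack graph, as an added example (my code, not KubeHound, whose storage, schema and query language are not described on this page): a small constructed cluster is modelled as directed edges labelled with the attack step that crosses them, and simple path enumeration gives the exposure percentage, a ranking of which control (removing one edge type cluster-wide) cuts the most paths, and the reduction a given control achieves. The node names and edge labels are my own.

```python
from collections import defaultdict

# Constructed toy cluster as (source, attack_edge, destination) triples. Edge labels describe
# the step an attacker takes to move from one resource to the next (my naming, not KubeHound's).
EDGES = [
    ("endpoint/web", "ENDPOINT_EXPLOIT", "pod/web"),          # internet-facing service -> pod RCE
    ("endpoint/api", "ENDPOINT_EXPLOIT", "pod/api"),
    ("endpoint/metrics", "ENDPOINT_EXPLOIT", "pod/metrics"),
    ("pod/web", "IDENTITY_ASSUME", "sa/web"),                 # mounted service-account token
    ("pod/api", "IDENTITY_ASSUME", "sa/api"),
    ("sa/web", "PERMISSION_DISCOVER", "role/pod-exec"),       # RBAC binding grants pods/exec
    ("role/pod-exec", "POD_EXEC", "pod/ops"),                 # exec into a more privileged pod
    ("pod/ops", "IDENTITY_ASSUME", "sa/ops"),
    ("sa/ops", "PERMISSION_DISCOVER", "role/cluster-admin"),
    ("sa/api", "PERMISSION_DISCOVER", "role/secrets-read"),
    ("role/secrets-read", "TOKEN_STEAL", "sa/ops"),           # read the ops SA token from a Secret
]
INTERNET_FACING = ["endpoint/web", "endpoint/api", "endpoint/metrics"]
CRITICAL = "role/cluster-admin"


def build(edges):
    """Adjacency map: node -> [(edge_type, next_node)]."""
    adj = defaultdict(list)
    for src, edge_type, dst in edges:
        adj[src].append((edge_type, dst))
    return adj


def attack_paths(adj, src, dst):
    """All simple paths src -> dst as lists of (node, edge_type, node); DFS is fine at this size."""
    paths = []

    def dfs(node, visited, path):
        if node == dst:
            paths.append(list(path))
            return
        for edge_type, nxt in adj.get(node, []):
            if nxt not in visited:
                visited.add(nxt)
                path.append((node, edge_type, nxt))
                dfs(nxt, visited, path)
                path.pop()
                visited.discard(nxt)

    dfs(src, {src}, [])
    return paths


def exposure(adj, entry_points, critical):
    """Q1: percentage of entry points with at least one path to the critical asset, plus which ones."""
    exposed = [e for e in entry_points if attack_paths(adj, e, critical)]
    return 100.0 * len(exposed) / len(entry_points), exposed


def total_paths(adj, entry_points, critical):
    return sum(len(attack_paths(adj, e, critical)) for e in entry_points)


def without(edges, edge_type):
    """Model a control that eliminates one attack step everywhere (e.g. automountServiceAccountToken:
    false removes IDENTITY_ASSUME, dropping the pods/exec verb removes POD_EXEC)."""
    return [e for e in edges if e[1] != edge_type]


def rank_controls(edges, entry_points, critical):
    """Q2: for each edge type, how many attack paths disappear if that step is removed cluster-wide."""
    baseline = total_paths(build(edges), entry_points, critical)
    return {t: baseline - total_paths(build(without(edges, t)), entry_points, critical)
            for t in sorted({e[1] for e in edges})}


def reduction(edges, edge_type, entry_points, critical):
    """Q3: percentage of attack paths cut by introducing the control that removes edge_type."""
    before = total_paths(build(edges), entry_points, critical)
    after = total_paths(build(without(edges, edge_type)), entry_points, critical)
    return 100.0 * (before - after) / before if before else 0.0


if __name__ == "__main__":
    adj = build(EDGES)
    pct, exposed = exposure(adj, INTERNET_FACING, CRITICAL)
    print(f"{pct:.1f}% of internet-facing services reach {CRITICAL}: {exposed}")
    for control, cut in sorted(rank_controls(EDGES, INTERNET_FACING, CRITICAL).items(), key=lambda kv: -kv[1]):
        print(f"remove {control:<20} cuts {cut} path(s)")
    print(f"POD_EXEC control reduction: {reduction(EDGES, 'POD_EXEC', INTERNET_FACING, CRITICAL):.0f}%")
```

The output makes the list-versus-graph point concrete: `pod/metrics` has the same exposure as the other pods on a per-resource checklist, yet it contributes no path, while the ranking shows that removing `POD_EXEC` alone still leaves the `TOKEN_STEAL` route to `sa/ops` open. On a real cluster the graph is far too large for naive DFS, which is why KubeHound stores it in a graph database and answers these questions with queries.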

You Gotta Fight For Your Right To Third-Party

Mat Caplan
SPEAKER BIO

Mathew Caplan is Managing Consultant for Orange Cyberdefense based in London, England. He is a highly experienced information security specialist and SABSA Chartered Security Architect with over 25 years in the field and has a proven record in the implementation and maintenance of information risk management processes.

As a recognised trusted advisor, Mathew has led and advised many businesses on cybersecurity strategy, security governance, roadmap, and vision and is comfortable connecting at all levels in organisations from small and medium-sized enterprises to large multinationals across a broad spectrum of industries. Mathew enjoys finding sustainable solutions to challenging problems. He has worked in the Orange Group on many international projects being the go-to person on security and compliance matters for some very high-profile customers.

Mathew loves cats, music, and football and wherever possible will combine his audio-visual and photoshop skills to simplify complex topics and breathe life into cybersecurity.

https://www.linkedin.com/in/mathewcaplan/

ABSTRACT
Third-party relationships continue to expand rapidly as companies seek outsourced services and solutions to optimize performance. Consequently, threat surfaces have broadened leading to increased cyber-attacks on third parties both in terms of frequency and sophistication.

In 2021 there was a 300% increase in supply chain attacks and over half the security incidents in 2022 were third-party related. Both trends continue to increase.

Recent global events have demonstrated the need for resilient supply chains whilst Environmental, Social, and Governance (ESG) and compliance to regulations creates greater scrutiny on third-party practices.

This briefing is about how to cope with Third-Party Risk Management (TPRM) from both a customer and a supplier perspective.

The subject of third-party risk and supply chain security affects all organisations whether they be a supplier or a customer. These days organisations are typically both. This topic is very broad but relevant to everyone involved and interested in risk and security from application developers to CISO's.

This presentation is intended to be both entertaining and thought-provoking and includes a sprinkling of popular culture, music, and video.

Current Affairs: IoT Security 101

Iana Peix
SPEAKER BIO

Iana Peix is a recent graduate of the EPFL-ETH Cyber Security Masters program. Previously, she completed her Bachelor’s in Communication Systems at EPFL. Her six-month internship at the Cyber Defence Campus in Lausanne allowed her to combine two of her major interests: energy transition and looking for exploits, culminating in her master's thesis presented in the talk.

ABSTRACT
Hacking IoT is a child's game, at least to most Insomni'hack attendees. But what if the IoT devices in question add up to gigawatts of electricity and the hacker is not an Insomni'hack attendee but somebody with truly malicious intentions?

Beating the Sanitizer: Why you should add mXSS to your Toolbox

Paul Gerste & Yaniv Nizry
SPEAKER BIO

Paul Gerste (@pspaul95) is a vulnerability researcher on Sonar's R&D team. He has a proven talent for finding security issues, demonstrated by his two successful Pwn2Own participations and discoveries in popular applications like Proton Mail, Visual Studio Code, and Rocket.Chat. When Paul is not at work, he enjoys playing CTFs and organizing Hack.lu CTF.

Yaniv Nizry (@YNizry) is a Vulnerability Researcher at Sonar where he leverages his expertise to identify and mitigate vulnerabilities in complex systems. Starting his way as a software engineer, he shifted his focus while serving in the IDF's 8200 unit, where he gained experience in both offensive and defensive cybersecurity tactics.

ABSTRACT
Cross-Site Scripting (XSS) attacks and their risks to web applications are well-known. However, a lesser-known variant called mutation XSS (mXSS) has emerged over the last few years, adding a new dimension to this vulnerability type. This talk explores the underlying mechanisms and techniques mXSS uses to bypass security measures.

We will present real-world case studies of impactful mXSS vulnerabilities in popular applications, highlighting potential consequences like data leakage, account compromise, and remote code execution.

Participants will gain a comprehensive understanding of mXSS, its root causes, and its impact on web application security. We will equip the audience with the knowledge of how to protect against mXSS attacks, and how to exploit them in real-world applications.

Patch Different on *OS

John McIntosh
SPEAKER BIO

John McIntosh ([@clearbluejar](https://twitter.com/clearbluejar)) is a security researcher at [@clearseclabs](https://www.clearseclabs.com/). He is passionate about learning and sharing knowledge on topics such as binary analysis, patch diffing, and vulnerability discovery. He is the creator of several open-source security tools and also blogs regularly about his research projects and experiments with Ghidra and patch diffing. With over a decade of offensive security experience, speaking and teaching at security conferences worldwide, he is always eager to learn new things and collaborate with other security researchers.
ABSTRACT
Binary diffing is a powerful technique for reverse engineering, vulnerability research, and malware analysis. It allows security researchers to compare two versions of a binary and identify the changes related to security patches. By doing so, they can gain insights into the root causes of the latest CVEs and patched vulnerabilities.

However, patch diffing is not equal for all operating systems. While Windows provides convenient access to binaries, download links, and public symbols, \*OS poses several challenges for patch diffing. Apple has historically made its binaries less accessible, and even encrypted its software distributions in the IPSW (iPhone Software) format until later versions of iOS. Moreover, \*OS security updates vary across products (watchOS, tvOS, iOS, and macOS) and the binaries are embedded in the dyld_shared_cache (DSC), complicating the diffing process.

In this talk, we will show you how to overcome these challenges and perform effective patch diffing on \*OS platforms in 2024. We will demonstrate how to use open-source reverse engineering tools (such as ipsw and Ghidra) to extract and analyze IPSW files, which contain the software updates for iOS and macOS. We will also show you how to find the updated binaries, extract embedded binaries from the DSC, and use freely available binary diffing tools to compare them. Finally, we will walk you through three real-world examples of patch diffing on \*OS, and how to map the binary changes to recent CVEs. From there we will identify and reverse engineer the underlying vulnerabilities for each CVE.

This talk will not only teach you the skills and tools for patch diffing on modern \*OS platforms, but also inspire you to explore the untapped potential of this technique for discovering new vulnerabilities and understanding the Apple security ecosystem. You will discover what makes patch diffing on \*OS different and challenging, and how to overcome these obstacles with open-source tools and methods.

Uncommon process injection pattern

Yoann DEQUEKER (@OtterHacker)
SPEAKER BIO

Yoann DEQUEKER (@OtterHacker) is a security consultant at Wavestone, OSCP and CRTO certified.

While he mainly performs Red Team operations against large companies, he spends time developing custom C2 frameworks and malware to ease engagements and the deployment of C2 beacons in secured environments.

In 2023, he presented most of his research at public conferences and workshops such as LeHack in Paris and DEF CON 31 in Las Vegas.

ABSTRACT
Process injection is a popular technique for executing malicious payloads without the knowledge of users or defense tools. However, EDR solutions have had a major impact on the reliability of these techniques.

The aim of this talk is to present a way out of the standard patterns of process injection by mixing several techniques: Module Stomping, threadless injection to eliminate the use of certain Windows APIs, and hardware breakpoints (HWBP) to bypass EDR hooks.

Throughout the talk, we will dive into Windows internals and look at the impact of the different techniques on EDR alerts, to understand the pros and cons of each technique.

The tale of Rhadamanthys and the 40 thieves - the nuts, bolts, and lineage of a multimodular stealer

Hasherezade & Ben Herzog
SPEAKER BIO

Hasherezade is a malware researcher & Open Source developer. Author of multiple applications related to malware analysis, such as PE-bear, PE-sieve, TinyTracer.

Ben is a security researcher. His technical work includes reverse engineering of Rust PL features and cryptanalysis of targeted ransomware. He has also published technical profiles of various malware strains, as well as many introductory texts and detailed reviews on the subjects of malware, cryptography and vulnerability research.

ABSTRACT
One of the most common missions of malware is information theft. For a long time the playing field had seemed tired, saturated and predictable. The same established actors like RedLine, Vidar and Raccoon would sometimes add a feature or fix a bug. No one expected innovation in this field, or asked for it.

However, in September 2022, a new challenger broke into the market for infostealer malware: Rhadamanthys, a malware-as-a-service (MaaS) offering with a multilayer design on par with unusually complicated staged loaders. This malware's modular architecture allowed shipping a variety of targeted stealer components, attacking almost every application that a distributor could imagine, and some they probably couldn't. As we found out later, this complex piece of malware didn't come out of nowhere: it was based on the code of a different malware, developed for years, most likely by the same author, the Hidden Bee coin miner, which has its own intriguing history.

In this talk we will take a deep dive into the history, design, implementation and many (many) features of Rhadamanthys stealer - including some of the more interesting tricks its prolific author came up with in their ambitious quest to create the most complex, comprehensive information stealer malware ever seen on the open market.

What Can We Do About Cryptocurrency Scams?

Keven Hendricks
SPEAKER BIO

Keven Hendricks is a 17-year veteran detective with a municipal police department and has served as a task force officer for two separate federal agencies. He is a published author with the FBI Law Enforcement Bulletin and American Police Beat and currently works as an instructor for various training companies, teaching a class for law enforcement on dark web and cyber crime investigations. He is a certified cyber crime examiner and certified cyber crime investigator by the National White Collar Crime Center, a certified cryptocurrency investigator through the Blockchain Intelligence Group, and a certified digital asset professional through the Global Digital Asset & Cryptocurrency Alliance. He is a recognized Subject Matter Expert in cyber crime investigations by the CSIAC - Department of Defense. He has provided insight for pieces published in NPR, The Washington Post, and The Economist, and has been a featured speaker at HackCon, OSMOSISCon, FinancialCrime360, HTCIA Expo, etc. He is the founder of the Ubivis Project - StopDarkwebDrugs.com and sits on the Advisory Board for the Anti Human-Trafficking Intelligence Initiative.
ABSTRACT
Cryptocurrency is undoubtedly a polarizing topic, and those who harbor a negative opinion have likely been inspired by the myriad of scams and fraud that are reported. What can we all do to help stop and mitigate cryptocurrency-facilitated scams?

Living off the Land and Attacking Operational Technology with Surgical Precision

Ric Derbyshire
SPEAKER BIO

Ric is a Senior Security Researcher at Orange Cyberdefense and an Honorary Researcher at Lancaster University, where he obtained his PhD in computer science. His research involves a pragmatic and practically applicable approach to both offensive and defensive elements of cyber security, with a focus on operational technology, critical national infrastructure, novel attack techniques, and quantitative cyber risk assessment.
ABSTRACT
Sophisticated attacks on operational technology (OT) require a unique tactic known as 'process comprehension', which helps adversaries understand how the OT and physical process are configured. Process comprehension is complex, requiring the exfiltration of a large range of data, and perhaps even physical infiltration of the victim. In this talk we’ll present a novel living off the land technique to perform process comprehension at a significantly reduced cost, over the network, while being extremely challenging to detect. We’ll then expand on this technique to show how it can be used for precise process manipulation and establishing PLC memory as a C2 conduit that breaks best practice network segregation. Finally, we’ll conclude the talk with a few words on the responsible disclosure process.

Your NVMe Had Been Syz'ed

Alon Zahavi
SPEAKER BIO

Alon Zahavi is a vulnerability researcher at CyberArk Labs who focuses mainly on the Linux kernel. He uses his knowledge of low-level systems to uncover bugs and vulnerabilities in complex attack surfaces, in order to help make them more secure.
ABSTRACT
NVMe is a game-changing storage technology that delivers unparalleled speed and performance, making it crucial for cloud environments where intensive workloads and scalability demand rapid data access and processing.
In recent years, NVMe-oF/TCP support was added to the Linux kernel, and with it a new attack surface was unlocked.

In this talk, we will present how we added NVMe-oF/TCP subsystem support to syzkaller, the well-known kernel fuzzer, by modifying both the Linux kernel and syzkaller. The multiple vulnerabilities found after running the modified fuzzer will be presented as well.

Hijacking the Java Virtual Machine (JVM) and Bypassing Runtime Application Self-Protection (RASP)

Mouad Kondah
SPEAKER BIO

I’m Mouad Kondah, a Senior Software Engineer at Kudelski Security, and I am based in Lausanne. My work, academic background and interests encompass a multitude of topics, examined from diverse perspectives.

I have a Bachelor’s degree in Mathematics from the University of Neuchâtel and a Master’s degree in Mathematics and Computer Science from the University of Geneva.

I have recently launched my own website: https://www.deep-kondah.com, where I'll be sharing in-depth knowledge about AI, cybersecurity, and software engineering.

ABSTRACT
Runtime Application Self-Protection (RASP) is a security technology introduced by Gartner in 2012 that offers an additional layer of security by monitoring applications in real time to detect suspicious activity. Unlike conventional security mechanisms such as WAF and AV/EDR, RASP is integrated within the application, enabling it to closely monitor the application's runtime environment and identify anomalies that may signal an attack. In this talk, we will explore how one can bypass RASP solutions, particularly for JVM-based applications.

When Malware Becomes Creative: A Survey of Advanced Android Detection Evasion Tactics

Dimitrios Valsamaras
SPEAKER BIO

Dimitrios Valsamaras has participated in many International and local Projects increasing his experience in Mobile, Web and network penetration testing. Dimitrios holds a degree in Computer Science, with a major in Cryptography and Security. His prior experience in the IT industry spans from development and systems administration to IT Security services. He has a strong passion for reverse engineering and was a member of one of the first reverse engineering research groups in Greece. During the last five years, Dimitrios has been working with some of the largest companies in the industry, including Microsoft and Google, focusing on Android Ecosystem Security.
ABSTRACT
Android's rise to one of the world's most popular operating systems has expanded its reach to billions of devices worldwide. This massive footprint is a beacon for malware developers who seek to exploit the personal data of its expansive and diverse user base. As with any operating system, Android threat actors aim to distribute their malicious software as widely as possible. Yet the methodologies for spreading in the Android ecosystem differ significantly from those in traditional desktop environments, which historically have relied on worm-type malware for rapid propagation.

In mobile, application markets serve as a prime channel for reaching this objective, given their role in distributing billions of apps annually. However, a significant hurdle exists: to be listed on prominent platforms such as the Play Store, an app must satisfy specific criteria and undergo thorough screenings for signs of malware, both prior to and post-publication.

During our review of Android malware samples in these markets, we uncovered a multitude of evasion techniques designed to circumvent both static and dynamic detection mechanisms. From simple yet clever methods like analyzing a device's battery level to gauge its legitimacy, to sophisticated technical tactics employing Java reflection, obfuscation, encryption, steganography, and dynamic code loading, these tactics illustrate the evolving nature of modern mobile malware.

This survey presents a thorough examination of the most advanced detection evasion techniques utilized by several of the most notorious Android malware families, with the infamous Joker and Hydra families as key examples. Our in-depth analysis elucidates the evolving sophistication of these techniques and their implications for the security of the Android ecosystem. Through this detailed exploration, we aim to provide insights that can aid in the development of more robust defense mechanisms to protect against such insidious software threats.

How to Break into Organizations with Style: Hacking Access Control Systems

Julia Zduńczyk
SPEAKER BIO

Julia performs penetration tests for a wide range of IT Projects as an IT Security Specialist at SecuRing. Her main area of interest revolves around Red Teaming, specifically access control systems assessments, RFID hacking, social engineering, and other related topics. As a Cybersecurity student at the Academy of Science and Technology in Cracow, she had the opportunity to learn a wide range of IT security aspects from the beginning of her academic education. In her free time, she enjoys playing CTFs and researching attacks on access control systems.
She has been selected as the top speaker at CONFidence Conference 2023 (Cracow, Poland) and best speaker at SEC-T 2023 (Stockholm, Sweden).
ABSTRACT
Have you ever wondered how Red Teamers manage to get access to high-security areas in buildings? This talk is your chance to learn about the tools, tactics, and techniques we use to break access control systems.
The presentation is based on the experience and examples collected during the Red Team assessments and gathers in one place the knowledge needed to gain access to places protected by access cards.

During the talk, I’m going to show you how I was able to break into organizations using techniques such as simple card cloning:

• We'll discover the basics of RFID technology and learn how to use Proxmark3 for access card scanning and cloning, with a demo of the device in operation.

• We'll explore some of the most common misconfigurations in access control systems and learn how to use them for gaining access and escalating privileges.

• We’ll also delve into the technical and social engineering aspects of card scanning during a Red Team Assessment, with an example of a complete kill chain which enabled me to gain entry to highly secure areas within a building, starting from a position of zero access.

• And last but not least, we'll talk about how to protect your organization from these types of attacks.

Let’s discover how to break into organizations with style.

The Accessibility Abyss: Navigating Android Malware Waters

Axelle Apvrille
SPEAKER BIO

Axelle Apvrille is a Principal Security Researcher at Fortinet, Fortiguard Labs. Her research interests are mobile and IoT malware. In addition, she is the lead organizer of Ph0wn CTF, a competition which focuses on hacking smart objects.
In a prior life, Axelle used to implement cryptographic algorithms and security protocols.
ABSTRACT
Abusing Accessibility Services is a prevalent technique, notably used by various Android botnets such as BianLian, Cerberus, Chameleon, GodFather, Hook and Xenomorph.
Despite its prevalence, the technique remains relatively unfamiliar to the general audience. As a result, users fail to recognize the specific permission dialog, and recognizing it would save them from infection.

At best, security-conscious individuals are acquainted with the concept of malicious overlays. But overlays are merely one facet of the malicious tasks malware can implement with a custom Accessibility Service. Malware can use the API to create a keylogger, turn off Play Protect, prevent application uninstallation, manipulate the clipboard, emulate gestures and clicks, steal credentials or sensitive information from other applications, and more.

Confronted with massive abuse, Google faced a dilemma: either permit the continued onslaught of attacks, or curtail the functionality of Accessibility Services, potentially limiting individuals with disabilities. In Android 13, Google introduced "Restricted Settings", which prevent side-loaded applications from getting the necessary Accessibility permissions. Regrettably, this security measure proved insufficient and was bypassed by recent Android malware.

Choose your own adventure - Red team edition

Nicolas Heiniger
SPEAKER BIO

Nicolas is a husband and proud dad of three kids. He studied computer science, and rumor has it he's a geek. He is a lawful good hacker who has actively attacked banks, insurances, telcos, pharmas, lotteries, and more… These days he only hacks for Swiss Re as a Senior Red Teamer.
ABSTRACT
This talk is an interactive game. In the game we will walk through a realistic Red Team exercise from the perspective of the operator. We will face many choices and try to find our path into a fictional company and get access to their most precious secrets.

ADDS Persistence - Burn it, burn it all

Shutdown (Charlie BROMBERG) & Volker
SPEAKER BIO

Shutdown:
Creator of The Hacker Recipes and Exegol.
Creator or contributor to many other projects.
Leading ethical hacking offerings for Capgemini France.
Passionate about Active Directory.

Volker Carstein (he/they) is a cybersecurity professional, currently working as a Pentester and RTO at Bsecure. Passionate about social engineering, Active Directory and OSINT, he's also a regular speaker at events such as leHack, Barbhack and GreHack. When he's not tackling infosec related subjects, Volker is a TTRPG aficionado and a music production enthusiast. "Jack of all trades, nerd of all things", he brings a blend of expertise and enthusiasm to everything he does, always up for a challenge and ready to geek out over anything and everything!

ABSTRACT
Active Directory Domain Services offer a wide range of lateral movement and privilege escalation techniques. Ethical offensive security professionals often appreciate AD-DS in this respect. But what about persistence? We will see together that when compromising an AD domain of a company, it's probably better to start from scratch. On the agenda: skeleton key, Golden gMSA, AdminSDHolder, DC Shadow, persistence via AD CS, etc. Limited budget for managing your AD? The attacker will do it for you 😉 (Note to CISOs and other corporate network managers, don't come to this talk, or at least not without a good dose of antidepressants, we might ruin the mood)

Diving into JumpServer: The public key unlocking your whole network

Oskar Zeino-Mahmalat
SPEAKER BIO

Oskar Zeino-Mahmalat is part of the vulnerability research team at Sonar where he hunts for bugs in web applications. As a cybersecurity student, he is currently working on his Master's thesis about Flutter security. Oskar is also an active CTF player on his university team.
ABSTRACT
JumpServer is an open-source jump host popular among Chinese companies. It acts as a central access point to internal services in a company network, making access control management and monitoring easier. Users can use a convenient Web UI or an SSH gateway to access servers via SSH, database connections, remote desktop protocols, and more. The credentials for these connections stay with JumpServer, preventing leaks to end users.

This makes JumpServer a valuable target for attackers. Compromising it would give attackers the necessary credentials and network access to also compromise internal services. This motivated us to search for issues in JumpServer. We discovered critical vulnerabilities that allow outside attackers to fully take over JumpServer.

After giving an overview of JumpServer's microservice architecture, this talk shows the technical details and demos of the discovered vulnerabilities. We describe how the architecture led to multiple API issues that allow authentication bypasses using only an SSH public key. Then we venture into the SSH authentication protocol and how a custom SSH server in JumpServer was vulnerable. At the end, we combine the authentication bypass with the web terminal feature of JumpServer to gain code execution on the host system.

An Uninvited House Guest: How PROXYLIB Overstayed its Welcome on Android Devices

Lindsay Kaye
SPEAKER BIO

Lindsay Kaye is the Vice President of Threat Intelligence at HUMAN Security. Her technical specialty and passion is reverse engineering. Lindsay holds a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.
ABSTRACT
Cybercriminal threat actors sell access to residential proxy networks to other threat actors who are looking to hide malicious behavior behind residential IPs, including credential stuffing attacks, password spraying or large-scale ad fraud. In May 2023, we identified a cluster of VPN apps available on the Google Play Store that transformed the user’s device into a proxy node without their knowledge. We’ve dubbed this operation PROXYLIB after the common library in each of the apps.
Researchers at IAS identified this malicious behavior in a single free VPN application, Oko VPN, on Google’s Play Store, and projected that the operators earned $2 million a month through conducting ad fraud prior to the app's removal from the Play Store. Based on further analysis of Oko VPN, Satori researchers uncovered nearly 40 applications related to PROXYLIB. These apps shared a common native library, written in Golang, that enrolls the device as a proxy node.

The team later uncovered a subsequent version of PROXYLIB, offered online via the LumiApps SDK, and other adaptations by the threat actor that used the same Golang library to turn the device into a proxy node. This talk will provide a technical deep-dive into the PROXYLIB Android malware and the related Windows binaries. We will also discuss the attribution of PROXYLIB and how the threat actor was able to use an online residential proxy seller to monetize the campaign. Finally, we will provide an overview of how defenders can mitigate the threat of residential proxies, malicious Android applications and ad fraud as it pertains to these threats.

How (not) to implement secure digital identity - case study of Poland's Digital ID system

Szymon Chadam
SPEAKER BIO

Szymon is an IT Security Consultant at SecuRing. His key responsibilities are web and mobile application security testing. Throughout his career, Szymon has performed numerous penetration tests of critical infrastructure for a wide range of industries, such as the banking, financial services, medical technology, and telecommunications sectors. His main area of interest and expertise is Android application security. He is an occasional bug bounty hunter and university lecturer.
ABSTRACT
Digital identity solutions are on the rise in many countries. Is your identity card stored on your mobile phone in a safe and secure manner? What risks do digital identity solutions pose, and how easily can criminals exploit them? What to look out for when implementing and using a digital identity system implemented in your country?

During my talk I will:

• analyse security of digital ID systems based on Poland's latest digital ID solution,

• show how a digital ID system can be used to hijack your identity,

• showcase critical vulnerabilities in a system storing sensitive information of millions of Polish citizens,

• give tips on how to maintain security when implementing digital ID systems.

After this talk, the audience will understand the risks associated with national digital ID systems. They will also know what to look out for when using, implementing or testing such systems.

mFT: Malicious Fungible Tokens

Mauro Eldritch
SPEAKER BIO

Mauro Eldritch is an Argentine Hacker & Speaker, Founder of BCA and DC5411.

He has spoken at different conferences including DEF CON (ten times!), EC-Council Hacker Halted (two times!), ROADSEC (LATAM’s biggest security conference), DEVFEST Siberia and DragonJAR Colombia (the biggest Spanish-speaking conference in LATAM), among other events (35+).

In the past, he worked as a cyberbodyguard for different governments and companies.

ABSTRACT
Discover how NFTs can be used as covert channels for malicious operations, taking advantage of the “permanent” nature of blockchain-backed assets and becoming “immortal” C2 servers. mFT is an open-source tool that automates this process, and comes with demo NFTs for attendees to try this at home!

Don’t flatten yourself: restoring malware with Control-Flow Flattening obfuscation

Geri Revay

SPEAKER BIO

Geri has more than 13 years of experience in cybersecurity. He started on this path when he specialized in network and information security during his M.Sc. in computer engineering. Since then, he has worked as a QA engineer for a security vendor, then moved to penetration testing, first as an external consultant for numerous companies and then as an internal consultant at Siemens. He is an ethical hacker at heart and a consultant by trade. He is experienced in executing penetration tests and security assessments in both IT and OT environments. Working at Siemens for 8 years allowed him to work closely with OT systems, often evaluating new features before they hit the market, and gave him access to environments that external consultants would not get into. He also worked on innovative ways to assess the security of higher-risk OT systems. Since he comes from the offensive security side, he deeply understands how hackers think and operate, which can be crucial to building defenses. His focus is now on security research in binary analysis and reverse engineering for malware analysis. Geri also regularly teaches highly technical topics such as hacking and reverse engineering.

ABSTRACT
Control-Flow Flattening (CFF) is an obfuscation/anti-analysis technique used by malware authors. Its goal is to alter the control flow of a function to hinder reverse engineering. Using CFF makes static analysis complex and increases the time investment for the analyst significantly. Malware authors have already discovered this, and a steady increase can be seen in malware samples that use CFF. Soon every analyst will have to face it daily, which calls for know-how and tooling to help them.

This presentation intends to provide the needed know-how and tooling. First, we will discuss the general approach to fighting CFF. We will discuss identifying CFF and which components are essential to restore the control flow.

We will compare three different approaches to fight CFF: basic pattern matching, emulation, and symbolic execution. Their implementation will be demonstrated as IDAPython scripts.

Malware Development & Abusing .NET for Initial Access

Suraj Khetani

SPEAKER BIO

Suraj is a senior consultant at Unit 42 with more than 9 years of hands-on experience in offensive security. He specializes in performing Red Teaming, Purple Teaming, and Adversary Simulation. Before joining Unit 42, Suraj served as the Offensive Security Lead at a leading bank in the UAE, where he spearheaded Red/Purple Teams and performed critical security control and infrastructure assessments.
He has previously spoken at various international security conferences, including Hack-In-the-Box, Shellcon, Antisyphon, and more. He has shared his expertise on a wide range of topics, such as Active Directory Attacks, EDR Evasion, and Container Security. Additionally, Suraj has demonstrated his skill in identifying zero-day vulnerabilities in notable platforms like Oracle, Netgear, and Pulse Secure, among others.

ABSTRACT
This presentation explores malware development within the .NET framework, addressing why understanding and creating custom loaders is important. It begins with an overview of malware and progresses to discuss the tools essential for malware creation, including a primer on Win32 APIs. The talk outlines the malware development lifecycle and delves into shellcode execution techniques, and methods to evade static detection. Attendees will learn about executing code by abusing .NET Appdomains and Signed ClickOnce, showcasing different approaches for achieving initial access in .NET environments. Participants will leave with a solid understanding of the complexities of malware development and the critical role this knowledge plays in building effective cybersecurity defenses. The session is designed for beginners interested in the technical aspects of cybersecurity and malware development within .NET.

Operation Triangulation – attacks on iPhones/iPads

Marco Preuss

SPEAKER BIO

Marco Preuss (@marco_preuss) has been working in the area of networking and IT security since the early 2000s. With long-time experience in his role, he is responsible for monitoring the threat landscape in Europe while specializing in threat intelligence, darknet research, password security, IoT security, and privacy. In addition to research-related projects, Preuss is a regular speaker at both closed and public events, and maintains close contact with security partners.

ABSTRACT
Let’s dive into the layers of “Operation Triangulation”, an advanced and complex attack targeting iOS.
In this talk, I will guide you through the operation and describe its aspects, interesting facts and the insights observed.