Elbsides 2025

Welcome and housekeeping statements

Mikko brings over 35 years of deep, firsthand experience in the ever-evolving computer security landscape. In this talk, he will guide us through the formative stages of the industry - when the first self-replicating malicious code emerged, and security professionals were just beginning to recognize and contain the computer virus threat.

Mikko will examine the transition from isolated virus outbreaks to organized, financially motivated cybercrime rings. He’ll recount his investigations of email-borne exploits, discuss the rise of botnets and distributed denial-of-service attacks, and share lessons learned about the interplay between attacker innovation and defender response.

Finally, Mikko will reflect on the current state of cybersecurity as a mature, multi-billion-dollar ecosystem and how governments entered the picture. He'll finish with some educated guesses about where we will go next.

Like steganographic techniques that embed messages in unstructured data, network-based covert channels exploit communication protocols to conceal data. By hijacking legitimate traffic, these channels provide a stealthy means of communication and data exfiltration.

The growing adoption of IPv6, driven by major ISPs and tech companies, introduces new security risks. One such risk is the ease of implementing covert channels within IPv6 communications, which remain undetected by common open-source IDS tools like Suricata, Zeek, and Snort.

Using high-level programming languages like Python and open-source libraries such as Scapy, it is possible to inject covert data into IPv6 packets without disrupting application-level communication. This technique applies to on-premises, hybrid-cloud, and commercial cloud environments, including AWS, Azure, and Vultr, leveraging an IPv6 network stack.

Six covert channels have been implemented and tested in virtual and cloud environments to evaluate their feasibility. To prevent interference with legitimate traffic, packets are cleaned before delivery, ensuring injected data is removed and restoring packets to their original form.

Various IPv6 fields and extension headers can carry covert messages without affecting overt communication. The Flow Label and Traffic Class fields, as well as the Authentication, Routing, Destination Options, and Fragment headers, can be exploited. The bandwidth of a covert channel depends on the bits that can be safely manipulated. For instance, the Flow Label field allows a bandwidth of 20 bits per packet, offering an efficient and hard-to-detect method when high bandwidth is not required. In contrast, the Authentication Header, introduced in this work, can carry 32 bits per packet while maintaining stealth. The Destination Options Header, though rarely used, can transport up to 256 bits per packet.

Ensuring successful message delivery while preserving communication integrity requires a communication strategy at both ends of the covert channel. Three strategies have been implemented: naive, marked, and reliable, each offering increasing levels of complexity, reliability, and efficiency.

The naive strategy simply transmits n covert-data packets followed by y legitimate packets, with both sender and receiver preconfigured accordingly. However, it lacks reliability in cases of packet loss or reordering. The marked strategy improves upon this by employing cryptographic marking to ensure correct packet identification and reassembly. The reliable strategy applies when TCP is used at Layer 6, allowing the sender to retransmit covert bits associated with missing TCP sequence numbers.

Beyond academic research, the proposed tool enables man-in-the-middle data exfiltration, allowing a compromised router to participate in an attack chain. Covert channel performance has been evaluated in terms of bandwidth and message loss rates. Their effectiveness has been tested against Suricata, Snort, and Zeek to assess whether standard detection rules trigger alerts when scanning IPv6 traffic modified to carry covert data.

Agility isn’t optional in cybersecurity. Engineering teams have to respond to emerging threats, shifting requirements, and constant technical change — often all at once. Many turn to Scrum to manage the chaos, drawn by its promise of speed, predictability, and team cohesion. But over time, that promise can wear thin: Teams suffer meeting overload, sprint fatigue, and a persistent tug-of-war between urgent fixes and long-term investment.

At Graylog, we’re experimented with something different: Shape Up, a cycle-based framework designed to give teams high autonomy in a healthier cadence and with clearer boundaries. It’s not a cure-all, but it’s helped us rethink ownership, improve planning, and better balance new feature work with technical debt.

This talk is part story, part strategy, and part invitation. I’ll give a quick method overview and share what’s worked (and what hasn’t) - depending on the team, the org and the context. Most importantly, I hope to kick off a conversation around how we structure technical work when the stakes are high, the timelines are short, and the backlog seems bottomless.

The crucial stopping-gap of wide-spread secure communication over Email clearly seems to be "usability". The difficult part arguably is "certificate management" which, at the core is the question of how to authenticate credentials. Many researchers and developers have taken their shot at improving the situation, while instant messenger applications seem to simply circumvent all obstacles and provide effortless end-to-end security — alas only for communication within their respective silos. And the situation for Email, i.e. combination of SMTP (RFC 5321) and Internet Text Messages, going back to RFC 724 and RFC 772, nowadays encapsulated by MIME, is anything but simple. But since 2015 ACME seemed to have solved the similar problem of distributing authenticated certificates for web-sites. In this work we take up the work on ACME for end-users and transfer the principles to OpenPGP and thus finally solving(?) this problem from the 1990s.

Auracast, the new Bluetooth LE Broadcast Audio feature has gained some publicity in the last few months. The Bluetooth SIG has been working on the specification of this feature set in the past few years and vendors are only now starting to implement it. Auracast enables broadcasting audio to multiple devices. These broadcasts can also be encrypted. Unfortunately, the security properties of the protocol are vague and insufficient. It has already been shown that these broadcasts can be hijacked by anyone when unencrypted.

This talk aims to explain the state of (in)security of the protocol and add to it by showing that even when encrypted, broadcasts can often be cracked easily. Once equipped with the passcode, attackers can eavesdrop and hijack even encrypted broadcasts. The Bluetooth specification is very vague in what security goals it tries to achieve for (encrypted) broadcasts. Security for Auracast is only ever mentioned in terms of confidentiality, which is supposedly achievable by encrypting a broadcast. On a higher level, this also shows how the specification seemingly added security to the protocol as an afterthought.

To examine whether the vague specification and the bad examples lead to real-world issues, we have surveyed several implementations of Auracast. We found that on popular devices the default configuration is weak and allows breaking the authenticity and confidentiality of the Auracast broadcast.

Unrestricted file uploads pose a significant threat to application security, allowing attackers to exploit various vulnerabilities and gain unauthorised access to systems and data. And there are some potential risks associated with unrestricted file uploads, such as: Triggering vulnerabilities in libraries/applications, abusing real-time security tools, executing malicious code and unauthorised access to sensitive files. In addition to the standard security best practices for file uploads, such as restricting file size, types, and extensions; experts recommends security controls to further enhance protection and validate files. These technologies include Content Disarm and Reconstruction (CDR), multi-AV scanning, sandboxing, and single-AV scanning. The aim of this presentation is to provide a detailed walkthrough of the risks and attacks associated with unrestricted file upload vulnerabilities, review the protective technologies available, outline proper mitigation strategies, and give practical examples on how to secure your environment against malicious uploads.

People talk a lot about defensive software architecture, but does it really make a difference?

In this presentation, I give an example from a security audit we performed, in which a simple misuse of a cryptographic primitive led to the compromise of an entire customer service tool for a payment provider, which would have allowed us full administrative access to their backends.

By stepping through the architecture of the system from the highest level down to the exact vulnerable code, this example allows us to illustrate the advantages of defensive software architectures with multiple layers of security. By the end of the presentation, you will have a new appreciation for defensive software architectures. As a bonus, you will also have learned about a neat cryptographic trick that exploits unauthenticated encryption.

GitHub Actions have become a critical part of CI/CD pipelines, but do you really know what's happening under the hood?

This talk will break down GitHub Actions concepts, explore their security risks, and highlight how third-party actions in the supply chain can introduce vulnerabilities. We'll examine real-world examples of misconfigurations, critical security risks, and unexpected workflow behaviors that attackers can exploit.

We'll also discuss the recent security issue with tj-actions/changed-files, and we'll analyze how attackers can exploit these risks and what security best practices can help to mitigate them.

Additionally, we'll compare existing security tools, from static analysis scanners to runtime monitoring solutions, and discuss how teams can integrate them into their CI/CD pipelines. Finally, I'll introduce a new tool designed to help identify and analyze transitive actions, making it easier to assess their impact and reduce security risks.

Attendees will gain a deeper understanding of GitHub Actions' security landscape, real-world case studies, and practical techniques for proactively securing their workflows, alongside a new tool to simplify the process.

Increasing supply chain attacks have highlighted the need for greater transparency in software. As a result, more regulations now require software vendors to provide SBOMs (Software Bills of Materials) for their products. In this talk, we’ll take you on a journey into the world of CISOs and managers who hope that SBOMs can solve many problems in the areas of cybersecurity and cyber resilience. Our brave architect will address questions such as: Do SBOMs actually make products more secure? Can they help mitigate situations like Log4Shell? What exactly do they need to contain? Along the way, they’ll debunk inflated expectations and outline the prerequisites for using SBOMs effectively.

Phishing attacks are evolving faster than traditional defenses can adapt. Despite significant investments in Secure Email Gateways (SEGs) and email security stacks, phishing remains one of the most effective initial access vectors. This session examines why phishing continues to succeed and introduces a practical, high-impact strategy to strengthen defenses.

SEGs typically rely on a layered architecture that includes header analysis, policy enforcement, static anti virus (AV) signature checks, link reputation services, and even lightweight sandboxing. As SEGs must process high volumes of email with minimal latency, they are optimized for speed and scale rather than for depth of inspection and comprehensive analysis. This can create exploitable detection blind spots. Sophisticated phishing campaigns take advantage of these limitations using tactics such as multi-stage redirect chains, geolocation- or time-based payload activation, QR codes, SVG images, and HTML smuggling

What can be done?

One often overlooked opportunity to address these advanced threats lies in integrating the organization’s User-Reported Phising (URP) program with advanced sandboxing technology. Unlike SEGs, these sandboxes operate outside real-time delivery constraints. They simulate realistic user interaction, follow complex redirect paths, and expose evasive payloads in a save analysis environment. This enables faster triage, higher-confidence verdicts, and improved detection of phishing threats that bypass gateway-level defenses.

This session will include real-world examples of advanced phishing techniques, such as redirect chains, QR code-based attacks, and SVG-based payloads, and show how advanced sandboxing can be used to detect them effectively.

I would like to give an insightful exploration into the impact of Cybercrime on the mental health of SOC-Analysts and related roles which are connected to the upper management.
As we delve into this critical topic, we recognize the increasing prevalence of cyberattacks and decresing availability in the workforce. SOC´s are at the forefront of defending organizations against these threats, yet the demanding nature of their work often leads to significant stress and burnout among SOC analysts and upper management dedicated in the field of Cybersecurity.

Most of the time, we try to reflect on the technical stability in this area. But we do not figure out how important structures and regulated processes are relevant in this area, similar to High-reliability organizations (e.g. Aviation or Medicine).

I want to give an inspirational approach to improve the workplace, keeping professionals more resilient and longer in their workplace. My approach reflects not just on mental health and wellbeing, it´s partly a management calculation which should be added in the consideration of defending risks from organizations.

We found HyTrack, a robust new tracking Android tracking technique.
It allows tracking providers to track you across multiple apps and the web.
It does not depend on the ad IDs or fingerprinting and can be hidden from you.
HyTrack is based on a new browser feature called Custom Tabs.
Additionally, it is hard to get rid of: It might survive browser purges and the re-installation of affected apps.

In short, HyTrack brings the full power of web tracking to native Android and is a danger to user privacy as it allows tracking across apps and the web.

In this talk, we will discuss the mechanisms behind it, check which browsers and devices are affected, and discuss mitigations.
Finally, we will recommend the next steps for you and the community to take to mitigate HyTrack and protect user privacy.

Pentesting is meant to uncover security weaknesses, but sometimes the process itself becomes an exercise in frustration. From unclear scopes and unresponsive clients to network misconfigurations and unexpected legal roadblocks, every pentester has war stories of engagements gone wrong. This talk dives into real-world pentesting pain points, sharing firsthand experiences of what makes assessments more difficult than they need to be—and how to avoid these pitfalls.

Whether you’re a seasoned pentester, a blue teamer trying to prepare for a test, or a purple teamer bridging the gap, understanding these challenges can help ensure your next engagement is smoother and more effective. We’ll cover the most common mistakes from all sides of the table, such as poor scoping, lack of communication, ineffective remediation, and unrealistic expectations.

Beyond just the horror stories, this session provides actionable lessons to help security teams and consultants work together more efficiently. Learn how to avoid common traps, improve collaboration, and turn painful experiences into opportunities for a more productive outcome.

With the move to cloud environments and Software as a Service (SaaS) offerings, digital identities are becoming more critical daily. Especially in the business context, these identities are connected to the business e-mail addresses and allow access to e-mails and documents via cloud applications in M365 and Google Workspaces.

With the increased importance of digital identities, they have become a target for criminals. Using adversary-in-the-middle (AitM) attacks, these criminals try to compromise business e-mail addresses, and after successfully obtaining valid credentials, the threat actor can access the user's cloud environment, launching business e-mail compromise (BEC) attacks. Additionally, these credentials allow a threat actor to access the user's cloud storage environments, like OneDrive. This access provides many opportunities for a threat actor, including:

1. Direct access to valuable information
2. A trusted repository to host malware for distribution
3. A trusted command and control (C2) channel
4. Data exfiltration via a trusted channel
5. Synchronisation misuse

Looking at the last tactic, sync misuse, we found a potential attack vector unknown to our knowledge. By combining sync misuse with another known tactic, replacing .lnk files, a threat actor can rapidly move from a compromised account to a compromised Windows host, from where they can move laterally to achieve their goals.

This talk will illustrate briefly how threat actors use AitM attacks to obtain access to Microsoft M365 credentials and show a proof-of-concept of how a threat actor can use these credentials to compromise a user's system via the OneDrives sync feature.

Artificial Intelligence is capable of creating malware. Fortunately, it is also capable of analyzing them, summarizing and decompiling them with surprising clarity. But how much can we trust it?

In this keynote, we'll explore moments where AI shines and fails. We'll also discuss MCP security (Model Context Protocol): a modern protocol with no/little security? As AI and malware evolve together, what does the future hold, in terms of malware and anti-malware?

It's a wrap! See you at the networking hour and next year.