2025-06-30 –, Room 2
Nation-state adversaries, and occasionally eCrime actors, have repeatedly leveraged trusted relationship or supply chain compromises in endpoint environments to gain access to a large number of victims by compromising a single target and then moving laterally to its downstream customers. While this initial access vector is well known in the traditional threat landscape, there is little open-source reporting on its use against cloud identity environments, apart from COZY BEAR abusing trusted relationship compromises to obtain access to Entra ID environments.
In this talk we will look at two incident response cases in which threat actors compromised a Microsoft Cloud Solution Provider and a SaaS provider, then used these providers' access to move laterally to downstream customers and obtain access to emails in O365. We will discuss how to hunt for the observed techniques, which mitigations are available, and the shortcomings in defending against these kinds of attacks.
Sebastian Walla is an expert in Cloud Threat Intelligence. He is the deputy manager of the Emerging Threats team (focusing on Cloud) and built the Cloud Threat Intelligence mission at CrowdStrike. Sebastian has worked as a reverse engineer for 5 years and has focused on cloud intrusions for the last 3 years.
Sebastian studied Cybersecurity, holds a Master's degree in Computer Science, and published a paper on automatically identifying and exploiting tarpit vulnerabilities to fight malware. He further holds the GREM and GCLD certifications and has presented at Euro S&P 2019, Fal.Con 2023, fwd:cloudsec EU 2024, and BSides Bern 2024.