hack.lu 2023

11:00
11:00
30min
Sbud: infovis in infosec
Ange Albertini

Visualisations in Infosec tend to be moonshots: shiny but mostly one-shots.
What about something simpler, but useful on a daily basis?

cti-summit
Salle Europe
11:30
11:30
20min
Detecting VPNs/proxies by analyzing their attack patterns over time
Emanuel Seemann

At Crowdsec we receive a lot of signals of users detecting attacks using our open source intrusion prevention system. We used these signals to detect whether attackers are behind anonymization services such as proxies or VPNs. We show that by monitoring changes in attack behavior over time we can reliably detect proxies and VPNs and use this data to improve our threat intelligence.

cti-summit
Salle Europe
11:50
11:50
30min
SBOMs: are they a threat or a menace?
Philippe Ombredanne

If you have not noticed the hype about SBOMs (Software Bill of Materials), you must have been living in a cave. They have been touted as the next best thing after sliced bread and the cure-it-all to all our security problems of the past many years. Join me to break through the hype and review the good, the bad and the ugly and determine if, how and when they may be useful and when not.

cti-summit
Salle Europe
12:20
12:20
90min
Lunch
Salle Europe
14:00
14:00
5min
Token Smart Contract Analyzer
TGrandjean

A Tool to Detect Fraudulent Token Contracts on Ethereum Blockchain

cti-summit lightning talk
Salle Europe
14:05
14:05
5min
Cloaking malicious web content delivery
Jeroen Pinoy

Website cloaking is a technique that enables websites to deliver different content to different clients, with the goal of hiding particular content from certain clients. Website cloaking is based on client detection, which is achieved via browser fingerprinting. In an attempt to hide their malicious web pages from detection, cyber criminals (can) use cloaking. They use vulnerability detection to only target clients that seem vulnerable. On top of that, they (can) also provide benign content in case they suspect someone or something is trying to detect them. In this talk I quickly go over what cloaking is, how it works, and why I think it deserves some more attention from the cyber community.

cti-summit lightning talk
Salle Europe
14:10
14:10
5min
The composition analysis of binary Java, ELF, Go, and JavaScript apps
Philippe Ombredanne

The composition binary analysis of apps and libraries can be a complex thing mixing multiple techniques. Let's review the techniques and FOSS tools to automate this analysis for binary formats such as bytecode, native Go and C/C++ ELFs and minified JavaScript.

cti-summit lightning talk
Salle Europe
14:15
14:15
5min
Case Management
Cruciani

A Flexible case management

cti-summit lightning talk
Salle Europe
14:20
14:20
5min
GeoOpen and mmdb-server: A Comprehensive Open Source Solution for IP Address Geolocation
Alexandre Dulaunoy

GeoOpen and mmdb-server: A Comprehensive Open Source Solution for IP Address Geolocation

cti-summit lightning talk
Salle Europe
14:30
14:30
30min
CTI is dead, long live CTI!
David

Recently a CSIRT colleague said: "CTI is dead" which made us wonder and ponder.

cti-summit
Salle Europe
15:00
15:00
30min
FOSStering an ISAC: Enabling a Community with Open-Source Tools
JJ Josing

Defending against the latest threats requires timely, actionable intelligence. In an active sharing community that has members of varying maturity, resources, and team staffing, you need a way to collect, normalize, enrich, and vet the shared intelligence at scale. Most will have different intelligence requirements, so flexibility is demanded to tailor to the disparate use-cases and existing workflows they may have. This presentation shows how the Retail & Hospitality ISAC leverages MISP as a community instance for their members and incorporates other free and open-source software to address these topics and more!

cti-summit
Salle Europe
15:30
15:30
30min
Kunai: your new Threat Hunting tool for Linux
Quentin JEROME

Linux is an open-source OS; however, performing Threat Hunting on Linux using open-source software (OSS) is not easy, as only a few tools are available and maintained. A port of the well-known Sysmon tool, originally developed for MS Windows, has been made for Linux, but it suffers from several issues. In this presentation, I will introduce a brand-new open-source tool I have been working on for several months. This tool aims to be a Sysmon alternative for Linux and provides several features that Sysmon does not offer.

cti-summit
Salle Europe
16:00
16:00
20min
Why does the CTI industry struggle with communicating uncertainties?
Ondra Rojcik

Even reputable vendors sometimes have a hard time consistently communicating uncertainties in a single report. This talk will highlight the challenge at the individual analyst level of working with uncertainties and communicating them. Words of Estimative Probability (WEP) and confidence levels, which address intelligence gaps, assumptions, and conclusions, may appear abstract and difficult to grasp for individuals with technical backgrounds who have transitioned to CTI from working with concrete facts. The presentation will explore various approaches to communicating uncertainties, showcasing their respective advantages and disadvantages for different types of threat report consumers.

cti-summit
Salle Europe
16:30
16:30
30min
Ensuring IoC quality at CERT-FR
Barrault Victor

Keeping IoCs usable and the base where they are stored clean over time is an important challenge. ANSSI/CERT-FR will present the tooling developed internally and used by CTI analysts in order to verify their quality and normalization before they are pushed into MISP.

cti-summit
Salle Europe
17:00
17:00
30min
MISP updates
Andras Iklody

Another year has passed since the last CTI Summit, with MISP having gone through a long list of changes and extensions - this talk aims to summarise what has happened since October 2022 as well as giving a glimpse into what the core team has in store for the community in the near future.

cti-summit
Salle Europe
17:30
17:30
20min
Malware AV evasion tricks. Cryptography in malware
cocomelonc

Research in the field of bypassing AV solutions and the role of cryptography in malware development. Application of classical cryptographic algorithms for payload and C2 communication encryption. Practical research has been carried out: the results of using Skipjack, TEA, Madryga, RC5, A5/1, Z85, DES, mmb, Kuznechik, etc. encryption algorithms have been analysed. The application of cryptography based on elliptic curves is also being researched. How does all this affect the VirusTotal detection score and how applicable is it for bypassing AV solutions (AV bypass)? In some researched practical cases, we get FUD malware. Bypass AV Kaspersky, Windows Defender. ESET NOD32 in some practical cases.
Reverse engineering and code reconstruction with malware development tricks from ransomware and malware like Conti, Snowyamber, Paradise Ransomware, CopyKittens, etc. Discover new tricks from Russian APT29 related malware.

cti-summit
Salle Europe
09:00
09:00
25min
Cratos - Use your bloody indicators
Dennis Rand

MISP is an amazing platform for collecting and maintaining your CTI data and context, but it can also be useful in daily hunting engagements, incident response cases, standard SecOps and other scenarios; without giving your infrastructure, outsourcing partners access to context from MISP.

cti-summit
Salle Europe
09:00
180min
Three Ways to Reverse-Engineering Cryptographic Functions
Finn Steglich

On the basis of a proprietary crypto library that was used for "securely" storing medical history, I would like to give an introduction to reverse engineering cryptographic functions by three different approaches: Blackbox, dynamic instrumentation with Frida and static analysis with Ghidra.

cti-summit
Hollenfels
09:30
09:30
30min
IPFS Unveiled: Exploring Data Collection, Analysis, and Security
Patrick Ventuzelo, Tanguy Laucournet

In this talk, we will dive into exclusive data collection and analysis techniques specific to this decentralized network. We'll also take a quick tour of IPFS's wide range of applications and provide practical tips and tricks to help you secure your organization.

cti-summit
Salle Europe
10:00
10:00
15min
Tea&Coffee
Salle Europe
10:15
10:15
30min
He is everywhere: A tale of Lazarus and his family
JeongGak Lyu, @lazarusholic

The threat groups from North Korea, known as Lazarus, are highly active and pose a significant danger to various industries worldwide. With over 20 years of experience in cybersecurity, I have focused on investigating incidents and providing detailed reports to my clients. Through my extensive research, I have accumulated a vast knowledge base concerning their TTPs and aliases.

Since the early 2000s, they have been primarily targeting South Korea and gained global recognition in 2014 during Operation Blockbuster. From 2015 onwards, they expanded their scope to focus on the financial and cryptocurrency sectors, carrying out large-scale ransomware attacks and extortion campaigns. Additionally, they have pursued sensitive information by targeting industries such as nuclear, defense, and aerospace. They exhibit exceptional skills in compromising supply chains, executing drive-by download attacks, exploiting remote services, and conducting phishing campaigns. They possess a remarkable ability to quickly adapt and optimize their attacks for specific targets.

The cybersecurity community, including myself, maintains a vigilant watch over their activities. As a supplementary initiative, I maintain a website (https://lazarus.day) that catalogs their various aliases and posts related to them. Since 2009, there have been over 1500 posts authored by almost 300. He is everywhere.

cti-summit
Salle Europe
10:30
10:30
90min
Dismantle the bomb
Stijn Tomme

Stop the countdown timer and dismantle the bomb by cutting the correct cable.

hack.lu
Echternach&Diekirch
10:45
10:45
15min
Cerebrate - learning to run
Andras Iklody

Cerebrate is just about to turn 2, since its 1.0 release in 2021 October. Like most two-year-olds, it is finally free to roam around the living room and have a lasting impact on its surroundings.

Having undertaken a journey of transformation and becoming operational in most aspects it was originally intended, this talk aims to walk participants through the changes as well as giving some insights into how Cerebrate is changing how we manage our communities.

cti-summit
Salle Europe
11:00
11:00
30min
Digital Tug of War: Unraveling the Cyber Battle Between Ukraine and Russia
Ondrej Nekovar, Jan

In this presentation, we will delve into the interesting Ukraine-Russia conflict over the past year and uncover the emerging challenges in cyber threat intelligence and its critical importance to detection engineering, validation, and organizational resilience. Explore the impact of cyber warfare on global security dynamics and gain valuable insights into the intersection of geopolitics and cybersecurity. Join us for a brief but enlightening journey through this evolving landscape.

cti-summit
Salle Europe
11:30
11:30
30min
How to operationalize CTI - A real world example
Melanie Niethammer

In this talk we invite you to follow our journey from a small virtual team of CTI enthusiasts with other responsibilities to an established CTI function in a cyber defense organization of a large company.

cti-summit
Salle Europe
12:00
12:00
90min
Lunch
Salle Europe
13:30
13:30
5min
Liberate the CSAM hashsets!
Andras Iklody

Where are the CSAM hashsets?

cti-summit lightning talk
Salle Europe
13:35
13:35
5min
Cobalt Striked?
Vincent Hinderer

Cobalt Strike v 4.9 was released mid September, but leaked less than a month later. Let's dive into this presumed blow to the vendor.

cti-summit lightning talk
Salle Europe
13:40
13:40
5min
Are Leaked Credentials Dumps Used by Attackers?
Xavier Mertens

With all the leaked credentials found in the wild, most of them are outdated or just a compilation of smaller dumps. Are they really used against you?

cti-summit lightning talk
Salle Europe
13:45
13:45
5min
Lessons learned from sharing intel about potential fraud / compromise
Jeroen Pinoy

Some lessons learned and anecdotes from spending several years sharing threat intelligence related to potential fraud / compromise.

cti-summit lightning talk
Salle Europe
13:50
13:50
5min
Sigma Project News
Thomas Patzke

Recently Sigma got a bunch of updates, time to keep you updated!

cti-summit lightning talk
Salle Europe
13:55
13:55
5min
Do we consider this as a risks already
Vladimir Kropotov

Risks of some new precious connected devices

cti-summit lightning talk
Salle Europe
14:00
14:00
120min
An Introduction to ARM64 Assembly and Shellcode
Saumil Shah

An Introduction to ARM64 Assembly and Shellcode is a workshop for those interested in getting a quick start into the world of 64-bit ARM binary exploitation. ARM64 is in several ways vastly different than ARM32.

In this bring-your-own-laptop workshop, participants will get to learn the key differences between ARM32 and ARM64 from an assembly language perspective, get some hands-on introduction to writing simple ARM64 assembly code, working with a debugging environment and concluding with writing their own ARM64 shellcode.

cti-summit
Vianden&Wiltz
14:00
240min
Customize Your Own Command & Control: Design and Code Your Own Implant in a Real Infrastructure
Guillaume Prigent, Adrien Barchapt-Perrot

Command & Control is a cornerstone of any attacker's infrastructure, whether they are affiliated with state actors (APTs), cybercriminals, or legitimate Red Team operators.

"Customize Your Own C&C" is a 4-hour workshop designed for those interested in quickly diving into the world of Command & Control design and architecture, and learning how to develop their own implant using a well-known open-source framework.

In this bring-your-own-laptop workshop, participants will have the opportunity to learn about the architecture and design of a well-known open-source framework as an example. They will also receive a comprehensive, hands-on introduction to designing a simple custom implant. This will involve working with two already prepared virtual machines and culminating in the creation of their own integrated x64 implant (utilizing a C++/Python wrapper).

cti-summit
Hollenfels
14:00
90min
Dismantle the bomb
Stijn Tomme

Stop the countdown timer and dismantle the bomb by cutting the correct cable.

hack.lu
Echternach&Diekirch
14:00
30min
JTAN - data sharing network
Paweł Pawliński, Alexandre Dulaunoy

CIRCL, CERT.PL and other JTAN project partners will present a data sharing network built in the JTAN project. The talk will showcase open source tools used as a backbone of the network and the operational value of the data exchanged.

cti-summit
Salle Europe
14:00
120min
Managing spam, phishing and other boring tasks with your users and constituents
Raphaël Vinot

It is time consuming and frankly moderately interesting to handle the submission and treatment of spams and phishing things people would like to report to you, either because it is your job or because you're that person who knows computers in your family or friends group.

In this workshop, we will show how to integrate open-source tools that will make your life easier, empower the people reporting things to you, and hopefully reduce your workload.

cti-summit
Schengen 1 and 2
14:30
14:30
30min
Turbocharging IOC validation: Become a more efficient CTI analyst
Arwa Alomari

Cyber threat intelligence (CTI) analysts are inundated daily with new Indicators of Compromise (IOCs) to analyze. Due to the ephemeral nature of IOCs, analysts must analyze IOCs promptly to understand if an IOC is usable.
IOC validation is one of the most time-consuming and frustrating aspects of analyzing an IOC. By optimizing IOC validation, an analyst can produce much more timely intelligence.
In this session, you will learn first-hand how to turbocharge the validation of IOCs, thus saving you precious time and helping you prioritize your time to focus on high-value IOCs and creating both timely and actionable intelligence.

cti-summit
Salle Europe
15:00
15:00
30min
Modern IOCs matching with Suricata
Eric Leblond, Peter Manev

This talk will present how Suricata, an open source IDS and NSM engine, can provide high performance matching of IOCs on live traffic using a feature named dataset. It will also cover how the produced NSM events can be used to do IOC matching on past traffic data and will present the IOCMite tool that links Suricata and MISP.

cti-summit
Salle Europe
15:30
15:30
30min
PXF-X - A modular python framework to hunt, extract and enrich Post-Exploitation Framework artifacts
Joel Doenne

Post Exploitation Frameworks are not only the Swiss Army knife for Red Teamers, but also in heavy use by cybercriminals and even state actors. Many artifacts, like Beacons/Badgers or Stage Loaders, end up on platforms like VirusTotal.
Tired of the many manual process steps needed to get decent insights about these hunted artifacts, the PXF-X framework was born.

cti-summit
Salle Europe
16:00
16:00
15min
Tea&Coffee
Salle Europe
16:15
16:15
30min
Pyrrha: navigate easily into your system binaries
Eloïse Brocas

Nowadays structured firmwares can be a complete OS with thousands of files. It usually requires several hours to find the links between some components, and it is easy to get lost in this mass of information.
This talk will introduce how we have combined and extended already existing open-source solutions to solve this issue and help reversers in their daily tasks. The resulting tool, Pyrrha, allows users to visualize the different binaries and libraries of the firmware and their interactions in the form of several dependency graphs.

cti-summit
Salle Europe
16:30
16:30
120min
Cryptocurrency & Web3 OSINT Workshop
Patrick Ventuzelo, Tanguy Laucournet, Mohammed Benhelli

This workshop offers an introduction to Blockchain/Web3 OSINT, including extracting and analyzing on-chain and off-chain data.

cti-summit
Schengen 1 and 2
16:30
90min
Dismantle the bomb
Stijn Tomme

Stop the countdown timer and dismantle the bomb by cutting the correct cable.

hack.lu
Echternach&Diekirch
16:30
120min
Using systematic code reuse analysis to create robust YARA rules
Jonas Wagner, Carlos Rubio Ricote

YARA is a commonly used tool to detect and identify malware. There are roughly two types of YARA rules used on binary files: 1) based on metadata and strings and 2) based on code.
There are certain benefits to basing YARA rules on code. Since code reuse is frequent amongst binaries of a malware family, it offers plenty of options to base a YARA rule on. If the chosen code is heavily reused amongst the binaries, then it can result in very robust rules.
This approach comes with certain challenges. A key aspect is being able to find heavily reused code amongst many binaries of a malware family. Unless some sort of automation is at play, this quickly becomes difficult and time-consuming. Once suitable reused code is identified, it needs to be turned into a YARA rule, so that it works even when compiler differences, optimizations or instruction set changes are involved.
In this workshop we will create robust YARA rules for a handful of malware families based on automatically identifying shared code between many binaries of a family.

cti-summit
Vianden&Wiltz
16:45
16:45
30min
Threat actors & surveillance companies targeting telecom operators
Alexandre De Oliveira

Telecom operators are at the heart of our societies, and all the citizens have a mobile phone today, which makes the operators an ideal target. This presentation will get more in depth into specific threat actors which are supporting the work of global surveillance companies.

cti-summit
Salle Europe
17:15
17:15
20min
How Crowdsec is building a collaborative, trustable, and crowdsourced CTI to change the cybersecurity landscape
Matthieu Mazzolini

Crowdsec is building the largest CTI, crowdsourced by an open source security engine solution. With the help of machine learning algorithms, we analyze this data to detect and classify cyber threats in near real time.

cti-summit
Salle Europe
17:35
17:35
20min
MISP42: connecting CTI and SOC teams
Remi Seguy

In cybersecurity, CTI and SOC teams often sit next to each other. The CTI team accumulates an impressive amount of threat intelligence including technical IOCs. On the SOC side, an even more impressive amount of data is collected in data lakes, even now data oceans (logs, telemetry, network flow or traffic, etc.).
MISP has been available for years as a Threat Intelligence platform and has highly facilitated sharing across the security community, mainly between CTI teams. In particular, MISP allows an organisation to have an IOC data set ready to be used.
Still, SOC teams rather often struggle to consume those IOCs into their monitoring and detection platforms and even more to feed back into MISP for new findings or sightings from the alerts or retro searches run on the SOC platforms.
MISP42 is an open-source app developed to help SOC teams using the Splunk platform to make the use of IOCs in MISP an easy workflow that can be automated.

cti-summit
Salle Europe
17:55
17:55
30min
Yeti - old dog, new tricks
Sébastien Larinier, Thomas Chopitea

Yeti is an open-source platform dedicated to the curation and management of operational threat intelligence, geared towards incident responders and forensic practitioners. It's written in Python and maintained since ~2017.

It consists of several modules:

  • a graph database & search engine
  • a threat feed ingestion engine
  • a data enrichment module (e.g. sandbox information, domain resolution, IOC extraction...)
  • Signature management (YARA, Sigma, etc.)
  • High-level entity management (Threat actors, TTPs, Campaigns) to tie everything together in a neat graph database.

Yeti has existed since 2017, and is used both in industry and academia, and has recently been undergoing several big changes, which we would like to present at CTI-Summit 2023:

cti-summit
Salle Europe
09:00
09:00
180min
Build your own malware analysis pipeline using open source tools
Michał Praszmo, psrok1, Jarosław Jedynak

During almost a decade of our malware analysis experience in cert.pl, we have tried many different approaches. Most of them failed but we have learned a lot about what works and what does not. Finally, after several years of development, we publicly released a bunch of projects that we are proud of: a complete open-source malware repository and analysis platform.
The workshop will provide practical hands-on introduction to all aspects of the platform:
mwdb: community-based online service for analysis and sharing of malware samples. The service is freely available to white-hat researchers and provides fully-automated malware extraction and botnet tracking.
mwdb core: self-hosted repository of samples and all kinds of technical information related to malware configurations.
karton: microservice framework for highly scalable and fault-resistant malware analysis workflows. We will explain the installation and configuration quickly and spend the rest of the time on adapting workflows to the karton framework.
malduck is our library for malware extraction and analysis. We will explain how to use it effectively and how to create your own modules.
All components are already available on our GitHub page: https://github.com/CERT-Polska/training-mwdb.

hack.lu
Vianden&Wiltz
09:00
90min
Dismantle the bomb
Stijn Tomme

Stop the countdown timer and dismantle the bomb by cutting the correct cable.

hack.lu
Echternach&Diekirch
09:00
30min
How Digital Technologies are Redefining Warfare and Why It Matters
Mauro Vignati

Cyber capabilities have been used for military purposes for more than two decades. But the digital operational area of States is no longer limited to cyber operations. In line with the global trend toward digitalization of our societies, armed forces around the world are developing innovative strategies to exploit the digital sphere in more complex ways than ever before. As a result of these developments, the line between civilians and combatants as well as between civilian objects and military targets, is in danger of becoming blurred. In particular, it is now easier than ever to involve civilians in military cyber operations and to harm them using these means. And the more the military is relying on cables, satellites or clouds that are originally designed for civilian use, the more likely it becomes that this infrastructure will be exposed to harm during armed conflicts, with significant adverse consequences on civilians.

hack.lu
Salle Europe
09:30
09:30
30min
Ongoing EvilEye Campaigns Targeting CCP Adversaries
Rascagneres Paul

Volexity has recently uncovered ongoing campaigns by EvilEye, a Chinese state-backed threat actor, targeting three of the five groups the Chinese Communist Party (CCP) refers to as the “Five Poisons”. The targeted groups are members of the Tibetan community, the Uyghur ethnic group, and Taiwanese nationals. Volexity's research has identified both currently active and historic activity for these campaigns. Volexity also identified related campaigns from this threat actor specifically targeting the Uyghur ethnic group back in 2019 and 2020.
The ongoing campaigns consist of two elements, malicious mobile applications and fake websites, which are created by the attacker to facilitate exploitation of end users by way of zero or n-day exploits. The three Android malware families being deployed include new versions of BADBAZAAR, as well as two previously undocumented families. In addition to these Android malware families, there is compelling evidence that EvilEye has developed an iOS implant and tried to distribute it via the Apple App Store.
This presentation outlines the current, ongoing campaigns; delves into the technical details of the Android malware families involved; discusses the threat actor's command-and-control (C2) infrastructure and configuration; and reveals how the threat actor builds communities to distribute their malware through trusted platforms. The presentation also explores overlaps between the campaigns and explains links to historic activity.

hack.lu
Salle Europe
10:00
10:00
120min
Analyzing Cobalt Strike Beacons, Servers and Traffic
Didier Stevens

In this 2 hour workshop, we will use new tools developed by Didier Stevens to deal with malicious Cobalt Strike beacons.

There used to be a time, that a blue teamer could say: "this sample I just analyzed is a Cobalt Strike beacon: I'm sure this is a pen test".
That is no longer the case: Cobalt Strike has become very popular with common criminals, and even some APT crews. Nowadays, if you encounter a Cobalt Strike sample, your organization is more likely to be under real attack than under simulated attack.

hack.lu
Hollenfels
10:00
30min
Defeating VPN Always-On
Maxime Clementz

VPN Always-On is a security control that can be deployed to mobile endpoints that remotely access corporate resources through VPN. It is designed to prevent data leaks and narrow the attack surface of enrolled end-user equipment connected to untrusted networks. When it is enforced, the mobile device can only reach the VPN gateway and all connections are tunnelled.

We will review the relevant Windows API, the practicalities of this feature, look at popular VPN software; we will then consider ridiculously complex exfil methods and... finally bypass it with unexpectedly trivial tricks. We will exploit design, implementation and configuration issues to circumvent this control in offensive scenarios. We will then learn how to fix or harden VPN Always-On deployment to further limit the risks posed by untrusted networks.

hack.lu
Salle Europe
10:00
120min
Managing spam, phishing and other boring tasks with your users and constituents
Raphaël Vinot

It is time consuming and frankly moderately interesting to handle the submission and treatment of spams and phishing things people would like to report to you, either because it is your job or because you're that person who knows computers in your family or friends group.

In this workshop, we will show how to integrate open-source tools that will make your life easier, empower the people reporting things to you, and hopefully reduce your workload.

cti-summit
Schengen 1 and 2
10:30
10:30
90min
Dismantle the bomb
Stijn Tomme

Stop the countdown timer and dismantle the bomb by cutting the correct cable.

hack.lu
Echternach&Diekirch
10:30
30min
The Renaissance of Cyber Physical Offensive Capabilities
Daniel Kapellmann Zafra

Since the beginning of the Ukrainian invasion, we have seen a renaissance of innovation making threats to operational technology (OT) systems more streamlined than ever before. Such activity is reflected in a quick turnaround in the development of malware and capabilities to target OT systems. In this talk, I will provide an overview of the evolution of OT threats since the eve of Ukraine’s invasion and discuss its implications for defenders. Among other topics, I will share recent findings about documentation hinting on Russia’s development of OT cyber capabilities, and newly disclosed OT malware families such as INCONTROLLER, INDUSTROYER.V2 and COSMICENERGY.

hack.lu
Salle Europe
11:00
11:00
45min
Introduction to cyberwarfare: theory and practice
Lukasz Olejnik

This talk presents a strict analysis of technology, policy, international law, and cyberwarfare, focusing on the realities of armed conflict in cyberspace. Ukraine and other events in Central Eastern Europe will provide food for thought and a case study. The main premise is grounded in sound analysis of rules, strategies, and the mechanics of conflicts.

Some relevant points to consider follow. What’s the relevance to the armed conflict areas? What’s the relevance to the countries non-neutral in a conflict? Should companies prepare in any way, and if so, how? Are there particular risks to IT companies, IT administrators, developers, software engineers, security engineers?

hack.lu
Salle Europe
12:00
12:00
90min
Lunch
Salle Europe
13:30
13:30
5min
You can learn anything.
Pauline Bourmeau (Cookie)

It's made possible by today's open-source community, and a vast number of people are now rethinking the way we learn. Let's engage with this!

hack.lu lightning talk
Salle Europe
13:35
13:35
5min
Velocity Raptor: Accelerating Velociraptor Hunting with Tenzir Pipelines
Matthias Vallentin

In this talk we showcase how to interact with a Velociraptor server from Tenzir pipelines, speeding up DFIR work by flexibly processing the output of hunts.

hack.lu lightning talk
Salle Europe
13:40
13:40
5min
TIDeMEC : A Detection Engineering platform homegrown at the European Commission
Amine Besson

Introducing 🌊TIDeMEC: Threat Informed Detection Modelling and Engineering as Code, the platform powering DIGIT S2 CATCH Detection Engineering operations, planned to go open source for the benefit of the European and beyond SOC community.

hack.lu lightning talk
Salle Europe
13:45
13:45
5min
Deming - ISMS Open Source
Didier Barzin

Deming is a tool for managing, planning, tracking and reporting the effectiveness of security controls.

hack.lu lightning talk
Salle Europe
13:50
13:50
5min
Belgian Cyber Reserve Forces
Christophe Vandeplas

Lightning Talk - A quick intro of the Belgian Military Cyber Reserve.

hack.lu lightning talk
Salle Europe
13:55
13:55
5min
Non vulnerable package dependency resolution
Philippe Ombredanne

Until now, two worlds have mostly ignored each other: the resolution of a software package dependency tree or graph to meet functional constraints and the search for package versions that are not subject to known, published vulnerabilities (aka CVEs). What if we could combine the functional version range constraints from software developers with the known vulnerable version ranges from security specialists?

hack.lu lightning talk
Salle Europe
14:00
14:00
90min
Dismantle the bomb
Stijn Tomme

Stop the countdown timer and dismantle the bomb by cutting the correct cable.

hack.lu
Echternach&Diekirch
14:00
30min
Embedded Threats: A Deep Dive into the eSIM World
Markus Vervier

With the increasing adoption of the embedded SIM (eSIM) or embedded Universal Integrated Circuit Card (eUICC), new connectivity opportunities and conveniences are emerging for users. However, with these advances emerge new potential vulnerabilities and security implications. This presentation will shed light on the yet unexplored attack surface of eSIM technology and highlight the potential risks and challenges of this now widely deployed technology. Support for eSIM is now available in modern mobile phones and also in popular desktop devices such as Lenovo Thinkpads running Microsoft Windows 10 and 11. By exploring the intricacies of eSIM security, we aim to raise awareness of the potential for offensive operations serving as technology but also in terms of post-compromise situations.

hack.lu
Salle Europe
14:00
90min
Non-state actors’ cyber activity in Armed Conflict: impact, implications and remediation
Deleted User, Elena Rückheim, Mauro Vignati

A modern armed conflict has an increasingly elaborate cyber dimension substituting or complementing conventional military operations and originating from both state and non-state parties. Often non-state groups are engaging alongside (and including on behalf of) states in international conflicts without sufficient knowledge of the international law designed to avoid unnecessary harm to civilians and often become victims themselves as de facto parties in a given conflict. They may also deliberately ignore the rules due to sufficiently plausible deniability. Yet, the results of their action to support any of the officially combatant parties, especially targeting civilian objects (including hospitals, schools, community centres etc) might lead to unnecessary casualties as well as otherwise undesirable escalation of the conflict.
With a rich choice of examples of such activities in the current conflict in Europe, it seems an important moment to discuss the understanding of ethical limits to non-state actor behaviour in the use of ICTs to ultimately reduce the activity targeting civilians and the chances of undesirable escalation.

hack.lu
Schengen 1 and 2
14:00
120min
The new Sigma Toolchain
Thomas Patzke

pySigma and Sigma CLI are complete rewrites of the legacy sigmatools and sigmac projects, which will be retired at the end of the year. In this workshop you will learn the new concepts introduced and how these new tools can be used and extended by new target query languages.

hack.lu
Hollenfels
14:30
14:30
30min
Building an evil phone charging station.
Stef van Dop, Tomás Philippart

An investigation of the risks of public charging stations, including a POC that charges a phone, mirrors HDMI, and extracts passwords being typed on the mobile device.

hack.lu
Salle Europe
15:00
15:00
30min
Do's and don'ts in file formats
Ange Albertini

Many file formats (like MP3) were designed around a great idea but a very bad format, leading to many hurdles, headaches and mistakes.
This talk will introduce the typical mistakes made when conceiving a file format, and during its evolution.

hack.lu
Salle Europe
15:30
15:30
30min
ACME: benefits of deploying an Internet Security protocol inside your corporate network
Christophe Brocas

This talk will give feedback on the deployment of an ACME proxy in front of a private Certificate Authority (CA). I will explain the caveats of our private CA setup and why we decided to add ACME to our corporate CA architecture. I will then expose the expected (and unexpected!) benefits of using this Internet Security protocol inside your corporate network. Finally, some new opportunities proposed by the industry and relying on ACME used inside corporate networks will be covered.

hack.lu
Salle Europe
16:00
16:00
15min
Tea&Coffee
Salle Europe
16:15
16:15
90min
Dismantle the bomb
Stijn Tomme

Stop the countdown timer and dismantle the bomb by cutting the correct cable.

hack.lu
Echternach&Diekirch
16:15
90min
Kunai workshop: your new Threat Hunting tool for Linux
Quentin JEROME

Linux is an open-source OS; however, performing Threat Hunting on Linux using open-source software (OSS) is not easy, as only a few tools are available and maintained. A port of the well-known Sysmon tool, originally developed for MS Windows, has been made for Linux, but it suffers from several issues. In this presentation, I will introduce a brand-new open-source tool I have been working on for several months. This tool aims to be a Sysmon alternative for Linux and provides several features that Sysmon does not offer.

hack.lu
Hollenfels
16:15
30min
Your unknown Twins: Identity in the era of Deepfakes, AI and mass Biometrics exposure
Vladimir Kropotov

With the growth of modern media and AI technologies, have you ever wondered what damage could be done if a picture of your eyes ends up in the hands of a malicious user?

In this presentation we dive into threats of exposed biometric data, show how the data can be obtained and abused by malicious users, and what damage can be done once their data is exposed. Such compromised identities are already used in financial crimes, to bypass modern security systems and procedures and also in public opinion manipulation campaigns - which can include critical events, street protests, and elections. But the impact of our exposed data is set to go beyond these in the coming years, and in this talk we discuss the difficulties and work-arounds for these emerging threats.

hack.lu
Salle Europe
16:45
16:45
30min
PHP filter chains: How to use it
Rémi Matasse (@_remsio_)

Local file inclusion methods in PHP have evolved over time. There are 2 main objectives when exploiting them:
- Getting a remote code execution by including files containing PHP via include() or require() functions.
- Leak local files such as PHP sources or configuration files via file_get_contents() or file() functions for example.

In the past, the following requirements had to be met to exploit a local file inclusion.
To exploit a remote code execution you could inject information in log files and include them, or control a variable in your PHP session to poison the session file. But in most cases, you needed to be able to upload a file on the system.

To leak local files, it was required to either fully control the path pointing to the file to leak, or to have a path traversal to go up in the file tree. Most importantly, it was mandatory for the server to send you back its content in the response.

In both cases, the affected functions support several wrappers, the most iconic being file://, which is a prefix before a file path. Other wrappers such as php://filter can be passed to these functions; for example, it was well known to allow leaking PHP sources by base64-encoding them (e.g. php://filter/convert.base64-encode/resource=index.php).

In a 2021 CTF write-up by loknop, this wrapper was actually proven to be much more useful. Indeed, it allows setting the encoding of contents passing through it, and most importantly to chain an infinite number of encodings leading to the generation of arbitrary data at the start of a file. In this presentation, the full process will be explained with examples allowing, for instance, to generate interesting prefixes to a file content, such as '<?php system("id"); ?>', therefore removing the need to have a file upload when exploiting include() or require() functions to get remote code execution (if the full path is controlled).

In 2022, hash_kitten showed that it was also possible to use PHP filter chains as an error-based oracle when used in many built-in functions, such as file_get_contents(). The method chains encodings that make the content size of a file grow exponentially, triggering a PHP memory_limit exhaustion. By using other filters, the first character of the file content can also be determined. By using other encodings it is also possible to rotate the chain order to retrieve characters that are located further away in the content.

Using this error-based oracle, it is therefore possible to leak the entire file content without having PHP serve it in a server response.

hack.lu
Salle Europe
18:00
18:00
45min
Powerpoint Karaoke
Salle Europe
18:45
18:45
180min
Social Event
Salle Europe
22:00
22:00
120min
Movie projection
Salle Europe
09:00
09:00
90min
Dismantle the bomb
Stijn Tomme

Stop the countdown timer and dismantle the bomb by cutting the correct cable.

hack.lu
Echternach&Diekirch
09:00
30min
Internet exposure of satellite modems, and their vulnerabilities
Patrice Auffret, Arnaud Girault

ONYPHE & ESIEA partnered to create an assessment about satellite modems and their current state of vulnerabilities. We will speak about different brands, give some pictures about how many of them are exposed on the Internet, and give some numbers on their vulnerabilities.

hack.lu
Salle Europe
09:30
09:30
25min
Almost 2 years after log4j .. if your PSIRT has survived, Are the Lessons learned or not learned on security incident & vulnerability management ?
FrederiqueD, Thales

In Dec 2021, the media and public discovered the “famous” log4j vulnerability.
They realized that every product or website using software or shared libraries and components can become vulnerable to cyber attack.

Companies in the technology sector producing « software » had to face the same « disease or scary movie ». A small library used everywhere has damaged almost all software & websites.

At the time, some companies believed they were prepared with a PSIRT, a CSIRT or a CERT; the others had to “improvise, resolve and learn”.

Today’s main « key » questions which seem of interest:

  • Do we all remember (good and bad parts of the experience) ?

  • Have we realized it’s a miracle the PSIRT teams survived the experience ?

  • Have we learned the lessons of what happened with log4j ?

  • Are we now prepared for when (‘and not if’) a new « vulnerability scary movie » comes back?

hack.lu
Salle Europe
10:00
10:00
40min
Avoiding the basilisk's fangs: State-of-the-art in AI LLM detection
Jacob Torrey

The world is awash in large-language model (LLM) AI (e.g., ChatGPT) news, predictions, and of course, content (all for good and ill). This talk takes a step back from the posturing and hype to look at how these models work, and how to detect the content they produce. We will look at the fundamentals of LLM-generated text detection, compare the best in breed: GPTZero, Roberta, and OpenAI's detector with a novel detector, ZipPy.
ZipPy is a new, open-source LLM text detector developed by Thinkst Labs that is 60-100x faster than the competition, over 1000x smaller (< 200KB), and for many types of content, more accurate. We will explain the intuition behind ZipPy, show how it works, and the types of content it struggles with. Finally we look at where LLMs can improve their stealth, and fundamental shortcomings in their designs that enable detection long-term.

hack.lu
Salle Europe
10:00
120min
DFIRTrack - The Incident Response Tracking Application
Mathias Stuhlmacher, Lionne Stangier

DFIRTrack (Digital Forensics and Incident Response Tracking application) is an open source web application focused on handling major incidents with many affected systems. This workshop will show you how to use DFIRTrack in an efficient way using the various features.

hack.lu
Vianden&Wiltz
10:30
10:30
90min
Dismantle the bomb
Stijn Tomme

Stop the countdown timer and dismantle the bomb by cutting the correct cable.

hack.lu
Echternach&Diekirch
10:40
10:40
40min
Permissionless Universal Overlays
Dimitrios Valsamaras

Both Android and iOS operating systems interact with the users using a constrained graphical interface, typically occupied at its majority by one application at a time while many of them can run in the background. That being said, a user must rely on the GUI provided by the application itself to verify its legitimacy. This type of behavior has raised concerns within the security research community that have been proved to be well founded, judging from the fact that multiple malware campaigns use GUI confusion as their main attack vector.

In this paper we present a novel GUI attack that leverages the fact that an Android activity maintains its graphical state and can receive touches, while it's in the top of the back stack of the device home screen. Whilst most of the techniques that have been introduced so far require the SYSTEM_ALERT_WINDOW permission, the one we present is permissionless and makes use only of the FLAG_NOT_TOUCH_MODAL flag.

By using this technique, we were able to create overlapping views over system dialogues, luring the user to unintentionally approve dangerous permissions and access to system services. Third party applications are also at risk, as it is possible to garble their UI by projecting fraudulent views that ostensibly belong to the targeted application's context. For the latter to be successful, the PACKAGE_USAGE_STATS permission must be obtained in order to identify the application that is currently in the foreground.

Google addressed the issue (CVE-2021-39617) by not dispatching touches to critical decision windows which are fully or partially obscured, but 3rd party applications are still affected.

hack.lu
Salle Europe
11:20
11:20
30min
Raiders of the Lost Arts
Stefan Hager

Using outdated technologies and old methods to sabotage and engage companies and what can be done about it

hack.lu
Salle Europe
12:00
12:00
90min
Lunch
Salle Europe
13:30
13:30
5min
Token Smart Contract Analyzer
TGrandjean

A Tool to Detect Fraudulent Token Contracts on Ethereum Blockchain

hack.lu lightning talk
Salle Europe
13:35
13:35
5min
Suricata Language Server
Eric Leblond

Writing Suricata signatures is seen by some as a form of art and by most as a nightmare. This talk will introduce Suricata Language Server, an implementation of LSP that provides syntax checking and performance hints in your IDE when writing Suricata signatures.

hack.lu lightning talk
Salle Europe
13:40
13:40
5min
Wintermute: an LLM pen-testing buddy
Aaron Kaplan

The lightning talk will introduce an LLM-guided privilege-escalation tool designed for evaluating different LLMs and prompt strategies against a novel pen-testing benchmark.

TL;DR: you got a new pentesting buddy who can help you hack away.

hack.lu lightning talk
Salle Europe
13:45
13:45
5min
SLP DoS Amplification - someone is having fun
Pedro Umbelino

CVE-2023-29552 is a recent high-profile vulnerability that allows for one of the most powerful and still working reflective amplification denial-of-service attacks.
Someone has been having fun and we can see it.

cti-summit lightning talk
Salle Europe
13:50
13:50
5min
DER Editing, Easy-Peasy with asn1template
William Robinet

Editing DER-encoded ASN.1 structures is pretty tedious work when done manually.
Solutions to this problem exist. For instance, der-ascii [0] is a tool written in Go that helps with back and forth conversions from/to DER structures to/from a textual representation using a custom defined language.
I present a somewhat short Perl script [1] that leverages the OpenSSL configuration language along with the ASN1_generate_nconf(3) function in order to achieve the same goal with almost no dependencies apart from Perl and OpenSSL.
This tool can be used to ease the exploitation of CVE-2022-0778 [2] & [3].

[0] https://github.com/google/der-ascii
[1] https://github.com/wllm-rbnt/asn1template
[2] https://www.openssl.org/news/secadv/20220315.txt
[3] https://github.com/drago-96/CVE-2022-0778#using-asn1-templates

cti-summit lightning talk
Salle Europe
13:55
13:55
5min
Supply chain resilience: challenges & solutions
Saâd Kadhi

In today’s interconnected world, organisations rely on a complex network of suppliers, providers, and contractors to deliver software, hardware, and services. However, this very interconnectedness poses a significant cybersecurity risk – supply chain attacks. In this lightning talk, we will share some insights & thoughts on managing and securing an organisation’s supply chain.

cti-summit lightning talk
Salle Europe
14:00
14:00
180min
As We Are Many
Michael Hamm

On a Linux system we will prepare a USB stick with 3 little test files like 'test1.txt', 'test2.txt' and 'test3.txt' with some little test content inside. When the spooky USB stick is connected to a Windows-based PC (VM guest), the USB stick is mounted and we see three '.txt' files. But the content is different and doesn't match the content we created on the Linux PC.

Analyzing the stick with different tools leads to confusing results. It does not help to understand what is going wrong here. The idea of this workshop is to provide the students with the knowledge to build their own spooky USB stick.

hack.lu
Vianden&Wiltz
14:00
120min
CyberChef: Enhancing Existing Operations and Adding New Operations
Didier Stevens

In this 2-hour workshop, Didier will start with a quick intro to CyberChef, with some simple exercises, and then we will set up a development environment for CyberChef.
In this environment, we will start with simple exercises (enhancing existing operations) and then move on to creating your own operations from scratch.
The operations will focus on blue team activities, like assisting with the analysis of malware.

hack.lu
Hollenfels
14:00
90min
Dismantle the bomb
Stijn Tomme

Stop the countdown timer and dismantle the bomb by cutting the correct cable.

hack.lu
Echternach&Diekirch
14:00
120min
Full Stack Forensics with FOSS
Sébastien Larinier, Thomas Chopitea

This workshop will showcase a suite of free and open source tools to leverage
threat intelligence in DFIR investigations. Participants will be setting up a
full forensics pipeline, including collection (GRR), processing
(Plaso) and analysis (Timesketch), and orchestration
(dfTimewolf). In addition to that, they'll be using Yeti to augment
their processing and analysis with threat intelligence.

The workshop will last two hours and is open for anyone to attend. Experience
installing packages on Linux and using the Linux CLI in general is required.
Experience running and managing Docker containers would be a nice addition.

Participants will be given an initial list of Docker containers to pull and set
up before the workshop

[UPDATE] Here's the list! https://docs.google.com/document/d/1TKqOleH2rdtPjybUt3PYybJ7RrH59kqaHnmywJhRPGk/preview

[UPDATE2] Here's the slides with the links to everything: https://docs.google.com/presentation/d/1_IIhazlZF4Nxa_fn4YJ0SieFPJGzP91OwuAO4LIUWOg/edit#slide=id.g24fcb0d3240_0_70

hack.lu
Schengen 1 and 2
14:00
30min
Open Wounds: The last 5 years have left Bluetooth to bleed
Xeno Kovah

Over the past 20 years there have been 3 waves of Bluetooth (BT) security research. The first wave peaked in 2004, and rather abruptly ended after 2005. Then for a long time there was very low interest and activity. That began to change around 2011 with the release of BT Low Energy (BLE) and the Ubertooth One. But that wave too petered out around 2015. But we are now living in the 3rd wave, and it's far larger than past ones.

In this talk I will be releasing a TiddlyWiki-based, semantically-tagged, timeline of BT security research. Talks have been tagged according to authorship, conferences, and dates. But also according to talk type (attack? defense? reverse engineering? overview?), attack surfaces (L2CAP? BLE LL? ACL-C?), execution environments (Android? Windows? Texas Instruments firmware?), etc. This organized data affords us interesting insights into the most important authors, tools, orgs, and attacks.

I will spend the majority of the time talking about some of the extremely critical vulnerabilities (especially protocol-level vulnerabilities) that have been released in the 3rd wave. These are vulnerabilities that, despite ostensibly being patched, in reality mean that anything with infrequent or non-existent firmware updates is going to remain hackable indefinitely.

hack.lu
Salle Europe
14:30
14:30
30min
The rise of malicious MSIX file
Rintaro Koike, Shogo Hayashi

Since February 2023, we have observed an attack campaign using MSIX files. MSIX is the successor format to MSI, but many people are unaware of its existence and, needless to say, do not know of any abuse cases.

This session will first introduce basic information on MSIX files, such as the file format, basic behavior, and the creation method, followed by attack cases of MSIX file abuse. Specifically, we will detail attacks conducted by a financially motivated threat group called SteelClover. In particular, we will delve into the Package Support Framework (PSF). Our session will contribute to your better understanding of the attack flow and the behavior through specific attack cases abusing MSIX files.

Finally, we will discuss detection and defense techniques, including the detection logics available for EDR solutions, against attacks that exploit MSIX files. This session will enable SOC analysts, IR team members, CSIRT personnel, and others to gain a deep understanding of the specific attack cases and behavior abusing MSIX files and to take concrete countermeasures.

hack.lu
Salle Europe
15:00
15:00
20min
Reviving our oldest Tool - Using Bayesian inference to detect cyber attacks
Emanuel Seemann

Crowdsec is an open-source IDS/IPS and we recently added a detection capability that is based on Bayesian inference, a technique which has long been used to detect email spam. We show that this old and simple tool is still incredibly powerful and present how other threat analysts can improve their threat detection using Bayesian inference.

hack.lu
Salle Europe
15:30
15:30
30min
Using Apple Sysdiagnose for mobile forensics and integrity checks
David Durvaux, Aaron Kaplan

The talk will demonstrate how to use Sysdiagnose for forensics purposes on Apple devices. Sysdiagnose is a tool which was originally intended for other purposes.

The presenters will share with the audience hands-on experiences and share what works and what does not work with this approach.

Incident responders will leave the talk with a deeper understanding of Sysdiagnose and a novel tool in their IR arsenal.

hack.lu
Salle Europe
16:00
16:00
15min
Tea&Coffee
Salle Europe
16:15
16:15
30min
A deep dive into Maritime Cybersecurity.
JACQ

We propose to provide an overview of the maritime sector's cybersecurity, its strengths and weaknesses, the attacks that are taking place and the initiatives being taken to deal with them.

hack.lu
Salle Europe
16:15
90min
Building Your Own Workflows in MISP: Tutorial and Hands-on
Sami Mokaddem

MISP has been a widely used open source CTI platform for the past decade, with a long list of tools that allow users to customise the data models and contextualisation of the platform, yet true customisation of the actual workflows and processes had to be done externally using custom scripts.
With the introduction of MISP workflows, this has changed and the workshop aims to walk the audience through some of the potential ideas of how one could adapt the tool to their own CSIRT’s or SOC’s workflows by using some hands-on examples during the session.

hack.lu
Schengen 1 and 2
16:45
16:45
30min
Operation Duck Hunt - A peak behind the curtain of DuckTail
Pol Thill

This talk delves into the captivating story of DuckTail, a notorious infostealer operation that emerged as one of the prominent threats in 2022 and 2023. With a global reach, DuckTail effectively targeted both individuals and organizations, leveraging customized malware and innovative delivery techniques. Thriving in the remote work landscape driven by the COVID pandemic, DuckTail's success did not shield them from committing critical operational security (OPSEC) mistakes. These lapses ultimately led to the complete exposure of their operation and the individuals responsible for it. Join me as we explore the gripping pursuit of these cybercriminals, unraveling their intricate methods and providing an exceptional glimpse into the workings of a criminal enterprise.

hack.lu
Salle Europe
17:15
17:15
30min
Kunai: your new Threat Hunting tool for Linux
Quentin JEROME

Linux is an open-source OS; however, performing Threat Hunting on Linux using open-source software (OSS) is not easy, as only a few tools are available and maintained. A port of the well-known Sysmon tool, originally developed for MS Windows, has been made for Linux, but it suffers from several issues. In this presentation, I will introduce a brand-new open-source tool I have been working on for several months. This tool aims to be a Sysmon alternative for Linux and provides several features that Sysmon does not offer.

cti-summit
Salle Europe