hack.lu 2023
Visualisations in Infosec tend to be moonshots: shiny but mostly one-shots.
What about something simpler, but useful on a daily basis?
At Crowdsec we receive a lot of signals of users detecting attacks using our open source intrusion prevention system. We used these signals to detect whether attackers are behind anonymization services such as proxies or VPNs. We show that by monitoring changes in attack behavior over time we can reliably detect proxies and VPNs and use this data to improve our threat intelligence.
If you have not noticed the hype about SBOMs (Software Bill of Materials) you must have been living in a cave. They have been touted as the next best thing after sliced bread and the cure-all for all our security problems of the past many years. Join me to break through the hype, review the good, the bad and the ugly, and determine if, how and when they may be useful and when not.
A Tool to Detect Fraudulent Token Contracts on Ethereum Blockchain
Website cloaking is a technique that enables websites to deliver different content to different clients, with the goal of hiding particular content from certain clients. Website cloaking is based on client detection, which is achieved via browser fingerprinting. In an attempt to hide their malicious web pages from detection, cyber criminals (can) use cloaking. They use vulnerability detection to only target clients that seem vulnerable. On top of that, they (can) also provide benign content in case they suspect someone or something is trying to detect them. In this talk I quickly go over what cloaking is, how it works, and why I think it deserves some more attention from the cyber community.
The composition binary analysis of apps and libraries can be a complex thing mixing multiple techniques. Let's review the techniques and FOSS tools to automate this analysis for binary formats such as bytecode, native Go and C/C++ ELFs and minified JavaScript.
A Flexible case management
GeoOpen and mmdb-server: A Comprehensive Open Source Solution for IP Address Geolocation
Recently a CSIRT colleague said: "CTI is dead" which made us wonder and ponder.
Defending against the latest threats requires timely, actionable intelligence. In an active sharing community that has members of varying maturity, resources, and team staffing, you need a way to collect, normalize, enrich, and vet the shared intelligence at scale. Most will have different intelligence requirements, so flexibility is demanded to tailor to the disparate use-cases and existing workflows they may have. This presentation shows how the Retail & Hospitality ISAC leverages MISP as a community instance for their members and incorporates other free and open-source software to address these topics and more!
Linux is an open-source OS; however, performing Threat Hunting on Linux using open-source software (OSS) is not easy, as only a few tools are available and maintained. A port of the well-known Sysmon tool, originally developed for MS Windows, has been made for Linux, but it suffers from several issues. In this presentation, I will introduce a brand-new open-source tool I have been working on for several months. This tool aims to be a Sysmon alternative for Linux and provides several features that Sysmon does not offer.
Even reputable vendors sometimes have a hard time consistently communicating uncertainties in a single report. This talk will highlight the challenge at the individual analyst level of working with uncertainties and communicating them. Words of Estimative Probability (WEP) and confidence levels, which address intelligence gaps, assumptions, and conclusions, may appear abstract and difficult to grasp for individuals with technical backgrounds who have transitioned to CTI from working with concrete facts. The presentation will explore various approaches to communicating uncertainties, showcasing their respective advantages and disadvantages for different types of threat report consumers.
Keeping IoCs usable and the base where they are stored clean over time is an important challenge. ANSSI/CERT-FR will present the tooling developed internally and used by CTI analysts in order to verify their quality and normalization before they are pushed into MISP.
Another year has passed since the last CTI Summit, with MISP having gone through a long list of changes and extensions - this talk aims to summarise what has happened since October 2022 as well as giving a glimpse into what the core team has in store for the community in the near future.
Research in the field of bypassing AV solutions and the role of cryptography in malware development. Application of classical cryptographic algorithms for payload and C2 communication encryption. Practical research has been carried out: the results of using Skipjack, TEA, Madryga, RC5, A5/1, Z85, DES, mmb, Kuznechik, etc. encryption algorithms have been analysed. The application of cryptography based on elliptic curves is also being researched. How does all this affect the VirusTotal detection score, and how applicable is it for bypassing AV solutions (AV bypass)? In some of the researched practical cases, we get FUD malware. Bypassing Kaspersky, Windows Defender and ESET NOD32 in some practical cases.
Reverse engineering and code reconstruction with malware development tricks from ransomware and malware like Conti, Snowyamber, Paradise Ransomware, CopyKittens, etc. Discover new tricks from Russian APT29 related malware.
MISP is an amazing platform for collecting and maintaining your CTI data and context, but it can also be useful in daily hunting engagements, incident response cases, standard SecOps and other scenarios, without giving your infrastructure or outsourcing partners access to the context in MISP.
On the basis of a proprietary crypto library that was used for "securely" storing medical history, I would like to give an introduction to reverse engineering cryptographic functions by three different approaches: black box, dynamic instrumentation with Frida and static analysis with Ghidra.
In this talk, we will dive into exclusive data collection and analysis techniques specific to this decentralized network. We'll also take a quick tour of IPFS's wide range of applications and provide practical tips and tricks to help you secure your organization.
The threat groups from North Korea, known as Lazarus, are highly active and pose a significant danger to various industries worldwide. With over 20 years of experience in cybersecurity, I have focused on investigating incidents and providing detailed reports to my clients. Through my extensive research, I have accumulated a vast knowledge base concerning their TTPs and aliases.
Since the early 2000s, they have been primarily targeting South Korea and gained global recognition in 2014 during Operation Blockbuster. From 2015 onwards, they expanded their scope to focus on the financial and cryptocurrency sectors, carrying out large-scale ransomware attacks and extortion campaigns. Additionally, they have pursued sensitive information by targeting industries such as nuclear, defense, and aerospace. They exhibit exceptional skills in compromising supply chains, executing drive-by download attacks, exploiting remote services, and conducting phishing campaigns. They possess a remarkable ability to quickly adapt and optimize their attacks for specific targets.
The cybersecurity community, including myself, maintains a vigilant watch over their activities. As a supplementary initiative, I maintain a website (https://lazarus.day) that catalogs their various aliases and posts related to them. Since 2009, there have been over 1500 posts by almost 300 authors. He is everywhere.
Stop the countdown timer and dismantle the bomb by cutting the correct cable.
Cerebrate is just about to turn 2, since its 1.0 release in October 2021. Like most two-year-olds, it is finally free to roam around the living room and have a lasting impact on its surroundings.
Having undertaken a journey of transformation and become operational in most of the aspects for which it was originally intended, this talk aims to walk participants through the changes as well as giving some insights into how Cerebrate is changing how we manage our communities.
In this presentation, we will delve into the interesting Ukraine-Russia conflict over the past year and uncover the emerging challenges in cyber threat intelligence and its critical importance to detection engineering, validation, and organizational resilience. Explore the impact of cyber warfare on global security dynamics and gain valuable insights into the intersection of geopolitics and cybersecurity. Join us for a brief but enlightening journey through this evolving landscape.
In this talk we invite you to follow our journey from a small virtual team of CTI enthusiasts with other responsibilities to an established CTI function in a cyber defense organization of a large company.
Where are the CSAM hashsets?
Cobalt Strike v4.9 was released mid-September, but leaked less than a month later. Let's dive into this presumed blow to the vendor.
With all the leaked credentials found in the wild, most of them are outdated or just a compilation of smaller dumps. Are they really used against you?
Some lessons learned and anecdotes from spending several years sharing threat intelligence related to potential fraud / compromise.
Recently Sigma got a bunch of updates, time to keep you updated!
Risks of some new precious connected devices
An Introduction to ARM64 Assembly and Shellcode is a workshop for those interested in getting a quick start into the world of 64-bit ARM binary exploitation. ARM64 is in several ways vastly different from ARM32.
In this bring-your-own-laptop workshop, participants will get to learn the key differences between ARM32 and ARM64 from an assembly language perspective, get some hands-on introduction to writing simple ARM64 assembly code, working with a debugging environment and concluding with writing their own ARM64 shellcode.
Command & Control is a cornerstone of any attacker's infrastructure, whether they are affiliated with state actors (APTs), cybercriminals, or legitimate Red Team operators.
"Customize Your Own C&C" is a 4-hour workshop designed for those interested in quickly diving into the world of Command & Control design and architecture, and learning how to develop their own implant using a well-known open-source framework.
In this bring-your-own-laptop workshop, participants will have the opportunity to learn about the architecture and design of a well-known open-source framework as an example. They will also receive a comprehensive, hands-on introduction to designing a simple custom implant. This will involve working with two already prepared virtual machines and culminate in the creation of their own integrated x64 implant (utilizing a C++/Python wrapper).
CIRCL, CERT.PL and other JTAN project partners will present a data sharing network built in the JTAN project. The talk will showcase open source tools used as a backbone of the network and the operational value of the data exchanged.
It is time consuming and frankly only moderately interesting to handle the submission and treatment of spam and phishing that people would like to report to you, either because it is your job or because you're that person who knows computers in your family or friend group.
In this workshop, we will show how to integrate open-source tools that will make your life easier, empower the people reporting things to you, and hopefully reduce your workload.
Cyber threat intelligence (CTI) analysts are inundated daily with new Indicators of Compromise (IOCs) to analyze. Due to the ephemeral nature of IOCs, analysts must analyze IOCs promptly to understand if an IOC is usable.
IOC validation is one of the most time-consuming and frustrating aspects of analyzing an IOC. By optimizing IOC validation, an analyst can produce much more timely intelligence.
In this session, you will learn first-hand how to turbocharge the validation of IOCs, thus saving you precious time and helping you prioritize your time to focus on high-value IOCs and creating both timely and actionable intelligence.
This talk will present how Suricata, an open source IDS and NSM engine, can provide high-performance matching of IOCs on live traffic using a feature named dataset. It will also cover how the produced NSM events can be used to do IOC matching on past traffic data, and will present the IOCMite tool that links Suricata and MISP.
Post Exploitation Frameworks are not only the swiss army knife for Red Teamers, but also in heavy use by cybercriminals and even state actors. Many artifacts, like Beacons/Badgers or Stage Loaders end up on platforms like VirusTotal.
Out of frustration with the many manual process steps needed to get decent insights about these hunted artifacts, the PXF-X framework was born.
Nowadays structured firmwares can be a complete OS with thousands of files. It usually requires several hours to find the links between some components, and it is easy to get lost in this mass of information.
This talk will introduce how we have combined and extended already existing open-source solutions to solve this issue and help reversers in their daily tasks. The resulting tool, Pyrrha, allows users to visualize the different binaries and libraries of the firmware and their interactions in the form of several dependency graphs.
This workshop offers an introduction to Blockchain/Web3 OSINT, including extracting and analyzing on-chain and off-chain data.
YARA is a commonly used tool to detect and identify malware. There are roughly two types of YARA rules used on binary files: 1) based on metadata and strings and 2) based on code.
There are certain benefits by basing YARA rules on code. Since code reuse is frequent amongst binaries of a malware family, it offers plenty of options to base a YARA rule on. If the chosen code is heavily reused amongst the binaries, then it can result in very robust rules.
This approach comes with certain challenges. A key aspect is being able to find heavily reused code amongst many binaries of a malware family. Unless some sort of automation is at play, this quickly becomes difficult and time-consuming. Once suitable reused code is identified, it needs to be turned into a YARA rule, so that it works even when compiler differences, optimizations or instruction set changes are involved.
In this workshop we will create robust YARA rules for a handful of malware families based on automatically identifying shared code between many binaries of a family.
Telecom operators are at the heart of our societies, and all the citizens have a mobile phone today, which makes the operators an ideal target. This presentation will get more in depth into specific threat actors which are supporting the work of global surveillance companies.
Crowdsec is building the largest CTI, crowdsourced by an open source security engine solution. With the help of machine learning algorithms, we analyze this data to detect and classify cyber threats in near real time.
In cybersecurity, CTI and SOC teams often sit next to each other. The CTI team accumulates an impressive amount of threat intelligence, including technical IOCs. On the SOC side, an even more impressive amount of data is collected in data lakes, by now data oceans (logs, telemetry, network flows or traffic, etc.).
MISP has been available for years as a Threat Intelligence platform and has greatly facilitated sharing across the security community, mainly between CTI teams. In particular, MISP allows an organisation to have an IOC data set ready to be used.
Still, SOC teams rather often struggle to consume those IOCs in their monitoring and detection platforms, and even more to feed new findings or sightings from the alerts or retro searches run on the SOC platforms back into MISP.
MISP42 is an open-source app developed to help SOC teams using the Splunk platform make the use of IOCs from MISP an easy workflow that can be automated.
Yeti is an open-source platform dedicated to the curation and management of operational threat intelligence, geared towards incident responders and forensic practitioners. It's written in Python and has been maintained since ~2017.
It consists of several modules:
- a graph database & search engine
- a threat feed ingestion engine
- a data enrichment module (e.g. sandbox information, domain resolution, IOC extraction...)
- signature management (YARA, Sigma, etc.)
- high-level entity management (threat actors, TTPs, campaigns) to tie everything together in a neat graph database.
Yeti has existed since 2017, is used both in industry and academia, and has recently been undergoing several big changes, which we would like to present at CTI-Summit 2023:
During almost a decade of our malware analysis experience in cert.pl, we have tried many different approaches. Most of them failed but we have learned a lot about what works and what does not. Finally, after several years of development, we publicly released a bunch of projects that we are proud of: a complete open-source malware repository and analysis platform.
The workshop will provide a practical, hands-on introduction to all aspects of the platform:
mwdb: community-based online service for analysis and sharing of malware samples. The service is freely available to white-hat researchers and provides fully-automated malware extraction and botnet tracking.
mwdb core: self-hosted repository of samples and all kinds of technical information related to malware configurations.
karton: microservice framework for highly scalable and fault-resistant malware analysis workflows. We will explain the installation and configuration quickly and spend the rest of the time on adapting workflows to the karton framework.
malduck: our library for malware extraction and analysis. We will explain how to use it effectively and how to create your own modules.
All components are already available on our GitHub page: https://github.com/CERT-Polska/training-mwdb.
Cyber capabilities have been used for military purposes for more than two decades. But the digital operational area of States is no longer limited to cyber operations. In line with the global trend toward digitalization of our societies, armed forces around the world are developing innovative strategies to exploit the digital sphere in more complex ways than ever before. As a result of these developments, the line between civilians and combatants as well as between civilian objects and military targets, is in danger of becoming blurred. In particular, it is now easier than ever to involve civilians in military cyber operations and to harm them using these means. And the more the military is relying on cables, satellites or clouds that are originally designed for civilian use, the more likely it becomes that this infrastructure will be exposed to harm during armed conflicts, with significant adverse consequences on civilians.
Volexity has recently uncovered ongoing campaigns by EvilEye, a Chinese state-backed threat actor, targeting three of the five groups the Chinese Communist Party (CCP) refers to as the “Five Poisons”. The targeted groups are members of the Tibetan community, the Uyghur ethnic group, and Taiwanese nationals. Volexity's research has identified both currently active and historic activity for these campaigns. Volexity also identified related campaigns from this threat actor specifically targeting the Uyghur ethnic group back in 2019 and 2020.
The ongoing campaigns consist of two elements, malicious mobile applications and fake websites, which are created by the attacker to facilitate exploitation of end users by way of zero or n-day exploits. The three Android malware families being deployed include new versions of BADBAZAAR, as well as two previously undocumented families. In addition to these Android malware families, there is compelling evidence that EvilEye has developed an iOS implant and tried to distribute it via the Apple App Store.
This presentation outlines the current, ongoing campaigns; delves into the technical details of the Android malware families involved; discusses the threat actor's command-and-control (C2) infrastructure and configuration; and reveals how the threat actor builds communities to distribute their malware through trusted platforms. The presentation also explores overlaps between the campaigns and explains links to historic activity.
In this 2 hour workshop, we will use new tools developed by Didier Stevens to deal with malicious Cobalt Strike beacons.
There used to be a time when a blue teamer could say: "this sample I just analyzed is a Cobalt Strike beacon: I'm sure this is a pen test".
That is no longer the case: Cobalt Strike has become very popular with common criminals, and even some APT crews. Nowadays, if you encounter a Cobalt Strike sample, your organization is more likely to be under real attack than under simulated attack.
VPN Always-On is a security control that can be deployed to mobile endpoints that remotely access corporate resources through VPN. It is designed to prevent data leaks and narrow the attack surface of enrolled end-user equipment connected to untrusted networks. When it is enforced, the mobile device can only reach the VPN gateway and all connections are tunnelled.
We will review the relevant Windows API, the practicalities of this feature, and look at popular VPN software; we will then consider ridiculously complex exfil methods and... finally bypass it with unexpectedly trivial tricks. We will exploit design, implementation and configuration issues to circumvent this control in offensive scenarios. We will then learn how to fix or harden VPN Always-On deployments to further limit the risks posed by untrusted networks.
Since the beginning of the Ukrainian invasion, we have seen a renaissance of innovation making threats to operational technology (OT) systems more streamlined than ever before. Such activity is reflected in a quick turnaround in the development of malware and capabilities to target OT systems. In this talk, I will provide an overview of the evolution of OT threats since the eve of Ukraine’s invasion and discuss its implications for defenders. Among other topics, I will share recent findings about documentation hinting on Russia’s development of OT cyber capabilities, and newly disclosed OT malware families such as INCONTROLLER, INDUSTROYER.V2 and COSMICENERGY.
This talk presents a strict analysis of technology, policy, international law, and cyberwarfare, focusing on the realities of armed conflict in cyberspace. Ukraine and other events in Central and Eastern Europe will provide food for thought and a case study. The main premise is grounded in sound analysis of rules, strategies, and the mechanics of conflicts.
Some relevant points to consider follow. What's the relevance to the armed conflict areas? What's the relevance to the countries that are non-neutral in a conflict? Should companies prepare in any way, and if so, how? Are there particular risks to IT companies, IT administrators, developers, software engineers, security engineers?
It's made possible by today's open-source community, and a vast number of people are now rethinking the way we learn. Let's engage with this!
In this talk we showcase how to interact with a Velociraptor server from Tenzir pipelines, speeding up DFIR work by flexibly processing the output of hunts.
Introducing 🌊TIDeMEC: Threat Informed Detection Modelling and Engineering as Code, the platform powering DIGIT S2 CATCH Detection Engineering operations, planned to go open source for the benefit of the SOC community in Europe and beyond.
Deming is a tool for managing, planning, tracking and reporting the effectiveness of security controls.
Lightning Talk - A quick intro of the Belgian Military Cyber Reserve.
Until now, two worlds have mostly ignored each other: the resolution of a software package dependency tree or graph to meet functional constraints, and the search for package versions that are not subject to known, published vulnerabilities (aka CVEs). What if we could combine the functional version range constraints from software developers with the known vulnerable version ranges from security specialists?
Stop the countdown timer and dismantle the bomb by cutting the correct cable.
With the increasing adoption of the embedded SIM (eSIM) or embedded Universal Integrated Circuit Card (eUICC), new connectivity opportunities and conveniences are emerging for users. However, with these advances emerge new potential vulnerabilities and security implications. This presentation will shed light on the yet unexplored attack surface of eSIM technology and highlight the potential risks and challenges of this now widely deployed technology. Support for eSIM is now available in modern mobile phones and also in popular desktop devices such as Lenovo ThinkPads running Microsoft Windows 10 and 11. By exploring the intricacies of eSIM security, we aim to raise awareness of the potential for offensive operations, both against the technology itself and in post-compromise situations.
A modern armed conflict has an increasingly elaborate cyber dimension substituting or complementing conventional military operations and originating from both state and non-state parties. Often non-state groups are engaging alongside (and including on behalf of) states in international conflicts without sufficient knowledge of the international law designed to avoid unnecessary harm to civilians and often become victims themselves as de facto parties in a given conflict. They may also deliberately ignore the rules due to sufficiently plausible deniability. Yet, the results of their action to support any of the officially combatant parties, especially targeting civilian objects (including hospitals, schools, community centres etc) might lead to unnecessary casualties as well as otherwise undesirable escalation of the conflict.
With a rich choice of examples of such activities in the current conflict in Europe, it seems an important moment to discuss the understanding of ethical limits to non-state actor behaviour in the use of ICTs to ultimately reduce the activity targeting civilians and the chances of undesirable escalation.
pySigma and Sigma CLI are complete rewrites of the legacy sigmatools and sigmac projects, which will be retired at the end of the year. In this workshop you will learn the new concepts introduced and how these new tools can be used and extended by new target query languages.
An investigation of the risks of public charging stations, including a POC that charges a phone, mirrors HDMI, and extracts passwords being typed on the mobile device.
Many file formats (like MP3) were designed around a great idea but a very bad format, leading to many hurdles, headaches and mistakes.
This talk will introduce the typical mistakes made when conceiving a file format, and during its evolution.
This talk will give feedback on the deployment of an ACME proxy in front of a private Certificate Authority (CA). I will explain the caveats of our private CA setup and why we decided to add ACME to our corporate CA architecture. I will then expose the expected (and unexpected!) benefits of using this Internet security protocol inside your corporate network. Finally, some new opportunities proposed by the industry and relying on ACME used inside corporate networks will be covered.
With the growth of modern media and AI technologies, have you ever wondered what damage could be done if a picture of your eyes ends up in the hands of a malicious user?
In this presentation we dive into threats of exposed biometric data, show how the data can be obtained and abused by malicious users, and what damage can be done once their data is exposed. Such compromised identities are already used in financial crimes, to bypass modern security systems and procedures and also in public opinion manipulation campaigns - which can include critical events, street protests, and elections. But the impact of our exposed data is set to go beyond these in the coming years, and in this talk we discuss the difficulties and work-arounds for these emerging threats.
Local file inclusion methods in PHP have evolved over time; there are two main objectives when exploiting them:
- Getting remote code execution by including files containing PHP via the include() or require() functions.
- Leaking local files such as PHP sources or configuration files via the file_get_contents() or file() functions, for example.
In the past, the following requirements had to be met to exploit a local file inclusion.
To get remote code execution you could inject information into log files and include them, or control a variable in your PHP session to poison the session file. But in most cases, you needed to be able to upload a file to the system.
To leak local files, it was required to either fully control the path pointing to the file to leak, or to have a path traversal to go up in the file tree. Most importantly, it was mandatory for the server to send its content back to you in the response.
In both cases, the affected functions support several wrappers, the most iconic being file://, which is a prefix before a file path. Other wrappers such as php://filter can be passed to these methods; for example, it was well known to allow leaking PHP sources by base64-encoding them (e.g. php://filter/convert.base64-encode/resource=index.php).
In a 2021 CTF write-up by loknop, this wrapper was actually proven to be much more useful. Indeed, it allows setting the encoding of contents passing through it, and most importantly chaining an arbitrary number of encodings, leading to the generation of arbitrary data at the start of a file. In this presentation, the full process will be explained with examples allowing, for instance, the generation of interesting prefixes to a file's content, such as '<?php system("id"); ?>', therefore removing the need for a file upload when exploiting the include() or require() functions to get remote code execution (if the full path is controlled).
In 2022, hash_kitten showed that it was also possible to use PHP filter chains as an error-based oracle when used in many built-in functions, such as file_get_contents(). This method chains encodings that make the content size of a file grow exponentially, triggering a PHP memory_limit exhaustion. By using other filters, the first character of the file content can also be determined. By using other encodings it is also possible to rotate the chain order to retrieve characters that are located further away in the content.
Using this error-based oracle, it is therefore possible to leak the entire file content without having PHP serve it in a server response.
ONYPHE & ESIEA partnered to create an assessment of satellite modems and their current state of vulnerabilities. We will discuss different brands, give a picture of how many of them are exposed on the Internet, and give some numbers on their vulnerabilities.
In December 2021, the media and the public discovered the "famous" Log4j vulnerability.
They realized that any product or website built on shared software libraries and components can become vulnerable to cyber attack.
Companies in the technology sector producing software had to face the same "disease or scary movie": a small library used everywhere damaged almost all software and websites.
At the time, some companies believed they were prepared because they had a PSIRT, a CSIRT or a CERT; the others had to "improvise, resolve and learn".
Today's main questions of interest:
- Do we all remember (the good and bad parts of the experience)?
- Have we realized it is a miracle the PSIRT teams survived the experience?
- Have we learned the lessons of what happened with Log4j?
- Are we now prepared for when (and not if) a new "vulnerability scary movie" comes back?
The world is awash in large-language-model (LLM) AI (e.g. ChatGPT) news, predictions and, of course, content (all for good and ill). This talk takes a step back from the posturing and hype to look at how these models work and how to detect the content they produce. We will look at the fundamentals of LLM-generated text detection and compare the best-in-breed detectors, GPTZero, RoBERTa and OpenAI's detector, with a novel detector, ZipPy.
ZipPy is a new, open-source LLM text detector developed by Thinkst Labs that is 60-100x faster than the competition, over 1000x smaller (< 200KB) and, for many types of content, more accurate. We will explain the intuition behind ZipPy, show how it works, and cover the types of content it struggles with. Finally, we look at where LLMs can improve their stealth, and at fundamental shortcomings in their designs that enable detection in the long term.
DFIRTrack (Digital Forensics and Incident Response Tracking application) is an open source web application focused on handling major incidents with many affected systems. This workshop will show you how to use DFIRTrack in an efficient way using the various features.
Stop the countdown timer and dismantle the bomb by cutting the correct cable.
Both Android and iOS interact with the user through a constrained graphical interface, typically occupied mostly by one application at a time while many others run in the background. As a result, a user must rely on the GUI provided by the application itself to verify its legitimacy. This has raised concerns within the security research community that have proved well founded, judging from the fact that multiple malware campaigns use GUI confusion as their main attack vector.
In this paper we present a novel GUI attack that leverages the fact that an Android activity maintains its graphical state and can receive touches while it is at the top of the back stack of the device home screen. Whereas most of the techniques introduced so far require the SYSTEM_ALERT_WINDOW permission, the one we present is permissionless and makes use only of the FLAG_NOT_TOUCH_MODAL flag.
Using this technique, we were able to create overlapping views over system dialogs, luring the user into unintentionally approving dangerous permissions and access to system services. Third-party applications are also at risk, as it is possible to garble their UI by projecting fraudulent views that ostensibly belong to the targeted application's context. For the latter to succeed, the PACKAGE_USAGE_STATS permission must be obtained in order to identify the application currently in the foreground.
Google addressed the issue (CVE-2021-39617) by not dispatching touches to critical decision windows that are fully or partially obscured, but third-party applications are still affected.
Using outdated technologies and old methods to sabotage and engage companies and what can be done about it
A Tool to Detect Fraudulent Token Contracts on Ethereum Blockchain
Writing Suricata signatures is seen by some as a form of art and by most as a nightmare. This talk will introduce Suricata Language Server, an implementation of the Language Server Protocol (LSP) that gives you syntax checking and performance hints from your IDE while writing Suricata signatures.
The lightning talk will introduce an LLM-guided privilege-escalation tool designed for evaluating different LLMs and prompt strategies against a novel pen-testing benchmark.
TL;DR: you got a new pentesting buddy who can help you hack away.
CVE-2023-29552 is a recent high-profile vulnerability that allows for one of the most powerful, and still working, reflective amplification denial-of-service attacks.
Someone has been having fun and we can see it.
Editing DER-encoded ASN.1 structures is tedious work when done manually.
Solutions to this problem exist. For instance, der-ascii [0] is a tool written in Go that converts back and forth between DER structures and a textual representation using a custom language.
I present a fairly short Perl script [1] that leverages the OpenSSL configuration language together with the ASN1_generate_nconf(3) function to achieve the same goal with almost no dependencies apart from Perl and OpenSSL.
This tool can be used to ease the exploitation of CVE-2022-0778 [2] & [3].
[0] https://github.com/google/der-ascii
[1] https://github.com/wllm-rbnt/asn1template
[2] https://www.openssl.org/news/secadv/20220315.txt
[3] https://github.com/drago-96/CVE-2022-0778#using-asn1-templates
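As an added illustration of the OpenSSL configuration language the abstract refers to (example code written for this page, not the asn1template script): the config text below follows the documented ASN1_generate_nconf(3) syntax, `openssl asn1parse -genconf` turns it into DER, and walk_der() is a minimal TLV walker written here to inspect the result. The structure being encoded is a constructed example, generate_der() assumes an `openssl` binary on PATH and returns None otherwise, and the walker handles only single-byte tags.

```python
"""Generate DER from an OpenSSL ASN1_generate_nconf-style config and walk it.

Added example, not the asn1template tool. Assumes `openssl` is on PATH for
generate_der(); walk_der() needs nothing but the DER bytes.
"""
from __future__ import annotations

import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed example: SEQUENCE { INTEGER, UTF8String, OBJECT IDENTIFIER, OCTET STRING }.
CONFIG = """\
asn1 = SEQUENCE:root

[root]
version = INTEGER:1
name = UTF8String:asn1template
alg = OID:1.2.840.113549.1.1.1
data = FORMAT:HEX,OCTETSTRING:deadbeef
"""


def generate_der(config: str) -> bytes | None:
    """Encode `config` with `openssl asn1parse -genconf`; None if openssl is absent."""
    openssl = shutil.which("openssl")
    if openssl is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp, "gen.cnf")
        out = Path(tmp, "out.der")
        cfg.write_text(config)
        subprocess.run(
            [openssl, "asn1parse", "-genconf", str(cfg), "-noout", "-out", str(out)],
            check=True, capture_output=True,
        )
        return out.read_bytes()


def walk_der(data: bytes, depth: int = 0) -> list[tuple[int, int, int, bytes]]:
    """Return (depth, tag, length, value) for every TLV element, descending into
    constructed types (tag bit 0x20). Short and long-form lengths are handled;
    the high-tag-number form (tag & 0x1f == 0x1f) is rejected."""
    items = []
    i = 0
    while i < len(data):
        tag = data[i]
        if tag & 0x1F == 0x1F:
            raise ValueError("high tag number form not supported")
        length = data[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated DER element")
        i += length
        items.append((depth, tag, length, value))
        if tag & 0x20:
            items.extend(walk_der(value, depth + 1))
    return items


def pretty(items: list[tuple[int, int, int, bytes]]) -> str:
    """Render the walker's output roughly like `openssl asn1parse` does."""
    names = {0x02: "INTEGER", 0x04: "OCTET STRING", 0x06: "OBJECT",
             0x0C: "UTF8STRING", 0x30: "SEQUENCE"}
    lines = []
    for depth, tag, length, value in items:
        label = names.get(tag, f"tag 0x{tag:02x}")
        body = "" if tag & 0x20 else f" {value.hex()}"
        lines.append(f"{'  ' * depth}{label} len={length}{body}")
    return "\n".join(lines)


if __name__ == "__main__":
    der = generate_der(CONFIG)
    if der is None:
        print("openssl not found; walking a hand-built SEQUENCE instead")
        der = bytes.fromhex("30080201010c03414141")  # SEQUENCE { INTEGER 1, UTF8String "AAA" }
    print(pretty(walk_der(der)))
```

Editing then means changing a line of the config and re-running the generation, which is the workflow the abstract contrasts with hand-patching lengths in DER.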
In today’s interconnected world, organisations rely on a complex network of suppliers, providers, and contractors to deliver software, hardware, and services. However, this very interconnectedness poses a significant cybersecurity risk – supply chain attacks. In this lightning talk, we will share some insights & thoughts on managing and securing an organisation’s supply chain.
On a Linux system we will prepare a USB stick with three little test files, 'test1.txt', 'test2.txt' and 'test3.txt', each with some small test content inside. If the spooky USB stick is connected to a Windows-based PC (VM guest), it is mounted and we see three '.txt' files. But their content is different and does not match the content we created on the Linux PC.
Analyzing the stick with different tools leads to confusing results that do not help to understand what is going wrong. The idea of this workshop is to give students the knowledge to build their own spooky USB stick.
In this 2 hour workshop, Didier will start with a quick intro to CyberChef, with some simple exercises, and then we will setup a development environment for CyberChef.
In this environment, we will start with simple exercises (enhancing existing operations) and then move on to creating your own operations from scratch.
The operations will focus on blue team activities, like assisting with the analysis of malware.
Stop the countdown timer and dismantle the bomb by cutting the correct cable.
This workshop will showcase a suite of free and open source tools to leverage threat intelligence in DFIR investigations. Participants will set up a full forensics pipeline, including collection (GRR), processing (Plaso), analysis (Timesketch) and orchestration (dfTimewolf). In addition, they will use Yeti to augment their processing and analysis with threat intelligence.
The workshop will last two hours and is open for anyone to attend. Experience installing packages on Linux and using the Linux CLI in general is required. Experience running and managing Docker containers would be a nice addition.
Participants will be given an initial list of Docker containers to pull and set up before the workshop.
[UPDATE] Here's the list! https://docs.google.com/document/d/1TKqOleH2rdtPjybUt3PYybJ7RrH59kqaHnmywJhRPGk/preview
[UPDATE2] Here's the slides with the links to everything: https://docs.google.com/presentation/d/1_IIhazlZF4Nxa_fn4YJ0SieFPJGzP91OwuAO4LIUWOg/edit#slide=id.g24fcb0d3240_0_70
Over the past 20 years there have been three waves of Bluetooth (BT) security research. The first wave peaked in 2004 and ended rather abruptly after 2005. Then, for a long time, there was very low interest and activity. That began to change around 2011 with the release of BT Low Energy (BLE) and the Ubertooth One, but that wave too petered out around 2015. We are now living in the third wave, and it is far larger than the past ones.
In this talk I will be releasing a TiddlyWiki-based, semantically tagged timeline of BT security research. Talks have been tagged by author, conference and date, but also by talk type (attack? defense? reverse engineering? overview?), attack surface (L2CAP? BLE LL? ACL-C?), execution environment (Android? Windows? Texas Instruments firmware?), etc. This organized data affords interesting insights into the most important authors, tools, organizations and attacks.
I will spend the majority of the time talking about some of the extremely critical vulnerabilities (especially protocol-level vulnerabilities) that have been released in the third wave. These are vulnerabilities that, despite ostensibly being patched, in reality mean that anything with infrequent or non-existent firmware updates is going to remain hackable indefinitely.
Since February 2023, we have observed an attack campaign using MSIX files. The MSIX format is the successor to MSI, but many people are unaware of its existence and, needless to say, of any abuse cases.
This session will first introduce basic information on MSIX, such as the file format, basic behavior and creation method, followed by cases of MSIX abuse. Specifically, we will detail attacks conducted by a financially motivated threat group called SteelClover, and in particular the role of the Package Support Framework (PSF). The session will contribute to a better understanding of the attack flow and behavior through specific attack cases abusing MSIX files.
Finally, we will discuss detection and defense techniques against attacks that exploit MSIX files, including detection logic available for EDR solutions. This session will enable SOC analysts, IR team members, CSIRT personnel and others to gain a deep understanding of the specific attack cases and behavior abusing MSIX files, and to take concrete countermeasures.
Crowdsec is an open-source IDS/IPS, and we recently added a detection capability based on Bayesian inference, a technique long used to detect email spam. We show that this old and simple tool is still incredibly powerful, and present how other threat analysts can improve their threat detection using Bayesian inference.
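As an added illustration of the kind of Bayesian inference the abstract refers to, the following is a multinomial naive Bayes classifier run over web-server access log lines. It is example code written for this page, not CrowdSec's implementation: the log lines are constructed, the labels are assigned by hand, and the choice to tokenize the request path (keeping ".." and "//" as tokens) is a decision made here, not a CrowdSec feature.

```python
"""Naive Bayes request classifier over access-log lines (added example).

Not CrowdSec's code. Training data is constructed and hand-labelled; the
tokenizer and the add-one smoothing are choices made for this illustration.
"""
from __future__ import annotations

import math
import re
from collections import Counter

# Word tokens plus '..' and '//' kept as tokens, because traversal and
# wrapper URLs are exactly what we want the model to notice.
TOKEN_RE = re.compile(r"[a-z0-9]+|\.\.|//")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/')

# Constructed combined-log-format lines, hand-labelled; not real traffic.
TRAINING = [
    ('198.51.100.7 - - [01/Oct/2023:10:00:00 +0000] "GET /wp-login.php?user=admin HTTP/1.1" 200 512', "malicious"),
    ('198.51.100.7 - - [01/Oct/2023:10:00:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512', "malicious"),
    ('198.51.100.7 - - [01/Oct/2023:10:00:02 +0000] "GET /.env HTTP/1.1" 404 0', "malicious"),
    ('198.51.100.7 - - [01/Oct/2023:10:00:03 +0000] "GET /cgi-bin/test.cgi?cmd=id HTTP/1.1" 404 0', "malicious"),
    ('198.51.100.7 - - [01/Oct/2023:10:00:04 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 900', "malicious"),
    ('203.0.113.5 - - [01/Oct/2023:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048', "benign"),
    ('203.0.113.5 - - [01/Oct/2023:10:01:01 +0000] "GET /static/css/main.css HTTP/1.1" 200 8192', "benign"),
    ('203.0.113.5 - - [01/Oct/2023:10:01:02 +0000] "GET /api/v1/users?page=2 HTTP/1.1" 200 1200', "benign"),
    ('203.0.113.5 - - [01/Oct/2023:10:01:03 +0000] "GET /images/logo.png HTTP/1.1" 200 4096', "benign"),
    ('203.0.113.5 - - [01/Oct/2023:10:01:04 +0000] "GET /blog/2023/hello-world HTTP/1.1" 200 3000', "benign"),
]


def tokenize(path: str) -> list[str]:
    return TOKEN_RE.findall(path.lower())


def request_path(line: str) -> str:
    """Pull the request target out of a combined-log-format line."""
    m = REQUEST_RE.search(line)
    if not m:
        raise ValueError(f"no request in line: {line!r}")
    return m.group(1)


class NaiveBayes:
    """Multinomial naive Bayes with Laplace (add-one) smoothing."""

    def __init__(self) -> None:
        self.tokens = {"malicious": Counter(), "benign": Counter()}
        self.docs = Counter()
        self.vocab: set[str] = set()

    def train(self, path: str, label: str) -> None:
        toks = tokenize(path)
        self.tokens[label].update(toks)
        self.docs[label] += 1
        self.vocab.update(toks)

    def log_score(self, toks: list[str], label: str) -> float:
        """log P(label) + sum log P(token | label), unnormalized."""
        counts = self.tokens[label]
        total = sum(counts.values())
        score = math.log(self.docs[label] / sum(self.docs.values()))
        for t in toks:
            score += math.log((counts[t] + 1) / (total + len(self.vocab)))
        return score

    def p_malicious(self, path: str) -> float:
        """Posterior P(malicious | path), normalized over the two classes."""
        toks = tokenize(path)
        lm = self.log_score(toks, "malicious")
        lb = self.log_score(toks, "benign")
        return 1.0 / (1.0 + math.exp(lb - lm))


def build_detector() -> NaiveBayes:
    nb = NaiveBayes()
    for line, label in TRAINING:
        nb.train(request_path(line), label)
    return nb


def score_line(nb: NaiveBayes, line: str) -> float:
    return nb.p_malicious(request_path(line))


if __name__ == "__main__":
    nb = build_detector()
    for line in (
        '10.0.0.9 - - [01/Oct/2023:11:00:00 +0000] "GET /index.php?page=../../../../../../etc/shadow HTTP/1.1" 200 512',
        '10.0.0.9 - - [01/Oct/2023:11:00:01 +0000] "GET /static/js/app.js HTTP/1.1" 200 4096',
    ):
        print(f"{score_line(nb, line):.4f}  {request_path(line)}")
```

Two properties carry over to production use: the posterior is dominated by repeated rare tokens (six ".." tokens push the traversal request to near-certainty), and a request made only of never-seen tokens falls back to the priors plus the smoothing term, so the threshold you alert on should be chosen from the score distribution of your own traffic rather than fixed at 0.5.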
The talk will demonstrate how to use Sysdiagnose for forensic purposes on Apple devices. Sysdiagnose is a tool that was originally intended for other purposes.
The presenters will share hands-on experiences with the audience, including what works and what does not work with this approach.
Incident responders will leave the talk with a deeper understanding of Sysdiagnose and a novel tool in their IR arsenal.
We propose to provide an overview of the maritime sector's cybersecurity, its strengths and weaknesses, the attacks that are taking place and the initiatives being taken to deal with them.
MISP has been a widely used open source CTI platform for the past decade, with a long list of tools that allow users to customise the data models and contextualisation of the platform, yet true customisation of the actual workflows and processes had to be done externally using custom scripts.
With the introduction of MISP workflows, this has changed and the workshop aims to walk the audience through some of the potential ideas of how one could adapt the tool to their own CSIRT’s or SOC’s workflows by using some hands-on examples during the session.
This talk delves into the captivating story of DuckTail, a notorious infostealer operation that emerged as one of the prominent threats in 2022 and 2023. With a global reach, DuckTail effectively targeted both individuals and organizations, leveraging customized malware and innovative delivery techniques. Thriving in the remote work landscape driven by the COVID pandemic, DuckTail's success did not shield them from committing critical operational security (OPSEC) mistakes. These lapses ultimately led to the complete exposure of their operation and the individuals responsible for it. Join me as we explore the gripping pursuit of these cybercriminals, unraveling their intricate methods and providing an exceptional glimpse into the workings of a criminal enterprise.
Linux is an open-source OS; however, performing Threat Hunting on Linux using open-source software (OSS) is not easy, as only a few tools are available and maintained. A port of the well-known Sysmon tool, originally developed for MS Windows, has been made for Linux, but it suffers from several issues. In this presentation, I will introduce a brand-new open-source tool I have been working on for several months. This tool aims to be a Sysmon alternative for Linux and provides several features that Sysmon does not offer.