Talks

A new secret stash for fileless malware
by: Denis Legezo

Today, attacks using fileless malware have become more complex and the actors behind them have created new advanced means of implementing them. In 2022, Kaspersky discovered the new methods used to keep the code hidden from prying eyes. For the first time, we’ve discovered that Windows’ event logs participate in the infection chain. This is concerning, as event logging exists in any installation of the most widely used operating system on the globe.

These informational messages might keep the additional binary data. The dropper saves the shellcode into the Key Management System’s (KMS) event sources information, assigning a specific category ID and incremented message IDs. Auxiliary malicious modules can then gather 8KB pieces from logs, turn these into a complete shellcode and run them.

Nevertheless, the actor’s interest in the event logs isn’t limited to just keeping the shellcodes. To hide the infection process, Go droppers also patch the ntdll.dll Windows API functions related to logging (like EtwEventWriteFull, etc.).

In our presentation, we will share the results of our in-depth research into the infection chain, containing:
- commercial pentesting frameworks
- a number of anti-detection decryptor-launchers, written in different languages
- last stage fully-fledged trojans for C2 communications and lateral movement


Alternative ways to detect mimikatz
by: Balazs Bucsay / @xoreipeip

mimikatz is detected by AVs and EDRs in different ways, mostly based on signatures and behavior analysis. These techniques are well known, but we looked into a few other things to find more exotic ways. Turns out that mimikatz by default talks to USB devices, so I created an emulated device as a user-mode driver for Windows, which is capable of detecting most mimikatz variants out-of-the-box. Another technique was implemented and will be part of the presentation, where the console communication is "sniffed", but this technique can be applied to other malware as well. Both techniques will be published and code will be open-sourced after the con.


AWSGoat : A Damn Vulnerable AWS Infrastructure
by: Jeswin Mathai, Shantanu Kale, and Sanjeev Mahunta

Compromising an organization's cloud infrastructure is like sitting on a gold mine for attackers. And sometimes, a simple misconfiguration or a vulnerability in web applications is all an attacker needs to compromise the entire infrastructure. Since cloud is relatively new, many developers are not fully aware of the threatscape and they end up deploying a vulnerable cloud infrastructure. When it comes to web application pentesting on traditional infrastructure, deliberately vulnerable applications such as DVWA and bWAPP have helped the infosec community in understanding the popular web attack vectors. However, at this point in time, we do not have a similar framework for the cloud environment.

In this talk, we will be presenting AWSGoat, a vulnerable by-design infrastructure on AWS featuring the latest released OWASP Top 10 web application security risks (2021) and other misconfigurations based on services such as IAM, S3, API Gateway, Lambda, EC2, and ECS. AWSGoat mimics real-world infrastructure but with added vulnerabilities. The idea behind AWSGoat is to provide security enthusiasts and pen-testers with an easy-to-deploy/destroy vulnerable infrastructure where they can learn how to enumerate cloud applications, identify vulnerabilities, and chain various attacks to compromise the AWS account.


Building defensive playbooks from others' misfortune
by: Chester Wisniewski

Building defensive strategies is difficult at the best of times and too often is confused by what we read in the headlines, instead of from real hands-on experience. The problem with getting the experience is that you must be victimized to gain the experience necessary to craft your defensive plans. We must learn from others to gain the experience we need before it happens to us.

Sadly, most victims don't share their stories as they are often embarrassing or show some level of negligence in keeping their data secured. This talk will condense the experience of those victims into actionable advice for defenders to use in creating their own up-to-date defensive strategies. Using the data from 144 distinct attacks in 2021, I will demonstrate the most common tools, tactics, and procedures (TTPs) used to gain access to networks and the behaviours to watch for that indicate compromise. This information was gathered by the Sophos Rapid Response team, a group of incident responders who are called in to assist victims during attacks worldwide.


China’s Cyber Capabilities: Espionage, Warfare, and Implications
by: Aaron Aubrey Ng

Over the past decade, there has been an alarming rise in the frequency and sophistication of China’s state-sponsored and state-affiliated cyberespionage activity, as well as its scope of targeting. China-Nexus Adversaries have deliberately and aggressively pursued targets across a spectrum of industries, including technology, defense, energy, healthcare, education, and other key sectors in pursuit of trade secrets and of sensitive information.

Of note, in early 2021, the China-Nexus Adversaries rapidly and effectively exploited a series of vulnerabilities in Microsoft Exchange — now collectively known as ProxyLogon and ProxyShell — to compromise email servers and consequently the sensitive information of tens of thousands of organizations around the world. Over the duration of the pandemic, Chinese cyberespionage campaigns continue to target hospitals and research institutions for data that could confer competitive advantages in science and technology, and at the same time, demonstrating emphasis on COVID-19 related research.

Coupling these recent prolific intrusions with the longstanding campaign of targeting a wide swath of industries, including insurance, travel & hospitality, government, for the purpose of acquiring sensitive personnel data, the threat that China-Nexus Adversaries pose to organizations today cannot be understated.

This session will provide insight into China’s intent and capabilities for cyberespionage and importantly what organizations can do to address this challenge effectively.


DDexec
by: Carlos Polop (@carlospolopm) and Yago Gutiérrez

Running binaries in memory from a reverse shell on the target machine is very common in Windows environments; there are dozens of different ways to achieve this, and many of them are very simple. However, in Linux environments it is not so common, nor so easy, to load things into memory from a simple bash session, for example.

In this talk we will present and show a novel technique for loading binaries and shellcodes into memory from a Linux session without the need to touch the disk, allowing not only to be potentially more stealthy, but also to bypass measures such as mounting the filesystem protected with read only and/or noexec.


Gazing into the Crystal Ball - The Fog of Cyberwarfare Escalations
by: Harshit Agrawal (@harshitnic)

Every new technology presents the possibility of new weapons, and for every new weapon, there’s a soldier hoping it will yield the ultimate advantage, although few ever do. The nature of war is never gonna change. But the character of war is changing before our eyes–with the introduction of a lot of technology, a lot of societal changes with urbanization, and a wide variety of other factors. In order to have a robust discussion about how emerging technologies may affect the proliferation of modern cyberwar, it is vital to understand these technologies. In this session, ISR techniques (intelligence, surveillance, reconnaissance), and counter-drone security serve as productive examples of technologies that we have witnessed in recent conflicts playing the role of a potential tool of exploit and will be greatly escalated in the future as well. This session provides the background and context required to assess potential challenges to this emerging cyber threat. As will be demonstrated with case studies, advancements in these areas are especially relevant because they have made it increasingly easy for Infosys to leverage these technologies to achieve its objectives and threaten the global IT/ICS ecosystem.


How Did I Get Here? I still don’t know what I’m doing: Getting into The Lifelong Adventure of Learning Cybersecurity & Incident Response
by: James Kainth (@j3st3rjames)

Where will your journey take you? My adventures have taken me from feeling confident about knowing what is normal for our computers or in our networks, to never feeling that way again and daring to innovate. Incident Response is an ever-growing field, with not enough people who can do the work. Heck, most jobs that require some form of cybersecurity are suffering from lack of support. The skills gap is REAL! If you want to learn and stay up to date with the ever-expanding world of cybersecurity, then this talk is for you. In digital forensics/incident response (DF/IR) you can peek behind the scenes of technology and learn about an entire world you never even knew was there! Think you’ve cleaned up after your ultimate hack? Think again! By starting your adventure into DF/IR you get to sleuth and learn about the artifacts attackers leave behind! Join me on this journey of self-improvement as we discover the potential cyber detectives we know we can be! Learn what the necessary skills are to get into DF/IR with James Kainth who works on a Fortune 50 Incident Response Team! Develop an action plan to get started on your journey learning DF/IR Today! While attending this session, folks will:

* Learn about the field of digital forensics & incident response
* Learn about ways to stay up to date in the cybersecurity industry
* Learn skills to tackle the imposter syndrome that comes along with being in any technical field
* Realize that Imposter syndrome can be a productive feeling if managed well
* Learn about free/open-source resources like Wazuh, ZimmermanTools, Autopsy, FTK Imager, Elastic Stack, Wireshark, and more!
* Generate an action plan and outline next steps to continue learning DF/IR
* Don’t delay … Start threat hunting today!


Human-Controlled Fuzzing With AFL
by: Maxim Grishin / Igor Korkin (@IgorKorkin)

Early detection of new bugs is crucial for all modern software products. Fuzzing techniques are applied to reveal different types of bugs and vulnerabilities. American Fuzzy Lop (AFL) is a free, most popular software fuzzer used by many other fuzzing frameworks. However, AFL has some disadvantages; the key one is that AFL verifies the program code without human intervention. However, an involved security expert can make the fuzzing process more focused. On the one hand, AFL simplifies applying fuzzing systems, but, on the other hand, the flexibility of AFL is limited. Fuzzing is based on sending generated data as input to the target application and recording how the instrumented app processes this data. Using the output of the instrumented app, AFL can regenerate new input data to go deep inside the application into the next step.

As a result of such an autonomous mode of operation, a fuzzer spends a lot of time analyzing minor code sections. To solve this problem, the paper proposes a new approach that can fuzz only the specified functions. As a result, the chosen ones will be inspected more meticulously by a fuzzer, without wasting time on inspecting minor code sections. Another new feature is to provide feedback about the inspected functions and controls, so that an expert can change which code functions need work at runtime. The developed module has been integrated with AFL and successfully responds to this challenge. This expert-controlled fuzzing with AFL shows positive test results.


Microsoft Defender Will Be Defended: MemoryRanger Prevents Blinding Windows AV
by: Igor Korkin (@IgorKorkin) and Denis Pogonin

Windows OS is facing a huge rise in kernel attacks. An overview of popular techniques that result in loading kernel drivers will be presented. One of the key targets of modern threats is disabling and blinding Microsoft Defender, a default Windows AV. The analysis of various attackers’ techniques that can disable and blind Microsoft Defender will be given. One of the recently published attackers’ techniques abuses Mandatory Integrity Control (MIC) and Security Reference Monitor (SRM) by modifying Integrity Level and Privileges for the Defender application via syscalls. However, this user-mode attack can be blocked via the Windows “trust labels” mechanism.

The presented research discovers the internals of MIC and SRM, including the analysis of Microsoft Defender during malware detection. We show how attackers can achieve the same result using a kernel-mode driver. The driver modifies the fields of the Token structure allocated for the Microsoft Defender application. The experiments prove that Microsoft Defender is disabled without triggering any Windows security features, such as PatchGuard. The customized MemoryRanger was used to protect the Windows Defender kernel structures. The experiments show that MemoryRanger successfully restricts access to kernel data from illegal access attempts with affordable performance degradation.


Pwnppeteer - Phishing Post {Exploi/Automa}tion at Scale
by: Joffrey Czarny aka Sn0rkY

Phishing is a well-known attack, but more and more companies have implemented countermeasures to limit the efficiency of this kind of attack. For example, Multi-Factor Authentication (MFA) is being adopted to make password spraying and standard phishing ineffective. The countermeasures adopted raise the exploitation bar for attackers.

But what happens if you can easily tamper with MFA too? If you can proxy all traffic, directly steal sessions and automate malicious actions before the credentials are changed or the attack detected? What do you think if you phish an SSO portal and then you're able to instrument all applications granted with an SSO token...

The goal is to share my experience of a massive phishing campaign, how you can use Muraena/Necrobrowser at scale and show how we can phish and get temporary access to steal enough data or add some persistent access in order to come back later. And of course before being detected and losing access.

The Muraena/Necrobrowser tool and concept have already been presented at several conferences, but what I plan to present here is Pwnppeteer - Necrobrowser Lambda implementation https://github.com/muraenateam/pwnppeteer. The focus will be on targeting SSO portals and how efficient this attack can be.


Security Like the 80's : How I stole your RF
by: Ayyappan Rajesh

The issue of convenience vs. security has been spoken about for years now. With most devices now having wireless capability, it invites trouble, especially when it is not encrypted or secured. Right from our tap-to-pay cards to even unlocking and starting our car.

This talk discusses CVE-2022-27254 and the story of how we came about discovering it. The CVE exploits an issue in the remote keyless system on various Honda vehicles, allowing an attacker to access the cars, and potentially even let them drive away with it!


Signs, Signs, Everywhere There are Signs of a Ransomware Intrusion
by: Allan Liska

Threat hunting is a great way for organizations with even a limited security budget to look for indications that a ransomware actor is in your network. However, there is an assumption that threat hunting is challenging and requires a large, well-funded security team to carry out. That is not always the case. There are some low-cost things organizations can do to conduct effective threat hunting missions in your network. This presentation will review some effective, relatively easy threat hunting missions that defenders can carry out to look for signs of a ransomware actor. Some of these include:
1. Alerting when security tools are disabled
2. Looking for remote desktop tools
3. Hunting through PowerShell logs
4. Traffic to mega.nz or one of its other domains
5. Looking for common file copy tools.


Streamline security with shift left: A cloud approach
by: Avinash Jain

In the agile world, continuous iteration of development and testing happens throughout the software development lifecycle, involving constant collaboration with stakeholders and continuous improvement and iteration at every stage, and engineers release their changes very frequently. All this makes the chances of potential security loopholes more and more real.

According to the most recent Secure Code Warrior report, more than 50% of organizations are still following reactive security practices, such as using tools on deployed applications and manually reviewing code for vulnerabilities. Even the DORA 2021 Accelerate State of DevOps report suggests that security can no longer be an afterthought. Top performers who have implemented security practices earlier in the software development life cycle are likely to exceed their reliability targets by 2x.

Companies often have the high-quality security scanning and detection signal for application security issues only once the app is running in production, but increasingly need to understand issues when the code is written so that they can have a scalable pipeline for identifying and preventing attacks early before they get into production and also when it is less expensive to fix them in terms of overall efforts and cost. Attacks like Solarigate (Zod) demonstrate how security hardening later in the supply chain is shifting attacks earlier. This trend of moving towards prevention by including security from the early stages of SDLC with a proactive mindset is known as “Shift Left” and securing the development environment with DevSecOps controls. Here I seek to build the right framework to get a much-earlier security scanning and detections built within the CICD pipeline in a scalable way to productize testing, monitoring, and response to support security drift detection.

By integrating security in CICD, one can deliver secure and compliant application changes rapidly while running operations consistently with automation. In order to do this well, the most logical place security can be checked is code reviews. But now a series of questions is raised -

How can it be achieved?

How can we make sure every release that goes to production has proper security sign-off?

How can we scan and test every piece of code that is changed from not just DAST or SAST point of view but also including wide custom and flexible security test cases?

Here we will talk about building such a solution and framework to integrate security in CICD and automating the complete process for continuous scanning of different kinds of potential security issues on every code change in Azure Pipeline.

Some of the improvements it brings -

Wide Variety of Security checks — Integration of standard and custom checks

Early Checks — Now security checks are performed as soon as any PR is raised or code is modified

Highly Flexible — The security checks are very modular. We can add more checks as we want and configure them to perform response-based action

Completely Automated — Automation is the key/let the machines do the work

Alerting - Integration of alerts for check success or failure

Reporting - Scan reports are shared across different communication channels

Framework as code - Any company having their CICD over Azure can use this framework by just running in-house built cloud formation template

Vulnerability Management - All the vulnerabilities and findings are logged in a single place - Azure Security Center


The Simple, Yet Lethal, Anatomy of a Software Supply Chain Attack
by: Yehuda Galb

Security teams nowadays are struggling to contain the risk of software supply chain attacks on their organizations. Implementing controls of that sort varies from internal controls (hardening CI services, hardening developer workstations) to demanding compliance with standards from vendors/contractors.

However, one of the places where security teams are having a harder time is in the field of open-source software.

The use of third-party software components is part of the modern software development culture, with over 90% of engineering teams worldwide building and shipping software that uses external code. While facilitating extreme agility, it also increases the attack surface of organizations, as seen in the spike of recent major incidents.

It’s known in cybersecurity that you must understand the threat you are facing. In this session, we will do an overview of the software supply chain flow and deep dive into each one’s weak spots.

We will also demonstrate the ease of conducting this sort of attack and our point of view as defenders.


Uncovering 0-days in Healthcare Management Applications
by: Aden Yap Chuen Zhen, Sheikh Rizan and Muhammad Ali Akbar

OpenEMR is the most popular open-source medical practice management, electronic medical records, prescription writing and medical billing application used by Healthcare Professionals. Security researchers from Project Insecurity and SonarSource had reported numerous vulnerabilities in OpenEMR application prior to 2021.

However, BAE Systems Vulnerability Research team took up the challenge to uncover more vulnerabilities in the same application. To our surprise, we still found a huge number of high impact vulnerabilities inside the application recently. These vulnerabilities could potentially expose medical records and other sensitive patient data, to tampering of the billing information and administrator functionalities by unauthorized personnel. The security flaws were discovered by combining both manual source code analysis and white box testing.

In this talk we will share our experiences of uncovering over 60 vulnerabilities resulting in 8 public CVEs. We will share the key findings (subject to pending patch rollout) and challenges in hunting for OpenEMR VDP. It is our hope that this talk will enable other researchers to get involved in Vulnerability Research and help make the Internet a safer place.


Understanding and Re-creating Process Injection Techniques through Nimjector
by: Ariz Soriano / ar33zy

Process injection is one of the prominent techniques used by threat actors to execute malicious code and gain access inside the target’s system. It mostly aids in stealth and evasion to avoid common security defenses such as endpoint detection & response (EDRs) and antivirus (AV) software.

From a red teamer's perspective, being knowledgeable with different process injection techniques can be handy when crafting payloads that evade such defenses. On the other hand, blue teamers would understand better how a payload interacts and establishes a foothold inside a compromised machine. When either team is unacquainted with this technique, they could have a hard time producing a working payload or improving the defenses of an organization by detecting indicators of compromise (IOCs).

Nimjector is a payload creation framework written in Nim which enables Penetration Testers and Red Team Operators to easily re-create or simulate process injection techniques based on a template. This tool also allows Security Operations Center (SOC) Analysts or Incident Responders (IRs) to understand and learn how different process injection techniques run and execute.

Inspired by existing repositories crafted with Nim such as OffensiveNim, Nimcrypt2, and NimHollow, this new tool was created to help both teams understand and learn more about Process Injection. It aims to open a collaboration between template creation from malware samples used by threat actors and using these to feed or tune security tools as well to detect such a technique.


Wild IoT Tales: from power grids to oil pipelines
by: Barak Sternberg

In this talk, we will analyze 3 of the wildest IoT attack stories that happened last year - who was targeted? What malware was used? What was the impact? First, we will dive & explore the recent attack over Ukrainian power grids and show how it (almost) caused a blackout for over 2 million people in Ukraine! We will further technically analyze "Industroyer2", the unique malware used in this attack, its unique ways of operation & cool techniques. Afterwards, we will describe the Conti ransomware attack over Public Health Systems in Ireland (HSE) & see for how long attackers stayed hidden in their IT networks! Finally, we will shortly describe the Colonial Oil Pipelines attack in the US, the damage that was done & how the FBI got involved in all that!? We will explore some of the unique technical techniques, attack vectors and lateral movement involved! This systematic review concludes the wild IoT attacks of the year, and will be based on multiple technical & public reports!