DEFCON Switzerland
Area41 Security Conference 2014: Juriaan Bremer & Marion Marschalek: Curing A 15 Year Old Disease
updated 9 years ago
The injection of arbitrary code into a remote process is a well-known technique exploited by malware. As defenders continue to intensify their efforts to uncover these actions, attackers must come up with new techniques and attack variations to evade detection. In this talk, I will present a novel approach to remote code injection that utilizes shared sections and handle inheritance between generations of processes to defeat behavior detection techniques. Additionally, I will provide a detailed explanation and a proof of concept (PoC).
In an era where cloud computing is ubiquitous, the security of cloud environments has never been more critical. Our presentation delves into the intricate landscape of cloud security through an exhaustive analysis of data from CloudIntel, a comprehensive dataset of cloud-based attacks. This dataset, accessible at github.com/unknownhad/CloudIntel, offers a unique window into the types of attacks targeting public cloud platforms, the malware employed, and the tactics, techniques, and procedures (TTPs) used by adversaries. By dissecting incidents across various public clouds, we reveal the nuanced differences in attack methodologies, initial foothold, and exploitation tactics. Our research not only sheds light on the current threats but also paves the way for enhanced defense mechanisms against cloud-based vulnerabilities.
Microsoft Entra ID (formerly Azure AD) offers many options to harden your tenant against attackers. Most of these options are enforced using Conditional Access policies, which for example allow you to restrict users to authenticating with only phishing-resistant MFA methods such as YubiKeys and Windows Hello for Business. These MFA methods are resistant against common attacks, such as attacker-in-the-middle attacks via fake login pages, because they will only authenticate against the real Microsoft websites. There is however a catch: the provisioning of such MFA methods is often done in scenarios where such strong authentication cannot be enforced, such as during device setup. In this talk we will see that by phishing for regular refresh tokens, using some tricks that Microsoft uses during the Windows installation, we can actually obtain a Primary Refresh Token and even provision these phishing-resistant authentication methods ourselves. The talk will also cover new mitigations that Microsoft introduced to combat these attacks, and what you can do to protect your tenant.
This presentation will be a bold attempt to highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. The audience will be challenged to think critically about their attitudes towards the creation of procedures and documentation, which are often associated with compliance audit checkboxes, and gain a new perspective on the value generated by documents such as an incident response plan and a ransomware playbook.
During this talk Gergana Karadzhova-Dangela, a Senior Incident Response Consultant with Cisco Talos IR, will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers both during proactive activities and during actual cybersecurity breaches.
In March 2024 a backdoor was discovered in the xz-utils packages of Debian and Fedora, originating from the upstream XZ project. This talk will take a deeper look into the techniques used by the backdoor to infect its primary target, sshd, the different evasion techniques employed in an attempt to hide itself, and why these ultimately led to the backdoor's discovery.
In today's digital age, investigative journalists face unprecedented threats to their work and their sources. As an IT Security Engineer working for the public Swiss radio and television (SRF) I’m working on privacy solutions and secure communication methods with potential sources. I'll share practical strategies for journalists to navigate the digital realm securely.
Topics include digital surveillance in Switzerland, threat modeling, secure communication tools, data protection, source anonymity, digital footprint management, and legal/ethical considerations. Join me to empower journalists to safeguard their work and uphold freedom of the press.
Malware continues to increase in prevalence and sophistication. VirusTotal reported daily submissions of 2M+ malware samples. Of those 2 million daily submissions, over 1 million were unique malware samples. Successfully exploiting networks and systems has become a highly profitable operation for malicious threat actors. Traditional detection mechanisms, including antivirus software, fail to adequately detect new and varied malware. Artificial Intelligence provides advanced capabilities that can enhance cybersecurity. The purpose of this talk is to deliver a new framework that uses Machine Learning models to analyze malware, produce uniform datasets for additional analysis, and classify malicious samples into malware families. Additionally, this research presents a new Ensemble Classification Facility we developed that leverages several Machine Learning models to enhance malware classification. To our knowledge, this is the first research that utilizes Machine Learning to provide enhanced classification of an entire 200+ gigabyte malware-family corpus consisting of 80K+ unique malware samples and 70+ unique malware families. New, labeled datasets are released to aid in future classification of malware. It is time we leverage the capabilities of Artificial Intelligence and Machine Learning to enhance detection and classification of malware. This talk provides a pathway to incorporate Artificial Intelligence into the automated malware analysis domain.
As organizations shift to cloud environments, they increasingly rely on tools like Microsoft Intune for efficient endpoint management. This transition from traditional to cloud-based infrastructures introduces a complex array of risks, including possible misconfigurations and new vulnerabilities. This presentation encapsulates our comprehensive examination of transitioning to a modern cloud platform. Our research reveals that configurations aimed at enhancing efficiency can, paradoxically, turn into vulnerabilities, allowing adversaries to exploit and compromise the integrity of endpoints, despite being originally designed to streamline IT operations. We will discuss in detail methods for privilege escalation, addressing both the enrollment and device usage phases. Through real-world examples, we plan to demonstrate the process of creating a backdoor, exemplified by the creation of a user account with administrative privileges. The backdoor not only bypasses device security controls but also allows you to bypass the “known device” checks in Entra ID Conditional Access policies. Such vulnerabilities are particularly concerning in scenarios where internal threats collaborate with external actors, significantly increasing risk. The technical findings are translated into business risks, highlighting the critical need for a balance between endpoint security and operational usability. Attendees will acquire important knowledge about the nuances of cloud security for endpoints, the importance of vigilant configuration management, and strategies for securing against both internal and external threats in a cloud-centric world.
The RFCs for email addresses are surprisingly flexible with regard to what is considered a valid address, a fact that is most often overlooked by developers. In this talk, we will show that attackers can abuse assumptions about what developers consider safe input, and how this can be exploited. Using a real-world example, we will disclose multiple vulnerabilities which we identified in a mail spam filter appliance used by governments, universities and healthcare institutions.
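To make the abstract's point concrete, the following is an added example, not code from the talk or from the appliance it describes: a local-part checker built on the RFC 5321 Mailbox grammar (dot-string or quoted-string, plus a simplified hostname check; address literals such as `[192.0.2.1]` are left out), placed next to the kind of regex developers typically write. The addresses in the comments are constructed for the example. The quoted-string form is the one to notice: an RFC-valid local part may contain spaces, quotes, `;`, `|`, `<`, `>` and even `@`, so any code that validates an address with a permissive library and then treats the local part as "safe" when building a shell command, SQL statement, LDAP filter or HTML page is trusting characters the RFC never promised to exclude.

```javascript
// Added example (not from the talk): RFC 5321 local-part grammar vs. a naive regex.
// atext = ALPHA / DIGIT / "!#$%&'*+-/=?^_`{|}~"
const ATEXT = /^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+$/;

// Dot-string = Atom *("." Atom): no empty atoms, so no leading/trailing/double dots.
function isDotString(s) {
  return s.length > 0 && s.split('.').every((atom) => ATEXT.test(atom));
}

// Quoted-string = DQUOTE *(qtextSMTP / quoted-pairSMTP) DQUOTE
// qtextSMTP = %d32-33 / %d35-91 / %d93-126 ; quoted-pairSMTP = "\" %d32-126
function isQuotedString(s) {
  if (s.length < 2 || s[0] !== '"' || s[s.length - 1] !== '"') return false;
  const inner = s.slice(1, -1);
  for (let i = 0; i < inner.length; i++) {
    const c = inner.charCodeAt(i);
    if (inner[i] === '\\') {
      i++; // quoted-pair: the next character is taken literally
      if (i >= inner.length) return false;
      const n = inner.charCodeAt(i);
      if (n < 32 || n > 126) return false;
    } else if (!(c === 32 || c === 33 || (c >= 35 && c <= 91) || (c >= 93 && c <= 126))) {
      return false;
    }
  }
  return true;
}

// Simplified domain: dot-separated LDH labels, 1-63 chars, no leading/trailing hyphen.
const LABEL = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;
function isDomain(d) {
  return d.length > 0 && d.length <= 253 && d.split('.').every((l) => LABEL.test(l));
}

// Find the '@' that terminates the local part. A quoted local part may itself
// contain '@', so splitting at the first (or last) '@' is wrong.
function splitMailbox(addr) {
  let end;
  if (addr[0] === '"') {
    let i = 1;
    while (i < addr.length) {
      if (addr[i] === '\\') i += 2;        // skip the escaped character
      else if (addr[i] === '"') break;     // closing quote
      else i++;
    }
    if (i >= addr.length) return null;     // unterminated quoted-string
    end = i + 1;
  } else {
    end = addr.indexOf('@');
    if (end < 0) return null;
  }
  if (addr[end] !== '@') return null;
  return { local: addr.slice(0, end), domain: addr.slice(end + 1) };
}

function isRfc5321Mailbox(addr) {
  const parts = splitMailbox(addr);
  if (!parts) return false;
  if (parts.local.length > 64) return false; // RFC 5321 §4.5.3.1.1
  return (isDotString(parts.local) || isQuotedString(parts.local)) && isDomain(parts.domain);
}

// What a typical hand-written "email regex" accepts. It rejects every quoted
// form above and, at the same time, accepts "a..b@example.com", which the RFC does not.
const NAIVE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
function isNaiveEmail(addr) {
  return NAIVE.test(addr);
}

// Characters in the local part that matter once the address reaches a shell,
// SQL statement, LDAP filter, HTML page or log line. Validation is not sanitisation.
const META = /[\s;|&$`'"<>()\\]/g;
function riskyChars(addr) {
  const parts = splitMailbox(addr);
  return parts ? [...new Set(parts.local.match(META) || [])] : [];
}

// Constructed inputs: all three quoted forms are valid RFC 5321 mailboxes.
//   isRfc5321Mailbox('"john doe"@example.com')  -> true,  isNaiveEmail(...) -> false
//   isRfc5321Mailbox('"a;b|c"@example.com')     -> true,  riskyChars(...) -> ['"', ';', '|']
//   isRfc5321Mailbox('"a@b"@example.com')       -> true
//   isRfc5321Mailbox('a..b@example.com')        -> false, isNaiveEmail(...) -> true
```

The practical check: run your own validator against the quoted forms above. If it rejects them, you are not RFC-compliant (which may be an acceptable design choice, provided you know it); if it accepts them, every downstream consumer of the local part must treat it as untrusted data, not as an identifier.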
Everybody is talking about SBOM, attestation, MFA, signatures and other security measures - but who is actually implementing them?
This session will provide you with a technical overview of current cloud-native software supply chain security best-practices. Plus it will give you an idea of the adoption of said best-practices in the industry.
CTFs are a fantastic way to learn about and develop one’s skills in cybersecurity. They’re accessible, open source most of the time, and consistently offer top-tier challenges to improve your hacking acumen. But are they realistic? When someone wants to make the jump into a cybersecurity career, they’ll often find themselves asking the same questions and wondering about the answer. Jam (Vie) Polintan discusses her experiences and outlines some common techniques and methods that she learned from CTFs which proved effective in starting and maintaining her career.
We often say in the cyber security world, you can’t detect what you can’t see. In the SOC, visibility is everything, and the days of relying solely on the network perimeter and server-side monitoring are over. Today, breaches are plentiful and with them come reputational damage and hefty fines. So as defenders, what can we do? Dive deep into the cyber battlefield where attackers, armed with cunning and creativity, launch indirect web skimming attacks through your digital supply chain. This high-stakes game often involves the exploitation of third-party JavaScript, the unsung hero that powers everything from your slick payment gateways to those addictive social media widgets and chic web fonts. Whilst your users are loving these new features, you’ve opened up yet another gap in visibility and posed a formidable challenge to SOC teams tasked with the herculean task of monitoring and neutralizing code modifications that could lead to disastrous data exfiltration. But we defenders can also get creative: walk with us into the client side as we sift through a data set which likely already exists in your environment but you just don’t know it yet. This is not your monitoring 101 class, and we’re not going to sit here and tell you about HTTP response codes. We're talking about the offensive side and defense; we're talking about strategies to spot exfiltration attempts through third-party code, turning your blindness into visibility and assurance.
What's on the agenda?
- Decrypting the code behind web skimming breaches via third-party integrations.
- Unveiling the tactics of attackers and their modus operandi in exploiting third-party code.
- Effective methods for collecting telemetry on third parties, including where and how to source it.
- Analytical approaches to detect anomalies and correlate data.
Join the cyber guardians and elevate your security game to legendary status.
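One client-side data set that many sites already generate is Content-Security-Policy violation reports: with a `report-only` policy that lists the script and connect hosts you expect, every new third-party script and every outbound request a skimmer makes from the page produces a report. The block below is an added example, not from the talk: it normalises the two wire formats (the legacy `report-uri` JSON with a `csp-report` object and the Reporting API `csp-violation` type) and triages reports against a baseline of known hosts. The baseline, the host names and the sample reports are constructed for the example; which telemetry source the speakers have in mind is not stated in the abstract, so CSP reports are this example's assumption.

```javascript
// Added example (not from the talk): triage of CSP violation reports as
// client-side telemetry for third-party script changes and exfiltration.
// Baseline hosts and sample reports are constructed for this example.

const BASELINE = {
  'script-src': new Set(['cdn.example-pay.com', 'widgets.example.org']),
  'connect-src': new Set(['api.example.com', 'cdn.example-pay.com']),
};

// Normalise legacy report-uri reports (a "csp-report" object) and Reporting API
// reports (type "csp-violation" with a "body") into one shape.
function normalise(raw) {
  if (raw['csp-report']) {
    const r = raw['csp-report'];
    return {
      page: r['document-uri'],
      directive: r['effective-directive'] || r['violated-directive'],
      blocked: r['blocked-uri'],
      source: r['source-file'] || null,
    };
  }
  if (raw.type === 'csp-violation' && raw.body) {
    const b = raw.body;
    return { page: b.documentURL, directive: b.effectiveDirective, blocked: b.blockedURL, source: b.sourceFile || null };
  }
  return null;
}

// blocked-uri is a URL for network fetches but may be "inline", "eval", "data" or empty.
function hostOf(uri) {
  if (!uri || !/^https?:/.test(uri)) return null;
  try { return new URL(uri).hostname; } catch { return null; }
}

function analyseReports(rawReports, baseline = BASELINE) {
  const findings = [];
  for (const raw of rawReports) {
    const r = normalise(raw);
    if (!r) continue;
    // Browsers report "script-src-elem"/"script-src-attr"; fold them onto the base directive.
    const dir = (r.directive || '').replace(/-(elem|attr)$/, '');
    const allowed = baseline[dir];
    if (!allowed) continue;                       // directive we do not baseline (img-src, ...)
    const host = hostOf(r.blocked);
    if (host === null) {
      // Inline/eval script is how many injected skimmers start; worth a look, not a page.
      if (dir === 'script-src') {
        findings.push({ severity: 'medium', directive: dir, host: r.blocked || '(none)', page: r.page, source: r.source, reason: 'inline or eval script not covered by policy' });
      }
      continue;
    }
    if (allowed.has(host)) continue;              // known host: the policy is merely stale
    const thirdPartyInitiator = hostOf(r.source) !== null && hostOf(r.source) !== hostOf(r.page);
    findings.push({
      severity: dir === 'script-src' || thirdPartyInitiator ? 'high' : 'medium',
      directive: dir, host, page: r.page, source: r.source,
      reason: dir === 'script-src'
        ? 'script loaded from host outside baseline'
        : `request to host outside baseline${thirdPartyInitiator ? ' initiated by third-party script' : ''}`,
    });
  }
  return findings.sort((a, b) => (a.severity === b.severity ? 0 : a.severity === 'high' ? -1 : 1));
}

// Collapse per (directive, host) so one skimmer does not produce one alert per visitor.
function summarise(findings) {
  const out = {};
  for (const f of findings) {
    const key = `${f.directive} ${f.host}`;
    out[key] = out[key] || { severity: f.severity, pages: new Set() };
    out[key].pages.add(f.page);
  }
  return Object.fromEntries(Object.entries(out).map(([k, v]) => [k, { severity: v.severity, pages: v.pages.size }]));
}

// Constructed sample: one expected script, one exfil-looking connect from a
// third-party script, one expected loader, one inline script, one image we do not track.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://shop.example.com/checkout', 'violated-directive': 'script-src', 'effective-directive': 'script-src-elem', 'blocked-uri': 'https://cdn.example-pay.com/checkout.js' } },
  { 'csp-report': { 'document-uri': 'https://shop.example.com/checkout', 'effective-directive': 'connect-src', 'blocked-uri': 'https://stats-collector.example.net/c', 'source-file': 'https://widgets.example.org/w.js' } },
  { type: 'csp-violation', age: 12, url: 'https://shop.example.com/checkout', body: { documentURL: 'https://shop.example.com/checkout', effectiveDirective: 'script-src-elem', blockedURL: 'https://widgets.example.org/v2/loader.js', sourceFile: 'https://widgets.example.org/w.js' } },
  { type: 'csp-violation', body: { documentURL: 'https://shop.example.com/checkout', effectiveDirective: 'script-src-elem', blockedURL: 'inline', sourceFile: 'https://widgets.example.org/w.js', lineNumber: 1 } },
  { 'csp-report': { 'document-uri': 'https://shop.example.com/account', 'effective-directive': 'img-src', 'blocked-uri': 'https://tracker.example.net/p.gif' } },
];

// analyseReports(SAMPLE_REPORTS) -> two findings: the connect-src to
// stats-collector.example.net (high) and the inline script (medium).
```

Two caveats a practitioner will hit: reports are sent by the visitor's browser, so they can be spoofed and must be rate-limited and de-duplicated before anyone pages on them (hence `summarise`), and a report-only policy produces reports without blocking, so a `connect-src` finding means the data most likely did leave the page.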
This session dives deep into the evolution of cyber defense tactics, laying bare the necessity of a holistic approach where offensive and defensive techniques are harmoniously amalgamated. By juxtaposing IT and OT, we unravel their innate intricacies and spotlight the compelling need for a harmonized security blueprint, especially during those critical junctures of incident analysis and swift breach detection. As we journey further, attendees will be introduced to the groundbreaking utility of adversary emulation, spotlighting CALDERA's prowess for OT-specific plugins and submodules. This enlightening segment not only showcases the tactics, techniques, and procedures (TTPs) of potential adversaries but also delineates how defenders can counteract, adapt, and prepare. Our exploration doesn’t stop there. The crux of defense, as we advocate, hinges on a potent blend of technology and architecture. Learn how a meticulously crafted architectural model can become the lighthouse, illuminating dark spots and enhancing visibility within sprawling OT terrains. Moreover, we dissect state-of-the-art detection technologies, detailing the operational capabilities and unique advantages of Microsoft Defender for IoT. The climax of our discourse is an immersive emulation exercise set within the confines of a virtualized electric plant. This ambitious endeavor is a precursor to our groundbreaking project: a tangible, physical firing range tailored for OT security testing. Experience firsthand the strategies deployed, challenges faced, and the riveting results of this emulation.
With the current Bitcoin price increase, crypto has gained public attention again, though the underlying misuse, attacks and hacks have been going on for many years. In this talk I will dig into different recent attacks, problems and common “how to behave” advice. I will cover methods ranging from the more common attacks to advanced ones, stepping into DeFi.
In this talk, we dive into the vulnerabilities discovered in various Unify desktop phones during a research project. Insecure default settings and improper permission configurations expose these devices to remote compromise. We will explore the step-by-step process of identifying and exploiting these vulnerabilities. Additionally, the session will demonstrate how a seemingly benign screenshot tool was leveraged to escalate privileges. Due to the vendor's insecure-by-default approach, we believe there are many vulnerable installations out there. We will also discuss considerations for securing these devices within your network infrastructure to prevent similar threats.
Advanced Persistent Threats (APTs) exploit gaps in traditional defenses, but their tactics, techniques, and procedures (TTPs) offer a roadmap for detection. This presentation reveals a proven methodology for uncovering and hunting APTs, leveraging the power of intelligence, frontline expertise, and deep TTP analysis. Gain actionable insights and learn how to apply these intelligence driven techniques to enhance your organization's threat hunting capabilities. This presentation will illustrate the methodology with real-world examples, including the identification of APT39 and APT41 cyber espionage campaigns.
Cookie tossing is a web attack that consists of injecting cookies from a vulnerable or malicious subdomain in order to poison other websites under the same parent domain. As part of a coordinated vulnerability disclosure with the Swisscom Bug Bounty program and Project Jupyter, this talk will describe how such a technique can systematically turn Self-XSS into a high-impact bug and then explore how it also results in novel web attacks. Ultimately, the aim is to draw attention to the strong capabilities of cookie tossing and the many creative attack vectors it enables.
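The mechanism behind cookie tossing is the browser's cookie-jar rules, not any bug in the victim site. The block below is an added example, not from the talk and not the Jupyter or Swisscom case: a minimal cookie jar implementing the relevant parts of RFC 6265 (domain-match, path-match, default path, and the Cookie-header ordering of section 5.4, longer path first, then earlier creation time) together with the `__Host-` prefix rule from the cookie-prefixes draft that is now in RFC 6265bis. The host names and cookie values are made up. It shows why a cookie set from `evil.example.com` with `Domain=example.com` and a more specific `Path` is sent to `app.example.com` ahead of the legitimate session cookie of the same name, and why the same toss fails once the cookie is named `__Host-session`.

```javascript
// Added example (not from the talk): a minimal RFC 6265 cookie jar showing how a
// subdomain cookie shadows a sibling's cookie, and how the __Host- prefix blocks it.
// Hostnames and values are constructed for the example.

// RFC 6265 §5.1.3: host "domain-matches" domain if equal or a subdomain (IPs excluded).
function domainMatches(host, domain) {
  host = host.toLowerCase(); domain = domain.toLowerCase();
  return host === domain || (host.endsWith('.' + domain) && !/^\d+\.\d+\.\d+\.\d+$/.test(host));
}

// RFC 6265 §5.1.4: request path equals cookie path, or cookie path is a prefix
// that ends with "/" or is followed by "/" in the request path.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// Default path when Set-Cookie has no Path attribute.
function defaultPath(reqPath) {
  if (!reqPath.startsWith('/')) return '/';
  const i = reqPath.lastIndexOf('/');
  return i === 0 ? '/' : reqPath.slice(0, i);
}

let clock = 0; // creation-time counter, only the order matters

// Store a Set-Cookie header received from `host` at `reqPath`.
// Returns the stored cookie, or null when a browser would reject it.
function storeCookie(jar, setCookie, host, reqPath = '/') {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) return null;
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const c = { name, value, domain: host.toLowerCase(), hostOnly: true, path: defaultPath(reqPath), secure: false, created: clock++ };
  for (const a of attrs) {
    const [k, v = ''] = a.split('=').map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === 'domain' && v) {
      const d = v.replace(/^\./, '').toLowerCase();
      if (!domainMatches(host, d)) return null;  // cannot set cookies for an unrelated domain
      c.domain = d; c.hostOnly = false;          // ...but any parent domain is fair game
    } else if (key === 'path' && v.startsWith('/')) c.path = v;
    else if (key === 'secure') c.secure = true;
  }
  // Cookie prefixes: __Host- requires Secure, Path=/ and no Domain attribute;
  // __Secure- requires Secure. Violations make the browser drop the cookie.
  if (name.startsWith('__Host-') && (!c.secure || !c.hostOnly || c.path !== '/')) return null;
  if (name.startsWith('__Secure-') && !c.secure) return null;
  // Same (name, domain, path) replaces the old cookie but keeps its creation time.
  const idx = jar.findIndex((o) => o.name === name && o.domain === c.domain && o.path === c.path);
  if (idx >= 0) { c.created = jar[idx].created; jar[idx] = c; } else jar.push(c);
  return c;
}

// RFC 6265 §5.4: cookies with longer paths first, then earlier creation time.
// Names are not unique in the header; most server frameworks keep the first one.
function cookieHeader(jar, host, reqPath, secure = true) {
  return jar
    .filter((c) => (c.hostOnly ? host.toLowerCase() === c.domain : domainMatches(host, c.domain)))
    .filter((c) => pathMatches(reqPath, c.path))
    .filter((c) => secure || !c.secure)
    .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

function firstValue(header, name) {
  for (const kv of header.split('; ')) { const [k, v] = kv.split('='); if (k === name) return v; }
  return null;
}

// Scenario: app.example.com sets its session cookie; an attacker who controls, or has
// XSS on, evil.example.com tosses a cookie with the same name and a more specific path.
function demo() {
  const jar = [];
  storeCookie(jar, 'session=legit; Path=/; Secure', 'app.example.com', '/');
  storeCookie(jar, 'session=attacker; Domain=example.com; Path=/account', 'evil.example.com', '/');
  const tossed = firstValue(cookieHeader(jar, 'app.example.com', '/account/settings'), 'session');

  const jar2 = [];
  storeCookie(jar2, '__Host-session=legit; Path=/; Secure', 'app.example.com', '/');
  const rejected = storeCookie(jar2, '__Host-session=attacker; Domain=example.com; Path=/; Secure', 'evil.example.com', '/');
  const kept = firstValue(cookieHeader(jar2, 'app.example.com', '/account/settings'), '__Host-session');
  return { tossed, rejected, kept };  // { tossed: 'attacker', rejected: null, kept: 'legit' }
}
```

The defensive takeaway the example makes visible: a site cannot tell from the `Cookie` header which of two same-named cookies was set by whom, so the fix is to make the toss impossible rather than to detect it. `__Host-` cookies cannot carry a `Domain` attribute, so a subdomain can never set one that reaches its sibling; `__Secure-` alone does not help here, and neither does a `SameSite` attribute, since sibling subdomains are the same site.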
Adversary simulation and red team operations play a crucial role in fortifying defences against sophisticated adversaries. As defences get better and EDR systems are deployed everywhere, malware development is becoming an important skill for red teamers. Red teamers often need to develop custom loaders capable of bypassing these defences. Developing a modern, customizable, and evasive loader involves multiple steps, which can be a time-consuming and complex process. Often multiple existing malware techniques need to be combined and adapted to the respective situation. This talk delves into my journey of automating malware development to create loaders for red team operations and discusses the challenges I faced.
Shufflecake is a novel, free, open-source data encryption tool that allows the creation of hidden volumes on a storage device in such a way that it is very difficult, even under forensic inspection, to prove the existence of such volumes. This is useful for people whose freedom of expression is threatened by repressive authorities or dangerous criminal organizations, in particular whistleblowers, investigative journalists, and activists for human rights in oppressive regimes. You can consider Shufflecake a "spiritual successor" of tools such as TrueCrypt and VeraCrypt, but vastly improved: it is fast, supports any filesystem of choice, and can manage multiple layers of nested decoy volumes, so as to improve user experience and make deniability of the existence of these partitions really plausible. Shufflecake is the result of a multi-year research effort aimed at solving fundamental limitations of plausible deniability tools. It has been peer-reviewed and presented at top IT conferences such as DEF CON Demo Labs and ACM CCS. It is under active development, and the open source community is welcome to contribute. In this talk we will present the history and limitations of other existing solutions, we will show how Shufflecake works and solves such limitations, and we will see why Shufflecake is an indispensable tool in the arsenal of users facing violent or coercive investigation.
We are building an Open Source https://transparency.dev/ witness, in collaboration with Google. This project entailed creating new hardware (USB armory LAN with PoE) and software (Trusted OS and Applet) leveraging the TamaGo and GoTEE frameworks. This presentation aims to discuss the journey of this project, its achievements (such as bare metal Go IRQ handlers in space!) and results.
Since we were children we wanted to go to the arcade and play for hours and hours for free. How about we do it now? In this talk I’m gonna show you some vulnerabilities that I discovered in the cashless system of one of the biggest companies in the world, with over 2,300 installations across 70 countries, from arcades in Brazil and amusement parks in the United Arab Emirates to a famous roller coaster in Las Vegas. We will talk about API security, access control and NFC among other things.
It has generally been accepted that vulnerabilities will endlessly be discovered and patched because the humans developing the software or hardware are prone to making errors. Though this holds some truth, accepting it as a foregone conclusion has given vendors an easy excuse to sell vulnerable products and even profit from it.
During a vulnerability research project, my team and I discovered several vulnerabilities in McAfee (now Trellix) products, ranging from trivial Cross-Site Scripting issues to SQL injections and admin account takeover in the ePolicy Orchestrator. Most of these issues were discovered within just a couple of weeks of effort using command-line tools such as find and grep.
These vulnerabilities will be presented and used as a stepping stone to discuss why we so easily discover SQL injections or even buffer overflows in the query strings of popular products.
Though it may seem utopian to have a vulnerability-free world, aligning incentives and allowing customers to know how much vendors value the security of their own products (and ultimately that of their customers) could go a long way in improving on the current state and better protecting everyone.
In the DevOps era of frequent releases, CI tools such as GitHub Actions are powerful platforms to enable secure and rapid software releases, but what additional attack surface do these often privileged components come with? This talk covers a recent research project from Snyk Security Labs to understand GitHub Actions in depth and how they can be attacked to leak cloud environment access tokens and arbitrary secrets and result in a full compromise of the repository. Security engineers, pentesters and bug hunters alike will come away knowing the threat landscape for GitHub's CI platform and, through case studies of high-impact vulnerabilities we have uncovered, be equipped to exploit and secure GitHub Actions.
With the history of blackouts in Ukraine and the appearance of the suspended nuclear plant Muehleberg in the Vulkan leak, it's time to beef up Swiss blue and red teamers with knowledge on the Swiss electrical grid and substations in particular. This talk aims to pass on what I learned about the electrical grid along my hacker journey and to prevent you from blowing stuff up and being outsmarted by OT devices. The presentation will provide an overview of the Swiss electrical grid, including its network levels and electrical substations. We will delve into the workings of substations, the protective equipment used, and the logical representation of such. The role of Intelligent Electronic Devices (IEDs) will be explored, along with the communication processes between these devices. We will also discuss the IEC 61850 and IEC 60870-5-104 protocols, which are integral to the functioning of these systems. Additionally, we will discuss the pentest tool landscape, the concept of interlocking, and important considerations when dealing with these protocols. Essentially, a talk about electrical grids from a hacker perspective.
The transformation is gaining momentum! Over the last tumultuous years, investments in digital transformation have been growing, with companies worldwide exploring its potential by introducing new technologies, approaches and social changes. As more data than ever is put online, cybersecurity is now a major concern for everyone: large corporations, governments, and companies of all sizes. The transformation, however, also has its dark side. Thanks to it, hackers are able to exploit vulnerabilities in the infrastructure with even greater precision than before.
As the financial, operational, legal, and reputational implications of neglecting cybersecurity risks could be considerable, well-known analysis and protection methods should be developed and complemented.
During this presentation, the most serious risks of 2024 will be explored and explained. Paula Januszkiewicz will demonstrate how hackers and cybercriminals identify and exploit threats using the most up-to-date techniques, so that you are able to observe them on your monitoring system and prevent them in the future. You will also become familiar with the most advanced phishing attacks, credential theft techniques, ransomware distribution methods, and ways of gaining access to vendor-controlled systems.
Join Paula to understand what actually is possible in the year 2024. As the cyber transformation leads to better effectiveness of hackers' activities, there is no time to lose!
Timecryption - Clean Now, Malicious Later - Come listen to Ange's latest research endeavours, warping our minds once more with his file-format wizardry and the potential impacts it can have on things as we know them. There will also be an opportunity for Q&A to pick his brain a little more.
Based on his partnered research from: eprint.iacr.org/2020/1456
Slides @ speakerdeck.com/ange/timecryption