#HACKTIVITY is the biggest event of its kind in Central & Eastern Europe. About 1000 visitors come from all around the globe every year to learn more about the latest trends in cybersecurity, get inspired by people with similar interests and develop themselves via comprehensive workshops and training sessions.
The Most Anticipated IT Security Event in the Region
When connecting to the Internet we immediately receive traffic from unknown sources. We should consider testing our infrastructure using active pentest methods to verify its robustness. This talk is about doing port scans for discovery of infrastructures and gives detailed advice on how to perform active DDoS simulation to find bottlenecks in the network. The attack tools will be well-known tools such as Nmap and Hping3 with IPv6 patches. The focus is on the process and on experiences gathered doing this over many years.
Networks are insecure, and often not as robust as we wish. There is a high risk that networks are vulnerable to one or more DDoS attack vectors, if not tested and verified. When setting up networks we often ignore the built-in features available, and we often have to select which features to enable on specific devices. The vendors tell us they can do everything in every box, but the truth is that attackers can often use more resources than we have available.
This presentation will take a holistic view on networking infrastructure, but due to time limits focus on hosting web services and providing services to the Internet. The process and advice would transfer to other services and can thus be applied by a practitioner afterwards on their own.
The main content of this presentation is about performing structured DDoS testing: what to attack, what to expect, and how to reduce the number of vulnerable scenarios – with existing infrastructure devices. The presentation will provide some specific configurations and recommendations using example devices found in normal networks.
What happens if one day you have control of all the parking meters in your city? In this talk we will talk about a problem that I encountered in a parking system in my city, and how it turned out that many cities use the same system! The talk includes NFC, SQL, reverse engineering, and other herbs.
Phishing e-mails are very important for hackers to gain access to networks and information. But employees are trained to identify such mails. So … the next step in phishing techniques needs to show up. In his talk, Tobias will demonstrate some of them LIVE. How easy is it to fake the voice of your boss and send a voice message? And how easy is it to set up a deep fake video system to fool “your” employees in a video conference? Tobias will talk about this LIVE in a video call with Elon Musk – but … can we be sure that it is the REAL Elon Musk and not a deep fake?
The state of the art in ransomware is one of the principal concerns for both private and public organizations. Since ransomware transitioned to a RaaS model, we have been able to observe how the different groups adapted their TTPs to that evolution.
Be aware of the TTPs of these ransomware groups; it will be the glue that can bind together multiple diverse teams operating at different levels with different priorities. The Global Research and Analysis Team, also known as the GReAT team from Kaspersky, analyzed thousands of operations carried out by the various RaaS groups and drew conclusions regarding how these operations are conducted and which TTPs the industry should focus on to either track them or defend the different organizations.
We drew on our statistics to select the most popular groups, analyzed the attacks they perpetrated in detail, and employed techniques and tactics described in MITRE ATT&CK to identify a large number of shared TTPs. By tracking all the groups and detecting attacks, we see that the core techniques remain the same throughout the cyber kill chain. The attack patterns thus revealed are not accidental because this class of attack requires the hackers to go through certain stages, such as penetrating the corporate network or the victim’s computer, delivering malware, further discovery, account hijacking, deleting shadow copies, removing backups, and finally, achieving their objective.
The IT development world has become so spoiled by the “it just works” mentality that old problems start to resurface, and if you are quick to test those, you could have a niche in bug bounties. Join us for a quick talk on numbers and how they can be abused in today’s world.
The Wireless Application Protocol billing (WAP Billing) is a payment mechanism that enables consumers to subscribe to paid services and get charged directly to their mobile phone bill. To initiate a subscription process the user has to navigate to a website that offers the service, while the device is registered to a cellular network, and click on a designated subscription button. As a verification step, a one-time password is sent to the user which has to be submitted back to the service provider in order to confirm the subscription.
Billing fraud is one of the most prevalent types of Android malware; it leverages weaknesses in the aforementioned process in order to automatically subscribe users to paid services. With revenue reaching up to $10 billion annually, it has monopolized the media spotlight since it found its way to a wider audience through the Google Play Store back in 2017. To this day it is still among the Potentially Harmful Applications (PHA) with the highest install rate according to Google Play’s transparency report.
This paper focuses on Toll Fraud, a Billing Fraud subcategory and tries to shed some light on its behavioral model from a solid technical perspective. More specifically, we are investigating the evasion techniques used and the actions taken from the malware’s side in order to imitate the user and perform a fraudulent subscription. Finally, we propose improvements with regard to Antivirus detection as well as improvements to the operating system level in order to mitigate the issue.
The DNS saga continues. This time we will review the most interesting cases of DNS protocol usage by threat actors in 2021 and beyond: attacks targeting Ukraine, the first malware for AWS Lambda, bots switching to C2 over DNS over HTTPS, malicious payloads in software packages exfiltrating data over DNS, and who knows what more…
Bank security is a fascinating and less researched field of IT.
Normally you don’t get visibility into the internal applications or you don’t have access to the services mandatory for a real bug hunt or research.
Are you interested in a chain of bugs that could have been used to empty a bank account?
The presentation focuses on some old and hopefully long-fixed issues and interesting facts.
Vulnerability Management can be a tedious and time consuming job of trying to sift through a never ending stream of new, old or undefined CVEs. It can be challenging to prioritize severity-based SLAs when default assessments are inaccurate: they don’t factor in the criticality of the affected asset, or understand custom infrastructure and existing mitigations and/or gaps. Ultimately, having low confidence in scanning results and reported vulnerabilities leads to alert fatigue and diminishes trust in the security team.
In our talk, we will lay out our team’s approach towards automating vulnerability management for our infrastructure and why standard industry approaches were lacking. We will discuss our work of centralizing all vulnerabilities and automating detection, risk assessment, vulnerability reporting, and vulnerability fix verification in a scalable manner. We want to share how we developed internal tooling that allows us to be vendor agnostic, not rely on default risk severities, and reduce operational work as much as possible.
The built-in application whitelisting solution greatly improves the security of the Windows operating system. But are you aware that it relies on cached data to make its operations faster? Manipulation of the cache content may lead to a protection bypass. The session focuses on the mechanism, its bypasses and mitigations.
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. It provides a great free and capable alternative to IDA Pro and Binary Ninja for manual static binary analysis. A lesser-known fact is that Ghidra also provides a great API and an even better SDK for writing Ghidra scripts. It also has an intermediate language called P-Code. P-Code lies between the assembly code and the decompiled code that the Ghidra UI shows.
In this talk, we are going to focus on the combination of these two features and start building binary analysis tools using Ghidra P-Code. This setup has some significant benefits. Just to mention one: if you only work with P-Code and never look at the assembly, your script will be architecture-independent and will support every architecture supported by the Ghidra decompiler.
OpenSSL has supported the Diffie-Hellman (DHE) key exchange in TLS 1.3 since its latest major version, 3.0. The DHE key exchange is an old but good algorithm, apart from the fact that it has a known performance issue (CVE-2002-20001, aka DHEat), which attackers can use very effectively in a DoS attack. With larger key sizes, a throughput of only a few requests per second is enough to overload a CPU core. In the case of OpenSSL 1.1, system administrators had to explicitly enable DHE key exchange by adding DHE cipher suites to the configuration and generating DH parameters. In TLS 1.3, the parameters are negotiated, and DHE ciphers (even with the largest 8192-bit key size) are enabled by default, so the upgrade to OpenSSL 3.0 creates significant DoS potential. On top of that, there is significant performance degradation in DHE key exchange compared to OpenSSL 1.1. This results in throughputs tens of times lower than before (which were already relatively low), while causing the same CPU load.
While investigating deployments of the infamous PlugX backdoor, we identified the beginnings of another, more surprising deployment: a previously unknown malicious .NET framework that we dubbed GamePlayerFramework. In our talk, we will discuss all the nuts and bolts of this complex malware. We will describe how this framework is deployed to victims and how attackers use installed on-premises administration software to spread the malicious implants across the network.
The related PlugX implants were signed with a valid digital signature from a company that develops secure messaging applications. This specific variant also contains a few interesting functions and unique characteristics.
We will also reveal a curious case when adversaries obtained information about the floor plans of one of the victim’s offices and then used the gathered data to perform framework installations in a stealthier way. Apart from that, we will provide details about unique sandbox evasion techniques that we encountered in GamePlayerFramework, look into its architecture and functionalities, and discuss attribution challenges.
A new ransomware family called EpsilonRed made its debut just before last summer. It relied on a set of different PowerShell scripts for distribution, which, at the time, was becoming a more common way for ransomware affiliates to deploy ransomware into corporate environments. Apart from being written in the Go programming language, EpsilonRed showcased some unique attributes and seemed to disappear just as quickly as it came; no one has reportedly seen it since the first confirmed attack.
In this talk we will present how different ransomware families – such as EpsilonRed, BlackCocaine and more – share the very same roots on the binary level, discuss which current obfuscation techniques they utilize, and show how they have started to develop a method of combining C and Golang to make analysis even more challenging.
New ransomware strains appearing on the scene, doing their fair share of infection rounds, then quickly fading away was nothing new last year. The renewed interest shown by law enforcement agencies and some fruitful efforts resulting in raids often made affiliates and creators of ransomware reconsider their actions. Officially, they ceased operations, except that often they really did not.
We can observe a huge increase in the number of attacks on third-party libraries and tools used in software development in the last few years: typosquatting attacks, dependency confusion, malicious changes in popular dependencies (UAParser.js, coa, node-ipc…), protestware, issues in popular dev tools (Codecov, Homebrew, npm, RubyGems…) or incidents (PHP, GitHub…).
During my talk I will show a lot of interesting, recent examples of such attacks, discuss causes and effects and explain how to stay secure when developing software.
AV/EDR bypass is always a pain point but a must-have for Red Team operations.
In this presentation we’ll try to understand how modern EDRs try to detect malicious activities, what are their common methodologies, and we’ll see how Red Teams (and Threat Actors) could bypass these.
I’ll show a couple of practical techniques working against current EDR software, and present how these techniques could be integrated into Red Teams’ favorite C2 framework (Cobalt Strike) to make operators’ lives easier.
I’ll also present an attack chain from initial compromise (partly stolen from ongoing attacks in the wild) using a stealthy staging technique, this time with the new hotness: the open source C2 Sliver.
Security is a daunting task for all organisations, no matter the size, maturity, industry or the budget. When you are hired as a security decision maker, you are expected to learn the ropes quickly. People expect you to hit the ground running, make impactful changes and bring in quick wins to prove your worth.
In his talk, Jozsef will share some insight on how one could approach their first 90 days as a security decision maker. How to build relationships with key stakeholders, find security gaps quickly, understand priorities, and make new friends (or enemies) along the way.
By the end of the talk you should have an understanding of different resources, tools and processes that can help you make impact early. You will be able to assess the maturity of your organisation and build a plan that can grow your cybersecurity program.
Legacy code is a side effect of any successful company. The longer you grow, the older your code is.
How can we deal with it? Rewrite? Gradual refactoring? Hire an external developer team with legacy skills?
In 2022 there are tools that handle your code the way Composer handles your dependency updates. Any company or developer can refactor their huge legacy code in a couple of weeks. Switch framework? Bump PHP 5.3 to PHP 8.1? Move from PHPUnit 4 to 10?
You don’t have to know a thing about the BC breaks and how to change them. I will show you how you can become a master of change with a simple command line.
In today’s world, we have modern and stable web application frameworks to develop on. They are already well protected against attacks, regardless of the OS. If you design the system properly, an attacker cannot inject into the system, nor attack the website with common attacks like XSS, CSRF, SSRF, SSTI, etc. On the other hand, we have sophisticated scanners which scan the website dynamically, with interactive logins as well, covering the internal pages too. And along with the scanners we have secure coding practices, which can scan the source code regardless of the programming language. These are necessary tools while developing a secure application.
But what all of these are missing is “Business Logic Flaws”, which are the reason for the highest-paid bounties on HackerOne, Bugcrowd, etc. Business Logic Flaws are the attacks which neither the source-code analysis tool nor the dynamic web application scanner can detect.
Over the last few years, the media were full of various “car hacking” related news. Keyless entry systems can be bypassed, components can be rooted, firmware can be manipulated, hidden features can be activated, car functionalities can be triggered or manipulated remotely, owners can be tracked, just to name some trivial examples.
While public attention on automotive security is increasing, it has already been in the focus of key industry players for several years.
Nowadays, vehicles are very complex systems, moreover they are part of an even more complex ecosystem. Therefore, answering questions like what car hacking really means, why it is important, how it is regulated, what the way of targeting a complete vehicle or an individual ECU (electronic control unit) is, what kind of technologies need to be addressed and what really should be tested in case of a car hacking project is not straightforward.
It is no longer a “capture and replay on CAN bus” or “control the vehicle through OBD-II port” game.
This presentation will provide you answers to the questions above and will also provide you insights into the typical automotive security testing project.
In February 2022, Internet access provided by the ViaSat-owned “KA-SAT” constellation suddenly started to fail massively in Europe, notably resulting in disruption of wind turbine operation for an energy provider in Germany and disturbance of government communications in Ukraine. ViaSat dubbed the breakdown a “cyber-event”.
While more or less realistic theories were publicly discussed to explain such a failure, before any official statement on its cause, it became clear to some users that ViaSat modems had merely and abruptly stopped functioning.
In this talk, Pierre will humbly expose the results of GREAT investigations that were conducted in March on one of the most substantial cyber-attacks that has affected Ukraine since the Russian invasion to date, uncovering possible motivations, firmware vulnerabilities, and a wiper for embedded devices. Oh, and the talk will also be an opportunity to learn a thing or two about sewing…
There is no question that safety is more than important in a modern vehicle.
In our presentation we have only one question: What about cybersecurity on a safety-critical system?
Thinking like the bad guys, we will try to find ways to hack into a steering wheel system.
We will use a prepared steering unit for demonstration purposes for all steps.
There will be some challenges on the road: to identify, connect and communicate with a non-usual hacking target.
The next step will be to gain privileges and bypass the security measures: finding vulnerabilities in the diagnostic services through typical seed/key challenge issues, such as the key size and brute-forcing possibilities.
Our final goal will be to show how hard it is to find exploitable vulnerabilities in a wrong implementation – in our case: spin that steering wheel.
The Dutch police has been trying to collaborate with ‘private partners’, including the Dutch hacker community in the Netherlands, for years now (the great Public Private Partnership or PPP), with mild success. So when they asked us what they could organise to get to know us, we replied with “invite us to hack police shit and eat pizzas”. We thought we would never hear from them again. Surprise surprise, they eventually invited us in. So we created a team consisting of brilliant hard- and software hackers from the Dutch hacking community and went to the Amsterdam police station to try and hack some of their obsolete bodycams. Did we succeed? Come and find out and prepare to laugh your ass off!
With the digitalization of factories, a new attack surface emerged: industrial control equipment is usually not designed to be secure against attackers. This use case is about the examination of an industrial firewall (both hardware and the software) where we found a critical vulnerability, which allowed us to inject arbitrary commands into the device, dump its file system, and bypass it altogether.
In this presentation we will discuss both theoretical and real-world examples of cybersecurity issues concerning space systems. There are many components and systems that may be targeted in a space system by adversaries including ground station systems, satellites and space vehicles. This presentation will step through attack trees for targeting space systems. Examples of real-world cybersecurity events involving space assets will be covered. Recommendations for improving the security of space systems will also be presented.
Most cryptocurrency-related scams are not sophisticated, yet they are paramount due to the damage they can cause. While researching the magical world of crypto scams, I have identified at least 25 different types of these scams. These can be cheap replicas from the “pre-Web3” world. Others are novel and specific to Web3 and smart contracts. Pump and dump or rug pull are not novel, but proof of weak hands or NFT airdrop scams are the products of the new Web3 world order. After categorizing the different scam types, I will close the presentation with tips and tricks on surviving the wild-wild west of the Web3 world and how simple, traditional ML-based phishing protection can protect against some Web3 scam sites. In 2022, there is rarely a week without a stolen JPEG worth 100K USD, yet most consumer-grade endpoint protection does not even know what a dApp looks like. Even ITSEC people do not understand or agree on what a dApp looks like or even what web3 is. Warning: this research includes blockchain mumbo jumbo, but I will turn down the hype factor.
Product security relies on several factors including firmware and hardware security, hence there are many ways to improve the overall security level, such as secure coding, hardware config hardening or security testing over the exposed communication interfaces. These steps can help identify and eliminate issues that are likely to be targeted by attackers.
But what if the underlying hardware is prone to fault injection attacks? Will the hardened hardware configuration and the secure firmware provide enough protection against a malicious attacker?
This presentation will provide insight into fault injection attacks, tools and techniques, with practical demonstrations of how FI attacks can be used against real targets, like Trezor hardware wallets to extract sensitive data, or a CAN-bus connected embedded system to bypass a security feature implemented on the CAN interface.
Today the world’s press is full of spyware and cyberweapons, but laypeople are rarely aware that these would not exist without vulnerabilities in software and hardware. In very many cases these vulnerabilities are discovered by hackers independent of governments and sold through grey-zone broker companies, eliminating even the possibility that the developer learns about the flaw in its product. Although more and more large developers launch bug bounty programs, these do not always achieve their goal, and those who find the bugs often do not even have the opportunity to responsibly report their findings to the vendors. In this round-table discussion we explore the experiences with bug bounty programs and responsible disclosure in Hungary and internationally.
One of the major challenges of embedded security analysis is the accurate extraction of arbitrary firmware images.
In this talk we will share our struggles when reversing and unpacking enormous amounts of arbitrary firmware images of embedded devices and how we overcame them by building our own extraction framework. This definitely wasn’t a straightforward endeavor; it was scattered with interesting observations, tons of surprises, WTFs, and three 0-days.
We are open-sourcing our tool unblob (https://github.com/onekey-sec/unblob) and encouraging fellow researchers to use and extend it.
Consumer IoT devices manifest in a variety of forms today, including fitness trackers, rings, smart watches, pacemakers, and so on. Most short-range, low-power IoT devices use the BLE (Bluetooth Low Energy) protocol to communicate with a master device. This communication link can carry very personal information about the user. Several vulnerabilities and security attacks exist for BLE (eavesdropping, man-in-the-middle attacks, denial of service & fuzzing attacks). However, most of them do not go down to the lower layers of the protocol (L2CAP, link layer, physical layer). In my presentation I deep dive into the structure of the BLE protocol, explore some of the open-source tools for BLE exploitation (gatttool, bettercap, Ubertooth etc.) and introduce you to the world of software defined radio – how you can use it to analyse and potentially malform packets in the lowest layers of the protocol.
In this talk, we will analyze 3 of the wildest IoT attack stories that happened last year – who was targeted? What malware was used? What was the impact?
First, we will dive into and explore the recent attack on Ukrainian power grids and show how it (almost) caused a blackout for over 2 million people in Ukraine!
We will further technically analyze “Industroyer2”, the unique malware used in this attack, its unique ways of operation & cool techniques.
Afterwards, we will describe the Conti ransomware attack on the Public Health System in Ireland (HSE) & see how long the attackers stayed hidden in its IT networks!
Finally, we will briefly describe the Colonial Pipeline attack in the US, the damage that was done & how the FBI got involved in all that!
Wherever known, we will explore some of the unique technical techniques, attack vectors and lateral movement involved! This systematic review concludes the wild IoT attacks of the year, and is based on multiple technical and public reports.
Our work has two main contributions: First, we developed a framework that can be used to emulate and fuzz TAs in OP-TEE, a popular, open and portable TEE implementation. Second, we developed a method to overcome the difficulties of fuzzing applications that take their inputs from shared memory. Our work was inspired by a previous Hacktivity talk, where it was shown that emulators can be used to execute TAs and that it is possible to connect such an emulator with a fuzzer. We extended this work to a degree that allows emulating real-world TAs in OP-TEE that extensively use library functions and services provided by the trusted OS. We demonstrate the usage of our framework by fuzzing a security-critical TA that we developed for the purpose of rootkit detection on embedded devices. This TA inspects the memory snapshot of the rich OS (which is Linux in our case) and tries to find anomalies in kernel data structures that could be caused by the presence of a rootkit. We fuzz this TA by providing input to it via its memory read function. However, in order to minimize the amount of irrelevant inputs, we developed a custom input mutation method that takes into account prior knowledge about the kernel data structures expected by the tested TA.
Several industries have been implementing sustainability into their business strategies and taking action; however, on average, the cybersecurity industry hasn’t even discussed climate change and its role in contributing to it. In this talk, I address where we stand on climate change, how our industry is contributing to the problem, why we should care, and what every single company in our industry can do to cut down on emissions and become part of the growing community working to make sure that this planet has a future beyond our generations.
Cars are (slowly) changing from haphazardly assembled building blocks connected via protocols from the 80s to software-defined products. Car manufacturers are using production cycles that are completely incompatible with this approach, while we as hackers understand what connectivity really is.
So we have a real new playing field. Car hacking is starting to get so much better and easier now. We have access to diagnosis tools that are cheap. Car hackers are already building the best AI-driven Level 2 autonomous driving aid.
In my presentation I will give you the entry points and show you what we can already do. I will show hardware and software for car hackers to start with.
Cybersecurity is an ever-transforming realm. As vehicles become significantly more connected, the threat landscape increases exponentially. In the race between threat actors and security teams, the key is to remain ahead of your adversaries.
“Product Cybersecurity” focuses on protecting an organization’s products, as opposed to its IT infrastructure. IT practices are not enough for automotive product cyber security and product cybersecurity is critical in the OT and IoT world. In the Automotive Industry, it can be a matter of life and death.
Black-hat cyber attacks on connected vehicles are continuously on the rise. As described in detail in our 2022 Global Automotive Cyber Security Report, publicly reported Black-hat incidents accounted for more than 56% of all incidents in 2021. In comparison, in 2016 they accounted for only 22%. As proven time and again by security researchers, the required skills and corresponding vulnerabilities to enable widespread cyber crime are plentiful. The combination of the two does not signify good news for Automotive Stakeholders.
Since October of last year (2021), when Facebook changed the name of its parent company to Meta, we have heard the words Meta and Metaverse a lot. For the first time, this talk reviews all the vulnerabilities that threaten users and infrastructure owners at the different layers.
In today’s world, by deploying security boxes we think we are secure, and when we are hit by an attack we deploy more security boxes. The truth is that we need human awareness as well to minimize social engineering attacks. Social engineering is the weakest link in security according to some surveys. Humans are emotionally programmed.
I will be discussing a targeted attack on a hospital in a Red Teaming assessment. I tried every possible thing to get inside, starting from Wi-Fi hacking, to hacking the main core email server, reading emails, reading logs, monitoring traffic, planting devices with whitelisting labels, all the way to the core server farms & the physical data center with a cloned RFID.
The process starts with setting up a rogue Wi-Fi access point for the students and the staff; connecting to that led to some critical emails, where I found some critical configurations including a backup file of AD. In that, I found the golden ticket and some credentials that led to the log monitoring system. From there I tried combinations of different attacks and monitored the logs & the email to which the logs were sent. Wearing a doctor’s uniform, no one questioned what I was doing in the lobby.
Venue: MOM CULTURAL CENTER // 1124 BUDAPEST, CSÖRSZ U. 18.
2 CONFERENCE HALLS // 2 WORKSHOP ROOMS // EXHIBITION AREA // LEISURE ZONE // HACKCENTER // BUFFET
We recommend you arrive at #Hacktivity2022 by public transport, not just because it is more environmentally friendly, but because parking is sometimes difficult in the neighbourhood. Use tram #59, #17, #61, or bus #212!
If you insist on coming by car, you can park at the public parking places in the neighbourhood, but you can also use the garage of MOM Park, the garage of LARUS Restaurant or the Budapest Congress Center (you need to pay for all parking options).