8:45 am - 9:00 am PT 4:45 pm - 5:00 pm UTC | Opening Remarks |
9:00 am - 9:45 am PT 5:00 pm - 5:45 pm UTC | Keynote | Security Research: Not Just for Nation States. Traditionally confined to the realms of nation states, the expertise and insights offered by groups like Project Zero are no longer exclusive. This talk will explore the compelling reasons why highly specialized security research has a place outside a SCIF. |
9:45 am - 10:00 am PT 5:45 pm - 6:00 pm UTC | Break |
10:00 am - 10:35 am PT 6:00 pm - 6:35 pm UTC | Tales of AV/EDR Bypass: Ropping the Night Away. The evolution of shellcode loaders over the last couple of years has been interesting: calling Windows APIs at the ntdll.dll layer, calling the underlying syscalls directly, and then indirect syscalls. However, some AV/EDR products have begun detecting the use of direct and indirect syscalls in malware by unwinding the call stack, checking the location of the function's return address, and/or looking for hard-coded syscalls. But what if we didn't hard-code syscalls or even jump to a syscall region? This presentation is a deep dive into using a specific set of Windows callbacks that work within their own thread pools. Return-Oriented Programming (ROP) aims to gain control of the call stack in order to hijack control flow and execute instruction sequences chosen by the developer. ROP gadgets are small pieces of existing assembly code that are chained and executed dynamically without the help of the user. Using ROP gadgets, our code will call Windows APIs at the ntdll layer. From our RX region, we will schedule a thread on a stack. That stack will call our Windows APIs at the ntdll.dll layer and run in its own thread. From there everything is the same: we jump to the syscall and then into the kernel. However, when the kernel checks the return address the Windows API syscall came from, it finds that it came from ntdll.dll, which is completely normal. When ETWti unwinds the call stack, the kernel syscall returns to the ntdll.dll region, which then returns to the thread, and the thread returns to RtlExitUserThread. Nothing in the call stack returns to the RX region of our code. Our call stack is completely clean, and there is currently no detection mechanism that exists for calling Windows APIs in this manner.
Attendees should expect to learn the following: how to call Windows APIs using ROP gadgets, the basics of ROP, and why current detection mechanisms won't work against this technique. This is the next evolution of calling Windows APIs in malware. |
10:00 am - 12:45 pm PT 6:00 pm - 8:45 pm UTC | Blockchain Workshops Workshop | Blockchain Security for Red Teams. Learn how to hack smart contracts written in Solidity and exploit DeFi protocols in this hands-on security workshop. |
10:40 am - 11:15 am PT 6:40 pm - 7:15 pm UTC | The Invisible Threat: AI-Powered Vishing Attacks and Defense Strategies. AI-based vishing attacks and voice cloning techniques have emerged as alarming cybersecurity threats, exploiting advances in artificial intelligence to deceive individuals and perpetrate fraud. This talk aims to illuminate the problem posed by these sophisticated techniques and present effective solutions to counteract their impact. We will demo a real-life vishing attack using voice cloning technologies and discuss the challenges faced in detecting and mitigating these threats. The presentation will outline strategies such as AI-powered voice recognition, advanced behavioral analysis, user education, and some simple tips we can all adopt to defend against AI-based vishing and voice cloning attacks. By fostering awareness and equipping participants with actionable insights, this talk seeks to empower individuals and organizations in the ongoing battle against these evolving threats. |
11:15 am - 11:30 am PT 7:15 pm - 7:30 pm UTC | Break |
11:30 am - 12:05 pm PT 7:30 pm - 8:05 pm UTC | The Complete Idiot's Guide To UEFI Bootkits. Attendees will learn the basics of how a UEFI bootkit functions, along with examples of existing frameworks and the tricks learned from them, such as BLACKLOTUS and COSMICSTRAND, as well as publicly available frameworks that helped me, and hopefully will help the attendee, understand how the bootkit presented here was constructed. Furthermore, I'll cover deployment methods that rely on UEFI security failures, such as the vulnerable bootloaders used with this bootkit, and some interesting in-the-wild examples of poorly configured firmware that allows a transition from user mode to writing directly into the SPI flash. |
12:10 pm - 12:45 pm PT 8:10 pm - 8:45 pm UTC | (Ab)using the Microsoft Identity Platform: Exploring Azure AD Token Caching. Ruben Boonen, Senior Managing Security Consultant, IBM Adversary Service. This presentation examines how JSON Web Token (JWT) caching works in corporate settings with Azure Active Directory (Azure AD) integration, including Azure AD Joined and Hybrid environments. These tokens, accessible to local users, interface with a variety of authorized protected web services. Local attackers can leverage these tokens to access critical corporate resources such as Outlook, Drive, SharePoint, and Teams. While API access is interesting, its operational implications are not always ideal. On the IBM Adversary Services team, we have developed a few lightweight API clients that use these tokens to provide graphical access to resources. We will demonstrate some of these clients and expand on their limitations and practical use. Abusing stolen credentials has long been a critical part of the attacker lifecycle, assisting in persistence, privilege escalation, lateral movement, and information gathering. As Azure AD's prominence increases, it becomes crucial for defenders to understand how traditional attacks can take on new forms. This understanding will aid in developing more effective defense strategies in an increasingly cloud-focused environment. |
12:45 pm - 1:45 pm PT 8:45 pm - 9:45 pm UTC | Lunch |
1:45 pm - 2:20 pm PT 9:45 pm - 10:20 pm UTC | A Hole in the Bucket: The Risk of Public Access to Cloud Native Storage. In this session, we'll explore how allowing public access to AWS S3 buckets, Azure Blobs, and similar cloud storage services risks exposing sensitive files in the cloud. Misconfigurations and legacy defaults are often to blame, and they can go unnoticed for years. A common way of dealing with this issue is indexing publicly accessible buckets and blobs. However, there are "holes in the bucket" that emerge from this technique, since not all files are easily searched. Using anonymized case studies, we will go through the ways these "holes" form in the bucket, why discovering them is difficult, and how much risk they can create. Most of the analysis done with these API providers relies on manual review of file names. After initially searching and inspecting files by hand, our Red Team developed tools to expedite this process and unearth sensitive credentials that had been inadvertently left exposed in the cloud for a client. These files exposed patient information, personally identifiable information (PII), IT administrative guides, system backups, and much more. We'll discuss how the most difficult part of the analysis was homing in on files that were never supposed to be public. Many indexing tools make no filtering decisions at all. Instead, they use their own "wordlists" to generate candidate bucket names or Azure DNS names, and common wordlists for Azure blob container names. This finds very well-known companies along with well-known patterns of container names, but it misses lesser-known bucket names, lesser-used container names, and other cloud providers. This session will center on how we found these items, what the items were, and how the conversations with the affected organizations went.
We will also present defensive measures that would have prevented these "holes" and protected against these vulnerabilities. We plan on releasing the tool we used to discover them to further the analysis, and to share how we created our own wordlists for other cloud providers, giving others a strategy to do the same. |
1:45 pm - 3:30 pm PT 9:45 pm - 11:30 pm UTC | Blockchain Workshops Workshop | Blockchain Security for Blue Teams. Defend the blockchain using security tools built for smart contracts to monitor for and prevent exploitation. |
2:25 pm - 2:50 pm PT 10:25 pm - 10:50 pm UTC | Unlocking Secrets: An Exploration of PulseView & Side-Channel Timing Attacks. In this live-demo introduction to hardware hacking, we'll introduce you to PulseView, the "Wireshark of hardware hacking", and unveil a technique for unlocking a keypad safe that relies solely on its user interface. Our approach? A side-channel timing attack. Using an affordable logic analyzer, we'll capture the subtle differences in response time tied to incorrect passcodes. By leveraging this side-channel data, we will then carefully recover the true passcode of the safe. Join us in this intriguing journey where time reveals more than just seconds and minutes. |
2:55 pm - 3:10 pm PT 10:55 pm - 11:10 pm UTC | Break |
3:10 pm - 3:45 pm PT 11:10 pm - 11:45 pm UTC | Proxyjacking: The Latest Cybercriminal Side Hustle. Allen West, Security Researcher, Security Intelligence Response Team (SIRT), Akamai Technologies, Inc. In this presentation, attendees will delve into the emerging cyber threat landscape, focusing specifically on the rising threat of proxyjacking: the unauthorized exploitation of a user's internet bandwidth for profit. Drawing parallels with cryptojacking, we will walk you through the mechanics of these attacks, their impact, and their evolution in the world of cybercrime.
We'll also unpack a detailed case study examining a compromised server used for proxyjacking, shedding light on the modus operandi of threat actors and their innovative monetization strategies. In examining this specific cybercrime operation, attendees will gain a comprehensive understanding of the methodologies employed by modern threat actors.
My presentation will provide actionable takeaways on how to defend effectively against these threats. Emphasizing the importance of fundamental security practices, we will outline the value of strong passwords, patch management, meticulous logging, and intrusion detection/prevention systems.
As part of this, attendees will learn the telltale signs of proxyjacking and cryptojacking and how to identify and respond to these threats in both personal and professional environments. Furthermore, we will illustrate how these stealthy attacks form a critical tool in the arsenal of modern cybercriminals and their far-reaching implications for security at both the organizational and individual level.
The presentation aims to equip attendees with an understanding of the current threat landscape, the knowledge to detect these threats, and practical strategies to mitigate them. This session is crucial for anyone keen on enhancing their understanding of emerging cyber threats and strengthening their defenses. |
3:50 pm - 4:25 pm PT 11:50 pm - 12:25 am UTC | TBA |
4:30 pm - 4:45 pm PT 12:30 am - 12:45 am UTC | Wrap-Up |