“Abusing Electron-based applications in targeted attacks”
Jaromir Horejsi;
Talk30
Electron is a popular framework for creating pseudo-native applications with web technologies like JavaScript, HTML, and CSS. By packaging the application source code with a particular version of Chromium (front-end part) and Node.js (back-end part), Electron allows a single codebase to run on different platforms (Windows, macOS, and Linux).
This versatility and popularity has attracted the attention of threat actors: we have observed several attacks against Electron-based applications, particularly supply chain ones.
In this presentation, we will look at the Electron framework (what it really is from the developer's, end-user's, and defender's points of view) and discuss possible infection vectors: exploiting Chromium vulnerabilities, or trojanizing Electron applications by replacing/patching the app.asar archive (which contains the application sources) to embed malicious code.
Then we will follow with analyses of several real-life cases that we recently researched and that involved Electron-based applications.
These include
a) a secure chat application (MiMi chat) trojanized by the Iron Tiger threat actor, targeting Windows, Linux and macOS secure chat users. The trojanized chat application becomes a downloader of additional native backdoors (HyperBro for Windows, rshell for Linux and macOS).
b) chat-based customer engagement platforms (Comm100 & LiveHelp100) trojanized by a currently unclassified threat actor. The trojanized applications download a multi-stage JavaScript payload, which in turn downloads a native multi-stage backdoor and stealer.
c) a live chat application (MeiQia) vulnerable to CVE-2021-21220, then trojanized and exploited by the threat actor Water Labbu. The trojanized live chat application becomes a downloader of additional malware (custom batch scripts, Cobalt Strike, or a system monitoring tool).
We will analyze not only the trojanized JavaScript, but also briefly discuss the interesting native malware (custom backdoors, stealers, ...).
At the end, we will talk about targets of these campaigns, as well as the connections to previous campaigns operated by the mentioned threat actors.
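As an added illustration of the app.asar tampering vector described in this abstract (this is not code from the talk, nor Electron's own tooling), the script below parses the asar container, hashes every embedded file and diffs the result against a trusted manifest, which is the check a defender would run on a suspect install. Everything is constructed in memory so it runs offline: build_asar() is a minimal packer written for the demo, and the file names and script bodies are invented.

```python
"""Inventory an Electron app.asar and diff it against a trusted manifest.

Added example. It follows the public asar layout: a Chromium pickle holding
the header size, a pickled JSON header describing the virtual file tree,
then the raw file bodies back to back. Sample archives are constructed.
"""
import hashlib
import json
import struct


def build_asar(files: dict) -> bytes:
    """Pack {path: content} into asar bytes (constructed packer for the demo)."""
    header, blobs, offset = {"files": {}}, [], 0
    for path, content in files.items():
        node = header
        *dirs, name = path.split("/")
        for d in dirs:                       # nested directories nest under "files"
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][name] = {"size": len(content), "offset": str(offset)}
        blobs.append(content)
        offset += len(content)
    header_json = json.dumps(header).encode()
    string_pickle = struct.pack("<I", len(header_json)) + header_json
    string_pickle += b"\x00" * (-len(string_pickle) % 4)     # pickles pad to 4 bytes
    header_pickle = struct.pack("<I", len(string_pickle)) + string_pickle
    size_pickle = struct.pack("<II", 4, len(header_pickle))  # pickle of a u32
    return size_pickle + header_pickle + b"".join(blobs)


def read_header(asar: bytes):
    """Return (parsed JSON header, byte offset where file bodies start)."""
    (header_size,) = struct.unpack_from("<I", asar, 4)
    (json_len,) = struct.unpack_from("<I", asar, 12)
    return json.loads(asar[16:16 + json_len]), 8 + header_size


def walk(node: dict, prefix: str = ""):
    """Yield (path, entry) for every file in the header tree."""
    for name, entry in node["files"].items():
        if "files" in entry:
            yield from walk(entry, f"{prefix}{name}/")
        else:
            yield prefix + name, entry


def file_hashes(asar: bytes) -> dict:
    """SHA-256 of every file body stored inside the archive."""
    header, base = read_header(asar)
    digests = {}
    for path, entry in walk(header):
        if entry.get("unpacked"):        # body lives in app.asar.unpacked/, not here
            continue
        start = base + int(entry["offset"])
        digests[path] = hashlib.sha256(asar[start:start + entry["size"]]).hexdigest()
    return digests


def diff_manifest(trusted: dict, observed: dict) -> dict:
    """Files added, removed or modified relative to a known-good manifest."""
    return {
        "added": sorted(set(observed) - set(trusted)),
        "removed": sorted(set(trusted) - set(observed)),
        "modified": sorted(p for p in trusted if p in observed and trusted[p] != observed[p]),
    }


# Constructed sample: a pristine app, and the same app with a patched main.js
# plus a dropped second stage, the pattern described for the trojanized chat apps.
CLEAN_FILES = {
    "package.json": b'{"name":"chat","main":"main.js"}',
    "main.js": b"const {app} = require('electron');\napp.whenReady().then(createWindow);\n",
}
TROJANIZED_FILES = dict(CLEAN_FILES)
TROJANIZED_FILES["main.js"] += b"require('./lib/stage2');\n"
TROJANIZED_FILES["lib/stage2.js"] = b"// downloader stub would live here\n"


def demo() -> dict:
    trusted = file_hashes(build_asar(CLEAN_FILES))         # e.g. from the vendor installer
    observed = file_hashes(build_asar(TROJANIZED_FILES))   # e.g. read from the suspect host
    return diff_manifest(trusted, observed)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashes for the trusted side should come from the vendor's signed installer rather than from the suspect host, and entries flagged unpacked live next to the archive in app.asar.unpacked and must be hashed separately. Electron also offers build-time fuses that let the runtime validate the embedded asar at launch, which is the stronger control where the vendor enables it.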
“All your hashes are belong to us”
Milan Gabor;
Talk30
Join us for a concise, practical exploration of capturing and cracking NTLM hashes, with a special focus on the role password length plays in securing your digital environment.
This presentation will cover the basics of NTLM hashes and how they can be captured, highlighting potential system vulnerabilities. We will then move into automated hash-cracking techniques, showcasing well-known tools like Hashcat.
A key highlight of our session will be the demonstration of an all-in-one tool, streamlining the processes of hash capture and cracking. This tool offers an integrated approach to the tasks, improving both efficiency and security.
Importantly, we will emphasize the significance of password length. Illustrating how shorter passwords can be cracked more easily, we will discuss strategies for implementing robust password policies.
This session aims to provide critical insights into NTLM hash management for cybersecurity professionals while advocating for responsible, ethical usage of the knowledge gained.
“Analyzing Android Malware — From triage to reverse-engineering”
Vanja Svajcer;
Talk45
It's easy to get wrapped up and worry about large-scale ransomware attacks on the threat landscape. These are the types of attacks that make headlines and strike fear into the hearts of CISOs everywhere. But if you want to defend against the truly prolific and widespread threats that target some of the devices closest to us, you need to be on the lookout for mobile malware.
Many actors are deploying malware that targets Android devices. Attackers are frequently targeting Android devices, given that it's the most popular mobile operating system in the world.
If you want to stay up to date on the latest Android malware, I will discuss representative mobile device malware. I will try to show how to reverse-engineer some of these threats, and how you can dissect Android malware on your own to learn more about what techniques attackers are using and how you can defend your devices. CTF players may find this presentation useful for helping to solve some Android reversing challenges.
“API Security in the world of Microservices”
Amit Sharma;
Talk45
The new world has a new way of interaction. There has been an immense rise in APIs through which services interact with each other, and with it a rise in vulnerabilities around APIs. It is important to look at API security from a different perspective and strategy than the one we use for web applications.
In this session we will see some best practices on how we can secure APIs and ensure that they are safe: how to look at it from an attack surface perspective and how you can perform certain actions to make sure that your APIs are secure.
We will also touch upon the efforts from OWASP and OWASP API Security group on how we can defend and protect against common API security vulnerabilities.
“ATM (in)Security”
Vladan Nikolic;
Talk30
ATMs are everywhere, but how safe are they, and are we safe using them? ATM security is a critical concern in today's digital age, focusing on protecting users from fraud and theft.
What is skimming and how can we protect ourselves? How well is our data protected? And after all, how safe are ATMs themselves?
“AV/EDR bypass with Go”
kost;
Talk30
Some time ago, it was enough to recompile a Go program with a different Go version and you would magically bypass anti-malware products. Nowadays, it has become an art, since you have to do a lot of work in the background in order to bypass all the protections in place. Also, the craft is different for each anti-malware product, which adds more spice to the challenge, and both sides do not like to share all the details publicly.
“BalCCon2k23 Badge”
Orga;
Talk30
https://2k23.balccon.org/index.php?title=BalCCon2k23_Badge
“Beginner's Malware Analysis Workshop”
Robert Simmons;
Workshop120
This beginner's workshop introduces students to the basics of malware analysis. This includes how to source new malware samples for practice as well as where to find resources for self-directed learning going forward. Students will learn how to triage malicious email attachments as well as how to work with automated malware analysis tools. As a capstone exercise, students will learn the basics of manual dynamic malware analysis using a controlled lab environment.
“Binary Reverse-Engineering and Batch Binary-Diffing”
Robin David, Riccardo Mori;
Workshop120
When analyzing a system, reverse engineering a program at the binary level is often needed to understand its behavior. A common use case is malware analysis or security assessment in order to uncover vulnerabilities. Reverse engineering usually requires working on the disassembled program to perform manual or automated analysis. Furthermore, we are usually led to analyze a whole bunch of programs and to compare them with binary diffing. The latter is essential for comparing variants of the same program or malware. It is also useful to inspect updates published by vendors for the sake of understanding a patch. This workshop introduces a variety of Python programs and libraries that we developed to automate the analysis of disassembled programs, to automate the diffing and to automate the analysis of the differences!
“Concert Kavers”
Orga;
Workshop120
Live Concert!!!!
“Deep dive into Windows relaying attacks”
Bojan Zdrnja;
Talk45
Windows relaying attacks have been around for ages, yet we have yet to see a company where such attacks do not work.
In this presentation we will dive into NTLM and Kerberos, talk about how relaying works (and why), show some real-world examples and discuss why it's so difficult to prevent these attacks.
We will dissect SMB/NTLM authentication as well as some secure channel sessions Windows uses to verify credentials, and we'll throw some crypto in here and there, but we'll make sure that everyone can follow this!
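The following walk-through is an added example, not the speaker's material. It models the three parties of an NTLM relay with the real NTLMv2 arithmetic from MS-NLMP 3.3.2 (NTOWFv2, NTProofStr, SessionBaseKey) and shows the two things that decide whether a relay works: whether the server binds the response to its own service name (the target-name AV_PAIR used by Extended Protection) and whether signing is required, which the relay cannot satisfy because the session key derives from an NT hash it never sees. The domain, user, NT hash, both challenges and the timestamp are constructed constants; the SPNs cifs/FILESRV and cifs/ADMINSRV are hypothetical; message framing is reduced to the response blob itself.

```python
"""NTLMv2 relay walk-through (added example).

Victim client: holds the NT hash. Target server: validates the response
(in practice by handing it to a domain controller). Relay: forwards bytes.
"""
import hashlib
import hmac
import struct

DOMAIN, USER = "CORP", "alice"                                  # constructed identity
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")     # stands in for MD4(UTF-16LE(pw))
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")            # 8-byte nonce from the target
CLIENT_CHALLENGE = bytes.fromhex("99aabbccddeeff00")            # 8-byte nonce from the victim
TIMESTAMP = 0x01D9F00000000000                                  # FILETIME, constructed

MSV_AV_EOL, MSV_AV_NB_DOMAIN_NAME, MSV_AV_TARGET_NAME = 0x0000, 0x0002, 0x0009


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain."""
    return hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16le"))


def av_pairs(pairs: dict) -> bytes:
    """Encode AV_PAIRs (AvId u16le, AvLen u16le, UTF-16LE value) ending with MsvAvEOL."""
    out = b""
    for av_id, text in pairs.items():
        value = text.encode("utf-16le")
        out += struct.pack("<HH", av_id, len(value)) + value
    return out + struct.pack("<HH", MSV_AV_EOL, 0)


def parse_av_pairs(blob: bytes) -> dict:
    pairs, pos = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = blob[pos:pos + av_len].decode("utf-16le")
        pos += av_len


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """Client side: returns (NtChallengeResponse, SessionBaseKey)."""
    key = ntowf_v2(nt_hash, user, domain)
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac_md5(key, server_challenge + temp)
    return nt_proof + temp, hmac_md5(key, nt_proof)


def server_verify(nt_hash, user, domain, server_challenge, nt_response, own_spn=None):
    """Server side: check NTProofStr, optionally enforce the target-name binding,
    and derive the same SessionBaseKey the client computed."""
    nt_proof, temp = nt_response[:16], nt_response[16:]
    key = ntowf_v2(nt_hash, user, domain)
    if not hmac.compare_digest(nt_proof, hmac_md5(key, server_challenge + temp)):
        return False, None
    if own_spn is not None:
        # temp = 2 version bytes, 6 reserved, 8 time, 8 client nonce, 4 reserved, AV pairs, 4 reserved
        if parse_av_pairs(temp[28:-4]).get(MSV_AV_TARGET_NAME) != own_spn:
            return False, None
    return True, hmac_md5(key, nt_proof)


def simulate_relay(client_sends_spn: bool, server_checks_spn: bool, signing_required: bool) -> str:
    """The victim wants cifs/FILESRV; the relay forwards its messages to cifs/ADMINSRV."""
    intended, relayed_to = "cifs/FILESRV", "cifs/ADMINSRV"
    pairs = {MSV_AV_NB_DOMAIN_NAME: DOMAIN}
    if client_sends_spn:
        pairs[MSV_AV_TARGET_NAME] = intended        # the target the victim believes it talks to
    # 1. The relay forwards ADMINSRV's challenge to the victim, who answers it.
    nt_response, victim_key = ntlmv2_response(
        NT_HASH, USER, DOMAIN, SERVER_CHALLENGE, CLIENT_CHALLENGE, TIMESTAMP, av_pairs(pairs))
    # 2. The relay forwards the answer untouched: editing the SPN inside temp breaks NTProofStr.
    ok, server_key = server_verify(
        NT_HASH, USER, DOMAIN, SERVER_CHALLENGE, nt_response, relayed_to if server_checks_spn else None)
    if not ok:
        return "rejected"
    assert server_key == victim_key   # shared by victim and server; never seen by the relay
    if signing_required:
        return "authenticated but unusable: the relay cannot sign without the session key"
    return "relay succeeds"
```

server_checks_spn models a server with Extended Protection set to required, so a missing target name is rejected too. Note what is not protected: the relay never needs the NT hash, only a victim willing to authenticate to it, which is why name-resolution poisoning and coerced authentication are the usual first step, and why the server-side controls (signing, channel binding, EPA) matter more than anything the client does.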
“Device Neutrality: or how to safeguard Free Software in devices”
Lucas Lasota;
Talk30
While our devices are increasingly becoming proprietary, we need to find ways to safeguard Free Software on them, otherwise our digital autonomy can be highly compromised. This talk introduces "Device Neutrality" as a principle to ensure users equal access to and non-discriminatory use of Free Software on their devices. The audience will learn about real-life examples, such as the struggle for Router Freedom and the latest regulatory initiatives for internet devices in the EU.
“Exploiting Smart Contract Vulnerabilities”
NZT;
Talk45
This talk explores the world of smart contract vulnerabilities and the importance of secure development practices.
“Formal specifications of systems - why and how?”
Stefan Nožinić;
Talk
Designing systems is difficult. Designing distributed systems is more difficult. Designing correct distributed systems becomes a headache. In this talk, it will be shown how to approach a more formal way of describing systems and what the motivation behind this approach is. TLA+ and PlusCal will be shown as formal languages for system specification, and we will see how we can check our designs. During the talk, we will investigate some real-world problems of real-world systems and model-check them together!
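To make concrete what "model-checking a design" means before the TLA+ tooling is introduced, here is an added example (not from the talk, and in Python rather than TLA+/PlusCal so it runs stand-alone). It encodes two mutual-exclusion designs as next-state relations, a naive check-then-set lock and Peterson's algorithm, and enumerates every reachable state by breadth-first search, as TLC does for a TLA+ spec. When the invariant "at most one process in the critical section" fails, it returns the shortest counterexample trace. The state encoding and program-counter labels are this example's own.

```python
"""Explicit-state model checking of a two-process mutex (added example)."""
from collections import deque

# State = (pcs, flags, turn): program counter and flag per process, plus the turn variable.
INITIAL = (("idle", "idle"), (False, False), 0)


def _with(state, i, pc=None, flag=None, turn=None):
    """Return a copy of state with process i's pc/flag and/or turn updated."""
    pcs, flags, t = state
    pcs, flags = list(pcs), list(flags)
    if pc is not None:
        pcs[i] = pc
    if flag is not None:
        flags[i] = flag
    if turn is not None:
        t = turn
    return tuple(pcs), tuple(flags), t


def naive_step(state, i):
    """Check the other flag, then set our own in a separate step: the race."""
    pcs, flags, _ = state
    j, pc = 1 - i, pcs[i]
    if pc == "idle" and not flags[j]:
        return [_with(state, i, pc="set")]
    if pc == "set":
        return [_with(state, i, pc="cs", flag=True)]
    if pc == "cs":
        return [_with(state, i, pc="idle", flag=False)]
    return []


def peterson_step(state, i):
    """Peterson: raise flag, yield the turn, wait until the other is out or it is our turn."""
    pcs, flags, turn = state
    j, pc = 1 - i, pcs[i]
    if pc == "idle":
        return [_with(state, i, pc="turn", flag=True)]
    if pc == "turn":
        return [_with(state, i, pc="wait", turn=j)]
    if pc == "wait" and (not flags[j] or turn == i):
        return [_with(state, i, pc="cs")]
    if pc == "cs":
        return [_with(state, i, pc="idle", flag=False)]
    return []


def mutual_exclusion(state) -> bool:
    return state[0] != ("cs", "cs")


def model_check(initial, step, invariant) -> dict:
    """BFS over all reachable states; the first invariant violation found is a shortest trace."""
    parent, queue = {initial: None}, deque([initial])
    while queue:
        s = queue.popleft()
        if not invariant(s):
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return {"states": len(parent), "counterexample": trace[::-1]}
        for i in (0, 1):
            for t in step(s, i):
                if t not in parent:
                    parent[t] = s
                    queue.append(t)
    return {"states": len(parent), "counterexample": None}


if __name__ == "__main__":
    for name, step in (("naive", naive_step), ("peterson", peterson_step)):
        result = model_check(INITIAL, step, mutual_exclusion)
        print(name, result["states"], "states")
        for s in result["counterexample"] or []:
            print("  ", s)
```

The naive lock fails in four steps (both processes pass the check before either sets its flag), which a unit test with real threads might never hit; exhaustive enumeration finds it deterministically. Real specs add fairness and liveness properties, which need the temporal machinery TLA+ provides rather than a plain reachability search.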
“Grand Theft Data - 101 Exfiltration Techniques”
@sophus;
Talk45
A talk about data exfiltration techniques and egress0r.io - a network security testing suite
“Hack all the CI”
Anne Jan Brouwer;
Talk30
Going into the dark side of (rolling your own) CI systems.
So much owning happens through this because we want all the relevant data in one place .. right?
“Hack The Planet! ...But It's Mostly Water?!”
Zoz;
Talk
Ocean exploration always required hacking - from figuring out tricks to keep your crew alive on long voyages far from land, to repurposing consumer tech on underwater robots. Carbon fiber hulls killing Titanic tourists = bad hacking. Repurposing smartphone supply chains to get down deep cheap = good hacking. I'll give you an overview of how to use your hacking skills to roam the seas like a pirate, and talk about a few things I've worked on recently which involved some interesting hacks.
“Hello World-World Of stealers and crypters.”
Blueberry vignesh4303, Siva Teja;
Talk45
This talk aims to present summarized information about stealers and crypters; it also covers writing your own stealer and how ordinary AV/EDR products were bypassed. This talk discusses how we can safeguard ourselves from modern-day stealers and includes writing your own stealer in real time.
Internal note: This talk does not encourage users/students to write their own stealer; rather, it is drafted in a form that discusses the ins and outs, and also discusses the other side of the stealer market, where users sell data and how they utilize it.
“How I accidentally became an ISP”
Milan Kragujević;
Talk30
It's truly a scrappy rural wireless start up story. I just wanted to have a fast Internet connection at home. But in the end, I became an ISP. The how, the why, the challenges I faced, and all the fun I had!
“Karaoke night (again)”
MacLemon;
Workshop120
There's songs, and you can sing them. If you're uncertain, the audience is very supportive. Let's make this a night to remember.
“Kickstart your CSIRT”
Blåhaj;
Talk30
We built a commercial Incident Response team in one year: here's how we did it!
“La Casa de Papel = (POS * Security Mindset) + Research / Con Artist Skills + SE”
Dr G;
Talk45
La Casa de Papel for Point-of-Sales systems, Point-of-Interaction devices, virtual/physical payment systems, acquirers, card issuers, payment processors. A topic that many of you have heard being presented here and there, but, this is how it all started...
“Lightning Talks”
Orga;
Workshop120
Non-recorded session!
“Lockpicking Corner”
Kamee, D3v, Wolfy;
Workshop120
Come, and learn how to open different locks and handcuffs without a key at this interactive workshop! Beware, as we do not have the keys for the majority of the locks.
“Low hanging apples”
Antonio Zekić;
Talk30
N/A
“Malware Analysis Topics: Instrumented Binary Emulation”
Robert Simmons;
Workshop
This workshop examines how to use the Qiling instrumented binary emulation framework to analyze PE malware executables. Students will learn how to interact with the framework using Python code to detect execution conditions and to dynamically run custom analysis code. Specific skills the student will learn are dumping memory containing the next malware stage for further analysis, as well as how to circumvent anti-analysis features added to the malware by the adversary with the intent of foiling the malware analyst.
“Masters in Information Security at Faculty of Technical Sciences”
Stevan Gostojić;
Lightning talk
The Faculty of Technical Sciences in Novi Sad has introduced a multidisciplinary 1-year master's study program in information security. More info about the study program is available at https://www.ftn.uns.ac.rs/1546190821/information-security. In this short talk, we will present the study program to prospective students and give more details about the application procedure, which is to start shortly after the conference.
“MatterBot”
Blåhaj;
Lightning talk
MatterBot is a two-part extensible Python bot framework that provides a scheduled feed of information sources to your Mattermost channel(s), and listens in channel(s) for commands to trigger the appropriate module(s).
“MITM on PSTN -- novel methods for intercepting phone calls”
Kirils Solovjovs;
Talk30
In this talk the author proposes a novel method for intercepting phone calls over the PSTN, including mobile networks.
We'll briefly discuss each of the necessary components of the attack, including Caller ID spoofing, SS7, call diverts, and social engineering, and then join them all together to form the novel attack method.
Two separate methods will be proposed. The author will provide a pre-recorded demo of each attack.
“NGI: Building the internet of the future with Free Software”
Lucas Lasota;
Lightning talk
What will the Internet of the future look like? At the FSFE, we believe that Free Software is key for a human-centric Internet that respects people's fundamental rights. The NGI initiative provides financial support for software projects developing key technologies for the future of the Internet. In this talk you will learn about this project and how to get funding!
“No Fluff Stories Part 1: Your Hypervisor is (un)Safe and (in)Secure.”
Anna, Jakub;
Talk
The scale of ransomware campaigns targeting commercial infrastructure, including enterprise-scale ones, and the extent of the damage prove that ransomware threat actors have gained (some) competence in virtual environments based not only on Hyper-V (Microsoft) but also on ESXi (VMware). VMware-based environments were the last line of defence (and hope), as there were only a few ransomware families that could be executed on the hypervisor and corrupt the VMDK files (on VMFS, which is a different file system than NTFS, etc.). The recent ESXiArgs campaign shows that an unpatched environment with a published management interface is a risk.
“Photographing Bits of Firmware”
Travis Goodspeed;
Talk
There are many ways to rip firmware from a microcontroller, but a particularly cool method is to photograph the bits of a mask ROM through a microscope. In this lecture, I'll teach you the chemistry and photography needed to get a picture of the ROM, as well as a bit about my open source CAD tool for extracting those bits and converting them into logically ordered bytes.
“Photographing Bits Workshop”
Travis Goodspeed;
Workshop120
A follow-up to the mask ROM lecture, in this workshop we'll provide you with photographs of a real ROM and the CAD software to interpret it. In two hours, you will mark the bits of that ROM, error correct them, and dump them to disk. You will also learn a bit about decoding them into bytes for emulation or disassembly.
“r2wars”
hanemile;
Workshop
Running programmes simultaneously in the same memory: what could go wrong? This workshop is about how, and then about playing with it hands-on. We look at the substructure and build our own small programmes that then try to overwrite each other.
“Rakija Leaks”
Orga;
Talk
Rakija connecting people!
Rakia is one of the most popular alcoholic drinks in Serbia. It is usually served before lunch and dinner and is drunk along with appetizers. It is mandatory to drink with roasted pig, lamb, or dried meat. It is a very important part of the Albanian and Serbian cultures, and there are many historians who say that the origins of rakia are in Serbia. Serbia has the highest consumption of rakia per capita and is the largest exporter of rakia. In a 2009 European Court ruling, the names "Slivovica" (Slivovitz), Dunjevaca, Orahovaca, and Kruskovaca were ruled to be Serbian and thus the country has a trademark on those three types of rakia (Slivovitz being the most famous and most consumed in the world).
Rakia is part of Serbian culture. It is part of many special occasions, including baptisms, marriages, joining the army, and visiting friends. At funerals, custom demands that a bottle of rakia be left on the grave of the deceased who liked to drink it, or at least that a drop or two be sprinkled during the memorial service for the peace of the person’s soul. For some peasants, a flask of rakia is their only luggage. Poor peasants may even offer the village doctor, policeman, judge, tax collector, or minister a flask of rakia as a gift or payment. Many folk songs have been composed during rakia production.
“Reclaim your brain: neglected aspects of digital self-defense”
Christina;
Talk
There is one device that is often forgotten when people talk about digital self-defense and privacy: the brain. Inconveniently, your brain does not come with a manual, and useful apps cannot simply be downloaded. And whether or not you can root your brain is debatable (let me know if you find out).
Even if your approach to technology is critical and creative, you are not an island. Much of our daily life is shaped by a technological culture in which big players use significant resources to manipulate their way into our brains in order to increase profits.
This talk will point out different ways in which our mind, psyche and attention are affected by our digital surroundings and suggest a few ways to protect your sanity.
“Recycling via code execution”
Aleks;
Talk
Many devices are brought into this world with very cool hardware and a sleek design, but with very poor and limited software. Soon they are made obsolete and forgotten by the manufacturer and would be destined for a landfill.
Gaining code execution on an inaccessible device breathes new life into it. By gaining access, a hobbyist can repurpose it for their own projects while benefiting from its robustness and usually nice form factor.
We will do a case study of the whys and the hows of breaking, reverse engineering and repurposing a couple of devices, including a car infotainment system and an unusual camera.
“RFID access control, what it is and how to exploit it”
nemanjan00;
Talk
People attending the presentation will have the chance to try out some of the tools and see an example access control system.
While exploring the interesting world of RFID, witnessing a disappointing amount of improper implementations of access control systems, and dealing with shady vendors for backdoored cards, I realized there is a need for the proper education of people and making sure they know what to look for.
Prior knowledge about any of the topics of this presentation is optional, and it is appropriate for both beginners and someone who might already know something about this topic.
While some of the techniques and demos might look like some James Bond-level magic, most of the stuff I will be demoing and talking about can be done with pretty inexpensive equipment (you might need to spend some money if you decide to go deep into research equipment) and without much prior learning.
If you want to find out more about some kind of credential, please bring it and I will take a look at it.
https://github.com/nemanjan00/rfid-access-control
“Security Impress Karaoke”
Kirils Solovjovs;
Workshop120
See: https://en.wikipedia.org/wiki/PowerPoint_karaoke
Come and participate! Win eternal glory!
“Security in Cloud Kubernetes Services: Attacking and Defending Cloud”
Miguel Angel Hernandez Ruiz, Marios Kourtesis;
Talk45
Cloud adoption is becoming more and more common nowadays. It is getting difficult to find a single company that has no service in a cloud environment or is not adopting cloud technologies. Attackers are also aware of this fact, and cloud environments are quite complex, which is a clear enemy of security.
Our main goal with this presentation is to show some of the most common attack scenarios weaponised by cybercriminals that affect Cloud Kubernetes Services. We will also offer some possible controls to mitigate those risks.
After motivating the presentation, this talk will explore the shared responsibility model and its variants. This will help to introduce the attendees to the main cloud security challenges, which are sometimes overlooked when migrating to the cloud.
Next, this talk presents the different deployment models and how they have evolved over time. What a Cloud Service Provider's infrastructure looks like is introduced at this stage of the talk, along with the specific role of Kubernetes within the Cloud Service Provider.
Walking towards the core of the presentation, this talk covers the most common attack vectors for Kubernetes, cloud and containers, digging into the corresponding MITRE ATT&CK matrices. We will relate these matrices to the attack scenarios presented right after this section.
Once the attack vectors have been presented, a detailed view of step-by-step Kubernetes exploitation is offered prior to jumping to the actual demonstrations. Following with Kubernetes attack scenarios, this presentation will offer at least two attack scenarios:
- External attacker gaining control of the whole Kubernetes cluster by:
  - Finding and exploiting a vulnerable application/service
  - Gaining access to the container
  - Escalating privileges within the container
  - Escaping to the host
  - Attacking the host and performing privilege escalation
- Insider threat, and how Kubernetes environments are prone to being over-permissive
Moving on, we will offer some controls and mitigations to avoid these kinds of attacks. We will focus on admission control and introduce tools like Kubewarden, Kyverno or OPA Gatekeeper to control admission policies. We will also explore other options available on the market to secure other aspects of Kubernetes deployments.
Finally, this talk summarises the lessons learned from the attack scenarios shown and offers the most relevant conclusions on Kubernetes Cloud Security Services.
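As an added example of the admission-control mitigation the abstract points to (this is not the speakers' material, nor a Kyverno, Kubewarden or Gatekeeper policy; those tools express the same rules declaratively), the code below encodes the Pod settings that enable the container-escape chain listed above, privileged mode, host namespaces, hostPath mounts, dangerous capabilities and privilege escalation, as checks a validating webhook would run, plus an RBAC check for the over-permissive roles behind the insider scenario, and wraps the verdict in the v1 AdmissionReview response shape. All manifests are constructed, and the hostPath exception list is hypothetical.

```python
"""Admission-time checks for host-escape and over-permission vectors (added example)."""

DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "NET_RAW"}
ALLOWED_HOSTPATH_PREFIXES = ("/var/log/",)   # hypothetical exception for a log shipper


def check_pod(pod: dict) -> list:
    """Return violations; an empty list means the Pod may be admitted."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    v = []
    for ns in ("hostPID", "hostIPC", "hostNetwork"):      # host namespaces defeat isolation
        if spec.get(ns):
            v.append(f"spec.{ns} is true")
    for vol in spec.get("volumes", []):                   # hostPath / is a direct host escape
        path = vol.get("hostPath", {}).get("path")
        if path is not None and not path.startswith(ALLOWED_HOSTPATH_PREFIXES):
            v.append(f"volume {vol.get('name')} mounts hostPath {path}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):
            v.append(f"container {name} is privileged")
        if sc.get("allowPrivilegeEscalation", True):      # the API default is true
            v.append(f"container {name} allows privilege escalation")
        for cap in sorted(set(sc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS):
            v.append(f"container {name} adds capability {cap}")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            v.append(f"container {name} may run as root")
    return v


def check_role(role: dict) -> list:
    """Flag (Cluster)Role rules an insider can turn into cluster takeover."""
    name, v = role["metadata"]["name"], []
    for rule in role.get("rules", []):
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        if "*" in verbs or "*" in resources:
            v.append(f"{name}: wildcard verbs or resources")
        if "secrets" in resources and verbs & {"get", "list", "watch"}:
            v.append(f"{name}: can read secrets")
        if resources & {"pods/exec", "pods/attach"} and "create" in verbs:
            v.append(f"{name}: can exec into pods")
        if resources & {"clusterrolebindings", "rolebindings"} and verbs & {"create", "update", "patch", "bind", "escalate"}:
            v.append(f"{name}: can grant itself more rights")
    return v


def admission_review(request: dict) -> dict:
    """Validating-webhook response for an AdmissionReview carrying a Pod."""
    uid, pod = request["request"]["uid"], request["request"]["object"]
    violations = check_pod(pod)
    response = {"uid": uid, "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed manifests: the shape an attacker creates for the host-escape step, and a hardened Pod.
BREAKOUT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}],
    },
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "web", "image": "nginx:1.25",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}
ADMIN_LIKE_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "dev-helper"},
    "rules": [{"apiGroups": [""], "resources": ["secrets", "pods/exec"], "verbs": ["get", "list", "create"]}],
}

if __name__ == "__main__":
    for pod in (BREAKOUT_POD, HARDENED_POD):
        print(pod["metadata"]["name"], check_pod(pod))
    print(check_role(ADMIN_LIKE_ROLE))
```

In a cluster these rules would run as a ValidatingAdmissionWebhook (or be written as policy for one of the engines named in the abstract) with a failurePolicy of Fail, since a webhook that fails open is itself a bypass; the RBAC check is the kind of thing to run periodically over all ClusterRoleBindings rather than only at admission time.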
“Self-Hosted AI for Good, Evil and Everything In-Between.”
Brian;
Talk
There is a whole world beyond ChatGPT so embark on an epic quest through the realm of Self-Hosted AI as I unveil my journey of learning, hacking, and fine-tuning models on a budget. Brace yourself for awe-inspiring demos and tap into your darker side as we explore the untamed potential of AI. While a basic understanding of programming is beneficial, high-level math skills are not required.
“SSH Configuration, Intermediate Level”
leyrer;
Talk
So you know how to "use" the ssh command line? You enter connection parameters like username, hostname and private key every time you need to connect? You manually log into the jump/bastion host when connecting to your target host?
Then come to this session and learn how you can make your life easier and your work more efficient with custom config files and a little bit of preparation.
In addition, we will also cover common best practices and improvements to your ssh setup.
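An added example of the kind of config file the abstract refers to (not the speaker's own; the host names, user name and key path are assumptions): one Host block for the bastion, one for internal hosts that reach it through ProxyJump, and a catch-all block with hardening defaults.

```sshconfig
# ~/.ssh/config  (added example; hostnames, user and key file are assumptions)

# The jump host, reachable directly.
Host bastion
    HostName bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes

# Internal hosts: "ssh web01" tunnels through the bastion in one step.
# ProxyJump keeps the private key on your machine, so no agent forwarding is needed.
Host web01 db01
    HostName %h.internal.example.com
    User alice
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes

# Defaults for every connection. ssh uses the first value it finds for each option,
# so the catch-all block must come last.
Host *
    ForwardAgent no
    HashKnownHosts yes
    ServerAliveInterval 30
    ServerAliveCountMax 3
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%C
    ControlPersist 10m
```

IdentitiesOnly stops the client from offering every key the agent holds (which leaks key fingerprints to each server and can trip the server's authentication-attempt limit), and the ControlPath directory has to exist with mode 0700 before multiplexing works.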
“Support your Local Admins”
Christos Tsiakoulas;
Workshop
Incident analysis for the average sysadmin.
“Tails, The Amnesic Incognito Live System”
ignifugo;
Talk
Tails, The Amnesic Incognito Live System https://tails.net/
Introduction to the Tails live operating system. Amnesic: it can be used without saving any data from the current session; Incognito: it automatically routes connections to the Internet via Tor, a popular anonymizing network; Live System: it fits on a USB stick and can be used on different computers without leaving a trace on the hardware itself.
The most famous case of its use was in 2013, when journalist Laura Poitras used it to establish communications with Edward Snowden, which led to the publication of important documents documenting illegal activities of the American NSA, the National Security Agency. Since then this Debian-based Linux distribution has been under continuous development and maintenance; during the talk we will see together the advanced tools that are inside and 3 demos based on use cases. Tails was booted 750,346 times in June 2023, a daily average of more than 25,012 boots.
“The Dark Age of Memory Corruption Mitigations in the Spectre Era”
Andrea Mambretti;
Talk
After decades of fighting memory corruption vulnerabilities, several defenses have been developed to raise the bar for attackers to carry out exploitation. Defenses like control flow integrity (CFI) and the stack smashing protector completely prevent the direct use of memory corruption primitives, and require an attacker to employ bypass techniques to complete an attack. After the introduction of the new class of transient execution attacks, it is natural to wonder how these well-established defenses perform in the post-Spectre era.
In this talk, I present a sub-class of transient execution attacks we call SPEAR. This sub-class enables an attacker to repurpose memory corruption primitives that cannot be used in the context of traditional exploitation to achieve arbitrary memory reads. We discuss how SPEAR changes the game in three main use cases: control flow integrity (CFI), memory-safe languages and stack smashing protectors (SSP). I present our end-to-end attack in which we achieve information leakage through a SPEAR attack against a buffer overflow mitigated by SSP in libpng. I also present the first application of speculative ROP in a real-world attack and discuss its differences from traditional ROP.
“The internet is broken - The modern supply chain made us vulnerable”
Mackenze Jackson;
Talk45
We have gone through a drastic shift in how we build software, no longer are our applications stand-alone monoliths, they are now a collection of thousands of different modules and building blocks. This has enabled us to innovate at an unimaginable pace but at the cost of security. These building blocks include frameworks, open-source libraries, SaaS platforms, and cloud infrastructure. In this talk, we will examine the anatomy of recent supply chain attacks to show how hackers are targeting vulnerabilities that are at the core of how we build modern software. This will mean examining how open source libraries are being turned malicious, how attackers are able to break into our systems, and why credentials to our infrastructure are leaking all over the internet. The goal of the talk will then be to provide actionable steps on how we can build secure applications on an insecure internet and take back control of our security.
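The credential-leak part of this abstract is the one piece a practitioner can check mechanically, so here is an added example (not the speaker's material) of the detection logic that pre-commit hooks and CI scanners run: fixed-format patterns for well-known credential types (AWS access key IDs, GitHub personal tokens, PEM private-key headers) plus a Shannon-entropy test for generic secret-looking assignments, which separates a real key from a placeholder. The sample source lines are constructed; the AWS values are the documented example pair from AWS's own documentation, not live credentials.

```python
"""Find leaked credentials in source text (added example)."""
import math
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# name = "value" / name: "value" where the name smells like a secret and the value is long enough
ASSIGNMENT = re.compile(r"""(?i)(secret|token|password|api[_-]?key)\w*\s*[:=]\s*['"]([^'"]{16,})['"]""")


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, placeholders and words score low."""
    n = len(s)
    return -sum(s.count(ch) / n * math.log2(s.count(ch) / n) for ch in set(s))


def scan(text: str, entropy_threshold: float = 3.5) -> list:
    """Return (line_number, finding_kind, matched_text) for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = False
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, kind, m.group(0)))
                hit = True
        if hit:
            continue                                   # already reported with a precise kind
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append((lineno, "high_entropy_" + m.group(1).lower(), m.group(2)))
    return findings


# Constructed sample file. Lines 1-2 use the AWS documentation example pair.
SAMPLE = "\n".join([
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"',
    'password = "password123"',
    'api_key = "changeme_changeme_changeme"',
    "-----BEGIN OPENSSH PRIVATE KEY-----",
])

if __name__ == "__main__":
    for lineno, kind, text in scan(SAMPLE):
        print(f"line {lineno}: {kind}: {text[:12]}...")
```

The entropy threshold is the tuning knob: too low and every UUID and hash in the code base is flagged, too high and short real passwords slip through, which is why dedicated scanners such as gitleaks and trufflehog combine both approaches and also walk git history, since a secret removed in a later commit is still in the clone.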
“Three factors that are blocking contributions to your Open Source project”
Saurav Jain;
Talk30
When talking about contributing to open-source projects, it’s crucial to understand, from a maintainer’s point of view, what factors are stopping new contributors from contributing to your project: whether your codebase is overwhelming to first-time contributors, or it lacks good first issues and responsive answers to their problems. In this talk, I will explain how I built a campaign at Amplication that scaled the contributors from 30 to 200 in just one year and how it solved every problem I mentioned above.
“USB, how does it even work? Certified USB4 (Version 2.0)”
MacLemon;
Talk
Continuing the USB story of your universal plug with USB4, alternative modes, and power delivery. Let's see what the USB implementers forum is up to.
“Web3 security: Smart contracts and stupid exploits.”
profMagija;
Talk
Join us on a thrilling expedition into the captivating world of Web3 and smart contract security. In this talk, we will delve into historical exploits, showcasing the real-world consequences of smart contract vulnerabilities. Gain a deeper understanding of the evolving challenges faced in Web3 security and the quest for a safer decentralized future. Brace yourself for an enlightening journey that combines chaos, hacking, and the exciting possibilities of smart contracts.
“Werewolf”
Hetti;
Workshop120
We play Werewolf!
“Werewolf”
Hetti;
Workshop120
We play Werewolf, everyone welcome!