2023

3.3.2023 (Friday) at SRCE.
Technical lectures, single track, relevant technical content with no sales talks.

| Time | Speaker | Subject |
| --- | --- | --- |
| 08:30 – 09:00 | | Registration |
| 09:00 – 09:15 | | Opening Ceremony |
| 09:15 – 10:00 | Mackenzie Jackson | State of Secrets Sprawl for 2022 – Finding millions of valid credentials in public source code |
| 10:10 – 10:55 | Marijo Dujmić | Poor Man’s Ransomware |
| 11:05 – 11:50 | Michel de Crevoisier | 10$ for a cookie: a modern view on the threat detection landscape |
| 12:00 – 12:35 | Vanja Švajcer | Planetary abuse – IPFS and malware |
| 12:35 – 14:00 | | Lunch Break (no organized lunch, nearby lunch locations: tinyurl.com/2p8uppaw) |
| 14:00 – 14:45 | Matko Antun Bekavac | Fileless malware |
| 14:55 – 15:40 | Krešimir Lovrić | SCDRM – Security configuration disaster-recovery manager |
| 15:50 – 16:35 | Danijel Grah | Modern Attacks against Modern Solutions |
| 16:40 – 17:25 | Imran Saleem | Weaponizing Mobile Infrastructure – The русский (RU) Affect. |
| 17:25 – 17:30 | | Closing Ceremony |

State of Secrets Sprawl for 2022 – Finding millions of valid credentials in public source code

GitHub is the largest platform for open-source code: more than 80 million developers are active on the platform and tens of millions of public repositories are created every single year. But public code distribution on this scale brings with it a serious security threat, the unwanted exposure of API keys, credentials and other secrets, a problem known as Secrets Sprawl.

These secrets are the crown jewels of our applications and, if leaked, can grant attackers access to our applications’ core infrastructure and data. This includes access to databases, cloud infrastructure and third-party services. The scale of the problem is exposed clearly in the yearly report released by GitGuardian titled “The State of Secrets Sprawl”. The report uncovered over 6 million secrets exposed in PUBLIC git repositories on GitHub in 2021 alone.

This presentation is going to present, for the first time, the currently unreleased 2022 State Of Secrets Sprawl report. This new report shows that the total number of secrets being leaked publicly has increased from 2021 and goes into detail about the types of secrets being leaked and the core contributing factors for leaked secrets.

The presentation will also explore:

  • Recent high profile security breaches and how attackers found and exploited secrets
  • What happens when you leak secrets publicly (We leak a secret live and watch bots try and exploit it)
  • How developers can securely store and share their secrets
  • What to do if you do accidentally leak secrets

The audience will be left with a clear understanding of how big the problem of leaked secrets in Python apps is, why the problem exists and how developers can prevent this from happening.

About the speaker

Mackenzie is a developer advocate with a passion for DevOps and code security. As the co-founder and former CTO of a health tech startup, he learnt first-hand how critical it is to build secure applications with robust developer operations. Today as the Developer Advocate at GitGuardian, Mackenzie is able to share his passion for code security with developers and works closely with research teams to show how malicious actors discover and exploit vulnerabilities in code.

Poor Man’s Ransomware

This presentation contains an overview of a malware development process, primarily used as a practical demonstration for a graduation thesis. The malicious binary is being made under the premise of “If it’s stupid and it works – it ain’t stupid”. Envisioned as a part of a spear phishing attack, the malware is designed to deceive the user by opening up a fake CV while doing some nasty stuff in the background. The malware is written in C++ and uses a legitimate external component to achieve its goal. By classification, it is combining dropper, trojan and ransomware functionalities. Fueled by the author’s love for malware and hate for Excel files, it feeds on tears of hypothetical users that dare to double click it. This poorly built piece of godforsaken software demonstrates just how little it takes to get started on malware development. However, there are some useful techniques in there that may provide an insight on how “normal” malware works – some basic sandbox evasion, EDR evasion, binary dropping, inbuilt OS functions and legitimate file usage, etc. Inspired by a real life attack and random grains of wisdom picked up from Twitter, this portable executable might not be your C-level executive’s favorite candidate.

Presentation: Poor Mans Ransomware – Marijo Dujmic

About the speaker

This guy loves Cybersecurity, especially Digital Forensics and Incident Response. Worked in various security roles since 2018, hardcore TVZ student (IS&DF), guitar nerd, keyboard player. Obviously not a developer, but has a creative side that sometimes cannot be contained by means of good coding practices.

10$ for a cookie: a modern view on the threat detection landscape

The defender’s mindset and detection technologies are bound to always evolve as the attacker’s arsenal is continuously growing. During this session we will provide a modern view on the threat detection landscape by highlighting and analyzing top threats from recent breaches. With an approach based on different perspectives, we will dive into the modern defender mindset and assess some of the challenges defenders face. One of them remains SIEM solutions which, despite being a masterpiece in the Security Operation Center (SOC), still represent a challenge when it comes to onboarding data sources, especially Windows operating systems. Therefore, we will take the opportunity to introduce a completely new toolset aiming to simplify auditing requirements, group policy configuration and data collection via the Splunk Universal Forwarder agent. That said, another key player for detection and response has started to rise in recent years: EDR (Endpoint Detection and Response). But due to its popularity and also due to a matter of trust, we will see that several evasion techniques can make EDR solutions vulnerable, leading us in the direction of a combined approach between EDR and SIEM, together with complementary detection tools for Linux and Windows.

Presentation: A modern view on the threat detection landscape – Michel de Crevoisier

About the speaker

Michel has been a Senior Security Analyst in the Cyber Defense Center of K-BusinessCom since 2022. Formerly, he worked for 5 years as a Security Analyst, developing threat detection solutions and investigating modern attacks. During his professional career, he has held several positions as a system and network administrator as well as a security architect in France, Spain and Austria.

In addition to his practice, Michel contributes to the SOC Prime platform as a Threat Bounty Developer and regularly participates as a speaker at security conferences, especially BSides. He is also a guest contributor at Red Canary and the author of several detection projects regarding Microsoft solutions.

Michel graduated with an MSc in computer sciences. During his studies, he was named by Microsoft as a “Student Partner” (MSP) and was in charge of organizing different talks and conferences in order to present the Microsoft ecosystem and its related services or products.

Planetary abuse – IPFS and malware

The emergence of new Web3 technologies in recent years has resulted in drastic changes to the way content is hosted and accessed on the internet. Many of these technologies are focused on circumventing censorship and decentralizing control of large portions of the content and infrastructure people use and access on a regular basis.

While these technologies have legitimate uses in a variety of practical applications, they also create opportunities for adversaries to take advantage of them within their phishing and malware distribution campaigns. Over the past few years, an increase in the number of cybercriminals taking advantage of technologies like the InterPlanetary File System (IPFS) to facilitate the hosting of malicious content has been observed.

It is expected this activity will continue to increase as more threat actors recognize that IPFS can be used to facilitate bulletproof hosting, is resilient against content moderation and law enforcement activities, and introduces problems for organizations attempting to detect and defend against attacks that may leverage the IPFS network.

Organizations should be aware of how these newly emerging technologies are being actively used across the threat landscape and evaluate how to best implement security controls to prevent or detect successful attacks in their environments.

The presentation will introduce IPFS technology and discuss the ways malicious actors have been abusing it, including case studies of interesting malicious campaigns.

Presentation: Planetary abuse – Vanja Svajcer

About the speaker

Vanja Švajcer works as a Technical Leader for Cisco Talos. He is a threat researcher with more than 20 years of experience in malware research and threat intelligence.

Vanja enjoys tinkering with automated analysis systems, reversing binaries and analysing mobile malware. He presented his work at conferences such as Virus Bulletin, RSA, CARO, AVAR, BalCCon, BSides and others.

Fileless malware

Fileless malware refers to a type of malicious software that operates without writing any executable files to the disk of an infected device. Instead, it takes advantage of existing software and system tools to carry out its malicious activities, making it more difficult to detect and remove. This type of malware infects the memory of the device and can persist even after rebooting the system.

One common method of infection is by exploiting vulnerabilities in software to execute malicious scripts in memory. Fileless malware can also be delivered via phishing emails, infected websites, or through software exploits. Once on the system, the malware can carry out various malicious activities such as stealing sensitive information, performing unauthorized actions, and spreading itself to other devices on the network.

One of the major challenges in detecting and mitigating fileless malware is the fact that it does not leave any files or artifacts behind for security tools to detect. This makes it difficult for traditional antivirus and anti-malware programs to identify and remove the threat. Additionally, since fileless malware uses legitimate system tools and software to carry out its activities, it can blend in with normal system processes, making it harder to identify.

To combat fileless malware, it is important for organizations to implement a multi-layered security approach that includes proactive threat detection and response tools, endpoint security, and security awareness training for employees. By using a combination of these measures, organizations can better protect themselves against this evolving threat and ensure that they are prepared to respond quickly if an infection does occur.

Presentation: Fileless malware – Matko Antun Bekavac

About the speaker

Matko Antun Bekavac is a developer with a deep passion for cyber security. Even though his main focus is eCommerce, he always looks out for potential threats and looks for ways to deter them. He was introduced to cyber security while working as a military intelligence officer and continued to research this field even after his transition to civilian life.

SCDRM – Security configuration disaster-recovery manager

SCDRM is an add-on to any Linux-based infrastructure dealing with forced change management, protecting critical server configuration, doing some simple disaster-recovery and trying to protect the infrastructure from human-made disaster.

Presentation: SCDRM – Kresimir Lovric

About the speaker

KL, currently working as a Linux IT architect for IBM Croatia, has been a Linux professional for over a decade with vast experience, focusing on high availability, performance, automation and as always – security.

Modern Attacks against Modern Solutions

Windows, as a preferred choice of organizations, has undergone a soft and unseen transition to becoming a more secure operating system. With modern security solutions and the new Windows VBS-based architecture, offensive security practitioners are facing obstacles in their engagements. We need to dive deeper when bypassing those security solutions by using kernel drivers to block or blind endpoint detection and response (EDR) solutions, which are becoming increasingly popular among organizations to detect and respond to cyber threats. Drivers are also the answer to how to dump credentials from the Local Security Authority Subsystem Service (LSASS) process, which runs as a protected process. And they can be used to divert network traffic on a compromised machine without using an additional attacker machine, which is especially useful when trying to run Responder, ntlmrelayx and other tools on a compromised Windows computer. Due to the power and popularity drivers present, the technique “Bring Your Own Vulnerable Driver” (BYOVD) has become popular among threat actors. But then, the new security features of Windows Virtualization-Based Security (VBS) like Hypervisor-enforced Code Integrity (HVCI) and Credential Guard can reduce the attack surface immensely and prevent the abuse of vulnerable drivers and the possibility of dumping credentials in a traditional manner. It is worth mentioning that these features are not enabled by default in a lot of organizations. Facing all these new security features requires creativity, and this is what cyber criminals are known for. Latest research shows how credential dumping is still possible with all the new Windows security features enabled. The talk will bring a lot of demos and delve deeper into the modern security solutions and how they can be bypassed in an offensive engagement.

Presentation: Modern Attacks against Modern Solutions – Danijel Grah (Videos)

About the speaker

Danijel Grah has been in cyber security for almost ten years. He began his career as a consultant, later moved into research, and today at NIL he works as a cyber security analyst in the Security Operations Center (SOC). Danijel has rich experience in penetration testing and security hardening, programming, consulting, and developing systems of cyber defense. He has published and presented research papers at various international conferences in the field of information security, and he has confirmed his knowledge and experience with industry certificates such as GRID.

Weaponizing Mobile Infrastructure – The русский (RU) Affect

Mobile networks are globally interconnected via private/public networks. Mobile signalization, being the core of the telecoms, is widely used, hence mobile networks are always at risk of exposure to data leaks. Signaling firewalls are the first line of defense and could prevent known attacks, but they are typically inadequate to identify zero-day exploits or sophisticated bypass techniques.

Besides, the threat actors are no longer stagnant and bound to a geographical area; rather, they are moving around the world, leveraging cloud-based deployments and using various geographically dispersed interconnect points, making it more arduous to detect new patterns.

At times, massive exploitation of victim networks by sophisticated bypass techniques has been seen where operators are unable to correlate the entire frame of the security chain due to a limited view. Not knowing whether the damage has been done, and working under the hypothesis that they are protected, operators are surprised when a high-profile individual becomes the victim of a coordinated, unnoticed chain of events.

In this engagement, we describe how mobile networks are weaponized to inflict cyberwarfare, with a focus on nation-state activity led by a Russian source/identity holding various objectives, i.e. performing account takeover and attacks on Ukrainian and German subscribers via SS7 Spoofing, and the new indicators that have been captured of attempts to bypass Signaling firewalls in order to get hold of initial data access, like the real IMSI for the subscriber and the Serving Node address for the network, that can potentially be used to perform subsequent attacks like call interception, billing fraud, tracking, surveillance and 2FA bypass.

Having experienced such a large-scale operation, now is the time for the mobile operators to build their own security strategy that can protect their subscribers and networks.

Presentation: Imran Saleem – Weaponizing Mobile Infrastructure

About the speaker

Imran Saleem is a Security Researcher with nearly two decades of experience in Telecom and Security. He has also served as the Cyber Security Consultant for Fortune 100 companies in the past. Imran holds a master’s degree in Cyber Security and maintains CISSP, CISM, CDPSE, and other highly sought-after security certifications. His past work areas combine Threat Intelligence, Security Design & Architecture, security risk assessment, privacy impact assessment, and data analytics.

Imran is associated with the Advanced Threat & Research wing, providing MNOs with information on the global threat landscape. With thought leadership on 5G security, his aim is to assist greenfield operators with end-to-end 5G security using Zero Trust architecture.

As a speaker, he has been talking at RSA, DeepSec and various other security conferences, with contributions to bodies like GSMA and the World Economic Forum and significant efforts made towards the GSMA interconnect Signaling Security guidelines.

He also serves as a member of GSMA CVD PoE (Panel of Expert). His work has been acknowledged in the GSMA. https://www.gsma.com/security/gsma-mobile-security-research-acknowledgements/

LinkedIn Profile: https://www.linkedin.com/in/imran-saleem-357b9231/