Talks were chosen through our call for proposal process and the associated program committee, except keynotes selected by the organizing committee and rump sessions selected during the event.
Unveiling the Express Lane to Catastrophe: Insights from Extensive Security Testing
Needles in the Haystack: A Heuristics-based Approach to Vulnerability Discovery
YouShallNotPass! Hardening GitLab pipelines on mission critical environments
XORtigate: zero-effort, zero-expense, 0-day on Fortinet SSL VPN
Ghidriff: Ghidra Binary Diffing Engine
Quantum Computing Doomsday Planning: Is Your Organisation Ready?
Sideloading Serenade: A Symphony of .NET Payload Techniques
Caviar Scammers: The Sophisticated Operations of the SturgeonPhisher APT Group
Unraveling the Challenges of Reverse Engineering Flutter Applications
A Security Research Journey: how the mobile industry met hackers in the middle
Command-line Obfuscation Detection Using Large Language Models
Reporting cyber incidents: shared duties within organisations
Defeating VPN Always-On
Infiltrating Kubernetes: A Comprehensive Study of Attack Scenarios and Security Measures
You can access the recordings of the talks from previous years on our YouTube channel.
Call For Proposals
A call for proposals (CFP) was organized. The program committee is in charge of selecting the talks (except the keynotes and rumps). The submission process is now closed (it was open until 10 June 2023).
The program committee was composed of internationally renowned experts in the field, responsible for building a program of quality. They collected the proposals and selected the most outstanding ones.
We expected an event offering a wide range of topics ranging from software security to cyber security, data protection, technical and organizational aspects of software, hardware, networks, infrastructures, systems, and others. Topics could be:
A journey through the darkest corners of cybersecurity: buckle up as we explore the uncharted territories of digital disaster and unveil the most efficient and assured route to chaos – the Express Lane to Catastrophe.
Drawing from a database of thousands of systems and their security flaws, we've distilled the essence of vulnerability into a meticulously crafted roadmap of disaster. From unchecked privilege escalation to the subtle art of cryptographic misadventures, we're leaving no stone unturned, and no pitfall unexplored.
Through a careful examination of poor practices and unfortunate incidents, the goal is to provide a pragmatic view of the vulnerability landscape. Equipped with this knowledge, you will be better prepared to proactively identify and address vulnerabilities, reinforcing your defenses and making well-informed decisions to avert potential disasters.
Co-Founder & CTO
Bug Bounty Switzerland AG
What happens if you compromise a host in the target environment and all of your common tradecraft is no longer viable due to system hardening and patching? The ability to discover, triage, and exploit vulnerabilities on red team operations has become a critical skill set, especially for those targeting mature organizations. It opens many new avenues to build attack paths that otherwise would not be available with common techniques. Discovering new exploitable vulnerabilities on Windows systems, however, can be a daunting task. Many view it as a process that requires an immense amount of time, skill, and often plain old luck. Because of how critical this skill set is to our operations, we have invested an immense amount of time into honing our approach for identifying vulnerabilities that we can quickly leverage while constrained by time. This approach has continuously yielded exploitable vulnerabilities in both commercial and consumer applications in modern versions of Windows, primarily facilitating local privilege escalation (LPE) and remote code execution (RCE), but also providing novel methods of persistence and initial access. In this talk, we will share our heuristics for quickly triaging a host to identify potential vulnerabilities, discuss the common bug classes that we are hunting for, walk through their exploitation, and provide case studies of vulnerabilities that we’ve found on real-world operations. After attending this talk, the audience will understand how to optimize their own vulnerability research process and how to exploit some of the most prevalent vulnerabilities we see in our work.
Principal Security Engineer
In this presentation, we will explore the issue of securing CI/CD pipelines targeting mission-critical systems.
We'll begin by providing an overview and the benefits of CI/CD pipelines, before delving into the specifics of GitLab's CI/CD capabilities, including the role of "Runners" in executing jobs and pipelines.
Given the increasing number of security risks associated with CI/CD pipelines and the threat actors trying to exploit them, a MITRE ATT&CK style matrix will be used to highlight these risks and underscore the importance of proper security measures.
Next, the concept of a custom Runner executor will be introduced and its potential in enhancing pipeline security will be discussed. We will describe our own implementation of a custom executor “YouShallNotPass”, outlining the tools and technologies we used to ensure that only trusted images and users can run code in the repository.
Finally, several use-cases will be provided to demonstrate how the custom executor can be deployed in diverse environments to boost pipeline security.
In conclusion, our presentation will emphasize the benefits of utilizing CI/CD platforms to deploy configuration or code on critical systems, the potential security risks associated with them, and our solution by implementing a custom executor to improve their overall security.
Principal Cloud & Security Engineer
While performing a red team assessment, due to limited scope, we were forced to look for 0-day vulnerabilities on a Fortinet appliance. This talk describes how we found and exploited CVE-2023-27997, a pre-authentication remote code execution vulnerability affecting the VPN interface of FortiGate, affecting hundreds of thousands of servers on the internet, and used it to completely compromise the company's intranet. It will cover the vulnerability research process from start to finish, starting from how to get a shell on a local appliance, our research logic, the bug and the exploit, and finally how to persist on the target despite reboots.
A quick description of the bugs:
- The first one, allowing root access on the appliance, is a path traversal vulnerability which happens during boot, while the main process tries to decompress a TAR file. This also allows access to be maintained after a reboot (persistence).
- The second one, reachable pre-authentication on the SSL VPN exposed interface, is a heap buffer overflow, but with a twist. Instead of overwriting memory with arbitrary data, the overflow allows us to XOR memory with a keystream built with MD5 hashes (K0 = MD5(...|key|...), K1=MD5(K0), K2=MD5(K1), etc.).
Fortinet is aware of the bugs and is working on a fix (2 months now).
I can provide more details if necessary.
This talk presents `ghidriff`, a new open-source Python package that offers a command line binary diffing capability leveraging the power of Ghidra with a fresh take on the standard patch diffing workflow.
As seen in most security blog posts today, binary diffing tools are essential for reverse engineering, vulnerability research, and malware analysis as they identify added, deleted, and modified functions between two binaries. Matching functions across binaries is a challenging and asymmetric problem because of complex function relationships and the many changes that can occur after a simple change is introduced into the source of a binary. `ghidriff` overcomes this challenge by offering the latest function matching heuristics while also providing the user the ability to extend it with custom function correlation classes. Like other binary diffing solutions, the tool stands on the shoulders of giants (SRE tooling) to interpret a binary and provide a consistent and reliable approach to binary diffing. Unlike other tools, `ghidriff` offers a command line experience, simplifying the entire patch diffing workflow to only a single step, significantly reducing analysis time. Additionally, the results of the diff are rendered as beautiful markdown files that can be shared and hosted almost anywhere.
`ghidriff` is the open source tool security researchers need to quickly understand the latest patched vulnerabilities and easily share their next vulnerability writeup with the security community.
Quantum computing is often portrayed as an imminent threat, but what exactly is it all about? This presentation is designed for a wide audience of security professionals, and aims to address the most important questions.
We will first introduce the concept of quantum computing, describing the key notions of quantum speed-up and quantum parallelism, as well as the notions of universal computation, scalability, and quantum error correction.
We will then give an overview of quantum computing research, describing the leading companies in the space and their main achievements, such as factoring the number 15 into 3×5 (with high probability). We'll explain the difference between real quantum computing and simulated quantum computing, which is not always made very clear by the vendors.
We will explore the various ways in which quantum computing could impact TLS connections, VPN services, secure messaging, 4G/5G communications, database encryption, and blockchain platforms. This information aims to assist the audience in understanding how to manage risks differently for distinct applications.
Additionally, we will offer guidance on conducting and documenting a risk assessment for your organisation or clientele. Lastly, we will outline practical options for transitioning to post-quantum cryptography by examining the post-quantum offerings of technology companies, including cloud service providers, VPN service providers, and hardware manufacturers.
This presentation does not necessitate any prior knowledge of quantum physics or quantum mechanics, and may even include adorable kitten images.
Achieving execution of your payloads in typical phishing or red-team scenarios, without being outright prevented, is a constantly moving goalpost. It can be almost as frustrating as when you finally develop a payload that meets your needs, only for it to be prevented by brittle detection logic soon thereafter, leaving you to start from square one.
In this talk, we will cover a variety of core principles we apply to our .NET payloads to increase longevity and effectiveness while decreasing the burden associated with development and the build process. Topics spanning entropy-conscious obfuscation, runtime protection techniques, dynamic delivery of encryption keys, polymorphic build automation, and more will be covered. We will discuss additional options the .NET framework gives us for sideloading trusted .NET assemblies, to complement more traditional sideloading techniques. Creating a repository of preferred techniques regarding shellcode injection and other important components of your payload will be discussed, as well as an approach for selecting from your collection of techniques for a plug-and-play experience during the build process to best fit your offensive use case. Finally, we will demonstrate how all of the concepts can be directly applied to payloads that fit a variety of use cases: initial access, lateral movement, and more.
We hope to demonstrate that following a handful of OPSEC considerations, combined with the added trust of sideloading existing .NET assemblies, can ease the burden and lower the barrier to entry for effective .NET payload development.
SturgeonPhisher, also known as YoroTrooper, is a cyberespionage group active since at least October 2021. The group focuses on spearphishing and webmail-credential stealing. It targets government officials, think-tanks, and employees of state-owned companies in countries bordering the Caspian Sea – the Russian Federation being one of the most targeted countries.
SturgeonPhisher’s activities are not limited to credential stealing; they also use a recently updated arsenal including some reverse shells, password stealers, remote access trojans (like RustyRAT), and a Telegram backdoor as a way of performing espionage campaigns on selected targets. In order to deliver their malicious payloads, we observed the compromise of legitimate websites in addition to traditional spearphishing.
In their phishing operations, this threat actor registered many domains similar to the legitimate ones used by the targeted entities and hosted a copy of the target website. The initial attack vector in their espionage campaigns is mostly spearphishing emails with an attachment.
In this presentation, we will describe a few typical compromise chains with some examples of phishing websites and analysis of multi-stage malware. For now, we have made no attribution of the group’s origin, but it is likely that it is operated from a Central Asian country, given the operating time zone and narrow targeting.
Flutter, a popular cross-platform application development kit developed by Google, utilizes the Dart programming language. Dart is an object-oriented programming language with a C-style syntax and features like sound null safety. One of Flutter's key attractions is its ability to develop applications with a single codebase, which can be compiled for various mobile and non-mobile platforms.
While Flutter debug applications pose no difficulty to reverse, release applications are totally different: a nightmare. The challenges arise from several design choices, including default code obfuscation, the utilization of a virtual machine (VM), an evolving and undocumented executable format (Dart AOT snapshot), indirect access to objects and constants, dedicated registers, a unique representation of Small Integers (SMI) and non-standard calling conventions.
In this talk, we delve into these challenges and provide techniques and analysis to overcome them. The centerpiece of the talk is a practical demonstration of reversing a Flutter crackme app. Initially, even strings remain elusive, and many disassemblers are completely lost. We work our way through the identification of significant functions, encryption loops, access to constants and disassembly of byte arrays. To accomplish this, we navigate between the code in the Dart SDK repository, Dart programs and the Flutter crackme app. We discover that Radare2 excels in recognizing function names (for Dart) and offering insightful assembly comments. The JEB disassembler, on the other hand, proves invaluable in recovering the Object Pool, a Dart structure which provides access to objects and constants.
Principal Security Researcher
The mobile industry has always had a relationship with the hacking community and it has often been collaborative when it comes to protecting consumers.
This is the first time that the mobile industry has spoken about its work with the security research community which started with very informal relationships with hackers and developed into the world’s first cross-industry Coordinated Vulnerability Disclosure (CVD) scheme. The scheme that has run since 2017 has had 70 submissions affecting technologies used by the entire mobile industry. The resulting fixes have saved end users from major pain through the avoided exploitation of the disclosed vulnerabilities.
The speaker will take the audience on a journey through mobile hacking history from the industry’s point of view. Highlights include SS7 signalling attacks and rogue base stations through to femtocell hacks, LTE network breaches and lots of clever device hacking, as well as some legendary names from the hacking world. The talk will focus on the technical details of the hacks, how we were able to address them as an industry, what went wrong and what we learnt along the way. The talk will also look at where we can go together in the future and what types of technology challenges and issues we expect to see.
GSMA Fraud and Security Group (FASG) Chair, CEO Copper Horse
Copper Horse Ltd
Command-line obfuscation is one of the most common methods adversaries use to avoid detection. These methods include changing the case of letters in the paths to binaries, adding symbols that are ignored by the command-line interpreter, using homoglyphs, or storing the arguments in variables and re-ordering them on the command line, etc. Most security solutions use signatures to detect state-of-the-art malware, requiring threat analysts to create an exhaustive enumeration of signatures for obfuscation techniques. Instead of signatures, we utilize an NLP approach that can generalize and detect previously unseen obfuscation techniques.
The proposed NLP method consists of two components, a tokenizer and a classifier. The tokenizer augments the command lines and transforms them into a low-dimensional representation without losing information about the underlying obfuscation technique. Since the command line has a different structure than natural language, the pre-trained classification model is fine-tuned on samples observed in the wild.
The experiments demonstrate that the approach yields high precision and recall with a small number of false positives. Additionally, it uncovered new hard-to-detect obfuscation techniques that rely on pre-installed software on the operating system. The novel detections include new strains of the Raspberry Robin worm on Windows 11 that use a highly obfuscated execution of wt.exe or Gamarue that uses rundll32.exe to execute its obfuscated payload.
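The following is an added illustration of the normalisation step that precedes tokenisation, not the presenters' code or model: it undoes the obfuscation tricks named in the abstract (letter-case changes, characters cmd.exe ignores, homoglyphs) so that a downstream classifier sees one canonical form, and emits a few cheap side features. The homoglyph table and the sample command lines are constructed for the demo.

```python
"""Normalise Windows command lines before tokenising them for a classifier.

Added illustration, not the talk's tokenizer or classifier: it folds the
obfuscation tricks listed in the abstract into one canonical form and
computes side features. The homoglyph table and samples are constructed.
"""
import re
import unicodedata

# cmd.exe drops carets used as escape characters and empty quote pairs,
# so "c^m^d" and 'ec""ho' run exactly like "cmd" and "echo".
DROP_CARETS = str.maketrans("", "", "^")
# Constructed look-alike table: a few Cyrillic letters that render like ASCII.
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0455": "s", "\u0456": "i"}

# Constructed samples: one clean line and two obfuscated forms of it.
SAMPLES = [
    'C:\\Windows\\System32\\cmd.exe /c echo hello',
    'C:\\WiNdOwS\\sYsTeM32\\c^m^d.exe /c ec""ho hello',
    'C:\\Windows\\System32\\cmd.exe /c \u0435cho hello',   # Cyrillic "е" in echo
]


def normalise(cmdline):
    """Return a canonical lowercase form of the command line."""
    text = unicodedata.normalize("NFKC", cmdline)       # fold full-width letters
    text = "".join(HOMOGLYPHS.get(ch, ch) for ch in text)
    text = text.translate(DROP_CARETS)                  # remove ignored carets
    text = text.replace('""', "")                       # remove empty quote pairs
    text = re.sub(r"\s+", " ", text).strip()
    return text.lower()


def tokenise(cmdline):
    """Split the normalised line into path, switch and word tokens."""
    return re.findall(r'[a-z]:\\[^\s"]+|/[a-z]+|-[a-z]+|[a-z0-9_.%]+',
                      normalise(cmdline))


def obfuscation_features(cmdline):
    """Side features a classifier can use next to the tokens: how many
    characters normalisation removed, how often letter case flips, and how
    many non-ASCII characters (possible homoglyphs) the raw line contains."""
    letters = [c for c in cmdline if c.isalpha()]
    return {
        "removed_chars": len(cmdline) - len(normalise(cmdline)),
        "case_switches": sum(a.isupper() != b.isupper()
                             for a, b in zip(letters, letters[1:])),
        "non_ascii": sum(ord(c) > 127 for c in cmdline),
    }


if __name__ == "__main__":
    for line in SAMPLES:
        print(tokenise(line), obfuscation_features(line))
```

Both obfuscated samples tokenise to exactly the same sequence as the clean line, which is what lets a model trained on canonical forms generalise across these tricks.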
Cyber incidents, cyber attacks and vulnerabilities affect everyone working in organisations. They trigger various processes, including legal processes, in particular in the form of obligations. These obligations include obligations to report or notify various external entities, sometimes to remedy a harmful event or to comply with one's obligations and enable the authorities to carry out their functions.
The presentation will cover the main reporting obligations for organisations active in Switzerland and how they operate. The main notification obligations in Switzerland are the obligation to report cyber attacks targeting critical infrastructure and the obligation to notify breaches of personal data security. The presentation will seek to explain what they involve and to briefly examine other obligations that may be imposed in parallel, so that the audience understands what exists in Switzerland, how each person in an organisation can help, at their own level, the organisation manage its legal obligations, and how compliance with these obligations can help increase the resilience of organisations.
Such a presentation is important to enable the various actors within organisations 1) to understand the issues in terms of information flows, 2) to know everyone's obligations (for example in terms of documentation and information sharing), 3) to improve exchanges and mutual understanding between the different professions, and to increase the trust and resilience of organisations.
University of Lausanne
University of Lausanne
VPN Always-On is a security control that can be deployed to mobile endpoints that remotely access corporate resources through VPN. It is designed to prevent data leaks and narrow the attack surface of enrolled end-user equipment connected to untrusted networks. When it is enforced, the mobile device can only reach the VPN gateway and all connections are tunnelled.
We will review the relevant Windows API, the practicalities of this feature, look at popular VPN software and... bypass it with ridiculously complex exfil methods but also with unexpectedly trivial tricks. We will exploit design, implementation and configuration issues to circumvent this control in offensive scenarios. We will then learn how to fix or harden VPN Always-On deployments to further limit the risks posed by untrusted networks.
This talk is more than just the outcome of my technical research against one particular network security feature. It is an attempt to fully embrace the hacker spirit through the revolt against Control, the unreasonable time trying to understand the technological subtleties and finally the sharing of beautifully simple techniques to break free.
This original research has outcomes that will give security practitioners (blue & red) tangible ways to attack & defend in the context of corporate VPN setups. I am not a security researcher but I would like to share my experience on this topic after years of penetration tests and red-teaming in mature environments.
CSIRT Leader - Senior Manager
Kubernetes (K8s) is a leading container orchestration platform, and it has revolutionized how we build, deploy, and manage containerized applications. However, with great power comes great responsibility. This research uncovers attackers' methods to infiltrate and remain undetected in a compromised K8s cluster.
Using real-world applications as examples, we delve into the various tactics, techniques, and procedures (TTPs) that attackers or malicious users can leverage to exploit your K8s cluster. A detailed examination of an attack scenario starts from the initial compromise of a pod. We illustrate many strategies to escalate privileges, from exploiting misconfigurations to leveraging software vulnerabilities. Subsequently, we analyze the steps involved in container escape, which enables an attacker to access the underlying node, effectively breaching the host. Furthermore, our analysis includes studying stealth techniques that allow attackers to remain undetected within your K8s cluster. Using sidecar containers, attackers can mask their activities and maintain persistence within the environment. We illustrate how such an attacker could escalate their privileges to eventually become a K8s cluster administrator, thus gaining complete control of the victim's environment.
Despite the grim picture painted by these potential attack vectors, we demonstrate that proactive detection and response strategies can significantly mitigate these risks. Using K8s' built-in security features and audit logs, we provide insights into identifying potential indicators of compromise (IoCs). As part of our mitigation strategies, we explore using runtime security tools such as Falco. Falco enables the creation and deployment of rules that detect abnormal behavior within your K8s cluster. By detailing the implementation of such rules, we provide a robust guide to enhance the detection of and response to a broad array of potential attacks. The research aims to enhance the understanding of potential threats facing a Kubernetes environment and offers comprehensive guidelines on securing the K8s cluster. Understanding an attacker's modus operandi and the appropriate defense mechanisms is integral to maintaining a secure environment in the contemporary landscape of containerized applications and microservices.
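As an added example of the audit-log side of the detection described above (not the presenters' tooling), the script below scans API-server audit events for the stages the abstract walks through: exec into a pod, creation of privileged or host-level pods, secret enumeration by a service account, and in-cluster edits to workloads that could plant a sidecar. The events are constructed JSON lines in the audit.k8s.io/v1 format with made-up names and namespaces; `requestObject` is only present when the audit policy logs at Request level or above.

```python
"""Scan Kubernetes API-server audit log lines for indicators of compromise.

Added example, not the presenters' tooling. Each check maps to one stage of
the attack chain in the abstract. The sample log is constructed.
"""
import json


def _is_serviceaccount(user):
    """In-cluster code (a compromised pod) talks to the API as a service account."""
    return user.get("username", "").startswith("system:serviceaccount:")


def check_event(ev):
    """Return a list of IoC labels for one audit event (empty if benign)."""
    hits = []
    verb = ev.get("verb", "")
    ref = ev.get("objectRef") or {}
    user = ev.get("user") or {}
    res, sub = ref.get("resource"), ref.get("subresource")
    # Interactive access to a running container.
    if res == "pods" and sub in ("exec", "attach") and verb == "create":
        hits.append("exec-into-pod")
    # Pod specs that make container escape to the node trivial.
    if res == "pods" and verb == "create":
        spec = (ev.get("requestObject") or {}).get("spec") or {}
        ctrs = (spec.get("containers") or []) + (spec.get("initContainers") or [])
        if any((c.get("securityContext") or {}).get("privileged") for c in ctrs):
            hits.append("privileged-container")
        if spec.get("hostPID") or spec.get("hostNetwork"):
            hits.append("host-namespace-pod")
        if any(v.get("hostPath") for v in spec.get("volumes") or []):
            hits.append("hostpath-mount")
    # Credential harvesting from inside the cluster.
    if res == "secrets" and verb in ("list", "watch") and _is_serviceaccount(user):
        hits.append("secret-enumeration-by-serviceaccount")
    # Workload edits from a pod identity: how a sidecar gets injected. Noisy for
    # legitimate controllers; allowlist their service accounts when tuning.
    if (res in ("pods", "deployments", "daemonsets") and verb in ("patch", "update")
            and _is_serviceaccount(user)):
        hits.append("workload-modified-from-inside-cluster")
    return hits


def scan(lines):
    """Return (auditID, username, hits) for every line that raises an IoC."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = check_event(ev)
        if hits:
            findings.append((ev.get("auditID"), (ev.get("user") or {}).get("username"), hits))
    return findings


# Constructed audit events (audit.k8s.io/v1), one per line.
SAMPLE_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"shop","name":"web-1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:shop:web-sa"},"objectRef":{"resource":"pods","namespace":"shop","name":"web-1","subresource":"exec"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:shop:web-sa"},"objectRef":{"resource":"pods","namespace":"shop","name":"debug"},"requestObject":{"spec":{"hostPID":true,"containers":[{"name":"c","image":"alpine","securityContext":{"privileged":true}}],"volumes":[{"name":"root","hostPath":{"path":"/"}}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:shop:web-sa"},"objectRef":{"resource":"secrets","namespace":"kube-system"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a5","stage":"ResponseComplete","verb":"patch","user":{"username":"system:serviceaccount:shop:web-sa"},"objectRef":{"resource":"deployments","namespace":"shop","name":"web"}}
"""

if __name__ == "__main__":
    for audit_id, who, hits in scan(SAMPLE_LOG.splitlines()):
        print(audit_id, who, ", ".join(hits))
```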