Archive for the talks Category

Level: Technical

Abstract:

In 2007, researchers demonstrated a proof-of-concept attack with damaging consequences on a physical device that could be part of critical infrastructure. Later we witnessed Stuxnet destroying Iran’s nuclear centrifuges, and cyber-attacks on critical infrastructure came into being as far as the broader public is concerned. We also witnessed malware such as WannaCry and NotPetya: neither was designed with ICS/OT capabilities, but both nevertheless had a devastating impact due to bad security practices. With the Ukraine blackout saga of 2015 and 2016, it was proven that cyber-attacks can have an impact on the electrical grid. It is believed that in 2015 no malware with ICS capabilities was used. In 2016, in terms of capabilities, the story changed as Industroyer, or CrashOverride, was introduced to the world: the first known malware designed to disrupt electrical grid operations. Industrial systems and critical infrastructure hacking and malware made the transition from Hollywood to real life. It is time to address the security and misconceptions of ICS/OT before we witness another disruption or destruction.

Bio:

Danijel Grah has a bachelor’s degree in computer science from the University of Ljubljana, Slovenia. He works as a Cyber Security Analyst in the Security Operations Center (SOC) at NIL. He has experience in penetration testing, security assessments, programming, consulting and research, and a deep understanding of threats, vulnerabilities and trends. In 2019 he obtained the GIAC Response and Industrial Defense (GRID) certification and became a GIAC board member. Apart from his profession, he loves all kinds of sports.

Level: Technical

Abstract:

In this presentation, we will reveal busted famous botnets from the inside and the outside, with all the original source code, files and logic behind these criminal operations. By revealing these busted C&C servers, we will see and learn how seriously they take this illegal business, and we will have a chance to peek inside them.

The list of the busted botnets we will reveal in this presentation:

  • Inside the Cryptolocker C&C server
  • Revealing a unique MitB builder C&C server
  • NAS botnet revealed
  • KINS-origin malware acting like a real e-banking web app
  • Is two-factor authentication enough to protect your money?

We will learn how advanced botnets in the wild are, how they function and how we managed to bust them. We are also going to publish the source code of a very advanced botnet with full capability: back-end, front-end and 2FA. After this presentation, attendees will have practical knowledge of botnets from peeking inside them. They will also learn the methods and techniques for unlocking them and will have a better understanding of their logic and attack methods. We are going to peek inside these famous botnets and their original files and see their attack logic and architecture design. We will share and exchange our past experience with real-case scenarios. Finally, we are going to reveal the full source code of an advanced botnet targeting 10 banks, with a live demo.

Bio:

Senad Aruc is a seasoned cyber security professional with more than 10 years of experience in incident management, CSOC and MSSP operations, IT security, IDS & IPS, SIEM, network and digital forensics, and malware analysis.

Blog:

http://senadaruc.com

Level: Technical

Abstract:

The only open port on a large number of hosts is the Remote Desktop Protocol (RDP). You have a username and password for each of them, but signing in manually to each host would take days, if not weeks. RDP has many bells and whistles, but what can help in this particular case? Come and let’s deliver commands or payloads over the Remote Desktop Protocol (RDP) to a massive number of hosts.

What to expect? An attack scenario on hardened hosts where only RDP is open. Some of the author’s tools will be presented, such as:

Bio:

Vlatko Kosturjak is a security consultant at Diverto, where he helps clients reach their desired security level(s). He likes to break and build, depending on the mood and the time of day (or night). Besides security, his passion is open and free software, so he has authored many open-source offensive tools and contributed code to various free security software projects.

Level: Technical

Abstract:

New systems are always interesting targets, since their security model has not had time to mature. NoSQL databases are no exception and have had some bad press about their security. But what does their protection actually look like? We will take a look at three widely used systems and their unique approaches:

  • MongoDB: widely criticized for publicly accessible databases and a common victim of ransomware. In fact, it provides an elaborate authentication and authorization system, which we will cover from a historical perspective with an emphasis on the current state.
  • Redis: security through obscurity, or how you can rename commands. It also features a unique tradeoff for binding to publicly accessible interfaces.
  • Elasticsearch: Groovy scripting has been a constant headache, but the new, custom-built scripting language Painless tries to take the pain away, literally.
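As an added example (not from the talk or its slides, and not Redis’s own code), the following Python audits a redis.conf for the two Redis points above: whether the dangerous commands have actually been taken off their default names with rename-command, and whether the combination of bind, protected-mode and requirepass leaves the server reachable from non-loopback clients. The directive semantics follow the stock redis.conf (protected mode only applies when there is neither a bind directive nor a password); the sample configurations at the bottom are constructed.

```python
"""Audit a redis.conf for the exposure-related settings discussed above.

Added example for this page; not code from the talk, the slides or Redis itself.
Semantics of bind / protected-mode / requirepass / rename-command follow the
stock redis.conf. The sample configurations at the bottom are constructed.
"""
import shlex

# Commands a low-trust client should not reach under their default names.
# Not exhaustive; extend per deployment.
DANGEROUS_COMMANDS = ("CONFIG", "DEBUG", "FLUSHALL", "FLUSHDB", "KEYS",
                      "SHUTDOWN", "SLAVEOF", "REPLICAOF")

# bind arguments that mean "every interface"
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text):
    """Return [(directive, [args...])] in file order.

    Directive names are case-insensitive and are lower-cased; arguments keep
    their case. shlex handles the quoted empty string in
        rename-command CONFIG ""
    which yields args ['CONFIG', ''] (the command is disabled).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_conf(text):
    """Return [(severity, message)] findings for one redis.conf."""
    bind_args = None      # None: no bind directive, Redis listens on all interfaces
    protected = "yes"     # Redis default since 3.2
    requirepass = False
    renamed = {}          # default command name -> new name ('' means disabled)
    for directive, args in parse_redis_conf(text):
        # last occurrence wins, as in Redis
        if directive == "bind":
            bind_args = args
        elif directive == "protected-mode" and args:
            protected = args[0].lower()
        elif directive == "requirepass":
            requirepass = bool(args and args[0])
        elif directive == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]

    findings = []
    if bind_args is None and not requirepass:
        # Protected mode only kicks in when neither bind nor requirepass is set:
        # then non-loopback clients get an error instead of a working connection.
        if protected == "yes":
            findings.append(("MEDIUM", "no bind and no requirepass: only protected-mode "
                             "keeps non-loopback clients out; set bind and/or requirepass"))
        else:
            findings.append(("HIGH", "no bind, no requirepass, protected-mode no: "
                             "unauthenticated access from every interface"))
    elif bind_args is not None and not requirepass and any(a in WILDCARD_BINDS for a in bind_args):
        # The tradeoff: an explicit bind switches protected mode off, so a wildcard
        # bind without a password is open to anyone who can route to the host.
        findings.append(("HIGH", "wildcard bind without requirepass; protected-mode "
                         "no longer applies once bind is set explicitly"))

    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(("LOW", f"{cmd} reachable under its default name; "
                             f'rename-command {cmd} "" disables it (a secret new name '
                             "is obscurity, not authentication)"))
    return findings


# Constructed samples: an internet-facing cache with defaults left in place,
# and a hardened one.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode yes
port 6379
"""

HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
rename-command DEBUG ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command KEYS ""
rename-command SHUTDOWN ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name}")
        for severity, message in audit_redis_conf(conf) or [("OK", "no findings")]:
            print(f"  {severity}: {message}")
```

Run it against a real redis.conf by reading the file into `audit_redis_conf`. The one check worth remembering from the weak sample is the bind finding: setting `bind 0.0.0.0` to "make it work from the other host" silently turns protected mode off, so the password (or a loopback-only bind plus a tunnel) is what actually stands between the data and the network, and renamed commands only raise the bar for someone who has not read the config.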

Slides: https://speakerdeck.com/xeraa/nosql-means-no-security

Bio:

Philipp Krenn lives to demo interesting technology. Having worked as a web, infrastructure and database engineer for over ten years, Philipp now works as a developer advocate at Elastic, the company behind the Elastic Stack, consisting of Elasticsearch, Kibana, Beats and Logstash. Based in Vienna, Austria, he is constantly traveling Europe and beyond to speak about and discuss open source software, search, databases, infrastructure and security.

Blog:

https://xeraa.net

Level: Technical

Abstract:

The presentation deals with the abuse of third-party cloud services in targeted attacks. Through multiple APT cases from all around the world, we will show which cloud services were abused, why and how. For each case, we will discuss the advantages and disadvantages of such abuse for malware developers, organizational defenders and threat researchers. Both Windows and Android malware cases will be included.

Full description:

In order to achieve their espionage goals, threat actors need a mechanism to exfiltrate data from their targets. Malware developers have a multitude of choices for this task, among them the design and implementation of a custom communication protocol and the use of an existing protocol offered by various cloud services.

In this presentation, we will first discuss the benefits and limitations of implementing a custom communication protocol. Then we will explore cases where attackers abused third-party cloud services in selected targeted attacks. These cases involve noteworthy targeted threat actors from all over the world, including Patchwork (South Asia), Confucius (South Asia), MuddyWater (Middle East), SLUB (Korea) and APT-C-36 (Latin America). In these examples, we will show which cloud services were abused and exactly how it happened. We will also mention the additional difficulties these cases brought for defenders trying to detect and block these attacks at the network level.

As we will see, the campaigns involved not only the Windows operating system but also the Android mobile platform. Fortunately, cloud services also open new opportunities for threat researchers that did not exist with traditional C2 communication protocols. We will discuss some of these advantages in the selected examples of targeted attacks that we analyzed.

Bio:

Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, including APTs, DDoS botnets, banking Trojans, click fraud and ransomware. He has successfully presented his research at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf and CARO.