ROOTCON 16


Theme: (Hard Wire)


September 28, 29 & 30 2022
Taal Vista Hotel, Tagaytay City



Talks

A new secret stash for fileless malware
by: Denis Legezo
Download Slide | Watch Video

Today, attacks using fileless malware have become more complex, and the actors behind them have created new, advanced means of implementing them. In 2022, Kaspersky discovered new methods used to keep the code hidden from prying eyes. For the first time, we discovered that Windows event logs participate in the infection chain. This is concerning, as event logging exists in every installation of the most widely used operating system on the globe.

These informational messages can hold additional binary data. The dropper saves the shellcode into the event source information of the Key Management System (KMS), assigning a specific category ID and incrementing message IDs. Auxiliary malicious modules can then gather the 8KB pieces from the logs, reassemble them into the complete shellcode and run it.

Nevertheless, the actor’s interest in the event logs isn’t limited to storing the shellcode. To hide the infection process, the Go droppers also patch the ntdll.dll Windows API functions related to logging (EtwEventWriteFull and others).

In our presentation, we will share the results of our in-depth research into the infection chain, containing:
- commercial pentesting frameworks
- a number of anti-detection decryptor-launchers, written in different languages
- last stage fully-fledged trojans for C2 communications and lateral movement


Alternative ways to detect mimikatz
by: Balazs Bucsay / @xoreipeip
Download Slide | Watch Video

mimikatz is detected by AVs and EDRs in different ways, mostly based on signatures and behavior analysis. These techniques are well known, but we looked into a few other things to find more exotic ways. Turns out that mimikatz by default talks to USB devices, so I created an emulated device as a user-mode driver for Windows, which is capable of detecting most mimikatz variants out-of-the-box. Another technique was implemented and will be part of the presentation, where the console communication is "sniffed", but this technique can be applied to other malware as well. Both techniques will be published and the code will be open-sourced after the con.


AWSGoat : A Damn Vulnerable AWS Infrastructure
by: Jeswin Mathai, Shantanu Kale, and Sanjeev Mahunta
Download Slide | Watch Video

Compromising an organization's cloud infrastructure is like sitting on a gold mine for attackers, and sometimes a simple misconfiguration or a vulnerability in a web application is all an attacker needs to compromise the entire infrastructure. Since the cloud is relatively new, many developers are not fully aware of the threatscape and end up deploying vulnerable cloud infrastructure. When it comes to web application pentesting on traditional infrastructure, deliberately vulnerable applications such as DVWA and bWAPP have helped the infosec community understand the popular web attack vectors. However, at this point in time, we do not have a similar framework for the cloud environment.

In this talk, we will present AWSGoat, a vulnerable-by-design infrastructure on AWS featuring the latest OWASP Top 10 web application security risks (2021) and other misconfigurations in services such as IAM, S3, API Gateway, Lambda, EC2, and ECS. AWSGoat mimics real-world infrastructure but with added vulnerabilities. The idea behind AWSGoat is to provide security enthusiasts and pen-testers with an easy-to-deploy/destroy vulnerable infrastructure where they can learn how to enumerate cloud applications, identify vulnerabilities, and chain various attacks to compromise the AWS account.


Building defensive playbooks from others misfortune
by: Chester Wisniewski
Download Slide | Watch Video

Building defensive strategies is difficult at the best of times, and too often it is shaped by what we read in the headlines instead of by real hands-on experience. The problem with getting that experience is that you must be victimized to gain the experience necessary to craft your defensive plans. We must learn from others to gain the experience we need before it happens to us.

Sadly, most victims don't share their stories, as they are often embarrassing or show some level of negligence in keeping their data secured. This talk will condense the experience of those victims into actionable advice for defenders to use in creating their own up-to-date defensive strategies. Using data from 144 distinct attacks in 2021, I will demonstrate the most common tools, tactics, and procedures (TTPs) used to gain access to networks and the behaviours to watch for that indicate compromise. This information was gathered by the Sophos Rapid Response team, a group of incident responders who are called in to assist victims during attacks worldwide.


China’s Cyber Capabilities: Espionage, Warfare, and Implications
by: Aaron Aubrey Ng
Download Slide | Watch Video

Over the past decade, there has been an alarming rise in the frequency and sophistication of China’s state-sponsored and state-affiliated cyberespionage activity, as well as in its scope of targeting. China-Nexus Adversaries have deliberately and aggressively pursued targets across a spectrum of industries, including technology, defense, energy, healthcare, education, and other key sectors, in pursuit of trade secrets and sensitive information.

Of note, in early 2021, China-Nexus Adversaries rapidly and effectively exploited a series of vulnerabilities in Microsoft Exchange — now collectively known as ProxyLogon and ProxyShell — to compromise email servers and consequently the sensitive information of tens of thousands of organizations around the world. Over the duration of the pandemic, Chinese cyberespionage campaigns continued to target hospitals and research institutions for data that could confer competitive advantages in science and technology, with a particular emphasis on COVID-19 related research.

Coupling these recent prolific intrusions with the longstanding campaign targeting a wide swath of industries, including insurance, travel & hospitality and government, for the purpose of acquiring sensitive personnel data, the threat that China-Nexus Adversaries pose to organizations today cannot be overstated.

This session will provide insight into China’s intent and capabilities for cyberespionage and, importantly, what organizations can do to address this challenge effectively.


DDexec
by: Carlos Polop (@carlospolopm) and Yago Gutiérrez
Download Slide | Watch Video

Running binaries in memory from a reverse shell on the target machine is very common in Windows environments; there are dozens of different ways to achieve this, many of them very simple. In Linux environments, however, it is not so common, nor so easy, to load things into memory from a simple bash session, for example.

In this talk we will present and show a novel technique for loading binaries and shellcode into memory from a Linux session without touching the disk, which not only is potentially stealthier but also bypasses measures such as filesystems mounted read-only and/or noexec.


Gazing into the Crystal Ball - The Fog of Cyberwarfare Escalations
by: Harshit Agrawal (@harshitnic)
Download Slide | Watch Video

Every new technology presents the possibility of new weapons, and for every new weapon, there’s a soldier hoping it will yield the ultimate advantage, although few ever do. The nature of war is never going to change. But the character of war is changing before our eyes–with the introduction of a lot of technology, a lot of societal changes with urbanization, and a wide variety of other factors. In order to have a robust discussion about how emerging technologies may affect the proliferation of modern cyberwar, it is vital to understand these technologies. In this session, ISR techniques (intelligence, surveillance, reconnaissance) and counter-drone security serve as productive examples of technologies that we have witnessed in recent conflicts playing the role of a potential tool of exploitation, and that will be greatly escalated in the future as well. This session provides the background and context required to assess potential challenges from this emerging cyber threat. As will be demonstrated with case studies, advancements in these areas are especially relevant because they have made it increasingly easy for Infosys to leverage these technologies to achieve its objectives and threaten the global IT/ICS ecosystem.


How Did I Get Here? I still don’t know what I’m doing: Getting into The Lifelong Adventure of Learning Cybersecurity & Incident Response
by: James Kainth (@j3st3rjames)
Download Slide | Watch Video

Where will your journey take you? My adventures have taken me from feeling confident about knowing what is normal for our computers or in our networks, to never feeling that way again and daring to innovate. Incident Response is an ever-growing field, with not enough people who can do the work. Heck, most jobs that require some form of cybersecurity are suffering from a lack of support. The skills gap is REAL! If you want to learn and stay up to date with the ever-expanding world of cybersecurity, then this talk is for you. In digital forensics/incident response (DF/IR) you can peek behind the scenes of technology and learn about an entire world you never even knew was there! Think you’ve cleaned up after your ultimate hack? Think again! By starting your adventure into DF/IR you get to sleuth and learn about the artifacts attackers leave behind! Join me on this journey of self-improvement as we discover the potential cyber detectives we know we can be! Learn what the necessary skills are to get into DF/IR with James Kainth, who works on a Fortune 50 Incident Response Team! Develop an action plan to get started on your journey learning DF/IR today! While attending this session, folks will:

* Learn about the field of digital forensics & incident response
* Learn about ways to stay up to date in the cybersecurity industry
* Learn skills to tackle the imposter syndrome that comes along with being in any technical field
* Realize that Imposter syndrome can be a productive feeling if managed well
* Learn about free/open-source resources like Wazuh, ZimmermanTools, Autopsy, FTK Imager, Elastic Stack, Wireshark, and more!
* Generate an action plan and outline next steps to continue learning DF/IR
* Don’t delay … Start threat hunting today!


Human-Controlled Fuzzing With AFL
by: Maxim Grishin / Igor Korkin (@IgorKorkin)
Download Slide | Watch Video

Early detection of new bugs is crucial for all modern software products. Fuzzing techniques are applied to reveal different types of bugs and vulnerabilities. American Fuzzy Lop (AFL) is a free and very popular software fuzzer used by many other fuzzing frameworks. However, AFL has some disadvantages; the key one is that AFL verifies the program code without human intervention, whereas an involved security expert can make the fuzzing process more focused. On the one hand, AFL simplifies applying fuzzing systems, but, on the other hand, the flexibility of AFL is limited. Fuzzing is based on sending generated data as input to the target application and recording how the instrumented app processes this data. Using the output of the instrumented app, AFL generates new input data to go deeper inside the application in the next step.

As a result of such an autonomous mode of operation, a fuzzer spends a lot of time analyzing minor code sections. To address this, the paper proposes a new approach that fuzzes only the specified functions. As a result, the chosen functions are inspected more meticulously by the fuzzer, without wasting time on minor code sections. Another new feature is feedback about the inspected functions and controls, so that an expert can change which functions need work at runtime. The developed module has been integrated with AFL and successfully responds to this challenge. This expert-controlled fuzzing with AFL shows positive test results.


Microsoft Defender Will Be Defended: MemoryRanger Prevents Blinding Windows AV
by: Igor Korkin (@IgorKorkin) and Denis Pogonin
Download Slide | Watch Video

Windows is facing a huge rise in kernel attacks. An overview of popular techniques that result in loading kernel drivers will be presented. One of the key targets of modern threats is disabling and blinding Microsoft Defender, the default Windows AV. An analysis of various attacker techniques that can disable and blind Microsoft Defender will be given. One recently published attacker technique abuses Mandatory Integrity Control (MIC) and the Security Reference Monitor (SRM) by modifying the Integrity Level and Privileges of the Defender application via syscalls. However, this user-mode attack can be blocked via the Windows “trust labels” mechanism.

The presented research explores the internals of MIC and SRM, including an analysis of Microsoft Defender during malware detection. We show how attackers can achieve the same result using a kernel-mode driver. The driver modifies the fields of the Token structure allocated for the Microsoft Defender application. The experiments prove that Microsoft Defender is disabled without triggering any Windows security features, such as PatchGuard. A customized MemoryRanger was used to protect the Windows Defender kernel structures. The experiments show that MemoryRanger successfully blocks illegal access attempts to this kernel data with affordable performance degradation.


Pwnppeteer - Phishing Post {Exploi/Automa}tion at Scale
by: Joffrey Czarny aka Sn0rkY
Download Slide | Watch Video

Phishing is a well-known attack, but more and more companies have implemented countermeasures to limit the efficiency of this kind of attack. For example, Multi-Factor Authentication (MFA) is being adopted to make password spraying and standard phishing ineffective. The countermeasures adopted raise the exploitation bar for attackers.

But what happens if you can easily tamper with MFA too? If you can proxy all traffic, directly steal sessions and automate malicious actions before the credentials are changed or the attack is detected? What if you phish an SSO portal and are then able to instrument all applications granted with an SSO token...

The goal is to share my experience of a massive phishing campaign, how you can use Muraena/Necrobrowser at scale, and to show how we can phish and get temporary access to steal enough data or add some persistent access in order to come back later. And of course before being detected and losing access.

The Muraena/Necrobrowser tool and concept have already been presented at several conferences, but what I plan to present here is Pwnppeteer, the Necrobrowser Lambda implementation: https://github.com/muraenateam/pwnppeteer. The focus will be on targeting SSO portals and how efficient this attack can be.


Security Like the 80's : How I stole your RF
by: Ayyappan Rajesh
Download Slide | Watch Video

The issue of convenience vs. security has been spoken about for years now. With most devices having wireless capability, it invites trouble, especially when the wireless link is not encrypted or secured, right from our tap-to-pay cards to even unlocking and starting our car.

This talk discusses CVE-2022-27254 and the story of how we came to discover it. The CVE covers an issue in the remote keyless system of various Honda vehicles that allows an attacker to access the cars, and potentially even drive away with them!


Signs, Signs, Everywhere There are Signs of a Ransomware Intrusion
by: Allan Liska
Download Slide | Watch Video

Threat hunting is a great way for organizations, even those with a limited security budget, to look for indications that a ransomware actor is in their network. However, there is an assumption that threat hunting is challenging and requires a large, well-funded security team to carry out. That is not always the case. There are some low-cost things organizations can do to conduct effective threat hunting missions in their network. This presentation will review some effective, relatively easy threat hunting missions that defenders can carry out to look for signs of a ransomware actor. Some of these include:
1. Alerting when security tools are disabled
2. Looking for remote desktop tools
3. Hunting through PowerShell logs
4. Traffic to mega.nz or one of its other domains
5. Looking for common file copy tools.


Streamline security with shift left: A cloud approach
by: Avinash Jain
Download Slide | Watch Video

In the agile world, continuous iteration of development and testing happens throughout the software development lifecycle, involving constant collaboration with stakeholders and continuous improvement at every stage, and engineers release their changes very frequently. All this makes the chance of potential security loopholes more and more real.

According to the most recent Secure Code Warrior report, more than 50% of organizations are still following reactive security practices, such as using tools on deployed applications and manually reviewing code for vulnerabilities. Even the DORA 2021 Accelerate State of DevOps report suggests that security can no longer be an afterthought. Top performers who have implemented security practices earlier in the software development life cycle are likely to exceed their reliability targets by 2x.

Companies often have high-quality security scanning and detection signals for application security issues only once the app is running in production, but increasingly need to understand issues when the code is written, so that they have a scalable pipeline for identifying and preventing attacks early, before they get into production and while they are less expensive to fix in terms of overall effort and cost. Attacks like Solarigate (Zod) demonstrate how security hardening later in the supply chain is shifting attacks earlier. This trend of moving towards prevention by including security from the early stages of the SDLC with a proactive mindset is known as “Shift Left”, together with securing the development environment with DevSecOps controls. Here I seek to build the right framework to get much earlier security scanning and detection built into the CICD pipeline in a scalable way, to productize testing, monitoring, and response and to support security drift detection.

By integrating security in CICD, one can deliver secure and compliant application changes rapidly while running operations consistently with automation. To do this well, the most logical place where security can be checked is code review. But this raises a series of questions:

How can it be achieved?

How can we make sure every release that goes to production has proper security sign-off?

How can we scan and test every piece of code that is changed from not just DAST or SAST point of view but also including wide custom and flexible security test cases?

Here we will talk about building such a solution and framework to integrate security in CICD and automate the complete process of continuously scanning for different kinds of potential security issues on every code change in Azure Pipelines.

Some of the improvements it brings:

- Wide variety of security checks: integration of standard and custom checks
- Early checks: security checks are now performed as soon as any PR is raised or code is modified
- Highly flexible: the security checks are very modular; we can add more checks as we want and configure them to perform response-based actions
- Completely automated: automation is the key; let the machines do the work
- Alerting: integration of alerts for check success or failure
- Reporting: scan reports are shared across different communication channels
- Framework as code: any company having their CICD on Azure can use this framework by just running the in-house-built cloud formation template
- Vulnerability management: all vulnerabilities and findings are logged in a single place, Azure Security Center


The Simple, Yet Lethal, Anatomy of a Software Supply Chain Attack
by: Yehuda Galb
Download Slide | Watch Video

Security teams nowadays are struggling to contain the risk of software supply chain attacks on their organizations; the controls they implement range from internal controls such as hardening CI services and developer workstations to demanding compliance with standards from vendors and contractors.

However, one of the areas where security teams have a harder time is open-source software.

The use of third-party software components is part of the modern software development culture, with over 90% of engineering teams worldwide building and shipping software that uses external code. While facilitating extreme agility, it also increases the attack surface of organizations, as seen in the spike of recent major incidents.

It’s well known in cybersecurity that you must understand the threat you are facing. In this session, we will give an overview of the software supply chain flow and deep dive into the weak spots of each stage.

We will also demonstrate the ease of conducting this sort of attack and give our point of view as defenders.


Uncovering 0-days in Healthcare Management Applications
by: Aden Yap Chuen Zhen, Sheikh Rizan and Muhammad Ali Akbar
Download Slide | Watch Video

OpenEMR is the most popular open-source medical practice management, electronic medical records, prescription writing and medical billing application used by healthcare professionals. Security researchers from Project Insecurity and SonarSource had reported numerous vulnerabilities in the OpenEMR application prior to 2021.

However, the BAE Systems Vulnerability Research team took up the challenge of uncovering more vulnerabilities in the same application. To our surprise, we still found a huge number of high-impact vulnerabilities in the application recently. These vulnerabilities could potentially expose medical records and other sensitive patient data, and allow tampering with billing information and administrator functionality by unauthorized personnel. The security flaws were discovered by combining manual source code analysis and white-box testing.

In this talk we will share our experience of uncovering over 60 vulnerabilities resulting in 8 public CVEs. We will share the key findings (subject to pending patch rollout) and the challenges of hunting in the OpenEMR VDP. It is our hope that this talk will enable other researchers to get involved in vulnerability research and help make the Internet a safer place.


Understanding and Re-creating Process Injection Techniques through Nimjector
by: Ariz Soriano / ar33zy
Download Slide | Watch Video

Process injection is one of the prominent techniques used by threat actors to execute malicious code and gain access inside a target’s system. It mostly aids stealth and evasion, to avoid common security defenses such as endpoint detection & response (EDR) and antivirus (AV) software.

From a red teamer's perspective, being knowledgeable about different process injection techniques can be handy when crafting payloads that evade such defenses. On the other hand, blue teamers would better understand how a payload interacts with and establishes a foothold inside a compromised machine. When either team is unacquainted with this technique, they could have a hard time producing a working payload or improving the defenses of an organization by detecting indicators of compromise (IOCs).

Nimjector is a payload creation framework written in Nim which enables Penetration Testers and Red Team Operators to easily re-create or simulate process injection techniques based on a template. This tool also allows Security Operations Center (SOC) Analysts or Incident Responders (IRs) to understand and learn how different process injection techniques run and execute.

Inspired by existing Nim repositories such as OffensiveNim, Nimcrypt2, and NimHollow, this new tool was created to help both teams understand and learn more about process injection. It aims to open a collaboration between creating templates from malware samples used by threat actors and using these to feed or tune security tools to detect such techniques.


Wild IoT Tales: from power grids to oil pipelines
by: Barak Sternberg
Download Slide | Watch Video

In this talk, we will analyze 3 of the wildest IoT attack stories that happened last year: who was targeted? What malware was used? What was the impact? First, we will dive into and explore the recent attack on Ukrainian power grids and show how it (almost) caused a blackout for over 2 million people in Ukraine! We will further technically analyze "Industroyer2", the unique malware used in this attack, its unique ways of operation and cool techniques. Afterwards, we will describe the Conti ransomware attack on the Public Health Systems in Ireland (HSE) and see for how long the attackers stayed hidden in their IT networks! Finally, we will briefly describe the Colonial Pipeline attack in the US, the damage that was done and how the FBI got involved in all that! We will explore some of the unique technical techniques, attack vectors and lateral movement involved! This systematic review concludes the wild IoT attacks of the year and is based on multiple technical and public reports!

Speakers


Aaron Aubrey Ng

Aaron Aubrey Ng serves as Strategic Threat Advisor at Crowdstrike. He is responsible for CrowdStrike’s Threat Intelligence business across Asia-Pacific and the Middle East & North Africa regions. Aaron focuses on helping customers operationalise and integrate threat intelligence within their organisation's cybersecurity strategy. Additionally, he represents the Crowdstrike Intelligence ecosystem and frequently speaks at Security Conferences, sharing insights into the latest threat trends and developments.

Aaron got his start in Security and Threat Intelligence in the Singapore Armed Forces as a Military Intelligence Officer. He concluded 12 years of Active Duty in 2019 and has served in multiple Command Appointments in classified Intelligence Units, and garnered staff experience in the areas of Strategic Planning and Policy Development. In his penultimate tour of duty, Aaron was instrumental in establishing the Defence Cyber Organisation (DCO), which is akin to Singapore’s Cyber Command.



Aden Yap Chuen Zhen

Aden is a penetration tester with BAE Systems based in Malaysia and has 6 years of experience in the field of cybersecurity. He is responsible for delivering red teaming exercises and various penetration tests for numerous industries and has reported critical vulnerabilities in their applications and infrastructure. He holds CRTO, OSCP, CREST-CRT, CEH and other industry certifications. Apart from projects, he has also contributed to bug bounty programs for the health and financial industries and to vulnerability research programs for internet spaces.

Allan Liska

With more than 20 years of experience in ransomware and information security, Allan Liska has improved countless organizations’ security posture using more effective intelligence. Liska provides ransomware-related counsel and key recommendations to major global corporations and government agencies, sitting on national ransomware task forces and speaking at global conferences. Liska has worked as both a security practitioner and an ethical hacker at Symantec, iSIGHT Partners, FireEye, and Recorded Future. Regularly cited in The Washington Post, Bloomberg, The New York Times, and NBC News, he is a leading voice in ransomware and intelligence security. Liska has authored numerous books including “The Practice of Network Security, Building an Intelligence-Led Security Program;” “Securing NTP: A Quickstart Guide;” “Ransomware: Defending Against Digital Extortion;” “DNS Security: Defending the Domain Name System;” and “Ransomware: Understand.Prevent.Recover.”

Ariz Soriano

A purple teamer in the making, Ariz (also known as ar33zy) is an Information Security Professional with 5 years of experience in the field and is currently leading the Red Team Operations at THEOS Cyber Solutions. Before transitioning as a full-time penetration tester and red teamer, he worked as a SOC Analyst and Incident Responder where he gained and developed his skills in Threat Hunting and DFIR. Currently, he is holding multiple certifications such as GCDA, CRTP, CRTE, CRTO, OSCP, and OSEP.

He is also a member of hackstreetboys, a Filipino CTF team competing in different events such as ROOTCON CTF and DEFCON Red Team/Blue Team Village CTFs.

Avinash Jain (logicbomb_1)

I am an information security researcher working at Microsoft and earlier built complete end-to-end information security in a couple of startups. I love to break application logic and find vulnerabilities in them, which have been acknowledged by various MNCs like Google, Yahoo, NASA, VMware, MongoDB, and other top companies. I am also an active blogger where I write about interesting vulnerabilities, data privacy issues, and everything security. Some of my articles and interviews have been published in various news media like Forbes, BBC, TechCrunch, Economic Times, Huffington Post, Hindustan Times, ZDNet, Hakin9, HackerOne, etc. I am also a cybersecurity speaker and love to share my views on various infosec threads.

Ayyappan Rajesh

I'm a student at the University of Massachusetts Dartmouth and a cybersecurity enthusiast. Currently the Social Chair at the Cybersecurity Education Club @ UMass Dartmouth. I like researching radio and wireless security! I love CTFs and often spend my free time on HackTheBox.

Balazs Bucsay / @xoreipeip

Balazs Bucsay is an IT-Security expert and techie geek, mainly focusing on research. He gave multiple talks around the globe (Singapore, London, Melbourne, Honolulu) on various advanced topics and released several tools and papers about the latest techniques. He has multiple certifications (OSCE, OSCP, OSWP) related to penetration testing, exploit writing and other low-level topics and degrees in Mathematics and Computer Science. Balazs thinks that sharing knowledge is one of the most important things, so he always shares his experience and knowledge with his colleagues and friends. Because of his passion for technology he starts the second shift right after work to do some research to find new vulnerabilities.

Barak Sternberg (@livingbeef)

Barak Sternberg is a Founder @ "Wild Pointer", a security research company. Barak is a frequent speaker at cybersecurity conferences, including DEFCON. His previous talks include: "Extension-land exploits and rootkits in your browser extensions" @DEFCON29 and "Hacking smart devices for fun and profit" @DEFCON 28 IoT Village. Barak is also Hacker-In-Residence at YL Ventures, where he researches emerging cybersecurity trends and technologies and conducts technological due diligence. Prior to founding "Wild-Pointer", Barak was a Senior Security Researcher at SentinelOne and a Senior Security Researcher and Innovation Lead at Blue-Ocean. Barak also served for over six years in Unit 8200, an elite technological intelligence unit of the IDF. Barak holds a BSc degree and a Master of Science in Mathematics and Computer Science focused on algorithms from Tel Aviv University.

Carlos Polop (@carlospolopm)

Carlos has a degree in Telecommunications Engineering with a Master in Cybersecurity. He has worked mainly as Penetration Tester and Red Teamer for several companies, but also as developer and system administrator. He has several relevant certifications in the field of cybersecurity such as OSCP, OSWE, CRTP, eMAPT and eWPTXv2. He was captain of the Spanish cybersecurity team in 2021 and champion with Team Europe in the ICSC 2022. Since he started learning cybersecurity he has tried to share his knowledge with the infosec community by publishing open source tools such as https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite and writing a free hacking book that anyone can consult at https://book.hacktricks.xyz.

Chester Wisniewski

Chester Wisniewski is a principal research scientist at Sophos.

With more than 20 years of professional experience, his interest in security and privacy was first piqued while learning to hack from bulletin board text files in the 1980s, and it has since been a lifelong pursuit.

Chester analyzes the massive amounts of attack data gathered by SophosLabs to distill and share relevant information in an effort to improve the industry’s understanding of evolving threats, attacker behaviors and effective security defenses. He’s helped organizations design enterprise-scale defense strategies, served as the primary technical lead on architecting Sophos’ first email security appliance, and consulted on security planning with some of the largest global brands.

Denis Legezo

A GCFA-certified specialist working as a Lead Security Researcher with the Global Research and Analysis Team (GReAT), at Kaspersky since 2014. He specializes in targeted attack research, reverse engineering and malware analysis, and regularly provides training for customers on these topics. He received his degree from the cybernetics and applied mathematics faculty of Moscow State University in 2002, with a diploma topic related to information security, and then started his career as a programmer in various public and commercial companies. He has presented his research at RSA, HITB, SAS, VirusBulletin and MBLT Dev.

Denis Pogonin (@DenisPogonin)

I'm a penetration tester and an application security expert at BI.ZONE with over 3 years of experience in the IT security field.
I'm an alumnus of NRNU MEPhI, Department of Cryptology and Cybersecurity (#42).
I'm keen on security research on Windows OS and open-source projects.
My research results have been presented at the 2022 ADFSL conference (USA).

Harshit Agrawal (@harshitnic)

Harshit Agrawal (@harshitnic) is currently working as an RF Security Researcher, is a Graduate Student at Boston University, and is Chair for Media & Technology at the IEEE Computer Society - Cybersecurity STC. He is enthusiastic about SIGINT, Drone Pentesting, Network Security, ISR activities, Threat Intel and IoT Security. He has presented his research at multiple international security conferences including Defcon USA, RSAC USA, Cyberweek UAE, HITB Amsterdam, Hack Summit Poland, Nanosec Malaysia, etc. Previously, he was President of the CSI Chapter and Vice President of the Entrepreneurship cell at MIT, where he also headed a team of security enthusiasts, giving him a good insight into cybersecurity and increasing his thirst to explore more in this field. As a student, developer, programmer, and researcher, he believes in providing something out of the box!

James Kainth (@j3st3rjames)

James is a recent graduate of Champlain College who joined a Fortune 50 tech company in 2020 as an early professional and joined their elite family of Incident Response Consultants. Ever since he got his first computer in 2008 and then broke it, James has been troubleshooting his life into what some have called that of an artificial intelligence that learns to walk by tripping up the stairs. But he's just getting started! You can find him @j3st3rjam3s on most of the things, recording YouTube videos at bit.ly/TheJestersCastle, and blogging on jameskainth.com.

Igor Korkin (@IgorKorkin)

I have been in OS security research for more than 10 years working on various areas related to Windows and Linux kernel security, rootkit detection, memory forensics, bare-metal hypervisors. I apply theoretical knowledge and practical expertise to make computer systems secure and reliable.

My research results were presented at numerous conferences all over the world: BlackHat 2021 (UK), Texas Cyber Summit 2021 (USA), IEEE SP SADFE 2021 (USA), HITB 2020 (Singapore), BlackHat 2018 (UK), REcon 2016 (Canada), six ADFSL conferences 2014-2019 (USA), and RusCrypto 2011 (Russia).

You can find my results in my blog - https://igorkorkin.blogspot.com

Jeswin Mathai

Jeswin Mathai is the Chief Architect (Lab Platform) at INE, where he leads the team responsible for managing the lab infrastructure. Prior to joining INE, he was a senior security researcher at Pentester Academy (acquired by INE). He has published his work at DEFCON China, RootCon, Black Hat Arsenal, and Demo Labs (DEFCON). He has also been a co-trainer in classroom trainings conducted at Black Hat Asia, HITB, RootCon, and OWASP NZ Day. He has a Bachelor's degree from IIIT Bhubaneswar. He was the team lead at InfoSec Society IIIT Bhubaneswar, in association with CDAC and ISEA, which performed security auditing of government portals and conducted awareness workshops for government institutions. His areas of interest include Cloud Security, Container Security, and Web Application Security.

Joffrey Czarny aka Sn0rkY

Joffrey Czarny is a Red Team Leader at Medallia, a security researcher and VoIP hacker at night, and an Ambassador of Happiness and Healthy Living. Since 2001 he has been a pentester/red teamer who has released advisories and tools on VoIP Cisco products, Active Directory, and SAP, and he has spoken at various security-focused conferences including Hack.lu, Troopers, ITunderground, Hacktivity, HITB, SSTIC, REcon, and Black Hat Arsenal.

Maxim Grishin

I hold a bachelor's degree from the National Research Nuclear University MEPhI. My specialization program is information security. I am doing research in fuzzing of various applications, and I have already taken part in some events. For example, in 2020 I participated in the national information security forum "INFOFORUM - 20" (Russia) as a speaker with the report "Various methods of cyber warfare". After that, in July 2022, I took part in the annual conference on digital forensics, security and law (ADFSL 2022, USA) with a report, on the topic of which I've prepared an article entitled "Human Controlled Fuzzing With AFL"; it has been sent for publication in a journal (JDFSL, USA).

Muhammad Ali Akbar

Ali took his first steps in cybersecurity while participating in Capture The Flag (CTF) competitions. From there, he developed more interest in cybersecurity skills by writing a blog, creating tools and joining CTFs globally and locally. He is a penetration tester with BAE Systems based in Malaysia and has reported several critical vulnerabilities to his clients. He also holds OSCP, CRTO, and CREST-CRT industry certifications. Ali has also contributed the knowledge he gained back to local students in Malaysia and will continue doing so in the future.

Sanjeev Mahunta

Sanjeev Mahunta is a Cloud Software Engineer at INE with a strong background in web and mobile application design and high proficiency in AWS. He holds a bachelor's degree in Computer Science from Amity University Rajasthan. He has 2+ years of experience building front-end applications for the web and implementing ERP solutions. Having interned at the Defence Research and Development Organisation (DRDO), he has acquired neat skills in application development. His areas of interest include Web Application Security, Serverless Application Deployment, System Design and Cloud.

Shantanu Kale

Shantanu Kale is a Cloud Developer at INE with strong roots in cloud, Linux and web application security. He has published his work at Black Hat Asia and has led teams in various national-level hackathons, including the Smart India Hackathon conducted by the GoI. His areas of interest include Advanced Pentesting, Cloud Security, Malware Analysis, Cryptography, Web Application Security and AD Security.

Sheikh Rizan

Rizan is a passionate information security professional with more than 20 years of experience. He loves anything Linux or open-sourced. He has spent over 13 years securing one of the largest oil and gas companies in the world from cyber threats. He holds several industry-relevant certifications including OSCP, OSCE, OSWE, Burp Certified Practitioner and CISSP. He has reported security bugs to the US Department of Defense (US DoD), Spotify, Amazon, General Motors, Toyota, Alibaba, Airbnb, Dell, Starbucks and Rockstar Games.

Yago Gutiérrez

Yago is currently studying Telecommunications Engineering. He is a C programmer, tolerates Python and has extensive knowledge of Linux internals. He is a frequent CTF player and was a participant in the ECSC 2020 as a member of the Spanish national team.

Yehuda Galb

Yehuda is a security researcher at Checkmarx and has a passion for making cyberspace a safer place to live and work. Prior to Checkmarx, he served as an information system security officer for the Lockheed Martin F-35 program, and assisted in developing the Cyber Defense strategy for Israel’s Air Force, the IAF. Yehuda currently holds numerous cyber certifications including CISSP and CCSP. During his free time he also employs his expertise to help people and non-profit organizations share their stories with the world through audio and visuals. Yehuda’s hobbies include creating music, producing films, traveling, and strategy board games.


Villages

101 Village


Talks
Red Team 101 - Red Team Infrastructure, Planning and Intrusion
Synopsis
Red Team has been a buzzword in the information security field for quite some time, as most people think that anything related to offensive security engineering is Red Teaming. This talk aims to reintroduce the concept and purpose of Red Teaming, and how to start becoming a red team operator. Topics such as the operator's mindset, Red Team infrastructure, phishing methodology and basic payload creation will be covered in this interactive session.

An introductory course to hacking all the things
Synopsis
Want to start offensive security operations but have no idea where to begin? Wonder how they hack machines and gain privileges?

Do you ever wonder how hackers think? What mindset is needed and how you'll formulate your attack plans?

Enroll in our talk on how to take baby steps and hack your first machines.

Web Pentesting 101 - Basic Web Penetration Testing using Burpsuite
Synopsis
A basic and fundamental training on web pentesting for newbie pentesters and security practitioners. This training aims to provide a rundown of how to perform web pentesting using Burp Suite. It will also cover in detail the web pentesting methodology and the end-to-end process of a pentest engagement. The session will be interactive and will include hands-on exercises/challenges. At the end, it will share best practices, tips and tricks on how to perform pentesting more efficiently and deliver enterprise-grade penetration tests.

Malware Analysis 101
Synopsis
In Malware Analysis 101, we will be defining malware and then quickly go over the process of analyzing malware and what malware analysis tools can be used for the task.


Car Hacking Village


Talks
A Teardown of Starting Your Very Own Car Hacking Test Bench
Synopsis
Building a car hacking test bench takes both time and patience: sourcing usable parts, understanding wiring diagrams, powering the parts and connecting them to each other in order to see accurate output for the signals sent as commands through the car hacking tools being used. This talk will give anyone who would like to build their own car hacking test bench tips and tricks on how to build one more quickly and efficiently. Along the way, the challenges of coming up with the car parts grocery list for your test bench will be shared, which will help explain why some car parts just wouldn't work for the intended purpose.

Let's Get Down with canTot: quick and dirty canbus h4xing framework for car hackers
Synopsis
canTot is a Python-based CLI framework built on sploitkit, and it is easy to use because it is similar to working with Metasploit. It is similar to an exploit framework but focused on known CAN Bus vulnerabilities and fun CAN Bus hacks. It can also be used as a guide for pentesting vehicles and for learning Python for car hacking the easier way. The aim is not to reinvent the wheel of known CAN fuzzers, car exploration tools like caring caribou, or the other great CAN analyzers out there, but to combine all the known vulnerabilities and fun CAN bus hacks in automotive security.


Contest Winners
Winners receive the Black Badge, which entitles them to free entrance to next year's conference.

Capture The Flag
Countoten

Hacker Jeopardy
Team Apprentice+


Sponsors

Elite


Gold
To be updated


Supporter
To be updated


Pics

Facebook Photo Dump