Behind LockerGoga – A walk through a ransomware attack worth 40m$
by: Magda Lilia Chelly, CISSP, PhD

This speech technically describes the attack vectors of LockerGoga and how the ransomware could have penetrated the network of the Norwegian aluminium manufacturer Norsk Hydro. With 31 variants and continuous improvements, LockerGoga has powerful characteristics that ensure evasion of traditional security tools. Unlike NotPetya and WannaCry, LockerGoga does not follow the same propagation method, but is instead copied manually. Researchers are publicly discussing stolen RDP credentials or brute-force attacks as the initial vector by which the ransomware got onto the network. The speech will describe the LockerGoga technical variants and will focus on the latest attack, including the possible scenarios, as per the use of tools for red teaming and standard penetration testing operations. The speech will also practically demonstrate how variants of ransomware can evade traditional anti-malware solutions and attack systems, showcasing techniques like process Doppelgänging and process hollowing, with a focus on code injection and heavy binary obfuscation methods that take advantage of NTFS transactions in Windows to run malicious executable code hidden under a legitimate process. The goals of the speech are understanding ransomware variations and evasion methodologies.

Breaking and Entering with SDR: Hacking Physical Access Control Systems and Garage Door Openers, or How I Beat Up Wiegand Over VHF/UHF
by: Tim Shelton aka redsand

In this presentation, we will explore how physical access systems work. Specifically aimed at Wiegand RF attacks over UHF/VHF, this process demonstrates how keyfob security systems can be reverse engineered, understood, and then re-engineered to gain access, clone keyfobs, enumerate data sets and disrupt service.

What we will learn:
1. Basics of Software Defined Radios
2. Basics of Radio Waves
3. Demodulating data from RF by hand, learning Pulse Position Modulation (AM/PPM)
4. Writing GNU Radio plugins to automate demodulation (Reading the data, now let's record our entire complex's keyfobs)
5. Learning Modulation (AM/PPM) (We have lots of data, but can we send/replay/write it?)
6. Writing GNU Radio plugins to automate the modulation (Writing the data in style...)
7. Brute forcing new keyfobs (Steroid use only!)

What we will touch on:
1. Cloning/debugging keyfobs (snicker)
2. Concepts of Keyspace and how it relates to Business Risk
3. How this actually isn't really security when we look at it through an application developer's goggles.
4. Is safety and security a reasonable expectation for these types of physical "security" access systems?

What does this mean? We can copy and clone keyfobs from 500m+ away!

If you would like to participate, you can purchase an RTL-SDR (Software Defined Radio) for $30 at the following link:

Dissecting APT Malware against Taiwan in 2019
by: Bletchley Chen & Inndy Lin

Due to the special political situation in Taiwan, Taiwan receives many APT attacks every year, across different sectors from government and IT to finance. In the first half of 2019, we have already discovered several APT attacks and are investigating several APTs, such as ShadowHammer and ASUS WebStorage. In this presentation, we will share tactics as well as detailed malware techniques. At the tactic level, these APT attacks first compromise a lower-security but trusted third party as the vector to reach the targets, or utilize normal system administration tools and cloud services to achieve their intent and avoid investigation. At the malware technique level, more sophisticated droppers and downloaders are used. These malware are widely equipped with anti-analysis techniques as well as file-less memory modules. The investigation and reversing tools and techniques will also be included in this talk.

    APT against Taiwan in 2019
        ASUS ShadowHammer
        ASUS WebStorage
    APT Tactics
        Supply chain attacks
        Synthesising normal programs for malicious intent
    Malware Techniques
        Stealth methods
        Multi-stage dropper
        File-less memory module
    Investigating Procedure
        Threat Hunting System
        Threat Intelligence System
        Defeating common obfuscation techniques with IDAPython

Don’t be a hater, be an automator
by: Joe McCray

This presentation will cover attacking and defending Amazon Web Services: a detailed technical walk-through of the Tactics, Techniques, and Procedures (TTPs) for attacking EC2, S3, EBS, RDS, and Serverless endpoints (AWS Lambda), with live demos for each.

Hacking ICS devices/PLC's for Fun - ICS and IOT Hacking
by: Arun Mane

New-generation malware and attacks have been targeting ICS systems, causing huge monetary and human-life losses. ICS systems are still vulnerable in nature because they are poorly understood. As ICS industries are old and have been functioning for a long time, security aspects were not considered when they started. Apart from PLC, RTU, DCS and SCADA systems, there are third-party vendor devices available on the market which can talk to or convert one protocol to another; sometimes they are called serial servers or couplers. These devices are still in a vulnerable state from the HMI, protocol and hardware points of view. In this talk, we will demonstrate these devices' vulnerabilities as well as some well-known PLC vulnerabilities.

Hacking Airplane Air to Ground System
by: Ali Abdollahi

One of the most important parts of avionic systems is communication. Airplanes use mobile communication to connect to stations on the ground. In many cases the connection is based on LTE-Advanced technology, and in some cases, when an airplane is over the sea or somewhere else where there is no base station on the ground, it uses a satellite as a hub. In this presentation I will explain the architecture of the communication between an airplane and a ground station, and then review the technology used, such as mobile communications. In the next part I will review the vulnerabilities around mobile communications, particularly in the radio segment used by both the airplane and the ground base station. In the last part of the presentation I will cover and show how a hacker or criminal can take advantage of the communication line between the airplane and the base station for passive sniffing, data manipulation, active sniffing, disruption of airplane functions, and privilege escalation to other avionic systems, which threatens both the airplane and its passengers.

Hacking LTE Radio Tower
by: Ali Abdollahi

The most accessible part of mobile telecommunication is the radio waves and equipment. When you are walking or driving, you may see a radio tower that lets you make a call, send SMS or send data. In this presentation, I will show you how you can perform both physical and logical attacks against LTE radio cell towers to initiate attacks against subscribers and the telecom core network.

The main objectives of the presentation are to show all the techniques, demos and security solutions for passive sniffing, active sniffing, mobile subscriber data manipulation, fraud and pivoting into the core.

Hunting Threats with Wireshark Plugins
by: Nishant Sharma, Jeswin Mathai, & Shivam Bathla

Network traffic dumps can be very valuable when processed with proper tools. There are various open source and paid tools to analyse the traffic, but most of them either have predefined functionality, scalability issues, or one of a dozen other problems. But what if we can convert our favourite traffic analysis tool, Wireshark, into an extensible, free, platform-independent threat/signature/attack hunting tool? In this presentation, we will talk about developing Wireshark plugins to do security analysis of live and stored packets. We will use examples of older and newer protocols (including non-standard ones) to explain the plugin workflow and development.

Identity crisis: war stories from authentication failures
by: Vishal Chauhan

Your online identity has become one of your most valuable assets. Identity vulnerabilities can let attackers completely masquerade as you online: access your personal information, your social media, online banking, and more.

In this talk, we will explore some of the vulnerabilities that Microsoft has observed related to online identity compromise and the approaches we’ve taken to address these issues. These examples will demonstrate how you might approach searching for other vulnerabilities in the identity space and the bug bounty programs that exist to support these efforts.

Making Anomaly Detection system(ADS) for Vehicles (Automotive Hacking)
by: Arun Mane & Nikhil Bogam

Today all vehicles are connected through V2X technologies. All manufacturers are coming out with new technologies which can be added to the vehicle industry, like fleet management systems, diagnostic toolsets, etc. These systems come from third-party vendors and are still in a vulnerable state. So addressing their weaknesses requires a specific skillset in cybersecurity as well as in attack mitigation for the vehicle industry. The mitigation part (making an ADS) requires huge and niche expertise in the vehicle industry. No one has shown how to mitigate these vehicle attacks through ADS systems at any conference. In this talk we will show you how to make an ADS (Anomaly Detection System) to mitigate vehicle cybersecurity attacks.

CANBus attacks

- Introduction and protocol Overview

- Firehose attack

- Replay Attacks

- Right-After and Right-Before Attacks

- Denial of Service

Making an ADS (Anomaly Detection System)

- To mitigate the Firehose attack: the expected CAN message reception frequency is checked against the actual one. If it is not in range, the message is discarded and will not be processed. If an expected CAN message is not received at the expected frequency, the system transitions to a safe/secure state. (CAN message frequency checking)

- To mitigate Replay Attacks: the transmitter ECU sends an encrypted message which includes a monotonic counter and the data; at the receiver end, after decryption, the receiver checks that the received monotonic counter equals the last received counter plus the counter's increment value. In case of a mismatch, the receiver discards the message, which in turn prevents the replay attack.

- To mitigate Right-After and Right-Before Attacks: the receiver ECU's CAN message circular buffer shall check whether the buffer is full. So if a last-in-first-out circular buffer is implemented and a Right-After attack is executed, checking for a full buffer will prevent the malicious CAN message from overriding the intended CAN message. Similarly, if a first-in-first-out circular buffer is implemented and a Right-Before attack is executed, checking for a full buffer will prevent the malicious CAN message from overriding the intended CAN message.

- To mitigate Denial of Service: all expected CAN messages are filtered in and unexpected messages are discarded. If a DoS attack is executed, the filter will not allow these unexpected messages to be processed. (Frequency checker of CAN frames)
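The four mitigations above, as an added example (not the speakers' code): a small receiver-side anomaly detector run over a constructed CAN frame log. Everything in it is an assumption made for illustration, not taken from the talk: 11-bit IDs, an allow-list of two expected IDs with nominal periods and a 50% tolerance, a one-byte monotonic counter carried in the first data byte of the counter-protected message (the talk's encryption is not modelled; only the counter check is), and a one-slot receive buffer for the right-after case.

```python
"""Receiver-side CAN anomaly detection: allow-list filter (DoS), reception
frequency check (firehose), monotonic counter (replay) and a buffer that
refuses writes when full (right-after / right-before).  Illustrative code,
not the speakers' ADS; IDs, periods and frame contents are constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float      # receive timestamp in seconds
    can_id: int    # 11-bit arbitration ID (hypothetical values below)
    data: bytes


# Allow-list: can_id -> (nominal period in seconds, tolerance fraction).
EXPECTED = {0x0C0: (0.010, 0.5), 0x1A0: (0.100, 0.5)}
COUNTER_IDS = {0x1A0}   # data[0] of these messages is a monotonic counter
COUNTER_STEP = 1        # increment the transmitter applies per message


class Detector:
    def __init__(self):
        self.last_ts = {}        # can_id -> timestamp of last accepted frame
        self.last_ctr = {}       # can_id -> last accepted counter value
        self.safe_state = False  # set when an expected message goes missing
        self.rejected = []       # (reason, frame) for every discarded frame

    def process(self, f):
        """Return True if the frame is accepted, False if it is discarded."""
        # DoS mitigation: anything not on the allow-list is dropped.
        if f.can_id not in EXPECTED:
            return self._reject("unexpected-id", f)
        period, tol = EXPECTED[f.can_id]
        prev = self.last_ts.get(f.can_id)
        if prev is not None:
            dt = f.ts - prev
            # Firehose mitigation: arriving faster than the nominal rate.
            if dt < period * (1 - tol):
                return self._reject("too-fast", f)
            # Expected message arrived late: transition to the safe state.
            if dt > period * (1 + tol):
                self.safe_state = True
        # Replay mitigation: counter must equal last counter + step (mod 256).
        if f.can_id in COUNTER_IDS:
            ctr = f.data[0]
            last = self.last_ctr.get(f.can_id)
            if last is not None and ctr != (last + COUNTER_STEP) % 256:
                return self._reject("counter-mismatch", f)
            self.last_ctr[f.can_id] = ctr
        self.last_ts[f.can_id] = f.ts   # state is committed only on acceptance
        return True

    def _reject(self, reason, f):
        self.rejected.append((reason, f))
        return False


class BoundedBuffer:
    """Receive buffer that refuses a write when full instead of overwriting
    the pending frame.  lifo=True models the last-in-first-out variant."""
    def __init__(self, size, lifo=False):
        self.size, self.lifo, self._q = size, lifo, deque()

    def push(self, f):
        if len(self._q) >= self.size:
            return False            # full: the pending frame is kept
        self._q.append(f)
        return True

    def pop(self):
        return self._q.pop() if self.lifo else self._q.popleft()


# Constructed frame log: (timestamp, can_id, data).
LOG = [
    (0.000, 0x0C0, b"\x10\x00"),
    (0.000, 0x1A0, b"\x05\x01"),   # counter 5
    (0.010, 0x0C0, b"\x10\x01"),
    (0.011, 0x0C0, b"\xff\xff"),   # firehose burst starts
    (0.012, 0x0C0, b"\xff\xff"),
    (0.020, 0x0C0, b"\x10\x02"),
    (0.100, 0x1A0, b"\x06\x01"),   # counter 6
    (0.200, 0x1A0, b"\x05\x01"),   # replay of the counter-5 frame
    (0.300, 0x7FF, b"\x00"),       # ID not on the allow-list
    (0.500, 0x1A0, b"\x07\x01"),   # late (0.4 s gap) but counter is correct
]


def run(log):
    """Feed the log through a detector; return (accepted frames, detector)."""
    det = Detector()
    accepted = [f for f in (Frame(*t) for t in log) if det.process(f)]
    return accepted, det


def right_after_demo():
    """Legit frame pending in a 1-slot LIFO buffer; attacker injects right
    after it.  Returns (was injection stored, frame the consumer reads)."""
    buf = BoundedBuffer(size=1, lifo=True)
    buf.push(Frame(1.000, 0x0C0, b"\x10\x03"))
    injected = buf.push(Frame(1.0001, 0x0C0, b"\xff\xff"))
    return injected, buf.pop()


if __name__ == "__main__":
    accepted, det = run(LOG)
    print(f"accepted {len(accepted)}, safe_state={det.safe_state}")
    for reason, f in det.rejected:
        print(f"  dropped {f.can_id:#05x} at t={f.ts}: {reason}")
    print("right-after injection stored:", right_after_demo()[0])
```

The detector only updates its timing and counter state when a frame is accepted, so a burst of injected frames neither shifts the expected schedule nor advances the counter; this is what lets the legitimate frame at t=0.020 pass immediately after the two rejected burst frames. The late frame at t=0.500 is still accepted but flips the safe-state flag, matching the talk's "transition to a safe state" rather than silently dropping valid data.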

Pilot Study on Semi-Automated Patch Diffing by Applying Machine-Learning Techniques
by: Asuka Nakajima

When developing a 1-day exploit, patch diffing (binary diffing) is one of the major techniques for identifying the part where security fixes are applied. This technique has been well known among reverse engineers for a long time, and thus, to support the diffing, various tools such as BinDiff, TurboDiff, and Diaphora have been developed. However, although those fantastic tools greatly support the analysis, patch diffing is still a difficult task because it requires deep knowledge and experience. To address this issue, we conducted a pilot study with the goal of achieving semi-automated patch diffing by applying machine-learning techniques. Based on the hypothesis that "similar types of vulnerabilities will be fixed in a similar manner," we applied unsupervised machine-learning techniques to extract those patterns and considered how to achieve semi-automated patch diffing. In the talk, we will show the details of our pilot study and share the insights we have gained from it. We believe that our insights will help other researchers who conduct similar research in the future.

The Man-In-The-Middle attack against a certain password manager
by: Soya Aoyama

How many sites do you use? Are your passwords long enough and secure? Do not tell me you reused them. Unfortunately, our memories are not good enough to remember so many long and secure passwords. For this reason, there are several companies providing password management applications. However, are they really secure?

I have executed a man-in-the-middle attack against a certain password management application. Surprisingly, the password was exchanged in plain text between the .exe and the .dll, and it was very easy to steal. The program I created is generic and, under certain conditions, can steal information exchanged between any .exe and .dll on Windows. In this talk, I will demonstrate the actual attack and provide the technical explanations that enable this attack. Finally, I will suggest ways to protect other apps from this attack.

Utilizing YARA to Find Evolving Malware
by: Jay Rosenberg

YARA rules are often made specifically for a certain variant of a threat using strings from a binary. What happens when the strings simply disappear or become obfuscated? This presentation will highlight key components to building YARA rules for finding newer variants or new versions of malware from the same threat actor, that will last through generations of the malware evolution process.

z3r0 to h3r0 - Targeting Crown Jewels over the Internet
by: Viral Maniar

It is very common nowadays to hear about company X having been pwned by a hacker. But have you ever wondered how hackers get into these companies' networks? Are they really utilising precious 0-days to get inside these networks? Even after installing and managing all the latest flashy "cyber" products which detect and block unknown threats, why are we still vulnerable?

As a penetration tester, I perform plenty of external penetration tests which include open source intelligence (OSINT) gathering techniques such as subdomain enumeration, email address dictionary creation and password spraying. Information gathered through such techniques is crucial for a targeted attacker performing preliminary reconnaissance on the company and its employees. The presentation will also cover how malicious actors use the exposed information and correlate it in a short span of time to obtain access to an internal host. Once an attacker gains the initial foothold, it is a matter of time before they perform privilege escalation and gain complete access over the domain. In short, this talk will demonstrate a number of techniques hackers use to profile a company and gain access to the crown jewels, aka going from z3r0 to h3r0. Attendees will leave with detailed information on how they can better protect their infrastructure.
