SATURDAY, NOVEMBER 9, 2024
The Unlock Talks
How to break into organizations with style: hacking access control systems
Julia ZDUŃCZYK
English
10:00 AM – 10:45 AM
Have you ever wondered how Red Teamers manage to get access to high-security areas in buildings? This talk is your chance to learn about the tools, tactics, and techniques we use to break access control systems.
The presentation is based on the experience and examples collected during the Red Team assessments and gathers in one place the knowledge needed to gain access to places protected by access cards.
During the talk, Julia is going to show you how she was able to break into organizations using techniques such as simple card cloning.
We'll discover the basics of RFID technology and learn how to use Proxmark3 for access card scanning and cloning with the demo of the device operation.
We'll explore some of the most common misconfigurations in access control systems and learn how to use them for gaining access and escalating privileges.
We’ll also delve into the technical and social engineering aspects of card scanning during a Red Team Assessment with an example of a complete kill chain, which enabled her to gain entry to highly secure areas within a building, starting from a position of zero access.
And last but not least - we'll talk about how to protect your organization from these types of attacks.
Let’s discover how to break into organizations with style.
________
About the speaker:
Julia is a cybersecurity professional who loves getting into places that are not normally easily accessible 😉
Being a Red Teamer allows her to break into high-security areas and infrastructure using not only social engineering skills, but also her technical knowledge - from hacking physical access control systems to attacking AD, internal infrastructure and web applications.
She likes sharing her knowledge and has presented her research work at multiple conferences:
Top speaker at CONFidence 2023 (Cracow, Poland).
Best speaker at SEC-T 2023 (Stockholm, Sweden).
She also presented at No Hat (Bergamo, Italy) and Insomni’Hack (Lausanne, Switzerland).
She likes to spend her free time outside - she's a horseback archer, climber, diver, cave explorer and traveler.
When my network appliance cheats on me
Félix AIMÉ
French
10:45 AM – 11:15 AM
Network appliances (edge devices such as routers, NAS, mail gateways, VPNs, etc.) have become the new eldorado for cybercriminal groups and state actors. These devices not only serve as entry points or persistence mechanisms in certain information systems but also support operations by enabling the setup of low-cost anonymization infrastructures.
This threat is accompanied by a recent increase in vulnerability research on these devices. Therefore, a question arises: how can we monitor attack attempts targeting network appliances at a low cost? What are the limitations of traditional honeypots in the face of these new threats? How can we address them effectively?
After reviewing the various threats targeting network appliances with examples from investigations, this talk will present the limitations of traditional honeypots and suggest ways to overcome them. Among these solutions, I will present a project implemented at SEKOIA that allows us to easily track exploitation attempts targeting dozens of network appliances and the results obtained over a year.
__________
About the speaker:
Félix is a Threat Intelligence and cyber security researcher, passionate about geopolitics and technical security. After working as a pentester for British Telecom, he co-founded, from 2013 to 2017, the Threat Intelligence capabilities of the French National Cybersecurity Agency (ANSSI), working with a multidisciplinary team dedicated to investigating threat actors carrying out cyber espionage operations.
In 2017, he joined Kaspersky's Global Research & Analysis Team (GReAT) to work on cyberespionage and highly sophisticated cybercrime investigations. In 2021, he moved to SEKOIA.IO as a principal security researcher to increase their threat intelligence capabilities with internal training courses and workshops, tailored software development, and state-of-the-art investigations on APT and cybercrime threats. The goal was to increase the speed and technical level of the team's investigations.
When he's not investigating threats, he loves to develop new capabilities and ergonomic software, and to share his own knowledge to increase the ability of his team to discover, track and process new cyber threats. He also does some open source work to help people, such as SPYGUARD, and personal research on various topics linked to IT security and ergonomics/design for analysts, allowing them to save a lot of time during their investigations, hunting and research.
Insecure time-based secret in web applications and Sandwich Attack exploitation
Tom CHAMBARETAUD
French
11:15 AM – 12:00 PM
Following discoveries during bug bounties, I have focused my research on poor practices related to time-based secrets in web applications. This presentation aims to provide an overview of these poor practices and show how to detect and exploit them.
Through the creation of an open-source tool [Reset Tolkien], a demo with practical cases, similar to those found in discovered bugs, will be presented.
__________
About the speaker:
Tom has diverse professional experience in the field of cybersecurity and software development.
He began his career at "42", where he held a temporary position as a "Piscine" participant in 2017. Later, in 2018, he worked at Qwant, where he automated vulnerability tests and created a dashboard. In 2019, Tom joined YesWeHack, initially as a Security Analyst & R&D Developer and later as a Security Analyst Lead & R&D Developer. In this role, he worked on improving the continuous integration process and contributed to various security analysis and research and development projects. In 2022, Tom briefly worked as a Security Teacher at Normandie Web School. He has been employed at Aethlios as a Bug Bounty Hunter since 2020.
The ORC that hides the forest
Wandrille KRAFFT
French
01:45 PM – 02:15 PM
CSIRT LEXFO has developed a tool for processing traces collected with DFIR-ORC, a “live” trace collection method released by ANSSI. The tool from CSIRT LEXFO, which will soon be available as open-source, aims to extract archives collected by ORC and organize the collected files according to the same directory structure as the source system. The extracted collections are more easily exploitable and can be processed by tools such as Plaso. After an introduction to trace collection in the context of a DFIR service, the presentation outlines the project’s origins using a use case.
About the speaker:
Former pentester and now head of the DFIR team at CSIRT LEXFO, I am responsible for managing security incident responses. I coordinate with client teams and communicate investigation summaries to CISOs, CIOs, and Executive Committees. I also participate in digital investigations and the development of CSIRT tools.
Construction of attack paths by graph generation in a Kubernetes cluster
Warren POSTDAM
French
02:15 PM – 03:00 PM
Kubernetes is a cloud-native system that enables container orchestration based on a wide range of components, some of which are referenced in the CNCF. In the telecommunications sector, clusters run a very large number of pods with different privilege levels. It is therefore complex for an auditor to quickly identify the most dangerous attack paths within a beneficiary’s cluster, as audits are time-limited. Inspired by BloodHound, OSAKA is a tool that allows for the construction and analysis of attack paths by generating graphs from a Neo4j database.
__________
About the speaker:
Currently at ANSSI in the telecom sector, Warren enjoys breaking things and understanding end-to-end functionality. He tends to dive into projects that allow him to engage in long-term R&D within his lab and discover new technologies to develop tools or conduct deep dives.
ACECrypter: anatomy of a packer
Pierre LE BOURHIS
French
03:00 PM – 03:30 PM
The presence of packers, also known as “crypters,” is undeniable in today’s cybercrime landscape. This presentation will focus on the analysis of packers within the context of threat intelligence, using the “as-a-service” crypter named ACECrypter as a running example.
Having been around since at least 2016, ACECrypter has facilitated the distribution of numerous other malware families, such as stealers (Redline, Raccoon), ransomware (Stop, DejaVue), RATs (Remote Access Trojans) and loaders (SmokeLoader, Amadey). To understand how this service has managed to persist, we will conduct a technical analysis of the packer. This analysis will present the various stages that compose it and help the audience better understand the different elements of a packer. It is also essential to identify its capabilities and functionalities to improve its detection and automate its processing in future investigations.
Despite the availability of tools and solutions (both free and paid), the processing of packers remains a complex task for organizations requiring malware investigation and analysis capabilities. In our Cyber Threat Intelligence (CTI) context at Sekoia, extracting packed payloads is essential. Thus, in the final part, I will present a methodology as well as the tools and frameworks used at Sekoia to automate this extraction.
__________
About the speaker:
Pierre has been a cyber threat intelligence analyst at Sekoia.io since 2017. He started his cybersecurity career in red teaming, then switched to the Threat Detection & Research team in 2021. He is currently co-leader of the cybercrime investigation team. His main topics of interest are cybercrime, reverse engineering and malware tracking, with a particular interest in large botnets.
Lurking in the Directory: Stealthy LDAP recon for Red Teams
Paul SALADIN
Vincent GOURVENNEC
French
04:00 PM – 04:45 PM
When gaining access to an internal network, Active Directory domain reconnaissance is one of the most common actions performed by attackers. It enables the acquisition of a large amount of information in a short space of time on the breached infrastructure.
Recent security solutions include various detection mechanisms for those actions, making the use of well-known tools such as SharpHound detectable rather quickly.
During our Red Teaming engagements, we have to deal with such solutions and we therefore had to find new ways to fly under the radar to perform LDAP reconnaissance.
Several LDAP reconnaissance and detection methods within an Active Directory will be presented throughout this talk.
__________
About the speakers:
Vincent is the Red Team manager at Intrinsec
Paul is a Red Team member at Intrinsec
Reality check: Vulnerability management under the Cyber Resilience Act
Rayna STAMBOLIYSKA
French
04:45 PM – 05:15 PM
The Cyber Resilience Act, or CRA for short, is about to become EU law. It’s a big deal: the CRA aims to stop products with known security holes from being sold in Europe. But how can we make sure that happens? What does the CRA actually say, and who will it affect? This talk will dive deep into the technical side of the CRA, especially when it comes to cloud computing.
Get ready for the Cyber Resilience Act (CRA)! This new EU law is going to change the game for digital products. The CRA wants to make sure that products sold in Europe are safe. But how can we make that happen? What does the CRA mean for businesses and consumers? In this presentation, we’ll explore the technical challenges and opportunities of the CRA, focusing on cloud environments.
__________
About the speaker:
Rayna focuses on digital diplomacy and EU resilience, with cybersecurity, strategic autonomy, and data protection as cornerstones. She advises various institutions (European Commission, ENISA, INTERPOL) and teaches at Sciences Po Paris. Rayna Stamboliyska also works with international organizations and innovative companies on issues related to international relations, regulatory compliance, and risk and crisis management.