SATURDAY, NOVEMBER 9, 2024

The Unlock Talks

How to break into organizations with style: hacking access control systems

Julia ZDUŃCZYK

English

10:00 AM – 10:45 AM

Have you ever wondered how Red Teamers manage to get access to high-security areas in buildings? This talk is your chance to learn about the tools, tactics, and techniques we use to break access control systems.
The presentation is based on the experience and examples collected during the Red Team assessments and gathers in one place the knowledge needed to gain access to places protected by access cards.

Voir plus Voir moins

When my network appliance cheats on me

Félix AIMÉ

French

10:45 AM – 11:15 AM

Network appliances (edge devices such as routers, NAS, mail gateways, VPNs, etc.) have become the new eldorado for cybercriminal groups and state actors. These devices not only serve as entry points or persistence mechanisms in certain information systems but also support operations by enabling the setup of low-cost anonymization infrastructures.

This threat is accompanied by a recent increase in vulnerability research on these devices. Therefore, a question arises: how can we monitor attack attempts targeting network appliances at a low cost? What are the limitations of traditional honeypots in the face of these new threats? How can we address them effectively?

After reviewing the various threats targeting network appliances with examples from investigations, this talk will present the limitations of traditional honeypots and suggest ways to overcome them. Among these solutions, I will present a project implemented at SEKOIA that allows us to easily track exploitation attempts targeting dozens of network appliances and the results obtained over a year.

__________

About the speaker:

Félix is a Threat Intelligence and cyber security researcher, passionate about geopolitics and technical security. After being a pentester for British Telecom, he co-founded from 2013 to 2017 the Threat Intelligence capabilities of the French National Cybersecurity Agency (ANSSI) by working with a multidisciplinary team dedicated to investigate on threat actors carrying out cyber espionage operations.

In 2017, he joined Kaspersky's Global Research & Analysis Team (GReAT) to work on cyberespionage and highly sophisticated cybercrime investigations. In 2021, he moved to SEKOIA.IO as a principal security researcher to increase their threat intelligence capabilities with internal training courses and workshops, tailored software development, and state-of-the-art investigations on APT and cybercrime threats. The goal was to increase the speed and technical level of the team's investigations.

When he's not investigating on threats, he loves to develop new capabilities, ergonomic softwares and share my own knowledge to increase the ability of his team to discover, track and process new cyber threats. He's also doing some open source stuff to help people - such as SPYGUARD, some personal researches on various topics linked to IT security and ergonomics/design for analysts, allowing them to save lot of time during their investigation, hunting and researches.

Voir plus Voir moins

Insecure time-based secret in web applications and Sandwich Attack exploitation

Tom CHAMBARETAUD

French

11:15 AM – 12:00 PM

Following discoveries during bug bounties, I have focused my research on poor practices related to time-based secrets in web applications. This presentation aims to provide an overview of these poor practices and show how to detect and exploit them.

Through the creation of an open-source tool [Reset Tolkien], a demo with practical cases, similar to those found in discovered bugs, will be presented.

Voir plus Voir moins

The ORC that hides the forest

Wandrille KRAFFT

French

01:45 PM – 02:15 PM

CSIRT LEXFO has developed a tool for processing traces collected with DFIR-ORC, a “live” trace collection method released by ANSSI. The tool from CSIRT LEXFO, which will soon be available as open-source, aims to extract archives collected by ORC and organize the collected files according to the same directory structure as the source system. The extracted collections are more easily exploitable and can be processed by tools such as Plaso. After an introduction to trace collection in the context of a DFIR service, the presentation outlines the project’s origins using a use case.

Voir plus Voir moins

Construction of attack paths by graph generation in a Kubernetes cluster

Warren POSTDAM

French

02:15 PM – 03:00 PM

Kubernetes is a cloud-native system that enables container orchestration based on a wide range of components, some of which are referenced in the CNCF. In the telecommunications sector, clusters run a very large number of pods with different privilege levels. It is therefore complex for an auditor to quickly identify the most dangerous attack paths within a beneficiary’s cluster, as audits are time-limited. Inspired by BloodHound, OSAKA is a tool that allows for the construction and analysis of attack paths by generating graphs from a Neo4j database.

Voir plus Voir moins

ACECrypter: anatomy of a packer

Pierre LE BOURHIS

French

03:00 PM – 03:30 PM

The presence of packers, also known as “crypters,” is undeniable in today’s cybercrime landscape. This presentation will focus on the analysis of packers within the context of threat intelligence, using the “as-a-service” crypter named ACECrypter as a running example.

Having been around since at least 2016, ACECrypter has facilitated the distribution of numerous other malware families, such as stealers (Redline, Raccoon), ransomware (Stop, DejaVue), RATs (Remote Access Trojans) and loaders (SmokeLoader, Amadey). To understand how this service has managed to persist, we will conduct a technical analysis of the packer. This analysis will present the various stages that compose it and help the audience better understand the different elements of a packer. It is also essential to identify its capabilities and functionalities to improve its detection and automate its processing in future investigations.

Voir plus Voir moins

Lurking in the Directory: Stealthy LDAP recon for Red Teams

Paul SALADIN
Vincent GOURVENNEC

French

04:00 PM – 04:45 PM

When gaining access to an internal network, Active Directory domain reconnaissance is one of the most common action performed by attackers. It enables the acquisition of a large amount of information in a short space of time on the breached infrastructure.
Recent security solutions include various detection mechanisms for those actions, making the use of well-known tools such as SharpHound detecteable rather quickly.
During our Red Teaming engagements, we have to deal with such solutions and we therefore had to find news ways to fly under the radar to perform LDAP reconnaissance.
Several LDAP reconnaissance and detection methods within an Active Directory will be presented throughout this talk.

Voir plus Voir moins

Reality check: Vulnerability management under the Cyber Resilience Act

Rayna STAMBOLIYSKA

French

04:45 PM – 05:15 PM

The Cyber Resilience Act (CRA), or CRA for short, is about to become EU law. It’s a big deal: the CRA aims to stop products with known security holes from being sold in Europe. But how can we make sure that happens? What does the CRA actually say, and who will it affect? This talk will dive deep into the technical side of the CRA, especially when it comes to cloud computing.

Get ready for the Cyber Resilience Act (CRA)! This new EU law is going to change the game for digital products. The CRA wants to make sure that products sold in Europe are safe. But how can we make that happen? What does the CRA mean for businesses and consumers? In this presentation, we’ll explore the technical challenges and opportunities of the CRA, focusing on cloud environments.

Voir plus Voir moins