BruCON 0x10

Join us to explore the power of shared insight in the battle against today's sophisticated threats, as seen through the eyes of a reverse engineer’s journey. Collective defense can be much more than just sharing signatures—to me it's about guiding diverse talents to forge a strong front against evil. From analyzing APT1 malware, teaching workshops at Brucon, to testifying before US Congress on AI's impact on homeland security, this talk reveals how mentoring and teaching can help others walk a similar path, amplifying our collective impact to secure the future together.

WHAD stands for "Wireless Hacking Devices" (or "Wireless Hacking for Dummies") and is a brand new framework providing a unified interface to play with various wireless protocols, with multiple hardware devices supported out-of-the-box. It has been thought as a flexible and extensible toolbox to interact with wireless devices, including multiple customizable protocol stacks and some super-duper features like real-time monitoring with Wireshark or tool chaining to achieve complex tasks.

This workshop will teach you how to use WHAD and its off-the-shelf tools, but also how to take advantage of it to create your own tools in Python to interact with Bluetooth Low Energy and other ZigBee devices, as well as wireless mice and keyboards! You will also discover how to emulate a device with a few lines of Python and even create BLE exploits that run smoothly on any compatible device.

In this 2 hour workshop, Didier will guide you through XOR Cryptanalysis exercises using several open source tools (several of these tools are created and maintained by Didier).

After an introduction to the XOR operator and its use in cryptography, we will work through several exercises that will familiarize you with tools like:

• CyberChef
• translate.py
• XOR 010 Editor script
• XORSearch
• xor-kpa.py 

And we will end with exercises using custom ransomware decryption tools that Didier developed for a particular ransomware strain with flawed crypto.

The evolution of China-nexus based backdoors the last decade has rapidly produced several families that have been documented in great detail. One of the latest additions to this order are SideWalk / ScrambleCross which employ challenging techniques and are difficult to detect without prior knowledge about their functionality. In the fall of 2023, the mnemonic Incident Response Team (mIRT) was engaged to uncover an attack as part of an esponiage campaign, and discovered a previously undocumented backdoor in the evolutional trail. Keeping track of the development of these malware families is essential for defenders. This talk shares the highlights from our analysis of the malware and reflections on how to detect it.

It's a struggle keeping track of everything happening day after day, right? Don't blink or you'll miss new vulnerabilities, new techniques and leaks, …

The presenter, Dieter Van Den Bosch, suggested in the feedback form of BruCON back in 2011, that someone should do a presentation on the security highlights of the past year.

We’re 13 years later… and for the second year in a row, Dieter will give that talk himself!

He will take you through a journey of the most active threat actors, some surprising facts that even experts have missed and some of the weirdest things of the past year!

Zeek is an open-source network security monitor (NSM) and analytics platform that has been around for quite some time (since the mid-90s). It is used at large university campuses and research labs, but in the past few years, more and more security professionals in the industry have turned their attention to this fantastic tool.

But Zeek is so much more than just a NIDS generating alerts (notices) and log files! Zeek's scripting language allows security analysts to perform arbitrary analysis tasks such as extracting files from sessions, detecting brute-force attacks, or, most importantly, interfacing with external sources, such as Python! The Zeek Python bindings allow us, the analysts, to use powerful Python libraries such as Numpy, Pandas, and Tensorflow and apply machine learning-based detection on network traffic.

During this two-hour workshop, we will learn about the following topics:

• Super fast introduction to Zeek (architecture, events, logs, signatures, etc.)
• Using machine learning and data science tools on Zeek logs (as an example, we will use Fourier Analysis to detect C2 beaconing)
• Super fast crash course in Zeek scripting (just enough to understand how to create new logs)
• Connecting Zeek and Python via the Zeek Broker Communication Framework
• Using machine learning tools in Python on the data we receive from Zeek for detection (as an example, we will use convolutional neural network and random forest models to compare them, and then use them to find unknown malware in live network traffic) 

Requirements for the workshop:

1. A laptop with at least 16 GB of RAM and more than 50 GB of free disk space (VT-x support must be enabled on the host system).
2. Application to run Virtual Images (type-2 hypervisor): VMWare Workstation Pro (recommended), VMWare Workstation Player, VMWare Fusion, or VirtualBox.
3. Only 64-bit Intel-compatible (Intel or AMD) processors are supported. 

/!\ WARNING /!\: ARM-based (Apple Silicon, some Microsoft Surface) devices cannot perform the necessary virtualization and therefore cannot be used for the workshop.

This workshop will introduce attendees to the world of firmware analysis. It will discuss only structured firmwares---i.e. firmware containing a file system---by opposition to monolithic firmwares also known as baremetal firmwares. Students will discover two major steps of this analysis workflow which are also the most firmware specific ones: extraction of the filesystem and its cartography. Various open-source tools will be introduced, including two developed by Quarkslab: Pyrrha, a mapper collection for firmware analysis, and its underlying API Numbat. Based on this latter, attendees will be able to develop their own cartography tools with a nice UI. All along this workshop, a strong focus will be made on the tasks that could be automated by some existing or future tools but also on the limits of this automatization.

Requirements:

1. This workshop requires attendees to be able to script in Python. 

In this talk we'll explore the opportunities that protocol & standards transformations provide for attackers in environments with an API microservice architecture.

Transformation of user input happens automatically when protocols & standards support certain encodings.

When API backends are constructing their own API calls to 2nd order API's using user input, "chained transformations" happen. This allows an attacker to construct payloads that only manifest in harmful form after a certain number of transformations. The payloads are often too obfuscated to be recognized by the perimeter Web Application Firewall.

This type of vulnerability is present even in hardened targets. Pentesters and bugbounty hunters can maximize the attack surface and increase impact using this bug.

For over two years, US and “Five Eye” entities have focused significant attention on the threat posed by an activity cluster initially identified by Microsoft as “Volt Typhoon.” Linked to People’s Republic of China (PRC) cyber operations, Volt Typhoon is notable for effective, persistent use of living off the land behaviors via proxied command and control (C2) infrastructure to target civilian and dual-use critical infrastructure entities. The entity has been described as the most concerning threat to US infrastructure and interests by multiple commercial and government entities – yet for all this attention specifics on the group and their operations remain maddeningly scarce in public, available reporting.

In this discussion, we will examine the nature of high-profile, yet vaguely described, threats such as Volt Typhoon, and what lessons we can learn from such activities. Particularly, we will look at natural tensions in information disclosure that may uniquely align with insights into the Volt Typhoon threat, where counter-cyber operations may play as large a role (and potentially greater) in tracking this adversary as traditional intrusion analysis. Through this discussion we will look into how information sensitivity for cyber threat intelligence reporting may clash directly with the actionability of such information, and how this both plays into direct defense and more broadly in public messaging around concerning (but objectively vague) threats.

To conclude, we will explore the natural tension between disclosure and action for intelligence operations, and the potential harm that may result when secretive items are broadcast widely in public discourse. Using Volt Typhoon as a high-profile and relevant example, attendees will learn to better advocate for and hold reporting entities to account for threat reporting, while also highlighting the need to execute care and discretion in public messaging on the part of commercial and government authorities.

In the dynamic realm of system security, the ability to diagnose and debug at the kernel level is invaluable. "Uncovering Hidden Threats: Intro to Kernel Debugging with WinDbg" is a workshop designed for IT professionals, system administrators, and security researchers who are eager to gain foundational skills in kernel debugging. This session will immerse participants in practical, hands-on scenarios using WinDbg for kernel debugging.

Throughout this workshop, attendees will engage directly with real-world debugging exercises, designed to provide a deep dive into the inner workings of the Windows kernel. Participants will be provided with preconfigured virtual machine (steps on how to set up debugging environment from scratch are provided on request), interpret common kernel-mode data structures, and detect common stealth and persistence techniques encountered in the Windows rootkits. The focus will be heavily on 'learning by doing,' ensuring that every attendee not only understands the theoretical underpinnings but also acquires direct experience in applying these techniques.

By the end of the workshop, participants will have the skills to uncover and mitigate hidden threats in their own systems, armed with a robust set of debugging competencies that can be applied immediately in their professional roles.

While there's often a strong focus on securing Windows environments against malicious activities, due to their widespread use, it's crucial not to underestimate the potential for Linux based systems to be exploited in a similar fashion.

Wrangling those EDR tools on Linux is downright essential, given its varied attack vectors and plenty of trickster trails to navigate. Linux setups are pretty common in server, cloud and IoT environments, each bringing their own flavor of security showdowns.

With Linux's robust privilege management, you need to set up your EDR solutions in a way that they can effectively oversee and respond to unusual activities. By engaging in active EDR testing on Linux, a comprehensive approach to security is ensured, covering a wide range of threats and system complexities. It's like having your digital glam squad handle all the security drama, so you can focus on the fabulousness!