BruCON 0x10 has ended
Thursday, September 19
 

09:45 CEST

BruCON Opening
Thursday September 19, 2024 09:45 - 10:00 CEST
01. Gouden Carolus

10:00 CEST

Keynote: Unite to Stop Evil!
Thursday September 19, 2024 10:00 - 11:00 CEST
Join us to explore the power of shared insight in the battle against today's sophisticated threats, as seen through the eyes of a reverse engineer’s journey. Collective defense can be much more than just sharing signatures—to me it's about guiding diverse talents to forge a strong front against evil. From analyzing APT1 malware, teaching workshops at BruCON, to testifying before US Congress on AI's impact on homeland security, this talk reveals how mentoring and teaching can help others walk a similar path, amplifying our collective impact to secure the future together.
Speakers
Michael Sikorski

Michael Sikorski (@mikesiko) is the CTO of Unit 42 at Palo Alto Networks where he leads the Threat Intelligence and Engineering teams. He is a renowned expert in reverse engineering and wrote the best seller, “Practical Malware Analysis”. Previously at Mandiant for 15 years, he’s...
01. Gouden Carolus

11:00 CEST

CurveBack: A Backdoor Analysis
Thursday September 19, 2024 11:00 - 12:00 CEST
The evolution of China-nexus based backdoors over the last decade has rapidly produced several families that have been documented in great detail. One of the latest additions to this order are SideWalk / ScrambleCross which employ challenging techniques and are difficult to detect without prior knowledge about their functionality. In the fall of 2023, the mnemonic Incident Response Team (mIRT) was engaged to uncover an attack as part of an espionage campaign, and discovered a previously undocumented backdoor in the evolutional trail. Keeping track of the development of these malware families is essential for defenders. This talk shares the highlights from our analysis of the malware and reflections on how to detect it.
Speakers
Rafael Lukas Maers

Rafael Lukas Maers has a Master's degree in Mathematics and has worked in mnemonic since 2013. He began his cybersecurity career as an analyst, before he ventured into network analysis and developed a world-class decoder for an ICS/OT network protocol. In 2017, he started working as...

Stian Jahr

Stian Jahr holds a Master’s degree in Information Security and has been part of mnemonic’s Managed Security Services since 2006. He has played a central role in the formation and technical management of mnemonic’s Security Services, where he has been focusing on network analysis...
01. Gouden Carolus

13:30 CEST

The Best Of 2023-2024: inside the biggest hacks and facts of the past year
Thursday September 19, 2024 13:30 - 14:30 CEST
It's a struggle keeping track of everything happening day after day, right? Don't blink or you'll miss new vulnerabilities, new techniques and leaks, …

The presenter, Dieter Van Den Bosch, suggested in the feedback form of BruCON back in 2011, that someone should do a presentation on the security highlights of the past year.

We’re 13 years later… and for the second year in a row, Dieter will give that talk himself!

He will take you through a journey of the most active threat actors, some surprising facts that even experts have missed and some of the weirdest things of the past year!
Speakers
Dieter Van Den Bosch

Dieter Van Den Bosch is the founder of ThreatExposure, a pioneering Attack Surface Management company specializing in scanning for critical vulnerabilities like emerging zero-days that organizations have exposed to the internet. He started in IT security in 2009 at a major European...
01. Gouden Carolus

14:30 CEST

Bypassing firewalls with API-to-API Hacking: Using Chained Transformations to deliver payloads to 2nd order API's
Thursday September 19, 2024 14:30 - 15:30 CEST
In this talk we'll explore the opportunities that protocol & standards transformations provide for attackers in environments with an API microservice architecture.

Transformation of user input happens automatically when protocols & standards support certain encodings.

When API backends are constructing their own API calls to 2nd order API's using user input, "chained transformations" happen. This allows an attacker to construct payloads that only manifest in harmful form after a certain number of transformations. The payloads are often too obfuscated to be recognized by the perimeter Web Application Firewall.

This type of vulnerability is present even in hardened targets. Pentesters and bug bounty hunters can maximize the attack surface and increase impact using this bug.
Speakers
Johan Caluwé

Cyber Security Expert @ Centre for Cybersecurity Belgium
Member of Technical Research Team of CERT.be
Guest professor "Web Application Pentesting Advanced" @ Howest university of applied sciences
Bug bounty hunter & ethical hacker
01. Gouden Carolus

16:00 CEST

A Typhoon in a Teacup? Evaluating Reporting on High Profile Threats
Thursday September 19, 2024 16:00 - 17:00 CEST
For over two years, US and “Five Eye” entities have focused significant attention on the threat posed by an activity cluster initially identified by Microsoft as “Volt Typhoon.” Linked to People’s Republic of China (PRC) cyber operations, Volt Typhoon is notable for effective, persistent use of living off the land behaviors via proxied command and control (C2) infrastructure to target civilian and dual-use critical infrastructure entities. The entity has been described as the most concerning threat to US infrastructure and interests by multiple commercial and government entities – yet for all this attention specifics on the group and their operations remain maddeningly scarce in public, available reporting.

In this discussion, we will examine the nature of high-profile, yet vaguely described, threats such as Volt Typhoon, and what lessons we can learn from such activities. Particularly, we will look at natural tensions in information disclosure that may uniquely align with insights into the Volt Typhoon threat, where counter-cyber operations may play as large a role (and potentially greater) in tracking this adversary as traditional intrusion analysis. Through this discussion we will look into how information sensitivity for cyber threat intelligence reporting may clash directly with the actionability of such information, and how this both plays into direct defense and more broadly in public messaging around concerning (but objectively vague) threats.

To conclude, we will explore the natural tension between disclosure and action for intelligence operations, and the potential harm that may result when secretive items are broadcast widely in public discourse. Using Volt Typhoon as a high-profile and relevant example, attendees will learn to better advocate for and hold reporting entities to account for threat reporting, while also highlighting the need to execute care and discretion in public messaging on the part of commercial and government authorities.
Speakers
Joe Slowik

Joe Slowik has over 15 years of experience across multiple information security domains. Currently, Joe performs in-depth research into critical infrastructure threats for MITRE while also leading the CTI and ICS functions of the ATT&CK project. Previously, Joe has worked primarily...
01. Gouden Carolus

17:00 CEST

Saddle up the system, y'all: A Texas handbook to Linux EDR baseline configurations.
Thursday September 19, 2024 17:00 - 18:00 CEST
While there's often a strong focus on securing Windows environments against malicious activities, due to their widespread use, it's crucial not to underestimate the potential for Linux based systems to be exploited in a similar fashion.

Wrangling those EDR tools on Linux is downright essential, given its varied attack vectors and plenty of trickster trails to navigate. Linux setups are pretty common in server, cloud and IoT environments, each bringing their own flavor of security showdowns.

With Linux's robust privilege management, you need to set up your EDR solutions in a way that they can effectively oversee and respond to unusual activities. By engaging in active EDR testing on Linux, a comprehensive approach to security is ensured, covering a wide range of threats and system complexities. It's like having your digital glam squad handle all the security drama, so you can focus on the fabulousness!
Speakers
Melina Phillips

I am an Offensive Security Engineer with 10 years of IT experience and 6 years specifically focused on IT Security. As an Offensive Security Engineer, I leverage my expertise and passion for red teaming to identify vulnerabilities and develop effective strategies to protect my organization...
01. Gouden Carolus
 
Friday, September 20
 

10:00 CEST

Keynote: I don't need privacy, I got confidentiality!
Friday September 20, 2024 10:00 - 11:00 CEST
Debunking this and other persistent privacy myths is highly overdue. In this keynote, we'll explore privacy engineering and discover how it can strengthen security. Threat modeling will be the star player here, as it not only drives and improves the secure development process, but also serves as the perfect vehicle to integrate and align privacy into security practices.
Speakers
Kim Wuyts

Kim Wuyts (@Wuytski) is a leading privacy engineering expert with over 15 years of experience in security and privacy. Before joining PwC as Manager Cyber & Privacy, Kim was a senior researcher at KU Leuven where she led the development and extension of LINDDUN, a popular privacy...
01. Gouden Carolus

11:00 CEST

MitM but for Mail (MaitM)
Friday September 20, 2024 11:00 - 12:00 CEST
Mistyped domains often take some convincing to be effective in phishing attacks. After finding the perfect typo, the real work starts setting up the perfect lure. Instead of this, an often-forgotten attack vector exists where potential victims already make these typos when sending email and/or configuring systems, letting go of plenty useful information while at it.

In this talk we will explore this attack vector, ultimately setting ourselves up for a Mail-in-the-middle (MaiTM) attack to steal confidential information, login using password resets, embed tracking pixels and even deliver malware. Configuring this can still take some work and requires quick timing, so to help with that we have developed a toolkit that we will demonstrate during this talk. Finally, considering the impact of these attacks we will dive into some detection and prevention strategies for this attack while also releasing some new proof of concept tooling to aid organizations in defending against it.
Speakers
Felipe Molina

Felipe Molina is a Spaniard hacker working in the SensePost Team at Orange Cyberdefense with 10 years of experience in the cyber security field. He loves Andalusia, Spain, to hack, to drink beer, to barbecue with family and friends, and deep diving into new software to find cool...

Szymon Ziolkowski

Szymon Ziolkowski is a pentester at the SensePost team of Orange Cyberdefense. Szymon has been in the industry for close to 8 years and enjoys application security and physical assessments - always looking for a door to open with a spoon. "He is Polish and a good guy" - Felipe Mo...
01. Gouden Carolus

13:30 CEST

Insert coin: Hacking arcades for fun
Friday September 20, 2024 13:30 - 14:30 CEST
Since we were children we wanted to go to the arcade and play for hours and hours for free. How about we do it now? In this talk I’m gonna show you some vulnerabilities that I discovered in the cashless system of one of the biggest companies in the world, with over 2,300 installations across 70 countries, from arcades in Brazil, amusement parks in the United Arab Emirates to a famous roller coaster in Las Vegas. We will talk about API security, access control and NFC among other things.
Speakers
Ignacio Navarro

Ignacio Navarro, an Ethical Hacker and Security Researcher from Cordoba, Argentina. With around 6 years in the cybersecurity game, he's currently working as an Application Security. Their interests include code analysis, web application security, and cloud security. Speaker at Hackers2Hackers...
01. Gouden Carolus

14:30 CEST

Forensic Flows, but make them better
Friday September 20, 2024 14:30 - 15:30 CEST
Digital forensic procedures often come with significant overhead, from navigating the complexities of different operating systems to lengthy processes for image collection in the cloud. Additionally, the myriad of available tools can require expertise to select and utilize effectively. Why deal with these challenges when you can automate the basics?

In this talk, we'll discuss the design of a framework aimed at automating triage-level forensics, making it accessible for all analysts to integrate into their investigations. We'll explore the open-source tools we've incorporated and the design paradigms ensuring scalability, concluding with valuable lessons learned.
Speakers
Jessica Wilson

Jessica Wilson is a security engineer who specializes in response and forensics. She’s worked on a detection and response team for over 6 years building logging pipelines, creating forensic programs, and automating triage level forensics.
01. Gouden Carolus

16:00 CEST

A Year in Review: Lessons Learnt from Red Teaming Gen AI
Friday September 20, 2024 16:00 - 17:00 CEST
Over the last 12 months Microsoft’s AI Red Team (AIRT) has conducted nearly 100 assessments of AI systems including comprehensive reviews of foundation models, multiple reviews of Copilot features, and in-depth reviews of AI systems in sensitive domains such as health care. From this work AIRT has developed deep knowledge of the most impactful security, safety, and privacy risks that the usage of AI systems in the real world can cause, the techniques and tooling needed to elicit them, and approaches to prevent or detect these risks.

In this presentation we will cover what AI Red Teaming is, the processes and tooling AIRT has developed, and most interesting what the key trends have been in terms of techniques and weaknesses identified during our many assessments. We will discuss how AI security issues are tightly connected with traditional cybersecurity, but also how the safety aspect of AI introduces new and exciting challenges to our work. We will also touch on how AIRT’s work has informed the development of new defenses for AI systems and how security professionals should approach defending the AI systems that they use.

We will also look ahead to next year and where the risks might go next, and how we might want to prevent them in a world where AI system capabilities are evolving at an extremely rapid pace.
Speakers
Peter Bryan

"Pete leads Microsoft's AI Red Team, working to identify key security and safety risks in the AI systems Microsoft develops and uses. The team research, develop, and deploy novel attacks against AI systems and work with product teams to develop controls and mitigations for the new...
01. Gouden Carolus

17:00 CEST

BruCON Closing
Friday September 20, 2024 17:00 - 18:00 CEST
01. Gouden Carolus