Training Day

| Time | Session | Speakers |
|---|---|---|
| 08:00 – 09:45 | Registration & Coffee | |
| 09:45 – 14:00 | How to Surf the Dark Web Like a Boss (or Eastern European) | Gabriel Cirlig (HUMAN Security, GB); Lindsay Kaye (HUMAN Security, US) |
Plenary Sessions Day 1

| Time | Session | Speakers |
|---|---|---|
| 08:00 – 09:30 | Registration & Coffee | |
| 09:30 – 09:45 | | Jeff Bollinger (LinkedIn, US); Matthew Valites (SAP, US) |
| 09:45 – 10:30 | From Buzzword to Battlefield: The Cybersecurity Challenges of Smart Cities | Marina Bochenkova (Corbion Group BV, NL) |
| 10:30 – 11:15 | CI/CD Security in Action: Strategies for Threat Detection and Response | Julie Agnes Sparks (Datadog, US); Juvenal Araujo (Datadog, PT) |
| 11:15 – 11:30 | Sponsored Coffee Break | |
| 11:30 – 12:15 | PepsiDog: Inside the Rise of a Professional Chinese Phishing Actor | Ionut Bucur (CSIS Security Group A/S, DK); Stefan Tanase (CSIS Security Group A/S, DK) |
| 12:15 – 13:15 | Lunch at The W | |
| 13:15 – 14:00 | Shadow Patching: Using AI to Discover Undisclosed Security Fixes in Open-Source | Mackenzie Jackson (Aikido Security, NL) |
| 14:00 – 14:45 | Engineering the Loop: SAP's Journey to Continuous Behavior Testing | Nikolas Dobiasch (SAP SE, AT) |
| 14:45 – 15:00 | Socialization Break | |
| 15:00 – 15:45 | Monetisation of Cybercrime in Ghana’s Forestry Sector | Anthony Yeboah Akoto (University College of Agriculture and Environmental Studies, GH); James Ofori (Kwame Nkrumah University of Science and Technology Kumasi, GH) |
| 15:45 – 16:30 | Guardians of Identity: Key Takeaways from Identity Theft Breaches | Diego Matos Martins (IBM, BR) |
Plenary Sessions Day 2

| Time | Session | Speakers |
|---|---|---|
| 08:00 – 09:30 | Registration & Coffee | |
| 09:30 – 09:45 | | Gavin Reid (HUMAN Security, US) |
| 09:45 – 10:30 | In-Depth Study of Linux Rootkits: Evolution, Detection, and Defense | Stephan Berger (InfoGuard AG, CH) |
| 10:30 – 11:15 | | Vanja Svajcer (Cisco Talos, HR) |
| 11:15 – 11:30 | Sponsored Coffee Break | |
| 11:30 – 12:15 | Incident Response in Kubernetes Environment | Mahdi Alizadeh (Databricks, NL) |
| 12:15 – 13:15 | Lunch at The W | |
| 13:15 – 14:00 | A Security Professional’s Guide to Malicious Packages | Kirill Boychenko, Philipp Burckhardt (Socket, US) |
| 14:00 – 14:45 | Scattered Spider's Cloud Tactics: Understanding the Ransomware Deployment Life Cycle | Arda Büyükkaya (EclecticIQ, TR) |
| 14:45 – 15:00 | Socialization Break | |
| 15:00 – 15:45 | | Emanuele Mezzi (Vrije Universiteit Amsterdam / Ethikon Institute, NL); Fabio Massacci (Vrije Universiteit Amsterdam / University of Trento, NL); Katja Tuma (Vrije Universiteit Amsterdam, NL) |
| 15:45 – 16:30 | Old School Fraud in 2024: Without Ransomware but with Ransomware Precursor | Rustam Mirkasymov, Vito Alfano (Group-IB, NL) |
Kirill Boychenko (Socket, US), Philipp Burckhardt (Socket, US)
This session reveals how attackers exploit typosquatting, author impersonation, and innovative malware campaigns to infiltrate software supply chains. Learn practical threat hunting methodologies, and gain step-by-step guides to detect, analyze, and defend against these malicious threats.
Kirill Boychenko is a Senior Threat Intelligence Analyst at Socket, where he specializes in threat hunting, malware analysis, and tracking software supply chain threats across npm, PyPI, Maven, RubyGems, and Go ecosystems. Prior to joining Socket, he served as a Threat Intelligence Analyst at Recorded Future’s Insikt Group on the Advanced Reversing, Malware, Operations, and Reconnaissance (ARMOR) team, where he analyzed new and emerging threats, malware, and TTPs while engineering detections. Before that, he worked at the United Nations, American Bar Association, and International Labor Rights Forum, coordinating international projects that mitigated human trafficking and corruption, and defended human and labor rights.
Philipp Burckhardt is Lead Data Scientist at Socket (socket.dev), where he is helping to secure software supply chains. Together with Athan Reines, he is engaged in the development of a standard library for JavaScript bringing numerical and statistical computing to the web (https://stdlib.io). An avid open-source contributor, he has spoken at various international conferences on topics ranging from political science and health-care informatics to machine learning and software engineering. He holds a PhD in Statistics & Data Science from Carnegie Mellon University.
March 27, 2025 13:15-14:00
Vanja Svajcer (Cisco Talos, HR)
In recent times, ransomware actors have been increasingly using the Bring Your Own Vulnerable Driver (BYOVD) technique, but what does it actually mean? What types of drivers are suitable for BYOVD? Which drivers are they bringing and why? Which vulnerabilities are exploited and what is the purpose of exploiting them? How is it all done and which threat actors have been using them?
This presentation introduces the BYOVD technique and digs deeper into driver vulnerabilities and their exploitation by ransomware threat actors. First, we investigate three primary classes of vulnerabilities in legacy Windows drivers abused by threat actors: arbitrary MSR writes, arbitrary kernel memory writes, and insufficient access controls. These vulnerabilities enable attackers to escalate privileges, load unsigned code, bypass EDR software and conduct other activities leading to the final payload.
We then shift our focus to ransomware groups leveraging BYOVD for their operations, including Kasseika, Akira, Qilin, BlackByte, and RansomHub, and discuss the BYOVD-related TTPs of ransomware groups active in 2024.
Our session also briefly discusses Windows exploit mitigations designed to counter these threats. Features like Virtualization-Based Security (VBS), Hypervisor-Protected Code Integrity (HVCI), Kernel Control Flow Guard (kCFG), and kernel shadow stacks play crucial roles in enhancing system security.
We conclude with a section on detecting and preventing BYOVD from the point of view of blue team members, documenting sources of data and detection strategies.
By addressing both the technical and the operational aspects of BYOVD, this presentation offers insights for forensics experts, incident responders, and cyber threat researchers, and provides the knowledge needed for better research into and detection of BYOVD-based threats.
Vanja Svajcer works as a Threat Researcher at Cisco Talos. Vanja enjoys tinkering with automated analysis systems, reversing binaries and analysing mobile malware. He thinks time spent scraping telemetry data to find indicators of new attacks is well worth the effort. He presented his work at conferences such as FSec, Bsides, Virus Bulletin, RSA, CARO, AVAR, BalcCon and others.
March 27, 2025 10:30-11:15
Julie Agnes Sparks (Datadog, US), Juvenal Araujo (Datadog, PT)
Have you considered what an attacker could achieve if they infiltrated an environment filled with critical secrets and IP? Join this session to explore past attacks on CI/CD environments and discover how a CI/CD threat model can help you build detections and respond to these threats in the future.
Julie Sparks is a Threat Detection Engineer at Datadog under the Security Research team and has over 7 years of experience. She has previous experience working on Detection & Response teams at startups such as Cloudflare and Brex. In addition to threat detection work, her focus is on bringing folks into the cybersecurity field and mentoring women in the industry.
Juvenal Araujo is a Senior Cybersecurity Engineer specialising in threat detection at Datadog, where he develops critical detections for highly sensitive assets. With over eight years of experience spanning offensive security, threat intelligence, and programming, Juvenal has held key cybersecurity roles in renowned European organisations. He holds multiple industry certifications and a Master's degree in Electrical and Computer Engineering, where he focused on computer systems and networks, cryptography, and cybersecurity. He has contributed to academia through IEEE and won first place in the national cybersecurity defense competition held by the Portuguese Armed Forces.
March 26, 2025 10:30-11:15
Nikolas Dobiasch (SAP SE, AT)
Starting a continuous security validation program in a complex enterprise environment requires thoughtful architecture, clear use cases, and systematic validation approaches. This talk shares SAP's journey in establishing our Breach and Attack Simulation foundation, focusing on how we approached detection validation, security control assessment, and advanced attack scenario testing. We'll explore our methodology for building a centralized Detection Lab, share our framework for staged validation, and discuss how we're preparing for Line of Business deployments. Through practical examples from our initial implementation phase, attendees will gain insights into building scalable security validation programs that can grow with enterprise needs. Learn how we approached infrastructure design, use case prioritization, and stakeholder alignment to create a strong foundation for enterprise-wide security validation.
Nikolas Dobiasch is a Cyber Defense Expert at SAP Austria, where he leads initiatives in security validation and detection engineering. His background includes heading cyber security at Vienna International Airport and conducting digital forensic investigations at Deloitte, bringing unique insights into defensive and offensive security operations. A GIAC-certified professional holding GCTD, GDAT and GCFR certifications, Nikolas focuses on building scalable adversary emulation and continuous behavior testing programs across complex enterprise environments.
March 26, 2025 14:00-14:45
Marina Bochenkova (Corbion Group BV, NL)
“Smart City” has been a trendy buzzphrase used by politicians, city planners, and tech companies for over a decade now — but their shiny promises gloss over dangerous realities.
Downtime and damages in municipalities due to cyberattacks regularly make the news, but we focus primarily on securing and recovering IT systems. Smart Cities by nature use a combination of IT and OT systems but have no established or holistic approach for managing overlapping risks to both. The consequences to security from varied stakeholders involved in Smart City planning and implementation go unexamined. Human hazards, vulnerable devices, and data management issues build on these to create diverse and creative attack paths for all sorts of threat actors.
Smart Cities present a ubiquitous and unique combination of risks which must be comprehensively assessed in order to improve procedural and operational security, reliability, and resilience. By reframing our understanding of what Smart Cities are, we can use and integrate pre-existing actionable strategies to prepare and defend against threats ranging from pandemics to nation-state attacks. As politically motivated cyberattacks expand in reach and collateral radius, we need to prepare our cities for when they become the next battlefield.
This talk aims to expand our definition of Smart Cities; discuss the data, human, and technological risks that they face; and share resources on how to deal with them.
Marina Bochenkova wears many hats as a cybersecurity analyst focusing on digital forensics, incident response, and OT security, while also dabbling in security awareness and culture. She combines a passion for protecting people, a strong belief in digital privacy as a human right, and an overly-enthusiastic approach to problem-solving. When not defending digital spaces, Marina actively nurtures her already-unhealthy obsession with cats and resorts to baking or martial arts when desperate.
March 26, 2025 09:45-10:30
Diego Matos Martins (IBM, BR)
This presentation explores the analysis of a real-world Adversary-in-the-Middle (AiTM) attack, in which a threat actor successfully circumvented the Multi-Factor Authentication (MFA) of a Microsoft 365 account belonging to a global corporation. Following this breach, the attacker executed a Business Email Compromise (BEC) and escalated the attack by performing second-stage AiTM and BEC operations on additional targets from the initial victim's contact list.
In this talk, we will learn about:
LA X-Force Incident Response Leader at IBM
Diego Matos Martins is the Leader of Incident Response for IBM X-Force Latin America where he leads a team of security consultants focused on the areas of adversary trend analysis, incident response, threat hunting and investigation.
March 26, 2025 15:45-16:30
Gabriel Cirlig (HUMAN Security, GB), Lindsay Kaye (HUMAN Security, US)
Oh no, your infrastructure is getting attacked and it is worsening by the day. The attacks seem highly coordinated, but where do you even begin when trying to hunt down the attackers? Roll up your sleeves and get ready to slip down the rabbit hole into the shadowy corners of the internet. In this 4-hour, one-of-a-kind OSINT and large-scale data-collection workshop, we'll show you how to become the cyber-sleuth you never knew you could be - minus the trench coat and fedora (unless that's your style). We'll demystify the Deep and Dark Web, debunk those spooky legends, and give you tips and tricks to keep a low profile. We'll arm you with cunning tactics for safe lurking in onion-land, navigating sneaky marketplaces, and scraping massive heaps of intel while also staying legal! Expect a healthy dose of humour and enough practical know-how to impress your pet goldfish—and give you something to talk about while you wait for the next season of Love Island. Get ready to dive deep, stay safe, and come out the other side a certified data-diving rockstar!
Gabriel Cirlig - Software developer turned rogue, went from developing apps for small businesses to 2M+ DAU Facebook games while keeping an eye for everything shiny and new. For a couple of years I’ve shifted gears and started my career as a security researcher while speaking at various conferences (SAS, AVAR, PHDays) in my free time showcasing whatever random stuff I hacked. With a background in electronics engineering and various programming languages, I like to dismantle and hopefully put back whatever I get my hands on.
Lindsay Kaye is the Vice President of Threat Intelligence at HUMAN Security. Her technical speciality and passion is reverse engineering. Lindsay holds a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.
March 25, 2025 09:45-14:00
Stephan Berger (InfoGuard AG, CH)
This talk, "In-Depth Study of Linux Rootkits," will provide a comprehensive examination of the evolution of Linux rootkits, from their inception to the sophisticated variants seen today.
Participants will gain insights into advanced rootkit techniques, effective detection strategies, and the future landscape for defenders. By exploring the historical context, current methodologies, and emerging threats, attendees will have the knowledge and tools necessary to safeguard Linux systems against rootkit attacks.
Beginning with an introduction to the fundamental capabilities of Linux rootkits, this talk traces the history of these malicious tools from their origins to their increasingly sophisticated techniques. It categorizes rootkits into kernel-level, user-mode, and hybrid types, explaining their respective methods for hooking kernel functions, intercepting user-space processes, and combining techniques from both realms. The discussion includes an analysis of rootkit persistence mechanisms and stealth techniques, which allow them to remain undetected.
Next, we shift to detection strategies, starting with signature-based detection, which identifies known rootkits through specific patterns, and addressing the limitations of this approach. We then explore behavioral analysis, which monitors the system for anomalies, and present case studies demonstrating the effectiveness of this method. The importance of integrity checking is highlighted, emphasizing the challenges in maintaining accurate baselines for system files and binaries.
Furthermore, this talk reviews advanced detection tools and frameworks, providing an overview of popular rootkit detection tools and practical demonstrations of their use. This comprehensive analysis underscores the ongoing battle between rootkit developers and cybersecurity professionals, emphasizing the need for continuous advancements in detection and mitigation techniques.
Stephan Berger has over a decade of experience in cybersecurity. Currently working with the Swiss-based company InfoGuard, Stephan investigates breaches and hacked networks as Head of Investigation of the Incident Response team. An avid Twitter user under the handle @malmoeb, he actively shares insights on cybersecurity trends and developments. Stephan also authors the blog DFIR.ch, where he provides in-depth analysis and commentary on digital forensics and incident response. Stephan has spoken at numerous conferences, sharing his expertise with audiences worldwide.
March 27, 2025 09:45-10:30
Mahdi Alizadeh (Databricks, NL)
Kubernetes has become a critical component of modern production environments, valued for its scalability, flexibility, and ability to streamline container orchestration. However, its complexity and dynamic nature present unique challenges for security incident response. A compromised Kubernetes environment can provide attackers with substantial computational resources and access, enabling activities such as data exfiltration, intellectual property theft, or cryptocurrency mining.
Incident response in Kubernetes requires specialized knowledge, as traditional security practices often fall short in addressing the nuances of containerized systems. For example, the ephemeral nature of containers, combined with limited logging and monitoring practices and insufficient support from detection tools, makes it challenging to detect, contain and respond to incidents effectively. Many security teams are unfamiliar with Kubernetes-specific attack vectors and lack the expertise needed to respond to breaches in such environments.
This presentation will first provide examples of Kubernetes attack chains and highlight techniques—such as privilege escalation through "bad pods"—that are specific to this environment. It will then review critical logs that should be collected and explain how disk and memory forensics can aid in incident response. It will also discuss the challenges that a team might face during the analysis.
Mahdi Alizadeh has 13 years of experience in computer security, spanning both academia and industry. He earned his Ph.D. in computer security from Eindhoven University of Technology. Throughout his career, he has worked in various security operations teams, serving as a security analyst, detection engineer, and security manager.
March 27, 2025 11:30-12:15
Emanuele Mezzi (Vrije Universiteit Amsterdam / Ethikon Institute, NL), Fabio Massacci (Vrije Universiteit Amsterdam / University of Trento, NL), Katja Tuma (Vrije Universiteit Amsterdam, NL)
Several recent works have argued that Large Language Models (LLMs) can be used to tame the data deluge in the cybersecurity field, by improving the automation of Cyber Threat Intelligence (CTI) tasks.
We present an evaluation methodology that, besides allowing LLMs to be tested on CTI tasks using zero-shot learning, few-shot learning and fine-tuning, also quantifies their consistency and their confidence level. We run experiments with three state-of-the-art LLMs and a dataset of 350 threat intelligence reports and present new evidence of potential security risks in relying on LLMs for CTI.
We show that LLMs cannot guarantee sufficient performance on real-size reports while also being inconsistent and overconfident. Few-shot learning and fine-tuning only partially improve the results, thus casting doubt on the possibility of using LLMs in CTI scenarios, where labelled datasets are lacking and where precise model confidence estimates are necessary to rely on LLM predictions.
Fabio Massacci (MEng’92, PhD’98 Computer Engineering, MA’95 in International Relations), married with two children, has been in Rome, Cambridge, Toulouse, Trento, and Amsterdam. He held visiting positions in Durham, Koblenz, Leuven, Marina del Rey, and Oslo. For a full biography on Fabio, see this page: https://fabiomassacci.github.io/
Emanuele Mezzi is a researcher at VU Amsterdam and TNO, where he focuses on the applications of AI to cybersecurity and threat intelligence. Concurrently he is also co-founder and AI Lead Researcher at Ethikon Institute, where he focuses on the development of methodologies to make LLMs explainable and trustworthy. Emanuele holds a BSc in Computer Science from the University of Salerno and an MSc in Data Science from the University of Amsterdam.
Katja Tuma is a co-speaker for this session.
March 27, 2025 15:00-15:45
Anthony Yeboah Akoto (University College of Agriculture and Environmental Studies, GH), James Ofori (Kwame Nkrumah University of Science and Technology Kumasi, GH)
Cybercrime has emerged as a major global concern, with increasing instances of online threats impacting various sectors. In Ghana, the forestry sector, which plays a pivotal role in the country’s economy, has not been immune to the effects of cybercrime. This study investigates the monetisation of cybercrime within Ghana's forestry sector, focusing on how illegal activities are financially sustained through digital platforms and their effects on the industry. Specifically, it explores the extent to which cybercriminals exploit forestry data, illegal timber trade, and logging activities through cyber means. The research addresses several key questions: How are cybercriminals monetising illegal activities in Ghana’s forestry sector? What are the prevalent cybercrime methods used in forestry-related crimes? How do these cybercrimes affect the sustainability of the forestry industry? What measures are being implemented to mitigate these crimes? To answer these questions, a mixed-method approach is employed, combining qualitative and quantitative techniques. Data is gathered through interviews with forestry experts, cybersecurity professionals, and law enforcement, alongside a survey of forestry businesses and government agencies. Additionally, the study uses secondary data from reports on cybercrime and forestry management in Ghana.
The results indicate that cybercriminals are exploiting gaps in the digital infrastructure of the forestry sector to facilitate illegal logging, timber trafficking, and the falsification of forestry-related documents. These crimes often involve phishing, hacking of logging permits, and the manipulation of satellite data used for forest monitoring. The financial benefits gained by criminals from such activities are significant, contributing to the growth of illegal timber trade and undermining legal and sustainable forestry practices. The monetisation of cybercrime within Ghana's forestry sector poses serious risks to both the economy and environmental sustainability. There is a critical need for enhanced cybersecurity measures, stricter law enforcement, and the integration of technology-driven solutions to curb these activities. Further research is needed to develop effective strategies to protect the sector from cyber threats while promoting sustainable practices in forestry management.
Anthony Yeboah Akoto is a skilled development policy and planning professional with a strong background in climate change, biodiversity, and natural resource management. He holds an MSc in Development Policy and Planning from Kwame Nkrumah University of Science and Technology, Ghana, and has worked in both academia and public service. Anthony has served as an Assistant Lecturer at the University College of Agriculture and Environmental Studies and held various roles in the Ghana School Feeding Programme and the Ghana AIDS Commission. He is a member of multiple professional organizations, including the Citizen Science Association and the Ghana Geographical Association.
James Ofori is a dedicated professional with expertise in forest ecosystems, conservation, and land management. He holds an MSc in Conservation and Land Management from Bangor University and an MSc in Forest Ecosystems from Copenhagen University. James has conducted significant research on the impacts of biodiversity on human wellbeing and the local democracy effects of forestry interventions in Ghana. With extensive experience in environmental governance, data collection, and analysis, he has worked with notable institutions like the Forestry Research Institute of Ghana (FORIG) and CODESRIA. James is passionate about promoting good governance in natural resources management for sustainable development.
March 26, 2025 15:00-15:45
Rustam Mirkasymov (Group-IB, NL), Vito Alfano (Group-IB, NL)
This is a story-telling presentation about an unknown group spreading Latrodectus, and all its modules, to operate an espionage attack, which concluded with a money theft. We are going to show how Threat Intelligence can speed up incident response procedures and assist in identifying other victims and active malicious infrastructure.
Rustam Mirkasymov has 10 years of experience in the fields of cyber threat research and threat intelligence, strong skills in reverse engineering, and an in-depth understanding of the mechanisms of software vulnerabilities. He has been involved in global cybercrime investigations, contributing to research on threat actors and the attribution of specific cyber-attacks. He is the author of APT reports (including Lazarus, Silence, Cobalt, RedCurl and OPERA1ER).
Vito Alfano is a specialist in Digital Forensics, Incident Response, Vulnerability Management, Cyber Threat Intelligence, Threat Hunting, Security Awareness and Secure Networks Design with 15+ years of experience in the field. He has completed tons of projects in different regions (Europe, APAC, US, MEA) and has investigated and responded to hundreds of security incidents, primarily related to APTs and Cybercrime, in intergovernmental organizations, space and defense entities and in the banking sector.
March 27, 2025 15:45-16:30
Ionut Bucur (CSIS Security Group A/S, DK), Stefan Tanase (CSIS Security Group A/S, DK)
Building on last year’s investigation into a massive Chinese package redelivery smishing syndicate, this presentation delves deeper into one of the key actors briefly touched on in the previous research.
PepsiDog is a threat actor that exemplifies a new level of professionalism, operating as a “developer-first” entity in the phishing ecosystem. By selling advanced phishing kits and offering phishing-as-a-service (PhaaS), they provide tools that enable global targeting of individuals and institutions, often through package redelivery scams.
This research highlights how this actor differs from others in scale, sophistication, and operational structure, demonstrating the ongoing evolution of threat actor capabilities. A day in the life of a threat researcher investigating this group will offer attendees a behind-the-scenes look at the challenges of unraveling their operations.
Additionally, we’ll explore their technical innovation, the expanded adoption of new cash-out mechanisms, and how their kits are being sold and deployed globally.
Key findings and updates for attendees include:

- Insights into how this actor designs and markets phishkits to other criminal groups, enabling widespread and efficient phishing campaigns.
- A peek inside the panel of the actor’s sophisticated phishing kit, demonstrating its modular and customizable features designed for global targeting.
- Analysis of the steadily increasing number of compromised credentials and financial data linked to this actor’s operations over the past year.
- Examination of the actor’s growing influence and their collaboration with other Chinese groups exhibiting similar tactics, techniques, and procedures (TTPs).
This session, tailored for both technical and non-technical audiences, will provide actionable insights into the professionalization of cybercrime and offer strategies for detecting and defending against such advanced threats.
Stefan Tanase is an experienced security researcher based in Bucharest, Romania. Having spent the last two decades combating the world’s most sophisticated cyber threats, Stefan joined CSIS Security Group in 2019 as Cyber Intelligence Expert, part of the eCrime Unit. Through innovative research projects and effective public speaking engagements, he actively contributes to keeping internet users safe. While Stefan specializes in collecting threat intelligence and monitoring the cybercrime ecosystem, he has a real passion for digital rights and internet privacy.
Ionut Bucur is a co-speaker for this session.
March 26, 2025 11:30-12:15
Arda Büyükkaya (EclecticIQ, TR)
In today's cloud-centric business landscape, cyber threat actors are increasingly targeting cloud infrastructures to conduct high-impact ransomware attacks. This presentation delves into the tactics, techniques, and procedures (TTPs) of the threat actor known as Scattered Spider, with a focus on understanding their ransomware deployment life cycle within cloud environments.
Drawing from in-depth research and real-world case studies targeting the insurance and financial sectors, we will explore how Scattered Spider employs advanced social engineering methods—such as voice phishing (vishing) and SMS phishing (smishing)—to compromise high-privileged accounts like IT service desk administrators and identity administrators. The session will examine their use of SIM swapping to bypass multi-factor authentication (MFA) and gain unauthorized access to critical cloud services and Software as a Service (SaaS) platforms.
We will uncover how Scattered Spider leverages legitimate cloud features, including Cross-Tenant Synchronization in Microsoft Entra ID and federated identity providers, to establish persistent access and escalate privileges within compromised environments. The talk will highlight their use of open-source tools for cloud reconnaissance, their methods for impairing security tools, and their strategies for evading detection—such as utilizing remote monitoring and management (RMM) tools, protocol tunneling, and creating unmanaged virtual machines.
Furthermore, the presentation will dissect Scattered Spider's ransomware deployment strategies targeting cloud Infrastructure as a Service (IaaS) platforms like VMware ESXi. We will discuss their automated deployment tactics and their use of cloud-native tools to execute ransomware payloads efficiently, making recovery efforts more challenging for victims.
By mapping out Scattered Spider's comprehensive attack life cycle—from initial cloud account compromise to ransomware execution—we aim to equip cybersecurity professionals with actionable insights to bolster their cloud security posture. The session will conclude with prevention opportunities, offering best practices in authentication and account security, cloud environment hardening, and detection queries to identify and mitigate malicious activities.
Key Takeaways:
Arda Büyükkaya is a Senior Cyber Threat Intelligence Analyst with experience in advanced threat analysis, proactive threat hunting, and incident response. He specializes in tracking financially motivated cybercriminals and nation-state actors, and has authored intelligence reports uncovering novel adversary tactics, techniques, and procedures (TTPs), providing actionable intelligence that supports Fortune 500 companies and government entities in enhancing their threat detection and response strategies.
March 27, 2025 14:00-14:45
Mackenzie Jackson (Aikido Security, NL)
Silent patching—fixing security vulnerabilities without disclosure—presents a critical blind spot in software supply chain security. With 1 in 6 vulnerabilities patched silently, traditional security tools relying on public vulnerability databases like CVE or NVD fall short, leaving organizations exposed to unknown risks. This presentation introduces an entirely novel approach that harnesses the power of Large Language Models (LLMs) to detect these hidden vulnerabilities in open-source software.
We'll show how our novel dual-LLM architecture analyses public changelog data to identify and classify silently patched vulnerabilities. Through a live demo, we'll show how this AI-driven method has allowed us to uncover hundreds of previously unknown vulnerabilities in major open-source projects, with 20% classified as critical or high severity.
Key points:
Mackenzie Jackson is a security researcher and advocate with a passion for code security. He is the former CTO and founder of Conpago, where he learned firsthand the importance of building secure applications. Today, Mackenzie works for Aikido security to help developers and DevOps engineers build secure systems. He also shares his knowledge as a contributor to many technology publications like DarkReading, Financial Times, and Security Boulevard along with appearing as an expert in TV documentaries and interviews.
March 26, 2025 13:15-14:00
Jeff Bollinger (LinkedIn, US), Matthew Valites (SAP, US)
With over twenty years of information security experience, Jeff Bollinger has worked as a security architect, incident responder, and people manager for both academic and enterprise networks. Specializing in investigations, network security monitoring, detection engineering, log analysis, and intrusion detection, Jeff Bollinger is the Director of LinkedIn's incident response team (SEEK). Prior to LinkedIn, Jeff helped build and operate one of the world's largest corporate security monitoring infrastructures at Cisco Systems. Jeff regularly speaks at international FIRST conferences and blogs about security topics. He is also the co-author of "Crafting the InfoSec Playbook". Jeff's recent work includes log mining, search optimization, cloud threat research, and security investigations.
Matt has spent the past 15+ years in various security roles spanning leadership, operations, investigations, field sales, and research. Currently leading Threat Detection Operations and Operational Strategy at SAP's Global Security Operations, he's spent most of his career in the Enterprise Software-as-a-Service space. He's a co-author of O'Reilly's Crafting the Infosec Playbook and a longtime active member of the FIRST organization.
March 26, 2025 09:30-09:45