← All talks

BsidesLV 2025 - Breaking Ground - Monday

BSides Las Vegas10:01:083.0K viewsPublished 2025-08Watch on YouTube ↗
Show transcript [en]

[Music] By [Music] dingle. Heat. Heat. N. [Music] Fire.

Home. [Music] Down. [Music] Hey. Hey. Hey. Hey. Hey.

[Music] Heat. Heat.

[Music] Heat. Hey. Hey. Hey. Heat.

Heat.

[Music] Heat. Heat.

Heat. Heat. Heat. [Music] Heat. Heat. Heat. [Music]

Heat. Heat.

[Music] Heat. Heat. N.

Heat. Heat. [Music] Heat. Heat. N. [Music]

Heat. Heat. N. [Music] Heat. Heat. N.

Heat. Heat.

[Music]

[Music]

[Music] Heat. [Music] Heat. [Music]

Wow. [Music] Heat. [Music]

[Music] Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat.

Heat. Heat. [Music] Heat. Heat.

[Music] Heat. Hey. Hey. Hey. [Music] Heat. Heat.

Heat. Heat. [Music] Yeah, [Music]

[Music] down. [Music] Black. [Music] Yeah.

[Music] Down down down down down down down down down down down down down down down down down down down down down [Music]

[Music] Hey, [Music] hey hey. [Music] Heat. Heat.

[Music] Heat. Heat. [Music] [Music] Corn [Music] baby. [Music] Hey, hey, hey. [Music] Heat. Heat. [Music]

[Music]

Heat.

[Music] Heat. [Music] Heat. Heat.

[Music] Heat. Heat.

Heat. Heat. N.

[Music] Heat. Heat. [Music] [Applause] [Music] Heat. Heat.

Heat. Heat. N. [Music] Heat. Heat.

[Music] Heat.

[Music] Heat. [Music] Heat. Heat. N. [Music] Heat. Heat. [Music]

[Music]

[Music] Hey. [Music]

[Music] Heat. Heat. [Music]

Woo! Wow! [Music] Heat. Hey. Hey. Hey. Heat. [Music] Heat. [Music] Heat. Heat. [Music] Heat. Heat. [Music] Heat.

[Music] Heat. Heat. Hey, heat. Hey, heat.

[Music] Heat. Heat. N.

Heat.

[Music] Heat. Yeah, [Music]

[Music]

[Music] heat. [Music] Hey hey hey hey hey hey hey hey hey hey hey hey. [Music] Yeah, [Music] down down. [Music] Down

[Music] Hey. [Music] Heat. Heat. [Music] [Music] Corn. [Music] Down. [Music] There you go. [Music] D hey do [Music] boom.

[Music] Down. [Music] Hey. Hey. [Music] Heat. Heat.

Heat.

[Music] Hey. Hey. Hey. Heat.

Heat.

[Music] Heat. Heat. [Applause] [Music] Heat. Heat.

Heat. Heat. N. [Music]

Heat. Heat.

[Music] Heat. Heat. [Music] Heat. Heat. N. [Music]

[Music]

[Music] Heat. Heat. [Music] Heat. Heat. [Music]

Woo! Wow! [Music] Heat. Hey. Hey. Hey. Heat. Heat. [Music] Heat. Heat.

[Music]

Heat. Heat.

[Music] Heat.

[Music] Heat.

[Music] Heat. Hey. Hey. Hey. Heat. Heat.

Heat.

[Music] Heat. [Music] Yeah, [Music]

[Music] down. [Music] Hey hey hey. [Music] again. [Music] Down down down down down down down down down down down down down down down down down down down down down.

Yeah, down.

[Music] Heat. Heat. [Music] We'll get started in a one minute.

All right. Good morning. Besides Las Vegas. >> All right. So, uh, usually I sit here and jabber at you for a bit when we start this thing, but, uh, this year I, uh, I found someone else to talk about all the things that we think are really important, all the values that we hold dear, and, uh, someone who's probably going to be about 150% more energetic than I am because I'm working on about an hour of sleep right now. So, uh, caffeine for me, but for you, a very exciting moment where you get to hear from our very good friend and, uh, someone we admire very much, Mr. Bryson Bort. [Applause] Does that work? Check, check, check. Can you hear me?

Can you hear me now? Does that work? Okay, there we go. All right. from me to we the way of the unicorn and I love your participation because it isn't a wei unless it is a wei together. Wow, that's phrasing. But so I have I custom um I had um custom ninjaorn stickers made. So if you participate, if you stand out, if you join, you will get special stickers.

It's not that hard. >> All right. So, I've done some things. Um, I founded an offensive consultancy called Grim, which created my full-time job right now, which is the founder of Scythe. And then I co-founded the IC Village with Tom Ban Norman. Come and check us out at Devcon. [Applause] So cyber security is national security. What is so unique about this discipline is whether you work for the government or the military or an intelligence organization and most of us work at a private company. We work commercial. So why are we going up against national security? What is it so unique about what we do that isn't just sitting there looking at computers, but every single day you're

fighting the Russians, the Chinese, the North Koreans. And it's not just random citizens there. It's state sanctioned, state sponsored operations. The organized crime that we face is tied to those countries. Ransomware, they are given target packages. They are given tools. They are told what to do or else Vlad's going to come and say hello with a gun. This is what makes our space so different. We are not just every day waking up and assuring that the email works. We don't work just the help desk. We're helping our comp. Whoa, it advanced twice. Somebody could have helped me out there. >> Like he's talking about national security and there's an ass and a unicorn out there.

>> I mean, you know, if you think about it, >> I mean, it seemed appropriate. I don't know. >> You can write the jokes or the jokes can write you. It goes both ways. This is what we face every day. This is what you're up against. This is why your passion, your interest, your capabilities matter because it isn't just another business problem. It's a national security problem. >> So there are two kinds of leadership. I got this idea from Dmitri Peravich who a number of years ago he said there's two kinds of companies. Those that have been hacked to know it and those who've been hacked and don't know it. And I came up with this because how many

of you have just had the greatest time in cyber security? You get unlimited budget. You get all the resources. Your leadership every time you come in and say, "Hey, we've got a problem." They're like, "Thank you so much for helping us. We appreciate everything you do to delay the shipment of that product three months because we came to you at the very end and it's your fault." Anybody? Anyone love the way you just feel like management leadership gets you, values you? Nobody. >> Not even for a sticker. >> You do. You don't have to lie for a sticker. Do not lie for a sticker. Only tell the truth. There's seats up here. I can personally

escort you if you like. >> Well, I appreciate that. Get that man a sticker. So there are two kinds of leadership asses and unicorns. The ass which is our perspective leadership does not care about cyber security does not care about security. Leadership does care about security. But let's back that up. Do you really believe that leadership doesn't care about security? No. They really It's not that they don't. It's that compliance is what matters. GRC is the existential foundation of that organization being able to operate. That's what I need to execute business. Cyber security is can I assure myself against something that might happen to me. You don't do what you're supposed to do in GRC. There is no potential. The

impact and the probability are 100%. That's why I care. And the reason I mention this is when you look at your leadership, when you understand which category they're in, change your headset, change the story and how you have to reach out to them. If GRC is what they care about, meet them there and establish that foundation and convince them peacemeal if you can to add the critical thinking of security as a process on top. If I hadn't already given you a sticker, I would have given you another one. Because here's the thing. If you work for an ass, you got a boat still. You don't have to continue to work there. If you don't feel valued,

go somewhere where you will feel valued. Now, I know the job market is tough, right? How many of you are still looking for jobs? For those of you who are hiring managers, look at those hands. Right? Since 2022, this market has been tough and we're now getting the double side of it from artificial intelligence. AI is taking jobs because leadership thinks it can do your job. Can AI think? >> No. You can go where you're appreciated. Go where they get it. Burnout is when we don't feel valued. And you can control that. You can I mean, you're not going to change an [ __ ] boss, but you can change their proximity to you. You don't have to be perfect.

Did anyone feel like a little like twinge at that? our perfectionism, the passion that we feel. We have an engineering and analytic mindset on average in this industry which makes us really prone to the following. We approach cyber security like engineers. But is societ is cyber security truly an engineering problem? >> Why not? >> It's a person problem. >> It's a person problem. It's a people problem. But we keep throwing technical things at it and we keep thinking that there's an answer. Has anyone solved cyber security? >> Not even. >> We're all sitting here, right? Because it's peacemeal. Cyber security is this. We put a bunch of things up. We call it defense and depth. Doesn't that sound good?

And yet like what every pentest as I get in I escalate known domain and I drop Mike. Where's your defense and depth? Well, we had all those firewalls over there. Cool. I have AD. I went right through them. So, we have this mentality that we have to be perfect because we have an engineering mindset as our culture, as people, as our archetype. But the problem is an engineering one. Part of it is social. Part of it is the fact that we do not today have the ability to have a discrete answer. You can't engineer a number in cyber security that matters. So I used to run an AP advanced persistent threat. I was the threat.

And it never occurred to me no matter what mission we got. And by the way, social was a huge part of what we did. We weren't just sitting somewhere hacking things. We got close and personal and we always won and we never got caught. And this isn't like we were going up against mom and pop's cookies. We were going up people who really, really did not want to be found. And let me tell you, fam, we found them. So why? Because the entire attack space is infinite. There an infinite number of ways. Again, courtesy of my great friend right now, my new best friend. What's your name? >> Josh. >> Josh. I'm g have to call you Josh number two

because Josh Corman is my best friend. But you're now second. You're close. If you'd had another name, I would have given it to you. But I will give you another sticker. >> All right. >> Cuz you've you've really done a good job of setting me up here. So, because it's mixed with social. So, first reconnaissance. I'm the thief pacing the neighborhood, deciding what house to break into. I like what you got. I'm going to break into your house. >> So, I watch. When are you home? Who's there? Do you have a dog? Is there an electric fence? Is there an alarm system? I build a target package. Now, there's not a whole lot we can really do

about that, nor should we care. It's minimal organizational impact. Building a piece of paper about me does not impact me. The second step, oh, sorry, this has animations. So, press button. So, reconnaissance, right? Nerds. Lord of the Rings. I mean, yes, that's pandering. I'm pandering. So next button,

they will get in. Anybody who wants to will get in. Now, here's what's interesting. Going back to the two kinds of leadership, to the burnout, to the challenges we face. And I'm going to bet some of you in here will even argue this. We are psychologically held up on that point. the breach, the hack, the breakin. Because back to our thief metaphor, the thief comes, picks the lock, the door opens. So what? Have they done anything to you yet? I mean, your doors open, but nothing has actually happened, right? You're already thinking of the next step, right? You're thinking impact, but impact hasn't happened. Back in the cyber security world, I've got shell. I mean, you don't like that I have

shell, but again, it's not what I've done. I haven't done impact. And this is where we get caught up because we keep thinking, how do we build higher walls? The CEO who flies a private jet read something about installing a moat with sharks with laser beams to defend the house. So, we're going to buy that. Guess who gets to install it and maintain it? But it still fails. All of these things fail. And so we spend all of this energy on it. And here's the thing, the dirty secret of cyber security is technical prevention there fails and isn't most of cyber security. Again, it's users using computers. And the thing we can control is what

happens next. The funny thing about that picture is that's actually me. That is not doctorred at all. That is actually a literal picture of me. Look, co was hard for all of us. Okay. Can we can we acknowledge that? That's me discovering I have an Olympic level ability to grow a beard. That was like 12 months a beard. >> That's awesome. >> Thank you. [Applause] >> So, it's actions on objective that matter. And here's the thing, that's what you control, right? We keep talking about we don't have control. We have anxiety. We already leaped to the next step, right? Your anxiety led you to that because you were already feeling what could happen even though it hadn't

happened. That's actually the psychological definition of anxiety. I am now potentially at risk of falling. Am I falling? But no, but I think I might. And I focus on that instead of the perch that I now have. That's anxiety. That's what we tend to do. But here's the thing because it's flips the trope. You all have heard the defender always needs to be right and the attacker only needs to be right once. Everyone knows that >> [ __ ] It's wrong because that only applies to initial access. Everything I do afterward as an attacker, if I'm not perfect, you catch me. The defender only has to be right once on what they control. Which, by the way, what do you

control? Those are your computers, aren't they? >> You control everything. Yes, you control everything. I knew you were working it. I could feel the energy. It's like the the pocket was getting pulled. They are your hosts talking the way that you dictate. Computers have communication protocols that are limited. I do not I do not have I cannot have unlimited ways to speak. So, I have to talk the way that you already speak because you don't have to speak Russian to recognize me using something special that's not in your environment. It'll stick out. And then the third part, there's only so many things I want to do on a host as an attacker. So more data isn't always a good thing.

We as an industry in the last 15 years have invested all of this energy into visibility. I can't act if I can't see. So therefore, let's just get it all. I call it the NSA problem. You might have a Snowden in your company. I can't say. And the NSA problem is they hoovered everything and then went, "Oh my god, it's really hard to look through everything to find what we want because there's more. More gets in the way of more." This is why detection engineering is becoming so popular because instead of looking at this entire hunk of marble and trying to figure out what we just all right, well, I'm just going to carve what I need.

This is why tier one sock analysts get burned out. Anyone done that? Anyone make it longer than 18 months? Really glutton for punishment. Sticker worthy nonetheless.

There's a reason I'm not an athlete. So, we need to be conscientious and not just collecting more. We need to be purposeful because it will overwhelm us. This is what our tier one analysts are going up against. There's all of this information and it's not curated for me. I'm fighting the system that's supposed to help me do my job. And why are we surprised it doesn't work?

One more button click. Now it's honest. We need to get out of the me mentality that it's us against the user. [Applause] Ground zero clap. >> The user is the best defense. >> The user is the best defense. The no before guys right up there are going to love you right now. >> They're going to hate >> Eric and James. He's right here. Why do we continue to blame users for using a computer the way it was designed? Easy. It's cheap. >> Anxiety. >> If them clicking an email can burn your company to the ground, I'm sorry. That's on us. That's on us. We need to work around users. Going back to different kinds of

leadership. Leadership may not consider this a priority, which means why would users? So why are we getting into this adversarial relationship with them when the reality is it doesn't change anything anyway and they just start ignoring us? That doesn't help. We're supposed to be partners, aren't we? Everyone keeps saying that, right? I feel like I hear that over and over again. Cyber security is supposed to be partners. And yet first time we get this, we start beating up users. Oh, that guy kicked that email again for the 17th time. Well, you know what? Maybe we can do something about that guy where we let him do that, but we quarantine around him, right? We can build additional measures.

A partnership means let's look at the problem and let's come up with creative and collaborative ways to solve it together. The other reason I use that picture besides it's really funny is anyone ever worked with users who think they are smarter than you? Everybody who works in an engineering organization, right? Have we gotten past the point that not everybody should have CIS admin? We solved that at least. All right, good start. Good start team. Good job, fam. But I picked this one because this is also part of the challenge. You will have business processes, business divisions, business leadership, business people, users who think they're smarter or think they're entitled. You don't get to fight that. You have to

work with it. It's a cultural challenge. And you individually cannot just change a culture. That's the point of leadership. That is the onus that is on them. So to avoid the burnout, stop going at it directly. Start offering it up as their problem, not yours. You don't have to be this tall to get on the ride. Has anyone in here felt the gatekeeping? What is it? How does that feel? Terrible. Why does it feel terrible? Makes you feel worse. Shouldn't we are going through this problem together and yet we make it harder to bring people into it and we condescend. I'm sorry. I don't think there's any person in this room, including me, who was born knowing everything.

>> I still don't know everything. Our job is to be students for the rest of our lives. When you stop being a student, you're dead. And part of being a student is being a good teacher when you've learned it. In fact, it's the funniest thing. I love to teach because it's what keeps me current. It's how I learn and I learn. And as a teacher, we should be looking at how do we help others get to where we got? Whether that's helping them find a job, not being an [ __ ] so that we hurt them, and truly building each other up. You know what? That's your inspiration.

You went too far. Offense is not the top. Who thinks that offense is the top? to the career to this industry. We venerate red teamers, pentesters, hackers. We all go, "Oh, I wish I had I was one of them." You want to take a hacker down to size just point out, "Hey man, hey woman, all you do is quality assurance." >> Am I wrong? You find bugs. You find bugs. You're quality assurance. You're a bug tester. Now, I'm not saying there aren't cool parts to this, but that's what it is. It's quality assurance because the end of the day, I can't do offense unless I have something to do offense on. And that's the base of

the pyramid. That's what all of us are. We are GRC. We are blue team. We are all of those functions that actually help our users and our organizations do what they're supposed to do. And Red's job is to just check the work. That's what they're supposed to do. For those of you who've been seeing me speak in industry for a long time, I was the one of I think I was the first actually who took Red Team to task publicly because we had these egos and red team was being driven by ego. What's the cool thing I could do? And I'm sure a number of you got to experience this personally where you got the professional [ __ ]

who came in and was just like, "Man, I just wrecked all your stuff." Okay. And how do you help me? Here's a poorly written report. And you look up and they're already gone. Wait, so you're not even going to help me fix this stuff? Check cleared. That's the way it used to be. It's still like that in some places, but that's where I honestly I first stood up because we kept as an industry lionizing that we were systemically locking in [ __ ] Why? They're QA. You're what matters. And them being a part of what we are doing is what matters. not them high-fiving each other and talking about, "Oh, we still found the same vulnerabilities that I didn't

help you fix." So, this is fun because we are actually where this story happened. The fish tank. There are two takeaways from this story. The first is your organization has a fish tank. Your organization has something that the operations side says this is important and you go it's a fish tank. I have to secure a fish tank. Is this a real job? Now in this case we like the fish tank and operations because we're casino. It gives an ambiance. People are likely to come in and spend more money. There's an operational reason we're doing it. They may never communicate that to you, but it exists. The second is you have a fish tank because you have assets or asset

categories that are not visible completely outside of where you are looking and what you are defending. In this particular case, the Iranian Revolutionary Guard found the fish tank, popped the IoT sensors because if you ever want to feel like elite hacker, just look at IoT. You will find zero day in less than five minutes if you have never even done it before. That's how bad IoT is. And whose organization actually has not only a policy, but a defensive posture that includes IoT in it? I stopped teaching it five years ago because I saw no companies actually do anything about it. I just gave up because it's an entire class we don't even track. What better way to just pop

into a network again, low barrier to entry and I have invisible access in to whatever I want. If you want a demonstration of that, look up my 2018 RSA talk, no IUs with IoT. And I actually demonstrate it's not a privacy problem. It's a lateral movement problem. And so in that story, they popped the fish tank. $50 million of damage to the casino. Not pretend statistics. $50 million in a revenue hit because we didn't see the fish tank because that's where the APS are looking. They are looking where you are not. They have the imagination and that's part of our challenge. But again going back to the BAM model, this is just initial access. If we are

truly building the detections around that, the second they cross into the core enterprise threshold, we will see them and we will stop them.

Cyber is people. talked earlier about the fact that one of the challenges we're having in our job market is driven by artificial intelligence. And I know everybody is well aware because you can't help but miss the hype train that artificial intelligence is this new revolution. Everything is going to change. Well, the revolution today is knowledge management. We went from a datacentric model to an information ccentric model. That's the current artificial intelligence revolution. That's it today. There is this promise that at some point it will be able to be the equivalent, a cognitive equivalent of a person to matter. But we're not there yet. So what is AI? There is a YouTube video called the racist soap dispenser.

And the racist soap dispenser, as you can see here on the right, we see a dark-kinned hand trying to get soap in a bathroom. In that story, he takes a white paper towel and puts it under and gets soap. What did we learn? Do we think the development team for the sensor is racist? >> They're not overtly racist. But we have a training data and a unconscious bias problem. So, I'm going to do a little bit of play acting. My name is now Chad. I live in the Bay Area. I make $450,000. I don't even know how or why. I still got Meta Stock. We called it Facebook back then. And me and my bros, I mean,

we're just vibe coding in the garage. And I got the light sensor to work on this new tech. So, I asked my friend Brad Hey Brad, check it out. Brad comes over and Brad puts his hand under and he's like, "Ship it. We're good." Because we have a homogeneous development team. And so the first lesson that we can learn from here for artificial intelligence is the value of training data and our unconscious biases. How do we assure that what we ship doesn't become Mecca Hitler in 24 hours? It's a Grock joke. The second, while not getting soap in a bathroom is not a life-threatening situation, we look at where this stuff is going, it's going to increasingly affect our

lives in unintended ways, too. We need to build the execution guard rails to be looking at when something gets out of tolerance, a human comes in the loop to fix it, to understand it, to do that. So those are the two aspects of what artificial intelligence is, where it's going, and how we need to be thinking about it at a high level. But at the end of the day, this isn't about tech because cyber is people. Cyber is you. Cyber is the users. Cyber is the leadership. And cyber is us. And whether we are a community

I know that DEI is a dangerous phrase these days, but I'm sorry. It's something we need to address. It's part of the gatekeeping, [Applause] but it's more than that. Security is a critical thinking process. We need people who think differently than us. We need heterogeneity. We need difference. We need weird. We need eccentric. We need calm. We need crazy. We need rational and irrational because irrational is going to think about the think the think tank. You need everybody. We need everybody together. But here's the thing where we are failing. We're inviting all of those people to the table and then they don't feel safe. We need to focus on inclusion. It isn't that you're there, it's that you feel

safe to share your voice. And so, everyone in here is potentially an ally, whether that's in the community or at your company. How can you help others feel safe? That's what an ally is. It's the courage to stand up and help create that safe space for somebody else who can't. And I don't care if that's here in this room. This conference for the next three days is your chance to start to put that into practice. That kindness goes a long way. And every one of you has that responsibility if you can step up to it because it is only together that we're going to do this better. So whether you work at a random company,

your city or your country, this is humankind. This is what we do. This is what we will do. Thank you.

Thank you for the opportunity. >> Right on time. >> All right, folks. We're going to go right into the program now. So, please find the talk that you are interested in. If it's here in Breaking Ground, so much the better and enjoy the con.

Um, >> was the clipper not present or saw one? >> So, I just figured I would like back and forth. >> All good. [Music] Heat. Heat. N. [Music] Heat. Heat. [Music] Woohoo! [Music] During

[Music] I appreciate it.

Thanks for coming. [Music] All

right, ladies and gentlemen, please put your hands together for Lucas. He will be our next speaker. [Applause] Hi guys. Uh first of all, I need to say something. Uh I am still learning English and I've learned everything from myself. So sorry about the accent but I think the message will be the the most important and just to clarify the expectations of this talk. Uh we will cover uh things uh with the focus of uh vulnerability research uh zero day uh fighting and uh issues that uh will help you help you people uh and things that uh will do some like uh red teaming or a uh things like that. and uh feel feel free to reach me out uh after this talk

and I will it's it's will be my pleasure to you know to stretch with everybody and uh yeah and the technical aspect aspect of this talk uh I will uh talk about uh information one information disclosure uh that don't have authentication. And in this information disclosure page, we find one cross- sight script crossite scripting storage. And with this uh cry site we got one proof of concept that uh one user could uh get the ring roll key to join the any agent to the console of the train micro and we'll also cover uh a potential bug uh that could lead to common execution in the Android client side. So uh I think this uh clarifies some things and

please be patient with my accent and with my English but yeah is this here we have some uh you know some letters it's me but uh I think this uh is not some important to this talk. So if you guys need to reach me out or something like that, I think you guys can take one picture or something like this. And let's go with the important things. Uh why trended micro mobile security? To me this uh platform was very important because uh I meet one guy uh his name is Oliver Lima and he uh comes like a father figure to me. uh I was in a bad situation of life and when I meet him he

he he uh start to teach me in in cyber security uh offensive security in particularity and when uh I meet him uh I also see that uh one thing that he make him sprout uh was the this train mro house of fame. So I was start thinking and when one day I have the skills uh I think this will one thing to make him proud of all these years and uh talking about uh you know the aspect of the market uh security tools must need to be tested to uh principle because uh companies have these these uh tools and if you get some zero day some uh issue that uh code get you in uh you

will uh get some privilege of level that maybe others tools don't have because security tools uh need to traffic and need to understand uh various layers of data. So this is uh something that uh researchers uh need to to search in zero day and things like that. And we want uh we want also a challenge because uh you know uh one enterprise focus focused on uh antivirus. I think the uh level of this m the security will more be will be more high. So uh with this challenge we get some datas that uh we could improve and based on our or result uh and yeah this is the uh trend micro hall of fame and Oliver Lima was in 2017.

I think this this is the number and this is the and this is was uh when I meet him and talking about the uh impact of the market when we see in the Google Play Store we see this number so very users uh around the world and companies uh are using the enterprise mobile security that is the APK uh that we use to uh connect in the console console of the trend maker. And in the business page, we can see also the numbers of companies and segments of this industry that uh work with trend micro. Uh this is this was the email of uh my report and uh yeah trained mro uh get some time to to reply

this and also fix the issue because uh the issues uh are uh in particularity h in divers uh applications of trade micro including uh the xdr I think the name is vis one and this takes some time to to get fixed. So uh after uh this approach uh of the mail uh with taking in the process of the responsible disclosure I go to uh tell you guys all the technical uh aspects of these findings. So uh how can I get these uh issues the processes I think in vulnerability research it's like uh some it's like some uh artistic way because you have something like the abstract and if you have some pushes and things that you can uh think and get the

puzzle done you get a really beautiful result of one art that maybe you can chain uh sometimes four, five, six vulnerabilities and get one mona of cyber security exploit. And starting with this uh before I get the uh dynamic analysis uh I had to to front I have in my front I was uh looking and in my front uh I've uh search and got one SSL pine and one dumper. uh I will not uh focus on explain how this work but in how I found this process because uh I think in the internet on the internet you guys already can search how bypass SSL pin and tempering but the the mind behind this the process behind this the flow I

think this will not be on the internet so this is like the thing that I I want to show you guys and uh regarding the SSL uh pinning here here is all the package and class that I find and the method uh that uh I need to to patch to avoid the this client side protection in order to do the dynamic the dynamic analysis. So this is the code of uh the temper. Uh and if you guys can see just to curious in the line 592 this is the hash of the uh APK that uh in the condition if the uh APK does not match this hash. it this uh signifi this result that the hash the APK was

modified and has a have a new hash. So the agent will not let the user open the APK when uh we uh edit this. So I basically remove uh everything and uh put the return of the con constant uh every time false h true. So when the this condition uh comes the boolean true will return every time saying that the emo is right and we uh get in on the application. uh so with no problems and uh with the dynamical analysis in hand we I start with my process and uh the process is very important because uh I think everyone says that the recon part is uh one of the most important thing and uh

in vulnerability research is also true the most important thing because uh you need to uh deal with a lot of uh reverse engineer and things that you can maybe don't have uh information uh exposure on the internet. So you need time, you need uh pay attention and create some processes to not get lost because there is some uh there is a big big big things like uh giant line of codes like uh maybe expose it documentation uh pdf teaching how you how the administrations can use the the platform. So this take time and with this timing when you know how the applications works you can get some insights in how you can uh change the

flow execution or find some things that is not uh expected from the developers. So yeah the key points of this uh this find is uh this report page are this authentic are unauthenticated. So everyone that have this name MDM web notific uh sorry this name MDM web repository hab report rep report manual output security report will get in this page. you just need to uh change the EP address and you will get uh reports of the uh all the agent that uh meta all the metadatas of agents are sending to the console. So and this is the report page of uh administration view. You can also generate the report report and also uh schedule. So uh in big uh giant

companies, giant enterprises uh this report have very very uh good information because the unique problem here is like uh the data that is returned is uh about is focused on one top 10 because all the information are returned in charts. Yeah. So we can only get uh some uh clues about the top 10 uh informations there of the uh that is coming out of the console. So we have for the these all types of report the security report, devices inventory report, compliance violation report, application inventory report, device enrollment report, a device unenrollment report. uh the informations are here in the print screen but uh we don't have some some uh things that is interestant right now

but moving forward when I was uh saying to you guys uh about the process uh to me uh vulnerability research is one artistic way of seeing seeing hacking. So the processes is very important in one page that uh maybe don't represent uh some risk. Uh I think if you go searching and looking deeply, you can maybe find some something that are will get your first vulnerability more and more valuable. So uh this is a clue if the page are already unauthenticated maybe the developers uh have for forgotten to uh something forgot to maybe sanitize it some characters or things like that and I start to to think how can I get this how can I can uh make

this table uh with data uh where this data comes out. And with this uh thinking uh I get into the agent and because of this I was uh it was needed to bypass the client side protections because I needed to uh put the communication uh proxy to watch the uh the traffic and maybe uh modify the metadata of the android and uh get it it to the console. So if everything goes right, the console it will hinder like uh the things that I am sending and maybe we can get some uh vulnerability and in this case uh I search I have done research and so many types of injection in this page but uh the JavaScript injection it was the only

unit that I I got triggered But uh this uh cryite scripting was one interenting uh storage cryite scripting because this page is unauthenticated and uh in the exploitation part p part p part p part p part p part p part p part p part p part p part uh of the chain we could get some uh p some proof of concept that uh we could get in in the console uh you in the administration console with the priv privilege of the admin and we also get the enroll key. So uh like cross-ite scripting is based on you the hacker operation. I think this is uh a type of attack that uh have a majority and various ways to be applied

in one operation or in one a fox it on uh company or one enterprise that is using uh trend micro. Yeah. So the key points here are the Android agent sends meta metadata including the app name to the server. So the parameter that uh was vulnerable is the app name of the uh the uh the one thing that is cool if you guys like create some APK with the name that has the payload when uh the console start this scan everything they will get literally this new APK with the name of uh with with that contains the payload and will trigger again uh because uh the app name will be handed in the device inventory report and you don't

need to like send a properly one request or something like that. you could uh like automate this action to get one uh operation more silently and I think uh more accurate and the name is deployed on the report without the uh sanitization or any type of uh protection allows persistent JavaScript injection in a page handed for admins and users storage cross-ite scripting is delivered via The semi unauthenticated report p report rep uh endpoint work across browsers. No special payload needed for execution. Exploitation occurs with uh without the user uh interact interaction. You just need to enter in this page and the payload will be triggered. And uh yeah this crossside scripting can be used to

to do various various types of attacks different attacks. This was the request and the payload used it. Oh all right is uh is good to to see. Woohoo. But uh yeah we have here the request. We can see here the end point that was affected and here the payload that I have used and in the console part we got here in the device tab and when I got I come to uh the user ID of my device here I can see the names of the installed applications that was sconage from my phone and we also get here the payload that I have used. I before uh after this I go I've go to the application

inventory report generate the uh new report or in case of one real attack scenario world. I think the most appropriate way will be wait the schedule to run and get the new report with the uh payload. And here we got the the simple alert to just see the JavaScript working with uh this explanation here. I will show one simple video to show better because I know that I need to improve my conversation but I think with the video will be more easy. So yeah, here I am changing the app name but you guys can uh automatize this with various ways like uh one using one APK that you you guys have created or maybe using uh one Friday script

embedded in another uh APK. A

generating the report and when we check it out we get the simple alert just to Yeah. Thank you. Thank you. Woohoo. And one thing just to to show is that don't need the authentication. So everyone that access this page will will trigger this cross- site scripting.

Yeah. Showing that I am really not logged in. Okay. So uh yeah we have this uh enter point. So in Hakai security we have some uh mindset that we go always deeply uh every time we can because uh we train our mindset. we learn uh everything every time things and we want to get more close of one real attacker. So in our uh vulnerabilities research in our security researchers we always focus uh on this part to get more close of these uh threats. So I was thinking in one scenario to to this talk and uh one classical uh way of uh you know to get one cross-ite scripting better upgrade better vium of the crossite scription

like upgraded vium uh is the session hijacking but obviously uh based on your raditing operation your PT or something like that. You can always choose your uh way because uh one of one time that you have the control of the client side user uh you can basically do anything that your mindset and your brain uh uh get. So yeah to show uh I have done one JS exploit. I don't know if you guys can see but I will one second. All right, I will uh pass uh some faster to you guys. I think now is better to see but there is not comp complex uh there's not anything hard it's do it it do uh the get the local

storage to avoid problems with the CSR CSF token and uh we uh our goal is to get the cookies the cookies to uh manipulate and interact with the console. So I have done here the exploit to already h log and make a post to my web server uh with uh the communication using the object fetch to avoid problems with uh course uh also. So here we basically have uh the instantiation of the uh cookies and the instantiation of the local storage to get the value of SEF token and uh all the particularity headers that need to communicate to the console after we get the uh the tokens needed. Yeah. So keep going. This was the uh sorry guys just to get a

better view to you guys but this is the code of the web server a simple code uh two but uh created to avoid problems and get more uh debugable verbose uh informations to understand what we are doing. So here we have our configuration of course to avoid again problems our uh self path with the baja with the slash log sorry for the Portuguese uh the slash log and the content length and the information that we are excfiltration uh of the user that are accessing this page. So this was the final payload uh is a simple pay payload. I just need to break the first uh uh meta tag of script. And after this I have created my uh script

with the source uh pointing to my IP address uh with my JS exploit. the previous exploit of JS that I was showing to to you guys. And yeah, this was the haz when the administration access the report page. Uh we got on our VPS the uh cookies like the session info, the deploy mode, the TM MMS token uh and this is was used to authenticate to in the console and previous I was saying uh that I already created one as uh one uh one action that uh make that will make us uh with 100 uh% with uh accurus that we get the a valid token and we got access to the administration console. So again to make things more

easy I think uh videos work very very good. So here we have uh the attack all the uh the all the attack of this proof of concept. I am right now just deleting the metadatas of h every application that was in my cell phone. Here is the affected endpoint and the affected parameter with the payload that I have constructed. And now I am going to the console to see if everything is okay. And yeah, we have the payload. Now we just need to enter in the report page uh the application inventory report page. And you guys already can see nothing happens in the administration view, but in our console we got the all the information that we could use to get

in on the console. So here we have the session info, we have the TMMS token and uh below we have the request use it to test if these sessions is uh valid. Yeah. And here we got the enroll key.

So with a valid uh session we just uh change the values of uh the browsers local storage and we can uh refresh the page and get in of the in the dashboard administration page and moving forward to the common execution part. uh this vulnerability this buggy vulnerability uh unfortunately uh is more specifically so the affected code uh I've found in the trend micro Android base I I2 and device I2 uh this uh class and package have in the line oh the line will be changed And but in the method uh boolean C in the line tree we have one get runtime exact uh this uh particularity of this line uh the when the application start the scan

they look if the Android agent or iPhone was hooted or jailbreaked and this was one of this uh verification to know if the device are with uh high privilege or things like that because the binary sue. So, uh it was a a a hard verification because uh you guys will see if someone with uh you know uh some uh knowledgement about reverse engineering and uh creating exploiting uh maybe you will be uh hacked by uh this specifically in just single line of code but is more hard because this is focused on the client side. So uh you need some scenarios that uh to exploit this but to just to show uh what is the problem if the attacker the operator uh

got success in this uh scenario. Here I am uh setting up my netcat and I will run Friday with the comage execution exploit. The application will open and we will press to scan. And here we got the connection of the our he shell.

Yeah. So if you guys uh see the attack vectors here are the memory level execution view the class the end package uh device U2 the class device U2 and the method was C app size load the attack vector maybe uh could be could be success with app size like using one tried it with embedded uh code or maybe if you have some courage, you know, if you are not like me and have some anxiety, you can maybe try to steal from the enterprise in one operation. And with this cell phone in hands, you can uh v types of data and access that uh could uh help you to uh do the lateral movement and maybe uh get

uh more information and uh a better result of the opera the final operation. Uh unfortunately the challenges uh was uh I could not get the this execution run it by console and uh to understand how this uh to how get one reverse shell. You need also understand the lifetime the life cycle of the scum because the action the malicious actions uh will only happen happen uh when the scan uh goes. So uh we have some cases here and some technical insights but unfortunately trained micro uh has replied me not considerating it a vulnerability because this code to exploit this we yeah we need to create another APK or another type of interaction and unfortunately they not

approve it But uh here we have the affected version if you guys want to get some some you know some aduventory. And yeah in the first uh in the beginning of the talk I was saying Oliver Lima was like one father to me and one inspiration and I am so happy to make him proud to say that trend micro confirmed the other two vulnerabilities and right now I am in the hall of fame of trend micro and this photo to me is very cool because it was in the first time here in Vegas and I am from Brazil and Brazil we do not have dispensary so yeah I love this cooks cooks in in my

heart yeah so I was very very happy Viv America and this was the timeline of research uh uh next month you guys will have the uh fully article. Uh the article I promise you guys that I can uh write perfectly in English but uh I learned everything from from myself. So I need to practice more conversation conversation and I will get more shy less shy and yeah always improving myself questions. Oh, his time was over. But yeah. Yeah. Thank you guys. Thank you. I will be here side if someone have some cash or something. But thank you again guys.

Okay. >> No, you can use the to the code in one another application that uh don't need the h. So the Friday will help you with this question. [Music] Heat. Hey, Heat. [Music] by [Music] Boogie baby [Music] down. [Music] Doo [Music] doo doo doo doo doo. [Music]

[Music] Heat. Heat. [Music] Heat. Hey. Hey. Hey. Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat.

[Music] Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat. [Music]

[Music]

[Music]

[Music] Heat. Heat. [Music] Wow.

[Music] Heat. Heat. Heat. [Music]

[Music]

Uh good morning and everyone and welcome to the Las Vegas Psides 2025. This talk is with Noah Ro uh give on creating the torment nexus using machine learning to defeat machine learning. So a few announcements before we begin. We'd like to thank some of our sponsors, especially our diamond sponsors Adobe and Iredo and our coal sponsors Foromo and Drop Zone AI. It's their support along with all the other sponsors, do donors and volunteers that make these events possible. So these talks are being streamed live and as a courtesy to our speakers and audience, we ask that you make sure your cell phones are set to silent. With that being said, we can stop with Hey everyone.

How many of you guys have seen this uh this tweet before? Um me and my friend were actually talking about this tweet the other day or >> is it not on? Can you hear it? >> How about that? Can you hear that? >> All right. Uh me and my friend were talking about this tweet um about a year ago. Did you know this guy's from The Onion, by the way? Um, here's here's me and my buddy Adrian at the pub last year. Um, I'm the guy on the left. I don't remember much about what we said, but I do remember the most important parts. Uh, we were talking about pandas, specifically how you could convince an

AI that it's actually a monkey. Uh, this was the talk the topic of the talk he gave earlier that day about how you can fool AI into thinking something is what it isn't. Uh, how do you do that? By adding noise. If you hide that specific pattern of noise in an image, it messes with the way the computer thinks about it. And that's enough to fool a million-doll algorithm. But I can hear you thinking, unless we come up with a way for this to fool women on dating apps that you're actually Chris Hemsworth, this doesn't do do much for you, does it? But fortunately, this got us thinking. More and more AI models are starting to be

used in cyber defense. Would they be vulnerable to this kind of noise, too? Hello everyone. My name is Noah Groch. I'm a 21-year-old graduate from UNC Charlotte in North Carolina. Uh I enjoy playing nerd games in my free time and I have four pet ferrets. Last year I was invited to work at Dropbox in order to work on this project that I'm presenting here. Uh where basically I get to uh gaslight AI into thinking what I tell it to. Now even though malware and monkeys are seem like two different things, this idea actually did make quite a lot of sense. Lots of people don't know, but this is actually what AI looks like. Machine learning algorithms are really

just giving a boatload of numbers to a computer and telling it to figure it out on its own. Our monkey example is no different. Even though we're going to be giving the computer an image, it still turns it into something that looks like this through something called an extractor. Now, most modern versions of this are much more complicated than that, but it pretty much the same thing. Uh, and that general idea can be applied to files, too. Our version of that is called leaf. Leaf instead of taking images will take executable files to turn them into numbers which can be used by the computer so we can think really hard about it. Now we just need the part that

thinks really hard about it. And that's going to be our tool right here. This is ember which is stands for that. Uh what it really is is a 1 million sample data set filled with 10 gigabytes of data collected using leaf from earlier. It means 1 million lines of this This is Ember's representation of how it sees every file it's been given and it'll judge every new file based on these examples. Basically, after our file has been processed by Leaf, Ember takes a look at it at the numbers it spat out and gives us a percentage chance that it's malicious. My job is to figure out how to give it the right amount of noise so

I can fool Ember into changing its mind. But in order to convince Ember that my dubious files are actually just for paying your outstanding toll balance, I'm going to first need to figure out how Ember thinks about the files it looks at. I know just the tool. To quote a reputable source, shapely values are a concept from cooperative game theory and explainable AI used to distribute the total gain or loss fairly among a group of players or features. Or in summary, it makes cool graphs so I know what the AI is thinking. Here's one of those cool graphs. Uh it shows a specific feature on the left and how it impacts the overall output of the model.

You can easily see the feature names on the left and how much they influ in influence the final decision. Very useful for what I'm trying to do. Now let's check to see what it does for my project. So you can see that um feature 637 uh it's not very helpful, is it? It looks like the Ember data set doesn't actually ship with any labels whatsoever. So, if I'm going to want them, I'm going to have to make them myself. And I mean, that's crazy. That's how many lines there are. Remember those numbers from earlier? There's 2,000 of those. There's no way I'm writing a name for every single one of those, right? It's going to take forever.

So, anyway, I did. Here's the code. Uh, this is part of it. At least it took a while. Uh, and this got this stuff got so esoteric that I was quite literally dealing with magic. Okay, but now I could put these back through Leaf and see what Ember thinks the most important stuff is. Drum roll, please. It's the time stamp. It thinks the time stamp is the most important. Wow. But this is an interesting result anyway. It shows us me exactly what the model is thinking when it reads my file. And there's some interesting things in here. Here's four specific features I pulled out that might look a little promising for I'm trying. What's special

about these is that they're all things that I can change without actually affecting how the file runs. Timestamp doesn't matter. Uh certificate table size doesn't actually matter if I don't have a certificate. Uh debug, I'm not going to be doing any debugging. I know my code works. And uh major subsystem version, fun fact, Ember actually thinks that Windows 7 files are safer than Windows 10 files. This is something I can definitely take advantage of because these are features that Ember rates really highly but don't actually do anything when I change them. So before we get crazy though, let's look at what Ember actually actually gives us. This first one up here is what Ember thinks about a completely normal

file. And the bottom one is Mimiats, which is a very well-known malware sample. You can see every little detail that Ember thinks about. Uh lots of blue at the top here and lots of red at the bottom. Uh you can see that it actually really likes that both of them have certificate tables. The end evaluation for these files is about what you would expect. One's safe and one definitely isn't. Now let's look at Mimi Cats and let's see if we can reduce this number any. First I don't plan on using the debugger. So let's increase that to the 32-bit max. Okay, I'm just going to spend 30 minutes here trying to figure out where that is in hex. And um there

we go. And okay, that's that's a pretty good reduction there. Uh, this happened because when Ember was trained, it saw that files with larger debug tables tended to be safer, I guess. Uh, even though it didn't really have anything to do with what the file actually does. So, changing it still looks good to Ember. Let's see what else we can change. All right. Now, let's, god forbid, change this to be a Windows 8 program instead of Windows 10. And all right. Wow, that was pretty effective. Now, keep in mind, I haven't actually changed how the file works. I can still run this right now, and it would still break my computer. Trust me, it did. Uh, but surely no

one's risking their entire business on a 25% chance, right? Anyway, um, so I'm like a computer programmer or something. Why am I doing all the work? I'm supposed to get the computer to do all the work for me, and I know just the technique. Particle swarm optimization is a very cool algorithm that lets you pick the best values for when you have a lot of features, which I do. You can think of it like a flock of birds. All the birds act independently, but they all work together to find the best combination of inputs to get the best output. Now, I want you guys to think for a second how that GIF would have looked in

2,300 dimensions. You should see your faces. That's what you look like. Anyway, I did it. Here's the code for it. Uh, it's actually pretty simple algorithm. It just takes a lot of fine-tuning, especially when you have a bunch of different values like this. Also, I made a uh cool UI for it. You can change the sliders and stuff. I think it's pretty cool. Um, anyway, how'd it go? Uh, well, I'd say it did pretty good. It reduced the score by quite a bit. Um, I have now fully convinced Ember that my dubious file is completely safe with an alleged 0.3% chance that the file is malware, which according to chat GPT is the same likelihood as being killed by a falling

coconut. Now, keep in mind, I only did this just by editing these seven features. Uh, handpicked from a list of over 2,000 of them. I didn't when I first started this, I didn't actually know what half of these did. So, I just kind of picked the ones that looked like they were the easiest to change and and and I found those. Um, and so those are the numbers. Apparently, Windows 7 still the safest one. And the best time stamp was Friday, September 17th, 2010 at 800 PM, 3 days after Halo Reach came out. Now, I designed this to work with Ember. my algorithm optimized my new file to give the best values for Ember and give

the best out output. Uh, and it could in theory be optimized for other metrics, but I didn't do that here. Now, that being said, this was the result when I put it into virus total. Keep in mind, I didn't I didn't optimize it for virus total, but that's still about a 20 25% reduction there just as a side effect. Uh, and I did this with about a dozen other malware samples. Um, and they got pretty much the same result. Um, and there's plenty of other ways I can improve this process, too. Uh, these are some of the most popular AI tools available for cyber defense that I could find. Uh, and lots of them do a similar

thing to Ember, but some of them do other things, but they all will have the same kind of vulnerability if they use the same same AI to to decide these things. Uh, and so I'm I'm sure if I did this for many of these other ones, I could get a similar result. Now, there's plenty of ways to fix this issue. For one, don't give useless information to your model. For example, if I'm making a model to predict how long it'll take a pizza guy to reach my house, I don't exactly need to tell him what kind of music he listens to, unless he's a Metallica fan. Uh another idea that came up while I was

working on this uh was to use something called control flow analysis which is basically instead of looking at the properties of a file, I would instead look at the actual logic of the the program, the way that the logic would flow and then feed that into the AI. And I I expect that this would have a lot less of those kind of vulnerabilities since it would be looking at more important things like how what it actually does, you know. Um, but I never got to uh to work on this while I was working at Dropbox because of time. But uh if any of you want to see this at your company, you know, I'm I'm looking.

So uh but so why is this why does this matter? The entire world is in a big AI craze right now. Every company wants to put AI into everything because it looks good for their uh their investors. Uh, sure AI companies can make those annoying AI assistants on on their websites all they want and it doesn't really have that much effect but when it comes to security and protecting the most important things we need to have a lot more scrutiny towards the things that get implemented. I made this job I made this project on the first ever job that I worked on. I am I'm an entry- level person so I I don't have much

experience with this and I was still able to get this kind of result. So, imagine what some guy in Russia who's been hacking since he was 10 would be able to do in a couple more years if he had a if he had that time to work on it. Thanks for coming to my TED talk. I'm Noah Groch. Uh again, if you like what you saw, uh I'm looking for a for a place to work at. So, you know, uh here's my LinkedIn if you guys want to scan it and connect. Thank you. And uh if you guys have questions, you can find me. I'll be around here. Uh but yeah, thank you.

>> Hey

[Music] Apple. [Music]

[Music] Dirty [ __ ]

[Music] Baby [Music] doo. [Music] Here [Music] you go. [Music] Data.

[Music] Hey. Hey. Heat. Heat. [Music]

Heat. Heat. [Music]

Heat. Heat. N. [Music] Heat. Hey, Heat. Heat. Heat. [Music] Heat. Heat. N.

Heat. Heat. Heat. [Music] Heat. Heat. Heat. [Music] Heat. Heat. N.

Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat. N.

[Music] Heat. Heat. N. [Music]

[Music]

[Music] Woo! [Music] Woo!

[Music] Heat. Heat.

Heat. [Music] Heat. [Music]

Wow. [Music] Yeah. Heat. Heat. [Music]

[Music] Heat. Heat.

[Music] Heat.

[Music] Hey, heat. Hey, heat.

Heat. Heat.

[Music] Heat. Hey. Hey. Hey. [Music]

Heat. Heat. [Music] Heat. Heat.

Heat.

[Music] Heat. [Music] Yeah, [Music]

[Music] down. [Music] Hey hey hey. [Music] Down

[Music] down down down down down down down down down down down down down down down down down down down down [Music]

Heat. Heat. N.

[Music] Hey, [Music] hey hey. [Music] saying, "Feed me."

>> Okay, cool. The moment it starts working, we're all going to know. Here

we go.

>> I could actually do that.

Oh, wait. No, I did that in disruption. >> Yeah, that was quick thinking.

>> So, that will go up. >> Yep.

>> Here you go. Uh, this is your mic and you can try to see it up inside the Okay. The moment it starts working, you'll know. >> Oh, yeah. >> Thank you. >> Additionally, I'll be giving you like heads up for like 10 minutes, 5 minutes, 2 minutes if you need it. I'll be there. Just >> I'll be there just directly, guys. Like just giving you a heads up. That's >> okay. The video is going to be 5 minutes long at the very end. >> Mhm. >> So, five minutes. So, >> you know, that should be good. >> Yeah, >> that should be. >> Yep. Just give it give me Thank you.

turned up all the way on your computer. >> Okay. >> Yeah. And I have the sound output set to that, which is it worked when I was >> HDMI. Okay. Um, let me go see.

Nice.

And before you start, just give me a second. I just want >> shout out the sponsors. >> Sounds good.

>> Okay, cool.

See, we have someone coming. Um, >> try a built in. >> No, that's coming from the PC. >> Yeah. >> You know, I could stick a mic into the >> into the thing. >> Yeah. >> I could give back this mic. >> Okay. >> And then I'll just walk around. >> Okay. Sweet. Yeah, that would work just fine. That's a tabletop magic. Make sure to go turn that one on and we'll get going. And then I also have somebody coming right now to fix it if you want to wait or I know we're getting close to time. >> Oh, sweet. >> All right. >> Speaking up. >> So um you definitely don't want the decimator.

You want um >> Well, that's all I got. >> Yeah, guess Oh.

So now >> okay.

>> Yeah. Okay.

>> Okay. just if these get too close together. So, I'm going to go unmute that one unless you want to stay here. >> I don't need this anymore. >> Thank you. >> And then you can just unmute it right there and I'll give you a thumbs up. >> Thanks. >> So, I'll just give a heads up.

Let's see what you think. >> Is that Michael? >> So, I figured the one thing maybe about death and not being able to think of anything. >> Oh, that's so great. >> I love that. >> Uh, good morning everyone and welcome to Besides Las Vegas 2025. Um, just a few announcements before we begin. We'd like to thank our sponsors, especially the diamond sponsors Adobe and Iikido. um and our gold sponsors which are Drop Zone AI and Profit. It's their support that uh along with the other sponsors, donors and volunteers that make events like these possible. These talks are being streamed live and as a courtesy to our speakers and audience, we ask that you make sure your cell phones are set

to silent. So with that being said, we can start with Allison's uh speech with uh scene is dead.

[Applause]

There you go. >> Hello. Oh yeah. Okay, perfect. Thank you. Okay. Hi everyone. >> So, hi. I am here to declare the death of the scene. So, it's only appropriate to start out uh with some greetings and shoutouts. Uh so, first I want to give a shout out to the fine people from this group called Wo Wo or something like that. Um also, Conrad database, where are you? You you inspired the title of the talk. We've had so many long conversations and I never suspected I would be much later on coming to be yet another person to declare the death of the scene. Um also Mr. P and besides proving ground uh this the proving ground is uh where I gave my

first conference talk and it's an incredible honor to be coming back and keynoting at bsides. So, thank you and thank you for being here. Also, for the sake of coverage, I want to give shout out to Matt, Chris, Ben, Brian, David, everyone with that name. I think we got some good coverage there. Uh, also friends in high places, we love you and everyone that works with me for keeping the dream alive. I'm going to just hold the mic. All right. So, I'm going to get into some pretty spicy topics. I'm just going to like cover ground rules here. Um, so I'm not going to talk about bad actor names for the most part except for a

couple just to anchor the discussion in people understanding what I'm talking about. Um, I know the general desire is to not name bad actors because it gives them attention and all that. Um, but that's not actually the reason why I'm not naming bad actors is because these bad actors are so forgettable that, you know, in a little while from now, no one's going to know what any of these groups are. Also, I think this is feedbacking. Can I turn this off? Sorry. Um, also I'm not going to name companies. Uh the reason why is um the public conversation right now around platform abuse is kind of where the public conversation was around data breaches 10 years ago uh where basically

people are blaming companies for admitting that there's a problem and doing something about it rather than blaming companies that sweep it under the rug. Uh so you know the the state of maturity of the conversation is uh the way data breaches were 10 years ago. So, I'm not going to name any companies because I don't want to get anyone punished for doing the right thing because that's happening a lot right now. Um, also bad content warning. We're going to talk about some bad stuff. Uh, if it makes you uncomfortable, you have every right to turn away. Walk out. You don't have to explain anything to anybody. I'm going to avoid shock value, though. I don't like that. All right.

So, I'm going to talk about the way things used to be. Um, you know, I think a lot of people here, pretty much everyone here has tons of really fond memories of the old internet and their life path of discovery through technology and computers and learning that computers are cool and actually really fun. Um, I remember being nine and my dad like dialing into Compuserve with the 56k modem and I didn't even know what 56K was, but I knew that it was better than 28ks, so that was really cool. And I remember playing Hunt the Wumpus. It was my first video game. Um, it was super basic. Um, I I remember the first video game I broke was Sim Park.

Uh, I don't know if any of you guys have ever played it, but it's like an educational game. Uh, and I found out that when you're making the playground, you can make the slide dump the person out in a different place than when they walked in. And that was the only piece that would do that. So, I thought it'd be really funny to dump people in the water. And then the game started breaking. And then I found like, okay, I'll let them free. I'll make a little boardwalk. And then I realized I can just put a concession stand there and they'll just keep buying from the concession stand over and over again. Wow, that's cool. And then very quickly,

my whole game became this infinite money dystopia and I learned that hacking is cool. Also, shout out to this one programming class I took in high school. My teacher taught me the most important lesson I learned in high school is that you can violate the spirit of the rule if you follow the rule. And that's how computers work. And he would give these assignments and I would figure out like, oh, I don't actually have to do the assignment. I can just import a library in PHP that already exists. And like he knew exactly what I was doing. And he would just smile and accept my answer. I'm like, "Holy [ __ ] that's amazing." Um, yeah. So like my whole teenage years

growing up years was being around computers, loving breaking computers because it's funny and it's amazing and it's fun. Um and now I work in cyber security. I work in like looking at patterns of how humans interact with computers and now that's funny and it's interesting and it's fun and I like breaking it and people make organizations and you can break them. Here's a cool document I came across when I was a teenager. It really spoke to me. Um especially the parts about, you know, finding truth, using the internet and computers to find truth. Um how computers when they break, it's not because they don't like you, it's because you messed up and you can fix

it. Love that. Really spoke to me. Uh, I didn't realize until today that this document is one year older than me. But like this is the way things were. This is the nostalgia. This is the old internet. And there's something really echoing right now with the mics. I'm trying to trying to stay away from the mics. Thank you. So, you know, I I literally just declared the death of the scene, but uh the scene is more alive than it's ever been. It's just not underground. and it's full of amazing people. Uh but anyways, to my work, um I've been working on the criminal underground since 2011 in one capacity or another. Um it's been super interesting. I love

cyber crime. I love fraud. I love breaking organizations. I love breaking botn nets. It's great. Um, but over the years I've noticed that the criminal underground has gone through changes and shifts over the years. Um, every single year that I've worked in this stuff, it has gotten more severe. The kind of crimes that they get involved in are more depraved. Um, it's probably always been this way, but there's a couple of uh shifts that have been significant. Um, one was the price explosion in Bitcoin. Uh, this turned hacking from something that was interesting and fun and cool into something that will get you retirement money real quick. And so it attracted a different kind of person.

It attracted the kind of person who wants a lot of money real quick, not the kind of person who really loves technology. Um, another shift that's happened that really changed the underground was the pandemic. Um, I don't completely understand why, but I do know there's been, you know, a massive influx of people that were using were not previously using the internet, probably weren't that interested, and now suddenly they were forced to use the internet. And I think that, uh, the criminal underground has changed as a consequence of that population influx. Um, one thing that I noticed is, you know, these people coming in that have no interest in technology, some proportion of them were interested just

in violence and that manifested in different ways like uh viewing violent content, forming communities around that. Um, trying to create violent content, participate uh and experience uh perpetrating violence. Um, prior to the pandemic, there were certain um, lines of activity that we just did not see and then we started seeing it uh, after the pandemic started. Um, so also, you know, when we're talking about the underground and how the industry deals with it, um, part of that involves off-ramps to try to rehabilitate or divert young people away from doing something that they can't take back, right? Um, this is very important, very noble work. Um, and you know, like as time went on, more and more off-ramps

got built, right? uh the industry professionalized. Uh there were things like bug bounties. There were things like the normalization of hiring reformed hackers. Um and also just people growing up and having a family and like you know starting to care about their life. Uh so these were all uh very good things. Um, but there is one thing that I do want to call out that we collectively do need to discuss as like a cultural change that we need to consciously think about. Um, and like I'm not going to tell you the answer, but I'm going to tell you the problem and you guys can work out the answer. But here's the problem as I see it. Um,

it's very common that people have a stereotype or a joke of like, oh yeah, the best way to get a job in security is to get arrested. Um, I mean, like factually that's not true. it hasn't been for a long time. Uh, but it keeps getting repeated because it's it's a it's a great movie plot. It's a great TV show plot. So, it keeps getting repeated, but like the reality of actually working in the industry is not true. Um, even the people who have been arrested and then gotten jobs later, their career was set back by years. Their pay is set back by years because of all of their issues with the justice system and then having a record. Right?

So, this is this is not a benefit. And I have spoken to multiple people that have come out the other end of the justice system, you know, living a positive life. And they've told me that they've heard sentiments like this when they were a young kid. And I mean, they never blamed it on those sentiments. They're not like a victim mentality type person, but I'm saying I think those kind of sentiments may have influenced them and other people at that young juncture point. So um one thing I do want to introduce into the conversation is we need to start considering the nature of the offenses. So like what I have hired convicted hackers and I will do it

again. I'm not a hardliner on this but we do need to think carefully about the nature of the offenses. Certain kinds of offenses are more possible to rehabilitate than others. And ultimately the choice is on the person what they're going to do with their lives. But, you know, there is some predictive power in understanding the nature of the offense. So, like I would rather hire someone that hacked the Pentagon than someone that hacked a girl like a little girl or hacked credit cards or hacked an old person. You know, it's a completely different mentality that goes into those different kinds of behaviors. So, you know, we got to consider that. Another thing we got to consider is that

current day active offenders think about the industry a lot. Uh I'm going to I'm going to throw up some generic examples and then we're going to go into some specific examples. Um, so one thing that we find in our research is that a lot of high harm offenders, um, especially SWATs, for some reason, I don't understand, they put security researcher in their profiles. And like I get that that's something anybody can just proclaim to be, but this kind of stuff makes me want to like change our job titles. like we got a we got a euphemism treadmill the term security researcher. Um another thing is comm members getting involved in the OSENT community. Um I'm

currently experiencing a lot of confusion because I'm learning about OSENT tools for the first time through fraud and I'm approaching the conversation from a direction of like oh this is a fraud tool but but no actually this is a real company it's an OSENT tool but it's used by a lot of fraudsters. So, how do you differentiate like a legitimate service that's just abused versus a straightup criminal tool? Um, also we're seeing straight up criminal tools being used and sold using industry terminology. Um, the term cement is something that's coming up a lot in the criminal communities and I don't think it's coming up a lot in industry. I could be wrong. CENT stands for closed source intelligence. I'm not

aware of any of the cement methods that are legal. I think C should stand for criminal. Um, and I don't think it's an industry tool because it's all involves illegal activity. Um, but anyway, if you ever see that term pop up, that's an interesting term. Um, also non-reformed black hats in the industry, uh, they exist and if you've worked in the industry for more than a few years, you're probably aware of some and you're probably thinking of one and all of you in this room are probably thinking of a different one. And whenever you see any kind of industry drama blowing up, by the way, if any of you haven't run into this yet, at the core of most industry

drama is going to involve some kind of non-reform black hat. Just a little life tip for everybody that may not understand what's going on with that. Okay, so here's a couple. I'm going to go through several specific examples. Um, all right. So when we're looking at raw information, um sometimes people will call out like, "Oh, hey, you're in university, too." And you can see like some of these people are definitely in school for cyber security, but then they're also hanging out in these fraud chats. And I get the allure of doing research. I mean, I also hang out in fraud chats, but not like socializing. Um, and one thing that I do worry about people coming into the industry is like

when you're doing this kind of work where you're looking into the other side, you do need to compartmentalize and like kids getting into this don't necessarily get training on how to do this. And there's no like actual proper public information on how to protect yourself from a both legal and safety and everything perspective when you're sticking a toe in these waters. And it can be extremely dangerous. Um, like I know some people running aliases, uh, like I I remember recently telling someone like, "Oh yeah, I'm I'm glad you reacted that way in that conversation because if you helped that person, you would be providing material support to a terrorist and and it was like a surprise

to them. Uh, that makes me incredibly uncomfortable that it was a surprise to them. I think uh people are doing this work very dangerously and they don't need to." Um, but anyways, uh, we're going to go to the next item. Um, this comes from a court document that I could not get on Pacer and I really wanted it. Um, and it seems like there was one person on the planet that had the document. It's this journalist on Twitter, um, BX on X and, uh, she follows a lot of these sex daughter gangs, uh, related to 764 and stuff like that. So, so that's going to be the major anchor point here for bad actor groups that I'm talking about. Um, and

and this involves like violent sexual acts for no reason that I can really understand. um it's it's difficult to understand the motivations but but anyways this person in the court document um he's facing several decades worth of charges and the court document shows that um before he was arrested he was employed with an information security startup specifically working on anti-seam tools and you know I don't know if it's ironic or just predictable that someone offending in that category would also be trying to seek work in that category. Um, I mean, this is kind of where our traditional conversation of like, oh, hire the reformed hacker, they'll help out and defend against the thing that they committed a crime in.

Um, you know, the CSAM offenders are hearing those conversations, too. And we got to be really careful around this. Um, another example, this person hacked the SEC or he was part of the group that did it. Um he posted some video blaming everybody except for himself. Uh and he mentioned that he was in college and majored in cyber security. Uh which is interesting. Um, there's multiple actors that I've seen that are majoring in cyber security and then they get arrested for some kind of big fraud and they were clearly using the skills that they were learning in their training for school and courses and certifications for these fraud purposes. Uh I mean those of us that work on incidents, we

see the TTPs, you know, straight out of textbooks, right? Um so, you know, us as an industry, we culturally need to start thinking about the trainings that we give to people. How can we make sure that this knowledge is not going to be abused and misused? Because right now on top of the wave of violence involving sexual violence and physical violence, there's also a lot of high dollar fraud happening as well. And some of these really advanced techniques are coming from people that have access training in pentesting and are playing on the same level that all of us are in this room in terms of pentesting. So, you know, that happened and I'm not going to say what

the answer is. I don't know. But I just want everyone to know that this is happening. Um, here's another situation. Uh, this involves one of the really early sex orders, uh, one of the first groups. He was a really big offender. Um, and I thought it was interesting that he's studying computer science before he got arrested. Um, I'm wondering, you know, how much of this knowledge factored into his ability to target uh underage victims. And one thing we're seeing a lot, especially with, you know, the comm and this overlap between fraud and sex crimes is that a lot of these actors are realizing that the skills that they develop in order to hack and target

little girls and extort them using their personal information, it's also very useful to leverage against companies. So we see some of these people flip their skills into different purposes where you know the same TTPs used against little girls are now being used against companies and they will eventually apply for jobs right that's another thing we all need to think about these skills it it's more difficult to dox a little girl than it is to dox an adult because there's just less footprint and for these people to develop the skills and abilities to be able to do this effectively. Uh I mean they're beyond me in terms of OSEN ability sometimes. Um and and this is going to make them very

hirable. So before I show the video, um I want to you know this is a call to action. So I want everyone to think about what I've said and how we need to change things. So one thing is that we need to think about off-ramps and how we think about them. Um we can't save everybody. There are people coming into this space uh that the initial attraction for them was violent videos, videos of animals and women being harmed and killed and they find this uh enjoyable on some level and and some of some of these people are entering the talent pool. So we need to understand that, you know, certain offenses here we need to think about a

little bit differently. Um, another thing we need to think about as an industry is, you know, it's a fact that we don't have the ability to kick out bad actors from the entire industry. You know, they can get fired, they can get kicked out of a conference, but, you know, they they hop from one place to another. And, you know, this has always been a big controversy. Um, but when these 764 kids start applying for jobs within the next five, ten years, this is a conversation that's going to be forced on us if we don't find the answer ourselves. Because in the nature of our jobs, we all have access to an extraordinary amount of personal

information. And these are personal information on adults and minors and vulnerable people. information relating to victimization, information where if you abused it, it could cause someone to die. And and we have this as a nature of our jobs. Our jobs are a position of trust. It's not just about skills. It's about position of trust. And we need to start treating it that way because if we don't, governments, our government, foreign governments are going to start imposing it on us. Think about it this way. If I was to apply for a job at a daycare where I would be working with five children, I would have governmentmandated background check, all kinds of legally required, you know, like can't, you know, have to

have a clean record, right? But if I apply for a a job working in cyber security with access to millions of children, what is the requirement for minimum conduct and background check and making sure that there's auditing that I'm not misusing the data like where is that? We need that and we need it quickly because this is coming next 5 10 years. Uh the other thing is that we do need to take a look at the talent pipeline. Um, you know, we need to engage with young people. Um, there are still situations where young people are getting interested in cyber security at a very young age and they're stumbling into bad communities. It's still happening and there are still people in

these bad communities that can be saved, that can live a positive life, but if they get wrapped up into this too deep, I'm not sure if they'll be able to come back. So, this is something that we all do need to have a serious conversation about. Um, and like I said, I don't have the answers, but my call to action is that I want you all to think about this. And I'm going to close out with a video. Um, you know, I've said a lot of things about what the bad actors are like and, you know, why I have such a negative outlook about them. And, you know, I haven't really gone into detail about

why. I mean, I you guys have a general idea now, but I'm going to give you their words and then you can think about it.

>> How did you get involved with Bitcoin? >> Actually, that's a really funny story. When I was around 12, I wanted to learn cyber security and then he spoke about documenting and I wanted to learn about DOS because I wanted to seem scary and then uh well I just led myself into calm. He taught me some stuff about documenting. >> How do you find these victims? >> I find some people with socials connected to their accounts and I just do some uh open source intelligence on them and I find some leads and I just get to work. How does Explorer work? What do you do? >> Uh you gather info element either by social engineering or you use uh open

source tools. >> My main method it would be social engineering. I'm not really that good at cyber security and all that. >> If you can think what's the average age of a fifth company? >> Well, the ratio is between 13 and 17. >> Like guess your is 13 then? >> My youngest was 11, but my my average is 13 17. When you make someone overdose, what does that make you feel? If you're proud of yourself, >> well, I don't really feel proud of it, but I feel some type of satisfaction. >> Since you're in these big exclusions, did you ever face pressure or threats? >> No, not really. It's more like a community. Most of these people are all

pretty good friends. We're not really a big bad bulls. We're really put out to be despite the actions we take. Quickly, if you was to get a sentence, what is the highest sentence that would be high enough to make you guys stop doing what you do? >> Nothing. >> Maybe just like a life sentence.

So, we're bunk the internet, but what about the more side of it? These groups taking actions against these harmful people, the police of the internet, better known as anti-extortion. Why don't we learn about who anti-extortion is and what it is that they do? Anti-extortion is a collective of groups that help young people and victims of extortion. These groups do things such as pointing the victim towards a healthy path, providing support, and providing sources for help. So let's say for example a victim come to you and I say they have my family's information. >> We could honestly just pull her information down and get the children arrest them. >> And shout out to my extorters and

friends in extortion. Even though they do extort I still respect them but don't respect what they do. What motivated me to fight against extortion instead of joining it was because I had friends that were extortion victims and I dated extortion victims before. They were terrified of me because they think I was going to make them cut when I was only wanting to help them most of the time. >> Is it hard to gain trust from the AE community? No, it's not even lie. Most A kids were ex already. Do you think everyone in those spaces is evil or just lost? >> Most of them just do for fun to be honest. >> When did you first join the community

and how I joined the community in 2022? No one brought me into com. I was here as an extortionist. What was your first experience with extortion culture? I was disgusted and I was actually curious. My main reason for actually joining the community was for friends, not due to my sick intentions. Why did you decide to return to extortion after leaving AE? I explained this before. They backstabbed me. They didn't want to keep me. They made allegations. They're heavily egoistical. AE is more egoistical and more unloyal than extorters. Are there rumors about you you'd like to clear up? No, not really. Except for the pedophile allegations. I'm under 18. I cannot be a pedophile. What message do you have for

extortionists? I love them. They're not even egoistical and they all have their reasons for doing what they do.

Guess what happens next?

[Applause] questions.

>> Just bring this just bring the stand out to the head of the

>> just come up.

>> Sorry about those. Uh, so you're you're really saying that like well like every hacking generation for the past 50 years it's kids doing stupid [ __ ] you know, and then kind of growing out of it. But you're saying there's qualitatively a really a big difference now in terms of the stupid [ __ ] that they're into. >> I mean, why do you think that is? Yeah, I think there is still the old pattern of kids doing stupid [ __ ] and they're going to grow out of it, but there's a new pattern on top of it and that's what I'm noticing is it is a qualitative and a quantitative difference and I think it

has to do with what initially attracts people to this space, right? So, you know, back in the old days, it was about having fun with breaking computers and making a computer do an impossible thing, which is amazing and funny, right? And sometimes you might go a little bit too far and accidentally hack the Pentagon, but like you know, stuff happens, right? But these people that, you know, I just showed a video about, they're initially attracted to the space because of violent videos, violent material, gore content, death videos, and they're coming into the space and they initially see hacking as a vector to control other people, to coersse other people. And this is a fundamentally different mindset and I

think it's really based on the kind of people that see the initial attraction. >> Yeah. So basically this [ __ ] ain't funny anymore. That's really what it is. >> Yeah. And and there's like a self- selection bias here. I I think the kind of people that are coming into the space and engaging in that specific kind of activity, I think there's something maybe fundamentally different with the nature of themselves, like what they're bringing to the table. And I think we need to recognize that. >> Thank you.

>> Yeah. So, um that was a great talk. It it really struck home like to me because um you know especially I don't know since I was pretty young like you know uh since 2016 and then it really ramped up in 2020 during COVID. Um, I was really big into the Roblox and Minecraft hacking communities. And it's crazy how, you know, the scene progressed from like, you know, just simple hacking and Lua and Java and all that to, you know, stealing accounts, Roblox, Minecraft accounts, and then that turns into doxing and, you know, sexual harassment and a lot of random bigotry that, you know, just didn't sit with me as like a kid and teen. But, you know, getting

into all those communities and discord servers really like irked me. But it also brought a weird sense of intrigue that, you know, had I not gone into like, you know, a more white hat like cyber security tracking school, I might have went down the wrong path. So, I don't know. Is there any like guidance to you know the kids in these spaces that are just stumbling into something that seems cool and you know they don't realize it's like something much more serious after that. >> Yeah. I mean, one aspect of this, um, I mean, I think every kid, teenager, child looking at these spaces from the outside, I mean, they bring something to the table themselves, like their

morality, what their parents taught them, like don't steal, don't be a piece of [ __ ] kind of stuff. Um, and and that serves as probably the biggest off-ramp or deterrence or prevention for cyber crime in this kind of online behavior. So, I mean, a kid encountering these spaces, the the thing that's going to most strongly guide them to their ultimate outcome is probably going to be the morality that their parents gave them. Um, I mean, one thing that we've noticed is that, you know, younger kids running into this stuff, it can be more dangerous because, you know, they're still developing their morality, right? Um, I think parents need to talk to their kids about, you know, who they're

talking to online, what groups they're involved in. Um, because right now the the knee-jerk reaction is to like shut everything down. Um, take away the phone, block the communication, whatever, block all websites. But that's not actually a solution. You can't prevent a child from communicating. They if if you take away a child's ability to communicate, their only goal in life is to restore the ability to communicate. internet blocks are never going to work. Um, and and likewise, like I I go back to like not trying to, you know, punish people for doing the right thing and cleaning up situations. This this problem, like a lot of it gets blamed on the companies, but this is actually a

youth gang violence problem. This is a social phenomenon that is independent of any one website and a lot of it is happening uh driven on third party websites that are operated by bad actors in the first place. So you know as a whole we need to have an understanding of what the problem is shaped like and once we can understand the shape of the problem we can start to tackle it and pull it apart. I I think there's also like a weird intersect between, you know, the community and the alt-right pipeline because um in one of those spaces I was in, it was a simple like Discord server about like Minecraft hacking and it was I was there for like

you know day zero, day one of log 4hell when it was like mainly still for Minecraft and not like you know hacking like you know thousands of uh like vulnerable servers but and it was weird because there's this like technical circle there's this very queer circle as well. And there's also just like this like violent circle of hate and bigotry where you know people were calling each other slurs and you know doxing each other for no reason. It it was just Minecraft hacking. So um I don't know. It was it was really weird to be in and I'm glad I had the morals to get out of that as soon as you know quarantine lifted. But you know I kind of worry

about like some of the people I knew that you know were still there after I was gone. So >> yeah, the social dynamics you're describing, that's my viewpoint of how all this stuff works. Like there is sometimes this small core of violent dysfunctional people that are driving all these investigations that industry has to work on. Uh so I mean yeah identifying that core that's going to be part of understanding the shape of the problem. >> All right. Thank you. This this was like this is super insightful. Uh this is my first conference so I'm glad this uh was a good speech. I'm glad you found it valuable and I hope you make a lot of

lifelong friends here. I've made a lot of lifelong friends at Bsides. >> Thank you. >> Hey, thank you for the talk. Um, as a recent college grad, I'm like particularly interested in uh knowing what you think about what responsibility professors and upperassman students have to the students who are coming in as 18 year olds and being exposed to these topics for the first time, often without um any or minimal discussion of ethics besides don't do it, you're going to get arrested. Um, so yeah, curious to hear any thoughts you have on that. >> Yeah, that's super interesting. Um, I've actually started asking around, you know, university cyber security courses. Are there actually any cyber security

ethics courses? Is there even any class plans, any textbook for this? And the answer has been no. There is no material specifically addressing ethics in cyber security. The question of like, oh, hey, I found this flaw. How far should I go with it? What are the implications? You know, who could I potentially be harming if I do this? How can I avoid harming someone? That's not written down anywhere. And so right now, yes, you're right. There's a whole generation of kids that are going through learning the technical skills, but they're not learning the ethical skills that will direct their activity. And you know, I do see consequences of that on the industry side where people coming into

the industry, they uh they don't realize that they're being a bull in a china shop and they don't intend to be bad, but they just don't know. And maybe if we had some kind of university ethics classes alongside the training, maybe we could reduce some of that from people who do want to do the right thing. >> Thank you. >> Thank you. Thank you for uh touching on such a difficult subject. Um with people that are in this industry seasoned um with gray hair, um how do we um how do we combat this? Like is there a way for us to do something about the young kids that are on the internet? How do we go? H how did you stumble into

this research and how can we pick this research up and move forward with it to stop this activity from happening or at least trying to cut it down? >> Yeah. So, I stumbled into this research because I just find cyber crime to be way more compelling than working on AP. Like AP are just a bunch of government employees that are boring, but cyber criminals are just so creative and interesting. Um so you know that's that's why my work has always focused on it. Um but in terms of combating the problem I mean one aspect of it that ourselves and partners have been working on a lot lately is um arresting the ones that really need to be arrested. Um you

know now that you've seen the video you can probably understand like there's certain kinds of incarceration I can really get behind. Um but that's not the entire underground. there are people that you know can have a future can be part of society and won't be a problem and uh I think everybody needs to take an active engagement in finding those people pulling them out making sure they won't be a problem um and and you know other creative ways that we can find that are off-ramps or blockers to getting into this space entirely like right now a 12-year-old that's interested in cyber cyber security, no criminal background or anything. When they Google search stuff about cyber

security, what are the top Google search results? Because one of them who had his life ruined told me that the top Google search result was a criminal forum. And I don't know if that's still the case, but you know, maybe if the top Google search result was something else, he wouldn't have had multiple felonies. >> Thank you.

Uh, back when I was young and first started getting into hacking security, back when I was young and first started getting into hacking security, there weren't really very many legitimate paths into that. There weren't >> I still can't hear you. Sorry. >> Back when I was young, uh, there weren't many path legitimate paths into learning security and hacking. Uh, if you were interested in that these those topics, you sort of inevitably ran into underground servers, IRC, stuff like that. So there are a lot of people that were doing illegal things but not necessarily uh immoral or malicious or things like you've showed. Now that in the modern day there's you know co cyber security college courses, there's hack

the box uh stuff like that. Uh are there fewer people getting into the underground now that would have sort of moderated that uh horrific influence that we've seen now that it's now only attracts these sorts of people? Yes, I think that's actually a major factor in why things tipped so severely. Um because you don't have a mediating factor of, you know, I don't want to say normal people coming in and kind of balancing things out a little bit. You know, they're not there anymore. They're off getting jobs. Uh, I mean, back when I was growing up, my college, aside from like a couple of classes, there was just no computer classes period and much less

cyber security degrees. There was just nothing. So, yeah, I also looked at a whole bunch of underground stuff too when I was learning. And, you know, back then it wasn't about victimization. It was about knowledge. I'm seeing a stop sign now. I can talk to people after the talk. [Applause]

Can we announce lunch? Will you announce lunch please? You, room host, will you announce lunch? [Music] Mhm. [Music] During

[Music] Heat. Heat. N. [Music] Fire. [Music] Down. Heat. [Music] Heat. [Music]

[Music] Heat. [Music] Heat. [Music] Heat. Heat. N. [Music] Heat. Heat. N. [Music] Heat. [Music]

Heat.

Heat. [Music] Heat. [Applause] Heat. Heat. [Music] Heat. Heat. Heat. [Music]

Heat. Heat.

[Music] Heat. Heat. N.

[Music] Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat.

[Music]

[Music]

[Music] Heat. Heat. [Music] Heat. [Music] Heat. [Music]

[Music] Heat. [Music] Hey. Hey. Hey. [Music]

[Music] Heat.

[Music] Heat. [Music] Heat. Heat.

[Music] Hey. Hey. Hey. Heat. [Music] Hey, heat. Hey, heat.

[Music] Heat. Heat. [Music]

Heat. Heat.

Yeah, [Music] yeah yeah. [Music] Yeah, [Music] hey. [Music]

and hey [Music] down yeah down yeah down yeah down yeah down yeah down yeah down yeah down yeah down yeah down yeah [Music] Heat. Heat. N. [Music]

down.

[Music] By far down. [Music] Baby, [Music] baby. [Music] Here [Music] you go. [Music] Heat. Heat. [Music] Heat. Hey. Hey. Hey. [Music] Down. [Music] Down.

[Music]

[Music]

Heat. Heat. [Music] Heat. Heat.

[Music] Heat. Heat.

[Music] Heat. Heat.

Heat. Heat. Heat. [Music] [Applause] Heat. Heat. N. [Music] Heat. Heat. Heat. [Music] Heat. Heat. N.

[Music] Heat. [Music]

Heat. Heat. Heat. [Music]

Heat. Heat. N. [Music] Heat. Heat. [Music]

[Music]

[Music] Hey. [Music]

[Music] Hello. Heat. Heat. [Music] Wow. [Music]

[Music] Yeah. Heat. Hey, heat. Hey, heat. [Music]

Heat. Heat.

[Music] [Applause] [Music] Heat. Heat.

[Music] Heat. Heat. Heat. [Music] Heat. Heat. [Music] Hey. Hey. Hey. [Music]

Heat. Heat.

[Music] Heat. Heat. [Music] Yeah, [Music]

[Music] down. [Music] Hey, hey hey. [Music]

Down [Music] down down down down down

down down down down down down down down down down down down down down down down down down down down up down

[Music]

Heat. Heat. [Music] Heat. Heat. [Music] Booty [Music] [Music] Woody. [Music] Heat. Heat. [Music] Fire.

Black. [Music] Heat. Hey, Heat. [Music] Down. [Music] Down.

[Music]

[Music]

Heat. Heat. [Music] Heat. Heat. N.

[Music] Heat. Heat.

[Music] Heat. Heat.

Heat. Heat. N. [Music] [Applause] Heat. Heat. [Music] Heat. [Music] Heat.

[Music] Heat. Heat.

Heat. Heat. N. [Music] Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat.

[Music]

[Music] Hey. [Music] Hey. Hey. Heat. Heat. [Music]

[Music] Heat. Hey. Hey. Hey. [Music]

[Music] Heat. Heat. [Music] Heat. Heat.

[Music] Heat. Heat. [Music] Heat. Heat. [Music] Heat. [Music] Heat. [Music] Yeah, [Music]

[Music]

[Music] down down. [Music] Hey hey hey. [Music] down.

Down [Music] down down down down down down down down down down down down down down down down down down down down

Down yeah down down

[Music] Hey, [Music] hey hey hey. [Music] During [ __ ]

[Music] Heat. Heat. [Music] Fire. [Music] Down. [Music]

Heat. Heat. [Music]

Down. [Music]

[Music] Heat. [Music] Heat. [Music] Heat. Heat. N. [Music] Heat. Heat. [Music]

Heat. Heat.

Heat. [Music] Heat. [Applause] Heat. [Music] Heat.

Heat. Heat. [Music] Heat. Heat. N.

[Music] Heat. Heat.

Heat. Heat. N. [Music]

Heat. Heat. N. [Music] Heat. Heat. [Music]

[Music]

[Music] Hey. [Music]

[Music] Heat. Hey. Hey. Hey. Heat. Heat. [Music] Wow. [Music]

[Music] Yeah. [Music]

Heat. Heat.

[Music] Heat. Heat. [Music] Heat. Heat. [Music] Heat.

[Music] Heat.

Heat. [Music] Heat.

[Music] Heat.

[Music] Heat. Heat. Heat. N. [Music] Heat.

Heat.

[Music] Heat. Heat. N. [Music]

Yeah,

[Music] heat. [Music] Hey

hey [Music] down.

down. [Music] Down [Music] down down down down down down down down down down down down down down down down down down down down

[Music]

Heat. [Music]

Heat. [Music] Booyah. Dirty.

[Music] Hey, [Music] hey,

[Music] hey. [Music] Down. Down. [Music]

[Music]

Heat. Heat. [Music]

Heat. Heat. [Music] Heat. Heat. N. [Music] Heat. Heat.

Heat. Heat. N.

[Applause] Heat. Heat. Heat. [Music] Heat. Heat.

Heat. Heat. Heat.

Heat. Heat. N. [Music] Heat. Heat. [Music] Heat. Heat. N. [Music]

[Music]

[Music] Heat. Heat. [Music] Heat. [Music] Heat. [Music]

[Music] Heat. Hey. Hey. Hey. Heat. [Music]

Heat. Heat. Heat.

[Music] Heat. Heat.

[Music] Hey, heat. Hey. Heat. [Music] Hey, heat. Hey, heat. Heat. [Music] Hey. Hey. Hey. [Music]

Heat. Heat.

[Music] Heat. Heat. [Music] Yeah, [Music]

[Music] down. [Music] Hey

hey [Music]

down. [Music] down.

Down down down down down down down down down down down down down down down down down down down down down

[Music] everybody. [Music] Hey [Music] Heat. Heat. [Music] Do you know?

[Music] Heat. Heat. [Music] Fire.

Hey. Hey. [Music] Hello. Hello.

[Music]

[Music]

Heat. Heat. [Music] Heat. Heat. N. [Music] Heat. Heat. [Music]

Heat. Heat.

Heat. [Music] Heat. [Applause] [Music] Heat. Heat.

Heat. Heat.

[Music] Heat. Heat. N.

[Music] Heat. Heat.

Heat. Heat. N. [Music]

Heat. Heat. N. [Music] Heat. Heat. [Music]

Hey. Hey. Hey. [Music]

[Music]

[Music] Hey. Hey. Oh. Heat. Heat. [Music] Hey.

[Music]

[Music] Heat. [Music] Heat. [Music] Yahoo! [Music] Dirty

daddy. [Music] Hey boo. [Music]

Hello.

[Music]

[Music] Heat.

[Music] Heat.

Heat. Heat.

[Music] Heat. Heat. [Music] Heat. Heat. [Music] [Applause] [Music] Heat. Heat.

Heat. Heat. Heat.

[Music] Heat. Heat.

[Music] Heat. Heat. [Music] Heat. Heat.

[Music]

[Music]

[Music]

[Music] Heat. Heat. [Music] Heat. [Music] Heat. [Music]

Wow. [Music] Heat. All [Music]

right. Good afternoon, everybody. Thank you for coming out. I appreciate you taking the time. >> The audio is not good. >> Oh, we can't hear. How's How's the sound? >> So So okay, hang on. >> How about now? >> Much better. Oh, >> still good. All right, great. Make sure these are off.

So, thank you for coming. My name is Chris Merkel. I'm a senior director in cyber defense at Northwestern Mutual, which is a large insurance and investment firm. Um, and I'm here to talk about North Korean uh workforce infiltration. And uh I'll be sharing a bit about my story. Um, but uh this is a little bit about me. So um I've done a lot of things over a 20 year career in cyber defense. um and and cyber security in general. I enjoy hunting bad actors. Um I I genuinely consider cyber to be a societal problem and I'm glad to be part of the solution. I enjoy doing career development with folks. So here at BIDES, there's a career village. Uh I

enjoy volunteering uh when I can and and do career village things at at a local level. And if you, you know, understood the the the talk title, I I assure you I am not Iglass. If you and I'm not going to do an Iglass impression. And if you understood that joke, thank you. If you didn't, stick around to the end. I'll explain it. Um and then and then one last caveat I I have to give these in in all my talks which is um the information I'm sharing is any perspectives I have or own my own opinion not that of my employer but also that some of the information that I'll be sharing today is drawn from my

experiences but I'll be talking about things that largely are known in public. So I'm not here dropping any information that would be confidential or things like that. We're recording. So with that means that some uh names, places and things like that have been changed uh because it represents non-public information. Um but the the overall story that I'm going to I'm going to try to tell here um is true. The other is that the topic of um workforce infiltration is massive. Um I'm going to be sharing my set of experiences and what I've found in talking to a lot of other folks in the industry is that it tends to resonate with them too. So I

I think I'm talking about the most common set of experiences, but what you face may not be the same as what I've been dealing with. So with that, our program today, a story in three acts. Act one, we're going to set up the story. We're going to talk about the pandemic, the rise of overemployment schemes. Then we're going to get to talking about my friend Ben and the threat of workforce infiltration. And finally, we're going to end with solutions. I like to always try to end with solutions. Um, so we're going to talk about helping people bring their authentic selves to work. So with that, act one, the pandemic and rise of overemployment schemes. So our story starts pre- pandemic,

things that my organization and frankly most large enterprises have dealt with and are dealing with. And it's what I call subbing. It's contractors all the way down. So pre- pandemic, your organization very likely has some percentage of your workforce represented by outside contractors. The problem is is that your outsourced labor is outsourcing their labor. What that means is that your contract firm is there to throw bodies at the problem and they're not always good at figuring out how to throw qualified bodies at the problem. So what happens that labor market self-optimizes what that means is that they're phoning a friend when they need help with something. Oh, I don't know boto3 development. I was hired to do this. I

know, my buddy knows this and he doesn't know that. So, we'll just kind of like collaborate. Sounds like a fantastic idea except that that person is outside your organization, that data is going to people you don't know, that gets real problematic real quick. Um, if you have a large um, contingent labor workforce in your organization and you don't think you have this problem, I regret to inform you you do. The only question is whether you're interested in dealing with it. So, how do we prevent this? You know, what we've seen successful is well proctored proficiency testing. If you can work with a firm that is willing to do the testing and share those results, that goes a long way to ensuring that

you are uh uh filling roles with candidates that have the right skills. From a detection perspective, how do we know this is happening? Look for longunning calls. So, Zoom, Teams, Meet, what have you, they have a log stream, you hopefully have a SIM, and uh that gives you the ability to uh run analytics on call statistics. So, if you see a uh five-hour call between two individuals, one of whom is outside the organization um with screen sharing going on and file transfer activity and things like that, there's a good chance that this is happening. Um and then beyond that, you know, relying on on your typical tools for data exfiltration, DLP, things like that. And

I understand that those tools often have their own challenges. So, we're setting the stage here. So this is subbing. What I call subbing. Then the pandemic starts. What did we do? We learned how to make sourdough. We bought ring lights. How many ring lights are in closets right now? Um we learned that we could work four jobs at the same time. Um, so, so this is what I call job stacking. I don't call it job stacking. Everybody calls it job stacking. Okay? And you first heard it here. Corporate America is bad at measuring employee output and performance. If this is news to you, I'm sorry. You'll you'll find out soon enough. Um so so what we found during the

pandemic was there was a massive increase in remote hiring because you kind of had to and many organizations uh who had who had CEOs who you know wanted to be liked and loved said that's it we're going full remote for the end of time and you know about 10% of those actually you know still do that but whatever. Um so with that came the understanding that the uh the issue in corporate America around managers not being able to uh deal with uh employees underperforming um you know results in people being able to do multiple jobs. Now it's not just the manager's fault. It's not just a training issue with them. It's not just HR's fault. Okay. Um there is an aspect

of bureaucratic enablement and that is to say firing people is a lot of work. Now I'm going to pause there for a moment and interject a personal opinion which is that's a good thing. I believe in strong labor and workforce protections. However, this creates a system in which it is difficult to deal with somebody who is underperforming because as a manager your first question is is this a performance issue? Are they failing to ramp up? What's going on here? Is it is it just that I've I've got a candidate who's not suited to the role or the case that um you know they just need to be educated better. So what most managers do is they just try harder. Good

well-meaning managers put in time and effort to help that employee improve. Then they realize this isn't going to work. um you know so so again you're you're at like several months of of coaching and development at this point. So now we have to go into the multi-step performance improvement plan the good old PIP. Well that takes time because now you have to go and document all the conversations you had and and go through that whole PIP process and that's no fun. The net result is it takes a minimum of six months if you if you haven't caught somebody in the probationary phase. If your organization has such a thing, it's going to take an average of six months

to that get that person back out of your organization. And then uhoh, now we have a downturn in tech. There's a hiring freeze in place. No managers, you're not going to get that back, Phil, because we want that money back. So if you lose an employee, the finance department and our shareholders thank you for your contribution. So what is the unintended consequence of doing this? Terlerating low performance. Because again with these folks that are doing the job stacking, it's not the case that they're intentionally trying to do a bad job. They're just trying to do eight jobs when you know realistically they can only really do two well at the same time in corporate America.

Um, so the question is, what does this have to do with a cash hungry mi military dictatorship constantly on the lookout for money-making schemes? Well, that leads us to act two, my friend Ben. First of all, Ben is the name of a stolen identity. Um, I'm using this name and I'm not providing a last name. Uh, because there are actually a lot of Benz. Uh, I read one article where they had let go so many people associated with this scheme and realized that three out of four of them were all named Ben. I don't know why, but they got to calling them the Ben. Um, which I I thought was was kind of funny. Um, so the thing is is Ben is the name

of a stolen identity. So, so, so the person the Ben's refer to is indeed a real person generally alive uh somewhere in the United States. Now, that stolen identity, they may or may not know that this is happening. Um, I did read a comment on a blog post about this topic where some commenter said, "Oh yeah, I don't work in technology. This happened to me. I'm getting all kinds of paperwork and sometimes paychecks for jobs that I don't have." Um, which I found to be very funny. But let's talk about Ben. What do we know about Ben? Well, Ben's a bit of a prodigy. Ben was hired right out of college as a lead engineer in Silicon

Valley companies. That's impressive. Um, so, so he spent his time cutting his teeth in the the the places that middle America corporate IT looks at and says, "Boy, would I love to have one of those engineers on staff." He leaves SoCal and has since held several principal engineer roles conveniently at companies in my vertical. This is great. What a great candidate. Now, for reasons that I don't completely understand, he leaves that tenure of direct employment behind and signs up to be a contractor instead at the second largest contract firm in the tri-state area. Okay? Which is to say, it's a bit of a headscratcher. Why? When you have access to the salary, the stability, the

benefits, options, and equity, all those things. Why? Why are they doing this? Strangely enough, the contract firms don't seem interested in knowing the answer to that question. They're just super excited that they've got somebody of this caliber that can help them prove their value to their clients. So, let's get to know Ben a little bit better. First of all, Ben moves a lot. And the time he moves is generally between the time he gets assigned to a company and when he needs to get started because something inevitably happens. Uh his significant other takes a job in a different state. Uh a bunch of his friends go here and they want a room together. The excuses for the movement

are endless and varied, but they all have one thing in common. Ben always moves before his laptop arrives. Okay? Now, if you haven't figured out why yet, it's because it's a stolen identity. If you shipped it to the actual address on that resume, the wrong person is receiving the laptop. So, that laptop has to get shipped somewhere else. But that's okay. Ben gets plugged in. His laptop's working good, you know, gets up to speed. Uh, might join your your your Zoom calls, your team calls maybe. Um, but he doesn't talk much about his personal life, which that's okay. You know, I'm I'm standing in a room full of cyber security professionals. Some percentage of you

are people who are really really introverted and never ever ever talk about your personal lives. And you are fantastic professionals and I thank you. So you don't stand out on teams like this. his camera's always off. But of course, when you work on a highly demoralized team, that's what everybody does, you know, because, you know, then nobody is seen making faces and rude gestures toward the camera, as may happen on these calls. Ben's not particularly responsive despite the fact that he is on shore, as we would say in uh North America. Um, typically he gets back to you within about four hours. Now, his his manager is not like real happy about that, but you know, Ben generally kind of sort of

eventually gets the work done and the work is fine. Now, I've heard in some cases managers saying, "Oh my gosh, no, we can't let this person go. They're amazing." Right? That happens, too. and and other times. So there's a there's a there's a spectrum of um performance as you find find in any labor pool. Ben does frequently miss meetings. His cat, God bless his poor little cats, always coming down with some sort of an illness. And when it's not his cat, it's his girlfriend's cat. Um, and I am using his and him because to my knowledge we have not seen somebody who identifies as female in these types of schemes. It's always been uh men.

Now the the other problem is Ben's manager is really busy. Uh if you look at an org chart, uh he has uh bunch of staff engineers uh who probably take up most of his time. uh and then a huge amount of contractors. So the ability for his manager to provide meaningful oversight simply isn't there. And in the case of contractors, if you're a manager, again, you you make rational decisions as a manager, where do you spend your time investing in people? And the reality is you don't spend your time investing in contractors, you know, personal growth and development and team cohesion and things like that, right? um you know in in in many cases I've

seen managers who do a fantastic job working with and managing contractors and I see others who who treat them as as as a jura machine where tickets go in and work comes out the other end and we generally just don't talk to them as long as that continues to happen. I think that's a bit dehumanizing and unfortunate but it certainly does happen. So Ben is settled in. He's doing his work mostly. He's showing up here and there. Um but something's going around going on in the background here. So you you remember what I said earlier about the problem of job stacking and subbing. Now uh uh subbing in most organizational contexts is something you really don't

want to happen. It is bad bad bad. Your data is now at some other firm in the hands of somebody you don't know and and that's that's a bad thing. Uh job stacking like I don't know like that that to me feels like more of an HR and performance issue, right? I don't I wouldn't uh decry anybody who decides to go drive for Uber in their off hours uh despite having a full-time job, right? Uh I don't know if you can swing two jobs. Uh who am I to say that that that's bad? Obviously, there's concern about data spillage, data leakage, and and things like that. But most of these um you know the YouTubers, the guides

and things like that um they do a pretty good job of explaining why you want to keep all of that separated which for me as a security professional I really appreciate. Like thank you. Thank you for not taking the Zoom call from the other corporation's computer. Okay, good on you. So if you're doing that, just do a good job of keeping that separated. Okay, that's all I'm saying. Um, but I've got a team of people who are on the lookout for these kinds of things because like I said, they pose a bit of a risk. So, I've got an insider team who's hunting for these subs and these stackers and we're doing so primarily through technical means. Okay. Um, like

I said, we're looking for things like new accounts downloading VPN and uh remote management tools. um that's usually a sign of two things. One, the the person is is doing this type of job chicainery or they fancy themselves kind of a techie and want to have ProtonVPN and remote in their system with Team Viewer and Any Desk and all this kind of nonsense. They're uh uh uh they are there are IT people that at least in an organiz if you're in an organization that's very uh heavily regulated uh you you don't get to stand out that way. You don't get special tools. Sorry. Like that's that's not allowed, right? So we're looking for things like that

because um we want to root out certain types of of behaviors that kind of run the gamut. We're looking again for those longunning web conferencing sessions. Um, we've been hunting for KVM over IP USB device identifiers. There's a couple of really popular ones on the market. Uh, Tiny Pilot being one of them. Um, there's there's like an endless longtail of uh uh cheap uh overseas manufactured ones. Um, but if you kind of go on Amazon and and pick out some of those top ones, you can find people using uh KVM over IP devices. Um you and if you have uh system management tools or uh EDR tools uh that can do device querying and discovery and things like that, you can

find these things. Um obviously looking for your your typical anomalous um outofcountry login. Um so everything from you know geo IP discrepancies to impossible travel things like that. Um, and then one of the other things that we were looking at was things that look like corporate network peers. Okay, so if you think about your home network, and I, and I know all of you have really cool home network setups that you, you know, you're going to brag to me about. Um, because because everybody's got them. Um, realistically you might have two, three, four corporateisssued devices on your LAN. Maybe you, maybe your spouse, maybe another person, maybe maybe you're rooming with a few people, but like that that total count of

corporate managed systems is fairly small. The rest of what is seen in terms of like broadcast announcements, DNS names and things like that on your local LAN are things like Chris Merkel's MacBook Pro and you know tablets and all this consumer grade stuff. If it's a Windows laptop or a Windows desktop, it's called laptop dash string of letters and characters, right? You know, most people when they have a personally owned device don't go and use what looks like a corporate naming convention to call your computer workstation 38721, right? Um so if you're kind of good at data analysis, you can start to look at network peers to understand um how many corporate devices all kind

of show up in the same place. Now why would you look for such a thing? Well, for those people that are job stacking, you would expect to see a higher quantity of uh corporate assets on on somebody's local land. Now, uh I I do want to state that you can't um uh you have to understand the legal boundaries, right? Um if you're carrying out an end mapap scan or a vulnerability scan from the the standpoint of a local machine, your lawyers may have a problem with you. However, there is a ton of broadcast traffic that occurs on a typical LAN that hits the Ethernet interface of your corporate managed asset that you may be able to take

advantage of. I'm being non-specific because there's not like a good playbook for do doing this. You have to understand your tools, their capabilities, and things like that and determine whether you're capable of doing something like that. So, generally my subs, my stackers, they're usually tripping one or two of these detections. Ben caught them all. Um, and that was wild. Now, at at this point, I don't know that I've got a DPRK person. I've just got somebody who just lit up like a Christmas tree. Um, and in case you're wondering, the AI slop images that I'm using, um, I have used Google Translate on all of the Korean and most of it is actual Korean words. If you speak Korean and you're

reading that and going, "What on earth does that mean?" I don't know. But most of it is syntactically correct. So, having found somebody who, like I said, really lit us up, um, this is where our friendship begins. Or, I should say it's more of a parasocial relationship. So, we start to dig in. We look at Ben's resume. His years of service don't add up. either um he's not telling the truth or he is much older than he appears to be and I want to know his skincare routine. Um it just it doesn't make sense. Uh criminal background check generally clean. Good. Now in some organizations you can get uh workforce history reports like uh Equifax work number um and things like

that. um that history report does not match the resume. Now again, that's not the most damning bit of evidence because people lie on their resumes all the time. Okay. What's interesting is LinkedIn profiles less than a year old have despite having worked in tech since what I think is the age of eight if I do the numbers. Um most of his pictures look like stock photos. So there's a lot of shots from far away that show engagement and like fun and interesting activities but like they're far enough away that you don't get a whole lot of facial detail. Um you know reverse image search great for that kind of stuff. Um, we find out much more about Ben than

Ben's generally willing to disclose to his team on calls, which which is neat. It's fun to really get to know people. Ben likes to ski. Uh, interesting. Interestingly enough, despite being inside the United States his whole life, he owns a ski jacket that's only available for sale in Australia and Singapore. That's kind of neat. Good for him. Like eBay hunting, I don't know. Um, but then that picture from his ski trip to Colorado, which is a a closer, you know, face, very visible pick. Uh, who's played Geogesser before by by show of hands? Awesome. Awesome. I have a son who's really good at Geogesser. Um, so I love that y'all do this. Um, Geogesser, you can play it

at work. It's a real job skill if you're in threat intelligence. You heard it from me. You tell your manager. Okay. Um, the ski trip in Colorado we geoged to be a mountain in China. So that's interesting. Um, and then of course more reverse image searching finds more GitHub profiles, LinkedIn profiles, uh, personal websites, portfolio style websites, and things like that that all share the same picture and name. So now we're left wondering who am I dealing with here, right? We're we're starting to zero in on a hypothesis that I might just have a DRPK actor in my environment. So where is Ben? So the the laptop does indeed geollocate to the new city, the city he moved to,

uh three to four states away. Um and this is where where Osent matters. Um the shipping address yields different names associated with the house obtained by publicly accessible property records. Again, maybe you're renting and that is completely normal. Okay. Um, but doing some more oent on the actual property owner, you see uh criminal records, civil judgments, um, all kinds of stuff like like the person who who actually like owns this house. Um, little bit sketchy. Um, at a certain and and then the other thing is we don't see them as looking like an investment property owner. We don't see in the large metropolitan area um you know multiple active ownership of property. We only see one person owning

one property at a time. But the laptop actually uh moves across town. Um and and now if if if this was a rental situation, you would expect that the uh the destination address would have a different owner than where they came from. But they don't. they have the same owner. So that lends additional credence to the idea that this person um this laptop is uh at in in the possession of the person who owns the property. Um another thing you can get from your laptops in your environment is snapshots of uh all the Wi-Fi networks around you. So you can get the BSSIDs, the MAC addresses, signal strength, all those kinds of things. And I have found that

most thread intel organizations that are, you know, really worth their salt still are kind of sometimes sleeping on the Google location services API because if you have an Android phone, uh, and you have nothing but Wi-Fi available to you, uh, you can still be geollocated. So there's a publicly available geoloccation services API. you can feed it the the list of uh SSIDs, signal strengths, things like that and get a fairly accurate uh uh location. And in our case, that location uh services uh based on the the surrounding networks um you know located him in the general vicinity of that property address. So, I had a pretty good handle on saying because because I'll tell you

like generally from a privacy perspective as a corporation, systematic collection of location data on laptops um generally frowned upon. I don't advocate doing that as a wholesale regular routine kind of a thing. Okay. Um I think it results in a lot of uh ethical and privacy concerns. Um but we we say to ourselves, okay, I think we have a laptop farm now. Um, this this next picture here is is one of the few that is not AI generated. This is a picture of an actual laptop farm. Um, I actually kind of cropped the image. It's twice as large as this. Uh, this comes by way of the DOJ. Um, and and what happens is in this

scheme, you you can't take a laptop and ship it overseas. It'll get noticed. It'll get caught. It'll, you know, it'll be found out at at some point or another. hopefully in organizations, right? So, so people are recruited uh often by a telegram to operate laptop farms. It is not clear to me in reviewing some of these uh solicitations whether the person knows at the beginning that they are involved in a criminal scheme with the most sanctioned c country on the planet. Okay. Um, obviously most people aren't going to respond to an ad that says, "Do you want to support the weapons program of our dear leader?" Okay, they did the AB testing. It just doesn't work. Okay. Um,

instead it's vague language about uh offshore contracting and facilitating and uh some of them even get into data tenency, you know, and things like that. They've got all kinds of like kind of flimsy excuses. So, if you are a person who is in need of of additional income and and who isn't um uh you're going to get roped into something like this. Um uh generally speaking, you have about up to 50 laptops maintained by that local farmer and they've got a distinct set of job responsibilities. Uh they're monitoring all these laptops, what's going on on them. They're ensuring that uh uh VPNs stay connected back to the corporation. They make sure that the mouse jigglers are there. Um they're

installing remote management tools. Uh those are generally preferred first because they can be configured for unattended access. Obviously, if you set up a a a teams call or a Zoom call or something like that, that takes a little more like care and feeding to like keep up and running and make sure the screen sharing is working and things like that. Um but they're there really to just facilitate the remote access into those machines um and and uh you know make sure that they're up and running. Um laptop farmers uh you know generally take a cut of the take-home pay for each worker. Um in this case uh this is from a person who was recently sentenced to

eight years and a significant monetary judgment uh for operating this laptop farm. This person uh kind of clueless. They're they went on TikTok to complain about their boss one day um and tell them how good the uh the acai bowl was from the place down the street while like the laptop farm was in the background on Tik Tok. >> Um now if you ask me whether somebody of that caliber should be sentenced to eight years, I think that's a good open question. So you found a Ben. What do you do about it? Well, you got to make some decisions. Do you need to collect forensic evidence or are you willing to just cut that laptop off and walk away?

Uh you're you as an organization, you have to decide what's more valuable to you, what your regulatory and risk drivers are. It is a business and risk management decision, not a technical decision. So, you got to bring the right people in. Um you're going to want to do an internal access review. uh you're going to need to work with uh uh HR, law, privacy, and things like that. You're going to need to know how, you know, how and whether you're going to engage with law enforcement and things like that. Um if you decide to go the intel route, um have a plan for quarantining and bricking. Prepare for when they call the help desk. Otherwise,

the help desk will just try to help them. That's not good. Um getting them to join from a personal phone is going to be tricky. They're not going to want to give that up if you've quarantined the laptop. Um, however, they are often willing to ship laptops back. And I was just talking to somebody uh yesterday who who said that sometimes when they know the jig is up, they'll ask for the last paycheck in exchange for the laptop, which I think, yeah, you got to hand it to them. So, that's what ends up happening. And and the thing is is like they're not in there rampaging when they know the jig is up. Like they're just in there to do

work. They're there to collect a paycheck. They are not the part of the North Korean uh cyber folks who are there to cause havoc and steal and and do all those kinds of things. This is simply a money-making opportunity just like all the other hairbrained ones the Kim regime is engaged in. So on solutions here. So that takes us to act three. Act three, trust issues, helping people bring their authenticelves to work. The gold standard here is in-person stuff. Now, the second I say that, everybody thinks to themselves, "Oh, no. Our corporate overlords are absolutely not going to be okay with that." Because the second I have to pay money to fly somebody in for interviews,

I'm adding, you know, a minimum of $1,000 uh, you know, per interview, right? Okay. Well, then don't do that. Do it after you've hired somebody. Well, yeah, but that still costs money. Okay, I get that. So, but I'll tell you what. I I stated earlier that this is not a problem that is best solved through technology. It is a problem best solved through process and that process is do strong in-person identity validation. If you do that, the likelihood of you having this problem goes down drastically. Okay. Now, some bright engineer might say, "Oh, I know we have all these new document verification services." Yes, we do. And we also have a telegram channel where I can pay $10 to generate an ID

that passes all of those. Okay, those uh know your customer document verification things. If you rely on them, I am sorry. Um maybe they work for your threat scenarios. They don't work for this one. The address change, you need to have visibility into your business process. And oh my gosh, I am so happy right now. As a quick aside, everybody in the audience for being here, you all get North Korean flags. As a speaker, I am given the opportunity to make one outrageous request, and that is to have North Korean flags handed out to all of you. So, uh, let's give it up for the people at Bites for being super awesome. Thank you. So en enjoy your handout.

>> Dear Damon would like to thank you for participating in the glorious economic activity of our fully American conference. There is no association with the Democratic People's Republic of Korea or any other. We are all happy and productive workers here. Thank you. All our volunteers are wellfed. Um, so that address change is a red flag, but that means you have to get in the middle of the hiring processes of your contractors. That means you have to get your contractors on board to stop what they're doing when that happens. But if you can't do that document verification, stopping that laptop shipment is huge. It's critical. Okay. Increase that due diligence of your your contracting partners. Most of this

hiring is happening through contract firms and cutouts. It's not usually happening in the uh happening through direct employment, although they try. Um do not necessarily rely on um your contract firms to do these background checks, uh review resumes, and things like that. At least if you have high-risisk positions, identify what those are that have contract staff in them and do those reviews yourself. make sure they make sense because so many of these resumes have are just littered with with with contextual red flags. Um, and then finally, if you have people in high sensitivity positions, um, maybe consider the use of a hardware security token like a phyto key because if you're a laptop farmer, having to go around and

and like constantly tap that phto key whenever you need to carry out a high-risk interaction with a technology system in your environment, that's a huge huge mess, right? That's going to suck. Okay, if you can do that, I strong first of all, if you can do that in general for high-risisk transactions in your environment, please do so. But uh if you have to like scope it, at least do it for those offshore contractors. Uh and finally, there are some technical indicators. We talked about those longunning calls, the the installation and use of remote access tools in particular within the first 14 days of hiring. Um, watch out for uh browser and IDE plugins if you can. A lot of them,

just like everybody else, like to use AI. Um, and then of course for for like the subs and stackers, go to r/over employed. Understand what they're doing and and you know, maybe you can work on that, too. So, like I said, focus on business process, not technology solutions. I know you are all technologists, but I'm asking you to to work internally across your organization to solve this problem because that's where it happens is in that partnership with HR and law and those other partners. Okay, if you have the opportunity, educate and manage your environment what those red flags look like, form that collaboration. So with that, the last thing I want to say here is that I did this in the style of the

show This American Life, uh, which is found on National Public Radio. Um, we have seen a significant devaluation of public media in this country. So um, you know, I will ask you to wave your flags, but more importantly, what I ask you to do is support public media. How many of you listen to darknet diaries? If there was not this American life, there would not be the darknet diaries you're listening to today. Public media um fuels innovation and knowledge and I strongly recommend uh that that you give it the support that it's due. So, with that, I'm at time and um I I'm not going to be able to take questions because I can't give off-the- cuff responses uh to

to some of these things, but even better, we can have some some uh uh out there conversations. So, I'm going to head out there and anybody who wants to to to talk certainly can. And there are a lot of flags available, so please take one. In true democratic people's republic public fashion, you are all now part of the economic output of this conference and you must assemble your own flags if you want to go to happy hour later. Thank you so much.

I don't know. [Music] Heat. Heat. [Music] [Music] Heat. Heat. N. [Music] Fire down.

[Music] Heat. Heat. [Music] down. [Music] Heat. Heat. [Music] Hey, hey hey. [Music] Hey, [Music] hey hey. [Music]

Down. [Music] Down.

[Music]

[Music] Heat.

[Music] Heat. [Music]

Heat. Heat. [Music] Heat.

[Music] Heat. [Music] Heat.

[Music] Hey Heat.

Heat. Heat. N. [Music] [Applause] Heat. Heat. [Music] Heat. [Music] Heat.

[Music] Heat. Heat. [Music] Heat. Heat. [Music]

[Music] Yeah sure.

Good afternoon and welcome to Besides Las Vegas, Breaking Ground, this talk will be given by Torata U. A few announcements before we begin. We'd like to thank our sponsors, especially our diamond sponsors, Adobe and Aikido, and our golden sponsors, Formal and Drop Zone AI. It is their support along with our other sponsors, donors, and volunteers that make this event possible. These talks are being streamed live, and as a courtesy to our speakers and audience, we ask that you check to make sure your cell phones are set to silent. Enjoy the talk. Okay. Uh thank you for introducing and thank you for giving me a wonderful opportunity to talk about my research for the first time. Uh today's talk talk

title is shedding light on web isolation technologies and their bypass techniques. So I will focus on uh web isolation. Uh that is not so familiar uh solutions. So that's why I hope you enjoy it. Uh let me quickly introduce myself. Uh I'm Tera, security researcher for Fujitsu and uh five years as a security analyst for a bank and uh three years as a security researcher and a speaker for black hat and code and so on and sometimes I do internal reting and cyber exercise. Uh today's talk talk is based on the experience for security analyst for a bank because uh that bank is used uh web isolation technology. So that's why today's talk is based on the

security analyst for bank. Uh this is the outline of my talk. Uh first I will talk about the web isolation technology. Uh so what what is a web isolation technology and what is the threats for web isolation technology. And the second I will talk about email exploit technique. So what kind of a technique exist and what kind of malware or actors uh you abuse email email. And the third one is demonstration of my developed tool uh outlook and the last one is how to mitigate and detect such kind of attack technique. This is outline. Okay. So let me talk what what is a web isolation technology. So web isolation technology uh it if I explain this solution in a one word it's

a kind of virtual browser. So web isolation technology ensures secure web browsing by executing a web content in a remote and isolated environment. So users interact with a safe visual image of web page. Uh so this is a graph visual image of web isolation. So without web isolation uh then malicious web content like malicious javascript or malware can be leached to end end users directly. uh but with with uh web isolation technology just only visual image can be reached to end users uh so that's why users just only interact with visual image only so that's why malware or malicious web javascript cannot be reached to web end users so that is the biggest advantage of web isolation and

actually in my opinion web isolation is one of the strongest cyber security solution to protect end users in my opinion. But so let me explain why it's so secure. So the biggest advantage is HTTPS YTP traffic from clients can be blocked by firewall. So as I mentioned just only visual image is only transferred to uh end users. So that's why end users does not need to uh communicate uh with internet over http or https. So that's why we can add the deny firewall. We can add the deny rules of https by firewall. So that is the biggest advantage. So that's why typical attacks such as downloading malware through HTTP by word file like macro or BBA can almost all of

them can be blocked by firewall. So that is the biggest advantage and actually when I worked for bank as a security analyst actually most security alerts of workstation were closed due to no impact as HTP requests were blocked by the firewall. So that's why I think it is one of the strongest cyber security solution in my opinion. Actually there's a disadvantages as well because one is little bit response time is little bit slow. So just only visual image is transfer to end users. So that's why compared to direct HTP commi communication it's a little bit slower. So that is a disadvantage and and web scraping is not possible and web isolation technology because HPS traffic

is blocked by firewall. So that that's why web scraping is blocked or we need to ask firewall guides to allow that domain on firewalls. So that is a disadvantage and also installation is difficult. So these days most inst software installers require internet access uh during the setup. So that's why just so we need to prepare offline installer and web isolation technology. So that's why they are kind of disadvantage and also from my past experiments not related to web isolation but I ex I had I I had experience to have a development laptop with no external connectivity except for email. So when I worked for a bank and when I developed a banking system so that of

course I need to I need I would like to do browsing in such cases I need to check the error error message for my email and I need to send the email content by my development laptop by email. So yeah it's very old type development style but yeah such develop style existed in the past and experienced in the past. So that's why I would like to say yeah still yeah it's a cloud and AI is getting common but there's a working environment that communication is mainly done by email. So so uh there are kind of web isolation products by lot many vendors like semantic or crowd flare or force point or main law security and so on. There

are couple of web isolation vendors. Okay. So then what organization use web isolation technology? So I think yeah bank or government and also hospital and legal and so on uh use this kind of technology uh they they usually they tend to handle sensitive data and uh and also traditional and large organization there. So the reason is web isolation technology is not so very easy solution. I mean it takes time and cost and effort to introduce it. So that's why I think yeah the large organization that have enough effort to spend doing cyber security and they prioritize prioritize cyber security is important. So such organization tend to introduce uh such web isolation technology and also many

non-technical stuff working. So they are non nontechnical stuff working. So that's why their IT literacy is not so high. So that's why for for example banking stuff and so on. Uh they are easily tricked into clicking malicious URL or fishing site or something. So that's why to protect such a non-technical stuff working uh workers from malware or something uh this solution is effective I think. So that's why bank and the government tend to use uh this solution and also they prefer to use traditional and standard tools like Outlook or Microsoft Office not G Suite or Gmail and so on. Okay then so what is not threat for web isolation technology? uh this was my job

to consider what was threat and what was not threat for to attack web isolation technology. So as I mentioned uh downloader and situ malware through HTTP or HTTPS is not a threat because it can be blocked by firewall and also domain fronting as well. uh I don't talk in detail but if you are letter team or something you may be familiar with domain fronting but it's a kind of a technique to bypass network filters by impersonating true destination of https traffic so this graph shows a domain fronting so they usually domain fronting usually use crowd benders in this case Google crowds and malicious traffic first goes the crowd vendors like Google and in this case

Google and crowd benders redirect that traffic to true destination uh of malicious one. So that's why crowd vendor domains in front and in the back there is a malicious domain. So that's why I think this technique is called the domain fronting and uh actually it was the biggest threat uh for web isolation technologies because uh I mentioned uh under under web isolation technology uh all traffic https traffic can be blocked by firewall but technically it's not true because uh we need to allow some domains uh even and web isolation technology for example Microsoft if we block the traffic to Microsoft on firewall then we cannot use Microsoft service like uh Microsoft office or outlook and so on so that's why domain

fronting abuse this one I mean maicious traffic goes to Microsoft Azure first and Microsoft Azure transfer that traffic to uh Malicious malicious domain. So that's why it was biggest threat to attack web isolation technology. Uh but I think these days crowd benders have addressed this issue. So it's reducing its effectiveness. So on the contrary what is a threat for web isolation technology. So first is malware without C communication. It might be possible maybe ransomware but it's very rare and it's difficult because most malawares use download and communication. So such independent malware might be possible but a little bit difficult I think and also malware using DNS uh DNS DNS works even web isolation technologies but I think there

are many security solutions to analyze and block uh malicious DNS like jettoscala and sec and for guard and so on so that's why it might be possible but maybe not so effective in my opinion And the last one is uh malware using SMTP and IMAP. This is the one the one I would like to talk about by this talk because SMTP is one of the protocol that is allowed for inbound and outbound communication. So I would like to focus on this one by this talk. Okay. So next I would like to talk about email exploitation technique by malware and threat actors. Uh this is the top malware communication ports. Uh so as you may know uh most

adversaries and malware use HTTP or HTTPS and DNS. So this is the data of net scope uh in 2023 and the net scope reported that most malware used HTTP or HTTPS for C and C communications. uh and the second most commonly used port was DNS. So I can say most adversaries or malwarees use HTTP or HTTPS and DNS. So I'd like to say SMTP and IMAP can be overlooked as a potential channels for collection or data expiration and CNC communication and C2 framework as well. So most C2 frame C2 framework use HTTP or DNS TCP for uh for listenet for protocols. So like metasloit and qualar and habok all of them use HTTP HTTPS TCP

and SMP and so on. So no IMAP or SMTP is supported. Okay. So then why malware use HPS protocol? Of course, first I think uh it's fast and stable. So, and it it's easy to hide malicious traffic because of much legitimate traffic. So not so suspicious to upload or download uh large files over HTTP and uh and of course and outbound traffic is usually allowed uh in my current company as well because we need to do browsing to to do keep our business and so on. So that's why usually outbound traffic is usually allowed but but it's not true if uh under web isolation technology. So that's why HTTPS traffic is not so effective to attack web isolation

technology. Okay. So uh also less common than HTTP uh and HTPS some malares and adversaries abuse email techniques and SMTP. uh technique is MIT defines email correction technique and the adversary is lazarus and apt28 and so on uh abuse um email it's mainly for data expilitation and the malware is ocean map and agent tesla and emot abuse uh email okay this uh this is the m framework uh ma framework identified three email collection sub techniques. Uh one is local email collection. Uh as you may know email email box it contains a lot of sensitive data. So that's why ACA m adversaries collect sensitive data from outlook inbox and remote email collection is a similar one and last one

is email forwarding group. So malware and adversaries set up uh email forwarding rule to steal future emails as a kind of persistence. So there are kind of email collection technique ma defines and uh actor as well uh a28 it's a Russian state sponsored cyber person group targeting government and military sectors. uh f as the last step they drop the malware called the ocean map and uh they use ocean map to which connects to IMAP C2 servers and communicate via IMAP. Uh this is a screenshot that malware researcher uh published on his blog. Uh as you can see uh it is a diir directory command was executed and it is uh saved in a email box as a mail like this.

And this is a system info command. Sorry little bit small but yeah system info command was executed and it was saved in a email box. And this uh this email was used to communicate with C2 servers. And this one is IP config command. It was com it was executed and it was also saved to email box. So I can say ocean map use uh IMAP for C2 communication. And this one is the most similar one that I will give a demonstration later. Okay. And also agent Tesla as well. Uh agent of Tesla is a malware that acts as a key logger and information stealer. It's targeting uh credentials and system data and they use uh SMTP uh

yeah they use SMTP to send stolen data via email attachments. And the last one is emote. It's it's a famous I think it's very famousware and emoting

emails uh fishing email with malicious attachment or links and uh it allows attackers to load additional payloads and steal sensitive information like emails or email server credentials. And it also turns infected devices into spam bots to send spam emails for worml like activity. So they still ste they use become they turn device into spam bots to do lateral movement for another organization. So that's why emot can be a tricky pattern but I think I can say emote is also one of the malware that abuse emails. Okay. and also C2 tools as well. So not so many tools and like uh so there are not so many tool exist that's you exploiting emails for communication but there are couple of uh

tools like first one is bad outlook uh this one is the most similar I think for my tool of my tools it's a simple poke which uses uh outlook application to execute share codes and it's most similar that's not specific for web isolation technology. So I can say my research is enhanced and analyze the activity uh in terms of web isolation technology and the sharp Gmail sheets as well. Uh it abuses Gmail process not outlook but yeah Gmail process for situ communication via SMTP and IMAP. And the next one is auru outlook sitsu. It uses the Microsoft graph API for sitsu communication via http https protocol not smtp but yeah it's also similar and s article as well. Uh it's su

communication through outlook. So the these are the my related research I can say. Okay. So next uh I will going to give a a demonstration of my developed tool outlook C2. Okay. But before that let me quickly introduce component object model. So component of object model is a Microsoft technology allowing software components to interact. So Microsoft exposes some software as a component object mo model objects to combine different soft parts together. So they expose it outlook or office products or edge and and so on to to communicate from to control or to communicate from a different uh process. So, so this I my tool used this component object model. So, as I mentioned, uh Outlook exposites its

functionality through component object model. So, that's what thanks to that it enables uh native tools like PowerShell ornet to get and send emails via Outlook process. So this is the uh uh this uh this this is a poke data poke code to to get email box contents by powershell. So just only three lines it can I can get the inbox uh outlook processed inbox content get creating a instance by outlook by outlook and uh by this code I can get a inbox of the outlook outlook process. So thanks to that the key advantage is I can do task automation and integration without additional software. So when I worked for a bank uh we created a ticket

uh based on detection email like EDR or seam and so on. So we we can we couldn't use lessto API because ATPS traffic is blocked by firewall. So that's why we automate such ticketing system using uh outlook process. So thanks to that yeah we can automate some tasks uh using outlook process but of course I can use it in a bad way as well. So so I I think I can use it to for C2 communication. So this is the overview of Outlook C2 that that I developed. So it's three steps. So first outlook beacon uh it's monitoring outlook process for new emails by powershell and the C2 servers send commands like fui and so on to client via email and

then outlook beon execute that commands and return the result to C2 servers using outlook process. This is the overview of outlook C2. So it's better to give a uh demo uh play a movie of my short demonstration. So yeah uh uh and also I I cannot prepare web isolation technology because I don't have it. So so that's why I added the deny HTTP and HTTPS traffic rule by my uh by Windows host firewall to simulate to simulate uh web isolation technology. So let me play the short movie. Uh give me a second. Okay. Uh this uh this is this is a client and victim side of Windows and this is attacker side. So and outlook bitcoins

running. Okay. And send a command like system info task list as in a mail body. Then this Bcoin is analyzing and executing that command system info and task list and return the result back to C2 servers mail servers and I can get it I and it can be saved in an email like this and I and to simulate more interactive shell I developed such a graphical user interface for to simulate interactive shell. So I ex send task list or IP config or net user and system info and then it is that that command is executing and uh I this uh that result is displayed in a in this visual uh GUI tools and also we can

upload some additional uh payload as well like reconcript I'm uploading and uh I can execute that uh recon script as additional module. So executing leon powershell scripts and uh send it then this recon powershell script is running on client side victim side and uh the it send returns a result like what kind of until is running and what kind of process is running and so on. So that's why I can say this tool can upload or download some additional module as well. So and also I think this technique is very good with steganography. So steganography is a kind of technique that malware hide the malicious content into visual image. So at the previous email in in the in

the in the mail in the mail body there is a system info ip config command in the email body. So that's why user may think this is very suspicious right. So that's why I think it can be good to combine with steganography. So by so I can spoofing like a advertisement email. So I can create advertisement email and embed some malicious command into this ping file. Then outlook se beacon analyze that ping file and execute that command like IP config and who am I and so on. And then even user uh noticed such uh email but this one is is a kind of spoofing advertisement email like looking for a laptop that works as hard

as you do. So I think most users ignore such advertisement email but in the background outlook seat beacon analyzing that uh um that uh steganograph is email and executing that command and send the result back to the C2 servers. So yeah this is in the ping file just it is just a normal laptop. So that's why probably user don't think it is suspicious. So that's why I can say this technique is very good with steganography. Okay. Uh this is a short demonstration movie of my tools and let me get back go back to the slide. Okay. Uh so okay this is a process flow of outlook cu. So first disable not it might not be necessary but just in case

disable notification and then monitoring outlook process and the third communication so it execute commands and return the results via outlook process. So not it uses launched outlook process. So that's why no authentication required and the last one is clean up removable emails from the inbox and outbox just in case. And the server side is just simple just GUI interface for sending commands and receiving responses and and I I didn't demonstrate all of them but there are other commands as well like upload and down downloaders download and list folders and get folders and also you can search keyword in a email box as a C2 command and also forward as a persistence. Okay. And yeah, this is a miter

technique. So I can I combined a couple of miter techniques like execution or correction and command cor command and control and xfiltration into that C2 tools. Okay. Uh the and this is a network traffic on client sites. So as I mentioned I added a uh fire http and https deny rule on the on the windows firewall but this s communication can possible because uh this situ tool uses SMTP and IMAP so that's why HTP deny yps deny it doesn't matter and yeah next I would like to compare this to with general libas shells so Lib share is has three steps. Uh usually as as you may know you may know first uh rebell uh send request to C2 servers regularly

and the second C2 server responds with some command with some commands or other instructions like fi or IP config and so on and as the last step reverse share execute that commands and return the results back to C2 servers. This is a general behavior of libas shells and the first step. So first step is different. So liver shell need to send request to C2 servers regularly. But outlook C2 is first step is different. So it's just monitoring out process only for new emails. So that's why no traffic unless C2 communication C2 servers send commands. So I can say outlook C is similar to bind shell but bind shell is usually used for lateral movement only because

bind shell needs a inbound traffic but usually inbound traffic is usually blocked by firewall. So that's why bind shell is usually used for lateral movements uh in the domain. But in this case uh we use I use email for inbound traffic and email is allowed for inbound traffic as well. So that's why it's possible to do like a a bind share outlook C2 and this is a process tree of liver shell. uh so this uh I think anus or EDL detects the most is when it execute that process or some process write some uh files into the disk and so on and this this is a process tree that's I executed the lib shell generated by metasloits

so usually shu liver shell write files by malware itself for additional payloads uh like This uh this is a reverse shell and uh and this malware itself write another module uh like test upload.exe as a disk operations. Of course, you can change the parent process by migrating to another process or injecting but then injection itself can be often detected by antidr. So that's why anti anti often detects malware during file oper file light operations and outlook se this is a outlook se process tree. So in this case outlook itself write another module like this. So it's normal behavior for outlook because yeah outlook need to send some data to disk of course. So that's why

it's natural behavior. So making detections more difficult I think. And so in summary that is a key threat points of outlook situ. So it operates even in isolated environments like web isolation and uh it's low traffic that is the main key threat point I think and also low traffic. So as I mentioned communication occurs only when C2 server C2 server send commands only and also upload and download via Outlook is legitimate not so suspicious and unusual and I utilize technique making it harder for users to identify suspicious emails so more difficult for an or users to detect I think of course there's a disadvantage as well. Uh fast is little bit slower compared to HPS. I think it's a protocol

issue. So I cannot help it. And email notification may trigger popup and the user may notice it. In this case as I demonstrated I think uh impersonating advertisement emails that users most likely ignore using steganography is one of the good counter measure. I think and also logs remain on mail server and easy for investigation. In this case, I think encrypting email body could be a counter measure and also steography using steography is one of the counter measure. And the last one is mail security services like DP may block it especially to personal domains. In this case, uh adversaries may use uh legitimate domain addresses stolen from botnet like emot. I had these days I heard that most fishing ms comes from

legitimate uh domain. So that's why it's this DP or something maybe good way but it might not be enough maybe perfect. Okay, last one, last page is last title phase is mitigation and detection. How to prevent yeah such attacks. Okay, first mitigation is the end point security. So this is the uh outlook option. So I can change the uh programmatic access security in Outlook option to one about email sending from pro another process like PowerShell or something. So default settings only triggers warnings if antivirus is inactive or outdated. But if you you are letter team as as you may know evasion of indoor defender is not is not so very very difficult. So that's why I don't think it is enough.

Uh but in in this solution might be difficult in environments relying on automated email process like uh when as I mentioned when I worked for a bank we created a ticket based on detection emails. So that's why this endpoint security policy might be difficult in such cases but yeah but if not it's a one of the good uh security solutions and the second one is email policy so restrict emails to personal domains like Gmail and so on. Disadvantage is some teams need to send emails to personal addresses like HR or something. If so then this m mitigation may be difficult and adversaries may as I mentioned may use legitimate domain addresses stolen from botnets then this solution might not been enough

and also detection rule as well actually not so many detection rules to detect such communic C2 communication through SMTP but still some of them exist like elastic So elastic has a suspicious interprocess communication via outlook. So this rule might be effective and splank as well and crowd strike. Not also often but few times sometimes uh crowd strike detected outlook seats behavior as a uh email connection anomaly rules like this. So not not every time but yes a few times it can detect it. So that's why this is one of the good detection rules I think and this one is a custom rule I developed. So as as far as I analyzed the behavior of outlook seats by process

monitor uh I noticed that uh the parent process is servicehost and the child process is outlook and the argument is embedding arguments. So so service host process uh manage the execution of component object model. So that's why uh if we launch outlook through component object model the parent process become service host and if we launch nor outlook normally through by double click or something then it start with explorer.x take it as a parent process. So that's why I can use this information to detect it. So that's why uh this is a rule to detect it. So yeah command lines outlook.ex there and the parent process is service host then I can put that execution of outlook seats only

and this is the sigma rule uh it's same yeah parent processes service host and outlook and yeah is I can I make it public on my GitHub so if you have interest in it please access to my GitHub page okay this is a summary and takeaway so I introduced the Web isolation technology. So what is web isolation technology and what what kind of threat exists and email exploitation technique I introduced uh what kind of technique exist and what kind of attackers and malware abuse email and I developed a tool outlook seats and demonstration. a demo how outlook is controlled via component of object model for C2 communication and lastly I introduced the mitigation detection uh and end

point and email policy for mitigations and detection rules by sigma root okay uh that's all for my presentation uh thank you for listening [Applause] If you have a question or something, please I'm I'm still around, so please let me know. Thank you.

[Music] Hey. [Music] Turn it up. [Music] dirty. Oh, down. [Music] D. [Music] Here [Music] you go. [Music] Black [Music] Hello. Hello.

[Music]

[Music] Heat. Heat.

Heat. Heat. [Music] Heat. Heat. [Music]

Heat. [Music] Heat. [Applause] Heat. Heat. Heat. [Music]

Heat. [Music] Heat.

[Music] Heat. Heat.

Heat. Heat. N. [Music] Heat. Heat.

[Music]

[Music]

[Music] Mat. [Music]

[Music]

What are you doing? [Music] Heat. Heat. [Music]

[Music] Heat. Heat. [Music] Heat. Heat.

Heat. Hey, heat. Hey, heat. [Music] Heat. Heat. Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat.

[Music]

Yeah, [Music]

[Music]

yeah yeah. [Music] Let

me show you. Yeah, [Music] down. [Music] Down

down down down down.

[Music] Baby. [Music] Hey. [Music] Fire.

Fire. [Music] Hello. Hey.

[Music]

[Music] Heat. Heat. [Music]

Heat. Heat. N. [Music] Heat. Hey, Heat. Heat. Heat. [Music] Heat. Heat. [Music] [Applause] Heat. [Music] Heat.

Heat. Heat. [Music] Heat.

Hey. Hey. Hey. [Music] Heat. Heat. N. [Music] Heat. Heat.

[Music]

[Music]

[Music]

[Music] Oh yeah. [Music]

[Music] Heat. Heat. [Music] Heat. [Music]

Heat.

Heat. [Music] Heat.

Heat. Heat.

Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat. [Music]

Heat. Heat. Yeah,

[Music]

[Music] yeah yeah.

Down [Music] back. Yeah, [Music]

down. [Music] Down [Music]

down down down.

[Music] Heat. Heat. [Music] I [Music] during

[Music] Heat. Heat. [Music] Heat. Heat. [Music] Fire. [Music]

Hello.

Down. Hey. Hey. Hey. [Music]

[Music] Heat. Heat.

Heat. Heat. [Music]

Heat. [Music] Heat.

[Music]

Heat. Heat. Heat. [Music] Heat. [Applause] Heat. Heat. Heat. [Music]

Heat. Heat. Heat. [Music] Heat. Heat. Heat.

Heat. Heat. N. [Music]

Heat.

Heat. [Music] Heat. Heat. N. [Music] Heat. Heat. N. [Music]

[Music]

[Music] Heat. [Music]

Heat. [Music] Heat. Heat. [Music] What are you? [Music] Heat. Heat. N. [Music]

Heat. Heat.

[Music] Heat. Heat.

[Music] Heat. Heat.

[Music] Heat. Heat.

[Music] Heat. [Music] Heat. [Music] Heat. Heat.

Heat. Heat.

Yeah, [Music]

[Music]

down. [Music] black

hey [Music] you hey you hey you hey you hey you hey you hey you hey you hey you hey you hey Yeah, [Music]

down. [Music] Down.

[Music] Heat. Heat. [Music]

I do. [Music] Daddy. [Music] Hey. [Music] Here [Music] you go. [Music] Fire [Music] down. [Music] Hello. Heat.

[Music]

[Music] Heat. Heat. [Music]

Heat. Heat. N. [Music] Heat. Hey, Heat. Heat. [Music] Hey Heat. Heat. Heat. N.

Heat. Heat. [Music] Heat. Heat.

Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat.

[Music]

[Music]

[Music] Hey. [Music]

Love you. [Music]

[Music] Heat. Heat. [Music] Heat. [Music]

Heat.

Heat. [Music] Heat.

Heat. Heat.

Heat. Heat. [Music] Heat. [Music] Heat.

[Music] Heat. Heat. [Music]

Heat. Heat.

Yeah. [Music] Yeah. Yeah. [Music]

Down. [Music] Down. [Music] Sh. [Music] Yeah. [Music]

Down [Music] down down down. [Music]

[Music] Apple [Music] [Music] Heat. Heat. [Music] Hey,

[Music] hey hey.

Johnny

[Music]

down. [Music]

[Music] Heat. [Music] Heat. [Music] Heat. Heat.

[Music] Heat. [Music] Heat. [Music] Heat. Hey. Hey. Hey. Heat. Heat. N. [Music] [Applause] Heat. Heat. Heat. [Music] Heat. Heat. Heat. [Music] Heat. Heat.

[Music] Heat. Heat. Heat. [Music] Heat. Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat. N. [Music]

Heat. [Music] Heat. Woo! [Music] Hey! Hey, [Music] hey hey. [Music] Heat. Heat. [Music]

What are you? [Music] Heat. [Music]

Heat.

Heat. Heat.

[Music] Heat. Heat.

Heat. Heat. [Music]

Heat. Hey. Hey. Hey. Heat. Heat. [Music] Heat. [Music] Heat.

Heat. Heat.

Yeah, [Music]

[Music]

down. [Music] black hey black

hey [Music] you hey you hey hey [Music] ground. A few announcements before we begin. We'd like to thank our sponsors, especially our diamond sponsors, Adobe and Aikido, and our gold sponsors, Formal and Drop Zone AI. It's their support along with other sponsors, donors, and volunteers that make this event possible. These talks are being streamed live and as a courtesy to our speakers and audience, we ask that you check to make sure your cell phones are silent. If you have any questions, use the audience microphone so YouTube can hear you. Make sure to point at the mic in the audience so people know where it is. Hello everyone. Uh I'm very excited to be here. This is actually my first time

talking in a conference. So getting to do it in ve here in Vegas, it's like a dream come true. And now uh today I'm going to talk about a vulnerability a vulnerability that I have found in active directory. And uh before we start uh this vulnerability uh I found during my research on DMSA and few years ago I also did a research about GMSA and uh I now know a lot about MSA but there is just one thing that I just couldn't figure out and that is why the D in DMSA and the G in GMSA are lowercase and uh at first I thought that this is just because I'm not an not an English

speaker but uh I asked a lot of people and I didn't actually get a response that satisfied me. So, uh I'm telling you this so just so you know if during this talk at some point you will ask yourself why it is written that way uh I have no clue. So uh I'm Yuval Gordon. I'm a security researcher at Akamay and in the in the last decade I've done uh different roles in security in cyber security and uh the one domain that I'm keep coming back to is active directory and today in Akami I'm focused on offensive research. So uh this is how I got to uh this vulnerability. Uh that's my ex handle. So feel free to uh to

follow me or reach out. Uh so the agenda for today we're going to start with a quick introduction to service accounts. Uh then we're going to deep dive to DMSA. I'm going to explain exactly what DMSA is, how they work and uh where exactly I found the vulnerability. Then I'm going to talk about bed successor which is a technique that abuse this uh vulnerability. So uh in order to explain what a service account is, I'm going to use a story by Elach Shamir. So uh Elachameira's amazing talks where he talks about uh different things around Kerberos and um I really love the way that he speaks about uh explains about Kerberos and and the different terms. So uh I really

recommend his talks but for now I'm just going to summarize uh the the relevant part for us. So uh in a lad story there is this new amusement park and in this uh in this amusement park there are uh uh visitors and those visitors when when they want to come into the park they get a daily ticket. Uh so this daily ticket is like a TGT in Keraros and uh when when a visitor want so uh in the park there are also uh several rides. So uh for example we have this really really cool roller coaster and uh each different ride has a ride operator. Now a ride is like a service. So for example that can be a web application

and uh the ride operator is a service account. This is the main focus of our talk and uh when a visitor wants to get on a ride uh they can't use their daily ticket. what they need to do is to go to the ticket office and actually get a ticket for the specific ride. So, uh to enter to to uh to enter each ride, they need a different a different ticket. And when they get the the ticket to the specific ride they want to uh to enter, uh they take this ticket to the right operator and uh the ride operator looks at the ticket, they validate it and uh the ticket has some information. So it

has for example the the visitor height and age and uh the different memberships. So maybe this ride is only for the the premium maybe this is a premium ride. Uh so the ride operator will choose whether to allow the visitor to um to to uh join the join the ride. So um this is basically service accounts and we have different types of service accounts. So uh we have the unmanaged type the legacy kind uh and this kind has a lot of security risks uh the most major one that uh legacy service accounts are a target for for career roasting attack. So uh in 2008 and 2012 Microsoft introduced MSA and GMSA. Uh for the sake of our talk I will just

refer to both of them as MSA. uh it's not really important the the difference between them, but uh the the manage type of account solved the problems that the legacy account had. And so um so that was really great but uh it it has been u more than more than a decade more than a decade since uh Microsoft introduced MSA but still I'm talking about legacy service accounts. So uh I'm doing this because uh uh MSA just didn't take over. Uh organization still uses today legacy service accounts and uh I haven't actually found any organization that don't use legacy service account at all. So uh the reasons for that um the most major one is that uh legacy uh in

order for a service to be um to be configured with uh with an MSA they have to support MSA and unfortunately just some services just don't support MSA. So uh we can't configure MSA for that services. So if our organization uses uh those services we can't we can't uh use MSA for them and uh the other reason is if we have a service an existing service that is currently running with a legacy service account uh if we want this service to now use an MSA we will need to uh configure a lot of things for the MSA to work exactly like the the old service account. uh we want them to have the same privileges,

the same configurations and this will just take a lot of time from the IT team and if they will do some mistake uh it will uh result with a app downtime. So uh luckily for us in 2025 just recently Microsoft introduced DMSA or delegated managed service account. So, uh, the MSA is completely new and it has all of the advantages that the old MSA had, but, uh, this time the IT team can just lay back and relax because Microsoft has introduced a really cool new migration process that lets, um, lets IT admin take an existing legacy service account and just migrate it into a DMSA. uh and it doesn't matter if the services that uses this service account

support MSA or not. Uh they will all just work with the DMSA and the IT team doesn't need to do any work and they don't need to um to take care of anything. So that's really amazing. So let's talk about this uh cool migration process. So uh we can actually divide the migration process into three phases. we have the we need to start the migration then we uh in the waiting phase and then we complete the migration. Now uh before I actually get into uh uh into one of those uh phases uh let's look at at how authentication looks like before we start a migration. So uh on our left we can see an SQL server. I

I've called this a server SQL SRV and this server is running an SQL service. Now when the uh when the service needs to authenticate in the domain uh we have configured it to run with SVCSQL a legacy service account. So um when the service authenticates it will issue an authentication request with SVCSQL and the DC will respond with a TGT which is like uh the daily ticket in the amusement park. So uh now let's start the migration and uh what happens now is uh we we have a new DMSA that have called DMSA dollar and we have the old legacy service account and uh when we start the migration uh those two accounts are being linked. So each of

them is uh just pointing to the other and the other thing that happens is that the legacy service account is granted right permission on a specific attribute on the DMSA. So uh this attribute is really important one and uh uh what it controls it it actually uh controls who can authenticate as the DMSA. So uh in order for a server to authenticate as the DMSA they have to be listed in this attribute. So uh in the next slide I will show how this attribute is uh being used. So uh we have configured we we have started the migration and now we are on the waiting phase. So uh now when the server wants to authenticate it will

uh again issue an authentication request just as before but uh and and this time again the DC will respond with the TG with the TGT but uh the response will now have an additional information. So the additional information will say that this user will be soon superseded by the MSA dollar. Now when the carros client which is um uh what actually take carees of the authentication on the SQL server side. When this car client sees this message uh it will just automatically uh respond with sending an LDAP modification request to the DC requesting to add the server we are currently working on which is SQL SRV dollar to the attribute that controls who can authenticate as the DMSA. So uh

the result of that will be that this server will now be able to authenticate as the DMSA from now on. So uh this is why we are on the waiting phase. This phase is uh for the environment to learn which servers are currently using the legacy service account. So they will all be able to use uh the DMSA. So uh now we need to wait we wait for about a week before we complete the migration. So uh at this point the we complete the migration and uh what happens is that uh the legacy service account is getting disabled and um some career configurations are being copied from the legacy service account to the DMSA and

now uh let's look at the authentication now. So once again uh we're the the server is requesting uh a TGT uh requesting to authenticate as SVCSQL but this time uh the DC responds with an error because uh this user is now disabled. So uh this response again has an additional information which says that this user is superseded by DMSA dollar. Now when the keros client get this response, it will just automatically try to authenticate with uh DMSA dollar and because we are listed in the attribute that controls who can authenticate as the DMSA uh we will be allowed to authenticate uh and and everything is is good. But uh so everything that I have just shown is uh

from the Microsoft documentation. But uh there was just one thing that that was missing that really bothered me because uh the documentation didn't mention privileges at all. And uh uh actually uh this is really concerning because if we have a really cool uh great migration process uh they have to take care of privileges. If the legacy service account had certain priv certain privileges, the new DMSA should have the ex exactly the same for the service to to uh to work as as expected. Now uh let's talk about privileges in Keraros. So uh in Keraros uh in Kerbaros we have a structure that called pack which is in the Keros tickets. So uh this pack lists

some information about the user and it also it also lists the uh group membership of the user. So it will list every group that the user is a member of and if we had the svcsql the legacy service account and uh it was a member of several groups. So I have just created a new DMSA and I have completed the migration and I checked and the new DMSA is not a member of any group. So we can expect the the pack of the DMSA to look like this. Um so this is really bad if that's the case because uh that means that the DMSA don't has the same privileges as the legacy service account. Uh so uh that's a huge problem

but uh I guess Microsoft engineers have watched Dragon Ball uh because they too knew that when a problem is just too big there is only one solution fusion. So uh the the pack of the DMSA actually looks like this. So um what happens is when the when the when we authenticate as the DMSA uh the DC will build the pack just as before but this time it will also check if the DMSA is linked to another account and if so it will just also build the pack for the uh superseded account and will merge the two packs. So the the new pack will have uh every group that either the the DMSA or the legacy service account was a

member of. So uh that way we we make sure that the DMSA and the and the DMSA has the exactly has exactly the same permissions as the legacy service account had. Now uh we we thought that this uh mechanism is really great because that means that uh we can just take privileges of one account and give it to another without changing group membership. Uh so that is really cool and we wanted to know uh whether if whether we can abuse it and uh and and we can but uh in order to explain how we actually abuse it I'm going to explain how the migration process uh actually look like how we how we start the

migration process. Um so uh one moment

so uh uh according to Microsoft documentation when we want to start the uh the migration we need to execute this PowerShell commandlet. Now uh we tried executing this PowerShell commandlet uh by a non-domain admin but uh it failed. So uh in order we we wanted to understand exactly what happens when we execute this command and actually this command is just a a wrapper for this LDU Rud DCSC operation. Now uh if you're not familiar with LDSC operation that's okay. Uh it's basically just requesting uh to invoke a certain functionality from the DC. Now uh if we try to in if we try to manually uh send this request to the DC as a non-domain admin it will

also fail. So uh that's because on the DC side there is a verification whether the color of this operation is uh is a domain admin and if not uh it will just not work. So uh at this point we wanted to understand what happens when the DC uh does approve this operation and what the DC does is just uh changing some attributes. So uh basically uh the DC just takes the DMSA and the superseded account and changed some attributes on them. And at this point we wanted to know whether we can uh if we control a DMSA maybe we can just change the same attributes that that this is changing. So apparently we can do that. We don't need domain admins

for that. Uh so that means we can link the DMSA to another account and uh the link is and we do the link just from the DMSA to the superseded account not the other way. So we don't need actually uh any permissions on the target account just on the DMSA and we link it to any account including domain admin and um uh we gather privileges. So uh that is basically bad successor and uh let's see it in action. So um we have an attacker and this attacker has a control over a DMSA and they want to get a domain admin privileges. So um they will just simulate DMSA migration. They will link the DMSA to a domain admin and they now

need to authenticate as a DMSA and uh that this is just granting them the privileges. So that's great. That's amazing, really cool. But uh there is a huge problem because uh getting getting control over a DMSA uh that's pretty hard because DMSA is is brand new as as I said. So most organizations don't use DMSA yet. And uh the second point is that DMSA are being created by default in the managed service accounts container and this container is uh heavily restricted. So only highprivileged groups have have access to this uh container by default and so uh we we even if there is a DMSA it will probably mean we can't just uh I mean getting control over it will be hard. So

uh uh luckily for us we can actually create the DMSA in any OU not just in the managed service account container. And that means that uh now the the diagram changed a bit and if we control any OU and OU is basically OU is an organizational unit. It's basically a folder in active directory. So if we control a folder which you know some folders are just not as important as the others. If we control an OU, we can create a DMSA there and therefore we can simulate a migration and get domain admin. Now uh let's hit uh let's see a demo of it. So here we are running as a weak user and this user has uh we are trying to

add to domain admins and we fail because we we don't have privileges but we can create objects in an OU called temp. Now we will try now we uh create a new DMSA in the temp ou and we link the DMSA to the administrator account. Great. Now we need to authenticate as the DMSA. So we use Rubio for that. Okay. Now we are authenticated as the DMSA as we can see in K list and uh we try to add a member to domain admins once again. This time we succeed because we are running with administrator privileges. So um we have reported this vulnerability to Microsoft and Microsoft said uh that this is a vulnerability. They they agreed with us but uh they

said that if we have a control over ou and we can just gain any privileges that we want that is moderate. So uh because this is moderate uh it does not meet the bar for uh immediate servicing. Uh however they did said that they're going to uh to fix it in the future. Um but that's actually uh not the end. So uh when I started with uh with the research I saw that uh there is this structure and uh I didn't thought much about this structure. I I actually ignored it. Uh basically this structure uh is in in TGT for DMSAs and uh it has two key members. It has the current keys and the previous keys.

So uh those fields uh hold the the Kerros keys for the DMSA both the current one and the previous. Uh so uh Kerros keys if anyone uh is not familiar with that is basically credentials in Keraros and we can think about it as a password hash. So now uh the the thing that that led me to look at this structure again is seeing this uh decoded response. So this is a decoded response of this structure. And uh we can see the current keys above and the previous keys below. And uh maybe it doesn't says much to you but uh I I saw this when I worked on the demo. So I have just created the DMSA. I have uh

simulated a migration. I linked it uh into admin administrator and and then I got this response. Now uh the weird part that I actually didn't notice is that the new DMSA that I have just created has a previous password. Now uh I didn't uh actually see that but uh what I did saw is the value in the previous keys and uh maybe you can't see the value or it just doesn't mean anything to you. H it makes sense that that is just an antlash and uh usually I don't recognize antlash but uh this antmash specifically uh it means a lot for me because uh this is the anti-mash of this password and I always use this

password for my lab environment. So I immediately I immediately recognized the hash of AI126 as I always use it. Now uh that was really weird because we have a DMSA which is a great security uh new feature and they have a randomly generated password but the old password is the password that I always use. That that's pretty weird. So uh apparently what happens is when we link the DMSA to another account we are not only stealing the privileges of the other account we also get uh their their credentials. So uh I have created a tweet about it and I show that I'm running a script and I just uh dump uh all of the credentials

of all of the users and computers in the domain. Uh so that's really cool and I'm also dumping the credentials of uh KBTGT. Maybe you can see it from here but KBTGT is uh I think the most critical uh user in active directory. If you have those credentials you can craft golden ticket. Uh so that's really cool. Uh and uh I'm showing I I'm showing this tweet because there was just one comment that I I think summarized this whole thing uh perfectly. So uh Andre Andre replied with seems quite moderate. So yeah dumping the the every credentials is moderate. So now uh let's talk about uh detection. Uh and I'm not going to talk about

mitigation because uh we I I think uh the best mitigation will be just to wait for uh uh for Microsoft patch. Uh in the meantime there are some there was some discussion after I posted a blog about this. Uh there was some discussion in the in the identity realm about like uh how how organizations can protect themselves from this attack and uh there were some uh great ideas but I think that none of them actually uh is is uh like good enough for perfectly uh mitigating this uh this vulnerability. So uh in order to detect this uh this attack uh there are a couple of logs that are being created when we execute the attack. So uh first of all when we

create a DMSA uh uh there will be a log saying that uh a DMSA was created if we configure a sackle. So a sackle is a system ACL uh and uh yeah you should configure sackle for uh for the creation of DMSAs. Uh the second point is DSA linkage. So again uh this requires a suckle but then you will get a log every time that someone's link a DMSA to another account. And uh the last one the the most interesting is uh this log is actually for GMSAs. So uh when a user fetch a password of the GMS of a GMSA uh this log is uh logged but uh apparently it is also logged when we request a TGT

for DMSA. So I guess this is because of how uh Microsoft is uh sending us the the credentials. Uh now the the interesting part is that uh when we when we uh fetch GMSA password we we have the caller seed and caller IP and those those fields will have the seed that fetch the password and the IP that uh the the user was working from. that uh when we request a TGT for uh a DMSA uh this is getting logged with uh the caller IP as blank and the color seed as anonymous loon. So uh I think this is really interesting. I actually uh didn't have the time to to look into it more but I think uh this

may be uh worth uh some digging. Uh and now uh before we get to the conclusions um I I have contacted with uh MSRC because uh they were actually uh pretty great. I I mean beside the point that I don't agree with them on the severity uh that they were really great working with and uh I sent them the presentation and I asked if they want to put uh any official statement. So uh this is their their statement. Uh we are aware of this report and we'll be addressing it in an upcoming update. Um okay so uh let's talk about conclusions.

Okay so uh DMSA is a brand new feature and it was designed with security in mind. it actually solves some I think great security risk and uh but but that doesn't mean that the DMSA is necessarily uh secured and that they they don't have any vulnerability there. Uh the second point is to never skip the obvious because uh I think that when when I saw that uh that the whole new uh um uh pack merging thing, I talked with my manager about it and uh his response was something like well uh maybe you can just change the attribute and then it will give you the pack. And I said h no that sounds way too easy. Uh but

apparently it was just that easy. So uh good thing that I I didn't skip it. Uh the the next point is uh as I said to log and alert on DMSA creation and links and uh the final point is uh that DMSA is a great new feature. I know that in in this talk I I talk badly about it, but I actually really like this feature and I think that once Microsoft will uh finish with the patch uh it will be much better and organization definitely should use this feature. Uh so uh thank you and if you have questions uh feel free [Applause]

Okay, thank you.

[Music] Heat. [Music] Heat. [Music]

[Music] Down.

[Music] Born down. [Music] There you go. [Music] Hey, hey hey. [Music] Down. [Music]

[Music] Heat.

[Music] Heat.

[Music] Heat. Hey. Hey. Hey. Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat.

Heat. Heat. Heat. [Applause] [Music] Heat. Heat.

[Music] Yeah.

Heat. [Music] Heat. Heat. N. [Music]

[Music]

[Music] Heat. [Music] Heat.

Heat. Heat. [Music] Wow. [Music] Heat. [Music]

Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat. [Music] Heat. Heat.

Heat. Heat.

[Music] Heat. Heat. Heat. Heat. [Music] Heat. [Music] Heat.

Heat.

[Music] Heat. [Music] Yeah, [Music]

down. [Music] Hey, hey hey. [Music] Yeah, [Music] down. [Music] Down

[Music] Hey. Hey. [Music] Heat. Heat. [Music] Woohoo! [Music] Down! [Music] Baby. [Music] Hey.

[Music] Hey, hey, hey. [Music]

Down. [Music] Heat. [Music] Heat. Heat.

[Music] Heat.

[Music] [Applause]

Hey. Hey. Hey. Heat. Heat. [Music] Heat. Heat. [Music] [Applause] [Music] Heat. Heat.

Heat. Heat. Heat. [Music] Heat. Heat. N.

[Music] Yeah.

Heat. [Music] Heat. Heat. N. [Music] Heat. [Music]

Heat. [Music]

[Music] That's [Music] Heat. Heat. N.

[Music] Heat. Hey. Hey. Hey. Heat. [Music] Hey Heat. [Music] Heat. Heat. [Music]

[Music] Heat. [Music]

Heat.

Heat. Heat. [Music]

Heat. Heat. [Music] Good afternoon and welcome to Bides Las Vegas breaking ground. This talk is detecting deoffuscation and blocking fileless malware with tree sitter given by David McDonald. A few announcements before we begin. We'd like to thank our sponsors, especially our diamond sponsors, Adobe and Aikido, and our gold sponsors, Formal and Drop Zone AI. It's their support along with other sponsors, donors, and volunteers that make this event possible. These talks are being streamed live, and as a courtesy to our speakers and audience, we ask that you check to make sure your cell phones are set to silent. If you have any questions, use the audience microphone so YouTube can hear you. With t

Related talks

51:51
Six Degrees of Domain Admin... - Andy Robbins, Will Schroeder, Rohan Vazarkar
BSides Las Vegas
32:48
G1234! - Cash in the Aisles: How Gift Cards are Easily Exploited - William Caput
BSides Las Vegas
33:48
CG - How to Start a Cyber War: Lessons from Brussels -EU Cyber Warfare Exercises - Chris Kubecka
BSides Las Vegas
54:33
BG - ATT&CKing the Status Quo: Improving Threat Intel and Cyber Defense with MITRE ATT&CK - Katie Ni
BSides Las Vegas
31:06
BG - From Email Address to Phone Number: A New OSINT Approach - Martin Vigo
BSides Las Vegas
20:51
PG - One OSINT Tool to Rule Them All - Emilie St-Pierre
BSides Las Vegas