8:00 am - 9:45 am
GMT
8:00 am - 9:45 am UTC | Live in London Registration & Networking |
9:45 am - 10:00 am
GMT
9:45 am - 10:00 am UTC | Live in London and Online Opening Remarks James Lyne, Chief Strategy and Innovation Officer, SANS Institute |
10:00 am - 10:15 am
GMT
10:00 am - 10:15 am UTC | Live in London and Online Why You Are Critical to Our Mission |
10:15 am - 10:55 am
GMT
10:15 am - 10:55 am UTC | Live in London and Online Keynote | From 2024's Biggest Threats to What's Next: A Look Ahead to 2025 with Chich and Ciaran This session will provide a comprehensive review of 2024’s most pressing challenges, including the Chinese hacking network known as Volt Typhoon. Our experts will then turn their attention to the future of AI In 2025, exploring whether the high expectations surrounding AI’s potential are justified or merely fuelled by Fear, Uncertainty, and Doubt.
Show More
|
11:00 am - 11:25 am
GMT
11:00 am - 11:25 am UTC | Live in London and Online APT41 Has Risen from the Dust APT41, a Chinese cyber espionage and cybercrime group, has reemerged with a vengeance, targeting a broad spectrum of industries globally. This presentation delves into the recent resurgence of APT41's activities, dissecting their evolving tactics, techniques, and procedures (TTPs) as observed by Mandiant in recent engagements and highlighted in a recent blog post. We will discuss recent targeting, explore novel methodologies, and dive into some malware samples.
Show More
|
11:25 am - 11:35 am
GMT
11:25 am - 11:35 am UTC | Live in London and Online Intro to CTF |
11:35 am - 11:50 am
GMT
11:35 am - 11:50 am UTC | Live in London and Online Networking Break |
11:35 am - 9:00 pm
GMT
11:35 am - 9:00 pm UTC | Live in London CtF |
11:50 am - 12:15 pm
GMT
11:50 am - 12:15 pm UTC | Live in London and Online Democracy Wiped: Tales of an Iranian Iconic Duo Roey Shua, Security Researcher, Check Point Software Technologies Ltd Since October 2023, Check Point Research (CPR) has actively responded to a myriad of state-sponsored threats targeting Israeli organizations, including destructive attacks using wipers and ransomware. One unique incident stands out among those threats in a joint operation by two Iranian state-sponsored threat actors (Scarred Manticore and Void Manticore) as an Israeli Municipality was hit by a freshly baked wiper sample, aiming to destroy a critical network and disrupt the local elections. This presentation will delve into the numerous data restoration measures we took to dig into impacted machines, leading us to forensic traces of a clear handoff procedure between the actors, eventually unraveling a coordinated months-long offensive operation of two distinguishable APTs.
Show More
|
12:20 pm - 12:45 pm
GMT
12:20 pm - 12:45 pm UTC | Live in London and Online Once a victim, always a victim, a dive into the ecosystem of Cyber Extortion (Cy-X) and the increasing desperation of its participants In this presentation we will talk about our latest cybercrime research on the topic of ransomware / Cyber Extortion (Cy-X). Here we observe both sides, the offender side and the victim side. For the latter we share insights into the fairly new phenomenon of re-vicimization, which we increasingly observe since 2023. On the offender side, we want to share the flexibilkity of this criminal ecosystem by using the example of CONTI. What happened to the affiliates and in which Cy-X groups are they operating now after the CONTI’s operation shut down. Since 2020, we have been observing re-occurrences of victim organizations in our dataset with seemingly random patterns. Some of the most typical scenarios we observe are the following: - Same threat actors re-posting victims within several months - Threat actors posting the same victim organizations on the same date to at least two different leak sites - Victims being re-posted after several years since the first time victimization We wanted to look into this more closely to understand why and what type of re-victimizations we are observing. We know by now that the cybercrime ecosystem is a complex one, including many different type of actors, roles and actions. Before we dive into the data, let’s take a moment to talk about the phenomenon of re-victimization and why it is relevant to study. We see different scenarios of victim organizations being re-posted on the darkweb. One of our most urgent questions when looking at possible re-victimization is why we see some victims re-appearing. We have some hypotheses about it: - Another cyber-attack: An actual, second round of Cyber Extortion / cyber-attack against the same victim has occurred. Either through potentially using the same point of entry or backdoor; or completely unrelated to the first occurrence. - Re-use of access or data: The victim data has ‘travelled’ (leaked or sold to the underground) and is being used as leverage to try to extort the victim once more. Or the access has been sold to different buyers. Nevertheless, data or access is being re-used. - Affiliate crossover: An affiliate has reused victim data between different Cy-X operations We will show some clusters we analyzed between threat actors that are re-posting the same victims and also dive a bit into the “time-delays” between re-victimizations. When do we see occurrences of posting victims not once, not twice but even three times on the dark web. And why it matters also in context what happened to CONTI and affiliates.
Show More
|
12:50 pm - 1:15 pm
GMT
12:50 pm - 1:15 pm UTC | Live in London and Online We’ll knock your SOCKS off, exploring the hidden depths of a residential proxy network Adversaries have been utilizing residential proxy networks to obfuscate their access and ‘blend in’ with legitimate traffic when targeting organisations. We will walk you through one of the largest of these networks, used by adversaries such as SCATTERED SPIDER to mask their tracks…
Attendees will learn how a high-perfomance network is constructed from 0 and n-day exploits for thousands of embedded devices. We’ll share how we were able to gain insight into how it works, some of the vulnerabilities used, and how adversaries use it.
Show More
|
1:15 pm - 2:15 pm
GMT
1:15 pm - 2:15 pm UTC | Live in London and Online Networking Lunch |
2:15 pm - 2:40 pm
GMT
2:15 pm - 2:40 pm UTC | Live in London and Online Russian Gamaredon APT Group, Mobile Surveillance Tools Lookout Threat Intelligence has attributed two new Android surveillance malware families tracked as BoneSpy and PlainGnome to the Russian Gamaredon Advanced Persistent Threat group, tied to the Russian Federal Security Service (FSB) by the Security Service of Ukraine (SSU) in 2021. Lookout will present findings of the capabilities of these surveillance families and the factors that led to their attribution to Gamaredon. The purpose of this presentation is to expose these families to the public for the first time, as well as to demonstrate the techniques leading to attribution as well as to communicate mitigations to these threats.
The primary factor tying PlainGnome and BoneSpy to Gamaredon is the strong overlap in command and control (C2) infrastructure hosting. Both mobile families use dynamic DNS provider ddns[.]net for domain registration, while both are hosted on IP address space owned by a single Russian service provider. Multiple IP addresses resolving the mobile C2 also resolve dozens of known Gamaredon C2 domains as well as several others that share the same naming convention. In addition to the direct address space overlap between desktop and mobile campaigns, Gamaredon is known to have used ddns[.]net for domain hosting and typically uses Russian internet service providers for C2.
Both mobile families targeted former Soviet countries, and contained Russian-language user interface strings. These factors suggest targeting of Russian-speaking victims outside Russia, and generally limited to former Soviet states. Gamaredon has targeted Ukraine extensively since at least 2013, which generally aligns with the threat group’s physical location in occupied Crimea. Gamaredon appeared to target enterprise victims based on use of a BoneSpy sample poorly masquerading as Samsung Knox Manage, used for enterprise mobility management (EMM) and only capable of being installed from sources internal to an organization.
Show More
|
2:45 pm - 3:10 pm
GMT
2:45 pm - 3:10 pm UTC | Live in London and Online It Has Been 0 Days Since Our Last Edge Device Security Incident In the past 12 months our team have investigated critical incidents in customer environments where the root cause of the incident was a zero-day exploit.
CVE-2024-21887 & CVE-2023-46805 (Ivanti Connect Secure)
CVE-2024-3400 (Palo Alto Networks Global Protect)
In this talk, we will discuss:
* Why the issue of edge device security continues to be a problem and won't go away in the short term
* Common detection approaches that enable detection of these incidents
* Insights into the incidents including their discovery and key findings from those incidents.
Show More
|
3:15 pm - 3:35 pm
GMT
3:15 pm - 3:35 pm UTC | SPONSORED TALK | Live in London and Online Platinum Sponsor | VMRay Sponsored Talk | Understand Your Attackers: The Role of Sandboxing in Threat Intelligence In the face of a rapidly evolving threat landscape, understanding attackers and proactively mitigating threats has become imperative. This technical talk delves into the symbiotic relationship between sandboxing technologies and cyber threat intelligence (CTI), emphasizing the use of dynamic malware analysis to gain a deeper understanding of attackers and fortify organizational defenses. The presentation is structured into four sections: - The Significance of Threat Intelligence: This section explores the fundamental reasons for collecting threat intelligence and its practical applications.
- Choosing the Right Sandbox: Not all sandboxes are created equal. This section provides insights into the selection of a sandboxing solution, considering factors such as integration capabilities, avoiding vendor lock-in, and effective benchmarking.
- The Value of Indicators of Compromise (IOCs): We discuss the critical role of IOCs in threat intelligence, comparing public and in-house sources, and how they contribute to a comprehensive understanding of threats.
- Maximizing the Value of Threat Intelligence: The final section focuses on practical applications, demonstrating the effective utilization of threat intelligence, including the automation of threat data collection using platforms like MISP and the deployment of block rules to devices such as routers and proxy servers to prevent threats from advancing.
Handling today’s deluge of malware and phishing attempts may seem overwhelming, but by the end of this session, attendees will have a clear understanding of how to integrate sandboxing technologies into their threat intelligence workflows, enabling a transition from reactive response measures to proactive defense strategies.
Show More
|
3:40 pm - 4:00 pm
GMT
3:40 pm - 4:00 pm UTC | Live in London and Online Networking Break |
4:00 pm - 4:25 pm
GMT
4:00 pm - 4:25 pm UTC | Live in London and Online Camouflage and Chaos | On the Trail of Chinese APTs Playing the Ransomware Game The APT vs. cybercrime debate has been a staple of cyber threat discussions for years, but recent years have seen a convergence that challenges traditional categorizations and demands a fresh perspective. Cyberespionage groups are involved in a disturbing scheme: deploying ransomware as a final act in their operations to secure financial gain, cause disruption, create confusion, misdirect blame, or erase evidence. This tactic allows adversarial countries to maintain plausible deniability by attributing these actions to independent cybercriminals rather than state-sponsored entities.
From high-tech research in Europe to healthcare in India. From manufacturing in the Americas to aviation and government in the Indian subcontinent and the Far East. We trace this global trail of suspected Chinese APT clusters taking on cybercriminal roles. The involvement of operatives moonlighting as cybercriminals and dual-role contractors in the Chinese cyberespionage ecosystem adds further layers of ambiguity. We expose custom tooling, dubious “ransomware affiliates”, and additional links between ransomware operations and espionage clusters. We dive into key risks this ransomware tactic poses to government cybersecurity organizations and private sector defenders, such as missed intelligence opportunities and diminished situational awareness, and explore challenges in countering this threat.
Show More
|
4:30 pm - 4:55 pm
GMT
4:30 pm - 4:55 pm UTC | Live in London and Online When Cybercriminals Goof: OPSEC Oopsies and Epic Falls In the ever-evolving digital landscape, cybercriminals rely heavily on Operational Security (OPSEC) to shield their identities and evade law enforcement. However, even the most sophisticated hackers can make mistakes that unravel their carefully constructed facades. This presentation will explore the fascinating world of cybercriminals' OPSEC blunders and provides investigators with the tools to detect and exploit these vulnerabilities. Join me as I delve into real-world cases where cybercriminals' slip-ups led to their downfall. I shall examine the most common OPSEC mistakes made by hackers, from careless metadata exposure to poor compartmentalization of online personas. By dissecting these errors, investigators can gain valuable insights into the mindsets and behaviors of their targets. Attendees will learn practical techniques to identify and leverage these mistakes, turning them into opportunities for successful investigations.
Show More
|
5:00 pm - 5:25 pm
GMT
5:00 pm - 5:25 pm UTC | Live in London and Online Novel Insights Into How Dark-Web Threat-actor Are Weaponizing Deepfakes to Target C-suites & Enterprises in 2024 The presentation will examine the intent, capability and opportunity enabling threat-actors to conduct successful deepfakes attacks by giving specific details, statistics, and tangible case studies of threat-actors weaponizing deepfakes to target enterprises. The presentation moves far beyond high-profile well-known attacks discussed elsewhere to give you tangible, novel insights from within the last 12 months rooted in Cyber Threat Intelligence data and IR cases. - Dark-web criminal groups of all calibers - ranking from common fraudsters to high-end ransomware group's - are increasingly weaponizing deepfakes as a method to target individuals and enterprises. While famous case studies include the ‘Hong Kong’ attack resulting in a 25$ million loss are well known, many novel deepfakes attacks have been overlooked. - Specifically, threat-actors are moving far beyond using deepfakes for BEC, VEC or CEO fraud and are increasingly utilizing it as a tool of enterprise compromise and to enrich technical attack chains, making deepfakes a highly dangerous threat trend for enterprises across geography and operating industry. - By examining the intent, capability and opportunity of dark-web criminals and their use of deepfakes, the presentation will showcase a significantly changing threat posed by deepfakes, and how it is being utilized by ransomware, extortion and BEC groups alike. - Several case studies will be examined including by ransomware groups use of deepfakes, VEC attacks as well as examining how c-suites are putting themselves at increased risk, simply by doing their job. Overall, the research in this presentation is based on 4 years of research and more than 16 case studies. It will examine why the we have seen a more than 205% increase in the purchase of dark-web deepfake service since 2022, how the intend to use the deepfake has changed from fraud to enterprise compromise and how infostealer credentials is helping deliver the deepfake ploys. Moreover, the large volume of data leaked by ransomware groups is now being used to enrich deepfake attacks by making them more accurate and targeted, an often overlooked threat.
Show More
|
5:25 pm - 5:30 pm
GMT
5:25 pm - 5:30 pm UTC | Live in London and Online Closing Remarks James Lyne, Chief Strategy and Innovation Officer, SANS Institute |
5:30 pm - 9:00 pm
GMT
5:30 pm - 9:00 pm UTC | Live in London Networking |