On April 25 and 26, four Hacknowledge engineers attended Insomni’hack 2024, one of the largest information security events in Switzerland, held at EPFL (Lausanne, Vaud).
Questioning the cybersecurity industry as an introduction
During the opening talk, the speaker, Charl Van Der Walt, warned the audience about the risk of relying on heuristics in daily life, and especially in the design and life cycle of the most common security services and products on the market. The warning referred to the critical vulnerabilities disclosed in recent months in products from major security vendors, such as Ivanti (CVE-2024-21887, CVE-2023-46805), Palo Alto Networks (CVE-2024-3400) and Fortinet (CVE-2023-34992, CVE-2023-42789, CVE-2023-48788). The speaker proposed anticipating such vulnerabilities by acting proactively: through risk assessment, by investing in bug bounty programmes, and by improving public-private collaboration and government policy. He also described the current way of managing security as a systemic failure that governments and large companies must address now, and that technology companies should no longer accept.
A glimpse of the talks
Several talks then dealt with LLMs (Large Language Models), confirming this growing trend. They showed how LLMs can be compared and benchmarked by defining variables and capabilities, and how they can be exploited. Adversaries can use them to gather “illicit” information (OSINT, other accounts) or to generate malicious code, and can attack them through data poisoning of their training sources, inference attacks and model stealing. It was also shown how LLMs can be fuzzed with different techniques, and how the results can be used to jailbreak their configuration.
On the detection side, some speakers presented interesting cases on the latest attacker trends and analysed malware: from Rhadamanthys to the abuse of .NET for initial access, through Android malware, anti-reverse-engineering techniques and the most common persistence techniques against AD DS (Active Directory Domain Services) encountered during pentest engagements. This cutting-edge and valuable information will improve our SOC’s detection services. Several talks on reverse engineering and malware development showed the latest trends in adversary TTPs (Tactics, Techniques and Procedures). Furthermore, several vulnerabilities were discussed and explained with their PoCs, as demos, from the JVM to JumpServer. Some of these vulnerabilities showed once again that services can be insecure by design, and that widely used open-source software is often released to the public without adequate security assessment and controls.
The cloud side was also covered. The talk that caught our attention was about Microsoft 365 (O365), more precisely how an attacker can abuse features specific to Microsoft’s environment to gain access to, or move laterally within, a target’s infrastructure. The idea was to take a few typical scenarios and show how to investigate them with a number of queries run in Microsoft Sentinel (formerly Azure Sentinel). The talk had the merit of reminding us of a few key elements for reducing false positives as much as possible: correlating across several tables, and taking into account operational aspects such as the use of a VPN by users, the presence of custom applications, and so on.
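As an added illustration of that correlation approach (this is our own example, not a query from the talk), the KQL hunting query below looks for a classic M365 abuse pattern: a successful sign-in from an unfamiliar country, followed within one hour by the creation or modification of an Exchange inbox rule that forwards or deletes mail. Two Sentinel tables are correlated (SigninLogs and OfficeActivity), and two noise sources the talk mentioned are carved out first: corporate VPN egress ranges and in-house applications. The VPN ranges, application names and home countries are assumed placeholder values to be replaced with your own.

```kql
// Added example, not from the original page: correlate an unusual sign-in with a
// subsequent mail-forwarding or mail-deleting inbox rule for the same account.
let lookback = 1h;
// Assumed values: replace with your own VPN egress ranges, custom app names and home countries.
let VpnEgress   = dynamic(["203.0.113.0/24", "198.51.100.10/32"]);
let CustomApps  = dynamic(["Contoso Expense Portal", "Contoso HR Sync"]);
let HomeCountries = dynamic(["CH", "FR", "DE"]);
// Step 1: successful sign-ins that are not explained by the VPN or by in-house apps
let SuspiciousSignins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"                                  // success only
    | where not(ipv4_is_in_any_range(IPAddress, VpnEgress))    // drop VPN egress
    | where AppDisplayName !in (CustomApps)                    // drop known custom apps
    | where Location !in (HomeCountries)                       // unfamiliar country
    | project SigninTime = TimeGenerated,
              UserPrincipalName = tolower(UserPrincipalName),
              SigninIP = IPAddress, Country = Location, AppDisplayName;
// Step 2: inbox rules that forward, redirect or delete mail, joined to those sign-ins
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "Exchange"
| where Operation in ("New-InboxRule", "Set-InboxRule")
| extend RuleParams = tostring(Parameters)
| where RuleParams has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage")
| extend UserPrincipalName = tolower(UserId)
| join kind=inner SuspiciousSignins on UserPrincipalName
// Step 3: only keep rule changes that happen within an hour after the sign-in
| where TimeGenerated between (SigninTime .. (SigninTime + 1h))
| project RuleTime = TimeGenerated, SigninTime, UserPrincipalName,
          SigninIP, Country, AppDisplayName, Operation, RuleParams, ClientIP
| order by RuleTime desc
```

Requiring both signals for the same account, rather than alerting on either alone, is what keeps the false-positive rate manageable: an unusual sign-in by itself is frequently a traveller or a misconfigured proxy, and inbox rules are created legitimately all day. Comparing SigninIP with the ClientIP recorded on the rule change gives a further pivot during triage.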
In conclusion, all the main actors in the IT ecosystem (security vendors, software designers and developers, researchers, governments, users, agencies, NGOs, etc.) should collaborate to improve global cybersecurity by design. Adversaries are working hard to evade detection and achieve their goals, so as defenders we need to be prepared to face new TTP trends and security challenges in this changing environment.