Speakers

Keynote Speakers

Pedro Ribeiro

[KEYNOTE] AI WILL TAKE UR JOB!

About the Speaker:

Pedro Ribeiro is a vulnerability researcher and reverse engineer with over 16 years of experience. Pedro has found and exploited hundreds of vulnerabilities in software, hardware and firmware. He has over 160 CVE IDs attributed to his name (most of which relate to remote code execution vulnerabilities) and has authored over 60 Metasploit modules which have been released publicly. He also regularly competes in Pwn2Own as part of the Flashback Team, winning the coveted Master of Pwn in 2020.
Besides his public vulnerability research activities, he is the founder and director of a penetration testing and reverse engineering consultancy based in London (Agile Information Security), with a variety of clients worldwide.

More information about Pedro’s publicly disclosed vulnerabilities can be found at https://github.com/pedrib/PoC. Flashback Team’s YouTube channel can be found at https://www.youtube.com/c/FlashbackTeam

Boglarka Ronto

[KEYNOTE] Pivoting with Purpose: Turning Setbacks into Opportunities

About the Speaker:

Boglarka is a cyber security leader and advocate with over 15 years of industry experience. She regularly contributes to legislative frameworks, most recently including DORA and the U.S. Cyber Trust Mark, and liaises with cyber professionals and industry bodies globally. She is a passionate supporter of diversity and inclusion in information security, and a chair of two CREST groups that promote the Penetration Testing Discipline and the role of women and other minorities in cyber.

Boglarka is driven by a lifelong passion for cyber, as well as lots of coffee, and her love for Arch Linux.

Talks

Pedro Umbelino

Blowing up Gas Stations for fun and profit

Since the war(s) broke loose in recent years, a lot has been said about cyberwarfare, attacks on critical infrastructure, ICS/OT vulnerabilities, you name it. In this talk, we are going to talk about a specific set of ICS: Automated Tank Gauging (ATG) systems. These systems control the safe storage and management of fuel in critical infrastructures like gas stations, military bases, airports and hospitals. We will discuss multiple (10) zero-day vulnerabilities that expose these systems to catastrophic risks, from environmental hazards to significant economic losses. Despite past warnings, thousands of ATG systems remain online, unprotected, and vulnerable to exploitation. This track will talk about past ATG research, the new vulnerabilities found and their technical details, demonstrating how they can be exploited to gain unauthorized control over ATG systems. In the end, we will dive into our quest to cause physical damage remotely, in hopes of blowing up (our) gas station.

In recent years, an increasing number of cyber attacks have been targeting critical infrastructure, especially since the war in Ukraine started. Automated Tank Gauging (ATG) systems are critical components in the infrastructure of fuel storage and distribution across various sectors, including commercial gas stations, military facilities, and emergency services. These systems monitor fuel levels, detect leaks, and ensure regulatory compliance, but they also present an alarming attack surface when exposed to the Internet and, by their very nature, an interesting target for malicious actors. This presentation will cover the findings of both past and recent investigations, which identified multiple critical vulnerabilities in ATG systems from various vendors, as well as our quest to physically damage such systems remotely. We will explore how these vulnerabilities can be exploited to alter system behaviors, disrupt fuel supply chains, potentially cause significant physical and environmental damage, as well as other out-of-the-box scenarios. We will show global prevalence data from our latest scans, and talk about both our coordination with CISA in order to responsibly disclose all these vulnerabilities and our efforts to try to mitigate these risks at a wider scale, on several fronts - one of which is raising awareness within the infosec community.
This session is for cybersecurity professionals, industrial system operators, and anyone interested in the security of critical infrastructure. Attendees will leave with a deeper understanding of the risks posed by ATG systems and how to secure them against potential attacks.

About the Speaker:

Pedro Umbelino currently holds the position of Principal Research Scientist at Bitsight Technologies and brings over a decade of experience in dedicated security research. His eclectic curiosity has led to the uncovering of vulnerabilities spanning a gamut of technologies, highlighting critical issues in multiple devices and software, ranging from your everyday smartphone to household smart vacuums, from the intricacies of HTTP servers to the nuances of NFC radio frequencies, from vehicle GPS trackers to protocol-level denial of service attacks. Pedro is committed to advancing cybersecurity knowledge and has shared his findings at prominent conferences, including BSides Lisbon, DEF CON, Hack.lu and RSA.

Candid Wuest

The GenAI Cybercrime Armageddon - Hype or Fiction? 📖

Are we facing an AI Armageddon? With the rise of Generative AI (GenAI), concerns are increasing about cybercriminals leveraging advanced AI tools to create sophisticated, unblockable Skynet-like zero-day threats. But are these fears justified? And if so, how severe is the threat? This talk will explore the realities of GenAI in cybercrime, delving into incidents like deepfake scams, including a million-dollar fake BEC (Business Email Compromise) video call. We’ll discuss how GenAI is enhancing phishing attacks through personalization and automation, enabling cybercriminals to scale their efforts more rapidly. The presentation will also demonstrate how GenAI can generate basic malware and assist in the development of advanced threats, such as polymorphic/metamorphic malware. While GenAI indeed scales attacks, it doesn’t create entirely new threat patterns, allowing behavior-based detections to remain effective—much like how malware builder kits or Metasploit lowered the entry barrier for attackers without rendering traditional defenses obsolete. Additionally, we’ll cover threats that exploit GenAI, such as indirect prompt injection attacks against Retrieval-Augmented Generation (RAG) systems and AI applications. Finally, we’ll weigh current AI threats against existing defenses and highlight future research areas, including zero-day vulnerabilities (AIxCC) and supply chain attacks targeting GenAI. Join us to separate the hype from the real impact of GenAI in cybercrime and understand its implications for cybersecurity.

About the Speaker:

Candid Wuest is an experienced cybersecurity expert with a strong blend of technical skills and over 25 years of passion in the field of security. He currently works as an independent security advisor for various companies and the Swiss government. Previously, he was the VP of Cyber Protection Research at Acronis, where he led the creation of the security department and the development of their EDR product. Before that, he spent more than sixteen years building Symantec’s global security response team as the tech lead, analyzing malware and threats – from NetSky to Stuxnet. Wuest has published a book and various whitepapers and has been featured as a security expert in top-tier media outlets. He is a frequent speaker at security-related conferences, including RSAC and BlackHat, and organizer of AREA41 and BSidesZurich. He learned coding and the English language on a Commodore 64. He holds a Master of Computer Science from ETH Zurich and has various patents and useless certifications.

Dimitrios Valsamaras and José Leitão

When Malware Becomes Creative: A Survey of Advanced Android Detection Evasion Tactics

Android’s rise to one of the world’s most popular operating systems has expanded its reach to billions of devices worldwide. This massive footprint is a beacon for malware developers who seek to exploit the personal data of its expansive and diverse user base. As with any operating system, Android threat actors aim to distribute their malicious software as widely as possible. Yet, the methodologies for spreading in the Android ecosystem differ significantly from those in traditional desktop environments, which historically have relied on worm-type malware for rapid propagation.

In mobile, application markets serve as a prime channel for reaching this objective, given their role in distributing billions of apps annually. However, a significant hurdle exists: to be listed on prominent platforms such as the Play Store, an app must satisfy specific criteria and undergo thorough screenings for signs of malware, both prior to and post-publication.
During our review of Android malware samples in these markets, we uncovered a multitude of evasion techniques designed to circumvent both static and dynamic detection mechanisms. From simple yet clever methods like analyzing a device’s battery level to gauge its legitimacy, to sophisticated technical tactics employing Java reflection, obfuscation, encryption, steganography, and dynamic code loading, these tactics illustrate the evolving nature of modern mobile malware.
This survey presents a thorough examination of the most advanced detection evasion techniques utilized by several of the most notorious Android malware families, with the infamous Joker and Hydra families as key examples. Our in-depth analysis elucidates the evolving sophistication of these techniques and their implications for the security of the Android ecosystem. Through this detailed exploration, we aim to provide insights that can aid in the development of more robust defense mechanisms to protect against such insidious software threats.

About the Speaker:

Dimitrios is a cybersecurity professional with expertise in mobile, web, and network penetration testing. He holds a degree in Computer Science, majoring in Cryptography and Security, and has worked with top companies like Microsoft and Google. He is a frequent speaker at prominent security conferences such as BlackHat, Nullcon, Insomni’hack, and Troopers. He is passionate about reverse engineering and was a member of one of Greece’s first reverse engineering research groups.

Oliver Kunz

Library Sandboxing with SAPI 📖

The world is full of sandboxing solutions which serve different user scenarios. These solutions have in common that untrusted code should be executed in a contained environment. What if your code depends on a third-party library that you want to contain? Instead of sandboxing the entire binary, with SAPI the sandbox can be shrunk down to the specific library.

SAPI is an open-sourced sandboxing solution by Google. The underlying sandboxing layer is Sandbox2 (also open-sourced). It uses Linux kernel features to create the sandbox (namespaces, seccomp-bpf syscall filter). While Sandbox2 will execute the entire binary inside the sandbox, with SAPI we have designed a solution which shrinks the sandbox footprint to only the library of concern.
The benefit of SAPI is that the many syscalls that would need to be allowlisted when executing the entire binary in Sandbox2 are now reduced to only the syscalls needed by the library of concern. This makes it easier to reduce the kernel’s interface to the minimum, and it also makes the syscall filter easier to manage.
This talk will give the attendees an introduction to SAPI, explain how it works and ultimately how a sandboxed API is used.

About the Speaker:

Oliver is a Security Engineer with over 10 years of experience in consultancy, penetration testing, and security design. He is currently working at Google, focusing on securing third-party libraries used by developers.

Jordan Santarsieri

Attacking & Defending SAP Systems – A purple team Introduction to the Main Financial System in the World

SAP systems are the backbone of many organizations and the main financial system in the world. According to SAP, 77% of the world’s transaction revenue touches an SAP system!
But despite their significance, SAP security is often misunderstood and overlooked by information security professionals due to highly complex architecture and a steep learning curve.
This session aims to provide a highly technical introduction to SAP penetration testing, shedding light on the unique challenges posed by SAP’s complex architecture, extensive modules, and proprietary protocols.
We will explore common vulnerabilities, demonstrate potential attack vectors, assist live exploitations and learn how to implement mitigation techniques.
Attendees will gain insights into the intricacies of SAP environments and learn why traditional approaches to penetration testing may fall short, underscoring the importance of incorporating SAP security into a comprehensive risk management strategy protecting this highly valuable target.

About the Speaker:

Mr Santarsieri is a founding partner at Vicxer, where he utilizes his 16+ years of experience in the security industry to bring top-notch research into the ERP (SAP / Oracle) world.
He is engaged in a daily effort to identify, analyze, exploit and mitigate vulnerabilities affecting ERP systems and business-critical applications, helping Vicxer’s customers (Global Fortune-500 companies and defense contractors) to stay one step ahead of cyber-threats.
Jordan has also discovered critical vulnerabilities in Oracle, IBM and SAP software, and is a frequent speaker at international security conferences such as Black-Hat, Insomnihack, YSTS, Auscert, Sec-T, Rootcon, NanoSec, Hacker Halted, OWASP US, Infosec in the city, Code Blue and Ekoparty.

Valter Santos and João Batista

Socks5Systemz: Taking over a Proxy Botnet

In October 2023, while investigating PrivateLoader and Amadey, two loaders frequently employed by threat actors to distribute malware and build their botnets, Bitsight TRACE researchers uncovered a proxy malware dubbed Socks5Systemz. In this talk we will present the outcomes of our research that led to the ultimate takeover of a botnet composed of more than 250,000 infected systems and the temporary disruption of a main “Residential Proxy Service” that was supported by it.


We’ll dive into the discovery of one of the most pervasive botnets operating in today’s malware ecosystem, spanning nearly every country on the globe, including Russia, but operating under the radar for at least the last seven years. We’ll unpack the initial triggers that led to its detection, followed by an in-depth look at the malware’s architecture, its command-and-control (C2) infrastructure, communication channels, and global distribution. You’ll gain a behind-the-scenes view of how we took control of a segment of this C2 infrastructure, and how collaboration with industry partners enabled us to dismantle remaining elements outside our reach, gaining full visibility and disrupting the service that operated the botnet.

About the Speaker:

Valter is a Principal Threat Researcher at Bitsight, experienced in digital forensics, incident response and intelligence. For the last 10 years, his focus has been understanding the malware ecosystem to collect compromised systems telemetry at scale. Valter is a member of the Europol EC3 Advisory Group for Internet Security.

João is a Senior Threat Researcher at Bitsight with experience in penetration testing, malware analysis, and incident response. Currently, he focuses on tracking malware botnets and threat actors while continuously exploring new ways to collect botnet telemetry at scale. As a member of the Cryptolaemus team, he collaborates with security researchers to monitor emerging threats and provide insights into botnet infrastructure and malware campaigns.

Vítor Ventura

Android targeted dynamic vulnerability research.

Most vulnerability research starts from potentially vulnerable code and moves forward towards finding that piece of code. However, from time to time, research needs to be done backwards. To make the research even harder, sometimes you can’t count on support from a vendor, since there is no vulnerability confirmed. In this use case, from the technical point of view, this vendor implements vetting methods that make it difficult to anonymously create user accounts that can be used on the application to test the PoC code. On the other hand, several mechanisms, including extensive logging, are likely to shut down application access, thus preventing testing.
With all of this in mind, this presentation is about vulnerability research on Android applications’ native code libraries using dynamic analysis. The use case is a popular Android chat application where I intended to prove a vulnerability without being able to test it on the fully working version of the vulnerable software. After several failed approaches, oddly enough, I used the popular Android malware application wrapping technique to bypass user registration and be able to perform dynamic tests. However, before that I needed to find the location of the potentially vulnerable code, followed by ensuring that the execution path leads to that piece of code while bypassing anti-analysis techniques. In a mix of reverse engineering, exploit analysis and code development, it was possible to test the actual vulnerable code without ever creating a user in the platform. Once the code was reached, the public PoC needed to be tested and tweaked to affect our targeted version. This required vulnerability analysis and exploit analysis, which culminated in the adaptation of the public PoC to the targeted version. The presentation will end with a generalization of the use case, showing how this technique can be used to perform vulnerability research on any kind of Android application when there is a very specific target inside the application.

About the Speaker:

Vitor Ventura is a Cisco Talos security researcher and manager of the EMEA and Asia Outreach team. As a researcher, he has investigated and published various articles on emerging threats and on biometric authentication, both in face recognition and fingerprinting. Most of the day Vitor is hunting for threats and reversing them, but also looking for the geopolitical and/or economic context that better suits them. Vitor has spoken at conferences like LabsCon, VirusBulletin, CARO, NorthSec, Recon, Recon Brussels, Defcon’s Recon Village and Crypto and Privacy Village, BSides Lisbon and Dublin, among others. Prior to that he was IBM X-Force IRIS European manager, where he was the lead responder on several high profile organizations affected by the WannaCry and NotPetya infections. Before that he did penetration testing at IBM X-Force Red, where Vitor led flagship projects like Connected Car assessments and ICS security assessments, and custom mobile devices, among other IoT security projects. Vitor holds a BSc in Computer Science and multiple security related certifications like GREM (GIAC Reverse Engineer Malware) and CISM (Certified Information Security Manager).

Yousif Hussin

Rise & Fall of a CPU Zero-Day: Inside Google’s Discovery & Remediation of a Critical CPU Vulnerability

Just as Vulnerability Research is an important area of focus at Google, so is Vulnerability Response to critical and complex vulnerabilities, including novel discoveries affecting the CPUs. These responses not only safeguard the security of Google’s products and users but also extend their reach to millions of devices connected to the Internet, in certain instances, including the case I’m going to share here in detail.
In this talk, I’d like to go through a recent incident at Google, in deep technical detail, in which I was the global lead. The incident involves the discovery by a Google security researcher of a critical CPU vulnerability (Reptar) and the extensive remediation efforts across all of Google’s products and systems.
The incident presented a confluence of intriguing technical challenges and unique operational complexities. I plan to elaborate on the strategies employed by Google to address these challenges effectively, emphasizing the time constraints and pressures under which we operated.

About the Speaker:

I’m a Security Engineer at Google, currently specializing in remediating critical software vulnerabilities, and I lead global teams in the engagements addressing vulnerabilities in all of Google’s products. I’m also part of the team managing Google’s Bughunter Vulnerability Rewards Program.
I’ve been a security professional since 2007, and in the past 8 years I’ve been mostly focusing on development of security tooling, incident response, forensics, malware analysis and working with developers on how to address security vulnerabilities. I worked at Apple, Microsoft, Meta and now Google.

Diogo Lemos

Turnkey Code – Enhancing Secrets Management in Large Scale Organizations

This talk will explore the implementation and benefits of secrets scanning tools, addressing challenges and solutions for managing secrets effectively across large organizations. It will include insights from real-world implementations, focusing on reducing false positives, managing secrets in multiple repositories, and integrating security measures into CI/CD pipelines.

In this talk, Diogo Lemos will explore the concept of ‘Turnkey Code’ as a metaphor to emphasize the crucial role of integrating secrets directly into code with security in mind. He will discuss the implementation and benefits of secrets scanning tools that check for sensitive information across code bases and git histories. The presentation will delve into the challenges and solutions for reducing false positives, managing secrets in multiple repositories, and creating unique hashes for sensitive files. Additionally, Diogo will share his experiences in integrating these tools into CI/CD pipelines, maintaining dashboards, and developing a security scoring system to effectively triage issues.

Key Takeaway: Learn how to effectively integrate advanced secrets scanning tools into CI/CD pipelines, reducing false positives and managing sensitive data across multiple repositories, with real-world insights from implementing these solutions at scale.

About the Speaker:

Diogo Lemos is an Application Security Engineer with extensive experience in developing and managing security solutions. His professional journey began at Checkmarx, where he built security products, and subsequently advanced to Flutter Entertainment. At Flutter, Diogo not only implemented these products but also gained the freedom to develop and tailor them to meet specific organizational needs. His expertise includes automating security processes, optimizing scanning programs, and spearheading cloud security initiatives. Diogo is also an active contributor to various open-source security projects and has a solid record of speaking at industry conferences, including talks on SAST and SCA solutions at Flutter and other venues.

João Godinho

Weaponized Ads: A Stealer in Plain Sight 📖

This presentation explores a recent and active malvertising campaign that disguises itself as legitimate software to deliver a malicious stealer payload. We will conduct a technical analysis of the campaign, starting with the infection chain – from a fake ad to an infostealer – and then examine how attackers have set up their infrastructure to evade detection. The talk will conclude with an overview of the attackers’ activity in recent months.

In April 2024 we identified suspicious activity from a binary named notion.exe, which triggered an investigation into its origin. Our research revealed that the binary was coming from phishing websites targeting Discord, Notion, Slack and Zoom users. These phishing websites provided a fake installer that ultimately dropped LummaStealer.
Upon further research we discovered that the infection chain was more intricate than expected: it began with sponsored links, followed by a redirect chain to a phishing website. Users would then download a fake installer, which would communicate with an intermediate C2 to fetch a malicious script. This script downloaded a dropper that would then fetch the final infostealer payload.
Even though the entire infection chain process was governed by IP and computer UUID whitelisting, OPSEC failures on the attackers’ part allowed us to gain visibility into their infrastructure. This revealed alarming data on their activities, including a concerning number of potential daily infections.
By the end of this talk, attendees will gain a deeper understanding of how attackers are leveraging ad networks to target unsuspecting victims while avoiding detection by researchers.

About the Speaker:

João Godinho is a Security Researcher with 10 years of experience in the cyber field. He is currently part of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, focusing on tracking and uncovering APT and Crimeware activities. When he’s not hunting malware you might find him flying or hacking stuff.

Antonis

Tales of a Malspam Campaign from a Threat Actor's Perspective

Have you ever wondered about the “hard work” that threat actors put into executing a malware campaign? This talk explores the intricate efforts, time, and financial resources needed to target thousands of email addresses and infect businesses and organizations globally. We will delve into the behind-the-scenes steps taken by a threat group that targeted over 62,000 business email addresses in the United States and Australia.

About the Speaker:

Antonis Terefos is a malware reverse engineer at Check Point Research with experience in the cyber threat landscape. He passionately reverse-engineers malware and automates malware extraction processes. In his spare time, he enjoys testing malware command and controls, adding depth to his understanding of cyber threats & their operators.

Marina Bochenkova

From Buzzword to Battlefield: The Cybersecurity Challenges of Smart Cities

“Smart City” has been a trendy buzzphrase used by politicians, city planners, and tech companies for over a decade now — but no one can fully agree on what it means. As a result, there exists no standardized, universal framework for planning, designing, building, or securing them.

Shiny promises of Smart City futures gloss over stakeholder management, supply chain risks, human hazards, and data management. Downtime and damages in municipalities due to cyberattacks regularly make the news, but we focus primarily on securing and recovering IT systems. Smart Cities by nature use a combination of IT and OT systems but have no established or holistic approach for managing overlapping risks to both. The consequences to security from public, private, academic, and individual involvement in Smart City planning and implementation go unexamined.

Smart Cities present a ubiquitous and unique combination of risks which must be comprehensively assessed in order to improve procedural and operational security, reliability, and resilience. By reframing our understanding of what Smart Cities are, we can use and integrate pre-existing actionable strategies to prepare and defend against threats ranging from pandemics to nation-state attacks. As politically motivated cyberattacks expand in reach and collateral radius, we need to prepare our cities for when they become the next battlefield.

This talk aims to expand our definition of Smart Cities; detail the data, human, and technological risks that they face; show what a secure Smart City might look like; and share resources on how to get there.

About the Speaker:

Marina wears many hats as a cybersecurity analyst focusing on digital forensics, incident response, and OT security, while also dabbling in security awareness and culture. She combines a passion for protecting people, a strong belief in digital privacy as a human right, and an overly-enthusiastic approach to problem-solving. When not defending digital spaces, Marina actively nurtures her already-unhealthy obsession with cats and resorts to baking or martial arts when desperate.