Last week, Blueliv was invited to participate in the fourth edition of EuskalHack in San Sebastián.
Geared towards sharing information, the event hosted presentations on new discoveries, personal projects and tools from different disciplines within cybersecurity. These covered both red team and blue team activities: sharing knowledge about protecting our systems, as well as tools and techniques to improve malware analysis and attack investigation processes.
Below we highlight some of the key talks from EuskalHack.
Carlos Hernandez offered his insight into accessing forbidden areas in some videogames. He showed us that, using scripts, the position of the character can be changed, and this can be used to reach hidden areas. Because these changes are made on the client's side, the talk underlined the importance of validating all data on the server side, and of sending the client only the information it strictly needs.
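The server-side validation the talk argues for, as an added example (not code from the talk or from Blueliv): a hypothetical 2D game server keeps the authoritative player position and accepts a client-reported move only if it is physically plausible for the elapsed time, does not end in or pass through a wall, and does not enter an area the player has not unlocked. The map, the speed limit and the `Player` model are constructed for the example.

```python
"""Server-side validation of client-reported movement (added example).

Hypothetical game model: a 2D grid map with walls ('#') and a locked
area ('L'). The server owns the position; the client only *requests*
a move, and the server decides whether it is acceptable.
"""
from dataclasses import dataclass
import math

# Constructed map for the example: '#' wall, 'L' locked area, '.' walkable
MAP = [
    "##########",
    "#........#",
    "#..####..#",
    "#..#LL#..#",
    "#..####..#",
    "#........#",
    "##########",
]
MAX_SPEED = 3.0  # units per second; a hypothetical game constant


@dataclass
class Player:
    x: float
    y: float
    last_tick: float                 # server timestamp of the last accepted move
    unlocked_areas: frozenset = frozenset()   # area tags the player may enter


def tile_at(x: float, y: float) -> str:
    """Map lookup; anything outside the map is treated as a wall."""
    row, col = int(y), int(x)
    if not (0 <= row < len(MAP) and 0 <= col < len(MAP[0])):
        return "#"
    return MAP[row][col]


def validate_move(player: Player, new_x: float, new_y: float, now: float):
    """Return (accepted, reason). Nothing the client sends is trusted."""
    dt = now - player.last_tick
    if dt <= 0:
        return False, "non-monotonic timestamp"

    # Plausibility: the character cannot have moved faster than MAX_SPEED.
    dist = math.hypot(new_x - player.x, new_y - player.y)
    if dist > MAX_SPEED * dt:
        return False, "teleport: moved %.1f units in %.2fs" % (dist, dt)

    # Destination checks: walls and areas the player has not unlocked.
    tile = tile_at(new_x, new_y)
    if tile == "#":
        return False, "wall"
    if tile == "L" and "L" not in player.unlocked_areas:
        return False, "locked area"

    # Path check: sample the straight line so the move cannot clip through a wall.
    steps = max(1, int(dist * 4))
    for i in range(1, steps + 1):
        px = player.x + (new_x - player.x) * i / steps
        py = player.y + (new_y - player.y) * i / steps
        if tile_at(px, py) == "#":
            return False, "path through wall"
    return True, "ok"


def apply_move(player: Player, new_x: float, new_y: float, now: float):
    """Apply the move only if validation passes; otherwise keep the server state."""
    ok, reason = validate_move(player, new_x, new_y, now)
    if ok:
        player.x, player.y, player.last_tick = new_x, new_y, now
    return ok, reason


if __name__ == "__main__":
    p = Player(1.5, 1.5, 0.0)
    print(apply_move(p, 2.5, 1.5, 1.0))   # (True, 'ok')
    print(apply_move(p, 8.5, 5.5, 1.5))   # rejected: teleport
    q = Player(2.5, 3.5, 0.0)
    print(apply_move(q, 4.5, 3.5, 1.0))   # rejected: locked area
```

The rejection reasons are what a server would log: repeated "teleport" or "path through wall" rejections from one session are a useful detection signal for client-side tampering, independent of whether the client was modified with a script or a memory editor.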
A particularly fascinating talk from Juan A. Calles and Jesús Alcalde discussed QUIC, an emerging web protocol, its advantages and the level of security it deploys. This protocol will allow us to share information more quickly and more securely in the future, and some of the biggest companies, like Google, are investing in it and adapting their systems to use it. The talk encouraged us to start looking into this protocol and its advantages.
An information-stealing technique based on creating a proxy to a legitimate page was presented by Michele Orru and Giuseppe Trotta. The proxy modifies the code sent to the client to avoid or trick browser verifications, and if the proxy uses a valid certificate, the user must perform more checks and be more careful than usual to detect and avoid it. Because the proxy serves the content of the legitimate server, this is a harder-to-spot form of Man-in-the-Middle (MiTM) attack that captures the victims' personal information or credentials.
Joxean Koret (@matalaz) talked about malware clustering, comparing different fuzzy hashing tools, and then explained his own take on the matter and how some of the tools he has developed (you can find them here) work and use this technique.
The second day started with a talk by Blueliv. We presented our research into Formbook, carried out by Victor Acin and Borja Rodriguez from our Labs team. The presentation explained the malware reversal process and some key intelligence from the campaign.
Josep Moreno presented a number of techniques used by cybercriminals and security analysts to bypass the checks performed by some of the most widely used WAFs on the Internet by encoding the payload. Evading these checks enables cybercriminals to inject code into the server, which can let them gain access to it, add malicious code to it or extract information. There are currently several ways to detect these techniques, but cybercriminals are always searching for new ways to bypass them, so this kind of research is always useful as a reminder of the state of security in this field.
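The defensive lesson behind that talk, as an added example (not code from the talk or from any real WAF): a signature that is matched against the raw request misses the same content once it is URL-encoded, double-encoded, written as HTML entities, padded with encoded whitespace or spelled with fullwidth Unicode characters, while the same signature matched after canonicalisation catches all of them. The signatures, the decoding-round limit and the sample requests are constructed for the example and deliberately minimal.

```python
"""Normalise before inspecting: a minimal WAF-style check (added example).

Hypothetical, simplified detection logic. The point demonstrated is
that signature matching on the raw value misses encoded variants,
while matching after canonicalisation does not.
"""
import html
import re
import unicodedata
from urllib.parse import unquote

# Constructed signatures, kept deliberately small for the example.
SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (
    r"<\s*script\b",
    r"\bunion\b\s+(?:all\s+)?select\b",
)]
MAX_DECODE_ROUNDS = 3   # bound on layered decoding; assumed limit, not a standard


def canonicalize(value: str) -> str:
    """Undo layered encodings until the value stops changing, then normalise."""
    current = value
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)          # %XX percent-encoding
        decoded = html.unescape(decoded)    # &#60; and named entities
        decoded = decoded.replace("\x00", "")
        if decoded == current:
            break
        current = decoded
    current = unicodedata.normalize("NFKC", current)   # fullwidth -> ASCII etc.
    return re.sub(r"\s+", " ", current).lower()


def naive_match(value: str) -> bool:
    """Signature check on the raw value, as a weak filter would do it."""
    return any(s.search(value) for s in SIGNATURES)


def normalized_match(value: str) -> bool:
    """Signature check after canonicalisation."""
    return naive_match(canonicalize(value))


# Constructed sample request fragments for the comparison.
SAMPLES = {
    "plain": "<script>alert(1)</script>",
    "url_encoded": "%3Cscript%3Ealert(1)%3C/script%3E",
    "double_encoded": "%253Cscript%253E",
    "html_entities": "&#60;script&#62;",
    "fullwidth": "\uff1cscript\uff1e",
    "tab_between": "UNION%09SELECT 1,2",
    "benign": "search?q=new+books",
}


def compare(samples=SAMPLES):
    """Map each sample to (raw match, normalised match)."""
    return {name: (naive_match(v), normalized_match(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (raw, norm) in compare().items():
        print(f"{name:15s} raw={raw!s:5s} normalised={norm!s}")
```

The decode loop is bounded so that a request cannot make the filter spin, and it stops as soon as a round changes nothing; in a real deployment the same canonical form should also be what the application itself sees, otherwise the filter and the backend can still disagree about the request.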
In this industry, collaboration is key, and a hivemind of professionals sharing intelligence is infinitely better than siloing ourselves company by company.
We look forward to being at the event again next year. If you want further information on the malware we presented, please click through here.