2010, 2025

DeepSec 2025 Talk: The Anatomy of DragonRank: Understanding and Defending Against SEO-Driven IIS Compromises – Joey Chen

Sanna/ October 20, 2025/ Conference/ 0 comments

DragonRank, a sophisticated threat actor, primarily targets countries in Asia and a select few in Europe, utilizing deploy BadIIS malware across compromised IIS servers for SEO rank manipulation. In 2023, we already uncovered DragonRank’s commercial website, business model, and instant message accounts. So, what tactics did DragonRank use in these attacks, and most importantly, how can we defend against them? To answer these questions, we will first discuss how DragonRank compromised Windows IIS servers hosting corporate websites all around the world. Following that, we will discuss the advanced persistence methods employed by DragonRank including lateral movement, privilege escalation and deployment of BadIIS/PlugX in the system. Furthermore, we will explore the details of two unique real-life case studies used by the DragonRank actor from initial access to configuration IIS server to their profitable part. We

Read More

1710, 2025

DeepSec 2025 Talk: Déjà Vu with Scattered Spider: Are Your SaaS Doors Still Unlocked? – Andi Ahmeti & Abian Morina

Sanna/ October 17, 2025/ Conference/ 0 comments

LUCR-3 better known as Scattered Spider has surged back in 2025, pivoting its social-engineering playbook from last year’s casino breaches to fresh waves against the insurance, retail and aviation sectors. Within a single June week, LUCR-3 struck several insurers, disrupting airline back-office systems, and a spring ransomware campaign devastated big-box retailers. Still leveraging push-fatigue MFA bombing, SIM-swapping and help-desk impersonation, LUCR-3 now systematically abuses third-party IT providers to fan out across IaaS, SaaS and PaaS estates living off the land in cloud logs to stay invisible until ransom day. Permiso’s P0 Labs has been monitoring LUCR-3’s activities for over two years, documenting their evolving tactics, techniques, and procedures (TTPs). This session will delve into LUCR-3’s latest strategies and provide actionable insights for cloud defenders to detect and mitigate such threats effectively.   Andi Ahmeti

Read More

1610, 2025

DeepSec 2025 Talk: Fake News, Fake Pics: Securing Image Provenance in a Post-Quantum World – Maksim Iavich

Sanna/ October 16, 2025/ Conference/ 0 comments

With quantum computers on the horizon, today’s cryptographic defenses are running out of time. Fake news, deepfakes, and manipulated media already threaten digital trust, and quantum attacks will soon break the few remaining verification systems. Post-Quantum VerITAS is designed to secure digital content in both classical and post-quantum worlds, ensuring that image provenance remains verifiable even against adversaries with quantum capabilities. Our system combines lattice-based hash functions, post-quantum zk-SNARKs, and quantum-resistant digital signatures such as CRYSTALS-Dilithium. Unlike C2PA, which fails when images are modified or quantum attacks render its cryptography obsolete, Post-Quantum VerITAS provides a trustless, scalable, and quantum-secure solution. It enables real-time verification of images even after edits like cropping, resizing, or blurring, without requiring reliance on centralized authorities. In this talk, we will break down the cryptographic foundations of Post-Quantum VerITAS, demonstrate

Read More

1010, 2025

DeepSec 2025 Talk: Securing the Death Star: Threat Modeling in a Galaxy Far, Far Away…. – Coen Goedegebure

Sanna/ October 10, 2025/ Conference/ 0 comments

The Galactic Empire is on the verge of releasing its biggest, most valuable and most important asset: the Death Star. You, the newly appointed Chief Imperial Security Officer, are responsible for improving its security posture. The previous CISO was “let go” and now it’s your job to clean up their mess. Your boss, Darth Vader, is breathing heavily down your neck. He is not amused with the project already over budget in both resources and time, and security will only add to that. His unconventional yet persuasive leadership style convinces you to make this your top-most priority. How will you approach the massive task of securing the Death Star? This presentation will tell an untold story in the Star Wars universe in which the Death Star’s threats and mitigations were identified and prioritised before

Read More

0910, 2025

DeepSec 2025 Talk: Catching WordPress 0-Days on the Fly – Ananda Dhakal

Sanna/ October 9, 2025/ Conference/ 0 comments

WordPress powers over 40% of the web, making its plugin ecosystem a prime target for attackers. While security researchers manually audit plugins for vulnerabilities, the ever-growing number of third-party extensions makes this approach inefficient. What if we could find all the vulnerabilities right after developers publish them? In this talk, we introduce a research-driven methodology for identifying 0-day vulnerabilities in WordPress plugins using static code analysis. We will showcase how we built a tool that continuously monitors the WordPress Plugin Repository via its SVN system, detects newly pushed code or change sets in real-time using multi-threading, and flags potentially dangerous patterns. By leveraging static analysis, the tool identifies sensitive functions and automatically alerts researchers when risky code is introduced. We will dive into the inner workings of this automation, discuss the challenges of scaling

Read More

0810, 2025

DeepSec 2025 Talk: From Firewalls to Fragmentation: Identifying Adversarial Traffic in a Politically Divided Internet – Vladimer Svanadze

Sanna/ October 8, 2025/ Conference/ 0 comments

This talk presents a multidimensional analysis of Internet fragmentation, examining how political, technical, economic and cybersecurity factors are converging to break apart the global Internet. While often viewed through a policy lens, fragmentation has real-world implications at the packet level. We introduce a lightweight, rule-based detection model capable of identifying fragmented, mis-configured and adversarial IP/UDP traffic. Built upon RFC 791 semantics, the model analyzes packet offset alignment, TTL discrepancies and payload irregularities to classify traffic without reliance on machine learning. Through controlled experiments using synthetic fragmented traffic, we show how fragmentation behaviors map directly to geopolitical and cybersecurity-driven disruptions. This session will bridge the gap between global governance debates and low-level protocol behaviors, offering tools and insights for analysts, researchers and defenders navigating an increasingly segmented digital landscape. We asked Vladimer a few more

Read More

0710, 2025

DeepSec 2025 Talk: Predicting IOCs with Historical Analysis – Josh Pyorre

Sanna/ October 7, 2025/ Conference/ 0 comments

What does looking at the history of malware, threat actors, and related network infrastructure tell us about the future? Are there unexpected connections to be found to help us not only find attribution, but potentially discover what to block, what to watch out for, and even predict where the next threat will be? Through the analysis of historical data of various malware variants, focusing primarily on ransomware, I will show the relationships of infrastructure and other indicators of compromise in an attempt to develop a mechanism for predicting how and where future threats might operate. This presentation will discuss the methods of collecting data and finding connections, and will help the attendees apply these results to their threat modeling and mitigation practices. We asked Josh a few more questions about his talk. Please tell

Read More

0410, 2025

DeepSec 2025 Talk: Man-In-The-Service: Truly OpSec Safe Relay Techniques – Tobia Righi

Sanna/ October 4, 2025/ Conference/ 0 comments

Recently, due to EDRs, it has become harder and harder to abuse credential access by dumping LSASS after compromising a Windows server and gaining local administrator on it. So, many red-teamers, pentesters and APTs have moved towards a stealthier way of abusing credentials access by relaying such credentials in real-time to other mis-configured servers in the network. Gaining administrative access to a server can be quite helpful in this; however, all current techniques are not very effective and/or require complete or partial disruption of existing Windows services, making them not very opsec safe. Introducing RelayBox, a new technique to perform a Man-In-The-Service attack. Using RelayBox, an attacker is able to place themselves in between a legitimate Windows service, relay valid authentication attempts, without any disruption to the service’s usability. This creates a transparent proxy

Read More

0310, 2025

DeepSec 2025 Talk: ∞ Day at Scale: Hijacking Registrars, Defeating 2FA and Spoofing 17,000+ Domains Even with DMARC – Alessandro Bertoldi

Sanna/ October 3, 2025/ Conference/ 0 comments

What happens when a registrar is the weakest link in your security chain? This talk reveals how systemic failures in credential recovery, 2FA bypass, and email spoofing allow persistent exploitation—even when domains have SPF, DKIM, and DMARC p=reject properly configured. Based on real-world research conducted between 2018 and 2025, we present ∞-day (forever-day) vulnerabilities affecting over 17,000 domains—including cross-tenant spoofing in N-Able Mail Assure and flaws in Register.it’s identity recovery procedures. We’ll show full control over customer panels with zero credentials, using only PDF forms and social engineering. We’ll also propose a concrete solution: a Reliability Scoring System for registrars and a “Green Check” trust mark for end users, integrated with RDAP and aligned with the NIS2 directive. This talk challenges assumptions about authentication, identity, and trust in Internet infrastructure—and offers both attack and

Read More

0210, 2025

DeepSec 2025 Talk: Machine Learning Poisoning: How Attackers Can Manipulate AI Models for Malicious Purposes – Shahmeer Amir

Sanna/ October 2, 2025/ Conference/ 0 comments

The use of machine learning and artificial intelligence has been on the rise in various industries, including the field of cybersecurity. These technologies have shown great potential in detecting and mitigating cyber threats, but they also come with their own set of risks. One of the most significant risks is the threat of machine learning poisoning attacks. Machine learning poisoning attacks involve an attacker manipulating the data or the learning algorithm used by an AI model to compromise its accuracy or functionality. This type of attack is particularly dangerous because it can go undetected for a long time, and it can be challenging to trace its origins. A successful poisoning attack can result in the AI model making incorrect decisions, which can lead to a security breach or data loss. The session will cover

Read More

0110, 2025

DeepSec 2025 Talk: Breaking Into OT Environments: Exploiting Vulnerabilities to Compromise Critical Infrastructure – Avanish Pathak

Sanna/ October 1, 2025/ Conference/ 0 comments

In this session, we’ll delve into how attackers systematically exploit weaknesses in Operational Technology (OT) systems to compromise critical infrastructure. OT systems—including building management systems (BMS), access control systems (ACS), and surveillance networks (CCTV)—are the backbone of many critical sectors, managing everything from facility operations to security and environmental controls. Despite their importance, these systems are often neglected in cybersecurity frameworks, making them prime targets for exploitation. We’ll explore real-world attack vectors and strategies used by adversaries to infiltrate OT environments, focusing on how they gain control over critical systems. Through a real-world example, I’ll demonstrate how I successfully gained unauthorized access by chaining faulty configurations to compromise a building management system (BMS). We’ll break down how attackers exploit common entry points, escalate privileges, and disrupt operations. Additionally, we’ll examine how adversaries move laterally

Read More

0408, 2025

DeepSec 2025 Training: Becoming the Godfather of Threat Modeling – Mike van der Bijl

Sanna/ August 4, 2025/ Conference/ 0 comments

In the world of cybersecurity, there is always a threat lurking. Waiting in the shadows for the perfect moment to strike. You can sit back and relax and hope for the best and react when it’s too late… or before they even think about making a move, you can take control and see everything coming from miles away. In this session, you’ll dive deep into the art of threat modeling—an essential skill that allows you to anticipate risks, identify vulnerabilities, and develop a proactive defense strategy. Mike will guide you through the process and show you why threat modeling is an offer you simply can’t refuse. You’ll learn how to analyze threats with precision, build effective threat scenarios and develop a mindset that stays one step ahead of the attackers. Ultimately, you won’t only

Read More

0108, 2025

The Call for Papers for DeepSec 2025 has ended

René Pfeiffer/ August 1, 2025/ Administrivia, Call for Papers, Conference/ 0 comments

The call for papers for DeepSec 2025 has officially ended. We already reviewed most of the submissions, but now we will complete the conference schedule. Allow us some time to consider and review your content. As always, it is very hard to choose because of the high quality of your content. You are amazing.! If you are still interested in presenting at DeepINTEL 2025, then let us know. The deadline for DeepINTEL content has been extended. All contributions regarding threat intelligence, ongoing attacks, capabilities of adversaries, and proposals for defence are welcome!

2705, 2025

DeepSec 2025 Press Release: High threat level for IT security research. IT security is under attack from politics and hostility towards science.

Sanna/ May 27, 2025/ Conference/ 0 comments

Information technology is an integral part of computer science and therefore also of mathematics. Since 2007, the DeepSec conference in Vienna has brought together international researchers to discuss current threats, publish acute vulnerabilities and exchange knowledge on the defence of critical infrastructure. The increasing hostility towards science and the dismantling of US authorities that contribute to IT security are jeopardising the work and, therefore, also the results of the research groups. One consequence is a higher threat level for European companies. The DeepSec conference aims to counter this as a platform. Networks and data in the crosshairs Data may not be crude oil, but it is the driving force behind modern information technology. Digitalisation has made data via networks and services indispensable in many companies. Very few people today can go about their working

Read More

0505, 2025

DeepSec/DeepINTEL Conference Tickets available!

René Pfeiffer/ May 5, 2025/ Administrivia, Conference/ 0 comments

Easter is the traditional time for us to dust off the ticket shop and configure the next version. It is a bit more than just increasing the year and checking the dates because we need to check with the hotel venue and make sure that the tickets stay stable until November. You can take advantage of the early booking tariff. We have put some training session early selections online to assist you with planning this year’s education schedule. More trainings are currently under review. Please book as early as possible. It facilitates planning, and you will get a room at the conference hotel. There is a limited contingent of rooms available. If you wait too long, you probably can not find a room at the hotel. Vienna is beautiful, but being closer to DeepSec

Read More