DeepSec 2025 Talk: Catching WordPress 0-Days on the Fly – Ananda Dhakal

Sanna / October 9, 2025 / Conference

WordPress powers over 40% of the web, making its plugin ecosystem a prime target for attackers. While security researchers manually audit plugins for vulnerabilities, the ever-growing number of third-party extensions makes this approach inefficient. What if we could find all the vulnerabilities right after developers publish them? In this talk, we introduce a research-driven methodology for identifying 0-day vulnerabilities in WordPress plugins using static code analysis. We will showcase how we built a tool that continuously monitors the WordPress Plugin Repository via its SVN system, detects newly pushed code or change sets in real-time using multi-threading, and flags potentially dangerous patterns. By leveraging static analysis, the tool identifies sensitive functions and automatically alerts researchers when risky code is introduced. We will dive into the inner workings of this automation, discuss the challenges of scaling

DeepSec 2025 Talk: From Firewalls to Fragmentation: Identifying Adversarial Traffic in a Politically Divided Internet – Vladimer Svanadze

Sanna / October 8, 2025 / Conference

This talk presents a multidimensional analysis of Internet fragmentation, examining how political, technical, economic and cybersecurity factors are converging to break apart the global Internet. While often viewed through a policy lens, fragmentation has real-world implications at the packet level. We introduce a lightweight, rule-based detection model capable of identifying fragmented, mis-configured and adversarial IP/UDP traffic. Built upon RFC 791 semantics, the model analyzes packet offset alignment, TTL discrepancies and payload irregularities to classify traffic without reliance on machine learning. Through controlled experiments using synthetic fragmented traffic, we show how fragmentation behaviors map directly to geopolitical and cybersecurity-driven disruptions. This session will bridge the gap between global governance debates and low-level protocol behaviors, offering tools and insights for analysts, researchers and defenders navigating an increasingly segmented digital landscape. We asked Vladimer a few more

DeepSec 2025 Talk: Predicting IOCs with Historical Analysis – Josh Pyorre

Sanna / October 7, 2025 / Conference

What does looking at the history of malware, threat actors, and related network infrastructure tell us about the future? Are there unexpected connections to be found to help us not only find attribution, but potentially discover what to block, what to watch out for, and even predict where the next threat will be? Through the analysis of historical data of various malware variants, focusing primarily on ransomware, I will show the relationships of infrastructure and other indicators of compromise in an attempt to develop a mechanism for predicting how and where future threats might operate. This presentation will discuss the methods of collecting data and finding connections, and will help the attendees apply these results to their threat modeling and mitigation practices. We asked Josh a few more questions about his talk. Please tell

DeepSec 2025 Talk: Man-In-The-Service: Truly OpSec Safe Relay Techniques – Tobia Righi

Sanna / October 4, 2025 / Conference

Recently, due to EDRs, it has become harder and harder to abuse credential access by dumping LSASS after compromising a Windows server and gaining local administrator on it. So, many red-teamers, pentesters and APTs have moved towards a stealthier way of abusing credential access by relaying such credentials in real time to other mis-configured servers in the network. Gaining administrative access to a server can be quite helpful in this; however, all current techniques are not very effective and/or require complete or partial disruption of existing Windows services, making them not very opsec safe. Introducing RelayBox, a new technique to perform a Man-In-The-Service attack. Using RelayBox, an attacker is able to place themselves in between a legitimate Windows service and its clients, relaying valid authentication attempts without any disruption to the service’s usability. This creates a transparent proxy

DeepSec 2025 Talk: ∞ Day at Scale: Hijacking Registrars, Defeating 2FA and Spoofing 17,000+ Domains Even with DMARC – Alessandro Bertoldi

Sanna / October 3, 2025 / Conference

What happens when a registrar is the weakest link in your security chain? This talk reveals how systemic failures in credential recovery, 2FA bypass, and email spoofing allow persistent exploitation—even when domains have SPF, DKIM, and DMARC p=reject properly configured. Based on real-world research conducted between 2018 and 2025, we present ∞-day (forever-day) vulnerabilities affecting over 17,000 domains—including cross-tenant spoofing in N-Able Mail Assure and flaws in Register.it’s identity recovery procedures. We’ll show full control over customer panels with zero credentials, using only PDF forms and social engineering. We’ll also propose a concrete solution: a Reliability Scoring System for registrars and a “Green Check” trust mark for end users, integrated with RDAP and aligned with the NIS2 directive. This talk challenges assumptions about authentication, identity, and trust in Internet infrastructure—and offers both attack and

DeepSec 2025 Talk: Machine Learning Poisoning: How Attackers Can Manipulate AI Models for Malicious Purposes – Shahmeer Amir

Sanna / October 2, 2025 / Conference

The use of machine learning and artificial intelligence has been on the rise in various industries, including the field of cybersecurity. These technologies have shown great potential in detecting and mitigating cyber threats, but they also come with their own set of risks. One of the most significant risks is the threat of machine learning poisoning attacks. Machine learning poisoning attacks involve an attacker manipulating the data or the learning algorithm used by an AI model to compromise its accuracy or functionality. This type of attack is particularly dangerous because it can go undetected for a long time, and it can be challenging to trace its origins. A successful poisoning attack can result in the AI model making incorrect decisions, which can lead to a security breach or data loss. The session will cover

DeepSec 2025 Talk: Breaking Into OT Environments: Exploiting Vulnerabilities to Compromise Critical Infrastructure – Avanish Pathak

Sanna / October 1, 2025 / Conference

In this session, we’ll delve into how attackers systematically exploit weaknesses in Operational Technology (OT) systems to compromise critical infrastructure. OT systems—including building management systems (BMS), access control systems (ACS), and surveillance networks (CCTV)—are the backbone of many critical sectors, managing everything from facility operations to security and environmental controls. Despite their importance, these systems are often neglected in cybersecurity frameworks, making them prime targets for exploitation. We’ll explore real-world attack vectors and strategies used by adversaries to infiltrate OT environments, focusing on how they gain control over critical systems. Through a real-world example, I’ll demonstrate how I successfully gained unauthorized access by chaining faulty configurations to compromise a building management system (BMS). We’ll break down how attackers exploit common entry points, escalate privileges, and disrupt operations. Additionally, we’ll examine how adversaries move laterally

DeepSec 2024 Talk: Executive Breach Simulation Toolkits – Pavle Bozalo, Aron Feuer & Matias Ulloa

Sanna / November 16, 2024 / Conference

As cyberattacks multiply and become more sophisticated, executive breach simulation toolkits have become essential. Enabling organizations to simulate, predict, and assess the impact of potential security breaches from an executive perspective is necessary to know how to keep organizations safe. Unfortunately, simulations are broken. Simply put, they don’t properly prepare leaders and security practitioners for security breaches. This talk will look at the evolving landscape of breach simulation toolkits designed for security practitioners, focusing on their role in enhancing cybersecurity strategies, incident preparedness, and organizational resilience. We will see how simulations can be engaging, while remaining instructive and preparing people for actual cyber events. We’ll discuss how these toolkits work, why they’re essential for making smarter business decisions around cybersecurity, and how they help align leadership with technical teams. Real-world examples will show how

DeepSec 2024 Talk: The Malicious Bloodline Inheritance: Dissecting Deed RAT and Blood Alchemy – You Nakatsuru, Kiyotaka Tamada & Suguru Ishimaru

Sanna / November 15, 2024 / Conference

ShadowPad is a particularly notorious malware family used in Advanced Persistent Threat (APT) campaigns since 2017. ShadowPad use spread to various groups beginning in 2019, and a ShadowPad builder was disclosed in June 2024. One reason ShadowPad has garnered so much attention from security researchers is that it is an advanced, modular, fileless RAT with a complex structure that is difficult to analyze. In July 2023, Deed RAT was published by Positive Security as a variant of ShadowPad. Furthermore, Blood Alchemy malware was also discovered as another variant of Deed RAT in April by ICI, with evidence such as unique data structures, malware configurations, loading schemes, and code similarities. However, important features of both Deed RAT and Blood Alchemy, such as the C2 communication scheme, loading additional modules, and details of backdoor commands,

DeepSec 2024 Talk: Modern vs. 0ld Sk00l – Seth Law

Sanna / November 3, 2024 / Conference

The development landscape includes an ever-changing set of security practices. It has finally become standard practice to perform penetration testing, run threat modeling, teach developers about security, push left, and have zero trust. This shows the industry is better off today than in previous years. Or does it? Get a taste for the actual history of security and why everything old is new again. See security failures as they existed in years past and how they still exist in modern examples from the last year. Finally, explore the strategies that effectively catch these problems early in the development lifecycle without spending a fortune on security snake oil. We asked Seth a few more questions about his talk. Please tell us the top 5 facts about your talk. Modern vs. 0ld 5k00l is a comparison

DeepSec 2024 Talk: The Tyrant’s Toolbox – Julian & Pavle B.

Sanna / October 30, 2024 / Conference

Social media, and our communications systems, have devoured any semblance of privacy, putting the eyes and ears of authoritarian and wannabe fascist types into the pockets of each of us; radically erasing whatever distance once existed between those who exercise authority and the human objects of their control, both at home and abroad. As Professor Ronald J. Deibert, founder of Citizen Lab, eloquently highlights in his book “Reset: Reclaiming the Internet for Civil Society”: “…recent years have brought about a disturbing descent into authoritarianism, fueled by and in turn driving income inequality in grotesque proportions the rise of a kind of transnational gangster economy.” As we continue our descent into a global madness fueled by AI, spyware, algorithms, and misinformation, tyrants around the world continue to expand their toolbox. Through our talk, we examine

DeepSec 2024 Talk: AI’s New Era: Impacts on Health Data Security and Beyond – Sina Yazdanmehr & Lucian Ciobotaru

Sanna / October 21, 2024 / Conference

It has become easier to create AI systems because of the availability of many options and datasets. These AIs can quickly gain expert knowledge in different domains, enabling attackers to exploit scientific knowledge and target system and data security in ways that were not workable before. Although recent studies have highlighted these impacts, a tangible example has been missing. For instance, attackers can use AI’s expert knowledge in the healthcare sector to perform complex attacks without needing domain expertise. Earlier this year, Google launched Health Connect, an Android app designed to share data seamlessly between medical and fitness apps, intended to replace Google Fit. While Health Connect is robust against conventional cyberattacks, it is susceptible to these emerging threats. In this talk, we will show an example of these threats by explaining a malicious

DeepSec 2024 Talk: Windows Defender Internals – Baptiste David

Sanna / October 17, 2024 / Conference

Microsoft Defender Antivirus (aka Windows Defender) is an antivirus deployed worldwide and enabled by default on every Windows installation out of the box. We all use it, but who knows exactly how it really works? What is inside this software trusted by many people and companies across the world? This talk is the first one providing such a view of Windows Defender internals, from kernel mode to user mode, based on extensive reverse engineering research work. With the recent worldwide BSOD caused by CrowdStrike’s antivirus, it matters to understand how an antivirus works, what it really monitors, and how some designs are prone to error or security issues. During this talk, we see that such highly privileged software is just another Deus Ex Machina, not only for regular malware analysis but also for many security features on Windows. This

DeepSec 2024 Talk: Insights on Client-Side Scanning and Alternatives in the Fight Against Child Sexual Abuse and Exploitation – Carolyn Guthoff

Sanna / October 16, 2024 / Conference

Content Warning: This talk may include mention of child sexual abuse and exploitation. In this talk, we want to summarize our research into Client-Side Scanning (CSS) and follow-up work on safety in end-to-end encrypted messaging concerning sexual risks. Client-Side Scanning (CSS) is discussed as a potential solution to contain the dissemination of child sexual abuse material (CSAM). A significant challenge associated with this debate is that stakeholders have different interpretations of the capabilities and frontiers of the concept and its varying implementations. In the current work, we explore stakeholders’ understandings of the technology and the expectations and potential implications in the context of CSAM by conducting and analyzing 28 semi-structured interviews with a diverse sample of experts. We identified mental models of CSS and the expected challenges. Our results show that CSS is often

DeepSec 2024 Talk: Detecting Phishing using Visual Similarity – Josh Pyorre

Sanna / October 10, 2024 / Conference

Current phishing detection methods include analyzing URL reputation and patterns, hosting infrastructure, and file signatures. However, these approaches may not always detect phishing pages that mimic the look and feel of previously observed attacks. This talk explores an approach to detecting similar phishing pages by creating a corpus of visual fingerprints from known malicious sites. By taking screenshots, calculating hash values, and storing metadata, a reference library can compare against newly crawled suspicious URLs. By combining fuzzy searches and OCR techniques with other methods, we can identify similar matches. We asked Josh a few more questions about his talk. Please tell us the top 5 facts about your talk. In security, URL block lists are widely used, but I rarely see people utilizing a database of visual information to hunt for phishing attacks that
