DefCon has been around for 3 decades and is the one of the oldest hacker conventions and one of the largest globally. DefCon 31 was a great gathering, as always. While a lot of people figured this year would be all and ONLY about AI, there were plenty of other topics covered in depth. AI did have its own village, though, along with the voting, industrial control systems (ICS), red/blue team, mis/disinformation, social engineering, and many more, to allow for hands on experience in the most crucial areas of cybersecurity.
The DarkOwl team sent a number of analysts from our Darknet Services analyst team to advance their skills, keep up to date with the latest trends and topics, and of course practice their skills. This blog outlines some highlights from this year’s event, from our analysts eyes.
Remote Desktop Protocol (RDP) has always been an entry vector for attacks, namely ransomware. A pair of brilliant scientists from a Montreal organization, GoSecure, set up a RDP honeypot (PyRDP) to attract malicious actors to use it to study them. They studied actors for 3 years as the criminal actors used their platform in operations. PyRDP is open source and available on GitHub.
Using this tool, researchers and professionals can obtain actor credentials, operating system details, browser information, languages spoken, and more. The scientists openly stated they released this tool for free to put a dent in the current ransomware epidemic. DarkOwl analysts will implement PyRDP in operations where appropriate to do our part to reduce the ransomware epidemic.
RDP is a human process, and more targeted than some processes in cyber. While many parts of the criminal ecosystem can be automated and left to a machine, RDP and the actions to comb around a computer and its filesystem, exfil those, and then move on, all require humans.
Tool: PyRDP – https://github.com/GoSecure/pyrdp
Given the political climate and current world events, censorship online was a big topic. Russia, China, and Iran are all building their own internet, separate from the world grid. Additionally, these countries have their own apps equivalent to the western Facebook, Twitter/X, and Reddit. These apps are heavily promoted in the countries of concern to get a solid user base, making the transition from western apps to these authoritarian controlled and monitored apps easier. Russia’s Facebook equivalent is Vkontakte (VK), China has several platforms (Douyin in country is what TikTok is in the US), and Iran has iGap, which is a WhatsApp equivalent (these examples are not an exhaustive list). These efforts coming to fruition mean more isolation under authoritarians, and citizens who deal with lack of availability to information and education, truth, and global resources.
Interestingly enough, this panel couldn’t come to a resolution for this problem of censorship. It’s a tough issue which (like the rest of all things cyber) requires public and private partnerships (PPP) to effectively keep a society or country from becoming completely isolated from the world. The panel did highlight that sanctioning companies and individuals is not effective. If you turn off an internet service provider (ISP), such as Russia’s ROSTELECOM, this contributes to the malicious efforts to isolate – the citizens of Russia also lose access when you cut an ISP, so, this is quite damaging.
An interesting suggestion was to target individuals, including individual netblocks, versus taking an entire ISP offline. If you take only part of ROSTELECOM offline, and you are more precise, this does exert pressure on the malicious entity while preserving the access of individual residents of a country.
There is also a new treaty in progress attempting to combat cybercrime. The United Nations (UN) is negotiating this effort to try and assist with country and border agnostic policies to fight cybercrime while preserving digital rights and freedom, as well as internet access, more effectively to countries under authoritarian regimes. A timeline of the effort can be found here. DarkOwl analysts will monitor this developing cybercrime initiative by the UN for impacts in the space and see how they play out geopolitically. The last plea from this panel was that universities need to host TOR nodes to provide more access to TOR worldwide, as authoritarian and censorship creep continues.
Near field communication (NFC) is what powers all the contactless payment systems coming into banks and retailers today. The technology uses radio waves to conduct encrypted data to point of sale (or other appointed) devices. With any growing technology, there is a risk for fraud and abuse, which is what this talk spoke of. This is true of NFC payments, even though the data is encrypted.
Website HappyATMs[.]com sells parts that facilitate NFC for Point-of-Sale (POS) systems, vending machines, and of course ATMs, as does eBay. This means that malicious actors can buy these parts and use them in everyday efforts to steal data and finances. The vending machine pictured to the left was not part of this talk, but it was an exercise on the main floor to hack it. So the concepts continued and were reinforced all over Def Con – pretty cool!
Data from NFC can be intercepted – if a criminal positions themselves in range of the two devices, they can intercept the transmitted signals as well as record the data. This means financial details, PII, credentials, and more sensitive information used to conduct NFC transactions can be stolen and used maliciously. Actors can resell personal data, drain money from accounts, or impersonate the person from whom they intercepted the data.
NFC tags can also be manipulated, which leads to the distribution of malware. Criminals can create fake NFC tags or work with existing ones to distribute hidden payloads. If the unsuspecting person scans the NFC tag, the malware is downloaded and installed in a flash and can also steal personal information.
All the information procured by a malicious actor can be cloned, so they can use sensitive data they stole (or copied) to bypass security and MFA, impersonate someone else, and again steal sensitive data.
DarkOwl analysts can now track the models of ATMs, POS systems, and other hardware that have open vulnerabilities, and monitor talk for it on the DDW, Telegram, and Discord. We can also setup mentions of any actor using happyatms.com to track purchase data and build out the bad actor network. This was an enlightening talk that gave a lot of insight into current financial fraud and theft TTPs, which are always changing. Really happy I caught this one.
Mikko Hypponen’s talk on “Growing Up Next Door to Russia” was pretty spellbinding – ending with standing room only. He (IMO) took his life in his hands by outing and including pictures of very, VERY recent Russian cyber actors who had been sanctioned. You KNOW they, their associates, their family members, were there in Vegas. It was very brave of him to call out the recent actions and cyber activities of these actors, highlighting their disruption to daily life and contributions to global cybercrime campaigns. Definitely recommend checking out his book, If It’s Smart, It’s Vulnerable, as well as his podcast, Cyber Security Sauna.
Speaking of swag, the plushie Onion from the TOR vendor booth was a huge hit and highlight! 😀 Always eager to pass on giveaway ideas to the DarkOwl Marketing team and happy to report that they loved this too.
With all of the thought-provoking topics, trends, games, challenges and speakers throughout the week, the DarkOwl analyst team looks forward to diving into some of these topics and contributing to the research and conversation. The possibilities are endless! Make sure to sign up for emails to get the latest research first straight to your inbox. Looking forward to DefCon 32 already.
Products
Services
Use Cases