Schedule | BSides Singapore Conference 2024

Talks Schedule

09:00am - Opening Note

9:12am - Keynote Talk by Rahul Sasi (CEO, CloudSEK)

Speaker Bio:
Cybersecurity expert Rahul Sasi is redefining the cybersecurity landscape by leveraging AI (Artificial Intelligence). He is the CEO, Executive Chairman and Founder of contextual AI company CloudSEK that builds products to predict cyber threats even before they occur.

Rahul founded CloudSEK in 2015, when he realized that there wasn’t a comprehensive solution to monitor external cyber threats. He set out to build intelligent machines that can emulate human cognition, to provide contextual threat intelligence, even before an incident occurs - thus empowering organizations to anticipate and preempt large-scale cyber attacks. Rahul started his cybersecurity journey with Garage4Hackers, an online community of cyber security researchers back in 2006. He spent his college days researching, programming, and contributing to the cybersecurity community. Later, he dropped out of college to pursue his passion for cybersecurity by joining iSIGHT Partners. iSIGHT Partners has since been acquired by Google. Subsequently, Rahul joined Citrix, where he was the first person without an engineering degree to be hired by Citrix India. Thereafter, in 2015, Rahul established CloudSEK.

Rahul is well-known for his significant open-source contributions to the cybersecurity landscape, and has spoken at events and conferences in over 22 countries. He is also part of the working committees of The Reserve Bank of India, where he is the youngest member of the digital lending committee, and MeitY.

10:00am - FIN7 cybercrime group deploys new CL0P ransomware variants against multiple industries by Joeychen

In February 2024, Cisco Talos discovered a malicious campaign delivering previously unreported CL0P ransomware variants which we attribute to the FIN7 cybercrime group, a financially motivated threat actor. We assess with high confidence FIN7 is responsible for the attacks based on the observed attack chain that is consistent with FIN7 techniques and tooling cited in industry reporting, as well as the actor’s use of two Secure Shell (SSH) reverse IP addresses attributed to FIN7 in industry reporting within the same timeframe. The campaign—spanning from early-February to mid-March 2024—affected organizations primarily in the United States across a wide range of industries, underscoring the threat actor's opportunistic approach that is typical of financially motivated groups.

Our research uncovered new CL0P ransomware variants with updated functionalities. Among the changes are two notable capabilities. First, the ransomware integrates three segmented encryption functions into a single unified function, likely increasing the ransomware’s efficiency. Second, the variants directly employ Windows Management Instrumentation (WMI) to delete shadowcopy files—as opposed to the actor having to do it manually—to prevent victims from using shadow volume copies to restore data. The attack chain involves lateral movement and deployment of the ransomware using the Impacket tool “wmiexec.py” and SSH reverse shell, according to our telemetry analysis, consistent with known FIN7 tactics, techniques, and procedures (TTPs).

Speaker Bio:
Joey Chen is working as a Cyber Threat Researcher for Cisco Talos. His major areas of research include incident response, APT/cybercrime investigation, malware analysis and cryptography analysis. He has been a speaker at HITB, Virus Bulletin, CODEBLUE, DeepIntel, HITCON, AVAR and CYBERSEC conferences. Now he is focusing on the security issues of target attack, emerging threats and IOT systems.

10:40am - Break

11:00am - Uncover How Crypto Scammers Are “Stream-Jacking” Popular YouTube Channels by Ionuț Baltariu

Over the past year, there has been an alarming increase in the hijacking of popular YouTube channels, which are then manipulated into platforms for Cryptocurrency Scams. According to a Bitdefender analysis, between July 2023 - June 2024, the 10 most watched hijacked channels reached nearly 64 billion views and are continuing to soar! These channels cleverly incorporate deepfakes with public figures to peddle cryptocurrency scams.

In this session, we will unveil the nitty-gritty details of these emerging threats, exploring real-life examples. The purpose of the talk is to heighten awareness about increasingly common threats found in our social-media saturated landscape, while sharing with the audience concrete solutions for prevention and detection on monitored accounts.

One of the reasons for the success of these types of scams is the psychology behind the phenomenon. Aside from exploring how Deep Fakes are being used for cultivating the trust of the potential victims, we will dive into the anatomy of the cryptocurrency scam takeovers, showing how a scam turns into a business network promoting “Phishing-as-a-Service”.

The repercussions of the crypto scam takeovers are far-reaching – channel owners risk losing not just their content but also hard-won statistics like views and subscribers, along with their revenue. We will show how account takeovers can be prevented by setting up a multi-layered security environment and how they can be detected on monitored accounts.

Speake Bio:
Ionuț Baltariu is a Software Engineer and blog author in the Threat Intelligence and Risk Analytics team at Bitdefender. His aim is to limit the impact of threats that spread through social media, so he is hunting daily for account takeovers, malware and "malvertising" on platforms. While not hunting, Ionuț takes part in the development of internal automation systems and on various risk assessment products.

11:45am - RAG-ging The Android Malware - Conceptualizing AI/ML for benefits of Reverse Engineer by Shivang Desai

The advent of Generative-AI (example ChatGPT) has brought about significant transformation, demonstrating its profound impact across various domains. However, it is essential to acknowledge that its capabilities have also attracted attention from malicious actors who exploit its potential within the territory of cybersecurity. We have already witnessed instances wherein adversaries adeptly utilize the power of chatGPT to craft sophisticated malware with remarkable ease. Despite the implementation of
stringent safeguards by creators of large language models (LLMs), these adversaries persistently innovate and devise novel methods to circumvent existing restrictions, leveraging the inherent capabilities of this artificial intelligence platform to their advantage.

In the current landscape of malware analysis, amidst the growing attention surrounding the
utilization of AI/ML, there exists a demand for a solution that can effectively enhance the
capabilities of reverse engineers and security researchers. This talk delves into the utilisation of Retrieval Augmented Generation (RAG) for Android malware analysis. RAG is an AI framework that combines the strengths of traditional information retrieval systems with the capabilities of generative large language models. The talk shares the idea on how Android malware can be input as an additional dataset to the LLMs, thus minimizing the cycle of training the whole dataset and maximizing the desired output. This concept introduces a chatbot experience (a beta version tool will be made open-source) specifically tailored for reverse engineering, with a focus on Android malware. Imagine a scenario where a chatbot can effortlessly provide detailed insights into malware implementations, responding intelligently to well-crafted prompts.

Additionally, during the talk, a live case study will be presented, showcasing the analysis of an
Android malware using concept of retrieval augmented generation. This practical demonstration will offer valuable insights into the effective application of RAG in real-world scenarios, enhancing the attendees' understanding of malware analysis techniques and methodologies.

Speaker Bio:
Shivang Desai is a Senior Security Researcher at Microsoft. He is a dedicated professional with expertise in implementing security features in mobile applications to ensure the safety and protection of customers from various types of mobile threats. He conducts extensive research on mobile malware and excels in reverse engineering, constantly seeking innovative solutions to stay ahead of evolving cyber threats. He is an avid blogger, and his blogs have been referenced in various international media, including Forbes, Fox News, The Register, and more. Shivang also enjoys sharing his knowledge at security conferences and relishes the opportunity to connect with like-minded individuals in the field. Outside of work, he is passionate about honing his photography skills, capturing moments that inspire and bring creativity to life.

12:30pm - Lunch Break

1:30pm - How adversarial noise protects my selfies from the (AI deepfake) TikTok dance trend by Tania Sadhani

"In the age of AI, where a single photo can make realistic deep fakes, how can you protect your personal photos?"

... were my thoughts when I saw the TikTok AI dance filter.

Join me, as I use AI security techniques to prevent my photos from being made into AI-based deepfakes dancing to Jojo Siwa!

This session will cover the practice of AI security with the following example use case: protecting my personal photos against misuse through AI-based deepfake generation.

With an AI security lens, I describe the different components of an AI-based deepfake model. Then I walk you through an adversarial machine learning method to alter the photos to prevent them from being used by the deepfake models. We’ll then apply what we learnt on leading deepfake models, including the famous TikTok dance filter, to see what happens!

As AI systems are being rapidly adopted and developed, understanding how they can be exploited is important. With this deepfake example, I aim to show you that AI security techniques can provide us with an additional tool in our cyber toolbox.

This will be a practical and fun session for both users or developers of AI systems - and anyone else who is interested in learning about the surprising ways machine learning models can fail!

Speaker Bio:
Tania Sadhani is currently an AI security researcher with Mileva Security Labs working on investigating and addressing the unique vulnerabilities of machine learning systems. She has over 3 years of government experience in emerging technologies in technical and strategic roles, covering machine learning and quantum technologies. She has recently completed an undergraduate degree in applied data analytics at the ANU and is continuing a specialisation in computer science.

2:15pm - Hacking into Apple's Privacy Landscape for Fun & Profit by Tushar Bhardwaj

The presentation titled "Hacking into Apple Inc.'s Privacy Landscape For Fun & Profit" delves into critical vulnerabilities within Apple's privacy ecosystem, revealing instances of personally identifiable information (PII) disclosure and unauthorized access. The research identifies specific weaknesses leading to PII exposure, with a focus on understanding and protecting this sensitive data.

Presents key vulnerabilities within Apple's ecosystem, including issues with iCloud Notes, the Find My app, password recovery functionality, iCloud.com MFA bypass, and unauthorized access to Apple employee meetings.

Speaker Bio:
Tushar Bhardwaj, a seasoned security professional, Founder & CEO @ Trana. He comes with a wealth of experience. in cyber security, including roles at previous CloudSEK, Threat Hawk, and SecureLayer7. He has a deep expertise in penetration testinga and brings a wealth of experience across various sectors, ensuring comprehensive assessments and effective vulnerability mitigation strategies. Some of his notable achievements, such as being credited by industry giants like Cisco, Oracle, Microsoft, Google and Apple for identifying critical vulnerabilities, highlight his capability to deliver impactful results

3:00pm - Most common vulnerabilities in Github Actions: Takeaways from mass scanning Github repositories for bounties by Vasilii Ermilov

GitHub Actions has become a cornerstone of continuous integration and continuous deployment (CI/CD) workflows due to its versatility and integration with GitHub, making it immensely popular among developers and organizations. However, this widespread adoption has also turned GitHub Actions into a significant attack surface that requires vigilant security practices.

In this talk, we present the most common vulnerabilities found in GitHub Actions, highlighting the potential risks and impacts attackers can exploit. By examining real-world scenarios and my personal experiences from mass scanning GitHub repositories for bounty programs, we will uncover prevalent misconfigurations and security flaws.

Attendees will gain valuable insights into:
* The types of vulnerabilities frequently encountered in GitHub Actions workflows.
* The potential consequences and impact of these vulnerabilities if exploited by malicious actors.
* Practical examples and lessons learned from successful bounty hunts on real repositories

Speaker Bio:
Vasilii Ermilov (@ermil0v) is a Senior Security Researcher at Semgrep, a startup working on open source static analysis tools that fit the modern developer workflow. Having more than a decade of experience in web application development for enterprises, governments and startups he now uses his knowledge for identifying weak and vulnerable parts in other people's code.

3:40pm - Break

4:00pm - On Your Ocean's 11 Team, I'm the AI Guy (technically Girl) by Harriet Farlow and Chantelle Ralevska

One of the best parts of hacker summer camp is the glitz and glam of the Vegas Strip. Many have explored hacking casinos (on and off stage). Unfortunately, it’s not like it is portrayed in the Ocean’s franchise… In real life there’s much less action, no George Clooney, and it’s a lot harder to pull off a heist than it seems.
Or is it? Well, fortunately we’re not your typical hackers and this isn’t an Ocean’s movie. We’re AI and Cyber experts, and we use the latest hacking and adversarial machine learning techniques to socially engineer our target, and then disrupt, deceive and disclose information from Artificial Intelligence systems.

We chose our target very carefully: Singapore’s largest casino.

The casino industry is at an interesting inflection point. Many large casinos have already adopted AI for surveillance and gameplay monitoring, smaller casinos are starting to make the transition, and there’s only a couple of companies in the world that provide this software. It’s ripe for exploitation.
In this talk, we are going to show you how we socially engineer our target, bypass casino AI systems - facial recognition, surveillance systems and game monitoring - and deepfake our way out of trouble.

AI Security is the new cyber security threat, and attacks on AI systems could have broad implications including misdiagnoses in medical imaging, navigation errors in autonomous vehicles… oh, and successful casino heists.

This talk was last delivered at DEF CON in Las Vegas, so we come with many lessons learnt straight from the source (and may or may not be on a few watch lists).

Speaker Bio:
Harriet Farlow is CEO at Mileva Security Labs, a PhD Candidate in Machine Learning Security, and creative mind behind the YouTube channel HarrietHacks. She missed the boat on computer hacking so now she hacks AI and Machine Learning models instead. Her career has spanned consulting, academia, a start-up and Government, but don’t judge her for that one. She also has a Bachelor in Physics and a Master in Cyber Security. She calls Australia home but has lived in the UK and the US. Her ultimate hack was in co-founding her own AI Security company but if Skynet takes over she will deny everything and pretend the AI stood for Artificial Insemination, like her Mum thinks it does. (Sorry Mum but I’m not really a Medical Doctor).

Chantelle Ralevska is a cybersecurity expert and advocate, with six years of experience working in technology and cybersecurity. As the founder and CEO of Psyber, a startup that delivers innovative and customised cybersecurity awareness training to businesses and schools across Australia, Chantelle has made significant contributions to the field in a short period of time. Having worked in security for some of Australia’s largest and most complex organisations, including Macquarie Group, Westpac, and Woolworths, she has successfully delivered training to over 440,000 staff globally. Chantelle is passionate about inspiring more young girls and women to pursue careers in cybersecurity. With just 4% of cyber startups founded by women, she is a trailblazer, paving the way for future generations. Chantelle has presented at global cybersecurity conferences and educated over 500,000 viewers on YouTube about cybersecurity, careers, and more.
Chantelle’s rapid ascent from industry intern to the CEO of her own company reflects her profound impact and expertise within the cybersecurity field. Her efforts to champion diversity in tech further highlight her leadership and visionary approach to both business and advocacy in cybersecurity.

4:45pm - Unmasking SPAWN: a stealthy malware ecosystem used by nation-state actors to persist on edge devices by Lukasz Lamparski,
and Shawn Chew

The exploitation of critical vulnerabilities in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) appliances by nation-state espionage groups highlights the escalating threat landscape. This presentation delves into a real world case study involving threat actors, who leveraged zero-day exploits to gain persistent, long-term access to the victim environment. This talk draws on a recent front-line incident response – including the discovery of a coordinated ecosystem of four highly stealthy, previously unknown malware samples – to provide actionable insights for cybersecurity practitioners.This talk focus will also be on understanding how advanced malware ecosystem can be utilized by Threat Actors to stay undetected, as well as the practical lessons learned for detection and strengthening defenses against such threats.

Attendees will gain insights into:
- Attacker Methodology within a Stealth Framework: Through real-world examples, discover how the nation-state espionage groups leveraged the zero-days while relying on sophisticated evasion techniques.
- Unveiling a Coordinated Malware Ecosystem: Understand the unique and stealthy SPAWN malware family, crafted specifically for this campaign. Dissects the various components of this ecosystem, including SPAWNANT persistent installer, SPAWNMOLE tunneler, SPAWNSNAIL SSH passive backdoor, and SPAWNSLOTH log blocking utility, and highlight their coordinated actions within the victim's environment.
- Understand how advanced malware ecosystem is utilized by Threat Actors to persist undetected on edge devices.
- Understand the detection challenges and limitations presented by sophisticated passive backdoors
- Provide recommendations to improve detection / hardening capabilities against such malware

Speaker Bio:
Lukasz Lamparski currently working as Frontline Intelligence Analyst in the Advanced Practices Team in Mandiant in Google Cloud. Before that an incident responder with 6 years of experience responding to incidents in the financial sector. Helped to respond to a multitude of incidents, and tracked adversaries both from nation-states as well as financially motivated groups. Privately triathlonist, fan of endurance sports and a traveler.

Shawn Chew is a cybersecurity consultant within Google Cloud's (Mandiant) incident response APAC team, providing emergency as well as proactive services to organisations across various industries. Shawn has investigated a multitude of breaches involving sophisticated threat groups such as nation-state actors and other advanced persistent threats.

5:30pm - Closing Note

Workshops Schedule

10:00am - 1:00pm Turbocharge Your Secure Code Reviews with CodeQL by Sayooj B Kumar and Sourav Kumar

This hands-on workshop aims to address one of the most Time-consuming and Error-prone areas in the industry, “The code review process” by utilising CodeQL, one of the most advanced SAST tools. Participants will benefited by saving valuable time identifying new vulnerabilities or recurring ones in their applications which contains million lines of code. The code review process is prone to errors, as evidenced by the OWASP Top 10, which shows injection attacks ranking from Top 1 in 2017 to Top 3 in 2021, proving that these issues still persist. Identifying security vulnerabilities at the code level is crucial, as it is the most effective way to flag vulnerabilities and the cost of mistakes is unacceptable. This workshop helps participants reduce human errors, especially in feature-loaded applications and aims to provide the best quality in vulnerability identification in their codebases.

A portion of this workshop focuses on equipping participants with the skills to write vulnerability identification rules using CodeQL in their codebases, seamless setup, installation, demonstrating real-world examples and insightful results analysis. Training is supported by hands-on sessions with a custom-built application in Java which is designed to be vulnerable to the OWASP Top 10. Complemented by a Capture The Flag competition, a gamified way to compete and learn to make the experience enjoyable.

By the end of this workshop, participants will have the skills to enhance their code analysis capabilities and leverage CodeQL’s full potential for robust security and ultimately improving the security of applications.

Prerequisites
* Laptop running in Linux (Recommended): CodeQL and VS Code installed.
* Basic understanding of common web-based vulnerabilities. (Optional)
* Basic understanding of manual source code reviews.
* A curious soul.

Instructor Bio:
Sourav Kumar is passionate about software security, focusing on securing web applications, microservices, and software supply chains. As a Senior Security Engineer at CRED, he spearheads product security initiatives, conducts security research on trending attack vectors, and works on scaling secure code reviews.
Apart from his day job he loves to reverse engineer the latest Zero Days, researching new zero days on notable softwares and figuring new ways to break into enterprise tech stacks. Recently, he has been concentrating on researching attack vectors in Java EE technologies, software supply chains security and static analysis principles. Few notable contributions are mentioned below:
Securing Apple, earning a spot in their Hall of Fame: https://support.apple.com/en-gb/102812
- Multiple CVEs in prototype pollution in OSS:
- CVE-2021-23574: https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2320790
- CVE-2021-25943 [Duplicate]: https://www.mend.io/vulnerability-database/CVE-2021-25943
- Several other contributions were made to private bug bounty programs.

Sayooj B Kumar is a passionate security researcher and engineer with a keen focus on API and web application security. He currently works as a security engineer at CRED, where he focuses on providing end-to-end product security and conducts research to enhance SAST platforms and their integration into day-to-day security operations.
From the early days of his cybersecurity journey, Sayooj has been actively involved in CTF competitions, leading team Bi0s to become one of the top-ranking teams. In his spare time, he enjoys diving into vulnerability research, bug bounty hunting, and tackling CTF challenges. His interests span various areas, including client-side security and side-channel attacks, where he continually expands his expertise.
In addition to his professional work, Sayooj has helped secure multiple organizations and contributed to several open-source applications. Some of his notable contributions include:
- Securing StackOverflow: Earning a spot in their Hall of Fame.
- Enhancing Security for Deepnote.com
- Reporting Multiple CVEs for Securing Apache, Node Packages, and OpenLiteSpeed:
- CVE-2023-37379
- CVE-2021-23448
- CVE-2021-23718
- CVE-2024-31617
- Making Numerous Other Contributions in Private Bug Bounty Programs

1:30pm - 5:50pm API Security Workshop with OWASP crAPI [Hands-on] by Jayesh Bapu Ahire

In today's rapidly digitalizing world, Application Programming Interfaces (APIs) are the backbone of communication in the vast landscape of web services, cloud applications, and microservices. With this increased usage comes the inevitable rise of security threats targeting APIs. This workshop aims to arm participants with practical knowledge and hands-on experience to secure APIs effectively.

In this workshop, we will be using OWASP crAPI (completely ridiculous API), a purposely insecure API, to demonstrate common API vulnerabilities and their mitigations. We will discuss the ‘Shift Right’ as well as 'Shift Left' approach in API security, emphasizing the importance of integrating security measures early in the development lifecycle. Participants will learn to identify, exploit, and secure API vulnerabilities, equipping them with the necessary skills to build more secure applications.

Pre-requisites:
* Basic understanding of APIs: Although we will cover the fundamentals, a pre-existing knowledge of APIs and how they work will be beneficial.
* API Testing Tool (Postman, SOAP UI, etc.): For hands-on practice, we recommend installing any of these tools on your laptop.
* Supporting File(s): OWASP crAPI (https://github.com/OWASP/crAPI), API Security Essentials (https://github.com/JBAhire/awesome-api-security-essentials)

Instructor Bio:
Jayesh Ahire is the Product Manager at TraceableAI where he works on the Company’s API Security initiative. He is the maintainer of OWASP crAPI, Hypertrace, and many other notable OSS Projects. He is AWS ML Hero, and runs API Security Global Community. He also runs AWS UG, Elastic UG, TensorFlow UG, and many other communities in US and India.
He has delivered talks & workshops in BSides San Francisco, BSides Sydney, DefCon, BlackHat and many other security conferences across the globe. His research interest involved Distributed neural computers and Defi. In his free time, he likes to read and these days he is learning to play the piano.