Theme - Reboot Lance James, CEO Unit221B company (forensics, pen test, disruption)
AI as a worker process for attacks and for reporting. Disruptive thinking: question, consider, change perspective ("Hacker Intuition").
Event sourcing, snapshot, "temporal data/file system" Shadow files in
Low Code/ No Code
0-74K growth in LCNC apps over 4 years
IFTTT Power Automate ? Siri Shortcuts (vector - via)
OBSERVABILITY challenge in EA
AuthN/AuthZ via OAuth: REFRESH token (no TTL) vs ACCESS token (short TTL). This COMPLETELY breaks the OAuth model in practice: the refresh token is bound to the requesting app (e.g. Zapier or IFTTT integrations with Slack), which can mint fresh access tokens indefinitely without the user seeing any prompt. "Credential Sharing As A Service".
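Added example (not from the talk, and not any real provider's implementation): a toy authorization server that issues short-lived access tokens and a refresh token with no expiry, then a simulated integration platform that keeps reading a user's data for 30 days after one consent click. The client id "zapier", the user and the scope are constructed; the only thing that ends the access is revoking the grant.

```python
"""Toy model of the OAuth token-lifetime problem behind "credential sharing as a
service": the connector holds a refresh token that never expires, so a short
access-token TTL limits nothing. Added example; token formats and server logic are
simplified stand-ins, not any real provider's behaviour."""
import secrets
from dataclasses import dataclass, field

ACCESS_TTL = 3600  # typical short-lived access token, in seconds


@dataclass
class Grant:
    client_id: str          # the requestor app, e.g. "zapier"
    user: str               # resource owner who clicked "Allow" once
    scopes: frozenset
    refresh_token: str      # long-lived; dies only when the grant is revoked
    revoked: bool = False


@dataclass
class AuthorizationServer:
    grants: dict = field(default_factory=dict)         # refresh_token -> Grant
    access_tokens: dict = field(default_factory=dict)  # access_token -> (Grant, expiry)

    def authorize(self, client_id, user, scopes, now):
        """User consent: issues one refresh token (no TTL) and a first access token."""
        rt = secrets.token_urlsafe(24)
        grant = Grant(client_id, user, frozenset(scopes), rt)
        self.grants[rt] = grant
        return rt, self._issue_access(grant, now)

    def _issue_access(self, grant, now):
        at = secrets.token_urlsafe(24)
        self.access_tokens[at] = (grant, now + ACCESS_TTL)
        return at

    def refresh(self, refresh_token, now):
        """Refresh grant: no user interaction, no consent prompt, no TTL on the RT."""
        grant = self.grants.get(refresh_token)
        if grant is None or grant.revoked:
            return None
        return self._issue_access(grant, now)

    def introspect(self, access_token, now):
        """Resource-server check: token exists, is unexpired, and its grant is live."""
        entry = self.access_tokens.get(access_token)
        if entry is None:
            return None
        grant, expiry = entry
        if now >= expiry or grant.revoked:
            return None
        return grant

    def revoke_grant(self, refresh_token):
        """The only control the user/admin really has: kill the grant itself."""
        self.grants[refresh_token].revoked = True


def connector_access_window(now_start, days):
    """Simulate an integration platform using a user's Slack grant for `days` days
    after a single consent click. Returns (hours in which the connector could read
    data, whether revoking the grant finally stops refresh)."""
    srv = AuthorizationServer()
    rt, at = srv.authorize("zapier", "alice@example.com", {"channels:read"}, now_start)
    hours_ok = 0
    for hour in range(days * 24):
        now = now_start + hour * 3600
        if srv.introspect(at, now) is None:   # access token expired ...
            at = srv.refresh(rt, now)         # ... silently refreshed; alice sees nothing
        if at and srv.introspect(at, now):
            hours_ok += 1
    srv.revoke_grant(rt)
    after_revoke = srv.refresh(rt, now_start + days * 24 * 3600 + 1)
    return hours_ok, after_revoke is None


if __name__ == "__main__":
    print(connector_access_window(0, 30))  # every hour of 30 days readable; revoke works
```

The practical consequence for defenders: auditing access-token lifetimes tells you nothing about how long an integration keeps access; the review has to be of granted refresh tokens (consents) per third-party app, and the remediation is revocation of the grant, not waiting for expiry.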
Data exfil: demo of a Power Automate(?) workflow that moves e-mail from a source account to a target e-mail account.
Lateral movement ("move to machine"): the Power Automate desktop agent is installable on Windows 10 and included by DEFAULT in Windows 11.
- look at ZapCreds on Github
Baiting: a Trojan-horse application, e.g. one that stealthily steals data, creds, etc.
- where apps are shared, how to scan and sanitize them, etc.
- the user does not see which permissions the app exercises on their behalf (unlike a mobile app's permission request)
- CAN BE CHANGED AFTER INSTALL, e.g. the flow requests a payload and the payload drives a conditional change, UNSEEN by user / admin.
- a BypassConsent flag from a PowerShell call (Set-AdminPowerAppApisToBypassConsent in the Power Apps admin module) can mute the approval request (default accept)
- Demo script of scraping Sharepoint and sending PII/PHI/protected info to random targets
- Consider talk for DSI - Low Code Vulnerability and Mitigations?
Persistency: remote execution of an arbitrary payload (>>) maintain access, avoid detection, avoid attribution (who / what / where / when), no logs
- Power Automate Management?
- github.com powerful
MITIGATION / DEFENSE
- Review Configuration
- How do we know what Low Code exists?
- Limit connection usage
- Review and monitor access external facing endpoints
- Review connections shared across the entire organization
- OWASP LCNC Top 10!
- emailed OWASP LC/NC group
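Added example for the "limit connection usage" and "review connections shared across the entire organization" items (not from the talk): an audit over a JSON export of Power Platform connections. The records are constructed and their field names (ConnectionName, ConnectorName, CreatedBy, SharedWith, Status) are an assumed simplification of what the admin cmdlets return, not a documented schema; connector names are illustrative. In practice the input would come from something like Get-AdminPowerAppConnection piped through ConvertTo-Json, with field names adjusted to match.

```python
"""Audit Power Platform connections for org-wide sharing, external owners,
egress-capable connectors and stale state. Added example; sample records are
constructed and the field names / connector names are assumptions."""
from collections import Counter

# Constructed sample export. Field names are an assumption for this example.
SAMPLE_CONNECTIONS = [
    {"ConnectionName": "c1", "ConnectorName": "shared_office365",
     "CreatedBy": "alice@corp.example", "EnvironmentName": "Default",
     "SharedWith": ["Everyone"], "Status": "Connected"},
    {"ConnectionName": "c2", "ConnectorName": "shared_sharepointonline",
     "CreatedBy": "bob@corp.example", "EnvironmentName": "Default",
     "SharedWith": ["dana@corp.example"], "Status": "Connected"},
    {"ConnectionName": "c3", "ConnectorName": "shared_http",
     "CreatedBy": "contractor@partner.example", "EnvironmentName": "Prod",
     "SharedWith": [], "Status": "Connected"},
    {"ConnectionName": "c4", "ConnectorName": "shared_office365",
     "CreatedBy": "eve@corp.example", "EnvironmentName": "Default",
     "SharedWith": ["Everyone"], "Status": "Error"},
]

# Illustrative connector names: anything that can push data out of the tenant.
EGRESS_CONNECTORS = {"shared_http", "shared_ftp", "shared_sftp", "shared_dropbox", "shared_gmail"}


def audit_connections(connections, corp_domain):
    """Return {ConnectionName: [reasons]} for every connection that needs review."""
    findings = {}
    suffix = "@" + corp_domain.lower()
    for c in connections:
        reasons = []
        owner = c.get("CreatedBy", "").lower()
        shared = set(c.get("SharedWith", []))
        external_owner = bool(owner) and not owner.endswith(suffix)
        if "Everyone" in shared:
            # Org-wide share: any maker can build a flow on the owner's credential.
            reasons.append("shared org-wide")
        if external_owner:
            reasons.append(f"external owner {owner}")
        if c.get("ConnectorName") in EGRESS_CONNECTORS and (shared or external_owner):
            reasons.append("egress-capable connector that is shared or externally owned")
        if c.get("Status") != "Connected":
            # Broken connections are still a credential reference; delete, don't ignore.
            reasons.append(f"status {c.get('Status')}: stale or broken")
        if reasons:
            findings[c["ConnectionName"]] = reasons
    return findings


def connector_summary(connections):
    """Connections per connector: a first answer to 'what low code exists here?'."""
    return Counter(c["ConnectorName"] for c in connections)


if __name__ == "__main__":
    for name, reasons in audit_connections(SAMPLE_CONNECTIONS, "corp.example").items():
        print(name, "->", "; ".join(reasons))
    print(connector_summary(SAMPLE_CONNECTIONS))
```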
Brian Contos CSO, Sevco Security
What is xIoT? Printers, cameras, etc.: purpose-built firmware/HW, network-connected, can't run endpoint security
Asset intelligence / asset inventory: the old assumptions have changed
xIoT: volume, velocity & variety
50B IoT devices; target-rich, e.g. APC devices with default creds apc/apc
Common Attack Types Legacy Attacks
QUIETEXIT
- data theft
- maintains persistence; uses IoT devices to hide (over 10K devices); uses Dropbear SSH for a reverse shell
- logs in to O365 and local Exchange, stealing e-mail related to financials (M&A, finance, etc.)
- 2 years embedded, collecting data
- Shodan count (HTML "")
Mitigation: scanning, sniffing, intelligent discovery (Mazzoni, Phosphorus). Big picture:
creds, firmware upgrade, hardening, monitor for environment drift (changing surface area), isolate malicious / illegal devices (soft brick and removal)
Recon -> tools / asset intelligence program
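Added example for the "monitor for environment drift" and default-credential items (not from the talk): diff two inventory snapshots keyed by MAC and report new devices, vanished devices, changed listeners or firmware, and devices whose vendor is on a default-credential watchlist. Both snapshots, the MAC/IP values and the record fields (mac, ip, vendor, model, ports, firmware) are constructed for this example; a real program would feed it scanner or sniffer output in that shape.

```python
"""Environment-drift check over two xIoT inventory snapshots. Added example; the
snapshots below are constructed and the record layout is an assumption."""

# Vendor -> factory default noted in the talk (APC network cards ship apc/apc).
DEFAULT_CRED_WATCHLIST = {"APC": "apc/apc"}

# Constructed baseline and follow-up scans (MACs/IPs are made up).
SNAPSHOT_T0 = [
    {"mac": "00:c0:b7:aa:00:01", "ip": "10.0.5.10", "vendor": "APC", "model": "AP9630 NMC",
     "ports": [22, 80, 161], "firmware": "6.4.6"},
    {"mac": "ac:3c:0b:11:22:33", "ip": "10.0.5.20", "vendor": "Axis", "model": "M3045-V",
     "ports": [80, 443, 554], "firmware": "9.80.3"},
    {"mac": "3c:2a:f4:44:55:66", "ip": "10.0.5.30", "vendor": "Brother", "model": "HL-L2350DW",
     "ports": [80, 515, 9100], "firmware": "1.12"},
]
SNAPSHOT_T1 = [
    {"mac": "00:c0:b7:aa:00:01", "ip": "10.0.5.10", "vendor": "APC", "model": "AP9630 NMC",
     "ports": [22, 80, 161, 2222], "firmware": "6.4.6"},      # unexpected new listener
    {"mac": "ac:3c:0b:11:22:33", "ip": "10.0.5.20", "vendor": "Axis", "model": "M3045-V",
     "ports": [80, 443, 554], "firmware": "10.12.2"},         # firmware changed
    {"mac": "00:11:22:33:44:55", "ip": "10.0.5.40", "vendor": "Unknown", "model": "?",
     "ports": [23, 80], "firmware": "?"},                     # not in the baseline
]


def _index(snapshot):
    return {d["mac"].lower(): d for d in snapshot}


def inventory_drift(previous, current):
    """Return {"new": [...], "missing": [...], "changed": {mac: [notes]},
    "default_cred_candidates": [(mac, vendor, creds)]}."""
    prev, curr = _index(previous), _index(current)
    report = {"new": sorted(curr.keys() - prev.keys()),
              "missing": sorted(prev.keys() - curr.keys()),
              "changed": {},
              "default_cred_candidates": []}
    for mac in sorted(prev.keys() & curr.keys()):
        old, new = prev[mac], curr[mac]
        notes = []
        opened = sorted(set(new["ports"]) - set(old["ports"]))
        closed = sorted(set(old["ports"]) - set(new["ports"]))
        if opened:
            notes.append(f"ports opened: {opened}")   # new service = new surface area
        if closed:
            notes.append(f"ports closed: {closed}")
        if old["firmware"] != new["firmware"]:
            notes.append(f"firmware {old['firmware']} -> {new['firmware']}")
        if old["ip"] != new["ip"]:
            notes.append(f"ip {old['ip']} -> {new['ip']}")
        if notes:
            report["changed"][mac] = notes
    for mac in sorted(curr):
        vendor = curr[mac]["vendor"]
        if vendor in DEFAULT_CRED_WATCHLIST:
            # Candidate for a credential check, not proof the default is still set.
            report["default_cred_candidates"].append((mac, vendor, DEFAULT_CRED_WATCHLIST[vendor]))
    return report


if __name__ == "__main__":
    for key, value in inventory_drift(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(key, value)
```

Keying on MAC rather than IP matters here: xIoT devices get DHCP leases that move, and an attacker re-addressing a device would otherwise look like one device vanishing and a new one appearing.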
Sevco - internship
Who am I: Alex Holden
"IT Professional", Security Researcher, Hacker Hunter, Penetration Tester (also given in Russian as Тестер проникновения, "penetration tester")
Pen test vs red team: scope vs impact
SCOPING: outside / inside / 3rd party / infra / app
Define limitations ("get out of jail" letter vs "don't get sent to jail")
Matteo Rosi
OWASP Serverless Risks; DVSA (Damn Vulnerable Serverless Application) project
https://github.com/OWASP/Serverless-Top-10-Project/
Demo of event injection to AWS Lambda
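Added example in the spirit of the event-injection demo (my code, not DVSA's): a Lambda handler that splices an S3 object key from the triggering event into a shell command, beside a hardened version that allowlists the key and never goes through a shell. The S3 event is constructed and trimmed to the fields used (a real notification carries more and URL-encodes the key); the handlers and the `ls -l` post-processing step are hypothetical stand-ins for whatever the function does with the uploaded object.

```python
"""Event injection into an AWS Lambda handler, vulnerable vs hardened. Added example;
the S3 event is constructed and both handlers are hypothetical."""
import os
import re
import subprocess

WORK_DIR = "/tmp"  # Lambda's writable scratch space


def make_s3_event(key):
    """Minimal S3 PUT notification carrying `key` (constructed; real events have
    more fields and URL-encode the key)."""
    return {"Records": [{"eventSource": "aws:s3",
                         "s3": {"bucket": {"name": "uploads"}, "object": {"key": key}}}]}


def vulnerable_handler(event, context=None):
    """VULNERABLE: the object key, chosen by whoever can write to the bucket,
    becomes part of a shell command line."""
    key = event["Records"][0]["s3"]["object"]["key"]
    cmd = f"ls -l {WORK_DIR}/{key}"   # key "x; echo INJECTED" runs a second command
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return {"stdout": proc.stdout, "returncode": proc.returncode}


# Allowlist: plain file names only, no leading dot, no separators, no shell metacharacters.
SAFE_KEY = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def hardened_handler(event, context=None):
    """Hardened: validate the key against an allowlist, refuse traversal, and run
    the tool with an argv list so no shell ever parses attacker input."""
    key = event["Records"][0]["s3"]["object"]["key"]
    if not SAFE_KEY.fullmatch(key) or ".." in key:
        raise ValueError(f"rejected object key: {key!r}")
    path = os.path.join(WORK_DIR, key)
    proc = subprocess.run(["ls", "-l", path], capture_output=True, text=True)
    return {"stdout": proc.stdout, "returncode": proc.returncode}


def is_rejected(key):
    """True if the hardened handler refuses this key."""
    try:
        hardened_handler(make_s3_event(key))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_handler(make_s3_event("x; echo INJECTED")))  # stdout contains INJECTED
    print(is_rejected("x; echo INJECTED"), is_rejected("../../etc/passwd"), is_rejected("report.txt"))
```

The allowlist also rejects legitimate keys with "/" prefixes, so in a real function the validation would be written for the key layout the bucket actually uses; the non-negotiable parts are that the event field is validated before use and that no shell sits between it and the tool.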
Michael McCabe Terraform for infrastructure
- check out semgrep -> rule for terraform-no-provisioners
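Added example (mine, not the semgrep rule itself): a plain-Python check that does what a terraform-no-provisioners rule is for, listing every `provisioner` block in Terraform source with the resource that owns it and the line number. The HCL input is constructed; the scanner is a deliberately minimal line-based tokenizer (it strips `#` comments and tracks brace depth) and not a full HCL parser, so heredocs and braces inside strings are not handled.

```python
"""Report provisioner blocks in Terraform source, the check behind a
'no provisioners' policy. Added example; the HCL below is constructed."""
import re

SAMPLE_TF = '''
resource "aws_instance" "web" {
  ami           = "ami-0123456789abcdef0"   # constructed
  instance_type = "t3.micro"

  provisioner "remote-exec" {
    inline = ["curl -s https://bootstrap.example/install.sh | sh"]
  }
}

resource "null_resource" "bootstrap" {
  provisioner "local-exec" {
    command = "echo ${self.id} >> /tmp/ids"
  }
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}
'''

# A block opener: keyword, optional quoted labels, then "{" at end of line.
BLOCK_RE = re.compile(r'^\s*(resource|data|module|provisioner|connection)\s*((?:"[^"]*"\s*)*)\{\s*$')
LABELS_RE = re.compile(r'"([^"]*)"')


def find_provisioners(hcl_text):
    """Return [(line_no, owning_resource_address, provisioner_type), ...]."""
    findings = []
    stack = []   # open blocks as (kind, labels, depth_at_open)
    depth = 0
    for n, raw in enumerate(hcl_text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing # comments
        m = BLOCK_RE.match(line)
        if m:
            kind, labels = m.group(1), LABELS_RE.findall(m.group(2))
            stack.append((kind, labels, depth))
            if kind == "provisioner":
                owner = next((f"{k}.{'.'.join(l)}" for k, l, _ in reversed(stack[:-1])
                              if k == "resource"), "?")
                findings.append((n, owner, labels[0] if labels else "?"))
        depth += line.count("{") - line.count("}")
        while stack and depth <= stack[-1][2]:  # close blocks whose depth we left
            stack.pop()
    return findings


if __name__ == "__main__":
    for line_no, owner, kind in find_provisioners(SAMPLE_TF):
        print(f"line {line_no}: {owner} uses provisioner {kind!r}")
```

The security point the rule encodes: provisioners run arbitrary commands at apply time, on the CI runner (local-exec) or on the freshly created host (remote-exec), outside Terraform's state and plan review, so a malicious or compromised module can turn `terraform apply` into code execution. Image baking or cloud-init/user_data keeps that step declarative and reviewable.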
Wietze Beukema