I was able to attend Defcon this year and as usual it was another exceptional event. It seems like every year the numbers keep growing. So, why is this one of the most relevant and successful security conferences? Because it’s built around people who love to explore, share knowledge, and learn about security and computing. This is the closest you will get to the original conferences that we or our parents/relatives attended at the dawn of computing.
During the show, there were sessions like “Say Cheese, How I Ransomwared Your DSLR Camera” by Check Point Software security researcher Eyal Itkin (more on that in a later post), “Defeating Bluetooth Low Energy 5 For Fun”, “Breaking Google Home” or “Reverse Engineering 4G Hotspots For Fun, Bugs, And Net Financial Loss”, and just like last year election security testing was a big topic.
Hacking in the cloud
Since I work for a company that is heavly involved with the cloud, the Cloud Village was particularly interesting to me.
Cloud services are built for increased collaboration and productivity, and provide capabilities like auto sync and API level communication. This has led enterprises to exclusively use SaaS, PaaS and IaaS services for storing and sharing critical and confidential data. End users as well as security products tend to place implicit trust in cloud vendors such as Microsoft, AWS, Google, and SaaS app vendors such as Box, Salesforce, DropBox. As a result, cybercriminals have started launching their attacks from these trusted cloud services. The talk focused on how attackers are abusing these trusted cloud services to create Phishing attacks that are highly effective and hard to detect.
One presentation I enjoyed was called “Phishing the cloud era”. They began the presentation by sharing some statistics that illustrate the wide-scale adoption of cloud services by cybercriminals. In particular, they focued in on the usage of cloud services as a launching point of an attack.
They looked at a few specific techniques discovered in the wild:
- Targeted BEC (Business email compromise) Phishing attacks abusing popular services like S3, GCS, Azure Storage, and GCP Google’s App engine.
- PhaaS (Phishing-as-a-Service) Criminals hosting a full-fledged phishing infrastructure over cloud and selling it as a B-to-C model. These on-demand service based models provides an essence of a criminal version of software-as-a-service which allows purchasing site login accounts along with crafting and hosting phished links.
The key takeaways they found behind the threat actor’s motivation and interest in using the cloud were:
- Reducing the infrastructure overhead.
- Access to more powerful hosting or computing services.
- Significantly cheaper attack methods (No DGA or BPH needed).
- Gives attackers protection by default (encrypted traffic, API driven communication etc).
- Slow take-downs, fast recovery.
The presentation overall was about phishing attacks hosted in cloud and how organizations should carefully assess the risks and potential threats when moving their enterprise workload towards the cloud.
Over all it was another successful Defcon. There were so many different people from every walk of life it seemed. Every person I interacted with was super friendly and eager to learn about everything security. Looking forward to Defcon 28!