December 9 - Keynote Speeches and Lectures

Time | Session
---|---
12:00 – 13:00 | Registration
13:00 – 13:15 | Welcome to FIRST TC Ljubljana, Head of SI-CERT & TC organizers
13:15 – 14:00 | SAETI: State-Actor Empowered Threat Intelligence... A Good or a Bad Thing?, Righard Zwienenberg (ESET, NL)
14:00 – 14:45 | TLD ISAC - Information Sharing and Cooperation in the Domain Industry, Robert Schischka (nic.at, AT)
14:45 – 15:15 | Coffee
15:15 – 16:00 | Listen, Observe, Analyze: Overcoming Biases in Infosec Investigations, Xavier Mertens (Xameco SRL, BE)
16:00 – 16:45 | When Your CTV Box Goes Rogue: How Millions Were Tricked Into Aiding a Global Cybercrime Operation, Lindsay Kaye (HUMAN Security, US)
16:45 – 17:00 | Closing Remarks, TC Organizers
December 10 - Lectures and Hands-On Training

Time | Technical Track | Workshop Track
---|---|---
09:00 – 09:45 | Using DNS Registry and Requests for Securing .pl TLD and Beyond, Paweł Pawliński, Piotr Białczak (CERT.PL/NASK, PL) | Threat Hunting Tools, CIRCL (09:00 – 12:30)
09:45 – 10:30 | Residential Proxy Networks Uncovered: Infrastructure & Insider Stories, Fyodor Yarochkin (Trend Micro, TW) |
10:30 – 11:00 | Coffee |
11:00 – 11:45 | Persōna Theory: Infiltration & Deception of Emerging Threat Groups, Tammy Harper (Flare, CA) |
11:45 – 12:30 | Collaborative Response to Emerging Critical RCE Vulnerabilities in Exposed Assets, Piotr Kijewski (Shadowserver, PL) |
12:30 – 14:00 | Lunch |
14:00 – 14:45 | Gabor Szappanos (Sophos, HU) | Hands-On Data Breach Investigation with the Dark Net, Tammy Harper (Flare, CA) (14:00 – 17:00)
14:45 – 15:30 | Modern Network Fingerprinting: from p0f to MuonFP & JA4, Vlad Iliushin (ELLIO / AMTSO, CZ) |
15:30 – 16:00 | Coffee |
16:00 – 16:45 | TBD |
16:45 – 17:00 | Closing Remarks |
Piotr Kijewski (Shadowserver, PL): Collaborative Response to Emerging Critical RCE Vulnerabilities in Exposed Assets
This talk will tell the story of how The Shadowserver Foundation has responded to many recent high-profile critical vulnerabilities such as Citrix NetScaler (CVE-2023-3519, etc.), Cisco IOS XE device implants (CVE-2023-20198), Fortinet Fortigate (CVE-2024-23113), Palo Alto PanOS (CVE-2024-0012), and others affecting tens of thousands of organizations globally. This includes how we worked on new vulnerability scans on an Internet scale to be able to quickly detect exposed, vulnerable or compromised instances and understand the scale of each incident. It will also cover how we improved our attack detection signatures and utilized our global honeypot sensor network to be able to quickly detect exploitation attempts and help identify webshells on compromised or incompletely remediated devices. All information gathered was then quickly disseminated to the affected parties, their National CSIRTs, and Law Enforcement (where appropriate) via our free remediation feeds. None of that would be possible without close collaboration with multiple partners who provided a lot of information observed "on the ground", which we could combine with our own data collection mechanisms to maximize remediation effects. We will cover the lessons learned from this collaboration, which will hopefully allow for an even more effective response from the community in future incidents.
Piotr Kijewski is the CEO and a Trustee at The Shadowserver Foundation, a non-profit organization with a mission of making the Internet a more secure environment. He also manages Shadowserver's large-scale data threat collection and sharing projects, as well as National CSIRT relationships. Piotr has over 20 years of operational experience in cybersecurity and incident response. He headed CERT.PL building up its various security data gathering and analysis projects as well as managing its anti-malware operations, including numerous botnet disruptions. Piotr is also a member of the Honeynet Project (where he has also served on the Board of Directors), a well-known and respected non-profit that is committed to the development of honeypot technologies and threat analysis. Piotr Kijewski is a member of the Management Board of The Hague Chapter of the CyberPeace Institute.
December 10, 2025 11:45-12:30
Tammy Harper (Flare, CA): Hands-On Data Breach Investigation with the Dark Net
In this simulation, your company has just experienced a breach. You need to find sensitive data that has been leaked. This information must not fall into the wrong hands. You will need to search the dark and clear web, forums, marketplaces, ransom listings, etc. to uncover these threats. Get to the bottom of this to protect employees and avoid millions of dollars spent on damage control.
Tammy Harper is a Senior Threat Intelligence Researcher and Certified Dark Web Investigator at Flare. She is a contributor and volunteer threat intelligence researcher for the open-source project RansomLook. When not working on threat intelligence, she listens to techno and ambient music. Her other hobbies include street and nature photography, reading, camping, hiking, and learning about theoretical astrophysics, hypothetical stars, and exotic forms of matter.
December 10, 2025 14:00-17:00
Gabor Szappanos (Sophos, HU)
It all started with investigating an incident from a user. The threat actor abused one of our components by overwriting the entry-point code and inserting the encrypted payload – impersonating a legitimate file, using it as carrier in an attempt to sneak onto systems.
It is not unusual that the malicious code is hidden behind legit applications, most commonly achieved by process injection or DLL side loading, but this case was an approach we haven’t seen before. As we looked deeper, it turned out that we were not alone. We found hundreds of similar carriers from dozens of software vendors, including many security companies.
Moreover, we identified two distinct operations that follow the same general scheme: legitimate binaries of software vendors were modified by overwriting the code near the entry point with a loader shellcode, an encrypted malicious payload is inserted as a resource (the encryption is simple XOR with a static key), the payloads are delivered via phishing messages, and the final payloads are commodity RATs or credential stealers.
Going down to the details, however, showed that there were enough differences (different payload injection, different payloads, different focus in selecting the impersonated software vendors, to name a few) for us to think that the two operations belong to separate threat actors.
Both operations featured a large selection of malicious payloads including the usual initial access families, RATs and credential stealers. But interestingly, these families were totally different between the two. The first one used commonly deployed RATs (Cobalt Strike, Brute Ratel, Qakbot), and also some newcomers (Latrodectus, Oyster, SSLoad), and showed connections to ransomware groups like Black Basta and BlackSuit. The second operation mostly delivered Remcos, Lumma Stealer, AsyncRAT, Rhadamanthys, XWorm and Vidar. Later this operation was identified by Unit42 as related to the HeartCrypt packer-as-a-service offering. We also found that some of the abused binaries got re-signed with a digital code-signing certificate (the original signature was corrupted when the malicious code was inserted). As we followed this trail, further abused digital signatures were found.
These certificates had a few commonalities: they were only used to sign binaries from the threat actors (which indicated that the adversary registered them themselves), were all registered on behalf of small businesses, and the validity period lasted for a year only. So the threat actors didn’t only impersonate software developers with the carrier executables, but also small businesses for the certificates.
In this presentation we will explain how the original components were modified during the injection process, analyze the payloads, and explain the full infection chain in detail from the initial phishing email to the system compromise.
We will also give an insight into tools and techniques we used while collecting the information and the malicious samples from public sources and internal telemetry. We will also go through the process of reconstructing the full infection chains, which required using information from public reports, threat intelligence sources and our internal data.
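The abstract above describes carriers whose payload resource is XOR-encrypted with a static key. As an added, defender-side triage example (not code from the talk or from Sophos), the following recovers such a repeating key from a suspect blob by using the reserved, always-zero DOS-header fields as known plaintext and confirming the hit via the MZ and PE signatures; the embedded PE header, the key and the filler bytes are all constructed here.

```python
"""Triage helper: locate a PE image hidden under a static (repeating) XOR key.

Reserved DOS-header fields (e_res, e_oemid, e_oeminfo, e_res2) occupy bytes
0x1C..0x3B of a PE and are zero in practice, so XORing them with any key leaves
the raw key stream in the ciphertext. That known plaintext recovers keys up to
32 bytes long; a hit is then confirmed via "MZ" and the "PE\\0\\0" signature.
"""
import random
import struct

ZERO_RUN_OFFSET = 0x1C   # first reserved DOS-header byte
ZERO_RUN_LEN = 0x20      # 32 zero bytes, ending just before e_lfanew at 0x3C
MAX_KEY_LEN = 32
DOS_HEADER_LEN = 0x40


def xor_bytes(data: bytes, key: bytes, start_pos: int = 0) -> bytes:
    """XOR data with a repeating key; start_pos is the key-stream position of data[0]."""
    klen = len(key)
    return bytes(b ^ key[(start_pos + i) % klen] for i, b in enumerate(data))


def looks_like_pe(header: bytes, blob: bytes, off: int, key: bytes) -> bool:
    """Check the MZ magic, then decrypt the 4 bytes at e_lfanew and expect 'PE\\0\\0'."""
    if header[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
    if e_lfanew < DOS_HEADER_LEN or off + e_lfanew + 4 > len(blob):
        return False
    sig = xor_bytes(blob[off + e_lfanew: off + e_lfanew + 4], key, e_lfanew)
    return sig == b"PE\x00\x00"


def find_xored_pe(blob: bytes, max_key_len: int = MAX_KEY_LEN):
    """Return (offset, key) of the first XOR-encrypted PE in blob, or None.
    A plaintext PE is reported with the degenerate one-byte key b'\\x00'."""
    for off in range(len(blob) - DOS_HEADER_LEN + 1):
        ks = blob[off + ZERO_RUN_OFFSET: off + ZERO_RUN_OFFSET + ZERO_RUN_LEN]
        for klen in range(1, max_key_len + 1):
            # A repeating key of length klen shows up as a klen-periodic key stream.
            if any(ks[i] != ks[i + klen] for i in range(ZERO_RUN_LEN - klen)):
                continue
            # Realign: ks[i] is key byte (ZERO_RUN_OFFSET + i) % klen.
            key = bytearray(klen)
            for i in range(klen):
                key[(ZERO_RUN_OFFSET + i) % klen] = ks[i]
            key = bytes(key)
            header = xor_bytes(blob[off: off + DOS_HEADER_LEN], key)
            if looks_like_pe(header, blob, off, key):
                return off, key
    return None


def build_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed PE-shaped test input (not a runnable executable): MSVC-style
    DOS header, zero-filled stub, then the PE signature and an i386 machine field."""
    hdr = bytearray(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00")
    hdr += b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00"   # e_sp .. e_ovno
    hdr += b"\x00" * ZERO_RUN_LEN                                 # reserved fields
    hdr += struct.pack("<I", e_lfanew)
    hdr += b"\x00" * (e_lfanew - len(hdr))
    hdr += b"PE\x00\x00\x4c\x01"
    return bytes(hdr)


def demo():
    """Constructed sample: fake PE XOR'd with a 3-byte key, buried in pseudo-random filler."""
    rng = random.Random(7)
    filler = bytes(rng.getrandbits(8) for _ in range(300))
    key = b"\x5a\xa7\x13"                      # constructed key, not from any real sample
    carrier = filler[:123] + xor_bytes(build_fake_pe(), key) + filler[123:]
    return find_xored_pe(carrier)              # (123, b'Z\xa7\x13')
```

The scan is quadratic in the worst case, so on a large resource section run it over the extracted resource rather than the whole carrier; a key longer than 32 bytes is out of reach of this particular known-plaintext window.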
Gabor Szappanos, Sophos. Gabor graduated from the Eotvos Lorand University of Budapest with a degree in physics. His first job was at the Computer and Automation Research Institute, developing diagnostic software and hardware for nuclear power plants. He started antivirus work in 1995 and has been developing freeware antivirus solutions in his spare time. He joined VirusBuster in 2001, where he was responsible for macro virus and script malware. From 2002 he was the head of the virus lab. Between 2008 and 2015 he was a member of the board of directors of AMTSO (Anti-Malware Testing Standards Organization). In 2012 he joined Sophos, where he works as a Threat Research Director.
December 10, 2025 14:00-14:45
Xavier Mertens (Xameco SRL, BE): Listen, Observe, Analyze: Overcoming Biases in Infosec Investigations
When we are performing investigations (threat intel, hunting, forensics, malware analysis or anything else), our path is full of pitfalls, more commonly called “biases”. We do our day-to-day job, we have our tools and processes and follow playbooks, but are we certain that we are not missing crucial information? In the first half of the talk, I'll explain how we can improve and use our senses in a better way: observe instead of see, listen instead of hear, etc. In the second part, I'll review some common mistakes that people make when performing malware analysis, with real examples that I observed here and there. Even if the abstract mentions “malware analysis”, this is not a very technical talk, but it will be helpful for all infosec practitioners.
Xavier Mertens is a freelance security consultant running his own company based in Belgium (Xameco). With 20+ years of experience in information security, Xavier finds “blue team” activities more attractive. Therefore, his day job focuses on protecting his customers' assets by providing services like incident handling, malware analysis, forensic investigations, log management, security visualization, and OSINT. Besides his day job, Xavier is also a Senior Handler at the SANS Internet Storm Center, a Certified SANS Instructor (FOR610, FOR71), a security blogger and a co-organizer of the BruCON security conference.
December 9, 2025 15:15-16:00
Vlad Iliushin (ELLIO / AMTSO, CZ): Modern Network Fingerprinting: from p0f to MuonFP & JA4
As scanning and reconnaissance methods grow more diverse - from public platforms like Shodan and Censys to hidden probing by botnets and bulletproof hosting services - security teams need better ways to understand who is on the other side of their network connections. This talk will show how network fingerprinting has developed over time, starting with simple tools like p0f and moving up to more advanced methods like JA4, JA4+, and MuonFP. We’ll discuss how these modern fingerprints can help analysts recognize the tools and infrastructure used by attackers, whether they are fast scanners, basic banner grabbers, or connections routed through VPNs and jump servers. You’ll learn how to use these fingerprints to strengthen your defenses, protect critical infrastructure, and reduce your visibility to public scanners. We will also explain how to fit fingerprinting into SOC and CSIRT workflows, noting both what it can and cannot do. Attendees will leave with a practical understanding of modern fingerprinting techniques and a few examples they can apply in their daily work.
Vlad Iliushin is co-founder of ELLIO, a research lab transforming exploitation and reconnaissance data into actionable threat intelligence and defense techniques. A cybersecurity enthusiast passionate about network security, IoT, and cyber deception, he serves as President of AMTSO. Previously, he founded and led the Avast IoT Lab (now part of Gen Digital). A speaker at BSides, HackTheBay, Web Summit, and SXSW, at ELLIO he leads development of its threat intelligence platform.
December 10, 2025 14:45-15:30
Tammy Harper (Flare, CA): Persōna Theory: Infiltration & Deception of Emerging Threat Groups
This talk explores various techniques, tactics, and psychological models used to infiltrate emerging threat actor groups. We will examine the process of target identification and discuss when it is appropriate to attempt infiltration. Additionally, we take a closer look at the concept of probing the enemy and the idea of weaponizing new relationship energy (NRE), which can be effective at destabilizing individuals and placing them outside of their comfort zones. An important aspect of Persona Theory is not only what we write but also how we present it. Stylometric analysis can be particularly useful in this area. We will compare transliteration and translation (both human and machine) to understand how to pass as a native speaker.
Tammy Harper is a Senior Threat Intelligence Researcher and Certified Dark Web Investigator at Flare. She is a contributor and volunteer threat intelligence researcher for the open-source project RansomLook. When not working on threat intelligence, she listens to techno and ambient music. Her other hobbies include street and nature photography, reading, camping, hiking, and learning about theoretical astrophysics, hypothetical stars, and exotic forms of matter.
December 10, 2025 11:00-11:45
Fyodor Yarochkin (Trend Micro, TW): Residential Proxy Networks Uncovered: Infrastructure & Insider Stories
In this session we will dive into the business of residential proxies and explore how residential proxies are sourced and how residential proxy sellers build their infrastructure. We look behind the veil of a few prominent sellers and examine the ecosystem behind them. We discuss use cases of use and abuse of residential proxies by criminals, including campaigns of information scraping, credit card and crypto fraud, credential harvesting and account brute forcing, and finally examine the difficulties of dealing with residential proxies from the defender's role and discuss the possibilities of detecting residential proxy traffic as well as strategies for risk mitigation.
Fyodor Yarochkin is a Senior Researcher, Forward-Looking Threat Research, at Trend Micro with a Ph.D. from EE, National Taiwan University. An early Snort Developer and Open Source Evangelist as well as a Programmer, his professional experience includes several years as a threat investigator and over eight years as an Information Security Analyst.
December 10, 2025 09:45-10:30
Righard Zwienenberg (ESET, NL): SAETI: State-Actor Empowered Threat Intelligence... A Good or a Bad Thing?
State-Actor Empowered Threat Intelligence (SAETI) represents a potent blend of government resources and cybersecurity expertise aimed at identifying, assessing, and mitigating threats in cyberspace. On the positive side, SAETI can significantly enhance national security by providing comprehensive insights into potential cyberthreats from hostile states, criminal organizations, and terrorist groups. Governments can leverage their vast resources, including advanced technologies and intelligence networks, to gather and analyze data more effectively than private entities can. This level of threat intelligence can lead to more robust defense mechanisms, better-prepared responses to cyber incidents, and a more secure digital infrastructure for both public and private sectors.
But the empowerment of state actors in threat intelligence also raises several concerns. One major issue is the potential for abuse of power and overreach. State actors with extensive surveillance capabilities might infringe on citizens' privacy and civil liberties under the guise of national security. The “centralized” control over threat intelligence might lead to a lack of transparency and accountability, making it difficult to ensure that such powers are not misused. There is a risk that the focus on national security could lead to the suppression of dissent and the targeting of political opponents, thereby undermining democratic values. It can also cause private organizations to lose visibility as they lose telemetry possibilities, such as with the EU-regulated “electronic IDentification, Authentication and trust Services”, or for short: eIDAS.
A significant drawback is the international implications of SAETI. When state actors engage in cyber operations, it can escalate tensions between nations and contribute to an ongoing cyber arms race. Countries might feel compelled to enhance their own cyber capabilities in response, leading to an environment of mutual distrust and increased cyber conflict. This can also complicate diplomatic relations and international cooperation on cybersecurity issues. Instead of fostering a collaborative approach to securing cyberspace, the involvement of state actors may lead to a fragmented and adversarial global landscape. Information professionals in the public sector have the Code of Ethics, established by the International Federation for Information Processing (IFIP) in 2020. Almost all affiliated organizations for information professionals endorse this code as a basis and guideline for methods, best practices, standards, and frameworks. The question is whether state-affiliated actors can and will use a code similar to the one that provides confidence in the private sector. Join us while we take a tour having a look at all the good and bad things of SAETI, where of course a flashback to ancient and historical intelligence services is not forgotten, as we always must learn from past mistakes, right?
Righard Zwienenberg began his work with computer viruses in 1988 after encountering his first virus issues at the Technical University of Delft. This experience sparked his interest in virus behavior, leading him to study and present solutions and detection methods ever since. Over nearly four decades, he has worked for various companies, including CSE Ltd., ThunderBYTE, Norman, and ESET. He has also held or continues to hold positions in several industry organizations, such as AMTSO, AVAR, the WildList, IEEE ICSG, and serves on the Advisory Board for Europol’s European Cyber Crime Center (EC3) and Virus Bulletin. He also runs his own computer security consultancy company (RIZSC). Zwienenberg has been a member of CARO since late 1991. He is a frequent speaker at conferences, including Virus Bulletin, EICAR, AVAR, FIRST, APWG, RSA, InfoSec, SANS, CFET, ISOI, SANS Security Summits, IP Expo, government symposia, SCADA seminars, and other general security events. Beyond his professional work in security, his hobbies include playing drums, performing magic, modeling balloons, restoring ancient computers, and much more.
December 9, 2025 13:15-14:00
Robert Schischka (nic.at, AT): TLD ISAC - Information Sharing and Cooperation in the Domain Industry
Close cooperation and open discussions have always been core values of CENTR, the association of European country code top-level domain (ccTLD) registries, especially as its members usually do not perceive their peers as competitors in a strict sense.
As the DNS is at the core of almost all internet communication, registries and DNS providers are considered essential services and are more and more in the focus of regulation and legal requirements (e.g. NIS2), but also of attackers of all kinds.
To face these challenges and foster information exchange, CENTR formed a TLD ISAC as a subgroup within the CENTR organization, focused on threat intelligence and incident reports but also on experiences with establishing security operations within the organization and on common projects like exercises, pentests or drafting a sector-specific threat landscape. This talk will give some insights into the experiences we gained in the first 3 years of setup and operation of this ISAC and the roadmap planned.
Robert Schischka studied business economics at the University of Economics in Vienna, specializing in commercial information technology and controlling. His professional focus is within the topics of IT strategy, architecture, infrastructure and IT security. He gained his profound experience as a security expert during his occupation in a subsidiary company of the Austrian National Bank and as a consultant with the internationally active IT-consulting company CSC. He has been CEO of nic.at since September 2003, where he is responsible for the technical operation, and since 2008 he has been director of the national Computer Emergency Response Team (CERT.at). He is currently co-chairing the European Financial ISAC (FI-ISAC) and the TLD-ISAC Steering Committee at CENTR, the association of European country code top-level domain (ccTLD) registries.
December 9, 2025 14:00-14:45
Paweł Pawliński (CERT.PL/NASK, PL), Piotr Białczak (CERT.PL/NASK, PL): Using DNS Registry and Requests for Securing .pl TLD and Beyond
Detecting and mitigating phishing on a country scale is a big part of our operations at CERT.PL. In this talk we will share our experiences with applying machine learning to identify suspicious sites using the .pl registry data and DNS traffic observed at the resolver level. We will compare results of different approaches to proactive detection of phishing domains and benchmark our work against alternative solutions. Deploying machine learning tools in production is often challenging and we will share how we integrated new monitoring capabilities with a country-wide DNS firewall, serving millions of users. Our lessons learned can be useful for operators of DNS infrastructure and anyone interested in translating large volumes of data into indicators.
Piotr Białczak is a researcher at CERT.PL. His professional interests include network traffic analysis, phishing detection, and applying machine learning to security problems.
Paweł Pawliński is a principal specialist at CERT.PL. His job experience includes data analysis, threat tracking and automation. He is always looking for better ways to collect, leverage and share CTI.
December 10, 2025 09:00-09:45
Lindsay Kaye (HUMAN Security, US): When Your CTV Box Goes Rogue: How Millions Were Tricked Into Aiding a Global Cybercrime Operation
Sometimes, you disrupt a massive fraud operation only for it to return bigger and stronger two years later. That's what HUMAN Security found with the successor to the original BADBOX campaign. BADBOX 2.0 targets millions of victims with more backdoor variants, more fraud schemes, and more sophistication than ever before. The China-based threat actors created an entire fraud ecosystem, infecting over 1 million consumer devices with a backdoor in over 200 countries and territories. BADBOX 2.0 is the largest botnet of infected connected TV devices ever uncovered and represents a significant evolution in cybercrime in which multiple types of fraud co-occur. This talk will dive into all of the details of BADBOX 2.0, including its interconnected nature, how threat actors target the entire customer journey, and how it can be impossible to thwart crimes like this without proper protection. HUMAN’s Satori Research team will present the technical intricacies, including the backdoor techniques, infection vectors, monetization strategies, and the infrastructure that enabled threat actors to hijack millions of devices worldwide, in addition to BADBOX’s implications for the Internet and how the company worked to stop it.
Lindsay Kaye is the Vice President of Threat Intelligence at HUMAN Security. Her technical specialty spans the fields of malware analysis and reverse engineering, with a keen interest in dissecting custom cryptographic systems. Outside of work, Lindsay writes articles on complex cybersecurity issues including data and trends analysis, technical pieces on reverse engineering and TTPs, and discussions on the business of the cybercriminal underground. Lindsay is an internationally-recognized cybersecurity speaker and author, and her first book, Reversing the Dark Web: Dissecting the Tools of the Underground Economy (No Starch Press) will be released in February 2026.
December 9, 2025 16:00-16:45