Schedule

16.9.2022 (Friday) at Park Boutique Hotel Varaždin.
Technical lectures, single track, relevant technical content with no sales talks.
Additional activities include: OWASP Croatia meeting.
| Time | Speaker | Subject |
|---|---|---|
| 08:30 - 09:00 | | Registration |
| 09:00 - 09:05 | | Opening Ceremony |
| 09:05 - 09:50 | Ivan Fratric | How I Hacked Zoom |
| 10:00 - 10:45 | Antonio Zekic | Apple Security Research Device |
| 10:55 - 11:40 | Martin Hanc | Fantastic secrets (and where we hide them) |
| 11:40 - 14:00 | | Lunch Break (no organized lunch, make your own arrangements) |
| 14:00 - 14:45 | Jagor Cakmak | Cybersecurity in automotive: How I Learned to Stop Worrying and Love the Connected Car |
| 14:55 - 15:40 | Bojan Zdrnja | Pwning around the Balkans |
| 15:50 - 16:35 | Vanja Svajcer | XLLing in Excel – the world of malicious add-ins |
| 16:35 - 16:40 | | Closing Ceremony |

How I Hacked Zoom

XMPP is an instant messaging protocol based on XML, used by Zoom but also by other messaging applications, online games etc. This talk will introduce a new way of attacking XMPP client software: XMPP stanza smuggling. More specifically, it will show how seemingly subtle quirks in XML parsing can be exploited to "smuggle" attacker-controlled control messages to the victim client and how the design of the XMPP protocol makes it especially susceptible to such issues. Using these issues, a 0-click remote code execution attack on the Zoom client will be demonstrated that can be achieved by simply sending a message to the victim.

# About the speaker

Ivan Fratric is a security researcher at Google Project Zero, where he currently focuses on browser security, remote attack surfaces in applications and fuzzing. Previously, he worked on the Google Security Team and, before that, at the University of Zagreb where he received his PhD. He has been publishing security research for over a decade and is the author of multiple open-source security tools.

Apple Security Research Device

Antonio's lecture 'Apple Security Research Device' will provide a general introduction to the specially fused iPhone that allows security researchers to perform research on the latest version of iOS without having to defeat or disable the platform security features of the iPhone.

# About the speaker

Antonio Zekić is a senior information security consultant at Diverto d.o.o. He is experienced in penetration testing and reverse engineering. In his spare time he enjoys fuzzing and exploit writing, with an emphasis on iOS/macOS vulnerability research.

Fantastic secrets (and where we hide them)

How modern cloud companies (like ours) handle their deepest secrets, and how (we believe that) we solved the secret zero problem, or "How it feels being a big secret storage provider" (#HashiCorpVault, #LetsEncryptBoulder, #HSM, ...)

# About the speaker

After working too long in Operations, trying to do automation, he switched to a Security role and successfully started working as a Security DevOps engineer in a company building private cloud infrastructure. Trying too hard to do stuff better, he got promoted to Security DevOps Technical Lead, with his main domain of focus being Access & Encryption. After stealing and implementing all the ideas from Let's Encrypt in the private cloud, he started to re-think the way the company handles secrets, and solved the secret zero problem.

Cybersecurity in automotive: How I Learned to Stop Worrying and Love the Connected Car

This talk is about the cybersecurity challenges, solutions and other fun stuff that currently keep the automotive world up at night. I will try to explain the risks of the connected car and how classic electrical engineering in embedded systems will need to change to keep up with the new connectivity.

# About the speaker

Doing cybersecurity for 12 years. Moved from IR/R&D in CARNet NCERT, Blue Team in EGCP, Red Team in Infigo IS to managing product security for connected automotive products in Rimac Technology.

Pwning around the Balkans

In the last few years Bojan was involved in a number of serious incidents in various companies in the region.
In this presentation we will take a look at several of the most notable incidents: the technical sophistication that was introduced, some novel exfiltration techniques, as well as some boring but devastating attacks.
Combined, the attacks caused damage of almost 1 million EUR, and that is probably only the tip of the (hacking) iceberg.

# About the speaker

Bojan is the Chief Technical Officer in INFIGO IS, a Croatian information security company. He leads INFIGO's offensive team, which is full of amazing researchers and one of the biggest in the region.
Besides this, Bojan is also a SANS certified instructor. He teaches the SEC542 (Web application penetration testing and ethical hacking) course, which he also co-authored.
Finally, he is a senior SANS Internet Storm Center handler, where he tries to regularly analyze new attacks and post (hopefully) interesting information about them.

XLLing in Excel – the world of malicious add-ins

When Microsoft announced that they will prevent downloaded VBA macros from executing, and that users won’t be able to work around that, there was an audible sigh of relief in the anti-malware research community. For decades, VBA macros have been one of the main infection vectors employed by many actors, from commodity malware developers to cybercriminals and state-sponsored groups.
This change will be gradual, as we will have to wait until most users upgrade to the latest versions of Microsoft Office. Nevertheless, it marks a step change in the malware resilience of Office applications, even if we take into account that security vulnerabilities will provide another port of entry for malicious code for the foreseeable future.
VBA macros and vulnerabilities are not the only way for malicious code to interact with the rich capabilities of Microsoft Office and use Office programs to infect systems. For example, native Excel XLL add-ins, according to Microsoft, are files with the extension .xll, a type of dynamic link library (DLL) file that can only be opened by Excel. XLL add-in files must be written in C or C++.
The C API has none of the higher-level rapid development features of Microsoft Visual Basic for Applications (VBA), COM, or the Microsoft .NET Framework. Memory management is low level, and therefore puts greater responsibility on the developer. Many Excel features that are exposed through COM, making them available through VBA and the .NET Framework, are not exposed to the C API.
For malicious actors to run their code when Excel opens an XLL file, the XLL file must contain one of the well-known exported functions which will be called when specific events in Excel are triggered. For example, xlAutoOpen is called by Excel whenever the XLL is activated, and xlAutoClose whenever the XLL is unloaded.
The development of XLL add-ins requires a level of proficiency in C/C++ programming which malware actors often don’t possess, so there are several builders that allow threat actors to build certain types of XLL without in-depth knowledge of programming or of the API functions. There are other frameworks, such as Excel-DNA, which allow easy creation of XLL files using .NET languages.
Although XLL files have been used by malicious actors since their introduction by Microsoft, we have observed an increase in their usage since Microsoft announced the discontinuation of VBA macros, even if that decision was temporarily reverted.
In this presentation, we dive into the world of Microsoft Excel add-ins and XLL malware. We start with the development process, the official tools such as the Excel XLL SDK and the API available to Excel add-ins, and continue with documenting other tools for building XLL files.
We discuss the evolution of XLL samples since their inception and specifically focus on the most interesting examples, indicating that the interest in XLL add-ins is not just in the domain of the most prevalent families of commodity malware.
We finish with recommendations on how to protect against XLL plugins and the best ways of detecting them.
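Because Excel locates an add-in's callbacks by name in the DLL's export table, the presence of those exported names is the cheapest static triage signal for "is this PE an XLL?". The script below is an added example written for this page, not code from the talk or from Cisco Talos: it walks the PE export directory by hand (no pefile dependency) and reports which XLL entry points a file exports. The entry point list contains xlAutoOpen and xlAutoClose from the abstract plus a few other callback names documented in the Excel XLL SDK. Because no real XLL can ship with the page, the script also contains a small builder that constructs a synthetic PE32+ image with an export table; that image is test data only and is not loadable.

```python
"""Flag PE files that export Excel XLL entry points (e.g. xlAutoOpen).

Added example for the abstract above; not the talk's or the conference's code.
The builder at the bottom constructs a synthetic PE so the script runs offline.
"""
import struct
import sys

# Callback names Excel resolves by name in an XLL's export table (XLL SDK).
XLL_ENTRY_POINTS = {"xlAutoOpen", "xlAutoClose", "xlAutoAdd", "xlAutoRemove",
                    "xlAutoRegister12", "xlAddInManagerInfo12"}


def _rva_to_offset(rva, sections):
    """Translate a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x not backed by any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def pe_exports(data):
    """Return the exported function names of a PE image ([] if it exports nothing)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+
    exp_rva, _exp_size = struct.unpack_from("<II", data, dirs)  # dir 0 = exports
    if exp_rva == 0:
        return []
    sections = []
    sec = opt + opt_size
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(exp_rva, sections)
    # IMAGE_EXPORT_DIRECTORY: +24 NumberOfNames, +28 AddressOfFunctions, +32 AddressOfNames
    n_names, _funcs_rva, names_rva = struct.unpack_from("<III", data, exp + 24)
    names_off = _rva_to_offset(names_rva, sections)
    names = []
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        names.append(_cstring(data, _rva_to_offset(name_rva, sections)))
    return names


def xll_entry_points(data):
    """Sorted list of XLL callback names that the PE exports."""
    return sorted(set(pe_exports(data)) & XLL_ENTRY_POINTS)


def is_xll(data):
    return bool(xll_entry_points(data))


def build_fake_pe(dll_name, exports):
    """Construct a minimal PE32+ image with one section holding an export table.

    Test data only (constructed here): no code, no imports, not loadable."""
    sec_va, sec_raw, n = 0x1000, 0x200, len(exports)
    dir_rva = sec_va
    funcs_rva = dir_rva + 40
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    strings = dll_name.encode() + b"\0"
    name_rvas = []
    for e in exports:
        name_rvas.append(str_rva + len(strings))
        strings += e.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva, 1, n, n,
                       funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", 0) for _ in range(n))       # function RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)      # name RVAs
    body += b"".join(struct.pack("<H", i) for i in range(n))       # ordinals
    body += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64 DLL
    datadirs = struct.pack("<II", dir_rva, len(body)) + b"\0" * (8 * 15)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16) + datadirs
    section = b".edata".ljust(8, b"\0") + struct.pack("<IIII", len(body), sec_va,
                                                         len(body), sec_raw) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + opt + section
    return headers.ljust(sec_raw, b"\0") + body


if __name__ == "__main__":
    paths = sys.argv[1:]
    samples = [(p, open(p, "rb").read()) for p in paths] or \
        [("<synthetic>", build_fake_pe("sample.xll", ["xlAutoOpen", "xlAutoClose", "DllMain"]))]
    for path, blob in samples:
        hits = xll_entry_points(blob)
        print("%s: %s" % (path, "XLL entry points " + ", ".join(hits) if hits else "no XLL exports"))
```

Run it with one or more file paths to triage real files, or with no arguments to see it classify the synthetic sample. Treat a hit as "this is an XLL", not as "this is malicious": add-ins built with the official SDK or with Excel-DNA export exactly the same names, so the check is a first-pass filter that tells you which DLLs Excel would actually activate, to be followed by whatever deeper analysis or allow-listing your environment uses. The parser walks only named exports and trusts the section table, so a corrupted or deliberately malformed header raises ValueError rather than silently returning "clean".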

# About the speaker

Vanja Švajcer works as a Technical Leader for Cisco Talos. He is a security researcher with more than 20 years of experience in malware research and threat intelligence. Prior to joining Talos, Vanja worked for SophosLabs and in a Security Research Team at Hewlett Packard Enterprise.
Vanja enjoys tinkering with automated analysis systems, reversing binaries and analysing mobile malware. He thinks time spent scraping telemetry data to find indicators of new attacks is well worth the effort. He presented his work at conferences such as Virus Bulletin, RSA, CARO, AVAR, BalCCon, FSec and others.
In his free time, he is trying to improve his acoustic guitar skills and occasionally attempts to play basketball, which at his age, is not a recommended activity.
