-
Off The Record - Weaponizing DHCP DNS Dynamic Updates
Ori David - Security Researcher & Dan Petrillo - Security Strategy Director
Attackers love DNS spoofing. The ability to redirect unsuspecting victims' traffic is very appealing to the bad guys, and can lead to all sorts of devastating consequences - sensitive data exposure, credential compromise, and even remote code execution.
As every sysadmin knows - DNS is hard. It is a complex ecosystem with many moving pieces. One such "piece" is a seemingly harmless feature in the DHCP protocol called "DHCP DNS Dynamic Update", which allows a DHCP server to register DNS records on behalf of its clients. This feature is also present and enabled by default in the Microsoft DHCP server, one of the most common DHCP servers in the market.
In this session, we will explore this feature and show the attack surface it exposes in Microsoft environments - we will detail a novel attack tactic that could allow unauthenticated attackers to spoof arbitrary DNS records in Active Directory DNS zones, and show how this could be abused to intercept authentication and achieve remote code execution. We will examine the different security settings that should prevent these attacks, and show how they fail to do so in some cases.
Finally, we will release two open-source tools: the first is meant to detect risky DHCP misconfigurations, and the second to exploit them.
-
Tunnel Vision: Exploring VPN Post-Exploitation Techniques
Ori David - Senior Security Researcher
We have all heard this story before - a critical vulnerability is discovered in a VPN server. It's exploited in the wild. Administrators rush to patch. Panic spreads across Twitter.
Attackers have long sought to exploit VPN servers - they are accessible from the internet, expose a rich attack surface, and often lack adequate security and monitoring. Historically, VPNs were primarily abused to achieve a single objective: gaining entry into internal victim networks. While this is evidently very valuable, control over a VPN server shouldn't be seen solely as a gateway to the network; it can certainly be abused in various other ways.
In this talk, we will explore VPN post-exploitation - a new approach consisting of different techniques attackers can employ on a compromised VPN server to further progress their intrusion. To demonstrate this concept, we will inspect two of the most common VPN servers on the market - Ivanti Connect Secure and FortiGate - and show how an attacker with control over them can collect user credentials, move laterally, and maintain persistent access to the network.
We will conclude by detailing best practices and principles that should be followed by security teams when using VPN servers to reduce the risk from post-exploitation techniques.
During the session, you will:
- Explore critical vulnerabilities and real-world exploits on popular VPN platforms.
- Discover post-exploitation tactics for credential collection, lateral movement, and persistent access.
- Learn best practices to enhance VPN security and reduce advanced threat risks.