Veronica Valeros


Main focus: Cyber Threats Research

Twitter handle: @verovaleros

Website/blog: https://www.veronicavaleros.com/

Languages: English, Spanish

City: Czech Republic

Country: Czechia

Topics: cyber threats, malware analysis, remote access trojans, threat intelligence, threat research

Bio:

Veronica is a hacker and researcher from Argentina. Her research has a strong focus on helping people and spans different areas, from wireless and Bluetooth privacy issues to malware, botnets and intrusion analysis.

She has presented her research at international conferences such as BlackHat, EkoParty, Botconf, Troopers, and others. Since 2017, she has participated as a committee reviewer for several conferences, including BlackHat EU, GreHack, and BSides Zürich.

She is the co-founder of the MatesLab hackerspace (@mateslab) based in Argentina. She is also the co-founder of the Independent Fund for Women in Tech (@womenintechfund), which aims to change the participation ratio of women at security conferences by providing free tickets to attend those events. She is also part of the core team of Security Without Borders (@swborders), a collective of cyber security professionals who volunteer to assist people at risk and NGOs with cyber security issues.

From 2013 to early 2018 she worked in the Cognitive Threat Analytics team (Cisco Systems), where she specialised in malware network traffic analysis and large-scale threat categorisation. She led a threat research team, running simultaneous research projects and mentoring young people.

In April 2018, she joined the Czech Technical University in Prague. She leads the Civilsphere project, which aims to protect NGOs from targeted attacks and cyber threats that may endanger their activities. In her spare time she studies and researches remote access trojans in a project called 'A Study of RATs'.

Examples of previous talks / appearances:

Latin America, target of an advanced cyber-espionage group

Since 2010, a cyber-espionage group known as Machete has claimed more than 700 victims among governments, embassies and military institutions in Latin America. In this talk I present the investigation we carried out into the latest campaigns of El Machete. Come and find out how it operates, how the malware works, and the tricks it has implemented in recent months.

This talk is in: Spanish
Panel: Women in Technology and Science

On Friday 17 November, starting at 10, a conference entitled "Mujeres en Tecnología y Ciencia" (Women in Technology and Science) will be held. During the event, different aspects of the gender gap will be addressed, and the challenges and opportunities that exist in industry and academia on the subject will be presented.

The speakers will be:
- Verónica Valeros: Expert in information security. Researcher at CISCO Cognitive Analytics. Founder of MatesLab Hackerspace. Member of Security Without Borders.
- María Nazabal: Lawyer. Coordinator of the Human Rights Area of the UNICEN. Member of the Foro de las Mujeres de Tandil.
- Luciana Zabaleta: Technical Director of the UI Engineering studio at Globant.

This talk is in: Spanish
Spy vs. Spy: A Modern Study Of Microphone Bugs Operation And Detection

Authors: Veronica Valeros, Sebastian Garcia

In 2015, artist Ai Weiwei was bugged in his home, presumably by government actors. This situation raised our awareness of the lack of research in our community about operating and detecting spying microphones. Our biggest concern was that most of the knowledge came from fictional movies. Therefore, we performed a deep study of the state of the art of microphone bugs, their characteristics, features and pitfalls. It included real-life experiments in which we tried to bug ourselves and to detect the hidden mics. Given the lack of open detection tools, we developed a free software SDR-based program, called Salamandra, to detect and locate hidden microphones in a room. After more than 120 experiments we concluded that placing mics correctly and listening is not an easy task, but it has a huge payoff when it works. Also, most mics can be detected easily with the correct tools (with some exceptions for GSM mics). In our experiments the average time to locate the mics in a room was 15 minutes. Locating mics is the novel feature of Salamandra, which is released to the public with this work. We hope that our study raises awareness of the possibility of being bugged by a powerful actor and of the countermeasure tools available for our protection.

This talk is in: English
Knock Knock… Who’s there? admin admin, Get In! An Overview of the CMS Brute-Forcing Malware Landscape

Authors: Anna Shirokova, Veronica Valeros

With more than 18M websites on the internet using WordPress [1] and hundreds of known vulnerabilities reported [2], this and other well-known Content Management Systems (CMS) have been systematically attacked in recent years by different threat actors looking for disposable infrastructure for their attacks.

Brute-forcing is one of the most common types of attack against CMSs. The main goal of this attack is straightforward: to obtain a valid username and password and access the CMS administration panel. Attackers take advantage of the fact that, in most cases, the passwords chosen for CMS accounts are very weak. Successfully brute-forced websites are commonly used for hosting C&Cs, scams, and drive-by attacks to spread malware.

The goal of this presentation is threefold. First, we will give an overview of the history and current state of brute-force attacks and discuss why WordPress comes under brute-force attack more often than other CMS platforms. Second, we will provide an overview of the different brute-forcing botnets and the techniques they use. Third, we will provide an in-depth analysis of the Sathurbot botnet.

The Trojan Sathurbot first appeared in 2013 [3] and is still active, affecting hundreds of users. To date, the trojan has 4 known modules: backdoor, downloader, web crawler, and brute-forcing. The downloader module allows the trojan to deliver additional malware to the infected machine, such as Boaxxe, Kovter, and Fleercivet. The web crawler module allows the trojan to query different search engines for websites using the WordPress CMS. The brute-forcing module is what the trojan uses to attempt to log in to WordPress admin panels with different credentials. The case study focuses on the web crawling and brute-forcing modules, with specific insights obtained from a real infection. It provides insights into the infrastructure, target selection, aggressiveness, and an analysis of its success based on our observations.

Finally, we will talk about detection methods to identify these types of attacks.

[1] Built With. (2017, April). WordPress Usage Statistics. Retrieved from https://trends.builtwith.com/cms/WordPress
[2] CVE Details. (2017, April). WordPress Security Vulnerabilities. Retrieved from https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/
[3] Krebs On Security. (2013, April). Brute Force Attacks Build WordPress Botnet. Retrieved from https://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/

This talk is in: English
A new twist on the APT targeting Latin America

Authors: Veronica Valeros, Ross Gibb (GoSec 2017)

Talk describing our research on the Machete APT.

This talk is in: English
An overview of the CMS brute-forcing malware landscape

Authors: Anna Shirokova, Veronica Valeros

Web content management systems (CMS), specifically WordPress, have been widely adopted since their inception. Over 5% of the internet's websites today use WordPress. Because of this wide adoption, CMSs are constantly targeted by malicious actors looking for cheap and disposable infrastructure for their malware. Compromised CMSs are often used as temporary command and control servers, to host malicious files, or for various drive-by attacks. Brute forcing is the most common type of attack against CMSs; it takes advantage of users who often choose weak credentials. In order to avoid detection, malicious attackers use distributed brute-forcing attacks against CMS websites with botnets designed specifically for this purpose. One of the most recent and prominent botnets in this area is Sathurbot. In this talk we will present an in-depth analysis of the Sathurbot botnet. The goal of the presentation is threefold: first, an introduction to the Sathurbot botnet, its historical context, and an overview of its modules; second, a network traffic analysis of a five-day real Sathurbot infection; third, insights into the malicious actor's operational techniques.

This talk is in: English
Spy vs. Spy: A modern study of microphone bugs operation and detection

Authors: Veronica Valeros, Sebastian Garcia

In 2015, artist Ai Weiwei was bugged in his home, presumably by government actors. We were concerned about the lack of research on placing and detecting bugs and how little it is discussed in the community. While in some countries the possibility of having a mic bug at home is non-existent, sadly in other countries it is far too common. As the technology gets cheaper and more accessible, the possibility of being bugged becomes more real. However, our general knowledge about mic bugs comes mostly from movies and other fictional sources, which may be far from reality. How much of this is true? How much of it is fiction?

Concerned about the knowledge gap in this area, we decided to perform an in-depth survey of state-of-the-art microphone bugs, their characteristics, features and pitfalls. We did real-life experiments in Spy-vs-Spy scenarios: one person in charge of placing hidden mic bugs and the other attempting to detect them. Given the lack of open source detection tools, we also developed a free software SDR-based program to detect hidden microphones. In this talk we present the results of our research and we release our tool, hoping to help debunk the common and usually fictional beliefs about microphone bugs. Our results show how far the mics can reach, how difficult it is to place them, how much time it takes to find them, how much space they occupy, how hard it is to change them and how hard it is to remove them.

This talk is in: English
The Future of Cybersecurity Needs You: Here is Why

In the last decade we have observed a shift in cybersecurity. Cyber threats have started to impact our daily lives more and more, even to the point of threatening our physical safety. We learnt that attackers are well aware of our weaknesses and limitations, that they take advantage of this knowledge, and that to be successful they only need to be a little better than us. As defenders, we struggle. We perfected existing solutions to protect our environments with some degree of success, but still today we fall behind adversaries more often than not. We got really good at collecting data, to the point of not being able to use it to its full extent. This led us to ask ourselves: is this it? Is this all we can do? The future of cybersecurity needs you; join me in this talk to find out why.

This talk is in: English
50 Thousand Needles in 5 Million Haystacks: Understanding Old Malware Tricks to Find New Malware Families

Authors: Veronica Valeros, Karel Bartoš, Lukas Machlica

The malware landscape is characterised by its rapid and constant evolution. Defenders often find themselves one step behind, resulting at best in monetary losses and, in the most extreme cases, even endangering human lives. Corporations, with the unique challenges they face, must assume that sooner or later malware infections will get through their security perimeter. Efforts should then be focused on early detection to contain and quickly mitigate the threats before they manage to cause any substantial damage. Even today's stealthiest malware, if it is controlled remotely, needs active network communication to report back to the attacker. This activity gives us a competitive visibility advantage. Nowadays we have the computational power and mechanisms to process huge amounts of data. Machine learning gives us the algorithms to analyse network data in order to find specific types of behaviour. The challenge is how to use this technology to detect what matters most: malicious behaviours that pose a high risk to companies. In this talk we address four key challenges related to automatic malware detection in network traffic: how to detect malware that changes its network behaviour over time (e.g. changing different parts of the URL), how to mitigate potential mislabeling of the training data, and how to perform large-scale multi-class detection. We also introduce a training mechanism that allows us to automate the learning process and improves the precision of the classifiers. We present unique algorithms that help to solve different problems in each of the identified challenges. The results of our research constitute part of a working intrusion detection system that consumes real network traffic from more than 5 million users per day. We show how these methods can be used to learn from well-known malware samples, generalise the behaviour and consequently find novel threats.
We illustrate the detection performance of each algorithm by presenting real examples of malware detected by the algorithms described in this work. We also elaborate on how the infections found would otherwise have been missed using traditional detection tools.

This talk is in: English