Full Report
In a world of returning back to, well, “normal” it meant that we could finally have our annual internal hackathon as Orange Cyberdefense in person! And that is exactly what SenseCon 2022 was. An internal, global ethical hacker conference spread across six regions. In this post we’ll talk about exactly that, the challenges as well as the projects people worked on. As a bonus, we have one of the challenges, BuzzWord, available for you to play via our Discord server, today! Just join using this link, and check out the instructions in the #buzzword-instructions channel.
Analysis Summary
# Main Topic
The content describes SenseCon 2022, an internal, global ethical hacker conference and hackathon hosted by Orange Cyberdefense across six regions, focusing on training sessions and various technical projects developed during the event, **not** a threat intelligence report concerning active threats or malicious campaigns.
## Key Points
- SenseCon 2022 was an in-person, internal ethical hacker conference held across six regions.
- The event included training sessions, technical challenges ("BuzzWord" optimization challenge and a password cracking challenge), a social event, and a 24-hour hackathon.
- One challenge, "BuzzWord," which involved submitting "FUD" to a server, is being made available to the public via the organization's Discord server.
- Training themes included Infrastructure as Code (Ansible, Packer), Mobile Hacking (Android), and Ethereum/Smart Contract security (Solidity).
- Hackathon projects covered topics such as hardware keylogger brute-forcing, automating Evilginx setup via Terraform/Ansible, Telegram anonymity testing, and hardware hacking (Wink Hub, classic car remote start).
## Threat Actors
- No external threat actors, campaigns, or attribution are mentioned. Insights are derived from internal security professionals performing ethical hacking exercises.
## TTPs
The following offensive and defensive security techniques were explored during training and hackathon projects:
- **Password Cracking:** Utilizing cracking techniques against hashes from a narrative challenge.
- **Infrastructure as Code Exploitation/Automation:** Deploying **Evilginx** setup automatically using Terraform and Ansible.
- **Hardware Glitching/Hacking:** Jailbreaking a Wink Hub using a glitching technique.
- **Hardware Control:** Using an ESP-8266 to control a car's remote start mechanism.
- **Mobile Reverse Engineering/Interception:** Setting up tools to reverse engineer and intercept Android mobile applications.
- **Smart Contract Security:** Exploring vulnerabilities in Ethereum smart contracts developed using Solidity.
- **Anonymity Testing:** Investigating the anonymity of Telegram groups and developing deanonymization techniques.
## Affected Systems
- Windows computers (targeted by a drive-by attack simulation project aiming to dump hashes).
- Android mobile applications (for reverse engineering training).
- Ethereum/Solidity smart contracts.
- Wink Hub devices.
- General cloud infrastructure utilizing Pulumi and AWS.
## Mitigations
Mitigations are implied through the training topics, suggesting areas where defensive improvements are needed:
- Secure configuration and operational security practices related to Infrastructure as Code environments (Ansible, Packer, Terraform).
- Thorough security auditing and vulnerability analysis of Ethereum smart contracts.
- Secure development practices for mobile applications targeting Android.
- Strong password policies and multi-factor authentication (implied by the password cracking challenge).
## Conclusion
SenseCon 2022 served primarily as an **internal knowledge-sharing and skill-building event** for Orange Cyberdefense ethical hackers, focusing on cutting-edge techniques in IaC, hardware manipulation, and blockchain security. The "threat intelligence" derived is focused on internal assessment of offensive capabilities rather than external threat reporting. The public availability of the "BuzzWord" challenge indicates a desire to engage the community via their Discord platform.