You can start buying tickets from July 15th, 2022


Cybersecurity Track - November 25, 26th



PASS 60€


No cON Name Congress - 2022 Edition



  • November, 25th
  • November, 26th





Cybersecurity Track

Android Threats in Legitimate App Stores

Tatyana Shishkova

The best way of protecting any mobile device against cyberthreats is to download all applications from official marketplaces, such as Google Play or App Store. However, although apps undergo many security testing procedures before being published, this does not guarantee that a user will not encounter a phishing application or even a banking Trojan. This presentation will talk about current cyberthreats to Android users that have made their way into official marketplaces in the last year.

Development of Threat Intelligence platforms with the integrity of the security operation center

Touhami Kasbaoui

Threat intelligence is becoming more important in the cybersecurity industry, especially with the growth of RaaS attacks and threat actors. The research briefly covers advanced threat intelligence based on different solutions for development and the strategies to take into consideration, including a brief proof of concept that gathers different types of leaks and automated malware analysis IOCs to identify the threat actors' kill chain and strategies, because APTs require high skills and the most relevant challenge is the change in the way of coding and in the tactics and techniques in different ways. The talk will also cover threat actors developing ATM malware dispensers in South America and the benefits of threat intelligence skills that lead to discovering the TTPs of each actor.

Malware emulation with scemu

Jesús Olmos

He will present scemu, a CPU and Windows/Linux internals emulator developed in Rust that provides enough speed and safety to analyze some malware, both shellcode and PE binaries. The tool allows automatic emulation and also has a console to manually control the emulation state. It's like a debugger where the malware is not really executed.

Radio Car Hacking: improving rolljam for attacks in real-world environments

Joel Serna Moreno

The talk will begin with an introduction to the current state of the radio-level security implemented by manufacturers in modern cars, based on a vehicle purchased at the end of 2021. The talk will focus on the rolljam attack, presented by Samy Kamkar, explaining technically what the attack consists of and what its limitations are, and will finally show an improvement to the attack made by the speaker himself using low-cost hardware. Lastly, a device developed for this purpose will be shown, capable of having full control over the attack using wireless technologies.

Inside the Halls of a Criminal Business

David Sancho

Do you know how modern cybercriminal organizations are structured? This presentation will show an in-depth analysis of how three different cybercriminal enterprises function like a normal legitimate business. Modern cybercriminal organizations have evolved now to include HR departments, sales-like "OSINT" departments, hand out bonuses and even offer holidays off. We compare criminal enterprises that exist at the start-up, mid-level and large level to the inner workings of an equivalent-sized legitimate company.

Characterization and Evaluation of IoT Protocols for Data Exfiltration

Daniel Uroz and Ricardo J. Rodriguez

Data exfiltration relies primarily on network protocols for unauthorized data transfers from information systems. In addition to well-established Internet protocols (such as DNS, ICMP, or NTP, among others), adversaries can use newer protocols such as Internet of Things (IoT) protocols to inadvertently exfiltrate data. These IoT protocols are specifically designed to meet the limitations of IoT devices and networks, where minimal bandwidth usage and low power consumption are desirable. In this talk, we review the suitability of IoT protocols for exfiltrating data. In particular, we focus on the Constrained Application Protocol (CoAP; version 1.0), the Message Queuing Telemetry Transport protocol (MQTT; in its versions 3.1.1 and 5.0), and Advanced Message Queuing Protocol (AMQP; version 1.0). For each protocol, we review its specification and calculate the overhead and available space to exfiltrate data in each protocol message. In addition, we empirically measure the elapsed time to exfiltrate different amounts of data. In this regard, we develop a software tool (dubbed CHITON) to encapsulate and exfiltrate data within the IoT protocol messages. Our results show that both MQTT and AMQP outperform CoAP. Additionally, MQTT and AMQP protocols are best suited for exfiltrating data, as both are commonly used to connect to IoT cloud providers through IoT gateways and are therefore more likely to be allowed in business networks. Finally, we also provide suggestions and recommendations to detect data exfiltration in IoT protocols.

Reversing and Debugging EDRs to find vulnerabilities and strengths

Alejandro Pinna

During the last few years the use of EDR software by companies has become a fact. Everyone knows their ability to prevent incidents and react effectively when they occur, vastly surpassing the ability of old antivirus software. Following the publication of numerous studies and articles, most EDRs have moved the core of their detections towards the use of Kernel Callbacks, which are much more difficult to bypass than detections implemented in user space. These techniques are much less documented, since bypassing them requires research work based on reverse engineering, so in many cases an in-depth analysis of their implementation is ruled out. Over the past few months, research has been conducted on a number of well-known EDR products, including CrowdStrike, Cortex XDR, SentinelOne, and Elastic EDR.

Developer in a digital crosshair, 2022 edition

Mateusz Olejarka

Recent years have shown a huge increase in the number of attacks on third-party libraries and tools used in software development. Typosquatting, dependency confusion, malicious changes in popular dependencies (UAParser.js, coa, node-ipc...), issues in popular dev tools (Codecov, Homebrew, npm...) or incidents (PHP, GitHub...). During my talk I will show a lot of interesting, recent examples of such attacks, their causes and effects, and discuss how to stay secure when developing software.

Is persistence on serverless even possible?! Pwning AWS Lambdas & GCP Cloud Functions

Paweł Kusiński

Serverless computing is not only a popular option in cloud environments, but also a suggested method for creating a lot of things! Did you ever think about how it works under the hood? Is serverless really server-less? How does the execution environment work? Is persistence even possible in this event-driven compute service? Remote Code Executions or Command Injections are rare, but what if there is one in your function? It could also be introduced by an attacker through dependency injection. How can it be used to acquire persistence and exfiltrate more data than the function role gives? Let's hijack the data in real time from AWS Lambdas and GCP Cloud Functions!

Common TTPs of modern ransomware

Marc Rivero Lopez

The state of the art in ransomware is one of the principal concerns for both private and public organizations. Since ransomware transitioned to a RaaS model, we have seen how the different groups adapted their TTPs to that evolution. Be aware of the TTPs of these ransomware groups; it will be the glue that can bind together multiple diverse teams operating at different levels with different priorities. The Global Research and Analysis team, also known as the GReAT team from Kaspersky, analyzed thousands of operations carried out by the different RaaS groups and drew conclusions regarding how these operations are conducted and which TTPs the industry should focus on to either track them or defend the different organizations. We drew on our statistics to select the most popular groups, analyzed the attacks they perpetrated in detail, and employed the techniques and tactics described in MITRE ATT&CK to identify a large number of shared TTPs. By tracking all the groups and detecting attacks, we see that the core techniques remain the same throughout the cyber kill chain. The attack patterns thus revealed are not accidental, because this class of attack requires the hackers to go through certain stages, such as penetrating the corporate network or the victim's computer, delivering malware, further discovery, account hijacking, deleting shadow copies, removing backups, and finally, achieving their objective.

Building Threat Intelligence from the malware network protocol

Albert Priego

Obtain good insight into current malware behavior and an in-depth understanding of how to build threat intelligence to fight it. Use cases on Hydra and Qbot explained from scratch: what the malware is and what it does, how to track and retrieve information from the C2 and get configurations. Build actionable intelligence and use it.

Container Escape: All you need is cap

Ilan Sokol, Eran Ayalon

In the last few years, containers have become a significant part of the cyber attack surface. Containers are now used by virtually all enterprises for day-to-day operations, making them a prime target for attackers. As a result, the number of cyberattacks involving containers has significantly increased. Consequently, security researchers and blue teams have to be familiar with this whole new world. In our talk, we will focus on container escapes. Container escape is considered the ‘Holy Grail’ of the container security attack world.

The definitive compendium of attacks on Active Directory

Jorge Escabias Martínez

Since Active Directory was officially released with the launch of Windows Server 2000, as a single ecosystem oriented to service management, it has undergone important changes and developments to adapt to the ever-changing IT world. These changes have not only extended and improved its functionality, but have also brought with them vulnerabilities and small design flaws that security analysts and researchers have discovered over time. Since 22 years is a long time, this talk will analyze the most important vulnerabilities and misconfigurations that any analyst and system administrator should know about within an Active Directory. An essential session for any self-respecting pentester.

Important Dates

    • Call For Papers Requests closing: September, 15th 2022
    • Call For Papers Approval: September, 25th 2022
    • Schedule publication: October 1st, 2022
    • Cybersecurity Track: November, 25-26th 2022 (BARCELONA)