YSTS X: The highlights of the COOLEST security conference in Brazil

One day after BSides LatAm, it was the turn of another security conference in Brazil: You Shot The Sheriff, now in its tenth edition. Happening on one of the coolest days in Sao Paulo, the event took place at Villa Bisutti, where the whole event was very well organised.

The welcome coffee was a good opportunity to meet some friends and also make new ones, as the majority of the security professionals from Brazil and also other countries were attending the event.

Luiz, Nelson and Willian opened the event by talking about the difference between the first edition and the tenth, showing that it has become much more mature and professional but is still a challenge to make happen. They also talked about their work to keep the event the same size, as they believe that increasing the number of attendees could decrease the quality of the event, something they work hard to improve with each edition.

After that, Anchises Moraes from RSA opened the talks with a presentation about the stone age and the computing era, comparing the information gathered from paintings on cave walls, which can lead us to an understanding of what happened at that time, with the information that we are storing on the internet and that will stay visible to the next generation.


Following this, Andrey Plastunov talked about a different attack scenario, where instead of targeting the normal user it targets developers, by infecting source code, attacking source control and continuous integration software in order to steal credentials. He explained that in most cases the developer has too much access, allowing the attackers to steal information that usually is not found on normal users’ computers, like remote desktop connections, FTP accounts and so on.


Our own Dmitry Bestuzhev attracted attention with his talk about the mobile weapons used for cyber-espionage, by explaining in detail the level of information that could be gathered from samples found in the wild targeting Android, Windows Phone and also the almost untouchable iOS. In his talk Dmitry drew attention to the point that nowadays, where there is extensive end-to-end encryption, it is easier to collect the desired information by infecting the device rather than attacking software encryption.


After this talk, lunch was available, as well as beer and drinks, and people could take time to talk with the presenters, sponsors and friends. The environment was really cool, and the area next to the bar was the preferred place to get together with other participants.

When the sessions restarted, it was the turn of Emmanuel Goldstein, 2600 hacking magazine editor, to talk about the challenging work of running a hacking magazine without any publicity; he also encouraged people to listen to what young people and hackers have to share, as they have too much to say that will also help us.

Another very interesting technical talk was presented by Igor, who did a live demonstration of creating a portable BTS (Base Transceiver Station) in order to perform a man-in-the-middle attack to intercept calls and SMS messages on 2G networks. On the stage he made a call to one of the participants and then reproduced the intercepted content.

In summary, it was an amazing event with excellent organization, a mix of technical and non-technical talks and a very select group of security professionals, where you had a chance to talk and make connections. Of course, I could not forget to mention the party at the end, where the participants had another chance to enjoy beer and other good drinks as well as networking.
