My impression of BlackHat Europe 2021

The briefing and arsenal presentations of BlackHat Europe 2021 were on 10 and 11 November. It was the first physical European edition since the pandemic started, and it was the first time I attended a BlackHat event. In this blog, I will reflect on the taken COVID measures, the arsenal, the briefings, and the business hall, and I will first provide my general view of the conference.

Table of contents

My general overview

To me, the atmosphere of the conference was very open and welcoming, even with the COVID related measures in-place. The speaker drinks the evening prior to conference provided a welcome opportunity to meet new people before the conference started, which made for great fun to grab a drink in London’s centre the day after.

The organisers are open and friendly, be it to answer a question or when simply chit-chatting. During my first arsenal presentation I had some audio issues, which were quickly resolved, after which I could start my presentation and demo. The lunch, snacks, and dinners that were served were of high quality, with the option between at least two meals, including a vegetarian option for those who so desired.

I’d like to thank all the staff for organising such a great event, especially in these unpredictable times.

COVID measures

The pandemic is not going anywhere anytime soon, but with vaccines, tests, and other additional measures it is somewhat possible to have a physical conference again. To enter the ExCeL London centre, which is the venue BlackHat Europe took place in, one had to show proof of vaccination.

Inside, the usage of a face mask was encouraged, but not mandatory. There were face masks available for those who forgot to bring their own, making them easily available for all. Additionally, there were plenty of hand sanitation stations where attendees could wash their hands. The pathways between the booths, as well as the briefing rooms and the arsenal stations, were spaciously set-up. This allowed attendees to sit with at least one spare chair in-between them.

Even though a physical event will never be as safe as a virtual one, I do think the set conditions and precautions made the event safe to attend.

The arsenal

The arsenal, where tools (or major updates to them) are unveiled, was located in the business hall, where each speaker got their own booth within the arsenal area, along with a screen, and a microphone. Presenting in the arsenal was in parallel with others, all located in one corner of the arsenal area. Attendees could freely walk in at any given moment, with time for Q&A at the end (or during, depending on the presenter’s preference) of the demo.

My presentation starts out with some background information on the project, as well as emulation in general. After that, a demo is shown, displaying the bots for both Anubis and Cerberus. The demo shows the perspective from both the emulator, as well as the command and control panels for both families, which I set-up locally. This provides insight in the usage of the framework, as well as the view of the actor who controls the C&C panel.

During the first day’s lunch, I met the guys from Punk Security who presented pwnspoof and SMBeagle. We had a great time, and I enjoyed the presentations of their tools.

Additionally, I watched a part of the car hacking demo, titled Cluster Fuzz, Introduction to Car Hacking With Real Car Hardware by Ian Tabor. Although car hacking has my interest, it’s hard to get started without proper hardware. Given that this can be quite costly, I mostly watch and read about this topic, but I had not seen it in a live environment before. The hardware Ian brought with made the whole thing come alive in seconds.

The briefings

The conference started out with a keynote from Marietje Schaake, titled “Securing the Public, who is in Charge?”. The keynote covers the security of companies and citizens alike, and how their security is threatened by espionage and other surveillance “services” that are offered, both legally and illegally. It ended with several takeaways for the audience, along with the question what the industry could do in order to improve the status quo, in favour of a more transparent and safe environment.

During the speaker drinks the day prior, I met Nicole Fishbein, who presented TeamTNT: Explosive Cryptomining, together with her colleague Joakim Kennedy. The talk, along with the paper, provided insight in the campaigns of a rather vocal threat actor who seems to be rather concerned about the online persona’s status.

The day after, Christopher Doman and James Campbell presented “They Hacked Thousands of Cloud Accounts Then Sent Us Weird GIFs”, which also digs into TeamTNT, albeit with a different focus: the ways via which the credentials for the cloud accounts were stolen, rather than the group’s development over time.

The last talk I watched in-person was the NOC report, which provided quite some insight into the set-up of the conference’s network, and events that transpired behind the scenes, along with plenty of humour.

Due to my own presentation schedule, I could not attend all talks I’d have liked to, one example being “Windows Defender – Demystifying and Bypassing ASR by Understanding the AV’s Signatures” by Camille Mougey. Being able to watch the recordings of the talks at a later point in time surely is convenient in this case.

The Business Hall

The business hall consisted of a wide variety of companies, many of whom provided the famous conference swag, including stickers. There was no pressure from anyone to hand over details, such as scanning the QR code on the BlackHat badge, at any given time. The exhibiting companies were open and welcome, answering both business and non-business related questions. I enjoyed talking to company representatives of corporations I know from their previously published work, as well as talking to representatives of companies that were new to me.


To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], or DM me on Twitter @Libranalysis.