Disobey 2025

Samu Ahvenainen Hacker, Senior Security Specialist, Solita

Published 05 Mar 2025

Reading time 12 min

Since 2015, Disobey has been the heartbeat of the Finnish hacker culture, and this year delivered yet again. This is the must-attend educational conference for all security professionals in Finland. Expect to rub shoulders with the brightest minds tackling the toughest challenges, all while embracing the Hackers Creed: create art and beauty on a computer, mistrust authority, and promote decentralisation. Guided by a robust Code of Ethics, Disobey is more than just an event—it’s a movement. Whether you were there to share knowledge, protect the community, or simply find your own path, Disobey 2025 was where you needed to be. So gear up, here is our blog about things we found especially interesting this year. 

What is RED and why should anyone care?

For an old hardware and IoT developer, one of the most intriguing talks was at the beginning of the conference. It was given by Heikki Juva from Traficom and was about an upcoming update to an EU directive called the Radio Equipment Directive, or RED for short. The RED update takes effect in Q3 of this year, and manufacturers are ready for it. Right?

Turns out—surprise, surprise—that equipment sold today will fail miserably and should become illegal to sell in the EU in just a couple of months. Heikki had tested 22 of the most-sold medical devices, IP cameras, and home automation equipment against the upcoming legislation. Of those devices, 50% of medical devices, 71% of IP cameras, and a staggering 100% of home automation devices failed RED tests.

To put this in perspective, the tests didn’t even consider all the requirements in the legislation—just a subset deemed the most significant. Failing any requirement should make the hardware illegal to sell in the EU. Time will tell what happens to all of this equipment, which is mostly produced by third-party manufacturers and shipped under different brands.

Even though the updated RED is clearly a step in the right direction and actually contains detailed guidance about the requirements, it still has casting defects. For example, it’s still considered acceptable to outsource security “only to be used behind a firewalled network” and to allow “old, broken ciphers” for backward compatibility. However, there’s still some hope that we can scrape at least some of that asbestos off the Internet in the EU market.

– Samu 

Dissecting the Cicada – In the shadow of the Black Cat

The late Friday talk was held by Nicklas Keijser and Mattias Wåhlén from Truesec about the possible connections between the recently emerged ransomware group Cicada 3301 and the now-defunct BlackCat/ALPHV. With my interest in threat intelligence and cybercrime investigation, this was a must-see.

The speakers broke down both technical and non-technical evidence linking the two groups. On the technical side, the Cicada 3301 ransomware has striking similarities to BlackCat’s, from being written in Rust to using ChaCha20 for encryption and having nearly identical behaviours when shutting down virtual machines. The analysis also revealed they use the same naming conventions for encrypted files and the same built-in list to terminate processes. There are also ties to a known access broker linked to the Brutus botnet, with infrastructure and forum activity pointing straight back to Russian cybercrime circles. So, while there’s no neon sign saying “Hey, we’re BlackCat 2.0!”, the breadcrumbs are there.

For me, the key takeaway was highlighted in the last slide – how valuable cyber threat intelligence is in disrupting these groups. By combining technical analysis with OSINT, forensic investigation, and threat hunting, researchers can expose these actors, making it harder for them to operate in the shadows. The last point on “The Lessons” slide was highlighted in the presentation: raising awareness, publishing research, and speaking about these threats don’t just inform people; they can truly aid in disrupting ransomware actors. The more we analyse, publish, and discuss their methods, the harder we make it for them to operate in the dark.

– Stephen 

Attacking and defending identities in the modern era

A must-see talk for everyone wanting to implement secure token-based authentication was “Exploiting Token Based Authentication: Attacking and Defending Identities in the 2020s”, given by Dr. Nestori Syynimaa, who is also known online as DrAzureAD and is the creator of the AADInternals toolkit. The talk was really well put together and split into three main sections, making it easy to follow and understand. It began by explaining the basics of token-based authentication, such as what is meant by the user, the service provider and the identity provider. After this, common authentication schemes were explained using diagrams to demonstrate what SSO is and how Kerberos, SAML, OAuth and Entra ID authentication flows work. It was emphasised that in token-based authentication, possession of a bearer token allows access to the associated resources without the need to demonstrate possession of a cryptographic key, so in order to prevent misuse, bearer tokens should be protected both in storage and in transit.

After covering how token-based authentication works, macro-level attack techniques against it were introduced. Stealing or impersonating a token allows access to the associated resources for a limited time, whereas stealing the secret makes it possible to forge one’s own tokens, thus granting persistence for a longer period and possibly access to other resources beyond the original scope. It was highlighted that refresh tokens hold higher value to adversaries than access tokens, due to the limited lifetime of access tokens. The talk had two attack demonstrations, in which two adversaries used their skills to gain access to target environments and elevate their privileges. In the first demonstration, access to the AD FS was used to obtain the token-signing certificate, which was then used to forge SAML tokens, allowing the impersonation of any user in the tenant. In the second demonstration, access to a Global Admin’s laptop was used to obtain the Primary Refresh Token, which allowed logging in to the environment as Global Admin from any machine, despite multifactor authentication and conditional access policies being in use.

In the last section of the talk, defensive measures were presented to the audience, starting by showing that service provider and identity provider logs can be used to detect malicious activity in on-prem, hybrid cloud and cloud-only environments. It was emphasised that endpoints should be hardened to prevent the theft of secrets, and zero trust should be applied to prevent the theft of tokens, while the cloud environment should always verify tokens to avoid access to resources by forged or stolen tokens. In addition, token protection should be used to tie the token to the actual user’s device, and continuous access evaluation to notice property changes, such as network location, during the communication.

– Teemu 
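
Detection logic of the kind the defensive section describes, as an added example that is not from the talk or the AADInternals toolkit: it runs over constructed sign-in events and flags a session token presented from a different device than the one it was first used from, or from a different network within a short window. The event field names and the /24 network grouping are assumptions.

```python
import ipaddress

# Constructed sample sign-in events (not real logs) from one identity provider:
# session S1 is a legitimate session whose token is then replayed from another
# device and network; session S2 changes networks, but only after an hour.
EVENTS = [
    {"ts": 0,    "user": "alice", "session": "S1", "device": "LAPTOP-A", "ip": "10.1.2.3"},
    {"ts": 60,   "user": "alice", "session": "S1", "device": "LAPTOP-A", "ip": "10.1.2.3"},
    {"ts": 90,   "user": "alice", "session": "S1", "device": "UNKNOWN",  "ip": "203.0.113.7"},
    {"ts": 120,  "user": "bob",   "session": "S2", "device": "LAPTOP-B", "ip": "10.1.5.9"},
    {"ts": 4000, "user": "bob",   "session": "S2", "device": "LAPTOP-B", "ip": "198.51.100.4"},
]


def network_of(ip, prefix=24):
    """Collapse an address to its /prefix network (assumed grouping) so address
    churn inside one office or home network is not treated as a location change."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_session_anomalies(events, window=300):
    """Return (session, reason, ts) alerts.

    device_mismatch: a token first used on one device is presented from another.
                     With token protection binding the token to the device this
                     should never succeed, so any occurrence deserves a look.
    network_change:  the same session appears from a different network within
                     `window` seconds of its previous use, the kind of property
                     change continuous access evaluation is meant to notice.
    """
    bound_device = {}   # session -> device seen at first use
    last_seen = {}      # session -> most recent event for that session
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        sid = event["session"]
        if sid in bound_device:
            if event["device"] != bound_device[sid]:
                alerts.append((sid, "device_mismatch", event["ts"]))
            prev = last_seen[sid]
            moved = network_of(event["ip"]) != network_of(prev["ip"])
            if moved and event["ts"] - prev["ts"] <= window:
                alerts.append((sid, "network_change", event["ts"]))
        else:
            bound_device[sid] = event["device"]
        last_seen[sid] = event
    return alerts


if __name__ == "__main__":
    for alert in find_session_anomalies(EVENTS):
        print(alert)
```

Bob’s later network change is deliberately left unflagged by the default window; widening the window trades fewer missed replays for more noise from users who genuinely move between networks.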

Infostealer – what a menace, man

On Saturday afternoon, Shamil Alifov talked about information-stealing malware – infostealers. The presentation discussed the data types infostealer malware targets, the types of infostealer malware there are, how the malware is distributed, and where the data is sold. Alifov also presented a small analysis he had conducted on freely available stolen data.

The focus of the presentation was on Malware-as-a-Service (MaaS) and the monetisation of the stolen data through marketplaces. Infostealer services are advertised on, for example, Telegram, and spread through phishing emails, pirated software and fake updates, to name a few. What was interesting, but also quite natural when you think about it, is that MaaS services, as well as the marketplaces where the data can be bought, also offer support and other types of auxiliary services to help out customers. Isn’t it nice that everyone gets help when needed?

The stolen data are advertised by different actors, referred to as “logs aggregators”, in the “Cloud of logs”. These clouds of logs are basically Telegram channels that both sell the data and offer free sample files. The sample files work as proof of the validity of the data being sold.

Alifov had utilised the free sample files to conduct his own analysis of the stolen data. He had downloaded in total about 4 TB of data from four different Telegram channels. For me, the main takeaway from the test was that after cleaning and deduplicating the data, the actual amount of unique data had decreased to 178 GB, which is quite a drastic decrease.

During the talk, Alifov pointed out that infostealers and their findings can also be utilised for legitimate purposes and work as a defensive tool. For example, Alifov mentioned bug bounties, which can result in security reports that provide companies with information on their stolen credentials. This information can then be used by companies to monitor the leaked credentials. Researching infostealers, the data they collect, and the sellers can also provide threat intel on threat actors.

– Miina

Solitans at Disobey 2025

Takeaways from the Disobey 2025 community village and capture the flag competition

This year the community village of Disobey 2025 had even more to offer compared to last year’s program. Various cities’ local infosec organisations had their own booths at the community village, so the CitySec scene is still running strong. The following CitySec organisations were present at the community village with various content such as hacking challenges, puzzles and demos: HelSec, SaimaaSec, LahtiSec, KuoSec, TurkuSec, KymiSec and W4CFI. At the community village you could also find other familiar organisations such as Robot Uprising, Hacklab and Effi.

It was great to see some newcomers as well in the scene such as the booths of SRAL (Suomen radioamatööriliitto), Cyber Club Kotka, Iki, Testausserveri and Skrolli. Additionally, NCSC-FI, the legendary lockpicking village and DJ sets were again part of the community village agenda like last year. In summary, one couldn’t enjoy the full experience of the whole community village of Disobey 2025 as there was so much to experience during a limited timeframe of two days. The community village had something to offer for everyone because the schedule wasn’t filled with just technical topics. You could have a polaroid photo taken of your group or have a chat at any of the booths. There were also many non-technical competitions such as KuoSec’s phishing challenge and HelSec’s physical hacker puzzle.

When it comes to the challenges, they were great, as you would expect. Clearly the most trending theme for challenges was AI. There were also more traditional themes, such as RFID, lockpicking, reverse engineering, analog systems, networking and robotics. Most of the challenges found in the community village were part of the Disobey 2025 capture the flag (CTF) competition. That meant that by solving any of the challenges you gained points for your team in the CTF competition. The same rule as for the community village’s content applies to the CTF challenges: one person couldn’t experience all the challenges properly during the event even if they wanted to.

In total, there were over 50 different challenges from different categories such as AI/prompt injection, forensics, network, web, social engineering, crypto, reverse engineering, hardware, OSINT and retro challenges such as telephony. That’s why teamwork is heavily recommended at Disobey for those seeking fame and glory in the CTF competition.

Various companies had also put up their own challenges as part of the Disobey 2025 CTF. One new highlight was the company Loihde’s booth where you could freely try your skills against modern NFC access control readers which were labelled with various difficulty levels. We managed to easily break the first two levels which were the levels with publicly known attacks and vulnerabilities. This challenge also gave us the chance to meet the legendary iceman of the proxmark3 community. This challenge booth caught our eye because it was a perfect chance to configure and play with a fresh proxmark3 device which was unboxed during the event.

The winners of the CTF competition were announced during the closing ceremony of Disobey 2025. The winning teams weren’t a surprise to those who have seen the CTF competition scene before in past events. Congratulations to the winning teams and we hope to see you in the next Disobey! 

Hacklab table

– Henkka

Supercharging your security pipeline: Managing vulnerabilities in a multi-tool jungle

This presentation was held by Mikael Nilsson of SAS Institute and the topic was centralised vulnerability management. Last year Mikael spoke about securing the cloud with CSPM (Cloud Security Posture Management). Mikael’s business-like presentation style was in stark contrast to the prevalent hacker culture in other presentations. From a software security specialist’s perspective, the presentation flow was pleasant: given a problem, a solution (with trade-offs) was described.

The problem in this case was a smorgasbord of different security tools used by an organisation with a large number of software projects. All tools produce (often overlapping) findings and a dashboard for viewing them, but there is no single-pane-of-glass view across all projects. This complicates the process of triaging possible vulnerabilities, as security engineers need to be familiar with multiple tools. It also prevents having situational awareness of the organisation’s security posture.

According to Mikael, their vision was a centralised vulnerability management system for aggregating and correlating findings from all security tools. Their solution of choice was DefectDojo, which already contains support for integrating many common tools. DefectDojo also correlates findings based on their category, so an XSS vulnerability reported both by a code analysis (SAST) tool and a vulnerability scanner (DAST) would show as a single finding.

After a finding is reported, Jira tickets with remediation instructions are then generated from the findings and assigned to security engineers for triage. Tickets can also be enriched with metadata such as SLA information.

DefectDojo is an OWASP flagship project, but it is still an open-source tool, which can discourage its adoption by commercial organisations. However, there is commercial support and a SaaS version of the product available.

As the presentation focused partly on the current state and partly on the future vision, not all pieces were yet in place. The current implementation relied heavily on customised Jira workflows, which was seen as fragile and non-optimal. This presentation is topical and surely resonates with everyone working with software security.

– Masse

Web application firewalls taking heat

We had a review of “web application firewall” solutions from Knud, a well-known figure in the Finnish infosec scene currently at Fraktal.fi. Covered were various cloud platform-provided solutions as well as some separate WAF products.

Here’s the talk abstract from Knud: “TL;DR: A quick look at what a WAF is, some of the commercial offerings in WAF space, what it can and cannot do for you, some WAF fails”

Impressively, Knud had written his own tools for testing WAFs, and he was on the right side of history, not trying to sugar-coat how hit-and-miss the content inspection-based WAF stuff is, both by implementation and conceptually.

The tabulated results in the slides were pretty rough for the WAFs. AWS WAF was the worst a lot of the time (sometimes catching 0% of the cases). Probably the small request size limit doesn’t help.

My own pet peeve about WAFs, not covered in the presentation: how the apps behind the WAF tend to get the short end of the stick – the user submits a form accidentally containing some SQL keyword, and poof, their save action fails, the application doesn’t get notified that anything is wrong, and it just looks like your system is flaky. Maybe your IP address will even get soft-banned from the app automatically, to add insult to injury.

We had a chat with Knud at the bar after the presentation, with a few follow-up words where I ranted about some development gigs running into policies requiring a WAF to be set up for new custom app development even though they do more harm than good.

I also went to ScanABC’s pre-event on Friday before Disobey, which had cool presentations from security-oriented startups Badrap, Sensorfleet, Semantti and Xiphera, among others. It was nice to hear about the fascinating stuff Solita alumnus Aki Helin was working on at Semantti – language models applied to logs and making high-level deductions of what’s happening (both classic approaches such as grammars and state machines, as well as cool applications of LLMs).

– Erno 
