Black Hat 25 – What you need to know
Did you miss out on Black Hat 25, or get stuck in the business hall? Don’t worry, I’m going to summarize some of what I thought were the most important takeaways from the Black Hat 25 briefings. As always, there was an endless list of talks, events, tool showcases, and of course corporate-sponsored partying. Below is a compiled list of some of the trends and more interesting talks we found at Black Hat 25.
Source control, a new target for supply chain attacks
Recent years have seen a dramatic rise in software supply chain attacks, from SolarWinds to Codecov. It is little surprise, then, that briefings on supply chain attacks were prominent at this year's Black Hat. A lot of the technical briefings on supply chain attacks this year focused on the role of developer accounts, in code repositories and beyond.
“Why do adversaries target the software supply chain? Because that's where the access is!” Chris Krebs
In one such briefing, “RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise”, speakers Viktor Gazdag and Iain Smart from NCC discussed real-world examples of compromising organizations through their CI/CD pipelines. CI/CD (Continuous Integration and Continuous Delivery) is common DevOps practice for testing, building and deploying applications. Compromising the CI/CD pipeline can mean you control the build and deployment process. Developers are often granted excessive privileges in CI/CD environments, or misconfigurations make it easy for an attacker to elevate their privileges.
“Assume that every developer is malicious or compromised” Iain Smart
The presenters showed multiple real-life examples where, starting from a developer account, they were able to elevate their privileges, take advantage of common misconfigurations to perform admin-level tasks, and ultimately take over the CI/CD environment. This included loading external malicious packages to trick the pipeline into handing over admin credentials, or simply accessing production credentials by replacing DEV with PROD and printing the environment variables to the screen.
“Anyone that was a dev could get full access to production accounts” Iain Smart
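The "print the environment variables to the screen" trick works because CI job logs are rarely treated as sensitive even though the job's environment is. A defender-side check is to scan stored job output for environment dumps and credential-like variables, and to redact the values before the log is kept. The following is an added example (not code from the talk or from NCC) run over a constructed CI log; the list of sensitive variable names and the `Running:` echo format are assumptions made for the example.

```python
import re

# Constructed sample of CI job output, modelled on the "print the environment
# variables to the screen" scenario described above. Every value is made up.
SAMPLE_CI_LOG = """\
[deploy] Checking out main
[deploy] Running: env
PATH=/usr/local/bin:/usr/bin
CI_ENVIRONMENT=PROD
PROD_DB_PASSWORD=made-up-password-123
AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000001
AWS_SECRET_ACCESS_KEY=made-up-aws-secret-value
npm_config_loglevel=info
[deploy] Deploy finished
"""

# Variable names that should never appear in a job log. This list is an
# assumption for the example; a real policy would be tuned per organization.
SENSITIVE_KEY = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY|ACCESS_KEY)", re.IGNORECASE
)
# A KEY=VALUE line in the shape `env` / `printenv` print it.
ENV_LINE = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>.*)$")
# A step that dumps the whole environment is a finding on its own, because the
# secrets in a job's environment end up stored wherever the logs are kept.
# The "Running: <command>" echo format is an assumption for this example.
ENV_DUMP_STEP = re.compile(r"Running:\s*(env|printenv|set)\s*$")


def scan_ci_log(text):
    """Return one finding per suspicious line: environment dumps and
    KEY=VALUE lines whose key looks like a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ENV_DUMP_STEP.search(line):
            findings.append({"line": lineno, "kind": "env_dump", "key": None})
            continue
        match = ENV_LINE.match(line)
        if match and SENSITIVE_KEY.search(match.group("key")):
            findings.append(
                {"line": lineno, "kind": "secret_in_log", "key": match.group("key")}
            )
    return findings


def redact_ci_log(text):
    """Return the log with the value of every credential-like variable
    replaced, so the stored copy no longer carries the secret."""
    out = []
    for line in text.splitlines():
        match = ENV_LINE.match(line)
        if match and SENSITIVE_KEY.search(match.group("key")):
            line = f"{match.group('key')}=[REDACTED]"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for finding in scan_ci_log(SAMPLE_CI_LOG):
        print(finding)
    print(redact_ci_log(SAMPLE_CI_LOG))
```

Flagging the `env` step itself, not only the leaked values, matters: the redaction only catches names that look like credentials, while the dump step tells you a pipeline is configured to expose whatever happens to be in its environment.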
This theme ran through many other presentations. Brett Hawkins, Adversary Simulation Researcher at IBM X-Force Red, had two presentations at Black Hat focusing on his new tool, SCMKit. The tool and the related presentations showed how SCM systems such as GitHub Enterprise, GitLab Enterprise, and Bitbucket Server can be attacked using hijacked credentials. Why is this so significant? If you control the source code, you control not just the application but its complete pipeline: testing, building, and deployment.
“I wanted to bring more attention to securing these systems, Black Hat is the perfect place to do this.” Brett Hawkins, Adversary Simulation Researcher
The toolkit Hawkins released automates a large amount of the manual work an attacker would need to do to take over these systems. Those steps include reconnaissance, which allows exploration of repositories and code, and privilege escalation, which can elevate accounts under the attacker's control to the admin level. There is also a persistence module, which uses personal access tokens or SSH keys to maintain access to the compromised SCM system.
“I wanted to create a tool that could interface with the APIs of the source code management systems” Brett Hawkins, Adversary Simulation Researcher
This theme of targeting developer tooling and accounts to launch a supply chain attack was a core focus across many briefings. It showed not just the need to secure code repositories and other developer tools, but also a clear trend in where supply chain attack scenarios are heading.
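Each of the three stages described for SCMKit (reconnaissance, privilege escalation, persistence) leaves a trace in the SCM platform's audit log, which is where a defender should be looking. The following is an added example (not part of the talk, SCMKit, or any SCM vendor's tooling) that runs three simple detections over a constructed audit log: a burst of distinct repositories pulled by one account, an account being granted the admin role, and a personal access token or SSH key being added. The newline-delimited JSON shape, the field names and the action strings are assumptions for the example, not any product's real schema.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events in a generic newline-delimited JSON shape. The field
# names and action strings are an assumption for this example, not the schema
# of any particular SCM product.
SAMPLE_AUDIT_LOG = """\
{"ts": "2022-08-10T09:00:00Z", "actor": "dev-alice", "action": "repo.clone", "target": "payments-api"}
{"ts": "2022-08-10T09:00:20Z", "actor": "dev-alice", "action": "repo.clone", "target": "billing"}
{"ts": "2022-08-10T09:00:45Z", "actor": "dev-alice", "action": "repo.clone", "target": "identity-service"}
{"ts": "2022-08-10T09:01:10Z", "actor": "dev-alice", "action": "repo.clone", "target": "infra-terraform"}
{"ts": "2022-08-10T09:01:30Z", "actor": "dev-alice", "action": "repo.clone", "target": "mobile-app"}
{"ts": "2022-08-10T09:02:00Z", "actor": "dev-alice", "action": "repo.clone", "target": "internal-docs"}
{"ts": "2022-08-10T09:05:00Z", "actor": "dev-alice", "action": "personal_access_token.create", "target": "dev-alice"}
{"ts": "2022-08-10T09:05:30Z", "actor": "dev-alice", "action": "ssh_key.add", "target": "dev-alice"}
{"ts": "2022-08-10T09:06:00Z", "actor": "dev-alice", "action": "org.update_member_role", "target": "dev-alice", "role": "admin"}
{"ts": "2022-08-10T09:07:00Z", "actor": "dev-bob", "action": "repo.clone", "target": "frontend"}
"""

# Detection thresholds; tune to the size of the organization.
PERSISTENCE_ACTIONS = {"personal_access_token.create", "ssh_key.add", "deploy_key.add"}
ROLE_CHANGE_ACTION = "org.update_member_role"
RECON_ACTIONS = {"repo.clone", "repo.download_zip"}
RECON_THRESHOLD = 5                   # distinct repositories pulled by one actor ...
RECON_WINDOW = timedelta(minutes=10)  # ... within this window


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_scm_abuse(text):
    """Return alerts for bulk repository access, admin role grants and
    long-lived credentials (tokens, SSH keys) being added."""
    alerts = []
    recent_pulls = defaultdict(deque)  # actor -> (ts, repo) seen within RECON_WINDOW
    recon_alerted = set()              # alert once per actor, not once per clone
    for event in parse_events(text):
        actor, action = event["actor"], event["action"]
        if action in PERSISTENCE_ACTIONS:
            alerts.append({"rule": "persistence_credential_added", "actor": actor, "action": action})
        elif action == ROLE_CHANGE_ACTION and event.get("role") == "admin":
            alerts.append({"rule": "admin_role_granted", "actor": actor, "target": event["target"]})
        elif action in RECON_ACTIONS:
            window = recent_pulls[actor]
            window.append((event["ts"], event["target"]))
            # Drop pulls that fell out of the sliding window (the current event never does).
            while event["ts"] - window[0][0] > RECON_WINDOW:
                window.popleft()
            distinct_repos = {repo for _, repo in window}
            if len(distinct_repos) >= RECON_THRESHOLD and actor not in recon_alerted:
                recon_alerted.add(actor)
                alerts.append({"rule": "bulk_repository_access", "actor": actor, "repos": len(distinct_repos)})
    return alerts


if __name__ == "__main__":
    for alert in detect_scm_abuse(SAMPLE_AUDIT_LOG):
        print(alert)
```

The persistence rule is deliberately noisy: developers legitimately create tokens and keys. Its value comes from correlation, as in the sample, where a token and key appear minutes after a bulk clone and immediately before an admin role grant on the same account.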
AI (Artificial Intelligence) tools are more A than I
Black Hat 25 also took a look at the role of AI and ML in cybersecurity. There has been a lot of hype about AI as a way to ease the skills shortage and gain a significant upper hand over adversaries. This hype has been largely vendor-driven, and many security researchers and prominent voices at Black Hat were quick to push back on the role AI may actually have in security.
“Despite the hype, AI has not been the cybersecurity silver bullet many hoped it would be. Cyber defenders are still faced with increasingly sophisticated attackers.” Edward Wu, Senior Principal Data Scientist
One particularly fascinating look at the failings of the promise of AI was a briefing presented by Hammond Pearce and Benjamin Tan. Their talk, “In Need of 'Pair' Review: Vulnerable Code Contributions by GitHub Copilot”, covered their research into whether GitHub Copilot introduces vulnerabilities through its code suggestions. Copilot is an AI-driven tool that helps developers by making code suggestions in the IDE. The findings not only proved that yes, Copilot does suggest vulnerable code, but also that the worse the input, the worse the output. A less experienced developer is more likely to make basic coding mistakes, and the same is true of the code suggestions Copilot makes for them. This may not be that surprising, but it does mean the artificial intelligence in Copilot is closer to artificial guessing based on the body of code on GitHub. At least with current capabilities, AI in software development may actually do more harm than good for security.
One area where AI was identified in the conference as being helpful is in reducing the mundane workload of analysts.
“Artificial intelligence is more about taking analysts away from the mundane and repetitive tasks” Edward Wu, Senior Principal Data Scientist
A focus on policy and regulation
Black Hat and DEF CON are a rare moment in space and time where government officials, security researchers, hackers, and organizations come together in a single place. Black Hat is a place that literally shapes cybersecurity policy, through its briefings, panels, and networking discussions. This year, as every year, there was a big focus on policy changes that many hope will slow the pace of adversaries.
“Government has struggled to balance market interventions regulation with the desire in a capitalist economy to allow innovation to grow. As a result, what we have had is an uneven application of market interventions or regulations.” Chris Krebs
A lot of the discussion this year was around Executive Order 14028, Improving the Nation’s Cybersecurity. One item within this order that came up throughout the conference is the Software Bill of Materials (SBOM) requirement. The order states that providers will need to adopt “providing a purchaser a Software Bill of Materials (SBOM) for each product directly”. The goal was to show and track what software would be affected in a massive supply chain attack. A few months later, with Log4j, almost exactly the scenario this policy described happened. So did it help? The answer from the Cyber Safety Review Board was a definitive no… but it should… in the future.
“The board did not find stakeholders that were able to use SBOM successfully.” Rob Silvers
“SBOM has extraordinary potential but needs more work to be able to be used out in the wild.” Rob Silvers
But it wasn’t just policy around EO 14028 that was under the spotlight; a huge part of the policy discussion was around protection for security researchers.
There were also some interesting sessions on how Policy with a capital P may negatively affect the trajectory of security. Stewart Scott, who works for the Atlantic Council's Cyber Statecraft Initiative, hosted an interesting session on how bad policy may affect the vulnerability research ecosystem. Vulnerability research programs, otherwise known as bug bounty programs, have become an integral part of security research and were critical in the aftermath of Log4j for sharing expertise.
Scott's session looked at how policy can work against security researchers disclosing vulnerabilities. For example, Alibaba Cloud was suspended for 6 months from information sharing with the Chinese Ministry of Industry and Information Technology, and threatened with further action from the Chinese government, for not reporting the Log4j vulnerability within 2 days. There are also examples of researchers in Germany and Missouri who were threatened with legal action after discovering and reporting vulnerabilities. The talk concluded that governments and organizations need to work together to better protect the vulnerability research ecosystem if it is to remain a reliable source of defense.
“The reliability for this ecosystem cannot be taken for granted.” Stewart Scott
“Consider vulnerability research at large as a supplier, a community that has to be invested in and given some guard rails and protections.” Stewart Scott
This same fear for security researchers was shared by Dylan Avery in a session he conducted with Whitney Merrill, a lawyer from Asana, called “Bug Hunters Dump User Data. Can They Keep it? Well, They're Keeping it Anyway.” Together they showed that bug bounty hunters almost unavoidably access data that falls outside the bounds of responsible disclosure programs. This can put the bounty hunter in a difficult and legally risky situation if they are not careful. While this talk didn’t directly reference policy, it does show the sentiment of the bug bounty community, which is a vital part of the security defense landscape.
“Even when the government does regulate, they don’t do it right, they don’t do it well, we see an over-reliance of checklist and compliance rather than performance based outcomes.” Chris Krebs
Another policy-focused talk was a panel discussion with Heather Adkins and Rob Silvers, who took a deep dive into the Cyber Safety Review Board (CSRB). This new board was created as a result of the Biden administration's executive order.
Ukraine takes the stage - Lessons from the invisible war
Black Hat started 25 years ago as a way to monitor the activity of the black hats, the malicious hackers. While Black Hat has morphed into something almost unrecognizable from those early days, it is still the place to get the most up-to-date information on black hats around the globe. It is no surprise, then, that Ukraine took center stage at this conference.
The general news coming from Ukraine is what many have described as bleak. Most significantly, Ukraine’s cyber chief Victor Zhora made an unannounced visit to Black Hat to address the audience. Zhora told attendees that Ukraine had detected over 1,600 "major cyber incidents" so far in 2022, and that cyber incidents have tripled since Russia invaded Ukraine. The most significant impacts come from DDoS attacks that have taken many Ukrainian government agencies offline, as well as targeted malware like Industroyer2, which specifically attacks energy systems in Ukraine.
“This is perhaps the biggest challenge since World War Two for the world, and it continues to be completely new in cyberspace.” Victor Zhora
Briefings on Ukraine also included senior threat researchers from SentinelOne, Thomas Hegel and Juan Andres Guerrero, who gave a detailed breakdown of the cyber war happening in Ukraine. One of the key points clarified in this session is that the term “cyber war” gives the idea that it is somehow disconnected from a physical war. In fact, the attacks are physical: they are shutting down real infrastructure, disrupting planning, and having a real impact on a real war.
“We keep expecting it to be its own domain of warfare, that one day we will have a war completely online but this isn’t the case.” Thomas Hegel
Other Ukraine-focused briefings looked into the technical details behind Industroyer2. Interestingly, this was delivered by the same researchers who, 5 years ago, outlined Industroyer itself.
“Industroyer was the first piece of malware to attack the power grid in an automated way.” Robert Lipovsky
What can be learned from much of the research presented on Ukraine is that the attacks could have been much worse. Industroyer2 is the most significant attack on Ukraine based on its potential outcome; however, it was stopped before it caused a blackout.
“This was the most significant cyber attack, even if unsuccessful, during the war thus far.” Robert Lipovsky
Ultimately, what the sessions on Ukraine at Black Hat showed is what modern, and future, cyberwarfare will look like. It is not a separate domain, linked to but disconnected from the physical war. It takes the form of attacks that actively try to disrupt physical activity. But through preparation and collaboration from the community, we are able to prevent and disrupt these attacks.
Final Notes
Black Hat can be overwhelming with the amount of information jammed into a few days! Ultimately, it gives us a holistic look at where the industry and community are heading. From this year's briefings we can see a clear trend in attacks, with many adversaries now targeting the components that make up the software development lifecycle, and a response from public agencies and vendors to define the new guidelines, frameworks, and tools that will help public and private organizations alike build a resilient software supply chain.
If you enjoyed this mega wrap-up of Black Hat 25, subscribe for more updates from the GitGuardian team!