LAS VEGAS – The security industry makes its annual pilgrimage to the hot Sonoran desert this week for skills training, hacking demos, research presentations and cybersecurity vendors showing off shiny new products.
For its 25th anniversary, the venerable Black Hat hacking conference is promising more than 80 presentations on a wide range of topics ranging from hardware and firmware hacking to zero-day malware discoveries to the latest and greatest in APT research.
SecurityWeek editors have combed the agenda carefully and identified the 10 Black Hat USA 2022 sessions that will be making news headlines all week. Here’s the list of talks worth your time and attention:
1. RollBack – A New Time-Agnostic Replay Attack Against the Automotive Remote Keyless Entry Systems (Researchers from the University of Singapore and NCS Group).
Automotive Remote Keyless Entry (RKE) systems implement disposable rolling codes, making every key fob button press unique, effectively preventing simple replay attacks. However, RollJam was proven to break all rolling code-based systems in general. By a careful sequence of signal jamming, capturing, and replaying, an attacker can become aware of the subsequent valid unlock signal that has not been used yet. RollJam, however, requires continuous deployment indefinitely until it is exploited. Otherwise, the captured signals become invalid if the key fob is used again without RollJam in place.
We introduce RollBack, a new replay-and-resynchronize attack against most of today’s RKE systems. In particular, we show that even though the one-time code becomes invalid in rolling code systems, there is a way to utilize and replay previously captured signals that trigger a rollback-like mechanism in the RKE system. Put differently, the rolling codes can be resynchronized back to a previous code used in the past from where all subsequent yet already used signals work again. Moreover, the victim can still use the key fob without noticing any difference before and after the attack.
Why is it relevant? As we have covered in the past, these types of practical attacks on modern automobiles (See RollingPwn) are already here and advancements in offensive security research will help identify – and fix – security problems before they’re exploited in the wild.
2. Industroyer2: Sandworm’s Cyberwarfare Targets Ukraine’s Power Grid Again (Robert Lipovsky and Anton Cherepanov, ESET).
Industroyer2 – a new version of the only malware to ever trigger electricity blackouts – was deployed in Ukraine amidst the ongoing Russian invasion. Like in 2016 with the original Industroyer, the aim of this recent cyberattack was to cause a major blackout – this time against two million+ people and with components amplifying the impact, making recovery harder. Researchers believe the malware authors and attack orchestrators are the notorious Sandworm APT group, attributed by the US DoJ to Russia’s GRU.
This presentation covers the technical details: reverse engineering of Industroyer2, and a comparison with the original. Industroyer is unique in its ability to communicate with electrical substation ICS hardware – circuit breakers and protective relays – using dedicated industrial protocols. While Industroyer contains implementations of four protocols, Industroyer2 “speaks” just one: IEC-104.
Expect a higher-level analysis of the attackers’ modus operandi and discuss why and how the attack was mostly unsuccessful. One of the most puzzling things about Industroyer has been the stark contrast between its sophistication and its impact: a blackout lasting one hour in the middle of the night is not the worst it could’ve achieved. Industroyer2 didn’t even accomplish that.
Why does it matter? These presentations shine a bright spotlight on an apex threat actor previously caught using some of the most destructive malware tools. As we have previously reported, this malware attack has some major geopolitical implications and all new disclosures will be closely followed.
3. Déjà Vu: Uncovering Stolen Algorithms in Commercial Products (Patrick Wardle, Objective-See and Tom McGuire, Johns Hopkins University)
In this talk, we discuss what appears to be a systemic issue impacting our cyber-security community: the theft and unauthorized use of algorithms by corporate entities. Entities who themselves may be part of the community.
First, we’ll present a variety of search techniques that can automatically point to unauthorized code in commercial products. Then we’ll show how reverse-engineering and binary comparison techniques can confirm such findings.
Next, we will apply these approaches in a real-world case study. Specifically, we’ll focus on a popular tool from a non-profit organization that was reverse-engineered by multiple entities such that its core algorithm could be recovered and used (unauthorized), in multiple commercial products.
Why it matters? The talk is expected to provide actionable takeaways, recommendations and strategic approaches to confronting culpable commercial entities (and their legal teams). These presentations are important to keep vendors honest in their dealings with the security community.
4. Monitoring Surveillance Vendors: A Deep Dive into In-the-Wild Android Full Chains in 2021 (Google security engineering team)
Over the past 12 months, Google’s TAG (Threat Analysis Group) and Android Security teams have discovered and analyzed several in-the-wild 1day/0day exploits by surveillance vendors.
This presentation promises technical details on CVE-2021-0920, an in-the-wild 0day Linux kernel garbage collection vulnerability; not publicly well-known, but much more sophisticated and arcane in contrast with the other aforementioned exploits.
The talk will discuss the vendor that developed the CVE-2021-0920 exploit and connect multiple Android 0day/1day exploit samples to this vendor, including attempts at submitting a malicious app to the Google Play store and early use of the Bad Binder exploit.
By analyzing the vendor’s exploits, we found a full chain in-the-wild targeting Android devices. The exploit chain uses 1day/nday browser exploits CVE-2020-16040 and CVE-2021-38000 and 0day CVE-2021-0920 to remotely root Android devices.
Why does it matter? The outing of private commercial software vendors as dangerous spyware merchants was one of the biggest stories of the last year as companies like NSO Group, Candiru and Cytrox made global headlines. Google’s research teams have rare visibility into the work on these exploitation firms and this talk promises to be a scorcher.
5. Attack on Titan M, Reloaded: Vulnerability Research on a Modern Security Chip (Damiano Melotti and Maxime Rossi Bellom, Quarkslab)
The Titan M chip was introduced by Google in their Pixel 3 devices, and in a previous study, we analyzed this chip and presented its internals and protections. Based on this acquired background, in this new talk we will focus on how we performed software vulnerability research on such a constrained target, despite the limited information available.
We will dive into how our black-box fuzzer works and its associated limitations. We then show how emulation-based solutions manage to outperform hardware-bound approaches. By combining a coverage-guided fuzzer (AFL++), an emulator (Unicorn) and some optimizations tailored for this target, we managed to find an interesting vulnerability, which was only allowing to set a single byte to 1, with several constraints on the offset. Despite looking hard to exploit, we present how we managed to obtain code execution from it, and leaked the secrets contained in the secure module.
Why does it matter? The mobile security research team at Quarkslab is among the most skilled in the world and their demonstration of a Pixel RCE via the chip is sure to raise eyebrows.
6. The Cyber Safety Review Board: Studying Incidents to Drive Systemic Change
The first ever Cyber Safety Review Board (CSRB) project focused on the Log4j crisis, identifying major ongoing gaps and making practical recommendations for organizations to avoid the next big zero-day.
This conversation on the work on the CSRB will include Rob Silvers (DHS Undersecretary for Policy and Chair of the Cyber Safety Review Board) and Heather Adkins (Deputy Chair and Vice President, Security Engineering, Google) for a discussion about Log4j vulnerability review, the key findings of the board, and how industry and government can implement the recommendations.
Why it matters: The CSRB is a unique project and it will be fascinating to hear from cybersecurity leaders on how a review board can help push for transformational changes in cybersecurity. The board’s first set of recommendations are already circulating through industry and there are lots of controversial things still to be worked out.
7. Charged by an Elephant – An APT Fabricating Evidence to Throw You In Jail (Juan Andres Guerrero-Saade and Tom Hegel, SentinelLabs)
It’s easy to forget the human cost of state-sponsored threats operating with impunity. While we often think of espionage, intellectual property theft, or financial gain as the objectives of these cyber operations, there’s a far more insidious motivation that flies under the radar– APTs fabricating evidence in order to frame and incarcerate vulnerable opponents.
This talk focuses on the activities of ModifiedElephant, a threat actor operating for at least a decade with ties to the commercial surveillance industry. More importantly, we’ll discuss how they’ve gone about incriminating activists who are locked up to this day despite forensic reports that show the evidence was planted. And if that’s not concerning enough, we’ll show how multiple regional threat actors were going after these same victims prior to their arrest. This cluster of activity represents a critically underreported dimension of how some governments are abusing technology to silence critics, and one that we hope will incense threat researchers into action.
Why does it matter? As we have discussed at length, the blending of the mercenary hacking industry with state-sponsored threat actors have led to some startling malware discoveries. Pay attention to some of the implications here for civil society.
8. Google Reimagined a Phone. It was Our Job to Red Team and Secure it (Google Red Team researchers)
Despite the large number of phone vendors, most Android devices are based on a relatively small subset of system on a chip (SoC) vendors. Google decided to break this pattern with the Pixel 6. From a security perspective, this meant rather than using code that had been tested and used for years, there was a new stack of high value device firmware we needed to get right the first time.
This talk will go over how Android secured the reimagined Pixel 6 before its launch, focusing on the perspective of the Android Red Team. The team will demonstrate how fuzz testing, black box emulators, static analysis, and manual code reviews were used to identify opportunities for privileged code execution in critical components such as the first end-to-end proof of concept on the Titan M2 chip, as well as ABL with full persistence resulting in a bypass of hardware key attestation.
Why it matters: It’s relatively rare for a big tech vendor’s red team to come forward and publicly share vulnerabilities and security weaknesses. In fact, in this talk, the Android Red Team plans to demonstrate multiple security-critical demos, showcasing the value of red teaming to the product release cycle.
9. Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling (James Kettle, PortSwigger)
The recent rise of HTTP Request Smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessible systems with a reverse proxy front-end… until now.
In this session, I’ll show you how to turn your victim’s web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites and internal networks. You’ll learn how to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors, and release desync worms. With these techniques, I’ll compromise targets including Apache, Akamai, Varnish, Amazon, and multiple web VPNs.
Why does this matter? HTTP Request Smuggling is an oft-used hacking technique that has significantly raised the stakes for webapp security. James Kettle and the folks at PortSwigger have been out front in this research area and these lessons and demonstrations will attract all sorts of eyeballs.
10. RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise (Iain Smart and Viktor Gazdag, NCC Group)
In the past 5 years, we’ve demonstrated countless supply chain attacks in production CI/CD pipelines for virtually every company we’ve tested, with several dozen successful compromises of targets ranging from small businesses to Fortune 500 companies across almost every market and industry.
In this presentation, we’ll explain why CI/CD pipelines are the most dangerous potential attack surface of your software supply chain. To do this, we’ll discuss the sorts of technologies we frequently encounter, how they’re used, and why they are the most highly privileged and valuable targets in your company’s entire infrastructure. We’ll then discuss specific examples (with demos!) of novel abuses of intended functionality in automated pipelines which allow us to turn the build pipelines from a simple developer utility into Remote Code Execution-as-a-Service.
Why does it matter? Software supply chain security has been a front-burner topic and research work into CI/CD pipeline attack surfaces will surely attract attention at the highest levels.
###
