As tens of thousands of cybersecurity professionals, executives, and policymakers converge on the Las Vegas Strip for the annual Black Hat, DEF CON, and B-Sides conferences, the stakes couldn’t be higher. After all, 2024 is a year that has seen increasing levels of cyber-disruption, from ransomware attacks that crippled doctor's offices and auto dealerships to widespread compromises of federal agencies attributed to Volt Typhoon, the China-based advanced persistent threat group.
And, of course, the recent global outage of systems caused by the CrowdStrike update brings visibility to the brittle nature of the software supply chain. While that outage was not due to a cybersecurity attack, it did illustrate the damage malicious actors can wreak on the software supply chain.
Where does that leave the attendees at Black Hat this week? With a sense of urgency and plenty to discuss. Here are two main themes that attendees at this year’s conference will confront.
[ Come visit the team and learn more about what we have planned: RL @ Black Hat 2024 ]
Software supply chain security is in the hot seat
As the cybersecurity community gathers, governments, enterprises, and entire industries are recovering from the massive disruptions caused by a flawed software update for CrowdStrike’s Falcon endpoint detection and response software that was pushed out on July 19 and resulted in millions of crashed Windows systems displaying the “blue screen of death.” Such a recent incident won't appear on the conference agenda, but it is sure to be a major topic of conversation, both onstage and in the hallways.
But even if this outage hadn’t happened, threats facing software supply chains loomed over Black Hat and the other “Hacker Summer Camp” events, what with the revelations about a targeted campaign to take over the xz Utils open-source project, stories about malicious packages lurking on Google Play, and incidents such as the attacks on Ivanti’s Pulse Secure VPN, all highlighting the risks lurking in both open-source and commercial software.
A number of talks at Black Hat will delve even deeper into the cracks in the foundation of the open-source and commercial software that powers the global economy. They include a high-level Main Stage talk by Danny Jenkins, the CEO of ThreatLocker, on software supply chain risks, but also more in-the-weeds discussions such as “Secure Shells in Shambles,” a presentation by famed security researcher HD Moore (who created Metasploit) and Rob King of the firm runZero. Moore and King will delve into the security risks of the aging Secure Shell protocol, a widely used remote management protocol that is nearing its third decade of life and is ubiquitous in both proprietary and open-source operating systems. Secure Shell’s age raises concerns about code rot, and wide-ranging implementations have led to “unexpected vulnerabilities and novel attacks,” such as the recently revealed regreSSHion (CVE-2024-6387) in OpenSSH, which was uncovered by researchers at Qualys and affects some 14 million publicly accessible systems running Glibc-based Linux systems. Moore and King will unveil an open-source tool, dubbed "sshamble," that “opens the door for further research” into SSH flaws.
The risk posed by wonky code isn’t limited to open source, either. Other Black Hat talks will highlight crippling flaws — including remote code execution (RCE) bugs — in commercial codebases as well as prominent cloud services and open-source platforms. For example, Alon Leviev’s presentation on Wednesday will detail a compromise of Windows Update (yeah, you read that correctly) to execute forced component downgrades on Windows systems that enable follow-on attacks. Leviev, a researcher at SafeBreach, was able to “fully take control” of Windows Update,” downgrading critical OS components, including DLLs, drivers, and even the NT kernel, as well as Hyper-V's hypervisor, Secure Kernel, and Credential Guard's Isolated User Mode process, to expose past privilege-escalation vulnerabilities.
As for threats to cloud environments, Tenable researcher Liv Matan on Wednesday will talk about how the Google Cloud Platform (GCP) and other cloud providers' platforms are “Jenga towers” due for a fall. Matan will highlight a flawed GCP command argument that exposed a critical RCE vulnerability ('CloudImposer') that affected both GCP customers' workloads and Google's internal production servers, affecting millions of cloud servers. Because cloud-based services are a force multiplier for organizations that simplify the deployment and management of complex systems, cloud vulnerabilities can cause supply chain vulnerabilities that “are on steroids,” says Matan.
“Instead of one malicious package affecting one server, one malicious package affects a service that is deployed to millions.”
—Liv Matan
ReversingLabs evangelist Josh Knox said bad actors are ramping up their exploitation of the software supply chain and showing increased sophistication.
"With 2024's xz Utils attack, we saw that bad actors are willing to play the long game if it means that they will be able to have a huge payoff like the xz Utils backdoor would have been if it made it into mainstream Linux distros."
—Josh Knox
The double-edged sword that is AI
Artificial intelligence will be another dominant theme at this year’s Black Hat — as it is now at just about every major tech conference. But the view of AI in cybersecurity circles is a bit less optimistic and more muddied. AI is seen as both a cybersecurity panacea for overworked, understaffed security teams and a scourge that allows malicious actors to automate everything from vulnerability discovery to phishing campaigns and the exploitation of security holes.
For example, "Threat Hunting with LLM," a pre-recorded session from researchers at the firm DBAPPSecurity, highlights how large language models (LLMs) helped the firm detect an advanced persistent threat campaign attributed to APT SAAIWC. LLMs also uncovers other attributable events, speeds up filename-based threat hunting, generates YARA rules for threat hunting, and applies threat intelligence. A similar talk on Wednesday by Bill Demirkapi, a security engineer in Microsoft’s Security Response Center (MSRC), will disclose how the company is using LLMs to automate and streamline what are described as “security response workflows” (read: “vuln scanning” and “patching”).
But even more talks will focus on the risks of rapid AI adoption. One talk, by Chris Wysopal of Veracode, will look at the growing use of AI-generated code by services such as GitHub Copilot, an application of Microsoft’s Copilot AI for code generation. The talk, “From HAL to HALT: Thwarting Skynet's Siblings in the GenAI Coding Era,” will highlight the risks of relying on code developed by generative AI built on LLMs that were trained on vulnerable open-source software and prone to data-poisoning attacks. The higher velocity of code creation made possible by AI burdens downstream actors charged with vetting code. If software producers trust AI over human-generated code, the possibilities for serious flaws slipping into production software are high.
Copilot will the subject of another Black Hat talk. Michael Bargury, the CTO of the firm Zenity, will talk on Wednesday on “15 Ways to Break your Copilot,” detailing how Microsoft Copilot Studio, the platform that powers Copilot, is susceptible to malicious attacks, including prompt injection attacks that could enable data exfiltration in ways that sidestep existing data leak prevention (DLP) protections. The source of the problem? “A combination of insecure defaults, over permissive plugins and wishful design thinking.”
But the risks aren’t limited to Copilot. “From MLOps to MLOops” is a talk on Thursday by Shachar Menashe of JFrog that delves into the cybersecurity risks lurking in machine learning operations (MLOps) platforms such as MLflow, Kubeflow, and Metaflow, which facilitate ML model construction, training, and publishing. Such platforms are hugely powerful -but also a “gold mine for attackers seeking to penetrate the organization and move laterally within it,” Menashe will tell attendees, showing how prominent MLOps feature can be leveraged in real-world attacks. Menashe will also reveal server-side and client-side CVEs that JFrog discovered in prominent MLOps platforms, which could be used to compromise both MLOps platform servers and clients.
Absent clear guidelines and rules around AI’s use, the question of whether AI and LLMs will be a boon for cybersecurity pros and defenders or a force multiplier for attackers will play out in real time.
Meet the RL team at Booth #2660
Rapid, tech-fueled innovation? Digital transformation? AI? And an exploding threat landscape? That all makes for an interesting summer at Hacker Summer Camp. And ReversingLabs will be there.
If you’re at the show, stop by ReversingLabs' booth on the exhibition floor to chat with our experts about our powerful threat hunting and intelligence solutions, in addition to how we’re using these technologies to power our software supply chain security platform. Plus, we have cookies (the good kind!).
