It’s that time again – yep, August. And you know what that means: Black Hat! Vegas! Swag. Great speakers. Putting your Fitbit to WORK in the Mandalay Bay! Oh, and the heat. Oh…wait, it is 2020…
This year, Black Hat 2020 is virtual. Still great speakers. Still great sessions. Still booths to “stop by”. Still swag to be had.
We asked our Research Team to go through the sessions and pick out which sessions sound particularly interesting to them. You may or may not notice a teeny trend here…<cough> rootkits <cough>.
The sessions they picked are listed below:
- Hiding Process Memory via Anti-Forensic Techniques; Speaker: Frank Block
This talk is in the Malware track and will present three novel novel methods that prevent malicious user space memory from appearing in analysis tools and additionally making the memory inaccessible from a security analysts perspective. As a proof of concept, the speaker will show how he implemented all techniques for the Windows and Linux operating systems, and subsequently evaluated these with both, memory forensics and live analysis techniques.
- Decade of the RATs – Custom Chinese Linux Rootkits for Everyone; Speaker: Kevin Livelli
Also in the Malware track. While 2020 is the Year of the Rat for the Chinese, it’s felt more like the Decade of the RATs. The talk reveals how five Chinese APT groups that originally stemmed from the notorious WINNTI collective formed a Linux splinter cell. Set against the backdrop of recent, renewed efforts by the US Department of Justice to expose and prosecute Chinese espionage, the talk sheds light on a new and troubling chapter in an otherwise old story of Chinese IP theft – one that crosses into the Android and Windows platforms as well. The talk demonstrates how the attackers successfully preyed upon defender assumptions regarding the security of Linux, the treatment of Windows adware, and the overall deployment of security products and services.
- Finding New Bluetooth Low Energy Exploits via Reverse Engineering Multiple Vendors’ Firmwares; Speaker: Veronica Kovah
This is part of the Reverse Engineering track. Bluetooth Low Energy (BLE) has seen widespread product adoption and a renewed interest from a security community whose interest in Classic Bluetooth (BT) had waned.This talk describes my process of going from knowing nothing about Bluetooth, to reverse engineering multiple vendors’ firmwares, and finding remote code execution exploits for multiple new vulnerabilities at the lowest levels of the BLE protocol stack which I will demonstrate. Exploits at this layer are of particular interest because they require neither pairing nor authentication, merely proximity, to exploit.
- Detecting Fake 4G Base Stations in Real Time; Speaker: Cooper Quintin
4G/LTE IMSI-catchers (such as the Hailstorm) are becoming more popular with governments and law enforcement around the world, as well as spies, and even criminals. In this talk, we hope to clear up myths about what modern IMSI-catchers can and can’t do, based on results from recent cell network security research. We will also demonstrate software and heuristics to detect fake 4G/LTE base stations that anyone can build. We will also present an outline for the path towards fixing some of the fundamental issues in cell network security, so that hopefully IMSI-catchers are one day a thing of the past.
- Demystifying Modern Windows Rootkits; Speaker: Bill Demirkapi
This talk will demystify the process of writing a rootkit, moving past theory and instead walking the audience through the process of going from a driver that says “Hello World” to a driver that abuses never-before-seen hooking methods to control the user-mode network stack. We’ll walk through writing a rootkit from scratch, discussing how to load a rootkit, how to communicate with a rootkit, and how to hide a rootkit. With every method, we’ll look into the drawbacks ranging from usability to detection vectors. The best part? We’ll do this all under the radar, evading PatchGuard and anti-virus.
- FASTCash and INJX_Pure: How Threat Actors Use Public Standards for Financial Fraud; Speaker: Kevin Perlow
The INJX_Pure and Lazarus FASTCash malware families are each built on publicly documented standards that enable their respective operating threat actors to perform financial “cash outs” at ATMs. While each of these malware families leverages a different standard to do this, they both demonstrate that their authors and operators possess strong programming abilities *and* a knowledge of the underlying mechanics of a financial card transaction. With a focus on ISO-8583 and eXtensions for Financial Services (XFS), this talk will offer analysts an opportunity to understand the underlying, publicly documented standards that allow these malware families to operate. Attendees will learn how knowledge of these standards provides invaluable information that can be used to build a preliminary intelligence snapshot regarding the adversaries’ intrusions and tooling capabilities.
- Reversing the Root: Identifying the Exploited Vulnerability in 0-days Used In-The-Wild; Speaker: Maddie Stone
Over the past 12 months, Project Zero has analyzed eleven 0-day vulnerabilities that were exploited in the wild. Rather than discussing these exploited vulnerabilities in detail, this talk will instead cover the reverse engineering techniques to determine the vulnerability in the first place. For these 11 different 0-days, we used five different techniques to determine their root cause. This talk will detail the factors that go into when each technique is used, how we used the technique, and lessons learned from when it’s been successful and when it hasn’t.
- Demigod: The Art of Emulating Kernel Rootkits; Speaker: Quynh Nguyen Anh, Quang Nguyen Hong, Tuan Do Minh
Kernel rootkit is considered the most dangerous malware that may infect computers. Operating at ring 0, the highest privilege level in the system, this super malware has unrestricted power to control the whole machine, thus can defeat all the defensive and monitoring mechanisms.
This research proposes a novel approach to deal with kernel rootkits. We introduce Demigod, a framework to emulate OS environments, so kernel rootkits can be run in software emulators, all in ring 3. From this sandbox, we can safely monitor, trace, debug or perform all kinds of dynamic analysis with this advanced malware. Demigod will be released after our presentation, with full source code.
- Stealthily Access Your Android Phones: Bypass the Bluetooth Authentication Speaker: Sourcell Xu, Xin Xin
Every Android phone loves Bluetooth, a short-range wireless communication technology. We can find a large number of Bluetooth devices in any public place. Many of their security issues have been exposed before, such as BlueBorne, KNOB, and BadBluetooth. Today, due to the security risks in AOSP (Android Open Source Project) and the negligence of some well-known mobile phone manufacturers, we have another 0day vulnerability that can be played. And it was named BlueRepli (Bluetooth Replicant). At the application layer, Bluetooth is like a parent who over-disciplined. It defines various implementation standards for a variety of complex application scenarios. These standards are called profiles. Of course, the use of these profiles by remote devices requires authorization from local users and strict authentication from local Android phones. However, this study found two new ways to bypass these authentications and gain profile access. We also prepared rich video demos to show the exploits we implemented, such as stealing mobile phone contact information, call history, stealing SMS verification codes, and sending fake text messages using the vulnerable phone.
- Detecting Access Token Manipulation; Speaker: William Burgess
Windows access token manipulation attacks are well known and abused from an offensive perspective, but rely on an extensive body of arcane Windows security internals: logon sessions, access tokens, UAC, and network authentication protocols, such as Kerberos and NTLM, to name a few. This presentation aims to demystify how access tokens work in Windows environments and show how attackers abuse legitimate Windows functionality to move laterally and compromise entire Active Directory domains. Most importantly, it will cover how to catch attackers in the act, and at scale, across enterprises. In doing so, defense practitioners will understand the key signals to identify access token manipulation within their own environments in order to detect and respond to these types of attacks.
- A Decade After Stuxnet’s Printer Vulnerability: Printing is Still the Stairway to Heaven; Speaker: Peleg Hadar, Tomer Bar
In 2010, Stuxnet, the most powerful malware in the world revealed itself, causing physical damage to Iranian nuclear enrichment centrifuges. In order to reach Iran’s centrifuges, it exploited a vulnerability in the Windows Print Spooler service to gain code execution as NT AUTHORITY\SYSTEM. Due to the hype around this critical vulnerability, we (and probably everyone else) were pretty sure that this attack surface would no longer exist a decade later. We were wrong…in this presentation, we will show:
- Past Stuxnet’s vulnerabilities and how they were partially patched (even multiple times)
- The analysis of the 3rd Stuxnet vulnerability in the Windows Print Spooler, which was considered fully patched until now
- A live demo of two 0-day vulnerabilities we discovered in the Windows Print Spooler. One of them works on all the Windows releases from 2000 to Windows 10 (32 and 64-bit); the other works on all the Windows releases from Windows 7 to Windows 10 (32 and 64-bit)
- Our research process, our methodology and home-brewed tools
- A more robust way to mitigate future exploitation of similar vulnerabilities
- Several open-source tools for testing the system against the attack, mitigating it and helping other researchers to challenge this mechanism as well.
- Operation Chimera – APT Operation Targets Semiconductor Vendors; Speaker: Chung-Kuan Chen, Inndy Lin, Shang-De Jiang
This presentation provides an analysis of the advanced persistent threat (APT) attacks that have occurred during the past two years on the semiconductor industry. Our research shows that the majority of these attacks were concentrated on the Taiwan semiconductor sector. In this presentation, we seek to shed light on the threat actors and campaigns of these attacks, where they are collectively referred to as Operation Chimera (a.k.a. Skeleton). Additionally, we provide a brief overview of the current information security status of Taiwan’s semiconductor industry.
In this presentation, we conduct a comprehensive analysis on the employed technologies, tactics, and customized malware of Operation Chimera.
- TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices – Pwn Android Phones from 2015 to 2020; Speaker: Guang Gong
As more and more mitigations have been introduced into Android, modern Android devices become much more difficult to be rooted, in particular, remotely rooted. This is especially true for Pixel Devices as they always have the latest updates and mitigations. In this presentation, we will explain why Pixel devices are difficult targets and will give an attack surface analysis of remotely compromising Android. Furthermore, we will introduce an exploit chain, named TiYunZong, which can be leveraged to remotely root a wide range of Qualcomm-based Android devices including Pixel Devices.
- Election Security: Securing America’s Future; Speaker: Christopher Krebs
We have a vested interest in this session, as we are familiar with election issues.
The United States Government is intensely focused on election security and is working together with election partners better than ever before. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is leading the federal effort to support state and local officials in their important mission to secure elections in 2020. We are sharing intelligence, resources, support and cybersecurity services to secure election infrastructure against malicious activity.
Since 2017, federal, state, local and private sector partners have been building up our defenses and preparing for the 2020 elections. We know this election will be a target and the bad guys are still out there, but we are trained, exercised and ready.
- Policy Implications of Faulty Cyber Risk Models and How to Fix Them; Speakers: Wade Baker and David Severski
Our long-time friend, Wade Baker is one of this session’s speakers, so we are kind of partial to this one.
Bad security data leads to bad security policies; better data enables better policies. That, in a nutshell, is the thesis of this talk. To back that up, we’ll share a FUD-free and data-driven analysis of the frequency and economic costs of tens of thousands of historical cyber incidents, with a special focus on events that impact multiple organizations.
Are we under or overestimating the economic risk of cyber events? How might errant estimates of breach likelihood or probable losses affect organizational governance and risk management? Could misunderstandings about the true extent of incident propagation across supply chains hamper the development of effective policies to manage third-party risk? What would an inter-organizational approach to security policies and practices look like? Can the study of past events aid future-looking decisions such as establishing risk appetite and evaluating cyber insurance needs? Could poor risk data lead to regulatory and/or compliance requirements that fail to meet their objectives? These are just some of the policy-oriented questions we’ll explore in the talk.
Attendees will gain an understanding how readily available data can be used to first orient to this problem space. From there, the audience will get a picture of ground truth to make better policy decisions on issues ranging from cyber insurance, supply chain management, and the near-mythical risk management ROI.
So, as you can see, good stuff to be had. “Stop by” our booth, get a demo, and of course a t-shirt if you sign up to chat with us. We look forward to “seeing” you there!