As tens of thousands of cybersecurity professionals, executives and policymakers converge on the Las Vegas strip for “Hacker Summer Camp”— the annual Black Hat, DEF CON and B-Sides conferences — the stakes couldn’t be higher. After all, 2024 is a year that has seen increasing levels of cyber disruption, from ransomware attacks that crippled doctors offices and auto dealerships, to widespread compromises of federal agencies attributed to Volt Typhoon, the China-based APT group. 

And, of course, the recent global outage of systems with the Crowdstrike update brings visibility to the brittle nature of the software supply chain. As was clearly stated, this was not due to a cybersecurity attack. But it did illustrate the damage malicious actors could play as we look at software supply chain security (SSCS).

Where does that leave the attendees at Black Hat this week? With a sense of urgency and plenty to discuss. Here are two main themes that attendees at this year’s conference will confront.  

[ Come visit the team and learn more about what we have planned: RL @ Black Hat 2024 ]

Software supply chain security is in the hot seat

As the cybersecurity community gathers in Vegas, governments, enterprises and entire industries are recovering from the massive disruptions caused by a flawed software update for CrowdStrike’s Falcon endpoint detection and response software that was pushed out on July 19th and resulted in a tsunami of crashed Windows systems displaying the “blue screen of death” (BSOD). The close proximity of the attack to the shows means that this incident isn’t (officially) on the agenda, but it is sure to be a major topic of conversation that is sure to be raised on stage and in the hallways.

But even this outage hadn’t happened, threats looming in software supply chains were sure to be a major topic of conversation at Black Hat and the other “Hacker Summer Camp” events, what with the revelations about a targeted campaign to take over the xz Utils open source project, stories about malicious packages lurking on Google Play as well as incidents like the attacks on Ivanti’s Pulse Secure VPN highlighting the risks lurking in both open source and closed source, commercial software. 

A number of talks at Black Hat delve even deeper into the cracks in the foundation of open source and commercial software powering the global economy. They include a high-level Main Stage talk by Danny Jenkins, the CEO of ThreatLocker on software supply chain risks, but also more in the weeds discussions like “Secure Shell in Shambles,” a presentation by famed security researcher HD Moore (who created Metasploit) and Rob King of the firm runZero. Moore and King will delve into the security risks of the aging Secure Shell protocol, a widely used remote management protocol that is nearing its third decade of life and is ubiquitous in both proprietary and open source operating systems. 

But Secure Shell’s age raises fear of “code rot,” while wide ranging implementations have led to “unexpected vulnerabilities and novel attacks,” such as the recently revealed regreSSHion (CVE-2024-6387) in OpenSSH which was uncovered by researchers at Qualys and affects some 14 million publicly accessible systems running Glibc-based Linux systems. Moore and King will reveal an open source tool, dubbed “sshamble” that “opens the door for further research” into SSH flaws. 

The risk posed by wonky code isn’t limited to open source, either. Other Black Hat talks highlight crippling flaws — including remote code execution (RCE) bugs — in commercial codebases as well as prominent cloud services and open source platforms. There’s Alon Leviev’s concerning presentation on Wednesday detailing a compromise of Windows Update (yeah, you read that correctly) to execute forced component downgrades on Windows systems that enable follow on attacks. Leviev, a researcher at SafeBreach was able to “fully take control” of Windows Update,” downgrading critical OS components, including DLLs, drivers, and even the NT kernel, as well as Hyper-V’s hypervisor, Secure Kernel, and Credential Guard’s Isolated User Mode process, expose past privilege escalation vulnerabilities.

As for threats to cloud environments, there’s Tenable researcher Liv Matan’s talk on Wednesday about the “Jenga Tower” that is the Google Cloud Platform (GCP) and those of other providers. Matan highlights a flawed GCP command argument that exposed a critical RCE vulnerability (‘CloudImposer’) that affected both GCP customers’ workloads and Google’s internal production servers, affecting millions of cloud servers. Cloud-based services are a force multiplier for organizations – simplifying the deployment and management of complex systems. But that means that supply chain vulnerabilities in the cloud “are on steroids,” Matan observes.

“Instead of one malicious package affecting one server, one malicious package affects a service that is deployed to millions.”
—Liv Matan

ReversingLabs evangelist Josh Knox said bad actors are ramping up their exploitation of the software supply chain, and showing increased sophistication.

“With 2024’s xz Utils attack, we saw that bad actors are willing to play the long game, if it means that they will be able to have a huge payoff like the xz Utils backdoor would have been if it made it into mainstream Linux distros.”
—Josh Knox

The double-edged sword that is AI

The topic of artificial intelligence (AI) is another dominant theme at this year’s Black Hat — as it is at just about every major tech conference. But the conversation in cybersecurity circles is a bit less optimistic, and more muddled  — with AI presented as both a cybersecurity panacea for overworked, understaffed security teams and a scourge while also allowing malicious actors to automate everything from vulnerability discovery to phishing campaigns and exploitation of security holes. 

For example, there are talks such as Threat Hunting with LLM from researchers at the firm DBAPPSecurity (a pre-recorded session) that highlight how large language model (LLM) AI helped the firm detect and advanced persistent threat group campaign attributed to APT SAAIWC, as well as other attributable events, using LLMs to speed filename-based threat hunting, sample hunting using YARA rules generated by LLM, and applying threat intelligence. A similar talk on Wednesday by Bill Demirkapi, a Security Engineer in Microsoft’s Security Response Center (MSRC) will talk about how the company is using LLMs to automate and streamline what are described as “security response workflows” (read: “vuln scanning” and “patching”). 

But there are more talks that focus on the risks of rapid AI adoption. These include the growing use of AI-generated code by services such as GitHub CoPilot, an application of Microsoft’s CoPilot AI for code generation. Chris Wysopal of Veracode sets the tone with his talk “From HAL to HALT: Thwarting Skynet’s Siblings in the GenAI Coding Era,” where he highlights the risks of relying on code developed by generative artificial intelligence (GenAI) that relies on large language models (LLMs) “trained on vulnerable open source software” and prone to data poisoning attacks. The higher velocity of code creation made possible by AI burdens downstream actors charged with vetting code. And, with many trusting AI- over human generated code, the possibilities for serious flaws slipping into production software are high. 

CoPilot is the subject of another Black Hat talk as well: Michael Bargury, the CTO of the firm Zenity will talk on Wednesday on “15 Ways to Break your CoPilot,” that details how Microsoft Copilot Studio, the platform that powers Microsoft’s CoPilot is susceptible to malicious attacks, including prompt injection attacks that could enable data exfiltration in ways that sidestep existing data leak prevention (DLP) protections. The source of the problem? “A combination of insecure defaults, over permissive plugins and wishful design thinking.” 

But the risks aren’t limited to CoPilot. “From MLOps to MLOops” is a talk on Thursday by Shachar Menashe of JFrog  that delves into the cybersecurity risks lurking in machine learning operations (MLOps) platforms like MLflow, Kubeflow and Metaflow, which facilitate machine learning model construction, training, and publishing. Such platforms are hugely powerful – but also a “gold mine for attackers seeking to penetrate the organization and move laterally within it,” Menashe will tell attendees, showing how prominent MLOps feature can be leveraged in real-world attacks.Menashe will also reveal server-side and client-side CVEs JFrog discovered in prominent MLOps platforms that can be used to compromise both MLOps platform servers and clients.

Absent clear guidelines and rules around AI’s use, the question of whether AI and LLMs will be a boon for cybersecurity pros and defenders — or a force multiplier for attackers will play out in real time. 

Meet the RL team at booth #2660

Rapid, tech fueled innovation? Digital transformation? AI? And an exploding threat landscape? That makes for an interesting summer at Hacker Summer Camp. And ReversingLabs will be there.

If you’re at the show, stop by ReversingLabs’ booth on the exhibition floor to chat with our experts about our powerful threat hunting and intelligence solutions, in addition to how we’re using these technologies to power our software supply chain security platform. Plus, we have cookies (the good kind!).

*** This is a Security Bloggers Network syndicated blog from ReversingLabs Blog authored by Paul Roberts. Read the original post at: https://www.reversinglabs.com/blog/the-big-cybersecurity-themes-at-black-hat-2024-and-why-they-matter