Did you miss out on Black Hat 25 or got stuck in the business hall? Don't worry, I'm going to summarize some of what I thought were the most important takeaways from the Black Hat 25 briefings.

As always there is an endless list of talks, events, tool showcases, and of course corporate-sponsored partying. Below is a compiled list of some of the trends and more interesting talks we found at Black Hat 25.

Source control, a new target for supply chain attacks

Image: Chris Krebs (source: Black Hat 25)

Recent years have seen a dramatic rise in software supply chain attacks. It is then little surprise that briefings on supply chain attacks were prominent in this year's Black Hat event. A lot of the technical briefings on supply chain attacks this year focused on the role of developer accounts, from code repositories and beyond.

“Why do adversaries target the software supply chain? Because that's where the access is!” - Chris Krebs

In one such briefing, “RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise”, speakers Viktor Gazdag and Iain Smart from NCC discussed some real-world examples of compromising organizations through their CI/CD pipelines. CI/CD (Continuous Integration and Continuous Delivery) is common in DevOps practice to test, build and deploy applications. Compromising the CI/CD pipeline can mean you control the build and deployment process.

Developers are often granted too high privileges relating to the CI/CD environments, or misconfigurations make it easy for an attacker to elevate their privileges.

“Assume that every developer is malicious or compromised” - Iain Smart

The presenters of this talk were able to show multiple real-life examples where they were able to conduct attacks from a developer account by elevating their privileges and taking advantage of common misconfigurations to perform admin-level tasks and ultimately take over the CI/CD environment. This included loading external malicious packages to trick the pipeline into giving them admin credentials, or simply accessing production environment credentials by replacing DEV with PROD and printing environment variables to screen.

“Anyone that was a dev could get full access to production accounts” - Iain Smart

But this theme ran in many other presentations. Brett Hawkins, Adversary Simulation Researcher, IBM X-Force Red, had two presentations at Black Hat focusing on his new tool called SCMKit. This tool and related presentations showed how you can attack SCM tools like GitHub Enterprise, GitLab Enterprise, and Bitbucket Server using hijacked credentials.

Why is this so significant? If you can control the source code you can control not just the application, but its complete pipeline: testing, building, and deployment.

“I wanted to bring more attention to securing these systems. Black Hat is the perfect place to do this.” - Brett Hawkins, Adversary Simulation Researcher

The toolkit Hawkins released automated a large amount of the manual tasks an attacker would need to do to achieve a takeover of these systems. Those steps included reconnaissance, which allows exploration of repositories or code, and privilege escalation, which could allow users to elevate accounts under their control to the admin level. There's also a module for persistence, or the use of personal access tokens or SSH keys to maintain access to the compromised SCM system.

“I wanted to create a tool that could interface with the APIs of the source code management systems” - Brett Hawkins, Adversary Simulation Researcher

This theme of targeting developer tooling and accounts to launch a supply chain attack was a core focus across many briefings and showed not just the need to secure code repositories and other tools but also a clear trend in where supply chain attack scenarios are heading.

AI (Artificial Intelligence) tools are more A than I

Black Hat 25 also took a look at the role of AI and ML in cyber security. There has been a lot of hype about the role of AI in cybersecurity as a possible way to ease the skill shortage and gain a significant upper hand against adversaries. This hype has been largely vendor-driven, but many security researchers and prominent voices at Black Hat were quick to shut down the role AI may have in security.
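The CI/CD credential exposure described in the NCC briefing above, a job re-pointed from DEV to PROD that then prints its environment variables into a log every developer can read, leaves a signature in the job output that defenders can check for. The following is an added example and not code from the talk or from any tool it mentions; the log lines, variable names and the protected-branch policy in PROTECTED_REFS are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed CI job log (not from the briefing): a deploy job that was
# re-pointed from DEV to PROD and then ran `printenv`, echoing secrets.
SAMPLE_JOB_LOG = """\
[deploy] Resolving environment: PROD
[deploy] Running: printenv
PATH=/usr/local/bin:/usr/bin
CI_JOB_ID=4711
PROD_DB_PASSWORD=constructed-example-password
AWS_SECRET_ACCESS_KEY=CONSTRUCTEDEXAMPLEKEY0000000000000
DEPLOY_TOKEN=tok_constructed_abc
[deploy] Done
"""

# Variable names that should never appear in job output readable by every dev.
SECRET_NAME_RE = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY", re.I)
DUMP_CMD_RE = re.compile(r"\b(printenv|env|set)\s*$")      # whole-environment dump
KV_RE = re.compile(r"^([A-Z][A-Z0-9_]*)=(.*)$")           # KEY=VALUE output line
ENV_RE = re.compile(r"Resolving environment: (\w+)")
PROTECTED_REFS = {"main", "release"}  # assumed policy: only these may deploy to PROD

@dataclass
class Finding:
    line_no: int
    name: str
    reason: str

def scan_job_log(log: str) -> List[Finding]:
    """Flag env-dump commands and secret-named KEY=VALUE lines in a CI job log."""
    findings = []
    for no, line in enumerate(log.splitlines(), 1):
        if DUMP_CMD_RE.search(line):
            findings.append(Finding(no, line.strip(), "environment dumped to job output"))
            continue
        m = KV_RE.match(line)
        if m and SECRET_NAME_RE.search(m.group(1)):
            findings.append(Finding(no, m.group(1), "secret-named variable printed"))
    return findings

def leaked_secret_names(log: str) -> List[str]:
    """Names of secret-looking variables that were printed, sorted for reporting."""
    return sorted(f.name for f in scan_job_log(log) if f.reason == "secret-named variable printed")

def prod_from_unprotected_ref(log: str, ref: str) -> bool:
    """True if the job resolved PROD while running from a ref developers can push to."""
    m = ENV_RE.search(log)
    return bool(m and m.group(1) == "PROD" and ref not in PROTECTED_REFS)
```

Any secret name this reports should be treated as exposed and rotated, and a PROD resolution from an unprotected ref is the DEV-to-PROD swap the speakers described, which environment protection rules on the CI system are meant to block.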