This week, BlackHat Asia 2022 took place in hybrid mode. It’s one of the most important events within the #infosec community, where security experts show how far they can go. In this edition, the trend of talks and tools focused on improving the security of Kubernetes, Cloud Security, and Supply Chain, either from the perspective of the blue team or the red team.
In this article, we’ll share our insights about a few talks and tools presented that we liked, and we’ll give you an idea of the future trends this year in cybersecurity.
During two days of Blackhat Asia informative sessions, we were able to enjoy several high-level talks on cybersecurity. These are, in our opinion, the most remarkable ones.
Backdoor Investigation and Incident Response: From Zero to Profit
- Managing a security incident where a backdoor takes place is not trivial. This talk explains the Backdoor Incidence Response Matrix (BDIRM) framework based on a triangle (server, backdoor, and network) for the acquisition and analysis of data to understand the attacker’s access. This allows us to make a better attribution and generate the best indicators of compromise or detection techniques.
The Firmware Supply-Chain Security Is Broken: Can We Fix It?
- Dependencies are the headache of any security auditor or developer, and even more so when you don’t have full visibility. In some cases, firmware components are vulnerable and continue to be used because they are not exploitable on their own. That is why when another vulnerability appears in a different component, it makes a previous one possible, making it much more complex to see the risk of old vulnerabilities that remained latent and badly scored.
Using Zero to Attack Zero-Knowledge Proof (ZKP) PLONK
- This talk reviews an incredible but real case of theoretical vs practice. The speaker discusses a critical issue in a cutting-edge ZKP PLONK C++ implementation which allows an attacker to create a forged proof that all verifiers will accept.
Quantify Security Effectively – Moving the Security Needle From the Security Trenches to the Boardroom
- One of the keynotes. The speaker shared attracting ideas such as the definition of a shared responsibility model between developers and the cybersecurity team. Understanding who owns the vulnerability and who owns the mitigation is key to avoiding future incidents, loss of time, and money. It is necessary to escalate and prioritize, otherwise it is not achievable.
- Another impressive concept is to quantify success in cybersecurity. It is necessary to measure it and thus be able to check if the measures are being effective.
Like Lightning From the Cloud: Finding RCEs in an Embedded TLS Library and Toasting a Popular Cloud-connected UPS
- This talk explains the importance of handling errors in code. The presenters explained how the exploitation of this would allow an attacker to control switches and systems such as UPS (controls system power if the network goes down), and how to replicate the exploit in different vendors because they use the same implementation. During the demonstration, they provoked the burning of the device.
Dynamic Process Isolation
- Explanation of a remote Spectre attack using amplification techniques in combination with a remote timing server. The authors contribute with a process isolation mechanism that only isolates suspicious worker scripts following a detection mechanism. The Dynamic Process Isolation paper demonstrates a solution to detect all state-of-art of this kind of attack.
Several tools were presented at Blackhat Asia this time. Although not necessarily new, it is always interesting to see the latest features or discover unknown tools. Something to mention are the differences when changing the point of view. For instance, considering Kubernetes tools as intended for red teams against those of the supply chain where the focus is its usage by blue teams.
- An open source penetration testing framework that can improve your cybersecurity posture scanning your cluster and also post-exploitation attacks. This tool is a must in your repository.
In Supply Chain Attacks, three tools were presented. Dependency Combobulator detects dependency confusion using heuristics; for example, if the repository is public or time since last change. Similar to packj but in this case, it implements metadata (if the repository activates 2FA) or typosquatting detection, finding packages with similar names to avoid errors. ChainAlert focuses on automation and detection of dependency commitment using the difference of tags between Github and NPM, but detection is very low.
Pwnppeteer is an offensive tool to manage the phishing attacks with lambda functions to automate the process