Black Hat Reflections: Supply Chain Attacks, Zero Days and Disclosures

August 18, 2021 Andy Thompson

Black Hat 2021 had a markedly different tone from previous years. Welcoming remarks explored the strong parallels between cybersecurity and COVID-19 prevention, with founder Jeff Moss asking “…what are you doing to try to confer an immunity to those around you?” and urging the security community to be part of the solution.

Whether you ventured to Vegas or tuned in from afar, the thought-provoking questions and content continued throughout the event. Here are some topics that particularly stood out to me:

Ransomware Supply Chain Targets Aren’t Always the Real Targets

Throughout the event, supply chain attacks dominated the conversation. Opening keynote speaker Corellium COO Matt Tait painted a sobering picture of the near future, warning that what we’ve seen is “peanuts” compared to what’s coming. Instead of using “spray and pray” tactics, attackers — and ransomware actors in particular — are targeting very specific organizations for very specific reasons. And they’re using upstream providers like Kaseya to reach them. Tait also noted that the number of zero days being exploited by attackers is “off the charts,” reaching levels not seen in the past eight years. Why? They’re scaling their attacks, pulling out all the stops and moving at incredible speed.

The Malware-as-a-Service Market Is Thriving

While attacks are growing in sophistication and scale, there are still plenty of threat actors going after “low-hanging fruit.” For instance, the dark world of malware-as-a-service (MaaS) is alive and well, providing nefarious characters with easy access to popular credential theft malware, one of the most prevalent types of malware used in cyber attacks today. The main objective of nearly all credential theft malware is to gather as much confidential and sensitive information (like user credentials and financial information) as possible. Popular credential stealers, such as Oski Stealer, are cheap to buy and can be operationalized easily — with little to no technical skill required.

Identity’s Leading Role in Major Breaches

The cybersecurity community needs to collaboratively innovate to move as fast as our adversaries — and embracing an attacker’s mindset is a crucial starting point. In my Black Hat talk, “The Anatomy of a Breach with CyberArk Labs: Supply Chain and Privilege,” we did just that by deconstructing the phases of recent supply chain attacks — from initial infection and customer targeting through privilege escalation and exfiltration. By examining revelations from these attacks, it’s clear that the compromise of identity and subsequent manipulation of privileged credentials were instrumental in their success. To build effective cybersecurity strategies, you have to assume that any identity in your network may be compromised. And instead of trying to keep the “bad guys” out, you can focus on protecting what they’re after.

The Disclosure Debate Reignites

Speaking of identity compromise, criminal enterprises are increasingly reliant on vulnerable web applications to harvest credentials and launch their attacks. Navigating the internet’s many hidden dangers is a challenge for consumers and security researchers alike. So, it was no surprise that tools that can search across websites for vulnerabilities and aggregate threat information on exploitable flaws at scale created buzz, and even some controversy, at Black Hat. The debate boiled down to this: Attackers are innovating in lockstep with defenders. Do well-intentioned vulnerability disclosure tools give them an edge?

Cloud Apps Now the “Holy Grail” for Espionage Attackers

As organizations shift more data to the cloud, nation-state attackers are setting their sights on popular SaaS applications as they work to exfiltrate sensitive information. With motivations that reach far beyond financial gain, these types of attacks often require stealthy, long-term persistent access in cloud environments. At the conference, researchers presented a series of novel and sophisticated attack techniques seen in the wild — one of the most notable being Golden SAML, first discovered by CyberArk Labs and used in the massive SolarWinds supply chain attack.

Passwordless Authentication Risks We Now “Face”

Biometric authentication is gaining traction in the enterprise to help mitigate the numerous security risks inherent with password use. But, considering most of our faces are out in the public domain, passwordless login features are not fail-safe. Our own CyberArk Labs security researcher Omer Tsarfati presented his talk, “Bypassing Windows Hello for Business and Pleasure,” on how to circumvent Microsoft’s Windows Hello biometric authentication using a spoofed USB webcam, in what PC Mag called one of the “scariest things” seen at this year’s show. Read more about his research here.

Open Source Tools Aid Containerized Environment Testing

Managing containerized workloads and services is top of mind for many DevOps teams today, and according to a recent Cloud Native Computing Foundation (CNCF) survey, more than 78% of organizations rely on Kubernetes as their container orchestration platform. This year, multiple Black Hat sessions focused on finding and mitigating vulnerabilities in these dynamic environments — with community-sourced tools that aid pen testers and Red Teamers in pinpointing threats generating significant interest.

Biohacking Is the New Frontier

The threat research and tools presented at Black Hat are essential in helping security professionals protect against digital threats. But what happens when they come up against someone who is both the attacker and the attack vector? My CyberArk colleague Len Noe took Black Hat attendees deeper into the mind of an attacker: from a rogue employee sporting an implanted RFID microchip to secretly store sensitive data and files to the malicious outsider who conceals an entire Linux system beneath their skin to pass every physical and digital security check and make off with your most valuable corporate assets. While it sounds like a science fiction novel, it’s real life today. Are you ready?
