It’s no secret that days (and time in general) are generally meaningless now—except when you get the opportunity to break out of your routine and attend an amazing event like this year’s virtual Black Hat. Our Rapid7 experts attended another day of incredible talks, and have plenty of key takeaways and insights to share with you about their research, vulnerability management, and detection and response sessions. Here’s what they had to say:
Research takeaways from Black Hat 2020 (Day 2)
The accidental theme of all three research topics ended up being "how can attackers leverage external influences to get internal goodies?" So, here we go!
EtherOops: Exploring Practical Methods to Exploit Ethernet Packet-in-Packet Attacks
This session, hosted by Ben Seri and Gregory Vishnepolsky, explored how packet-in-packet attacks on the Ethernet protocol have moved beyond a theoretical capability to become both a practical and powerful attack.
Tod Beardsley, Director of Research at Rapid7, said that at the start of the talk, he was pretty much expecting a crafted packet-in-packet attack using some type of tunnelling protocol such as IPv4-over-IPv6. By the middle, he was asking, “Wait, how do you control the random interface failure?” And by the end, he finally understood that you can’t control the failure, but you can control what happens next and how the CPU interacts with the packet it just thinks it got. He said it was an emotional rollercoaster, but he now feels way smarter about how physical networking works.
His big takeaways were that WebRTC is black magic and breaks NAT a little more than he first thought. He added that the rate of failure and bit flipping due to external, physical interfaces is high enough on normal, commodity cables that high-security environments really need to pay more attention to their cabling. Additionally, he (exasperatingly) wanted to know why IPv6 Router Advertisement is a thing, since he sees it as a super-aggressive and un-ignorable DHCP response when you didn’t even ask for it.
“I know that’s the point of the talk,” Tod said, “but I have to think there are other means for generating up RA packets that can go a long way on an internal pen test.”
In terms of next steps, Tod said he’s looking forward to seeing more research about smuggling UDP over WebRTC and plans to finally replace all of his cables.
Industrial Protocol Gateways Under Analysis
In this session, hosted by Marco Balduzzi, researchers shared their results of a cross-vendor security evaluation of five popular protocol gateways, including several potentially damaging classes of security problems for industrial facilities.
For Andreas Galauner, Senior Security Researcher at Rapid7, one big takeaway was their explanation of the fact that most people don’t see industrial appliances as computers, but rather “special-purpose hardware.” However, they have everything that belongs to a proper computer, including operating systems, bugs, and all of the implications for the necessity of regular patching. Andreas said that while this wasn’t news to him, he hadn’t considered that other people might not think that way.
He also found it interesting that logic bugs can be as severe as classic remote code execution bugs, and that industrial control system security is in an absolutely horrible state. Andreas also discovered that the approach to the industrial control protocol gateway is to look not just for code execution bugs, but also for actual bugs in the translation from one side to the other. A logic bug in this part of the system could lead to firewall bypasses and control of protected parameters, which could be very dangerous.
A Hacker's Guide to Reducing Side-Channel Attack Surfaces Using Deep-Learning
This talk, put on by Elie Bursztein, used a concrete, step-by-step example to showcase the promise of combating deep-learning-based side-channel attacks, the approach’s limitations, and how it can be used today.
Erick Galinkin, Principal Artificial Intelligence Researcher at Rapid7, said this was a very clean presentation and found it interesting that these types of attacks are possible at all, though he doesn’t think they are very practical. Andreas added that side-channel attacks are complicated, and you really have to dig into the inner workings of the CPU. However, he found that the talk did a great job of breaking down a very complicated topic and explaining it so well that a five-year-old could understand it (well, maybe not a five-year-old, but you get the idea).
Erick reported that side-channel attacks against cryptographic devices are possible and can be made easier with deep learning. Each bit requires its own model to be trained, and there may be more advanced architectures and collection methods that allow these attacks to work. He added that he found that traditional side-channel methods are still effective and are only marginally less effective than SOTA methods using machine learning.
Vulnerability risk management takeaways from Black Hat 2020 (Day 2)
A Decade After Stuxnet's Printer Vulnerability: Printing is Still the Stairway to Heaven
This session revisited one of security’s best-known foils—printers. Peleg Hadar and Tomer Bar walked through the impact of the Stuxnet worm, and how it’s still wreaking havoc a decade later, despite the availability of patches from Microsoft. In fact, the researchers found several zero-days in the wild leveraging the same mechanism that made Stuxnet so pervasive years ago.
For Brendan Watters, Senior Security Researcher at Rapid7, the two takeaways are clear: First, security pros should be wary that deploying patches does not ensure risk mitigation. Specifically, he enjoyed the discussion around the narrow vs. complete patch binary. Second, and most poignant for Brendan as a researcher, was that he appreciated that the speakers published both a PoC and a patch for the vulnerability. He comments, “More researchers should be focusing on risk mitigation.”
I calc'd Calc - Exploiting Excel Online
This session, brought to you by Nicolas Joly at the Microsoft Security Response Center, walked through a project conducted in 2018 to exploit client-side software (namely Excel) using formula-based functions. In the study, Joly leveraged an integer overflow vulnerability to chain Excel formulas together and get remote code execution on the server.
For our team, it was interesting to see what forms of security research are being explored by both practitioners and adversaries. While fascinated by the background and methodology, Scott King, Senior Director of Advisory Services at Rapid7, noted that the talk lacked some actionability for organizations. He’s interested in how the learnings can be applied in a more current context, such as with cloud-based applications like Google Sheets, and encourages further research on online and cloud-based equivalents of Microsoft applications.
Portable Document Flaws 101
Old dog, many tricks. This talk by Jens Müller centered around the various features of the Portable Document Format (PDF), including some lesser-known weaknesses, and the various attacks that can be executed from these exposures, as PDFs have code execution by design. One of the most eye-opening findings? The more feature-rich PDF readers are, the more susceptible they are to exploitation—this included every single one of the 28 readers (including browser-based) examined in the study.
Senior Technical Lead for Vulnerability Risk Management Justin Prince admits that the session exceeded expectations, finding the dissection of the format surprisingly informative. He advises against “assuming safety” of PDFs, as an attack on a personal desktop can easily escalate to business-critical servers. His general piece of advice following the session is refreshingly simple but resonant: “No local admins.”
Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities
One of the more technical sessions covered, this talk walked through how a team of researchers, comprised of Yonghwi Jin, Jungwon Lim, Insu Yun, and Taesoo Kim, used their knowledge of common broken mechanisms in macOS to leverage six vulnerabilities and garner many offsec professionals’ holy grail—a compromised macOS kernel.
Without getting into the nitty-gritty details, Brent Cook, Director of Engineering for Metasploit, summarizes, “the biggest takeaway from it is that there are many weaknesses that an attacker can be creative with, and there needs to be much more systemic mitigation to prevent attacks like this in the future.” He looks forward to seeing how Apple’s new silicon will help prevent exploitation of these vulnerabilities in the future, and to being first in line for those products. In the meantime, “core mitigations can help stem corrupting program flows.”
Detection and response takeaways from Black Hat 2020 (Day 2)
Experimenting With Real-Time Event Feeds
This session explored the historical reliance on SIEMs for forensic analysis on past logs, and the impact that configurations can have on detections. Speaker Jose Morris also looked at tooling that Microsoft has developed to allow users to access real-time data feeds from their Windows systems.
Alan Foster, senior security solutions engineer at Rapid7, found the positioning of this session interesting. He said, “These tools were created because a lot of SIEMs are pretty hard-coded in terms of selecting which event codes to collect from Windows OS. They found a way to handle a large amount of data efficiently. The user has freedom to pick and choose.”
Ultimately, this session homed in on the concept that while data collection and logging are what SIEMs traditionally do, with new methods and tooling it can now be up to the user what data they want to collect and what they ultimately want to do with it, as opposed to a one-size-fits-all approach.
My Cloud Is APT’s Cloud: Investigating and Defending Office 365
Attackers always have a purpose. And, with current events and more infrastructure moving to the cloud, attackers are reacting, turning their attention to services like Office 365 and third-party solutions. This session explored attack techniques that utilize parts of Office 365 that are often poorly understood and not closely monitored.
Scott King, Senior Director of Security Advisory Services at Rapid7, noted that O365 is pretty friendly when it comes to third-party developers creating applications. “One of the approaches they saw in their research is where MFA was being bypassed,” he said. “It was being bypassed by design, not a vulnerability that was being taken advantage of.” As a result, he stressed that it’s important for organizations to look at where they’re requiring MFA, and where the solution is not.
For Wade Woolwine, principal threat intelligence researcher at Rapid7, a key takeaway from this session was, “Ultimately, your cloud is not as secure as you think, even if you don’t own it.” When organizations pivot to SaaS or IaaS, they lose some control over what’s going on. The provider is also going to make some decisions on your behalf, so it’s even more important to engage with trusted parties to understand the full implications of the platform and visibility. Ultimately, be aware, and make sure you have MFA required at critical points.
A Framework for Evaluating and Patching the Human Factor in Cybersecurity
In this session, Ron Bitton argues that social engineering attacks have dramatically changed in recent years: They are no longer limited to PCs, and they go way beyond phishing. It’s time to take a tougher look at traditional security awareness training and find ways to better evaluate a user’s awareness of their security.
For Jason Hunsberger, senior product manager at Rapid7, the research presented was multi-layered and ambitious. He agreed that most security training is forced on employees and artificial; as a result, there’s an opportunity to shift to using real tools around what internet-connected users need to know and actually secure. Ron provided a framework of 30 items—from virtual accounts to channel controls—which our team found very helpful. The general consensus is that there’s a lot of opportunity to make training more actionable and users more vigilant, because the current training methods don’t really set most employees up for the real world.
Mind Games: Using Data to Solve for the Human Element
Building on the concept of human behavior as it relates to risk, this session was our attendees’ favorite of the day, with takeaways for both security professionals and non-professionals. At its core, Masha Sedova explored how our traditional approach to mitigating human risk assumes that people will make the right security decisions if they have enough training and fear of the consequences. Years of security research indicate otherwise.
Alan Foster noted, “I remember taking acceptable use policy training, and then thinking ‘okay, security is done.’ But it’s more than that, it’s a behavior. What Masha did was collect data connected to security tools to understand what people are doing, and compare it against the trainings. You realize that no amount of training really changed the behavior of individuals.”
Meg Donlon, senior product marketing manager at Rapid7, noted the examples provided, particularly around the impact of audience reviews, really helped drive the research home. “If I see that 100 of my peers have completed this course, I don’t want to be the only one who hasn’t done it.” Ultimately, the research presented made our attendees think of users as part of vulnerability management activities and programs, not just the attack methods.
That’s a wrap! Thank you so much to our Rapid7 team for taking the time to attend these events and share their key takeaways. If you have any questions or anything you’d like to add to the conversation, please feel free to comment below or tweet us @Rapid7.