This week, BlackHat Asia 2022 took place in hybrid mode. It’s one of the most important events within the #infosec community, where security experts show how far they can go. In this edition, the trend of talks and tools focused on improving the security of Kubernetes, Cloud Security, and Supply Chain, either from the perspective of the blue team or the red team.
In this article, we’ll share our insights about a few of the talks and tools presented that we liked, and we’ll give you an idea of this year’s upcoming trends in cybersecurity.
Briefings
During the two days of BlackHat Asia briefings, we were able to enjoy several high-level talks on cybersecurity. These are, in our opinion, the most remarkable ones.
- Backdoor Investigation and Incident Response: From Zero to Profit
- Managing a security incident where a backdoor takes place is not trivial. This talk explains the Backdoor Incidence Response Matrix (BDIRM) framework based on a triangle (server, backdoor, and network) for the acquisition and analysis of data to understand the attacker’s access. This allows us to make a better attribution and generate the best indicators of compromise or detection techniques.
- The Firmware Supply-Chain Security Is Broken: Can We Fix It?
- Dependencies are the headache of any security auditor or developer, and even more so when you don’t have full visibility. In some cases, vulnerable firmware components continue to be used because they are not exploitable on their own. When another vulnerability later appears in a different component, it can make the earlier one exploitable, which makes it much harder to see the real risk of old vulnerabilities that remained latent and were badly scored.
- Using Zero to Attack Zero-Knowledge Proof (ZKP) PLONK
- This talk reviews an incredible but real case of theory vs. practice. The speaker discusses a critical issue in a cutting-edge C++ implementation of the ZKP PLONK protocol which allows an attacker to create a forged proof that all verifiers will accept.
- Quantify Security Effectively – Moving the Security Needle From the Security Trenches to the Boardroom
- One of the keynotes. The speaker shared compelling ideas such as the definition of a shared responsibility model between developers and the cybersecurity team. Understanding who owns the vulnerability and who owns the mitigation is key to avoiding future incidents and the loss of time and money. It is necessary to escalate and prioritize; otherwise it is not achievable.
- Another impressive concept is quantifying success in cybersecurity. It is necessary to measure it in order to check whether the measures are being effective.
- Like Lightning From the Cloud: Finding RCEs in an Embedded TLS Library and Toasting a Popular Cloud-connected UPS
- This talk explains the importance of handling errors in code. The presenters explained how exploiting this would allow an attacker to control switches and systems such as a UPS (which keeps systems powered if the mains goes down), and how the exploit can be replicated across different vendors because they use the same implementation. During the demonstration, they caused the device to burn.
- Dynamic Process Isolation
- An explanation of a remote Spectre attack using amplification techniques in combination with a remote timing server. The authors contribute a process isolation mechanism that only isolates suspicious worker scripts flagged by a detection mechanism. The Dynamic Process Isolation paper demonstrates a solution that detects all state-of-the-art attacks of this kind.
Arsenal
Several tools were presented at BlackHat Asia this time. Although not necessarily new, it is always interesting to see the latest features or discover unknown tools. Worth mentioning are the differences in point of view: the Kubernetes tools are mostly intended for red teams, whereas the supply chain tools focus on usage by blue teams.
- Kubesploit
- An open source penetration testing framework that can improve your cybersecurity posture by scanning your cluster and also running post-exploitation attacks. This tool is a must in your repository.
- Kdigger
- This CLI tool is similar to the first one, but also recommended as it keeps adding improvements. To present the features, the demo shows a minik8s-ctf environment. It is really great for testing and implementing the new features.
- ThunderCloud
- This tool is a compilation of other techniques focused on AWS. Two of them are especially interesting: creating an SSO phishing page to steal the access token, and the simple code to collect the ACCESS KEYs when the Cognito endpoint is known and misconfigured.
- In Supply Chain Attacks, three tools were presented. Dependency Combobulator detects dependency confusion using heuristics, for example whether the repository is public or the time since the last change. It is similar to packj, but in this case it also implements metadata checks (whether the repository has 2FA enabled) and typosquatting detection, finding packages with similar names to avoid mistakes. ChainAlert focuses on automating the detection of compromised dependencies using the difference between tags on GitHub and versions on NPM, but its detection rate is very low.
- Pwnppeteer is an offensive tool to manage phishing attacks with Lambda functions to automate the process.
- Telegrip assists in obtaining evidence from Telegram on Android devices with an Autopsy-like UI, a great forensic tool.
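The supply chain heuristics described above (name similarity for typosquatting, repository visibility, 2FA metadata, time since the last change, and a mismatch between GitHub tags and the published NPM version) are easy to reproduce. The following is an added example written for this article, not the code of Dependency Combobulator, packj or ChainAlert; the registry metadata is constructed sample input, not a live lookup.

```python
"""Dependency-risk heuristics over constructed package metadata (added example)."""
from datetime import date

# A small list of well-known package names to compare against (assumption: in
# practice this would be the popular-package list of the registry).
KNOWN_PACKAGES = {"lodash", "express", "react", "axios", "chalk"}

# Constructed sample metadata, standing in for what a registry/GitHub lookup would return.
SAMPLE_REGISTRY = {
    "lodash": {"repo_public": True, "maintainer_2fa": True, "last_change": date(2022, 4, 10),
               "npm_version": "4.17.21", "github_tags": ["v4.17.21", "v4.17.20"]},
    "lodahs": {"repo_public": True, "maintainer_2fa": False, "last_change": date(2022, 5, 18),
               "npm_version": "1.0.0", "github_tags": []},
    "express": {"repo_public": True, "maintainer_2fa": True, "last_change": date(2021, 1, 5),
                "npm_version": "4.18.1", "github_tags": ["4.17.3"]},
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming (two rows kept)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_candidates(name: str, known=KNOWN_PACKAGES, max_dist: int = 2):
    """Well-known names within a small edit distance of `name` (the name itself excluded)."""
    return sorted(k for k in known if k != name and edit_distance(name, k) <= max_dist)

def assess(name: str, meta: dict, today: date = date(2022, 5, 20), stale_days: int = 365):
    """Return the list of heuristic findings for one dependency."""
    findings = []
    lookalikes = typosquat_candidates(name)
    if lookalikes:
        findings.append("typosquat:" + ",".join(lookalikes))
    if not meta.get("repo_public", True):
        findings.append("repo-not-public")
    if not meta.get("maintainer_2fa", False):
        findings.append("no-2fa")
    if (today - meta["last_change"]).days > stale_days:
        findings.append("stale")
    # ChainAlert-style check: the published version should exist as a tag (with or without 'v').
    if meta["npm_version"] not in {t.lstrip("v") for t in meta["github_tags"]}:
        findings.append("npm-version-not-tagged")
    return findings

def scan(deps, registry=SAMPLE_REGISTRY):
    """Map each dependency that has findings to its findings."""
    return {d: f for d in deps if (f := assess(d, registry[d]))}

if __name__ == "__main__":
    print(scan(["lodash", "lodahs", "express"]))
```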
Next conference – KubeCon EU
These were the most relevant takeaways from BlackHat Asia. As expected, the three main topics, Kubernetes Security, Cloud Security, and Supply Chain Attacks, stay on track with more content and tools, and we assume this will continue over the long term.
There are still a few months until the next BlackHat in Las Vegas, but next week we will be at KubeCon Europe in Valencia!!
If you’d like to meet us, we will be at KubeCon for the whole week. Come visit us at our Sysdig booth or attend the security talk How Attackers Use Exposed Prometheus Server to Exploit Kubernetes Clusters.