LIVE NOW: Dark Reading News Desk returns to Black Hat USA 2022

Welcome to the Dark Reading News Desk, which will be livestreamed from Black Hat USA at Mandalay Bay in Las Vegas. Dark Reading editors Becky Bracken, Fahmida Y. Rashid, and Kelly Jackson Higgins will host Black Hat newsmakers ranging from independent researchers and threat hunters to reverse engineers and other top experts in security, today from 10 a.m. until 3 p.m. Pacific Time. Tune in for some of the biggest headlines and latest cybersecurity research. The livestream will be available from the top of the page and also on our YouTube page.

What to look for today: Dark Reading will be joined at the Black Hat News Desk by Allison Wikoff from PwC, to talk about the latest in job-themed APT social engineering scams; Brett Hawkins from IBM, to discuss supply chain management systems abuse; and many more. Dr. Stacy Thayer, a researcher specializing in burnout, will also be on hand to offer her best tips for helping cybersecurity professionals manage stress. Don't miss it!  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Dark Reading News Desk: Live at Black Hat USA 2022

The Black Hat USA conference's silver jubilee is an opportunity to remember its defining moments, the impact it has made on the security community, and its legacy.

Back in 1997, when tech companies didn't understand hackers very well and didn't take them seriously, the founder of DEF CON, Jeff Moss, decided to create an event that would give everyone the chance to peek inside the minds of these creative geniuses. Black Hat was born.

"\[T\]he Black Hat Briefings will put your engineers and software programmers face-to-face with today's cutting edge computer security experts and 'hackers,'" the official announcement promised. "Only the Black Hat Briefings will provide your people with the tools and understanding they need to thwart those lurking in the shadows of your firewall."

Attendees of that first conference, held July 7-10, 1997, right before DEF CON, got to hear from a stellar list of speakers. Mudge gave a talk on secure coding practices, Bruce Schneier explained why cryptography is harder than it looks, Adam Shostack had a presentation on making code reviews worthwhile, and Dominique Brezinski showed how attacks against Windows NT networks work.

The keynote speaker was techno-philosopher Richard Thieme, who gave a prophetic talk about the role hackers would play in our society. 

"You are going to be the thought leaders in the 21st century," Thieme remembers saying. "The technological revolution was going to transform the context of everyone's life in ways that people could not foresee and didn't expect."

His words might have sounded far-fetched at that time because there weren't any degrees in cybersecurity yet and no certifications with endless letters. Moreover, software companies threatened those who dared to find flaws in their products.

"Every time hackers found a bug, software vendors would come up with some way of downplaying or criticizing it," says Ira Winkler, chief security architect at Walmart, of those early years. "They would criticize password crackers saying, 'Who's going to sit around and just try to brute-force a password?'"

Black Hat helped the corporate world understand the value hackers could bring to the table by giving these creative minds a certain stamp of legitimacy. Twenty-five years after its first edition, the event has expanded to include multiple niches and geographies. 

"We have additional tracks: Community & Career, Human Factors, or Policy," says Shostack, who's a member of the 2022 edition's review board. "I think the philosophy has broadened."

**The Early Days**

But let's turn back time to Black Hat's early beginnings, when Moss, aka The Dark Tangent, recognized the need for a more formal conference. DEF CON originated from the idea of throwing a party where everyone's invited, but Moss wanted an event that brought hackers and software companies together without being ultra corporate.

His idea was to create "a forum where everyone could exchange ideas and talk about what they were working on," says Jeremy Rauch, co-founder of Latacora.

Moss, who was a penetration tester before that term even existed, took a genuine interest in everyone's projects, which helped him to build a community around the event. 

"I would imagine everyone who was speaking at those early Black Hats would say Jeff was a friend doing a conference, and I was excited to be able to speak at his conference," Rauch says.

Thieme adds: "There are a number of ways Jeff manifests real genius. He gives you a chance, and he's willing to take risks."

Moss' gift for networking helped to address at least a bit the divide between the hackers and the software companies they were targeting. Microsoft, for instance, took part in Black Hat's first edition and even invited a few speakers to dinner.

"We came here to look at the hackers' perspective, to understand what they're thinking and what their concerns are," Carl Karanan, then Windows NT marketing director, told ITProToday. "It's good to look at things in perspective: this conference does that. We've opened up a dialogue. The hackers do a service. We're listening and we're learning."

Later on, the Seattle giant ended up sponsoring Black Hat. "And so, the big baddie, who people loved to hate, was showing up and paying for your drinks," Shostack says. "And by and large, not always agreeing, but at least listening to what you have to say."

The gap between the multimillion-dollar Microsoft and the hackers, who often used weird-sounding nicknames and didn't have traditional jobs, was visible. "I remember being in a hotel, and we literally ordered the cheapest bottle of wine on the menu because split four ways, it was what we could afford," Shostack says.

Little by little, the hacker community has grown wider, and its top professionals started to have lucrative jobs or build companies. "I am confident that there are still people who are \[splitting a cheap bottle of wine\], but I think there are fewer people who are doing that, who also are speaking at Black Hat," Shostack says.

The transition from doing it for fun to making money started slowly. One thing that helped the hackers raise their profile was the quality of their technical talks.

**Some of Black Hat's Iconic Hacks**

In its first decade, Black Hat grew by word of mouth. Its bold presentations touched on everything from cyberwarfare to cryptography, anonymity, or flaws in operating systems. The speakers took the stage excited to showcase their work, although sometimes they experienced pushbacks.

One defining moment in the history of Black Hat happened in 2001, when James Bamford, author of _The Puzzle Palace_ and _Body of Secrets_, gave a talk on the NSA, explaining how the agency has been listening to people since World War II. His presentation prompted a conversation on whether Bamford was a whistleblower or a traitor, 12 years before the Snowden revelations.

Another expert who wasn't afraid to speak his mind was Mike Lynn. In 2005, when he was 24, he prepared a presentation on a vulnerability in the Internetwork Operating System used for Cisco routers. But Cisco and the company Lynn worked for at that time, Internet Security Systems (ISS), were unhappy about it. They asked him to refrain from discussing the vulnerability, although it had been patched months before the conference — and threatened to sue him if he didn't comply.

The two companies also pressured Black Hat organizers, telling them not to include information about the talks in the proceedings of the event. Shostack remembers Moss coming to him with an unusual request: "He handed me a razor blade to help cut pages out of it because Cisco's lawyers had shown up in bulk and threatened to shut down the conference if we distributed this."

Lynn responded by quitting his job at ISS. And on the day of his speech, wearing a hat with the word "Good" written on it, he took up the stage and asked the audience: "Who wants to hear about Cisco?" Of course, he went on with his talk, and he was later sued.

This event, dubbed Ciscogate, put Black Hat on the front page of The Wall Street Journal. "When your mom's friends are asking her about the convention or about security, you know you're starting to reach prime time," Moss said in an interview for CNN.

With the publicity it attracted, Ciscogate eventually helped software companies understand how not to deal with vulnerability disclosures, thus moving the needle on making everyone safer. That year, though, Moss sold the conference (to CMP Media, now part of Informa, Dark Reading's parent company).

While some of Black Hat's presentations are highly technical, a few speak to large audiences, trying to show everyone how easy it can be to get hackers. For example, just a year after Ciscogate, researcher Joanna Rutkowska took inspiration from the movie _The Matrix_ and introduced the Blue Pill, a rootkit based on x86 virtualization.

During her talk, she argued that the new technology she built could create malware that would be "100 percent undetectable," with no performance penalty. The idea behind the Blue Pill is to start a thin hypervisor and virtualize the rest of the machine. 

"\[A\]ll the devices, like \[the\] graphics card, are fully accessible to the operating system, which is now executing inside \[the\] virtual machine," she wrote on her blog. Later, Rutkowska built the Red Pill, which can help detect a virtual machine's presence.

Then, in 2010, the late Barnaby Jack forced two ATMs to spit out cash on the conference's stage. One of those was hacked remotely, while for the other, he used a thumb drive loaded with malware.

Equally iconic was the talk security researchers Charlie Miller and Chris Valasek gave in 2015. They showed how they hacked a Jeep remotely while Wired journalist Andy Greenberg was driving it at 70 mph on a highway. The two researchers changed the car's air-conditioning settings, started its windshield wipers, cut the transmission, and toyed with the accelerator. In addition, they were also able to kill the SUV's engine at lower speeds and disable the brakes.

Such talks touch on the values Moss tried to instill into Black Hat, such as creativity, spontaneity, and collaboration.

**Growing Up**

The days when Shostack split a cheap bottle of wine with his friends in a hotel room are long gone. The security industry has matured, and so did Black Hat. The event has transformed from a rowdy bunch meet-up that was kicked out of hotels to a professional conference with a Code of Conduct that's taken "very seriously," according to its organizers.

"People should expect a professional, safe, and inclusive environment, and we regularly take action to ensure that's the case," says Steve Wylie, general manager of Black Hat. "As one of our industry's most established conferences, I think Black Hat plays an important role in promoting diversity and inclusivity."

This year, the event has a diverse speaker lineup and editorial board. It also includes scholarship programs for underrepresented groups. Keynote speakers include Kim Zetter and Chris Krebs; topics include the cyberattacks against Ukraine, the SpaceX Starlink system, elections and disinformation, surveillance vendors, and the burnout phenomenon that has impacted many professionals in the past years.

"There's not a Black Hat conference that goes by where I don't see several talks in the list and think, 'Wow, that's really cool. That's amazing,'" Rauch says. "It's amazing how far everything's come and how much really hard work people do these days in the name of security research."

Looking Back at 25 Years of Black Hat

A Q&A with NCC Group's Viktor Gazdag ahead of a Black Hat USA session on CI/CD pipeline risks reveals a scary, and expanding, campaign vector for software supply chain attacks and RCE.

Continuous integration/continuous development (CI/CD) pipelines may be the most dangerous potential attack surface of the software supply chain, researchers say, as cyberattackers step up their interest in probing for weaknesses.

The attack surface is growing too: CI/CD pipelines are increasingly a fixture within enterprise software development teams, who use them to a build, test, and deploy code using automated processes. But over-permissioning, a lack of network segmentation, and poor secrets and patch management plague their implementation, offering criminals the opportunity to compromise them to freely range between on-premises and cloud environments.

At Black Hat USA on Wednesday, Aug. 10, Iain Smart and Viktor Gazdag of security consultancy NCC Group will take to the stage during "RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise," to discuss the raft of successful supply chain attacks they've carried out in production CI/CD pipelines for virtually every company the firm has tested.

NCC Group has overseen several dozen successful compromises of targets, ranging from small businesses to Fortune 500 companies. In addition to security bugs, the researchers say novel abuses of intended functionality in automated pipelines have allowed them to convert pipelines from a simple developer utility into remote code execution (RCE)-as-a-service.

"I hope people will give some more love to their CI/CD pipelines and apply all or at least one or two recommendations from our session," Gazdag says. "We also hope this will spark more security research on the topic."

Tara Seals, Dark Reading's managing editor for news, sat down with Viktor Gazdag, managing security consultant of NCC Group, to find out more.

**Tara Seals:** _**What are some of the more common security weaknesses in CI/CD pipelines, and how can these be abused?**_

**Viktor Gazdag:** We see three common security weaknesses regularly that require more attention:

_1) Hardcoded credentials in Version Control System (VCS) or Source Control Management (SCM)._

These include shell scripts, login files, hardcoded credentials in configuration files that are stored at the same place as the code (not separately or in secret management apps). We also often find access tokens to different cloud environments (development, production) or certain services within the cloud such as SNS, Database, EC2, etc.

We also still find credentials to access the supporting infrastructure or to the CI/CD pipeline. Once an attacker gets access to the cloud environment, they can enumerate their privileges, look for misconfigurations, or try to elevate their privileges as they are already in the cloud. With access to the CI/CD pipeline, they can see the build history, get access to the artifacts and the secrets that were used (for example, the SAST tool and its reports about vulnerabilities or cloud access tokens) and in worst case scenarios, inject arbitrary code (backdoor, SolarWinds) into the application that will be compiled, or gain complete access to the production environment.

_2) Over-permissive roles._

Developers or service accounts often have a role associated with their accounts (or can assume one) that has more permissions than needed to do the job required.

They can access more functions, such as configuring the system or secrets scoped to both production and development environments. They might be able to bypass security controls, such as approval by other developers, or modify the pipeline and remove any SAST tool that would help searching for vulnerabilities.

As pipelines can access production and test deployment environments, if there is no segmentation between them, then they can act as a bridge between environments, even between on-prem and cloud. This will allow an attacker to bypass firewalls or any alerting and freely move between environments that otherwise would not be possible.

_3) Lack of audit, monitoring, and alerting._

This is the most neglected area, and 90% of the time we found a lack of monitoring and alerting on any configuration modification or user/role management, even if the auditing was turned on or enabled. The only thing that might be monitored is the successful or unsuccessful job compilation or build.

There are more common security issues, too, such as lack of network segmentation, secret management, and patch management, etc., but these three examples are starting points of attacks, required to reduce the average breach detection time, or are important to limit attack blast radius.

**TS:** _**Do you have any specific real-world examples or concrete scenarios you can point to?**_

**VG:** Some attacks in the news that related to CI/CD or pipeline attacks include:

*   CCleaner attack, March 2018
*   Homebrew, August 2018
*   Asus ShadowHammer, March 2019
*   CircleCI third-party breach, September 2019
*   SolarWinds, December 2020
*   Codecov's bash uploader script, April 2021
*   TravisCI unauthorized access to secrets, September 2021

**TS:** _**Why are weaknesses in automated pipelines problematic? How would you characterize the risk to companies?**_

**VG:** There can be hundreds of tools used in pipeline steps and because of this, the tremendous knowledge that someone needs to know is huge. In addition, pipelines have network access to multiple environments, and multiple credentials for different tools and environments. Gaining access to pipelines is like getting a free travel pass that lets attackers access any other tool or environment tied to the pipeline.

**TS:** _**What are some of the attack outcomes companies could suffer should an adversary successfully subvert a CI/CD pipeline?**_

**VG:** Attack outcomes can include stealing source code or intellectual data, backdooring an application that is deployed to thousands of customers (like SolarWinds), gaining access to (and freely moving between) multiple environments such as development and production, both on-prem or in the cloud, or both.

**TS:** _**How sophisticated do adversaries need to be to compromise a pipeline?**_

**VG:** What we're presenting at Black Hat are not zero-day vulnerabilities (even though I found some vulnerabilities in different tools) or any new techniques. Criminals can attack developers via phishing (session hijack, multifactor authentication bypass, credentials theft) or the CI/CD pipeline directly if it's not protected and is Internet-facing.

NCC Group even performed security assessments where we initially tested Web applications. What we found is that CI/CD pipelines are rarely logged and monitored with alerting, other than the software building/compiling job, so criminals don't have to be that careful or sophisticated to compromise a pipeline.

**TS:** _**How common are these types of attacks and how broad of an attack surface do CI/CD pipelines represent?**_

**VG:** There are several examples of real-world attacks in the news, as mentioned. And you can still find, for example, Jenkins instances with Shodan on the Internet. With SaaS, criminals can enumerate and try to brute-force passwords to get access as they don't have multifactor authentication enabled by default or IP restrictions, and are Internet-facing.

With remote work, pipelines are even harder to secure as developers want access from anywhere and at any time, and IP restrictions aren't necessarily feasible anymore as companies are moving towards zero-trust networking or have changing network locations.

Pipelines usually have network access to multiple environments (which they shouldn't), and have access to multiple credentials for different tools and environments. They can act as a bridge between on-prem and cloud, or production and test systems. This can be a very wide attack surface and attacks can come from multiple places, even those that have nothing to do with the pipeline itself. At Black Hat, we're presenting two scenarios where we originally started off with Web application testing.

**TS: Why do CI/CD pipelines remain a security blind spot for companies?**

**VG:** Mostly because of the lack of time, sometimes the lack of people, and in some cases, lack of knowledge. CI/CD pipelines are often created by developers or IT teams with limited time and with a focus on speed and delivery, or developers are just simply overloaded with work.

CI/CD pipelines can be very or extremely complex and can included hundreds of tools, interact with multiple environments and secrets, and be used by multiple people. Some people even created a periodic table representation of the tools that can be used in a pipeline.

If a company allocates time to create a threat model for the pipeline they use and the supporting environments, they will see the connection between environments, boundaries, and secrets, and where the attacks can happen. Creating and continuously updating the threat model should be done, and it takes time.

**TS:** _**What are some best practices to shore up security for pipelines?**_

**VG:** Apply network segmentation, use the least-privilege principle for role creation, limit the scope of a secret in secrets management, apply security updates frequently, verify artifacts, and monitor for and alert on configuration changes.

**TS:** _**Are there any other thoughts you would like to share?**_

**VG:** Although cloud-native or cloud-based CI/CD pipelines are more simple, we still saw the same or similar problems such as over-permissive roles, no segmentation, over-scoped secrets, and lack of alerting. It's important for companies to remember they have security responsibilities in the cloud as well.

Software Development Pipelines Offer Cybercriminals 'Free-Range' Access to Cloud, On-Prem

The computing giant issued a massive Patch Tuesday update, including a pair of remote execution flaws in the Microsoft Support Diagnostic Tool (MSDT) after attackers used one of the vulnerabilities in a zero-day exploit.

Microsoft patched 118 vulnerabilities in its software products and components on Aug. 9, including a flaw that attackers have exploited in the wild to run malicious code when users click on a link, according to security experts. 

The patches, part of Microsoft's regularly scheduled Patch Tuesday, fixed the zero-day vulnerability (CVE-2022-34713) and a second remote code execution (RCE) vulnerability (CVE-2022-35743) in the Microsoft Support Diagnostic Tool (MSDT) that has not yet been exploited. 

The MSDT vulnerabilities are a variant of an issue that researchers have called "DogWalk," public discussion of which began about 18 months ago, although it has been exploited only recently, Satnam Narang, a staff research engineer at cybersecurity firm Tenable, tells Dark Reading.

The MSDT vulnerabilities give attackers the ability to use the MSDT protocol through a URL contained in a document — such as a Microsoft Office Word file — that, when clicked, will execute code in the security context of the application.

"An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application," Microsoft stated in its advisory for the previous MSDT exploit. "The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights."

Security teams that cannot apply the patch can disable the MSDT URL protocol, update their Microsoft Defender detections, or rely on Protected View and Application Guard for Office to prevent the current attacks.

The zero-day vulnerability, and a previous one exploited in May, are being used by attackers in phishing campaigns, Narang says.

"\[I\]t would appear that attackers are looking to take advantage of flaws within MSDT as these types of flaws are extremely valuable to launch spear-phishing attacks," he says. "We've seen flaws ... continue to be exploited years after patches have been made available. Therefore, it is vital that organizations apply the available patches as soon as possible."

**Security Teams Wrestle with Patching Tsunami**

The tranche of updates fixes 17 vulnerabilities rated critical and 101 rated important. Elevation-of-privilege issues dominated the patches, accounting for 64 of the CVEs, while RCE vulnerabilities make up 31 of the 118 security issues fixed in the software updates, according to Tenable's analysis of the updates. Information-disclosure vulnerabilities account for 12 of the patched vulnerabilities, and denial-of-service issues account for seven vulnerabilities. Another three vulnerabilities allowed security features to be bypassed.

The vulnerabilities — along with another 25 flaws issued by Adobe on the same day and nearly 20 issues released for Microsoft's Edge browser on Friday — highlight the workload faced by security teams on Patch Tuesday. 

"The volume of fixes released this month is markedly higher than what is normally expected in an August release," Dustin Childs, security communications manager for Trend Micro's Zero Day Initiative, wrote in a review of the updates released on Patch Tuesday. "It’s almost triple the size of last year's August release, and it's the second largest release this year."

Some companies have reported that Microsoft fixed 121 flaws, rather than 118, but that tally includes three issues in Windows Secure Boot that previously were reported through the CERT Coordination Center and are updates to third-party drivers, according to Tenable's analysis.

While the MSDT vulnerabilities are the most critical to fix, more than a third of the vulnerabilities fixed by the patches occur in local components of Microsoft Azure, including 34 vulnerabilities in Azure Site Recovery software, eight flaws in the Azure Real Time Operating Systems, and a single vulnerability for Azure Sphere and the Azure Batch Node Agent.

The updates also fix vulnerabilities in the code handling older tunneling protocols, such as Point-to-Point Protocol (PPP) and Secure Socket Tunneling Protocol (SSTP), including four vulnerabilities affecting Windows PPP and nine affecting the SSTP functionality.

"These are older protocols that should be blocked at your perimeter," Trend Micro's Childs wrote in the ZDI analysis of the patches. "However, if you're still using one of these, it’s probably because you need it, so don’t miss these patches."

**Adobe Patch Tuesday**

Microsoft is not the only company to drop significant monthly patches. Adobe also published updates to fix 25 vulnerabilities in five different products, including Adobe Commerce, Adobe Acrobat and Reader, Adobe Illustrator, Adobe FrameMaker, and Adobe Premier Elements.

"None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release," Childs wrote. "Adobe categorizes the majority of these updates as a deployment priority rating of 3, with the Acrobat patch being the lone exception at 2."

Microsoft Patches Zero-Day Actively Exploited in the Wild

The latest startup to enter the space also has a free scanning service to audit the contents of any website.

Enterprise defenders need to know what they have in their environments before they can figure out how to protect them. The challenge lies in the fact that organizations often have assets they have forgotten about or never knew about them in the first place.

Attack surface management continuously looks at the organization's IT infrastructure from the outside to determine what assets attackers can see. Halo Security, officially launched at Black Hat USA this week, is the latest entrant into the attack surface management space.

Halo Security's attack surface management platform helps enterprise defenders identify and monitor all of their Internet-facing assets across clouds and service providers. The platform's vulnerability scanning, application testing, and manual penetration testing capabilities allow defenders to detect risks and security posture improvements, as well as organize the data to remediate found issues. The agentless and recursive discovery engine can help uncover unknown assets, the company says.

The company also announced a free scanning tool to audit security controls of any website. The Halo Security Site Scan service audits all the certificates, headers, scripts, forms, and technologies in use on the website and makes recommendations to improve the site's security posture.

Originally founded in 2013, Halo Security operated under the McAfee umbrella until 2021.

Attack surface management prioritizes protecting assets attackers can see. Because enterprises know they can't protect what they can't see, there is a growing interest in attack surface management solutions. IBM acquired Randori for an undisclosed sum back in June. Bishop Fox, the security consultancy behind the Cosmos platform that continuously maps the attack surface and identifies high-risk exposures, announced last month that it had raised $75 million as part of a series B funding round.

"There's a reason Gartner and others are sounding the alarm about the need for attack surface management tools," said Halo Security founder and CEO Tim Dowling.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Halo Security Emerges From Stealth With Full Attack Surface Management Platform

New SOC Analyst Assessment delivers threat-informed training in a live lab environment to help cybersecurity professionals defend their organizations against the latest adversarial tactics and techniques.

LAS VEGAS, Aug. 9, 2022 /PRNewswire/ — Black Hat 2022 — Cybrary, the leading training platform for cybersecurity professionals, today announced a major evolution of its offerings that includes new threat-informed and interactive training and assessment experiences designed to help teams better reduce organizational cyber-risk resulting from the millions of unfilled positions in the industry.

Cybrary's new capability architecture enables cybersecurity leaders to evaluate, measure, and upskill their workforce and take the guesswork out of the hiring process. Aspiring and existing cyber professionals will be able to demonstrate their skills, build confidence, or reveal gaps in knowledge and areas for improvement as they apply for new roles, onboard, and perform their jobs. Managers will be able to quickly and continuously assess prospective and current team members' capabilities to help them become productive faster by creating training plans aligned to areas of opportunity.

**Cybrary Launches New SOC Analyst Assessment**

At Black Hat this week, Cybrary is unveiling a beta program for the first assessment of its kind geared specifically toward SOC analysts. Cybrary's SOC Analyst Assessment is an engaging, live lab environment that simulates a typical day in the life of a SOC analyst, teaching users how to separate noise from real threats and develop the skill-based instincts necessary to best protect their organizations.

"As the cybersecurity field has evolved, so has Cybrary. By creating opportunities for individuals to build relevant skills as they enter the field and delivering immersive, threat-informed training for more experienced professionals, we're taking our offerings to the next level," said Kevin Hanes, Cybrary's CEO. "Combining next-generation tools like the SOC Analyst Assessment with the 1,900-plus learning activities offered within our platform today advances our mission to equip cybersecurity professionals with the skills to succeed against ever-evolving threats."

By simulating a typical day in the life of a SOC analyst and placing individuals directly in a realistic, gamified, and scenario-based lab exercise, the SOC Analyst Assessment provides real-time insights into their ability to perform essential job functions. The assessment is also mapped to major cybersecurity frameworks, including MITRE ATT&CKⓇ, NIST NICE, and CAE-CD Knowledge Units. With robust reporting capabilities, learners and managers alike will gain actionable insights that highlight strengths, weaknesses, and recommended courses for further training in Cybrary's expansive resource library.

**How Cybrary is Tackling the Skills Gap Head-On**

The cybersecurity skills shortage is a reality that all companies, regardless of size or sector, face when trying to develop their employees' skills and protect their organizations against complex, ever-evolving cyber threats. Investing in people is key to narrowing the cybersecurity skills gap, and Cybrary remains committed to providing accessible, affordable, and high-quality tools at scale to arm practitioners and organizations alike with confidence to respond to threats.

"Leveraging Cybrary's all-new training architecture, in addition to CTIG's expertise, we are developing a suite of high-fidelity experiences aligned to cybersecurity roles," said Rob Usey, Cybrary's CTO. "Our unique, hands-on training and assessments will allow organizations to hire the right talent faster, pinpoint their entire team's skill gaps, and prescribe courses and activities to upskill practitioners at all experience levels every day."

Cybrary's new hands-on, scenario-driven resources, such as the SOC Analyst Assessment, are the first of many upcoming tools that will revolutionize cybersecurity training for years to come. Organizations interested in becoming SOC Analyst Assessment beta testers are encouraged to submit a request.

The launch of Cybrary's new strategy comes on the heels of rapid growth and momentum for the company with its new $25M Series C funding round, addition of both a new CEO, executive team, and top researchers, as well as launch of the Cybrary Threat Intelligence Group (CTIG), which tracks threat actors and vulnerabilities to ensure every training, course, and lab is relevant, timely, and communicates real-world skills.

For more information on Cybrary's next generation of hands-on training experiences or to leverage the entirety of its resource library, please visit Cybrary's Black Hat booth (#1381) from Aug. 10-11, 2022, or visit www.cybrary.it.

**About Cybrary**

Cybrary is the industry-leading training platform that provides the right training at the right time to fully equip cybersecurity professionals at every stage in their careers. Cybrary's threat-informed training, advanced assessment capabilities, and certification preparation helps industry professionals build the skills and knowledge to confidently mitigate the threats their organizations face and bridge the persistent cybersecurity skills gap. Cybrary enables more than 3 million learners, from individuals to service providers and government agencies to Fortune 1000 organizations, to be ready to respond in the fight against constantly evolving cybersecurity threats. For more information on Cybrary's offerings, visit www.cybrary.it.

Cybrary Unveils Next-Generation Interactive, Hands-On Training Experience to Upskill Cybersecurity Professionals

The finding exposes the danger of older, unpatched bugs, which plague at least 4.5 million devices.

A new vector to exploit a vulnerable version of Google SLO Generator has been uncovered, which facilitates remote code execution (RCE). It allows an attacker to gain access to the system and deploy malicious code as if it is coming from a trusted source inside the network.

Google SLO Generator is a widely used Python library used by engineers who want to track their Web API performance. The tool is used by thousands of Google services, but prior to a September 2021 patch, it housed unsafe and exploitable functions, potentially exposing user input data.

Michael Assraf, co-founder and CEO of Vicarius, explains that this path to exploitation was previously unknown and created a new way to exploit outdated versions for worse outcomes than simple information disclosure.

It is unknown how many of the more than 167,000 applications using this library are running vulnerable versions, according to Vicarius, which published a report detailing the attack path. Users who updated the code won't be exposed to this attack, but that said, unpatched vulnerabilities are still the most common way that companies are successfully attacked.

Assraf also raises the issue of potentially problematic workarounds as security researchers uncover new vectors to exploit vulnerable software instances. Developers will often use workarounds to protect against known exploits rather than deploying a systematic update/patch.

"Developers who fall into that category will be vulnerable to this new exploit — along with anyone else who has yet to deploy the patch," he says.

**Millions of Unpatched Devices Remain a Problem**

Externally accessible vulnerabilities expected to remain a favorite attack vector for cybercriminals in the future. A report published this week from Rezilion found vulnerabilities as old as a decade remain unpatched in software and Internet-connected devices.

The study identified more than 4.5 million Internet-facing devices that remain open to vulnerabilities discovered between 2010 to 2020. The report also identified active scanning/exploitation attempts in most of these vulnerabilities.

Yotam Perkal, director of vulnerability research at Rezilion, says there are multiple reasons why unpatched vulnerabilities are so common.

"First, many organizations with less mature security programs do not even have visibility into the vulnerabilities they have in their environment," he says. "Without the proper tooling and vulnerability management processes in place, they are basically blind to the risk and can't patch what they do not know about."

Second, even for organizations with mature vulnerability management processes in place, patching presents a challenge — it requires time and a considerable amount of effort and can often lead to unforeseen patch compatibility issues.

"With the constant rise in the number of new vulnerabilities discovered each year, organizations simply struggle to keep up," he explains.

**Unpatched Vulnerabilities a Top Security Issue**

Assraf calls unpatched vulnerabilities one of the most significant, prevalent, yet fixable security problems across the board — and for a multitude of reasons.

"This issue transcends industry and company size, although large enterprises are typically more susceptible due to sheer volume of systems and users in place," he adds.

He points out there are also new vulnerabilities cropping up daily, so managing "zero vulnerabilities" is a bit of a pipedream.

In addition, large-scale updates also occasionally break things and create unforeseen consequences and compatibility issues, leaving many to take a stance of "If it ain’t broke, don’t fix it."

"The problem is, it is broken, you just don't see the chink in the armor until you've been breached," Assraf warns. "Other common issues are around visibility, shadow IT, and distributed teams that lead to ownership complications."

From his perspective, visibility is the first step in getting vulnerabilities and patching under control, as you can’t fix what you don’t know is broken.

"Having an accurate and continuously updated asset inventory of all assets and devices in your environment is a critical first step," he explains.

Next is knowing how to prioritize the updates available to those systems and assets, which is a common place where enterprises fall short and the volume begins to become just noise.

Perkal says he thinks the key point to having a more proactive posture towards risks from unpatched vulnerabilities is awareness.

"Once you are aware of the risk, make sure you have the right processes and tools in place that will allow you to effectively take action," he says. "At the end of the day, applying an existing patch to a known vulnerability that is known to be exploited in the wild should be the easy aspect of proper security hygiene."

A July report from Palo Alto Networks' Unit 42 also suggested attackers play favorites when looking at which software vulnerabilities to target.

**Solving the Patching Problem With Business Context**

Assraf says it's common to prioritize based on criticality from the major frameworks like CVSS, which assign severity ratings to known vulnerabilities — several security vendors also assign their own black-box scoring systems.

"What's important to account for, and where this step — and vendors — often fall short, is a failure to take business context into account," he says.

It's important therefore to focus on the potential threats that will have the largest impact on your unique digital environment, not necessarily a third-party rating assigned without context.

"The most mature organizations will then automate the patching process based on said context, updating the most critical systems while minimizing downtime and impact through strategic scheduling of deployment," Assraf says.

Perkal points out that most of the code running in an organization comes from various third parties, whether open source or commercial.

"While this allows organizations to focus on their core business logic and release code faster, this also introduces a security risk in the form of software vulnerabilities," he says. "Patching everything simply isn't feasible."

He says to be able effectively to cope with the risk, attack surface management platforms that can intelligently prioritize the vulnerabilities that matter most, as well as help automate some of the mitigation and remediation aspects, can help address this risk.

"The most concerning aspect I drew from the research is these old, known, exploitable vulnerabilities are still so pervasive," he adds. "It's especially concerning since it is likely the same analysis we did is also being conducted by attackers, and by leaving this huge attack surface vulnerable, we are making their lives easy."

Researchers Debut Fresh RCE Vector for Common Google API Tool

Upcoming Black Hat USA presentation will examine the implications of Kerberos weaknesses for security on the local machine.

As the main authentication protocol for Windows enterprise networks, Kerberos has long been a favored hacking playground for security researchers and cybercriminals alike. While the focus has been on attacking Kerberos authentication to carry out remote exploits and aid in lateral movement across the network, new research explores how Kerberos can also be abused to great effect in carrying out a variety of local privilege escalation (LPE) attacks.

At the Black Hat USA conference this week in Las Vegas, James Forshaw, security researcher for Google Project Zero, and Nick Landers, head of adversarial R&D for NetSPI, plan to take the security discussion beyond the Kerberoasting and Golden/Silver ticket attack discussions that have dominated Kerberos security research in recent years. In the session "Elevating Kerberos to the Next Level," Forshaw and Landers will explore authentication bypasses, sandbox escapes, and arbitrary code execution in privileged processes.  

"James and I have both spent a lot of our time digging into Windows internals, and Kerberos is fundamental to network authentication between Windows systems. However, most of the existing research and tooling I've done focuses on remote exploitation — ignoring attack surfaces that exist on just a local machine," says Landers, who explained why the pair decided to dig deeper into design flaws in the way Kerberos does local authentication. "Through this, we've discovered many interesting flaws — some fixed and some not — that we're excited to share on Wednesday, along with the tooling we’ve built and knowledge we've gained over the last several months."

The tooling will help others in the security research community to inspect and manipulate Kerberos on local systems to build on the pair's research. The duo will also offer up some important detection and configuration advice to help security practitioners mitigate the risk of the flaws that they'll present.

From a bigger-picture perspective, Landers hopes that his talk can help bring further attention to Kerberos from the entire security world. He says that even though it is the recommended long-term solution for network authentication in Windows environment, replacing deprecated protocols like NetNTLM, security teams shouldn't assume that its more secure by default than the predecessors.

"Kerberos maintains an extremely large feature set, which continues to grow every year. Obscure functionality first designed in 1998, as well as brand-new code engineered for Windows 11, can both provide nuanced attack surfaces for LPE, security bypasses, or even RCE," he says. "Where there are more features to search, there is always greater opportunity to discover flaws."

In addition to offering practical mitigation steps, he hopes the talk will spur security and network administrators to brush up on their Kerberos knowledge to better harden their systems.

"Administrators should become more familiar with Kerberos to be able to apply best practice mitigations effectively. Specifically, since we consistently see the knowledge of attackers outpacing that of defenders when it comes to Kerberos internals," he says.

His talk will be one of several eye-opening identity and access management-related research presented at Black Hat this week. Some discussions up for exploration include how hybrid cloud IAM deployments are leaving open flaws and misconfigurations ripe for attack and the way that attackers can utilize stolen PII to make it easier to conduct smishing attacks.

Abusing Kerberos for Local Privilege Escalation

The success of Domino's Flex IoT project can be attributed in large part to the security best practices it followed.

The Internet of Things (IoT) has created a great deal of opportunity for the enterprise — and equal possibility for risk. We have witnessed vulnerable IoT technologies leak personal data, fall victim to cyberattacks, and face exploitation in dozens of ways — in "things" ranging from medical devices to smart hot tubs. Security must be at the foundation of every plan, and for organizations to reap the full benefits of IoT technology, they must incorporate it from acquisition to deployment.

I recently had the opportunity to partner with Domino’s Pizza and evaluate firsthand the security implications at work around a large-scale enterprise IoT project — the company's IoT-based ecosystem solution, Flex. Flex is a platform comprising various small services that allow stores to leverage diverse Web experiences and digital products on different kiosk screens.

Through the assessment and review of Flex, Domino’s stakeholders and I were able to build a comprehensive understanding of security vulnerabilities and best practices for implementing IoT in the enterprise environment. Here’s what we found together — and what organizations implementing IoT should consider every step of the way.

**Security Considerations for the Acquisition Phase**

Making security a priority in an IoT acquisition plan helps prevent problems down the road, but security is often left out or ineffectively executed during this phase.

An organization's security team is critical to successful planning and implementation of a large-scale IoT project. The security team's role is to help define the security expectations and requirements for IoT technology to ensure that they match the organization's security policies. Introducing new IoT technologies may highlight gaps in governance, so having the security team involved paves the way for installing new security protocols and controls.

Organizations' enterprise-level IoT initiatives, including Domino's, often require external vendor services. Before entering into such a relationship, organizations must conduct a vendor risk assessment because vendors often need direct access to an organization's network or VPN access to manage resources or corporate data. The risk assessment process should extend from conception to deployment, with regular re-evaluations of each vendor and its products to ensure they continue meeting base requirements and security expectations. This will help protect the organizations implementing IoT as well as the supply chain.

**Security Considerations for the Design and Implementation Phases**

When it comes to implementation and support of a new IoT solution, it may be necessary to make modifications. An important first step is to determine how the new IoT solution maps to current security control processes and compliance needs. For example, Domino's security control solution uses NIST SP 800-53 and Center for Internet Security (CIS) Controls. CIS provides a companion manual that can help with the mapping process and is handy for any organization deploying an enterprise IoT project.

External services can also help design IoT technology at the highest security level. Domino’s partnered with expert services from Google for its Flex solution to ensure that baseline configuration met industry best practices and mapped to internal security policies.

**Security Considerations for the Deployment and Support Phases**

When it is time to deploy, it's necessary to evaluate the entire product ecosystem: firewalls, routers, embedded hardware, back-end server systems, cloud API and Web services, and more. The security of any component within the ecosystem can ultimately affect the security of all other parts — such is the nature of IoT. All security testing needs to be holistic.

Following deployment is the support phase, where the solution should continue to operate and meet business needs, using management and support infrastructure. Ideally, this is how organizations can avoid outages and other security incidents that lead to loss of services or data or that impact production.

The key to this support plan is patch management, which many organizations overlook with embedded appliances. It's important to develop a regularly cadenced patch management cycle, with QA testing and changes piloted to a small production test group before rolling out official updates. Enterprises should also consider integrating new IoT technology with logging and monitoring processes. Tackling security through these channels should allow for better detection and action on security incidents.

**The Value in Planning Ahead**

There is a great deal of complexity and difficulty when tackling a project as all-encompassing as Domino’s IoT implementation, but with a bit of foresight comes success.

With threat actors taking advantage of any vulnerabilities — across a range of industries — it’s critical to follow holistic security processes before adding any technology to an enterprise ecosystem. While there is no one-size-fits-all strategy when designing, implementing, and deploying new solutions within the enterprise, best practices exist and should be considered. Domino’s successful Flex project is a testament to the value in planning — carefully — ahead.

Domino's Takes a Methodical Approach to IoT

Initial attacks used damaging wiper malware and targeted infrastructure, but the most enduring impacts will likely be from disinformation, researchers say. At Black Hat USA, SentinelOne's Juan Andres Guerrero-Saade and Tom Hegel will discuss.

The online attacks against infrastructure and information operations used by both sides in the conflict between Russia and Ukraine fulfill the definition of cyberwar and hold lessons for governments and companies, two researchers plan to say this week at the Black Hat USA conference in Las Vegas.

Cyberattacks preceding Russia's invasion of Ukraine on Feb. 24, 2022 — and ongoing operations since the initial push into eastern Ukraine — qualify as cyberwar because they involve state-sponsored actors, use tactics designed to support Russia's objectives, and focus on specific targets and motivations, says Tom Hegel, a senior threat researcher at threat intelligence firm SentinelOne, who will present the research at the conference. The threat actors aimed to support the overall war effort, in the case of Russia-linked actors, or the support for Ukraine's defense, in the case of Ukraine-linked actors, he says.

In their Wednesday, Aug. 10, presentation, "Real 'Cyber War': Espionage, DDoS, Leaks, and Wipers in the Russian Invasion of Ukraine," Hegel and colleague Juan Andres Guerrero-Saade plan to outline how attackers have used seven different families of malware and denial-of-service (DoS) attacks to attack everything from telecommunications infrastructure to oil and gas firms.

"We want to challenge the idea that cyberwar has not occurred, but also lay out a road map of what we have seen over the past few months in terms of actors and the types of activities," Hegel says. "The Russian threat actors, while there is not a clear line that they have crossed that makes it cyberwar, we have seen the initial wave of wipers, then community-focused hacktivism that took off, and finally a long tail of destructive attacks."

The presentation is the latest research attempting to define what constitutes cyberwar and cyber conflict.

**Defining "Cyberwar"**

The most formal definition comes from the second version of the _Tallinn Manual on the International Law Applicable to Cyber Warfare_, published in 2017, which defines cyberwar as "a cyberattack, in either an offensive or defensive cyber operation, that is reasonably expected to cause death to persons, damage, or cause destruction to objects." The manual, however, often uses the words cyberattack and cyberwar interchangeably and excludes cyber operations that could be supportive of war efforts, such as information operations and attacks on financial systems, neither of which aim to cause physical damage or death, two professors stated in a review of the manual in 2017.

In the current conflict, cyber operations have similarly supported the aims of either Russia or Ukraine rather than attempting to necessarily inflict physical damage or death.

"The connection to war is focused on destruction or disruption of infrastructure, or gaining an upper hand during an armed conflict, even if the coordination of the kinetic attacks with cyber operations is not there," Hegel says.

The playbook used by Russia in the early days of — and even prior to — the invasion of Ukraine included initial waves of damaging attacks focused on infrastructure, especially telecommunications systems. During Russia's buildup of forces on Ukraine's border, threat actors used a variety of attacks, such as WhisperGate and HermeticWiper, to target organizations in Ukraine with destructive wipers.

"In many conflicts, there is an aspect that has been modernized on the cyber side, but this is the first time that we have a really clear example of cyberwar," Hegel says.

**The Rise of Influence Campaigns**

While not traditionally considered a facet of cyberwar, the most enduring strategy of the current conflict may be information operations, he says. Russia has pursued a disinformation strategy to change worldwide opinions and gain support for its claims of Ukrainian territory, while Ukraine has pursued information operations to undermine Russian support for its invasion and bolster support for supplying the country with weapons.

"The disinformation side is a big piece of this war, but even more so, the weaponization of public information that is already out there," Hegel says. "A good example is the Amnesty International report, for example, and social media accounts supportive of Russia amplifying pieces of the message critical of Ukraine."

The researchers also had a message for corporate information-security teams. Companies should take note of the activities used by each side in a cyberwar, because the conflict can quickly impact participants who otherwise would be distant from the war. Organizations that take side or a stand in a conflict will often be targeted, but collateral damage is also a problem. The cyber-physical Stuxnet attack on Iran's nuclear processing capability, for example, spread to non-Iranian systems, although the payload did not affect those systems in the same way. Two even worse attacks, WannaCry and NotPetya, are both thought to have been cyber operations and both spread far beyond the original targeted group of organizations, causing billions in damages.

"A lot of what we have seen is not just government attacking government, but businesses in the middle being impacted," Hegel says. "It is not just because of their function being impacted, such as a telecommunications company's infrastructure, but also because their messaging made them a target. So even though you are not taking a step in a conflict, you will likely get pulled in, if your business operates in those regions at all."

Source

DARKReading