While all cyberattacks and malware infections can be scary and harmful, few are as potentially impactful as those committed against industrial process networks that facilitate electrical power, oil and gas pipelines, water services, logistics, manufacturing, and transportation systems. These systems have real life effects on life, safety, and the environment. So why, then, do we connect them to computers which can be infected? Or to computer networks that can be compromised? Lesley will provide a primer on the function, applications, and history of industrial control devices, how they came to be connected to modern computer networks, and what that truly means from a threat perspective today - and into the future.
Back to Schedule >>
The recent rise in popularity of Developer portals, which integrate critical assets within the organization, makes them lucrative targets for threat actors. Having more than 19,000 stars on Github and used by various organizations, including American Airlines, Netflix and Epic Games, Backstage – a CNCF incubated project by Spotify, is one of the most popular open source platforms for building developer portals.
This presentation will showcase how we gained unauthenticated remote code execution rights on a Backstage application through a complex exploitation chain of various vulnerabilities. The chain includes a sandbox escape vulnerability we discovered along the way, improper authentication implementation, and the abuse of the integrated templating engine.
By the end of this presentation, you will have an understanding of the thought process that guided us through the research, including mapping the attack surfaces, choosing the components in the app that were most likely to become exploited, and how we managed to chain them all together to achieve the ultimate goal.
STRONTIUM (overlapping with FancyBear & APT28) has long utilized legitimate services and cloud platforms to evade defenders. Most notably, they utilize malware tracked by Microsoft as FusionDrive, an early-stage capability to facilitate access to valuable networks. From late 2021 until mid-2022, the Microsoft Threat Intelligence Center (MSTIC) observed significant use of FusionDrive against high-value government, military, and telecommunication organizations across Central Asia and Europe. In several campaigns, FusionDrive was packaged with novel access methods, including an exclusive zero-day exploit for a security feature in Microsoft Excel (CVE-2021-42292) and various implementations for patched CVE-2021-40444. In early 2022, the Microsoft Threat Intelligence Center (MSTIC) undertook an effort to track and disrupt the use of FusionDrive, leading to account takedowns, product protections, and nation-state notifications, including notifications to victims targeted as part of STRONTIUM’s efforts in the war in Ukraine. This talk will introduce the STRONTIUM actor and the FusionDrive malware family, provide technical insights into the TTPs employed and the vulnerabilities exploited, and tell the story of MSTIC’s efforts to track and disrupt FusionDrive.
Back to Schedule >>As quantum development rapidly advances, encryption is facing unprecedented challenges. Asymmetric algorithms, such as RSA, Diffie-Hellman, and ECC, are particularly vulnerable to quantum computers, as well as "harvest now, decrypt later" attacks. To address these threats, the concept of quantum-safe cryptography, or post-quantum cryptography (PQC), has emerged. This lecture will provide a comprehensive overview of quantum-safe cryptography and why it's needed now. It will be of interest to anyone concerned with this critical area of cybersecurity.
Back to Schedule >>
A key component of any botnet is a robust C2 infrastructure. This infrastructure should be resilient and stealthy. Therefore, researchers focus their efforts on detecting and intercepting a botnet’s C2. This is useful for initial detection and tracking of malicious activities by the same actor.
Today, most C2 infrastructure is based on hosts controlled by the attacker. These are either special-purpose servers and end-points, or general servers hijacked by the attacker. Some advanced operations are using different methods to evade detection of their C2 communications. Techniques include code injection into the host kernel, tunneling over common protocols, and use of public cloud share apps. The more evasive techniques require considerable effort and sophistication, uncommon among most attackers.
Yet, the biggest challenge for attackers is that once a botnet’s C2 components are detected and identified by researchers, all existing bots lose connectivity FOREVER.
In our presentation, we will discuss the evolution of evasive C2 infrastructure based on evidence from actual campaigns. We'll discuss the pitfalls of the current state-of-the-art techniques and present a new approach to C2 infrastructure. This new approach is based entirely on public infrastructure, accessible to attackers of any skill level. The most important feature of our infrastructure is the ability of existing bots to rise from the dead and restore communication with the operator, regardless of the efforts made by researchers to tear down the infrastructure- leaving the defense community to play a vicious game of whack-a-mole against relentless malware. We'll show that this technique can be easily applied to any OTS backdoor to dramatically increase the persistence of attack campaigns.
Our presentation aims to prove that persistent and resilient C2 infrastructure is not the sole property of high-end attackers. Hence defenders and solution providers must prepare for this new age of stealthy campaigns.
The SMM (System Management Mode) is a well-guarded fortress that holds a treasure – an unlimited god mode. We hopped over the walls, fooled the guards, and entered the holy grail of privileges.
An attacker running in SMM can bypass practically any security mechanism, steal sensitive information, install a bootkit, or even brick the entire platform.
We discovered a family of industry-wide TOCTOU vulnerabilities in various UEFI implementations, affecting more than eight major vendors and making billions of devices vulnerable to our attack. RingHopper leverages peripheral devices that exist on every platform to perform a confused deputy attack. With RingHopper, we hop from ring 3 (user-space) into ring -2 (SMM), bypass all mitigations, and gain arbitrary code execution.
In our talk, we will deep-dive into this class of vulnerabilities and exploitation method, and learn how they can be prevented. Finally, we will demonstrate a PoC of a full exploitation using RingHopper, hopping from user-space into SMM.
KubeVirt is a Kubernetes add-on that enables running virtual machines in Kubernetes pods. Intuitively, we may think that virtualization should bring additional assurance. However, in this talk, we will show that this reasoning may come with flaws. After covering background information on KubeVirt purpose and architecture, we will dive into our findings on KubeVirt security, covering in particular CVE-2022-1798. To conclude the talk, we will touch on hardening, recommended setup, and the remediation at scale of the CVE.
Back to Schedule >>Artificial Intelligence (AI) has emerged as a transformative technology used in almost every industry. However, rapid adoption of AI also poses significant unmanaged risks that has recently captured the attention of the public with the advent of powerful but fallible language models and chatbots. While these appear to be ethical risks in nature, there is also a growing concern in security: AI inherits the vulnerabilities from the software stack, but also introduces new security concerns that are unique to AI. In this talk, I explore the burgeoning field of AI security and the key role that security practitioners must play in securing AI technologies. This includes immediate challenges of fundamental security hygiene and software supply chain security adapted to the new paradigm. Additionally, new classes of confidentiality, integrity and availability violations have emerged with AI as a new attack surface. Today, those vulnerabilities are exploited in rather simple, but impactful ways. And this is why security practitioners must step in for help.
Back to Schedule >>The 0-day market is a source of intense interest and speculation. The reporting on the subject often quotes jaw-dropping prices that researchers can sell their exploits for on this gray market, often prompting heated debate on the ethics of collaborating with governments rather than vendors. But how accurate is this reporting? How does this market really function? In this keynote, I will discuss the realities of the exploit market, as well as dispelling some of the myths and beliefs that people often hold about how this market functions.
Back to Schedule >>
The CherIoT (Capability Hardware Extension to RISC-V for IoT) project has built a platform for secure IoT devices. This includes an extension to RISC-V, an open-source implementation based on the lowRISC Ibex core, and an RTOS with lightweight compartmentalization abstractions. The platform provides complete spatial memory safety, cross-compartment stack safety, and a heap that can be shared between mutually distrusting parties with temporal safety. All violations of these memory safety guarantee deterministically trap.
The platform uses non-bypassable memory safety as a building block for compartmentalization. Compartments can expose functions as entry points and enjoy strong isolation and object-granularity sharing. The component that enforces these isolation guarantees is only around 300 RISC-V instructions. No component in the system is fully privileged; even the scheduler is merely another compartment and cannot see the state of the threads that it interrupts.
This is the first IoT system to provide fine-grained memory safety. It provides far more scalable isolation than existing techniques based on a memory protection unit (MPU): our implementation has comparable area to an MPU that supports 16 regions, yet allows a number of compartments bounded only by available memory, with each compartment requiring only a few words of memory as overhead. This makes it possible to have many isolated compartments providing a rich set of features, such as JavaScript interpreters, even on low-cost devices with 256 KiB of RAM or less.
This talk will discuss how these security guarantees are built and how audience members can build things on top of the platform.
As security researchers for Orca Security, we continually work with various cloud providers to give our customers the latest security insights by investigating high-profile services and components. This talk will discuss our most recent findings from the past several months, ranging from a single attack hypothesis to a full disclosure vulnerability. We'll highlight our partnership throughout the various disclosure vulnerabilities and the actions taken under different circumstances and get a glimpse into performing security research on Azure services and the process behind the scene of triaging such vulnerabilities and mitigating them. The various cases that we will present –
● FabriXss (CVE-2022-35829): How We Managed to Abuse a Custom Role User Using CSTI and Stored XSS in Azure Fabric Explorer
● CosMiss: Azure Cosmos DB Notebook Remote Code Execution Vulnerability
● Additional vulnerabilities are still in the disclosure process with MSRC.
Back in 2007, Bruce Willis’ Live Free or Die Hard warned us about the impending digital future we faced, where a white-hat turned-black-hat hacker could wreak massive terror and chaos by taking out transportation hubs, the stock market and the power grid. We’ve seen some of this come to pass, but only in attacks of limited degree and effect. Even the digital devastation anticipated in the war in Ukraine hasn’t materialized. But this doesn’t mean the potential for destructive attacks against critical infrastructure doesn’t exist. It also doesn’t mean we’ve seen the full extent of digital warfare — despite the naysayers who assert that digital attacks can never rival kinetic ones. It’s not just the lights and financial markets that are at stake. Hackers could be coming for the military’s high-tech weapons systems next. This talk will look retrospectively at some of what has already occurred as well as look at the digital destruction that still may be in our future.
Back to Schedule >>
At Pwn2Own Miami [0], contestants had ten industrial control system-related products in four categories to pwn with 0days . All ten were supported by default with the popular OPC-UA protocol, to the extent that even one of the categories focused solely on OPC-UA protocol stacks. This was no coincidence. OPC Unified Architecture (OPC-UA) is one of the most important protocols in industrial communication.
In addition to being platform-independent, it is trusted for connecting industrial environments with IT and the cloud. This means that today almost any OT/IoT device, application, or server will communicate over OPC-UA to send or receive data (e.g., temperature samples from a remote sensor).
What started as a simple preparation for yet another Pwn2Own competition grew into what became extensive research on ALL known OPC-UA protocol stacks. We studied the protocol from the bottom up and prepared a detailed plan on how to pwn it. To date, we’ve discovered and privately disclosed seven unique pre-authentication attack vectors with risky outcomes for users that include denial-of-service attacks, information leaks, and remote code execution. We reported 16 CVEs across 16 OPC-UA protocol stacks—earning $45K in prize money at Pwn2Own Miami [1].
In this talk, we'll share our journey, methods, tools, and the story of how we broke the OPC-UA protocol to help secure the global supply chain.
Authentication is crucial to Windows security, especially in enterprise environments. While there's a push to move towards web-based authentication such as OAuth, many of the legacy authentication protocols, among them NTLM and Kerberos, are still in use today. These protocols stretch back over 20 years; with code and design choices baked in for so long, it's an interesting area to look for high-impact security issues.
This presentation will go through the work I've done in the past two years to hunt for bugs in the legacy Windows authentication stack. I'll share my overall methodology for the hunt, tooling that I've developed to aid in the research and highlight some intriguing vulnerabilities that I discovered. Some of these vulnerabilities are down to design choices made 20 years ago, others are in brand new code and range from privilege escalation, authentication bypass and remote code execution.
The introduction of Web3 smart contracts has opened unlimited opportunities for decentralized apps (dApps) and users. With smart contracts, anything that can be coded can be deployed by anyone on the blockchain. As a result, in a Web3 environment, the users’ blockchain transactions, previously merely used for sending coins to peers, are now, in fact, Remote Procedure Calls (RPCs) for smart contracts.
The flip side of this expressiveness is that it’s almost impossible to know analytically in advance what would be the outcome of such RPC to an arbitrary smart contract. Attackers abuse this observability gap to trick users into signing transactions that are harmful in reality. This situation bears a close resemblance to the desktop environment: users need to evaluate in advance if a particular program behavior will be benign.
To solve this gap, Web3 security has taken a page out of the desktop’s security book by using a sandbox-style emulation to evaluate the transaction's outcome before it gets sent to the blockchain. In Web3 lingo, such sandbox emulation is referred to as transaction simulation.
In this talk, we will present our newly discovered attack methods against Web3 simulations, including the first-ever Web3 red pill exploits that allow smart contracts to know that they are running in a simulation and as a result, need to behave differently.
We have tested our findings against numerous leading simulation providers in the Ethereum Virtual Machine (EVM) domain and found that they are indeed vulnerable to such attacks. As a result of our responsible disclosure, multiple (currently three) issues were fixed, and we were awarded bug bounties. We will explain these exploits in detail, including the research methodology allowing us to inspect simulators’ inaccessible inner workings.
We will conclude with new and enlightening insights we gained through this research regarding the true capabilities and limitations of Web3 simulations.
This talk will take the audience through the evolution of Windows security and provide insight into the latest advances. This will include a technical overview of the some of the recent capabilities in the Windows 11 OS as well as hardware. Finally the audience will also get a view of future changes in Windows that will have a large impact in preventing attacks and the exploitation of vulnerabilities.
Back to Schedule >>