Source: www.csoonline.com – Author:
Technical talks and policy discussions took centre stage, including ERP in the crosshairs, problems with CVSS, and AI’s impact on cybercops.
Black Hat Europe brightened up the winter gloom in London last week with the latest security research and a plethora of technical talks.
Presentations exploring how to exploit AI chatbots and gen AI systems were much to the fore but more traditional hacking topics also got an outing.
Application security expert Orange Tsai highlighted vulnerabilities in the “Best Fit” character conversion technology built into Windows. The issue stems from shortcomings in string conversions in cases where particular characters are not represented in the target character set.
Various technologies, including Microsoft Office, cURL, PHP, and Windows executables that indirectly use vulnerable command line tools, such as pip, composer, and git, are at risk. Only the Microsoft Excel vulnerability has been patched so far, according to Tsai.
It’s an adage among security experts that when network problems arise it’s nearly always DNS (Domain Name System) that’s to blame. Security researchers from Germany’s National Research Center for Applied Cybersecurity (ATHENE) offered a retrospective on the KeyTrap vulnerability, a flaw patched last February that could have brought name resolution systems that rely on DNSSEC (Domain Name System Security Extensions) to a standstill.
Defending off the land
Attackers often rely on tools built into Windows to elevate privileges, exfiltrate data, and move laterally across a compromised network — a tactic known as living off the land. Security researchers from Thinkst Canary offered a presentation at Black Hat on how a similar approach might also be used by defenders, using existing Windows OS capabilities to detect and alert on attackers, an approach described as “Defending off the Land.”
For example, a registry configuration can be set that generates a Windows alert when certain commands are run. The talk also covered setting up a honeypot-like RDP (Remote Desktop Protocol) service, and PowerShell scripts that create fake security services which alert when they are stopped.
These agentless, configuration-based defences are positioned as a supplement to endpoint detection and response (EDR) technologies, particularly if used on vendor appliances and legacy systems where EDR systems cannot be installed.
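As an added illustration of the “fake security service that alerts on stopping” idea (this is not code from the Thinkst Canary talk; the decoy service display name, the event source and the task name are assumptions), the following PowerShell registers a scheduled task that fires on the Service Control Manager’s “stopped” event for the decoy and writes a high-signal alert event to the Application log:

```powershell
# Added example (not code from the Thinkst Canary talk): subscribe to the
# Service Control Manager "stopped" event for a decoy service and raise an
# alert event when it fires. Assumes a decoy service whose display name is
# 'Contoso Endpoint Sensor' already exists and is running (hypothetical name).
# Run in an elevated PowerShell session.

$DecoyDisplayName = 'Contoso Endpoint Sensor'   # hypothetical decoy service
$AlertSource      = 'DecoyServiceMonitor'        # hypothetical event source

# Register an event source so the alert lands in the Application log.
if (-not [System.Diagnostics.EventLog]::SourceExists($AlertSource)) {
    New-EventLog -LogName Application -Source $AlertSource
}

# Event ID 7036 is logged by the Service Control Manager on every service
# state change; param1 carries the display name, param2 the new state.
$Subscription = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[Provider[@Name='Service Control Manager'] and EventID=7036]]
      and *[EventData[Data[@Name='param1']='$DecoyDisplayName' and Data[@Name='param2']='stopped']]
    </Select>
  </Query>
</QueryList>
"@

# Task Scheduler supports event-log triggers, but New-ScheduledTaskTrigger does
# not expose them; build the trigger from its CIM class instead.
$TriggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
    -Namespace Root/Microsoft/Windows/TaskScheduler
$Trigger = New-CimInstance -CimClass $TriggerClass -ClientOnly
$Trigger.Subscription = $Subscription
$Trigger.Enabled      = $true

# The action writes an alert event that a SIEM or log forwarder can pick up.
$AlertCommand = "Write-EventLog -LogName Application -Source '$AlertSource' " +
    "-EventId 9001 -EntryType Warning -Message 'Decoy service $DecoyDisplayName was stopped'"
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NonInteractive -WindowStyle Hidden -Command `"$AlertCommand`""

# Run as SYSTEM so the task fires regardless of who is logged on.
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'DecoyServiceStopAlert' -Trigger $Trigger `
    -Action $Action -Principal $Principal -Force | Out-Null
```

Forward Application event 9001 from the source above to the SIEM; a legitimate administrator has no reason to stop a decoy service, so the event is worth triaging on its own.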
Exposing the dark corners of SAP
Mobile, cloud, and desktop systems are nearly always the main focus of security research, but a talk by ERP-focused cybersecurity firm Onapsis shone the spotlight on a less covered aspect of cybersecurity: attacks against enterprise resource planning systems from SAP.
A review of threat intel data from the past four years shows that both profit-motivated cybercriminals and cyberspies are increasingly interested in targeting SAP systems. Dark web forums and message boards are full of talk on how to exploit SAP vulnerabilities as well as tips and tricks on monetising SAP compromises.
Onapsis explained how cybercrime groups such as Elephant Beetle have exploited SAP-based vulnerabilities to hack into point of sale (POS) systems. Ransomware attacks have increased five-fold since 2021, while the price of exploits hawked for sale on cybercrime forums has exploded, Onapsis reports.
CVSS — what is it good for?
Another presentation, delivered by experts from financial giant JPMorganChase, offered a critical take on another topic core to the work of enterprise security defenders: the CVSS vulnerability scoring system.
The sheer volume of vulnerabilities discovered means that many CISOs and other security experts rely on CVSS (Common Vulnerability Scoring System) assessments to prioritise security remediation efforts.
However, the lack of consideration given to APT activity and the real-world exploitability of vulnerabilities, insufficient consideration of privacy, and the weighting attached to availability concerns mean that CVSS scores are sometimes misleading, security intelligence analysts from JPMorganChase argued.
The times they are AI-changin’
A significant strand of the conference looked into the security weaknesses of AI-based systems while, on the flip side, their application in augmenting security functions within enterprises was covered in a presentation by ING Bank.
Daniel Cuthbert, a security researcher and longstanding member of the Black Hat Review Board, told CSO: “We are seeing more insight into how artificial intelligence can be used and abused over just simple hacks that we’ve seen in recent years. There’s some really good research going into RAG [retrieval-augmented generation] abuse and how such systems are not following secure development guidelines of the last two decades.”
Internet resilience under pressure
Black Hat is not just about presentations on technical research and development; conversations about technology policy and politics always make up a substantial component of the overall mix.
Frédérick Douzet, a professor of geopolitics at the University of Paris 8, and director of the French Institute of Geopolitics research team, gave an opening keynote at Black Hat Europe that focused on how geopolitics and macro-economic developments are threatening the resilience of global telecoms networks.
States such as Iran and Russia are seeking to exert control over data routes and weaponising routing so that they can selectively block traffic or apply surveillance or censorship controls.
In the West, there’s a concentration of traffic towards eight dominant, mostly US-based companies. This centralisation creates points of vulnerability and makes us “vulnerable to geopolitical tensions, sanctions, and restrictions” decided elsewhere, according to Douzet.
These US companies are subject to US laws, such as the Cloud Act and Patriot Act, provisions of which may run contrary to EU regulation. But establishing European alternatives may be difficult because the cost of entry is so high and because established hyperscalers can cut costs because of their sheer size.
Original Post url: https://www.csoonline.com/article/3625531/black-hat-europe-2024-key-takeaways-for-cybersecurity-pros.html
Category & Tags: Black Hat, Security, Vulnerabilities