Blackhat USA 2012 – Pushing Past Intrusion Tolerance, Cutting Edge Research

The Blackhat 2012 keynote started the event with Shawn Henry, former Executive Assistant Director of the Fbi, painting a grim, seemingly unspeakable picture of cyberespionage in the US. It was interesting that he continually spoke about the gravity of the situation and the need to apply what he learned at the Fbi to protecting digital assets, but he couldn’t describe a single concrete example. At the same time, other than a weapon of mass destruction, he claimed that cyber threats are the single biggest problem facing this nation. This inability to convey concrete details during the Blackhat keynote only highlights some of the problem in understanding the cyber problem. And it’s the problem of overclassification of computer network exploitation (CNE) incidents and a tangled set of dynamics that silence breach data sharing and exchange. There is a long way to go here to fixing it.

While parts of the talk were very interesting, especially discussion of creating a hostile network for your adversaries and taking intrusion tolerance a step further, it was criticized for being a bit self-promoting. All across the twittersphere, tweets like this one protested signs of this year’s corporate influence.

The two days of talks explored some new territory. Day 1 included “Advanced ARM Exploitation”, where Stephen Ridley and Stephen Lawler provided some more indepth Android exploitation details and the quirks in exploring the software and developing exploits on the platform. For example, ROP techniques are required even to perform the ancient ret2libc technique on Android. They poured over data manipulation on ARM and particular assembly level tricks, specifics of discovering ROP pivots and pushing data into the stack on ARM for control. The talk provided content from their hands-on, 650+ slides across 12 decks, 80 page lab manual, multi-day course “Practical ARM Exploitation”.

Other notable talks included Chris Valesek and Tarjei Mandt’s discussion of Windows 8 Heap Internals. From the offensive security perspective, they blew through new Windows 8 usermode and kernel heap protections that they reversed and analyzed, based on Microsoft’s heavy investment in understanding and addressing past exploitation techniques.

The two presented a list of eight or ten past publicly known heap exploitation techniques effective on Windows 7 and prior that Microsoft for the most part has stamped out on Windows 8 with new protection technologies. An impressive feat on the part of Microsoft, and something the other vendors, like Oracle and Apple, have a difficult time keeping up with.

This presentation was followed by Microsoft’s Matt Miller and Ken Johnson, whose previous work can be found in the Uninformed journal and early ASLR technology implementations. These two “defenders” provided details on the long list of protections from the Microsoft Security Science team previously discussed by the two “attackers” onstage.

Day two brought two talks that were particularly good. For another year, Mark Vincent Yason and Paul Sabanal from IBM X-Force presented their analysis of Adobe’s sandboxing technology, this time focusing on Flash. The talk was very well structured and progressed, probably the best technical talk I attended. They pulled apart details of three different implementations of the Flash sandbox for Firefox and Chrome web browsers, finding that “Pepper Flash” is implemented with the lowest level of privileges and tightest set of policies. Pepper is the plugin API that the Adobe and Google teams are using to develop this more secure plugin that is yet to be complete for chrome.

The end of the day approached with a talk from Jonathan Brossard on “Hardware Backdooring is Practical”, where he presented his tool, “Rakshasa”, focused on permanently backdooring computer hardware. The tool is frankensteined together from various open source projects like Coreboot, SeaBIOS and iPXE, so as to minimize any visibility into this software as malicious, attempting to gain a greater chance of evading anti-malware solutions. Interesting PoC material indeed. But the backdoor does not really backdoor any hardware, it is all software-based. Other interesting functionality included its ability to disable DEP and ASLR, remove CPU updates, and force write permissions on every kernel level memory mapping.

Finally, the end of the conference finished with the Pwnie Awards. It was another tongue in cheek, irreverent review of major security issues of the past year, with “artwork winning out over utility”.

Blackhat USA 2012 – Pushing Past Intrusion Tolerance, Cutting Edge Research

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox