Events

Blackhat USA 2016

This year’s Blackhat USA briefings were held at the spacious Mandalay Bay, bringing speakers from all over the world to deliver mostly technical cyber-security talks. A number of our researchers were there attending talks and participating in the parallel IOActive and BSides events on Smart Cities cyber-security and “Stealing Food From the Cat’s Mouth”. We even bought a round of drinks for a GReAT happy hour at our booth, thanks for coming by! And on Tuesday night, we announced a public HackerOne-coordinated bug bounty program, setting aside $50,000 for critical vulnerabilities. Blackhat whitepapers, slidedecks, and some source code are being posted to the site.

blackhat

Talks and speakers that we enjoyed here:

  • DEMYSTIFYING THE SECURE ENCLAVE PROCESSOR and BEHIND THE SCENES OF IOS SECURITY

Low level details of Apple iPhone security were presented, both from offensive researchers hacking apart hardware and software, and one of the vendor’s lead security engineers Ivan Krstic. They revealed cryptographic design and implementation details of the secure enclave processor and its OS, the iCloud keychain, and JIT hardening, and pointed out some weaknesses and areas for likely security vulnerabilities in the code.

masterkey

  • CAPTAIN HOOK: PIRATING AVS TO BYPASS EXPLOIT MITIGATIONS

The speakers demonstrated how many AV vendors are performing inline and Kernel to user hooking for exploit mitigation, and how this is being done insecurely. They were able to utilize the mistakes made in the various hooking engines to run malicious code in memory. Their research identified six different types of vulnerabilities in the hooking engines and how to exploit them. Essentially, most of the vulnerabilities boiled down to improper handling of permissions on created memory blocks by the AV engines.

  • ADVANCED CAN INJECTION TECHNIQUES FOR VEHICLE NETWORKS

As always, Charlie and Chris delivered a fantastic talk on the next step in their research; targeting CAN to manipulate vehicle behaviors while driving at high speeds. While their research was done hard wired into the car, they stated that if another remote vulnerability were discovered, these attacks would be plausible remotely, not requiring physical access. They showed how they were able to manipulate various vehicles to apply the emergency brake, turn off the power steering module, control the steering, etc, all while driving at a high speed. They had to essentially bypass security measures which don’t normally allow diagnostic mode to be invoked while the car is on or in motion. In normal Charlie and Chris fashion, the talk was full of funny videos of their exploits, one of which showed them crashing their Jeep into a ditch in a cornfield and subsequently having to be rescued by some locals. 🙂

A few GReAT researchers were caricatured by an artist at our Kaspersky Lab booth, next to our Kaspersky Anti-Targeted Attack demo. The artist was good!

cartooning2

Defcon’s challenge badges ran out in record time this year at under 60 minutes! The conference is going on now at Paris and Bally’s. See you next year!

Blackhat USA 2016

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox