5 key takeaways from Black Hat USA 2024
The infosecurity world came together in Las Vegas this week for Black Hat USA 2024, offering presentations and product announcements that will give CISOs plenty to consider.
Here are the top takeaways CISOs should keep in mind when adapting their cybersecurity strategies going forward.
[For more Black Hat USA coverage, see “Black Hat: Latest news and insights.”]
Cloud security under scrutiny
Security researchers from Aqua Security used a presentation at Black Hat to outline how they uncovered security flaws involving the automatic provisioning of AWS S3 storage buckets.
The attack vector — dubbed Shadow Resource — created a potential mechanism for AWS account takeover, data breaches, or even remote code execution.
Because S3 bucket names are globally unique and these services derived them from predictable values, an attacker could create the expected bucket ahead of time and wait for a targeted account to enable the service in a region it had not used before, at which point sensitive files and configurations would be written straight into the attacker-controlled bucket.
Six AWS cloud services were potentially vulnerable: CodeStar, CloudFormation, EMR, Glue, ServiceCatalog, and SageMaker.
The problems were disclosed to Amazon Web Services ahead of Aqua Security’s presentation, and AWS has since fixed the affected services.
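The mechanism behind the shadow bucket attack, as an added example that is not part of the CSO article or of Aqua Security’s research. S3 bucket names are global, so a service that derives a bucket name from predictable values and creates it on first use can be pre-empted by an attacker who creates that bucket first; the victim’s service then sees that the bucket “already exists” and writes into it. The real S3 API accepts an ExpectedBucketOwner parameter and answers 403 when the bucket belongs to a different account, which is the check used below. The account IDs, bucket names and the in-memory FakeS3 client are constructed for the demo; with a boto3 client the same functions work unchanged, because botocore’s ClientError exposes the same .response shape.

```python
"""Added demo: naive create-if-absent provisioning versus an owner-verified
write, run against a constructed in-memory S3 namespace (not real AWS)."""


class _FakeClientError(Exception):
    """Mimics botocore.exceptions.ClientError: the error code lives in .response."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


class Namespace:
    """The global S3 namespace shared by every account (constructed stand-in)."""

    def __init__(self):
        self.owners = {}   # bucket name -> owning account ID
        self.objects = {}  # (bucket, key) -> body


class FakeS3:
    """Minimal boto3-style S3 client bound to one AWS account (constructed)."""

    def __init__(self, ns, account_id):
        self.ns, self.account = ns, account_id

    def create_bucket(self, Bucket):
        if Bucket in self.ns.owners:
            raise _FakeClientError("BucketAlreadyExists", Bucket)
        self.ns.owners[Bucket] = self.account
        return {}

    def head_bucket(self, Bucket, ExpectedBucketOwner=None):
        if Bucket not in self.ns.owners:
            raise _FakeClientError("404", "Not Found")
        if ExpectedBucketOwner and self.ns.owners[Bucket] != ExpectedBucketOwner:
            raise _FakeClientError("403", "Forbidden")
        return {}

    def put_object(self, Bucket, Key, Body, ExpectedBucketOwner=None):
        # Models an attacker bucket whose policy lets the victim write into it:
        # without ExpectedBucketOwner the write is accepted whoever owns it.
        self.head_bucket(Bucket, ExpectedBucketOwner)
        self.ns.objects[(Bucket, Key)] = Body
        return {}


def _error_code(exc):
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def bucket_status(s3, bucket, expected_owner):
    """'owned', 'missing' or 'hijacked' (exists, but owned by another account)."""
    try:
        s3.head_bucket(Bucket=bucket, ExpectedBucketOwner=expected_owner)
        return "owned"
    except Exception as exc:
        code = _error_code(exc)
        if code in ("404", "NoSuchBucket"):
            return "missing"
        if code in ("403", "AccessDenied"):
            return "hijacked"
        raise


def naive_provision(s3, bucket, key, body):
    """The vulnerable pattern: create-if-absent, then write, trusting the name."""
    try:
        s3.create_bucket(Bucket=bucket)
    except Exception as exc:
        if _error_code(exc) != "BucketAlreadyExists":
            raise
        # "already exists" is taken to mean "ours": this is the flaw
    s3.put_object(Bucket=bucket, Key=key, Body=body)


def safe_provision(s3, bucket, key, body, expected_owner):
    """Verify ownership before use and pin the owner on the write itself."""
    status = bucket_status(s3, bucket, expected_owner)
    if status == "hijacked":
        raise PermissionError(f"{bucket} exists but is not owned by {expected_owner}")
    if status == "missing":
        s3.create_bucket(Bucket=bucket)
    s3.put_object(Bucket=bucket, Key=key, Body=body,
                  ExpectedBucketOwner=expected_owner)
    return status


def demo():
    ns = Namespace()
    attacker = FakeS3(ns, "999999999999")
    victim = FakeS3(ns, "123456789012")
    bucket = "demo-svc-123456789012-us-west-2"   # constructed predictable name
    attacker.create_bucket(Bucket=bucket)        # attacker claims it first
    naive_provision(victim, bucket, "config.json", b"db-password=...")
    leaked = ns.owners[bucket] == "999999999999" and (bucket, "config.json") in ns.objects
    try:
        safe_provision(victim, bucket, "config.json", b"db-password=...", "123456789012")
        blocked = False
    except PermissionError:
        blocked = True
    status = safe_provision(victim, "demo-svc-123456789012-eu-west-1",
                            "config.json", b"db-password=...", "123456789012")
    return {"leaked": leaked, "blocked": blocked, "fresh_bucket_status": status}


if __name__ == "__main__":
    print(demo())  # {'leaked': True, 'blocked': True, 'fresh_bucket_status': 'missing'}
```

The same pinning belongs in IAM as well as in code: a policy condition on the aws:ResourceAccount key restricts a role to buckets in your own account, so a hijacked name fails at authorization even where a client forgets ExpectedBucketOwner.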
CSO’s Lucian Constantin dives into the details of the shadow bucket attack and potential remediation steps here.
Separately, Symantec warned that a growing number of hacking groups are abusing cloud services from Microsoft and Google for command and control and data exfiltration. Routing traffic through widely used services such as Google Drive and Microsoft OneDrive gives attackers greater stealth, because malicious communications blend in with legitimate ones and are harder to detect.
The tactic is not new, but it is evolving to become a bigger threat. And when viewed in conjunction with the AWS vulnerabilities, as well as presentations on the cloud as the seat of initial access and a potential for privilege escalation, it’s clear that cloud security remains a key concern for enterprises today.
CrowdStrike meltdown emphasizes cyber-resilience
The July CrowdStrike-Microsoft meltdown was fresh in the mind of delegates to Black Hat this week.
During the opening keynote roundtable, Hans de Vries, COO of the European Union Agency for Cybersecurity, warned delegates that the industry needs to be prepared for more supply chain incidents which, like the CrowdStrike content validation failure, put CISOs’ resilience plans to the test.
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, said the incident emphasizes the importance of security vendors developing a secure by design approach. Organizations need to bolster their cyber resilience, Easterly said, according to Secure Computing, adding that adversarial nations such as China or North Korea would likely exploit any weaknesses.
During the conference, CSO Online caught up with CrowdStrike’s counter adversary team to talk about the latest tactics of North Korean state-sponsored hackers and others.
Patching is no panacea
The comforting notion that keeping systems patched and up to date is enough to safeguard them took a serious knock with a SafeBreach presentation at Black Hat.
SafeBreach security researcher Alon Leviev demonstrated how the Windows Update process can be abused to downgrade a fully patched system to older, vulnerable component versions, a form of version rollback attack.
The so-called Windows Downdate attack hijacks the Windows Update process to craft custom downgrades of critical OS components, elevate privileges, and bypass security features, all while the system continues to report itself as fully up to date.
In a statement, Microsoft said it is not aware of any attempts to exploit this vulnerability in the wild. The software giant has published two advisories (including CVE-2024-21302) offering recommended actions and detection guidance while it works on delivering more comprehensive mitigations.
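A version rollback check for the failure mode described above, added here as an example and not taken from the article or from SafeBreach’s research. The point of a downgrade attack is that the host still looks patched while individual components have been replaced with older builds, so the check compares a per-file version inventory against a baseline recorded after a known-good patch cycle and flags any component whose version went backwards or disappeared. The file names and version numbers are constructed for the demo; on a real host the inventory would be read from each file’s PE version resource (for example (Get-Item $path).VersionInfo.FileVersion in PowerShell).

```python
"""Added demo: detect OS components that are older than a recorded baseline.
Paths and versions below are constructed, not taken from a real host."""
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'10.0.22621.3880' -> (10, 0, 22621, 3880); compare numerically, never as strings."""
    return tuple(int(part) for part in v.strip().split("."))


def find_rollbacks(baseline: Dict[str, str], observed: Dict[str, str]) -> List[dict]:
    """One finding per component that is older than, or absent from, the baseline."""
    findings = []
    for path, base_v in baseline.items():
        seen = observed.get(path)
        if seen is None:
            findings.append({"path": path, "issue": "missing", "baseline": base_v})
        elif parse_version(seen) < parse_version(base_v):
            findings.append({"path": path, "issue": "downgraded",
                             "baseline": base_v, "observed": seen})
    return findings


# Constructed baseline captured after a (hypothetical) good patch cycle.
BASELINE = {
    r"C:\Windows\System32\ntoskrnl.exe": "10.0.22621.3880",
    r"C:\Windows\System32\winload.efi": "10.0.22621.3880",
    r"C:\Windows\System32\kernel32.dll": "10.0.22621.3880",
    r"C:\Windows\System32\hvix64.exe": "10.0.22621.3880",
}

# Constructed inventory from the same host after a downgrade: the reported
# OS build is unchanged, but the kernel and boot loader are old builds and
# the hypervisor binary is gone.
OBSERVED = {
    r"C:\Windows\System32\ntoskrnl.exe": "10.0.22621.1",
    r"C:\Windows\System32\winload.efi": "10.0.22621.525",
    r"C:\Windows\System32\kernel32.dll": "10.0.22621.3880",
}


if __name__ == "__main__":
    for finding in find_rollbacks(BASELINE, OBSERVED):
        print(finding)
```

Compare versions as integer tuples: as strings, "10.0.22621.3880" sorts before "10.0.22621.525", so a string comparison would report the 525 build as newer and miss the rollback. The baseline itself must live somewhere the host cannot rewrite, otherwise a downgrade that also rewrites the baseline passes the check.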
CSO’s Gyana Swain has more on the Windows Downdate attack here.
AI is a double-edged sword
AI, particularly generative AI and large language models (LLMs), was a significant focus at Black Hat.
Many sessions explored the risks and vulnerabilities associated with AI technologies.
For example, security researchers from Wiz outlined their research into hacking AI infrastructure providers. The work uncovered novel attack techniques against AI-as-a-service platforms, including Hugging Face and Replicate, in which an uploaded model file itself is the attack vector.
“On each platform, we utilized malicious models to break security boundaries and move laterally within the underlying infrastructure of the service,” according to the researchers. The research opened the door to accessing customers’ private data, including private models, weights, datasets, and even user prompts.
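Why a model file can act as an exploit, and a loader that refuses such files, as an added example that is not from the article or from Wiz’s research. It assumes the model is serialised with Python’s pickle, the format behind many frameworks’ “save weights” calls; the article does not say which format the Wiz team used. Unpickling invokes whatever callable the file names through __reduce__, so “loading a model” becomes arbitrary code execution on the inference host. The restricted loader resolves only an allowlist of classes and raises on anything else. The payload is deliberately harmless (it evaluates an expression that reads the working directory) and the weights are constructed.

```python
"""Added demo: a pickle 'model' that runs code on load, and an allowlisting
unpickler that rejects it. Weights and payload are constructed."""
import io
import pickle
from collections import OrderedDict


class MaliciousModel:
    """Serialises to a pickle that calls eval() on load instead of restoring an object."""

    def __reduce__(self):
        # Harmless stand-in for a real payload (reverse shell, credential theft, ...).
        return (eval, ("__import__('os').getcwd()",))


def build_malicious_blob() -> bytes:
    return pickle.dumps(MaliciousModel())


def build_benign_blob() -> bytes:
    weights = OrderedDict([("layer1.weight", [0.1, -0.2, 0.3]), ("layer1.bias", [0.0])])
    return pickle.dumps(weights)


# The only globals a plain weights file legitimately needs to reference.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any module.name pair that is not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_model_unsafely(blob: bytes):
    """What a naive service does: pickle.loads on customer-supplied bytes."""
    return pickle.loads(blob)


def load_model_safely(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_rejected(blob: bytes) -> bool:
    """True if the restricted loader refuses the blob."""
    try:
        load_model_safely(blob)
        return False
    except pickle.UnpicklingError:
        return True


if __name__ == "__main__":
    print(load_model_unsafely(build_malicious_blob()))  # eval ran: prints the cwd
    print(is_rejected(build_malicious_blob()))          # True
    print(dict(load_model_safely(build_benign_blob())))
```

An allowlist narrows the attack surface but does not remove it, since any allowlisted class with side effects in its constructor is still reachable; the stronger fix is to accept only non-executable weight formats such as safetensors and to run any loading of untrusted models in an isolated, per-tenant sandbox.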
In another session, a security architect from chip giant Nvidia’s Red Team offered practical findings around LLM security, including the most effective offensive and defensive security strategies and methodologies.
Black Hat also offered an arena for cybersecurity vendors to launch new products and services. Many vendors have added AI-based capabilities to their technologies, as detailed in CSO’s roundup of product releases.
CISOs face personal jeopardy from corporate breach handling
A session titled “Skirting the Tornado: Essential Strategies for CISOs to Sidestep Government Fallout in the Wake of Major Cyberattacks” highlighted strategies that CISOs should apply to stay on the right side of regulators in the event of a security breach.
Recent cases, such as that of SolarWinds’ Tim Brown, have highlighted how senior security staff can face individual regulatory and criminal liability for alleged corporate reporting failures.
The session covered practical strategies to mitigate damage, ensure IT compliance, and maintain stakeholder trust in an environment of increasing regulatory pressure.