Black Hat USA 2022 & DEF CON 30: Highlights, Key Findings & Notable Trends
Last week, hackers, researchers, cybersecurity companies, and government officials descended on Las Vegas for Black Hat and DEF CON, lovingly referred to by many as ‘hacker summer camp’. This year’s events marked the 25th anniversary of Black Hat and the 30th of DEF CON, with more than 30,000 attendees from 111 countries. They also marked a return to form after the disruption of the COVID-19 pandemic.
What Are Black Hat and DEF CON? The Origin Story and What It Became
The story behind DEF CON and Black Hat dates back to 1993, a time of X.25 networks and dial-up bulletin boards. FidoNet was the most popular kind of hobbyist networking in that era, and Jeff Moss (the founder of DEF CON and Black Hat) ran a bulletin board called ‘The Dark Tangent System’. It ran Telegard, an early bulletin board software package for IBM PC-compatible computers running MS-DOS and OS/2. Through this system, Moss connected to more than ten different networks, each focused on topics such as hacking, piracy, and phone phreaking. Because Moss worked several small jobs at the time, he could afford to fund dial-outs to many FidoNet hubs, and his bulletin board grew into the main networking hub in North America. This made Moss, still a college student, one of the most connected users on the network.
Being so well connected, Moss talked to many users from different networks. One of them, a user on the Canadian network Platinum Net, wanted to throw a party to celebrate his dad finding a new job. Since most of the networks were in the U.S., the user wanted the party to be held there, and Moss agreed to plan it. While he was planning, Moss suddenly lost all contact with the user who had asked him; it was as if he had vanished. Unwilling to give up, Moss decided to go ahead with a new party and invite his other networking friends. Then came another setback: Moss lost both his hard drive and his backups, and his bulletin board was gone. Frustrated, Moss moved to the internet and invited as many people as he could find.
Unlike other hacking events of the time, which were invite-only, Moss made it an objective that anyone could come to his event. He also chose Las Vegas so that invitees would still have something to do if the event did not meet expectations. Investing over $2,000 in the event, Moss held no expectations about how everything would pan out; instead, he took confidence from the fact that he had wanted to hold the event and had tried. With speakers such as Dan Farmer and Gail Thackeray, many attendees could see and hear the professionals they looked up to for the first time. The reaction afterwards was overwhelmingly positive, making Moss’s event a substantial success! Now the world’s largest hacker convention, DEF CON attracts computer security professionals, journalists, lawyers, federal government employees, security researchers, students, and hackers interested in software, hardware modification, conference badges, and other hacker pursuits. Its sister event, Black Hat, is now a renowned technical skill-building event for offensive and defensive hackers of all levels.
Black Hat USA 2022 and DEF CON 30 Highlights, Announcements, and Notable Trends
Heading into this year’s event, we expected to hear a lot of support for building resilience within security through innovative means. Now that this year’s event has come to a close, it’s safe to say that we weren’t disappointed. Here are some important highlights, announcements, and notable trends from the events.
A Stance on Keeping the Human Element Within Application Security
While automation and related integration can remove much of the manual work from application security, there is no substitute for thoughtfulness, intuition, and good judgment. However, the pressures that cybersecurity professionals face grow each year, putting a strain on this human element. In response, Adam Shostack, President of Shostack & Associates, led a session called ‘A Fully Trained Jedi, You Are Not’, which introduced the topic of training in application security and how better preparing developers to deal with security issues can reduce unnecessary risk and burnout. His suggested solution was a structured and compassionate approach to learning that complements the security tools DevSecOps professionals rely on every day, easing pressure in the workplace. In a related session, Kyle Tobener, VP and Head of Security and IT at Copado, emphasized the need for compassion and empathy when treating the human element as a source of security risk. In his session ‘A Framework for Effective & Compassionate Security Guidance,’ Tobener discussed how cybersecurity professionals can apply harm reduction and why a compassionate approach can be more effective than prohibitive rules. Since high-risk behaviors such as falling for phishing emails happen regardless of security protocols, it is critical to provide thoughtful guidance across the wide range of possible entry points.
Cybersecurity is the New Warfare
With the Biden administration issuing directives and executive orders on cybersecurity, government agencies are starting to make large changes to their security efforts. Cybersecurity becoming a staple of modern warfare was one of the main themes of this year’s Black Hat. Many participants agreed that in the new normal following the pandemic, cyber-warfare, disinformation, and politics are becoming increasingly intertwined. This harsh reality means that good cybersecurity practices in government are not just a recommendation but a must, not only to modernize security tools but also to implement zero trust concepts that reduce sensitive data exposure. David Treece, Director of Solutions Architecture at Yubico, held a session on why government mandates around phishing-resistant multi-factor authentication (MFA) are emerging. Since organizations with legacy MFA systems and processes are easier to attack, they face greater risk if government agencies don’t place emphasis on these mandates. Principal Threat Researcher Juan Andres Guerrero-Saade and Senior Threat Researcher Tom Hegel from SentinelOne also spoke about the growing concerns over cyber-warfare. Their discussion of the daily cyber struggle between Russia and Ukraine reminded the audience that similar cyber attacks were relatively rare before the war, an ominous sign of how easily cyber attacks can become global.
Security Flaws Reveal Major 5G Risks
As 5G commercial networks roll out, major changes and innovations are being made to accommodate faster networks. However, this leaves room for these new networks to introduce new vulnerabilities, as Altaf Shaik, a researcher at the Technical University of Berlin, and his colleague Shinjo Park showed. Shaik and Park examined the application programming interfaces (APIs) offered by ten mobile carriers and found API vulnerabilities in every one, revealing flaws that could be used to expose SIM card identities, SIM card secret keys, billing information, and the identity of who purchased which SIM card.
After years of examining potential security and privacy vulnerabilities in mobile-data radio frequency standards, Shaik was curious to investigate the APIs that carriers offer to make internet of things (IoT) device data accessible to developers. These are the pipelines that applications use to pull, for instance, real-time tracking information for a bus or stock levels at a warehouse. Such APIs are common in web services, but Shaik highlights that they haven’t been widely used in core telecommunication offerings. Looking at the 5G IoT APIs of ten mobile carriers around the world, Shaik and Park found common but serious API vulnerabilities in all of them, some of which could be exploited to reach data without authorization or to gain direct access to IoT devices on the network.
Starlink Hacked with Homemade Circuit Board
Belgian security researcher Lennert Wouters took to the stage at Black Hat to show how he could hack Starlink’s user terminals using a homemade circuit board. Costing $25, the board enables a fault injection attack that bypasses Starlink’s security and grants access to control functions Starlink had intended to keep locked down. Wouters disclosed the vulnerability to SpaceX last year, earning him a place in SpaceX’s bug bounty hall of fame, and SpaceX issued an update shortly after to make the attack harder. However, Wouters says that unless SpaceX produces a new version of the main chip, all existing user terminals will remain vulnerable.
To reach the satellite dish’s software, Wouters physically stripped down a dish he had purchased and built a circuit board that attaches to the Starlink dish. Once attached, the board briefly shorts the system to carry out its fault injection attack, and this glitch is what let Wouters access previously locked parts of the Starlink system. Wouters is now releasing his tool as open source on GitHub, including some of the details needed to carry out the attack.
Ukraine’s Lead Cybersecurity Official’s Surprise Visit to Black Hat
During his unannounced visit, Victor Zhora, deputy head of Ukraine’s State Special Communications Service, spoke at Black Hat, revealing that the number of cyber incidents hitting Ukraine tripled in the months following Russia’s invasion in February. He added that Ukraine had detected more than 1,600 major cyber incidents so far in 2022, including the discovery of ‘Industroyer2’, malware capable of manipulating equipment in electrical utilities to control power flow. The malware was used by the Russian-backed hacking group ‘Sandworm’ in an attempt to take down a Ukrainian energy provider by disconnecting the provider’s electrical substations.
What’s interesting about ‘Industroyer2’ is that it appears to be an adaptation of ‘Industroyer’, the malware the ‘Sandworm’ group used to cut power in Ukraine in 2016, leaving more than 100,000 customers without electricity two days before Christmas. ‘Industroyer2’ was used alongside ‘CaddyWiper’, a destructive wiper first observed targeting a Ukrainian bank in March of this year. ‘CaddyWiper’ was planted on Windows systems in an attempt to erase traces of the attack. The hackers also targeted the organization’s Linux servers using other wiper variants called ‘Orcshred,’ ‘Soloshred,’ and ‘Awfulshred’. The ‘Sandworm’ group has also been linked to recent cyber attacks on U.S. satellite communications provider Viasat, which triggered satellite outages across central and eastern Europe.
Zoom Installer Flaw Enables Root Access on macOS
The COVID-19 pandemic has had a large influence on Zoom, which has become an essential communications tool for many organizations. Today, more than a million devices worldwide run Zoom, and that reach has created an opportunity for security flaws to be exposed. Mac security specialist Patrick Wardle revealed during a talk at DEF CON that a flaw in Zoom’s installer for macOS could allow attackers to gain the highest level of access to the operating system, including sensitive user files and system files. During his research, Wardle discovered that the Zoom macOS installer has an auto-update function that runs in the background with elevated privileges, allowing an attacker to run any program through the update function and inherit those same privileges.
The exploit targets a bug in how the updater installs a new package after checking that it has been cryptographically signed by Zoom. Because of the bug, giving the updater any file with the same name as Zoom’s signing certificate was enough to pass the test, meaning an attacker could substitute any kind of malware and have it run by the updater with elevated privileges. The result is a privilege escalation attack: it assumes an attacker has already gained initial access to the target system and uses the flaw to gain even more. For instance, the attacker could begin with a restricted user account but escalate to a more powerful one such as ‘superuser’ or ‘root’, allowing them to add, remove, or modify any files on the machine. Zoom has since fixed the issue with an update released over the weekend. However, Wardle presented one unpatched vulnerability that still affects systems today.
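The updater flaw above comes down to a check that looked at a name rather than at the bytes about to be installed. The following Python is an added illustration of that failure mode and its fix, not Zoom’s code or Wardle’s; it models a privileged updater with two verifiers. The weak one trusts a self-declared publisher string (the analogue of matching a certificate name), while the sound one recomputes a tag over the full package contents and compares it in constant time. The vendor key, publisher name, and package bytes are constructed for the demo, and an HMAC stands in for a real public-key code signature so the example runs with the standard library only.

```python
import hashlib
import hmac

# Constructed secret standing in for the vendor's private signing key.
# A real updater would verify a public-key signature (e.g. Developer ID);
# HMAC is used only so this example runs with the standard library.
VENDOR_SIGNING_KEY = b"constructed-demo-signing-key"
EXPECTED_PUBLISHER = "Example Publisher Inc."  # hypothetical name


def sign_package(contents: bytes) -> bytes:
    """Vendor side: tag the exact package bytes with the vendor key."""
    return hmac.new(VENDOR_SIGNING_KEY, contents, hashlib.sha256).digest()


def weak_is_trusted(publisher_name: str, contents: bytes, tag: bytes) -> bool:
    """Flawed check: accepts any package whose self-declared publisher string
    matches the expected name. The string is attacker-controlled, and the
    contents and tag are never examined, so a forgery passes."""
    return publisher_name == EXPECTED_PUBLISHER


def strong_is_trusted(publisher_name: str, contents: bytes, tag: bytes) -> bool:
    """Sound check: recompute the tag over the bytes that will actually be
    installed and compare in constant time. The declared name is irrelevant."""
    return hmac.compare_digest(sign_package(contents), tag)


def run_update(verifier, publisher_name: str, contents: bytes, tag: bytes) -> str:
    """Privileged updater: installs only if the chosen verifier accepts."""
    if not verifier(publisher_name, contents, tag):
        return "rejected"
    return "installed:" + contents.decode()


# Constructed packages: a genuine build signed by the vendor, and a forged
# one that merely claims the vendor's name and carries a bogus tag.
GENUINE_CONTENTS = b"genuine-update-v2"
GENUINE_TAG = sign_package(GENUINE_CONTENTS)
FORGED_CONTENTS = b"forged-package"
FORGED_TAG = b"\x00" * 32  # an attacker without the key cannot produce a valid tag


def demo() -> dict:
    """Run both verifiers against both packages and return the outcomes."""
    return {
        "weak_genuine": run_update(weak_is_trusted, EXPECTED_PUBLISHER, GENUINE_CONTENTS, GENUINE_TAG),
        "weak_forged": run_update(weak_is_trusted, EXPECTED_PUBLISHER, FORGED_CONTENTS, FORGED_TAG),
        "strong_genuine": run_update(strong_is_trusted, EXPECTED_PUBLISHER, GENUINE_CONTENTS, GENUINE_TAG),
        "strong_forged": run_update(strong_is_trusted, EXPECTED_PUBLISHER, FORGED_CONTENTS, FORGED_TAG),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The weak verifier installs the forged package because the only input it inspects is one the attacker chooses; the strong verifier rejects it while still accepting the genuine build. The defensive lesson is the same one the Zoom fix embodies: a privileged updater must bind its trust decision to the signature over the payload it executes, never to a name, path, or string that the payload can assert about itself.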
Announcements

U.S. Department of State Unmasks Alleged Conti Ransomware Operative
The U.S. government will offer up to $10,000,000 for information on five individuals believed to be high-ranking members of the notorious Russian-backed Conti ransomware group. The group has been responsible for nearly 1,000 ransomware operations targeting the U.S. and critical international infrastructure, including law enforcement agencies, emergency medical services, and 911 dispatch centers. The reward is offered under the U.S. Department of State’s Rewards for Justice (RFJ) program and marks the first time the U.S. government has publicly identified a Conti operative. The program, which specifically seeks information on national security threats, is offering the reward for information leading to the identification and location of the Conti operator known as ‘Target’, along with four alleged Conti members known as ‘Tramp’, ‘Dandis’, ‘Professor’, and ‘Reshaev’. In addition, the RFJ said it would pay up to $5,000,000 for information leading to the arrest or conviction of any individual in any country who conspires to participate, or attempts to participate, in Conti variant ransomware incidents.
Virtru Reveals Encrypted Period-Tracking App Prototype
In response to the recent overturning of Roe v. Wade, Virtru, a company best known for its email encryption service for enterprises and consumers, revealed a prototype period-tracking app at DEF CON. The app claims to give users complete control of their private information, such as period and ovulation tracking data. This has become a concern for many, since there are now fears that such data could be used to prosecute people seeking an abortion or medical care for a miscarriage, as well as those who assist them. The app, which Virtru calls ‘SecureCycle,’ leverages the open source, end-to-end encryption offered by OpenTDF to notify the user if any third party attempts to access their data. “Now more than ever, it’s important for people to know that they have a choice to protect their data. I often hear from friends that they end up using products for the features and that when it comes to security, they don’t have much of a choice. By building this app, I think we are showing the market: There is a way to protect data, and there is a way to put the control back in the hands of the individual,” says Tarryn Lambert (UX Research and Design Manager at Virtru).
This year’s Black Hat and DEF CON marked a return to how things were before the pandemic. In many ways, though, they also represent the effort made, despite substantial challenges, to innovate and grow within security. They have made us more willing to trust our abilities while not forgetting the details, especially when it comes to the software we use every day.
Did you attend, showcase a product, or speak at Black Hat USA or DEF CON this year? We want to hear about your experience. Have a trend, highlight, or story from Black Hat USA 2022 or DEF CON 30 that was not covered in this article? Please share it with us on Twitter, and we will share it with the community. Vendors and security experts: Don’t miss out on the opportunity to be featured in future LinuxSecurity articles and social media posts! Connect with us on Twitter and share your story.