
2023-05-09 ~ 2023-03-12

Presentations (with video): 44 (37)

Black Hat provides attendees with the latest in research, development, and trends in Information Security. Here the brightest professionals and researchers in the industry come together for a total of four days—two or four days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures in the Briefings. Black Hat Asia will be a Live, In-Person Event in Singapore, May 9-12, followed one week later by a Virtual Experience including recordings of all Briefings and Sponsored Sessions, available May 18. See the Conference Highlights below for more details.


Conference:  Black Hat Asia 2023
Authors: Koh Nakagawa
2023-05-12

In recent years, Arm processors have become popular on laptops, not limited to embedded devices. For example, Apple announced the Mac transition from Intel to Arm-based Apple Silicon in 2020, which made a big splash. Apple Silicon Mac has Rosetta 2, which enables the execution of Intel-based apps by translating x64 code into Arm64 code. Several researchers have conducted research on Rosetta 2 from a performance perspective. However, to the best of our knowledge, there is no research on Rosetta 2 from a security perspective.

In this talk, we present a new code injection vulnerability in Rosetta 2. Rosetta 2 stores binary translation results as Ahead-Of-Time (AOT) files, which are cached and reused for the next application launch. Since these files are SIP-protected, we cannot modify these files even as root users. However, we developed a new exploit that bypasses this SIP protection and injects arbitrary code into AOT files with user privileges. This code injection can be used to bypass macOS security and privacy mechanisms. Moreover, this technique enables us to make a stealthy backdoor by hiding a malicious payload in a SIP-protected location. Apple has fixed this vulnerability, but only partially. Therefore, an attacker can still exploit this vulnerability even on the latest macOS.

Our journey does not end with this finding. Interestingly, we also discovered a similar issue in Arm-based Windows x86/x64 emulation and developed a similar code injection. Therefore, we believe this vulnerability is prevalent among these compatibility technologies and will affect similar technologies introduced in the future.

This talk will show the vulnerabilities specific to these compatibility technologies in Arm-based OSs for the first time. New code injection techniques with PoC code benefit red teams. In addition, new exploit techniques and reverse engineering results will help future vulnerability research.

Conference: Black Hat Asia 2023
Authors: Sudhanshu Chauhan, Ty Miller, Jeff Moss, Asuka Nakajima, Pamela O'Shea
2023-05-12

Join Black Hat Founder Jeff Moss and Black Hat Asia Review Board members Sudhanshu Chauhan, Ty Miller and Asuka Nakajima for an insightful conversation on the most pressing issues facing the InfoSec community. This panel session will feature a candid discussion on the key takeaways coming out of the conference and how these trends will impact future InfoSec strategies.

Conference: Black Hat Asia 2023
Authors: Yoav Alon, Tzah Pahima, Yanir Tsarimi
2023-05-12

Cloud is the new operating system of the internet: almost all companies use the cloud to host workloads and data. While there are many talks about how to configure and maintain secure public cloud environments, there's little security research into the core cloud infrastructure, and vulnerabilities in core services could have a big impact on customers.

This is the story of how our research led to two major discoveries, crossing tenant boundaries in two services in the biggest cloud vendors. We researched two data integration services, where our exploits allowed us to obtain credentials to other customer accounts and run code on remote machines.

We're here to discuss new types of cloud provider service vulnerabilities, their anatomy and their implications: how simple vulnerabilities can lead to great impact, and yet how it is still beneficial to be a cloud customer.

Conference: Black Hat Asia 2023
Authors: Chrisando Ryan Pardomuan Siahaan, Andry Chowanda
2023-05-12

Have you ever wondered whether screen-sharing could pose a threat to your privacy? Or, perhaps, whether it is truly safe to keep your screen-sharing mode active when typing passwords, even if they're masked on-screen? Think about it: during video meetings, we frequently share our screens, giving our audience a real-time view of the characters and symbols as we type them. Some of us don't even bother to stop the screen sharing mode while typing passwords, believing that since the password is masked (hidden) on the screen, there is no potential threat to our privacy. However, while this behavior may not matter to human audiences, a computer vision model observing the screen-sharing session can gain a lot of information. It can determine the precise time a certain character is typed, how often we make mistakes in our typing, and even the delay between one character we type and the next. These metrics, unique to everyone, can be used to identify our generic typing behaviors. This way, an adversary can easily impersonate a victim's typing behavior without the need to install additional software/hardware such as keyloggers. In this presentation, we'll unveil the exploitation algorithms to extract an individual's typing behavior from a recorded screen-sharing video. We'll also demonstrate a staggering 67% chance that an attacker can mimic a victim's typing behavior and deceive a keystroke biometric authentication system to steal the victim's access or identity, just by using a recorded screen-sharing video. Furthermore, we'll demonstrate how an attacker could possibly recover one's typed password by using the mimicked typing pattern. Finally, we'll highlight some recommendations on how to prevent our keystrokes from being mimicked and stolen, although we believe there isn't yet a silver-bullet approach that could completely eliminate the risks.

Conference: Black Hat Asia 2023
Authors: Mathy Vanhoef, Domien Schepers
2023-05-12

This presentation introduces two novel attacks that abuse the power-save (sleep) functionality of Wi-Fi. In our first attack, we target a protected Wi-Fi network and abuse sleep mode to leak frames in plaintext. The idea is that the adversary forces an Access Point to buffer frames, and then causes the buffered frames to be transmitted using the wrong key or no key at all. For instance, some affected APs will leak buffered frames by encrypting them using an all-zero key, and some APs will even leak frames in plaintext. In our second attack, we introduce network disruption attacks based on the forced queueing of frames. As an example, we show how this can be used to block Fine Timing Measurements, which in turn may disrupt geofencing. Our attack can also be used to disconnect clients even when WPA3 and Protected Management Frames are enabled. We also explain how, after disconnecting a client, a malicious insider can reconnect as the victim to subsequently bypass client isolation and intercept traffic towards the victim. We will demonstrate and release a tool that can detect if a network is vulnerable to this client isolation bypass method. To prevent our sleep-based attacks, the power-management bit in Wi-Fi frames must be authenticated, which is currently not the case even when using WPA3. Preventing our attack from bypassing client isolation is non-trivial, and we will discuss the security and reliability trade-offs of possible mitigations.

Conference: Black Hat Asia 2023
Authors: Sandro Pinto, Cristiano Rodrigues
2023-05-12

The discovery of Spectre and Meltdown has turned systems security upside down. These attacks have opened a novel frontier for exploration to hackers and shed light on the untapped potential of hidden transient states created by shared microarchitectural resources. Since then, we have witnessed the rise of a plethora of effective software-based microarchitectural timing side-channel attacks capable of breaking and bypassing the security (isolation) boundaries of countless processors from mainstream CPU vendors (Intel, AMD, Arm). Notwithstanding, one class of computing systems is apparently resilient to these attacks: microcontrollers (MCUs). MCUs are shipped in billions annually and are at the heart of every embedded and IoT device. There is a common belief that MCUs are not vulnerable to these attacks because their microarchitecture is intrinsically simple.

In this talk, we challenge the status quo by unveiling a novel class of microarchitectural timing side-channel attacks affecting MCUs. First, we provide evidence of the existence of this channel on multiple platforms. Then, we explain the building blocks, the overall methodology, and the main challenges we faced in successfully mounting the attack. To close our talk, we discuss and demonstrate how to bypass the isolation guarantees of a reference TEE architecture on a state-of-the-art MCU. We perform a live demo of this attack emulating a secure smart lock IoT application.

Conference: Black Hat Asia 2023
Authors: Ziling Chen, Nan Wang, Hongli Han
2023-05-12

Nowadays, multiple mitigation mechanisms have gradually been added to Google Chrome in order to reduce the traditional RCE attack surfaces (e.g., V8 and Blink), which greatly increases the attack difficulty. Besides these well-known attack surfaces, we found that SQLite can be directly accessed by remote attackers via the Chrome WebSQL API.

In this talk, we will present a mutation-based fuzzer for WebSQL. By leveraging extra syntax tree and context analysis, the fuzzer substantially improves the syntactic and semantic correctness of the generated SQL samples, and has uncovered new vulnerabilities in WebSQL.

Most of the acknowledged CVEs related to WebSQL since the SQL statement whitelist restriction was enhanced in Chrome WebSQL in 2020 were discovered by our fuzzer. Furthermore, the identified vulnerabilities were all rated as high severity. We will also share the details and exploits of these vulnerabilities.

Conference: Black Hat Asia 2023
Authors: Sarah Young
2023-05-12

Call it what you will, security advocacy/evangelism/devrel content such as documentation, talks, demos, videos, etc. is usually targeted at other security professionals within the industry. Great, isn't that how this part of the industry works? One professional advocating to others in the same field?

But security advocacy is different. Security advocacy is needed by all parts of IT and, arguably, all parts of society. The old trope of "security needs to teach devs to be secure for DevSecOps" is still relevant, but what about SMBs and even individual, everyday people on the street?

In this talk, I will present analysis and research of past and present security developer relations and vendor content from all over the globe. I will demonstrate how most security messaging from this content is missing the majority of the intended audience and why this is causing content creators, whether they be dev rel, advocacy or vendors, to not have as compelling content as they may think they do. I will break down a few examples of security content to illustrate my points and I will analyze how these could be improved. The audience will leave with an improved awareness of this gap in security content targeting, and with strategies to redesign security content to be relevant to a wider audience with minimal effort and to plug said content into more communities so they can consume it.

Conference: Black Hat Asia 2023
Authors: Imran Saleem
2023-05-12

The talk is mainly driven by the cyber intelligence gathered in response to political shifts in the region. The core focus of the talk is to bring awareness and reveal actionable intelligence to a larger audience, specifically operators, so that they can take solid measures to ensure they have cyber resilience when it comes to handling these nation-state attacks during conflicts. As the theme of the talk is cyber-attacks during conflicts, we will share a glimpse of intelligence that was captured during the US forces' withdrawal from Afghanistan. We will discuss the timeline of the US withdrawal and how these activities were directly reflected and seen on the global signaling network. We will also share our intelligence gathered around the Russia and Ukraine conflict and how mobile networks were weaponized to inflict cyber war, with a primary focus on nation-state activity led by Russian sources/identities holding various objectives (i.e., hostile registration, location tracking and surveillance, SMS hijack, account takeover performing identity impersonation, identity spoofing via SS7 on the link level and upper layers, and zero-day exploit techniques used in an attempt to bypass security controls). These activities were supported by fuzzing looking to evade security defenses. Redacted network captures will be used to demonstrate the attack methodology. We will also walk through and provide evidence of how zero-day exploits on global signaling are incurring financial losses for mobile operators. The talk brings a unique perspective for mobile network operators on how revisiting their efforts in building a concrete cyber resilience security strategy can protect operators from financial and reputational losses and prepare them for hybrid war.

Please note that this will be a remote (virtual) presentation.

Conference: Black Hat Asia 2023
Authors: Nestori Syynimaa, Sravan Akkaram
2023-05-12

The majority of Fortune 500 organizations are using Azure Active Directory (Azure AD) as their Identity and Access Management (IAM) solution. The high adoption rate makes Azure AD a lucrative target for threat actors, including state-sponsored actors like APT29/Nobelium. Azure AD leverages Microsoft's not-so-well-documented Evolved Security Service (eSTS). eSTS hides multiple security token services so that users see only Azure AD. While studying how eSTS works, we were able to identify flaws that allow users to log in to resource tenants using just a username and password, regardless of their home tenant Conditional Access (CA) policies or MFA settings.

Azure AD Premium P2 includes an Identity Governance service which allows internal and external users to request entitlement to Access Packages. Access Packages are a collection of permissions that provide access to a specified organization's services, such as SharePoint sites, Teams, and applications. We observed that the APIs used by the Identity Governance service allowed access to privileged information for anonymous users.

This talk will provide technical details of our findings and how to exploit them. This includes viewing the target user's tenant membership information after bypassing home tenant MFA and listing the creators (administrators) of all Access Packages of any organization.