#BHUSA BlackHatEvents

PageJack: A Powerful Exploit Technique With Page-Level UAF
Speaker: Zhiyun Qian. Contributors: Jiayi Hu, Jinmeng Zhou, Qi Tang, Wenbo Shen. 8/8/2024
Who we are: Zhiyun Qian, Jinmeng Zhou, Qi Tang, Wenbo Shen, Jiayi Hu
OS kernel exploits. Control flow hijack. Ex: corrupt function pointer return-oriented programming (ROP). Data-only attacks. Ex: corrupt data pointer arbitrary read/write to modify key objects (e.g.,

PyLingual: A Python Decompilation Framework for Evolving Python Versions
Josh Wiedemeier
Hello! Sang Kil Cha, Muhyun Kim, Elliot Tarbet, Simon Liu, Jessica Ouyang, Kangkook Jee, Josh Wiedemeier, Jerry Teng, Max Zheng
Python is Popular. Source: PYPL. People Use It to Make Malware. Here's One: 6 LOAD_GLOBAL 1 (getpass) 8

SnailLoad: Anyone on the Internet Can Learn What You're Doing
Stefan Gast, Daniel Gruss. 2024-08-07. Graz University of Technology
Who are we? Stefan Gast, PhD Student, Graz University of Technology. notbobbytables@infosec.exchange, notbobbytables, https://stefangast.eu/. Daniel Gruss, Professor, Graz University of Technology. lavados@infosec.exchange, lavados, https://gruss.cc/

Terrapin Attack: Breaking SSH Channel Integrity by Sequence Number Manipulation
Fabian Bäumer, Ruhr University Bochum. Marcus Brinkmann, Ruhr University Bochum. Jörg Schwenk, Ruhr University Bochum
A Tale Of System Administration (diagram labels): srv-prod-01, Production, Sysadmin Bob, bob@srv-prod-01, SSH, mallory@srv-test-01, SSH, Trainee Mallory, srv-test-01, Test, Network TAP
Demo - A Normal Workday For Bob

TuDoor Attack: Systematically Exploring and Exploiting Logic Vulnerabilities in DNS Response Pre-processing with Malformed Packets
Speaker(s): Qi Wang, Tsinghua University. Contributor(s): Xiang Li, Nankai University & Chuhan Wang, Tsinghua University
Attack Impact: Poisoning vulnerable resolvers' cache within just one second. Our TuDoor attack could poison arbitrary domains, e.g., .com.
Domain Name System (DNS). DNS Overview: Translating domain nam

Windows Downdate: Downgrade Attacks Using Windows Updates
Alon Leviev. Security Researcher, SafeBreach. 22-years-old. Self-taught. OS internals, reverse engineering and vulnerability research. Former BJJ world and European champion. Creator of PoolParty process injection techniques
Agenda: Research Background; Downgrade Attacks Using Windows Updates; Virtualization-Based Security Vulnerabilities; Windows Update Restoration Vulnerability; Closing Remarks
Research Background. WINDOWS DOWNDATE. What are Downgrade Attacks? Immune S

From MLOps to MLOops: Exposing the Attack Surface of Machine Learning Platforms
Speaker: Shachar Menashe
whoami: Shachar Menashe. Classically - Binary reverse engineer. In practice - Full-time CVSS assigner :) Leading JFrog's security research teams. 0-day, CVE, malware research. Presenting recent research from our 0-day team: Ori Hollander, Natan Nehorai, Uriya Yavnieli
Org High V

From Doxing to Doorstep: Exposing Privacy Intrusion Techniques used by Hackers for Extortion
Jacob Larsen
whoami: Jacob Larsen. Offensive Security Team Lead, CyberCX. Threat Researcher. Researching underground cyber crime groups since 2016. Based in Perth, Australia. larsencyber https:/
9 years ago, I was a doxing victim. I had an online account with a rare username which they wanted. Ever since then, I have followed the subcul

Break the Wall from Bottom: Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls
Speaker: Qi Wang (Eki). Contributors: Jianjun Chen, Run Guo, Chao Zhang, Haixin Duan
Talk Roadmap: What are WAFs and how do they work? How do we discover new evasion cases automatically? How to bypass WAF at the protocol-level like a Pro? Bonus: Three useful tactics to bypass WAFs at the protocol-level
WebApps Security Risk: WebA

From Weapon to Target: Quantum Computers Paradox
Mădălina B, Sorin Boloș, sorin.bolos@transilvania-, Adrian Coles, Andrei K, Andrei Luțaș, Dan Luțaș, Radu Mărginean, radu.marginean@transilvania-, Andrei M, Radu P, Miruna Ros. August 2, 2024
Executive Summary: The impact of quantum computing on the classical computing based cybersecurity has been discussed extensively over the past 30 years. This led to the development of the so-called post-quantum cryptography. At the same time, relatively little attention has been paid to the security

From Exploits to Forensic Evidence: Unraveling the Unitronics Attack
Noam Moshe, Claroty Research, Claroty Team82
$whoami: Noam Moshe. Vulnerability researcher - mostly breaking IoT clouds. Master of Pwn, Pwn2Own ICS 2023. *Special thanks to Claroty Team82 researchers: Sharon Brizinov, Vera Mens, Tomer Goldschmidt
So what's the sitch? Nov 23: APT targets Unitronics PLCs. CyberAv3ngers. Used in water facilities worldwide

Use Your Spell Against You: A Proactive Threat Prevention of Smart Contract Exploit
Yajin Zhou, BlockSec & Zhejiang University
This work is a team effort of researchers from Zhejiang University and BlockSec. Hailin Wang, Jianfeng Zhu, Hang Feng, Youwen Hu, Runhuai Li, Sheng Yu, Lei Wu, Yajin Zhou
About Me: Co-founder of BlockSec and Professor of Zhejiang University. Research interests: DeFi security, Blockchain system security. Publish: 60+ papers with 9,000+ citations. Hack and build systems. Read mor

You've Already Been Hacked: What if There Is a Backdoor in Your UEFI OROM?
Kazuki Matsuo (InfPCTechStack). 2024/8/8, South Seas CD, Level 3
Whoami - Kazuki Matsuo (InfPCTechStack). Title: Security Researcher. Affiliation: FFRI Security, Inc & Waseda University (This study was done during my master's degree). Interests: UEFI (Negative Rings), Trusted Computing, Windows Kernel
Contributo

All Your Secrets Belong to Us: Leveraging Firmware Bugs to Break TEEs
Tom Dohrmann
whoami: Tom Dohrmann. Low-level enthusiast. Coding. Hacking
Outline: Short Intro to TEEs and AMD SEV-SNP; Prerequisites; Platform Security Processor & Firmware; Reverse Map Table; Bug #1; Simple Exploit; Improved Exploit; Bug #2; Exploit; Wrap-up and take-aways
What's a TEE Anyway? TEE = Trusted Execu

Listen to the whispers: web timing attacks that actually work
James Kettle, PortSwigger Research
The timing trap:

    import time

    def strcmp(s1, s2):
        for c1, c2 in zip(s1, s2):
            if c1 != c2:
                return False
            time.sleep(0.01)
        return True

Does the database contain a password reset token starting with d7e? (not to scale)
The timing divide: Lab-proven, Theoretical. 200μs (0.2ms, 0.0002 seconds)
Making timing attacks that work everywhere. Listening to whispers: Hidden attack-surface; Server-side injection; Reverse proxy misconfigurations; De

Relationships Matter: Reconstructing the Organizational and Social Structure of a Ransomware Gang
Speaker(s): Dalya Manatova and L Jean Camp, Indiana University
We are: L Jean Camp (Professor, IU; Fellow, IEEE; Fellow, ACM; Fellow, AAAS) and Dalya Manatova (Doctoral Researcher, Ostrom Fellow, Indiana University)
Modern eCrime: Attackers are described as Exciting, Artists, Innovative, Anonymous, Reputation & profit maximizing. Is Organized. eCrime as a service

Hardening HSMs for Banking-Grade Crypto Wallets
Black Hat 2024. JP Aumasson, Chervine Majeri
Whois: JP - Taurus co-founder & CSO, First BHUS talk was in 2013. Chervine - Taurus lead research engineer, First BHUS talk is now. Crypto asset custody & issuance for banks () regulated and running a marketplace for tokenized assets (t-). In Geneva, Zurich, London, Paris, Vancouver, Dubai
Outline: 1. What is really an HSM? 2. Securit

Are Your Backups Still Immutable, Even Though You Can't Access Them?
Speaker(s): Rushank Shetty, Ryan Kane
INTRO: whoami; Data Immutability Background; Vendor Case Studies; Recommendations; The Why; Q/A
Sections: Intro, whoami, Ransomware Groups, Data Immutability, Dell/EMC, IBM DS8000, AWS Backup, Recommendations, Why test, Q/A
WHOAMI: Ryan Kane, Northwestern Mutual, Pen Tester/Red Teamer, CypherCon Volunteer (MKE, WI). Rushank Shetty, Northwestern Mutual, Pen Tester/Red Teamer, First-time Black Hat Attendee/Presenter

Foreign Information Manipulation and Interference (Disinformation 2.0)
FRANKY SAEGERMAN. Based on Learnings from 30 Years at NATO
frankylitics. FRANKY SAEGERMAN: Head of Social Media. (2012-2016) Head Digital Insights. (2016-2020) Information Environment Analyst. (2020-2024)
What is Disinformation? What is it not? Disinformation

Bytecode Jiu-Jitsu: Choking Interpreters to Force Execution of Malicious Bytecode
Toshinori Usui (1), Yuto Otsuki (1). Contributors: Ryo Kubota (1), Yuhei Kawakoya (1), Makoto Iwamura (1), Kanta Matsuura (2). (1) NTT Security Holdings Corporation; (2) Institute of Industrial Science, The University of Tokyo
Toshinori Usui, Ph.D.: Research scientist, security principal. Research interests: malware analysis, reverse engineering, and exploit development. CTF lover. Brazilian Jiu-Jitsu enthusiast. Yuto Otsuki, P

BLACK HAT BRIEFINGS: Secure Shells in Shambles
HD MOORE | ROB KING | AUGUST 7, 2024
Agenda: This is a talk about the evolution of the Secure Shell (SSH). An overview of the SSH ecosystem; What's changed & what hasn't; New & interesting attacks; OpenSSH fragmentation; Introducing SSHamble; Defending SSH
In the beginning was SSH: Tatu Ylönen created SSH v1 in 1995 as freeware. Continued development as the proprietary SSH.com. Björn Grönvall forked Ylönen's free SSH v1.2.12 as OSSH. OpenBSD forked OSSH into OpenSSH in 1999

The Way to Android Root: Exploiting Your GPU On Smartphone
Xuan Xing, Eugene Rodionov, Xiling Gong
Whoami: Increase Android and Pixel security by attacking key components and features, identifying critical vulnerabilities before adversaries. Offensive Security Reviews to verify (break) security assumptions. Scale through tool development (e.g. continuous fuzzing). Develop proof of concepts to demonstrate real-world impact. Assess the efficacy of security mitigations

Practical LLM Security: Takeaways From a Year in the Trenches
Rich Harang, Principal Security Architect (AI/ML) | August 7, 2024
Intro: Who am I and why should you listen to me about LLM security? PhD in Statistics and Applied Probability. Working at intersection of machine learning, security, and privacy since 2010. U.S. Army Research Laboratory making and breaking ML tools for applied network security in partnership with CNDSP; source code and binary stylometry; adversarial examples for sequence models; frog-boi

Reinforcement Learning for Autonomous Resilient Cyber Defence
Ian Miles, Sara Farmer. arcd@fnc.co.uk. Frazer-Nash Reference: 016273-146560V
Briefing Contributors: Ian, Sara
Autonomous Resilient Cyber Defence: UK ARCD program. Mission: Machine speed cyber response & recovery on military platforms & systems. Defending IT & OT systems. Goals: Understand & demonstrate Autonomous Cyber Defence (AC

Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities for Initial Access
Nick Frichette
Boring: Leaked Access Keys; Exposed S3 Bucket; Exploited EC2 Instance
Why is it, when something happen

Microarchitecture Vulnerabilities: Past, Present and Future
Daniel Gruss (Graz University of Technology), Anders Fogh (Intel Corporation)
Introduction: Daniel Gruss, Graz University of Technology. Anders Fogh, Intel. Daniel and Anders do not always agree!
Past - earliest days: Side Channels always existed. First scientific observations in 1943. Concept of “covert channels” in 1973

Gotta Cache 'em all: Bending the rules of web cache exploitation
Martin Doyhenard, PortSwigger Research
Agenda: 1. Web Caches 2. Cache Rule Exploitation 3. Cache Key Exploitation 4. Cache-What-Where (DEMO) 5. Defences 6. Takeaways
Web Caches (diagram labels): Key, Response, Origin Server, Cache Proxy, GET /styles.css, Key()
Web Caches: Identify Requests elements used for comparison. GET /styl

We R in a right pickle with all these insecure serialization formats
Speaker(s): Kasimir Schulz & Tom Bonner
Introduction: Kasimir Schulz, Principal Security Researcher at HiddenLayer, linkedin/in/kasimir-schulz, Socials: abraxus7331. Tom Bonner, VP of Research at HiddenLayer, linkedin/in/thomas-j-bonner, Socials: thomas_bonner
Introduction: We've been investigating machine learning libra

Will We Survive the Transitive Vulnerability Locusts?
Speakers: Eyal Paz, Liad Cohen
Eyal Paz, VP of Research, OX Security: Eyal Paz is the VP of Research at OX Security. Eleven years at Check Point working on security research for product innovation in network security, and threat intelligence. Ph.D. candidate researching the problem of encrypted traffic classification.
Liad Cohen, Data Scientist & Security Researcher

Splitting The Email Atom: Exploiting Parsers To Bypass Access Controls
GARETH HEYES
Outline: 1. Why email address parser discrepancies matter 2. The shaky foundation 3. Parser discrepancies - Unicode overflows - Encoded-word - Punycode 4. Methodology/Tooling 5. Defence 6. Takeaways
ADD FUNKY STARS
Why email address parser discrepancies matter: Predicting an email destination is extremely difficult
The shaky foundation: RFC2822. RFC “features”: Quoted local- foo Quoted C(bar)foo(bar)(bar)
The wrong question: Which email is valid?

Unraveling the Mind behind the APT: Analyzing the Role of Pretexting in CTI and Attribution
Speaker: Sanne Maasakkers. BlackHat USA 2024 briefings
Contents: 01 Introduction; 02 Research concept; 03 Analyzing content; 04 Analyzing context; 05 Result & demos; 06 Conclusion & outlook
Sanne: - Joined Mandiant Intelligence/Google Cloud in 2023 as Senior Analyst - Previously worked in Red Team/Research & Intel Fusion Team (Fox-IT) and Fusion Centre (NCSC-NL) analyzing threats against The Netherlands - 3 ma

Unveiling Mac Security: A Comprehensive Exploration of Sandboxing and AppData TCC
Zhongquan Li & Qidan He
Zhongquan Li (Guluisacat): Senior security researcher from Dawn Security Lab of JD.com. Focusing on bug hunting and fuzzing in Android, IoT, and Apple products. Blog: https:/
Qidan He (flanker_hqd): Director, Chief security researcher from Dawn Security Lab of JD.com. Focusing on security architecture of mobile and cloud native security, bug hunting, anti-fraud. Blog: ht

Ignore Safety Directions. Violate the CFAA?
Kendra Albert (Harvard Law School); Jonathon Penney (Osgoode Hall Law School/Harvard Berkman Klein Center); and Ram Shankar Siva Kumar (Harvard Berkman Klein Center)*
Introduction: In March, twenty-three artificial intelligence (AI) experts publicly released a working paper calling for legal and technical protections for researchers engaged in good faith evaluation and “red teaming” of AI systems.1 The co-authors, including experts from Massachusetts Institute of

Bugs of yore: A bug hunting journey on VMware's hypervisor
Zisis Sialveras, zisis@census-, _zisis
WHOAMI: Computer security researcher at CENSUS. Finding and exploiting bugs professionally since 2013. Reversed A LOT of VMware's code. Gave a few talks about VMware exploitation in the past
HOW EVERYTHING STARTED: Goal: Develop guest-to-host escape exploit for VMware Workstation 12 (on Windows hos

UnOAuthorized
Eric Woodruff, Senior Security Researcher, Semperis. ericonidentity@infosec.exchange, /in/ericonidentity
Unauthorized + OAuth 2.0. UnOAuthorized (footnote 1: h/t to myself, AI did not help with this name)
Background: Plenty of research on Entra ID app permissions and roles

Attention Is All You Need for Semantics Detection: A Novel Transformer on Neural-Symbolic Approach
Sheng-Hao Ma, Yi-An Lin, Mars Cheng. aaaddress1, marscheng_. TXOne Networks | Keep the Operation Running
TXOne Threat Researcher From: Sheng-Hao Ma, Mars Cheng. Threat Research Manager, PSIRT and Threat Research. Team Lead, PSIRT and Threat Research. Yi-An Lin, Threat Researcher, PSIRT and Threat Research
Background and Pain Points: CuIDA (Cuda-trained Inference Decompiler

Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap
Robert Herrera, NCC Group. Alex Plaskett, NCC Group
$who: Robert Herrera, NCC Group Hardware/Embedded Security Team (HES). Alex Plaskett, NCC Group Exploit Development Group (EDG)
Device Introduction: Sonos One, Sonos Era-100. Sonos One Wi-Fi Exploitation

Into the Inbox: Novel Email Spoofing Attack Patterns
Speakers: Caleb Sargent & Hao Wang
About Us: Caleb Sargent (squared_), Offensive Security Engineer. Hao Wang (MrRed_Panda), Offensive Security Manager
Disclaimer: The ideas, content, or opinions expressed in this presentation are solely those of the author and do not reflect any endorsement or support by our employer.
Agenda: 1. Story Time 2. Email Security Basics 3. Attack Patterns 4. Next Steps 5. Recommendations

Deep Backdoors in Deep RL
Reinforcement Learning. The Anatomy of a RL Backdoor: Malicious Trigger, Backdoored Neurons
Software Supply Chain Attacks (Code, Build, Deploy, Update): Compromise source code; Inject malicious code in build; Exploit deployment pipelines

Confusion Attacks! Exploiting Hidden Semantic Ambiguity in Apache HTTP Server
Orange Tsai. USA 2024
Who hasn't heard of Apache HTTP Server before?
Apache Httpd in a Nutshell: 1. Almost 30-year-old open-source project 2. CGI enabled by default 3. Heavily integrated with PHP
101 Ways to Run PHP: 1. mod_php 2. php-fpm 3. mod_fastcgi 4. mod_proxy_fcgi 5. mod_fcgi 6. mod_fcgid 7. mod_cgi + php-cli 8. mod_cgi + php-cgi 9. mod_cgi + spawn-fcgi 10. mod_cgi + fcgiwrap 11. more?
Config Directives are Complicated: SetHandler handler-name|none|expression A

Modern Kill Chains: Real World SaaS Attacks and Mitigation Strategies
Cory Michal, VP of Security. Brandon Levene, Principal Product Manager, Threat Detection. Ben Pruce, Lead Threat Detection Engineer. August 7, 2024
Agenda: Reflect on where we are currently; Hypothesize why we are here; Examine what it is like to be here; Determine if something better is possible; Outline how we could move to better state
Historical Attack Surface Change. Pre Cloud & SaaS Attack Surface 2009 (diagram labels: DMZ, DMZ, DMZ). Modern Attack Surface 2020. Att

Modern Anti-Abuse Mechanisms in Competitive Video Games
Julien Voisin, dustri.org
Agenda: - Cheats & abuses? - Countermeasures - Technical - Social - Exotic - Conclusion
Toxicity? Play Counter Strike or League of Legends for 10 minutes to get vivid examples.
Cheats, abuses, toxicity, Cheats aren't hunted down becau

Securing Network Appliances: New Technologies and Old Challenges
Speaker: Vladyslav Babkin
$whoami: Vladyslav Babkin (“hotab”). Network & Web Hacker, Web Developer. Long-time CTF player (team dcua). Security Researcher, Eclypsium. Twitter: HotabZero
HOW DID NETWORK DEVICES EVOLVE? 2005: First Cisco Rootkit. 2008: Operation Cisco Raider. 2015: SYNFUL Knock, Cisco ROMMON Attack, Juniper Backdoors. 2016: Shadow Bro

Self Hosted GitHub Runners: Continuous Integration, Continuous Destruction
Adnan Khan | John Stawinski
First, A Story: Two months ago, someone identified a GitHub Actions misconfiguration in a public repository owned by one of the largest domestic chip manufacturers in the United States - anyone with a GitHub account could have exploited it by creating a pull request. The vulnerability allowed them to obtain Enterprise

What Lies Beneath the Surface: Evaluating LLMs for Offensive Cyber Capabilities through Prompting, Simulation & Emulation
Speaker(s): Michael Kouremetis, Marissa Dotter, Alexander Byrne
Copyright 2024 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited. Case: 24-2367
Team: Marissa Dotter (Speaker) AI, AI Sec

Super Hat Trick: Exploit Chrome and Firefox Four Times
Nan Wang, Zhenghang Xiao
About us: Nan Wang (eternalsakura13): Security researcher at 360 Vulnerability Research Institute. Focusing on hunting Chrome vulnerabilities. Chrome VRP top 10 researcher in 2021/2022/2023. Facebook Top 2 whitehat hacker in 2023. Speaker of BlackHat USA 2023/BlackHat Asia 2023
Zhenghang Xiao (Kipreyyy): Individual security researcher. First-year Master's candidate at NISL Lab, Tsinghua University

Breaching AWS Accounts Through Shadow Resources
Yakir Kadkoda, Michael Katchinskiy, Ofek Itach
AWS Account ID: Each AWS account has a unique account ID. 12-digit ID. Some treat it as a secret, others don't
Yakir Kadkoa Security Lead Security Resear

HOOK, LINE AND SINKER: PHISHING WINDOWS HELLO FOR BUSINESS
Yehuda Smirnov. RED TEAM & SECURITY RESEARCHER, ACCENTURE SECURITY ISRAEL
ABOUT ME: Like learning & researching Windows, Active Directory, Azure and anything interesting. Develop in C, C#, Python & Assembly. Ex private investigator. Like to surf & play tennis. yudasm_ on twitter

Tunnel Vision: Exploring VPN Post-Exploitation Techniques
Ori David. 2022 Akamai | Confidential
Agenda: VPN exploitation; VPN post-exploitation; What can we do about it
whoami: Ori David. Security Researcher at Akamai. Background in red teaming & threat hunting
Why VPNs are appealing to attackers? (diagram labels: VPN, Internal Network)
“Classic” VPN exploitation: Abused mainly to gain initial access to the network
VPN Post-Exploitation? VPN post-exploitation: Persistency, Credential Acces

How Hackers Changed the Media (and the Media Changed Hackers)
Moderated by: Sherri Davidoff | CEO, LMG Security
Panelists: Lorenzo Franceschi-Bicchierai | Senior Writer/Editor, Cybersecurity, TechCrunch. Robert McMillan | Reporter, The Wall Street Journal. Sadia Mirza | Partner, Troutman Pepper