Black Hat 2019: Unveiling New Tools and Exposing New Vulnerabilities
Black Hat 2019 just hit Las Vegas, marking the 22nd annual running of the largest cybersecurity conference in the world – and it did not disappoint. In addition to presenting important research and running expert-led training courses, over a dozen exciting new tools made their debut at Black Hat this year. Microsoft just launched Azure Security Lab, which will give security researchers the opportunity to put the company's cloud security to the test. With up to $300,000 in bug bounty on the table, Microsoft has definitely gotten people's attention this week.
Security flaws plaguing Boeing, WhatsApp, Windows 10 and Apple also dominated conversations at the event. In this rundown, we'll look at some of the new tools unveiled at Black Hat and discuss the critical vulnerabilities that security researchers revealed this year.
New tools seen at Black Hat
All kinds of goodies were on center stage this week at Black Hat. Dozens of new tools for fuzzing, threat detection, system mapping and reverse engineering, and many other specialties, just made their Vegas debut. Here's a look at some of the hottest open source tools seen this week:
- RedHunt OS: A tool designed by Red Hunt Labs for purple team exercises, which means RedHunt OS brings functions for both red and blue teams together. This product offers advanced logging and monitoring, along with adversary emulation for blue teamers – while also offering the red team insight as to what “footprints” get left behind during their exercises. Red Hunt also offers OSINT (open source intelligence) and threat intelligence tools.
- PivotSuite: An open source tool which is described as a “portable, platform-independent network pivoting toolkit.” It can be used by pen testers as a server, or by clients to simplify lateral movement across networks.
- PhanTAP: Designed for network security analysis, PhanTAP is an invisible network tap that doesn't affect traffic and can be installed inline between a corporate network and a network device.
- PhyWhisperer: This open-source tool for fault injection attacks allows users to perform advanced triggering on USB packets.
- Eyeballer: A new open-source AI tool for the red team, which identifies websites with actionable leads for attackers. Eyeballer was launched by Bishop Fox and is designed to help pentesters determine what websites might be “interesting” to malicious actors quickly.
- MITMEngine: Cloudflare researchers Luke Valenta and Gabriele Fisher demoed their open-source HTTPS detection tool, known as MITMEngine, during an overview of HTTPS interception techniques.
A tool for HTTP desync attacks was also unveiled during a talk given by PortSwigger Web Security's James Kettle. Kettle showcased how to create desync attacks against HTTP requests, which can allow malicious actors to pass through request isolation and attack larger web infrastructure. To go along with the demonstration, he introduced an open source tool that helps red team and blue team professionals conduct and counter these kinds of attacks.
Dozens of tools were on display at Black Hat's Arsenal this year, and many were also featured during informative talks and demonstrations. But tools aren't the only thing getting people's attention this year in Vegas: Multiple critical vulnerabilities for major apps, devices and systems were exposed at Black Hat this year.
Putting the spotlight on security flaws
At Black Hat this week, Microsoft announced that it would be adding a premium to its Azure bug bounty – offering up to $300,000 to anyone who can hack their way into the company's public-cloud infrastructure service. While the top bug bounty for Azure is set at $40,000, a Microsoft spokesperson reports that the company has launched new, scenario-based challenges within Azure Security Lab. And if you're up for the challenge, you could earn a few hundred grand. But the lab isn't open to the public; you have to apply. The boost in bounty follows Microsoft's launch of the Azure Security Lab, a “customer-safe cloud environment” where security researchers can ruthlessly test Azure without doing any real damage.
The hunt for security flaws comes on the heels of patches for multiple critical vulnerabilities and massive updates. But Microsoft is not alone: Apple got taken to school during a presentation by Google security engineer Natalie Silvanovich. In her presentation, Silvanovich demonstrated how she exploited two vulnerabilities in the Apple iOS operating system.
Apple also revealed that they would be launching a bug bounty program of their own. Alongside handsome cash rewards of up to a reported $200,000, security researchers invited into Apple's bug bounty program will also receive jail-broken iPhones.
Researchers at Black Hat also demonstrated how known vulnerabilities in the popular app WhatsApp could still be exploited. A few different exploits were used to manipulate chats within the app, which could allow would-be attackers to change users' messages, make private conversations public and alter senders' identities. As the researchers noted, two of the attacks preyed upon vulnerabilities that were actually discovered a year ago – and still remain open.
Ruben Santamarta, principal security consultant at pen-testing biz IOActive, also revealed vulnerabilities in the software used aboard Boeing jetliner computer networks – and then demonstrated how an attacker could potentially hijack a plane by exploiting bugs in the code, which was on a public-facing server. During the talk, Santamarta said that while the vulnerabilities have been confirmed, how exploitable they are remains unknown. Apparently, Boeing would not let him test his theory on a real plane.
This year's Black Hat saw many critical vulnerabilities exposed, dozens of new products unveiled and lots of great information shared by some of the most knowledgeable professionals in the business.