Black Hat USA: Supply Chain Security Remains a Key Puzzle That’s Tough to Crack

essidsolutions

Black Hat USA, the top cybersecurity conference that attracts experts, inventors, and researchers worldwide, kicked off on July 31. It’s worth mentioning, though, that this year’s megaconference takes place under the shadow of an increasingly weaponized cyber threat environment. The systematic targeting of vulnerable supply chains, the emergence of ransomware as a service, and cyberespionage campaigns have exposed the soft underbelly of the corporate sector even as it embraces digital transformation. Here’s an inside peek into how Black Hat USA 2021 reflects the changing cybersecurity paradigm.

Black Hat USA is turning out to be as much fun as it promised. It features the who’s who from the world of cybersecurity, with keynotes delivered by Matt Tait, the chief operating officer at virtualization tsar Corellium, Alejandro Mayorkas, Secretary, Department of Homeland Security, and Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA). Expect plenty of insights on government response to cybersecurity threats and bringing nation-state actors to justice.

Learn More: 5 Key Takeaways From Black Hat 2020

The Keynote Factor: Supply Chain Vulnerabilities

In his keynote address, Tait will address the new sore point the industry is struggling to manage- supply chain security. An attack on a popular service provider can have a cascading impact on every organization that uses its tools, demonstrating why ENISA says 66% of today’s attacks focus on exploiting the supplier’s code.

The explosion of third-party dependencies, the sheer scale and depth of the modern software stack, and the need for more diverse sets of privileged programs to manage infrastructure has complicated supply chain security, and 2020 added rocket fuel to that fire, said Black Hat. In his address, Tait will talk about the key risks to supply chain integrity, factors that prevent organizations from addressing them, the issues the industry is not paying attention to, what the future holds, and will we ever achieve total supply chain security.

Black Hat says Easterly will call upon the hacker community (the good ones, that is) to work with the government and the private sector to unearth cyber threats before they are discovered and brutally exploited by malicious hackers. She will stress upon the cybersecurity community to focus on transparency, information sharing, and developing partnerships as only a unified effort can secure the nation from cyber threats.

Mayorkas, who is just a few months into his role as the DHS Secretary but served as the Deputy Secretary between 2013 and 2016, is also expected to speak at length about the need for a unified approach to cybersecurity to prevent the recurrence of disruptive cyber incidents, such as the one involving Colonial Pipeline. Black Hat saysOpens a new window he played a significant role in negotiating cybersecurity and homeland security agreements with foreign governments during his previous tenure. It’ll be interesting to see if Mayorkas will shed light on the recent international agreements that led to the demise of the DarkSide and REvil ransomware gangs.

Learn More: Kaseya Attack: How Your Supply Chain Partner Can Undermine Your Cybersecurity

Are DNS as a Service Products Secure Enough?

Not exactly, said Wiz.io’s co-founder and CTO Ami Luttwak and Head of Research Shir Tamari. In a talk delivered on August 4 at Black hat USA, they said Wiz.io discovered a novel class of DNS vulnerabilities affecting multiple DNS-as-a-Service (DNSaaS) providers. Exploiting these vulnerabilities enables malicious actors to exfiltrate sensitive information from service customers’ corporate networks, including internal and external IP addresses, computer names, and sometimes NTLM / Kerberos tickets.    

Malicious actors have successfully exploited DNS vulnerabilities on three major cloud providers, including AWS Route 53. “The root cause of the problem is the non-standard implementation of DNS resolvers that, when coupled with specific unintended edge cases on the DNS service provider’s side, cause major information leakage from internal corporate networks,” the researchers said.

They also highlighted the real impact of successful exploitation by hackers. “If an organization’s DNS Updates are leaked to a malicious 3rd party, they reveal sensitive network information that can be used to map the organization and make operational goals. Internal IP addresses reveal the network segments of the organization; computer names hint at the potential content they may hold; external IP addresses expose geographical locations and the organization’s sites throughout the world; and internal IPv6 addresses are sometimes accessible from the outside and allow an entry point into the organization,” they added.

Critical Flaws Threatening the Healthcare Industry

Security researchers Ben Seri and Barak Hadad from Armis detailed as many as nine critical security vulnerabilities in the pneumatic tube system (PTS), a critical infrastructure system used widely in the healthcare industry for delivering medications and blood products and lab samples. “Modern PTS systems are IP-connected, and offer advanced features, such as secure transfers (using RFID and/or password-protected carriers), slow transfers (for carriers containing sensitive cargo), and remote system monitoring — that enables the on-prem PTS system to be monitored and controlled through the Cloud,” they said.

“Despite the prevalence of these systems, and the reliance of hospitals on their availability to deliver care, the security of these systems has not been thoroughly analyzed to date,” they said. The nine vulnerabilities uncovered in the PTC cloud enable attackers to “take over PTS stations and essentially gain full control over the PTS network of a target hospital.”

“This type of control could enable sophisticated and worrisome ransomware attacks that can range from denial-of-service of this critical infrastructure, to full-blown man-in-the-middle attacks that can alter the paths of this networks’ packages, resulting in deliberate sabotage of the workings of the hospital.”

For a detailed description of the nine security vulnerabilities, read Armis’ reportOpens a new window that also talks about the remedial measures healthcare organizations can take to preempt their exploitation.

Learn More: 6 Biggest Healthcare Data Breaches of 2020

Vulnerabilities in OPC Unified Architecture (OPC-UA) 

Yet another major surprise at Black Hat USA was the revelation of vulnerabilities in OPC Unified Architecture (OPC-UA), an IIoT superstar emerging as one of the leading architectures for industrial communication and industry 4.0 transformation. Security researchers at Otorio discovered as many as nine zero-day vulnerabilities within the OPC Foundation stack and multiple SDKs.

According to the ARC Advisory Group, OPC Unified Architecture (OPC-UA) is arguably the most extensive ecosystem for secured industrial interoperability. ARC says that OPC-UA will potentially change the industry structure of process automation, e.g. Ethernet Advanced Physical Layer (Ethernet APL), NAMUR Open Architecture, and the Open Process Automation Forum (OPAF).   

“OPC UA is highly extensible via its Information Modeling (IM) capabilities. This makes OPC UA an excellent fit for use by automation vendors and other standards organizations wishing to express and share semantic data seamlessly across all verticals. Forward-looking companies should make OPC UA a crucial part of their long-term strategies today because the changes this technology brings will become a necessity faster than most people anticipate,” ARC saidOpens a new window .

According to researchers at Otorio, “the potential of the OPC-UA protocol as an enabler for cyberattacks is tremendous.” 

“During our analysis of the communication stacks, we noticed an interesting tree of software supply chain branches. At the end of these branches were products using stack implementations made by a line of vendors, modifying and extending the original (now legacy) implementation. How secure is a protocol after a chain of vendors have made customizations on top of legacy implementation, based on an evolving specification? Spoiler alert – not very.

“Using what we learned from the attack surface analysis, we had a few ideas for weak spots where different implementations might fail. Targeting the leading nodes in the tree revealed 9 zero-day vulnerabilities within the OPC Foundation stack and multiple SDKs, affecting a variety of industrial products at the end of the chain,” said Eran Jacob, Security Research Team Lead at Otorio. Jacob will present the firm’s findings at 1:30 PM PT on August 5. 

Other Major Announcements at Black Hat USA 2021

While the afore-stated announcements highlight the importance of conferences like Black Hat and DEF CON for the cybersecurity community and the industry as a whole, the conference also brings to light cybersecurity issues that most organizations tend to ignore. For instance, SecuRing and Offensive Security made their audience count more than twenty ways one could bypass the Transparency, Consent, and Control (TCC) framework in macOS. TCC was introduced in the first place by Apple to restrict applications’ access to sensitive user data such as documents, cameras, microphones, and emails.

In the conference, researchers at TU Darmstadt, SEEMOO, also talk about how a user can modify firmware interaction in Apple’s U1 chip. The U1 chip that powers iPhone 11 is also known as an Ultra-Wideband (UWB) chip and ensures cryptographically secured communications within the Apple ecosystem. Stan Skowronek, the co-founder and Chief Architect of Corellium, will also talk about the findings he arrived at after reverse-engineering the M1 chip that powers Mac devices like the MacBook Air, MacBook Pro 13-inch, and MacBook Pro 16-inch.

What were your main takeaways from this year’s Black Hat USA conference?  Comment below or tell us on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!