Highlights from Black Hat Asia 2022

The island nation-state of Singapore straddles borders in multiple rhetorical realms. Consider the current COVID situation. In the US there are no social mitigations, no masks, not even on airplanes. But in China, some cities are completely locked down for months. Singapore is in the middle: no lockdown, and you can travel, but this year’s Black Hat Asia 2022 still features contact tracing and light mask theatre.

Also consider the virtual vs physical realms: the conference was originally going to exist only in the virtual world, but at the last minute added the in-person event for a hybrid experience. The resulting sparse physical attendance at least eradicated lines at the men’s room. But the most significant border-straddling was explained by the (ageless) Black Hat founder, Jeff Moss, in his Thursday keynote. 

Jeff Moss, making you think about the bigger picture

Mr Moss has been ruminating that world communities are sorting themselves into three camps: Team Rule-of-Law (characterized by democratic freethinkers), Team Authoritarian (the opposite), and Team Undecided in the middle. Among governments, the first group is best represented by the superpower of the West, the United States, with its messy public discourse featuring vocal interest groups of every stripe. The authoritarian governments are invested in controlling discourse, especially in the digital world, to work most efficiently toward a common purpose. Singapore, says Moss, must work to remain in the third, middle group, so that it can translate between the two realms.

But private communities and super-empowered individuals are sorting themselves in this way as well. MongoDB, for example, arbitrarily deleted the projects of all Russian users. The registrar Namecheap no longer accepts renewals on .ru domains, which could theoretically allow domain squatters to assume control and then use the domains for phishing, exacerbating the already grim global cybersecurity environment.

While the Black Hat keynotes cover big, broad topics that affect all of us as denizens of both the physical and digital worlds, the Black Hat briefings are the opposite: technical exposés of hacking techniques and vulnerabilities. Your friendly neighborhood industry analyst attests to the high quality of these briefings but also notes that many of these attacks have been seen before, leading him to tip his cap to Ecclesiastes 9. Consider:

Remote Memory Deduplication Attacks

This peppy talk, by Martin Schwarzl, Erik Kraft, Moritz Lipp and Daniel Gruss from Graz University of Technology, showed a straightforward timing oracle attack against internet servers where memory deduplication has been re-enabled in Windows and Linux. As one might expect, they showed how to counter the randomized page offsets by sending an overwhelming number of packets. They did find an interesting amplification tweak by combining Memcached and InnoDB, which could, in theory, help if requests are rate-limited.

Timing attacks appear with irritating regularity. But the researchers claim that this is the first proof of concept that can successfully be run remotely across the internet, without control of a device near the target.

As a former defender myself, I find fighting off timing attacks annoying; the only foolproof defense is removing the performance optimizations that make the attacks possible, thereby degrading non-theoretical user experience and real-time efficiency, all in the name of fending off a theoretical attack. To their credit, the researchers did recommend some mitigations that don’t go that far.

Autospear: Bypassing and Inspecting Web Application Firewalls

The foundational tool for defending an application against hacking attacks is the Web Application Firewall (WAF). WAFs have a difficult job, because they have to allow legitimate requests while trying to sniff out and block malicious ones. When an attacker can figure out how to sneak a malicious request through the WAF, this is called a WAF bypass, and the back-and-forth, cat-and-mouse game of detection and evasion has been going on for over a decade.

At Black Hat Asia, security researchers from Zhejiang University and the Chinese Academy of Sciences debuted a tool, Autospear, that builds upon many semi-automated WAF bypass tools from years past, toward a fully automated, learning and optimizing bypass generator. Their talk detailed the mechanics of their advances, and if you’re an appsec defender it’s worth a watch if you can find the video, just to see the level of sophistication that the WAF community is up against today.

The researchers tested Autospear against seven WAFs and found them all to be vulnerable to some degree: AWS, Cloudflare, F5, Wallarm, Fortinet, CSC and ModSecurity. Using the proper responsible disclosure channels, they alerted the WAF vendors to their results, and lauded the three (Cloudflare, F5 and Wallarm) who had already posted fixes.

If that’s the story of the battle, I can already tell you how this war ends. Sophisticated attackers with significant financial interests have already been bypassing WAFs for years, because they can make their requests indistinguishable from legitimate ones. The conflict then escalates to determining the “intent” of the request (in the context of millions of requests) rather than trying to nab a curiously formatted request. This is the realm of Bot Management, which has its own problems, its own solutions, and its own vendor community. IMHO, the bot management war is going to be the hardest problem in computer science for the next decade.

Like Lightning From the Cloud: Finding RCEs in an Embedded TLS Library and Toasting a Popular Cloud-connected UPS

NanoSSL is a popular lightweight TLS library used for networking and embedded devices. Armis researchers Yuval Sarel and Gal Levy found several vendors misusing the library (not checking all possible error returns). They weaponized these vulnerabilities into a collection they call #TLStorm and created some nifty PoC attacks against Aruba switches and a cloud-managed uninterruptible power supply (UPS). Their brilliant demo showed them using the TLS attack against a captive portal (elegant!) to completely take over the switch. From there they disabled VLAN ports to laterally attack the UPS on a hidden VLAN. They overloaded the device, causing it to literally melt down on stage. Being in the first row for the talk (my glasses had broken earlier that morning!), I briefly searched for an escape route, but the researchers stopped the demo before actual fire broke out.

With the TLStorm tool, is no hotel Wifi safe now? The very popular Aruba access points could become access points of a different kind, where anyone in the vicinity not just gets free wifi, but root as well.

While that is definitely worrying, this particular kind of attack itself is neither new nor novel. Several papers, including this historic ACM paper (“the most dangerous code in the world”) from a decade ago, have highlighted this software development challenge over the years. The TLStorm attack is another example of how prevalent these vulnerabilities are. You can bet that the big cyber nation states have hundreds of these vulns in their back pockets, just waiting for the right time to use them.
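The "not checking all possible error returns" pattern called out above is easy to illustrate in code. The following is an added example written for this recap; it is not code from the TLStorm research, Armis, or NanoSSL, and the `tls_read()` API, its error codes and the `fake_conn_t` stub are all constructed stand-ins for the sort of embedded TLS API the talk describes. It shows the vulnerable pattern (treating every return value as a byte count) beside the hardened one (classifying every possible return before using it):

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical embedded TLS read API, constructed for this example (it is not
 * NanoSSL's API). Convention: > 0 means that many bytes of decrypted,
 * authenticated plaintext; 0 means the peer sent close_notify; < 0 is an
 * error code. */
enum {
    TLS_OK              =  0,
    TLS_ERR_WOULD_BLOCK = -1,   /* transient: no complete record available yet */
    TLS_ERR_BAD_RECORD  = -2,   /* fatal: MAC or decryption failure */
    TLS_ERR_HANDSHAKE   = -3    /* fatal: handshake not completed */
};

/* Constructed stand-in for a connection object. */
typedef struct {
    const uint8_t *plaintext;     /* data the stub hands back on success */
    size_t         plaintext_len;
    int            forced_err;    /* if nonzero, tls_read returns this code */
} fake_conn_t;

static int tls_read(fake_conn_t *c, uint8_t *buf, size_t buflen) {
    if (c->forced_err != 0)
        return c->forced_err;
    size_t n = c->plaintext_len < buflen ? c->plaintext_len : buflen;
    if (n > 0)
        memcpy(buf, c->plaintext, n);
    return (int)n;
}

/* Vulnerable pattern: the return value is used as a byte count without first
 * checking whether it is an error code. A negative code cast to size_t turns
 * into an enormous length that would then flow into memcpy or a parser. The
 * length is returned rather than used here so the example runs safely. */
static size_t frame_len_unchecked(fake_conn_t *c) {
    uint8_t buf[64];
    int n = tls_read(c, buf, sizeof buf);
    return (size_t)n;             /* TLS_ERR_BAD_RECORD (-2) becomes SIZE_MAX - 1 */
}

/* Hardened pattern: every possible return is handled explicitly. Only n > 0 is
 * plaintext; a transient error is reported for retry; any other error is
 * propagated so the caller tears the session down. */
static int frame_len_checked(fake_conn_t *c, size_t *out_len) {
    uint8_t buf[64];
    int n = tls_read(c, buf, sizeof buf);
    *out_len = 0;
    if (n > 0) {
        *out_len = (size_t)n;
        return TLS_OK;
    }
    if (n == 0)
        return TLS_OK;            /* orderly close: caller sees zero bytes */
    if (n == TLS_ERR_WOULD_BLOCK)
        return TLS_ERR_WOULD_BLOCK;   /* caller retries later */
    return n;                     /* fatal code: caller must close the session */
}

/* Drivers that run each pattern against a constructed connection. A forced
 * error of 0 delivers the constructed request below; any other value makes
 * the stub return that error code. */
static fake_conn_t make_conn(int forced_err) {
    static const uint8_t req[] = "GET / HTTP/1.1\r\n";   /* constructed sample, 16 bytes */
    fake_conn_t c = { req, sizeof req - 1, forced_err };
    return c;
}

static size_t demo_unchecked(int forced_err) {
    fake_conn_t c = make_conn(forced_err);
    return frame_len_unchecked(&c);
}

static int demo_checked_rc(int forced_err) {
    fake_conn_t c = make_conn(forced_err);
    size_t len;
    return frame_len_checked(&c, &len);
}

static size_t demo_checked_len(int forced_err) {
    fake_conn_t c = make_conn(forced_err);
    size_t len;
    (void)frame_len_checked(&c, &len);
    return len;
}

int main(void) {
    printf("unchecked, good record: %zu bytes\n", demo_unchecked(0));
    printf("unchecked, bad record : %zu bytes (bogus length)\n",
           demo_unchecked(TLS_ERR_BAD_RECORD));
    printf("checked,   bad record : rc=%d len=%zu\n",
           demo_checked_rc(TLS_ERR_BAD_RECORD), demo_checked_len(TLS_ERR_BAD_RECORD));
    return 0;
}
```

The point of the side-by-side is that the two versions are identical on the happy path, which is why this class of bug survives functional testing; it only shows up when a peer deliberately sends a malformed record. Fuzzing the error paths of the TLS wrapper, and treating any negative return as non-data in code review, are the cheap places to catch it.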

The slides for all of the talks highlighted here should be available at the talk links buried in the text above and at the Black Hat Asia 2022 website.

Even though in-person attendance at Black Hat Asia 2022 was somewhat sparse, leading to a feeling of low energy, this analyst was really glad to attend and is looking forward to the next one, May 9-12, 2023, as it falls at the midpoint between the Black Hat briefings back in the States.

Thanks for the great summary! For those who "TLDR" the presentation, it's worth noting that some WAFs, including F5's, were not the F5 standalone or SaaS product but rather some of the rules running on the AWS WAF engine. As such the results may not be broadly applicable to their respective platforms.

Thank you for sharing valuable info!

Oscar Trelles

I empower conscious entrepreneurs to overcome their blocks and take their projects to the next level through systemic coaching | Global marketer, entrepreneur, coach, investor, consultant.

2y

Thanks for the recap, David!

Alexander Schellong

Member of the Executive Board (GL) MD Cybersecurity @ Schwarz Digits | Founder, Board Member, CYBERWOMEN

2y

Thanks for the recap very interesting

