Blog
Sep 6, 2024
Top 5 Best Talks from Black Hat USA 2024
The OffSec team was at the Black Hat USA 2024 conference and we are excited to share our top 5 favorite talks.
5 min read
Black Hat is one of the most renowned cybersecurity conferences, attracting top researchers, security experts, and industry professionals for over 25 years. With a focus on uncovering the latest threats, vulnerabilities, and innovations in the field, Black Hat has become a global hub for cutting-edge research and knowledge sharing. The event is held in multiple locations, including the United States, Europe, and Asia, bringing together experts worldwide. The OffSec team was excited to be part of the 2024 conference in Las Vegas, meeting with the community and exchanging insights on the latest developments in cybersecurity.
We truly enjoyed our experience so we’ve prepared a list of our favorite talks at Black Hat USA 2024.
At Black Hat USA 2024, the talk “Becoming Cybersecurity Bilingual: Effective Communication for Hackers”, by John Dwyer, Director of Security Research at Binary Defense, centered around the communication breakdowns that have led to major ransomware incidents. Dwyer emphasized that many disasters could have been avoided if cybersecurity professionals had better conveyed security risks to business leaders in terms they understood. The talk outlined strategic approaches to building stronger connections between cybersecurity and business operations by adopting a “bilingual” approach to communication, allowing organizations to prioritize and invest in cybersecurity based on empirical financial impacts, ultimately aligning detection and response strategies with broader business goals.
This focus on fostering collaboration between security and business teams emphasized how cohesive efforts can strengthen organizational resilience and preparedness in an evolving threat landscape. By communicating the financial implications of cyber threats more effectively, security teams can help ensure better resource allocation and informed decision-making at the executive level. Dwyer advocated for a holistic cybersecurity approach that transcends technical proficiency and integrates seamlessly with business objectives, which is crucial for navigating today’s complex digital environment.
The “Bytecode Jiu-Jitsu: Choking Interpreters to Force Execution of Malicious Bytecode” session introduced a novel code injection technique that avoids detection by security tools. The presenters, Toshinori Usui, Research Scientist, Yuto Otsuki, Senior Researcher, Ryo Kubota, Researcher, Yuhei Kawakoya, Distinguished Researcher, and Makoto Iwamura, Distinguished Researcher at NTT Security Holdings Corporation, and Kanta Matsuura, Professor at Institute of Industrial Science, The University of Tokyo, explained how traditional code injection relies on suspicious APIs that are easily monitored, but their method bypasses this by injecting malicious bytecode directly into the memory of interpreter processes. The technique dynamically replaces benign bytecode in memory, making it difficult to detect since no suspicious system calls are involved. They also showcased an automated analysis method for reverse-engineering interpreter binaries, allowing the injection to work on a wide range of interpreters, even proprietary ones.
The speakers demonstrated that their attack can evade detection by more than 80% of antivirus products and advanced forensics tools. Their method also disrupts behavioral analysis by EDRs and malware sandboxes, making it a formidable challenge for security analysts. As a major takeaway, they announced the release of their tool, allowing red teamers and researchers to use this approach for further research and evaluation, ensuring the audience walked away with a clear understanding of how the attack works and its implications for real-world security environments.
The talk “Flipping Bits: Your Credentials Are Certainly Mine” by Fredrik Alexandersson, better known for his hacker handle STÖK, explored the fascinating concept of bit-flip attacks, where minor changes in a domain name’s binary representation (such as flipping a bit in “google.com” to get domains like “coogle.com” or “woogle.com”) can lead to significant vulnerabilities. STÖK demonstrated how registering bit-flipped domains could inadvertently collect legitimate credentials, OAuth tokens, and sensitive data. The session introduced a tool called ‘Certainly,’ designed to passively harvest credentials and deploy payloads via bitflip-typosquatting domains, making it a powerful offensive and defensive tool.
In addition to revisiting previous bitflip research, STÖK showcased how ‘Certainly’ can be used for red-team engagements by intercepting incoming requests, using Wildcard DNS, and generating SSL certificates on the fly to capture credentials. He also discussed how the tool exploits these vulnerabilities while bypassing modern security protections. Importantly, the talk provided insights into the frequency and impact of bit-flip attacks on cloud infrastructure and web technology, as well as practical mitigations to defend against these non-human-generated attacks.
OVPNX: 4 Zero-Days Leading to RCE, LPE and KCE (via BYOVD) Affecting Millions of OpenVPN Endpoints Across the Globe
The talk titled “OVPNX: Zero-Days Leading to RCE, LPE, and KCE via BYOVD Affecting Millions of OpenVPN Endpoints Across the Globe” by Vladimir Tokarev, Senior Security Researcher at Microsoft, revealed the discovery of four zero-day vulnerabilities in OpenVPN, affecting millions of devices worldwide across various platforms, including Windows, macOS, and Android. The session dove into the technical research that led to uncovering these logical vulnerabilities within OpenVPN’s complex multi-process system. Attendees were shown a detailed attack chain, from remote code execution through privilege escalation, culminating in kernel code execution via BYOVD (bring your own vulnerable driver). The presentation also covered mitigation strategies to defend against these critical vulnerabilities.
The talk “AI Safety and You: Perspectives on Evolving Risks and Impacts”, by Nathan Hamiel, Senior Director of Research at Kudelski Security, Amanda Minnich, Senior Red Team TL at Microsoft, Nikki Pope, Senior Director, AI and Legal Ethics at NVIDIA, and Mikel Rodriguez, Research Scientist at Google Deepmind, addressed the growing urgency of AI safety as AI technologies become more embedded in critical systems. The speaker emphasized that AI safety is not just an existential risk concern but a practical issue for organizations deploying AI. They discussed the potential harms AI deployments can cause if safety isn’t prioritized, stressing the responsibility of companies to ensure secure and ethical AI usage. The talk also explored how AI safety and security intersect and what security professionals can do to mitigate these risks.
Black Hat USA 2024 delivered a range of standout presentations that showcased the latest research, vulnerabilities, and innovations in the cybersecurity world. From mastering the art of communication between technical and business teams, to exploiting overlooked hardware vulnerabilities, and addressing AI’s growing influence in cybersecurity, the talks offered invaluable insights. The OffSec team was not only thrilled to attend but also inspired by the diverse topics covered, which reinforced the importance of staying ahead in an ever-evolving threat landscape.
Cybersecurity leader resources
Sign up for the Secure Leader and get the latest info on industry trends, resources and best practices for security leaders every other week
Latest from OffSec
Enterprise Security
Red Team vs Blue Team in Cybersecurity
Learn what a red team and blue team in cybersecurity are, pros and cons of both, as well as how they work together.
Dec 13, 2024
13 min read
Enterprise Security
Building a Future-Ready Cybersecurity Workforce: The OffSec Approach to Talent Development
Learn all about our recent webinar “Building a Future-Ready Cyber Workforce: The OffSec Approach to Talent Development”.
Dec 13, 2024
4 min read
Enterprise Security
How to Become the Company Top Cyber Talent Wants to Join
Become the company cybersecurity talent wants to join. Learn how to attract, assess, and retain experts with strategies that set you apart.
Dec 4, 2024
5 min read