BlackHat USA 2020: Deepfakes enter the phishing arena
Thanks to the SAP devX external conferences program, I had the opportunity to virtually attend the BlackHat USA conference. Together with DefCon, BlackHat is one of the most advanced and exciting conferences on offensive and defensive security that a security expert should attend.
As explained in my previous article about BlackHat Europe 2019, the conference offers three main tracks: Briefings (advanced hacking and research presentations), Arsenal (live demos of open source security tools) and Sponsored sessions (presentations made by security companies). I made my selection among these tracks according to my topics of interest (Social Engineering, Machine Learning Security, Threat Intelligence, Code scanning, vulnerability management, etc.), and here is a non-exhaustive list of interesting topics from my personal selection:
Cloning MLaaS commercial platforms
MLaaS (Machine Learning as a Service) platforms are cloud-based commercial services offering pre-trained machine learning models and prediction functionality, deployed on a powerful cloud computing infrastructure and accessible to any user through an API. The goal is to benefit from decent computing power hosted by a cloud provider, and also to use pre-trained models to make predictions directly on the data. For example, a photographer can use an image classifier to sort and tag his photos without building or training any ML model in advance. Big internet players provide such services; we can cite the usual suspects like Amazon Machine Learning services, Azure Machine Learning, Google Cloud AI, and IBM Watson. These models have a clear business value coveted by cybercriminals. Some researchers demonstrated how they can clone (or reproduce) these models using adversarial neural network models applied to the commercial cloud APIs. This opens the floor to the different model protection solutions already discussed in the research and academic world, but not yet implemented by the cloud industry. At SAP Security Research we are already working on concrete solutions to protect online machine learning models from cloning or reuse.
Exploiting publicly available media to produce deepfakes and use them for targeted spear phishing attacks
A very interesting session was dedicated to the recent trend of using deepfakes to build targeted spear phishing attacks, especially during the COVID crisis where all employees were/are meeting virtually. These kinds of attacks are currently used by cybercriminals to penetrate systems and ransom organizations. The presenter cited one recent case (without naming it) of a bank CEO who was deepfaked, with colleagues targeted to execute financial operations. During the presentation, the speaker used an available open source library and some publicly available videos to generate a deepfake Zoom meeting conversation with colleagues. Very impressive and super challenging for security professionals … it’s time to work on deepfake identification systems integrated into video conferencing platforms. Facebook seems to be working on such detection systems.
Conversational AI is also used to create bots on social media in order to influence users on some political topics. Some of these intelligent bots have been identified on Twitter spreading fake news and trying to convince real users. Intelligent bots can be used during elections as a smart extension to the Cambridge Analytica intrusion attack: instead of showing “static” ads to targeted users, bots can start discussions and influence them via messenger.
Code scanners for hardcoded secrets in source code hosting platforms
This is the most business-related topic for me, since at SAP we recently open sourced one of the most advanced GitHub scanners for hardcoded credentials, called Credential Digger. Hardcoded credentials publicly released on open source code hosting platforms (like GitHub, GitLab, BitBucket, etc.) are low-hanging fruit for attackers, who can exploit these clear text credentials to access and compromise systems. Very recently, medical data leaked on GitHub due to exposed hardcoded credentials. In one Arsenal session, Greg Johnson (Senior Security Engineer, Red Team at GitLab) made a live demo comparing the capabilities and functionality of two open source GitHub credential scanners: Gitrob and Token Hunter. Even if these tools still generate a lot of false positive hits (a problem addressed with Credential Digger), the APIs and the UI are quite advanced in terms of scanning automation and code patching management. Scanning for clear text credentials must be incorporated into all secure development processes, like any other highly critical vulnerability scanning task.
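To make the false positive problem concrete, here is an added example (not code from Gitrob, Token Hunter or Credential Digger) of a pattern-based scan followed by a simple triage step. The placeholder list, the entropy threshold and the sample file content are assumptions made for this illustration; the triage heuristic stands in for whatever filtering a real scanner applies.

```python
import math
import re
from collections import Counter

# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
db_password = "changeme"
api_key = "${API_KEY}"
aws_secret = "wJ7r9Qx2LmZ8vTq4Np6YbH3sKd5Fg1Ac0UeRiOoP"
token = os.environ["SERVICE_TOKEN"]
password = "Tr0ub4dor&3xKq9!vZ"
secret_example = "xxxxxxxxxxxxxxxxxxxxxxxx"
"""

# A quoted literal assigned to a name that looks credential-related.
ASSIGN = re.compile(
    r"""\b([\w-]*(?:password|passwd|secret|token|api_?key)[\w-]*)\s*[:=]\s*["']([^"']+)["']""",
    re.IGNORECASE,
)
PLACEHOLDERS = {"changeme", "password", "example", "test", "todo"}
MIN_ENTROPY = 3.5  # bits per character; assumed threshold for this example


def shannon_entropy(value: str) -> float:
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def classify(value: str) -> str:
    """Return 'report', or the reason the hit is treated as a false positive."""
    if value.lower() in PLACEHOLDERS:
        return "placeholder"
    if value.startswith(("${", "{{", "<")):
        return "template-reference"
    if shannon_entropy(value) < MIN_ENTROPY:
        return "low-entropy"
    return "report"


def scan(text: str):
    """Return (line_number, variable_name, verdict) for every raw pattern hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGN.finditer(line):
            hits.append((lineno, m.group(1), classify(m.group(2))))
    return hits
```

On the sample, the pattern alone produces five hits, and triage leaves two of them to report; the environment-variable lookup on line 4 never matches because no literal is assigned.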
Hacking TikTok Accounts …
BlackHat conferences are usually good events to see funny hacks exploiting basic vulnerabilities. CheckPoint demonstrated how a basic vulnerability related to a badly written regular expression in the TikTok Android app can let attackers redirect the app update URL to malicious domains containing a forged version of the application, which enables access to the account of any user targeted by this attack. The attack starts with a phishing SMS asking the user to update the app.
At BlackHat USA 2020 we feel a real concern about the US elections in November. Many presentations tackle security issues related to the election process: from the campaign (social media influence) to the voting machines (technical vulnerabilities). Advanced attacks based on machine learning are now mastered by cybercriminals, who have started exploiting them to target companies and governmental organisations.
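The class of bug described above, shown as an added example that is not the TikTok app's code or CheckPoint's material: a loose regular expression used to decide whether an update URL is trusted, next to a check that parses the URL and compares the exact host against an allowlist. The pattern, the host names (all reserved example domains) and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Hypothetical loose check: unanchored, and "." matches any character.
LOOSE = re.compile(r"https?://.*vendor.example")

ALLOWED_HOSTS = {"updates.vendor.example"}  # assumed allowlist for this example


def loose_is_trusted(url: str) -> bool:
    return LOOSE.search(url) is not None


def strict_is_trusted(url: str) -> bool:
    """Parse first, then require https, no userinfo, and an exact allowlisted host."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    if port not in (None, 443):
        return False
    return parts.hostname in ALLOWED_HOSTS


# Constructed URLs covering the ways a substring-style match goes wrong.
CASES = [
    "https://updates.vendor.example/app.apk",                   # legitimate
    "https://updates.vendor.example.attacker.example/app.apk",  # trusted name as prefix
    "https://attacker.example/?next=vendor.example",            # trusted name in query
    "https://updates.vendor.example@attacker.example/app.apk",  # trusted name as userinfo
    "http://updates.vendor.example/app.apk",                    # cleartext scheme
    "https://vendorXexample.attacker.example/app.apk",          # unescaped dot
]


def compare():
    """Return (url, loose_verdict, strict_verdict) for each constructed case."""
    return [(u, loose_is_trusted(u), strict_is_trusted(u)) for u in CASES]
```

The loose pattern accepts all six URLs, while the parsed check accepts only the first.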