August 17, 2023
A litany of vulnerabilities steps into the spotlight during hacker summer camp, the cluster of cybersecurity conferences that includes Black Hat. Each new threat discovered brings a question of risk: how vulnerable is your organization, and what can you do to mitigate that risk? Some threats are relevant to a smaller audience; others concern nearly all CIOs and CISOs. Some are quickly fixed, while others demand deeper investigation and remediation.
While each organization’s tech stack, industry, and security posture will determine which threats loom largest, here are four big vulnerabilities discussed at Black Hat 2023 to consider.
1. AI vulnerabilities
Unsurprisingly, AI was a hot topic during Black Hat 2023. Jeff Moss, Black Hat and DEF CON founder, opened the conference with a keynote on the risks and opportunities that come with AI.
The intersection of cloud security and AI vulnerability concerns arose during Black Hat. Cybersecurity company Trend Micro presented a session on vulnerabilities discovered in Azure ML, Microsoft’s machine learning as a service (MLaaS) platform. Researchers discovered vulnerabilities that could “result in information disclosures of credentials and exposed APIs that could leak service logs,” Nitesh Surana, a senior threat researcher at Trend Micro, shares in an email interview.
Surana tells InformationWeek that vulnerabilities in Azure ML indicate the possibility of security concerns in other MLaaS platforms. “The underlying issues related to insecure logging and storage of sensitive information, sensitive information disclosure, and potential persistence mechanisms could potentially extend to other cloud-based MLaaS platforms as well,” he explains.
The bugs Trend Micro presented at Black Hat have been fixed, according to Surana. But he sees more room for transparency from cloud service providers (CSP) around security issues. “CISOs/CIOs need clear information to continuously assess their risk,” he says. “A CSP may not think there is an action for their customers, but in many cases, there might be one. A consumer can take actions like having their keys rotated or logs cleared up to avoid tokens from lurking around in the logs.”
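Surana’s advice to rotate keys and clear logs presupposes knowing that tokens are in the logs in the first place. The following added example, written for this article and not code from Trend Micro or Microsoft, scans constructed log lines for the shapes of common Azure credential material (JWTs, SAS signatures, storage account keys, generic bearer tokens) and redacts what it finds. The patterns and sample lines are assumptions for illustration, not taken from the Azure ML findings.

```python
"""Scan service logs for credential material that should never have been written.

Added example, not code from Trend Micro or Microsoft. The log lines below are
constructed; the patterns cover common Azure-style secret shapes (JWTs, storage
SAS signatures, storage account keys) plus generic bearer tokens.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Patterns are loose on surrounding context and strict on token shape so they
# keep working when the log format around them changes. Most specific first:
# a later, broader pattern is skipped where it overlaps an earlier finding.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    # Three base64url segments separated by dots; Azure AD JWTs start with "eyJ"
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    # Shared Access Signature: sig= carries the URL-encoded HMAC
    "sas_signature": re.compile(r"(?i)\bsig=([A-Za-z0-9%+/=]{20,})"),
    # Storage connection string: 88-char base64 key ending in "=="
    "storage_account_key": re.compile(r"(?i)AccountKey=([A-Za-z0-9+/]{86}==)"),
    # Any other bearer token echoed from an Authorization header
    "bearer": re.compile(r"(?i)\bBearer\s+([A-Za-z0-9._~+/-]{20,}=*)"),
}

# Constructed sample log, e.g. a job runner that echoes its environment and
# HTTP traffic at DEBUG level.
SAMPLE_LOG: List[str] = [
    "2023-08-10T12:00:01Z INFO run-7 env AZURE_STORAGE_CONNECTION_STRING="
    "DefaultEndpointsProtocol=https;AccountName=exmpl;AccountKey="
    + "A" * 86 + "==;EndpointSuffix=core.windows.net",
    "2023-08-10T12:00:02Z DEBUG http GET https://exmpl.blob.core.windows.net/data/"
    "model.pkl?sv=2021-08-06&sig=abc%2Fdef123456789ABCDEFGHIJ%3D",
    "2023-08-10T12:00:03Z DEBUG auth header Authorization: Bearer "
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhcGkifQ.c2lnbmF0dXJlX3BsYWNlaG9sZGVy",
    "2023-08-10T12:00:04Z INFO run-7 finished in 12.4s",
]


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, secret) pairs found in one log line, without double-reporting
    a token that matches both a specific and a generic pattern."""
    found: List[Tuple[str, str]] = []
    taken: List[Tuple[int, int]] = []
    for kind, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(line):
            start, end = m.span(1) if pat.groups else m.span(0)
            if any(start < e and s < end for s, e in taken):
                continue  # already reported under a more specific kind
            taken.append((start, end))
            found.append((kind, line[start:end]))
    return found


def redact_line(line: str) -> str:
    """Replace each detected secret with a marker that still names its kind."""
    out = line
    for kind, secret in scan_line(line):
        out = out.replace(secret, f"<redacted:{kind}>")
    return out


def scan_log(lines: Iterable[str]) -> Dict[str, int]:
    """Count findings per kind across a whole log; non-zero means rotate keys."""
    counts: Dict[str, int] = {}
    for line in lines:
        for kind, _ in scan_line(line):
            counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Any non-zero count is a signal to rotate the affected credential, not just to delete the line: once a key has been written to a log store it must be assumed copied.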
Additionally, Mike Kiser, director of strategy and standards at identity management software company SailPoint, emphasizes the potential attack surface of large language models (LLMs), in emailed comments. “The hype cycle for this technology is still near its peak, and the idea that these systems can be compromised through careful construction of prompts rather than a highly technical approach that relies on multiple points of failure only underscores how utilizing these systems without guardrails is potentially a Chekhov’s gun for security practitioners -- a key decision that is waiting for the negative ramifications to reveal themselves in the final act,” he says.
2. Azure AD misconfigurations
Cloud platform vulnerabilities were a big theme during Black Hat 2023. One session focused on an Azure Active Directory (AD) misconfiguration in multi-tenant applications that resulted in unauthorized access: applications that accepted any valid Azure AD token without checking which tenant issued it could be signed into by users from tenants they were never meant to serve. The research team at cloud security platform Wiz first discovered the attack vector in March and detailed its findings in a blog post.
Wiz Research found that the misconfiguration affected Microsoft’s own applications, including the content management system that powers Bing.com. The researchers found that the vulnerability allowed them to alter search results and execute cross-site scripting (XSS) attacks on Bing users, according to the Wiz blog post.
Microsoft addressed the authorization misconfiguration and released security guidelines for its customers with multi-tenant applications.
Wiz researchers conducted a scan for applications at risk of this authentication bypass and found that 25% of the multi-tenant apps they examined were vulnerable, according to the Wiz blog post.
Chris Eng, chief research officer at application security company Veracode, points out in an email interview that Azure AD is commonly used in enterprises. “Small misconfigurations in cloud infrastructure can leave applications vulnerable to attack in numerous ways, such as the authentication/authorization mismatches described during a Black Hat session,” he says.
Organizations whose applications authenticate users through Azure AD may have already taken action following the initial release of the research in March. Any that haven’t will need to determine the potential scope of the risk.
“This can be a massive project depending on the org's exposure/scale for Azure AD-connected apps,” says Alex Delamotte, threat researcher at SentinelLabs, the threat intelligence team of cybersecurity company SentinelOne, in an email interview. “Create an investigation and remediation plan that involves your org’s infrastructure, application, and cloud teams, as well as managed service providers (MSPs) and contractors if applicable. Work with DevOps and DevSecOps to ensure future applications have the right permission types.”
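The gap Eng describes between authentication and authorization is concrete enough to show in code. The following added example, written for this article and not code from Wiz, Microsoft or any of the applications they studied, places the weak check beside a tenant-scoped one. It assumes Azure AD v2.0 tokens whose signature, expiry and audience have already been verified by a JWT library or MSAL, and operates on the decoded claims; all tenant IDs, client IDs and claim sets are constructed.

```python
"""Tenant check for a multi-tenant Azure AD (Entra ID) application.

Added example; not code from Wiz, Microsoft or the applications they studied.
It assumes the token's signature, expiry and audience have already been
verified by a JWT library or MSAL, and works on the decoded claims only.
All tenant IDs, client IDs and claim sets below are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Mapping


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed identifiers for the example
HOME_TENANT = "11111111-1111-1111-1111-111111111111"      # the app owner's tenant
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"  # any other Azure AD tenant
CLIENT_ID = "33333333-3333-3333-3333-333333333333"        # the app registration
ALLOWED_TENANTS: FrozenSet[str] = frozenset({HOME_TENANT})


def v2_issuer(tid: str) -> str:
    """Issuer string Azure AD places in v2.0 tokens for a given tenant."""
    return f"https://login.microsoftonline.com/{tid}/v2.0"


# Constructed claim sets, as a JWT library returns them after verification.
HOME_TOKEN_CLAIMS: Mapping[str, str] = {
    "aud": CLIENT_ID, "tid": HOME_TENANT, "iss": v2_issuer(HOME_TENANT),
    "oid": "aaaaaaaa-0000-0000-0000-000000000001",
}
# A user in an unrelated tenant obtains this token simply by signing in to the
# multi-tenant app: the signature is genuine and the audience is correct.
ATTACKER_TOKEN_CLAIMS: Mapping[str, str] = {
    "aud": CLIENT_ID, "tid": ATTACKER_TENANT, "iss": v2_issuer(ATTACKER_TENANT),
    "oid": "bbbbbbbb-0000-0000-0000-000000000002",
}


def weak_accepts(claims: Mapping[str, str], client_id: str) -> Decision:
    """The misconfiguration pattern: authenticate (is this a real Azure AD token
    for my app?) without authorizing (did it come from a tenant I trust?)."""
    if claims.get("aud") != client_id:
        return Decision(False, "audience mismatch")
    return Decision(True, "valid Azure AD token for this app")


def tenant_scoped_accepts(claims: Mapping[str, str], client_id: str,
                          allowed_tenants: FrozenSet[str]) -> Decision:
    """Hardened check: the tenant must be on an explicit allowlist, and the
    issuer must agree with the tid claim so the two cannot be mixed."""
    if claims.get("aud") != client_id:
        return Decision(False, "audience mismatch")
    tid = claims.get("tid")
    if not tid:
        return Decision(False, "token carries no tid claim")
    if tid not in allowed_tenants:
        return Decision(False, f"tenant {tid} is not permitted to use this app")
    if claims.get("iss") != v2_issuer(tid):
        return Decision(False, "issuer does not match the tid claim")
    return Decision(True, f"tenant {tid} is permitted")


if __name__ == "__main__":
    for label, claims in (("home user", HOME_TOKEN_CLAIMS),
                          ("other tenant", ATTACKER_TOKEN_CLAIMS)):
        print(f"{label:13} weak={weak_accepts(claims, CLIENT_ID).allowed} "
              f"scoped={tenant_scoped_accepts(claims, CLIENT_ID, ALLOWED_TENANTS).allowed}")
```

Single-tenant registrations avoid the problem by construction, because Azure AD will not issue the token at all; the allowlist check matters for apps that genuinely need several tenants and therefore must decide for themselves which ones.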
3. SAP P4/RMI vulnerabilities
Researchers from cybersecurity and compliance solutions company Onapsis gave a presentation on SAP P4/RMI software security issues that could be exploited to gain remote access in SAP enterprise software. The researchers discussed how threat actors could chain seemingly non-critical vulnerabilities to increase the impact of an attack.
“In most cases, the likely risk is going to be somewhat limited to attackers who already have access to a target network using SAP P4 to move laterally, escalate privileges, etc., because these products typically are not directly reachable from the Internet,” explains Oleg Kolesnikov, vice president of threat research at security analytics and operations management company Securonix, in emailed comments. “Some of the key attack scenarios related to these might include internal RCE, SQL injection, and leaked password data. So, CIOs and CISOs should definitely take these seriously.”
4. Downfall bug
Daniel Moghimi, a senior research scientist at Google, gave a presentation on a vulnerability in Intel CPUs dubbed “Downfall.” The flaw, which affects several generations of Intel processors and so potentially billions of devices, lets code running on a core read data, such as encryption keys, that belongs to other processes or virtual machines sharing it. Intel has released a microcode mitigation, but fully removing the underlying speculative-execution weakness will require redesigned CPUs.
“The Downfall bug gives bad actors the chance to exploit software weaknesses on Intel processors, with just one instruction,” Richard Vibert, co-founder and CEO of Metomic, a data loss prevention software company, tells InformationWeek via email. “It’s a worrying time for people who are using these devices, as they’ll now need to find ways of securing their data, with the added pressure of knowing how vulnerable they have become.”
Thus far, Downfall is still lurking in the theoretical attack space, according to Delamotte. But the potential for exploitation is definitely there.
“CPU vulnerabilities like Downfall (and previously Spectre, Meltdown, etc.) are impactful and exciting from a technical standpoint but do require a certain amount of prior access to the system in order to exploit,” Eng notes.
“CISOs should ensure that all applications deployed in cloud infrastructure, regardless of the provider, are checked thoroughly against security best practices throughout the development lifecycle. But it’s ultimately going to be the responsibility of the cloud providers, not enterprise CISOs, to apply Intel’s patches to the affected CPUs,” Eng adds.
CIOs and CISOs have a lot on their plates. New threats are always coming to light, making the attack surface a broad and noisy place.
Industry resources can help CIOs and CISOs determine which threats are making a splash simply because they are interesting, and which merit more attention. “For example, the CISA Known Exploited Vulnerabilities Catalog is the first step in understanding if a vulnerability is risky, as that tells you if the vulnerability is known to be exploited,” says Travis Smith, vice president, threat research unit at cloud-based IT, security, and compliance solutions company Qualys, in an email interview.
Keeping up to date on the latest threats is important, but cybersecurity leaders cannot forget about the basics. “Organizations are compromised every day through devices that are targeted by attacks against vulnerabilities that have had patches available for months or even years,” says Shawn Surber, senior director of technical account management at Tanium, a converged endpoint management company, in an email interview.
CIOs and CISOs can prevent their organizations from becoming one of those by securing their environments. Have all devices in your network been identified? Have all available patches been applied? Have you isolated the devices that cannot be patched?
“CIOs and CISOs need to stop focusing on the threat of the week and get back to the fundamentals of securing their networks,” Surber says.