UPDATED 01:28 EDT / AUGUST 08 2021


At Black Hat, mobile and open source emerge as key cybersecurity dangers

Mobile platforms and open-source software emerged as key cybersecurity issues at the annual Black Hat USA conference this week, judging from briefings delivered to onsite attendees and streamed to virtual participants by security researchers from around the globe.

In his opening keynote remarks, Black Hat founder Jeff Moss summed up the general feeling in the cybersecurity community, which has weathered an explosion of ransomware attacks, a major supply chain compromise and the maturing of Russian, Chinese, North Korean and Iranian state-backed hacking operations.

“We’re just recognizing that we’re getting punched in the face and we’re trying to figure out what to do about it,” Moss said. “It’s been a really stressful couple of years.”

Here are five key takeaways from a week of Black Hat presentations:

1. The mobile platform is the next frontier for malicious actors

There is mounting evidence that threat actors are turning their considerable resources to exploiting vulnerabilities in mobile platforms. With an estimated 6 billion smartphone subscriptions around the globe, they’re just too attractive an opportunity to pass up.

The attacks on mobile coincide with an increase in zero-day exploits: attacks on vulnerabilities that are unknown to the vendor and the security community, and therefore unpatched, at the time they are used.

The zero-day exploit market follows supply and demand. Last year, the exploit broker Zerodium announced a pause in acquiring Apple iOS exploits because of a glut of submissions. An iPhone zero-day allowed attackers to compromise the mobile devices of 36 international journalists last summer.

Research presented by keynote speaker Matt Tait, chief operating officer of Corellium LLC and a former analyst at GCHQ, the U.K.’s counterpart to the U.S. National Security Agency, showed how significant this problem is becoming.

“The amount of zero-day exploitation against mobile phone devices is being exploited dramatically,” Tait told conference participants. “We’re only getting a tiny glimpse of what actually may be happening out in the world.”

Part of the problem is that the design of some mobile applications has created its own set of issues. Natalie Silvanovich, a security researcher with Google Project Zero, described an analysis of the call-setup logic in mobile messaging apps that uncovered bugs letting a caller turn on the other user’s camera or microphone before the call was answered, without that user’s consent.

She found such bugs in Group FaceTime, Signal, Facebook Messenger, JioChat and Mocha, all of which have been reported and fixed.

“The ability to turn on someone’s camera and take a few photos without the user’s consent is fairly concerning,” said Silvanovich.

2. The open-source community needs to focus on security, and fast

Nothing in the open-source model guarantees secure code. When millions of contributors around the world produce a freely usable body of important software, maintained by an ever-changing roster of volunteers, security can easily fall through the cracks.

The problem is that threat actors know this as well and they are cashing in. The Equifax breach of 2017, which exposed the personal information of 147 million people, was attributed to exploitation of a known but unpatched vulnerability (CVE-2017-5638) in Apache Struts, an open-source web framework.

The threat landscape extends to the tools developers use and the places they store code. It was reported in December that two malicious packages had been published to npm, the package registry JavaScript developers use to share code. In addition, an analysis by GitGuardian found 2 million secrets, such as passwords, API keys and other credentials, committed to public Git repositories during 2020 alone.

“Things are not getting better and on top of this, applications are growing in complexity,” said Jennifer Fernick, senior vice president and global head of research at NCC Group. “The number of reported vulnerabilities in open-source software is growing each year. Without serious and coordinated intervention, I think it will get worse.”

3. DNS-as-a-Service is creating an open highway into corporate networks

Weaknesses in the Domain Name System, or DNS, have been known for years, but a team of security researchers recently conducted a simple experiment and found disturbing results.

DNS, which translates host names into the IP addresses computers use to reach each other, is a foundational technology of the open internet. Cloud providers now offer it as DNS-as-a-Service, or DNSaaS, a managed offering on which enterprises host their domains.

The problem, as discovered by Shir Tamari and Ami Luttwak, security researchers at Wiz.io, is that a DNSaaS customer could register, on the provider’s own platform, a domain whose name matched one of the provider’s nameservers. That effectively hijacked the nameserver: dynamic DNS update traffic that other customers’ machines sent to it was delivered to the registrant instead, who could eavesdrop on it. Using a single hijacked nameserver name, the researchers were able to wiretap DNS traffic from 15,000 organizations.

Two of the six major DNSaaS providers have fixed the flaws, according to Tamari and Luttwak.

“DNS is the lifeblood of the internet and one of the most important services,” said Luttwak. “A simple domain registration got us access to thousands of companies and millions of devices. When we dug deeper, we saw it was coming from Fortune 500 companies and more than 100 government agencies.”
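To make concrete what a hijacked nameserver receives, the following Python is an added example (not the Wiz researchers’ code or anything from the page). It builds the kind of RFC 2136 dynamic DNS UPDATE message a host sends to its zone’s nameserver to register its own address, then parses it the way an eavesdropping nameserver would, extracting the zone, the internal hostname and the internal IP. The zone, hostname and address are constructed sample data, not captured traffic.

```python
import struct

# Protocol constants from RFC 1035 and RFC 2136.
OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN = 1
TYPE_NAMES = {1: "A", 6: "SOA", 28: "AAAA"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_update(zone, hostname, ip, msg_id=0x1234, ttl=1200):
    """Construct the UPDATE a dynamic DNS client sends to register its own A record.

    Header counts are ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT (RFC 2136 section 2).
    One zone, no prerequisites, one A record in the update section.
    """
    flags = OPCODE_UPDATE << 11            # QR=0, opcode=5 (UPDATE), no other flags
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    update_rr = (encode_name(hostname)
                 + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata))
                 + rdata)
    return header + zone_section + update_rr


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past the field)."""
    labels = []
    end = None                      # set when the first compression pointer is met
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:   # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:           # refuse looping pointers from hostile input
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_rr(msg, offset):
    """Parse one resource record; A records are rendered as dotted quads."""
    name, offset = decode_name(msg, offset)
    rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    rdata = msg[offset:offset + rdlength]
    offset += rdlength
    if rtype == TYPE_A and rdlength == 4:
        value = ".".join(str(b) for b in rdata)
    else:
        value = rdata.hex()         # deletions carry no RDATA and render as ""
    return (name, TYPE_NAMES.get(rtype, str(rtype)), value), offset


def parse_update(msg):
    """Return what a nameserver learns from this message, or None if it is not an UPDATE."""
    msg_id, flags, zocount, prcount, upcount, adcount = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        return None
    offset = 12
    zones = []
    for _ in range(zocount):
        name, offset = decode_name(msg, offset)
        offset += 4                 # skip ZTYPE and ZCLASS
        zones.append(name)
    prereqs, updates = [], []
    for section, count in ((prereqs, prcount), (updates, upcount)):
        for _ in range(count):
            rr, offset = parse_rr(msg, offset)
            section.append(rr)
    return {"id": msg_id, "zones": zones, "prerequisites": prereqs, "updates": updates}


def leaked_hosts(msg):
    """Hostname/IP pairs an eavesdropping nameserver could harvest from one UPDATE."""
    parsed = parse_update(msg)
    if parsed is None:
        return []
    return [(name, value) for name, rtype, value in parsed["updates"] if rtype == "A"]


if __name__ == "__main__":
    # Constructed sample: an internal host registering its address in its corporate zone.
    sample = build_update("corp.example", "laptop-42.corp.example", "10.20.30.40")
    print(parse_update(sample))
    print(leaked_hosts(sample))
```

Every such message identifies an organization’s zone, one internal host name and its private address, which is exactly the inventory an attacker wants before moving further; the same parser applied to an ordinary query returns nothing, since only UPDATE traffic carries this data.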

4. GPT-3’s advanced text capabilities have disinformation actors licking their chops

Developed by OpenAI, GPT-3 generates human-like text that is powerful, convincing and, according to two researchers from Georgetown University, potentially very dangerous.

The AI text generator, one of the largest neural networks yet built, returns paragraphs of fully coherent prose when given a prompt or an opening sentence. GPT-3 can also generate working computer code and has even been used to write an article about itself. What could possibly go wrong?

OpenAI gave Drew Lohn and Micah Musser, research analysts at Georgetown University’s Center for Security and Emerging Technology, access to the model. They had six months to find out what kind of damage it could cause.

Using control groups, the researchers tested multiple generated samples on political and social issues to see whether readers could distinguish human writing from the machine’s. When GPT-3 was asked to rewrite two legitimate Associated Press news stories into pieces slanted for or against former President Donald Trump, a panel of expert readers could not tell the difference.

The researchers noted that GPT-3 was especially adept at generating tweets from minimal instructions, and its speed and fluency made it possible to push out a large volume of messaging from a single social media account.

“I’m not sure the ramifications are being thought out as thoroughly as they should,” said Lohn. “There is a lot of potential good that can come from these technologies. We need a discussion about these sorts of decisions.”

5. Hackers have ransomware problems too

As time goes on, the cybersecurity community is gaining a clearer picture of the methods and operational practices of nation-state hackers, and of their problems as well.

Security researchers at IBM Corp.’s X-Force have been analyzing the activity of the group they track as ITG18, which overlaps with the Iranian state-linked operation known elsewhere as Charming Kitten. Unlike other nation-state hacking operations, ITG18 has been remarkably lax about keeping its work out of the public eye and doesn’t appear to be especially concerned about it.

The group, which has conducted phishing campaigns against pharmaceutical companies, journalists and Iranian dissidents, left a set of training videos on an exposed server that the IBM researchers discovered in May of last year. Along with providing a tutorial on how to test access to and exfiltrate data from compromised accounts, the videos exposed accounts tied to group members’ Iranian phone numbers. The trove revealed that the hackers struggled with CAPTCHAs, like many of us, and it showed evidence that, thanks to their own poor security, they had been victims of a ransomware attack themselves.

“Over the last 18 months, we’ve continued to see errors from this group,” said Allison Wikoff, an analyst with IBM Security X-Force. “We thought it would be nice to flip the script and humanize the adversaries we are dealing with.”

Image: Pixabay Commons
