Posts Tagged ‘Cybersecurity’
[MiamiJUG] Taming Vulnerabilities and Technical Debt Through Deterministic Refactoring
Lecturer
Kevin Brockhoff is a Director and Consulting Expert at CGI, one of the world’s largest IT and business consulting firms. With decades of experience in the technology industry, Kevin specializes in navigating the complex intersections of cybersecurity, digital transformation, and large-scale enterprise systems. His work at CGI involves helping multinational organizations—spanning sectors such as banking, government, and manufacturing—modernize their legacy infrastructure while maintaining robust security postures. Kevin is a prominent voice in the Miami technology community, frequently sharing insights at the Miami Java User Group (MiamiJUG) regarding automated refactoring and the integration of generative AI in software engineering.
Abstract
As enterprises face an accelerating stream of feature requests and increasingly sophisticated cyber threats, the accumulation of technical debt and security vulnerabilities has become a critical bottleneck. This article examines a deterministic approach to large-scale code remediation using OpenRewrite, an open-source automated refactoring ecosystem. Unlike indeterminate generative AI agents, which can produce inconsistent results and hallucinations, OpenRewrite utilizes Lossless Semantic Trees (LSTs) to ensure predictable, traceable, and scalable code transformations. By combining the creative potential of AI with the reliability of rule-based transformers, organizations can achieve a fourfold increase in productivity for vulnerability remediation. The following analysis explores the methodology of LST-based refactoring, its application across thousands of repositories, and its strategic role in modernizing global IT infrastructure.
The Crisis of Speed and Indeterminacy in Enterprise Software
In the modern software landscape, engineering teams are caught in a perpetual race between delivering new features and mitigating emerging security risks. Kevin emphasizes that speed is the decisive factor in this environment; delays in remediation allow vulnerabilities to proliferate across growing application portfolios. While generative AI agents have been proposed as a solution to this problem, they introduce significant challenges when applied in isolation at an enterprise scale.
The primary issue with relying solely on Large Language Models (LLMs) for code refactoring is their indeterminate nature. Applying an AI agent to the same codebase multiple times may yield different results, and the risk of “hallucinations” necessitates a manual human review of every line of code. Furthermore, current AI tools often struggle with scalability; while they may function effectively on a single repository, managing transformations across 5,000 repositories requires a more structured, traceable mechanism.
OpenRewrite: Deterministic Refactoring via Lossless Semantic Trees
To address the limitations of AI, Kevin advocates for the use of OpenRewrite, a tool sponsored by Moderne that provides a deterministic framework for source code modification. At the heart of OpenRewrite is the Lossless Semantic Tree (LST). While a traditional Abstract Syntax Tree (AST) represents the hierarchical structure of code, the LST incorporates two additional layers of critical information:
- Type Information: Every node in the tree is enriched with comprehensive type data, similar to the output of a compiler.
- Formatting Preservation: Uniquely, the LST captures all original formatting, including whitespace and comments.
This architecture allows OpenRewrite to parse code, apply transformations, and write it back to the source file with character-for-character fidelity to the original style, provided no changes were intended. Most importantly, these modifications are deterministic; a “recipe”—the rule-based transformer used by the engine—will produce identical results every time it is applied, enabling mass application across thousands of repositories without the need for exhaustive manual re-verification.
Methodology: Combining AI with Rule-Based Transformers
The most effective strategy for large-scale remediation involves a hybrid approach that leverages both AI and deterministic tools. In this model, AI agents are used to assist human developers in generating the refactoring recipes themselves. Once a recipe is refined and tested, it acts as a reliable, version-controlled asset that can be executed at scale.
OpenRewrite’s ecosystem is divided into open-source and commercial components. The core engine and a vast catalog of common recipes—covering framework migrations (such as Spring Boot upgrades), security fixes, and stylistic consistency—are available under the Apache license. For large-scale enterprise management, the Moderne platform provides advanced capabilities, including:
- SaaS and On-Premise (DX) Options: These allow for mass refactoring across an entire organization’s source code system.
- Semantic Search: By calculating embeddings on LSTs, the platform enables highly sophisticated code intelligence and search.
- Batch Remediation Tracking: A centralized dashboard for managing the progress of large-scale security and tech debt campaigns.
Implementation and Impact
The practical application of these tools has demonstrated a 4X increase in productivity for security vulnerability remediation at major corporations. Beyond security, use cases include technical modernization, library upgrades, and maintaining architectural standards. By automating the “grunt work” of refactoring, senior engineers can focus on higher-level architectural decisions while the deterministic engine ensures that thousands of microservices remain up-to-date with the latest security patches and framework versions.
Relevant links and hashtags:
[AWSReInvent2025] Revolutionizing DevSecOps: How Cathay Pacific Achieved 75% Faster Security with Agentic AI
Lecturer
Mike Markell is a Practice Manager for AWS Professional Services in Hong Kong, where he leads digital transformation and security initiatives for major enterprises across Asia. Naresh Sharma is a senior technology leader at Cathay Pacific Airways, overseeing the airline’s global application security and DevSecOps strategy. Tony Leong is a Senior Security Architect at Cathay, specialized in building AI-powered security tooling and integrating AppSec-as-Code into high-velocity deployment pipelines.
Abstract
In the highly regulated and high-stakes environment of global aviation, managing security across more than 4,000 annual deployments presents a massive operational challenge. This article details how Cathay Pacific Airways revolutionized its “security-first” culture by moving beyond traditional security scanning to a comprehensive DevSecOps model. The core methodology centers on the implementation of Agentic AI and a RAG-based (Retrieval-Augmented Generation) assistant to solve the industry’s “false positive crisis.” By deploying “AI-powered security champions” and customized scanning rules, Cathay achieved a 75% reduction in vulnerability remediation time and a 50% reduction in security operations costs. The analysis explores the technical and cultural shifts required to empower over 1,000 developers to become proactive security practitioners while maintaining the airline’s rapid pace of innovation.
Context: The Bottleneck of Manual Security Reviews
For a global leader like Cathay Pacific, the pace of digital innovation is essential for maintaining a competitive edge in the aviation industry. However, this speed was being severely hindered by the limitations of traditional security scanning tools. The primary conflict centered on a high noise-to-signal ratio, where approximately 78% of the vulnerabilities identified by standard tools were determined to be false positives. This created a crisis where security teams were overwhelmed by alerts, leading to significant delays in the deployment of features for the airline’s fleet.
Furthermore, the manual review process required to validate these alerts created significant friction between the security and development teams. Developers often viewed security requirements as a hurdle that slowed down their ability to deliver value, while security professionals struggled to keep up with the volume of code being produced. To overcome these challenges, Cathay needed a solution that could scale with their deployment frequency—which covers everything from customer-facing apps to critical flight operation systems—without compromising on the rigorous safety standards that define the brand.
Methodology: Implementing Shift-Left Security with AI
The solution implemented by Cathay Pacific and AWS Professional Services involved a comprehensive “shift-left” strategy, which integrates security at the very beginning of the software development lifecycle. The cornerstone of this methodology is the use of Agentic AI. Unlike traditional static scanners, these AI agents act as “security champions” that provide real-time, context-aware guidance to developers as they write code. This allows for the identification of security anti-patterns and the suggestion of defensive coding practices before the code is even committed to a repository.
Another critical component of the methodology is the AppSec-as-Code library. This centralized knowledge base translates complex security policies into programmatic requirements that can be automatically enforced within CI/CD pipelines. To make this information accessible to developers, the team developed a RAG-based (Retrieval-Augmented Generation) assistant. This tool allows developers to query internal security standards using natural language, receiving accurate and context-specific advice instantly. Finally, the team moved away from “out of the box” tool configurations in favor of highly customized scanning rules. This technical fine-tuning was essential for drastically reducing the false-positive rate and ensuring that the security team only focused on legitimate threats.
Technical Analysis of Operational Gains
The implementation of AI-driven DevSecOps has yielded remarkable quantitative results for Cathay Pacific. The most significant outcome is a 75% reduction in the time required to remediate vulnerabilities. Because the AI agents filter out the vast majority of false positives and provide developers with clear, actionable fix suggestions, the entire security lifecycle has been compressed. Qualitatively, this has led to a 70% improvement in developer security capability, as the tools effectively serve as an automated, on-the-job training system that reinforces secure coding habits.
From a financial perspective, the automation of manual reviews and the reduction in wasted engineering time have led to a 50% cost reduction in security operations. The airline is now able to manage over 4,000 deployments annually with a higher level of confidence and lower overhead than was previously possible. A critical technical lesson learned during the journey was that “by default, no tool is perfect.” Success required a commitment to continuous customization and a willingness to collaborate with product vendors to tune their tools to the specific needs of the aviation industry. This iterative feedback loop was the key to moving from “human-in-the-loop” automation to a more efficient “AI-informed” model.
Consequences: A Cultural and Technical Transformation
The transformation at Cathay Pacific extended far beyond the technical architecture; it required a fundamental shift in the organization’s culture. The success of the project was predicated on a “can-do” spirit and the setting of ambitious targets that challenged the status quo. By providing developers with the tools to take ownership of security, the organization has fostered a culture where security is seen as a shared responsibility rather than an external constraint.
The implications for the global aviation and enterprise sectors are significant. Cathay has proven that it is possible to maintain a high-velocity deployment schedule in a safety-critical environment by leveraging the power of generative AI. Looking forward, the organization plans to develop even more insightful dashboards to provide security leaders with real-time visibility into the health of the application portfolio. The journey serves as a powerful testament to how Agentic AI can bridge the gap between agility and security, turning a potential bottleneck into a powerful competitive advantage.
Links:
[RivieraDev2025] Olivier Poncet – Anatomy of a Vulnerability
Olivier Poncet captivated the Riviera DEV 2025 audience with a detailed dissection of the XZ Utils attack, a sophisticated supply chain assault revealed on March 29, 2024. Through a forensic analysis, Olivier explored the attack’s two-year timeline, its blend of social and technical engineering, and its near-catastrophic implications for global server security. His presentation underscored the fragility of open-source software supply chains, urging developers to adopt rigorous practices to safeguard their systems.
The XZ Utils Attack: A Coordinated Threat
Olivier introduced the XZ Utils attack, centered on the CVE-2024-3094 vulnerability, which scored a critical 10/10 severity. XZ Utils, a widely used compression library integral to Linux distributions and kernel boot processes, was compromised with malicious code embedded in its upstream tarballs. Discovered fortuitously by Andres Freund, a PostgreSQL engineer at Microsoft, the attack aimed to weaken the SSH daemon, potentially granting attackers access to countless exposed servers. Olivier highlighted the serendipitous nature of the discovery, as Andres stumbled upon the issue during routine benchmarking, revealing suspicious behavior that led to a deeper investigation.
The attack’s objectives were threefold: corrupt the software supply chain, undermine SSH security, and achieve widespread system compromise. Olivier emphasized that this was not a mere flaw but a meticulously planned operation, exploiting the trust inherent in open-source ecosystems.
Social and Technical Engineering Tactics
The XZ Utils attack leveraged a blend of social and technical manipulation. Olivier detailed how the attacker, over two years, used social engineering to infiltrate the project’s community, likely posing as a trusted contributor to introduce malicious code. This included pressuring maintainers and exploiting the project’s reliance on a small, often unpaid, team. Technically, the attack involved injecting backdoors into the tarballs, which were then distributed to Linux distributions, bypassing standard security checks.
Olivier’s analysis, conducted through extensive virtual machine testing post-discovery, revealed the attack’s complexity, including obfuscated code designed to evade detection. He stressed that the human element—overworked maintainers and community trust—was the weakest link, highlighting the need for robust governance in open-source projects.
Supply Chain Vulnerabilities in Open Source
A key focus of Olivier’s talk was the broader vulnerability of open-source supply chains. He cited examples like the npm package “is-odd,” unnecessarily downloaded millions of times, and the “colors” package, whose maintainer intentionally broke builds worldwide by introducing malicious code. These incidents illustrate how transitive dependencies and unverified packages can introduce risks. Olivier also referenced a recent Hacker News report about over 200 malicious GitHub repositories targeting developers, underscoring the growing threat of supply chain attacks.
He warned that modern infrastructures, heavily reliant on open-source software, are only as strong as their weakest link—often a single maintainer. Tools like Docker Hub, npm, and pip, while convenient, can introduce unvetted dependencies, amplifying risks. Olivier advocated for heightened scrutiny of external repositories and dependencies to mitigate these threats.
Mitigating Risks Through Best Practices
To counter supply chain vulnerabilities, Olivier proposed practical measures. He recommended using artifact repositories like Artifactory to locally store and verify dependencies, ensuring cryptographic integrity through hash checks. While acknowledging the additional effort required, he argued that such practices significantly enhance security by reducing reliance on external sources. Auditing direct and transitive dependencies, questioning their necessity, and reimplementing simple functions locally were also advised to minimize exposure.
Olivier concluded with a call to action, urging developers to treat supply chain security as a priority. By fostering a culture of vigilance and investing in secure practices, organizations can protect their systems from sophisticated attacks like XZ Utils, preserving the integrity of the open-source ecosystem.
Links:
[DefCon32] DEF CON 32: Hacker Jeopardy – Night 2
The DEF CON 32 Hacker Jeopardy Night 2, hosted by the spirited duo Lint and Miss Kitty, delivered an electrifying conclusion to the iconic contest, blending technical prowess with raucous entertainment. With a dedicated crew and enthusiastic audience, the event showcased cybersecurity-themed challenges, culminating in a dramatic finale where team Stepmoms clinched victory. Lint’s dynamic hosting and Kitty’s birthday celebration added a personal touch, reinforcing the community spirit that defines DEF CON’s beloved game show.
Crafting a Cybersecurity Spectacle
Lint kicked off the evening with gratitude for the 14-person crew’s tireless efforts, emphasizing the complexity behind the seamless show. The introduction of the “Lentil Lookalikes,” replacing past crew roles, brought fresh energy to the stage. The contest featured teams like Pandemonium and OnlyFans, competing in categories testing hacking knowledge, from network protocols to historical exploits. Lint’s humor and Kitty’s candid revelation of her “30 [expletive] years” birthday infused the event with camaraderie, making it a memorable celebration of hacker culture.
The Thrill of the Final Jeopardy
The competition intensified in the final round, where a question about OSI model layers—application, presentation, session, transport, network, data link, physical—tested the teams’ precision. Pandemonium’s correct answer, marred by failing to phrase it as a question, led to a catastrophic point loss, while OnlyFans’ alphabetical misordering cost them their lead. Stepmoms’ strategic zero wager secured their win, earning them a coveted Black Badge. Lint’s animated commentary amplified the drama, cementing Hacker Jeopardy’s reputation as a high-stakes, community-driven spectacle.
Fostering Community and Legacy
Reflecting on Hacker Jeopardy’s evolution, Lint highlighted its role in uniting the DEF CON community, encouraging attendees to “be [expletive] excellent to each other.” The event’s blend of technical rigor and playful chaos, supported by the crew’s dedication, showcased the hacker ethos of collaboration and creativity. Kitty’s personal touch, sharing her birthday with the audience, deepened the sense of connection, ensuring Hacker Jeopardy remains a cornerstone of DEF CON’s cultural legacy.
Links:
- None available
[DefCon32] DEF CON 32: NTLM The Last Ride
Jim Rush and Tomais Williamson, security researchers from Wellington, New Zealand, electrified DEF CON 32 with a deep dive into exploiting NTLM authentication before its planned phase-out in Windows 11 and beyond. Representing CyberCX, they unveiled new vulnerabilities, bypassed existing fixes, and exposed insecure defaults in Microsoft’s NTLM-related controls. Their fast-paced presentation, infused with humor and technical depth, offered a final hurrah for NTLM hacking, urging attendees to turn off NTLM where possible.
Revisiting NTLM’s Persistent Flaws
Jim and Tomais began by contextualizing NTLM, a 25-year-old authentication protocol still prevalent despite its known weaknesses. They highlighted Microsoft’s plan to deprecate NTLM, yet emphasized its lingering presence in legacy systems. Their research uncovered new bugs, including a bypass of a previously patched CVE, allowing attackers to coerce NTLM hashes from various applications. By exposing these flaws, Jim and Tomais underscored the urgency of transitioning to more secure protocols like Kerberos.
Novel Exploitation Techniques
The duo detailed their innovative approaches, combining multiple bug classes to extract NTLM hashes from unexpected sources, such as document processors and build servers. Their live demonstrations showcased “cooked” bugs—exploits leveraging URL inputs to trigger hash leaks. Jim’s anecdotes about their discoveries, including a nod to their CyberCX colleague’s assistance, highlighted the collaborative nature of their work. These techniques revealed NTLM’s fragility, especially in environments with permissive defaults.
Insecure Defaults and Systemic Gaps
Focusing on Microsoft’s NTLM security controls, Jim and Tomais exposed glaring gaps, such as libraries allowing unauthenticated hash extraction. They demonstrated how attackers could exploit these defaults in applications like Microsoft Teams or PDF generators, turning innocuous features into attack vectors. Their findings, supported by CyberCX’s research efforts, emphasized the need for organizations to audit NTLM usage and disable it wherever feasible to prevent hash coercion.
Community Collaboration and Future Steps
Concluding, Jim and Tomais called for community engagement, inviting attendees to share ideas for extracting hashes from novel sources like video games. They praised Microsoft’s MSRC team for their responsiveness and urged continued disclosure to advance research. Their advice to “turn off NTLM, then turn it back on when someone screams” humorously captured the challenge of legacy system dependencies, encouraging proactive steps toward more secure authentication frameworks.
Links:
[DefCon32] DEF CON 32: Finding & Exploiting Local Attacks on 1Password Mac Desktop App
J. Hoffman and Colby Morgan, offensive security engineers at Robinhood, delivered a compelling presentation at DEF CON 32, exploring vulnerabilities in the 1Password macOS desktop application. Focusing on the risks posed by compromised endpoints, they unveiled multiple attack vectors to dump local vaults, exposing weaknesses in 1Password’s software architecture and IPC mechanisms. Their research, blending technical rigor with practical demonstrations, offered critical insights into securing password managers against local threats.
Probing 1Password’s Security Assumptions
J. and Colby opened by highlighting the immense trust users place in password managers like 1Password, which safeguard sensitive credentials. They posed a critical question: how secure are these credentials if a device is compromised? Their research targeted the macOS application, uncovering vulnerabilities that could allow attackers to access vaults. By examining 1Password’s reliance on inter-process communication (IPC) and open-source components, they revealed how seemingly robust encryption fails under local attacks, setting the stage for their detailed findings.
Exploiting Application Vulnerabilities
The duo detailed several vulnerabilities, including an XPC validation bypass that enabled unauthorized access to 1Password’s processes. Their live demonstrations showcased how attackers could exploit these flaws to extract vault data, even on locked systems. They also identified novel bugs in Google Chrome’s interaction with 1Password’s browser extension, amplifying the attack surface. J. and Colby’s meticulous approach, including proof-of-concept scripts released at Morgan’s GitHub, underscored the need for robust validation in password manager software.
Mitigating Local Threats
Addressing mitigation, J. and Colby recommended upgrading to the latest 1Password versions, noting fixes in versions 8.10.18 and 8.10.36 for their disclosed issues. They urged organizations to enhance endpoint security, emphasizing that password managers are prime targets for red teamers seeking cloud credentials or API keys. Their findings, developed over a month of intensive research, highlighted the importance of proactive patching and monitoring to safeguard sensitive data on compromised devices.
Engaging the Security Community
Concluding, J. and Colby encouraged the DEF CON community to extend their research to other password managers, noting that similar vulnerabilities likely exist. They shared their code to inspire further exploration and emphasized responsible disclosure, having worked with 1Password to address the issues. Their call to action invited attendees to collaborate on improving password manager security, reinforcing the collective effort needed to protect critical credentials in an era of sophisticated local attacks.
Links:
[DefCon32] DEF CON 32: Gotta Cache ‘em All – Bending the Rules of Web Cache Exploitation
Martin Doyhenard, a seasoned security researcher, captivated the DEF CON 32 audience with his exploration of innovative web cache exploitation techniques. Focusing on exploiting ambiguities in RFC standards, Martin unveiled two novel methods—Static Path Deception and Cache Key Confusion—that push the boundaries of web cache attacks. Through detailed case studies and a live demonstration, he showcased how these techniques can compromise application confidentiality, enable arbitrary cache poisoning, and even achieve full site takeovers, providing actionable insights for security practitioners to identify and mitigate such vulnerabilities.
Unveiling Web Cache Mechanics
Martin began by elucidating the inner workings of web caches, which store frequently accessed content to enhance website performance. He highlighted how caches rely on URL parsing to determine what to store and serve, yet inconsistencies in parsing across platforms create exploitable vulnerabilities. By leveraging ambiguities in RFC standards, attackers can manipulate cache behavior to serve malicious content or expose sensitive data. Martin’s clear explanation set the stage for understanding the sophisticated attacks that followed, emphasizing the critical role of URL parsers in web security.
Static Path Deception: Breaching Confidentiality
Delving into his first technique, Martin introduced Static Path Deception, a method that exploits cache handling of static file paths to compromise application confidentiality. Using a case study involving Nginx behind Cloudflare, he demonstrated how attackers can trick caches into serving sensitive content to unauthorized users. By crafting specific URL patterns, Martin showed how this technique bypasses traditional cache restrictions, exposing private data. His findings underscore the need for consistent cache configuration across content delivery networks and web servers to prevent such breaches.
Cache Key Confusion: Poisoning and Denial of Service
Martin then presented Cache Key Confusion, a technique exploiting discrepancies in how platforms like Microsoft Azure Cloud normalize cache keys. He illustrated how attackers can manipulate URL parsing to poison caches, serving malicious content to all users or triggering denial-of-service attacks. His live demo combined Cache Key Confusion with an open redirect vulnerability to execute arbitrary JavaScript, achieving a complete site takeover. This powerful demonstration highlighted the far-reaching impact of parser inconsistencies and the potential for significant disruption in cloud-based environments.
Mitigation and Community Engagement
Concluding, Martin shared practical strategies to counter these vulnerabilities, urging organizations to audit cache configurations and disable key normalization where possible. He introduced his open-source tool, Cache Killer, designed to detect parsing discrepancies, and encouraged the DEF CON community to contribute to its development. By sharing references to prior research and his own findings, Martin fostered a collaborative approach to improving web cache security, inspiring attendees to hunt for similar vulnerabilities in bug bounty programs and beyond.
Links:
- None available
[DefCon32] DEF CON 32: Feet Feud
Tiberius, presenting as “Toes” with the OnlyFeet CTF team, hosted the lively “Feet Feud” game show at DEF CON 32, bringing together cybersecurity enthusiasts for a fun, interactive competition. Team captains Ali Diamond, known for her Hack 5 ThreatWire hosting, and John Hammond, a prominent cybersecurity educator, led their teams in a spirited battle of wits. The event, a fan favorite after unofficial runs in previous years, engaged the audience with hacker-themed challenges and quirky prizes, fostering community spirit and camaraderie.
The Game Show Experience
Tiberius kicked off the event with infectious enthusiasm, introducing Ali and John as team captains. Audience members, selected based on vibrant attire like orange bow ties, joined the teams, creating an electric atmosphere. The game, inspired by classic game shows, featured cybersecurity-themed questions and challenges, blending humor with technical knowledge. Tiberius’s dynamic hosting, supported by assistants Helen and Wolfie, ensured a fast-paced, engaging experience that kept the crowd entertained.
Celebrating the Hacker Community
The event celebrated the DEF CON community’s creativity and collaboration, with Ali and John leading their teams through rounds that tested hacking trivia and problem-solving skills. Prizes, including Hack The Box VIP vouchers, coding socks, and whimsical baby foot candles, added a playful touch. Tiberius emphasized the importance of community-driven events like Feet Feud, which provide a lighthearted counterbalance to the conference’s technical intensity, strengthening bonds among attendees.
Building on Tradition
Reflecting on Feet Feud’s evolution from a small gathering to a main-stage event, Tiberius highlighted its growing popularity, with this year’s crowd far exceeding the previous high of 40 attendees. The game’s success, supported by sponsors like Hack The Box, underscores its role in fostering a sense of belonging within the cybersecurity community. By encouraging audience participation and celebrating victories with quirky rewards, Feet Feud reinforces DEF CON’s unique blend of learning and fun.
Looking Ahead
Concluding, Tiberius expressed hope for Feet Feud’s return with even grander prizes, thanking Helen and Wolfie for their invaluable support. The event’s success lies in its ability to unite hackers in a shared celebration of their craft, inspiring future iterations that continue to blend competition with camaraderie. Ali and John’s leadership, combined with the audience’s enthusiasm, ensures Feet Feud remains a cherished DEF CON tradition.
Links:
[DefCon32] DEF CON 32: HookChain – A New Perspective for Bypassing EDR Solutions
Helvio Carvalho Junior, a renowned security researcher and CEO of Sec4US, unveiled his groundbreaking HookChain technique at DEF CON 32, offering a fresh perspective on evading Endpoint Detection and Response (EDR) systems. By combining Import Address Table (IAT) hooking, dynamic System Service Number (SSN) resolution, and indirect system calls, Helvio demonstrated how HookChain stealthily redirects Windows subsystem execution flows, bypassing EDR monitoring without altering application code. His presentation, enriched with live demonstrations, challenged cybersecurity conventions and spurred discussion on adaptive defense strategies.
Understanding EDR Limitations
Helvio opened by outlining the rapid evolution of digital threats, which continuously challenge EDR solutions designed to monitor API calls through Ntdll.dll. He explained that traditional EDRs rely on hooking key functions to detect malicious activity, but these mechanisms can be circumvented. HookChain exploits this by manipulating the execution flow to avoid monitored interfaces, achieving stealth without modifying the source code of applications or malware. Helvio’s approach highlights the need for EDRs to evolve beyond static monitoring techniques.
Technical Mechanics of HookChain
Delving into the technical core, Helvio detailed HookChain’s methodology, which integrates IAT hooking to redirect function calls, dynamic SSN resolution to adapt to varying Windows versions, and indirect system calls to bypass EDR hooks. His live demo showcased shellcode injection into a process, executing it undetected by EDRs like CrowdStrike and SentinelOne. By leveraging techniques like Halo’s Gate to locate unhooked functions, HookChain ensures malicious payloads operate invisibly, achieving an impressive 66% success rate against top EDR products listed in Gartner’s Magic Quadrant.
Testing and Vendor Responses
Helvio shared results from testing HookChain against various EDR solutions, including remote process injection and credential dumping with tools like Mimikatz. His findings revealed that while some vendors, such as SentinelOne, implemented patches to counter HookChain, others lagged in response. He emphasized the importance of open collaboration, noting that two vendors engaged with him to test mitigations. Helvio’s transparency, including sharing his whitepaper and source code on GitHub, encourages the community to refine and challenge his techniques, fostering stronger defenses.
Future Directions for Cybersecurity
Concluding, Helvio urged the DEF CON community to embrace continuous innovation in security research. HookChain not only exposes vulnerabilities in current EDR systems but also paves the way for more adaptive solutions. He advocated for proactive strategies that anticipate emerging threats, inspiring researchers to explore new evasion techniques and defenders to enhance monitoring beyond Ntdll.dll. His work, rooted in a passion for discovery, sets a benchmark for advancing endpoint security in a dynamic threat landscape.
Links:
[DefCon32] DEF CON 32: Leveraging Private APNs for Mobile Network Traffic Analysis
Aapo Oksman, a seasoned security researcher specializing in IoT and network protocols, delivered a compelling presentation at DEF CON 32 on harnessing private Access Point Names (APNs) to analyze mobile and IoT device traffic. As devices increasingly rely on 4G and 5G networks, bypassing traditional Wi-Fi monitoring, Aapo’s innovative approach enables security professionals to inspect, filter, and tamper with mobile network traffic. His talk provided practical techniques for both offensive and defensive cybersecurity, from penetration testing to detecting malicious activity in mobile ecosystems.
Challenges in Mobile Network Monitoring
Aapo began by highlighting the shift in device communication from Wi-Fi to mobile networks, which complicates traditional traffic analysis due to direct connections to ISP-operated base stations. Setting up private base stations, while possible, is costly and complex. Aapo introduced private APNs as a cost-effective alternative, allowing users to create isolated networks within ISP infrastructure. This approach grants visibility into device communications, overcoming the limitations of locked-down devices and enabling detailed traffic analysis for security purposes.
Harnessing Private APNs for Security
Delving into the technical details, Aapo explained how private APNs can be configured to route mobile traffic through controlled environments, such as firewalls or custom servers. His demonstration showcased the setup process, emphasizing affordability and scalability, with costs decreasing as more devices are added. By intercepting IP traffic, security professionals can perform penetration testing on IoT devices or monitor for malicious activity, such as command-and-control (C2) communications. Aapo’s approach leverages ISP infrastructure to create a controlled network environment, enhancing both offensive and defensive capabilities.
Uncovering Advanced Malware Threats
Aapo addressed the growing sophistication of mobile malware, which often avoids Wi-Fi or VPN connections to evade detection. He cited an example of a misconfigured malware detected via Wi-Fi traffic, underscoring that advanced threats are designed to operate solely over mobile networks. Private APNs enable defenders to monitor these communications, identifying C2 servers or other malicious activities that would otherwise go unnoticed. Aapo’s insights highlight the critical need for innovative monitoring techniques to counter evolving mobile threats.
Practical Applications and Future Directions
Concluding, Aapo shared project details and encouraged the DEF CON community to explore private APNs for their research. He emphasized the dual-use potential of his approach, enabling both penetration testers and defenders to gain deeper insights into mobile device behavior. By connecting private APNs to existing security infrastructure, organizations can enhance their ability to detect and mitigate threats. Aapo’s work paves the way for future advancements in mobile network security, urging continued exploration of ISP-based solutions.
Links:
- None available