In recent years, vulnerability discovery has largely relied on static analysis tools with predefined pattern matching and taint analysis. These traditional methods are not as efficient for complex codebases that span multiple files and utilize atypical input processing techniques. While successful for common vulnerability patterns, they frequently miss sophisticated attack vectors that operate across multiple functions, and sometimes multiple files. In this talk, we will be covering Tree-of-AST, a new framework that combines large language models with abstract syntax tree analysis to address the limitations above. This approach leverages a unique Locate-Trace-Vote (LTV) methodology that enables autonomous tracking of data flows within large-scale projects, even in the absence of predefined source patterns. We will be sharing conclusive benchmark analysis showing that the Tree-of-AST method outperforms established tools by discovering previously undetected vulnerabilities. The study was done on widely-used open-source projects. Further, we demonstrate that our system autonomously generates working exploits with a success rate above the industry average for similar tools. We will wrap up the talk by examining practical defensive strategies developers could implement to protect their codebases from similar emerging techniques, and discuss how automatic exploitation capabilities reshape the modern digital security landscape. By: Sasha Zyuzin | Student, Bachelor's Degree, University of Maryland Ruikai Peng | Founder, Pwno Presentation Materials Available at: https://ift.tt/MBxqKGU
source https://www.youtube.com/watch?v=VNBEoLE_bGA
The Cyber Stream
Latest News for Cyber Security & Technology
Tuesday, 10 March 2026
Sunday, 8 March 2026
Black Hat USA 2025 | Digital Dominoes: Scanning the Internet to Expose Systemic Cyber Risk
Policymakers and risk owners face significant challenges in managing systemic cyber risk, largely because few tools use empirical data to accurately identify and quantify it. But that data is essential to (1) identify vendors and technologies that require targeted measures, (2) track how systemic cyber threats evolve compared to non-cyber risk, and (3) assess the effectiveness of targeted interventions. Traditional approaches rely on backward-looking models or hypothetical scenarios—methods that can't keep pace with today's fast-moving, complex digital infrastructure. What's needed are real-time, data-driven insights that empower decision-makers to take meaningful action. We address this gap by leveraging internet-scale scanning to build a dynamic, empirical map of concentration risk—showing how systemic vulnerabilities spread across networks, technologies, and vendors. In a first-of-its-kind live demonstration, we will unveil a new risk visualization platform that highlights how risk concentrates within and across sectors, including those supporting critical national functions. Our findings challenge conventional wisdom. Many assumed sources of systemic risk have limited real-world impact, while some overlooked technologies (e.g., large industry-specific white label SaaS vendors) carry significant potential for cascading failures across society. Drawing from real-world examples in sectors such as financial services and manufacturing, we demonstrate how this platform—and the dynamic models behind it—can support more informed, data-driven policy interventions. Participants will leave with a clearer understanding of the systemic risk landscape, as well as actionable insights for developing smarter, more resilient national cyber strategies. Participants will be able to:
- Define the Unseen: Understand systemic cyber risk in the real world—down to specific technologies, vendors, and interdependencies in the digital supply chain.
- Track, Quantify, Predict: Monitor how cyber threats evolve, compare risk levels across sectors, and assess impact alongside traditional risk categories.
- Test What Works: Evaluate potential policy interventions using dynamic, empirical models grounded in real infrastructure data—not theoretical scenarios.
By: Morgan Hervé-Mignucci | Head of ERM Analytics, Coalition, Inc. Presentation Materials Available at: https://ift.tt/Rc1SdmN
source https://www.youtube.com/watch?v=sPyhJykSLUw
Black Hat USA 2025 | Detecting Taint-Style Vulnerabilities in Microservice-Structured Web Apps
Microservice architecture has become increasingly popular for building scalable and maintainable applications. A microservice-structured web application (shortened to microservice application) enhances security by providing a loose-coupling design and enforcing the security isolation between different microservices. However, in this paper, our study shows microservice applications still suffer from taint-style vulnerabilities, among the most serious vulnerability classes (e.g., code injection and arbitrary file write). We propose a novel security analysis approach, named MTD, that can effectively detect taint-style vulnerabilities in real-world, fast-evolving microservice applications. Our approach mainly consists of three phases. First, MTD identifies the entry points accessible to external malicious users by applying a gateway-centric analysis. Second, MTD utilizes a new data structure, i.e., service dependence graph, to bridge inter-service communication. Finally, MTD employs a distance-guided strategy for selective context-sensitive taint analysis to detect vulnerabilities. To validate the effectiveness of MTD, we applied it to 25 open-source microservice applications (each with over 1,000 stars on GitHub) and 5 industrial microservice applications from a world-leading fintech company, i.e., Alibaba Group. We found that MTD effectively vetted these applications, discovering 59 high-risk zero-day vulnerabilities. Among these, vulnerabilities in open-source applications resulted in the allocation of 31 CVE identifiers, including CVE-2024-22263 in the Spring Projects, which has a CVSS score of 9.8. In the industrial microservice applications, we discovered 20 vulnerabilities, including groovy code injection and arbitrary command execution. These vulnerabilities could compromise the entire web server, severely affecting the integrity of millions of users' private data and the security of company systems.
MTD effectively detected these high-value vulnerabilities (worth $50,000 in bounties) and successfully safeguarded enterprise security. By: Fengyu Liu | Ph.D Student, Fudan University YouKun Shi | Postdoctoral Researcher, Hong Kong Polytechnic University Tian Chen | Master's Student, Fudan University Bocheng Xiang | Fudan University Junyao He | Senior Security Engineer, Alibaba Group Qi Li | Senior Security Engineer, Alibaba Group Guangliang Yang | Assistant Professor, Fudan University Yuan Zhang | Professor, Fudan University Min Yang | Professor, Fudan University Presentation Materials Available at: https://ift.tt/LWVH8UX
source https://www.youtube.com/watch?v=DhJphVrsof4
Saturday, 7 March 2026
Black Hat USA 2025 | Death by Noise: Abusing Alert Fatigue to Bypass the SOC (EDR Edition)
Many security incidents today don't occur due to a lack of alerts—they happen because the right ones are ignored. In this talk, we demonstrate how attackers can achieve their goals while triggering only medium and low severity alerts, which make up the majority of SOC alerts and are often overlooked or not thoroughly investigated. Instead of disabling EDRs or relying on highly complex techniques, attackers can blend into the noise. We walk through how adversaries adapt common TTPs across platforms to bypass SOC operations. By targeting endpoints and cloud workloads protected by CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint, we show how default critical/high-severity alerts can be consistently downgraded to medium/low or suppressed — all while maintaining attack effectiveness. Our goal is to expose critical SOC blind spots in the ways SOC teams interpret, prioritize, and act on alerts. In many environments, even custom detections that could close critical gaps are deprioritized because they add to the overwhelming volume of low and medium severity alerts. Without rethinking how alerts are created, prioritized and investigated, defenders will continue missing threats. We'll discuss custom detections to detect these TTPs and explain why automation is the key to scaling the investigations. By: Rex Guo | CEO/Co-Founder, Culminate Inc. Khang Nguyen | Founding Security Researcher, Culminate Inc. Presentation Materials Available at: https://ift.tt/x1JvHfs
source https://www.youtube.com/watch?v=Xd4y4hkXprE
Black Hat USA | LLMs-Driven Automated YARA Rules Generation with Explainable File Features & DNAHash
Malware on the cloud is growing massively every day, and an automated rule generation solution is needed to improve operational efficiency. YARA is a widely used tool for creating malware signatures and detection rules, however, existing YARA-based automated rules generation solutions suffer from limitations in three key areas: rule quality, false positive rates, and the interpretability of features. These shortcomings restrict their effectiveness in real-world malicious threat detection scenarios. In this presentation, we will introduce LLMDYara, which is an automated rule generation solution that integrates expert knowledge with large language models. We first utilize expert knowledge to pre-extract string, function, and file DNAHash features. Subsequently, we design a function signature algorithm and an efficient querying similarity search mechanism to filter these features against a billion-scale white database, thereby enhancing feature quality. We then leverage large models for string feature evaluation and functional identification of function fragments, where the latter enhanced the interpretability of opcode features. Finally, we generated YARA rules through an ensemble decision based on selected features. Our newly introduced file DNAHash feature ensures rule usability even when other features have lower quality, further reducing false positives. Our automated rule generation solution has made efforts to address challenges such as reducing false positives, enhancing feature interpretability, and improving rule quality. Additionally, we will share our experiences in feature engineering and large language model fine-tuning, with the hope that these insights will help advance the application of large language models in the program analysis domain. 
By: Xiaochen Wang | Security Engineer, Alibaba Cloud Yiping Liu | Security Engineer, Alibaba Cloud Xiaoman Wang | Security Engineer, Alibaba Cloud Cong Cheng | Senior Security Engineer, Alibaba Cloud Presentation Materials Available at: https://ift.tt/nusEShv
source https://www.youtube.com/watch?v=0i8UhpUgw_0
Friday, 6 March 2026
Black Hat USA 2025 | Invoking Gemini for Workspace Agents with a Simple Google Calendar Invite
Invitation Is All You Need! Invoking Gemini for Workspace Agents with a Simple Google Calendar Invite
Over the past two years, we have witnessed the emergence of a new class of attacks against LLM-powered systems known as Promptware. Promptware refers to prompts (in the form of text, images, or audio samples) engineered to exploit LLMs at inference time to perform malicious activities within the application context. While a growing body of research has already warned about a potential shift in the threat landscape posed to applications, Promptware has often been perceived as impractical and exotic due to the presumption that crafting such prompts requires specialized expertise in adversarial machine learning, a cluster of GPUs, and white-box access. This talk will shatter this misconception forever. In this talk, we introduce a new variant of Promptware called Targeted Promptware Attacks. In these attacks, an attacker invites a victim to a Google Calendar meeting whose subject contains an indirect prompt injection. By doing so, the attacker hijacks the application context, invokes its integrated agents, and exploits their permission to perform malicious activities. We demonstrate 15 different exploitations of agent hijacking targeting the three most widely used Gemini for Workspace assistants: the web interface (www.gemini.google.com), the mobile application (Gemini for Mobile), and Google Assistant (which is powered by Gemini), which runs with OS permissions on Android devices. We show that by sending a user an invitation for a meeting (or an email or sharing a Google Doc), attackers could hijack Gemini's agents and exploit their tools to: generate toxic content, perform spamming and phishing, delete a victim's calendar events, remotely control a victim's home appliances (connected windows, boiler, and lights), video stream a victim via Zoom, exfiltrate emails and calendar events, geolocate a victim, and launch a worm that targets Gemini for Workspace clients.
Our demonstrations show that Promptware is capable of performing (1) inter-agent lateral movement (triggering malicious activity between different Gemini agents), and (2) inter-device lateral movement, escaping the boundaries of Gemini and leveraging applications installed on a victim's smartphone to perform malicious activities with physical outcomes (e.g., activating the boiler and lights or opening a window in a victim's apartment). Finally, we assess the risk posed to end users using a dedicated threat analysis and risk assessment framework we developed. Our findings indicate that 73% of the identified risks are classified as high-critical, requiring the deployment of immediate mitigations. By: Ben Nassi | Cybersecurity Expert, Technion Or Yair | Security Research Team Lead, SafeBreach Stav Cohen | PhD Student, Technion Full Session Details Available at: https://ift.tt/l4T3LqO
source https://www.youtube.com/watch?v=nmMUMzLxBkU
Black Hat USA 2025 | Reinventing Agentic AI Security With Architectural Controls
AI red teaming has proven that eliminating prompt injection is a lost cause. Worse, many developers consider guardrails a first-order security control and inadvertently introduce serious horizontal and vertical privilege escalation vectors into their applications. When the attack surface of AI-driven applications increases with the complexity and agency of their model capabilities, developers must adopt new strategies to eliminate these risks before they become ingrained across application stacks. Our team has surveyed dozens of AI applications, exploited their most common risks, and discovered a set of practical architectural patterns and input validation strategies that completely mitigate natural language injection attacks. This talk will address the root cause of AI-based vulnerabilities, showcase real exploits that have led to critical data exfiltration, and present threat modeling strategies that have proven to remediate AI-based risks. By the end of the presentation, attendees will understand how to design/test complex agentic systems and how to model trust flows in agentic environments. They will also understand what architectural decisions can mitigate prompt injection and other model manipulation risks, even when AI systems are exposed to untrusted sources of data. By: David Brauchler III | Technical Director | AI/ML Security Practice Lead, NCC Group Presentation Materials Available at: https://ift.tt/5IhPjHQ
source https://www.youtube.com/watch?v=iLX4OdAEznY
Thursday, 5 March 2026
Black Hat USA 2025 | Use and Abuse of Palo Alto's Remote Access Solution
Palo Alto Networks' GlobalProtect is a widely adopted remote access solution used by major organisations worldwide — but how robust is it? Is it designed following secure development principles? Is it possible that this highly-privileged agent, typically installed on all user endpoints, could actually be a source of vulnerability? In this talk, I will introduce and discuss the research that led to the discovery of several security vulnerabilities that could be used to bypass the VPN or escalate privileges on MacOS and Linux endpoints with GlobalProtect installed. As well as providing technical details and practical demonstration of the vulnerabilities, I'll provide an overview of how the GlobalProtect client works and consider its design from the security engineer's perspective. I'll explore fundamental design decisions whose overlooked risks directly contributed to the discovered vulnerabilities. By: Alex Bourla | Security Engineer and Researcher, Graham Brereton | Senior Software Engineer, Form3 Presentation Materials Available at: https://ift.tt/w0StFJf
source https://www.youtube.com/watch?v=6IGmNLs4tk8
Black Hat USA 2025 | Turning Camera Surveillance on its Axis
What are the consequences if an adversary compromises the surveillance cameras of thousands of leading Western organizations and companies? As trust in Chinese-made IoT devices erodes, organizations have less variety left to choose from. This is even more prevalent when it comes to video surveillance and cameras, where multiple countries around the world have chosen to ban the use of products made by Dahua and Hikvision in government facilities. This question drove our research, leading us to discover that surveillance platforms can be double-edged swords. We researched Axis Communications, one of the dominant vendors in the field of video surveillance and monitoring, heavily adopted by US government agencies, schools and medical facilities and even Fortune 500 companies around the world. In our talk, we will showcase the comprehensive research we've conducted on the Axis.Remoting communication protocol, identifying critical vulnerabilities allowing attackers to gain preauth RCE on Axis platforms, giving attackers a runway into the organization's internal networks through their surveillance infrastructure. In addition, we've identified a novel method to passively exfiltrate information about each organization that uses this equipment, potentially enabling attackers to pinpoint their attack. By: Noam Moshe | Vulnerability Researcher, Claroty Team82 Presentation Materials Available at: https://ift.tt/I0frAWY
source https://www.youtube.com/watch?v=7J7UgLwrxdQ
Wednesday, 4 March 2026
Black Hat USA 2025 | Uncovering Threats and Exposing Vulnerabilities in Next-Gen Cellular RAN
5G Radio Access Networks (RANs) are undergoing a major shift from tightly integrated, vendor-specific systems to disaggregated, software-driven architectures. At the forefront is the Open RAN (O-RAN) movement, which defines new standardized interfaces to support RAN disaggregation and introduces modular RAN Intelligent Controllers (RIC) for smarter network optimization. While this openness promotes innovation and interoperability, it also significantly expands the attack surface. In this talk, we will reveal how O-RAN's design exposes critical interfaces to potentially malicious user equipment (UEs) and under-protected RAN nodes, and demonstrate how these exposed interfaces can be exploited to launch new classes of attacks. We will also present how our systematic testing has uncovered 26 previously unknown memory-corruption vulnerabilities across widely used O-RAN RIC and RAN implementations, resulting in silent service disruptions, performance degradation, component crashes, and even system-wide failures. These vulnerabilities resulted in 20 new CVEs. As major operators worldwide accelerate the adoption of O-RAN, our talk will demonstrate the significance of architecture-specific security testing for such emerging systems. We will begin by mapping out new attack surfaces and associated protection challenges introduced by O-RAN's microservice-based, cloud-native architecture, contrasting them with traditional closed RANs. To guide threat modeling and defense strategies, we will introduce a taxonomy of attack vectors targeting the O-RAN stack. We will then share our insights on testing this unique system and present the first automated security testing framework designed for O-RAN. Our approach combines dynamic tracing and static analysis to uncover inter-component dependencies and generate constraint-driven test inputs capable of reaching deep internal logic within RICs, RANs, and third-party xApps. 
Finally, we will showcase the vulnerabilities we uncovered and how these issues are remotely exploitable via public-facing interfaces by malicious UEs or rogue RAN nodes, demonstrating the potential operational impact of these attacks in real-world deployments. By: Tianchang Yang | Research Assistant, The Pennsylvania State University Kai Tu | Research Assistant, The Pennsylvania State University Syed Md Mukit Rashid | Research Assistant, The Pennsylvania State University Ali Ranjbar | Research Assistant, The Pennsylvania State University Gang Tan | Professor of Computer Science and Engineering, The Pennsylvania State University Syed Rafiul Hussain | Assistant Professor, The Pennsylvania State University Presentation Materials Available at: https://ift.tt/UnLvoGi
source https://www.youtube.com/watch?v=rqzK1xd3wng
Tuesday, 3 March 2026
Black Hat USA 2025 | Training Specialist Models: Automating Malware Development
You get what you optimize for. The current trajectory of major AI research labs emphasizes training large language models (LLMs) optimized with verifiable rewards in broadly applicable domains such as mathematics and competitive programming. However, this generalist approach neglects niche applications, especially those explicitly restricted by major providers, including security testing and AV/EDR evasion. Such tasks present unique opportunities suited to smaller teams and independent researchers. This presentation discusses reinforcement learning (RL) fine-tuning for LLMs tailored to highly specialized tasks, using evasive malware development as a case study. A new 7-billion parameter model demonstrating significant performance improvements over state-of-the-art generalist models on AV/EDR evasion tasks will be released alongside the Briefing. By: Kyle Avery | Principal Offensive Specialist Lead, Outflank Presentation Materials Available at: https://ift.tt/PAygKVL
source https://www.youtube.com/watch?v=WKmEzRJZ6H4