Friday, 27 February 2026

Black Hat USA 2025 | Let LLM Learn: When Your Static Analyzer Actually 'Gets It'

Imagine the process of a human security auditor. What distinguishes an expert? It's their accumulated knowledge and nuanced understanding, allowing them to see beyond simple rules. Indeed, Large Language Models (LLMs) demonstrate semantic understanding capabilities potentially exceeding traditional rule-based static analysis. However, raw reasoning power isn't synonymous with effective learning in this complex domain. While LLMs have shown promise for semantic reasoning tasks, deploying them directly on massive codebases is frequently impractical due to scalability constraints and excessive computational overhead. Additionally, isolated semantic summarization at function or module granularities often yields overly abstract results lacking practical actionable insights, or excessive context that proves too cumbersome to analyze effectively. In this talk, we propose "Let LLM Learn," an innovative approach that facilitates incremental semantic knowledge learning *using* reasoning models. Our method reframes the role of static analysis; instead of relying directly on its predefined rules, we leverage it to identify and extract relevant code segments which serve as focused learning material for the LLM. We then strategically partition complex codebases into meaningful, semantic-level slices pertinent to vulnerability propagation. Leveraging these slices, our framework incrementally teaches the LLM—potentially guided by human annotations—to summarize and cache valuable semantic knowledge. This process significantly enhances accuracy, efficiency, and context-awareness in automated vulnerability detection. Empirical evaluations demonstrate that our approach effectively identifies over 70 previously unknown bugs in real-world software projects, including VirtualBox and critical medical device systems in the IN-CYPHER project led by the UK and Singapore. 
Crucially, the semantic knowledge accumulated by our system naturally encodes high-value vulnerability patterns, closely resembling the intuition and analytical capabilities of human security experts. Our technique thereby bridges a critical gap between human expertise and automated analysis capabilities, considerably enhancing vulnerability detection effectiveness, precision, and practical utility.

By: Zong Cao | PhD Student, Imperial Global Singapore and Nanyang Technological University; Zhengzi Xu; Yeqi Fu; Yuqiang Sun; Kaixuan Li; Yang Liu

Full Session Details Available at: https://ift.tt/GCBnQyo

source https://www.youtube.com/watch?v=FPzOgf2EGQE

Black Hat USA 2025 | Wormable Zero-Click RCE in AirPlay Impacts Billions of Apple and IoT Devices

Since its introduction in 2010, AirPlay has transformed the way Apple users stream media. Today, it is integrated into a wide range of devices, including speakers, smart TVs, audio receivers and even automotive systems, making it a key part of the world's multimedia ecosystem. In this session, we will share new details about AirBorne - a series of vulnerabilities within Apple's AirPlay protocol that can compromise Apple devices as well as AirPlay supported devices that use the AirPlay SDK. These attacks can be carried out over the network and on nearby devices, since AirPlay supports peer-to-peer connections. Among the AirBorne class of vulnerabilities, there are multiple vulnerabilities that lead to remote code execution, access control bypass, privilege escalation and sensitive information disclosure. When chained together, the vulnerabilities allowed us to fully compromise a wide range of devices from Apple and other vendors. In this talk, we'll demonstrate full exploits on three kinds of devices: MacBook, Bose speaker and a Pioneer CarPlay device. We will reveal, for the first time, the technical details of the Zero-Click RCE vulnerabilities impacting nearly every AirPlay-enabled device, including IoT devices that may take years to update and some that may never be patched.

By: Gal Elbaz | Co-Founder & CTO, Oligo Security; Avi Lumelsky | AI Security Researcher, Oligo Security; Uri Katz | Senior Vulnerability Researcher, Oligo Security

Full Session Details Available at: https://ift.tt/MeBTz9a

source https://www.youtube.com/watch?v=cNCSml35wLU

Thursday, 26 February 2026

Black Hat USA 2025 | Watching the Watchers: Exploring and Testing Defenses of Anti-Cheat Systems

Anti-cheat is a gold mine of interesting, novel defenses—battle-hardened from years of attrition in a defender's worst nightmare. It's time we start digging. This talk will present new work on video game anti-cheats, highlighting how they are among the most widely deployed and resilient software defenses in the industry. We will outline the key difficulties in analyzing anti-cheats and then dissect some key behaviors to explain how such systems protect game software in hostile environments. We investigate past scenarios where anti-cheats have pioneered novel defense measures against cheating techniques, which later became relevant when deployed by serious threat actors. These cheating methods, used by groups such as Scattered Spider, Earth Longzhi, and Lazarus, in APT and ransomware attacks, are commonly handled by anti-cheat systems. If some victims had been playing Fortnite at the time of intrusion - it would have stopped real attacks. We show how the strength of these defense methods can be tested, running grey box tests to 'prod the bear' and measure reactions. Using this data, we rank solutions based on technical strength. We unveil a flourishing underground ecosystem generating millions in sales each year, where the driving factor of prices seems to be directly influenced by the strength of the anti-cheat. By scraping cheat marketplaces, we also show the real effect of strong defences on attacker downtime. Come join our talk to learn about state-of-the-art defense & resilience techniques, as deployed in games such as Fortnite, CS2, Valorant, and more.

By: Marius Muench | Assistant Professor, University of Birmingham, UK; Sam Collins | PhD Researcher, University of Birmingham, UK; Tom Chothia | Professor, University of Birmingham

Presentation Materials Available at: https://ift.tt/nmZ28Dd

source https://www.youtube.com/watch?v=lAW2mAl96KI

Black Hat USA 2025 | The First 30 Months of Psychological Manipulation of Humans by AI

In our highly rated 2023 talk "Evil Digital Twin", we warned that large language models (LLMs) were exploiting the cognitive vulnerabilities of their users, and that humans would perceive AI as sentient long before true artificial general intelligence emerges. Twenty-four months later, the situation has escalated rapidly, and many of our predictions have become realities, rewriting our civilization's core realities. Join us for a two-year check-in, as we discuss how human digital twins (HDTs) trained on the core patterns of human individuals are being deployed at scale to simulate everything from human i workflows to relationships. Cyberattack stakeholders have taken notice of the capabilities of LLMs in exploiting human social norms, cognitive bias, and perceptual limitations. We will detail a present where longitudinal interaction data is facilitating low-cost social engineering labor and high-power AI-human hybrid attacks. We will also explore a coming future of persistent cognitive cyberwarfare, escalating as the cost of deception approaches zero, and the attack surface shifts from networks to minds. Audience members will interact with a human digital twin of a Supreme Court justice, meet a perfect AI assistant for insider threat, and leave with a NIST research-based LLM that speaks in phishing emails. Get a sneak peek at research in collaboration with the US Military Academy (USMA) at West Point that pits humans and human digital twins against one another in competitions of manipulation and deception. We will finally talk about a brighter future that is still attainable, where AI natives, those that have grown up in a context suffused by AI, can help us to build defensive posture that extends beyond infrastructure to include cognitive security, protecting not just digital systems, but the systems that underpin civilization and the human beings they serve.

By: Ben D. Sawyer | Associate Professor of Industrial Engineering, University of Central Florida; Matthew Canham | Executive Director, Cognitive Security Institute

Presentation Materials Available at: https://ift.tt/sp79knj

source https://www.youtube.com/watch?v=XOMJcT-DrlY

Black Hat USA 2025 | Conjuring Hardware Failures to Breach CPU Privilege Boundaries

Catastrophic hardware failures. From an aging I/O device to cosmic ray bit flips, memory degradation to CPU fires. When an unrecoverable hardware error is detected, the common platform response is to generate a Machine Check Exception, and shut down before the problem gets worse. In this talk, we'll see what happens when we circumvent all the traditional fail safes. What happens when, instead of exceptionally rare failures from natural causes, we deliberately create these fatal events from software. When instead of a platform shutdown, we force the system to limp along, damaged but alive. We'll show how carefully injecting these signals during privileged CPU operations can disrupt secure transitions, how those disruptions progress to cascading system failures, and how to ride the chaos to gain hardware privilege escalation. Finally, we'll see how to undo the damage, recover from the unrecoverable, and let the system continue as if nothing happened - now with a foothold in privileged space, all through hardware failure events synthesized through software-only attacks. We'll conclude by showing how to use this previously unknown vector against [redacted], to reveal another [redacted] hardware vulnerability, and walk through a brave new world of machine check research opportunities - for both attackers and defenders - across technologies and architectures.

By: Christopher Domas | Independent Security Researcher, Dazzle Cat Duo

Presentation Materials Available at: https://ift.tt/4C2KB1D

source https://www.youtube.com/watch?v=MMaRq6ac41c

Wednesday, 25 February 2026

Black Hat USA 2025 Keynote | From Slide Rules to GenAi

Keynote: From Slide Rules to GenAi - Musings of a Graybeard Public Servant on What's Changing, What's Not, and What Should

Global reliance on distributed digital infrastructure has created unprecedented opportunities alongside dangerous vulnerabilities, as traditional stabilizing forces lose their beneficial inertia and transformative technologies, nationalism and fragmented regulation reshape the landscape. Fragile supply chains heighten systemic risks and threats from cyberattacks, climate disruptions, and technological dislocations now propagate faster and hit harder, overwhelming traditional risk management as defense responsibilities shift toward private actors. Success requires integrating resilience with innovation, fostering unified coalitions, and adopting systems-level thinking that aligns technical, strategic, and human factors—with those who can adapt and lead in resilience positioned to thrive amid ongoing instability and accelerating change.

By: Chris Inglis | Former US National Cyber Director, MITRE Trustee

Full Session Details Available at: https://ift.tt/yzKUI7X

source https://www.youtube.com/watch?v=bARa6fr8frU

Black Hat USA 2025 | Enhancing Command Line Classification with Benign Anomalous Data

Anomaly Detection Betrayed Us, so We Gave It a New Job: Enhancing Command Line Classification with Benign Anomalous Data

Anomaly detection in cybersecurity has long promised the ability to identify threats by highlighting deviations from expected behavior. For classifying malicious command lines, however, its practical application often results in high false positive rates, making it expensive and inefficient. But is that the whole story for command line anomaly detection? With recent innovations in AI, is there a new angle that we have yet to explore? In this Briefing, we will explore that question by developing a pipeline that does not depend on anomaly detection as a point of failure. By combining anomaly detection with large language models (LLMs), we can confidently identify critical data that can be used to augment a dedicated command line classifier. Using anomaly detection to feed a different process avoids the potentially catastrophic false positive rates of an unsupervised method. Instead, we create improvements in a supervised model targeted towards classification. Unexpectedly, the success of this method did not depend on anomaly detection locating malicious command lines. We gained a valuable insight: anomaly detection, when paired with LLM-based labeling, yields a remarkably diverse set of benign command lines. Leveraging this benign data when training command line classifiers significantly reduces false positive rates. Furthermore, it allows us to use plentiful existing data without the needles in a haystack that are malicious command lines in production data. Attendees will gain an understanding of the methodology of our experiment, highlighting how diverse benign data identified through anomaly detection broadens the classifier's understanding and contributes to creating a more resilient detection system.
By shifting focus from solely aiming to find malicious anomalies to harnessing benign diversity, we offer a potential paradigm shift in command line classification strategies. Learn how to easily implement this method in your detection systems at a large scale and low cost.

By: Ben Gelman | Senior Data Scientist, Sophos; Sean Bergeron | Senior Data Scientist, Sophos

Presentation Materials Available at: https://ift.tt/UAroVyd

source https://www.youtube.com/watch?v=om5x9aFrnLE

Tuesday, 24 February 2026

Black Hat USA 2025 | FACADE: High-Precision Insider Threat Detection Using Contrastive Learning

While insider threats are a critical risk to organizations, little is publicly known about how to detect those attacks effectively. To help address this gap, we present FACADE: Fast and Accurate Contextual Anomaly DEtection, Google's internal AI system for detecting malicious insiders. FACADE has been used successfully to protect Alphabet by scanning billions of events daily over the last 7 years. At its core, Facade is a novel self-supervised ML system that detects suspicious actions by considering the context surrounding each action. It uses a custom multi-action-type model trained on corporate logs of document accesses, SQL queries, and HTTP/RPC requests. Critically, FACADE leverages a novel contrastive learning strategy that relies solely on benign data to overcome the scarcity of incident data. Beyond its core algorithm, Facade also leverages an innovative clustering approach to further improve detection robustness. This combination of innovative techniques led to unparalleled accuracy with a false positive rate lower than 0.01%. For single rogue actions, such as the illegitimate access to a sensitive document, the false positive rate is as low as 0.0003%. Beyond presenting the underlying technology powering Facade during this talk, we will showcase how to use the just-released Facade open-source version so you can use it to protect your own organizations.

By: Alex Kantchelian | Staff Software Engineer, Google; Elie Bursztein | Security & Anti-Abuse Research Lead, Google; Birkett Huber | Senior Software Engineer, Google; Casper Neo | Senior Software Engineer, Google; Sadegh Momeni | Senior Software Engineer, Google; Yanis Pavlidis | Senior Software Engineering Manager, Google; Ryan Stevens | Senior Software Engineer, Google

Presentation Materials Available at: https://ift.tt/OB9YR5u

source https://www.youtube.com/watch?v=3CV1efZSHmQ

Monday, 23 February 2026

Black Hat USA 2025 | Breaking Out of The AI Cage: Pwning AI Providers with NVIDIA Vulnerabilities

The overwhelming majority of AI applications run on NVIDIA hardware and software and use NVIDIA tools to containerize and isolate applications running on the same infrastructure. A vulnerability in this single point of failure could allow the breakdown of security mechanisms and takeover of the AI infrastructure. In this research project, we managed to prove this scenario is indeed possible. We found a critical vulnerability in one of the foundational software components that powers all the world's AI managed infrastructure: the NVIDIA Container Toolkit. This vulnerability allows an attacker to escape from the container to the underlying host and often compromise the entire Kubernetes cluster. We tested this vulnerability on all major AI platforms, all of which proved to be susceptible to this attack. In some cases, the container escape was sufficient to prove unauthorized cross-tenant data access, including credentials and customer data, breaching the platform's foundational security model. We'll take a deep dive into two case studies with completely different results: Replicate and DigitalOcean. In this talk, we will dive into our findings, starting from the discovery of the vulnerability itself, through its real-world exploitation on AI cloud services, finishing with the details of industry-wide impact. Attendees will learn about how major cloud services operate their security behind the scenes and the lessons they can apply to their own environment.

By: Andres Riancho | Security Researcher, Wiz; Hillai Ben-Sasson | Security Researcher, Wiz; Ronen Shustin | Security Researcher, Wiz

Presentation Materials Available at: https://ift.tt/EsT7Fe9

source https://www.youtube.com/watch?v=5RH0StmV7Eo

Black Hat USA 2025 | Autonomous Timeline Analysis and Threat Hunting: An AI Agent for Timesketch

Digital incident timeline analysis is a complex and time-consuming task. It demands highly skilled professionals with deep domain knowledge, who must invest significant time, sometimes weeks, to unravel difficult cases. Investigators must reconstruct event timelines, from initial access to exploitation and lateral movement, by sifting through hundreds of millions of log records from hundreds of different and potentially unfamiliar log types. Log-normalization and collaborative analysis tools like Plaso and Timesketch offer valuable assistance, yet the cost in time and expertise remains substantial. In this talk, we present the first AI-powered agent capable of autonomously performing digital forensic analysis on the large and varied log volumes typically encountered in real-world incidents. Furthermore, we demonstrate the agent's proficiency in threat hunting, that is, identifying and explaining evidence of system compromise without needing predefined attack signatures. We evaluate our technique on a dataset of 100 diverse, real-world compromised systems. The agent achieves high recall and precision on finding and contextualizing individual log records pertaining to the overall attack chain. This performance is driven by a core combining sophisticated prompting techniques and reinforcement learning.

By: Alex Kantchelian | Staff Software Engineer, Google; Maarten van Dantzig | Senior Security Engineer, Google; Diana Kramer | Senior Security Engineer, Google

Presentation Materials Available at: https://ift.tt/C3Z5sHB

source https://www.youtube.com/watch?v=9EA7kz4bGvQ

Sunday, 22 February 2026

Black Hat USA 2025 | AI Enterprise Compromise - 0click Exploit Methods

Compromising a well-protected enterprise used to require careful planning, proper resources, and the ability to execute. Not anymore! Enter AI. Initial access? AI is happy to let you operate on its users' behalf. Persistence? Self-replicate through corp docs. Data harvesting? AI is the ultimate data hoarder. Exfil? Just render an image. Impact? So many tools at your disposal. There's more. You can do all this as an external attacker. No credentials required, no phishing, no social engineering, no human-in-the-loop. In-and-out with a single prompt. Last year at Black Hat USA, we demonstrated the first real-world exploitation of AI vulnerabilities impacting enterprises, living off Microsoft Copilot. A lot has changed in the AI space since... for the worse. AI assistants have morphed into agents. They read your search history, emails and chat messages. They wield tools that can manipulate the enterprise environment on behalf of users – or a malicious attacker once hijacked. We will demonstrate access-to-impact AI vulnerability chains in most flagship enterprise AI assistants: ChatGPT, Gemini, Copilot, Einstein, and their custom agent. Some require one bad click by the victim, others work with no user interaction – 0click attacks. The industry has no real solution for fixing this. Prompt injection is not another bug we can fix. It is a security problem we can manage! We will offer a security framework to help you protect your organization–the GenAI Attack Matrix. We will compare mitigations set forth by AI vendors, and share which ones successfully prevent the worst 0click attacks. Finally, we'll dissect our own attacks, breaking them down into basic TTPs, and showcase how they can be detected and mitigated.

By: Michael Bargury | CTO, Zenity; Tamir Ishay Sharbat | AI Researcher, Zenity

Full Session Details Available at: https://ift.tt/bsKoH0d

source https://www.youtube.com/watch?v=M_BDq2hTJxU