Sunday, 22 February 2026

Black Hat USA 2025 | AI Enterprise Compromise - 0click Exploit Methods

Compromising a well-protected enterprise used to require careful planning, proper resources, and the ability to execute. Not anymore! Enter AI. Initial access? AI is happy to let you operate on its users' behalf. Persistence? Self-replicate through corp docs. Data harvesting? AI is the ultimate data hoarder. Exfil? Just render an image. Impact? So many tools at your disposal. There's more. You can do all this as an external attacker. No credentials required, no phishing, no social engineering, no human-in-the-loop. In-and-out with a single prompt. Last year at Black Hat USA, we demonstrated the first real-world exploitation of AI vulnerabilities impacting enterprises, living off Microsoft Copilot. A lot has changed in the AI space since... for the worse. AI assistants have morphed into agents. They read your search history, emails and chat messages. They wield tools that can manipulate the enterprise environment on behalf of users – or a malicious attacker once hijacked. We will demonstrate access-to-impact AI vulnerability chains in most flagship enterprise AI assistants: ChatGPT, Gemini, Copilot, Einstein, and their custom agent . Some require one bad click by the victim, others work with no user interaction – 0click attacks. The industry has no real solution for fixing this. Prompt injection is not another bug we can fix. It is a security problem we can manage! We will offer a security framework to help you protect your organization–the GenAI Attack Matrix. We will compare mitigations set forth by AI vendors, and share which ones successfully prevent the worst 0click attacks. Finally, we'll dissect our own attacks, breaking them down into basic TTPs, and showcase how they can be detected and mitigated.
By: Michael Bargury | CTO, Zenity; Tamir Ishay Sharbat | AI Researcher, Zenity
Full Session Details Available at: https://ift.tt/bsKoH0d

source https://www.youtube.com/watch?v=M_BDq2hTJxU

Black Hat USA 2025 | Vaulted Severance: Your Secrets Are Now Outies

Enterprise vaults are meant to be the last line of defense – the trusted stronghold for your organization's most sensitive assets: secrets, credentials, and encryption keys. But what if the vault itself can be breached remotely – without even logging in? In this session, we disclose two novel, confirmed remote code execution (RCE) chains affecting the world's most widely adopted vault systems: HashiCorp Vault and CyberArk Conjur. For the first time, we demonstrate a full RCE chain in HashiCorp Vault, coinciding with its 10-year anniversary. For CyberArk Conjur, we present the kind of pre-auth RCE that keeps admins up at night. This isn't theoretical. We'll show it live on stage – against default, out-of-the-box configurations. And just as importantly, we'll walk through how these attacks can be detected and prevented – before your secrets become outies.
By: Shahar Tal | CEO, Cyata Security; Yarden Porat | Core Team Engineer, Cyata Security
Full Session Details Available at: https://ift.tt/cSlOefs

source https://www.youtube.com/watch?v=KC-8DhS8x5Q

Saturday, 21 February 2026

Black Hat USA 2025 | A Fireside Chat with Cognitive Scientist and AI Expert Gary Marcus

Cybersecurity, AI, and Our Brains. A Fireside Chat with Cognitive Scientist and AI Expert Gary Marcus
Join us for a fireside chat with cognitive scientist Gary Marcus as we explore the new but often overhyped world of AI oracles and assistants. For the time being, the most valuable resource for security professionals and hackers isn't cutting-edge tools or vendor-purchased products. It's our brains. Our discussion examines the hype surrounding generative AI and the effects of treating it like a magic wand instead of a tool in our toolkit. We address the potential pitfalls that arise from the overuse of AI tools for cognitive offloading and discuss mitigation strategies to protect ourselves from these risks.
By: Gary Marcus | Founder and Executive Chairman, Robust AI; Nathan Hamiel | Senior Director of Research, Kudelski Security
Full Session Details Available at: https://ift.tt/yeWDK6n

source https://www.youtube.com/watch?v=e69OE0ZjskA

Black Hat USA 2025 | Hacking the Status Quo: Tales From Leading Women in Cybersecurity

Join us for an inspiring conversation with leading women in cybersecurity, each bringing a wealth of experience spanning deep technical research, engineering, and various aspects of security leadership. In this panel, they will share their journeys, challenges, and triumphs in the ever-evolving world of cybersecurity. Whether you're a mid-career professional or a seasoned professional, this session offers a rare chance to connect directly with trailblazers who are shaping the future of the industry. Ask questions, gain real-world insights, and walk away with practical takeaways, renewed motivation, and a sense of community. Let's talk about careers, challenges, and the power of perseverance and purpose in cybersecurity.
By: Valentina Palmiotti | Head of X-Force Offensive Research (XOR), IBM; Kymberlee Price | Engineering Response Founder + CEO, Zatik Security; Chi-en (Ashley) Shen | Security Research Engineering Technical Leader, Cisco Talos; Natalie Silvanovich | Team Lead & Security Engineer, Google Project Zero; Vandana Verma | Black Hat USA Review Board Member
Full Session Details Available at: https://ift.tt/lpcAh4s

source https://www.youtube.com/watch?v=8V4i8TW1YXU

Friday, 20 February 2026

Black Hat USA 2025 | Exploiting DNS for Stealthy User Tracking

Who needs AI when raw statistics can do the job just as well—if not better? Every Domain Name System (DNS) query leaves a trail, and with the right statistical techniques, you can uncover user behaviors, fingerprint devices, and even track individuals across networks. This session dives into how simple yet powerful methods like frequency analysis, correlation metrics, and anomaly detection can turn DNS traffic into a goldmine of intel. We dissected over 1.5 billion DNS requests from 30,000 iOS and Android devices over a 30-day period, and the results are eye-opening. Within just minutes of observing DNS traffic, devices begin to reveal their unique fingerprints. Given only a few hours, accurate identification becomes a certainty. But here's where it gets even more interesting—iOS devices flood the network with repetitive DNS requests, hitting the same domains over and over, while Android devices operate nearly 10x more efficiently, generating far less noise. This difference isn't just a curiosity—it's the key to our findings. With as little as 20% of DNS traffic for both iOS and Android, device tracking becomes shockingly precise. Our research shows that simple statistical techniques are more than enough to achieve highly accurate tracking—no need for AI or complex models. This paves the way for real-world applications, especially in resource-constrained environments like routers, and, in general, in embedded systems. The combination of simplicity, accuracy, and scalability makes the technique a great candidate for large-scale deployments. Of course, where there's a method, there's a defense. We'll also explore countermeasures to mitigate these vulnerabilities. To this end, DNSSEC and other secure protocols offer some level of protection—though as we'll demonstrate, true privacy is much harder to achieve than most expect. 
By: Bela Genge | Senior Security Researcher, Bitdefender; Ioan Padurean | Junior Security Researcher, Bitdefender; Dan Macovei | Director of Product Management
Presentation Materials Available at: https://ift.tt/5XLF28r

source https://www.youtube.com/watch?v=xQy1YcLK1Ak

Black Hat USA 2025 | From Prompts to Pwns: Exploiting and Securing AI Agents

The flexibility and power of large language models (LLMs) are now well understood, driving their integration into a wide array of real-world applications. Early use cases, such as retrieval-augmented generation (RAG), followed rigid, predictable workflows where models interacted with external systems in tightly controlled sequences. While these systems were easier to optimize and secure, they often resulted in inflexible, single-purpose tools. In contrast, modern agentic systems leverage expanded input modalities, such as speech and vision, and use more sophisticated inference strategies, such as dynamic chain-of-thought reasoning. These advancements allow them to act independently on users' behalf to automate increasingly complex workflows, often involving sensitive data and systems. As their utility increases, so too does their attack surface: more usability means broader access to data, greater ability to execute actions, and significantly more opportunity for exploitation. In this talk, we will explore the emerging security challenges posed by agentic AI systems. We demonstrate the implications of this significant shift through internal assessments and proof-of-concept exploits developed by our AI Red Team, targeting a range of agentic applications, from popular open-source tools to enterprise systems. These exploits all leverage the same core finding: that LLMs are uniquely vulnerable to malicious input, and exposure to such input can have a significant impact on the trust of downstream actions. In short, we lay out what can go wrong when agentic systems vulnerable to adversarial inputs are deployed within enterprise environments. We conclude by discussing how NVIDIA addresses the security of emerging agentic workflows, and our principles for designing agent interactions in ways that mitigate risk, emphasizing a security-first foundation for safe and scalable adoption. 
By: Rebecca Lynch | Offensive Security Researcher, NVIDIA; Rich Harang | Principal Security Architect, NVIDIA
Presentation Materials Available at: https://ift.tt/FjcC9HR

source https://www.youtube.com/watch?v=zipgr080EQU

Thursday, 19 February 2026

Black Hat Europe 2025 Highlights | Record‑Breaking 4,500+ Attendees

Setting a new attendance record with more than 25% growth, Black Hat Europe 2025 brought together more than 4,500 security professionals from across the globe, showcasing the research, insights, and innovations shaping the future of cybersecurity. This year’s event delivered:
✔️ Cutting‑edge content from top researchers and practitioners
✔️ Hands‑on learning through labs, workshops, and demos
✔️ A high‑energy Business Hall featuring the world’s leading security organizations
From breakthrough briefings to unmatched networking opportunities, Black Hat Europe 2025 set the stage for the next evolution of cyber defense.
Upcoming Black Hat events: https://ift.tt/CBkqYPK
Become a sponsor: https://ift.tt/QPgoqcV
#BlackHatEurope #BHEU #Cybersecurity #InfoSec #BlackHat

source https://www.youtube.com/watch?v=tfptvW07N-E

Wednesday, 18 February 2026

Black Hat USA 2025 | Locknote: Conclusions & Key Takeaways from Black Hat USA 2025

Join Black Hat USA Review Board Members for a compelling discussion on the most pressing issues facing the InfoSec community today. This distinguished panel will analyze key conference takeaways and provide valuable insights on how emerging trends will shape future security strategies. Don't miss this opportunity to hear candid perspectives from some of cybersecurity's most influential voices.
By: Heather Adkins | Security Engineering; Daniel Cuthbert | Global Head of Security Research; Aanchal Gupta | Chief Security Officer, Adobe; Jason Haddix | CEO, Hacker & Trainer, Arcanum Information Security; Jeff Moss | Founder, Black Hat and DEF CON
Full Session Details Available at: https://ift.tt/Ne6kX0d

source https://www.youtube.com/watch?v=DmXlafnjn0M

Tuesday, 17 February 2026

Black Hat USA 2025 | Advanced Active Directory to Entra ID Lateral Movement Techniques

Is there a security boundary between Active Directory and Entra ID in a hybrid environment? The answer to this question, while still somewhat unclear, has changed over the past few years as there has been more hardening of how much "the cloud" trusts data from on-premises. The reason for this is that many threat actors, including APTs, have been making use of known lateral movement techniques to compromise the cloud from AD. In this talk, we will take a deep dive together into Entra ID and hybrid AD trust internals. We will introduce several new lateral movement techniques that allow us to bypass authentication, MFA and stealthily exfiltrate data using on-premises AD as a starting point, even in environments where the classical techniques didn't work. All these techniques are new, not really vulnerabilities, but part of the design. Several of them have been remediated with recent hardening efforts by Microsoft. Very few of them leave useful logs behind when abused. As you would expect, none of these "features" are documented. Join me for a wild ride into Entra ID internals, undocumented authentication flows and tenant compromise from on-premises AD.
By: Dirk-jan Mollema | Security Researcher, Outsider Security
Presentation Materials Available at: https://ift.tt/X4g86EP

source https://www.youtube.com/watch?v=rzfAutv6sB8

Friday, 13 February 2026

Black Hat USA 2025 | Keynote: Threat Modeling and Constitutional Law

The legal system is terrible at threat modeling. It trusts the wrong insiders, overreacts to outsider threats, and is stodgy and sclerotic when circumstances shift. In this talk, Jennifer Granick examines constitutional law doctrines' longstanding mistakes in threat modeling—mistakes that civil libertarians have warned about for years. These missteps make it particularly difficult for Congress, the Courts, and the public to navigate the evolving legal and political landscape ushered in by the Trump Administration.
By: Jennifer Granick | Surveillance and Cybersecurity Counsel, ACLU
Full Session Details Available at: https://ift.tt/y7hK3XE

source https://www.youtube.com/watch?v=H0bM5q5TtC0

Wednesday, 21 January 2026

Your Traffic Doesn't Lie: Unmasking Supply Chain Attacks via Application Behaviour

Supply chain compromises like the 2020 SolarWinds breach have shown how devastating and stealthy these attacks can be. Despite advances in provenance checks (i.e., SLSA), SBOMs, and vendor vetting, organizations still struggle to detect compromises that come in via trusted apps. In this talk, we unveil BEAM (Behavioral Evaluation of Application Metrics), an open source tool that contains a novel technique for detecting supply chain attacks purely from web traffic—no endpoint agents, no code instrumentation, just insights from the network data you're probably already collecting. We trained BEAM using over 40 billion HTTP/HTTPS transactions across thousands of global organizations. By applying LLMs to map user agents to specific apps, extracting 65 behavioral signals, and building application-specific baselines, BEAM detects deviations with over 95% accuracy—and up to 99% for highly predictable applications. It's fast, automated, and doesn't rely on vendor cooperation or manual tuning. We'll walk through how BEAM works under the hood: from enriching noisy traffic data to behavioral modeling and surfacing anomalies that reveal active compromises. Alongside prebuilt models for eight popular applications, we'll also show how organizations can build custom models for internal apps, enabling scalable monitoring for both off-the-shelf and bespoke software. This approach is new, highly effective, and purpose-built for threats that continue to bypass traditional defenses. By focusing on how applications behave—not just who built them or where they came from—BEAM gives defenders a powerful new signal against a threat that's been challenging to defend against. This session includes a live demo and practical takeaways for defenders, researchers, and security engineers alike.
By: Colin Estep | Principal Engineer, Netskope; Dagmawi Mulugeta | Staff Threat Research Engineer, Netskope
Presentation Materials Available at: https://ift.tt/pAB1ezW

source https://www.youtube.com/watch?v=UGB5W-yJCrQ