Key Takeaways from DEF CON 2022

Authors: Jeff Standley and Derek Van Natta

Type: Article

Topics: Cybersecurity

Members of ACA Aponix’s penetration testing team, Jeff Standley, Senior Principal Consultant, and Derek Van Natta, Consultant, attended DEF CON, one of the world’s largest and most prominent annual hacker conferences, on August 11-14, 2022. Crowds of information security professionals, journalists, lawyers, federal employees, law enforcement agents, students, and hackers alike gathered at DEF CON’s 30th convention to talk all things hacking and cybersecurity.

Read Jeff and Derek’s Q&A below for a breakdown of what they learned about the industry’s newest trends, tools, and attack vectors.

Are there any emerging attack trends for which our clients should be on the lookout?

OAuth attack techniques against Microsoft® Office 365®

Attack techniques involving Open Authorization (OAuth), an open standard for access delegation, and directed at Microsoft Office 365 (O365) are becoming more mature and effective. Jenko Hwong, a principal engineer at Netskope, delved deeply into this emerging trend in his presentation “OAuthsome Magic Tricks Yet More OAuth Abuse”. Because the attack method closely resembles a standard O365 user’s experience with corporate applications, and because users typically do not have a clear understanding of how the underlying application authorization process works, this technique is ripe for abuse.

Implications

By registering a fake OAuth application within O365, an attacker could use that application in an illicit consent grant phishing attack to obtain permissions to the victim’s O365 resources. Microsoft defines this as an attack where “the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data. . . .”

A successful phish would present the victim with a login session at a legitimate O365 endpoint, where the victim is asked to approve vaguely worded permission grants for the attacker’s application. Because the login session is to a legitimate O365 endpoint, it could bypass many current phishing controls that rely on blocking malicious sites or sites with a low reputation score. Once permissions are granted, the attacker could use the application’s identity to access the granted resources within the victim’s O365 environment.

End-user education on granting application permissions will be key to preventing this newly maturing attack vector. ACA’s penetration test team expects criminal communities to propagate these attacks increasingly, as well as to develop additional automated tooling to carry them out.
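Alongside user education, defenders can review consent grants that already exist in a tenant for the pattern described above: a user (not an admin) consenting to broad data access for an application from an unverified publisher. The following is an added example written for this article, not ACA’s tooling or any Microsoft API; it assumes a simplified grant record (the field names are an assumption) that you would populate from your own tenant’s consent audit data, and uses constructed sample grants with placeholder application ids.

```python
from dataclasses import dataclass

# Delegated Microsoft Graph scopes that give an app broad access to a user's data.
# Real scope names, but the list is an assumption and not exhaustive.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                    "Contacts.Read", "Directory.Read.All", "offline_access"}

@dataclass
class ConsentGrant:
    app_name: str
    app_id: str               # client id of the registered application (placeholder values below)
    publisher_verified: bool  # whether the app comes from a verified publisher
    consent_type: str         # "user" (self-service consent) or "admin"
    scopes: frozenset         # delegated permissions the app was granted
    user: str                 # account that consented

def score_grant(grant: ConsentGrant) -> int:
    """Return a review-priority score for one consent grant; higher means review sooner."""
    risky = grant.scopes & HIGH_RISK_SCOPES
    score = 2 * len(risky)
    if not grant.publisher_verified:
        score += 3
    if grant.consent_type == "user" and risky:
        # A user, not an admin, consented to broad data access: the shape of an
        # illicit consent grant phish.
        score += 3
    if "offline_access" in grant.scopes:
        score += 1  # a refresh token keeps the app's access alive after the session ends
    return score

def triage_consents(grants, threshold=5):
    """Return (app_name, user, score, risky scopes) for grants scoring >= threshold, worst first."""
    findings = [(g.app_name, g.user, score_grant(g), sorted(g.scopes & HIGH_RISK_SCOPES))
                for g in grants if score_grant(g) >= threshold]
    return sorted(findings, key=lambda f: -f[2])

# Constructed sample grants with placeholder app ids; not data from any real tenant.
SAMPLE_GRANTS = [
    ConsentGrant("Contoso Expense Portal", "00000000-0000-0000-0000-000000000001", True, "admin",
                 frozenset({"User.Read"}), "alice@example.com"),
    ConsentGrant("Doc Viewer Pro", "00000000-0000-0000-0000-000000000002", False, "user",
                 frozenset({"Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"}), "bob@example.com"),
    ConsentGrant("Calendar Sync", "00000000-0000-0000-0000-000000000003", True, "user",
                 frozenset({"Calendars.Read"}), "carol@example.com"),
]

if __name__ == "__main__":
    for finding in triage_consents(SAMPLE_GRANTS):
        print(finding)
```

Only the unverified, user-consented app with mail and file access is returned for review; the admin-approved and low-scope grants fall below the threshold.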

Exploitation of K8s weaknesses

Major corporations and organizations globally have dramatically increased their adoption of Kubernetes (K8s), an open-source container orchestration system for automating the deployment, scaling, and management of containerized applications. Containerization provides significant benefits in numerous business scenarios, which explains the uptick in adoption. Attackers are taking notice and actively exploiting weaknesses in the configuration of these clusters. At least seven distinct methods to escalate privileges or bypass controls in order to compromise individual containers were demonstrated at the conference.

Implications

Though navigating a cluster to perform these attacks requires a basic knowledge of K8s, the attacks themselves mirror decade-old approaches used in penetration testing of systems and networks. This arena of new technology will force businesses to take a deeper look at their containers, with specific analysis and testing, to avoid falling victim to active exploitation attempts.

What tool or tactic that you learned about was most impactful?

“TeamFiltration” – Both an attack tool and a cybersecurity tool

An offensive security tool, “TeamFiltration,” developed by Melvin Langvik of TrustedSec and released at this year’s DEF CON conference, focuses on the abuse of the Microsoft Teams application and the extensive permissions that application has on a user’s O365 resources. Langvik observed that while multifactor authentication (MFA) was widely deployed across client O365 environments, a gap often existed when the Microsoft Teams desktop client application was used to authenticate to O365. The researcher deduced that this gap in MFA coverage may result from how obscure it is to enable MFA for this specific access method. Because the Teams application has rights in many environments to read and write emails for the authenticated user, to read and modify the user’s OneDrive files, and to read Azure Active Directory (AAD) objects, the tool is able to consolidate and automate many common enumeration and attack methods used against O365 environments.

Implications

“TeamFiltration” can be used to conduct account enumeration and password spraying attacks (low-volume brute-force logins that try common or default passwords across many usernames) against O365 to help an attacker gain an initial foothold within a company’s tenant environment. Once initial access is obtained, attackers can use the ability to pull a full listing of AAD user accounts to widen the password spray attack surface, possibly leading to additional account compromises. Moreover, the ability to download and parse emails and OneDrive files belonging to compromised accounts lessens the burden on an attacker by reducing the need to manually scour such data for avenues of lateral movement and privilege escalation within the environment. While “TeamFiltration” can be a tool for bad actors, it is expected to aid offensive security consultants in identifying security gaps through the toolset’s ability to evaluate O365 environments for common attack paths.
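The two behaviours described above leave traces in sign-in telemetry: a spray shows up as one source address failing logins for many distinct accounts in a short window, and the Teams MFA gap shows up as successful sign-ins through that client that never satisfied MFA. The following is an added example written for this article, not TeamFiltration or any Microsoft tooling; it assumes a simplified CSV export of sign-in events (the column names are an assumption) and runs both checks over constructed sample rows.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sign-in records (not real tenant data); the columns are an assumed simplified shape.
SAMPLE_SIGNINS = """\
time,user,source_ip,client_app,result,mfa_satisfied
2022-08-12T09:00:01,alice@example.com,203.0.113.10,Microsoft Teams,failure,no
2022-08-12T09:00:09,bob@example.com,203.0.113.10,Microsoft Teams,failure,no
2022-08-12T09:00:17,carol@example.com,203.0.113.10,Microsoft Teams,failure,no
2022-08-12T09:00:25,dave@example.com,203.0.113.10,Microsoft Teams,failure,no
2022-08-12T09:00:33,erin@example.com,203.0.113.10,Microsoft Teams,success,no
2022-08-12T09:30:00,frank@example.com,198.51.100.7,Browser,success,yes
2022-08-12T09:31:00,frank@example.com,198.51.100.7,Browser,failure,no
"""

def parse_signins(text):
    """Parse the CSV export into dicts, converting the timestamp to a datetime."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return rows

def detect_password_spray(rows, window=timedelta(minutes=10), min_users=4):
    """Map source IP -> number of distinct accounts it failed to log into within one window."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["result"] == "failure":
            by_ip[r["source_ip"]].append(r)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda r: r["time"])
        for i, start in enumerate(fails):  # slide the window over each failure in turn
            users = {r["user"] for r in fails[i:] if r["time"] - start["time"] <= window}
            if len(users) >= min_users:
                hits[ip] = len(users)
                break
    return hits

def single_factor_client_signins(rows, clients=("Microsoft Teams",)):
    """Successful sign-ins through the named client apps that did not satisfy MFA."""
    return [(r["user"], r["source_ip"]) for r in rows
            if r["result"] == "success" and r["client_app"] in clients and r["mfa_satisfied"] != "yes"]

if __name__ == "__main__":
    rows = parse_signins(SAMPLE_SIGNINS)
    print("spray sources:", detect_password_spray(rows))
    print("single-factor client sign-ins:", single_factor_client_signins(rows))
```

In the sample, 203.0.113.10 fails four distinct accounts within 24 seconds and then succeeds against a fifth through Teams without MFA; the single browser failure from 198.51.100.7 is ordinary noise and is not reported.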

Untested technology

Throughout the conference, speakers gave a variety of hardware and Internet of Things (IoT) hacking talks. One stood out from the rest: a young researcher used commonly available hardware to build a $25 “modchip” (a small electronic device that alters or disables a device’s capabilities or restrictions) to compromise his SpaceX Starlink terminal, and thereby its network traffic and even proprietary data. Though many of the techniques used in the compromise were not new, the researcher made clever use of the technology to take advantage of missing security controls; companies like SpaceX should be integrating security controls into their devices and products as a standard, rather than as a response to such findings.

Implications

Any company whose business participates in or relies on untested hardware should question the potential impact such devices could have on the organization or its customers, especially if the devices are compromised and/or their services are rendered unavailable. This demonstration at DEF CON is a poignant reminder to always conduct due diligence on all critical vendors, such as hardware and internet providers, to determine how they test their technology for security flaws, address their findings, and otherwise take steps to protect customer data.

What was the most unexpected takeaway from your time at DEF CON?

Issues stemming from cloud computing environments

It may not be unexpected that research and developments within the hacking community confirm that computer technology and its security issues continue on a steady trajectory, with increasing focus on both cloud and IoT devices. However, the growth in both the usage and the complexity of cloud computing environments has resulted in organizations reliving many of the traditional security issues that were once solved in on-premises deployments, while at the same time encountering new problems. Additionally, smart connected devices continue to proliferate and appear to undergo little to no security testing prior to market release, making them prime candidates for attack.

Implications

For the foreseeable future, cloud and IoT are likely to remain a focus for security researchers, both ethical and criminal, as well as a security challenge for the organizations implementing them. A routine regimen of offensive security testing and evaluation of these two resources is essential to any company’s security program.

Freedom of information

DEF CON was so packed with information, exciting new discoveries, and a shared sense of interest in hacking that it was almost overwhelming to try to grasp it all. The freedom of information presented and received, regardless of participants’ disparate backgrounds or even legal footholds, was a reminder that systems, services, networks, and all other things we have come to love about the Internet and computer technology revolve around the ebb and flow of red vs. blue, attacking and defending, to refine technology for the good of humankind. It is not to be taken advantage of by any parties, adversarial or commercial.

Implications

There are significant efforts to deliver freedom of information and accessibility, which should be continually supported by all who seek that common future. Ultimately, it is not possible to achieve this future without strong collaboration. All organizations are encouraged to not only invest in their own cyber hygiene and security, but also work collaboratively with regulators, other organizations across all industries, and even ethical hackers, to work towards this common goal.

How we help

Our penetration testing (pen testing) and vulnerability assessments can help your firm reduce the risk of significant financial, operational, and reputational losses resulting from breaches, including:

  • Vulnerability scanning to detect weaknesses that could be used by an attacker to exploit a network 
  • External penetration testing to conduct a controlled real-world attack that exploits vulnerabilities found on a network and identifies key weaknesses that could lead to a cyber-attack 
  • Internal penetration testing to identify network vulnerabilities and see how far a prospective attacker could go and what sensitive information could be compromised 
  • Microsoft Office external access testing to validate conditional access policies and multifactor protections in your O365 environment

We also offer additional testing services, including physical office security penetration, wireless LAN testing, and social engineering.

For more information about the topics in this article, or to find out how we can help you secure your firm, please reach out to your trusted cybersecurity advisor or contact us.
