Black Hat 2017: 10 Security Threats To Watch Out For

User Beware

Black Hat brings together some of the best security researchers in the industry every year to present new threat research and vulnerability findings. With that naturally comes insight into some of the biggest, and potentially most damaging, new attack vectors of the year. This year's threat research includes insight into security vulnerabilities in some of the channel's most used software and hardware, including Apple devices, containers, Office 365, Windows 10, VMware, Android mobile devices and more. Take a look at the CRN roundup of some of the biggest security threats to watch that were highlighted at the show, which is being held this week in Las Vegas.

Apple Devices

Multiple Black Hat talks this year revealed security threats to Apple devices and operating systems, both of which have a reputation for strong security. Objective-See creator Patrick Wardle presented on the first OS X/macOS malware of the year, called FruitFly. The malware appears to target biomedical research institutions, allowing for targeted surveillance. Wardle said he has seen around 400 infections of the malware. A second presentation, by Longterm Security founder Alex Radocea, showed a flaw in iCloud's cryptographic implementation that could allow sophisticated attackers to mount man-in-the-middle attacks and potentially gain access to iCloud Keychain secrets.

Container Security

Container security challenges were also front and center at Black Hat 2017. Aqua Security Head of Research Michael Cherny and Senior Security Researcher Sagie Dulce presented a complex attack on developers using Docker, in which a developer visits a malicious web page and ends up with a reverse shell inside their internal network communicating back to attacker machines. The attack chain also used Host Rebinding and Shadow Containers techniques. The researchers said attacks on container environments will become more popular as Docker grows in popularity, since developers are a prime target for attackers. Capsule8 CTO Dino Dai Zovi also discussed how new data-center-level operating systems, including Docker Enterprise, have changed attack vectors and made single-node privilege escalation and persistence less useful to attackers. He said companies need a different tactic when attacking and defending entire clusters versus single machines. Docker has since patched the issue.

Broadcom Wi-Fi Chipsets

Exodus Intelligence Vulnerability Researcher Nitay Artenstein presented a vulnerability in Broadcom Wi-Fi chips that can be triggered remotely to achieve full code execution on the main application processor. The vulnerability, dubbed Broadpwn, requires no user interaction and affects the Broadcom BCM43xx family of Wi-Fi chips. These chips are used in some models of iPhone, HTC, LG and Nexus devices, as well as most Samsung phones.

Android Firmware Challenges

Kryptowire security researchers revealed that firmware on some Android mobile devices allowed users to be remotely monitored and their personal information collected without permission. Information transmitted to third-party servers in China included user and device information, text messages, call history, application usage, and unique device identifiers. The firmware also allowed the device to be remotely reprogrammed and applications to be remotely installed. The affected devices include the BLU R1 HD and the BLU Life One X2, available through US-based online retailers. The firmware shipped preinstalled on the devices tested, allowing it to bypass detection by most mobile AV tools, and was managed by Shanghai Adups Technology Co., the researchers said.

VMware

More and more enterprises are turning to VMware as they look to separate infrastructure domains from guest machine domains. However, that can come with its own security challenges, a presentation by GuardiCore Vice President of Research Ofri Ziv found. The VMware VIX API, which allows users to automate guest operations across VMware products, has undocumented functionality that allows a malicious user to bypass guest domain authentication, Ziv said. To do that, he said, attackers need only be able to send commands to guest machines and run them with root permissions through the API. He said there are tools available to test which users are able to perform this type of attack on guest machines.

3G And 4G Device Privacy

Security researchers from TU Berlin, the University of Oxford and ETH Zurich demonstrated new attack vectors for tracking and monitoring 3G and 4G devices, raising major privacy concerns. The researchers showed the devices were vulnerable to IMSI catchers, also known as Stingray devices, allowing users to be tracked and their activity monitored. The researchers also showed a cryptographic protocol flaw in the cellular networks serving the devices. The vulnerabilities do not appear to affect 5G network devices, they said.

Android Anti-Virus

The latest weakness in Android involves mobile anti-virus, security researchers from the Georgia Institute of Technology found. The researchers presented AVPASS, a tool for bypassing Android antivirus programs. AVPASS works by combining leaked detection models of AV programs with APK perturbation techniques to disguise malware as benign applications, since it knows the detection features and the hierarchy of detection rule chains used by the software. The researchers said the findings help illustrate some of the weaknesses in commercial AV systems, as well as provide insight into the processes of APK perturbation, model leaking and auto-bypassing.

Active Directory

Botnets took center stage with the Mirai attacks last fall leveraging IoT devices, but Senior Security Consultant Paul Kalinin and Managing Director Ty Miller from Threat Intelligence said a new type of botnet attack has emerged that turns Active Directory Domain Controllers into C&C servers to command a botnet. The attack forces Domain Controllers to act as a central communication point for compromised systems already inside the network, using Active Directory's own standard attributes. Most Active Directory implementations are set up so that systems connect to the Domain Controller for authentication. What makes this type of attack so damaging is that it operates inside the walls of the organization, bypassing all traditional network controls to communicate across internal systems, the researchers said.

Office 365

As more companies adopt Office 365 solutions, they also need to think about the new security risks the software poses, Juniper Networks Security Chief Architect Craig Dods said. Dods said businesses need to know how attackers can take advantage of Office 365 and PowerShell to bypass AV and other security protections, exfiltrate data, encrypt communications and mount external Office 365 storage.

Windows 10

Microsoft has worked hard to update its operating systems to prevent kernel-level vulnerabilities, particularly around the kernel pool allocator, with multiple examples of the software giant repairing published vulnerabilities. Independent Security Researcher Nikita Tarakanov detailed a new technique for exploiting kernel pool overflows that works on Windows 7, Windows 8, Windows 8.1 and Windows 10. Improsec Security Advisor Morten Schenk also detailed how kernel read and write primitives can be leveraged to abuse kernel-mode Window and Bitmap objects. The techniques specifically center on KASLR bypasses in the Windows 10 Creators Update, which overcome KASLR through a generic de-randomization of the Page Table Entries derived via reverse engineering. A second method uses an arbitrarily sized piece of executable kernel pool memory to gain code execution through hijacked system calls.