Black Hat: AI as vulnerability scout and gap in Spectre protection

Hardware bugs in all Intel processors and a method of using AI to find vulnerabilities instead of just false positives were demonstrated at Black Hat.

By Lukas Grunwald

To kick off the second day of Black Hat 2025 in Las Vegas, former New York Times journalist Nicole Perlroth conjured up a picture of growing cyber threats in front of the assembled security community. Attackers are targeting public discourse with disinformation campaigns and critical infrastructure such as power grids, healthcare and water supplies with "cyber weapons".

However, public-private partnerships as well as AI could help against increasingly escalating attacks. Considering the situation, the cyber security industry needs the courage to name threats, even if this has consequences.

The next session then delved deeper into individual gaps, vulnerabilities and attack methods. Vedang Parasnis demonstrated how DNS can be exploited as a tunnel for command and control servers (C2) – and how such malicious processes can be detected and killed. He presented an eBPF filter and a userland process that can not only stop DNS traffic from suspicious processes, but also terminate the malware process from the kernel. And if it becomes active again, it is immediately terminated again.

With the topic of AI Agents for Offsec with Zero False Positives, Brendan Dolan-Gavitt from XBOW managed to fill the lecture room quickly. Everyone wanted to know how he managed to easily find vulnerabilities with LLMs that are not false positives.

The first thing he showed was that LLMs report an extremely large number of supposed vulnerabilities that turn out to be false positives. This drives many open source developers crazy, as a lot of resources are wasted without advancing the projects. Dolan-Gavitt's approach is different: he has the AI agents play a kind of "capture the flag".

He builds UUID flags into the software, which the AI agents are supposed to find. For example, he used an AI bot to find an authentication bypass in Redmine and XSS and other real vulnerabilities in many other web applications. He distinguishes between business logic vulnerabilities by inserting these flags, and applications such as databases, where he places a flag in the admin SQL table or a flag file in the file system. In this way, he can use the AI agents to search for vulnerabilities, and by finding the flags, he has immediate proof that there is a vulnerability there that would otherwise be undetected.
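The flag-based proof described above can be sketched as a small validation harness. This is an added example, not XBOW's code: the table name `admin_secrets`, the file `flag.txt` and the report strings are constructed assumptions. A finding counts only if the agent's evidence contains the exact planted UUID.

```python
import hmac
import re
import sqlite3
import tempfile
import uuid
from pathlib import Path

# Matches version-4 UUIDs, the format uuid.uuid4() produces.
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}")


def plant_flags(db, flag_dir):
    """Plant one fresh UUID flag per protected location; return {location: flag}."""
    flags = {"admin_table": str(uuid.uuid4()), "flag_file": str(uuid.uuid4())}
    db.execute("CREATE TABLE admin_secrets (flag TEXT)")  # hypothetical admin-only table
    db.execute("INSERT INTO admin_secrets VALUES (?)", (flags["admin_table"],))
    (Path(flag_dir) / "flag.txt").write_text(flags["flag_file"])  # hypothetical flag file
    return flags


def validate_report(report, flags):
    """Return the locations whose flag appears verbatim in the agent's evidence."""
    candidates = UUID_RE.findall(report.lower())
    proven = set()
    for location, flag in flags.items():
        # Only an exact match is proof; a bare claim or a guessed UUID is rejected.
        if any(hmac.compare_digest(c, flag) for c in candidates):
            proven.add(location)
    return proven


def demo():
    db = sqlite3.connect(":memory:")
    with tempfile.TemporaryDirectory() as flag_dir:
        flags = plant_flags(db, flag_dir)
        # Constructed agent reports: real evidence, a bare claim, an invented UUID.
        real = f"SQLi in /search dumped admin_secrets: {flags['admin_table']}"
        claim = "Found SQL injection in /search, admin table is readable."
        invented = f"Read flag file: {uuid.uuid4()}"
        return [sorted(validate_report(r, flags)) for r in (real, claim, invented)]


if __name__ == "__main__":
    print(demo())
```

Because the flags are generated per run, a report cannot pass by repeating a value seen in an earlier run or in training data.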

Using this method, the AI has found 174 real vulnerabilities, of which 22 CVEs have already been assigned and 154 are still pending. These include projects such as GeoServer (XXE), Apache HugeGraph (RCE), PuppyGraph (RCE) and Apache Tomcat (XSS). There is currently still a backlog of 650 vulnerabilities found; the greatest difficulty for the researchers is finding the security contacts for the respective project.


Sandro Rüegge and Johannes Wikner from ETH Zurich identified a vulnerability in Intel processors. Enhanced Indirect Branch Restricted Speculation (eIBRS) is Intel's primary defensive measure against branch target injection (BTI)-style Spectre attacks. eIBRS prevents the misuse of untrusted branch target predictions in domains with higher privileges (for example, in kernel/hypervisor mode) by restricting predictions from privilege domains other than the one for which they were created.

Since its introduction in late 2018, eIBRS has been the best-fit BTI defense relied upon by all major operating systems and hypervisors, and has so far successfully prevented attackers from injecting arbitrary branch-target predictions across privilege boundaries. However, the researchers show that microarchitectural defenses such as eIBRS are, like software, vulnerable to race conditions. They demonstrate a technique that allows attackers to completely remove this protection across all CPU privilege levels and rings.

Tracing the flaw back to its origin, the researchers found that it has been present since the introduction of eIBRS. This means that Intel processors have been affected since Sandy Bridge, over seven years ago. In a live demo, the security researchers showed that, with their proof of concept, a normal user can simply scan all memory pages for the contents of /etc/shadow. This password file should only be accessible to the system and root. The kernel was Linux 6.8, with all mitigations and protection measures enabled. The whole paper is available here.

Under the pseudonym SttyK, a South Korean has reported on the IT machinations of the North Korean regime. IT employees with false passports are smuggled in as IT service providers and remote employees so that they can then capture information or procure foreign currency for the regime. Applications as qualified "full-stack developers" with particularly favorable salary expectations are typical. Any employer should be suspicious when service providers suddenly want to be paid in cryptocurrencies.

The North Koreans also apply with fake documents, and SttyK has shown how these can be easily detected with open source tools. Normal passports always have noise in the print. If the writing is too perfect, then manipulation is obvious.

(vbr)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.