Omdia Senior Analyst Hollie Hennessy goes over her first experience of DEF CON as a woman in cybersecurity.

If you asked me how I was feeling on Thursday night about attending DEF CON, I would have said "nervous." After a week of preparing for and attending Black Hat — which I'm used to, for the most part — I wasn't sure how different DEF CON would be or what to expect.

I'd heard a lot. Switch your phone off, don't take credit cards, leave your laptop behind …some people asked why I was staying, warned I'd be exhausted, but assured me I'd have fun. And fun was an understatement.

Being able to attend these events in person has massively helped me with confidence and "imposter syndrome." This was mentioned in the opening DEF CON talk on Friday, and I've heard so many women share a similar worry. But in reality, the cybersecurity community is diverse in its talent. Although it may not always feel this way, being in Las Vegas for Black Hat and DEF CON has shown me that all you need is the enthusiasm to become an expert in your chosen specialty. With a community so willing to share knowledge, that's more than enough. I don't need to know everything, and I'm trying to stop myself from thinking that.

As a woman in tech — in cybersecurity even, networking can be difficult to navigate. Luckily, I had the most wonderful experience and genuinely can't say that I've been to many other events (social, work, or otherwise) where people are so kind, welcoming, and eager to teach and learn.

I know this experience is not the same for all women attending, but it's great to see progress made and a zero-tolerance policy toward sexual harassment from both DEF CON and Black Hat and the willingness to enforce this. I was pleasantly surprised to make friends in the girls' restrooms (who would've thought it!) and hope to make many more in years to come.

So, what are my tips?

1.  **Don't try to do too much.** There's so much to do and see and you're better off taking your time to focus on the areas that interest you most. I spent most of my time in the IoT Village (I'm all about the things) and Car Hacking Village. I missed a few that I wanted to get to, but there's always next time!
2.  **Save the talks for post-conference.** A colleague gave me some great advice to spend most of my time in the villages, as the talks are accessible after the event. Unless you want to attend a talk that isn't recorded, or have some burning questions for the speakers, make the most of walking around and seeing all the wonderful things the event has to offer in the flesh.
3.  **Talk to people!** It can be daunting to pluck up the courage to say hi, but one of the best things about attending in-person events (especially after COVID) is meeting others face to face. I guarantee you'll learn something new, and even make some new friends and connections.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DEF CON: A Woman's First Experience

South Staffordshire in the UK has acknowledged it was targeted in a cyberattack, but Clop ransomware appears to be shaking down the wrong water company.

South Staffordshire plc, a UK water-supply company, has acknowledged it was the victim of a cyberattack. Around the same time, the Clop ransomware group started threatening Thames Water that it would release data it has stolen from the utility unless Thames Water paid up.

The problem? Thames Water wasn't breached. 

Apparently, Clop got its UK water companies confused. 

South Staffordshire serves about 1.6 million customers and recently reported that it was targeted in a cyberattack and was "experiencing a disruption to out corporate IT network and our teams are working to resolve this as quickly as possible." It added there has been no disruption on service. 

"This incident has not affected our ability to supply safe water, and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers," the water company said. 

Meanwhile, Thames Water, the UK's largest water supplier to more than 15 million people, was forced to deny it was breached by Clop ransomware attackers, who threatened they now had the ability to tamper with the water supply, according to reports. 

"As providers of critical national infrastructure, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide resilient services to our customers and the environment,” the larger water company told the UK Mirror. 

While Clop seems to have its records all wrong, both water utilities mounted capable responses to the ransomware group's attack on critical infrastructure, according to Edward Liebig, global director of cyber ecosystem at Hexagon Asset Lifecycle Intelligence. 

"I’m impressed by South Staffordshire Water’s ability to defend against the cyberattack in the IT systems and buffer the OT systems from impact," Liebig said. "And had Thames Water not done an investigation of the 'proof of compromise,' they may very well have decided to negotiate further. In both instances, each organization did their due diligence."

Clop Ransomware Gang Breaches Water Utility, Just Not the Right One

Just as one crop of malware-laced software packages is taken down from the popular Python code repository, a new host arrives, looking to steal a raft of data.

Just a week after 10 malicious software packages were found nesting in the Python Package Index (PyPI) repository, several more have come to light, uncovered by different firms. It's becoming a bit of a whack-a-mole exercise, snuffing out bad code only to find more taking its place.

In last week's disclosure, researchers at Check Point found Trojanized packages mimicking popular legitimate components, containing droppers for information-stealing malware. That prompted Kaspersky analysts to scour the open source repository further, which led to the discovery of two more rogue offerings, dubbed "pyrequests" and "ultrarequests," that purported to be one of the most popular packages in PyPI (which is simply named “requests“).

"The attacker used a description of the legitimate 'requests' package in order to trick victims into installing a malicious one," according to Kaspersky's Tuesday analysis. "The description contains faked statistics, as if the package was installed 230 million times in a month and has more than 48,000 stars on GitHub. The project description also references the web pages of the original requests package, as well as the author’s email. All mentions of the legitimate package's name have been replaced with the name of the malicious one."

If installed, the result is a W4SP Stealer infection, through which attackers can steal Discord tokens, saved cookies, and passwords from browsers in separate threads.

Meanwhile, researchers at Synk on Tuesday published findings around a dozen malicious PyPI packages aimed at stealing Discord and Roblox users’ credentials and payment info. According to Kyle Suero, Snyk's lead researcher on the report, the malware will also attempt to steal Google Chrome data or pilfer passwords and bookmarks from Windows machines to pivot throughout all accounts.

All of the offending packages have been removed from PyPI; however, it's unclear how many times they were downloaded before that.

Attacks on code repositories continue to snowball. According to ReversingLabs, attacks on npm and PyPI have collectively spiked from 259 in 2018 to 1,010 in 2021 — a 290% increase.

"As long as we keep ignoring the core of the problem — which is how do you trust code — we are not handling software supply chain security," said Tomislav Peričin, co-founder and chief software architect at ReversingLabs, said in a recent report.

Whack-a-Mole: More Malicious PyPI Packages Spring Up Targeting Discord, Roblox

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Come up with a cybersecurity-themed caption for the cartoon above, and you could win a $25 Amazon gift card if it's chosen as Dark Reading editors' favorite. Here are four convenient ways to submit your idea:

*   Email _\[email protected\]_ with the subject line "Dark Reading August Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

The contest ends Wednesday, Sept. 7, 2022. We look forward to your submissions.

**Last Month's Winner**

July's "Modern-Day Fable" caption contest now how a modern-day twist that would even make Aesop laugh. Congratulations go to winner Dana Morrow, director of security services at Foresite MSP. A $25 Amazon gift card is on the way.  

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Vicious Circle

Cybercrime has been funded with cryptocurrency, but the valuation of various digital currencies has dropped by more than two-thirds and cybercriminals are feeling the pinch.

The dramatic decline in cryptocurrency has dampened activity around specific types of financial crimes — most significantly, investment scams and illegal Dark Web transactions — leading to a drop in consumer losses for the first half of 2022.

That's according to an analysis published on Aug. 16 from blockchain data provider Chainalysis.

Overall, the cumulative revenue collected by scammers dropped by two-thirds — 65% — for the first seven months of the year, according to the firm. The decline is only partly linked to the decrease in the value of major cryptocurrencies. Bitcoin, for example, plunged in value by 51% between Jan. 1 and July 31, and that still doesn't account for the total drop.

The number of deposits connected to scams also dropped by more than two-thirds, suggesting that fewer consumers were falling prey to those efforts, says Kim Grauer, director of research at Chainalysis.

"Most scams are investment scams, and if investments across the board are down, then less funds will flow to the services that are, in fact, scams," she says. "We also saw a lot of law enforcement wins in the past year which have further deterred scammers."

Since their peak last November, major cryptocurrencies have dropped precipitously in value, reaching lows in June. Bitcoin dropped nearly 72%, from its $67,567 close on Nov. 7, 2021, to $19,018 on June 17. Similarly, Ethereum plunged nearly 80% to close at about $994 on June 17. Both digital assets have recovered from those lows in the past two months.

    

Monthly deposits to scams have declined. Source: Chainalysis

Cryptocurrency is the financial backbone of most online crimes, Chainalysis stated in its midyear update, so the drop in cryptocurrency has impacted other major cybercrimes, such as money laundering and ransomware. Both have dropped by 20% to 25% since the beginning of the year, according to cybersecurity firms. 

That said, crimes that do not depend on enticing victims with cryptocurrency have been less affected by the volatility. Business e-mail compromise (BEC), for example, still accounted for 35% of the dollar losses in 2021, compared with 0.7% for ransomware, according to the FBI's Internet Crime Complaint Center (IC3).

"Nobody likes a crypto bear market, but the one silver lining is that illicit cryptocurrency activity has fallen along with legitimate activity, albeit not as sharply," the company stated. "This is especially encouraging in scams, where the decrease in market hype seems to mean fewer are fooled by scammers, and in darknet markets, where law enforcement’s \[shutdowns of major markets\] appears to have dampened the entire sector."

**DeFi Services Still Hot Targets**

One constant? Hacking of digital wallets and decentralized financial (DeFi) services continued to grow. Overall, cybercriminals stole at least $1.9 billion in cryptocurrency through hacking online services so far in 2022, an increase of about two-thirds from the same period in 2021.

The majority of the hacking profits comes from hacking DeFi protocols, Chainalysis stated in the mid-year report.

"DeFi protocols are uniquely vulnerable to hacking, as their open source code can be studied ad nauseum by cybercriminals looking for exploits — though this can also be helpful for security as it allows for auditing of the code," the company stated. "\[I\]t's possible that protocols' incentives to reach the market and grow quickly lead to lapses in security best practices."

Specific regions have also focused on specific types of crime. North Korean nation-state actors have compromised specific DeFi protocols, leading to massive gains for the sanctioned government. The attackers stole approximately $1 billion so far in 2022, accounting for the majority of the $1.9 billion in losses from exchanges and services, as of July 2022.

"We have seen ransomware attacks coming out of North Korea, but right now DeFi hacking is the most profitable thing for the North Korean hacking organizations to carry out," Grauer says. "North Korean hacking organizations have realized how profitable this type of hacking can be if done correctly, so have continued to carry out attacks throughout 2022."

Financial institutions, consumers, and cybersecurity professionals should not expect the decline in fraud related to cryptocurrency to continue, Chainalysis stressed. Consumers need to be better educated about the risks, while the cybersecurity of decentralized financial protocols needs to be bolstered and audited. Finally, legitimate exchanges should have protections in place to prevent the transfer of money to known scams, and law enforcement should develop their capabilities to seize cryptocurrency from bad actors, the company stated.

With Plunge in Value, Cryptocurrency Crimes Decline in 2022

The security flaw tracked as CVE-2022-30216 could allow attackers to perform server spoofing or trigger authentication coercion on the victim.

Researchers have discovered a vulnerability in the remote procedure calls (RPC) for the Windows Server service, which could allow an attacker to gain control over the domain controller (DC) in a specific network configuration and execute remote code.

Malicious actors could also exploit the vulnerability to modify a server's certificate mapping to perform server spoofing.

Vulnerability CVE-2022-30216, which exists in unpatched Windows 11 and Windows Server 2022 machines, was addressed in July's Patch Tuesday, but a report from Akamai researcher Ben Barnes, who discovered the vulnerability, offers technical details on the bug.

The full attack flow provides full control over the DC, its services, and data.

**Proof of Concept Exploit for Remote Code Execution**

The vulnerability was found in SMB over QUIC, a transport-layer network protocol, which enables communication with the server. It allows connections to network resources such as files, shares, and printers. Credentials are also exposed based on belief that the receiving system can be trusted.

The bug could allow a malicious actor authenticated as a domain user to replace files on the SMB server and serve them to connecting clients, according to Akamai. In a proof of concept, researchers exploited the bug to steal credentials via authentication coercion.

Specifically, they set up an NTLM relay attack. Now deprecated, NTLM uses a weak authentication protocol that can easily reveal credentials and session keys. In a relay attack, bad actors can capture an authentication and relay it to another server — which they can then use to authenticate to the remote server with the compromised user's privileges, providing the ability to move laterally and escalate privileges within an Active Directory domain.

"The direction we chose was to take advantage of the authentication coercion," Akamai security researchers Ophir Harpaz says. "The specific NTLM relay attack we chose involves relaying the credentials to the Active Directory CS service, which is responsible for managing certificates in the network."

Once the vulnerable function is called, the victim immediately sends back network credentials to an attacker-controlled machine. From there, attackers can gain full remote code execution (RCE) on the victim machine, establishing a launching pad for several other forms of attack including ransomware, data exfiltration, and others.

"We chose to attack the Active Directory domain controller, such that the RCE will be most impactful," Harpaz adds.

Akamai's Ben Barnea points out with this case, and since the vulnerable service is a core service on every Windows machine, the ideal recommendation is to patch the vulnerable system.

"Disabling the service is not a feasible workaround," he says.

**Server Spoofing Leads to Credential Theft**

Bud Broomhead, CEO at Viakoo, says in terms of negative impact to organizations, server spoofing is also possible with this bug.

"Server-spoofing adds additional threats to the organization, including man-in-the-middle attacks, data exfiltration, data tampering, remote code execution, and other exploits," he adds.

A common example of this can be seen with Internet of Things (IoT) devices tied to Windows application servers; e.g., IP cameras all connected to a Windows server hosting the video management application.

"Often IoT devices are set up using the same passwords; gain access to one, you've gained access to them all," he says. "Spoofing of that server can enable data integrity threats, including planting of deepfakes."

Broomhead adds that at a basic level, these exploitation paths are examples of breaching internal system trust — especially in the case of authentication coercion.

**Distributed Workforce Broadens Attack Surface**

Mike Parkin, senior technical engineer at Vulcan Cyber, says while it doesn't appear that this issue has yet been leveraged in the wild, a threat actor successfully spoofing a legitimate and trusted server, or forcing authentication to an untrusted one, could cause a host of problems.

"There are a lot of functions that are based on the 'trust' relationship between server and client and spoofing that would let an attacker leverage any of those relationships," he notes.

Parkin adds a distributed workforce broadens the threat surface considerably, which makes it more challenging to properly control access to protocols that shouldn't be seen outside the organization's local environment.

Broomhead points out rather than the attack surface being contained neatly in data centers, distributed workforces have also expanded the attack surface physically and logically.

"Gaining a foothold within the network is easier with this expanded attack surface, harder to eliminate, and provides potential for spillover into the home or personal networks of employees," he says.

From his perspective, maintaining zero trust or least privileged philosophies reduces the dependence on credentials and the impact of credentials being stolen.

Parkin adds that reducing the risk from attacks like this requires minimizing the threat surface, proper internal access controls, and keeping up to date on patches throughout the environment.

"None of them are a perfect defense, but they do serve to reduce the risk," he says.

Windows Vulnerability Could Crack DC Server Credentials Open

Threat hunting not only serves the greater good by helping keep users safe, it rewards practitioners with the thrill of the hunt and solving of complex problems. Tap into your background and learn to follow your instincts.

Growing up in the Pacific Northwest, I was fascinated by treasure hunting. I love the idea of finding something valuable or important. I had an arsenal of tools even the most seasoned treasure hunters would envy: a metal detector, a bucket, and a plastic shovel. Yet the most valuable tool I possessed was my firm belief that I would find treasure as long as I looked hard enough.

Threat hunting is like treasure hunting in many ways. Threat hunters also have their tools of the trade.

Several years ago, I traded that plastic shovel for a data visualization tool (i.e., Kibana) and too much coffee. I still feel the excitement of the hunt for something valuable. You see, treasure hunting and threat hunting both stimulate the mind. They are both filled with hidden clues, there is no set path, and sometimes you must solve complex problems. There is unmistakable value in discovering threats, so that we can improve the security of our organizations.

At one point in my military career, I worked as a networking specialist on a cyber-protection team, where I became a network traffic analysis expert. The mission was simple — just hunt. Remember, no good treasure hunt starts without a treasure map. That's where this threat-hunting story begins.

I received a PDF version of the network map that contained hundreds of endpoints, ports, protocols, and services (PPS) to quickly identify acceptable and normal network traffic as a baseline. The posters we printed from the PDF were the size of twin-sized blankets. Yet, we hung them up on the ops floor. We had our "treasure map," and set out to analyze the hex and packet captures (PCAPs).

We found nothing that deviated from the baseline and PPS listing. But I still had the unshakeable belief from my youth that I would find something if I looked hard enough. We were parsing through millions of network events and terabytes of data. I decided to investigate the top-talking ports – even the acceptable ports outlined on the PPS.

"Manual" threat hunting, for lack of better words, relies on highly skilled people and the knowledge they have collected over years in the field. Down the list I went looking at HTTPS, HTTP, DNS, SMTP, and so on. Finally, I arrived at port 1433, or SQL, which is the primary language used for managing data. This was significant as it's often a large attack surface for hackers and adversaries. I built a query and modified data fields to quickly identify the IPs communicating with one another.

One pair of IPs looked a little unusual and didn't fit into the schema of the other IPs. It stood out to me because I understood the network (thanks to our trusty map). That's when I discovered unencrypted SQL data. I could see everything and the data in these tables made my jaw drop. This data was leaving the network unencrypted. I immediately notified my mission commander, who carried it up the chain – we discovered it was a configuration error that was quickly fixed. The goal of discovering threats was so that we could take action to remediate them.

**Learning From Experience**

Eight-year-old me would have been very proud of my ability to find such a significant threat – being able to improve our security was certainly of value. There were many lessons to be learned from this hunt that I have held with me over the years:

*   Understand the network you're working on to easily recognize patterns and behaviors that deviate from normal.
*   Question and review all traffic, even acceptable or normal traffic. Network traffic is guilty until proven innocent in the world of threat hunting.
*   Not every hunt will result in threats being found, but always listen to your instincts. If you know it's out there, it probably is.

Threat hunting is an opportunity to help a greater good. Cyberattacks are relentless. We must work together as professionals to change the playing field. Equally, be willing to accept help. I have been fortunate to find work that brings me so much joy. I love what I do because it connects me with a lifelong drive. There are many specialties within cybersecurity; finding your particular niche will make you successful in this field.

Lessons From the Cybersecurity Trenches

Heads of CIA and CISA headline event at DC Convention Center.

Returning in person after two years, the 13th Annual Billington Cybersecurity Summit is a three-day event designed to examine the nation's pressing cyber needs and the impact of the Biden Administration's fast-moving cyber strategic direction.

The summit explores "Transforming Cybersecurity Through a Unified Approach" with a focus on the hottest cyber topics. More than 125 speakers spanning government, military, nonprofits, industry, and academia, including CIA Director William Burns; Chris Inglis, National Cyber Director, EOP; DHS CISA Director Jen Easterly; John Sherman, CIO, DOD; and two top cyber officials from Ukraine will discuss cyber trends and issues during more than 40 sessions.

**WHEN**

September 7-9, 2022

Sept 7: 8:45 a.m.-5 p.m.

Sept 8: 8:30 a.m.-5 p.m.

Sept 9: 9 a.m.-noon

**TOPICS**

The summit has more than 40 panel discussions, breakout sessions, and fireside chats. Agenda topics include:

*   Cyber Lessons Learned from Ukraine
*   Securing Infrastructure in an Increasingly Connected World
*   Election Security and the 2022 National Elections
*   Lessons Learned for Fortifying a Strong Cybersecurity Workforce
*   All-Star VC Roundtable: What Are the Next Game-Changing Cyber, Disruptive Technologies?
*   The Cyber Threat Landscape and Zero Trust: Lessons Learned and Success Stories
*   Future of Encryption: Moving to a Quantum-Resistant World
*   Cybersecurity Public/Private Engagement
*   Addressing Insider Threat while Protecting Privacy
*   Future Panel | Cybersecurity and the Future of 5G
*   Enhancing the Security of Open-Source Software and the Supply Chain
*   Automating Cybersecurity: Applying AI Internally and at the Edge
*   Beyond Ransomware: Identifying the Next Cyber Threats

**WHERE**

Walter E. Washington Convention Center

801 Mt Vernon Pl NW

Washington, DC

**HOW**

Learn more or register at https://billingtoncybersummit.com/. Complimentary government and military tickets are available. Tickets for corporate attendees are $895; academic and non-profits are $125; and students are $25. Press is free for credentialed reporters but must register in advance online.

**WHY**

Presented by over 40 sponsors, led by Amazon Web Services, Raytheon Intelligence & Space, and Cisco Secure, the Billington Summit convenes leading senior cyber government decision-makers to examine key trends and topics while fostering deeper dialogue between government leaders and private industry.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

SEPT. 7-9: Ukraine, Election, AI, Cybercrime, 5G Among Topics Explored by 125+ Speakers at 13th Billington Cybersecurity Summit

After 30 years and a brief pandemic hiatus, DEF CON returns with "Hacker Homecoming," an event that put the humans behind cybersecurity first.

DEF CON — Las Vegas — Halls stuffed with hackers lined up for hours for their chance to hone their skills on the latest tech, helped along by a volunteer army of so-called "goons" — it was a hopeful place to be last weekend during DEF CON 30.

Everyone wore masks so even the immunocompromised could participate. There was a trend toward focusing on using hacker powers to protect the population from utility breaches, smart car accidents, misinformation, and more. Giving the entire conference its reputational edge were rooms buzzing with information and the kind of immediacy and potency that made it feel almost subversive — punk rock, even.

Here are just a few of the highlights Dark Reading happened to find among the organized chaos that was DEF CON 30.

**1\. Merch Madness**

The longest lines, by many hours, were those to get the latest DEF CON-branded merchandise. While some used the time to refuel with snacks, others put a little more thought into the break in the action. Take Brad Lindsley, who made his own "Linecon Bag" with a mounted gaming screen and controllers for four players.

"I was waiting in line for hours at another DEF CON and I was thinking about what I would want to do in line," he told Dark Reading.

    

Brad Lindsley shows off his Linecon bag. (Photo by Becky Bracken for Dark Reading)

**2\. IoT Village**

DEF CON 30 hackers also had the option to ply their skills on dozens of Internet of Things (IoT) devices, including the Emergency Broadcast System and a Globecomm satellite system, thanks to the work of TIVO Trevor and the rest of the team, who spent the last 90 days building the IoT common control framework (CCF).

Trevor said that this year the IoT Village made the decision to shift its emphasis because of the shifting threat landscape that now focuses on infrastructure and other IoT devices.

"We've moved away from SOHO (small offices/home offices) to IoT this year," he told Dark Reading.

    

TIVO Trevor at the DEF CON 30 IoT Village. (Photo by Becky Bracken for Dark Reading)

**3\. Sink This Battleship**

There were too many contests going on during DEF CON 30 to count. One big one was a version of Capture the Flag called "Can You Sink the Ship?" put on by Fathom5, which challenged teams of hackers to bring down their ship training module. The kickoff was preceded by more than a few rules laid out by Fathom5 CTO David Burke, who included an instruction not to tinker with the hoses underneath: "Please don't spray hydraulic fluid everywhere around the room."

    

Burke explains the ground rules of the contest. (Photo by Becky Bracken for Dark Reading)

**4\. Other Challenges Accepted**

Other, less elaborate contests included a collection of Capture the Flag versions, Red Team challenges, and even a DEF CON Scavenger Hunt.

    

One of the many contest leaderboards projected around the DEF CON Contest Village. (Photo by Becky Bracken for Dark Reading)

**5\. The Voting Village**

Noted voting-machine researcher Harri Hursti, representing the Election Integrity Foundation, brought in a collection of voting machines currently in use across the US for hackers and conspiracy theorists alike to try out and challenge their security.

Dark Reading ran into a group of hackers giving one of the US voting machines a careful look. Asked if they thought they might be able to crack into it, one of the group responded, "I don't know if we can, but it's fun thing to play with."

    

Voting machine hackers, from L to R: Wkampbel, Segzf4ult, Cole Knight, James, Semifour. (Photo by Becky Bracken for Dark Reading)

**6\. The Signage**

Even the signage spread out around DEF CON 30 was flair-forward, with an array of clever quips, dazzling digital renderings, and just straight-up art. Here is just the tiniest taste of what was on display.

    

The Chill Out Room at DEF CON had an elaborate stage for DJs and performances. (Photo by Becky Bracken for Dark Reading)

    

Signage at the lock-picking area at DEF CON. (Photo by Becky Bracken for Dark Reading)

    

Wall projection over main DEF CON 30 entrance. (Photo by Becky Bracken for Dark Reading)

**7\. Brain Hacking & Misinformation**

An entire village at this year's DEF CON was dedicated to misinformation. With phishing and social engineering still driving so many successful cyberattacks, Dr. Matthew Canham of Beyond Layer 7 gave a presentation on cognitive security, which essentially means blocking attackers from compromising the brain itself. From optical illusions to instances like Cambridge Analytica's practice of building psychographic profiles to target victims, brain hacks are here and getting more sophisticated, according to Dr. Canham.

    

Misinformation Village information screen prior to Dr. Canham's presentation. (Photo by Becky Bracken for Dark Reading)

**8\. The Traditions**

This year was Michael Bargury's debut on the DEF CON stage. That meant that before he kicked off his presentation about codeless malware, the CTO and cofounder of Zenity (and Dark Reading columnist) engaged in a DEF CON tradition... he did a shot, along with his "goon" who gave the introduction. After a few seconds and just one wince while the liquor went down, Bargury was officially inaugurated into the DEF CON speaker's club and ready to go.

    

Bargury takes the podium following his inaugural shot of courage. (Photo by Becky Bracken for Dark Reading)

DEF CON 30: Hackers Come Home to Vibrant Community

The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.

Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis.

Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw (CVE-2021-40444) last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited.

Kaspersky said it has observed threat actors exploiting the flaw in attacks on organizations across multiple sectors including the energy and industrial sectors, research and development, IT companies, and financial and medical technology firms. In many of these attacks, the adversaries have used social engineering tricks to try and get victims to open specially crafted Office documents that would then download and execute a malicious script. The flaw was under active attack at the time Microsoft first disclosed it in September 2021.

The attacks targeting the MSHTML flaw were part of a broader set of exploit activity last quarter that overwhelmingly targeted Microsoft vulnerabilities. According to Kaspersky, exploits for Windows vulnerabilities accounted for 82% of all exploits across all platforms during the second quarter of 2022. While attacks on the MSHTML vulnerability increased the most dramatically, it was by no means the most exploited flaw.

**Old Is Gold for Threat Actors**

Kaspersky's telemetry showed far more attacks on a handful of other vulnerabilities from 2018 and 2017. One of them was CVE-2018-0802, a remote code execution (RCE) vulnerability in Microsoft Office that was attacked some 345,827 times last quarter. Another similar memory corruption flaw from 2017 (CVE-2017-11882) was targeted in 140,623 attacks while a Microsoft Office/WordPad remote code execution flaw also from 2017 (CVE-2017-0199) was involved in 60,132 attacks.

The so-called Follina vulnerability in Microsoft Support Diagnostic Tool (MSDT) (CVE-2022-30190) was among the most targeted of recent vulnerabilities. The RCE flaw was one of at least five zero-day flaws that Microsoft has disclosed this year.

In total, Kaspersky found vulnerabilities in older versions of Microsoft Office being used in attacks against more than half a million users in second quarter. The attacks are another reminder of how unpatched vulnerabilities in older technologies remain a popular and highly attractive target for threat actors, the security vendor noted. "Old versions of applications remain the main targets for attackers, with almost 547,000 users in total being affected through corresponding vulnerabilities in the last quarter," Kaspersky said.

Kaspersky's report is another reminder of why security experts advocate quick patching of Microsoft vulnerabilities. Recent data has shown attackers have gotten much faster at exploiting flaws than before. A study that Rapid7 conducted last year showed that the mean time to known exploitation for vulnerabilities in 2021 was just 12 days — a 71% decrease from 42 days in 2020. The company explained the numbers as being driven by a sharp rise in zero-day exploit activity. "A drastic reduction in time to exploitation year over year means that not only are well-worn emergency patching procedures necessary, incident response protocols are likely to require repeated use as well," Rapid7 noted at the time.

Source

DARKReading