Skip to main content
MSRC

BlueHat 2023: Connecting the security research community with Microsoft

BlueHat 2023 Banner

We’re excited to welcome more than 400 members of the security research community from around the world to Redmond, Washington for BlueHat 2023. Hosted by the Microsoft Security Response Center (MSRC), BlueHat is where the security research community, and Microsoft security professionals, come together as peers to connect, share, learn, and exchange ideas in the interest of creating a safer and more secure world for all.

The two-day conference builds connections, provides learning opportunities, and strengthens trust between the security researcher community, customers, and partners. BlueHat also showcases thought leadership in the research and vulnerability discovery and mitigation space and provides insight to both internal Microsoft and external audiences on current and emerging security threats and techniques. BlueHat attendees will have the opportunity to listen to our incredible keynote speakers Charlie Bell (Executive Vice President, Microsoft Security Division), Mark Russinovich (Azure CTO and Technical Fellow, Microsoft), and and MSRC leader Aanchal Gupta (Deputy CISO and CVP Engineering, Microsoft). Conference-goers will also listen to 27 security thought leaders discuss a wide range of security topics, including AI/Machine learning based security, advanced hardware security, researching and securing your infrastructure, and more. In addition to the speaker sessions, BlueHat will also host a series of lightning talks from a group of up-and-coming security professionals from Microsoft, Grammarly, Tiktok, Intuit, and Meta. The lightning talks will feature actionable information from security pros about the top threats and concerns companies and organizations are facing today.

In addition to the keynotes, speaker sessions, and lightning talks, BlueHat attendees, hailing from 26 countries and representing 184 companies or organizations, will connect—and reconnect—with the security research community from around the world, building their personal and professional relationships, while gaining valuable insight into ideas that will create a safer and more secure world for all. Opportunities for networking and connecting include the 8 BlueHat Villages, such as the Post-Quantum Village, Cyber Training Village, AI/ML Village, and more.

We’re so excited to host the first in-person BlueHat conference since 2019. Follow MSFTBlueHat on Twitter for updates and announcements, and use #BlueHat to join the conversation. At the conclusion of BlueHat 2023, we’ll share recordings of the keynote talks and speaker sessions.



Conference sessions

Wednesday, February 8th

Keynote

Charlie Bell, Executive Vice President, Microsoft Security Division and Aanchal Gupta, Deputy CISO and CVP Engineering, Microsoft (Twitter)

Stronger Together: Celebrating the Microsoft Research Community

Speakers: Dr. Abhilasha Bhargav-Spantzel - Partner Security Architect (Twitter); Dr. Andre Alfred - Partner Director, Azure Security; David Weston - Vice President, Enterprise and OS Security (Twitter); Cristin Goodwin - General Manager and Associate General Counsel (Twitter), moderated by Stephanie Calabrese, Principal PM Manager (Twitter)

MSTIC Ghost Stories: A Threat Intelligence Year in Review

Speakers: Eunsil Han (Twitter), Emily Hacker (Twitter | LinkedIn), Terri Forslof, Microsoft (Twitter | LinkedIn)
Abstract: The Microsoft Threat Intelligence Center (MSTIC) discovers, tracks and disrupts the world’s most impactful and well-resourced threats, from state-aligned actors to financially motivated criminals, on a daily basis. As part of this mission, MSTIC works across Microsoft’s security signals gaining firsthand insight into the technical methods and capabilities of threat actors. The intelligence produced by MSTIC is infused into everything Microsoft does, from security products to generic product roadmaps, and BlueHat is no different.

In a rare opportunity, BlueHat attendees have a chance to hear an entertaining and educational account from MSTIC about its most significant observations from 2022. The talk will look back over the last year of technical threat data, spanning global threat actors of various motivations, to deliver regional trends, insights, and never before heard investigation stories from our work defending customers. The observations delivered in this talk ultimately seek to inform the future, empowering global people and organizations to achieve more, and do so securely. Examples covered in this presentation include:

  • Overview of multiple trends observed being used by China over the past year
  • DEV-0228 Leveraging supply chain relationships to target shipping companies in Israel
  • An onslaught of intrusion activity in Ukraine from STRONTIUM and IRIDIUM leading to espionage, cyber-enabled influence operations, and destructive attacks
  • Notable trends/activities associated with multiple North Korean groups including ZINC

0-Day firmWarez

Speaker: Nate Warfield, Eclypsium (Twitter | LinkedIn)
Abstract: Firmware is the foundation of modern computing. It’s the first code executed when your computer boots, it manages your hardware, runs critical infrastructure, controls systems in nearly every part of our lives, and exists in most electronics sold today. It’s also one of the most vulnerable, poorly maintained, and infrequently patched components of technology.

In this talk, we will discuss recent high-profile firmware vulnerabilities and attacks, including a series of vulnerabilities found in MegaRAC Baseboard Management Controller (BMC) software which powers millions of servers worldwide. We will explore the remote attack surface, the risk due to firmware’s position on devices, and the defensive weaknesses attackers are abusing. In addition to server firmware, we will also cover networking hardware and IoT device risks and threats.

In the second half of the talk, we will showcase open-source tools organizations can utilize to analyze device firmware, identify unpatched vulnerabilities, weak security controls, and find hard-coded credentials. The goal of this portion is not building exploits, but rather empowering organizations to better understand the risk posed by the firmware on their connected systems. These tools don’t require significant skill or time to use and provide valuable information on devices whose security posture is poorly documented, if at all.

Attendees will better understand how to threat model their environments and what additional steps may be required to secure their infrastructure. They will also gain insight into what real world attacks look like, to better defend against them and recognize them should they occur.

Advanced Hardware Hacking

Speaker: Sick Codes (Twitter | LinkedIn)
Abstract: Modern techniques to find vulnerabilities in modern hardware: this talk will show you techniques, tools, and concepts to assess most devices, especially those which are worth hacking. Sick Codes will bring you up to speed on exact methods to hack brand new smart TVs, watches, tractors, cars, game consoles, and more. Be able to identify and hack any new hardware.

High Risk Users and Where to Find Them

Speaker: Masha Sedova, Elevate Security (Twitter | LinkedIn)
Abstract: What if you could predict and ultimately prevent most incidents in your organization? 82% of all attacks originate from human fallibility, but an effective risk management approach is impossible without the ability to pinpoint our riskiest users. Research findings from a 300k-employee data set spanning 8 years reveal trends in our most vulnerable populations. We’ll share how 8% of the workforce is responsible for the majority of incidents and dive into what makes workers high-risk, where those high-risk users spend their time, what are their riskiest behaviors, and what that might mean for your organization’s security. From there the talk will explore how security professionals can effectively measure user risk in their own organizations and action on these findings to strengthen their cyber defense. By applying the different stages of user-risk management, from feedback to tailored safeguards & access, learn how to keep your workforce safe and business productive.

Thursday, February 9th

Keynote

Mark Russinovich, Azure CTO and Technical Fellow, Microsoft (Twitter) with opening remarks by Aanchal Gupta, Deputy CISO and CVP Engineering, Microsoft (Twitter)

Hunting Qakbot

Speakers: Dan Taylor (LinkedIn) & Ben Magee (Twitter | LinkedIn)
Abstract: When it comes to attack surfaces, there are few quite as large as that of NHS England’s Microsoft Defender for Endpoint estate. With close to 1.7 million endpoints enrolled in a tenant spanning thousands of separate organizations across the healthcare service, it presents a uniquely challenging environment to protect – one where cyber incidents can have very real, human consequences.​
How then do we go about defending an IT estate as large and complex as this one?​

It’s a challenge that couldn’t be better illustrated than with the perpetual battle against Qakbot. With delivery mechanisms and TTPs that shift week to week, a repertoire ranging from access-for-sale to the deployment of ransomware and no scruples about targeting healthcare organizationsfrom its operators, Qakbot truly is a formidable adversary.​

In this talk we walk through:​

  • A brief overview of the NHS and the role NHS Digital CSOC plays in its defence​
  • The scale of the challenges facing security teams tasked with securing the NHS against the likes of Qakbot, and why common malware poses such an acute threat​
  • The critical role threat hunting (and intelligence) plays in that defence, with technical breakdowns of Qakbot TTPs, the methods we use to stay ahead of them, and the key advantages afforded by Microsoft Defender for Endpoint​
  • Examples of the mistakes, successes, close calls, and critical lessons learned in the interminable battle against Qakbot and its contemporaries

Houdini of the Terminal

Speaker: David Leadbeater, G-Research (Twitter | LinkedIn)
Abstract: Text based terminals have used escape sequences in some form since at least the 1970s. Windows has for a long time had fairly limited support for them, using a different method to perform out of band messaging. As a result of the support added for Windows Subsystem for Linux (WSL), Windows gained support for common terminal escape sequences and now they are the preferred method for formatting and related functions.

Just like XSS, if an escape sequence ends up being sent unsanitized to a terminal it can be used to do unexpected things. This can range from changing formatting outside of the area where the text should have been inserted or if the terminal has a vulnerability anything from a DoS to remote code execution.

This risk has existed in Unix terminals for many years, for example 20 years ago it was discovered a terminal’s title can be read back and in some cases that can result in code execution. Terminals now disable this by default or do not implement it.

We will explore over 20 years of terminal vulnerabilities, from attacks via Apache’s log files to attacking via Kubernetes.

Our research found several severe bugs in common terminals and we have used them to perform a chained exploit from low privileges on a Kubernetes cluster to obtaining RCE on an administrator’s machine. This builds on the research done by CyberArk in early 2022, which found the original kubectl bug (CVE-2021-25743).

Along the way we’ll discuss some other bugs we found in both Windows and Unix utilities and how to achieve some level of defense-in-depth against this kind of threat.

Through the Eyes of a Guest

Speaker: Callum Carney (Twitter)
Abstract: This talk will walk you through months of external research into how identities were incorrectly handled within Microsoft internal systems, from uncovering an unusual way to gain access to a privileged Azure AD tenant, to navigating multiple systems with unrestricted access to customer data and confidential information, all the way through to trying to create enough noise to raise awareness and working with MSRC to fix the issue.

Catch Me If You Can in the Eyes of Authorization

Speakers: Cameron Vincent (Twitter) & Sean Hinchee, Microsoft
Abstract: Ever wonder how one of the top participants in the Microsoft bug bounty program was finding security issues across Azure for many years? Or what about the other side? Ever wonder what the perspective was like from a MSRC security engineer working on these submissions and finding a more holistic approach towards them? In this talk you are going to get the best of both worlds. Not only will you hear about the offensive side from a former full time bug bounty hunter, but you’ll also get to hear from a MSRC engineer that was dealing with these submissions firsthand. The specific type of issues that will be discussed in this talk are going to be AuthZ/Authorization related issues. This is an extremely common area where many services and companies have been failing. In this talk Cameron Vincent is going to go over how he was hunting across Microsoft and other services for these types of issues. He will discuss some examples and techniques that were used when hunting for specific AuthZ/Authorization issues for many years. Sean Hinchee is then going to talk about what the defensive side was like. He will then dive deep into some open-source tools that he developed to help try and catch these types of authorization issues at a more automated scale.


Related Posts