NCC Group Research at Black Hat USA 2022 and DEF CON 30

This year, NCC Group researchers will be presenting at least five presentations at Black Hat USA and DEF CON 30.

A guide to these presentations (abstracts, dates, and links) is included below. We will also update this post with any additional presentations as they are accepted and announced.

Virtually or in-person, we hope you will join us!

Black Hat USA 2022

  • RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise (Iain Smart & Viktor Gazdag, NCC Group)
  • MacAttack – A client/server framework with macro payloads for domain recon and initial access (Chris Nevin, NCC Group)
  • Responding to Microsoft 365 security reviews faster with Monkey365 (Juan Garrido, NCC Group)

DEF CON 30

  • Pursuing Phone Privacy Protection (Matt Nash, NCC Group & Mauricio Tavares, Privacy Test Driver)
  • Hidden Payloads in Cyber Security (Chantel Sims, NCC Group)

Black Hat USA 2022

RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise

Iain Smart & Viktor Gazdag, NCC Group

Black Hat USA 2022 – Briefings

August 10-11 2022

In the past 5 years, we’ve demonstrated countless supply chain attacks in production CI/CD pipelines for virtually every company we’ve tested, with several dozen successful compromises of targets ranging from small businesses to Fortune 500 companies across almost every market and industry.

In this presentation, we’ll explain why CI/CD pipelines are the most dangerous potential attack surface of your software supply chain. To do this, we’ll discuss the sorts of technologies we frequently encounter, how they’re used, and why they are the most highly privileged and valuable targets in your company’s entire infrastructure. We’ll then discuss specific examples (with demos!) of novel abuses of intended functionality in automated pipelines which allow us to turn the build pipelines from a simple developer utility into Remote Code Execution-as-a-Service.

Is code-signing leading your team into a false sense of security while you programmatically build someone else’s malware? Is it true that “any sufficiently advanced attacker is indistinguishable from one of your developers”? Have we critically compromised nearly every CI/CD pipeline we’ve ever touched? The answer to all of these questions is yes.

Fortunately, this presentation will not only teach you exactly how we did it and the common weaknesses we see in these environments, but also share key defensive takeaways that you can immediately apply to your own development environments.


MacAttack – A client/server framework with macro payloads for domain recon and initial access

Chris Nevin, NCC Group

Black Hat USA 2022 – Arsenal

August 10-11 2022

While using macros for malicious purposes is nothing new, this tool provides a suite of payloads ideal for initial recon and footholds that will not burn other methods of attack. MacAttack is a framework that generates payloads for use in Excel and includes client/server communication to perform dynamic alterations at runtime and collate received data. The payloads included in MacAttack cover a number of areas that have not been published before, including a new stealth technique for hiding payloads, methods for retrieving a user’s hash, and performing common recon/early-stage attacks such as AS-REP roasting, retrieving documents, browser credentials, password spraying the domain, enumerating users, and domain fronting. The client/server communication and GUI will allow for dynamic checks such as only allowing a password spray to run once, or once within a certain time period, even if multiple targets enable the payload at the same time, and will provide a visual representation of the enumerated information. Part of the benefit of this tool is that this information is retrievable from a “zero foothold” position: a phishing campaign may be detected or blocked, but this does not burn any existing beacons, and the potential rewards can be as great as multiple sets of credentials for users and relevant authentication portals. Microsoft are rolling out changes to macros that have still not been fully deployed by the time of the deadline, and research into these changes and their impacts will be included in the discussion. It looks like these changes will only affect O365 to begin with and will include a “recommended policy” to implement.


Responding to Microsoft 365 security reviews faster with Monkey365

Juan Garrido, NCC Group

Black Hat USA 2022 – Arsenal

August 10-11 2022

Monkey365 is a multi-threaded plugin-based PowerShell module to help assess the security posture of not only Microsoft 365, but also Azure subscriptions and Azure Active Directory. It contains multiple controls and currently supports CIS, HIPAA, GDPR, as well as custom security rules.


DEF CON 30

Pursuing Phone Privacy Protection

Matt Nash (NCC Group) & Mauricio Tavares (Privacy Test Driver)

DEF CON 30 – Crypto & Privacy Village

August 11-14 2022

New year, new challenges to privacy.

You are in a public event, or a coffee shop. Did a notification just tell you about a sale nearby? Why is this app showing ads for the car you rented and told your friend about? Is Santa Claus the only one who knows if you’ve been naughty or nice? “Maybe if I run a VPN I will be safe.” This is wishful thinking at best; it only helps to deal with some privacy attacks. You see, smart phones are little snitches. By design.

They listen to you. They know where you go, what you purchase, and who you interact with. And they never sleep or take vacations.

You can fight back. You can regain (at least some) control of your privacy! But it will not be done buying some magic software and pressing the EZ button. Some assembly is required.

If you are willing to roll up your sleeves and take your brave pill, join us in this workshop as we show how to build your Android phone with the balance between privacy, security, and convenience that fits your comfort level.

Attendees will come out of this workshop with a privacy mindset:

  • Appreciating the privacy and security implications of using a smart phone in general — specifically consumer Android devices.
  • Knowing how to achieve different levels of privacy in their phones and understanding the costs and benefits of each approach.
  • Understanding what “attribution of traffic” (tying an IP address to a person through a VPN) is.
  • Finding out which apps are privacy-respecting, and how to contain untrusted apps that may be a “must have”.

Who should take this workshop:

  • Privacy-conscious smartphone users who would like to understand and control what their phones share about them.

Audience Skill Level:

  • Intermediate
  • Entry level, if you have studied the instructions and are prepared to hit the ground running. Or if your team is willing to help you out. We will NOT be able to wait for you to install 374 OS updates, download and install VirtualBox, and then build a Linux VM.

Attendees’ requirements

  • An understanding of basic Linux commands.
  • Be comfortable with the idea of installing an aftermarket firmware/OS (“ROM”) on a mobile device. Soft/hard “bricking” is a possibility, so having a spare phone may be a good investment.
  • Follow additional instructions provided on the GitHub repository (https://github.com/matthewnash/building-phone-privacy/wiki) ahead of the workshop.

What students should bring (or do beforehand)

  • An Android phone that has been configured per the GitHub instructions.
  • Alternatively, a laptop with Android Studio installed.
  • A learning attitude.


Hidden Payloads in Cyber Security

Chantel Sims, NCC Group

Black Hat USA 2022 – Girls Hack Village

August 10-11 2022

Cybersecurity has a diversity problem. We all know this. Executives and managers believe that filling job roles and enacting diversity initiatives is where the work begins and ends. Even though we are aware of this diversity problem, we’ve only just begun to start the conversation of how “bias” directly impacts hiring practices and cyber operations themselves. Our lack of observation of our biases has also made most of us blind to the biases that exist within our security tools and operations. To be fair, social engineering is the one, if not the only, place where we bend and manipulate bias to our will. But I believe we should do the same within our operations as a whole.

In 2018, Joy Buolamwini began to research and call out algorithmic bias and its impacts. Through Joy and Timnit Gebru’s research, the tech community has finally started to acknowledge the real-world implications of biased algorithms. As humans, we tend to “believe what we think”. It’s not common practice for most humans to question or challenge their thought bubbles. Most humans are aware that a thought doesn’t necessarily equate to being factual in reality, but the action of diving deeper seems to be staved off by our egos and credulous brains. I’d argue that our ‘inaction’ to dive deeper into our own personal biases is a precursor to writing biased code or tools and affects cyber operations in general, which therefore contributes to a continuing cycle of cyber operations embedded with bias.