Trends at Blackhat Asia 2022 – Kubernetes, Cloud Security and more

This week BlackHat Asia 2022 took place in hybrid mode. It is one of the most important events in the #infosec community, where security experts show how far they can go. In this edition, the talks and tools were focused on improving the security of Kubernetes, the cloud and the software supply chain, from both the blue team and the red team perspective.


In this article, we share our insights on a few of the talks and tools we liked, and give you an idea of the trends we expect to see in cybersecurity this year.

Briefings

During the two days of Blackhat Asia briefings, we were able to attend several high-level talks on cybersecurity. These are, in our opinion, the most remarkable ones.

  • Backdoor Investigation and Incident Response: From Zero to Profit
    • Managing a security incident in which a backdoor is involved is not trivial. This talk presents the Backdoor Incident Response Matrix (BDIRM), a framework built on a triangle (server, backdoor and network) for acquiring and analyzing data in order to understand the attacker's access, improve attribution, and derive better indicators of compromise and detection techniques.

  • The Firmware Supply-Chain Security Is Broken: Can We Fix It?
    • Dependencies are a headache for any security auditor or developer, and even more so when you do not have full visibility into them. In some cases, vulnerable firmware components stay in use because the vulnerability is not exploitable on its own. When a second vulnerability later appears in another component, it can make the first one exploitable, so the real risk of old vulnerabilities that stayed latent with a low score is much harder to see.

  • Using Zero to Attack Zero-Knowledge Proof (ZKP) PLONK
    • This talk reviews a striking but real case of theory versus practice. The speaker discusses a critical issue in a cutting-edge C++ implementation of the PLONK ZKP scheme that allows an attacker to create a forged proof that every verifier will accept.

  • Quantify Security Effectively – Moving the Security Needle From the Security Trenches to the Boardroom
    • One of the keynotes. The speaker shared compelling ideas such as defining a shared responsibility model between developers and the cybersecurity team. Understanding who owns the vulnerability and who owns the mitigation is key to avoiding future incidents and wasted time and money. Fixes have to be escalated and prioritized; otherwise, fixing everything is not achievable.
    • Another impressive concept is quantifying success in cybersecurity: you have to measure it in order to check whether the measures you take are actually effective.

  • Like Lightning From the Cloud: Finding RCEs in an Embedded TLS Library and Toasting a Popular Cloud-connected UPS
    • This talk shows why correct error handling in code matters. The presenters explained how exploiting the flaws would let an attacker control switches and systems such as a UPS (an uninterruptible power supply keeps systems powered when mains power fails), and how the exploit carries over to different vendors because they share the same implementation.
      During the demonstration they caused the device to burn out.

  • Dynamic Process Isolation
    • An explanation of a remote Spectre attack that uses amplification techniques in combination with a remote timing server. The authors contribute a process isolation mechanism that isolates only the worker scripts flagged as suspicious by a detection mechanism. The Dynamic Process Isolation paper shows that this detection covers the state-of-the-art variants of this kind of attack.

Arsenal

Several tools were presented at Blackhat Asia this time. Although not necessarily new, it is always interesting to see new features or to discover tools we did not know about. Worth noting is how the point of view changes from one area to another: the Kubernetes tools are intended for red teams, while the supply chain tools are focused on use by blue teams.

  • Kubesploit
    • An open source penetration testing framework that can improve your security posture by scanning your cluster and also by running post-exploitation attacks. This tool is a must in your toolbox.

  • Kdigger
    • This CLI tool is similar to the previous one and is also recommended, as it keeps adding improvements. The demo presents its features in a minik8s-ctf environment, which is a great place to test and try out the new features.

  • ThunderCloud

  • Supply chain tools
    • Three tools were presented for supply chain attacks. Dependency Combobulator detects dependency confusion using heuristics, for example whether the repository is public or how long it has been since the last change. packj is similar, but it also checks package metadata (for example whether the maintainer has 2FA enabled) and detects typosquatting, finding packages whose names are close to the intended one so that a mistyped name does not pull in an attacker's package. ChainAlert focuses on automating the detection of dependency compromise by diffing the tags on GitHub against the versions published to npm, although detection is still very limited.

  • Pwnppeteer is an offensive tool for managing phishing attacks, using Lambda functions to automate the process.

  • Telegrip assists in extracting evidence from Telegram on Android devices, with an Autopsy-like UI. A great forensic tool.
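
As an added illustration of the supply chain checks just described, here is a toy Python version of the three ideas: dependency-confusion heuristics (name present on the public registry, package age, public repository, maintainer 2FA), typosquatting detection by edit distance, and the npm-versus-GitHub tag diff. This is not code from Dependency Combobulator, packj or ChainAlert, and the registry metadata, versions, tags and dates are constructed for the example.

```python
# Added example (not code from Dependency Combobulator, packj or ChainAlert):
# toy versions of the three supply chain checks described in the Arsenal
# section. All registry metadata, tags, versions and dates are constructed.
from datetime import datetime, timezone


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two names; a small distance suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def typosquat_candidates(name, registry_names, max_distance=2):
    """Public packages whose name is within max_distance edits of `name`."""
    return sorted(n for n in registry_names
                  if n != name and levenshtein(n, name) <= max_distance)


def dependency_confusion_findings(private_name, public_registry, now):
    """Heuristics in the spirit of Dependency Combobulator / packj: a private
    package name that also exists on the public registry is a confusion risk;
    a young public package, no public repository or a maintainer without 2FA
    make the finding more suspicious."""
    pkg = public_registry.get(private_name)
    if pkg is None:
        return []
    findings = ["name exists on public registry"]
    age_days = (now - pkg["created"]).days
    if age_days < 30:
        findings.append(f"public package created only {age_days} days ago")
    if not pkg.get("repository"):
        findings.append("no public source repository")
    if not pkg.get("maintainer_2fa", False):
        findings.append("maintainer without 2FA")
    return findings


def unmatched_versions(npm_versions, github_tags):
    """ChainAlert's idea: versions published to npm with no matching GitHub tag
    were not cut from the repository, so they may come from a compromised
    maintainer account. A leading 'v' on tags or versions is ignored."""
    tags = {t.lstrip("v") for t in github_tags}
    return [v for v in npm_versions if v.lstrip("v") not in tags]


# Constructed sample data: a public lookalike of an internal package name,
# two real-looking public packages, and a typosquat of one of them.
NOW = datetime(2022, 5, 20, tzinfo=timezone.utc)
PUBLIC_REGISTRY = {
    "acme-internal-utils": {"created": datetime(2022, 5, 10, tzinfo=timezone.utc),
                            "repository": None, "maintainer_2fa": False},
    "lodash": {"created": datetime(2012, 4, 23, tzinfo=timezone.utc),
               "repository": "https://github.com/lodash/lodash",
               "maintainer_2fa": True},
    "lodahs": {"created": datetime(2022, 5, 1, tzinfo=timezone.utc),
               "repository": None, "maintainer_2fa": False},
    "express": {"created": datetime(2010, 12, 29, tzinfo=timezone.utc),
                "repository": "https://github.com/expressjs/express",
                "maintainer_2fa": True},
}
NPM_VERSIONS = ["1.0.0", "1.0.1", "1.1.0"]   # constructed registry history
GITHUB_TAGS = ["v1.0.0", "v1.0.1"]           # constructed: 1.1.0 was never tagged


if __name__ == "__main__":
    for name in ["acme-internal-utils", "acme-not-published"]:
        print(name, dependency_confusion_findings(name, PUBLIC_REGISTRY, NOW))
    print("typosquats of lodash:", typosquat_candidates("lodash", PUBLIC_REGISTRY))
    print("npm-only versions:", unmatched_versions(NPM_VERSIONS, GITHUB_TAGS))
```

In practice the same checks run against live registry and GitHub API data; the thresholds (30 days, two edits) are arbitrary choices for the example and are exactly the kind of heuristic the tools tune to keep false positives manageable.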

Next conference – KubeCon EU

These were the most relevant takeaways from Blackhat Asia. As expected, the three main topics, Kubernetes security, cloud security and supply chain attacks, stay on track with more content and tools, and we expect this to continue over the long term.

There are still a few months until the next BlackHat in Las Vegas, but next week we will be at KubeCon Europe in Valencia!


If you'd like to meet us, we will be at KubeCon for the whole week. Come visit us at the Sysdig booth or attend the security talk How Attackers Use Exposed Prometheus Server to Exploit Kubernetes Clusters.

The post Trends at Blackhat Asia 2022 – Kubernetes, Cloud Security and more appeared first on Sysdig.

Article Link: Trends at Blackhat Asia 2022 - Kubernetes, Cloud Security and more – Sysdig