惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Hacker News
The Hacker News
C
Cisco Blogs
P
Privacy & Cybersecurity Law Blog
Cloudbric
Cloudbric
S
Security Affairs
PCI Perspectives
PCI Perspectives
The Last Watchdog
The Last Watchdog
AWS News Blog
AWS News Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
N
News and Events Feed by Topic
W
WeLiveSecurity
T
Tenable Blog
L
LINUX DO - 最新话题
T
Tor Project blog
Help Net Security
Help Net Security
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
P
Proofpoint News Feed
爱范儿
爱范儿
O
OpenAI News
Hacker News - Newest:
Hacker News - Newest: "LLM"
Y
Y Combinator Blog
I
Intezer
C
Check Point Blog
Stack Overflow Blog
Stack Overflow Blog
Recent Announcements
Recent Announcements
Google DeepMind News
Google DeepMind News
S
Securelist
P
Privacy International News Feed
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
Vulnerabilities – Threatpost
Schneier on Security
Schneier on Security
量子位
SecWiki News
SecWiki News
L
Lohrmann on Cybersecurity
T
Threat Research - Cisco Blogs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
M
MIT News - Artificial intelligence
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Scott Helme
Scott Helme
H
Help Net Security
Vercel News
Vercel News
云风的 BLOG
云风的 BLOG
Spread Privacy
Spread Privacy
Know Your Adversary
Know Your Adversary
I
InfoQ
TaoSecurity Blog
TaoSecurity Blog
Blog — PlanetScale
Blog — PlanetScale
N
News | PayPal Newsroom
小众软件
小众软件
C
CERT Recently Published Vulnerability Notes

Wiz Blog | RSS feed

Meet Wiz for M365: Bringing SaaS into the Security Graph Bringing Security Visibility to Vercel with Wiz Axios NPM Distribution Compromised in Supply Chain Attack Tracking TeamPCP: Investigating Post-Compromise Attacks Seen in the Wild The Wiz Blue Agent, now Generally Available Beyond the Badge: What Achieving Microsoft’s Certified Software Designation Means for Your Cloud Security Introducing the Green Agent: AI-Powered Remediation for the Cloud Three’s a Crowd: TeamPCP trojanizes LiteLLM in Continuation of Campaign KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack Introducing the Wiz Red Agent- AI-Powered Attacker Introducing Wiz AI Application Protection Platform (AI-APP) Introducing Wiz Agents & Workflows: Security at the Speed of AI AI Runtime Threat Detection: From Input to Real-World Impact Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack It’s Official: Wiz Joins Google Understanding and Reducing AI Risk in Modern Applications Introducing Wiz Tenant Manager: Multi-Tenant Management for Federated Organizations The Agile FedRAMP Playbook, Part 4: Reactive Risk Management through Enriched Incident Response Wiz Achieves CPSTIC Certification in Spain Seeing AI Clearly: Building Visibility Across Modern AI Applications The Agile FedRAMP Playbook, Part 3: Preventative Risk Management by building Secure by Design Wiz Leads the 2026 Latio Application Security Report with awards in 4 categories Building an Agentic Cloud Security Ecosystem: A Reference Architecture with Wiz MCP and Infosys Cyber Next The Agile FedRAMP Playbook, Part 2: Proactive Risk Management with Continuous Monitoring Cloud-native Security for your Windows environment: Announcing the Wiz Runtime Sensor for Windows Would You Click ‘Accept’? Automatically detecting malicious Azure OAuth applications using LLMs Wiz Named a Leader in The Forrester Wave™: Cloud Native Application Protection Solutions, Q1 2026 From Detection to Remediation: It’s Time to Rethink AppSec Around Exploitability and Root Cause Fixes The Agile FedRAMP Playbook, Part 1: Why Risk is Your Best Starting Point Introducing AI Cyber Model Arena: A Real-World Benchmark for AI Agents in Cybersecurity Wiz + Spotify Backstage: Security at the Developer’s Desk Building AI Security Together: New Ways to Partner with Wiz for AI Security in 2026 Hacking Moltbook: The AI Social Network Any Human Can Control The Year in Wiz Research: 2025 Most Read Blogs WizExtend is Here: AI and Cloud Security Insights in Your Daily Workflow From Detection to Remediation: Wiz in Your JetBrains IDE Agentic Browser Security: 2025 Year-End Review CodeBreach: Infiltrating the AWS Console Supply Chain and Hijacking AWS GitHub Repositories via CodeBuild A 90-Day Action Plan to Turn Resolutions into Results with Wiz Introducing the Wiz Partner Alliance: A New Chapter for Partner Success Preparing for Post-Quantum Cryptography Wiz Recognized as a 2025 Customers’ Choice in the Gartner® Peer Insights™ Voice of the Customer for CNAPP Expanding the Zero Critical Club to set a new standard for AppSec and SecOps teams Snipping the Long Tail of Shai-Hulud 2.0 Protecting Against Zero-Day Vulnerabilities with SOC-Level ASM Alert MongoBleed (CVE-2025-14847) exploited in the wild: everything you need to know The Kenna Transition: Your Strategic Shift to Exposure Management From MCP to Vibe Coding: Full Endpoint Visibility in Wiz AI Security Bringing Oracle Cloud Identity to Wiz Zero‑Days in the Age of AI: Behind the Scenes of ZeroDay.cloud 2025, with a Record High of CVEs in Critical Cloud Infra Gogs 0-Day Exploited in the Wild Code to Cloud Attacks: From Github PAT to Cloud Control Plane Top AWS re:Invent Announcements for Security Teams in 2025 React2Shell: Technical Deep-Dive & In-the-Wild Exploitation of CVE-2025-55182 React2Shell (CVE-2025-55182): Everything You Need to Know About the Critical React Vulnerability Wiz Product Announcements at re:Invent 2025: Expanding Visibility from Code to Cloud Introducing Wiz SAST: Where Code Risk Meets Cloud Context Wiz Becomes Fastest Security ISV to Reach $1 Billion in AWS Marketplace Lifetime Sales It's Here! Wiz Exposure Management is Now GA Shai-Hulud 2.0 Aftermath: Trends, Victimology and Impact Service Catalog is Here: Expand Risk Visibility for Your Service and Its Dependencies, Simplify Issue Ownership WizOS: Powering Secured Image Adoption with AI 3 OAuth TTPs Seen This Month — and How to Detect Them with Entra ID Logs Mastering Software Governance with Hosted Technologies Inventory Shai-Hulud 2.0 Supply Chain Attack: 25K+ Repos Exposing Secrets Get Certified on Wiz Defend for Threat Detection and Response Blueprint for Security: A Guide to Code, Governance, and Response Frameworks Google Unified Security Recommended Program Names Wiz Among First 3 Strategic Partners Introducing Posture Issues: Transform Security Findings into Actionable Outcomes Empower and Accelerate Your SOC with the Blue Agent Exposure Report: 65% of Leading AI Companies Found with Verified Secret Leaks Wizdom 2025 Product Announcements: Extending the Cloud Operating Model When AI Becomes the Heart of Security: Powering a Future You Can Trust AI-Powered Wiz: From Agents to Everyday Intelligence Defend Agentless Workload Detection: Bringing Visibility to Blind Spots in Threat Detection Securing AI Agents with Wiz AI-SPM Introducing Wiz ASM: Context-Driven Attack Surface Management Securing Critical Infrastructure in the Cloud Era: A Policy and Technology Blueprint How CISOs Should Plan Security Budgets for 2026 Beyond the Checkbox: How Wiz Transforms SOC 2 into a Security Powerhouse Bringing Visibility to Kubernetes: Unified Inventory and Network Insight The Foundation Modern AppSec Is Still Missing: Code to Cloud, Rebuilt the Right Way Dismantling a Critical Supply Chain Risk in VSCode Extension Marketplaces Introducing HoneyBee: How We Automate Honeypot Deployment for Threat Research RediShell: Critical Remote Code Execution Vulnerability (CVE-2025-49844) in Redis, 10 CVSS score Defending against database ransomware attacks AI Security 101: Mapping the AI Attack Surface Introducing zeroday.cloud: First-of-its-kind cloud and AI hacking competition Unifying Cloud Risk and Network Defense: Wiz and Check Point The emerging use of malware invoking AI Wiz achieves FedRAMP High authorization Wiz + HCP Terraform: Close the IaC-to-Cloud Infrastructure Security Gap IMDS Abused: Hunting Rare Behaviors to Uncover Exploits Beyond CVEs: The Exploitation of Everyday Misconfigurations Wiz Research Discovers One in Five Organizations Exposed to Systemic Risks in Vibe-Coded Applications - Here's How to Secure Them Introducing Wiz Incident Response: Your Expert Partner for Cloud Security Incidents Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware DORA Compliance in the Cloud Era: Insights from Deloitte and Wiz How Wiz Customers like Brex and FICO See AI Changing Security Wiz Recognized as a Leader in the 2025 IDC MarketScape for ASPM
The 10 must-attend sessions at Black Hat 2021
Benjamin Miller · 2021-06-25 · via Wiz Blog | RSS feed

Black Hat has always been a must-attend event for security professionals. When it opens in Las Vegas in July, it will be one of the first major security conferences to return in person since COVID. For those who can't make it out, you'll still have an opportunity as there are live events happening online that you can watch remotely. There’s a great lineup of sessions this year, with over 140 hours of hands-on labs, briefings, talks, workshops, and expert panels. To help you make the most of your time, we took an informal poll of security professionals attending this year’s event. Here are the top 10 sessions they’re most excited about.

FragAttacks: Breaking Wi-Fi through Fragmentation and Aggregation

Format: 40-Minute Briefings

Tracks:  Cryptography,  Network Security

This presentation introduces three novel security-related design flaws in Wi-Fi and various widespread implementation flaws. An adversary can abuse these to inject packets or exfiltrate selected frames. As an example, it will be demonstrated how packet injection can be used to punch a hole in the router's NAT so the adversary can connect to and exploit internal devices in the network (e.g. BlueKeep against Windows 7).

The first design flaw is present in Wi-Fi's frame aggregation feature where a flag in the Wi-Fi header is not properly protected. The other two design flaws are present in Wi-Fi's frame fragmentation feature where the receiver improperly verifies and manages fragments. Although these design flaws can be non-trivial to exploit, they affect all protected Wi-Fi networks. Some design flaws even affect the ancient WEP protocol meaning these flaws have been part of Wi-Fi since 1997.

In practice, the implementation vulnerabilities are the most concerning. Several are widespread and trivial to exploit. For example, some devices accept plaintext frames in a protected Wi-Fi network and others accept plaintext aggregated frames that resemble handshake messages. The resulting attacks will be demonstrated, such as turning an IoT power socket on and off, and a tool will be released that can be used to test Wi-Fi products against all the discovered vulnerabilities.

More info about the session >

Breaking the Isolation: Cross-Account AWS Vulnerabilities

Format: 40-Minute Briefings

Tracks:  Cloud & Platform Security,  AppSec

Multiple AWS services were found to be vulnerable to a new cross-account vulnerability class. An attacker could manipulate various services in AWS and cause them to perform actions on other clients' resources due to unsafe identity policies used by AWS services to access clients' resources. The vulnerabilities have been proven on three major AWS services (AWS Config, Cloudtrail, and Serverless Repository) and have allowed a potential attacker to write and read certain objects from private S3 buckets.

In this presentation, we will review the discovered vulnerabilities and explain their root cause. We will show how an attacker can perform actions on any account in AWS using these services via the discovered cross-account vulnerability. We believe this is a new class of vulnerabilities that may affect many other services in AWS because the tenant scope is implicitly defined in AWS IAM policies, causing services that allow multi-tenant access to perform unintended actions.

While reporting and working with the AWS security team on resolving these issues, we concluded that the process of updating IAM-related vulnerabilities is sub-optimal. Although AWS acted very quickly to fix the issues, the cloud provider relies on customers to perform the IAM policy updates, which often does not happen. IAM vulnerabilities are not tracked by NIST, do not have a CVE, and do not have scanning tools that provide IAM vulnerability scanning results. The result is that most customers are running with vulnerable IAM policies and have no process to fix them. Furthermore, we discovered that AWS issues hundreds of security updates to its IAM policies, but security teams lack tools to scan for them and prioritize fixing them. It is vital to raise the community awareness of the issue of IAM CVEs because identity-related vulnerabilities are a key attack surface in cloud environments.

We will review the specific mitigations provided to the IAM vulnerabilities we found and discuss the current gaps in the way the vulnerability management process for IAM is handled today.

More info about the session >

HTTP/2: The Sequel is Always Worse

Format: 40-Minute Briefings

Tracks: AppSec, Cloud & Platform Security

HTTP/2 is easily mistaken for a transport-layer protocol that can be swapped in with zero security implications for the website behind it. Two years ago, I presented HTTP Desync Attacks and kicked off a wave of request smuggling, but HTTP/2 escaped serious analysis. In this presentation, I'll take you beyond the frontiers of existing HTTP/2 research, to unearth horrifying implementation flaws and subtle RFC imperfections.

I'll show you how these flaws enable HTTP/2-exclusive desync attacks, with case studies targeting high-profile websites powered by servers ranging from Amazon's Application Load Balancer to WAFs, CDNs, and bespoke stacks by big tech. I'll demonstrate critical impact by hijacking thick clients, poisoning caches, and stealing plaintext passwords to net multiple max-bounties. One of these attacks remarkably offers an array of exploit-paths surpassing all known techniques.

After that, I'll unveil novel techniques and tooling to crack open a widespread but overlooked request smuggling variant affecting both HTTP/1 and HTTP/2 that is typically mistaken for a false positive.

Finally, I'll drop multiple exploit-primitives that resurrect a largely forgotten class of vulnerability, and use HTTP/2 to expose a fresh application-layer attack surface.

I'll leave you with an open-source scanner with accurate automated detection, a custom, open-source HTTP/2 stack so you can try out your own ideas, and free interactive labs so you can hone your new skills on live systems.

More info about the session >

A New Class of DNS Vulnerabilities Affecting Many DNS-as-Service Platforms

Format: 40-Minute Briefings

Tracks:  CorpSec,  Cloud & Platform Security

We present a novel class of DNS vulnerabilities that affect multiple DNS-as-a-Service (DNSaaS) providers. The vulnerabilities have been proven and successfully exploited on three major cloud providers including AWS Route 53 and may affect many others. Successful exploitation of the vulnerabilities may allow exfiltration of sensitive information from service customers' corporate networks. The leaked information contains internal and external IP addresses, computer names, and sometimes NTLM / Kerberos tickets. The root cause of the problem is the non-standard implementation of DNS resolvers that, when coupled with specific unintended edge cases on the DNS service provider's side, cause major information leakage from internal corporate networks.

In this research, we detail a specific vulnerability that is common across many major DNS service providers that leads to information leakage in connected corporate networks. Specifically, we show how Microsoft Windows endpoints reveal sensitive customer information when performing DNS update queries. The security risk is high. If an organization's DNS Updates are leaked to a malicious 3rd party, they reveal sensitive network information that can be used to map the organization and make operational goals. Internal IP addresses reveal the network segments of the organization; computer names hint at the potential content they may hold; external IP addresses expose geographical locations and the organization's sites throughout the world; and internal IPv6 addresses are sometimes accessible from the outside and allow an entry point into the organization. The impact is huge. Out of six major DNSaaS providers we examined, three were vulnerable to nameserver registration.

Any cloud provider, domain registrar, and website host who provides DNSaaS could be vulnerable. The number of organizations vulnerable to this weakness is shocking. Over a few hours of DNS sniffing, we received DNS Updated from 992,597 Windows endpoints from around 15,000 potentially vulnerable companies, including 15 Fortune 500 companies. In some organizations, there were more than 20,000 endpoints that actively leaked their information out of the organization. Exploiting the weakness is very easy. A single attacker with a single cloud account can get information on thousands of organizations in one step. There are several possible mitigations to this problem. We will review the solutions for both DNSaaS providers and managed networks.

More info about the session >

Can You Roll Your Own SIEM?

Format: 40-Minute Briefings

Tracks:  CorpSec,  Data Forensics & Incident Response

At Two Sigma, we had sunk over $1 million in licensing for a popular third-party SIEM product and were paying an additional $200,000 in annual maintenance. We were limited on what data sources we could leverage as our license was restricted to a low daily ingestion rate. As our company began to explore cloud transformation broadly, we in Security began investigating competitive options for our event collection and analysis platform. We wanted to know if we could roll our own cloud-native SIEM more efficiently while providing greater access to our data, and be as effective as the vendor's solution.

To figure that out, we asked:

  1. Does the vendor SIEM product cover enough of our threat landscape to make it worth the cost?

  2. If not, has our organization made strategic investments in alternate platforms which could be leveraged instead?

  3. If yes, does our team have the skills required to implement and mold these platforms to our needs?

The answers led us to roll our own SIEM. In our presentation, we'll dig into these questions and decisions in-depth, as well as describe our architecture and several use cases. At the end of the day, we've been running our GCP SIEM for over a year and have moved off the vendor platform. To get started, we wrote less than 6,000 lines of code across a handful of simple tools. We ingest 5TB of data per day and have over 2PB of historical data stored and instantly searchable. In the end, we spent ~$500,000 to build our own SIEM that would have cost us $4 million if we used our third-party vendor. We're also saving an estimated $600,000 year over year in maintenance and subscription fees, plus reducing hardware capital expenditure.

More info about the session >

IPvSeeYou: Exploiting Leaked Identifiers in IPv6 for Street-Level Geolocation  

Format: 40-Minute Briefings

Track:  Network Security

While IP Geolocation -- tying an IP address to a physical location -- is in common use, available public and commercial techniques and tools provide only coarse city-level locations that are often wrong. With "IPvSeeYou," we develop a data fusion attack against residential home routers running IPv6 that provides *street-level* geolocation. We then demonstrate IPvSeeYou by discovering and precisely geolocating millions of home routers deployed in the wild across the world.

We assume a weak adversary who is remote to the target and has no privileged access. Our privacy attack lies in IPv6 addresses formed via EUI-64, which embed the interface's hardware MAC address in the IPv6 address. While EUI-64 IPv6 addresses are no longer used by most operating systems, they are commonly found in legacy and low-profit-margin customer premises equipment (CPE), e.g., commodity routers connecting residential and business subscribers. Because IPv6 CPE are routed hops (as opposed to IPv4 NATs), we can discover their MAC address via traceroute if they use EUI-64.

These CPE are frequently all-in-one devices that also provide Wi-Fi. Crucially, the MAC address of the Wi-Fi interface is often related to the MAC address of the wide area interface, e.g., a +/-1 offset. These Wi-Fi MACs are broadcast (the 802.11 BSSID) and captured by wardriving databases that also record their physical location. By correlating the MAC addresses embedded in IPv6 home router addresses with their Wi-Fi address counterpart, we can remotely geolocate them, fusing virtual data with meatspace.

Last, we demonstrate IPvSeeYou in practice. We develop an Internet-scale IPv6 router discovery technique that finds tens of millions of deployed CPE with EUI-64 addresses. On a per-OUI basis, we map these to a corresponding Wi-Fi BSSID. We search for these BSSID in geolocation databases to successfully map millions of routers, across the world, to a precise geolocation.

More info about the session >

How I Used a JSON Deserialization 0day to Steal Your Money on the Blockchain

Format: 40-Minute Briefings

Tracks:  Exploit Development,  Applied Security

Fastjson is a widely used open source JSON parser with 23'100 stars on GitHub. As a basic module of countless java web services, it serves hundreds of millions of users. We managed to find a way to bypass many security checks and mitigations by using the inheritance process of some basic classes, and achieve remote code execution successfully. We will disclose these high-risk and universal gadgets for the first time in this talk.

Now, we can control many important websites and affect millions of users. Let's make things more interesting. We found that this fastjson vulnerability affects a multi-billion-dollar blockchain. We designed multiple complex gadgets based on the features of the blockchain, and exquisitely achieved information leakage and pointer hijacking. Putting all these gadgets together, we achieved remote code execution on the blockchain nodes.

However, generally after remote code execution, we seem to have no better exploit method other than the 51% attack, which will lead to serious accounting confusion. After a detailed analysis of the architecture design of the public blockchain, we found a way from RCE to steal the public blockchain users' assets almost without any notification.

To the best of our knowledge, this is the first published attack case on the realization of covertly stealing user assets after RCE on the public blockchain nodes. We will propose a more covert post penetration exploit method for public blockchain nodes in this talk.

Blockchain is not bulletproof to security vulnerability and we hope our work can notify blockchain developers and users to be more careful about security.

More info about the session >

Timeless Timing Attacks  

Format: 40-Minute Briefings

Tracks:  Network Security,  AppSec

25 years ago, the first timing attacks against well-known cryptosystems such as RSA and Diffie-Hellman were introduced. By carefully measuring the execution time of crypto operations, an attacker could infer the bits of the secret. Ever since, timing attacks have frequently resurfaced, leading to many vulnerabilities in various applications and cryptosystems that do not have constant-time execution. As networks became more stable and low-latency, it soon became possible to perform these timing attacks over an Internet connection, potentially putting millions of devices at risk. However, attackers still face the challenge of overcoming the jitter that is incurred on the network path, as it obfuscates the real timing values. Up until now, an adversary would have to collect thousands or millions of measurements to infer a single bit of information.

In this presentation, we introduce a conceptually novel way of performing timing attacks that is completely resilient to network jitter. This means that remote timing attacks can now be executed with a performance and accuracy that is similar as if the attack was performed on the local system. With this technique, which leverages coalescing of network packets and request multiplexing, it is possible to detect timing differences as small as 100ns over any Internet connection. We will elaborate on how this technique can be launched against HTTP/2 webservers, Tor onion services, and EAP-pwd, a popular Wi-Fi authentication method.

More info about the session >

Siamese Neural Networks for Detecting Brand Impersonation

Format: 30-Minute Briefings

Tracks:  AI, ML, & Data Science,  Applied Security

Brand impersonation is a key attack strategy in which a malicious user crafts content to look like a known brand to deceive a user into entering sensitive information, such as account passwords or credit card details.

To address this issue, we developed and trained a Siamese Neural Network on labeled images to detect brand impersonation. Specifically, our dataset consists of over 50,000 screenshots of known malicious log-in pages encompassing over 1000 brand impersonations. Our Siamese network learns to embed images of the same brand relatively close together in a low dimensional space while images of different brands are embedded further apart. We then perform a nearest neighbor classification in the embedded space.

To present the results and fully characterize the performance of our Siamese network, we developed metrics that capture how well the Siamese network performs on known as well as previously unseen brands and show how the network outperforms a baseline image hashing algorithm on a held-out training set. We will then discuss further applications and planned enhancements to the baseline machine learning model.

More info about the session >