Black Hat Archives

Tech Optimizer

August 29, 2025

New type of ransomware created with AI shows how easy it is to evade antivirus detection now

Researchers from SlashNext have revealed a new ransomware variant developed using artificial intelligence, which was discussed at the Black Hat USA conference. This ransomware can be created quickly using generative AI platforms, allowing attackers to bypass traditional coding methods and evade detection by standard antivirus solutions. In tests, the AI-generated ransomware successfully circumvented most major security suites, posing significant threats to financial institutions, businesses, and everyday users. The malware can modify its structure with each execution, complicating traditional detection methods. Unlike previous ransomware, this variant can be assembled in hours or days. The accessibility of AI tools enables individuals with limited coding skills to create sophisticated malware, challenging the belief that technical barriers deter attackers. Companies and IT teams are urged to reevaluate their cybersecurity strategies, as conventional antivirus tools may no longer suffice. Security professionals should monitor for unusual behaviors and invest in automated detection systems that utilize machine learning.

Winsage

August 8, 2025

Warning: Windows Hello Security Bypassed Using Other People’s Faces

A vulnerability in the Windows Hello facial recognition sign-in system was demonstrated at the Black Hat hacking conference by Dr. Baptiste David and Tillmann Osswald from ERNW Research. They showed that an individual with local admin credentials could bypass the security mechanism by injecting biometric information, allowing the system to recognize any face or fingerprint. This issue stems from the architecture of Windows Hello, which uses a cryptographic key stored in a database linked to the Windows Biometric Service. Although Microsoft's Enhanced Sign-in Security feature could help mitigate such attacks, it is often disabled due to hardware requirements. Researchers suggest that fixing the vulnerability would require significant code changes by Microsoft and recommend users disable biometric authentication in favor of a traditional PIN for better security.

Winsage

August 8, 2025

German researchers show ‘Windows Hell No’ flaw at Black Hat

Microsoft is working to move Windows users away from traditional passwords to its Hello biometrics system. Researchers from ERNW Research, supported by the German government, discovered a critical vulnerability in Hello that allows individuals with local admin access or malware credentials to inject biometric data, bypassing security measures. Hello facilitates authentication for business users by connecting corporate PCs to platforms like Entra ID or Active Directory, storing a cryptographic key in a database linked to Microsoft's Windows Biometric Service. While Enhanced Sign-in Security (ESS) is designed to mitigate such vulnerabilities, not all PCs are compatible with it. During a presentation, researchers demonstrated the flaw by logging in with a facial scan and then injecting a captured facial scan to unlock the device. They suggested that users without ESS disable biometric authentication and revert to using a PIN. Microsoft has not yet responded to these findings, which are part of a research program called Windows Dissect.

AppWizard

July 15, 2025

Google is doubling down on cybersecurity using AI

Google's AI security agent, Big Sleep, has identified a vulnerability in SQLite, designated as CVE-2025-6965, which was being exploited by hackers. Enhancements have been made to Google's open-source forensics tool, now operating on the upgraded Sec-Gemini platform for improved log analysis and threat detection. Google is set to unveil FACADE, an insider threat detection system that has monitored billions of daily events since 2018 using contrastive learning. At DEF CON 33, Google will co-host a Capture the Flag event with Airbus, involving AI assistants in security challenges. Google is contributing data from its Secure AI Framework to the Coalition for Secure AI to enhance research in cybersecurity. The AI Cyber Challenge, a DARPA-led competition supported by Google, is nearing its conclusion, with winners showcasing AI tools for identifying and rectifying vulnerabilities in open-source software.

Winsage

July 9, 2025

Zero Day Initiative — The July 2025 Security Update Review

In July 2025, Adobe released 13 bulletins addressing 60 unique CVEs across various applications, including ColdFusion, After Effects, and Illustrator. ColdFusion received a Priority 1 patch for 13 CVEs, five of which are Critical. FrameMaker's patch fixed 15 CVEs, including 13 Critical vulnerabilities. Illustrator's update addressed 10 bugs, with the most severe enabling code execution. Other applications like InCopy and InDesign also had Critical vulnerabilities fixed. Microsoft released 130 new CVEs across its products, with 10 rated Critical. Notable vulnerabilities include CVE-2025-47981, a heap-based buffer overflow in Windows SPNEGO, and CVE-2025-49717 affecting Microsoft SQL Server. CVE-2025-49704 allows code injection in SharePoint, while CVE-2025-49695 highlights an attack vector in Microsoft Office's Preview Pane.

AppWizard

June 7, 2025

‘I’m not here to apologize but I am here to clarify’: Splitgate 2 boss says his Make FPS Great Again hat is ‘not a political statement’

1047 Games unveiled a battle royale mode for Splitgate 2 at the Summer Game Fest, announced by CEO Ian Proulx. Proulx wore a hat with the phrase "MAKE FPS GREAT AGAIN," which drew mixed reactions from viewers. He later clarified the hat's message on social media, emphasizing the company's commitment to improving the multiplayer FPS experience. The launch included a shop refresh with a new skin bundle, the most expensive item in the game, prompting discussions about in-game purchase value. The new mode led to a surge in players and technical issues, including problems with the experience points (XP) system, which the company is working to resolve.

Winsage

April 8, 2025

EncryptHub plays dual role as cybercriminal and Windows researcher

EncryptHub, a threat actor linked to intrusions at 618 organizations, reported two Windows zero-day vulnerabilities, CVE-2025-24061 and CVE-2025-24071, to Microsoft, which were resolved in March 2025. The vulnerabilities were reported by an individual named SkorikARI, who has been connected to EncryptHub after the threat actor exposed its login credentials. Researchers at Outpost24 identified this link through multiple pieces of evidence, including exfiltrated password files and a GitHub login associated with SkorikARI. EncryptHub has a history of selling zero-days on hacking forums and has been involved in both freelance development and cybercriminal activities. Despite his expertise, the hacker fell victim to poor security practices, leading to the exposure of personal information and interactions with ChatGPT regarding malware development and self-assessment as a hacker.

Winsage

April 7, 2025

EncryptHub’s dual life: Cybercriminal vs Windows bug-bounty researcher

EncryptHub has been linked to breaches affecting 618 organizations and is associated with the disclosure of two Windows zero-day vulnerabilities, CVE-2025-24061 and CVE-2025-24071, to Microsoft. The vulnerabilities were addressed during the March 2025 Patch Tuesday updates, and the reporter was acknowledged as 'SkorikARI with SkorikARI.' Investigations revealed a connection between EncryptHub and SkorikARI, following an incident where EncryptHub exposed their credentials. SkorikARI's accounts were used to report the vulnerabilities, contributing to Windows security. Evidence linking SkorikARI to EncryptHub includes password files exfiltrated from EncryptHub's system and a GitHub account associated with SkorikARI. EncryptHub has previously attempted to market zero-day vulnerabilities on underground forums and is believed to have affiliations with ransomware groups. The threat actor has executed social engineering campaigns, phishing attacks, and developed a custom infostealer known as Fickle Stealer. They created fictitious social media profiles and websites, such as a fake project management application called GartoriSpace, which installed malicious files on unsuspecting users. EncryptHub has also been implicated in exploiting a Microsoft Management Console vulnerability, CVE-2025-26633.

Winsage

October 28, 2024

Windows ‘Downdate’ Attack Makes Patched PCs Vulnerable

Recent findings have identified a vulnerability in fully patched Windows 11 systems that allows attackers to install custom rootkits, which can bypass endpoint security and maintain persistence on compromised systems. This vulnerability is linked to a downgrade attack technique demonstrated by SafeBreach researcher Alon Leviev at Black Hat USA 2024, using an exploit tool called Windows Downdate. This tool enables an attacker with administrative access to manipulate the Windows Update process, reverting patched components to vulnerable states. Leviev's demonstration showed that even systems using virtualization-based security (VBS) are at risk, as he could downgrade VBS features and expose previously fixed privilege escalation vulnerabilities. Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) but has not addressed the core issue of the downgrade capability. Microsoft maintains that the ability for an admin-level user to gain kernel code execution does not cross a security boundary. Leviev released details of a new downgrade attack on October 26, using the Windows Downdate tool to revive a driver signature enforcement bypass attack. He categorized this flaw as False File Immutability (FFI), exploiting incorrect assumptions about file immutability. He noted that downgrading specific OS modules, like CI.dll, allows exploitation even with VBS enabled. Tim Peck from Securonix highlighted that the attacks exploit Windows' failure to validate DLL version numbers properly, enabling the use of outdated, vulnerable files. Microsoft is actively developing mitigations against these risks, including a security update to revoke outdated VBS system files, although specific measures and timelines are not yet disclosed.

Winsage

October 28, 2024

Windows kernel components can be installed to bypass defense systems

Cybersecurity experts have discovered a method that allows cybercriminals to bypass Windows security features, specifically Driver Signature Enforcement (DSE), enabling the installation of rootkits on fully updated systems. Alon Leviev from SafeBreach reported that the exploit involves downgrading specific Windows kernel components, making Windows 11 devices particularly vulnerable. Despite notifying Microsoft, no fix has been implemented, as the company stated the vulnerability does not breach a “security boundary” since administrator access is required for exploitation. Leviev presented this vulnerability at the Black Hat and DEF CON 2024 conferences, introducing a tool called Windows Downdate that can reactivate previously patched vulnerabilities. He demonstrated downgrading components on Windows 11 to bypass DSE and install rootkits that disable security software. A key part of his attack involved replacing the ci.dll file with an unpatched version, which requires a system restart and disguises the action as a routine update. Leviev also showed methods to disable Virtualization-Based Security (VBS) by modifying settings and files. Microsoft is working on a solution to block outdated system files and prevent downgrade attacks, but the timeline for this fix is uncertain due to the need for thorough testing. Leviev advises organizations to remain vigilant against downgrade attacks until a resolution is available.