Transformational developments in cybersecurity and agentic AI were front and center during presentations and product announcements at Black Hat and DEF CON in Las Vegas last week.
Here are the top takeaways from hacker summer camp that CISOs should consider while developing their cybersecurity strategies.
AI continues to create fresh avenues for attack
Security researchers from Zenity presented vulnerability chains that exploit rogue prompts and affect many flagship enterprise AI assistants, including ChatGPT, Gemini, Microsoft Copilot, and more. Some of the so-called AgentFlayer attacks involve tricking users into making a bad click while others work without any user interaction, making them 0-click attacks.
For example, a proof-of-concept exploit developed by Zenity’s researchers facilitated attacks against ChatGPT Connectors, a technology that enables enterprises to link the chatbot to third-party file and document storage services.
Providing users can be tricked into uploading and requesting a summary of a booby-trapped document from ChatGPT, a hidden prompt is triggered that searches for API keys in the connected Google Drive account before forwarding this sensitive information to a potential attacker.
CSO’s Lucian Constantin expands on this and other attacks on popular AI agents demonstrated by Zenity.
Systems that link large language models (LLMs) to enterprise data repositories are increasingly popular. During another presentation at Black Hat, David Brauchler, technical director at NCC Group, demonstrated how these systems opened new mechanisms to extract passwords.
The root cause of the issue is a failure to assign proper permissions to users and the data they access, according to Brauchler, who called for the application of zero trust principles to AI environments by, for example, assigning trust labels to all application data.
Guardrails and other existing defenses are inadequate, NCC has discovered through a combination of customer engagements and research. “We have been able to use large language models to compromise database entries, get code execution in environments, take over your cloud,” Brauchler told CSO.
Vaults can be cracked open
Critical vulnerabilities in popular enterprise credential vaults were unveiled by security researchers from Cyata during Black Hat.
The flaws in various components of HashiCorp Vault and CyberArk Conjur — responsibly disclosed to the vendors and patched before their disclosure — stemmed from subtle logic flaws in authentication, validation, and policy enforcement mechanisms, as CSO reported in our story on the research.
Secrets vaults store credentials, tokens, and certificates that govern access to systems, services, APIs, and data while offering role-based access controls, secret rotation and auditing functions. Designed for integration with DevOps tools, these technologies often form an integral part of software development pipelines.
Security of hardware components merits closer examination
Flaws in the firmware that ships with more than 100 models of Dell business laptops threatened the security of hardware subcomponents designed to secure biometric data, passwords, and other secrets.
Security researchers at Cisco Talos used Black Hat to demonstrate how flaws in the ControlVault3 (CV) firmware and associated chips in Dell laptops could be used to bypass Windows login given physical access to a vulnerable laptop. In the worse-case scenario, one of the vulnerabilities discovered by Cisco Talos would allow attackers to plant a malware implant capable of surviving even an operating system reinstallation.
All five of the vulnerabilities were addressed by driver and firmware updates released by Dell between March and May 2025.
Cisco Talos selected ControlVault as a target for security research because the technology is widely used for security and enhanced logins but little studied by security researchers. Philippe Laulheret, senior vulnerability researcher at Cisco Talos, told CSO that the affected technology was limited to Dell laptops, adding that there is no evidence of exploitation of the flaws it discovered in the wild.
Multi-tenancy isolation in cloud systems called into question
The security of cloud-based systems fell under the spotlight at Black Hat with a talk on how an undocumented internal protocol in Amazon Elastic Container Service (ECS) running on EC2 hosts was open to exploitation.
Security shortcomings allowed a malicious container task with low identiy and access management (IAM) privileges to impersonate the ECS agent and steal AWS credentials belonging to other, higher-privileged tasks running on the same instance, CSO’s Shweta Sharma reported.
By abusing the ECS agent’s communication channel with the control plane via WebSocket, an attacker can harvest IAM credentials, security researcher Naor Haziz of Sweet Security demonstrated.
Attackers could have crashed Windows domain controllers and built a botnet using unauthenticated remote procedure call (RPC) and Lightweight Directory Access Protocol (LDAP) vulnerabilities.
The attack breaks assumptions of container isolation on ECS EC2, enabling privilege escalation and lateral movement within the cloud environment. Containers sharing one EC2 instance are effectively in the same trust domain unless users enforce isolation, the research demonstrated. AWS recommends adopting stronger isolation models such as Fargate as a countermeasure.
Windows research uncovers new botnet vector
During DEF CON, security researchers from SafeBreach detailed novel denial-of-service (DoS) and distributed denial-of-service (DDoS) attack techniques against Windows systems dubbed Win-DDoS.
The attack involves remotely crashing domain controllers or other Windows endpoints on internal networks, using the RPC framework combined with a set of zero-click vulnerabilities affecting Windows services.
The discovery came as part of a follow-up research on a previous Windows LDAP RCE vulnerability, LDAPNightmare, as previously reported.
No Responses