352: Hacker Leaks AT&T Data! (71 Million Customers Affected!)

Episode 352 March 21, 2024 01:12:17
Technado

Show Notes

It's all about RCE this week on Technado! First up, in our Rapid Fire segment, the new "GhostRace" attack can bypass security checks to access sensitive info. In the ongoing WordPress saga, some miniOrange plugins have a critical flaw - including its malware scanner. Over 130k Fortinet boxes are still susceptible to a month-old (already patched!) flaw, and AT&T suffered a breach exposing 70 million customers' data - or did they?

For fans of Esports and Apex Legends, an RCE flaw forced ALGS finals to shut down - but no one seems to know whose fault it really is. And in our Behind Bars segment, a Moldovan national will serve 42 months in a US prison for selling 350k+ stolen creds.

After a quick break to discuss Robocop (Sophie's latest movie assignment), it's time for a Deep Dive! Daniel takes us through a breakdown of an attack campaign designed to use Captchas, HTML, and other legitimate services to steal information. Finally, Fortra FileCatalyst has a flaw in its file uploading feature. Patch now!

Want to read further? Check out the articles Soph and Dan covered today:

https://www.darkreading.com/cyber-risk/ghostrace-speculative-execution-attack-cpu-os-vendors
https://thehackernews.com/2024/03/wordpress-admins-urged-to-remove.html
https://www.theregister.com/2024/03/18/more_than_133000_fortinet_appliances/
https://www.bleepingcomputer.com/news/security/att-says-leaked-data-of-70-million-people-is-not-from-its-systems/
https://www.bleepingcomputer.com/news/security/apex-legends-players-worried-about-rce-flaw-after-algs-hacks/
https://thehackernews.com/2024/03/e-root-marketplace-admin-sentenced-to.html
https://www.netskope.com/blog/from-delivery-to-execution-an-evasive-azorult-campaign-smuggled-through-google-sites
https://labs.nettitude.com/blog/cve-2024-25153-remote-code-execution-in-fortra-filecatalyst/
https://www.imdb.com/title/tt0093870/

Episode Transcript

[00:00:00] Speaker A: Um.
[00:00:04] Speaker B: You're listening to Technado. Welcome to another episode of Technado. I'm Sophie Goodwin. I'm one of your hosts here on the show. And before we get started, I want to thank the sponsor of Technado, ACI Learning, the folks behind ITPro. Just quick reminder, before we jump in, you can use that code Techno 30 for a discount on your ITPro membership. And that's what Daniel and I do in our day jobs, and we have a lot of fun doing it. Well, I don't want to speak for Daniel. Daniel, you have a lot of fun doing this.
[00:00:27] Speaker A: No, speak for me, please. It's fine. She's now going to attribute a bunch of horrible things to me.
[00:00:32] Speaker B: I do feel a little bit at least like this week, I can kind of vouch for you because we're working on courses together.
[00:00:36] Speaker A: We are. We do that a lot. So that does make it a lot more fun when you're working with people you enjoy working with. And the content has gotten really interesting. Right? Because we're getting some security vulnerability stuff, which is always a good time. How's this going to work itself out in real life plan? Oh, that's bad.
[00:00:54] Speaker B: Yeah. Especially when we can kind of demonstrate it instead of just some stuff you can just talk about, because it's vocab stuff. But it's neat to see you jump in and be like, oh, SQL injection. Well, let me show you how that works in a safe, controlled environment.
[00:01:07] Speaker A: Yeah, absolutely. It's not real. So let's go to this random Internet site.
[00:01:13] Speaker B: So, point being, the stuff is fun, and if you want to see it, you can use that discount code. You just have to jump in the library and take a look at what we're doing. We're having a good time, but our good times are not limited to what we do in the other studios. We're going to have a good time right here. We got some great articles today, not only for our rapid fire segment, but for our deep dive. And just a reminder, we do start with our rapid fire. We spend a few minutes on each article, kind of run through the hot topics, if you will, and then in the second half of the show, we'll get a little bit deeper under the surface of some of the stuff going on in this week. Daniel, ready to get started?
[00:01:41] Speaker A: I am. You'll have to forgive me, I'm fueling up.
[00:01:44] Speaker B: Oh, that's fine, right?
[00:01:45] Speaker A: Because this weekend for me was, I laid some sod at my house, and that is a hard, hard job. So what did you do this weekend?
[00:01:54] Speaker B: I watched Robocop this weekend.
[00:01:56] Speaker A: You watched Robocop?
[00:01:57] Speaker B: Yes, I did.
[00:01:58] Speaker A: Well, I find no flaw in your logic.
[00:02:01] Speaker B: Robocop has changed my life. Truly. I put it off for a while, because, to be honest with you, I didn't think I would enjoy it as much as I did. It was like, I watched.
[00:02:10] Speaker A: This is a very entertaining film.
[00:02:12] Speaker B: Yeah, I wasn't expecting it to be. People told me, like, oh, it's pretty violent. Okay, it's 1987. How violent could it be? It's violent.
[00:02:19] Speaker A: Yeah. No, it's super violent.
[00:02:21] Speaker B: And I think my Clarence Boddicker, that's.
[00:02:23] Speaker A: All you have to say?
[00:02:24] Speaker B: He's my favorite. And with a name like Clarence Boddicker, I really don't blame him for being the way that he was, because if I had that name, I'd want to kill people all day long. Clarence Boddicker. That's the worst name you could possibly have.
[00:02:34] Speaker A: Cops don't really like me.
[00:02:36] Speaker B: Did you ever see That '70s Show?
[00:02:38] Speaker A: Yeah, when he was Red Forman?
[00:02:39] Speaker B: Yeah, I'm watching. I'm like, I know him. Yeah, I had to Google it. It's him.
[00:02:42] Speaker A: He's reading a lot of stuff, and he always kind of plays the hard character, right. But, man, Clarence is definitely one of his primo roles. Can you fly, Bobby?
[00:02:53] Speaker B: That's my favorite. That was in the running for my favorite quote the whole movie.
[00:02:57] Speaker A: One of my favorite memes of that is when Emil, one of the bad guys, he gets doused in toxic waste, right? And he turns into, like, this dripping goo. Then, you know, he dies in an epic fashion. Yes, there is a t-shirt, I believe it is, that somebody put, like, a hard hat and a clipboard in his hand and wrote toxic waste inspector. It is hysterical.
[00:03:23] Speaker B: It startled me when he popped up and was, like, melting. I'm like, I've never seen that character.
[00:03:27] Speaker A: Before that.
[00:03:31] Speaker B: He was asking him to help him. I'm like, dude, I don't think there's any help for.
[00:03:34] Speaker A: Oh, no. He was far beyond help at that point.
[00:03:37] Speaker B: It was like, you got to pull an Old Yeller and put him out of his mouth.
[00:03:39] Speaker A: And Clarence did Old Yeller him.
[00:03:41] Speaker B: He did.
[00:03:42] Speaker A: No, he didn't intentionally do it. No.
[00:03:43] Speaker B: I don't think it was out of.
[00:03:44] Speaker A: The kindness, just like, oh, what's this slime monster in the middle of the street? Well, I guess I'll hit the gas now.
[00:03:52] Speaker B: I'm like, I saw that there was, like, Robocop 2, and then there's, like, a couple of series, and now I kind of want to keep. I probably won't immediately. I'll let it marinate for.
[00:04:00] Speaker A: But you're going to go down the rabbit hole.
[00:04:01] Speaker B: But I think eventually. I'm open to that now.
[00:04:03] Speaker A: Yeah. As you should be open to my mind a lot. Well, we'll do our best to theme this episode. Robocop for you.
[00:04:09] Speaker B: Oh, lovely. Yeah. Maybe we'll start adding in themed segments after when I get my education in these movies.
[00:04:15] Speaker A: That's right.
[00:04:16] Speaker B: But we do have quite a few articles that we're going to work our way through today. So this first one says GhostRace. Speculative execution. Speculative. Am I saying that right?
[00:04:24] Speaker A: Yeah.
[00:04:24] Speaker B: Speculative execution attack impacts all CPU and OS vendors. And I was a little confused at first why they were calling this GhostRace, but I guess it's because it has to do with a race condition. Could you kind of give me the SparkNotes on. I don't quite remember. I know, it's like there's a couple of things happening at once.
[00:04:38] Speaker A: Okay, so race conditions are when you have a resource, this is kind of the headier vulnerability that's out there. And if you're able to take advantage of it. Remember Dirty COW was a very famous race condition in the Linux kernel that allowed you to gain root access to the operating system. Right? So you're like, okay, how does that work? So if I want to have access to a resource, and I got two people trying to get access to that resource at the same time, or two objects, I guess, would be a better way of putting it, and you got one of them has elevated permissions, maybe they're root or whatever the case is. Right, and you don't. But depending on what timing, you can get access to it. The system might think that they're servicing the request for root, but they actually send that information back to you. Okay, and now you're working in that elevated environment because it was because you're both going at the same time. If you can hit the right timing, you win the race. Therefore you get elevated permissions.
[00:05:43] Speaker B: You can get like unauthorized access to something.
[00:05:45] Speaker A: Right. With these CPU, these side channel vulnerabilities like Spectre and Meltdown that were super famous a few years ago and still tend to kind of pop themselves up. And this is a bit of a variant on Spectre, if I'm not mistaken. What ends up happening is there's like if conditions, they basically trick the CPU into letting you have access to things that you should not have access to. Okay? And it does this by kind of timing attacks, by guessing what's going on and going, hey, it took you 60 milliseconds to return that you couldn't find this variable in the CPU register, but it took you five milliseconds to return that you couldn't find it in this one. But that is kind of an inference to the fact that it was there. You found it, and that's why it took less time.
[00:06:31] Speaker B: Okay.
[00:06:32] Speaker A: Right. Again, it's a timing attack. This is all about how. So this is just a new variation on that theme. But what was interesting about this article, and this is what you need to be really worried about, I guess, or thinking about, is it says that their key finding quote is that all common synchronization primitives can be microarchitecturally bypassed on speculative paths, turning all architecturally race free critical regions into speculative race conditions. That's a lot of big, fancy words for saying that. All CPUs, and I think they made a list of them. Yeah. Intel, AMD, Arm, and IBM processors are all susceptible to this new type of speculative race condition. Okay. Yeah, there were speculative execution, I believe they call it.
[00:07:21] Speaker B: There was definitely a lot of technical speak in this article, but I was glad to see that it wasn't like this was an exploit that came out like, oh, this is being exploited in the wild. It was researchers at IBM and VU Amsterdam that developed this, and now it's a CVE or whatever.
[00:07:35] Speaker A: See, if Robocop would have known about this, he would have been able to bypass directive four.
[00:07:40] Speaker B: That's true.
[00:07:41] Speaker A: Right. View the contents of directive four, which were hidden to him.
[00:07:45] Speaker B: Well, he didn't have any problem viewing the information. He just had to put his spike into the machine.
[00:07:48] Speaker A: No, he couldn't access. So he had directives one, two and three would show up on his display. Protect the public trust.
[00:07:54] Speaker B: Right, exactly.
[00:07:55] Speaker A: So on and so forth. Directive four said classified. That's all it said was classified.
[00:08:01] Speaker B: I see. So you're saying he would have been able to know what that was.
[00:08:03] Speaker A: His CPU is Intel, Arm, AMD. Then he could probably use GhostRace to access the secret contents of directive four and therefore know that he could not arrest an executive of OCP.
[00:08:20] Speaker B: The game named GhostRace does really have an 80s movie vibe to it.
[00:08:23] Speaker A: It really kind of does.
[00:08:24] Speaker B: So it would have fit if this had been around at that time?
[00:08:26] Speaker A: That's right.
[00:08:27] Speaker B: It's unfortunate.
[00:08:28] Speaker A: Too bad the movie was a little.
[00:08:29] Speaker B: Ahead of its time, I guess. So sad. We'll take some time to mourn the fact that GhostRace was not present in that film. We'll go ahead and move on to this next one. We've been seeing a lot about WordPress, it seems like over the last month or so, lots of issues with plugins and things, and this is no different. WordPress admins are being urged to remove the miniOrange plugins they might be using due to a critical flaw. And miniOrange isn't something that I wasn't super familiar with. But I guess they've got like a malware scanner, web app, firewall plugin, and there's potential that if you've got these and you're using them, you could be in trouble.
[00:08:56] Speaker A: Yeah, they got a 9.8 out of ten CVSS. How much we love. Those are super awesome, aren't they? When you see that, it does seem counterintuitive to me as well that you would say, hey, you need to uninstall your malware scanner, the web application firewall.
[00:09:13] Speaker B: I'd be interested to know how they got the word out about this. If I was using this and I got a message that said, hey, we need you to uninstall your malware scanner, I would immediately think it was like not a phishing thing, but like a scam. Like, oh, they're telling me to uninstall my malware scanner. Why?
[00:09:27] Speaker A: And if you're not keeping up on your third party stuff, your plugins, your themes and things that you're using inside of your WordPress environment, this could definitely slip past your radar because it says right here in the article, it is worth noting that the plugins have been permanently closed by the maintainers as of March 7. So just a few, like about a little over a week ago, they were like, yeah, we're done with this. No longer, we're just kind of shuttering the doors. What you going to do? But the malware scanner has 10,000 active installs and the web application firewall has more than 300 active installations. So not a ton, but could be maybe supply chain, depending on who's used, like what system it's protecting. And this gives you kind of remote access into these systems. That would be bad.
[00:10:18] Speaker B: Well, sure. And it's only 10,000. It's only 300 until you're one of the 10,000 that's affected. And then it's like, oh, well, I'm never going to get cancer. And then you get cancer and it's like, oh, well, now it matters.
[00:10:28] Speaker A: Well, and it becomes exponential. Right? Because if it becomes a supply chain issue where, oh, a lot of vendors for a government entity use this, our service that is protected by miniOrange.
[00:10:45] Speaker B: Exactly. You're not talking about necessarily just mom and pop shop.
[00:10:48] Speaker A: Now, if I'm an attacker, I can get into the system that was protected by miniOrange and that system is utilized by a government entity. You see, now I've made my way into the government through a third party. That can be a problem. So these are the kind of things. This is why it's really important to stay on top of the ball when it comes to not only your operating systems, but any software that you're installing on your systems to make sure that it's being updated, maintained, and if it's reached end of life, time to start looking for an alternative.
[00:11:21] Speaker B: Yeah, I mean, it says if you were to exploit this vulnerability, it makes it possible for an unauthenticated attacker to grant themselves admin privileges by updating the user password. So you can see why this is rated as a critical vulnerability. So I don't know. The odds of our viewers potentially using one of these plugins may be low, but hey, if you are, and you didn't know about this, maybe take a look at uninstalling that it's time to.
[00:11:43] Speaker A: Chuck miniOrange out the back of the van. miniOrange.
[00:11:48] Speaker B: It's going to be a recurring theme, isn't it? I've only seen it once. You've probably seen it several times.
[00:11:52] Speaker A: I've seen it once or twice.
[00:11:54] Speaker B: Them unlocked.
[00:11:54] Speaker A: Yeah.
[00:11:55] Speaker B: You can make the references. All right. I'm going to have to think.
[00:11:58] Speaker A: But you get the reference now, which is what makes me happy.
[00:12:01] Speaker B: I do.
[00:12:01] Speaker A: That's all that matters.
[00:12:02] Speaker B: It brings warmth to your cold heart, so that's all that really matters. We'll jump into this next one here. More than 133,000 Fortinet appliances still vulnerable to a month old critical bug. So pretty big attack surface vulnerability with various PoCs available. Fortinet boxes exposed to public Internet vulnerable to pretty old security flaw. How does something like this happen? It's a month old. You would think at this point, most folks that are using applications like this or appliances would have taken care of updates, patches, things like that, but apparently not.
[00:12:32] Speaker A: It's like how Bob Jones continued to use the ED 209, regardless of its.
[00:12:36] Speaker B: Flaws, in his own dojo he had in use. I'm like, really?
[00:12:40] Speaker A: Yeah, really.
[00:12:41] Speaker B: You saw what happened and you're still.
[00:12:43] Speaker A: Comfortable and it did nothing but suck.
[00:12:45] Speaker B: Yeah, right. I'm curious how he got it up there if it couldn't get down the stairs. So how did he manage? It's like a cow working. Go upstairs, but not downstairs. You're right. Not the point.
[00:12:55] Speaker A: Questioning the Robocop. And that's not what we do here. Okay.
[00:12:58] Speaker B: Not the point.
[00:12:59] Speaker A: No. It's a great question. How does this continue to be a thing? Unfortunately, the blame here is going to fall on the administrators of these systems. This is not actually Fortinet's. I mean, it's Fortinet's fault that there was a vulnerability in the first place.
[00:13:17] Speaker B: Sure, but that happens.
[00:13:18] Speaker A: But it does happen. It kind of happens a lot on Fortinet, apparently. Yeah. If you just start looking at their chain of screw ups, it is long and distinguished at this point in time. But they did release a patch for this. The patch does exist. So at that point, when Fortinet released the patch, the blame kind of shifts away from them. The fault is no longer theirs if your system is still vulnerable. And apparently the owners of Fortinet appliances are like, YOLO, I don't care about patches. 133,000 appliances. I mean, that's not 300 appliances like what we saw with miniOrange.
[00:14:02] Speaker B: Right.
[00:14:03] Speaker A: That's not even 10,000. That's an order of magnitude above that or two. Right.
[00:14:10] Speaker B: Patches. We don't need those stinking patches.
[00:14:11] Speaker A: Yeah, we don't need no stinking patches.
[00:14:14] Speaker B: I think it was, the biggest number of posters was in Asia, upwards of 50,000, and then North America and Europe coming in second and third. But you're right, even, I mean, obviously Asia's got a pretty big population, but 50,000 is still nothing to sneeze at. I mean, that is a pretty large amount of appliances to not have this patch implemented especially for. It's a pretty severe vulnerability.
[00:14:30] Speaker A: It makes me wonder if they're running a pirated version because sometimes they won't accept updates or they won't patch your update. You can't patch it.
[00:14:43] Speaker B: Okay.
[00:14:44] Speaker A: I don't know if that's the case with Fortinet. I know that Windows does that. So again, I'm just thinking out loud here.
[00:14:49] Speaker B: I didn't think about that, though. If you've got a pirated version.
[00:14:51] Speaker A: Yeah, you're kind of screwed just throwing it out there. That there is a lot of piracy in the Asian region of the world for certain things. China. Sorry, man. I got one right there. Yeah. And not just them though, but North Korea. It's very common throughout there. Not that we don't have our own fair share, but we have auditing and things of that nature that occur. If they find out you're pirating software in an enterprise, the sanctions are not going to be worth it. It's just not worth it.
[00:15:25] Speaker B: You die immediately. Yeah, it's the punishment.
[00:15:27] Speaker A: And this is an appliance, though, right? I wonder if that is like an actual box you bought from Fortinet. I didn't read that part.
[00:15:35] Speaker B: It does say Fortinet boxes.
[00:15:36] Speaker A: It's a security flaw in FortiOS. So, yeah, these are boxes.
[00:15:41] Speaker B: And it was a 9.6 vulnerability, and it says it leads to remote code execution. I looked ahead of some of the other stuff we're going to talk about. Seems like that's a recurring theme today.
[00:15:50] Speaker A: RCE. We do love a good RCE, don't we?
[00:15:51] Speaker B: So that is interesting. Lots going on with that this week. But, yeah, hopefully you're not one of the owners of one of the 133,000 boxes that is affected by this, because if you are, you should probably go ahead and implement that patch. Unless you're pirating, in which case, yeah, I didn't see anything.
[00:16:07] Speaker A: I would not buy Fortinet for a dollar.
[00:16:10] Speaker B: Man, you're good. I don't know that I think that fast to be able to make those references. We'll have to see what you come up with for this one. This one may apply to more of you. AT&T says the leaked data of 70 million people is not from its systems. So massive trove of data impacting 71 million. AT&T says it didn't come from its systems. It was a hacker that leaked it on a cybercrime forum. And this hacker claimed that it was stolen back in 2021 in a breach of the company. And I believe the guy that posted it, guy or girl, whatever, that shared this information was like, I don't care if the company lies, that's fine. I don't care what they do. I just want my money. They're just trying to sell the information.
[00:16:46] Speaker A: I'm selling it.
[00:16:47] Speaker B: Yeah. I think if you want to buy immediately instead of bidding, it's like a million.
[00:16:52] Speaker A: Yes. They're like, if. Hit the buy now button of a million bucks. Free shipping. Yeah. Right. Today to come to your house. No problem. This is an interesting article to me because there's a lot of, I guess, contradictory facts when it comes to this. Somebody's lying somewhere.
[00:17:12] Speaker B: Somebody lying.
[00:17:13] Speaker A: Somebody lying. Right. That's what's up. I don't know who it is. OCP. Right. I can't wait till you get to Robocop 2, because then it expands the universe even more for you.
[00:17:24] Speaker B: Oh, great.
[00:17:25] Speaker A: Okay. Some people have verified that the information in the data leak that's being sold is true. It's like, okay, we found these records in the samples that have been leaked out, and here is the proof that, yes, they line up. We know people that are AT&T customers and this is their actual information. And then they got. Well, we also found people that we couldn't verify that they were a part of this leak. Now, they said maybe that contributes to the fact that at the time that the breach occurred, or supposedly occurred was in 2021, that at that time they had, like, I want to say, like, 140. No, it was 200 and something million subscriber users in the system. And this is only like, 70 million, 74 million records. So if it is a breach, it's a partial breach, right?
[00:18:20] Speaker B: Yeah. And it was, I believe, the folks.
[00:18:22] Speaker A: Or a partial dump.
[00:18:23] Speaker B: Partial, yeah, partial dump.
[00:18:25] Speaker A: Sure. This one.
[00:18:29] Speaker B: I didn't say it. All right. I didn't say it.
[00:18:30] Speaker A: Oh, man. I only got a partial dump today. I'm hoping tomorrow my mom's going to.
[00:18:36] Speaker B: Watch us and be like, I'm so disappointed in you.
[00:18:39] Speaker A: That's not very ladylike.
[00:18:41] Speaker B: Yeah, I wish you were more feminine. That's what she's going to say. But the folks here that I believe it was BleepingComputer said that they couldn't go through all the data, obviously. But they did check people that they knew that might have been affected and confirmed that the information was legitimate, at least from what they could tell. So it's not like they just are making this stuff up and selling fake records.
[00:18:59] Speaker A: AT&T is just straight up like, it's not mine.
[00:19:01] Speaker B: Right?
[00:19:02] Speaker A: I don't know. I love how it's all in the framing of the wording, right? So you read the wordings. They say that we have detected no breach.
[00:19:10] Speaker B: Right.
[00:19:11] Speaker A: It doesn't mean a breach hasn't happened or that they even know about it. It's just they didn't detect one. [00:19:16] Speaker B: Yeah, I would think you should be. [00:19:18] Speaker A: Would. And either, a, these hackers are awesome. B at t security sucks. Or both. Yeah, right? [00:19:29] Speaker B: Seems like a lot of times it's both. [00:19:31] Speaker A: It could be both. [00:19:32] Speaker B: You got pretty talented hackers. Crappy security. You combine them and it's just a wonderland. I'm just saying, for cybercrime. So if you're interested in purchasing, it's a starting price of 200,000, incremental offers of 30,000. It's this guy here, shiny hunters. You can see the page they've got up. And this little animal profile picture they. [00:19:52] Speaker A: Got here from Maui with shiny. [00:19:57] Speaker B: Yeah, that's a pretty good song. [00:19:58] Speaker A: He was a drab little crab once. [00:20:01] Speaker B: I love that you know enough about the movie to be able to quote it directly like that. [00:20:05] Speaker A: That's how entertaining. [00:20:07] Speaker B: So I know you got daughters. [00:20:08] Speaker A: Yeah, I do. [00:20:09] Speaker B: It's a good thing. [00:20:10] Speaker A: I know a lot of Disney songs. [00:20:11] Speaker B: It was a good movie. [00:20:12] Speaker A: It was. [00:20:13] Speaker B: Hey, they got good taste. [00:20:14] Speaker A: I have no problem with Moana. [00:20:15] Speaker B: It's high quality. That's one I think I would have asked you to watch if you hadn't already seen it. I would have been like, you should watch Moana. It's a good film, but I'm glad you've already seen it so we don't have to waste our time there because you're already familiar. But yeah. So hopefully this gets resolved. Maybe at T will come out in a few weeks and be like, well, I mean, I know we said there was no breach, but we may have found some information. It seems like that happens. Know tune changes. 
It's a deja news segment, so we'll see if that comes up later on. But speaking of segments, we've got an old favorite here. If there are any gamers out there, this one's for you. This is who got pwned. Looks like you're about to get pwned. [00:20:49] Speaker A: Fatality. [00:20:51] Speaker B: So if you are an Apex Legends fan and maybe you follow the whole esports thing going on, there was a Apex Legends global series going on in North America, and electronic Arts EA had to postpone the finals of that because hackers compromised players during the tournament. And look at that. This is Apex Legends, if you're not familiar with it. So what happened was it happened a couple of times. There's this player participating in a match and there was a cheat tool that popped up on a screen. It was TSM halal hook, which is an interesting name. And it had all these cheats listed and then a couple of weird things like vote Putin. So that was an interesting little thing. And we have a clip here. It just said vote Putin at the bottom. Yeah. Like magic bullets, grenades. Vote Putin. You know, the three food groups. So there was a clip, there's a capture. I'm not going to turn on the sound because there's some language here, but there was a capture of this guy and what happened? So he's playing, he's got a screen up there, and then this little box pops up and you can't hear him, but he's saying, what's going on? What's going on? What the f? What the F? [00:21:45] Speaker A: Yeah. [00:21:45] Speaker B: And he's like, I don't know. It's a cheat. It's not me. It's not me. He takes his hands off the keyboard. He ended up having to leave the match because of it. And at this time they did not stop the competition. They just let it keep going because I don't think probably they knew. Probably just assumed it was an isolated thing. [00:21:58] Speaker A: And this is for money, right? Like people are. [00:22:03] Speaker B: At this point. 
Yeah, it wouldn't surprise me if it was on the ocho or something. You might see it live. I mean, if you're not a basketball fan, you're looking for something to watch. Right about now, this would be the thing. But this wasn't the only time it happened. Then a short time later, it was a separate player that was affected. Imperial Hal, another player hacker, gave him an aim bot and then the tournament admins at that point intervened and shut down the match entirely. So they said, I believe the competitive integrity was affected. We're going to shut down, postpone till further notice. And you can imagine probably some gamers are upset, but this was another, I believe it was an Rce flaw. [00:22:38] Speaker A: But the EA didn't. They say we have no flaw. You can't prove this was an RCE, that we had a flaw in our system, that the gamers machines themselves maybe were compromised or something else, but it wasn't us. We detect no flaw. [00:22:55] Speaker B: Right. [00:22:56] Speaker A: And you'll notice it's kind of like, it's a bold move, cotton. Let's see how it plays out for them. Bold strategy. That's a bold strategy, cotton. [00:23:04] Speaker B: Let's see how it plays. The anti cheat software. Easy anti cheat. They also said, hey, we've investigated this, we are confident there's no Rce vulnerability here. So it's like, okay, again, somebody lying. There's no issue with Apex Legends, no issue with EA, no issue with easy anti cheat, but two separate players were affected. So unless it's a crazy coincidence, which. [00:23:21] Speaker A: Seems, I mean, it's possible, right? Maybe they did some targeted attacks against the players that they knew were top of the game. That would be in these tournaments for the purposes of coming in there and cheating for God knows what would be the purpose of doing this. I don't game in this realm. [00:23:40] Speaker B: That's an interesting question. 
You could get conspiratorial with it and say that this was like player that felt like he was slighted, he didn't make the finals and so he wanted to ruin it for everybody else, he or she or whoever. As a person claiming to be destroyer 2009, which is a sick name, to be honest with you. [00:23:55] Speaker A: It couldn't have been Ed 209. I mean, come on. It was sitting right there. [00:23:59] Speaker B: All right, that was pretty good. That was pretty good. You scramble some of the letters or just. Some men just want to watch the world burn. That's true. Maybe that's what it was. Just felt like going in and causing problems. They say some hackers, they just do it to show that they can. It's true. Look at this funny thing that I did. [00:24:15] Speaker A: It's just a bragging rights kind of thing. [00:24:17] Speaker B: Yeah, and this is a pretty public thing. So people know this guy that did it. It's not like it's some rinky dink competition. It's a pretty big deal. [00:24:25] Speaker A: Listen, hackers, you're a scumbag. Your clients are scumbags and scumbags see the judge on Monday. [00:24:31] Speaker B: Oh, I wish it was like that. Really? I was like, you know, I know that's not really how it is, but you go, dude, you're right. [00:24:39] Speaker A: He said, it's attempted murder. He goes, knock it down to manslaughter, and I can make bail today. [00:24:45] Speaker B: He said attempted murder? It's not like he killed somebody. That was enjoyable. [00:24:51] Speaker A: Oh, my goodness. That is funny. [00:24:53] Speaker B: We're still not really sure where exactly this came from or what exactly the issue was or where the issue lie laid, but this was an unprecedented occurrence in Algs history. Never been a case of players hacked mid match. So, hey, making history. Maybe that was why dude wanted to make history and be the first to do it. [00:25:10] Speaker A: They did indeed, didn't they? [00:25:11] Speaker B: They did. 
So, if you are an Apex Legends fan, and you participated in this finals, you were hoping to spend some time watching the finals. Sorry, you're going to have to find something else. We've got one more here. We were just talking about. You're a scumbag. Your clients are scumbags. Uphold the law. So we've got another segment here. An old favorite. This one's Behind Bars.
[00:25:35] Speaker A: Break the law, and you'll go to jail.
[00:25:38] Speaker B: They put. I didn't realize the little sound effect was there at the end. They put RoboCop behind.
[00:25:42] Speaker A: Well, now I want to change the sound effect for that to be Clarence Boddicker asking Emil. He's like, so you stayed at the Graybar Hotel? How was your stay at the Graybar Hotel? They let me keep the shirt.
[00:25:55] Speaker B: Start updating segments just specifically for these references.
[00:25:58] Speaker A: Exactly. It.
[00:26:00] Speaker B: Well, this is another case. We've seen this before, where they show the sentence, and it's like they're talking about a baby. An E-Root Marketplace admin was sentenced to 42 months for selling 350,000 stolen credentials. So it was a Moldovan national, 42 months. I don't know. I can't do the quick maths. I know 48 months would be four years. So between three and four years, I guess, they're sentenced to. I don't know why they can't just.
[00:26:22] Speaker A: Say, like you said, I can't do the quick math. And then literally did the quick math.
[00:26:27] Speaker B: Hey, call it talent, call it whatever you want, but it was. But this was a whole marketplace. This guy operated E-Root Marketplace. Hundreds of thousands of compromised credentials, and he's serving these 42 months in prison in the US. So he's a Moldovan national, but he's going to be serving those here. So justice was served. He's going to be behind bars.
[00:26:46] Speaker A: It's nice to finally see some justice prevail and get these scumbags and their scumbag clients to see the judge on Monday.
Right? So, yeah, we don't often get to see. I love the Behind Bars segment because it gives us a little hope that we are actually working and actively trying to go after these criminals that are perpetrating these things. And I would love just RoboCop to come. And I can see him walking into the house, dead or alive, you're coming with me. Just getting this. But, yeah, I mean, running, especially with these marketplaces that do selling these things, the money that goes from the transactions that are no good. No good at all. So I love seeing how this gets taken down.
[00:27:39] Speaker B: And this has been ongoing for a while. The site was up between January 2015 and February 2020. So several years that this was going on. His last name was Diaconu. Diaconu. I'm probably butchering that.
[00:27:52] Speaker A: But, you know, he's a criminal.
[00:27:54] Speaker B: He. He's not going to be offended by it because he won't see this because he's in jail. But he was arrested in the UK in 2021 while trying to flee the country and not extradited here till late October 2023. So this has been ongoing for a while. And just now finally kind of coming to a close there.
[00:28:08] Speaker A: Hopefully. I guess he's acting as what's called an initial access broker, an IAB. Okay, so a lot of ransomware groups and other hacking groups, instead of trying to send out the phish and get you to click a link or download the thing or get their malware installed, that way they just go straight to things like this, an IAB, an initial access broker, and go, hey, if I gave you five grand, how many logins can I get for that?
[00:28:36] Speaker B: Right?
[00:28:36] Speaker A: And they go, oh, okay, I'll give you this many logins for five grand, and they go, cool. Or do you have logins for this organization? I want to gain access into that organization. If they do, they'll sell it to you and they discuss the price.
So I wonder if that's the kind of marketplace we're talking about here, if that's what they were doing. Because obviously they were selling. You could search for compromised computer credentials on E-Root, such as usernames and passwords, that would allow buyers to access remote computers for purposes of stealing private information or manipulating the contents of the remote computer. So it sounds like they were an IAB, even though they don't specifically say that in The Hacker News article.
[00:29:13] Speaker B: And they make it real easy. You could filter by price, geographic location, ISP, operating system. I mean, really just seems like they did a good job.
[00:29:20] Speaker A: They're the OCP of IAB.
[00:29:23] Speaker B: OCP of IAB.
[00:29:24] Speaker A: Yeah.
[00:29:25] Speaker B: Wow, that's catchy.
[00:29:26] Speaker A: Yeah.
[00:29:26] Speaker B: You're good at this. You got a career in marketing, Daniel.
[00:29:29] Speaker A: I've got my skills.
[00:29:31] Speaker B: Sounds like Daniel's not too thrilled about that one.
[00:29:33] Speaker A: I'm not good at marketing.
[00:29:34] Speaker B: It is always nice to see when justice gets served. He pled guilty back in December, so just now was sentenced to somewhere between three and four years. Again, I'll have to go back and figure out the math on that one. But 42 months, the size of a toddler, that's the length of time that he's serving.
[00:29:50] Speaker A: 42 months. Well, I mean, I wouldn't want to spend any time in prison.
[00:29:53] Speaker B: No, I wouldn't.
[00:29:54] Speaker A: That's what keeps me from doing a lot of bad things.
[00:29:56] Speaker B: Yeah. Two months would be too long.
[00:29:57] Speaker A: He's going to jail.
[00:29:59] Speaker B: But, hey, you know what? You can't do the crime or you can't do the. You know what I mean?
[00:30:02] Speaker A: Yeah.
[00:30:03] Speaker B: Don't do the crime if you can't do the time. That's what I was going with. That's Dr. Seuss.
[00:30:06] Speaker A: Yeah, you fell down the stairs and you landed on your feet.
[00:30:09] Speaker B: And I screamed like a cow while I did it.
[00:30:11] Speaker A: Oh, no, it was a pig. I like how he's. We're talking about the ED-209, by the way. It opens the door, and then you can see it kind of, like, scrunch down to try to get through the door, and they cut to RoboCop. They cut back, and he's through the door. I'm like, there's no way he fits.
[00:30:28] Speaker B: In that door, right?
[00:30:29] Speaker A: It never happened. And then he starts, like, toeing around looking for, like, can I do this? Can I make this step? Like a cow. Like a cow. Yeah. But then does the complete front flip down the stairs and starts squealing like a pig on its back.
[00:30:44] Speaker B: Yeah, I did enjoy. Later when he gets like blown up, the machine gets blown up and he's like toddling around. He falls over, he's wiggling his toes. His robot toes.
[00:30:51] Speaker A: His robot toes.
[00:30:52] Speaker B: Yeah. That was a really good movie. I quite enjoyed that. So glad we were able to work that in. We'll have to see if we can do the same thing during the Deep Dive segment, but that's going to wrap up our Rapid Fire news. Lots of interesting stuff going on this week. And like I said, I think the RCE stuff is going to come back up in one of these next Deep Dive articles. So if you want to hear more about that, don't go away. We'll be right back on Technado.
Tired of trying to schedule your team's time around in-person learning? Is it a bummer to spend thousands of dollars on travel for professional development? What if we said you can save money and time and still provide your team with the best training possible? The answer to your woes is live online training from ACI Learning. With live online training, we provide our top in-person courses in private online instructor-led formats. You get to provide professional development in a manner that fits today's expectations.
Entertaining, convenient and effective. Our exam-aligned courses inspire the full potential of your team. Visit virtual instructor-led training at ACI Learning for more info.
Welcome back. Thanks for sticking with us through that break. Just a reminder, if you are watching on the YouTube channel, we've got all the past episodes of Technado that live right here on the channel. You can check those out. If you're enjoying this episode, feel free to leave a like or comment down below. Let us know what you're enjoying, what you want to see more of, and maybe even subscribe if you haven't already, so you never miss an episode in the future. And of course, if you're listening on a podcast platform like Apple Podcasts or Spotify, thanks so much for joining us and we do appreciate having you here with us now. Daniel, this next segment, for those that don't know, is going to be something called Deep Dive, where, as you might guess, we're going to dive deep. So we kind of crazy, right? Thanks for joining us. We'll see you next time.
[00:32:24] Speaker A: The segment name kind of tells you what it is. Weird.
[00:32:27] Speaker B: It's almost like we did that on purpose, but we've got a couple for this one. And I know one of them, we'll get a little bit more into the weeds on, and the other one will be a little bit more of a shallower dive, if you will.
[00:32:36] Speaker A: Well, there's just not as much to.
[00:32:38] Speaker B: Right, right, exactly. So we don't have to dive as deep. Yeah, because there's just not as much to go on. But still some interesting stuff going on here. We'll go ahead and jump into this first one. Now the summary here, this is from Netskope Threat Labs, that they've observed this campaign that says it employs multiple defense evasion techniques from delivery through execution. And so there's a description there. But the way that it does this, the way that this attack works, is it's through something called HTML smuggling.
And before reading this article, it's something I had heard of but I'd never really gotten into detail on. And from what I understand, it takes advantage of legitimate processes to do bad, oh man, do bad things.
[00:33:12] Speaker A: Basically super smart, right? These attackers out there, they are a crafty bunch. I will give them credit where the credit is due. HTML smuggling is a fairly new technique, if I'm not mistaken. Basically what you're doing is you're saying, hey, here's a payload, usually in base64-encoded format, and it uses HTML. Hey, reach out, use this, grab this to bring that in. Because that base64-encoded string, which is your payload, it could be an EXE. If you're in a Linux system, you can do base64 -w 0 so it doesn't word-wrap, give it an EXE, and it'll give you the base64-encoded variation of that EXE. You put that in the code, then when someone loads the page, it loads the code, and then there's some more JavaScript or whatever that actually fires that off, decodes that string and then fires that off. This is a newer way to do this where they're reaching out to Google Docs to grab a JSON formatted, which is usually. So if you've never seen JSON, we use JSON for a lot of things. This is JavaScript, or not JavaScript. What is it? It's something, yeah, look that up. I'm horrible with acronyms.
[00:34:31] Speaker B: JSON stands for JavaScript.
[00:34:33] Speaker A: Okay, I was right on that. All right, there you go. The old brain is firing on all cylinders. I told you it was a long weekend. Yes, long weekend. Thank God I am not a Honda at this point in time. But so instead of just having that base64 string inside of the actual HTML itself, it reaches out to Google Docs, which is most likely not going to be. So this is great for evasion. Your antivirus, your EDR systems, they look at you reaching out to Google Docs and it goes, oh, that's cool, that's a legit service.
You're not going to, because if I go into my AV and say, hey, block off Google Docs so that we don't get hit by this, your phone's going to ring at the help desk. Hey, I'm trying to access X, Y or Z in my Google Docs and it's not happening. Why? Well, because we blocked Google Docs. You did what now? Why did you do this? Well, you see, there's this HTML. I don't want to hear your excuses. I just want access to my Google Docs. You're like, yeah, okay, I'll make an exclusion for you. And next thing you know you're making a bunch of exclusions that basically, really, this is a really smart way to keep your payload available and bypassing your detection systems, right?
[00:35:46] Speaker B: It's not like this is some random malicious site that you can just easily block. You know, there's a legitimate reason to use Google Docs. And I mean, I guess as a company you could say, sorry, if you want to create a document, you can use Word, you're not using Google Docs, but people would be pissed because a lot of people use Google Docs.
[00:36:00] Speaker A: And if you've never seen JSON, the end format is base64, right? So there's a JSON Web Token, like a JWT or "jot" as they call them. JSON Web Tokens are very common in web applications. So a lot of that, it'll be a base64-encoded string delineated by a period and another base64-encoded string delineated by another period and another base64-encoded string. And it all works where you have a payload. If you never looked at JSON Web Tokens before, very useful. And a lot of information can actually be within those. But we use JSON all the time. It's a way to serialize information to pass it easily between systems. So how does that affect us here? Well, that's where our malicious payload is going to come from. And now I kind of use Google Docs, if I'm an attacker, as a repository for my malicious payloads that won't get busted by your AV/EDRs. Interesting.
[00:36:58] Speaker B: One of the things I thought was interesting, when you come across a CAPTCHA, it says like you're supposed to check the boxes. I'm not a robot. The whole point is so that it makes sure you're a human, right?
[00:37:06] Speaker A: Yeah.
[00:37:06] Speaker B: But in this case, it looks like they used a CAPTCHA to actually help them evade detection. Because if you're using a public scanner like VirusTotal, it can't get past the CAPTCHA. So it says it's a layer of protection against URL scanners. So in this case, it's not doing its intended purpose.
[00:37:21] Speaker A: They're using all the safety measures that we put into place to keep bad things from happening to their advantage. This is why this is a super crafty, very smart way of getting their payloads on the system. They have a couple of other things that they're doing as well. They said, we've seen this. This defense evasion technique was also used by a nation-state group to smuggle a remote access trojan, and by Nokoyawa ransomware, where they started the infection process through HTML smuggling. Then it uses the unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on an external website. This is kind of like the breakdown here. The executive summary. It executes the fileless AzoRult info stealer. We do love a good info stealer, right? They seem to be the belle of the ball here lately. A lot of info stealers are being deployed here as of recent, and they're stealthily, by reflective code loading, bypassing disk-based detection. So that's right here. Bypassing disk-based detection and minimizing artifacts. So this is fileless malware. We're not writing to disk when we don't have to. We like to just load it into memory. Hey, call out, reach out, grab this, and then throw that up in memory. Decode that.
That's how that works is I say, hey, grab this blob of information and then I'm going to need you to perform a function on that. Well, what's that function? That function is, well, it's encoded. I need you to decode it. So it has to allocate some memory, puts it up in the memory, and then it deallocates it and it says, okay, I've decoded that. What do you want me to do? I want you to push it over into this other function I've created and run it. What is it? It's usable code. Run that code. So that's how we bypass being able to write it to disk. So those AV systems that are looking for stuff that's written to disk, it's going to bypass that altogether. It uses an AMSI bypass. And AMSI is the system to make sure that either Windows Defender is checking things for known malicious activity, or if you have a third party it hooks into and it kind of says, okay, I don't need Windows Defender, but we are running a third-party piece of software that's within Windows systems that you'll see AMSI, but it is a bypass technique to evade being detected by a variety of host-based anti-malware products, including Defender. So this bypasses a lot of AV systems, and then it steals information it's looking for. What's it looking for? 137 distinct crypto wallets, login creds, browser files, and important documents.
[00:39:54] Speaker B: Secrets.
[00:39:55] Speaker A: I loves the secrets. It does love the secrets.
[00:39:57] Speaker B: Like a treasure trove. And going through kind of the process, because they do break it down step by step. I love when they do that because it's neat to see behind the scenes how this works. But once you get past the CAPTCHA test, it shows you like a file and it looks like a PDF, but it's not. And if you click on it, then it's like all this stuff happens, this big chain of events. And maybe I skipped a step, but it kind of seems like from then on, there's not much that the user does.
It's all this stuff that it downloads this, it runs this, it overwrites this, it's this batch file. It all just kind of happens. And this triggers that, and this triggers that until you're screwed, right?
[00:40:27] Speaker A: This is what we would call a loader, right? The loader is the thing that starts this whole chain of events. Once that occurs, once you get that execution, right, everything else starts tumbling into place, which is interesting to me. I know a lot of red teamers. We had Mike Saunders on, right? He does this for a living, where he's trying to get his malicious code to execute and give them access into systems, access to sensitive information. Attackers are doing the exact same thing, except they are actually doing malicious things.
[00:41:04] Speaker B: Right.
[00:41:06] Speaker A: So the fact that this is still an effective means of initial access is to get somebody to click on a link, to open a document, and double-click a PDF, what looks like a PDF, which is actually, I think it was an LNK file, if I'm not mistaken, which is a very common attack vector in this day and age. And then once that happens, cool, I got my second stage. I delete my original file, removing IOCs, indicators of compromise. And now the chain of events has begun. That's all that matters, right? That that is still effective. It blows my mind that we click on links and we open documents that come from. Now don't get me wrong, they use some very sophisticated, like, typosquatting and things of that nature. A lot of times will point at certain targets to make it look more legitimate and make it more tantalizing for the fish to bite. Oh yeah, right. But we've just got to have a system that just says, I just don't click links. I'll go to the site myself. I'll go there and see if you've got something for me. I don't trust my email for anything other than text. Right. But that is not the system that we live in nowadays.
So you're right, does the CAPTCHA thing and then it says malicious shortcut downloading. Okay, this is where it runs PowerShell. We're running PowerShell in JavaScript. These are simple, normal. I don't know how much you've seen me do. I've created a couple of things myself for demonstration purposes that mimic this line of attack.
[00:42:45] Speaker B: Right.
[00:42:46] Speaker A: I'll create an executable. I use Golang now, but I've done batch files and things of that nature where it basically just runs a PowerShell script and reaches out, does a web request for a malicious file, the second stage, which is just another PowerShell. PowerShell is great. It runs on every Windows operating system just about, unless you have it completely turned off. And it does all the things I needed to do. So I did that because that's what you see in real life land.
[00:43:17] Speaker B: It sort of reminds me of like a Rube Goldberg machine where it's like you tip over the first domino and then the marble rolls down the track and the milk glass falls over and then.
[00:43:25] Speaker A: 209 is laying on his back screaming like a pig.
[00:43:28] Speaker B: All you really have to do is click that first file and then it's just that simple. And then everything else just kind of fires on its own and this triggers that. And this script runs this. And it's kind of scary because then beyond that point, what are you supposed to do? How are you supposed to stop it?
[00:43:41] Speaker A: It just goes, yeah, once that's done, hopefully some activity or behavior, a lot of behavior-based things can maybe be able to catch this stuff. Obviously we're looking at Netskope. Netskope's probably baked in some functionality now to detect this activity because they discovered it. And now they can go, oh, I can build a mechanism to look for the right IoCs. And if you look here, you can see it says the LNK file, which is masquerading as a PDF.
It spawns a command prompt where it saves the base64-encoded PowerShell command to a batch file. So it goes from base64, it's a PowerShell command, gets saved as a batch file, and there's the name of the batch file, so you can start looking for these things. So it's fayap four ckj bat, right? Then another PowerShell command is then decoded using a Windows native application named certutil.exe. That's something that's built in. This is called living off the land. I don't use something that I have to download to make all this stuff work. I just use what I already have that's on the system I'm targeting, which is Windows. I know certutil can decode this, and then overwrites that batch file. Then it creates a scheduled task named t nine p blah blah blah that executes that batch file. Then once that gets done, it will execute a PowerShell script that uses Invoke-WebRequest to download a PHP file. So it's just continually down the road. And not any one of these things are necessarily malicious at this point, right? So behaviorally all it's doing is downloading a file from the Internet. It's decoding and creating a batch file. That's not inherently a malicious thing. So it's continually avoiding detection because it hasn't done anything malicious yet. By the time that it does, it's too late. Right. You've already kind of like, things are beyond the looking glass. So you can see there's the Chase statement PDF. It's just basically using a PDF icon, even though this is an LNK file.
[00:45:50] Speaker B: If you were to right-click and look at all the details, then you would see it. But most people are not going to.
[00:45:54] Speaker A: Think to do that, which is, I think right here, it's kind of showing this. You can see it is an application from System32. So there's what's going on there. Anything else we want to look at when it comes to the details here, just more along what you were talking about, chain of events that lead us here.
Definitely check out these details because it's nice to see how all this stuff works and those chain of events and how they work themselves out. Because I can't tell you how many times people say that never worked. Works every day, right? Yeah, works every stinking day.
[00:46:27] Speaker B: It could be. You never say never.
[00:46:29] Speaker A: That's right.
[00:46:29] Speaker B: And once it goes through all of that process of these things that are kind of firing automatically, then when it starts to actually steal data or steal info, it takes a screenshot. It's pilfering your browser data. It's looking at crypto wallet information. I mean, any and everything, I guess, that it can find. I know you said it was looking for specific types of crypto wallets.
[00:46:46] Speaker A: Everything, yeah, it talks about the different browsers and the crypto wallets that they're looking for in that. It was interesting, though, that we had Mike on, right? And Mike and I were doing a course on AV and EDR evasion techniques, and they're all in this, every single one. Talk about obfuscating shellcode. They talk about the standard way of using VirtualAlloc with, what was the execution path? I think they tell us up here, maybe it's later, but how they. Oh, there it is. VirtualAlloc, CreateThread. And then they use WaitForSingleObject, which actually executes. What's going on here? This is a way you allocate memory. This is using the Windows API. Create a thread so that the shellcode gets loaded into that memory, and then WaitForSingleObject actually executes what's in that memory area, which is your malicious payload, which is the shellcode, which is right here. Right. And then you're off to the races at that point. So it was just cool to see the stuff that Mike was teaching in our series on that is right here in one of the newest ways that people are getting malware on a system and executing malicious code.
So very, very cool to see it in real life land, but not so cool that it's being used for malicious purposes. And grab your crypto.
[00:48:10] Speaker B: And they've got a GitHub repository. We'll put the links in the description of the video as well for all the articles that we're looking at today. But they've got all the IoCs in their GitHub repository linked there at the. Just when you were talking about how it uses all of these different things that you and Mike were talking about, kind of reminds me of, like, we talk about layered defense and defense in depth. This is like the evil version of that. You're using every possible. We're using this, this and this to kind of cover it up, make it so that it looks legit. It's the opposite of, oh, not only do we have this defense, but we've got this mechanism to make sure an attacker. It is the evil version.
[00:48:41] Speaker A: It's kind of cool that you point that out, that it is. The concept of a layered defense works itself out whether you're being malicious or, you're right, still, still works.
[00:48:52] Speaker B: If nothing else, this should prove that. So yeah, definitely an interesting one. And like Daniel said, there's a lot more detail there if you want to take a look at that link. But this next one, we do have another one we kind of want to get into. And I know you said there's not as much to pull from here, but still interesting. And we're going back to that remote code execution theme once again. Told you it was going to be recurring. This is CVE-2024-25153. It's an RCE in Fortra FileCatalyst. So I believe this is one that, like you said, it was a little bit shorter, didn't go into as much detail, but they did break it down step by step. And they have like a proof-of-concept exploit listed there at the bottom that you can take a look at. What do you think of this one?
[00:49:29] Speaker A: So surprisingly easy to pull off this RCE, which is why we're looking at it today.
If you're not familiar with Fortra FileCatalyst, it is a file transfer software and it kind of gives you some bells and whistles to go along with it. It's not a simple FTP with a GUI front end. It has a few bells and whistles, which is kind of cool. I can understand why people would be interested in using this software, but unfortunately we found an unauthenticated RCE, which is going to be bad for us ultimately. It says they have a proof of concept for the exploit. So there's a GitHub repo if you want to go check that out. Basically it's a Python script, kind of makes this automatic for you. So if you want to test this, or if you have Fortra FileCatalyst, you can go and see if you are susceptible to this. You must be very careful if you're doing this. Do not write to your webroot with a temporary file using this, because it will then wipe out your webroot and then you will lose your site. It goes bye-bye and you have to rebuild. So don't do that. Just a safety tip when it comes to if you were actually going to test this. But ultimately what this came down to is that if I'm an unauthenticated user, I want to say, was it just by adding a slash they were able to, or it was a specific area? That's what it was. Through finding a specific area for file upload, they were able to just upload anonymously anything they want, right?
[00:51:04] Speaker B: What could go wrong?
[00:51:07] Speaker A: What harm could have happened here? And now they did discover, and let's kind of get into the nitty-gritty of this. So here is the login. Obviously I don't have a login, but it says several significant vulnerabilities have been discovered in managed file transfers. And they talk about the SQL injection and remote code execution for MOVEit. Remember MOVEit was horrible.
[00:51:27] Speaker B: Remember that horrible thing?
[00:51:28] Speaker A: And a little vindication for myself. I did a SQL injection. I did a CTF in 15 minutes.
I did this a couple of years ago and I was recently reading the comments on it and someone was like, SQL. Because it was SQL injection that gave me initial access. They were like, yeah, if it was 2000, maybe you could find a SQL injection. I'm like, here we go, vindication. SQL injections are still found in today's day and age for remote code. That's not what we're seeing here, but it's just along this. So they found this during a security assessment of Fortra FileCatalyst. Within there they found this FTP servlet. So within the FileCatalyst Workflow, a file upload process involving a POST request for the following URL. And here they give you the URL for it. So whatever your site is set up as. And then you have this web directory of workflow servlet, FTP servlet. And here's like a pseudo request to this here. And you can see, you're right around this region, I'll zoom in a bit. You can see it has kind of like port equals 21. Are you familiar with port 21, Sophia?
[00:52:35] Speaker B: Oh, I want to say like SSH or something, but I could be wrong.
[00:52:41] Speaker A: It starts with an F and ends in a TP. Okay, right?
[00:52:45] Speaker B: Yeah, I give up.
[00:52:46] Speaker A: That is, the standard port for FTP is 21. So you also have this PUT request that's on here so you can kind of see what's going on here, even though it's a bit obfuscated. But that's okay. Ultimately what they're doing is uploading a file to there. You are putting a file into an FTP server. That's kind of what it looks like it's doing. So it says a session token is required for this request. By default, the FileCatalyst Workflow allows anonymous login for public users. Ruh-roh, Raggy. So once you upload a file, you do have a very short window in which to access said file. And they do have some cleanup that's involved, and that's for the purposes of safety. Right. I want stuff to stick around and do things.
And it said in order to identify potential, they obfuscated some of this code. Fortra did, sure. So Nettitude had their work cut out for them, deobfuscating what's going on in the workflow. But once they did, they were able to see that, uh-oh, maybe I can find a directory traversal. Directory traversal being that good old dot dot slash dot dot slash, I can kind of work my way out of the directory that I'm at and then work down into other directories to access files. I want to be able to access the file that I'm working with. So they have the session ID and the file name. However, any files and folders in the upload temp directory were explicitly denied from being accessed publicly, so they couldn't put it there. The session ID was randomly generated and unknown to the user. Ordinarily, an attacker would attempt to use a series of characters with the X filename request header to navigate out of the intended directory. But slash characters were sanitized and this attack was not possible. So there was some security that was around this that they did find.
[00:54:39] Speaker B: That's good.
[00:54:39] Speaker A: Yeah. Trying to do their due diligence. But if you got enough time, you got enough effort, you can find your way around this.
[00:54:46] Speaker B: Oh, sure.
[00:54:47] Speaker A: Right now, they observed that temporary uploaded directories would be deleted by a cleanup process. That's why they said, hey. The exact time window was determined by the amount of time it took for a server-side FTP connection to complete. So obviously this is not easy to find vulnerabilities like this, but it does.
[00:55:05] Speaker B: Say if directory traversal is successful, you can't target the top-level webroot directory without risking deleting the whole application because of that cleanup, right? Yeah.
[00:55:13] Speaker A: What would happen? Oh, it goes, oh, you created a temporary thing in the webroot.
[00:55:20] Speaker B: Right.
[00:55:20] Speaker A: What do we do?
What does my logic say? Delete that folder, that directory that it's in. It's got to go bye-bye.
[00:55:27] Speaker B: So is that kind of a security measure in and of itself? It's gone. You can't do anything with it now, right.
[00:55:31] Speaker A: If I'm an attacker and I wanted to DoS your server, I delete the webroot. There is no server, right. The server is still up, it's still serving, but there are no pages. It's been deleted because your system is deleting it. So that's just one. It says, the unfortunate side effect is shown in the screenshot below, where it is deleting all this stuff. Right. No bueno.
[00:55:53] Speaker B: It seems like for both parties, I mean, unless that was your goal was just to, hey, sorry.
[00:55:57] Speaker A: Sometimes it is. Yeah, that's true. Right, let's see here. What are we moving on to here? So it has this bb decode option. So it says if we can exploit the directory traversal within the file name field, how can we instead manipulate the session ID to a known value? Reverse engineering this portion of the code revealed the following functionality, which showed the optional query parameter bb decode. And this is how they were able to gain access to their session ID. Okay, and then uploading, right, as shown below, this revealed the sid request parameter. That's what you see here.
[00:56:35] Speaker B: Okay.
[00:56:36] Speaker A: From there they uploaded the command shell and it was Katie bar the door at that point.
[00:56:41] Speaker B: It does seem like there is a little bit more, like the previous one we talked about, once the person clicks something, everything kind of runs automatically. A few more steps involved in this one, it seems like, or a little bit more hands-on stuff.
[00:56:50] Speaker A: So if you were doing this manually, absolutely. Okay. But they released proof of concept code, right, okay, that does it automatically for you. You just say run my PoC.
This is the address to the web server and here's the command I would like you to run, because as you can see it's uploading this shell.jsp file right there to a location outside of the upload temp directory. And then from there they're able to just start throwing it commands in the web requests. So a JSP file is a JavaScript something, I think, let me find, look up, I'm not good with that. And from there you can do, there it is right there in the request. You just go for shell.jsp, because now that is a file you've uploaded onto the web server, and then give it the query string of cmd equals whatever you want it to run. They can run whoami, id, cat /etc/passwd, cat /etc/shadow. I don't know what kind of level, it's probably www-data is your user ID, but. Oh, I'm sorry, what is it? If it's running in a Windows context, it is NT AUTHORITY, so that's not good, because it demonstrates that OS level access could be achieved depending on what user context this is running under. If this is running as a service account with NT AUTHORITY\SYSTEM or LOCAL SERVICE, then what could possibly go wrong? Well yeah, that's a problem. That's an issue.
[00:58:34] Speaker B: I looked up the JSP files, I'm getting some that say JavaServer Pages and then JavaServer Pages, Jakarta Server Pages. Okay, gotcha.
[00:58:42] Speaker A: That's it.
[00:58:42] Speaker B: So you had it, you had it, you doubted yourself. So then once that shell is uploaded, then that's when you get to the point where you're talking about the remote code execution that they lead with. But all of these steps in this proof of concept exploit, all you've got to do is run that command that they give you and it will detect whether there's anonymous login, get a valid session token, upload the command shell, do it all for you.
[00:59:05] Speaker A: Yeah.
[00:59:05] Speaker B: Wow. It's that simple.
[00:59:06] Speaker A: It's that simple.
So for you CTF players out there, I wouldn't be surprised to see this one show up. You think so? Absolutely.
[00:59:13] Speaker B: Well, it does say that this vulnerability was first discovered several months ago, back in August. But it was interesting, the quickness with which it happened. It was discovered on the 7th, it was reported on the 9th, and it was patched on the 11th.
[00:59:23] Speaker A: So pretty quick. Applause to Fortra for getting a patch out that quickly. A lot of times it takes public pressure, like, I'm going to release this proof of concept code of an RCE. Now, you have one that doesn't require authentication. What are you going to do about that? I would suggest releasing a patch. Right. Sometimes that occurs. So for Fortra to be like, oh, cool, dog, what do you got? Oh, yeah, that's no bueno. Let's patch that up real quick. And so that's really cool to see how fast that happened.
[00:59:56] Speaker B: Yeah, that was nice to see. I was surprised to see that it was that quick, because it does seem like in a lot of the stories we cover, it takes a while. Even if it's not pressure, sometimes companies drag their feet on acknowledging it and then patching it, or sometimes it just takes a while after it's discovered to even be reported. Crap. We didn't even realize this was happening. So nice to see that this was pretty quick, pretty quickly taken care of. But the exploit's there, or the proof of concept exploit is there, which I guess is interesting. This is kind of an aside. When they provide something like this, is there a measure in place to prevent that from being, can you use that proof of concept exploit they're providing maliciously?
[01:00:32] Speaker A: Absolutely.
[01:00:32] Speaker B: So there's nothing in place to really prevent that.
[01:00:35] Speaker A: That is, other than the patch.
[01:00:37] Speaker B: So if you're not patched.
[01:00:41] Speaker A: You are definitely asking for trouble.
[01:00:45] Speaker B: I guess at this point, though, because it's been, I mean, we're in March now and that was in August that this was first patched. If you don't have the patch yet.
[01:00:51] Speaker A: Yeah, it's kind of like that Fortinet thing we talked about earlier. Right. It's like, what is the holdup?
[01:00:55] Speaker B: What is stopping you?
[01:00:56] Speaker A: Right. If you can't patch the system, at least put in some sort of secondary security control measure in front of it to stop those kinds of things. Maybe like a web application firewall might be able to stop this, since it's going against it using web requests. So your WAF might be able to do the job, if you can't, for whatever reason, patch your actual server.
[01:01:16] Speaker B: Right.
[01:01:17] Speaker A: Do something, right. Do not allow access to that part of your web application through firewall rules.
[01:01:26] Speaker B: It sounds simple.
[01:01:27] Speaker A: It does. But that also sounds like work.
[01:01:30] Speaker B: We don't always get there.
[01:01:31] Speaker A: I'm a big fan of the work sometimes. That's why you wanted to get in the business.
[01:01:36] Speaker B: I'm really surprised you didn't have any kind of Robocop reference for that.
[01:01:39] Speaker A: I did not Robocop reference anything. You got one?
[01:01:42] Speaker B: I thought for sure you would have something. But to be fair, you were walking through the steps. You can't have too many wheels spinning at once.
[01:01:47] Speaker A: I had my head. Nothing jumped out at me and said, oh, this is Robocop themed.
[01:01:52] Speaker B: That's all right. We'll think about it.
[01:01:54] Speaker A: Baby food tastes like baby food.
[01:01:56] Speaker B: Couldn't believe the guy's just sitting there eating it with his fingers. I'm like.
[01:02:01] Speaker A: I thought to myself when I saw it, I was like, what if it was specifically for Robocop's digestive system, which is not human, really?
[01:02:10] Speaker B: There's like, lead.
[01:02:11] Speaker A: It's poisonous. It's like, oh, yeah, you're going to die, bro.
[01:02:14] Speaker B: There's gasoline. There's fuel in there. It looks like pureed pumpkin. Did not look appetizing.
[01:02:19] Speaker A: We put petroleum products in that. And you probably want to get to a doctor and start the process of emptying your stomach.
[01:02:25] Speaker B: If you get crappy gas mileage, it'll work well for you.
[01:02:27] Speaker A: Otherwise, the 6000 SUX.
[01:02:30] Speaker B: The 6000 sucks, if you will. Yeah. Anyway, so this one came to us from, what was it? Nettitude that broke this down. So shout out to them. We couldn't stay on Robocop for too long.
[01:02:41] Speaker A: Now my gears are spinning on the Robocop, because I'm thinking of the reporter we talked about. The officer that was fighting for his life.
[01:02:48] Speaker B: We're pulling for, do we, should we pull them for you?
[01:02:51] Speaker A: Fortinet.
[01:02:52] Speaker B: Instead of doing our normal break that we do, we should have like, a TV break that it's me. Like this. Just in.
[01:02:58] Speaker A: Yeah.
[01:02:58] Speaker B: And we go back and forth.
[01:02:59] Speaker A: You can pick your replacement heart, Jensen, Johnson, Johnson, any of the major producers of fake hearts. Because, hey, we care.
[01:03:10] Speaker B: Wow, you've really got it down pat. You've probably got that script memorized. Well, we do appreciate folks like Nettitude that break this stuff down and provide those proof of concept exploits so that we can take a look at those and then walk you through them. But that, I think, is going to do it for our deep dive segment. And I know we obviously covered a couple of things in rapid fire. Was there anything we didn't get to that you felt like was important to bring up? I know there's the whole TikTok ban thing going on, but that's everywhere and everybody's talking about it.
And to be honest with you, I'm kind of sick of hearing about it.
[01:03:36] Speaker A: We'll just throw in a bunch of SEO words. Taylor Swift, right?
[01:03:39] Speaker B: TikTok ban, the Chiefs, March Madness. Perfect. Just, those are two separate sports. Just throwing in a bunch of random words.
[01:03:46] Speaker A: There you go, YouTube algorithm. Put that in your pipe and smoke it.
[01:03:49] Speaker B: I know we're running long on time. I did want to mention I was nearly the victim of a phishing attempt this week.
[01:03:56] Speaker A: Really? You almost clicked the.
[01:03:59] Speaker B: Yeah, I'm a voice actor. I do that kind of on the side. And every once in a while I pick up, you know, like freelance stuff. And so some of that comes through Facebook. There's pages for it. People will be like, hey, we need a voice to do such and such, mom and pop stuff. And so sometimes they do it through like a Google form. It'll be, hey, you go in, right? So you go in. You don't ever submit personal information. It's like, hey, what would be your rate of pay?
[01:04:19] Speaker A: You don't ever click links.
[01:04:20] Speaker B: Okay. No, but what kind of experience do you have? And it's legitimate. I've gotten jobs like this before. It's usually very simple. And I know people are going to be in the comments like, is she dumb? Why would she do. Just stop while you're there, just stop. So I go in, I'm like, okay, might be interesting. And it looked like the pay was pretty good. Should have been red flag number one, right? But it was not outside of the scope for a job like this. It was realistic. But I'm just like, oh, that could be a decent amount of money. I could use that, right? I had to pay my taxes. We'd love to get that money back.
[01:04:48] Speaker A: I like how you say you have to pay your taxes because your normal deductions don't cover it anymore.
[01:04:54] Speaker B: Well, no, I'm saying, like, in years past I've been in school and stuff, and so I've gotten a tax refund, and this is the first year I owed money on my taxes. And it sucked. Anyway, yeah, welcome to the world. Right? So they reached out. They, the ambiguous they. Hey, we loved your demo. We'd love to talk to you about doing this. Would you be interested in scheduling, like, a brief interview? Also normal, right? Talk to you about your expectations. They wanted to do it through Telegram. Now, I have never used Telegram in my life, but I'm aware of it. I know a lot of people use it.
[01:05:22] Speaker A: Secure system for messaging.
[01:05:24] Speaker B: I'm like, okay, so I have a Telegram. I just don't use it. And I'm like, all right, maybe do that, right? And I know this now, right? And it was immediately after this, as soon as I'm like, on Telegram, and.
[01:05:35] Speaker A: I'm like, hey, Rando wants to contact you.
[01:05:37] Speaker B: He's like, hey, so we'll just ask you some questions. And I'm like, I kind of answered these in the form, rate of pay, things like that. And they're like, yeah, we have these spots. They're going to air April through September. We need them recorded by the end of the week. So urgency, right? It's got to be this many 30-second spots. You can easily do it. And this is the rate of pay. Okay, since I don't have a script or anything, do you have, like, a website or socials I could take a look at just to get an idea of your company, what you're looking for? Guy says, I'm an independent contractor. My website's under construction. You'll come to know more about the company in due time. Oh, okay. So this is definitely fake. This is definitely fake. There's no way you don't have any kind of socials, website. So I'm like, oh, right, okay, sure. In due time. So what is it that you'd like me to do? He goes, do you have professional equipment? Of course I do. I'm a voice actor.
Okay, we need you to reach out to this vendor to order professional equipment that you can use. I was like, but I just told you I have a mic. And I'm kind of like, just. I'm just kind of, what's your game? No, we're going to send you this. He tries to send me this draft that I can send to a vendor, somebody named [email protected]. Come on, really? I know I'm dumb enough to have gotten to this point, but I'm like, you're not even trying anymore. Come on, put in some effort. So I'm like, okay, you said you're an independent contractor, usually, just, you'd have a personal LinkedIn or something. Could you send me that? Just because there's a lot of scams going on out there, I've got to protect myself. He goes, I'm on my lunch break. I'll send it in a bit, and then immediately deletes the message thread. I was like, oh, man, come on. I asked you one hard question and you gave up. Yeah, I was kind of hoping you'd keep going with it.
[01:07:06] Speaker A: Double down, bro.
[01:07:07] Speaker B: Dude, you couldn't have spun up, like, you could spin up a fake Facebook, but you couldn't bother with a LinkedIn or an Instagram, like a website. Nothing. You didn't even try. But anyway, so I just thought it was interesting. I had never seen, usually it's like you get an email, you get a link, you get a text, but it looked like a job, and I was trying to apply for a job. It's not like a get rich quick, I'm going to enter and win this competition.
[01:07:30] Speaker A: It's a common attack vector at this point. Like, a lot of people are using fake job posts to get access to people's sensitive information or get them to click on something, download something, open this link, download this thing, double click it. If it says, hey, just yes and next your way through it and it's all fine. And then they never hear from them again because they don't need to.
[01:07:51] Speaker B: I do have a separate email address I use for that stuff, just in case. And because I don't want them knowing.
[01:07:55] Speaker A: My, you should personally build like a virtual machine sandbox for opening, well, right.
[01:07:59] Speaker B: And that's the other thing. I didn't have to open anything they sent me because they didn't really send me anything. They did try. Then later, like, oh, we'll send you an email with a thing. And that I just immediately was like, because at that point I knew. So I was glad that it didn't involve me having to open anything because.
[01:08:12] Speaker A: I get people asking me on LinkedIn if we can have like a one on one over Telegram or WhatsApp or whatever. And I'm like, that's not happening. Never in a million years is that going to happen. A. I would never use my personal account. I would create an account for doing those things if I was so inclined to do personal one on one mentoring. You can never be too careful. Tutoring or whatever, right? And that would be all done through virtual machines on a, would hijack my network's Wi-Fi, my neighbor's. Yeah, yeah. I would be like, total safety, because we get targets on our back as security professionals. And people would just love to say, oh, I hacked Daniel, or I hacked Sophia.
[01:08:56] Speaker B: Yeah, I was more pissed than anything because I was like, man, how low do you have to be? How much of a scumbag do you have to be? I'm, like, trying to make some extra money so that I can pay bills, make insurance payments. That kind of, I'm. Because I was, like, in an accident at the end of last year. I've got money that I stole from that. I'm like, dude, I'm trying to pick up some extra gigs and make a little extra money. You gave me hope, and now I'm just mad at you. I'm not even like, oh, my gosh, that was so scary. I'm just pissed. I'm like, where do you live, buddy?
[01:09:22] Speaker A: Water on the seeds of cynicism.
[01:09:25] Speaker B: I'm like, I just hate the world now. Like, I'm never going to apply for a job again.
[01:09:28] Speaker A: Lies, lies, lies. You're a liar. You're a liar.
I know you're a liar.
[01:09:33] Speaker B: The scumbag.
[01:09:34] Speaker A: That's right.
[01:09:35] Speaker B: Client's a scumbag. And scumbag sees the judge on Monday.
[01:09:37] Speaker A: That's right.
[01:09:38] Speaker B: So, anyway, I just figured I would share that, because I have not had to worry about that in a while, because I feel at this point, like, I understand. And, oh, get an email with a link. Don't click on that. Get a random text, blocked and reported. This was something that I'm like, damn, you could have had me if you'd been more convincing. I don't know. I think I'm a relatively average intelligence individual.
[01:09:59] Speaker A: What do you think you can do to be more secure? And if that is your business, and that's how you get business, probably at.
[01:10:06] Speaker B: That point, it sucks, because there are a lot of jobs that get posted that way that are legitimate, but you probably just have to bypass those kinds of jobs. Then I don't know that it would be worth it to. Well, it probably is legit, but you're taking. Because there's websites you can go through that do vet all of that stuff. If you're getting it through Facebook or LinkedIn, it doesn't always, places like Voice123, Voices.com. They do have systems in place to where, if you get to a point where you're able to post on that website, you can tell by other stuff, the English is broken. It says, it's like, oh, we'll pay you $8,000 for a 30-second spot. And that's like, nobody. Disney's not paying that. So I know you're fake and I can report you. Something like Facebook, it's easy to be like, oh, we're just a small business and this is the only way we can do it.
[01:10:46] Speaker A: Sounds like a good reason to just get rid of Facebook, right?
[01:10:50] Speaker B: And I did for a while. I use it for acting. Yeah, I've got like three friends and they're all acting friends.
[01:10:56] Speaker A: Disappointed?
[01:10:56] Speaker B: Don't come finding me.
I will reject your friend request anyway. So. Yeah, I just figured I would share that. I know you probably haven't been the victim of a phishing scam ever in your life, so I won't even ask you to share. Daniel's immune.
[01:11:09] Speaker A: You know why? Because you stick stuff in the emails like, hey, contact us about. Yeah, it's not happening.
[01:11:14] Speaker B: You probably wouldn't even open links from me unless you saw me send it to you.
[01:11:18] Speaker A: That is correct.
[01:11:19] Speaker B: You would just go to the website, which is smart. I should probably do that.
[01:11:22] Speaker A: I just do that anyway.
[01:11:23] Speaker B: I know I've wasted enough of your time. Daniel's got an interesting story. He's got courses to create and I've got hosting stuff to prep for, working on some courses this afternoon, so we'll go ahead and call it there. Thank you for walking us through these deep dive articles, Daniel.
[01:11:37] Speaker A: And joining us might. We might cut down to one article.
[01:11:40] Speaker B: It seems we're running long.
[01:11:42] Speaker A: Yeah, I don't want to run too long on this. I think next week we'll try to just drop down to one deep dive article so that we can have a little more time on that.
[01:11:50] Speaker B: We're just having too much.
[01:11:52] Speaker A: I just. I like doing, want it.
[01:11:55] Speaker B: We don't want to keep you here forever, so. Yeah, we'll work on that. It's a work in progress again. If you have any feedback, feel free to leave a comment down below. But that's going to do it for this week. So thanks, Daniel, thank you for joining us and we'll see you next week. Thanks for watching. If you enjoyed today's show, consider subscribing so you'll never miss a new episode. Bye.
