355: One MILLION Sites Affected by Critical Flaw?! (Technado visits HackSpaceCon!)

Episode 355 April 11, 2024 01:11:43
355: One MILLION Sites Affected by Critical Flaw?! (Technado visits HackSpaceCon!)
Technado
355: One MILLION Sites Affected by Critical Flaw?! (Technado visits HackSpaceCon!)

Apr 11 2024 | 01:11:43

/

Show Notes

Live from HackSpaceCon, it's Technado! This week, malware takes center stage: beware of bogus NordVPN downloads and YouTube videos promising Fortnite cheats. If you use a D-Link NAS device that's reached its EoL, you might want to check for a backdoor account. In the return of the beloved Tinfoil Hat segment, Five Eyes data has allegedly been stolen & exposed during a breach. Keeping with our space theme, NASA has finally cracked the case of Voyager 1 sending gibberish data. We wrap up our Rapid Fire articles with a critical flaw affecting one million WordPress websites, an update on the Ivanti debacle (four more vulns!), and a special "Crow" segment featuring million-dollar rewards for zero-days. After a quick break, we dive deep into a new malware variant called Latrodectus - and it's just as dangerous as the venomous spiders it's named after. (Stick around to see Dan and Soph mewing for the camera.) Want to read further? Take a look at the stories we covered this week:
https://www.malwarebytes.com/blog/thr... https://www.bleepingcomputer.com/news... https://gbhackers.com/hackers-deliver... https://www.scmagazine.com/brief/alle... https://www.neowin.net/news/after-fiv... https://www.darkreading.com/remote-wo... https://www.darkreading.com/remote-wo... https://thehackernews.com/2024/04/res... https://www.securityweek.com/company-... https://www.proofpoint.com/us/blog/th...

View Full Transcript

Episode Transcript

[00:00:11] Speaker A: Welcome, and thanks so much for joining us for another episode of Technado. I'm Sophie Goodwin, and you might have noticed by the background around me, if you're familiar with Technado, that we are no longer at home. We're not in Gainesville anymore. We are on location right now at the Kennedy Space center. And I'm not alone, of course. I've got Mister Daniel Lowry. Daniel Lowry with me to my left. Look at that. I'm already so excited about the con that I'm just losing my mind. Daniel, you looking forward to hack space Con? [00:00:33] Speaker B: I am. I came last year, first year. A lot of fun, a lot of great talks, a lot of great speakers, and it seems to be ramping up to be twice as good from last year. So I'm. I'm kind of excited about this. [00:00:46] Speaker A: Well, see, I wouldn't know because I did not come last year, but if it's going to be twice as exciting, man, I really don't know what to tell you about that. So, yes, we are here at Hacks Base Con. Uh, we're going to be, I believe, on Friday. Friday, live streaming some of that. So be sure to check out the channel for that on Friday. It'll be the day after this episode is released. But for now, we've got all the latest in technology and security news for you. I say all the latest. I should probably do a disclaimer. There's no way we could cover everything. [00:01:11] Speaker B: No. Welcome to our twelve of tech, NATO. [00:01:13] Speaker A: Exactly. We try to rapid fire. We try to cover what we think is fun and relevant to cover. So we'll go ahead and jump in if you're new here. Rapid fire. We're going to go through these articles pretty quickly, give some, some quick little hot takes, or at least some lukewarm takes, take a quick break, and then when we come back, we'll have a deep dive later in the show. Daniel, you ready? [00:01:30] Speaker B: I wanted to do cold takes. Is that okay? [00:01:32] Speaker A: Cold takes? Yeah, sure. Freezing cold takes ice. Brought to you by Technato. [00:01:36] Speaker B: Arctic. [00:01:36] Speaker A: Arctic takes. We actually will have a. An icy segment or an icy article later on, but to go with the. [00:01:42] Speaker B: Theme, we are one of the moons of Jupiter. [00:01:45] Speaker A: Yes. [00:01:45] Speaker B: That's how I see we are. [00:01:47] Speaker A: Yes. Wow. Wow. [00:01:48] Speaker B: That's a nerdy spaceship right there. [00:01:50] Speaker A: That's pretty good. That's pretty good. Deep space cut, if you will. [00:01:53] Speaker B: I like it. [00:01:53] Speaker A: Well, this. [00:01:54] Speaker B: I see what you did there. [00:01:55] Speaker A: Deep space. [00:01:56] Speaker B: You. [00:01:57] Speaker A: You know, it's funny because, like, cyberspace space con, you know, I feel like there's a connection they could make there. But what do I know? I'm not the wordplay expert. We'll go ahead and jump into these articles here. This first one. If you are a. If you're a bing fan, if you're a Bing enjoyer, you might want to listen up. This one comes to us from malwarebytes Bing ad for NordVPN leads to. I prefer to pronounce this as sectoprat, but it is sec top ratio. So there's a download file called NordVPN setup Exe, and it is digitally signed, so it looks official, but I promise you, it's not. [00:02:25] Speaker B: It does look official, and I'm a little disappointed you didn't do this. As Tommy from just bing Bing, what are you still doing? Right? [00:02:32] Speaker A: You know, what are you still doing? [00:02:34] Speaker B: Because I know how much you love goodfellas. [00:02:36] Speaker A: Thought I told you to go download that malware. [00:02:38] Speaker B: That's right. [00:02:38] Speaker A: What are you still doing? [00:02:39] Speaker B: Are you supposed to get the malware? Right, but here you go. [00:02:41] Speaker A: Right? [00:02:41] Speaker B: The old bing. That's right. So NordVPN, one of the more popular VPN's that are out there and. Well, I guess for good reason, right? If you're into VPN stuff, it can definitely help you do what you're looking to do VPN wise. Maybe add a little layer of security or what. We all know what you're actually doing is watching Netflix in other countries so you don't get hit with a stupid, hey, you're not from around here kind of business, so you can't have access to that content. But guess what? That makes it a prime target for people to go, what if I. Hmm, let me try diggity. And then now we've got ourselves a way to use an advertisement to kind of funnel people into an area that they shouldn't be going to, but looks legit. This is a common practice of the old malware people out there that love to engage in these activities. [00:03:29] Speaker A: No, go ahead. [00:03:30] Speaker B: I was just gonna say, make it look like the real thing to fool you so that when you. And what's kind of interesting is that they used an advertisement. I would have never fallen from this. And not because I don't like NordVPN or other things like that, because I scroll past all the sponsored ad stuff in all my search results, regardless of it's Bing or Google or whatever, because I hate the fact that you're trying to advertise to me because I'm weird out of spite. Yes. I'm not going to glitch, literally out of spite. [00:03:55] Speaker A: I will refuse to go if you're trying to advertise. But you're right, it does have, in addition to the malware payload, it has an installer for NordVPN in it. So when you download it gives you the illusion that you are installing a real life file. If we look here, they show some of what's included in the file. The payload is injected into Msbuild exe, connects to the malware author's command and control server. Oh, boy. Command and control, that's kind of a buzzword. [00:04:20] Speaker B: Yeah, command and control is kind of a big deal. They need that. So once they make, they infiltrate your system, now, whenever they need it or want it, they're going to need to be able to control it from, you know, a remote area. So command and control is always the thing you got to look out for. That's going to be one of your iocs. If you're looking into stopping this, cleaning up the thing, or if you're analyzing this particular malware, you'll want to grab those pieces of information to put them available or use them in your defensive systems to say, hey, we're going to make a DNS sinkhole to nothing, where if someone tries to go to this, it actually goes nowhere, or we're just going to block all traffic to and from ingress and egress filtering. Make all that happen using those, those c two communication channels. Now you also have to worry about whether or not it's over something like HTTP, HTTPs, or DNS or something other, some other normal services. That's typically how things go. So you just got to be on the lookout for that stuff as well. [00:05:19] Speaker A: And always double check your URL's, because in this case they used a lovely little method called typo squatting. [00:05:23] Speaker B: They did that. Typo squatting continues to be kind of a pain in the arse, as it were to put it, because you got to look, you got to be really kind of man, I wonder if there's an extension or something you can install into your browser that will go, hey, I see you're trying to go to Microsoft, but this is Microsoft. I feel like that's not where you were going. [00:05:43] Speaker A: Microsoft, therefore. [00:05:44] Speaker B: Yeah, yeah, let's, let's not go there. [00:05:47] Speaker A: Yeah, let's not. They do have some indicators, compromise listed malwarebytes has provided. By the way, we are going to put the links for all these articles in the description of the video. So you can check those out if you're watching on YouTube, if you're listening on your podcast platform. We recommend you come check out the YouTube channel so you can get to those articles and see all the lovely visuals that we have here. But, yeah, moral of the story, look, look out for that malvertising stuff. [00:06:05] Speaker B: Just skip the ads. [00:06:06] Speaker A: Just skip the ads. Yeah, don't reward them with your clicks there. Yeah. Thought you're gonna start. Start on a rant there for a second. Now, this next one, it seems, like, scary, but I think, you know, there's some stuff that gets revealed later in the article that it's not as scary as we might think. So over 92,000 exposed d link. Not. Not NAS devices have a backdoor account, or NAS devices, rather, which is. Yes. Network attack storage, right? [00:06:30] Speaker B: Yep. [00:06:31] Speaker A: So, uh, 92,000 is a big number. Um, I don't want to bury the lead, though. These are end of life devices. [00:06:37] Speaker B: Yeah, no clickbait here. [00:06:37] Speaker A: No clickbait here. They're end of life. But still, you know, there's decent chance people are still using. [00:06:41] Speaker B: Well, exactly. Depending on how old this device or these devices are that, uh, have this. This issues or these issues. There's two issues, specifically. One is the. The fact that there's a backdoor user into the devices, that they're baked into the firmware. So it has a username of. What was it? [00:07:00] Speaker A: Oh, message bus. [00:07:02] Speaker B: Yeah, message bus. No password. So fun. And then you can parlay that to have authentication. Now you're past the authentication, you can act as a user, and now you can find the system parameter, and you can use that for command execution. So from there, it's. Yay. Oh, no, the walls are burning down again. D link, as they say. What was kind of interesting about this, and I've actually run into this, where I found a flaw in the web admin portal of a Belkin router. I had an old Belkin router kind of fiddling around, doing some hardware hacking and some firmware hacking, and I was like, huh? Well, this is interesting. I cannot. Oh, yeah, yeah. I'm totally exposing the password to this thing. Unauthenticated. I found that. I contacted Belkin and let them know, and they were like, well, it's an end of life product, so it's out of scope. They didn't care. They said, so what? No one's using this? I'm like, is no one using this? [00:07:57] Speaker A: I'm calling you. [00:07:58] Speaker B: Don't get me wrong. I'm sure that it's not a widely used device anymore. But depending on when this thing was eoled, there might still be. How often have you changed your router lately? Right. I've probably had mine for two and a half, three years. [00:08:12] Speaker A: Yeah. [00:08:13] Speaker B: Right. And if it end of life. Right as the time I got that as a device from my provider or I bought it, I could easily still follow under the scope of this thing, depending on how much, you know, leeway they give. I did see that. That D link said that they still have firmware and security kind of advisories and support for some of their end of life products. So you would definitely want to go there. But most people don't pay attention to this kind of thing, so it still could be an issue. You still might be running this old end of life device, and now you're a part of a botnet. [00:08:44] Speaker A: Yeah. [00:08:45] Speaker B: Which is what we don't want to do. That's. That's bad. We want to avoid that. Right. So just saying. [00:08:50] Speaker A: And just because a device or a, you know, operating system, whatever, has. Has been out of service and it doesn't receive support anymore doesn't mean people aren't still using it. There was that train station we talked about that was, like, running on Windows 93 or something like that. Like, it was. It was the. [00:09:02] Speaker B: So there was no Windows 93? [00:09:04] Speaker A: No. I don't know. You know, I'm tired, man. It's been a long day. Windows 95. Windows 87, 7000. [00:09:09] Speaker B: I remember Windows 93 was awesome. The best in the Windows distro ever. They just got to bring it back. That's all I'm saying. [00:09:17] Speaker A: We just. We can't go one episode without clowning on me a little bit. I don't even think I was alive for that release of windows. [00:09:23] Speaker B: I feel like what you were doing is conflating the year and the operating system. [00:09:27] Speaker A: Yeah, yeah. You know, I conflate a lot, right? You weren't around when I was not around. I can't be expected to know. Moral of the story here. There's no patches for this, but that's because these devices are end of life. Doesn't mean you're not still using them. So maybe keep an eye on that. [00:09:39] Speaker B: You said there's no patches, and I immediately my brain went to Mario with bowser singing, patches, patches, patches. [00:09:47] Speaker A: I missed that level of the game. [00:09:49] Speaker B: I don't know how my brain made that connection, but that's what happened. Tons of fun. [00:09:54] Speaker A: Oh, man. We should get a sponsorship from Nintendo, right? We make references to that. We'll go ahead and jump into this next one. This is gonna be a fun one. If you are a Fortnite, enjoyer keep. Keep an eye out. Threat actors are delivering malware via YouTube, video game cracks. And most of the games that were listed for tonight was definitely a big one. But if we come down here, they've got a whole screenshot here. For a while, this channel was posting, I believe, in Thai, and it suddenly made a random switch to English. And it's Fortnight. Roblox Valorant. I think there's a couple of. Premiere Pro, which is kind of doesn't really fit the theme. [00:10:27] Speaker B: Right. Well, that's an Adobe software, right? [00:10:31] Speaker A: Yeah. [00:10:31] Speaker B: Right. [00:10:31] Speaker A: I mean, it's like game, game, Adobe premiere Pro, in case you'd like to. [00:10:35] Speaker B: Yeah. Well, obviously they are using the idea that, hey, would you like to crack this software? [00:10:40] Speaker A: Right, exactly. [00:10:40] Speaker B: Come and get these cracks. Come and crack, you know, cheats for your games, cracks for your apps, and come and get this. So this is one of those times where you're like. It's kind of like we talked about last week with Activision, if I'm not mistaken. It was activision. People were buying cheats and that those cheats had been, I guess, been taken over and infected with some form of malware. And even the cheat developers like, oh, what is this? Oh, no, that's. That's not what I meant. But you're. You're doing something that's kind of like under the table anyway. [00:11:12] Speaker A: Yeah. [00:11:13] Speaker B: And here we are. Same kind of thing. So I don't know what is in the gaming community, but apparently they are a bunch of underhanded. I'll just stop. Anyways, there's a lot of people in the gaming community that are looking to do things they probably shouldn't be doing. It's like, just have fun. [00:11:30] Speaker A: Just have fun. [00:11:30] Speaker B: Just have fun. Stop. [00:11:32] Speaker A: Well, and I think one of the. [00:11:33] Speaker B: You're them, aren't they? [00:11:34] Speaker A: But that's me. Yeah. [00:11:35] Speaker B: Don't tell anybody. [00:11:36] Speaker A: No, I'm not. I'm not a serious gamer. I'm a casual gamer. If you're like, you play. You play this game, you'd probably laugh at me with how little knowledge I have about it. But I said something last week or the week before about being like, I mean, if you're cheating at these games, and then because you downloaded a bunch of cheats, then something happens. It's like, well, you were. You're kind of. It's like you try to rob a bank, and then as a result, you like. [00:11:56] Speaker B: Like, you're like, I want to cop. [00:11:59] Speaker A: Right. Yeah. [00:12:00] Speaker B: This is completely. [00:12:01] Speaker A: What do you think was gonna happen? You know? But in this case says it's concerning because it targets younger users with games that are really popular amongst, like, young kids. So games like fortnite. Right. Not. [00:12:10] Speaker B: That's kind of smart of them. Yeah, because kids don't have the, you know, the maturity wherewithal. Right. Just like, what's the big deal? I just want to cheat for my game. I want to go into God mode and jump around and be able to fly and, you know, teleport and do all the things that you can do with sheets in the game. So they just think that's what they're doing, but then they're infecting their systems, and then that infection probably leads to more infections within their own ecosystem right at home. And now we're looking, staring down the barrel, another botnet, or whatever the case is. [00:12:37] Speaker A: They even include detailed instructions in the comments about. They have a screenshot of it here. If you have problems with downloading, don't worry, you got it. You just got to disable your antivirus. [00:12:45] Speaker B: Oh, yeah. [00:12:45] Speaker A: Try to use a different browser. Disable windows smart screen update. It's like, it just. [00:12:50] Speaker B: So turn off all the security. [00:12:52] Speaker A: But if you're a kid, you're not. [00:12:53] Speaker B: Thinking about when I was totally turning this off. I need this crack, bro. [00:12:58] Speaker A: I mean, I can get cheats for Toontown. All right, sign me up. You know, Toontown's not one of the games, otherwise, League of Legends. I might have fallen victim there. [00:13:04] Speaker B: Oh, they'd had you, huh? [00:13:05] Speaker A: So if you're ten, you're doing o sin on Sophie. [00:13:09] Speaker B: She's giving it away. Yeah. [00:13:11] Speaker A: Rewritten. That's the way to target. [00:13:13] Speaker B: Is Toontown 2024? Hell, yes. [00:13:17] Speaker A: So, yeah, this is another instance of. We got a lot of articles that have to do with, like, malware or secret, because, like, there was the. The VPN, the nordvpN thing, where it was, like, not. [00:13:24] Speaker B: Tons of breaches this week. I don't think. [00:13:26] Speaker A: I don't think so. No, no. So that's even better. Cause it rhymes, right? Oh, you're on a roll. We'll jump into this. [00:13:35] Speaker B: You love my job. [00:13:36] Speaker A: You really do. You really do. And that's good. You should enjoy it. This next one's a part of a segment that we have not seen on Technato for a hot minute. It's tinfoil hat. [00:13:45] Speaker B: The moon landing was fake. [00:13:47] Speaker A: Paul McCartney's been dead since 1966. [00:13:49] Speaker B: Dogs can't see color. 5g causes syphilis. [00:13:52] Speaker A: So I didn't realize that those interviews that weird al does. Like, he. I didn't realize those were fake. Like, how he just. I saw, like, one clip of him. [00:13:59] Speaker B: He's doing so absurd a lot of. [00:14:00] Speaker A: Times, and I didn't realize. I'm like, huh? Anyway, not the point. But he's in the little. He's in the little lower 30. Yeah. [00:14:05] Speaker B: Yeah. [00:14:05] Speaker A: This article comes to us from SC media. Alleged five eyes data stolen from acuity breach exposed. Now, I'm gonna. I'm gonna show my greenness a little bit here. [00:14:13] Speaker B: Okay. [00:14:14] Speaker A: Daniel and I were talking about this the other day, and I was not super familiar with five eyes, but you kinda. You explained it in a way that made sense to me. [00:14:21] Speaker B: I will tell you how I understand it. I could be wrong on this. From what I understand, five eyes are the five countries that have, like, a gentleman's agreement to a handshake deal. So in the US, the United States government is not allowed to spy on us citizens. It's illegal. It's against the law. [00:14:45] Speaker A: That's good. [00:14:46] Speaker B: You ain't gonna do it. You have to get. You have to get a warrant before it's legal for you to be able. And therefore, you have to show just cause and have a judge go through it. There's all sorts of stuff, hoops that you have to jump through if you want to wiretap or sniff down on any us citizen. Great Britain, on the other hand, doesn't have those restrictions. I mean, other than it's illegal. And we would have to prosecute them if we discovered that they were doing it. But if we just go, hey, don't do that anymore, and you go, what's that you left out there? You dropped something. It's all this information about Sophie that. Oh, I mean, that seems interesting for us. We should probably use that. So there's this agreement that while we can't do it legally and neither can you, but only if we prosecute you, would there be a problem. So you spy on our people for us, we'll spy on your people for you, and we'll gather information that way. [00:15:37] Speaker A: Okay. [00:15:37] Speaker B: I could be way off. [00:15:38] Speaker A: This is why. [00:15:38] Speaker B: This is in the tinfoil hat section, right? [00:15:40] Speaker A: Yeah. [00:15:41] Speaker B: This is how I understand this to work. If you're more in tune with this, please, in the comment section below, find us. Give us a comment. Let us know a little more detail about the old five eyes. [00:15:50] Speaker A: I would. Yeah. Any context in this? I would. I would love to hear good conspiracy. Oh, yeah. [00:15:55] Speaker B: I mean, this is just fun. [00:15:57] Speaker A: We need to start bringing back tim fool. Have more off. We certainly do. [00:16:00] Speaker B: But, I mean, this goes along with it. [00:16:02] Speaker A: Right, right. And in this case, it was data allegedly stolen. Allegedly. Allegedly. [00:16:06] Speaker B: Allegedly. [00:16:07] Speaker A: Allegedly stolen from a breach of us federal technology, a consulting firm called Acuity. And this. This group, intel broker who. We've. We've heard their name before there. I think in another article we looked at that. They. Yeah, we're a bunch of rascals. Miscreants, I think is the word. [00:16:22] Speaker B: Malfeasance. [00:16:23] Speaker A: Malfeasance. [00:16:24] Speaker B: One of my favorite. [00:16:25] Speaker A: Claimed that the exposed data trove also included sensitive information from members of the government and military. Fun. So fun. So that's never good, but what is. [00:16:33] Speaker B: The government saying about this? [00:16:35] Speaker A: That's a good question. Let's find out. The US Department of Homeland Security has dismissed the leak to include made up names and contact details to be used as test demos for vendors. That's interesting. What do you think? Do you think that's entirely true? So, theory. Theory. Speaker one. [00:16:50] Speaker B: If I know my government, I feel like I do. This isn't untrue. It's just not the whole truth. Right? That's how it works, ladies and gentlemen, we give you some truth. I don't know. I like conspiracy theories, so I want this to be true. [00:17:07] Speaker A: As long as it's not your information. [00:17:08] Speaker B: I just love this. [00:17:09] Speaker A: You're fine with it? [00:17:09] Speaker B: Yeah, man. Government's out to get you. [00:17:11] Speaker A: Oh. [00:17:12] Speaker B: Run for the hills. Dig a big hump bunker, and stick food and toilet paper in it. [00:17:17] Speaker A: Yeah, that's what's up, man. [00:17:19] Speaker B: Prepper time. [00:17:21] Speaker A: Go play. Fallout after this. I'm gonna be in the mood for it. But like I said, intel broker, it's not the first time we've heard them mentioned. They've claimed attacks against the La International Airport, General Electric, among some other pretty big names. [00:17:33] Speaker B: What's a he said she shed going on here? [00:17:34] Speaker A: He shed? She shed by the seashore. Sean Connery over there. [00:17:39] Speaker B: My wife has a she shed five eyes. [00:17:41] Speaker A: Data breach. [00:17:42] Speaker B: Do you have a seashed? [00:17:43] Speaker A: I do not. I don't have a. But, you know, what is she shed? I'm in my 20s. You think I own a home? [00:17:52] Speaker B: Yeah. [00:17:52] Speaker A: You think I own property? Uh uh. No way. [00:17:54] Speaker B: One day, hopefully, you will be a landowner. [00:17:57] Speaker A: Give me about 60 years and I'll be there. [00:17:58] Speaker B: 60 years. God forbid that that is the case. [00:18:02] Speaker A: This is a. This is a legend. Once again, it does say in the. In the article title, but good to know, especially if you do live in the US. And it's just good to keep in mind. Now, this next one, it's not. Um. We try to keep a security focused here, this one's a little bit different, but because we're at hacks base calm this week, we thought this made sense to include. After five months of debugging, NASA finally knows why Voyager one sends gibberish. Data, or gibberish, if you prefer gibberish. [00:18:27] Speaker B: Is it gif or gif? Right. [00:18:28] Speaker A: I think. I think it's GiF because graphic is the first g, and so I don't know. Anyway. [00:18:34] Speaker B: But then there's giraffe. [00:18:35] Speaker A: That's true, but it's not an acronym. [00:18:37] Speaker B: It's not. Is gif? [00:18:38] Speaker A: Let us know. Is it Gif or Gif, the 80 year old debate? [00:18:42] Speaker B: Yeah. Speaking of 80 year old debates, why is this gibberish? [00:18:48] Speaker A: Since last November, this Voyager one probe has been sending unreadable science and engineering data, and they've now figured out, they think, the reason why this is happening, it was a small portion of corrupted memory in the flight data subsystem. This is a lot of technical language here, no doubt. So that is the computer responsible for packaging the data before being sent. Before the data is being sent. So they're gonna. It's supposedly just a single chip that this comes down to. And so hopefully if they fix or replace that chip, they'll be good to go. [00:19:14] Speaker B: Yeah. What's interesting is, like, if you're not using like, ECC memory or whatever, which, I mean, this went out in the late seventies, right? This voyager was launched off into the. Into the great beyond back in the late seventies. So it didn't have maybe the same predictions, but like, just background radiation of the. Of the universe will change bits in processors and things like that. It'll kind of flip things over and. And make it go weird. So it's highly probable that that's exactly what's happening is that it just kind of messed it up. Also, it's made in the seventies, right? It was launched in the. In the late seventies, but God knows how long before it was like. [00:19:56] Speaker A: Right, right. [00:19:57] Speaker B: Actually built it might have been sitting on a shelf for two years before they stuck it in thing and fired it off in a rocket. So, I mean, it. Voyager's been an amazing. I would be interested to know whether or not they were able to flip it back and figure out what the gibberish says. Oh, yeah, right. And then get the actual data, because. [00:20:14] Speaker A: Right now it's just garbage decorupt it or whatever the term would be. Yeah. And it did mention, like you said, could just be the age because it is 40 something years old. Or it could have been that it was hit by an energetic particle from space. That sounds so much cooler. Why was it data gibberish? Well, there was an energetic particle from space that hit the chip. And you know, that sounds so cooler. [00:20:32] Speaker B: I hate it when that happens. [00:20:34] Speaker A: Hate it when an energetic particle from space story oldest time. It truly is. This was the first human made object to enter interstellar space. So that's pretty cool. It also means it is going to be a challenge to debug and fix this. It might take weeks or months until they find a way to make it operate normally. So until that point, they might still have to deal with that gibberish. Data. [00:20:52] Speaker B: I got to be honest, man. This is the kind of stuff that makes me excited about being a hacks based con, right? Because I was a kid, I totally into space. I loved astronauts and rockets and satellites and anything that has to do with that. One of my favorite movies is the Martian. Super fun, right? Anything to do with the Apollo 13. You name it or write stuff. All, all some of the things that just kind of really turn the old beanie for Daniel. So this kind of stuff, I like this stuff. [00:21:17] Speaker A: This is the kind of stuff that makes me the most excited for hacks. Base con. This is the thing that makes me the second most excited. [00:21:22] Speaker B: It's cool, right? [00:21:23] Speaker A: They gave us little rocket ships, so they did. That's a nice perk. That's a nice perk. This is the badge, by the way. It's not just like a toy that I have hanging from my neck. It is the badge. I don't know. Are we allowed to show that? Can we do that? [00:21:33] Speaker B: It's public. If you can make this in the time it takes to see the episode, fabricate a fake badge, then yes, you deserve to go to hacks based con for free. [00:21:44] Speaker A: Disclaimer. We're kidding. [00:21:45] Speaker B: Your skills are amazing. [00:21:47] Speaker A: Hell, try to get kicked out. Well, this next one might look a little bit familiar to you. I know we've mentioned some WordPress stuff. Stuff over the last several weeks. Seems like there have been a lot of issues with various plugins. And in this case, there is a critical security flaw that exposes 1 million WordPress sites to SQL injection or sequel injection. I feel like I need to say this in the document. [00:22:06] Speaker B: You actually said that, right? SQl is correct. [00:22:09] Speaker A: Oh, okay. [00:22:10] Speaker B: But it become, it has become like common fun vernacular to say SQL. Sql from. If I'm getting it, I know the comment section will. Will bust my head open if I'm wrong on this, but if I'm remembering correctly, SQl is only Microsoft SQL, Microsoft MSS, they have, like, if I'm not mistaken, they trademarked the term sequel. If it's not trademarked, it's just their verbiage for Microsoft SQl. But everybody just says SQl because it's easier. [00:22:37] Speaker A: I guess I'll shut up then because I don't want to get sued by Microsoft. [00:22:39] Speaker B: Yeah, you get the big red machine. [00:22:40] Speaker A: Redmond coming after my door. [00:22:42] Speaker B: Yeah. Bill Gates. [00:22:43] Speaker A: Bill Gates himself. [00:22:44] Speaker B: What are you doing, Sophia? [00:22:46] Speaker A: Is that how he talks? [00:22:47] Speaker B: I don't know. [00:22:48] Speaker A: That's Josh, Dan. [00:22:49] Speaker B: He's the pregnant man, right? He's the pregnant man emoji. Have you ever seen that picture? It's so funny. Christian, you got to get on that, man. Yeah, there's a picture of Bill Gates, and he's wearing like a blue shirt, and he's. He's kind of got a dad BoD going on. [00:23:00] Speaker A: Okay. [00:23:00] Speaker B: And he literally looks like the pregnant man emoji. Yeah. [00:23:03] Speaker A: I'll see if I can find it after this article. I'll see if I can pull up a picture of it. And I don't know. Maybe we'll have to censor it. I don't know. So anyway, the person, the researcher that discovered this received a $5,500 bug bounty, which to me, maybe I don't know much about bug bounty reward systems, but this plugin that has more than a million active installations that's being affected by this vulnerability. He got $5,500 for finding this bug. I feel like that's a little disproportionate. I mean, $5,500 is none of this needs that. But for a million WordPress sites being affected by this, I don't know. We're going to talk about something later where they're offering millions of dollars. Another company is more bugs, bug bounties. So this, to me, seems like a small amount. [00:23:41] Speaker B: Listen, there's going to be a couple of bug bounty hunters here. [00:23:43] Speaker A: Oh, really? [00:23:44] Speaker B: Yes, yes. Like Jason Haddix and Naham Sec. Maybe we can corner them and be like, what do you think about how much they got? Do you think that's an appropriate payout for this level of, of a bug based off of your experience and know how on these things, based on the. [00:23:59] Speaker A: Bug bounty economy, if you will, what's the norm, right? They've got a little more knowledge in. [00:24:04] Speaker B: Chatting the area off on that one. [00:24:05] Speaker A: Yeah. And this vulnerability was a security flaw. Has a rating of 9.8 out of ten. So it's not even like this is a little thing, like, pretty, pretty severe. That is that is one of the highest. I don't know. [00:24:17] Speaker B: I would also like to point out that, like every now and then I read our comments, right? And I did a video, I don't know, a few years ago and it included a SQL injection. I was doing like a CTF in 15 minutes or whatever it was, and there was a SQL injection in the CTF and someone commented, yeah, SQL injection. Like, if this was 2003, what day is this? How many days old are we when we realize SQL injections are still a thing, they still happen. [00:24:45] Speaker A: That's still a major part of a lot of the courses we have. It's still a major part of certification. [00:24:50] Speaker B: Exams and stuff because they still do the thing. Now this is a blind based, time based SQL injection, right? [00:24:56] Speaker A: Okay, so that's, what is that? Like, you have to put something in there that's like, okay, delay this by 10 seconds. [00:25:01] Speaker B: And then if it delays, it's nice when you can go, okay, you know, or one equals one and things come back or you see things mess up on the website. But that doesn't always happen. Sometimes things happen, but you don't see them happen. But you want to verify whether or not your SQL injection was valid. So what you'll do is you'll say, hey, wait a certain amount of time. Obviously, I say, obviously. Typically you'll use something like a sleep function. Sleep and then do X, Y, or z. For me, if sleep works, then the probability is high that your SQL injection was valid and worked and did the thing you think it should do. Okay. If it does not sleep, then it just goes through. It probably just threw your SQL injection away and said, I don't know what to do with this. It didn't work or whatever, because it did not do the sleep. If it does the sleep, that's your verification that things are working. [00:25:52] Speaker A: Okay, gotcha. [00:25:53] Speaker B: And that's why they call it blind. I don't see anything, so I have to use. It's kind of like finding black holes, right? Where we look at the or other suns or other planets, we look for things wobbling around. We look for indicators that something is there because we can't see it. [00:26:08] Speaker A: Right. [00:26:09] Speaker B: It's the same kind of idea. [00:26:10] Speaker A: And the danger here for those who might not know, when you are exploiting something like this, you could potentially extract sensitive information. Right? That's the danger. [00:26:19] Speaker B: Oh, yeah. Absolutely. Okay, so once, once I know that my SQL injection is working now I'm going to start going after the database itself. I want to extract the information from the database. I could even possibly parlay that into remote access. Lots of danger behind SQL injection. That's why I'm like $5,500. Like you say, nothing to sneeze at. But I mean, I guess they would know better on the extent of the capabilities and what database they had access to, what records they were going to have access to through the SQL injection. And maybe it wasn't super sensitive information. [00:26:51] Speaker A: Yeah, that's true. [00:26:52] Speaker B: But it's still a bug in their platform and a pretty good one. So it's worth, I mean, what was the. It did tell us, right? Attackers exploits like the amount that they were paying. Like, what could it do? [00:27:03] Speaker A: Oh, gotcha. [00:27:04] Speaker B: What were they doing with the possible. [00:27:06] Speaker A: To append additional SQL queries or SQL queries into already existing queries to extract sensitive information. But I don't know if they got super specific with the information that you could take out. [00:27:16] Speaker B: Extract sensitive information from the database. [00:27:17] Speaker A: If it's email addresses, I mean, that's still not good. [00:27:20] Speaker B: But if it's passwords and email addresses, that's even worse. [00:27:23] Speaker A: Right. Or like credit card information. [00:27:25] Speaker B: Right. [00:27:25] Speaker A: That obviously. [00:27:25] Speaker B: Right. Obviously you don't want that. [00:27:27] Speaker A: Right. So. But, yeah, it was this guy, his username was, I think, wannabe Leet or Leete wannabe or something. So shouts out to him. [00:27:35] Speaker B: He's making his way. [00:27:36] Speaker A: He's making his way downtown. Walking fast, faces pass. [00:27:38] Speaker B: That's right. [00:27:39] Speaker A: Dollar 5500. Nothing to sneeze at. [00:27:40] Speaker B: All right, cool. [00:27:41] Speaker A: So. And WordPress does account for, I think, 40 something percent of all websites on the Internet. [00:27:45] Speaker B: So this is kind of a WordPress. The Ron Burgundy of hacks here. It's kind of a big deal. [00:27:51] Speaker A: Oh, boy. Yeah, you're right. You're right. Well, we've got another segment here. This is another favorite of ours. We're going to be talking about Avanti again because this is Deja news. [00:28:00] Speaker B: Deja News. [00:28:06] Speaker A: Yeah, yeah, I'm correct. [00:28:07] Speaker B: You're correct. [00:28:08] Speaker A: So they, they are pledging a security overhaul over Devante because four more vulnerabilities were disclosed, closed just the other day, just, just a few days ago. And we're going to be talking about this in a second. But these are already being exploited, these vulnerabilities, by some pretty big, pretty big names, pretty big contenders. So the CEO penned an open letter to customers committed to a series of changes in the company. They're going to make these changes in the coming months to transform their security. What do you think about that? How likely do you think this is? [00:28:36] Speaker B: Well, so I feel like it is likely that they are going to go in and overhaul the code. Absolutely. I believe that that is true statement. Okay. That said, I mean, it's like basically saying, we're gonna take this old jalopy that we told you was awesome and we're gonna make it into the thing we told you it originally was. So, I mean, this is week what that we've talked about, Avanti, right? And here they are throwing out four more CVE's related to their products, which, like you said, is kind of apropos because. And a good thing that you're finding them and working on it, because you've got. Chinese hackers are currently attacking and taking advantage of said flaws in your systems. [00:29:24] Speaker A: Yeah. There were researchers that said multiple China hacker groups are currently exploiting these flaws. Is a separate article, but same, same kind of thing. China nexus threat actors been linked to the zero day exploitation of three of those flaws impacting the Avanti appliances. So four disclosed three already being exploited by these bigger groups. So that is reassuring. I'm really excited about that. [00:29:42] Speaker B: Yeah. So good for Avanti for getting on this now. [00:29:46] Speaker A: Absolutely. [00:29:47] Speaker B: But, man, you know, so I think I was talking with Don about this, you know. Cause we've seen a lot of fortinet, we've seen a lot of Avanti and other companies that continue to have security issues week after week, or are very close together. You know, he was saying how it kind of could come from when a corporate entity starts acquiring software. So you were mom and pop shop building something cool. A large company comes along and says, man, I like that cool thing you got there. I'll give you $10 million for it. And they go, heck, yeah, take that. Give me that 10 million. You know, that's. That's a great payday for a tech startup. Now, they, they get that money, they maybe a few of them stay on the team and come over and become a part of large corporate entity, and then it ceases to be as awesome as it once was because they just start packaging and slapping things together and bundling things together. So that doesn't happen all the time, but it can happen. I don't know if that's what happened here, but it could be one of the possible explanations for why we're seeing a lot of things there. There's pulling in different software and then slapping the Avanti name on it again, I don't know if that's what's happening, but it's a possibility. [00:30:58] Speaker A: Could be. And as far as the. The bugs themselves go, was two that could cause denial of service conditions on affected systems, that's never good. Those were, I think, medium severity, but the other two were heap overflow vulnerabilities that were characterized as pretty high severity. So it's all about balance. [00:31:14] Speaker B: Heap overflow, no good. That's where you get them. Buffer overflows. [00:31:16] Speaker A: Yeah, yeah, absolutely, buff. [00:31:18] Speaker B: Overflow lead to remote code execution. Remote code execution lead to, uh oh. [00:31:23] Speaker A: Lead to, uh oh. [00:31:24] Speaker B: Yeah, go ahead and call the number of that incident. What's that? Incident response team number. [00:31:27] Speaker A: Very technical term. [00:31:28] Speaker B: We're going to need to get that out. [00:31:30] Speaker A: Remote code execution lead to. That's our, that's our title for this, for this episode. And it's you just going like thumbnail. Well, uh, like I mentioned earlier, well, first of all, I did find the Bill Gates pregnant man. Whatever you actually get. This is a sticker on Redbubble. [00:31:44] Speaker B: Yeah, it was just super funny. [00:31:46] Speaker A: And then somebody went the extra mile. [00:31:48] Speaker B: And literally put his face. [00:31:50] Speaker A: Oh, I clicked on it. [00:31:50] Speaker B: Awesome. Now you got yourself gonna be in my search. Nice. [00:31:53] Speaker A: Malware, Bill pregnant. Bill Gates malware. That's awesome. [00:31:58] Speaker B: That's it. [00:31:59] Speaker A: So like we mentioned earlier, we're talking about the bug bounty. How we thought that the $5,500 was nothing to sneeze at, but interesting amount. There is a different company offering much, much more, and we've decided to make this part of our segment that's been long lost. The crow segment. Oh, I love it. He looks so happy. He truly. I wish we could have brought the crow with us to hack space. [00:32:23] Speaker B: Smartest of all birds, he would have. [00:32:24] Speaker A: Been running into the window repeatedly. So it's good that we didn't. But this says companies offering $30 million, that is for Android iOS browser zero day exploits. And the reason that we decided to make this a crow segment is because down here, that looks to me like it should be crow defense. Yeah, no, that's not how it's pronounced, but it looks like it should be. [00:32:44] Speaker B: So crows need defense, too. [00:32:45] Speaker A: They do. [00:32:46] Speaker B: Right? [00:32:46] Speaker A: You're right. [00:32:46] Speaker B: To protect a good offense, but without a great defense, they're not going to win that game like they're the Gators football team. [00:32:52] Speaker A: We don't have a good offense or defense, actually. So anyway, so this, this, it's an exploit acquisition firm, which I didn't know was a. Was a thing. They're offering a total of 30 million for any of these zero days. And I just have to wonder why. Why for what? Why are you offering so much money for these euro days? What are you going to do? [00:33:10] Speaker B: That is a great question. Right. So pound own, right? That's a, that's a great research and development or exploit research kind of platform. And I think we reported on that. And there was something like right around a million dollars that they. They paid out. [00:33:26] Speaker A: Yes. Right. Which is a lot. [00:33:27] Speaker B: It was a lot. Who's paying out those. Those bounties? So Microsoft, Tesla. Right. Firefox, Chrome, like all these. All these big organizations are saying, hey, if. If you're finding flaws in our stuff, we'll pay you a good bounty for it. We got this competition going on. You get these points. We gamified it. It's really cool, it's really fun. This is just an organization that says, we will pay you for zero days, and we will pay you well. So, okay, let's say you pay me, what was it? $3 million for an iOS zero day vulnerability for full chain, previously unreported reports. What you doing with that? What you doing with those iOS zero days? If you're willing to pay me $3 million for it, you obviously are making money. [00:34:19] Speaker A: Yeah. What kind of return are you getting on that? [00:34:21] Speaker B: I just don't know how you're doing it. Maybe I just need to do my research into crow defense. [00:34:27] Speaker A: But I don't blame you for being cynical, because it's like I am too gonna be true. I know you're not doing this out of the goodness of your heart, so why offer so much money unless there's something in it for you? [00:34:36] Speaker B: I doubt highly. They're just sticking it on a shelf and going, we're just a philanthropist, just want to help. Yeah. Put these off in the vault. [00:34:43] Speaker A: But if you are a loved one. [00:34:45] Speaker B: Have a zero day for iOS. [00:34:47] Speaker A: You may be entitled to up to. [00:34:49] Speaker B: 9 million successful JG malware. I mean, Wentworth, it's my malware, and. [00:34:54] Speaker A: I need it now. [00:34:55] Speaker B: That's right. [00:34:57] Speaker A: So they did say payouts for full chains or previously unreported exclusive capabilities range from $10,000 to $9 million. But only fully functional, top quality zero day exploits will be evaluated. So at least they've got standards. [00:35:11] Speaker B: Oh, yeah. Taking any janky zero days, that kind of work. [00:35:16] Speaker A: Only the best for the folks over it. [00:35:18] Speaker B: Crow defense, it makes me think of like. And I'm not putting the two together. I'm just saying it makes me think of the NSO group that they specialize in their Pegasus software. And their Pegasus software was to do what they have their own researchers with zero days for iOS and Android. And then if you purchase a license for Pegasus, you can then use that software to access those devices. You do your research. [00:35:45] Speaker A: That's true. [00:35:46] Speaker B: You draw your own conclusions. I'm gonna say good or bad things. I'm just gonna say there. That is. [00:35:52] Speaker A: We'd love to hear what y'all think about any of the articles we've covered. If you've got your own theories, your own questions and comments, we would love for you to leave those down below. And if you are a loved one, have discovered a top quality zero day exploit, you may be entitled to financial compensation, apparently. No defense, but I think we are going to take a quick break. We do have a deep dive coming up here on Technado. I know. Gotta. He's gotta go wipe the sweat from his brow. So we'll take a quick break. We'll be right back here at hacks spacecon with more technato. Tired of trying to schedule your team's time around in person learning? Isn't it a bummer to spend thousands of dollars on travel for professional development? What if we said you can save money and time and still provide your team with the best training possible? The answer to your woes is live online training from ACI learning. With live online training, we provide our top in person courses in private, online instructor led formats. You get to provide professional development in a manner that fits today's expectations. Entertaining, convenient and effective. Our exam aligned courses inspire the full potential of your team. Visit virtual instructor led training at ACI learning for more info. Welcome back. Thanks for sticking with us through that break really quick. If you are watching on YouTube, we are close to hitting a milestone. I just want to mention it before I forget. We're so close. I think we're like less than 50 away from hitting 100,030 something. Yeah. [00:37:06] Speaker B: Yeah. [00:37:06] Speaker A: So hopefully we can hit that milestone. If you haven't subscribed yet, consider doing so. We love to have you join us every week for a new episode. And you can join the Technado family. We get ice cream every Thursday. [00:37:16] Speaker B: Yeah. [00:37:16] Speaker A: Just kidding. No, we don't. [00:37:17] Speaker B: You have to go buy it yourself. [00:37:18] Speaker A: Yeah. And then you sit and then you can have it. [00:37:20] Speaker B: Yeah. That'd be kind of a fun thing if we started doing ice cream Thursdays. [00:37:24] Speaker A: It just. [00:37:25] Speaker B: Of course. [00:37:25] Speaker A: Yeah. It's kind of early in the morning. [00:37:27] Speaker B: It's like we're back in school. We're gonna have a pizza party and ice cream. [00:37:29] Speaker A: Yeah. You finish the f cat and you get your ice cream. That's the, that's the trade off. [00:37:33] Speaker B: Speaking of, we didn't have fcats, we had ctbs. [00:37:35] Speaker A: Oh, that's right, because you weren't a. You weren't a Florida kid, were you? [00:37:38] Speaker B: Yeah. [00:37:39] Speaker A: As a kid. [00:37:39] Speaker B: Mm hmm. [00:37:40] Speaker A: Was. Okay, so I guess f cat. [00:37:42] Speaker B: When I was a kid, it was all ctbs testing. [00:37:44] Speaker A: Okay. Yeah. See, I had to take the f cat. It was fine. It wasn't that bad. [00:37:47] Speaker B: Showing my age. Yeah, old, making money. [00:37:53] Speaker A: Well, speaking of ice cream and more specifically ice, I did mention earlier we did have an article that had to do with ice. Our deep dive today is titled lactrodectus, which is a fun word. This spider bites like ice. I just know they had a great time writing that headline. [00:38:07] Speaker B: Yeah. So lactor. Like, I was just. The whole time I'm reading this article, I'm like, so, pterodactyrus, lactose intolerantous. You know, what is the name of this thing? This is such an odd name. I wonder what that means. Honestly, we should have probably googled that. [00:38:24] Speaker A: That's true. [00:38:24] Speaker B: Before we got into this. [00:38:26] Speaker A: Well, I can. I can google you. [00:38:27] Speaker B: Google you. Go over there touching your screen, getting crazy. [00:38:30] Speaker A: I'm sorry. I'm sorry. [00:38:31] Speaker B: Break this stuff. [00:38:31] Speaker A: It's not a touchscreen pixie dust. [00:38:33] Speaker B: It's. [00:38:34] Speaker A: It's. It's a. It's a new malware. But as far as the root, I'm not sure. [00:38:37] Speaker B: So it is a new malware. You look up Lacroix lacadaquitas lollipop adopts, and. And, well, you got it already. [00:38:45] Speaker A: It says a genus of nearly cosmopolitan spiders, so they wear cute dresses. Nearly cosmopolitan spiders of the family Therididae, or. Yeah, that includes most of the well known venomous spiders, like the black widow. [00:38:56] Speaker B: Spiders in the city spiders. [00:38:59] Speaker A: That's pretty good. [00:39:01] Speaker B: Oh, fun. [00:39:02] Speaker A: So that makes sense. This spider bites like ice. Lactrodectus. I'm seeing the connection here. [00:39:06] Speaker B: We start to get it now, and. [00:39:07] Speaker A: I know this is malware, right? And it's appearing in email threat campaigns. Is there anything specific about this malware that sets it apart from you're just run of the mill male? [00:39:15] Speaker B: You know, there's always something interesting. That's why we kind of do these deep dives, is to start to learn, hopefully. If you've been watching technado since we started doing the deep dive section, the whole purpose of it is to start to see patterns, right? To look and see how are our attackers? How are our enemies out there coming at us? What is their standard way in which they're doing it? You should start to have picked up a few patterns, right? We typically have some sort of phishing campaign that these things begin with. And what's really interesting about this is, you know, so I've been at other cons, I've talked to other hackers, and, you know, a friend of mine, Jacob from Dark Wolf, he does exploit development. That's. That's his. That's what he does every day. He looks for exploits. He looks for zero days. And specifically in Android, which is kind of funny. He could get some of that money. [00:40:04] Speaker A: Yeah, that's right. [00:40:05] Speaker B: That we talked about earlier. But that's a very specific thing. It's very difficult, but that's not typically what a lot of hacking is in real life land, real lifeland. It's malware. Malware is what they use. I don't have to find some sort of crazy problem in your operating system or some software that you're using and exploit that. I just exploit you. I come after you. So where does that begin? It begins with social engineering. Phishing. Right. This is no different. It only differs in what their fish is like. What is the lure that they use to try to get you to bite on it so they can snag you and pull you in. And this one was an interesting one, and I was kind of seeing this one making its way around the headlines from different places. They were using the idea that you have violated a copyright. They were acting as copyright lawyers, giving you a cease and desist and follow the link and you'll see where you have violated our copyright. Click of the link. Ruh row. Now you're down the malware rabbit hole. [00:41:12] Speaker A: That's pretty creative, because usually I feel like I think of malware and it's like you've won a vacation or this is your bank and there's been a big, big withdrawal from your account. It's very, like, money centric or very urgency. This is something, though, that especially, like, if you're a creative type or whatever and you've got stuff that you're doing, even if just, it's like a YouTube channel that you're running and, oh, shoot, I'm getting copyright struck for something that I said or did. Yeah, it's going to. It's still going to create a sense of urgency. Yeah, but you don't think of that kind of stuff when you think malware. So this is kind of. This is a dangerous one. Yeah, I would think. And it does say that I'm looking through. It says it's first observed being distributed by TA 577. So I'm not sure if this is a threat actor that we've discussed before. Because unfortunately, I don't have them memorized by number. I wish that I did, but they used it in at least three campaigns in November 2023. But since mid January, it's being almost exclusively used by separate threat acting group TA 578 in email threat campaigns. And we just love to see that. [00:42:06] Speaker B: Yeah. And it's just the evolution of malware. You start to see this a lot where it kind of goes from one thing to the next and kind of, or, you know, maybe a malware group will kind of splinter off from their main group and start creating their own malware. But you'll see a lot of vestigial code coming from the previous versions making its way, because it's like, I don't want to reinvent the wheel. I've got something that works really well. I just now need to kind of modify it, make it a little bit different. And honestly, as, as AV and EDR and XDR systems start to catch wind of. Of your malware and start to block said malware, you have to constantly evolve it, or it's not going to be effective. It's not going to work as well as it once did. And since most of these folks are, you know, this is their stock and trade, this is how they make their money. That is not what they would want to do, is have it be like, well, I just sold this, and it doesn't work. No one's going to buy it after that. So they have to continually evolve these things. So we do see this as that. Now, from what I'm reading here, it says that they have seen at least a dozen campaigns delivering Lacto Dekta, Quetta, cacadas, beginning in February 2024, which is not that long ago. The malware is used by actors access to be initial access brokers, IABs, that's right around that region right there. So IABs, this is what these people are doing. So an IAB is, let's say that you have, maybe you run ransomware as a service, or you're running some sort of hacking as a service. Getting that initial access into the system is one of the tougher things to do. So do you want to spend all your time doing that, or do you want to work on your dashboards and selling to customers and servicing customer requests and all the things that do they actually run, you know, hacking like a business? No, I'll outsource it. That's what an IAB is. They're like, you know what? We've done all the heavy lifting of getting access into systems. What system would you like access to. We'll check our. Our coffers and see if they're in there. Let me run through the database. Oh, yes, we do have access into Bob's tires. I don't know why you want access there, but you. We've got it. He clicked the fish. We got the malware in. It's all good. There you go. Now you have access, and you. You basically pay them for the service that they've already done. So this is what they're doing. This is the. They don't seem to care to do too much after the fact, because that's not their job. Their job is to get access, maintain access, and have c two communications ready to go. And all you got to do is go, okay, now I can sell this. So that's what initial access brochures are doing. Since the malwares first observed by being distributed by TA 57 577 and the IAB known as a prolific Cubot or CAC bot. There's a lot of different ways. Cubot is a very well known initial access program in malware distributed prior to the malware's disruption, 2023. So using at least three campaigns, like you said, since November before reverting to Pikabot. Interesting. [00:45:04] Speaker A: Cute. Cute name. Peekabot. [00:45:05] Speaker B: Peekabot. [00:45:06] Speaker A: Cute name for a not so cute thing. I'm looking down at the. I know you mentioned that it was, like, copyright infringement accusation. That was kind of what they were using to get a click on this thing. And initially, I was like, wow, that. That might be a little more convincing. After reading it, I could still see how somebody would fall for this. But there are some things that I'm like. Like, first of all, it's all in the first person. It's. I have a strong self belief that you are violating our copyright. And I swear, under consequence of. I don't think I've ever gotten an email that's like, a very official. It's usually like, good evening, on behalf of the company. We or the company. It's almost never first person, like, direct like that. [00:45:38] Speaker B: You've never gotten a cease and desist. [00:45:40] Speaker A: You're right, I haven't. So are they usually written in first person? [00:45:43] Speaker B: I don't know if they're usually written in the first person. I don't feel like it wouldn't. It would be out of the realm of possibilities. But they are usually very strongly worded, like, you must stop. [00:45:54] Speaker A: Yeah, well, sure. [00:45:55] Speaker B: Like, like, you must stop now. [00:45:56] Speaker A: I think it was more the first person that was getting me. [00:45:59] Speaker B: Oh, this is the weirdness. [00:46:00] Speaker A: I demand the elimination. I'm like, you specifically demand it. You legal officer, you. [00:46:05] Speaker B: So that's interesting that that's something that your brain queued on, was the fact that it was written in the first person. [00:46:10] Speaker A: I just don't think I've ever gotten a very official email that was legitimate. [00:46:12] Speaker B: That was, if anybody's ever ceased, received a cease and desist. Do you get it in the first person? Right. Educate me in a manner. [00:46:19] Speaker A: Educate me. [00:46:20] Speaker B: I personally have not received a cease and desist, but I have been in the middle of filming content and have gotten the stop. The door opened, and it was stop immediately. Cease immediately and desist. And we got a cease and desist, which ended up being a nothing burger. Cease and desists are kind of like, WHOOP de do, prove I did something wrong. Like, if I'm doing something wrong, I'm probably going to stop at that point. But in real life land, if you get a cease and desist and you're not doing anything wrong, just keep going. They haven't proven anything yet. You might want to stop for the moment and investigate whether or not you might be, but that's where they get you here with their, with their fish, is to go, well, here's how I can prove you're breaking the law. And breaking the law is a really good motivator of fear and urgency and so on and so forth. So to me, it was a pretty good social engineer. [00:47:11] Speaker A: Yeah, I mean, there's, of course, always going to be the, you know, there's little grammatical mistakes that you can see. There's a really big, long, suspicious looking link. So that kind of stuff can be, can be indicators. But that's just the first part of it. That's just the email you receive that got this link. And if you click on the link, well, then you're in trouble. So let's just say I receive this email. I'm not paying attention. I get worried. I click on the link. What happens then? [00:47:31] Speaker B: All right, from there, it is going to. So you download the dropper. So once you click the link, it downloads a dropper. Not familiar with droppers. Droppers are basically, they drop malware. A lot of times they don't do anything specifically malicious. They reach out and grab things that do specifically malicious things, but that is to evade checking of. Well, are you doing something malicious? No, I'm just talking to the Internet. Who doesn't talk to the Internet? Lots of Internet talking going on all day. How is my stuff any different? Right? And honestly, most of these, unless you are reaching out to a known malicious entity is probably going to go, well, yeah, I mean, we do a lot of Internet talking, there's no doubt. And you seem to be doing the exact same thing. So what do droppers do? They look. And they. So a lot of malware will have their own specific infrastructure built up that has not been known. A lot of this comes in malware campaigns. The malware developers will have to spin up custom new infrastructure that have never been used before so that they can, you know, bypass any EDR. They're not known to be malicious. You're not going to get a virustotal, slap their domain name in there and go, yes, this is known malicious. It's going to go, there's no known problem with this. [00:48:44] Speaker A: Looks okay to me. [00:48:44] Speaker B: So that's what the dropper typically does. This one also makes sure to check. And this is something that we see more and more when it comes to malware is it looks to see, am I in a sandbox? Are you analyzing to see whether or not I'm malware? Huh, smart. [00:49:01] Speaker A: Yeah, that's interesting. So then if in theory you are opening it a sandbox, does the way that it acts change? [00:49:07] Speaker B: Oh, yeah. It starts going, I'm done. See you guys later. And it backs away into the, into the ether and disappeared. Deletes itself, usually that kind of stuff. I didn't see whether or not it did that. If it detected any kind of analysis that's going on, but here's what it does. It says if it's in a Windows ten or new, so it looks to see what device am I on. So if it's a Windows ten or newer, it must have at least 75 running processes, because that would be something that's actually happening on an end user system. If I'm running in a sandbox, you're not going to see this many processes running. It's highly unlikely if it's earlier than Windows ten looks for 50, because I guess that would be a little more in line with something in the windows eight, seven and previous. Then it does ensure that 64 Apple, the 64 bit application, is running on a 64 bit host, because apparently this is 64 bit code. If it's not, obviously that's going to make it a little difficult for it to do much. So it's going to look for that and ensure that the host has a valid Mac address. If you look at Mac addresses for virtualized devices, they typically have a virtualized Mac address. As you remember, that whole first couple of characters in a Mac address is the identifier, excuse me, of the manufacturer, if that's vmware. [00:50:30] Speaker A: Yeah. And before it even gets to the point where it's doing something that's obviously malicious, like you said, it does this check to see if it's running in a sandbox. I think it says it's environment checks. Then it does something called a mutex check. So I guess the malware always registers a mutex called runnung. I don't know how you would pronounce that. It's up here. Run ung. That is a fun name for it. If the mutex already exists, then those are already infected. So I guess that means malware doesn't have to worry about it and it can dip. [00:50:58] Speaker B: Yeah. So Mutex is a mutually exclude onomatopoeia. Right? Like, oh look, an acronym. Not an acronym. That's where you take two things. Not onomatopoeia. Portmanteau. Thank you. That you slap two words together. It's mutually exclusive something or other. I can't remember off the top of my head, but it's a portmanteau of two different words. Yeah. Do the lookup on that. [00:51:17] Speaker A: Google. [00:51:17] Speaker B: And they just use that because it makes it to where only one thread can access this at a time. So you can't be multiply coming at it and taking it. It's against. So kind of helps keep things where it wants to be and no other threads coming in and checking things or trying to in. What's the word I'm looking for? Interject. Like, hey, let's stop. Might be causing problems. It wants to make sure that the code runs okay. [00:51:43] Speaker A: It does say, I googled it. Mutual. Mutual exclusion. Mutual exclusion, that's what it means is representative of. So it's checking to make sure there's nothing that's going to get in the way and it's going to interrupt its processes. Right. And then it says it goes through something called global variable initialization. So it's initializing variables for the campaign. [00:51:59] Speaker B: Yep. [00:52:01] Speaker A: Including the current user's username handle to its own file campaign id. So. But again, this is all, it's almost like it's prep work for what the malware is going to do. [00:52:10] Speaker B: That's right. Because it needs to eventually connect to the c two. But pretend you're a c two or a malware developer. All of a sudden I put that hat on and you're like, okay, I've gotten access to a machine. It's reached out, it's talked to me, and now somebody else clicks the malware how do I know the difference between the two? I have to have some sort of unique identification for each one of my devices. This is, like you said, the prep work that's kind of going on underneath the scenes to create some sort of unique identifier for each one of the targets. So once it gains access to the machine and reaches out to c two, c two can now go, well, I've got this machine. I got that machine, I got that machine. And it was able to reference them as necessary. So if I only want one machine or ten machines to do what I need them to do, I can make that reference and have that action happen. [00:53:00] Speaker A: Okay, so there's a unique id for each unique host the malware is installed on. It's like each host gets its own unique american girl dollar. It's just like you and only for you. [00:53:10] Speaker B: I get that reference because I have two girls. [00:53:12] Speaker A: There you go. See, we're finally, we're finding some common ground with the pop culture together. Let me know when you watch the Kit Kitteridge movie. And then. [00:53:18] Speaker B: And then we can talk. [00:53:19] Speaker A: Yeah, real ones. No, it's an american world. [00:53:21] Speaker B: We're going to get a Judy doll soon. Are you familiar with Judy's? [00:53:24] Speaker A: Judy might be a new one. Yeah, I'm not familiar with that one. [00:53:27] Speaker B: I don't know. My daughter's obsessed with it. [00:53:29] Speaker A: I'll be googling that, doing some googling later. So after it does generate a unique id for each unique host, then it looks like it converts it to a string. And then we start getting into. They start mentioning c two. C two servers being decrypted. So this is where it starts to get a wee bit scary. [00:53:44] Speaker B: Yep. It's got some hard coded information inside of the code there. It's got to extract. Where am I supposed to reach out and who am I supposed to reach out to? It's going to have a list of those c two servers is like, hey, you're possible. You're possible. Or maybe one c two server does one thing and one another c two server does another. It can, it can vary depending on the malware, but ultimately, again, you start to see patterns emerge when we start analyzing different malware, but kind of doing the same thing, maybe it's just doing in a little bit different way, but you're going to see a lot of the same things. So we're going to use a fish to gain access. Once I gain access, I'm going to check for virtualization and make sure that I'm not being analyzed. If I am I want to pull the rip cord and get the heck out of there. Right. Don't want to do any of that analysis stuff. We're going to put the kibosh now. Okay, so I'm not being analyzed. Great. Now I can actually start doing stuff. Maybe I go up for stage two or three, maybe both, and continuing on. Ultimately, though, I need to connect with my c two server and let them know and beacon back and say, hey, I'm alive, I'm ready, I'm willing, I'm able. Let me know. Put me in the game, coach, and make that happen. Now. Here we see that's kind of wrapped up in encryption. They're using some encryption mechanisms throughout this malware, and I think there was some XOR encryption going on and, and some sort of rotational ciphering that was occurring as well. But ultimately, at the end of the day, they're using that encryption, and most malware will use, or I say most, some malware will use encryptions to bypass antivirus EDR XDR systems because you can't read jumbled up junk, even though the keys are, like, hard coded into the malware, which is like, makes it easy for us. You got to remember, computers don't think like we do. If I see encryption key, I go, cool. Well, I mean, you gave me the decryption key. I can just decrypt this. But in a program, an application, it's not going to decrypt that until it's already slapped into memory. And from there, it's highly unlikely that your antivirus systems are able to touch it. At that point. It's kind of abstracted away from it. It can't see it, but now it's being decrypted. It's doing something in memory. It's not on the disk. It's all, file this at this point. [00:55:52] Speaker A: Now, I know there are still, it breaks it down, really step by step in this article, which comes to us from proof point, and there's still several more steps to go. [00:55:59] Speaker B: Oh, yeah. [00:56:00] Speaker A: But obviously, this is, you know, once you click on the link, it just goes like. It's not like it requires assistance from the user for this to happen. So I know it takes a little bit to go through each step and to understand how it works in, in real life, in a real life situation. If this is happening, how long do you think it probably takes for all of these steps to occur? [00:56:16] Speaker B: Moments, really? Yeah. It doesn't take very long. Now, they might, if they're smart, they'll probably bake in some, some time, some weight some slow and low. Let it. Let it simmer. [00:56:28] Speaker A: So it's not sus. [00:56:28] Speaker B: Yeah, let it simmer on the, on the, on the oven there. Right, on the, on the, on the range, as it were. Right. Because the faster these things happen, the more likely it is for behavioral analysis to kind of kick in and go, what's all this? Right, so your a. Your av might not see anything malicious on disk, and it might not check or see anything even malicious, obviously, in memory, because that's a lot more. That's more difficult to detect, but behaviorally, those systems will start going, hmm, just weird. [00:56:59] Speaker A: Yeah. [00:56:59] Speaker B: And you know what my rule is for weird. Turn it off. Right? Make it stop. So it's. It's usually a good idea to kind of bake in some time, let it simmer, let it go slow and low, and then do something. Because they don't have forever to wait. An AV system will start bogging down cpu and memory and all that stuff as it analyzes each different process, especially if it's doing behavioral analysis. That can take some time and that can take processes. And now all of a sudden, your end user is getting super upset with their experience, with their system. So they try to have to try to have to find some balance between performance and efficiency and effectiveness. So if you're a good malware dev, you prey on that and say, I got all the time in the world. I'm going to make it wait ten minutes before it actually does anything malicious. [00:57:49] Speaker A: Because you've clicked on a link and you're probably not any of the wiser that anything's happening. You're just, okay, well, link happened and doesn't look like it's anything, so I'll just delete the email. So a lot of this, like you said, is checks of the environment. It's prep work. How much of this does it go through before it gets to the actual. [00:58:04] Speaker B: All right, we're ready to go with this specific malware. I don't know. What is it doing? I didn't count. [00:58:13] Speaker A: Yeah, it's 17 steps. [00:58:15] Speaker B: Yeah, there's 17 steps. [00:58:16] Speaker A: No, it goes through the different checks. Bot id to string, then it says c two decryption. The c two servers are decrypted, then it goes. [00:58:24] Speaker B: I think my browser blocked all those pictures. I don't have any of them. [00:58:27] Speaker A: You don't have the pictures? [00:58:29] Speaker B: I got that security turned up pretty. [00:58:31] Speaker A: High, so I don't. [00:58:32] Speaker B: It blocked all the. [00:58:33] Speaker A: I am using Firefox. [00:58:35] Speaker B: Yeah, you're getting. I am using Firefox, but I have a couple of extensions as well. [00:58:39] Speaker A: But he knows more than I do. [00:58:41] Speaker B: That doesn't matter. Ultimately, at the end of the day, what we want to see is not necessarily it's looking for those patterns and seeing how it is similar and how it is dissimilar. And what are the specific things that we can key on to identify this as malware for our defensive system. And that's what always, the end of the article is always the best part of that, right? Because it gives us those iocs as indicators of compromise. So definitely want to look through that. Another cool thing about it though is just its capabilities. What can it do? So you can, you can maybe use those as an indicator as well is if I see this type of activity on my machine, maybe that's something that I want to get to. But as someone who does malware analysis and wants to look at malware and see what it can do, I can, I can see these different commands that laparoscopic surgery can do, which is we can get the file names of files on the desktop, we can list of running processes, send additional system information executables, execute DLL's with a given export. We can pass strings to CMD and execute. A lot to do with executing stuff for us here in this malware. Update the bot and trigger restart. That's nice to go. Hey, we've made this bigger, better, stronger. We might want to go ahead and update that thing. It's so funny how it mimics and apes legitimate applications and software, because that's what you do. If you want software to be good and effective, they just want it to be good for bad reasons, which is weird. [01:00:14] Speaker A: Motivation is not really in the right place there, I guess, for having the software be, be high quality. Now once this is fully executed, once this is fully, you know, you've clicked the link, you've gone about your business and it's done what it needs to do. [01:00:26] Speaker B: Yeah. [01:00:27] Speaker A: What's then the end result? Is it just then, okay, well, you know, if it's on my computer, they can use my computer like in a botnet. [01:00:32] Speaker B: That is, that is absolutely. So I can make you a part of my botnet. I can so remember these are initial access browsers. So as far as they're concerned, they're done, right. They've got what they needed, which is access to the device and they have control over the device. Cool. Now they sell that to whatever bidder and then that person's intentions, whether it be botnet, whether it be. So maybe they want to do a distributed denial of service. Now your machine is a part of that distributed denial of service. Botnet. Maybe you have, you know, you're part of an organization that they're targeting. Now they have access to said organization because you have access to said organization. So it's all going to depend on who eventually purchases the access from the IAB and what they want. So their motives are going to be their own. [01:01:20] Speaker A: Hmm. Okay. [01:01:21] Speaker B: But various and sundry. [01:01:23] Speaker A: Various and sundry. A cornucopia. A veritable cornucopia of reasons. I thought it was funny. They, they give us a little pie chart because I do love the images that they give us. [01:01:32] Speaker B: I wish I could too. [01:01:33] Speaker A: For share screens, there's a. It's got a little chart offering a high level view of when new infrastructure is typically established. Decrease in activity noted to occur on weekends. I wonder if it's because people don't check their email on weekends. And it's just like you're only gonna have people really clicking on these links and then new, new connections being established Monday through Friday with a weird increase on Friday. So I guess people check their emails on Fridays before they leave the office. I don't know, but I know I do. Oh, yeah, definitely, definitely all day Friday. [01:02:05] Speaker B: Yeah, I'm in there till five, checking, just checking, just checking. Watching teams and teams. Checking emails. Diligent. [01:02:12] Speaker A: I know you're not watching teams. I'm sending them like, a link to something. And he's teams. [01:02:16] Speaker B: Doesn't ever work. [01:02:17] Speaker A: That's true. Yeah. [01:02:18] Speaker B: Right. Yeah. [01:02:19] Speaker A: I'll be sitting next to him and send him a link to something. And it doesn't. [01:02:21] Speaker B: It literally doesn't work. [01:02:22] Speaker A: It never appears. It gets lost in the ether. [01:02:23] Speaker B: I'm like, why are you sitting right here? Just tell me. [01:02:26] Speaker A: I can't verbalize a webpage to you. Let me describe it to you in detail. They've also. [01:02:30] Speaker B: I would prefer that, though. [01:02:32] Speaker A: So in the top left hand corner, there's a proofpoint logo. Picture, if you will, join me on a journey like chat GPT. Start talking like chat GPT. There's also another diagram here, chart visual, if you will, that shows the Latrodectus. Also, I've been pronouncing it lactrodectrus. There's no c in there. [01:02:49] Speaker B: Who cares? [01:02:49] Speaker A: It's latrodectus that shows the infrastructure and how this works. So we've got a couple servers at the top, jump boxes, which is fun word. And then all the way down here. So it shows you kind of what the layout is like. And there's a lot going on here. [01:03:01] Speaker B: It's kind of their infrastructure happening here. So obviously you've got a development server. I didn't see what they were referring to with the t two server. [01:03:09] Speaker A: Oh yeah, good point. [01:03:10] Speaker B: I see the back and x two s, which is nice. And the management infrastructure, a jump box is basically instead of connecting directly to one of these servers, just like you would do in a real life lan. You do not necessarily want to connect directly to your administrative servers you want to use because your laptop might be infected with something. So you use a remote connection into a jump box which you then connect to. So if I want to do an RDP session into a Windows server, I wouldn't do it from my laptop. I would log into the jump box and from there I would do the RDP connection and I would do all my remote control from there, or maybe SSH or whatever. It's just another layer of security that we like to use for that. And they're obviously, they're implying that it's there as well under their infrastructure. [01:04:03] Speaker A: Huh. Okay. That's a new thing for me. I'd never heard jumpbox before today. I notice you've got a list of decoded project ids that look like they're all named after cars. What's that all about? [01:04:12] Speaker B: Well, some of them are. It's really interesting. So the project ids, I think were the axis that they had gotten into or. No, this came from. Where was it? Here. Another campaign. Right. The data represented in this update was collected between 2022 and 2023. The patterns and hypothesis formed are limited to the malware configuration data collected from approximately 100 campaigns originating from emails during the scope of time and the subset of campaign ids successfully decrypted. While proofpoint is planning to publish more thorough analysis of the patterns and campaign ids in relation to tracked threat actors. Below is a table of selected project ids, initially brute forced. And we see Ascari, we see Austin Buick. I think these were the name of some of these campaigns, Porsche, Pontiac. And this is associated with the iced id campaign and now is morphing and evolving into Lacronoco. [01:05:17] Speaker A: Like a coconut. [01:05:18] Speaker B: Yes. [01:05:19] Speaker A: Lime into coconut. [01:05:19] Speaker B: That's the lime into coconut malware, as it were. [01:05:23] Speaker A: If you click on that link, it makes you all up. So don't do that. So coming down to the bottom of this article, they do always give us a conclusion, which is nice because sometimes it's a lot of detail, there's a lot of, it breaks it down. But it does say that proof point at least anticipates that it's going to be increasingly used by threat actors, which doesn't surprise me because it, I mean, it is a, it's a smart way to go about it using that, you know, hey, you've got a copyright infringement. You got make sure you're not breaking the law and then all of this stuff happening in the background. So if you do receive an email that says you're infringing on somebody's copyright and they want you to cease and desist, don't ignore it, I guess, because. I know, but it's also checking, like the sender. Right. Because odds are maybe it didn't mention anything about the email typoswatting or anything. Probably if you looked at it close enough, you'd be able to tell without even opening the email. This is knowledge. [01:06:12] Speaker B: Honestly, if they, if they put in a name of a company or an organization or whatever that is claiming that they are claiming to be in the email, which most of them do, just go to that do not click the link that takes you there. Go open browser tab. I mean, this is not, this is not difficult, right. You go browser tab. You know, so and so law firm. I mean, kind of. There's a number right there. Hi, are you Sally with so and so law firm? Yeah, I received an email not from you. You say, interesting. Good to know. Have a great day. [01:06:41] Speaker A: Yeah. Delete and then. Yeah. Destroy your computer. [01:06:44] Speaker B: Yes. Little kerosene here. [01:06:47] Speaker A: I know in theory, it's not hard, but it's, you get an email like that, I get scared. I start crying. I don't want to break the law, you know? [01:06:54] Speaker B: Yeah. [01:06:54] Speaker A: I'm a good person. I'm a law abiding citizen, so I would see something like that, and it might freak me out a little bit. Okay. [01:06:59] Speaker B: I wrote down here with her. [01:07:01] Speaker A: When have I ever broken. Well, actually, yeah. Hang on. See? [01:07:05] Speaker B: And the truth comes out. [01:07:07] Speaker A: Hang on. It's a long drive. All right. I'm doing my best to keep, to stay. I was a little bit sleepy. I was a little sleepy, I'll admit, on the drive, but he talked and he kept me awake, so that's good. [01:07:16] Speaker B: I did. [01:07:17] Speaker A: I've never knowingly broken the law. [01:07:18] Speaker B: Don't forget those iocs, though. [01:07:19] Speaker A: Yes. The indicator compromise has a long list of them, too. [01:07:22] Speaker B: It's a, it's a hefty list. [01:07:23] Speaker A: It is a pretty big. And all these long, complicated links. It's great. It's great. But it is good to know to have this available so that, hey, you can go in and look at that and cross reference. [01:07:33] Speaker B: Do you know what you do with these now? [01:07:35] Speaker A: You use them to indicate if you have been compromised. [01:07:38] Speaker B: You do. But a great way to do is to take this information, take those iocs and start building yara rules and sigma rules, which are helpful in going, if there's any of this information in a file that is on your device, you can use tools like Yara and Sigma. You create the rule that looks for these iocs and then flags on them if it sees them. Okay? Because remember, your AV and EDR might not detect it, but you can create Yara and Sigma rules that go, well, hey, it's got that information in it. And I know because you've made a rule that, that says that's malicious personally, that you can start detecting for these things. [01:08:17] Speaker A: Okay? [01:08:18] Speaker B: So that's why you take iocs and I can look at domain names and I can look at IP addresses that are baked in and I can say, hey, block that using my firewalls, right, and do DNS, sinkholing and all that other stuff. [01:08:34] Speaker A: Okay, see, I don't think Yara and Sigma rules, I don't think I was super familiar with those. You said sigma rules. And I feel like we should start mewing like the, our poor audio listeners have no idea what's going on. If you want to see Daniel mogging here. Yeah, you gotta go. You gotta go watch the video feed. I know Christian enjoyed that. [01:08:53] Speaker B: He did. I could see the smile on his face. He's right over there, ladies and gentlemen. [01:08:58] Speaker A: He's. He's so embarrassed for me. It's great. It's great. Well, this is definitely a, we say deep dive. This one went deep. [01:09:04] Speaker B: It did. It goes super deep. Like, there's no way we could hit every little detail on this thing. It's a very well published analysis of this, right, of this malware. [01:09:15] Speaker A: Absolutely. If you do want to get more into the details and look at those images that poor Daniel couldn't have pulled up on his screen, I was like. [01:09:20] Speaker B: Where are all the images? [01:09:22] Speaker A: He lost his image privileges. [01:09:24] Speaker B: Every now and then, security kind of bites you in the tail, doesn't it? [01:09:26] Speaker A: Yeah. Every now and then you get a little bit lonely because there's no pictures around. But if you do want to take a look at those, we'll have again the links in our description for the YouTube video. So this will be the last one in the list because it is our deep dive. I think that's pretty much gonna do it for the deep dive today. I do want to remind you all that ACA learning is the sponsor of Technado, the folks behind it pro. You can use the code Technado 30 for a discount. Forgot to mention it. So wanted to make sure I tell you, because I like you guys, and I want you to get that discount. [01:09:49] Speaker B: That's right. [01:09:50] Speaker A: We're currently working on a bunch of different courses. We were recording like crazy last week. So if you want to check out some of those courses in the ACI learning it pro library, Daniel and I are there, and we're having a great time doing all sorts of security stuff. [01:10:02] Speaker B: You thought this was fun. [01:10:03] Speaker A: Yeah. Oh, just you wait. [01:10:05] Speaker B: I'll show you fun. [01:10:06] Speaker A: We talked about cryptography. [01:10:08] Speaker B: We did. We did some cryptography. [01:10:09] Speaker A: We did. We did. You demonstrated. [01:10:11] Speaker B: I did. [01:10:11] Speaker A: It was pretty cool. So if you. [01:10:13] Speaker B: Next week, we're gonna do attacks against. Yeah, we'll play around with a little bit. [01:10:16] Speaker A: I love when we get to talk about, like, the threats and attacks. That's the fun part. But anyway, so if you want to check those out, feel free to head over to ACI learning. If you're watching from the Technado website, you can just click the orange button, and that'll take you there. And you can use the code Technato 30 if you're not already subscribed and get a discount on your membership. Speaking of subscribed, don't forget to subscribe here. We've got new Technato's every Thursday. [01:10:35] Speaker B: It's simple. You just click the button. [01:10:36] Speaker A: Simple little play button. Different. [01:10:38] Speaker B: Yeah. [01:10:39] Speaker A: New print, anyway. And we'll also be live streaming subscription. Yeah, we'll be live streaming on Friday as well. It's going to be, I think, the stage that way behind us. Is that where we're gonna be, or are we gonna be here, do you know? That way back there? That way? Back that way? We'll be there on that stage doing some talks, some interviews, that kind of stuff. [01:10:55] Speaker B: That's where the talkers will be, and then we'll bring them here. [01:10:57] Speaker A: Oh, so we get to bring them up here. It's gonna be like college game day. This is gonna be great. [01:11:00] Speaker B: Yes. [01:11:01] Speaker A: You could tell. I know. A lot of information. So if you want to check out those talks or the interviews, you can tune into that live stream. It's gonna be on the YouTube channel right here. Am I right? [01:11:09] Speaker B: As far as I know. [01:11:10] Speaker A: Okay, well, I think that's pretty much gonna do it for this technado. We've jabbered long enough. So thank you, Daniel, for deep diving with us on that this episode, lime and the coconut dextrous. You know, we had it fire, and there it is. We lost it. Thank you for joining us and putting up with us for this week's tech NATO. We'll see you next week. Thanks for watching. If you enjoyed today's show, consider subscribing so you'll never miss miss a new episode.

Other Episodes

Episode 312

June 15, 2023 00:55:29
Episode Cover

Technado, Ep. 312: Apple Made Developer Betas Free For All

Catch up on the cybersecurity and tech news of the week with Don, Dan, and Sophie as they cover the latest. This week in...

Listen

Episode

January 16, 2020 00:46:37
Episode Cover

Technado, Ep. 134: Headliner’s Neil & Oliver

Neil and Oliver from Headliner were guests on this week’s episode, talking all about the state of the podcasting industry and their innovative approach...

Listen

Episode 344

January 25, 2024 01:18:17
Episode Cover

344: MOTHER OF ALL BREACHES: 26 Billion Records?!

Today on Technado, Don, Dan and Sophie are joined by a lizard (yes, really) to bring you the latest in tech news. Google is...

Listen