356: Russian Spies Stole US Emails?! (Microsoft Breach Update!)

Technado, Episode 356, April 18, 2024, 01:09:54

Show Notes

This week on Technado, we start off strong with some breaking news: geospatial intelligence firm Space-Eyes has allegedly been breached by IntelBroker. From there, we cover two CVSS 10.0 command injection vulnerabilities: BatBadBut (CVE-2024-24576), a cmd.exe argument-handling flaw in the Rust standard library and other language runtimes on Windows, and CVE-2024-3400 in Palo Alto Networks' PAN-OS GlobalProtect. Apple has issued warnings to users in more than 90 countries concerning mercenary spyware attacks. We've got updates on the most recent Microsoft and AT&T breaches, as well as a new breach involving Sisense. And of course, we can't forget this week's Behind Bars subject: an ex-Amazon engineer who stole millions in cryptocurrency is facing prison time.

In our deep dive segment, it's a double whammy: we return to one of our Rapid Fire articles to get into the details of Palo Alto's 10.0 vulnerability. Then, we unpack Blackjack's newest venture, Fuxnet malware.

Want to know more? Check out the stories we covered this week:

https://www.hackread.com/windows-batbadbut-vulnerability-comment-injection/
https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html
https://www.theregister.com/2024/04/12/microsoft_cisa_order/
https://www.bleepingcomputer.com/news/security/att-now-says-data-breach-impacted-51-million-customers/amp/
https://www.hackread.com/iphone-users-mercenary-spyware-attacks/
https://www.securityweek.com/former-security-engineer-sentenced-to-prison-for-hacking-crypto-exchanges/
https://www.infosecurity-magazine.com/news/cisa-urges-reset-sisense-breach/
https://thehackernews.com/2024/04/palo-alto-networks-releases-urgent.html
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
https://unit42.paloaltonetworks.com/cve-2024-3400/
https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware

Episode Transcript

[00:00:04] Speaker A: You're listening to Technado. Welcome to another episode of Technado. Quick reminder before we get started, Technado is sponsored by ACI Learning, the folks behind ITPro. And you can use the code Technado30 for a discount on your ITPro membership. I'm Sophie Goodwin, one of your hosts. And I'm not alone here. I've got a dancing machine here to my left.
[00:00:22] Speaker B: Dancing machine.
[00:00:23] Speaker A: You were busting down for a second there.
[00:00:25] Speaker B: I don't know what she's talking about, ladies and gentlemen. She likes to make things up.
[00:00:28] Speaker A: You were dancing like Mister Van Damme is what you were doing over there.
[00:00:33] Speaker B: So you got me there. That was funny. I don't think I have such sweet dance moves as the one Mister Jean-Claude Van Damme. I could nowhere come near his capability and skills.
[00:00:45] Speaker A: I agree.
[00:00:45] Speaker B: Around the dancing sphere.
[00:00:46] Speaker A: I agree. For some context, I watched Kickboxer for the first time last night, and it rocked my world in, as it does, a good way. Maybe it threw me.
[00:00:57] Speaker B: It's definitely an experience.
[00:00:59] Speaker A: Yeah. There should be a ride about that movie. It is an experience.
[00:01:03] Speaker B: Yeah. Who is the... what studio made Kickboxer? That's a good question, because it needs a theme ride. Does Universal have the rights?
[00:01:10] Speaker A: Yeah, put it right next to the model.
[00:01:11] Speaker B: The Kickboxer. Right. I can't see this at Disney. Right. With animatronic Tong Po.
[00:01:18] Speaker A: So if you've seen Kickboxer, we may talk about that a little bit this episode, 'cause I have some things to say about that movie.
[00:01:23] Speaker B: As you're moving through the ride, he's, like, breaking his back. I don't want to drink.
[00:01:28] Speaker A: Yeah, we'll maybe get to that, but that's some breaking news for you.
I did see Kickboxer for the first time, and it changed my life. That's not the only breaking news we've got here.
[00:01:38] Speaker B: No, we have breaking news.
[00:01:39] Speaker A: We do have breaking news. Breaking news. Yeah, listen, just in, if you will. So sometimes things happen and we see that they happen. We don't miss it. Right. We are keeping up on the news and we're checking the sites and everything to see what's going on. There's just not enough information for us to really talk about it at length. So something happened just yesterday. This broker, uh, this group IntelBroker, this hacker IntelBroker claims a Space-Eyes breach targeting US national security data. So, uh, there's not any proof. This person went on and boasted that they did it. It only took ten to 15 minutes. And supposedly, if it's true that this actually happened and they were successful, yeah, it would have significant repercussions for US national security. But there's a lot of ifs. There's a lot of allegedly. So it doesn't really make sense for us to, you know, talk about it.
[00:02:20] Speaker B: And just to be sure, like... 'cause we basically skimmed this article right...
[00:02:24] Speaker A: Before. Literally five minutes ago.
[00:02:26] Speaker B: This might be an important thing to just kind of mention, that it did happen, is that this is not a US government agency that they... It is a company, a private firm, that does geospatial...
[00:02:38] Speaker A: Intelligence.
[00:02:39] Speaker B: Yeah, intelligence, right. That basically their only client is the US government. So there's that. If it did take... I mean, it does seem to reason that if there is a hack involved, I mean, if you find an exploitable vector, it doesn't take long.
[00:02:55] Speaker A: Right? Exactly.
[00:02:56] Speaker B: Once you exploit it. Yeah. You're kind of in at that point, for the most part. I mean, it could be, anyway. Sometimes you have to chain things together to...
To get things to work or to get farther down the road. Maybe you didn't have as much access as you'd like, but given the right circumstances, you hit the right tool, you hit the right thing, you hit the right exploit, and you're just like, everything the light touches, Simba, is ours.
[00:03:18] Speaker A: Oh, yeah.
[00:03:19] Speaker B: And that's how it works. So it's possible that this has occurred. And of course, what is step one in the "we got breached" playbook? Sophia. Deny, deny, deny, deny.
[00:03:28] Speaker A: No proof. We have no information. There's no indication that we have been breached or that any of our records have been exposed. And then two weeks later, it's like, hey, do you remember when we said that? We were just joking.
[00:03:38] Speaker B: Yeah.
[00:03:38] Speaker A: I mean, just joking.
[00:03:39] Speaker B: But even though they will admit... Right, I was just joking. I mean, they didn't get anything.
[00:03:44] Speaker A: Right?
[00:03:45] Speaker B: Right.
[00:03:45] Speaker A: Yeah. Well, they did get some stuff, but it was just, like, names and addresses. Nothing serious.
[00:03:49] Speaker B: They got the phone book from us. Big deal.
[00:03:50] Speaker A: Well, big whoops. Maybe they got a few passwords, but nothing crazy.
[00:03:54] Speaker B: Yeah, there were... They were all, you know, encrypted.
[00:03:56] Speaker A: Right, right.
[00:03:57] Speaker B: With, like, the weakest encryption possible.
[00:03:59] Speaker A: So they have the encryption key.
[00:04:00] Speaker B: Mmm. They did take that, too.
[00:04:02] Speaker A: Yeah.
[00:04:02] Speaker B: So anyway, that comes out weeks later.
[00:04:05] Speaker A: Right?
[00:04:05] Speaker B: That's weeks down.
[00:04:06] Speaker A: And hopefully, you know, a lot of times by that point, people have kind...
[00:04:08] Speaker B: Of forgotten about it.
[00:04:09] Speaker A: So it kind of flies under the radar sometimes. But sometimes we do get comments like, hey, this happened this week.
You guys didn't mention this. We generally... We do see it. It's just, you know, we are literally...
[00:04:18] Speaker B: Looking at articles up to right before we go start the Technado.
[00:04:22] Speaker A: Exactly, exactly. So we just wanted to mention it, and maybe we'll make that a new segment. This Just In. Breaking news, kind of a thing like that.
[00:04:28] Speaker B: Yeah.
[00:04:29] Speaker A: And we'll see if we can get a graphic spun up for that. But wanted to introduce that first.
[00:04:32] Speaker B: No transatlantic.
[00:04:33] Speaker A: I thought you were going to go, breaking news, this just in. IntelBroker, he is to be trusted, has breached sensitive data. More next week, maybe? Hopefully.
[00:04:42] Speaker B: If you could keep that up the entire segment, that would be awesome.
[00:04:44] Speaker A: I would love to. I feel like I'd... probably people would be like, that's annoying. Get her off the show.
[00:04:48] Speaker B: Please stop.
[00:04:48] Speaker A: But otherwise. Otherwise I'd do it. I'm a voice actor. I like to work on that kind of stuff.
[00:04:51] Speaker B: Sure, it's fun.
[00:04:52] Speaker A: But we do have other stories, other articles that we're going to be talking about here in our Rapid Fire segment. We'll try to go through them pretty quickly because we do have a decent amount to cover. Give our lukewarm takes, if you will. And then later on we do have a bit of a deep dive that we're going to get into. A couple deep dives, in fact. So we'll start off with a pretty big one. Windows apps vulnerable to command injection via BatBadBut, which is a tongue twister in itself, flaw. And if we scroll down here, we can see this has a severity score of ten. 10.0. Yeah, ten.
[00:05:21] Speaker B: That seems bad.
[00:05:22] Speaker A: That does seem pretty bad. Bad. But.
[00:05:24] Speaker B: Well, because if I... Correct me if I'm wrong, I could be totally wrong here. The CVSS scoring goes from zero and ends at 10.0. That is the highest.
[00:05:34] Speaker A: Daniel, I believe it does.
[00:05:35] Speaker B: Yes.
[00:05:36] Speaker A: I believe you are, judges.
[00:05:37] Speaker B: Yes, that is correct.
[00:05:38] Speaker A: Yes. But it does say it's still awaiting analysis. When I go to the NIST page on it, it says the base score from the CNA is ten, critical. But NIST has not given it its own score yet. So, but based on what we know right now, look at that base score of ten, it is critical. So moving through this, we see a ten.
[00:05:56] Speaker B: And not only that, bring that... bring your screen back up, because I always like to look at where the NIST score is. Kind of zoom in there and look at the vector right there. Vector. So you see that AV:N, that means it's network. Right. So that's the attack vector. AC, which is the attack complexity. L for low.
[00:06:18] Speaker A: Oh boy.
[00:06:19] Speaker B: Right.
[00:06:19] Speaker A: Which means it's not that hard to pull off. Right?
[00:06:21] Speaker B: Yeah, that's like a big problem there. Yeah, you get a little pop-up there. That's kind of nice, right? Privileges required: none. User interaction is none. Scope is changed. Confidentiality high. Integrity high. Availability high. That's why this hits the big 10.
[00:06:35] Speaker A: Easy to pull off and big impacts.
[00:06:37] Speaker B: Basically, you know, a mildly sentient being could probably make this happen.
[00:06:44] Speaker A: You got a fish hacking the system.
[00:06:46] Speaker B: You could accidentally lean on the keyboard, just like, how did I get inside of... Oh, man, totally owned this box. Yeah.
[00:06:53] Speaker A: Yeah.
[00:06:53] Speaker B: So that's what we're looking at here.
[00:06:55] Speaker A: Anytime we see a perfect ten, we do tend to panic a little bit. But specifically it says that this makes Windows apps vulnerable to a command injection. And command injections are pretty scary in and of themselves.
[00:07:06] Speaker B: That's exactly right. So I came across this looking at this Rust blog. I saw this Rust blog. If you jump into my laptop, you can see the security advisory for the standard library of Rust. Rust is a programming language commonly being used. It's kind of like all the prophets out there are saying it's going to be the one that takes over and finally puts C and C++ to bed, because it's got some security measures around it that those languages do not have. But in the standard library they found, and it's not just for Rust, apparently it affects Haskell and PHP and a couple other programming languages as well, with this command injection. So if you have a file or a, like a batch file, right, or anything that ends in CMD, the way that the standard library works, the command... So this is using the Windows API or the command API for Windows. You can see here the way it handles arguments is not properly sanitized. And that's the issue. Then it's basically just, if you know how to do command injection at that point, if you're taking arguments to your batch files, or where you're processing and running batch files or CMD files through your Rust code, it'll go, cool, what else you got there? Yeah, it's not just the arguments. I can semicolon plus make a reverse shell, plus add a user, plus do whatever. Anything I can do from a command line, it will do. And if your program is running in the context of system administrator, that kind of stuff, whatever the context in which that is running, it will have the permissions to do said thing. Actually, I think it all runs it at the highest level because you are running with the Windows API. Yeah, I think it is in kernel space. I'm not 100% on that. So don't quote me, but it does have some... some mitigations for you. So I would definitely check that out if you're using any kind of Rust code or PHP. I don't even think PHP has an update for this yet.
[00:09:04] Speaker A: I don't think so.
When I was looking through it, and maybe I'm wrong, I might have missed something. But it doesn't look like this is a situation where it's like, oh, there's a flaw. Here's a patch. You should be good to go. It's like, you can mitigate this. Here's what you should do to try to prevent this from being an issue. But there's not, like, a, per se...
[00:09:16] Speaker B: Yeah, and that's only for some of the languages, not all of them.
[00:09:20] Speaker A: Right. Okay, gotcha. So keep an eye out. I guess the bad, big deals, bad...
[00:09:26] Speaker B: BatBadBut. Good luck with that one.
[00:09:28] Speaker A: BatBadBut. It reminds me of an Arrested Development, blah, blah, blah. Of Loblaw lawyers or something like that. That's what that reminds me of.
[00:09:36] Speaker B: Oh, it's like Gob, right? His name. Gob. Gob. It looks like Gob. So funny.
[00:09:42] Speaker A: Oh, yeah. Well, we do have... I know I mentioned we might introduce a new segment, This Just In. We've got an old favorite segment here, up next. And this is going to be a bit of a double feature. This is Deja News.
[00:09:51] Speaker B: Deja News.
[00:09:56] Speaker A: We got it in the... We got the music in the room. We can have a little dance party. You can pull out your Van Damme moves. This first part of our Deja News segment today, you might remember, we talked a little bit about just a tiny little breach with Microsoft several weeks ago. Had to do with Cozy Bear. Operation Midnight Blizzard. Might have heard of it. Anyway, so this just in: Microsoft breach allowed Russian spies to steal emails from the US government. So kind of scary. Let's take a look here. The US government's Cybersecurity and Infrastructure Security Agency warns that the Russian spies who gained access were able to steal sensitive data from US government emails. And anytime you see that, that's a little bit scarier than...
I mean, it's bad enough when it's, like, private citizens' information, but this has some more serious implications, I would think.
[00:10:36] Speaker B: Man, you gotta love a good supply chain attack. Really, really kicks you in the gut.
[00:10:42] Speaker A: Kicks you where it matters.
[00:10:43] Speaker B: Yeah. Because... And especially when it involves the US government. If you live in the United States, you are, like, hoping with fingers crossed that the government can, will keep you safe from foreign entities that want to harm us or destroy our way of life. The Russians seem to be quite at odds with us on these things. I know. It's weird. Weird. You know, we got to find some common ground there and fix this, because we've got a lot of, like, warfare going on. So as we've reported before, and I'm sure that you've heard, the Microsoft certificate keys that were available to decrypt information kind of got stolen through some crazy means, and then you got Microsoft kind of waving one hand on one side of things going, well, you know, it's not that bad. We ended... On the other hand, we don't really know how they did that. All we know is it's fixed. And it's like, I mean, is it? Even if it is, the fact that we are now uncovering... right here we are in maybe phase two, or moving into three, of what happens when a breach occurs. We admit only what we need to, and then it's like, well, here's kind of the big deal of it. You have sensitive information. So there, basically, I think it was Microsoft, or was it... I think it was telling the government agencies that were affected by this, which are basically all of them, that you need to go through all the emails during that period, find out if there's any sensitive information that was, that could have been gleaned.
[00:12:15] Speaker A: Yeah.
[00:12:15] Speaker B: Flag that and let us know.
So, and then of course, if, like, you leaked a username and password or an API key or something like that, an encryption key, we have to revoke that stuff and generate new things, and you got to go through all... This is going to be one heck of a process.
[00:12:31] Speaker A: Yeah.
[00:12:32] Speaker B: I do not envy that task.
[00:12:33] Speaker A: No. Got to hit the reset button on a bunch of stuff. Got to.
[00:12:35] Speaker B: It's like Hercules' twelve tasks.
[00:12:39] Speaker A: Yeah, yeah, that's true. That is true. But yeah, they are going to, hopefully, you know, take some measures going forward. There was... they had a quote from somebody from Tenable. I think they interviewed somebody from Tenable for some reason. I don't know what they have to do with this situation, but anyway. Well, Tenable is like a large security...
[00:12:53] Speaker B: Like a big deal. They make Nessus.
[00:12:55] Speaker A: But I don't... it wasn't like they were directly affected or anything. I think they were just giving... they're probably just commentary, and it was like... I love the way they described it: "Microsoft's lackadaisical security practices and negligent approach to disclosure have national security implications." I've never heard somebody use the word lackadaisical in a... I love it. I love that. That's the word they chose to use. Not just that it was, you know, half-assed, for lack of a better word. Lackadaisical is a much better word for that.
[00:13:19] Speaker B: Just, you know, we'll get to security when we get to it. What's the big hairy deal about this?
[00:13:23] Speaker A: Not really a priority.
[00:13:25] Speaker B: Yeah.
[00:13:25] Speaker A: But, yeah, I think especially for a company like Microsoft, and the implication that, oh, US government emails were accessed, it's just not the best news for anybody involved.
[00:13:33] Speaker B: Well, and I would agree with...
I mean, historically, we see Microsoft, when something happens that affects a Microsoft product, they love to just kind of be like, did it really happen?
[00:13:44] Speaker A: Yeah.
[00:13:44] Speaker B: Yeah. Sure about that? Bad.
[00:13:47] Speaker A: You sure about that?
[00:13:48] Speaker B: Like, I don't even know. They won't let employees use, I think... again, correct me on this.
[00:13:53] Speaker A: Oh, yeah.
[00:13:53] Speaker B: You can't say that there was a breach or a compromise.
[00:13:56] Speaker A: There's, like, words that they are...
[00:13:57] Speaker B: Yeah, they're not allowed to use.
[00:13:59] Speaker A: You can't say zero. Yeah, they don't, supposedly.
[00:14:02] Speaker B: I mean, why not? Yeah. Denying the fact that it exists does not mean it does not exist.
[00:14:08] Speaker A: Are you afraid you're gonna speak it into existence or something? You talk about it.
[00:14:10] Speaker B: It's weird. Well, it became bad PR. They admitted... If you don't admit it...
[00:14:15] Speaker A: Yeah.
[00:14:16] Speaker B: You know, it's like, whatever. It's... And I think that's why someone would go as far as to say, oh, Microsoft was... lacks-a-daisical.
[00:14:21] Speaker A: Yeah.
[00:14:22] Speaker B: Lackadaisical.
[00:14:23] Speaker A: Lackadaisical.
[00:14:24] Speaker B: Lackadaisical.
[00:14:24] Speaker A: Yeah, they lack daisies too, but they are lackadaisical.
[00:14:27] Speaker B: Would be the worst. Lack of daisies.
[00:14:29] Speaker A: Well. Well, like I said, this is actually a Deja News, and we may see more on this. Hopefully any developments in the future are not in the negative direction. Hopefully it's like, hey, it's not as bad as we thought. But, you know, but it probably is. History's taught us it's probably worse than what we think. It's gonna get worse. It's, you know, not to speak it into existence or anything.
[00:14:46] Speaker B: Yeah.
[00:14:46] Speaker A: Like I said, this is actually a Deja News double feature.
So this next one you might remember. We also talked about another teeny, tiny little breach having to do with a small startup called AT&T. They're talking about this data breach. It's not a new one. It's the one that happened recently, but there's an update. They're now saying it impacted 51 million customers. And, I mean, I can't really count...
[00:15:05] Speaker B: But that's a... Oh, man, that's a...
[00:15:07] Speaker A: Pretty big number, Daniel. Know that.
[00:15:08] Speaker B: That just goes to show you how good their security was, because it was originally reported that it was, like, over 70 million. So they're down 20 million. That seems like a lot.
[00:15:20] Speaker A: That's true. It says the leak contained information for more than 70 million, but only 50-some-odd million...
[00:15:25] Speaker B: Yeah, they said some were, like... some of those were duplicates or they didn't have sensitive data that were actually in the, you know, this part of the breach. There was, like, a name associated to it, but there was no real data, and the others were duplicates. It's like, how do you have 20 million duplicates? Or empty rows? Yeah, that seems like a lot.
[00:15:49] Speaker A: It's a little concerning. Yeah, that's a little odd.
[00:15:51] Speaker B: Obviously, your IT department needs some help.
[00:15:56] Speaker A: Neither of the T's in AT&T stand...
[00:15:57] Speaker B: You are storing... Almost. Okay, so let's see here. They said it was 51 million, down from 70-some-odd million. So let's call it 22 million less.
[00:16:07] Speaker A: Sure.
[00:16:08] Speaker B: How much... How much percentage is 22 million of 50?
[00:16:12] Speaker A: Good question.
[00:16:13] Speaker B: Right. I'm going to go with... It's like four sevenths.
[00:16:17] Speaker A: What percent is 22 of 50? 44%.
[00:16:20] Speaker B: So 44%. Right. That's weird. Why do you have 44% more data that does nothing for you?
You guys should really, like... obviously, like I said, obviously AT&T's IT department, they're lacking. They are. They need some help.
[00:16:36] Speaker A: Yeah. I mean, with the job market being what it is, they're hurting for people. It's like, golly, you've got...
[00:16:41] Speaker B: You've got 44% more data than you need.
[00:16:44] Speaker A: Yeah. Yeah, it is a little bit... A little concerning would be an understatement, I guess. As far as the data goes, though, as far as I can tell, this data is from June 2019 or earlier. They still have not... They've admitted there's been a breach. Yeah, but they're still, like, we don't know how they got this data. I mean, it wasn't us. We have no idea where this came from or how they got a hold of it. But it may have included... They're not confirming, but it may have included full name, email address, mailing address, phone number, Social Security number, date of birth, AT&T account number, and AT&T passcode. So a lot of information may have... May have. They're being very vague.
[00:17:16] Speaker B: They don't... They're hedging their bets.
[00:17:18] Speaker A: They're hedging their bets.
[00:17:18] Speaker B: Non-committal language.
[00:17:20] Speaker A: But if I hear that somebody may have my Social Security number, that's probably still gonna freak me out.
[00:17:24] Speaker B: Yeah, I'm... Well, good news, right. The good news is AT&T said, well, you know, we'll give you free credit monitoring for a year.
[00:17:31] Speaker A: Oh, thank God.
[00:17:32] Speaker B: Oh, man. Didn't this happen in 2019?
[00:17:35] Speaker A: Right, exactly. It's like, if this data is that old, the breach itself is probably, you know... I mean, the information was leaked recently, but how long has it been exposed?
[00:17:45] Speaker B: And you mentioned that they're under class action lawsuits because of this, right?
[00:17:48] Speaker A: Yes. Yeah. And there was another breach that happened previously, or another... or...
No, I guess it was a data throttling thing. AT&T is dealing with a lot of stuff right now.
[00:17:55] Speaker B: Oh, yeah.
[00:17:55] Speaker A: They're having to pay out money for a data throttling thing from, like, back in 2019. And now they're dealing with, I think, a lawsuit from this. So they're straight up not having a good time right now. So I guess pray for AT&T that their security gets better or something.
[00:18:08] Speaker B: Yeah. That they do better. Stop doing better this way. Do better.
[00:18:12] Speaker A: You have a bad time.
[00:18:13] Speaker B: Yeah.
[00:18:14] Speaker A: Okay. Anyway, so... So moving into a different company that's kind of having a bad time right now. iPhone users in 92 countries are being targeted by mercenary spyware attacks. So Apple has issued iPhone security alerts to these countries stating their devices have been targeted. And I thought it was interesting. One of the countries that is affected pretty heavily by this is India. And India has been pretty outspoken before about they do not like those security alerts from Apple. That makes them angry.
[00:18:42] Speaker B: They just don't want security alerts.
[00:18:44] Speaker A: The Indian government opposes the security alerts by Apple, but they are pretty heavily affected by this issue. That's a really good question. Let's see if I can find some more information on that. But for whatever reason, they are a political firestorm in India. So this is from a while ago. Caused tension with the government, questioning the claims and pressuring Apple to soften them. So this issue between India and Apple appears to go back. If you've got information on it, let me know.
[00:19:09] Speaker B: That is just a weird thing that, like, if there is a security issue that affects my device and the company just kind of, like, gives me a little push notification. By the way, you probably want to update, patch, do whatever. Or just be on the lookout for, do you?
There's heavy, you know, activity when it comes to these devices. You might want to be on the lookout. Be, just be diligent, vigilant.
[00:19:34] Speaker A: I guess it so says this again. Previously, the reason that India's government was up in arms about this: it triggered a strong reaction with the government because they accused Apple of interfering in their internal affairs and questioned the accuracy of the warnings. They're saying, like, it might not even be that big of a deal.
[00:19:46] Speaker B: So they're saying this is, like, election interference or something, right?
[00:19:49] Speaker A: Yeah. That it's causing issues and it's causing interference in their political affairs. So whether or not that's true, I have no idea, but...
[00:19:55] Speaker B: So, so they would rather... It's that... So this is, you know, when things just get way too politicized. It's like when the company can't tell you, by the way, we got some, like, jacked up security flaws, you probably want to be on the lookout, or more concerned, or there's, like, a real threat actor out there going haywire attacking things, just FYI. But hey, if you want us to blacklist that and just never talk to you about this again, that's cool. We can be like that. I mean, if I'm Apple and you don't want... I guess they would have to geolocate where those devices are.
[00:20:27] Speaker A: Yeah.
[00:20:28] Speaker B: In some way, through IP or GPS or something.
[00:20:32] Speaker A: Well, and in this case, I mean, it's mercenary attacks, which I guess is basically a targeted spyware attack. And so this article does say that journalists and activists in jurisdictions of risk tend to be targeted. And so, group... Right, exactly.
[00:20:44] Speaker B: And Pegasus, that's the first thing that pops in my head. They're not the only game in town, but sure, they're kind of like the ballers on the block when it comes to this.
They specialize in having specifically for Apple devices, because Apple typically has fairly good security.
[00:20:58] Speaker A: Sure.
[00:20:59] Speaker B: On their mobile devices. They... Decent reputation and very, very tight, very sandboxed, very controlled. They pride themselves on keeping those devices secure. That doesn't mean they win that battle all the time. And obviously, zero-days, unless they are reported to Apple for remediation, are going to continue to plague them. So that's the thing. Like the NSO Group, what they do is they hire very skilled hackers to develop zero-day exploits for that platform, and then they can sell their Pegasus product to say, doesn't matter. Well, you can be on the latest and greatest, most patched version of iOS. We still got you. And that's what makes it very appealing to people like Saudi Arabia, to say... They're very... how do I do this in a PC way? Right. They're not huge fans when people talk bad about them, and they like to discuss that further with those that find them to be objectionable, and maybe they'll talk to them about that forever.
[00:22:03] Speaker A: That's... Yeah. Yeah. Well, on the implications of this targeted mercenary spyware attack, in this case, could remotely access sensitive data, communications, even the camera and microphone. And that is scary. I mean, even if I was, you know... the target here, it looks like, would be... you're more likely to be targeted if you're a journalist or an activist in a jurisdiction where there's a lot of stuff going on, you know, where you're at higher risk. But even just... I'm not a journalist. I'm not an activist in any way. But that would scare me. Like, they might have access to my camera, my microphone. They could access my data and communications. That's just, you know, you feel dirty. It's like a breach of your privacy. It's a breach of your information. So it is scary stuff.
But Apple's issued a warning for this very reason, because it is scary stuff. And that's basically what a mercenary attack is, is a targeted spyware attack. So if you or a loved one... It's unclear whether it affects US iPhone owners. And so I think probably a good portion of our audience is in the US. But other countries, you can go over and look at the list of the countries they've issued the warnings to. And I don't know, if you're a journalist or an activist in one of those countries, you might want to just watch your back a little bit, you know, be careful and take those security alerts seriously, especially 'cause Apple does have a pretty good reputation when it comes to their mobile security. Now, uh, this next one, unless you've got more to contribute on the Apple mercenary issue.
[00:23:15] Speaker B: Pretty straightforward.
[00:23:16] Speaker A: Pretty straightforward. Pretty straightforward. This next one is... It's one of my favorite segments, because we love to see cybercriminals get their justice. This is Behind Bars.
[00:23:27] Speaker B: Break the law and you break the...
[00:23:29] Speaker A: Law, you go to jail. There was a...
[00:23:31] Speaker B: We hope so.
[00:23:31] Speaker A: We hope so.
[00:23:32] Speaker B: Yeah.
[00:23:32] Speaker A: Do hope so. Most of the... idea, we hope. I can't even say most of the time. We hope you go to jail if you break the law.
[00:23:37] Speaker B: It depends on where you're at. It depends.
[00:23:39] Speaker A: It depends on the crime.
[00:23:40] Speaker B: Right.
[00:23:40] Speaker A: But in this case, there's a former security engineer sentenced to prison because he was hacking crypto exchanges. This was in prison. Prison, prison, prison, I believe, for at least a couple of years. But he... Yes, three years. Former Amazon engineer. An ex-Amazon engineer, yeah. This guy, he defrauded a decentralized cryptocurrency exchange of roughly $9 million. And that's no small potatoes. That's a lot of money.
[00:24:03] Speaker B: Right? Last time I checked, that was the whole purpose of crypto exchanges was so that someone could defraud them. The one back, that seems to be the only thing that happens with these things. They amass a bunch of crypto money, and then someone comes in and absconds away with it. [00:24:17] Speaker A: Yeah. [00:24:18] Speaker B: And then we go on that. That sucked. [00:24:19] Speaker A: That's the one great thing about crypto. It's easy to steal. [00:24:21] Speaker B: But, hey, they caught this guy. [00:24:22] Speaker A: They caught this guy. [00:24:23] Speaker B: Yeah. [00:24:23] Speaker A: Sentenced to three years for hacking and defrauding from New York. New York. He was actually arrested in July, pleaded guilty in December. So he was just sentenced. But this has been ongoing for a bit. I love. [00:24:32] Speaker B: How so? As I read this article, he. The. The gentleman in question, I can't. I don't know if they named him Ahmed. [00:24:38] Speaker A: Shakeeb Ahmed. [00:24:39] Speaker B: Yeah. So Shakeeb, he. He saw himself as more of helping than he did hurting, because he would. He would hack these crypto exchanges and take all the money and then go, hey, I was easily able to hack and take all this money. That seems like a security problem. I'll give it back to you for a bounty. [00:25:01] Speaker A: Yeah. [00:25:01] Speaker B: Of X amount of dollars. And, like, one company paid him out, another company didn't. So he just took the money. [00:25:09] Speaker A: Well, they didn't. Company Nirvana. They were going to pay him money. They were going to pay him over half a million dollars. But that wasn't enough for him. He wanted more money. So he ended up just saying, no deal and keeping all. [00:25:19] Speaker B: He's just keeping all the money. [00:25:20] Speaker A: Yeah. So it's like, it wasn't enough for him. [00:25:23] Speaker B: That's not how it works. I don't. I don't break into a jewelry store, steal all the jewels, and then contact. 
[00:25:29] Speaker A: The owner, keep a necklace. [00:25:30] Speaker B: We call that crime. Not. Right. That is a crime. You have to have authorization from those people to do said thing before you engage in said activities. [00:25:43] Speaker A: Right. [00:25:44] Speaker B: Otherwise, you are what's known as a criminal. [00:25:47] Speaker A: Well, and even if you had, like, even if this guy was a pen tester and he had authorization to do this, you wouldn't steal the money. You maybe have authorization to go looking for these for, like, a flaw or a way that you could. That you could break stuff. [00:25:58] Speaker B: Even if you did. If you did steal the money, you would steal, like, a little bit. [00:26:01] Speaker A: Right. [00:26:01] Speaker B: To an account that was there for you to, quote. [00:26:05] Speaker A: Right. [00:26:05] Speaker B: Steal the money. [00:26:06] Speaker A: You would not be. [00:26:06] Speaker B: Everything would be set up for you to prove that you could steal money if you wanted. [00:26:11] Speaker A: Sure. Yeah. But you wouldn't be stealing $9 million, right. [00:26:14] Speaker B: And then going, well, I'll give it back to you if you give me a million bucks. [00:26:18] Speaker A: Yeah, that's. [00:26:19] Speaker B: And again, they would be in on this, right. It would be like, it's a group project you have, like, where you sit down with people and then paperwork is signed, legal. This is why you're going to jail. [00:26:30] Speaker A: Yeah. [00:26:31] Speaker B: Because, fun fact. If you accidentally pen test somebody's stuff, like, they. They might not care that it was an accident. [00:26:40] Speaker A: Yeah, that's true. [00:26:41] Speaker B: You will go to jail or you might get prosecuted. You. You'll have a tough time. [00:26:45] Speaker A: Yeah. [00:26:45] Speaker B: Explaining. And their sanctions might come. Might come down the road on your head. So just be aware of that. 
That's why when you do a sit-down talk with prospective clients, or even people that have signed up for clients, you do scoping, you do statements of work, you do ROE. You do all sorts of paperwork. [00:27:05] Speaker A: Sure. [00:27:05] Speaker B: Before the facts. And in that scope and plus, even, let's. Let's say this, right. Let's say that, Sophia, you decided you needed a pen test, and you've hired my firm. [00:27:16] Speaker A: Sure. [00:27:16] Speaker B: To pen test for you. We sit down, I go, cool. What's in scope? You give me your production servers and maybe some test servers or whatever the case is that you want scoped. I got IP addresses. I got domain names. I, as the pen tester, still have to verify that those belong to you because you can't even accidentally give me permission to hack something that you don't own. [00:27:37] Speaker A: Right? Yeah. [00:27:37] Speaker B: Right. [00:27:38] Speaker A: And we're both in trouble. [00:27:38] Speaker B: Yeah. I can't pull up my. My. My statement of work and all that and go, look. Well, she said it was okay. She doesn't have authorization to say it was okay. [00:27:47] Speaker A: I can't give you permission to break into my neighbor's house. [00:27:49] Speaker B: Correct. [00:27:49] Speaker A: It doesn't work that way. [00:27:50] Speaker B: Right. So if you accidentally put that in your scope and I just go, well, it's in my statement. Yeah, that doesn't matter. [00:27:56] Speaker A: We're both in trouble, right? [00:27:57] Speaker B: We know you're not in trouble at all. [00:27:59] Speaker A: Oh, really? [00:27:59] Speaker B: No, no, no. Oh, okay. The owners of the liability. That's right. That's exactly right. So, yeah. [00:28:06] Speaker A: Good to know. So. So anyway, like I said, he's supposedly an ex-Amazon engineer. The only. The only thing that's been released in court documents was that he worked at an international technology company. They didn't name the company, but you go to his LinkedIn profile. 
It says he worked at Amazon. [00:28:19] Speaker B: He says, I work at Amazon. [00:28:20] Speaker A: Right. It's like, okay, they didn't name it. It's not hard to find, you know, that's, that's OSINT at work right there. [00:28:25] Speaker B: Just went to LinkedIn. [00:28:26] Speaker A: Yeah, LinkedIn.com. So he was sentenced three years in prison. In addition to that, sentenced to three years of supervised release, as well as ordered to forfeit approximately 12.3 million and pay over 5 million in restitution for the victim. Cryptocurrency change exchanges. So he is out quite a bit of money and he's gonna do some time. But if you can't do the crime, you can't do the time, don't do the crime. That's how they say you can't do. [00:28:49] Speaker B: Stand the heat, get out of the kitchen. [00:28:51] Speaker A: Exactly. So, uh, yeah, you know, God, God bless, God bless the legal system, I guess, for catching this guy. Sometimes it works right now and then. [00:28:59] Speaker B: Right. We sometimes get a win. We like a win. [00:29:01] Speaker A: And he's gonna serve his time. This next one, though, this is another one that's a little bit concerning. CISA, siza, Caesar, however you want to pronounce it, urges immediate credential reset after Sisense breach. I hope I'm pronouncing that right. Cicense, cis sense. I don't know. We'll find out. Somebody will correct me and we will find out. So they've disclosed a breach affecting. This is a business analytics provider, this company, and they're telling all these customers, you better reset your credentials because you might be in trouble. So a little bit concerning. Just, just slightly. Just slightly. [00:29:28] Speaker B: Just a little bit. Yeah. Because they do like, like you said, data analytics. But I, if I'm not mistaken, they do a lot of data analytics for, like, the government. [00:29:35] Speaker A: Yes. [00:29:36] Speaker B: Right. 
So you go, hey, here's my big data, like, stuff that's really hard for us to kind of parse through and collate and figure out what everything means. Sisense, they go, we'll handle that for you. We've got the AI and ML utilities that can, you know, easify that for you. And now they had like a big breach. [00:29:55] Speaker A: Yeah. [00:29:56] Speaker B: And that is a problem because there's all sorts of really good info. I mean, think about it. They have like, data lakes, right? These are, these are huge piles of data. And now attackers have had access to said data. And I don't know if you know this, but that's like a big deal nowadays. [00:30:12] Speaker A: That is a big deal. [00:30:12] Speaker B: Yeah. [00:30:13] Speaker A: Yeah, when hackers have access to any kind of data that they shouldn't have. But supposedly this was, as far as they can tell, company information that was on a restricted access server, which doesn't. [00:30:23] Speaker B: Have, they say how they got initial access. [00:30:24] Speaker A: So Brian Krebs, on his website, had kind of released some information. And supposedly, sources with knowledge of the breach said it appears to have started when attackers gained access to the company's GitLab code repo. And in that repo, a token or credential gave the bad guys the initial. [00:30:40] Speaker B: Access is how'd they get into that GitLab repo. [00:30:42] Speaker A: Right. [00:30:42] Speaker B: Okay, that's initial access. [00:30:44] Speaker A: That's a good question. [00:30:44] Speaker B: Because all the other sensitive stuff was behind. [00:30:47] Speaker A: Right, right. [00:30:48] Speaker B: Was behind that. [00:30:49] Speaker A: That. It doesn't say. It just says that they gained access and then they got a token or credential, uh, that gave them access to their S3 buckets in the cloud. But as far as their actual access to the Git. [00:30:58] Speaker B: Right. [00:30:58] Speaker A: GitHub repo doesn't say how they got. 
[00:31:00] Speaker B: If it was an open S3 bucket, we'd all be sitting here going, morons. [00:31:03] Speaker A: Yeah, you can't. [00:31:04] Speaker B: But so far, without that piece of information. So that's really the linchpin behind this is. What was it? Did they use an initial access broker? Were they able to, you know, send a convincing phish to somebody and they clicked and so on and so forth, and that was like, what was the way in which they found themselves into that GitLab repo where all the gold was? Yeah, because that's what, that's where the metal meets the meat when it comes to, like, how do. If I was Sisense, what would I do to secure this so this wouldn't happen again? [00:31:37] Speaker A: Right. [00:31:37] Speaker B: Right. Do we need to do remediation training when it comes to end user awareness or, you know, was there a hard-coded cred somewhere? Like, what happened here? That's, that's what I want to know. [00:31:47] Speaker A: Well, his, his website, Krebs on Security, he says it appears to have started when the attacker somehow gained access. So they don't know yet. And there, there is a decent amount. Whoa, magic. There's a decent amount of, like, apparently allegedly still. So we know that something happened. But as far as the information that was exfiltrated, says attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates. So if that's true, that's a problem. That's a problem. Yeah, that is a big problem. You're gonna have a also problem that I keep smacking the mic. That is also a big problem. I'll have to do something. [00:32:22] Speaker B: Don't smoke the mic. You might. So mister Mackie now. [00:32:28] Speaker A: That good? I'm glad, I'm glad. [00:32:30] Speaker B: No, I'll just make you think of those. Sweet Van Damme. 
[00:32:33] Speaker A: I was gonna say in a Thai bar you need to start doing the Van Damme accent. That's, that's the voice you need to start doing. [00:32:40] Speaker B: Yeah. Or that's happening. [00:32:42] Speaker A: It might, yeah. I don't know. I think if you practiced it you'd get it down. So this may be another one that pops up again when more information starts to come out about this. About what exactly, uh, what data exactly was. [00:32:51] Speaker B: I can't wait to see how that happened. That's what I'm going to be interested in. [00:32:54] Speaker A: Because there are, yeah, the implications are not great. Uh, we're getting ready to wrap up our rapid fire segment, but we got one more and we're going to go deeper on this in our deep dive segment as well. But you're probably wondering, what about that Palo Alto vulnerability that was, that was a perfect ten? Well, perfect is a strong word, but uh, yes. Palo Alto Networks released an urgent fix, or urgent fixes, for an exploited PAN-OS vulnerability. So it was a perfect ten, a CVSS score of ten. And let me see if I can pull up the, the report on that or the breakdown of that vulnerability because you know how we were looking before at, like, the vector and stuff, I want to see if I can pull that up. But say case of command injection, and that's command injection again. Oh, those are fun. Right. [00:33:33] Speaker B: And we are finding command injections all over the place. I saw someone talking, it was either on LinkedIn or something where they were saying it's just like 2024 is the year of the breach. It has just been so bad when it comes to RCEs this year. Like everybody's RCE. RCE this, RCE that, we've had quite a few tens already this year and we're only four months into the thing. We, if it continues on this, this vector we're going to have a really, really, really bad year. 
But command injection, they found a place where you're taking user inputs and from there it's being processed on the backend to run a command like a system or operating system command using some sort like eval or OS or system or whatever the case is in the underlying language to kind of lean on the operating system itself to do X, Y or Z function. Instead of rebuilding the wheel, you just go, hey, the operating system can do this. Run that for me, would you? But if you're not checking for specific characters and sanitizing that stuff out and really watching what's coming in, well, you got to remember it's feeding it to the operating system. My 5ft operating system. Have you ever heard of a thing called a one-liner? And that's where you string commands together using characters. Like I have one command that I, then I delimit to the next command by using a character like a semicolon or two semicolons or ampersand or a pipe character where I'm just moving, okay, move from one thing to the next. And there's different ways of doing that. But ultimately if I can build this one thing and feed it to the machine, and the machine goes, cool, you gave me the command, I'll run said command. That's why this is such a big deal. [00:35:16] Speaker A: Yeah. And I looked at the, I was able to find the breakdown of like the metrics and stuff. It looks almost identical to the one that we talked about earlier. The bad. But whatever it was as far as the metrics go, triple b, low complexity, high confidentiality, integrity, availability. Attack vector was through the network, so very similar, which makes sense because that was also a command injection issue, but definitely a big deal, huge, if you will. And we are going to go a little bit deeper into what this actually was and kind of how it works. And I know that it was Volexity, I think, that ended up finding this, identifying activity, that it is a zero-day or it was a zero-day. 
So there's fixes that have been released, but outside of that, outside of deep dive material, anything else that's like surface level that we should cover kind of in our rapid fire segment before we get too deep in the loose, we'll. [00:36:00] Speaker B: Just give you the bells a. It was obviously they found a flaw in the PAN-OS and specific versions that allowed for command injection from there a threat actor. So this is actively are being exploited. That's, that's one of the big problems that, that's occurring right now. I believe they are. Midnight, uh, Eclipse. Operation Midnight Eclipse, that's happening. So that's, that is um, the activity that is being tracked by Palo Alto Networks, Unit 42, their security branch of Palo Alto. Like you said, it was Volexity that discovered that this was happening and that the Operation Midnight Eclipse, they actually have built a Python-based malware to kind of help them do this in real life lands to continue the campaign. So that's. Those are the highlights. Like you said, we're going to kind of dive a little deeper into this when we come back. [00:36:55] Speaker A: Yes, absolutely. So if you were just wanting kind of the gist of it, if you just wanted the surface level stuff, there you go. But we are going to get deeper into this when we come back. We are going to take a short break, collect ourselves, and I'm going to think some more about the movie Kickboxer and how it's changed my life. But stick with us through that break and we'll be back with a deep dive here on Technado. Tired of trying to schedule your team's time around in-person learning? Isn't it a bummer to spend thousands of dollars on travel for professional development? What if we said you can save money and time and still provide your team with the best training possible? The answer to your woes is live online training from ACI Learning. With live online training, we provide our top in-person courses in private online instructor-led formats. 
You get to provide professional development in a manner that fits today's expectations. Entertaining, convenient and effective. Our exam-aligned courses inspire the full potential of your team. Visit virtual instructor-led training at ACI Learning for more info. Welcome back for more Technado, thanks for sticking with us through that break. As promised, we are going. I was going to say you were busting it down over there. Okay, let's bust an open. Some moves. [00:37:58] Speaker B: I felt like I was in a Thai bar just drunk as Cooter Brown. That's a southern colloquialism right there. [00:38:08] Speaker A: The Perrier is the Perriers. [00:38:09] Speaker B: That's right. Get him a Perrier. [00:38:10] Speaker A: That's what did it. That's funny. [00:38:12] Speaker B: Sparkling water. [00:38:14] Speaker A: He's off the water, which is, you know, that'll do crazy things to you. Well, like I said, we did promise we were going to go a little bit deeper into that Palo Alto vulnerability, that Palo Alto command injection issue, which is so much fun. We already talked about how that is a perfect ten on the CVSS. Perfect. It's a strong word. [00:38:30] Speaker B: That's right. It's Kerri Strug. [00:38:32] Speaker A: Okay. [00:38:33] Speaker B: You're not familiar with her? [00:38:34] Speaker A: I don't think so. [00:38:34] Speaker B: She was a gymnast in the Olympics in the nineties and she. I think she hit a perfect ten with, like, a broken ankle. [00:38:40] Speaker A: Oh, wow. [00:38:41] Speaker B: Yeah. [00:38:41] Speaker A: Well, good for her. See, if it's not a Gator gymnast, I probably don't know. I'm very pigeonholed into the Gator athletics world. [00:38:46] Speaker B: Mary Lou Retton, not familiar? She was like one of the first gymnasts to get a perfect ten. [00:38:51] Speaker A: Oh, good for her. Yeah, I'm happy for her. She walked so Simone Biles could run or something like that. Anyway, Palo Alto, we'll go back to this one. 
We have a couple different articles we're going to pull from. As we mentioned, Volexity is actually the group that discovered this, that there was an actively being exploited issue. And then we're going to take a look at Palo Alto's site as well. Their Unit 42 kind of breakdown of this. We have a little bit of a figure here that we're going to show that breaks down how this malware works. And so I love the little images that they show us. Maybe you can kind of walk us through this, Daniel. [00:39:21] Speaker B: Sure thing. Right? Because that's what the deep dive is all about, learning a little bit more about this so that we can better understand how those attackers out there are operating and what we can do to kind of like figure out what we can do to stop that. So it's always interesting to see the workflow. And like you said, Volexity has a great graphic that kind of breaks down how this, how this actually is accomplished. So let's jump in here. Let's take a look. So it starts off here, right, with a web request, which is a GET request to a specific pattern for, for adding a command to the error log. Right from there, this thing reads, we got the command injection, which will start the ability to actually infiltrate, infect the system with the malware, which reads the error log that's happening right around here. It'll retrieve commands via pattern, remove. And then if we move over here, it'll decode that. So these are all encoded. We're going to get into a little more details here. So just kind of give us the overview of how this is working. So it'll decode and execute that command. That command output will then be pushed back over here and saved to the output or save that command output to a file. It will then blah, blah, blah, retrieve results. The attacker is now going to retrieve those results. Go back to step eight, which will remove the command from the log file. We want to leave no trace that we were here. [00:40:43] Speaker A: Creative. 
[00:40:43] Speaker B: Yeah. And actually, as we kind of get into the details on what's going on in that step. Very interesting, very smart. Yeah, very crafty. Right. The crafty suckers that did this. Is this the Midnight. [00:40:56] Speaker A: Midnight Eclipse? [00:40:57] Speaker B: Yeah. Yeah, that's crafty. [00:40:59] Speaker A: Under cover of dark. [00:41:00] Speaker B: And then finally it waits 15 seconds to restore the original CSS file, which is kind of what it's manipulating here. So very cool. As you can see, it's that bootstrap.min.css. So once all that is done, then we have successful basically C2 operations with our malware. If we were Midnight Eclipse, if it wasn't so. [00:41:19] Speaker A: Evil, I'd respect it, but it is evil. These are the bad guys. And Palo Alto, like I said, their Unit 42. They've got a good breakdown, I feel like, of what this actually does. They kind of put it all in one sentence. Enables an unauthenticated attacker, which is never good, to execute arbitrary code with root privileges. [00:41:35] Speaker B: It seems like a problem. [00:41:35] Speaker A: Anytime we see root privileges, absolutely a problem. That's a problem. Root privileges on the firewall, so they give some details on the vulnerability and then they go into the scope of the attack and kind of break it down line by line. What's happening? So what is happening? [00:41:47] Speaker B: Yeah, so let's start off here, right? It says as a part of the activity observed in the Operation Midnight Eclipse after exploitation, the threat actor creates a cron job. Not familiar with cron jobs? They are cool little basically scheduled tasks inside of Unix/Linux operating systems. That's how they work. If you're coming from the Windows world, this is going to be that, that's the scheduled task area. So a lot of fun and not really a difficult thing to do, but obviously a very useful thing. So what does that tell me? 
It tells me that if I'm a threat hunter, if I'm a defender, one of the things that I need to be looking into is regularly looking for changes made to my cron. So I need to be alerted when cron activity occurs so that I can go, is that authorized? Is that unauthorized? Because if I'm not looking for a cron job to be changed in any shape or form, that should not be happening. That should only be done after a change request and all the specific types of management you do. So if you're monitoring your cron jobs, then that'll go a long way because as you can see, that is being utilized, and I've done it myself, to maintain persistence. I make cron jobs that reach back out. So if the system is rebooted or I get disconnected for any reason, then it will just kind of reach back out because I could schedule a cron job to run like every minute of every hour of every day of every week of every month of every year, and then I can just wait for that good old shell to pop back in. So cron jobs, so it's using wget. And as we can see, like right here, we've got this -qO-, right? wget -qO-. So the q is telling it to be quiet. The big O is saying hey, output that to the terminal. And then the dash is kind of like, I believe that's telling it to like feed that as output or input to the command line. Then of course it gives the IP address of the malicious server and it's looking for the endpoint of slash policy and then piping that into the bash system. So bash, run this. So basically they're taking this and wgetting a command that works as a command string into bash. It did say that it was unable to access the commands that were executed via this URL. But we believe this URL was used to deploy a second Python-based backdoor, which our colleagues at Volexity refer to as UPSTYLE. So that's, the second backdoor is called UPSTYLE. The UPSTYLE backdoor uploaded to the firewall was hosted at, and it gives you that update.py with the IP address for that. 
But we saw a similar backdoor at this URL, which is obviously being hosted in Amazon. As you can see from us-west-2, there's an s3.us-west-2.amazonaws.com. Kind of hard to, it's much more difficult that, that's really a good tradecraft right there because it's really difficult to block. You're going to block amazonaws.com, right, exactly. Especially if you're using Amazon AWS for things, which is a high probability that you are. Makes it much more difficult. Plus it also kind of like uh, bypasses any kind of scrutiny when it comes to, if you had like a web application firewall. Hey, this is good traffic because it's coming from AWS. So they're, they're kind of like using that as camouflage. [00:45:05] Speaker A: It doesn't raise any red flags looking at it. It's okay. That especially, like you said, if you are using AWS for, for stuff, then okay, that's normal. Moving on. And you probably pass it over without giving it a second thought. [00:45:15] Speaker B: That's exactly right. That's, that's the idea. That's the intent, the stealth. [00:45:18] Speaker A: They are creative. Like I said, if they weren't evil, I would respect them. And so it says it appears the attacker in this instance, last modified on April 7, 2024. Now you have been talking about how they, they go in and they like change the timestamp and they stomp out any evidence they were there. And that to me is very creative. I think that's a very interesting way to go about this. [00:45:37] Speaker B: Yeah, they, they were super creative and honestly this isn't super difficult to do because they had such an ease of command injection for the PAN-OS that's, that's running here, that they just built this in Python or like. Yeah, that's simple, we like it this way. So they just built a Python script that built, grabs more Python scripts and builds more Python scripts and basically it just uses Python. Python is a very easy language to kind of get under your belt. 
So if you wanted to write effective malware, that's not difficult to kind of code up. Python is a great language in which to do it. And if you've got full access to the system, everything's just going to work like a charm. Because Python's installed on most Linux-based things because we like to run Python, but in that it does the first update.py writes another Python script to the following location, site-packages/system.pth. Says this Python script written to system.pth Base64-encodes an embedded Python script and executes it. Yay. We do love to see some Base64 encoding. This is common. I was at BSides not too long ago and I was asking some developers, do we see regular developers like just Base64-encoding a bunch of stuff? I know I do it for the purposes of getting around and being obfuscation or doing obfuscation and being stealthy. You can't just easily look and see, you just see some Base64 encoded. And I'm like, would that in and of itself not be because the only reason I Base64-encode stuff is for the purposes of, well, I do it for two reasons. To make it easy inside of the, sometimes using single quotes and double quotes, and when there's multiples of those inside of like a block of code, it can get really like janky and kind of break on you. So you just Base64-encode that whole thing and go, here you go. And then you don't have to worry about it anymore. And once it decodes it, it can then run all that stuff without a problem. So that's reason one, why I would do that. Reason two, it's good for obfuscation. You can't just look at it and see that it's something malicious. It's a Base64-encoded string. And they were like, yeah, coders do it all the time for like one of the reasons that I was saying it can get really janky trying to build, you know, command structure. You want it to do stuff when you have a bunch of different like nested single quotes and double quotes going on inside of your code. 
So yeah, we see this a lot, for both the reasons of obfuscation and just coders like to do this. So it's not necessarily a bad thing, it's just a thing, but they are obviously doing it for this, right? [00:48:10] Speaker A: You can use it for good or evil, but in this case it's obviously not being used for, for a great purpose. And this, this file has multiple layers, so this is really just the first part of what happens, right? [00:48:20] Speaker B: That's exactly right. Once it decodes all that, that Base64-encoded badness, this is the Python script run by system.pth, has a function, dunder main, that will run in a thread. This function first reads the contents of the following file and it goes for the bootstrap.min.css, which we saw in the graphic from Volexity. Then it enters an infinite loop, iterates once every 2 seconds, reading the following file, which is sslvpn_ngx_error.log. And it is looking for a certain thing and it is using this endpoint here with what looks to be some regular expression. And if you scrutinize this regular expression a little bit, you can tell that it's looking for Base64, right? And Base64 because it's looking for characters A through Z, upper and lower case. It's looking for characters zero through nine. It's looking for the plus character and the equals character, and also the forward slash character. Those are all the characters that are used within Base64. So it's saying, hey, if you regex on this, then you know you found Base64. And that's exactly what I'm looking for. Right? It says the above regular expression matches Base64, contents will be decoded and the command will be run. Yay. The lines of the sslvpn_ngx_error.log file that do not match the regular expression are written back to the file. So it's basically going, okay, I wrote something bad into this log file. I now need to remove that so that there is no indicator of compromise from that vector. So they're cleaning up after the, they're cleaning up. 
They're covering their tracks, smart as they were. I think they even changed the timestamp of the original as well, as you can see. Yeah, it'll run these functions called Restore. Restore function takes the original content of the bootstrap.min.css file as well as the original access and modify times, sleeps for 15 seconds, and writes the original contents back and changes the modified times. The original times. Very, very good tradecraft there. So once that's done, honestly, they've, they've got that backdoor kind of running. It's got a slightly different URL for. We observed the threat actor running another command to receive commands from a slightly different URL as the cron job backdoor. So just different variations on a theme here. So you just want to kind of grab these IOCs and if you're running a Palo Alto device that has these PAN-OS versions that are susceptible to this, this is definitely something you're going to do with your threat hunting. [00:50:50] Speaker A: And there were several hotfixes released for those versions of PAN-OS that were affected. So basically what Palo Alto is encouraging people to do is strongly advising them to immediately update to a fixed version of whatever operating system you're running, whatever PAN-OS you're running, whatever version. So it's good to know that they were super quick about getting a fix or a couple fixes released for this issue. And hopefully, you know, people are seeing that notice and if they are affected getting that update. [00:51:14] Speaker B: Yeah, I think both the Volexity and of course all the links are in the description down below. So you want to kind of check this out. I think both Volexity and Palo Alto Unit 42 have like, mitigations, workaround fixes and, and kind of keeping you up to date on these two pages on what you should be doing if this is a problem for you. [00:51:32] Speaker A: Yeah, absolutely. We like to, like to end our deep dives. 
On that note, you know, ask your doctor if this solution is right for you. Give you a little bit of a fix, a little bit of hope that they have released some fixes. For now, we do have another deep dive we're going to get into, another one that might have popped up on your radar this week. This one we're going to pull from Claroty, I believe that is how you pronounce it. They're the ones that have kind of been covering this. Rottie, clarati, blood clotty, clarati.

[00:51:54] Speaker B: That's right. Put the emphasis on the syllable.

[00:51:59] Speaker A: They've got this breakdown here: Unpacking the Blackjack Group's Fuxnet Malware. We will call it Fuchsnet. That is how we are choosing to.

[00:52:08] Speaker B: Even though it's based on... the idea is similar to Stuxnet. That's what we have with Fuxnet.

[00:52:16] Speaker A: We don't.

[00:52:17] Speaker B: Fuchsnet.

[00:52:17] Speaker A: We don't want this video to get taken down.

[00:52:18] Speaker B: No, we're trying to keep it friendly here, keep it for the kids, that's right. Earmuffs for me, kids.

[00:52:24] Speaker A: Kids that are following along with a breakdown. So this one, obviously, Stuxnet, I'm at least somewhat familiar with. But this particular one, Fuchsnet, I didn't have a chance to go as deep on. So what was it about this one that stood out to you?

[00:52:39] Speaker B: So, what I thought was cool about this, I say cool, I mean, it's just something different. We don't see this every day. Obviously, when we do deep dives, it's typically about malware or a specific breach. And this is a breach, but it's against systems that we don't see every day, especially with this level of detail, because the... what is it? The ruexfil site, or the hackers. They're quite verbose about what's going on. They're kind of blasting it on the airwaves. They actually have a website that you can go to if you want to see that.
It's right here: ruexfil.com, forward slash mos. And if I click on that, let me kind of let that pop up. Here's all the data that they found, in a very simple "The Moscollector takedown, 9 April 2024." And they're going after Russia's industrial sensor and monitoring infrastructure, and they have apparently successfully disabled it. There's a lot of proof, quote unquote, in here where you can click on access to 112, or the 112 emergency services. Kind of think of that like our 911. Their version of our 911 is 112, I guess, in Russia. 87,000 sensors and controls have been disabled, including airports, subways, gas pipelines, et cetera, et cetera, et cetera. They have a couple of YouTube videos showing that they were able to accomplish the upload of their malware. And it's just very interesting, the fact that this is against ICS, SCADA, critical infrastructure. That is something you do not see every day.

[00:54:24] Speaker A: Well, it does say that at least these folks were not able to confirm all of the attackers' claims or whether it has had a big impact on the Russian government's emergency response capabilities, because that was, I guess, the end goal here. But they were able to kind of go in and break down the malware itself, the Fuchsnet malware, and the claims that were made. So they don't have 100% concrete proof that this happened. But based on those claims, it's kind of scary.

[00:54:46] Speaker B: Yeah. It's just really interesting. And I thought that Claroty did a really good job of kind of walking you through it. So if you're new to the ICS, the SCADA, the OT world, and it's something that maybe is on your horizon as far as security, this article is going to point out a lot of the reasons why those industries are ripe for attack, and the fallout that can occur because of the systems that are being gone after.
So again, let's take a look at some of the claims that are included in this hack. They say they gained access to the emergency services number. They were hacking and bricking sensors and controllers in critical infrastructure, including airports. Right. We saw subways, gas pipelines, all of which have been disabled. What do these sensors do? All sorts of stuff. And they're meant for safety purposes, usually. Or are they? A lot of them are, let's put it that way.

[00:55:43] Speaker A: Yeah. Fire alarms, things like that.

[00:55:44] Speaker B: Right. If nothing's being reported... Now, if you go back to the idea of Stuxnet, if you're not familiar with Stuxnet, it was, I think, a collaboration between the US and Israel to damage or defeat the Iranian nuclear program. This happened quite a few years ago at this point, but they were able to destroy nuclear centrifuges that are critical in the production of useful plutonium and uranium for nuclear production, right, of nuclear weapons. They were able to destroy those things, and they modified the sensors to not report back the fact that something was wrong. They reported back all as normal. I believe that's kind of what they're going with here, actually. They just did a lot of disabling, if I'm not mistaken. Yeah, because it says right here: disabled network appliances such as routers and firewalls, deleted servers, workstations. This was scorched earth. Right. They just went, let's just kill everything. I don't care if they know about it. 30 terabytes of data was wiped, including backup drives. They disabled the Moscollector office building. All key cards have been invalidated, and dumping passwords from multiple internal servers. So, like I said, this was kind of a scorched earth approach. And they had these proof things, which I really liked there. So they have this kind of ace of spades hoodie hacker. I was like, that's clever.

[00:57:05] Speaker A: That's kind of neat.
[00:57:05] Speaker B: Yeah, because they're called Blackjack.

[00:57:07] Speaker A: I see.

[00:57:08] Speaker B: That's the hacking group. So that's a really cool logo. Good for them. But this was proof that they were able to hack into and successfully take over a terminal in one of these buildings.

[00:57:20] Speaker A: Now, I don't want to say anything too controversial here, because I know some of this is still up for question, but if this is something where, you know, these alarm systems are being affected, things like fire alarms, right, it's supposed to alert you if there's a fire in the building. Let's just say, for example, that's affected. You're not alerted to a fire, people could die. Does this count as cyber terrorism?

[00:57:37] Speaker B: So they're in the middle of an actual hot war. So I don't know. That's a tough one.

[00:57:44] Speaker A: It's just an act of war at that point.

[00:57:45] Speaker B: Yeah, I guess it depends on what side of the fence you're standing on.

[00:57:47] Speaker A: That's true.

[00:57:48] Speaker B: Right.

[00:57:48] Speaker A: That's a good point. Yeah. Because the way that I understood cyber terrorism is, if it causes harm to human life and limb, then... But I guess it does depend on how you're looking at it.

[00:57:56] Speaker B: Yeah.

[00:57:57] Speaker A: Like I said, I don't want... terrorism.

[00:57:58] Speaker B: Usually done when you're not in hot conflict with each other. It's kind of, uh... We're not a state. I think that these... Is Blackjack state sponsored?

[00:58:09] Speaker A: Good question. I don't...

[00:58:10] Speaker B: I didn't see whether or not they were state sponsored, but typically believed...

[00:58:13] Speaker A: To be affiliated with Ukrainian intelligence services. Believed to be, yeah. So, okay. Okay, I see.

[00:58:18] Speaker B: Because of its close association with the Ukrainian government, going after critical infrastructure of the Russian government.
Right. This seems more like just cyber warfare, which is another interesting point that kind of comes up from this article: that this is the horizon of warfare. Yeah, we are seeing that while, yes, they are shooting guns and bombs and all that other stuff, which is horrible, they're also going after those digital...

[00:58:49] Speaker A: Right.

[00:58:50] Speaker B: Battlefields.

[00:58:51] Speaker A: You can't discount cyber attacks.

[00:58:52] Speaker B: Yeah.

[00:58:52] Speaker A: In that context, because it can be just as bad. You know, it can also have serious effects.

[00:58:55] Speaker B: And this isn't the first time we've seen this in this conflict either. So we have to expect that as we move forward from this date and time, it doesn't matter what warfare is going to occur. Any kind of conflict that happens, you have to expect it to bleed over into critical infrastructure, to see attacks coming in. That is no longer like, well, you know, that could happen, but probably won't. It's more likely than not at this point, I think.

[00:59:22] Speaker A: And they did go into detail about a lot of the different devices that were targeted or that may have been affected. But then also it says when one connects to the gateways via SSH, they're greeted with a notice that includes the default username and password. The attackers released JSON files with information about these gateways, including device types and names, IP addresses, communication ports. So a lot of information that was available that they showed.

[00:59:43] Speaker B: I love this part. Right. So these devices have SSH enabled on them. So there's problem number one. Right? Problem number one. Sophia, can you answer for a thousand points? Critical infrastructure. I thought it was supposed to be air gapped. How are they gaining access to these things?
[01:00:06] Speaker A: Well, yeah, I mean, if it's something like this, you shouldn't be able to access it through the Internet, right?

[01:00:11] Speaker B: Correct. Ding, ding, ding, ding, ding. They connected it to the Internet. That's the problem. I think that they were using a specific IoT router that has 3G, 4G connectivity. So it has cellular capabilities, which gives it access to public networks.

[01:00:28] Speaker A: Why? Wonder what the motivation was there.

[01:00:30] Speaker B: You can remotely administer these things so that you don't have to go out into the field. It's all about ease of administration. Yes, ease of administration. The sliding scale comes back every time, doesn't it? Right. It's always there. So that was step one of problems. And then there were other ways in which they were connected to networks that were connected to the Internet, which gave people access. Step two: just by the fact that I'm going to try to connect to it, it gives me a banner with the username and password, which are default, which they were able to successfully leverage to gain access into these devices. Yeah, that's a problem. So we're connecting IoT, or not IoT, I'm sorry, OT, and technically I guess IoT as well, or IIoT I guess it is, devices, OT, SCADA, ICS systems, to the Internet. Problem number one. Problem number two, we're using defaults. Right. Hello. Like, don't do that. That's just the lowest level of security.

[01:01:34] Speaker A: Yeah.

[01:01:35] Speaker B: That you could think of is just change those default usernames and passwords so you can't just gain access to them.

[01:01:40] Speaker A: This group was looking for Internet-exposed IRZ devices. They show that Shodan, which is something I've used before on shows and stuff, discovered thousands of devices, most of which are located in Russia, and currently around 4,100 IRZ routers that expose their services to the Internet directly.
And of those, around 500 of them had Telnet enabled. And I thought Telnet was like, you don't use Telnet if you don't have to.

[01:02:00] Speaker B: Nope.

[01:02:00] Speaker A: That is like, you stay away from Telnet at this point.

[01:02:02] Speaker B: Yeah. Well, that just goes to show you how critical infrastructure, OT, ICS, SCADA systems, a lot of them are developed without security in mind, because who's going to touch this? And I believe the M-Bus communications protocol, that these are the sensors right here, that some of these sensors utilize, doesn't really have any kind of encryption or security built into it.

[01:02:30] Speaker A: Right.

[01:02:30] Speaker B: So it's easy to just, once you connect, you start throwing commands at the thing and it goes, okay, I'll do that. I found this one to be quite interesting right here. This is a gas analyzer that looks for carbon monoxide, carbon dioxide, yeah, oxygen, and something else, I forget which, in there. But yeah, it reports back whether or not those are too high, too low, whatever the case is, and then can alert the end user, the administrator, to a problem. Yeah, that doesn't seem bad.

[01:03:03] Speaker A: Yeah, if that's not working, then that's bad news.

[01:03:05] Speaker B: Oh, yeah, here it is right here. They got a big close-up of it, all in Russian. I don't... CH4, CO2, CO and O2. So oxygen, carbon dioxide. And that CH4 is something...

[01:03:17] Speaker A: Something.

[01:03:18] Speaker B: Hydrogen, carbon monoxide, or is that CO?

[01:03:20] Speaker A: No, that's CO. Yeah. Let's look for the common name. CH4 is methane.

[01:03:24] Speaker B: Methane. That's it. Yeah, yeah, yeah. Here's another. I think some of these are obviously sensors, and there were also RTUs, remote terminal units, that they were able to gain access to. So really, really big time. So this is a temperature and humidity sensor.
It converts the physical values of temperature and humidity into a digital signal and transmits them to the sensor gateway. So I think that was one of the big things that we can learn. While you might not agree with the politics, I'm removing the politics from this and just looking at the security of it. And what it's centering on is how they were able to basically cripple their critical infrastructure with SSH, Shodan...

[01:04:12] Speaker A: Yeah.

[01:04:12] Speaker B: And some really well-crafted scripts that just said, kind of destroy these things. They... I think they destroyed the NAND chips that are on a lot of these things. That's the non-volatile memory, so even if you lose power, it continues to hold information. And they just wrote to those chips over and over and over and over and over again until they weren't writable anymore, because they only have so many read/writes before they go bye-bye. But it's not typical that you would do a lot of rewriting to those chips, so they should last a very, very long time. Their script said, nah, I got a better idea. How about we write a lot? I mean a lot lot. And then once it stopped responding, cool. I guess you don't work no more. And it bricked the device. Or they would flood the network with information and requests, basically denial-of-servicing it. And then they would turn off all the remote services. So even if it was fixable, you can't log in to fix it.

[01:05:03] Speaker A: Right, right.

[01:05:04] Speaker B: So lots of, like I said, it was a scorched earth policy of what was going on. And then there was so much that was released. If you go to the ruexfil site...

[01:05:15] Speaker A: Yeah.

[01:05:16] Speaker B: You can kind of scrub through and look at a lot of the PNGs and the JSON data that they released, and passwords, usernames, all sorts of data dump going on in there. To have free access to that kind of stuff is just really interesting, to be able to look at this.
We can see some of the JSON information. So 424 devices that use the MPSB, the sensor gateway. Then you got the sensor gateway modem, that was 93 devices. The 3G router, 93 devices. Some Windows 10, Windows 7 and Windows XP workstations.

[01:05:44] Speaker A: Only one device.

[01:05:45] Speaker B: Only one. Only one probably runs... It's probably the main server.

[01:05:49] Speaker A: Yeah, that's the big target.

[01:05:52] Speaker B: This is the big dog right here. If that XP system goes down, we are hosed.

[01:05:56] Speaker A: Because I guess, yeah, I mean, truthfully, that is the case sometimes with this critical infrastructure stuff: it runs on older systems. Right. Because to update or upgrade would require you to shut everything down, right? So you can't really do that, which is why things are air gapped, usually, right?

[01:06:11] Speaker B: Yeah, absolutely. Because if they go down, things go bad. Another interesting thing, we got a screenshot here, and you can look at this, in that you can actually see screenshots of how... I don't read Russian, obviously, but they're kind of giving you some idea of this. This is the Kansky district right here. And it looks like they've got Cisco, looks like some type of server or something that's going on here. We've got some IP phones maybe, and things that are just... You normally wouldn't be able to see this kind of stuff, but because they made all this public, you have access and you can look and see what this kind of data breach looks like.

[01:06:50] Speaker A: This is something that I do want to mention again. They make sure to say that Blackjack's alleged attack against Moscollector, other than the information leaked by the hackers themselves, the hacker himself, herself, itself, they, and yeah, themselves, they themselves, and published reports from Ukrainian media, they can't 100% confirm, but they were able to go and analyze this Fuxnet malware, because that does exist.
That is a thing. And there may be more details about this that come out in the coming weeks or months, and hopefully it's not anything terrible. I mean, but removing any of the political from it, just technically this is an interesting thing to look at.

[01:07:29] Speaker B: It's really interesting. So I would definitely look through some of those screen captures and data information on the mos website there. So definitely check that out. There's a lot of it already here in this specific article. So if you don't want to go over there, you don't have to. A lot of it is within the Claroty article. They make sure to put all the really cool bits in there for you. And of course breaking down how it works, and destroying the NAND chips, and they show you some code where it's basically just doing bit flipping to make that occur. Destroying volumes of the actual file systems themselves. File system goes bye-bye. Hard time doing anything, right?

[01:08:10] Speaker A: Gonna have a bad time.

[01:08:11] Speaker B: Yeah, you're gonna have a bad time. So you can kind of look at these pieces of code that make this happen. We got the denial of service. Start to look at some of the actual devices themselves and the serial buses. It's just all really cool stuff. We could never go too deep into this. This would be like a series of Technados really tackling this, but kind of giving you the highest high level with some detail bits should get you flying. And really cool stuff.

[01:08:35] Speaker A: And all this stuff is of course in the description. So if you do want to go in and really get into the nitty gritty of it and the details, those article links will be available there for you. And this is Claroty again, thanks to them for breaking this down. But yeah, hopefully you enjoyed some of these deeper dives that we do here on Technado, especially that Palo Alto one, because it is something that was huge news this week. I feel like I saw that everywhere.
So hopefully you enjoyed. If you missed last week's episode, we were actually at the Kennedy Space Center at HackSpaceCon. That was a lot of fun, but we are glad to be back home in our home studio, I guess. The Don studio. Studio Don is what they call it, I guess.

[01:09:08] Speaker B: Studio Don, in loving memory, the Technado studio.

[01:09:11] Speaker A: He's not dead. He's just not here right now. Like a banner, moment of silence for Don.

[01:09:17] Speaker B: Yes.

[01:09:18] Speaker A: Maybe he'll be back at some point, I'm sure.

[01:09:20] Speaker B: Yeah, we'll have him.

[01:09:21] Speaker A: It's just he's a busy guy, but we...

[01:09:22] Speaker B: Super busy.

[01:09:23] Speaker A: Crazy, crazy busy. So we hope that we can have him back on at some point as a special guest here on Technado.

[01:09:28] Speaker B: All right, wrap it up.

[01:09:29] Speaker A: Yeah, we'll wrap it up because we've taken enough of your time. Thank you so much for sticking with us through this episode. Once again, don't forget, you can use that code, Technado30, for a discount on your ITPro membership. Thanks to our sponsor, ACI Learning. Thanks so much for joining us. We'll see you next week for more Technado. Thanks for watching. If you enjoyed today's show, consider subscribing so you'll never miss a new episode.