358: New Android Banking Malware! (It Tracks EVERYTHING)

Episode 357 May 02, 2024 01:10:52
Technado

Show Notes

Patches abound on this week's Technado! In our Rapid Fire segment, we kick things off with the UK ban on weak default passwords. Then, a warning from Okta on cred-stuffing attacks, and a critical bug in R that exposes orgs to supply chain risks. Collection agency FBCS got pwned this week, with millions of records being exposed - but in happier news, the Japanese police are starting a new effort to keep elderly citizens from falling prey to payment card scams.

The ArcaneDoor campaign against Cisco firewalls was a big story this week, as was yet another WordPress plugin vulnerability - and in this week's D'oh! segment, the popular iSharing app was found to be sharing users' locations (even when services were disabled). Finally, in our deep dive, we take a look at new Android banking malware Brokewell.

Like what you heard? Take a look at this week's articles:

https://www.theregister.com/2024/04/29/uk_lays_password_legislation/
https://thehackernews.com/2024/04/okta-warns-of-unprecedented-surge-in.html
https://www.darkreading.com/application-security/r-programming-language-exposes-orgs-to-supply-chain-risk
https://techcrunch.com/2024/04/24/security-flaws-isharing-tracking-app-exposed-millions-precise-locations/
https://www.techradar.com/pro/security/collection-agency-data-breach-affects-millions-of-users
https://www.bleepingcomputer.com/news/security/japanese-police-create-fake-support-scam-payment-cards-to-warn-victims/
https://www.msspalert.com/news/cyber-spies-burrow-into-cisco-firewall-platforms-in-zero-day-exploits
https://arstechnica.com/security/2024/04/hackers-make-millions-of-attempts-to-exploit-wordpress-plugin-vulnerability/
https://www.threatfabric.com/blogs/brokewell-do-not-go-broke-by-new-banking-malware


Episode Transcript

[00:00:04] Speaker A: You're listening to Technado. Welcome, and thanks for joining us for this episode of Technado. Before we jump in, quick reminder, we're sponsored by ACI Learning, the folks behind ITPro, and you can use that code, Technado 30, for a discount on your ITPro membership. I'm Sophie Goodwin, and I'm one of the hosts for this lovely little podcast that we do, and I'm looking forward to today. We're already having a great time. We like to cut it up in the studio a little bit before we start. Daniel, are you having a good morning so far?
[00:00:28] Speaker B: You know, I was feeling horrible at first, and then I got me a little bit of the old energy drink, and now I'm feeling pretty good.
[00:00:33] Speaker A: The ingredients in those things are horrific.
[00:00:35] Speaker B: Oh, it's going to kill me.
[00:00:35] Speaker A: Yeah, yeah. But I. But I do still drink them, so, you know, I can't really complain. I chugged a Celsius before this, so I have no room to talk. We. We have quite a few articles we're going to try to get through today. We've got, of course, our regular Rapid Fire segment, and then we'll have a fun little deep dive into some banking malware. So that's always fun. Uh, first, you know, let's just. Let's just go right into it, because we do have quite a bit to get into. This first one, uh, you may have heard of, especially if you're a resident of the UK. Uh, they're laying down some fresh legislation, and that is the article title. Laying down fresh legislation, just like, a sick beat. Banning crummy default device passwords. So this is something that. I mean, I don't know that it's, like, unprecedented. I don't feel like this. This is gonna happen eventually. I feel like. I'm curious, though. Do you think that this is, like. We are. It's good. They should have banned it or. No, it's your right to make a crummy password if you want to.
[00:01:21] Speaker B: Yeah, that definitely. Let us know in the comments what you think about this.
This is. This is. This is great fodder for hot takes right here. Right? This has got hot take written all over it. But it is an interesting conversation to have. Should the government come in ham-fisted, come down and say, listen, you make a junky password and you will pay the penalty by the full extent of the law. On one hand, it feels like, yeah, you know, come on in there and help us out. Obviously, we're not doing a great job, so now threaten us with some, you know, fine or whatever to make sure that we are doing this. Ultimately, though, do you. Is the. Does the government ever do anything very well?
[00:02:04] Speaker A: Plead the fifth.
[00:02:05] Speaker B: Yeah.
[00:02:05] Speaker A: Well, this is the UK government, so I can't really. I can't really do that.
[00:02:09] Speaker B: I don't. I don't live in the UK. I couldn't tell you anything, honestly. They have Parliament. What I understand, they wear those cool wigs.
[00:02:15] Speaker A: They do.
[00:02:15] Speaker B: Right. They got that going on for them.
[00:02:17] Speaker A: Sure.
[00:02:18] Speaker B: Sounds great. I don't.
[00:02:19] Speaker A: I don't know, like Pirates of the Caribbean every day over here.
[00:02:21] Speaker B: Yeah. But ultimately, let's, you know, having fun. Let's get to the topic at hand. So they have said, and don't, don't catch us wrong here. This is like your home computer.
[00:02:32] Speaker A: No.
[00:02:32] Speaker B: And if you. You have a crummy password on that there, you know, the Johnny Law is going to show up with his nightstick and cracking on top of the noggin.
[00:02:39] Speaker A: Right.
[00:02:40] Speaker B: This is for like IoT devices. And I want to say mobile devices. Didn't they give us a little laundry list of different things?
[00:02:45] Speaker A: It's like. It's like if you get a device.
[00:02:47] Speaker B: Smart TVs, home service. So entertainment devices, home surveillance, home appliances and wearables.
So entertainment devices being smart TVs, streaming devices, smart speakers, game consoles, smartphones and tablets with cellular connectivity. Home surveillance includes video doorbells, home security cameras and baby monitors. And then home appliances includes light bulbs, plugs, ovens, fridges, washing machines, thermostats and kettles. Wearables are fitness trackers and smartwatches. So a lot of devices here, if you're a manufacturer of said devices, and I think that's really where this kind of drops down to. It's not you as the end user, you can set any passwords you want. Right, right. But the default that it comes with by law can no longer be 12345. They have to set some much more difficult, unique password is what I'm taking from this. I could be wrong on that, but, you know, the 3 seconds I took to read this article that they must put, and I've had this happen. Right. Have you ever, like, moved or something or you upgraded your service or whatever, your router died and they give you a new one from your ISP, you look at the bottom, it's got some crazy password on it.
[00:03:57] Speaker A: Yes.
[00:03:58] Speaker B: That's basically what they're saying. That's a unique password, or it's supposed to be, and it's crazy. So it can't be easily guessed by attackers.
[00:04:06] Speaker A: Yeah. Yeah. I think you're right. It is something that initially it looks like, oh, you can't. It's banning simple passwords or whatever, which, I mean, hopefully you're using pretty complex passwords anyway. But no, this is hopefully, we hope, but this is something that applies to. It's more to like, businesses that are. That are shipping out these devices, which, I mean, I think it makes sense to. Again, I'd be curious to know y'all's takes on this about legislating this, but are, you know, making it legally mandatory. But I do think it makes sense.
And especially when they give examples like child trackers with passwords like 12345, somebody gets into that, that has serious implications. You know.
[00:04:41] Speaker B: You know what's interesting, though, is, like, what I didn't read is, do they mandatory change that? Because here's the thing. Most people don't change those default passwords. And therein lies the problem. So they're trying to cut the problem off by saying, well, we will make it a unique, difficult password instead of one of these janky passwords that everybody can easily look up. And that's what they're trying to avoid. They didn't want you just be able to go to Google and go, what's the default password for baby monitor blank? Right. Oh, it's one. It's password one. Cool. And now I can log in and watch someone's child sleep. And that's. That's not creepy at all. But people do it. It's weird. So they're trying to avoid that by saying out of the gate, but should we then come behind that? You know, what if that company has a data breach and those passwords gonna obviously be on a spreadsheet somewhere. Cause they can't help themselves but to document everything except for the things they need to document. It's weird how things work in the real world, isn't it, ladies and gentlemen?
[00:05:39] Speaker A: And on the other side of it, you know, maybe there are folks that think like, you shouldn't legislate this, but legislate this and start talking like Sean Connery. But on the other side of it, legislate this. The folks that think it doesn't go far enough, somebody had said they don't think that this goes far enough. It lags behind the recommended standards in Europe. So the European Telecommunication Standards Institute, I guess, has 13 standards and font. This is. Oh, yeah, no, you're right, you're right. Let me zoom. Yeah. Computer enhanced. So they will only require devices to meet three out of the 13. So this guy who works at this company here, Tim Calhoun for our listeners.
For our listeners. Tim Callahan, chief experience officer at Sectigo.
[00:06:23] Speaker B: Sec two go.
[00:06:23] Speaker A: I don't know.
[00:06:23] Speaker B: I like sec two go better.
[00:06:24] Speaker A: Octagon.
[00:06:25] Speaker B: Yeah.
[00:06:25] Speaker A: Anyway, so this guy, this chief experience officer has. This is his opinion on this. That doesn't go far enough. They need to be mandating more. I guess. So. I guess it's an opinion thing. But it's interesting to see that my first instinct was, oh, I wonder if people will be upset that, hey, you're reaching your hand.
[00:06:43] Speaker B: Here's where we could just easily kind of push this off the table is use your crap password and then mandate that the user, when it goes, they go to log in for the first time. Once they use that default crap password, it is you must change it and. Or you go no farther. Right. Do not pass go, do not collect $200. It is now mandated for you to change it. And now it's changed. Default is gone. It's now something simpler. Make a very simple password policy app or whatever, inside of. Inside of the code of the password changing device and make it say, oh, that's not complex enough. Please try again. Right. And give them. I know they'll be frustrated. Ultimately, that frustration will. We'll go ahead and go away and it will be much less than the frustration of, oh, no, I got breached.
[00:07:32] Speaker A: Yeah.
[00:07:33] Speaker B: Right. So it's just that simple.
[00:07:34] Speaker A: Just that simple.
[00:07:35] Speaker B: That's where I would go with it. I'm sure there's plenty of, like, you know, things I'm not thinking about with old Daniel.
[00:07:41] Speaker A: Well, sure, yeah. We also don't live in the UK, so I'd be curious to know. I mean, even if you don't, I'd love to know your opinion on it, but especially if you do, if this is something that. Yeah, that is true. We do. I need the bald eagles.
[00:07:52] Speaker B: Yeah, I was about to say, can you cue the.
[00:07:54] Speaker A: Which. Apparently, when you hear that sound effect a lot, it's not actually an eagle. It's like a hawk. Eagles don't really sound like.
[00:07:59] Speaker B: They don't really sound like, apparently.
[00:08:00] Speaker A: So I've heard.
[00:08:00] Speaker B: Yeah, they do have a sound, but.
[00:08:02] Speaker A: They do. But it's a little bit weaker. But that's not as cool. You know, you need the screeching. Cause it sounds like freedom.
[00:08:07] Speaker B: Right. Well, anyway, so, yeah, Texas Law Hawk. That junk is funny.
[00:08:10] Speaker A: The Texas Law Hawk, he's a lawyer.
[00:08:12] Speaker B: Yeah. And he made these commercials. He was like a young guy. It was very funny.
[00:08:15] Speaker A: Oh, okay. I'll add it to my list of things that you need me to watch, things that I'm supposed to watch.
[00:08:19] Speaker B: You're welcome.
[00:08:20] Speaker A: But moving through the rest of these articles, this next one, I saw this in quite a few different news sources, so figured we'd throw this one in here. Okta warns of unprecedented surge in proxy-driven credential stuffing attacks. And that is a lot of words. So this is something that, it comes on the heels of another advisory from Cisco that hinted at something similar. So there's been a spike in the frequency and scale of these credential stuffing attacks, and that's a little scary. So just, just a tad. Just a ten.
[00:08:46] Speaker B: Yeah. Well, we like credential stuffing attacks if we're attackers because they tend to work a lot. And this, this kind of is actually a really nice segue away from default passwords into passwords that you and I make and use in our day to day life. So for those of you that need to get up to speed on credential stuffing, you're like, Daniel, I know what credential stuffing is, but for those rest of us that haven't really caught on to that concept, could you. Yeah, sure.
So credential stuffing is where I, as an attacker, look for passwords that have been used in other breaches or that I have harvested from other users, from other sites and go, you know what? If user X here is using Spring2024! as their password for Facebook or whatever, Twitter or whatever they're using, I guess it's X now. I wonder if they're using it somewhere else. I'm sure that's not the case. Oh, look at all the things I can log in as that user because they use the same credentials in multiple different areas. So password reuse, that's basically what's happening here. I, as an attacker, would be exploiting the vulnerability of you, the user, reusing your password in multiple different places. This is why we like password managers, ladies and gentlemen, because take, you take that old password manager, you go, hey, generate me something unique and difficult of this strength and magnitude and then save all that. And I don't have to. All the password I need to know is my password manager password, which should.
[00:10:15] Speaker A: Still be complex, but you should be able to remember it, right?
[00:10:17] Speaker B: Correct. That would be the one that you, you have to, like, spend some time and effort on creating a nice, secure password because that's the keys to your electronic kingdom, right? So definitely spend time to make that a very. And you can use AI and other things to help you generate that thing. Once you've got it, though, everything else should just be random fodder that I don't even know. Gun to my head, I couldn't tell you what it is to get into my bank account. I don't know, legit.
[00:10:41] Speaker A: I literally have no clue.
[00:10:42] Speaker B: No clue. Right. So that's, that's what's happening. People are reusing those passwords and they're going after like SSH logins and VPNs and all these different services that are Internet facing to gain access into these systems using credentials that they gathered from other places.
[00:11:00] Speaker A: And something that they said was unique about these. All the recent attacks that Okta has observed rely on requests being routed through anonymizing services such as Tor, or anonymizing if you're, if you're French. And the variety of them were also routed through residential proxies like NSOCKS, Luminati and DataImpulse. And some of those I have not heard of. But it seems like that's the common thread here with these credential stuffing attacks that they've seen recently. Now rely on requests being routed through services like Tor. I guess my question would be, what's significant about that?
[00:11:30] Speaker B: So the significance of that? It becomes difficult to block. Oh, right. So if I'm getting, if I'm routing through a residential proxy or the Tor network, do you, do you block that whole IP range? Because you don't know, and then you got legit residents that are now being blocked that can't access it. That's the problem with the difficult. That's why they're using it. A, it anonymizes who they are. They now have a veil of secrecy layer to work through, and then it makes it really difficult to block because you don't know who they are. Right. So it's a one-two punch of making it difficult. So now you have to start like inspecting traffic, we start slowing things down. And then if there's any kind of encryption on top of that, then it's like, well, I don't even know what this does anyway. I just know that it's encrypted traffic. So this is, uh, why you are seeing that. And of course, the attackers are completely hip to this. They say, oh, if I want to start running a brute force. So with credential stuffing, it's, it's much better than traditional brute forcing because it's a, it's faster because you're only using the passwords, you know, are legit for that user. So you're much less likely to hit like, um, password caps. Oh, oh, you've typed in the password incorrectly X amount of times, and now there's a lock on the account.
So you're less likely to hit that with credential stuffing because you're fair. Yeah, I'm only trying maybe two or three or maybe five passwords or whatever the heck it is that I've got for that user. And unless the security is very, very tight on password errors, then you're probably going to be sailing, because the normal user is going to log in, they're not going to see. They're not going to be alerted to anything because of the fact that they're not locked out. That's one of the great things about password lockout policies. If I sit down at my computer, go to log into my bank account, and it goes, you have incorrectly typed your password too many times. I go, you mean one?
[00:13:23] Speaker A: Yeah, that.
[00:13:25] Speaker B: That seems wrong. Then you call the bank, hey, blah, blah, blah, crap. And, you know, that starts that incident response much quicker. Now you don't have that because things aren't getting locked out. At least it's happening less.
[00:13:38] Speaker A: Sure, yeah. It's not totally gone, but you're right. It's less common now.
[00:13:41] Speaker B: Yeah.
[00:13:42] Speaker A: Now, Okta specifically talks about an uptick they noticed in, like, the last week or so of April. But like I said, Cisco had also released an advisory about this, about something similar, global surge in brute force attacks targeting a lot of, like, VPN type services. But they said the same thing. All appeared to be originating from Tor exit nodes and other anonymizing tunnels and.
[00:14:02] Speaker B: Proxies coming a lot from mobile devices, too. I saw. That was big dang.
[00:14:05] Speaker A: And this was back in March. This was early March, so mid-March. So this recent advisory from Okta is just here at the end of April. I guess we're in May now. Happy, happy May Day.
[00:14:13] Speaker B: The accordion has caught up with reality, huh?
[00:14:15] Speaker A: Yes, exactly. Yeah. Time moves too quickly.
[00:14:18] Speaker B: Yeah.
[00:14:19] Speaker A: So it's just interesting to see that this has been ongoing for a little bit, and we continue to see these types of attacks increase.
[00:14:25] Speaker B: So enable that 2FA. It's much better than not having it.
[00:14:29] Speaker A: Oh, yeah. Maybe it won't prevent everything, but it sure will catch a lot.
[00:14:32] Speaker B: There's ways around it, but it's still a worthy endeavor. Ultimately, I think, like, the best thing you can do at this point is, like, a FIDO key. Like, a YubiKey.
[00:14:41] Speaker A: Well, yeah, I think with a lot of those security measures, like, there's always gonna be a way around it, but, like, you. You can pick a lock. It doesn't mean you shouldn't lock your door.
[00:14:47] Speaker B: Exactly. It's all about making that layer of defense, making it as difficult as possible. They want in, they're gonna have to work for it.
[00:14:54] Speaker A: Build a moat around your house.
[00:14:55] Speaker B: That's right.
[00:14:55] Speaker A: Build a wall.
[00:14:56] Speaker B: Nothing wrong with that.
[00:14:57] Speaker A: Put a hedge in place. I've got one to deter. I'm sure you do. We'll go ahead.
[00:15:01] Speaker B: These crocodiles were difficult to get in there. I'm not gonna.
[00:15:03] Speaker A: Yes. Yeah. Cause they're not native to this area.
[00:15:05] Speaker B: And they're not nice.
[00:15:06] Speaker A: It's tough. Gotta go down to the Everglades for that.
[00:15:08] Speaker B: Yeah.
[00:15:09] Speaker A: This next one comes to us from Dark Reading. R programming bug exposes orgs to vast supply chain risk. And R, of course, is a pirate's favorite programming language.
[00:15:17] Speaker B: Yeah.
[00:15:17] Speaker A: I'm just kidding. It's.
[00:15:18] Speaker B: But. Oh, it's C. It was a horrible drink.
[00:15:20] Speaker A: Yeah, well. Horrible. Yeah, you're right. So this was something that stood out to me about this. Let's see if I can find the score. 8.8 out of ten.
Now I saw this and I was like, oh, well that's not that bad.
[00:15:31] Speaker B: Only I like how you're thinking, 8.8 is not that bad.
[00:15:33] Speaker A: We had seen like other stuff this week that was like, oh my gosh, it's a 9.9. It's a perfect ten. So then I saw that and relative to those, I was like, that's not that bad. But 8.8 is still really high. That's still. That's still pretty severe. So in this case, it involves R's process for deserializing data, or converting objects encoded in these formats back to their original form. Now Daniel, you are a little bit more familiar and well versed in programming languages and such than I am. So what is the significance? Well, more than me is not really, you know, it's not hard to do.
[00:16:03] Speaker B: You probably know as much as I do.
[00:16:04] Speaker A: I'll take that compliment and I won't push it further. But in your estimation, what is the significance of this and why is this a pretty high severity vulnerability?
[00:16:12] Speaker B: So deserialization attacks are kind of a problem, right? Because basically there are, and a lot of programming languages do this, right? They say, hey, I need you to kind of bundle up information into a pretty pink package with a bow on it. That way when I need it, I can pull the string on the bow, undo the package and go, hey look, there's the data I needed. Thank you so very, very much. We call that serialization. They say that packaging of that information. JSON is one way to do this, XML is another way to do this, and so on and so forth. Right? Which is why, if you're familiar with, like, external XML, external entities attacks, that's a deserialization attack. Python pickles is a deserialization problem because a pickle is serialized data in JSON format, if I'm remembering correctly, in the Python language. And that's not the problem, honestly. You know, serialize stuff all you like, it's fun. All the kids are doing it nowadays, why shouldn't you?
It's the deserialization is where we have a problem. When it goes, okay, let me undo this. This packaged up information. A lot of times you can just put code in there and it goes, hey, look at that. There's some code in here. I'll run it. You're like, I'm sorry, what? Why? Why would you run that? Because it's there and it looks like my code. So I'm going to do that. So that was the, that's the issue that they discovered with rust, is that has a serialization function that when deserialization occurs, it will arbitrarily execute code. That's never good.
[00:17:45] Speaker A: So it looks like it builds on something or it relies on something. A couple of fundamental concepts in R, a couple of things called lazy evaluation, which is kind of fun, and promise objects. And it looks like this means basically that R is not going to evaluate an expression until it actually has to, or when it's directly asked to. And this, in addition to these things called promise objects, have allowed for some tinkering, for some messing around. Uh, but if these are things that are fundamental to the, to the language R, how do you fix this?
[00:18:13] Speaker B: Yeah, so they do this kind of stuff to, to speed up performance. And typically when we are looking for ways to perform faster, better, stronger, we cut corners. And that corner cutting can lead to some issues, and that's what we're seeing here. So promise objects are like, like, it's almost like speculative execution. It's very similar in that, hey, I don't know what way you're going to go, but I have to, like, try to figure what's going to be the most likely, and then we're going to go with that. So you can, you can put stuff in there that's not necessarily going to be used, but if it is, there you go. So again, I'm not a programmer as well. I don't claim to be any kind of developer. I fiddle and tinker with this stuff so that I can build malware-like things to see if I can bypass antivirus.
So I'm not a proper developer that would understand the ins and outs of how this works, other than the fact that, as security minded folks, what I would do is tell anybody that has a shop. So if I was consulting for a firm and I say, okay, what's your tech stack? And they say, well, we use rust, I would go, okay, cool. You need to be aware that there is a serialization issue or a deserialization issue in rust. So ultimately, what can be done is if you're pulling from repositories, serialized data could be inside of some rust code that you pull from one of these repositories, which could contain malicious code. And then when you incorporate that into your code to do x, y, or z function, you could also be adding malicious functions as well that you didn't know were there. So you have to be very cautious about where you're pulling from. And not only that, but once you pull from it, that you've examined it to make sure that there's nothing hinky going on underneath the hood. So we've talked a lot about how that works with Python, right. With PyPI, where all these malicious actors are throwing up malicious packages that look like the real deal but have malicious crap in them.
[00:20:08] Speaker A: Right?
[00:20:08] Speaker B: Yep. Right. It's no different. Rust has their own versions of that stuff. Java has their own version of that stuff. It's. It's just same story, different chapter.
[00:20:16] Speaker A: Yeah.
[00:20:16] Speaker B: Right.
[00:20:16] Speaker A: Yeah, it does seem like, I mean, this is not the first time that we've seen something like this, and I'm sure it won't be the last. The only thing that I could see that was close to, like a, like, how do you address this, was a recommendation that you move to the latest version of R. So just make sure you're working in the latest version.
[00:20:28] Speaker B: So that means there's probably, like, an update to the code base that stops this from working.
[00:20:33] Speaker A: Right.
So if you're working in R, make sure you're using the latest version was.
[00:20:36] Speaker B: Really, you know, we say that for this kind of thing, but. And we go, oh, it's just that simple. Just go download the latest version of R. But if you've been building in another version, all of a sudden things are different. You might have to refactor a bunch of code.
[00:20:47] Speaker A: Yeah.
[00:20:48] Speaker B: And that's where it's a pain. Sometimes. It's just not as simple as hitting the update button.
[00:20:53] Speaker A: It's annoying. It's annoying. But, hey, security comes at a price, right?
[00:20:56] Speaker B: It does indeed.
[00:20:57] Speaker A: Sometimes that price is inconvenience. Well, we'll go ahead and move to our next article. There were a couple of breaches this week, and this is a pretty big one. So we're gonna make this part of a segment called Who Got Pwned? Looks like you're about to get pwned.
[00:21:08] Speaker B: Fatality. Yeah.
[00:21:11] Speaker A: Turns out a lot of people. There was a collection agency. There was a data breach of this collection agency that affected millions of users. Almost 2 million people lost their sensitive data. It was FCBS, I believe, FBCS, excuse me, Financial Business and Consumer Solutions, sent.
[00:21:24] Speaker B: Out a little cease and desist from FCBS right now. You mismatched our name.
[00:21:30] Speaker A: Yeah. Is that slander or libel, spoken?
[00:21:32] Speaker B: Yeah, if it's.
[00:21:33] Speaker A: I think it's slander.
[00:21:34] Speaker B: If it's slander, okay, it's printed. It's libel.
[00:21:36] Speaker A: I make no claims that I did that. I didn't slander them. FBCS sent a notification letter to affected customers saying that a bunch of this data was accessed for seven or eight days unnoticed. So they were, this was back in February that it happened, but they just sent out notice recently. So no word on who the attackers were.
But I believe there's some information maybe on some of what, some of the information that was taken. I know I had seen, like, a list somewhere about it was certain sensitive information. And when you're talking, looks like it's.
[00:22:06] Speaker B: Full name, Social Security numbers, birth dates, account information, driver's license numbers and ID cards.
[00:22:11] Speaker A: There we go. Skipped right over it.
[00:22:13] Speaker B: So, yeah, it was staring me right in the face.
[00:22:15] Speaker A: It was, yeah. I'm like, where did it go? Because I'm zoomed in, like, 200% on the screen.
[00:22:19] Speaker B: Yeah. It's funny, for those of you watching or even listening out there, like, we have these articles in front of us, and when we're live and talking, it can just become a sea of letters.
[00:22:28] Speaker A: Yes, yes, it does become a sea of text. It also helps that I can't read. So anyway, but during those two weeks, they did harvest a lot of sensitive information on those people. So they notified customers, let them know, which is good. I think that's a good. A good step to take.
[00:22:41] Speaker B: We're obviously in step one.
[00:22:43] Speaker A: Right?
[00:22:43] Speaker B: Right.
[00:22:43] Speaker A: Step one. Admit that there was a problem, but don't admit defeat.
[00:22:46] Speaker B: We don't admit that it was bad. We just admit that, hey, we, they. They could access some certain things. Now, they. They've obviously shown us a bit of, to the extent of what they think has been accessed, but it's probably worse than this.
[00:23:02] Speaker A: Well, yeah, that generally seems to be how it goes. It's, they tell you what they do know specifically and they give you a little bit of information. Well, well, this happened, but we don't think it's really that bad. And then a few weeks later it's like, remember that conversation is they, they.
[00:23:16] Speaker B: They haven't really gotten down the incident response rabbit hole quite yet, so we don't have any. What was, how, how did they get at. What was the initial access vector? Yeah, we don't have that yet.
[00:23:25] Speaker A: They don't know who the attackers were, how they got to it.
[00:23:27] Speaker B: Let's play a game, everybody. Let's have some fun. What do you think is the initial access vector into this organization? Right. Write your, write your answers in the comments below. Let us know what you think they did to gain access to this, because that's going to be fun to see who was right by the time. We'll have to keep an eye on this, obviously. And, well, obviously we could probably play this game for many. We probably could of the articles we're going to look at today. But what do you think it was?
[00:23:55] Speaker A: Yeah, well, so I read another story this week about, over in LA County there was a breach of some health organization and it was due to a, like a credential, like a phishing attack. There were like two dozen employees. We're not going to cover it in depth today, but it was like two dozen employees that fell victim to this and ended up exposing a bunch of patient information. So not like Social Security numbers, but like medical information, which is still not good. So I don't know, I feel like human error probably was a, was a factor.
[00:24:20] Speaker B: If I had to put my money on it, it would be phishing. Yeah, it was a phishing attack. Somebody got phished. Somebody got scammed via SMS or just straight up email or whatever. They clicked the link, they downloaded something that was dumb. They shouldn't have done it, but they did. And here we are today. Other things it could be, though, is it could be a zero day, right?
[00:24:40] Speaker A: Or be.
[00:24:41] Speaker B: It's unlikely, though. I gotta be honest with you. We'd be hearing about, like, if this was a zero day, it would probably be a little more like, whoa, zero day.
Found in whatever system they were using that allowed the access to it. But another good possibility could be that they had an unpatched version of some software. Right. Or, you know, the operating system or something to that effect on one of their edge devices. Who knows? [00:25:05] Speaker A: Could be. That could be. Yeah. My money's on it had something to do with somebody maybe clicking a link that they shouldn't have. But that's typically, that's just a safe bet. That's a guess. I don't claim to know this information. And for individuals that were affected, FBCS is providing access to credit monitoring services for the next year. So I mean, good on them for doing that, I guess. I feel like if they. [00:25:23] Speaker B: Got hit in the wallet a little more that they would, and don't get me wrong, security is hard, right, it can be difficult, but if they prove that they, you know, obviously an investigation must occur. If that investigation discloses the fact that they were doing something dumb, then they should pony up. I'm not saying they got to pay everybody like $100 or whatever. I mean, that would be pretty nice, but 2 million, that'd be $200 million, right? That would probably financially ruin them. But who knows? I don't know what their financials are. Here's a Starbucks card. Yeah, here's a free frappuccino on us for my bad, that you're now a victim of identity. [00:26:04] Speaker A: Some iTunes credits you can't use. Have fun. [00:26:07] Speaker B: Maybe not the credit monitoring, but because they're a credit collection agency, right. Yeah, maybe you gotta forgive the. Don't call me for six months or something. [00:26:17] Speaker A: Just forgive some of that collection debt. [00:26:20] Speaker B: Yeah. [00:26:20] Speaker A: So, yeah, this one is, you know, we hear about breaches like this sometimes and it's like, oh, that kind of sucks. 
And maybe it was avoidable, maybe it wasn't. Stuff like this is bound to happen from time to time, I think. But it'll be curious, or it'll be interesting, to see how this actually came about, and if we get any more information on this in the coming weeks. To move on to a little bit of a lighter note here, I think. I thought this was just such a neat story. So Japanese police are creating fake support scam payment cards to warn victims, and they're supposed to try to help combat some of the elderly citizens that maybe are falling victim to, hey, you need to go and buy these. Not iTunes cards, but stuff like that, right? [00:26:54] Speaker B: Apple gift cards. [00:26:55] Speaker A: Apple gift cards, things like that, right. And it ends up being a scam. So they go to these stores to buy these cards. So what they're doing is they're placing fake payment cards in convenience stores in Japan that have labels like "Virus Trojan Horse Removal Payment Card" as an alert mechanism, so that then when they go to buy these things, they can kind of be warned, I think, by, like, the cashier. Hey, you're probably being scammed. So I just thought that was kind of neat. [00:27:18] Speaker B: Yeah. I really like this article as well because, you know, Sophie and I kind of go through the list of articles that we think are worthy of putting on our little show here for all four of you that are watching. [00:27:28] Speaker A: Yes. [00:27:29] Speaker B: But, yeah, we do appreciate your viewership. Thank you for putting up with us, because we are idiots anyway. But this was, you know, I'm not saying it's going to be a super effective step, but they're trying something. They're thinking outside the box. And that's what I liked about this, was they're like, you know what? Let's just start trying things. Us sitting around and pontificating isn't really helping. We got to put some wheels on something. Why not this? Maybe it works, maybe it doesn't. 
Is that a good use of the Japanese government's time and money? I don't know. If it works out, though, it definitely can't be any worse than some of the other garbage we spend money on. That is true right there. So there's that. I don't find this either objectionable or offensive, so. [00:28:14] Speaker A: Yeah. And I can't imagine, I mean, I don't know how much this costs them to implement a program like this, but if all you're doing really is printing off some dummy cards. [00:28:22] Speaker B: Yeah. [00:28:22] Speaker A: And they do pay the employees or reward them, I'm assuming, financially, for participating in this, like, employees of these convenience stores for, you know, their participation in this program. I can't imagine it's costing them a terribly high amount. [00:28:34] Speaker B: $84 billion. [00:28:36] Speaker A: 84 billion. Wow. Wow. That's. That's. [00:28:38] Speaker B: At least if it was the US. I'll dish on the US government now. [00:28:43] Speaker A: Right, exactly. [00:28:44] Speaker B: Yes. If we were doing it, it's absolutely an $84 billion program. [00:28:48] Speaker A: Yes. Wrong country. [00:28:49] Speaker B: Yeah, yeah. We love to spend that money. [00:28:51] Speaker A: And the reason for the name being like, Virus Trojan, blah, blah, blah, blah, blah, is because I guess a lot of these victims are being told, hey, you have a virus. You've got a Trojan virus, and in order to clean it up, you've got to go and buy this card and send it to me and then I'll help you. So there were already a couple of people that had fallen victim to this, or that were going to fall victim to this, that were in the process of trying to buy these cards, and they were stopped. They were, you know, warned, hey, you're probably being scammed. So already it's seeming to help at least a few people. 
And then, of course, they can identify the victims, talk to them, and try to investigate the scams a little bit further, maybe track these people down. [00:29:22] Speaker B: So it'll be great if it leads to that, if it starts putting some of these, you know, total a-holes behind bars for scamming old folks and whatnot, and young folks alike. But they do tend to really target the elderly. [00:29:35] Speaker A: Sure. [00:29:36] Speaker B: Because taking advantage of their ignorance of digital systems and how they work to, you know, take their money. I mean, they're in their golden years, and you're stealing all the stuff that they've saved over a lifetime to help them see that out. Maybe pass that on to their children once they go. That's not cool, man, and then use those funds. Like, don't. I'm just gonna put it this way. Don't get in a room, four walls, with me if you're one of those people. We're gonna have a talk. [00:30:00] Speaker A: Yeah. [00:30:01] Speaker B: You know what I mean? I'm gonna write everything I got to say right there and give you a close-up look. Yeah. Make sure you get. [00:30:07] Speaker A: Several times very quickly. [00:30:09] Speaker B: That's right. [00:30:09] Speaker A: Somebody pointed out in the comments that, of course, like anything else, scammers adapt, and so they'll adapt to this, I'm sure. But if they stay on top of this, it could be pretty effective. So I'm curious to see if we hear any more about this or where this goes. But I just thought that was kind of neat. You know, maybe we'll introduce that segment, the lighter side. Right. It's like the opposite of grinds my gears. Makes me happy. [00:30:31] Speaker B: Yeah. Yeah. [00:30:31] Speaker A: Gives me a little bit of a smile. [00:30:33] Speaker B: Japanese government on this, we salute you. [00:30:36] Speaker A: Yeah, I'm not in the army, so I can't do that. I was never a Boy Scout or anything. I don't have the authority to do that. 
But switching back into some of the more scary stuff, this next one you might have heard about. Cyber spies hit Cisco firewalls in zero-day exploits. And there's another name that this is associated with. ArcaneDoor, I believe. Yeah. The campaign's being tracked as ArcaneDoor, so you might have seen that used in some headlines. But there's a couple of different flaws here that the threat actors used as zero days. These flaws right here. Denial of service and persistent local code execution flaws. No workarounds to either vulnerability to date. [00:31:07] Speaker B: You just have to update. [00:31:09] Speaker A: Just have to update. Just update. You'll be fine. [00:31:11] Speaker B: You can't mitigate this. You just update, and then that should help. So if you got an ASA or a Firepower Threat Defense device, the FTD. I thought that was a floral arrangement place, but, hey, I guess I was wrong. Apparently Cisco is going crazy. Did they get a cease and desist for using the same acronyms as. I don't know. [00:31:33] Speaker A: Good question. I don't know. [00:31:34] Speaker B: Yeah. Which one of those giants has the deeper pockets? Nah, nah, it's Cisco. [00:31:43] Speaker A: They did say they haven't identified, they being Cisco, the initial attack vector. [00:31:47] Speaker B: Yet again, what do we think it is? Obviously, it's got to be some zero day. [00:31:52] Speaker A: Sure. [00:31:52] Speaker B: Right? [00:31:53] Speaker A: Yeah. [00:31:53] Speaker B: Is this a post zero day? Like, are these things. I didn't read that, whether or not. So, what I mean is, you have a chain of events that occurs to a compromise, to a breach. Right. You have basically, like, recon, enumeration. Then you go to initial access, the compromise part. How do I gain access into the system? And then from there, once I gain access, I'm probably looking to pivot through the network. Right. And move laterally. And from there, I also want to gain persistence. 
I always want to kind of hang out. That's what we call post compromise. What do I do post compromise? How do I maintain that persistence? How do I then cover my tracks? These are all post compromise activities that occur. So is this a post compromise activity, or was this because they're. If they're saying we don't know how they initially gained access, I would assume so. And it does say that this zero day is persistent local code execution. So is this zero day what they're using to maintain their access once they've gained it? It does seem to be the case. [00:32:57] Speaker A: It does seem that way. I went to the Talos Intelligence blog just to look at the advisory. We won't go too in depth on it because we would be here all day. But they do have a little timeline of events here, and it says that they identified, or they were alerted to, suspicious activity early 2024. But evidence that this capability was being tested and developed as early as July of last year. So could have been that this is being kind of dabbled with for a while, and it's only. [00:33:23] Speaker B: They don't know how they gained access initially, though. [00:33:26] Speaker A: No, just that. [00:33:28] Speaker B: Yeah. Somebody clicked the link. In the comments, put the. [00:33:31] Speaker A: Somebody clicked the link. Isn't that always how it goes? Yeah, but there are patches available now, so, you know, update. And like you said, just update that. [00:33:38] Speaker B: That's really the only. What's interesting about this, obviously, this shows the level of sophistication behind the attackers, is that they went for these kind of edge DMZ devices for persistence, because it's not often that you log into these devices and look at the traffic, or the things in the process that it's doing. Not so with an end user. Right. 
If I attack your PC that's sitting on your desk or your laptop or your phone or whatever, if I'm doing things that cause crashes or just, you know, unstable activity, it might cause your device to act oddly. If I'm an attacker and I'm kind of kicking around inside the guts of it, you might notice something's going on. Maybe I'm leaving all sorts of breadcrumbs of the fact that I'm there because I'm just lazy. You never know. Or the end user gets lucky and sees something. It's much less likely to occur on a device like these because they're less likely to be actually interacted with. These are devices that we kind of, as Ron Popeil would say, set it and forget it. Okay, it's got all the right firewall rules. If it's an ASA, I'm allowing all the things, and until someone complains, you kind of leave it alone. It's, is it up? Is it pinging? Is it allowing all the things we want to allow? Is it disallowing all the things we want to disallow? Okay, I guess it's working. So you kind of walk away. Great way to kind of sit and monitor traffic. [00:34:59] Speaker A: Right. [00:35:00] Speaker B: Because you're in that. You're connected from the Internet and the internal network. You're kind of sitting in that middle spot. You can watch, and if you've got access, complete access, to that device, you're watching, you can modify things. It's a really smart way to maintain that persistence. [00:35:18] Speaker A: Now, they don't have a definitive answer on who's behind this yet, but Wired apparently reported that China is suspected of being behind the exploits. I'd show you the source, but it's stuck behind a paywall, so, yes. I could read it for about 5 seconds, and then it said, give us money and we'll let you read. [00:35:33] Speaker B: Yeah, there's ways around. I know they. [00:35:34] Speaker A: Got to make their money, but anyway, I'm not going to pull it up because you're not going to be able to read it anyway. 
But supposedly it looks to align with some of these Chinese nation state attackers' interests. [00:35:44] Speaker B: Turn off JavaScript and you'll probably be. [00:35:46] Speaker A: Able to read that article. You know, you look at me like that's something that I would think to do. I'm just like, paywall? Nah, I'll just find a different. [00:35:52] Speaker B: Oh well, oh well. [00:35:53] Speaker A: Especially when it's a source like that was Wired, but when it's like New York Times or something, I'm like, I'm not paying money to go read New York Times. I'm not doing that. I'm sorry. So it'll be interesting to see if any more information comes out on who's behind this. And of course the initial attack vector. [00:36:06] Speaker B: It's China. [00:36:07] Speaker A: It's China. We'll see. We'll have to wait and see. But moving on, we've got another favorite segment of mine. I think you already know what I'm about to say. [00:36:22] Speaker B: My birthday was not too long ago. She got me some donuts, and one of them is the purple or pink frosted topping with the sprinkles. That is Homer's donut. [00:36:32] Speaker A: That's Homer's donut, and it's a classic. Strawberry frosted with sprinkles. Cannot be beat. Is a little sugary. [00:36:38] Speaker B: But anyway, I'm a Boston cream guy myself. [00:36:40] Speaker A: Oh, really? See, I prefer the ones with like, the whipped cream, because isn't the Boston cream more like a custard? It's a custard, yeah, it's a custard. And see, I'm not really a big custard girly, but there you go. I don't remember, there's a name for it, but I prefer the whipped cream. I got you. [00:36:51] Speaker B: It's like frosting inside. It is whipped cream. [00:36:53] Speaker A: It is. It's like a whipped frosting kind of perfect breakfast item, right? [00:36:56] Speaker B: Start the day right till the crash happens. [00:37:00] Speaker A: I didn't get you any Boston cream doughnuts. I'm sorry, I did not know that was your favorite. 
[00:37:03] Speaker B: I like chocolate glazed. They were great. [00:37:04] Speaker A: Okay, well, I'm glad you enjoyed. [00:37:06] Speaker B: Yeah. [00:37:06] Speaker A: It was Daniel's birthday recently, so I'm not going to give them their official date, but sometime in the last several weeks he had a birthday, so. Happy belated birthday. [00:37:14] Speaker B: Yeah. [00:37:15] Speaker A: Or pre-birthday. [00:37:16] Speaker B: Who knows when my birthday is. [00:37:19] Speaker A: Moving on. D'oh! We've got a segment here: security bugs in popular phone tracking app iSharing exposed users' precise locations. iSharing has about 35 million users. They've fixed the flaws, but basically what it looked like here was that if you use this app, even if you weren't sharing your location, a person could still access your location somehow. There was a way that they could still get to your coordinates and, basically, within a few feet of where you were, figure out your exact location. Which. What's the point of having the option to turn off location tracking if it's just gonna work anyway? [00:37:52] Speaker B: That seems ridiculous. It says iSharing blamed the vulnerability on a feature it calls groups, which allows users to share their location with other users. Sure. Is it ch or k? I don't know. Chuh. [00:38:07] Speaker A: Oh, okay, right. I don't know. [00:38:09] Speaker B: Chuh told TechCrunch that the company's logs show that there's no evidence that the bugs were found prior to Daigle's discovery. Chuh conceded that there may have been "an oversight on our end." You think? Is that how you put it? Because its servers were failing to check if users were allowed to join a group of other users. So obviously, this is like a poorly done authentication, authorization kind of thing that's going on. It's a sensitive data exposure bypass. You got to do the permissions right, kids. [00:38:44] Speaker A: Yeah. 
[00:38:44] Speaker B: Otherwise, you start looking at things like this. I do not want people tracking. I don't want anyone tracking me. I don't want me tracking me. If I lose my phone, I guess it's gone. Yeah, right. That's. That's. I. And I have lost phones, so if he's like, well, lose your phone, Daniel. We'll talk. I have legit lost phones. I left my phone on top of my wife's van one time, and she drove away, and I was like, oh, no, it was gone. And I just went and bought another one. [00:39:11] Speaker A: Oh. So is there a way you can remotely, like, just erase everything on it in case somebody were to find it? [00:39:16] Speaker B: That's a good question. It's been a while since I've done that. Obviously. [00:39:19] Speaker A: I guess if it fell off your wife's van, maybe it's just dead to the world anyway. [00:39:22] Speaker B: Maybe it's crushed, and it probably was. [00:39:25] Speaker A: Run over several times. [00:39:26] Speaker B: Destroyed or went down like a sewer. Yeah, whatever. [00:39:30] Speaker A: But that's secure disposal right there. [00:39:32] Speaker B: Yeah, just have a car run over. [00:39:33] Speaker A: It a few times. [00:39:34] Speaker B: Don't buy thousand dollar phones and you gotta worry about losing them. Yeah, get that A52 or whatever it is from Android. [00:39:41] Speaker A: And I guess technically, I mean, this. It's a widely used app, but technically, it's, I guess, would be a third party app. It's not like it's an official by. [00:39:48] Speaker B: The way, you can buy a $1000 phone. I'm not, he's not gonna judge on you. [00:39:52] Speaker A: He'll judge you a little. [00:39:53] Speaker B: We're just having fun here privately. Don't get angry. [00:39:56] Speaker A: He won't judge you for buying a $1000 phone, but he will judge me. [00:39:58] Speaker B: This is the thing that I'll get comments in the sense he's like, dang, you bastard. [00:40:02] Speaker A: Check your privilege. [00:40:03] Speaker B: I hate you. 
[00:40:04] Speaker A: I can't believe you would say this. [00:40:05] Speaker B: This is an attack. Just having fun. [00:40:08] Speaker A: But because this was, it's not like it was. I think Apple's official tracking whatever is Find My, or something. Find My iPhone. [00:40:14] Speaker B: Oh yeah. [00:40:14] Speaker A: So I think this is a different thing. But there is a fix, and TechCrunch is the author of this. They're the proponent, the pusher of this article, and they held off on posting this until there was a confirmed fix. [00:40:25] Speaker B: So that's what responsible people do. [00:40:27] Speaker A: Of course, yeah. You don't want to be like, by. [00:40:29] Speaker B: The way, hey, you know there's a big exploit going on here, man. I would hate to be you. [00:40:34] Speaker A: Uh huh. Took him only a couple hours, I think, to find that there was any kind of a way to do this and then to carry it out and create a proof of concept. And then once he figured out how to do it, this researcher took only a couple seconds to locate somebody in this app. So kind of scary. But they did fix it. So if you are an iSharing user, again, I guess this would be, just make sure your stuff is updated, right? [00:40:53] Speaker B: Yep. [00:40:53] Speaker A: Just make sure your stuff's updated. We got one more here in our rapid fire. And I say rapid fire. [00:40:58] Speaker B: Well, we went through a lot of articles. [00:40:59] Speaker A: We did, we did. But we do talk a little bit about. It's not really a deja news because it's not the same. But it seems like over the last several weeks a lot of WordPress issues and plugins and stuff have been topics of conversation, and this is no exception. There is a WordPress plugin called WP Automatic, and there's a vulnerability that is just about as severe as it gets. Millions of attempts to exploit a high severity vulnerability that allows complete takeover using this plugin. 
So the kind of scary stuff, and a 9.9 severity rating out of a possible ten. And correct me if I'm wrong, that's pretty high. [00:41:30] Speaker B: That seems excessive. Yes. [00:41:32] Speaker A: Seems a little excessive. [00:41:34] Speaker B: Little up there in the exploitation severity rating there. That being said, this is a fun one. It's a SQL injection. And every time we see SQL injection in the news, I feel vindicated because I teach SQL injections. You know, you need to know about them, you need to understand them, you know, what they are and why they're a problem, and the things you can do to kind of solve that issue for yourself. This has been long known. I've been dealing with SQL injections in training and in real life land since like 2005, right? And I know they've been around a lot longer than that, but that's just when I started looking into the security game as something I was interested in. So here we are in 2024, which is almost 20 years later, right? And here's a SQL injection with a 9.9 severity rating because we still can't figure out how to do this. So learn about SQL injections, kids, and figure out those security measures for stopping them. So filtering out specific characters, using parameterized queries, all the fun stuff that goes along with making this not a thing anymore. Because, like what we're seeing here, if an enterprising young attacker such as yourselves decides to find and abuse SQL injection, you could find yourself with administrative access into the database and then into the system. And from there, the sky is the limit. And that's what we are seeing right here, right now. What's funny is I read the comments, and the first comment, right, first comment, was total vindication. [00:43:14] Speaker A: That's crazy. [00:43:15] Speaker B: I can't believe SQL injection attacks are still happening in 2024. Didn't everybody get the memo back in 1995 or so? 
Probably on paper, because olden times. It would make me sad if I weren't already so angry to hear it. [00:43:29] Speaker A: Silver boy, you got a point. [00:43:30] Speaker B: You do. [00:43:31] Speaker A: You got a point. [00:43:32] Speaker B: But here we are. [00:43:33] Speaker A: So you have been vindicated. I'd be curious. I always love going through the comments. [00:43:39] Speaker B: Ars Technica always has the best comments. [00:43:41] Speaker A: Yeah, yeah, yeah. So there's a patch available. The developer silently published a patch, is what the article said. So that's available. If you do use this plugin, go ahead and take care of that. That seems to be the theme today. Make sure your stuff's patched and updated. [00:43:54] Speaker B: Yeah. [00:43:55] Speaker A: Which is really the theme for every week. [00:43:56] Speaker B: It's like breach and update weekend. [00:43:58] Speaker A: That's always the, that's always that. This is. [00:44:01] Speaker B: Do exactly that. [00:44:02] Speaker A: Can we show, there's a little comic in the comments. Can we show. This is. [00:44:06] Speaker B: Oh, little Bobby Tables. [00:44:07] Speaker A: Little Bobby. Oh, you're familiar with this? [00:44:08] Speaker B: Oh, yeah. This is a very famous. [00:44:10] Speaker A: Okay. [00:44:11] Speaker B: Comic, xkcd, if I'm not. Yeah. [00:44:14] Speaker A: See, I'm too young. I don't know. I've never seen this one. But for those of you that are. Should we narrate it? For those that are listening and not. [00:44:21] Speaker B: Watching, you haven't seen. It's a mom. She picks up the phone, she says, hi, this is your son's school. We're having some computer trouble. Oh, dear. Did he break something? In a way. Did you really name your son Robert? Semi. Not semicolon, but, like, a single quote. Yeah. Parentheses and then a semicolon. Thank you. DROP TABLE Students. Semicolon. Dash, dash, question mark. Oh, yes. 
Little Bobby Tables, we call him. Well, we've lost this year's student records. I hope you're happy, and I hope you've learned to sanitize your database inputs. [00:44:56] Speaker A: That's pretty funny. That is pretty good. [00:44:59] Speaker B: That is an oldie but a goldie right there. [00:45:01] Speaker A: I learn so much on this podcast every week. I'm so glad. One day I'll catch up with you guys, but not today. So that's going to do it for our rapid fire segment. Hope that you enjoyed. The theme for this week is just patch, patch, patch, and breach after breach after breach. It's great. We have a great time. [00:45:16] Speaker B: I came up with that. Remember? We were hanging out, and I came up with the idea for a t-shirt. Bowser, instead of a piano, he's on a laptop going, breaches, breaches, breaches. [00:45:29] Speaker A: That's a good idea. We should make that shirt. [00:45:31] Speaker B: Make that shirt. [00:45:31] Speaker A: We can't sell it, but we should definitely make it. Nintendo would come after us for that one. They're gonna yell at us. [00:45:36] Speaker B: If I was selling it, they would kill me. I can make a one-off. [00:45:38] Speaker A: They'll kill you. I'll report you. [00:45:40] Speaker B: Yeah. [00:45:40] Speaker A: Anyway, we're gonna take a short break. [00:45:42] Speaker B: So that they can come and get me. [00:45:46] Speaker A: Yes, exactly. For that reason. But don't worry, we're going to be back with the deep dive into that banking malware I mentioned earlier. So don't go away. We'll be right back here on Technado. Tired of trying to schedule your team's time around in-person learning? Isn't it a bummer to spend thousands of dollars on travel for professional development? What if we said you can save money and time and still provide your team with the best training possible? The answer to your woes is live online training from ACI Learning. With live online training, we provide our top in-person courses in private online instructor-led formats. You get to provide professional development in a manner that fits today's expectations: entertaining, convenient, and effective. Our exam-aligned courses inspire the full potential of your team. Visit virtual instructor-led training at ACI Learning for more info. Welcome back. Thanks for sticking with us through that break. We're going to get into our deep dive here in a second. Once again, it is the beginning of May. Happy belated May Day, I guess, by the time you're watching this. And just a reminder, as the day this episode is released, we're gonna have a webinar this afternoon, May 2, with Mister Gerald Auger himself of Simply Cyber, Big Jer. Big Jer. I'm not gonna call him that, but yes, Dr. Gerald Auger. But he's, you know, he just goes by Jerry. He's a cool guy, but we're gonna have an all things cyber webinar with him. Afternoon of May 2, it's gonna be at 02:00 p.m. Eastern time. Eastern Standard Time. Daylight Time. I don't know what we're in. I don't know what part of the year we're in. Eastern time's not real eastern. [00:47:01] Speaker B: That way I can. It's eastern. You know what I mean? [00:47:04] Speaker A: Florida time. Okay. So make sure to tune into that. Bring all of your burning cybersecurity questions for Daniel, for Gerald. For myself, I can't promise I'll have answers, but I'll be there. So. Yeah, just a reminder that that's happening, and I'm super excited about it. But with that said, we'll go into our deep dive here. This one is about, like I said, a banking malware. We're pulling this from ThreatFabric: Brokewell, do not go broke from new banking malware posing a threat to the banking industry. A significant threat, in fact. With an extensive set of device takeover capabilities. And, I mean, that sounds like a bad thing, but for an attacker, that sounds fun. 
[00:47:39] Speaker B: Oh, it is a laundry list of capabilities that the Brokewell malware can allow an attacker to perform. We will get into each one of those. I say each one. We'll cover it. We'll take a look at it. This is the deep dive, as it were. So. And we're not going to go as technically deep as we normally do, but I thought this was a really good one for us to just kind of get our eyes on, because we're talking about banking malware, and I don't think we have in the past. At least I don't recall doing it. We do this podcast regularly, and I've been on quite a few of them, so it may have come up. I just don't remember. That being said, we are today. So, looking at some banking, are you familiar with banking malware, Sophia? [00:48:18] Speaker A: I feel like we talked about something similar not too long ago. That was like an Android. Like, I remember. I think I told you my grandma texted me and was like, do I need to be worried about this? But it was just an Android thing. [00:48:28] Speaker B: All right, so banking malware, its purpose in life is to give the attacker the ability to access your bank. [00:48:36] Speaker A: Okay. Yeah. [00:48:37] Speaker B: And then do things with your bank, like give themselves all your money or buy things and then have it shipped to themselves. That kind of stuff. Right. But how do they gain access to your bank account? That's a tough nut to crack, right? So what do they do? They go, well, you know what? You're gonna eventually log in at some point. If I'm there to watch it, that would be great. So they create an app that allows them to kind of read the screen. All the swipe gestures and things that you're doing, things that you're typing in, things that you're clicking on, all that stuff gets recorded and then sent back to them. So if you typed in a username and password, there you go. 
Now they have that as well, because they were recording all those keystrokes, all the swipes, all the things that you've done to gain access to your thing. Here's the other fun part. It can also steal cookies. So, when you log into your bank, right, and you get past all the fun stuff, because maybe you got 2FA going on, that's gonna be a whole lot more difficult. Now, they do have access to your device, so they could glean that 2FA token and use it to their heart's content. But you know what's easier? Just let you log in and then go grab the session token that's in your cookie, and go, cool, let me just inject that into my browser. And now I'm you. So those impersonation attacks are definitely sought after as capabilities in banking malware. Now, banking malware is a. You know, this Brokewell is not the only game in town, banking malware. People like banking malware. I say people. I mean, horrible, you know, horrible. [00:50:08] Speaker A: Horrific. [00:50:09] Speaker B: From attackers. Yeah, we call attackers that are, you know, pilfering the pockets of John and Joe Smith out there. So you definitely got to be on the lookout for banking malware. It's a big deal. [00:50:22] Speaker A: So it kind of takes us through here step by step. And the first part of this, there is a fake browser page, fake browser update page. And they show you a side by side of the legitimate Google Chrome page and the one distributing Brokewell that claims to be offering an update for Google Chrome. And, I mean, they're not exactly the same. We look at them side by side and it's like, okay, yeah, they're obviously different, but if you just saw this fake one here by itself, it would look like. That looks to me relatively legitimate. Now, hopefully, you're double checking things and not clicking things that you don't understand, but it does look relatively innocent if you're unsuspecting. Right. Looks, yeah, natural, occurs during normal browser use. Right. 
So this is the first, the first part of this, which is not terribly out of the ordinary, but then they noticed that it's a previously unseen malware family with a wide range of capabilities. So there is some new game in town, it looks like.
[00:51:09] Speaker B: Yeah, these people are new games in town, the whole Brokewell faction that's going on right now. But this is, this is not uncommon, as they say, to getting their banking malware onto someone's device. So picture this. You're. You get a text message or you see a pop up jump up on your mobile device. It says, hey, you've got an update. Of course you want to stay secure. And as we security professionals like to say, make sure you're performing all your updates. If you have a new update, don't take too long, don't sit on it. Find it. Find a good stopping spot. Close all your apps, do your, your update, because a lot of updates require a restart, and then you're good to go. Move on about your day. You're fine. You want to make sure you're doing that on a regular basis. They're taking advantage. I should start to see the cat and mouse game that gets played between attackers and cybersecurity professionals. And, of course, you good folks out there that aren't either of those things are getting caught in the middle. So what do we do? We as professionals tell you to do your updates. The attackers go, cool. We'll take advantage of that. We know you're being told actively, you should update. I'll just make it look like an update. Right. I love, I've seen people put, how did I, how did I get the phishing link to work? I made the phishing link the unsubscribe link in the email.
[00:52:28] Speaker A: Yeah.
[00:52:28] Speaker B: So I made it purposefully look like a phish or something that you wouldn't want, you know, like spam or something. Yeah. This comes from, you know, some horrible group.
[00:52:37] Speaker A: Yeah.
[00:52:38] Speaker B: How do I get on that mailing list? To unsubscribe, click here. Bam.
You click. Yeah. Ah, you dirty rotten scoundrels. So they're taking advantage of you trying to be a good cybersecurity sanitized, you know, person out there in the world to gain access to your thing. Right. So there you go. They're, they're using that technique right here. And as you so succinctly put, Sophia, that it looks legit. It looks very similar to a real update. And you'd be hard pressed, especially for average Joe and Jane user out there, that they would go, oh, this is legit. Let me just go ahead and click.
[00:53:14] Speaker A: Especially when, like you said, you're trying to do what you're supposed to do. You're trying to keep things updated, which is what you're told is the right way to go. And it is, it is good to keep your stuff updated. And in most cases, and so, you know, you're just trying to do the right thing. Now, something that they do go, they, they go into the next part of this article and talk about some of the tactics here. And it uses something called overlay attacks, says it's a common technique for Android banking malware, where it puts a bogus screen over top of a different screen to capture user credentials. So would this be like, like for instance, if there was a screen that looked like it was Google Chrome or whatever and it's asking you to sign into your Google account to update or whatever the case may be. I know that's not in this case. And then underneath it, there's other stuff going on where they're, they're taking whatever you're typing in. Kind of scary.
[00:53:52] Speaker B: Yeah, this is, this is really crazy that they are able to basically create a screen that looks like the legitimate screen. It overlays over the actual thing. So basically this is the layer that you see. It records all the things that you have done and then passes that along to the actual application so that those procedures can be done and everything looks legit. Or if they need to modify it, they can do some modifications to it.
So don't just transfer money to my sister in Belize, but also send a couple of bucks over here to this APT or whatever the attack group is that's doing this. A lot of people are, a lot of banking malware is used as kind of like a service. Most people don't create banking malware and then directly make money off of what gets stolen by the banking malware. They rent it out. They go, oh, I've got this wonderful. It's kind of like an, like I said, like an as-a-service. Service for you. So if I'm a total douche and I want to steal people's money and I want to do it through banking malware, I can go, cool, yeah, I'll rent that malware, and now I can install. I can, I can proliferate it as I need, and I get all these cool tools and capabilities, and they're, they're starting to go very legit looking, almost like they are a business where they're, they've got web pages, they've got support, they've got, I've heard of even HR guys inside of these, these organizations to try to sell you their product. They're basically taking the tried and true methods of any organization that has a corporate structure and utilize that within their. What's the word I'm looking for? Evil entities. Yeah. Yeah. So it's kind of weird to see how that's kind of blending together. But, yeah, that overlay attack is one of those features that they can easily sell and starting to become one of those things that you, as a, I say you, as someone who is interested in purchasing and utilizing said banking malware, renting it as a service, that would be a feature you would want to see more and more. If you didn't have that, I'll probably go into your competitor now.
[00:55:58] Speaker A: You also mentioned the whole concept of stealing cookies, how that's something that this can do as well. And it's also equipped with something called accessibility logging. It says that basically means it captures every event that happens on the device.
Every time you touch something, swipe something, look at information, input text, any applications you open, all that stuff gets logged and then sent to them. So any confidential data that you're dealing with or entering then is in the wrong hands.
[00:56:18] Speaker B: Right. Good. And so that's how they do this. That's how they make that. Give the. The malware the capabilities to record and log and see all those things that you are doing is through those accessibility functions and features that are built into your mobile device. Because you got to think, if I wasn't able to hear, how would I know what's being on the screen? Well, I need talk to text or text to talk to be able to. Right. Did I say hear?
[00:56:43] Speaker A: Yeah.
[00:56:43] Speaker B: If I can't hear, then I can't hear. I'm thinking, if I can't see, if I can't see, I need text to talk. So that requires access to the screen. What's on the screen. The text needs to be able to read that. So these accessibility functions have a lot of capabilities. And they just say, well, let's just lean on that to gather all that information and then send that back over our C2 channels and put that in the database.
[00:57:09] Speaker A: And because it logs every single event, whether every tap, every text input, that basically then makes it a threat to every application on the device. I mean, I know it's banking malware, but it's a threat to every application that you have installed.
[00:57:20] Speaker B: That is a, that's a phenomenal point that the fact that you got to remember, if I have access to your device, I have access to everything on your device, not just your bank account, but everything you're doing. If you're doing anything sensitive, if you have access to certain things, maybe, maybe the attackers realize, oh, I've got lucky. And this, this person that installed our banking malware is also a member of the State Department, you know, ah, that's going to be great.
Now, what else do they do with this phone? Maybe this is a. Supposed to be a highly secured phone, and they've sometimes done something dumb, like installed this, this malware. Awesome. What do we have access to? So just remember, just because they're primarily after banking information, does not limit them to that, if this malware is installed in your device. So it's a really important point for us to, like, be on the lookout for this kind of stuff and, and constantly trying to figure out, is this. It's. It's really hard. I get it. You know, I'm not gonna sit here and throw aspersions at you because you got popped with this kind of malware. This is very tricky malware, and I could see why a lot of people could be taken by it. You just gotta be really, really, really careful about the things that you install, especially if you downloaded it.
[00:58:35] Speaker A: Super, super vigilant. I feel like it's better to be a little bit more cautious, even if it makes things a little less convenient or even if you have to be a little annoying about it. Like, I just want to make sure. I just want to double, triple check. I'd rather be a little bit annoying about it than end up with this kind of malware on my phone. And this, this particular malware also supports a variety of spyware functionalities, so it can collect info about the device, but also call history, geolocation, and it can record audio. So this is really just a catch-all of all the bad things that you would never want happening to your, to your phone that you carry with you everywhere, or your Android device as it may be. But then once, once these credentials are stolen, once they've got access to them, then they can initiate a device takeover attack using remote control capabilities. So they perform a couple things, screen streaming and give the actor a range of actions that can be executed. So they can basically then touch and swipe like they're actually on your phone.
[00:59:20] Speaker B: Is this not the craziest thing? Like, they are able to stream your screen, what is happening on this screen. Kind of like GoToMyPC or something, where they are looking at your device and then they are able to give it inputs and say, hey, click this, do that, type that. Just as if they were the end user themselves at the other end. So that is, that's very crazy that they have that level of capabilities, but it does exist. So, I mean, ultimately this makes them the master of the domain there to be able to, let's say you set your phone down and go to sleep, and now they're basically on your phone going, let's go through this, let's go through that, let's pilfer this and let's look through there. And what other sensitive information can I pull from this lovely little device? Oh, maybe I can use it for this purpose or that purpose. Remember, this is the sky's the limit. I have full control over this device if I am this threat actor. So I do find it amazing that they do have those capabilities. Let's take a look at some of those other capabilities that they have. Just because it's, it's very interesting. We've got this do click lm, like this is right around here. So we got the commands and you got the description. This performs a click on the specified element on the screen. We got another one. Performs a click on the specified coordinates on the screen. So just a couple of ways to kind of get clicking around as you need. Draws a line between the specified coordinates, simulates the back button, simulates the home button, simulates the recent button, performs a scroll on the specified element, starts screen streaming, stops screen streaming. Perform swipe down. Perform swipe left, slide, all the swipes. We got swipes coming out of our wazoos here, right? Swipe between the specified coordinates, input specified text in specified text field.
Wake up the screen, simulate vibration, set brightness to zero, set volume to zero, which at first you're like, what do they care what brightness or volume? And they're not actually there for it to affect them. I don't want them. If I, if I move the screen and I put the brightness down to zero, it's less likely that you'll notice.
[01:01:20] Speaker A: That's true.
[01:01:20] Speaker B: If I make no sound because I've turned the volume off, you're less likely to notice I'm kicking around doing something.
[01:01:27] Speaker A: And I guess on the other end of that, you might simulate vibration. If you want them to look at the phone, if you want to catch.
[01:01:32] Speaker B: That's a good question. Why you would want that?
[01:01:34] Speaker A: Do you want to draw attention to that?
[01:01:35] Speaker B: I don't know. That's a good question.
[01:01:37] Speaker A: It's a good question.
[01:01:38] Speaker B: You know, comment below.
[01:01:39] Speaker A: Do you have any predictions or any estimates as to why that would be? But lots of different commands that they can execute, showing they do truly have full control once they've infected that device.
[01:01:48] Speaker B: There's a little bug on my.
[01:01:49] Speaker A: Oh, really?
[01:01:50] Speaker B: It looks like a red bug.
[01:01:51] Speaker A: Is that a good thing or a bad thing?
[01:01:53] Speaker B: Mites that come from the Spanish moss to hang out in our trees.
[01:01:57] Speaker A: Oh, somebody called on. His office is infested. We need to get that lizard back in.
[01:02:01] Speaker B: Allergic to him. You'll wish you got. They'll bite you.
[01:02:04] Speaker A: Oh, really?
[01:02:05] Speaker B: Yeah. And whatever they bite will swell up on you.
[01:02:07] Speaker A: All right, awesome. I'm gonna stay on my side of the desk. Wow. ASMR in the mic. Our poor director Christian is over there just covering his ears right now. So. Yes, the actors then have full control over the infected device.
They can perform all these actions on the victim's behalf. Scary stuff. Because it really. If you can do all of this on the phone and you've already been logging every single swipe and every single action the user takes, you really, there's no limit to what you can do then on this phone. So scary.
[01:02:33] Speaker B: And other than that, there's only one other kind of, like, big thing about this, and this is the Android 13 restrictions that are built into Android 13 and above, which is. Are you looking at the. Do you see him?
[01:02:45] Speaker A: I'm looking at.
[01:02:46] Speaker B: He's right there. Yeah, he's right there. He's having a good time. He's hanging out with us today, ladies and gentlemen. But anyway, back to the Android 13 restrictions. So a lot of malware gets installed by, like, through sideloading. Right. So this is just a program that is not in. Maybe in, like, the Google Play Store. Okay, I can go to a website and I can download an APK and hit, you know, install, and it'll install on my device. That's how malware traditionally gets in and that's how they gain access to certain functionality. So they introduced this restricted settings in this blog from the same. Right. This is also from ThreatFabric, and I think there's a link to it from the previous article we were looking at. So this was meant to stop the device from allowing access to things like accessibility. Okay. So they introduced this feature. If you do not get installed through the Play Store, then there is like a specific flag that doesn't get flagged and therefore it does not allow access to the accessibility features. This malware has figured out a way around that, and that is what is kind of like giving it its little claim to fame. I don't think it's the only one in town, but it's definitely a new thing. And they released publicly how they're doing it. So now we're going to just see more malware variants coming out with this capability, and it's going to become like that.
Well, if you don't have the ability to bypass that, those restrictions, then you're not the malware for me. I'm going to go to your competitors. So eventually this will be something, at least according to ThreatFabric. So like I said, basically they have this restricted setting. Says sideloaded applications are applications loaded onto the device from sources other than official app stores. Because sideloaded apps are not subject to the same checks as apps submitted for publication in the official app stores, this method of loading apps onto devices is seen as attractive to malware developers. Restricted settings act as a gatekeeper, prohibiting sideloaded applications from directly requesting accessibility session or settings, and notification listener access, two features often abused by malware. So for sideloaded apps, the entry in the accessibility menu corresponding to the app will be grayed out and not directly accessible. So this is, this is a good thing that they've added this, but. And here you can see this is what this looks like. So if I sideloaded an app and I tried to get to the accessibility features through it, I would get this restricted settings kind of thing going on. This is what we want to see with the bypass of the restricted settings. Notice I have full functionality and capabilities to access said things, right. So with the kind of payload that gets installed, bypassing it. So they said we just basically need to figure out a way to get it to hit that session-based flag in the installer. They were able to successfully do that. And then of course it bypasses those restrictions. So that's one of the more technical aspects to this malware, is it has that capability to bypass those restrictions and still gain access to the accessibility functions.
[01:05:52] Speaker A: And it does look like somebody that, by all, by all accounts, it looks like is maybe the perpetrator of this particular type of malware basically just publicly was like, hey, here's this. Here's the source code. I did it. And feel free, you know, take a look. And so in this particular breakdown of it, they talk about how this could potentially lower the barrier to entry. We love that, you know, free market, right, for cybercriminals looking to distribute malware. So in this case, maybe not so much. Uh, so easier for more actors to enter the field. Yikes. We. We don't love that. Um, but this particular profile has been active for at least two years, has provided other tools to cyber criminals. This is not his first rodeo, clearly.
[01:06:32] Speaker B: Because this is a pretty comprehensive cyber labs. I love this graph. This is. This is their landing page right here, right?
[01:06:38] Speaker A: Broke.
[01:06:38] Speaker B: Well, they got a logo, all the tooling. Like, look at this. It looks like this was like Tenable or Rapid7 or something.
[01:06:45] Speaker A: Contact us.
[01:06:45] Speaker B: Yes, contact us. Knowledge base. Log in and register. This is for malware, right? This is what it looks like. Here's the tooling that we offer. PayPal Validator version 17, Apple Validator 2023, Bitwarden Account Checker, American Express Checker Global, Mega NZ Account Checker, Amazon Email Validator, Dropbox Checker, Dropbox Validator, Amazon Email Number Validator, Carrier Info Check. And then there's RAT, PWN and stealer, ransomware, fake authenticator. These are some of the tools and services that they provide. If that seems interesting to you, go ahead and hit that register button, and one of our salespeople will contact you shortly. Right. Enter the chat.
[01:07:27] Speaker A: That's kind of. Yeah, very, very bold. Just, hey, just take a look. Peruse our wares. So they kind of go into a conclusion.
They talk about some of the IOCs you can be on the lookout for. And of course, there's a list of those commands as well, if you're interested.
[01:07:40] Speaker B: In reading, for a much more extensive list.
[01:07:42] Speaker A: Much more extensive list. Yes, they can truly do it all with this malware. And once again, this is an Android. This is specifically for targeting Android users. Right? So I just. Last time we talked about something like this, I had somebody reach out and they were like, do I need to be worried about this? Who's my grandma?
[01:07:56] Speaker B: I do.
[01:07:57] Speaker A: Sweet grandma. She's trying to stay informed and she was like, do I need to read about this? I said, well, grandma, you know, you don't have an Android, so you're good. You're all. You're all set. This particular threat doesn't apply to you. Doesn't mean you shouldn't stay vigilant.
[01:08:08] Speaker B: Right.
[01:08:08] Speaker A: But in this case, this is an Android thing, so keep an eye out for that. Don't do any bogus Google updates. If you are an Android user, never trust, always verify. Always verify.
[01:08:18] Speaker B: That's right.
[01:08:18] Speaker A: But I think that pretty much does it for the, for the breakdown of this. I kind of like that they, they still went into depth on it, but it wasn't too technical for me to follow, you know?
[01:08:25] Speaker B: Right. I. So I kind of like that one a little bit. Take a step back. Not so close to the problem, as it were. Still very interesting in my estimation.
[01:08:33] Speaker A: We are going to put all of this, of course, in the description for the video. So if you're watching on YouTube, you can check that out below for any of the articles that we talked about today. So if you want to read more in depth on that stuff. I don't think there was much this week that was like, oh, this is breaking, but we can't really talk about it yet.
I did mention the LA County breach that you might have heard about, but it was specific to LA, you know, so we ended up having to omit that one, a couple other ones that were a little more technical that kind of went a little bit more in depth that I just don't think we could have. Could have really covered in adequacy on the show today.
[01:09:01] Speaker B: It does take a bit of time and effort for this show.
[01:09:04] Speaker A: Should we. Should we tell them about next week? Should we give them a heads up about next week? Or should we let it be a surprise?
[01:09:08] Speaker B: Oh, no, I think we should tell them. That way they can anticipate, and if they're looking forward to it, they can.
[01:09:13] Speaker A: I will unfortunately not be present next week. I'm taking some mandatory vacation.
[01:09:16] Speaker B: Just getting a lobotomy.
[01:09:17] Speaker A: I'm in trouble. No, I'm gonna be out. Just. Just running some errands, visiting family, that kind of stuff. So I will not be present. But fear not, we have heard your cries.
[01:09:27] Speaker B: Yes.
[01:09:28] Speaker A: And Mister Don Pezet is going to be back in the studio next week with Mister Daniel Lowry.
[01:09:32] Speaker B: So we reached out. He said yes.
[01:09:34] Speaker A: He said yes. I mean, you know, we had to jump through some hoops. We did have to, you know, work around a schedule because he's been the.
[01:09:39] Speaker B: Wheels, if you know what I mean.
[01:09:40] Speaker A: He was pretty quickly, like, when can we record it? Like, as long as we do it on this day?
[01:09:44] Speaker B: He misses Technado. He's just so busy. He doesn't have time for it on, like, a full time basis. So, yeah, we're definitely going to have him on more often, as I put it this way, as much as we can.
[01:09:54] Speaker A: Yeah, of course, it'll just depend on his schedule and stuff. But as it turned out, it worked out well for next week, he's able to fill in for me.
So the dream team will be back in the studio again, Don and Dan, so definitely recommend you tune in for that one. Once again, we've got our webinar the day this episode is released to be this afternoon, 02:00 p.m. Eastern time with Mister Gerald Ozer. Doctor Gerald Ozer. Excuse me. So you don't want to miss that. I think that's pretty much going to do it, though, for this week. So I know Daniel wants to get back to celebrating his belated birthday that happened several days or weeks or months ago. You don't know? You don't know. I don't even know Don's birthday. He keeps that a secret. Secret.
[01:10:23] Speaker B: He does. He keeps that. Nobody knows. Yeah.
[01:10:26] Speaker A: Anyway, you guys are better about that than I am. You could probably google me and find my birthday, so it's not really a secret. Anyway, thanks so much for joining us for this episode. Hope you enjoyed. Leave your comments down below and let us know what you thought. Subscribe if you haven't already so you never miss an episode in the future. And until next time, we'll see you next week for more Technado, thanks for watching. If you enjoyed today's show, consider subscribing so you'll never miss a new episode.