360: Dell Got Pwned?! (49 MILLION Records Stolen!)

Episode 360 May 17, 2024 01:16:39
Technado



Show Notes

This week on Technado, Dell got pwned: 49 million records were stolen & are up for sale on the dark web. Dan & Soph talk privacy as Proton has turned over more customer info to cops, and we also take a look at MITRE's newest framework, EMB3D. In exploit news, Cinterion cellular modems have some severe vulnerabilities to deal with, and a PoC has been released for a critical PuTTY key vulnerability.

In our Pork Chop Sandwiches segment, ANOTHER malicious Python package has been found in PyPI. A new LLMjacking attack is being used to exploit stolen cloud creds, and Nmap 7.95 is out with new features!

Lastly, in our deep dive, we take a look at Mallox RaaS and how it's being used in MS-SQL exploitation campaigns. And before we sign off, we touch on some of the breaking stories from this week that we couldn't cover in depth.

Want to read more? Check out the stories we covered in this week's episode:

https://www.theregister.com/2024/05/09/dell_data_stolen/
https://www.theregister.com/2024/05/13/infosec_in_brief/
https://thehackernews.com/2024/05/mitre-unveils-emb3d-threat-modeling.html
https://thehackernews.com/2024/05/severe-vulnerabilities-in-cinterion.html
https://thehackernews.com/2024/05/malicious-python-package-hides-sliver.html
https://www.infosecurity-magazine.com/news/llmjacking-exploits-stolen-cloud/
https://cybersecuritynews.com/nmap-7-95-released/
https://gbhackers.com/putty-private-key-poc-released/
https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/#h-mallox-ransomware-deployment


Episode Transcript

[00:00:04] Speaker A: You're listening to Technado. Welcome and thanks for joining us for this episode of Technado. Quick reminder before we get started that Technado is sponsored by ACI Learning, the folks behind ITPro. And you can use that code, Technado30, for a discount on your ITPro membership. I'd recommend it, but that's just me. I'm Sophie Goodwin. I'm one of your hosts for the show today. I was out last week. I was taking some vacation time and going to see Mom and stuff for Mother's Day, so I'm glad to be back. Daniel, how did... how did things go while I was gone?
[00:00:31] Speaker B: It was great. We had Don come on, and it was a lot of fun. We talked about some really cool articles and tech news as well, because I figured Don's going to be here, we got to do some tech news, bringing it back. Right. We won't be doing tech news without Don because Don really loves that stuff, and that's... that's neither of our bags.
[00:00:45] Speaker A: Yeah.
[00:00:46] Speaker B: So I did hear some interesting and exciting news, though, that you have started watching The X-Files.
[00:00:52] Speaker A: Yes, I did start watching The X-Files while I was out last week. I'm only on...
[00:00:56] Speaker B: Keep the camera off me.
[00:00:57] Speaker A: I'm ready. Just so proud.
[00:01:00] Speaker B: I'm so proud.
[00:01:01] Speaker A: It took me long enough. Right? 'Cause you guys talk about it a decent amount. You reference it, and it was Don's favorite show. And we have, like, a... I think one of our segments has The X-Files music in the background.
[00:01:10] Speaker B: Oh, yeah, yeah, yeah. Tinfoil hat, right?
[00:01:12] Speaker A: So I'm like, all right, it's been enough time. I need to just... It's on Hulu, I think. So I'm like, I'll just start watching it and I'll just do it to say I gave it a shot. I got through the first episode, and I was like, I have time for another one. I could probably just...
[00:01:26] Speaker B: Yeah. Do not try to binge-watch The X-Files. Yeah, you're gonna find yourself friendless. Probably, like, none of your bills will be paid. So many episodes. Like, I think it's like eleven seasons or something.
[00:01:38] Speaker A: Yeah. I looked it up, and it's, like, over 200 episodes. So I have... And they're each, like, 40-something minutes.
[00:01:42] Speaker B: They're like 47 minutes.
[00:01:44] Speaker A: So I'm excited. I'm... I'm about to watch episode eight. I stopped on episode seven of season one, 'cause I got busy with other stuff last week. But I did watch quite a few episodes, and so far, I really like it.
[00:01:52] Speaker B: Yeah, I think you're... I think we were talking about this. I think you're on "Ice."
[00:01:56] Speaker A: Yes. That's the next one. Yeah.
[00:01:57] Speaker B: Such a good episode.
[00:01:58] Speaker A: I said... I said the "Ice" episode. And he goes, you're gonna love that. How do you know it by name like that?
[00:02:03] Speaker B: Because I've watched it, like, a thousand times. Right. Like, such good TV. So.
[00:02:08] Speaker A: That's true. So I still haven't watched a lot of the movies that are on my list to watch, but I have started The X-Files, so.
[00:02:12] Speaker B: You're young. You'll get there.
[00:02:14] Speaker A: I got time. Step in the right direction.
[00:02:15] Speaker B: I'm currently, like, doing a bad eighties movie, like, tour.
[00:02:21] Speaker A: Oh, really?
[00:02:22] Speaker B: Yes. I watched some real interesting ones last week. I... Let's see, what did I watch? I watched, um... Not Hands of Steel. I watched Hands of Steel. Then I watched Robot Apocalypse. So bad. So bad, I can't even begin to explain to you how bad that movie was. And then Hands of Steel was a bad movie, but it was more bad in a good way.
[00:02:46] Speaker A: Okay.
[00:02:47] Speaker B: It's very entertaining.
[00:02:48] Speaker A: So bad, it's entertaining.
[00:02:49] Speaker B: Yeah. I enjoyed it. But definitely Robot Apocalypse. Next on my list is going to be, I believe it's called USA 3000.
[00:02:57] Speaker A: Okay.
[00:02:58] Speaker B: Looking forward to it. Sure. It's amazing. Okay, bad. I think.
[00:03:01] Speaker A: I think The Fifth Element's next on my list that I need to watch. So that's...
[00:03:05] Speaker B: That's hot.
[00:03:06] Speaker A: It's on the list. I'm gonna try to... I'm also watching The Sopranos. There's a lot of good stuff going in and out of my head. So speaking of things going in and out of my head, I did... I did take a look at these articles that we're gonna be going through today. And, man, there's... there's some interesting news going on this week. We initially were, like, kind of a slow news week, and then we, like, refreshed the page and we're like, whoa. So we'll go ahead and jump right in. We don't have a Tinfoil Hat segment today, unfortunately, but we do have another old favorite: Who Got Pwned. Looks like you're about to get pwned.
[00:03:32] Speaker B: Fatality.
[00:03:35] Speaker A: I love that little guy in his computer chair. So this one comes to us from The Register. A Dell customer order database of 49 million records was stolen, and it is now up for sale on the dark web. And, oh, isn't that fun? Isn't that usually where this stuff ends up? It ends up on the dark web eventually.
[00:03:50] Speaker B: I gotta go on the dark web more often. Apparently I saw all sorts of goodies for sale on the dark web. Reach out and go, hey, here's my Bitcoin. I got to get Bitcoin first, I guess. Yeah, I guess that's the... one of the hurdles to actually being a part of the dark web economy is that you have to get into cryptocurrency.
[00:04:09] Speaker A: Yeah, it seems like that's a requirement.
[00:04:11] Speaker B: Seems to be a requirement. Might be a non-starter for this guy.
[00:04:14] Speaker A: Yeah, probably. It's just best if I would buy...
[00:04:17] Speaker B: Hard drugs and start with Dogecoin, murder for hire, and I... I just can't get down the cryptocurrency.
[00:04:24] Speaker A: Well, as in many cases where we have a big company like this that... that has an incident. Uh, they did... they did acknowledge there was an incident with access to a database with customer information. But I bet you can't guess what the next thing they said was.
[00:04:36] Speaker B: Oh, let me see. Let me put on my... Let me get my crystal ball out here. Did they say, but no sensitive customer information was really touched?
[00:04:45] Speaker A: Ding, ding, ding, ding.
[00:04:46] Speaker B: At all? They did access our systems, but, I mean, who hasn't had their system accessed from time to time? I mean, these things happen, right? That data is still super safe. Can't wait to read next week.
[00:04:57] Speaker A: Maybe I don't... Maybe I don't know what I'm talking about, because this is no financial or payment information, email address, telephone number or anything highly sensitive. And if that's true, then that's great. It seems like a lot of times, though, things come out later, like you said. Oh, well, maybe some Social Security numbers, but no big deal. But one of the things that they said was accessed, you know, name, which is not great, but I guess it's public knowledge, technically speaking. Dell hardware and order information. Okay? And physical address. Now, I know that's not a bank account number or Social Security number, but if I knew my physical address was out there, that would freak me out. Maybe that doesn't count as sensitive information.
[00:05:30] Speaker B: This is fun, right? I've really enjoyed this little conversation we're having right now because I'm gonna channel my inner Don.
[00:05:36] Speaker A: Oh, no.
[00:05:37] Speaker B: And Don is gonna say, that's what we used to call the phone book, right? Because they would throw a free phone book on your doorstep. You would open it up, and I could look up your name, your phone number, and your address was there as well. All these things were just freely available to the masses back in my day. Yeah, right. But now we're... You know, your generation has been taught those are PII. That's private information. You don't let that stuff out. So it's just kind of... It's kind of interesting for me to see from my generation to your generation how things have changed quite a bit. And now that's considered like, yeah, bad things have happened. They know where you live.
[00:06:18] Speaker A: Yeah. I mean, I guess you could probably Google somebody's name and find stuff about them and at least previous addresses and stuff. I know a lot of times you can find it relatively easy, and it's not very expensive.
[00:06:27] Speaker B: If you wanted to really go down the rabbit hole to look at your work history and... and things of that nature. A lot of our personal information, but they would have to be targeting you specifically.
[00:06:36] Speaker A: Yeah, that's true.
[00:06:37] Speaker B: For really that to be a problem. If that's... this is all they got. I mean, the best thing they got, maybe, is, like, username information, but data is the... is the big... It's... It's more valuable than oil and gold. You know what I mean? Like, this is the hot commodity of our time. At what point does that hit an equilibrium, though? Right? Like, how many... How many data breaches will it take before everybody in the world has been...
[00:07:02] Speaker A: Right. Yeah.
[00:07:03] Speaker B: Exposed in some way, shape or form. And now you're just giving me duplicates of stuff I already have.
[00:07:09] Speaker A: Because it's very rare that somebody has zero online presence, even if somebody actively avoids social media and all that stuff. Like, you know, like, my grandma doesn't do that kind of stuff, but if I Google her, find her, like, everybody's got some kind of a presence. So, yeah, I would be curious.
[00:07:22] Speaker B: That's what I mean. It's like, it's getting interesting. How... How long before... I mean, it's got to be a race to the bottom before that... that data is no longer as valuable as it once was. Like, it's like thinking of gold. I can only mine so much gold. Once... once all the gold has been mined, it hits a set value. Right. You know, that's a... I think more, I guess Bitcoin maybe would be a better analogy. There's only so much of it. It's that value now. It continues to raise in price because of rarity and scarcity. So maybe new people are coming in and that's what's keeping it from being, uh, hitting that homogeny, is that because new people are born every day, therefore there is new PII to grab? I guess that's... I'm thinking through this in real time, by the way. You can't tell.
[00:08:06] Speaker A: This is why we like this kind of stuff. Encourages conversation.
[00:08:09] Speaker B: Dell got popped.
[00:08:10] Speaker A: They did, they did. And you're right. It's... They'd have to be targeting somebody specifically. And out of 49 million records, I mean, also, I haven't bought anything from Dell between 2017 and 2024, so I... not part of this. But I just... Personally, if somebody said, yeah, I've got your physical address, that would set off some alarm bells for me. But they did send out an email to their customers and let them know what was going on. They did downplay it a little, but they said they're taking the privacy and confidentiality very seriously. There was an incident, but not a significant risk to our customers, given the type of information involved.
[00:08:40] Speaker B: We... This was obviously a marketer that wrote this. Sure. You know, some... some PR person. Yeah, come out. There we are. We continue to monitor the situation and take steps to protect our customers' information.
[00:08:50] Speaker A: Oh, yeah.
[00:08:51] Speaker B: Were you not taking steps before you say you're continuing to do it? Are they the same steps you took that got you breached, or are we doing something different? I mean, this is a really vague sentence you got going on here. Is it supposed to fill me with security and happiness, confidence in it? Yeah. That you're continuing to take steps. What does that mean?
[00:09:09] Speaker A: It's like when a restaurant comes out and is like, our burgers are now 100% beef, and it's like, what were they before?
[00:09:13] Speaker B: Hold on. Yeah, back up there. Wait, did you just say, now they're 100% beef? 'Cause what were they before?
[00:09:20] Speaker A: Right, exactly.
[00:09:21] Speaker B: Well, they were 20% person and rat.
[00:09:23] Speaker A: But I mean, technically, you know, Soylent Green is people. Eat the bugs.
[00:09:29] Speaker B: Yeah. There's the pods.
[00:09:30] Speaker A: There's a certain percentage of bugs that are allowed to be in food. And so, you know, that's all we were talking about.
[00:09:36] Speaker B: Yeah, yeah, yeah.
[00:09:37] Speaker A: So, anyway, so Dell is, at the very least, acknowledging that something happened. It will be interesting to see if there's more information that comes out later. Probably not.
[00:09:45] Speaker B: I'm sure if you're a Dell customer, you're being contacted with some very opaque form that talks about the latest and greatest things that are happening at Dell. And, oh, by the way, down in the fine print, there was a breach. You've... got nothing to worry about.
[00:09:59] Speaker A: Well, this next one is, I think, going to give us some interesting fodder. I'm curious to know what your take is on... This next one also comes to us from The Register. Encrypted mail service Proton hands suspect's personal info to local cops. And I don't think this is the first time this has happened with this specific company, organization.
[00:10:14] Speaker B: Yes.
[00:10:15] Speaker A: So. But it was, I believe, back in 2021, there was an IP address that was shared, and they claimed that they didn't track IP addresses.
So then they had to change that and say, well, maybe we do. But in this case, it was a recovery email address that they gave to police. And then I think they also had to work with Apple to identify the person who owned the email address. So it was a multiple-company operation here. But, I mean, we were kind of talking about this, something similar, the other day. If the police... if you're subpoenaed to give up information, what are you supposed to do? Like, you kind of have to.
[00:10:45] Speaker B: So you can... you cannot. Right there. There is that. You can't go down that road and say, I'm going to protest this. I don't believe that you should get this access, and then they'll just handcuff you and take it anyway. Right? That's... that's what's going to happen. And maybe, maybe if you are a, quote unquote, privacy advocate, you should fall on your sword there. There's an argument to be made there philosophically. Whether or not I agree with that, I don't know. Uh, honestly, I'm a Proton Mail user. I like their service. I found it to be quite great. I am the kind of person that reads the fine print and says, what do you offer me? I am a privacy advocate. I think that... that people should have... they do have a right to privacy inherently that is just given to us as humans by nature. I need to be able to have secret things for myself. That's just for me and my own thoughts. Whether or not Proton has done something wrong here, that's the question, I think, and I think we should probably look at this Socratically. Let's just ask questions and then try to figure out those answers on our own. Does Proton ever say that if you engage in our service, we will give... we track absolutely nothing? I know they said that the email... they guarantee that the email is encrypted end to end, that you are the only one that has access to the decryption, that they have no access to the decryption. So if someone comes and asks them for the emails that are in your inbox, they can't. They can give them to them, but it'll be encrypted and so it'll be nothing for them.
[00:12:18] Speaker A: Right.
[00:12:19] Speaker B: There are other things they get out. If they said we're not tracking... I think there was a time when they said they didn't track IPs and then they got subpoenaed and they did have IPs. So if they're saying that they... these are specific items that they are... they do not have, they either said that in bad faith and do have those things and when they were subpoenaed they gave that over, I don't know, um, or they were unaware that those things were... And they... they're just bad at their... they're bad at doing their job. And maybe that's a reason not to go with Proton. Ultimately, for me, if, as a privacy... if, if I'm worried about the IPs that are being tracked, if I'm using Proton as a service, then I'm going to go through intermediaries to access my Proton Mail. I'm not going to access it from my home, at least not directly. Right. I'm going to do other obfuscations. Honestly, if you want privacy, it's the same as you do with security. It's privacy through obscurity. Right. There's many layers. You use a layered approach. You jump through a bunch of different hoops and that's going to add to your privacy. So that by the time Proton Mail has an IP address, it's to some exit node in, you know, Scandinavia.
[00:13:27] Speaker A: Yeah.
[00:13:28] Speaker B: Right. So then, yes, so they have the IP. But so I'm not 100%, like, on the full-on burn Proton to the ground bandwagon, at least not from the information that I have. I feel like this is one of those kind of, like, ways to get some people that are very zealous about privacy up in arms. And maybe I'm wrong about that. That can be totally true. I'm not... I'm not as super zealous as a lot of people might be, but I do think it is. And maybe I'll go that way as I continue to learn more about privacy and the invasions of privacy that do occur. I do understand that there are people... people's lives can be impacted by this.
[00:14:09] Speaker A: Sure.
[00:14:09] Speaker B: Right. So we... we do need good privacy. But if you're at that level where you need, like, super secret privacy, man, you got to take things in your own hands. Right. I wouldn't personally... well, I would not rely on any service like Proton. I would spin up stuff and do sock puppet accounts and I would go crazy, Tails on everything and Whonix and that kind of stuff. I would go and everything's through Tor and VPNs and I would be bouncing all over the place if I really wanted to stay out of the hands of the prying eyes of the governments out there. So I think that, for me, Proton gives me enough security that I'm not worried about them having my IP address. And if I was, I would do things to make that a non-issue.
[00:14:50] Speaker A: And I think outside of that issue with the IP addressing, where they claimed that they didn't track user IP addresses and then they were able to provide one. So it's like, well, you kind of do. Yeah, that was in 2021. So a couple years ago, but outside of that.
[00:15:02] Speaker B: And then they changed that. Right?
[00:15:03] Speaker A: They did. They updated the claim on their site. They took that down. That said they didn't track it.
[00:15:07] Speaker B: They're still... They do have that. And what I say, they change... They changed the fact that they... They no longer say that we don't track IPs.
[00:15:13] Speaker A: Right. That's what I mean. Yeah. They took down a statement. You know, but the only other thing that they promise is that they cannot read, like you said, the content of email attachments. Because of the end-to-end encryption, there's no trackers, no ads, and the highest standards of privacy. As far as I'm aware, they've not gone back on any of that. And all of that is still true in this case. They still have access to user information, and they never said that they didn't.
[00:15:33] Speaker B: Right. So I think they don't freely give it out. They say if they come with a subpoena, they... I believe, if I'm remembering correctly, I signed up for Proton years ago, when I read the, you know, the agreement and all the things that they tell you, is that if we get subpoenaed by the government, we, by law, must give these things over. So understand that if you're using our service. And I was like, okay, I totally get it. Fine. Okay.
[00:15:57] Speaker A: Right? You acknowledge that. The other thing that caught my eye was in this article. It says they've been previously accused of offering real-time surveillance of users to authorities. And that sounds like they're just offering, like, here, take a look. And that was misleading, the way... the way that it was worded. I went back and looked at the story, and this was even further back. In 2019, a spokesperson was like, well, hang on. We don't just voluntarily... here you go, take a look. They only will offer policy to the government unless they are court ordered. And it's like, this is the law, and you have...
[00:16:26] Speaker B: Right. And think about that. Like, if Johnny Law shows up on your doorstep, they're gonna have a subpoena in their hand.
[00:16:32] Speaker A: Right?
[00:16:32] Speaker B: What is a subpoena? It is a court order. A judge that signed this, they had to show probable cause and get the warrant to get the subpoena to get all those things. It's not like they were just like, I don't like Billy Bob and I want to watch everything he does. Now you let me have access. And they've said, they just rolled over and said, oh, don't hurt me. And so I don't see that from them. I think it's a little unfair. Proton.
[00:16:53] Speaker A: Yeah.
[00:16:54] Speaker B: Now can they do some things like stop tracking IPs? If people don't like that, you've got a customer base that really is against that, so just stop doing it. It seems simple. Like, I... I don't know why they're doing it.
[00:17:08] Speaker A: Yeah.
[00:17:09] Speaker B: Right. Have as little information as possible and then say, hey, we're constantly making strides to remove as much information as possible about our users, and that's going to make people trust you more. Especially when you have things like this that happen where there are people that just are dead set, ready to get angry about something. And again, super zealous about their privacy. Cool. But if you are, what are you using Proton for? Build your own super private solution and utilize that.
[00:17:37] Speaker A: In this case, despite Proton having access to some user information, it's not a lot of user information. All they gave up was the recovery email address, and that was not enough to identify the person. They then had to cross-reference with Apple and they were able to find the same address, and that's how they were able to get an actual name and an identity. So even then, it's not like they were just like, here's his first and last name, here's his physical address, which is apparently not sensitive information. And here you go. This is where you find him. Like, they gave up what they were asked to give up. Ordered by law to give up. I don't... I don't think this is a, like you said, burn Proton to the ground situation. I'm not a Proton user, so I guess I'm not really... I can't really speak on it. But as an outsider. Right. This seems reasonable to...
[00:18:12] Speaker B: And if we could see it as a step in the right direction, maybe it's not perfect. Right. It's not the... It's not the solution we need, but it's the solution we get right now. Right, right kind of thing. It's the old Batman.
[00:18:23] Speaker A: Batman, yeah.
[00:18:24] Speaker B: Is start using stuff like that and then clamor for the types of features that you're looking for, like, no IP tracking. And then they go, you know what? Maybe competition spins up and goes, well, we have the same things as Proton, but we don't track IPs. Cool. Now I'll move my business over there. And Proton goes, whoa, that sucks. Let me... I got to compete. Let's compete with them. And off you go. So that's just my thing.
[00:18:51] Speaker A: That's our two cents, you know, again.
[00:18:54] Speaker B: Off the top of the head.
[00:18:55] Speaker A: Sure. And I'd be curious to know what... what viewers and enjoyers of Technado think of that, you know, are there better...
[00:19:01] Speaker B: Privacy solutions out there that, you know, if so, please drop that in the comments. I want to know, because, again, I am a privacy advocate, and if there is a better solution than Proton out there that I can... I totally want to.
[00:19:12] Speaker A: I'm sure he'll... he'll take a look.
[00:19:13] Speaker B: Absolutely.
[00:19:14] Speaker A: Well, moving away from the, from, you know, more controversial stuff, this is not necessarily a security event, but it is definitely security news. MITRE has unveiled a new threat modeling framework for embedded devices called EMB3D, with a three in place of the E. They're using that, what did you call it? Leet speak. Yeah, I think I probably missed the vote on that one. But this is the... this is the diagram or the framework that they've released here, color coded. How nice is that? Now, Daniel, when they say that it's for embedded devices, can you give me, like, an example of what that would be?
[00:19:43] Speaker B: This is IoT, right? So, IoT, they have to have operating systems that run those devices. Those are embedded operating systems. So it's basically, uh, we're talking probably a lot about IoT, mostly things that are probably being used in an industrial space, critical infrastructure space. I would think that's where they're going with this, but very cool. I mean, MITRE has obviously done a phenomenal job, has always been a great resource for security professionals and people that are just passionate about security. It's going to go in there.
Threat modeling is one of the best things you can be doing. If you have an organization that might very well come under attack. So if you're in some sort of industry or space that, you know, the threat actors out there are hot and bothered about, then you probably want to take a look and see what is their common tactics, techniques and procedures for gaining access into our systems. And if I kind of can map that out, well, then I can start building better fences to defend against those specific attacks, and that's what it's all about. So that's why they're coming up with this embed threat model framework for these embedded devices. It looks really cool. And the fact that they're kind of going down this road is, is very, very interesting. I don't know if they're, they're going toward the operating system specifically or the device as a whole. I haven't really got down that far down the rabbit hole with it yet, but I do. [00:21:06] Speaker A: I mean, obviously the first time that I had heard about Mitre when I first started working here a couple of years ago, it was in the context of the Mitre ATT and CK framework. And so that I, I think it's just more of a general, for general threats, like in general, you know, threats in general, but general threats in general. Threats in general, more at six. But this specifically is for threats that target embedded devices, which is kind of nice because there might be things that maybe you don't think about. [00:21:31] Speaker B: Yeah. In the article, it says the embed model provide a means for ICS devices. So there we go. Right. Industrial control system device manufactures to understand the evolving landscape and potential available mitigations earlier in the design cycle, resulting in more inherently secure devices. This will eliminate the reduced, this will eliminate or reduce the need to bolt on security after the fact, resulting in more secure infrastructure and reduced security costs. 
So very, very great stuff that they're trying to kind of cut it off at the pass. If I can get the people that are creating these devices to bake in more security on the onset, then I have to do less strategizing and bolting on of security measures on, on the backend as we implement them. A lot of times when you're building something or making a product, you get, you're trying to develop what's called a minimum viable product. Right. This is the thing we with, this was the idea we had and it works. It does the thing we want it to do. Usually that's at the point when somebody that's signing checks goes, sell it. [00:22:33] Speaker A: Right? [00:22:33] Speaker B: You said it works. Sell it. But I mean, yeah, it works. It was like, does it work? Yeah. Can you make it? Well, yeah, sell the thing. I want my money. And you're like, okay. I mean, I guess. And unless you have companies that are thinking about the security ramifications and impacts that would come from something like an ICS embedded device being popped by a threat actor going, well, that'll give us a really bad reputation as not caring about security. And then the people that possibly would be purchasing our devices are going to go with our competitors because they do care about security. So. Okay, well, let's start working on security. So that's what Mitre is attempting to help them do is get that security baked in at the best levels. That really is focused on their specific industries, right. [00:23:24] Speaker A: Building it in rather than tacking it on at the end so that it's more inherent to the device. When you were talking about how a lot of times it's just as soon as you've got something you can sell, they want to sell it and turn that profit. I feel like I've seen a dozen movies with that plotline where it's like, sir, we've got the prototype, but it's still dangerous for the public. Doesn't matter if it's working. You could sell it, and then it kills a bunch of people or whatever. 
Obviously, in this case, it's maybe a little bit less severe, but let's hope so. I've read this book before, and that never ends well for anybody, you know. Yeah, I did not like the ending. [00:23:51] Speaker B: And that guy was a total d bag. [00:23:53] Speaker A: Was that the robot in Robocop? The, like, the one that shot the guy during the demonstration? [00:23:59] Speaker B: Oh, yes. [00:24:00] Speaker A: Where it was like, oh, but we still gotta work some things out, and then he ends up killing the guy. Of course. They just. They ended up. Did. They did turn that loose on the public, didn't they? That was not like they did. So they did not learn their lesson. [00:24:10] Speaker B: Yes. [00:24:11] Speaker A: So Mitre is trying to avoid that kind of a thing. [00:24:13] Speaker B: If Omnica. Right. If omni consumer products had only had the mitre embedded framework, maybe the ED two, and I would not have killed that junior executive in the boardroom that day. [00:24:24] Speaker A: Tragic. [00:24:24] Speaker B: Yeah, it is. [00:24:25] Speaker A: We could turn back time, you know, if we could turn back time, well, that's a little bit more severe, I guess. And speaking of severe, we got another story here. This one says severe vulnerabilities in Centurion cellular modems pose risks to various industries, various and sundry, as Mister Daniel Lowry would say, corneucopia. So a veritable cornucopia. Yes. Now, Centurion, I had not heard much about this company until we took a look at this article. Was this a company you were familiar with before? [00:24:50] Speaker B: Apparently, they make cellular models. Actually, no, I wasn't. But, you know, um, apparently they are kind of big in this space, and cellular modems are really useful and helpful devices that we tend to slap on things that it's hard to get Internet access to. Right. So I've got something that's way out in the boonies. 
You know, Starlink obviously is starting to become a definite competitor in that space as well, but you're. It's going to be a while before we walk away from cellular technology as being a viable solution for getting access to certain devices that make, that is difficult to get access to. I think of things like critical infrastructure, IoT devices. They need access to the Internet. I say they need it. We like to give it to them. Because who likes going out into the field to admin something, right? So the problem here is that these vulnerabilities include flaws that permit remote code execution and unauthorized privilege escalation, posing substantial risk to integral communication networks and IoT devices foundational to industrial, healthcare, automotive, financial, and telecommunications sectors. That seems like a problem. [00:26:02] Speaker A: A little scary. Yeah, a little scary. Now. [00:26:04] Speaker B: Es no. [00:26:04] Speaker A: Bueno, bueno, bueno. And they had, the headline obviously says severe vulnerabilities. And I went to look at the list because I think there were eight. Eight flaws. They were presented at a con a couple days ago in, I think, Germany. And the first one has a CVSS score of 8.1. Okay, that's pretty bad. And then as we go down, there's a couple down here that maybe I'm just. I don't know. Maybe. Maybe I think too much in extremes, but I'm like, up 2.4. What are we even. What are we even talking about? That's no big deal. Oh, boy. A flaw, you know, I mean, just walking around. [00:26:33] Speaker B: I got a CVSS score at 2.4. [00:26:36] Speaker A: Is by existing, you take on certain risks. So. But there were a couple that were. [00:26:41] Speaker B: It is funny about those, right? Like, we do sit here and look at a CVSS 2.4 and a 3.3 and another 3.3, maybe 4.4. And we think it's kind of some really low hanging fruit there. That's like, what are you going to do with that?
Ultimately, good hackers will use that information to. And build upon it. Every piece of information that they can gather and glean from their target could potentially be. Right. It's all about analyzing that data and figuring out where the weak points is and how it all fits together. Building that puzzle. [00:27:13] Speaker A: Because we do see them string together correct vulnerabilities. Right. [00:27:15] Speaker B: Right now it's. It's always bad, you know, it's why we always see the, oh, 9.8, 9.9, 10 point zeros. And, you know, up in the nines is typically what makes the headlines. And we do have a. What was an 8.1 was a buffer overflow. Okay. Yeah, I mean, that's, that's definitely up there. But if you start putting all these things together, that's when it starts to get dangerous and gives you the ability to fire off that 8.1. So really good hackers out there. And when you think of the space that we just. The space is that we just discussed on where this would be affected, that, that's, that's nightmare fuel right there. Right, right. Industrial, healthcare, financial, telecommunications. Come on. I mean, automotive, I guess that that has some severe implications as well, because what if that automotive industries like self driving cars, and they have now have access to the code to the self driving car? Who knows what a threat actor will do? Especially if they're some sort of zealot hacktivist or they're just state sponsored. There are countries that are at war with us. That kind of stuff. That's when it gets super dangerous. [00:28:23] Speaker A: And I guess, too, I sometimes forget that when they've got scores attached to them. Right. It doesn't necessarily mean, like, well, this one's, you know, an eight or a nine or whatever. And so, hey, we gotta get this fixed. That one's a 2.4. We can just leave that. Like, you still want to do what you can to mitigate that and fix it, but it's more like a.
I remember learning about, like, all the, the risk matrix and all that stuff and how if you have ten flaws, you can't just fix all them at the same time. A lot of the time you have to kind of pick and choose which ones you want to address first. And so you have to prioritize and kind of help you prioritize. Maybe let's address these bigger ones first. We still want to address these, but we can hold off a little bit and work on these first because these are not as pressing, I guess. But it doesn't mean you still don't want to fix the problem. [00:29:01] Speaker B: Yeah, I do love this little quote here. It says, since the modems are typically integrated in a matryoshka style within other solutions, like a Russian doll kind of thing going on there with products from one vendor stacked atop from the, from another. Compiling a list of affected end products is challenging. Yes. Yes, it is. But hey, there you go. Hopefully there's going to be an update soon, if not already. [00:29:27] Speaker A: Right. [00:29:28] Speaker B: And that will address the flaws. A lot of times, that's by the time they disclose these things, that has what has happened, right? [00:29:36] Speaker A: Yeah. [00:29:36] Speaker B: Yeah. Okay. It's time to update our devices. It's crazy how many, how many organizations and environments out there are just not updated regularly. It's like, I want to get to it, you know? Well, it's the big deal. It's an IoT device. [00:29:50] Speaker A: You always think it won't happen to you until it happens to you. [00:29:53] Speaker B: Yes, yes. [00:29:54] Speaker A: Never immune from it. But yeah, you're right. I mean, this, these were presented at that conference only, I think, three or four days ago. And this article just was published like yesterday or a couple days ago. So maybe we'll see more on this in the coming weeks. But for now, we've got another. I know it's one of Daniel's favorite segments. It's pork chop sandwiches.
[00:30:11] Speaker B: Pork chop sandwiches. Pork chop sandwiches. Just keep playing. [00:30:20] Speaker A: It just keeps going. Just put it on a loop in the back. [00:30:22] Speaker B: Never gets old. Never gets old. [00:30:25] Speaker A: Our pork chop sandwiches segment a lot of times is like a. What the heck is going on? So in this case, we've got some malicious Python packages hiding Sliver C2 framework in fake Requests library logo. And this is another case, I know we've talked before. It got a lovely little AI generated picture or something, but we talked before about just a few weeks ago, PyPI had some stuff that, like, people were downloading and it, because it's a. Anybody can upload and anybody can share stuff. [00:30:49] Speaker B: And it was just a few weeks before that we talked about how in PyPI there was some malicious packages that made their way in there disguising themselves as non malicious packages. And then a couple of weeks before that, I think we talked about how PyPI. Yeah, you know, it seems like there's a pattern happening here. And it's not just them, you know, NPM and all the other package distribution kind of things for all these different programming languages. They are. If it is open for anyone to put in code and make it available for the masses, then you run the risk of a threat actor putting in something malicious. And that is what we are seeing right here. I just thought it was interesting that this week, within the saga that is the PyPI repos, is that we're seeing Sliver C2, which is a framework that I'm vaguely familiar with. I've used it a little bit. Yeah. [00:31:46] Speaker A: If either of us is going to be familiar with it, it's going to be you. Just ultimately speaking, it's free and open. [00:31:51] Speaker B: Source C2 framework. So if you want to go, just download it, get it installed and start, you know, making beacons and things like that to play with, you totally can. It's. It's really fun.
Gives you some, some hands on experience with what red teamers do on a daily basis. And obviously they're not the only ones. Just like any of these administration tools, this tailors all the time when it comes to it, we build an administrative tool, right. Or something for that can help with security or lower our administrative, um, overhead. And that tool is really great, man. Could see inside of things. You can do all this stuff and make our lives really easy, but it can be turned around and used against us. It is a double edged sword. [00:32:31] Speaker A: Yeah, right. [00:32:32] Speaker B: A lot of times Sliver is no different. These red teaming, uh, individuals that are out there using Sliver on a daily basis to do red team activities to help increase the security of organizations out there in the wild. Doing a good job, doing a good thing. Threat actors can turn and go, well, it's free and open source. Cool. Let me, let me grab that and use it. You're telling me I can, I can hack people with this? Awesome. [00:32:53] Speaker A: Yeah. [00:32:54] Speaker B: Guess what they're doing? They're hacking people with this. [00:32:57] Speaker A: Always gotta be somebody that spoils the fun. [00:32:59] Speaker B: One bad apple and the whole bunch, right? [00:33:00] Speaker A: That's right. That's right. So this malicious Python package, in this case it purported to be an offshoot of a popular Requests library, of the popular Requests library. And that was called requests-darwin-lite. That was the name here employing steganographic trickery. Love that phrase. [00:33:14] Speaker B: Yes. [00:33:14] Speaker A: So it has been taken down from the registry, but not before being downloaded over 400 times. So it was researchers that found this and that's good. We like when that happens. Right. But there were some folks that downloaded this and so I guess maybe it's, it's wreaked some havoc. [00:33:26] Speaker B: Well, you know, what kind of points? I just, I just thought of this.
I don't know why this had never hit my brain before and it has today is if you're a security researcher and you want to get some experience or maybe you're new to security, start looking through these public repositories and looking at code and seeing if anything malicious is in there and then you can make a blog about it. That's a great way to get some real hands on experience in practical, applicable security without having a job in it. Doing it. It's just right there jumping up. Apparently PyPI is rife with these things, so. And you're doing a good thing, you're providing a public service. So, man, you just got all sorts of really good things going for you by being a part of the solution instead of the problem. [00:34:08] Speaker A: So this is, I mean, they kind of mentioned in the article a little over a month after a company discovered a different rogue NPM package. And so this is obviously not the first time something like this has happened, specifically with PyPI. But like you said, I'm sure it's not just PyPI. And there's an interesting twist. It says the infection chain only proceeds if there is, if the identifier matches a particular value. So they are looking for specific machines that they want to breach. I guess so. I thought that was kind of interesting. So it's either highly targeted or they're testing something before they switch to a little bit of a broader scope. [00:34:38] Speaker B: Yeah, that's, that's very interesting that they have a very specific, maybe this was a, a test run. Right. That kind of thing. Um, but what really, to me, the big interesting thing about this was that they were using Sliver, right. They didn't make their own thing. They used an off the shelf solution that was incorporated into the malicious package. So very, very interesting to see when threat actors use commodity malware, I guess, for lack of a better term.
And maybe, again, maybe that was because this is in the testing phase and they weren't really worried about it at that point. They were just testing things. And they do have their own kind of C2 infrastructure built on the backend. Or maybe they're modified because Sliver is open source, they're making modifications to it, and they're going to come out with whatever their threat actor name is. Version of Sliver. Yeah, I thought that was an interesting little thing. [00:35:32] Speaker A: It was interesting, and I guess we'll, we'll have to wait and see if anything else comes out about this, if it is some kind of a test, before they start, you know, casting a wider net. Obviously the package has been taken down, but over 400 downloads is a decent sample size, I think. So we'll have to see if anything comes of this and if there's more updates that come out in the coming weeks. But we got a couple more articles we want to jump through before we take a break here. This next one, a new LLMjacking attack. Exploits stolen cloud credentials. Lots of buzzwords here, LLM, cloud and, oh, it's great. [00:36:01] Speaker B: It was just missing AI. All we needed was AI in the title. [00:36:04] Speaker A: Well, well, yeah, I mean, I mean. [00:36:06] Speaker B: It's not far down the road. [00:36:07] Speaker A: Go in a few sentences. There it is. LLM based artificial intelligence systems. So this is a novel cyber attack. They're calling it LLMjacking. So I guess like hijacking, but specifically with LLM related stuff. So this is, I think this was just a couple days ago that this was published, but there was a blog post published last week about it. And attackers are finding more ways to exploit AI models. Shocker. They're using something that we could be using for good and for positive development, and they're using it for evil. [00:36:33] Speaker B: Oh, man. Why? Why are they doing shocker? That's right. I know. I'm aghast, even appalled, truly, of the.
[00:36:40] Speaker A: Gall of these people. [00:36:41] Speaker B: Well, no, you know, if. If something comes out and it's useful, attackers are going to go for it, right? Whether that be to use AI directly to create malware or phishing campaigns and all that other horrible stuff that they attempt to use it for or to go after your LLM and your access to said LLM so they don't have to pay for it, right? Because it does cost money to get the good stuff. You know, you can play with ChatGPT 3.5, or Gemini or, you know, some of those other open systems, but if you want the big dog on the block, you're going to shell out some dough-re-mi. And they're like, why? I could just hack into somebody else's stuff and utilize theirs. [00:37:21] Speaker A: Yeah. [00:37:22] Speaker B: And I believe it says right here, says in this instance, the attackers exfiltrated cloud credentials to gain access to the cloud environment, where they targeted local LLM models hosted by cloud providers. For instance, they targeted a local Claude LLM model from Anthropic, which, if left undetected, could result in over $46,000 of LLM consumption costs per day for the victim. That seems like an issue, right? That's some, that's some big dough-re-mi right there per day. [00:37:50] Speaker A: Yeah. [00:37:51] Speaker B: Right. So obviously they are just stealing your resources and then using that to do horrible things. [00:37:57] Speaker A: Right. It could be, you know, like developing code that's malicious or whatever. Or they also pointed out trying to ask a bunch of questions to pull any sensitive data out of it. Because if you are using it and asking questions for your own personal stuff. Yeah. Your data is then going to end up in there. Maybe it's sensitive company information, whatever. [00:38:15] Speaker B: That's the other shoe that goes on this. Exactly. I'm glad you pointed that out.
It's not just now I have access to your LLM, but I have access to all the data that you put into your LLM, which API keys, code, password, you name it. [00:38:29] Speaker A: If you know what access or what questions to ask, then, yeah, you have no idea what you could spit out the good stuff, pull something out of it. It's like when you put one quarter in the gumball machine and it gives you three gumballs for some reason. [00:38:40] Speaker B: If you got that LLM access out there, you might want to make sure all your systems are tightly secured and keep an eye because that could be a bad day if they start really spinning stuff up. [00:38:51] Speaker A: Yeah, absolutely. Luckily I'm not running any large language models so hopefully I don't have to worry about this. But yes, it's good to keep in mind. Now we've got an exciting little update. Nmap 7.95 was released. [00:39:02] Speaker B: Look at that. [00:39:03] Speaker A: We've got an article talking about what's new. Now I personally I have not used Nmap extensively, but I have witnessed Daniel use Nmap on many various sundry occasions in lots of courses that we do here in the studios. So what is exciting about this update to you Daniel? [00:39:18] Speaker B: Um, it looks like it's performance okay. For the most part kind of just shaving off some of the rougher edges around Nmap. If you've ever run an Nmap scan, you'll notice that when you do things like OS fingerprinting that it goes, our best guess is this. And sometimes it's just really bad. It's not great. You're looking at it and if you do it enough you figure it out yourself. You oh yeah, we're working with a Linux machine or this looks like Windows Server, probably something to that effect. You start to intuitively to figure those things out. But Nmap has realized that hey you know what, we're not great at that OS detection. Let's really hunker down and try to make that a more user friendly experience and have a better experience for our end users.
So they've really worked on that. I think they also worked on the versioning. So if you look at, if you see an open port, you know, Nmap will kind of tell you, let's say you see port 80 is open, it'll say HTTP okay well what about port 792? What port is that? What services normally associated with that? I think they've done some, some refining on what goes on and now how that's defined to make sure that when you see that port it's reflecting what is normally used in today's day and age on said port. And then if you actually go into the versioning and say hey you know you run like a dash V or you know the dash A, I typically just run a dash A because it does like operating system scan versioning it does. Or fingerprinting, not versioning. It'll tell you the operating system fingerprint and it'll tell you the service version if it can. Right so it kind of increased not only the accuracy, which it tells you what that software and version is that's running on that service port, but it has increased what services and software is available and being used for those, because, you know, we come out with new software and services all the time, and now they've just kind of updated that. So they added a lot. I think it was something over 6000. [00:41:18] Speaker A: Oh, yes. [00:41:20] Speaker B: 6500 new fingerprints with 336 new OS detection signatures and 1246 protocols now recognized. So lots of updates for this and very good ones. Also new bug fixes as well. We always like bug fixes when it doesn't do the thing we think it should do and gives us some garbage. We don't like garbage. We like the thing we're looking for. So, very cool to see 7.95 marking a significant increase in functionality in addition. [00:41:50] Speaker A: To expanded support and bug fixes. Looks like there's some new scripts, so that's kind of fun. Four new NSE scripts for querying industrial control systems.
[00:42:00] Speaker B: Moving into that space, that's been an industrial control systems day, hasn't it? [00:42:04] Speaker A: It's gonna be our title. We'll have a big factory in the background of the. No, I'm just kidding. We'll think of a catchier title so that you click on it. [00:42:12] Speaker B: That's right. Technado destroys ICS clickbait. [00:42:16] Speaker A: Yeah, no, we try not to do that. We do have one more article we wanted to touch on before we take a break here on Technado. New PoC released for critical PuTTY. Putty, putty, putty, putty, putty. I said putty. And how in the world. [00:42:30] Speaker B: What are you, Sylvester the cat? I taught. I. Yeah, I taught, I taught. I guess that's Tweety, right? [00:42:37] Speaker A: Putty, putty. Sorry, hoodie. My bad. Anyway, PoC released for critical PuTTY private key recovery vulnerability. Daniel is obviously the. The PuTTY expert, because I've been using. [00:42:49] Speaker B: PuTTY for quite some time. [00:42:49] Speaker A: I can't even say it correctly. [00:42:51] Speaker B: So have you never used PuTTY before? [00:42:53] Speaker A: I've never used it. You've seen the closest I've gotten is watching you use it. And then when I was, like, kicking buckets and stuff, not for anything malicious, but a lot of times I would find stuff that was like, oh, it had that, that file extension river on it, and I was like, oh, what's this? And so that's the closest I've ever gotten to touching it. [00:43:09] Speaker B: Okay, so this is actually a bit of an old thing. I say a bit of an old. It's like last news, about a month ago, they discovered a flaw in PuTTY, and that flaw was disclosed properly and patched. So all you have to do is go patch. But guess what? You ready for this big shocker? I hope everybody's sitting down. Not everybody. Patches. You could still be running an older version of PuTTY, which is now susceptible to a real problem. And a proof of concept has come out for people to be able to wait for it.
Recover keys, private keys that is, that you use to log into things like SSH. So if you've got PuTTY and you're running it, man, you really need to do the update thing. And now that's the long of it. What's really cool is that there's point of concept or proof of concept code out there that we can go and look at if you're so inclined to see how does this actually work. Maybe modify it for yourself, play around with it, build a lab, put an old version of PuTTY, see if you could extract the keys and build your. So it's more of like, hey, there's a resource out there for all of us to be able to kind of play around with security stuff and exploit a known vulnerability with PuTTY. And PuTTY is ubiquitous, man. Everybody uses PuTTY, so it should be fairly easy to go get your hands on an older version that would be susceptible to this. Slap some keys in it and see if you could extract them out using the proof of concept code that is now available online. So just very cool stuff. And of course the article goes into a little bit about which versions are susceptible and where you might see the problem. Right? So it says the PoC leverages the nonce bias to recover the private key from a set of signatures generated by a vulnerable PuTTY version. Attacker could obtain the required signatures in several ways, such as setting up a malicious SSH server and capturing the signatures from connecting PuTTY clients, or extracting signatures from signed git comments or git commits. I'm sorry. Or other sources where PuTTY was used on SSH agents. The vulnerability affects not only the PuTTY client, but also several other popular tools that incorporate vulnerable PuTTY versions, including, and not limited to, FileZilla. Now no one's ever heard of that. WinSCP again, no one's ever heard of that. Now this TortoiseGit and TortoiseSVN I'm not as familiar with, but I definitely know these two bad boys right here.
So it's not just PuTTY itself, it's things that incorporate PuTTY into it that you gotta be on the lookout for. So definitely, if you haven't heard of this, definitely need to go update. And if you're so inclined, grab that PoC and see what you can do with it. See if you can make it work. It's a lot of fun and you'll know more about that. And that will kind of hopefully lend to you being building better fences and understanding the importance of getting updates done in a timely fashion. [00:45:58] Speaker A: Well, this has been Daniel Lowry, our resident PuTTY user and expert, because I don't understand it. So he's the expert. [00:46:05] Speaker B: By, you mean pooty? [00:46:06] Speaker A: Hootie, yeah. Yes, exactly. He's right. He reads my mind. He knows exactly what I'm thinking. Oh, that's gonna do it for our conversation on Pootie. For now. [00:46:19] Speaker B: I see. We start a campaign where we rename PuTTY as Pootie. [00:46:24] Speaker A: It's the long use. [00:46:25] Speaker B: That's right. You gotta put an umlaut above it or something. [00:46:27] Speaker A: Yeah, well, that's going to do it for our conversation on P for today. Maybe we'll come back to it in the future. But we are going to take a quick break so that. So that we can, you know, rest and I can finish my Celsius. And we will be back with a deep dive. So. So don't go away. Stick with us through this break here on Technado. Tired of trying to schedule your team's time around in person learning? Isn't it a bummer to spend thousands of dollars on travel for professional development? What if we said you can save money and time and still provide your team with the best training possible? The answer to your woes is live online training from ACI Learning. With live online training, we provide our top in person courses in private, online instructor led formats. You get to provide professional development in a manner that fits today's expectations. Entertaining, convenient and effective.
Our exam aligned courses inspire the full potential of your team. Visit virtual instructor led training at ACI Learning for more info. Welcome back. Thanks for sticking with us through that break. As you can see, I did finish my Celsius. It is gone. Daniel is ready to get into our deep dive. [00:47:29] Speaker B: What? [00:47:30] Speaker A: I think so. Yeah. I didn't. We have a deep dive surprise. Yeah. You're our subject matter expert for this and we're gonna be. [00:47:36] Speaker B: Push me on stage. You'll be fine. [00:47:39] Speaker A: Into the spotlight. You're just sweating profusely. Yeah. [00:47:42] Speaker B: So, uh, yeah. Malware. Right? [00:47:45] Speaker A: Man, it's hot before Daniel starts just open mouth sobbing. Yeah, it is about malware. We're gonna be talking about malware. And I do enjoy a good malware conversation. And this one is a Mallocs. Malox. Mallocs. [00:47:57] Speaker B: I want to pronounce it Malox because anyway, it's kind of funny because Maalox is the, you know, if you get boo boo belly, you take some Maalox, you drink a little Maalox, makes you feel better, whereas this is kind of the opposite of that. This kind of makes you Mallox. I think it is Malloc or Mallox. I think it makes you need Maalox. If you've been infected by it. You're like, ah, suck. Because it's ransomware. [00:48:21] Speaker A: Okay. [00:48:21] Speaker B: Ransomware is not fun. [00:48:24] Speaker A: Yeah. [00:48:25] Speaker B: If you've never had to deal with that before, well, then, man, count your blessings. Yes, you should. Absolutely. Because it's total suckville. Have your entire thing encrypted. That's all your sensitive data. Then you got to worry about things like double extortion, where not only do they want money to decrypt your files, but, oh, yeah, we exfiltrated all that information, and we will put it on blast if you don't give us some more money. So, which is a common tactic, honestly.
So I wouldn't be surprised if we see Mallox doing the same exact thing. It's repeating. But what I thought was really interesting about this article is this article isn't about like, oh, this company got breached or, you know, this software vulnerability per se. It's more of how do we discover and look at and analyze malware. Malware strains its evolution, its impetus, where all it comes from. This is a, this is from the Sekoia blog, and they are security researchers. And what they're doing is trying to figure out more about the Mallox platform, the Mallox ransomware itself. How does it work? How is it deployed? So that's what this is all about. And what they did was they set up a honey pot, man. If you want to learn about malware, set up a honey pot. You make it look as enticing as possible. You put it on the Internet and you just let it fly and won't pay. Take long. And if I'm not mistaken, if you look at, you know, this table of contents, which give us a bunch of interesting different things, like the introduction, the infection flow, and initial access exploitation, all the good stuff we normally love to do right here in this deep dive section, a little bit about PureCrypter, which is the loader that it uses, the Mallox ransomware deployment itself, the infrastructure used behind it, and then some detection conclusions and IOCs as we always like to give you. But it says that they, I want to say it took them within the hour before this machine that they, this honey pot that they set up was popped. So it's in here somewhere that they used a weak password. They set up a Microsoft SQL Server, they put it on the Internet, they gave it a weak password, gave access to the MSSQL from remote areas. And within the hour this thing was brute forced. And there starts the chain of events. Right. You've got a server, you need access to it from anywhere in the world.
So you give it Internet capabilities and if you're not using good security, you can be rest assured that this is going to happen to you. And that's exactly how this started. [00:51:02] Speaker A: And honey pots are fun. Like, you know, you just, it's basically, you're just, hey, come on, hit me. Do it. Like let's see what you got. And they, you know, set it up. Obviously they were breached within the hour or he was hitting them within the hour and they just kind of, okay, let's see what you can do. And just monitored it throughout that following week and they were able to then see kind of the process and, you know, how did you get access and what did you do after you got access? So the initial access though was through a brute force attack and they targeted an account. I guess if the account had a weak password, then probably didn't take them too long. [00:51:31] Speaker B: Yeah. And unfortunately that happens. Yeah, right. [00:51:34] Speaker A: That's true to life. [00:51:35] Speaker B: That is, that is not out of the realm of possibilities. Don't be sitting there on your high horse going, oh, there's some stupid man. It happens a lot. Unfortunately, that is the thing. So the first thing we can learn from this specific deep dive is don't use weak passwords. Do not do that. Now argument can be made whether or not you should be letting remote access happen to your Microsoft SQL Servers from, you know, Anywhereville. There's pros and cons and there's use cases for allowing it or not. But okay, if I am going to allow that, what are the other security like? Maybe I should be putting a firewall in front of that and rate limiting connection attempts. Because if brute force is the common way of attacking these things to get to the SA account, then I need to rate limit the ability to brute force this. I need to have abilities to, you know, kind of block access. If I'm getting too many requests from a single source, that would be that. And then I need to send an alert.
I need to set up systems that will alert that, hey, did you know? And that's where things like SIEMs and SOARs and, and all that come into play to where they're telling you, hey, we've noticed a little pattern happening here. You probably need to go take a look at that. Why is it taking somebody 333 tries to get into the account and they did that within five minutes? Hmm, seems unreasonably fast. [00:52:55] Speaker A: It's me at my desk. I can't remember, like spring 2021. Dang it. [00:52:58] Speaker B: Spring. [00:52:58] Speaker A: Spring 2022. Dang it. Exclamation point. Dang it. [00:53:01] Speaker B: Capital S spring. Son of a gun. [00:53:05] Speaker A: But probably, yeah, it's a, it's a sign that you should go check on things. Sorry, it just started raining really loud and I got distracted. Cause I'm like a, you guys can't hear it, but you can't hear it. But we can have a limited attention span. So I got excited. But you were mentioning like, you know, if you're seeing a pattern, draws your attention to it. And in this case, all the exploitation attempts are coming from the same place. But there were two distinct patterns that they saw and so they kind of detail them and going through these patterns. What's, what's important about this? Why is this, is this not common? Is it usually. [00:53:35] Speaker B: Just tell me what you mean by patterns. What patterns? [00:53:38] Speaker A: So they said there were two exploitation patterns. [00:53:39] Speaker B: Oh, exploitation patterns. Not, not initial access patterns. [00:53:43] Speaker A: Right. But once they were in, so we've. [00:53:44] Speaker B: Moved in, they've, they popped the SA account because it had crap password. Now we're in. They got two different ways to exploit. Yes. Now that is interesting. And the reason is they're hedging their bets. Right. If one doesn't work, try the other way. Right. Because maybe they do have some sort of security system in place.
And based on what we can see, and I say we go ahead and dive into those exploitation patterns, see the difference on what's going on and why one might work versus the other and so on and so forth. That's really good information. So let's start with the first one, exploitation pattern number one. So the first thing they do, the attacker enabled the twervy twist worthy. Got me with the pootie I taught. I thought twist wovey path. I did. [00:54:31] Speaker A: What a way. [00:54:31] Speaker B: I see that enabled the trustworthy parameters for the master database, which is disabled by default. So there's step number one. So they, if you enable that, then it allows them to impersonate other users and then you can execute as those other users. I think Sophia thinks this is awesome because she's about to cry with laughter and I must know. [00:54:57] Speaker A: I'm sorry. [00:54:58] Speaker B: No, please share with the class. [00:55:00] Speaker A: I'm still thinking about twist wovey. I'm sorry, I'm sorry. [00:55:04] Speaker B: No, no, it's actually good because the people out there are now getting a glimpse in what I deal with on a daily basis. If you hit her funny bone, she cannot stop and she starts crying. [00:55:16] Speaker A: Sorry. I'm sorry. You can keep going. I'll collect myself. [00:55:18] Speaker B: It's funny. [00:55:19] Speaker A: Exploitation pattern. [00:55:20] Speaker B: One exploitation. We're going to do the entire thing like this for the whole thing, right? It enabled the CLR. Right? I can't do it. I can't. I can't even do it. Yeah, it gets crazy. So CLR now, this is not something I'm not, I've never done like an MS SQL database admin. I'm not a database guy. I remember trying to do it way back in the day when I first got started, my career, I was like, oh, this is dumb. I don't know who's interested in these things, but this is not me. So I figured this CLR, what is that? What's a CLR? And then a CLR assembly. So I want to look that up.
So let's go to Google and let's look up MSSQL. I'll actually make this human readable. Yeah. MSSQL CLR. What is that? Common language runtime. So that's interesting. Learning something new right here live on the show. So what is a common language runtime? This is for SQL Server users and application developers. CLR integration means that you can now write stored procedures, triggers, user-defined types. Okay. So it's like programming. Gotcha. So you're kind of like dipping into the code execution. At least that's seemingly what that's saying when it comes to the CLR business inside of Microsoft SQL Server. Okay, so they are enabling CLR makes more sense and trustworthy parameters and is a prerequisite, a prerequisite for exploiting CLR assemblies. So I'm guessing they're going to build an assembly or a binary package, something with code and executable that if you have CLR enabled that you would able, you would be able to actually execute it. That's what they want. And they're going to use trustworthy to execute it as a different user. That's my thought. So the attacker created an assembly. Oh, look at that. Had I went to the next sentence, that would have been fun. They call it shell. And they stored it on the MSDB database with the unsafe permission. So none of the. None of the nannies are going to balk and yell and go, hey, you're doing something unsafe. Yes, I know. Turn that off, please. You ever watch the Simpsons? [00:57:27] Speaker A: A little more casual? [00:57:29] Speaker B: In the Simpsons, they always do the Halloween special, the Treehouse of Horror. And there was one where there's this demonic monkey, and every time you make a wish, every time it claps its hands. [00:57:41] Speaker A: Oh, like the cymbal monkey, right? [00:57:42] Speaker B: It does something. It takes your wish and twists it up and does evil things. [00:57:46] Speaker A: Okay. [00:57:46] Speaker B: Right at the end of it, they turned. It was like, oh, there's the problem.
It's set on evil. They flipped it to good. [00:57:54] Speaker A: So in this case. Oh, unsafe. [00:57:56] Speaker B: Yeah. Just flip this to evil and do all the bad things. Right. And then from there, it says, the assembly is a .NET DLL containing, which is a fancy way of saying it's a binary program written in .NET, and it contains a class called stored procedure, which executes a cmd.exe function. What can I do with cmd.exe? Hmm. Well, I think the sky's the limit on that one there, Sophia. Yeah, yeah. Because cmd is basically, you're at the command line telling the computer run commands, right? So if I can run the cmd.exe function, then it says right here, this function executes commands passed to it, just. [00:58:37] Speaker A: In general with no parameters. [00:58:39] Speaker B: Man, I'm just starting to think of all the wonderful commands I could pass to said device. You know, when we talk about remote code execution or command execution, that's kind of what's happening here, right? Not necessarily an RCE in that way. [00:58:51] Speaker A: Sure. [00:58:52] Speaker B: I'm interfacing with the system in a way that allows me to pass it commands, and it'll run them. So very cool. Let's see, what else do we have with this thing here? [00:59:02] Speaker A: I've got a whole big graphic here that shows you all the different. Whenever they start to get into that, where they show the strings of code, I'm like, all right, hang on. I got to prep up and zoom in. [00:59:11] Speaker B: You got to get prepared. You got to center yourself. [00:59:14] Speaker A: Yeah, I'm like, all right, so it. [00:59:15] Speaker B: Is interesting because they do talk about this. So this is the shell assembly. This is what they're looking at right here. And you can kind of look in here, and you don't have to be a code expert, because I sure as heck ain't and use words like ain't. But you see right around this region, you see what it's calling right. I know that. That's okay.
So it's looking in a folder environment, special folder, Windows. And there's the path. So get folder path. And you can see System32\cmd.exe, which is where cmd, if you go into your Windows systems, that's where your cmd.exe exists. Okay. So it's grabbing that. It's got the string format and it's got this execute command value which is going to pass whatever value that it sends to it and then uses UseShellExecute false, start, RedirectStandardOutput true. They probably don't want this to go to anybody that's watching. They don't. They just want to redirect that out to nothing or somewhere else. What else do we got here? Anything interesting? More standard output, read to end, string to answer. So this is where it gets the results. So it says send results start to SqlDataRecord. Really interesting. So it's just using this to, this is what the shell binary does. It gives them the ability to run shell commands on that system. So I'm guessing they're going to use that for more fun stuff down the road. So it creates a stored procedure, cmd. Yeah, yeah. So we kind of gone through this and here's more of the kind of the bouncing ball, right? Finally it called. Finally it called, I've been waiting by the phone. It called the stored procedures to execute a command passed in parameters, which then performs the following action, echo and redirect. We saw the redirection. I didn't see echo in there, but there's a lot of code. It creates a PowerShell script. It's not the first time we've seen that, is it? [01:01:08] Speaker A: No. [01:01:08] Speaker B: Why do you think they use PowerShell so much? [01:01:10] Speaker A: Well, maybe it allows them to do more because there's isn't PowerShell. Like I had to get permission from Nate, like, our IT guru here to even use PowerShell on my own machine. It was so locked down, you don't touch it unless you have to. So that tells me it's probably pretty dangerous if the wrong person.
[01:01:27] Speaker B: That's right, because PowerShell is very powerful. [01:01:29] Speaker A: Okay. [01:01:30] Speaker B: If I've got access to PowerShell, I can do anything on this machine. I can. It is a fully fledged programming language. You can build things. You can do things like reach out to the Internet and download malware. It's a lot of fun. So that's why here we turn off PowerShell for random regular users. [01:01:50] Speaker A: Yeah. [01:01:51] Speaker B: What are you using PowerShell for? You don't use it. That would be a red flag if. [01:01:55] Speaker A: I was using it regularly. Yeah, absolutely. [01:01:57] Speaker B: So if you don't have that system set up and you're running this, you might want to go ahead and make that happen. You might want to do that anyway. Just make sure that only administrators are running or have the ability to run PowerShell, right? Otherwise it's just weird. So from there it downloads a binary and saves it to the ProgramData folder right there. Then it calls PowerShell to execute the script which finally uses WMIC to execute the binary. It's just another function inside of Windows system to be able to do certain things like it's similar to PowerShell in its functionality, just the way that it works is a little different. Okay. [01:02:35] Speaker A: A lot of creating and calling and creating and calling and creating and calling. Even after this, through that it enables these parameters, it uses this, it enables this, uses this to create this and then calls this object. So there's several steps but I would imagine this is probably happening pretty rapidly. [01:02:52] Speaker B: Oh yeah, yeah, in super fast time. [01:02:54] Speaker A: Okay. [01:02:55] Speaker B: Because it's being done programmatically, it's not like they're oh, I've gotten access to the system and now a shell has popped and I'm enabling all these commands manually. That would be a big time suck, right? That would not be it looks like it, yeah.
One of the things I am familiar with though is they enabled this xp_cmdshell. The little bit that I have done when it comes to offensive security, hacking things in real life land, I have done this right here. So I gain access into Microsoft SQL Server. If I have the ability to enable xp_cmdshell then I can then send commands to the operating system and it will execute them. So just one of those tried and true things that you might see out there that allows you to execute commands. Another one of these things is enabled OLE automation procedure. That is something I definitely am not familiar with. So let's go look that up. I think it is object level. Maybe that's it. So let's do OLE and MSSQL. See, driver, but I don't know what this is. Microsoft OLE DB driver. It provides connectivity to database servers. I don't really know what it does. Just has this DB driver, interesting connection strings, but it's enabling it and it seems important for them. So they are totally doing it. And also enable the OLE automation procedure parameters to allow the SQL Server to leverage OLE objects. Gotcha, to interact with other objects. I'm wondering if there's some functionality with this OLE thing that would allow for more execution of binaries or something of that effect. [01:04:30] Speaker A: Okay. All of this is just the first exploitation pattern that they noticed. The second one, it looks like it's the same sequence as what we just talked about, but it says it's the same sequence as the previous case, but without the attempt to deploy the assembly and the associated stored procedure. So if it's the same sequence, what would be the reason for changing it in this way? [01:04:49] Speaker B: So you know how you said that you tried to run PowerShell and it didn't work? [01:04:53] Speaker A: Oh, okay, so they can't get access to it then. All right, here's plan B basically. [01:04:57] Speaker B: Yeah, plan B, right. Okay, PowerShell routes, that's, that's not gonna work.
Let's try something else. Let's just drop something malicious and see if it works. Okay, that, that's what it seems to be. It says in this case, based on the Microsoft SQL log analysis and more specifically the client app name field, a relevant pattern emerges. Vim four year. That's a fun name. Obviously that is meant to not ring any bells to say, oh, look at me, I'm an evil thing, right? It's just some random weird thing. Or is it? This application name appears several times and is systematically associated with the same action sequence. It is most certainly an exploitation tool. So it says, I did find this interesting. Note that the crap crack crap Mac. No, CrackMapExec, Ms school. This has been the flubby talkie episode. [01:05:51] Speaker A: Of Technado crack attack epidemic. Putty puddy hoodie Putty. [01:05:58] Speaker B: Crap Mac. [01:05:59] Speaker A: Chris is gonna put this together in a short, like we're having a stroke just collectively. [01:06:03] Speaker B: Yeah, absolutely. We have aphasia team effort. So it uses CrackMapExec or it looks like that. Very similar. Right. That tool leaves a familiar similar trace. A random application name of eight characters long is also the case for the Metasploit exploit module. So if you're running CrackMapExec or a Metasploit module, they're very similar. So maybe these attackers are using those and just kind of modifying them a little bit or they're using them and this is exactly what it is and they just can't put their finger on it. That to tell you, yes, I've got hard proof. I've got circumstantial proof that seems to be proving that fact to be true. [01:06:40] Speaker A: Okay, now after either one of these two things happens, right, one of these two patterns that they're seeing post exploitation says the payload downloads a file from the Internet that's got encrypted data that then gets decrypted. There's a .NET library that's obtained and then a third party payload is loaded.
And that third party payload is the Mallox, Maalox, however you want to say it, ransomware that we talked about. And they've got like a little of flow chart, I think that shows kind of that process. And from the brute force all the. [01:07:07] Speaker B: Way to the end, I've got that flow chart. If we want to see that flow of execution here, like you said, Sophia, we've got the brute force and the MS SQL Server. From there, after they log in, they'll try to drop and execute that SQL shell, maybe try to run xp_cmdshell, and last but not least, execute that sp_OA method. And if we get that cmd.exe to run, cool, then we use PowerShell to download and drop PureCrypter. And that kind of takes us in. The next phase of what goes on in here is once we get to this PureCrypter, which is a loader, if I'm not mistaken, it's going to download stage two and decipher and load other malicious activities as well. So loaders are just that kind of malicious code that goes, hey, I need a little more functionality. Grab that from the web. Hey, I've got some built in. Let me probably decrypt that because a lot of times they're using encryption functionality to obfuscate that away from any AV/EDR systems that might be looking at it. And once it gets there, it just loads up the final malware, which is drop and execute Mallox. Mallox is the final stage of this. Mallox is the ransomware itself. Once that gets loaded and executed, it starts encrypting files. It's probably going to give you a little, hey, how you doing? By the way, I didn't know if you noticed this, but we've encrypted your files. If you'd like to get them unencrypted. Well, that is an easy process. If you'll see this bitcoin wallet address, you'll just put some bitcoin in it, let us know you did that, we'll give you that decryption key. No problemo. So there that is. I like, I like watching these flow charts because it does kind of surmise everything into one easy, pretty pink package with a bow on it.
[01:08:47] Speaker A: So once that, that third party kind of payload has been, if this succeeds, right, and it ends up on the target, right at that point, is it just like, okay, now your files are encrypted and that's it and you're done. [01:08:57] Speaker B: No, actually before it does that, I don't think we saw that in the flowchart, but it does do some. Am I in a sandbox check? [01:09:04] Speaker A: Oh yeah. [01:09:05] Speaker B: You want to make sure that it's not running to be analyzed by people like Sekoia. It looks for some really interesting things. Specifically it looks for a DLL called SbieDll which is associated with Sandboxie. Also tries to retrieve the Win32_BIOS using a WMI query, looking for values like VMware, Virtual, AMI or Xen. What else does it look for here? Malware checks for monitor size, which I thought was really interesting because you're probably not full screened in a sandbox environment. Right. It's going to be weird sizing. So if it doesn't see like a normal sizing structure, it's going to go, oh, it's probably a sandbox. Jump, stop, run, delete thyself. Right. System malware checks for a username as well. If it's something very common like John, Anna, or just like a bunch of x's, it will exit. A network test is performed with the following command, ipconfig /renew and /release, to see if it gets all that, how that process is working to see if that might be within a virtual network. So really interesting stuff. Also uses this technique detailed by the Red Team Vade Mecum, called EtwEventWrite patching to avoid system logging. So that's really cool. Kind of patching different nanny systems, I think, like AMSI and whatnot, to bypass the detection there. So a lot of sandbox detection, a lot of malware does this because they don't want to be analyzed because the more we analyze it, the more we can signature it and create better defenses against it.
So a lot of times it will just stop immediately and delete itself if it detects any of these things. [01:10:51] Speaker A: When it checks for usernames for something common like John or Ann or like a bunch of x's, is that because usually if there's usernames like that, it's probably like a honeypot or something and it's, yeah, okay, you're in a sandbox. Don't waste your time. Just exit. Turn it off, we're done. [01:11:02] Speaker B: Yeah, even if it's, if that was the actual John is the user, it's not worth the, it might not be John, it might just be something random. [01:11:10] Speaker A: So, okay, interesting. So, okay, so we've kind of talked about the couple different exploitation patterns that the folks over at Sekoia had witnessed once this. Once this payload ends up there, it's obviously, it's a ransomware as a service type deal and talks a little bit about double extortion, which is, oh, just so fun. Was there anything else unique about how this malware ends up there or how it operates? That is something pretty different from what we see usually. [01:11:35] Speaker B: I don't know about different. It's just attributes you probably want to be aware of is that, as they say in, in this article, Mallox is kind of opportunistic. It's not necessarily going after a specific organization or government or anything like that. It just starts scanning the Internet. And these threat actors that are using Mallox do typically come from a very specific area of the world. I think it's from Southeast Asia. It's usually Southeast Asia or Russia. Right. The two heavy hitters. Iran likes to throw their name in the hat, in the ring from time to time. But that being said, you know, and that kind of takes us to indicators of compromise and mitigations and things of that nature. So if you do have a SQL Server, you probably want to kind of lock it down, because we can see where the countries that are affected by Mallox. I've got that pulled up.
I don't know why that banner is getting in my way. Go away, banner. [01:12:24] Speaker A: Annoying. [01:12:25] Speaker B: Yes, it is. And you can see the heavy blue is here in the United States, but we see India, we see some parts of Europe and Africa, down what looks like Brazil. So if you're in those regions, you probably want to be on the lookout for this. Coming through, more information about the payloads and things of that nature. Basically, what, what we need to know about this is down in the focus of, you know, not this, but where's the indicators of compromise, boys along they have. [01:12:52] Speaker A: Down at the bottom, there's a link. It says the list of IoCs is available on Sekoia's GitHub. [01:12:55] Speaker B: Thank you. Thank you for jumping down there. For me, it's on their looking for the list. [01:12:59] Speaker A: It's. Yeah, they don't put it here, but, and I've, I wonder if I click, if it'll take me there, because before it was like, you gotta sign in. And I didn't feel like doing that, so. But yes. Okay. I went to their GitHub page. They put a link down at the bottom, and there are, there's a full list of IoCs I'm gonna show you. [01:13:13] Speaker B: Oh, yeah. [01:13:14] Speaker A: You guys can't see. Daniel can see. I don't think so. I think it's hard to do both at the same time and because you know more about this stuff than I do, so it makes more sense to show your screen. [01:13:22] Speaker B: Thank you. It's not. [01:13:24] Speaker A: There we go. [01:13:25] Speaker B: Christian. [01:13:25] Speaker A: Christian's got my back. Christian's a real one. [01:13:27] Speaker B: Look at him. [01:13:27] Speaker A: We need to get a camera over there by his workstation so he can make a face appearance. But yes, this is on their GitHub repo. We, of course, are going to put links for all the articles we've talked about, including this one in the description for the video.
So if you're listening on Apple Podcasts or Spotify, maybe check out the YouTube and you can take a look at those links if you want to read further, because this deep dive was. It went further even than we did. I mean, they list out a whole bunch of stuff about PureCrypter and more stuff about Mallox, so there's a lot more where that came from. [01:13:53] Speaker B: Yeah, this would be three Technados. If we were to actually do the full deep dive on this, it's so much information. [01:13:58] Speaker A: We'd be here hours and Daniel would probably kill me by the end of it. And so, you know, it just. There's time limits, you know, we gotta, gotta make sure. [01:14:05] Speaker B: Speaking of, speaking of, I think we're at the end here. We are. [01:14:08] Speaker A: We are coming up at the end. Yeah, we are running short on time. So thank you for, for walking through that and kind of explaining some of it as much as you could, because there is a lot of it. I know sometimes there's stuff that we're not able to cover because it comes out like the day we record or the day the technique is released. A couple headlines that stood out to me really quick. Tornado Cash, which is a cryptocurrency mixing service. The developer was jailed for laundering billions of dollars. So I know Don is over there, like. [01:14:30] Speaker B: Yeah, I tried to tell you. [01:14:32] Speaker A: I tried to tell you. So he's in jail. Adobe patched multiple code execution flaws. There was a new Google Chrome zero day exploited in the wild, new even beyond what was earlier this week. Yeah, but literally, like right before we recorded this stuff broke so we could cover it in detail. A couple of other things that were interesting. Tor Browser has a new version released, so that's good to know. Uh, that Black Basta stuff, there was more updates on that, so maybe if there continues to be updates, maybe we'll talk more about that next week.
And then a cybersecurity expert was jailed for hacking 400,000 smart homes and selling the videos. So that's fun. This is stuff that we will talk. Like, by the time next week's episode rolls around, it's gonna be old news. [01:15:10] Speaker B: I know you heard it here first. [01:15:12] Speaker A: Here first, just today. [01:15:14] Speaker B: Not much about it, but you heard it here first. [01:15:16] Speaker A: And then that Dell hack we were talking about earlier, as we were recording this new update, there was a specific threat actor known as Menelik. Menelik. [01:15:23] Speaker B: Okay. [01:15:24] Speaker A: That reportedly accessed and scraped sensitive customer data from a Dell support portal. So it may be just beyond that initial. Oh, it was just names and physical addresses. Now, there may actually be some sensitive customer data that's. That's gonna get exposed. So maybe there'll be an update on that next week. [01:15:37] Speaker B: We'll have to phase two of incident. [01:15:39] Speaker A: Response, but I wanted to mention a couple of those. Cause I know sometimes we get comments like, what about this? And this happened. And as much as we would just. [01:15:44] Speaker B: Don't have enough time to cover it all, ladies and gents, man, security landscape is a dumpster fire. [01:15:49] Speaker A: We never ran out of stuff, which is a good problem to have, so. But, I mean, we never. Well, we've got one article today, so I guess we'll just five minutes leave. So the episodes will never be too short. They won't promise you that. But we are going to go ahead and we'll sign off here in a second because it's time for us to go eat some lunch. So, Daniel, thanks so much for walking us through that again and putting up with me. And my twist will be twist with me. Little breakdown that I had. And, of course, crap. Macrame. Yeah, Pootie. Is that what you said? Yeah, we're. Oh, man. [01:16:21] Speaker B: Yeah, I'm gonna really digress.
[01:16:22] Speaker A: Have a good giggle about that later. And thank you, of course, for joining us for this episode of Technado, and we'll see you next week. Thanks for watching. If you enjoyed today's show, consider subscribing so you'll never miss a new episode.
