350: Hackers Stealing NTLM Hashes?! (featuring Mike Saunders!)

Episode 348 March 07, 2024 01:16:04
350: Hackers Stealing NTLM Hashes?! (featuring Mike Saunders!)
Technado
350: Hackers Stealing NTLM Hashes?! (featuring Mike Saunders!)

Mar 07 2024 | 01:16:04

/

Show Notes

This week on Technado, Daniel and Sophie welcome special guest Mike Saunders of Red Siege!

In our new Rapid Fire segment, the team covers the top security news of the week with fast-paced commentary and hot takes. Kali Linux has a new release, NSO Group and Meta are still locked in a lawsuit, CISA’s issuing a new warning re: ransomware, and thousands of ChatGPT creds are up for sale on the black market. And as always, there are plenty of vulnerabilities to be found: the team talks a zero-day exploited by Lazarus, three severe vulnerabilities in a Zeek plugin, and the recent AMEX 3rd-party breach.

After a short break, it’s another new segment: Deep Dive! With Mike’s help, Dan and Soph get into the details of a new Linux variant of BIFROSE remote access trojan, featuring some visuals and demos courtesy of Daniel. Finally, the trio covers the nitty-gritty of TA577’s novel attack chain involving phishing to steal NTLM authentication hashes.

View Full Transcript

Episode Transcript

[00:00:00] Speaker A: Um. [00:00:04] Speaker B: You'Re listening to Technato. Welcome to Technato, brought to you by ACI learning the folks behind it pro. Don't forget, you can use that promo code, Technato 30, for a discount on your it pro membership. I'm Sophie Goodwin, and today is an exciting day for Technato. It is episode 350, which I think is a pretty big milestone. And we've got a special guest here in house with us. But before we get to that, I want to check in with my co host, Daniel, over on the other end of the table. Daniel, how's your week been? [00:00:29] Speaker A: Oh, it's been excellent, because I've been hanging out with our special guest. I love keeping the veil of secrecy, and everybody's like, who is this person? It is fun, but no, we've been having a really great time doing some really cool hacking. Yeah. Which I thoroughly enjoy. [00:00:45] Speaker B: Well, as we both mentioned, we do have a special guest here in house with us this week. It is Mike Saunders, who is on loan to us from Red Siege. How are you enjoying Florida this week, Mike? [00:00:54] Speaker C: I'm having a great time, Sylvie. Great time. [00:00:56] Speaker B: I totally believe you. [00:00:59] Speaker C: We're having a lot of fun in the studio, aren't we? [00:01:01] Speaker A: We do. We've been having a great time because we are going over AV and EDRs antivirus and endpoint detection response systems, and they like to stop things like malware. But Mike's job is kind of, like, to act as a bad actor, and he has to get around that stuff. And a lot of people do this for a living, so we're trying to help people learn those skills to perform in that job. So it's been really interesting stuff. Highly technical, but very useful stuff. If you are in that space. [00:01:31] Speaker B: I like that you add the qualifiers in there to make sure people know you're doing it ethically. This is for the good guys. [00:01:37] Speaker C: Only for good. [00:01:38] Speaker B: Only for good. [00:01:39] Speaker A: Mike's breaking into hospitals. [00:01:41] Speaker B: Well, now I'm intrigued. I may have to come back to that towards the end of the episode and see if I can get you all pick your brains a little bit about what you guys have been working on this week. But it has been a pretty busy week in security news. And before we get into that, I want to take a second and let you guys know what's in store for this episode. If you've been a longtime viewer, it's going to look a little bit different. We are going to have a lot of fun this week. We're going to start off with a rapid fire segment, so we've got a whole bunch of articles we're going to go through this week's top news stories and security. We're only going to spend a couple of minutes on each one, get those opinions, maybe some hot takes, possibly, potentially without getting ourselves into too much trouble. But after a couple of minutes, we'll move on to the next story after we're done with that rapid fire segment, take a quick break, and then when we come back, we'll have a deep dive on a couple of articles where we'll get into a little bit more detail, get some in depth analysis, because we've got two security geniuses in the studio here with us, and I'm going to have a lot of questions. So they will. Yeah, Daniel's a little. He's twitching. He's twitching a little bit. [00:02:32] Speaker A: Me, not so much. Mike, the imposter syndrome really fires up when people say things like that. [00:02:40] Speaker B: All right, well, I'll lower the expectations. They do some security stuff. [00:02:44] Speaker A: I found some guys, they said they've used a computer before. [00:02:47] Speaker B: I found them on the street, and they're just going to talk to the camera for a little bit. So if that makes sense to you guys. You ready to jump into that rapid fire? [00:02:55] Speaker A: Let's do it. [00:02:56] Speaker B: All right, so, like I said, we're only going to spend a couple of minutes on each article, but we'll go ahead and jump right in this first one. I know we just love to talk about AI here in the studio. Over 225,000 compromised Chat GPT credentials are up for sale on dark web markets, which is always just a fun thing to hear. They were found in infostealer logs, and I believe even just in a couple of months last year, it was over 130,000 unique hosts were infiltrated. So does this inspire panic in either of you? [00:03:22] Speaker A: So here's the thing. Using AI in your titles of your clickbait articles, I kid the hacker news. They're not clickbait necessarily. This is good news that you do need to know about this. If you do have a login to any of the AI technologies and you would like to keep some of the things that you've talked about in those conversations with said AI a secret, this is probably pertinent for you, because that is something that's happening more and more every day. Companies are utilizing AI in various and sundry ways, and exciting new boundaries are being broken into and how they could utilize AI. But because those conversations are happening internally, there could be sensitive information that are in those chat logs. Now, Sophia, you mentioned stealer malware. It's not like Chat GPT got hacked. That's not. And that's where this article title might be a little misleading. What ended up happening was people got compromised. The compromising actor out there used that ability to log in and have access to their systems to look at their chat logs and pilfer the pockets of them for auth creds, API keys, sensitive information, IP, you name it. That's what they were kind of going through this for. So it's more along the lines of thinking about working with AI as a security vector and getting that in our heads is like, oh, we need to be protecting that in some way, shape or form, because that's not really happening now. Mike, what do you know? [00:05:04] Speaker C: You pretty much hit it on the head, from what I was thinking. Like, this isn't a chat GBT issue, this is an endpoint security issue. So these people had their credentials stolen from their machines. So you got to look at, how did that happen? What were the vectors to get in there, and how can we prevent those from happening? Because it could have easily been AWS keys, it could have been your azure keys. All kinds of things just happened to be the clickbait here was Chat GPT, because, you know, that's popular right now. [00:05:34] Speaker B: This is where that reading comprehension comes in handy, because it does say compromised Chat GPT credentials. It doesn't say OpenAI was compromised, that there were credentials that were compromised. So I'm glad you pointed that out. [00:05:44] Speaker A: You got to catch them. [00:05:45] Speaker B: They're tricky. You got to parse through this stuff. Absolutely. So, yeah, definitely something to be on the lookout for. Access to logs can be exploited for espionage, confidential information. You mentioned, like API keys, things like that. So pretty scary stuff. We've actually got another article here that has to do with taking some information, it looks like, or stealing some money, perhaps this next one. This is also from the hacker news. Cybercriminals are using a novel DNS hijacking technique for investment scams. And this is a threat actor who is dubbed. I don't know if they dubbed themselves this or if this is the name they were given. Savvy Seahorse is the name that they've got assigned to them, which is they. [00:06:19] Speaker A: Typically don't name themselves. [00:06:20] Speaker B: I didn't think so. And also, why is that the name you would give yourself? [00:06:23] Speaker A: Security groups out there that are naming threats and apts, they just kind of have fun with it. It does seem like they have adjectives and nouns in a hat, and they just kind of mix it all up and reach in and grab savvy seahorse. Yay. [00:06:39] Speaker B: Yeah, absolutely. [00:06:40] Speaker A: We'll call it. I have a feeling that that might not be too far from the truth, honestly. [00:06:45] Speaker C: Yeah, I think you're pretty close to it. [00:06:47] Speaker B: Well, the way that they're doing this, I was trying to read through it. They employ DNS canonical name records to create a traffic distribution system for evading detection. A lot of different buzzwords in there. Maybe you guys have a better understanding of how this actually works. [00:07:01] Speaker A: So it seems to be a form of subdomain hijacking. Apparently, it's a new way of which they can do it. Ultimately, if you have control over cname. And I can't wait to get Mike's take on this really quickly because I didn't get too much time to get too deep down the rabbit hole on this, but it just seemed to me like a variation of subdomain takeover and using cname records to do that. Did you check this out, Mike? [00:07:26] Speaker C: I read through the article, and that's kind of where I was coming at. Yeah, it looks like some type of cname takeover. So the article was light on details on the technical side of things. My takeaway here is monitor your DNS queries. Right. You can prevent things and you can detect things. And DNS is a great way to detect bad things happening on your network. [00:07:52] Speaker B: It looked like before it got into too much of the technical side of things. The way this was working is that, like so many other operations like this, victims were lured through ads on social media. They were tricked into know, coerced or convinced to provide personal information in exchange, supposedly for high return investment opportunities through these fake chat GBT and WhatsApp bots that were being used to do this. I think that's kind of what it seemed like was going on there. [00:08:18] Speaker A: Yeah, basically using the. And I have a graphic here. We'll bring up the hacker news we want to move to. More a visual christian, if you will. Every time we get past the initial title, go ahead and I'll have the screen up for the actual article so that those that are watching out there can kind of see what's going on. And here is the graphic that Sophia is kind of referring to where they talk about. Here's the bad actor, right? And they're grabbing these bad domains. So if you have subdomains that you've registered but you haven't used, or you haven't connected to a host, they leave themselves up to be taken over by another actor. If they're quick on the draw, right? So they create these multiple subdomains, and then they create these cname records to be able to lure people in because they look like they're from a legitimate site. Therefore, once you get past that and you see, oh, my URL is good, so I'm good to go. I can click on this. This is fine. Then you hit a fake page. You register, you do things. You put in sensitive information, like your username, your name, your password, which I'm sure you're not reusing. That never happens. And so on and so forth. And they're able to even, hey, here's my credit card information. Here's my financial information, because I want to make investments. That was the whole idea behind the scam, was getting you to sign up for investing. And then they start reaching into your pockets and pulling your money out, and you never see it again. That's how this goes. Be aware. Just don't click things. Just always type in the URL. And even if you think it's a. [00:09:49] Speaker B: Trusted source, it's better safe than sorry. [00:09:51] Speaker C: It is, 100%. [00:09:53] Speaker B: I could send Daniel a weird link and have him clicking on things, and he would just be none the wiser because he trusts me so much. Just better to be safe than sorry. But we'll go ahead and move on to our next one. This one. I don't want to bury the lead too much with this one. It does say that there was an American Express credit card breach. There were some credit cards exposed in third party data breach. So it was not american express controlled or owned systems that were breached, but it was a pretty big third party merchant processor that supposedly, potentially, they use words like may might. There may have been some information like account numbers and card expiration data that were accessed, but not a whole lot of details here yet as far as timing. Right? [00:10:28] Speaker A: Well, you know how these things go, Sophia. Just because something happened doesn't mean we got to air our dirty laundry for a whole wide world to see. I do love. And I kind of found it funny that American Express was like, it wasn't us. They were screaming from the roof. This was not an MX breach. This was not us. It was somebody else. You dealt with them. We just happened to allow them to process our credit cards. And their systems were the ones that got popped. If you need info, and I will give them credit. Honestly, they were like, here are some things that you can do. If you see any reports or anything that looks hinky, monitor your credit, watch your statements. Anything looks strange, we'll reimburse fraudulent charges and if you even sniff something's out of whack, just get a new card and that's a good way to go. [00:11:21] Speaker B: Yeah, better safe than sorry, it sounds like. [00:11:23] Speaker A: Mike, you ever fall into identity theft? Have you had your id stolen? [00:11:28] Speaker C: Not yet. [00:11:29] Speaker A: Not yet. I know, I feel like because we're kind of like personalities, for the lack of a better term out there on the interwebs, that we might be targets eventually. What better way to put a feather in your cap and go, I was. [00:11:42] Speaker C: Trying to be anonymous and then you guys came along. [00:11:45] Speaker A: Mike Saunders. Mike Saunders. [00:11:47] Speaker B: I love Red Siege. Mike Saunders, the non committal language of not yet, but I'm open to it. [00:11:52] Speaker A: In the don't try anything twice, don't. [00:11:55] Speaker B: Put limits on me. You never know what might happen. [00:11:58] Speaker A: Right? [00:11:59] Speaker B: So no details as far as a number of impacted customers or the timing of this attack yet, but maybe this will come back up in a future episode. We'll just have to wait and see this next one. A little bit more light hearted, a little bit less doom and gloom. Kali Linux 2024.1 was released, so I don't know if you're Mike, are you a Linux user? [00:12:16] Speaker C: Enjoyer. [00:12:17] Speaker B: Okay, I know Daniel is. So how are you guys feeling about this update? [00:12:21] Speaker A: So it's funny, Mike, you updated to this yesterday? [00:12:24] Speaker C: Yes, had to live update while recording because the previous version was having some issues with vmware and causing my machine to lock up. So we live updated during class and it's looking good, it's working good. [00:12:37] Speaker B: That's pretty impressive. I don't know that I've ever done a live update during a recording before. Same. [00:12:43] Speaker A: We are charting new territory, ladies and gentlemen. First time breaking the grounds. [00:12:48] Speaker B: Have you taken a look at this all yet, Daniel? [00:12:49] Speaker A: Yeah, I installed it as well. I was really interested in just especially that they also updated Nethunter, which is their rootless Kali install for Android devices, and they updated so it would support Android 14. So that's really cool. I know a lot of people like to play around with that and it's just kind of neat to have some Kali on your phone or your tablet or whatever and do a thing or two when you don't have your laptop sitting right in front of you. So kind of fun with that. I don't know if. Mike, have you ever used Nethunter as like a. [00:13:19] Speaker C: No, no, I have not. I know people who have. It hasn't been part of my toolkit, haven't needed, but I do know people who do use it. [00:13:30] Speaker A: I feel like that's probably the case in a lot of ways. Nethunter seems to me I could be way off base. Seems to be more of fun than it is actually. Hey, let's get some work done using my phone. Yeah, niche edge case is obviously where it could come in handy to actually do something. But other than that, that was updated. There was a couple of other things that were updated. Theme refresh. What else do they have going on in there? [00:13:55] Speaker C: More mirrors. [00:13:56] Speaker A: Yes, way more mirrors. [00:13:57] Speaker C: Way more mirrors. And that's one thing that I really liked about it, more mirrors. It updates a lot faster in the past, their default mirrors could be pretty slow sometimes doing updates. And now we were able to pull that down in just a few minutes and get the system updated during class. [00:14:13] Speaker A: Yeah, super awesome. A couple of tools they've installed blue Hydra for Bluetooth discovery. What else we got? Open taxi is now installed by default. How about them apples? We also have repe, a command line tool that manipulates PE files in windows. And snort by default is now in there. So if you want to do a little bit of detection. Got the old snortage going on, but I think those are the big moves. [00:14:38] Speaker B: Oh come on. You didn't mention the know, you don't care about the aesthetics. But I do now really literally have. [00:14:47] Speaker A: A dog turd as the background. As long as it does what I want it to do. [00:14:51] Speaker B: Daniel goes to Google photos and gets an image of a dog turd and specifically sets that as his background. That's what he wants. [00:14:56] Speaker A: Dog turd Linux version two, the newest distro. Yeah, it's always a new poop image. [00:15:04] Speaker B: Great. How many minutes in? [00:15:06] Speaker A: We've got a poop joke down the stairs. [00:15:08] Speaker B: We got to fit one in there somewhere. So real quick, before we move on to the next article, I have just a quick question about this. And I mean, I know, but just for those that might not know, you guys talk about mirrors, what is that? I don't use Linux. So what are you talking about, mirrors? [00:15:22] Speaker A: Can you where you can get your copy of the distro, right. Or anything? That's kind of a part of it necessarily. So if I want to get Linux, if I want to get Kali Linux, I need to download it from the Internet, right? [00:15:33] Speaker B: Right. [00:15:34] Speaker A: So let's say I'm offensive security. I have a server with Kali Linux images on it. You would go to that link to download. Now what happens if, like, I don't know, ten people try to download at the same time? Well, it's got to service each one of those requests. Okay, well maybe we'll stand up another server because we have 100 people. Now we got 1000 people. Now we got like 100,000 people trying to hit two servers. We need more servers. A mirror is somebody that goes, hey, send me those images and you can direct links to us and we'll service those download requests. So they didn't add like five, they didn't add ten, they add 50 by going with what was the name of the organization that. Well, now that you ask that, I wrote it down. It is Fcix software. [00:16:24] Speaker B: Okay. [00:16:25] Speaker A: Given credit where credits do. [00:16:27] Speaker B: Yeah, I appreciate that. I mean, I already knew, but just in case folks watching and listening. [00:16:31] Speaker A: Good point. [00:16:32] Speaker B: So not everybody might. I didn't know. I'm being sarcastic, in case you couldn't tell. We'll jump into our next article here, though. Going back to those security vulnerabilities. We just love them. A Zeke security tool. Vulnerabilities allow ICS network hacking. And I was not familiar with Zeke before reading this, but Zeke, it looks like it is an open source network security monitoring tool. Are you guys familiar with kind of a. [00:16:56] Speaker A: It's kind of a big deal in the industry. It's a great tool. It's a phenomenal tool. It used to be called bro, and then they kind of rebranded as Zeke. And now it's kind of gone a little more because it was like this open source tool anybody could use. You want to do some security monitoring on your network. Anybody could grab this thing. It's well known as being bundled with like security onion, which is an open source distribution of Linux that has all these security monitoring tools as cabana and Elkstack and all this other fun stuff, usually, anyway, and Zeke was a part of that. This is bad because a security researcher here in Florida discovered that one of the plugins, that is an optional plugin, but is usually bundled with Zeke for ICS systems, that's industrial control systems for doing monitoring in those environments. It had RCE problems, which is no. [00:17:55] Speaker C: One packet RCE for. Some of these were really kind of eye opening. Is that all an attacker has to do is send a single crafted packet across the network. And if you're running Zeke with this analyzer, your system's owned. [00:18:10] Speaker A: That sounds bad, Mike, when you say it like that. [00:18:12] Speaker C: It's not ideal, Dan. [00:18:13] Speaker A: It's not ideal. [00:18:15] Speaker B: So was it, what, three vulnerabilities? Two critical and one high severity? [00:18:19] Speaker A: Yeah, I actually looked up some of the. So the researcher discovered this, actually, I think, like six or weeks or so ago. And since then, I think one of them has been downgraded to a medium and things of that nature. But here's the big takeaway, right? Is if you have Zeke, if you're running security and you're like, oh, I'm going to play with Zeke. This might be installed by default, and if that's the case, and it's, for whatever reason, running because you played with it or whatever, you might be susceptible to it. So be on the lookout. Make sure that you're only running the things you need to run and that only the plugins you need to have operating are operating. Did they say there's a patch for this or not? I don't remember. [00:19:01] Speaker C: There are. Yes, there has been a patch that came out. Looks like there was almost a complete rewrite of the plugin. [00:19:08] Speaker A: They had to redesign the plugin. [00:19:10] Speaker C: It was so bad for it to work. Yeah. And one of the takeaways from this article is talking about that. While it's not necessarily always deployed, it is very frequently and enabled. If you have this enabled Internet facing now, the attacker doesn't even have to be on your local network to generate this traffic. Right. They can send it across the Internet. So there's concerns that there might be a lot of these systems directly connected to the Internet that are exploited. [00:19:37] Speaker A: Scariest environment imaginable. That's all I had to say. Scariest environment imaginable. [00:19:42] Speaker B: Jump to those extremes immediately. It did say that these attacks are mostly aimed at ICS environments, and that's industrial control system environments. Just so that I can kind of get an idea for what we're talking about here. What would be an example of that? [00:19:55] Speaker A: Power plants. [00:19:57] Speaker C: Power plants, water plants, nuclear facilities. [00:20:00] Speaker B: Yikes. [00:20:01] Speaker C: Boilers and manufacturing potatoes. [00:20:04] Speaker A: Oh, yeah. [00:20:05] Speaker C: Things that, when they go wrong, they kill people. [00:20:07] Speaker A: Yeah. Remember the old colonial pipeline issue, like where they were moving oil and all of a sudden you can't move oil anymore or refine it or do anything with it, and then all of a sudden, our gas prices went through the roof. [00:20:17] Speaker B: Yes, I do remember that. [00:20:18] Speaker A: That's a problem. See? [00:20:20] Speaker B: True. [00:20:20] Speaker A: And typically, those industrial control systems control these critical infrastructure things. [00:20:25] Speaker B: Right, okay. [00:20:27] Speaker A: Yeah. [00:20:27] Speaker B: So when you hear people talk about an ics, that's generally what they're talking about. [00:20:30] Speaker A: Here you go. You're picking it up. [00:20:32] Speaker B: Picking it up. I'm getting there. So no big deal really. Just minor stuff. Nothing to worry about. I'm being facetious. You should panic immediately. This next one, then. This is an interesting one. Cisa or, I don't know, would you pronounce that it's a government organization? I've heard it, Siza. It doesn't matter anyway. [00:20:50] Speaker C: War. [00:20:53] Speaker B: It doesn't roll off the tongue as tastes bad. Okay, we'll go with scissor then. SZA warns Phobos ransomware group attacking critical infrastructure. So more critical infrastructure attacks. Great. [00:21:02] Speaker A: We've seen a bit of a rise in this in the last few years. Mike, would you go as far as to say cyber warfare? I know that's a fun term to throw out there, but what the hell. [00:21:15] Speaker C: Yolo, I don't want to come off the top rope during the middle of this session here, but say that again. I might have to. [00:21:26] Speaker A: We need that SEO. Okay. Taylor Swift. All right, fine. [00:21:31] Speaker B: I want Mike going like this in the thumbnail, just mind blown. [00:21:35] Speaker A: That's right. [00:21:35] Speaker B: So this is part of, it's a bigger initiative from CISA that's hashtag stop Ransomware initiative, raising awareness about ransomware threats and gangs. So this is just one part of that. But what's important about this, about the. Is it Phobos ransomware? [00:21:48] Speaker A: Yeah. One of the big problems is that who they're targeting, right. They're going after education, health care and emergency services. That seems to be their stock and trade with Phobos. They use open source tools, not that cobalt strike. I think they are using cobalt strike stuff, but maybe the BoF part of it. But yeah, they're basically tooling up using open source materials. So that's just an interesting thing about them and their ttps. They're also a big fan of double extortion. So they ransomware your stuff, right? They get in your system, they crypto lock everything, go, hey, we're going to need that money if you want to get those files unlocked. And you go, okay, well, I guess I'll pay. And you pay. And they go, ha, by the way, I need some more money. And you're like, why? Because I also downloaded all your files and I will put them on the Internet for sale if you don't give me more money. So good old double extortion never hurt anybody. [00:22:48] Speaker B: The thing is, though, you could pay that and they could still do it anyway, right? There's nothing stopping them from. [00:22:52] Speaker C: I mean, that is true, but part of the thing that ransomware groups, most ransomware groups are known for is having really good customer service. And it's a reputation thing. And if I know that if I pay you, you're probably still going to put it out there anyways, there's no incentive for me to pay, right? But if you do what you say, you're going to do I might be, as a victim, more inclined to give you money. However, that being said, we know that there are instances of these ransomware groups that claim that they delete the stuff after you pay them, and then they themselves have been breached and other ransomware groups have then gotten that. [00:23:32] Speaker A: No, no, never have. That just sounds not right, Mike. I mean, these people are fine, upstanding citizens, and when they say they're going to do something, by God they're going to do it. [00:23:43] Speaker B: People would do that, just go on the Internet and tell lies? [00:23:46] Speaker A: It sounds weird to me. [00:23:48] Speaker B: I don't think I believe it. I think this is fake news. Well, yeah, fake news. That was pretty good. That was kind of scary. We'll move on before we have to hear any more of that. [00:23:57] Speaker A: Before I start teasing my inner trump. [00:24:01] Speaker B: This next one is interesting, setting a weird precedent here. Judge orders NSO group to surrender Pegasus source code to meta. Now, for those that might not be familiar, could you kind of give me the cliff notes on Pegasus? [00:24:12] Speaker A: Sure. So Pegasus is a very interesting piece of software and a suite of software, actually, that allows its user to take over. Phones basically have control. They have, like, built in zero days. So NSO Group is the company that develops Pegasus as software, and they sell it as a service. You get access to the platform, you get a dashboard, and then you have all the mobile devices that you are connecting to show up. And it's really nice. It's a really nice piece of software. I mean, you pay top dollar for it, which is why saudi princes and stuff are typically the ones that are buying it in countries where they don't really enjoy journalism. [00:24:54] Speaker C: Yeah. You see it targeting journalists and dissidents and things like that quite a bit where it's used. So governments and those kinds of agencies targeting journalists, dissidents, people of interest, that you might want to get information that you can shut them down. [00:25:12] Speaker A: Right. That's the way it's used now. I want to get too deep in the weed on NSL group because they have their own propaganda as far as whether or not they're like, we do not sell to known terrorists and things of that nature. Okay. That being the case, what's more interesting to me about this is a, they're an israeli company and meta is a us company and Meta is suing them. And a us judge says, you got to fork over your source code. And they're like, well, we'll give you the front end, that's fine. And they're, no, no, you have to give over your ip, your intellectual property and give it to them so they can see how you are. Because they were able to use Pegasus to gain access to people that use WhatsApp and breach those phones that utilize WhatsApp. And they want to see how you did that so they can fix it. And it's like, this is a weird legal thing. I'm not a Honda checked out on. How does A-U-S. Judge tell an israeli company to do there? Is this an international court? It just happens to be A-U-S. Judge. And what if they just throw up the double birds and go, I'm not giving you nothing? Like what's going to happen if they don't do that to me. [00:26:24] Speaker B: That was the take behind this. What's the penalty if you don't? [00:26:28] Speaker A: Right? [00:26:29] Speaker B: Yeah. [00:26:29] Speaker A: Are you going to sanction me? [00:26:30] Speaker B: Yeah. What are you going to do? Tell mom? I didn't realize because Meta owns like Facebook and Instagram and all these things, but I didn't realize they acquired WhatsApp in 2018. And so then this, I think it was back in 2019, they first sued NSO. So this has been an ongoing lawsuit for years. [00:26:47] Speaker A: They're not the only ones. Apple as well. [00:26:49] Speaker B: Yeah. So this is a big thing going on. And it looks like this order is part of that lawsuit. And the actual trial, there's going to be a trial is not going to start until March of next year. So this is going to be a years long issue. [00:27:02] Speaker A: This is like disclosure. They're in the disclosure phase so that their lawyers can figure out how they're going to proceed, but I don't know how they do that. So if you know, in the comments out there, let us know. How does this work? I just thought it was an interesting thing that without further information, but if you have been wronged by the NSO group, maybe. This is a very interesting article for you, Mike. [00:27:24] Speaker B: Have you or a loved one been personally victimized by the NSO group? [00:27:27] Speaker C: You know, not yet. [00:27:29] Speaker A: Call Dan Newland. [00:27:31] Speaker B: Attorney Dan Newland. Yeah. I love that you leave the door open just in case. Not yet, but hey, I'm open to anything. [00:27:38] Speaker A: He's hedging his bets. Anything's possible. [00:27:40] Speaker B: We got one more here for rapid fire. Lazarus hackers exploited a windows kernel flaw as a zero day in recent attacks. I feel like Lazarus has come up before in this studio, and they will probably come up again almost. It's like they keep coming back from the dead. So this was a privacy flaw in windows kernel, is that right? [00:27:57] Speaker A: It does seem to be, and quite a devastating one at that. Where it was like full system access. You gain access to the system account, which is basically an unfettered windows user account, but kind of lives in kernel space in some ways. So it's direct access to just everything you want. I want to see what's going on in the cpu. Give me that information. Sure. Here you go. I mean, your system, your nt authority. Do what you like. And that seems bad. Again, Mike, why is security such a dumpster? [00:28:35] Speaker C: Know, I'm kind of glad that it is because I have a job, but at the same time, man, it never stops. [00:28:43] Speaker A: I can't wait till I, by necessity, need to become a truck driver or something. [00:28:49] Speaker C: I'm going to open up a bait shop. There you go. I'm going to sell some worms and some lures and talk about the weather. Can't wait. [00:28:57] Speaker B: Just be dealing with a different kind of worm, that's all. [00:28:59] Speaker A: That's right. [00:29:00] Speaker C: That's right. [00:29:01] Speaker B: I thought your backup plan was to work at a bucky's car wash. Oh, that's right. [00:29:04] Speaker A: Yes. I'm sorry. [00:29:05] Speaker B: See, I've got access to Daniel's personal file. [00:29:07] Speaker A: Opening one near me soon. So I can't wait to be the car wash manager. [00:29:11] Speaker B: Yeah, right there in your city. [00:29:12] Speaker A: 125,000 a year. Are you kidding? [00:29:15] Speaker B: Start a minimum. [00:29:16] Speaker A: I think starting. [00:29:16] Speaker B: That's like your starting salary. [00:29:17] Speaker A: Starting salary? Dude, if I can't run a bucky's car wash with the utmost efficiency, I don't deserve that money. Right? [00:29:25] Speaker B: Maybe they give you the free. What is it? They're famous for? Their brisket sandwiches or something. [00:29:28] Speaker A: Their beaver nuggets or whatever they are. [00:29:30] Speaker B: Oh, yeah, I forgot about that. [00:29:31] Speaker A: Yeah. [00:29:31] Speaker B: Not made with actual beaver. Just feel like we should clarify it. That's not a thing. [00:29:35] Speaker A: I like how Mike is like, what are we talking about? [00:29:38] Speaker B: They don't have Bucky's up where you're. [00:29:40] Speaker C: No, no, we don't. I have heard of Bucky's. I've seen that it's pretty popular at a very extensive convenience store, but I am unfamiliar. Although Molly. Molly loves Molly. Our Molly. Red siege. Molly loves buckies. [00:29:55] Speaker A: Got you. [00:29:56] Speaker C: No, she doesn't. [00:29:57] Speaker A: No, she doesn't. Not a fan. [00:29:59] Speaker C: Not a fan. For some reason. I don't know. I can't say why, because I haven't been there. [00:30:03] Speaker B: It is a bit of a zoo, but they've got a lot to see. It's like the Disney world of gas station. [00:30:08] Speaker A: And there's like 70 gas station, like, gas pumps around the thing. It's a massive, massive. [00:30:15] Speaker B: It's a gift. Shop. It's a restaurant, it's a gas station. It's everything you could ever want. All right, it's the kitchen sink. Anyway, going back to this article real. [00:30:21] Speaker A: Quick, before we run out of time. [00:30:22] Speaker B: Here, before we wrap up this segment, one thing I wanted to know is that they do have a CVSS score for this one. For the vulnerability in question is 7.8. And I know that I've been warped in reading these articles because I saw that and I was like, oh, that's not that bad because I'm so used to seeing where it's like 9.910.0. I'm like, this is crazy. And I see 7.8, I'm like, oh, all right. And then when you were talking about, you're like, oh, this is a big deal, this is bad. And I realized that's still pretty high on a scale from one to ten. [00:30:49] Speaker C: Yes. [00:30:49] Speaker B: Then .8 is pretty high. [00:30:51] Speaker C: I was kind of surprised to see that it was only a 7.8. I haven't looked at the details of the scoring for why that is. It might be that the. [00:30:58] Speaker A: I'm assuming it's because it's not network access, right. It's because you already have to have access to the system. [00:31:05] Speaker C: I think it might be a local. I think you might be right on that. [00:31:09] Speaker A: Although. [00:31:12] Speaker C: It'S pretty intense once you're in there because your full system access, it looks like it's actually part of app locker. It's an exploit in app locker, so it's kind of cool. [00:31:24] Speaker A: Yeah. [00:31:24] Speaker B: So the severity part of it comes from. Maybe it's a little harder to get there, but once you get there, the things you can do would really. [00:31:31] Speaker A: And apparently what the Lazarus group is using it for is to turn off your monitors, turn off your security systems, no more system logging, no more Windows defender, no more EDR, no more nothing. Turn all those things off or make protective enclaves for myself. And they said they found this being exploited in the wild and it was built into their latest version of their root kits. So they were like, hey, what's this? That seems bad. We should probably do something about this. And now there is a patch. So just make sure you're patched up and you should be good to go. [00:32:03] Speaker B: You can probably end every story like that. Make sure you patch up. [00:32:05] Speaker A: Yeah. [00:32:06] Speaker B: Don't put off those patches, you will suffer. [00:32:09] Speaker C: Speaking of patches, new iOS patch out today. [00:32:12] Speaker A: Critically breaking news. [00:32:14] Speaker C: Yeah. Critically remotely exploitable vulnerability from my understanding. So get an iOS, you better get to it. [00:32:20] Speaker B: Get to it. I think I'm the only iOS user. [00:32:25] Speaker A: I'm going to look that article up. [00:32:26] Speaker B: Are you an iPhone guy? [00:32:28] Speaker C: Unfortunately. [00:32:29] Speaker A: I love how you put that. Unfortunately, I'm an iPhone guy. [00:32:32] Speaker B: All right, well, we'll suffer together, then. We'll suffer in silence. But I think that's going to bring us to the end of our rapid fire segment. So we are going to take a quick break here, let Mike catch his breath, and we'll all cry a little. But stick around. We do have a deep dive coming up on our new malware variant and a story on a hacking group that's stealing hashes. So all of that's coming up right here on Technato. Tired of trying to schedule your team's time around in person learning? Isn't it a bummer to spend thousands of dollars on travel for professional development? What if we said you can save money and time and still provide your team with the best training possible? The answer to your woes is live online training from ACI learning. With live online training, we provide our top in person courses in private online instructor led formats. You get to provide professional development in a manner that fits today's expectations, entertaining, convenient, and effective. Our exam aligned courses inspire the full potential of your team. Visit virtual instructor led training at ACI learning for more info. Welcome back. Thanks for sticking with us through that break. If you are enjoying the show so far, don't forget to like this video on YouTube if that's where you're watching from. And consider subscribing if you haven't already. We've got lots of great stuff going on here on this channel. New episode of Technato. Every week we got webinars. In fact, we've got one this week at 02:00 p.m. On Thursday. So the day this episode is released, and that'll be an all things cybersecurity webinar. We'll have more details on that later in the episode, so if you want to know more about that, you'll just have to stick around. But yeah, consider subscribing if you haven't already, and leave a comment. Let us know how you're enjoying the episode. With that said, it is time for the long awaited deep dive segment. I know that you could just see they're just itching to get to it. They're so excited. I can be. I'm glad to have Mike and Daniel both here to kind of help walk us through this and get into some of the details. I'm probably going to have a lot of questions, so just warning you I'm. [00:34:12] Speaker A: Glad to have Mike here because I've used a computer before, but this seems a lot. [00:34:18] Speaker C: I was depending on you. [00:34:19] Speaker A: Oh, no. Well, maybe we'll all learn. [00:34:22] Speaker B: You can just lean on each other. You lean on each other through this. We will get through it. Are you ready to dive in? [00:34:27] Speaker A: So to say we hit the ground running. [00:34:28] Speaker B: All right, so we'll start with this. We got two we're going to try to get through today. This first one has to do with something called Bifrost or, and this was new to me, but Bifrost, new tactic to deceive users. So I believe the summary of this and kind of the details, we're pulling these from Palo Alto networks, but this is a bifrost, or Bifrost is a remote access trojan or that's what they specialize in. And what exactly is this new development. [00:34:53] Speaker A: Are just, they got some ways that they are now evading it's new evasion for them. Innovative technique to evade detection is what the executive summary says. And it says it uses a deceptive domain, some typo squatting as we love. Right. And we can see that right here. Download now look at that right there. Man, they got it good, don't they? Let's see if I can highlight this for you. Download VMware. Oh no wait, that's not VMware, that's VMfair. Now I kind of picked up on this one really quickly, actually. I saw it almost immediately. I was like, well that's not VMware because it has that big f sticking up in the sky like that, whereas I'm looking for a w. But this apparently has been quite effective for them. [00:35:37] Speaker C: Yeah, I would have thought that like two v's would have been better than. [00:35:41] Speaker B: An f or an m or something. [00:35:43] Speaker A: Maybe it was taken. [00:35:45] Speaker C: It could be, it could be what. [00:35:46] Speaker A: You got, right, but good old typo, squatting, pulling into play here. And it says mimics the legitimate vmware domain. This latest version bypasses security measures and compromised target systems. Bifrost has been around, they get a rat. Remote access Trojan. Anything else? Palo Alto networks customers are better protected. And of course there's the marketing jargon that goes on with buy our stuff. Hey, Palo Alto is pretty good at what they do. They got a great security team, pretty smart people. So I would highly recommend checking them out if you're interested. But the article on the research that they've done around this is really what we're interested in today. So apparently initial compromise. Mike, this is one of your stock in trade. Right. How do you normally gain that initial access into a system? What's your modus operandi? [00:36:37] Speaker C: Well, I mean, as with so many things, the answer is it depends, right? Because sometimes it's fishing. Like, a lot of times it's phishing, but sometimes it's social engineering and phishing and phishing. Sometimes we use our human cheat code, Jason, and tell him to get on the phone. And when he gets on the phone, people do things like, I could call you up and you'd be like, no, I'm not doing that. He calls you up and you're like, oh, where you need me to right click on what? Yes, please. And so a lot of times it's phishing, or phishing combined with social engineering. [00:37:13] Speaker A: Yeah, that seems to be a fairly popular, and not just for the red teamers out there at Red Siege, but actual threat actors find this to be quite the effective technique. So I'm not surprised to see that phishing is one of their main avenues for compromise. They apparently also use malicious websites as well. They want to get you to download their junk. So I guess one of the big takeaways when it comes to initial compromise is stop clicking stuff in emails. Stop already. Why is this a thing that we just don't seem to get? [00:37:48] Speaker C: Well, now there is a hot topic for you, because if when we say stop clicking right, we're blaming the users, when really, why did we allow them to be able to do that in the first place? Why did we allow that system to be able to get compromised? So there is an existential debate right there. But for sure, people are going to click on things, and especially if they're not paying attention. VM fair looks pretty close. I mean, we use those same tactics of finding something that looks close. We do that because we know the attackers are doing that, trying to mimic those actions. Another thing I thought was really interesting is that as of late February, that domain still hadn't been rated. [00:38:32] Speaker A: Let's go to virustotal and give it a shot here. So, vira, virus vir. There we go. Virustotal.com. I will make this human readable. We'll hit URL and say, download vmfair.com and kind of see what happens here. Okay, so at least some traction has been made on this domain. We got 13 security vendors now flagging this as malicious. And it looks like a lot of the big dogs are. We got Sophos, we've got Viper, Fortinet, sci radar, Bitdefender. I don't see Microsoft on here saying anything. But this just could be the vendor. Wait a second. URL is bad. [00:39:15] Speaker C: Is Palo Alto on there? I was just looking. I don't scroll back like they're the ones that identified it. [00:39:21] Speaker A: They are the ones that identified it. [00:39:22] Speaker C: Shouldn't they be rating it? [00:39:24] Speaker A: What is their system? I would think they would. [00:39:28] Speaker C: Interesting. Cortex is their XD. [00:39:31] Speaker A: Yeah, I don't see it. [00:39:33] Speaker B: Interesting. [00:39:34] Speaker A: Well, see, this is why we're doing this. Learning new things. [00:39:37] Speaker B: I'm glad we've got this live demo aspect now. [00:39:41] Speaker A: I'm sure we're just missing something here. We're going to give Palo Alto the benefit of the doubt and that for whatever reason, virus total is not showing them as someone who recognizes this because they found it. [00:39:52] Speaker B: Well, and this is updated as of February 29. So last week it was undetected on virus total, the site that you just used. So give them a week. Now they've got. It's showing up on some systems and so give it another week and hopefully we'll see that increase. But yeah, I guess we can give them the benefit of the doubt. The other thing is, you guys mentioned that it's not similar to VMware. It's VM fair. That looks nothing like it. But for somebody that, I don't know if they're new to that. Right. Maybe this is just like I'm going to see if I'm going to toy around with VMware and see what this is all about. Me a year ago, right? Yeah, maybe you look at that and no, I wouldn't do this because I have the benefit of having folks like you in the office that steer me away from this stuff. But somebody might look at that and think, well, maybe that's just the name of the link. It's short for VM firmware or something like that. Maybe I'm just missing something and I don't know that that's what they're calling it. So okay, we'll just go ahead and hit download and it'll be fine. Not necessarily, oh, I misread it, but they're just assuming that, oh, that's got to be legitimate. So I don't know, that's kind of where my mind went when I read that. But I'm approaching it from a little bit more of a beginner's. [00:40:53] Speaker A: And that's why I love having all these different perspectives on how this might look, because it can be easy for us to kind of like, be too close to the problem and go, well, it's obviously v, and that's not right. [00:41:04] Speaker B: Because I'm vMware, but. [00:41:06] Speaker A: Right. If you're a salesperson or you're in HR and you work for a company that utilizes that stuff and maybe you've heard of it and maybe it's something that is tertiary to your job but not direct, you might think, well, this should be all right, I got this link. [00:41:22] Speaker B: I should click on it. [00:41:23] Speaker A: Yeah, it seems legit. I don't know any better. And therefore, and it goes back to Mike's point, is we need to do a better job at building more secure systems to help them and, of course, doing our security awareness training so that they are being a little more scrutinous on those links and zip files or anything that you get as a downloader, as an attachment. I want to get to the day where my end users are so jaded and cynical on links and through positive reinforcement, like, yes, you did the right thing. Good job. You get a cookie, right? Yeah, here you go. You contacted it and let us know that you got a link and you weren't 100%, you weren't 99%, you weren't 80%. I don't care how small the fraction was. You thought it was hinky, and you let us know, good job. And you throw them the Scooby snack for doing that. So that we reinforce that behavior, so that one day we start to really reduce down how much that actually works. [00:42:23] Speaker B: Positive reinforcement. Because, I mean, like I said, this is distributed usually through email attachments, malicious websites. So if we can curb it there, that'd be great. You avoid the issue altogether. But if we can't, if somebody does end up installing this on their computer, what happens after that? [00:42:36] Speaker A: Nothing good. [00:42:37] Speaker B: Nothing good specifically in this case. [00:42:40] Speaker C: Well, and that depends on what you have for endpoint protection at this point, right? Like, if you don't have any or you don't have good endpoint protection, then maybe this gets through. Or maybe they wrote their malware in such a way that it bypasses most EDR available at the time they wrote that. So who knows? Another thing that was interesting in this, though, talking about people clicking on things, is we don't know how they delivered it. Did it just come from random email addresses or were they analyzing, was there some osint that was done ahead of time and try to impersonate legitimate relationships? That's something that I would do, is try to figure out who are people they're likely to communicate with, domains they're likely to communicate with and try to impersonate that. Because if a rando emails me this link, I'm probably not going to click on it. [00:43:34] Speaker A: Straight to garbage. [00:43:35] Speaker C: Yeah, if you email me this link, I'm probably not going to click on it. But you on the other hand, I. [00:43:40] Speaker A: Have an outlook rule that just sends your stuff to the trash immediately. That's right. [00:43:44] Speaker C: So if it's come from someone you trust, you're less likely to inspect that link anyways. [00:43:50] Speaker A: And even if you think it was weird, since it came from what you thought was a trusted source, you're more likely to go, well, it came from a trusted source so it's probably fine. And then if you click on it then we get into the whole ballgame of oh no, I've clicked on it and I think something bad has happened. Do I just keep my mouth shut or do I tell again, going back to we want to positively reinforce the fact that okay, we all make mistakes. You click the link, it happens, you're just a human. Thank you for telling me as soon as possible because now we can start to do incident response and the quicker we get on that the better. So if you're out there in user land and you're listening to this and you think I've clicked on something, I have something wrong. I'm afraid to tell. If they are coming and sanctioning you for letting them know that you made a mistake, then your IT team needs some remediation, right? They need to be coming alongside you. Go, it's going to be okay. They need to throw a blanket around you and bring in a crisis counselor and tell you how everything is going to be fine, we're going to fix it and don't worry. And it's a great learning opportunity for us. Speaking of learning opportunities, Mike and I are in the middle of shooting an avedr evasion series. That's what we're kind of building for you. The learner out there wanting to kind of figure this stuff out. There is some evasion tactics that they kind of tease out here in this article for Bifrost and I thought it was really interesting. [00:45:12] Speaker C: Yeah. [00:45:12] Speaker A: So what they're doing here is if you look in the article, it says the sample binary is compiled for x 86 system seems to be stripped. A stripped binary is one from which debugging information and symbol tables back over here has been removed. Attackers usually use these techniques to hinder analysis and it kind of makes things look a little less weird, gives up a little less of the ghost if you do some stripping. And I thought can we kind of see what that looks like? So we have this right here I have just a test go program right there. I don't know if you can see that very well, but we'll do go build test go right. And now I have a binary right here. And if I run file test, we can see it is an ElF 64 bit LSB executable for x 64, so on and so forth. And you see right around this region, it says not stripped bing. But guess what? There's a strip command in my system that I can look and see. I can start to remove things from it. I can strip unneeded, I can merge nodes. Lots of options here. I'm going a little too fast with the scroll for you. You can have input output files, remove sections that I know about, or I can just kind of strip the known unneeded things or strip all if I like. So if I wanted to do that, I would just say strip trip. What was it? S, I believe, and then give it the binary, which is test. And now if I look at the binary file, so you notice nothing has really changed. But if I do file test here, you now notice it does say that it is stripped. And if I were to compare the strings that were available or even file size, you'll notice that it's been reduced. There's less information now in this for it to be reversed and understood. And that's what I want to get around those detections. Mike, you've talked a ton about how brittle signatures. [00:47:08] Speaker C: Yeah. [00:47:09] Speaker A: And that doing things like this just shatters them like a fabric egg. [00:47:13] Speaker C: Yeah, certainly. Once you strip this, you make the whole size of it and the information that's exposed a lot smaller. And a lot of those keys have been stripped out as things that they can, can strip on. Now, looking at something, if it's stripped, could be an indicator, of course, depending on who you are, but it reduces that amount of information that's available. And then when an analyst tries to look at this and analyze it, or they try to analyze in a sandbox, it's much more difficult for them to do that. Another interesting thing here, and I don't know if it's for a reason. If you notice, that's an x 86 executable. [00:47:49] Speaker A: Yes. [00:47:50] Speaker C: We live in a 64 bit world. [00:47:51] Speaker A: I thought that was interesting as well. [00:47:53] Speaker C: And I'm wondering if that's an evasion tactic, like if it's compiled for 32 bit. Do they know that some EDRs and Avs tend to pay less attention to 32 bit? I have heard that in the past. I don't know if that's still the case. But I knew of people building 32 bit payloads or x 86 payloads because there was less scrutiny than 64 bit payloads. [00:48:16] Speaker A: This is why I wanted Mike on the show today, because that is a factoid I was unaware of. And now it's up here. Hopefully it's in your head as well. But very interesting, the fact that an EDR or AV system would do that would say, well, I mean, it's a 32 bit binary. Who cares about those? No one uses that crap anymore. It's like, really? Is that how it works? It'll still run it though, right? Oh, yeah, it'll run it, but I mean, who cares? It's probably like, what was the old pinball game on Windows systems? That galaxy pinball or whatever it was. Yeah, that's what it is. You're finding your galaxy pinball game, putting it back on your system. That's what this is. It's 32 bit junk. [00:48:52] Speaker C: Minesweeper. [00:48:53] Speaker A: Yeah, man, I do love me some minesweeper, bro. I've wasted many hour of my life sweeping those minds. [00:48:59] Speaker B: I wasted many hour of my life figuring out how minesweeper worked. Because anytime I've played it online, it was like, there was no instruction. It was just like, here you go, click. And then things explode. And I'm like, that. This is a stupid game. I'm not playing this. [00:49:12] Speaker A: It's a logic game. [00:49:13] Speaker B: And then once, right, once I figured it out, I was like, this is the best game I've ever played. And now I love it. It's like one of my favorites. [00:49:18] Speaker A: It is super addictive. [00:49:19] Speaker B: Yes, it is super addictive. [00:49:21] Speaker A: That's what I'm going to do. All my implants now will be bundled with minesweeper. It'll bypass everything. Everybody, like, I don't know, put in an exclusion. I don't know why it's being blocked. [00:49:29] Speaker B: What do I have to do? Yeah, I'll do whatever I can. [00:49:33] Speaker A: That's right. Mike's taking Osit notes over here. [00:49:37] Speaker B: I hate to play the assume game, but assuming somebody installs it on their computer, there's no amount of antivirus or EDR or whatever can stop this. So it's there. Once it's installed, it says that Bifrost allows the attacker to gather sensitive information, things like hostname and ip address and I imagine various incendiary other things. So that's the real, that would be the consequence of this being installed, right? [00:50:00] Speaker A: That's exactly right. They're trying to get that information out of your pocket and into theirs to use for whatever reasons they have for. Probably for building a profile of usernames and device names and kind of looking into your system and seeing what else is out there. Looking to do that old pivot maneuver. Everybody loves to pivot, Mike. Why don't they just get settled with what they have in their, know, a burden of hands worth two in the. [00:50:24] Speaker C: You want, you want more. You just want more. [00:50:27] Speaker A: You're like David Rockefeller. How much money do you need, sir? [00:50:30] Speaker C: All of it. [00:50:30] Speaker A: Just a little bit more. He said, just a little bit more. [00:50:33] Speaker B: Is that a real. [00:50:34] Speaker A: Yeah. Well, so like a reporter or whatever asked him, how much money do you need? He said, just a little bit more. And that was always the answer. I just need a little bit more. Yeah. [00:50:44] Speaker B: You didn't know we were going to be including a History segment on today's episode. Did. [00:50:48] Speaker A: Didn't study for this. [00:50:51] Speaker B: That's okay. We've got a rubric that we're grading you according to, and if you don't do well, you will not be invited. So. [00:50:56] Speaker C: All right. [00:50:57] Speaker B: Just keep that in mind. [00:50:58] Speaker A: Just keep it in mind. [00:50:58] Speaker C: I'm going to up my game. [00:51:00] Speaker B: Well, Palo Alto put together this. They kind of broke it down. Hey, this is how this works. Step by. You know, it's a decently long process, at least to my eyes. [00:51:09] Speaker A: Right. [00:51:10] Speaker B: Was there anything specific that stood out to you in this kind of breakdown? [00:51:13] Speaker A: Yeah, they kind of gave some details. So they reverse engineered this malware and they show you some of the assembly code behind what's going on. Break it down for you to show you how this works. So let's jump back in the laptop here and I'll show you. What I'm talking about is they're showing the code here and they're kind of focusing in on the fact that this is a call for data collection. And then you have this very inconspicuously named send data to c two call, which is like, okay, I wonder what that does. Mike, what do you think that does? You think that's downloading pictures of cats or something? [00:51:46] Speaker C: I think it launches minesweeper. [00:51:48] Speaker A: Yeah, that's exactly right. And then it shows you here about snippet of code looking for that set socket building a TCP connection between the compromised machine and the attackers themselves. And you can see this in these pushes that they do. And you can show you push to the, corresponds to the socket domain, which is that af inet I-P-V four protocol. So you got to get IP smuggled in. Then it builds this TCP sock stream so it can send and receive data and then of course it also needs the TCP protocol. So that's what's going on with these push calls that you see down here, six one and two. You'll notice that that corresponds as well with push two, push one, push six in the article. So just kind of helping you build it because they want to start talking, they want to start getting that information and then when necessary they want to reach back out and say, hey, do some stuff for me. What do you think, Mike? [00:52:47] Speaker C: You're 100% right. I'm going to get up on my soapbox here again. Now, for home users, this doesn't count, right? This isn't the thing. But let's talk about the enterprise here. There's no calls here to talk about like, hey, let's find out what the web proxy is and use the web proxy. They're using raw socket communication here, right? So that means they're going directly out to the Internet. So I'm going to ask you, why are you allowing egress unrestricted to the Internet from inside your network? [00:53:19] Speaker A: I can answer that, Mike. I can answer it well, because we forgot. That's right. Data goes that way too. Stupid. Stupid. [00:53:32] Speaker B: Everybody makes mistakes. [00:53:34] Speaker A: That's a mistake that tends to get made. I think that's what Mike is pointing out. [00:53:38] Speaker C: It is a mistake that tends to get made, but it's one of those things that I can't stress enough about not saying it's easy. Never say it's easy. But effective basic controls know you can shut down a lot of badness if you just don't allow bad things on your network to talk to the Internet. No one's writing proxy aware tools, so it just bounces off the back of the firewall. [00:54:05] Speaker A: And that was a fun little thing we did. Glad we could play this game. Right, because then it's over. I think that DNS sinkholing also seems to be a woefully underused security mechanism. [00:54:18] Speaker C: Yes. I think that allowing just individual workstations to query out to the Internet to any DNS server that they want is a really bad idea, especially when we. [00:54:29] Speaker A: Have vast tomes of known bad. Like we went to virus total today and it said, hey, these are bad. It knows about bad stuff. You can just make a list and say anything tries to go here, send it to 1271. [00:54:42] Speaker C: Yes. [00:54:42] Speaker A: The end. [00:54:43] Speaker B: Yeah. Wow, you make it sound so simple. But obviously it's something that slips a lot of people's minds because if you got stuff like this happening regularly, obviously mistakes are made. Yeah, well, I do like that we have this ability to. You kind of showed some of it on your screen. I'm glad that if you are listening on Spotify or Apple Podcasts, I recommend checking us out on YouTube because we do have some visual elements that are kind of coming into play here that you did a good job of describing it. Audio, whatever the word would be for that. [00:55:11] Speaker A: My ASMR version of the Technato. Hi, welcome back to Technato Bifrost. [00:55:16] Speaker B: Like we're on NPR. [00:55:19] Speaker A: Good times, good times. [00:55:21] Speaker B: Our poor director. But I recommend checking out the YouTube channel to see those visuals. And if you want to see more of what Daniel was kind of showing on his laptop, that was Palo alto networks that had that breakdown of kind of how they walked through this. But we'll move on to our next deep dive. [00:55:35] Speaker A: We have a couple of other little. [00:55:37] Speaker C: Other little bits here. [00:55:38] Speaker A: Oh, do you? [00:55:39] Speaker C: Yeah. One thing in the expanding the attack surface section in here is that they also built an arm version of this. So not only are they working on traditional intel hardware with the X 86 payload, arm is becoming much more popular as a processor. [00:55:56] Speaker A: Raspberry pis, orange pies, banana pie, all these other things that are using these arm processors, Iot, they love an arm processor. [00:56:07] Speaker C: But even the desktop market is shifting to more arm. And this payload wouldn't. The X 86 payload wouldn't necessarily work on an arm system, but now they've got an Arm native payload as well. So they're thinking forward. They're looking like, hey, there's a lot more we can attack if we just build a second payload. [00:56:28] Speaker A: That's right. And of course, if you need any of the iocs for this, this is in the article as well. There's some hash files for you. We got them on the screen. [00:56:36] Speaker C: Are you not going to read out the hash? [00:56:37] Speaker A: Yeah, I'm going to read the hashes. So everybody get your pens and paper. Route eight E 85. No. So it's just a shaw 256 hash for both the X 86 and ARm versions, as well as those domains and ips that you need to be aware of, which was download vmfair.com as well as IP 459-18-2127 those are things that you would want to have any of your detection mechanisms looking for. Write some Yara rules, do some sigma and go, hey, what's that? What you got there? No, put your hand out. No, we don't do that. [00:57:13] Speaker B: It's one of my favorite danielisms. Little hand slap. Makes an appearance in our courses sometimes. It's always fun. So does that pretty much cover as far as that kind of breakdown. And like you'd mentioned, it's Palo Alto. So if you want to see the hash, because Daniel's not going to read it out loud, you'll have to go and look at that there. Now, this next one, this is something to do with. They're stealing hashes. It's this group, ta 577 is how it's pronounced, which I guess is just threat actor 577. They're not special enough to get a name, I guess, are they? [00:57:38] Speaker A: The 577th threat actor named? [00:57:42] Speaker B: So they win a prize for being number 570. You're the 570 7th caller. So it looks like, let's see, they're stealing NTLM hashes to hijack accounts, which seems like hijacking accounts or creds or something is always the end goal. And they're using thread hijacking, something called thread hijacking, to do this, which is basically where they make it look like they're sending you an email and they make it look like it is just a reply in an ongoing thread. So maybe you're a little more likely to be like, oh, I must have missed this. You think you're already in the conversation. [00:58:11] Speaker A: You're more likely to respond, I said, call this. [00:58:13] Speaker B: Yeah, we're done. [00:58:13] Speaker A: Good job, Sophia. [00:58:15] Speaker B: Can you complicate it for me? [00:58:17] Speaker A: No. You've made it so well put out there in definitions and explanation that I cannot top this. [00:58:24] Speaker C: You know where they got that from, that technique? [00:58:27] Speaker A: What's that? [00:58:27] Speaker C: Sales. They've been doing that. [00:58:30] Speaker A: True. [00:58:30] Speaker C: They have been doing that, like, nonstop the last year, year and a half. Be like, hey, in case you missed my previous email, it's like you never emailed me before, and I'm definitely not going to ever do business with you now. [00:58:41] Speaker A: Yeah, I wanted to reach back out to you pure our conversation. We never had a conversation. I don't know you. But, yes, you are absolutely right. Someone must have switched over from being a salesperson into tech, and they were like, I really like computers, and now I can use it to make money, because that's what it always boils down to. Right? [00:59:00] Speaker C: 100%. [00:59:01] Speaker A: But this is a bit of a novel approach to the way using that thread hijacking way to compromise those nTLMV two hashes. Because if you're out there going, Daniel, what's an NTLM V two hash? It's gold. That's what it is. It's hacker gold. They want it, they love it. They mine for it day and night. Because, Mike, correct me if I'm wrong. These can be used in a myriad of different ways. Yeah. [00:59:29] Speaker C: So ntlm v two can be cracked. Like, you can throw that on a hashcat rig and try to crack the password for that. I believe you can downgrade this to ntlm if you have the net ntlm v two hash as well. Don't quote me on that. I could be wrong. I could be wrong. But when you have those NTLM hashes, and this article keeps talking about NTLM hashes, so I have to assume that that's what they're doing because you can replay those. Like, if I have your hash, I can now use tools like impact it or something like that to pass the hash to your computer. I don't need to know your password because I have your hash. Just need to know who you are. [01:00:09] Speaker A: And how that works. I love how the system basically assumes. And here we go. Right. When anything makes an assumption, it's obviously 100% right every time. And in this case, it assumes that if you have the hash of the password, how else would you have that if you were not the actual user? Therefore, the hash is as good as the password, in its humble opinion, and allows you access to these things. Why? We love a good old pass the hash attack. Don't. [01:00:39] Speaker C: It's a feature. [01:00:40] Speaker A: Yeah, it's a feature. [01:00:41] Speaker C: Not a bug. [01:00:42] Speaker A: It's not a bug. But let's talk about initial access, right? Sophia, you were talking about how they did this little trick to say, hey, we talked before, I'd like to talk to you more. I got something for you. And it's that I got something for you is where this gets really fun, because there's an attachment on these emails that if you click on them, inside of it, it's a zip file. [01:01:08] Speaker C: And that's the important part of this. [01:01:09] Speaker A: And you'll notice it's also encrypted, so they have to give you the password. Why do they encrypt that, Mike, what's the purpose of that? [01:01:16] Speaker C: So that it is not automatically inspected by whatever mail server is handling that message. Lots of email providers, if you attach a zip to an email, they will explode that zip to look at the content before it even gets delivered to you. [01:01:33] Speaker B: See, I would not have even thought of that angle when I saw that you need a password to get to it. I would have just thought that was to make me, as the end user, think, oh, this is something good. If I got to put in a. [01:01:43] Speaker A: Password to get to, that's just a bonus. [01:01:46] Speaker B: I would have thought it was just like a psychological thing. [01:01:49] Speaker A: On sale for the attacker out there, right. That helps them to bypass security systems that are looking to see is this bad. And it bypasses the user security system of, oh well, it's got security built onto it. [01:02:03] Speaker B: That door has a lock on it. [01:02:04] Speaker A: Yeah. [01:02:04] Speaker C: I want to get in. [01:02:05] Speaker A: This is right, I'm curious. And it has a security mechanism, therefore it must be safe, right? It can't have been exposed, it's been encrypted. I'm being safe. So kind of preying on that. Not pejoratively, but ignorance of the system and how that works. [01:02:22] Speaker B: And if you were to receive an email like this and you haven't been watching Technato, so you don't know not to open these things, but you decide that you're going to put in this password and open the zip file. What happens when you open that file? [01:02:34] Speaker A: So inside the file there's a bundle of file. Yeah, a bundle of joy. It writes some HTML files to your disk, right? Or I don't know if it was some or one, there's at least one obviously. But this HTML file does what's called a meta refresh. So HTML, that's what runs websites, right? That's the code which runs websites. It can do a lot of stuff and it's usually fairly innocuous, but in this specific case, and Mike, this is where Mike went fuming mad and flipped a couch, started a fire in the trash can. It was a thing to see, honestly, never seen a grown man swear so much. But when that file, let's jump in here, I'm explaining it, but here's the actual file itself. And what the important bit is, is right here, you see this meta, HTTP equivresh content equals zero. And then this URL, and it has a file. So file is fun, you think, well it's a file, it's a local file, but guess what? File can also look at URLs and out into the Internet. And look, there it is, 66.63 188 19. And it's got a directory and ultimately this two text file. So it goes out and looks for that. But because of this refresh, it does an SMB connect, it looks to authenticate to an SMB server and that's where the magic starts to happen, right Mike? [01:04:05] Speaker C: Exactly. So if this had been like an HTTP URL, it's just going to try to reach to this website, but because it's file, it'll cause it to do an SMB connection to the attacker's server. Now someone with the appropriate toolkit like impact, it or something like that. Responder I suppose would work here too. If you have that running on your server and this connection reaches out to you, you can automatically capture the hash from the user. It's how Windows works. It's going to pass that on to you. And now you have captured the hash. And the reason they had to put this HTML file inside a zip is because outlook has been patched. So this used to work. You could have just attached that HTML directly to your email and it would have worked. But there's a patch that doesn't work anymore. So we stuff it inside a zip, we get the action outside of Outlook and Windows will do its thing and try to give up your hash and. [01:05:00] Speaker A: All things old or new again. Right? Isn't it fun? Isn't this a fun game that we get to play? Now you mentioned impacket. They're fairly certain that impacket is what they are using because impacket has a kind of a rudimentary SMB server for doing this specific thing. And when they looked at the packet analysis, which we can see here, they showed that this NTLM server challenge of all these AAA thing that's going on, they could see that down here in the packet, which is, if I'm remembering, yeah, right around this region. And that seems to jive with this is impact, it's GitHub repository and we can see that right around here. And you see those x bytes, those hex bytes of 4141-4141 that is the hex representation of the letter a. So there you go. That's what's leading these research to believe that they are using impacket for the purposes of stealing that NTLMV two hash. [01:05:58] Speaker C: Note to pen testers everywhere, if you're using impacket, go ahead and change that default challenge and guid because that is easily signatured and can get you busted. [01:06:12] Speaker A: Please stop trying to make me work. I know that's all of 4 seconds worth of it, but who's got that kind of time? [01:06:19] Speaker C: I know it's oppressive and burdensome. [01:06:23] Speaker A: It really is. I'm going to need you to get off my back. Okay. [01:06:27] Speaker B: It's like I'm in the room with a married couple. This is incredible. I get to witness the fight in person. The goal I guess here, or the idea behind why instead of just sending a file like this, a zip file like this, or something so similar, and then you open it and no, now there's malware on your computer. Instead of doing that, it's more of a long game thing where they're trying to capture that hash, so then they can use that to basically log in as you. Right. So then it just looks like it's just a user logging in. It's not suspicious the way that, I don't know, a malware signature might be. Is that right? [01:06:56] Speaker A: Yeah, because it is way more typical to drop malware to disk instead of just trying to find novel ways of getting NTLM hashes. But if you can, it would seem preferable to get those hashes because you can't crack them offline. Or you could do a pass the hash, if possible, and gain access with legit user creds, whereas that malware sitting on the disk is on a ticking clock before something trips a wire, it's much less likely. And, Mike, you correct me on your experience. I'd love to hear exactly your experience on how long your malware tends to survive in a system. I know you don't probably leave it in there for too long. [01:07:32] Speaker C: Yeah, most of our campaigns are pretty short, so we're in and out. But we do have some red team type campaigns where the client says, hey, we want you to execute this malware and then come back in six weeks and start doing the test. And we've done that. And if you've done your job right, it's still running six weeks later, and then you go on and do your couple of weeks campaign. But you were talking about doing some work. It takes some work to get there. [01:08:01] Speaker A: And I'm thinking, if you have, like, a threat hunting team that's doubling down now, not only do you have AVR system looking for signatures and behaviors that are off and setting off tripwires, you've got literal people going, I'm going to look at these things and go, what's going on here? What's going on there? I'm going to use assume breach to think, well, this is doing something. What's all these network connections? I don't recognize, even though I don't have any signatures. Firing off with the AV and EDR. I don't know what that is. I'm going to start doing some research. [01:08:33] Speaker C: You know, I just got triggered. [01:08:37] Speaker A: The kerosene in the matches. Sophia, hurry. [01:08:39] Speaker C: I don't think the soapbox came out for this. But you said something, talking about threat hunting and seeing these connections. What kind of connections are these, and where are they going? They're SMB connections going from inside your network out to the Internet. Why are you allowing SMB out to the Internet? [01:08:54] Speaker A: Pixie dust, Mike. Pixie dust. Pixie dust. Calm down. Okay. [01:08:59] Speaker C: I'm better now. I'm better. Thank you. [01:09:02] Speaker B: This is a sight to see. This is more entertaining than the whole. [01:09:05] Speaker A: Podcast bubble just beneath the surface. Okay. [01:09:08] Speaker B: This is great. Yeah, we need to get, like, just Mike, his own. Do you do a podcast? Do you have like a show that you don't? [01:09:15] Speaker C: I don't. [01:09:16] Speaker B: We need to rectify that immediately. [01:09:18] Speaker C: And it's tragedy, sir, but you're going to have to travel to my town to do. [01:09:22] Speaker A: Absolutely. Listen, don't threaten me with a good time. [01:09:25] Speaker B: Angry commentary from an angry man. I want that from Mike. Next. Got this is from proofpoint that kind of broke this down and talked about how this works. And I believe that's the site that you were pulling from as well. [01:09:37] Speaker A: Absolutely. [01:09:37] Speaker B: And they've got a whole list of indicators of compromise and example, threat signatures, which is good, because then you know what to look for. [01:09:43] Speaker A: That's right. This is where you start your rule writing. Right. Get your sigma and Yara rules going. If you had DNS syncholing, this would work very well for that. Or just make a firewall rule that says do not allow from or to. Don't forget the from or two part. Right. Egress is also as important as ingress and say, we just don't talk to these things. They are Persona non grata in this environment. Do something. You have it here. Secure yourself. [01:10:12] Speaker B: Secure yourself. Yeah, this is a new trademark. [01:10:14] Speaker A: Go secure yourself already. [01:10:17] Speaker C: All right. [01:10:18] Speaker B: This reminds me a little bit of how they were talking about. We've never observed this threat actor just demonstrating this attack chain to steal these credentials. It reminds me of, there's like a John Mulaney bit where he's talking about the horse in the hospital and the horse is using the elevator. I didn't know the horse knew how to do. Oh, why is he doing that? That's a little different. So that's kind of what this reminded me of, that usually they observe this particular group conducting attacks to deliver malware, and it's like, okay, at first blush, this is a little different, but potentially the consequences could be a lot worse because now you've got potentially long term access to an account. So scary, scary stuff. We'll rename this segment to just striking fear into my heart. That's all we do during this segment. But that pretty much finishes up this kind of breakdown that they gave us, that proofpoint gave us of this particular attack and this threat actor. Were there any other points posed in this article that you all wanted to touch on? [01:11:11] Speaker A: Just hopefully you learned a thing or two about how threat actors, and this goes for both of the articles, is we're just trying to show you what are some of those common ways in which threat actors are gaining access into systems. And as we continue the deep dive section in the new format here on Technato, you're probably going to start to see some patterns and you're going to start getting like Mike here and going, why is SME on, like, what is even the purpose of this? This doesn't make any sense. We've seen it a million times. You will eventually become angry Mike here, and we look forward to that day. [01:11:46] Speaker C: Honestly, I do. You don't want that. Don't bring that on yourself. [01:11:51] Speaker A: Technato turning people into cynics since 19. [01:11:55] Speaker B: Something, 1616 ish years ago, something like that. Yeah. I don't know. I wasn't around then, so I wouldn't know. But I do like that we've got this kind of, I'm enjoying this new breakdown. I feel like this, the deep dive gives us an opportunity to dive deeper, to look a little bit more at the details of things and how this stuff works. But that rapid fire segment is a lot of fun because it does keep it a little more surface level because we're going on a quicker time limit, but it allows us to get through a bunch of stuff. And if you're somebody that maybe doesn't like getting into the nitty gritty of things, you can still enjoy that rapid fire segment and kind of get your fill, if you will, of the news going on for the week. But I've enjoyed this. Let us know in the comments what you'd like to see for Technato in the future if you enjoyed this episode, what your favorite parts were. I also mentioned earlier in the show techno is sponsored by ACI learning, the people behind it pro. And you can use that code, Technato 30 for a discount. So you'll get access to the it pro library. A lot of binge worthy cybersecurity and it content. That's not my word. That is a word that is collectively used. And we're in there. Daniel and I are in that library as well as all the other great educators at ACI learning. So if you want to check out those courses, whether you're looking to maybe study for a cert or you just want to pick up a new skill, in fact, you guys are working on a course. I know you mentioned it a little bit earlier on AV and EDR. Is that the course you're working on? [01:13:03] Speaker C: Yeah, AV and EDR evasion. [01:13:06] Speaker B: It seems like you're having a good time. [01:13:07] Speaker A: That's what I call premium content, ladies and gentlemen. [01:13:10] Speaker B: Every time I poke my head back there, you guys are laughing. You look like you're having a great time. Are you enjoying your time in the studio? [01:13:15] Speaker A: We don't talk about SMB being open. [01:13:18] Speaker C: I don't get too ranty. Yeah, we're having a great time picking up some skills and learning some stuff on the fly because windows defender likes to push updates during the middle of the class and then stuff doesn't work. But yeah, we're having a great time. [01:13:34] Speaker B: Those are the best ones. [01:13:35] Speaker A: It's quite the cat and mouse game, but it is fun to watch. [01:13:38] Speaker B: We have just as much fun recording those courses as you hopefully have watching them. So if you're watching from the Technato website right now, you, you can actually just click on that sponsored by button and it'll take you straight to a page where you can look at your subscription options. So it's as easy as that. But otherwise, if you're watching from YouTube, listening on Spotify or Apple podcasts, just go to acionarning.com and you can take a look at the options there. If you're looking to maybe dive into that it pro library and see what's in store there. But I think that's pretty much going to do it for this week. I did mention we've got a webinar coming up Thursday 02:00 p.m. Eastern time with Joe Helly. So that's going to be fun. He's a new guest here on the AC platform. [01:14:10] Speaker A: Super excited. Looking forward to found out yesterday. I did not know this. He posted on LinkedIn and said that I was one of his first cybersecurity trainers when he got started. And I'm like, well, of course I wouldn't know that, right? Because I don't get to see you normally unless I'm at a con or something. You come up and you say, oh, I watch aci it pro. And I'm like, oh, that's cool. I had no clue that Joe, who is now a coo of TCM security, I helped him cut his teeth a little. It yeah. So it's kind of to can't wait to hang out with him. [01:14:41] Speaker B: It's a full circle moment, right? That's really cool. It warms the cold heart. And we'll have Mike here as well while we're recording that. He'll be able to kind of sit and watch and judge. [01:14:52] Speaker A: I'm sure he'll be in the chat room throwing the hardest questions. [01:14:55] Speaker B: Give us some immediate feedback. Who knows, maybe you'd be interested in coming on as a guest in the future. Potentially. Possibly. [01:15:01] Speaker C: You know, you could convince me. [01:15:03] Speaker B: Not yet. [01:15:04] Speaker A: Right? [01:15:04] Speaker B: But maybe one day, yeah, you can convince me. [01:15:08] Speaker A: It's a statement of fact. [01:15:09] Speaker C: There's a statement of fact. There's not a not yet here. You can convince me. [01:15:13] Speaker A: We are at the station. [01:15:15] Speaker B: Well, that's good to know. I'll add that to my notes and we'll talk to Kathy about it, see what we can do. But with that said, I think that's going to wrap it up for this episode. Mike, thank you so much for joining us for techno. I hope you had a great your time because we certainly love having you here. [01:15:26] Speaker C: I had a great time. Have me back anytime. [01:15:29] Speaker B: I'm glad to hear it. Once again, Mike from Red Siege. Daniel and I are looking forward to coming back in the studio every week and trying out this new format. I had a lot of fun. I hope that you did too. [01:15:36] Speaker A: Good times were had. [01:15:37] Speaker B: Good times were had by all and only one feces joke and I feel like that is a game we'll give him a challenge, except to measure up to. Thank you so much for tuning in for this episode of techno. Once again, let us know what you thought and we'll see you next week for another episode. Thanks for watching. If you enjoyed today's show, consider subscribing so you'll never miss a new episode.
Previous Episode
Next Episode

Other Episodes

Episode

December 15, 2022 00:41:54
Episode Cover

Technado, Ep. 286: Bypassing WAFs

Security researchers have figured out how to get around a web application firewall with a new technique that impacts several vendors. The Technado crew...

Listen

Episode

January 23, 2020 00:51:42
Episode Cover

Technado, Ep. 135: Progress’ Greg Mooney

On this week’s episode, the team is joined by Greg Mooney from Progress, the company behind products like WhatsUp Gold and iMacros. Greg has...

Listen

Episode

January 07, 2021 00:50:23
Episode Cover

Technado, Ep. 185: ACI Learning’s Brett Shively

For the first episode of 2021, Technado welcomed ACI Learning’s Brett Shively who talked about the state of adult learning and the recent merger...

Listen