351: Google has a Mole?! (Corporate Espionage!)

Episode 351 March 14, 2024 01:11:04
351: Google has a Mole?! (Corporate Espionage!)
Technado
351: Google has a Mole?! (Corporate Espionage!)

Mar 14 2024 | 01:11:04

/

Show Notes

Daniel and Sophie jump right into this week's episode with the return of favorite segments like D'oh, Behind Bars, and Who Got Pwned. They cover a VMWare patch so urgent, it's even being issued to EOL software. Roku had some trouble this week with angry customers and breached accounts (which, by the way, are barely worth 50 cents). We saw some sour news from the US government this week: CISA fell victim to a breach, and the FBI announced record losses to cybercrime in 2023. The Technado team covers all this and more in this week's Rapid Fire segment.

In today's Deep Dive, Daniel gives us a detailed look at MagnetGoblin (the threat behind Ivanti, Magento, and more hacks). We take a look at some of the threat group's favorite tools and tactics, as well as the 1-day vulnerabilities they've been exploiting recently. In a bonus Deep Dive, there's a Python Infostealer lurking in messaging services - and thanks to the researchers at Cybereason, we have the latest on each variant and how this attack works.

 

View Full Transcript

Episode Transcript

[00:00:00] Speaker A: You're listening to Technato. Welcome to another episode of Technato. I'm your host, Sophie Goodwin. And just a reminder that Technato is brought to you by ACI learning the folks behind it pro. And that's what we do in our day jobs. You can check out that course library for lots of great cybersecurity it and audit content. You can use that code, Technato 30, for a discount on your membership. Of course, I'm not alone here. Am joined by Mr. Daniel Lowry, the one and only, a man who probably needs an introduction because you might not know who he is. [00:00:30] Speaker B: I don't even know who that's. [00:00:32] Speaker A: That's normal. That means we're off to a good start here. I want you to do the whole show in that voice, please. We'll make that a segment on one of our upcoming shows. But we got a lot of great news. We were kind of going through some of the articles the other day, and it was tough for us to narrow this down. [00:00:51] Speaker B: We only have so much time, ladies. [00:00:52] Speaker A: And we had a hard time. [00:00:54] Speaker B: Stay under an hour six of techno. [00:00:58] Speaker A: It's like a telethon. [00:00:59] Speaker B: We got phones. The phones are standing by. [00:01:01] Speaker A: Send water, please help. But we'll go ahead and jump in. Just a reminder, if you're relatively new here, we've got kind of a new format we're trying out. So we're going to run through several of these articles in kind of a rapid fire style and just spend a couple of minutes on each one, touching on the hot topics, if you will. And then later in the show, we'll do a bit of a deep dive into some of the other news that came up this week. You about ready, Daniel? [00:01:21] Speaker B: As will ever that was. [00:01:23] Speaker A: You were so close. You were so close to saying a full sentence. I'm proud of you. We'll go ahead and jump into this first one. This comes to us from malwarebytes and it says patch. Now, vmware escape flaws are so serious, even end of life software gets a fix. And I read this and I was like, well, that seems weird, because if it's end of life, that would mean probably it doesn't have or it's end of support, I guess would be the term. And Daniel confirmed for me. Yeah, this is not normal, right? [00:01:45] Speaker B: Yeah, it's got to be super, super bad for them to go, hey, even if you're running like an older version of this, we're going to go ahead and give you a patch. This is how bad that is. It's fire all around you, dogs and cats living together. Complete anarchy at this point. So when we talk about VMware, you're familiar, right? VMware, really nice piece of software. A lot of people like it. It's probably waning on that because they've gone through some acquisitions and mergers and things of that nature, and now they're kind of throwing the double birds up at their customers. But neither here nor there at this point, at this juncture, because they have a VM escape flaw. Are you familiar with VM escape flaws at all? [00:02:28] Speaker A: So it sounds like it would be a flaw that allows you to escape the virtual machine. But I could be wrong. [00:02:34] Speaker B: No, you are absolutely right. Obviously, it kind of embezzles the definition, what's inside of it. But are you familiar with what that means to the end user? [00:02:42] Speaker A: Well, when I think about using a virtual machine, especially for security purposes, it's maybe you've got a VM spun up as kind of like a sandbox. So if you've got a file or something and you open it, there, hopefully, if there's anything weird in that file, it's, like, contained. Right? [00:02:56] Speaker B: Okay. So you can use them as sandboxes, and they are used as sandboxes. But if you're running a product from VMware, like Esxi or Fusion or workstation, you are making virtual machines that you are going to use, most likely for business purposes or testing purposes, especially with Esxi. Esxi is their product for enterprise virtualization. So I don't go out and buy a bunch of servers. I buy one or two servers that have a lot of memory, have a lot of CPU, and then I build virtual machines with inside of it. And that's my file server, that's my content server. That's everything. Okay. This affects that. [00:03:37] Speaker A: Right? [00:03:37] Speaker B: Okay. So pretend, if you will. You're Amazon, you run AWS. You're using VMware, Esxi, to build out your virtualization for all your clients. [00:03:49] Speaker A: Okay. [00:03:49] Speaker B: All right. Now you're Sophie's hats for cats and I'm Daniel's socks for dogs. Right? Completely different companies, we might be on the same piece of hardware. And through that virtualization escape, I can now jump from me to you, to every other client on that VM on that server. That's why this is not good. This is why they're telling everybody, even if you have an older version, that we no longer support, we are supporting you. [00:04:18] Speaker A: Yeah. [00:04:18] Speaker B: So that's kind of a big deal. [00:04:20] Speaker A: It looked like there were, I think, three or four CVes that were mentioned in this. And obviously, if they are providing some kind of a fix or an update for end of life software, that's how you know it's pretty serious. So I guess if you are using end of life vMware, you're not immune. You should probably keep an eye out for that. [00:04:35] Speaker B: Yeah, I would check out the advisory that's linked to it. It is the VMSA 2024 six. And of course you can just do a Google search. We'll land you on that probably pretty. [00:04:46] Speaker A: Quickly in a PSA courtesy of Daniel Lowry. [00:04:49] Speaker B: Yeah, the more you know. [00:04:50] Speaker A: Yeah. The reading of the rainbow. [00:04:52] Speaker B: The more you know, the more you know. [00:04:53] Speaker A: We'll go ahead and jump into our next one. This one's kind of interesting. Over 15,000 hacked Roku accounts sold for $0.50 each to buy hardware. I read an article that was about Roku, like, last week, and it was something about, like, there was new terms of service and people had to agree. There was no option to disagree or look at them later. And if you did not agree, it locked your account and you couldn't access your Roku stuff because you don't agree. [00:05:14] Speaker B: To their terms of service. [00:05:15] Speaker A: Exactly. [00:05:16] Speaker B: That's kind of how that works. [00:05:17] Speaker A: And people were like, so mad. They were like, this is disgraceful. That was a word used, disgraceful. Don't know that I'm. [00:05:22] Speaker B: Were they making you agree to something like, horrible? You must be a Holocaust denier, right? What is going on? [00:05:30] Speaker A: If you don't kick puppies, you cannot use. But in this case, it's accounts that were sold to buy hardware. So this is a data breach that impacted 15,000 customers. Hacked accounts were used to make fraudulent purchases. So that's just so fun for Roku users out there. I wonder how many total roku users there are. If 15,000, probably a lot. [00:05:48] Speaker B: I mean, 15,000. I would assume that Roku has quite a few. I mean, how many Roku's are in your house? Right? Good point. Do the math. [00:05:57] Speaker A: Yeah. At least two. [00:05:58] Speaker B: Now, you only have one account for sure, but they're so ubiquitous, right? Everybody has something that probably has Roku hardware shoved in. [00:06:07] Speaker A: Pretty widespread at this point. [00:06:09] Speaker B: Yeah, but it was very interesting because the breach allowed the attackers to gain access to your account. Right. So they could log into their Roku as you, and then they could sign up for streaming services, they could purchase hardware because a lot of times through the Roku system, you can sign up for all your streaming services and have kind of Roku manage that. So that not only gave them access to their Roku account, but your other streaming services so they could watch your streaming and do whatever they want. Then somebody got the entrepreneurial bug and went, hey, I'll sell them for like $0.50. [00:06:51] Speaker A: Yeah, right. [00:06:53] Speaker B: Get your logins here. Fifty cents, two for a dollar. It's just kind of funny. It's like a street barker. [00:07:02] Speaker A: The only way you can really fix this if your account was hijacked is going and clicking on that forgot your password link on the website to get a link to your email. But they don't support two Fa. So even in the case of credential compromise, you can't prevent a hijack like this because if somebody were to get a hold of your credentials, it's not like they've got that stoppage of. We tried to log in, but there's. [00:07:20] Speaker B: An app or something you can do is use a strong password with Roku because as I was reading about what they did, they did a credential stuffing attack. So known passwords being used and see if they're being reused in other places. So one breach has a password and they try it in other areas to see if they can breach those as well. They used open source tools such as open bullet two, which I checked out the GitHub repo. It's like, oh, that's a really nice looking tool. For non evil malicious purposes. It's very helpful to check whether or not you have password issues in your organization. But they were using it obviously for that. But yeah, since they don't support that two fa, you got to have a good password on there. Otherwise this is going to be your life until Roku goes two fa on you. [00:08:10] Speaker A: Probably a good rule of thumb, just even if you have two fa and all the other security measures make it a strong password anyway. Don't use like my dog. Four, five, six. That's just probably not a great security measure. My dog, I don't want to put my actual dog's name in there because somebody's going to guess my password. [00:08:24] Speaker B: Well, you can always use service like have I been poned? [00:08:29] Speaker A: Right. [00:08:29] Speaker B: To see, to check and see whether your password is in a known data breach. [00:08:32] Speaker A: You're right on the money. Because speaking of this next segment, because we are doing the segments, is who got pwned? [00:08:38] Speaker B: Who got poned? [00:08:38] Speaker A: Looks like you're about to get poned. Fatality bringing them back. We love those segments. This one comes to us from nine to five. Mac security byte, hackers, breach. Cisa. Cisa, sisa. [00:08:49] Speaker B: I call them Cisa. [00:08:50] Speaker A: CisA, I've heard it pronounced all the different ways. CISA forced the agency to take some systems offline. And this is a little ironic, right? [00:08:57] Speaker B: It is. Which is why we shuffled around. Whether or not we're going to do this is a dough segment, because it's kind of funny or ironic, we'll put it that way. It's kind of ironic. So Cisa got breached. They are a branch of the DHS. It is a very good thing. Right. They're trying to bring awareness to things like ransomware and known vulnerabilities that are out there. They put out a lot of really good information. I have used them quite extensively, so it's a very good thing. Unfortunately for them, they had two systems hacked. One was their infrastructure protection gateway, the other was the chemical security assessment tool. According to CIS, nothing bad happened because of this. Even though that the chemical security assessment tool does have access to critical infrastructure stuff. [00:09:53] Speaker A: Right. [00:09:54] Speaker B: There is that. But don't worry, it's all good. We shut those systems down. Or did we? Because I think there was some ambiguity of whether or not systems were shut down or what was affected or what was reached. [00:10:07] Speaker A: Yeah, it just says that they reportedly had critical ties to us infrastructure, which is always great to hear, and they reportedly had to shut down both systems. So I guess it's just going off of whatever they're saying. And we know when security breaches happen, agencies are always honest about all the. [00:10:22] Speaker B: Details every time, especially the federal government. They never lie, ever. Not one time. [00:10:28] Speaker A: Oh, they care about you. [00:10:29] Speaker B: Never happened. But the reason we thought about making this a dough was because they had reports. So they got breached through the avanti vulnerabilities that are out there. They just keep on giving. And they had reported on this and said, you need to patch, but they didn't quite make that deadline themselves, it seems. And, yeah, there you go. That's fun. [00:10:53] Speaker A: Yeah. It's not immediately clear who's behind the attack, but it did happen through the vulnerabilities affecting Avanti connect secure VPN. And, yeah, on February 1, it ordered all US government agencies to disconnect the Avanti connect secure and all that stuff. And then weeks later, they were like, oh, we were affected. And that kind of makes me wonder, maybe this is, like, conspiracy theory esque, and I know this is rapid fire, so we'll try to get through this quickly. But if they were supposedly breached, it said in February, towards the end of February, that's when they announced this or started talking about this. They told agencies at the beginning of February. Hey, you need to disconnect. Were they already breached? That's what it seems like they were like. Well, hey, just at random. We just thought we'd tell you probably don't want to use these. Not for any particular reason. [00:11:31] Speaker B: Yeah, not that we have any personal experience with that, but this bad, right? [00:11:37] Speaker A: Maybe a conspiracy there, but it's not a theory if it's true. [00:11:40] Speaker B: That's exactly right. [00:11:40] Speaker A: Maybe that'll come back later on. We'll have to wait and see. We'll have to find out this next one. Another just awesome tale from the government. FBI. US lost record 12.5 billion to online crime in 2023. And they lose a lot of money every year. But if we look at this chart. [00:11:56] Speaker B: Here, I don't think that's the FBI that lost twelve point something. [00:11:59] Speaker A: I think that's the US economy. That's the reported loss. But we were kind of talking about this. You see these red lines? They just keep going up, just exponentially, year after year. [00:12:09] Speaker B: Man, they keep giving that money up, don't they? [00:12:11] Speaker A: They keep giving the money up, but the complaints are not really increasing by much, and I can't imagine why. [00:12:17] Speaker B: Yeah, that does seem interesting. You folks out there, what do you think that is? Why do you think that they're increasing in the. Well, maybe they're just stealing more money, right? Could be. So there's the same amount of hacks that are happening, but they're just more lucrative. That's a total possibility. Could also be. This is where we thought was kind of interesting. It could also be, could. Big emphasis on could. We don't have the facts in front of us. You know, it's about statistics. They are fun, right. You have to be without all of the information in front of you. You're left to draw your own conclusions. But maybe they're just not reporting that. But they are reporting losses, right. They're not reporting the breaches, but they're reporting losses. And maybe that's the whole impetus behind the fact that we've passed some legislation recently to say, you must report things when it happens. Maybe we'll see this go up next year. As far as the reporting, that is hopefully not the money, right. [00:13:18] Speaker A: Hopefully the money goes down. But if the past several years, they're setting new records every year, which is just great. I love it here. [00:13:24] Speaker B: 2% since last year, 22%. That's a lot. [00:13:29] Speaker A: Everything's bigger in the US. [00:13:31] Speaker B: That's almost one quarter of an increase, right? [00:13:36] Speaker A: You're absolutely right. A couple of other things I thought were interesting were the types of crimes that increased were textport scams and extortion. But phishing, personal data breach and non payment, non delivery scams waned. So if phishing scams are on the at least they waned a little in the last year. That's good. [00:13:50] Speaker B: Number one was BEc business email compromise. [00:13:53] Speaker A: Right? [00:13:53] Speaker B: They love that, man. That's popular. Yeah, that is a popular one because it works. It works like a charm. Clearly they have hit on hacker gold right here. [00:14:05] Speaker A: A million dollar method right there. [00:14:07] Speaker B: Literally have to be technically savvy to do this. Just make an email, looks like it's them. Then bada bing, they start sending you stuff. Bing, bada boom, dummies. [00:14:16] Speaker A: Definitely. There's a lot more detail in there about specifically the types of crimes and everything. So you can go and take a look at that, but we'll go ahead and move on. This one comes to us from the hacker news. Proof of concept exploit released for progress software open edge vulnerability. The reason I thought this would be a kind of interesting one to include is because if we scroll down a little here, maximum severity rating of ten, cvss scoring system. So that's a good sign, right? Ten is good. [00:14:40] Speaker B: Perfect ten, yeah. The bigger the number the better, right? This is America. [00:14:44] Speaker A: It's like gymnastics. [00:14:45] Speaker B: We like it. [00:14:45] Speaker A: You want a perfect ten. [00:14:46] Speaker B: That's right. What do you think this is, some kind of little sissy hack? No, this is the good stuff here. [00:14:53] Speaker A: So when it says a proof of concept exploit, just for those that might not be familiar, what does that mean when they say there's a proof of concept that's been made available? [00:15:00] Speaker B: So a proof of concept means that someone has developed a script or an exe that you can double click or run and it does the hack and it's proving that the concept that they have researched and are claiming to be true as a vulnerability actually works. So it's not just a. Oh, theoretically we were looking at the code and it looks like this might have this effect, they went, nah, I'm going to throw my cards on the table and prove to you this will actually work. Hence the term proof of concept. Right, POC code. Once that gets released, it's usually just a matter of time before the threats of the world pick up on that and go, I can modify this to my own ends. Yay. I did look at the POC and yeah, you got to be fairly savvy on this system to be able to pull it off. It seems unlikely that you're at script kitty level. It seems that the researchers that created that POC code were in mind of like, let's not just give the whole kitten caboodle to the world, let's make them work for a little bit, which is common. It's common with POC, is to be something's wrong with it. It's kind of janky and it doesn't really work outside of a very specific environment. So you have to have the wherewithal to change that and make it work. But if you are within that, as long as they can prove that their concept actually works, then it is true POC. [00:16:30] Speaker A: Yeah. And when you see a high ranking like a ten like this, a lot of times that means if this is exploited, the consequences could be bad. Right. And it's not terribly like, I know sometimes they'll have a lower score because even if the consequences would be disastrous, it's like super hard to pull off or the likelihood of somebody being able to exploit this is low. So in this case, a perfect ten, that would lead me to believe. Not that difficult to pull off. [00:16:50] Speaker B: No bueno. When you see the big 10 on the score for the CVSs, a lot of times that does mean that it is being exploited in the wild. Like that is happening, but not necessarily. This, I think is because their proof of concept code is like, and it is publicly available. So that leads me to believe that's what it is. But interesting little hack. They said that basically what ends up happening is you get remote code execution as nt authority system, which is not good. That's full system authority. You can do anything you want, have access to anything you want. And this is due to the mishandling when passing unexpected account information, which it did not expect, it did not know how to handle when you tried to authenticate as nt authority. So it just went, okay, at least that's what I took away from. [00:17:45] Speaker A: Yeah. The phrase they use is unauthorized access sans proper authentication. And it looked like, yeah, it was unexpected types, usernames, passwords that are not appropriately handled. So it sounds like what you're saying, like they just don't really know what to do with it. They throw up their hands, they didn't. [00:17:56] Speaker B: Expect it, so they never coded in how to deal with this type of. And that's how a lot of these things end up happening is how does it handle unexpected information. Right. As a developer, part of your job in secure coding is to try to make account for those things. Okay, let's say you can never trust your end user, you can never trust input from the end user. So if that is a username coming through the system. What happens if they give you something you don't expect? It should throw an error. It should say, hey, that's not a legit username. Sure, we expect this format. If you do not follow those rules, you will continue to get this message. But if you don't code in those expectations, it could just go, there you go. I guess that was it. And to authority. Good for you. [00:18:48] Speaker A: Looks good to me. [00:18:49] Speaker B: I mean, who am I to argue? [00:18:50] Speaker A: Kid walking up to the club with a fake mustache and a trench coat on, and they're like, it looks good to me. Let them on in. Yeah, that's an adult right there. So those tens on the vulnerability scales are always so fun to cover. So hopefully that's not something that affects you in the future. We'll go ahead and move on. This one comes to us from dark reading. Japan blames North Korea for piepai supply chain cyber attack. And, well, the girls are fighting. I saw supply chain, and I was like, oh, those supply chain attacks. Those are no buenos are never good. [00:19:19] Speaker B: Yeah, that's the world on fire right there. [00:19:21] Speaker A: We don't, like, had to. I talked through this with Daniel a little bit, because I'm not a python girly. I'm not a python user per se, yet. Give me some time. Yeah, I'm young. I got time. But he was kind of talking me through what pypy is and how you explained it to me. It's kind of like a GitHub, and it's open, and you've got, like, well. [00:19:41] Speaker B: It'S a repository of python libraries. I can create a module, as you were, and put it in pypy, and then if you want to use it in your python code, you can just import that right in. Cool. Everybody's happy. Look at that. I didn't have to reinvent the wheel. It was already there in pypy. Thank you, pypy, for being awesome. And your code is much better because of it. So we like pypy. [00:20:06] Speaker A: It's open. Anybody can contribute, right? [00:20:08] Speaker B: Anybody can contribute. [00:20:09] Speaker A: But on the other side of that, anybody can contribute, correct. [00:20:12] Speaker B: And unfortunately, this is not the first time this has happened. Pypy has historically had some issues with malicious actors going. So I can just put anything in there I want, name it anything I want. And y'all are cool with that? And you're like, yeah, I mean, that's the purpose of it. And because of that level of trust, we can use typo squatting attacks. So I can create. If I'm a malicious actor. I could create a package that looks like a legitimate package named very similarly, and hopefully, if you are not diligent with your typing skills or you're scrolling through and you see it, you go, oh, this looks like exactly what I want it to be. And it probably even does those. It's probably just a straight carbon copy of the original that it's mimicking with a few extra twists and turns that you did not expect. So a, obviously, it brings up the importance of if you are using something that is open source and you are going to incorporate it into your code, you should obviously be skimming through that code and verifying what it is and what it does and that there's no surprises lurking under the sheets there. So you got to do your due diligence. Japan is blaming, so the Lazarus group, obviously, our north korean friends, I say that very facetiously. They are well known for being a holes and doing ahole things. And this is one of the ahole things that they have done this week. This week, right? Yeah, it's how we know them. Right. It's what they do. So they have put in the PI crypto Env and picrypto conf packages, which are malicious, and they are attempting to mimic the PI crypto system that is in pypy and using that typo squatting. It's all purpose malware does ransomware has a cred stealer. It also will do some development infiltration. So they want to see. Hey, what are you doing? Let me get into that and kind of get that back on my system to see if it's anything interesting for me. This is also not exclusive to pypy. The malware itself is named comebacker. I don't make these. It's not my job. I just report the news. Right. Comebacker has also been seen in NPM repos as well. So if you're running that old Java, you might be on the lookout for this as well. And they're saying that Japan is kind of isolated, right. Their teams do not have access to as much security information. Again, I'm just reporting the news because of the way they are very tightly knit and they don't apparently research security for their systems, and therefore they are getting hit disproportionately. Also, because of the language barrier, they don't tend to learn other languages and therefore they can't look at it. I guess this is what they're trying to tell us. But was it just really interesting that this is how this is going down, that Japan is getting you. Your onus is on you to do your own security, man. [00:23:23] Speaker A: I read the first sentence, and this is. Again, I'm probably oversimplifying it, and this is a little bit of the conspiracy theories to me, but it said, japanese cybersecurity officials warned that North Korea's blah blah blah group waged a supply chain attack. The first thing I thought of is, like, if I broke something as a kid, and then I immediately went to my mom and was like, just so you know, Grayson broke this thing. My brother broke that. Just want to let you know. [00:23:42] Speaker B: You thought they were trying to shift blame. [00:23:43] Speaker A: It's like, yeah, like, why would I tell you I did it? [00:23:47] Speaker B: That just sounds crazy. [00:23:48] Speaker A: Why would I know myself? I'm sure that's not the case. [00:23:51] Speaker B: Japan not known for the hotbed of apts. [00:23:53] Speaker A: Yeah, that was the first thing I thought of. I was like, oh, again, the girls are fighting. [00:23:58] Speaker B: I wonder if there are any. I'm going to look that up in the break. [00:24:00] Speaker A: All right. [00:24:01] Speaker B: What the japanese apts are. [00:24:03] Speaker A: We'll jump through the rest of these so Daniel can get to his research. [00:24:06] Speaker B: Hurry up. Let's go. [00:24:07] Speaker A: This next one, I just thought it looked interesting. A man in the middle phishing attack can let attackers unlock and steal a Tesla. Obviously not a good thing, but I feel like I don't see headlines like this very often involving Tesla. Maybe I'm just not paying attention to Tesla news. [00:24:22] Speaker B: I'm going to say that this probably jumped up on your newsfeed, because originally these articles, because the attackers used a flipper zero. It was flipper zero. This was clickbait. It was all SEO, right? It was all about that SEO and getting that click so they can make that money. And I don't begrudge people making money. I do begrudge clickbait articles. [00:24:43] Speaker A: Right? [00:24:44] Speaker B: And to the credit of the article that we have posted, they did change their article, but, I mean, it's kind of after the fact. There's that. Anyway, so let's get to the hack, shall we? And not my personal musings on clickbait. So what they do is they create a new phone key, quote unquote phone key. This is a thing. If you own a Tesla, you can use your phone as a key for your car. There's an app. Tesla app. You're a Tesla owner. It's awesome, right? It's software. We're merging software and hardware in the most modern of ways. Very cool. So what the attacker does is you could use a flipper zero, you could use a laptop. You could use a raspy. You could use just about anything. You basically are spinning up an evil twin, evil portal with the SSID of Tesla guest, which is a familiar SSID to Tesla owners, because at Tesla service centers, that is an open Wi Fi hotspot. [00:25:41] Speaker A: Right? [00:25:42] Speaker B: So for you to be able to connect with, once you connect and go to the captive portal, well, it's a fake captive portal asking you to log in. And then when you try to log in, it will then prompt you for your two Fa token, which you will get because they're going to pass that login information along, prompting the two Fa to go to your phone, and then you're going to get that two Fa, and you're going to go, my two fa, or you got the authenticator app or whatever it is, and you go, oh, here's the two Fa code. And you type that in to the fake captive portal. Now, the attackers have everything they need to gain access to your account. They log in using those credentials as long as they beat the time, because a lot of those two Fas are maybe run a minute or 30 seconds. So they got a very short amount of time. But once they get in, now they're you. And now they can create this new phone key on just a blank phone, and it will give them access to your vehicle. [00:26:40] Speaker A: The researchers, they did reach out to Tesla and let them know this was an issue. And one of the things they mentioned was, hey, if you were to require a physical Tesla card key when you're adding a new phone key, that would improve security because it's like an authentication layer. And the company basically said, well, no, it's supposed to be that way. The manual doesn't say that you need a key card. And I think the researchers were like, exactly. That's the problem. Hello, mcFly. [00:27:02] Speaker B: Think, McFly, think. Do you know what would happen? [00:27:07] Speaker A: They did ask. [00:27:09] Speaker B: You're on point. [00:27:10] Speaker A: You're on theme. Yeah. They did ask if they plan to issue an update that introduces these security measures. And Tesla did not respond yet. They haven't heard back yet. [00:27:18] Speaker B: Another fun fact about it was when the attackers created the new phone key, the owner of the car was not informed that a new key had been made. [00:27:28] Speaker A: See, that seems like that would just be the default. You would just get a notification on that. [00:27:33] Speaker B: I guess they're just assuming it's you, right? You're logged in as you. You're just adding a phone key. You're doing it. So why would I notify you that you did something? So maybe that was the thought process. [00:27:44] Speaker A: Maybe it's know, it's an issue that Tesla had no idea this would even be a problem. And hopefully, now that they see that this can be done, they will introduce something to try to prevent this in the future. We'll go ahead and move through our last two here. This next one is part of a beloved segment called behind bars. [00:28:04] Speaker B: Break the law and you'll go to jail. [00:28:08] Speaker A: Isn't that the truth? Break the law and you will. [00:28:10] Speaker B: Well, in this case, not everybody does that. [00:28:12] Speaker A: Yeah, but in this case, it was true. A Google engineer was caught stealing AI tech secrets for chinese firms. Yeah, Rutro, indeed. [00:28:20] Speaker B: Insider threats. [00:28:22] Speaker A: It was Lin Wei Lion Ding. He was a former software engineer at Google, suspected of stealing Google AI trade secrets for chinese companies. And he is going to face some time, it sounds like, for this, he. [00:28:33] Speaker B: Is actually going to the jail. [00:28:35] Speaker A: Yes. Break the law and go to jail. [00:28:37] Speaker B: He is going to jail. [00:28:38] Speaker A: Maximum penalty of ten years in prison. But that's not all. He also has to pay a fine of up to 250,000 for each count of theft. A million dollars in total. [00:28:47] Speaker B: Where's he going to get that money? Maybe the CCP will pay for it. [00:28:50] Speaker A: Yeah, I was going to say from the. [00:28:51] Speaker B: Actually, he founded a company in China, and he was the CTO of another large organization that does AI. So he's probably got a couple of bucks rolling around. [00:29:01] Speaker A: He's got a savings account set up. [00:29:03] Speaker B: Yeah. This right here just emphasizes the fact that insider threats are one of your most dangerous threats. Right? These are the most because they're insidious. There's a level of trust and a veil of secrecy behind it because of that trust. It's really cloak and dagger. I mean, this is corporate espionage at its stewed to a perfection, right? Somebody gets a job at a competing, leading edge company for a technology that is changing the world. Let's catch up, shall we? Let me just have some access to this. I'll get a little bit of that. Ooh, this looks nice. And we'll just take that home with me. Did you see how he was getting. This was interesting to me, the fact that Google fell down on the job on this one. [00:29:49] Speaker A: Yeah. [00:29:50] Speaker B: That he was getting a coworker to badge him in to work when he was in China. Oh, that's like he was attending board meetings and giving secrets in China. He would fly to China, and while he was there, he would have a coworker badge him in like he was still at work. [00:30:08] Speaker A: That's like one of the. I feel like when I was first doing security awareness training and stuff. It's one of the first things, like, you never log in for somebody. But. So that makes me wonder if then in the case of this coworker, the poor guy was just like, didn't think about it and was like, yeah, no problem, buddy. I got you. You're trying to get some extra hours in, whatever. Or if he was in on it and was like, oh, dude, yeah, if you cut me some of that cash. [00:30:29] Speaker B: That dude's got to get fired. Or she, whoever it is, that person needs to be fired. You have done the wrong thing and have caused a real problem because of it. And it was something as simple as. Right. I just want to help my friend. Oh, yeah, it's no big deal. I'll badge you in. But, I mean, even if they weren't stealing secrets, you are stealing money from Google because they're getting paid for work they're not doing. [00:30:49] Speaker A: What do they call that time? Theft or. Yeah, yeah. And it could be that this person, male or female, whatever, was let go or fired in addition to this guy, and this guy's the one getting the. [00:30:57] Speaker B: Press because, of course, they obviously weren't stealing secrets. Or maybe they did that part of the investigation. Accomplice and unwitting. [00:31:06] Speaker A: I wonder, because you know how if you're an accomplice to a crime, you can still be penalized, pay a fine or go to jail. [00:31:10] Speaker B: Absolutely. [00:31:11] Speaker A: I wonder if in the case like this, if he's technically an accomplice, you've got to knowingly. Right. [00:31:16] Speaker B: Be a part of it. So if they did it unknowingly, then. [00:31:18] Speaker A: It'S just breaking company, breaking the law. [00:31:21] Speaker B: I mean, they could get them for being a part of a. Right monetary theft. So Google decided to press charges. They could. They probably just fired him, though. [00:31:30] Speaker A: The worst part of this is he signed a self deletion affidavit and he. [00:31:34] Speaker B: Signed it falsely, man. [00:31:35] Speaker A: He signed it falsely. [00:31:36] Speaker B: He lied on this. [00:31:37] Speaker A: Can you believe it? [00:31:40] Speaker B: What is the world coming to? [00:31:41] Speaker A: Corporate espionage, I understand. Yeah, but signing a document, that's a bridge too far. Yeah, that's where I draw the line. [00:31:47] Speaker B: Sorry. [00:31:47] Speaker A: So, yeah, this guy is going to do the time because he did the crime, and he will be paying a million samula cool millie. Cool Millie dollars. So that's never fun. We'll go ahead and move into our last one here. You may have noticed, got a new shirt on today. And that is because it's time for my favorite segment. [00:32:06] Speaker B: Dang. [00:32:07] Speaker A: Sometimes I can hear the sound effect in my ear. I couldn't that time I wanted to hear it and see if I could. How close I was. I'll have to listen to it during. [00:32:13] Speaker B: The bass, but you kind of truncated. No, it wasn't like, sharp enough at the end. [00:32:18] Speaker A: Oh, yeah, it kind of dragged. [00:32:20] Speaker B: Yeah. [00:32:21] Speaker A: Okay, I'll practice that. But in the meantime, the girls are fighting again. Change healthcare hacker may be linked to China espionage gangs. Throughout this article, it talks about the black hat ransomware gang that claimed responsibility for that change healthcare attack that we did talk about. [00:32:34] Speaker B: Yeah, change healthcare. Anyway, these hackers, this could be a deja news. [00:32:39] Speaker A: But the thing that I thought was funny is there was a. They called it a cat fight on. [00:32:44] Speaker B: A message board because that's tug in cheek. [00:32:47] Speaker A: Yes, I'm sure. Black cat fight. Because it's. [00:32:49] Speaker B: Black cat. [00:32:49] Speaker A: Yeah, it was because there was some kind of an affiliate, supposedly of this ransomware gang that didn't get their cut, it sounds like. [00:32:55] Speaker B: No, they did not. [00:32:55] Speaker A: And they're not happy. [00:32:56] Speaker B: No, they got a little pissy on the dark web about it, too, and started a bit of a flame war back and forth. Well, they were just continually posting, hey, where's my money? They're not doing a thing. And they were talking about this. It was very interesting, the fact. And this kind of goes back to. So you're a thief, you work with a bunch of thieves. You all stole some stuff worth a lot of money, right? This change healthcare thing is no small thing. Honestly, I kind of made light of it before, but in real life, that was a big deal. Lots of phi could be exposed. People's benefits, their health care, identity theft, all this stuff comes out of this. So I was just kind of making a joke before, but in real life land, that is a big deal that they stole all this. And then this one hacker known as Nachi, weird name. We're like, hey, I didn't get my money out of this. And then all of a sudden, black cat goes on the forums and like, here's the thing. These feds, they got us good, and we're going to have to shutter the doors on this operation. So they go dark. Then they come back up and like, hey, yeah, it's for sale. Anybody want the code? I think $5 million, and we'll give you the code to all our stuff. And we're just going to have to do a Vegas dealer style and call it. We're done. We're out of here. So Nachi's like, yo, where's my cut? [00:34:29] Speaker A: Yeah. [00:34:30] Speaker B: And they're like, they just go dark on them. They ghost them hard. So Nachi starts trying to sell, or they think they're going to sell the four terabytes, or maybe they're threatening to sell the four terabytes of data that they got from this change healthcare hack to try to recoup their money. Not only that, we're getting ready to start to see some hacker warfare here, as they're like, I'm coming for you. You got my money and you didn't pay. But this goes back to the they are thieves. [00:35:02] Speaker A: No honor among thieves. [00:35:03] Speaker B: You work with thieves, you're a thief. What made you think in any world that this was not an option for them? [00:35:14] Speaker A: It was Nachi's response that I just thought was, I got a kick out of it, because it sounds like he's saying, have some dignity and be a man. And he says, stop blaming the feds. No one is idiot here to believe what you have said. Return what you have stole, and be a man with dignity. And I'm just like. I feel like we're past the dignity part. [00:35:33] Speaker B: I don't think that they've got a conscience to prick. [00:35:36] Speaker A: Yeah, you're attacking a health care system here, and they're still recovering, bringing their systems back online, and you think that they've got dignity? [00:35:43] Speaker B: Yeah. And we know that a lot of these types of hacks end up becoming the money that it's generated from. It tends to be for things like human trafficking and drugs and all bunch of horrible things. So you're over here talking about be a man. I don't understand your worldview. I must hear more of this philosophy on life because it seems contradictory in many ways that I'm interested in hearing. But there you go. This is Nachi. Some of those Nachi. [00:36:11] Speaker A: Some of the sentences in this article sound made up. The prospect of a vengeful nachi could also be ominous for members of the black cat gang. [00:36:17] Speaker B: Listen, Nachi going to get buck wild. [00:36:19] Speaker A: Okay, that sounds like it's from a vengeful nachi. That sounds like a Disney character. Like a Disney villain. I mean, not to hate on Nachi, but also, come on, dude. [00:36:28] Speaker B: I've always said, you are the douchebag that stole the stuff, right? [00:36:32] Speaker A: There's no Robin Hood. [00:36:33] Speaker B: You act like I'm the victim here. I feel like that's not true. [00:36:38] Speaker A: Yeah. Nobody's innocent here. [00:36:40] Speaker B: No. [00:36:41] Speaker A: A lot of good stuff this week in that rapid fire segment. I think that's going to wrap up the first half of the show. I know we got a little carried away with some of those articles. We try to go fast, but we do. It's just so fun. [00:36:52] Speaker B: 30 minutes. We're just a little past. [00:36:55] Speaker A: We're doing okay. We will take a quick break though. So Daniel mentioned he was going to do some research and I'm going to as well. I don't remember on what, but I'll figure it out. We'll be right back, though. We got some deep dive stuff coming up here on Technato. Tired of trying to schedule your team's time around in person learning? Isn't it a bummer to spend thousands of dollars on travel for professional development? What if we said you can save money and time and still provide your team with the best training possible? The answer to your woes is live online training from ACI learning. With live online training, we provide our top in person courses in private online instructor led formats. You get to provide professional development in a manner that fits today's expectations, entertaining, convenient, and effective. Our exam aligned courses inspire the full potential of your team. Visit virtual instructor led training at ACI learning for more info. Welcome back to Technato. Thanks for sticking with us through that break. Hope you enjoyed the rapid fire segment. If you have any questions, comments, things you want to see in the future, feel free to leave a comment. If you are watching on YouTube or if you're listening on Spotify, Apple Podcasts, any one of those platforms, jump over to the channel, check us out like the video. Maybe even subscribe so you never miss an episode of Technato in the future. That being said, it's time for our deep dive part of the show. The part where we dive deep. Shockingly. I know. It's crazy. Crazy that these things are aptly named. Daniel, how you feeling? You ready to get into it? [00:38:10] Speaker B: Oh, man. There's a lot to cover, so we got to hit the ground running with this. [00:38:14] Speaker A: Hit the ground running? [00:38:14] Speaker B: Yeah. [00:38:15] Speaker A: This is something you guys have probably been seeing a lot on the news this week. I saw several articles on this. It's popping off at the moment. [00:38:20] Speaker B: It is. [00:38:21] Speaker A: A group called Magnet Goblin is targeting publicly facing servers using one day vulnerabilities. So they got a little AI image they've generated for us here. And that's not really what I picture when I think of a goblin. That's like you were saying, that looks more like an elf. Whatever. I'm not the one that made it. [00:38:37] Speaker B: Going to make you some shoes or clean your house or something? [00:38:40] Speaker A: Yeah, he's the coblin. [00:38:42] Speaker B: He's the coblin. [00:38:44] Speaker A: So Magnet Goblin is a financially motivated threat actor, which I feel like most of them are. You probably could a lot of them. [00:38:51] Speaker B: I would almost go as far as to say it's like 95%. [00:38:54] Speaker A: Yeah, I would say that's pretty fair. [00:38:56] Speaker B: I think it's fair. [00:38:57] Speaker A: It's leveraging one day vulnerabilities in public facing services as an initial infection vector. And this group is not a new group to the scene. It's been around for a while, right? [00:39:04] Speaker B: Yeah. Well, usually, especially if we're looking at malware that has been around for a hot minute, that's because it has been evolving over time. And these groups have been around and they're doing their thing and they're getting better at their jobs every day. So we must get better at our defenses. And looking at what they do to get around our defenses, well, guess what? That goes a long way to putting up a new fence to stop them, right? That's what it's all about. Or building our fence a little bit stronger, higher, taller, whatever the case needs to be so that we can put the kibosh on their ability to be successful. So that's what it's all about with the deep dive. [00:39:40] Speaker A: A lot of campaigns that it says here in the article that were attributed to this actor, including the one we mentioned earlier, the Avanti stuff. It looks like they had a hand in that. [00:39:48] Speaker B: You just keep seeing that name all over the place. [00:39:50] Speaker A: Hand or claw? Do gallons have claws or just regular hands? Yeah, I said they have a hand in it. I don't know if that was accurate to say. [00:39:56] Speaker B: I mean, they have a talent hand, I guess. [00:40:00] Speaker A: Anyway, not the point, but it looks like there were several different kinds of attacks that were attributed to this actor, but this is a new one. So they've got a little overview here on who Magnet Goblin is. We kind of touched on that. Lots of CVes attributed to this group. They've got a whole diagram on their past campaigns, so really getting into it, but recently it looks like Linux, Nerbian Rat was a new variant that was downloaded. So what's new on the scene here? [00:40:26] Speaker B: All right, so what's different here is, so you mentioned nervian rat. Nervian rat is their malware. That's their kind of stock and trade. They like to drop that malware on your system. And through that they can do things like command and control, exfiltrate data, do stealer stuff, and ultimately try to use that for financial gain of some ilk. Right. When they say there's a new variant of it, obviously it just means that it's kind of changed in the way that it initially gets onto a system as well as probably a few updates to how it works. Add some new shiny new features so to give them a little more functionality and maybe a little more stealth as well. But ultimately you notice that you talked about how they used one day exploits, one day being a little bit different than a zero day. Sometimes they call it end days, which means that the exploit is known to the vendor, but they don't have a patch yet. [00:41:22] Speaker A: Right, okay. [00:41:22] Speaker B: Whereas a zero day is an unknown that's being exploited. And obviously there's no patch because we don't even know how they're doing it, we just know they're exploiting the systems. [00:41:30] Speaker A: So if it's a one day, probably a patch is hopefully being worked on. [00:41:33] Speaker B: Right. [00:41:33] Speaker A: They're aware of the issue, they should. [00:41:34] Speaker B: Haven'T fixed it, right. But you got a time frame within that before people start patching because the patch becomes available to start gaining access into these systems. And that's kind of magnet Goblin, that's their stock and trade, that's what they go for. They're like, hey, I like that. One day I don't really want to develop my own exploits because that's hard. I don't know if you know that exploit development super hard. A lot of work goes into that. They're like let's just go with stuff. [00:42:00] Speaker A: That we already know that already exists. Let's take advantage of what's already there. [00:42:05] Speaker B: Right? They're on these dark web forms. They find out and they do tend to target. I think it was Magento, I had a whole list of them. I think they had a list of them. There we go, there it is. Avanti, Magento, Qlink sense and possibly Apache active MQ and that's right there. Campaigns that we were able to attribute to this director and targeted these systems. So this is their bread and butter. They also use this other malware called Warpwire, which is a JavaScript cred stealer. [00:42:38] Speaker A: A JavaScript cred stealer. Okay, so stealing credentials, it's stealing credentials. [00:42:42] Speaker B: It uses JavaScript, it's built to JavaScript, okay. And it uses that to steal your credentials. So just kind of when you fill out or if you have a browser open, it'll start trying to grab that from the browser. If they have any saved credentials, they'll say hey, you reach into that vault there and let me have some of that, I need that. And he'll go cool, and give it to thing. Yeah, they also have the mini Nurbian. [00:43:05] Speaker A: Yeah, it's like a baby rat. [00:43:07] Speaker B: Yeah, and it's a very stripped down version of Nerbian rat which is a small Linux backdoor. It's basically help them to do remote monitoring and management. It's very similar to the windows like screen Connect or any desk. Okay, but it's a Linux backdoor specifically not for your windows. I think in the Windows systems they just use screen connect or any desk and you can see that imported in. What are we looking at here? This is checkpoint. Checkpoint saw that happening on the Windows systems that were infected. So. Yeah man, they've got a whole section. [00:43:46] Speaker A: Here on just the, they said the Nerbian rat family. So it's got a family tree, which is great. And it seemed like what was unique about this one is that it was a Linux variant, right, which previously didn't exist. And it says it's different from the Windows variant because it uses raw tcp sockets and sends data blobs back and forth in a custom protocol so it can communicate with this version of the backdoor. So it sounds like it's a little more advanced than the Windows variant. [00:44:10] Speaker B: So it's not that it's more advanced, it's just a different way of doing things. Right. So you have your C two, your command and control. This is how they connect and talk. [00:44:19] Speaker A: So you can't rectify it the same way you would if it was the Windows variant. Like if you were trying to fix the problem. [00:44:24] Speaker B: Well it's not even that, it's just what you're looking for. It's part of the IOC gotcha indicators of compromise. You would be looking for raw tcp sockets in your Linux machines to the IP addresses like we see that it is right here. The Linux nerve and rat. A new nerbian rat variant was downloaded from attacker controlled servers. Following the exploitation, the payloads were downloaded from the following URLs. So you would look for these URLs, these would be part of your IOCs, right? Following their execution they're being rat variants used in campaign connect back to this IP address. So all this stuff, it's very well possible that if it's the Linux variant that it's using a raw tcp socket instead of whatever screen connect does or whatever. Gotcha. [00:45:11] Speaker A: So you need to be looking for different red flags than you would for the Windows variant to figure out what's going on. Okay. There was a whole list of actions too that it listed that it could perform. And when I scrolled down to the one you were talking about, mini nurbian, only three actions as opposed to the list for the other one. Makes sense because it's mini and it's mainly focused on command execution. [00:45:28] Speaker B: I need you to run a command for me. Right, do the thing. [00:45:32] Speaker A: Still not good, but I don't know, I guess if you had to pick one I'd rather have to deal with mini nerve. [00:45:36] Speaker B: Well you're probably doing both. They're probably doing both and I think they are as a matter of fact because they don't want to get caught. It's all about not getting caught. And what they'll do is they'll go okay, well I've got the main malware. It's doing things like working with warp wire to steal and exfiltrate and check in and do things. But if I just need to quick and dirty jump into this box and have a run of commands I can use the mini Nurbian C two. That just makes my life easier. Interesting fact we mentioned that they talked about. Let's jump into my computer really quickly. Here's the Ivanti campaign talking about the nerbian family. And you can see that you got the Linux nervian rat right around here and you got the windows Nervian or the warp wire cred stealer. And then you can see this goes over here. You've got the Windows version and you also have the Linux version. You'll both come back to this hacked magento servers and this is kind of like part of their TTPs. They use hacked magento servers as C two communications. They basically go hey, I don't need to spin up a C two. We'll just use these hacked magento servers as the C two because we have control over the Magento software and we can utilize that for C two communications. So that's what they end up doing. It's very interesting that that's kind of their modus operandi. [00:46:59] Speaker A: It says they were able to kind of fly under the radar for a little bit because the tools they were using reside, it says on on edge devices. So they're targeting areas that have kind of been left unprotected. People don't really think to look at those and so then people don't think to check and it's like, oh, something's going on over there. What's happening? [00:47:14] Speaker B: Yeah, well, they get a lot of traffic so that would be a difficult thing. And this is why you have to do your due diligence and why it's difficult to secure stuff is because it can just be a flood of traffic that you have to wade through and create rules for protections against your waf, your next gen firewalls, IDs, IPs, all the other stuff that we do to try to protect those things that are especially, that are kind of in that DMZ zone. They're touching the edge. They're connected to the Internet, but they're also connected to your internal network, so they become prime targets for attack. [00:47:51] Speaker A: Down here towards the bottom, I forget this, we're pulling this from checkpoint research. So they've got a little shout out to their firewall. But then they've also got a whole big list of all of the IOCs and how they're described. So that's good to have. I'm glad they provide that so that if this is something you're going to be on the lookout for, you know, kind of what to look for. Got some hashes down there, some URLs. It's nicer than provide that for us. [00:48:12] Speaker B: Yeah. I always love you mentioned about how configurable it was, which is a very interesting part of the nerbian rat itself that they can turn on and turn off features based off of command and control commands that they send it. So very cool. There's a whole list of them. We've got one, like default con interval, use a live signal, start work time, end work time. So don't run during these times. Right. Only run during the given time, so less likely for detection. Right. What else they have here? Use secondary host, use sleep file transfer time. Sleep file transfer. Again, all about getting information out of the device and onto their systems. [00:48:55] Speaker A: So, like, if it's not running at a time that I'd be using the machine or looking for stuff, then it might go undetected. Whereas if they're making sure it's running when I'm not touching the machine, then who's going to see it, right? Nobody's going to know. [00:49:05] Speaker B: That's it. [00:49:06] Speaker A: Man, these guys are. It's almost like they're really smart and they are basically for a living. [00:49:11] Speaker B: I guess you got to have your hats off to them as far as, like, the ingenuity and the craftiness of their tradecraft. Very cool. Except for the part where you're doing better with it. [00:49:21] Speaker A: It's a shame you can't use your powers for. [00:49:22] Speaker B: That's where you stepped over the line there, kids. Just saying. [00:49:25] Speaker A: We say that like we're talking to them like they're watching this. [00:49:28] Speaker B: I have actually had malware developers talk to me. [00:49:34] Speaker A: I feel like I remember this because they left a note or something. [00:49:37] Speaker B: They left a note in their malware to you referencing me? Yes. [00:49:41] Speaker A: Daniels man, we got fame here on the podcast. [00:49:45] Speaker B: It was funny. [00:49:46] Speaker A: It's quite an extensive surreal. I can't believe they noticed me. [00:49:50] Speaker B: Well, no, it was more like what's happening? [00:49:54] Speaker A: I'm not associated with them. Yeah, but it's quite an extensive breakdown here that checkpoint research has done of Magna Goblin and some of their tools and stuff. Was there anything that I missed? Because it is a lot of information. It's possible. [00:50:07] Speaker B: It's a lot of information. I mean, this is the deep dive. If you're interested in malware and how it works, this is a great example of malware analysis. Right? So if you're interested in malware analysis or you want to know, or maybe you run these types of devices, maybe you have a magento system, maybe you're running Avanti, maybe you're running any of the other services that Magnagoblin is targeting. This would be good to know. And now you can come in here, grab a bunch of IOCs, learn how it works and set up your defenses, create those sigma and Yara rules, set up DNS syncholing, do all the things necessary so that if they were patching, obviously is probably a really good idea, if that's possible, and so on and so forth. I know that they target one day, so at the time of attack there isn't a patch available for you. But as soon as there is, you should patch, obviously. [00:51:06] Speaker A: Sure. [00:51:07] Speaker B: It is a known vulnerability, and maybe you can set up a secondary control as a workaround until that patch becomes available, especially if you have a whole list of IOCs, which this is quite extensive because they did a great job of analyzing this malware. [00:51:23] Speaker A: Right. [00:51:24] Speaker B: Definitely. You should be looking into things like this that pertained to your systems. [00:51:29] Speaker A: Right. And if you need to slap a band aid on it until you can get the thing in stitches. Do you think we got time for another deep dive? We're sitting. [00:51:36] Speaker B: Maybe a quick one, maybe for fun. [00:51:38] Speaker A: Maybe just for fun. [00:51:38] Speaker B: Yeah. All right, we'll do a quick deep dive. [00:51:40] Speaker A: We do have another one here from cyber. Reason says unboxing snake Python info stealer lurking through messaging services. And I ended up seeing this through another news source and kind of went here for the deep dive, but it said it was through like Facebook messenger and things like that. And that's kind of what caught my eye because I was like, that means the moms and grandmas of the world. I don't know. [00:51:59] Speaker B: They are after them. Yes. [00:52:00] Speaker A: They are susceptible. [00:52:01] Speaker B: Absolutely. Interesting stuff. Python. Python. That's why the snake reference, obviously. Let's see here. Sly rabbit will have three openings. So there's a couple of different variants of this malware, so just want to be on the lookout for that, depending on what's going on. I just like looking at and learning about how these different malware works, because then I can, like I always say, build a better fence to try to, or maybe train your grandmas out there to go, hey, if you're getting messages from people, you need to be really leery of clicking any links, because that's what they do. They send you a message, it's got a link. You hit the link, and now you're getting infected. What's kind of ironic about this is I, for fun, will build quote unquote malware. And it's very similar to what we're seeing in some of these examples. And sometimes you get the naysayers out there. That'll never work. That's too simple. It's just a simple python script that runs Powershell and downloads a file man av. And everything's going to bust this so fast. Maybe it will, but maybe it won't, because it's obviously working for somebody. Because we're reading an article right now that this malware is not complicated. Right. That's the thing. [00:53:22] Speaker A: Reading through it, it took me a little bit to kind of break down in my head what was going on here, but they did provide. I have it pulled up here, kind of a helpful little flowchart as to how this attack works. [00:53:32] Speaker B: I also have it up. [00:53:32] Speaker A: Yeah, I appreciated that. The kind of helpful visual there. Where, here, I'll zoom out a little bit. Starts with their. [00:53:38] Speaker B: Zoom in. [00:53:39] Speaker A: Zoom in. [00:53:39] Speaker B: Actually, jump to mine. Jump to mine. [00:53:41] Speaker A: Okay. Yeah, he's maybe got a little bit of a better view. [00:53:44] Speaker B: I got a better zoom of the. Oh, yeah, I got the nice Mac. [00:53:48] Speaker A: Well, yeah, you're on a Mac. [00:53:49] Speaker B: This is what you can do here in a Mac and go like this. Isn't that nice? Isn't that sweet? But let's look at this chain of events, because this is really kind of the meat and potatoes of what's going on here. And then we can kind of extrapolate everything out from there. So where does it start? To Sophia's point. They begin with an SNS message, which is basically a message on, like, Facebook or X or wherever you're at. A direct. A DM. [00:54:13] Speaker A: Instagram DM. [00:54:14] Speaker B: Yeah, that's what we're looking at. And what does it want you to do? It has a link that asks you to download a file. How do we get past this stage? [00:54:26] Speaker A: You don't download suspicious zip files in. [00:54:29] Speaker B: Your daily life in my sandbox to analyze it. [00:54:31] Speaker A: Right? [00:54:32] Speaker B: Not on my actual machine. Right. Hope you're following what we're putting down right here. Right, let's move on there. In that is this archive file gets extracted. Obviously there's a zip file, so you want to extract that. What's in that first extraction? Well, a downloader is executed, which is downloads and unzips a file, which is stage two. Right? The stage two gets executed. It does a couple of things here in stage two. So it downloads this python module from what looks like GitHub, and then also downloads the obfuscated batch file or batch script and deploys it under the startup folder. So feel, why would we put our batch file in a startup folder? [00:55:21] Speaker A: So that when you start your computer, it automatically runs persistence. [00:55:24] Speaker B: Ding ding ding, ding ding. That's exactly what they're doing, right? Because I can run a script, but then it's run, it's over. I ran the script, it did the thing. If I shut my computer off, whatever it was doing now gets shut off. Turn my computer back on, I have to rerun that script. How do I make sure that script gets rerun? If I'm an attacker, I do things like create a scheduled task, put things in the startup folder, make registry entries for startup things. Interesting, right? There's a whole startup area of your Windows registry, so that's what they do. Fun fact is if we come over here, we see that another thing it does is download obfuscated Python info stealer variant X, right? Well, if this is a Windows machine, because we're talking batch files here, think about Python. If I want to run Python code, I got to have Python installed now, today's day and age, it's not uncommon, right? [00:56:22] Speaker A: But if, like for instance, like I said earlier, moms and grandmas of the world, a lot of them probably don't have Python installed. [00:56:27] Speaker B: It's a fair bet that they might not have Python. Let's head back. You'll notice it did this download Python module. It actually downloads, kind of like, what's the word I'm looking for? It's a portable, it's a portable version of Python. You don't have to install it like. [00:56:48] Speaker A: A little care package. Everything you need, everything you need to. [00:56:50] Speaker B: Make Python available to your system, you don't have to actually install Python. It just, this script will look in the right spots for that python package and go, cool, I can run Python now how sweet, right? They're giving to you. [00:57:06] Speaker A: Can't say they never did anything. [00:57:07] Speaker B: Or you can run your own python stuff. Gifts between friends. All right, so then it executes the Python info stealer variant X and then starts stealing credentials within the browser. If I'm not mistaken, this is for purely monetary. [00:57:26] Speaker A: Shocker. I mean, I'll double check, but I bet you're probably right. [00:57:29] Speaker B: Double shocker. [00:57:29] Speaker A: There's a lot that happens, though, between the message, because an unusual, like me, if I were to fall victim to this attack, which I would hope that I wouldn't, but all I would see on my end is, okay, I'm getting this suspicious message. I click on the file, don't really know what happened there. Okay. I go about my day, and the next thing I know, my credentials are getting stolen. So the stuff that happens in between, there's a lot going on in the background. [00:57:50] Speaker B: Yeah. [00:57:51] Speaker A: Seems like some effort went into this. [00:57:52] Speaker B: Just a little bit. I want to take a look at the screenshots and everything that they grabbed. It's kind of interesting to see. It's one thing to show you a flowchart and go, hey, that's how this works. Now we can apply that flowchart to actual pieces of information that they gather. So let's jump back into my laptop here, and you can see there is raw. They download the zip. Here's the zip file right here, so you can see it's getting dropped. Winrar Exe is being run, and there's the zip itself. So you see this dot zip with a weird file name, right? Screenshot of the product to buy, blah blah blah, blah, blah. From there, it runs CMD exe to this bat file, because that's what got unzipped. From there, we see this conhost exe also gets run, and then this curl command, which do we know what curl does? [00:58:48] Speaker A: I don't know, do we? [00:58:49] Speaker B: It downloads files. Oh, it's a command line tool for downloading stuff from the Internet from a network, right, using HTTP. So you see curl l tells it o where to drop it. So make it in user publicmyfile zip, and then go grab HTTPs shoppingvideo 24 two, four seven ashung three zip. So grab another zip file, right? So just keep following the bouncing ball here, scrolling down. Obviously, we want to. They're using Powershell this time. Command. Expand archive literal path and expand that archive that file they just downloaded. [00:59:29] Speaker A: This is all just that first stage. [00:59:31] Speaker B: This is all just stage one, right. You'll notice this isn't like super crazy hacker kung fu here. This is simple scripts. If you've ever worked at a command line before, you know what a batch file is, you kind of know how to make them work. Powershell is fairly common for anybody that's kind of a power user in their system. It's not difficult to figure out how to make this work, but they are being very successful in very simplistic methods as far as hacker kung fu goes. Right now, obviously stage two is a little bit different. This is this, that CM VN CMD is the primary script responsible for the downloading of and executing of the Python info stealer. And here we see that happen. You see the start chrome. Guess what start Chrome does? [01:00:21] Speaker A: Starts chrome. [01:00:21] Speaker B: It starts chrome and it reaches out to Alibaba. Do you know Alibaba is. [01:00:26] Speaker A: Isn't it like a shopping website, like you buy? [01:00:28] Speaker B: It's like Chinese. Yeah, Amazon. [01:00:31] Speaker A: Okay. [01:00:31] Speaker B: Right, right. Or one of them, they got a couple. Alibaba is probably the biggest one. Dhgate is another one. [01:00:36] Speaker A: Okay, I've definitely heard of Alibaba. [01:00:38] Speaker B: Yeah. So, hey, can you reach out and touch something out here? Yeah, it might be like a test. And you can see, I love this part right here where it's running Powershell. Right. We see that Powershell windows style hidden so it doesn't pop a window up when it runs. The Powershell command invoke web request. I wonder what that does. Uri is the argument for that. And then here it is. It's reaching out to GitLab.com, crazy name that doesn't really mean anything. And that's meant for obfuscation purposes home. And then it grabs this raw master and that's going to throw that to an out file. So it's grabbing stuff from the Internet and putting it in specific spots on the actual. And I think this is ultimately what it's trying to get, which is Project py. [01:01:27] Speaker A: Okay. [01:01:28] Speaker B: Right. [01:01:29] Speaker A: And this is stage two. This is the second downloader. [01:01:31] Speaker B: Stage two. Right. This is what we're. Then it runs these various set commands, typically for obfuscation. They said that a lot of the variants of this they saw did not have obfuscation. They just Yolo coded it and said, yeah, I don't care if you know what this is, and it still works. Obviously they're not going to do that if they might be testing, but they didn't care whether or not somebody found it, whether somebody saw it. They expect this to still work. Right. But all these echoes and these sets are basically creating a map so that they can call the set instead of the actual letter. So instead of using the letter D ru, I would use DQ. Okay, right. And then I could craft a word using these obfuscations. And now you can't read it, but the machine can obfuscate and de obfuscate because it has a map that we are setting right here. [01:02:27] Speaker A: But if it's a suspicious, like, it's not going to flag it and be like, oh, this name looks weird because it's obfuscated. [01:02:31] Speaker B: If it was called my horrible malware. Right, your AV system, I go malware. You say, I am queued into words like malware. I'm probably not going to let this run. [01:02:42] Speaker A: You say, my horrible malware. I think my little pony. Yeah, we need like a theme song for it. [01:02:45] Speaker B: My little malware. [01:02:49] Speaker A: But you're right, if it's obfuscated, then. [01:02:50] Speaker B: I can't wait for my little malware. Version two. [01:02:53] Speaker A: We need the sparkles to go across the screen of that part of the show. And this is all a part of stage two. And this is all just for that first variant. [01:02:59] Speaker B: That's just for that first variant. I think one of the variants is actually a compiled version of this, where there's a thing called Py installer which will allow you to take your python scripts because it's a scripting language, and turn them into a compiled exe. [01:03:15] Speaker A: Okay. [01:03:16] Speaker B: Instead of a py, it'll be exe and you just double click and it runs. I've done a lot of that in the past. It can be kind of a pain, so I hate it. And that's why I just jumped over to go, because go was very python like. And it's like, it's so simple to compile, it's just go build my thing. Yay. [01:03:34] Speaker A: You had to go to go. [01:03:35] Speaker B: Yeah, I had to go to go, yeah. Moving on. Anything else interesting here? I think some of the obfuscations were really interesting. So here we go. Here's the variant one. And you can kind of see this is not very easily read. It's just a wall of stuff. But it's running in exec, it's importing Marshall load imports LZma. So it's, oh, that was something. I forgot about that. It does a bunch of compression. Like a bunch of compression. Is that right here? Yeah. Let's take a look at this little chain of events, shall we? So it converts hex strings to binary strings. So you take the data that's in hex, which is a little more machine readable, you turn it into a string data types, they're fun. Dealing with them inside of your software can get a little tricky. Binary strings can be a little more useful. Then they take that binary string and they compress it with zlib. Then they compress it with Bzip, and then they compress it with Gunzip. Or I guess they start the other way around. It starts with LmZa, then goes to gunzip, then to bzip two, then to zlib. So to back out of that, you have to decompress everything with each one of those compression algorithms. And if we look back, we see right here, I think it starts right there, and there's the decompression. So you have to import, there's Gzip, right? Then it finally hits Benaski, which is the final, like, ASCII text, but it's decompressing from zlib, it's decompressing from bzip two, and so on and so forth. So using a lot of compression mechanisms, this makes it much more difficult for AV EDR systems to look into what's going on and see it, because it's all just compressed. [01:05:29] Speaker A: Right. [01:05:29] Speaker B: It won't be until you decompress this and lay it on the disk that it would have the opportunity to check this. [01:05:36] Speaker A: So it's like you're obfuscating, and then taking that obfuscated form and obfuscating it again. And just, I think they call it what? Nested obfuscation. Like a little russian doll. [01:05:43] Speaker B: That's it. Matrioska. [01:05:44] Speaker A: Yes, Matrioska. I don't know how to pronounce those words, but that's an interesting form of obfuscation. Got to hand it to them again. I wish they used their powers for good. So then once it's deofuscated, then it can run, right. [01:05:58] Speaker B: Once it's de obfuscated, then it has the ability to actually be run by. And that might just mean that it's. Well, yeah, it's not even deoffuscated yet. It's just decompressed. Okay, got you. Then you deofuscate. [01:06:11] Speaker A: But the compression is like, it counts as a form of obfuscation. [01:06:14] Speaker B: It does count as a form of obfuscation to the AV because it can't look into it. It's just like, oh, this is a compressed. [01:06:19] Speaker A: Okay. [01:06:19] Speaker B: All the data is kind of squashed together. I can't really see what it does. It's not in its final form. [01:06:25] Speaker A: But even after you decompress it all. [01:06:26] Speaker B: The way saying, God, dragon Ball Z. Yeah. Hey, got a shout out to put. [01:06:32] Speaker A: Some respect on his name. [01:06:33] Speaker B: Right. [01:06:35] Speaker A: Even after you decompress all of it, there's still that final deofuscation that you have to do, or that it would have to do, I guess. [01:06:40] Speaker B: It looks like it's using some base 64. I'm looking at this code sample here. You can see it's grabbing. It does seem to be doing encryption as well. So we got some AES, we got some triple des and hashlib import sha one PDKF. I think I also saw anything else. Oh, HMAC and then base 64. So it's base 64 encoding some strings and it has some base 64 encoded strings. It's going to decode that to UTF eight, which is just ASCII text. So like readable human stuff to that. So this is a fairly common practice to do so. I'm not surprised to see that because for whatever reason, as well known as as easily reversed as de encoded as base 64 is, it's still a very valid method for bypassing and obfuscating against protection mechanisms. [01:07:35] Speaker A: Evidently because this is actively being used, it's working against however many people it's affected so far. [01:07:39] Speaker B: Yeah. [01:07:40] Speaker A: You know how sometimes you go on Amazon or a website or something and it'll show you their product and then it'll say our product compared to the competitor and it'll show you like the checklist of. We have this, the competitor doesn't. They provided a lovely little chart that compares. There's three variants of this, I guess, and it gives you a little check as to what it is that they can do. Well, variant one gets the request to identify the geolocation. Variant two and three, they don't do that. That was nice of them to give us a little breakdown of what each one does. And I guess would this help us to kind of identify what variant we're dealing with? Yeah, right. [01:08:08] Speaker B: Absolutely. [01:08:09] Speaker A: Okay, I like that they do that. That's nice. [01:08:10] Speaker B: Yeah, we'll leave variants two and three to you to check that out, obviously. Do we put the article links in the description? [01:08:19] Speaker A: I don't think we do. [01:08:20] Speaker B: We should start that right now. Yeah, that's a simple copy. Pasta. [01:08:25] Speaker A: Yeah, maybe we should start doing that. Maybe we'll try that. We'll try that this week. [01:08:28] Speaker B: Absolutely. [01:08:29] Speaker A: We'll talk to Christian, see what we can do and get those in there so that you can go and peruse these for yourself. Because I can tell you it's the hacker news or wherever, but they got so much stuff on there that it'd be hard to find and this one again came to us from cyber reason. So thanks to them for breaking this down and kind of going through that chain for each of those variants. Christian put the article title up there again so you can find it if you'd like to. But I think for this deep dive, is that pretty much going to. [01:08:52] Speaker B: The only other thing I wanted to mention was they're using open services like Telegram and GitHub and things that have APIs that you are able to easily script in working, uploading, downloading, updating, certain areas that you can easily access through the API. They're using that for the credential exfiltration. Yeah, a lot of threat actors will use things like Telegram API for C two communications. Okay, like, oh, I want you to run this and then give that back to me. Okay, now run this. Now give it back to me where they're just saying, hey, run, get the things I want and shoot it to me over the API. They're very hands off with this. [01:09:35] Speaker A: Legitimate service is being used for illegitimate reasons. Yes. We hate to see it. That's unfortunate. The researcher for this one was Kotaro Ogino. So shout out to him for doing the research on this one. Want to give him his props, credit where it's due and take a look at that article. Go show them some love and share it to the Twitter or the Facebook or whatever. But I think that's pretty much going to do it for this deep dive. I know we went a little bit deeper than we were initially planning, but a lot of good stuff this week. Hope you were holding your breath and you brought your goggles because that was a fun one. I think that's going to pretty much do it for this episode. Again, if you've got any feedback, things that you want to see more of on the show, let us know. You can check out the channel, all of the previous episode episodes of Technato live here on the YouTube channel, as well as any previous webinars. We've done have one a couple of weeks ago with Joe Helley, all things cyber. That was a lot of fun. And of course we've got one coming up. I believe that is with. Is it for John Strand? That's right, yeah. Can't believe I forgot. It's John Strand here in just a couple of weeks. [01:10:30] Speaker B: But who's he again? [01:10:31] Speaker A: Yeah, right. Kind of a big deal up and coming guy at the cyber scene. Am I missing anything else? Daniel, can you think of anything you wanted to share with the people? [01:10:40] Speaker B: Be kind. [01:10:41] Speaker A: That's a first coming out of Daniel's mouth. So. Wow. You saw history here today, folks. Thanks so much for joining us for this episode of Technato. Enjoy your St. Patrick's Day, and we will see you next week for another episode. Thanks for watching. If you enjoyed today's show, consider subscribing so you'll never miss a new episode.
Previous Episode
Next Episode

Other Episodes

Episode

November 30, 2017 00:36:40
Episode Cover

ITProTV Podcast 22: Week 48 in Review

So much to look back at this week. It all started with sales a-plenty on cyber Monday and ended with a slew of announcements...

Listen

Episode

November 11, 2019 01:14:01
Episode Cover

The Technado, Episode 125: Central Texas College’s Joe Welch

This week on Technado, Don and Justin talked with Joe Welch, Professor of Computer Information Technology & Systems faculty member at Central Texas College,...

Listen

Episode

November 12, 2018 00:27:23
Episode Cover

The Technado, Episode 74: Okta’s Matias Brutti

Dealing with your own data’s security is stressful enough, so how does Okta deal with handling sensitive data for so many customers? In this...

Listen