357: Malware in Microsoft's GitHub Repo?!

[00:00:04] Speaker A: You're listening to Technado. Welcome to another episode of Technado. I'm Sophie Goodwin, one of your hosts here. Before we jump in, just want to take a moment and thank the sponsor of Technato, ACI Learning, the folks behind it pro. Quick reminder, you can use that code, Technado 30 for a discount on your it pro membership if you don't have one already, which you totally should, because we make those courses and it's a fun time. And by we, I mean myself and Mister Daniel Lowry over here to my left. Daniel, you look like you're having a great day. [00:00:29] Speaker B: I'm actually having a really hard time right now not breaking you in front of the entire audience because she is set on a razor's edge. She's very primed to just start laughing hysterically. I know what to do to make that happen, but we have a show to do, so I guess I'll let it go. [00:00:46] Speaker A: Well, we've got an hour, so there's plenty of time for that. I'm sure it'll happen at some point, intentionally or not. [00:00:52] Speaker B: If we're wondering what it is, I just have to do, like, a really bad Elvis impression right now. [00:00:56] Speaker A: We had fun this morning. [00:00:56] Speaker B: We were. [00:00:57] Speaker A: We were talking to our director and just doing the worst Elvis impressions we could possibly do. So anyway, which got you going pretty good. It did. [00:01:03] Speaker B: It's kind of funny. Once. Once the string gets pulled, it's not much to keep it going. [00:01:08] Speaker A: I started bringing energy drinks in the morning, and it's really improved my mood considerably, considering I'm a little. [00:01:13] Speaker B: She's like our own. [00:01:14] Speaker A: I'm shaking. [00:01:14] Speaker B: Gary Busey. [00:01:16] Speaker A: Okay, sure. I'm Gary Busey. Yeah. All right. Well, hopefully. Hopefully not entirely. Hopefully not in every way. [00:01:23] Speaker B: Did you talk to angels this morning? [00:01:25] Speaker A: Okay. [00:01:26] Speaker B: Yeah. Gary Busey's. I love Gary Busey. I think he's a national treasure. He's just a very strange man. [00:01:31] Speaker A: Oh, sure. Yeah. He's. He's a very interesting guy. But, hey, the strangest people get famous. [00:01:35] Speaker B: Indeed. [00:01:35] Speaker A: So that's probably part of why he's. [00:01:37] Speaker B: Made where he cracked his head open. [00:01:39] Speaker A: Did that. [00:01:40] Speaker B: Yes. [00:01:41] Speaker A: I did not know that. By Gary Busey. All right, well. [00:01:45] Speaker B: Or Gary. [00:01:46] Speaker A: Anyway, welcome to Technado, where we give you all the fun facts about your favorite odd celebrities. We're going to start off with, if you're familiar with our format, we're going to start off with some rapid fire articles. We'll go through a couple of these and just kind of give our. Give our quick little synopsis of what's going on in the news. And then, of course, we'll have a deep dive later on in the show. So stick around for that if you want to get a little more in depth on some of these topics. But we'll go ahead and jump into our first article. And this one comes to us from the register. Cybercriminals are threatening to leak all 5 million records from a stolen database of high risk individuals. And this is the world checklist. I was not familiar with it, and that makes sense because this is primarily used by businesses, I guess, and I am decidedly not a business. So it makes sense that I would not be familiar with it. But, I mean, it's a big deal because these are, from what I understood, this is all public information anyway. It's just this is a consolidation of. [00:02:31] Speaker B: A bunch of, like, corporatizing, cancel culture. [00:02:34] Speaker A: Right? [00:02:34] Speaker B: Yeah, I mean, like, it, it doesn't seem to be all bad. I was also unaware of said list before, so the, uh, what's the name of this list again? Give me the name on this world check. The world check. Thank you. Yes. So apparently the world check list is, let's say you're a bank and someone, and I don't, I don't mean like, you know, the, the local Wells Fargo or truest that's sitting on the corner. I mean, although it could be. But most likely this is going to be like, you're a big bank, like Wells Fargo, and someone says, I want to open a large account, and I want to start funneling money to and fro, as one does when they open large accounts, and you go, cool. I like money because that's how banks make money, is, by taking your money and then investing it and making money off that money. And it's fun, usually are an interesting thing. [00:03:27] Speaker A: Sure. [00:03:28] Speaker B: What if I were, I don't know, like a terrorist organization, and now you have my money, and you are basically, like, facilitating my terror. [00:03:40] Speaker A: Right. The last thing you want is a terrorist is a client. [00:03:43] Speaker B: There you go. So, so that's what this list is all about, apparently, is to say, hey, these are people that we've been monitoring, or are known terrorists, or all around bad people or, and. Or organizations. Because if you were the said bank, you would be like, I wouldn't touch that with a ten foot pole. No, thank you. [00:04:00] Speaker A: Yeah. List, like money launderers, specifically. Which makes sense, because if you're a bank, that's the last thing you want. [00:04:04] Speaker B: Yeah. To be associated with helping facilitate money laundering. [00:04:09] Speaker A: Calls them undesirables. [00:04:11] Speaker B: I do enjoy that term. [00:04:12] Speaker A: Yeah. Undesirable miscreant is another favorite of the register. I do enjoy that. [00:04:15] Speaker B: I enjoy the job. Using their thesaurus is getting a workout. I appreciate that. [00:04:19] Speaker A: Props to the register. They know how to write. Yeah, but, uh, but from what I understood this, I mean, it's subscription only. So if you are going to use this world check database, you do have to pay to use it. But it pulls data together from it says open sources here, like, and now it's not necessarily things that would be like the easiest to access. Sanctions lists, regulatory enforcement list, government sources and just media publications. But if it's all open source like available, it's not like Social Security numbers. [00:04:43] Speaker B: How do you pay for this? Actually, I think it is Social Security numbers. [00:04:46] Speaker A: I think it's like if you look. [00:04:47] Speaker B: Down in the article, it talks about what exactly, exactly is in this list. [00:04:52] Speaker A: Oh, really? [00:04:53] Speaker B: Believe it does say Social Security numbers. [00:04:55] Speaker A: This says includes full names, the category of person. So like, if you remember organized crime, job roles, dates, places of birth, aliases, security numbers, gender. Well, God. Oh, gender secret, top secret. And a small explanation of why they're there. [00:05:09] Speaker B: I love that one. That's my favorite part of the list. [00:05:11] Speaker A: Yeah. Oh, my gender. [00:05:13] Speaker B: Why did we put that on there? Well, you know, Bob doesn't get to play with everybody because, screw Bob, you know, he's dating my ex wife and that's. [00:05:24] Speaker A: Yeah, that's why he's here. [00:05:25] Speaker B: Yeah, he's on the list. [00:05:26] Speaker A: He's committed crimes against man. And by man, I mean me. [00:05:29] Speaker B: I'm a man. [00:05:31] Speaker A: He hurt my feelings. He's on the list. [00:05:33] Speaker B: I don't like him. [00:05:34] Speaker A: But if this is, I mean, I guess in that case, yeah, Social Security numbers and stuff, that'd be concerning. But if it's only open source stuff, this isn't like, you know, somebody's hacked into a service and like, you know, I guess you're maybe paying for the convenience at that point, right. [00:05:48] Speaker B: So what you're selling for is the fact that they did all the heavy lifting of putting it into a database and going, oh, you want this database? You want instead of doing all the legwork yourself. Sure. [00:05:57] Speaker A: Right. [00:05:58] Speaker B: Get that money. And apparently this is the first time this has happened, like a few years ago that this, this got popped before and it was selling for up to like almost $7,000. [00:06:08] Speaker A: Yes. [00:06:09] Speaker B: Download. So if you wanted to get a copy. Seven G's player. [00:06:13] Speaker A: Yes. [00:06:14] Speaker B: Yeah. Oh, $6,750. [00:06:16] Speaker A: So, yeah, basically. So about a little under 7000, which is pesos. Sure. [00:06:22] Speaker B: The one, this. [00:06:24] Speaker A: It's no small. It's no small number. I mean, I don't know. I know for some people, that's small amount. 7000 to me is like, dang, man. [00:06:29] Speaker B: I ain't got seven grand just sitting around so I can buy a list of people. [00:06:32] Speaker A: No, that's certainly not for a list of people. No, but, uh, they. They didn't respond. This group, uh, call themselves Ghost R, which is. I hope I'm pronouncing that right. Maybe it's ghoster. Yeah, I'm gonna say ghost r because that's how it's spelled. Ghost R did not respond to questioning, but said they were gonna be leaking this database. [00:06:47] Speaker B: But they ghosted them. [00:06:48] Speaker A: That will include, basically, they didn't respond. You're right. That's pretty good. Pretty good. [00:06:52] Speaker B: See what I did there? [00:06:53] Speaker A: But says that it will include details on individuals, including the royal family members. So. Ooh. [00:06:58] Speaker B: Uh oh. [00:06:59] Speaker A: Big fish over here. [00:07:00] Speaker B: I bet there's some people that have conspiracy theory websites right now. They're like, so how do I get my hands on this? [00:07:05] Speaker A: They're going nuts. Yeah, yeah. So we've been waiting for this. [00:07:08] Speaker B: Now, seven grand. Got it. [00:07:09] Speaker A: And they gave them this, this publication, a sample, like, of 10,000 records to be like, oh, you want to make sure it's legit. Here you go. And it turns out that I believe. [00:07:16] Speaker B: It was the company that actually compiles and houses the list, said that they were not breached. It was a third party. Let's make sure we put that out there on the airwaves, that it was a. That they say it was a third party, that a copy of the list. And they were the ones that got breached, and that's how the list got leaked. Not through the company that actually, like, does the list. [00:07:39] Speaker A: Yes. So, yes, I believe you are correct or not. [00:07:42] Speaker B: That's true. Or not remains to be seen. I don't see any reason not to believe it at this point. [00:07:47] Speaker A: Sure. [00:07:47] Speaker B: You know, I'll give it a 72% chance. [00:07:50] Speaker A: Because they came out. They did say, like, yes, the breach is genuine. This did really happen. But it was an unnamed third party that, you know where this occurred. So they're. I mean, they're being honest about the fact that it happened and not a lot on, like, the severity of it other than just, I mean, they talked about, like, what, what's included in that database. [00:08:04] Speaker B: If I was a bad guy, I would now know if I was on the list. And parts of my organization are on the list, and maybe I need to spin up new infrastructure, new, you know, fake accounts and all the other stuff to try to circumvent those things. Maybe that's. [00:08:16] Speaker A: But as with anything, I mean, if there's human error, and this does say. During the first leak, investigations revealed that there were inaccuracies in the data. False terrorism designation. [00:08:24] Speaker B: I told you what happened to Bob. [00:08:25] Speaker A: It could ruin your life if somebody gets you wrong on this list. And like. Yeah, he's a known terrorist. And it's like you're just in, like, Milwaukee running a business. [00:08:33] Speaker B: I was a known terrorist. [00:08:35] Speaker A: It's like. Yeah, he's. He's running a mattress store that's a front for money laundering. Like. No, I'm just. Mattresses. [00:08:39] Speaker B: Listen, ladies and gentlemen, always ask for the receipts. Just because someone's name is on a list of something, or someone says someone did something or didn't do something or whatever. I want to see proof. [00:08:49] Speaker A: Never trust. Always verify. [00:08:50] Speaker B: That's right. It goes everywhere. Always verify these things are true. Because. Yeah, some. And it has happened that they got their name on this list and got ruined. [00:09:01] Speaker A: Yeah, you could ruin a life. And so that. We don't want to do that, you know, unjustly. [00:09:04] Speaker B: So avoid that at all costs. [00:09:06] Speaker A: No, no. If it's Daniel, I mean, in that case, yeah, I'm putting him on a list immediately. Just don't do that. Ruin him. [00:09:11] Speaker B: No, I'm just. Family. They need food. [00:09:14] Speaker A: Pain in your voice. Okay, well, maybe. Maybe not today, but you're on thin ice, so we've got, actually, this next one. I don't recall if this is something that you mentioned that affected you, but this next one did affect a lot of people. A cyber attack occurred, taking frontier communication systems offline, affecting millions of broadband customers. So. I had not heard of frontier communications by name. I believe it was. It might be a Verizon company, but I could be wrong about that. But definitely. I mean, millions of customers. And they were affected by this. It confirmed that it was a cyber attack. So unnamed third party gained access once again. There was a third party situation here and disabled Internet access for a lot of people, which I. [00:09:55] Speaker B: Well, I think frontier disabled their Internet access. [00:09:58] Speaker A: Right. [00:09:58] Speaker B: Like, they shut their systems. [00:09:59] Speaker A: They had to shut it off. [00:10:00] Speaker B: They were. [00:10:01] Speaker A: Yeah, yeah, they had to kind of, you know, get control of the situation, I guess. So you got to shut everything down, which, at the. At the minimal level, would be inconvenient. But in some cases that, you know, if you don't have Internet access, it could. It could have more severe, I guess, consequences, depending on what you use it for. Um, so could. It could have been bad, but, I. [00:10:18] Speaker B: Mean, the, the end of this article talked about the impact of having a major ISP going down, going dark, becoming a dark part of the Internet because they're, they're not connected at that point in time, and how, because we're connecting so many things now that are critical infrastructure, that the Internet itself might be needing to be considered as critical infrastructure. [00:10:39] Speaker A: Yeah. [00:10:40] Speaker B: And so what ends up happening? So you've been through a couple of hurricanes living here in Florida, right? [00:10:45] Speaker A: Yes, I have. [00:10:46] Speaker B: Have you noticed that it's like the telephone system always comes up back up, like, really quickly? [00:10:49] Speaker A: Yes. [00:10:50] Speaker B: That's because it is considered necessity. [00:10:53] Speaker A: Sure. Cause if you're stuck somewhere, if you're in danger. Yeah. Right. [00:10:56] Speaker B: We have to have that. So they focus their efforts on bringing that back up first, and then they move to, like, water and power and so on and so forth. They have this, this list of how they prioritize bringing systems back online when they've been taken down due to a disaster, saying they're. They're thinking about adding the Internet to that list. Whereas it's just been a fun convenience for us. We may be moving in or have moved into a world where the Internet is a necessity. [00:11:21] Speaker A: Yeah. [00:11:22] Speaker B: At least as far as, like, infrastructure goes. Maybe not for you personally. So you can go, you know, check Facebook or whatever. [00:11:29] Speaker A: Sure. [00:11:29] Speaker B: But. [00:11:30] Speaker A: But it's in everything, right? It's. I mean, the Internet's everywhere, in everything. And. Yeah. It has more. More serious uses or more, I guess, critical uses than just. Yeah, right. Like you said, just checking Facebook or sending a text or whatever. But that's the other thing, too, I guess, in theory. Like, for instance, if I had, like, an iPod and I didn't have a phone number associated with it, but I could maybe download, like, a messaging app and, you know, still message from it. Right. I would need to have Internet to do that. I don't know. In theory, you could say it becomes then as. As important in the same way that telephone services are in an emergency situation like that. Because maybe I do use the Internet to communicate primarily and I got to get in touch with somebody because I'm in danger, there's a problem or whatever. So. Makes sense. But back to your point, having it be like a critical infrastructure type thing, it does seem like that's becoming more of a target. And in this case, Frontier has, says 5.2 million locations for their fiber optic network, and they serve customers in 25 states, 3 million broadband subscribers. So targeting that fiber optic network. Yeah, that could, uh. That could be a little. Yeah, yeah. Just a bit disruptive. But they, did they contain the incident? They believe they've contained the incident, started bringing stuff back online, beginning normal business operations. [00:12:35] Speaker B: So three days, though, man. [00:12:37] Speaker A: Yeah, right. But they addressed it pretty quickly. They detected the access on the 14th, reported it on the 15th to the SEC. So Fenn Elisp to the SEC. So they did address it very quickly, and they, you know, publicly talked about it very quickly, which I don't know, I respect that with a big organization. [00:12:53] Speaker B: Like this, you know, and that's, that does bring up that whole question around incident response is like, what's the, what is the first thing you do? And obviously it's going to depend. Depends on organization. The, the breach in question, like, what do we think is going on? How do we respond to that? So that's why you build up playbooks, you do tabletop exercises. And obviously for Frontier, this was the type of brief that said, shut her down. [00:13:16] Speaker A: Right. [00:13:16] Speaker B: We gotta, like, you know, Houston, there is a problem. [00:13:20] Speaker A: Yeah. [00:13:21] Speaker B: And we got to do something about it. We cannot leave this online. We have to. We have to do that. So, good for them. You know, they did the hard thing. I know this is probably going to hurt them financially, it's going to hurt them reputationally, but at least their instant response, they were like, you know what? This is where we're at. [00:13:36] Speaker A: Yeah. [00:13:37] Speaker B: Somebody, you know, throw the big switch. [00:13:39] Speaker A: And because, like you said, the, them taking services offline was an attempt to control it. It wasn't like this was a denial of service attack type thing. [00:13:45] Speaker B: Right. [00:13:45] Speaker A: What they were doing, what this third party did, they think it was a cyber crime group was they gained access to Pii. So personally identifiable information. [00:13:51] Speaker B: They never want that. [00:13:53] Speaker A: Right. No, that's so rare. That's crazy. I can't. Why would they take that? But they don't have any information yet on whether it was like, customer Pii employee Pii. [00:14:00] Speaker B: Right. Or what early in the game. [00:14:02] Speaker A: Right. Or how, like, how sensitive. If it was like, names and email addresses, if it was like, more personal, you know, we'll probably hear about it. Right. It'll be a deja news segment in a few weeks, so stick around and we'll talk about that. Just to stick around. [00:14:14] Speaker B: Yeah. [00:14:14] Speaker A: So, but, so this was definitely a big one this week. It seemed like it popped up a lot across a lot of sources. This next one, though, probably takes the cake for story of the week, in my humble opinion. And this is part of a segment that it's an old favorite. Who got pwned? Looks like you're about to get pwned. [00:14:29] Speaker B: Fatality. [00:14:32] Speaker A: I do enjoy. I do enjoy that audio. [00:14:35] Speaker B: Every time I see the graphic, I'm just like, there's Thor's dad. [00:14:38] Speaker A: I forgot that's come up a couple. [00:14:40] Speaker B: Times on this show. [00:14:41] Speaker A: I always forget, but I do. I do enjoy that segment. It's been a while and I could not think of a better time to use it than this story because Mitre was breached by a nation state threat actor. Via or via, depending on how you want to pronounce that. The Avanti zero days that we have talked about many a time on this show. [00:14:56] Speaker B: So, say, via satellite? [00:14:58] Speaker A: Via satellite. Via satellite, yeah. Makes it sound. Make it sound like we have Mitre on the phone. Not so pompous. Via satellite. So they were breached by attackers via 20 day vulnerabilities in Avanti secure connect or connect secure VPN devices. So. And they also managed to move laterally, which is always fun. And because Mitre is such a big. I mean, we talk about Mitre, I would say more often than not, it comes up at least as like a reference or a source on the show. So definitely when I saw that name, I was like, whoa, this is a big deal. [00:15:25] Speaker B: I wonder if Mitre went to the attack frameworks to see exactly what they would do next. [00:15:32] Speaker A: They use their own sources. [00:15:33] Speaker B: Yeah, well, this is apt. Like, didn't they, didn't they tell you which apt. They thought this was perhaps a chinese apt. [00:15:40] Speaker A: They definitely said it was a nation state. Yeah. They previously tied it to a chinese attack group. Yes. [00:15:45] Speaker B: There you go. [00:15:46] Speaker A: Um, so it definitely. They've confirmed that, that we believe this is a nation state attacker. And, uh, because it's Mitre, you know, this is something that they, they're not just, you know, you go to refer the attack framework, but they also manage federally funded research development centers supporting various us government agencies. And anytime I see breach and us government agency in the same article, I'm like, oh, that's fun. That's always fun. Anytime I see those connected in any way, it's a little. It's a little bit scary. [00:16:11] Speaker B: Yeah, it is cool how they did the breakdown of. [00:16:13] Speaker A: Yeah. [00:16:13] Speaker B: What happened. They said basically this is how it went down. Performed reconnaissance of the organization's network, exploited one of the organization's VPN's through the Avanti zero days, hijacked the VPN sessions to move laterally into the VMware environment, leveraged compromised accounts, including an administrator account, rut row. Then we got some Webshell happening, some backdoors happening that gave them the persistence they were looking for the exfil data using their c two infrastructure, and then created staging and persistent virtual machines with the VMware environment, which was kind of like, apparently that was the thing that really made them think, oh, this is, we've seen this before with chinese state sponsored hackers. So that's why we're kind of going that way. [00:16:55] Speaker A: Kind of a hallmark of those kind of groups. [00:16:58] Speaker B: It's how they know them, right? [00:17:00] Speaker A: Yeah, it's like when the wet bandits go in and rob a house and they turn the sinks on. [00:17:03] Speaker B: That's it. [00:17:03] Speaker A: It's just, you just know that it was them. [00:17:05] Speaker B: Good reference, by the way. [00:17:07] Speaker A: Thank you. I try to make movie references when I can. Cause a lot of times I'm just not on par with what you're dishing up. So I try to keep. But Mitre did say that they followed the recommendations to patch these zero days back when they first became, you know, a thing of concern. [00:17:20] Speaker B: That's right, they did. [00:17:21] Speaker A: So they did. They did do what they're supposed to do, but they, this, this group had already gained access, and it was Miter late. It was too little, too late. They had already moved laterally, and they did not detect that. So even though they, they made the patches and everything and hardened the system. Didn't matter. I mean, it mattered. It's good that they did it, but. [00:17:36] Speaker B: They were going to do that again. But they'd already. Yes, they'd already set up, like, doesn't matter, and close that. And, you know, we talk about this when we teach classes. When it comes to especially, like, hacking methodology, that last stage is going to be persistence and covering tracks and things of that nature. So you get people that are new to it and say, why? Why create, go through all this work to try to, like, upload backdoors and, and create some persistence mechanism that can be kind of a pain. It could open you up to, you know, being discovered. You're like, yeah, absolutely. But what happens if they patch the way you got in right now, you can't get back in. So you always try to, like, set up some form of persistence. [00:18:18] Speaker A: Sure. [00:18:18] Speaker B: Through, you know, malware, c two, whatever the case is, maybe you figure out. [00:18:22] Speaker A: A way to make your own account or something. So then you can just log in back. [00:18:25] Speaker B: Works great. [00:18:26] Speaker A: Yeah. So then even if they close up, whatever, whatever hole you exploited, whatever you, you know, however you got into that. [00:18:32] Speaker B: System, it doesn't matter if they mend the fence. [00:18:35] Speaker A: That's true. That's true. Uh, so they did. There's no timeline, specific, explicit timeline of these stages. So it's not known like when they first, you know, took care of these bugs or patched what they needed to patch. It's not known when they gained access and all that stuff. So hopefully this stuff comes out later on. But they did take immediate action. They took down their nerve environment, investigated the incident, notified authorities. So they notified authorities. So they did everything they were supposed to do. [00:18:57] Speaker B: And Mitre is like, I think they said, yeah, this is. The investigation is still ongoing, but Mitre decided to share preliminary findings to help others, as well as specific advice for defenders talking about monitoring VPN traffic for unusual patterns. Look for deviations in user behavior segment networks and to limit lateral movement. All those defensive things that we always preach. And if you're not listening or you're not doing, you should really have a dang good reason why not. [00:19:25] Speaker A: Yeah. [00:19:26] Speaker B: Right. Other than it's really hard. We get that. No one's going to blame you for trying and failing at it. We are gonna like go, hmm. You didn't even try. [00:19:36] Speaker A: Yeah, you gotta at least put in some effort. [00:19:37] Speaker B: Yeah, yeah. You gotta try to lift the stone. Yes. It's heavy. [00:19:41] Speaker A: It's not gonna be perfect every time, you know, take you some air. Is human. [00:19:45] Speaker B: That's right. To tune everything just right. Yeah. [00:19:47] Speaker A: But you gotta put in the effort. You gotta give it a shot. So props to Mitre for, you know, still investigating, still figuring out what's exactly, what's going on. Co op. [00:19:55] Speaker B: Now, Mitre, who's next? [00:19:56] Speaker A: Right. Exactly. [00:19:57] Speaker B: Who's next on the list? [00:19:58] Speaker A: No one is safe. [00:19:59] Speaker B: That's right. [00:19:59] Speaker A: It is. It is a little bit like, makes you feel a little better. Like, okay, if they can't even stay secure entirely, 100%, all the time, it. [00:20:06] Speaker B: Just goes to show you, security is. Is difficult. [00:20:09] Speaker A: Yeah. And mistakes happen. So hopefully they're able to, uh, you know, get this completely under control and, you know, figure out exactly what it was that went down. And maybe this will appear later on like a deja news segment, uh, later on in an episode. But we've got a couple more that we want to get through today. Uh, you might have heard about this one, the crush FTP file transfer vulnerability that lets attackers download system files. This is another one that, uh, I had mentioned to you. I had not heard of crush FTP before I read this. And you were like, well, you hadn't heard of move it either before we started talking about it. And you're absolutely right. [00:20:36] Speaker B: Yeah. [00:20:36] Speaker A: You don't hear about it until something goes wrong and then suddenly you know who they are. [00:20:39] Speaker B: Because it's weird. Like move. It had so few customers, right. That you're like, oh, well, it has so few customers. What's, what's the big deal about this? It was who their customers were, right? That made it important, that made it more impactful. [00:20:54] Speaker A: Sure. [00:20:55] Speaker B: I'm wondering if crush FTP is kind of the same kind of thing. Because I'm like you, I never heard of crushed FTP. Know, most FTP that I use is going to be like Filezilla. You know, like that's, that's the big FTP. And then there's like the open source FTP stuff that you get in your apt of repositories if you wanted to spin up FTP. What are we doing with FTP all the time? That's my question. [00:21:15] Speaker A: Yeah. [00:21:15] Speaker B: What's with all the FTP is, I mean, I don't work in an environment where like FTP is a big deal and never have. Honestly, if we did need to transfer and or store files, yeah, we would have a certain, we just have like use SCP because SSH is going to be installed. So why not just use SCP, you would think. And maybe, maybe crush FTP has a really nice user interface. You know, a lot of, a lot of end users like graphical stuff where you point and click and do that and it makes that more usable for them. So again, I'm completely ignorant to the usefulness or not of crushed FTP. That's what I'm saying. If you know a little about crush FTP, you gotta. You got some love for crush FTP. This, this like is going to affect you. Let us know in the comments. It'll be interesting to hear a little more other than the article that crush FTP got popped. [00:22:07] Speaker A: Drop us a line if you're personally affected. We do like to hear from you all in the comments. Let's get back to the breach, the breach. So one thing that I thought was interesting, there was an intelligence report that came out about this and it seemed to suggest that the crush FTP servers that were exploited were at us entities for intelligence, intelligence gathering activity. So that is a little. [00:22:25] Speaker B: There's the client, right? [00:22:27] Speaker A: Exactly. So that tells you why. Oh, maybe that's why this is a little bit more of a bigger deal. Because if that's true, it's just a suggestion at this point. But if that is true, then that, you know, could indicate maybe it's politically motivated. Maybe it's, you know, if it's, I don't know. Could it be like a nation state type thing? [00:22:42] Speaker B: Of course. You always got to have that on the table just about. Unless it's just some little janky hack that no one really cares we won't be talking about. It wasn't big enough that it's possible that a nation state actor was doing it. [00:22:54] Speaker A: That is true. But what this does is it allows you to download system files. I guess so. I mean that could mean anything. Which makes it even more dangerous. [00:23:02] Speaker B: Right. Well, I mean, start thinking of system files that hold information, configuration files. Right. Just about anything in the Etsy directory. That would be fun if you're running a Linux based system. I don't know how if this is working against both Windows and Linux operating systems. It doesn't really kind of get into that detail. At least not that I remember reading. But yeah, you grab the right type of file and you can have all sorts of fun, fun times with that because that information could lead you to all sorts of things. What if I'm able to download, I don't know, encryption keys? That'd be fun. So if I'm able to just basically walk around your file system using this exploit, sky's the limit. I just got to get creative what I'm looking for and what I can find. [00:23:50] Speaker A: Yep. Yeah, absolutely. They did release an advisory about this and they do have a patch. So they're urging customers to update on their dashboard. And it did mention that if customers are using a DMZ perimeter network in front of their main instance, then they should have been protected from the attack. [00:24:03] Speaker B: So got a layer of abstraction between. [00:24:05] Speaker A: You and this, then you should be good still probably. I mean you still update everything, but. [00:24:10] Speaker B: A reason not to, you know, if. [00:24:11] Speaker A: That'S something that you're employing, that's good. [00:24:13] Speaker B: And I say that there are reasons not to update. Oh sure, it breaks things. It's just security guard. [00:24:19] Speaker A: It's true. Yeah, that is true. There's always going to be a reason. But in this case I think, you know, having that patch there, right? Probably. If you're, if you are a user of crush FTP, if something that affects. [00:24:28] Speaker B: You, good patch, obviously firewalling at that point, like, and that's what they're, that's what they're talking about when they say a DMC is you have some layer of abstraction between you and the, and the host of the crush FTP server. [00:24:38] Speaker A: Sure. Defense in depth. You've got, you've got a couple different ways to protect yourself from this kind of stuff. So, again, we'd be curious to know if this is something that affected you or if you've got more information on that. You know, if you're a crush FTP user, let us know. But we got a couple more that we want to jump into here. Now, this next one here is interesting. It's not all that meets the eye. So that's why this is going to be part of a segment called don't make no sense. It make no sense. It makes no sense. What you're talking about, Will, is love that little graphic. So this caught my eye because it talked about game cheats, and that's always fun. New redline stealer variant disguised as game cheats using Lua bytecode for stealth. We do love stealth. So this was something from McAfee Labs did, did a little research into this, and there's something in this article that initially, they didn't really know how this was happening, how they were carrying this out. And we have some more information on that now. But initially, what was the issue to begin with? You know, what was the big problem here? [00:25:28] Speaker B: So it looks like people were downloading game cheats or what they thought were game cheats, but they weren't game cheats. Oh, they were cheats, all right. But they weren't for the game you were looking for. They were for cheat codes to get into your system and then stay there undetectedly. And that's what this is all about. So if you're out there, just, just word of caution for those of you out there thinking, you know what? I need some game cheats in my life. We have seen here in the recent past quite a few people going exploiting those with the proclivity to go and find game cheats. Just play the game, just. Just enjoy the game and get better at it. I is there areas I'm not a huge, like, online game? I say huge. I'm not an anything online gamer at all. I don't do it because I don't like it. [00:26:14] Speaker A: That's fair. [00:26:15] Speaker B: Okay. [00:26:16] Speaker A: That's fair. [00:26:16] Speaker B: So it's one man's opinion. [00:26:17] Speaker A: Right? [00:26:18] Speaker B: Right. But can't they just create room where it's just all cheats all the time? [00:26:23] Speaker A: I mean, I guess I think you start to see that in older games. So, for instance, like, like black ops two, I was like a year ago, I went into the, the online lobby for that, and it's just been overrun by. It's just awful. It's chaos. But I think you see a lot more cheats in that kind of environment. And I'm no expert, it's been a while since I've online gamed, but because it's an older game and, you know, it's. It's maybe kind of gotten out of control. People don't pay as much attention to it, but I think maybe in these newer games, you have more people that are paying attention to that stuff, and it's like, hey, look, I guess my. [00:26:52] Speaker B: Question is, like, I just don't. That doesn't compute in my brain. Why? Why cheat? [00:26:58] Speaker A: That's a good question. [00:26:58] Speaker B: Because what are you getting at? [00:26:59] Speaker A: Like, it would take the fun out of it. The only thing I can think of is if. [00:27:03] Speaker B: Is there money involved? Like, if I kill you, do I get your stuff? Is this ready? Player one? [00:27:07] Speaker A: I mean, I guess if you're right, if you're competing, but if you're competing and they found out you're cheating, then you. You're disqualified anyway. So I think, you know, you see it, like, people using cheats in just, like, a game lobby. You're just. You're just playing online with people. I don't know, maybe it's just like, they don't want to lose. Yeah, it's. They were an online gamer. [00:27:23] Speaker B: What is the purpose of the cheats? Just to. Some people like to watch the world burn. Is that. Is that what we're looking at here? [00:27:28] Speaker A: I guess maybe if you're trying to, like, if there's certain cheats that allow you to 100% the game a little bit easier, maybe if you're trying to get 100% completion and you're just screw it. I just want to do it quickly. [00:27:36] Speaker B: I get that. But these games are online. They are perpetual. There is no hundred percent in the game. Right. [00:27:40] Speaker A: You can still get achievements, but. But. Right, I mean, that's the only thing I think of, is that maybe you. You just don't want to lose, and so you just figure it's easier to cheat rather than. Rather than get good. [00:27:47] Speaker B: Well, guess what? You're getting your just desserts, right? [00:27:50] Speaker A: Because in this, it masquerades, is a game cheat. So gamers are the target, but comes fitted with an MSI installer that runs that malicious bytecode. Now, the Lua bytecode is something they mentioned specifically a few times. Is this something that we've seen elsewhere, or is this a relatively new thing? [00:28:03] Speaker B: So Lua is a scripting language for creating all sorts of things. And Lua is. It's very popular within the gaming community. [00:28:11] Speaker A: Okay. [00:28:11] Speaker B: Right. So you might run into Lua if I think it's a scripting language. If I'm, if I'm remembering correctly off the top of my head, byte code is basically the low level assembly language for computer instructions. So if I need to tell the cpu to do x, y or z, as you get lower to actual, like when I want to say what, we'll start binary. That's the word, yeah. As I get closer to binary, byte code is going to be the one step up from just zeros and ones. Right? So lua has the ability to create instructions and they call that bytecode. So the reason this is stealthy is because normally we're using like c and c and things of that nature to generate our shellcode, whereas Lua has its own way of doing that. And since it's not as signatured, you're kind of getting beyond like, oh, this doesn't look like shellcode. So at least that's what I'm reading from here. That's what I'm taking from that. I don't use Lua. I'm not a Lua programmer or whatever. [00:29:12] Speaker A: That makes sense. [00:29:13] Speaker B: I think I saw it once and that's how I knew about it. [00:29:16] Speaker A: I did not realize it was popular with, with gamers. You may have mentioned that before. I just. [00:29:19] Speaker B: Yeah, I think it's a, it's a popular like, gaming program. I'm gonna look it up here. [00:29:24] Speaker A: Makes sense. [00:29:25] Speaker B: Lua gaming. [00:29:28] Speaker A: Well, while you're doing that, this is something too. That they would display a message on the screen if this is something that you downloaded and you fell victim to the display message saying, hey, if you want the unlocked version of these cheats of this software, all you gotta do is share it with your friends, send a copy to your friends so it spreads in that way. Because you think, oh, I want the unlocked version. I want all the cheats I can get. And you share it with people and then they also fall victim to it if they're cheaters. So I say that with such malice, but did you find it? [00:29:51] Speaker B: I did. It says. Lua is a popular scripting language used in game development due to its perceived easiness to embed fast execution. In short, learning curve is often used alongside CC game engines to separate concerns and provide flexibility. Some notable Gary's mod. [00:30:05] Speaker A: No way. [00:30:06] Speaker B: Yeah. Roblox, Garry's mod, World of Warcraft, payday two fantasy, Star Online, Dota two Crisis, so on and so forth. So there, there you go. That's the, that's the love of Luo. [00:30:18] Speaker A: Well, that's quite the range. Roblox, Gary's mod and World of Warcraft, that is. What a range. Well, there you go. It's a fun fact that I did not know. And this article also mentioned at the time that this story broke, they didn't know how the files came to be uploaded to repositories. But it sounds like we've now got more information on that. [00:30:34] Speaker B: Right? Because it does say in here that is currently not known how the files came to be uploaded to the repository. And the repository you're talking about is GitHub repository. Repository. And the specific GitHub repository is Microsoft, right, right. This is like this was coming from Microsoft's official GitHub repository. [00:30:51] Speaker A: Seems legit. [00:30:51] Speaker B: And they're saying like how is that happening? Right? The technique is a sign that threat actors are weaponizing the trust associated with trustworthy repositories to distribute malware. So these were coming out as zip files, right? That was cheat lab two dot seven dot two dot zip and cheater dot Pro dot one 60 dot zip. Those were the masquerades as cheats. But they weren't, they were MSI installers inside the zip file which installed malware. Uh oh, that's no good. And the writing of this article, they couldn't figure out how that was happening. They postulated a couple of things and I had actually stumbled across a different article that talked about that very thing. This is takes us to our next article. I'll let you, I'll let you because. [00:31:36] Speaker A: That'S what you, oh sure, it's part of the same segment, but yes, GitHub comments are being abused to push malware via Microsoft repo URL's. So sounds like that may be how this came to be. [00:31:45] Speaker B: Yep, that's exactly how this came to be. And as you can see in this article, there it is, right there, right there. Cheat zero. So what's interesting about how this works is GitHub has the ability to comment issues, that kind of stuff, right? And that's very useful to developers. If I'm a developer, I want my users to go, hey, I had a problem, or hey, have you thought about doing this? Or so on and so forth? And they have the ability within that commenting capability to upload files. So you can go, here's a screenshot, here's some of this that the other, you can actually upload a file for the developer to be able to work with. This is where the problem comes in. So apparently if I make a comment and I upload a file, and then what ends up happening is GitHub goes, hey, here's a URL to that file you uploaded. It's, anybody with that URL can go grab that file. You cool? Even if you go, you know what? I'm not going to submit this, I'm going to cancel my comments, I'm good. Or even if I committed, the comment said, okay, yeah, there you go, there's my comment. Add any, let me delete that. I'm gonna delete that comment. That URL, guess what? It still works. And here's the other fun part about it. It doesn't show up anywhere. So Microsoft can't just go into their git repo and go, they go, I don't see this file anywhere. You deleted it, it doesn't exist, or you never committed it. It doesn't exist. It's like dug way down in the guts of GitHub, somewhere down in the basement. It still does actually exist. It actually did. As soon as you hit that, this is the file I want to upload. It does. Download that file, put it into GitHub, create a URL that continues to work regardless of whether or not the comment was deleted. This is what malicious actors are exploiting. They figured this out and they said, okay, cool. So when you contact Microsoft and say, hey, you're hosting malware, they go, no, we're not. [00:33:52] Speaker A: That's crazy. You don't even have to post the comment. And even if you delete the comment, the files are still there forever. That's crazy to me. [00:33:59] Speaker B: Now they say, well, here's what you can do, is you can just disable comments. But guess what? It auto re enables after like six. [00:34:05] Speaker A: Months or something, and you can block individual users, but they can create another account. And it's not like it's just one person that's doing this, I'm sure is. [00:34:12] Speaker B: Oh, yeah. [00:34:12] Speaker A: A widespread thing. [00:34:13] Speaker B: I'm sure there's a dark web for him somewhere. Here's what you gotta do. [00:34:16] Speaker A: Yeah, it's like trying to block every spam bot on Twitter. You just cannot do it. It's an impossible task. It's like the, who's the guy that pushes the boulder up the hill and it just keeps rolling back down? [00:34:24] Speaker B: Atlas. No, that's Atlas. He holds, steals the world. What is this? [00:34:28] Speaker A: What is his name? [00:34:28] Speaker B: I don't remember. [00:34:29] Speaker A: I think it's Sisyphus. Anyway. Literally. Literally doesn't matter. But it's a, but it's like a futile task, if you will. So is, I wonder from your chair, is there any way to really because you don't want to, you don't want to, as GitHub say, no more comments ever, because they do have a real purpose. So how do you fix this? [00:34:45] Speaker B: GitHub's gonna have to figure this out. [00:34:46] Speaker A: Well, I think that, yeah, I think that goes without saying. I just wonder how I would think that. [00:34:51] Speaker B: Like I'm just off top of my head, maybe again, not, not fully baked at all. Maybe when I hit that don't post button or I delete my post, those files get destroyed. [00:35:04] Speaker A: Right. [00:35:05] Speaker B: And that URL stops working. So if you're, that's just one thought. [00:35:08] Speaker A: If you're gonna upload malware in a file like that, you gotta commit to the bit and you've gotta now hit comment. [00:35:13] Speaker B: And that might be easier said than done. I don't develop GitHub, so there, sure. But that's just, that's one thing I'm thinking here, other than that would be very, very difficult for someone on the other end of this, because it looks legit, it looks like it's coming from Microsoft's GitHub repo. And that happens all the day. Like, that's not uncommon. So if you're looking at it, you've got the ultimate, it's not even a typo squat, it's the real deal. You are, you are taking advantage of a trusted system that has a flaw. And this is, that's what hacking is all about. Girl, kid, boys and girls. [00:35:54] Speaker A: Well, yeah, and even just disabling comments outside of the fact that you can't disable them for longer than six months at a time. You want comments on, because that's the whole point of if you're gonna put something in GitHub and you want people to, hey, here's a suggestion. Hey, I found a bug. Like, it's about, you know, helping people, and there's always gonna be some jerk that spoils the fun for everybody else by doing something like this. [00:36:12] Speaker B: That's right. [00:36:12] Speaker A: In this case, it's not one jerk. I think it's at least a couple instances that we've seen this, but I. [00:36:16] Speaker B: Think Nvidia's driver installer repo is that, for example, a threat actor could upload malware executable. Oh, they're giving an example into Nvidia's driver installer repo that pretends to be a new driver, fixing up issues in popular games or threat hacker could upload a file into a comment to Google Chromium source code and pretend it's a new test version of the latest web browser. So you see like the sky's the limit with this. So while Microsoft has in some way shape or form removed this malware, I don't know how they did that. They apparently found it or they have access to it, but it's not easily discovered. [00:36:51] Speaker A: Right. [00:36:52] Speaker B: Which is why at first they were like, I don't know what you're talking about. So, yeah, they figured that out. Now they, they, you have to go. But that's a lot of work. That's, that's the backwards way. We shouldn't, we have to build some fence that prevents this from occurring. [00:37:05] Speaker A: Yeah. And I mean, as of right now, there's no, it's still accessible. GitHub removed the malware link to Microsoft repositories, but the malware is still accessible technically. So I just wonder how, how they're going to go about kind of curbing this and if we'll see this in a future story. [00:37:21] Speaker B: I love this. There's a Sergey frank off of automated malware analysis service. Unpack me. Did a live stream on Twitch about this bug just a month ago saying that threat actors were actively abusing it. And there's a little video here, them saying open analysis live like weeks later, GitHub bug still dropping malware. Right, right there. And let's see if it works here. Oh goodness, that's three and a half minutes. We're not going to watch that. [00:37:49] Speaker A: Put on double speed. [00:37:50] Speaker B: Yeah, I'm thinking, can you just show the exploit? [00:37:53] Speaker A: I don't want to watch a three. [00:37:54] Speaker B: And a half minute video. Just get me to the fun stuff. [00:37:56] Speaker A: Yeah, we're in, we're part of, it still works. Apparently it still works. So I mean, I guess, and not respect, respect is the wrong word. But it is interesting to see how people figure this stuff out. And somebody had to figure out, oh, if I do this and if I don't even have to comment, I can just, it'll just upload. Somebody had to figure that out. [00:38:12] Speaker B: It is a common thing to want to try because people trust GitHub, people trust aws, people trust like Dropbox and Google Cloud and, and these things, they're, they are trusted entities. [00:38:25] Speaker A: There's reputation associated. [00:38:26] Speaker B: So if, right, that would be like me abusing like virustotal. [00:38:31] Speaker A: Right. [00:38:31] Speaker B: Right. If I could find a way in the virus total system, which I think I actually already have to use that and everything looks like it's coming to and from virustotal. You're gonna trust that because virustotal is a trusted entity. So they just sit around looking at these trusted systems going, is there some way I can massage some bad stuff in there? Because then it becomes the sugar around my, my pill. [00:39:00] Speaker A: Yeah, right. [00:39:01] Speaker B: That nobody thinks twice of. And they just swallow it. [00:39:03] Speaker A: Yeah. [00:39:04] Speaker B: So that's, that's what's going on. And they found one here in GitHub. [00:39:07] Speaker A: Scary stuff. It's. I wish people would use their knowledge and their talents for good, but unfortunately, instead of money. Instead of money and. Yeah, just some people just want to watch the world burn. Right. [00:39:17] Speaker B: You know, I understand money. Like, I get it. Having money's nice. But like, how much money do you need, Mister Rockefeller? [00:39:23] Speaker A: Yeah. Yeah, that is. Yeah. [00:39:25] Speaker B: The fact that you would turn on your, your fellow humans in a way like you just don't care. [00:39:31] Speaker A: Betrayal. Yeah, that's unfortunate. And hopefully, like I said, there is a solution that ends up coming to lighter. They find a way to at least curb this a little bit, but hopefully that will come up in a future episode. Now, we are going to take a quick break here. We've got a little bit more that we want to cover in our deep dive. Has to do with a little thing called magic dot that you might have heard of. So that's a little teaser. You'll have to stick around if you want to know more about that. We'll be right back after a break here on Technato. Tired of trying to schedule your team's time around in person learning? Isn't it a bummer to spend thousands of dollars on travel for professional development? What if we said you can save money and time and still provide your team with the best training possible? The answer to your woes is live online training from ACI learning. With live online training, we provide our top in person courses in private online instructor led formats. You get to provide professional development in a manner that fits today's expectations. Entertaining, convenient, and effective, our exam aligned courses inspire the full potential of your team. Visit virtual instructor led training at ACI learning for more info. Welcome and thanks for joining us. For more Technado, thanks so much for sticking with us through that break. We're getting ready to go into our deep dive and we are going to have some, hopefully some visuals here. A lot of times these articles do have some visual aids, so if you are listening on a podcast platform, we'll do our best to walk you through it. [00:40:43] Speaker B: Our best. John Madden verbally. [00:40:44] Speaker A: Yes, exactly. We'll give you a little play by play, but if not, if you are watching on YouTube, you know we'll be able to show you those visuals. [00:40:50] Speaker B: Who's your favorite sports commentator. [00:40:52] Speaker A: Yeah. Oh, right now of all time. McCubert. [00:40:55] Speaker B: Okay. [00:40:55] Speaker A: McCubert. He's the voice of. [00:40:56] Speaker B: The voice of the Gators, right? [00:40:57] Speaker A: Yeah. Oh, my. That guy. He is my favorite. [00:41:00] Speaker B: I love him. [00:41:03] Speaker A: You have to. It's Mc Hubert. Okay. [00:41:05] Speaker B: Okay. [00:41:06] Speaker A: That was like his thing, you know? Sure. [00:41:07] Speaker B: Our, you know, european listeners are like, okay, sure. [00:41:10] Speaker A: Yeah. Our very niche gator audience is like, yeah, that guy thought you had crocodiles. Different. They are different. No crocodiles here. Just not here in Gainesville. [00:41:22] Speaker B: Not in Gainesville. [00:41:22] Speaker A: Yeah. So it's what, everglades, would it be everglades down there? [00:41:25] Speaker B: Yeah, down in the everglades. The keys. [00:41:27] Speaker A: Oh, yeah, yeah, that's true. That is a good point. Anyway, deep dive, little geography list. We're gonna. We're gonna take a deep dive with the gators and the crocodiles. You may have heard a little bit about something called magic dot, and this article describes it as a hackers magic show of disappearing dots and spaces. So I went through this and I didn't get too deep into the details on it yet. So I am interested to know what disappearing dots and spaces. That sounds fun. [00:41:51] Speaker B: So I'm not going to lie, this is a bit of a heady. [00:41:55] Speaker A: All right. [00:41:56] Speaker B: Lots of detail. We're going to do our best to kind of follow the dots, as it were, and put them together and figure out what's going on here. Don't worry too much about this is probably not something that's going to affect you today, maybe even tomorrow. But as the author of this article kind of goes into, this is really good information for someone that was trying to develop a rootkit that could escalate into. Because for rootkits to be really effective, they need administrative privileges. Right. They need. They need to kind of get into that kernel space if they. If they can. And if you're in user land, you still need admin privileges. But they are saying maybe we can kind of escalate into that without any kind of authentication. So it's really interesting stuff. And just the fact that this is a weakness, I guess, would be a vulnerability in the Windows operating systems and has been for a while. Microsoft knows about this. [00:42:57] Speaker A: This isn't like known issue. [00:42:58] Speaker B: Yeah. They're just kind of like, well, you know, until it becomes a problem. So I think the security researchers, whose name is. Let's see if I'm getting this correct. Or. Or yare or. [00:43:13] Speaker A: Yeah, yeah. Or, yeah, probably that sounds right. [00:43:16] Speaker B: I hope I'm getting that correctly. Their whole purpose in this article was to prove that this could be leveraged for a little more danger than Microsoft is getting a credit for either way, shape or form. Still really interesting and something good for us to know about the most ubiquitous operating system in the land. [00:43:35] Speaker A: So up until, you know, this person started looking into it, it's just kind of like, like a quirk, like, oh, this is a thing that happens. It's an issue, but until it gets to be a serious problem, it's probably fine. But by exploiting this issue, they were able to uncover an RCE vulnerability and a couple of elevation of privilege vulnerabilities. So three separate things that they were able to uncover through this that could lead to some more, more serious issues. [00:43:55] Speaker B: That's exactly right. And that was the whole purpose of trying to figure out whether or not you ever get that as you're like, I feel. I feel like there's something more here than meets the eye. [00:44:05] Speaker A: Gut feeling. [00:44:05] Speaker B: Yeah, that whole gut feeling. Well, or went down that rabbit hole. And usually when you do that, you go, yep, I was right. Here it is. Here's the problem. At the end of the day, again, like I said, probably not going to affect you. A Microsoft fixed all these vulnerabilities. They released patches for this and now they're no longer a problem. But as or states down at the, you know, end of this article, just because they fixed these three things that I discovered doesn't mean there's not a whole. Well, right. Issues that stem from this one problem. [00:44:37] Speaker A: Sure. [00:44:38] Speaker B: So you just got to get more creative and keep. Keep scratching at it, as it were. [00:44:42] Speaker A: Yeah. [00:44:42] Speaker B: So, shall we begin? [00:44:45] Speaker A: Oh, we shall. [00:44:45] Speaker B: It. [00:44:46] Speaker A: I saw the word rootkit like privileges or abilities in here, and that to me. Oh, boy. Admin privileges or with. Even without admin privileges, they can do things that they should not be able to do. So I am interested to know how exactly this person was able to get to this point and how an attacker could exploit this. [00:45:01] Speaker B: All right, so the root. The crux of the issue, as it were, is the fact that paths. Right. You have a path. If I want to get to a file. C colon, Backslash directory. Backslash directory to Backslash file name, dot extension. Right. We're all familiar with this idea of paths. Two things. That's how we find objects on our computers. If I store a file, and you'd be able to access the thing. Little fun fact, are you. I'll go to Sofia here. She'll be our guinea pig for today. Are you familiar with the Windows API? [00:45:37] Speaker A: No. Great. I mean, I know it's application programming interface. But as far as like, am I intimately familiar with it? [00:45:43] Speaker B: No, that's fine. You get the idea of what an API is and that it's the Windows API. Sure. If I want Windows to do stuff, I'm a programmer, I'm a developer. I'm going to call the windows API. This is basically a whole library of functions that I can just reach out and grab. I don't have to build it from scratch. Just go, cool. Hey, Windows, I need to do x, y or z, pick the right API, call, throw it in my soup, as it were. Add the salt as necessary, which is going to be all the details that are required to make that thing happen. And off it goes. It does the thing. Fun facts. When you say, hey, I need you to do something with this file. It looks for the path, but because of older versions of Windows, it has to convert to, and that functionality has to stick around because Windows has to be backward compatible for like ever. [00:46:39] Speaker A: Oh yeah, right. [00:46:41] Speaker B: So what it does is it convert, it converts that dos path into an nt path. [00:46:46] Speaker A: Okay, okay. [00:46:47] Speaker B: And it's within that where the problem arises because of that. If you add weird characters like dots or spaces, it goes, nah, I don't know what to do with this. And kind of changes things. [00:47:01] Speaker A: Hence the name magic dot. [00:47:02] Speaker B: Magic Dots is what Orr has described these as because of how that ends up working out in real life land. So I think we got ourselves a little, yeah, I love this. It's kind of got a chart demonstrating this. And here we go. So if you have this doth pass of, see example, example, period. You see a little period there on the end of that. Ah, it converts it to this with this question mark, question mark, slash c. Example, example. The dot is gone. Or if I fiddle with this, what can happen? Well, a bunch of things can actually happen. And you can kind of see, just kind of keeps messing with this. You can see we've got one with triple dots which converts again to the same thing. And if we come back over here and we look at what, if we add a space to the end of it, a space, although you can't see it, is an actual character and the computer does see it. It knows it's there. You just don't see it because it's not visible. [00:48:03] Speaker A: Sure. [00:48:04] Speaker B: What does it do? Well, it converts it to the same thing yet again. Okay, well, interesting. What else do we got? We got space. Space we've got inside the directory. So not just on the file but directories itself. If you put a dot on the end of an example, so on and so forth or use spaces. It's a lot of fun. So there's your conversion chart kind of giving you this is going to cause a problem. It says. When I understood how this conversion process worked, I knew it provided the perfect opportunity for some rootkit magic. [00:48:38] Speaker A: I wonder why. I wonder what it was about this that gave him a lightbulb that I could maybe exploit this, you know, probably. [00:48:46] Speaker B: Just fiddling with it or a previous experience, I would think. True, right. So I've in some of the things that they're doing with these rootkits. So I've messed around with in the Linux, I'm more of a Linux person and I've done something similar. Not with necessarily, I mean I guess it was with names I worked with aliases and files where I wanted to, if I gained access into a system, I didn't want you to know I was there. Sure, right. So if I drop some sort of file or if I modified a file, I wanted to get a little more stealth out of that. So what I would do is I would create aliases for stuff like the cat command inside of Linux. I cat a file and it basically dumps the contents of the files of the screen. [00:49:32] Speaker A: Sure. [00:49:33] Speaker B: Well if you cat the bashrc file and I've put a bunch of aliases there to do things that when you run the normal command you get different output, you would see oh, what are these aliases? So I would say, okay, if someone cats bashrc I'll make an alias for that in the bash Rc that says run this cat command instead which basically strips off all the malicious content, all those aliases, feeds you a copy of the pristine bash RC and goes, see, nothing to see here, it's all fine. So basically what I would do is make a copy of the pristine Bash RC, load that either into memory or a temporary file. And then when you ran the current version of Bashrc by typing in cat something, it would run an alias that would say oh, if you're bash, if you're catting bash RC, make sure you grab it from the temporary file and display that as the output and not the original. Huh, right. Same kind of idea here. I know it's really heady, like I. [00:50:34] Speaker A: Said, but smart, that is a smart way to go about it. For some reason it's giving me an image in my head of like a Rube Goldberg machine. Like when I do this, it does this and trigger this and the domino falls over and super convoluted. [00:50:44] Speaker B: So I did that with things like, like Netstat. I didn't want you to see if I had a connection established. So I would strip out all the reverse shells or any kind of HTTP connections or DNS connections that I was making through malware, it would strip all that information out. So if you were doing some sort of threat hunting, you would not see that it would hide that from you. And it looked like it was pulling from the original source. [00:51:11] Speaker A: Okay. Stealthy it was, yes. Okay. [00:51:13] Speaker B: Same kind of idea here. It needs to be stealthy. Rootkits need to be stealthy and they're going to use this for stealth purposes. I can hide stuff with this dot capability. So if I put a dot on the end of a file, according to this article, I think it talks about user rootkits and kernel rootkits, but ultimately if you go down to, I really have to turn off the dark mode because look what they do with these. [00:51:40] Speaker A: Oh, diagrams don't show up. Oh man. [00:51:43] Speaker B: You would think that it would not change that background because it's an image. So we'll have to room for improvement there. Yeah, yeah, totally. You know what, let me, never mind. But what's important really is the, this what we got right here, talking about concealment. So if you put a dot in the end of a file, it just conceals it from the system. It basically doesn't see that it's there. Not only that, but even if you knew it was there for whatever reason, you can't perform any operation on it. So if there is a piece of malware, I've hit it with the dots. You can't open that file and see it. The system is unable to work with that file. So that's step one. Another thing you can do is impersonation. It says, beyond making files and directories inoperable, I wanted users to be presented with different contents and information when they tried to retrieve them. Sound familiar? [00:52:35] Speaker A: Yeah, like what you described. [00:52:37] Speaker B: I totally recognize what's going on here. This is stuff I've done just in a Linux environment, and he's leveraging this problem inside of windows to make it happen. So to accomplish this, I created what I call the impersonative file directory. For example, if there was a harmless file called benign, I was able to create the malicious file in the same directory, but name it benign dot, okay? As a result, when a user reads the malicious file, the contents of the original harmless file would be returned instead, because it doesn't see that. So if I've got two files in the same directory, one's called benign, one's called benign dot inside. Benign dot is malicious, malicious? Malicious inside actual. Benign is, you know, not malicious. Not malicious. Not malicious. When I try to read benign dot, it gives me the contents of benign. [00:53:23] Speaker A: So it looks like, oh this is fine, there's nothing wrong going on here. But in the meantime there's other stuff going on in the background. [00:53:29] Speaker B: It impersonates the good file. Okay, we like this, right? So if you start threat hunting around and you think well is this benign folder really or this benign file really benign? It returns. Yes, I am, I absolutely am. Cool. And I think they even have like a little, yeah, a little demonstration here. Let's, let's jump into this thing here because it kind of really lets you see how this works. And you can see he's doing tree over here. He shows, it's showing normal content. Normal content, normal content, lol dot. So he's got all these files and folders that are in here, that kind of leverage and you can see everything showing normal content. You have this one, a text file inside the zip. And then once he drops it in here he's kind of creating this, what looks like, I guess he's opening each one of these files. You're seeing it's showing normal content, but give it a moment. And then now we do the same thing in WSL. So now they're using a Linux system no longer in the windows operating system kind of faking this out with, and you can see inside of these files is actually malicious content because the WSL system can see inside of this normally because it's not relying on the Windows API to read the files. He's bypassing that to prove that there is actual malicious content inside of these things. He's just using the dots to impersonate the good files underneath the windows operating system. Right. Scary. [00:54:51] Speaker A: That is kind of scary like this. I like that he gives us a little video visual because it's good to have diagrams and stuff. But the video is always neat because you can actually watch him walk through the process and learner. So that's, that's always pretty cool. But then he does go into detail talking about describing the process of how he actually carried this out. So he talks about concealment. [00:55:08] Speaker B: Well this is what he's talking about is processes. So I process inside of, oh, I. [00:55:12] Speaker A: See what you mean. Impersonating process. [00:55:14] Speaker B: This isn't my process that I do. [00:55:15] Speaker A: I see what you mean. [00:55:15] Speaker B: Okay, he's impersonating and concealing malicious processes, which is actually another really cool thing. So he was able to say okay, because we've got these magic dots. I can create an exe that mimics and hides. It is a process. It runs code, it does things. But I can use these magic dots to hide said process. And that's what's interesting. So you have, like you said, concealment. So you can see here he says, all right, let's say I've got blah, blah, blah exe. Then when accessed with the dos path, it is converted to the non existent nt path. As a result, I was able to prevent a user from using a tool to view, or. Yeah, to view the properties of the executable of the process and carry out any operation on just like what we saw before. But because now it's a process, it's making threat hunting a whole lot more difficult. That's you sneaky, crafty sucker, you. Right. [00:56:12] Speaker A: But then not only is he just concealing, not only is this person concealing things, he's not just sneaking into the building, he's walking into the building looking like he's supposed to be there. So he's impersonating. [00:56:21] Speaker B: Correct. So again, same idea. Now we're just applying it basically to an actual process. And here, which is super fun. This is going to be a good one. I got another little demo here for you. Let's fire this off. And if you're watching here, does a dir. He sees the magic exe and there's mimicats. Now, mimicats should not. You can see that stuff like it's happening right here. Mimicast should not run at all. When does defenders should be like, oh, that's garbage, right? It does not like that. You can, you might be able to get me be cats on disk, but you go to try to run that joker and it's going to get flagged. It's going to be like, nope, that's, that's illegal. Okay, but he's got this magic dot exe that's going to mimic an actual process in his system, right? So let's see how that works out. Vi this back up. He cleared the screen and now he's running this, right? He says create impersonated process. So he's using the magic dot, and he's kind of throwing some arguments to it. Gives an exe path which saying, hey, what executable do you want to run? It's saying, cool, run mimicats. And then it's going to say, well, also, who do you wish to impersonate? Well, I want to impersonate C Windows system 32 svchost exe, which is a legitimate process that runs on every Windows operating system. So if this all works, mimicat should run. But to the system it looks like it's svchost and there's no way to tell that it's not. That's, that's the danger. So let's see if it works here. He's going to fire it off. It's kind of showing you all this different stuff. And wait for it. Oh look, there's Mimikatz, right? He's going to canal kind of jump over here, find that svchost and you can see what is it saying is running. See, it's kind of blurry because it's a blown up video, but it says, see Windows system 32 svchost exe. That is the process that Mimikatz is impersonating. So the system just goes, oh, that's good, that's fine, I can totally run that. So we're starting to see why this is kind of a big deal and why Microsoft was like, well yeah, maybe you got into something there, let's fix this. [00:58:27] Speaker A: So beyond this, he didn't find any more, this person didn't find any more vulnerabilities as a result of the magic issue specifically, but kept, kept looking around, kept poking around and found something that, another vulnerability that allows an attacker to fully disable process explorer. So what, what will be the implications of this? [00:58:42] Speaker B: So when you, when you're threat hunting or you're doing analysis on files for malware, right, okay, like that, there's this thing, and this was actually a kind of a new thing idea to me. I probably heard the term before, but I never properly ever ran it down. There's something called prefetch analysis where there's like information about the file. If you google it up, I think like trusted SEC has some really good information on it. So go read more about prefetch analysis. Just do a Google search for that and then look for trusted sec. They did a great job of writing up what all that means and how that works. We don't have time to really get into that, but it's, it's a specific technique that's used for analyzing potentially malware or if you know it is malware. So you find out some information about said files that are running said malware. And even in our article, they kind of go into the idea that this is how this works is how they kind of like get around that. They realize that file names in Windows can only be 256 characters long. [00:59:38] Speaker A: Okay. [00:59:39] Speaker B: Right. They were able to, through the abuse of the Windows API and the magic dots, to create file names that are over 256 characters long. When that happens, there is an internal check for these. As developers you always have to be looking for what happens if it goes wrong. What does it do if things don't work? What should it do? Right, this is called errors. Right? You get an error, should it, should it should stop running? Should it give you an error and dump? Can it, can it recover? Can it can do something gracefully? Is it going to fail? Well, how's this going to work and what are we going to do? How are we going to. Error handling, I guess is the better term for that. How are we going to handle these errors? There is error handling for that built into the windows API. Swear it got really fun. They realize that the default action, if you do not define what to do and you just take the default action for that era of hey, this file name is over 256 characters is to create like a mini dump. And no, that's not what you get your head out of the gutter. [01:00:45] Speaker A: I didn't see your eyes, nothing. [01:00:48] Speaker B: I saw the look on your face. No, she's, she's a twelve year old. [01:00:52] Speaker A: Ladies and gentlemen, I'm being accused falsely. [01:00:54] Speaker B: No, you're not. [01:00:54] Speaker A: So a mini, a mini dump in the computer. [01:00:57] Speaker B: You know it's funny. [01:00:58] Speaker A: Well, yeah, now it's gonna be funny. Now I'm gonna laugh. I wasn't even. [01:01:01] Speaker B: Course you are. [01:01:02] Speaker A: No, no, no, you're poison. You're poison. [01:01:04] Speaker B: You're poison. So the mini, the mini dump is basically saying, hey, here's what was wrong and it basically crashes the system. But this isn't like a full system crash. It doesn't stop the whole system from working, it just stops that thing from working that was running it. If that is process Explorer, then it crashes process Explorer. Guess what we use process Explorer to. [01:01:28] Speaker A: Do to check for malicious stuff, right? [01:01:30] Speaker B: Well we do, we can absolutely, and we do use it in that way. But even if you just wanted to see what process. Maybe I've got, you know, a runaway program over here. Like, you ever have chrome going crazy? [01:01:40] Speaker A: Yes. [01:01:41] Speaker B: And you're like, man, well, how much ram is this thing using? So you open a process explorer. [01:01:44] Speaker A: Oh, yeah, yeah, yeah, okay. [01:01:46] Speaker B: And you see, oh, there's chrome and, oh, wow. Yeah, it's using like ten meg or ten gigs of RAm. What the heck is going on here? That's just, I just started it. [01:01:54] Speaker A: Hit the restart button. [01:01:54] Speaker B: Yeah, I gotta kill that process or I've got a hung up process. I can open up task manager and jump into process Explorer. Process explorer. I think specifically is a part of the, like the tools. What are the tools? I'm forgetting the name off the top of my head, but it's a suite of tools that they now bake in. They used to be the p's tools. That's okay. I think process Explorer is part of that. It may be baked into windows now as I've, like I said, linux sky. Other than that, if you can't start process Explorer to see it at all, then it hides. And that's what they did. So they figured out how to do that using that. Obviously this kind of has to have stars the line kind of thing. The developer did not. They used their own check. They didn't go with the default on this. But he has of course a demonstration of seeing how this works, which we do love. Thank you so much. Or for these demos. And you can see he's got this process exe, right, fires us off. Yeah, this sysinternals, that's what I was trying to think of. You can see here running this program, ntrun exe going for that file name, which is way too long. And as you can see, uh oh, process explorer stopped trying to restart it and it's not restarting. So now you cannot do the analysis on any file because you can't get process Explorer to start. Right. So it's enough for it to hide. Now whether or not that's going to continue to be like whether a restart would bring this back or whatever, maybe that might be an indicator of compromise, so on and so forth. It's still really interesting that they were able to get that far to just keep process explorer from starting at all. [01:03:36] Speaker A: Yeah. [01:03:37] Speaker B: So really cool. Yeah. [01:03:40] Speaker A: Now after going into this and showing, you know, how he made this 255 character long, you know, file name or process name. [01:03:46] Speaker B: Yeah. [01:03:46] Speaker A: And then it goes over the 256 limit after the, that string gets added and creates kind of a denial of service in that way. He shows that, he demonstrates that. But then he does go into the vulnerabilities that he talked about, the elevation of privileges or escalation of privileges vulnerability as well as. There was another one, I believe it was an RCE. [01:04:04] Speaker B: Rce. That's where it gets real fun. Right? [01:04:06] Speaker A: Scary stuff. [01:04:07] Speaker B: Remote code execution or remote came in. So basically he realized that if you make a sim link to something that doesn't exist, Windows will create it using this technique. If you say, hey, I want a symlink to calc, it should be in the scheduled tasks folder or the startup folder, you start to see where we're going with this creating persistence, it all comes linchpins around the idea of creating an archive. This is abusing the archive capabilities that Windows has recently baked into the Windows operating system, or Microsoft has recently baked in to the Windows operating system, leveraging the fact that if I create a specific type of archive, it has a symlink inside of it to a specific thing, which I am hiding with the magic dots. It'll go, hey, that's supposed to be there. It's not there. Don't worry about that. I got a copy right here. But Tao. And it drops it in the folder again. Another demo. Let's kind of watch this because it is a lot of fun. So you got this demo, right? Here's our dot, dot dot folder, right? Magic dots happening all day long. And he's going to delete that. Okay, deleting. Interesting. Oh, and did I hit the wrong one? [01:05:32] Speaker A: This is, well, this is. He's talking about the elevation of privileges. [01:05:36] Speaker B: So that was eop. Right? [01:05:38] Speaker A: And that's the first one he talks about. [01:05:39] Speaker B: Yeah. Where's the one where he actually creates the. Because that's what, here it is. [01:05:45] Speaker A: Right? [01:05:45] Speaker B: Vulnerability. This is the one I thought we were looking at. Bada bang. So he's going to run tree f. He sees that we have this a tasks and it says it's innocent. Right. In test B dot text. Innocent. And now it's going to write, oh, this is one is to the shadow copy. I forgot about. There's so much information layers about this, how many things he was able to do. I'm absolutely skipping over things because I get the one I think is most interesting. So they're writing stuff to the shadow copy. And then if you restore that shadow copy, it has things that are not supposed to be in that shadow copy. In the shadow copy, you are now restoring malicious information to your system that you shouldn't be restoring. So there was that one. Here's the RCE. Those is the one I'm talking about. Those were read and write capabilities. It's going to create the symlinks. This is the one I was trying to get to right here. Absolutely. So we got the archive, dot tar dot gz extracts, all going to get it extracted. And now we can see Calc Exe is in startup. He's going to restart the computer once he does signs out. And you got some. Yep. Restart the pc, sign back in, hit sign in. And once he signs in, the first thing that happens is the calculator pops. Oh, common proof of concept that what you're doing is work he wrote that using symlinks that were inside an archive. Calc did not exist at the target, so windows created it there. [01:07:17] Speaker A: Oh. [01:07:18] Speaker B: Based off of it should have been there. So. Because that's what the archive said was there. That's what that symlink said was there, and he just supplied it to it in the archive using the magic dots to hide it. [01:07:30] Speaker A: Interesting. [01:07:31] Speaker B: You start to see the problem that. [01:07:32] Speaker A: Is kind of scary. So that's the RCE. And I know you also had shown the elevation privileges write vulnerability. [01:07:38] Speaker B: Yeah. [01:07:38] Speaker A: That first one was a deletion vulnerability. So, yeah. [01:07:40] Speaker B: One was delete files. [01:07:40] Speaker A: One was without delete files. Yeah, delete, write, and now this RCE vulnerability. So really just all the food groups are represented here and these examples that this guy's giving. So beyond this, beyond these vulnerabilities, he does talk a little bit about vendor response because he did report all these issues to the Microsoft security response center. And they acknowledged the issues. They took some actions on these issues. I don't know if it, if it was like entirely. Oh, yeah, we fixed everything and we're all good because this has been a known issue for a while, the magic dot. [01:08:07] Speaker B: So they fixed the, the vulnerable, like. So he got cve's for each. [01:08:11] Speaker A: Right. [01:08:11] Speaker B: One of these problems that he found using magic dots, the magic dot vulnerability is still there. [01:08:17] Speaker A: Right. [01:08:18] Speaker B: All they did was keep it from doing these three things. [01:08:21] Speaker A: Oh, okay. [01:08:22] Speaker B: Right. So if you find there's potentially, there are multiple ways in which you could do all three of those things or even more things, ultimately, those are the kind of things you want to do. You want to be able to read files, write files and execute files. [01:08:34] Speaker A: Oh, you know what? They, they confirmed and fixed the RCE issue, the elevation privilege write issue, and the process explorer issue, but not the deletion issue. That's still. [01:08:43] Speaker B: Wow, that's still hanging out. [01:08:45] Speaker A: They'll continue or they'll consider a fix in the future, but right now they're not doing anything about it. [01:08:49] Speaker B: Yeah. And ultimately, like, you have to have access to the system, obviously. Right. But if I sent you maybe some of these things via the archive, you downloaded some sort of attachment. [01:09:00] Speaker A: Sure. [01:09:01] Speaker B: And you ran it and you don't see anything wrong there and it can't, literally, can't detect whether it's there or not. This could be a definite way to drop malware on a system. [01:09:11] Speaker A: Looks like just a harmless kind of little quirky thing. Oh, this has been an issue for a while, but it's not really that big of a deal. And this shows how, you know, if you try hard enough, if you really believe in yourself, anything, you too, you too can cause problems for everybody everywhere. So thanks to this guy for. For going through. I did. I found him on LinkedIn, so maybe I'll connect with him. [01:09:29] Speaker B: Yeah, absolutely. I will. [01:09:31] Speaker A: Definitely. In depth analysis of all of these issues and good on him for, you know, reporting it and doing his due diligence. [01:09:36] Speaker B: Very cool. [01:09:37] Speaker A: Maybe there will be a fix for that other one. [01:09:38] Speaker B: I'm not a windows guy, but this was like a super cool. Someone's just looking at how the system works and going, well, I know what it does now. What can I make it do? [01:09:48] Speaker A: Yeah. It truly was a magic show. [01:09:50] Speaker B: Absolutely. [01:09:50] Speaker A: And I do enjoy the visuals. If you want to take another look at those demos that Daniel kind of showed them up on his screen and talked us through them. But if you want to take a look at those a little bit more in depth, we're going to link all of the articles that we've covered today in the description so you can take a look at them a little more in depth for yourself. Just do a little light reading here this week. So that's totally up to you. But I think that's pretty much going to do it for our news this week. [01:10:09] Speaker B: That's all I got. [01:10:10] Speaker A: I didn't see anything that was super pressing, that was breaking. Kind of like last week where we had that. There's. I haven't seen an update on the geospatial intelligence thing we talked about last week. So to my knowledge, nothing on that yet. [01:10:20] Speaker B: Old news now. [01:10:21] Speaker A: Well, now it is. I was hoping there'd be an update, but I couldn't find one. So maybe next week there will be something on that, but that's pretty much gonna do it for this episode. I encourage you to subscribe if you haven't already, leave a comment. Let us know what you liked, what you didn't like, what you want to see in the future. And if you're listening on Spotify, Apple Podcasts, wherever you may be, we do thank you for tuning in and encourage you to check out the channel for some of the visuals that we're able to show. Yeah, we've got a lovely little all things cyber webinar coming up next week with Jerry Osier. Oh, Jerry's coming on Doctor Gerald. Simply, sorry, Doctor Ozer. [01:10:49] Speaker B: That's his name, but he doesn't go by doctor. [01:10:51] Speaker A: I know, but I want to teach in a GRC. I will respect that. That is his title. But yes, he's Jerry yeah, he's Jerry. [01:10:57] Speaker B: Old Jer bear. [01:10:58] Speaker A: Cool. Jerry. I'm not going to call him that. [01:11:00] Speaker B: But sure, you absolutely should. [01:11:01] Speaker A: You guys are friends. You could do that. [01:11:03] Speaker B: I'm going to tell him you call him that. [01:11:04] Speaker A: Awesome. Thank you so much. That is the last thing I need. [01:11:08] Speaker B: Jer Barrel. [01:11:10] Speaker A: Great. Our good friend Jerry is going to be on the show next week. That'll be here on the YouTube channel as well. So we encourage you to check that out. But I think that's pretty much going to do it. So thank you, Daniel, for walking us through that deep dive. I do enjoy those. Thanks for joining us for another episode of Technato. Hope you enjoyed, and we'll see you next week. Thanks for watching. If you enjoyed today's show, consider subscribing so you'll never miss a new episode.