Cybersecurity: Amplified And Intensified

Escalate, Exfiltrate & Encrypt - Round 6

September 10, 2021 Shiva Maharaj/Eric Taylor
Shiva Maharaj:

Good morning, ladies and gentlemen. Welcome to another episode of Cybersecurity: Amplified and Intensified with your host, Eric Taylor, and myself, Shiva Maharaj. Today is going to be a super quick one, because Eric over here has some Chick-fil-A on the way, and I cannot keep him back. That stuff is better when it is warm. With that, Eric, what's the first one on here?

Eric Taylor:

What's going on, bud? So we definitely want to talk about a hacker who released right around 180,000 credentials for SSL VPN to the dark world a couple of days ago, through one of the growth sites. It is really, really interesting to see this. You know, at first we were going through, we as you know, me internally, and, you know, a bunch of cybersecurity folks, and we started digging into this. The traversal flaw for the FortiOS was from back in 2018. So we're like, at first it eluded us; I didn't notice that it was part of that CVE, where we were seeing this data dump, until only after about an hour. So I actually saw this, the fact that I can say with 100% certainty, there were usernames and passwords on this data list that I picked randomly that are still working right now. So I don't know when these things were actually scanned. But there's definitely a whole bunch of people who do not have updated firewalls by any means, because this is pretty, pretty old.

Shiva Maharaj:

So we're talking here about a three year old vulnerability that hasn't been mitigated by Fortinet, at least within the last three years. Oh, many times over. So we are talking about IT practitioners, internal IT and other providers who just did not update their firewalls. But here's the scary thing about SSL VPN, which is why I've been moving away from it. And you and I have been having conversations ad nauseam about this. How many people are still using SSL VPN, but they're not using any type of MFA, and real MFA, not that text based bullshit?

Eric Taylor:

Not a whole lot of people. Um, so I mean, we're a Fortinet partner. So we primarily use, I think I've said it before, but we use primarily a Fortinet, or a Palo Alto, just depending on the deal, or the application base that we're going to be putting out there.

Shiva Maharaj:

But what Eric is saying: small, Fortinet; big, Palo Alto.

Eric Taylor:

They even have a city botany behind them. Anyway. There's not many Fortinets, or there's not many firewalls out there, that will actually invoke a 2FA token like, you know, a TOTP code, I should say, for 2FA. I'm looking

Shiva Maharaj:

more for something like a Duo push. I hate those TOTP based things.

Eric Taylor:

For Fortinet to have that, you have to use a geo gateway. Same thing with Palo Alto. And I think, if I'm not mistaken, back in the days when I used Sophos, you probably remember more than I do. I'm a Rocky Horror. So

Shiva Maharaj:

Sophos, Cisco, shit's all built in? Yeah. Does it work flawlessly? No. Well, yes, it works flawlessly. But it takes a lot of effort to configure appropriately. So I guess my question to you is, how do people get in touch with you? So you can scan their Fortinet, update it and unfuck the situation they're in because their current IT provider fucked it up?

Eric Taylor:

Real easy, just barricadecyber.com. My calendar link is literally right there on the homepage, right there in that whole banner area. Make it really easy.

Shiva Maharaj:

And what are they looking at, time-wise? Let's say they book you at whatever time. How long would it take you, or a practitioner of your caliber, to mitigate this?

Eric Taylor:

Typically within the same day.

Shiva Maharaj:

Okay. And are we talking about cycling passwords? Because I'm assuming SSL VPN passwords are probably connected to LDAP for their Active Directory, and these are actual user passwords that can get into email and all kinds of other platforms, especially if there's no MFA involved.

Eric Taylor:

Yep. So for the tech savvy folks that will be either watching or listening to this, definitely go follow. Go to my LinkedIn page, there's an onion site. So, you know, I'm not going to publicly, you know, pump out the actual file, just for legal reasons. But if you want to go to the onion site on your own accord, and download it and unpack it and all this stuff. But what we've been recommending for the more tech savvy folks is to do a user dump out of your Active Directory, and leverage PowerShell to parse this text file and see if there's usernames that match up, you know. And the file is a freaking garbage mess. It will not export friendly.

Shiva Maharaj:

I read you're either 500,000 lines, or 500,000 users

Eric Taylor:

get spared, I don't know. I don't have the exact number, because we're still trying to clean up the whole mess ourselves. Oh god. And, you know, just for legal reasons, I won't show the text file, but, you know, have you ever opened up Notepad or Notepad++? And you see those NUL, NUL, NUL, NUL, NUL, those black NULs all over the place. This thing is littered with it. It's crazy.

Shiva Maharaj:

But is this a vulnerability that could have been mitigated, aside from being smart and updating your stuff, by having MFA in place?

Eric Taylor:

MFA would definitely help because they wouldn't ever be able to confirm a connection.

Shiva Maharaj:

Okay, yeah. This really goes into the recent zero day that I know we have on deck here. Getting access to a network or a device, with all the privilege escalation vectors out there now, is even more of a time where you have to protect the identity and the network. For, I know, for the last year, everyone's been saying protect the identity, protect the identity. Well, now you can escalate a standard user to an admin user, even if you're just doing Azure AD.

Eric Taylor:

Absolutely. So let's

Shiva Maharaj:

get into which RCE is this one that we're looking at here?

Eric Taylor:

This is around the Microsoft Word embedded ActiveX controls. So, for those who are watching on the YouTube feed, this is a really, really ugly video. But in essence, if you actually go out there and look, there is a Word document that's actually being called that's making an HTTP header call to a remote server that then enables my Microsoft Calculator to be executed. So by embedding HTML code, once again wrapped around ActiveX, it can be done to do whatever. So in a real world scenario, if I was hosting malicious content on a web server, I could change that to actually go to that web server and download a ransomware payload, Mimikatz, exploits, whatever, and be able to start infecting your network. You know, there's still the whole, this whole thing could be dominoed, really. And this is really what people need to understand: the amount of CVEs that are still out there. They're still hit and miss with the Print, Hive Print and Matrix, Print Hive exploit

Shiva Maharaj:

PrintNightmare and HiveNightmare, I think it is.

Eric Taylor:

Yep. Those exploits are still out there in the wild. So

Shiva Maharaj:

Well, I mean, we're seeing Fortinet 2018 CVEs being leveraged today. So it's not like everything's going to be patched within two months of announcement.

Eric Taylor:

Exactly. But this really needs to get a little bit more attention. People need to pay attention. Because it's not just, oh, we just got one exploit to worry about. You know, I mean, we're CrowdStrike partners, and they released something earlier today where they are putting up mitigation steps and monitoring for the CVE. But it's more monitoring, if I'm not mistaken, because even Microsoft doesn't have a mitigation for the full threat. Correct me if I'm mistaken here. So they have what's called a workaround. So essentially, and sorry if I just gave someone Tourette's by scrolling that thing too fast, for those on YouTube, but they want you to basically set up your three zones or your four zones to disable ActiveX controls. Now, the one thing, you know, I have a colleague of ours, Robert, down there in Florida, who was like, well, we got customers who actually need ActiveX. But it will tell you right here: new ActiveX controls will not be installed; previously installed ActiveX controls will continue to run. So as long as your systems have not been compromised with the new ActiveX control that's leveraging that exploit, then you should be okay.

Shiva Maharaj:

Is CrowdStrike picking up on the new installs with ActiveX being compromised? As of

Eric Taylor:

as of right now, supposedly, yes. Definitely got some more calls coming up with, you know, camera, who's been on our show several times.

Shiva Maharaj:

He'll be on this Monday.

Eric Taylor:

Yep, he will. And we'll have some more conversations. So there may be something that we have him back again next week to talk about these types of things. And it's not to, you know, say you've got to use CrowdStrike. But I'll show you how we believe you should

Shiva Maharaj:

or Eric or myself. Don't go to any other partner. We only endorse ourselves.

Eric Taylor:

But the thing that people need to understand, like, okay, we're using CrowdStrike as an example. And the reason why we went to CrowdStrike is because of this example. When you start seeing these CVEs coming out, you need to be having conversations with whoever your security adviser is, whatever your security platform is, whatever your EDR platform is, and say, hey, this CVE is out, what are you doing to help me to detect and/or mitigate these threats? And surely you've been on those email chains. I'm quick to email everybody at CrowdStrike, and they are awesome. Yeah, I never got that with Bitdefender by any means. And, you know, I know that they're, you know, overseas, they're not based in the US, but

Shiva Maharaj:

that's their role. That's not, I mean, listen, if you want to do business here, have local talent, have local techs here that can do something. Don't make me wait for Romanian time. Absolutely. So the data side, you know, this really goes back to having defense in depth and layering security, with all the CVEs and all the approaches that can get in, if I'm not mistaken here. What do you think are the top three things people should do right now? Aside from doing that basic baseline mitigation, what should they do to harden their systems to attempt to prevent unauthorized access?

Eric Taylor:

Least privilege. You know, we talked about that a couple of times, you know, making sure that people just don't have blind administrative rights to do whatever they need to do, by either, you know, leveraging GPOs or AutoElevate, or any of the other tools that are out there that can help mitigate that. Make sure you have proper MFA. And what is proper, on that, say,

Shiva Maharaj:

we're talking Tax Masters here, right? Yeah, yeah. And for those listening, I am joking.

Eric Taylor:

Exactly. Yeah, we strongly recommend Duo. But, you know, you do have Authy. Why only recommend Duo? Because of the push notification, right?

Shiva Maharaj:

So lazy. Give me the push, let me decide if I want to ignore it or not, not just blindly accept it.

Eric Taylor:

Push has a level of complexity that I like, you know, not only some phase,

Shiva Maharaj:

so, having something you have to do,

Eric Taylor:

exactly. You're not generating a code. So if something of mine gets popped, somebody guesses my username and password, at least I'm getting a notification, versus a TOTP code that has to be entered. And, we know, I've done it before with several partners where I can brute force that TOTP code for days before getting in.

Shiva Maharaj:

That goes to show a lot of vendors talk this zero trust game, but they're so far from it. You know, I'm sure you've enumerated certain things that would make me cry, knowing that my vendors have those in place. The last thing on the docket here today, before I let you go for that Chick-fil-A, because as soon as we're off here, I'm driving to go get some myself

Eric Taylor:

got to go. Oh, hell yeah.

Shiva Maharaj:

LockBit 2.0. A couple of weeks ago, in our very first Friday series, we mentioned LockBit and their TTPs, and the fact that they're looking for insider threats. And a lot of the news agencies, or cybersecurity news agencies, have said that LockBit 2.0 is finding great success with their new affiliate program. And I do want to highlight, or highlight again, that their affiliate program is going directly to insiders to gain access. And if this is true, how are you protecting your company against insider threats? And, you know, my typical question, Eric: what would you recommend, top three things, for them to defend against insider threats?

Eric Taylor:

You love to put me on the spot, top three things? What's your timeline? Not? So, I mean, we're just talking about LockBit. I mean, this really goes back to, you know, what I just said. You know, LockBit is known for using insider threats. So making sure people don't have the access that they're supposed to, you know, have the least permissions invoked on a user. You know, even the domain admins, they need to have their own separate user when they're going in as a domain admin, and we're not sharing credentials anymore. Now you have, suppose this should be two users?

Shiva Maharaj:

Do you think the average IT person or company is going to spend the extra money for that license? Whatever, it's only security at stake here. I mean, if we can use three year old software on firewalls, what's a shared credential? Oh, I see it. I see it, you see it.

Eric Taylor:

Alright, everybody. So if this doesn't get edited out, that's my little guy, Hunter. So

Shiva Maharaj:

anyway, he's the boss of this podcast, so

Eric Taylor:

right now, all, but anyway. But the other thing, the third thing I would recommend, is logging. Because most of these ransomware attacks have a lot of signatures, they have IOCs that are key indications of a ransomware. You know, you really need to make sure you're doing your logging and ingesting that and looking for those IOCs. That, you know, massive amounts of data being changed at one time is an indicator of compromise, you know, either somebody deleting a metric fuckton of files, or you're getting encrypted.

Shiva Maharaj:

The only thing I would add there, too, I mean, you're basically giving the same answer as before, because let's be honest, once you do the basics really well, you're in a better position. And the only thing I would add to that as a must is stay on top of your updates and your patching of your software. And please do not miss out on firmware upgrades. I know providers tell their clients, we don't upgrade your drivers because we don't want things to break. Well, that's how people get in. Don't be a sucker. Don't believe that it's better to break functionality than to break security. A lot of the breaking of functionality can be mitigated. You know, it depends on the functionality that you're talking about. But yeah, I mean, updating your firewall doesn't break a whole lot of functionality on your internal network. Shouldn't break any, right? I mean, worst case it breaks your VPN. You can't use that. I'm not crying for reducing a surface, that threat surface area. Nothing

Eric Taylor:

The only thing I've ever seen, even back in the Sophos days, when firmware was being updated on your firewall, was the DNS filtering would get all jacked up on one of the versions and make it seem that sometime

Shiva Maharaj:

but we're limited with how much Sophos we use these days.

Eric Taylor:

Exactly. So there's no reason to not batten down the hatches.

Shiva Maharaj:

Yeah, just patch it, so kids are

Eric Taylor:

if you can't proactively do it, call Shiv or myself. We'll be happy to talk to you about actually doing it for you.

Shiva Maharaj:

I charge. When I say I help, I charge. Capitalist. There we go. With that, I'm done, unless you have anything else you want to add.

Eric Taylor:

Nope, it certainly is getting cold. Alright, ladies and gentlemen, thanks again for tuning in for yet another episode of Amplified and Intensified. If you're watching this on YouTube, please give us a rating, share it with somebody. If you're listening to the audio version of this, please go to Apple Podcasts and give us a rating, let us know how we're doing, and if we suck, let us know too. Again, always check us out at Amplified and Intensified. If you have any questions, comments, concerns you wanna bring up, please email info@amplifiedandintensified.com, and until next time, take care.