Cybersecurity: Amplified And Intensified

Escalate, Exfiltrate & Encrypt - Round 8

September 17, 2021 Shiva Maharaj/Eric Taylor
Eric Taylor:

Oh god that is a dark humor one. Yes sir it is. Yes sir it is.

Shiva Maharaj:

Good morning. Welcome to another episode of Cybersecurity Amplified and Intensified with your host Eric Taylor and myself, Shiva Maharaj. What's up, dude? We got a lot of things to cut through in 30 minutes or less?

Eric Taylor:

Yeah, it's gonna be a hard one to do, to be honest with you, and helpful. My notifications are going off all over the place while I'm talking; let me shut all that off,

Shiva Maharaj:

but that's okay. Ransomware is back, Bitcoin's gonna go up? And let's kick it off with the Grief ransomware group, who is advising their victims not to hire professionals. And I would assume that means don't go to the authorities as well.

Eric Taylor:

That's correct. That's correct. So, you know, they will say they will, quote unquote, "burn your data." So essentially, what they're trying to say is they're going to delete any of your decryptors that you may have. There's no way you'll be able to recover your files if you actually get encrypted by the Grief Corp ransomware group. But here's one thing that people need to really, really pay attention to. So there is something called OFAC,

Shiva Maharaj:

or, as I call it, the "OFAC list," because if you get on there: oh fuck.

Eric Taylor:

Oh fuck, that's right. So, Grief has been touted to be part of Evil Corp's many brands, and Evil Corp is subject to the OFAC list and their sanctions. So here's where the rub really comes in. If you get hit by REvil, you pay on... REvil, sorry, if you get hit by Grief and you pay, you are subject to IRS backlash. When you start filing all your taxes and everything, saying that you had to buy cryptocurrency, you had to send it off, this is going to be a major problem for people. But

Shiva Maharaj:

that's the point of them telling their victims not to go to the authorities and not to go to people like you who handle the incident response. Aside from the fact that you guys get, what I would consider, a significant discount on the ransom if that's the way you have to go. But more so it's their attempt to subvert the OFAC list. And now what I think Treasury probably needs to do, and it's hard, it's not an easy fix, is really work on updating that list as quickly as they can. So as soon as these guys start popping up, drop them onto the OFAC list. Now, I don't know what the criteria is to get them on there.

Eric Taylor:

So either you blanket-name a company, like they've done with Evil Corp, or they start blacklisting cryptocurrency wallets. But most of the

Shiva Maharaj:

cryptocurrency's ephemeral, in the sense where: kill one, start a new wallet. Retire Evil Corp, come out as Grief group. If Grief gets put on the OFAC list, come out as Grief part two. Well, there's a degree of catching up there, right?

Eric Taylor:

That's a little bit more complicated than that. So most of the ransomware groups will create a separate wallet per victim. So if you got popped, that wallet is assigned to your, quote unquote, case, your ransomware infection. Now whether they're spinning up, you know, different wallets in Exodus or whatever private wallets they have, or they're using a tumbler like we've seen with some of the ransomware groups, each wallet is designed to that client. So they're able to easily determine who's paid, who hasn't paid, and be able to discern that, because some of the ransomware groups do have a, quote unquote, automatic payment system. So once you make a payment and their system detects that that currency has gone through, your decrypter is automatically posted on the negotiation page.

Shiva Maharaj:

That's nice of them.

Eric Taylor:

Yeah, a little streamlined, if you will, a little automation for the IT world, but that's kind of the way that they work. So

Shiva Maharaj:

So what's your unsolicited advice? Yeah, because I'm putting you on the spot. So say whatever disclaimers you need: if someone gets hit by ransomware, should they still come to you? Or someone like you? Yeah, absolutely.

Eric Taylor:

Because you don't know what you don't know. Right? So, you know, is it Maria? Is it Grief? Is it REvil? Is it DarkSide, or Evil

Shiva Maharaj:

is a thing of the past, though. They just released, well, Bitdefender just worked out a master decrypter.

Eric Taylor:

Good segue there. So this is the one that I wanted to create a short about earlier today. But, you know, people really need to be really, really, really careful. So, you know, Bitdefender has now released, I think, three versions of this thing. There was one earlier this year, there was one tied to Kaseya, and now we have this one, but these are all from before, when they supposedly took their servers down. And to note, REvil is back up and running as of today. They are getting new victims, they're popping your servers, they're deploying their ransomware. So we have seen in the past, you run a decrypter on a set of encrypted files and it doesn't work, naturally, but it will totally fuck your encryption. And there's no recovering at all.

Shiva Maharaj:

I was flipping through the back... I'm sorry, the documentation of that Bitdefender decrypter. Apparently there is an option to back up the files before you attempt decryption. Does that work? And is that a lesson learned by Bitdefender and all the guys who make these decrypters, of what would happen if you use a bad decrypter?

Eric Taylor:

Well, so I'll just give a little nugget out: never test this thing out on a live production system.

Shiva Maharaj:

Why not? The best testers production should go last? Please do it every day.

Eric Taylor:

Yeah, I'm gonna be here in a minute have a search on my CPU while we're doing a live stream. But

Shiva Maharaj:

there it goes, Eric.

Eric Taylor:

What does this do? Um, but yeah, I don't know, it's just best practice, you know, sanitation, right. So making sure that you run these things on a hybrid network, or not a hybrid network, but a sandbox system. Make sure the file decrypter is working. You know, if it's a VM, spin up a clone of it and see if it'll run, so that way you're not killing your main box. It really... you need to hire a proper incident response firm that will go through these steps of best practices to make sure you don't fuck yourself.

Shiva Maharaj:

But why? So I'm going to throw something out there that I'm sure you've come across in your years: you and I, our clients don't care to test things if it means they can get back up and running sooner. What do you have to say to those clients to get them to understand the risk involved in not testing the decrypter on a test system before going live with it?

Eric Taylor:

I mean, let's just... let's be like, it's the same as, you know, you withdraw all your money out of a bank, I rip every bill that you got into three pieces, and I take that middle piece and walk away with it. That's essentially what you're doing. You're taking a chance of losing everything by running a decrypter that does not work but is going to try to decrypt it. You know, even if there is a, quote unquote, backup mechanism that's built into it, now you have a decrypter that's copying data over that may or may not copy correctly. And I mean, I'm not trying to bash Bitdefender. They're a really good company. They know most... I mean, they know their shit, right? So, but

Shiva Maharaj:

what, aren't they working with less than desired intel? You know, they don't exactly know how they're getting some of these decrypter keys, and I'm assuming it's being leaked by someone in REvil. I don't think Bitdefender has been able to reverse engineer the encryption schema. Probably not,

Eric Taylor:

you know, they may. Now, because I posted up notes the other day on Twitter that LockBit 2.0 is their website, and then you have the decrypter, that's 2.1. So this may be where REvil has a brand new set of master keys now that they have launched again, and they're just like, whatever, for the old guys.

Shiva Maharaj:

I really think REvil, for whatever reason, took a hiatus, whether it was induced by government agencies, what have you. And the one thing these ransomware guys do that you and I keep talking about is they adapt and overcome. So give out the old stuff. If REvil really believes their systems were compromised, especially with the disappearance of their rep Unknown, then chalk it up as a loss. Whoever got encrypted, send out the decrypter key, and they're just going to go back in, because chances are they still have persistence into the systems that are going to utilize these decrypter keys. That's not going anywhere. And I doubt most companies are getting rid of the persistence post-incident unless they have real talent in there helping them, like you, or someone of your caliber.

Eric Taylor:

You know, a lot of times we still see companies that will still use the existing, you know, IT person, the MSP that got them into this problem to begin with. You know, it's like, oh, well, they're a good guy. I'm like, yeah, but you're a good guy, aren't you? Yeah, but

Shiva Maharaj:

you know what? I don't blame technology for any of these incidents. I blame a lack of process, I'll blame a lack of budget, and I basically blame people, because these are self-induced errors, unless it's a zero day. If it's a zero day, then I don't want to say it's no one's fault, but it's less likely to be your direct

Unknown:

fault. Exactly.

Shiva Maharaj:

And take a look at what... what is it, TTC? They got popped recently. And they have been a cesspool of poor IT hygiene for a very long time. It's amazing that it took this long for it to happen, but based on information floating around out there, it's pretty bad.

Eric Taylor:

Yeah, yeah. I mean, they've got so many clients that are in Europe and South America that are going to be down for weeks, if not,

Shiva Maharaj:

dude, forget that. Bank of America is one of their clients. Yep. Isn't Bank of America the largest bank by personnel or office locations in the US? Or some version of that? Yeah,

Eric Taylor:

I mean, if they're not the largest, they are definitely one of the largest, right? So

Shiva Maharaj:

I think they're top two in terms of size. But, you know, I'm not... but it is what it is. But my point is, most of these breaches happen because no one's patching quickly enough, and they're overlooking the basics that need to be done to secure things. And people,

Eric Taylor:

I think the biggest thing that people are not doing is looking at their logs. Now, I can't tell you how many times I get

Shiva Maharaj:

RocketCyber.

Eric Taylor:

We're gonna go down that dumpster fire today. This is not gonna end

Shiva Maharaj:

at 30 minutes. This is not me recommending... this is not me recommending RocketCyber. I do not recommend RocketCyber, I do not use RocketCyber, other than if I'm trying to make a sarcastic point.

Eric Taylor:

This is true. But yeah, I mean, people need to really start looking at their logs and stuff like that. I mean, most ransomware attacks, except for the new Microsoft Word garbage that's going on with embedded HTML inside of there, these are through RDP attacks, or through, you know, all these other attacks that could easily be detected when you're getting brute-forced.

Shiva Maharaj:

So speaking of the Microsoft Office attack vector, how are you mitigating that? Or how are you protecting or warning against something like that? Especially with the patches that were released for it on Tuesday, and they still don't work?

Eric Taylor:

Yeah. If it's anything like PrintNightmare, it's probably the gift that keeps on giving. Yeah, there was a new CVE that was reserved earlier this week, and it was like, you know, there is more and more of the PrintNightmare madness that's going on. So you really got to... we talked about this before, but you got to talk to the security vendors that you're using, like CrowdStrike or whoever it is, and make sure that you're building out IOCs for these injectors.

Shiva Maharaj:

That's technical. You and I know to do that. Hopefully, end customers and clients who listen to this podcast will understand you need to have a strong technical bench behind you. But how do you convey that to the business owner, so they understand what's at stake here?

Eric Taylor:

That's a hard one. Because a lot of people will be like, well, we have a firewall, you know, everything is stopped with the firewall,

Shiva Maharaj:

not if you stopped patching it in 2018. But still,

Eric Taylor:

they think the firewall will stop everything that's there. I hear more and more that people think that that's their saving grace, a firewall.

Shiva Maharaj:

You know, firewalls are great, but they're not the end-all be-all. I think you and I would agree on that. You know,

Eric Taylor:

if they get past a firewall, don't worry, we got Webroot as our AV. So we're good.

Shiva Maharaj:

Person vinegar day. I like it. You started with RocketCyber.

Unknown:

Yes, I

Shiva Maharaj:

did. I guess I did. Okay, let's talk zero day here. The Microsoft Azure cloud zero day that allows administrative access to thousands upon thousands of accounts has seemingly been closed. This is the third in two months, I think it is, unless I'm mistaken here.

Eric Taylor:

Yeah, it's quite a number. There's been a lot of data leaks that have been going on from, you know, Azure, and from everything that I'm reading, these are a lot of, you know... even this one is, you know, it was research from a root execution of theirs. I haven't dug into this one a whole lot. But on the surface it definitely looked like more and more misconfigurations, you know, not properly putting in a configuration the way you're supposed to. So when I say that, I say it a little loosely. It's like, alright, let's just say a control set has five things you got to do to fully lock it down. You know, like when you're going to bed, you're going to make sure your front door is locked, your back door's locked, your garage door is... April's a little new that... Yeah, maybe your alarm system is set. But most of the time your alarm system doesn't monitor your garage door. So they may... to see your gear. Well, maybe not for you. But for MSS... Yeah, I'm more likely to ask events that on Monday. There you go. For those who don't know, we're going to be talking to dark you begin on our next episode, so make sure you subscribe. Good plug for that. Um, but yeah, I mean, they don't go through all the controls and make sure that 100% it's locked down. So

Shiva Maharaj:

I have a question for you. With all of the RCEs that have been released within the last six months, or year to date, how many of these are being seeded to us by government agencies for fear of bad actors using what they've probably been using for years?

Eric Taylor:

I don't know. I mean, you made the comment a minute ago, we still see people who have Fortinet firewalls, or FortiGate firewalls, from three years ago being actively exploited. It does... I mean, while it's a good concept, it's like, okay, we, you know, the NSA, CIA, whatever, are leaking these things out to help secure, and

Shiva Maharaj:

let's not limit it to our intelligence agencies. You've got them around the world, right. And it's not just us, but I think there comes a time where the threats are so quickly realized that these agencies have no choice but to inform the vendors: hey, hey, this is how people get in. And how they inform them, I have no idea, but you got to plug them, because if it can be used by you, it can be used by anyone else. Look at... I remember Juniper Networks. Yep. They put in the backdoor for, I think it was, the NSA, and foreign intelligence breached it, reconstructed the keys, and for three years federal agencies were laid bare. Yep. So, I mean, what are we going to do here?

Eric Taylor:

I mean, you just got to be diligent. That's really all there is to it. You know, and if you can't, talk to one of us, or somebody you can actually trust,

Shiva Maharaj:

okay, I'm happy you brought that up. How do business owners, or people who own the risk of IT in a company, vet their IT providers to make sure they have the talent to do what's needed, or the process, procedure, whatever you want to call it, although the girl in your eye,

Eric Taylor:

ask questions. And then when you're asking questions, ask them to prove it to you. And I know a little bit of, you know, what was just going on behind the scenes. But, you know, when the Microsoft Word exploit was coming out, I was spinning up variants of this, running it against Bitdefender, running it against Sophos and Blackpoint Cyber and CrowdStrike, and doing different variations of all these things and recording this. Yeah, I'm still debating if I'm gonna put that up on YouTube or not. But do it, do it. But, you know, these are the kinds of things that you got to do: you ask them to prove what they are doing. If nothing else, have them spin up a VM, drop a payload in there with your protections in place, the ones that you're providing, or that your technology provider is giving you, and have them show you that it is actively protecting and sending off alerts. If nothing else, they should be able to easily do that stuff.

Shiva Maharaj:

And most can't. One of the things I noticed, what I learned from you specifically, since you've been doing this: if you are mixing vendors, there will be a blame game and a finger-pointing exercise where every vendor who missed it will say, well, another vendor picked it up, so we were unable to see it. I'm not gonna name names here. Yeah,

Eric Taylor:

I thought we weren't gonna go... okay.

Shiva Maharaj:

Sorry. That's where I draw the line, I'm not gonna name names. But when you're telling me you've got the goods, but another agent on the computer stopped it, so you can't even see it? That doesn't make sense to me. Hmm. And that makes it less actionable.

Eric Taylor:

Yeah, there's a whole thing that I really, really, really wish we could go down, that whole treasure trove of information. But yeah, in a nutshell, there is an EDR platform that's out there that, if your tenant is not configured for... I guess you configure a tenant for a specific AV package that you're deploying. And if your tenant is configured for a different one, like we were using for testing, and it catches it, that EDR solution that the vendor's providing as a bolt-on will not detect it. And they're just like, oh, we're a little dark over here. And I'm like, really?

Shiva Maharaj:

I don't think that's true. I just think they missed it. I don't think they were looking for it. Yeah, because an EDR is an EDR, right? You're gonna pick up on what is there. We have a colleague who came over to our preferred EDR solution of CrowdStrike this week, and this person came over because there was an incident, well, a benign incident, or there was an alert that popped up and Bitdefender never saw it. And the reason Bitdefender never saw it is because it is not a canned alert. So their EDR was worthless to go back into to investigate. And we told this colleague of ours, you know, with CrowdStrike you're searching raw data. So you don't need to trigger an alert for it to be there and be searchable.

Eric Taylor:

That's great. A lot of EDRs are that way. So unless there's a trigger... a trigger bubble, that's a hard word... an alert that was triggered, let's try it that way, there's nothing to parse data off of. And we see that with a lot of EDRs. Here,

Shiva Maharaj:

here's where I'm going to turn into an asshole. What's the point of an EDR if it's not a defined alert and you can't go back in to search for it? That's not an EDR. Well, I

Eric Taylor:

think that's part of the D of EDR, of detection. Okay, but

Shiva Maharaj:

correct me if I'm wrong here, but to me, an EDR is a platform that is continuously monitoring the logs and capturing logs and events and happenings on a system, so that if something does happen, you can go back in to search those logs and events to create a detection, or at least gain intelligence into what happened.

Eric Taylor:

Correct. So there's two mindsets, right. And this is kind of why we are with CrowdStrike and some of the other part, and

Shiva Maharaj:

my mindset is always right, sometimes,

Eric Taylor:

it's sometimes, if not all the time. But EDR, you know, there's really two things. So if there's nothing detected, there's nothing to report on, there's nothing to search on. Which is true. But to your point, and this is kind of why we changed from where we were: if there is a new threat, if there's something that's not detected but we need to find out if it was... so like, all these new IOCs that we're talking about that are being dropped, and we're pulling them from threat feeds and things of that nature. Bitdefender may not detect it right away. But if it's been going on for the past 30 days, with at least CrowdStrike, we can go back in and say, okay, we need to build up algorithms and everything like that. Let

Shiva Maharaj:

me ask you a question here. Asshole coming in hot, strukton? How the hell are you building an IOC with Bitdefender if you can't search for the goddamn event when a firewall flagged it? You can't. So

Eric Taylor:

it detects that there's nothing to search.

Shiva Maharaj:

That's my point. So can we, at least for our little world here in this podcast, define an EDR as something that gives me visibility into logs going back a certain amount of time? Okay, and up for now. Or if nothing else, maybe

Eric Taylor:

you can at least have, you know, a SIEM that's tied to your workstation. There's got to be some way to... what, there's

Shiva Maharaj:

no artifacts. There's no artifact to track. So if you're using that Bitdefender EDR and relying on having that artifact, you're going to miss out on it unless you set your SIEM agent to pull all the logs to search.

Eric Taylor:

Yeah. If you're going to use Bitdefender, if you're going to use, you know, one of these others, the ones or whatever, you're going to have to have a third application that's pulling workstation, server, all these other logs to aggregate, and start going back and be able to find those IOCs,

Shiva Maharaj:

because... so we're increasing... so we're gonna increase the threat surface area because of the inadequacies of other products. Fantastic. Okay. I like it. That's fantastic.

Eric Taylor:

Let's do this. Onward and upward.

Shiva Maharaj:

If you're using the right EDR, or what I would call an actionable EDR. That one goes out to you, Brian. What's next on the hot topics debate today? Because I can sit here and shit on Bitdefender all day for that particular incident.

Eric Taylor:

Yeah, now that one had you riled up for a while there. That was a good 36 hours at least. Dude. I know, I'd fail to argue. I totally agree, 1,000%. Agree. I guess the last one, just to try to be respectful of time, he goes to the ER, trying to get us into 30 minutes. But, you know, there's been numerous... I think even as of today, or yesterday, or whatever, there was another Exchange exploit that was put out, and Microsoft just kind of threw up their hands, like, yeah, what, you know, whatever, move to the cloud. But, you know, there are certain industries that will never move to the cloud fully. You know, not every client's gonna go Azure, pure Azure AD, or anything like that. But, you know, I did see this come out earlier this month, where people, I guess, have come to Microsoft, like, hey, how do we clean up our AD if it's no longer being used? I'm

Unknown:

like, do people not do this? This ticks me off? Yeah. So

Shiva Maharaj:

go ahead, and now open up my kennestone. Polls will pass.

Eric Taylor:

Yeah, this is really... I would have thought, at least from my world, and I guess maybe it's just because we're canned in our own little environment. But you would be thinking, if you're deprecating certain roles and functions inside of your domain, that you would remove everything that's not applicable, reducing your attack surface or your threat landscape, or whatever the case is,

Shiva Maharaj:

you're going to have. But Eric, we upgraded to Office 365. Why do we need to do this?

Eric Taylor:

Because what you potentially leave is still a backdoor. You don't know how many times I still got, you know, ECP logins available for an old deprecated Exchange server.

Shiva Maharaj:

But there's nothing wrong with leaving the Exchange admin there and available for everyone to use.

Eric Taylor:

Yeah, because it doesn't tie into your domain controller at all. Not

Shiva Maharaj:

at all. And it doesn't leave Kerberos tickets around like no other. So yeah, we'll

Unknown:

put the

Eric Taylor:

link to this in the sources of the podcast. There's definitely a PowerShell script on GitHub that Microsoft put out for you to go through and clean up your frickin' Active Directory. Please, for the love of people, start going through and cleaning up your environment crap. I can't tell you how many times pentesters like me go through and are finding old legacy stuff that was just left around because you forgot to sanitize your shit,

Shiva Maharaj:

I see a proliferation of pentesting coming out just to mitigate the stupidity of deprecating on-prem systems and moving to the cloud.

Eric Taylor:

Not only that, but insurance companies are starting to really, really require more and more pen testing to be done.

Shiva Maharaj:

Yeah. But I can look at a sheet of paper and call it a pen test. And they'll say, okay, this is... you're not really, but you get one call with us. So, exactly.

Eric Taylor:

So you said you had some comments on this whole AD issue. What are your comments?

Shiva Maharaj:

I just think it's kind of stupid that people are moving on-prem assets and resources into a cloud-based system and not deprecating the old logins. The fact that people are doing that makes them a trunk slammer. It doesn't make them an IT professional, in my book. But I started this thing... well, I didn't start this thing, I'm not Al Gore. I started in the IT world where you actually needed to know what you were doing, as opposed to being able to Google it, go on Reddit or a Slack group to figure it out. So maybe that's why I kind of believe in process and procedure. But hey, what do I know?

Eric Taylor:

Yeah, we've made the comment before, I'm not sure if it was on a podcast or just in our own private conversations, where, you know, the whole MSSP is crowdsourced technology or troubleshooting. And I like that, because the amount of Reddit groups and Facebook groups and all this other stuff, and I'm just like, holy crap, you know,

Shiva Maharaj:

that's... that's why they always talk about the MSP community. It's crowdsourced support.

Eric Taylor:

Yeah.

Shiva Maharaj:

You know, there's no barrier to entry. Not... there's no barrier to entry in any part of IT, other than programming, I guess. But it is what it is. Like, you know, I'm done. Not even done, I never started. I'm not into raising the tide. I am into me and the people I surround myself with being better and doing better. Yeah,

Eric Taylor:

it's really interesting. So

Shiva Maharaj:

with that, I am done for the day. Hey,

Eric Taylor:

we're gonna maybe do the 30-minute... Mitch Bark is awesome. Alright, ladies and gentlemen, thanks so much for tuning in for yet another episode of Amplified and Intensified, the weekly podcast where we talk about some of the security threats. If you found this valuable and want to share, please, please, please do that. Find us on amplifiedandintensified.com. If you have any questions, comments, or anything else you want to talk to us about, send us an email at info@amplifiedandintensified.com. And check us out on YouTube at youtube.barricadecyber.com, and until next time, take care.