Welcome to How They Got Hacked, episode 33. We're getting consistent now. Yes, consistency. Tom Lawrence, Xavier D. Johnson, more re-snatch. All right, and we got some stories we're gonna jump into. "Sophos AWS destroyed." Well, no, no, I'm sorry, that's what I wrote; that's not what actually happened, though. Let's break this down. We should record earlier, when we're more awake. This would be really interesting if that was the title of this story, right? Like, okay, let me think about this: Sophos, a UTM maker, got really angry with AWS and just decided, well, we're just gonna destroy them, like the entire AWS. Which is not at all what happened. No. Well, that'd be interesting to cover. This is almost as interesting to cover.

There's a guy back in the UK who was working for a digital agency. What's the name of this agency? I can't think of it right at this very second. Voova. Voova. Basically this guy got laid off for not doing a good job, 36 years old, and what he did was just insidious: he stole one of his colleague's credentials to their AWS, logged in and terminated, not turned off, terminated, which means that it actually deleted the data that was associated with it. 23 servers. 23 servers at a digital agency. That's a lot of information. Wow. Tons of information. Yeah, wow, this is bad. This is not something that should have happened, but it does. This is not the first time something like this happened either. So there's a story that we were just on before, and I couldn't find the link to it; it happened several years ago with a guy who left a bank. They let him know, I guess, that he was gonna get fired, but then didn't actually fire him for a couple days, so he took that opportunity to purge backups and purge data from the bank, cleaning up after himself, of course. Yeah. So this is one of those security hygiene things, you know, we're gonna throw that word out there again: when you get rid of one of these developers, for whatever reason, you should also at the same time
be going through all the other people, auditing them and saying, hey, who else has access, and, you know, whose passwords and credentials should we also change? Because he might have looked over her shoulder, shoulder surfed; they share credentials, and I know you can beat people over the head with "don't share credentials," but hey, maybe he had this in his plan. Maybe that was something he did all the time: he went and looked over and had a credential, had an API key that was produced for another dev team he was working with during his days there. So those are some of those pitfalls that can happen. And I mean, let's be honest, right, I'll be completely blunt here: I'm certified from AWS two times, I have two certifications, one of them is the specialty in security. You need to have 2FA enabled, and if you don't have 2FA enabled, you need to have a policy assigned to all of your users that says MFA present, bool equals true. You want to always make sure that any action that takes place happens in an MFA-enabled session. That's the number one, only way that you'd be able to get around this. I don't care if you shoulder surfed and got the latest and greatest password of the CEO; if you had 2FA enabled, if you had a 2FA policy, this would not have happened at all. And the CEO admits it. He comes out, his name is Mark Bond. Bond. Mr. Bond. Mr. Bond. That's a really interesting name. But yeah, he's the CEO of Voova, and he comes on and says, yeah, 2FA would have solved this. So even the CEO understands his security mishaps. So yeah, it happens a lot. So this is, it's unfortunate, and it happens a lot at these smaller places, and really destroys them.

And even for some of the small businesses, we do sanitization when we've had staff leave and things like that: we go around and change the passwords to everything instantly. Instantly. It's just part of the let-go process. What do you think they had access to? We do auditing ourselves, for anything, so we know what our staff has access to, and you hopefully have things like logging so you know what that person may have been into, because that'll give you an idea of what they could do. But you have to change the other adjacent ones working in that same team, or just think about what they had access to. Were they also working with other staff that do some job in accounting? Well, then maybe they have the accounting passwords too, because they hung out a lot there. Cover all the bases. 2FA all day, every day. And I know of a company, a friend of mine actually told me about this: their security contact for AWS was a person who had already left the company. Oh. So, you know, these types of things happen, especially in smaller environments. Luckily enough, from what I hear, the person who got the phone call, who had left the company, was nice enough to pass the information along. But maybe he was just a friend of... maybe he didn't have to, right? You have to always have the what-if perspective. So I felt like that was really interesting and wanted to share, right? It was a super easy hack: someone got credentials by some means and misused them. And of course these permissions were over-permissive, because no one at the company should be able to delete data at all, right? We should have to have some kind of administrative process that allows us to go and talk to the systems administrator to actually write a policy
that will allow you to delete or terminate instances. The worst thing you should be able to do is turn off an instance, right? So especially in those smaller environments where, you know, this digital agency may have only been running 23 servers, yeah, right, they may have had a multi-tenant environment where they had a multitude of customers on each server. So I find that to be disturbing, to say the least. Yeah, so that's definitely some of the takeaways from that one.

And I'm just clicking on that next story, as I get excited reading some of it. But the steel company, this poor company, man, they were a target. They got hit, and what is this called? LockerGoga. LockerGoga, bad pronouncing, sorry. End of the day, LockerGoga. So this is a really interesting malware that hit them, that crypto-lockered everything. Now, we're still getting the debrief on this, but it's making the news because this is not just some company; this is, if I'm not mistaken, the largest aluminum provider in the world. They're global, and at a US office, if I understand all this, it was opened at the US office but then spread across the network. That tells me there's a couple flaws in their network. Yeah, maybe their network's a little flatter and less siloed, right? And this is the way the security should be working: the US should be very locked down from the different markets, the different places they're in, from their home office, and each silo should not be able to infect the other. Well, this is really bad, because it went across every network. And there's actually, I love it, because I'll leave a link to the TechCrunch article, I don't know if you've seen this, but they put signs in the windows, because it affected things down to the manufacturing, and it said, hi, we are under cyber attack, don't use computers till next week. It's like stickers in windows: just don't use the computers, they're all offline. Everything's offline. I'll show you guys that picture; we will flip it, I'll flip it around and edit it in to show this. But it's on the TechCrunch article. Yeah, that's definitely great. That's so problematic, so problematic there.

But once again, this is one of those things that, if there's a debrief from this, and I hope I'm gonna get some real good details here, this means they were not stopping that lateral movement across the company. So someone in the US opens it up, you end up with lateral movement that spreads across all the sites. Now, those are the sites it went down to, because this picture is at one of the factories, one of the production places. For us, that means this went all the way across, which affects, what you're gonna have in that instance is the controllers. If you're not familiar with the way industrial control systems work, your SCADA controllers and things like that, they're going to be internet-enabled for monitoring. We don't know if these were affected, but they generally do their data logging across their network. This is how we keep checks on the steel production machines, how much steel was made and things like that. We deal with this in the automotive market, a lot of controllers. So when this gets shut down, this is why they can't just say, well, we'll just make it a manual process; there isn't one anymore. These machines have to have data logging, and the data is not there anymore, so we don't know what's going in or what's coming out of the steel production. Yeah, this is why you have to have all this so locked down. This is really, really bad. This is about as bad as it gets, especially when you think about the type of attack that happened, right? This wasn't something like a spray and pray; it seemed like it was something more methodical, right? Yeah, it seemed very targeted, because there's another link I found that I thought was really interesting: the ransomware they hit them with, they had uploaded it to VirusTotal, and it looks like it passed all the AV at that time. Of course there's a signature for it now, because it's
popular. But this is the problem with signature-based systems, and even Cylance seemed to pass it, which, also, if you're not sure who Cylance is, they seem to have a really innovative machine-learning-slash-AI system. But whatever. Things I also want to know is what protections they had in place, but it sounds like they probably were really good on security, really good on protections. But the other side of that is it still went through there, and as Xavier will tell you, if you develop something targeted for one company and we don't have a signature for it, what happens? It works. It works a hundred percent of the time. A hundred percent of the time. And to be honest with you, you know, I've been on engagements where I've actually written my own malware to be able to attack the company, and legally, legally, it's always legally, right, and it's gotten caught by AV even though I've written the code, right? So there are ways that, you know, some of these newer antivirus systems actually do know the framework in which you're coding, and may be able to tell, based on the behavior of the calls and the types of calls that you're making within the actual code, that you're doing certain things, right? And that's when you go to the next level, and maybe you start to write things at a lower level and not necessarily in a higher-level programming language like C, and you can start to control your logic flow a little bit differently, maybe start to put in more garbage, maybe start to go polymorphic. There's a lot of different ways to be able to get around these types of antiviruses, right? That's why the Cylances, like I said, are very interesting; the machine learning, AI systems they have are behavioral. And then we've dealt with this with Huntress Labs. We have Huntress Labs; it watches for things added to startup, so the attacker does have to get his malware into some type of startup sequence, which I did see, I even had a chance to read a proof of concept, but someone found a way to get things to start with PowerShell without anything in startup being set up. So there's the new angle, where they're memory-persistent. That's interesting. Yeah, interesting. And because they realize that's the next level: okay, we're watching startup.

But the way that works, and how it's worked with us working with Huntress Labs, is they will flag something that was added to startup as kind of like a yellow alert to let us know, hey, this was added to startup, we don't know what it is because we don't have a signature for it. And what it was is we have some transportation clients that use some unique software, custom written, that has a startup run, so they had no baseline for it, but they did let us know that something was added. Good news is we knew we added it, so we're good. So you need that human element. This is what managed security service providers do: they add that human element for us to actively look at it and make a rational decision that we just can't get the machine learning to do, to say, hey, this is now running in startup. So, oh man, and I mean, you know, this is, at the risk of sounding like shameless plug guy here, this is the perfect opportunity for something like deception to come into your environment, right? We like to talk about ways to be able to solve this. One way is to install something like Huntress Labs that looks for a change in behavior on the endpoint, but another way to do it is at the network level, actually putting these decoys inside of your environment, because when I move laterally, I'm looking for a domain controller. I'm trying to be the king of the castle, and if I land on a domain controller that's deceptive and I get in with credentials that seem correct, I'm now found, and I've been pushed into maybe a few other areas where deception has been enabled, because these breadcrumbs are left and I'm following these breadcrumbs, leaving forensics. I've already alerted the hunt team; they're watching my movements now. So we're moving just as fast, as, you know, us blue teamers,
because I'm on the purple team, as blue teamers, are moving just as fast as the people on the red team, mostly because we do have that purple team aspect. And this is a little bit more elaborate, but putting honeypots on your network is really important. Once you set up a honeypot, that you know you put on a network, nothing should ever touch it; every alarm should go off when something touches it, right? Like, when you have something pretending to be an AD controller that's just looking for active connections, you see connections come to it, you're like, my users shouldn't know about this; that means someone's plucking through the network. We talked about this last episode, that Guardium product that IBM makes, where it looks like someone's poking at the database. Same concept, where we're looking at the network security layer and going, something poked over here. And even with a smaller one, like we use our watch to even look for anything new added onto our DMZ network, where our servers are, or the secure network where the servers are, so we can notice any change, anything on there. That alerts me: something happened, I need to know what. Which my guys have given me a heart attack with, because they spun up, I have an old database server, and I freaked out. I'm like, calling, answer the phone right away, and he needed a reason why, because he was on the phone with a client and he spun up our old database to get some old information out. Boy, man, I'm like, how did I think it started up? Yeah, I didn't think, yeah, my guys did it. So if you ever want to prank this guy, yeah, just spin something up on his network. Have one of my guys, have one of my staff, do it without calling me first. Let me know, and I told them they need to let me know. So there you go.

So, kind of related note to watching it, did I talk about the end result actually? Because you guys were here last time, and I don't think we got the end result. We didn't talk about it on the show, I don't know. What was going on with the person pinging it? Oh, right, yeah. Someone wanted to reverse engineer something on my website, and they wanted to see how we did remote support; we have it embedded in our website. And then what set off all the flags is we got rate limiting, we got Seracada, we're watching stuff, and there was a bunch of page refreshes, nothing nefarious, but a bunch of page refreshes, which was enough to trigger a rate-limit log. So I'm like, okay, why am I getting, like, 7,000 hits from one person? I reverse engineered it; it turned out to be an IT company down in Florida. Hi, if you're watching, because he watches the YouTube channel, there's a relationship here. So, super nice guy, was confused why I was calling up but then understood right away once I said, you're the guy. He was, I was watching your YouTube videos, I seen your website and I wanted to see how you did the embedding on that. Well, he handed it off to his web developer who works there as well, and she had put it in some bookmark manager that kept refreshing the page. It was kind of weird; he didn't know it did that. But I seen the logs of it refreshing the page, because it was an iframe set to refresh, because we do an iframe embed for this remote support, and that's what got flagged. But he was impressed. He said something along the lines of, well, you don't just talk security, you actually noticed that and found me. I was like, yes, I did. We see you. Yeah, he made it easy; he had an SSL cert with his name in it. So it wasn't real... it wasn't that in-depth of a reverse; you didn't have to break anything. Yeah: Shodan, IP address, oh look, it's 443, allegedly. Yeah, yeah, he was listening. Shodan had his, and they had his cert name right in there. So you Shodan the host, because of the command line. If you don't have a Shodan account, get one, so you can use the command line; way faster than looking at the website, so you can
just grab the IPs, throw them in Shodan, boom. I'm probably gonna do a video about it just to show how quick that works. It's actually really easy, and you can script it: pull the SSL cert, find out the name, find a company name and give them a call. It was easy because it was an IT company, so they had their phone number right there. So, like, once again, not real rocket science on my part. It wasn't like I spent a lot of time researching and finding someone, but it was so fun. Nice. Well, good to know that you're watching, and I'm always watching. We are enjoying the traffic as it comes. Yeah, I'm sure someone might tell me, watch this, I'm then going to your website to figure out what you're talking about, and I'm gonna get a bunch more hits, and I'm gonna call those people too. Maybe shut my website down for a day and just go offline, go dark for a little while.

So we also read you guys' comments and we have feedback, so you guys say I don't talk enough, so here I bring you a story: a low-tech hack with major repercussions. The story first broke in 2017: Google and Facebook were scammed out of a hundred and twenty-three million. A 50-year-old Lithuanian man set up a company with the same name as a company that Facebook and Google have been using, and then proceeded to send emails to them posing as that company and asked for a hundred and twenty-three million, and they sent it quickly. They thought it was the other company, because what's a hundred million when you're trying to buy servers? I just can't believe that companies that large still don't look in depth into queries like that. Well, let's walk people through a bit: how hard is it for a company... it was very easy to set up a company. I mean, that's 35 dollars in Michigan, I think. About 35 dollars. Yeah, yeah, I fax it in. I mean, you can just set up an S corp, I can set up this. So that's step one. The next step is figure out who they use. Now, that's not hard to figure out either; publicly traded companies have a lot of documents online. Yep, 10-Ks, 10-Qs actually list off how much they're willing to invest and how much they typically spend on certain services and certain things. You can see what their technology spend is pretty easily. I mean, even if you're just in an industry and you know people that work at these companies, they're pretty open about, like, who they go through as far as, like, bars and stuff like that. Social engineering gets really easy at that level, because they never anticipate you, you know, assuming the identity of the people that they're buying the service from. I mean, but me personally, still, seeing a request for a hundred and three million, a hundred and twenty-three million, come across my desk, even if it is from a name that I'm used to, I'm still gonna double and triple check to make sure this is okay.

Well, and I brought something similar up, I think I told you guys about the hardware scams with the recycling one. Things that the recyclers had done, that appeared to make it confusing, was they registered the name of their company in the same city as another company with the same name. So it made it very ambiguous and confusing, because they were in unrelated, somewhat related but not directly related, businesses, and they shared a company name. So which company was it? And when you Google it, it was funny, because it made the local news, the other company being in the news going, it's not us, quit asking, we're not involved in this scam thing going on. And you can legally do that. You have to change things with the way the company rules work: so I register a DBA, and I can use DBAs that are similar to others. I can't register exactly the same company name, but if you register it with slight variations or a misspelling, it's just like a phishing attack on a website, where you have that targeted cybersquatting attack where you misspell a company name so it looks like it came from there. The company was Quantum? Quantum, yeah. So change your company name a little bit, just enough, and no, Quantum with the U to
Quanta with the A. This is the name of the company that they deal with, so he changes it to Quanta with an extra A. Yeah, it's a little unclear exactly how they pulled that part off, but it was posing as another company. Man, that's complete social engineering. You just set it all up, you build it all on there. What was that older movie from a long time ago, Boiler Room, where they were in all the fake stocks? It's the same concept. I mean, these are social engineering. It's not like, we may be talking about how they got hacked in 2019 and we talk a lot of technical details, but this is why I said this guy over here at the end is a scary one. Yeah, I mean, like, you know, the dude who destroyed those servers made no money and went to prison; he just got sentenced. So, you know, these dudes who did the ransomware, I doubt they get paid, right? Even though the FBI just goes ahead and tells you you should just pay them for the data if you want to get your data back. But yeah, I doubt they get paid. Someone's probably gonna come out with an unlocker. Shameless plug here: I have a friend who runs nomoreransom.org. If you are hit with ransomware, go to nomoreransom.org, they will help you out; there's probably an unlocker. Thank you, Ben Potter. Yeah, that's craziness there. Yeah, just to deter the phishers and scammers: this guy did get caught. Oh, he did? Do not underestimate the power; they went to Lithuania and got this man. Yeah, there's probably companies, if you're... not that I'm suggesting you ever hack anyone, but those are really awful. It's like, yeah, there's General Electric, Facebook, Google, and then, like, all of the dot-govs and dot-mils that you just don't aim at, allegedly, please. And around you, this is the sad reality. I'll bring it back to the small business: we see this less, I know, we hear about it from a surface level because it's not really a technical hack, but we just know, because we deal with some of these companies, they've been scammed out of smaller amounts of money
from these companies setting up looking like vendors. I talked before about the manufacturing company that was hit via email scam; they did hack their email, but sometimes they don't even do that, they just send out invoices. So, and actually, oh man, I wonder, you know what it might be... I'm going to dig up the details to see if I can turn it into the full story, but copyrights on books. The guys got greedy and made a few million dollars selling copyrights on books. So my friend owns a publishing company, and like books, actual physical book publishing. In book publishing, royalties are paid out. When the author dies, royalties are no longer paid, because the author dies, and then no one asks for royalties. The way the royalty system works is, as long as the author's alive, he lets you know, and there's like a process: you re-sign up for another year of royalties. So these guys get this clever idea: people die, I'll just assume the royalties of dead people. And it's so basic and stupid-clever. They started invoicing, and because they got greedy, someone noticed the books; they're like, that guy died, why is it paying royalties? Well, and it is true, sometimes even after people die, the family may assume the royalties of it; it may not necessarily go into public domain. So they, Dr. Seuss, like, yeah. And they got greedy is where it all went wrong, and everything else. But yeah, once again, complete social engineering: someone just got this idea going, you know what, no one does this, they don't collect on this, and now their entire company basis... I think they were getting, they got up to over two million a year. Only thing they had was a bunch of people, and they got all those giant machines and stuffed envelopes, and like that, loaded the envelopes and just, they'd preprint and mail out bills for all the royalties and contracts all over the place, to ones they didn't have the rights to, but no one else did either, so there wasn't, like, they would get it. It's so stupid, but it worked until they got caught, because that is illegal, by the way. We're laughing at it not because they made money; we think it's because it's so silly that you paid out on these royalties. Yeah, that's why we're laughing. And royalty payments are small on books; you don't get a ton per book. So it's, you send it to all the different places they have the book, in France, it's a small amount of money. So it takes thousands of envelopes getting mailed out, but then cumulatively it starts at about a couple dollars here, $10 royalty here, $100 royalty there. Oh well, we'll leave you with that. If I can find the link to their conviction it'll be fun, because it happened a long time ago, but I thought that was such a clever, basic... someone sat around and just kind of said, you know what we could do, and they were all former people who worked in a publishing business that just got together to do this. Intense. Yeah, if there's a better audit system in place now for that, as he told me... but there clearly wasn't for Facebook and Google. But, um, yeah, the guy got greedy and got caught, so it's a horrible idea to do. And Google, yeah, trying to go up against those companies, man. Yeah, I'll bring you an update: the guy gets sentenced June 28th. So, okay, I'll bring you an update on his lengthy sentence, as I'm sure it will be.
Looking forward to that. Yeah, it's a nice thing once all this gets out. There's actually someone who goes by the title Skip Olivia; you can find him on my forums. He posts a lot of these things. Hi, because he's also sent show notes here. Hey, he has done some legal research and things like that. I think he's got a blog, but there's links in my forums, and he's posted some of these legal debriefs, because he takes the time to read, because once these cases get out and finally get published, they get published in some of the court papers. That's when people like that will go through, and you get to read those technical details. And we're gonna be using more of that as some of our technical debrief on some of this, because then you get all those juicy details, like the court hearing we read last week for how we know what happened over at Starwood. That's testimony; it becomes part of public record, where we can pore through it and find out they got popped by Mimikatz. All right, also they have pypykatz now, so if you want to have a little fun at the office, yeah, if you want to, you know, violate a little CFAA, allegedly. Allegedly. We didn't have time to cover it, because we didn't really get in depth on it, but we're working on it: we have an interview we're gonna be publishing to the channel with some hacker, just some guy who does the thing with planes. Some hacker, some guy, some guy that does the thing with planes, if that's not enough clues. And trains. Oh, and trains, and cars. And cars, and ships. Apparently the future is going to be a brain, a human brain. Oh yeah, so he's gonna move on from hacking transportation, for the moment, because, well, actually it looks like he's gonna be doing a little bit more of that in the airplane space now with the whole Boeing issue, really relaying that. You know, to be honest with you guys, security is fun, cybersecurity is awesome, but really at the end of the day it boils down to safety. Yeah, and the more and more of these things that we put online, the digital twins of the world. I used to work for General Electric; it's all about security because of safety, because we don't want PLCs to be blowing up plants, and, you know, we don't want gas tanks to be discharged, and we don't want trains to be sped up ever so much that they fly off the tracks. So, you know, security very much so is related to safety these days, because, all the time, real serious issues. Yes, and it's happened in the past.

You know, I don't know if General Motors is, but I know Ford is on HackerOne. GM is definitely on HackerOne. Okay. They're actually doing a very, very good job with responding to, yeah, vulnerabilities and bugs. I remember being at GM when the OnStar thing happened, and they responded immediately, and I actually worked on those systems, and they took it very seriously. So kudos to them. Kudos to Tesla, another really, really... yeah, they're working really hard to make sure that we are safe and secure, and they're owning every failure that they've had. So yeah, that's good stuff. And yeah, that, because car hacking, we've been having a lot of discussions about it, because it's in its infancy; it's gonna get, as cars get more complicated, we're gonna see more car hacks. And yeah, but treat cars like locks: never pick a lock that you need, that's critical. Never hack a car that you need to drive to work in. Oh yeah, I'm gonna leave you with that. Yeah, sometimes it doesn't go well. Yeah, you have a really hard time explaining to the dealer when all of a sudden, you know, he can't even reflash your computer, because, some reason. Well, Tesla has the beta sign-up too: you can sign up to hack your Tesla. They have a whole program, they have a program for bug bounties and everything that you sign up for, and they can offer you some, like, developer modes of the car and even help you. They said, to the best of their abilities, that one, you're not voiding your warranty. That's actually something they stated. They also say they will help you reflash the firmware if you, you know, end up stuck, not, you know, trying to work,
so, poor Michigan, because we don't have any dealerships, so you have to tow your car to Toledo. Is that the closest Tesla? I think there's one a little further, maybe a little further. Cooperating with the public, because I know people are gonna hack it anyway. Yeah, so we might also invite you to hack it with us, and we can come up with better solutions together. Yep, exactly. Check out HackerOne and stuff; all those big companies are on there. It's pretty cool. Look what they're offering for some bug bounties. So, and come out to DC313, yeah, this Wednesday, when you watch this, because it's coming out, yeah, this Wednesday when you watch, or when you see this. This Wednesday, come on down to DC313, dc313.org. But, that date, it's the 27th. It's gonna be this Wednesday, the 27th. Okay, I think it's the 27th. Yeah, 27th, Bamboo Detroit. So if you're watching this after March 27th, there'll be another one. Check out DC313, and yeah, I will leave links to all that. All right, thanks. Thank you so much for your time. Later. Later. Cool.
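One added example to close out the AWS story from the top of the episode; it is written for this page and is not code from the show, from Voova or from AWS. It puts the two controls the discussion lands on into IAM policy JSON (a session must carry MFA, and nobody day-to-day can terminate instances), and pairs the document with a deliberately small Python evaluator so the one edge case that matters can be exercised offline: on calls made with a long-term access key, `aws:MultiFactorAuthPresent` is absent rather than false, so an Allow gated on plain `Bool` does nothing against a stolen key, while an explicit Deny using `BoolIfExists` catches it. The policy names, the action lists and the admin policy are assumptions; the evaluator implements only the subset of IAM logic these statements need (default deny, explicit Deny wins, Action/NotAction, Bool/BoolIfExists) and ignores Resource matching.

```python
"""Added example: the MFA-gating and no-terminate IAM controls from the Voova
discussion, plus a toy evaluator to show why the Deny/BoolIfExists shape is the
one that actually stops a stolen long-term access key.  Not AWS code."""
from fnmatch import fnmatchcase

# Assumed policy, attached to every ordinary IAM user/group (not to the admin role).
DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DayToDayEc2", "Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:StartInstances",
                    "ec2:StopInstances", "ec2:RebootInstances"],
         "Resource": "*"},
        {"Sid": "DenyAllButMfaSetupWithoutMfa", "Effect": "Deny",
         # Self-service MFA enrolment must stay reachable without MFA.
         "NotAction": ["iam:ListMFADevices", "iam:EnableMFADevice",
                       "iam:GetUser", "sts:GetSessionToken"],
         "Resource": "*",
         # BoolIfExists: an ABSENT key (long-term access key) counts as a match,
         # so the Deny fires for access keys as well as for non-MFA sessions.
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        {"Sid": "NeverTerminate", "Effect": "Deny",
         "Action": ["ec2:TerminateInstances"], "Resource": "*"},
    ],
}

# The weaker shape "MFA present, bool equals true" is often written as: an Allow
# gated on plain Bool.  Plain Bool never matches when the key is absent, so this
# statement simply does not apply to access-key calls; it denies nothing, and the
# outcome then depends entirely on whatever other policies the principal has.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Ec2OnlyWithMfa", "Effect": "Allow", "Action": "ec2:*",
         "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

# Assumed over-permissive policy like the one a small agency might hand every dev.
ADMIN_ALLOW_ALL = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed request contexts.  A pasted teammate's access key carries NO
# aws:MultiFactorAuthPresent key at all; temporary credentials carry "true"/"false".
LONG_TERM_KEY = {}
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}


def _match(patterns, action):
    """IAM-style action matching: '*' and 'ec2:Describe*' wildcards, case-sensitive."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(action, p) for p in pats)


def _condition_met(cond, ctx):
    """Evaluate the Bool / BoolIfExists subset used above. ctx maps key -> string."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool":
                if have is None or have != want:      # absent key: Bool never matches
                    return False
            elif op == "BoolIfExists":
                if have is not None and have != want:  # absent key: treated as matched
                    return False
            else:
                raise NotImplementedError(op)
    return True


def _applies(stmt, action, ctx):
    if "Action" in stmt and not _match(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _match(stmt["NotAction"], action):
        return False
    return _condition_met(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, ctx):
    """Return 'Allow' or 'Deny'.  Order: explicit Deny > any Allow > implicit deny."""
    allowed = False
    for pol in policies:
        for stmt in pol["Statement"]:
            if not _applies(stmt, action, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    cases = [("stolen key, terminate, DEV+ADMIN", [DEV_POLICY, ADMIN_ALLOW_ALL], "ec2:TerminateInstances", LONG_TERM_KEY),
             ("stolen key, terminate, WEAK+ADMIN", [WEAK_POLICY, ADMIN_ALLOW_ALL], "ec2:TerminateInstances", LONG_TERM_KEY),
             ("MFA session, stop, DEV", [DEV_POLICY], "ec2:StopInstances", MFA_SESSION),
             ("MFA session, terminate, DEV", [DEV_POLICY], "ec2:TerminateInstances", MFA_SESSION)]
    for name, pols, act, ctx in cases:
        print(f"{name}: {evaluate(pols, act, ctx)}")
```

The instructive pair is the two "stolen key" rows: with the Deny/BoolIfExists policy attached, the extra admin grant cannot rescue a call made with a bare access key or terminate anything, whereas the Allow/Bool shape silently falls through to the admin grant. AWS's own documented pattern for forcing MFA is this explicit Deny with `BoolIfExists`; EC2 termination protection (the `DisableApiTermination` instance attribute) is an additional, per-instance guard that is independent of who holds the credentials.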