Welcome back to the Cyber Underground where we dig deep to find out how cyber security touches all of a sudden our everyday lives. Today here again I have my exceptional co-host Mr. Andrew Lanning, Andrew the security guy. Hey everybody, how's it? And we have a great guest for you today, Mr. Mike Fafflund. Yeah, what's up Mike? I always dispel his name correctly. A Navy man. Thanks Sam. Right. Thanks for having me. Two Navy guys and a Marine, you know. Oh well, don't judge me. All right. That's a long time ago. You're forgiven. We love the Marines. Well, we have a purpose, right? And let's talk about your purpose. Yeah. We're at the US Navy on the cyber protection team. Wow. A lot of people don't even know it exists. It's true. We don't advertise. We don't advertise. It's not like you do public service analysis. That's all I can say about that. No. That's it? No. Yeah, you don't have to commercialize it. Yeah, I do. I do defense for the DOD and I've had the opportunity over a decade of doing not just defense but also offense. So I've gotten the full information security perspective. So I have a huge respect in security for pen testing because I got to do it on steroids with the government. Yeah. So call it to the government, you know. Which you can tell it's all about, right? We need to know the deep details, man. No, but it's been great. I think a big limitation of a lot of security analysts is they don't understand the offensive side. So as you do that and beyond just pen testing but having to really hide yourself, you know, through cyberspace, you can really respect and better analyze when an attack is happening on your network. So I've really appreciated that opportunity. So today you get a console or you get handed a thread and you get to watch it move around and play and fight back. How's it going, man? What are you doing in there? So you can't tell us. Tell us what you can.
Like any other, you know, manager and information security and the DOD actually has a lot more money than a lot of industry. Sure. Really? Oh, they have my money. Yeah, that's right. It's just yours. No, but a lot of companies, you know, they just need to make the profit, you know. Right. But executives need the paycheck. But no, but when you have to decide. And that's what's important to them. Like competition is tough. So they just don't have the budget. So thankfully, we... To afford the good tools. We have a decent one. Thankfully, we're budgeting for this in our government. Yeah, we need it in government. But government's a massive target. There's an OPM breach. I'm a victim of that. Yeah, so our information's already... Yeah, thank you. You too. I'm sorry. They're somewhere, yeah. Thank you. OPM, by the way. Thank you so much. Mike's information is valuable. Mine's not. Just so we're clear. That's not true. You should go for someone that's older with a big debt. Yeah, yeah. As if there's actually money in it. You know the older word. Yeah, it's fair. It's fair. It's fair. Just see what audience knows. We're both older than Mike here. So that's okay. That's okay. You can bring out the old words. You guys are 32 and I'm 18, right? Right, right, right. Exactly. All right, all right. Let's talk about some kill chain, man. Can you give us an example? I mean, this WannaCry came out and we don't actually know if it was an e-mail first or if this was a network worm breach across multiple networks. What's the anatomy of just a basic ransomware attack and how did WannaCry work with this? So ransomware is not complicated. It's just malicious software which happens to encrypt usually all the files on a hard drive and then demand a ransom, usually with Bitcoin. What made WannaCry unique is not that it's some big innovation in ransomware. So much as the vast scope in which it propagated around the world because of the exploits it was using.
And those exploits happened to be stolen and released by Shadow Brokers, which is an unknown group. But that's what made WannaCry so interesting. People tend to focus on the malware and this goes across most texts. It's just easy to identify so the media says, hey, let's talk about WannaCry. But really it's the exploits which made this interesting because that enabled a couple hundred thousand. I'm not sure what the count's up to right now. Computers around the world all get ransomware. And those exploits are EternalBlue and there's a couple others. Now we're looking at 200,000 systems the last count I saw. Yeah, that's a lot of old, right? Can we talk about that SMB mechanism? So it's version one, version two, they're old. How does that work? What was it built for? We're talking about a Windows server message block that's attacked in this vulnerability specifically. Yeah, but the old one. Right, and so the old one, the one I used. And there's a lot of, the facts are not all out yet. So it's unclear why the United States wasn't hit very hard. Maybe it's just because we use legitimate operating systems and we patch. But it's interesting the different parts of the world how the infection rate is higher or lower. But certainly, so Windows released a patch for this I think in April or March. Yeah. And so if you patch your operating system, you're fine. Right. Or if you have, I was reading a report about 30% of antivirus stop WannaCry. Actually caught it, cool. So which I'd love to see, and I think they should do this more when there's big incidents globally, but show how antivirus is performing. You know, consumer reports. Sure, you have a gauge, you know, Cylance did this, Symantec did this. Because some of those companies are pushing the virus. Others are not. If you got antivirus, you still got to update your antivirus. That's true. You don't update your antivirus, it's useless. Cylance is more like the machine learning though.
So it's looking at stuff coming across the bus, a little different animal. So I have a good friend that works with Cylance. Oh, I don't. And I think they're going in a whole new direction. Antivirus used to be just blacklist. Yeah, signature. But now it's much more neural networks, machine learning, and that's the future. Yeah. It's a different discussion probably, but it wouldn't surprise me ten years from now if malware is a thing of the past. Yeah, that's awesome. I was talking about baseline. There's a great optimistic viewpoint. I'd like to go for the optimist, but we're in cyber, so he usually goes the other way, unfortunately. The end of malware. I love it. I mean, we have application whitelisting. I mean, whitelisting approaches, of course, are the most secure because anything that doesn't fall on that whitelist can't run. So if you did that on network, you also could stop an attack like this. But with these companies, they know more than government does. They know more than the media does. These big companies that have antivirus on hundreds of thousands of machines or millions, they can get all that data in real time. They can do their own scrubbing of essentially whitelisting, looking for anomalies. And that's how they feed for Cylance. That's how they feed their AI to learn more and more about what's been bad. It's fascinating. So let me ask your personal opinion. You don't have to represent the government. Oh, that's it. This is my personal opinion. I got to ask your personal opinion because we're on the same kind of sphere here. So I was in the podcast you sent me, and in there they mentioned that the time stamp on that patch was from February. So Microsoft sits on these things. What do you think about that? I mean, there's a business model and then there's the security model, and they seem to be divergent in this case, right?
They don't want to patch Windows XP because they don't want to encourage businesses to stay on XP to grind that out to whatever the ROI is going to be forever. And on the other hand, you want the world not to grind to a halt. So do you sit on this patch? Do you release this patch? Which I want to know both your opinions on this one. Sure. It was nice of them to release a patch. That was benevolent. I think very benevolent. I mean, there's some industrial systems or some healthcare systems. There's some other gear out there that's got an XP operating system, and those manufacturers haven't developed a product to run on something else. So unfortunately, there's places in the world that are living with some of this. Should they? I think it's irresponsible. I mean, this could have been a lot worse because we all know, like, are there critical infrastructure systems still using XP, you know? Sure. State of Hawaii still using XP? No. Sure. No. What you show up is the hospitals in England. Yeah. If you read that. And I don't know if anyone died from this. That'd be interesting. I haven't seen that statistic yet, but I did see statistics changed. Like, when this first came out, I thought, oh, people are saying Windows XP is prevalent. And I say it, a national health system in the UK. What I saw was that now the statistics say it's mostly Windows 7. That's what I read that today. One percent was XP. One percent is XP. And Monday, we thought it was 150 million XP machines. Right, right. And I thought that was, oh, my God, that's exceptional. But now, Windows 7 makes a little bit more sense. I mean, people are dragging it out. It's good people have upgraded their operating system. I mean, they're still outdated. Yeah. Right. But no one wants to go to Vista. And they're afraid to go to TN7. There was a patch for 7, but they didn't do the patching, right? So as you mentioned, right? So, you know, just normal routine maintenance, right? You got to do it. 
You got to stay up with it. And they were saying it could get into the backups. Yeah. So if there's a time bomb in there, they could be delayed, get into the backups. And then even in your backups, when you restore them, you've got the virus again, and it'll go out looking for other computers on the network. And so this was an opportunistic attack where it's a worm that just spread, you know, as it could. And we're not sure if it started by email, you know, or it just spread SMB. I mean, usually you'd block SMB at the firewall, but it's unclear. Maybe it's a USB stick. So right in? Well, it's a lot of USBs to start propagating on May 12th. May 12th? True. Maybe. Maybe? Do you have that sprinkling of them in the parking lot? All over the world? Yeah. That's a big investment, actually. Yeah, I think it was. I know I would have said email. But yeah, there's still some gaps of knowledge of, you know, how else it might have spread beyond the obvious exploits that are built into this worm. I'm amazed at the gaps of knowledge we have even now after five, six days. Well, I think maybe you can't always talk about it. Do you guys have visibility on things, you know, that are coming at you before the rest of the world? I mean, do you get some updates that, you know, everybody else is like, let me find out three days later. No comment. Oh, man. That's terrible. Well, I just hope so. That's just from my perspective. I hope so, too. There are speculations that it's North Korea. Sure. We can see that. It is interesting. It's really disappointing how unsuccessful it is. Well, I imagine the attackers are. So there were a few flaws in this malware, and they haven't made a lot of money. You would have expected an attack on a couple hundred thousand systems would make a lot of money. But very early on, they learned that there were some issues, so the Bitcoin addresses were limited. It wasn't an automated system. 
Also, there's no reported, at least I haven't heard any reported, people actually recovering their files. It's questionable if the attackers are actually tracking all the private keys to decrypt all of that. So I think once people started hearing that, the number of people paying the $300 or $600 ransom has plummeted. So there's. They've only. I have less than a hundred thousand, I think. There's two tools there. Well, actually there's three tools out that I read about, and one of them is wanakiwi. It actually looks at the computer's memory and scans to see if it can find the prime factorials, the P and the Q numbers they use in the calculations, to calculate the actual secret key to decrypt this malware so people haven't shut off their computer. So they did find a, have a workaround. Right. There's a one. If you had, you had long January booted your computer. I read that one. As soon as you reboot your computer, the chances are that memory block's been overwritten. Right. So it's active memory, right? You have to keep your power on. Good. So there's a chance you can recover your files, plus the NSA keeps reused keys. And that further shows, you know, it's more amateur. Because there is ransomware out there. Most of it, which we can't decrypt. Some of it is poorly implementing the encryption. Yeah, right. And this does sound like there was one person in accounts payable handling all the Bitcoin transactions. There was, it's not automated at all. So the, the, the podcast was, let's do, that you sent me. It was really interesting. I got it. Who was that from? It was out of Risky.Biz. Risky.Biz, that's Australia. It's a good one. So a couple of Aussies talking about that, and they're really good. You can't watch this show, that's second best. Right. Thank you. So maybe it was a test, right? So maybe it's a test to see what kind of SMB was. I'm scared, you know. But this is testing the water. How do things, how do things crawl around? I don't think so.
And this is why. So there's, this exploit's been, been seen already in the wild. So there's a good chance actually the other way around, this actually showed us that these, these computers might have already had malware, maybe even from this exploit. Okay. So this really just highlighted, you know, in a big flashy, you know, week that these vulnerabilities are being exploited and people have all these unpatched systems. But it's possible that these systems already had malware. They were mining Bitcoin or sending spam or, you know, doing all those botnet kinds of things. Gotcha. So because this exploit's been out. So I think it's really just bringing to attention. So the exploit, you're talking about the mines bitware we found on the podcast from Risky.Biz. They said that that exploit that mines Bitcoins turns off SMB. So it protects you from WannaCry. So if you're mining Bitcoin, they were saying it's, it's better to be mining Bitcoin than losing your share. Sure. That's right. It is. So yeah. Somehow it wants to defend its turf. Right. It's interesting that you say so. I heard from a healthcare, a guy came from a healthcare symposium yesterday at this. These folks were saying that it was first found in their backups. And I hadn't heard that. Oh. And so they had lost their backups and they had to go back a long ways. Like he said like 30 or 40 days to find some that weren't infected. And so did they not, you know, notice it and run it in their back? Did it attack? You know, it's interesting that that was there. Even if you tested the backups, you might not know. Right? Because the exploit is not active. So you might not be able to find it except for 30% of the antivirus actually caught this thing. Right. So we're going to take a break right now. Everybody will be right back. Come right back in about a minute and we'll keep on going. Welcome back to the Cyber Underground. I'm your host Dave Stevens.
With me here today are my exceptional co-host Andrew Lanning, Andrew the security guy, and Mike Fafflin from the U.S. Navy Cyber Protection Command. Where's it? Team. Team. Okay. You don't have your own command. No. He's working on it. Working on it. Someday you're trying to take over. Lieutenant commander. Soon to be, right? Soon to be. I'm here personally though. I'm not a representative of the government. He's just here to share what he can. Yeah, that's right. You couldn't show up in uniform yet because you can't represent. It's really difficult to get people from the NSA here. I wonder why. I don't know why. Put their face on the screen. I wonder why. They're asking these questions. I don't know how to ask them. They just shut me down. Twitter working right now, and we just got a comment here. Mike got a rash from WannaCry. Is this true? It's true. Had to spend a long time in the chair. Really? Let's go show you. Is it? Can you show us? Yeah. We don't have FCC rules because we're not broadcasting. You can do whatever you want. We can have the black fuzz. Nice. You should just do it. Keep it behind the screen, right? There's a question I want, number six. Who are the Shadow Brokers, Mike? It's a great question. Well, they've been linked to Russia. What do you think? They have. I mean, they've been linked to Russia. What's that link? Is that a strong link? Is there proof there? I'm not an expert at Shadow Brokers. But yeah, what's interesting though is so Shadow Brokers, they've been releasing information about the Equation Group, which everyone thinks is the NSA. And how it relates to WannaCry is the exploits that are being used by WannaCry were leaked by the Shadow Brokers. So Microsoft released a patch in March. Shadow Brokers released this exploit publicly in April. Yeah. Which is interesting. So what that shows is the Shadow Brokers, when they see that Microsoft patched what was a zero day, they then released, well, now the exploit's known. Or at least...
Maybe they're just training us to do our updates. Maybe we'll be working together. I hope that's true. Yeah. I hope people start doing their updates now. I mean, this taught you that, right? I mean... If you have a plan to keep your company working 24-7 and making money, paying people, serving your customers, the best thing to do is never to go down. And the best way to prevent that, update your system. Have tested backups. Mm-hmm. Train your staff. Don't let this happen in the first place. Hopefully there's a good wake-up call for most of the world. I mean, the U.S. is pretty good. Again, the U.S., you know, we weren't hit that hard by this, but most, a lot of the world, you know, China, Southeast Asia, Middle East, they don't patch. That's what it seems like, right? The whole world will be more secure if we all patch. Because then you reduce botnet sizes, you know, from 10 million, you know. Yeah, you reduce your threat landscape. Because a lot of those botnets are taking over machines that are just unpatched. What's the history of Shadow Brokers? Have they been around for a while? Have they been active? Have they caused trouble like this before? What do you know? He's working great questions, Dave. So what about Vault 7? What about Vault 7? Do you know anything about WikiLeaks and Vault 7, which is where they dump all the stuff that they get from people like Shadow Brokers? So again, not my area of expertise. I think that's Vault 7 is more of the CIA. Oh, okay. Which is how we learned that our TVs are listening to us. Even that one. I heard an interesting interview with James Clapper, former head of the CIA. Is that James Clapper? And he was saying that you might not want to stop this exploit of the Samsung TVs. CIA is not supposed to spy on its citizens, but if a foreign actor, a bad actor, got inside the U.S. boundaries, inside the U.S. borders, and was operating inside of the country, you might want them to be able to spy on that person via a Samsung TV.
Now, they don't want to watch me walk around naked in the house. I don't think anyone wants to watch that. My wife wants to watch that, but I wouldn't want to watch that. What is he talking about? Spies. You might want to watch that. What does this have to do with WannaCry? Do I want to cry? Do I want to cry if we see him walking around like this? You'd want to cry. Where is the content? There's a question of, you know, are exploits potentially good? They can be used for good things versus bad. There's a balancing act. So NSA, they developed this exploit for good reasons. If you think NSA does good things, which I think they... I want to believe that. I do. They defend America, right? But then it got leaked, and now it's been used, and potentially, again, people could have died from these hospitals where the systems were helpful. I haven't heard that yet. I haven't heard it all day, so this is good news. But certainly, it's had a big impact, and so it's hurt people's health. Surgery's delayed. That's the fact. Yeah, definitely. I was with a show last week, and Matt Rosenquist was there. He's IBM's cybersecurity strategist, and for sure, not WannaCry, but already there's been a patient on the table, and the gear needed was ransomed when they turned it on. So they bring in the IT in the operating room. They're like, dude, you've got to get this working now. So there's been threats to life, for sure, but not WannaCry related, but ransomware related. So WannaCry exploits SMB, and one of my kids in their 20s asked me to... I kind of described in her terms what this WannaCry does, how we exploit on a network on SMB. And tell me if I'm too off on this, because here's how I described it. There's a hallway, and there's a bunch of locked rooms, and each one has a digital keypad, and someone finds out that there's a secret override code on all those digital keypads. So they go down the hallway, and they try that secret override code on every single door.
But somewhere in that last week, someone had gone around to five of those doors and updated the keypads to take out that secret override code. So only five of the doors can be entered. So five of the doors are vulnerable systems, whereas five of them have been patched, and you cannot get them. Is that close to how WannaCry works on a network? Can you tell us? Yes. So it's a really good exploit. This is a top... So I think EternalBlue is the initial exploit, which was released by Shadow Brokers, but it's really effective. I mean, I don't know if it's 100%, but it seems very... if a system's unpatched, I don't know if it's a buffer overflow that the mechanism is for running malicious code on the system, but it takes advantage of that open port for SMB, and it's able to run malicious code. And then it does some other things, uploads the next payload. So it goes out there to the network, see if there's any more machines on the network, no more computers. Sees if this vulnerability exists. If it does, knocks on the door, tries to exploit it. If it can, it's on the system. That's interesting when you have a mixed network, some XP, some 7, some 10s that have been patched. So some of your systems aren't vulnerable at all. So theoretically, you can keep those systems running. For WannaCry. Absolutely. I think most backups probably have not been targeted. It depends on how the backup is running. That's what I was wondering. I thought it was odd. Maybe it's a backup on a Windows 7. Maybe it's a good reason to go with cloud backups or another type of solution where someone else is going to patch it if you're not responsible to do that. It shouldn't be hot, right? I mean, your backup should be isolated. And there should be some kind of rotation. Right. That's what you're doing, not just one backup. And check them, too. Restore your backups. Make sure they work. People messed that up. So Mike, put yourself into the security role, CIO role of a corporation, right?
What's your incident response like? You hear this is a couple of computers have got ransomware. What do you do? Because they call you first. So ransomware, I'm like it. So in this case, though, it's not a targeted attack. When I think it's a response, if it's just computers that are opportunistically targeted like this, there's not an adversary actively moving across your network. So there's a big difference between a targeted attack versus an opportunistic attack. So this is opportunistic. If it was a targeted attack, I'd want to maybe take a little bit more time to understand, before taking any action on the network, what I want to understand all the indicators of compromise and where are they on the network? And I want to deploy signatures to my IDS. So you're information gathering. Information gathering. But before really taking much action, maybe isolate some systems. But the idea is if it's targeted, you don't want to alert the adversary that you know they're there because they could become destructive. They could change out their implants to something else so that you can't find their backdoors that are hidden so you clean them off and they're still there. So there's a big difference between how you respond to a targeted attack versus an opportunistic. If it's opportunistic, there's no adversary actively watching what you do on the network, which is the case with WannaCry. So in this case, you can just isolate those systems. And in this case, we know it's ransomware. So maybe you wait until you get a decrypter that works, which most ransomware, you don't get that luxury. But in this case, it seems like it wasn't the top experts that wrote WannaCry. So we could do that. It looks like that, yeah. So at this point, I mean, maybe just isolate those systems, patch the rest of your network, install a good antivirus, and then maybe you can get the data back if there's data you want to get back.
The crazy thing is most IT departments would inform everybody to take their systems offline and they'd probably send out an email. Well, in this case, because it's a rapidly spreading worm, you probably do want to disconnect the organization from the internet. Right? Right. Immediately. And if there are systems, isolate them and then patch. And then you're nice and good. This is a good case for subnetting your network, right? Finance has this, CIO Group has this, and CEO and the marketing, they're all different networks that you can unplug from the collective to get them offline. So if they're infected, they don't affect anybody else. Right. You want to subnet that. So that takes good planning. And that's one of the things we fail at as U.S. businesses overall, I think. We don't plan ahead very far. We have this mentality of just, get the shareholders there, they're cut, and then we'll take our bonus, and then six months later we do the same thing. We don't plan year over year how are we going to patch these systems, how are we going to secure these systems. Let's hire a CIO. Let's give them a budget, the main thing you don't get right to get a CIO. A lot of this is basic network hygiene, which is just not being maintained. Very common in business, very common in municipal government with strained budgets. I mean, it's hard when you have an organization of 10,000 machines. I mean, it's hard to keep them all patched. That's right. And especially if you only got one or two guys. Well, that's all good news, everybody. Thanks for joining us on this armor and a crown. Thanks for being with us, Mike and Andrew. Thanks as always. You guys are exceptional. Stay safe, everybody. Aloha.