Tom here from Lawrence Systems, and I'm joined again by Matt and a shady guy over here, Jason. How you doing, guys? I'm good. We did this video just the other day, which will be linked down below. You literally yesterday. I think I published it about how I would hack you, and Cisco, you know, prompting us with an example here, but a good example. But this is a fun little breakdown we want to go through for what happened at Cisco and how they did, which, well, too long, didn't watch: it did a good job. But we're gonna break down the attack vectors here and still some lessons learned. And one of the first ones is really, I got to jump to this right here: MFA fatigue. This is just clever, where you annoy someone, where it's come up and said "would you like to..." 2FA prompts so many times they're like, the only way I can make this stop is to say yes. Or the action we, the user, should have been trained to do is probably call someone and say, like, this thing's broken, it's going crazy, it's annoying me. Of course I can picture my wife being a more general end user; if I did that with her MFA system, she may just press yes, but I hope that's not true because she works... If you press deny too many times, right, like there's room for improvement there. If I hit no 10 times, why is the 11th one coming through? Well, I would probably say that the threat actor's offset capabilities of changing IPs rapidly is not happening. So if they're hammering on the edge, it'd be really cool to see technology where you could actually auto-ban that from even hitting the surface for X period of time, right? So this IP, you'd have to change; you'd force some tradecraft. But yeah, they are coming through its Tor. I mean, like in all honesty, okay, so maybe I force a denial of service attack. But I can only force a denial of service attack if I have your password and I can successfully prompt you for MFA. And in that case, is it really... should service be denied? I would argue yes. Yeah, that's security before convenience, for sure.
I love it. And this is one of the things: the initial attack vectors are technically low-tech, and there's two things that allow them to gain access. One, this is a BYOD system where people were logged into the browser to their personal Gmail with password synchronization. So it's synchronizing passwords in there, and so they were somehow able to leverage control over this personal computer, which then gave them the information needed to then swing over to logging into their business accounts that were synchronized with those passwords. Yeah, but they didn't have 2FA? 2FA will save us until you're annoyed by the 2FA, depressing it. So it's actually not the most sophisticated level of attack; it's still pretty low-hanging fruit here. We were joking about this earlier when we started this little chat that led to this video: people think it's a really complicated attack all the time, like this is really amazing cyber war of things and bits flying by. Nope, they just hammered the 2FA button a lot and called them. Yeah, and at this phase, right, so we have this initial vector, we understand where it's coming from. The only thing I'd say to Cisco's point is there clearly is a gap in their user awareness training and the understanding of how they should have reacted, what they should do around sensitive passwords and whether or not they should store them in their system. And I think a lot of executives, we check off the box because we've given the training, but I don't think that necessarily proves the training has been tested in its function. Right, and I think some of those things you might add to this is personal computing reviews, things around password usage, testing of those things around these vishing attempts. And so I'd say the only piece I will go negative on for Cisco is just that piece. I think they maybe have a gap in the training, and maybe this is something to be added to the training program: pick a person and annoy them with 2FA requests and see what happens.
It's actually a good idea. I'm gonna pick Matt Lee. Oh, that's very nice of you. I really appreciate it, shady guy namelessness. Yeah, now from there, we're gonna just jump down. They did a lot of living off the land here, and they did this to kind of evade detection. We talk a lot about we're gonna lock it down so they can't run unapproved apps and things like that, but this is something that's running on the system. Let's talk about living off the land for a minute. Yeah, I mean, it's the concept my dad always taught me of, like, don't jump me in a rock pile, because I'll probably pick up a rock. Yeah, the situation. And so I think living off the land is, you know, much to everything we have very open and trust-first type centrism in most things, and once you're on that machine there's a lot of tools and things I can abuse. You know, you pointed to it yesterday: Microsoft's will-not-fix list. Well, you know, DogWalk, that was just patched yesterday, was known about for almost two years and was originally on their "operating as behaved" list, and now that it's been exploited, it's listed. So I think the point is living off the land lets a threat actor or an adversary understand that I don't have to bring tools that'll get me caught. I can use the things that are around me that I already have here, right? So I have a question to ask: was this user in question, like, a local administrator on wherever he was logging into in Citrix? Because a lot of these commands would just fail if they weren't, right.
Yeah, I'm following best practices there, and that's why I think that's... They had, obviously, because this person's just using a net localgroup Administrators, so they're adding themselves to an admin username Z. So this is really interesting: they're able to control a lot of high-level privileges. This is why we talked about this in How I Would Hack You: you don't want the users to have too much privilege on a local workstation, because if the threat actor assumes them, it assumes the same level of privilege. Yep, and then they use Mimikatz, which I think is one of the things that will speak towards as we go. You know, Cisco very much touts how quickly they stopped it. Jason, you said as we started today, you know, and I saw the same stat: 2.8 gigs was all that was exfiltrated. And so when you look at it, I have to imagine the command about four commands ago was what triggered their incident response team. Yes, that's my supposition. Yeah, right when you got into that, bringing down a minidump and being able to execute that is probably going to trigger most effective... and I think that's probably what alerted them. And being that they're Cisco, they have some really advanced... the Talos people are no joke, they're really good at what they do. They probably wanted to go, we know, we want to watch what they're doing a little bit. I think there's probably a little bit of that that went on because they wanted to dig deeper: who's attacking us, what's the threat actor group? Yeah, what's the threat actor group, because they do attribution and things like that. So they dove a lot into this, and I think this is where they probably let them go a little further. They did have some redacted things here, but they posted like this is just the beginning of more to come, you know, them sending my thing else. Yeah. Yeah. Wait, the more to come, like there's literally nothing.
Oh, oh, oh, no, they stole, they stole AnyConnect mobility client. I can't get that from any... Look at the juicy bits of name titles we made. Yeah, so it's, I think they probably, in a very controlled way, watched them, because they actually go down and list all their commands, everything they were doing. They also break it down here. Let's see, go down. They have the whole MITRE ATT&CK mapping in here. So they really did a nice job of laying this out, but this probably took a little more time. They have the hashes and the IP address used for talking to the C2 server. So I think they probably took some time to let these people... they wanted to gather intel, and they may have known the fences on the sensitivity of data and how do you egress and control at that point. I mean, it became a honeypot to some extent. Yeah, I was gonna say, if maybe the user did report it and they turned the user's account into a honeypot, 100% that would be, that'd be next-level awesome. Yeah, the one thing I will say, you know, when we talk about cyber security, for anybody who's still listening to me drone on: when we talk about cyber security, we think about it as identify our assets and our systems that are touching them, right? Protect, put out the systems, but most marketing focuses on protect. It's all about we're gonna be the best, we're gonna stop it all, no bad thing will ever happen to you. Then why the hell is there three-fifths of it after that? Because you have detect, which is figure out the boom, right, of boom being, you know... Respond: how do I stop it? How do I honeypot this account, you know, to shady guy's point down there, right? And then how do I then recover? And I think partially more value is gained in Cisco's response, right, than the failures in the front end and the weaknesses, because they'll always be there. So anyways, I'll get off my soapbox, but that's the takeaway.
I would say no. It is, and right here's kind of, in Cisco's response, you know, they observe the TTPs, they are looking at exploits, they created two ClamAV signatures of it. So Cisco's like, you know, merely putting this information back out there. That's what kind of leads me to think, once they've seen it and it triggered on their side internally, they let it, kind of like you said, turn a user into a honeypot so we understand the full scope of what this threat actor's capable of. They even commented, I like this, this proves they have a lot of detail in the logging. They said we noticed typos, so we know these were manually done, like we typo'd something here, typed out something there. So this is a threat actor being very careful in the thought of not just running... They may have a playbook, but it wasn't a script they were running on here. You know, you typo a few things occasionally. I know I do that. Well, if I recall, the three attributions that are being floated around are all somewhat intelligence-affiliated in some form, and so stealing intellectual property from a Cisco user is a very targeted human-at-a-keyboard... is not all that unexpected in my mind.
So yeah, I think a few takeaways from this are really simple. FIDO2 and user training are two of those low-hanging fruits. Simple as that: don't let people use the same personal devices they log into their personal Gmail and their work one. That is just, you know, even my work-from-home employees have completely separate workstations for this reason, because I just don't... the risk isn't there. You got to treat those separations. Oh, those, yeah, the FIDO2 keys, YubiKey being one of the most popular ones on the market, but there are others out there, and even the YubiKey is relatively affordable. They're just so simple to do, and if you really dig into it, I have a video where I broke down how, like, SSH works with FIDO2 and things like that. You look at some of the details, you're like, oh, that's just clever. And that's, yeah, think about how hard it is to get in the middle of it. I wish we had more support for it in, like, the common tool sets we use, especially as MSPs. As an MSP, like nothing I use supports it other than, like, GitHub, and like, yeah. But you can, but you can bring it in as a method of part of your MFA structure, so that as you do SSO and as you do extensibility of these tokens in different places, it works. And I'll give the five-second ELI5 on these. Essentially the difference is, with my cell phone, it's on the public switched telephone network. It can be stolen in many ways. It can be stolen on Signaling System 7 from a text message perspective, right? There's tons of things that can be done to attack that side. This is literally the eye of the beholder. There's only, I think, one side-channel attack against these. I think it's against the Google token, if I recall, the Titan token, they found a certain token. Yeah, but that's the only one, and they had to have it and pry it out of my hands and take this plastic piece apart. Even if you get my PIN number, that PIN is only to this. It has no transportability to anything else public-facing.
So FIDO2 ELI5 is: it is a cryptographic way of saying I'm me that's not reachable from the outside world, only by my fingers. Yep. Yep. Yep, saves you a lot of 2FA. That's a good one. And, uh, locking down PowerShell usage, making sure people aren't local administrators, pretty, pretty simple stuff. And obviously having high-level monitoring like Cisco does to be alerted to this. Yeah, a huge thing there, right? It's like clearly they had, like, Sysmon running on these boxes, because they were able to get everything that people did, and a lot of people don't do that, right? So once you have an incident, you're playing, like, Schrödinger's, like, breach: like, what did they do once they were in, right? Because you don't have any visibility into what was actually run. Yeah, they knew... I mean, they didn't just know the commands typed; they knew the typos. Yeah. Yeah, 100. The internet didn't work, go again, please. Yeah, absolutely. In the final further reading I'll leave people with is going to be the Darknet Diaries episode 36 with TinkerSec, which is called "Jeremy from Marketing." Great one, because it's a fun listen, because it's storytelling. It's a red team engagement, and it's basically a red team walking through everything they did with the, you know, obviously targeted adversary like Cisco was, and what happened next. And it's just a fun... I won't spoil the ending for you, but, uh, it walks through almost this scenario of living off the land, using PowerShell. These same type of techniques were used in that particular episode. So I always like to give people something to listen to, something further reading, and that one's fun. Also, I'll tag TinkerSec on Twitter. He's, uh, he's fun. Cool. So, all right, I'll leave links to where you can find more information about the shady guy and Matt, and of course our other video of How I Would Hack You. Uh, that's been a lot of fun.
I'll link you down below, and thanks. Yeah. And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and we look forward to hearing from you.