Season 1 | Episode 6
Stu McClure, Chetan Conikee, Chris Hatter, and Ben Denkers return for Episode 6 of Hacking Exposed, Qwiet Edition!
In this episode:
(00:15) Predator Spyware Attacks
- Zero click exploits
- Intellexa Alliance
- malicious spyware
- turnkey hacking solutions
- all-encompassing compromise
(09:47) Data Breach and FTP Vulnerabilities
- Data breach implications
- credential harvesting
- DNA linking
- metadata clustering
- password reuse
(19:27) Python and Cybersecurity Vulnerabilities
- Python core integrity
- Atlassian security issue
- MGM hacks
- social engineering attack vectors
Resources for this episode:
[00:00:45] Stu kicks off the discussion on Predator Spyware Attacks, delving into cases like US Congress being targeted and the situation in Madagascar.
[00:10:12] The hosts talk about Zero-click exploits, which are as scary as they sound like they would be.
[00:15:30] Intellexa Alliance
[00:20:15] Data Breach and FTP Vulnerabilities–from MGM Hacks to Atlassian Security Issues
[00:28:35] Python core integrity
[00:33:45] A deep dive into Cytrox Information and understanding Malicious Spyware.
[00:38:17] Social Engineering Attack Vectors
00:15 – Stu McClure (Host)
All right, welcome everybody. We are back with the HE podcast, Hacking Exposed, Qwiet Edition. This is where we make the complex cyber attacks of the world very, very simple to understand, or at least we try and do our best. So here we have today my esteemed colleagues Chris Hatter, Ben Denkers and Chetan Conikee. Once again, Ben is calling in from the latest penitentiary he’s been submitted to and how is that orange jumpsuit treating you, big guy?
00:47 – Ben Denkers (Co-host)
You know it’ll be the last time I ever wear orange.
00:51 – Stu McClure (Host)
I’ll tell you that he’s in the interrogation room. Yeah, the stark white background is rough. Yeah, it is rough, I’m not gonna lie.
01:00 – Ben Denkers (Co-host)
You know, I’m just doing some research for my next role.
01:05 – Stu McClure (Host)
Let’s be honest, he doesn’t want to be attributed to anything. And, Chris, where are you at today?
01:12 – Chris Hatter (Co-host)
Yeah, I’m reporting live from Lisbon, Portugal, out here with the family. I think the biggest challenge is bringing the seven month old baby. Well, I don’t have a terrible view, as you can see, so things were not bad at all. It’s been great, I’m adjusted. No jet lag anymore. So yeah, ready to rock and roll.
01:33 – Stu McClure (Host)
What about that seven month old to jet lag? How does that work?
01:38 – Chris Hatter (Co-host)
Not recommended. I probably won’t be traveling with him again for a person time. I think we’re on day three or four and it’s calming down a little bit, but yeah, I haven’t slept that much the last couple days.
01:52 – Ben Denkers (Co-host)
So, Chris, just think when you get, when you get back, you’re gonna have the reverse problem. So you get to deal with it twice. It’ll be fun. I don’t even want to talk about a brave soul.
02:01 – Stu McClure (Host)
Brave soul. Well, the wife is the bravest of them all. Let’s be honest. Sure, all right, guys, let’s get on into it. I mean one of the most fascinating and interesting ones. I think we should cover it. We’ll have to cover briefly, because there’s so much detail we might have to actually have a full, separate podcast to cover it, and that is the Predator spyware attacks. I don’t even know where to begin with this, Chris. I mean, guys, where do you want to start? Look?
02:31 – Chris Hatter (Co-host)
So this is a topic of interest for me. I’ve been very interested in the Pegasus software from NSO Group ever since I listened to a Darknet Diaries episode on NSO, so this stuff’s always been fascinating, especially because they target iPhones. And you know, I think people are notorious for believing that, you know, Apple is super secure, a lot better than Android, that’s that thing. But these really sophisticated attacks coming from the likes of NSO Group and the makers of this Predator software, for me they’ve always kind of been interesting and confusing at the same time, because people come out and say, hey, it’s a one-click exploit or a no-click exploit, and I’m sitting there thinking, what are you talking about?
03:10 – Stu McClure (Host)
So these are zero clicks. Yeah, these are. These are the worst of the worst of the worst. You can’t get any worse than this.
03:17 – Chris Hatter (Co-host)
Yes, and just to set the table, there’s a group called Intellexa Alliance, kind of a shadowy group of a couple of companies, and there’s a North Macedonian company named Cytrox. I don’t know if that’s exactly how to say it. Basically, Cytrox is the maker of the Predator software and Intellexa is the one who then goes and turns around and sells it to governments, other shady characters and whatnot, and ultimately, you know, it’s spyware, it’s targeting politicians, it’s targeting journalists, very similar to the NSO Group and what we saw with Pegasus. But on Twitter, no, X, I guess, I wanna just pull up this diagram because it has helped me kind of understand this notion of zero click. So I’m gonna share this. Hopefully people can see my screen. I wanna say thanks to John Scott-Railton for putting this together, because I think it really zeros in on things. You guys see this? Yeah, yeah, zero click.
So, in a nutshell, what’s taking place here is that you need to compromise or work with the ISP, essentially, so you can see, kind of at the top of this diagram, Telecom Egypt. And this 41 address is what is that? Vodafone Egypt, right? So in the middle of these two, on one side or the other, in terms of being on Telecom Egypt or Vodafone Egypt, there’s an injection box that sits between them. So, as the target is kind of browsing the internet, they get kind of fed a network injection that points them to this injection middle box, which is what’s serving up the malicious spyware onto the victim’s device. And so this is just kind of a simple diagram that helped me kind of understand what’s going on here.
05:06 I don’t know what you guys think about this, but it’s always very targeted, very sophisticated, and tends to hit the likes of journalists and politicians.
05:15 – Ben Denkers (Co-host)
The interesting thing you mentioned was the cost, right? And being able to essentially buy a turnkey solution to start your own hacking group, effectively, right. The initial pricing I saw, which I believe was from last year, was around 8 million euro, all in, which seems like a heck of a deal considering all of the malicious, nasty things that you could do to potentially earn your income back, right? Whether you’re just looking at spying on foreign nationals, or if you decide to leverage that data that you capture to, I don’t know, launch a ransomware attack, right, to get your initial investment back. So for me, I think it’s just, besides the effectiveness of the solution, right, the ability that you have to buy it turnkey. To me, I think that’s incredibly interesting, especially for the cost.
06:08 – Chris Hatter (Co-host)
Some of the articles that were posted, some of the analysis on the stuff, I mean it’s all-encompassing compromise. I mean you can get access to the messages, pictures, sent notes, contacts, text messages, I mean you name it. The Predator software gives you visibility into it, so it’s super powerful.
06:27 – Stu McClure (Host)
Yeah, I didn’t see anything exotic though, I’ll be honest, in terms of the capabilities of any other spyware that you normally have. I think the real interesting part of this story is the injection techniques, because you’re targeting Android, you’re targeting iPhone. You’re supposed to, well, not on Android, obviously, but on iPhone you’re supposed to only be able to install either a dev build that you’re owning and signing yourself, or something that’s from the App Store, and then, on Android, you can actually back it off and you can load your own APK, but you have to forcefully back that off. So how this execution is actually getting done, I think is a topic for the next podcast.
07:06 I think it’s perfect because this is, to me, the most interesting part of this. I mean, yes, you’ve got all the shady characters. You’ve got this, like you know, dark world of organizations coming together to give this power and capabilities to a lot of very, very bad people. That’s not as little that new either. Like, yeah, they’re just now getting a little bit more exposed. You know, obviously we saw with NSO and now with these guys. So I think the most interesting is okay, yes, they’re leveraging zero days for iPhone, right, and and these kind of.
07:38 And Androids. And Android, and so which ones, exactly, like, what are the payloads, and what is the actual exploit payload that’s getting sent, that’s executing in memory, somehow to give them access. And you know you’ve got to have something that stands the test of a reboot as well, because otherwise a reboot would just blow that exploit memory away. So I think we need to double back on this one next week or the week after so we can talk in more detail.
08:09 – Ben Denkers (Co-host)
What I’m hearing, what I’m hearing, Stu, is you’re gonna let me expense eight million dollars’ worth of cool new tech that we can play with. That’s what I’m hearing.
08:16 – Stu McClure (Host)
I’m telling you there’s some really cool capabilities inside of this thing. If you haven’t looked at the Amnesty International article on it, it’s probably one of the de facto best pieces of deep dive into any hacks we’ve seen out there. It’s right up there, top 10%. So I would take a look at that. We can send that as well off, but it’s really cool, and a very quick point that I want to add.
08:44 – Chetan Conikee (Co-host)
It just occurred to me, crossed my mind. You know, the common substrate across all APKs and apps is a keyboard, you know, and typically most of the phones let you load up custom keyboards for fast typing etc. So that substrate, if exploited, can act as a gateway without dealing with APKs.
09:07 – Stu McClure (Host)
Hey, we used to do, I mean, Hacking Exposed. You know, countless times we would go up on stage and we would do like a, you know, a backdoor mouse. As soon as you plugged it in, it became a network gateway and so everything went through the mouse, which then, of course, went through to our server and we could see everything ever sent on the wire. There’s a lot of those capabilities that Android, when I wasn’t, I mean, it makes sense, you know. You plug it into a keyboard, you can have access. Maybe you have the same vector path there. So we’re just speculating now, but we’re gonna dig into that one.
09:39 – Chris Hatter (Co-host)
All right, and there’s a lot some back there.
09:41 – Stu McClure (Host)
Yeah, let’s move on, though, because we got a whole bunch of stuff to cover. All right, we just saw this 23andMe hack. I mean this one initially just freaks you out because you’re like, wait, did I put my, you know, did I send my DNA to 23andMe? And now, who can exploit my DNA? Right, I don’t know if it’s all that bad, but I think it’s worth talking about.
10:06 – Ben Denkers (Co-host)
No, I mean, that was my first thought, right, is okay. Well, you know, with the process of synthetic DNA, you know, what was actually compromised, what can happen. And then you start to dig into it, to your point, and you know it’s still bad, but it’s not initially as terrible as I had, you know, put a place to in my mind for sure. Yeah, I mean, it would try to frame it up.
10:28 – Chris Hatter (Co-host)
We try to frame it up. So, basically, from what I can gather, 23andMe users unsurprisingly recycled their credentials. Attackers were able to get a credential dump. They would log in, you know, using those legitimate credentials that were harvested, and they would get access to a profile. That profile, if you’ve submitted, you know, your information and your DNA. Basically, what 23andMe is doing is linking your DNA traits to communities.
So you could go, let’s just say I was one, you would be able to go into my profile. You see my name, you know my age, all that information that you would assume. But you’d also see that I come from a Polish background. You’d see that part of my family is Irish, and so it tags me in communities, and an interesting one that would potentially come out would be like early settlers of Pennsylvania, as an example. So it tags you in these communities. But what it would also do with the DNA is tag relatives, so create a one-to-many relationship for the information that you’re able to harvest. So this is a bit of an assumption, but they did the credential harvesting. They compromised a certain number of accounts but then got access to a lot of different people via not only these communities, but direct DNA links, metadata associated with those linkages, and, you know, the interesting part here is just the clustering of information.
11:55 – Chetan Conikee (Co-host)
Right, there’s a lot of assumptions in here, say in terms of how this was executed, but for the most part, if you compromise a few accounts, those accounts might not necessarily carry the same trait, the trait to cluster them to an ethnicity, to a zone. So this has to be a little smarter than what has been proposed in the press, meaning, you know, they potentially first of all profiled a certain state of mind, first of all profiled a certain sector and zone. Because if you notice, by running a business, the business logic of 23andMe is they provide deals to conduct your DNA analysis and the seasonality of the best deals, meaning North America, South America, during Christmas get 25% off if you run your profile. So the question is, you have chaining of multiple vulnerabilities that have caused this extraction of data. So we’d love to hear more in the upcoming weeks.
12:53 – Stu McClure (Host)
Yeah, it doesn’t smell like there’s some huge exotic hack or usage for this stuff, but it’s something I think we need to think about, especially with our DNA going everywhere. I mean, especially when it impacts according to the court documents, it impacted Mark Zuckerberg, Elon Musk and Sergey Brin. That’s at least cited in the lawsuit. So we’ll see. I mean, someone’s got to be tracking the lawsuits involved with cyber breaches somewhere, but that, if not, that would be a great material research project for somebody.
13:30 – Chris Hatter (Co-host)
And I find interesting real damages. We should do that, but I mean, we’re still talking about passwords too, like recycled passwords.
13:38 – Stu McClure (Host)
I know we’re talking about. This is just gone of time, gone of password reuse.
13:42 – Chris Hatter (Co-host)
Password reuse, and it’s not sophisticated. It’s kind of the same things we have always been advocating not to do that are occurring to people, really, and so I mean in the reports it’s 7 million customers.
13:56 – Ben Denkers (Co-host)
So this isn’t like five accounts were compromised. We’re talking, and depending upon how they’re calculating that, like 7 million was a number reported to the media. So that’s just the common problem that never goes away.
14:08 – Chris Hatter (Co-host)
And that’s just one of the accounts.
14:11 – Stu McClure (Host)
But also, I mean you have to think about how do you get that many accounts? It has to be a botnet that is trying to basically log in with these passwords that have already been harvested from another breach or something else. And I mean, for you to get those type of guys, which are clearly sophisticated, you’ve got to have passwords that are being reused all the time, and I know we all do it too. I mean, we as cybersecurity professionals do it. I always say, dr Shield myself is the big problem for us. It’s like, yeah, of course we have that problem. You want to do two factor with every single thing, but even two factor can be bypassed. So you’re like give me a break, man.
14:55 – Chetan Conikee (Co-host)
It’s the same stories too, no matter what. Every week you wake up, same story, different twist.
15:02 – Ben Denkers (Co-host)
You would think they would have had some visibility, considering the massive amount of accounts that are being reported. Right, that’s what I would do. How do you not?
15:10 – Stu McClure (Host)
Catch this? How do you not catch this thing? I mean, I don’t know. I don’t want to point fingers because we don’t have the detail, and I consider every defender a hero. OK, no matter what level of competency. They are all heroes in my mind, but yeah, there’s clearly something else going on here. All right, guys, we got a bunch more to go through. All right, what about the WS_FTP vulnerabilities? So Progress Software is having a rough, rough couple of months, man.
15:40 – Ben Denkers (Co-host)
Yeah, and for those that don’t know, they’re also the producers of MOVEit, right, and so MOVEit was a thing we talked about on the podcast a couple of times in terms of the impact, and so now you have another product of theirs that has a remote code execution issue, a new deserialization attack that allows essentially an attacker to run commands and do things at their will. And again, I think one of the reports that I read said it affected like 2,900 customers, all large enterprises, and again it’s just a bunch of bad press and bad luck for the organization for sure.
16:21 – Stu McClure (Host)
Well, yeah, and this is a great opportunity to explain this real quick. So we tried to do it with the Progress stuff before. I think it doesn’t hurt to do it again and again. But so this is the CVE, I think the one we’re talking about really, CVE-2023-40044, which is this .NET deserialization vulnerability. So basically, .NET is the programming framework and language that is being used to build WS_FTP, and a deserialization attack, again, and Chetan, jump in, you’re my expert, but at a high, high level, it’s basically, you need to serialize to create a stream of data, and you do it in one way or another. But if you serialize, you have to deserialize on the other end. If it’s easily deserialized in any step in that process, you can actually put whatever you want into that stream so that it can execute. Is that basically the idea?
17:18 – Chetan Conikee (Co-host)
Exactly, I mean serialize. If you further simplify it, in every business you have one representation of your customer. You create an object to say this is my customer, this is their account, this is their transaction, and all that information is typically given. That’s represented as an object. What you need to do is figure out a way to convert it to bits on the network, send it back and forth, and it again takes the shape of the customer on the other side. And you need instruments for that. You need libraries to serialize and deserialize. So what these malicious entities are doing is figuring out ways to compromise that instrument so that they can serialize, deserialize anything of their choice, which is malintentioned. Exactly.
Basically inject into the deserialization process anything they want, which can then, of course, execute whatever if there’s a vulnerability in it, and more or less, I mean, to your point, it’s the tailwinds. Because first we saw the headwinds of MOVEit, now we’re seeing the tailwinds because many are catching up in patching. So still they are compromised entities, and now, as the CVEs keep piling up, what you can do is figure out ways to chain the CVEs together and increase your attack surface, more or less.
18:31 – Stu McClure (Host)
Yeah, all right, we got to move on. So there’s a Python discussion I think we want to cover. I mean, how would you characterize this guys?
18:42 – Chetan Conikee (Co-host)
So first of all, you have Python as a common substratum, a binary, which is just the compiler and the evaluator, which has to be installed in every operating system and in every package that’s carried on, and then you have the supply chain that comes with it, various utilities and libraries used by core Python and the community of Python.
19:04 – Chetan Conikee (Co-host)
So the two interesting plays are, the supply chain vulnerabilities continue, where someone with mal intent is inserting themselves into the development process, installing rootkits and then taking advantage of the distribution, and that just repeats itself, no matter what we say, speak or do on a weekly basis. At least what we’re seeing is some proactive, fundamental changes in how the Python core is being built today, which is creating something called verifiable artifacts. Because when you typically look at the build process, you have many community developers working in tandem and cohesion to build this core. So how can you make sure that they’re doing it in the proper way? So a good deal of measure is being infiltrated, you know, I would say instilled, in the process. So hopefully we’ll see fewer compromises because of this proactive measure.
20:01 – Stu McClure (Host)
And that’s what we’re hoping, right. So the changes inside of the development process of Python as a library and as a community, etc., are starting to be, I guess, taken a bit more seriously, especially around the integrity, right, of the build artifacts. That’s the key. So I am hopeful. In Python, I mean gosh, that thing is used everywhere, especially data science. I mean, I don’t think you can get a degree in data science without being a near expert at Python. So the AI community, let’s hope, will sleep a little bit easier and better with these changes. All right, Atlassian. So zero days, zero days abound.
20:47 – Chetan Conikee (Co-host)
Popular product Confluence, Jira, you know, I would say omnipresent in the development ecosystem, and this one’s an interesting one. I’d like to double-click into it. Typically, when we build an app, a web app, we are servicing the customer by providing value, and somewhere embedded in the app are admin controls. Like if you have a web route that’s a slash login, customer logs in, slash do something, serving the customer, and then somewhere in it you have a slash admin, slash services. Now these are controls that enable you to effectively administer the app. So someone figured out a way to compromise those routes and essentially expand their horizon of the controls and take control of the entire app. So some of the patches and the arguments are, you know, hey, when you deploy the app, make sure that your proxy web server does not expose these controls, which is kind of weird, because you’re again postponing the problem.
You’re saying I will not fix the app, but it’s not my problem anymore, let’s just blame it on the proxy guys because they exposed it Right, and it’s just again. You know how do you become a more effective developer? And I’m saying this again. You know, for the past few weeks I’m not reading about security, I’m reading a lot about gaming and in gaming, this God mode and mods and anyone is often not disparaged for creating mods there’s sorts of celebrate people who break and cheat the system, but not with mal intent, because these people know how to grok the system, they understand what the system surfaces and figure out ways to enter.
22:56 – Chris Hatter (Co-host)
My understanding of the Atlassian vulnerability is it applies to on-prem implementations of Confluence. First of all, is that right? Secondarily, it’s not, um, you know, most of the folks that I work with have moved this stuff to SaaS. I don’t want to, you know, say this is not as serious as it is. It’s just, you know, who’s really using Confluence on-prem these days? Hopefully, it seems, well. No, I mean, I see, no, I know many are, but like it seems like it should be moving.
23:26 – Stu McClure (Host)
No, but the way the Atlassian support article reads is, um, they’re exploiting a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances. Now, if your argument is, well, those shouldn’t be publicly accessible, okay, I think that’s fair. But I mean, how often do we see this kind of stuff pop up all over the place because people are testing or troubleshooting or whatever? And maybe by its nature and design it shouldn’t be, but it is something that is being obviously put up on the internet. And I would say, if you did a search on, um, what’s the, Shodan, these days, like for Confluence Data Center and Server instances, you probably would find thousands of them, right, yeah?
24:14 – Ben Denkers (Co-host)
You know what’s interesting, though? It’s a privilege escalation issue, right? And so, generally speaking, you would still have to have credentials, and then escalate those privileges, but that article you’re referring to says in some rare instances it can be remotely and anonymously exploited. I’d like to dig in and figure out exactly what that process looks like, because that’s typically something you don’t see as part of a privilege escalation. Like generally, you have to have an account, and then you’re escalating privileges, uh, you know, to that of admin or what not, but for some reason they’ve decided to classify this. In certain circumstances it can be done remotely and anonymously.
24:54 – Stu McClure (Host)
Yeah, the technique for how it is actually exploited is not really clear on this, so we’ll have to dig a little bit deeper. I think there’s a little bit more to this, but once they do get on, they have full admin rights so they can do anything they want. Um, it’s a serious deal, but maybe not too prominent of a problem. All right, let’s, uh, I guess my latest thoughts that I’d like to have are around.
Everybody heard about the MGM hacks and the social engineering vector of attack. Uh, it impacted Caesars as well, a bunch of other companies, but it looks like Clorox was also hit and they admitted that as such in their SEC security filings. And I think you know it’s an important pause here on this that back in the day, like when I was at McAfee and we got pulled into the Operation Aurora work, um, with Google and Intel and all that stuff, we saw the first real effects of having to admit that a cyber attack impacted revenues or may impact revenues, and I’m super happy and proud that these sort of things are continuing to get exposed. I know we now have the requirements. Um, that you must within, I think it’s.
What is it? Six days? I think you’re supposed to announce reports, um, on these kinds of attacks, but if they impact a business materially, they have to be disclosed. So I sort of applaud Clorox and the defenders in that scenario. Um, we consider all of them heroes, so we really appreciate all their work trying to prevent these kinds of attacks. But, um, all they have to do is find one way to get in. Yeah, go ahead.
26:46 – Chris Hatter (Co-host)
So I’m reading that net sales are expected to decrease by about 487 million dollars. It’s crazy. That’s significant right.
27:00 – Stu McClure (Host)
Um, it’s crazy, and it’s one of these things that it’s due to their order processing. So, apparently, whatever the bad guys got into, the one that impacted them greatly is the order processing. So they couldn’t process orders. And yeah, that’s a natural revenue loss vector, that’s no doubt about it. So that seems to be what’s happening.
27:30 – Ben Denkers (Co-host)
I’m just imagining like you’re riding a bike and somebody sticks a stick in a spoke and then like it’s just very difficult to get back up, right, and you know, I imagine it’ll be interesting to see how quickly they can recover from this, even after they’ve removed the threat, right, because like you kind of have to reboot all of your processes, you have to reboot everything, and so that’s going to take some time so you could see future losses as well, moving into the next quarter for sure.
27:58 – Chris Hatter (Co-host)
Yeah, I mean this is just their net sales losses, right. It probably doesn’t even take into consideration how much money they are spending defending, how much money they are spending recovering. I mean, this is significant. It puts into perspective, I think, when CISOs and security teams want to invest in tools and technology and people that cost a lot less than a half a billion dollars. Um, it’s certainly easy to play Monday morning quarterback, but there’s probably a lot of regret there in terms of decisions made or not made. I can’t say for sure, but that’s a lot of money to be leaving if I miss this.
28:35 – Ben Denkers (Co-host)
So it’s a great example to go show to the board why I need additional investment.
28:39 – Chris Hatter (Co-host)
It’s so hard to quantify right, and as CISOs, we do our best to quantify things. Um, it’s kind of a double-edged sword. Like you, I kind of like to see this quantification because to your point, it’s a phenomenal message to carry, but at the same token, I do certainly empathize with the Clorox leadership and the Clorox defenders there for sure.
29:04 – Stu McClure (Host)
Yeah, yeah, on the other side of the equation, I guess, for sure reports are that they engaged third-party security firms, so hopefully it’s one of the top-tier firms and they’ll get to the real bottom of it and be able to share it one day, because it’s not us doing so. You know, I thought us, but that’s.
That’s all right. You know they could think about us for the future. Um, all right, guys. Well, thanks again. Hopefully, everybody enjoyed it. Hopefully, Lisbon takes good care of you and those prison guards are nicer.
29:33 – Chris Hatter (Co-host)
Yeah, Ben, after they ride, or it works well yeah exactly, all right, thanks everybody.
29:38 – Stu McClure (Host)
Well, we’ll see you next time. All right, thanks guys.