Secure With Celerity Episode 3
DAVID TAYLOR [00:00:18] Hello and welcome to Secure with Celerity, the show where we digest the week’s top cyber security news stories within 30 minutes. My name is David Taylor and I’ll be your host today. And we are going to be mixing it up this time with our guests. So I’d like to introduce Mr. Chris McCartney from Celerity’s business development team. Hi, Chris. How’s it going?
CHRIS MCCARTNEY [00:00:36] Oh, that’s going well.
DAVID TAYLOR [00:00:39] And also, we’ve got our Lead Cyber Security Analyst for Celerity who’s here every week, we’ve got Joshua Read. How’s it going Josh?
JOSHUA READ [00:00:45] Hello, how are you doing?
DAVID TAYLOR [00:00:45] And Josh obviously didn’t get the memo about the fantastic shirts this week. Maybe that’s a highlight of his superior knowledge in security compared to me and Chris. But hopefully we’ll balance that out.
JOSHUA READ [00:00:59] I only have mature selections of shirts.
DAVID TAYLOR [00:01:03] Yeah. All right, guys, so let’s crack on with our first story of the week. So this is about seven hardware-level vulnerabilities found in some computers, and it’s been going on since about 2011. So for about nine years now. It’s been… So Josh, what have you got on this one?
JOSHUA READ [00:01:23] Yeah. So essentially these are vulnerabilities, unpatchable flaws in the USB-C ports, which is the charging port on all new laptops and Android phones. It’s the rounded cable, for those at home. I don’t know much about hardware parts. It’s the rounded sort of old Android cable; it’s present in all Macs, mobiles, any new Windows laptops. And essentially the process of exploiting it has been released in an article online. The process is extremely easy to exploit. I think the PoC was demonstrated in 5 minutes 51 seconds. You know, if it takes that long, obviously this person had experience and had been practising, but I reckon you can probably get it down to about 4 minutes if it wasn’t on video. So it’s extremely quick to exploit if you have the tools available to you. But essentially, the process of the exploit is: the system must be in sleep mode. You take the backplate off the PC, then the pen tester attached a Bus Pirate to the flash storage unit which was holding the Thunderbolt controller firmware. He then connected it to his machine and rewrote the firmware so that the security level on the Thunderbolt port was changed from one to zero. Then he wrote back that firmware, went back to the laptop, then used PCILeech to load a kernel module into the memory of the laptop, and on the login screen literally put no password in and went straight onto the desktop. It was incredibly easy to do. I don’t think… this isn’t the first vulnerability that’s been found in the Thunderbolt port. Thunderspy is this one, and then there was the one called, it was Thunderclap, that was.
CHRIS MCCARTNEY [00:03:36] All great bad names.
JOSHUA READ [00:03:41] There seems to be a trend here, whether it is the fanciest name, and they all sound like police officer, detective codenames. Essentially, the Thunderclap vulnerability was back in February 2019, and it was a direct memory access vulnerability. And to patch that, they introduced the security level thing that Thunderspy exploited in this one, to patch the previous one. So the key features that they added to patch the last one are now being exploited in this new vulnerability. I think the penetration tester went to Intel and basically said, look, here are the vulnerabilities in your Thunderbolt ports. They were already aware of the vulnerabilities and they commented and said that they had no plans to patch or disclose it to the public. So this was done as part of research. Well, they apparently found more and are looking to release more information, and these will be so named Thunderspy 2. So definitely watch this space, there’s more coming in terms of Thunderbolt port vulnerabilities. Kind of like a movie kind of break-in sort of hack, isn’t it?
DAVID TAYLOR [00:05:07] Someone’s on a train or whatever. Someone goes to the toilet, the bad guy runs up, grabs the laptop, and within five minutes he’s got it open. He’s broken into a laptop belonging to a government worker or something like that. So I think that’s one thing, is that you’d have to be on it with the laptop.
CHRIS MCCARTNEY [00:05:24] Yeah, a good example. You know, in my job, I travel the country on the train quite a lot. So you would take three, four hour journeys, at 6 in the morning or at 9 at night, and you see people start on the laptop, and then they gradually fall asleep in the corner. Yeah. Perfect opportunity for the example you spoke about there, David.
JOSHUA READ [00:05:42] I think it opens up a whole new field of vulnerabilities, you know, because in every single organisation there are always cases of laptops being stolen. You know, you can have your remote wiping software, obviously, but that’s dependent on having an Internet connection. Essentially, you don’t need an Internet connection to break into a laptop without a password. And it’s a severe flaw. It’ll be interesting to see what Intel come back with on these newly announced vulnerabilities and see what they do to sort of limit the attack profile and stop it from becoming a widespread problem.
DAVID TAYLOR [00:06:28] So it’s definitely, definitely one to watch, especially as Thunderspy 2 is going to be coming out in the future. Should we take a little look at the next story?
CHRIS MCCARTNEY [00:06:38] Thunderspy 2, again, it just sounds like a kids’ movie, doesn’t it.
DAVID TAYLOR [00:06:45] So this one is, again, I think it’s the third month on the trot where there’s been quite a significant number of patches released on Microsoft’s Patch Tuesday, which might be a bit of a sign of the times. But yeah, Josh, what are your thoughts on this one?
JOSHUA READ [00:07:01] Yeah, this one. It is the third month in a row where they’ve had over 110 patches released as part of Microsoft’s OS and OS-based program monthly patches. Well, you know, the volume of patches released is frankly astounding. It always baffles me how many vulnerabilities they manage to fix, but obviously, how many flaws there are in their OS and their programs and how many have been publicly released. I mean, not all 110 patches are going to be affecting every single customer of Microsoft, you know. Unless you’re running a very varied and versatile environment, you know, encompassing every single Windows OS from Windows Server 2012 all the way through to 2019 and Windows 7, Windows 8, Windows 10, you’re never going to be vulnerable to all 110 patches. Well, you know, there’s two issues here. I mean, I’ve been following Microsoft patches for a while, and there are two issues I have with this. I think the first one is the sheer volume of patches: of the 110 that were released this month, 16 were critical and 95 were important. Now, from a patching point of view and from an infrastructure management point of view, how are you meant to prioritise patches when everything is either important or critical? You know, there’s no clear differentiation between the two levels. Critical is, oh yeah, it probably needs patching straight away. Important, again, if something is marked important, it’s in your best interest to patch it straight away. So, you know, I think that’s one of the main pain points for me, especially from the patching point of view and vulnerability assessment. But then I think also this week the way that they assess prioritisation of patches has come under scrutiny as well, in that traditionally CVSS scores assess a number of different measures.
So how likely it is to be exploited, the impact if it is exploited, and so on and so forth, are all encompassed into a CVSS score, which is provided to a vulnerability. Now, I think Todd Schell, Senior Product Manager at Ivanti, said that, you know, if you look at the exploit assessment tied to every single patch, it makes sense just to pay more attention to the vulnerabilities Microsoft have labelled as lesser importance, such as important or moderate. But then if everything is important or critical, how is it easy to work out? Satnam Narang, the Tenable employee, said as well that, you know, these vulnerabilities could be exploited: there’s two important vulnerabilities that could be exploited by tricking a user into opening a malicious email attachment or visiting a website. Now, to me, the exploitability of that vulnerability is so easy because it is dependent on how educated your user base is. If your users are known for clicking links and opening attachments in emails and compromising systems, then you’re going to be really, really vulnerable to that vulnerability. And I think it’s not just looking at the CVSS score as the best value for your severities towards patches. I think there’s other stuff that you need to look at, such as, you know, yeah, you use the CVSS score as the base value, but have they been exploited in the wild? How easy are they to exploit? What are the vendors saying? There’s a whole bunch of different areas you need to look at as well. It’s not just, oh, there’s an important patch. You need to look around those patches and say, you know, how easy are they to exploit? Are they being exploited in the wild? Has it been publicly disclosed anywhere on the Internet? Like the Thunderbolt vulnerability that we mentioned before, that one is very, very important.
There’s a YouTube video showing exactly how the researcher showed a proof of concept of how it can be done. Obviously it doesn’t provide the Python scripts that he uses to exploit the vulnerability, but that won’t be very hard to replicate. Well, it would be hard to replicate. But, you know, some of the security professionals out there that potentially would look to exploit this vulnerability, if they have the sheer will and determination, if they really know the process, they just need to work out the fine details and the nitty-gritty details. So yeah, there’s been an awful lot of patches. And basically, how do you prioritise something when everything’s important? Those are the two bottom lines for me. It’s a nightmare.
CHRIS MCCARTNEY [00:12:38] Coming from being in a lot of ongoing customer engagements to help improve security operations, you know, those two key points touched on: there’s so much information out there, so many patches coming through. And if you haven’t got much resource internally, you know, not much in-house IT resource, dedicating the time to trying to find out which are the important patches, which ones do we need to roll out, which ones do we need to focus on, and, you know, looking to outsource that functionality to a supplier who can do this patch management more often, you see real value in that. Again, touching on how educated all your users are as well, that was put on by the guy from Tenable. And again, I think we discuss this all the time, you know, your first line of defence is your end users, the human firewall. It doesn’t matter how much you spend on new security, on blue-chip technologies or processes. You know, it just takes one person to open one email and that’s it. It’s expensive.
JOSHUA READ [00:13:34] Yeah. I think the interesting thing here is Satnam Narang said the two vulnerabilities that were rated important by Microsoft, which are the Microsoft Color Management vulnerability and the Microsoft Media Foundation vulnerability, could be exploited by tricking you into opening a malicious email attachment or, obviously, a website which contains code designed to exploit the different vulnerabilities. Well, Microsoft rated these vulnerabilities as exploitation less likely, and they’ve given harder, well, vulnerabilities that require physical access or hard-mode advanced code, they’ve given an exploitation more likely in their severity rating. It would be good to understand how they grade it and, you know, how they assess the vulnerabilities, because I don’t know how you can say that something is less likely to be exploited if, you know, it can be pushed through phishing emails. That is the primary delivery mechanism for over 90% of cyber attacks. Yeah, that’s the bottom line. It’s an easy way of getting malware or credentials onto systems.
DAVID TAYLOR [00:14:58] Going back to saying there were about 95 important ones and 16 critical, you can imagine a company that does suffer a cyber attack, and then when the questions are being asked they go, all right, what patches did you do? And then, well, why didn’t you push this one? It was down as important. You know, it was important, but there were over 90 other important ones. It’s a great point. So I can see why it’s a difficult one. And you were talking about the trends, how this is about the third month in a row which has been over 110. Do you see this directly linked to sort of COVID-19 threats, or is it not just a…
JOSHUA READ [00:15:33] It’s difficult to say, because not all of Microsoft… you know, there seems to be a lot of vulnerabilities being released at the moment to do with remote working software such as WebEx and Teams, Zoom, all those types of platforms. What’s difficult to understand is, obviously, the old Microsoft Windows OS patches aren’t remote working. It just seems to be… I’m not sure whether, you know, the patches that they’re pushing now are causing more issues because they’re being rushed, because they don’t have the resource, or whether there’s other issues, or both, you know, essentially the volume of vulnerabilities. It could just be a coincidence that there’s that volume of vulnerabilities. I don’t know the exclusive details on that one. But yeah, I think it’s either an upward trend… I’d be interested to see the number of patches that are being released next month.
DAVID TAYLOR [00:16:33] Well, we’ll pay close attention to that one. Right, onto the next story. So the US government has warned of three new malware strains coming from North Korea, from the Lazarus Group. And I think, if I’m right, they actually announced it on the third anniversary of the WannaCry attack. Well, very timely. So I think we’ve got the names up on the screen already, Josh, but please.
JOSHUA READ [00:17:05] I think there were three advisories released by the US government and they were so named TaintedScribe, CopperHedge and, until now, of all names, PebbleDash. Again, it goes back to who comes up with these names. Essentially these three malware variants, malware types, were capable of remote reconnaissance and exfiltration of sensitive information. Basically spyware. According to the joint advisory by the Cybersecurity and Infrastructure Security Agency and the FBI, the three new malware strains are the latest addition to 20 or so malware samples by North Korea’s Hidden Cobra, more commonly known as Lazarus Group. Again, two very, well, detective names, as I like to call them. But yeah, I mean, the reports that the US government put up were very, very detailed. They told you absolutely every single indicator of compromise, every single domain, every single URL, and I had a look at some of the samples that they managed to get. And yeah, they’re basically just spyware. They’ll survey the system, see and read, you know, what information you’re typing in, that sort of thing. I mean, CopperHedge was the first of the three variants and that’s a normal, well, remote access Trojan tool capable of running arbitrary commands, performing system reconnaissance and exfiltrating data. And it’s been used by advanced actors to target cryptocurrency exchanges and related entities. So it would be interesting to see where this one develops. I think the US government found six variants of the virus. That is quite a lot, so it seems to be quite a sophisticated Trojan. We’ll have to see more about that one. The second one, TaintedScribe, this one was a backdoor implant which masquerades itself as Microsoft’s Narrator screen reader utility, which is present on all Windows systems, and it downloads malicious payloads from the command and control server.
So the server uploads and executes files as well, and even has the ability to create and terminate processes. That was quite a nasty Trojan. And finally, my favourite of all, the PebbleDash Trojan, is pretty much the same as TaintedScribe. It’s another Trojan with the capability to download, upload, delete and execute files. It can perform target system enumeration as well. So it is quite a sophisticated piece of malware. Well, the reports that are available on the US government website are very, very detailed and they have a lot of information. So from my standpoint, updating your antivirus software with the samples and the hashes of the files is the best you can do; blocking on your proxy, blocking the IPs and domains on your proxy that are mentioned in the malware reports as well, that’s also very important. Essentially, I think the 20 malware samples that were found by the US government earlier all have similar names to CopperHedge and TaintedScribe. This seems to be some sort of targeted effort by the US authorities against this Lazarus Group, but every little thing that happens is documented 100 percent, every little nitty-gritty detail.
DAVID TAYLOR [00:21:22] So I think we’ll put some links to this story and to those sample files, maybe in the show notes after we record, on our page. So anyone who wants to can go to the Celerity page; I will put the LinkedIn post up later on. This might be a silly question, but these guys, they use it… it’s probably going to target, I guess, government agencies around the world and stuff. Do cyber criminals get their hands on this kind of stuff and then target, you know, corporate companies, big global corporate companies?
JOSHUA READ [00:21:57] These malwares, they can be copied and used in a similar way. These malware types are usually unique to an attack group, and so they can be assessed. That’s how they’re associated to the Lazarus Group. I think they can be adapted in ways, they can be almost copied like for like. The architecture of the malware can be copied, and there’s a lot of development, especially on the malware front. When WannaCry was released by Lazarus Group, supposedly Lazarus Group according to the US authorities, the architecture and design of the ransomware was almost copied like for like, with slight adaptations made by the ransomwares, because it was so successful. So if these do come out as being successful and do come out as being, you know, deadly as such, we will probably see more variants of this. I mean, the remote access Trojan is used by numerous attack groups. The design of that is, well, it’s spyware, basically. Yeah. It’d be interesting to see the sort of organisations that are reporting and seeing these types of malware. I think I’ve managed to find samples uploaded to VirusTotal and ANY.RUN, which are basically malware submission platforms, and obviously you can’t see who submitted them, but there were quite a lot of submissions of them. So it will be interesting to sort of see and know who is being targeted by these malwares. I think the US government said that it was only cryptocurrency exchanges and related entities that were being targeted. Well, essentially, if it’s a good Trojan, it can be targeted at anyone. If they’ve got a business case and they’ve got a need to target particular healthcare institutes, then I don’t see why it wouldn’t.
CHRIS MCCARTNEY [00:24:07] I think you’re right about Lazarus Group as well. Back last year, there were reports of them targeting energy organisations like nuclear power, you know, a lot of green energy stations, and knocking them down and shutting them off as well. And there was a big report on the Indian nuclear power plant that they got into last year. Well, some.
DAVID TAYLOR [00:24:28] Very, very, very busy. Right. Should we go on to our final story of the day? So, yeah, this is quite big. I think there’s a report done by Salesforce that basically found that companies who actually paid up the ransom when they suffered a ransomware attack, their recovery costs were actually almost double what they were if they didn’t pay. Which I think might add fuel either way to the debate of whether organisations should be paying the ransom if there’s a ransomware attack. What are your thoughts, guys?
JOSHUA READ [00:25:03] Yeah, I mean, it has long been debated. Remember when ransomware first came to fruition, there was a lot of debate around, you know, how do you manage ransomware? A lot of organisations rushed to create regular backups and, you know, regular backup schedules. That obviously is the right way of dealing with ransomware. But then there’s also the human-centred part of education against ransomware, educating against phishing and that type of area. I mean, there was debate amongst some individuals around paying off the ransomware. Now, for me, that is a big no-no. Obviously your systems are important, but essentially, all you’re doing by paying the ransomware is boosting the economy of cyber crime. And obviously this report as well, it found that the average cost of holding your own and fixing the issues that ransomware causes was £593,000, whereas the average cost of paying the ransomware for a similar-sized organisation was £1.1 million. So it’s bang on the table. So it’s a no-brainer for me. Obviously there are incalculable costs as well to remediate the ransomware attacks that they had. It’d be interesting to see, I read a little bit of the research, but it would also be interesting to read the methodology of how they calculate the costs. But I’ve long been a believer of, you know, if you are infected with malware and your systems are encrypted, then it’s a failure of your security technologies and something for you to then go away and fix. If you don’t have a suitable backup solution, then maybe you need to look at a backup solution. The number of organisations falling foul of ransomware at this moment in time is massive. When it first came around, it was only the larger organisations. Well, it slowly went through into small organisations. And, you know, a lot of ransomware has the ability to travel sideways and upwards in organisations.
All it takes is one infected computer, and you can have your whole file shares, all your file servers, your email exchange encrypted in a matter of hours. So for me, paying the ransom might seem like the right idea, especially when you’re in the thick of it, and you’ve got managing directors breathing down your neck saying we need to get this, this and this done right to get back up. Well, essentially, it’s a failing of both your security technologies, and you also have to have the ability to roll back to a backup, and a clean backup as well. It’s not just rolling back to a time before the ransomware. There have been cases where ransomware has been dropped on a system or server and it’s stayed dormant for, you know, 20 days, or for months, and then it’s executed. And that’s where the danger really lies. If you’re doing air-gapped backups, then that’s all well and good. But if the ransomware has been on the system for four months and it’s sat there dormant, waiting for the time to go ping and then it encrypts everything, then, you know, you’ve lost four months’ worth of work.
CHRIS MCCARTNEY [00:28:58] Yeah, I think that’s right. I think, you know, as Josh said correctly, making sure you’ve got the security infrastructure in place to try and prevent this, but also very key, making sure you’ve got the education of your entire workforce. Again, going back to that point of, you know, the human element: your first line of defence is the human firewall, educated enough not to click on those links to get infected. But again, have an insurance policy in place. You know, everyone has a backup solution. They never really think about it. It’s kind of used in a worst-case scenario. Like you said, with the rising threat of cyber crime, it’s not just big, big firms anymore; they take what they want. You know, the solution is fit for purpose, delivers on, you know, your RPOs and RTOs, is fully automated and can be accessed remotely as well, given the time that we are in now. We still have those physical backups where you need someone going to site, so what do you do, you have to plug it in and do it all the way from the cabinet, versus having them outsourced in the cloud where we can actually take from any point at any time and upload it within a couple of clicks. That’s really key to make sure you can get your data fully back and be up and running and transacting business again. Really.
JOSHUA READ [00:30:05] Yeah, I think it’s 56% of those who did the survey, 56% of IT managers surveyed said that they were able to recover their data from backups without paying the ransom. Now, that’s the correct way of dealing with it, in my mind. Obviously, having an antivirus or some sandboxing solution on your air gaps is key as well. Understanding what’s been backed up, making sure that it’s safe to be backed up. You don’t want to be backing up malware, because then you just create almost duplicate copies of malware, which is another nightmare. The next story as well, Magellan Health, they have also fallen foul to ransomware, this Fortune 500 company. I don’t think any customer information was breached, or at least the report didn’t say any customer information was breached. It was employee data, which for me is really interesting. A lot of the time, the focus around breaches is what customer data was breached; when it’s employees it’s slightly different, because it’s the morale of the people fixing the breach that’s been impacted. I think it’s an American company. I think employee ID numbers, Social Security numbers, taxpayer ID numbers, and in limited circumstances, usernames and passwords were breached. But the source of this issue was a phishing email. Now, if you don’t educate your users against phishing, that’s a big, big no-no. That gets European entities fined by the Information Commissioner, because you’re not seen to be doing the best you can be doing in terms of your education to stop these issues. If you’re educating your users around phishing, then you stop the issue by nipping it in the bud. But I mean, the phishing email was impersonating a Magellan client, and the investigation that they did afterwards revealed that, prior to the launch of the ransomware, the individual had installed the penetration testing tool that we mentioned before.
It’s basically a textbook ransomware attack via a phishing email delivery. They managed to get into systems, gather information, and then, just as a sour turn, they’ve encrypted all the stuff on the way out. It’s quite brutal. It’ll be interesting to see, again, the full report after it’s been released. They’re holding back on information a lot of the time.
CHRIS MCCARTNEY [00:32:47] You know, end users, I think, you know, we’re always saying it’s the end users’ fault all the time and that they’re the ones that are getting it, but these phishing emails and phishing attacks are becoming more and more sophisticated. And, you know, it used to be obvious which ones were phishing; now we’re not even just talking phishing, there’s spear-phishing. Similar reports have come out on deepfakes as well, for phishing effectively. There’s a great use case where an organisation in Germany with the CFO this year… you know, so giving end users the tools and the education to be able to fight this, and not just leaving them in the dark, is key.
DAVID TAYLOR [00:33:22] Yeah, that’s well said. All right, guys. Well, unfortunately, that’s all we’ve got time for this week. So I’d like to thank you both for coming on. Chris, thanks for coming on. Appreciate you and your fancy shirt.
CHRIS MCCARTNEY [00:33:37] No, that’s fine. I look at ….values and the fact that I’m your second favourite Scouser. I want to know who your first is. I thought it was me.
DAVID TAYLOR [00:33:46] Our CEO is a Scouser. So, isn’t it.
CHRIS MCCARTNEY [00:33:48] Yes. Well, I suppose he pays the bills, does he?
DAVID TAYLOR [00:33:53] Keep him happy. So, yeah, thanks, Chris, for coming on. All right. Thanks very much for watching. You’ve been watching Secure with Celerity. Join us next week for another weekly roundup of the cyber security… Catch you then.