Secure With Celerity Episode 19
DAVID TAYLOR [00:00:03] Hello and welcome back to another episode of Secure With Celerity. My name is David Taylor and I’m joined, as ever, by Josh Read, who is Celerity’s Lead Cybersecurity Analyst, and who’s just back from puppy training of all things. How’s it going, Josh?
JOSHUA READ [00:00:17] Not so bad, a lot of sleepless nights, but what can we expect?
DAVID TAYLOR [00:00:21] At least you’ve got a cute puppy at the end of it, right? I’ll just put it out there at the moment: we have now moved to a fortnightly cybersecurity show. So there might be a few stories from within the last two weeks, and expect us to be on a fortnightly basis moving forward. So, cracking on, our first headline of the show is that Zeppelin ransomware has made a return with a new Trojan on board. We talked about Zeppelin ransomware before and I think it went on a bit of a hiatus, but it is back with a vengeance, I guess.
JOSHUA READ [00:00:53] Yeah, it sailed back into existence after a short little holiday. The Juniper Threat Labs researchers, who have been watching this threat for the last couple of months, said they’d seen a wave of attacks through August using a new kind of Trojan downloader. From the samples that the labs analysed, the majority started with a phishing email, as ever. It’s the same vector that’s used in the majority of ransomware attacks. It’s the easy way in. Attached to that phishing email there was a Microsoft Word document, which was usually themed around invoices. I’m beginning to sound like a broken record here: phishing email, macro-laden document. You open the document, you click enable content and you’re infected. And that’s exactly what happened here. So once the user enables content, the macros run in the background and download a Visual Basic script, a VB script. That is basically the Trojan downloader, which communicates with a server, wherever it may be, in China or Russia or Ukraine, wherever they decide they want to put that server, and that downloads the Zeppelin ransomware, and the Zeppelin ransomware wreaks havoc. I’ve got a picture of the attack pattern on the slides that puts it in a better context. So the initial vector was that malicious document. The sample was run through a sandbox and it downloaded the VB script, and the VB script then pulled down the Zeppelin ransomware, which then encrypted absolutely everything. So as far as the ransomware goes, there isn’t much difference. There’s nothing really outstanding here. What was interesting was its methods of sandbox evasion. Usually with ransomware, to avoid being detected by a sandbox, which is basically a safe environment where you can run malware and see where it goes, they’ll do a dynamic analysis.
Well, this one did a dynamic analysis of the environment it was running in. It looked at the IP address, and if the environment was deemed to be a sandbox based on sandbox characteristics, it would sleep the binary for 26 seconds, which is usually long enough to evade the sandbox analysis. But more interesting, in the findings that Juniper Threat Labs produced, they found that the executable checks the computer’s language settings and geolocation, and if it’s in either Russia, Belarus, Kazakhstan or Ukraine, it doesn’t actually encrypt. Which is rather interesting, and probably means that the source is in one of those countries. It actually begins to sound like a state-sponsored attack if they’re whitelisting IPs on a country basis. But yeah, this is the latest campaign. It’s affected around 64 known victims that Juniper found, so it’s indicating, as you know, quite a specific level of targeting. Also, it was found that the majority of the targets were tech and healthcare companies in Europe and the US. So again, the tech industry and the healthcare industry are the two most targeted areas behind the manufacturing sector, just because of the rewards that attackers can reap from them both. There’s loads of stuff out there on this ransomware. There are, of course, indicators of compromise that you can use to update your AV definitions and email filters; those were the key findings that I found. So if you’re particularly concerned about that, I’m sure David will be kind enough to provide you with the link to the web page telling you what to watch for.
DAVID TAYLOR [00:05:52] I definitely will pop it on the video landing page after the show. Anything more on that one, or should we move on to our next headline?
DAVID TAYLOR [00:05:52] Definitely will pop it on the video London page after the show. With them just on that one? Or should move on to our next headline?
JOSHUA READ [00:06:00] Move to the next one.
DAVID TAYLOR [00:06:02] All right. So, the next one is that the National Cyber Security Centre has released a cyber threat warning for the start of the university term. I think we’ve covered it a few times in some other stories, but a lot of universities have been hit over the summer. I think it was more than 20 universities and charities in the UK being hit. Some of those included Newcastle Uni and Northumbria Uni, which is very close to home for us. And a lot of them were ransomware attacks. That followed on from, was it Blackboard or Blackbaud? Sorry, I never know how to pronounce it. But that was followed on from those. So it’s quite big that the NCSC has actually come out and said it, with an actual warning and an alert for people and universities to be on the watch. Is that right?
JOSHUA READ [00:06:48] Yeah, it’s massive, if I’m honest. I mean, over the past few months it’s not only been universities; there have been colleges, there have been high schools. Whatever school you go to, they’ll have a complicated network topology. They’ll have areas of the network which aren’t as well protected because they need it to be open, because they’ve got lots of remote students, especially in the current environment, which we’re in ourselves. Now everyone’s home schooling at the moment. Well, they were home schooling until obviously they went back. But, you know, it doesn’t surprise me. I mean, we spoke briefly about when the Blackbaud breach happened. That was a third-party vendor that was breached. Blackbaud is responsible for a lot of personally identifiable information for students, and essentially they were breached, and as a result the universities’ data was breached because Blackbaud was holding it on their behalf. It gets very, very complicated with third-party vendor breaches. There are a lot of complications, aren’t there? It’s a rabbit hole, so to speak. But yeah, the NCSC has come out and I think they’ve basically put their foot down and said we’ve had enough of this. And quite rightly so as well. I mean, Topline Comms, a digital public relations company, did a Freedom of Information inquiry earlier in the year, in July, and they found that 35 UK universities out of 105 responses have suffered ransomware attacks over the past decade, which is very, very high. What shocked me more was that there were 25 which had had no attacks, but then a further 43 which declined to answer.
But then, further on, one university reported 42 separate ransomware attacks since 2013, which is an average of 6.1 ransomware attacks a year. I was in disbelief when I read that. I was like, oh, it’s either a typo and they meant to put four, or... but my God, if you’re having 6 ransomware attacks a year, you would seriously be considering either going to the NCSC and basically saying help us, because you’re a public sector organisation, or really investing in cybersecurity, because that is ridiculous. Like, 42 separate ransomware attacks since 2013. But it doesn’t surprise me, as I keep repeating. I mean, according to the NCSC, they’ve dealt with several ransomware attacks against education establishments in August alone, which caused varying levels of disruption depending on the level of security the establishments had in place. Ransomware, full stop, is a pain. And there isn’t a one-stop way of fixing it. Either way, if ransomware manages to encrypt, I don’t know, 5 or 6 servers, that’s going to cause an outage. You can have backups. You can have a complicated network topology with isolation. You can have competent AV, you can have security luxuries such as a SIEM, but essentially they’re not going to be 100% effective, per se. If tomorrow there is a brand new variant of ransomware released and it hits every single PC in the UK, then there’ll be only a handful of security tools able to stop it based on its characteristics. So behavioural analysis of the file rather than, you know, the characteristics, like file hashes and traditional AV metadata. What I will say, though, is the NCSC is probably the best in the world at supporting its people, and they’re out there fighting this stuff. There are dozens of free resources available on the NCSC website for public sector organisations.
From documents to Exercise in a Box, which is basically a free online tool which lets you simulate cyber attacks and practise response, which is the key thing here. I think there wasn’t a lot of information released around the Northumbria University breach, or cyber incident; it was deemed a cyber incident. It wasn’t confirmed whether it was ransomware or not. But it seemed to drag out for an awful long time, especially in the media. So, you know, in summary then, you never really get the full story, and it’s always a diluted fairy tale of, oh, the whole server room blew up. So of course it’s probably going to be embellished a little bit in the media, as it always is. But I think the NCSC noted that RDP sessions, vulnerable software and hardware, and phishing emails were the main entry points at the start of the ransomware attacks that they witnessed in August. So I think this was a hot point for the NCSC; I think the information they provided is based off what they had witnessed in August. Same as everything: patch. Make sure that you don’t have any RDP portals available on the world wide web. That is just a recipe for disaster. All it takes is a quick Shodan search and, well, you’ll find a public RDP portal. And one thing that people forget is it’s not just software patches. It’s hardware patches as well, firmware. We mentioned it a couple of weeks ago on a webinar. How often do you patch your actual physical home router? How many times do you apply a firmware patch? A lot of people won’t know how to do that, but there will be inherent vulnerabilities in that router that have been around for years and years and years. And people just don’t deem it worthwhile touching physical appliances.
You know, there could be a time where you have an IoT fridge and you have to apply a patch to your fridge because people could DoS the whole fridge and turn it off, and that’s the landscape that we’re going down into. Now, all these physical appliances with Internet connections are potentially vulnerable because they’ve got an Internet connection and could be remotely tampered with, you know.
DAVID TAYLOR [00:14:08] I’d be so angry if someone turned my fridge off, like when you were away at work or in quarantine one day. Maybe that’s our future. Do you think that unis are seen as quite a highly profitable target, because unis must make so much money? You think how many students there are, tens of thousands, and I guess what they’re paying in fees now. And do you also think that public sector organisations are more likely or less likely to pay a ransom?
JOSHUA READ [00:14:38] I think that is difficult to say, because each organisation is different and they’ll have different sort of security levels and ideas on what they should do in the event of a cyber attack. But I think whenever you delve into the public sector and critical infrastructure, such as education or networks or healthcare, areas like that, there is an inherent prioritisation, above all else, of keeping the services running and keeping the lights on. And if they go out, then there are going to be catastrophic repercussions. So that’s why cybersecurity in the public sector has always been pushed, brushed under the carpet. It’s not a priority, but really it shouldn’t be like that. You know, for a university, that money comes from providing education to the masses, and if that whole online learning portal is down, they might not lose that much money in the long run because people have already paid their tuition fees. There’s the reputational damage as well, which is also, you know, associated with…
DAVID TAYLOR [00:15:56] …It feels like, you know, a few months over the year.
JOSHUA READ [00:15:59] The one university hit 42 times across the last seven years. I wouldn’t go to that university, obviously, because I’m a cyber security professional, but, you know, if I had found that out before I applied, when I was on the UCAS portal, I’d be like, oh, hang on, they’ve been hacked 42 times in the last seven years. It would make me think twice about it. And that’s the exact same scenario that people think about as well; it’s the long-term repercussions.
DAVID TAYLOR [00:16:31] Yeah, no, I mean, I have a feeling that’s probably not gonna be the last time we hear about a university being hit with a cyber attack or ransomware attack, any of them. All right. Moving on to our next story. So we’ve covered Magento before, but this time it’s actually a Russian hacker who is selling how-to videos on exploiting unsupported Magento installations to skim credit card details, for the cheap, cheap price of five thousand dollars. Is that cheap or not?
JOSHUA READ [00:17:03] In relation? Yes, definitely cheap, considering how impactful Magecart can be. I mean, all we have to do is look back a couple of years to British Airways, and they got royally spanked by the government for basically the whole cyber attack. They took massive reputational damage and the amount of money they had to pay. And that was all because of a Magecart attack on the British Airways website. This is basically like version two, and it’s been dubbed CardBleed.
JOSHUA READ [00:17:43] So I think over the weekend, almost 2000 Magento 1... Oh, sorry. Okay, I’ll rewind. Magento is basically the infrastructure around sort of online shopping. I think it’s by Adobe, although I don’t want to embarrass myself here, but that’s all I know. Over the weekend there were over 2000 Magento 1 online stores across the world, which have the Magento backend, that were hacked in the largest automated campaign to date. It was typical Magecart: injected malicious code to intercept payment information from unsuspecting customers. The affected stores were found running Magento 1, which was actually announced end of life last June. So people really shouldn’t be running Magento 1, because it’s already end of life. So I don’t know why they’re still running it. As with everything Magecart, it’s dangerous because a lot of the time it can go unnoticed. It isn’t seen on the front end; essentially a weak object built into the back end of the store places it on the front end. Extracting credit card information is so valuable that there’s an unlimited amount of money you could skim away from transactions on that website. If you hit someone, let’s say you’ve put a Magecart skimmer on the back end of Amazon, how much money does Amazon make every single second? I mean, that’s the value of these Magecart skimming attacks. It’s not really in the tool, it’s more in the victim choice, if you manage to get someone big. But yes, the people who found this estimate that tens of thousands of customers had their personal information stolen over the weekend via one of the compromised stores. So it’ll be interesting to see how much news coverage this gets in the next couple of weeks, especially. But more interestingly, going back to the title of the story, on the dark web beforehand it was identified by Sansec that there was a user
basically selling a Magento 1 remote code execution exploit method for five thousand dollars. And it included instructions and a video. So it’s basically an IKEA flatpack, build-your-own-wardrobe. And allegedly no prior account was required. The seller stressed that because Magento 1 is end of life, no official patches would be provided by Adobe to fix the bug, which renders the exploit extra damaging to store owners that are using the legacy platform. But then, to sweeten the deal, they actually put this in the forum: to sweeten the deal there would only be 10 copies of this dangerous exploit. So obviously he’s built this and he’s only going to sell it to ten people, which I found quite odd, but I suppose if he’s made 50 grand, then he’s laughing. But yeah, I think there’s the concept of a multimedia video being used to sell something. It’s much more effective if you’ve got a video demonstrating the effectiveness of this exploit tool; then they’re going to be more inclined to pay. They get to see what the tool can do, they can see what they’re buying. It’s a weird concept. It’s not something that’s been really widely used, especially on the dark web, which is all secrecy in itself. Yeah, just give me the money and I’ll send it, you know. But this is very user-friendly cyber crime, as I like to call it.
DAVID TAYLOR [00:22:02] Well, this seems to be a bit of a shift, isn’t it? Like a lot of cyber criminals are selling their tools and their services. So you’ve got this, the how-to videos. I think there’s ransomware as a service. I think you can get DDoS for hire. So it’s kind of making it more available to, maybe, the public. Is that right? Yes. So that’s obviously not helping the people who are victims of it, but it will be interesting to see what else comes out on the back of that. Do you think the videos, you know, how you said a lot of cyber criminals are sort of, you know, it’s all behind smoke and mirrors or in the dark? No one wants to reveal themselves. It’s all codenames and stuff. Is there any fear that if you did do a video and somehow the authorities got their hands on it, if you were to speak on it, it could be analysed and one of the authorities could find you that way?
JOSHUA READ [00:22:56] Well, I don’t know, really. I didn’t actually get to watch the video. I would have thought it would have just been a screen recording of a VM that they would have made, that would have been completely anonymised, IP-wise and identity-wise. I don’t think they would ever have put a face or a voice to these videos.
DAVID TAYLOR [00:23:20] Maybe not. All right. Anything to add on that one, or should we move on to our final story? Which is a bit of a funny one. This is a story that ex-Australian Prime Minister Tony Abbott was hacked. Basically, he put up an Instagram post of his boarding pass a few months back, I think in March. And from that, there was a guy, I guess we’d call him a hacker or an ethical hacker. He then saw that, you know, you had the boarding pass number. He must’ve gone to Qantas; he was flying with the Australian airline. Put in the boarding pass number, go to the website and then sort of have a look around the HTML code, and actually get his passport number and his telephone number and some other comments where I guess staff had been noting that he was, you know, maybe a window-seat guy, I’m not too sure. But, yeah, I mean, it’s a big no. I think I feel like even before I came to work at Celerity and got involved in cyber security, I always knew that you should never put up a photo of your boarding pass. I thought that was just bog standard.
JOSHUA READ [00:24:30] People would be surprised. They would be surprised at the amount of boarding pass pictures. Just out of interest, I read the blog this guy did, and it was incredibly funny, like one of the most humorous blogs I’ve ever read. It was just full of sarcastic humour. It was just my type of humour. And he basically said, right from the start, go on Instagram and search #boardingpass and it’s basically a minefield. Literally, they couldn’t have scanned it with a brand, you know, brand spanking new printer any better. It was actually just a boarding pass like you’d have in front of you, with the barcode, the booking reference, you know, absolutely everything. And that was what the pinpoint was here: Tony Abbott put up a picture of his boarding pass, but he also put up a picture of his baggage receipt, and that had his booking reference on. And the funny thing is, the blog went through how he tried to do it, so he got a barcode scanner on his phone and he tried scanning the Instagram screen of the barcode on the ticket, and it didn’t come back. So he looked through the image more closely and he saw this booking reference. So he went on Qantas’s website. There was a Manage My Booking page, as I’m sure everyone who’s booked onto a flight will know. You put your booking reference in, and all it asked for was his last name. Now everyone knows Tony Abbott’s second name. So you put Abbott in, and lo and behold, he was then managing the booking for Tony Abbott, and he literally could have moved seats for him. He didn’t do that. It was strictly ethical. Although he has been hiding for the last six months, just in case. After he got into Qantas, into the actual booking, he was going through and couldn’t find anything on the front end. There was nothing that was really standing out that you didn’t know already. So, booking reference, and what you’d see is all the flight information, where he’s going to. Where was it, London?
But then he did the hacker’s favourite: right-click, Inspect, which is basically looking at the raw HTML code, and you can basically look at a snippet of the back end. And in that, I was actually shocked at this, I’ve put it on the screen. There was a picture of his passport number, and he managed to find his phone number after. And the way that he did that is he did Ctrl+F, find, and put in the dialling number for the Australian extension, which is plus six, six, seven. And after that, it was actually just there; the number appeared like four or five times in the metadata of the page. Yes, it’s on the screen, the orange bit. That was all of the information that you needed. Then he sat there and thought, oh no, I’ve accidentally got the prime minister’s passport number and phone number, and he tried ringing him to see if it actually was him, and it went to his answerphone. It was actually Tony Abbott. So he was like, I need to inform someone of this. He went to the National Cyber Security Centre for Australia and said, I’ve accidentally stumbled upon the prime minister’s passport number and mobile phone number, what do I do? And they were incredibly chill about it. They weren’t bothered at all.
DAVID TAYLOR [00:28:39] He’s the former prime minister, isn’t he? He’s now the UK trade advisor or something.
JOSHUA READ [00:28:48] What an appointment that was. And basically the cyber security centre was like, yeah, okay, we’ve got your evidence. Then he went back to them and said, can I put this in a blog? And they were like, um, I don’t know, really. So he did it. He put it in the blog. It was a great read. I think, David, you should link it; it is incredibly funny. Yeah. And he’s also gone to Qantas and told them that their website is terrible and needs fixing. And I was shocked at how bad it was, like, from such a leading company as well, like Qantas. I mean, they’re recognised worldwide. And you basically just go on their website; there was nothing stopping you putting in a booking reference and the last name and finding the passport ID. So, yeah, in summary, it’s both Tony Abbott’s fault and Qantas’s fault. That’s one of the things: Qantas should have a better built website, you know, especially for an airline company. And Tony Abbott should know better than posting boarding passes on his Instagram. For those people watching, don’t put your boarding pass on Instagram.
DAVID TAYLOR [00:30:04] Don’t put it up. All right, is there anything else that someone might take a photo of? You know, it’s like a boarding pass, that is just a big no-no. Obviously not your driving licence and your actual…
JOSHUA READ [00:30:22] Cards, your computer screens.
DAVID TAYLOR [00:30:28] Would it be maybe like, you know, if you buy something and you take a picture of it, like a screenshot of, I don’t know, you bought Glastonbury tickets, if that ever happens again, but, you know, things like that, could people maybe get reference numbers from there?
JOSHUA READ [00:30:39] Yeah, essentially it’s dependent on what the website is. I mean, it wouldn’t have been an issue, but the whole lack of security on the Qantas website basically allowed cyber attackers to do what they can do on that website.
DAVID TAYLOR [00:30:53] And it’s a prominent figure as well, isn’t it? It’s not, you know... Yeah. I mean, you look at that. And, yeah, definitely not. You know, if someone else does that, any politicians or high government advisors, you definitely don’t want them getting passed over to members of the foreign press. So that’s a good show. So, everyone watching, make sure you’re not putting pictures up of people and places, and anyone who’s an airline, maybe just sort your websites. So, anything else? Anything for anything else?
JOSHUA READ [00:31:28] Well, privacy is a luxury; make sure that you keep it that way.
DAVID TAYLOR [00:31:32] Well said, that’s a great point to finish on. All right, guys. Well, that’s all we’ve got time for on this episode of Secure with Celerity. Josh, thanks for your input as ever. And catch us in two weeks’ time for the next episode of Secure with Celerity. We’ll see you then, guys.