Secure With Celerity Episode 1
DAVID TAYLOR [00:00:03] Hello and welcome to Secure with Celerity. My name’s David. I’m gonna be your host today and I’m going to be joined by our Chief Technical Architect for cybersecurity, Steve Laidler and our Lead Analyst, Joshua Read. Hi, guys. Yeah. Are you doing. Oh, I see you got the memo about chequered shirt. So let’s dive into what we’re talking about today, so we put the show together to give people an opportunity to hear about the top cybersecurity stories. But not everyone’s got time to be the best social feeds on reading deeply into the news stories. So we’re going to have a look at maybe four or five stories, some explanations about what happened and yeah, let’s go. So first story we’re gonna talk about today, how a GIF could have opened the door to Microsoft Teams? Josh, do you want to take the lead on this one?
JOSHUA READ [00:01:01] This one’s quite an interesting one. So it was a wormable-like vulnerability in Microsoft Teams. It’s like what I had mentioned two weeks ago on the last webinar I did around remote working has been the target of vulnerability aged sons of Patchin and put bounties is this one. All it required was the attacker to and that remote code within a GIF image. It was incredibly easy to do. I almost tried doing it myself possibly patch now. So you were craft a GIFt you gave. It would have a link embedded within it. That would be sent to a user. And then subsequently the user would then provide the attacker with a Teams account access token. The access token could then be used with the API to pull the chat history, all the history with that user in HTML format. It was quite well, and then there was a proof of concept. This is where the wormhole command is. There was a concept where you could, it was like a multi-stage attack so you could spoof the domain. Pretend that you are a new user in the organization and then send a message to one of the users in the organisation. And then subsequently just work your way to the organization. Collect chat histories. I know, I’m well aware that people send passwords on Teams will always happen to be other confidential information that’s conveyed across these platforms. That’s why it was so deadly. I think that patching now. So the impact is minimal but mean this would be the first of many remote working software. It’s just going to be a trend over the next couple of months as we’re in luck. The priority of remote working software will always be the precedent, especially when we’re working from home and especially the patching of the said platforms.
STEVE LAIDLER [00:03:28] And this sort of popularity of the platform almost drives the, you know, the impact of, you know, the cybercriminals trying to exploit them. You know what I mean? Anything gets popular, then jump on the bandwagon for that. Obvious with Teams, and Zoom, and probably a myriad of other remote working and remote conferencing facilities that have maybe never enjoyed, certainly enjoyed a lot of popularity. And now the whole world’s realised that they can actually work remotely. So it becomes more of a more target and you want to do other things as you integrate with other chat technologies as well. You know, allowed people outside the organization to actually have some sort of impact on the Teams platform as well. So otherwise, it probably will be quite difficult to get into to get it into the organisation without the, you know, the external integration. But, yes, you seem to be a bit of a nasty one.
DAVID TAYLOR [00:04:30] From a non-security side of things like GIFs are always going to be funny.
STEVE LAIDLER [00:04:34] Yeah, exactly.
DAVID TAYLOR [00:04:35] Can convey your emotions, you know. If you’re out of words.
STEVE LAIDLER [00:04:38] If you look at that GIF you know what I mean? With the cat, with the big eyes. It’s from Shrek, probably just always gonna leave a click on please click on this.
JOSHUA READ [00:04:54] The proof of concept that they did. That they sent a guy called John a message with a whale from a water saying whale, hello there. Obviously, people are going to be. And that was the danger with it. And they then we’ll send that GIF on to their friends and then the same crafted token, crafted GIF he’s been sent throughout the organization because it’s funny.
STEVE LAIDLER [00:05:20] Again, it’s all down to social engineering, isn’t it, playing on people’s weaknesses to click on these things without stopping to think about them. It’s even more, probably even more dangerous than it really is. A cute GIF.
DAVID TAYLOR [00:05:37] I’ve got the Microsoft Teams attack workflow. Josh, I think you were just talking about it. How it was working. Just watch now. Put it on the screen.
JOSHUA READ [00:05:50] It’s a very complicated diagram, but essentially that’s the flow of how the attacker obtains the authentication token from the user. It looks complicated. I guarantee it is not complicated to do. The proof of concept video that I watched was five minutes long. Usually concepts can go on for quite a while and then the show and every little nitty-gritty detail. That did show a little nitty-gritty detail, but it was not short and that easy. It was five minutes long. And, you know, it was incredibly easy to exploit. I do want to see a GIF that makes its way all the way up to a CEO, CFO to CEO, though, just workflow.
STEVE LAIDLER [00:06:36] Well, there’s no guarantee that that cat wouldn’t, you know?
DAVID TAYLOR [00:06:41] All right. So we move on to our next story. The World Health Organization confirms email credentials leak. Remembering reading about the story, I think, is about 450 active email addresses and passwords. It sort of found its way onto the Internet.
JOSHUA READ [00:06:59] Yeah, it was and initially, they were found on Pastebin and then linked to that Pastebin basically like a massive textual storage facility and then a link to that Pastebin archive was the ends on 4chan, which is notorious for its hateful and extreme political commentary. And then after it was posted on 4chan it was put on Twitter. And far-right extremist channels and Telegram, which is a message. So there was a lot of email addresses, different organisations. The World Health Organisation was in that. Willowbank Centres for Disease Control and Prevention. The National Institute of Health. Yeah. I think the National Institute of National Institutes of Health had 9000 that addresses and passwords included in the textual list. I mean, I think they’ve had it. They’ve had insider employees of the World Health Organisation come out and said that the password complexity is terrible in their organization. There was 48 people had the password is their password of the 2000 users. And then there was so there was hundreds of users that had just a first name or change me as their password. That literally they will be the top of every single common dictionary attack password list. The hackers will have it. I’m not it’s no surprise. You know, there might be an up and then send deficient email from internal user. It’s a common tactic. Well, yeah, it’s no surprise whatsoever.
STEVE LAIDLER [00:08:55] In a very timely sort of really nation as well given the COVID-19 Coronavirus and you know, everything to do with medical or health-related institutions.
DAVID TAYLOR [00:09:12] Right. Zero efficient attacks. Obviously, everyone knows everyone’s you know, a lot of cybercriminals are played on the COVID-19 pandemic. And one of these is official low. Whereas someone gets sent an email from but say, I don’t know a contract suspension might even sort of fellow in the title. And I’ll say you need a meeting with HR. You’ll click on the link and it’s not really going to take your credentials from you. Is that what’s going on?
JOSHUA READ [00:09:40] Yeah, this is really interesting the tactics, I’m in awe of it, it was very well executed. The context I’m talking about here the context of the social engineering attack was phenomenal. There’s nothing more worrying at this moment in time than receiving an email from your manager or your organization with the words contract suspension or termination trial. If I receive the email, I click it straight away and I’d look at it regardless. And that’s the thing. It is the distraction element of this social engineering attack is the key element. It’s distracting people away from the fact that the URL might not be genuine. The email address sender isn’t from the old demand. You’re more focussed on the facts on the subject line contract suspension or termination of termination trial. And, you know, it’s also great on the part of what to comply with authority as well. If you receive termination trial, you’re gonna do everything in your power to comply with what you’ve been told in the email. And that’s the main element is here. It’s people wanting to comply with what they deem to be.
STEVE LAIDLER [00:10:55] Something important.
JOSHUA READ [00:11:00] I think there was a link then they were saying to a fake Zoom domain. And I mentioned this previously in my presentation of the week around how there was a boom in Zoom fake Zoom domains that were developed and published online on the web. So obviously, this come to fruition and these attacks and I think obviously were taken to this fake Zoom domain. You were then asked to hand over your corporate credentials because it was claimed that this was your organization synched Zoom, which yeah, it’s ridiculous. Both. I think it will have got some people.
DAVID TAYLOR [00:11:44] Do you think that somewhere on the dark web or would have thought is like people doing classes on sort of social engineering text?
JOSHUA READ [00:11:55] There is someone you can find them on YouTube. You know there’s numerous videos. Very easy to find on the website. On the web of how to execute these cyber types of attacks. And it’s scary. But, you know, what can you do that people claim it’s in the art of education and it’s educating users. Nine times out of ten it’s not is teaching people how to become cyber attackers.
STEVE LAIDLER [00:12:29] But again, this one is another example of preying on people’s like kind of the social element. What are these? A lot of these attacks are all very human, human-centric, human-focused and, you know, slightly different angles on people’s emotions to get the result.
JOSHUA READ [00:12:50] Yeah, that buys you know, that at this moment in time, I don’t think there was any other method of vector that could be as successful as HR you know, one thing that people are worried about right now is, will I be able to retain my job throughout this lockdown? Money issues, those types of things. And that, you know, if you receive an email in relation to any of those topics, you’re going to read into it and you’re going to look into it.
STEVE LAIDLER [00:13:20] It’s almost like if you think about it and, you know, the social engineering methods tend to tend to piggyback whatever, whatever the thing of the moment is. Yeah. But with this one especially, you know, it’s almost like the stakes have been raised a bit higher in the human response is not a little bit more than an ego. If it had been something a little bit less kind of high importance, et cetera, then maybe people will stop and look for put up with this type in all this. They just click on things that got a little bit quicker, if we maybe that’s a perception that you know people will perceive in people a lot more frantic about their responses to this.
DAVID TAYLOR [00:14:07] Yeah, it depends what they use it as well. I know. You know, we all use teams that should we be able to use Teams and not to use Zoom or Webex for that call so maybe getting a HR from Zoom might be less inclined to click just because you’re like, why would I be on Zoom of all places?
STEVE LAIDLER [00:14:27] It’s like Josh says so it’s you know, it’s that distraction thing, isn’t it? Distract me with the bold sort of you know, that makes you ignore all the rest of the evidence that’s in front of you. Yeah. Phishing 101 I think.
DAVID TAYLOR [00:14:49] Let’s take a look at the next story. Josh, you’re pretty keen on this one.
DAVID TAYLOR [00:14:57] This one’s really annoyed me. So, South Yorkshire Police and Sheffield City Council. Basically, the powers that be put a basically a management dashboard on the worldwide web of its basically back-end database to the ANPR system for South Yorkshire on that dashboard. There were 8.6 million records of road journeys made by thousands of people across five months. So it was basically the internal management dashboard for the city council and police. It could be accessed by simply just entering an IP address on a web browser. But that isn’t really what annoys me. It’s more the privacy element of it, there is no consideration for privacy in this at all. You know the reports that I read into the dashboard, what it held, what it was doing was phenomenal. I was in disbelief that they were actually doing this type of thing. The privacy expert said the ANPR use must be proportionate to his problem. He’s trying to address is not supposed to be a tool of mass surveillance. Both the council and police have a responsibility to ensure that they use proportionate and subject to their protection impact assessment. They both must now both explain how exactly they were using the system. How they use is consistent with data protection rules, how it came to be. This data was exposed. And what the changes they’re going to make. So it doesn’t happen again. Now, you know, I feel a bit uneasy about this, to be honest because I can guarantee that won’t be the only city council. Out there doing this and you know that there were 8.6 million records of vehicle movements. By the time, location and a number plate that could be searched through and you could track accounts journey from ANPR camera to ANPR camera. There’s some screenshots on the screen. So basically, the number plate where you start this national why was the first ANPR outcome of the picture and the finish from. Now to me, it seems like a very slapdash way of support and remote working.
So all of a sudden COVID-19 mark so we need to get this out so that people working from home or in remote locations can access this without, you know, having to VPN in, which seems such a mundane task. No, it isn’t. But due to the configuration was astounding and there was also a separate AP account, as well as an additional link to dress of a storage drive filled with raw ANPR images, which could have easily been forced by the cyber attack. There was also the IP addresses of every single ANPR camera that was exposed in the Sheffield and South Yorkshire area. So yeah, they also had a live-updating map, which on any dashboard is quite good. But on this one, it was terrible. It could allow you to pinpoint the precise location of a vehicle. As it showed up on ANPR systems in real-time.
DAVID TAYLOR [00:18:55] I think I been a bit naive, but I didn’t know these kinds of cameras existed. I know you got speed cameras take you a photo. You go through a red light or whatever. And then as the cameras that go check people that pay their tax. So is this a similar kind of thing?
STEVE LAIDLER [00:19:11] Yeah, it’s just read your number plate of think. I mean, I think this one was Sheffield given maybe like a congestion zone, a bit like London tracking people coming into the city and then being able to potentially charge whether they would then track particular types of vehicle a particular organisations vehicles and then charge them for the congestion, trying to run a cleaner charge. And as you would be, that’s what we’re going to use it for. I mean, ANPR is generally used anyway. You know, I think by law enforcement, it’s tracking cars as they move across the country basically but use it some car parks as welfare. When you drive it to a car park and you so you don’t have to you’d have to put any information. You just put your reg in and pay your charge rather than having tickets or something like that.
JOSHUA READ [00:20:04] Yeah. But then, you know, it’s all well collecting this data. You know, even if that is the data. You have to have a use, you have to have a reason for collecting the data. You can’t just collect data for the hell of it. Well, I know Newcastle we’re looking at introducing a congestion charge. So they may be doing it in Newcastle
DAVID TAYLOR [00:20:32] Who knows? We might have all been tagged on that one. Right. Let’s look at the next headline. This one’s for you game as other especially the Nintendo users. So it looks like 160,000 user accounts and Nintendo user accounts were hijacked. Which kind of started at the beginning of the month. Steve, do you want to take the rounds on this one?
STEVE LAIDLER [00:21:00] Yeah. So I think there was a number of Nintendo accounts were hacked and then used to purchase various gaming currency and in other games. And I think there’s a big outcry on Twitter and social media to that that highlighted this. I think it was it was a Nintendo linking to all the accounts and from previous generation consoles that could cause some of the damage. And let and let people in. I think since that development from the usual thing and advice but then you know, game change their passwords. But I think people were using it using the information. But you had to buy a currency that then let them buy in-game purchases and then all the components that you can buy within computer games now. And since then, I think the other game companies like Epic have then since mandated things like two-factor authentication. So it has had a bit of a knock-on effect to other parts of the industry to try and secure things. A lot of people around this time of buying more consoles. So there are more users who are maybe not as good at setting the security up. I know certainly gamers don’t like turning two-factor authentication on. It’s not at the forefront of people’s minds. You know, they just want to get in and play the games with my kids are exactly the same. You know, it wasn’t forced on them. They probably never even look at it.
JOSHUA READ [00:22:44] I think the main thing for me here is its legacy systems, built-in security immaturity which have basically been merged with and security precedent. So now the old this is an old NNID legacy system, which Nintendo had. Yeah. It was, you know, probably merged it with this new system. Badly. But, you know, the security wasn’t the main focus around, you know, this new this legacy system has been merged with a system that is the key focus. It’s yeah, it’s is what it is. I think that Nintendo triggered the password resets on everyone’s accounts since then. And they’ve also deprecated the ability to log into Nintendo account using the old NNID profiles.
STEVE LAIDLER [00:23:46] I would have found problems. There’ll be some fixes. Obviously, if all the companies and look at it in and mandate, two-factor authentication or more secure methods.
DAVID TAYLOR [00:24:01] Right. So with a switch it up a little bit from gaming accounts hacked on to the next day, which is generally a bit of a taboo topic. People do like to talk about a little too much just with the connotations of it. But the news story that came out, I think it was Sophos who put out a report that found that cyber-criminals were netting around half a million dollars in five months. This generally tends to be, you know, you get sent an email and it might have you know, they use your password that you use in the email copy, the body of email. And it probably tells you, you know, report you do certain things or we’ve call your habits what you’ve been looking at on the Internet. And if you don’t pay as ransom, we’re going to send it to all your contacts. And this is just all spam sent out a mass numbers, usually some sort of passwords taken from that data breaches that are posted online. It’s mainly down to people not changing their passwords, isn’t it, guys is that what you get?
JOSHUA READ [00:25:07] Yeah, but it’s difficult, isn’t it? Sextortion full stop it’s a taboo, it’s a taboo subject. But it’s something that needs to be educated against it. I’ve mentioned it previously. On some of the shows and, you know, it shouldn’t be a taboo, taboo subject. You know, it’s all it is, is people. It’s social engineering. There’s no evidence that it’s directly related to people visiting pornography websites and each people, you know. It’s a simple fraud scheme. Well, according to the final analysis, that Sophos did, there was accumulative, ranked figure of 473,000 pounds over analysis that they did alone. That isn’t analysis of sextortion as a whole. That’s interesting analysis that they got their hands on, which is about $3,101 a day. Well, you know, there was it used to. I think that what they’re saying here is that it used to peak and dive. So there would look the spikes would usually last around one three days, but that would only happen across a weekend. So it’s suggesting that it’s not directly work-related, more personal related, which makes it even more potent because people obviously in their spare time do what they do. So I think that is another element as well. They did some analysis on some of the Bitcoin addresses that were linked in the emails. And basically, they tracked what they went to the vendor and tracked what they did, what they did with the currencies. After that, it was everything from that web marketplace is buying stolen credit card debt and basically, just reimburse in the cyber scale cybercriminals economy. I think now was announced as the third-largest economy in the world. The other week cybercriminal economy. Well, you know, this is a common tactic. It’s something I try and talk to people about or they’re always like, oh, no taboo topic. I don’t want to talk about that but ultimately, sextortion is just a phishing email with a taboo topic.
They use that data collected from published usernames and passwords from old website breaches that are widely published online. It’s not difficult to find. If you know what, we’ll know where to look. That getting hold of them is quite hard because obviously, you have to pay money for them and that sort of thing. Oh, do to say if you go on. Have I Been Pwned, it’s a website where you put your email address in and it tells you if you’ve been involved in any data breaches. Chances are if you are involved in a data breach on a website and usernames and passwords are included, probably being somewhere on the dark web part of being sold some. I get these emails and it shocked me because the password is, you know, one of my very old passwords, I remember all my passwords, but, you know, at one point in time, that was my password. So they are very, very scary. It’s just simple as changing your password and everything. That’s authentication and don’t bother paying the bitcoin. That’s the last downfall of this attack type is Bitcoin. It’s the only way of them getting money without them being tracked because it’s a peer to peer encryption and all the shenanigans around crypto currencies but not everyone knows how to tread. If an old grandma received the same should go up that was Bitcoin. And then they can’t, you know, they can’t sell. So you can’t get the money and send it. And that’s what the real downfall these attacks are is the fact that these in Bitcoin. But there’s no easy way of doing it, really.
STEVE LAIDLER [00:29:36] Totally being driven by money, isn’t it?
DAVID TAYLOR [00:29:39] Yeah, I think.
DAVID TAYLOR [00:29:41] Yeah, and obviously it’s more personal than sort of business-related, but go back to sort of Have I Been Pwned I know I put my email address in and it showed me where I’d like my email and passwords come up in breaches. I think it was LinkedIn like years ago. So a lot of people have been, you know, people working on LinkedIn. Well, we have had an old passwords gone and if they haven’t changed that LinkedIn password in, what, five, six plus years, there’s a good chance that they get an email saying this is your password. There might be more inclined to panic about it, even though, you know, nothing’s happened to them. Say. I think sometimes and I’ve spoken to friends who have had situations where they received it quantitatively. And I just cybersecurity expert obviously working in the industry know a little bit about it. I’d say, I know it’s just spam. My friend was always kind of freaking out because a password was in there and it wasn’t necessarily she knew she hadn’t done anything. But, you know, it was someone else in the household. It wasn’t around anymore. If an email went out to a contact, stuff like a video, that would be terrible. So she shows you didn’t pay the money. But it’s that kind of like the fear that agency is against them too if they are able to pay cryptocurrency, no pay.
JOSHUA READ [00:30:56] That element for me is it’s the fear of they’ve been sent to your contact list. You know, what you do in your private time is what you do in your private time. People have habits. People do what they do, you know, and that be made publicly available is well, the thought of it would be scary to anyone. And that’s the element here is pay them to put people’s fears is it’s distracting them from the fact that it’s a terrible social engineering attempt.
DAVID TAYLOR [00:31:27] Thing we’ve got on the next slide is an example of an email that either you’ve got it necessarily came to you Josh back in 2018 but generally quite…
JOSHUA READ [00:31:42] The very texty. And that’s one thing I also picked up on as I did some analysis of these a while ago. And what they do is to avoid textual analysis from email filters. They’ll just pack out the raw HTML of the email with an invisible ASCII characters so that you can sort of can’t be analyse, obviously, textual analysis of email filters. It’s been around for a while. If you will look at the words and email, you know if it’s demanded, if it’s authority. And from an unknown sender, it’s asking for something quite specific in the email context is quite broad, then most likely gonna be picked up by email filters as spam. This one in the email bag was on the screen. That’s about 600 as invisible ASCII characters that don’t format in Outlook. So the email looks fine, but then if you look at the bill, like the raw source code behind it is massive. Does not it make sense because they’re just packing it out with a load of jargon and a load of rubbish to avoid being painted by email filters? Which is probably plenty strength is one of the strengths of this social engineering attempt. You know, as a whole, it’s a very poor attempt because bitcoin is very easy, accessible to the non-technical, and it’s a very poorly designed email.
DAVID TAYLOR [00:33:16] I don’t know how to I’d love to be Google and try to find out how to pay Bitcoin if I was that way inclined. Right. I think that’s all we’ve got time for today, guys. Yes. Thank you for coming on for a chat about these stories. I hope the people watching it don’t interest in the cybersecurity news roundup. Save them a bit of time going through all that social feeds, reading the cybersecurity news and hopefully such. Shed some light on some of the attacks and how they’re working. So for everyone else, guys, thanks for joining us. Next time for another episode of Secure with Celerity, where hopefully next time we will all be matching in check. We’ll catch you then, bye.