Secure With Celerity Episode 8

DAVID TAYLOR [00:01:18] Oh, here he is. Hello Josh. I’m about to rock out the show solo. So I’m very, very happy that you’ve managed to get on it. No worries. So I would just say the very first story we’re gonna cover this week is about LinkedIn job offers targeting aerospace and military firms with malware in spear-phishing attacks. So if you want to go into that a little bit further.

JOSHUA READ [00:01:46] Yeah. This one is quite impressive. I was in awe of this tactic that was used, strictly from a professional point of view. But essentially the LinkedIn jobs page was used as a malware delivery method. And the vector, with the malware components, mainly targeted victims at European and Middle Eastern aerospace and military companies. And the spear-phishing messages were part of a more widespread campaign, which was dubbed Operation In(ter)ception. So, I mean, the researchers currently believe the primary goal of the attacks, which occurred from September to December 2019, was espionage, possibly state actors. In at least one case, the attackers also tried to utilize the compromised victims’ emails in business email compromise attacks, basically using the victim’s email addresses to send further phishing emails out to make them look genuine. Well, yes. So they were highly targeted and relied on social engineering over LinkedIn. It was multi-stage malware. The research was done by ESET, as the researchers’ analysis sets out. But interestingly, the researchers also note that in order to remain undetected, the attackers were quite versatile with the malware and constantly recompiled it. So they avoided detection. So it wasn’t being picked up as easily. And it abused Windows utilities and impersonated legitimate software companies. So all in all, it was a standard phishing campaign. But I think the main interesting thing here is the fact that it utilised the LinkedIn jobs page as a delivery method. So, the example we have on the left is one of the examples that was used as part of the initial communication with the victim, and the attack method is here on the right. So firstly, victims are sent a job offer via LinkedIn message from a well-known and relevant company pertaining to the victim’s sector. Examples of the companies were Collins Aerospace, formerly Rockwell Collins, a major U.S. supplier of aerospace and defence products, and General Dynamics, which is one of the large U.S. suppliers. The job offer file was linked with a password-protected zip file containing the LNK file. Once the file was opened, the message contained a seemingly benign PDF document, which showed salary and fake information about a pretend job that never existed. And then the attackers scheduled tasks which were set to execute XLS scripts. And they talked to a C2 server, pulled down the PowerShell that did its magic, and there they go. So there are multiple elements in this attack vector and there’s a lot of pulling down files and communicating externally. It’s quite a sophisticated attack vector and shouldn’t be overlooked. I think it’s something that’s quite interesting, and we had a discussion before the call around this attack technique, and after I said it was really interesting because, I think everyone watching, you know, you both know the amount of junk you get through LinkedIn mail. The email, you know, well, we’ve got the perfect job for you. And you know, the idea that someone’s maybe headhunting you might be desirable to individuals. And especially if you work in a high-pressure and highly stressful environment such as, you know, the government. And, well, yeah, it’s definitely interesting. And it’s definitely one to watch, to see if it develops into more widespread campaigns involving, you know, non-government workers, maybe. But, yeah, it’s definitely interesting to see.

DAVID TAYLOR [00:06:19] I might be wrong about this, but I’m pretty sure you could just say you work at a company, unless it’s just exactly how things get done and, you know, no one’s really vetting them, I don’t think. So I’m gonna say they worked for one of these, you know, aerospace or military firms. They can get on LinkedIn and then, you know, they could look legit. And that’s probably, you know, most people think that when someone is contacting you on LinkedIn, they’re probably hoping that everything’s been checked. Yeah. It’s not really the case now.

JOSHUA READ [00:06:48] No, I could tell that I worked for Google on my LinkedIn. Obviously the only people that would know that wasn’t true are those that I keep good contact with and those that I work with. Well, to an outsider, if I say I’m the CEO of Google, I’m the CEO of Google. There’s nothing else to prove that I am. Well, unless you go on Google and have a look and try to see.

DAVID TAYLOR [00:07:11] So, yeah, on to our next story. So this is quite small, still a small-scale attack even. It’s a phishing campaign that managed to compromise just over one hundred email accounts from the NHS.

JOSHUA READ [00:07:29] Yes. So they confirmed that 113 internal email accounts were compromised and used to send malicious spam outside of the health service around two weeks ago. The incident occurred on Saturday the 30th of May, well, between the 30th of May and the 1st of June, and affected, fortunately, a very small number of accounts. In terms of the NHS’s demand, there are roughly about 1.4 million different email accounts that are on public record as NHS accounts, and this number equates to 0.008% of the accounts being affected. So it’s very small scale, but essentially, if you’re getting into a health care institute or a centralised government entity, it is a big reward; it is always going to be big news if an element of government is breached in some way, whether it’s a phishing email, whether it’s malware, whether it’s a DDoS attack, whatever. I think, interestingly enough, I think the NCSC actually warned about these campaigns back in 2019, at the back end, and the email alone is fairly simple in design. It’s a “notification received, open notification” and a link to authenticate; if the user clicks the hyperlink, a login web page appears. This is usually designed to replicate the victim’s organization with logo and design. I don’t think that was what was seen in these campaigns. The NCSC also note that in the campaign, the user received a phishing email from a legitimate email account which had been previously compromised. Phishing emails were previously sent from contacts in recent email communications with the recipient, and the subject lines often matched the most recent email exchange. So very, very relevant in some cases to individuals. For me, if I was receiving a link, say, “notification received, new notification”, I’d be like, what the heck’s this? It wouldn’t make any sense. In terms of the strength of the actual email, it’s very, very weak. The post area, the attack method at the latter end of the attack, is actually really, really strong. So customizing the landing page to make it look like it’s your organisation’s landing page. The delivery method in use, using previously exploited, compromised accounts, is also a very, very effective way of doing things. Well, again, it’s a phishing email and people always, always fall victim to phishing emails. It is what it is. I think the main concern here is the fact that, you know, something so simple in terms of an attack was able to compromise over 100 accounts, but I think one thing for me, companies don’t really understand how susceptible they are to phishing. I know we spoke to a few other companies that have undertaken phishing simulations and they’ve come back and said that they were very, very unpleasantly surprised at how many people were actually clicking links. The, you know, the numerous research papers and research reports I’ve read myself, you know, the generic outcome and response to the papers is surprise toward how many people actually clicked links. There’s this persona that everyone conveys that, you know, I didn’t click that link. It’s embarrassing. It’s embarrassing, and it should be talked about. People click links, people submit data. They don’t pay attention. They don’t read the small print. It’s a shame that it’s been so successful, especially with such poor phishing output. Yes.

DAVID TAYLOR [00:11:45] I mean, looking at that. So what you’re saying is that this would almost be within a thread. So a conversation that someone might have previously had, someone gets “notification received, view notification”?

JOSHUA READ [00:11:56] Yeah. It’s potentially that; it’s based on when they were compromised, how they were compromised and what was compromised. There’s a multitude of factors, but there were cases where they were able to sort of add in on a thread and almost say this message is part of a previously known, a previous conversation between two entities. So, yeah, it’s very scary, but you know, it’s a phishing email; at the end of the day, it’s the same stuff, just bottled up and branded differently.

DAVID TAYLOR [00:12:32] Yeah. So I guess security awareness for employees is, like we all know, super important, but then taking that along with a company that will sort of simulate phishing as a service, which Celerity do. Casual plug in there. But those two together can be quite a powerful sense of stopping people clicking on links, because, as we’ve said, technology alone can only do so much to protect your organization. But if, at the end of the day, you’ve just got to click on links willy-nilly, then you’re going to be in a lot of trouble. So with that, on to our next story: the largest ever DDoS cyber attack on record has been fought off by the giant that is Amazon.

JOSHUA READ [00:13:18] AWS, to be more precise. So AWS defended off a 2.3 terabytes per second DDoS attack, and to put that into context, that is just under half of all the traffic that BT sees on the entire UK network during a normal working day. So that volume of traffic is heading to one particular area. They haven’t detailed what website or what service was affected or targeted in the attempted DDoS attack. But that volume of information heading to any website would cause problems. And so it’s kudos to AWS for being able to weather the storm and stop it. I mean, the previous record was set at 1.7 terabytes per second, which was back in 2018. However, one thing I’ve seen, and I know vendors have seen, is that it’s not just the volume of the attacks, but the frequency of the attacks is going up as well. And I think, according to Neustar, in the first quarter of 2020 Neustar mitigated more than twice the number of attacks as in the first quarter of 2019, and in the second quarter of 2020 the company also mitigated the largest volumetric attack in Neustar history and one of the largest in Internet history, at 1.7 terabytes per second. So it’s scary, but there are tools out there that can stop it. But I think the most concerning thing is that another example was from another provider of protection in that sort of area. They mitigated a massive DDoS attack against an unnamed hosting provider, a 1.44 terabytes per second attack. And this was the largest ever seen. So the records are getting broken and also the frequencies are going up as well. You know, this 1.7 DDoS Richter scale was held for two years and then all of a sudden it’s knocking on the door. Well, within the last couple of months, there’s been three attacks that have been knocking on the record door and one’s actually broken the record. It’s quite obvious that the volume and the size of the attacks is going up. So, well, for those that don’t know what a DDoS attack is, it can almost be viewed as a zombie army or, you know, the white walkers from Game of Thrones, their army, you know. In fact, the white walkers are a distributed botnet; they’ve got a centralized leader and that’s telling them to do stuff. If that leader falls over, everything else essentially falls over. It’s the same. But this is so named, also termed a botnet, so each website, each service, each application platform is essentially hosted on a server, whether it’s cloud or whether, you know, that sort of area. Well, essentially, servers have a finite capacity. You know, no server in the world has an unlimited capacity, otherwise it would have solved all server issues ever. You know, this is seen through everything. So if everyone in the country is requesting the exact same results at the exact same time, the server can’t provide what it’s wanting to provide in the way it should be provided. And it just goes, I don’t know what to do. And it gets flustered and says, no way Jose, and falls over. You know, this could be something from a video, could be online gaming, could be monitoring, it could be a shop, an online shop.

DAVID TAYLOR [00:17:37] It could actually be like tickets as well, couldn’t it? Like Glastonbury tickets, for, you know, when that came out. It’s about trying to get them and sometimes the website does crash.

JOSHUA READ [00:17:47] Yes. So, distributed DDoS attacks: the likes of the Glastonbury website going down when tickets go up, that’s just, you know, that’s because the server can’t handle the capacity of people going on. But a distributed denial of service attack is essentially someone who has it out for some company in the world. And what they’ll do is they’ll build or buy a botnet, which is essentially a group of 30,000 to a million different devices, could be mobiles, laptops, anything with an Internet connection. And then you can basically control it from a centralized point; you can control the botnet and tell them to do certain stuff to one point. And if you’ve got a big enough botnet, you can generate more traffic and you can generate a higher volume of traffic, which essentially could result in a more severe DDoS attack. But putting this into context, so let’s say DDoS protection, one thing we know is that if eBay or Amazon shopping was down, taken down for more than five minutes, the revenue lost from customers not being able to buy or procure would be substantial, to the point where if Amazon was down for an hour due to DDoS, according to statistics taken back in 2018, and this is two years old, they would have lost $283,000 per minute. And they would have lost $17 million per hour. So, you know, the financial implications of a DDoS attack are massive, and it’s something that gets pushed over a lot. I mean, now obviously we have all these DDoS protections through AWS and the like. It’s unlikely that Amazon would be taken down due to DDoS because, you know, you would’ve thought that they would protect their own stuff before they start offering it as a service through AWS, but yeah, and there’s a lot of indirect costs as well. You know, media and the issues, you know, harm to reputation, especially with customers. And, you know, if you want to buy Glastonbury tickets, then all of a sudden you can’t buy Glastonbury tickets. It can be quite harmful. It’s not going to, you know, people only have a certain amount of patience; they’re not going to all of a sudden go, right, we have to wait for six hours to get these tickets, when actually they’re Glastonbury tickets.

DAVID TAYLOR [00:20:34] I’m not surprised. I imagine that number you’re talking about, 17 million per hour, that was two years ago. I’m pretty sure it was. Jeff Bezos also, even Amazon got into like a trillion dollar company or something like that. So we’ve never made it home. And I know I’ve been ordering more stuff online than I ever have before. So I think, yeah, the downtime and the cost to these companies is going to be like way, way, way more now. So, just going back to you talking about what a botnet is, all the different devices, like I was reading previously, am I right in thinking that a lot of those devices might be like compromised, and that’s how they get sort of brought into the.

JOSHUA READ [00:21:15] Yes. The botnet is a collection of compromised devices that could have had a Trojan on them, or essentially anything that can be controlled. So if I had something on my PC which had a router on your PC that allowed me to do stuff on your behalf without your permission, then technically you’re in my botnet. PCs, it’s, the definition of a botnet is quite broad. There’s no clear definition. You know, there’s no easy way of describing what a botnet is and what it isn’t. But essentially, if it’s used in a DDoS attack, you know, and you’ve got a herd of sheep or a herd of white walkers that can do your dirty work for you, A, it’s hard to trace, and B, it’s hard to stop because of the volume, the amount of white walkers. I apologise for the reference. I was telling a friend about how I’d describe a botnet before, and I almost think that analogy is the easiest way to describe it, the white walkers. That’s exactly what a botnet is. They’re under the control of some slave master server, and they’re carrying out stuff that they might not even be aware is going on. So, yeah, obviously the financial implications of DDoS attacks are huge, and that’s not something that should be overlooked.

DAVID TAYLOR [00:22:57] Now, I think it’s a great analogy. Like I said, and more stuff every day, but I think it’s quite good to put it into terms that people recognise, and a lot of people probably watch Game of Thrones. I think it was a decent one. So we move on to our final story for the week. So this is about Zoom, the video conferencing platform, which has actually done a U-turn on its initial statement that it wasn’t using end-to-end encryption for all its users. It was just gonna use it for its premium users. But now, thanks to Zoom, everyone can have an encryption party.

JOSHUA READ [00:23:37] Yeah. I take every one with a pinch of salt. So, yeah, essentially, they announced that they were going back on their previous decision to restrict access to end-to-end encryption from standard users to only the premium users. But now it will feature for those that use both free and premium services. I think it’s a good move, especially in light of what the competitors are doing, like Facebook Messenger, WhatsApp, if you call them competitors. Zoom is very, very popular. Well, essentially Zoom calls don’t use end-to-end encryption at this moment in time. They use, or they are supposedly meant to use, AES-256 encryption, but that was also called out, and it was said that there were a lot of pitfalls. Right, that was in a previous story we’ve covered; I think Citizen Lab found that they were actually using AES-128, which isn’t quite as secure. Well, it still is encryption. But it is interesting to see they’ve gone back on their initial ideas of providing E2E, end-to-end encryption, as I said, as a premium entity. I think personally it’s down to a number of elements. I think the first one is the security concerns that have been voiced across the last three or four months, especially around lockdown. And I think everyone’s just so, just over a third of Zoom users were concerned around their privacy when using Zoom. It’s not something you want to convey when using your platform, especially, you know, if you put that into comparison with the other video conferencing platforms. There’ll be a lot less people worried about their privacy on them. So there’s also a notable problem, another addition was that there were over half a million, sorry, half a million accounts still for sale on the dark web. So, again, that sort of stuff spreads like wildfire, especially in the media. People are getting a sniff of the news. There’s also problems of meeting IDs being leaked. I think most notably was the UK government’s meeting ID being leaked online due to photos, you know, and kudos to Zoom. They have been very, very quick at developing new stuff, pushing it out, making it more secure. I think when the meeting ID issue first got brought to attention in the news, they were very, very quick at turning things around and making it so that meeting IDs were more difficult to get hold of and they weren’t so publicly available on the front screen. Well, they’ve given a very light road map for what they plan to do. So Zoom will begin beta testing and providing it to beta customers as of July 2020, and all Zoom users will continue to use the AES-256-GCM transport encryption, which is currently the default encryption, which is probably one of the strongest encryption standards in use today. But then end-to-end encryption will be an optional feature, as it currently limits meeting functionality. Now, because they haven’t actually done any beta testing, it’d be quite interesting to know what it actually limits. Whether it actually stops meetings functioning as they’re meant to, or it just doesn’t work. It’ll be interesting to see. I think the whole point of end-to-end encryption is that it’s functional and it doesn’t impede on the user’s experience. But if it has to be asked to. But then there’s also the divided control as well. So if you have, like, premium support for Zoom, you can get an account admin who can enable end-to-end encryption on an account level. And also at a high-level group level. So if you want everyone in your organization to use end-to-end encryption, i.e. the government, especially the government, if they’re using Zoom for transferring documents or talking about confidential stuff, isn’t that interesting? I think, moreover, I think I’ll go over what is meant by end-to-end encryption. There’s a lot of confusion around what end-to-end encryption is and isn’t. So essentially, your standard encryption: if I was to send a message to David, it’s encrypted to the Zoom HQ server, where Zoom HQ decrypt it and then re-encrypt it in the key that David has. So I share a key with the Zoom HQ server and David shares a key with his Zoom HQ server. Well, our two keys are different. So essentially I send the message, it’s encrypted whether it goes out to the Internet and then back into Zoom, and then from Zoom to David it’s also encrypted. So David can unencrypt it. That is standard encryption, which is what is currently there. What end-to-end encryption is, is if me and David, if we’re sending a message to each other, we share a key. So if it goes to Zoom HQ, the people at Zoom, if they tried to read that message, it would be a lot of gibberish because it’s encrypted and they don’t have the key to decrypt it and read it. And WhatsApp has had this in place for years. So obviously I’m not sure on the technicalities around how Zoom is going to implement this. They haven’t released the information, for obvious reasons. Well, if I want to send a message to David using end-to-end encryption, it goes to Zoom HQ the same way, it’s encrypted, but it isn’t decrypted. And because we share the same decryption key, it just slides straight across the bar, straight into David’s hand, without the issues of decrypting and re-encrypting. So essentially it’s encrypted from when I leave it to when David picks it up, rather than it being decrypted and re-encrypted, et cetera, et cetera. So it’s quite promising. And I think it will be interesting to see the turnaround, especially given how fluid and agile Zoom have been previously with developments and additions to that platform. Well, it’ll be very interesting to see, you know, how long it’s gonna take for them to roll out this end-to-end encryption. Well, essentially, it’s securing and hardening something that’s used by a great deal of people, so it is important.

DAVID TAYLOR [00:30:41] Because I think WhatsApp just recently brought out their own version of like a group video call, haven’t they? Yeah, I’ll use end-to-end encryption. Interesting to see how that sort of flows on.

DAVID TAYLOR [00:30:54] Yeah, especially when, you know, when it comes to messaging apps, there is a lot of hoo-ha around end-to-end encryption because people believe that terrorism, gangs and terrorist groups are using WhatsApp to communicate. And they probably are. But, you know, it’s a really bad topic to talk about because it sounds like you’re siding with one side or the other, but essentially end-to-end encryption is there to protect the user; if the user is a terrorist, then what can you do? It’s, you know, the service is there for the public. It’s always a difficult topic to talk around, but yeah, end-to-end encryption has always been a frosty topic on the general public side. Essentially, it’s making you more secure and it’s stopping third parties sniffing on your messages and your attachments and not so.

DAVID TAYLOR [00:31:48] I definitely, I mean, maybe it’s a conversation for another time or another show, but unfortunately, that’s all we’ve got time for today. Josh, thanks for your security expertise, as always. Apologies to anyone watching from the beginning. We did have some technology gremlins at my end, but everyone else, catch us next week for another weekly dose of your top cyber security news stories with Secure with Celerity. See you then.