Secure With Celerity Episode 4
[00:00:05] Hello and welcome to Secure With Celerity, the show where we digest the week’s top cybersecurity news stories so you don’t have to. I’m David Taylor and I’m your host. And today I’m joined by my trusted cybersecurity expert, Josh Reid.
[00:00:20] Yeah, not bad. Look down, but not down. Right. I think the top story that everyone’s talking about has got to be the easyJet data breach. So that’s about nine million customer records were exposed. I think we’re looking at sort of emails and passwords. And then it did note that just over two thousand credit card details of their customers were exposed, basically, and breached.
[00:00:50] I think there were no passport details stolen in this attack. And I think the interesting thing for me at this point in time is they were apparently made aware of it back in January and they waited until April to tell people, and they waited until April to tell the people who had their credit card details stolen.
[00:01:16] That their credit card details had been stolen in the breach, and they’ve waited until May to tell people that their email addresses and passwords have been breached as well. Now, they have noted in the statement online that it was quite a sophisticated cyber attack. Now, I think they branded it a highly sophisticated attack. And I’m interested to know how they did it and how the attack was executed on easyJet, as there’s been a lot of speculation. It could be a phishing email; phishing emails are probably the most common way breaches happen, exploits of vulnerabilities probably second, malware equal to that. They haven’t released any information as to how it came to fruition at this moment in time. And it will definitely be interesting. And I think more interestingly, though, is, A, the timing of this and, B, what the GDPR sanctions will be on easyJet. I dread to think the stress that easyJet staff are going through, especially the cyber security team, at this moment in time. So hat tips to them. Well, I mean, last year, British Airways was fined two hundred eighty three million for that breach where they had a Magecart-like attack on their website, which harvested, I think it was around ninety thousand credit card details, and that was a credit card skimming attack on their website. And this, the magnitude and the scale of users breached in this is much, much larger. The severity of the data that’s been exposed is slightly different. There weren’t as many credit card details breached, but there was an awful lot of email addresses and passwords breached. So it will be very interesting to see how the Information Commissioner’s Office handles this breach and basically how they’re going to impose the sanctions, if they do, on easyJet. According to easyJet, I think everyone should be notified by Tuesday next week if their information’s been breached in this attack.
Well, essentially, it’s a massive, massive breach. I think it’s still ongoing with the investigation at the moment. Obviously, they haven’t released any sort of dedicated or any specific information about how the attack was executed, but it is very, very interesting and I think it’s definitely one to watch over the next couple of weeks, especially as we move through covid-19 as well.
[00:04:25] Yeah, definitely. I mean, you know, you mentioned about the attack where there was about three million. Did you say they find this on the Internet?
[00:04:35] Three million for three hundred and eighty thousand payment cards compromised.
[00:04:39] So, I mean, at this time in the current climate the aviation industry is like struggling. So I would hate to think what at least 100 million pounds fine would do to you at the moment. So I’m pretty sure I’ve got an account with easyJet. I definitely book with them. So I’ll be checking my inbox to see if I’ve been affected by that.
[00:05:03] And then, yeah, I mean, if anyone is with them, just sort of good cybersecurity hygiene: just constantly change your passwords.
[00:05:13] Don’t keep using the same passwords for everything. There’s no doubt this is going to end up on the dark web or it’s going to end up somewhere on the Internet and just get used for password spraying as well.
[00:05:24] Yeah, especially for users who use a common password, the same password across multiple platforms. I think this highlights the reasons why you shouldn’t do that. Obviously this happened back in January. They’ve had almost, I mean, we don’t know the nitty gritty details of this breach, but essentially they’ve had four months where they’ve had access potentially to your username and password if you used it on another platform. So Facebook, Twitter, and you have one password for everything; essentially they would get free access to it. They’ve breached it in the breach and they can essentially have one password for all. It’ll be interesting to see when the details come out of exactly how long they managed to have the data, when it was actually breached, how they went about stopping it. Yeah, definitely. Watch this space.
[00:06:23] Definitely will. All right. On to our next story. So this is quite, quite astounding, isn’t it, really?
[00:06:31] You know, everyone knows that enterprise network access, even single server access, is available on the web, but it’s been quite remarkable.
[00:06:40] A surge from sort of Q4 last year to Q1 this year of about a sixty nine percent increase.
[00:06:47] Yeah, this little report was done by, I was doing this last week, sorry, and they found the advertising costs for enterprise access for malintent was up six per cent on the Web compared to the period Q4 twenty nineteen. At the end of twenty nineteen, over 50 accesses of networks of major companies from all over the world were publicly available on the Dark Web. So, yeah, it’s an epidemic and it’s a problem. But, you know, I think the main thing here is just how cheap it is. It may seem expensive to get enterprise access to a large corporation without having to put in all the groundwork of phishing attacks. It’s basically a shortcut to a cyber attack by posting this. You know, I think in general, the asking price ranged from five hundred dollars to one hundred thousand dollars based on the organisation’s size and also what the organisation did. Obviously, government entities are going to cost a lot more money. The smaller organisations lower down are going to be down towards the 500 dollar mark. Well, you know, some buyers were offering lucrative terms in terms of ongoing relationships as well. So there was often a commission of up to 30 percent for any potential hacks. So they offered out a commission of 30 percent of the potential profit of a hack of the infrastructure of a company if their annual income exceeded 500 million. So a large organisation, if you managed to hack them and their infrastructure, a ransomware attack, obtain information, then, you know, you would pay a commission. Sorry, on all the profits that you made from the cyberattack, selling the data around on the web and whatever they do to generate their income, they would have to pay some sort of commission back to the person they bought access from. Well, I think, yeah, it’s shocking. And I think Positive Technologies did release it.
The report said that access for sale on the Web is a generic term, referring to software exploits, credentials or anything else that can allow for illicit control over one or more remote computers. So it’s not just literally login credentials for the admin, domain controllers, the platform or whatever it is. It can also be proof of concept exploits for one of their Web applications that’s holding all the credit card information, or it’s basically a packaged cyber attack in a box and they purchase it and they have the ability to, you know, attack these organisations. I think on the graphs that were on the slides, there was, I think, the share of organisations that were being targeted, shown on the dark web. I think the majority of them were industrial and government entities, which again is no surprise; you’re obviously going to be paying a lot more money for those types of organisations. But if you can be seen to have cyber attacked a government entity or a large corporation that is operating in manufacturing or industrial, then you’re affecting essentially the heart of a country. You know, if you can shut down power plants or you can affect the supply chain of hundreds of millions of businesses and also affect the system that runs those organisations, i.e. the government, then you’re going to get a lot more publicity and a lot more, say, hate for doing it. So that’s probably why the prices were so, so high.
[00:11:30] But I think first, you know, if you are talking about your state sponsored attacks, if you are looking to shut down stuff like power plants and other places like that, that could really affect a country’s infrastructure. One hundred thousand grand.
[00:11:46] There’s nothing, is that nuts to them? Absolutely. Yeah, and I think the average cost was five thousand dollars, which is, again, nothing compared to the amount of revenue that they could potentially generate from the five thousand dollars; it’s ridiculous, obviously. Yeah, they might have to pay the 30 percent commission back to the person who sold the access. Well, again, it’s minuscule amounts of money. It’s frightening, it really is. And I think on the picture, on the top right of the slide there, that’s one of the dark web advertisements for US government access. I think it was priced at eighty thousand dollars, which again, is nothing. And, you know, I think they talk all the time around how the government is supposed to be the industry leader in cybersecurity, especially the US and the UK, but again, it’s everyone that falls victim to it, and it seems to be that these large profile organisations and entities are falling victim to it. There’s no way of policing it on the dark web. It is what it is, I think. I think the fact that this access can exist without anyone being informed of it or identifying it is shocking as well. It shows that potentially the security technologies aren’t up to standard to detect illicit access. But then again, it depends on the scope of the package we’re dealing with. It could be an exploit. It could be credentials. And if you have compromised credentials, how do you tell your security technologies that, you know, that user is malicious if they’re using a registered user account? There’s no way of identifying it. So, yeah, it’ll be interesting to see how people react to this. So another in the long line of shocking cybersecurity news this week.
[00:14:08] All right, let’s go on to our next one.
[00:14:11] So, yeah, this is about Mercedes Benz, specifically the vans. I believe the onboard logic unit source code was leaked in an online GitHub repository and was found by a Swiss software engineer. Can’t remember his name off the top of my head.
[00:14:30] Yeah, there’s a few angles to this, isn’t there? It’s not just that the source code was on there.
[00:14:35] But there’s a few implications in that. Yeah. I mean, Till Kottmann managed to, essentially it was a login portal to Daimler AG, which is the automotive company behind Mercedes Benz.
[00:14:54] He was able to register an account on the Daimler code hosting portal, which was GitLab, and then downloaded more than 580 git repositories containing the source code for the onboard logic units, as you mentioned before, which are installed in Mercedes vans. And the onboard logic unit component is the thing that sits between the car’s hardware, sorry, and the software and connects the vehicle to Mercedes Cloud. Essentially it can do everything from live vehicle data, so how full the petrol tank is, if there’s any code faults with the engine, if there’s a third party, sorry, if the van is stolen, you can freeze the vehicle; there are many uses of it. But essentially the apps they usually employ it for feature phone tracking while on the road and internal status, whether the engine is turned on or turned off. But I think, yeah, there’s a lot of other different stuff.
[00:16:05] That’s the debate. Automotive companies all around the world use GitLab and it’s a good tool, is what it is. But incorrect configuration. Same thing with SharePoint. You can configure SharePoint to be internal only. But, you know, mistakes happen, I think. Obviously the code wasn’t protected in any way. Apparently there was no.
[00:16:38] There was no set of warnings that it was proprietary technology, and I think a lot of people have questioned the legality of Kottmann’s actions and said, you know, he didn’t attempt to notify the company before publishing the source code online over the weekend. Now, you shouldn’t have to; if it’s available in a public repository, it’s available in a public repository. It’s not his fault that Daimler AG haven’t got the proper scheme in place for their developers to access source code. You know, if anyone’s to blame, it’s Daimler and Mercedes because it’s their incorrect configuration of that GitLab. It’s not the developer’s, the researcher’s fault that he’s the one that discovered it. And, you know, yeah, there might be some malicious malintent or actions taken as a result of this, but who’s to blame here is Mercedes Benz and Daimler. It’s not the person, the researcher that found it. You know, I found it very infuriating and you see it a lot with these types of things. It’s all the researcher shouldn’t have done it. It is like, you are the person who developed the programme or platform; you should have, you know, maybe configured it in the correct way rather than misconfiguring it. But mistakes happen. I’m not one to question, but these things happen. You know, I think the main thing here as well, I think that although the leak seemed harmless and all it did was, there was source code for the OLU, the on board logic unit, but there were also API secret tokens and usernames and passwords for some of Daimler’s internal servers included in that, which, again, can be part of the development process of an on board logic unit, of operational technologies. It is what it is. It’d be interesting to see. I highly doubt that Kottmann was the only one that worked this out and I’m not sure how long it’s been the way it has. Nobody’s passed comment on how long it has. Apparently, Kottmann did it over the weekend.
It could have been like that for a very long time prior. Nobody’s obviously tested it or known. Well, yeah, there’s no way of tracking that type of thing.
[00:19:17] It’s definitely an interesting concept, and then I think I’ve read stories in the past around insecurity in GitHub and GitLab repositories, sharing code, proprietary information, proprietary code for technologies and the legalities around it and how, you know, developers are and developers will, they will develop in the way that they do.
[00:19:52] As the old saying goes, developers and security never really get on board. And they will take shortcuts. But, you know, they are and they will. So it is what it is.
[00:20:06] This one. All right. I think we should move on to our next story of the week, so. Yeah, yeah.
[00:20:12] Again, some more covid-19 themed phishing. This one was an email with an attachment for a graph or a chart even. And they actually call it horrible charts in the subject line, which again, is trying to lure people in who are worried about what’s going on, statistics, and probably are spooked into opening it because everyone’s worried about covid-19 or just curious. So you get the hell out of them.
[00:20:44] Yeah, so I think this was done by Microsoft Threat Research Labs, and they are basically tracking a massive phishing malware campaign that delivers the NetSupport Manager tool. However, the NetSupport Manager tool has got a bad name, as TeamViewer does, as many of the remote support software tools do. And it’s something that, you know, hackers use everywhere; it’s an easy tool to use. It’s infamous in vishing attacks and your tech support. Oh, your Internet’s not working. Let me dial in and fix that for you. In actual fact, I’m just going to install a basket of malicious PowerShell scripts on your PC that communicate to my malware server. But essentially this attack, the email had an attachment, which was an Excel file with a macro embedded in it. And the covid-19 themed campaign started on May 20, the 12th, sorry. And so far I think Microsoft has seen several hundred different unique attachments. So it’s very, very versatile and changes very, very often. So that the IOCs and, you know, the malware that’s being used is very adaptable and very hard to detect. The email itself supposedly comes from Johns Hopkins Centre, as they seem to be at the centre of a lot of phishing attacks at the moment, and with the subject WHO covid-19 situation report. And I think the relevance of the email, I think they’re referencing the horrible charts and claiming that the US government is pumping out horrible charts that distort the data, and you open the Excel file, the macro runs and installs NetSupport Manager, and then that’s when it gets into the juicy goings on. I think NetSupport Manager is known for its abuse by attackers and its access to remote commands on compromised machines.
I think in this campaign it was used to further drop multiple components, such as several DLL files, INI files and other executable files, and there were also cases of VBScript being pushed via this NetSupport access, and also obfuscated PowerShell, possibly batch scripts, which all communicate back to a command and control server which allowed for further attacks and further commands to be launched on the machine. So this is really a multi-stage attack. It’s a very, very hard to detect phishing email, which results in a remote access tool being installed, which then remotely results in scripts being run, which then results in a command and control server running, executing remote commands, installing further secondary malware, anything from ransomware to, you know, spyware, Trojans, you name it, worms. It can be a whole lot of things. And I think obviously Microsoft is not really giving any specifics around it. I think the screenshots on the slides of the emails that were used, again it’s not the first time we’ll see covid-19 related chart emails. This is very generic. It looks like a marketing email. It looks like a load of jargon and a load of rubbish. You know, people will be as they are. They’ll always be intrigued by something that is of importance to them. And currently their health is of importance to them. So they’ll open that attachment, enable editing, which enables the macro scripts, which does its thing. Yeah, it’s a shame that people are exploiting it. I’m not surprised they’re exploiting it. I think there’s a couple of reports out about how apparently the covid-19 phishing threats have been a bit hypersensitive and people are saying, oh, it’s not as bad as it is, but essentially, you know, yeah, the volume of phishing emails related to covid-19 hasn’t essentially stood out; it’s the context of them, you know, the likelihood of clicking on something.
[00:25:56] Yeah, I guess it’s not, whoever wrote the article was saying, oh, yeah, well, you know, the number of phishing emails isn’t going up and think, wow, it’s covid-19. Well, it’s not around the volume of emails, that’s the issue. It’s more the context of the email. You know, if you receive a covid-19 email, you’re going to read into it and, you know, if it’s telling you something you need to do instantly, you’re going to read it. You’re going to do that thing. So, you know, it’s preying on the weaknesses. And I found the article quite hilariously stupid at times as I read it.
[00:26:34] But I think the bits that we’re talking about, just about how you can point out and spot these as phishing emails, is the fact that this is coming from Johns Hopkins University, which is set up as a centre of sort of covid-19 research.
[00:26:48] And so the subject line is covid-19 horrible chart, which is kind of like getting an email, I guess, from Oxford, you know, that there probably are, you know, doing some biomedical research on it, getting an email from Oxford and then saying, horrible charts.
[00:27:06] I mean, first of all, I’d probably question why I’m getting an email from them. At least use the Microsoft synonym feature and change horrible to another fancy word to make it sound better.
[00:27:20] Well, for that trouble, you might as well just get someone to do an editorial check on your subject line. I mean, granted, I’m happy that they’re that easy to spot, but I think English is enough.
[00:27:34] English probably isn’t a native language.
[00:27:36] So, um, you know, but I’ll let them off it. Right. I think that’s all we’ve got time for today, Josh.
[00:27:48] But yeah, thanks for your time. I think we’ve done a good job on this one, just the two of us. So I think we’ve done a really good analysis of those four stories. We’ll obviously keep an eye on the easyJet one, and I’m sure we’ll probably touch on that at next week’s segment. So we will catch you next week. Everyone else, thank you for watching Secure with Celerity and we will catch you next week for your other weekly dose of cybersecurity stories.