The Ring of Defense

In this week's episode, Bill and Robin dive deep into the techniques and tricks used by the masterminds behind the recent attacks on MGM and the Caesars Entertainment group, Scattered Spider and ALPHV. 

Why was MGM's business down for 10 days? Why did Caesars pay an alleged $15M ransom? What is BlackCat? How could this have been prevented, and how would this map to something like the MITRE ATT&CK framework?

Learn all this and more on the latest episode.

What is The Ring of Defense?

Join Robin Johns, and Bill Carter as we delve into the intricate world of cybersecurity, exploring the critical issues, fundamental concepts, and the latest security incidents that shape our digital landscape.

In each episode, Robin and Bill bring their wealth of knowledge and experience to the forefront, unraveling complex cybersecurity topics and making them accessible to all listeners. Whether you're a seasoned professional, an aspiring cybersecurity enthusiast, or simply someone interested in safeguarding your digital presence, this podcast offers valuable insights and practical advice.

00:00:00:00 - 00:00:22:15
Unknown
Hey, Bill. How are you doing today? Hey, Robin. It's a great day today. I'm doing well. How are you? I am fantastic. Last week of the quarter, people are excited, numbers being closed, everyone's happy. And Cato has recently secured another $238 million investment, putting it at a $3.1 billion valuation. Not too shabby for the only true SASE company. I would say so.

00:00:22:15 - 00:00:47:21
Unknown
Absolutely. I'm not here to brag. You know, business is often a gamble, and in gambling you have winners and losers. You do. And on the topic of gambling, I know MGM have recently been in the news. What's happened, Bill? Boy, so they certainly have been in the news, not only MGM Resorts, but a little bit of associated news with Caesars Entertainment.

00:00:47:21 - 00:01:13:27
Unknown
It certainly seems like Las Vegas is under the gun. But you're absolutely right, Robin. MGM Resorts went off the air essentially for about ten days while they attempted to mitigate a cyberattack. And as news has continued to come to light, we find out that they may have been the victims of the same group that managed to extort quite a bit of money from Caesars Entertainment.

00:01:13:27 - 00:01:41:29
Unknown
I think the last number I saw was around 15 million USD, Robin. So it looks like all of a sudden Vegas is under attack. And listen, we would love to say it's because of the Black Hat conference or DEF CON, right? But we have a threat actor who is claiming responsibility, and of course law enforcement is engaged. But the threat actor, if folks haven't heard about it, is someone claiming the name Scattered Spider.

00:01:42:01 - 00:02:02:12
Unknown
Have you heard of Scattered Spider, Robin? Oh, I've heard a little about Scattered Spider. But for those who are uninitiated, who are they? Yeah, that's a good question. We don't know exactly who they are. Now, there have been some who have tried to analyze not only their methods of attack, but also some of the artifacts that come from those attacks.

00:02:02:14 - 00:02:26:08
Unknown
And they've tried to break them down into age groups. I saw somewhere that they thought it was a group of youths between 15 and 21 years old. Again, a lot of speculation going on, certainly speculation in terms of where they're from, where the attacks may be originating. But they do have a pretty specific fingerprint on the way that they operate.

00:02:26:08 - 00:03:04:09
Unknown
So I thought maybe what we could do today, Robin, is talk about how Scattered Spider works, who are some of their associates, or maybe more to the point, of whom are they associates, and how do they actually carry out their attacks, and maybe even dig... I don't know, you want to dig a little deeper today, Robin? Maybe we actually get into some questions of the MITRE ATT&CK footprint, and maybe we can even talk a little bit about how this could happen to an organization like MGM Resorts that has so much money.

00:03:04:11 - 00:03:22:28
Unknown
How did they manage to breach? What do you think? Does that make sense? Great. I'll get my hard hat and harness and we'll start spelunking. Let's go deeper. I love it. I know a lot of the Vegas resorts, they've extorted me for many dollars over the years with, as you mentioned, Black Hat, DEF CON, right, you know, events.

00:03:22:28 - 00:03:43:02
Unknown
So yeah, let's go deep. So we'll break this down. Should we start? Yeah. We have to understand, Robin, that Las Vegas doesn't run the way that it does because of all the winners that they create, right? So we have to understand, listen, you know, Scattered Spider, very interesting. They're not new on the scene. We've been aware of them for a couple of years.

00:03:43:05 - 00:04:09:00
Unknown
And there are various designations of their name. But obviously, with the recent news, Scattered Spider is kind of the one that seems to be sticking broadly. Let's talk about how they work. Scattered Spider knows what so many of us already know when it comes to vulnerabilities, and that is that the end user is probably the most vulnerable part of what they seek to exploit.

00:04:09:02 - 00:04:42:10
Unknown
So they tend to go for the endpoint. The thing here is that we are starting with social engineering attacks. Oh, here we go again, right. So how are they specifically doing it? Well, they are using, you know, mechanisms like Telegram. So getting on Telegram, potentially impersonating folks, but they're also doing some smishing. Are you familiar with smishing, Robin?

00:04:42:10 - 00:05:09:09
Unknown
What the heck is smishing? Well, smishing, vishing and phishing are all the cacophony of somebody trying to extract or extort your data; they just have a different path to socially engineer. That's right. What have they been doing in this world of smishing? Yeah. So in smishing they are attempting to redirect users. So what they do is they impersonate an IT department, for example, and they may send a message over text.

00:05:09:11 - 00:05:26:10
Unknown
And for those who don't know what SMS is, I think we all use it, but we may not know it. So they will send texts to each other. Yeah. Yeah. But I think we're going to have to get to that at some point. Right on, Bill. Most of the millennials and Gen Zs out there have never sent a text in their life.

00:05:26:10 - 00:05:56:26
Unknown
It's all through Telegram, WhatsApp, Facebook Messenger, direct messages, and 35,000 other types of e-transport. But I tell you, we could have a discussion all in just that particular vein. But yeah, you know, the truth of the matter is a lot of folks still use SMS, right? It's part and parcel of their daily function. And so they may, for example, be phished via SMS to go to what appears to be a corporate site.

00:05:56:29 - 00:06:13:28
Unknown
Hey, this is IT calling. There is some sort of an issue, right, and the impersonation begins. This is IT. We need you to go here and we need you to log in because there may be a potential compromise. And of course, they have a site that looks just like a corporate site. There's your phish, right? And then they get a hold of credentials.

00:06:14:01 - 00:06:33:26
Unknown
The other thing that they're doing, and this is not unusual either, we're starting to see this more and more, is what's referred to as a SIM swap. SIM swaps are fun, right? So what do I do with a SIM swap? Well, if I'm a threat actor, what I would do is I would go and impersonate you and I would basically say, Hi, my name is Robin Johns.

00:06:33:26 - 00:06:52:20
Unknown
You can tell from my stunning good looks. I've had a problem. I know I've had an issue with this phone. Can I please get a SIM card for my replacement phone? And if the carrier, or the person at the carrier, or even one of the third-party providers for some of these carriers, you've got to think about that, Robin...

00:06:52:23 - 00:07:22:18
Unknown
They will literally change your SIM over. And what good does that do? Well, now I potentially have access to two-factor authentication. There's an awful lot of people, Robin, for, you know, doing logins and so forth, that use SMS for two-factor authentication, and your Uncle Bill wants to recommend something: don't do that. That's a really, really dangerous way to do two-factor authentication, right.

00:07:22:24 - 00:07:53:24
Unknown
First of all, SMS is not encrypted. It's just not. But even if it were encrypted, if I can swap SIMs, now I have the ability to intercept that traffic for two-factor authentication. So between having your credentials and your second factor, I've gotcha. The other one that they will use, if you're not using SMS, if you're one of those smart folks who uses, say, an Okta or the like, they will execute an attack that's known as MFA fatigue.

00:07:53:26 - 00:08:13:12
Unknown
Help our listeners, Robin. What's MFA fatigue? I'm going to keep spamming you until you click that accept button. Please, please accept. Please accept. Just like my kids when they want some candy. Please, can I please, can I please? And eventually you just get worn down, much like a rock in a stream. You just... That's right. That's right. Yeah, that's...

00:08:13:13 - 00:08:40:28
Unknown
That's exactly it, Robin. So the lesson here is if you use another multi-factor authentication solution, and there's many of them out in the market space, if you start getting spammed to, you know, verify that it's you, don't get tired of it and simply click accept. I know that's the temptation when your phone is buzz, buzz, buzz, buzz, buzz.

00:08:41:02 - 00:09:18:27
Unknown
Is this you? Is this you? Don't do that. That should be cause right away to contact your IT department, because that means somebody has gotten your credentials or is attempting to change your credentials, potentially, and is trying to verify that it's you by hitting that second factor. Right. Something you have. We always talk about multi-factor authentication: something you know, something you have, something you are, and there's a couple of others, right, somewhere you are, something you do. But don't hit accept if it starts going off and you yourself know that you're not trying to change something or get in somewhere. Call somebody.

00:09:18:29 - 00:09:42:11
Unknown
Don't simply hit accept. But this is what Scattered Spider will do: they'll do that multi-factor authentication fatigue, hoping that at some point you're going to hit yes. And then they've got you, right, then they're in. So that's kind of the initial access portion. And that is a specialty of Scattered Spider, right. They're just very good at it.

00:09:42:11 - 00:10:22:29
Unknown
They use those social engineering techniques. They'll try to phish you, they'll impersonate, they will try to do MFA fatigue and essentially get in. Now, once they're in, they have to start establishing certain priorities in order to get into the environment. Now, most organizations and even many private individuals will run some sort of endpoint protection. So call it anti-malware, you know, call it EDR or endpoint detection and response, any number of abbreviations.

00:10:23:02 - 00:10:48:00
Unknown
So I promised we were going to go a little deep here. We're going to have to get to that point now. So there's really kind of two items that Scattered Spider likes to use in order to try to kill that detection software, to try to kill that anti-malware. The first thing that they'll use is something called POORTRY.

00:10:48:07 - 00:11:15:24
Unknown
This is actually a malicious driver. And the whole point behind this malicious driver is to give it enough privileges that it can kill any of that anti-malware, right, that may happen to be running. And it's really interesting the way that they get this in there. It actually is a supply chain compromised driver, right. So the driver's malicious in that it kills endpoint protection.

00:11:15:27 - 00:11:39:21
Unknown
But the reason that it gets through, particularly on the Microsoft Windows platform, is that it is a signed driver. So it's signed by the Microsoft Windows Hardware Compatibility Authenticode signature, blah, blah, blah, blah. And so the point is the supply chain has been compromised. Is this new, Robin? Have we ever seen this supply chain compromise thing before?

00:11:39:24 - 00:12:05:18
Unknown
Because many, many times, just go back and listen to our back catalog of how you can easily be breached, because once you get that supply chain compromised, you're effectively taking a trusted party, a trusted advisor with all the right labels and wrappings, and everything looks great. But what you're being sold is a duplicate. You might think you're buying that Gucci handbag and you open it up and everything looks Gucci, with a label slightly askew.

00:12:05:18 - 00:12:29:07
Unknown
You've actually been sold a replica, a fake. And like, well, it's not just about making money and selling replicas. Once your supply chain has been compromised, you open the door to so many more vulnerabilities. That's right. With this issue, if it's a compromised driver, shouldn't anti-malware tamper protection really kick in, or does it go one level deeper? Well, it does.

00:12:29:07 - 00:12:53:00
Unknown
It does go that one level deeper, because keep in mind that a driver gets kernel-level access, and that's dangerous because kernel-level access is privileged access. So it can even subvert that. It's funny, Robin, you're absolutely right about supply chain compromise. Probably one of the biggest ones in recent memory is the SolarWinds compromise. That was a supply chain compromise.

00:12:53:03 - 00:13:17:15
Unknown
You know, and when you think supply chain compromise, what you're thinking about is trusting the supply chain. But the supply chain gets disrupted by a threat actor. You just continue to let it in. It's the same thing that we're talking about with POORTRY. We've even seen examples of POORTRY that are literally signed by NVIDIA certificates, if you're not familiar.

00:13:17:15 - 00:13:42:19
Unknown
Right? And NVIDIA is massive in terms of graphics cards, and even used in some, you know, high-performance computer clusters and so forth. So it sort of subverts that in the fact that it is signed. It's trusted because you are automatically trusting it. Okay. It goes ahead and lets it in. Now by itself, it's a little bit difficult still to kind of get that in.

00:13:42:19 - 00:14:04:05
Unknown
So there's another piece to the puzzle called STONESTOP. STONESTOP is a loader, it's an orchestrator. So that's what actually loads the POORTRY malicious driver and gets it into that level where all of a sudden it has privileged access. There's even another one. Not everybody's talking about this, and this is going to lead us down another path.

00:14:04:05 - 00:14:33:08
Unknown
Robin, but there's another piece that can potentially be utilized to pull in POORTRY, and that is BlackLotus. What the heck is BlackLotus? BlackLotus is a new UEFI bootkit. Mm hmm. What is a UEFI bootkit? You want to give this one a shot, Robin? What's... Well, let's start. What's UEFI? I forget what it stands for, but I remember staring at many old flashing blue EFI bootloaders and bootloaders, and that's looking good.

00:14:33:08 - 00:15:04:16
Unknown
Dang it, why can't I get this OS to install? A runtime bootloader, effectively compromising your device before your OS even gets started. You nailed it. Yeah. Perfect. Most people would think of it in an old term called BIOS, right? So it's that part when you first boot up a computer that is responsible for, well, you know, not only making sure everything is up and running from a hardware perspective, but that's the piece that then kicks off the operating system loader.

00:15:04:23 - 00:15:24:10
Unknown
So if I can compromise before I ever get to the operating system level, then I can potentially either load this malicious driver or, heck, I might even just short-circuit the entire thing and boot it in a mode where that endpoint protection never comes up. And where this comes into play... Now I'm going to use a term here that's not my term.

00:15:24:10 - 00:15:44:15
Unknown
I didn't create this. But where this comes into play, for example, is in something known as an evil maid attack. Now, if you're not familiar with an evil maid attack, normally when I say that when I'm talking to folks, they think, what? What on earth are you talking about? So the easiest way to give the example is how it got its namesake.

00:15:44:21 - 00:16:05:17
Unknown
If you've ever stayed in a hotel room, right, you're traveling for business, you're traveling for pleasure, and you bring along your laptop and you utilize your laptop, but it's time to go out and see the sights. Most people will simply, hopefully, shut off their laptop and leave it on the desk, close it up, right. Because that way nobody can log into it.

00:16:05:20 - 00:16:30:23
Unknown
The evil maid attack gets its name because threat actors will literally give malicious USB sticks to the housekeeping staff and pay them to plug the USB stick into the computer, power it on, wait until it does its magic, and then power it back off. No kidding. All right. So BlackLotus is one of those things that can actually do that.

00:16:30:26 - 00:17:03:09
Unknown
And there are multiple ways that you can load that up. So beware the, you know, leaving the laptop on the table, that's potentially dangerous. But again, these are methods that Scattered Spider is using to get that kind of kernel-level access to drop the processes. I did have the opportunity to hear a systems engineer for a particular endpoint protection solution, and we got into... it was a pretty good discussion over some adult beverages.

00:17:03:11 - 00:17:29:00
Unknown
And I said, you know, well, how does your solution protect against threat actors whose first, you know, order of business when they compromise the endpoint is to drop your product, right, to literally kill off your product? And his response to me was, they can't do that. They're not doing that. Are you a gambling man? Would you like to go to Las Vegas?

00:17:29:00 - 00:17:51:29
Unknown
Right. And would you like to talk to the folks at MGM? Come on. I mean, that's how naive... It's, I know, it's very... it's trivial. It's almost trivial to do. Well, we have these protections and so forth. My suspicion was the individual just didn't have the depth and didn't understand that anything can be dropped like that. So endpoints are very, very mutable, shall we say.

00:17:51:29 - 00:18:23:12
Unknown
And this is why a lot of people are moving towards thin clients. It's like Chromebooks are becoming even more popular. But even if that's compromised and you have your EFI or your BIOS bootloader messed up... Yeah, those terminals are still an attack surface. They are just being a fully... I'm sorry. After you. Oh, no, no. I'm sorry to interrupt you, Robin, but you kind of... I love what you said just now, because the next step in the process is to establish persistence.

00:18:23:14 - 00:19:02:04
Unknown
And one of the ways that Scattered Spider establishes persistence is, you talked about desktops, but they'll utilize a virtual desktop infrastructure. So you talk about thin clients. You talk about that being protection. They know that, too. So they will potentially, if they get in and they find that we're in a thin client scenario, they will go after the virtual desktop infrastructure and establish a malicious virtual desktop, which again, if we're setting up defense in depth for an organization, we're going to figure, well, our virtual desktops, those are okay.

00:19:02:06 - 00:19:21:09
Unknown
You can let those do what they want to do. So you're right. And the threat actors know it, too, right? For most people who aren't aware, Windows has a built-in sandbox. So on any Windows device you can go into Add and Remove Programs, Features, and just enable sandboxing, so you don't have to install VMware or any of the other virtualization platforms.

00:19:21:11 - 00:19:48:00
Unknown
So Windows comes with sandboxing and virtual machines included. That's right. That's right. Right. It is. But you know, going back to that, establishing persistence. So again, we've got the initial access taken care of and now we're going to try to establish persistence. And there's a reason we want to establish persistence. The first one, and the most obvious, is that, you know, I don't feel like working for 72 hours straight in order to compromise.

00:19:48:00 - 00:20:25:19
Unknown
Right? I might want to be able to disconnect and come back. In fact, it's wise to do that, because if you have this long-term connection as a threat actor, you're risking exposing yourself, right. And nobody wants threat actors exposing themselves with that. But, you know, there we are, right? Let's establish that persistence, and the way that Scattered Spider's doing it, in addition to what we talked about, you know, setting up virtual desktops that are compromised, they'll use normally acceptable remote access pieces of software like TeamViewer or LogMeIn.

00:20:25:19 - 00:20:52:06
Unknown
Right. These are legitimate. Typically, if an organization uses those, you're going to see that as approved traffic on a firewall, right, or a secure web gateway; you're going to see that as legit. So even if somebody is watching out, what they're going to see is, oh, it's just TeamViewer. We would expect that, everything's fine. So that's the way to utilize legitimate utilities in order to establish that persistence.

00:20:52:06 - 00:21:21:15
Unknown
You know, I know it's very sexy to talk about rootkits and all those good things. But again, I mean, why reinvent the wheel if you're able to get an account in TeamViewer? And I know I keep clicking on TeamViewer. The reason I keep talking about it is not because TeamViewer is necessarily vulnerable, but the fact is when we look at the threats that we are monitoring as an organization, TeamViewer generates a lot of traffic, a lot of flows.

00:21:21:16 - 00:21:44:23
Unknown
So it's a big one and it can be used. So because, you know, it's never good to talk positive about other vendors, but the user experience in TeamViewer is so easy to see. It has a nine-digit character string. You type it in, boom, you have access. That's right. All you have to do is go on to YouTube and look for, like, scammer payback videos and just see people recording them.

00:21:44:25 - 00:22:08:06
Unknown
Yeah, contacting call centers, downloading the file, watching what they do. TeamViewer is great, but then with that simplicity comes this level of risk. I think if you have that implicit trust with who you're dealing with, it goes back to trust again. So I've now established my persistence, which means I can come back. Now, why establish persistence? Well, I've still got more tasks to complete.

00:22:08:06 - 00:22:32:10
Unknown
So far, all I've done is managed to add myself as a trusted user, even though I'm a threat actor. But my next step is, I mean, your laptop, for example, might have some good stuff on it, but I want the really good stuff, right? Because chances are I'm not going to extort you, Robin, for $15 million. I know you only have 13 and a half million.

00:22:32:10 - 00:22:50:08
Unknown
So yeah, I mean, yeah, it's not worth the effort. I'm working on it, Bill, and then one day we'll get there. Yeah, I get you, I get you. But I'm going to want to do lateral movement, right? This is kind of the normal progression of events, which means I'm going to try to branch from your system out into other systems.

00:22:50:11 - 00:23:08:13
Unknown
And there's a few ways I can do that. You know, I may want to escalate my privileges, and a lot of times I can do that by checking to see if maybe you're a member of a domain admin group, or, you know, I can dump credentials out pretty quickly from something like Mimikatz or any number of ways.

00:23:08:13 - 00:23:35:02
Unknown
Right. But I want to start slowly moving through the environment, and Scattered Spider is known to be good not only at moving laterally through kind of, you know, what we might call an on-prem infrastructure, but they're really good at Azure. We've actually observed them, they're very good at traversing Azure, so they've got the skill set, right, to be able to move laterally even through the cloud.

00:23:35:04 - 00:24:00:02
Unknown
And what am I moving laterally for? A couple of things, right? Number one, I'm looking for the valuable data. Number two, I'm looking for potentially additional credentials, right? I'm trying to open up as many ways in as I can. And I'm going to see if you can make a guess. What do you think the tool is that Scattered Spider uses to actually do that lateral movement?

00:24:00:04 - 00:24:26:14
Unknown
Is it simple Robocopy or SCP? Well, they certainly could do that. And that is very much a living-off-the-land approach, right, using some of those commands. But their big one is simply RDP, right? They simply use Remote Desktop. All right. So so far, everything about the Scattered Spider attacks seems very basic. Nothing here is really complex.

00:24:26:14 - 00:24:59:13
Unknown
Or technical. That's right. It seems like anybody with the intent and a little bit of research time can achieve this. But yeah, kind of scary. Hopefully there's more technical stuff coming in the future. If not, then MGM and other resorts, as well as some employee education, is required for this to continue on. Yeah, well, no, and you know there's rationale behind this, Robin. As you already understand, I want to use Remote Desktop because that's probably an approved application in the environment.

00:24:59:13 - 00:25:27:07
Unknown
So this is, you know, as a threat actor, I'm keeping my evil intent secure by simple obscurity. Hey, I'm just using Remote Desktop, right? RDP, that protocol, usually accepted. So that is the one that they tend to use to move laterally. But as you said, there's other ways that they can do that, right? You can use WMI. There's any number of ways; this is simply what we've observed that Scattered Spider uses.

00:25:27:07 - 00:25:59:27
Unknown
Now I've got my credentials, I've established persistence, I've started moving laterally through the environment, and I have found the good stuff, right? The things that I want to begin to operate on. And this is where ransomware comes in, because again, ransomware is typically used for financial purposes. And in our case, we have a double extortion.

00:26:00:00 - 00:26:22:29
Unknown
So single extortion, when it comes to ransomware, is I've encrypted your files, give me money, and I'll give you the key. That's single extortion. Then there's double extortion. Number one, give me the money and I'll give you the key. But the second part of the extortion is if you don't give me the money, I'm going to expose your data on the web.

00:26:23:03 - 00:26:41:24
Unknown
That's the double. And there's actually a triple. And I think we've talked about this, but the triple extortion is now I go to your end users or your customers whose data has been compromised and say, look, they're not paying the ransom. We're going to expose the data. But if you send us $100, we won't expose yours. That's the triple extortion.

00:26:41:27 - 00:27:05:14
Unknown
Typically, we're looking at a double extortion with Scattered Spider. Now, Scattered Spider so far has really served as sort of that initial access organization, right, and that lateral movement. I found my good stuff. Now we want to do ransomware. And this is where, we made allusion to this at the outset, actually Scattered Spider is an associate of Black Cat.

00:27:05:16 - 00:27:33:23
Unknown
Now, what is Black Cat? Who is Black Cat? Black Cat is well known as a ransomware-as-a-service provider. They make the ransomware. So at this point, Scattered Spider pulls in Black Cat ransomware. Now we'll talk a little bit further about the, you know, that whole process of them pulling it in. But what is Black Cat ransomware?

00:27:33:26 - 00:28:01:25
Unknown
Well, first of all, it's written in Rust. If you're not familiar with Rust, Rust is a cross-platform, let's call it a programming language, for lack of a better term, which means it runs just about everywhere. Now, in order for this ransomware written in Rust to run, you have to have what is called a token. It's actually a 32-bit token.

00:28:01:25 - 00:28:33:01
Unknown
What on earth? What is a token? Why would you need a token in order to run ransomware? You have any idea? Mm hmm. Why do you need keys to start a car? Right. So, much the same question. You want to be in control of what happens. It's all about the power. That's right. That's right. Yeah. And actually, the way Black Cat does it is if you become an associate of theirs and they're going to supply you with the ransomware that you want to use, you have to, quote unquote, buy a token.

00:28:33:07 - 00:28:50:04
Unknown
This is how Black Cat makes their money. And typically the way you buy that, it's not like you swipe a credit card for them. You may negotiate. If I'm a threat actor like Scattered Spider, I may negotiate with Black Cat and say, we will give you 15% of the ransom that we extort if we can use your ransomware.

00:28:50:04 - 00:29:12:19
Unknown
And Black Cat will say, Yes, we have an agreement. Here you go. And here's your token. Now you can actually run the software. And this is a model that everybody knows, Bill. Scattered Spider are a managed service provider, right? They are your vendor, effectively. You have a vendor partner relationship with approved discounts and rev rec, and all deals have to be booked accordingly.

00:29:12:21 - 00:29:39:11
Unknown
This is just the world of regular business, but with a shady hat on, maybe a darker shade of black. Yeah, it's true. And there's even an advertising budget, because Black Cat, they're also known as ALPHV, actually advertised that, hey, we were the ones that worked with Scattered Spider to do MGM and Caesars Entertainment, right. So you're very right about this, Robin.

00:29:39:11 - 00:29:58:01
Unknown
This is something that we know. And as far as the mechanism of Black Cat, now we're going to start getting pretty technical here. So just a warning for, you know, the users, and I'm probably even going to share some screens out here momentarily, Robin, just to kind of talk about it. But here's sort of how it works.

00:29:58:04 - 00:30:37:23
Unknown
So Black Cat also attempts to do some privilege escalation by doing some UAC bypass on COM interfaces. Okay. Let's unpack that. First of all, what is UAC? Look, if you work on the Windows platform and you've ever tried to execute something and it says, Hey, this is attempting to do such and such, are you okay with that, and you have to hit approve, that's UAC, right, that's User Account Control. That is a mechanism that Microsoft put in place in the Windows platform to avoid threat actors being able to automatically do things with privilege, even though we've seen that there's ways that can be bypassed as well.

00:30:37:25 - 00:31:00:28
Unknown
So Black Cat actually tries to get around that, because we're going to start working much higher in the operating system stack at this point. So they'll use a COM interface, a communications interface that is unprotected, that typically has a privileged level of access, and they will use that to bypass that window popping up on the system so that, you know, there's a threat actor in there, right.

00:31:01:00 - 00:31:23:19
Unknown
Hey, I'm about to do, you know, encryption of your files. Do you accept? You don't want that window coming up, right? I'm being facetious, but yeah. So that's the first thing that they'll do: they'll bypass User Account Control, call it privilege escalation. Then, on the disks themselves. And you get what I mean by disk.

00:31:23:19 - 00:31:44:14
Unknown
I don't care if it's spinning rust, SSDs, or whatever it is, but in the operating system, within Windows, they have this concept of volume shadow copies. So these are essentially hidden little pointers that literally let you roll back your file system if something bad happens. Why would they want to delete those? Why would they want to delete file system rollback?

00:31:44:14 - 00:32:12:09
Unknown
Robin? Well, if you delete the rollback, then it's easy to undo all of the nasty work. Why should I pay your ransom when I can just lose two weeks of work and still have business as usual and just roll back? Yeah, that's exactly right. So they're going to want to delete those because they don't want you to. And, you know, if you're super conservative and you take those snapshots every day, you've only lost a day's worth of work; you're certainly not going to pay this massive ransom for that.

00:32:12:09 - 00:32:30:19
Unknown
You're going to chalk it up as a loss and move on. And BlackCat doesn't want that to happen. So first they delete all those copies, and then, of course, they're going to try to tamper with event logs and do some event stomping and so forth. But here's where the fun stuff starts, where we're going to start encrypting.

00:32:30:19 - 00:32:56:03
Unknown
So BlackCat uses AES, right? The Advanced Encryption Standard. They use AES-128. So analysis of the malware shows that they generate a random symmetric key. We could do a whole program on symmetric versus asymmetric keys, right? Yeah, right. So they generate the key with AES, and symmetric key encryption, it's very fast.

00:32:56:09 - 00:33:19:12
Unknown
Right? So once they generate their encryption key, they begin the encryption process, and then that encryption key, they will actually exfiltrate to one of their command and control servers using their public RSA key. That's an asymmetric key. So they generate the key, they start the encryption process and they exfiltrate the key. Why do they exfiltrate the key?

00:33:19:12 - 00:33:41:12
Unknown
Well, they don't want to leave the key on the system. If they leave the key on the system, then you can decrypt your files, right? Symmetric key encryption means the key used to encrypt can also decrypt, versus asymmetric, which is a key pair: one key is used to encrypt, the other key is used to decrypt. And, you know, the two cannot necessarily be derived from each other.

00:33:41:14 - 00:34:07:21
Unknown
So they will exfiltrate that. And you know, Robin, they're smart about it, because when they exfiltrate that to their command and control server, they have a tendency to hard code the IP address. Why is that smart? You can just kill the IP address, you can remove the IP address, or you have the authentication control. If things are hard coded, it's easier to work with it, work around it, and also hide if need be.

00:34:07:21 - 00:34:31:14
Unknown
Yeah, that's true. Well, you know, when we even think about the defense in depth solution that we try to bring to the market, DNS reputation is a very important control, right? And if we do a DNS query out to our command and control server and it's, you know, low reputation, or it's been created in the last 14 days, it's going to get intercepted, it's going to get stopped cold.

00:34:31:14 - 00:34:55:08
Unknown
And now I can't get the data out of the environment. If I hard coded my IP address, no DNS necessary, I just don't need it, right? There's no need, no reputation checks, none of that. So they will do that. So, I'm sorry. Go ahead, Bill. I saw a very, very exciting piece of malware out in the field last week where somebody had a dynamic IP address.

00:34:55:08 - 00:35:18:27
Unknown
It was a regular website as a command and control server, and that had good popularity. It was categorized in BrightCloud, or Webroot BrightCloud, as business, and everything was good. However, behind that initial DNS was a solid proxy leading to legitimate and illegitimate services. That's what I'm just saying. Even though we're blocking all the bad stuff, there's still a chance people might be hiding in plain sight.

00:35:18:29 - 00:35:44:16
Unknown
So sorry, Bill, I interrupted you. It just popped to the top of my mind. That is such a great point. And we're going to talk more about that when we get to the kind of the MITRE footprint of Scattered Spider right there. You can mitigate. But this is a race. This is always a race, right? Whether you want to call it good guys versus bad guys, whether you want to call it corporations against threat actors or nation state actors.

00:35:44:19 - 00:36:11:17
Unknown
It is constantly a race. So, you know, I think about this in terms of what we might refer to as a legacy appliance model. Even in a legacy appliance model, where you've literally got hardware sitting somewhere that's trying to protect you, you have to go through the constant work of updating. Listen, you have to do that with endpoints, with laptops, with desktops, where you're constantly patching.

00:36:11:24 - 00:36:37:06
Unknown
This is a race where we're constantly going back and forth on this all the time. So, yeah, you're right. I mean, there are ways that, you know, threat actors get smarter and smarter. Really what we're trying to get to, at least initially, is eliminate the 80% of the easy stuff, the easy attacks, right, the script kiddies, or the stuff that's commodity on the market.

00:36:37:08 - 00:37:05:09
Unknown
But that's very important, and part of this conversation, because, you know, if we get back to what Scattered Spider is doing, so they've already, they're encrypting, they're exfiltrating data for the, you know, for the second part of the double extortion, right? They're exfiltrating so they can potentially broadcast it. And then, of course, they do, they create a file that they then set as the wallpaper right on the system, so that a wallpaper pops up and says, hey, your stuff has been encrypted.

00:37:05:16 - 00:37:28:16
Unknown
Here's the Tor, you know, you have to get a Tor browser and you're going to communicate this way, and our demands, and, you know, so on and so forth, establish that communication with the victim. So we've kind of essentially gone all the way through. If you want to use the Lockheed Martin kill chain, which is a great two-dimensional kill chain, you know, we've gone all the way to actions on objectives, right?

00:37:28:16 - 00:37:57:10
Unknown
We're all the way over there, and game over, literally, right? Slot machine over, or whatever the case may be. Game over. So this raises a few questions, and these have been asked of me multiple times when it comes to ransomware. And Robin, I'm going to share my screen out here in a second with you, because I kind of want to show you the flaw in this thinking.

00:37:57:10 - 00:38:24:09
Unknown
So the thing about ransomware is it's kind of a piece of software. And so I get asked things like, why can't we detect the signature of this software as the threat actor is bringing it in? Man, I've got firewalls, I've got intrusion prevention engines, I've got anti-malware. How come I can't detect a signature, right?

00:38:24:09 - 00:38:50:22
Unknown
Like the ransom note. The ransom note should be the same. Or, you know, a lot of times in the malware they'll put the stolen credentials in there. Or, you know, certain malware, when it does its encryption, right, so when the malware is actually encrypting the file system, it'll skip certain file extensions, because it doesn't want to make the system unstable and crash it by encrypting important file system files.

00:38:50:24 - 00:39:25:10
Unknown
So why can't we detect that signature when that malware is inbound? And the answer to that is we have to understand what a signature is. A signature is nothing more than a hash. And what is a hash? So I have people ask me all the time, and in fact, I've kind of made folks stumble a little bit on this, where I'll ask them what type of encryption is hashing, and they go, is it symmetric or is it asymmetric?

00:39:25:10 - 00:39:57:04
Unknown
Well, that's a trick question. Hashing is not encryption. Hashing is a mathematical function that actually results in information being lost, right? You're creating a fingerprint of some plaintext, right? But what you're doing is you're diffusing the data. Diffusing, not defusing it. There's data diffusion here. It's a digest. You're using a mathematical formula to basically break it down into a fingerprint.

00:39:57:04 - 00:40:21:03
Unknown
Now, here's the interesting thing about hashing, and this is how signatures are built. If I change so much as one byte of my file, my ransomware malware, the hash changes. That's what hashes are supposed to do. That's what data diffusion is supposed to do, so that if so much as one byte changes, that hash utterly changes.

00:40:21:08 - 00:40:46:17
Unknown
We use this to guarantee integrity in things like email messages, or validating that the person who sent it is the one that actually sent it. So hashing is not encryption, hashing is fingerprinting. If I, as BlackCat, change one bit in my malware, I've just blown your signatures right out of the water. I'm going to show you an example.

00:40:46:17 - 00:41:05:24
Unknown
Robin, this is where I want to share the screen. Let's actually look at this in action, if you'll give me just a moment. So this is where you finally show that you're part of BlackCat yourself. Oh, that's funny. That's funny. So what I've shared on my screen, I've got Windows 11 running here in a virtual machine, because I want to be safe.

00:41:05:24 - 00:41:28:00
Unknown
And you can see that I've got two files. I've got a file called Hello, and I've got a file called Erase. You can see that they're actually the same size. Okay. If I execute Hello, it basically says Hello World and I can press enter to quit. Right? If I execute Erase: oh, I'm erasing your drive. Just kidding.

00:41:28:00 - 00:41:57:17
Unknown
Right. Hit enter to continue. Now, obviously, very different files, even though they're the same size, right? They're executing different code. Interestingly, if I drop out here and execute a diff command, so there's my Erase. So this is a command that says, are these files different? And of course they're binary files, but you can see the diff says, yeah, these files are absolutely different.

00:41:57:19 - 00:42:25:20
Unknown
However, if I want to generate a hash, and I'm just going to use MD5 because, well, MD5 is weak anyway, but MD5 is very quick. It's an older one. You can see my fingerprint that gets generated. You can see the last digits here, right? If I do the same thing, if I do an MD5 on Hello, which we know is a different file, do you notice that the hashes are the same?

00:42:25:23 - 00:42:54:19
Unknown
So this is what's referred to as a hash collision, meaning I've got two different files with different makeup, but the signature is the same. That's the other problem. Hashes can collide, which may lead me to a false positive. So changing one bit changes things dramatically, which can lead to a false negative, but collisions can lead to a false positive.

00:42:54:19 - 00:43:23:16
Unknown
What's my point? What am I getting at? Well, my point is, if you are relying on signatures, BlackCat knows that. They actually know that. So what they do is they will not only change the contents of the malware, but the malware itself gets encrypted before they bring it into your environment. Now, once they bring it into your environment, they don't decrypt the entire thing all at once.

00:43:23:19 - 00:43:54:16
Unknown
They do what's called progressive decryption. They decrypt individual portions of the functionality so that, with any of your engines that are running, hopefully they're able to dodge those engines. And it can be very, very effective. How on earth do you prevent something like this? Well, obviously, MGM had a hard time. In MGM's case, they, at least to date, didn't pay the ransom.

00:43:54:16 - 00:44:27:18
Unknown
And by the way, when we're talking about MGM or we're talking about Caesars, keep in mind that law enforcement is currently engaged and they're investigating. So a lot of these things could, you know, information could come forth soon, right, that changes the conversation, so to speak. But just using those as an example. They're examples. This could happen to any organization, company or individual. 100%. Got to keep the lawyers happy, just in case.

00:44:27:20 - 00:44:54:28
Unknown
Exactly. But you're 100% right, Robin, on that. And so, you know, keep in mind that simply looking at signatures of a file coming in: number one, it's so easy to change the signature; number two, the file is going to come in encrypted anyway, right? And any key could be used to do that encryption. And then they will progressively decrypt just to try to stay even quieter.

00:44:55:00 - 00:45:21:02
Unknown
So what's to do? What do you do? Well, the key here is really elevating that security conversation, not only by using defense in depth. So, you know, one example, and we've talked about this on prior episodes, folks will say, hey, you know, can't I, if I have endpoint protection, I don't need next generation anti-malware in a SASE solution sitting on a point of presence.

00:45:21:02 - 00:45:55:08
Unknown
Well, I beg to differ, right? If I'm able to drop your anti-malware on your endpoint and there is no other anti-malware in the environment, I'm like a kid in a candy store as a threat actor, right? Okay, cool. Got him. Right now I just do my lateral movement completely unchecked. Now you really want to have that anti-malware also at the point of presence. The converse holds true too: oh, if I do always-on with my end users and I know that they actually have to connect to a point of presence that has anti-malware, then I don't need endpoint, do I?

00:45:55:10 - 00:46:16:23
Unknown
Well, no, I think you still need endpoint, because especially if you do ad hoc, but even with always-on, you know, there are ways that I can get around that too, like plugging in that USB stick and compromising the bootloader. Right now I can stop your always-on from coming on, right? If you don't lock your laptop in a safe when you're in the hotel room.

00:46:16:24 - 00:46:41:10
Unknown
Right. So just examples of why that defense in depth is really necessary. But really, Robin, to kind of wrap this up, how can I make sure that a threat actor like, you know, Scattered Spider is not able to compromise? And you've already said it, Robin. Step one, educate your users. You have got to educate your users.

00:46:41:16 - 00:47:05:29
Unknown
So what are we educating users on? Well, essentially what we're educating users on is how to identify potentially malicious behavior. That's really what we're doing, right? If my two-factor authenticator is pinging, pinging, pinging, that's probably bad behavior, or a literal alarm on your phone. That's all it is. That's right. That's right. But you need to understand that.

00:47:05:29 - 00:47:21:25
Unknown
You need to understand that that's behavior. You know, one of the big compromises I see happening right now for smishing is, hey, your package is held up, click here for the postal system so that we can get details because your address is wrong, and you click on it and you log in, boom, they got your credentials, right?

00:47:21:25 - 00:47:48:28
Unknown
That's happening a lot right now. Educate your users on these behaviors. But when we talk about behaviors, I'm going to share my screen one more time, Robin, with you. I want to talk about this. This is the MITRE ATT&CK framework. You know that I love it. People have called me a MITRE fanboy, Robin, but the MITRE ATT&CK framework, I think, is beautiful for so many reasons.

00:47:49:00 - 00:48:18:03
Unknown
The MITRE ATT&CK framework isn't going to keep your system safe at night. Let's keep that in mind. You don't install MITRE, you don't have a MITRE product, right? The MITRE ATT&CK framework is a framework that begins to look at things from a behavioral perspective. It's a framework that provides data sources that you can investigate for potential compromise. It is a framework that gives mitigation techniques.

00:48:18:05 - 00:48:43:22
Unknown
It is a framework based upon real world observations. In this case, in this MITRE mapping that I have on the ATT&CK Navigator. And by the way, this is free for anybody to use, right? The MITRE ATT&CK Navigator. You simply go out to the website and you can use it. All of these items that you see colored in, these are behaviors that Scattered Spider uses.

00:48:43:24 - 00:49:15:01
Unknown
Okay. And you can almost think of it like the Lockheed Martin kill chain. You start from the left and you progressively work your way through each of the steps. Here's the lateral movement step. Here's where it's collecting information, right? You can see where they do the data exfiltration. You can see where they actually impact the environment. So based on known behaviors, this is how we see Scattered Spider work, you know, even from the very start, where you see multiples in here of how they're collecting information from users.

00:49:15:01 - 00:49:38:07
Unknown
Right. Whether it's pulling stuff from browsers, redirecting them to sites, and so forth. Now you'll notice that there's green and there's yellow. So the reason that there's a color difference is the solution that you and I are so fond of that we bring to the marketplace. Now, I'm not trying to turn this into a commercial, but these are areas where our solution mitigates those things.

00:49:38:07 - 00:49:58:16
Unknown
And you can see it's not all of them, right? There are some pieces that we are not able to directly mitigate. But what I'm always looking for on the MITRE ATT&CK framework is, can I disrupt an entire column? If I can disrupt an entire column, I've stopped you. Right? You may use this technique and it fails, and this technique and it fails.

00:49:58:19 - 00:50:18:19
Unknown
But of all of these, this one suddenly works, right? This is, as you can see, this is the supply chain. Remember we talked about that driver, that signed driver? That's a vulnerability that happens on that particular endpoint. That is at the kernel level, that, you know, maybe we're not able to mitigate. But as we go down the kill chain, look at persistence.

00:50:18:21 - 00:50:43:00
Unknown
Persistence is completely disrupted. This is where the MITRE framework is very valuable, where I can identify those potential points to stop them. You'll also notice that privilege escalation, we're able to stop cold. We're way left on the chain here, before we've ever gotten into, for example, lateral movement, which we can potentially stop, right, the entire column. Here's the point.

00:50:43:02 - 00:51:05:00
Unknown
The MITRE ATT&CK framework is very useful in this case for understanding how Scattered Spider works, because it's giving you the opportunity and the knowledge base that says, here are the choke points. Even if we weren't talking about the solution that, you know, is so near and dear to you and me, I can still use the MITRE ATT&CK framework, because it will say, monitor these data sources.

00:51:05:07 - 00:51:35:14
Unknown
And if you notice that it's happening in these data sources, here are the mitigation techniques. Problem is, that's a lot of work. It's a lot of work, Robin. You're going to kind of go one at a time. So I share that information because I think it's very important to start looking at things from a MITRE ATT&CK perspective. It's not the end-all, be-all, but it gives you real world intelligence where you can not only potentially mitigate, but now you can do things like adversary emulation.

00:51:35:21 - 00:52:08:25
Unknown
You can practice in your environment, because when the attackers come, and they'll come, incident response is critical. You have to know how to react in a way that is effective and efficient, right? That stops that attack. When you have the opportunity to do a SOC assessment, right, if you happen to have a security operations center and you do an assessment, you begin to identify areas for improvement in your incident response.

00:52:09:01 - 00:52:34:19
Unknown
When you can do adversary emulation, you can check your security posture, you can check the solution, or, if you're unfortunate, the multiple solutions that you have to manage from a security perspective. The MITRE ATT&CK framework gives you the ability to do that. So, boy, what a tour into Scattered Spider. It worked, right? They were effective. They compromised users.

00:52:34:19 - 00:52:54:07
Unknown
And, you know, for ten days MGM was down. In the case of Caesars, they paid the ransom. And look, we've talked about paying the ransom. You remember Uncle Bill six is, we might say, don't pay the ransom, because you don't know for sure that they're going to act in good faith. Well, you know what? The threat actors are smart in that, too.

00:52:54:09 - 00:53:26:13
Unknown
They're starting to say we will act in good faith, because they know that they're not going to make any money if they don't act in good faith. So they're being just as intelligent about it, too. Robin, at the end of the day, it's business, and customer satisfaction, customer service and respect matter. Whether that be BlackCat promoting the good work they're doing, like outbound marketing, or having people like Scattered Spider providing a positive customer experience to increase those retention, renewal and upsell rates.

00:53:26:15 - 00:53:47:11
Unknown
At the end of the day, business is business, and it depends on the ethics of the individual and perception, like what you were saying, just from Anakin Skywalker in Star Wars: from my point of view, the Jedi are evil. And that's exactly the same thing that is happening out in the cybersecurity landscape. And people see it as defense and attacks.

00:53:47:12 - 00:54:05:11
Unknown
But in reality it's just a constantly evolving war. And just like the military, you need to constantly practice, you need to constantly simulate and you need to constantly prepare, because one day it won't be a drill, it will be reality. And if you're not ready to tackle that, well, you're going to be in a very, very poor situation.

00:54:05:13 - 00:54:37:15
Unknown
You know, Robin, I want to kind of end my comments on the human and social aspect of this. Scattered Spider in particular, and, you know, the affiliate has said, and they spoke specifically about MGM, that the reason they did this is that they felt that MGM Resorts treats their customers poorly in the whole lodging experience.

00:54:37:17 - 00:55:02:06
Unknown
And they felt that MGM, and these are allegations, but that MGM had some shady practices concerning shares in the stock market, investing and so forth. So they feel justified in doing what they're doing. This is kind of the Robin Hood syndrome here, right? We're going to rob from the rich, but we're going to keep it.

00:55:02:08 - 00:55:38:29
Unknown
But, you know, they're making a point, and we need to realize that. Look, we understand that. We're just trying to do business. That's all we're trying to do. We're trying to do business. And, you know, companies that mine for lithium to make those beautiful long-living batteries that work in your laptop, that enable you to conduct business, you know, to them that's a good that they're doing, and they're bringing solutions to the market. And yet, you know, somebody with a deep concern over the environment may see that as literally stripping the planet of its resources and causing irreparable harm

00:55:38:29 - 00:56:04:26
Unknown
and damage to innocent people, to innocent creatures and so forth. And so they feel socially compelled to do something about that. So you're absolutely right. We have to think of this in human, psychological, behavioral terms. This isn't just bits and bytes. And so the race, as you say, will continue. And we need to, as people in this industry of cybersecurity, we need to keep that in mind and we need to practice that way.

00:56:04:26 - 00:56:24:28
Unknown
I think that's very important. So I love what you said. Well, the race is on, and I think we're kind of over time today, Bill, but thank you for that deep dive. It was very much appreciated. And I've come away thinking I'm not going to leave my laptop unsecured in hotel rooms, and I'm also not going to trust the safe in hotel rooms either.

00:56:25:00 - 00:56:34:15
Unknown
I think I'll just keep that device firmly attached to my body, on the plane. Thank you, Bill. Until next time, you stay safe out there. Take care, Robin.