transcription of Storm⚡️Watch | "Voldemort" Espionage Unveiled & Legal Firestorm in Columbus

Welcome to Storm⚡️Watch by GreyNoise Intelligence.

Each week, we drop the latest info on what's happening at GreyNoise, Censys, and VulnCheck.

Take a look at a roundup of important and timely cybersecurity topics,

toss out some expert opinions, and, of course, you know, drop the occasional conspiracy theory.

Today, we're going to talk about ransomware.

We'll discuss how the U.S. government has issued an advisory on the RansomHub ransomware group,

which is believed to be responsible for a cyber attack on oil giant Halliburton.

Then we'll examine this really, frankly, bizarre legal battle unfolding in Columbus, Ohio.

The city has taken the unusual step of suing a security researcher after he publicly

contradicted official statements about a recent ransomware attack.

Then we'll shift gears to examine the controversial legal battle.

I'm reading the same paragraph I just read.

You're killing it.

You nailed it.

We'll also talk a little bit about IPv6, as well as a pretty unusual method for C2

that Proofpoint covered in a recent post. So we'll talk about that as well.

If you're watching the live stream, you might have realized that I am not Bob.

In fact, there is no Bob and there is no Glenn.

This is particularly timely, as I've just been informed that September 1st is

Women in Cyber Security Day. So here we are.

We exist.

We exist.

There are dozens of us.

there's so many notifications this morning.

For people working yesterday?

You know, all the people who worked yesterday who just cannot, cannot put the work down.

Or maybe they weren't lucky enough to get to put the work down.

Yeah, there's a lot of notifications, but it's good.

Yeah, fair.

It's Labor Day, aren't we supposed to labor?

Exactly.

I feel like that's a good excuse, right?

Like, Kylie.

Labor on Labor Day. It's fine. I know that's not the intent of the holiday, but, like, okay. Um.

All right. So, Kimber, if you could instantly become an expert in anything, what would it be?

Okay, I thought about this a lot. I thought about this deeply, and I really want to be an expert

in, like, plants. I feel like I'm really getting the hang

of, like, house plants in general, but, like, all plants. I want to be able to look at a plant

and know what kind of plant it is, because the amount of time that I spend on hikes being like, oh, I

wonder if this is poisonous, is actually a pretty high percentage of my time. So just the ability to know

mostly, like, what plants are going to kill me or might kill somebody seems like a really useful skill,

as well as, like, how to keep things alive.

Seems powerful. Amateur botany is actually a very dangerous place to be, because

that's why I think it's so good that you're going to be an expert, because you never really want to

guess wrong or be like, oh, made a mistake, when you're trying to decide whether something is

poisonous. So I support. Exactly.

Good morning. How are you? How was your long weekend? It was amazing. It was amazing. And

And it's it was infinitely better because it's officially fall.

I don't care what the calendar says. It's fall. And that's my favorite season. So I'm having a ball.

Ball and fall. There we go. Nailed it. All right. Well, Himaja, if you could instantly

become an expert in anything, what would it be? I did not think very hard about this.

So now I'm having doubts, but I would say probably cooking. I would want to be an expert cook.

But now I'm kind of second guessing myself because I've heard that people who are experts at cooking,

when they have the chance to cook for themselves, usually we'll make like craft mac and cheese

because they're so tired of like being so good at cooking all the time.

But I still, I would do that. I would try it being an expert in cooking for a little bit because I think

that would be such a fun thing to do for other people.

Yeah, I feel like there's a lot of benefits to being able to do that.

Like you host, you can like, you know, gift people

wonderful things to eat. Like, I think there's probably a whole lot about that. That's pretty cool.

Ashley, what about you? Overwatch? What thing would you want to be an expert? Oh, my gosh. Okay.

I'm going to say something like make money like counting cards or the stock market. I like this.

Yeah. My brain did go there for a second. And I was like, no, I want something wholesome, something pure and good.

But then I was like, oh, you can do murder with plants. So, you know, there is.

no ethical being an expert.

Everything is a weapon if you try hard enough, I think. I think that's the takeaway.

Yeah. Emily, what's yours? I, so mine, I feel like now I'm doing the Glenn thing where I just

like rip off other people's answers. But I actually, so dendrology was the thing I picked. So specifically

like tree, I couldn't remember the word. I like Googled what is tree science? But yeah, so like there are a bunch

of trees in our neighborhood that have like interesting, like I don't know what they are and some of them have like,

No.

like they're diseased, like maybe have a fungal situation going on or things like that. And I would

love to just be able to know like, what's going on with you, Tree? Like what's happening? I don't

understand how all this works. I think it's really fascinating. And so yeah, probably like

Dendrology, like maybe a little bit of botany too because there's also some like, we have some really weird

like mushrooms growing in our yard. I would love to just be able to be like, yep, that's what

that is. That's how to get rid of it or don't touch that. Don't eat that or maybe.

throw them in a pan and saute them. So yeah, I think that would be. Yeah. I think a lot of people are

like very curious about the foraging as a skill lately. And it's been really interesting to see like my

friends post on their Instagram stories like, oh, I found these mushrooms and now I'm going to eat them.

And I'm like, wow, you are braver than I am. That is such a choice. Yeah. Like, do they know what they're

doing? They must. Or they don't and they're just going for it. I mean, the worst that happens is well

that.

I guess.

Yeah.

I was like, the worst that happens is that's it.

That's they die.

Hopefully not.

But you know.

Hopefully not.

Yeah.

So as a reminder, I feel like I have to like give the obligatory.

We have a podcast blurb.

Like Bob might hurt me if I don't.

We have a podcast.

You know this because you are listening to or watching it.

But if you want to catch up on episodes or you want to share with your friends, you can go

to stormwatch. I and find all the episodes,

find the back catalog, peruse to your heart's content.

So now, I guess, for a little shift away from, you know, death by plants,

something more uplifting, ransomware. So a couple of stories in the ransomware bucket today.

The first is about this U.S. government issued advisory for a ransomware group that was

blamed for the Halliburton cyber attack. So the U.S. government recently issued this advisory

around

RansomHub ransomware, which has reportedly encrypted and exfiltrated data from over

210 victims since its emergence in February 2024.

This group, a ransomware-as-a-service variant previously known as Cyclops and Knight,

employs the double extortion model to target various critical infrastructure sectors,

including healthcare, IT, and government services.

And they've attracted affiliates from other notorious ransomware variants as well.

So I just want to talk a little bit about this.

So.

I think you mentioned this. It feels like the Halliburton attack was like a long time ago, but it wasn't.

Yeah, it happened like August 21st, but I feel like it happened years and years ago, but that's just the security news cycle, baby.

Yeah, it really moves, because I agree. Like this felt like it was so long ago, and I was like, oh, why an advisory when it happened so long ago?

But it really was two

weeks, maybe. Yeah. So Halliburton, big deal, because gas and oil. Yes. Yeah.

Yeah, yeah, critical infrastructure. But what's interesting that I saw in the original

article is that, like, none of the victims mentioned by the advisory were in the

energy or oil sectors. So

I could, maybe I'm wrong, but yeah, so I think the jury is still kind of out on

whether it's truly Halliburton, but all signs seem to point to that. But it'll be interesting to

see what comes out in the next few days. I think it's also like important to

distinguish with this Halliburton one in particular that it was labeled as an

extortion campaign more so than, I mean, like, in the sense that they didn't

ransomware things with the intent of like, oh, we're going to blow up all the gas and oil.

Like it wasn't a physical attack as like the goal of this thing. It was they grabbed a bunch of information

logins potentially. Like that was kind of the idea was that they were more doing data like grabbing

than like trying to attack systems. If that makes sense. I feel like I'm kind of

like they're not trying to compromise the systems that control the gas and oil but

they're trying to get the data that would allow them more information on how to do so I guess

maybe or like the high value like high money targets so is that the is the is the intent of

the advisory like to say to these targets like here's all of the other ways that you can be compromised

like it's not just going after your critical systems or like what's the intent there?

Yeah, I mean it read to me a little bit like I mean yeah like an awareness document.

And one thing that I thought was kind of interesting too, we linked to this in the show notes with

the Security Week publication about this. I could be wrong, but I don't think Halliburton has

actually, like, I think right now it's all sort of open speculation that it was RansomHub

somehow. Like, I think it's pretty confirmed but not confirmed, which I think is interesting.

And at the time this particular article was published, this is a couple of days old, so I need to check.

But it looked like their leak website didn't mention Halliburton.

That might have changed in the last few days. But like that's also kind of interesting. So maybe

they're negotiating right now, maybe like I don't know. What does that mean? What do you all think

about that?

I don't know. There was an SEC filing. So I think

that's pretty straightforward of like, if there's a filing, there's unauthorized third party access.

So I want I do wonder like, oh, are they taking credit for somebody else's work or

with the the actor? I think that's kind of the thing that comes down to is like

attribution is a really interesting like sketchy field to the end.

And any cyber criminal can claim dibs, right?

Technically. The other interesting thing I noticed from the advisory was all of the CVEs are older

that were used to gain initial access. I think the newest one's from 2023. Yeah, going back to 2017.

Which I think we noted before. I'm having deja vu right now. But yeah, that timing,

there's something a little bit weird with that too. But again, why use new CVEs when you have

so many good old ones.

Yeah, don't burn the new stuff. Like, just use the old ones because no one's patching.

Yeah, they still work. They still work for a reason.

I don't have much more to say about ransomware. I'm going to be honest.

No, that's fair. So, so kind of, well, along those lines, we do have one more

Ransomware topic, but I think this is like a slightly different take on it.

The next thing we want to talk about,

ransomware related, is the city of Columbus suing a researcher after he proved that the stolen data

is actually legit and harmful. So if you haven't seen this story,

Columbus, Ohio has filed a lawsuit and obtained temporary restraining order

against a security researcher after he contradicted official claims about a recent

ransomware attack. So on July 18th, 2024, the city fell victim to an attack by the Rhysida gang,

which claimed to have stolen six and a half terabytes of data.

The Columbus mayor stated on August 13th, the stolen files were quote, unusable due to encryption or corruption.

But the researcher actually presented evidence to local news outlets showing that the data published by

Rhysida ransomware group was fully intact and actually did contain highly sensitive information about city employees and residents.

In response, the city sued this researcher for damages, claiming that his actions of

downloading and sharing the data amounted to interacting with criminals and making sensitive

information publicly available.

What do we think about that?

I love "interacting with criminals."

Consorting, relicking,

just dilly-dally-dallying.

This, this is like a perfect rage-bait article.

Like, I could not have dreamed up a better one, because there is, like, I tried to find, I tried to find,

I tried

to play devil's advocate. I tried to find like some nuance, but really what's even,

what's more humorous to me is like I feel like we would not have heard much about this

ransomware attack if they hadn't sued. So if their intent was to like kind of cover their tracks and

hide things, then I think they did the opposite of that very successfully, the city of Ohio.

I think my favorite part is that

the very end of the Ars Technica article mentions this of if you go to the website, the sensitive

data remains available to anyone who looks for it. And so because of this order, the guy can't

disseminate to reporters, but like the data is very much like still there. So what are we really,

what are we really accomplishing here?

It's like a band-aid on the situation.

It's, yeah, it's like a, yeah, I don't even have a good analogy.

Like, it, oh, I think we talked about this pre-show, but a few years ago, I think that it was the

state of Missouri that attempted to, like, sue or, like, charge a journalist who, like, did

view source on a web page. And this kind of, to me, has the same sort of vibe.

It's like this fundamental misunderstanding of technology by people in power,

and then

sort of like trying to get ahead of it and making it way, way worse, a la, like, Streisand

effect.

Yeah, like what is the true solution to this?

Is it just we need more cyber law?

Like we need more lawyers who are like experts in cybersecurity.

Is that the solution?

Well, like, I also wonder, like, who was like, yes, this is a good case.

Let's pursue it to that, to that point.

Like, what?

It's out there.

It's public data at this point.

I mean, public.

I use the term, but like, it's widely available if you want to go get it.

And I think, you know, this researcher was trying to show like, hey, actually, you all are lying about all these people's data.

I want them to know that it's actually, like, it, it, it, the data is like usable by someone who, like, downloads it.

And it's like, getting slapped on the wrist

for it? I don't know.

And that's the like this is, it's 6.5 terabytes of city data.

Like has anybody from the city like actually investigated what's in there?

Like has there been notifications?

Like what are they, what load are they trying to escape by like effectively punishing

somebody for saying it's out there, I guess?

No.

Oh, sorry, go ahead from the job.

No, I don't.

I was going to say, I feel like there's something else going on here.

Like maybe there's something else being swept under the rug.

But I would kind of argue that the system works a little bit how it should.

Like, there's a lot of friction to filing lawsuits like this, even though we're in America.

And like, the reporter was still, is still able to talk about the situation and like talk about the data.

They just can't disseminate it, which they've already kind of done.

So I don't think the lawsuit did any damage.

And I think it shouldn't.

So it works sort of.

It's just so much.

It's not an illegal system.

Like, the city is the one suing him.

Like, if it were, if it were like some wackity case where he was suing the city for, like,

not doing anything about this, it'd be like, okay.

Annoying.

But like, the fact that you can be a researcher and, like, think that you're doing something

good and then some government authority is like, no, shut up.

Like that's what's icky.

I do not like it.

Emily, what were you going to say?

No, sorry.

I was just going to say, I think, so Kimber, that point that you're making is actually

something that I thought about a lot when I was reading this is sort of like,

there are already some like weird precedents around like being a security researcher

and trying to disclose things responsibly and ethically.

Like that's already sort of

a minefield.

And this just feels like more kind of adversarial.

Like let's make it even harder for someone actually trying to do the right thing or

trying to point out like, no, this is actually a problem.

This is actually bad.

You need to know that it's bad.

People of, you know, Columbus, Ohio.

So it's weird.

I'm curious.

Like, do things like this, I mean, are they going to like dissuade people from trying to like do

the right thing?

Is it that important?

Is it that?

Is it that harmful or is it just like just sort of an annoying news story that's going to die?

I feel like we've seen this happen before is the thing.

Like even if it wasn't a full lawsuit, vendors bash security researchers all the time

for publishing proof of concepts, like things like that. And it's still like the wheel keeps turning.

But I do think this set kind of a scary precedent if it could be like escalated more and

potentially destroy the person's life. So maybe we have like an amnesty

protection for people who like state the facts on this sort of thing, kind of similar to

the amnesty laws we have about like disclosing like underage drinking and drug use and stuff

like that, where you, you're immune, but you can still talk about when things are hitting the fan.

It's the kind of thing that makes me think like there needs to be better pathways.

Like if there was no, it makes me think about like, okay, why did

this guy do the thing that he did? Like, why did this researcher go the route that he took, and

like, what caused the city to be like, hey, the way that you went about this, like, we're now suing you for?

So it's like, was there a good pathway for this researcher to report what he found? And maybe,

like, because there was no good pathway, like, he's posting stuff online and it seems like a slander campaign

or

something like that. So like I think about reporting a lot because that's kind of how we get

into the pickle of like, this company didn't respond. Or this company, like, I reported it to them and

they, you know, they told me I was wrong and all this stuff. So I think that's where things go really

wacky is like, there's no good reporting pathways for things like this where it's like there's something

hosted on the dark web. Like, I honestly,

I'm not even sure how I would get in touch with somebody who, like, actually gave a damn at a company about that,

like much less a city. Like do I go to a city council meeting?

how would you go about that?

It feels like so kind of along those lines like in some of the research our team has done like earlier this year,

like one of the things we were trying to do was send notifications to companies of like,

hey, you have a thing exposed on the internet that really shouldn't be.

Right.

And it

was one of the, like, most depressing experiences I think I've had because one, like, nobody uses, okay, nobody uses security@ externally.

Security@ is internal. It's blocked by Outlook rules. You can't email anything to security@, which, okay, fine. You also don't have, like, a

security.txt file. You don't have like a contact us, like get in touch with us security type of page. And so then you're like running around trying to find the best potential

contact who might might have some reasonable like understanding of the issue you're

trying to like tell them about and like have the technical understanding to be able to like affect

change or like to be able to explain internally why it's a problem and it's just like nobody responds like

half the time the messages don't get delivered no one responds it's just it's like there is no

No, and this is a very specific case, right? Like this isn't like we found a bunch of data on the dark

web or deep web and we're trying to like go tell someone about it. This was just

like, we found a thing in Censys data and you need to know about it because it's really, it's harmful.

And the hard thing about doing that as like a representative of a company like Censys,

like then you're accused of ambulance chasing and you're like, no, I just don't want.

Right. We're like we have no. Yeah, like just please we just don't want to see these in our data.

We would love for them to just not be online. That's it. Yeah. It's like that thing I hit you up

about the other day of like, oh, there's some spicy things in this botnet data. Like,

Yeah.

It really should not be in here.

Like, who do you even talk to about that?

Well, and that's a whole other question too, because if I remember correctly, like, one of the things we were talking about was like, it's like SOHO kind of equipment.

It's like a lot of it is like router sitting in someone's like closet or something.

And it's like, what do you, do you just contact the ISP?

Like, it's.

Yeah.

Yeah.

There's a comment about if someone at CISA sent an email, it would get noticed.

Yeah.

And I think that is what it takes, is some sort of government official that's higher up in the government,

some sort of person that they're used to seeing PDFs from about IOCs and all of these things,

you know.

Todd, we've got some things to talk about.

Look for some messages after this, Todd.

Yeah.

Well, that got completely depressing.

Yeah.

Okay.

a couple.

Kind of, let's just keep it rolling, I guess.

Keep it like, Gary.

Yeah, you know, for something a little bit less depressing, I guess, and I maybe say that tongue-in-cheek.

I don't know.

IPv6.

We were remiss and did not talk about this like a couple weeks ago, but we should talk about this.

Kimber, you have strong feelings about it.

Let's talk about it.

I'm just like the resident IPv6 expert of any group that I am in.

I look up to so many of us who understand the deep IPv6 knowledge, and it is truly deep.

I've read so many IPv6 RFCs.

This protocol was built to, like, be in place in high-speed, like, data centers.

It was meant to transfer just, like, absolute ass loads of data.

I don't know if we can say ass on the show, but anyway.

Just keep going.

So, like, there's some really interesting things that happen with IPv6.

There's a lot of flags that account for jumbograms and the caching of data.

And when you have all of those flags, you have to make sure that your operating system can handle that.

So that's, like, mainly where we see all these IPv6 vulnerabilities come from, is the things that have been added into the protocol to improve,

like, the caching of data so that these massive, like, information transfers can come through,

because, like, that's one of the main benefits of the protocol beyond, like, we have so much ability

for addressing, like, we'll never have to worry about an IPv4 address again, like, if we switch over to IPv6.

So, like, all of that context in mind, like, the hype cycle around this Windows CVE that

had, like, I think it was like a 9.8 CVSS score.

So, like, they were thinking it's super trivial to, like, throw the PoC

and, like, get a blue screen from a Windows machine.

So that's where all the hype was coming from was just like the issuance of the CVSS score

mixed with the fact that it was IPv6, which is something that nobody understands truly,

except for those of us who

have hyperfixated on it, and then the combination of it being Windows as well.

So, like, Windows, very widespread, IPv6 on by default.

Like, there were all of the makings for this to be a widespread thing.

But thankfully, like, looking at the patch diffs on this one, like, actually getting into the exploit and, like,

taking a look, slowing down, like actually thinking through it.

Like, there's some really good articles about it, like breaking it down.

And I'm not going to go super in depth to like the memory addressing and everything.

But it's creating conditions where,

summing it up in my brain, in my understanding of it, like, you have to be able to create

like, conditions that are similar to a denial of service.

And then

where things get wacky is Windows and their handling of that error condition.

So that's what causes the blue screen, like this memory allocation issue, like, error handling, not good.

Like, it's just such a niche case that, like, this only led to improvement of how IPv6 is handled.

So that's cool.

But like, there's no way that

you could do mass exploitation of this.

Like, for one, you'd have to actually find the IPv6 devices on the internet, which is getting easier,

but like still-

Really hard.

Yeah. Like, what does Censys even do for IPv6, like, scanning the internet-wise?

Like, DNS records.

Yeah. So you'd have to have, like, DNS, anything with a DNS record, which is not, yeah, not, not,

I don't know where we're at with that.

But then, yeah, IPv6 just is hard to enumerate.

And then, like, being able to have the network, like, the appropriate network conditions

to even trigger this vulnerability, very particular.

Like, we can even see a lot of the researchers, there's like, hey, this is really inconsistent.

Really just, like, I get the blue screen sometimes, but I can't reliably do it all the time,

because it

relies on denial of service conditions.

And then on the other interesting side of that, it's hard to detect.

So even if you are able to create the conditions, like, you have to be able to

hold in your detection algorithm, or not algorithm, detection, like, your Sigma rules, whatever

you're using, your firewall, like, it would detect the denial of service before it could even

detect, like, the exploit conditions being met in Windows.

So like, it would be hard for your detection to even like get to that level of like, oh,

we recognize this exploit being thrown.

So there's a lot of interesting things here.

I could go on about IPv6 forever, but anytime you see an IPv6 vulnerability show up, I think

you're going to see the hype cycle about it. That is kind of the sum up of my thoughts on wrapping

all those threads. Now that we have, like, all of the proof of concepts, all of the research, like, coming out, like, all of the walkthroughs on, like, hey, here's everything that happened, so maybe collectively we're all a little bit more interested in IPv6 now, which is kind of cool. But at the same time, there's a lot more flags to exploit in that protocol and a lot more devices that need to learn how to handle it. So I expect more this year. Prediction. Does

say that prediction. For what? Do you know that we don't? We might see more. Well, like, one thing we talked

about, I think before too, with this is, so, right, like, just the challenge of, like, finding the devices. Like, yeah, you might

happen upon them, like, in a scan, an internet scan data set. That's obviously not going to be

comprehensive, but, like, to know that someone is using IPv6, you might, like, just already be in the network anyway, in which case you don't

really need this, like, you have other options. Um, so yeah, IPv6 is a fascinating,

a fascinating thing to me in general, and I, like many security people, just kind of pretend it doesn't

exist a lot of times. Like, IPv4, you're so straightforward, I love you. Um, but IPv6 is like, yeah, I, I'm,

I'm curious, Kimber, when you think we'll see, like, an IPv6 cylinder, and maybe we have already, this is how, like, out of

the

loop I am on IPv6. Like, an IPv6 vulnerability that's, like, actually really bad, like, concerning,

like, low complexity of exploitation. Yeah, like, how soon? I don't think so. I don't think that we'll

ever see. Protocol vulnerabilities are a thing, right? Um, they're very rare. And, well, I think they're very rare.

I, I don't know how rare they actually are. Probably super rare, because our, uh,

protocols generally go through, like, an RFC process and there's a lot of scrutiny, you know,

like, until you get down to the weirdo protocols of, like, all the OT systems and interoperability

of, like, systems. Like, those are weird. So, like, the vulnerability in IPv6 itself, like, I don't think we'll

see. Um, it's, it's one of those things where it has to be conditions like this. It has to be,

like, Windows handles IPv6 in a weird way. Or I could see, like, OS X kind of develops toward

IPv6 because they're very, like, bleeding edge in all their protocol operability. So I would be surprised to see

it in OS X, but where I think we would see something very, like, widespread and interesting is in some kind

of routing equipment. So something like a firewall

or want to be like a WAF, something like that, I could totally see there being just a weird,

a weird thing, but I do not think it'd be trivial enough to be widespread.

That would be, I mean, I don't even know how many vulnerabilities there were in IPv4, but yeah,

like that, um, Taub brings up a good point about the Teredo stack.

Like, the IPv6 to IPv4 conversion is where there's a

lot of weird errors that can happen. I think that stuff is very trivial, of like, the

mitigation for, like, making things talk to each other, I think has a lot of potential. So we see that a

lot in Windows. So Windows is going to be it, if we're going to have an easy one.

I feel like Windows is just, yeah, uh, yeah, Windows is, like, that ever, that ground for

all of that tends to happen. Bob has a good question: is Censys seeing

any growth in IPv6? Are you finding more hosts with IPv6 enabled? I don't know off the

top of my head. Himaja, do you, have you looked at this at all?

Um, it's mostly cloud right now. That's just like big, just a ton of edge nodes, but I can look in more.

I think it feels again, it's like the Wild West, which is kind of why.

just having Wi-Fi problems maybe?

The Wi-Fi struggle. Yeah.

I know there's a, there's some metric about mobile networks where the mobile networks are like almost

100% IPv6 at this point, except for like the main routing, like nodes and things. Like,

all of your mobile devices are run on IPv6 if you're connected to 5G or LTE.

Yeah, I think it's a matter of time. Like, I think it's a matter of time.

Yeah, I've noticed that.

IPv6, yeah, are you having IPv6 problems?

But yeah, I think it'll be interesting to see how that grows.

I mean, I imagine like a lot of telcos are probably also like on that adoption path as well,

or have them for a long time.

I'm, yeah.

Cool. Any other thoughts about IPv6 before we?

You know, I will always love IPv4 more.

I mean, who wouldn't? Like, it feels much more tangible and, I don't know, like a problem that you can kind of get your arms around. IPv6 does not.

Yeah, but I will say learning how addressing works in IPv6 makes you feel like a wizard.

So I actually don't know how that works. So now that's, that's on my list. I have a special, a special Storm⚡️Watch where you, like, walk us through how that works.

Oh, I think it's

just me and you now. We lost Himaja. Oh no, we lost Himaja. Oh no.

Himaja has been having connectivity issues. Oh, um, all right, well, we're going to keep

rolling and hopefully she regains connectivity. That was very ironic. Um, yeah, we talked too much

crap about IPv6 and she was just out, or her device was like, nope, I'm done, internet said no more packets.

so so next up there was one so Kimber you brought this story up I think

I think this is really interesting.

Proofpoint researchers have uncovered a suspected espionage campaign delivering custom malware called Voldemort in August 2024. This campaign impersonated tax authorities from various countries in Europe, Asia, and the US and targeted dozens of organizations worldwide. This attack chain utilized both common and uncommon techniques, including the use of Google Sheets for command and control.

I'm just going to let that sit for a second.

Yeah, flip that marinade.

Yeah, Voldemort is a custom backdoor written in C, and it's got capabilities for information gathering and delivering additional payloads.

And one thing that I think we should talk about too is the campaign's large volume and targeting characteristics tend to align more with like cyber criminal activity.

But the nature of the activity itself and the malware's capability suggests an espionage objective rather than financial gain, according to Proofpoint researchers.

So let's talk about this. There's a lot to unpack in this story. This is interesting.

I know your favorite part is that Google Sheets is C2.

It's incredible, but there's like more about this that's interesting. But like that is just so

like I hate but also love to see it. I don't know.

And like isn't the condition of that is like the good. It's not just like Google

sheets like they're not just getting into the cloud. It's like Google sheets, but specifically

the offline version that gets stored on your computer if you're doing like the desktop sync.

Like is that the deal?

Actually, that's a good question. I actually don't know. I know it's related to the API or like using like,

but I don't recall if it's the offline piece actually. Yeah. That's where I got kind of kind of lost.

and also

So there was a section in this where they were like really just deconstructing everything.

I've never heard the term egg hunting when it comes to malware, like threat research.

But I thought that was just such a fun term.

Like Easter eggs, egg hunting.

like Google.

Yeah. Yeah.

Yeah, the Google Sheets infrastructure for C2 was definitely, I think, what caught my eye about this too.

And it's really interesting because they're not using, like the researchers point out, they're not using dedicated infrastructure.

They're not using compromised infrastructure.

They're just, you know, using cloud apps, which, tale as old as time, I guess.

Because if they're there and accessible, like why not?

I actually got a fairly good phishing campaign over the weekend that was, it was like a Spotify impersonation saying that my premium subscription had lapsed and I need to, like, go fix my payment.

I was like, oh, it landed in my inbox because they used a service provider that, you know, checks all the DKIM, SPF, like everything's good. But as soon as you, like, start to look at the from and you kind of actually look at the headers, you're like, oh, this unravels really quickly.

but leveraging

like cloud services, software as a service for these types of things.

Like that's not new.

I think it's just using like different ways, using these in different ways than maybe we've seen use before.

And the Google Sheets thing kind of reminded me of that.

Like what an interesting, what an interesting mechanism.

Yeah.

It's something that I didn't even think of, like, being a vector, but when you read through and understand, like, how easy it is to manipulate a Google Sheet with Python, that makes sense as to why they would be using it as their exfil or C2 mechanism. I don't think they actually did any exfil through those C2s, or through the sheets, but more just, like, storing information. I don't know.

Information gathering.

Things like this are what make me nervous about how, like, we have more things being integrated into Google Sheets, like Gemini is now something you can invoke from within them,

like all these other things. I don't know. I was just stunned by how many different, like this is

not to be that person, but this is really clever. I'm kind of impressed.

It totally is.

Like I kind of admire it in a twisted way. Like it is so interesting and such a hodgepodge

of different techniques. Yeah, and they did include, they updated the, like, Proofpoint updated their rule set that they have with the detection for

Google Sheets activity. So now that's a thing you have to think about in your environment.

We added Python functionality to Excel, so why not? Let's just throw Google Sheets in there too.

Right. Like, what other things are there that have that that I don't even know about?

Because, like, it's been a minute. I talk to enterprises all the time, but, like, it's been a minute since I've been, like, a systems administrator and/or, like, assessed the true state of shadow IT. Like, how bad is it out there, gang? What are the people using that can be manipulated by Python that also syncs to the cloud? Like, that's my next thought. That's what my threat hunting brain says. Probably quite a lot. Um, this story also made me think a lot about how, so I'm always interested in the different threat models that organizations have.

And having worked at a couple of like software as a service companies versus like security vendors,

one of the things that I used to really struggle with was making the case that as a software as a service

company, very large email service provider we'll say.

Yes, customer data, user data, employee data is, like, of the utmost importance. We have to protect that. That is included in your threat model. But the thing that I

was surprised I kept having to like make a case about or like to certain people was that,

you know, it's not so much about our app getting hacked. It's about how our app is going to fit

into this whole like cybercrime ecosystem. Like it's not about the app itself like,

you know, SQL injection and dumping a database, which also would be bad. But like how might this

fit in? And you think about like common things that get abused.

do you think about email service providers, hosting providers, like all kinds of stuff like that

where it's like, it's not that they're necessarily getting hacked, they're getting abused.

And then you get into this conversation about like anti-abuse or like trust and safety kind of

versus security. And I think this is another one of those things that kind of shows,

I feel like the line is sort of like very fuzzy. And I don't know, this just made me think of that

because of some interesting conversations I've had about that in the past.

Yeah. That's probably pretty hard to justify for us from a business perspective of, like, hey, like, while what we're doing is not necessarily, like,

vulnerable itself, here's how it can be utilized. So presenting that kind of use case as like a

security issue is probably pretty difficult. Like if there's no evidence of that happening

is where my brain is going. It's all hypothetical until it's not because the thing is, right,

like you want to make something easier for your users. You want to remove friction. Well, you're also

removing friction for people who want to use your service for nefarious purposes. And so there's always this, like, kind of back and forth

of like what's the trade off. Like I know everybody doesn't want to have to go through a CAPTCHA

or like multiple rounds of like validation or verification, but like, you know, it's it's an

interesting kind of balance, I think. Well, I guess that's the case for having like an internal

red team of just like, hey, sit here and pontificate on the ways that

we can be used as crime. Yeah, not even like us getting hacked, but like, how do we fit into

all of this? Yeah. How are we the problem? Yeah.

A fun, a fraud experiment. Yeah, I really like that idea. Because I, it makes me also want to

encourage, like, pen testers, like, get good, you know? Like, don't just throw Mimikatz at things, like. 100%. Like, beat my service up. Like, please, use it in ways that it shouldn't be used, like, destroy it. And by that, I don't mean dump a database or, like, own, like, don't get root on my box. I don't care about that. I care about how are you

using this to, like, perpetuate some other sort of criminal activity? That's something we also don't want

on platform. It makes me think of the Roblox kids and the Minecraft kids where, like, they're doing all kinds

of wild things out there in the Roblox and Minecraft. Like, the gaming, like, all the gaming has so many, like,

weird vectors and like things that you wouldn't even think of. So kids are all right or not,

depending. Yeah, I was like, I feel like anti-cheat devs could very easily like cross the bridge

into like anti abuse or like trust and safety. Because it's the same, it's the same thing,

just a different flavor. Like it's that same type of mindset, I think.

Yeah.

I love to see it. All right. So I think now we've got a little bit of self-promotion we want to do. This is a rousing round of topics.

Let me see if I can share my screen.

You can do it. Fingers crossed. Let's see how...

I believe in you.

Here we go. Maybe. You got it.

You got it.

All right. Okay, this works. Look at this. I'm driving. Bob, I'm driving. It's working.

Yeah. So Kimber, do you want to talk about this? This is a blog post from you all about weaponized vulnerabilities deserving of the prioritization table.

Yes. I will give the quick rundown of this. Patrick wrote a blog post on the VulnCheck blog about the comparison of Metasploit modules and mapping them to known exploited vulnerabilities, and kind of giving an idea around, like, we have the known exploited vulnerabilities, but then we have all of these potential modules for exploits. So the comparison there is pretty interesting. Lots of pretty Patrick graphs to look at to communicate that, and, you know, just something to think about: exploitability versus what we know about that. That is my shameless self-promotion for the week.

That's actually Patrick's. No, hey, all VulnCheck stuff is welcome, all Censys stuff, all GreyNoise stuff. Um, let me switch. Um, Himmaja, do you want to talk us through? We have a couple.

This Progress WhatsUp Gold GetFileWithoutZip RCE.

That's actually the name of my upcoming SoundCloud EP.

Make sure to stream.

It was a mouthful. Like, I can't say all of these words all at once without stumbling.

Banger. So this was another unauthenticated RCE.

This WhatsUp Gold thing was kind of interesting. It's like a network monitoring product.

So every day, every week, I learn about a new product offering from Progress Software Incorporated. But yeah, this one was kind of interesting because it's pretty easy to exploit.

Although we, last week, I think when we published this, we saw something like 1200 exposed, potentially vulnerable instances online. And I just checked today, and it went up by like 100, which could just be the internet fluctuating, but also could just be people messing with their configurations and things going awry.

But yeah, patch now, exclamation point. Yeah, it could also be honeypots, but I didn't look at that.

But yeah, what's up, gold?

Really good honeypots, GreyNoise.

Mmm. We don't talk about those.

We don't see those. We don't know about them. We, yeah.

All right.

I actually didn't realize that this was the same people as MOVEit.

Yeah, Progress. They have MOVEit.

Ipswitch, WS_FTP.

Yeah. They're real diversified set of offerings, which is.

Well, good for them. They're clearly nailing it.

Along those lines.

Let's talk about this Versa Director dangerous file type upload. This was Volt Typhoon goodness.

Yeah, we talked about this on last week's episode of the pod. This is the one where I think it got a lot of buzz because it was added to KEV on a Friday night, which is kind of interesting.

And Black Lotus published a little ditty about how they're seeing similar techniques as used by Volt Typhoon.

But it is pretty hard to exploit.

This is like a, you have to upload a malicious file as a favicon.

But you do need, you need to be authenticated to exploit it, so it's relatively harder to exploit.

Although, if you are exposing one of your management ports, it is a lot easier to exploit.

So take your management ports offline.

Offline, or just hide them.

That is just really good advice for everybody, probably.

Tried and true.

Hide them away.

All right.

So now I think we have to talk about KEV, and I just went to KEV to look.

And Todd, you've, I think, here we go, I guess.

We're going to talk about KEV because there's some new things today.

A couple.

So DrayTek VigorConnect path traversal vulnerability from 2021, which is sad.

Here's a second one, it looks like.

DrayTek VigorConnect path traversal vulnerability.

Cool, cool.

Everything's cool here.

And then Kingsoft WPS Office path traversal vulnerability, which is from this year, which is, you know, I guess always a good thing.

Since when does KEV have a due date?

And who's going to give me the points off of the assignment if I do not turn it in by the due date?

So I, so yeah, so Todd says this has been there forever.

I don't know if it was surfaced in the UI forever, but it's been around.

I think this is specifically for like federal civilian executive branch agencies due date,

but like everyone else should probably like pay attention to that too because if the due date is

super quick, I would imagine there's a reason for that.

Like it probably has something to do with the severity.

See, Glenn, I listen to your talk.

I learned about KEV and all the hidden things to know.

So if the, yeah, if the turnaround is pretty quick, I suspect that means they know something we don't.

And we should probably just treat it accordingly.

So it's not always like three weeks.

It's sometimes less than that.

Or more.

Yeah, I think.

Yeah.

Today I learned.

Yeah.

That's cool.

If you haven't watched Glenn's talk, you should go back and check it out because, yeah, I learned.

Yeah, I learned a lot from it.

It's really.

Is it recorded?

Yeah.

Wonderful.

I will post it on LinkedIn later with what I learned.

There you go.

I'd like a five point summary, please.

Report to Glenn.

Due by September 24th.

Yes.

September 24th is the due date.

Cool.

All right.

I'm going to stop sharing this now.

Okay.

I think this is everything for us this week. Parting thoughts? I do have a sign off, but are there any parting thoughts, folks, here before we hang it up this week?

Happy women in cybersecurity. Yes.

Time because it should be always.

It should be always.

Infinity time.

Especially in the month of September. I'm not sure why.

Just because I think Women in Cybersecurity as an organization declared September 1st the date. I'm not sure who came up with it. But if there's a woman on your team, tell her you appreciate her.

Listen to her when she tells you things, because she's probably not making it up and she probably does know what she's talking about. Just a thought.

Yeah.

All right. Well, in the spirit of Bob, thanks everyone for tuning into our cyber chat.

Remember, in the digital world, stay secure, stay savvy, and don't let the hackers steal your thunder.

Until next time, keep your firewalls high and your passwords stronger.

Bye!
