PLAY PODCASTS
Research Saturday

Research Saturday

454 episodes — Page 4 of 10

S7 Ep 294It's raining credentials.

Alex Delamotte from SentinelLabs joins Dave to discuss their work on "Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP." As actors find more ways to profit from compromising services, SentinelLabs finds that cloud service credentials are becoming increasingly targeted. The lack of threats explicitly targeting Azure and GCP credentials up to this point means there are likely many fresh targets. The research states "These campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew. However, attribution remains challenging with script-based tools, as anyone can adapt the code for their own use." The research can be found here: Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP Learn more about your ad choices. Visit megaphone.fm/adchoices

Aug 12, 202318 min

S7 Ep 293Who is that stealing my credentials?

Aleksandar Milenkoski from SentinelOne joins to discuss their work on "Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence." Researchers have been tracking the North Korean APT group Kimsuky and their attempt at a social engineering campaign targeting experts in North Korean affairs. The research states "The campaign has the objective of stealing Google and subscription credentials of a reputable news and analysis service focusing on North Korea, as well as delivering reconnaissance malware." Kimsuky has been tracked engaging in extensive email correspondence using spoofed URLs and extensive email correspondence, along with Office documents weaponized with the ReconShark malware. The research can be found here: Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence Learn more about your ad choices. Visit megaphone.fm/adchoices

Aug 5, 202316 min

S7 Ep 291Phishing for leeches.

Ashlee Benge from ReversingLabs discussing their research titled "Operation Brainleeches: Malicious npm packages fuel supply chain and phishing attacks." Researchers recently discovered over a dozen malicious packages published to the npm open source repository. These packages are targeting Microsoft 365 users and appear to target application end users while also supporting email phishing campaigns. Research supports that the malicious campaign encompassed more than a dozen files designed to steal sensitive user credentials. The research states "This most recent campaign caught our attention because of a number of features and characteristics in related npm packages that correlate with malicious intent." The research can be found here: Operation Brainleeches: Malicious npm packages fuel supply chain and phishing attacks Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 29, 202319 min

S7 Ep 291Welcome to New York, it's been waitin' for you.

Joshua Miller from Proofpoint joins Dave to discuss findings on "Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware." In mid May, TA453, also known as Charming Kitten, APT42, Mint Sandstorm, and Yellow Garuda, was found sending a benign conversation lure masquerading as a senior fellow with the Royal United Services Institute (RUSI) to the public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs. The research states that "the email solicited feedback on a project called “Iran in the Global Security Context” and requested permission to send a draft for review." Proofpoint shares it's findings and what you can expect from the threat group. The research can be found here: Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 22, 202318 min

S7 Ep 290SCARLETEEL zaps back again.

Michael Clark from Sysdig joins with Dave to discuss their research on SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. New research from Sysdig threat researchers found that the group continues to thrive with improved tactics. Most recently, they gained access to AWS Fargate, a more sophisticated environment to breach, thanks to their upgraded attack tools. The research states "In their most recent activities, we saw a similar strategy to what was reported in the previous blog: compromise AWS accounts through exploiting vulnerable compute services, gain persistence, and attempt to make money using cryptominers." Had Sysdig not thwarted SCARLETEEL's attack, they estimated that they would have mined $4,000 per day until they were stopped. The research can be found here: SCARLETEEL 2.0: Fargate,Kubernetes, and Crypto Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 15, 202317 min

S7 Ep 289Creating PANDA-monium.

Thomas Etheridge from CrowdStrike sits down to discuss their work on "Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft" In May of 2023, industry and government sources detailed China-nexus activity where they found the threat actor dubbed Volt Typhoon targeted U.S. based critical infrastructure entities. CrowdStrike's Intelligence team tracked this actor as VANGUARD PANDA. With CISA’s advisory on VANGUARD PANDA and its link to Chinese adversaries who are increasingly targeting US businesses and critical infrastructure, CrowdStrike’s blog dives deeper into the risks of VANGUARD PANDA. The research says "One specific VANGUARD PANDA incident stands out to review in detail. Falcon Complete responded to a detection that was triggered by suspicious reconnaissance commands executed under an Apache Tomcat web server running ManageEngine ADSelfService Plus." The research can be found here: Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 8, 202317 min

S7 Ep 288The power behind artificial intelligence.

Daniel dos Santos, Forescout's Head of Security Research is sharing insights from a recent exercise his team conducted on AI-assisted attacks for OT and unmanaged devices. Using ChatGPT, Forescout’s research team converted an existing OT exploit developed in Python to run on Windows to demonstrate how easy it is to create an AI-assisted attack that converts the original exploit into alternative programming languages. The research states "our goal was to convert an existing OT exploit developed in Python to run on Windows to the Go language using ChatGPT." This would then allow it to run faster on Windows and run easily on a variety of embedded devices. The research can be found here: AI-Assisted Attacks Are Coming to OT and Unmanaged Devices – the Time to Prepare Is Now Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 1, 202318 min

S7 Ep 287Unleashing the crypto gold rush.

Ian Ahl from Permiso's PØ Labs joins Dave to discuss their research on "Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor." First observing the group in 2021, they discovered GUI-vil is a financially motivated threat group primarily focused on unauthorized cryptocurrency mining activities. The research states "the group has been observed exploiting Amazon Web Services (AWS) EC2 instances to facilitate their illicit crypto mining operations." This group is dangerous because unlike many groups focused on crypto mining, GUI-Vil apply a personal touch when establishing a foothold in an environment. The research can be found here: Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor Learn more about your ad choices. Visit megaphone.fm/adchoices

Jun 24, 202323 min

S7 Ep 286Managing machine learning risks.

Our guest, Johannes Ullrich from SANS Institute, joins Dave to discuss their research on "Machine Learning Risks: Attacks Against Apache NiFi." Using their honeypot network, researchers were able to collect some interesting data about a threat actor who is currently going after exposed Apache NiFi servers. Researchers state “On May 19th, our distributed sensor network detected a notable spike in requests for ‘/nifi.’” Investigating further, they instructed a subset of their sensors to forward requests to an actual Apache NiFi instance and within a couple of hours the honeypot was completely compromised. The research can be found here: Machine Learning Risks: Attacks Against Apache NiFi Learn more about your ad choices. Visit megaphone.fm/adchoices

Jun 17, 202318 min

S7 Ep 285A new botnet takes a frosty bite out of the gaming industry.

Our guest, Allen West from Akamai's SIRT team, joins Dave to discuss their research on "The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile." Akamai found this new botnet was targeting the gaming industry, modeled after Qbot, Mirai, and other malware strains. The botnet has expanded to encompass hundreds of compromised devices. The research states "through reverse engineering and patching the malware binary, our analysis determined the botnet's attack potential at approximately 629.28 Gbps with its UDP flood attacks." Akamai researchers do a deep dive into the motives behind the attacks, the effectiveness of the attack, and how the law has been handling similar cases. The research can be found here: The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile Learn more about your ad choices. Visit megaphone.fm/adchoices

Jun 10, 202319 min

S7 Ep 284Lancefly screams bloody Merdoor.

Brigid O Gorman from Symantec joins Dave to discuss their research, “Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors." Researchers discovered in 2020 that Lancefly, an APT group, is using a custom-written backdoor in attacks targeting government, aviation, educations, and telecoms organizations in South and Southeast Asia. The research states "The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted." These targets, though observed in some activity in 2020 and 2021, started in 2022 and have continued into 2023. The research can be found here: Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors Learn more about your ad choices. Visit megaphone.fm/adchoices

Jun 3, 202316 min

S6 Ep 2838 GoAnywhere MFT breaches and counting.

This week, our guests are Emily Austin and Himaja Motheram from Censys and their sharing their research - "Months after first GoAnywhere MFT zero-day attacks, Censys still sees about 180 public admin panels." In early February 2023, Censys researchers discovered a zero-day RCE vulnerability in Fortra’s “GoAnywhere MFT” (Managed File Transfer) software. After finding this the Clop ransomware gang claimed that they exploited this vulnerability to breach the data of 130 organizations and Censys found other ransomware groups were jumping on the bandwagon. They said " A single vulnerable instance has the potential to serve as a gateway to a data breach that could potentially impact millions of individuals." The research can be found here: Months after first GoAnywhere MFT zero-day attacks, Censys still sees ~180 public admin panels Learn more about your ad choices. Visit megaphone.fm/adchoices

May 27, 202317 min

S7 Ep 282Dangerous vulnerabilities in H.264 decoders.

Willy R. Vasquez from The University of Texas at Austin discussing research on "The Most Dangerous Codec in the World - Finding and Exploiting Vulnerabilities in H.264 Decoders." Researchers are looking at the marvel that is modern video encoding standards such as H.264 for vulnerabilities and ultimately hidden security risks. The research states "We introduce and evaluate H26FORGE, domain-specific infrastructure for analyzing, generating, and manipulating syntactically correct but semantically spec-non-compliant video files." Using H26FORCE, they were able to uncover insecurities in depth across the video decoder ecosystem, including kernel memory corruption bugs in iOS and video accelerator and application processor kernel memory bugs in Android devices. The research can be found here: The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders Learn more about your ad choices. Visit megaphone.fm/adchoices

May 20, 202324 min

S7 Ep 281Running away from operation Tainted Love.

Aleksandar Milenkoski and Juan Andres Guerrero-Saade from SentinelOne's SentinelLabs join Dave to discuss their research "Operation Tainted Love | Chinese APTs Target Telcos in New Attacks." Researchers found initial phases of attacks against telecommunication providers in the Middle East in Q1 in 2023. The research states "We assess that this activity represents an evolution of tooling associated with Operation Soft Cell." While the exact grouping is unclear, researchers think it is highly likely that the threat actor is a Chinese cyberespionage group in the nexus of Gallium and APT41. The research can be found here: Operation Tainted Love | Chinese APTs Target Telcos in New Attacks Learn more about your ad choices. Visit megaphone.fm/adchoices

May 13, 202322 min

S7 Ep 280Phishing campaign takes the energy out of Chinese nuclear industry.

Ryan Robinson from Intezer to discuss his team's work on "Phishing Campaign Targets Chinese Nuclear Energy Industry." The research team discovered activity targeting the nuclear energy industry in China. Researchers attributed the activity to Bitter APT, a South Asian APT that is known to target the energy, manufacturing and government sectors, mainly in Pakistan, China, Bangladesh, and Saudi Arabia. The article states "We identified seven emails pretending to be from the Embassy of Kyrgyzstan, being sent to recipients in the nuclear energy industry in China. In some emails, people and entities in academia are also targeted, also related to nuclear energy." By luring recipients in, invites them to join conferences on subjects that are relevant to them, they are then able to social engineer the victims. The research can be found here: Phishing Campaign Targets Chinese Nuclear Energy Industry Learn more about your ad choices. Visit megaphone.fm/adchoices

May 6, 202320 min

S7 Ep 279HinataBot focuses on DDoS attack.

This week our guests are, Larry Cashdollar, Chad Seaman and Allen West from Akamai Technologies, and they are discussing their research on "Uncovering HinataBot: A Deep Dive into a Go-Based Threat." The team discovered a new Go-based, DDoS-focused botnet. They found it was named after the popular anime show "Naruto," they are calling it "HinataBot" In the research it says "HinataBot was seen being distributed during the first three months of 2023 and is actively being updated by the authors/operators." Akamai was able to get a deep look into the malware works by using a combination of reverse engineering the malware and imitating the command and control (C2) server. The research can be found here: Uncovering HinataBot: A Deep Dive into a Go-Based Threat Learn more about your ad choices. Visit megaphone.fm/adchoices

Apr 29, 202327 min

S7 Ep 278Don't let the Elon Musk crypto giveaway scam swindle you.

Shiran Guez from Akamai sits down with Dave to discuss their research on "Chatbots, Celebrities, and Victim Retargeting and Why Crypto Giveaway Scams Are Still So Successful." Researchers at Akamai have been on the lookout for crypto giveaway scams. These scams have been impersonating celebrities and brands, most notably Elon Musk and his associated companies. The research states "the scams are delivered through various social media platforms as well as direct messaging apps such as WhatsApp or Telegram." These scams have helped add to the existing damages that exceed $1 billion caused by crypto fraud. The research can be found here: Chatbots, Celebrities, and Victim Retargeting: Why Crypto Giveaway Scams Are Still So Successful Learn more about your ad choices. Visit megaphone.fm/adchoices

Apr 22, 202319 min

S7 Ep 277New Dero cryptojacking operation concentrates on locating Kubernetes.

Scott Fanning, Senior Director of Product Management, Cloud Security at CrowdStrike, sits down to talk about the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure. The research defines Dero as "a cryptocurrency that claims to offer improved privacy, anonymity and higher and faster monetary rewards compared to Monero, which is a commonly used cryptocurrency in cryptojacking operations." CrowdStrike was the first organization to discover Dero, and has been observing the cryptojacking operation since the beginning of February 2023. The operation focuses mainly on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet. The research can be found here: CrowdStrike Discovers First-Ever Dero Cryptojacking Campaign Targeting Kubernetes Learn more about your ad choices. Visit megaphone.fm/adchoices

Apr 15, 202314 min

S7 Ep 276A dark side to LLMs.

Sahar Abdelnabi from CISPA Helmholtz Center for Information Security sits down with Dave to discuss their work on "A Comprehensive Analysis of Novel Prompt Injection Threats to Application-Integrated Large Language Models." There is currently a large advance in the capabilities of Large Language Models or LLMs, as well as being integrated into many systems, including integrated development environments (IDEs) and search engines. The research states, "The functionalities of current LLMs can be modulated via natural language prompts, while their exact internal functionality remains implicit and unassessable." This could lead them to be susceptible to targeted adversarial prompting, as well as making them adaptable to even unseen tasks. Researchers demonstrated these said attacks to see if the LLMs needed new techniques for more defense. The research can be found here: More than you've asked for: A Comprehensive Analysis of Novel Prompt Injection Threats to Application-Integrated Large Language Models Learn more about your ad choices. Visit megaphone.fm/adchoices

Apr 8, 202317 min

S7 Ep 275Blackfly flies back again.

Dick O'Brien from Symantec’s Threat Hunter team discusses their research on "Blackfly - Espionage Group Targets Materials Technology." Researchers say the Blackfly espionage group (aka APT41), has been mounting attacks against Asian materials and composite organizations in attempts to steal intellectual property. This group has been known as one of the longest known Chinese advanced persistent threat (APT) groups since at least 2010. The research shares that "early attacks were distinguished by the use of the PlugX/Fast (Backdoor.Korplug), Winnti/Pasteboy (Backdoor.Winnti), and Shadowpad (Backdoor.Shadowpad) malware families." The research can be found here: Blackfly: Espionage Group Targets Materials Technology Learn more about your ad choices. Visit megaphone.fm/adchoices

Apr 1, 202313 min

S7 Ep 274Popunders are not the good kind of ads.

On this episode, Jérôme Segura, senior threat researcher at Malwarebytes, shares his team's work, "WordPress sites backdoored with ad fraud plugin." WordPress is an immensely popular content management system (CMS) powering over 43% of all websites. Many webmasters will monetize their sites by running ads and need to draw particular attention to search engine optimization (SEO) techniques to maximize their revenues. The Malwarebytes team discovered a few dozen WordPress blogs using the same plugin that mimics human activity by automatically scrolling a page and following links within it, all the while a number of ads were being loaded and refreshed. The blogs would only exhibit this invalid traffic behavior when launched from a specific URL created by this plugin, otherwise they appeared completely legitimate. The research can be found here: WordPress sites backdoored with ad fraud plugin Learn more about your ad choices. Visit megaphone.fm/adchoices

Mar 25, 202324 min

S7 Ep 273ChatGPT grants malicious wishes?

Bar Block, Threat Intelligence Researcher at Deep Instinct, joins Dave to discuss their work on "ChatGPT and Malware - Making Your Malicious Wishes Come True." Deep Instinct goes into depth on just how dangerous ChatGPT can be in the wrong hands as well as how artificial intelligence is better at creating malware than providing ways to detect it. Researchers go on to explain how the AI app can be used in the wrong hands saying "Examples of malicious content created by the AI tool, such as phishing messages, information stealers, and encryption software, have all been shared online." The research can be found here: ChatGPT and Malware: Making Your Malicious Wishes Come True Learn more about your ad choices. Visit megaphone.fm/adchoices

Mar 18, 202316 min

S7 Ep 272Files stolen from a sneaky SymStealer.

Ron Masas of Imperva discusses their work, the "Google Chrome “SymStealer” Vulnerability. How to Protect Your Files from Being Stolen." By reviewing the ways the browser handles file systems, specifically searching for common vulnerabilities relating to how browsers process symlinks, the Imperva Red Team discovered that when files are dropped onto a file input, it’s handled differently. Dubbing it as CVE-2022-40764, researchers found a vulnerability that "allowed for the theft of sensitive files, such as crypto wallets and cloud provider credentials." In result, over 2.5 billion users of Google Chrome and Chromium-based browsers were affected. The research can be found here: Google Chrome “SymStealer” Vulnerability: How to Protect Your Files from Being Stolen Learn more about your ad choices. Visit megaphone.fm/adchoices

Mar 11, 202313 min

S7 Ep 271New exploits are tricking Chrome.

Dor Zvi, Co-Founder and CEO from Red Access to discuss their work on "New Chrome Exploit Lets Attackers Completely Disable Browser Extensions." A recently patched exploit is tricking Chrome browsers on all popular OSs to not only give attackers visibility of their targets’ browser extensions, but also the ability to disable all of those extensions. The research states the exploit consists of a bookmarklet exploit that allows threat actors to selectively force-disable Chrome extensions using a handy graphical user interface making Chrome mistakenly identify it as a legitimate request from the Chrome Web Store. The research can be found here: New Chrome Exploit Lets Attackers Completely Disable Browser Extensions Learn more about your ad choices. Visit megaphone.fm/adchoices

Mar 4, 202315 min

S7 Ep 270The next hot AI scam.

Andy Patel from WithSecure Labs joins with Dave to discuss their study that demonstrates how GPT-3 can be misused through malicious and creative prompt engineering. The research looks at how this technology, GPT-3 and GPT-3.5, can be used to trick users into scams. GPT-3 is a user-friendly tool that employs autoregressive language to generate versatile natural language text using a small amount of input that could inevitably interest cybercriminals. The research is looking for possible malpractice from this tool, such as phishing content, social opposition, social validation, style transfer, opinion transfer, prompt creation, and fake news. The research can be found here: Creatively malicious prompt engineering Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 25, 202325 min

S7 Ep 269Implementing and achieving security resilience.

Wendy Nather from Cisco sits down with Dave to discuss their work on "Cracking the Code to Security Resilience: Lessons from the Latest Cisco Security Outcomes Report." The report describes what security resilience is, while also going over how companies can achieve this resilience. Wendy talks through some of the key findings based off of the report, and after surveying 4,751 active information security and privacy professionals from 26 countries, we find out some of the top priorities to achieving security resilience. From there the research goes on to explain from the findings which data-backed practices lead to the outcomes that can be implemented in cybersecurity strategies. The research can be found here: Cracking the Code to Security Resilience: Lessons from the Latest Cisco Security Outcomes Report Achieving Security Resilience Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 18, 202320 min

S7 Ep 268Knocking down the legs of the industrial security triad.

Pascal Ackerman, OT Security Strategist from Guidepoint Security, joins Dave to discuss his work on discovering a vulnerability in the integrity of common HMI client-server protocol. This research is a Proof of Concept (PoC) attack on the integrity of data flowing across the industrial network with the intention of intercepting, viewing, and even manipulating values sent to (and from) the HMI, ultimately trying to trick the user into making a wrong decision, ultimately affecting the proper operation of the process. In this research, they are targeting Rockwell Automation’s FactoryTalk View SE products, trying to highlight the lack of integrity and confidentiality on the production network and the effect that has on the overall security of the production environment. The research can be found here: GuidePoint Security researcher discovers vulnerability in the integrity of common HMI client-server protocol Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 11, 202319 min

S7 Ep 267Can ransomware turn machines against us?

Tom Bonner and Eoin Wickens from HiddenLayer's SAI Team to discuss their research on weaponizing machine learning models with ransomware. Researchers at HiddenLayer’s SAI Team have developed a proof-of-concept attack for surreptitiously deploying malware, such as ransomware or Cobalt Strike Beacon, via machine learning models. The attack uses a technique currently undetected by many cybersecurity vendors and can serve as a launchpad for lateral movement, deployment of additional malware, or the theft of highly sensitive data. In this research the team raising awareness by demonstrate how easily an adversary can deploy malware through a pre-trained ML model. The research can be found here: WEAPONIZING MACHINE LEARNING MODELS WITH RANSOMWARE Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 4, 202318 min

S7 Ep 266Flagging firmware vulnerabilities.

Roya Gordon from Nozomi Networks sits down with Dave to discuss their research on "Vulnerabilities in BMC Firmware Affect OT/IoT Device Security." Researchers at Nozomi Networks has revealed that there are thirteen vulnerabilities that affect BMCs of Lanner devices based on the American Megatrends (AMI) MegaRAC SP-X. The research states "By abusing these vulnerabilities, an unauthenticated attacker may achieve Remote Code Execution (RCE) with root privileges on the BMC, completely compromising it and gaining control of the managed host." As well as mentioning what patches could be in the future to help fix these vulnerabilities. The research can be found here: Vulnerabilities in BMC Firmware Affect OT/IoT Device Security – Part 1 Learn more about your ad choices. Visit megaphone.fm/adchoices

Jan 28, 202315 min

S7 Ep 265Billbug infests government agencies.

Brigid O. Gorman from Symantec's Threat Hunter Team joins Dave to discuss their report "Billbug - State-sponsored Actor Targets Cert Authority and Government Agencies in Multiple Asian Countries." The team has discovered that state-sponsored actors compromised a digital certificate authority in an Asian country during a campaign in which multiple government agencies were also targeted. The research states they believe Billbug, which is a long-established advanced persistent threat (APT) group has been active since about 2009. They say "In activity documented by Symantec in 2019, we detailed how the group was using a backdoor known as Hannotog (Backdoor.Hannotog) and another backdoor known as Sagerunex (Backdoor.Sagerunex). Both these tools were also seen in this more recent activity." The research can be found here: Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries Learn more about your ad choices. Visit megaphone.fm/adchoices

Jan 21, 202314 min

S7 Ep 264DUCKTAIL waddles back again.

Mohammad Kazem Hassan Nejad from WithSecure joins Dave to discuss the team’s research, “DUCKTAIL returns - Underneath the ruffled feathers.” DUCKTAIL is a financially motivated malware operation that targets individuals and businesses operating on the Facebook Ads and Business platform. The research states “The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account.” WithSecure has found that after a short hiatus, DUCKTAIL has returned with slight changes in their mode of operation. The research can be found here: DUCKTAIL returns: Underneath the ruffled feathers Learn more about your ad choices. Visit megaphone.fm/adchoices

Jan 14, 202321 min

S7 Ep 263Stealer malware from Russia.

Marisa Atkinson, an analyst from Flashpoint, joins Dave to discuss a new blog post from Flashpoint’s research team about “RisePro” Stealer, malware from Russia, and Pay-Per-Install Malware “PrivateLoader.” “RisePro” is written in C++ and appears to possess similar functionality to the stealer malware “Vidar.” It's also a newly identified stealer, that began appearing as a stealer source for log credentials on the illicit log shop Russian Market on December 13, 2022. The research states, "Samples that Flashpoint analysts identified indicate that RisePro may have been dropped or downloaded by the pay-per-install malware downloader service “PrivateLoader” in the past year." Analysts identified several sets of logs uploaded to the illicit underground Russian Market, which listed their source as “RisePro.” The research can be found here: “RisePro” Stealer and Pay-Per-Install Malware “PrivateLoader” Learn more about your ad choices. Visit megaphone.fm/adchoices

Jan 7, 202317 min

S5 Ep 235Encore: LemonDucks evading detection.

bonus

Scott Fanning from CrowdStrike's research team, joins Dave to discuss their work on "LemonDuck Targets Docker for Cryptomining Operations." LemonDuck is a well-known cryptomining botnet, and the research suggests attackers are attracted to the monetary gain from the recent boom in cryptocurrency. LemonDuck was caught trying to disguise its attack against Docker by running an anonymous mining operation by the use of proxy pools. Scott shares how its unknown which organizations have been targeted and just how much cryptocurrency has been stolen. The research can be found here: LemonDuck Targets Docker for Cryptomining Operations Learn more about your ad choices. Visit megaphone.fm/adchoices

Dec 31, 202215 min

S5 Ep 232Encore: Vulnerabilities in IoT devices.

bonus

Dr. May Wang, CTO of IoT Security at Palo Alto Networks, joins Dave Bittner to discuss their findings detailed in Unit 42's "Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization" research. Unit 42 recently set out to better understand how well hospitals and other healthcare providers are doing in securing smart infusion pumps, which are network-connected devices that deliver medications and fluids to patients. This topic is of critical concern because security lapses in these devices have the potential to put lives at risk or expose sensitive patient data. Unit 42's discovery of security gaps in three out of four infusion pumps that they reviewed highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks. May walks us through Unit 42's work. The research can be found here: Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization Learn more about your ad choices. Visit megaphone.fm/adchoices

Dec 24, 202222 min

S6 Ep 262Hijacking holiday spirit with phishing scams.

Or Katz from Akamai sits down with Dave to discuss research on highly sophisticated phishing scams and how they are abusing holiday sentiment. This particular threat, most recently has focused on Halloween deals, enticing victims with the chance to win a free prize, including from Dick’s Sporting Goods or Tumi Backpacks. It then requests credit card details to cover the cost of shipment. From mid-September to the end of October 2022, Akamai's research were able uncover and track this threat. This kit mimics well known retail stores in hopes to hijack credit card information, feeding off of people's holiday spirit. The research can be found here: Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment Learn more about your ad choices. Visit megaphone.fm/adchoices

Dec 17, 202219 min

S6 Ep 261Cybersecurity during the World Cup.

AJ Nash from ZeroFox sits down with Dave to discuss Cybersecurity threats including social engineering attacks planned surrounding the Qatar 2022 World Cup. The research shares some of the key threats we might see while the World Cup is happening this year. Researchers say "During the World Cup, there will likely be threat actors aiming to acquire personal information or monetary value through phishing and scams." In the research we can find how the venue host is preparing for these claims of attacks. The research can be found here: Qatar 2022 World Cup Event Assessment Learn more about your ad choices. Visit megaphone.fm/adchoices

Dec 10, 202225 min

S6 Ep 260Old malware returns in a new way.

Jeremy Kennelly and Sulian Lebegue from Mandiant sit down with Dave to discuss their research "From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind? One of the oldest and most successful banking fraud malwares, URSNIF, which caused an estimated “tens of millions of dollars in losses”, has been discovered by researchers to have been re-tooled into a generic backdoor, dubbed “LDR4”. This new variant was first observed in June 2022. Mandiant researchers believe that the same threat actors who operated the RM3 variant of URSNIF are likely behind LDR4. They say "given the success and sophistication RM3 previously had, LDR4 could be a significantly dangerous variant—capable of distributing ransomware—that should be watched closely." The research can be found here: From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind Learn more about your ad choices. Visit megaphone.fm/adchoices

Dec 3, 202224 min

S5 Ep 227Encore: The secrets behind Docker.

bonus

Alon Zahavi from CyberArk, joins Dave Bittner on this episode to discuss CyberArk's work in conjunction with Patch Tuesday. CyberArk published about how Docker inadvertently created a new vulnerability and what happens when it's exploited. CyberArk's research concluded that an attacker may execute files with capabilities or setuid files in order to escalate its privileges up to root level. CyberArk found the new vuln in some of Microsoft’s Docker images, caused by misuse of Linux capabilities, a powerful additional layer of security that gives admins the ability to assign capabilities and privileges to processes and files in the Linux system The research can be found here: How Docker Made Me More Capable and the Host Less Secure Learn more about your ad choices. Visit megaphone.fm/adchoices

Nov 26, 202220 min

S6 Ep 259Another infection with new malware.

Larry Cashdollar, Principal Security Intelligence Response Engineer from Akamai Technologies, joins Dave to talk about their research on "KmsdBot: The Attack and Mine Malware." Akamai's Security Research team has found a new malware that infected their honeypot, which they have dubbed KmsdBot. The research states "The malware attacks using UDP, TCP, HTTP POST, and GET, along with a command and control infrastructure (C2), which communicates over TCP." The botnet targets weak login credentials and then infects systems via an SSH connection. The research can be found here: KmsdBot: The Attack and Mine Malware Learn more about your ad choices. Visit megaphone.fm/adchoices

Nov 19, 202219 min

S6 Ep 258An in-depth look on the Crytox ransomware family.

Deepen Desai from Zscaler sits down with Dave to talk about the Crytox ransomware family. First observed in 2020, Crytox is a ransomware family consisting of several stages of encrypted code that has fallen under the radar compared to other ransomware families. While other groups normally use double extortion attacks where data is both encrypted and held for ransom, Crytox does not perform this way. The research says "The modus operandi of the group is to encrypt files on connected drives along with network drives, drop the uTox messenger application and then display a ransom note to the victim." It also shares how you may be compromised with this ransomware and goes through each stage in depth. The research can be found here: Technical Analysis of Crytox Ransomware Learn more about your ad choices. Visit megaphone.fm/adchoices

Nov 12, 202214 min

S6 Ep 257Over-the-air 0-day vulnerabilities.

Roya Gordon from Nozomi Networks sits down with Dave to discuss their work "UWB Real Time Locating Systems: How Secure Radio Communications May Fail in Practice." Ultra-wideband (UWB) is a rapidly-growing radio technology that, according to the UWB Alliance, is forecasted to drive sales volumes exceeding one billion devices annually by 2025. In an effort to strengthen the security of devices utilizing UWB, Nozomi Networks Labs conducted a security assessment of two popular UWB RTLS solutions available on the market. Their research reveals 0-day vulnerabilities and other weaknesses that, if exploited, could allow an attacker to gain full access to all sensitive location data exchanged over-the-air. The research can be found here: UWB Real Time Locating Systems: How Secure Radio Communications May Fail in Practice Learn more about your ad choices. Visit megaphone.fm/adchoices

Nov 5, 202221 min

S6 Ep 256Bugs and working from home.

Federico Kirschbaum from Faraday Security sits down with Dave to discuss their research on "A vulnerability in Realtek's SDK for eCos OS: pwning thousands of routers." The team at Faraday found a vulnerability that made it to DEFCON 30, labeling it high severity. With more and more people working from home for their companies, the research team went looking for where there may be vulnerabilities as employees are working from home. The research states that the team was "seeking and reporting security vulnerabilities in IoT devices, which led to the finding of an exploitable bug in a consumer-grade router popular in Argentina." They also stated in the research that it was escalating quickly and shares about how protecting home networks is important while working remotely. The research can be found here: A vulnerability in Realtek´s SDK for eCos OS: pwning thousands of routers Learn more about your ad choices. Visit megaphone.fm/adchoices

Oct 29, 202227 min

S6 Ep 255New tools target governments in Middle East?

Dick O'Brien from Symantec's Threat Hunter team sits down with Dave to discuss their work on "Witchetty - Group Uses Updated Toolset in Attacks on Governments in Middle East." Their research has found that the group known as Witchetty aka LookingFrog, has been progressively updating its toolset, including the new tool, backdoor Trojan (Backdoor.Stegmap) to launch malware attacks on targets in the Middle East and Africa. The research states "The attackers exploited the ProxyShell and ProxyLogon vulnerabilities to install web shells on public-facing servers before stealing credentials, moving laterally across networks, and installing malware on other computers. The researchers describe more on the new tool being used and why this new group is a threat. The research can be found here: Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East Learn more about your ad choices. Visit megaphone.fm/adchoices

Oct 22, 202217 min

S6 Ep 254Noberus ransomware: evolving tactics.

Brigid O Gorman from Symantec's Threat Hunter team joins Dave to discuss their research on "Noberus Ransomware - Darkside and BlackMatter Successor Continues to Evolve its Tactics." The research states that Noberus ransomware (aka BlackCat, ALPHV) is more dangerous than ever because attackers have been using new tactics, tools, and procedures in recent months. In the research, Symantec says, "Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software." They go over an in-depth look at how its affiliate program operates. The research can be found here: Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics Learn more about your ad choices. Visit megaphone.fm/adchoices

Oct 15, 202221 min

S6 Ep 253Google Drive used for malware?

Jen Miller-Osborn from Palo Alto Networks' Unit 42 joins Dave to discuss their work on the Cloaked Ursa group, with a recent report released called "Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive." The research shares insights into an active campaign from Russia’s Foreign Intelligence Service, that is leveraging the use of trusted, legitimate cloud services including Google Drive as a staging platform to deliver malware. The research states that when these tactics are used, it is extremely difficult for organizations to detect the malicious activity in connection with the campaign. These tactics are used to collect victim information, evade detection, and deliver Cobalt Strike. The research can be found here: Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive Learn more about your ad choices. Visit megaphone.fm/adchoices

Oct 8, 202222 min

S6 Ep 252Targeting your browser bookmarks?

David Prefer from SANS sits down with Dave to discuss how a new covert channel exfiltrates data via a browser's built-in bookmark sync. David goes on to describe how this research will "describe how the ability to synchronize bookmarks across devices introduces a novel vector for data exfiltration and other misuses." In the research, he shares how he tested his said hypothesis and goes on to describe how the interesting find was tested on multiple browsers including Chrome, Edge, Brave and Opera. In his research, he found that bookmarks are able to keep data and synchronize it, making it easier to infiltrate and extract data from. David shares the rest of his findings, as well as what organizations and browser developers can do to work on this new threat. The research can be found here: Bookmark Bruggling: Novel Data Exfiltration with Brugglemark Learn more about your ad choices. Visit megaphone.fm/adchoices

Oct 1, 202218 min

S6 Ep 251Keeping an eye on RDS vulnerabilities.

Gafnit Amiga, Director of Security Research from Lightspin, joins Dave to discuss her team's research "AWS RDS Vulnerability Leads to AWS Internal Service Credentials." The research describes how the vulnerability was caught and right after it was reported, the AWS Security team applied an initial patch limited only to the recent Amazon Relational Database Service (RDS) and Aurora PostgreSQL engines, excluding older versions. They followed by personally reaching out to the customers affected by the vulnerability and helped them through the update process. The research states "Lightspin's Research Team obtained credentials to an internal AWS service by exploiting a local file read vulnerability on the RDS EC2 instance using the log_fdw extension." The research can be found here: AWS RDS Vulnerability Leads to AWS Internal Service Credentials Learn more about your ad choices. Visit megaphone.fm/adchoices

Sep 24, 202216 min

S6 Ep 250An increase in bypassing bot management?

Sam Crowther, CEO of Kasada join's Dave to discuss their work on "The New Way Fraudsters Bypass Bot Management." Kasada researchers recently discovered a new type of bot called Solver Services, which is used and created by bad actors to bypass the majority of bot management systems. The research states "Now it’s easier than ever for mainstream bot operators to scrape content, take over accounts, hoard inventory, and commit other forms of automated fraud against organizations using legacy bot management solutions." Attackers are able to buy these “Solver” bots, APIs, and services for less than $500 per month to make a profit. The research can be found here: The Emergence of Solver Services: The New Way Fraudsters Bypass Bot Management Vendors Learn more about your ad choices. Visit megaphone.fm/adchoices

Sep 17, 202214 min

S6 Ep 249Evilnum APT returns with new targets.

Deepen Desai from Zscaler ThreatLabz joins Dave to discuss their work on "Return of the Evilnum APT with updated TTPs and new targets." Zscaler’s ThreatLabz team recently caught a new Evilnum APT attack campaign that uses the document template on MS Office Word to inject malicious payload to the victim's machine. There are three new instances used of the campaign, including updated tactics, techniques, and procedures. Researchers have been closely monitoring Evilnum APT’s activity. They ssay ThreatLabz identified several domains associated with the Evilnum APT group. Which has led them to discover that the "group has been successful at flying under the radar and has remained undetected for a long time." The research can be found here: Return of the Evilnum APT with updated TTPs and new targets Learn more about your ad choices. Visit megaphone.fm/adchoices

Sep 10, 202221 min

S6 Ep 248LockBit's contradiction on encryption speed.

Ryan Kovar from Splunk sits down with Dave to discuss their findings in "Truth in Malvertising?" that contradict the LockBit group's encryption speed claims. Splunk's SURGe team recently released a whitepaper, blog, and video that outlined the encryption speeds of 10 different ransomware families. During their research they cam across Lockbit doing the same thing. After completing the research, the researchers came back to test the veracity of LockBit’s findings. The research showed three interesting finds. The first find showed that LockBit’s fastest and slowest samples were closely aligned between the tests, but the other results were very different. They also found that LockBit continues to be the fastest ransomware, but LockBit 2.0 was more efficient yet slower than its previous counterpart, LockBit 1.0. Lastly, once ransomware gets to the point of encrypting your systems, it’s too late. The research can be found here: Truth in Malvertising? Learn more about your ad choices. Visit megaphone.fm/adchoices

Sep 3, 202219 min