
03-16-22 **Breaking Cyber News Raw & Unfiltered** Russian Hackers Hijacked MFA to Exploit Microsoft Vulnerability

Mar 16, 2022, 26 min

Episode description

How Russian hackers hijacked MFA to exploit a Windows Print Spooler vulnerability and what YOU can do to protect your business from being the next PrintNightmare victim.

Host: Craig
Co-Hosts: BJ & Erin

Call 877-468-2721 or visit https://petronellatech.com

Please visit YouTube and LinkedIn and be sure to like and subscribe!


NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.


Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:

Transcript

Craig

Good morning, everybody. Welcome to another podcast episode: Petronella Cybersecurity with Craig Petronella, Erin Dotsey and BJ on the line. We're going to talk about the latest cybersecurity news. I thought a good topic to kick off would be how the FBI and CISA put out a warning today in regards to the Russian hackers exploiting Duo MFA and the PrintNightmare bug. Do you guys know what those are?

Erin

I know what MFA is. I do not know what the PrintNightmare bug is.

Craig

Yeah. So obviously MFA is multi-factor authentication. It says in this article that was posted, as early as May 2021 Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization, or NGO, allowing them to enroll a new device for MFA and access the victim's network. Wow. So basically, misconfiguration of the MFA allowed the hacker to configure their own MFA and bypass it so they could get in.

So they then exploited a critical Windows Print Spooler vulnerability called PrintNightmare, CVE-2021-34527. And this PrintNightmare bug has been out for quite some time now. I remember back when a client of ours at the time had us do a security risk assessment. They were a manufacturing firm and they had a lot of printers on their network, and Microsoft still didn't have a solution. So we had to help them air gap

a lot of their computers. Air gap means disconnect them from the internet and basically use network segmentation and get them off of any connected ways out to the internet. So this PrintNightmare bug allows the bad actors to run arbitrary code with system privileges, so basically like administrator, so it's really nasty. So they say this attack that was just posted was pulled off by gaining initial access to the victim organization via compromised credentials

they obtained by means of a brute-force password-guessing attack. And then they enrolled the new device into the organization's Duo MFA, which was misconfigured. So this goes back to what I was talking about, I think it was a few days ago. I think I showed you guys the little infographic on passwords.

Erin

I might've helped make it. Okay. All

Craig

So there's a little chart that shows how long your password is and how easy it is and how fast hackers can brute force, or basically try various combinations, to crack the password.

Erin

No.

Craig

This was maybe last week, but anyway, we'll post that infographic so you guys can download it if you want. But basically, in a nutshell, if you're not using long, complex passwords that have lowercase, capitals, numbers, special characters, and that are really long. Ideally, I like them to be more than 20 characters. I know that might seem crazy, but I don't know any of my passwords because I use an encrypted password manager.

So I usually go for as long as possible, whatever the system on the other side will let me. Some systems only let you use 16 characters, but anyway, I try to use the longest complex password that the system will allow. And I use an encrypted password manager to keep track of it.

But this basically is illustrating, this article here from the FBI and CISA is illustrating, how it's a very bad idea, especially nowadays with everything that's going on, to ever reuse that same password that I know is your favorite password. It might be your anniversary, your dog's name or whatever it is. But don't reuse it on multiple websites, and better yet, get a password manager that's encrypted and start changing your passwords immediately and maxing out the length.

And if you can, if it's a possibility, employ hardware or token-based solutions like a proximity token to further enhance the password manager. But yeah, this is a pretty bad nastygram that came out this morning.

Erin

It's funny too, cause I feel like looking at this and looking at the way that they got into it, and also when you're telling the story about how the company that you worked for before had the issues with the printers. It sounds like to me, when I see stuff like this, I automatically think about our password manager, which you just brought up, and also XDR, because like you were saying, they weren't able to patch it, cause there wasn't a patch.

So how do you protect yourself if you're not patched? You can't, unless you have something like XDR, right?

Craig

Yeah. Yeah. If it's a networked computer, then yeah, you're basically open to attack for exploitation through the patches that you're unable to apply. So you either have to disconnect it from the internet or use a technology called XDR.

BJ

It's not like patches are going to save you completely if you do your patches, though. Cause there's more than that. That's not the only nastygram that's out there. I don't know if you guys watched the video that I made this morning about a breaking event also related to cybersecurity yesterday. So this one anonymous hacker, he goes by Byler kid 89. He shared the details of his hack.

He didn't do anything with the access that he gained, but he gained access to the Russian Ministry of Health. And Craig, you'll find this interesting. You may remember a few years ago we did some writing and some education around one of the tools called Shodan, S-H-O-D-A-N. That was the tool he used. So this is where I say patches aren't

going to just be the catch-all that people like. It needs to go a step further, like Erin was saying, it needs to go a step further, way further, because this guy used Shodan and, using Shodan, he was able to target precisely. So it's interesting that it crashed right at that time, because I was thinking this morning, like this could be a big deal, this Shodan situation. It's like a showdown right on the cybersecurity front.

This hacker used Shodan. You don't hear much about Shodan and maybe it's obscure still, a lot of people aren't using it. If people really start using something like that, it's so dangerous. This hacker was able to target his intended victim, the Russian Ministry of Health, and by using Shodan, he was able to pinpoint the IP addresses for the devices he was looking to target based on their location.

So when you think about people using this tool in a situation like we're in, with a war going on and basically a cyber war, that opens up a whole new can, because people can use the locations of their targets to find IP addresses for IoT connected devices, which is exactly what this guy did. Yeah. So when he did that, he found IP addresses at the Russian health ministry and he found something called an open virtual network computing, or VNC, port

with disabled authentication. And so Craig, you probably can elaborate on what that is, or maybe we don't even need to, but basically it's for remote access and stuff for the device. So they didn't have it configured correctly. They had the authentication disabled, and he found this open VNC port and he slid right in. He didn't do anything. He was just testing his process. But he showed screenshots proving how easy it was for him to get in.

And he could have, then he had access, like free rein to everything, because he was remoted into that computer. So then he was in and took over. So something like that could be catastrophic, and how many people are checking to make sure their VNC port is not open?

Craig

Yeah. So VNC is, like you said, a remote control software that's a graphical user interface. It was really popular years ago, before more modern replacements, GoToMyPC or LogMeIn, came out. So what it is, let's say you got a computer on the next.

And you need to, it runs maybe some software that you need, but you're maybe a hundred feet down the hall and you don't want to get up and go to that computer every time. You can open up what's called a VNC session and set up that computer so that you can see the screen and remotely control it with the keyboard and the mouse at your desk. And you can do that locally on your network, or you can configure it such that you can remote control a computer from anywhere in the world.

So this goes back to ports and your firewalls. If your firewall was configured properly, then you would not be able to get to those ports on the VNC server. If it was misconfigured, or the bad actors had access to like a VPN that was misconfigured, then they can get into it that way. But it goes back to ports and port scanning. So hackers are always going to be scanning the ports on your network, and there's 65,000 plus of them. I think it's 65,537, I think is the number

of how many ports are available, and those ports, by the way, are per IP address. So you can get 65,000 ports per

BJ

IP address. This is the kind of intelligence that people don't understand. They don't understand the magnitude, because on a side note, or related to that, there's this new DDoS attack process that they're using, where basically they're again using automated type software and stuff. And they're able to now do this DDoS attack, like from one device, and literally disable something with this style of DDoS they're doing.

As we know, a lot of people take the cyber strategy of "it's not going to happen to me," or we think that cyberspace is just this weird place and nobody can find you and everyone's just there, but that's not the case. Tools like Shodan change the game in this regard. And people can literally, if they have someone they want to target in a situation like this, they can use your location and they can find the IP addresses at that location that are connected to the internet.

And then they can try all these different new, complicated and sophisticated exploits to then hit you with a barrage of these different types of attacks. This is an unsustainable problem at this point. And people really need to be aware of how serious this is.

Craig

Yeah. So I was two off: 65,535, not 37,

BJ

on one

Craig

device. Yeah. That's per TCP/IP port.

BJ

That's unbelievable. That blows my mind, literally. And it takes a lot to blow my mind. That blows my mind. Do people realize the gaping hole?

Craig

And so let's bring that back. So every device on your network has between zero and 65,535 open or closed windows, or ports, like I said, per device. That's why, when we talked about, I know we keep drilling XDR in, firewalls are the first line of defense of ports. And then after the firewall you have, if you are fortunate to have something like XDR,

or extended detection and response, that technology will then be scanning your network constantly for vulnerabilities and open ports or exploits.

BJ

Yeah. That's why we need to say we keep drilling XDR. The reason we keep drilling, yeah, because XDR stands for extended detection and response, but literally, if you were to describe XDR, it's the culmination of all this intelligence funneled into an algorithm, and the algorithm told, now go and stop these threats. That's what an XDR truly is. It's the sum of all the intelligence that we know about cybersecurity vulnerabilities set to purpose. That's what XDR is.

It's all of our intelligence that we know thus far about cybersecurity, coded into an algorithm, and the algorithm set loose on the network and devices. That's what XDR truly is.

Craig

So what's also a common practice of hackers is what's called port scanning. So Shodan is like a search engine for IoT, or internet of things, devices, but

BJ

does

Craig

every device, right? It kind of, sort of, it's more like a smart device. Like a smart TV is more of like an IoT device. Anything that connects to the internet could be classified under the IoT umbrella, but port scanners have been around forever. A common one is called Nmap. Nmap is free and it's available open-source on Linux operating systems, but hackers are using those kinds of tools all day long, and have been for many years, to find these open windows and doors.

BJ

When you talk cybersecurity, Craig, you've always talked about layers, and that's exactly what we can see happening on the other side: layers on the bad guy side. Port scanning has been around for years, but then you have on top of that technology like Shodan that lets you hunt a location for IP addresses connected to the internet. That's how they define internet-connected IoT devices. If it's connected to the internet, Shodan can find it.

And so when you add that to port scanners, that's a serious problem.

Craig

Yeah. And I remember distinctly being interviewed by one of the news outlets, and how the reporter was asking about how do these security cameras get online? And the security camera is a type of IoT device. And oftentimes people put these cameras on their networks and they don't properly configure them, so they're just open to the world. And sadly, sometimes these cameras are displaying whatever the cameras see

for the entire public to see. There's actually websites like Shodan that will help you see all these cameras that are misconfigured for security or have default usernames and passwords, and the people on the recipient side, they don't even know.

BJ

Oh my gosh. This is completely unsustainable without the help of, when you have 60,000 ports, that's the recipe for unsustainability, unless you have help from something that can scale at that level.

Craig

Yep. It's all about layers. Like I've always

BJ

said. And if this catches on, like we were talking yesterday about 300,000 and counting volunteer hackers fighting this now, what seems to be a partial physical war, partial cyber. If they all started using tools like Shodan and things like that, oh my gosh, this thing can escalate. This can't go very long before escalation, and it becomes very dangerous with a situation like this.

Craig

I would go on to say that those tools are pretty 101, basic-level tools that pretty much every hacker is using all day long. So I wouldn't say that they're going to, they are using them. I would say it would create confidence. They are scanning all the time, scanning, looking for open doors, open weak points. And then when they find that open port, that's when they go a step further and figure out

what application. Like we talked about VNC, that is a certain port. Remote Desktop Protocol, or RDP, typically uses port 3389. There's these different ports that programs by default use unless they're configured properly or changed. Or better yet, nowadays it's never a good idea to have an open port; it's best to use a VPN to have that wall, that layer, so that you don't have an open port. But my point is, once they determine and find open ports,

they can then go deeper to figure out, oh, what applications use this port? And then what they do is they figure out, they talk to that application through the port to figure out what version is it running. And then they find that it's running an outdated version. Then they look up all the exploits for that particular program. And then, bam.

BJ

And if all else fails, if they just want to be. Cause one of our partners, one of the people that writes the algorithms for the XDR tools, was interviewed and made the comment that when you have situations like this, like cyber war, they're not necessarily looking to steal your money or your credentials. They're looking to do destruction.

And so if all else fails and they can't find an open port or a vulnerability, then they might just hit you with a DDoS that you can't withstand.

Craig

Yeah. Or use you, the victim, to participate in the DDoS

BJ

To,

Craig

Yeah. So it just depends. Once the hackers are in, they make the determination: is this a big corporation? Do they have a lot of money that they can steal or extort with ransomware? Or does this organization have more devices on their network that we can infect and use, like you said, as slave devices, and then use them for future DDoS attacks.

BJ

When you just lay down all preconceived thoughts and all opinions, and you just simply do nothing but take the facts and apply logic and reason to them, it paints a picture that the culmination of all these things happening at once leads us no other pathway but to use algorithms that can stand for all of this at once, because there's just no

other

Craig

way. There's just, it also goes back to what we've always recommended with vulnerability scanning and security risk assessments and the importance of them. Because the average, like you said, the average person, the average business owner, the average consumer, they're not going to know that there's 65,535 potential open windows. And then they're not even going to know, unless they educate themselves, how to close those windows or ports and secure themselves. So it's just a huge undertaking

BJ

and that's actually, I feel like that's a really good analogy there, Craig. You're talking about windows, right? So if you think about windows in the realm of your home, can you imagine having 65,000 windows that you have to close? You know what I mean? And it quickly turns into a house of cards. Yeah. Or it's just a house of labor, right? So if you have to walk around making sure that everything's closed all the time, that's a lot of time and energy.

There's just no way a human can keep up with all this.

Craig

Or even if you just take it down to 10, maybe you have 10 doors in your home, maybe you've got 10 or 20 windows in your home. All of those are entry points into your home, right? And if a bad actor or a criminal is profiling your home and they're driving by and they see your house, maybe you got a nice yard, maybe you have a nice car, they're profiling you.

And if you don't have a dog or a sign or an alarm system or cameras, I use all those examples as layers, but it all goes back to my layer methodology and approach. If you've got a dog, that's a layer. You got a sign, you've got stickers on the windows, those are layers. The more stuff you have, then the hacker, or the bad actor in this case, looks at your house. They see you have five security cameras. They see you have a Ring doorbell. They see you've got signs in the yard.

They see you might have ADT or CPI or whatever security company is the big one near you. Then they look at your neighbor's house and they see it's dark and it doesn't have any stickers. It doesn't have any signs, no sensors, no dog or animal. So which one are they going to target?

BJ

Exactly. And also, think about it. What if, because most likely you're the person that's like the neighbor. Most people are like the neighbor. Most people don't have that stuff set up and it's just easy pickings, but if you're, yeah, everything's smart home.

Craig

And then BJ, you have an electronic robot. You don't even know if it's real.

BJ

Yeah, I haven't, like, the dog barked when I went there. They literally bark and they sound really mean, but my baby was holding, I have this little cheap, like $7 smoke detector, and he was holding it. I let him hold it cause I had a bunch of stuff in my hands and I was trying to move it, and he was holding it and he's looking down and he's, oh, that's not all I saw. He wants everything to talk to him now.

Craig

Yeah. But my point is that you want to try to make yourself less of a mark and less of a victim. Yeah. Some of those layers are very inexpensive. Some of them are free that you could

BJ

implement, take you from victim to actually standing your ground. Because again, for example, with the XDR, the fact that this thing, okay, it has machine learning, right? So whatever it starts at on your network, that's not the finished product. That's the starting point. Then as it learns, so you have 60,000 ports, it's going to learn what the status is on all of this stuff on your network and your devices. And it gets smarter and smarter.

And eventually, as we know, it actually lures bad guys in with honeypots, like intelligently and proactively placing honeypots in your network, in the background, so that it can lure bad guys in and then gain threat intelligence from them. Now that is a game

Craig

changer. Yeah. So just for everyone listening, the dog, that's an

BJ

attack dog in your, honeypot

Craig

is a way to attract bad actors or hackers. It is like this bright, shiny object of, ooh, there's a server that's vulnerable that I can attack, but it's not real. It's a honeypot. It's a trap, really, that's

BJ

And those traps, those bright, shiny tokens that are real for other people that don't have these tools, they're real vulnerabilities. But when you have tools like this on your, that is a trap. You're actually trapping bad guys, and instead of being a victim, instead of being on the defensive and running all the time, now you get to stand your ground and you get to do a 180 and turn and say, no more, I'm not going to let you chase me anymore.

I'm coming back and I'm luring you in now, because these algorithms have the ability to learn at such a rate that now they're going to learn about you, and now you're going to go on the defense. It's a game changer. Truly, it is. Yup. And that's why, like you said, not to beat a dead horse or bring it up all the time, but there's a reason why we bring it up. It's presenting itself organically. It's unfolding as the solution to these problems. It's not a silver bullet yet.

But it's learning, it's continually learning. And the more people that start using these tools, the more they learn and the more it all starts to connect. And then the more these bad guys start to stick out like sore thumbs, because the machines will pick up threat intelligence that we would overlook and miss. And they'll start to notice things that these people have in common. And they'll start to learn how to block them proactively. That's what can happen with this.

Craig

It's a very

BJ

powerful. Very powerful. It's, yeah, I mean, that's why we're so excited about it. Cause there's actually a glimmer of hope, finally. This is not just a sinking ship. It doesn't have to be. We can turn it around, yeah. Anyway, I guess we hit our hard stop, but that's the good news. There's a way to possibly turn this around, but we have to all think real smartly and strategically and understand it.

Yeah. Understand why it's good and why it's very, like the fact that Craig brought up the 60,000 ports, like why is that not common knowledge? People should know the risks they're taking by being online like that. People should know that by going online with your computer, you're exposing yourself on 60,000 ports. Know that.

Craig

Yeah, the honeypot for most people is the game, the video game, the thing to do. People oftentimes don't think about how it all works or how it connects together. They just go on Facebook or they just want to play that game or whatever. They don't see all of the depth of how it all works. These

BJ

tools will gather data and data. As you taught us, Craig, data doesn't lie. Data is so valuable. That's why they all love data, big tech, they just love data, because when you compile enough data, patterns start to emerge. And so these tools have a knack for sniffing out patterns at a way higher level than we can. Things that we would be blind to, they can find, and they'll find patterns and they'll start to learn patterns of the bad guys that we would've never figured out.

Craig

Sign up for your proof of concept, or if you're not ready for a proof of concept, then call us and get a free consultation: 919-601-1601.

BJ

Take action. It's past time to take action. The more people that take action, the more of a fighting chance collectively we have. It's like everybody has to band together now and be smart.

Transcript source: Provided by creator in RSS feed