Tech CEO Pleads to Wire Fraud in IP Address Scheme

The CEO of a South Carolina technology firm has pleaded guilty to 20 counts of wire fraud in connection with an elaborate network of phony companies set up to obtain more than 735,000 Internet Protocol (IP) addresses from the nonprofit organization that leases the digital real estate to entities in North America.

In 2018, the American Registry for Internet Numbers (ARIN), which oversees IP addresses assigned to entities in the U.S., Canada, and parts of the Caribbean, notified Charleston, S.C.-based Micfo LLC that it intended to revoke 735,000 addresses.

ARIN said they wanted the addresses back because the company and its owner — 38-year-old Amir Golestan — had obtained them under false pretenses. A global shortage of IPv4 addresses has massively driven up the price of these resources over the years: At the time of this dispute, a single IP address could fetch between $15 and $25 on the open market.

Micfo responded by suing ARIN to try to stop the IP address seizure. Ultimately, ARIN and Micfo settled the dispute in arbitration, with Micfo returning most of the addresses that it hadn’t already sold.

But the legal tussle caught the attention of South Carolina U.S. Attorney Sherri Lydon, who in May 2019 filed criminal wire fraud charges against Golestan, alleging he’d orchestrated a network of shell companies and fake identities to prevent ARIN from knowing the addresses were all going to the same buyer.

Each of those shell companies involved the production of notarized affidavits in the names of people who didn’t exist. As a result, Lydon was able to charge Golestan with 20 counts of wire fraud — one for each payment made by the phony companies that bought the IP addresses from ARIN.

Amir Golestan, CEO of Micfo.

On Nov. 16, just two days into his trial, Golestan changed his “not guilty” plea, agreeing to plead guilty to all 20 wire fraud charges. KrebsOnSecurity interviewed Golestan about his case at length last year, but he has not responded to requests for comment on his plea change.

By 2013, a number of Micfo’s customers had landed on the radar of Spamhaus, a group that many network operators rely upon to help block junk email. But shortly after Spamhaus began blocking Micfo’s IP address ranges, Micfo shifted gears and began reselling IP addresses mainly to companies marketing “virtual private networking” or VPN services that help customers hide their real IP addresses online.

But in a 2020 interview, Golestan told KrebsOnSecurity that Micfo was at one point responsible for brokering roughly 40 percent of the IP addresses used by the world’s largest VPN providers. Throughout that conversation, Golestan maintained his innocence, even as he explained that the creation of the phony companies was necessary to prevent entities like Spamhaus from interfering with his business going forward.

Stephen Ryan, an attorney representing ARIN, said Golestan changed his plea after the court heard from a former Micfo employee and public notary who described being instructed by Golestan to knowingly certify false documents.

“Her testimony made him appear bullying and unsavory,” Ryan said. “Because it turned out he had also sued her to try to prevent her from disclosing the actions he’d directed.”

Golestan’s rather sparse plea agreement (first reported by The Wall Street Journal) does not specify any sort of leniency he might gain from prosecutors for agreeing to end the trial prematurely. But it’s worth noting that a conviction on a single act of wire fraud can result in fines and up to 20 years in prison.

The courtroom drama comes as ARIN’s counterpart in Africa is embroiled in a similar, albeit much larger dispute over millions of wayward African IP addresses. In July 2021, the African Network Information Centre (AFRINIC) confiscated more than six million IP addresses from Cloud Innovation, a company incorporated in the African offshore entity haven of Seychelles (pronounced, quite aptly — “say shells”).

AFRINIC revoked the addresses — valued at around USD $120 million — after an internal review found that most of them were being used outside of Africa by various entities in China and Hong Kong. Like ARIN, AFRINIC’s policies require those who are leasing IP addresses to demonstrate that the addresses are being used by entities within their geographic region.

But just weeks later, Cloud Innovation convinced a judge in AFRINIC’s home country of Mauritius to freeze $50 million in AFRINIC bank accounts, arguing that AFRINIC had “acted in bad faith and upon frivolous grounds to tarnish the reputation of Cloud Innovation,” and that it was obligated to protect its customers from disruption of service.

That financial freeze has since been partially lifted, but the legal wrangling between AFRINIC and Cloud Innovation continues. The company’s CEO is also suing the CEO and board chair of AFRINIC in an $80 million defamation case.

Ron Guilmette is a security researcher who spent several years tracing how tens of millions of dollars' worth of AFRINIC IP addresses were privately sold to address brokers by a former AFRINIC executive. Guilmette said Golestan’s guilty plea is a positive sign for AFRINIC, ARIN and the three other Regional Internet Registries (RIRs).

“It’s good news for the rule of law,” Guilmette said. “It has implications for the AFRINIC case because it reaffirms the authority of all RIRs, including AFRINIC and ARIN.”

Pedicure Chair For Kids: Is It Worth The Splurge?

Pedicures are very common worldwide. Although professional pedicures are not recommended for people under 18, that doesn’t mean that parents can’t get their children a little bit of pampering as well. Is it worth splurging on a pedicure chair for your kids? Or can you choose a cheaper option, and will it do the trick?

What Are Pedicure Chairs Used For?

Pedicure chairs are generally made to be comfortable and to make the pedicure process easier. When thinking of comfort, you can get it all – accessories to get your feet cleaned, massagers for your back, and even music systems.

Pedicure chairs are commonly used in the salon or spa setting. They are perfect for getting a foot massage while giving yourself some UV light treatment for your nails. Most of them also come with extra tools that can be used for many beauty treatments.

Why Should I Get A Pedicure Chair For Kids?

It doesn’t take a lot to convince parents that they should get their children everything that makes them comfortable. A pedicure chair is a perfect gift for kids, especially when your son or daughter starts getting anxious over shaving and cutting nails. It can be challenging to keep them in one place for too long, so why not give them something comfortable to sit on?

What Is The Downside Of Buying Kids’ Pedicure Chairs?

While it is an excellent investment, there are a few considerations you have to keep in mind. First of all, these chairs might look nice and comfortable, but they also cost a lot more than your regular chairs. It’s not just a matter of buying a high-quality chair; it also has to be the proper size for your children.

Why Go For A Pedicure Chair For Kids?

We must never neglect our own needs and comfort just to serve others no matter what we do. When it comes to treatments and pampering sessions, you can get them all without leaving your home. There are some great deals for spa equipment for your own use. You can also get beautiful pedicure chairs that come with all the bells and whistles.

The parents who have already bought their kids these chairs are satisfied with how it turned out to be a perfect gift. Not only do they give themselves great treatments, but there are no more tears and screams while others try to cut their nails. Pedicure chairs for kids are comfortable, safe, and stylish too.

All in all, it is a good investment for your child’s future. It not only makes the pedicure easier but will help you bond with your children as well. There are so many kid-friendly designs available nowadays that you have plenty of options to choose from.

An economically friendly buy would be a pedicure chair which can be adjusted for both kids and adults. That way, everyone in the family can take advantage of it!

See what the best pedicure chairs for kids on the market are:

  • Happybuy Hydraulic Lift Adjustable Spa Pedicure Chair – There are many reasons to love this chair! First of all, the price is just right. For what you pay, it comes with so much more than you can expect – adjustable height, durable design, and waterproof cushions for easy cleaning. It has a tremendous hydraulic lift, making it perfect even for tall individuals or those who simply want to stretch out. The chair rocks and reclines, making it more comfortable than you can imagine.
  • Lorvain Pedicure Chair Stool with Footrest – This model is an excellent choice because not only does it look really elegant, but the design allows for maximum convenience. The footrest is adjustable and can be easily removed. It also has wheels, which makes it easy to move around the house.
  • Kids Pedicure Chair PINK SLEEPING BEAUTY – Everyone loves fairy tales, so why not give your daughter her own salon experience? This model looks like a piece from a storybook and provides everything you need for the perfect kid spa session. It has comfortable seating, temperature control, and safety locks to ensure that it doesn’t move around when in use.

Whether you like one of these for yourself or your child is a matter of personal preference. All of these are great quality products that offer the same services as salon chairs. They are just more convenient, have the latest technology, and easily move around when needed. With these in your home salon, you can provide treatment for everyone in the family, no matter if they are young or old.

The post Pedicure Chair For Kids: Is It Worth The Splurge? appeared first on Comfy Bummy.

Hoax Email Blast Abused Poor Coding in FBI Website

The Federal Bureau of Investigation (FBI) confirmed today that its fbi.gov domain name and Internet address were used to blast out thousands of fake emails about a cybercrime investigation. According to an interview with the person who claimed responsibility for the hoax, the spam messages were sent by abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities.

The phony message sent late Thursday evening via the FBI’s email system. Image: Spamhaus.org

Late in the evening on Nov. 12 ET, tens of thousands of emails began flooding out from the FBI address eims@ic.fbi.gov, warning about fake cyberattacks. Around that time, KrebsOnSecurity received a message from the same email address.

“Hi its pompompurin,” read the missive. “Check headers of this email it’s actually coming from FBI server. I am contacting you today because we located a botnet being hosted on your forehead, please take immediate action thanks.”

A review of the email’s message headers indicated it had indeed been sent by the FBI, and from the agency’s own Internet address. The domain in the “from:” portion of the email I received — eims@ic.fbi.gov — corresponds to the FBI’s Criminal Justice Information Services division (CJIS).

According to the Department of Justice, “CJIS manages and operates several national crime information systems used by the public safety community for both criminal and civil purposes. CJIS systems are available to the criminal justice community, including law enforcement, jails, prosecutors, courts, as well as probation and pretrial services.”

In response to a request for comment, the FBI confirmed the unauthorized messages, but declined to offer further information.

“The FBI and CISA [the Cybersecurity and Infrastructure Security Agency] are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account,” reads the FBI statement. “This is an ongoing situation and we are not able to provide any additional information at this time. The impacted hardware was taken offline quickly upon discovery of the issue. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to www.ic3.gov or www.cisa.gov.”

In an interview with KrebsOnSecurity, Pompompurin said the hack was done to point out a glaring vulnerability in the FBI’s system.

“I could’ve 1000% used this to send more legit looking emails, trick companies into handing over data etc.,” Pompompurin said. “And this would’ve never been found by anyone who would responsibly disclose, due to the notice the feds have on their website.”

Pompompurin says the illicit access to the FBI’s email system began with an exploration of its Law Enforcement Enterprise Portal (LEEP), which the bureau describes as “a gateway providing law enforcement agencies, intelligence groups, and criminal justice entities access to beneficial resources.”

The FBI’s Law Enforcement Enterprise Portal (LEEP).

“These resources will strengthen case development for investigators, enhance information sharing between agencies, and be accessible in one centralized location!,” the FBI’s site enthuses.

Until sometime this morning, the LEEP portal allowed anyone to apply for an account. Helpfully, step-by-step instructions for registering a new account on the LEEP portal also are available from the DOJ’s website. [It should be noted that “Step 1” in those instructions is to visit the site in Microsoft’s Internet Explorer, an outdated web browser that even Microsoft no longer encourages people to use for security reasons.]

Much of that process involves filling out forms with the applicant’s personal and contact information, and that of their organization. A critical step in that process says applicants will receive an email confirmation from eims@ic.fbi.gov with a one-time passcode — ostensibly to validate that the applicant can receive email at the domain in question.

But according to Pompompurin, the FBI’s own website leaked that one-time passcode in the HTML code of the web page.

A screenshot shared by Pompompurin. Image: KrebsOnSecurity.com

Pompompurin said they were able to send themselves an email from eims@ic.fbi.gov by editing the request sent to their browser and changing the text in the message’s “Subject” field and “Text Content” fields.

A test email using the FBI’s communications system that Pompompurin said they sent to a disposable address.

“Basically, when you requested the confirmation code [it] was generated client-side, then sent to you via a POST Request,” Pompompurin said. “This post request includes the parameters for the email subject and body content.”

Pompompurin said a simple script replaced those parameters with his own message subject and body, and automated the sending of the hoax message to thousands of email addresses.

A screenshot shared by Pompompurin, who says it shows how he was able to abuse the FBI’s email system to send a hoax message.

“Needless to say, this is a horrible thing to be seeing on any website,” Pompompurin said. “I’ve seen it a few times before, but never on a government website, let alone one managed by the FBI.”
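The design flaw described above, as an added example that is not code from the article or from the FBI portal: a simulation of the two server-side shapes the story contrasts. `vulnerable_confirm` models what Pompompurin described (passcode produced on the client and posted back together with the email subject and body, all of which the server mails as-is); `ConfirmationService` is the hardened shape, where the passcode is generated server-side, the template is fixed, the recipient is validated and rate limited, and the code is single-use and time-limited. HTTP handling is reduced to plain dicts, `Outbox` is a stub mailer, and every function and field name here is an assumption made for the example.

```python
# Added example, not code from the article or from the FBI portal.
# Both handlers receive the parsed POST body as a dict; Outbox stands in
# for the mail transport so the example runs offline.
import hashlib
import hmac
import re
import secrets
import time

SENDER = "eims@ic.fbi.gov"      # sender address named in the article
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CODE_RE = re.compile(r"passcode is (\d{6})")


class Outbox:
    """Stub mailer that records messages instead of sending them."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject, body):
        self.sent.append({"from": SENDER, "to": to,
                          "subject": subject, "body": body})


def vulnerable_confirm(params, outbox, expected_codes):
    """Trusts every field of the POST body: the recipient, the subject,
    the body text and even the passcode the server is supposed to check.
    Whoever can edit the request controls the outgoing mail."""
    expected_codes[params["email"]] = params["code"]
    outbox.send(params["email"], params["subject"], params["text_content"])
    return {"status": "sent"}


class ConfirmationService:
    """Hardened shape (assumed design, not the portal's): the server
    owns the passcode, the subject and the body."""
    TEMPLATE = ("Your registration passcode is {code}. "
                "It expires in 10 minutes.")
    SUBJECT = "Registration confirmation"

    def __init__(self, outbox, now=time.time):
        self.outbox = outbox
        self.now = now                         # injectable clock for tests
        self.secret = secrets.token_bytes(32)  # per-process HMAC key
        self.issued = {}                       # email -> (tag, expiry)
        self.last_sent = {}                    # email -> timestamp

    def confirm(self, params):
        """Only the recipient address is taken from the client; any
        subject/text_content fields in the request are ignored."""
        email = params.get("email", "")
        if not EMAIL_RE.match(email):
            return {"status": "rejected", "reason": "bad address"}
        t = self.now()
        if t - self.last_sent.get(email, float("-inf")) < 60:
            return {"status": "rejected", "reason": "rate limited"}
        code = f"{secrets.randbelow(10**6):06d}"   # generated server-side
        self.issued[email] = (self._tag(email, code), t + 600)
        self.last_sent[email] = t
        self.outbox.send(email, self.SUBJECT, self.TEMPLATE.format(code=code))
        return {"status": "sent"}

    def verify(self, email, code):
        entry = self.issued.get(email)
        if entry is None:
            return False
        tag, expiry = entry
        if self.now() > expiry:
            del self.issued[email]
            return False
        ok = hmac.compare_digest(tag, self._tag(email, code))
        if ok:
            del self.issued[email]             # single use
        return ok

    def _tag(self, email, code):
        # store an HMAC of the code rather than the code itself
        return hmac.new(self.secret, f"{email}:{code}".encode(),
                        hashlib.sha256).hexdigest()


def extract_code(body):
    """Pull the passcode out of a mailed body, as a real recipient would."""
    m = CODE_RE.search(body)
    return m.group(1) if m else None
```

The point of the comparison is where the trust boundary sits: in the vulnerable shape the server is a relay for client-chosen content from a trusted sender address, while in the hardened shape the client can influence nothing but the recipient, and even that is validated and throttled.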

As we can see from the first screenshot at the top of this story, Pompompurin’s hoax message is an attempt to smear the name of Vinny Troia, the founder of the dark web intelligence companies NightLion and Shadowbyte.

“Members of the RaidForums hacking community have a long standing feud with Troia, and commonly deface websites and perform minor hacks where they blame it on the security researcher,” Ionut Illascu wrote for BleepingComputer. “Tweeting about this spam campaign, Vinny Troia hinted at someone known as ‘pompompurin,’ as the likely author of the attack. Troia says the individual has been associated in the past with incidents aimed at damaging the security researcher’s reputation.”

Troia’s work as a security researcher was the subject of a 2018 article here titled, “When Security Researchers Pose as Cybercrooks, Who Can Tell the Difference?” No doubt this hoax was another effort at blurring that distinction.

The Good, the Bad and the Ugly in Cybersecurity – Week 46

The Good

In recent weeks, we’ve had the pleasure to report on some high-profile cybercrime arrests. That trend continues this week as FBI Director Christopher Wray announced another arrest and charges laid against two individuals for deploying REvil ransomware.

Ukrainian Yaroslav Vasinskyi, 22, was arrested in Poland after an international effort spanning law enforcement and private security companies across several countries. Vasinskyi is charged with having been a material participant in multiple REvil-centric attacks, including the devastating attacks on Kaseya. In addition, the Justice Department announced charges against Russian national Yevgeniy Polyanin, 28, and the seizure of $6.1 million in maliciously-obtained funds.

Based on the unsealed court documents, Vasinskyi was directly involved in the attack on Kaseya, which took place in early July 2021. This attack exploited Kaseya’s established infrastructure to distribute REvil ransomware and subsequently cripple a devastating number of machines.

The attack on Kaseya was a sobering reminder of how relentless these ransomware attackers can be. Many of the affected businesses and individuals will likely still be recovering from the economic damage for years to come. We applaud the continued efforts by law enforcement and the private sector to hunt down and eliminate these criminal threats. Cheers to the good guys, and let’s hope this trend continues!

The Bad

A recent Cl0p ransomware campaign struck a sizable blow to the privacy of many. The British company Stor-a-File was the unfortunate target of an attack by Cl0p in September of this year. This is particularly concerning given the business that Stor-a-File is in. They are constantly dealing with sensitive documents and processing them for a variety of customers including those in the medical business. To date, Stor-a-File has refused to pay the attackers, which is an admirable decision. However, as a result, there has been some leakage of data on the Cl0p blog.

An important aspect to note in this attack is the initial access vector. According to current intelligence, first-stage access was obtained via well-known weaknesses in the SolarWinds Serv-U FTP software. This particular vulnerability is a favorite of Cl0p operators. According to a statement from Stor-a-File, “the incident is limited to the small number of records we hold electronically”, and since the incident, the company has patched exposed systems.

Ransomware operators will continue to target vulnerabilities that work, and this incident is a timely reminder that just because a vulnerability drops out of the news cycle, it does not mean it has gone away. Unfortunately, we get new vulnerabilities to worry about every day, which compounds the issue. But at the end of the day, we all have to be extra vigilant and make sure we understand our environment, have adequate and required visibility, and protect those systems which we deem the most ‘critical’.

The Ugly

This week saw disclosure of a critical vulnerability in the Palo Alto GlobalProtect firewall. The flaw, identified as CVE-2021-3064, is a memory corruption vulnerability (stack-based buffer overflow) in the GlobalProtect portal and gateway interfaces.

Upon successful exploitation, a remote attacker may potentially gain access to a root shell, and thus unfettered access to the target systems. Exploitation can be achieved remotely, without the need for any authentication.

The issue affects PAN-OS 8.1 prior to 8.1.17 on both virtual and physical firewalls. Gaining this level of access is extremely attractive to attackers. Beachheading in a network appliance (such as a firewall) gives a detailed view of the adjacent network, along with the access needed to extend beyond that initial host. Estimates vary as to the number of devices affected; there could be anywhere between 10,000 and 70,000 exposed devices on the public internet.

The flaw was discovered by the Randori Attack Team and subsequently disclosed to Palo Alto, which responded with advisories and patches for the affected systems. We encourage all those who may be exposed, or are seeking more information, to review Palo Alto’s advisory.

Is SquirrelWaffle the New Emotet? How to Detect the Latest MalSpam Loader 

Since early September, SentinelLabs has been tracking the rapid rise of a new malware loader that previous researchers have dubbed “SquirrelWaffle”. The tool has been utilized in multiple global attacks since then and is being likened to Emotet in the way it is being used to conduct massive malspam campaigns.

In this post, we explain how SquirrelWaffle works, what to look out for and how to protect your business from the latest malspam loader.

What Is SquirrelWaffle Malware?

SquirrelWaffle is a recent malware loader that is distributed through malspam – malicious spam mail – with the purpose of infecting a device with second-stage malware such as cracked copies of the red teaming tool Cobalt Strike and QakBot, a well-known malware that started life as a simple banking trojan but has since evolved into a multi-functional framework with RAT (Remote Access Trojan)-like capabilities.

Researchers have noted how the infection chain may begin with an email reply chain attack, in which a threat actor neither inserts themselves as a new correspondent nor attempts to spoof someone else’s email address. Instead, the attacker sends the malicious SquirrelWaffle email from a hijacked account belonging to one of the participants. Since the attacker has access to the whole thread, they can tailor their malspam message to fit the context of an ongoing conversation. Given that the recipient likely already trusts the sender, there’s an increased likelihood of the target opening the maldoc or clicking the link. Email reply chain attacks were a hallmark of Emotet campaigns and contributed a great deal to its success.

SquirrelWaffle first appeared in early September and defenders have noticed an uptick in incidents of infection since then. SentinelLabs researchers have also noticed that the malware drops unique payloads even from the same infection chain and that file path patterns are continuing to evolve.

How Does SquirrelWaffle Infect Devices?

Initial delivery of SquirrelWaffle as a first stage loader often comes courtesy of a phishing email with either a malicious MS Word or Excel attachment or embedded link leading to a zip-compressed malicious document download. These maldocs contain VBS macros which execute PowerShell to retrieve and launch the SquirrelWaffle loader.

The initial SquirrelWaffle files are written to disk as prescribed by the malicious PowerShell script responsible for their retrieval. For example, early clusters of malicious documents dropped SquirrelWaffle using this set of file names:

C:\Datop\test.test
C:\Datop\test1.test
C:\Datop\test2.test

SquirrelWaffle infection following the launch of a poisoned Excel file

Importantly, no two runs of the same malicious document will produce the same SquirrelWaffle payloads. On each execution, the payloads written to disk will have unique hashes.

"C:\Users\AppData\Local\Temp\Temp1_natusut-1501184.zip\grade-2086577786.xls"
C:\Datop\test.test - 8d7089f17bd5706309d7c6986fdd1140d6c5b4b2
C:\Datop\test1.test - 52452f6f0ab73531fe54935372d9c34eb50653d8

"C:\Users\OneDrive - folder, Inc\Desktop\grade-2086577786.xls"
C:\Datop\test.test - bce0e9e1c6d2e7b12648ef316748191f10ed8582
C:\Datop\test1.test - 8ba7694017d1cea1d4b73f39479726478df88b20

"C:\Users\OneDrive - folder, Inc\Desktop\grade-2086577786.xls"
C:\Datop\test.test - 8aec96029b83d3b226c8c83dd90f48946ee97001
C:\Datop\test1.test - 8262cd7029f943a7b6199b5a6c51ec19e085c3b7

SquirrelWaffle has been observed using more conventional file name patterns as well, such as those with .dll extensions:

ww1.dll
ww2.dll
ww3.dll
ww4.dll
ww5.dll

In early November, we observed yet another pattern, indicating that the malware authors are continually iterating:

good.good
good1.good
good2.good

SquirrelWaffle Shares Code With Other Attack Frameworks

SquirrelWaffle, in common with many other malware samples, uses a custom crypter. Doing so is attractive for many reasons, not the least of which are obfuscation and anti-analysis to prevent researchers from developing strong indicators of compromise for detection.

Researchers have shown that SquirrelWaffle uses the same custom crypter as other well-known attack frameworks including Ursnif, Hancitor and Zloader. This is used, among other things, to hide the malware’s Command and Control (C2) URL.

Upon infection, SquirrelWaffle can download a Cobalt Strike payload with a .txt extension and execute it using the WinExec function. The other likely payload downloaded by current SquirrelWaffle infections is Qakbot.

Below we can see process injection into explorer.exe from a SquirrelWaffle infection.

If infected with Qakbot, the malware will attempt to extract email data from the host.

From the above image, we can see the C:\Users\EmailStorage___ pattern. The “collector_log.txt” contains a record of the malware’s enumeration and exfiltration process.

How To Protect Against SquirrelWaffle

The SentinelOne platform detects and protects all customers against SquirrelWaffle infection. In the video demonstration below, we set the agent policy to ‘Detect Only’ to observe the infection in action. In ordinary circumstances, customers would use the Protect policy to prevent execution.

Conclusion

Cybercriminals are quick to come up with new loaders to team up with other groups that will help deliver a variety of payloads to achieve maximum financial gain. SquirrelWaffle is the latest such loader, currently being used to deliver Cobalt Strike and Qakbot but which can easily pivot to dropping any payload the operators wish. While SquirrelWaffle is certainly not yet anywhere near as prevalent as Emotet in its heyday, all the hallmarks are there of a campaign and infrastructure looking to grow.

If you would like to know more about how SentinelOne can protect your business against SquirrelWaffle and other threats, contact us for more information or request a free demo.

Example SHA1 Hashes

8d7089f17bd5706309d7c6986fdd1140d6c5b4b2
52452f6f0ab73531fe54935372d9c34eb50653d8
bce0e9e1c6d2e7b12648ef316748191f10ed8582
8ba7694017d1cea1d4b73f39479726478df88b20
8aec96029b83d3b226c8c83dd90f48946ee97001
8262cd7029f943a7b6199b5a6c51ec19e085c3b7
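The drop-file naming patterns from the “How Does SquirrelWaffle Infect Devices?” section, the Qakbot EmailStorage_ / collector_log.txt artefacts, and the SHA1 list above, turned into detection logic as an added example that is not SentinelOne’s code or part of this post. It replays constructed Sysmon-style JSON-lines telemetry (sample data made up here) against four kinds of indicator: an Office application spawning PowerShell (the maldoc-to-loader step), the observed file names (Datop\test*.test, ww*.dll, good*.good), the six hashes, and the Qakbot email-collection paths. Event field names (`event`, `host`, `parent_image`, `image`, `path`, `sha1`) are assumptions.

```python
# Added example, not SentinelOne's code or part of the post.
import json
import re

# SHA1 hashes listed in the post
SQUIRRELWAFFLE_SHA1 = {
    "8d7089f17bd5706309d7c6986fdd1140d6c5b4b2",
    "52452f6f0ab73531fe54935372d9c34eb50653d8",
    "bce0e9e1c6d2e7b12648ef316748191f10ed8582",
    "8ba7694017d1cea1d4b73f39479726478df88b20",
    "8aec96029b83d3b226c8c83dd90f48946ee97001",
    "8262cd7029f943a7b6199b5a6c51ec19e085c3b7",
}

OFFICE_APPS = {"excel.exe", "winword.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Path rules built from the file names in the post. A literal backslash
# is written \\ inside the regex. The ww<digit>.dll name is short enough
# that some benign noise should be expected from that rule.
PATH_RULES = [
    ("squirrelwaffle_datop_drop", re.compile(r"\\datop\\test\d*\.test$", re.I)),
    ("squirrelwaffle_ww_dll", re.compile(r"\\ww\d\.dll$", re.I)),
    ("squirrelwaffle_good_drop", re.compile(r"\\good\d*\.good$", re.I)),
    ("qakbot_emailstorage", re.compile(r"\\users\\[^\\]+\\emailstorage_", re.I)),
    ("qakbot_collector_log", re.compile(r"\\collector_log\.txt$", re.I)),
]


def basename(path):
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of every rule a single event matches."""
    hits = []
    if event.get("event") == "ProcessCreate":
        if (basename(event.get("parent_image", "")) in OFFICE_APPS
                and basename(event.get("image", "")) in SHELLS):
            hits.append("office_spawns_powershell")
    elif event.get("event") == "FileCreate":
        path = event.get("path", "")
        hits.extend(name for name, rx in PATH_RULES if rx.search(path))
        if event.get("sha1", "").lower() in SQUIRRELWAFFLE_SHA1:
            hits.append("known_squirrelwaffle_sha1")
    return hits


def scan(lines):
    """Replay JSON-lines telemetry; return (host, rule, artefact) alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in evaluate(ev):
            alerts.append((ev.get("host"), rule, ev.get("image") or ev.get("path")))
    return alerts


# Constructed sample telemetry (not real data); JSON needs \\ for one backslash.
SAMPLE = r"""
{"event": "ProcessCreate", "host": "WS01", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"event": "FileCreate", "host": "WS01", "path": "C:\\Datop\\test.test", "sha1": "8d7089f17bd5706309d7c6986fdd1140d6c5b4b2"}
{"event": "FileCreate", "host": "WS01", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\ww3.dll", "sha1": "0000000000000000000000000000000000000001"}
{"event": "FileCreate", "host": "WS01", "path": "C:\\Users\\alice\\good1.good", "sha1": "0000000000000000000000000000000000000002"}
{"event": "ProcessCreate", "host": "WS02", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"event": "FileCreate", "host": "WS01", "path": "C:\\Users\\alice\\EmailStorage_WS01_alice\\collector_log.txt", "sha1": "0000000000000000000000000000000000000003"}
{"event": "FileCreate", "host": "WS02", "path": "C:\\Users\\bob\\Documents\\report.docx", "sha1": "0000000000000000000000000000000000000004"}
"""

if __name__ == "__main__":
    for host, rule, artefact in scan(SAMPLE.splitlines()):
        print(f"{host}\t{rule}\t{artefact}")
```

Because the post notes that every run of the same maldoc writes payloads with new hashes, the hash rule is the weakest of the four; the process-lineage and naming-pattern rules are what carry the detection once the observed hashes have rotated.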

Podcast: “Roided-out Sitting Duck, Part 2” with Juan Andres Guerrero-Saade

Principal Threat Researcher at SentinelLabs, Juan Andres Guerrero-Saade (aka JAG-S) talks to Rachel Lyon and Eric Trexler in the second of a two-part To the Point – Cybersecurity podcast. If you missed the earlier episode, you can catch Part One here.

In Part 2, JAG-S tells the story of the MeteorExpress wiper attack on the Iranian railway system and explains how the U.S., while the most powerful cyber nation in the world, is also one of the most vulnerable. He goes on to discuss cybersecurity careers, how to get started and the importance of finding mentors once you’re in the industry.

Click ‘play’ and enjoy the ride!

“Roided-out Sitting Duck” – Part Two Audio automatically transcribed by Sonix

“Roided-out Sitting Duck” – Part Two
This mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Intro:
Welcome to the To the Point Cybersecurity podcast. Each week, join Eric Trexler and Rachel Lyon to explore the latest in global cybersecurity news, trending topics and industry transformation initiatives impacting governments, enterprises and our way of life. Now let’s get to the point.

Rachael Lyon:
Hello, everyone, welcome to To the Point podcast, I’m Rachel Lyon here with co-host Eric Trexler. Eric.

Eric Trexler:
Rachel, this is going to be a great part two with JAG-S. The stories from last week continue. Yeah, we’re going to move to the Middle East and we’re going to talk about a little modern day story that just happened in July of twenty twenty one. It’s going to be fabulous.

Rachael Lyon:
Yeah, I’ve so many questions, too. I can’t wait. It’s been so hard to wait a week for this episode. I don’t know about you, but I have been so excited for this one to come out.

Eric Trexler:
It’s good to tease the listeners.

Rachael Lyon:
Exactly, exactly. Because how often do you wait for things anymore? Because when you do though, it’s it’s horrible and painful.

Eric Trexler:
Agreed. So anyway, with that, let’s kick off Part two with JAG-S from SentinelOne.

Rachael Lyon:
Yes, let’s do it. Absolutely. We talk to you about Kenny. You know, attackers kind of finding the rhythm or finding their way. You know, you recently wrote about this Iranian train attack, and I love that you guys called it The Meteor Express.

Juan Andres Guerrero‑Saade:
Yeah, it’s it’s the last bastion of creativity and threat intelligence. Sneak in a nice name.

Eric Trexler:
Love the naming. I just I mean, the creative naming just gets me going. It’s awesome.

Rachael Lyon:
But I love everything about this and I don’t want to steal your thunder. But you know, I love that there is kind of like this epic kind of trolling by the attacker and you know how they were directed to, you know, kind of who they were directing to call, you know, with plates or, you know, in the signage and all the things. So I please, please tell, tell our listeners more about kind of what you learned about this.

Juan Andres Guerrero‑Saade:
Ok, so this is a it’s a kind of a complicated story and a really interesting one. And I don’t know when this is going to go out, but like it continues to develop. So there are some things in there that I want to touch on that are not in the report and that it’ll probably keep evolving by the time the plays into this.

Eric Trexler:
Like, how much time do you need? We’ll record it, Rachel and I’ll be quiet, we’ll sign the NDAs. We’ll release it when you let us know.

Juan Andres Guerrero‑Saade:
No, let me. I’ll be as forthright as I can be, but I think, you know, this is going to keep evolving beyond today. So. We got into this thing about Meteor Express, right, then there’s a wiper attack in Iran and the sort of the railway system. And it’s particularly funny in a sense because you mentioned that this epic troll, right, they wipe all these systems, they take down the ability to coordinate these trains. And all of the displays have a picture that says, you know, trains delayed due to cyber attack. For more information, call this number. And I think it’s like six, four, four one one or something like that. And it turns out that it’s the supreme leader’s office in Iran. So I think, you know, epic troll, absolutely hilarious. Now that being said, I, you know, I try to keep the glibness in check because the other element of this is, well, somebody just deployed a wiper on critical infrastructure somewhere. So like, that’s the part where like, we’re kind of laughing and it’s Iran. So everybody finds everything acceptable when it’s, you know, when it’s Iran, North Korea, certain places, you’re like, Oh, fair game, but something, you know, I feel like in a sense, someone who is willing to do something that had it happened here, we would have been right over the Moon about right. We sorry, we would have been very, very upset about pretty pissed off. Well, I guess

Rachael Lyon:
That’s a question, too. Is it? I mean, why there, you know, is it a test? Is this like a test kind of kitchen activity or?

Juan Andres Guerrero‑Saade:
I don’t think so. So I think this is where you know, OK, let’s cover the basic ground and then we’re going to go into kind of what’s going on with this right? So there was a report out of an Iranian AV company of some of the components that they saw. And just based on some of that, I was able to rebuild the entire attack chain. You know, thankfully, we were able to find all the files and figure out what happened.

Eric Trexler:
I mean, there’s an Iranian AV company.

Juan Andres Guerrero‑Saade:
There is, I believe it’s called Padvish or something like that.

Eric Trexler:
Seriously.

Juan Andres Guerrero‑Saade:
Well, you have to think about it. Most companies can’t do business with Iran, right? If we wanted to create the EDR and make it interesting. Ok, yeah. It puts them in a particularly disadvantageous position, to be honest with you. You know, most countries, this is inside baseball, but most countries want to develop their own navy because nobody trusts foreigners. Right. Then they try to do it and they realize it’s a monumental task. And they, yeah, they claw back.

Eric Trexler:
And who’s buying Iranian AV software? I mean, there’s

Juan Andres Guerrero‑Saade:
An American market, either. Probably only Iran. Maybe a few other Middle Eastern partners, but

Eric Trexler:
Who thought their trains would run on time if run at all? So, I mean, Anyway, well, it’s.

Juan Andres Guerrero‑Saade:
No, no. I think you know, they’re getting.

Eric Trexler:
Yeah, she’s back to acting. Go ahead, JAGS.

Juan Andres Guerrero‑Saade:
We’ve gotten their teeth kicked in enough for the past few days. But you know, again, there’s the glib side of this. There’s the funny end of it. And then there’s a really serious one, right? Like, they’re being ravaged by COVID. They have this horrible political system that’s showing all kinds of terrible abuse of folks and so on. And this story actually transcends into that. So again, getting to the basics, right? We rebuild this toolkit. It’s an interesting wiper. I sort of got the detail of everything, and the wiper is called Meteor. That’s why we call it Meteor Express. I think it’s particularly important to, if you discover something, get to put your stake in the ground and name it artistically. So we call it the Meteor Express, and it’s a really interesting set of activities because first of all, it doesn’t relate to any known threat actor we have seen at the time. And also it’s oddly clunky and poorly deployed, and yet there are elements of it that are very, very well done. So to me, it’s not clear cut to say, Oh, this is a very advanced, sophisticated threat actor. It is not, but it’s definitely not somebody that just came out of the woodwork and figured out how to use a computer yesterday. Like, there’s something happening here.

Eric Trexler:
It’s probably an Israeli college classes like a final project or something.

Juan Andres Guerrero‑Saade:
Well, you know, what’s funny about that is, I think a lot of this is where we get into some of the complicated parts of threat intel, right, it’s very easy for this to get politicized, it’s very easy to kind of misstep, and I’ve written a couple of papers about this because it causes a lot of anxiety for folks, and I don’t know how many people had seen this activity before I wrote on it. But I do know of some folks that looked at it and said, Oh, this is probably Israel, and they backed off. And I personally don’t like that. I try to, you know, I’ve worked on American stuff. I’ve worked on European stuff. I’ve worked on, you know, Israeli stuff in the past. And I really don’t like the idea of just backing away from something because you think that it’s a friendly country. And in this case, I’ll be honest with you, if you asked me for my gut instinct, I don’t think it’s that. Yeah, it’s underestimating the diversity of threat actors in the Middle East to think that every semi-sophisticated attack is Israel, and to be honest with you, the quality of stuff coming out of Israel is drastically higher. It is.

Eric Trexler:
Maybe it was like a middle school class project. Well, let me put it, let me ask you a question because I saw it in the press, and I’ve only, as far as I’m involved, I only know what’s in the press and probably not even half of what’s in the press, because I’m not spending a lot of time on this. But the first thought that comes to mind is, who the hell, Rachel, decides to attack the Iranian train system? I mean, who even thinks about Iran and the trains?

Rachael Lyon:
Well, that’s my question, too. I mean, that’s why I wonder is, was it a test kitchen kind of scenario, you know, where you kind of like it’s, you know, kind of low hanging fruit to go?

Eric Trexler:
It seems like an oddball target, right?

Juan Andres Guerrero‑Saade:
It absolutely is. Yeah, an oddball target, but that’s where it’s OK. So I put out my research and then Check Point came out, and I believe it’s Itay Cohen and a couple of other folks over at Check Point picked up on it and wrote their own follow-up, and they found something interesting. Based on this Meteor Express stuff, they are able to find earlier versions of that wiper that are called Stardust and Comet by the attacker. And OK, let’s try to follow along here because it gets complicated.

Eric Trexler:
Right, I’m doing my best. I’m a podcast, but we’ll do OK.

Juan Andres Guerrero‑Saade:
I just wish we had a whiteboard right now because I think the timeline is really important. So Check Point finds these and they realize that in the code, there’s a reference to a group called Indra. And Indra is a quote-unquote hacktivism group that’s interested in attacking Syria, and they claim a couple of Syrian hacks. They’re really interesting targets. It’s like a company that does money exchange services that they accuse of laundering money for the Quds Force and a private airway company that’s doing private jets for Soleimani and other folks in Iran. And so very, very interesting, very well chosen targets. And then I like to point this out because if you ask me, and this is where kind of Check Point and I stand in direct opposition, they think it’s hacktivism. I do not. We have seen a lot of examples of nation-state groups pretending to be hacktivists. The North Koreans did it. They’ve done it several times with Guardians of Peace for Sony. They used to do the WHOIS Team. There’s the New Romanian Cyber Army. They’ve created a bunch of fake fronts for their activities, and so have the Russians. The Russians did Guccifer 2.0 and CyberBerkut, Cyber Caliphate, Yemeni Cyber Army. They’ve created a bunch of these things where they make it look like it’s organic hacktivism, and in reality, it’s the same old threat actors that you can think of, and they’re using fake fronts to justify their hack and leak operations, right? Rather than saying, Look, we’re the GRU providing you with stolen info, it’s, well, no, we’re patriotic hackers out of Ukraine or whatever.

Speaker4:
So maybe I’m overly primed to look at it this way. But to me, this has all the markings of a fake hacktivism front. And the reason I said, you know, this is a continuum. This is a story that continues to develop and will probably develop further beyond when this podcast is revealed or released. It’s because what Check Point finds, to me, is a specific, time-limited campaign. You see a couple of attacks in Syria with this toolkit under the banner of Indra in November 2020. Indra goes dark. They stop posting on Twitter, they stop posting on Facebook and they stop using Stardust and Comet the way that they were coded. Instead, we see Meteor being coded with no reference to Indra in January of 2021 and deployed in July of 2021, along with a couple of other mysterious hacks in Iran that we haven’t been able to investigate. The latest of which is Evin Prison, and I don’t know if you guys got to see the news out of this. It is really interesting and kind of terrifying, right? So a hacktivist group quote-unquote hacks Evin Prison, which is believed to be one of the darkest places on Earth. It’s basically where the Iranians take political prisoners and whatnot, and they steal tons of footage from the security cameras inside of this prison, publicly release it and then lock up and wipe the machines. And in that footage, you can even see the machines being locked up and wiped. You can watch the operators in that prison basically see this happening. And frankly, you know, I can’t make a solid assessment because I’m not doing IR on those systems and I don’t have any samples. It looks like the same functionality as Meteor Express; that is not enough for anybody to make a solid assessment. I’m not going to put my hands in the fire about it, but I’ll say that it looks very similar.
And the day that this hack is announced, we get a new account called Edalat-e Ali, a new hacktivism front that claims the Evin Prison hack and does the same, you see a massive dump of stolen stuff, and continues to have a social media presence and promises more attacks. Wow. So my speculation is we’re seeing a group adopting fake activism fronts first for a campaign in Syria, now for a campaign in Iran. And to me, that’s foreign influence. To me, that’s an established group of some sort that is basically whitewashing their exfil through seemingly, Oh, this is organic activism. People have had enough. They’ve decided to do this hacking. We would all love to believe that activism is alive and well, and maybe it is in places like Belarus, but I don’t think that that’s the situation here. That’s my honest take on it.

Eric Trexler:
So who attacks an Iranian train system? Right? An Iranian prison? Well, you just, I’m trying to put that together like motivation, you know? Yeah, it’s the motivation, disruption.

Juan Andres Guerrero‑Saade:
Let’s put it this way. Again, folks tend to immediately think about, for example, Israel in this context, but not only is Israel there, but the United Arab Emirates is there. Bahrain, Jordan, there is. Lebanon has been shown to have their own cyber espionage capabilities. There are quite a few well-resourced groups and in particular, I mean, we’ve been seeing a lot come out about the Emirati cyber program between stuff with DarkMatter and everything that happened post CyberPoint contract and the amazing stories Chris Bing put out on Reuters about Karma and how former NSA contractors had basically been helping them build capabilities in the Emirates. I’m not pointing at them in particular, but I’m saying we’re oversimplifying the Middle East if we think that it’s really one attacker and one victim in either direction. I mean, the Iranians have been pissing plenty of people off with their own wiper attacks for years now, including the South. But who

Eric Trexler:
Do you? Who do you hurt if you hack the prison and the train system?

Juan Andres Guerrero‑Saade:
Well, I think in a sense, you in a sense what you are doing is chipping away at the legitimacy of that government. It’s not that you are really going to disable them, it’s that you’re essentially showing this general uncoordinated weakness that comes along with being unable to stand up to some ephemeral force. Worse yet, when you can claim that it’s locals right, the idea that your own people are against what you’re doing is part of the propaganda force that comes along with the hacktivist group.

Eric Trexler:
So then if you take the train system, which a lot of people use. Right. I’m assuming the administration, the people running the company of private cars and planes and helicopters and things, but the people are on the train system. They use six four four six four four one one. The phone number, I guess, for the supreme leader’s office. Right. So I understand that in the prison showing what’s going on in this very dark place, maybe you start to pull it together. I guess you’re right. I mean, your question does make them look bad.

Juan Andres Guerrero‑Saade:
You’re putting into question the legitimacy of it. I think it’s important in a sense, because it’s a lot easier to deny obscure hacks that happen inside of, you know, the ministry. Apparently, they also hack the Ministry of Urban Development and Roads or something. Yes. Yes. You know, it’s like, I mean, who knows, right? They can just say nothing happened. And the Iranians often do they either that government will either come out and say, Oh my God, we are being pummeled by cyber attacks, and it turns out to be nothing. Or they’ll say nothing happened here. And it turns out that a whole ministry got taken down. So in a way, targeting something that normal everyday people rely on is a fantastic way of just showing egg in their face, right?

Eric Trexler:
This is not powerlessness. The powerlessness of leadership. Right, right, right.

Juan Andres Guerrero‑Saade:
It’s something that you began with with Stuxnet. I mean, we’re talking about part of the, and I hate to invoke the ghost of Stuxnet because it’s brought up in every conversation. But part of the power of Stuxnet was psychological. Kim Zetter wrote such a fantastic book on this, if folks haven’t read it. Countdown to Zero Day. Probably the best threat intel story out there. Kim Zetter, fantastic journalist for this, but part of the effect of Stuxnet was they were doubting their own competence. They were firing scientists. They were chasing their own tails, replacing equipment. It’s a psychological effect to say, Oh God, we just can’t get our act together to get this done. And now we’ve got something similar. You know, we’re experiencing it in the U.S., too, right? The ransomware epidemic for enterprises is definitely making us look like this horrible, I think I used the expression ’roided-out sitting duck, right? Like we were the most powerful cyber nation on Earth. But we’re also just getting slammed all day and we can’t do anything about it. And you know, the same situation in Iran.

Rachael Lyon:
I know, that’s what I’m laying down.

Eric Trexler:
Sitting duck with Jags. But you’re right. I mean, they’re incredibly vulnerable, easy targets, and we can’t do a lot about them.

Juan Andres Guerrero‑Saade:
It’s I mean, it’s a sad situation to have what is arguably the most power in cyberspace and to have your hands the most tied out of anybody else, right? The U.S. is

Eric Trexler:
The most vulnerable too

Juan Andres Guerrero‑Saade:
Yeah, that all comes down to dependency on technology, right? It’s such an enabler. It’s such a source of our power. And we have the largest corporations economically, the largest corporations on the planet. They’re all technology companies, right? And that shows the great promise of America is largely built on the tech sector right now. So if you can chip away at our ability to depend on that, you know, I think that’s part of the ridiculousness of the arguments that we have about cyber war and in particular cyber on cyber, right? It’s like, Oh, if we get hit, then we’re going to retaliate with cyber. It’s like if you take down some systems in Russia or in Iran or in China, I mean, the trains aren’t working. We’ll walk, like, it’s fine. If you do that in the U.S., like look at what happened with Colonial. They didn’t even hit the OT system. They just took down the billing and I had to pay like seventy five dollars to fill up my tank here in Miami, even though that pipeline doesn’t even reach here. But what about the people who

Eric Trexler:
Are putting gasoline into plastic bags?

Juan Andres Guerrero‑Saade:
Oh yeah.

Speaker3:
So to show some problems,

Juan Andres Guerrero‑Saade:
Our collective wisdom is not what it what we’d like it to be.

Eric Trexler:
That could be a different show title.

Rachael Lyon:
Yeah, there was someone in Texas that had filled a trash can in the back of a pickup truck, and there wasn’t even a top on it. So I’m like, How do you drive it?

Juan Andres Guerrero‑Saade:
Well, you’re just getting high on the way out on figuring out how you one

Eric Trexler:
Spark, though, and you’re a firework.

Juan Andres Guerrero‑Saade:
I don’t know what to tell you.

Eric Trexler:
Yeah, we’re not going to fix that one today. So. So Jags, I think we’re going to turn this into a two parter. The stories are awesome.

Rachael Lyon:
Absolutely.

Eric Trexler:
How did you get? How did you get into this career path? Like you say, this is where I want to go.

Juan Andres Guerrero‑Saade:
So my career path is super unlikely and I’m incredibly fortunate to have ended up where I did. I was a philosophy major, and that was my whole thing, I was just going to kind of stick to really obscure German philosophy that nobody ever wants to read. And somehow that turned into a lot of intelligence analysis work, which I really enjoyed and eventually being on the receiving end of a lot of cyber attacks and having no local expertise, you know, develops into a fascination for something that was not immediate to my skill set, but that was interesting enough to be worth the dedication and devotion to try to learn and learn and learn. And I credit my time at Kaspersky a great deal. I had the pleasure of working in the Global Research and Analysis Team for four or so years, with amazing researchers like Costin Raiu and Kurt Baumgartner and Brian Bartholomew, and all these fantastic folks who took the time to teach a lowly analyst how to do things. And it’s just been getting into trouble ever since, right? Like I mentioned, I don’t. I lack the common sense, or at least the survival instinct, to not look at certain things. And it has led me down some really interesting roads

Eric Trexler:
But you’re not getting a job as an obscure German philosopher at Kaspersky on that, right? I mean, like, where are you working? Where did you determine that path? Because we have a tremendous amount of need for people like you. Yeah, not Rachel. And I was like, How do you get started? Because we get a lot of people who want to know. How do I get into the business, yes, like, what’s that journey?

Juan Andres Guerrero‑Saade:
So I think my journey isn’t necessarily the one that I would immediately prescribe for others, but I would say I am definitely not an outlier in the threat intel research space in the sense that there’s a lot of folks that I know, a lot of folks have never graduated high school. They got their GED and they just, you know, went into this because it’s what they loved. And I know people that are PhDs in physics and just people that are just all over the spectrum who just love puzzles and love doing this kind of research. And I think that should be encouraging, particularly to folks who have a mind for critical thinking, who have a mind for everything that would make you a good intelligence analyst or somebody who’s into international relations and geopolitics, to say, Look. Just because you don’t have the technical information right now doesn’t mean you are barred from the space. I’ve gone on the record and I did this at a Carnegie Mellon lecture, which was probably not the nicest thing to do for a purely technical department. But I’ve gone on the record to say that I would rather hire a really smart international relations or intel analyst and teach them the technical stuff the way it was taught to me, rather than take a CS grad and try to get them to think more broadly and try to understand motivations and cui bono and international relations and what happens between Iran and the Emirates and so on. It’s so much harder to broaden a technical person’s thinking than it is to take a broad-minded individual and teach them technical things.

Eric Trexler:
It reminds me we had George Randle on, I don’t know, a year or a year and a half, two years ago. Probably. He’s from a talent acquisition perspective, and he wrote a book, The Talent War. He talks about, one of the major themes is hire for characteristics, train for skill, don’t hire for skill, right? And one of the stories they use in the book is a Navy SEAL story. Like every Navy SEAL, who’s a Navy SEAL already went through BUD/S, the Navy SEAL training program. You can’t get non Navy SEALs with BUD/S qualification, so you’ve got to look for the characteristics. You can’t say looking for a Navy SEAL to be a Navy SEAL because they already are.

Juan Andres Guerrero‑Saade:
Right, right.

Eric Trexler:
You’ve got to look for the people like you out there that have those characteristics. So when you say you’re an obscure German philosopher, like, that’s what you like, that was your interest. Yeah, to me, having actually worked with and, you know, I was managing, overseeing, I guess, an advanced malware lab capability. They were all over the place. I mean, we provided Xboxes, Nerf guns, you know, crazy wacky lunches. But the spread of a variety of the people in the lab who you’re working with, Marco Figueroa right now, I mean, Marco is not normal, let’s be honest, right? But he’s amazingly capable and brilliant, right? You’ve got to look for people who have characteristics. Yeah, we’re going to put a job ad out looking for an obscure German philosopher.

Juan Andres Guerrero‑Saade:
Right? Like, it doesn’t work. Do not do that.

Eric Trexler:
So that’s why I ask about your journey, because I think it’s something that there are a lot of people across the globe who would be really good. Yes, at this business,

Juan Andres Guerrero‑Saade:
I think so. There’s a couple of things here. One of them is it’s a shame that we don’t have a good talent pipeline. I think a lot of universities are kind of failing to put this together. And it’s just a shame that we don’t have a way to really churn out talent because we need it. I mean, I am not worried about job security. Nobody in this space should be worried about job security. We have enough work for ten times the amount of people that we have here, so please bring them along, right? The issue is right now we’re kind of living in the apprenticeship model. If you’re lucky enough to go somewhere with great folks, then you learn from them how to do things. And then someday you pay it forward and you teach somebody else how to do things. And that’s tough. But the corollary for me is look at something like Bellingcat, like Bellingcat is fantastic. It’s brilliant. It’s, I’m not

Eric Trexler:
Familiar with Bellingcat. Forgive me.

Juan Andres Guerrero‑Saade:
Oh my god, you’re missing. You’re missing out, you’re missing out.

Eric Trexler:
So you educate me. That’s why we do the show.

Juan Andres Guerrero‑Saade:
Bellingcat is a UK collective of citizen journalists. Ok? Basically, people who really are passionate about some obscure subject and decide to use open source intelligence to figure out what the hell’s going on. They’ve done really notable work, for example, investigating the downing of MH17, the poisoning of the Skripals in the U.K. They’ve done a lot of very significant work. They’re also helping to track, you know, human trafficking victims, like anything where they can basically take some leads of information and use open source intelligence to just figure out what’s really going on, identifying videos of victims in Africa. You know, what country is this? Who did this? You know, it’s fantastic because honestly, there really isn’t any gatekeeping about who can be a part of this effort. It’s very easy for folks to come in and say, You know what, I just really care about this. I’m going to learn the tools and techniques, and I’m going to contribute and other folks are going to check my work. And if it’s worthwhile, we’re going to publish it. And I think there should be a similar mentality when it comes to threat intel and infosec, which is to say, Look. Start your blog, start your journey. Tell us what you’re working on. Show us what you’re learning. And it’s, I think, yeah, you’re not going to put out a job requirement for someone who’s into obscure German philosophy. But I think it’s much easier to extend the hand to somebody who has a blog and you’re like, Wow, like, I mean, they don’t know everything, but you know this person, they’re a student or whatever, or they’re just a random individual who really cares about this, like they’re on to something. Let’s hope so. I think that’s an easier way to get a foot in the door, to show your curiosity and show what you can do on your own. And good hiring managers should be able to say if they can do this on their own, imagine what they’ll do with our tools and our mentors, right?

Eric Trexler:
And when we’re mentoring them and working with them. So one of the pieces of advice then is get creative, get out there. But also when you look for that first or second job, find a good mentor, find somebody who can teach you because it is an apprenticeship model. I would argue with that. The only difference I would say is you can look at things like maybe DHS, but definitely NSA, Cyber Command, CIA in the States, GCHQ in the UK. You know, I’m sure the Iranians have a good training program too over there, and the offensive work does, in my experience anyway, it does make good defensive people. Like that’s probably the most structured training program. You’re not going to go to a college necessarily and figure this stuff out overnight. But if you’re doing the offensive stuff, you get to think like the adversary and then can defend somewhat against them.

Juan Andres Guerrero‑Saade:
Yeah, I think that’s an interesting argument for folks to consider going the government route. I mean, obviously great to be able to serve your country. And to be honest, even though you’re going to be underpaid, you are going to get opportunities to do things you’re never going to be able to do anywhere else, right? I can’t hire you and say, Hey, go pop those command and control servers. Let me know what you find. So there’s definitely something to be said for that. I think from the industry we can, I think we have to admit that, for example, Unit 8200 has figured out how to churn out amazing talent. They are on to something real, Rachel. Yeah. I mean, the rest of us are not on to. I mean, they just churn out a massive amount of great people. We should probably ask them how to set up a talent pipeline and

Eric Trexler:
Look at the flourishing cybersecurity industry in Israel. I believe yes, much due in part to the work that’s done over there.

Juan Andres Guerrero‑Saade:
Mm hmm. So I mean, there’s something to be said for, there is a way to do this. I think we’re being, you know, maybe we’re being failed by the rigidity of the academic space not to set up better programs for it. But in any case, this is also a space where knowledge isn’t obscure. You can find most of the great tutorials for learning how to reverse and debug freely available online, back from the late nineties, early two thousands when people were just trying to crack software because they lived in Eastern Europe and they couldn’t buy it. Most of the stuff you need is freely available. No Starch Press does sales on their books basically every month. And if you are a starving artist and you really can’t pick that up, you could probably steal them online. Forgive me, Bill Pollock, but I’m saying you can get your start. You can do it. It’s more about dedication, and I think that’s something that we really shouldn’t underestimate, even for people that already have their foot in the door. If you are purely an intel analyst, find the time to learn the technical side of the house. The more that you need to depend on other people for your technical end, the more you’re missing parts of the picture. So not to preach against work-life balance or whatever, but this is your passion. There’s a lot of room to grow.

Rachael Lyon:
Absolutely.

Eric Trexler:
Great advice and even reach out to famous published researchers. I’m betting nine times out of 10 they’re going to if somebody reaches out and says, Hey, I have a question about the industry, I’m betting people answer.

Juan Andres Guerrero‑Saade:
Yeah, absolutely. I mean, there’s a reason why, you know, DMs are open for a lot of folks, and Twitter has given everyone a voice for better or worse. And you can reach out to amazing individuals and half the time they’ll answer. So yeah, might as well try.

Eric Trexler:
And fascinating, Rachel.

Rachael Lyon:
I know

Eric Trexler:
Know to end the week.

Rachael Lyon:
Stunned silence.

Eric Trexler:
That you didn’t have this on the set with all my children.

Rachael Lyon:
No, no, it was quite different.

Speaker4:
It was given her such a hard time about her.

Eric Trexler:
Oh my god, I love it. I’m so are you kidding, Jags? I am so impressed.

Juan Andres Guerrero‑Saade:
It’s a diversity of skills. It’s a wide range of skills.

Rachael Lyon:
Exactly, exactly. And cyber takes all comers. I love that

Eric Trexler:
Rachel is amazing at what she does. So a couple of years ago, we were at RSA and we did a show. Rachel was going to listen in on one of the podcasts and we surprised her. I was with our CTO at the time, we were doing a show about RSA, and Rachel was the featured guest. She was supposed to listen in. She had no prep or anything. We’re huddled around a little Blue Yeti mic in a room right off of Moscone Center. Yes, and we put Rachel on the spot and she was freaking amazing. I don’t know the podcast episode. Yeah, but I believe, yeah, if you’re in marketing, if you’re in PR and you’re running shows and things, go listen to it because she talks about what it takes to put the show on, what’s right? Anyway, she was a pro day one. I mean, she had no idea. She came in live about, I don’t know, Rachel, 30 seconds into the show, we announce you as the featured guest and she just rolled with it, and that’s her acting experience. She’s a pro.

Rachael Lyon:
Well, it helps when you have good people to talk to. Like today. I mean, it’s, you know, fascinating people with all these amazing stories. I mean, it makes it really easy to have a really good conversation.

Juan Andres Guerrero‑Saade:
Thank you. Thank you for the opportunity. I mean, honestly, I don’t get to nerd out about these things often enough. You know, you’re running looking at the next case, but there are so many great stories in this space and

Eric Trexler:
There are great stories that we can’t wait to hear. What do you think is next? Are you working on anything next?

Juan Andres Guerrero‑Saade:
Oh, all kinds of things. So I mean, we try to. There is a bit of a competitive streak and we all kind of try to impress each other and come out with new things. So I’m actually

Eric Trexler:
Challenge out there now, lay the gauntlet down for everybody in the business.

Juan Andres Guerrero‑Saade:
Well, so I’m working on some special techniques to analyze Go malware. There’s some, really, I like to do something that we’ve nicknamed cyber paleontology. Like, I like to look back at stuff. We tend to, the industry tends to be very now focused, you know, Monster of the Week. Oh my God, SolarWinds, oh my God, say, oh my, like every week is a different thing. And the truth is that we don’t have the resources to ever fully analyze any of these incidents. So I like to, you know, me and a few other folks really like to take old incidents and say, Well, what? What can we understand now, right in the vein of Moonlight Maze? What do we understand now? So I’m working on a really old school operation now, and honestly, I’m just waiting for the in-person conferences to really come back so that I can have a good venue to be like, All right, like, this is this thing I’m working on now.

Eric Trexler:
You’re hitting my area of expertise. Guess what? They’re shutting down. We just had another government conference shut down today. I don’t think you’re going to be back in person until probably the second half of ’22 at this point.

Rachael Lyon:
January, January, January,

Eric Trexler:
Maybe April. I’m betting I put a dollar down. No, no January. But I don’t. I don’t want to bust your bubble. I just want to be honest with you. We’re seeing them cancel.

Juan Andres Guerrero‑Saade:
I’m selling myself the dream just because, you know my inner attention whore, you know? Yeah, they can’t take it. I need to get on stage and show

Eric Trexler:
I’ll come back on the podcast.

Juan Andres Guerrero‑Saade:
I love to do it. Yeah, please.

Rachael Lyon:
Yeah, we’d love to have you. It’s amazing.

Juan Andres Guerrero‑Saade:
We’ll have a lot more stories to cover.

Eric Trexler:
Ok. Well, Rachel, it’s Friday evening this time we’re recording, is that a wrap?

Rachael Lyon:
I think that’s a wrap. Yes.

Eric Trexler:
Take us home.

Rachael Lyon:
All right. Well, everyone, thanks again for joining us for this week’s podcast with Juan Andres Guerrero-Saade. Well, there you go. Close. Yes, that’s perfect. Better known as JAG-S, but what an amazing conversation. Thank you so, so much for joining us today. We can’t thank you enough.

Juan Andres Guerrero‑Saade:
Thank you both. This is fantastic. I appreciate it.

Eric Trexler:
This was outstanding.

Rachael Lyon:
Yes, I hate. I don’t even want to ruin it. But you have to put the plug in, smash the subscription button, get a fresh episode every single week in your email. And it’s like Eric and I are just, you know, showing up at your doorstep and and having a nice conversation. How lovely is that? So for that laugh? So until next time, everyone stay safe.

Intro:
Thanks for joining us on the To the Point cybersecurity podcast brought to you by Forcepoint. For more information and show notes from today’s episode, please visit W four point Gov podcast. And don’t forget to subscribe and leave a review on Apple Podcasts or Google Podcasts.


SMS About Bank Fraud as a Pretext for Voice Phishing

Most of us have probably heard the term “smishing” — which is a portmanteau for traditional phishing scams sent through SMS text messages. Smishing messages usually include a link to a site that spoofs a popular bank and tries to siphon personal information. But increasingly, phishers are turning to a hybrid form of smishing — blasting out linkless text messages about suspicious bank transfers as a pretext for immediately calling and scamming anyone who responds via text.

KrebsOnSecurity recently heard from a reader who said his daughter received an SMS that said it was from her bank, and inquired whether she’d authorized a $5,000 payment from her account. The message said she should reply “Yes” or “No,” or 1 to decline future fraud alerts.

Since this seemed like a reasonable and simple request — and she indeed had an account at the bank in question — she responded, “NO.”

Seconds later, her mobile phone rang.

“When she replied ‘no,’ someone called immediately, and the caller ID said ‘JP Morgan Chase’,” reader Kris Stevens told KrebsOnSecurity. “The person on the phone said they were from the fraud department and they needed to help her secure her account but needed information from her to make sure they were talking to the account owner and not the scammer.”

Thankfully, Stevens said his daughter had honored the golden rule regarding incoming phone calls about fraud: When in doubt, hang up, look up, and call back.

“She knows the drill so she hung up and called Chase, who confirmed they had not called her,” he said. “What was different about this was it was all very smooth. No foreign accents, the pairing of the call with the text message, and the fact that she does have a Chase account.”

The remarkable aspect of these phone-based phishing scams is that the attackers typically never even try to log in to the victim’s bank account. The entirety of the scam takes place over the phone, with the caller talking the victim into handing over the credentials, one-time codes or personal details needed to do the real damage later.

We don’t know what the fraudsters behind this clever hybrid SMS/voice phishing scam intended to do with the information they might have coaxed from Stevens’ daughter. But in previous stories and reporting on voice phishing schemes, the fraudsters used the phished information to set up new financial accounts in the victim’s name, which they then used to receive and forward large wire transfers of stolen funds.

Even many security-conscious people tend to focus on protecting their online selves, while perhaps discounting the threat from less technically sophisticated phone-based scams. In 2020 I told the story of “Mitch” — the tech-savvy Silicon Valley executive who got voice phished after he thought he’d turned the tables on the scammers.

Unlike Stevens’ daughter, Mitch didn’t hang up on the suspected scammers. Rather, he put them on hold. Then Mitch called his bank on the other line and asked if their customer support people were in fact engaged in a separate conversation with him over the phone.

The bank replied that they were indeed speaking to the same customer on a different line at that very moment. Feeling better, Mitch got back on the line with the scammers. What Mitch couldn’t have known at that point was that a member of the fraudster’s team simultaneously was impersonating him on the phone with the bank’s customer service people.

So don’t be Mitch. Don’t try to outsmart the crooks. Just remember this anti-fraud mantra, and maybe repeat it a few times in front of your friends and family: When in doubt, hang up, look up, and call back. If you believe the call might be legitimate, look up the number of the organization supposedly calling you, and call them back.

And I suppose the same time-honored advice about not replying to spam email goes doubly for unsolicited text messages: When in doubt, it’s best not to respond.

Create A Home Spa For Kids

As parents, you can offer your kid a safe and calm experience in which they can pamper themselves. Kids are very sensitive to the environment around them. If they are surrounded by love and tenderness, with no noise around them, they tend to blossom immediately.

Home spas are perfect for soothing babies as well as older children. It allows them to explore new territories and enhance their creativity and imagination, giving them a sense of balance between mind, body, and spirit.

You can create a relaxing atmosphere for your kids that will have them wanting to take a bath every night! Have fun and try some of these ideas to make a home spa for kids!

How To Start?

The first thing you need to do is find a place in your house (or backyard) where everyone will feel comfortable and relaxed. This place should be spacious enough to fit a table, two chairs, and some plants. If your bathroom is big enough, it will also do: since it’s not only roomy but also watertight!

Next, it’s time to decorate the room for the home spa for kids! Decorate the room with glowing candles placed in safe holders out of reach from little hands or children under three years old. You can buy special candleholders with prongs sticking straight up, so it won’t spill everywhere if they knock it over.

The same goes for potpourri – use a dish that can’t be easily knocked over and mix it with water, so it stays fresh longer. For music, be creative and pick tunes that will calm your child’s nerves after a long day of school and playing.

What will you need?

Here is what you need for creating a home spa for kids:

  • Bathing supplies: You’ll need to get some special accessories for your bathroom that make kids want to scrub up.
    • First, buy some fun flavored bubble baths that your child can choose from.
    • Next, get bath paints for them to doodle with while in the tub.
    • Get a special bathtub sponge that is gentle on the skin. Add bubbles to create a fantastic foam experience.
    • Use organic products that won’t dry out their skin. Look for items that are formulated for children’s delicate skins.
  • Towels and robes: Choose plush cotton towels and robes with hoods to keep them cozy after stepping out of the tub. Keep towels and robes together in baskets by the door, so they are easy to grab when you need them.
  • Haircare products:
    • You’ll need to purchase some extra shampoos and conditioners for your little ones.
    • You’ll also need a detangler and a leave-in conditioner for those wayward curls that seem to have a mind of their own.
  • A comfortable chair for kids or kids’ stool: You need to sit your child comfortably while they’re getting pampered!
  • Some aromatherapy oils to add to the water for a relaxing experience.
  • Bath toys: Kids love fun bath toys that let them play with bubbles. Think about adding some glow-in-the-dark or light-up floating bathtub toys for a more exciting experience. You can even include some floating rubber ducks!
  • Last but not least, purchase child-safe nail polish so you can paint their nails before bedtime. If your child is afraid of the dark, these sparkly colors will look beautiful under the moonlight.

Perfect Home Spa Routine

Now it’s time to get your child into a healthy home spa routine.

1. Relaxing bath

Fill up the tub with warm water and add aromatherapy oils to create a fantastic experience – lavender is very calming for children. Add some bath paints so they can doodle on the tub while they’re taking a bath. Allow them to play with their favorite toys in the water. Finally, when you’re all done with the washing up, help them wrap themselves in plush cotton towels and put on fresh pajamas.

2. Haircare

Wash their hair with a special shampoo and conditioner formulated for kids. Apply some leave-in conditioner and detangler, and then brush their hair with a special children’s brush. After that, you can even style their hair if they want it fixed in braids, ponytails, or piggy tails!

3. Manicure

You can create an amazing spa experience for your child with a few simple steps.

First, start by applying some hand cream so they won’t get dry skin on their hands. Then apply nail polish to their nails – colors can vary depending on your child’s preferences! Finally, use some cotton swabs dipped in nail polish remover to clean around the cuticles of each fingernail.

4. Time for a pedicure

During pedicure time, you can use the same steps, but make sure to add some special bath salts to get rid of calluses and deodorize your child’s feet. Finish with a foot cream applied directly onto their soles.

You can also go a step further and prepare your kid’s personal foot spa kit! You’ll need a pair of children’s skin-friendly foot socks, a small bowl with warm water, a bottle of baby oil, and a handful of coarse salt with eucalyptus oil.

You can even invest in a kids’ pedicure chair – talk about an authentic salon experience! The Happybuy Hydraulic Lift Adjustable Spa Pedicure Chair will be perfect for this task.

The Happybuy pedicure chair (Sponsored) is made of high-quality PU leather, so your kid will feel like they’re sitting in an authentic salon chair. It tilts, swivels, and adjusts to different positions (even flat!), which means you’ll be able to sit on this chair even if you’re taller than 230 cm / 7 ft. You can also adjust the backrest into multiple positions that are good for different body types or even to catch a quick nap!

Once you have everything ready, soak your kids’ feet in the warm water for about 10 minutes. Then add a few drops of eucalyptus oil and massage their feet with oil to soften dry skin. Finally, wrap their feet in the foot sock and sprinkle some salt around it. After 10 minutes, you’ll get to remove the socks and scrape off any dead skin with a pumice stone – talk about at-home pedicure!

5. Something extra

Every now and then, let each child pick one particular item from the spa menu. They can choose a fruit platter with all their favorite treats, or they can sleep in a sleeping bag filled with fresh lavender for ultimate relaxation!

Your home spa will be a fantastic experience that will teach them how to relax after spending long days outdoors. So don’t forget to splurge on some child-friendly treatments every now and then!

Get pampered!

And there you have it! Your kid’s home spa will be the envy of all of your child’s friends. If they invite their friends over to use it, make sure that you are present for all of their baths so you can monitor how much time they spend in there and what kind of antics take place while no one’s looking. Just remember to have fun with it and enjoy those quiet moments of pampering your child after a long day from school!

The post Create A Home Spa For Kids appeared first on Comfy Bummy.

Microsoft Patch Tuesday, November 2021 Edition

Microsoft Corp. today released updates to quash at least 55 security bugs in its Windows operating systems and other software. Two of the patches address vulnerabilities that are already being used in active attacks online, and four of the flaws were disclosed publicly before today — potentially giving adversaries a head start in figuring out how to exploit them.

Among the zero-day bugs is CVE-2021-42292, a “security feature bypass” problem with Microsoft Excel versions 2013-2021 that could allow attackers to install malicious code just by convincing someone to open a booby-trapped Excel file (Microsoft says Mac versions of Office are also affected, but several places are reporting that Office for Mac security updates aren’t available yet).

Microsoft’s revised, more sparse security advisories don’t offer much detail on what exactly is being bypassed in Excel with this flaw. But Dustin Childs over at Trend Micro’s Zero Day Initiative says the vulnerability is likely due to loading code that should be limited by a user prompt — such as a warning about external content or scripts — but for whatever reason that prompt does not appear, thus bypassing the security feature.

The other critical flaw patched today that’s already being exploited in the wild is CVE-2021-42321, yet another zero-day in Microsoft Exchange Server. You may recall that earlier this year a majority of the world’s organizations running Microsoft Exchange Servers were hit with four zero-day attacks that let thieves install backdoors and siphon email.

As Exchange zero-days go, CVE-2021-42321 appears somewhat mild by comparison. Unlike the four zero-days involved in the mass compromise of Exchange Server systems earlier this year, CVE-2021-42321 requires the attacker to be already authenticated to the target’s system. Microsoft has published a blog post/FAQ about the Exchange zero-day here.

Two of the vulnerabilities that were disclosed prior to today’s patches are CVE-2021-38631 and CVE-2021-41371. Both involve weaknesses in Microsoft’s Remote Desktop Protocol (RDP, Windows’ built-in remote administration tool) running on Windows 7 through Windows 11 systems, and on Windows Server 2008-2019 systems. The flaws let an attacker view the RDP password for the vulnerable system.

“Given the interest that cybercriminals — especially ransomware initial access brokers — have in RDP, it is likely that it will be exploited at some point,” said Allan Liska, senior security architect at Recorded Future.

Liska notes this month’s patch batch also brings us CVE-2021-38666, which is a Remote Code Execution vulnerability in the Windows RDP Client.

“This is a serious vulnerability, labeled critical by Microsoft,” Liska added. “In its Exploitability Assessment section Microsoft has labelled this vulnerability ‘Exploitation More Likely.’ This vulnerability affects Windows 7 – 11 and Windows Server 2008 – 2019 and should be a high priority for patching.”
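As an added check, not from the article: the PowerShell below is the kind of per-host inventory an administrator can run (or push through patch tooling) to confirm this month’s updates have actually landed and to record how exposed the box is over RDP, which is the context Liska’s comment calls for when prioritising CVE-2021-38631, CVE-2021-41371 and CVE-2021-38666. It assumes Windows 8.1 / Server 2012 R2 or later, an elevated session, and 9 November 2021 as the Patch Tuesday date; Get-HotFix only lists Windows Update packages recorded in Win32_QuickFixEngineering, so an empty result means “not via Windows Update”, not necessarily “unpatched”.

```powershell
# Added example, not from the article: per-host patch and RDP exposure check.
# Assumptions: Windows 8.1 / Server 2012 R2 or later, run from an elevated PowerShell
# session, and 9 November 2021 as this month's Patch Tuesday date.
$PatchTuesday = Get-Date '2021-11-09'

function Get-PatchStatus {
    # Get-HotFix reads Win32_QuickFixEngineering; the monthly cumulative update
    # appears there with its KB number once it has been installed.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
        Sort-Object InstalledOn -Descending
    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        OSVersion     = [Environment]::OSVersion.Version.ToString()
        RecentUpdates = @($recent | ForEach-Object HotFixID)
        NeedsPatching = (@($recent).Count -eq 0)
    }
}

function Get-RdpExposure {
    # fDenyTSConnections=1 means Remote Desktop is switched off; UserAuthentication=1
    # means the RDP-Tcp listener requires Network Level Authentication.
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny   = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla    = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $listen = @(Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        RdpEnabled    = ($deny -eq 0)
        NlaRequired   = ($nla -eq 1)
        ListenerBound = ($listen.Count -gt 0)
        ListenAddrs   = @($listen | ForEach-Object LocalAddress)
    }
}

$patch = Get-PatchStatus
$rdp   = Get-RdpExposure
$patch | Format-List
$rdp   | Format-List

# Triage rule: an unpatched host that accepts RDP without NLA goes to the top of the list.
if ($patch.NeedsPatching -and $rdp.RdpEnabled -and -not $rdp.NlaRequired) {
    Write-Warning "$($patch.Host): no updates since $($PatchTuesday.ToShortDateString()) and RDP is reachable without NLA."
}
```

The RDP client bug (CVE-2021-38666) is the other way round: it matters on any machine whose users connect out to RDP servers they do not control, so the listener check above says nothing about it, and the patch check is the only line that applies.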

For most Windows home users, applying security updates is not a big deal. By default, Windows checks for available updates and is fairly persistent in asking you to install them and reboot, etc. It’s a good idea to get in the habit of patching on a monthly basis, ideally within a few days of patches being released.

But please do not neglect to backup your important files — before patching if possible. Windows 10 has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. There are also a number of excellent third-party products that make it easy to duplicate your entire hard drive on a regular basis, so that a recent, working image of the system is always available for restore.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience any glitches or problems installing patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may offer useful tips or suggestions.

Further reading:

SANS Internet Storm Center has a rundown on each of the 55 patches released today, indexed by exploitability and severity, with links to each advisory.

Revolutionize Incident Response and Endpoint Management with Remote Script Orchestration

A successful cyber attack can compromise your data and cripple business operations within mere hours or even minutes. Therefore, the speed with which your organization can contain and recover from an attack is critical to limit business disruption and reduce financial costs. Delays during investigation and remediation leave organizations highly vulnerable to security risks.

SentinelOne Remote Script Orchestration (RSO) allows enterprises to investigate threats on multiple endpoints across the organization remotely and enables them to easily manage their entire fleet.

It lets incident responders run scripts to collect data and remotely respond to events on endpoints. They can collect forensic artifacts, execute complex scripts and commands, install and uninstall IR tools and more on hundreds of endpoints simultaneously—Windows, Mac, and Linux—via the UI or API, to simplify forensic data collection and accelerate triage.

How Remote Script Orchestration Works

Remote Script Orchestration includes a Script Library from SentinelOne with scripts for all platforms. Customers can run remote scripts via multiple points from the console. Regardless of whether a single endpoint is compromised or multiple endpoints are associated with a threat or a group of machines that need to be investigated, RSO is available from different entry points to serve the user’s diverse needs.

  • Script Library

  • Alerts

  • Sentinels

How Can SentinelOne RSO Help Enterprises?

  1. Enable Power Forensics
    When it comes to cyberattacks, time is crucial. Instantaneous access to an infected machine is valuable but not enough. No SOC analyst wants or has the time to access hundreds of infected machines, one by one, to collect all relevant artifacts and conduct an investigation.

    With RSO, SOC analysts can run scripts on hundreds of endpoints simultaneously to collect anything needed for an investigation with a click of a button. RSO enables Incident Responder teams to jump start investigations with security event logs, running services, scheduled tasks, network connections, connected removable media, memory analysis, and more. New scripts can be easily created and added to the library to collect whatever is needed from remote machines.

  2. Rapid Attack Containment
    Using RSO, IR teams can quickly identify and investigate the chain of events and immediately respond to identified attacks. In addition to the existing response actions available from the Singularity platform, IR teams can use RSO to take immediate response actions to promptly contain threats in real-time—terminate processes, remove files, delete directories, disable local users, and more.
  3. Simplify Vulnerability and Configuration Management
    Customers don’t need to manage vulnerabilities and configurations by deploying and managing a range of tools. Security teams can use RSO to rapidly identify vulnerabilities and misconfigurations across their entire fleet. They can harden endpoints by deploying packages using custom scripts and thus reduce the attack surface.

    RSO lets customers unify management activities within a single agent and console to perform assessments, remediation actions, reporting, and audit preparation from one platform.

  4. Automate Response Capabilities
    The timing and effectiveness of your response are critical when your organization is under attack. RSO integration with Storyline Active ResponseTM enables customers to take automated response actions. It allows enterprises to incorporate custom detection logic and immediately push it out to their entire fleet, to quickly remediate threats. Automated response workflow dramatically reduces the time to remediation and the impact of attacks.

Designed and built in close partnership with some of the world’s leading incident response providers, RSO delivers on SentinelOne’s commitment to a holistic approach to cybersecurity, arming security analysts with technology that does more of the work for them. RSO is also designed to be used by people with different skill sets.

  • Non-technical users can use the existing out-of-the-box script library, which contains everything needed for an investigation. With a few simple clicks all the needed data is at their hands.
  • Moderately technical users can write simple scripts or modify existing scripts to customize them for whatever they need. There is no need to write a script from scratch.
  • Highly technical users can write their own scripts and upload them to the library to be shared and used by other employees.

Putting RSO to Work In Your Organization

SentinelOne RSO gives security operations teams instantaneous access to thousands of machines. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real-time. SentinelOne RSO can be tailored to suit your organization to fit a variety of use cases such as:

  • Zero day threat detection
    RSO can be used to quickly determine if your organization is vulnerable to an attack or to identify endpoints affected by the latest zero day threats. For example, when a script is published that checks for a newly disclosed vulnerability, incident responders can run it fleet-wide to determine whether the enterprise was impacted. This gives you the power to take immediate response actions to promptly contain identified threats in real-time.

  • Customize and build optimal IR tools for intel gathering
    Different teams often have different needs and requirements to collect various forensic artifacts for deeper investigation. SentinelOne RSO has granular capabilities that can be customized to let responders use pre-built scripts or use readily available scripts and tools that automate the gathering of common information like Autoruns, File Hashes, and ARP Tables.

SentinelOne RSO is a powerful tool that opens endless possibilities for enterprises. Responders can run scripts at scale to collect data and respond to events on endpoints, run scripts directly from the console or via command-line interface to automate response actions; basically, if you can think about it and script it, it is possible.
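To make the artifact lists in “Enable Power Forensics” and “Customize and build optimal IR tools for intel gathering” concrete, here is a triage collector of the kind a team might write and upload to a script library. It is an added illustration, not a script from SentinelOne’s own library, and it assumes a Windows 8.1 / Server 2012 R2 or later endpoint with the script running as SYSTEM or an administrator (which is how an orchestration agent would normally run it). It gathers services, scheduled tasks, network connections, the ARP table, attached removable media, Run-key autoruns, recent logon events from the Security log and SHA-256 hashes of running process images, writes each as JSON, and seals the bundle with a hashed manifest so the collected evidence is tamper-evident.

```powershell
# Added example of a fleet-wide triage script; not SentinelOne's library code.
# Assumptions: Windows 8.1 / Server 2012 R2 or later, run as SYSTEM or an administrator.
param(
    [string]$OutDir = (Join-Path $env:TEMP ("triage-" + $env:COMPUTERNAME + "-" + (Get-Date -Format 'yyyyMMddHHmmss')))
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Save-Artifact {
    # Serialise one artifact class to <name>.json; an empty collection becomes "[]".
    param([string]$Name, $Data)
    $items = @($Data | Where-Object { $null -ne $_ })
    ConvertTo-Json -InputObject $items -Depth 4 |
        Set-Content -Path (Join-Path $OutDir "$Name.json") -Encoding UTF8
}

# Running services with binary path and account: unusual PathName/StartName pairs are a classic persistence tell.
Save-Artifact 'services' (Get-CimInstance Win32_Service |
    Select-Object Name, State, StartMode, PathName, StartName)

# Scheduled tasks flattened to "exe args" so they grep well across hosts.
Save-Artifact 'scheduled_tasks' (Get-ScheduledTask | ForEach-Object {
    [pscustomobject]@{
        Path    = $_.TaskPath
        Name    = $_.TaskName
        State   = [string]$_.State
        Actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    }
})

# TCP connections with the owning process name resolved.
Save-Artifact 'network' (Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } })

# ARP cache (IPv4 neighbours).
Save-Artifact 'arp' (Get-NetNeighbor -AddressFamily IPv4 |
    Select-Object ifIndex, IPAddress, LinkLayerAddress, State)

# Removable media currently attached (DriveType 2).
Save-Artifact 'removable_media' (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' |
    Select-Object DeviceID, VolumeName, Size)

# Autoruns: the classic Run/RunOnce keys for machine and current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
Save-Artifact 'autoruns' ($runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
})

# Security log: logon successes/failures (4624/4625) from the last 24 hours, first message line only.
Save-Artifact 'security_events' (Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-1)
    } | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } })

# SHA-256 of every distinct running process image, ready for IOC matching.
Save-Artifact 'process_hashes' (Get-Process | Where-Object Path | Sort-Object Path -Unique | ForEach-Object {
    $hash = Get-FileHash -Algorithm SHA256 -Path $_.Path -ErrorAction SilentlyContinue
    [pscustomobject]@{ Name = $_.ProcessName; Path = $_.Path; SHA256 = $hash.Hash }
})

# Manifest: who collected what, when, and the hash of each artifact file.
$files = Get-ChildItem -Path $OutDir -Filter '*.json' | ForEach-Object {
    [pscustomobject]@{ File = $_.Name; SHA256 = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash }
}
ConvertTo-Json -Depth 3 -InputObject ([pscustomobject]@{
    Host      = $env:COMPUTERNAME
    Collected = (Get-Date).ToString('o')
    RunAs     = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    Files     = @($files)
}) | Set-Content -Path (Join-Path $OutDir 'manifest.json') -Encoding UTF8

# Single ZIP per host so the orchestrator can fetch one object per endpoint.
Compress-Archive -Path (Join-Path $OutDir '*') -DestinationPath "$OutDir.zip" -Force
Write-Output "$OutDir.zip"
```

The one output line is the bundle path, which is what an orchestration layer would pick up and retrieve. The manifest hashes are computed on the endpoint, so they prove the bundle was not altered after collection, not that the endpoint itself was honest; a compromised host can lie to its own collector, which is why the script records the process image hashes rather than trusting process names.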

Conclusion

Legacy tools and endpoint products still require people to manually execute commands on each machine across the network individually. The sheer amount of data, devices, and workloads in today’s enterprise environments makes IT and security operations simply too big, too vast, and too fast for humans alone to deal with.

SentinelOne RSO enables security and IT teams to remotely execute customizable remediation and response actions on the entire estate across every operating system, enabling rapid containment. SentinelOne RSO is the only remote orchestration solution on the market that, in the same platform as an industry-leading EPP, EDR, and XDR, supports macOS, Windows, and Linux environments.

If you would like to learn more about RSO and the SentinelOne XDR platform, read the RSO Solution Brief, contact us for more information, or request a free demo.