Loading summary
A
A info stealer today was a password stealer 25 years ago. Same shit. It's. Nothing's changed. The only difference is methodology, the modus operandi, jargon and the tools. Hector Monseager was responsible for some of the most notorious hacks ever committed. Special Agent Chris Tarbell and FBI informants
B
participated in some of the world's most
A
infamous hacks that caused up to $50 million in damages.
B
A life in the shadows.
A
Cyber attacks on the rise.
B
Welcome to Hacker in the Fed. I'm Chris Tarbo, former FBI special agent. Worked my entire career in cyber security. And I'm joined as always by my friend and podcast co host, Hector Monsegor. Hi Hector.
A
Hi, buddy.
B
Hey, how are you today?
A
Hey. Pretty good. I'm chilling, see, hanging out.
B
Hector's a former black hacker who once faced 125 years in prison for his many years of hacking under the codename Sabu. Our stories collided in June 2011 when I arrested Hector and then convinced him to work with me at the FBI. Hector is now a Red teamer, researcher, cybersecurity expert, great guy. And co founder of Sefill.
A
Hey, listen, that was a beautiful introduction. I appreciate that. That was great.
B
I appreciate you.
A
Oh, thank you. Appreciate you too, brother. How you doing there?
B
All right now, enough of this huggy kissy poo poo stuff.
A
Oh, you don't want to kiss or hug or anything?
B
How the hell you doing?
A
I'm doing okay. I'm chilling. I've been working and grinding and, you know, just.
B
Working on what? What's the latest thing coming out of Safill? Is something good you're working on or is it all crazy?
A
Well, if you guys want some nerd stuff, I could give you a rundown. So part of what I do, right, I am always researching it, hence my title, the Chief Research Officer. So I'm always researching different things, technologies.
B
Your title, CRO is Chief Research Officer.
A
Yeah.
B
Oh, I. I thought the R was something different. Sorry. Wow.
A
Wait, whoa, whoa. We thought the R was brother.
B
I guess research. I. I don't know.
A
Yeah. Yeah.
B
Well, all right. Research. Yeah, that makes sense. So what have you researched over there at Sefill these days?
A
Well, so part of my day to day is just to kind of look at the market, look at what people need. I'll sit there with Cecil. So this, by the way, if any see so's listening. Or if you're in the executive side of your business, feel free to add me on LinkedIn. We could have a conversation and you know, I Promise I won't try to sell you anything. But I like to have conversations with executives because they tend to offer me problems. And those problems, I get to sit down and think of solutions, a way to kind of deal with them. You know what I mean?
B
Sure.
A
So right now what we're doing is we had several customers mentioned to us, hey, you know what would be cool? There is a potential or possibility that one of my 50,000 employees could fall for something like an info stealer one. Yes. It would be great if you can notify us as soon as you see it, which we do. Right. We already do that today. But you know what would be even greater, Hector? If you could autonomously validate those credentials. Meaning if the credential pops up in your space, can you, like in an event driven process, immediately, then take those credentials and then try to log into our VPN or our endpoints. What if there's a D. FS portal or something like that? Anything. Right. Are you able to log in? Are you able to circumvent MFA if it exists or not, and then put together a report for us and kind of generate that to us and then alert us of the facts? So those are the kind of things that we're constantly looking at and developing. And now with like agentic AI, all these cool tools, we're able to do that pretty quickly, you know, adding new features to the platform based off of problems that I'm hearing. So that's kind of what I'm up to. Oh, nerd stuff.
B
That is nerd stuff. You were right when you said that.
A
Yeah, I gotta give a warning. You know what I mean?
B
So how many sisos can you talk to in one day? Did you get a feel of it? It's like one a day. A good goal. Or is like a three or four? Like. Or do you enjoy it? I, I said I, I sort of baited the question, saying that it was sort of a negative thing.
A
No, it's not negative. It. Well, look, it's negative if the person you're talking to has zero interest in maturing the security program. Right. All they care about is the quick. Can we, can we, can we just get some quick wins? Which is still fine, but they're not looking at the bigger problem or the bigger problems. Okay. And so, and then, you know, I'll come back, I'll speak to them. Six months later and they're still asking the same question. Which means, yeah, they did not listen to what I was saying. Did they not look into the solutions I provided them or you know, they, they're not trying to even solve the problem. They just want you to kind of figure out a way to, to, to make them feel better. And there's a lot of that, believe it or not, there's a lot of that. I'm not sure why that's a thing, but it is. So going back to your question, I could probably do like a solid three to four a day, hear their problems, have those conversations, make some notes and then get back to them on solutions or ideas. You know, I've done it. There was, there's a concept this, this for the audience here if you guys want to get into like startups and you want to start your own business. As someone that started my own business later in life, you know, in my late 30s, that I had to learn new concepts, things like jobs to be done. Right. Jobs to be done is like, let's say you have a meeting with a C or, or prospective customer and you say, you know, you guys are going back and forth on, you know, what are your problems, what are the things that bother you, what are the things that concern you? They're like, yeah, well, I need to do this, I need to do that, this. And by the way, what you're offering might be able to solve one and three, but two is still an issue. Then you take that information, you take the results of that and then you start working around it whether it's viable for you to implement or what have you. Right? It's a process, but communication is key. You have to have it wait.
B
You don't just tell them that the solution you already have is plug and play and can solve all their problems.
A
There is no solution on the planet that could solve all your problems. You know what I mean?
B
I don't know. I've heard a lot of salesmen tell me that before.
A
Well, that's the problem with the sales industry, right? They're, they're just trying to make a quick sale and get a commission. But that's not how you build long term relationships. You could probably get a few customers like that right off the rip and it might work for you, make some good commissions. Guess what? Your career is not going to last long, right? Your career is going to get stagnated at some point. Then you have to figure out what we're talking about today. And what we talk about today is being able to provide like long term solutions to people. It's actually going to help them. You know what I mean?
B
So speaking of talking to Sisos, we had a wonderful conversation yesterday. With a CISO that we happen to record, that's good. A major CISO that's been in the industry a long time that wants to stay, stay anonymous. And so we need to do a little bit with the audio to change things around and disguise the voice and all that. But really going to be eye opening for the hacker in the Fed audience to hear really what the insight for somebody that's been on the side and this CISO was really freaking honest.
A
Very honest. It was pulling back the curtains.
B
Look at, pulled the meat curtains. Right?
A
Pull the meat curtains right back. But it shows you the importance of being able to give someone a platform where they could speak freely. You know the, the concept behind anonymization is beautiful, right. At least for that. And so what we got from this gentleman was look at you now.
B
You gave away half of it. Could be you gave away half of the people right now.
A
Well, it's unfortunate that most CSOs in the United States are male. So I mean I'm sure people could
B
deduce that you give it a location and the sex. Wow. Why don't you just give it the name away?
A
Well, it just so happens there's only 200 countries on the planet and you know what just happens to be the one that we're in right now. And all jokes aside, right. I think it was a fantastic conversation to have from someone that was willing to speak honestly about the problems that CESO face, the problems that they had to deal with. And I was able to throw little things in there because I, I, I've learned enough from speaking the CESOs that a lot of their problems go back to the board. You know, whether it's budgetary, whether is language, you know how crazy it is, Chris, when you are an executive at a business and you're expected to speak in a different language that you don't really speak on a day to day. Meaning metrics roi. When you look at a Cecil for, for any company on the planet, their job is to enforce policy, validate it, bring in tools, put together security teams, none of which generate revenue. So when you speak it to a board that just wants to hear about revenue and it's about spending money, guess what? Your enemy number one, Public enemy number one, your Persona non grata, essentially. So, so it's a great interview.
B
It was a great interview. I, you know, even though, you know we did it, it was still good,
A
but I think did a great job.
B
I think it's going to be a series. I think the this wants to come back On I think we're going to do another one with our questions and I think we should put it out there to the audience if they have questions they want honestly answered about the ciso. And you don't have to ask questions like, you know, how do I get in the industry? We covered that. We know you guys want to hear about that. So that we did that one already. But real questions too. If you ever want to ask a CISO question and what it's like and some of the things they, they hit us, hit us up at questions@hackerthefed.com and we will make this at least a three part series because I, I know the CISO, he hit me up already a couple times telling about how much fun he had and how great it was and how it was nice to be anonymous and be able to answer these things honestly and not have to protect things. But no matter what you ask us, we'll, we'll see what we can ask, but we will not reveal the identity. So no, it's not gonna be what we do. So. But I think it's gonna be a great show. I hope we can have it out next week. I hope it's next week's episode. So Hector and I'll come on, do a little banter and then we'll put the interview on. Probably be an extra long show because I think the interview was, man, it was at least 75 minutes.
A
Yeah, it was a solid hour of content. And, and of course it went a little bit above, like Chris said, between 60 and 75 minutes. There was a lot there to digest. And I think that we just, it was introductory meaning we got into like the, the beginning of the conversation. This is obviously a three hour conversation. You know, I think honestly, you know, as much as like, you know, Joe Rogan irks me these days, you know, his format would have been perfect for this, you know, nice three hour non stop, you know what I mean?
B
Can't stay anonymous though. That's the problem.
A
That's the problem.
B
Doesn't offer that.
A
No, no, no, no. So plus it would be bad optics. You know, if you're watching this, a guy with a, know a black sheet over them or whatever, it's crazy.
B
Yeah. And people, I'm sure people are somewhat against the anonymous part. Sure. Because, you know, oh, what are you hiding? Well, you have a job, job and you got stock. You know, there's people that, there's stockholders, there's, you know, the board, There's a whole bunch of stuff that some of these answers You. You can't answer honestly. You have to. You have to have guarded answers. But I don't think that was the case in our interview. So it was good.
A
Yeah, Fantastic. Well, I can't wait to hear it, and I can't wait for the audience to get. Give us feedback. For sure.
B
Yep. That being said, guys, if you want to help us out, join the Patreon. We just finished the Patreon episode. Kind of interesting back and forth on the Patreon today, but it was good.
A
I enjoyed it.
B
Yeah. Had a good time. The merch store is up. Hacker in the fed dot com. Go there to get your hacker in the Fed merchandise. There's some feedback on there. If you guys want to reach out to us and tell us you want this shirt in a certain color or you want a certain saying, we're just getting it started, getting it back up. The standard stuff's up there. But there's a way of contacting us on there too. But support the show. Get your merch, guys. Again, we're keeping commercials off the free show, and we will do whatever we can do to. To keep those commercials going, but keeping the show going. So appreciate all the support and definitely the. The.
A
The Patreon episode was great today because we got to hear one thing we never really heard from Chris, that is his complete endorsement of Don Lemon. It was fantastic.
B
Oh, yeah, that's true.
A
It was a good one.
B
But I mean, your spicy language about how much you support Hitler in his ways was crazy.
A
No, no, no.
B
You, You.
A
We're not going that far. We're not going that far.
B
Real spicy take on that, Hector. Our first story is Team pcp. Worm exploits cloud infrastructure to build criminal infrastructure. So Team PCP, also known as. What is that? Dead Cat X3. I don't know. PCP Cat A bunch of other.
A
They operate random names.
B
They operate a large scale worm campaign targeting misconfigured cloud environments. Their primary goal was to compromise systems to build a distributed criminal infrastructure for proxy services, data, data exfiltration, ransomware, facilitation, extortion, and crypto mining. What do you think about what these guys got going on?
A
Yeah, well, look, we've talked about, and we covered before the dangers of having, you know, mass. This is an attack vector and it's accessible in mass. Then the consequences. You would have an adversary or adversaries, in this case, an adversarial group put together or develop code that would automate and distribute and act as a worm. Similar to the Morris worm of the 1980s. Right. And code red and code blue in the 2000s. And that's exactly what we have here. We have an adversarial group that identified a number of different vulnerabilities specific to cloud. Looking at things, issues with kubernetes and looking at issues with misconfigured docker APIs and so on, and then accessing them and distributing malware, creating proxy networks, and then of course, ransomware exfiltration. It makes sense. We've seen little components of this before. But the reason why these guys kind of blew up is because the scale of it, how far they got, and how many victims they had involved.
B
I'm seeing victims being reported in Canada and South Korea and UAE and the United States. Are they, are these corporate victims or are these personal, individual victims or is it just one of the above?
A
Yeah, it's widespread. Is all of the above. The idea here is to get as far as you can and spread as wide as possible. And, and you gotta look at the, like the, the key exploitation targets, right? You're looking at docker APIs, Kubernetes, clusters, you have RAID dashboards. Ray is actually pretty cool. You have Redis servers, Redis servers are misconfigured, no password authentication. And then of course, specific vulnerabilities like react to shell react servers that were vulnerable to like authentication bypass. You know, you take all of those combined and then you use something, a shodan, a census, or you do a mass, kind of the entire Internet. You'll be able to create a, essentially a blueprint of all your targets and exploit them in mass and create a
B
network, you know, but how much data you generate when you're running these mass scans of the entire Internet, like how are they, how are they calling through all this information?
A
Yeah, so it would make sense for them to leverage like a third party data lake, something like a census or shodan, because those scans have already done. They might be outdated. Outdated by a week, outdated by a month, but they exist on the lens nonetheless. And those vulnerabilities are those vulnerable hosts are going to be there for the taking. When you do a full scan of the Internet, everybody sees it, including our friends. Gray Noise are similar. You can have all sorts of detective systems seeing all this activity. And yes, it's a lot of traffic, Chris. There's a lot of probing, there's a lot of noise, a lot of mass scanning. And honestly, you know, it's, it's very detectable. This is why there's multiple reports in this exact group.
B
So they do a scan, the, they come Back they find the misconfiguration. What's their next step? How are they, what are they doing to get in?
A
If they identify an attack path, or rather an attack vector, then they're going to try to leverage that vector to get some sort of access to the underlying file system. Once they get access to the file system or essentially the operating system, they'll be able to run commands, infect the machine with their tools. The tools would include things like miners, like cryptographic or cryptocurrency miners. They'll have proxying software, they will have sniffers for sniffing traffic. It's really a mix of things. Now, once they get the targets, they want the ones that are juicy, they'll put a C2 server or connect it to a C2 server and then control it remotely. If they find a bunch of random targets that are not really useful to them, then they'll create a network of proxies that they can leverage in further attacks. And that's kind of how they're kind of. Their modus operandi is nothing. Nothing crazy. But again, these are things to be mindful because there's a lot of you listening right now that either develop and, or have developers, you guys are pushing out or deploying software applications, EC2S instances. You're posting up a Reddit server because you have to do a quick development project. And essentially what you're doing is you're giving these adversaries the potential for pivoting. Okay? And that's a problem.
B
And so what are people going to do to protect themselves from this? How do you, how do you figure out what's going on and how do you block it from you becoming a victim?
A
Well, they have to have strict policies on how they're deploying. If they, if you had to deploy an EC2, you gotta make sure on a. Since EC2s are correlated to AWS, for those that don't know, EC2 is essentially like virtual machines, VMs, right? If you're gonna deploy a virtual machine on an AWS infrastructure or Google Cloud or digital ocean, etc. Then you have to make sure that only you should be able to access said, you know, machine and services. You have to set up, you know, you know, some sort of firewall rules or ACLS access control list that would allow you to access them. If it's all set to zeros, that means anyone on the Internet could access those services and thus you're opening it up to potential compromise. Right? So you have to be aware of your policies, strict them or strengthen Them you have to validate your findings are legitimate. Sometimes it's easy to make a mistake and deploy a server that's sensitive. With open firewall rules, you don't want to do that. So you have to constantly validate and make sure that what you're doing is proper. And then of course, you know, if you have to deploy things that are sensitive to the Internet and you're not setting up ACLs, you're not setting up firewalls, then clearly you're doing it wrong. And you should have to probably reconsider what you're doing and how your deployment's looking. And maybe you should put that behind a VPN or on your internal network rather than on the Internet itself.
B
How difficult is an API exposure audit?
A
It depends. So when we have customers come to us at Seifo and like, they're like, hey, we have a web application, it has like a thousand API endpoints we want you into, we want you guys to engage it and we want a really heavy discount. We want to do this really quickly. We have to push back a little bit. Say, look, you have 1000 API endpoints.
B
Is that a lot?
A
That is a lot, yeah. Most web applications are maybe a couple dozen max add users, one API delete users, another API modify account is another API. So each individual function of your application probably has an API endpoint. And so, and not all cases, by the way, you can have one API endpoint. But now if you're pushing a thousand, which some websites do, some websites applications do have, then you need to be able to provide documentation in API documentation in like a swagger or open API format so that your assessors could properly engage and understand the nuances and context of those API endpoints. Two, you got to give your assessors time. If you have 1,000 endpoints, do you really want your team, your assessor, your vendor to try to rush to a thousand endpoints in about a week's time? Remember, you have, you have the initial, you know, discovery process on day one, you have to do research. Day two, day three, day four, you have to start wrapping up and day five, you have to finish your report. Five days to a thousand endpoints is not realistic. So you have to dedicate time and resources to do a proper audit.
B
Is it a hands on approach or is it an automated tool or I know, you know, even if you use an automated tool, I know you need hands on to at least, you know, go through the data itself, you know, and understand what the output of the tool is. But, but is it, is it you're not. Are you inputting a thousand individuals by yourself?
A
My, my opinion is that the best approach is, could be a hybrid approach.
B
Okay.
A
You're going to train your, your, your tool, whether it's Burp Suite or whatever, to, and configure it in a way that's gonna help you kind of, you know, automate some of the heavy lifting. Okay. But there's gonna be a lot of times where you're going to be doing manual work. All right? This, you could probably automate 80% of it, but the other 20 is validation. The human side. Looking at context. Now, with agentic like AI bots, you could probably automate 90% of it. The last 10% is the final validation. Human validations reporting documentation that AI can still help you with, but you still need a human involved. You can't do that. 100% automation, it's not going to work.
B
And what sort of things are you seeing when you do these API exposures or like, is it just a mistake made by people that implemented it or is it, yeah, misconfigured maliciously? What are you seeing most of the time?
A
I'll be honest with you, bro. In most cases it's access control. Most cases access control. In some cases it's type confusion. So we're about to get. I'm gonna break it down for both of these. So in most cases, when I say access control, what we're talking about here is can a user that's authenticated get access to their resource and resources? Only if the answer is yes. Yes. That's great. That's what the developer intended. If an unauthorized user is able to access someone else's resources, that's bad. That's an access control failure. If you're an authenticated user and able to get access to someone else's resources, that's terrible. That's an eye door vulnerability, right? No, that's bad. That's what we need to avoid. Now those are kind of access controls that I'm talking about being able to access things or perimeters you're not supposed to. It's a logic issue. The next one is type confusion. You know what that is? That is basically like when you send an HTTP request to an endpoint API endpoint and the, the method for that request is puts or posts, meaning that you're, you're putting, submitting something to the server. That's great. Now what if that's the adversary? You change it to delete. Delete is a proper ACP method. And delete can delete things. Now if you don't have controls to block that, then you be deleting data. Now let's combine this. Let's say you're able to access other people's resources whether you authenticated or not. Great, that's a problem. Now what if you're able to delete other people's resources as a result of those two issues? Now you just change the vulnerability to destroy other people's resources. Yeah, API testing is extremely important.
B
Hopefully people take this to heart and they understand what they have out there and the resources available to them. Our next story is Romania's oil pipeline operator hacked how an info stealer infected infection paved the way for a ransomware attack Khanpet sa, Romania's nation state owned oil pipeline operator managed the country's critical oil transportation infrastructure. Quillin Ransomware Group, a Russian speaking ransomware as a service operation. They use an info stealer infection in January 11th. The credentials indexed in January 12th and the ransomware was deployed and public disclosure around February 3rd. The initial credential theft, which was 268 logins including the VPN then had lateral movement to domain compromise and an exfiltration of approximately 1 terabyte of data that include financial records, internal docs, passport scans and then the ransomware encryption of the corporate IT systems. The business IT infrastructure was disrupted and the public website was taken offline and core operation technologies were taken down. Another info stealer. That leads to a further infection.
A
Yeah, well that's the reality of where we are today. The reality is, is that you have employees downloading games. Those games lead to, hey, I'm curious, I want to cheat in this game. They'll go to a forum, download a cheat, boom, you're infected. Or you download a piece of software like Notepad plus plus. You saw that Notepad plus plus had a supply chain attack recently. Boom. Info stealer. That's another way to go. There's a famous story of putty. Everybody loves putty. Buddy is the best SSH client for Windows. I think you can even use it on Linux. Guess what? They had a supply chain attack recently as well. Not recently, but a couple years ago. You have malvertisement campaigns which Chris, you personally investigated in the past. You know all about malvertation campaigns and boom. Info stealers there. Yes, you have employees being targeted in every possible direction, including social engineering for the purpose of getting them affected. And once they run or execute one of these ransomware payloads. Sorry, one of these info stealer payloads. We're talking about a tiny payload that Executes, exfiltrates, everything needed within seconds, and that's it. It doesn't have to run forever. It just needs to run once. And once it runs that one time, it's over. So what I would love for any of our Romanian listeners, I know there's at least one. Give us some feedback, because the last time we had a story like this from Norway, was it Norway or the Netherlands, Remember, we had a listener reach out to us, say, yeah, this happens. It wasn't that bad because they did modify some things, but they did not try to purposely crash the water system. So in this case, in this pipeline, I would love to hear what the news is saying locally in Romania.
B
That was Norway. You're right. I remember it now. So, yeah, so the initial vector was the info stealer malware was on a personal side business computer used by an IT employee for personal sites. So. But that computer contained work logins.
A
So. Yeah. So if you were to come to me and be like, yo, hey, bro, what can we do here? What's the actionable item here? Well, the one thing I tell customers, if it's within your budget because it becomes expensive, then you have to look at providing your employees a work phone, work laptop. Okay. Because at that point, you can control those devices over MDM policies remotely. There's a whole bunch of things you can do. But once they start using their work credentials on personal devices, that goes beyond the scope. You can't control that. So there are conditional policies that you can set in Google Works. Well, not Google Workspace, maybe, I don't know, but I don't. Like in the Azure Office 365, etc. You could deploy, you could set conditional policies defining where those credentials could work from. It could work from a work computer, but. But not from like a side device. Yeah. Now it, again, it requires probably upgrading your license. It's a ridiculous thing. From Microsoft, like, always, couple bucks. But hey, now you're in control of where those credentials are coming from. There's not really much you could do here except for education. And to be honest with you, judging by the fact that this guy had a separate computer for side work and they still use their corporate computer credentials on this site, laptop or device tells you that education wouldn't have done for you here. It would have been the same result.
B
Yeah, I mean, they didn't use a zero day at all. This, this was just a classic, you know, they got in through a credential, you know, stealing, and they did recon network technology and then lateral move it to the Windows update server and then they pushed out a fake update that of course had the payload the for the ransomware. No zero day whatsoever. They just used the what was available to them.
A
They lived off the land and they lived off the human. They got the credentials and they were able to move laterally and pivot. And guess what, Chris, you know this. Well, guess what, audience? If you've been following us and listening to us, you know this shit happens every freaking day. It's been happening for years. With the exception of the technology and jargon and language. Because info stealer today was a Trojan 20 years ago. Yeah, Info stealer today was a password stealer 25 years ago. Okay? Same shit. It's nothing's changed. The only difference is methodology, modus operandi, jargon and the tools.
B
Why and of course change.
A
Well, you know, the jargon being an info stealer, that sounds fucking, you know, amazing when in reality it's the same that we've been dealing with for the last 25, 30 years is because 25
B
years ago I sold you a thing to stop the Trojans. And so I can't keep saying that, that you need. You have Trojans come coming. Or is that the only reason is because I've already sold you a tool that stopped Trojans. This isn't Trojans, this is info stealer.
A
Yeah, no, this is an info steel. It's more sophisticated because it only needs to run once the Trolls is back 25 years ago, needs to stay on to maintain persistence. That's the only difference. The Trojan 25 years ago did exactly the same thing as this. This is here, right? Expiration of credentials.
B
This is a dirty, dirty business.
A
It's a dirty business and you're hoping that there's more folks like myself and companies like Seal, you know, the cheap promotion there that are coming into this ethically. There's a lot of companies that, you know, they've changed language around to kind of, you know, to market themselves to do one thing that they should have been doing. The fact that we have Trojan horses or info stealers or password Steelers still working on modern operating system 20 something odd years later, 30 years later is very telling. You know, there should be default policies to block things like this and they're not something to think about. Food for thought.
B
Yeah, the whole thing is just, it's off putting these stories just become the same week after week after week.
A
Oh yeah.
B
But we should go back to Susan's idea and have good news. Cybersecurity news.
A
Well, we do have good news. We have a good news story coming up right now.
B
Which one's that?
A
The seesaw on the directive.
B
Oh, you think this is a good story?
A
That's a beautiful story.
B
All right, well, CISA directive agencies must disconnect unsupported network edge devices. CISA has a binding operation directive 2602, mitigating risk from end of support edge devices. This is not a traditional incident. This is a binding operational directive, a BOD issued by CISA to address persistent high risk vulnerabilities in unsupported end of support or end of life edge devices across federal networks.
A
This is where Will needs to put like a little applause, you know, the people clapping. Right? Yeah, this is great. You know, people ask me, but why is it great?
B
This is, this is shit you're supposed to do. I think Chris Rock talked about this years ago. Well, you raise your kids, you're supposed to take out your end of life systems on that are edge devices.
A
You're supposed to, but people don't. And that's the problem. So you know what, let's set a directive. If you have devices, especially networking devices, that have reached end of life and lack support, they must go. Well, it's crazy.
B
First explain end of life to people. Some people might not know that.
A
Yeah, so in, so in the industry, folks, end of life or you know, end of support eol, eos, depending on who you talk to. Right. Two different phrases. What it means is a piece of software or hardware or hardware hosting software. Anything that's provided to you by a vendor or third party that has reached is operational conclusion, meaning that they once existed and they were a great product and now the vendor has decided to move away from the product and go with something else. They're pushing a new product on it.
B
So you mean I should be turning off my Windows 95 machines?
A
Yeah, throw that shit out the window or take it to a museum, you know. But the goal here is to phase out legacy equipment devices that are no longer getting security updates, they're no longer being supported by anybody, and they have to go. And yes, you're right, these agencies within the US Federal government should have been doing this, but they weren't. And this is why it required a cease abiding operations directive. You know, if you were to ask me, Chris, you know, when people listen to me talk politics, like, oh, you're so anti this, anti that. No, I'm not. You know, one of the best things that our president has done for us, that's Donald J. Trump. Beautiful, most beautiful man. Right He. He supported. He funded Cesar. Okay, people don't want to talk about that shit, but I will talk about it. He supported cesa. He gave us this beautiful fucking agency here in the United States that has taken security here in the United States to the next level. Right? Whether. Whether you, you, you could critique it for whatever decisions made in the past. CISA is beautiful. And this right here is a good reason and example why we need a cease in our. In our government. We need someone to say, hey, jerks, throw your shit away. Stop using it. If you need a new router, give us a call. We'll fund it for you. Right, so that's my take, Chris.
B
Yeah. And so this directive is effective immediately upon issuance. So it was issued on February 5. So no if, ands or buts. Get that shit off your networks. And it applies to all federal civilian executive branch agencies. Requires inventory and immediately patching where possible, and decommissioning of listed EOS devices. So, yeah, I agree with you. I mean, I guess I like your positive attitude towards it. When. When I saw it and I read it, I was like, well, this is just something we already know, that you should do this. But. But you're right. Now we have something with a little bit of teeth behind it that forces them to do this. You know, I am guilty of this. I need to do this at the pantry. The pantry is running Windows 10 right now in our devices. I need to update them. It's a lot of money for organization like us, but I got to do it. I think I found a place where I can get a discount on Microsoft devices or Microsoft upwear because we're a nonprofit, so I can check that out. But this is going to push me to get this done this week.
A
Well, and I'm glad you said that, because that right there, that's. That's true leadership, brother. And for the rest of the audience, I know this is a cease of directive towards the government, but look what Chris just said. He's going to apply it within his own pantry. I would recommend you guys look at your own networks. If you have end of life or end support systems, follow it. It works. And it's going to. It's going to avoid. It's going to help you avoid and mitigate a potential compromise. You don't want to compromise in your life.
B
So I bet where a lot of people have this is when they set it and forget it on home routers. I bet there are a lot of old home routers just sitting there and
A
they're back Doors, Most of them are full of vulnerabilities and most of them are developed in China. I'm not here to shit on China. What I'm saying is they've released devices with old firmware to, to the American public that are not getting auto updates. That's 1, 2. They've stopped updating those firmwares. Right. The firmware is basically the entirety of the operating system in userland and software running your devices. And because of that, we have a whole bunch of back doors in the United States. If you go to show then and look up an old vulnerable router version, you're probably going to see the majority of them. Where are they in China or. They're in United States? They're in the United States. Okay, so listeners, please, guys, I love you guys. Follow the directive, make believe that you're part of the federal government and just start throwing out now when it comes to money, that's the problem. It would be dope as hell. Oh, and by the way, before I get to that, some of these routers you can reset or recycle with like open wrt, those open networking operating systems, you know, Chris, you know, yes, you have to go online, yes, you have to follow the instructions, but by the end of it you have a modern version of your old router.
B
But yeah, my problem with that is aren't there malicious sites out there that you follow these instructions? So like, how do you, how is the audience going to know if they're literally installing good software on their routers?
A
Well, that, that's where I would love. See that might be beyond the scope of seesaw, but it'd be so cool if she could do like an open source, you know, router firmware. If they could do that and give you directions, that would be so dope. But I know that costs money.
B
So you would like it if the government told you which software to run on your edge device so they could get into your ring cameras and pull your.
A
No, no, but, no, but at least offer the option because there's a lot of old people out there that are technically savvy. They've been around.
B
Yeah.
A
And if you give them and you say, hey, look, by the way, this open source router, you know, image, take these three steps, you can upload it to your router and going to save you 60 bucks. Fine. You know, give him the option. That's what I'm saying.
B
Do you know of any place, is there other countries that require this for people for like home users, like in China? Can you have out of date edge devices or do they force people or do you not know? I don't know.
A
I, I don't know hon. That's such a great question. If, if our, if our international listeners can chime in, if you guys know if there's any similar guidelines in your countries, please let us know. But even that in this case it's not ceases and civilians, it's ceases to.
B
Yeah, right. Yeah. So I was just going off on a little, little out there but because you would think they wouldn't want, you know, the connection. China wouldn't want people.
A
Yeah.
B
Hector. Sorry. Another ransomware attack. Bridge PAY Ransomware attack causes nationwide outage so. So BridgePay Network Solutions, a Florida based US payment gateway and solution provider serving over 100,000 merchants, local governments and integrated for card processing, virtual terminals and hosted pages, APIs and municipality utility building was attacked through a ransomware. An unattributed ransomware group attacked on February 6th escalating to a full outage by mid morning and the ransomware confirmed the same day. System wide disruptions across the core services. No payment card data was compromised per initial forensics. I think that will come out later. I think 90 days from now we're going to hear a bunch of people getting free credit monitoring software.
A
Yeah, yeah, that's right.
B
What are we gonna do about this stuff? This ransomware? It doesn't seem to be slowing down whatsoever.
A
Well, it doesn't slow down. It's not slowing down because adversaries are finding vulnerabilities in devices inside of organizations. We just literally covered that from cesa.
B
Yeah.
A
You know how many times a lot of these companies are hit by, hit by ransomware are because they're running outdated software? End of life software. Yeah. Externally accessible or is it info stealer? So two of the stories we covered today, either or the adversary gets in, they move laddering, they compromise active directory and get a domain admin. They get control of the network and bada bing, bada boom. You know what's the scary part though? What, what if this would have happened during a natural disaster, let's say in Texas, you know, the power went out and you went to go get food, your family, but you can't get food because at least we're looking at what the town of Frisco. Frisco. Yeah. So the city of Frisco in Texas, they were hit very hard because a lot of the merchants was using this, this, this, this POS system. Now a lot of folks are not walking around with money anymore. Chris you know that it's, it's, it's a cashless society now.
B
Yeah, but you and I lived through a big hurricane in New York where the power was out for nine, 10 days. I didn't have power for 10 days in my house. You didn't have cash. You, you weren't buying food.
A
Well, you know, then you do like, you do like us brown people, we just started looting. What?
B
Whiteies don't loot. You know that.
A
No. Oh, yeah, yeah, you. I forgot. I remember the, the Katrina articles. It was like a black, the black family said they were looting and then the white people, they were the white family. They were like, you know, xx. Appropriating or they were surviving or some. Surviving. Yeah, they're just surviving. No, put all jokes aside. Yes. If you're dealing with a natural disaster and you got to go to a store to pick up some water or sodas or food and, and they're not trying to give you anything off the arm, so you have to use your card. But the POS system is down. What do you do? You know, Bitcoin? Yeah.
B
All right. Now, I mean, I, I'm not like. And we talk about not having valuables in your house, not having huge, you know, cold storage of cryptocurrency and all that, but you know, have, have some, some, some cash and not, not big bills. You want, you want ones, fives and tens. You want to be able to, you know, make. You not have to make change. You know, either that you're taking the gold bar and you're shaving, making shavings off of it.
A
Yeah, you got, you go back to the barter system, you know, and depending on, on who you're talking to, you know, their barter might be a cheap or expensive, you know, or.
B
I'll suck your dick
A
for a cheeseburger. You know what I mean?
B
Maybe, maybe two cheeseburgers. Yeah. Yeah. All right. That's a good way to end it, guys.
A
Yeah.
B
Reach out to us at questions@hackerthefed.com. remember, the merch is up hacker the fed.com. buy yourself some Hacker the Fed merch. Support us on Patreon. Join the hacker in the Fed Patreon. A brand new episode every week on Patreon. We 5 star reviews on wherever you get your podcasts. Share us on social media. Putting out the LinkedIn stuff. We have a meeting with Alanis coming up tomorrow, so we're going to be expanding on some of the social media stuff. She's got some fantastic ideas. Shout out to Alanis. But we'll get that done. Tell your co workers, tell your friends, tell your lover, tell everybody. Listen to Hacker and the Fed. All right, brother. I had another fun time. Love and respect.
A
Had a beautiful time, brother. Thank you so much.
B
All right, I'll see you next time. Cheers.
Hosts: Chris Tarbell & Hector Monsegur
Release Date: February 12, 2026
This episode of Hacker And The Fed centers around the persistent and evolving threat posed by credential theft—a single stolen password can compromise not just companies, but nation-critical infrastructure. Chris Tarbell (former FBI Special Agent) and Hector Monsegur (ex-LulzSec/Anonymous blackhat, now ethical hacker) dissect the latest cyber incidents, highlight attack methodologies, talk about systemic failings, and discuss regulatory responses. The episode also teases a forthcoming, candid CISO interview series, offering rare behind-the-veil executive insights on cybersecurity realities.
Case Study 1: Team PCP Worm (13:00)
Case Study 2: Romanian Oil Pipeline Ransomware (25:09)
CISA Binding Operational Directive 26-02 (mitigating risk from end-of-support edge devices) (31:22):
Quote on Federal Policy:
The hosts blend sharp wit, occasional dark humor, and deep technical expertise. They layer industry insights with practical, unvarnished advice targeted at practitioners, executives, and laypeople alike. The banter is irreverent but informed; moments of levity balance the gravity of the subject matter.
Credential theft—in the form of “info stealers,” Trojans, or classic phishing—remains the number one vector for catastrophic cyber incidents. The only things that change are the names and technical nuances.
Automation, regular audits, strong credential policies, and proactive replacement of end-of-life technology are essential defenses—for companies, agencies, and home users.
“One stolen password can take down a nation. Don’t let it be yours.”