A
You're listening to the Cyberwire Network, powered by N2K.
B
Hello, everyone, and welcome to N2K, CyberWire's hacking humans podcast, where each week we look behind the social engineering scams, the phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Kerrigan. Hey there, Joe.
C
Hi, Dave.
B
And our N2K colleague and host of the T minus Space Daily podcast, Maria Vermazes, is at a conference this week. She's actually in Florida at the Space Week conference.
C
That must be very nice.
B
I think that's a pretty cool place. Pretty cool conference to be at that time.
A
The Artemis launch window opening this week.
B
That's right. That's right.
C
I just want to be in Florida where it's warm.
B
Right, right. Well, filling in for Maria this week is our friend of the show, Michelle Kellerman. Hello, Michelle.
A
Hi, Dave. And hi, Joe.
B
We've got some good stories to share this week, but first, let's get into our follow up.
C
Joe, big chicken news, Dave.
A
I was so excited when I saw this.
C
Yeah, we have our first eggs. This is a lot earlier than I was expecting. I think you and I have discussed this offline, not online. Yeah. Oh, have we? When I was gonna. I was not planning on getting eggs until, like, April.
B
March.
C
April of this year. But one of our hens, and I believe it is my favorite hen. Snugglebug.
B
Snuggle buggle bug. Never disappoints. Right. That's all the snuggling. Yes.
A
What a lady.
B
It made her feel maternal.
C
That's right.
B
She started popping out eggs, and she's.
C
Laying eggs right now at about a rate of one every day and a half or so, which is actually a lot of eggs for a hen to be laying in winter.
B
Oh, really?
C
Yeah.
B
Okay.
C
Generally, they slow down in winter, and she is just starting laying and is like, like hooping these things out.
A
Man, what a weirdly specific detail.
C
Yeah, it is. I have lots of weirdly specific details about chickens. How is.
B
So is she the only chicken that's laying eggs so far?
C
Yeah, I'm pretty sure she's the only one. I know it's her because I was out there doing some winterizing of the run because they can't walk around in too much snow. So I went out and bought some straw, and after the snow fell, I went out and scattered the straw around the run. So the run is just a mess of straw right now.
B
Okay.
C
Um, and when I was Doing that. She was out there. She was like, making like, you know, like laying noises, which.
B
Oh, I didn't know there were such a thing.
C
There are laying noises.
B
Okay.
C
And then when I went and looked inside to see how they had done with the straw inside the. Inside the coop, she is sitting in a nesting box. And right underneath of her is a warm egg. This first egg, this picture on the. On the left is the first egg. And it is, like, still warm when I pick it up. Like chicken temperature warm. So it's kind of weird to pick up a warm egg and know it's the freshest thing in the world.
B
Right. Know exactly where it just came from.
C
That's right. That chicken's butt.
B
Joe, I don't want to, you know, burst any bubbles for you, but I don't think it's actually the butt.
C
It's actually. Technically, it's called a cloaca.
B
Oh, that's right. Birds have like one. It's one open, one access point.
C
Yes. And it's.
B
You are correct.
C
It is the same orifice out of which she poops.
B
Right. I guess it doesn't make sense when you look at the relative size between an egg and a chicken, that there would be a calling out of noise that they would make when this thing gets passed.
C
I have found. And this is like my horror story, my horror. You know, I keep worrying about things that aren't going to happen but. Or may not happen. But there's a thing called egg binding. When a hen gets egg bound.
B
Oh, yeah.
C
That's when they have an egg that's too big for them to pass, and it can be lethal.
B
Oh, okay.
C
So I'm really worried about how to find that and how to treat it.
B
Sure. So how many eggs have you had total so far?
C
Let's see. We had these. I think we're up to four eggs.
B
Okay.
C
Which brings the average cost per egg down to about $400.
A
Every time you give me a chicken update, I think I know how it's gonna go. And every single time, I'm proven wrong. Every time.
B
See, Michelle, I'm just looking for the day when Joe walks in here with a dozen eggs to give to me and says, here, I don't know what Joe. When Joe gets to the point where he's like, dave, I don't know what to do with all these eggs.
C
I have a line of people who have said they want the eggs.
B
Yeah.
A
It's like, you don't want a pool. You want a friend with a pool. You don't want Chickens. You want a friend who has chickens.
B
That's right, Exactly.
C
But I actually do want the chickens. I don't want a pool.
B
Now, how do you keep the chickens warm? Because it's been very, very cold. It's been single digits at night here.
C
Yes.
B
Do you have any kind of heat lamp or anything?
C
I don't know. Actually, a couple weeks ago in Montgomery county, just one county south, there was a fire that was started at somebody's house because they had like a heat lamp in the chicken coop.
B
Right.
C
And burned the house down.
B
Oh.
C
So that's bad news. But the other problem is if you start warming up the chickens and start getting them used to a warm temperature, they become less cold hardy, and they're already pretty cold hardy. So what I've done is I put a bunch of straw into the. Into the coop, and then I put straw on the run so they're not walking around on any snow that may have gotten into the run. I actually did the most redneck thing I think I could possibly do to keep it.
A
Yeah.
C
I surrounded the run with cardboard boxes to about 2 feet so the snow won't blow in there. They're just zip tied to the cage.
B
Yeah.
C
So I will. When the snow is melted and it looks like there's no more threat of snow, I'll just go out, cut those up and put them in the recycle bin.
B
Sure.
C
But, you know, I was thinking, do I buy plastic or do I. Or I could just be like farmers are. Which is really cheap and just use what I have, which I had zip ties and cardboard boxes and just put them around the coop.
B
Yeah, that's good.
C
In the run.
B
So I met some chickens over the weekend.
C
Oh, you did?
B
There's a picture in the show notes.
C
I see it. Look at that.
B
Aren't they pretty golden laced? I don't know what they are, but they are pretty birds.
C
Yes, they are.
B
They're pretty birds.
C
Pretty hens.
B
So it was my wife's birthday and to celebrate, there's a farm nearby. It's called Mary's Land Farm. Ha ha. Because we're in Maryland.
C
Right.
B
And they have a winter barn experience. And that's what we did. And there are little mini goats or. Yeah, little mini goats. There are little mini pigs. There were a couple of donkeys, a couple of baby cows that we got to feed and some sheep. And let's see, there was a tom turkey and a girl turkey and then these chickens. So, you know, you get to spend an hour in there snuggling with all the cute little animals.
C
Are the chickens holdable? Do you get to hold the chickens?
B
Yeah.
C
Awesome. They're used to being handled.
B
Yeah. And the goat? You could hold the goat. I held a pig, which was something. The pig wasn't happy about it and was making a lot of squealing noises. But got to hold this little pig and little goat. It was fun. My wife loved it. We had some friends join us, so it was just the right amount of time. But I couldn't help thinking about you because of these beautiful hens who are strutting around.
C
They're some good looking chickens. Full sized. I'm looking. One of them is definitely black lace something. I don't know what it is. That's the gold. The one on the left is, you know, she has gold feathers and then around each feather she has like a little black line that circles, goes around the whole. That's called gold lace.
B
Okay.
C
And then the other one looks just like a standard chicken. I don't know what that is.
A
Oh, what'd she do?
C
Nothing. She's probably a great chicken.
B
Yeah. All right. Well, hopefully she doesn't listen to this show.
C
I hope not. It doesn't matter. I still like her.
A
Justice for standard chickens.
C
Yeah, she might be an Easter egger.
B
They do sell their eggs. Do they? Yeah. Yeah.
C
How much do they sell their eggs for?
B
No idea.
C
Asking for a friend?
B
No idea.
C
I've spent fifteen hundred dollars on and try to recoup some of those costs.
B
It's a lot of eggs, a lot.
C
Of eggs. I had to go out and buy a. Spend another 50 bucks on these eggs. So it drove the average cost of eggs up by $12.50. So I can get a water bowl that doesn't freeze.
B
Oh, sure.
C
Yeah, that's. Yeah. I'm hoping that works and doesn't set the coop on fire.
B
Right, right. Because then you have fried chicken. Right.
C
Roasted chicken. That would be most sad.
B
I don't know.
C
Would I throw in the towel then? Probably. Because all my work would have been destroyed.
B
Yeah.
A
I'll call an authority if you don't.
B
That would be. Every attacker counts on one thing: environments that trust too much. ThreatLocker closes that gap with default deny at execution. Unknown software blocked. Trusted apps contained with ring fencing. Configurations verified with ThreatLocker DAC so you stay secure and compliant. ThreatLocker delivers the visibility and control CISOs need without adding operational pain, making zero trust real for teams of any size. Stop ransomware at its earliest point. Book a demo@threatlocker.com N2K. All right. Well, let's get to some stories here. Joe, why don't you lead things off for us here today?
C
So my story is a little bit old. It goes back starting in 2012, but I recently I found this article thanks to or found this story because of a recent article in Agweb.
B
You're reading Agweb? Farmer Joe is reading Agweb.
C
I'm not reading Agweb. But when I saw the story was at Agweb, I was like, ooh, Agweb. I wonder what this is about. So this story is about Nikesh AJ Patel, whose friends call him Nick. And in 2012, Nick was the CEO of a company called First Farmers Financial, with a headquarters in Orlando and then other offices in California and Georgia.
B
Yeah.
C
So Nick was working with his chief operating officer of this First Farmers Financial company called Tim Fisher. And they. Or maybe just Nick, and the article's not really clear, fabricated a bunch of documents to make the company look legit, saying that they had $20 million in assets sitting in the Wells Fargo account. They also created resumes and financial statements and a bunch of other background information. Just completely fabricated a company.
B
Okay.
C
Why did they do this? So that they could go to the United States Department of Agriculture and get approval for USDA secured loans.
B
Hmm.
C
So the government secures a bunch of different kinds of loans.
B
Right.
C
So, for example, the one everybody's probably most familiar with is in buying a house. If you are a veteran, you are eligible to receive a Veterans Administration loan.
B
Right.
C
And what that is is a lender will give you even a lower interest rate because they know the government is going to guarantee that loan. So if. If the veteran defaults on the mortgage and then they go through the foreclosure process and there's a shortfall that the. That the lender is entitled to, the government will cover that shortfall.
B
The full faith and backing of the United States government.
C
Right. Other things include guaranteed student loans, which are this way. And then there's also apparently some farming loan programs through USDA.
B
Okay.
C
So Nick saw this as an opportunity. And once he had the approval to offer these loans, he then created 26 fake loans ranging in value from 2.5 to $10 million each.
B
Wow.
C
And built a portfolio of $179 million of fake loans. He had forged USDA loan ID numbers and signatures from people at the USDA that did not exist. And then when you have a bunch of fake loans, what do you try.
A
To do with them?
B
Dave buys a lot of chickens.
C
Right? That's. He had received no money for these loans. So he hasn't. I mean.
B
Oh, so he's. He's giving out. He's granting the loans to other farmers?
C
No.
A
Nope.
C
He is saying that he has granted the loans to other farmers, but he has not given out any money.
B
But now he has to figure out how to.
C
How to cash in. I think he's already figured out how to cash in because he contacts a company called Pennant Management, which is an investment firm.
B
Okay.
C
And they were interested, and they did a significant amount of due diligence. Not enough, in my opinion. They fly down to meet with Patel, and he shows them all this fabricated evidence, including audited financial statements from a CPA named Jeff Kane. Spelled Geoff.
B
Oh, yeah.
C
British spelling of Jeff.
B
Yeah.
C
Jeff does not exist.
B
Oh.
C
He's completely fictitious, completely synthetic. But Pennant winds up taking the bait and buying the fake loans for $179 million.
B
Wow.
C
And they wire Nick Patel the money sometime in September. They start to notice. September, this is 2014. They start to notice some address inconsistencies. And they're probably wondering, hey, why aren't we getting paid? Because when you loan money to somebody, they generally pay you if you've ever had a mortgage. One of the first things that happens when you get a mortgage is they sell it to somebody else and then you make your payment to that other person.
B
Right.
C
And they'll send you notifications. That happens.
B
Yeah.
C
But so these guys did something similar, and they were expecting payments, but none of them came. So they contact the FBI, and they say, hey, what's going on? Help us with this. And the FBI investigates, and they charged Patel in 2014 with fraud, and he gets arraigned in 2015. And by the way, that's the same year that Pennant Management collapses.
B
Oh, no.
C
Goes out of business. He ruined this company. Right, right. Nick. Then during the process of this, Nick pleads guilty in late 2016. So he's been, you know, criminally charged for a couple of years. He's got 196 or 79 million dollars in the bank, and he's spending it like, wild. I mean, if you read this story, it talks about all the things he did.
B
Okay.
C
It's crazy. Eventually, he winds up pleading guilty in 2016, and it gets scheduled for sentencing in April of 2017.
B
Okay.
C
Nick manages to get his sentencing delayed till April or January of 2018.
B
Yeah.
C
Now, here is why this is such a wild ride. During that time in 2017, Nick invents the persona Ron Elias, who is the vice president of Guaranteed Lending at Banco do Brasil, which is a real bank. But the position vice president of guaranteed lending does not exist. And neither does Ron Elias.
B
Okay.
C
He then executes the same scheme again. Selling agricultural loans. Selling loans to Agricultural Mortgage Corporation. That's the Farmer Mac. So I didn't know that Farmer Mac was a thing until I read this.
B
So, like the agricultural version of Freddie Mac.
C
Right? And Sallie Mae. Yeah, there's Farmer Mac. And he sells these loans to Farmer Mac for $20 million while he is awaiting sentencing for the exact same crime.
A
Wow.
C
Took down Pennant Management.
B
Okay.
A
You can't be a multimillion dollar thief and be shy about it, can you?
C
We're not done yet. This. This is amazing to me. Three days before sentencing in January of 2020. What was it? 2017?
B
Yeah.
C
Or 2018. He. He says, well, I'm not sticking around for this. I know this is not going to go well. And he charters a plane to Ecuador. But the FBI picks up on this and they nab him at the airport. And in March of 2018, two months after that, he is sentenced to 25 years in prison.
B
All right, you think that would be.
C
The end of it?
B
I say justice has been served.
C
No, sir.
B
Oh, no.
C
Then, while in prison for taking out Pennant Management and under indictment for defrauding Farmer Mac, he works with his wife Tricia from 2019 to 2023 to start a third company called Community First Mortgage. Tricia secures a loan guaranteed by the USDA for a company called Precision Powered Products.
B
Right.
C
This was a. A company that was. That existed and was looking to be sold. So they. They, you know, she contacted him, asked him some questions, and then she impersonated that company to get another loan to expand into Puerto Rico. And the USDA guaranteed that loan. Then Tricia turned around, acting as the lender for Community First Mortgage, to sell that loan for another $7.4 million.
B
A paltry $7.4 million.
C
This is the smallest take this guy has had so far. So in 2023, the FBI and the USDA inspector general found everything, and they have arrested Tricia. And they cleared out Nick's cell. Right, in his prison cell. They went in there and they found 3,000 pages of documentation in his cell related to this latest fraud.
A
What, what were they just thinking?
C
That those were, I don't know, like.
B
Nick's running a lending library out of his cell or so. Or he stuffed his mattress with papers.
A
He's an artist.
C
It was under his mattress.
B
3,000 pages.
C
3,000 pages of documentation. Okay, so now Nick has been sentenced to another 27 years in the federal pen, as Boss Hogg used to say. So, you know, he's got, like, close to 50. He got more than 53 years of prison time. His wife, Tricia, got 51 months because I guess her crime was only $7.4 million.
B
Yeah. And, you know, I mean, who knows? I'm speculating here, but maybe they were able to convince the. The government that she was operating on his behalf or something. He was the mastermind.
C
Right. She fully cooperated.
B
Yeah.
C
I mean, why is this hacking humans? This is. What's going on here is this guy is smooth talking these people, these lenders that are going to buy these loans and showing them all kinds of fake documentation.
B
Right?
C
And it seems to me like all of these lenders didn't do their due diligence. Like in this story from. From AgWeb, the USDA, when they were looking at that Precision Powered Products didn't even check the address of the location in Puerto Rico that they were expanding into because that was just an abandoned building.
A
Yeah, that's what I'm wondering. Like, when I bought my house, I felt like I had to do a blood pact and dental impressions to get my mortgage. No, you're cool. Well, I believe you.
C
Yeah, that's essentially what happened. They said, yeah, you're cool. And, you know, I don't know about you guys, but if I'm Nick and I run into a hundred, get this $176 million payout from Pennant, I am not sticking around in the U.S. well.
A
You don't get many cautious types doing this type of.
B
Yeah, yeah, that's true. I mean, yeah, well. And I think we can learn something about Nick's personality, that he continued to do this even while incarcerated.
C
Yeah. Yeah. There's something up with this guy.
B
Like, you know, you think, oh, maybe they're gonna have an eye on me and my family since I'm incarcerated, having already done this twice.
C
Right.
A
I feel like when you made, like 2,700 steps without getting caught, you might think that you have a few more.
B
Maybe.
C
Maybe this time I'll get real lucky.
B
Right? Wow, that's. Yeah. I mean, to the due diligence point. I mean, I would imagine that part of this is Nick figured out what the standard degree of diligence was and provided exactly that.
C
Right.
B
And that was it.
C
Nobody ever followed up. Nobody from Pennant said, hey, why don't we call the USDA and verify these numbers, these loan numbers, just to make sure this isn't some kind of fraud? Thing.
B
Right.
C
Because if you, if you do that, then the USDA goes, nope, none of these are real numbers. Then you call the FBI before you send any money. And you know, Nick Patel doesn't. Doesn't collapse your company.
B
Right, Right.
C
Doesn't run you out of business.
B
Well, who knows? I don't, you know, who knows what the. What was going on with the management company. But we've certainly seen lots of cases where people get blinded by greed. You know, it was too good of.
C
An opportunity to be true, I think is going on.
B
Right. Absolutely. Wow. Well, boy. So I guess lesson learned here is do your due diligence. And also just because somebody has reams and reams of paperwork in their prison cell. In their prison cell. Right.
C
Yeah.
B
Listen, I'm gonna take a meeting, but I need to warn you ahead of time that it's a very secure facility. So my office, were they just like.
A
Hey, I'll throw in an ink cartridge for.
B
Right, right. All right. Well, we will have a link to that story in the show notes. Michelle, let's move on to you. What do you have for us this week?
A
So my story is currently breaking. It only came out yesterday and details are still a little squishy, I guess. The story is from CyberScoop, where Okta SSO, the single sign-on provider, put out an alert that their service was being abused by a group called ShinyHunters in a targeted voice phishing campaign combined with custom phishing kits against certain corporations. This is a very targeted phishing campaign where they are not just doing the phish to try and get somebody to give their multi-factor authentication codes. Once they get their initial access, they are pivoting to register their own multi-factor authentication devices to be able to move around the network, steal data, and maintain presence. Yeah. The interesting detail is this is so custom and so specific that they are using. They're registering custom domains. Sophos is tracking about 150 custom domains registered for this campaign. That makes it look like a legitimate domain as they are posing as the company's help desk and then making it seem legitimate, like it's on behalf of the company, using those custom domains to make it look real. And they mimic the MFA site almost exactly, so that you have no idea that you're putting something into a weird site that you've never seen. They have them for not just Okta, but also Google and Microsoft multi-factor authentication. So they're.
B
Let me just back up for a second for folks who may not be familiar, can explain to us what single sign on is because Okta is a third party provider. Provider of that service, right?
A
Yes. So single sign-on is something that corporations use to. You can. It's what the name describes. You have your one username and password, either an email or just a regular username and one password for the company, that will work across multiple services. So when you want to sign onto your email but also sign onto your timesheet to fill out how many hours you worked, you get to use the same logon. That doesn't happen by itself. There needs to be something that, if you have multiple services from multiple providers, because Microsoft isn't going to be doing your timesheet, Okta will do that for you on your behalf. So you only have to memorize one username and password instead of like 3,000.
B
Right.
A
Depending on how large your corporation is.
B
Okay.
A
So it's a single point of failure if you have access to the multi factor authentication.
B
So for the user it makes life a lot easier because you have as as it's named, a single sign on that basically logs you into everything you need to do at work. For example.
A
Yes. And so you only have to memorize one, but there's also then just one authentication to get access to anything that you may need for that company.
C
So if they get there, those are the keys to the kingdom.
A
Yes. So they had this single sign-on attack. And normally when you have a voice phishing campaign, it's kind of a spray and pray. You just try and hit as many as possible. You try and just hope that you get your hooks in one thing. This is very targeted and very specific. The domain registration shows that you have very specific companies that you are going after. This is not just for everybody. They are looking for specific information once they get the MFA solution, and then they register their own bad devices to be able to maintain that persistence. So they only need to do the phishing once, and then they have their device where they can continuously log on. Then they try and get an elevated account. So privileged access. Then comes the data exfil and the extortion. So this group has been known to extort the companies that they are targeting. It's not just pure data exfil.
B
Let me just ask Joe. They're using voice phishing here. What's the short important name for that, Joe?
A
I specifically left it out because I have to be down the hall from him. Okay, I am being very intentional.
B
What do they call that? Joe, what's the phone calls?
C
Dave, what's the word they use for.
B
No, there's something else I'm thinking of.
A
It's called vishing.
B
Aw, Michelle, you ruined it for me.
A
Vishing is my favorite word.
C
It's my least favorite one of my actually smishing and quishing are actually.
A
Quishing broke me.
C
Yeah.
B
Quishing is pretty bad.
A
I had to take a walk when I read that. That for the first time.
C
Quishing.
B
Yeah, definitely. It's. It's a.
A
It's a.
B
You're diving off a cliff with. With quishing. But y.
A
We commuted here together. If I get in an accident on the way, it was not my fault.
B
Right. Right. Joe steers the passenger side of the car into a telephone pole.
A
He's taking us all down. Right.
C
Least to never hear. Have to hear the word vishing or.
B
Quishing or squishing again.
A
There's so many better ways to not do that.
B
Yeah.
C
Yeah.
A
So this has been a developing story. There hasn't been a lot of information about the specifics of what they're exfilling. But the phishing kits that are after the. That are part of the attack. It demonstrates the real time capability to mimic the authentication flow. So it's not just the user interface. They are also programming that user interface that the victim is putting their MFA into to mimic legitimate traffic. So it looks so it doesn't get caught by, you know, an intrusion detection system. They are going multiple steps beyond. Let's just hope that they don't look too closely. They're even mimicking data paths and data flows amongst the Microsoft, Google and Okta sign in flows.
B
Is there a sense here that they're going after high value targets? I mean, they must be with this amount of effort.
A
Yes. It was for financial institutions. Healthcare, banking. This actually. I first saw this on Banking Info Security to get more detail, to get additional details. There are. It's very high value. It's very interesting that ShinyHunters took credit for it publicly when they have a very well known reputation for not following through on their end of the bargain. So I was kind of confused about that. They have a reputation even in the press releases. They're just like, hey, these guys don't hold up their end and they will re-extort you. Don't bother. And so I was surprised that they said, yeah, it's us.
B
Right, Right.
A
You don't have the reputation to be doing that.
B
It's interesting, but it's not them.
C
They're just trying to ruin somebody else's take.
A
Maybe.
C
Could be. That's me just speculating wildly.
A
Yeah. Bad guy PR is Not in my.
B
Wheelhouse, but no honor among thieves.
A
Yeah. So I thought that that was really interesting. But it kind of. This story struck me also because Joe mentioned the CrowdStrike report that I sent him a couple weeks ago about how 79% of attacks are now malware free and they are going through people, and it's not. This is going to show how far they are willing to go to not do malware, and how much, even with all this effort and creating all these data flows, you know, making sure that they have the right domains, they're putting a ton of work into it. And that is still, I guess to them, less work than creating a piece of malware. Like this is clearly a better path for them to get what they want, even with all this extra work attached.
B
Right.
C
It's much more successful probably.
A
Yeah. So that just speaks to like the degree of difference and difficulty that they're willing to do all of this to just not use malware.
B
Yeah.
A
Which was interesting to me.
B
How what are there in this article? Have recommendations for how folks can best protect themselves. Because if what I'm logging into looks and feels exactly like my single sign on provider, it's going to be tough to differentiate.
A
Yeah. Using physical MFA tokens. So something like a YubiKey is a.
B
Big one because you can't pass that on to the bad guy.
A
Yeah. You cannot pass that on to the bad guy. And so that's really the biggest one. And double checking the fake domains, but really just nope. Your help desk is not gonna call you ever. Like, that's just. They're not going to. If they're gonna do something, it's gonna be an email that goes out to people as a blessing. Hey, this service is down, not click here to go and fix something. They are never going to mass prompt their users to do something. That's just not how help desks work. They have too much to be doing. They're not gonna reach back. I had to get into my help desk today for something simple. They said, yeah, we'll call you back. They didn't. They're not calling you. Like, that's just, just don't, don't listen to people who call you on the phone. I'm a millennial. If my phone audibly rings, I'm already doing something wrong. I'm already irritated.
B
Right.
A
And I'm going to extra not do what you told me to do because you're bothering me during my work day.
B
Take that.
A
Take that with you.
B
Yeah, I understand. Yeah.
A
Physical keys can't be passed. And the same kind of similar. It's not quite juicy enough to make you feel secure. But don't trust when somebody says, hey, we're here to help you. Yeah, we're here to help you figure this out. That doesn't happen, right?
B
Yeah. The brief time that I was working for a company that was big enough to have a help desk, they were on a different floor from us. And I bugged the heck out of them because anytime they asked for something, I would physically go up there and knock on the door and be like, hey, guys, did you send this to me? Yes. Yes, we did. Okay, just checking. And then, you know, off I went. But I figured, why not, right? You know, better safe than sorry so you can have face to face. It's like the thing about your boss asking you to buy gift cards. Yes. Right. Go down the hall, right? Knock on your boss's door, check in. Just make sure. Face to face is a great way to diffuse these things.
A
Face to face is a great way to diffuse things. For a bunch of work stuff. Having the ability to go down to my boss's office and annoy him personally, that's so much stuff.
B
I can't be afraid to complain about Joe.
C
I do that a lot to him.
A
I told him today, I'm like, I'm judicious with my botherings. This is me being toned down. And he's just like, well, isn't that tragic?
B
Yeah. All right, well, we will have a link to that story in the show notes. Let's take a break right now to hear from our show sponsor. We will be right back after this. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allowlisting, you stop unknown executables cold. With ring fencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com N2K today. And we are back. My story this week comes from the folks over at Infosecurity Magazine. And this is about a campaign that's going after LastPass, which is one of the big names in password managers. They're warning companies that there's an active phishing campaign that is impersonating the company to try to steal master passwords and take over people's accounts. So kind of like we were talking about with the single sign-on, if you get someone's master password and access to their password manager, that's it, that's the ball game.
A
Same thing with email, right?
B
Same thing with email, right, right. So LastPass has their Threat Intelligence, Mitigation and Escalation team, which they cleverly refer to as TIME.
C
That's a good acronym.
B
Yeah, it's not bad.
A
It's a not irritating acronym. And I'll take that.
B
Yep. Yeah. Makes me think of Morris Day and The Time.
C
Yes.
B
Oh, E O. E O. Jerome. Yeah.
C
So I think we just. Michelle is shrugging.
B
Yeah, Michelle has no idea what we're talking about.
A
I'll get that. Too long. Don't read later.
B
She doesn't want her empty. So this started happening mid January, and the phishing emails say that the users need to urgently back up their password vaults within 24 hours because there's gonna be maintenance happening soon. So, Joe, artificial time.
C
Artificial time horizon. Exactly.
B
That's right.
C
Do it now.
B
Yeah. And so links in the emails lead to a fake LastPass login page and that gets their usernames and then their master passwords. And then, as we said, they gain access to not just your LastPass account, but everything stored within there. And that, of course, can be all your passwords. But lots of people store things like credit card information. There are all sorts of things you can trust a password Manager like LastPass with.
A
Yeah, they have secure notes and stuff.
B
Yeah, sure, yeah. All kinds of things. So LastPass says that these emails are circulating widely. They're seeing a lot of. And as we said, they rely on the urgency to pressure the victims into clicking through because they threaten you basically by saying, if you don't do this, you're going to lose access to everything.
A
And a common rule of thumb is companies will not. They will not prompt you for the action. They will wait for something to not work and then you call them. I think that's a good general rule of thumb. Right? Yeah, I feel like that's a fair, like, assessment.
B
Yeah, that's true.
A
Not a guarantee, but yeah.
C
So I just went to the LastPass website and they have authentication using desktop biometrics or a security key, and they have FIDO2 compatible authenticators like YubiKey and Google Titan and all those. So if you're going to store your passwords in a password manager, and even if that password manager is not in the cloud, I mean, I would recommend this for, like, the one I use. What, Passkey XC? I can't remember what it's called. I have it open right now. Let's see. Give me one second. Yes, it's Passkey XC or KeePass. KeePassXC.
B
Okay.
C
If you can protect that with a FIDO2 compliant device, your password doesn't do any good to these guys because they still need physical access to that device to get to your password manager.
B
Right, right.
C
So again, here we are. Why aren't we using more hardware tokens?
B
Yeah, yeah, hardware. I mean, anything's better than nothing in this case. Yes, but a hardware key is pretty much top of the heap when it comes to protecting something. And to Michelle's point, I would say adjacent to your email account is the access to your password manager. Yeah, of course. Email accounts are important because everything flows through there, right?
C
All the password changes, password right through it.
A
Unfortunately, people don't like being inconvenienced, which is why "password" is a common password, and then "password1" is just as common, because we don't like being inconvenienced.
B
I was. How do I describe this? I was doing a little tech support for a friend of mine who was having trouble logging on to a community volunteer group website. And she's just having trouble time and time again. And at one point I said to her, what I'm going to ask you to do, my friend, is I need you to create a password for this site and this site alone. And her face dropped like I was asking her to sell a child or something. She's like, what do you mean, a password just for this site? So I sighed and she agreed to do it. And so far, so good. But you're right, Michelle. I mean, it's just. And I get it, right? It's human nature, and everybody thinks it's not gonna happen to them, but we're past that point. Yes, we are past that point. Especially with this critical stuff like your password manager and your email account username and password aren't good enough anymore.
C
No, they are not.
B
You need more than that.
A
It's also just we have to do it so often. Like, your light bulbs have a username and password now.
C
My light bulbs.
A
And some days it's like I'm one poorly timed MFA request away from a bad mood, right?
B
Oh, my gosh. Oh, yes. Are you. Oh, yeah, I get it. No, no, I mean, I get the irritation. Oh, boy. Yeah, I don't. I generally don't like to curse, but when I'm in username, password, hell, I mean, I'll be by myself and say it under my breath, but, man, that. Yeah, that boils my blood.
A
You know what? I don't need to do this anymore. It's fine. Right?
B
Right?
A
This is optional now.
C
I don't need to pay this bill right now.
B
No, you need me to pay this bill. I'll work in the dark.
A
Get out of my way about it.
B
These lights don't need to turn on. I will light a candle in the darkness. Yeah. All right, well, we will include a link to this story in the show notes. And of course, we'd love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans2k.com. All right, Joe, Michelle, it is time for our catch of the day.
C
Dave, can I provide one update before we go to catch of the day, please? I have another egg today. My wife just sent me a text.
A
With a times with a date stamp, like a library date stamp on it.
C
My wife has purchased a date stamp for the egg so we know what day the egg was laid.
A
Is that gonna get put up?
B
Oh, that's funny.
A
Are you gonna, like, frame that in a way where you can see it's like the first dollar ever made of a business? And it's like the egg timestamp.
B
That's a good idea. I figured that at me, like, I'm crazy.
A
Like, you wouldn't absolutely do that.
C
Yeah.
B
I'm also waiting for the day when you install some kind of automation that has a camera that keeps an eye on the coop and automatically texts you with a time and number of laid eggs.
C
I just hear that Bugs Bunny industrial music playing it dun dun, dun, dun, dun, dun, dun.
B
And then, yeah, automatically prints a barcode on the eggs. All these kind of things.
A
That's why I was chuckling when he was like, yeah, I think I'm gonna do something redneck. I was like, you have an automatic timed door with a light sensor. Nothing about what you're doing is redneckery. Get out of here.
B
No, he's got more technology in that chicken coop than we had in Apollo 11.
C
Yes, yes.
A
Your chickens could go to the moon.
C
I told you about my daughter's plan for building an industrial control system. Yeah, yeah, it was Poultry. Was it Poultry Pulse Operational Technology on a Raspberry Pi? She was gonna call it pot pie. The chicken pot pie.
B
You know what that means? I don't know if you. If either of you are familiar with this, and this is kind of a deep cut, but. You know the industrial control system company Dragos?
A
Yes.
B
So in their lobby, they have a giant Lego set that has Lego versions of basically everything that could be controlled by industrial control systems.
A
That sounds like a very.
B
So their Lego set has a nuclear power plant. It has a treatment plant as... I wonder if they have a chicken coop, Joe.
C
I don't know.
B
Right.
A
I doubt it, because nobody's like, nobody looks at chickens. Is like, you know what this needs Technology.
C
Right.
A
Nobody looks at homesteading and is like, I'm missing a computer.
B
They probably have, like, Perdue, you know, the industrial control systems that run a major chicken processing plant.
C
Right.
B
But my point is, I think your daughter needs to make a little minifig-scale chicken coop, send it over to Dragos with a little letter, a picture of her setup, and have it added to the Lego set that's in the Dragos lobby.
C
I think she bought Robert Lee's children's book.
A
Solid.
B
There you go.
C
See, Robert Lee, president and CEO of Dragos, wrote a children's book about cybersecurity, and I think she bought it for her kids.
B
There you go. Perfect.
A
Yeah, it's a book for children and managers. He has like four of them. They're excellent.
B
Gap between the two sometimes.
C
Yeah.
B
All right. Catch of the day, Joe.
C
Catch of the day. Yes. This one comes from the scambait subreddit. Who's gonna do these? Do you want me to read it? You want?
B
I. I will. So this first one, I will do the part that is in gray. Joe, you can do the part that's in green. So this first one is very short, but also very funny. Okay, go ahead. How have you been lately?
C
Who is this?
B
This is Annie, darling. Didn't you save my number?
C
Annie? The same Annie who beat my brother to death?
B
Yes. I just love the. Yes, yes.
C
That's awesome. Isn't that great?
B
Yeah.
C
Cause they're fishing for something here, you know, looking for you to go like Annie. The Annie I met at the conference.
B
Yes, Yes.
A
I really don't take enough advantage of my free will.
C
Right.
A
I'm missing the bar.
B
Yeah. Yeah.
C
Well, you've heard me answer my phone. "Is Mabel Johnson."
A
Oh, yeah, yeah.
B
All right, so we have a second one here. Cause the first one was short, so Tell you what, Michelle, you can do the gray part. Joe, you can be in blue.
C
All right?
B
And I'll sit back and enjoy the fun. And we will. Well, we'll stop with the where there's a big X and you can abbreviate the profanity there. Michelle, if you please. All right, go ahead.
A
Long time no see. Are you back?
C
Yes, I am. Are you? I heard your sentence was extended for poor behavior. That's pretty good.
A
I'm planning to host a small barbecue party tomorrow and have invited a Texas barbecue chef. Are you free tomorrow?
C
I thought you were still locked up, though.
A
My name is Jack. May I ask, are you Mr. David? We met at a jewelry exhibition.
C
Ah, I see the mix up. I thought you were my homie, Big T, but he is in lockup right now. So I was thinking to myself, how is Big T gonna invite me to a barbecue party with a Texas barbecue chef when Big T is currently in the big house? You know what I mean? Lol. All good, man. You cool, though?
A
I'm so sorry. My assistant must have dialed the wrong number. I hope my mistake didn't ruin your day.
C
Your mistake only slightly ruined my day. I think I'll survive.
A
You. You should die early. You.
C
Well, that's. Hmm. Well, on that note, I won't be taking you up on your invitation to the Texas barbecue party with re. With the real Texas chef. I could give you the number of a very good therapist, though. Someone who is really top notch with helping people work through their anger management issues. Shall I text her number to you?
B
And scene.
C
Right. Yeah.
A
That was the surprising thing to me is like, you would think doing the most irritating thing in existence, being the most irritating person. Like, you pull worse than staph infections as a scammer and you have this short of a temper. Like, you're in the wrong game. My guy. What are you doing here?
B
Yeah, that's true.
A
Like, that's. That's very surprising to me. You're the annoying one here.
B
I wonder if they have macros for these heated responses.
C
Copy and paste. Oh, for the heated responses, probably not. That's probably them actually typing.
A
I get to be the one cursing. You're messing my day up.
C
Right? Yeah, I actually have a Texas barbecue story. You guys want to hear it?
A
As long as you don't call the Texas barbecue guy a chef.
B
Do we have a choice? Go for it.
C
Okay, so my wife and I were in Houston. We were driving to our friend Joel. You met Joel? Yeah, driving to his ranch out in the middle of San Saba County. And my wife says, where do you want to stop for lunch? I'm like, well, let's stop at that guy's place. And it says, I think it was Dave's. No, it wasn't Dave's. Not the Famous Dave's? No, it was not Famous Dave's.
A
Imagine if he had a barbecue store.
C
It was Nathan's barbecue.
B
Okay.
C
And it's between Houston and so it's just outside of Houston, like about two hours.
B
Okay.
C
Which in Texas is just outside of Houston.
B
Right.
C
So I said, well, there's that place there. And she goes, that's 150 miles away. I'm like, we're going to get there eventually. We might as well stop. And it's wood-fire barbecue. So we walk into the wood-fire barbecue place and I go, what's good here? And of course, the people there go, everything's good here. This is wood-fire barbecue. And we sit down and we're eating. It's kind of like the old, like, Ponderosa. You walk through and you get stuff and then you get barbecue sauce on it. And you sit down and Nathan comes out from the back and he's like, hey, you guys are from out of town. I'm like, yeah, we're from Baltimore. And he goes, oh, my favorite baseball player's from Baltimore. And I'm thinking he's gonna say Cal Ripken. Right?
B
Sure.
C
Because you say, who's your favorite baseball player? And he goes, Boog Powell. And my wife says, I got a picture of me and my daughter with Boog Powell. We just got it last week. And she pulls up her cell phone and shows this guy a picture of her and Boog Powell.
B
Wow.
C
Boog has that barbecue joint outside of Camden Yards, right?
B
Exactly. Yeah, yeah, he has. It is a famous barbecue place where you go to the Orioles game, you can enjoy some delicious Boog Powell barbecue.
C
And you can get your picture taken with Boog because he's almost always there.
B
That's true. Yeah. Yeah. Is he a Hall of Famer?
C
Good question.
B
I don't know.
A
Cause that's critical to this story.
C
This story is critical to nothing.
B
That's true. Too many rabbit holes.
C
Yeah. But yeah, it was Nathan's barbecue. Really good barbecue. It was wood-fired barbecue, which not a lot of places in Texas do.
B
All right, well, that is our catch of the day, or our catches of the day. So again, we would love to hear from you. If there's something you'd like us to consider for the show, please email us. It's hackinghumans2k.com.

Most environments trust too much and attackers know it. ThreatLocker enforces default deny at execution, blocks unknown apps, and limits what trusted apps can do. Stop ransomware at the source. Get your demo@threatlocker.com N2K.

And that is our show, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
C
I'm Joe Kerrigan.
A
And I'm Michelle Kellerman.
B
Thanks for listening.
Podcast by N2K Networks
Date: February 5, 2026
This episode dives deep into the evolving world of social engineering, deception, and cyber crime—especially focusing on how trust can be weaponized. The hosts (Dave Bittner, Joe Kerrigan, with Michelle Kellerman filling in for Maria Varmazes) examine case studies ranging from audacious financial frauds to cutting-edge phishing tactics. The stories serve as warnings about the consequences of misplaced trust, the sophistication of fraudsters, and the critical need for always-on due diligence in the face of social engineering.
This episode, brimming with expert storytelling and camaraderie, blends technical analysis with humor and practical advice. Whether discussing multimillion-dollar frauds or the latest phishing kits, the central lesson rings true: No matter the sophistication of tools, social engineering exploits human trust and system assumptions. Vigilance, hardware MFA, and an ounce of skepticism are more vital than ever.