Risky Business #783 – Detailed Summary: "Evil Webcam Ransomwares Entire Windows Network"
Release Date: March 12, 2025 | Host: Patrick Gray | Guests: Adam Boileau and Rob Joyce
1. CVE-2024-9956: Passkey Account Takeover via Bluetooth Proximity
The episode opens with a deep dive into CVE-2024-9956, a vulnerability that enables passkey account takeover when the attacker is within Bluetooth range of the victim. The attack targets the cross-device authentication flow, abusing the QR-code and Bluetooth callback steps to deceive users into completing an authentication that the attacker controls.
Key Points:
- Attack Mechanics: The vulnerability exploits the process where passkeys on a separate device (e.g., a mobile phone) are invoked via QR codes. Attackers use proximity to redirect legitimate passkey requests to their devices, effectively hijacking authentication sessions.
- Impact and Feasibility: While the attack is clever, its practicality in real-world scenarios may be limited to specific environments like airports or hotels where multiple devices are in close proximity.
- Mitigations: Major mobile browsers have released patches that remove the ability to redirect to FIDO URLs internally, thereby disrupting one step of the attack chain.
Notable Quotes:
- Rob Joyce [01:10]: "This guy came up with a trick where if you're nearby somebody who's got a mobile device with passkeys on it, and you could put a phishing page in front of them... you send them to redirect to this URL."
- Patrick Gray [05:10]: "Passkeys were always touted as phishing proof. Right. You'd use passkeys because you couldn't be phished and lose your token."
2. LastPass Breach and Cryptocurrency Token Theft
The discussion shifts to the LastPass breach, where stolen credentials are being exploited to siphon cryptocurrency tokens. The attack is linked to high-profile victims, including Chris Larsen of Ripple, leading to significant financial losses.
Key Points:
- Attack Attribution: The breach is attributed to sophisticated actors, potentially linked to North Korean groups, leveraging stolen hashes to access cryptocurrency assets.
- Victim Impact: High-profile individuals like Chris Larsen suffered substantial losses, highlighting the critical need for robust password management and security practices.
Notable Quotes:
- Adam Boileau [06:17]: "It's looking more and more like we've got confirmation here. These are the people doing the most innovative attacks are all doing it to steal crypto."
- Rob Joyce [07:42]: "They were storing the seed phrase that you use to recover the private key... they weren't particularly well encrypted."
3. Ransomware via Evil Webcam
A novel ransomware technique was discussed: attackers, kept off the well-monitored Windows hosts by EDR, pivoted to a Linux-based webcam on the same network and used it to encrypt data on the Windows network. Because the compromised IoT device runs no EDR agent, the ransomware activity happened outside the reach of the endpoint tooling.
Key Points:
- Attack Strategy: Attackers infiltrate Windows networks but evade EDR by pivoting to Linux-based webcams, which are less monitored and have limited processing capabilities.
- Detection Challenges: Traditional EDR systems detect standard ransomware activities on Windows but fail to recognize malicious operations within IoT devices like webcams.
Notable Quotes:
- Rob Joyce [10:43]: "This is EDR working, right? The fact that it scared these cats off the well-monitored Windows boxes and into the trash Linux IoT environment."
- Adam Boileau [11:46]: "I wonder how long did this take?"
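As an added illustration of the detection gap described above (this is example code written for this summary, not code from the episode or from any product it mentions), the check below looks at share-access audit records from the file server rather than at the endpoints: a source host that is absent from the EDR-managed inventory and either burst-writes a share or rewrites files under a new extension is flagged. The inventory, the audit-line format (loosely modelled on Windows event 5145) and the sample lines are all constructed.

```python
"""Flag bulk share writes from hosts with no EDR agent (added demo, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: hosts where the EDR agent is installed.
EDR_MANAGED = {"10.0.1.21", "10.0.1.22", "10.0.1.23"}
# Constructed share-access audit lines, loosely modelled on Windows event 5145
# fields: time, client address, account, share, file, access requested.
SMB_AUDIT = """\
2025-03-10T02:14:01 10.0.1.21 CORP\\alice \\\\FS1\\finance budget.xlsx WriteData
2025-03-10T02:14:05 10.0.9.40 CORP\\alice \\\\FS1\\finance budget.xlsx WriteData
2025-03-10T02:14:05 10.0.9.40 CORP\\alice \\\\FS1\\finance budget.xlsx.locked WriteData
2025-03-10T02:14:06 10.0.9.40 CORP\\alice \\\\FS1\\finance q1.docx WriteData
2025-03-10T02:14:06 10.0.9.40 CORP\\alice \\\\FS1\\finance q1.docx.locked WriteData
2025-03-10T02:14:07 10.0.9.40 CORP\\alice \\\\FS1\\finance notes.txt WriteData
2025-03-10T02:14:07 10.0.9.40 CORP\\alice \\\\FS1\\finance notes.txt.locked WriteData
2025-03-10T02:14:08 10.0.9.40 CORP\\alice \\\\FS1\\finance README.txt WriteData
2025-03-10T02:20:00 10.0.1.22 CORP\\bob \\\\FS1\\finance q1.docx ReadData
"""
WINDOW = timedelta(seconds=60)   # burst window for the write-rate check
MIN_WRITES = 5                   # writes inside WINDOW that count as a burst
WRITE_ACCESS = {"WriteData", "AppendData", "Delete", "DeleteChild"}

def parse(lines):
    """Yield (time, source, account, share, name, access) per audit line."""
    for line in lines.splitlines():
        ts, src, acct, share, name, access = line.split(maxsplit=5)
        yield datetime.fromisoformat(ts), src, acct, share, name, access

def find_unmanaged_bulk_writers(lines, managed=EDR_MANAGED):
    """Return {source: (peak_writes_in_window, renamed_files)} for sources that
    run no EDR agent and either burst-write the share or rewrite files under
    a new extension (the encrypt-then-rename footprint of ransomware)."""
    by_src = defaultdict(list)
    for ts, src, _acct, share, name, access in parse(lines):
        if access in WRITE_ACCESS and src not in managed:
            by_src[src].append((ts, f"{share}\\{name}"))
    hits = {}
    for src, writes in by_src.items():
        writes.sort()
        names = {n for _, n in writes}
        renamed = sum(1 for n in names if any(n != m and n.startswith(m + ".") for m in names))
        peak, start = 0, 0
        for end in range(len(writes)):          # sliding window over sorted times
            while writes[end][0] - writes[start][0] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= MIN_WRITES or renamed:
            hits[src] = (peak, renamed)
    return hits
```

The managed host 10.0.1.21 writing the same share is deliberately ignored here because its EDR agent already sees that activity; the point is to cover only the hosts the endpoint tooling cannot.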
4. ESP32 Chipset Vulnerabilities: Backdoor Concerns
The podcast addressed vulnerabilities in the ESP32 chipset, widely used in IoT devices for Wi-Fi and Bluetooth functionalities. Researchers uncovered methods to abuse the firmware controls, raising concerns about potential backdoors.
Key Points:
- Research Findings: Spanish security firm Tarlogic explored vulnerabilities allowing arbitrary code execution on ESP32 chips, though practical exploitation remains limited.
- Threat Model Considerations: While not immediately exploitable over the air, the vulnerabilities could be significant in high-threat environments requiring rigorous security measures.
Notable Quotes:
- Rob Joyce [15:59]: "The research got pumped for marketing or there’s confusion in how research is presented. Solid technical work, but it just doesn’t mean backdoor like we've seen in the headlines."
- Patrick Gray [19:14]: "You could reflash that through this vulnerability and chain it to that other one. And that's how the most advanced attacks happen."
5. Bybit and Safe Wallet Breach: North Korean Cyber Operations
A critical segment covered the Bybit and Safe Wallet breach, where North Korean actors exploited a compromised developer's AWS account to steal approximately $1.5 billion in cryptocurrency. The attackers used malicious Docker images and MFA enrollment tactics to maintain persistent access.
Key Points:
- Attack Vector: The breach commenced with a developer running a malicious Docker image, leading to malware installation and eventual access to AWS infrastructure.
- Operational Tactics: North Korean hackers aligned their activity with the victim's work hours to minimize detection and maximize operational efficiency.
Notable Quotes:
- Rob Joyce [30:57]: "They started aligning their work hours to his and then they use that access onwards into Safe Wallet’s AWS."
- Patrick Gray [34:20]: "They lit them up. They lit him up."
6. Chinese Hackers Indicted for Treasury Hack and Other Attacks
The episode highlighted recent indictments against Chinese government-backed hackers responsible for the Treasury hack and other significant cyberattacks. These actions demonstrate the US government's stance on state-sponsored cyber activities.
Key Points:
- Indictment Purpose: The indictments serve as a deterrent, signaling that the US is aware of and actively pursuing state-backed cybercriminals.
- Operational Insight: Leaks from companies like i-Soon reveal the extensive ecosystem and tradecraft employed by Chinese hackers, including the use of contractors for deniability.
Notable Quotes:
- Patrick Gray [38:16]: "It really outlines the ecosystem and the way they operate."
- Adam Boileau [38:55]: "It's akin to pulling a bunch of data and seeing if ASD wants it."
7. US Cybersecurity Talent Crisis and NSA Testimony
Rob Joyce shared insights from his testimony to the House Select Committee on the Chinese Communist Party, emphasizing the impact of recent US government layoffs on cybersecurity talent and national security.
Key Points:
- Probationary Reductions: The US government laid off employees in probationary roles, including those transitioned from military to civilian cybersecurity positions, risking the loss of highly skilled personnel.
- Long-Term Implications: These layoffs could deter future recruits and weaken the nation's cybersecurity defenses, undermining efforts to counter sophisticated threats.
Notable Quotes:
- Patrick Gray [42:11]: "These probationary employees were panicked to be able to support their families... These are the people that were impacted."
- Patrick Gray [44:36]: "Cybersecurity is national security, and so we don't want to erode the special talent and pipeline we have."
8. DDoS Attack Against X (Formerly Twitter) via Botnets
The panel discussed a recent DDoS attack against X, previously known as Twitter, executed using a variant of the Mirai botnet targeting exposed servers not protected by Cloudflare.
Key Points:
- Attack Scale and Attribution: Initially attributed to Iranian devices, further analysis suggested a smaller scale, typical of Mirai variants targeting specific IoT devices.
- Botnet Evolution: Modern botnets exploit a variety of devices, including TP-Link routers and other IoT hardware, complicating detection and mitigation efforts.
Notable Quotes:
- Rob Joyce [24:23]: "Everyone DDoSes from their house, right? No one deals with other devices."
- Adam Boileau [25:54]: "Botnets are now made up of devices like TP-Link routers and IoT gadgets."
9. Apple Patches Sophisticated WebKit Bugs
Apple addressed critical vulnerabilities in WebKit, the rendering engine for Safari and other browsers, which were likely exploited by spyware companies or intelligence services.
Key Points:
- Patch Details: The vulnerabilities were sophisticated, suggesting advanced threat actors were leveraging them for espionage or data exfiltration.
- User Impact: Users are advised to update their devices promptly to mitigate potential exploitation attempts.
Notable Quotes:
- Patrick Gray [22:41]: "After you upgrade, go turn off Apple Intelligence because it gets force-enabled after the damn update."
- Adam Boileau [23:05]: "Apple's just patched a couple of WebKit bugs that they say are extremely sophisticated."
10. Sponsor Interview: SpecterOps on the BloodHound Tool and NTLM Risks
The episode featured an interview with Lee Christensen and Justin Kohler from SpecterOps, discussing new features in their BloodHound tool aimed at mitigating risks associated with the legacy NTLM authentication protocol.
Key Points:
- NTLM Vulnerabilities: NTLM remains enabled in Active Directory environments due to legacy compatibility, posing significant security risks through weak hash mechanisms and relay attacks.
- BloodHound Enhancements: SpecterOps is introducing new edges in BloodHound to identify and visualize NTLM relay attack paths, providing actionable insights for both penetration testers and defenders.
- Mitigation Strategies: The tool assists organizations in pinpointing high-risk areas, enabling targeted disabling of NTLM where feasible without disrupting legacy systems.
Notable Quotes:
- Lee Christensen [50:16]: "NTLM is enabled by default as an additional method, so it'll try and use something more secure like Kerberos if it can. But NTLM is still there."
- Justin Kohler [56:46]: "We can pinpoint the servers that have the most amount of risk for NTLM relay attacks and then give you specific guidance to remove that."
11. Conclusion and Final Thoughts
The episode concluded with reflections on the evolving landscape of cybersecurity threats, emphasizing the continuous arms race between attackers leveraging legacy systems and defenders employing advanced tools and strategies to mitigate risks.
Final Remarks:
- Patrick Gray [45:43]: "Cybersecurity is national security, and so we don't want to erode the special talent and pipeline we have."
- Rob Joyce [48:03]: "Always great to talk to you, Pat and Adam."
Listener Takeaways:
- Stay Updated: Regularly patch and update systems, especially addressing known vulnerabilities like CVE-2024-9956 and NTLM-related issues.
- Use Advanced Tools: Implement tools like BloodHound to visualize and manage attack paths within Active Directory.
- Enhance Security Posture: Adopt micro-segmentation and robust authentication protocols to defend against sophisticated attacks.
- Maintain Talent Pipeline: Support and invest in cybersecurity talent to ensure national and organizational security resilience.
For more insights and discussions on the latest in information security, tune into future episodes of Risky Business.
