Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: InfoSec CEO Charged with Installing Malware!
Release Date: April 30, 2025
1. InfoSec CEO Charged with Installing Malware
The episode kicks off with a gripping discussion about a shocking incident involving the CEO of a cybersecurity firm. This individual, portrayed as a one-person company, was arrested and charged with installing malware on hospital systems. The malware included a PowerShell backdoor that transmitted screenshots to his own server, raising immediate red flags about the legitimacy and scope of his activities.
Corey expresses skepticism about the situation, highlighting the red flags:
"[03:24] Corey: That's exactly what it sounds like. That's like, exactly what I was like, okay, when does it come out that this was all legit?"
Wade delves deeper into the nuances, suggesting that the CEO's actions might be indicative of malicious intent rather than a misguided pen test:
"[05:08] Wade: But I mean, I guess I would say, like, I hope the person gets the treatment he needs. Right? Like, I'm not saying, like, but that's not going to, that's not going to hold up."
The team ponders whether the CEO's defense—suffering from psychosis and drug use—would stand in court, with Corey emphasizing the severity of the offense:
"[05:23] Corey: He says, he thinks, he thinks while he's in psychosis, he believed that he was actually on a job and actually doing a pen test. So, like, that's interesting."
2. Verizon Data Breach Investigations Report (DBIR) Insights
Transitioning to the Verizon DBIR, the hosts dissect several key findings from the report. They note a significant increase in info stealers and credential abuse, with phishing remaining a persistent threat.
Evan summarizes the initial access vectors:
"[13:09] Wade: What do you think? Just guess."
"[13:13] Evan: Well, there were several reports that came out and I, I saw like an overview of all of them. It was like a 45 minute overview and so M-Trends came out as well, I believe. And they said that the initial infection vector was brute force password spraying and RDP was like the top."
"[13:31] Wade: That seems wrong, but I don't know."
A notable statistic discussed is the remediation time for leaked secrets, which stands at 94 days, highlighting the challenges organizations face in swiftly addressing vulnerabilities.
Corey reflects on the report's tone, appreciating the snark injected into it:
"[12:10] Corey: I love it, I love it."
"[12:44] Corey: Yeah, honestly that, that brings so much light to like one of these security reports as you're reading it."
The team also touches on the alarming rise of AI-assisted threats and corporate data leakage to AI, emphasizing that while AI can aid in both defense and attack, the leakage poses a more significant risk.
Wade cautions against writing malware in PowerShell due to its detectability:
"[07:53] Wade: Erase secrets before they get used."
3. Whistleblowing at the National Labor Relations Board (NLRB)
A controversial whistleblower case is examined, where an individual from the NLRB claims unauthorized access and data exfiltration within the organization's cloud environment. The whistleblower alleges that they were granted global admin privileges on day one, subsequently removing admin rights from others and exfiltrating 10GB of data.
Wade questions the legitimacy of the whistleblower's claims, pondering if it was a breach rather than insider malfeasance:
"[29:11] Wade: There's a big Krebs article, Brian Krebs. I mean, this is going to get a little political."
"[31:04] Gina: But, well, there's also, there's also, there's also the follow the money aspect."
The discussion hints at potential underlying motives, such as anti-union sentiments linked to major companies like Amazon and SpaceX, adding layers of complexity to the case.
Corey remarks on the unsettling nature of the breach:
"[33:11] Corey: Yeah, that's what I was looking at. I'm pretty sure I'm part of one of these breaches."
4. AI Security Concerns: Note-Taking Apps and Deepfakes
The hosts shift focus to the rising threats posed by AI, particularly in the realm of meeting note-taking applications. These seemingly benign tools can act as worms, silently infiltrating organizational systems by requesting Office365 login credentials and spreading malicious apps internally.
Evan highlights the stealthy method of these AI note-takers:
"[22:27] Wade: Oh yeah, it's consent grant attacks during those. Exactly."
"[22:58] Corey: They wonder."
The conversation also touches on real-time AI deepfakes demonstrated at DEF CON, emphasizing the potential for fraud and unauthorized impersonation.
Wade underscores the danger of AI-assisted threats:
"[25:02] Wade: All right, honestly, if your secretary isn't using PowerShell, you should ask them what they do."
"[25:16] Corey: Could be subpoenaed though, right?"
5. Data Leak Incidents: Work Composer and S3 Buckets
A case study of a data leak involving a time-tracking company, Work Composer, is discussed. The company inadvertently exposed employee screenshots to Amazon S3 buckets due to misconfigurations, underscoring the persistent risks associated with cloud storage mismanagement.
Wade expresses bewilderment over the ease of making S3 buckets public:
"[33:30] Wade: Well, okay, go back and watch it at your own risk."
"[35:16] Corey: Yeah, there's some dev out there that's just like, this was the easiest way to do it."
The team debates the feasibility of such breaches in modern cloud environments, considering enhanced security measures yet acknowledging human error as a recurring vulnerability.
6. FBI Annual Internet Crime Report Highlights
Referencing the FBI’s 2024 Internet Crime Report, the hosts present alarming statistics on cybercrime. With 859,000 complaints and $16 billion in losses, the report paints a dire picture of the current cybersecurity landscape.
Corey points out discrepancies in state-specific data, hinting at potential reporting errors:
"[37:25] Wade: I'm not sure 100 CVE is exploded."
"[47:14] Wade: But I see they're still building this PDF in COBOL. No, I'm just kidding."
The discussion highlights the prevalence of phishing, spoofing, and extortion as top complaint categories, while also critiquing the potential underreporting of breaches.
Wade muses on the financial implications:
"[52:18] Corey: Could be subpoenaed though, right?"
"[54:10] Wade: Financial."
7. Vulnerabilities and CVE Discussions
The episode delves into the persistent issue of exploited vulnerabilities, especially within legacy systems. The team discusses the challenges organizations face in patching CVEs swiftly, with some reports suggesting exploitation within 24 hours of disclosure.
Corey criticizes the ambiguity in CVE exploitation metrics:
"[38:57] Wade: Yeah, I mean, yeah, they published a tool."
"[40:44] Corey: They explain a bit more in VulnCheck's actual report, but still then it's still marketing."
The conversation also touches on specific high-severity vulnerabilities like those in SAP NetWeaver, emphasizing the ongoing threats posed by outdated software frameworks.
Evan reflects on the evolution of exploit techniques:
"[43:42] Wade: So we're good. But the Java back in 2002 they."
"[44:39] Evan: Yeah, that's something that's funny about the CMS."
8. Closing Remarks and Final Thoughts
In wrapping up, the hosts reiterate the critical need for robust cybersecurity measures, including continuous penetration testing and proactive vulnerability management. They emphasize that while advancements like AI present new challenges, foundational security practices remain paramount.
Corey concludes with a light-hearted yet poignant remark on ransomware:
"[57:26] Wade: Yeah. Yeah, that's a good one."
"[57:33] Evan: Yes, no, it's."
The episode underscores the multifaceted nature of cybersecurity threats, urging listeners to stay informed and vigilant in an ever-evolving digital landscape.
Notable Quotes:
- Corey at [03:24]: "That's exactly what it sounds like. That's like, exactly what I was like, okay, when does it come out that this was all legit?"
- Wade at [05:08]: "But I mean, I guess I would say, like, I hope the person gets the treatment he needs. Right? Like, I'm not saying, like, but that's not going to, that's not going to hold up."
- Corey at [12:10]: "I love it, I love it."
- Evan at [13:13]: "Well, there were several reports that came out and I, I saw like an overview of all of them. It was like a 45 minute overview and so M-Trends came out as well, I believe. And they said that the initial infection vector was brute force password spraying and RDP was like the top."
- Wade at [22:27]: "Oh yeah, it's consent grant attacks during those. Exactly."
- Corey at [43:42]: "So we're good. But the Java back in 2002 they."
These quotes encapsulate the hosts' insights, skepticism, and critical perspectives on the discussed topics, providing listeners with a nuanced understanding of the complexities within the information security realm.
Cover art: InfoSec CEO Charged with Installing Malware! – 2025-04-28 - Talkin' Bout [Infosec] News