Corey
All right, explain how the Muppets work.
John Strand
Okay, so exactly. The Muppets. Whenever you live out in the middle of nowhere, and the only television station you would get would be, like, PBS. Periodically you would get Muppet specials, right? And you're dealing with, like, Sesame Street. And you would get that as a kid. All the other kids, like, after school, they're getting, like, Mask or GI Joe or any of these things. And you got whatever the hell it was that PBS had. Every once in a while, you would get the Muppets. And Muppets were, like, amazing because it wasn't like the news hour with, like, Bill Lear or whatever the hell his name is. And you would watch the Muppets, and the Muppets were awesome because they were different. Super excited about Muppets and, you know, and then looking at them as I get older, I don't know. It's just. Just a continuation of the Jim Henson empire. I don't know.
Corey
So it's nostalgia. So you're telling me.
John Strand
I would say it's vastly more nostalgia than anything else. Right. Like, for certain people in certain generational lines.
Corey
But there's nothing wrong with the Muppets. It's just a certain type of person really likes the Muppets because it's super nostalgic for them.
John Strand
I would say it's super nostalgic as far as, like, anything wrong, I think. I don't know. Maybe there's a lot of politically incorrect things within the Muppets characters. You know? God.
Corey
But Kermit the Frog is unimpeached. Other than having maybe a little bit of an abusive marriage, possibly. Yeah.
John Strand
But it wasn't his fault, right? He wasn't the abusive one.
Corey
No. Yeah, that's what I mean. I'm saying, like, we normalized that. It was like, haha. But now it's like, not.
John Strand
Yeah, it's not funny looking back on it, but it's a time capsule of the 80s, right?
Corey
Like, you know, there's a reason he drinks.
John Strand
Oh, wait, there's a reason he drinks tea. It's none of my business.
Corey
I just remember all the gifts of Kermit. Yeah, he drinks tea.
John Strand
Yeah.
Corey
But is it tea? I guess it looks like it is.
John Strand
Yeah. It's. Yeah, it's all kinds of things. So I. Stuff that I was drinking. Dude, if you ever see me drinking a bottle of Jack, shit's gotten really sideways. Like, things are not good.
Corey
That's in the category of just run. Yeah, just run. If you see John Strand drinking a bottle of Jack Just run the other direction.
John Strand
It's over. It's over. So before we ready to do this, this is going to be a hell of a show. I think a lot. It's kind of. I. I hate these shows where we're. We're doing the show while we're all watching the news. Like, you know, we're watching, like, the live feeds of what's going on, because you don't want to be in that situation where it's like, oh, and then Iran knocked off this power grid in the eastern United States. You know, it's. That hasn't happened yet. I'm just saying, you know, we're all kind of watching the news real time as it. As things escalate, maybe, and maybe they're gonna stabilize. Who knows? So are we ready? We can read comments. We got it.
Corey
We read all the comments, and if they're bad, we ban you forever. So.
John Strand
Yeah, we do. We do.
Corey
I'm just. I'm just kidding. All right, go for it.
John Strand
Religion and Muppet comics. That'll get you kicked out of here real fast. So.
Corey
Hi, and welcome to Black Hills Information. All right, try again, try again.
Wade
Animal, please, please calm down. Animal.
John Strand
Oh, my God. Jackie's nailing it.
Corey
All right, please do the actual intro. I'm sorry I derailed.
John Strand
Oh, my God. Hey, everybody. Hello, and welcome to another edition of Black Hills Information. Talking about news. Another one of those news episodes were like, hey, there's clearly nothing going on in the world. And I was just talking about it before we went live. We're probably going to be. We're probably going to be refreshing the news while it happens. If it's a bit subdued. If things happen on the cyber realm, please let us know in comments. We'll be watching this as it's developing. I don't think that anything in the cyber end has developed yet, just Iran has launched an attack on some US military base or just a US military base if kind of strange. There's news stories that, like, Trump warned Iran of doing the attack a couple of days ago, and then Iran warned Trump that they were going to attack the. The base. And I'm just like, man, modern warfare is weird. It's like drones and pre notifications. It's like two kids swearing off in the. In the block. It's like, well, I'm going to punch you in the head and then I'm.
Corey
Going to kick you.
John Strand
It's just really weird. But we're watching it because there is a cyber component, because Iran is definitely a cyber aggressor. And so is the United States, to be honest. Iran just shut off their Internet, which I guess if you're trying to keep the USA out, that's a good way, right? Guys, just how can we stop the NSA from happening?
Corey
Okay, let's just.
John Strand
So that's the Internet.
Corey
That's the part I don't get. So the article is a TechCrunch article that basically is essentially, virtually everyone in Iran lost access to Internet earlier this week. This was from June 20th. So this is kind of a last week thing. I'm not sure if this is currently still happening or what the status of the Internet in Iran is, but basically they blacked out their own Internet, which we've seen this before, but I'm always like, this seems more counterproductive than productive. I don't know. Like, so are they drones aren't just using the Internet, are they? Like, do I not understand how drones work? No.
John Strand
So going back to some historical context, so whenever we, whenever you're looking at like Gulf War, especially Gulf War two, one of the things, I think I've talked about this on the show, the Internet actually stayed up in large swaths of Iraq. And you know, anytime there was anything that was done in Libya and things like that, people would think the United States government would shut the Internet down. And that's not true because the Internet is one of our biggest intel sources. So if you're looking at recon and how the NSA actually works, a lot of times they can identify where key assets are by tracking the communications of those assets. So in a lot of scenarios, the.
Corey
Guy Fatma, I'm not going to say that I cannot say this person's name properly. So I'm not going to try. But Iranian spokesperson said many of the enemy's drones are managed and controlled via the Internet. Is that true? Because if it is, that's terrifying.
John Strand
Maybe oversell some cell technologies, but honestly, there's also some weird things. If you get down at the bottom of the article there's someone quoting saying that people are getting around these restrictions relatively easily. Where is it? Where is it? Where is it?
Corey
Technical people, it says, yeah, my friends.
John Strand
Are tech savvy, so they can bypass these restrictions. So that last quote, the reason what I was trying to get to is usually the United States wants the Internet to be up and running because they can get intel out of it. They're not going to shut down their biggest source of intel because you can track assets, you can track targets, you can track success of different operations. So them shutting down the Internet in Iran, it could have been self shutdown. When I first read this, that's what I thought that they were doing. But whenever I get down to the bottom and they're talking about how their tech savvy friends can get around these restrictions, that leads me to believe that this has more to do with information management and psyops than it does actual technical ops relating to actual attacks or defense. So that's kind of where I leaned towards this towards the end. Because if you're truly concerned about the NSA, you wouldn't have something where your tech savvy buddies that know how to use a VPN can get around it.
Corey
It's not the NSA they're worried about. The spokesperson said it's Predatory Sparrow, which is a pro Israel hacker group. What pro is Predatory Sparrow is the threat actor name. They haven't really been. Yeah. But even associated with the Israeli government. But it's.
John Strand
Yeah, if you're going to try those guys out, you wouldn't shut down the Internet so your good buddy can get around it. Um, it they. Yeah, they're clearly doing this for information management.
Corey
Well, it seems also counterproductive to me. Arguably the best case scenario if you're a nation state hacker is to take down the entire country's Internet. Like.
John Strand
No, no, no, no it's not. Once again, your best thing is to keep that Internet up and running because that's your source of intel. Yeah, you want people, I guess, phones, you and especially cell phone networks. Right. They can track the cell phones associated with different, let's say different high ranking officials. So if you're looking at how a lot of people do ops like SecOps, if they have a regular cell phone, like let's say I've got my cell phone. Right. And you can track the location of people's cell phones. We've known this for years. People have been doing it in paparazzi for a long time. It's how cell networks work. Right. You have to be able to track the location of cell phones. So what you can do is you can track that cell phone and then in times of crisis like this, a lot of people will switch over to burner phones and they'll shut off their personal cell phones. Well, that switch off from where one phone goes dark in a location and another one lights up immediately in a location is a good indicator. Right. You're looking at like a pattern of life and you can now track that phone. So once again, if you're in a global nation state, on nation state action level event you want that network to be operational because it is one of your biggest places of intel and SIGINT. So you want to keep it up and running. It's. So there's no real good reason to keep that. If you're trying to attack someone, to shut it down completely, especially.
Wade
It sounds to me more like what's happened anytime they've had massive protests there and shut down the Internet, etcetera, it's trying to go ahead and control their populace. So that way they don't see how bad they're actually doing.
John Strand
Yeah. Or they could. They can control it completely. Right. Because if you were truly worried about the Israelis, you were truly worried about the NSA, you would literally pull the plug.
Corey
But I'm also super confused because the Foreign Ministry of Iran is tweeting. The world must see the truth. The Israeli regime is committing aggression against Iran. Like, they're. They're also like, okay, you're allowed Internet to tweet about why we're being attacked. Everyone else is not.
John Strand
Yeah.
Corey
I don't know.
John Strand
Control.
Wade
I mean, how else. How else are they going to keep themselves up so that way they can try and counter attack cyber through the Internet?
John Strand
Yeah.
Corey
I feel like this is just chaos. I'm chalking this up to chaos. I don't think this is really much of a calculated move. I think it's just, whoopsie, we shut down the Internet because someone asked us to, and I guess we'll half shut it down later and maybe turn it back on. I feel like it's just a chaos move. I could be wrong, though.
John Strand
Yep. I agree. But I'm going to go with Shecky, though. Like, I 100% agree they're trying to control information. Right. Because if you're looking at the current regime in Iran, and I'm not an expert in this geopolitical area, they've got two separate things they're dealing with. Right. You're dealing with the bombing, and at the same time, they've had a number of different uprisings over the past few years. And one of the main concerns is that this can lead to a weakness or perceived weakness that could lead to another uprising. And to be sure, if I was in charge of Israel's defense or the United States defense, I'd be doing psyops to encourage those uprisings. So absolutely trying to control the information. Just like Shecky said, dead is right there. I mean, they've got to be good.
Corey
Yeah, it's definitely a way to make your citizens very angry at you, because you can't even doom scroll while you're getting missile struck. That'd be pretty lame.
John Strand
Yeah, it's kind of rough. It's kind of rough. If I was getting missile struck, I need to be able to doom scroll cat.
Corey
I know. I'd be like cat videos. Cat videos. Okay.
John Strand
It's okay.
Corey
Put in the AirPods. Turn noise canceling.
John Strand
Fine. What's going on in Puff Daddy's trial? I need a distraction. What are the Kardashians up to?
Corey
Celebrity fails. Lol.
John Strand
Yeah, so, yeah, but there's a number of articles like census warnings. Actually there's a ton of articles talking about like be prepared for cyber retaliation. And I would.
Corey
How they don't have Internet. I would love.
John Strand
Yeah, right. I'm in North Korea. How would they do that? And I don't know what to say to people when they're trying to talk to me about this. Like, what should we be doing? What does Iran have? What is going on? Are they going to partner with Russia? Are they going to be wide scale cyber attacks against the United States? I. I think that there's been a lot of theories, right? Like Russia has already embedded themselves in critical infrastructure and there's been a lot of theories that Iran is already in critical infrastructure, things like that. Right. And we've even talked about some of those things and it's solar winds, those types of operations and some of the stuff that Iran has done over the years kind of leads yourself to believe that that might be possible. But honestly we didn't know. Right? I mean, we've seen some indications of some really advanced attacks, but right now I'd like to open it up. Do you all think that Iran would use this? Like, do they view this as a high enough attack by the United States to basically bring out and start blowing out all their cyber weapons and all their embedded sleeper cyber cells and start bringing down critical infrastructure in the United States? Or do you think that they're going to pull their punches or are there no punches to pull? Do they not have the level of access that a lot of people in the industry were constantly saying that they did? And a lot of that stuff that we had in the security industry was just fud about what Iran was doing as a nation state adversary?
Wade
I think that there should be a little bit more vigilance. I don't think they're going to activate their cells or anything like that. I don't. I think that that would be more of a last resort situation if they felt they even had a chance at that point in Time. I think right now they're more concerned about preservation and holding up into what they're doing. The other interesting thing about, about it with it all is the age of their supreme leader nearing up that end and reports of. Reports of him going and saying, these are the three people, that one of these three people should be the one to succeed me. And how much is that going to play into it all?
John Strand
Oh, agreed. And I guarantee they're all kind of crazy, just a little bit. I mean, that's okay, I guess, but I don't know. I don't know. Like, there's so many geopolitical things moving so fast and to be honest with you, we got some people are saying they're just trying to save face right now. There's so many things that are moving so quick. I am actually surprised. If they did have deep access into critical infrastructure in the Western, in the western space, I honestly believe that they would have pulled those. They would have pulled those cards.
Corey
Yes, they would have. I think this is.
Wade
They would have. They would have definitely pulled that on Israel at this point, point in time, if they have that sort of access.
Corey
Do you. I think this is fud. I don't think this is, I mean, I agree with like, always an elevated level of threat, but also, like, I mean, let's be honest, who's having better success against US entities right now? It's financially motivated threat actors.
John Strand
Right?
Corey
Like, that's what's working right now, not nation state. I'm not saying nation state threat actors aren't doing anything, but like the other, other articles we're going to talk about in the show are mostly financially motivated threat actors. So I would argue that's probably a bigger concern than Iran. Unless you're like a very specific, pure government entity or someone, you know, making missiles or whatever, Maybe it's a different concern. But just for the average business, I don't think anyone's taking down a napkin company because they're in the U.S. like, I don't know. I could be wrong.
Wade
Well, I think.
John Strand
Oh, go ahead.
Wade
I honestly think that it's not Iran that we have to keep an eye on, but their allies, which are Russia and especially China. With the reports that we've had of how deep China has been able to get into our infrastructure at times, I think if something goes sideways with Iran to the point where one of those two feels the need to intervene, then we could see that sort of escalation. But it won't be the Iranians themselves, at least in my opinion.
John Strand
And the other thing that I, that I look at, kind of like to riff on that, that I think is a very important take, is the whole goal of this, if you're looking at Russia and you're looking at China, is destabilization, and then making sure that that destabilization goes as long as possible. So, you know, doing a completely massive retaliation, like what they did against the base seems to be really small. I don't think that I could be wrong. It could just be a simple opening salvo. But I would see from their perspective is they want this destabilization to go as long as it possibly can. So they'll maybe do some attacks against a base the United States runs in the Middle East and then maybe wait a little while, hit Tel Aviv again and just shut down the Strait of Hormuz and shut down all of these different things. But hitting up everything all in one shot, I just don't see that in the cards because I feel like they would have done. Done that already. They would have already done the cyber option at that point.
Corey
They also have way bigger fish to fry. Like, this is way more important. Kinetic attacks, critical infrastructure on their side. Like, I don't know, you're right about the allies, but the allies also have big fish to fry. Russia's got missile attacks from a whole different angle coming from Ukraine. And like, you know, China's kind of staying out of this right now, but yeah, Russia's got bigger fish to fry. I don't know. I. I'm not super worried about the cyber, but I'm also not like, super connected in the intel industry, so who knows?
Shecky
But.
John Strand
Well, I've spent a lot of time reading and, like, watching tons of people talking about this. And it's just like I said, the takes are all over the place. Like, either a, they completely compromised critical infrastructure in the United States. We're all going to die horribly all the way through. They really don't have. They're a paper tiger. They really don't have that good of a cyber offensive operations anymore. Or the United States is already taking it down. You know, they're doing that for years through other means and other kind of weird targeted renditions and operations. But I don't know. I mean, and I think everybody on the geopolitical stage, even the experts are like, the biggest concern that they have at this point is nobody knows where the hell we go from here. This has been the thing that people are the most concerned about is it's very hard to kind of like, look at this and Say, okay, this is where it's going to be a week from now. Just because the actors all incredibly unstable.
Corey
Yeah. And they don't even have Internet. So there is that.
John Strand
They don't have Internet, so we don't have to worry. Somebody was saying, we talked about the use of AI propaganda. Once again. I, I like the AI propaganda stuff that I've seen has been absolutely ins.
Wade
Oh, oh, I think we lost John.
Corey
He looks really happy in that like freeze frame though. So what is AI propaganda? What does that even mean? Is that just people posting images like the one posted in Discord of like hilariously outscaled F-35 or whatever that is. That's like 10 times or maybe more bigger than it actually should be? Is that what's happening? Sorry, John, you cut out.
John Strand
Yeah, I don't know.
Wade
I think to answer your question, Corey, it goes more along the lines of deep fakes that are being produced at this point in time.
John Strand
Well, getting into the, getting into the deep fake thing, like as this thing progresses, you're going to get a lot of information coming out from the places. And this is. We've already seen this in Ukraine and we've seen this in Russia. Right where. And God, you keep even go back like seven, eight years ago, or wasn't even AI generated, but kind of creating these campaigns. Like, look at all the people that have died here. Look at this horrible thing that happened. And it's AI generated. You know, it's getting weird to try to. You almost need to verify something happening from multiple different locations. Like the original missile strikes against Tel Aviv whenever the first retaliation came back. One of those things. It's like, okay, from the news perspective, we have the same event happening from multiple different cell phone cameras, from multiple different angles, multiple different geographic geopolitical places. Okay, this is probably some real news.
Corey
Yeah, we know, we know. Decided to self. Self switch to the non nation state backup Internet that he has.
Wade
We'll know this gets real. We'll know this gets real when we start seeing Muppet news flashes on.
John Strand
Are we just gonna hang on the Muppet thing? I just. Yeah, I think. Yeah, yeah.
Corey
So moving on from nation state on nation state action, unless anyone else has any final thoughts on that. I mean, I, I think we're gonna.
John Strand
Have more, I think next week for that.
Corey
I mean, I guess like to kind of, you know, put a point on the Iran thing. Like they have confirmed breaches. Iran has confirmed breaches of their. One of their major banks and an cryptocurrency firm. So like there are Active campaigns against Iranian assets. You know, there's lots of history of disrupting key services and things in Iran. So you know that is a factor. There's also kinetic stuff.
John Strand
I don't see a lot new. Yeah, a lot of that crypto level stuff, it's not new. I mean it's been happening for this.
Corey
It's pretty new. I mean it happened on June 18th. So basically they're like on June 18th Iran announced Nobitex or Nobe Tax, I don't really know how to pronounce it. On Wednesday got their funds drained. Right. So they got $90 million stolen.
John Strand
What I mean is we've seen attacks on crypto exchanges before that. Like it's.
Corey
Yes, but this is clearly tied specifically to this. If it's done by Predatory Sparrow, it's Iranian. Like it's. I don't know, it's intentional. And they've announced they took credit on X. They said they targeted them for financing terrorism for the Iranian regime and evading international sanctions. So like this is interestingly enough, like I agree with the overall approach that we're taking which is that they're doing it to self, you know, to avoid as censorship. They're doing it for censorship. But there are two active breaches of Iranian companies that are legitimate and real. So there is that. We have to call out both things. Two things can be true. They can do it for censorship and they can do it because they're getting actively breached. And this will stop the bleed a little bit.
John Strand
Yep, absolutely. So do you want to talk about insurance companies?
Corey
Yeah. So Scattered Spider has been kind of our poster child of the scary boogeyman for the last couple years because congratulations.
John Strand
Scattered Spider Better want to say job.
Corey
Congratulations. We have, we have your, we have your posters up in our offices here. Yeah, no, basically they're financially motivated threat actor. They've gone after they went off, they're famous. Like they kind of broke onto the scene with MGM. That was their big one back in April 20th or June 2021 or whatever. Then they kind of went quiet for a while but now they're definitely back. The main thing that's unique about Scattered Spider is they're English speaking, they're young males mostly from the US and Canada. So they have limited accents. They have knowledge of how companies work. They have, you know, I guess culturally relevant knowledge that helps them in their ransomware campaigns. Basically they now appear to be going after insurance companies. There was an article posted on BleepingComputer that basically Google, which I don't this is like a rare thing from Google, but I guess they own Mandiant. They call it Google Threat Intelligence Group. They basically are saying, we're aware of multiple intrusions in the US which bear the hallmarks of Scattered Spider activity. We're seeing incidents in the insurance industry. So just to kind of list, you know, Philadelphia Insurance is down or was down and had like a data breach notice. Erie Insurance was also down. That one I think we should dig into a little bit more because the Erie Insurance one, specifically on their website, they say it's not ransomware. But I'm like, it seems to be ransomware. So, yeah, I don't really know what's going on there. I had a bunch of companies reach out to me or clients and just say, like, hey, do you have any information about this? And I was like, we know what you know, Like, I don't have any. It fits. It makes sense. Oh, yeah, also Aflac, which I'm just thinking of the Goose. The Goose, yeah. Aflac is in the list. Yeah, I guess. Did you, John, did you read the Erie Insurance, like, statement? My question is, how can you be down for two weeks and not be ransomware? What scenario possibly is it?
John Strand
Let's say that it's not ransomware. It's actually more terrifying than ransomware. Right.
Corey
What is that, though?
Wade
Incompetence?
John Strand
No. So let's. Let's throw out some things because random speculation is what.
Corey
Okay.
John Strand
Right.
Corey
One of the.
John Strand
At the heart of a lot of these companies is incredibly decrepit legacy hardware and legacy software.
Corey
AS/400s.
John Strand
AS/400s, we joke about it all the time, but I have people all the time that are like, dude, no, we're running AS/400s with Rack apps.
Corey
Oh, yeah. No, it's not a joke.
John Strand
It's not a joke. Right. And those systems are getting harder and harder to maintain. We've talked about it over the past couple of years how going and trying to get components for some of these legacy systems is next to impossible on eBay. And if this thing goes down, who the hell maintains it? And I kind of. The only other thing I can think of, if it's not ransomware, it's ridiculous tech debt. It's absolutely.
Corey
That's what I was thinking. Like, they messed up their backup restore and accidentally deleted all their backups. It's got to be just incompetence, like.
John Strand
Shecky said, really bad incompetence. Right. And this is one of those things. Remember, whenever we're testing, we'll find legacy technology and we'll put in the report. It's like, hey, you're running unpatched and unsupported systems, right? And they're like, yeah, but did you hack it? It's like, well, that's not the point. You're going to need to replace this at some point. They're like, well, you didn't hack it, so we don't have to fix it, right? And it's like, no, no, at some point, point this will be bad. But this has been a fight that we've been fighting for the past decade. Right? And even probably earlier, I think the.
Corey
Funniest comment so far, Flackvest says the threat actors ran updates on their AS/400. That was what happened.
John Strand
If you don't pay me right now, I'm going to update this AS/400.
Corey
I will patch your system.
Shecky
They'll get hired. Not many people can patch those.
John Strand
Yeah, well, they didn't say patch it successfully, but enough.
Corey
It was an unsuccessful patch based on the fact they've been down for two, two weeks.
John Strand
Oh, and XP is talking about Solaris. That's DOD's favorite, right? Like, you get into defense systems and they're running Solaris SPARC 8 and 9 systems still. And the people that know how to code that or fix it are gone. And this is one of the. They kind of kept taking a detour over to artificial intelligence. That's got me completely spooked is all of these companies are like, effort. We're done with developers. We're doing all of our stuff through vibe coding. We can replace all these developers with artificial intelligence. Who the hell is going to maintain that crap? Like, like, what is the tech debt curve of doing code that has artificial intelligence behind it? If you're looking at tech debt, like, we're just speculating on Erie. I'm guessing it's tech debt. Some horrific change management process failed. Because it's either that or ransomware. And at this point, if they're lying about it not being publicly traded.
Corey
Yeah, they're a publicly traded company. They can't lie. I mean, well, I guess they can, but they'll go to jail. You can't do that.
John Strand
There's a lot of times they'll be like, it's always like, well, is there evidence? I guess with ransomware there would be evidence because there'd be the ransom, but I don't know.
Corey
Yeah, they can't get away with that. No, you cannot. You cannot explicitly say it's not ransomware and have. Like, there's no way. I don't know.
Shecky
But I guess we got to come up with a good. We gotta come up with a good word for like, vibe coding. Debt.
John Strand
Vibe. Debt. No, it's too.
Shecky
It's not vibe. That's not good enough.
Corey
I mean, let's just call it Skynet debt. Just call it Skynet. That's what it is.
John Strand
It's debt to Skynet. Skydive. I don't know.
Corey
Yeah. You're like, all right, we got to get more AI to fix the AI code that. Yeah, I just.
John Strand
I. Guys, I got to be honest, this whole AI thing, it feels an awful lot like outsourcing back in 2002, like the. The dot-com boom. It really, really, really feels like everybody was outsourcing to India and that was going to be it for a ton of American jobs. We can. We don't need developers in the United States. We can get them in India much, much, much cheaper. Cheaper. Look at all the money that we're going to save. CEOs coming out saying it. And what was it? The. What was the book? The Four Hour Work Week? Like, the whole premise of that book was outsourcing your professional life to some people in India. Right. And it feels just like that again. It just feels like the same level of crap all over the place. It's just coming back around again.
Corey
I think that's accurate and I think similar to what happened with outsourcing is long term. Some stuff will make sense to outsource and some stuff won't, and some stuff will. AI will have applications that work really well and it also will have places where it doesn't belong.
John Strand
So I. Dude, we've talked about it. I think AI is phenomenal for pseudocode, for like, not even pseudocode, but like, like functional kind of shift for shiv code.
Corey
Like we write for hacking. It's great. You don't need anything. It needs to work once. Right.
John Strand
Hand components off to a competent development team that can actually build it appropriately.
Shecky
Is shiv code a term you guys use? I've never explore.
Corey
Yeah, it's a total industry term. You didn't know about shiv code? It only has to work once, man. I'm launching a python. python.exe exploit.py. As long as that functions once on one system, I'm good to go one time.
John Strand
And for hackers, we just need it to work once. That's it. That's all that we need. So an AI is.
Corey
But if Facebook's doing it, it. That might be a problem.
John Strand
Yeah, I. I've talked to companies lately that are like, yeah, we're. We're completely just reskinning our entire development team and doing all of our stuff with AI. I'm like, it's going to hurt. It's going to hurt real bad here at some point. And Erie. Like, I know it's probably not AI, but there's some tech debt. There's clearly. Either they were ransomware or horrific tech debt occurred. And it, you know that I think we're going to see that type of tech debt, catastrophic failure happen more and more and more moving forward, especially as more and more of the code is getting abst it through artificial intelligence as well. Somebody said, that's me with C. Wreck that. There we go. So what. So I guess go ahead. What you got? What's new?
Corey
I was going to say, Wade, tell us about you got any good threat intel about Scattered Spider that you're willing to share here? I. I mean, I don't know anything about intel, so I, I just like read news articles and I'm like, that's intel, but.
Shecky
So you mentioned intel and it summoned me. But I have been internetless for the last three weeks.
John Strand
Weeks? Yeah.
Corey
Were you in Iran? Are you in Iran?
John Strand
Wait, hold on. Are you working for Erie Insurance in Iran?
Shecky
I can't confirm or deny the existence of me working for insurance firms on site for three weeks, but let's just say there's some better detections in place. They're not shiv detections for sure.
John Strand
Yeah.
Shecky
So what happened with Scattered Spider? Like, I honestly have no clue.
Corey
No, I mean, basically not to read anything. No, you're good. The. The article was basically just that now they're going after insurance companies. There's Aflac, Erie, Philadelphia. There's a bunch that are currently out dev tunnel claim.
Shecky
That's all it is. It's dev tunnels. I'll tell you.
Corey
Just dev tunnels all the way down.
Shecky
I keep seeing dev tunnels everywhere.
John Strand
Yeah, but it's good. This is the way like the hacking community has been for the longest time. Like I go back to like early Microsoft, right. Like we're looking 2003, 4 and 5 that people were looking for RPC and LSASS remote. Well, LSASS through remote procedure call vulnerabilities. Right. And it was just like the attackers were focused like a laser beam on that. You can move up to Adobe, right? Like Adobe had tons of vulnerabilities, especially in like their compression software. And every attacker was just exploiting the hell out of Adobe. Before that it was Flash. You move forward a little bit and you start seeing exploits in Oracle, whoever the latest exploit surface du jour. We're seeing a ton of news stories now and we'll talk about one maybe a little bit later. RMM tools where attackers are going after these RMM services that MSPs and MSSPs are using and they're just popping them all over the place like, you know, just seeing exploit after exploit after exploit. So when you see like the insurance company I think was last year, it was a bunch of credit unions across the United States. It's just the attackers are weird in the fact that it's like a dinner bell goes off in a certain market segment or a certain technology stack and they just pig pile on that until something else shows up and then they kind of pivot over there and they start nailing it. So this is just the next iteration. Right. We're just seeing it. They're going to insurance companies again and I guess it's insurance companies' time in the tank.
Corey
Yeah. And they're. And just to kind of like give a little bit of. Because we try to, you know, give information that could actually help our, our, our audience. So their primary technique is social engineering. They have a few different social engineering tactics, but the main one is help desk social engineering. We've talked about this ad nauseam on like Alice did a talk about it at Wild West. We've talked about this a lot. But basically remove the ability for your help desk to reset MFA factors and potentially even passwords and you're good. That's all you gotta do. There's also some SIM swapping happening, but for the most part it's social engineering. It's targeting employees directly and it's targeting help desks. And so just be on, be on the lookout for social engineering. We should, I guess let's address this 16 billion data leak. Yeah, this is one like a bunch of people.
John Strand
We're a news podcast and it's like, oh, crap, this shit again.
Corey
Yeah. So this is a lot of people hit me up and asked me about if I had this data or, you know, if I, you know, this is worth going after. I think so. Yeah. This isn't a new breach. There was a bunch of news circulated about, oh, Apple, Apple accounts are breached. But it's just stealer logs, people. It's nothing new. It's just someone catted a bunch of files into one file and now that's a new breach. Like this data is nothing new. It's mostly consumer data. It's not employee data. It's not like, yeah, these are info stealers. They're just combined together. They call them combo lists. They attackers. Just combine them together and market them as new things. If you have something like Flare or SpyCloud or Intel X or you know, any data breach, dark web intel source, you're already covered. If you don't have that, you should get that. But yeah, definitely, this is nothing new.
Shecky
Just, just go on Have I Been Pwned. Sign up for it for your company.
John Strand
Lagging a little bit. I don't know. Did you guys see that trauma now? Yeah, a bit of an outage. It was brief but yeah, it was brief but also like people are bringing up, they're like, I don't know what the acceptable time limit is for data broke. Not data broker but breach notification services. Like Have I Been Pwned to get this? People were kind of flaming Troy a little bit and saying oh this isn't, this isn't on Have I Been Pwned yet? So I don't know.
Corey
I guess I would say Have I Been Pwned is not info stealer data and it never has been and it never will be. So if don't. If you're expecting to go after credentials like this, don't do it on Have I Been Pwned. Have I Been Pwned is awesome, don't get me wrong. But they're dealing with data breaches. It's a different thing. So I would say if you really want, if you're a consumer and you need to look at this, I believe Hudson Rock has a place you can type in your email and see if it's in any info stealers.
Wade
So I think this is another case of where people need to realize when this sort of information first comes out, take a look and think logically about it. We've seen this not just with the 16 billion, but didn't we have like 3 billion last year and another one the year before that or six months before that where it all was just regurgitated again. And what's happening is that a lot of news outlets, especially Forbes and I don't like calling people out but Forbes winds up sensationalizing it because well, it's to them something important without waiting to see who actually is reporting what on it from reliable news sources.
Corey
Yes.
Wade
Well, we had, we had it my. At my work. All of a sudden somebody went ahead and popped into a Teams chat about this and myself and my CISO both at the same time typed back with this is going to be nothing. Wait for BleepingComputer to go ahead and put a report out and 10 minutes later, sure enough. There it was from BleepingComputer: regurgitated data. Yep, not a big deal.
John Strand
Waiting for it.
Corey
So what happens is journalists go on RaidForums or BreachForums and they see the post that says for sale 16 billion credentials for Apple, blah blah blah, and they kind of get taken for a ride by these hackers' marketing. That's basically what it is. They're falling for marketing by hackers because hackers are trying to market to people buying this data. So they're going to make it look really juicy to the people who are going to be sending them bitcoins. So it really comes down to just doing like, you know, understanding basic. You know, if an attacker claims it to be true, that doesn't necessarily mean it's true. Just because someone posted it on BreachForums doesn't mean it's a real breach, right?
John Strand
Like, I want to go back to the Forbes thing too, right? And this is, I had a family friend this weekend that brought this up and it was a thing, right? And I was like, usually what this is a collection of other breach data that they mold together into a big list and all this stuff. And then it always, always kind of devolves into this thing where it's like, yeah, but if Google doesn't want you to know and it was real, they could stop the information from getting out there. I'm like, well, that's not really true. That's not how that works. But you know, people, somebody put in the, in the comments. It's like the news people do it for the clicks and it kind of drives the panic around it. And that's, that's concerning. Especially whenever it's a quote unquote reputable group like Forbes, it's like, God damn, think this stuff through before you actually put it out. Now that's one side of it. But this is something I want to get everybody's take on. Like, aren't we supposed to be getting better in computer security? Like with all the new technologies and all the EDRs and all this stuff getting really, God damn, there's a lot of info stealer data. There is a lot of breached data floating around. It's just, are we that I brought this? I haven't brought this up in a long time. I put it away in a case. I'm going to bring it out. Are we actually getting hurt? Like, are we the baddies? Like, is it still just as bad as it's ever been? Because it kind of feels that way. Because this isn't new, right? This is just a collection of a Whole bunch of previous breach data. But damn, that's a lot of breach data that they're pulling in and then they're trying to sell it out there. It's kind of concerning to me about whether or not we're improving as an industry in a whole, like kind of a holistic view.
Shecky
I think there's just, there's just more people with default creds, just more snowflake databases out there that are just wide open, right. And just everything's being pulled.
Corey
There's more people using the Internet, I think.
Shecky
Look at the md, the Verizon, like, whatever, Verizon DBIR. Right? Like mean time to detection's down, right? Like, yeah, but how much of it.
John Strand
Detection is because the ransomware folks are like, hey, we breached. It's like, hey guys, congratulations, you detected this breach in less than 24 hours. Like, that's because they told you, like, this is not.
Corey
It still counts. It still counts.
John Strand
Okay, it still counts. Right? But Corey, I don't know if you saw, but like the red team side of the house at BHIS, I think there was two separate organizations that they got into with infostealer logs last week. Right. And kind of the cadence at which the red team is taking advantage of that data and gaining access to corporate, corporate level access to our customers, or they're using it to kind of reset 2FA. It seems like it's getting to be a higher tempo than it was even like, like two, three months ago.
Corey
So I think it's getting better. That's my opinion. Having been doing heavy info stealer research for like two years, it's definitely gotten better.
John Strand
Wait, wait, wait, wait.
Corey
I would say clarify, Corey.
John Strand
Better for us, the pen testers, or better for the community defending? I think, because that can be two different things. When you say, no, no, it's good.
Corey
I think the volume of infostealer data has gone down. I think the amount of credentials coming out of botnets, I mean, we've seen also talked about on this show, shutdowns of major stealer networks that have happened over the past year. I think the volume's going down, the data doesn't go away. And that's the thing, that's the really important thing to understand about info stealers is if you don't have a service like, you know, ANTISOC or Flare or whatever, pick a thing, someone needs to go through all the backdated data and make sure that you aren't continuing to be vulnerable to that data. Data. We've seen cases where we'll pick up an info stealer from six months ago, a year ago, two years ago, three years ago, and it's still valid. That's the problem. It's that the data is still valid after, you know, it being disclosed three years ago. I think less and less is being disclosed over time. As we see some stealer families going away, we see better anti malware. We've even seen people moving away. Like, Google now has their, like, more secure browser credential storage. They're like, like the industry has adapted. But if the data's still valid from three years ago, then it doesn't really. You can't unpublish that.
John Strand
So you almost look at this like it looks like it's getting worse, but it's more of a snowball effect.
Corey
Yes.
John Strand
Because it looks like there's monster amounts of infostealer logs. We're seeing a lot of infostealer logs that maybe are three, four years old that continue to roll forward. So even though it's going down, we're still dealing with all that traditional huge amount of infostealer logs. That's maybe a period of.
Corey
Yeah. And it's. It's like. I guess what I would say is, from my perspective in security, if credentials are. If a username and password gets me into your company, you're screwed. Like, you don't.
John Strand
Do you remember the fight that we had with our customers whenever I made it a high vulnerability if you had.
Corey
Just used your single factor.
John Strand
Yeah, yeah. Single factor authentication. I think I was on the phone with our customers at least once or twice a month. Month defending that. Right. Like saying, this is a critic. I can't remember if I said it was critical or high, but if you add it right there. Instant high. Instant high. Single factor authentication, do not pass. Go. Go directly to instant high. I haven't had to fight that Corey.
Corey
In like a year because info stealers happened and then they got hit legitimately with this and their customers got hit and. Yeah, I mean, well, and that'll one.
John Strand
Of the reasons why we started ANTISOC. Right. Because that point in time. This is turning into a commercial. I apologize. But that point in time security assessment for pen testing doesn't really work as well as it used to. It's like something that needs to be monitored over a longer period of time.
Corey
Yeah. I mean, it's still good to check in your annual pen test if you have exposed dark web data, but we can also check it like 20 minutes after it's posted. So that's definitely faster time to react. But. But I definitely think that info stealers like this are still. I, you know, the reason we harp on it so much is because I still think the average person has no concept of it. Also, we are seeing on, you know, to kind of like argue against myself. We are seeing an uptick in the ways that people are deploying it. Right. Like one of the articles we have this week is more watering hole attacks on GitHub for open source tooling that that deploys info stealers.
John Strand
Excellent.
Corey
Right. So, like, can we bring up this is because this story scares me.
John Strand
Go ahead.
Corey
Yeah. I mean this is, it's like all supply chain attacks where it is scary but you're also like, well, I usually don't just decide to run a new open source tool that I've never used before on my, you know, but people do.
John Strand
But Corey, I don't think that that's, that's not the thing that scares me. The thing that scares me is the XKCD comic when they're talking about like legacy apps where it looks like a whole bunch of different Lego blocks and all the technology that we're building on today is built on a ton of technology below it. You know, that's the thing that concerns me is one of those downstream open source packages that everyone uses. Like what was the one, xz, the compression library that was used in SSH that was like a 3 to 4 year like op to allow them to install malware into that package. I think we're going to see more attacks like that. Right?
Corey
Yeah. I mean this isn't that. This is totally just.
John Strand
You're right, it is.
Corey
This is a Trojan.
John Strand
This is a Trojan worst case scenario. Right. Like this is. Is people completely putting up malicious packages in the hopes that someone downloads it and runs it.
Corey
Yes. I mean the XKCD comic is accurate and the vibe that, you know, you being scared is totally accurate. This specific attack is more just Trojans. It's making something that looks really juicy on GitHub. Like this tool will get you DA in 2 seconds and then it has power.
John Strand
They're just going to fall crap again and again and again. New TBA exploit. Right. Or I mean the other thing asks us where they fork existing packages that are heavily used.
Corey
Yep.
John Strand
Come up with the modification and they say something like, oh, this fixes a detect and this product X like CrackMapExec and add the back door. And in that situation.
Corey
And this is also poisoning. Yeah. Like, yeah.
Wade
What about also adding in the tools that come in such as PyPI, which we've talked about plenty of times in.
John Strand
This article that there's still more malicious PyPI packages than packages like. PyPI is still like the dregs of like the Internet right now or a lot of malicious packages coming in.
Corey
Totally. And I think this article more is interesting as how sophisticated they're getting and how kind of like prolific this is. More than you might think. Like this is definitely. They're embedded the Visual Studio project files different. They're deploying this kind of malware in a bunch of different ways. It's not just like shellcode. Don't modify this before running, please.
John Strand
Because this gets into the forever day category because there's no legitimate pen testing firm that can use this as a technique to gain access to an environment. It's kind of like the malicious. No, I'm serious. If we spot up up a GitHub repository and we have it out there and it's publicly accessible, it's very hard to limit that test to just the target organization. Right?
Corey
Yeah.
John Strand
I mean create malicious PyPI packages to break into an organization or malicious Google apps or Apple apps. It's really hard. Possible. It's absolutely possible, but it's really hard to limit that to just the target organization. So it doesn't get the level of review that a lot of traditional tactics that we use in pen testing like it.
Corey
Yeah, I mean we totally can. You're going to want to have your lawyers check that one out before you do it. But yeah, that's totally possible. It's just. Yeah, like you said, no one's brave enough to actually do it because it's just straight up dumb. Yeah, but yeah, I mean you could simulate it pretty easily. Right. If you're breaking into an organization, you don't do a watering hole attack on SharePoint then. Are you really trying?
John Strand
Yeah, true. Well, that's kind of a different variation of this, right? It's kind of. Yeah. Variation of this. All right, what else do we got? I mean there's Help rmm, another RMM tool that attackers are attacking.
Corey
I didn't see that one. I saw. I saw the local privesc on when on Linux. That one's kind of interesting. What else we got so I can.
John Strand
Put in the link? It's another. It's just another RMM tool. Once again you're having attackers that are, you know, they're really focusing on that space because there's been multiple RMM vulnerabilities. These are great, you know, exploit once compromise multiple organization type exploits. It's very similar to the insurance thing. That we talked about earlier, where you're seeing lots and lots and lots of attacks against insurance companies because they have that focus, the Isaron is on them right now. And this RMM level attack is. We're seeing these vulnerabilities being targeted by a ton of attackers. This also is one of those spaces where kind of the Venn diagram of like a lot of our customers at Black Hills Information Security don't deal with this. Right. Because we kind of tend towards more enterprise large enterprises. And the MSSP space, MSP space is heavily impacted by this. But they tend not to be the same space that we run in with a ton of what we're doing on this as well. So if you're listening to this and you have RMM software, this may not be the RMM software that you are using, but I'm just going to throw this out there. Maybe, just maybe the management interface for your RMM tools shouldn't be publicly exposed to the Internet. Try to set up some access to where you have to VPN before you actually gain access to it. Something like that. Because.
Corey
And patch your stuff if you are going to leave it on the Internet.
John Strand
Patch, yes. Pay for licensing. Patch. Wade, you got something to say, man?
Shecky
Yeah, I got a good. I got a good chicken. Chicken story.
John Strand
Okay.
Corey
Oh no.
John Strand
Chicken. Report.
Shecky
Report this one. It's chicken adjacent. This is kind of funny. Report. I just threw the link in the chat: report links Los Pollos and RichAds to malware traffic operations.
Corey
I saw this one, whoever threw this.
Shecky
And I. I applaud you. So pretty much Infoblox came out with some good threat intelligence. How legitimate cybercrime groups are teaming up and actually use using legitimate ad space in order to infect people.
Corey
Right.
Shecky
Pretty much exactly what you're saying. Like there's no way a legitimate pen testing company could throw or could pull something off like this.
Corey
But they're using smart links which are like. Yeah, I mean this is like the whole. What is it called? The click. ClickFix? Is that what it's called? ClickFix. It's like the new tactic to deploy malware where it's like an ad and then the ad redirects you to malware.
Shecky
Well, I knew there was one.
John Strand
Is this kind of a variation of like, you know, we've been talking about it for a while how like NSO Group has the capability of delivering malicious ads and advertisements to deliver malware at a very sophisticated level. And is this just attackers kind of taking. I haven't read this article yet. Just kind of taking that pathway to gain access to environments I think the most.
Corey
Yeah, that's basically it. I mean it's more focused on consumers. These are watering hole attacks, right? So they're not really going after like enterprise with this, I don't think. Yeah, they're, they're targeting, you know, it's crypto stuff, viruses, stealers, like you're, it's consumer attacks, which is why we, you know, don't see it a lot. But yeah, I mean it's an ad, it's malvertising or whatever you want to call it. I think the most shocking part of this article for me is that here are the names of, of seemingly legitimate firms and I'm just going to list them. 1. Los Pollos 2. BroPush.
John Strand
Ooh, wait, that's not legit.
Corey
3. RichAds. Yeah, those are apparently legit.
Shecky
Yeah bro Kush, I totally thought Las Boyos was one of the, was one of the cyber crime groups.
Corey
I know, I there it says. Okay, it does say, it does say seemingly legit. Legitimate. It's like, is it legitimate?
Shecky
This goes into like I've had to deal with a couple like domain phishing for organizations. Like all of a sudden there's a domain that looks like your organization and then next thing you know people are emailing you and there's all these registrars and stuff out there that are quasi legitimate. Right. So it's like they're hosting on these three websites. They're using several different tunnels to get way to get through you. But I feel like a lot of these ad spaces or ad companies are right there on seemingly legitimate where they probably have something to go and like hey, this is malicious and tell them. But they're not looking at it. They're never looking at. They don't care. They already got their money. So it always just fine as long.
John Strand
As their spice is flowing.
Corey
The world of ads and the world of hacking or I guess malicious hacking are so, so close. Like it's just a nasty business to begin with and yeah, but this goes.
Wade
Back to what I was that way for a long.
John Strand
You know, you talked about this as a transition. It's like this is a tough space for people to pen test. Right. So it doesn't get that level of attention. Maybe a couple of news stories, but it's like good night. This is definitely a great area of research that's very shady to try to do any research in.
Corey
Well, it's also an industry where the customer says what do you mean? I can't target John John Strand specifically with this ad for really cool Cowboy boots. That's bs. I'm gonna go to another provider that will let me target specifically John.
John Strand
John Oliver. Do it.
Corey
Yeah, like, yeah, exactly. It's that, like, the customers demand privacy invasion from the beginning, so it's not super surprising that it.
John Strand
And that's getting rare. In. In all fairness, right? Like, we don't get a lot of customers. I think we had maybe a handful in the past two years that want us to do something that, you know, I saw it on a movie once, you know, I saw it on Mr. Robot. Could you guys please create Android malware and deliver it to my company? It's like, okay, no, for a number of reasons, but, you know, it's getting. It's getting rarer and rarer, but I can see why people are asking for it, right? Because there are attacks like this that are hitting. And it's like, as a pen testing firm, it's like, no, I can't deliver. Deliver malvertisements to you and only you.
Shecky
When's the last time you dropped USB sticks? Right? Like, dude, I had a customer asked.
Corey
Me to do that last year. And here's the most surprising part. It actually worked well, so it isn't.
Shecky
The one where you, like, mail them, right?
Corey
Like, okay, so. No, no, we didn't mail. Okay, so just full disclosure. Remember, full disclosure here? Yeah. Well, okay, so here's the thing. They. They did it for Social Security awareness testing. The payloads would never have worked because they have USB devices blocked in their EDR policy. So, like, there was never any chance of real success in C2 and actual initial access. But from a security awareness perspective, what we did, they were actually pretty fancy. We bought wooden USB drives off of Amazon and we laser. We laser engraved the company logo onto the USB drive. And the people just assumed. And then we had the company, you know, drop them in their own offices. So it's kind of cheating, but basically, you know, it. It worked. It was blocked. I think nowadays most companies are blocking USB devices. So it. But yeah, right, it's a thing. I mean, what's old is new.
John Strand
Again, I'm going to call out most. No, most of the companies we work with tend to block it. I think that's. Once again, we're kind of at the pointy end of the spear. I'm going to say the vast, overwhelming majority of organizations are not blocking USB devices at all. Just because it's just. It's kind of a pain in the ass to enforce, right? Like, you know, I go to credit unions. They're like, oh, I've got this file in a USB stick and they die a little bit every time they plug it into their computer.
Corey
You just be like, here, use this. You just give me USB killer.
John Strand
Tell me, what does your company do, John? Like, nope, nope, nope. Give that one back. That was a bash.
Corey
Give that one back.
John Strand
So, and then even if they do block USB sticks, a lot of the protections that I see, especially trying to protect against Hak5 style attacks. Attacks for like Bash Bunnies and things like that.
Corey
Yeah, they.
John Strand
They only block the HID associated with the Bash Bunny or any of those different things.
Corey
It's.
John Strand
But they still. If you. You can still go in and modify that on the fly.
Shecky
TinyPilots, if anybody knows what those are.
Corey
So I guess it still works. The long story short on Wade's comment is still works.
John Strand
Still works. Kind of like the infiltration, but also expensive.
Corey
It was way more expensive than phishing, I'll tell you that. Much.
John Strand
Much. Yeah. But that kind of gets into the. The big attack that we did closing out last year with the gift cards, right? Like, and that. That's kind of one of those weird barrier to entry things. If you put a little bit of money and a little bit of class into an attack, like, you know, you actually spend money on real Amazon gift cards, all of a sudden the success rate goes up. You do laser etching on wood things for USB sticks, all of a sudden the success rate goes up. Because I remember this attack now because they approved the pricing for.
Shecky
I remember, like, how. How. How do you think, like, threat actors would do this? Like, it sounds like, really cool, but for me, I'm also thinking, like, it's just another way to be tracked down, right? What like doing the fancy stuff. Like, you bought these USB drives that, like, had laser. What if I then took that USB drive, figure out who made that, then ask them, and then subpoena them for, like.
Corey
Right.
Shecky
It's like, it leaves more.
Corey
Yeah. 100. Our rule of thumb when we're operating in ANTISOC, we have a rule where we don't try to go. We don't try to evade subpoena power because it's not really possible for us. Yeah, we try to evade you, Wade. Specifically you. We try to evade a quick check by a CTI investigator, SOC analyst person. But yeah, subpoena power. I mean, yeah, you're all over the map with legitimate Amazon gift cards. There's stolen accounts for every. For everything. There's a stolen account. Account.
Shecky
So my wife was paying for someone in Mexico's Amazon for like two years before she noticed.
Corey
I have. So I have some Microsoft. Okay, so I have a Microsoft invoice that hits my credit card every month. I don't know what it is. I can't stop it. It's just like a tenant. I don't know what it is, but it's like Azure. So I probably set up a tenant like five years ago, and I. I can't stop it. So. Yeah, how much is it?
Shecky
Just too scared to cancel the card.
Corey
It keeps getting more expensive, but only by like $2. So now it's like $30. And I'm like, okay, now I start caring.
Shecky
You can't happen. BHIS just falls over.
Corey
Like, that's what I'm worried about. I'm like, what phishing infrastructure is this that I don't know about?
John Strand
Weeks ago, our systems team was doing an audit and they're like, we have these like, four Azure systems that are just up and running and they're not getting any love. They're really not getting, like, updated the way that they should. What are they used for? And no one would answer, right? And it was. They. They finally got it up to me and they're like, john, we need approval from you to shut these off. And I'm like, well, what are they doing? No one knows. And I'm like, God, like, shut them. Pause them. And while we did it, everyone was just kind of hunkered down, like, okay, is the company still functioning? All right, we're good. All right. So, yeah, it's the equivalent of the server in the closet, but it's the server in the cloud that's been neglected. All right, any other final stories? Has there been any updates in the news? Like in the middle of US Launches large scale scale cyber attack against the United States? No. All right, sweet.
Shecky
Did you see the data broker? One that's a little bit hardcore.
John Strand
I don't know, dude, do you want to talk about that one? Because you popped it in. I don't think we have it in our link. Did you share the link out? Let's go ahead and talk about that.
Corey
Yeah, close it out with some heavy.
Shecky
Some heavy, right? So this is like the first news article I read when I came back and had Internet too.
Corey
Oh, really? You're like.
Shecky
I was like, what is going on? Right. And what a. What a couple weeks to be gone. So pretty much in. If you know about, like, the latest news where a Minnesota lawmaker was assassinated by.
Corey
Yeah.
Shecky
A person. We won't go crazy.
Corey
Crazy person, crazy person.
Shecky
But as they searched his vehicle they actually found a list of 11 data brokers that he used in order to find, figure out where people assumingly live and information about them. Right, right. Our. We've talked about data brokers so much and I'm sure he probably only paid $11 for all that information to get that, and free.
Corey
I doubt he paid anything.
Shecky
Ridiculous. I think this is the first time I've actually seen data brokers called out in a crime.
John Strand
I think I'm gonna have to agree.
Corey
Is the list been published? Has the list been published of data broker.
Shecky
Let's see. There's an.
Corey
There is a list by the FBI.
Shecky
We can go into it. I hate data brokers.
John Strand
Data brokers get people killed. I'm like, well, they can. I just don't. I don't.
Corey
I mean, yes, you're not wrong about the logical leap, but here it is.
John Strand
Data brokers get people killed every day. The problem is cops just don't look for it as a methodology.
Corey
I'm just like, oh, yeah, it is.
John Strand
And. And that comes. Dude, whose company is obscuring your digital footprint? I. I don't. I don't know. I would like to see. I'm going to do a Wikipedia citation needed on that. I mean.
Corey
Yeah, well. So, yeah, I mean, basically this is one of those things. I think it's kind of like the other one where there's two things can be true. One, this can get blown out of proportion because it's the classic save the children type argument. Right. Two, this can be an egregious oversight by U.S. law that a lot of this data is public, which is how these businesses operate. Right. There is a genuine legislative issue where it is totally legal and okay to operate a business in this that discloses this information for free or for a fee. Yes, it is also, which is wrong and bad. It is also possible for people to do this even with no data brokers. Right.
John Strand
So it's like somebody made a joke on, I don't know, a joke. They made a comment about. Before this, we had the white pages. Right? Right. You know, phone books had people's addresses and that's.
Corey
Oh, they would just put people's addresses in the freaking newspaper, dude. They'd be like. They'd be like, John, who lives at 432 Maple Lane, will. Will be having a wedding ceremony on Sunday. Like that's in the newspaper anyway.
Wade
All right, so. So in the affidavit.
Shecky
Yeah, go for it.
Wade
I was just gonna say it. There's TruePeopleSearch. There's BeenVerified, Ownerly.com, USSearch.com, Spokeo, all the standard ones that you go ahead and hear everybody talk about.
Corey
If you Google Data broker, it's the same results. Yep.
John Strand
And once again, I don't know what the solution to this is. Right. Like.
Corey
Well, the solution is to make this business non viable, to make it illegal. That's the. You just. This shouldn't be giving up people's PII for a fee. Should not be a legitimate data.
John Strand
Yeah, but then you're cutting off a revenue stream to a bunch of organizations that are.
Corey
Yeah, exactly.
John Strand
Correct.
Corey
That is exactly what I'm saying. We do.
John Strand
Like what I was talking about, like whether we're talking about data broker or we're talking about ad tracking data, whenever you're surfing the web, it's like that should be classified as PHI, right?
Corey
Yeah.
John Strand
And then it should have all the protections of HIPAA around it. No one's going to do that.
Corey
Or GDPR.
John Strand
There's just. Or GDPR. I think it's more protected under GDPR than it is under the United States right now. But that would be the solution to it. But it ain't going to happen because there's way too much money being made at that particular point.
Corey
Dude, how much money can these companies possibly be making? It just can't be that much.
John Strand
I.
Corey
Okay. Ads are big business. Ads are big business. I'm not. I don't think we can lump ads in with this because the dude didn't use Google Ads for this. But a website where you just go and for free, you type in anyone's name and it gives you their address can't be making that much money. It's literally free.
John Strand
What is the biggest one that you guys can think of?
Shecky
I just go Fast People Search.
Corey
True people search. Yeah, I mean any of these I would. I personally use Fast People Search. But that's probably the exact same message.
John Strand
I'm gonna check that one.
Corey
That's the one I use.
Shecky
You think DeleteMe is gonna, gonna really jump on this?
Corey
Well, so the other thing is DeleteMe and all the others are just another data broker that just keeps your data. And just to be honest, I mean, do you trust them more than you trust Fast People Search? That's your call. But ultimately DeleteMe is just a place you put all your sensitive data and they hold on to it for you.
John Strand
So.
Corey
So it's the same thing.
John Strand
People search made roughly $5 million.
Corey
Yeah. Okay, so just delete that. That's not enough money to be worth.
John Strand
Lobbying over 1414 million.
Shecky
Even still two people working there.
Corey
I don't think they do GDPR solve this. I don't, I really don't know if Europe has this problem.
John Strand
Why in Europe a lot of these different circumstances, they're specifically for US citizens so. Right.
Shecky
I was wondering if we do we have can.
John Strand
Well, well, California is developing something very similar.
Corey
Gpr. Yes.
John Strand
On these. So.
Corey
But then also there's political things with that where they're also trying to make it so you can't do that. Right. So it's like, I mean basically my, my. I mean this is kind of a political take. But yes. That we need to as a country say our data is private.
John Strand
It.
Corey
We are not allowing businesses that. That are basically taking my data and selling it to exist. And we just have to make that cultural decision and accept ads. Okay. That's a whole different can of worms. But literal data brokers, I think most people aren't like supportive of data brokers. Like no one's like, I love data brokers. They're great. Like everyone's against them, but it's so.
John Strand
Abstract from them that it's hard for them to understand that something like that even exists. Right.
Corey
Like, I don't think it is.
John Strand
We show people some and it's weird because you're right because people use it all the time to like find an ex boyfriend or girlfriend or something like that. But I don't think that it quite clicks that that's something that, that that door swings both ways that it can come back on them. I just, of course this might be.
Corey
That moment for people I guess is maybe the, the subtext here. I mean obviously I agree with you John, that like finding where someone lives without a data broker is not impossible. It's not like this is the only way. And if you close it, like, like, you know, it's a logical leap, but at the same time it is overly easy and.
John Strand
Yeah, yep, exactly. All right.
Corey
Also, yeah, we're going to just going to spin on this just because we.
John Strand
Get stuck on privacy. It's like that privacy, privacy is right because you know, privacy and AI man, those two gears are really stuck. So with that, everybody, thank you so much for attending this edition of Talk About News. We'll see you next time. Sweep.
Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: Iran Shuts Down Its Own Internet
Release Date: June 26, 2025
Host: Black Hills Information Security
Participants: Corey, John Strand, Wade, Shecky
The episode opens with a light-hearted discussion about the nostalgia associated with the Muppets, setting a casual tone before delving into the serious cybersecurity topic at hand. John Strand muses on the enduring appeal of the Muppets, reflecting on their role in childhood entertainment and their cultural significance (00:02-01:10). Corey and the team transition smoothly into the main subject, signaling a shift from light banter to critical news analysis.
John Strand initiates the core discussion by addressing a significant geopolitical event: Iran's recent shutdown of its national internet. He highlights the complexities of modern warfare, noting, "Iran just shut off their Internet, which I guess if you're trying to keep the USA out, that's a good way, right?" (04:41). The team references a TechCrunch article dated June 20th, confirming that virtually all Iranians lost internet access earlier that week—a move seen as counterproductive but possibly aimed at information management and psychological operations (05:02-05:37).
The conversation explores whether Iran's actions signal an escalation in cyber warfare. Corey brings up a statement from an Iranian spokesperson attributing drone operations to internet control, raising concerns about the implications for U.S. military infrastructure (06:18-07:51). John Strand provides historical context, comparing the shutdown to past events like the Gulf Wars, emphasizing that maintaining internet access is crucial for intelligence gathering and operational effectiveness (05:37-06:18).
Wade suggests that the shutdown is more about controlling the populace during internal unrest rather than a direct cyberattack, stating, "It sounds to me more like what's happened anytime they've had massive protests there and shut down the Internet, etcetera." (09:50-10:03). John Strand concurs, arguing that if Iran were genuinely concerned about U.S. intelligence agencies like the NSA, they wouldn't allow tech-savvy individuals to bypass restrictions, indicating the shutdown's role in controlling information rather than deterring cyber aggression (06:52-08:16).
The discussion shifts to Scattered Spider, a notorious financially motivated threat actor group. Corey details their recent activities targeting insurance companies, including Philadelphia and Erie Insurance, and notes that these attacks predominantly employ social engineering and help desk exploitation (22:14-24:18). The team emphasizes the importance of securing help desk functions and resetting MFA factors to mitigate such threats (32:49-35:38).
A significant portion of the episode addresses a purported 16 billion data leak, which the hosts clarify is a compilation of previously breached data rather than a new incident. Corey explains that much of the data is consumer-focused and emphasizes the necessity for robust data monitoring services like Flare or SpyCloud (33:41-35:38). John Strand adds that while the volume of breached data may seem overwhelming, much of it consists of outdated credentials still circulating in cybercriminal circles (40:00-41:28).
Shecky introduces a critical discussion about data brokers, highlighting a case where a Minnesota lawmaker was assassinated with data sourced from multiple data broker services (58:32-60:10). John Strand underscores the dangers posed by these brokers, asserting, "Data brokers get people killed every day." (60:01). The conversation delves into the legislative gaps in the U.S. regarding data privacy, contrasting it with Europe's GDPR framework, and debates the feasibility of regulating such entities given their profitability and entrenched nature (61:04-64:37).
The hosts recount experiences with physical infiltration tactics, such as dropping USB drives in corporate environments to test security awareness. Shecky shares a successful attempt where laser-engraved USB drives were left in offices, leading to heightened security alerts despite the payloads being non-functional (53:27-56:25). Corey highlights the ongoing relevance of these methods, emphasizing that despite technological advancements, physical security remains a vulnerable point for many organizations (55:19-57:34).
Wrapping up, the team reflects on the multifaceted nature of modern cyber threats, from nation-state actions and data breaches to social engineering and physical infiltration tactics. John Strand poses a critical question to listeners: "Are we improving as an industry?" (37:18), suggesting that while defenses are evolving, the persistent challenges of legacy systems, data privacy, and sophisticated threat actors indicate that cybersecurity remains a pressing and continually evolving issue.
The episode concludes with a brief mention of future discussions, promising deeper dives into the ramifications of Iran's internet shutdown and its broader impact on global cybersecurity dynamics.
For more detailed insights and ongoing discussions, subscribe to Black Hills Information Security’s weekly podcast and stay ahead in the ever-evolving field of information security.