Microsoft's OverSharePoint 0-Day Exploit – 2025-07-21 — Talkin' Bout [Infosec] News
Corey
Where's John? Is he teaching?
Wade
John is. John is literally teaching right now.
Corey
Right now.
Wade
Yeah, he's going till six. Teaching till six.
Ryan
Six.
Corey
Wow. Is Patterson just here to run live IR on someone's SharePoint?
John
Oh, wow.
Corey
Wade's here.
John
Look at all this talk about, like, Kramer showing up, like, smash into the. Into the apartment here. The two of you.
Wade
We're alive, by the way.
Ryan
Oh, man. Okay, good call. Wow. I almost said something there, boy.
Jerry
Ryan sent out the. The bat signal.
Wade
Send out the bat signal.
John
All right. On.
Corey
Wait.
Wade
Well, we're supposed to be live. Oh, there's the number. Okay, now. Yeah, I got the official.
Ryan
Yeah, I was taking a nap.
Corey
Seriously?
John
That's so San Diego. That is so San Diego.
Corey
You're so san. Die.
Ryan
I went paintballing yesterday, and I'm just, like, so sore and so tired.
Corey
Like, are you sore from getting shot a lot or from running around with a paintball?
Ryan
Both. You want to see. If you want to see some battle scars, I'll. I will. I'm fine.
Corey
Are they safe for work?
Ryan
Yeah, there's that, too. Otherwise, I'd have to take my shirt.
Corey
Off, but that's not good.
Ryan
Nah, it's normal. Like, I just wear a T shirt and some goggles. That's pretty much. It was like.
Corey
Do you wear pit vipers, though?
Ryan
What the. What are pit vipers?
John
Wow.
Corey
Okay. I guess you're not American. I didn't know you. Wade's a spy. Wade's a spy.
Ryan
You mean the sunglasses? I don't know what that is. Gosh.
Corey
I mean, have you ever wanted to jump a jet ski over a mountain? That's the correct eyewear to wear for that?
Ryan
No, I am not wearing those. I actually. I will admit the. One of the more expensive things I have is the mask, and it's called. It's cart. I don't. It's called My Gears. It's called a carbon mask. If you look up carbon paintball, you'll find them. But all my stuff is downstairs.
Corey
I have so many questions. This is not on topic for the show at all. Do you have your own paintball gun or are you renting? Are you.
Ryan
No, I have my own. Okay, look up EMF 100 is the.
Corey
There's someone in the audience right now that is so excited that their hobby is getting spotlighted like this. Or they're right now angrily typing that they hate the EMF 100, and you got to get the.
Ryan
It's mag. So it's magazine fed, which is com. Like, completely different. It's not like a hopper where it's gravity. It's fun times. All my stuff is downstairs. Like, I'm cleaning it in the garage because if, like, I were to tell her to go off, I got. Yeah, I got lit up. We played for like six hours. I mean, we lit up several times.
Mary Ellen
Were you up against Dave Kennedy? I mean, you got. You got pretty beat up.
Ryan
We don't so the. So that we play Mag Fed games. So everyone has magazines. It's not like speedball. Like, I'm sure what Dave does where it's just like. It's like more tractical.
Corey
Yeah, it's actual tactical.
Ryan
People run out of ammo all the time. Like, it's. It's pretty legit sounds. But playing in 87 degree weather is not the funnest in my.
Corey
That's so San Diego. Again, it's only 87, dude. In Florida, that's considered winter.
Jerry
Yeah, it was like 105 today.
Ryan
Yeah, I wouldn't have played at 105.
Corey
Oh, it was 87 with 30% humidity. We were all sweating.
Ryan
It's probably less humidity than that. It never gets humid here.
Corey
All right, roll the finger. Let's do this.
Patterson
Oh, oh, oh.
Wade
I wasn't ready. I was tech. I was typing.
Corey
Who went away? Did someone disappear? Where did Patterson.
Wade
Someone disappear. We'll get him back.
Corey
Rest in peace, Patterson.
Wade
All right, finger rolling.
Ryan
Wait, who's this Jerry guy?
Corey
Hello, and welcome to Black Hills Information Security's Talkin' Bout News. It's July 21, 2025. It's SharePoint Monday. Yay. There's a SharePoint CVE, basically, if you don't already know about that spicy one.
John
It's got a name. It's got a name. Does it have a logo?
Ryan
Don't worry about it. I don't have to worry about it.
Corey
Does it have a logo? Yeah. Does it have a logo? That's a good question.
John
It's legit if it has a logo.
Corey
I'm already blanking on the name.
John
ToolShell.
Corey
Tool.
Mary Ellen
There'd be a logo if Gossi had it.
Corey
ToolShell. That's not even that.
Patterson
I don't know.
Corey
Is that that good?
John
Did he do an MS Paint one?
Corey
Did Gossi do an MS Paint?
Ryan
Share Nightmare. Sounds like it's already been taken.
Corey
Share Nightmare. That was when we accidentally shared too much. That already happened. Yeah. So basically, you know, I mean, we can start with this. There's a zero day in SharePoint. It's been patched by Microsoft. Go patch or take down your SharePoints. It's only an on-premise SharePoint. Only on-premise. Which was why my name is super relevant today. I don't think this is. There's probably a bunch of different articles about this. There's a really good write-up in. What is it? EF or something. I forget the name of the company, but Research, Eye Security. There it is. I. We don't know how to pronounce it. Is it E-Y-E? I don't know. But yeah. Basically this was added to the CISA Known Exploited Vulnerabilities, currently being actively exploited by threat actors. Super scary. There's a patch. Take it down or patch it. There's 8,000 plus servers as of Friday. If that's one of you, take that down. Get rid of that. Turn that off.
John
I did look at the EPSS score for this one and it was seven hundredths of 1%. The likelihood that you would get exploited in the next 30 days is not very high. But it's also not something to mess around with. Right. If your SharePoint is just vestigial and no one's really using it, I would shut it down and wait until someone calls and complains. Personally, there's no reason to take on that unnecessary risk. But the good news is, statistically speaking, it seems that you're. This isn't a shut, like shut the stream down and go patch it this second. But you should prioritize patching it because it is pretty deep when it does get popped.
Corey
Yeah, I mean, I don't know. Anecdotally we have one customer that already got popped, so I would say take it down to patch it. I mean they actually took it down in the process of it being popped. So I would say maybe there's not that many out there, but if you have one, fix it now.
Ryan
I'm trying to read how to do.
John
Yeah, and I'm definitely not, I'm definitely not. Let me. I should qualify this. I'm definitely not pitching that you should go play around to golf instead right now, but just in the, in the. Like. Like when WannaCry was coming across the ocean. If you guys remember back in the day, that was like a, you know, like just throw your cup of coffee at the table and like just, you know, run into the server room. So yeah, no, I agree it's, it's bad but statistically speaking, it's a lower chance of getting popped.
Corey
I mean there's only 8,000 servers. That's actually not that many. I think most people have moved to Cloud SharePoint at this point. In my opinion.
Jerry
I'll just tell my CISO, hey, we know we deployed this new honeypot. It's going to be awesome. You're going to love it.
Corey
Our machine keys are all honeypots now.
Jerry
Yeah, we don't have a vulnerability. That's intentional. See, that's a feature.
Corey
What else happened? I don't know. I wasn't here last week. I was on vacation.
Jerry
I'm gonna go with malware breaches.
Corey
What? No, that's not. That's a different show. This show is about uplifting conversations that are not political and no security.
John
Do you guys, like. I'm sorry. Really quick to go back on the 8,000 servers. Like, did you see that on Shodan? Like, is it. Is it. Is it centralized in certain areas of the world? I'm, like, now I'm kind of curious, like, how the. How the adoption of. Of SharePoint Online has gone. Do you have the.
Corey
That's a good question. I can pull that up real quick. There's a SharePoint or a SharePoint. There's a product tag for it in Shodan, so you can see there's also Nuclei plugin. You know, there's a bunch of different ways of picking it out. It actually, it's pretty obvious because it has a server header that it sends back in the response. Yeah, let's see if we can find it.
John
Right on. And sorry to task you, like, in real time on this one. It's just.
Corey
Okay, I got action items captured. I'm ready to.
John
Okay, thank you. I love it.
Corey
But now you have to. Now you have to do the podcast while I look this up.
John
Yeah, no, I love it a lot. A lot of great stuff. Nothing. Nothing broke over the weekend? No, it was the anniversary of the CrowdStrike. Crowd Stroke on the 17th. Have you guys.
Corey
Oh, really?
John
Yeah. Yeah. Right before.
Corey
What did we do to celebrate? Pull out some RAM sticks. In production.
Ryan
I downloaded more RAM. It's how I celebrated.
Corey
All right, so here's the count. Iran has the most with 2300, then the US with 1600, then Malaysia with 1300, then Canada with 332, then Germany, then a few others. So somehow Iran's like, we love SharePoint.
John
I love it.
Corey
That's actually not as many as you would think. I linked it in the chat. There's the query with the stats.
John
Oh, very cool. Thank you very much for sharing that.
Corey
Yeah. So what else is going on? John Strand, who isn't even here, submitted a bunch of articles, so let's go through them. The first one is a Reddit post to /r/chatgpt, which I don't know what that subreddit's like, but I'm just imagining it's a disaster. Basically, someone posted a tweet, or whatever we're calling these things now, of Replit. Replit AI, which went rogue, deleted an entire database, then tried to downplay it and lied about it. Yes, I deleted the entire database without permission during an active code and action freeze. I violated your explicit trust and instructions at 4:26. I ran npm run db push. I mean, I guess I have. I have more questions than answers. Like, first of all, why are you giving an AI access to destroy your production database?
Jerry
That's a great question. Because my daughter likes to make images of cats and she can't get it to stop putting bells on their collars, even though she's like, I explicitly do not want a bell on my cat's collar. And it's like, sorry, I'm going to do it anyway.
Corey
So it's trying to protect the birds. It makes sense.
Jerry
Give it to the. Give it to the AI. I'm sure nothing will go wrong.
John
I saw someone write up on this one, so I'm not going to claim it as my own, but I thought of all the things I saw, it was the most insightful take on this was, you know, you should think of AI. I know people have said, like, think of AI as like an internal. So now think of AI as like a junior engineer or an intern or something like that, where you're giving it things. Like, you would never give a junior engineer access to delete the production database. Right. Like you, you would kind of manage that access and make sure that you would hopefully manage that access and kind of scope it so they could only, you know, the blast radius of making junior level mistakes would be managed and that risk mitigated. So, you know, for going forward, for anyone who's listening and even myself. Right. Like when you're messing with AI and playing with it, like, yeah, it's cool. It can do so many things and it doesn't take a lunch break and it doesn't have payroll and stuff like that. Like, yeah, that's cool. But like, you really should think of it as, at least at this time, as like a junior intern or junior engineer and like, treat it accordingly as far as permissions and access and potential impact could go.
Corey
Right.
John
If you were a GRC person, you'd be thinking about this.
Corey
Totally. Yeah. I mean, I will say, I don't know if that's happening with all the MCP servers out there and all the tie-ins and API keys and things. But I fully agree with you and there is a little bit of sanity in the Reddit comments. Like, someone's like, this guy Jason Lemkin, the person who made this post originally, is an investor type person who, like, makes these posts when he's, like, focusing on a subject. And so he's kind of just going through the full range of emotions dealing with AI. And it's kind of just. It's a really funny discussion though. The images that he posted, like, you know, people have been sending them in Discord. But it's like you immediately said, no, stop. You didn't even ask. But it was already too late. Yeah, don't trust your production database to AI. I guess if you needed that as advice, then you probably hopefully don't have admin on a database. There's Salt Typhoon drama.
Ryan
When isn't there Salt Typhoon drama? I feel like.
Corey
Well, I thought we were over this. I thought this, like, wasn't this all, like, figured out? I don't know, like what? I think we talked about it a couple months ago where they were like, Salt Typhoon is out of the building, we're okay. But apparently not.
Joff
Isn't it human nature to like, you know, go round robin in. In lots of things?
Corey
I mean, I don't know, but IT Pro posted an article, or posted a news article, that's all. U.S. forces must now assume their networks are compromised. So we got another one, another live one. Apparently they were in the DoD. According to the DoD, they breached networks and were there quietly for almost a year. There's a DoD report which was released after a FOIA, a Freedom of Information Act request. And yeah, apparently it was National Guard. Pretty scary. I mean, obviously government stuff. Who knows who controls it? I feel like, do we have any, like, anyone who wants to stand in for the US government here? Anyone? Usually John does.
Ryan
If we talk about it incorrectly, I'm sure someone will message us. That's what usually happens. I don't know about you guys, but I get messages every now and then.
Corey
Yeah, I mean, that's the correct. That's how you use the Internet. You post the wrong answer and then someone will post the right answer in the comments. I think that's like.
Joff
And that's also your own fault for, you know, having your DMs open.
Jerry
Did they say how they got in?
Ryan
So, all right, Jerry, everything's breached. What do we do? What's the first do? We turn it off and turn it back on again? Is that the first thing? Yeah, yeah. Talking to you.
John
No, no, no, no. I mean, dude. So for those who don't know, I worked in federal IT for, you know, a long time, and there's a couple things here. Number one, I'm a GRC guy and I will point, like, all of these systems are probably FISMA compliant. That should tell you something about FISMA and the efficacy of FISMA. Okay. A standard that came out in like 2002 hasn't been updated in 23 years and yet it's still the standard, like rubber stamping AOs. The people who actually approve these systems are so far removed from, like, tech or the systems themselves. So, like, I could go on a whole tirade about that. It's unfortunate that we use FISMA as the standard for these large systems that are super important for this particular one. The other element I want to, like, point at is, like, it blows my mind how, and you can, if the black. This isn't a Simply Cyber show, this is a Black Hills show. So if I go into waters you don't want, that's fine. But, like, it blows my mind how a country can go into another country's military network and it's like, ah, like, just let's yell at clouds together.
Corey
It's like darn it. Yeah.
John
You know what I mean? Like the rules of engagement are wildly different in the cyber battle space. And I'm sure it's a tit for tat kind of situation because everybody's doing this to everybody. But yeah, you know, this isn't good, right? I mean, to me this feels like one of those SolarWinds incidents where, like, you will never know if you fully rooted out the threat actor from this environment without replacing all the hardware. Which again, in federal IT space budgets, the budget for, like, 2026 is already, like, appropriated and spent. Like, 2027 is already, like, lined up, contracts are multi-year length. So even if, like, you got this all sorted out today, like, it would still take you years before you could really take action. The US federal government, the Department of Defense, the whole thing, it's like the massive, massive cargo cruise ships, you know, container ship things. Like, they don't just spin around like a cigarette boat and take a left turn. Like, they're like so.
Corey
Well, hold on. What we're going to do is we're going to call in the National Guard, we're going to get these servers patched right up. Okay? It's going to be fine.
John
Is that, that's the disposition. Okay, good, good.
Corey
Yeah, it's easy. No, so, for you asked the question, how do they get in? In the document there's a few CVEs ranging from 2018 to 2024. Say no more. So yeah, I think the other thing that is super scary, I totally agree with you that, like, getting this threat actor out of a network has got to be just a really impossible task. But the other scary thing is that the briefing from the DoD has a lot of. It basically has a lot of information about what was taken, like administrator credentials, network diagrams, and it does explicitly say it could be used to facilitate follow-on attacks. So that's the scary part, is it's a big cargo ship that steers one degree per year and they have the network diagrams, the administrator credentials and, you know, whatever else they were able to take in the mix. So I think that's why people are jumping to the conclusion of all US forces are compromised. I think that probably is an overstatement. Like, I'm sure that the military uses different passwords for different branches, right? Like, obviously not. No branch would have more than one password to use, but they probably use different passwords. So how are they going to guess the password for the Marine Corps? It's got to be different than the National Guard, right? Oh yeah. There were some airline outages that I guess were also suspected to be Salt Typhoon, which I don't even know. I don't really know. Like, it's just, I feel like I'm fear mongering at this point. But yeah, there's an article in Forbes. Alaska Airlines was grounded overnight last night and they halted operations at 8pm Pacific and resumed after, or just before, 11 Pacific. And they're basically saying that. I guess I don't. Who is saying that Salt Typhoon is the threat actor? I'm not 100% sure, but that would be terrifying in my book. They're busy, I guess. They're like, we got the password from the National Guard. We reused it on, we're in. We're airlines.
Ryan
Oh it says likely culprit Salt Typhoon and expand Cyber Battlefield.
Corey
Yeah, I mean, I don't know if that's actually, you know, that's dodgy reporting. Yeah, it could be dodgy reporting, but whatever threat actor it is, it's arguably nationally important to have functioning airlines and stuff. I don't know. I was thinking it would be the SharePoint thing if anything else. They had to take it offline to patch their SharePoint.
Ryan
Oh that's it. That's it.
Corey
If I don't.
Ryan
Is that what they share all the movies on is SharePoint?
Corey
No, that's how you buy the ticket. That's how you buy the ticket on SharePoint. It's fine.
Ryan
I wouldn't be surprised if that's how they looped in their technology. Wasn't it, like, Southwest, who had, like, such gnarly technical debt that, like, everything was run on, like, an Excel spreadsheet?
Corey
Yes.
Ryan
Like, I mean, every. Most of my life is run on Excel spreadsheets.
Patterson
Due to logs, we got entire organizations that are run on Excel spreadsheets. What's wrong with that?
Corey
Nothing.
Ryan
It sounds secure. To tell you the truth, like, all you need is Excel. So what, can you just, like, whittle a computer down to nothing but Excel and email and you'll be fine?
Corey
I mean, that's what Microsoft Windows Core is, dude.
Ryan
Oh, is it?
Corey
I've never used it. No. I wish. That would actually be amazing.
Patterson
Actually, that's almost the truth. Corey, I've known a whole lot of Microsoft employees in my life, and historically, especially, like, in the mid-2000s kind of period, if anybody went against the Office group, they would freak out. Like, Office owned everything, so.
Corey
Makes sense.
Patterson
It actually adds up. But I. Sorry I'm late. Everybody just jumped in here because I got a text message that we were kind of light on people, so. Hello?
Corey
Well, that's fake news, so don't believe anything you read online. So there is an article that apparently an FBI breach led to the murder of an informant in this El Chapo case. So this is like another example of lack of. I don't know, I guess it's like a consequence of a cyber thing turning into real. This is like. Gets scary, right? Basically, there was a report made in the Justice Department that or by the Justice Department that a hacker affiliated with the Sinaloa drug cartel was able to access sensitive communications between FBI officials, which led to them figuring out who the informant was, and then that person ended up being killed. Super unfortunate, obviously, for those people, but I mean, I don't know. Like, a cartel is just hacking the FBI. Is that. Is that the world we live in now?
Jerry
I guarantee it.
Ryan
Well, they're buying Pegasus, right? Why not, like, not put in a pastum whatsoever if they're doing that type of stuff? I know there was a couple threat groups that I was following. I wasn't a target. Well, my organizations weren't a target. But I just thought it was interesting because you don't hear about threat groups coming out of Mexico as much so is that is Russia, China.
Corey
There's a lot of redacted in this report, which I just posted in the Discord. But I don't know, I mean, I guess it seems like they're monitoring communications. There's. I mean, this is all stuff that dates back to, like, 2018. This is pretty old stuff, but I don't know, it's kind of scary and interesting. Hopefully now, I'm sure things are better now. There's no way the government will be vulnerable to, like, a 2018 CVE or anything.
Patterson
You're a funny, funny man, Corey.
John
Yeah, it was just in the news too that, like, the president of Mexico, or the former president of Mexico, had been indicted or something for taking bribes for or from the two guys who, like, were higher ups at NCC Group, or who are not NCC, who, NSO Group, the ones who were behind Pegasus. Something like $15 million. Like, you know, whatever, like sign this contract kind of thing or consulting fee. And the idea was that he was basically corrupt, the President, and just kind of bringing Pegasus in on government contracts and stuff like that. So I don't know much about the Mexican government and the cartels and what their relationships are like, but seems like Pegasus might have a really great sales engineer in the. The Mexican market, you know.
Ryan
Man, that is just written 2014.
Jerry
The think tank estimated its range of 320 billion, over 650 billion per year and that they were like 1% of the world's GDP for that year.
Corey
Are you saying the Sinaloa drug cartel.
Jerry
Or are you saying widespread economic. Yeah, drug cartels in Mexico, for instance, are. Yeah, stock.
Corey
Yeah. Yeah. I mean, I believe it and I also totally believe the corruption angle. Do you think there's going to be like a white paper use case? It's like how to convince your government to buy you Pegasus. And then it's like a little nice little marketing brief that's like step one, buy a yacht. Step two, take the president on the yacht. Step three, get them to sign the contract, preferably while intoxicated.
Patterson
Right, right. Don't forget the multimillion dollar consulting fees. Got to put that in there.
Corey
Well, but don't worry because they have know your customer measures in place. There's no possible way this could be abused. It's fine. They know exactly who purchased it. It's totally fine. Don't worry about it.
John
Yeah, it was a. It was a government. It was a federal government, right? Yeah.
Corey
I mean, crazy.
Patterson
I was like a little late, but have we joked about Coldplay?
John
Yet.
Patterson
Or sent off the set, off the table?
Corey
No, I.
John
We haven't mentioned it, but am I not. Am I not young enough or old enough?
Ryan
I guess you're not.
Joff
Corey, do you really know what we're talking about?
Corey
No, I don't use the Internet.
Patterson
Oh. Oh, my. Okay.
Ryan
He only uses the Internet for the show.
Patterson
Let's keep going. Let us not.
Corey
No. Please explain in detail what the kids. What are the kids these days? What are the kids these days?
Ryan
It's the worst OPSEC you've seen in a while.
Patterson
Okay, let's just say that unfortunately, a certain CEO got busted at a Coldplay concert with his arms around a woman who was not his wife and ended up on the kiss cam, Right? And this. This turned out to be the. The most insane, embarrassing moment ever captured and destroyed his job, obviously.
Jerry
She was also the head of their HR department.
Patterson
And she was the head of HR. And this is nothing to do with information security, but this is the most monumental F up ever seen on the Internet.
Corey
The cameraman knew.
John
No.
Corey
Like, do you think the cameraman was like.
Patterson
Was he paid off? I don't know. But the. The Internet lost its mind, Corey. For. I mean, it still lost its mind for. It's still going.
John
And, dude, it's so awesome. Like, I love it. I love the. All the mashups and stuff like this.
Jerry
Like, the dude tries to hide like it's a sitcom, right?
Corey
Well, it's. You can see on their faces.
Patterson
Yeah.
Jerry
And he just ducks down and she turns around.
Patterson
I just made.
Corey
Totally.
Patterson
Just made it worse.
John
Anyway, look, this is not.
Patterson
This is not about information security, so we shouldn't.
Jerry
Discord is winning right now.
Corey
I don't know. I mean, I guess. I guess what I would say is it is kind of about Internet security because it's interesting to see how fast things can change. Right? Like, I mean, there was this book, like, what is it? Five, 10 years ago that was like, so you've been publicly shamed? That was like, basically a person who tweeted. They got on a plane, and when they landed, they had no job. And what had happened was during the plane, they got, like, a tweet that they didn't actually make, but it was under someone with the same name. And, like, it got reported to their HR department. They got fired, like, without even being involved. So, I mean, I don't know. It is crazy how fast the Internet, like, can take something like this and just spread it like wildfire. What is the company CEO of?
John
What is it?
Corey
Like, astronomer.
John
Astronomer.
Patterson
I think they were an AI related astronomer.
Joff
He's already resigned. Like, he's. He's already quit.
Corey
He's. Why? Why resign? Is it. Are we really in a world where it's like, oh, the CEO cheats on his wife?
Joff
Well, it's because the person he was with was the head of HR and the board.
Corey
Okay, but still, that's only two people out of how many people at the company? Like Elon Musk.
Jerry
Right.
Corey
Elon Musk did this to multiple VPs at Tesla. Right.
John
You know what?
Patterson
Asked him to leave. Okay. I asked him politely. I think you ought to leave.
John
I think he had just promoted that woman, too, like, recently. Yeah.
Corey
Oh, okay. So you're saying that the reaction in the video where they're like, we've been had. Hide. Also is how their careers went. They were like, well, had a good run. My career's over now.
John
Yeah.
Jerry
Yeah, I'm sure they're gonna be destitute soon.
Corey
Yeah, well, with the golden parachutes. I mean, those things only last, like, what, 40, 50 years? But, yeah, no, I mean, I would say this is a great example of why don't let your friends like Coldplay, I guess.
Joff
Or, you know, maybe don't do inappropriate things in public.
Corey
In public? When it's a live taping concert.
Patterson
Yeah, I. I was actually more amused by Chris Martin's reaction as he was talking about it. It's like, oh, are you having enough? Oh. Oh.
Joff
Okay.
Corey
Well, let's.
Joff
Let's be honest. This is like a dream for Coldplay. Right?
Corey
Although apparently they're selling out massive stadiums, so maybe they don't need this. Maybe.
Patterson
Anyway, look, we. We should move on to infosec stories.
John
I'm just saying I had a. Go ahead.
Mary Ellen
Yeah, I was gonna say, I. I can give you a cybernexus. I mean, having a background in forensics, maybe Patterson will appreciate this, but, you know, you get put on a case, and you start going through the files, and you're looking. You know, you have your keywords and stuff, but inevitably, you often find there are relationships, like romantic relationships, but, you know, it's like, stay in your swim lane. That's out of scope. Okay, but. But you notice them in an office environment, so that's my cyber nexus for you on this.
Corey
I mean, I. Is it?
John
You're right.
Corey
They're going out in public. Isn't it a decent possibility that out of the 50,000 people there, someone will be like, hey, I know you. Why are you. With you, like, even without the Internet in play at all, anyway.
Patterson
Wow. When you're yeah, when you're swimming, the pool just became the Internet and you know, life gets way more interesting anyway.
Joff
Yeah, the world is very small.
Patterson
Yeah, there are other stories.
Corey
There are other stories now that we're done being derailed by Joff.
Patterson
Sorry, Sorry. Not sorry.
Corey
It was fun. Apparently there was a go ahead.
Patterson
It's your job.
Corey
You're doing your job. It's great. Yeah, we all love it. So apparently there was also a Chrome zero day for a sandbox exploit that got hot fixed. That button at the top that's like restart to update Chrome. Just click that. It's not a phish.
Patterson
Yeah, for real. Oh, reminds me, you should make a plugin that says click here to restart.
Ryan
I feel like every other time I'm on, like every other time I'm on like a vendor call or something like that and like the dude shows they.
Corey
Share their screen and it's just like.
Ryan
A million tabs and not updated. And I'm like, bro, like, I know you think I'm gonna take you seriously. If you can't just close your Chrome.
Corey
Real quick, it's like having food in your beard. You can't save it for later.
Patterson
Look, I mean, it's inconvenient, man, because then all your password manager plugins need to be re authenticated and it's so painful.
Corey
Yeah, you've got a point.
Ryan
But also, that is security, I'll give you that. That's why you just download the executable instead of the plugin.
Corey
All right, like chrome.exe from, what was it, the website that always distributed malware?
Patterson
Not like it was just. What was it called?
Corey
No, it wasn't SourceForge. I want to say SourceForge, but that's.
Patterson
Yeah, yeah, actually, I think you're right. SourceForge pretty much did.
Jerry
Just for a while. Yeah, yeah, it was not Salttypoon.com.
Corey
No, Saltyhoon CN is the one you want there. But yeah, so basically there's a couple other vulns. There's a max severity Cisco vuln. We already talked about the SharePoint one at length. Apparently something, a bug in Wing file transfer, which I've never even heard of, but it's an FTP server. Super hot topic. Every FTP server is probably a high target after MOVEit, like.
Patterson
Yeah, but those were. Those were gold back in the day. I actually did find a stack overflow in an FTP server way long ago. I actually got creds somewhere in the Metasploit project for that.
Corey
I mean, back in 2013 when I took my OSCP you had to buffer overflow an FTP server, so it's not like this is new.
Patterson
Yeah, well, I mean, you got to get your wheels sung there, Corey.
Corey
Come on.
Patterson
You know.
Corey
Yeah.
Ryan
Can we classify it as our chicken news? The wing, since it's a wing. File transfer server.
Corey
Oh, nice. I didn't even think of that.
Ryan
You guys got.
Patterson
I see what you did there, Wade.
John
I see what you did.
Corey
This is why you're the best, Wade. This is why you're the best.
Patterson
So.
Corey
Yes, the chicken wing Transfer. Transfer. File transfer server and port 20s for drums and 21s for flats. Is that how it works?
Patterson
That's how it works. You nailed it.
Corey
Yeah, nailed it. Apparently there's another Citrix Bleed. Did we not already talk about that? I thought we did, but it's in the list. Citrix Bleed 2: Electric Boogaloo. Hilarious vulnerability. Basically the exact same as the original vulnerability, if you haven't already. Citrix. I don't know if it has a logo. It doesn't really need one because it's just an Electric Boogaloo scenario. You got number two.
Patterson
True.
Corey
But yeah, it's literally just basically the same as it was before.
Ryan
Yeah, there's one there. There's one, a little bit heavier article, since it is the year. A year's anniversary since CrowdStrike. It's down at the very bottom.
Corey
We already talked about that.
Ryan
Have we talked about it?
Corey
I mean. No, we didn't talk about the article. It was. Jerry brought up that it was the Crowdstroke anniversary.
Patterson
Yeah.
Corey
So let's. Let's dig into it.
Patterson
I just love the fact that CrowdStrike broke the entire world, first of all. I mean, we got to revel in that a little bit. CrowdStrike did it worse than. Than. Than, you know, the CEO at the Coldplay concert. I mean, they actually did.
Ryan
Yeah.
Corey
So basically, the article, Wade, is Andy Greenberg. It's a. Is it like kind of an after action report kind of thing? Like.
Ryan
Yeah, it's looking at all the hospitals that got taken down. Right. And then theoretically, like, people died because of CrowdStrike type of deal. Right. And then I don't have access to this anymore. For somebody, it was a lot like, scroll up.
Patterson
People died.
Corey
That's the unresponsive networks number.
Ryan
It's a number, yes. But people like having to be rerouted. So that's the general feel that I got. If people have to be rerouted from hospitals or the chances, there's triages. The chances. Yeah. People are most likely gonna die. So the impact of that was Pretty crazy. And it's not something that I think was talked about a lot. Like, of course we talked about the impact, but every now and then we got to think about the medical sector because they get rocked all the time, and if they're down, that's actual lives.
Patterson
Well, actually a reminder for us, because, you know, in offensive security consulting all the time, we're saying, hey, patch your. And if you're in a medical environment, the medical people will always say, life safety first. Then I'll patch my shit. Right. That's a good illustration. Right? Life safety first. Then I'll deal with the patches because, you know, human life and death is.
John
That's.
Patterson
That's a different level than, oh, oh, dear. My Windows box got, you know, exploited. But my Windows box, blue screen to death, all at the same time as the rest of the network. Well, it crossed over with human life and death pretty quickly. Right.
Corey
I mean, I will say, like, to, you know, since we usually share both sides on this show, CrowdStrike did reply, or they, like, made a statement basically saying they called the paper junk science. They noted that their researchers didn't verify the disrupted networks ran Windows or CrowdStrike. So there, the researchers were literally just looking at raw data on when were hospital networks inaccessible last year. And there's a huge spike at the exact time of CrowdStrike. It's like, well, it wasn't us. Okay. It just Internet happened. Go down that day. I will say, like, I think it is kind of the thin, thin data. The data is definitely pretty thin, and it being scientifically rigorous or whatever is up for debate. But it is interesting that if you just look at the stats on hospital network outages, you can see the CrowdStrike incident in the stats. Just raw data wise.
Patterson
Yeah, that's sobering. I mean, it really is.
Corey
Yeah, yeah, yeah. So, I mean, where.
John
Where are the stats.
Corey
Where are the stats for all of the attacks that CrowdStrike prevented? Yeah, that's. I mean, well, they aren't. Yeah. Well, you can. If you go back to the graph, Ryan, the one at the top. So, like, there's other outages or are unresponsive. Like, obviously there's a spike there it goes almost up to 50. But there's other instances. Like what happened on July 28th. Right. Like, I don't know. But almost 10 hospitals were unresponsive. I don't know. Like, it's. Yeah, I mean, that's a good point too. There's no data for that. I think no one is really debating that this type of thing is a public health or public safety or whatever you want to call it, concern. I mean, that's why the whole world lost their mind when it happened. But I think it's one of those things that of all the things to really focus on, our EDR broke everything is not the war game we should all be worried about, in my opinion.
Patterson
Yeah. I wonder though. I know there's been some follow on activity of Microsoft talking about, you know, again, trying. Trying to push developers more out of the kernel.
Corey
Oh, they are, they're moving everyone out of the kernel. It's a huge, I mean that's a sea change for the EDR game for sure. It's a huge deal.
Patterson
Yeah. And. And there's already been a substantial sea change, you know, way many years ago.
Corey
Right.
Patterson
When they, when they actually introduced this idea of kernel callback notifications and, and you know, stuff that came along when the. Back in the Vista days when they actually did kick them out the first time. Right. It'd be interesting to follow that story to see where the balance lies. Right. Because there's going to be, I expect, increased telemetry being required by these defense vendors again from the kernel. And so we're going to see extra layers of kernel software that Microsoft is going to be forced into implementing, I suspect.
Corey
Yeah, I mean, we'll see. The EDR game is about to change a lot. I mean, I don't know exactly when it's going into effect, probably sometime in 2026. But yeah, the EDRs are getting kicked out of the kernel and they're going to have to go back to user land.
John
Not all of them. Not all of them. Defender's not true.
Patterson
Well, it also means. I wonder. So user mode hooking at dlls has been a huge thing before they really had access to the kernel. Right. There's a whole history there. So, you know, it's funny that like kind of malware game is going to go focus back on user land and look at the, you know, user mode code redirection that's been happening in DLL space for a long time. So we're going to see everybody pivot again, kind of back to the old days. It's going to get interesting.
Ryan
You know, I'd almost rather go to sysinternals. Right. And just have logs rather than have a crummy edr. Like that would be my next step. Which is kind of crazy.
Patterson
Yeah. So in what form? Like Sysmon is an example, right?
Ryan
Yeah, yeah. I would go full Sysmon on everything.
Patterson
And then just Sysmon is probably going to get kicked out of the kernel because Sysmon requires.
Ryan
I thought they were, I thought they were like in lieu with Microsoft, like oh, quasi there, right?
Patterson
No.
Ryan
Am I wrong?
Patterson
It might be. They might be. I don't know. I cannot answer that question.
Corey
I mean Ronald Adams' comment is probably accurate that it's going to lead to a class action lawsuit because it definitely has the vibe like CrowdStrike is going to lobby against this. Right? Like it has the vibe of anti-competitive behavior to just be like, oh, be gone. Other, other competitors. We're the only ones. Yeah, yeah. I mean I don't know if you guys talked about it last week. I wasn't here but John sent us an article that was like AI can bypass Microsoft def.
Patterson
Oh, that's funny.
Corey
I don't know.
Patterson
Like we are seeing, we are seeing AI being used quite a lot in the process of, you know, zero day and CVE discovery. So that's not, not surprising to see an article like that.
John
There was a news story this morning about a proof of concept that got released and like within very short time, like within less than a few hours, it was like being widespread, actively exploited. And I had speculated that once you have the proof of concept and what it is, you can feed it into AI and be like, here's the thing that does the exploitation. Let's have this now pop calculator, something kind of benign, and now you kind of use AI to vibe code a little bit faster. Go from PoC to weaponized. I don't know, I'll leave that to the red guys on the team here and the red ladies on the team here. But what do you guys think about that? Do you think there's any merit to a faster PoC to weaponized?
Patterson
Definitely, yeah, absolutely.
Corey
I mean today I was literally using it for that SharePoint PoC. Literally before this call I was literally vibe coding my way.
Patterson
And right after that he went to a Coldplay concert.
Corey
It turns out I did not because I have taste. But basically the, yeah, I, I would say 100%. There was, the New York Times email this morning had like the AI versus AI discussion and I thought it was interesting. It entered a lot of cyber topics but basically the, you know, the, the article, you know, the like email from the New York Times, it's kind of like AI is used on both sides pretty equally and it, especially for social engineering, it makes the numbers game much better for the attackers because they can have flawlessly grammatically correct emails, they can have perfect vishing calls. They can have, like, they can do a lot of things that they couldn't do before because of language barriers or other things. But at the same time, defenders have access to the same thing. They can now defend in different languages. They can defend and analyze code in languages they don't understand or in, you know, programming languages they don't understand. So it's like, I don't know, it's kind of an arms race. The only people who really lose are the ones who don't have access to AI at all.
John
Right.
Patterson
Yeah. I don't, I don't think you can be an AI curmudgeon because I think you're absolutely right. The, the task acceleration factor that you get as a defender, if you've got good workflows in AI can be significant.
Corey
Totally.
Patterson
So it's, it is kind of an. It will end up being a kind of even, even race. I think it's, it's just the thing that bothers me, especially as somebody who's, you know, just turned 39 recently, is everything's moving so much quicker. It's like, slow down, everybody slow down. Anyway, what can I say?
Corey
That's why you got to use AI to analyze all the news articles and.
Patterson
Tell you, I want a neural interface so I don't have to type because the fingers slow me down. That's the problem.
John
Yeah.
Corey
Good luck with that, man. Good luck. Okay, Joffs, have you watched the latest season of Black Mirror?
Ryan
I was about to say. Oh, my. That episode where she gets the brain twice replaced. I watched that with my mom and she cried.
Corey
Yes. Go watch the first episode of the latest season of Black Mirror and then decide if you want to get a neural link installed. Yeah.
Ryan
You know what?
Patterson
I've been meaning to write that down. I'm going to write it down right now. See, this is all.
Ryan
Write it down right next to your password.
Corey
What you're going to want to do. Show us the password. That looks like a really fancy pen.
Patterson
Actually, it is. It's a military grade, just indestructible.
Corey
The military doesn't use pens. They use Microsoft SharePoint.
Patterson
Black Mirror. That's the name of the show.
Corey
Black Mirror. If you don't. How do you not know this? You're like, you're, you're. They're 10 years. This is like me not knowing this Coldplay thing, man.
Patterson
Well, I mean, Corey, we've talked a lot about how simpatico we are on some of these things. So it's, it's all.
Corey
That's true. I'm kind of a cyber curmudgeon a little bit, yeah. So what else is happening, Jerry? You got any spicy meatballs to drop in here? What's, what's on your radar?
John
So I guess one kind of spicy personal thing that people may have seen. So maybe whatever. Amazon Prime Day was July 8th through 11th and leading up to that there was a big splash of, you know, cyber threat actors had started procuring lookalike domains and they were going to be ramping up on attacking individuals around. Hey, like you're, your, your purchase is jacked up. Click here or it's going to get returned. Click here or whatever. And I didn't really see anything personally but like in the last two days I personally have seen either myself or my mother-in-law get emails and I actually got a really compelling text message yesterday and I actually have a, an order that like got screwed up and I didn't fall for it, but I was like, oh yeah, this has to do with it full thing. But it had a Bitly link. So I don't know if just kind of like the almost like the toll booth late fees text messages that were like surging maybe two, three months ago. I'm seeing a massive uptick in the Amazon spam or kind of phishing things. I don't know if anyone else on this panel is getting them or chat is getting them, but I personally am seeing an uptick and I suspect others are.
Corey
It's really funny you mentioned the toll ones because I got a toll one this morning. Literally this morning I got the. You have unpaid tolls in the state you no longer live in. I mean it, it makes sense. Has anyone gotten one? Like with all people, I've ordered so much stuff on Amazon. I've always said like years ago I was like, if someone stole my credit card and just bought like $42.99 purchases on Amazon, I would never notice. Who's cross referencing these things? Right. So it makes sense. Like orders do get screwed up. There's all these different sellers in the mix. Amazon will just email you and be like, hey, do you still want this? And you're like, is this a phish? What is happening?
Patterson
Yeah, I saw a bit of an uptick. I can relate to that, Gerald. And the parking toll thing has definitely been on a rampage lately as well.
Ryan
But yeah, let's pick up that Amazon one that someone just threw in the chat because this one I fell for.
John
The ring doorbell one.
Ryan
Yeah. Did you hear as if think it's the.
Patterson
Wait, wait, this show is not about confessions Man.
Ryan
All right, fine. I think that's the same one. There's claims that Ring Doorbell got hacked and that if you logged into your Ring Doorbell. I think this is something else though. Now I look at it.
Joff
But I saw that.
Ryan
Yeah, okay. So his claims that Ring Doorbell got hacked. And if you go into your. Everyone right now, if you go into your Amazon or go into Ring and look to see logins, you'll see a bunch of logins around May that are not you. Theoretically. Or from. They look like they're not you. Like several different devices. My wife immediately messages me and she's like, they got us. And I was like, God damn it. Like, now I'm gonna have to go do all this stuff. But suppose the article. You got it. Okay, cool.
Corey
Yeah.
Ryan
Which I would 100 everyone claimed that they got hacked. I would have. I totally fell for it. Believed it. Supposedly Ring pushed some type of update.
Corey
That made it AI writing their database.
Ryan
Oh, definitely. This is totally vibe coded. They're like. And all of the past logins from all your devices got moved up to one single day on May 28th.
Patterson
Ooh, whoops.
Corey
Yeah. Wait, but. But hold on. Was there. So there was just stuff you didn't recognize? It was like a thing.
Ryan
If I log in right now and go look on May 28, there's like several different devices pretty much like that. That saying that that logged in. Like, I had old pixels that I saw. I didn't see anything that, like, immediately stood out to me, to tell you the truth.
Corey
But who doesn't like Salt Typhoon's iPhone 13 or whatever.
Ryan
Yeah, definitely not.
John
Yeah.
Ryan
But it was a good, like, almost red herring. Like a good fire drill.
Corey
For me, it's really crazy to be the person on the development team who has to be like, guys, we just suck at coding.
John
Okay?
Corey
We didn't get hacked. We just suck at coding. It's fine.
Ryan
Yeah.
Patterson
Yeah, you're fine.
John
Anyway, that reminds me of. Do you guys remember this was like this. I think I was in college. Like, this is like the 90s. There was a Microsoft. Microsoft operating system, right? There was like an app that came in Microsoft and the icon looked like a little teddy bear. Do you remember this? And people were like, oh, if you have this teddy bear, that's malware. Like, the. The threat actors made the icon a teddy bear, and you just got to delete it to get rid of it. And for some reason, it was like a legit Windows executable that came preloaded with the operating system. Did anyone ever fall for that?
Corey
No. But I did delete system 32 a lot.
John
Bruh.
Corey
I found it. There's a Wikipedia about it. There is literally a Wikipedia about it. And I will link it right now.
Patterson
Because several people jumping in on the.
Corey
Chat going, yeah, somehow I found it.
Patterson
Really fell for it.
Corey
It's very hard to remember. JDBG manager, or jdbgmgr.exe, virus hoax.
John
Yeah. Yes. Like, yeah, yeah. I totally remember falling for it because, you know, I fancied myself a bit of a techie at the time and I was like, oh yeah, this is definitely bad. This is definitely bad, man.
Ryan
Look at that. Hover over MSN and look at that UI.
Corey
But for the record, all it was is the Java debugger registrar, which you definitely don't need. You don't need that. There's no bugs in Java. You don't need to be debugging Java.
Patterson
Yeah. Microsoft is a malware. Yeah, yeah.
Corey
It's really funny though.
John
That's just a throwback to yesteryear. We recently started a fun drinking game over at Simply Cyber. If I make like a 90s rough cultural reference, we yell drink. Like you. Obviously no one's actually drinking.
Corey
Or do you drink more if you know the reference?
John
Or you probably should. But it's, it's, it's. There's quite a few like this. This would definitely fall into that category.
Patterson
Oh, I was going to say this 2002, I wouldn't make it past 9 o' clock in the morning.
John
Yeah, yeah, yeah. Careful, careful. When we're out at Wild West Hackin' Fest, we will be doing the. Just fun fact, we will be doing the daily Cyber Threat Brief live from Dale's saloon downstairs at the Mountain View Grand Lodge there in Deadwood. Live from Wild West Hackin' Fest. This year, I've got it all arranged with Dale, or there's really no Dale, but I've got it arranged with the, with the crew over there. So if you guys are interested, you can come to a live taping of the stream.
Corey
Do we bring the drinks or.
John
I mean, I. I've got coffee and pastries.
Corey
Oh, is it an early morning thing? It's not.
John
Yes, it'll be, it'll be 6 a.m. It's, it's mountain time out there, right? Yeah, yeah, it'll be 6 a.m. That's why we can use it, because there's. I mean, even degenerate gamblers are asleep at that time.
Corey
So it's a coffee drinking game. It's a coffee drinking game. That still applies.
Patterson
Yeah. The gamblers are just rolled up under the table, snoring somewhere. Right, so by the time you drink.
Corey
Enough coffee, you'll get all the references.
John
Exactly. It's all about good times. Yeah, but it'll be 6 a.m. we go live, so you got to be there by 5:30.
Ryan
Damn, what about a slow news week.
Corey
Gosh, I do. We got SharePoint zero days, Crowdstroke anniversary.
Ryan
I want some like stunt hacking.
Corey
There's a vulnerability in Vim. Okay, but I've never been able to exit Vim, so I'm not vulnerable. Nah, no. Basically file overwrites. There's a CVE in Vim apparently is a path traversal with.
Patterson
Come on, Corey. It only takes like 10 or 20 keystrokes to exit.
John
I have a story that I'd love the panel's thoughts on. I'll drop it in chat here. Basically it was in the news today. Aruba or HPE, Hewlett Packard Enterprise, they release a. It's an SMB-designed network solution that you, you basically just drop it and it produces like a wireless cloud with like a guest segment network and an internal one and all these things. And it's got hard-coded, you know, admin credentials in it that allow you to like, you know, obviously take it over and everything. It. I, I believe you can exploit it through a SQL injection so it doesn't seem like it's super complicated to exploit. And to me this really got down to the root of like usability versus security. Right. These are designed for small to mid-sized businesses that probably don't really have IT or dependable recurring IT people. So they're trying to serve that audience by making it super easy and super simple. But when you do that, you know, you, you end up with these hard-coded creds. I guess I feel like they don't need to have hard-coded creds. I feel like you could still offer this solution without giving that type of vulnerability to it. But I was curious what other, you know, practitioners thought about this. Is this just an oopsie mistake or is this like what you would see in more product design for small to mid-sized business? I mean Aruba is a big player. This isn't like.
Patterson
I find it really, really amusing, right, Because I used to run very, very large networks in a prior life and I was working with Aruba for quite some time. But the thing I find amusing is that we can make a joke out of this because, because self configured wireless network like that would call it a pop in a box, right? That's what it is. But in this case we're Just going to reverse it and say the box is already popped. Not funny.
Corey
Okay, well I was just reading this. Sorry, I was reading this vulnerability. So I mean HPE, how many companies own this? I'm so confused. Is it HP or is it Aruba? Is that somehow the same now?
Patterson
I think HP acquired it at some point.
Corey
HP owns Aruba now.
John
Yeah.
Corey
My question is basically how old are these devices in calendar years? Are these like recently released or are these things from a long time ago? Because the thing about access points is they have a super long lifespan. Right. Like access point technology hasn't changed a whole lot. This kind of thing was super normal 10 years ago. So if they're 10 year old APs, I'd be like, eh, no harm, no foul. If this is something recent, this is like unforgivably bad in my opinion.
Patterson
Yeah, I, I would put it more in the category of unforgivably bad, but in terms of running very large wireless networks, pop in a box is one thing. If you're running a network and I was once in my life of like 3,000 radios. That's a whole different thing. Right. You know, it's, it. There's a lot of software complexity in there.
John
Yeah. I mean Aruba has this. HPE has this on like their. If you Google like HPE Networking Instant On access point wireless like, like they like. It goes right to their main selling like landing page to sell these things. So I mean it, I don't know.
Corey
The show is sponsored by Aruba Networking. No, I'm just kidding. Yeah, I mean hard coded creds, Isn't that in the OWASP top 10? Like it has to be or it's in the. It's definitely in some top 10 list of things you shouldn't do.
John
It's gross.
Corey
It's gross. It's not. Yeah. If you're. If I buy a product and it has default creds and I paid more than like $20 for it, I'm pretty upset. Like, I'm like this is not that hard to just have it make it like the serial number or whatever. You know, make it. It doesn't have to be a totally random 85 character password. But yeah, I mean even Wi-Fi doesn't have default creds anymore. Right? Like home networking. I don't know.
Patterson
Yeah, I mean admin. Admin has always been my username and password. I mean I, I like it, but.
Corey
Why not change me? Why not admin change me? That's way better.
Patterson
I don't like telling me to change.
Corey
No, it's a message to your future self to change.
Patterson
I'm talking to myself in the future. Okay.
Corey
Yes, correct.
Patterson
Change me. Yeah.
John
Thanks for weighing in on it guys. I had a similar opinion so I'm glad. I feel affirmed. So I'm good.
Corey
Well, you should know a couple weeks ago we talked about the Cisco vulnerability where if you deployed the Cisco cloud appliance at the same time as someone else that had the same credentials, like the, their credentials were randomly generated but they were like per version randomly generated. So like if you deployed a Cisco cloud appliance then you could just take that password that was randomly generated and use it to log into anyone else who generated or deployed that.
Patterson
The multi-tenant ISE thing.
Corey
Cisco. Yeah, yeah, yeah. It's hilarious. So like just know that this is still a problem. Cisco had to issue a patch and vulnerability alert and they're, you know, they're not going to be able to. People will have to manually change the credentials. So. Yeah, I don't know.
Patterson
That's awful. Really?
Corey
We can't have nice things? That's the conclusion of the show.
Patterson
Well, yeah.
John
I do wonder, Mary Ellen, like as a red teamer do you find how often do hard coded creds ever come up in real practice? I'm just curious. This sucks. But is this a common thing or is this just kind of an obscure thing?
Mary Ellen
That's a good question. I mean I, I haven't done full on red team for a couple of years now. I'm more on the hunt side of things. But back in the day, I mean I think it came up a couple weeks ago we were talking about InGuardians. So when I was with, in InGuardians, I mean it was, you know, we, we, we came across it, I mean but that was a long time ago, so.
John
Yeah, interesting. So I mean the proof is there, right? Yeah, go ahead.
Corey
I would say nowadays it's more common on internal networks. Yeah, it's rare on the Internet to see it but on like. Yeah, I mean this stuff like these Aruba APs, no one's. These things haven't changed in 15 years. So like if you do get inside a network then it's more common.
Patterson
Especially if you get on a network that's like if you get, if you get on the inside of a network that's academic or medical or even worse, a combination of both. Public teaching hospital, you will find so many devices that have common creds that are just default creds everywhere and most of those devices go to nowhere. They're like little cameras and stuff but you know, occasionally you would jump in and find like a beautiful camera with pan tilt and zoom that's like in the network SOC. So you can like zoom in on SOC analyst sticky notes for their creds, which is really cool.
Corey
I've seen hard coded IP cameras in every camera environment I've ever tested.
John
Yeah.
Patterson
And that's, that's kind of awesome when that happens. As a, as offensive operator a long time ago in the pen testing business and I don't pen test as much anymore. But everything is about credentials, not just hard-coded creds, just about everything's about credentials. Like you go after creds and you go after them hard because they get you traction.
Corey
No, we're past for this now. I don't know what you're talking about.
Patterson
Yeah.
Corey
Someone asked on LinkedIn, what are your views on aspects of passkeys? I love passkeys. WebAuthn is the saving grace of America and the world. I'm just kidding. It's fine. But I will say when we're talking about passwords, people are bad at passwords. We've proven like we can't have nice things, we can't have passwords. Passkeys are better. They cryptographically verify where they're supposed to be used. That means no adversary in the middle. Super nice.
Ryan
So. So I've put in passkeys for everywhere and I have yet to look up how it works. Like it just tells me you want to use a passkey and save it. I was like, yeah, sure. I don't know how this works yet. And I don't like want to go into it.
John
Yeah, it's pretty good coming out. I got a video coming out on it because I had. Yeah, I had the same question.
Ryan
Of course you have a video.
John
I went and did the research on it. Yeah.
Corey
Yeah.
Patterson
I mean eventually. Eventually you're like, okay, I gotta know how this thing works.
Ryan
Well, you guys don't work for a password company, so.
Corey
That's really funny. I didn't think about that. But yeah, you should probably. Was that not in the interview?
Ryan
Not that I recall.
Corey
I cannot recall how passkeys work. Next question.
John
Okay.
Patterson
The one that still gets me, and I bet you I could find this today, is to be on an internal test of some sort and still find a really old service account, you know, one that was put in when the Active Directory domain was first born, that has a six character password and is administered.
Ryan
I would love you. On my network, the first thing I do is find the oldest account. I can promote it to admin and then lock it down with login times so then everyone thinks it's an old, super old account. Honey pot.
John
Yeah.
Patterson
Yeah, It's. It's a common. Common.
Ryan
Yeah, I have one article I know we didn't talk about yesterday.
Corey
Plugs or chicken wings? What do we got?
Ryan
Plugs. When's. When's the blue team summit?
Corey
Mustache?
Ryan
Oh, it's fine. I almost got rid of it. Now, Now. Mask. Mask.
Patterson
The stash. That's so itchy. I don't know how you deal with them.
Ryan
I don't either. Did you know. You know, I. I grew it because of BHIS. Like, I was gonna do it. Yeah. I was supposed to do like a D&D cyber thing, and I was playing Ted Lasso. Like, I made a tryout video and everything. And then I just kept it. And then now too many people know me by the mustache and I can't get rid of it.
Patterson
Oh, my God.
Ryan
It can fix the works.
Patterson
Coming out of way today. Just like, off the work.
Corey
Yeah. We have a Blue Team Summit coming up August 27th, post DEF CON, post Black Hat. Hacker Summer Camp is two weeks from now. So that's happening. Yeah.
Patterson
Scan this QR code. It's totes legit.
Ryan
Are you going, Corey? Are you going to DEF CON?
Corey
I don't know. It's kind of. It's kind of funny because I actually have a client who wants me to be there and do, like, a physical engagement during DEF CON. I'm like, is that a good idea? That doesn't seem like a good idea. But we're probably gonna do it anyway because, you know, when a client asks me to do something, I do it because it's fun. Anyone else? Jerry, you got any plugs? Yeah, Plugs? Yeah, got a video. Video about MFA coming out?
John
No, about pass keys. About pass keys.
Corey
Oh, yeah, sorry.
John
Yeah, that'll be coming out. I'll be in Vegas at hacker summer camp if anyone sees me. I got my 2025 edition of my stickers out right now for Simply Cyber. The QR code goes directly to a playlist that I made you. It's full of 90s hip hop music. So if you're down with that, come find me and I'll slap one of these.
Wade
Show that again. Show it again. One more time.
Corey
QR codes work reversed. I don't think it matters.
Wade
Yeah, but it looks so nice. I wanted to get that. There we go. That's a cool sticker.
John
Yeah. Thank you.
Corey
Now everyone can leak your sick mixtape.
John
That's right. Yeah, go check it out. I think it's dope. I curated it myself. And we are throwing a bit of a mixer on August 8th, the Friday of DEF CON. So if you're down with. I know this is Black Hills thing, but if you're down with Simply Cyber and you're part of the community and you want to come hang out, high five. And have a beer with other community members, we'll be out there from 4 to 7. My treat. So where it is at Zombie Beer Brewing, there's actually a. If I'll put it in chat right now. There's actually a registration page because we have a hard headcount for the number of people that can fit in the building before it becomes a fire hazard. So we have to do registration, but I'll send that over. There it is. Not directly. You have to take an Uber to get to it. It's like a five minute Uber away, though.
Patterson
Forget Black Hat, man. I'm. I'm gonna fly to Vegas just to come to that.
John
Yeah, come on down, Josh. I'm gonna drop it in chat right now. Are we about to end the stream? Well, I guess Discord will persist.
Corey
Discord will live forever. It's okay. Thanks.
John
Thanks, everybody.
Corey
Yeah, see ya. Have a good week. Bye. Bye.
Patterson
Bye, Sa.
Podcast Summary: "Microsoft's OverSharePoint 0-Day Exploit" – Talkin' About [Infosec] News, Powered by Black Hills Information Security
Release Date: July 23, 2025
In this episode of "Talkin' About [Infosec] News," the Black Hills Information Security team dives deep into the recent revelations surrounding Microsoft's SharePoint zero-day exploit. The conversation is lively, informative, and peppered with both technical insights and light-hearted banter, making it accessible for both seasoned professionals and newcomers to the infosec landscape.
Overview of the Vulnerability
The episode kicks off with a discussion about a critical SharePoint zero-day vulnerability (the CVE identifier is not stated in the episode). Corey introduces the topic at [04:11], emphasizing its immediate relevance:
Corey [04:11]: "It's July 21, 2025. It's SharePoint Monday. Yay. There's a SharePoint CVE. Basically, if you don't already know about that spicy one..."
Details and Recommendations
John provides a nuanced perspective on the exploit's risk factor:
John [05:54]: "I did look at the EPSS score for this one and it was seven hundredths of 1%. The likelihood that you would get exploited in the next 30 days is not very high. But it's also not something to mess around with."
He advises organizations to prioritize patching, and suggests that where SharePoint is unused or legacy within an environment, it may be safer to decommission the server altogether. Corey adds a cautionary note based on anecdotal evidence:
Corey [06:31]: "I mean, I don't know. Anecdotally we have one customer that already got popped, so I would say take it down to patch it."
Server Statistics
Corey shares alarming statistics about the distribution of vulnerable SharePoint servers:
Corey [09:07]: "Iran has the most with 2300, then the US with 1600, then Malaysia with 1300, then Canada with 332, then Germany..."
This distribution indicates a global reach, with Iran surprisingly leading the count. John expresses curiosity about the geographical concentration:
John [07:46]: "Did you see that on Shodan? Like, is it centralized in certain areas of the world?"
Market Shift to Cloud Solutions
Corey observes a trend towards cloud-based SharePoint solutions, which likely mitigates some risk:
Corey [07:21]: "Yeah, I mean there's only 8,000 servers. That's actually not that many. I think most people have moved to Cloud SharePoint at this point."
AI Misuse in Database Management
The discussion shifts to the risks of integrating AI into critical operations. A Reddit post about an AI coding assistant (Replit AI) deleting a production database serves as a cautionary tale. John offers a strategic viewpoint on managing AI:
John [10:41]: "You should think of AI as like a junior engineer or an intern. Don’t give it access to delete production databases."
This analogy underscores the importance of access control and risk management when deploying AI tools within sensitive environments.
AI in Exploit Development
John further speculates on AI’s role in accelerating exploit development:
John [41:00]: "Once you have the proof of concept and what it is, you can feed it into AI and have this now weaponized."
The team concurs that AI could shorten the timeline from vulnerability discovery to exploit deployment, heightening the urgency for robust defenses.
Incident Overview
A significant portion of the episode is dedicated to discussing a recent FBI breach linked to the Sinaloa drug cartel, potentially attributed to the threat group Salt Typhoon. Corey summarizes the situation:
Corey [13:08]: "U.S. forces must now assume their networks are compromised. There's a DoD report released after a FOIA request..."
Consequences and Reactions
John critiques the effectiveness of existing standards like FISMA in preventing such breaches:
John [14:03]: "FISMA hasn't been updated in 23 years and it's still the standard, like rubber stamping systems."
Corey highlights the impact on critical infrastructure:
Corey [18:58]: "Alaska Airlines was grounded overnight... The Office lost control."
The conversation reflects deep concerns about nation-state actors infiltrating government networks and the broader implications for national security and public safety.
Impact Analysis
The team revisits a past incident involving CrowdStrike, which allegedly caused widespread outages in hospital networks. Corey brings up recent developments:
Corey [35:12]: "I think it's one of those things that... EDR broke everything is not the war game we should all be worried about."
John elaborates on the potential consequences:
John [35:12]: "The Department of Defense and the entire US federal network are like massive cargo cruise ships... You can't just spin them around."
CrowdStrike’s Response
Corey notes CrowdStrike’s rebuttal of the claims:
Corey [35:12]: "CrowdStrike did reply, they called the paper junk science..."
The team remains skeptical that the data clearly links CrowdStrike to the outages, stressing the need for more comprehensive and scientifically rigorous analysis.
Kernel vs. User Land
A significant discussion centers on Microsoft’s strategy to move Endpoint Detection and Response (EDR) tools out of the kernel and into user space. Patterson shares insights into the historical context:
Patterson [37:11]: "User mode hooking at DLLs has been a huge thing before they had access to the kernel... Malware game is going to focus back on user land."
Corey anticipates profound changes in the EDR landscape:
Corey [37:24]: "The EDR game is about to change a lot... They are going to have to go back to user land."
This shift is expected to alter the dynamics of both defense mechanisms and attack strategies: defenses may become more resilient to kernel-level failures, but security teams will need new approaches to detection in user space.
Adoption and Benefits
Corey expresses strong support for passkeys, highlighting their security advantages over traditional passwords:
Corey [57:57]: "I love passkeys. WebAuthn is the saving grace of America and the world."
Ryan admits limited understanding but acknowledges the potential:
Ryan [59:45]: "I have yet to look up how it works... I don't like want to go into it."
John indicates forthcoming content on the topic:
John [59:50]: "I got a video coming out on it because I had the same question."
The team recognizes passkeys as a significant step forward in authentication security, reducing reliance on vulnerable password systems.
Aruba HPE Network Solutions
John raises concerns about recent vulnerabilities discovered in Aruba’s network solutions, which include hard-coded administrative credentials and potential SQL injection vectors:
John [53:13]: "Hard coded creds... exploit it through a SQL injection..."
Corey firmly criticizes the security lapse:
Corey [55:18]: "If you buy a product and it has default creds and I paid more than $20 for it, I'm pretty upset."
Patterson agrees, emphasizing the importance of secure default configurations:
Patterson [56:03]: "Change me. Yeah."
Cisco Vulnerabilities
The conversation touches upon recent Cisco vulnerabilities related to multi-tenant environments and credential reuse:
Corey [56:11]: "Cisco had to issue a patch and vulnerability alert... People will have to manually change the credentials."
The recurring theme is the critical need for secure credential management across all devices and products.
JDBGMGR.exe Virus Hoax
The team reminisces about past security hoaxes, such as the JDBGMGR.exe virus myth, using it as a humorous yet educational moment:
John [48:15]: "I totally remember falling for it because... run into the server room."
Corey shares his own anecdotes:
Corey [49:20]: "It's very hard to remember JDBG manager or JDBGMGR.exe virus hoax."
These stories serve as reminders of the evolving nature of security threats and the importance of critical evaluation of security alerts.
The episode wraps up with discussions about upcoming events, community engagements, and a blend of technical topics with cultural references. The team remains committed to providing insightful and actionable security news, underscored by their collaborative and engaging dynamic.
John on AI as a Junior Engineer:
"You should think of AI as like a junior engineer or an intern... manage that access and scope it so the blast radius is managed." ([10:41])
Corey on SharePoint Servers:
"Yeah, there's only 8,000 servers. That's actually not that many... most people have moved to Cloud SharePoint at this point." ([07:21])
John on FISMA Standards:
"FISMA hasn't been updated in 23 years and it's still the standard, like rubber stamping systems." ([14:03])
Corey on Passkeys:
"I love passkeys. WebAuthn is the saving grace of America and the world." ([57:57])
Patterson on EDR Changes:
"User mode hooking at DLLs has been a huge thing... Malware game is going to focus back on user land." ([37:11])
Immediate Attention Required: Organizations using on-premise SharePoint should urgently patch or decommission their servers to mitigate the exploited zero-day vulnerability.
AI in Security Needs Governance: While AI offers powerful tools for both defense and offense, it must be managed with strict access controls to prevent inadvertent or malicious misuse.
National Security at Risk: Recent breaches in federal networks highlight deficiencies in existing security frameworks like FISMA and underscore the escalating threat from nation-state actors.
Evolution of EDR Tools: Microsoft's move to shift EDR out of the kernel signifies a major shift in security tool architecture, necessitating new defensive strategies.
Adoption of Passkeys: Transitioning to passkeys presents a robust alternative to traditional passwords, enhancing authentication security across platforms.
Product Security Flaws: Persistent issues like hard-coded credentials in network devices emphasize the ongoing need for secure design practices in product development.
Learning from the Past: Historical security incidents and hoaxes provide valuable lessons in vigilance and critical assessment of security threats.
For a comprehensive understanding and real-time updates, listeners are encouraged to tune into future episodes of "Talkin' About [Infosec] News" by Black Hills Information Security.