![The CVE Saga - Talkin’ Bout [infosec] News 2025-04-21 — Talkin' Bout [Infosec] News cover](https://assets.blubrry.com/coverart/orig/577207-646458.jpg)
John
I got the warning for the earthquake before it hit, which was crazy. All of a sudden, my phone blows off as, like, incoming earthquake. Like, duck and cover. And most of the time, like, the earthquakes aren't that strong, right. But it actually flashed the strength of the earthquake on the screen, and it said it was going to be a 6.7. So if you don't know, 6.7 is pretty big in 1994, that's. A 6.7 is what, like, lowered all of LA? Pretty much.
Corey
What? Sorry, what TV is.
John
That's you.
Wade
Sorry.
Mike
Right.
John
Only 6.7.
Wade
No.
John
So I was, like, a little freaked out, and I was like, well, I'm upstairs. I'm not going to be able to run downstairs with that gnarly of an earthquake. And I'm like. I just stood over next to my huge monitor and held it, and I'm like, all right, I'm ready for this.
Corey
Use the monitor. Like, use the monitor to shield your body.
John
Like, it's actually big enough. You are. That. I could have. I could have done that. That.
Mary
And while it's happening, you just scream, no.
John
Oh, dude. I was. I was, like, ready to run, like, the moment it stopped. But it was pretty cool that I actually got the message on my phone before it hit. That was the freaky part.
Corey
Do you remember that missile test from Hawaii a few years ago where it's like, this is not a drill. There's an incoming missile. It's like, what do you do? Be like, well, I guess this is the end. Like, what do I. That one was missile.
John
That was so. Like, there's people. Literally, like, I didn't know which one of my children to go to get at a school before, and I'm like, blue. That was.
Corey
I mean, I would say, save the monitor. Worry about the kids later. No, I'm just kidding.
Mary
Oh, man. Goodness.
John
But, yeah, the earthquake was only, like, a 5.2, so it wasn't bad. Hey, just a little earthquake.
Mary
Just a little bit.
John
Yeah.
Alex
I. I would show my background, but this is. I'm actually in, like, a storage room.
Wade
But it also makes it look like you're the old man yelling at Cloud.
Alex
Oh, really?
Mary
That is perfect.
Alex
Wrong direction, and my camera's following me. Dang it.
Mary
Yeah. You can't get away.
Wade
Yeah, get away now.
Mary
There's no getting away.
Wade
How's my audio? Sounds good.
Corey
It's good. Your camera's a little bit like, this person tried. Or your camera's like, this person tried to unlock your iPhone a little bit.
Wade
Yeah. Let me see if I can do this without crashing my system.
John
And he's gone.
Wade
No.
Mary
Blink. Okay. He blinked. Okay, he's still there. There he is.
Chris
Yeah.
Wade
How's that zoom? Is that a little better? All right.
Corey
It's less. This person tried to unlock your iPhone meme from 2016.
Wade
It's great. I've got the camera hub software, which works like a champ 50% of the time. The other 50% of the time, it completely seizes up my camera and, like, freezes my computer. But it's okay because I'm on a Mac and you know Macs, they just work, right?
Corey
That's right. Yeah, that's right.
Wade
It's Mac chick slogan.
Alex
Unless it tells you to restart it. Like. Like Microsoft.
Mary
You got to hit him with that link with the Macintosh. Gotta hit him with the Macintosh.
Wade
Macintosh, yes. That sounds. Dude, it sounds like you should have a monocle and a glass of wine. It's like we call it a Macintosh in my house.
Mary
With a little jazz playing in the background.
Wade
Is that Kenny G? What the hell? That's the thing about jazz, man. That's one of the things I hate about jazz. Like, you know, if you. Somebody's like, yeah, I like jazz. It's like flip a coin. Because it's either Kenny G or it's Calloway, right?
Corey
Whoa, whoa, whoa, whoa, whoa. Neither of those are jazz.
Wade
Blues. That's my problem.
Alex
He hates them all and they're all hijazed to him.
Corey
Okay. Kenny G is. I would define as easy listening. It's basically like elevator music. I don't know.
Wade
Oh, yeah, yeah.
Corey
Not in a bad way. Sometimes I want to be an elevator for like 8 hours.
Mary
Raddus. I am not a Mac user. I use the pure.
Corey
Have you seen his username? Come on.
Wade
Question. Well, what's your operating system? But you. Raddus is right. What's your TCP/IP stack? BSD.
Mary
I'm using Pure FreeBSD 14.2 on a.
Wade
Lenovo Mac, Linux and BSDs using the NetBSD TCP/IP stack.
Mary
That is correct.
Alex
Where does that fall in the OSI model?
Wade
Fuck you. We live.
John
We haven't given any money.
Wade
Later.
Alex
Have a good one.
Mary
The Mario coins are ringing right now.
Wade
Since we're now we're moving on to funding CVE programs through bank. Spoiler alert.
Corey
Yeah. No. No spoilers. John. Roll the finger.
Wade
Let's roll the finger. Smell the glove. Hello and welcome to another edition of Black Hills Information Security Talkin' Bout [Infosec] News. My name is John Strand. In this edition we're going to be talking about how Chris Krebs is a hero. Not mince any words, just jumping straight into that. Then we're going to move into the Sophos annual threat report. Really nice little threat report. We're going to talk about how the CVE program funding is dead. No, wait, it's back on again. Then we're going to talk about how 4chan is dead. No, wait, it's still dead. And then an absolutely top notch blog post from Unit 42 about how they were able to track adversaries and their antivirus and what they were doing and how they were trying to bypass stuff. Just really, really super cool, yet somewhat scary little report coming from Unit 42. With that, I've got a huge group of people here and I. Out of all those stories, folks, which story. Which story do we want to start with?
Corey
Because we got to talk about the CVE thing. Everyone's. It's the thing. It's a story of the day.
Wade
Those rare things where something is such a big news story that my family members that have nothing to do with computer security were asking me about it on Easter.
Mary
Wow.
John
I thought you were going to give an emergency newscast. I was like, ready for it.
Wade
I was too. Honestly, if we got in today and the funding did not go through, I would probably be doing an emergency newscast. And honestly, what the hell would we do if we lost full Common Vulnerabilities and Exposures?
John
I. I was gonna ask you. You lived in the time before, right?
Wade
Yeah, it was awesome. Everything was 1999. You went to Packet Storm, you did a search, you found it, you exploited that thing. And then you were done for work for like a week. It was great. The before four times, son. They were. They were awesome.
Mary
And then talk about it on Phrack.
Wade
Yeah, and then we talked about it.
Corey
And then.
Wade
And then write up, dude. The full disclosure mailing lists. Remember, like, you would go. You would go through Mary Ellen. You were part of that generation too. And Luke, I don't know. Yeah, but we would. That was it. That was the trinity. It was Packet Storm Security. It was Full Disclosure. And then Phrack would be the magazine that would have that sometimes. Emmanuel Goldstein with 2600.
Corey
What about 2600. You got to write up.
Wade
But he was kind of weird. I don't know what actually happened with him. I heard all kinds of interesting rumors about him. And. And I don't know. That's what we did back in the day. And is that where we were going to head to if we lost CVEs?
Chris
Take it back?
Corey
I don't know. I mean, I think of CVEs as a. It's like one of those things where like I wouldn't think about it until it was gone and then I'd be.
Wade
Like, oh, and it might take a while. You'd probably coast for a while.
Corey
Yeah, I, I mean a lot of people were joking in the chat like, oh, you know, we don't need CVEs. Most things are misconfigurations and social engineering. Right. Which is kind of true. But also like we do need CVEs because fixing vulnerabilities is the only reason why social engineering works because all the vulnerabilities are fixed. If you, you know, social engineering is a fallback from just the days John's talking about where you just shell something on the Internet. Like it's, you know, the olden days before patching and vulnerability management were a little rough.
John
I like as a detection engineer, they're, they're so vital, they're. Recently I forget what vulnerability came out, but a news source actually published before the CVEs were published and we didn't have enough data to actually build out that detection or even trust that news source. Right. So having the CVEs is one, a trusted news source that we can go to and verify that we all believe in. And the second is it just provides you that a little bit more information in order to protect yourself against it.
Corey
So yeah, John has a spreadsheet he wants.
Wade
Yeah, you know, it's awesome. Spreadsheets, people. So this is the last six months at BHIS. This is by count, this isn't by severity, but these are the top number of vulnerabilities by count that we have discovered.
Corey
From BHIS pen test reports.
Wade
Yeah, from standard pen testing. From standard straight up normal pen testing. And if you're looking at it, like, we have server supports weak TLS. By the way, you might say that this is absolutely lame, that it shouldn't be there. But remember it's required to be reported on for PCI level reports. But right there, number two is unpatched software.
Corey
Well also there's tons of CVEs for number one. There are, there's probably like 30 of them.
Wade
Yep. Then we have information leakage via third party public breach. So Corey. Huh huh?
Corey
No CVEs for that one. Sorry.
Wade
Unsupported software. Number four, weak password policy. We got TLS/SSL certificate errors, vulnerable and outdated components. So this gives you an idea of what we are actually seeing on the ground at BHIS. So yeah, those CVEs are kind of.
Corey
Important, folks. I mean, some of these don't have CVEs, but most of them do. So I did a little bit of deep diving before the show on just how the heck the CVE program even works. I think I'm more confused now than I was before. So does anyone know what the actual program cost was? It was $55 million. That's how much the contract was for. Wow. And part of me is like, okay, that does sound like a lot of money. But then I'm like, well, they probably have a ton of staff that are, like, validating these CVEs and, like, I mean, their secret, 55 a year. I. I don't know.
John
I. I agree with you. That does seem like a lot.
Wade
We're all like, wait, wait, wait. Let's. Let's back up for a couple of seconds. Okay, so if you're trying to set this up like MITRE was doing, and I do know that MITRE was doing this, we can talk about the scoring of the CVEs. But a lot of what MITRE was doing was trying to validate those. Right? You have a lot of vulnerabilities that are coming in. There's a huge amount of triage that has to be done. Then you have to go through and you have to basically, like, test it and validate that. That is, in fact, a vulnerability talk. Then they coordinate with the vendor. And I want you to think, like, every single time I mention a new thing, I am talking about a different group and a different flowchart of how that's actually done. Then you have to continuously monitor the existing CVEs to see if the scoring has to change due to different circumstances. Right. So 50, 55 million seems like a lot of money. Okay, it totally is a lot of money. But if you look at, like, the fact that it's bureaucracy, you look at it, it's bureaucracy interacting with commercial. And you look at the politics of it. Corey, think about every time we've tried to go to a vendor and have a conversation about a vulnerability we've discovered and what an absolute nightmare that is. And now multiply that by like, a thousand. And I can kind of see why CVEs are that expensive to process.
Corey
Yeah, I mean, I get it. It's resources. A lot of resources. I mean, I will say there's also the National Vulnerability Database, but that is slower. Right. Like, there's. There's like a lag time of up to two weeks for vulnerabilities being added to the NVD, which is, wow, you know, if you're trying to react quickly, which you kind of have to these days, you need something faster than two weeks later. Oops. You should have patched that before that ransomware threat actor found it. No.
Wade
Let's get back to the question of the before four times. So do you think that exploit developers and people that are, like, writing exploits and loading it into, let's just say, Metasploit and things like that, are they actually waiting for the CVE or do you think that most of them are working, like, as soon as there's wind of a vulnerability, they're working to develop those vulnerabilities? That's what I'm confused about. Like, what is the chicken and the egg with CVEs versus exploits versus threat actors and how that's all in a relaxed, like, are the CVEs coming after the threat actors are using them and these things have been discovered, are they coming before? It seems like it's a mix to me. Like some of them are released. It's all of.
Corey
Sometimes CVEs are going to be cut potentially years before a vulnerability is ever disclosed. Right? Like, they'll contact researchers who are doing responsible disclosure, will contact MITRE way in advance and be like, hey, I found something. You know, can you assign me a CVE so I can report it to the vendor and, like, make it a real thing? Other times I'm sure it's like this has been observed in the wild, like the Log4j thing. It's like, oops, we didn't get one in advance for that one.
Wade
That one got away. Sorry.
Chris
And that kind of gets at like my, my separate rant. Like when we're talking about MITRE and responsible disclosures and vulnerabilities and things that you know of ahead of time. Like, I kind of want to go a little bit ranty on the, like, this isn't how we responsibly disclose things. Like you get a, a MITRE notice that, hey, there could be a problem tomorrow. And what do you do instead of using all the back channels, the TLPs that we set up, all of the information sharing that we set up now, you just, you just drop it on social media in order to get to increase like your, your Internet fame score. Because like through MITRE and when we're talking about like how vulnerabilities are disclosed through MITRE, through some other sources, like, I've known things that could potentially break tomorrow. And you go, okay, well you need to keep this on my wraps. Do I keep it under wraps or do I do the security professional thing and go, you know what? I'm not going to keep this under wraps because YOLO and Internet points. Let me, you know, let me go do this. Because if we have like a. If your organization, let's say you were in a financial institution, you get hit with ransomware over the weekend. There is rumor that, hey, a lot of these banks aren't going to open up on, on Monday unless we get this thing fixed. Do you go out on like Sunday or Saturday night, Sunday, and go, hey, I need to let the world know that all these bank branches might be closed on Monday. There may be a panic, there may be a run on these things. Do I add to the panic or do I just sit there and go, you know what? Why don't I trust our engineers to actually get these backups up and running in time? And lo and behold, they get everything up and running on a Sunday afternoon. Bank branches are open Monday. Really? No disruption?
Wade
Well, depends on the person. I think that that's a huge thing, right? And I think one of the main things that you can look at is if you're an exploit dev or you're somebody that's doing vulnerability research, get out of your own ass. I think that there's a lot of vulnerability researchers that they look at the vulnerability that they've discovered or something like that, and they want to see something done immediately with it. And they hate the bureaucracy. And it's like, no, we've got to let everyone know about this right away. We've got to deal with this right away. And pause, take a deep breath and wait. That's one side of the spectrum, right? You don't want to rush this stuff, especially if it's going to lead to organizations and actual harm to individuals. And I've seen people that have done security research where they're basically like, no full disclosure, immediate. And there is an advantage to that. If you release that vulnerability and you're going through coordinated disclosure, it can take months and it is an incredible pain to do it. If you release it on Sunday, that thing will be patched on Monday or Tuesday. Tuesday, right. But there is going to be harm that comes from that. By the way, speaking of Palo Alto, we'll be talking about them here in a couple of seconds. The other side of the spectrum, the hold on the other side of the spectrum is we absolutely have situations where we have disclosed vulnerabilities to a vendor through a customer, and they're still not fixed. And BHIS has taken the policy of these particular vulnerabilities if we're testing customer A and we find a vulnerability in vendor one, two or three, we leave it up to the customer to notify and coordinate that with the vendor. And the reason why we do that is because it's a huge time suck. It's a tremendous loss of money for us to try to coordinate that with the vendor. 
And honestly, we see our customers have much better success going to a vendor and saying we're not going to spend money on your product or I'm going to go to my local ISAC and I'm going to release this vulnerability publicly through my ISAC. It takes BHIS out of that particular context. So it's absolutely a pendulum. It's absolutely kind of like a gradient of scale from one side to the other. But going back to a tester or researcher, if you find a vulnerability, get out of your own ass, have conversations with numerous people and don't be so hot to release the vulnerability that it has to get out there as quickly as possible. Be more like Dan Kaminsky, where you manage to piss off everybody in the process, because if you're making everyone mad, you're moving in the right direction.
John
So how much it costs? Black Hills, it's $55 million they lose. It's about 55 million.
Wade
I will take over the CVE program and I will run it for 20 million.
Mike
Going down that hole with, with the CVE program itself and now the new foundation that is spinning up to try and decentralize it. The 55 million is only one year's worth of budget. Can we get this whole thing decentralized since so much uses it besides the MITRE ATT&CK, besides your EDRs and a number of your other stuff that are using these CVEs as a way of giving you threat research and threat information?
Wade
There's another whole part of this Mike.
Mike
Will it be able to go ahead and get spun up and decentralized within that sort of timeframe before we're looking at this defunding again?
Wade
And there's a huge problem with that. It's not just the funding aspect of it, but it's also, there's a bottleneck there. There's a whole bunch of vulnerabilities that are not in the queue. I've talked to security researchers that are like, I've got a zero day and I submitted it months and months and months ago. And because I'm not Microsoft and I'm not Google and I'm not a well known security research group like Unit 42, my ticket for the vulnerability that I've discovered has gone to the bottom of the queue and it's not being addressed because of bureaucratic overhead. So I agree, but that's been true since 1999.
Corey
That always been the case.
Wade
It has.
Corey
And again. Well, go ahead.
Mary
And I was about to say, and again, that could be the slogan. If you're going to make everybody mad, you're moving in the right direction.
Wade
Yeah. I'll tell you what I thought about it. BHIS can piss off everybody for $20 million. That's the lowest I can go per year. We'll take this over. We'll make everyone mad in the process.
Corey
Oh my God. So, okay, I would basically say I think of CVE as kind of like the MITRE ATT&CK framework, because they're great and they're useful but they don't cover everything and they never will. It's the same thing about, you know, not every TTP is going to be covered in the MITRE ATT&CK framework. If you're a true novel new nation state adversary, you should be operating outside of the ATT&CK framework because otherwise you're, you're, you're not doing too hot. Right. So I think like CVEs aren't going to cover every vulnerability. They're not going to cover like there's no CVE for your employees. Nice. And let someone into the building. Right. Like, but I think it's also like kind of the currency of traditional vulnerabilities of like N-days or whatever you want to call them. Those. If there's no CVE, that doesn't mean it's unfixable, but it makes it a heck of a lot easier to fix. If there is a CVE, there is a patch or there is a responsible disclosure like associated with it. Like it's, it's a necessary service.
Wade
So Corey, think about, think about it like this, right? And this, this is, this is going to enrage you even more, right? CVEs are foundational for vulnerability analysis tools, right. As vulnerabilities are discovered, you have to set the CVE level and you're going to set what is the remediation for PCI. Right. So that's another layer that's on top of it. And I think that that's part of my frustration is CVE is the bedrock of kind of the mediocrity of computer security, whereas you're basically saying, well, you got to fix everything with a CVE score of 7.2 or higher. Right. Like these are just arbitrary crap numbers that people pulled out of their ass for these things. And then they basically are building our vulnerability scanning, they're building our remediation plans and everything else on top of it. And while I think that that's, that's stupid and we absolutely could be better at doing it, like Mike was talking about, let's open this up, let's try to find a way to decentralize it. But at the exact same time, there's so much like process and we want to have formulas and we want to say these are the levels of vulnerabilities we're going to address first and we're going to ignore anything with a score of 5 or lower. It's kind of like we need that mediocrity for a lot of organizations to even begin developing a functioning security program. And that's something that just burns me is that's kind of the foundation for all of this stuff that becomes mediocre computer security all the way through.
Corey
Well, but you need mediocre.
Wade
You do security. Yeah, and I agree.
Corey
And also you did kind of combine CVE and CVSS, which are technically two different things, but yeah, I mean, basically, I guess before we spin on this forever, that we're talking about an effort to decentralize this. Have there been steps taken to do that by certain people that might be in our community? And if so, what is that going to look like? What is the CVE Foundation? What is that?
Wade
Well, and for me, I'm just throwing poop at the wall. It's like, I don't like these things and I honestly don't have a better solution for it. But it is something that's bothered me for a long time in my career.
Corey
Well, I would argue you do have a better solution for it. It's called pen testing. But anyway.
Wade
Yes, yes. Oh, that's right. That's the company I have.
Corey
Yeah, you totally bring it up because.
Wade
I'm totally not biased at all.
Corey
You did that thing where you were like, vulnerability scanning isn't everything. Maybe it doesn't tell you the full picture. Maybe you should get an expert to look at your CVEs and make a decision intelligently.
Wade
Yes. And I did in my rant, conflate CVEs and CVSS scores. That's absolutely 100% correct. I did.
Corey
But they are, they're all in the same. You basically have like, if we're talking about, to use the term John coined, mediocre security baselining or whatever you want to call it, you have CVEs, which are the numbers assigned to specific vulnerabilities. You have CVSS scores, which is a 0 through 10 rating of how much should you care about this. And then you also have the, like, there's a bunch of other components. You have the actual. What is it called? The numbering authority or whatever that assigns. There's like a whole list of things, but yeah, basically have multiple components and these. I want to be clear, this whole CVE world is extremely. There's a. The Brian Krebs article has a diagram of how vulnerabilities and CVEs work, which I can link here. But basically it's like, I mean, yeah, you can see this article just. Or this diagram it has, you know, you. I found a vulnerability. Okay, so it goes to MITRE. MITRE's like, okay, maybe we'll assign a CVE number. Then it goes to the vendor. Then they, the vendors pick the numbers, by the way, like Adobe or Microsoft picks the number. What? So, yeah, I mean, it's a huge group of. A huge group of companies and resources. And yeah, it's a really complicated system.
John
But this took me like two minutes to figure out just where we start on this map. That's how complicated it is. I was like, is my. Coming from the left, the right.
Chris
And then, yeah, I was, I was a CNA for like a year for a company. And yeah, saying it's complicated is an understatement, I believe. Like, you get a block of numbers pre-assigned to you, though. So they go, it's like, how many vulnerabilities do you anticipate having this year? And they kind of carve out that block for you going, okay, whenever you have something that you know, internally you're working on, you can just assign it to this number. So then when I got wind of, hey, there's a researcher that's reaching out to us. Here we go. Okay, all of that work, we're going to assign that to CVE-2025-whatever we were assigned. And we just cross that off the list and work on creating it.
Wade
But I've got a timely thing. Alex. Banjo Crash Land. Joseph just came up with a T shirt idea that says, my CVSS score is 11. We need that shirt.
Corey
Yeah, it goes to 11 on it.
Mary
You should put that on the front and on the back it should say, what's yours?
Wade
Yeah, there you go.
Chris
And my experience is where I came up with the. The kind of the phrase of like, we're not. I'm not here to call your baby ugly. I'm here to make sure that crib is safe. Because try going to engineers and arguing with them about like what the CVSS score should be. Like, how much risk is there in this little like granular area of the calculations? And they're like, see, I've been, I've been an engineer for longer than you've been alive. And I'm like, but I still need to release the CVE.
Wade
And that gets back to what Corey was talking about. There's we, we have these people all the time that are like, we need to get rid of pen testing as a field, right? We don't need pen testing or we can completely automate pen testing. And I think that if we're looking at the top of that pyramid of SOC, right? You got CVE, CVSS score, vulnerability scores, you have all these things and then you have companies out there that are like, well, we can just automate pen testing because all we need to do is find the vulnerabilities with the CVSS scores, make sure that we have exploits for the ones that are available, we exploit those and it's basically creating this self sniffing fart where we're watching like we're trying to define the entire security vulnerability community with CVEs and CVSS scores. And that's like, if you're an idiot and you know nothing about computer security, it becomes really, really easy for you to say, well, these are the vulnerabilities we've got to fix. So we just had a magical tool that could automatically exploit those vulnerabilities. That's a pen test. And I go back to like my chart, you know, of some of the things that we've discovered. A lot of those don't have CVSS scores. They're not CVEs, they're just kind of vulnerabilities that the pen testing community finds out. So now I'm going to get an angry email from a bunch of AI automated pen testing and I want you all, I love those emails, please send them in because I've got my own folder and it's a dumpster fire folder. I'll put a dumpster fire on it. And sometimes when I go to bed and I worry about whether or not I've done the right thing in my life, I just go through that folder and I read it and it helps me sleep like a baby at night. So send me your hate. It helps me sleep.
Corey
So, okay, I have one joke and then I do want to wrap up the CVE discussion. So my joke is, what is the CVE number for the DoS of the CVE system? Is there a CVE for that? Because apparently the US government, a nation state, can just DoS the entire CVE system. That's a 10 critical CVSS, right?
Wade
Yeah, it's got to be a perfect 10.
Corey
Should I report that? Should I responsibly disclose that?
Wade
You should. Let's see where it goes. If I'm looking at the chart, it will go nowhere. It'll go absolutely.
Corey
I'll use my work email. I'll use my work email.
Wade
Yeah, be sure to do that, Corey. I appreciate it.
Corey
So let's talk real quick about the CVE Foundation, which I don't super understand exactly what this is. My understanding of the CVE Foundation is these are the people who care the most about this staying alive. Right. Is that basically the goal of it? It's, it's saying I'm a person and here's my name and I care and I want this to keep, I want to keep CVEs alive. Is that the idea?
Wade
Yes. And this gets into Shecky's thing like we're spending $55 million a year on this. And Mike, I want you to kind of speak to this a little bit more. This CVE stuff is foundational for every vulnerability scanner in the world. It's foundational for any of the attack surface management tools that are out there. If it went down, I would like to think that those vendors, including Microsoft, including Google, including Palo Alto, including cis, would step the hell up and help keep the program going.
Mike
The question is, and you're probably right because it would affect their bottom line in the long run, but with it affecting their bottom line now all of a sudden, do you get a pay for CVE system inside of it? The foundation, from what I was understanding, is the board members that currently run the CVE for MITRE, trying to take it out of government and into a privately private org that can go ahead and work with the government in MITRE. That way the budgeting port gets completely removed out.
Corey
Well, MITRE already is a private org, so.
Alex
Private.
Wade
Kind of like Lockheed Martin and Raytheon, they're kind of private organizations too. Kinda.
Mike
But going back to the idea of paying for CVEs, if me as a customer of XYZ vuln scan goes ahead and now has to pay for every single CVE. Oh, you want the latest CVEs, we've got to go ahead and charge you for them. Yeah, because we're taking the time to validate them.
Wade
Ones like the most recent hot ones like.
Mike
Exactly. And then what about sharing between the different companies? Oh, this company is releasing this CVE, but these companies can't go ahead and do it. You get into a complete and total mess if it becomes commercialized and stuff.
Wade
What's that?
John
What?
Mary
It'll be different tiers of the packages.
Wade
Oh, my God.
John
What's the paint? What's the paint company that owns all the paint codes?
Corey
It's something with like a P. You're talking about Pantone.
John
Pantone. That's what I would imagine it would be like with CVE. So Pantone owns like this color book, and it has codes for every single color. And then they also sell you the paint to match that color. So they extend those out to people trying to make advertisements to match colors. But then they also send it out and sell it to the people who now have to make the paint so they know exactly the right amount. Right. So they own this entire system. I would imagine that's how like the CVE.
Wade
We need to table this whole conversation because people are going to listen to this and not take any of these things as bad ideas. They're going to take notes and be like, wait a minute, hold on. We can make money off of this.
Corey
I mean, I've been joking for years that if you pay for a CVSS plus subscription, you never get a full 10. So, I mean.
Wade
I donated $5 million to CVE last year. I. I should get no tens at all.
Corey
All right, let's. Let's talk about. Anyone got a news article or should I go post something on 4chan?
Wade
I want to talk briefly about Chris Krebs. The dude had all the things happen against SentinelOne. He's resigned from SentinelOne to pull the heat off of his coworkers. I'm just going to say legend move. And I know that we're seeing articles and we're seeing people on Twitter saying, why aren't we standing up for him? Well, this is awesome. I hate the fact that it has to happen, and we should never have a government go after an individual like this in the private sector and then go after the company. And part of me is frustrated with this because I have an email which I'm not going to share, but it's like, Notice to DOJ Commercial Vendors, Court Order regarding Sections 135 of Executive Order 14263, adjusting the risks from a specific company that we may or may not have done work with. And they're pushing that down to vendors to not work with these other corporations. And that is garbage. I don't want to spend too much time talking about it. This will just spin around and around and around. But God damn it, people. Chris Krebs is one of ours, right? He basically worked at CISA, worked at securing our infrastructure, lost his job over this, and now is being hounded by the government. We do need to stand up for Chris. So pretty please, if you haven't, if you're in a position where you can give some support, you absolutely should. Hey, let's talk about something else now.
Corey
Talk about 4chan.
Wade
4Chan.
Corey
The attacker known as 4chan. Yeah, I will say 4chan.
Wade
4Chan. Oh, that's a jump. One. Okay.
Corey
Yeah. Well, so 4chan has been kind of under the radar, I feel like, for a long time. I mean, they had their run back. I grew up on the days of 4chan. That's where I, you know, that was my Internet era of just unfiltered, horrible things on the Internet. Now we have, like, content moderation, which is much better. Well, but yeah, I mean, basically the article is that 4chan got hacked, which is like a pretty big deal and not really that big of a deal at the same time. If the data that gets disclosed is, you know, IP addresses of posters, things that can de-anonymize posters, then it's going to be real bad, because 4chan has been the garbage disposal of the Internet for many years. You know, it's pseudo-anonymous. It's, you know, anyone that's been there knows exactly what I'm talking about. But I guess the big thing is that, you know, it's changed ownership over a few years. But yeah, I mean, basically it's been down since April 14th. So now that's almost a week.
Wade
So a couple of things to learn from this is, if you're on something on the Internet and it's like, it's anonymous, you have nothing to worry about, they might be lying about that at worst. Or just somebody just said, John Strand's about to say we should stand up for 4chan. No, that's not what I'm going to say. But I think that people are a little bit smarter than they were a few years ago in the heyday of 4chan. Like, they now know that a lot of the stuff that you post on the Internet is something that can come back to you, at least. I hope that kids are getting smarter about those types of things. But I think, is this really a surprise for a lot of people in the industry? I remember talking about what happens when 4chan gets hacked like 10 years ago, thinking it's just a matter of time. I don't know.
Corey
I mean, I would agree. I think it's. Yeah, it's not really that big of a deal. I mean, I don't think. I don't think anyone is like, oh, this is a key thing for me. Without 4chan, where do I get my threat intel or whatever.
Wade
Yeah, exactly.
Corey
It's just like.
John
It's not like Reddit. That's.
Corey
I will say, while we're here, let's throw in the fact that the new Breach Forums is also down. So lots of things are going down. So, like, yeah, I mean, websites go down. 4chan, I will say, though, to their credit, they have been one of the longest running websites out there. Considering the content, considering the people who post there, it has been one of the longest lived websites. It's like.
Wade
It's like the Rolling Stones of the Internet. You. You've been expecting them to die. 1971. They just keep going, right?
Mary
They keep firing up. Yeah, they keep firing back.
Corey
So, yeah, I. I guarantee it'll come back.
Wade
I think I did pick the year the bass player passed away, so probably a bad thing on my part.
Alex
Well, this isn't the Channel 4 British news station. 4chan. Channel 4.
Wade
Channel 4.
Corey
It was launched in 2003. So it's. It's. It's 21 years old. It's older than most of the interns at Black Hills. And yeah, so that's pretty much the.
Mary
Same age as Blaster, if anybody remembers.
Wade
There you go. Blaster, '03.
Corey
Is that a coincidence?
Wade
Yes. Nice. This guy parties.
Corey
All right, let's talk about this. Let's talk about this Palo Alto article, I guess. Wade, did you take a look at this? Have you taken a look at this?
John
I have read no news for the past, like, three weeks.
Wade
So, no, I love this.
Corey
Like, it's a pretty cool article.
Wade
Go ahead.
Corey
It's. So, I mean, basically, it's kind of a. I guess I want to call it a mic drop. It's a little bit of a mic drop because it's basically Palo Alto. Or I guess Unit 42. I don't know. I guess Unit 42 is funded by Palo Alto, but they're not the same. But they are the same. You know how big companies work? We don't know. Unit 42 was called in to do an incident response for a company. The client had been breached via an RMM tool called Atera. Now, the threat actor bought access to this company, and then they installed the Cortex XDR agent onto one of the compromised computers. I guess they did this intentionally to basically test their bypass tools. So, you know, we love testing.
Wade
When you're saying they. The attackers installed it.
Corey
Correct. Not the incident responders.
Wade
Yeah.
Corey
The attackers, the threat actors, purchased access to a customer of Palo Alto, you know, maliciously. Then they installed Palo Alto products onto those compromised systems and started testing their own payloads and BYOVD, bring your own vulnerable driver, techniques. If you keep scrolling in the blog, it just gets funnier and funnier. So first of all, the name of the tool was just called Disabler.exe.
Wade
Great name, by the way, which is a great name.
Corey
It's using basically open source code from EDRSandblast with minor modifications.
Wade
They did strip out. That was interesting. They stripped out the command line options.
Corey
Which are the only IOCs, obviously.
Wade
Yeah. Which I think that's literally what people were writing signatures on for, which is like really lazy IOC signature writing. But go ahead, keep going.
Corey
So the other thing that. And yeah, this is old. Sorry, I just thought it was funny. Basically the other thing that's hilarious is they got access to the threat actor's computer. So they actually, through this XDR that was deployed, they got access to their computer and they pulled down all their files that were on the computer, which the attacker just copied their entire folder to the computer for some reason. And it included their names on it, like their usernames. And then they just went out and pulled the usernames from, like, they were posting as themselves on these forums. I just thought it was hilarious hacker tears. I just.
John
At first I thought maybe this was like epic tier trolling, right. Where like they installed it to test it. They're. They're like, we're testing it. Of course it's going to get caught. That's how we're going to just make it disabled. But then once you said that they pulled their whole file with their names, I was like, all right, maybe not. This was just like some kid or someone just playing around. I was like, oh, did they install Cortex from the company they hacked or was it a version of Cortex?
Wade
Version of Cortex that they installed? It wasn't even up to date. It was like an old version of it just hanging out.
John
Yeah, because usually when you install those EDRs, right, you need an activation code. So that means they had a version of the EDR older and an activation code to activate it on the.
Wade
I don't know if I was Cortex, or every AV vendor out there. Like, get rid of the activation codes. This could be very useful.
Corey
I just wanted to call it out because it's hilarious. The threat model is so silly here. It's like, so you compromise a network, then you use it just to test EDR? Is it? Are you that desperate to test?
Alex
Well, it's free infrastructure, right?
Corey
Yeah, I guess it's free infrastructure. I, I just.
Wade
So we've got two examples of this at BHIS. Let's start with one of them. Let's start with CrowdStrike. Now, I was told by some people that worked at CrowdStrike this may not be true. So although I'm pretty sure it's true that CrowdStrike found out. Corey, I don't know if you remember this, but they found out that one of the licenses that we were using that wasn't attributed to Black Hills Information Security was used by Black Hills Information Security. And that was the license that we were using to test bypasses around CrowdStrike. And they were literally monitoring everything we did. And as soon as a bypass worked, they would let that bypass continue to work and then they would shut it down for all of their customers. So there was a period of time where it was like, we would test it, it would work, be just fine. We'd go to a customer and then we'd get smoked immediately. I want to be blunt, not even mad.
Corey
Like, it's fair. It's fair play.
Wade
It's fair play.
Corey
Fair play.
Wade
And I was damn impressed by that. So if that is in fact true, which I'm pretty sure it is at CrowdStrike. Kudos. Kudos. CrowdStrike. That's, that's amazing.
Corey
I think of this as in scope. If you're an EDR vendor and you can find what accounts we're using to test, then you can go ahead and just nuke those payloads. I will say approach with caution because we can poison the well.
Chris
Right?
Corey
And so can everyone. True, but. True.
Wade
But we've never had there like a checkpoint poison the well and start deleting things like Chrome from customers.
Corey
Well, just change. Rename Chrome to Disabler.exe.
Wade
You got to kind of cut it into smaller. There's more to it than that. But yes, basically.
John
But didn't checkpoint do something like this too?
Wade
Not even then. The other story with this, now this one pissed me off. Cylance. We did a series of blog posts on bypassing Cylance on the Black Hills Information Security blog a long time ago. David Fletcher did this one. And after that whole entire thing happened, Cylance was able to look at the blogs and they were able to look at the file names that we were using on the different days, and they were able to correlate back which vendor, or sorry, which customer of ours was the customer that we were doing the testing on, because they had it set up and the customer was like, go, this sounds like fun. And then they threatened legal action against the customer for that, which our customer was then like, hahaha, we have lots of attorneys. Bring it. The customer was great. Loved that customer, had a great time. But at that point, roughly, I think it was CrowdStrike got busted for using VirusTotal and was pulling data back and forth, and Cylance came out and said we don't ever pull any data from any of our user systems that could be then dumped on the Internet. I was like, no, Cylance, you totally did. They were tracking that as well. So this whole entire story is great, because we've seen it at Black Hills Information Security, and once again we've never gotten that mad whenever that happens to us. It's just like, like say lovey, like Corey said, it's part of the game that we're playing right now.
Corey
So you're saying the only reason we do pen testing is just so we can get access to our client environments and test a bunch of sick pages.
Wade
Only for the customers that are on board with that type of game, where they really, really enjoy that because it helps them negotiate the contract lower. Like, we've had customers where they're like, yeah, BHIS came in and found a bunch of bypass techniques, and you know, that was awesome, because when the contract came up we could actually negotiate a cheaper price with the vendor that actually was cheaper than the cost of the service that we were doing. So yeah, there's more to it for coming up with bypass techniques.
Corey
Don't try this at home. Disclaimer. All right, let's talk about the Sophos annual threat report.
Wade
Good report.
John
Is it?
Corey
What's Main Street? Does anyone. What. What's with the Main street theme?
Wade
So they're talking about, in terms of the number of attacks that they've been seeing and watching, really kind of pivoting over to medium sized businesses. I actually think a lot of this has to do with the fact that Sophos, more so to do with the fact that their data, their business is moving into this area for MDR, MSSPs. Like, you have SentinelOne in that space. Sophos is starting to get some traction in that space as well. So I don't necessarily think that this is indicative of a trend across the industry. I just really think it's Sophos' view of the elephant as they're expanding into the SMB space a little bit more. But it's a nice write up of the types of attacks that they're seeing, I think.
Corey
I also like how they call out where they got their data, they explain like you know, where they got it.
Wade
And then nice write up on what are the attack tools, what are the stealers? I didn't know there were this many stealers, Corey. Like, what is it?
Corey
I tried to explain it every news episode for the last two years.
Wade
Yeah, but there's a lot of different names of stealers that I've never seen.
Corey
Oh, you're talking about like variants, the.
Wade
Variants of the stealers that are out there. No, you talk about stealers all the time.
Corey
I, I will not shut up about it.
Wade
Yeah, but there's a lot of different stealers that are out there. It's kind of crazy. I also like their non-ransom malware. If you scroll down to their top ransomware threats about three quarters of the way down, where it's like web shell, Cobalt Strike called out by name is number 2, red team C2 tool with information stealing modules in it as well. So very cool. But then the other one that was interesting is ChromeLoader. We've been talking on this show for a long, long, long time how the browser is the new endpoint, and starting to see ChromeLoader starting to move up that rank a little bit more was kind of cool. And then some other tools that we love at BHIS, like Brute Ratel, is on there with I think about 1% usage. Nice little write up with good detail. So hats off, Sean Gallagher and Anna.
John
I want to light a fire here. I'm gonna say this isn't a good report. This is a marketing report for you, and you red teamers are taking it that way. Okay, as a blue teamer, as I'm looking at this report, right? Yeah. There's good stuff on malware, there's good stuff on different types of attacks. But the overall summarization of this report, as well as in providing, like, active TTPs or any type of quick references at the end, right? Oh, like, this is a cool report, but it's not. As a blue teamer, I would look at this real quick and go completely to somewhere else you need.
Corey
Hold on, hold on. Read the conclusion, Wade. Okay. It says right here, migrate from passwords to passkeys. Did you not do that?
Wade
Done. Problem solved.
Corey
I mean, okay, that is fair. I feel like they probably what happened internally is that they wrote a really cool blog with a bunch of IOCs, and then the marketing team was like, so you're just going to give these away for free? You can't do that. We're going to have to paywall these. And so that you know, I wouldn't blame the authors. I'm assuming that. But yeah, all of the, all of the like sections are followed up by here's the product we have. That's the silver bullet for this thing. And it's like, well, that's not really how it works.
Wade
But I still think as a blue.
Mike
Teamer, though, all we have to do is take each of those sections and go to the MITRE ATT&CK framework and look up the CVEs for each one.
Wade
He's learning to believe.
Corey
He's learning to.
Wade
But for me, one of the things that I really like about it, Wade, is I agree, they're not like, here's a bunch of files where you can ingest this and you can start detecting these different attacks. But one of the things that I took away from this is a lot of the attacks they're seeing aren't rocket science. Like, they're not cutting edge, brand new malware that we've never seen.
Corey
Yes, PsExec is alive and well, Wade. How does that make you feel? Yeah, just let that sink in. 20% of all attacks use PsExec. How does that make you feel?
John
Yeah.
Wade
As a blue teamer, deep down, what do you feel?
John
I can't. I can't. I. You think I don't. Everything. Every single organization I've been in has had a PsExec detection. And knowing that I was protecting against 20% of all attacks ever really makes me feel really good. So I guess it's reassuring.
Corey
Okay, next thing. Have you ever blocked AnyDesk in your environment? Because if so, you blocked another 18% of attacks.
John
Oh, look at me.
Wade
See, this is why I love this report.
John
Maybe, maybe I rewrite, look at this report and be like, look how much good I've done. Look how many attacks I've blocked.
Corey
Those two attacks alone is like 40%. Dude, you are sick.
John
We're so. We're so protected right now.
Corey
Okay. The other thing that I found really surprising is there's no Quick Assist on this list. No Quick Assist, are you kidding me? Quick Assist is like the peanut butter and jelly of hacking these days, but it is '24.
Wade
Maybe it's from the earlier part of the year, I don't know.
Corey
We were using Quick Assist back in '23. It was installed by default.
Wade
I know, but no, I do kind of agree with that. Like, you know, I always think that people that are part of, like, the BHIS tribe of businesses in our Discord servers and our customers generally feel like we're at the tippy top of the spear on these things. And when I read these reports, I'm not. Like, a lot of our pen tests, we aren't using these things because, our customers, these things wouldn't work on them at all. So it's like, why are we putting so much time and money coming up with new bypass techniques when all we really need to do is put time and money and marketing to lower tier customers? Like, can't we just go to customers and be like, do you allow PsExec everywhere? You're one of our favorite customers of Black Hills Information Security.
Corey
Okay. No, John, what we could do is we could just have a discount that applies if you. Okay, here's how. A pen test costs a hundred thousand dollars. You can't afford it. However, if you use PsExec, do.
Wade
You have an EDR?
Corey
You don't have an EDR? 50% discount right off the bat. 50%.
Alex
I'll take that deal.
Corey
Also, if you don't have EDR, that's 50%. If you use PsExec, that's another 5%. If you use AnyDesk, that's another 25%. You're down to like 30 grand.
Wade
I just know that I'm gonna end up talking to Dave about this report. We're gonna be like, do you see this shit with your customers? And he's gonna be like, no. Me neither. Who's testing these companies? And the answer to that question is, nation state threat actors are.
Corey
No, no, these are syndicates. These are all syndicates. These are all crime war syndicates. If you look at their number one campaign, it was phishing. It was Facebook phishing. Come on.
Wade
What? That's gotta be 20% off. If we can successfully.
Mary
All this for 19.95.
Wade
Yeah.
Corey
Unclaimed money sites. Unclaimed money sites. I would claim it. I mean, I will say, John Strand, every time you text me and ask me to get more gift cards, I always do it, every time. Keep doing that.
Wade
Keep texting me and asking. Contract negotiations, I'll send you a text that says that you haven't paid your speeding ticket, okay?
Corey
You need to also, John, just as a warning, you didn't pay those tolls in a state you've never been to.
Wade
That's right. I didn't pay those tolls. And you fell for it.
John
Another 10% off to go for the tolls thing. I actually sold a car and they went onto toll roads, and then the actual toll company called. The car hadn't been officially removed from the DMV yet out of my name, so I owed the money on the toll roads. So when I got that toll phishing email, I'm like, there's no way that car is still in my name.
Corey
No. See, what you should have done is change your license plate to null and then you get 50,000 unclaimed tolls.
Wade
I love Christopher. Unclaimed money is something like $55 billion a year. Click here to find out how you can get your unclaimed money assets. So, yeah. And another 10% off. Like, this is great. This is marketing. I hope Andrew Crashland is dying a little bit inside right now. He's just like, oh my God. This is what we're doing. This is what we.
Corey
So during scoping, we just phish the customer, and if they click it they get half off.
Wade
Yeah. And at some point we just feel really, really, really bad. And honestly, we just show up and be like, oh, oh, you're running on prem exchange. Yeah. This test is free. This one's on the house.
Corey
It goes below zero. At a certain point, we just pay you.
Wade
You take my money because. Yeah. So we've got some interns we need trained up real fast.
Mary
I just hear the prices. Right. Music playing in the background as you're saying this.
Alex
Have a big wheel that spins around verbal agreements account. Right.
Wade
Totally gonna get somebody that's gonna call me on that, Luke. They're gonna be like, well, John told us it was free. If we do this, I mean, there's.
Corey
Got to be a discount for letting us tell your hilarious pen test stories on the news. Right. There's got to be a discount for that.
Wade
That would be great if we could.
Corey
Do like war stories. That's got it. Because you know, we're always got to be so tight lipped.
Wade
But I. One of the things I talk about in my classes whenever I tell stories is I make it clear to everybody that I'm lying. Like, if I'm talking about a DoD customer, it was probably a medical company. If it's a medical company, it was probably finance. If I say it was, like, a Fortune 50, it was maybe Fortune 100, or not even that, it could be a mom and pop bicycle shop. So I obfuscate the hell out of a lot of my stories. But the actual things that happened did. The really fun thing for me over the years is whenever I was teaching live, I would tell a story and I'd have like three, four customers in the audience while I was teaching. And that breaks, like, all three of them from different companies would come up to me and be like, dude, why did you share that story about us? I'm like, no, no, no, Snowflake, you're not the only one that had that vulnerability. That's something that we see in a lot of companies, and they're like, oh, we thought it was just us. Nah.
Corey
Yeah, let me just dovetail off of that. So we're soon, at some point, gonna have our own ANTISOC continuous pen testing version of the BHIS zine. And in that you might feel personally attacked if you're one of our customers. And I will guarantee you any story in that zine has affected like 25% of the customers to make it into the zine. It was never just one customer.
Wade
There's always. We put up that top 100 link. And I was presenting this to MSSPs on the Cyber call last Friday. Part of me is like, I never, ever, ever want to report on these vulnerabilities ever again. Like, there was IPMI management interfaces being open. It's like, that should not be a thing. Like, what are some of the ones that are just really awful? SNMP default community strings. We're still finding that. That shouldn't exist. IPMI password hash disclosure. NTP Mode 6 queries enabled. IKE, Internet Key Exchange, aggressive mode with pre-shared key. Like 24. Like, these are vulnerabilities we never want to report on again. Please make them go away. We're tired of reporting on these, but it's just something that just keeps showing up. PowerShell version 2.0 available. There you go, Wade. We still have that in some of our customers, right? So Corey's right. You have people that are like, are you talking about us? Yeah, but we're also talking about a huge percentage of the industry that still has these things floating around. Oh, default passwords. Yep. Somebody just put in default.
Corey
There's no CVE for that one.
Wade
No, I think there is a MITRE.
John
There is, there's a CVE.
Corey
There's no CVE.
Wade
There's CVEs for default passwords in specific products that show up, but I don't think there's an overall CVE for default.
Corey
There's going to be like 40,000 CVEs. Would you just list those in the table? Appendix A through appendix 9999, CVEs affected.
Wade
Default Apache, Tomcat, Brute Tour. Yeah.
Mike
CVE 000P.
Corey
No, no. It would be CVE-1999-0001. The first ever.
Mike
There we go.
Wade
Nice. All right, everybody, I think that that that's a wrap. I just want to say thank you so much for attending. We do appreciate it. It was nice to be able to do a show and not teaching this week or like being on an airplane. It's nice to be a little bit more chill. But it was great having you all. I want to say thanks to all my hosts for showing up as you always do. And with that, we're going to be back here next week. We hope. Maybe. I just got to keep looking for those DOJ emails. We'll see. But thanks again and we'll see you in the next episode.
Corey
Bye. Bye.
Mike
It.
Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: The CVE Saga - Talkin’ Bout [infosec] News
Release Date: April 23, 2025
In this episode of Talkin' About [Infosec] News, the Black Hills Information Security (BHIS) team delves deep into the intricate world of Common Vulnerabilities and Exposures (CVEs). The discussion spans the importance of CVEs in the cybersecurity landscape, the challenges surrounding their funding and management, and the broader implications for the security community. Additionally, the hosts touch upon notable industry events, including the hacking of 4chan and insights from the Sophos annual threat report.
The conversation begins with the team underscoring the foundational role CVEs play in vulnerability management. John Strand emphasizes, “[...] having the CVEs is one, a trusted news source that we can go to and verify that we all believe in” (09:11). Corey adds, “If there is a CVE, there is a patch or there is a responsible disclosure associated with it. It's a necessary service” (09:37).
A significant portion of the discussion centers around the CVE program's funding. Corey reveals, “The actual program cost was $55 million. That’s how much the contract was for” (10:32). Wade elaborates on the complexities involved in managing CVEs, stating, “Every single time I mention a new thing, I am talking about a different group and a different flowchart of how that's actually done” (11:28). The high cost is attributed to the extensive process of triaging, validating, and coordinating with vendors to manage vulnerabilities effectively.
Wade highlights the bureaucratic hurdles inherent in the CVE system: “There are a lot of vulnerabilities that are coming in. [...] and you have to coordinate with the vendor” (11:28). Corey points out the sluggishness of the National Vulnerability Database (NVD), noting a lag time of up to two weeks for vulnerabilities to be added, which poses challenges in today’s fast-paced threat environment (12:50).
The team discusses potential reforms to the CVE system. Wade proposes, “I will take over the CVE program and I will run it for 20 million” (18:55), suggesting a more streamlined and perhaps decentralized approach. The notion of the CVE Foundation is introduced, aiming to preserve and potentially restructure the CVE management outside of the current bureaucratic framework. Mike raises concerns about commercialization: “If you monetize CVEs, it could lead to a complete and total mess” (30:46).
Corey reflects on the importance of CVEs, stating, “CVEs aren't going to cover every vulnerability. [...] If there is a CVE, it makes it a heck of a lot easier to fix” (22:56). However, Wade expresses frustration with the CVE system’s rigidity and its role in fostering what he describes as “mediocre computer security” (21:31).
The hosts agree that while the CVE system is far from perfect, it remains a critical component of the cybersecurity infrastructure. The potential defunding or decentralization poses significant risks, but the community is actively seeking ways to enhance and sustain the program.
Wade passionately advocates for Chris Krebs, describing him as a hero within the infosec realm. He notes, “Chris Krebs is one of ours. He worked at CISA, worked at securing our infrastructure” (33:57).
The discussion touches upon Krebs’ resignation from SentinelOne to shield his coworkers from governmental pressure. Wade criticizes the government’s actions, stating, “We should never have a government go after an individual like this in the private sector” (33:57). The community is encouraged to support Krebs, highlighting the challenges faced by cybersecurity professionals in the political landscape.
The team urges listeners to stand up for Krebs, emphasizing his contributions and the unjust treatment he has received. This segment underscores the solidarity within the infosec community when facing external pressures.
Corey introduces the topic: “4chan has been hacked, which is like a pretty big deal and not really that big of a deal at the same time” (34:02). The breach reportedly occurred on April 14th, leading to the potential exposure of IP addresses and other sensitive information.
Corey reflects on the consequences: “If the data that gets disclosed is IP addresses of posters, things that can de-anonymize posters, then it's going to be real bad” (34:02). The pseudonymous nature of 4chan makes such breaches particularly concerning, and Wade adds the lesson that anything posted under a promise of anonymity can still come back to the poster.
While the hack is acknowledged, the hosts downplay its immediate impact on the broader cybersecurity landscape: “I don’t think anyone is like, oh, this is a key thing for me” (35:47). The discussion suggests that while notable, the breach doesn’t drastically alter threat dynamics but serves as a reminder of the vulnerabilities inherent in online platforms.
Corey discusses a blog post from Palo Alto Networks' Unit 42 detailing an incident where threat actors compromised a company through the Atera RMM tool. The adversaries then installed the Cortex XDR agent on the compromised host to test bypass techniques against it: “The attackers installed it to test their own payloads” (38:19).
The blog highlights the attackers' methods, including the use of a tool named Disabler.exe, built from open-source code of EDRSandblast with minor modifications. Wade remarks on how little effort the actors put into dodging existing signatures: “They stripped out the command line options” (39:07).
John questions the logic of the operation: “So you compromise a network, then you use it just to test EDR. Is it? Are you that desperate to test?” (40:01). The incident underscores the ongoing cat-and-mouse game between threat actors and defenders, and the need for EDR products to keep improving.
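The incident the hosts describe, turned into detection logic as an added example (this is not code from the Unit 42 write-up, nor Cortex XDR's or Atera's own logic): a small rule set run over constructed Sysmon-style process-creation events. It flags an RMM agent directly spawning shells or installers, an EDR installer run outside the sanctioned deployment path, and anything launched under an RMM session from a user-writable directory. The process names (AteraAgent.exe, CcmExec.exe), the installer package name, and every hostname, path and process GUID in the sample are assumptions made for the example.

```python
"""Triage of process-creation events for RMM-driven intrusions (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Process names treated as RMM agents. "AteraAgent.exe" is an assumption for the
# Atera agent's process name, not a vendor-verified value.
RMM_AGENTS = {"ateraagent.exe"}

# Shells, script hosts and installers an RMM agent has little reason to spawn directly.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "msiexec.exe",
           "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}

# Substrings that mark an EDR installer on the command line. The package name in
# the sample is made up; it is not Cortex XDR's real MSI name.
EDR_INSTALLER_MARKERS = ("cortex", "xdr")

# Parents allowed to run the EDR installer (assumed deployment path: the SCCM client).
SANCTIONED_INSTALL_PARENTS = {"ccmexec.exe"}

# Directories from which managed software should not be executing.
USER_WRITABLE_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "\\appdata\\local\\temp\\")


@dataclass(frozen=True)
class ProcEvent:
    """Sysmon event-1 style fields, reduced to what the rules need."""
    host: str
    guid: str
    parent_guid: Optional[str]
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    guid: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_guid: dict[str, ProcEvent]) -> list[ProcEvent]:
    """Return [self, parent, grandparent, ...] as far as the log resolves; loop-safe."""
    chain: list[ProcEvent] = []
    seen: set[str] = set()
    cur: Optional[ProcEvent] = ev
    while cur is not None and cur.guid not in seen:
        seen.add(cur.guid)
        chain.append(cur)
        cur = by_guid.get(cur.parent_guid) if cur.parent_guid else None
    return chain


def triage(events: Iterable[ProcEvent]) -> list[Finding]:
    events = list(events)
    by_guid = {e.guid: e for e in events}
    findings: list[Finding] = []
    for ev in events:
        chain = ancestry(ev, by_guid)
        parent = chain[1] if len(chain) > 1 else None
        name = basename(ev.image)
        parent_name = basename(parent.image) if parent else ""
        # True if any ancestor (not the process itself) is an RMM agent.
        under_rmm = any(basename(a.image) in RMM_AGENTS for a in chain[1:])

        # Rule 1: RMM agent directly spawning a shell, script host or installer.
        if parent_name in RMM_AGENTS and name in LOLBINS:
            findings.append(Finding(ev.host, "rmm_spawned_lolbin", ev.guid,
                                    f"{parent_name} -> {name}"))

        # Rule 2: EDR installer run outside the sanctioned deployment parent, or
        # anywhere inside an RMM session even when the immediate parent looks normal.
        low = ev.cmdline.lower()
        if name == "msiexec.exe" and all(m in low for m in EDR_INSTALLER_MARKERS):
            if parent_name not in SANCTIONED_INSTALL_PARENTS or under_rmm:
                findings.append(Finding(ev.host, "edr_install_outside_deployment_path",
                                        ev.guid, ev.cmdline))

        # Rule 3: anything started under an RMM session from a user-writable directory.
        if under_rmm and any(d in ev.image.lower() for d in USER_WRITABLE_DIRS):
            findings.append(Finding(ev.host, "rmm_session_exec_from_user_writable_dir",
                                    ev.guid, ev.image))
    return findings


# Constructed sample: one host where the RMM agent is abused to stage an EDR agent
# and a dropped tool, and one host where the same installer arrives via SCCM.
SAMPLE_EVENTS = [
    ProcEvent("WS-FIN-07", "a1", "s1", r"C:\Program Files\AteraAgent\AteraAgent.exe", "AteraAgent.exe"),
    ProcEvent("WS-FIN-07", "c1", "a1", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c powershell -ep bypass -f C:\Users\Public\stage.ps1"),
    ProcEvent("WS-FIN-07", "p1", "c1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell -ep bypass -f C:\Users\Public\stage.ps1"),
    ProcEvent("WS-FIN-07", "m1", "p1", r"C:\Windows\System32\msiexec.exe", r"msiexec /i C:\Users\Public\cortex-xdr-agent.msi /qn"),
    ProcEvent("WS-FIN-07", "d1", "p1", r"C:\Users\Public\Disabler.exe", r"C:\Users\Public\Disabler.exe"),
    ProcEvent("WS-HR-02", "x1", "s2", r"C:\Windows\CCM\CcmExec.exe", "CcmExec.exe"),
    ProcEvent("WS-HR-02", "m2", "x1", r"C:\Windows\System32\msiexec.exe", r"msiexec /i C:\Windows\ccmcache\1a\cortex-xdr-agent.msi /qn"),
]


def run_sample() -> list[Finding]:
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host}  {f.rule:<42} {f.guid}  {f.detail}")
```

Walking the full ancestry rather than checking only the immediate parent is what catches the installer in the sample: msiexec's parent is powershell.exe, which is unremarkable on its own; the RMM agent is three hops up. The SCCM-delivered install on the second host produces no finding.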
The team reviews the Sophos annual threat report, noting its focus on medium-sized businesses: “Cyber talking about ... expanding into the SMB space” (45:06). Wade suggests that Sophos is aligning its threat intelligence with the needs of Managed Detection and Response (MDR) and Managed Security Service Providers (MSSPs).
Corey appreciates the report’s clarity on where the data originates and its detailed categorization of threats: “I also like how they call out where they got their data” (45:51). Highlights include:
John offers a critical perspective, stating, “As a blue teamer, I would look at this real quick and go completely to somewhere else you need” (47:15), suggesting that while informative, the report serves more as a marketing tool than a comprehensive guide for blue team operations.
The hosts debate the prevalence of standard attack methods versus innovative threats. Corey jokes about the ubiquity of PsExec: “20 of all attacks use PsExec” (49:06), while John finds reassurance in the report’s indication that common defenses are mitigating a large share of attacks.
Wade critiques the report’s practical applicability, pondering why certain vulnerabilities persist in customer environments despite being well-documented: “Why are we putting so much time and money coming up with new bypass techniques when all we really need to do is... [address existing vulnerabilities]” (50:16).
Wade shares experiences with CrowdStrike, highlighting their proactive approach to monitoring and neutralizing bypass techniques: “Once a bypass worked, they would let that bypass continue to work and then they would shut it down for all of their customers” (42:08). That kind of coordination between testers and vendors helps keep EDR products resilient against emerging bypasses.
The discussion underscores the indispensable role of pen testing in identifying and addressing vulnerabilities. Corey muses, “I think of CVEs as... the currency of traditional vulnerabilities” (22:56), linking the identification of CVEs to actionable security measures.
Wade points out the challenges in coordinating vulnerability disclosures with vendors, especially for smaller security firms: “It’s a huge time suck. It’s a tremendous loss of money for us to try to coordinate that with the vendor” (07:19). The team debates the balance between automated pen testing and expert analysis, with Wade firmly advocating for the latter to maintain high security standards.
The hosts compare 4chan to the Rolling Stones of the internet, noting its longevity despite recurring threats: “They've been one of the longest running websites out there” (36:47). Corey humorously downplays the breach’s significance, asserting it won’t disrupt threat intelligence pipelines: “I don't think anyone is like, oh, this is a key thing for me” (35:47).
Corey and Wade discuss how sophisticated threat actors still sometimes employ rudimentary techniques, underscoring the ongoing need for vigilant and adaptive security measures.
Throughout the episode, the hosts intersperse technical discussions with humor and personal anecdotes, such as jokes about licensing issues with CVEs and playful banter about pen testing strategies. Notable humorous exchanges include Corey inventing a CVE for a DoS attack against the CVE system and the playful suggestion of discounts based on vulnerability exposures.
The episode wraps up with the BHIS team reiterating the critical role of CVEs in maintaining cybersecurity standards, while also acknowledging the system’s significant challenges and the community’s need to innovate beyond traditional frameworks. They express solidarity with figures like Chris Krebs and caution listeners about the evolving threat landscape, emphasizing the importance of continuous learning and adaptation in the infosec field.
Notable Quotes with Timestamps:
John Strand (00:01):
“I got the warning for the earthquake before it hit, which was crazy. All of a sudden, my phone blows off as, like, incoming earthquake.”
Corey (09:37):
“Having the CVEs is one, a trusted news source that we can go to and verify that we all believe in.”
Wade (11:28):
“Every single time I mention a new thing, I am talking about a different group and a different flowchart of how that's actually done.”
John Strand (47:59):
“Quick Assist is like the peanut butter and jelly of hacking these days.”
Corey (49:06):
“20 of all attacks use PsExec. How does that make you feel?”
Wade (18:55):
“I will take over the CVE program and I will run it for 20 million.”
John Strand (26:04):
“We never give up any money.”
Note: Timestamps correspond to their appearance in the provided transcript.