Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
So, guys, last week, I got a lesson in minding
my own business.
Speaker 2 (00:05):
I was long, do I assume?
Speaker 1 (00:07):
Yeah. I was out for a walk and I was
walking past this mental hospital and there's a bunch of
patients outside shouting thirteen thirteen thirteen. The fence was too
high to see over, but I saw a little hole
in the fence, so I looked through to see what
was going on, and some idiot poked me in the
eye with a stick and they all started shouting fourteen fourteen. Hey,
(00:42):
welcome back to Security this week. I'm Carl Franklin. That's
Dwayne Laflotte and Patrick Hynes, and we're getting ready
to head to Orlando to Universal pretty soon and we've
been promised a spot to do a live security this
week's show in front of an audience at CyberSecurityIntersection.com,
which is where you can go and register.
Speaker 2 (01:03):
Very exciting. Yeah we'll be there, be awesome, even if
they don't give us a room. Yeah, we'll be there.
Speaker 1 (01:07):
Yeah, that's right.
Speaker 3 (01:08):
And if so, Carl, you've done a lot of podcasting
at these events.
Speaker 2 (01:12):
It's it's a big deal.
Speaker 1 (01:13):
It is, and it also makes for a really fun
podcast because even the people that aren't there get to
hear the crashy, you know, I think, yeah, the heckles exactly,
you know, the groans. So let's uh, let's get into
the first story. This is about our friend WhatsApp. WhatsApp
(01:35):
patches vulnerability exploited in zero day attacks. Now we knew
WhatsApp was vulnerable because it's not really end to end encrypted,
but it's encrypted between you and Facebook and then between
Facebook and the other person. But it doesn't have anything
to do.
Speaker 3 (01:52):
I don't think it's that kind of flawed. It's about trust.
That's about trust. That's about do you trust Zuckerberg right
to like not the robot, to not use the data
in between to train a model, and yeah, do other things.
Speaker 1 (02:07):
And I don't trust. You know, his friends call him
the zuck Zuck.
Speaker 2 (02:12):
I think he sucks.
Speaker 1 (02:13):
He does kind of suck, doesn't he.
Speaker 2 (02:15):
I think because he has no friends. That's not true.
I mean, you know when.
Speaker 3 (02:19):
A guy guy tries to hire somebody for a billion
dollars and they said.
Speaker 2 (02:22):
You know, you know how you must vote no.
Speaker 3 (02:26):
Yeah, yeah, that's more about like their architecture flaw. And
they probably don't see it as a flaw because they
consider themselves one hundred percent trustworthy.
Speaker 1 (02:34):
So what was this about?
Speaker 2 (02:35):
This is super sophisticated. So this is actually a zero
click flaw.
Speaker 1 (02:41):
I hate those.
Speaker 2 (02:42):
Yeah, so this this is yeah, this is actually a
really sophisticated attack in that zero click flaws are awesome,
zero day zero clicks are amazing. That means they're really bad. Yeah,
And we talked about spyware from Pegasus and that sort
of stuff, I'm sorry, monitoring software from Pegasus that governments
(03:04):
used to see your text and whatnot. Like they're they
also had a they would SMS you something, send you
a text message and it would be zero click and
just get absorbed into your phone. And if it got
got displayed, yeah it were your phone would parse it
in a way that it would just install it. So
the company says, uh, this zero click flaw, tracked as CVE
(03:26):
-2025-55177, affects WhatsApp for iOS prior to version 2.25.21.73,
which is a very long version.
Also WhatsApp for Business and WhatsApp for Mac. Yeah.
So according to the UH, they're not releasing a ton
of details on it. So, but what they are saying
(03:47):
is there's an incomplete authorization of linked devices synchronization messages
in WhatsApp... There's a lot in that
which could allow an unrelated user to trigger processing of
content from an arbitrary URL on the device. So, okay,
so you've got this WhatsApp flaw that can be
(04:10):
zero click and trigger processing of a URL. It can
go out to the internet, grab a URL and it can
pull down some software and do something.
Speaker 1 (04:19):
Wow.
Speaker 2 (04:20):
They say, we assess that this vulnerability, in combination with
Apple's OS flaw, which is CVE-2025-43300,
may have been exploited in
sophisticated attacks against specific users. So we're looking at a
zero day flaw with an OS level flaw, with a
(04:41):
zero click flaw.
Speaker 1 (04:43):
That's not good.
Speaker 2 (04:43):
That's targeting users. Yeah, Yahtzee, Yahtzee, Yahtzee. I didn't have
that on my Bingo card. Yeah, servoteen. So according to
this article, if you were, let's say working as a
reporter in a war torn country, maybe they were targeting
(05:05):
you with this. But this is a super rare, uh
you know attack. You're not gonna randomly get hit with this.
Zelensky probably gets it once a day, but other than that, yeah, probably, yeah,
exactly where was it in here? WhatsApp has disrupted a
campaign by Paragon that targeted a number of users,
including journalists and members of civil.
Speaker 1 (05:27):
Society, civil society.
Speaker 2 (05:29):
And members of civil society. Oh wow, huh yeah.
Speaker 1 (05:33):
I wonder if we fall into that cat We not.
Speaker 2 (05:36):
We're not civil I'm from Boston. Come on now, you
guys are Boston adjacent. But none of that's qualified as civilized.
That's true. Story poke, people with six I know, smooth.
So although you will hear about this and it is
(05:58):
super sophisticated, chances already haven't been hit with this. But
I'll go patch if you have. What's happening? So here's
the thing.
Speaker 3 (06:04):
People who have high security needs shouldn't be using WhatsApp.
Speaker 2 (06:09):
True, well, that's true. Shouldn't be not running in lockdown mode?
Speaker 3 (06:14):
Yeah, right right, So I would assume if you're in
lockdown mode and you're not running WhatsApp, then you're impervious
to this kind of thing.
Speaker 1 (06:20):
And if you aren't in lockdown mode, if you're not
running WhatsApp, you're probably okay, right.
Speaker 2 (06:25):
Right, well in this for this kill chain.
Speaker 3 (06:27):
But there's probably other kill chains that and that's how
we should clarify that. We talk about the steps it
takes to get an exploit as the kill chain. Yeah, okay,
and if you disrupt it, and the Defenders Blue teamers
are trying to always interrupt the kill chain by least
privilege and having extra checks and zero trust and things
like that.
Speaker 2 (06:45):
Right, So, because this is deployed over a URL, could
somebody con you into clicking on the URL in a
phishing email on your phone? And if your phone is
still vulnerable, then yes, it gets delivered. Sure, absolutely, So
you could still be susceptible to this even without WhatsApp
if you haven't patched your phone to CVE
(07:07):
-2025-43300, okay, And that was
a patch that came out earlier this month, so that's
a new patch. Well, speaking of patches.
Speaker 1 (07:16):
Yeah, oh, are we going to talk about the dogs?
Speaker 2 (07:18):
Can we talk about Can we talk about the mascot?
My best best dog ever mascot?
Speaker 1 (07:21):
Yeah?
Speaker 2 (07:22):
Oh my god, the mascot's awesome.
Speaker 1 (07:23):
We're going to have to put him on the website somewhere.
We'll just at a page or something. But somebody in
Blue sky. I think ye sent this to me. It's
a dog called Patches and it's a sign. That's a sign,
that's his patch. Now, it's so awesome, it's so awesome. Yeah,
we're gonna we'll put it on the website.
Speaker 2 (07:42):
Yes, all right, Patches, Patches.
Speaker 1 (07:46):
The mascot of security this week. So the long
and short of it is, don't use WhatsApp. But you
know what, even if you aren't aren't using WhatsApp, these
things come up from time to time. Just make sure
that you reboot your phone right now, yep, and you know,
once a week at least throw it in a lake,
and that you keep up with updates.
Speaker 2 (08:04):
Yeah, speaking of phones, did you guys all watch the
Apple release this week?
Speaker 1 (08:08):
No?
Speaker 2 (08:10):
You know, I just know I was too busy watching
the paint drying tournament. So the Apple, we always talk
about iPhone being that's sort of cutting edge in protected
chat devices. Right, there's a lot of really cool stuff
(08:30):
coming out with the Apple with the iPhone seventeen, a
lot of neat sort of memory isolation and that sort
of stuff that's gonna make it an even better platform.
So I'm reasonably excited. I'm gonna spend Patrick's money on
getting one.
Speaker 1 (08:47):
There, you go, pretty good. Let me know how it works.
Speaker 2 (08:50):
My wife has plans to do the same. Good, good, awesome.
Speaker 1 (08:56):
Okay, well let's see. The next one is about SAP.
SAP fixes Maximum Severity NetWeaver command execution flaw. I
guess NetWeaver is one of their products. What happened here?
Speaker 2 (09:08):
Yeah, so this is this is a good old de
serialization bug. I love these. Yeah, you get to unauthenticated.
There's an unauthenticated endpoint to NetWeaver. So this article
says NetWeaver is the foundation of SAP's business applications
like ERP, CRM, SRM and
SCM. So think of it like a communication server,
(09:32):
like it's the BizTalk. Yeah, it's like, oh my god,
did you just throw a BizTalk? Is it's still even
around anymore? Is that a thing? I think it is?
Speaker 1 (09:41):
Still? Yeah? Really wow.
Speaker 2 (09:43):
I remember doing some stand in the hushes on biz
talk long long, many decades ago. So yeah, it's it
is like this central communications piece of software that allows
your e r P and your CRM and all that
to submit a and talk to each other and all
like good stuff. So it's not surprising that there may
(10:04):
be an endpoint that's unauthenticated and that there's a
de serialization bug, because you got to imagine something like this. Remember,
a de serialization bug is where I pass an object
where I've manipulated some of what we call the magic functions, right,
and those magic functions always happen, whether it's the destructor
or constructor or whatever it may be on connect something
like that. Right, So when I send that object in,
(10:26):
when it gets de serialized and re serialized back into
a you know, de serialized into back into an object,
those functions execute, and when they do, they run my code.
So it's not too too surprising that this uh this
was by the way, rated with a nine point one score.
Speaker 1 (10:45):
Okay, I tell me, tell me I'm crazy, but I
don't think that it deserves such a high score. And
here's why. In order for de serialization bugs to work,
you have to have something de serializing that is inherently
insecure that will look for code and run it. Yeah,
because just by de serializing a JSON, let's say, object,
(11:07):
you're not running code right exactly.
Speaker 2 (11:09):
Yeah, yeah, you're absolutely right. So you'd have to find
that right magic mix of what object can I send?
How can I get it to execute an OS command
and on de serialization, and you have to find an
endpoint that takes that object. Yeah, in a way that's unauthenticated, right, right,
So you.
Speaker 1 (11:26):
Have to have an insecure system by default, right.
Speaker 2 (11:28):
And on top of that, actually, my bad. The unauthenticated
end point is a nine point nine. The de serialization
bug is a ten out of ten. Okay, so it's
even higher. But on top of that, I mean, I
think the end point would be higher than that.
Speaker 3 (11:42):
You would think, right, not higher than ten, But I'm
just saying I would think it would be to the
other vulnerability.
Speaker 2 (11:48):
This goes to eleven.
Speaker 1 (11:49):
So I guess it begs the question is this server
inherently insecure? Is it running code that it de serializes
when it really shouldn't.
Speaker 2 (12:00):
All that gen that's a great question, thank you. I
would say yes. I would say you should never de
serialize a generic object in a way that you don't
know what it's going to do, right right.
Speaker 1 (12:10):
And by the way, oh, there's something I can run here.
Let me run it within the context of whatever security.
Speaker 2 (12:16):
Is finding something in the forest and eating it right, right,
and then and then asking what it is exactly that
it's like.
Speaker 1 (12:23):
Getting a new stereo and seeing the dry packet in
there and saying, oh, look a chick lit I think
I'll eat that.
Speaker 2 (12:31):
So the other thing that's interesting about this, it's a
ten out of ten, right, and a nine point one
out of ten on the unauthenticated access. But this is
only accessible generally on the internal network. Okay, Like you
don't expose your net weaver server to the Internet. I mean,
in a proper implementation, you generally wouldn't do. It just
(12:54):
doesn't make any sense.
Speaker 1 (12:55):
Right, So contagent score is much lower.
Speaker 2 (12:58):
Yeah, I would make the contagent score much this is
it important? Yes, but somebody's already on your network, And
being a person who breaks into networks, I can tell
you there's a lot of other things I would.
Speaker 1 (13:06):
Do so important.
Speaker 2 (13:09):
You have other problems, right exactly, So I would say, yeah,
you should go patch this is important, But I wouldn't.
I wouldn't believe the high ten out of ten.
Speaker 3 (13:18):
Just because you leave the duct tape on the on
the table doesn't mean the murder didn't bring some Okay, Patrick.
Speaker 1 (13:25):
Stay tuned for more pearls of wisdom from Patrick Hynes.
Speaker 2 (13:30):
Horrifying, horrifying pearls of wisdom.
Speaker 1 (13:33):
All right, we're done with this one. We got one
more before the break, we do. Yeah, okay, this is
bypassing WAFs for fun and JavaScript injection with parameter pollution.
And this is a blog post, so.
Speaker 2 (13:47):
This is ren and stimpy episode.
Speaker 1 (13:50):
Yeah, and it's from eighth roll, so it's a good read.
But tell us the gist of it, Dwayne.
Speaker 2 (13:55):
Yeah, I actually really like these. You know, usually we're
always talking about the latest secure any things that have
happened in the last seven days, right, and what's the
most important thing and that sort of thing. But I'd
love to bring it back occasionally to just some interesting
tidbits of programming knowledge. Oldie but a goodie. Yeah, and
this one, honestly, I'll be honest, this one took me
by surprise when I was reading it.
Speaker 1 (14:15):
Me too.
Speaker 2 (14:16):
So they talk about they're trying to exploit in this
particular test, they're doing an autonomous pen test, so they're
doing they're scanning, they're doing dynamic code analysis what's called
dynamic code analysis against some sort of website. And in
their dynamic code analysis, there's a web application firewall or wafts, right,
that's sitting in front of it. And what the WATS
(14:37):
does is or wafts, whafs waves, whafs, Yes, whafs not
wafts whafs.
Speaker 1 (14:43):
Somebody tell us we don't know, Eh.
Speaker 2 (14:45):
It's whafs. So what the WAFS does? I always call
it waves and my team makes fun of me. But whafs,
all right. What the wafts does is it looks for
normal It looks for strings that are being passed to
the web server that might be exploits. So if I
do something like alert parenthesy, right, the WAPs is like listen,
nobody's sending that as their name, so it just drops
(15:07):
it before it hits the web server. So you have
this firewall just like a common sense service. Yeah, it's
a content inspecting firewall.
Speaker 3 (15:14):
Right.
Speaker 2 (15:15):
So you have this this firewall in front that knows
what to look for. It looks for SQL injection, it
looks for you know, XSS, cross site scripting, it looks
for a bunch of stuff. Then you have the back end,
which is a web server that also should be doing
a lot of the same things. Right. So the trick
here was the developer said, hey, listen, you know, as
are the pentester. As we were going through and we
(15:36):
were scanning and we were using dynamic code analysis tools.
We found that there was a cross site script payload
that we could send that would cause sort of weird issues.
But the problem was the web application firewall wouldn't allow
us to put a single tick in. It would strip
it out or it would say, you know, deny that
(15:58):
going to the to the server.
Speaker 1 (15:59):
Tell everybody what me my a single tick?
Speaker 2 (16:01):
Good point. So when you're if you're trying to inject code,
let's call let's say I'm trying to inject a cross
site scripting code and cross site scripting is I'm going
to I'm gonna have a web page that asks for
my username and password. Let's say, and I type my
username as you know, bracket script alert you know parenthesy,
tick hello, tick comma, and it's just that single quote,
(16:23):
single quote right, single quote right right, And when I
when I click OK and log in. If it logs
me in, then at that point, if it says hello,
and where it would have said hello, Dwayne, it says hello,
and it actually has code there and it pops up
some code on the screen and you you think, okay,
well that who cares if it's just a you know
pop up on the screen that says hello. But there's
(16:44):
all sorts of other things you can do with cross
site scripting, stealing cookies, that sort of stuff I won't
go into. So needless to say, cross site scripting is
pretty dangerous. So a lot of the tactics, and Patrick
talks about this quite a bit, especially with SQL injection.
This isn't this is an arms race. You shouldn't be
taking input from a user and saying, let's look for
the bad stuff. Yeah right, because users are really good
(17:07):
at making at hiding the bad stuff and when they
add something new.
Speaker 1 (17:10):
Users are evil, right y yah? User input is evil.
Never're all stupid. Never trust the users. Never.
Speaker 2 (17:18):
So the problem is if I'm looking for tick, they
may find some other way to put a tick or
a single quote into the string. Well that I didn't
think about.
Speaker 3 (17:26):
The canonical example was some web server was checking. This
is before waves were really a thing, but I'm sure
people are still doing. Somebody was checking for the word delete, yes,
because they want to make sure you weren't going to
like delete their files, and then they would remove the
word delete in the prompt, which I think you should
invalidate the request rather than try to sanitize it.
Speaker 2 (17:48):
But that's a different story.
Speaker 3 (17:49):
So they look for the word delete, and then they
looked for other things, and then they look for the
single tick, the single quote and remove that. Well, what
if I typed in D-E-L single quote E-T, right,
you won't find delete and when you remove the single quote,
you've formed my attack right right, right, So it's an
arms race that you can't win because they can always.
So the only way to win is not to look
(18:10):
for the bad stuff, but instead to only accept what's
known good.
Speaker 1 (18:14):
Right.
Speaker 3 (18:15):
If I'm afraid of being poisoned, I'm only gonna eat
apples from a tree that I know aren't handled by
anybody that I don't trust. Right, that's right, It's not well,
I'm gonna try I'm gonna let the dog try it,
and then they find the poison that doesn't hurt dogs.
Speaker 1 (18:26):
But ki tree is from the snow queen.
Speaker 3 (18:29):
Let me see, Hey, I could use a good sleep.
Speaker 2 (18:32):
Yeah, yeah, I know. So in this particular case, this
is the part that surprised me and I've never even
thought about it. When you pass in a parameter to
a web page, right, so you can say, uh, you
know you have that big long URL up its top
the screen. Browse any website, you're gonna see parameters, right
if you look in the URL on Riverside FM where
(18:54):
we're recording right now. I have a parameter called GW
equals on. I don't know what it means, but whatever
it is, it's on. So you can change those parameters. Well,
what happens if you pass in GW equals on and
GW equals off. M Like if you pass the same
parameter in twice? What happened?
Speaker 1 (19:11):
And this is weird because we would never think to
do that.
Speaker 2 (19:14):
Why would you like?
Speaker 1 (19:15):
And we would never think too, But bad guys, we
would never think to even look for it. Right in
the parsing the URL.
Speaker 3 (19:22):
That's what fuzzing is is you're trying things that aren't Like,
you know, what's your last name? And you give them
a binary answer, right, you give them a color?
Speaker 2 (19:30):
Yeah, So what's weird? Is like if I had pulled
Carl Patrick and I before reading this article and said,
what do you think each of us would have said, Well,
it takes the first one and disregards the last one,
or it takes the last one and disregards the first one.
Speaker 1 (19:44):
Because that's what it should do.
Speaker 2 (19:45):
That's what it should do. It shouldn't have to make
that choice. That's true too. It should just crash the
page and be like, you know what, you're an idiot.
You pass your parameter twice. You're being nasty in that
bad request.
Speaker 1 (19:57):
That's what I would say.
Speaker 2 (19:58):
So what happened is the developers, ever trying to be
helpful that wrote web application software like ASP.NET
and ASP and Golang and Node.js and all that,
said that's not going to work. Try this password. Yeah,
I know. So what they did is they said, oh,
you passed it in twice, let me concatenate it. No,
(20:19):
so they put in if I have GW equals on,
oh not good, and GW equals off. They now have
on comma off as GW. They've put it together so
the web application firewall doesn't actually see the two single
ticks if you pass the one in the first variable
and one in the second variable, and then the back
(20:39):
end software puts it back together. I thought that was
pretty cool. That's pretty crafty.
Speaker 1 (20:43):
It is crafty.
Speaker 2 (20:44):
It is crafty. So uh yeah, and you know it's funny.
And coming back to Patrick's example, right, it's developers trying
to be helpful. Right, Oh, I see you put a
tick in here. Let me remove it and see if
there's still good stuff here.
Speaker 1 (20:57):
Yeah, right, And what they should do is just return
it request.
Speaker 2 (21:00):
Yeah, and absolutely same here, Like if somebody's putting the
same parameter in nine times, throw it out right right, Yeah.
Speaker 3 (21:08):
I honestly I think we should like ban them from
making requests to the server again.
Speaker 2 (21:13):
Yeah. They they're they're actively trying to do bad things.
Speaker 3 (21:15):
If you catch somebody doing bad things, someone tries to
sneak in my window, I don't say, oh great, you
found the door, come on in.
Speaker 2 (21:22):
Yeah. No, I say you're the bastard to try to
get in my window. Right right now?
Speaker 1 (21:27):
You say, here have some of this blam blam blam,
my finest buckshot, another.
Speaker 2 (21:31):
One of these, my finest shot for you.
Speaker 3 (21:34):
Got to start with bird shot, just so you can
you can beat the the the murder rap right right.
Speaker 2 (21:41):
I'd say that's criminal career advice, but I know criminal
career advice.
Speaker 1 (21:46):
Lighten up, folks, lighten up. It's just a joke.
Speaker 2 (21:49):
I repeat, I'm from Boston.
Speaker 1 (21:52):
All right, it's a good time to take a break.
So we'll be right back after these very important messages
or not. We'll see. But if there's messages, here go
and we're back. It's security this week. I'm Carl. That's
Dwayne and Patrick. And we got another. We got a
few other stories here. Chili Hell, a deep dive into
(22:15):
a modular macOS backdoor Chili hell.
Speaker 2 (22:19):
Chili hell.
Speaker 1 (22:22):
And it is C-H-I-L-Y not C-
H-I-L. It's not about, you know, going to
Wendy's and getting a very hot bowl of chili or
something like that. What is this?
Speaker 2 (22:33):
Every time I heard the word chili, I think of
that penguin. Was it a penguin. I think it was
a penguin cartoon penguin from the fifties. It was named
chili Chili Willy. I think that was it.
Speaker 1 (22:44):
Just God, I'm.
Speaker 2 (22:46):
Old, all right. Anyways, this was an interesting one. So
this was a uh researcher at uh Jamf Threat
Labs. Jamf. I've heard of Jamf Threat Labs.
Speaker 1 (23:02):
They're from Banff, which is beautiful, I hear. Is it Banff?
Speaker 2 (23:11):
So they were they were hunting around on files on
on VirusTotal. If you don't know what VirusTotal is,
it's a place you can submit files to see if
they match known virus signatures. Yeah, and it's actually really
kind of cool. The thing I would warn you against
is there are threat hunters on the back end, virus decryptors,
(23:32):
the I know the ransomware crew is on the back
end as well, where you can get access to those
files that people upload. So don't upload anything sensitive. Don't
be like, oh, this is all of my banking information
and I think it. You know the PDF is infected.
Let me throw it up on virus totally.
Speaker 1 (23:48):
Now, Dwayne, you never let us have any fun, I know, right,
go up.
Speaker 2 (23:52):
There and search for confidential. I'm sure you'll find one
or two things up there anyways. So, needless to say this,
this team decided they'd start digging into the Chili Hell exploit,
which was there was a Apple validated, signed and notarized
(24:12):
app I'm sorry, an applet Yeah no, sorry Apple. Yeah.
The sample is developed, developed, and signed, successfully passed Apple's
notarization in two thousand and twenty one. So that means
that the app is quote unquote trusted in a way
because it's because of how it was signed. And there
are a couple sort of what they call MD5
(24:35):
hashes for for found known variants, but this particular team
found another one that wasn't quite discovered before, so they've
discovered kind of a new one that meets that variant.
So this, this Chili hell is an interesting piece of
software in that once it gets downloaded and runs, it
creates a modular C++ backdoor wow, specifically targeting
(24:59):
Intel architecture and opening up an SSH
secure shell so that people can connect to the server
and do whatever they want to.
Speaker 1 (25:07):
Wow.
Speaker 2 (25:08):
So very hard to find. And the the hashes that
we're seeing on on VirusTotal or you know, like
I said, this applet looks like it's signed, So is.
Speaker 3 (25:18):
This the kind of thing so that like the applets
signed and it hasn't been patched. Is it possible that
it was harmless when it was signed and then they
patched it or it checks sums the same. That's a
good question because they could be using a dynamic library. Yeah,
and that's where the bad stuff comes in.
Speaker 2 (25:35):
So that I don't know the fact that the team
ID on it comes out the same, but the hashes
are all different and yet it's still notarized. Yeah, It's
it's an interesting one. So We'll probably see more about
this coming in the future, but it is targeting an
Intel architecture, So this is more for i'd assume your
(25:59):
your app, mac laptops and that sort of stuff. So
be careful what you download and run, even if it
is signed and looks like it's been verified by Apple,
if you don't know what it is. I mean, that's
always good advice.
Speaker 3 (26:10):
Yeah, I mean, we know that it's possible to compile
a program, get it, you know, approved, signed, added to
a library, and then it calls other files that are
in flux because you know their signature files or whatever,
and that's where the bad stuff comes in.
Speaker 2 (26:30):
The other interesting thing about this one, so it probes
out to a C2, a command and control structure,
So one of the ways that firewalls and endpoint detection
systems will pick up that type of communications because if
I'm communicating over SSL or heck, I'm using DNS as
(26:50):
my exfil for C2 commands, the EDR will look
for very consistent communications. If every two sec seconds this
app is spitting something out on DNS, it's probably suspicious, right.
So this app actually has a time stomping routine in
(27:11):
it that varies the communication between you know, two seconds
and sixty seconds, so it doesn't always look like it's
the same communications paradigm. It's interesting, so this one would
be hard to find.
Speaker 1 (27:23):
Curious term time stomping. Why wouldn't it be time varying
or something. Why stomping?
Speaker 2 (27:29):
I think it's a it's a variation on stamping. Yes, yeah, okay,
so it's changing, and it's actually between sixty and one
hundred and twenty seconds, so between a minute and two minutes,
this thing alternates as communications out And it's actually interesting enough.
It is using port fifty eighty three, one thousand and
one and eighty eighty, so a lot of those are
classic HTTP ports or DNS ports. DNS is fifty three.
Speaker 1 (27:53):
You know, I would be looking for the content of
that message going out, not just the time of it
as a red flag.
Speaker 2 (28:01):
So that's a good point. If I am communicating to
an HTTPS server, right, that traffic's going to be encrypted
from you know, my communication process to the server, so
it will be hard and less unless we were doing
traffic inspection, right, So if at the firewall we had
traffic inspection, then yeah, absolutely, we would push a trusted
certificate down to the client and I could see all.
Speaker 1 (28:24):
That trip or just look at the URL like you know,
it may be every minute, might be every half minute,
but it's the same URL it's going to. Yeah, absolutely,
you know base URL and it's not one that is
part of our system, So what the what the heck?
Speaker 2 (28:37):
Yeah? And in this one, this is there's two hard
coded IP addresses in there, ninety three eighty eight seventy
five two five to two and one forty eight seventy two,
one seventy two fifty three. So there are You're right,
absolutely right, Carl. You would see this is weird. This
computer is talking out to these two IP addresses constantly.
Speaker 3 (28:54):
Yeah, but in the Devil's and the details, if I
got one hundred thousand uses, I may have fifteen million
right requests an hour.
Speaker 2 (29:01):
Yes, but I'll also tell you this. Do you guys
ever you ever install a Hue light, like one of
those color changing Hue lights. Yeah, yeah, okay, so I
did once. Uh Philips Hue. And I'm not saying that
they're they're doing anything nefarious, not, but Philips Hue,
those Hue lights. You have the Hue hub as well
(29:22):
to control the lights and automation and that sort of stuff.
That hub communicates out to a data center in China
every thirty seconds or something along those lines, like so
like and listen. They have a data center there, they
have manufacturing facilities there. It's not I don't think it's
(29:43):
anything nefarious. I think it's literally just hey, this,
do I need to get an update type thing?
Speaker 1 (29:47):
Still don't right now.
Speaker 2 (29:49):
On top of that, Hue just released I think it
was this week or last week. They said, oh, by
the way, we got a new feature with all of
our color changing light bulbs. If you buy the new hub,
they will actually sense motion in the room and can
turn on when you walk in the room, and when
you leave, the lights will turn off. And people asked,
(30:10):
do I need to buy new lights for that, and
they said no, it works with our existing lights. Now
I'm like, okay, well is it the lights doing this sensing.
Speaker 3 (30:20):
They wanted to share that data with the users because
they've been using it all along.
Speaker 2 (30:25):
They're like, you should know if you're in the room too.
So I don't know. It could just whatever. It could
be the hub that detects your phone is close enough
and it turns on. I have no idea the way
I am too, But there again, how many people inspect
that traffic?
Speaker 3 (30:38):
I think this is very similar to the, to the,
the Chinese solar inverters that happen to have a modem, listen.
Speaker 2 (30:47):
I'm not, I don't want to get sued, but yeah, Philips,
I'm not saying it's, I actually, we should tear a
hub apart. We should, and find out what it's actually saying.
Speaker 1 (30:55):
There you go, in your spare time. So, Dwayne, you
were impressed that I suggested that we look at the
outgoing URL. Does that mean I'm coming to
work tomorrow?
Speaker 2 (31:04):
Yeah? Hell yeah, I'll bring you on tomorrow.
Speaker 1 (31:06):
All right, very good?
Speaker 2 (31:08):
Yeah, there's a place for an apprentice.
Speaker 1 (31:11):
Wow, an intern. Look at you coming, Mister Dwayne, unpaid. Okay,
so that's chilli. Hell, let's talk about Akira. Akira ransomware
exploiting critical SonicWall SSL VPN bug. Again,
(31:34):
SonicWall, SonicWall.
Speaker 2 (31:37):
I have seen a lot of people moving off of
SonicWall. SonicWall, WordPress, of firewalls. No, anyway, that
will get assumed. Man, if we had more than seven listeners,
would company, man. So what happened here is, okay, so, uh,
(31:59):
SonicWall, they're getting a lot of calls for ransomware
being deployed, and it looks like the VPN on the
SonicWall is getting compromised. And SonicWall did some
analysis and they said, hey, it looks like they're
breaching this over the thing we told you about in
twenty twenty four, a year ago, that you should have patched.
(32:20):
Go patch. So CVE-2024-40766 last year was, off, it was an unauthenticated bypass
where you could gain access to the SSL VPN. Once
you're on the VPN, you obviously are on the network
and you can ransomware people.
Speaker 3 (32:38):
Right.
Speaker 2 (32:40):
So what, what SonicWall is saying is either you
didn't patch, or you didn't, you patched and you didn't
follow our advice, because our advice was, if somebody patched,
if somebody had hit you and broken into the SonicWall,
they could have put their own keys on there. They
could have pulled other usernames and passwords off there, like
you had, you had to flash it, right? Yeah, you
(33:01):
had to reset it, flash it, and reset everybody's user
names and passwords on there for the, for the VPN,
and if you didn't do that, and they don't do that,
I don't know what to tell you, right? So burn
it down. This is our, this is our warning to you. Yeah,
go, go patch those devices if you haven't. If you have,
you really should have reset it when you did. So
keep an eye on it. All right.
Speaker 1 (33:23):
And our main story, hackers left empty handed after a
massive npm supply chain attack. And by massive, this is apparently,
according to this article, the largest supply chain attack in history.
Speaker 2 (33:39):
And they got almost nothing.
Speaker 1 (33:41):
Well yeah, okay, you, dude, you spoiled it, right? Nor
give us a chance to build it up? How
many billions of people were potentially affected, Dwayne?
Speaker 2 (33:53):
Uh? This, so in this supply chain attack, attackers injected
malware into npm packages with over two point six billion
weekly downloads. Wow, so two point six billion potential downloads
were gonna happen? Was the ransomware like one cent? How
the hell does this happen?
Speaker 1 (34:11):
What the hell? Yeah?
Speaker 2 (34:12):
They do?
Speaker 1 (34:12):
So they only got four hundred odd dollars.
Speaker 2 (34:15):
Right, Yeah, So what happened is security groups and watchdog
groups noticed eighteen packages update at once, and they dug
into them and saw the code and notified the developer
immediately and he was able to contact NPM, recover his
account and remove them.
Speaker 1 (34:33):
All right, Brandon, play the song, go ahead, play the song.
It's so, our advice to criminals is, don't patch eighteen
npm packages at the same time, you idiot. What do
you think?
Speaker 2 (34:50):
And small update, big red flag, small update. Hey,
you know what you get?
Speaker 1 (34:54):
You get antsy when you're only twelve.
Speaker 2 (34:57):
Right, four hundred bucks A lot of money when you're
t uh.
Speaker 1 (35:00):
It is.
Speaker 2 (35:02):
Yeah, the whole bucket of Bazooka Joe. The way that
these packages were compromised is, Josh Junon, I think is
his name, is the developer who maintains these packages, and
he received a phishing email that looked like a legitimate
(35:23):
email from npm saying that they were resetting his
2FA because they saw weird activity, and he
clicked okay. He literally gave the attackers access, and an
hour later he got notified, hey, by the way, a
lot of your packages are updating, and that's when he
went to fight to get it back. So okay, so
it was fast. It didn't, it didn't linger. Nope, nope. Yeah,
it's impressive. It's impressive that they found it. VX Underground
(35:46):
posted on Twitter, and this is, I'm sorry, I won't
call it X. VX Underground, it does great work
identifying some of these things, but it says, breaking news,
the largest supply chain attack in history pulls off massive
crypto heist at twenty dollars and five cents of ETH. The
entire world is crumbling. So yeah, for what it's worth.
(36:08):
But good job on keeping an eye on, on open
source npm packages. Yeah, that's impressive. Not only did they
see all eighteen update, they pulled them down, reverse engineered
the highly obfuscated code that the developer, the malicious developers,
had put in there, saw that it was malicious, and
then contacted the maintainers. That's awesome, good job.
Speaker 1 (36:27):
That is great.
Speaker 2 (36:28):
And the maintainer believed them. Oh yeah, well, there's that.
I think, I think the maintainer was like, no, that
can't be true, and tried to log into his npm
account and couldn't, and went, oh wait.
Speaker 1 (36:39):
Wow, wow. Well, would that it were better news, but you know,
that's the nature of this show, so at least we
can have a little laugh here and there.
Speaker 3 (36:52):
Right.
Speaker 1 (36:52):
Hey, thanks for listening, and we'll talk to you next
week on Security This Week. Bye bye, guys.