Security Now Episode 878 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte (00:00:00):
It's time for security. Now, Steve Gibson is here. Another zero day exploit for Chrome, some new settings you might want to turn on in Firefox. We'll walk you through it. And hacker one has a malicious now X employee. They want you to know about, plus the latest in router exploitation with Zul rat. It's all coming up next on security. Now podcasts you love from people you trust. This is TWI. This is security. Now with Steve Gibson episode 878 recorded Tuesday, July 5th, 2022. The ZuoRat. This episode of security now is brought to you by ZipRecruiter. Ziprecruiter uses its powerful technology to find and match up the right candidates with your job. So travel to this easy to remember web destination, that's where you can try ZipRecruiter for free and by it pro TV, give your team an engaging it development platform to level up their skills.

Leo Laporte / Steve GIbson (00:01:07):
Volume discounts. Start at five seats, go to, and make sure to mention S N 30 to your designated it pro TV account executive to get 30% off or more on a business plan. And by Tanium. Tanium, unites operations and security teams with a single platform that identifies where all your it data is patches. Every device you own in seconds and implements critical security controls all from a single pane of glass. Are you ready to protect your organization from cyber threats? Learn more at It's time for security. Now the show we cover the latest security advances things you should know to protect yourself, your network, your company, privacy information, a little bit of how computers work in science fiction, thrown in for good measure. All thanks to this guy. It's really the mind of Steve Gibson on display. Hello, Steve. Oh, that's a sad statement, but it is true.

Leo Laporte / Steve GIbson (00:02:08):
Thanks to Jason. How did Jason do the show last week or Mikah? Yep. He, Jason. Jason, did he did it last week and we're gonna see him in two weeks when you are off sunny cruising himself in the, in the cruising and the Pacific. No, it's Alaska. Well, it is the Pacific, but I don't think there'll be a lot of sun. Let mean. There will be sun a lot, not a lot of sun it's Alaska. So there will be glaciers that's that's anyway, it was, it was great working with Jason. Yeah. He's he's, you know, he's comfortable with the podcast it's I guess he's the producer of the podcast normally, so, and he also listens to it. So he was sort of up to speed on things. I didn't have to say, okay, now we talked about this three weeks ago and here's what that, so, you know, he had the background and that was great.

Leo Laporte / Steve GIbson (00:02:49):
So we are at our first podcast for July as we started into the second half of the year 878. And no one knows how to pronounce this. Unfortunately, we're going with Zah rat Zu, Sozo rat Zu, rat Zuzu, Zuzu, Zu. It's a Chinese word. It's yes. For the, for those who are as phonetically impaired, as I am, it's spelled Z U O R a T Zah rat, of course, rat is remote access Trojan. Oh and it's on our radar because a state sponsored actor, apparently in China has managed to install this bad remote access Trojan in many Soho routers, taking advantage of the fact that COVID drove people home. And so they, somebody realized, Hey, we got all edit. This is, and, and, and this is us and European targeted routers have been infected with this as a means of getting into the corporate network through a remotely located employee.

Leo Laporte / Steve GIbson (00:04:07):
So, you know, the world in which we live today. But first we're gonna take a look at Chrome's fourth, zero day of the year, and add another welcome privacy enhancing bump that Firefox just received from Mozilla. We're also gonna share the disclosure and forensic investigation of the bug bounty clearinghouse. We've talked about often hacker one and their discovery of a malicious now ex employee among their ranks, you know, could happen to everyone. And we don't talk about insider threats as much as we probably should. So I thought this would be a good opportunity to sort of take a look at that. We also have some listener feedback which has drawn us into a discussion or will of the nature of the vulnerabilities of connecting. And this is, this is a term that we discussed last week, Leo that's. Now we used to talk about SCADA devices.

Leo Laporte / Steve GIbson (00:05:09):
Now these have they're nor sort of more generically being called OT or operational technology systems. Ah, yeah. So the nature of the vulnerabilities of these OT operational technology systems, when they're merged onto the internet, we also have some hope for the future amalgamation of the currently still fragmented smart home IOT industry. And before we start into a deep dive into some of this, this Zu rat prolific malware, we're gonna consider whether we'd rather have one nine inch pizza or two, five inch pizzas. So as always another gripping episode <laugh> of security. Now, all I know is phar squared. So it be just would make the pizza square we'd know, right? It'd be easy. It'd be much, much easier, much easier to deal with our show today brought to you by ZipRecruiter. And when I say brought to you by, I mean, of course they're our sponsor, but I have to say they also hired many of our employees.

Leo Laporte / Steve GIbson (00:06:21):
So in many ways they're brought to you by ZipRecruiter. We love ZipRecruiter. It's the easiest way to hire. I I'm excited to be traveling this summer. Have you ever thought about the people who make your vacation truly great? The tour guide with great stories, the charismatic bartender, the hotel concierge, who can get you tickets to that big show or the friendly souvenir gift shop clerk who will speak English, even though your French is terrible, <laugh> water, the waiter or the server or the chef. You know, these are all really important. They're not, they're not background noise. They're part of your trip. Outstanding talent is crucial for any successful business. If you are hiring in your business, you should know you can find talent for roles like these and any other possible role for any job out there at ZipRecruiter. And you can try it for free at

Leo Laporte / Steve GIbson (00:07:21):
Now, now let me explain why we love ZipRecruiter. Well, first of all, some of our favorite employees came to us from ZipRecruiter. But it's also really easy to use one click of the mouse. You're posting the widest possible net. You know, you're, you're posting on a hundred plus job boards and social networks, and you're really getting your, your listing out there, all of the applicants, you know, don't worry, they're not gonna flood your in inbox. They all go into the ZipRecruiter interface. They don't call your phone. Zipre recruiter, reformats their resumes. So they're all uniform easy for you to scan through. You can do screening questions, eliminate people who don't fit. Yes, no true false, even essay questions. All of this makes it so much easier, but ZipRecruiter has a unique thing that they do that I think is really the key. Their secret sauce.

Leo Laporte / Steve GIbson (00:08:07):
Ziprecruiter has millions of resumes on file because people come looking for work to ZipRecruiter, just as you come looking for employees, they go through those resumes in an automated way, and they pick people whose qualifications match your opening and then send them to you so you can invite them to apply. And this works wonderfully because I could tell you from experience when a company reaches out and says, Hey, we think you'd be a good fit. You're more likely to apply much less likely to ghost the interview. You're gonna show up. You're gonna be excited. You're gonna be enthusiastic. You might be than <laugh> their next employee. It really works four out of five employers who post on ZipRecruiter get a quality candidate within the first day in, in our experience, it was actually within the first few hours. It's really amaz amazing. Ziprecruiter is no wonder the number one rated hiring site based on G2 satisfaction ratings as of the beginning of the year.

Leo Laporte / Steve GIbson (00:09:03):
I think ZipRecruiter is fantastic. So maybe you're going on a vacation soon, but if not, or even if you are, you might want to travel to this easy to remember web destination, you could try it for free S E C U R I T Y N O w security. Now, ZipRecruiter, it really is the smartest way to hire. We thank him so much for supporting Steve's efforts to make you safer online. And and we thank you for supporting Steve by using that address, cuz that's how they know you saw it here. Ziprecruiter.Com/Security now. Okay. Steve picture the week time. So we have the debut of a good friend of the show by the name of Evan Katz know him very well. Yeah. He a great guy. He, yeah, he is. He sent me this picture that I thought was really apropo of what we've been talking about with all these cookie notices.

Leo Laporte / Steve GIbson (00:10:11):
I thought it was what, and what struck me was that for a, for a retailer to put this sign up in their store, demonstrates just how pervasive this issue. Everybody knows about cookies now. Yeah. Yes. And I can't identify the store. It looks kinda like a pottery barn kind of place. It looks like it's in New York city, which is, I know where Evan hangs out. Cause it says NYC tote for 20 bucks. That's not related to this, but anyway, Evan's pointing to this big plaque that says, and, and the, it it's, it's a display of plates. And so the plaque says these plates accept all cookies, <laugh> Uhhuh. And then there's two buttons down below was also printed on this plaque on the left. It says manage cookies. And the right has a, has a old style sort of Macintosh like pointy finger saying accept all cookies.

Leo Laporte / Steve GIbson (00:11:18):
And that's, what's being pressed here. So anyway, sort of fun for the retailer to do this, but also like, look at the degree to which this has permeated, you know, just common experience in the world. It's like, yeah. And that smiling face there is Evan point pointing at that sign. We love Evan. Yeah. Thank you, Evan. Yep. So for our zero day watch, we have Chrome having moved to version one oh 50 60, do 1, 1, 4 yesterday for windows users, Chrome jumped to that version. It was an emergency update to address a high severity zero day vulnerability, which was being exploited by attackers in the wild. It's also the fourth Chrome zero day patch so far this year, but really four's not bad. I th they're like, this is better than they were at this time last year. So cuz here we are already in the second half of the year and this is, you know, only the fourth problem that they've had.

Leo Laporte / Steve GIbson (00:12:29):
Anna's usual Chrome Chrome, Google is saying very little at this point. And there's really no reason for them to say more except, you know, fix it. The only thing we know is that Google was made aware of this by the Avast threat intelligence team last Friday, July 1st. So I have no problem with the idea that they were told of this on Friday before the long us holiday, 4th of July weekend and that micro Chrome browser was already updated, had already updated itself as I'm writing this Monday evening on of July 4th. You know, and I just that thank goodness Microsoft didn't win the browser wars with their track record of slow or non-existent responses to known critical problems. We do know that the trouble was a high severity heap based buffer overflow weakness that was found within Chrome's web RTC. That's you know, the web realtime communications component.

Leo Laporte / Steve GIbson (00:13:38):
We also know that this was report. This reported problem was promptly assigned a CVE, which is nice to know 20 22, 22 94, even though it didn't require any user involvement. And of course we recently learned that Microsoft doesn't bother assigning CVEs to their problems. If no user action is required, you know, is that a rug? Oh good. Just lift the corner and we'll sweep it under. So anyway, Google did the right thing and they're also, you know, cruising along well with only having, you know, this being the fourth zero date so far and they made it to the second half of the year. Mozilla released Firefox 1 0 2 last week, which includes a new privacy enhancing feature, which I, I have mixed feelings about it strips some of the URL parameter crap from the ends of URLs that are used to track us around the web. That certainly it's good for any of that to be stripped.

Leo Laporte / Steve GIbson (00:14:49):
The problem is that it's gonna be kind of problematic. You know, we, we talk a lot about tracking cookies, but another more blatant way of tracking us is to customize each individual URL to embed in the, in the link, a unique tracking tag, which will just get passed along many companies, including Facebook Marketto otics drip, VE Vero and HubSpot all and, and more, but you know, that's just some utilize. They embed these custom URL query parameters because it's gonna go wherever you click it. So when the click comes in, the URL, you know, essentially closes the tracking loop to let them know where when and whom it was issued to. And for example, Facebook, appends a big, long, hairy query parameter named FB C L I D that looks, you know, I put a, an example of it. I mean, it's, it's like after the question mark F B C L I D edits, God knows, looks like it's about 50 characters of gibberish.

Leo Laporte / Steve GIbson (00:16:10):
It's a go right. Or something like a GoIT. Right. It it's very much like that. This looks like about two GOs worth it's long. Yeah. I mean it's but they have 3 billion users. They gotta have long GOs. That's right. You got a lot of those people to differentiate among. Yeah. So now though, it's reportedly not as complete and as thorough as the brave browsers, current URL stripping at least Firefox version 1 0 2, which I already had. So it, it was updated last week, it's added this new query parameter stripping feature. It will automatically strip various known and recognized query parameters. And this is part of the problem which are used for tracking from the URLs where they appear. And, and for example, we could generically refer to third party cookies as being bad, regardless of what the cookie is. You know, I mean, like there's no good reason for a third party cookie to, to follow you among across domains.

Leo Laporte / Steve GIbson (00:17:20):
Whereas it's necessary to specifically recognize F B C L I D in order to strip it from a URL. And it also wasn't clear that it's, that it's specifically Facebook F B C L IDs that is on links. It looks like it's maybe any domain that has, that has the misfortune of naming part of their URL tale, F B C L I D. So, you know, maybe this explains why Firefox is reportedly not doing as good as thorough a job as brave is, you know, they're not wanting to break things cuz this, you know, this is gonna tend to be a little bit flaky. This Oll ticks company ha embeds, something called O L Y underscore E C underscore ID, then an equal sign and then a big blob of crap. Then there's also Ollie O L Y underscore a non underscore ID drip, the, the company drip has underscore underscore S equals and then some, you know, blob Vero is zero underscore ID HubSpot uses underscore H S E N C equals and then something Marketto M KT underscore T K equals.

Leo Laporte / Steve GIbson (00:18:54):
And Facebook actually has two F B, C L I D and also MC underscore E I D anyway. Okay. it's good. As I said, that Firefox is doing this, but you know, stripping stuff from URLs is error prone. And to me it feels a bit messy. And you know, if Facebook were to change the name of their C L I F B C L I D parameter to F B C L I D two or something, presumably that wouldn't match and Firefox would let those go until they updated themselves. So, eh, it doesn't really grab me okay. In any event I'm still using Firefox and I'm glad to have that incremental improvement since my enhanced tracking protection is already set to strict, as I would imagine is the case for most of our Firefox using listeners, this was already enabled for me when Firefox updated itself to version 1 0 2 last week.

Leo Laporte / Steve GIbson (00:19:57):
What's weird. However, is that until, and unless an additional tweak is made, these, this tracking parameter stripping will not be enabled when using Firefox in its private browsing mode. It's like, what <laugh>, why would you not want it there? And I don't get it. Okay. So, and that's even when strict mode is enabled. So Firefox using listeners go to about colon config and you know, about colon config has a gazillion individual little things in there now. So search for the string strip S T R I P, and that'll reduce the number to something manageable. I don't know. It looked like about eight, as I recall, you'll see one that's already enabled and set to true and that's privacy dot query underscore stripping dot enabled. And that was true, probably because I'm in strict browsing mode. And so that was probably a co that's something that the strict browsing mode setting turns on, but the one directly below it is privacy dot query, underscore stripping dot enabled dot PB mode, which is doubtless private browsing mode.

Leo Laporte / Steve GIbson (00:21:22):
It was not enabled and it should be. So you wanna double click on that to flip it to true. It'll get bold and then you should be good. And did you not find it? Oh yeah, there it is. Yeah. It's right above it's right above the cursor. So there's enabled and the one below that Leo is enabled dot and then say PB mode over and now it's true. Yes. Good. And that's what you want. Just that one. I don't need to do the stripping enabled or, yeah. I wonder why I had the, the, the one above it stripping got enabled the non PB mode, right. Mine was already set to true because prob at the true cuz probably I assumed cuz I was in enhanced tracking protection as a main feature. You definitely want that, but you do want that turned off.

Leo Laporte / Steve GIbson (00:22:11):
They should all be true. In other words, they should all be true. Okay. And, and, and, and just as an aside, if, because this is sort of a problematic thing on, on the other hand, I don't know what else we're gonna do if we don't have our browsers stripping, tracking crap from URLs because you know, that's a thing. If it, you know, it could tend to break something. So if you turn this stuff on and a website doesn't work the way you expect it to, then you might try turning it off briefly to see if that fixes the problem. I, you know, again, knowing Mozilla, they are tiptoeing very cautiously into this. I'm sure they didn't turn it on for everybody. I had it turned on for me cuz I was already in the the, the highest level of, you know, strict browsing protection.

Leo Laporte / Steve GIbson (00:23:07):
I don't think they would turn it on if it was causing problems. So I'm sure it's been well vetted and it's safe to enable you just also want to enable that, that, that, that private browsing mode as well. Okay. One thing this podcast probably doesn't spend a knife enough time focusing on probably cuz we don't get enough information about it is the very real threat from insiders gone bad. Naturally nobody wants to advertise. No enterprise wants to advertise when they find someone being malicious inside their organization, you know, they're quickly escorted out and that's the end of it. So it, consequently doesn't make the news. Of course it doesn't matter how strong one's perimeter perimeter defenses may be. If someone with malicious intent walks right through the front door, smiles at the security guard, swipes their badge and then settles down in their cubicle.

Leo Laporte / Steve GIbson (00:24:14):
Now with full internal access to the corporate network, we've briefly touched on the notion that our government's own three letter agencies might bring an existing employee of some other company or two, you know, who have critical access into their fold under the auspices of patriotism and national security. And we certainly it's the case that private company employees were aware and stayed silent when the NSA was establishing those massive internet listening post taps at the major domestic network exchange points, you know, that had to be known by the employees who worked in those facilities. And we have deep suspicions that some of the older crypto designs remember the Dr B pseudo PR NNG the, that, that pseudo random number generator that that was like the weakest of all possible versions that could be chosen. And for some reason that was the RSA default, which always sort of raised so eyebrows which made us wonder whether maybe there was some influence, you know, under the dis U U under the guise of this will be good for uncle Sam in these instances, people knew and were keeping quiet.

Leo Laporte / Steve GIbson (00:25:48):
It seems. And then there's the insidious possibility that a truly malicious foreign agency might bribe someone or perhaps extort them if there's some embarrassing weakness, you know, and, and say, okay, just wipe all of your fingerprints off of this little USB device that we're gonna give you, then plug it into the back of the break rooms printer, and just walk away. We'll know when you have, and a parcel with $50,000 in crisp $100 bills will be delivered to you practically, where do I get that job? I'd like to do that. Yeah. This makes, ah, just make sure you wipe your fingerprints off quite thoroughly. Absolutely. That's right. So yet another possibility is the self corruption of a trusted employee. Who's able to subvert their employer's own business model to make money on the side. And that's what was revealed last Friday by the famous bug bounty program, hacker one, because it's possible and often appears to happen that the same bugs are found nearly at the same time, by different researchers who just happen to be looking at the same place.

Leo Laporte / Steve GIbson (00:27:15):
Bug collision reports and bounty collisions are not uncommon. So it's not unusual for a hacker to complain when a bug they confidentially submit for consideration for a bounty is denied and paid instead to someone else, it can happen when no one is at fault, but to hacker one's credit, they investigate all such reports. And in this case, once clear evidence of an insider gone bad was found. They went public with the details. So here's what hacker one's disclosure started out explaining. They said on June 22nd, 2022, a customer at now about when they say customer, they mean someone who is using them to manage their company's bug bounty, you know, payments, payouts, and, and so forth. A customer asked us to investigate a suspicious vulnerability disclosure made outside of the hacker one platform. Okay? So that meant that that this customer was informed of a, a vulnerability, not through hacker one, but through some outside agency, the submitter of this off platform disclosure reportedly used intimidating language.

Leo Laporte / Steve GIbson (00:28:48):
As in like extorting this customer in communication, they said with our customer, additionally, the submitter's disclosure was similar to an existing disclosure. Previously submitted through hacker one. They said bud collisions and duplicates were multiple security researchers independently discover a single vulnerability, commonly occur in bug bounty programs. However, this customer expressed skepticism that this was a genuine collision and provided detailed reasoning. The hacker one security team took these claims seriously and immediately began an investigation upon an investigation by the hacker one security team. We discovered a then employee had improperly accessed security reports for personal gain. The person anonymously disclosed this vulnerability information outside the hacker one platform with the goal of claiming additional bounties. This is a clear violation of our values, our culture, our policies, and our employment contracts. In under 24 hours, we worked quickly to contain the incident by identifying the then employee and cutting off his access to data.

Leo Laporte / Steve GIbson (00:30:16):
We have since terminated the employee and further bolstered our defenses to avoid similar situations in the future subject to our review with counsel, we will also decide whether criminal referral of this matter is appropriate. Our full discussion of the incident is below. Okay, now then they lay out a detailed nine day blow by blow timeline, starting June 22nd and finishing last Friday, the 1st of July. And I'm gonna skip that. But I think that the discussion of their investigation would be interesting to our listeners. So they said our investigation has concluded that a now former hacker one employee improperly accessed vulnerability, data of customers to resubmit, duplicate vulnerabilities to those same customers for their personal gain. The investigation began after a customer notified us of re of reportedly receiving a threatening communication outside the hacker one platform about a vulnerability disclosure. We immediately launched an investigation within 30 minutes of the investigation, additional evidence surfaced that caused us to escalate the priority of the incident.

Leo Laporte / Steve GIbson (00:31:32):
We began to run down every scenario of a possible exposure to disclosure data, including potential exploitation of our application, a remote compromise of the hacker customer or analyst, a leak by misconfiguration and others. There was information to support. Only one of our hypotheses, an internal threat actor. Upon this discovery, we began a separate investigation into the insider threat with what they described as a contained group. These steps were necessary as we worked to investigate and eliminate the prospect of multiple insiders, thus, they immediately went to a, you know, to, to a constrained investigation with only a few people being on the inside. They said, we are now confident that this incident was limited to a single employee who improperly accessed information in clear violation of our values, culture, policies, and contracts. And then they repeated within 24 hours of the tip from our customer. We took steps to terminate that employee's system access and remotely locked their laptop out pending further investigation.

Leo Laporte / Steve GIbson (00:32:54):
We were able to reach our conclusion quickly using the following methods, our internal logging monitors employee access to customer disclosures for regular business operations, namely vulnerability intake and triage analysis of this log data suggested a likely actor. Soon after our internal investigation kicked off only a single employee had accessed each disclosure that our customers suspected of being redisposed by the threat actor, the threat actor had created a hacker one, what they described as a sock puppet account and had meaning, you know, an alternative identity as if they were an external vulnerability researcher and had received bounties in a handful of disclosures. After identifying these bounties as likely improper hacker one reached out to the relevant payment providers who worked cooperatively with us to provide additional information. Following the following the money trail, we received confirmation that the threat actor's bounty was linked to an account that financially benefited a then hacker one employee analysis of the threat actor's network.

Leo Laporte / Steve GIbson (00:34:25):
Traffic provided supplemental evidence connecting the threat actor's primary and their sock puppet accounts. We identified seven customers who received direct communication from the threat actor. We notified each of the customers of our investigation and asked for information related to their interactions. We are grateful for their involvement in our investigation, and we thank them for their willing cooperation facts shared from their own investigations, corroborated the conclusion from our investigation and allowed us to act more quickly. We've issued platform bans for the employees known hacker one accounts. We've terminated the employee for violating our values, culture, policies, and contracts, subject to review with counsel, we will decide whether criminal referral of this matter is appropriate. We continue forensic analysis on the logs produced and devices used by the former employee. We're reaching out to other bug bounty platforms to share details in case their customers receive similar communications from R Z L R.

Leo Laporte / Steve GIbson (00:35:42):
That was the handle used by this guy, the suck, the sock puppet account R Z L R. The threat actor's motives appear to be purely financial in nature. The threat actor had access to hacker one systems between April 4th and June 23rd, 2022. So not a long term employee, somebody that they hired at the beginning of April who went south or sour pretty quickly, maybe that was the entire intent of the employment was to get on the inside and then, you know, grab these things and try to get additional bounty payments. So insider threats are always a real possibility. The best outcome is to prevent them from happening in the first place. But if they do anyway, it's clear that having extensive previous access and traffic logging becomes invaluable for post incident forensics and casually disclosing through, you know, water cooler conversation that such logging is always being done can go a long way toward preventing such abuse in the first place.

Leo Laporte / Steve GIbson (00:37:00):
We've talked a lot about the fact that while no one likes the idea of being watched and their activities being logged and enterprises network and the traffic it carries is not the sovereign property of its employees. It belongs to the corporation. So a casual reminder of the fact that what's done on the enterprises network is being monitored can go a long way toward preventing such abuse from occurring. And Leo let's take a break. I'm going to prevent further abuse of my vocal cord <laugh> by giving them a bit of hydration, no hydration we're going here. No, we're, we're gonna use some of our closing the loop feedback from our listeners to bring us into some interesting discussions. Great, awesome. I look forward to it, but first a word from our sponsor, the great folks at it, pro TV, your it team needs the skills and knowledge to ensure your business is a success.

Leo Laporte / Steve GIbson (00:38:02):
And with it pro TV, more than 80% of users who start a video, actually finish it. They're gonna love it. It pro TV is engaging. Your team will enjoy learning on their platform. And after all, isn't that a key to success. You could sign 'em up. You could assign them courses, but if they don't enjoy doing it, it ain't gonna work. Give your team the tools they need to make your business thrive. Courses are entertaining. They're binge worthy. Keeping your team interested, invested in learning. The tech industry is constantly changing involving rapidly. So your team needs constant training, right? Get re-certified get new skills, learn new versions of software, a new software release, a system upgrade, or a cyber threat faces your business. It pro TV will give you the training. Your employees need to handle these disruptions. Why is it pro TV, right for your business?

Leo Laporte / Steve GIbson (00:38:57):
Well, you'll get all your training and certifications for your team done in one place. They've got every vendor, every skill you need for it. Team training from Microsoft, it training to Cisco Linux, apples, security cloud. So much more 5,800 hours, total all brand new, all fresh. They keep it fresh all the time. They're always recording. They have seven studios running all day, Monday through Friday to make sure that that content is sparkling fresh, 5,800 hours worth ranging from technical skills to compliance. Even to soft skills, you can do so much with an it pro TV business plan. You could track your team's results, manage your seats, assign and unassigned team members, access monthly usage reports. So, you know, you're getting the ROI. You can see metrics like logins, viewing, time tracks completed, and more. It makes it very easy to manage the teams. You can, you can create subsets of users by providing them with a customized assignment, monitoring progress and reporting on usage of the platform.

Leo Laporte / Steve GIbson (00:39:56):
Assignments can be full courses or individual episodes within courses. All episodes are 20 to 30 minutes long. So it's a great thing to have for, for break time for lunchtime and employees enjoy it so much. They're glad to do it. They love doing it. Advanced reporting too gives you immediate insight into your team's viewing patterns and progress over any period of time with visual reports that make it easy to, you know, send upstairs to the C-suite. So they know that you, you know, you're getting the right training and it's working. And of course, as always, we talk about it pro TV's individual plans. They're still there. In fact, you could still get a huge 30% discount when you use the offer code SN 30, just whisper it in the year of your it pro TV account, executive 30% off or more on a business plan for teams from two to a thousand volume discounts, start at five seats, give your team the it development platform.

Leo Laporte / Steve GIbson (00:40:51):
They deserve to level up their skills while enjoying the journey it Now, again, that offer code SN three, zero SN 30% offer more on a business plan, 30% off on consumer plans for as long as you stay active it Now we love 'em. They're great people and they do a great, great job almost as good as this guy right here. Steve gives <laugh> now fully hydrated, a different job. Yes. Hydrated. So <laugh> someone on Twitter calling himself relief, Twitter. He said at SG GRC, I thought of you today. When I re, when I reached around to the back of my computer, well, my back, the back of my computer tower, he says, yes, I still have one to plug in a USB, a cable. There is a USB 3.0 expansion card back there. And I know the orientation of the ports from years of experience.

Leo Laporte / Steve GIbson (00:41:59):
I thought, I know for sure, this port is upside down time to prove Gibson wrong <laugh> but then, but then as I turned the plug to the correct orientation, as I knew it to be, I noticed that the cable seemed to want to lay oh, in a, in an unnatural way. Didn't like it, that I, that I had not noticed when it had been connected, last neck did last. This caused me to doubt my own certainty. So I turned it over the cable lay more naturally this way, shaking my head. I thought maybe it's time to prove Gibson. Right? <laugh> he said, I move to plug it in and sure enough, it did not go in. I turned it over again. The way I had it first, the, I had it the first time and in it went, it seems that even when I know the correct orientation, the bug in the simulation introduces a chaotic variable to make me wrong.

Leo Laporte / Steve GIbson (00:43:07):
The, to make me wrong way the first time. Anyway. Wow. So I'm just saying, there you go. Or it's Schroer's USB T that could be that as well. That's right. Yes. Yes. There actually, we did have I think I shared it a couple weeks. A couple weeks ago. Yeah. Yeah. The, no, the notion of it existing in both states. Yes. Until you observe it and exactly, you know, attempt to plug it in and then it says, oh no, no, no, no, not so fast. <Laugh> so Stephan bang he said, I rarely have the chance to bring something useful to the table, but I have some insights to the OT, operational technology subject of last week, which I hope will not waste your time. And I also think I can fix reality for you. He said, so regarding operational technology said, I work as a developer in the OT business in Denmark.

Leo Laporte / Steve GIbson (00:44:04):
And I think it makes a lot of sense that OT protocols are insecure. They should be most protocols like Modbus over TCP, or backnet over IP are really old from the seventies and eighties. He says, RS 4 85 protocols that have been made to work over ethernet. These protocols don't use any authentication and backnet IP is even a UDP protocol, but they're fast and reliable. And if I need to close a valve in order for heat exchanger to not explode, I'd rather have it be insecure on a local isolated network. Then have people hurt because a certificate had expired and no one had noticed the control units are also probably insecure because they are rarely updated. Most OT controllers are installed and forgotten in kindergartens and homes and such. They don't need to be secure if they're not accessible from the internet, because if you have physical access to the device, then it's easier to pull the plug on the pump than to break into the system.

Leo Laporte / Steve GIbson (00:45:23):
When an OT system is accessible from the internet, it is often through a supervisory system on a server. The server is likely to be located in the cloud or on-prem at a service partner. Like the company I work for. He said, the sec, the security of the supervisory system is easier to maintain as the server can auto update. And the firewall only needs to allow HTTPS traffic. A site to site server VPN will eliminate any protocol insecurities and is much easier to maintain instead of securing and maintaining the security of every SCADA protocol, renewing certificates, securing private keys and so on. He says a quota wise, man, security is hard and complexity is the enemy of security. He said by using a VPN, the only things that need to be secure is the VPN and the web server of the supervisory system. This is easier and much less complex than securing every single OT protocol as there are a lot of them.

Leo Laporte / Steve GIbson (00:46:34):
And then he just finished on his fixing reality. For me, he said regarding reality, I don't think the simulation is broken. I think the person who writes and maintains the simulation listens to security now. Oh, that would be a nightmare. Yeah. Oh my God. The reason why you need to turn the us B a plug three to four times for it to be allowed to enter the socket is because you need to brute force the physical port knocking sequence of the us B a socket. Yeah. So apparently if that's the case, it is a security now listening, simulating overloading. Yeah. That's right. Okay. So the trouble with operational technology over IP is that it's a classic case of convenience, trumping security. I completely agree with Stephan, but worrying about things like expiring certificates is a nightmare. But I think that the proper way to think about security is that it's the cost that's incurred when any non IP technology wants to become an IP technology that shares the Internet's inherently ratable IP network.

Leo Laporte / Steve GIbson (00:48:03):
And now, you know, I, I heard what stehan said. I get it that in, in his mind sequestering, a local or a private network behind a firewall or behind a VPN or behind an HTTP only an H C D PS server is the solution. But you know, those packets want to get out Leo. They want, they, they want to be free. Dana wants to be free. Yeah. Yeah. Yes. And they're gonna, they're gonna find a way just like those Jurassic park dinosaurs that were all female, they somehow they reproduce anyway, you know, there NA nature will find a way. So the problem is that that the global insecure network is IP. You know, while that pressure regulating valve was using the RS 4 85 protocol for its signaling, it was speaking an entirely different language and was fundamentally inaccessible to hackers in Russia. You know, computer users are more familiar with RS, 2 30, 2 RS, 4 85 is closely related.

Leo Laporte / Steve GIbson (00:49:27):
It used differential signaling, meaning that two wires, rather than one were used where the data was contained in the difference in the voltage, on the two wires, rather than their absolute voltages. This creates a great deal of environmental, electrical, and magnetic noise immunity which could be a problem in heavy in industrial environments. And whereas RS 2 32 is a simple point to point system RS 4 85 uses device addressing to allow multiple devices to share a so-called multi drop connection. So it was a very early form of a serial bus architecture. So it existed, it was secure. There's no way any, I mean, you know, it didn't use packets, so they couldn't have escaped it. They wanted to cuz there weren't any, but the world back then was suddenly flooded with ethernet cabling and ethernet switches and routers whose cost dropped to near nothing as high manufacturing, volumes and massive inter vendor competition fought for market share.

Leo Laporte / Steve GIbson (00:50:46):
Wired ethernet is also a highly noise immune differential signaling system. So it only made sense to move to it. However, it wasn't absolutely necessary to also move to IP. Other non routable IP protocols. Remember net, what was it? UDP the, no, no. I'm thinking that other Noel Noel had a yeah. You know, Noel net networking was on ethernet. It just wasn't IP. So, you know, you could have had all of the advantages of all of those economies of scale without using a protocol that could escape. So other non Roundtable, non IP protocols have been carried over ethernet and they would've been a far safer choice, but ultimately being non IP protocols, they too would've suffered the same fate as non ethernet RS 4 85 by ultimately being more expensive to deploy because they were in any way different from the IP technology that has completely overtaken the world.

Leo Laporte / Steve GIbson (00:52:08):
There was, I mean, I agree there was probably no way to resist the allure of that near zero cost. Okay. But now our mission critical pressure regulating valves are actually connected to and potentially reachable from Russia. And remember as con the, you know, was famously heard to say in the second, in, in the second star Trek movie, when he was explaining why Kirk didn't raise his own ships' shields, he said, we're all one big happy Federation. <Laugh> just before he blew the crap out of Kirk's ship chip God now with operational technology systems supporting IP protocols, we're all one big happy global network. What could possibly go wrong? Yeah. Yeah. <Laugh> so there is a simple and elegant solution to this. I've mentioned this a few times in the past when it has, when its application has been appropriate. And, but it just sort of like deriving one, like deriving all of websites, pass keys from a single master key rather than just using random number generators.

Leo Laporte / Steve GIbson (00:53:40):
Yeah. Okay. The same IP technology that creates this problem in the first place offers a solution operational technology equipment, or for that matter, any equipment that doesn't want or need to be reachable from across the globe. That is that that is designed for local network access only simply needs to set the TTL value of the packets. They emit to a very low number. The absolutely universally honored fact of IP packet routing is that every router which encounters any IP packet, first decrements the packets, incoming TTL, its time to live value, which is contained at the, in the header of that packet. If that TTL decrements two zero, meaning if it was one, when it arrived at the router, the router decrements that it hits zero, no router on the internet will forward that packet period. Nothing would kill the internet faster than packets, which refused to die.

Leo Laporte / Steve GIbson (00:55:06):
So every router honors that requirement before any other, therefore the simple expedient of emitting packets with a TTL of say two or three, just to be safe, will never affect any local networking use of such equipment while at the same time, flatly, elegantly, and completely preventing them from ever reaching foreign soil. This use of deliberately short TTLs is something as I, as I said, that never seems to gain any traction, but it's a beautiful solution when adding another security fail safe to a system might be useful, especially when you've got a system designed for local only use and its packets should never be allowed to escape. Just, you know, right. In fact, we talked about this a long time ago because there was a time when TTLs were set to 32, just sort of arbitrarily early on is that seconds. And no, it, it it's it's hops 30 twos hop hops Uhhuh.

Leo Laporte / Steve GIbson (00:56:19):
So, so for example, when, when we do a trace route, the way the trace route works is it deliberately sends out a packet with a TTL of one, which, which is returned by the router that rejects it. And that's what we get that router's IP. Then it sends a packet with a TTL of two. So that first router says, okay, fine, it's got some time left and forwards it to the second router, which decrements the TTL from one, which the first router set it to, to zero, which the second router set it to. Now it dies at the second router. So that second router sends back a sorry your packet died. So by successively emitting packets with greater and greater TTLs, we're able to trace or trace route the, the, the, the router to router hops, that packets take. And so, so it wasn't, there was a point during this podcast, cuz I remember we talked about it where packets were just, you know, our operating systems were, were the, the TCP P I P stacks set the IP TTLs to 32.

Leo Laporte / Steve GIbson (00:57:30):
And because it was just, you know, it was a nice number that engineers tend to use two to the power of five and that should be plenty. Right. then the internet net kept getting bigger and bigger and more and more ISPs got sort of like shimmed in between others. And what happened was the so-called the, the transit diameter of the internet in some locations became greater than 32. There were, there were two points on the internet greater than 32 hops apart and they were unreachable to each other. And so it was necessary to go, oops. And it just simply we doubled the the the TTL to 64 or in some cases it went to 1 27 or 2 55 because it it's an eight bit count. It doesn't take up very much space in, at the front of the packet, just a little eight bit header or AIT field and it gets decrement. And so if these systems that never wanted to allow anyone in Russia or China to get ahold of them, even if the firewall fails, even if a flaw is found in the web server that they're hiding behind, then just emit packets with a TTL of two or three and they can't get out. They can't go far, but far as I know, it's never been done for security and it would've been a, you know, I'm a belt and suspenders person. And so it would make sense to do that.

Leo Laporte / Steve GIbson (00:59:10):
Dr. Nathan P. Gibson got another, he said another tweet that I thought was actually, it gave me a perfect segue. He said, I haven't gotten into smart home devices among other reasons, because of all the security issues you talk about with them. I was wondering about two things and I quoted the first of those two. He said, when you talk about isolating your smart home network from your internet network, it sounds like a lot of work. Are there any secure, smart home hubs that can do this for you? For example, you talk about, he says, you talk to the hub on your regular network, but it sets up another air gapped network and talks to the other devices on that. He says, my Fritz box router actually has a setting for smart home devices, but I'm not really sure what it does. Well, my feeling is that we are still on the don't have it yet side of the smart home compatibility revolution.

Leo Laporte / Steve GIbson (01:00:16):
So I haven't yet invested in any single vendor's hub technology because they've all been hoping to own the market for themselves, you know, reminiscent of not syncing pass keys across vendors. So I have currently I have individual Hubli O T wifi devices running on their own isolated guest T network courtesy of my Asus router, which offers up to four individual isolated guest networks, no matter how the T market sorts itself out, I would strongly recommend that anyone who purchases at, from this point forward a wifi access point or router in the future, be certain that it supports isolated guest wifi networks. That just it's a terrific technology. And it's just trivial to set up, you just turn on a guest network, give it its own you know, S S I D, and password, and, and then click a check box. Typically that, that where you affirm that you do not want this network to have any access to the other land networks, wifi, or wired, and it becomes isolated.

Leo Laporte / Steve GIbson (01:01:37):
Now, all that said there is encouraging news on the O T home front last summer, Ben Patterson for tech hive wrote we've been eagerly awaiting the arrival of matter, the new open source and platform unifying standard that promises to make our various smart home devices play nicer with each other. And now comes word that will have to wait a little longer. Initially the connected standards Alliance at CSA formerly the ZigBee Alliance had announced that we might see the first matter enabled smart products by the end of the year. But as Stacey Higginbotham at Stacey on O T reports, I know her yes, we do. The CSA now says that a software development kit for matter, won't be finalized until the first half of 2022, which means the first mattered devices won't arrive until sometime next year. Well, he was writing this in August of 2021.

Leo Laporte / Steve GIbson (01:02:52):
So he's saying this year 2022 in a release announcing the delay CSAs, and that's again, the connected standards, alliances CEO, Tobin Richardson cited, the quote need to get it right words, dear, to me, in terms of ensuring the upcoming matter, specification on SDK are stable deployable at scale and meet market expectations for quality and interoperability, you know, amen to all of that. According to Stacy CSAs CEO, Tobin Richardson also blamed the resurgence of COVID as well as the addition of nearly 30, 30, more companies to the matter group formerly known as project chip C H I P, which stood for connected home over IP matter is an IP based protocol. That's compatible with wifi, ethernet and thread matter has the backing of some of the biggest names in the smart home market, including Amazon, Google signify. I didn't see apple, but I Apple's name is somewhere signify is the owner of the Phillips hue, smart lighting brand.

Leo Laporte / Steve GIbson (01:04:21):
And Samsung's smart things. Last month, Amazon announced that all of its current Alexa enabled echo speakers and displays will support matter while Google had previously said its nest speakers and displays will support matter. Also Apple's home pod mini comes with its own integrated matter radio. So it looks like Apple's on board too matter promises to unify the Thicke of competing smart home platforms. As matter certified devices will be able to recognize each other and work seamlessly together across different ecosystems, including Apple's home kit, Amazon's Alexa and Google's assistant powered nest platform. In other words, if you buy a matter certified smart gadget, you ideally will be able to control it with Alexa, Google assistant, and Siri, and it should also work with any other matter enabled devices you own. That's a welcome prospect. He finishes for anyone who's pulled their hair out, trying to make different makes and models of smart home devices work well together for now.

Leo Laporte / Steve GIbson (01:05:33):
However, it looks like we'll have to keep co co codling. Oh yeah. Codling are stubborn, smart gadgets. You wrote it, dude end the year <laugh> <laugh> and probably even longer. So, oh, I did also note that DigiCert and we mosts names were also associated with matter and WikiEd had just had this to say, they said matter formally project connected home over IP C H I P is a royalty free home automation, connectivity standard with manufacturers only incurring certification costs. So using it costs nothing. Thank God. And that gives it a chance to be the chosen solution announced on December 18th, 2019 matter aims to reduce fragmentation across different vendors and achieve interoperability among smart home devices and internet of things. Platforms from different providers. Wikipedia says the project group was launched and introduced by Amazon, apple, Google Comcast, and the Zigby Alliance now called the connectivity standards Alliance CSA.

Leo Laporte / Steve GIbson (01:06:45):
And then they said, subsequent members include Ikea Wawe and Schneider matter compatible products and software updates for existing products are expected to be released in 2022. Although the matter code repository is open source under the Apache license, the matter specification is licensed by the CSA. So the connectivity standards Alliance for anyone who is interested, again, CSA, hyphen And this couldn't be better news. It sounds like we'll be needing to do a podcast on this soon. And of course I won't be able to resist titling it what's the matter. Oh, we've been talking about matter for quite some time. Of course, Stacy is all over it. Yep. But this is good. I'm glad they're starting to make some progress instead of just being a, you know, empty suits and, and a hope. Yeah. Yes. Yeah. So that's really great. I mean, basically that's what we've been waiting for.

Leo Laporte / Steve GIbson (01:07:49):
I, I would not move to a single, I mean, a hub based solution is gonna be better because it's gonna integrate much more tightly with your other devices and potentially solve the security problem. I mean, it's, it is nervewracking knowing that my individual light switches and, and, and smart plugs each establish a persistent connection to China. That's just like, you know, that's, that's not what you want. Yeah. So having them instead connect to a, to a centralized hub from some, some from a security conscious company like apple, Google, or Amazon, that's a way better solution. So looks like that's gonna happen soon. And you know, couldn't happen soon enough. Yay. Ivid neon. He, he tweeted, he said, Hey, Steve, I have a question about pass keys. Why would I want my pass keys on my PC at all? Isn't the whole point to keep the keys on the phone with its high security chip and use that to log on.

Leo Laporte / Steve GIbson (01:08:58):
If so he says, so if someone hacks the PC, they won't get any past keys and Ivan, that's a good point. And it's potentially true. I'm not sure how I'll come down on this issue at the moment. For example, I have all of my T O T P second factor time varying keys on an iPhone that I have sitting next to me. I use the iOS app OTP space off, which I like a lot. So obtaining a token for me takes little time. We're gonna need to see how the flow works with smartphone cross device authentication. This was of course the original mode for squirrel. When I first described squirrel to this podcast's audience squirrel S QR L stood for secure QR code login, which was back then a novel concept. And of course we Rena, we later renamed it secure, quick, reliable login as its application space expanded.

Leo Laporte / Steve GIbson (01:10:10):
And we saw something like that in Apple's presentation, though, all the mechanics were not exactly clear. So if it's super easy to present a website's 5 0 2 Q QR code, whatever it is that it's showing to a smartphone to then have the smartphone authenticate the user, that indeed might be sufficient. And for many people ideal and perhaps we'd, for example, only have our PCs storing pass keys that are less critical and keep the, you know, like our banking pass keys on a non shared environment. So anyway, we don't know yet. We'll need to see how all this shakes out. And the good news is we'll probably have a couple years to <laugh> to, to wait for all that to happen. Jonathan tweeted he says, he, he said noted that he notes that math geeks make difficult customers <laugh>. And he pointed me to a tweet thread, the tweet thread read, I ordered a nine inch personal pizza.

Leo Laporte / Steve GIbson (01:11:25):
After a while the waiter brought two, five inch pizzas and said the nine inch pizza was not available. So he was giving me two, five inch pizzas instead. And then I was getting one inch more for free five plus five equals not 10. That that's right, baby. Of course we know where this is going. Yes, <laugh> the person tweeting. This said, I requested the waiter to call the owner over. I showed the owner the mathematical formula to calculate the area of a circle. As we know the area of a circle is pie times are squared and you'll, don't actually need to know about pie. You could sort of throw that out, right? You could just use R squared, but this tweet thread says, so the area of a nine inch pizza is 63.62 square inches, or is a five inch pizza has only 19.6, three square inches.

Leo Laporte / Steve GIbson (01:12:25):
The two, five inch pizzas together. Add up to 39.2, six square inches. I said to the owner that even if he gave me three, five inch pizzas, <laugh> I would still be losing out. Ah, his guy is absolutely math litter. I love it. So not the owner, obviously. How can you, right. Or, or, or the server? Yeah. How can you say you're giving me an extra inch for free. I bet it fools everybody except this guy. Absolutely. Yeah, the, yep. The owner was speechless and he says, and gave me four, five inch pizzas. Happy ending, happy ending. That's that's great. And really, as we know, you can do the math easily in your head cuz you can, you could ignore the pie and just do R squared because that's all you really cared about. You're talking about sit there. Yeah. That's right, exactly. Although you could say that pizza is a pie Uhhuh, so there is that and well, you know, yes.

Leo Laporte / Steve GIbson (01:13:25):
Yeah. <Laugh>, you know, we're headed. <Laugh> okay. We're headed to our final sponsor. And then we're gonna talk about the hard to pronounce Zu rat. So Zuzu rat, Zuzu rat. It's all right. Our show today. Thank you. Steve brought to you by Tanium. One of those companies that is really disrupting its space, the industry's approach to cyber security, as you probably gathered, as you listen to this show is fundamentally flawed. It management and security point tools only offer a small piece of the solution needed to protect your environment. Many of them, you know, promise they can stop all breaches. They, they, they just can't making decisions based on stale data, trying to defend your critical assets from cyber attack, with tools that don't communicate with one another, no way for it teams to navigate today's attack surface. You know, by now you need something better.

Leo Laporte / Steve GIbson (01:14:24):
You need a different approach. You need Tanium. Tanium says it's time for a convergence of tools, endpoints and it operations and security. They have solutions for government entities, education, financial services, retail, healthcare. You could trust their solutions for every workflow that relies on endpoint data. And you know what workflows don't with Tanium, you get asset discovery and inventory so you can track down every it asset you own instantaneously, but that's not all you guess get risk and compliance management. You could find and fix vulnerabilities at scale and seconds, you get threat hunting. You can hunt for sophisticated adversaries. In real time, you get client management. Of course you need that automate operations from discovery to management and you need sensitive data monitoring that can index and monitor sensitive data globally. In seconds. Tanium, you've heard the name. I'm sure protects organizations where other endpoint management and security providers have, have just utterly failed with one platform.

Leo Laporte / Steve GIbson (01:15:28):
Tanium identifies where all your data is across your entire it estate patches. Every device you own in seconds, implements critical security controls all from a single pain of glass. Just ask Kevin Bush. He's vice president of it at ring power Corp. He says quotatium brings visibility to one screen for our whole team. If you don't have that kind of visibility, you're not gonna be able to sleep at night. I presume Kevin is sleeping soundly every night because yes, with real time data comes real time impact. If you're ready to unite operations and security teams with a single source of truth and confidently protect your organization from cyber threats, it's time you met Tanium T a N I U M break down those silos between operations and security. One, one pan of glass. You could see it all to learn more. Visit T a N I U M

Leo Laporte / Steve GIbson (01:16:29):
We thank of so much for their support of security. Now with Mr. G you support us too, by the way. And it's very important when you use that address. So don't just go to, go to Very, very important. Now let's talk about sewer rats <laugh> yes, last Tuesday, black Lotus labs, which is the threat intelligence arm of lumen technologies, which is, was formally known as CenturyLink. They've been tracking elements of what they say appears to be a sophisticated campaign, leveraging infected Soho, you know, small office home office routers to target predominantly Northern America and European networks of interest. So generically rats, remote access Trojans are a dime a dozen, and wouldn't usually command much of this podcast's prolonged attention. But in one of those kind of it's obvious after the fact that this would happen. Disclosures black Lotus labs revealed that they had uncovered a complex campaign that had gone undetected for nearly two years.

Leo Laporte / Steve GIbson (01:17:47):
And that the trigger for the campaign was apparently the COVID driven shift to working from home, how to remote well financed nation, state, actor, bad guys get into well protected corporate networks. They enter through the avenue of lease protection and resistance, less secured remote employee networks. And from there they pivot onto the corporate land or as black Lotus explained, quote Otis explained the rapid shift to remote work in spring of 2020, presented a fresh opportunity for threat actors to subvert traditional defense in depth protections by targeting the weakest points of the new network perimeter devices, which are routinely purchased by consumers, but rarely monitored or patched small office home office Soho routers actors can leverage Soho router access to maintain a low detection presence on the target network and exploit sensitive information. Trans excuse me, transiting the land black Lotus labs is currently tracking elements of what appears to be as sophisticated campaign leveraging infected Soho routers to target predominantly north American and European networks of interest.

Leo Laporte / Steve GIbson (01:19:27):
We identified a multi-stage remote access Trojan rat developed for Soho devices that grants the actor, the ability to pivot into the local network and gain access to additional systems on the land by hijacking network communications to maintain an undetected foothold. While we currently have a narrow view of the full extent of the actor's capabilities due to the limited state of Soho device monitoring in general, using proprietary telemetry from the lumen global IP backbone, we've enumerated some of the command and control infrastructure associated with this activity and identified some of the targets we assess with high confidence. The elements we are tracking are part of a broader campaign. Okay. So some powers of darkness realized early in the COVID lockdown that large numbers of employees of north American and European enterprises would begin working from home. And that many of those employees would be inherently weakening their employer's security by effectively extending their previously well curated and secured network out into the periphery.

Leo Laporte / Steve GIbson (01:20:59):
Of course, this also occurred to many of those enterprises whose employees suddenly needed to have access to corporate resources, which were once protected by virtue of having everyone physically located within the same internal land. And we talked about this at the time that this sudden workforce migration to home was going to be straining enterprise security. Obviously this occurred to others as well. Zoo rat may not have been explicitly and expressly created to fulfill this agenda, but it appears to have been perfectly designed for this role. The campaign consists of several components. There's the first stage rat that was developed specifically for Soho routers. We'll come back to take a close look at that in a minute. There's also a simple loader for windows machines, which was compiled in C plus plus. And then third, there are three separate, fully functional agents, which the rat and the windows loader, which is just a simple remote file retriever downloads.

Leo Laporte / Steve GIbson (01:22:17):
And that's the there, there are three fully functional agents, two of which were custom developed. And the one that isn't is the well known cobalt strike beacon, which we previously discover previously covered in some detail together and independently. These full function agents allow for full enumeration of the infected device downloading and uploading of files, network communication, hijacking process injection, and more. And I'll go into those also in some detail in a minute. So this Zo rat is a MIPS chip file compiled for the MIPS chip, which will run on routers from Asus, Cisco Dray, tech, net gear, and others. It can that executable can enumerate a host and the internal land capture packets being transmitted over the infected device and perform man in the middle attacks, including DNS and HTTPS hijacking driven by predefined and actually softly defined rules. We've often talked about the threat and power of deliberate DNS corruption.

Leo Laporte / Steve GIbson (01:23:43):
As we know, DNS still transit over unsecured and unencrypted UDP packets. The reason Dan Kamenski was able to get the entire internet to update DNS overnight when he realized and quietly shared how I at least shared how vulnerable, how vulnerable it was to spoofing was because DNS really has no other protection than relying upon the Goodwill and good behavior of all the interconnecting networks. Therefore, if malware is able to set up shop on the router, that's linking a residential land to the internet, a great deal of mischief and damage can be done. Black Lotus notes, that what they found surprised them because attacks as severe as these true DNS and HTTPS hijacking have mostly been theoretical and remain rare. This is what they wrote. They said while cons while comprising, I'm sorry. While compromising Soho routers as an access vector to gain access to an adjacent land is not a novel technique.

Leo Laporte / Steve GIbson (01:25:07):
It has seldom been reported. Similarly, reports of man in the middle style attacks such as DNS and HTTP, hijacking are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor indicating that this campaign was possibly performed by a state sponsored organization. Mm. Now notice that when we talk about certificate spoofing, it's one of the concerns is that our computers now trust so many certificate authorities, including foreign actor. Yeah. I mean like foreign state certificate authorities. So, so the reason we are not that worried is that the IP, we assume that the IP address we are getting from DNS is correct. So even though a foreign actor, a foreign state could produce a certificate for some high profile website, like say Facebook or a bank, our traffic will go to the bank.

Leo Laporte / Steve GIbson (01:26:37):
So it doesn't matter. I mean, we're not gonna believe, you know, we're, we're still gonna get the bank certificate. But if you combine the ability of a high level state actor to create certificates with the ability for them to change the IP address, that your DNS lookups return, which is exactly what this thing does now, you think you're connecting to your bank, you're instead connecting to a server elsewhere, which has a certificate not issued for the bank, but issued under the bank's name for a foreign actor. And you, so your browser's happy, no alerts are shown and you are completely compromised. Everything you do on that site is decrypted at that location and can be relayed anywhere. Hmm. So, so it's a serious attack. When, when you get somebody who has the ability either directly or indirectly to get certificates, who's also able to redirect traffic.

Leo Laporte / Steve GIbson (01:27:54):
They said the windows loader that was analyzed, reach out to obtain a remote resource and then ran it on the host machine. They assessed that it was used to load one of those three functionally second stage agents. And the one that was chosen dependent upon the environment, there was something known as C beacon, which was a customized developed rat written in C plus plus, which had the ability to upload and download files, run arbitrary commands on the machine where it was installed and persist on the infected machine, through a component object model, you know, calm hijacking method. Well, the fact that it's calm means that it's windows only and C beacon was windows only, however, go beacon. The second of those three is a custom developed rat written and go. This Trojan had almost the same functionality as sea beacon, but also allowed for cross compiling on Linux and Mac OS devices.

Leo Laporte / Steve GIbson (01:29:01):
So that, that one was used to infect non windows, Linux, and Mac OS. And then finally the third one cobalt strike. They said, we observed that in some cases, this readily available remote access framework was used in lieu of either sea beacon or go beacon. They said analysis of multiple windows samples revealed the consistent use of the same program database that's PDB is one of the, is an internal Microsoft development term. They said some of which contained Chinese characters while others referenced a possible name or Chinese locality. So strong evidence that this was that this was Chinese in origin. Although, you know, you could have a false flag operation too. Additionally, there was a second set of actor controlled command and control infrastructure used to interact with the windows rats that was hosted on internet services from China based organizations, Alibaba and Tencent given the age of the first observed router sample, which was first submitted to virus total in December of 2020, as well as a sampling from black Lotus labs telemetry over a period of nine months, they said, we estimate this multi-year campaign has impacted at least 88, 0 specific targets likely many more.

Leo Laporte / Steve GIbson (01:30:37):
And that was one of the problems was, you know, they recognized that due to the structure of this system, they didn't have visibility into everything that was going on. These are individual Soho routers. So how are they ever gonna see what's going on? Well, one of the things they could do because they are, they are lumen, which is century link. Thus a tier one backbone provider is they can look at the traffic that at least their own backbone is carrying, which will certainly, it's far short of the global internet, but it's a big chunk of smaller ISPs who, who buy their bandwidth from century link now lumen. So by if they, for example, if they see one compromise Soho router connecting to a specific command and control server at a given IP, they can then look for all other traffic connecting to that IP and see what they can learn from it.

Leo Laporte / Steve GIbson (01:31:42):
So, you know, they are in a, in a privileged location by being a, such a large tier one provider. They said during their invest of actually, I said that during their investigation of Z rat's activity they observed telemetry in indicating infection stemming from numerous Soho router manufacturers, including as I noted Asus, Cisco Dray tech and net gear, but they were less lucky in capturing any actual running code on those. They were only able to obtain the exploit script for a model Q 20 of a router manufactured by a company C or sorry, J C G. So it was the JC G hyphen Q 20. In that case, the actor was found to be exploiting known CVEs 20, 20, 26, 8 78 and 26, 8 79 by using a Python compiled windows XE that referenced a proof of concept called ruckus 1 51 0 2 1 P Y Python script. So I looked and I found that Python proof of concept over on GitHub from before it had been weaponized and it obtained the credentials and well, it, it was weaponized to then obtain credentials and to load zoo rat the weaponized script first performed a command line injection to obtain authentication material.

Leo Laporte / Steve GIbson (01:33:24):
Then it used the output from the command line injection, namely that authentication material to authenticate itself in order to bypass the, the, you know, you know, in order to, to get the access that it was looking for. So this chain of vulnerabilities allowed the actor to download a binary onto that router, then execute it in order to gain the access. They wanted the script that they were able to obtain contained four functions. There was one called get password, which sent a SP a specifically format request to the remote host requesting its password. There was get login sys off exec command and tell net basically a little toolkit providing everything that they needed. The final stage of the exploit script downloaded the Zo rat agent framework. That framework enables in depth, reconnaissance of target networks, traffic collection, and network communication hijacking. And that that can be divided into two components.

Leo Laporte / Steve GIbson (01:34:41):
The first contains functions that would auto run upon execution of the file. The second component contains functions and 2,500 of them believe it or not, that were embedded into the file, but were not explicitly called black Lotus believes that these additional functions were intended to be called by additional commands. And they wondered why are some active and some appear to just be along for the ride. It appears that this Zo rat was a heavily modified version of the Marai malware, which of course was a, a, a strain of ma of ransomware that we've talked about before. So the core functionality of that first component, it was designed to obtain information about the router and its locally connected land to enable packet capture of network traffic. And to send the information back to the, the command and control servers, black Lotus believed that its purpose was to acclimate the threat actor to the targeted router.

Leo Laporte / Steve GIbson (01:35:48):
They landed on as well as the contents of the router adjacent land to determine whether or not there's anything worthy of further exploitation. You know, I mean, they don't know anything about the router that, that they've managed to get into. They've gotta look around and decide whether they wanna spend any more time there. The capabilities included functions to ensure only a single instance of the agent was present and to perform a memory dump that could yield useful data in memory, such as credentials, routing tables IP tables and so forth. The file was initially executed by the threat actor via the command line, specifying an IP address and port for the command and control node. So that, so it would execute the command and say, send this package of information to this IP and port, if the IP and port was not provided in the exploit script, the Z rat code contained a default command and control host name listed as, which was a domain originally purchased in October of 2020.

Leo Laporte / Steve GIbson (01:37:03):
So coincident with the first development of all this upon execution, the agent would launch a new process with a randomly generated 32 character string using the character's a through Z and zero through nine. Next it gathered host based information by running the you name command to send to the command and control server. It also attempted to gather the router's public IP address by querying the following web services. It would, it would query what is my Ient.Me, my IP, DNS Omatic <laugh> dot com and IP If Z rat was unable to obtain a public IP address, it would immediately delete itself and terminate under the assumption that it was being run in an isolated sandbox, probably being analyzed next Z rat would connect to the command and control server and attempt to bind a listen on port 48,000 1 0 1. If the bind failed because the port was already in use, it would also immediately terminate the current process to ensure that only a single instance of the Trojan was running on the compromised device, cuz you're not allowed to bind to locally bind two different applications to be listing on the same port cuz it's the binding that decides when a packet comes in, which which process will receive a notification and access to that packet.

Leo Laporte / Steve GIbson (01:38:49):
Z rat then used a scan function designed to survey the adjacent land's internal IP addresses. So it would do a, an internal scan of the entire, you know, behind the router land. It scanned for a hard coded list of open listening ports, including 21 22, 23 81 35, 1 39 and 4 43, 4 45, 8 0 8, 9 0 2 9 12 17 23, 23, 23 33 0 6 52 22 52 69, 52, 80 53 57, 80, 80, 84, 43 and 9,001. And I know that many of those ports are familiar to our listeners as they are. To me, it then performs an internal land scan of all machines on the land, across all the IPS. So in doing so it's on the trusted internal network. It's inherently trusted by windows firewall on those machines and able to bridge traffic from the external command and control to anywhere within the network, giving this thing a lot of power. And once that's done, Zula rat would send the reconnaissance information. It had obtained to the previously sub supplied command and control. If the connection was being established for the first time, it would occur over port 5, 5, 5 56.

Leo Laporte / Steve GIbson (01:40:35):
If the connection was being refreshed, communication switched to port 39, 500, and I have no idea why if the connection was successful, data would be transmitted. If errors were returned, the program would sleep and then repeat the attempt in a loop. And finally, in preparation for establishing network capture capabilities, zoo rat, allocated memory for increased performance allocated memory to itself for increased performance in order to have room to, to capture packets and also allocated a Tex SEMA four to ensure that only one instance would be running at a time. Then if initiated by subsequent commands, an array of network functions would allow the remote threat actor to collect network traffic on UDP, DNS, and some TCP connections where data might be sent in the clear.

Leo Laporte / Steve GIbson (01:41:37):
So anyway, we have a, a, a like breathtakingly sophisticated and severe and, and and serious remote access Trojan, which is, is designed to avoid detection in, in their in, in their write up. They also talked about something that we had talked about before, how rather than connecting directly to command and control servers, they also often bounced through innocent routers that were being used as simple IP proxies routers that have universal plug and play ports open are able to be asked to serve as public routers. And so the, the people behind this know where those routers are and they're able to set them up to, to bounce traffic through the router, making it much more difficult to, to track down the location of the command and control servers. So they are being, you know, very deliberately and carefully protected.

Leo Laporte / Steve GIbson (01:42:50):
They said based on their telemetry, they observed 23 devices maintaining a persistent connection to a single command and control server during September and October of 2021, all 23 devices were located in the us and Canada. The majority of IP addresses communicated with the command and control server over TCP port 9,000, but a few communicated over other ports, including 5 5, 5, 5, 6, 5, 5, 5, 5, 8 and 39,500, the device types, which were infected included, but were not limited to Cisco's RV three 20 Cisco's RV 3 25 and Cisco's RV four 20 Theus RT AC 68 U the, the Theus RT C five 30, the RT C 68 P and the RT AC 1900 U also a Dray tech V gore 3,900 and an unspecified bunch of net gear devices based upon their analysis of the router malware and their telemetry. The Trojan first attempted to establish a TCP connection over port 5, 5, 5 56.

Leo Laporte / Steve GIbson (01:44:17):
And as a noted above subsequent port or connections were made to port 39,500 may said more recently, they'd seen activity from a separate command and control 40, do 180 7, 1 31 on port 6, 6 66, which is occurring that was occurring from February 22nd, 2022 through May 16th, 2022. And that's been acting similarly. So anyway, the black Lotus report contained much more detail, but I'm sure that everyone now has a good idea how much work someone apparently in China has put into building deploying and maintaining a powerful network intrusion capability. And as not just theoretical, it is an active use in summarizing what they had what they had done black Lotus wrote though, advanced actors have long demonstrated the capability and intent to target sensitive networks. The industry has uncovered only a handful of router based malware, specifically designed to covertly, target them the sudden shift to remote work spurred by the pandemic allowed a sophisticated adversary to seize this opportunity to subvert the traditional defense in depth posture of many well-established organizations, the capabilities demonstrated in this campaign, gaining access to Soho devices of different makes and models, collecting host and land information to inform targeting sampling and hijacking network communications to gain potentially persistent access to inland devices and intentionally stealth command and control infrastructure leveraging multi-stage siloed router to router communications points to a highly sophisticated actor that we hypothesize has been living undetected on the edge of targeted networks for years.

Leo Laporte / Steve GIbson (01:46:32):
What <laugh> like the unit bomber, I mean, living on the, he not, not physically living on the edge, he's just, no, not all he's out there somewhere. Probably China, right? Yeah. Well, well they're on the edge of targeted networks, right? So, so they are in, they're in the Soho routers of employees right. Of major networks and they're, they are using that location to get into major enterprise networks. I get it. I get, yeah. So it's a stepping stone. Yeah. And it actually exists and it just like a sewer rat, just like a sewer rat, Leo living on the edge. Oh, wow. All right. I guess what can you do? What can we do? We can update our routers, I guess. Yes. I, I would say make sure that your routers are running the most recent firmware and running and, and, you know, re flashing the firmware when, you know, you've got good firmware that will clear them out of the file system. And, and then just, you know, make sure that your perimeter security is up. Yeah. Turn off any, you know, universal plug and play should never be bound yeah. To the land port. And remote management should never be turned on. Just, you know, find some other way to do it. Yeah.

Leo Laporte / Steve GIbson (01:47:59):
Well, it's a never ending litany of threats and that's why we love him. Steve Gibson, <laugh> If it weren't for him, you might not even know about it. Right. So you know, that's why you gotta listen every single week. You can get a copy of this show at Steve's site. In fact, he's got some unique copies, an eight kilobit version for the band with impaired. He also has the transcripts handcrafted by Elaine Ferris. Those are great for not only searching, but reading along while you listen all of that plus 64 kilobit audio while you're there pick up spin, right? Not too late to get versions, six of the world's best mass storage, maintenance and recovery utility. If you have drives, you need spin, right. Works on SSDs as well as hard drives 6.1 is coming soon and anybody will buy 6.0 now will get 6.1 as a free upgrade when that happens.

Leo Laporte / Steve GIbson (01:48:56):
Yep. There's also lots of other stuff there that Steve puts up for free. It's a really good site to browse around does rat hole does that term? God don't know. It's a rat hole rat hole. We even have a rat hole jingle somewhere, which I will not take your time up. Thank you. Digging up. You can also get copies of this show at our website, for security. Now there's a YouTube channel dedicated to security now, so you can watch it there, share it from there, which is a good way to share the video. If you wanna share it with somebody. And I know a lot of times there's stuff in here, you wanna tell people about raise the alarm as it were. You can also subscribe in your favorite podcast player. That's probably the best thing to do that way. You'll get it automatically.

Leo Laporte / Steve GIbson / Jason Howell (01:49:42):
The minute it's available, you won't miss an episode at all ever that way. And you can also leave us a five star review that way, which is very much appreciated. We record security now on Tuesdays at about one 30 Pacific five four 30 Eastern, 20, 30 UTC. You can watch us do it live if you wish or listen, If you want the very freshest version of security. Now, if you're watching or listening live chat, or in our discord chat room, open to club TWI members actually club TWIs, a great thing to get because you get ad free versions of all the shows you get the discord, you get the TWI plus feed a mere seven bucks a month. Just go to TWI. If you're interested, we thanks in advance. We really appreciate your support. I will be back next week with you, Steve. Yep. And I look forward to another exciting edition of security now, and we'll see you then. Thanks buddy. Bye. Ready? Bye. The world is changing rapidly so rapidly. In fact that it's hard to keep up. That's why Micah Sergeant and I, Jason Howell, talk with the people, Macon and breaking the tech news on tech news weekly. Every Thursday. They know these stories better than anyone. So why not get them to talk about it in their own words, subscribe to tech news weekly, and you won't miss a beat every Thursday at twit TV.

All Transcripts posts