Talk With a Friendly Human
Matt: You gotta stick your tongue out while you do that.
Attila: I'd rather stick my thong out.
Matt: My thong out, yeah.
You're listening to the Cyber Secured Podcast, helping you become safer in every way.
Now your hosts, Matt and Attila.
Matt: We're starting off on a good note, mispronouncing things today.
Attila: Well, good morning, this is Attila, and...
Matt: This is Matt.
Attila: And we're here to talk about Cyber Security.
Matt: Welcome back.
Matt: Yeah, welcome back to the Cyber Secured Podcast.
Attila: Awesome.
Attila: Well, we appreciate it.
Attila: We got some interesting ones today.
Attila: Matt found some really interesting topics on this YouTube channel, but we're also getting a lot of phone calls from our clients in the community about them being scammed by someone who they think is real, but they're actually not.
Attila: They're AI-generated.
Attila: Weird, right?
Matt: Yeah, we talked about this, what, two, three weeks ago?
Attila: Yeah, and we didn't know it was starting to take hold.
Attila: It's like a tsunami that builds, and now it's at full height.
Matt: Right, but I mean, the craziest thing is I'm seeing it in my YouTube feed.
Matt: I spend a good portion of the day playing YouTube in the background while I'm doing some work, filling out data stuff, and often an ad will come up, and there's just something wrong with the ad.
Matt: I can hear it with the voice, right?
Matt: And then I'll go and watch it, and there's a guy talking there in his lips are moving, and it's going with the words, but my brain just knows that the lizard part of my brain just knows the voice and the face don't go together.
Matt: And I started realizing that this is exactly what we're talking about.
Matt: These ads are AI-generated, the voice is AI-generated.
Matt: And I feel like a lot of them, I don't know for sure because I haven't followed all the way through, but I feel like a lot of them, if you actually went through the links and followed through, quite a few of them are probably scams, I don't know.
Attila: Yeah, yeah, no, that's what YouTube is warning about, is that their own CEO was impersonated by an AI-generated avatar.
Matt: Right.
Attila: And it looks real.
Attila: And to be honest, I mean, you're probably looking at it on your laptop, so it's probably a little bit bigger screen.
Attila: But most people would probably look at it on their phone, which is a small screen, couple inches, right?
Matt: Yeah, exactly.
Attila: You might not be able to catch those little nuances.
Attila: I was watching this video that you showed me.
Attila: It's like there's a lot of little cuts, like quick cuts, and a lot of YouTubers do that anyway.
Attila: They'll say something, and then quick cut to the next scene, quick cut to the next scene.
Attila: You might not catch it, but the AI engine, I guess, can't do it all at once.
Attila: It's not completely smooth.
Matt: Well, and then if you watch it closely enough, if there's no cuts at all, you can kind of tell there's that dead fisheye look in the person's face and their eyes, they're kind of soulless, sucking your soul in while they're talking to you.
Attila: Isn't that the joke that you watch it long enough, then they'll take your soul?
Attila: Yeah.
Attila: Yeah.
Matt: And the thing is with these ads, they're able to do fancy cutting, so you don't even really see that part.
Matt: But it's just enough that they're able to get ad revenue and probably an unfortunate number of people that are actually following through and clicking on the links and then giving money to whatever thing that it is that they're selling, the fish oil.
Attila: Isn't that the dead internet theory?
Matt: That's what it is.
Attila: The dead internet theory?
Attila: Yeah.
Matt: Oh, that everything's going to be AI.
Attila: Yeah, like it's all going to be bots and scripts, and there's going to be very few people actually do anything on the internet.
Matt: Yeah, make AI do everything.
Matt: I mean, that's what operator is now with ChatGPT.
Matt: I don't know if you've seen that, but...
Attila: No, what's it do?
Matt: ChatGPT operator will spawn a virtual browser, and then it can actually do tasks for you.
Matt: It's pretty crazy.
Matt: I've seen a guy that actually did a whole Facebook automation where he wanted to start a business picking up old pianos that people were trying to get rid of, but he used ChatGPT operator to go through, and on his behalf, communicate with people.
Matt: He logged into Facebook for the operator, and then it actually set messages and then corresponded and went back and forth and then filled out Google worksheet for him with all the information, when pick up times would be, just did all this work.
Attila: So this is like one step above what Google was doing with the reservation system.
Matt: Yeah, exactly.
Attila: So for those of you who haven't heard of this, it's pretty neat.
Attila: Like if you want to make a reservation at a restaurant, I mean, you can go to OpenTable, that's great.
Attila: But the Google system also has the ability to call on your behalf to a participating restaurant and then request a reservation by phone.
Attila: Like it's strictly 100% robot talking to a human.
Attila: And then you get your reservation, you get your confirmation, and you're done.
Attila: What you're saying is that GPT can go one step further and say, well, that's great, that's a unique application.
Attila: Why not use it to randomly call people about their pianos?
Matt: Yep.
Attila: Ask if they're willing to donate it or have it picked up.
Matt: I don't think it can do any voice stuff right now, but it can do full text automation.
Matt: It does have guardrails in place where anytime you get to a page that requires authentication, it asks you to either log in or do I have approval to do things on your behalf?
Matt: So you kind of, it's a supervised session, but I mean, we're only at the beginning, and the implications of this are pretty far reaching.
Matt: There's open source variation of this that I saw that was pretty cool where it actually uses your computer's browser to do similar tasks, and it is pretty on par with GPT's operator.
Matt: The catch though, in the demonstration I saw, was that the guy Network Chuck.
Matt: Love that guy.
Matt: In his demonstration, he was trying to buy a VPS, Virtual Private Server.
Matt: Okay.
Matt: He wanted to buy one and use his code to get a discount, just to demonstrate what it could do and to also promote his code on Linode.
Matt: And the funny thing was, it went through, skipped putting in his coupon code and bought 20 VPSs.
Matt: And he couldn't stop in the time, so he's got to figure out something to do with all those servers.
Attila: Isn't it true that gamers use this to do mining or farming all the time?
Attila: Like, this is a macros or like, it's like a keyboard repeater where it will do the same thing over and over again.
Attila: So this is like a more advanced version of something we've had for some time.
Attila: So it's not completely unfamiliar territory.
Matt: No, no.
Matt: But it's pretty cool where we're at with that.
Matt: But, of course, going back to the implications and what you can do with that, hacking and pen testing.
Matt: I've already been using GPT Deep Research for doing OSINT on my behalf, and it's cool.
Matt: You can actually watch its process in the background.
Matt: It's writing out Python scripts to do some of its OSINT activities, visiting websites, looking up stuff.
Matt: In fact, it revealed some stuff on me that I didn't know was out there.
Matt: So, you know, I went out and patched that up.
Attila: Oh, interesting.
Attila: So, you can use it to kind of clear up your digital exhaust.
Matt: Yeah.
Attila: Yeah, CISA has a guidance document on how to clear up your digital exhaust, and they have, you know, resources.
Attila: But, you know, to be honest, I think it's above the head of most people.
Attila: We're going to be able to just pick it up.
Matt: Yeah, for the most part.
Attila: And then the flip side of that is that it also has really simple recommendations that are kind of obvious, you know.
Attila: Like, you know, for example, if you have a call from an unknown number, don't pick it up, things like that.
Attila: Because then they have your phone number, right?
Matt: Right.
Attila: A predictive dialer is finding you and then scrubbing their own list.
Matt: Yeah, I made the mistake of doing that one day, and now I get, well, I used to get a dozen or more calls per day.
Matt: Luckily, it's kind of gone down, but...
Attila: I think there's some changes coming down in legislation.
Attila: You know, we could probably do a whole show just on what's happening in the telecommunications industry.
Attila: Because it's really changed.
Attila: For the same reason, you're getting a lot of scammers and hackers, and they're all using the phone system to break in.
Attila: That's how it's been since the 90s.
Attila: It hasn't really given up.
Attila: So now that we have these kind of staring us back towards our vulnerabilities that are coming in through AI-generated phishing videos, you know, that's a whole new angle of social engineering.
Attila: And it seems to be working.
Matt: Yeah, the common thing is people.
Matt: If you can get past people, you can get into their systems.
Attila: And the problem is now Microsoft is vulnerable in a way that's pretty much impossible to stop unless you have a quick fix.
Attila: Yeah.
Attila: Let's talk about that.
Matt: Yeah.
Matt: So on one of the recent bleeping computers articles that came out, they talked about privilege escalation path that number of high level APTs have been using.
Matt: And it's been around for a while.
Matt: It's pretty well known that you can do process injection, get into memory and escalate privileges and take over a system.
Matt: But what they revealed in here was there's a vulnerability with partition software, Paragon Partition Manager.
Matt: I've used the software before.
Matt: It's a legit company.
Matt: We've been out there for a long time.
Matt: And what they discovered is that this driver has this vulnerability where you can inject commands and get privilege escalation in memory through this driver.
Matt: The crazy part is you don't have to install the software.
Matt: Even the bad actor, if they've got access to the system, doesn't have to install the software.
Matt: I don't know the exact specifics, but with that driver, the system recognizes that the driver should have kernel level access.
Matt: Kernel level meaning like it's like access to the entire system.
Matt: And using that, they can get in, escalate the privileges, turn off AV, and launch their ransomware, move laterally through a network.
Attila: Well, so let's walk through this kind of attack pattern.
Attila: So bad guys, somewhere out in the world, get wind of Microsoft's vulnerable driver blacklist, right?
Attila: So this is like software programs that Microsoft has digitally signed.
Attila: So they're okay to be used on Windows computers, but unfortunately, it's a vulnerable driver, right?
Attila: So it's a.sys file.
Matt: Yeah.
Attila: And that.sys file exists, you know, out in the wild.
Attila: So the bad guys say, okay, well, we have this list of, let's say, 30 programs.
Attila: We know that if we take this.sys file, and we somehow get it on to a user's computer, we can take over everything.
Matt: Right.
Matt: And they don't need to change the.sys file.
Matt: They don't have to.
Matt: Because then, of course, you change the hash, and then that's detectable by virus total, or an antivirus tool.
Matt: And that's what they want to avoid.
Matt: They want to avoid being detected.
Attila: And the bad guys don't have to actually write any software.
Attila: All they have to do is try to get that one file from that vulnerable piece of software.
Attila: So, as you know, a piece of software isn't just one file.
Attila: It could be hundreds of files, but they just need to get just that one, just extract just that one file.
Attila: So they install the software on their own computer, extract that one file, then they do social engineering.
Attila: So they can create an AI-generated phishing video.
Attila: They can call you up and try to trick you into doing a tech support scam, whatever.
Attila: Any way they can get access to your computer, they just need to get that one.sys file, that single.sys file, onto your system.
Attila: And the moment they do that, now they can disable your antivirus or your EDR program.
Matt: Yeah, whatever you've got as your security, yeah.
Attila: They completely break through it.
Attila: And Microsoft is aware of these files, but the problem is most people don't have this little toggle switch turned on in the core isolation section in their computer.
Matt: Because from what I understand, this is actually a new feature within Windows.
Attila: It's a new feature.
Matt: So if you don't have your systems up-to-date patched, one, you may not be getting this feature.
Matt: Two, this feature may not be up-to-date.
Attila: So as a system administrator, you should make sure A, all your patches are in, and B, that you turn on the Microsoft Vulnerable Driver block list.
Attila: It's under the core isolation settings.
Attila: If you don't have that done, then this attack pattern will work, and there's nothing you can do to stop it.
Matt: I've seen it for a little bit and actually wondered what its feature was, what it was for.
Matt: Turns out, you can get to it through Windows Defender, but it's actually not part of Windows Defender, it's part of the system itself.
Attila: Like security center, right?
Matt: Yeah.
Matt: And on some systems, was not able to turn it on.
Matt: I was wondering why.
Matt: And after researching this and seeing what I found, I realized that the systems I couldn't turn it on, were systems that already had vulnerable drivers loaded on.
Matt: Like out of the box?
Matt: Like out of the box, yeah.
Matt: Yeah, it's freaky.
Matt: So the only way to actually turn it on would be to remove those drivers, to uninstall them from memory, and then I could turn it on, and then I have to find actual driver that work that is not considered vulnerable.
Attila: So I can assume that this new feature showed up because it's out in the wild, right?
Attila: So vulnerable drivers exist on systems out there today that are undetectable.
Attila: How do we detect this?
Matt: So if the bad guys somehow found a vulnerable driver that is not on the list and is not being blocked by Windows, let's say you did turn on this feature, and you're doing your due diligence, you're up to date, but they still somehow found a driver that is vulnerable.
Attila: Like a zero day or something?
Matt: Like a zero day, yeah.
Matt: You know, they're in your system, and they've turned off EDR, and let's say, you know, they're maybe getting ready to launch an attack, or they're doing reconnaissance.
Matt: The only way that I know that you could potentially stop this would be using what we call a SIM.
Attila: Okay.
Matt: What does SIM stand for?
Attila: Security, instance, an event, monitoring.
Matt: I only ask you because I can't remember all the letters.
Attila: Some people call it seam?
Matt: Yeah.
Attila: Like the seam of a clothing, but seam, SIM, I don't know.
Attila: It's an industry term.
Attila: I didn't make it up.
Matt: Yeah.
Matt: I was actually talking to my wife about this last night.
Matt: What your system is doing on a day-to-day basis is millions of transactions, and that all generates logs.
Matt: It's happening every moment on every device, whether we're using our phones or computers, tablet.
Attila: Smart devices, too.
Attila: Yeah.
Matt: Smart devices have this as well.
Matt: But the device can't store all those logs.
Matt: Logs are really just for reference.
Matt: If it did, then it would run out of space.
Matt: So that's where something like SIM or SIM comes in, is those logs can be shipped over to Collector, and you can either just store that information for forensics later on, or you can actually use special tools that will sit and look at the logs, and look for anything that looks suspicious.
Matt: And so that's where we can see malicious activity or something suspicious going on if the bad guys got in through one of these kinds of attacks.
Matt: They disabled EDR.
Matt: That's going to be number one.
Matt: If you whitelist an entire drive, the SIM, the SIM should be able to see that.
Matt: But once a new user gets created or a user gets escalated, it turns into a system admin.
Matt: You know, we get alerts for that kind of stuff.
Matt: If they move laterally through a network and connect to another system, that's kind of an odd thing to see on the network.
Matt: We're going to see that.
Matt: But that's only if there's a SIM in place.
Matt: And this is something that compliance requires.
Matt: So that's where a lot of our work is.
Matt: And a lot of what we do is we have this kind of monitoring and we sit and look at these logs.
Matt: If anything happens, then there's forensics involved, and then we'll go through the logs and look at trajectory and how they got in.
Matt: But without this kind of tool, that's kind of impossible to do.
Attila: You mentioned compliance, and compliance is a vague word.
Attila: So maybe we can kind of talk about what that is.
Attila: Some companies deal with sensitive data, either with the federal government or with patient records, financial data, anything like that.
Attila: And those records and those companies need to be secured to a certain extent.
Attila: So they are subject to compliance requirements, and it's usually a long checklist.
Attila: On that checklist, they'll request something like, do you have monitoring of your devices present?
Attila: And are you able to look at those logs and find out if there's a problem after the fact?
Attila: And if you don't, you need to put in a SIM plus a SOC.
Attila: And so let's talk about what that is.
Attila: So the SIM, as we discussed, was the Security Instance and Event Management.
Attila: That means that those logs that Matt just described are all being sent somewhere.
Attila: Those logs will be stored.
Attila: Walking into my life.
Matt: Yeah.
Matt: Endless interruptions.
Matt: If we include this in the podcast, Attila's phone has just been going off nonstop.
Attila: And it really is irritating because it doesn't go off nonstop unless I'm either recording something.
Attila: I was recording-
Matt: Talking to somebody.
Attila: Yeah.
Attila: I was recording a video about scammers.
Attila: I think this was like I was being abducted by aliens or something.
Attila: And literally, I'm getting a phone call from a scammer while I'm recording the YouTube video.
Matt: It's ridiculous.
Matt: Maybe it just means you're doing something good.
Matt: You're out there.
Attila: I'm out there and getting the attention.
Attila: Yeah.
Attila: Maybe the bad kind of attention.
Attila: So, all right, maybe I'll just not edit this out.
Matt: Make it real.
Matt: Make it real.
Attila: Make it relatable to people.
Attila: I think people are probably trying to listen to this at the same time, and their phones are going off.
Attila: Probably.
Attila: All right.
Attila: So, Sim and Sock.
Attila: So, Sim, taking logs from anything that has electricity and sending it somewhere.
Attila: The sock team is the one that's actually watching the logs for anything interesting.
Matt: The sock for if we didn't say to Security Operations Center.
Attila: Right.
Attila: It's not like the socks on your feet.
Matt: No.
Attila: But the Security Operations Center is watching that.
Attila: They're doing a combination of things, right?
Attila: So, they're using tools plus AI to go parse through all this data, looking for unusual events.
Attila: If those events are flagged as being unusual, then they let us know, and then we check it out for true positive to see if it's, is it real, right?
Matt: Right.
Attila: And then if it is real, then we'll either hop in there quick and, you know, shut things down, let the customer know, that kind of thing.
Attila: If there is an incident, then we have to take those logs and ship them.
Attila: When I say ship, that's, we're not putting it in a box in an envelope.
Attila: It's, you know, we put it on a USB drive or secure link, and then we send it to the FBI and then they do some more forensics on it.
Attila: So that's kind of like after the fact.
Attila: So having those logs in the first place is super duper important.
Matt: Yeah.
Matt: And I just want to give an example of like what that can look like.
Matt: The other night, we got two alerts, one at 8.30 and one at 10.30 or 11 at night, that there was a PowerShell script ran on two separate systems, two different locations within a company, and that the script was run with a Base64 obfuscation.
Attila: So that means it's encrypted, no one can, like we don't know what it's doing.
Matt: Yeah.
Matt: So I mean, that right away sets off alarms.
Matt: It looks really odd.
Matt: So I was, you know, I was looking at my computer doing some stuff.
Matt: I was at home, saw this.
Matt: I went ahead and messaged the client, let them know, and decided to dig in, because that's a priority to alert, not really sure what it was.
Matt: So I went to a decoder, took the Base64, decoded it, and saw right away it was a bunch of commands to check the user, their domain credentials, and like what the privilege is.
Matt: Which, you know, again, very suspicious, something that malicious actor on a network, on a system might do.
Attila: Like a recon event.
Matt: Yeah, to try and figure out who the user is that they're emulating, what kind of privileges they have, so they can do other things.
Matt: It's a pretty basic step if you're a bad guy.
Matt: I keep digging around.
Matt: I am not seeing anything else that looks suspicious, but we have a RMM, remote management tool, on these systems, and I decided to go there and take a look at the logs as well.
Matt: I can see, at those exact times, the user logged in.
Matt: I could also see that the remote management tool also ran a script to find out who that user was and what kind of access that they had.
Matt: So it was actually part of the RMM itself.
Attila: And we were taking inventory of that system, and that's how we can get info about it.
Matt: And then the tool, the reason why it was obfuscating the commands, PowerShell commands, is because the command itself had some programmatic languages with quotation marks and brackets, which if you write that out as a single line, can often get disrupted.
Matt: So a way to get around that is to write that in Base64 because it's just a block of text.
Attila: I wonder why they don't call it compiled because that's kind of what it's doing.
Attila: It's a compiled command.
Matt: A little bit.
Attila: So that goes right back to what we were talking about earlier, where a social engineering attack would then allow a vulnerable driver file to be inserted onto that computer, which then gets remote access to the bad guy, and it's completely undetectable.
Attila: And they start turning off antivirus, they start scanning the network, doing some recon.
Attila: The simsock is pretty much your only line of defense to be able to detect their activity, right?
Attila: This is why a simsock is so important.
Attila: It's because, like you said, there could be a zero day that comes out, and it's being actively exploited in the wild for months before Microsoft decides to put it onto its vulnerable driver list and the manufacturer finds a way to patch.
Attila: So the only way is really to try to detect after the fact and then respond quickly to shut it down.
Matt: And this all points to something that I've said, a lot of security people have said, that most general computer users don't really know or understand is there's no perfect security solution.
Matt: It's really about putting up as many guardrails and hurdles as possible, and then having something to monitor the activity.
Matt: If you're really doing something critical and you need to keep your data safe, you need to keep your client data safe, these are the kinds of things that you need to have in place to be able to mitigate against an attack.
Attila: The analogy I like to use because we're in Hawaii and it's sunny most of the time, if you go outside and you're completely naked, you might get burned.
Attila: So you want to put a few things on, and you put on some swimwear, maybe some sunscreen, a hat, sunglasses.
Attila: You got to put on three or four things.
Attila: Same thing with security.
Attila: You can't just say, I got an antivirus, I'm done.
Attila: Oh, I got patch management.
Matt: I got Windows Defender.
Attila: Yeah.
Attila: No, they break right through.
Attila: So let's not get burned.
Attila: Let's put on a few layers.
Attila: Good practices.
Matt: And at the end of the day, it really comes down to the human firewall as well, because most security is pretty strong.
Matt: It's going to do a great job, but where things are falling short is where they get in, which is social engineering through people.
Attila: Through people.
Attila: And remember, if you are under stress, if you are being pressured by a bad actor into handing over some information or giving access to your computer, you can bet that your guard is going to be down.
Attila: You might make some poor choices in the moment when you are stressed out.
Attila: People's resistance goes down under stress, so we don't want you to be stressed, trying not to make any decisions while you are driving or multitasking.
Attila: That's a sure way to get hacked and then spend months, if not years, trying to clean up that mess.
Attila: Anyways, if you do come across that, well, feel free to reach out.
Attila: Might be able to help you, at least guide you in the right direction and maybe even get you back on the road.
Attila: But yeah, that's our episode.
Attila: Feel free to follow us on, we're on every social media platform.
Attila: This podcast is available on every podcast platform.
Attila: You know, of course, our company is Cypac, so you can always reach out to us here and give us a phone call or send us an email to support at scipak.com.
Attila: I'm Attila.
Matt: And I'm Matt.
Attila: Stay safe out there.
Attila: Cool.
This episode was brought to you by Cypac.
To learn more about keeping your business safe from threat, crime, and disaster, visit Cypac.com.