February 2 – FBI’s Botnet Takedown, Windows EventLogCrasher, and Malware via USB sticks

The Daily Decrypt

February 2 - FBI's Botnet Takedown, Windows EventLogCrasher, and Malware via USB sticks

00:00 / 17:04

In today’s episode, we dive deep into the digital world’s hidden dangers, uncovering how the FBI’s strategic takedown impacts us and the unseen battles fought in the cyber realm. First, we explore the aftermath of a major operation against Chinese malware in SOHO routers, shedding light on how botnets threaten our digital security and steps to safeguard our devices. Then, we shift focus to a critical vulnerability within Windows Event Log, known as EventLogCrasher, revealing its widespread impact and the community’s swift response to mitigate the threat. Lastly, we touch on a sophisticated cyber-attack using popular platforms like Vimeo and Ars Technica for malware distribution. Stay informed and ahead of cyber threats with our insightful analysis and expert advice.

Original articles:

Music provided by http://www.jeredjones.com

[00:00:00] announcer: Welcome to the Daily Decrypt, the go to podcast for all things cyber security. Get ready to decrypt the complexities of cyber safety and stay informed. Today is February 2nd, 2024, the most important day of your life. Here are your hosts, Offset Keys and Doja Span.

[00:00:21] offsetkeyz: Welcome back to the Daily Decrypt. Thanks for tuning in. Today it is Offset Keys accompanied by DojaSpan. You got both the boys in town. We’re back. And yesterday we talked a little bit about SOHO routers. And I had to bring in the expert on home networking, DojaSpan, to talk about a little more in depth SOHO routers.

And if you don’t remember from yesterday, SOHO stands for Small Office. We’re gonna be talking about that a little more. I’m gonna bring you a story about a Windows event log crasher, but don’t worry. I’m gonna help keep it relevant to everybody. And then finally, DogeSpan’s [00:01:00] gonna close us off with some Vimeo USB stick to deliver second stage malware.

[00:01:07] d0gesp4n: The article that was brought up yesterday, I thought was really good. Really relevant to a lot of users. Especially with some of the research that I’ve conducted myself, personally. I’ve gone on different websites that are accessible that you can essentially look at what is being publicly hosted.

From different IP addresses, and one of the common ones that I found were Soho routers, they had their admin pages, which is what offset keys was going into yesterday about typing in that IP address, instead of a www address, and getting in and changing that admin. Some manufacturers like to, by default, expose that from time to time.

Not gonna call any a specific one out because there wasn’t a trend it was pretty much all across the board But the other thing is that they like to expose it and by [00:02:00] expose it publicly accessible Like we talked about you can navigate it navigate to it from anywhere in the internet the manufacturers will do that so that they can give you technical support or whatever.

But the key thing that OffsetKey was talking about was just getting in there and changing the password. So that is first and foremost the number one step that you want to do. The other thing that you can do to mitigate a lot of issues. Is rebooting your router from time to time. Routers are a little bit different than computers where a lot of stuff is stored in short term memory and the way to think about that is, you’re doing tasks throughout the day. And if you don’t write down certain bits of information, you’re going to forget about it when you go to sleep.

And in terms of like computers and routers is when you reboot them, they pick right back up to what they originally knew from the start.

[00:02:54] offsetkeyz: If you’ve ever seen the movie Memento it’s an older movie, but it is exactly that. He cannot remember things for more [00:03:00] than like 30 minutes. Every 30 minutes he resets to a certain point, and that’s how computers work too.

[00:03:06] d0gesp4n: Yeah, so with this , I think it was, CISA, the Cybersecurity Infrastructure Security Agency. They mentioned that, this was going on by Chinese spies and the FBI took down the servers that were leveraging these vulnerable routers for a giant botnet.

on the bright side, the bad guys were taken down on this. But this is a really common theme to use against home equipment because it’s relatively unsecure unless you go in and take, a couple steps. And now, a botnet, it does sound terrible.

The thing about a botnet is a bunch of computers, or routers, or Chromecasts, or printers all communicating back to one brain and doing whatever that brain wants them to do. And it could be, like, just sending out tons of emails. Could be [00:04:00] just monitoring a bunch of information off of those devices, and then also launching attacks.

[00:04:07] offsetkeyz: That’s so interesting. Yeah, I was reading the article yesterday about Soho devices and it was so vague. I think I even mentioned it yesterday. I was like, they don’t really talk much about what’s going on. So really, thanks to Doja Span for talking about botnets. Botnets, I just had this funny analogy in my head that I’m going to share with you guys.

Botnets are like, yeah, you just bought a new house. And there’s a little troll in the basement who just lives there until the troll master needs him to do something, right? So he’s not it’s not terrible. He does take up resources like air and probably needs water and food. So he might suck on that a little bit, But if you have Millions of houses with each having one troll in that house and then all of a sudden they get really mad at let’s say Walmart and Every one of those trolls goes into Walmart and I have a million trolls in Walmart.

No one else can go in no one else can [00:05:00] do anything So that’s an example of what we would call a DDoS attack, which is a distributed, using the trolls, denial of service, right? Every troll goes in, denies anyone else access to Walmart.

Walmart doesn’t like that, because now they get no money. Of all the hacks I’d like to have done to me, I wouldn’t want any done to me, but having a botnet, it’s, they’re not really trying to get you, they’re just trying to Have access to your resources when they need them, and then attack somebody else using your resources.

[00:05:28] d0gesp4n: I like that.

[00:05:29] offsetkeyz: Little trolls.

[00:05:31] d0gesp4n: A little troll.

[00:05:32] offsetkeyz: thanks DojaSpan for bringing that to us.

[00:05:34] d0gesp4n: Yeah.

[00:05:34] offsetkeyz: The key takeaway from yesterday’s episode is that most people have what’s called a SoHo device in their home. Most of them are insecure. they were likely being used for botnets. if anyone has actually noticed an increase in their internet speed in the last month, I’d love to hear about it in the comments, because DojaSpan talked about, the servers being used have been shut down, so [00:06:00] likely the resources that those little trolls were using have gone away, or, come back to you and will show up as probably an internet speed boost, I would imagine.

Do you agree with that?

[00:06:12] d0gesp4n: Yeah. And I didn’t think about the direct impact. I’m thinking of crypto mining and stuff, how that can burn up your energy, but that’s big computers and, running your GPU or your graphics. even just your internet speed.

[00:06:24] offsetkeyz: if you’ve experienced that kind of a boost, you’re kind of like, Oh, it’s working really well today. We’d love to hear about it. That’s very interesting to us. So drop a comment below.

Okay, so moving on to our next story, I’m going to be discussing What’s known as a zero day vulnerability surprise, surprise from Microsoft in the windows operating system, which has been coined event log crasher. So before I go into that, I just wanted to explain what a zero day is.

A zero day essentially is something that came out [00:07:00] in a product when the product was released that the company didn’t know about and there’s no fix for it.

It’s just sitting there. undiscovered until one day it’s discovered by attackers, and then they can exploit it as long as they can keep it secret from the company. Once the company finds out, they declare it a zero day, they fix it. Sometimes those fixes take a long time, but they’re always delivered to you in security updates.

So one of the things we will harp on On this show is keep your phone up to date. If you’ve got the big red blinking button at the top of your chrome that says, please, for the love of God, update me, just do it. It’s all the tabs are going to open back up. But what that update is doing is fixing security vulnerabilities.

More often than not.

So what’s really cool about this article from Bleeping Computer is it talks about how this event log crasher vulnerability has not yet been patched by Microsoft.

But what’s cool is that a third party service called [00:08:00] Zeropatch has stepped in with unofficial fixes. Which is so cool, we’re gonna need to start leveraging the community on these fixes, they’re gonna start coming out quicker and quicker.

One of the things I briefly touched on yesterday is What’s called logs. Logs are just generally text files in a certain format that Write down everything that you do.

[00:08:23] offsetkeyz: Everything that your computer does. I can’t really think of a good analogy other than a sign in roster, maybe? If you went to the YMCA last month, you probably had to sign in and say that someone, got killed on that day. The police are probably going to go check that sign in roster.

So that’s what we would call logs. So when something happens in your network, the first thing that a security investigator is going to do is go check the logs for around the time that event happened. Attackers, we don’t really think about this too much until we get into [00:09:00] network defense, but attackers want to cover their tracks.

Just like murderers probably do as well, right? They want to go in and Maybe they signed in before they killed someone at the YMCA and they want to get their name off that roster, right? So that’s essentially why this vulnerability is so bad, right?

I didn’t even explain this vulnerability so first of all attackers can use simple credentials and stop the service That logs events in windows computers for an indefinite amount of time. So the first thing they’re going to do when they launch an attack is they’re going to go stop that service.

They’re going to launch their attack and maybe they start it back up and maybe no one notices, but now there’s no record of that attack. So this is pretty bad. It affects. All versions of Windows between 7 and 11. And, it’s especially concerning for corporate networks, where, they need to know what’s going on.

[00:09:54] d0gesp4n: I really like that there are unofficial security patches coming out, even though you do want to be careful, [00:10:00] but it just pivots to the whole open source community. And the open source community is a collective of people for the most part trying to do the right thing and write useful software and help everybody out.

It offers a lot of transparency which we’ve talked about in a previous episode. opens up the window so that everybody can go in and see what is running on this software. But you have a lot of major players in the industry like Apple, like Microsoft that tend to shy away from open source because they want to keep so much control over their devices.

And this is really cool. I have come across this, I think just a small handful of times.

[00:10:49] offsetkeyz: Yeah, there’s a there’s essentially a sect of people out there in the tech world that do really complex professional work for free and It’s fun. It’s [00:11:00] great Resume building. It’s great community building great networking. It’s probably gonna lead you to a very nice job, very high paying job because of your generosity.

And that’s really respected in the industry. But when we talk about open source, that’s what that means is it’s community funded, all of the code is available to anyone who wants to see it. And things like Microsoft. And Windows itself are closed source, where we can’t actually see the source code. We can’t contribute to it, etc.

So when we say open source, all we’re saying is, yeah, somebody from the tech community opened up their coding environment and wrote a fix for this Windows Event Crasher and distributed it for free. Did you ever see those old Budweiser commercials? Where real heroes, what was it? It was like, real American heroes. And then they would, do you remember those? It was like the 90s and they would just like pick. They would just pick a To you, sir, who [00:12:00] stands behind the bowling alley desk.

Like a real American hero. They have a cool slogan. So yes, to you, individual who made this patch, we salute you.

[00:12:10] d0gesp4n: The desk at your home office, and types away for the benefit of all humankind, we salute you.

[00:12:20] offsetkeyz: real American hero right there.

[00:12:23] d0gesp4n: All right. So this next one is brought to us by a combination of resources I pulled from different sources, but Ars Technica, Mandiant and HelpNet Security. Essentially what’s going on is that this thread actor is using USBs to deliver malware that then go to websites that we commonly use.

They’ll plug them into their computer and it has a simple application that you may be familiar with. If you’ve used Windows, it could be explorer dot [00:13:00] whatever. And then you’re clicking on it because you’re curious. And what happens is it pulls up one of these websites. Now, baked into the website, could be in the description of the video. It’s a little series of letters, numbers what’s called an encoded string that is issuing the command for this malware to go and do its thing. So depending on where, what website you go, could be directing to a specific comment on a website. But depending on where it goes, Might be directing your infected machine to behave a certain way.

It’s gonna pick up CNC traffic, which is command and control. It could go do something else and just harvest your passwords and so on. It’s really simple to do. It’s simple for users to, to fall into this because you’re just generally curious to see what’s on a USB drive. Even as a security practitioner, I’m If I see something like that laying on the ground, I definitely want to plug it in,

Yeah, [00:14:00] so it’s running various programs. This one is called empty space, takes over your computer, steals info mines for cryptocurrency, which is similar to the botnets that we were talking about.

Now, this kind of Stuff could if it has infected your computer could cause your energy bill to go up because your computer’s starting to eat up a lot more power to run and try to make somebody else money through cryptocurrency. But really, the interesting side of this is the fact that they’re using regular websites.

So when you download a piece of malware, it could be an attachment. If you execute it by, double clicking on it, and then some website comes up and it seems benign a Vimeo video, could be YouTube. I know previously the website formerly known as Twitter X, was used to distribute and control different forms of malware.

[00:14:54] offsetkeyz: I’ve not seen too many USB sticks on the floor. I’ve never been tempted to plug in a USB [00:15:00] stick, but I’m wondering, these attackers can get pretty creative when they’re doing these sorts of things. And so I’m wondering if there’s like maybe a Facebook marketplace or something where people are selling like used USB sticks or

[00:15:14] d0gesp4n: This one’s targeted at businesses. And that’s usually where I hear about it is somebody would want to get information or trade secrets from a business in particular. So then they’ll leave it outside of there, I could leave it outside of Starbucks.

A lot of people go and they work remotely and go in for their afternoon coffee and a little bit of a. I don’t know. Coffee and work?

[00:15:35] offsetkeyz: Yeah, curiosity killed the cat.

[00:15:44] offsetkeyz: I think that’s it for today. I really appreciate Doge’s Band coming on and

[00:15:49] d0gesp4n: I appreciate Offset Keys showing up for this and giving us your expert opinion.

[00:15:55] offsetkeyz: I’m a little sleepy. Because y’all have me delivering news to you [00:16:00] every day, alright? Demanding it of me. Thanks for demanding it of me. I really appreciate you guys listening.

It’s been a blast. Happy Friday! If y’all are bored this weekend, or you need to go on your jog, we have a little intro teaser interview between the two of us coming out that’s gonna talk about how to break into cyber security and how we broke into cyber security and it’ll be an all around good time so check that out tomorrow or sunday whenever we get to uploading it and thanks

[00:16:32] d0gesp4n: Thank you! [00:17:00]