What to look out for with scan-and-exploit cyber attacks.
Andrew Morris: The dream that I have is that just by using technology services, security is baked in, and it's included by all of the different vendors and providers out there. And I think that consumers should demand that.
Dave Bittner: Hello, everyone. And welcome to The CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from The CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week and, later in the show, my conversation with Andrew Morris. He's founder and CEO of a company called GreyNoise.
Dave Bittner: All right. Joe, before we jump into our stories, we've got a few follow-up items here.
Joe Carrigan: Yep.
Dave Bittner: You want to start us off?
Joe Carrigan: Yeah, I'll take the first one. This one comes from Mark (ph) in Canada. And I have to make sure I'm saying it right - Canada - because I used to have a Canadian friend who I'd tease and say, Canadia (ph).
Dave Bittner: (Laughter).
Joe Carrigan: Right?
Dave Bittner: OK. Sure (laughter).
Joe Carrigan: But now, I've actually said Canadia (ph) in real conversations, looking like a total idiot. So I have to - Canada.
Dave Bittner: Canada.
Joe Carrigan: So Mark in Canada writes that he loves listening to "Hacking Humans" and looks forward to the show every week. And he also enjoys Hacking Humans Goes to the Movies. His story about - is about something that happened to his son, who plays MMORPG games - that is, massively multiplayer online role-playing games.
Dave Bittner: Right. Yep.
Joe Carrigan: And I did that without looking it up.
Dave Bittner: Wow.
Joe Carrigan: I mean, I'm impressed with myself.
Dave Bittner: Yeah. Get your geek badge renewed.
Joe Carrigan: Right.
Dave Bittner: (Laughter).
Joe Carrigan: So several weeks ago - renewed. I think I have a lifetime geek badge.
Dave Bittner: That's probably true. Yeah (laughter).
Joe Carrigan: Several weeks ago, he was playing a game, "Albion Online," and during the course of play, he got an extremely rare item that is worth 150 million silver, which is a lot of in-game currency.
Dave Bittner: OK.
Joe Carrigan: And he wasn't interested in keeping it, so he put it on - posted it like he was going to sell it. And then Mark asked his son, what happened to the sword or the...
Dave Bittner: The silver.
Joe Carrigan: The - well, the item, right?
Dave Bittner: Yeah.
Joe Carrigan: I don't know. I'm thinking sword because I'm immediately going to the "South Park" episode where they had the sword.
Dave Bittner: OK.
Joe Carrigan: I don't know if you've ever seen it. It's called "Make Love, Not Warcraft" - excellent "South Park" episode.
Dave Bittner: OK.
Joe Carrigan: If you haven't seen it, go watch that.
Dave Bittner: I have not. All right.
Joe Carrigan: It's funny. But he - fast-forward to a couple of weeks, and he says what happened? And his son said he got scammed out of it, and it went down like this. Someone contacted him and said, hey, I'd like to buy it. But during the transaction, he agreed to a price of 150 million silver, and then the buyer wanted a few other items as well, adding a few more items to the transaction - right? - to sweeten the deal, I guess.
Dave Bittner: OK.
Joe Carrigan: So then the buyer goes out of range, right? So in these games, you're within a range of somebody.
Dave Bittner: OK.
Joe Carrigan: You're literally within a - well, it's not literally, but it's if - you're within a distance of somebody, and as they run away, you reach a certain point where you can no longer interact with them. And that cancels the transaction.
Dave Bittner: OK.
Joe Carrigan: Right? So the guy comes back and goes, oh, I'm sorry. I must have moved away. And he re-proposes a transaction, but this time, he removes a zero from the transaction.
Dave Bittner: Oh.
Joe Carrigan: Now, if you remember your elementary math, zeros are very important in large numbers.
Dave Bittner: (Laughter) So I've been told.
Joe Carrigan: Right.
Dave Bittner: OK.
Joe Carrigan: But his son didn't notice that a zero had been shaved off. And that's what's called - shaving - right? And the - so he only got 15 million silver for an item worth 150 million silver. He looks up the character. The character's gone. It's a new character, and the item may not even be with that person anymore. He may have turned around and flipped it and made 90% on that. But he contacts the support forums, and their response is that we don't get involved in user transactions. You got to be careful. That's it. Mark has some comments. He says as his son was telling him the story, two things came to mind. Don't shame the person because it's not stupid. This is just an oversight that the person made. And this is a carefully crafted trick that this guy pulled on Mark's son.
Dave Bittner: Right.
Joe Carrigan: Right? He does this probably for a living. And when this guy comes back in and proposes a transaction, more experienced players are going to be like, hey, wait a minute, you removed a zero. And they're going to - that's going to be the end of it, right? But if you're new to this, and you're lucky, like Mark's son was, you might get scammed out of it.
Dave Bittner: Well, and certainly Mark's son is going to be more mindful of it from here on out.
Joe Carrigan: Right. He'll be mindful of it in the future. He probably won't get shaved again.
Dave Bittner: Yeah. All right. Well, thanks for sending that in, Mark. We got a couple of letters from different listeners, a handful of people who were following up on our question about why people enable macros.
Joe Carrigan: Right.
Dave Bittner: And one of the more interesting ones - someone wrote in and said that they use Office macros because they're not allowed to use other automation tools. So their organization that they work for won't let them use standalone automation tools or use APIs for automation and that sort of thing, presumably for security reasons. But everybody has Excel (laughter).
Joe Carrigan: Right. This is another prime example of security being circumvented by creative people...
Dave Bittner: Right.
Joe Carrigan: ...Because you're not letting them do something they should be doing. So they're actually - you're actually making your organization less secure...
Dave Bittner: That's right.
Joe Carrigan: ...When you do this.
Dave Bittner: Yeah. And that's exactly what I was thinking, that this is - I don't know. You know, we call it shadow IT...
Joe Carrigan: Right.
Dave Bittner: ...Where people will find a way to get the work done that they need to get done with what you've provided them with. And so by saying no to one thing, you're making them open up a vulnerability somewhere else.
Joe Carrigan: Right.
Dave Bittner: Isn't that interesting?
Joe Carrigan: Yeah. You can think of it like a balloon, like one of those long clown balloons that...
Dave Bittner: Yeah.
Joe Carrigan: ...You make animals. You only fill it up so much, right? So it only has so much air in it. But if you squeeze that balloon, that air goes somewhere.
Dave Bittner: (Laughter) OK. Very good. Very good. What a - you are the king of eloquent analogies, Joe.
Joe Carrigan: I am the king of complex, barely applicable analogies. That's me.
Dave Bittner: OK. All right. Well, thanks to everyone who's sent these things to us. We do appreciate it. We would love to hear from you. You can write us at hackinghumans@thecyberwire.com. All right. Let's jump into our stories here, Joe. I'm going to kick things off for us. My story comes from the folks over at Red Canary. They have a detection and response team. They're a security company. And they published some research recently. This is written by Aedan Russell, and it's about some malware that's called ChromeLoader. And this is a browser hijacker. But it uses PowerShell for some of the things that it does. Now, for folks who aren't familiar with it, Joe, can you explain to us what PowerShell is?
Joe Carrigan: PowerShell is Windows' answer to Linux scripting...
Dave Bittner: OK.
Joe Carrigan: ...Or Unix scripting. It's a very powerful development environment that essentially lets you script a lot of things in the operating system. You remember back in the old DOS days, we had batch files - .bat.
Dave Bittner: Yeah.
Joe Carrigan: This is like that but on steroids.
Dave Bittner: OK.
Joe Carrigan: So that's a really dumbed-down explanation of it.
Dave Bittner: Yeah.
Joe Carrigan: It's really powerful. And you can do just about anything to the operating system that you want to do.
Dave Bittner: Right. So ChromeLoader is browser hijacker. And what happens is you get this on your system, and it modifies your browser settings. Primarily, it's used to redirect you to advertising websites. And also, typically, these sorts of things will take over your - it'll change the default for your search engine. I think I talked about this on a past show. My father fell victim to one of these things, like, many - or several times...
Joe Carrigan: (Laughter).
Dave Bittner: ...Visited my father. And I go - I'd hear, Dave, the computer's not working. And I go over to work on the computer, and I bring up a browser window, you know, that should have popped up with, say, Google.
Joe Carrigan: Right.
Dave Bittner: And it was just something that said search.
Joe Carrigan: (Laughter).
Dave Bittner: But it was in the Google colors...
Joe Carrigan: Seems legit.
Dave Bittner: ...And looked like the Google logo. So for folks, you know, who weren't up on these things, it looked legit. Yeah. But it was not. In that case...
Joe Carrigan: My favorite...
Dave Bittner: ...I don't know how it kept getting reloaded on there.
Joe Carrigan: My favorite example of that - do you remember the Skerple pens?
Dave Bittner: No.
Joe Carrigan: I showed you a logo. This was probably a couple years ago.
Dave Bittner: Oh. Yes, yes, yes, yes, yes.
Joe Carrigan: I showed you a logo and said, what is this? And you said, it's a Sharpie.
Dave Bittner: Right.
Joe Carrigan: And I said, no, it's a Skerple.
Dave Bittner: (Laughter).
Joe Carrigan: And then you look close. And, I mean, this logo for all the world looks like Sharpie.
Dave Bittner: Yeah.
Joe Carrigan: But it isn't.
Dave Bittner: Yeah. Yeah. So this ChromeLoader - there is a Windows version. Evidently, there's also a Mac version, which isn't going to be using PowerShell. But the way that you get this on your system is by downloading pirated things - so movies, software, that sort of thing.
Joe Carrigan: Ah, the old pirated software vector.
Dave Bittner: Right. So there is no free lunch.
Joe Carrigan: Right.
Dave Bittner: You can't get something for nothing.
Joe Carrigan: That is the oldest vector for malware in the book.
Dave Bittner: Ah, Joe, for the old good old days, when you could fire up the Pirate Bay and download some software and not get malware on it. Those days are long gone (laughter).
Joe Carrigan: Those days have never existed, I don't think. Pirate Bay - I mean, this has been around much longer than Pirate Bay.
Dave Bittner: Right.
Joe Carrigan: There used to be - I remember the first time I heard about it. Someone wrote down, warez, W-A-R-E-Z. And I said, Juarez. And they said, no, it's pronounced wares.
Dave Bittner: Yeah.
Joe Carrigan: I'm like, oh, hacker speak, right? And they're like, yeah. And this guy was saying, you can get all kinds of software on these sites. And I'm like, I'm not doing that.
Dave Bittner: Right.
Joe Carrigan: It's just asking for trouble.
Dave Bittner: Right. Right. So they say in this blog - we'll have a link to this blog post in the show notes, which has all the technical details, has the indicators of compromise, all the things you should look out for. But the bottom line here is, obviously, don't go downloading things you shouldn't be downloading.
Joe Carrigan: Yes.
Dave Bittner: But also, be suspicious of ISO files or DMG files on the Mac - so basically disk image files.
Joe Carrigan: Yes. Absolutely.
Dave Bittner: And then also be on the lookout for PowerShell execution on the Windows side.
Joe Carrigan: You know, one of the things I say is if you can stop people from using PowerShell in your organization - this is an organizational thing...
Dave Bittner: Yeah.
Joe Carrigan: ...Then you should disable PowerShell because the vast majority of your users don't need it.
Dave Bittner: Yeah. And for the folks who do, they can come and ask, make their case.
Joe Carrigan: Right.
Dave Bittner: And you can enable it for them...
Joe Carrigan: Yes.
Dave Bittner: ...But not globally.
Joe Carrigan: Correct.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: PowerShell should be an exception not the rule.
Dave Bittner: Yeah. All right. Well, again, this is from the folks over at Red Canary, interesting thing to be on the lookout for. That is my story this week. Joe, what do you have for us?
Joe Carrigan: Dave, once again, I have two stories.
Dave Bittner: OK.
Joe Carrigan: And - but the first story I'm talking about comes from Michigan. It's from 9 & 10 News. Michigan State Police are looking for a con artist in Emmet County gas station scams.
Dave Bittner: OK.
Joe Carrigan: So this is the standard gas station scam where - or side-of-the-road scam where somebody is pulled over, and they say, I have this jewelry - you can watch - you know, they've always got some reason. They need money for gas.
Dave Bittner: Yes. Yes.
Joe Carrigan: Right.
Dave Bittner: I fell for that one once.
Joe Carrigan: Right. And you got some...
Dave Bittner: Talked about it on this show. Yeah.
Joe Carrigan: You got some crappy jewelry in exchange for 20 bucks.
Dave Bittner: That's right.
Joe Carrigan: Right? And, you know, I often say that if you really think someone is in a jam, it's better to help them out than to leave the fellow human stranded.
Dave Bittner: Sure.
Joe Carrigan: But when you see this scam, when somebody says, look, I'll give you this jewelry, just hold onto it, that should be a red flag, right? But what happened in this case was somebody gave the family money and later found them not buying gas or food. And then the person follows this family to another gas station, and they saw them asking someone else for money. Now, this person did something that they probably shouldn't have done. They confronted the family, and they were assaulted by this person.
Dave Bittner: Oh - by - so the scammers assaulted the person who was following them, or the person who was following them assaulted the family?
Joe Carrigan: The scammer assaulted the person following them.
Dave Bittner: I see.
Joe Carrigan: OK?
Dave Bittner: Yeah.
Joe Carrigan: So this is one of those things I immediately think back to the Penn Jillette interview we had where he's talking about the three-card Monte scam.
Dave Bittner: Right.
Joe Carrigan: And he goes, if you - even if you beat these guys, you're still losing your money...
Dave Bittner: Right.
Joe Carrigan: ...Because there's, like, five of them.
Dave Bittner: Right.
Joe Carrigan: Right.
Dave Bittner: And oh, they're going to follow you and beat the crap out of you...
Joe Carrigan: Right.
Dave Bittner: ...And take the money back.
Joe Carrigan: They're just going to haul you down the alley.
Dave Bittner: Right.
Joe Carrigan: It's right there.
Dave Bittner: Right.
Joe Carrigan: It's - you're not going to win. And that's the same case here. Don't engage these people. You know, if you really think they're committing a crime, call law enforcement and let them engage.
Dave Bittner: Cut your losses.
Joe Carrigan: Cut your losses.
Dave Bittner: Write down their license plate number, something...
Joe Carrigan: Yep.
Dave Bittner: ...Like that. Yeah.
Joe Carrigan: Yep. So...
Dave Bittner: Take a picture.
Joe Carrigan: ...I really wanted to bring that. I saw this story. It's a short story, but the key point is that someone actually got assaulted by accosting one of these people. And remember, these people are...
Dave Bittner: They're criminals, Joe.
Joe Carrigan: They're criminals.
Dave Bittner: They're criminals (laughter).
Joe Carrigan: I don't want to say they're criminals. Panhandlers aren't really - might not be criminals, but...
Dave Bittner: Well, scammers are criminals.
Joe Carrigan: Yeah, scammers are criminals.
Dave Bittner: Yeah. I...
Joe Carrigan: So...
Dave Bittner: There's nothing - I mean, a panhandler who's just saying, I'm down on my luck, could you give me some money?
Joe Carrigan: Right.
Dave Bittner: That's one thing.
Joe Carrigan: Right.
Dave Bittner: But that's not necessarily...
Joe Carrigan: You're right.
Dave Bittner: ...Scamming.
Joe Carrigan: These guys who are going from one position - or one place to the next, scamming people out of money...
Dave Bittner: Right.
Joe Carrigan: ...They're criminals.
Dave Bittner: Yeah. Yeah. All right. What else you got for us?
Joe Carrigan: The second one comes from John Matarese at Denver7. That's out in Colorado. And I got a question for you, Dave.
Dave Bittner: OK.
Joe Carrigan: Do you ever buy anything on Facebook Marketplace?
Dave Bittner: Uh, I do not. I am not on Facebook.
Joe Carrigan: You're not on Facebook, but your wife is a big Facebook user.
Dave Bittner: She is. And actually, my oldest son does quite a bit of buying and selling using Facebook Marketplace. He's been quite - that's been quite lucrative for him.
Joe Carrigan: Very good.
Dave Bittner: Yeah.
Joe Carrigan: My wife loves Facebook Marketplace...
Dave Bittner: OK.
Joe Carrigan: ...Right? And recently, actually, we were looking for a patio set - or she was browsing for a patio set. We don't need a new patio set right now. But she was looking through Facebook marketplace and came across some really good prices on patio sets.
Dave Bittner: Fine Irish girl.
Joe Carrigan: Right - with patio furniture.
Dave Bittner: Right.
(LAUGHTER)
Joe Carrigan: Well, that's one of my favorite jokes.
(LAUGHTER)
Joe Carrigan: Always gets told at all the family reunions...
Dave Bittner: I'll bet.
Joe Carrigan: ...By one of - by somebody that married into the family that isn't very Irish, by the way.
Dave Bittner: Never gets old.
Joe Carrigan: Never gets old.
Dave Bittner: (Laughter).
Joe Carrigan: We all laugh at Uncle Bill's jokes. Yeah. We make a point of buying things from local people.
Dave Bittner: OK.
Joe Carrigan: Like, we recently bought a grill, and the way we bought the grill was I drove to some guy's house. I saw the grill. I put the grill in the car, and my wife transferred money to the guy via Venmo - right? - which is fine. That's a fine model. But these folks that are in this story - by the way, we love the name of these folks. They're the Fishers.
Dave Bittner: OK.
Joe Carrigan: Right? Here at "Hacking Humans," we love that name.
Dave Bittner: Sure.
(LAUGHTER)
Dave Bittner: It's like they were custom made for us.
Joe Carrigan: That's right.
Dave Bittner: We called up central casting and said, get us some folks who have been scammed. And they brought us the Fishers.
Joe Carrigan: The Fishers.
Dave Bittner: If it was in a script, people would say it was too on the nose.
Joe Carrigan: Right.
Dave Bittner: OK.
Joe Carrigan: That's right. But their name is spelled F-A - F-I-S-H...
Dave Bittner: All right.
Joe Carrigan: ...Not P-H-I. Anyway, that was a long way to go for a terrible joke. The - in this story, they were scammed by someone impersonating Home Depot on Facebook Marketplace. And I got to tell you, Dave, this scam actually seems pretty believable because it looks very much like - when they click on the link, they actually go to a site that looks very much like Home Depot. And they're showing you screenshots in the video story of this. And you have to look really close to realize you're not on the Home Depot website because, again, they're doing this on a mobile device. This is how my wife does almost everything on Facebook marketing - Marketplace. She does it all on her mobile device. I don't like interacting with Facebook on my mobile device at all. In fact, the only thing from them I have on my mobile device is the Messenger app.
Dave Bittner: OK.
Joe Carrigan: And again, like I said, it's to communicate with my family. And if I didn't have to do that, I would delete my Facebook account yesterday.
Dave Bittner: Right.
Joe Carrigan: I really hate Facebook.
Dave Bittner: Yeah.
Joe Carrigan: But this link on Marketplace led them to this fake impersonation site that they were saying, look, we have this stuff that's been returned. It's perfectly good. We're selling $175 worth of patio furniture for a little bit less than 40 bucks. Now, I know that seems like it's too good to be true, but I've seen all kinds of open-box things at these kind of stores go for prices like this.
Dave Bittner: Sure.
Joe Carrigan: Right?
Dave Bittner: Yeah.
Joe Carrigan: And you pull it out, and you go, well, there might be something wrong with it. Or you - maybe you go to a scratch-and-dent place. You ever been to a scratch-and-dent appliance store?
Dave Bittner: Sure.
Joe Carrigan: Now, they have really good prices on scratch-and-dent appliances. But you're at a store, right? You know - and you're saying, I'm taking this one, putting it in the truck, and I'm going.
Dave Bittner: Right.
Joe Carrigan: Here's the money. Don't call me again. Even if this is shady, I don't want to know about it.
Dave Bittner: (Laughter).
Joe Carrigan: But these folks said, OK, well, fine. Well, we'll go and buy this because they were looking for new patio furniture. They paid it, and then they got a confirmation via PayPal with - I think it was Chinese across the bottom of it.
Dave Bittner: Uh-oh.
Joe Carrigan: And then they try sending emails, and they get no response from the emails. And their patio furniture has still not arrived. They've gotten scammed out of this money. So - couple of things about this - Facebook Marketplace is a great place to get good deals. Make sure you're dealing with somebody that's local, right? Another Facebook user is the way I like to do it. Don't go to a website and buy things, even though that - you know, I'm sure that there are plenty of people on Facebook - how does your son do it? Does he put - have a website, or does he just sell things on the Marketplace and...
Dave Bittner: I think he just does it right on the Marketplace. I'm not sure. Because I'm not on Facebook, I haven't actually witnessed it. But I know he does a lot of buying and selling of things. You know, like, he'll go shop at a yard sale or something and find something of value and stick it on Facebook Marketplace and profit.
Joe Carrigan: Awesome.
Dave Bittner: Yeah.
Joe Carrigan: Sounds like a fun hobby.
Dave Bittner: It is. You know, it's just a little - it's a little extra cash for him, and he...
Joe Carrigan: Maybe after my NFT thing, I'll try that.
Dave Bittner: (Laughter) Right. OK.
Joe Carrigan: Joe's get-rich-quick schemes.
Dave Bittner: Yeah. Oh, yeah.
Joe Carrigan: So good news - couple good news points here. One, these folks lost less than 40 bucks, wasn't a big hit for them. I mean, still disappointing, but it's - 40 bucks is a cheap way to learn this lesson.
Dave Bittner: Yeah.
Joe Carrigan: OK? And the other thing is, the Fishers came forward and told their story, right?
Dave Bittner: Right.
Joe Carrigan: It's embarrassing to get scammed out of any amount of money, but these folks went on the news and told their story. So I'm always a big fan of people doing that...
Dave Bittner: Yeah.
Joe Carrigan: ...Because every single person that hears the stories now is less likely to fall for the scam when they see it.
Dave Bittner: Right. Right. All right. Interesting stuff - we will have a link to both of those stories in the show notes. And, again, we would love to hear from you. If there's something you'd like us to consider, send us an email to hackinghumans@thecyberwire.com. All right, Joe. It's time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from a listener named Jon (ph), who sent us this doozy. We've done these kind before, but I think this one's pretty funny. It's a - it's the typical trunk box scam, and I'm waiting to see what voice you do with this one.
Dave Bittner: OK. It goes like this.
Dave Bittner: I'm David Morris (ph), inspection manager, Hartsfield-Jackson International Airport, Atlanta, Ga. During our investigation, I discovered an abandoned shipment through a diplomat from the United Kingdom, which was transferred from JF Kennedy Airport to our facility here in Atlanta - two consignment boxes worth $8 million and other valuable items, which were abandoned due to false declaration and unable to pay for custom and clearance fees of $750. I assure you that the consignments is in your name, and you are advised to provide all details such as your full name and resident address for delivery and confirmation of your consignment. After custom clearance, charges of $750 are perfected. Yours, faithfulness, David Morris.
Joe Carrigan: You sound a lot like Dodsworth from the old "Dodsworth" cartoons.
Dave Bittner: (Laughter) OK.
Joe Carrigan: Do you remember those?
Dave Bittner: No. I don't know - I'm not familiar with that.
Joe Carrigan: It was a Warner Brothers cartoon. He was a fat cat that always tricked a little kitten into doing his work for him.
Dave Bittner: Oh, OK. Yeah, yeah, yeah. All right.
Joe Carrigan: (Imitating Dodsworth) One of these days, I'm going to have to buy me a mousetrap.
Dave Bittner: (Laughter) OK.
Joe Carrigan: I love this. It's a typical trunk box scam. And if you do anything with these guys, first, you're going to be out 750 bucks and your...
Dave Bittner: Right.
Joe Carrigan: ...PII. And if they - if you give them the 750 bucks, there's going to be just more fees tacked on. You're never getting anything that's worth $8 million delivered to your house. That's just not happening.
Dave Bittner: (Laughter) Right. Count on it.
Joe Carrigan: Right.
Dave Bittner: Yeah, yeah, yeah. All right. Well, thanks to Jon for sending that in. We do appreciate it.
Dave Bittner: All right, Joe, I recently had the pleasure of speaking with Andrew Morris. He is the founder and CEO of an organization called GreyNoise. Here's our conversation.
Andrew Morris: Basically, the metaphor that I'll give people is kind of the equivalent of the miscreant criminal or villain who walks down the street jiggling car doors and house doors to try to just see what's unlocked and if they happen into something that's unlocked, checking the inside to see if there's anything valuable, but not necessarily going after anyone in particular - just looking to see what they acquire in doing that. This is basically the cyber equivalent of that, which is when usually a villain, bad guy, et cetera, scans the internet, port scans the internet, conducts a technical bit of reconnaissance - but instead of it being on one host, it's on many hosts or on every host that is routable on the internet - checking for the presence or the existence of a certain kind of software, then checking for the existence of - in the subset of devices that are running that software - checking for the existence of a vulnerability and then if it comes back in the affirmative, attempting to exploit that vulnerability for gain in some purpose. And that is effectively what we're talking about when we talk about scan and exploit.
Dave Bittner: Well, walk me through the process here. I mean, suppose I was someone who wanted to go about, you know, doing these evil deeds. How would I do it? What sort of infrastructure would I need to set up, and how are they generally going about it?
Andrew Morris: I can't believe I'm about to give you a blueprint on how to do this.
Dave Bittner: (Laughing).
Andrew Morris: But I'm going to do it. I'm going to do it nonetheless. So basically, if you're going to do this, the first suggestion that I have is, don't. The second suggestion that I have is, you know, you're going to need to acquire one or many hosts that you're going to be conducting the scanning from on the internet. So that might be a host in AWS. Less likely, it's going to be - more likely, it's going to be a host in some bulletproof hosting provider, or it's going to be an existing compromised device that you already have access to. So you need one, five, 10, a handful of hosts that you're going to be conducting this activity from. Then you're going to run some kind of tool, like maybe ZMap or MASSCAN or Unicornscan or Nmap, or maybe you're just going to use an existing dataset such as from Censys or Shodan, et cetera. Then what you're going to do is, you're going to actually scan the internet for whatever the port is or the ports are that that service is generally running on. You're then going to filter it down, and you're going to check for the existence of the software. That's where you're going to want to use something like Nmap or something that banner grabs, et cetera. Then you're going to take the subset of hosts that you've found that are running the software that you're looking for, and you're going to check for the existence of those vulnerabilities. You may use Metasploit to do that. You may use a custom script to do that. You may use a POC or an exploit code to do that. You may use some bug bounty code to do that. And then finally, once you have the list of vulnerable hosts, you're going to actually deliver the exploit with the payload that you're trying to deliver. And all of those things together are how you conduct a scan and exploit attack on the internet. But again, just to reiterate - super illegal. Unless you're trying to get your door kicked down by the bureau, I would advise against it.
Dave Bittner: Well, so help me understand that as well. I mean, are there any benign reasons for port scanning the internet?
Andrew Morris: Port scanning the internet - absolutely. There are tons of them. The way that Google really started is that they decided that they were going to index the internet and allow people to search it. And the way that you do that is by scanning and crawling the internet for content, then putting that content into a searchable database and then allowing people to search that database to find stuff on the internet. That's just the oldest example that I can think of. That's just search, right? Building a search engine. Separately, I mean, there are countless cybersecurity researchers who scan the internet to find risk exposure to new vulnerabilities for totally benign and honestly positive purposes - tons of research organizations that do this, tons of individual cybersecurity researchers who do this. There are entire companies that are built around this - good, positive security companies that are scanning the internet to try to warn their customers and their users of the presence of vulnerabilities on their perimeter. And so there are a ton of reasons to scan the internet and crawl the internet. And even - there are a ton of benign reasons to vulnerability check hosts on the internet. There are approximately zero benign reasons to exploit hosts opportunistically on the internet unless there are wildly extenuating circumstances.
Dave Bittner: I see. So what are you and your colleagues tracking here? I mean, my understanding is we're seeing a real uptick in these sorts of attacks.
Andrew Morris: Yeah, that's exactly right. So I think fearmongering is generally a bad thing. And I think that it's generally something that most of the time cybersecurity companies do when they're trying to sell you stuff. And granted, my hands aren't completely clean on this. Like, we have a product that is geared toward solving this problem. But we give a lot of stuff away for free, also - just to kind of put our money where our mouth is. The long and the short of why this matters and why we're sort of sounding the alarm on it is that our professional opinion - having studied opportunistic internet-wide scanning, internet background noise, mass exploitation for five-plus years - is that opportunistic exploitation, scan and exploit is increasing in volume, and it is increasing in frequency. And the amount of time that it takes to go from effectively vulnerability being disclosed to some nefarious actor attempting to exploit every single vulnerable host on the internet for nefarious gains has shrunk drastically over the last two years in particular. And so our sort of warning message to the technology community and the security community is that this is going to continue to happen. This is going to continue to get worse. Things like Log4j are going to continue to happen. They may not be as bad as that. That was actually a pretty, kind of, worst-case scenario. But they're going to keep happening. There's no reason why they're not. And so the existing security products that are out there and the existing technology solutions that are out there do nothing to prevent this kind of attack from happening and being successful. And so we're trying to build solutions to this problem to help people kind of deal with it. And at the end of the day, we believe, at GreyNoise, that more of the attacks that defenders care about than not are actually completely opportunistic, and they're actually hitting everybody in the entire internet, not just them specifically. And so if we can eradicate this entire class of threat, we can save people an insane amount of time. And that's what we're really focused on at GreyNoise. But to answer your question, it's because scan and exploit is getting worse. It's absolutely getting worse.
Dave Bittner: You know, to kind of mix metaphors and go back to what you were saying about someone walking through the neighborhood, checking car doors, you know, there's that old saying about how if you and I are being chased by a bear, I don't have to outrun the bear. I just outrun you. And I think similarly, when it comes to car doors, you know, I think, speaking to the opportunistic element of this, if I lock my car door and my next-door neighbor doesn't, that may be all it takes to keep my car from being rummaged through. Is it similarly that, you know, there are some things folks can do to kind of make sure that they're not the low-hanging fruit?
Andrew Morris: So I think that that's generally a good metaphor. The only place where it really breaks down is that computers don't care because computers have an unlimited amount of time. They don't put sweat into things. They don't have attention spans. They can do many things at the same time, whereas a person can only really do one. So that's the only place where the metaphor really breaks down is just that, like, the computer doesn't care. Code doesn't care. Computer programs don't care. Aside from that, as a general rule, that's a sound metaphor. You do want to - there's a concept called H.D. Moore's law, and I haven't heard anyone talk about it in a little while. But the long and the short of this is that if you're going to have something on the internet, it needs to be able to withstand at least any kind of exploitation of publicly available, publicly known vulnerabilities that have been weaponized by common exploitation platforms. And all of that is to say that, yes, it is important for you to be secure atomically. It's important for you to at least have some bare base level of security expectations on your perimeter. And I do think that it's important to be more secure than your neighbor, but I don't want to overly fixate on that. And I do think that it's important to just effectively, I'd say, be as secure as you know how to be based on the information that you have available, the threats that you know for sure are actually real and true, what your risk posture is, what your threat model is. I think that it's important to be as safe and secure as possible under those circumstances.
Andrew Morris: And separately, I think that it's important to not necessarily fixate on using things like intelligent block decisions or data that's provided by security companies to be safe forever, but rather just to buy you enough time to put yourself into a better position, to actually apply that patch, to actually, you know, implement that WAF rule or that IDS or IPS signature or whatever it is that is going to really put you in a stronger place. But at the end of the day, like, I think that more so than being more secure than your neighbor is being secure enough to get you to a more permanent solution. That's what I think really matters. That's the way that I'd like to frame the conversation and take it away a little bit from being more secure than your neighbor, which, again, that's a great place to start. But the place that you really want to be is to be safe and secure enough for a long enough period of time that you're able to put in - implement a much stronger, more permanent solution, such as a more effective lock on your car doors.
Dave Bittner: I see. So - OK. Well, then what do you recommend there? I mean, what's available for folks to get where they need to be?
Andrew Morris: So the first step, the most important step is to know thyself and to know where your perimeter is, where all of your different data services are that are on the internet and what you're running on it - what software you're running, what patch levels, what operating systems, you know, what programs are running on that, et cetera. The most important thing is to know thyself. That's really kind of step zero. The next thing that I would really suggest for organizations that are protecting perimeters from nefarious actors is that not all, I would say, security intelligence and security data is created equally. I think it's really important to probe the vendors and the providers of that data and information to get an understanding of how and why they have that data, where it comes from, where they're sourcing it from, so that you can get a little bit of a better picture of whether or not you could trust it because the trust is what really matters a lot. And then, once you have developed some of that trust on the quality of data that you're receiving in terms of, like, making preeminent block or preventative steps towards patching and mitigation, etc., I think that it's really important that the, I would say, block logic or data that you're using is relevant to your organization. Why would you spend money, time, resources, etc., blocking a thousand bad IPs that are attempting to exploit a vulnerability in a piece of software that you don't even run, right? That's a waste of time, and it's not going to get you anywhere. It's not going to get you any security value whatsoever.
Andrew Morris: And so scrutinize the data that you're receiving from your different vendors, your different providers. But at the end of the day, know yourself, know what technology you're running, know exactly where your perimeter is. And then, when a new vulnerability comes out - or rather, when you are considering or evaluating using data in order to make block and route decisions to buy yourself some time or to stave off exploitation from a scan-and-exploit campaign, the important thing here is that it's relevant to you and you have faith and confidence and trust in that data so that it can really deliver the results that you're looking for. And I would just basically say, don't let your providers or vendors handwave you. Really scrutinize that because you're talking about, you know, the safety and security of your organization. So that's where I think, you know, the quantifiability, that scrutiny, that trust is really, really important.
Dave Bittner: What about for the small business folks - you know, the mom-and-pops, the folks who really feel a little overwhelmed by this, or they feel out of their element - any words of wisdom for folks in that sort of situation?
Andrew Morris: Most mom-and-pops probably aren't going to have an internet perimeter, more than likely.
Dave Bittner: Right.
Andrew Morris: They're more than likely going to be behind, like, a network that has no internet exposure because maybe they're just running a payment processing system on an internal network. Maybe they've got, like, an ATM, some video cameras - like, whatever. If things aren't exposed - if you don't have a perimeter, and if you're confident in that, then you don't have to care about the specific class of things that I'm personally qualified to discuss today. You have to care about another number of things. I'd say the important thing for the mom-and-pop shop is - someone needs to care about security, right? And maybe you're at a point where it's not a top priority because you're still struggling to keep your business off the ground - that's an important conversation to have with yourself. Once an organization goes above a certain size and requires a certain amount of technology enablement, and thus has a certain amount of technical exposure, someone's going to have to care about the security of that. And, ideally, it's going to be you. But, you know, if you neglect it, then it's also possible that you're going to be in sort of, like, a world of time and money hurt from a breach that, you know, is embarrassing, and it's kind of difficult to deal with. So consider paying someone else to care about it, like an MSSP, an MDR. Consider outsourcing it to a firm who specializes in working with an organization such as you.
Andrew Morris: And honestly, like, the panacea is the wrong word that I'm looking for - but, like, the best solution that you could possibly find is just ask for security by default from your network and your internet and your technology providers. Like, make sure that the products that you're buying - the technology products that you're buying and that you're implementing are secure by default, and that security is going to be guaranteed in those products, or at least with the service that you're using. That's going to be the really important thing. If you're paying people money to give you technology, then you really shouldn't expect that they're going to make you unsafer as well.
Andrew Morris: And so I would say, for the mom-and-pop shop, until you get to a certain size, you're going to want to almost certainly pay other people to think about it for you if you have the resources to do that. And if you don't, then I think that it's important to be as educated as you need to be on the threats to your organization or your business in particular. And I think that that's the really important part. Honestly, though, the dream that I have is that, just by using technology services, security is baked in, and it's included by all of the different vendors and providers out there. And I think that consumers should demand that, and I would really like to see people continue to demand that.
Dave Bittner: Joe, what do you think?
Joe Carrigan: You know, Dave, when you're learning security stuff...
Dave Bittner: Yeah.
Joe Carrigan: ...You know, when you're going through this, scan-and-exploit is one of the funnest parts of that...
Dave Bittner: Oh, OK.
Joe Carrigan: ...Right? I mean, 'cause you normally have an environment where it's perfectly fine for you to scan and exploit things. You have your own - they're are all your own machines, so you can do whatever you want to them - or they're your training environment's machines. But it's really fun. It's good stuff. However, I like his suggestion when he says, you're going - if you're going to do this on the internet, he just flat out says don't, right?
Dave Bittner: (Laughter).
Joe Carrigan: Generally, this is a bad idea unless you're with some organization that conducts legitimate security research and has a good set of lawyers.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: Like with our vulnerability disclosure process, and our - we do research there, and, like, we were recently talking about in the CyberWire - we talked about the ProbeTheProto vulnerability, where we found thousands of vulnerable sites on the internet.
Dave Bittner: Right.
Joe Carrigan: But, actually, all of that analysis was done on our local machines, not on the vulnerable websites or any anybody's - any website's machines - right? - or anybody's machines. And that's really key - is there is a limit to how far down this process you can go, even if you're doing bona fide research...
Dave Bittner: Right.
Joe Carrigan: ...Right?
Dave Bittner: Right.
Joe Carrigan: You can never run an exploit on somebody else's computer.
Dave Bittner: Yes.
Joe Carrigan: Regardless - that's just reckless and dangerous. Andrew mentions ZMap, which is a fantastic tool developed at University of Michigan. I have a great story about ZMap.
Dave Bittner: OK.
Joe Carrigan: One of our grad students, one of our Ph.D. students went out to University of Michigan and worked with the people that developed it. He spent a summer out there. And - including Michael Bailey, who is now at University of Illinois Urbana-Champaign. I've met Michael, talked with him. I really like him. What - Michael's done some interesting research in social engineering as well. I think I've talked about his research with the USB dropping. But the other thing that he's really good at is - or he's done is IP fingerprinting - right? - which I think is interesting, and that's part of the scan and exploit thing, right? It lets you know exactly what's going on there. Anyway, this Ph.D. student brought the N map (ph) software - or ZMap software back to Hopkins and did a scan of the internet for certain ports just to see what was open. And (laughter)...
Dave Bittner: Yes (laughter).
Joe Carrigan: And the phone started ringing (laughter).
Dave Bittner: Ah. OK.
Joe Carrigan: Did somebody just run a massive port scan out of your organization...
Dave Bittner: (Laughter).
Joe Carrigan: ...Essentially scanning the entire internet to see if any of these ports were open? And the answer to that question was, of course, yes. This has happened.
Dave Bittner: (Laughter) OK.
Joe Carrigan: Now we have a - our own separate network where that happens. So we don't get the phone calls from our network security guys anymore.
Dave Bittner: I see. Someone get a stern talking-to?
Joe Carrigan: Someone did get a stern talking-to, yes.
Dave Bittner: (Laughter) OK.
Joe Carrigan: This was just a little bit before my time, so I've only heard the stories. I wasn't around for it.
Dave Bittner: Ah, OK (laughter).
Joe Carrigan: It's a good story. And ZMap is an interesting tool as well.
Dave Bittner: Yeah.
Joe Carrigan: This kind of - these kind of attacks are exactly why patch management is important. OK? These are opportunistic attacks, and you don't want to be the opportunity. Andrew makes a great point. These exploits go from concept to actionable software remarkably quickly.
Dave Bittner: Right.
Joe Carrigan: You don't have a lot of time. When you hear about a zero-day patch, you need to patch that now. One of the things I like to say is they should have that in negative numbers, right?
Dave Bittner: (Laughter).
Joe Carrigan: It shouldn't be a zero day. It should be, like, a negative seven day.
Dave Bittner: (Laughter) Right.
Joe Carrigan: Right? Because chances are, if the security breacher has found it, somebody else may have found it as well.
Dave Bittner: If I have - power up the time machine.
Joe Carrigan: Right.
Dave Bittner: Yeah.
Joe Carrigan: Exactly.
Dave Bittner: OK.
Joe Carrigan: Computers are very patient. They will do everything asked of them, and they really don't care about time. That's your analogy with the going around checking car doors. The computer can not only check car doors - it can check every single car door and the trunk and the hood, and to see if it has any key fobs that can get in, and can spend all the time in the world doing that and you don't have to be around for it.
Dave Bittner: Right.
Joe Carrigan: It's an interesting way that Andrew talks about the analogy breaking down there.
Dave Bittner: Yeah.
Joe Carrigan: Its key takeaway - temet nosce. Know thyself, right?
Dave Bittner: (Laughter) Yeah.
Joe Carrigan: This is one of the biggest issues in the IT industry, is you need to have a handle on all the equipment that you're responsible for and what's running on it. And that kind of inventory management gets much more difficult the larger your organization gets.
Dave Bittner: Right.
Joe Carrigan: Right? You start off with maybe five computers. It's easy to know what those five computers are. But now you've grown to a company with 50 computers or 50 people. And maybe some of those people have two computers. Maybe they're bringing their own devices, like we talked about earlier - shadow IT.
Dave Bittner: Yeah.
Joe Carrigan: What kind of software are these folks running? They've probably gone out and install open-source software on all these machines to make sure that things are out there. You know, you can use this scan and exploit technology to your own advantage as well. There are tools out there that actually do vulnerability scanning on your network to see if there's anything that you don't know about.
Dave Bittner: Right.
Joe Carrigan: There are plenty of tools out there for that.
Dave Bittner: Yeah. Just think about how many times somebody, you know - oh, Bob, run down to Office Depot and get an inkjet printer.
Joe Carrigan: Right.
Dave Bittner: We need to print some labels or something, you know, just...
Joe Carrigan: Yeah, and put it on the network.
Dave Bittner: Yeah. Just plug it in.
Joe Carrigan: Yep.
Dave Bittner: We got to get this job out, whatever it takes.
Joe Carrigan: That's right. And that's an important point, Dave. People aren't doing this because they don't care about security. They're doing this because they want to get the work done.
Dave Bittner: Right.
Joe Carrigan: Right? They have a job to do and they want to do it and they want to do it well.
Dave Bittner: Right.
Joe Carrigan: So.
Dave Bittner: Yeah.
Joe Carrigan: It's important that security is part of that. For smaller organizations, be mindful of security and ask for it from your vendors. Limit your exposure as much as possible. Like we talked about earlier, if you don't need it, turn it off. That's one of my favorite things to tell small organizations, is just get rid of your - make your footprint as small as possible. Right? And then, if you can, outsource it. Outsource it to somebody where that's their job.
Dave Bittner: Yeah.
Joe Carrigan: Like a managed service provider or something else.
Dave Bittner: Yeah. All right. Well, again, our thanks to Andrew Morris for joining us. He is the founder and CEO of GreyNoise.
Dave Bittner: That is our show. We want to thank all of you for listening. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.
