
2024 Security BSides // John Hammond

BSides Cayman Islands · 2024 · 55:15 · Published 2025-01

Alrighty, hi everyone. Goodness, well, hey, thank you so much for letting me come and hang out and spend some time with you all. This is a real treat, honestly; this is quite an honor to help close out and really bring this to a wrap-up and a close. But thank you, thank you, thank you. Look, I'd like, if I may, to tell you a story, going back in time a little bit, going into about February of this year, but trying to get into some incident response, some tactical stuff. I'll admit I lean a little bit more towards the tech, the nerdy, the geeky, on-the-keyboard,

tactical stuff, but hopefully there are still a lot of really great lessons to learn from it. So I'd like to dive into an incident response deep dive going over two different vulnerabilities that kind of get a little bit blurry and sort of merge together. I don't mean to get way too nerdy and tactical with CVE-2024-1708 and 1709; I won't drag us down the rabbit hole too much, I hope, but hopefully this will be some fun for you and still something worthwhile and interesting to dig through. With that said, I do need to cruise through the obligatory credibility slide, the intro: hi, hey, hello, my name is

John Hammond. Hey, look, I got my feet wet in a lot of cybersecurity stuff starting with the US Coast Guard. I was learning there at the US Coast Guard Academy, where I tried to study some electrical engineering. From there I bounced over to the United States and their Department of Defense Cyber Training Academy; they have a Cyber Crime Center, and I wanted to be an instructor and curriculum developer there. That was a lot of fun, but it tends to get a little bit old trying to keep students awake for all that time of the day; you know, you ride a unicycle and juggle a little bit to keep the heart rate up, but

look, then I thought, I'll be on the keyboard, I wanted to be an operator, so I moved over to the Defense Threat Reduction Agency as a red team cyber operator. That, truth be told, had a lot of red tape and sort of slow-moving bureaucracy stuff, so I finally found my home where I am now, over at Huntress. Truth be told, that's just, hey, the day job, but I'm a principal security researcher there, and really it's a labor of love. It's really fulfilling because we try to bring cybersecurity to what we say, oh, the 99%, and I know that's like a cheesy slogan, but really that's to, hey, offer some security and a

security platform to managed service providers, small and mid-market businesses, and we've grown to a really awesome and super-duper happy degree to support a lot. But I do know that that means, okay, defense; I know that means blue team, and I know that means protecting a lot of mid-market, a lot of small and medium businesses and managed service providers. And some folks might be a little bit more familiar with a lot of my online activities, and with that I am extremely grateful and very, very fortunate and blessed with all the support, either on YouTube or Twitter or LinkedIn, so if you see me out there making a fool of myself you can totally

track me down online. But look, I'd like to try and tell the story again, hearkening back to earlier this year, February, with some software, some applications, some programs that folks might be familiar with. I have a hunch a good many might be familiar with ScreenConnect. This is ConnectWise ScreenConnect, and it's code, it's software, it's a program and application that is really meant for connecting to screens, hence the name. It's like remote troubleshooting, remote debugging: hey, offering the capability for a technician, for tech support, for someone to remote-control your computer to solve a problem, to help fix their printer, to help configure patches. But that does mean it's remote control, like you might

think of TeamViewer, you might think of AnyDesk, or you might think of UltraViewer or RustDesk; there are plenty like this. But ScreenConnect, this ConnectWise ScreenConnect (I think it used to be called ConnectWise Control), is ubiquitous, honestly. It's just all over the place because it's good, it works very well, and the user, the administrator or the technician, has this cool little dashboard where they could click into any other computer that they need to control, to configure, to patch, to update. Maybe there are some things you'll do in the moment, like a quick one-off session just troubleshooting a bug, or you'll have really persistent access to each of the computers that you,

with good intentions, are trying to protect, configure, update and work with. That is ScreenConnect, but a lot of managed service providers, a lot of small and medium businesses, are really using this thing either to work with their clients or to work with their partners, and it's again just a huge opportunity when it's something in the crosshairs of maybe an ill-intended threat actor. Think of, oh, your remote monitoring and management capability, the RMM solution that I know a lot of folks think of; that's ScreenConnect. But it had a little bit of an oopsie, it had a little bit of an accident, a mishap, and something that we could drill down into to learn a little bit more. So, hearkening back, I know I mentioned

February of this year, and I'm, if I may, going to get a little bit behind the scenes, going to show some, oh, Slack DMs, direct messages and conversations that we have with our team, so you can kind of see how this all unfolds. Jamie, my boss, truth be told, tagged and pinged myself and Caleb, a good friend and coworker. This is pretty late in the evening, this is about 6:00 pm where we are, and it's funny, I know it's a Monday; Jamie says at least it's a Monday and not a Friday when there's some new knowledge base or security advisory update, some critical awareness notice for software. But Caleb and I were just

goofing off; we were in the middle of the evening, so we're just playing video games, and we're thinking, oh goodness, there's another call from work, another something from the boss. But hey, we got this notification with this article from ConnectWise, the provider and the author of this ScreenConnect software, sharing, hey, we have a security bulletin, some news and some update for this version of ScreenConnect, 23.9.8. And you might be able to see (I hope it's not too hard to read with the text there), but uh-oh, this spawns a thread, this spawns a whole lot of us dumping into the conversation, and this is where we start to get the team spun

up into action, right? This is when, uh-oh, we are sounding the alarm to kick off a process that we like to call rapid response, where it's genuinely, literally, oh, how many folks, how many people, how many team members can we get together to go fight this thing, whatever it might be. So a little bit of a cheesy meme there, but this was the security bulletin, the knowledge article and the update, the notice that they had shared February 19th, 2024: product, ScreenConnect, with severity being critical, priority being high; critical, high importance, something we really need to dive into right now. And I note, and again I don't know how well the text is visible on the

screen, but they say, look, this is something that is a tonight problem, not a tomorrow problem. This is going to be a big deal and it needs your immediate attention: immediately upgrade or patch to the latest version of ScreenConnect, 23.9.8. In prior versions there was some big, scary, spooky vulnerability that threat actors, adversaries and hackers could compromise, could exploit, and take advantage of that ScreenConnect instance. And again, I mentioned this is when we're starting to get the team up in action; this is where we have the Avengers Assemble sort of moment, and we suit up and we spring into action wondering what the heck this thing could be. Because it's ScreenConnect, I try to add enough background

context at the start to say this is big software used by hundreds, tons, thousands of those managed service providers, our partners, businesses and organizations all out and about. So we thought we would take a look, we thought we would do some reverse engineering, and I promise this is the first and last time we'll have code up on the screen; please, I don't want to have anyone's eyes glaze over, I don't mean to drag you down through this. But that is the process, really: as we're getting nerdy and geeky, we try to pry this thing open, and we try to analyze, reverse engineer and understand what is that software made of, how does this application work, and where are those

gimmicks, where are those whoopsies, those accidents and those mistakes that could really be taken advantage of, leveraged and compromised by an adversary, threat actor and hacker. And there is an interesting process in this, if I may say. Thankfully, because they have now shared an update, we get to do something that kind of speeds up and streamlines that work, that reverse engineering and that analysis: we can do patch diffing, where we could, oh, look at the differences, genuinely, between the latest version that they've now released and the old version, and we could find the delta. We could see the difference, what has changed, where, when and how, in those snippets of code. And Caleb, I'll admit, is

one of the genius wizards over on our team, a good friend of mine that I had gone to school with over at the US Coast Guard Academy, but he picked up on this interesting thing. You might be able to see, just on the left-hand side, the arrows over on the far, far end that say, hey, this was in the previous version of the software but might have differed in that new version. And he's thinking and rumbling around this idea: I wonder if you could set up or install or configure, like, a first-installation wizard; you know, the first time you install new software, you get to configure all the settings. What if you

could set that up even if it has already been set up before? You'll see some of the changes in the code, and I don't mean to make that too nerdy here, but there was an if statement, there was just a conditional that would say, hey, you're trying to visit this page to set up the application in our setup wizard, but it's already been set up. Normally it would not let you do that, but this gimmick, this idiosyncrasy, this little, little mistake said that you totally could. And without getting too nerdy again, forgive me, but hey, this is server-side code. This is a web-based application, because, as you saw in that picture earlier,

there's a nice, beautiful front end that's displayed to you that's built in, like, a .NET application with .aspx and all the server-side code on a lot of Windows machines. If you were to dig through the documentation, if you were to try to get laser-focused on, oh, the pieces of code that really put this all together, there's that one little trick: whenever you try to access a URL or you navigate to a page in your address bar, it builds out these different objects and all these variables and properties where it stitches together and concatenates that location, that address, that URL. And it takes these two different sort of properties or parameters, FilePath and PathInfo, and these all make up

the Path, the URL in that address bar. But, tiny trick here: if you were to add some forward slashes and some trailing locations, or add on to a location, well, that would mean that it's going to be added into PathInfo but not specifically add up to the FilePath, while this all makes for a larger Path property. I know that makes no sense when spoken aloud, but note that there's a gimmick there: ooh, we could hide in some capability where only the application is looking at one of those properties and not all of them that it should be. So, with that technical jargon out of the way, I'd love to teach you all, I'd love to tell each and every one of you

how you could hack this ScreenConnect 23.9.8 version and compromise this remote monitoring and management tool that has downstream access to all of your other clients' computers and servers and workstations that you might have used for good purposes. I'll tell you how to do it. Step one: you can go to the setup wizard page; over in your address bar, type in /SetupWizard.aspx, and then add a forward slash. Step number two: there is no step two. That's it, that's the hack. And I didn't think that there's a whole lot to this, but just because of that small little gimmick you suddenly get to that setup page, that installation, that new configuration, as

if it were a fresh, totally new ScreenConnect instance. The old administrator account is gone, you flushed them out, and now you get to step through the door with your administrator account. Nothing else has changed: that instance and that server still has all of the capability to connect and call back to the servers and computers that it's worked with prior, and you'll get to see all the details, all the settings, all the configurations that were there. You've just given yourself a new backdoor admin account, and you could have your heyday, wreak havoc, do whatever damage you might like. That is all that it took.
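Added example (not code from the talk, and not ScreenConnect's or Huntress's source): a constructed Python model of the FilePath / PathInfo split just described, to make the bug class concrete. The guard in `handle_request_vulnerable` compares the full Path against the exact page name, so a trailing slash (which lands in PathInfo) slips past it while the routing, keyed on FilePath, still serves the wizard; `handle_request_hardened` keys the guard on the same property the router uses and refuses trailing path info on that page. The ".aspx"-based split, the `route` dispatcher and the page name constant are assumptions made for illustration.

```python
# Added example (not ScreenConnect's or Huntress's code): a constructed model of
# the FilePath / PathInfo split described in the talk, showing why a guard that
# inspects the wrong property lets "/SetupWizard.aspx/" through, and one way to
# harden it. The split rule and the router are hypothetical simplifications.
from urllib.parse import urlsplit

SETUP_PAGE = "/SetupWizard.aspx"   # page name from the talk
PAGE_EXT = ".aspx"


def split_request_path(raw_url):
    """Model of an ASP.NET-style request: FilePath is everything up to and
    including the first ".aspx" segment, PathInfo is whatever trails it, and
    Path is the two concatenated. The query string belongs to neither."""
    path = urlsplit(raw_url).path
    idx = path.lower().find(PAGE_EXT)
    if idx == -1:
        return path, ""
    cut = idx + len(PAGE_EXT)
    return path[:cut], path[cut:]


def route(file_path):
    """Hypothetical dispatcher: chooses the page by FilePath only (case-insensitive)."""
    return "setup-wizard" if file_path.lower() == SETUP_PAGE.lower() else "other-page"


def handle_request_vulnerable(raw_url, already_configured):
    """Guard compares the full Path with the exact page name. A trailing slash
    lands in PathInfo, so Path != "/SetupWizard.aspx", the guard never fires,
    yet routing (by FilePath) still serves the wizard on a configured server."""
    file_path, path_info = split_request_path(raw_url)
    full_path = file_path + path_info
    if already_configured and full_path == SETUP_PAGE:
        return "blocked"
    return route(file_path)


def handle_request_hardened(raw_url, already_configured):
    """Guard keys on the same property routing uses (FilePath), and refuses any
    request for the wizard that carries PathInfo at all, configured or not."""
    file_path, path_info = split_request_path(raw_url)
    page = route(file_path)
    if page == "setup-wizard" and (already_configured or path_info):
        return "blocked"
    return page


if __name__ == "__main__":
    for url in (SETUP_PAGE, SETUP_PAGE + "/", "/setupwizard.aspx/x", "/Login.aspx"):
        print(f"{url:22} vulnerable={handle_request_vulnerable(url, True):13} "
              f"hardened={handle_request_hardened(url, True)}")
```

The point the model isolates is not the slash itself but the mismatch: an authorization check and the dispatcher that follows it must agree on which normalized property identifies the resource, otherwise every decoration the framework tolerates in the URL becomes a way to make the two disagree.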

I know we were talking about these two vulnerabilities, 1708 versus 1709, blah blah blah. This, what you see right here, that single forward slash, as dumb and as stupid as that is, was just the first one. That's the authentication bypass, right, where you no longer need to log in, you don't have any credentials, you just added a forward slash to the end of a URL, and you can point and shoot across any server that's out on the internet hosting the ScreenConnect software. But that's only number one. Number two is remote code execution, and that's where we get to the spooky, scary stuff, right? And you probably already knew with ScreenConnect, oh, getting access to that remote monitoring and

management tool meant you could push downstream code to all the connected computers, but you can still compromise this server itself, because now that you're an admin you get to add those plugins or extensions, and you can write some scrappy code that will exploit and take advantage of that computer on its own, that server and workstation. So with this you've got the keys to the kingdom, and you've got a one-to-many domino effect, poison the roots of the tree, supply chain, whatever you want to say, to take advantage of all of the connected computers. Spooky, scary nightmare scenario for a lot of managed service providers and businesses. Right now we've got to get to brass tacks,

though. We're thinking, okay, we have recreated this vulnerability, we understand the impact, kind of along the very same day, the same current timeline as this advisory coming out, and now we're going to start to put together the response or the communications the best that we can. We're going to figure out a statement to talk about this, because we really like to, we want to get that transparent information out and about. But we realized this is kind of hard to talk about, because the mitigations, or, like, oh, the response you might do to investigate and analyze whether or not you've been affected: if you're looking in the logs and you were telling folks to look for a forward

slash, well, that is telling threat actors and adversaries and bad people how to exploit it. All the very same: super-duper weird scenario where, like, the incident response work, the analysis, investigations, the mitigations, the remediations, everything that we could say to help people will inevitably end up arming threat actors and helping them exploit and do damage with this. So this was a super weird ethical conundrum, a rock and a hard place, but at the very least we need to say, okay, we have got this understood, we know the problem here. So, if I may, I tried to get a little video put together, and I'm not sure if we need anything special in the back to help play that, I'm not quite

positive, but that way you hopefully could see. Let's see if I can press play to let it go. Over on the left I have my attacker machine, there's that Kali Linux special hacker dragon, and over on the right you can see the ScreenConnect instance. Now we could turn this into a script, some standalone code that will fire it off, staging at that endpoint, that whatever server out on the internet, to do the forward-slash authentication bypass and then update and stage, uh-oh, our own admin user, perform remote code execution, just to drop a note on the desktop to say, hey, this is really bad. But that could just as easily be ransomware, right? That could

just as easily be crypto mining, crap, the threat that we deserve here in 2024. That could be defacing a website, that could be anything else, a denial of service, that could be, you name it, whatever the adversary wants to do here. But that was again just one instance of that ScreenConnect server; don't forget that could be pushed down to all the connected computers just as well. Anyway, sorry, I don't mean for all the doom and gloom. I do mean to say, though, this was a big deal and really, really trivial, right? I hear a couple of giggles out there, like, yeah, whoops, this is embarrassingly easy. There's no memory corruption, there's no heap buffer overflow, there's no kernel zero-day, it's

a stinking forward slash. So, hey, again we're caught in that rock-and-a-hard-place ethical conundrum, where how could we start to share and get good threat intelligence and information out and about for the whole world? We started to try to put together some detection guidance, where we kind of got scrappy with some of the other temporary artifacts that might be left over when, oh, there's a new change to the administrators and the actual users controlling the ScreenConnect instance. But I've got to admit, I feel like this is scraping the bottom of the barrel; this is just trying to say, hey, there are some of these tidbits, these small breadcrumbs

that you could look at, but they're not going to be as telling as the logs themselves, if you can see those web server logs, HTTP connections, or any of the other files that would have been updated here. So as we drill down into some of the detection guidance, we're trying to tell you, hey, look in the Event Viewer, try to look through some of these edge cases where there'll be a temporary artifact left over; you get to see the strange GUID, the unique identifier, with some XML artifacts, blah blah blah blah blah.
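Added example (not from the talk and not Huntress's published detection guidance): the web server logs the speaker calls the most telling artifact can be checked directly. This Python scanner parses W3C extended-format log lines, using the `#Fields:` header to name the columns, and flags any request whose URI stem reaches SetupWizard.aspx with a trailing slash or anything after it, which is the request shape behind the authentication bypass. The sample log is constructed (documentation-range client addresses, made-up timestamps), and the W3C column names are assumptions about what the server in question logs; adapt the field names to your own log format.

```python
# Added example (not Huntress's detection code): scan W3C-style web server log
# lines for requests whose URI stem reaches SetupWizard.aspx with anything
# trailing it, the request shape behind the authentication bypass in the talk.
import re

# Constructed sample log in W3C extended format with a #Fields header. The
# client addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
#Software: example web server
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-02-20 03:14:07 203.0.113.5 GET /Login.aspx - 200
2024-02-20 03:15:22 203.0.113.5 GET /SetupWizard.aspx - 403
2024-02-20 03:15:40 203.0.113.5 GET /SetupWizard.aspx/ - 200
2024-02-20 03:16:01 203.0.113.5 POST /setupwizard.aspx/ - 302
2024-02-20 03:20:11 198.51.100.8 GET /App_Extensions/ - 200
"""

# Case-insensitive: the wizard page name followed by a slash (and optionally
# more). A bare "/SetupWizard.aspx" that the server refused is not flagged.
BYPASS_PATTERN = re.compile(r"/setupwizard\.aspx/", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # directives and blank lines carry no request
        if fields is None:
            raise ValueError("request line seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-align columns
        yield dict(zip(fields, values))


def find_setup_wizard_bypass(text):
    """Return the parsed entries whose URI stem matches the bypass pattern."""
    return [entry for entry in parse_w3c(text)
            if "cs-uri-stem" in entry and BYPASS_PATTERN.search(entry["cs-uri-stem"])]


def summarize(hits):
    """Count hits per client address so an analyst sees who and how many."""
    counts = {}
    for entry in hits:
        counts[entry["c-ip"]] = counts.get(entry["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_setup_wizard_bypass(SAMPLE_LOG)
    for entry in hits:
        print(entry["date"], entry["time"], entry["c-ip"], entry["cs-method"],
              entry["cs-uri-stem"], entry["sc-status"])
    print(summarize(hits))
```

On the constructed sample the scanner reports the GET and the POST to the slash-suffixed wizard page from 203.0.113.5 and ignores the exact-path request that was refused with a 403. A server that answers such a request with a 200 or a redirect after it has already been configured is the condition worth escalating, and the status column is kept in each hit for that reason.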

This was not what it could have been. This was still us trying to politely dance with and delicately handle the scenario where threat actors have not yet caught on to this and exploited it en masse. We know the secret sauce and we want to help arm other people, but we can't let the cat out of the bag; strange balancing act. While we're there, though, in that hot spot, again thinking, okay, can we get scrappy, can we get creative, can we have some more innovation on how we can protect people, our partners, the rest of the companies and businesses? And if I may, I thought, you know, I mentioned just a bit ago, this is server-side code, this is

something that .aspx, or the .NET server and all those doodads, will really come to life with, like a PHP file if some other Linux folks in the room are more familiar with that. That really all depends on, like, the file extension for the web server serving you that code and offering the capability to load and detonate and run: okay, here's a new admin console for you to log in with. So a scrappy thought, some innovative thinking: maybe we could totally change that by just saying, okay, it's no longer an .aspx or web server file, but it's a .nope file, it's a nuh-uh, it's a not-today, threat actors and hackers. What if we were to

just slightly change that so that it wouldn't actually execute and open the door for vulnerability one, our authentication bypass, and then vulnerability two, remote code execution, where the real damage can happen? This is interesting because it would in fact stop the problem, stop the bleeding, and in a certain sense maybe sort of micro-patch or vaccinate, kind of taking a snippet of what ConnectWise had prepared but being able to push that out preemptively for partners, for businesses, for organizations. And we did it. This is, again, a strange conversation: do we take that action on behalf of other businesses, should we go ahead and do this for them? Really weird to make that decision, but considering the cost, the impact, what could come from

this, we did it. We thought, okay, let's preemptively add this little countermeasure, or a vaccine, as some might say, to prevent that scenario. And now, following along our timeline, if we kind of walk this back: we know February 19th was when this all kicked off, the ConnectWise advisory came to light, we were playing video games, goofing off in the dead of night, but then we got to spring into action and we recreated that proof of concept. We can see and understand this little slash, and that's why we called it, we got this little nickname, cutesy, like SlashAndGrab. I know everyone tries to put together a Log4Shell or a Follina or whatever those names might be for

some vulnerabilities that make big news, so we called this SlashAndGrab, and we've recreated it, but we do not share or publish that proof of concept or exploit, because that would just be handing the gun to the threat actors; bad idea. February 20th, we try to get out some of that detection guidance, try to do the best that we can in talking about this for mitigation's sake, and then we try to put out that little vaccine, that countermeasure, that small, tiny trick that could save the day. Then we start to see the community catch wind of this; we get to see some other folks like Nextron Systems, maybe some folks are familiar with Florian

Roth or Nasbench or other community contributors that like to share detection rules in Sigma or YARA, etc. So that was really cool; now we can see the world wake up to this, catch on, and we are able to help in that fight here. And there has not yet been a proof of concept or public exploit hit the streets, but as we all know, all good things must come to an end, and suddenly, soon enough, there is a simple, quick and easy little script, tool, capability out on GitHub, published for any old attacker, any old adversary. Maybe, just as I mentioned, quick and easy, just add a slash to that thing and you could

compromise, exploit, and now gain control and own that ScreenConnect server. I don't mean to be pointing fingers, I don't mean to be throwing shade, but we do get to see watchTowr out and about giving some new sweet capability to do that, and they say this is really trivial, right? It is embarrassingly easy, and there's no leet hacks here, it's just slash, SlashAndGrab. And with that the floodgates open, because I've got to say, we've been trying to arm and amp up and get ready for everything that we can share and distribute and get that threat intelligence out, but we really didn't want to be the ones to jump on that

grenade here. With that, we put out our write-up, our blog post, all of the info that we could get out and about for how this happens: that strange .NET idiosyncrasy of the FilePath, the PathInfo, those weird properties and parameters, and how you could potentially leverage now your admin access to get an update, like an extension or plugin, where you could get code execution, and how this all unravels. These are laying out all the puzzle pieces on the table, and I note this has come across a couple of different days now, right? We went from February 19th to the 20th, the 21st, and now that we can, really, the cat's let out of the bag, so we can spill the beans

and spill the tea on how this all happens. Now, I've got to admit, a good many of us are a little tired, not going to lie, chasing this thing, trying to chase ambulances; you might know the feeling. And I am grateful, I am extremely, extremely grateful for our Security Operations Center, because that is something that, hey, they're really the ones doing the grunt work. They're the ones on the dashboard triaging alerts, looking through notifications all the time, day in and day out; a lot of the research folks, we just kind of get to explore and tinker and play with what's new, hot and flashy. The SOC is really doing the great work, so kudos, if I may, to our

Security Operations Center, and truthfully a whole lot of the analysts that are across the pond. We've got some folks that are over in the UK, some in Australia, some all over the world, so that we don't have anyone working the graveyard shift. And I hope maybe this is a good testament and maybe a good notion for you all, just in case: hey, make sure there are fresh eyes on glass, not to use that buzzword, but really, genuinely, making sure we can follow the follow-the-sun model and no one's awake until 2 or 3:00 a.m. unless they want to be. And with that, they, all of our UK and Australian analysts, put together an incredible write-up on what they are now

seeing as the internet and the world has caught on fire, as the ScreenConnect exploit has hit the streets. It's easy: hey, you grab it off GitHub, load the gun, fire it away; this could be spraying and praying at any single ScreenConnect server out and about in the real world. And they were the ones that were up, at least from my perspective, in the dead of night, given that time delta, but I'm extremely grateful for all of their hard work in this incredibly beefy write-up, if I may say. There's a lot to scroll through here, but they covered, and if folks are willing to take a look, I won't drag you through the whole article, but

we saw, of course, deploying ransomware, just as I mentioned. A little bit of a gimmick here: a lot of the tradecraft that we saw there was LockBit, and folks, their ears and eyes might pick up because they're thinking, wait, LockBit around that time, weren't they on a break, weren't they on like a hiatus, a sabbatical, if ransomware cybercrime syndicates do that? Sort of, kind of: LockBit 3, or their LockBit Black version, was the one that was leaked over in September, just a little bit before the 2023 timeline, and that again was another quick, easy, commoditized tooling for anyone to become a ransomware cybercrime

syndicate, because that was just now their builder out and about. So it may or may not have been the real, genuine threat actor LockBit, but you still have the capability, unfortunately, out and about. We got to see enumerating the environment: simple reconnaissance, looking for those network shares, looking for any other Active Directory capability, looking for printers, looking for whatever servers or workstations are out and about. And running crypto miners: boring, dumb, stupid, but I guess it's a slow way to make money fast. Installing additional remote access tools, this is kind of interesting; for one thing, ScreenConnect on its own is an RMM, it is the remote monitoring and management tool, but they will add

persistence onto their own persistence to keep adding the redundancy, so threat actors and adversaries, hey, trying to make sure they've got a foot in the door. A really common one we saw was SimpleHelp, if folks are familiar with that; there's a SimpleHelp C2. Or you could just as well add a ScreenConnect client to your ScreenConnect server and get very meta, Inception, if you wanted to. Downloading a whole lot of other tools and payloads, especially Cobalt Strike; that's one of the huge, massive post-exploitation frameworks, and everyone might kind of groan and roll their eyes, like, oh yeah, more of that. Yeah, it is genuinely, though, probably the easiest thing they can reach and grab.

There is one other note that I would add, a little bit more persistence, and especially I think one that I did want to drill down into, so you could see LockBit 3.0 in action here: kind of the cheesy process chain, the graph as to what looks from here to there and when, funneling down to the ScreenConnect service finally running, and then underneath it, what might be able to be shown there in the very bottom corner, LB3, that LockBit executable. Forgive me, nerdy stuff, but some of those might be interesting for you. Has anyone ever heard of Google Chrome Remote Desktop? That's a thing. I don't know if anyone knew; I

don't, I mean, I feel like it's one that you don't hear of that often, but Google Chrome genuinely has a native capability to offer remote desktop capability, and they would use that alongside. We could go down the list if anyone was interested, but I don't really want to beat you over the head with it. If I may, some folks might have tuned in to Matt Kiely in his presentation just the other day; he had a talk over on the technical track, and we showcase this very same slide, just because it is so gosh darn pithy and perfect and sharp. Matt Kiely is a good friend at Huntress, and Dre just as

well; he's one of our Security Operations Center managers in the United Kingdom, and he said, look, while we're enumerating this laundry list of crap and code that the threat actors put out there, I know none of it is all that cool. It's not all that leet, it's not sexy, it's stuff that we've talked about, screamed and shouted about, forever, for all too long. Most of the tradecraft that we documented here in this blog post, in this write-up, is not novel, it's not outstanding, it's not original. Really, these cybercrime actors aren't that sophisticated, and I know that's a buzzword we tend to hear a lot in the news or media: oh, company XYZ was victim of a sophisticated cyber

attack. But if we dig into it, if we really take a closer look, it's the same stuff we've always seen. That's why we're always screaming and shouting about the stupid, basic boilerplate: oh, don't plug in USB drives, oh, multi-factor authentication everywhere, hey, strong, long, complex passwords, blah blah blah. I think it goes to show, though, when we get to share a lot of the information, when we get to, hey, get some of that threat intelligence out and about, we can be better armed and stronger and have stronger defenses to help beat those threats and win out in the fight. With that, there was some cool, scrappy improvement to even our own work, even our own internal dog food, right,

what we tend to use to try to combat threat actors and bring the fight, and just even knowing what is out there, knowing what is the attack surface for a business, for an organization or a company. Because then, oftentimes, maybe some of you in the room are like, oh, we use ScreenConnect, like, naturally, natively, so if there were to be a threat we would want to know what's real, what's not, what's illegitimate and what's regular, legitimate. Something that we tried to do was, hey, get a better inventory of what is in our network by default: are we going to be looking for and hunting down any other rogue ScreenConnect instances? Just things, if I may, I don't

want to get too deep in the weeds here, but I hope that kind of gets you thinking and some gears turning, like, okay, in the moment when something hits the fan, can we get scrappy, can we start to augment our own tooling, our own insight, and add to our telemetry, because we need to right then and there. I will beat up that point a little bit later, but I would like, if I may, to share kind of a safari ride of that sweet Security Operations Center work, because I think this is real, I think this is genuine, I think this is, hey, what we were all chasing in the moment,

and I think that might add to the frenzy when you're in a remote environment, when folks tend to be working from home, which may or may not be the norm, maybe, for you. But some of our analysts were saying, look, we're getting a flood of these alerts in our managed service queue, or multi-service queue, about 117 at the moment; it's just popping off, all from ScreenConnect and downloading from this transfer. website. I don't know if folks have seen that or heard of that; it's equivalent to, like, a Pastebin, where anyone can just slap some text, some data up on a website and now it's public to the whole world. They would use

that to Stage another payload or some other code and execution that would follow soon in their attack chain this spawns a giant thread of 152 replies as we're all still learning and trying to chase it Dre in the mix says hey we see some instance ID and all these screen connect IDs that have been compromised delivering Cobalt strike of course and that's actually present on seven other posts and other machines that they've reported that they've got out and about faith is continuing up and again hey we see that lock bit still up in action granted may or may not be the real lock bit threat actor uh chatting about oh what other it Department could very well

be compromised and I've redacted a lot of the host and endpoints here I acknowledge not the most pretty thing to read or look at uh but I do think that goes to show just how fre quently and how easily and how rapidly this would spread out we got to see JB start to take a look at some of the more of the interesting tradecraft and I mentioned some of the enumerating of different hosts or different other uh resources available in the environment um often times they would end up using some payload and Stager that this is probably super duper tough to read forgive me uh but trying to say hey can we actually get any update. files or fake PDFs or

parts of the attack chain that will look legitimate but clearly are not and another tidbit I don't mean to get too far gone here but this I think was a cool one because they would use some of the Powershell capability to reach out and grab uh enumerating the environment like their host name or other computers other capabilities that they might have this is one that would we see push Downstream to other endpoints because screen connect on its own the server and the application will run as a system service that means n Authority system that means the highest level of privileges on that Windows host above administrator so they've got the Keys of the Kingdom they can do whatever

they want but when screen connect is used on other hosts or you're connecting to another computer to do that remote troubleshooting to do that debugging that could be any other user that could be Joe Schmo that could be Alice that could be Bob they might not have that system capability so they would try to use this smart syntax to just exfiltrate and pull out what is the environment that I'm in what user do I have what host am I up against etc etc just trying to tag and collect all the possible victims started to see this more and more with Josh started to see more and more and I realized this is going to be

a longer basically useless slide of just how many specific hosts had now been compromised and now think in the works um I don't think that's all that valuable for you but I do think when we start to summarize when we get to the end of this long little Extravaganza here look we're sending these IR incident response or either infection reports to organizations and endpoints we sent it for over 1,500 end points like over a, over 1,600 endpoints that had a vulnerable version of screen connect whether or not they were exploited or compromised yet they were in the crosses in very could be soon and what we had tried to do with our little micro patch or the vaccine or

countermeasure was about 600 669 almost 670 different end points and that might be due in the really large Delta is because of either the host are offline we don't have the capability to connect to them or an old version of screen connect where it wasn't going to be appropriate to have that patch deployed this goes on and on and on we got to see some of the threat actors trying to enumerate different exclusions for antivirus try to see where could they hide their payload etc etc etc and I don't mean to drag you down the rabbit hole on all of those I don't mean to hey keep trying to show you the tech and the

nerd stuff because I don't know if that's super duper valuable but I will start to wind this down because I hope while we've been laser focused on this one example on this one O mass of two vulnerabilities really the simple tiny slash and grab authentication bypass with just a simple forward slash 1708 and then how that could be leveraged to go beat up remote code execution 1709 there's much more Sinister damage there in that supply chain threat of that latter one but I think whatever you might be thinking or what you're going to end up taking away from here this talk this presentation or any of the others that you've had here at besides Cayman

Islands I know there've been a whole lot of cool about cyber resilience and cyber security and the big kind of approach that we want to have while we protect and defend the recurring theme I hear a lot of that is is planning and preparing and I have a hunch that's the big motivating thing that we tend to get when we go to a conference when we go to an event like hey now we're pumped up we're going to go back to the office Implement all those cool things that we learned and prepare and plan I also tend to think that doesn't always happen because life gets in the way because other new things pop up or

because other work gets in the way and everything that you had big wide-eyed ambition to plan and prepare for sometimes still gets kind of kicked down the road and I I don't mean to be Doom and Gloom I don't mean to be pessimistic there I just think there is a certain amount of reality in that so I hope when we get to some scenario maybe like this or maybe something that where something hits the fan and we're currently backed into a corner with some weird ethical conundrum with some horrible technical issue well we can get creative we can get Scrappy we are willing to acknowledge and know okay maybe we didn't have everything planned out

Picture Perfect plan rehearse and everything but we're thinking on our feet in the moment because that will pay in dividends really really hard and with that if I may I think I would really like to kind of go say this was a humble brag when we were living through that situation of the screen connect slash and grab Chronicles here we felt like given a strange scenario where we can't talk about this because it's its own double-edged sword of the vulnerability is the exploit the exploit mitigations remediations it was just a can of worms we still hope that we had some Grace in not sharing the exploit and arming threat actors and just giving the gun to adversaries so we helped that was

the right personal perspective and opinion to have and alongside that okay we thought we could add to our own toolkit add to our Arsenal capability and I hope you might do the very same if you're thinking look this is some poh code I can put in place these are some technical controls I can add to just in the moment while something's going wrong and the communication the transparency the partnership is absolutely Paramount because when you can have the conversation just to hey this is happening this is ongoing these are things that you need to know these are things that will be coming soon as we have more details to follow that is all absolutely vital and important and I

don't know if while we're zoomed in on this scenario if we zoom out for others I hope those are things that you can kind of carry along with you um thank you so much though I appreciate and I hope that was a fun story for one

thing with that said I am early I would love to n out with any of you if there are any questions if there are any thoughts uh good bad or ugly um I'll here for you hey thanks for oh thank you for presenting today um this is a really good highlight of uh pre-authentication uh application chains so I was wondering kind of from a personal perspective or professional perspective did it really change how you feel about the software and the developer because kind of from a application security perspective you know that should have been caught in Dynamic testing that should have been caught in pre-release testing would you still recommend that software to your clients or have you kind of suggested to

your clients maybe to find alternative sources based on what you've been seeing in the environment oo super good question and I'll try to repeat it and hopefully regurgitate correctly um hey seeing this scenario uh John do you still think that I don't know are there lessons to be taken away even from like a developer perspective of software like this given the mistakes or would I still recommend that to clients Etc is that is that right did I get capture that correctly cool um thank you so much I recently tie this to kind of a previous investigation that we got to chase uh and I don't want to fall down I don't mean to go on a

tangent but previously we saw a another handful of different servers and other workstations and other hosts that were compromised all from different organizations all at the same time so we're thinking like oh no another and Gloom another nightmare scenario some software some way somehow is vulnerable and being exploited in like another nightmare scenario like this um speed running through that story turns out it was a wrapper around Microsoft SQL and they all had default credentials which could parallel well to this they're thinking oh at this point screen connect scenario it's as if there were no credentials at all but in this other scenario I'm kind of cooking up well every everyone knows the default credential so that gets my gears turning

on like is that what we aiming towards and who do we particularly blame because when we can point the finger and say oh the technician the administrators CIS admin or network Engineers they should be the one where the onus is on them to fix this and have those credentials changed at the same time I like to Hope hey our vendor or the provider could make this a little bit stronger and better with just secure defaults and that is really where I would put my hat and and lean into can we get those secure defaults without a doubt there there could be some other technical implementation of some secure randomly generated thing specific to a onetime

case for setup and for login uh undoubtedly that is what we should be striving towards and I think that's what we hear in either government or agency folks that talk about secure by default secure defaults all these things that can get over the gimmicks and gaps that could make for a bad day later down the road uh so at the end of that without a doubt do I still recommend it and would I suggest oh using software like this for an end user for a customer for business Etc I am understanding that it's going to happen anyway if just because of convenience if just because of its utility the use case for it um I would

just advise and recommend hey make sure you you can kind of keep your ear to the ground on what those vulnerabilities could be what that track record has been security updates security advisory just kind of see what's out there about that solution if you go towards it yeah oh hi John uh first off Kudos on all your efforts for getting cyber security on social media hu huge LinkedIn bump for me connecting with you so uh um joking aside uh wanted to thank you for your work and work on the the crowd strike update yeah saw you online and um what my question there is what I started to hear was as the updates came in everyone said hey you should reboot

maybe 15 times maybe try 23 and um the the the trend turn to what's your IR doing because this is a real fire drill and so kind of don't don't hate the player hate the game could you comment on on the crowd strike update and the relative unevenness on how long it took some people to get back oo okay I'll try my best um crash course on crowd strike scenario right look hey tons of computers started to blue screen uh blue screen to Death stuck in a boot loop because of the kernel driver update that had some logic bug and ultimately meant that okay it would not be able to continue its startup process I don't

think I have to tell you the rest of it that made for a good internet Firestorm and worldwide show um with that I would probably go to say that could have happened to any cyber security provider if just because of hey the privilege and access that they tend to need for the Telemetry and visibility on getting Insight that threat actors could be doing not going to lie Huntress myself other vendor ABC product XYZ and I don't want to do sales pitch crap but they're going to have a kernel driver we have a kernel driver that could happen I think sorry your actual question on instant response and teams digging into it that is really hard to measure if just because

of the amount of personnel that are able and willing to spring into action given the time given the day given the vacation given the holiday sense um and especially do they have the capability and competency to go fix this thing uh sometimes it's easy to say oh you boot into safe mode and you run this command and that works sometimes but other times you got to say hey I need you to recover the bit locker key which we don't know we don't have no one particularly does good luck um and that I think was pretty common um with that it do you I I would think do you have a question with your people like hey are

you willing at whatever time of day whatever time of night could you spring into action to save this scenario that we never predicted and no one could expect um very hard conversation to have and sometimes you might say like no that onus has to fall on me if it's a personal thing I don't know if that answers your question I'm [Laughter] sorry cool first of a great presentation John um just a quick highle question actually so we've touched on AI throughout the the conference a few times um and I know in in Tech uh it's still viewed kind of as uh gimmicky at times and so forth depending on context from your perspective though as on the research

side are you seeing any emerging Trends or any particular use cases um that utilize AI from a adversary perspective that you're noticing super good question um if I may say I have not personally drank the AI cool-aid yet and that's totally just a John opinion um use cases harder to find well Trends I think are are we had seen open AI I think specifically put out their report where you could see some using the llm and their model to look up specific o tradecraft that they might be able to weaponize I think the easiest one that we can just think of is oh Mass creating fishing emails or social engineering campaigns and permutating that not just

one time but 10,000 times um because ultimately the AI is not going to give you anything new because it's not going to find the zero day unless you can give it gidra or Ida disassembly and just say hey please find something something for me which still takes the manual and human intervention to go get that data to begin with to feed the L um for the offensive capability though I think that is as far as we've gotten that I know of uh if I may say I think there is much more fun and interesting stuff in the defensive bucket however I think that's going to have a whole lot of nuance because it's going to have to have some

human in the loop guidance thing people in the mix some way somehow uh I do really love the idea though of baselining and taking a good Benchmark of what is normal in your environment and then having at least the assistant AI buzzword helping detect those anomalies help detect what's weird what's odd there um I haven't seen that done at a wide or large scale for it to be impressive yet though I don't know does that answer your question sort of cool hi John um great presentation you have a gift to be able to take something that's geeky and really tell a real meaningful story um from it um uh the question I have though is so my understanding is that you you

you proceeded to patch or release the vaccine without permission or you know it's a risk that you took was what would have inspired you guys to do that like was is there some kind of was it covered in an agreement like did you have any legal basis to do something like that or was it just simply a risk that you were just doing the right thing yeah that is always a strange gray area uh our in-house legal team is on board and cool and understanding and we are authorized to do it it is something that we are always that that we you know find is a very rare and strange scenario uh the only other time I think that has ever

happened where we have made a proactive thing where we want to push a preventive measure was uh CA ransomware incident way back in 2022 where we had uh that small simple file if if there were an extra agent file it wouldn't be able to download and continue the attack chain um and it's very strange and odd to say did that help did that make a difference have we actively and actually prevented it um I'll unfortunately say I don't know because we we can't measure and Vary that I would like to think though that if that had saved the day for one person for one company for one business one organization then that's enough then that was good we did it and that that

felt like a really good thing um uh I don't know if I'd be able to give you too much more on oh the ins and outs red line gry line legalities of it though um I'm grateful that we are in the position where we can help with that any other questions complaints General queries okay it's hot up here I can complain about that right the lights I'm not taking your questions or complaints John sorry I'm sorry that guy kind of stole my question but I still G to try to ask it um so they patched it right they officially patched it but you still went out of your way to call The Avengers right I'm wondering um and you you just

commented that you did that before as well I'm wondering what is your inspiration to to go out and do that um are they a separate company from you or did they pay you for it or did you just enjoy doing all of this without a doubt loaded no uh you're were right absolutely from the very start of the story in the timeline it began with that connectwise advisory knowledge based update and saying telling everyone please go patch here is our patch release to go fix this problem uh and then we sprung into action Avenger style to go figure out what that was and then we realized how severe how bad it is and that's why we would think

okay let's get our little vaccine or a countermeasure or micro patch out and about the reason that we would want to help with that is because there is inevitably lag time between the advisory coming out from the vendor and then the actual users and businesses and companies doing the effort doing the action to patch um for some hey maybe your head's stuck in the sand and you have no idea that there was this horrible the skies falling Doom and Gloom vulnerability uh some may be thinking uh this isn't something that we can do because it's a whatever day of the week because my team is out on holiday because we have someone on vacation there is unfortunately a lot of

different variables where as to whether or not someone does in fact roll out the patch that's why we wanted to make that slight tweak that tiny file change because that could be what closes the door for that potential remote code execution Downstream effect um that was really the motive behind it because knowing while however many people again the 1600 or potentially more even just that we had the purview over across the world there could have been many many more uh so trying to help and do our part to get that out and about well hey thanks hopefully any other questions all right Perfect Hey thank you so much everyone this was a real treat I hope it was fun to get Tactical

for a little bit and I'll see you soon