323 lines
22 KiB
Plaintext
323 lines
22 KiB
Plaintext
|
Episode: 4276
|
||
|
|
Title: HPR4276: PWNED
|
||
|
|
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr4276/hpr4276.mp3
|
||
|
|
Transcribed: 2025-10-25 22:23:47
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
This is Hacker Public Radio Episode 4276 from Monday the 23rd of December 2024.
|
||
|
|
Today's show is entitled, P-Owned.
|
||
|
|
It is hosted by Operator and is about 21 minutes long.
|
||
|
|
It carries an explicit flag.
|
||
|
|
The summary is, I share how I got P-Owned and or allowed myself to get P-Owned.
|
||
|
|
Hello and welcome to the episode of Hacker Public Radio with your host Operator.
|
||
|
|
This one is going to be interesting.
|
||
|
|
It's about how I got completely owned of myself more or less.
|
||
|
|
This was a mistake of one opening RDP to the Internet.
|
||
|
|
Number two, I had a strong password on that account and then because my son kept logging
|
||
|
|
or kept doing stuff on my computer, I had to set the time out and then make it a password
|
||
|
|
that I could remember.
|
||
|
|
That was my fault because I had connected the two together that, hey, I had RDP open
|
||
|
|
on a weird port.
|
||
|
|
I thought that was good enough and then I thought the username being, you know, internet
|
||
|
|
was good enough and then I didn't realize that once I changed that from a complex password,
|
||
|
|
even if they were fuzzing, it would be pretty easy to find, you know, not yours as the
|
||
|
|
password for that account.
|
||
|
|
So I've been an InfoSec for, you know, ever professionally or 20 years, 15 years, and
|
||
|
|
even before Antibirus was a thing I was manually removing viruses for people's computers.
|
||
|
|
So I've been around this world.
|
||
|
|
It's not a matter of if it's win and it's, you know, going through those exercises and
|
||
|
|
having that defense and depth where one thing can get compromised, but it's not going
|
||
|
|
to blow everything up.
|
||
|
|
So I fully expect my password fault to get compromised at some point in time.
|
||
|
|
So that's why I have protections in place and there's dependencies across the board for
|
||
|
|
each thing.
|
||
|
|
There's barriers, there's the layers of depth to that security.
|
||
|
|
So although it's not great, it's still not completely getting completely owned from
|
||
|
|
like the bank all the way up.
|
||
|
|
So it started when I got, it's actually getting suddenly going to a security conference.
|
||
|
|
And I got a, you know, MFA prompt from Uber and I thought, yes, we're here to have it
|
||
|
|
logged into my Uber, you know, that's kind of weird.
|
||
|
|
And then, you know, a little bit of time goes by, maybe like 10 minutes and I get an email
|
||
|
|
saying that, you know, my wife's credit card was added to my Google Play account.
|
||
|
|
And I was like, that's not great.
|
||
|
|
So now, you know, we've got Uber, somebody try to log in about Uber and then somebody
|
||
|
|
adding my wife's credit card number to my Google Play account, which can be done with
|
||
|
|
like a tablet could have been my wife playing with the, she got a watch for my son to
|
||
|
|
track his movements.
|
||
|
|
I was like, okay, maybe she used it to buy something and maybe she's using my account somehow
|
||
|
|
and I'll try to get her not to not do that.
|
||
|
|
But I was like, okay, it could be her doing something with my account, which I don't let
|
||
|
|
anybody mess with my Google account.
|
||
|
|
But I thought maybe it could be something.
|
||
|
|
So anyways, I kind of started to work backwards from there, you know, called Kathy, said,
|
||
|
|
hey, go home, turn off the desktops, I've turned off the server, I've turned everything
|
||
|
|
off, I'll start working backwards from there, I'll try to follow up here at the conference
|
||
|
|
and then head home because I knew I wasn't going to be happy until I knew exactly how we
|
||
|
|
got compromised.
|
||
|
|
At first, I kind of thought it was Kathy, so I said, hey, you know, go home, turn your laptop
|
||
|
|
off, I turn my desktop off and other services off just to make sure.
|
||
|
|
But I assume it was my wife's computer because my son gets on there and runs stuff and
|
||
|
|
you know kids, they'll just run whatever.
|
||
|
|
So kind of wrongfully assuming it was her, I started working on hers, I didn't see
|
||
|
|
anything.
|
||
|
|
Usually the approach my approach is is, you know, I disconnect, if you have like an advanced
|
||
|
|
IR team, some people will say, don't disconnect, you want the actor on there, you can catch
|
||
|
|
them while they're red-hit, no, 90% of people do not have the qualifications to handle
|
||
|
|
an attacker live on the wire without like whatever.
|
||
|
|
So I would say most times out of not to disconnect the service or if you don't know, you know,
|
||
|
|
unplug the cable and then start going from there.
|
||
|
|
So I had her turn everything off.
|
||
|
|
I started resetting passwords for Uber, Amazon, Google, Google my Gmail and I had her reset
|
||
|
|
her password because I wasn't sure what was going on.
|
||
|
|
I was pretty sure.
|
||
|
|
I had a sick feeling that was somebody's last pass, but I was kind of hoping it was my
|
||
|
|
wife's because then I can blame her or whatever.
|
||
|
|
All of the scary thing is that I sometimes run the browser as my user on her workstation
|
||
|
|
and it has last pass on it without prompting for master passers-code.
|
||
|
|
So in essence, if you got access to my wife's computer, you would have access to not only
|
||
|
|
her last pass, but my last pass and that would give you access to kind of everything.
|
||
|
|
Now Google, I have all my Google accounts under MFA, my bank, I have under MFA.
|
||
|
|
So really there's not a ton of impact there.
|
||
|
|
It's mostly credit cards and having to reset passwords and, you know, defacing or whatever.
|
||
|
|
So in that regard, you know, I think they were after, like I said, buying gift cards
|
||
|
|
or whatever.
|
||
|
|
They didn't seem that sophisticated.
|
||
|
|
I'll tell you why.
|
||
|
|
So with that said, I told her to set it off and then I started kind of the IR process
|
||
|
|
remotely.
|
||
|
|
And then I said, okay, this isn't working.
|
||
|
|
I'm not finding a smoking con.
|
||
|
|
I'm just going to have to go home.
|
||
|
|
So I told my mom not to worry about coming because she's driving down from wherever I
|
||
|
|
go from up north to watch the kid for a few hours so that I could go to this conference.
|
||
|
|
I said, don't worry about it.
|
||
|
|
I'm coming home.
|
||
|
|
If I can't figure this out, I got to come home and figure out why I got popped.
|
||
|
|
So my way home, I kind of started to think about it.
|
||
|
|
It's like, look, this, you know, the facts at the time where, you know, PayPal was logged
|
||
|
|
into.
|
||
|
|
My Amazon was logged into and my wife's credit card, which is shared between the both of us,
|
||
|
|
was used in something.
|
||
|
|
So I said, okay, that has to be, oh, somebody's a last pass and I was hoping it was hers
|
||
|
|
in that mine.
|
||
|
|
So I'm working on her laptop.
|
||
|
|
I've seen you think suspicious, you know, kind of cleared out the temp files and kind of
|
||
|
|
looked around what I use, I like to use is auto runs.
|
||
|
|
Well, you have stuff like malware bytes running in the background, I let that run, but
|
||
|
|
I was doing my own manual IR, use auto runs to kind of look if you know what you're looking
|
||
|
|
for.
|
||
|
|
Like I said, I've been doing antivirus before antivirus.
|
||
|
|
So you know, you kind of know what to look for.
|
||
|
|
You look for DLLs or something loading that's not normal.
|
||
|
|
You can actually filter Microsoft services when you run auto runs, so that kind of helps,
|
||
|
|
but even then I don't have a whole lot running because I run a deep bloat and I get rid
|
||
|
|
of all that crap.
|
||
|
|
Second thing is to run, if you're not on the internet, that's fine.
|
||
|
|
If you are connected to the internet and you want to see something beginning out, you can
|
||
|
|
use like TCV view, that'll tell you how like the real connections and you can see who
|
||
|
|
is and be like, oh, Microsoft, cool, Microsoft cool, I mean, still could be, you know, an
|
||
|
|
attacker coming from Microsoft, but in general, you know, you see Microsoft just probably
|
||
|
|
just windows updates.
|
||
|
|
If you see some weird, you know, other country, then you know that might be some reverse
|
||
|
|
connection or a reverse shell or some persistence.
|
||
|
|
This being set up on the system.
|
||
|
|
So you know, after looking at her left up for a while, I said, you know what, this doesn't
|
||
|
|
smell like anything is going on here.
|
||
|
|
I don't, you know, they haven't been doing anything else, whatever they were working on.
|
||
|
|
They've, you know, whatever passwords they've gotten they've kind of played with.
|
||
|
|
I might come back later.
|
||
|
|
I don't know.
|
||
|
|
I have to assume that everything is completely breached until I know exactly what they did
|
||
|
|
and how they came in.
|
||
|
|
So the second step I said, all right, well, I know it has to be last pass, so that means
|
||
|
|
a workstation somewhere.
|
||
|
|
Now, there are instances where I've logged into my last pass on someone else's machine
|
||
|
|
and I have forgotten to close it.
|
||
|
|
I'm at a grandparents house or whatever and I log in, but I usually, 99% of the time,
|
||
|
|
I try to be like, okay, I can't leave this computer, you know, this system with it logged
|
||
|
|
into the last pass and I usually use incognito mode just to make sure that happens.
|
||
|
|
So moving forward, my, you know, my standard procedure is what I'm on a system, start it
|
||
|
|
in incognito mode and that will prevent any kind of sessions from dangling around after
|
||
|
|
you've left the system and you can still kind of mostly do everything you need to do.
|
||
|
|
There's some persistent cookie issues in some places where you'll have to re-off, re-off,
|
||
|
|
re-off, but in general, like, you know, incognito mode, which has nothing to do with actually
|
||
|
|
being incognito, will actually help you from getting any persistence connections, whatever.
|
||
|
|
By the full last pass is two weeks for a session, which is very high.
|
||
|
|
I set it for like, I think two hours because if you're not told in a home within two hours,
|
||
|
|
I don't want you in my last pass, so I want you connected and if you're not connected within
|
||
|
|
two hours, I don't want you, I want to re-off.
|
||
|
|
So that was a change I did make.
|
||
|
|
So dialing into the workstation, wind up stairs, the same thing, look to the workstation,
|
||
|
|
look to auto runs, look to kind of the remote, trying to stuff, trying to beacon out, didn't
|
||
|
|
see anything running, nothing else crazy, just windows updates trying to beacon out.
|
||
|
|
I had blocked everything internally, but you can still see stuff trying to beacon out
|
||
|
|
if it's, you know, some kind of third party thing or remote access.
|
||
|
|
If it's doing its persistence, so I said, don't see anything other, we're there, you know.
|
||
|
|
These guys didn't seem like they knew exactly what they were doing, you know, they didn't
|
||
|
|
dump like every single thing, that was, you know, kind of some of how last pass works,
|
||
|
|
you can do a full export, but you have to like, click an email alert, it's an MFA, essentially,
|
||
|
|
and then you have to confirm that you want to dump it, and then it'll dump it, and then
|
||
|
|
you have to put in your, finally, you have to put in your master password to get that
|
||
|
|
dumb, and that's pretty much everything.
|
||
|
|
But you'll get, not only will you get an alert, they have to know the master password,
|
||
|
|
which nobody has a theory.
|
||
|
|
So what they should have done and could have done, and probably should have done is put,
|
||
|
|
you know, just a password logger on there, and blog, you know, I used to just Defender,
|
||
|
|
and I pretty much run as limited user, so you can't really put a password logger, at
|
||
|
|
least you can for non-limited accounts on a user's space, but they didn't put a password
|
||
|
|
logger password, a key logger on there or anything, they could have used that to potentially,
|
||
|
|
but I don't type my master password a whole lot, and I don't want to make that a habit
|
||
|
|
of doing that on a Windows system for that exact reason.
|
||
|
|
So I usually keep that persistent connection, so that's kind of, you know, the give and
|
||
|
|
take of, if you type your master password all the time, and you're on a Windows system,
|
||
|
|
every time you type that password, you're exposing a potential risk, because if that system
|
||
|
|
is compromised at any time, and they've got a key logger on there, they're going to
|
||
|
|
have your master password, and then things are not going to go well for you.
|
||
|
|
So with that said, the less you type your password, the better, but you also don't want
|
||
|
|
it dangling around for long period of time on questionable resources or services.
|
||
|
|
So that's it.
|
||
|
|
You know, I'm not sure what's going on, my wife's computer seems fine, I'm not quite
|
||
|
|
ready to turn everything back on yet, because I haven't found the smoking con.
|
||
|
|
Looking around, I start thinking about, you know what?
|
||
|
|
The only thing I have that's Windows and whatever on the word stations is RDP.
|
||
|
|
And yes, I expose RDP to the internet is on a weird port, and you know, the username
|
||
|
|
was weird, it's like, well, not weird, but it's internet, and then you'd have to guess
|
||
|
|
the password, which was like super complex.
|
||
|
|
And I just had it auto log in with that super complex password, but at some point in time,
|
||
|
|
my son was using my computer, and I said, you know what, I'll just, you know, have it
|
||
|
|
auto log and I said, well, crap, I don't know that path.
|
||
|
|
And I don't want to put it on the fob, and then have to like plug in the fob every time
|
||
|
|
I want to log in.
|
||
|
|
So let me just make it like not yours, and that's the password to the account.
|
||
|
|
And that's what, essentially, that, that, that, you know, hindsight's 2020 is what
|
||
|
|
calls my issue.
|
||
|
|
So I had RDP externally facing, which I rarely used, which I don't even know, doesn't
|
||
|
|
even have any throttling on it or all, you can just brute force it to death by default,
|
||
|
|
at least with the, the scanner that they were using.
|
||
|
|
And the, the username was that internet, and the password was not yours, and they weren't
|
||
|
|
able to, I think it was like 160,000 or something.
|
||
|
|
And then what I found out is that it happened on the seventh, which was, I think, like three
|
||
|
|
days prior, something like that, yeah, they got in on the seventh, and then they waited
|
||
|
|
until like the 10th to use those credentials on stuff.
|
||
|
|
So they basically had been rushing, they possibly, they only logged in once on the seventh
|
||
|
|
for a short period of time, and then they logged out.
|
||
|
|
And I think what they probably did is they logged in on the 10th to like pull passwords
|
||
|
|
and stuff like that, and then they started using those passwords remotely when they could
|
||
|
|
have just done it on my box and had a much better success rate.
|
||
|
|
I guess, you know, they assume probably that I'll use that computer during the day, but
|
||
|
|
they didn't know that I wasn't, that was actually out, out of the office.
|
||
|
|
So I'm assuming they rummaged through on that day, on the three days later after they
|
||
|
|
got in, they came back, maybe they got pushed to a second guy, but I head up to five different
|
||
|
|
people fuzzing me from anywhere from 600 to like 20,000 different, different attempts.
|
||
|
|
So one of them got in, and that's kind of where we're at.
|
||
|
|
I went through my last pass, reset all the passwords for anything that I cared about,
|
||
|
|
put organized all my severity passwords, and then the last step is organizing and putting
|
||
|
|
them in like high, medium, low buckets, and then, you know, for the high ones, I would
|
||
|
|
force, you know, MFA, or a repassor prompt on the high ones, like stuff I care about,
|
||
|
|
like, you know, whatever, not big accounts, which I don't even have in last pass, but
|
||
|
|
for social media, or something that would be a pain to recover from, like my, like my
|
||
|
|
club, which has already forced MFA anyways, but that's pretty much where we're at.
|
||
|
|
It's not a matter, again, it's not a matter of when it's in, it's when it's defense
|
||
|
|
and depth, it's understanding what to do when there's an incident, and trying to hunt
|
||
|
|
down and figure out, okay, well, it's not matter, it's not something, something obvious,
|
||
|
|
it's something, oh, great, RDP, and as soon as I started dumping the RDP, I had like four
|
||
|
|
log entries that were like, you know, somebody from wherever, some Amazon logged in, and then
|
||
|
|
they logged out, and then that day, they logged in and logged out three days later.
|
||
|
|
So I knew that was the smoking gun, now the second question is, you know, what were they
|
||
|
|
doing, did they dump anything out, how many passwords they clicked, there's no way
|
||
|
|
to know.
|
||
|
|
So you have to assume that every single account is compromised, and it's not fun, but
|
||
|
|
you're better off assuming that then, you know, three weeks later, two days later, two
|
||
|
|
months later, oh, I can't log in to, you know, LinkedIn, or whatever, because I put it
|
||
|
|
in the, I don't care about it.
|
||
|
|
So with that said, you know, I think it's important to share these things, people are shamed
|
||
|
|
and, oh, I'm, you know, you're stupid, and you know, aren't you Mr. Information Security
|
||
|
|
guy?
|
||
|
|
No, it's not, it's not a matter of, I mean, obviously, it's a component to have externally
|
||
|
|
facing stuff.
|
||
|
|
The only time I've ever had another issue is when I put a way back, I put a remote
|
||
|
|
shell on my web server, and I just left it there, somebody just went to that address
|
||
|
|
using Google, got indexed it, went to that address, and they were able to like deface
|
||
|
|
the website or whatever.
|
||
|
|
This one was probably the worst compromise I've ever had, and again, I thought it was
|
||
|
|
important to share that story because it's not a matter of if it's when, it's the defense
|
||
|
|
and depth, it's understanding how these things are connected, what the risks are using them,
|
||
|
|
and I still would rather have all my passwords and password vault than have to manage, you
|
||
|
|
know, 200, 100 passwords manually, or even locally.
|
||
|
|
I don't trust myself enough to do that, and as far as sessions go, you know, across
|
||
|
|
whatever, you know, having that flexibility to use a phone, to log into stuff, to have
|
||
|
|
the layer, to share it, and want the family plan.
|
||
|
|
So I'm going to be kind of evaluating last pasts kind of sessions and how they stay persistent
|
||
|
|
and all that.
|
||
|
|
So I'm going to be evaluating that.
|
||
|
|
I think the two weeks is taking you from two weeks down to like two days or two hours,
|
||
|
|
I think that's going to make a big difference because that would have saved me from any issues
|
||
|
|
in theory.
|
||
|
|
So I'm going to kind of create it, set it up to so where if I'm not, if I'm idle after
|
||
|
|
two hours, re-author, re-authenticate for the master pass that way, if someone does
|
||
|
|
remote into my system, they need to put a key lawyer on there to get that master password,
|
||
|
|
which theory, you know, you can't do with normal user privileges, but these guys didn't
|
||
|
|
seem to be sophisticated attackers, I want to say Germany or something, it's where they
|
||
|
|
came out of.
|
||
|
|
But anyways, I will drop the indicators in there and kind of, that's kind of my approach
|
||
|
|
is, you know, just go through the motions.
|
||
|
|
That basic scan, nothing, what else could it be?
|
||
|
|
Well, it has to be last past because of these things.
|
||
|
|
Well, if it's last past, it has to be a workstation somewhere.
|
||
|
|
My computer, maybe a computer, I went to somewhere else, maybe a grandparents computer,
|
||
|
|
who knows?
|
||
|
|
I had no idea.
|
||
|
|
I bogged into last past, trying not to log into the last past all over, so I thought that
|
||
|
|
was fairly minimal risk there, I figured my wife didn't see anything, I said the only
|
||
|
|
other option is my computer and my desktop that I use for stuff that I realized, oh, let
|
||
|
|
me check RDP because that's the dumb thing that I left open that I soon would be obfuscated
|
||
|
|
enough for people not to mess with.
|
||
|
|
So anyways, if that was important to share, if you have any input, if you'd like to come
|
||
|
|
on and do, you know, your thoughts and stories about how you've been compromised, I think
|
||
|
|
it's important to share your approach and how you deal with the response and how to quickly
|
||
|
|
have a professional that understands how these things are connected to quickly figure
|
||
|
|
out what happened, find that smoking gun, I don't have logging, I don't have any kind
|
||
|
|
of thing, I'm actually standing up a supportable security operations center and that information
|
||
|
|
will actually go to the server, so the idea is that, you know, I have like a ubiquity
|
||
|
|
router that I can turn on stupid stuff that has a pretty high impact, but with this setup,
|
||
|
|
you know, I'd run an endpoint tools and I would have two, you know, agents on that system
|
||
|
|
that would report back in and I would get alerts like this, but this is just normal stuff,
|
||
|
|
like RDPing into a system from wherever else, I don't, you know, even if I had something
|
||
|
|
like Wazoo and Velociraptor, unless they were trying to do persistence, this is all just
|
||
|
|
normal stuff, like I have no reason to block anything in that situation, so it's one of
|
||
|
|
those things where, okay, if you want to do RDP, you know, put it on a VPN, you know,
|
||
|
|
VPN in first and then RDP, which I have, and I need to, you know, think about that,
|
||
|
|
I mean the VPN service, making sure it's, you know, stays up to date and make sure that
|
||
|
|
that's my only entry point into a third party, other services, so I do have other services
|
||
|
|
like Plex, I have Umbi and that was also a risk, but I knew it was based on last fast because
|
||
|
|
they were going across multiple accounts that I didn't, that weren't mine, so I have
|
||
|
|
Plex, I have Umbi externally facing and I also have, sometimes I'll have a torrent
|
||
|
|
client externally facing, but that's not often, but persistent services is Plex and Umbi,
|
||
|
|
and I think maybe that's pretty much it, so anyways, if you all have any questions,
|
||
|
|
want to reach out, let me know, but it happens, it's going to happen, and you know, it's
|
||
|
|
not a matter of if it's when and everyone we're human, we're all going to make mistakes,
|
||
|
|
this unfortunately is probably the worst mistake, I have a security mistake, I've ever made
|
||
|
|
probably in my entire life professionally and personally, so I think it's important
|
||
|
|
that I share it with you guys, and I'm old, 40 years old, and I have a child and I get
|
||
|
|
stressed out, and it's also important to have a security professional kind of do like
|
||
|
|
a yearly, you're accordingly, I mean, if you work at a corporation, these things happen
|
||
|
|
automatically, but do a review on yourself, have someone say, hey, here's my IP address,
|
||
|
|
can you do an external scan, see what you see, oh, shit, RDP, how did you find that
|
||
|
|
RDP port, it was on a weird port number, well duh, I just scanned all these 5000 ports
|
||
|
|
in like 8th of a second, you can scan the whole internet in some crazy amount of time,
|
||
|
|
like two hours, four hours, something like that, if you had the right bandwidth and had
|
||
|
|
the right scanner, so with that said, you know, it's unfortunate to have to share, and
|
||
|
|
it does feel, you know, bad to have to share, so you know, but I think it's more important
|
||
|
|
that I share it with the community, and that people know that, you know, it doesn't
|
||
|
|
matter who you are, it will happen, it can't happen, and you just have to plan and have
|
||
|
|
the defense and depth in place, and have the response in place to minimize the impact
|
||
|
|
of whatever that thing is, so anyways, let me know if you want to do anything with Jane
|
||
|
|
Bri or share stories, and hit me up, have a good one.
|
||
|
|
You have been listening to Hacker Public Radio, at Hacker Public Radio does work, today's
|
||
|
|
show was contributed by a HPR listener like yourself, if you ever thought of recording
|
||
|
|
broadcast, you click on our contribute link to find out how easy it really is, hosting
|
||
|
|
for HPR has been kindly provided by an honesthost.com, the internet archive and our
|
||
|
|
things.net, on this advice status, today's show is released on our Creative Commons
|
||
|
|
Attribution 4.0 International License.
|