Episode 67 March 15, 2021

ERP067 - Security Update w/ Huntress Labs

Duration: 24:25


Show Notes

Today on the podcast I'm chatting with John Hammond, a security researcher with Huntress Labs. John and I discuss the recent Microsoft Exchange attack sweeping the globe, the evolution of the AV platform, and some really cool security training platforms that John reviews on his YouTube channel. It's a scary world out there on the internet and we're here to arm you with some resources to stay safe.

Transcript
John: The gist of it, if I were to give that a thousand-foot view, it is a string of CVEs or vulnerabilities and exploits that do take advantage of Microsoft Exchange, practically all the versions, granting the attacker remote code execution.

Todd: Welcome to Evolved Radio, where we explore the evolution of business and technology. I'm your host, Todd Kane. Today on the podcast, I'm chatting with John Hammond, security researcher with Huntress Labs. John and I discuss the recent Microsoft Exchange attack sweeping the globe, the evolution of the antivirus platform, and some really cool security training platforms that John reviews on his YouTube channel. It's a scary world out there on the internet and we're here to arm you with some resources to stay safe, so listen in. If you enjoy the show, please consider leaving a rating and review in your favorite podcast app. It really helps to spread awareness and bring more listeners to the show, so we can share the message with more of the community. Now, on with the show. Joining me on the podcast today is John Hammond, security researcher with Huntress. Welcome, John.

John: Thanks so much, Todd. Happy to be here.

Todd: So John, maybe to kick things off, if you could give us a bit of your background. I'm always curious about people that end up, especially at a high level, in security. So how did that happen, where did that come from, your original interest in technology and then the specialization in the security vertical?

John: Ooh, it is a long and winding road. I guess really the very, very start was when I was a kid. I told my father, hey, I want to have a website. He started to teach me HTML and CSS and all these other kind of web markup languages, etc. And I told him, all right, if I'm going to have a website, I need to have a server. So he bought me this machine and we put Linux on it and that really opened the floodgates, so I was all interested in learning Linux and kind of understanding how computers worked. I thought, just as a kid would, I want to make video games when I'm older or I want to be a hacker when I grow up. So I researched, I'd Google around. Thankfully, I think I stumbled across Eric S. Raymond's blog: hey, if you want to be a hacker, you need to learn how to program. So I picked up the Python programming language and just tried to be a sponge, learn as much as I could. And then I found myself doing my undergrad with the United States Coast Guard Academy. With that, it has a little bit more of a government, military flair to it. They don't care so much about, hey, the cool software you can build, but they care about, is this thing secure, can we trust it in front of other people, is it safe? So it changed my mindset to not only making things, but also breaking things. And that was really where, I don't know, the floodgates opened up. I got a job with the Department of Defense Cyber Training Academy. So I was an instructor there teaching about cyber threat emulation, trying to teach other military folks and civilians how to really be an operator on the keyboard, whether it's offensive PowerShell or Python or the Metasploit framework, etc. I worked to be an operator with the Defense Threat Reduction Agency and now found myself over at Huntress, where we're trying to provide security for the 99%, right, raising education and getting everyone in the know about this.

Todd: I find that that's sort of a common thread for more of the advanced researchers that I talk to in the security channel: having a bit of that government training, government background. It does make sense, right, because as you say, security is sort of the front line of their thinking in any type of software. What do you find sort of in your channels and the people that are at your level? Is there sort of a heavy slant towards that government background, or is there a good segment of the people that are maybe self-taught or university trained, those types of things? What do you find is the split in the industry?

John: Ooh, that's a super good question. Well, truthfully, I think it runs the gamut. You'll have some folks that are very, very self-taught and maybe they're putting this together and they've got their own company and business and it's kind of a mom-and-pop shop that everyone might go to for tech, for support and all that. Others that are, I don't know, maybe more in the penetration testing scene or the threat intelligence research scene, those certainly have a little bit more of the government and military background. Just to, I don't know, be a little shady, kind of have the spooky, squirrelly look, you know.

Todd: Spooks in the spooky industry.

John: Yep. Oh yeah.

Todd: We had Huntress, we had Kyle Hanslovan, your CEO, back on episode 43. So it's great to have you guys back. I think you're one of the vendors in the industry that probably I see publicly gets the most love. I would ascribe part of the reason for this to the fact that you guys do a lot of education and a lot of outreach. Maybe a good, slight example is some of the research that you guys have done around the Microsoft Exchange vulnerability recently. A lot of the great information that I initially saw on that hack and potential remediations, again, came from Huntress. Can you maybe give us a bit of the Coles Notes? Hopefully people know about this; if you don't, then stop listening to the podcast and go look up some notes on this. But do you want to give us a bit of background and kind of what you potentially know about the vulnerability that's been found?

John: Absolutely. Well, hey, first of all, thank you. We super appreciate the love, very flattered and appreciate hearing that. But yeah, we do try to do our best to bring education and more cybersecurity awareness to everyone that we absolutely can. We're all about kind of that transparency. The Microsoft Exchange thing, I've been calling it a skyfall because it's like the sky is falling, there's a lot of panic and chaos. Understandably so. We wanted to outreach and again, produce information on, hey, this is going down. We originally posted on Reddit just to kind of get folks aware, like r/MSP, we just wanted to make sure people could see it and they at least knew that it was happening. Eventually, we formalized it into a blog post and even a kind of a webinar with some slides, which we need to keep updating and supplying new information to, because even what we were seeing in the previous days, well, now we're discovering new things, and we'll have to update those. The gist of it, if I were to give that a thousand-foot view, it is a string of CVEs or vulnerabilities and exploits that do take advantage of Microsoft Exchange, practically all the versions, granting the attacker remote code execution. They're dropping web shells that are kind of known to be indicators of compromise, so we are trying to spotlight all of those that we can find. And just now we're kind of diving into the post-exploitation that might come from it.

Todd: Okay. And what I've heard, and this is a bit of the dummy in the room type thing, I try to stay up on this stuff as much as I can, but I am not a security expert by any stretch. But what I've seen is the assumption that if you have an Exchange environment, and to clarify, this is on-prem Exchange, right? So if you have an on-prem Exchange environment that you have not patched, basically, before probably February 28th or March 1st, then you can assume that it's compromised. Is that a fair assumption in your mind?

John: In my mind, yes, absolutely. You had a good note there, this is specifically for on-premise Exchange servers. And I don't mean to sound so alarmist and paranoid and going crazy, but yeah, you really need to kind of raise the eyebrow and take some concern. If it is not patched, there's a strong, strong possibility.

Todd: And this is essentially a foothold, right? Like this is something that people would leverage to create a persistent access vector in the environment elsewhere, right?

John: Absolutely. Yeah. The remote code execution offers that attacker command and control, essentially. It's like they're at the command prompt, they can enter commands, they can really do whatever they want with that box, with that target. So we're still scratching our heads as to, okay, what comes next? Are they going to exfiltrate data, are they going to drop ransomware, is it going to become, hey, some part of a botnet? Are they going to mine cryptocurrency? We just aren't sure yet, but this is still really, really developing and kind of breaking news even as we speak.

Todd: Yeah. I mean, the security industry has always been very time sensitive and kind of hot and heavy. Certainly over the last couple of years, it just feels like it's ramping up and getting faster and faster. And the scale of the attacks, I think, is also ramping up. You know, what was it, maybe three, four months ago, maybe less than that. Time is a slippery thing in COVID. But fairly recently, the SolarWinds attack was probably one of the largest broad-scale attacks in sort of modern history. And now this one is shaping up to maybe not be as impactful or big, maybe it will be, but the pace at which this thing rolled out, on the heels of the SolarWinds attack, I think people are right to be paranoid. It just feels like you can't take a breath, you know, at every corner there's a new attack and you need to be on your toes. How do you kind of prepare your psychology around this? You do a lot of research on these things and, you know, as I say, you're right to be paranoid. But you can't also protect yourselves against all things. What are sort of the basic postures that people should be considering?

John: Yeah. I'll speak, I think, kind of high level on this because, hey, that's a huge can of worms.

Todd: Yeah. Sorry. Large question.

John: No, no problem. Obviously you've got kind of your bare-bones basics, the boilerplate security best practices that we kind of say all too often, but we really mean it because it's absolutely necessary. Sure, have long, complex passwords, enable two-factor authentication everywhere, make sure there aren't unnecessary open ports to the internet, you're not expanding your attack surface, really. And those are a little trite because we've said them so often, but really it is necessary. The other conversation that we have is defense in depth: having a layered security stack that is multiple components, right? It's not just going to be one silver bullet or magic wand that makes the bad guys go away. We talk about assume compromise or assume breach, having the mentality that it's not a matter of if, it's a matter of when. So being prepared, being patched, having an incident response playbook, etc., etc. You need to do all of those things beforehand, because otherwise you're going to be in really hot water when the time comes.

Todd: Okay. And one of the things that I did want to sort of dip into with you guys is, a few months, maybe six, seven months after I spoke with Kyle on the last episode, you guys started to release or give indication around a new product that you guys have around this, essentially an EDR and MDR, expanding the solution set and a bit more into the active measures, defense measures type solution. So I wonder if you could talk a bit about that solution. And one of the parts that I did want to focus on, that I found really interesting about Huntress's approach to this, is that you guys are leveraging Defender rather than necessarily building your own AV engine, which I thought was really interesting because, one, Defender, I think, is a lot better than people naturally give it credit for. You know, I know a lot of people that want to test out some malware and they have a really tough time getting it past Defender, just as a basic measure. So if you could touch on the solution that you guys are building as well as the thoughtfulness or the approach around leveraging Defender rather than building your own engine.

John: Yeah, there's a lot to unpack here, truthfully. But I'll give you the quick and dirty. COVID-19, right? As you mentioned, the pandemic spurred a lot of new innovation to keep partners safe and secure. We brought out services and really started to build out what we were calling the Huntress security platform. So it's no longer just the main stage event of finding persistent footholds and hacker backdoors and implants, but now we offer ransomware canaries to kind of trigger an automatic alert as quickly as we can when we detect the presence of ransomware. External reconnaissance to look for those open ports that I mentioned earlier. Like, hey, if you have RDP open to the internet, that's a bad idea. External file shares, things that really shouldn't be public facing; external reconnaissance should lock that down. And the next one, as you've been alluding to, is managed AV, managed antivirus. So in my mind, managed AV takes Windows Defender, takes the free, inherent, native, already-installed antivirus on your Windows device and kind of fine tunes it, soups it up to the next level, so it is working the best that it should. And it's also smartly integrated with the rest of the Huntress platform. So you can manage it not just on one single host, as you might by default with regular Defender, but span that configuration across your entire organization or your entire enterprise. So it's still integrated with all the Huntress telemetry, which is awesome, and you get this global view, and that's really fantastic. Managed antivirus is out in a public beta. And when we tell people that, some folks kind of get a little shifty-eyed. Like, what do you mean it's in beta, what do you mean, running an antivirus in beta? So we kind of define our own definition of beta, redefining beta as, look, no, this is strong and sturdy and tested, but we're bringing it out to the community, to our partners, so that we can kind of get a gut check. Like, hey, do you like this, does this work, is it doing really all that it should for you, what is it not doing that you would like to see? What are the other feature requests that we need to actually and rapidly improve and bring out to you? So it's solid and sturdy, but hey, right now it's a minimum viable product, and we're just going to keep fine tuning it and making it even better with the community's opinion, with their input and feedback.

Todd: Yeah, I think that's a really cool approach. Building things on the fly, not in an incomplete fashion, but, you know, getting the community input to build sort of the solution that people are looking for. I think that's a pretty neat approach to take. Could you give us a, I don't know if any of this is public information necessarily, but what would you say are sort of the next things that you guys are looking at here, sort of building out that solution or the suite? Are there other things that are kind of in the pipe that are being considered?

John: Yes, absolutely. Kind of on our road map, and I can't give details, real data, statistics or percentages of, hey, how far along are we? But we know a ton of people are asking for an API. I for one would love an API. And then we know a lot of folks are asking, hey, this is great on all my Windows endpoints, but what about my Mac infrastructure, what about even Linux maybe later down the road? So a Mac agent for Huntress is on the road map and we're starting to develop that really, really soon. I actually even saw kind of a screenshot; we had it in the dashboard, a Mac agent with the host name returned for whatever OS X is the latest version. We're like, this is awesome. We're super excited about this.

Todd: Very cool. One of the things that I did want to touch on as well is the education component. I kind of mentioned it earlier that I really appreciate the education that you guys put out to the channel. And yourself personally as well; when we got connected, I started surfing around and checking out your YouTube channel. You've got an awesome, awesome channel. It's one of those channels that's great for people whether you know a lot about security or you kind of know nothing about security. There's some great information for you to find there. The featured video, I think, is definitely one that people should check out, because you spotlight this website/service. What was the name of it again? Hack me?

John: Oh yeah, so that video specifically is TryHackMe. It's an online war game or a practice cyber range where you can sharpen your skills, try and play pretend, put on your hacker hat and act as the adversary. I am a huge proponent personally of capture-the-flag exercises and training activities and war games like TryHackMe or Hack The Box. And there are plenty of others, even with their own different flair. picoCTF is a great one for beginners. There's plenty of others, Smash the Stack, the list goes on and on for educational free online resources. And I try and showcase a lot of those because I think it makes learning security really tangible and really something you can get your hands on and really be on the keyboard as an operator. So I love to showcase that stuff.

Todd: Yeah, I agree. I think to make it a bit more fun, right, almost gamifying the exercises, I think is a really cool way to go about it. And to me, it spotlights the exercise of doing this stuff. And one, you may build up your security skill set, which is excellent, you know, just to be able to build upon that and be able to leverage that skill set for your career, obviously. But also, I find you guys are removing a bit of the mystery around the security components, and what the actual tactical work looks like is great education in and of itself, so that people understand the components and what goes into an attack. What builds malware, what do they look for, what are the components that need to be covered? What are your risk points? All of those things are excellent ways to understand the threat framework, by better understanding what the mechanics look like when someone is attacking you. And I find the traditional kind of security education can be a bit stale. So I love the fact that you kind of build this stuff in where there's a bit more activity rather than just looking at a problem on paper, where it's just a written exercise that you have to think about; actually tinkering with essentially live, boxed systems I think is a much cooler way to approach this. So I love the fact that you guys highlight this stuff. If anyone wants to check this out, definitely check it out, just search for John Hammond on YouTube and you'll probably come up, and there's some really, really cool stuff there to check out.

John: Thanks so much. I super appreciate it.

Todd: Yeah, absolutely. And also, in addition, on the education piece, you guys have an online forum coming up called hack it. And you know, you've got some great presenters, some additional materials. Again, kind of great educational material for the security threat landscape. And I think you can talk more broadly about the session overall. I think you have a session called Making the Malware, which of course, again, has the practical components and the interesting pieces. You even mentioned that there's a choose-your-own-adventure component. I loved those books when I was younger. So do you want to tell us a bit more about your session as a part of the online webinars, and the webinars in general?

John: Yeah, absolutely. We over at Huntress are super duper excited to bring out hack it. It is truthfully the second time we've put together this event. We did kind of the first round of hack it back in October of 2020. And that was excellent. It was really heartwarming. It was just such an awesome event. I think we had about 2,000 or so folks that registered. But really what we want to do with hack it is continue that growing and education. We want to make an event sort of for the MSP community, by the MSP community. So IT practitioners, security professionals, just us shady underground hackers, we want to make it for everyone. This is the first time we're offering a pre-day, which is going to be March 22nd. That'll be Hacking Windows, as a course and a class, and that should be very, very much akin to the TryHackMe war games, or that hands-on, application-based learning. So we're excited about that because we hadn't done it for last October's hack it. But day one and two, when we get into March 23rd and 24th, it's going to be jam packed with three awesome sessions. Truthfully, we try to just do, hey, we'll do one one-hour show and then just three of them back to back, right? So we don't want to make this a weekend-long conference or huge event, we don't want to bore you to death with some eight-hour-plus thing. We're just going to do three good shows and presentations. The second day will be kind of a repeat of the original content, but at a later time, so it's more friendly to those that have to miss it because of work, or whatever particular time zone you might be in if you're over across the pond. We just want to make it friendly for others as well. The first session is Making the Malware, as you mentioned, a choose your own adventure. The second one is Tales from the Trenches, or kind of hacker horror stories, sea stories and shop talk. And the very final session, which I am helping lead up, which I'm very excited about, is Slipping Past Prevention, or an introduction to antivirus evasion. So that's a big one.

Todd: I want to touch on that a little bit, the antivirus evasion. What are your thoughts on traditional AV engines versus the more modern solutions, where, you know, some are still list-based and require some downloads versus more active measures? More advanced, and looking for just heuristics rather than a particular pattern set for viruses and things. Then there's also the stuff that is just memory resident and just, you know, code execution and those types of things. It is getting a lot harder to be able to detect this stuff. It's a bit of an arms race. So what are your thoughts around those modern approaches that do evade the older AVs, and what the future looks like around that?

John: Yeah. That is exactly what we want to be breaking down in that session. We definitely want to introduce the concepts and have the discussion on signature-based detection versus heuristic-based detection. We'll talk a little bit about those fileless malware techniques where a lot of it runs in memory. What we hope to do is take kind of a classic vanilla payload to get command and control on a victim or target machine. Maybe just a flat Meterpreter payload, something to, hey, get a callback in Metasploit, kind of the cookie-cutter demonstration and showcase. But then we kind of want to fine tune it and iteratively design and keep tweaking it a bit, so, hey, will it bypass signature detection? Can we get it to do some odd or peculiar things maybe before and after it really fires a gun, and can we kind of move past heuristic-based detection? We talk a lot about next-gen AI or slapping in whatever buzzwords you want to make this crazy thing. But really we want to showcase how that all works under the hood and make it as hands-on as we can. The sessions in hack it are meant to have sort of a trajectory. The first couple of sessions we want to keep conversational, really high level. Then as we move further and further to the third session, when we're working on that antivirus evasion, we're going to get really, really hands-on, we're going to be deep diving into code, it should be pretty nerdy.

Todd: Yeah, right on. And I think if that scares anybody, like, oh, it sounds a little too technical for me: I've taken the Hacking Windows class, you know, I sat in on that session that you guys had at a conference. And it was awesome. Again, I'm not a security researcher, I know enough to be dangerous with security. But I found it really, really practical and approachable. You guys kind of had these step-by-step lists of build this machine, you know, attach to it in this way. And then all of a sudden, you know, within 15, 20 minutes, I was doing remote code execution on a Windows box. So I was like, oh my God.

John: You're a hacker.

Todd: Hey, hey. So that's awesome. Yeah, I love that session, and just to give people that perspective of it, it's not deeply complicated. And that was sort of the biggest eye opener for me in seeing that session: this stuff is really not as black arts as I kind of assumed it was, without some level of education. But, you know, once you actually see the things with Metasploit that are basically code execution out of the box, like it comes pre-loaded, it's almost like off-the-shelf software, which, I mean, it makes sense. But it was also kind of shocking how easy some of this stuff is to do. But again, I think it's really practical and approachable, regardless of your technical knowledge; it's good to build up an understanding of how this stuff works. And then, you know, if you're a bit more nerdy and a bit in the trenches, then stick around for some of the later-on stuff and get into the weeds, right?

John: Absolutely. It should be a ton of fun. We're super excited. We have Felicia King coming to join us, Jason Slagle, Matt Lee. Some really great gurus or head honchos in the community, so we're just so excited. If you're interested, you can register online; there is hackitmsp.com. That's the link, just no underscores, nothing there, just flat text. All lowercase, hackitmsp.

Todd: Okay, and we'll provide links in the show notes as well.

John: Thank you.

Todd: Perfect. Anything else that we want to touch on before we look to wrap up here, John?

John: Truthfully, no, I think this has been a pleasure, it's a real treat. I appreciate all your kind words, for one thing. And thanks so much for letting me come and hang out with everyone. This has been great.

Todd: Yeah, cool. Okay, and if people want to check out your YouTube channel, any other socials that people should check out? Obviously the hack it MSP website, or any others?

John: Oh, certainly. Yeah, you can probably cyberstalk me pretty easily. You can track me down on Twitter, track me down on YouTube, of course. Hit me up on LinkedIn, I'm happy to chat. I don't want to be a hermit; we're happy to communicate and be friends here.

Todd: Okay, awesome. Well, appreciate your time, John, and all the work that you guys are doing over there to keep the rest of the channel safe.

John: Thanks so much. Todd, take care.

Todd: See you.
