Cyber Threat Intelligence Podcast

Beyond CVSS With EPSS, SSVC, And Real Attack Signals (Brandon Parsons & Pedro Kertzman)

Pedro Kertzman Season 2 Episode 8


CVSS can scream “critical” while the real risk in your environment is quietly sitting somewhere else and threat actors know it. We sit down with Brandon, a former United States Marine Corps intelligence specialist and longtime cyber threat intelligence practitioner, to get brutally practical about what actually drives smart vulnerability prioritization in 2025. 

We talk through why vulnerability management is so hard at scale, where EPSS and SSVC help (and where they can mislead), and why the CISA Known Exploited Vulnerabilities (KEV) catalog is a solid baseline but not the standard by itself. Brandon shares the products he screens for because attackers keep coming back to them: Citrix NetScaler, VMware ESXi and vCenter, Veeam Backup and Replication, Fortinet, Ivanti, file transfer tools, RMM software, and high-impact on-prem deployments. The throughline is adversary incentive: if taking out backups or gaining initial access raises the odds of a payout, expect fast “dogpiling” once research and proof of concept exploits hit the public. 

Then we pivot into the phishing and social engineering wave: device code phishing kits that steal refresh tokens and access tokens, Microsoft Teams phishing that abuses trust, callback phishing that hides the danger in a phone number, and the growing use of burnable infrastructure like workers.dev and pages.dev. We also dig into the dark web economy behind phishing as a service and why some groups are literally hiring English-speaking social engineers. 

Subscribe, share this with a teammate who owns patching or identity, and leave a review so more defenders can find the show. What’s the one vulnerability or phishing tactic you’re most worried about right now?


Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!

Welcome And Guest Background

Brandon Parsons

I knew right away that this was gonna be a thing.

Rachael Tyrell

Hello and welcome to episode eight of season two of your cyber threat intelligence podcast. Whether you're a seasoned CTI expert, a cybersecurity professional, or super curious about the digital battlefield, our expert guests and host will break down complex topics into actionable insight. On this episode of season two, our host digital consumer point and department, who is our higher United States Marine Corps Intelligence Specialist, with over 25 years of expertise in intelligence operations and information warfare, including the system of threat intelligence manager and threat provision, and awarded supporting services provider. Brandon's areas of expertise include threat forecasting and anticipation, intelligence collections management, intelligence support to detection engineering, vulnerability analysis, open source intelligence, and dark web analysis.

Pedro Kertzman

Brandon, thank you so much for joining the show. I really appreciate you coming here today and sharing your knowledge with

Why Scores Fail Without Context

Pedro Kertzman

us. Thank you. It's my pleasure. We're talking about, you know, a bunch of different topics, but if we can start with um some of the main things for me today is a lot of uh CTI teams are still focusing a lot uh on CVSS score, for example. But EPSS is actually on the version four now, and CISA is actually pushing the SSVC. And uh so we might have some some changes from that uh point of view. Any like from the CTI uh standpoint, where do you think the real signals are? And where do you think this kind of a vulnerability um measurement or which kind of analysis uh we're gonna use as standards are are gonna go uh hopefully in the near future?

Brandon Parsons

Well, I'll tell you, um vulnerability management, in my opinion, is probably the the hardest part of running a good security ecosystem in a in a secure environment.

Pedro Kertzman

Uh oh yeah.

Brandon Parsons

You know, and it's and it's there's there's never a shortage in in things to look at, investigate, you know, and the problem is there's just so many vulnerabilities coming in at one time while you're still trying to keep up with the ones from the previous month and then the month after that. It's uh, you know, if you don't have a good strategy as it pertains to vulnerability management, you know, you know there's gonna be there's gonna be times and stuff where you're gonna realize that this small little snowball is now a giant, uh, a giant snowball before you know it. So um, but to your question regarding, you know, um Common Vulnerability Scoring System or the Stakeholder-Specific Vuln Categorization or just Exploit Prediction Scoring System, in my personal opinion, I think those things really much take a uh a network-focused, threat-agnostic um position. I I think as a CTI analyst, I inherently I have to take a threat-focused and somewhat slightly network-agnostic position. But that doesn't mean though, that CVSS, EPSS, and SSVC, you know, aren't tools to help me, you know, add to my calculus as it pertains to what threats, you know, could go after said vulnerability, you know. Um, but no matter what, you know, the the scoring systems aside, you know, we have to keep in mind that the threat actors have a say in this too. And as history has shown us, they they have their particulars, their favorites, you know, and uh and as soon as a new vulnerability drops, they they they understand this landscape too. So let me let me unpackage that a bit. 
Um I know that every time a Citrix NetScaler vulnerability that's that would allow an unauthenticated attacker to, you know, X, Y, and Z, whatever the case may be, you know, for that, I already know that it's only a matter of time before one of the various different attack surface management companies or somebody like renowned researcher Kevin Beaumont, you know, comes in and stuff and provides some very good technical analysis of this vulnerability. Um the threat actors know that too, though. So they they wait. And a lot of the times the similar exploits will will work against you know net new vulnerabilities as they come about. So but they wait for these technical, these technical papers, this technical research to come up with another um another way to do it or just to complement something that already exists.

Pedro Kertzman

So PLCs and stuff, right?

Brandon Parsons

I think it's important when it comes to scoring vulnerabilities, you know, to assessing vulnerabilities, but it can't be the primary driver

The Products Attackers Target First

Brandon Parsons

behind getting after vulnerabilities because the threat has a say in this too. Um, on a very deeply personal note, uh, I will tell you this. Um there are certain vendors and products that I exclusively screen for every time we onboard new clients, okay. And I'd like to list off some of them. Okay. Uh, first off, again, Citrix NetScaler. Um I always ask if they have any of that in their environment because you know, if you if you research CISA KEV and just type in NetScaler, you're gonna see years upon years of vulnerabilities that you know known ransomware, right? The next ones, of course, are VMware ESXi and vCenter. I always ask for those two. Um, Veeam Backup and Replication. I'm gonna cook on this one for a second. I always recommend to all my customers every time a brand new Veeam Backup and Replication vulnerability uh comes about, to priority one or priority two patch this as soon as possible because it's probably only a matter of about a week, maybe 10 days, depending on it, before somebody like watchTowr Labs or somebody else drops a technical research paper. And oh, by the way, that becomes quickly a proof of concept exploit, and threat actors really just start dogpiling on them real quick. So, and but the reason why threat actors just love the Veeam vulnerability zone, and I don't think and I don't think people really appreciate this. A lot of the times, you know, the point of having a Veeam Backup and Replication software and having good Veeam backups is in the event something does happen, you can fall back on this. If I was the threat actor, my chances of getting paid are that much higher if I can hit your Veeam Backup and Replication, because now I've crippled your entire network if you don't have good backups and stuff that are readily available. And I think that's very key. The other ones, Fortinet lately, uh Fortinet's having a rough year. Um Fortinet just recently made my list of uh favorite things. 
So, but you know, it's I say almost monthly to biweekly. We see a brand new FortiClient EMS, FortiWeb, or Fortinet SSL VPN vulnerability that starts to get attacked and targeted by just a myriad of different threat actors, ranging from state-sponsored APTs or in some cases just the e-crime actors that we typically deal with, right? I have a note here for Ivanti Everything. Yes. Enough said. Um any file sharing service like your Progress Software, your Fortra GoAnywhere, Gladinet CentreStack, all those things have one primary group truly in common that goes after them, and that's Clop. Um, Clop really deviated though uh last year when they started going after the Oracle EBS vulnerabilities. That was pretty interesting. Um, it's very interesting to see that one and they hit it at scale. Um, the other ones that I always look at are, of course, RMM software as well. Oh, yeah. Remote monitoring and management software is king. You know, if you can exploit that, I mean, what was it? Uh the ScreenConnect vulnerabilities, and I think it was 2024. Like they didn't even get CVEs assigned to them yet before threat actors started dogpiling on them, you know, uh, or it could have been they already they were already targeting this vulnerability that was in there. And, you know, now like the you know, the the vulnerability management process and the uh apportionment of a of assigning a CVE, you know, has to come about afterwards. But I always thought that was really interesting. And, you know, and history has really taught us that, you know, these aforementioned softwares, they're they're great products, you know, but that doesn't mean that the threat actors don't take advantage of them, that they don't target them, you know, everywhere else and stuff. Okay. And last but not least, anything on-prem deployment, you know, I look at those and stuff very, very closely as well. 
So the thing that we learned with BeyondTrust, the things that we've learned with SharePoint, you know, the ToolShell vulnerabilities, you know, those quickly got dogpiled on by a bunch of other folks too, you know. So when I think about, so like a the just to kind of bring it full circle, you know, I very much so take the threat-focused, network-agnostic, you know, look at these different things. You can have a max sev vulnerability, but if it's behind, you know, three different tiers of a defense-in-depth, you know, enterprise organization, then well, yeah, you should be able to do that. Likelihood, but the likelihood of somebody hitting this thing if it's not public facing and it's not really uh, you know, you know, in your attack surface, you know, your public-facing attack surface, then you know, it's gonna it's gonna have a much lower score, you know. Um, it's really funny. Uh EPSS, EPSS, I think it could be deceptive, though, a little bit too, where you can have something with a very high EPSS score, but at the same time, you know, that vulnerability is is is is not you know public facing, not discoverable. I can't see it, I can't hit it, or it requires user interaction, you know, to to in order to trigger, right? So, you know, you can have the highest EPSS score in the world and stuff, but it's it really depends on how you have your network set up, you know, and that's really what this boils down to is how your network is set up, you know. So hopefully that answers that question.

Pedro Kertzman

Oh, 100%, 100%. And you mentioned some very good points.

KEV Catalog Limits And Patch Triage

Pedro Kertzman

Uh, I'm gonna piggyback on on some of them. Um, so you mentioned the uh KEV list. Some of us uh I call it Kev list. Um I think it was S2W, they published like a report. They they were studying and doing some stats around it. Uh they found that 45% uh of the CVEs on the on the KEV list, uh, they were actually discovered two plus years uh before they actually got published. The CVEs got published uh for the first time. Uh so you know, we have on one hand the uh you also piggybacking on another thing you mentioned, you also have the exploits that even before the CVEs are published, threat actors are already jumping on it, right? I think Google actually published uh a report also mentioning that for the first time last year, the time to exploit CVE came from like positive whatever to negative, right? That last year. So I mean before publication, people were like really at scale, yeah, exploiting things. But on that other end, right? So 45% of the probably most exploited or seen being exploited vulnerabilities uh because of the KEV list were actually two years or plus old. What is your you know, thoughts about uh between this kind of a uh tug-of-war a little bit, like between you know, patchfest, this is critical, you know, they are already POCing this, or don't stop looking at vulnerabilities just because they're not being dogpiled currently by threat actors?

Brandon Parsons

So I got a couple of things to pull out of that one, and it's a great question, too. Um, I'm gonna preface, I'd like to preface though with something that I learned uh in the Marine Corps. Um uh so I spent 20 years in the Marine Corps. Um uh I spent most of my time down in infantry battalions, uh, and then the other half was with information and cyber units and stuff, and a little stint on recruiting duty in Beverly Hills, California, too. That was pretty interesting. Um uh I'm gonna drop some Marine Corps knowledge on you. We got this saying it says junk in and junk out. Okay. Um, whether it has to do with managing the normal day-to-day grind or the next bright, shiny object that you know our leadership elects to chase, you know, uh that day, junk in, junk out, right? Yeah, so that saying unfortunately does not apply to vulnerability management whatsoever. Um, but I bring it up because because of this reason. If we switch out within, junk in, junk in. Okay. When it comes to vulnerability management, if you don't do something about it, somebody will in this case. And in this case, it's the threat actors. So going back to that threat-focused, network-agnostic thing, you know, these guys know that, you know, things like mythos, things like more vulnerabilities, more, you know, the vulnerability counts every year are only increasing. So the security teams don't have an don't have the most ample amount of time to address every single vulnerability. Um, sometimes in some

Adobe Zero-Day As A Decision Point

Brandon Parsons

cases, it requires a third party to come in there to help you evaluate these things to stay on top of them, right? Um, so about that though, the Adobe vulnerability, the zero day that just came about this month, um, I think it taught everybody a really interesting lesson. Uh, a really, really interesting lesson. Adobe is one of those, you know, programs, you know, that sits in your environment. And if you don't open up the uh, if you don't really open it up, it and you don't actually like update it, or you don't have your Microsoft Intune firing or your Patch My PC firing, that thing is just gonna sit there unopened uh on your uh on your desktop. And uh and it's gonna accumulate just a multitude of vulnerabilities and stuff over time. And now with this new vulnerability that came about, like everybody um everybody had a pretty good reason if they were actually paying attention to patch their Adobe. Or in in our case, uh we we we talked to our customers about it for our threat and vulnerability management as a service offering that we have. We basically told them like you have a lot, you've got over X amount of vulnerability specific, uh, you know, uh Adobe specific vulnerabilities in your environment. Um, do you really need Adobe Reader as an application? Because you have things like Edge where you can open up uh your Adobe document if you need to. You have things like Chrome that you can open up an Adobe document in. In fact, you can probably edit the Adobe document from these two things, you know. And it was pretty interesting. It was uh I like to call it uh back to the Marine Corps terminology, a decision point. But for those folks who said, no, we need Adobe, it's fine, we're gonna patch it, and they actually did patch it and they brought it up to its most current version. 
If they have any kind of vulnerability management service or something that tracks the amount of CVEs that you have in there, they all just put a significant dent in the net, you know, total quantity of vulnerabilities that they have in their environment by releasing a patch and pushing it across the entire enterprise. Because depending on how big the enterprise is and how many workstations actually have Adobe installed that required you know the update for Adobe Reader, you know, there's probably a good chance that more than nearly all of them had not been updated for years. So, you know. So, and then you multiply that by you know each workstation, and now you've got quite the quantifiable uh amount of CVEs that just kind of fell off your radar and stuff because you had a reason, this is zero day, you know, to exploit. Uh, I mean that that was under active exploitation, but very limited. You actually had a good reason to to get after it. Um, and uh and it's pretty interesting, right? So I I like to use I wanted to use that to kind of scope and and shape, you know, to kind of answer your question. Um the KEV is a good list. It's a good list. Um, it's a good list for confirming that if said vulnerability that you're evaluating has any kind of history of exploit behind it, but that's about it. Um it's a good baseline to to use and stuff, but it's not uh it's not, I wouldn't say the um I wouldn't say it's the it's the it's the standard, you know. Um and I and I say that because there's plenty of vulnerabilities that get exploited before they make their way onto the the KEV, you know. Um, but a lot of times people use the KEV like, well, I have this uh this vulnerability, it's a 9.8, and uh oh, and uh and an unauthenticated attacker can do X, Y, and Z, you know, stuff on it, but it's not in the KEV. 
So I guess I can I can go I can go chase after this one that is on the KEV that some random state-sponsored uh APT hit uh a year ago, and uh they went after another government organization, and I'm part of a I don't know, um a retail organization. You see what I mean? That could be exceptional. So it's it it it context is key when it comes to this stuff. Although the KEV, you know, has that level level set baseline that you can use and stuff when you're looking at a vulnerability and you're analyzing it, it's not the end-all be-all. It's not the standard, you know. Um, the real standard is is using your other tools to take a look at things. So, and I think that um I like to get into the vulnerability itself. I like to research specifically and look at the language that's in the vulnerability, right? And I also like to take a look at where that thing sits within the attack surface, you know, uh, and and I think that's the most important thing, you know, um, is really looking at that. So combining CVSS, EPSS, and actually taking a look, well, this group hit something very similar to that, you know, that's important. Um, going back to the Adobe vulnerability, even though whoever was, you know, throwing that thing as an you know and exploiting it, you know, against the Russian-speaking audience, that doesn't mean though, that researchers upon researchers did not put forth a whole bunch of technical analysis talking specifically about that CVE before it got a CVE assigned, right? On top of that, you also have a whole bunch of proof of concepts now specifically for that CVE sitting out there, publicly available as well. What's stopping one threat actor from coming up with his own weaponizer and using that against a widely available, probably most widely available, Adobe Reader vulnerability and coming up with their own exploit? So that's what I was watching for. 
Well, after I obviously I published our report, you know, over the weekend too, because I think Adobe dropped the vulnerability on a Saturday, and I mean, you know, the world was graced with this wonderful vulnerability on the Sunday morning. So right before church, it's like too important. Okay. Um anyway, um, so uh where I'm really heading with this though is you know, context is key. You know, context is super key. And uh and the threat actors, you know, they're they're watching and they, you know, um, I learned something uh when I was in Afghanistan. Um a Taliban leader once said, you can own the watch, but we'll own the time. And uh the same rules really apply with threat actors too, especially if they're waiting to, you know, coming up with exploits for vulnerabilities that are two years old. You know, people have probably forgotten about those vulnerabilities at this point. They probably and they and they don't realize the stuff that these guys are are watching and they're waiting and they're coming up with their own stuff too, you know, inside. So the best thing that you can do is just learn how to pay attention and navigate this CTI ecosystem

Dark Web Chatter As Prioritization Signal

Brandon Parsons

and watch for things as they come about.

Pedro Kertzman

No, that's that's very interesting. You mentioned uh uh some very good points. Uh, if we could expand, for example, for for companies that are more, let's say, on the top of the the vulnerability threat landscape, uh, have a good patching system. I really like on the top of vulnerability-related uh stuff. Um for those cases where and I'm gonna I'm gonna flip to KEV list now. So on this, it's not even there, it's uh sometimes not even uh have a CVE associated to it yet, but they know it's coming or just dropped. Uh, if they have like a really good system or framework to really be on the top of vulnerability, what kind of uh uh signals they could look, for example, on dark web forums or Telegram channels, like what how they could monitor to really uh on that fine edge of being on the top of it, they still can prioritize what's going to be the first one to patch and the second one, so on and so forth.

Brandon Parsons

That's a great question, too. Um so I'll tell you about how my team and I do it, okay? Um we have this tool. Uh it's called uh it's called DarkOwl. Um, I'm not sure if you've heard heard of it before, but what a fantastic tool. It's it's it works so good. I use it for a lot of different things. I I monitor organizational mentions and stuff on the dark web and Telegram chats, all sorts. I monitor email domains, website mentions, all sorts of different things. And they and you know, they're not shy about what their data sources are and where they pull their data. So it's very, very helpful. Um one thing that they have in there as it pertains to vulnerability management is you can do a CVE-based search, right? So, as new, like case in point, this brand new uh Linux vulnerability, Copy Fail, that's what it's called. Um, that's the one I was talking about just a second ago. Not packed to uh to the root, but this new one that uh you know that just popped in, right? Um right after I published the report and I kicked this out to my customer. The second thing I do is I go take a look at that CVE and do the CVE-based search, you know, using DarkOwl. And from there, I'm able to see exactly what the appetite from threat actors is based off of the different Telegram channels, based off of the different forums and stuff, who's talking about it. If it's on, you know, like let's hypothetically say something like DarkForums or some of the other dark web channels, and they're already talking about it, and they're already asking for, hey, does anybody have a POC for this yet? Hey, did anybody test the POC that came in with this vulnerability already? Hey, can we do this? Can we do, you know, like who's got something that's weaponized for this already? Like, I'm seeing that in real time. That is what I use, and that criteria is what I use to tell some of my larger customers, like, hey, there's a lot of chatter about this vulnerability right now. They're talking about it. 
Apparently, somebody has a weaponizer up for sale for it. You should probably, if you haven't patched this already, you should probably P1 this as soon as possible. And this is why, or you need to probably implement or put these mitigations into place right away. So DarkOwl does a phenomenal job at that. Um, we've uh we've been partners with DarkOwl now for three years or so, and uh I couldn't be I couldn't be a happier customer, to be honest with you. They're a great, great organization, it's a great tool, um, and it and it gives you that granularity, you know. So that's awesome. A lot of good stuff with that. So that's how I that's basically how I uh stay kind of at the cutting edge, you know. Um, and that's how I'm able to watch and maintain some level of persistence on what the actors are saying about

Device Code Phishing Gets Industrial

Brandon Parsons

this, right?

Pedro Kertzman

Great testimonial. Yeah, that's awesome. Um, and switching switching gears a little bit, uh, when it comes to phishing, for example, uh the techniques being used, tactics, uh, you know, TTPs for phishing, if you will. Um, what are you seeing like for the most prevalent ones, uh, like recommendations and insights, if you see any like changes on that uh type of TTP? Any new things around that?

Brandon Parsons

Well, I think right now, if I had to pick three, and this is the three that I brief my SOC every morning um during our during our morning standup, we're uh we are very much so on the alert for in in this order too. Device code phishing right now is kind of a big deal. Um, it was uh it was a really big deal two and a half, three weeks ago when uh everybody all of a sudden started learning about this brand new phishing kit called Evil Tokens, where it's able to throw device code phishing emails out there at scale. And threat actors, threat a lot of threat actors, you know, really switched over to using that uh primarily because if you can steal the refresh token and the access token and all those different things, like you are king at that point. Uh, you basically own that machine, you know, you own that device that you just popped, you know. So, and then what really kind of shook uh what really shook uh a lot of the CTI ecosystem too with that was when people started talking about Venom, the other, you know, device code phishing as a service that just kind of popped up. But that one's used against executives, which is why everybody, uh which is why everybody started really talking about it. Um we actually published our device code phishing uh intelligence bolt, and that's kind of our flagship product. Uh a week, a week prior to you know, BleepingComputer, you know, putting out the the thing on Evil Tokens, they I think they they got caught up with something else. Usually they don't miss things and stuff that come about. But uh I'll tell you, um Abnormal Security put together a really, really, really good report uh on um on uh on Venom. And uh and I think uh Sekoia did a great job of talking specifically about Evil Tokens and everybody else. So um you put two and two together, yeah. Uh those two right there, uh, you know, uh just uh Evil Tokens and Venom, very, very interesting uh to see. 
But it kind of follows the natural you know maturation of what we've been seeing with device code phishing. If you recall earlier this year, ShinyHunters was, of course, you know, throwing some device code phishing, you know, uh emails and stuff out there as well. Um, but what are they really after? What do what do all these things really have in common? Well, they want your access token or two, they want to register themselves on your on your uh on your Entra. You know, they want they want what you have, which is placement and access into the uh organization. And no matter what kind of phishing you're looking at, that's kind of the the key right there is placement and access, right? Um, you can get placement and access, meaning you can own this account and establish persistence there. Well, what can you do? Well, if you're ShinyHunters, you can go dump every SaaS, every SaaS that you got in there. Um, if you're an initial access broker that's just throwing device code phish, you're you're you're a proud, you're a proud user of Evil Tokens. Uh you well, you can go get persistence, you can go uh you can go steal an account and stuff in the live refresh. You can go establish persistence, and then you can go sell that on the dark web, like DarkForums or somewhere else, right? Um if you're a ransomware you know operator or a ransomware you know affiliate of some sort, well, you get access to that account, you can start swimming around and start dumping domain controllers depending on your capabilities and skill sets. You can you can get in there and you got your beachhead, you got your foothold, you know. So I think uh I think we haven't seen the last of device code phishing. I think that it's gonna improve, it's gonna upgrade, and it's gonna get better and better because it's now become like kind of the thing, you know. We we remember when ClickFix like started coming about, ClickFix was a huge thing. Why? Well, because people fell for it, you know. 
Yeah, the same rules apply with device code phishing because people fall for it, you know. Uh it's that easy. Yeah. The second one, the second

Teams Phishing And Callback Lures

Brandon Parsons

one that I'm seeing a lot of too is is Teams-based phishing. Um Teams-based phishing, you know, Teams phishing, right? Uh, that one is interesting too. People still for some somehow or some, I know my customers don't, thank God. Um, because we talk, we've been talking about this for two and a half years, right? So um Teams-based phishing, right? A lot of people still feel that if you're on Microsoft Teams, you probably have a good intent. You know, if you're if you're using Microsoft Teams, you're probably here for official business. You're valid. Yeah, you know, it's something that you know, it's a people feel safe there. I I guess I guess that's what it is. It's a safe room or a safe space, you know. But that's exactly why you had groups like Storm-1811. That's why these guys were so, you know, became so prolific. It was new, it worked, it was highly effective. Um, now what we're seeing with Teams-based phishing is it it's it's really interesting. Um, either it's a it's it's it's it's one group doing it all with a whole wide variety of different tools, or it's many, many, many different groups that are using a tried and true uh attack chain, and uh, and they all are coming to the table with different uh with different tools and different capabilities and different payloads and different motives and different intent. But the fact of the matter is, you know, there's a reason why my team and I, we write what we call the Patching the Human Firewall blog, is because we catch these things and we start to see, you know, hey, this, you know, this is a trend here. So let's put this out there in our Patching the Human Firewall blog. Because right now, as and we actually just talked about callback phishing, that's the third one I was gonna bring about. We're seeing a lot of that too. Um, you know, I I'm a firm believer um in if you put something in front of your average user and say, hey, this is bad, you know, report this if you see it. 
There's a good chance that they are gonna report it if they see it. If you tell people that not everybody on Teams is got is got your best interest or our organization's best interest in mind, and this is this is kind of what we're seeing. As soon as that happens, you know, you're gonna you're gonna pique their vigilance.

Pedro Kertzman

Yeah, yeah.

Brandon Parsons

They will remember, people will remember, you know, this is bad, watch out for it, you know. For the most part. I'm not saying, you know, like this is the surefire way to protect your organization, but I'll tell you what, it's uh definitely a very smart thing to do to keep your workforce informed, you know, about what the latest and greatest is, you know. So that's kind of how I see that. Uh, callback phishing is unique. Um, what we're seeing with callback phishing is very unique. Uh, we're seeing a lot of the different, you know, the different um, I would say, you know, just services out there, like no-reply at azure.com getting abused to uh get a callback phishing email in front. It's gonna pass through everybody's email filters, it's gonna land in their inbox. And that's the key. You know, if it works, if I can get this in front of somebody with the intent that um there's a chance that they may call back this number, I will take something like that and send it out at scale if I'm the threat actor. Somebody is gonna call that number on there. But the emails themselves are benign for callback phishing, it's the number that you gotta watch for, right? Yeah, but we're gonna continue to see variations of that. Uh, I think the most recent one I just saw was with GitHub. So it's like, ooh, this is smart, you know. And these guys are getting better at this too. Whether it's a uh callback phishing, um, you're past due on this bill-based, you know, lure, or it's uh we noticed some interestingness on your account, uh, you need to do this and call this number, or what was it? Well, the Robin Hood one was really interesting that we've seen. That really wasn't callback phishing, that was legit phishing, you know, on that one. But it was uh kind of the same themes and the same, you know, theme and stuff behind it.
But at the end of the day, you know, at the end of the day, it's all about can I get this in front of a user? Can I dupe them into following, you know, following this lure? Can I bait them into doing it? And that's what all three of these things have in common. Um, on a more interesting note, back to device code phishing, the other thing that we're seeing a lot too is the abuse of workers.dev, pages.dev, vercel.app. Uh, there's so many more. I think I just read about cush.ai or q qes.ai this morning. And we're seeing a lot of these uh, you know, these website builder apps and stuff being abused. Well, why? Because most of the time they're not really blocked. And uh, two, it's burnable infrastructure that, you know, if Cloudflare schwacks my fake Microsoft landing page on workers.dev, okay, I'll just go put up another one. Um, and I don't have to pay to register that on some gTLD, you know, at this point, you know, or on Namecheap or any of that stuff, right? So, you know, these uh things, they enable the threat actors and stuff to uh essentially save money and do things at scale, you know. So that's the other interesting piece, you know, to this too.
Um, so uh, you know, I actually uh did a Patching the Human Firewall blog on this, uh, I think about a year ago, when we were talking about um generic top-level domains and, you know, country code top-level domains being persistently abused and stuff when it comes to phishing or just, I don't know, malvertising or pick one, you know, but that really did, you know, kind of change the landscape, you know, where instead of spending a lot of money on a dot-com that's hosting something malicious there, you know, now you can spend five bucks and register on Namecheap or one of the others, you know, NameSilo or something like that, you know, and if you lose it, oh well, oh well, five bucks, or whatever it costs to register this domain on this uh gTLD. Um, and that's the other thing, though. We're gonna see a lot more gTLDs come about. You know, they've really moved the goalpost, I think, when it comes to phishing and malvertising and everything else and stuff that's sitting out there, you know, the abuse of gTLDs. Um, we see them all the time. Uh, I see them all the time personally.

Phishing As A Service And Hiring Callers

Pedro Kertzman

Yeah, no, that's great uh great information. Thank you. The uh what I would say from a phishing standpoint, so you mentioned all these uh new phishing techniques or the way threat actors are kind of changing. Actually, because the industry is changing from uh being more efficient and blocking quote unquote traditional phishing, right? So they obviously need to, like, change the way they're trying to do things on their side as well. So I think uh Intel 471 uh came up with the report, they're seeing like services being offered uh in the dark web for like uh call operators, right? Uh, so basically, if you don't have uh, if you just have the knowledge to do one of the components of the whole end-to-end phishing campaign, you can rent part of those services. You don't have uh ways to deliver. Uh, do you see this like becoming on the phishing side something like as big as quote unquote normal to see as ransomware as a service, for example, like phishing as a service?

Brandon Parsons

Well, I think a lot of these things, they all, whether it's, you know, the paid caller service or the new phishing kits, throwing device code phishing, they all have one thing in common. People understand that there's a market for this. And the dark web is really, really good about saying, hey, there's a market for this, and this is how it is. Like, you know, there's a lot of entrepreneurship in cybercrime. So um, that's an interesting way to put it, yeah. There really is, you know, and uh these guys are, you know, if you can find a way to monetize, you know, some of the things and stuff that enable you to, you know, steal more people's credentials uh or enable you to establish more initial access in different organizations. And you have a good tool, but you don't have a workforce. Well, why don't you just hire the workforce to deploy your tool? And that's kind of the concept behind ransomware as a service, you know, it's I have a great encryptor. Um, and I think BlackCat and ALPHV had a really, really, really good offering behind that. And so they put a lot of focus on the leadership aspect and the management of their ransomware as a service, and they had a good encryptor. Uh, that's one, you know, if you are a brand new ransomware as a service offering right now, it's gonna be very challenging for you to compete with some of these ransomware groups like Qilin, uh, some of these other, you know, like long-standing veteran, you know, groups and stuff and whatnot. So um, but yeah, to answer your question and just to be, you know, fully transparent and stuff. Um, if there's a will, there's a way. And if there's a way to monetize, then we're gonna build a service around it.
You know, I mean, there's no shortage of random services like this where you have people that are in most cases witting to participate in these things. Um, and case in point, I was going through the Black Basta leak logs and uh it was very, very interesting uh just to see, you know, how, you know, Storm-1811 was interacting with the ransomware operators at Black Basta. You know, it was very, very interesting to see, you know, the actual, you know, the discussions between, you know, the affiliate and Black Basta, or, you know, vice versa and stuff on that one. But yeah, if you can find a way to hire and economize your service, then why wouldn't you do it? Um, you know, right now I think ReliaQuest uh about a couple of months back put out a really good report that is basically saying, you know, that one of the most sought-after jobs right now on the dark web is an English-speaking um professional social engineer.

Pedro Kertzman

Professional social engineer. Oh my goodness.

Brandon Parsons

So and what's crazy is now it's branched out a little bit. Uh, it escapes me when I read this, but um I'm a sponge. If you can't tell, like I'm kind of a sponge. I think we all are, yeah. Uh, you know, a professional female uh social engineer that can speak English. And now I think they're looking at dialects too, like, you know, like somebody that speaks this or somebody that speaks that, you know, and uh it really depends on, you know, the group and what they're trying to hire for. But uh, you know, if they're willing to put emphasis and job announcements together that look specifically for those exclusive things, you know, that tells you exactly where they're hedging their bets. You know, they're hedging their bets on why uh, you know, why spend all this money, time, and capability on trying to find a way to, you know, build an exploit for this CVE when I can just call and ask for access instead.

Pedro Kertzman

Oh yeah.

Brandon Parsons

Yeah, there you go. Exactly. If I get the right charismatic person, aka my professional social engineer, then

A Real Scam Call Reality Check

Brandon Parsons

that guy's probably gonna make me some money. You know, all I have to do is give him a script. Uh, all I have to do is do that. Um, I actually had uh somebody from The Com that called me and was telling me about how my Coinbase, um, my Coinbase was involved in a uh recent uh sanctioned transaction and the FBI is now investigating me, or whatever their script told him. And I'm like, uh, are you almost done with your script? You know, I'm like asking him, like, are you almost done with your script? And he's like, I'm like, oh man, you're not very good at this. It's like, first off, Chief, I don't even have Coinbase. So um, that's one. Uh, two. My number, I'm curious. And he's like, well, I'm like, it's okay, man. You're not gonna win on this one, okay? But let's have the conversation. Uh, and it was pretty interesting. I talked to this kid, and it was a kid. It was probably a 19, you know, 24-year-old kid. Wow. And uh, you know, and I asked him, you know, I was asking him pretty pointed questions too. Like, uh, I'm like, you know, I don't need to know your name, man. You know, who are you rolling with? Are you with Scattered Spider? Are you with uh The Com? Like, which one? He's like, oh, I'm with the hacking command. I'm like, okay, that's cool, man. That's uh, that's most not cool, but uh, telling me that. Um, he's like, well, and he told me something really interesting. Um, he said he had some success and they sent him a Rolex. Holy fascinating. Like they said, cartel drug dealing all together. You know, and I'm like, how important is that watch when you get caught, though? Like, can you take it with you to prison? And he's like, well, of course not. I'm like, well, there you go. Uh, next question. Um, have you been watching what's been happening to quote unquote Com affiliates that get caught? Have you been seeing that?
Well, they don't just get the bars thrown against them, they get the book, they get everything, and they get heavily scrutinized by pretty much every law enforcement official. Is this really worth it? You sound young enough to make better choices. Let's talk about that. You know, and he's like, I'm like, how about this, man? How about this for a scoring rubric? If you told your mom what you actually do for a living, what would she say to you? He's like, she wouldn't be very happy. And I'm like, well, there you go. Is this something that you would brag about to your friends? Is this something that you would just tell anybody else? Because I'll tell you what, as soon as uh The Com figures out, you know, that uh you may not be um as productive as you are, they will absolutely throw you to the wolves. This is a dog eat dog game with these guys. So you choose, man. You choose just how far you venture into this, and you still have a chance because you haven't been caught yet. Yeah, but I preface with yet, you're going to get caught one day because you're gonna talk to the wrong person. Today you talked to somebody who's on the blue team that has just a bit of empathy, okay? You may not get that the next time. You may get somebody that's savvy enough to trace your phone to figure out exactly where you are and who you are and turn it all over to law enforcement. And next thing you know, your mom has to watch you get escorted out of your house while wearing your Rolex, probably. And then it's all gonna make sense to her at that point why these things were happening.

Pedro Kertzman

Yeah, kids don't really know what they're doing. Uh, they don't have like, they're not tech savvy, right? They're just following some, you know, yeah, exactly, some quick scripts, procedures, and they have no idea what's all involved, the traces they leave and all that. That's

Patch The Human Firewall And Stay Curious

Pedro Kertzman

really sad. But Brandon, man, awesome conversation. I really appreciate all the insights. Any like final thoughts for the listeners?

Brandon Parsons

Uh, well, that's a crazy question for me. Uh, that's a crazy question for me, um, because I have so much to say in such little time to say these things. Number one, patch your human firewall. It's so important. It's so important to patch your human firewall. The more that your users know about what's going on, the more that they're going to be paying attention to what's happening. And I think that's super key. Second, you know, threat actors, um, I would say threat actors are very much so predictably predictable in many different ways. Uh, and let me unpack that a little bit. When I first saw ClickFix, I knew right away that this was gonna be a thing. Um, it was going to be a thing because it seems like something that a lot of people would fall for. So just that natural, as a CTI, you know, person, that natural, like this is probably gonna work really well against a lot of people, and just asking yourself that question, hmm, you know, yes, this probably will. Uh, what can you do about it now? Well, you can take a look at something like ClickFix in the early onsets, and you can say, okay, well, mshta.exe seems to be the thing that really sets these conditions in motion, you know. Also, obviously, you know, user uh interaction. Okay, so I need to teach my users, you know, I need to teach the users that are within my customers how to recognize a ClickFix attack because they all have a very similar presentation. Um, but I also need to come up with some detections and stuff for if I see PowerShell plus, you know, mshta.exe, you know, in a very short amount of time, I can assume at that point somebody is getting ClickFixed and stuff, if you have the right, you know, XDR and the right detections and stuff in place, you know. Um, and uh, I'd say the last thing and probably the most important thing is pay attention.
You know, pay attention to what's happening beyond, you know, beyond what just a few flagship CTI outlets tell you to. Um, I personally, I probably go through at least 100 to 200 daily resources a day. You know, I go everything from, I go down to the vendors, I go down to the blogs on Medium, I peruse through LinkedIn, I figure out what's happening and stuff on X and all the other different echo chambers and spaces, Discord, pick one. Um, and you know, CTI is one of those things where it does take a village. It takes people that can see different perspectives. Um, I'm very fortunate to be a part of uh the ransom ISAC, uh, a lot of very intelligent people in there. But at the same time, I'm very fortunate to be a part of other different channels and other different echo chambers where, you know, you see what everybody else is seeing, you know, at the same time. You only have one set of eyes. But if you can build a coalition of like-minded people that all kind of have the same intent, which is how do we get ahead of this before, you know, we have to get in front of it, then you're cooking with gas. So um, and it's important. It takes a village, essentially. So those are my final thoughts.

Pedro Kertzman

Uh, yeah, no, and I could not agree more. I uh, yeah, it takes a village. Brandon, thank you so much. I really appreciate you bringing all your knowledge to the show and insights to the listeners, and I hope we'll see you around. Thank you. Absolutely, thank you for having me.

Closing And Listener Next Steps

Rachael Tyrell

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure.