Risky Business #783 -- Evil webcam ransomwares entire Windows network
Mar 12, 2025
Rob Joyce, former Special Assistant to the US President and cybersecurity director at the NSA, shares his insights on national security challenges. He discusses notable cyber threats, including a ransomware attack that used a Linux-based webcam to infiltrate a Windows network. Lee Chagolla-Christensen, Principal Security Researcher at SpecterOps, dives into the weaknesses of NTLM authentication in Active Directory and how BloodHound can help address them. The conversation highlights the evolving landscape of cybersecurity and the importance of robust defense mechanisms.
A new Bluetooth-proximity phishing attack demonstrates how attackers can exploit authentication flows to intercept session tokens and gain access to accounts.
The ongoing repercussions of the LastPass hack illustrate the critical importance of robust security practices and how compromised credentials can lead to substantial financial losses.
Innovative ransomware tactics reveal the need for comprehensive security measures across all devices, particularly IoT, to prevent sophisticated attacks and lateral movement by intruders.
Deep dives
Passkey Account Takeover Technique
A new passkey account takeover technique has been reported, which requires Bluetooth proximity to execute. The attacker uses a phishing page to lure a victim into authenticating with their passkey while redirecting the victim's device to an attacker-controlled URL. By abusing the cross-device authentication flow, the attacker can intercept the authentication request and ultimately obtain session tokens. While the technique is creative, it has prompted discussion about its practicality and whether further security measures are needed.
LastPass Breach Fallout
The repercussions of the 2022 LastPass hack continue to unfold, with links now established between the breach and significant cryptocurrency thefts. Prosecutors and government agencies have connected the incident to high-profile victims, including the co-founder of Ripple, who reportedly lost $150 million due to inadequate password management following the breach. This incident highlights the importance of robust security practices and the long-lasting effects of compromised credential management. It also raises concerns about the ongoing exploitation of stolen data in the cryptocurrency space.
Ransomware Attack Innovation
Innovative techniques in ransomware attacks are evolving, demonstrated by attackers who circumvented traditional defenses by exploiting a vulnerable Linux-based webcam to access and encrypt files on a network. After being thwarted by endpoint detection and response (EDR) systems on a Windows network, the attackers pivoted to access the network through the less monitored IoT device, illustrating an adaptive approach to ransomware tactics. This incident underscores the growing necessity for comprehensive security measures across diverse system platforms, including IoT devices. It also emphasizes the importance of monitoring and securing all devices within a network to prevent lateral movement by attackers.
ESP32 Chipset Research
Research into the ESP32 chipset, commonly used in IoT devices, has uncovered potential vulnerabilities that, while not easily exploitable, could be concerning if misused. Experts found that arbitrary code execution on the chipset could allow attackers to manipulate its functionality, although this would typically require significant effort and is not a direct backdoor. The investigation was triggered by reports of unusual behavior within devices using ESP32, revealing the need for thorough scrutiny of IoT device firmware to ensure robust security. While these findings might not represent an imminent threat, they serve as a reminder of the need for ongoing vigilance and proactive security measures in the IoT landscape.
NTLM Authentication Protocol Risks
The risks associated with the NTLM authentication protocol persist in modern networks, with many organizations struggling to disable it because of legacy compatibility concerns. Even well-resourced entities have been found vulnerable to NTLM relay attacks, highlighting how widely the protocol is still used despite its known weaknesses. Recent updates aim to address these concerns, with upcoming features promising to give organizations better visibility into where NTLM is most problematic. A strategic approach to tackling NTLM dependencies can help organizations improve their overall security posture and mitigate the associated risks.
On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news with special guest Rob Joyce, a Former Special Assistant to the US President and Director of Cybersecurity for NSA.
They talk through:
A realistic Bluetooth-proximity phishing attack against Passkeys
A very patient ransomware actor encrypts an entire enterprise with a puny Linux webcam processor
The ESP32 backdoor that is neither a door nor at the back
The X DDoS that Elon said was Ukraine is claimed by pro-Palestinian hacktivists
Years later, LastPass hackers are still emptying crypto-wallets
…and it turns out North Korea nailed {Safe}Wallet with a malicious docker image. Nice!
Rob Joyce recently testified to the US House Select Committee on the Chinese Communist Party, and he explains why DOGE kicking probationary employees to the curb is “devastating” for the national security staff pipeline.
This week’s episode is sponsored by SpecterOps, makers of the BloodHound identity attack path mapping tool. Chief Product Officer Justin Kohler and Principal Security Researcher Lee Chagolla-Christensen discuss their pragmatic approach to disabling NTLM authentication in Active Directory using BloodHound’s insight.
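The NTLM discussion above (both the "NTLM Authentication Protocol Risks" deep dive and the SpecterOps segment) centres on one practical point: you cannot safely disable NTLM until you know which hosts and accounts still depend on it. The following is an added example written for these notes, not code from the show, SpecterOps or BloodHound. It assumes NTLM auditing has been enabled via the Windows "Restrict NTLM" audit policies and that the resulting events have been exported; the record field names and sample values are this example's own constructed data.

```python
from collections import Counter, defaultdict

# Constructed sample records modelled on what Windows NTLM audit events
# (Microsoft-Windows-NTLM/Operational log) report: 8004 is raised on a
# domain controller for NTLM authentication it served, 8001 on a client
# for outgoing NTLM. Field names are this example's own, not Microsoft's.
SAMPLE_EVENTS = [
    {"event_id": 8004, "workstation": "FILESRV01", "user": "svc_backup", "domain": "CORP"},
    {"event_id": 8004, "workstation": "FILESRV01", "user": "svc_backup", "domain": "CORP"},
    {"event_id": 8004, "workstation": "PRINT02",   "user": "jdoe",       "domain": "CORP"},
    {"event_id": 8004, "workstation": "legacyapp", "user": "svc_erp",    "domain": "CORP"},
    {"event_id": 8004, "workstation": "LEGACYAPP", "user": "svc_erp",    "domain": "CORP"},
    {"event_id": 8004, "workstation": "LEGACYAPP", "user": "jdoe",       "domain": "CORP"},
    {"event_id": 8001, "workstation": "WS-042",    "user": "asmith",     "domain": "CORP"},
]


def ntlm_inventory(events, audit_ids=(8004,)):
    """Group NTLM audit events by source host -> {DOMAIN\\account: count}.

    Only events whose id is in audit_ids are counted, so a mixed export
    (client-side 8001 plus DC-side 8004) yields a DC-side view by default.
    Host names are normalised to upper case because the same machine can
    appear in either case depending on which component logged it.
    """
    inv = defaultdict(Counter)
    for ev in events:
        if ev["event_id"] in audit_ids:
            account = f'{ev["domain"]}\\{ev["user"]}'
            inv[ev["workstation"].upper()][account] += 1
    return {host: dict(counts) for host, counts in inv.items()}


def rank_sources(inventory):
    """Hosts ordered by total NTLM authentications, busiest first: these are
    the legacy dependencies that would break if NTLM were disabled outright."""
    return sorted(inventory, key=lambda h: -sum(inventory[h].values()))


def accounts_on_multiple_hosts(inventory):
    """Accounts that authenticate with NTLM from more than one host. Such
    accounts are the ones most exposed to relay, so they are the first to
    move to Kerberos or to restrict with per-server NTLM exceptions."""
    hosts_per_account = defaultdict(set)
    for host, counts in inventory.items():
        for account in counts:
            hosts_per_account[account].add(host)
    return sorted(a for a, hosts in hosts_per_account.items() if len(hosts) > 1)
```

Run on a real export, the three functions give the ordered list of hosts to work through and the accounts to migrate first, which is the visibility the segment describes as the prerequisite for turning NTLM off.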