Right of Boom
January 30, 2025

Malicious Innovations (The rise of malware delivering proxy applications & Play Ransomware Group calls out MSPs)

In this video, Andrew, Mackenzie, and Gary discuss the evolving tactics of threat actors targeting MSPs, particularly focusing on the risks posed by the Play ransomware group and the proliferation of proxy servers. They explore how these threats are innovating and impacting MSPs and their customers, emphasizing the importance of threat modeling and proper security measures. The discussion also highlights the need for MSPs to balance efficiency with security to protect their clients effectively.

- The webinar discussed the proliferation of proxy servers being delivered in a botnet fashion, targeting residential IPs and posing a threat to both MSPs and their customers.
- The Play ransomware group is specifically targeting MSPs, including RMMs and privileged access management systems, marking a shift in their attack strategy.
- Understanding the enumeration and discovery techniques used by threat actors was highlighted as a crucial aspect of developing effective detection and response strategies.

Guests

Andrew Morgan

Video Transcript

To the door. Alright, welcome everybody. We've arrived. Um, first off, apologies for the, um, five minutes of tardiness, um, getting used to this new platform. Um, so, uh, hopefully in the next few weeks I will understand it. Um, you know, I was joking, chatting with Gary a little bit off stage, but Gary typically, like when you go to 2.0, it should be better. Shouldn't it? Easier? I don't know, are you familiar with SaaS software at all? Holy cow.

But it, it doesn't work now, Andrew, but I'm sure it's more secure, I'm sure. Oh my god, that was great. Alright, well I know, um, welcome back everybody. Um, Phyllis has got a drop at the bottom of the hour, so let me set the stage and get right on into it. Glad that you think it's better, Steven. Um, I hope from your side it looks better. I hope from your, the performance is better. I hope for everybody on the listening side, experience side, it's better.

Um, alright, so let me kind of set the stage real quick for everybody. Um, alright, one last week. As we know, we had, um, Ryan Weeks with us, which was a lot of fun. Gosh, having him back, going through the CISA, um, risk and vulnerability assessment data. Um, as we know, kind of the, the, the reader's digest of that, after looking at another 121, um, organizations of SLTT and Critical Infrastructure was same old, same old right? Threat actors using credentials.

Um, very similar, uh, data sets as Verizon data breach report. Um, and many of the other, um, threat reports released so far in 2023. So what I wanted to do in this session, uh, because it was timely, um, is talk about some actual innovation that is going on that more than likely is going to impact, um, both MSPs and their customers. The first part we're gonna talk about is this proliferation of proxy servers, um, that are being delivered in, um, somewhat of a robotic botnet fashion.

Um, the high level that we're gonna get into with our guest, Mackenzie, momentarily is, um, a lot's being written on these right now, and the, the, the, the 50,000 foot is these are delivering a payload that can do a lot of different things. Things number one, um, they are targeting residential IPs, which is then used to obfuscate your traditional impossible travel that we relied so heavily on. Wes, I remember the days, you know, at Perch where that was such a great feature.

And here we are seeing threat actors, you know, figuring out ways that they're gonna render and basically neuter that detective capability. Um, the other thing that they do in corporate environments is there is malicious C2 payloads and other things that Mackenzie's gonna get into coming up here. And the second part of this is gonna be about the Play ransomware group.

Um, now Play, it, it literally came out and said, um, in their, you know, um, the dark web forums that they are unequivocally targeting MSPs, both the RMMs and, Wes, for the first time, um, privileged access management systems, which I know you're very, uh, near and dear to right now working with, um, CyberFox. So these threat actors are very in tune with the tool sets we're using, um, the multi-tenancy, uh, functionality of these tool sets. What nice us What's that, Gary?

It's nicer than to let us know. Yeah. That's why we have people like Mac that let us know. Maybe they wanna come on the cyber call. Maybe They, let's invite him. We would love to have How do we know someone's not on the cyber call right now? It's a bad guy. Gary, Actually. Yeah, Gary. I see a, so with That Episode right now, ripped the Mask knowing that, um, Blackpoint just, um, covered, um, a blog on the proxies. I thought it was really, um, uh, timely to bring back Mac and Mac.

This is the first time we're seeing you in a different role, so get us up to speed what you're doing. Welcome back to the show. It's awesome to have you. Oh, thank you. It's awesome to be here. Um, yeah, last time I was here I was a Microsofty person and you guys didn't have pitchforks and, you know, torches on fire for me. So that was good. But I came from the detection and response team, but now, now it's called Microsoft Incident Response.

So they gave, you know, in the very Microsoft fashion way, let's rename something again. So they renamed my former team, um, which is actually good. They, they encompass a much larger group of teams now at Microsoft between, you know, threat intelligence to the customer security support, all of them.

Um, but yeah, I, um, I think I always, I don't know if I did this last time, but I give credit to Wes 'cause he was the one, um, I really met that he was the gateway drug to cyber call, I guess to Right of Boom. So Mac I'll say this, when I heard you speak, you know this, I'd be lying to you and, and we were at this conference in Boise, which she lives there. I didn't, you know, and I be, I'm like, she's amazing. And I remember Andrew calling you like, Andrew, we gotta get her on the cyber call.

And then to think here you are today, uh, at Blackpoint with us, I'm just, nothing could be better. I wanna figure out when that call is so I can do like an anniversary thing. And I do have to say though, your background is so calming. I'm starting like to, I feel very relaxed right now. Yeah. Sorry. Just, you know, hold on tight.

Um, yeah, I came from the Right of Boom side and, and you know, I went and spoke at the Right of Boom conference and met many amazing folks there and, and my now employer Blackpoint Cyber. Um, and I'm absolutely loving it there. And you know, as in my role, internal security strategy is what I do.

But also a big chunk of my role is getting to work with our threat operations center and our adversary pursuit group, which is like our internal threat intelligence group who wrote this article essentially. Um, and, uh, going over, you know, the proxy server stuff and even Play ransomware. I think we put out a notice on it, but I couldn't find, I had to look back for some of our internal stuff on it, but yeah. Yeah. So that's, that's how I got here. It's great to have you with us again, Mac.

And, um, hey, and what we're gonna do is, um, Phyllis has gotta drop at the bottom of the hour. Um, and Phyllis, do you want to go into why? No, I'm kidding. Um, Freshman high school orientation. There You go. Oh, that's so cool. Aw, why don't you just bring a face. I just remember, it just seemed like yesterday Phyllis was in 10th grade. I know. I'm just starting high school now. I'm What do you mean I'm a ninth grader?

Take us around Phyllis, like you bring face time and we'll see everything on the cyber call. There You go. There you Go. All right. So we're switching things around and Phyllis, I'm gonna let you play Gary's, uh, questions out and uh, Gary will switch it up with you. But, um, this is, uh, this, this, I'm, I'm really unfortunately fascinated by this topic. It's, um, it's, it's, it's unbelievable how I shouldn't say unbelievable.

It's, it's, it's very believable just how they keep, um, uh, innovating. Mm-Hmm. Um, so take it away, Phyllis. Yeah, sure. Great to see you again, Mackenzie. Um, as Andrew said, um, this past week researchers uncovered this massive campaign where, um, proxy server apps were delivered to at least 400,000 Windows systems. Um, amazingly macOS went unscathed, but Okay. Um, which is why I have a Mac today. Yay. Mm-Hmm.

So, um, can you help us understand, um, what, what kind of attack is this and what do these proxy server apps actually do? Yeah, so I mean, in a nutshell, based on kind of our research and, and what we, anything our, our friends anywhere post something, um, that's gonna be a new technique or tactic, APG is gonna jump right in and start doing some R&D and some rapid prototyping, which basically means we have a simulation lab, we like to blow things up.

And so the minute we hear something, we're gonna start looking on the dark web for intel. And then we're gonna start, you know, playing around with concepts. So, um, I'm hoping that we're gonna be start putting out, we're going to start putting out a lot more videos of these simulations from our team. In a nutshell, really from the proxy side, uh, of this situation, this is, um, essentially an unlisted proxy provider. And I think I was talking to our head of APG this morning.

He was looking up this company or so, and it's right next to like, um, a Mexican restaurant and a 24 hour fitness, like legitimately, he was able to locate some of these. So just to show you how not legitimate some of these are, it is shocking. Um, but really they just use this malware to install these proxy exit nodes. And essentially this has created a giant 400 k, 400,000 plus level bot network of residential based computers that are now infected. And they do have some capabilities to it.

So, um, you know, I should preface that from our side. MSPs aren't the concern in this. Um, mostly everyone is concerned in, in this campaign and this capability. Um, so, you know, our first recommendation is, um, make sure you use a legitimate proxy or VPN service or whatever your, uh, corporation is, is gonna approve. But, um, ultimately, um, our concern is, while this is used for threat actors to mask their IP, it also has that C2 capability.

So at any point we basically have this giant marketplace that if it was compromised, it could eventually be used by threat actors to legitimately access any resource that they want. Right. And Andrew just did correct me, and I'll go into the it, you know, macOS did, did get hit, but it was detected as I read in your blog post versus, um, which leads us into the next question. Um, it was digitally signed, so it was, you know, essentially undetected 'cause it appeared, um, okay.

Or authentic, um, by EDR. So, um, like you said, it does have some C2, um, other things also were getting deployed. Um, but how sophisticated, um, is this type of attack and, you know, what is it that's exactly being deployed on victim systems? Right.

So, um, essentially the malware is designed again to do kind of that masking of the IP service or IP from if they're a bad guy and they wanna be able to, from an investigative point of view, make sure that you can't figure out who's actually attacking them. This is where that impossible travel or impossible, um, or risky user risk detections come into play.

Um, the C2, while technically right now, it's not something that's observed as being used, it's still a built-in capability, which means that, you know, the snap of a finger at any point they could just open this up and it brings in the conversation or topics around like initial access brokerage, right?

And how if we really wanted to pinpoint a specific target or we really wanted to get access to a system while we could potentially build this bot network bigger and better, and now have access to many systems, um, at, at, you know, the snap of a finger. But right now it's not the C2 portion of it because it's really a proxy service and control of a proxy software. It's not something we're concerned about. Um, but it is possible. So that's what's concerning to us in the realm of bad guys.

Right. So Alien Labs, um, uh, said that it was programmed in Go, meaning, um, the significance of that is that it can be installed on multiple OSes, including Windows and Mac. Um, so can you share with us what was discovered a few weeks ago with AdLoad, including Yeah. Turning Macs into proxy exits? Yeah.

Basically the exact same thing, but on the macOS side, which is, um, always concerning, I think when anything hits headlines where there's a macOS based, um, vulnerability or potential exploit, because like you said, you have a Mac, you're like, oh, we're all good.

Um, because usually we are, uh, although I will say we could all do a lot better at controlling the inside our organizations that we never seen inventory or have pinned down, but it was the same, um, same capability essentially, but through adware. So annoyingly unknowingly, the victim would get something downloaded on our system.

And the key thing to these proxy services or these new types of malware going out or even adware, is they're finding sophisticated ways to obfuscate it so that EDR may not necessarily pick it up, or AV may not necessarily pick it up. And so anything that's That's bad, right? What yeah, that's bad, right? That's bad.

So anything in the category, like for our group, if we're gonna study things like this that are hitting, hitting, you know, the headlines, anything in that category is concerning because we also know a large group of downstream customers don't likely have EDR let alone have sufficient AV across the board. So that's, that's a big one for us.

Um, but yeah, essentially it's, it's the same concept of, you know, we talked about this, uh, internally a week ago around the strategy of an organization that's, hey, that decides, hey, we're gonna put spyware on all of our employees' computers and technically 'cause it's a corporate owned device, it's okay, you kind of consent to it.

And if you think about this new proxy server app or malicious use is that the big debate is that people are not consenting to it and or some of them are consenting to it, but Alien Labs research went out and found that no, there's evidence pointing towards a lot of people that didn't. And the easy thing is just say, Hey, block it, revoke the certificate, clean it up, right? Do some whitelisting, use an approved service, all those things. But those are easier said than done, right?

Especially when it's residential. It could be, you know, your high school kid's computer and you would never know, but you're on the same network that your corporate device is connected to. So, yeah. Yeah. I'm glad you pointed that out, that you know, that, um, you know, Alien Labs did point out that people were actually perhaps not agreeing to it 'cause that was the initial response. Um, That's important. Yeah.

Um, so as you said, Blackpoint APG wrote a blog post about, um, about this attack or proxy campaign. So was there anything in particular that the threat team saw that MSPs should be aware of, um, for themselves or their clients? I think that for us, for MSPs, the concern is, again, going down, like we really wanna think of a scenario or use case.

It's that residential aspect and it is the potential aspect that on the dark web at any point we've essentially created, we haven't, but this bot network is a giant new Tor network without having to be a Tor network. So we've created this potentially very malicious capability of bad guys going on the dark web and saying, Hey, click here now and have access to these systems if you, you know, quickly search for an IP you're looking for. Um, so targeted phishing potentially.

Um, certainly looking at like the adware example, if they could find a way, if they wanted to utilize this malware and target specific users, especially at home networks. So children or spouses or roommates or you know, plumbers, whatever, like whomever's in your house that has a laptop connected or something they might be looking for, um, that social engineering opportunity, um, to infiltrate. Hold that, hold that thought.

Mackenzie, let's go to this commercial break about advertising on the dark web for Gary. Gary, this is, I always love showing this kind of stuff and getting your opinion. Can you see this okay? Can you guys see this? Oh yeah. So, so how about that packaging and pricing, Gary? Yeah, I mean, just think you can apply that and probably make more, way more money than an MSP. Yeah. Yeah. Blazing. You know what, I'm waiting for Mackenzie.

I'm waiting for some dark web private equity that starts buying up these groups at a multiple and reselling them to just complete the whole economy. I'm sure they have a much faster acquisition process for that. It's just like, sure. Sounds good. Let's do it. I'll get you the pitch deck. Gary? Yeah, Over to you, Gary. Oh, sorry, mc.

Oh, I mean, the only thing I would add on this of why we wrote the article is, um, you know, we're our team, our expert hunters and sniffers of looking at things that are hitting the headlines or even potentially news or something. Hacker News is posted. And like I said, we wanna go back home and, and blow it up because there's always potential to impact, um, MSPs. So education is the goal here. Education and awareness. Yeah. So let's, let's talk for switch gears a little bit.

Let's talk about, um, uh, we opened Andrew talking about Play ransomware. Um, historically they've not been after MSPs, right? They're more in the SLTT space. And I guess we heard about 'em through, um, the city of Oakland shut down. So now they have figured out MSPs are good targets. Can you talk a little about their technique, intermittent encryption? Explain that, what it is and why it's an issue?

Yeah, so the concept around intermittent encryption is essentially it's just encrypting, uh, the, the malware's designed just to encrypt, um, x number of data or data within the system. So not really the totality of the data, but just chunks of it. And we actually, I remember we back in the day, um, in an anonymous fashion of mentioning this without getting in trouble, we definitely came across a lot of LockBit cases that used to do this too.

And really the goal is for it to spread fast and it also makes the data still unrecoverable so it'll spread fast and you still get screwed over essentially. 'cause you carry your data back and you have to go through the full IR of a ransomware situation. I'm sorry, let me, it's a question. Is the idea there, like, in a normal situation, you're trying to encrypt everything.

It gets picked up, it gets maybe shut down before 'cause it takes however many, you know, minutes or hours that this can spread more quickly, have the same effect and they don't need to encrypt everything to be effective. Yep. Smart. And they'll even even shoot, or, you know, back when LockBit was doing this, we came out the, the, the cool thing is we came out a decrypt with a decryption key, right?

We were able a decryptor tool, but then they patched because they have a good patch strategy, not us. So they were able to, to update, update what they could. So this concept of just doing this, um, intermittent encryption is, is probably gonna become a lot more prevalent of what, what we're seeing across ransomware so that they can act quickly. And also they're gonna be a lot more destructive.

They're gonna focus on, you know, they're gonna aim for ESXi, they're gonna aim for your hypervisor, they're gonna do hypervisor jackpot, and they're gonna make sure they destroy things in the area that we often also have really important data and or, um, potentially our backups or other situations that might be, um, really important for business continuity. So, uh, those, that's, it's, it's definitely an advanced technique and, um, targeting MSPs is also an advanced motivation and strategy.

If you think about it, Listen, as long to don't come after my fantasy team lineups, that would be a problem as a six time champion. You're like, take my money, take my money, but don't take my football. Gary, this would've been a big issue, um, in your first MSP when your guy was streaming, you know, things and making money. Yeah, exactly. Yeah, but we'll tell that story Money that, Yeah.

So, uh, Mac, researchers, um, threat researchers, they call out, you know, RMMs as a target obviously all the time, but now calling out privileged access, uh, management as well. So what does that say kind of about the sophistication or their understanding as MSPs our supply chain? I mean, it's certainly know of the sophistication level in this, right?

Because, um, once they're able to say not just, um, infiltrate or compromise an MSP environment, focusing on privilege access is kind of the business model of, of MSPs, if you think about it. Of that is a big part of how the business model works so that we can do the services that we provide. Yes. Um, we're gonna need a degree of domain administrative level or enterprise level privileges to an environment.

So, uh, you can imagine too with downstream customers that are gonna be SMB space, that are maybe even larger organizations that don't have, um, that don't note a contractor account that has administrative privileges doing certain things, or in this case using legitimate RMM tools, especially if they can find out what the tools are on their target, then it's not gonna seem weird at all.

Um, so if you are able to look at privileged access management tools and automatically get a leg up on having those normal accounts with privilege access and being able to always authenticate in that way, then um, yeah, you're just gonna be more successful. Yeah, I mean if you think about it like, look, over the last couple months we keep coming back to this Andrew, right?

That, and the thing is, there's a level of inefficiency that it provides in an MSP model a little differently than in a, uh, you know, an IT shop. And again, we get back to the same thing every time. There's a cost associated with that. And it's, this is one where it's hard to get customers to understand like, Hey, we're not gonna be as efficient because we're doing these things in order to protect you. That's harder. That that's not the easiest conversation.

You have to be pretty mature, like in your stance, you know, to be OR, or Gary, like, I mean, hey, by the way, we're gonna roll out, you know, a network access control solution, you know, a high end enterprise like, like an Appgate or something across the board and add five bucks an endpoint, my cost. But I mean, you know, do you think, do you think we're gonna get there?

I, I'd like the audience's thoughts too, and whatever your flavor of ZTNA is, but are we gonna be at that point, you know, with these types of attacks where we're just gonna have to say it's by MAC address, it's by IP, it's by, you know, there's gonna be all these different parameters to authenticate to, you know, the applications and services you need. So Yeah. You know, Everybody's feedback on that.

But go, So I was thinking about something else as I was listening to Mackenzie and you know, I feel like the MSP, the risk right now is growing much faster because every quarter I'm watching the numbers, like in my peer group of how many larger accounts they're working with. Mm-Hmm. Co-managed is like, it's up and to the right. So now an MSP, you know, that has, you know, 80 accounts, they might not just be, you know, they may be touching two or three times, you know, the amount of endpoints.

So like the exposure, um, not just to MSPs, but to the SMB community, right? I is, uh, is a lot higher now. Yeah. Gary, just real quick, but you, you know, you look at the macro economy, this, this isn't hard to predict that outsourcing is gonna continue. Like, there, there's the positive for MSPs that are ready to go after the mid-market that have the maturity and capability has never been greater and, and the macroeconomic environment of outsourcing, right?

You know, meaning is continuing to increase because cutting costs is it, is that, is it those two twin forces that you see too? Yeah. Yeah. And then we'll see, like we're, we're gonna be heading, if not to a, um, if not to a recession, right? We're heading into some type of a, an adjustment, right? Sure. Uh, in the economy. And that has effect on, usually people tend to outsource more, they're looking to, so yeah, I, I just think it's gonna, I think it's gonna continue that way.

Um, you know, and kind of following along with that, uh, Mackenzie, you know, last week, Ryan Weeks, again, we're just talking about si he, as he always does, talks about cyber resilience and MSPs historically have focused really more on protecting their customers, right? Um, then they have with cyber resilience, um, wanna recover, that's gonna have to change, right? Moving forward. Yeah. That's why I got out of it. I'm just kidding. No.

By John promised I'd never have to be a murder cleanup crew ever again. No. Um, it, they do. Uh, yeah, they do. In this case, especially when it comes to, um, some of the things that we would honestly recommend, or back in the day I'd used to recommend to customers, um, in a proactive fashion, is not just having playbooks and incident response, having really specific ones to ransomware. 'cause it's an entirely different game. Like from a response perspective.

You know, call your lawyer, get your lawyer on the phone, call the cyber insurance guy, cyber insurance guy, know who the partners are gonna be. And honestly, MSPs, if it's like an SMB situation, you'd want the MSP to be a part of that partner list that gets called right away. And then ransomware is gonna be really dependent upon what do we know? Is there a sample? Is there a variant that we know that we're dealing with, Play, for example, um, what is it gonna be the scope of damage?

And then what is their current, um, uh, backup strategy that they have in place? Do they have a domain controller they can take offline? You know, we go down a full list of containment recommendations that those are things that can be easily documented today. And then when it comes to your recovery, that's full on disaster recovery. These are why we should be testing our backups. And immutable backups are a really great solution.

Um, ensuring that we, if you're using something like a hypervisor that you have, you know, local creds stored somewhere else and not AD joined right. Or AD domain joined, like those are the things that we see response teams recommending, but it's often after the fact we have to recommend it. Yeah. Versus making this a conversation now of let's just prepare for the worst.

Now, um, as much as I don't wanna do incident response, like I know that part of preparation and hardening protecting our environments means we are thinking about recovery now as if that we have to basically press the button Yeah. And keep it going immediately. And sometimes recovery doesn't work. So we need to make sure we've tested that. Yeah. And for an MSP, we'll add one more level.

I mean, of all the sessions I've been to, uh, I've been to thousands of them, you know, one of the ones that sticks out to me is from right of boom that, um, that, that Ryan did where he talked about, you know, recovery at scale. So an MSP, you know, had been testing recovery, but not for all 80 customers, you know, at one time. And literally rendered the plan. Completely useless. And so that's the other thing we always have to think about different than an IT department.

We have to think about it across all of our growing customers, customers and their complexity. That sounds expensive. Recovery isn't cheap. Recovery's probably more expensive than just installing the doing security the right way. Recovery's way more expensive. There's one thing more expensive than it, and that's not recovering. Yeah, exactly. Yeah. Yeah. It's the one thing that calls, that's the call in A day. Clocking out for work forever. Definitely. That's it.

One thing I'm about recovery, I'll, I'll brag on Andrew Ole for a minute from, um, uh, Prota, he's done something really revolutionary and, and we really ought to get him on the cyber call to sort of talk about it. Andrew. So he's an MSP, um, uh, security person. And one of the things he talks about when he shares the cyber defense matrix, he's added a new column of cost. And how cost goes sky high is you go right past detection and he uses that as a talking point.

Mac to your point of, Hey, look, one of the things, one of the reasons we invest in, in identify and protect is 'cause we don't wanna get to response and recovery. It's super expensive. And that's one of the reasons that we align our defenses this way. And also there's not a lot of tools that exist over there as well. And, and man, it's just a revolutionary way of looking at he shared Sunil. Sunil loved it.

Um, so yeah, I just thought I'd throw that out And that's awesome because that concept could help weaponize your competitors' lower price. Yes. Right. Let me tell you why people cost less. You can cost less if you stop here soon as you go here, here's what happens. Does that make sense? So again, that is so much more effective to show people in simple ways, simple concepts and knocked down in the weeds. So I I I love that. Um, before I hand it over to Wes, just I want you just to circle back.

Andrew talked about, um, you know, zero trust, right? And the fact that it's probably a direction around all the platforms, 40 plus platforms that the average MSP right. Is using. Um, just give us a little more of your perspective, you know, on this, you know, understanding how that works, but also you understand now the MSP business model. Absolutely. Yeah.

Every day I learn a little bit more about the MSP business model that's gonna, so hopefully I'll have a PhD like you, Gary, in the next, you know, 10 years or I'll feel like I'm keeping up with the Joneses. But, um, that when I joined Blackpoint, we had just released our managed application control product. And this is not a plug for that. I don't get paid, nor am I spon. I do get paid by Blackpoint. What am I saying?

But, um, it, it, the reason being is the focus wasn't just on doing, you know, application whitelisting and here are like the common bad actor tools that could be used that you may not need. Here are the bad actor tools that are used that are legitimate, that admins use, and maybe you don't want to use those.

And then RMM tools had their own beautiful special list and it went down to like controlling the versioning because you should know for, you know, all my customers say I have 80, 80 customers and they only, we only use, um, ConnectWise, or we only use Atera, or we only use these certain RMM tools. Well, now we have a way of saying, well, we wanna make sure all of our customers from a monitoring point of view also are standardized so that we can look when new tools are downloaded in the event.

Because that's what bad guys are gonna do. They're gonna bring down their tools, um, the minute they hit a system. And they're especially gonna use tools that aren't gonna be abnormal in the environment. And especially if they're in this instance of downstream customer, um, targeting, if they've already, you know, compromised an MSP, now they have normal creds. So attach that to a normal tool, it doesn't look that suspicious. And especially if no one's looking.

So I would say that it's becoming more and more important that we start spending time really looking at all of this approved software and applications that we use and saying, you know, here's from a white list, here's what is allowed.

And everything else is going to not only be default denied, but it's also going to produce an alert so that if you are using an MDR service or equivalent, um, you maybe just even an automated alert to let you know, um, you have an idea that, hey, we might have a compromise of credentials still. So it isn't even just like we now have an alert that a bad or, or that the, a temp of Splashtop because that's what we used to see all the time, um, was downloaded and installed on this server.

Worse the domain controller. Um, but we also know that they have administrative privileges at some point those creds were popped. So that's, you almost have to work backwards, but without knowing what is allowed, you don't really know what's abnormal and you don't, especially if there's legitimate credentials utilized in the process. So sorry for bringing this up a little early, Mackenzie, I just wanna show everybody, um, what you're talking about. So this is what Play does.

Um, and John talks a lot about this when he does his presentations about the enumeration phase. And so picture they bought, bought credentials, they've compromised and then they do an additional reconnaissance mission and take a look. They, they know exactly what we're running. Mm-Hmm. So these are the, um, this is what their scan is looking for. Um, but wait, there's more, uh, hold on. We're getting to the things that we all, all right.

So the point being, I think what you're saying Mackenzie is like, hey, if we use, um, Automate and we don't use Atera, well don't let Atera run. Mm-Hmm. Fair. Especially with this enumeration capability and the tools, um, that you're highlighting here is gonna spend more time mapping out what tools you use so that they can create their attack path that they wanna now execute. So it even gets down to like the versioning of tools and who can download those tools.

So they could still technically find, enumerate and find out the exact RMM tool you're using and download a version of that on another system. And so now you have to look for that needle in a haystack of abnormality at that degree. Not to scare everyone. This is a really depressing topic actually. Yeah. Scare Everyone. Well, And there Won't have you, we probably won't have you back. Yeah, that was great. Knowing everyone, Like there are some capabilities.

Third anniversary, Just just to throw in, there are some capabilities, like we do have insights into this. The problem is we just don't leverage it well enough. So for example, I sh it is there are tools out there. I might happen to represent one that Ty and there are others that are really good at saying this signed certificate authority with this version is okay and approved for use in these cases with these users.

Nothing else is like, there are things that we can do to put stuff in play, we just don't, when it comes to privilege management, it's something that we just typically is a red-head stepchild. And it's difficult 'cause MSPs have to juggle this for all their clients. But I do think MSPs need to start with their own stack and their own tool delivery. And it's hard.

You got a lot of customers, you start to roll out some of these things, especially if you're not getting the right support and services to think it out and all of a sudden you're getting buried with approvals. Do you know what I'm saying? And I've seen it happen to MSPs, like, they were like, what are we gonna do? Like we didn't factor this in to the cost. Like they almost need an approvals team. Yep. Yeah. Alright, Mr. West, over to you. Cool.

Well, um, I love that you shared that link, um, Andrew, 'cause I do think you, you need go check it out. I, I, uh, Andrew just posted that Symantec link. I can't believe we're sharing a Symantec link, but the article's actually really good and the, the tool they use is called grpa. Um, I don't even know if I'm pronouncing that correctly, but Mac, I'm, I'm curious, like it makes sense you just, what's that? Let's Just say yes. Yeah, we'll just say Yes.

Mac, you mentioned that one of the, the tactics that the, that that play and others are using is let's do, let's understand our environment, right? One thing Ryan Weeks and I talked about a year or two ago was understanding that bad guys don't just get access and it's like, you know, snap of a finger and you know, bad things happen. They have to learn our network, they have to learn what's where they have to learn, what users do we want to attack, what software can we go after?

They have to escalate privileges, move laterally, and these are all opportunities to detect. So I I I guess it shouldn't surprise us that they developed a tool to, to let them do that a little bit better. But can you expand on that? Like, um, are the, should we be doing anything about tools like grpa? Should we, are there ways we can get visibility into it? Are there like things that, I'm just thinking out loud here.

Is there anything with in particular that tool in like that we should be thinking about from a defensive counter mechanism, so to speak? Yeah, I mean it definitely goes back to, of course you can grab some sort of IOC or something and look for the tool and see if it's there in your environment. Create detections, but that doesn't necessarily mean you can't swap a hash and change it way to get it in there anyway.

And also there's a lot of ways to enumerate an environment without using a tool like this. So enumeration is kind of like, the key thing to understand is that discovery methodology that bad guys are using. So if I'm a bad guy and I'm, I'm going in, the first thing I'm gonna wanna do is discover basically the list that you just shown is a really great example of what they wanna identify from a software perspective and from a security detection mechanism perspective.

And then also, like you said, like where, who are the privileged users? Who do I need to be looking for? What are the privileged groups? Um, they're gonna look at the identity and access side of it too, once they get that mapped out. The key thing for many of these, um, some of, so I always like will, you know, caveat that there's probably some, um, threat actor groups out there that are loud and noisy and don't care and they know who they're targeting. So it doesn't take long.

But a lot of them are, are gonna be a lot more sophisticated and thorough about their plan and strategy. Not only that, they do this as enumeration is a very normal part of their process and methodology. So they know how to do it, they know how to do it quickly, and once they get a map of attack, then they know exactly where to go, who to target, how to who, what system to traverse to. And depending on what their end goal or motivation is. Stealing data often goes hand in hand too.

Deploying ransomware. Um, you know, I think understanding enumeration really goes down to, uh, having a good, you know, starting with identity and access, like having some sort of privileged access control. The principles of Zero Trust is controlling the network and also controlling the identity aspect of it. But this, this software side of it is really important.

And this is where, you know, I, I have my CIS controls map on, on my, on my wall because I wanna make Phyllis proud every single day. But that inventory and control of software assets is, is really something we need to be talking about more and we need to be doing and we need to be also providing that guidance to other customers because they don't know, they don't necessarily care.

But if you can lock down, you are managing that device and what that device is able to have access to, like, let's start there and then focus on the next thing that we have to tackle. But enumeration is a, a normal discovery, normal thing technique that bad guys are doing. Yep. That's really well said. And I, I do agree, like we just, I just led a workshop a couple weeks ago on, um, software inventory because it's challenging and tricky.

There's not one tool that gets the job done and there's a lot of process that goes into it and there's a lot of things around onboarding and offboarding. There's a lot of things around, you know, ha handling client installation of things cloud. Like, it gets really tricky. We actually spent an hour and a half doing a, a really good workshop on how we can start building that process of building software inventory. And it's not easy. It's not at all. Um, but, but it is, right.

And I think if, if I'm just gonna post this link into chat. If you really want to go and make yourself wanna just quit this business, um, check what MITRE talks about, we don't really talk about, so this is a whole category in MITRE around discovery, they call it. And Andrew, this would make a great, great cyber call as well at some point if, if we could talk to someone that really knows the discovery side of MITRE ATT&CK really well. 'cause it's something I don't think we talk about enough.

How do we, how do we leverage a bad guy's desire to do discovery against us? To, to find, to use that as opportunities to detect and respond, right? So I I think that's powerful. Um, I, I'm, I'm curious, Mackenzie, have you, I'm guessing Blackpoint's run into Play. Um, can you, what steps should MSPs be taking and be thinking about when it comes to fighting back against this adversary in particular? Um, so with any sort of ransomware situation, Blackpoint, we are managed detection response.

So we're far more left of boom. And you guys have all heard John talk about definition of boom and where he sits with it. Um, so we are really focused, our SOC is act, you know, bad guy comes through your door, pew, pew, he's done. And then we move on to the next thing. Like we try to act as quickly as possible.

That being said, it's really important to gather any sort of telemetry or intel we can to understand what that threat actor's intent was or that adversary's intent was after initial access or lateral movement. Generally lateral movement is where we are more critical in acting faster.

Um, and this is also where, you know, we've pushed out our Mac tool within our tool stacks and also our cloud response so that we can really balance out of identifying anomalies, um, that our customers are potentially, um, being impacted up. So anomalies on software, um, you know, obfuscated PowerShell or use of PsExec, um, uh, encoded PowerShell would be another one. Um, or then just use of privileged identities moving from system to system.

You know, we have a whole thing that all of our analysts, a whole host of things that our analysts are being alerted upon and then following up with customers on. But really our goal is to isolate quickly, Play, um, BlackCat. You know, we've talked about a lot, a lot of these ransomware groups that come across as it takes time for us to be able to do attribution. So it requires us to pull an IP address, which really full circle back to this proxy thing, masking their ability.

So we may not necessarily know where we can do attribution. We may not know the ransomware group. I have no doubt, you know, when I asked internally to see if we had any specific known Play instances, um, we didn't. But we have a lot of pre-ransomware instances where we couldn't do attribution and it's only, I think it's gonna get more difficult, except it sounds like Play has their own PR rep and social media page and everything. So maybe it won't get difficult. Maybe they'll let us know.

They're like, we'll handle the attribution for you. We got that one for you. Exactly. They'll have no problems with that. They don't seem too bashful about their attribution. Great. No, great, mark. I'm sure not at all. So how about this then? If, if I'm, if I'm an MSP, I probably wanna start thinking about some of these, these evolutions and say, are we threat modeling these things? Are we have, we have, we considered some of these things?

So I'm curious to know from you Mac, any areas of like threat modeling and just thinking about how a bad guy would operate and what would we do about it in this more like a a a court staying up to date with our bad guys? Anything you'd point to from a threat modeling perspective that MSP should be thinking about and talking about inside their companies? Oh, that's a loaded one. Um, I know, Or, or, or even Wes maybe like another look at this.

Mac should, I mean with these, with the evolution of a, a Play, is it you should maybe have, that's where you spend your money. You know, certainly a pen test is warranted, um, as Ryan talks about like at least A-S-V-A-S-P-S level one. But do, do, do we start looking at maybe pooling resources and you know, but, but having a third party red team come in and do this kind of stuff? Um, I think red teams are great. Uh, they're usually really successful.

I think the thing with red teams is, uh, don't let 'em leave their tools behind and certainly understand the scope of the pen test, right? Because there's so many things that you could focus a red team on, and you never really get the big picture of what your environment is vulnerable to. And that's where other types of assessments, like cloud hardening assessments, like Microsoft does a lot of those for O365 to say, Hey, here's all the things you don't have enabled.

Here's all the accounts that are your more risky users. Here are all the things you need to clean up. And it does give you a stockpile of activities now that you have to like remediate and follow up on. But those types of assessment services in conjunction with red team at least gets you some semblance of where your attack surface is.

And it's more difficult when we talk about things like this where we are concerned about new tools, new adversary tools or tactics that, um, evade detection mechanisms and then tack techniques that focus on living off the land. So using built-in systems that our admins are already doing. So really it's looking back at, okay, who, who is the most risky person that has the access to the most things and how do we just threat model around that scenario?

Because threat modeling as a whole, I mean, you could really pull apart like, well, what if they accessed our partner portal and then they were able to now implant something on the partner portal. So anytime someone logged in, I'm not even gonna bring that up because I could, I'm not gonna add more horse stories to this campfire session. But, um, I think red teaming is great. Um, I think you need to understand the scope of the, of the service that you're getting.

And I, and, and that's fine to do multiple pen tests. I also think what's really important, and it's more advanced to be honest of what organizations do this, but it's war gaming and purple teaming. So it's kind of like not quite a white box, black box agreed upon pen test, but you maybe wanna test out what your MDR service is picking up. We pick up a lot of pen tests at Blackpoint. We pick up a lot and we contact the people and then they let us, oh yeah, no. Oh, that's our pen tester.

We're like, all right, well we might mess, mess with 'em a little bit. But ultimately, you know, that's important is making sure like, are we actually detecting what the pen tester's doing? Because it's not just a, Hey, what did the pen test? How fast were they able to get in and what did they compromise? It's also how did we not see any of this? And now you can point, okay, so what do we need to invest in? Because we had no visibility on where they went and what they did. Yeah.

You know, I learned a little bit, um, this quarter around pen testing. I'm not, you know, I'm not an expert on pen testing, but Sure. What for our, for our, um, special project for our peer group, uh, this quarter, um, we gave everybody like, uh, Kaseya acquired, uh, vonahi, like automated, semi-automated pen testing. And um, so we gave everybody licenses to run it on their own environment.

And I got a real education and what I came away with was, and tell me if this is like, this is rudimentary, but you could find a hundred vulnerabilities, but being able to say, Hey, there's a hundred potential vulnerabilities. These seven are the ones, they're actually potentially an issue. Some of them really aren't. And knowing the difference between the two. So to me, the idea is to be able to take action mm-Hmm.

Coming outta this and to have a better, you know, security, you know, posture, you know, afterwards than before. Yeah. The idea with, you know, around zero trust and even back in the day, I don't know what they call it now, Microsoft, big Microsoft did tiering methodology of, you know, tier zero, tier one, tier two. And the idea behind it, very similar to um, concepts within zero trust is you create security buffer zones.

So maybe in one tier two layer of workstations or things that don't have access to data and end users and random things there, there's 200 vulnerabilities sitting out there. Well, that's a lot that actually would be concerning.

But say you have seven vulnerabilities, but you're more concerned about, like you said, tier zero, the things that can be externally accessed and are scanned and discovered like an exchange server that never has never ending vulnerabilities that everyone's aware of or, you know, Fort Appliance or in the case of this proxy service situation or not the play conversation or, um, you know, what we've seen.

So we've just pushed out new research on SonicWall and they have a lot of zero days that come out, but we just pushed out a new one on that and we had two MSPs that were hit through that vulnerability. So like you said, I think the idea is there's, you're right. Like we have to focus somewhere and that's that tier zero layer. It's really focusing on the things that would gain, if you're a bad guy, you'd get the most access right out of the gate.

And you have, you wouldn't have to do going up the tiers from two to zero, you'd go straight to zero. Yeah. And, and Wes, what's interesting, and you know, I was talking to Ryan about this, he did several um, assessments, you know, when he was at da like each year he would do a, uh, like he'd sit down with an MSP and spend like one or two days with them. It was really cool that data would allow him to do that.

And just simple things about kind of what you're talking about, Mackenzie, was he would discover that even with the access where the RMM and the PSA on the network was, he would find, Hey, why are your salespeople on the same, um, uh, segment of the network? Why are your marketing people on the same segment of the network? So, you know, just Wes, is it sometimes simple hygiene there that can, those little things can make a huge difference. It it's often, it's often that way, isn't it?

You know, and, and so that's why I think, you know, I think we all talk about this often of like, quit buying the shiny new thing and start doing the necessary reps inside your own company with good follow CIS controls and really make it a mission to say, darn it, we're gonna get through IG1 and start pursuing IG2 within 365 days.

You know, because you're right Andrew, it does come down to those things and oftentimes you go and look and CIS controls map through these things and talk about some of these obvious things. So, um, yeah, I think that's well said. You know, in maybe the last two minutes, Mac, I know you and Phyllis are gonna do an all star session at um, Right of Boom. So I hear will you kind of tease us a little bit on what, what you, what you're both talking about and why everyone wants to go pack the room?

Yeah, So we are doing, have you guys seen the movie Casino? I had to watch it. It is very violent. So I dunno. I record, I'm like, You're starting off perfectly. I like this going, Apparently we're in the MSP space, so I'm like, let's do a theme and it's casino because this is where it's acceptable. Microsoft would be like, no way. You can't do casino. I don't know where we're gonna dig all the holes, but it is Vegas.

So it felt very appropriate with the theme this year of Right of Boom being in Vegas. So, you know, we're getting our De Niro really themed into us, but we're gonna do a CTF uh, challenge, but we're actually gonna use our Blackpoint, uh, technology, our platform, we'll break people into groups. And the idea is we have a lot of scenarios that are gonna, that are basically gonna be time scenarios and, um, uh, your team will be responsible for being the defender essentially.

It's almost like a backward CTF, which I think is awesome. Um, they're gonna be time scenarios to find certain, um, flags, uh, within our system. And then there's gonna be some Easter eggs and some bonus, uh, bonus points you could gather from that. And we're gonna break up the team so that there's gonna be some roles.

And one of the roles is really that incident handler role where you're going through this process and at the end of it, there's gonna be a fun after action activity where Phyllis and I will be kind of making sure to provide like the mapping to CIS controls because CIS has a really good mapping to MITRE. And so ideally, hey, we found all this bad stuff. This was the technique. Here's the official MITRE technique, boom, here's the CIS recommendation.

So we can make it really fun and, and not too difficult. And of course the winning team. Um, you know, John, I don't, I can't say we're gonna give away a Ducati this time, but maybe we'll give away something cool. I don't know about a, not a boat. Maybe a little Mini scooter. Yeah. Yeah, actually that would be great. E scooter. You can't take it on the plane though, but we do, we ship. So the Ducati wasn't a fun thing we had to ship.

The guy who won it was in the UK, so we really wanna make sure Right of Boom, whoever wins is in the US that way we don't pay fees. Very cool. Thanks for giving us preview on that. Gary, by the way, I, not that I should be shocked, but, um, your vonahi pre-day, A mini bow. Yeah. Selling out almost. Yeah, it's awesome. I mean, it is been a great special project.

Um, you know, we're careful about how much time we ask our members, you know, peer members to work on a project, you know, um, each quarter we do one, but this one have, we've gotten like some of the best feedback and this is what it takes. You gotta bring things that have been hard to bring to our marketplace and, um, you know, because of pricing and then the technology comes and we can start to, you know, expand what we do. So, um, but Mackenzie, thank you so much for, for being here.

And Andrew, you know, this just goes to show you like, you know, being here every week, all of all of us. Like I know for me, I came here almost three years ago because, you know, dealing with MSPs and as a thought leader I need, I need to, you know, raise my game around security maturity. And I can't tell you how many people tell me that this was how they got started. Like this is what led 'em on their journey, was coming here every Monday with us. So that's Awesome. Great stuff. Mackenzie.

Thanks a million for joining us. It was great to see you in the new, uh, new spot at Blackpoint. We always Awesome seeing you. We'll see everybody next week. Thanks as always. Thanks.
