Episode 108: Hack Exposes 150,000 Security Cameras at Tesla, Cloudflare and Others

A data breach exposes 150,000 security cameras used by organizations around the world, including Tesla and Cloudflare. State-sponsored hacking groups exploit Microsoft Exchange vulnerabilities. A fire in a French data center belonging to hosting company OVH affects millions of websites, including some prominent WordPress services like Imagify and WP Rocket. WordPress 5.7 was released this week with many new features.  A zero-day vulnerability was listed for sale in a new way, as an NFT on the OpenSea NFT marketplace.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.

0:19 Defiant is hiring, we have great benefits!
1:03 Security startup Verkada hack exposes 150,000 security cameras
3:55 More hacking groups join Microsoft Exchange attack frenzy
6:46 OVH data center burns down knocking major sites offline
9:48 WordPress 5.7 Released; Chloe’s HTTP > HTTPS demo
13:19 A Hacker Was Selling a Zero-Day Exploit As an NFT

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 108 Transcript

Ram:
Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, threat analyst at Wordfence, and with me is director of marketing, Kathy Zant. Kathy, how are things?

Kathy:
Things are very well. We have tons of stories. It’s an active week in security and WordPress this week, isn’t it?

Ram:
And how. Yes, it is. But first we should talk about how we’re hiring. We’re hiring for a sec ops role. If you know AWS, please apply. And a couple of senior PHP devs, and also a senior researcher for basically website performance using our Fast or Slow tool. So if you know what time to first byte means, then-

Kathy:
If you know what time to first byte means and you know how to lower that number and make sites more and more speed, and efficient, and improve the performance of a website, WordPress or otherwise, we’d like to talk with-

Ram:
If you know someone like this, you could also get a $500 gift card if you refer a successful candidate.

Kathy:
Indeed. Yes. Let’s get right into the security news. It looks like Verkada had a hack exposing 150,000 security cameras. What do you know about this one, Ram?

Ram:
It looks like a hacktivist group, including a hacker going by Tilly Cotman, gained access to over 150,000 of Verkada’s cameras, including cameras inside Tesla factories and warehouses, Cloudflare offices, Equinox gyms, hospitals, jails, schools, police stations, and Verkada’s own offices.

Kathy:
Oh my gosh.

Ram:
So it was apparently super simple. They just managed to find credentials for a super admin user to Verkada’s system, and apparently gained shell access to the actual cameras, and the full list of Verkada’s customers and private financial information. And apparently all of this just through a web browser.

Kathy:
So worst case scenario, they basically got access to everything. Customer data, as well as the actual security cameras in very sensitive locations, hospitals. HIPAA requirements fall into play there. Schools, kids. Oh my gosh. This is like a worst case scenario hack. Do you have any information on how this might have happened?

Ram:
They basically found the super admin level username and password publicly available on the internet.

Kathy:
Oh, my.

Ram:
So this is a hacking collective that goes by Arson Cats or APT-69420.

Kathy:
Okay. And an apt is an advanced persistent threat. So it’s a hacking group?

Ram:
Yeah.

Kathy:
Okay.

Ram:
But this is their own self-designation.

Kathy:
Gotcha.

Ram:
This is not what security researchers are calling them. It’s kind of a meme joke, I think.

Kathy:
Oh, okay. I like meme jokes.

Ram:
Anyways, though, yeah. They just found these credentials floating around on the internet. Incidentally, the same hacktivists claim to have leaked over 250,000 sensitive documents from Axial Co., a mergers and acquisitions platform. It looks like their Twitter accounts have been suspended, so I had to look this up on the Web Archive, but they claimed that it was due to neglect of basic security measures. I guess Axial exposed their Jenkins server on the web, and they found some S3 access keys that gave them full access to their sensitive documents. So I’m kind of surprised we’re not seeing more about this, but they’ve been busy.

Kathy:
So you’re seeing some chatter on the internet about what’s happening here and how this all got exposed, and it’s looking like other sensitive information might be a part of this.

Ram:
This hacktivist’s actions. Yeah. And it seems like all of it is basically just based on finding publicly accessible information and credentials that shouldn’t have been publicly accessible.

Kathy:
“Credentials” and “publicly accessible” should not be used in the same sentence.

Ram:
Correct. But it’s not always about credential stuffing. Sometimes it requires an actual vulnerability, like with the Exchange attacks, which we mentioned last podcast, but I’ve guessed they have been keeping incident responders up all night, all week.

Kathy:
Okay. Let’s revisit that a little bit. So there’s four basic vulnerabilities that are being chained together in these attacks on Microsoft Exchange, which is a mail server that a lot of enterprises use. And what do we know about these vulnerabilities? And what are attackers doing with them?

Ram:
First, some background. Microsoft Exchanges was for a long time the default corporate email you would use. I mean, Office 365 and Google Apps for Business, or G Suite, or Google Workspace, whatever they’re calling it now, they’ve changed names like three times, before Google Workspace and Office 365, which is basically cloud-hosted Exchange, became the sort of go-to for corporate email, on-premises Exchange was the go-to for corporate email. But a lot of companies still use on-premises Microsoft Exchange.

Ram:
So there were four different vulnerabilities, four different zero days. One was a server-side request forgery, which is where you can send a request and make it look like it’s coming from a legitimate server. There was an insecure deserialization vulnerability, which by the way, is the same issue that leads to PHP object injection vulnerabilities. It’s not identical, because different languages handle or are vulnerable to insecure deserialization in different ways, but it did let the attackers execute commands, and they combined that with two arbitrary file write vulnerabilities, which let them change the contents of local files.

Ram:
So some state-sponsored hacking groups have joined the ongoing attacks, and one of the biggest ones is a Chinese EPT group named Hafnium, according to ESET, and there’s other APTs going at it as well. APT-27, Bronze Butler, which I guess is also known as Tick, and Calypso are also attacking these. And I think some of the attackers are crime syndicates in addition to the state-sponsored attackers. So this is sort of a free for all.

Kathy:
It sounds pretty intense. Now, there are patches available for all of these vulnerabilities that are being chained together?

Ram:
Yes. It was actually an out of band patch that Microsoft made available. Usually they’ll wait until Patch Tuesday, but this went out more or less immediately. So if you are a company that is being exposed, you’re probably already attacked or already infected, but on the off chance that your incident responders aren’t already dealing with this, installing a patch is probably a good idea.

Kathy:
Yeah.

Ram:
Speaking of good ideas.

Kathy:
Yeah.

Ram:
It’s been a week.

Kathy:
It’s been a week. So it looks like OVH, which is a hosting provider, they have hosting centers in a number of different places, but this particular data center is located in Strasbourg, France. And it looks like the entire data center, OVH’s data center in Strasbourg, has been destroyed by a fire. They are the largest hosting provider in Europe, the third largest hosting provider in the world. I’ve talked to people who work there. I feel bad for them right now. They have all kinds of different hosting solutions, and there are numerous customers that are affected by this. In the WordPress world, Imagify, which is a WordPress image optimization site, and WP Rocket, their site is down. Their plugin is mostly working, but Imagify and both WP Rocket were affected in the WordPress ecosphere. There are numerous other clients that were affected, including Bad Packets, a video game maker. What are they called? Facepunch, that makes Rust?

Ram:
Yeah. They are the company that makes Rust.

Kathy:
Okay. There’s a cryptocurrency exchange bit, Deribit. Their blog and documentation site is down. Telecom company AFR-IX Encryption Utility, VeraCrypt, news outlet EE News, numerous obviously websites have been taken down. The thing that got me was that Facepunch, the maker of Rust, they have total data loss with no way for recovery. Ouch.

Ram:
I’m kind of surprised, because they’re advising customers to enact their disaster recovery plans, but I am really surprised that the company didn’t have any kind of redundancy. That’s kind of shocking. And I mean, this goes to show how important it is to do offsite backups. This kind of thing, just seeing that this kind of thing can happen, as much as we count on our hosting providers to take care of our data, and most of the time when we lose it, it’s our own fault. Sometimes it’s not. Sometimes it’s … Well, we don’t know actually why the fire happened, but anyway, sometimes things just happen.

Kathy:
Things just happen. There could be a tornado. There could be an earthquake. Physical things can happen that affect your data. So physical security is just as important as protecting against cross-site scripting attacks. It’s incredibly important that you have disaster recovery planning, and that you have offsite backups, and that you have a plan in place for disasters like this, so that your business … What do they call it? Business continuity-

Ram:
Business continuity. Business continuity is a very slightly separate, but like they tie into each other so much that-

Kathy:
So much. Right. Definitely. So obviously I think ramifications of this will continue. This just happened. We’re recording on the morning of March 10th, so we just kind of woke up to this news that this had occurred and has affected so many sites. So we will keep you posted of all of those ramifications.

Kathy:
In better news, WordPress 5.7 was released yesterday. We missed you on the live stream, Ram. We talked all about WordPress 5.7.

Ram:
Oh, I’m sorry I missed it. I hear Chloe did some pretty awesome demos though.

Kathy:
Chloe did a great demo. One of the main features that we were excited to see that I think you and I have both raved about on this podcast numerous times, was that WordPress 5.7 now offers an easy way to get your site from HTTP to HTTPS, to get that secure certificate that is generated, affecting your site so that your site is secure. And Chloe demoed how that was done, which I found to be incredibly brave. A new feature in WordPress. She was working off of a release candidate, so it wasn’t even the full released version of WordPress that she was working off of, and she did a great job. We’ll have a link to that in the show notes, but there were other features that were released in WordPress 5.7, primarily affecting the block editor. The most exciting one to me was that you can out drag and drop blocks. So there’s a little blue checkbox up in the corner. You click on that and you-

Ram:
That is a good thing, because honestly, that’s always kind of bothered me about the block editor.

Kathy:
Yeah.

Ram:
The sort of, “Oh, no. You want to move your content around? Well, have at.”

Kathy:
Yeah.

Ram:
That’s the whole point of having a block editor.

Kathy:
It is. And so it’s here.

Ram:
It took them a while, but it’s finally here.

Kathy:
It is here, and there’s a lot of other interesting things that are here that are making the block editor much easier to use. And they also have added lazy loading of Iframes, so if you’re linking in a video, and it’s further down the page, it’s not going to affect your site’s load time or that page load time. It will lazy load that. And another cool thing was that the jQuery had a stay of execution, as you put so well in our last podcast. There was a big hubbub that happened with WordPress 5.6 when it was released, and a number of plugins and themes were not ready for jQuery to be updated, so people had issues with their sites, and no issues like that this time. They’ve kicked that can down the road again. Exciting, huh?

Ram:
Exciting, but sometimes you have to kick cans down the road, especially in WordPress, when it runs so much of the internet that there’s going to be a lot of sites that are just not going to be updated in a timely manner. And I mean, eventually you will have to leave some of them behind, but we try to make as many of them compatible as possible.

Kathy:
Exactly. Yeah. When you’re dealing with a huge install base, 40% of the internet, and there’s all kinds of different permeations of plugins. There’s 50,000 plus plugins in the wordpress.org repo. There are paid plugins on places like CodeCanyon and Envato Marketplace, those types of places. And you need to bring as many people forward as possible, and many sites forward as possible. So kicking that can down the road means that your site is not going to have issues, most likely, with this update.

Ram:
As far as issues, though, I hear that … Well, at this point, we’re basically becoming a blockchain podcast, aren’t we?

Kathy:
The world is becoming blockchained. We’re all in the blockchains.

Ram:
No! I refuse.

Kathy:
Well, we’re all non-fungible and immutable now.

Ram:
I would like to be non-fungible. I feel like that’s a good thing to be, as a person.

Kathy:
It is. So our last story, a hacker is selling a zero day exploit as an NFT. You want to talk about what an NFT is, if anybody isn’t following along with the whole crypto world?

Ram:
I will let you handle what an NFT is. I’ll cover what the exploit was about.

Kathy:
All right. Okay. Sounds good. NFT, non-fungible tokens. So non-fungible means that there’s only one. It’s just a big hype thing right now. There’s lots of celebrities who are doing NFTs, lots of digital artists who are doing NFTs. And basically you pay with crypto, and you get the only version of a cartoon cat that can ever exist, because it is non-fungibly on the blockchain.

Ram:
It’s the only one that can exist on the blockchain, at least.

Kathy:
Exactly.

Ram:
I’ve seen people stealing each other’s tweets and selling other people’s tweets as NFTs too. So there’s a bit of craziness to it at the moment.

Kathy:
Don’t believe the hype, right?

Ram:
Yeah. Though I have to say that selling a zero day exploit as an NFT, actually this seems sort of unfortunately like a … I don’t want to call it a legitimate use case, but the sort of use case that I could see this actually being used for, usefully, to the kind of people who sell zero days. So this was a post-authentication memory corruption vulnerability in the ioquake3 engine, which is basically an open source game engine based on Quake 3 that developers can use to make their own online first person shooting multiplayer games if they want to. And I guess there’s already 28 games using this engine, so an exploit along remote code execution on this particular game engine is for sale as an NFT.

Kathy:
Okay. So it looks like a proof of concept exploit is redeemed with the NFT. So basically you pay for it and you get the POC, and it can be used to trigger the issue on network game servers. Single sale item sold exclusively, one time. No additional information will be provided publicly or resold. I mean, we obviously know that zero days are bought and sold in dark corners of the internet. This is not anything new. What’s new about it is that now it’s-

Ram:
You have assurance that no one else will buy it, at least not via the blockchain. We think we’re hopefully a little ways away from that being enforced in other types of data.

Kathy:
Yeah. It’s just interesting to watch different ways that people are using the blockchain. It’s interesting. This is kind of bleeding over into our world, that this is now a zero day exploit that’s being sold as an NFT. So we’re watching things. Usually these types of things end up affecting … You start seeing something happen in criminal enterprises or sort of unethical enterprises, and then it starts spilling over into more ethical-based businesses. So it’s just something interesting to watch and definitely not going to affect your WordPress site, but maybe someday. Maybe someday we’ll see a zero day for a particular plugin vulnerability as an NFT.

Ram:
Not if I find it and report it first.

Kathy:
That’s what we have to hope for.

Ram:
We have to do all the responsible disclosure before people can NFT these exploits.

Kathy:
Yes. So please make sure that you’re using Wordfence Premium, because Premium is what funds Chloe and Ram’s research to make sure that no zero day vulnerabilities in the WordPress space ever end up as an NFT. We must stop this.

Ram:
I can’t promise that, but I can promise not to ever sell any as an NFT. I can promise that.

Kathy:
We need to make sure you find them before the bad guys do.

Ram:
Exactly.

Kathy:
The NFTers do. So that’s all the news we have this week. Thanks for listening to Think Like a Hacker. If you are not subscribed to the Wordfence podcast, Think Like a Hacker Podcast mailing list you might want to do that. You can go to wordpress.com/podcast. There is a little form there where you can sign up and you’ll get notified, but if you have us on your podcasting app, you already get notified. So we just want to provide as many ways possible that you can get to Think Like a Hacker. Thanks for listening, and we’ll talk to you again next week.

Ram:
Bye.

Kathy:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.