Darknet Diaries - Ep 15: Ill Tills
Episode Date: April 1, 2018
A major retailer was hacked. Their point of sales machines were riddled with malware. Listen to hear how digital forensics and incident responders handled the situation. What malware was found? Where was it found? How was it stopped? And most importantly, how much data was leaked?
Transcript
I was having trouble sleeping one evening and I had gone to bed and then I woke up.
So I went downstairs to just futz around for a little bit and I turned on my computer and
I was looking at my email and here was a message from my bank, B of A,
saying that my account had dropped below $25.
And at the time, it didn't trigger anything in me
because I knew I had about $30-something in it.
And it was an account that I used to keep money for equipment, materials,
that type of thing for my business. But anyway, so I thought of that and just, yeah, okay, fine.
And then I went back to sleep. And when I finally got up in the morning, all of a sudden I'm sitting there making my coffee and I'm going, well, why did my account go down below $25?
I haven't used that account in a couple of weeks.
This is Tom. He's just found out that somebody's used his credit card without his approval.
So obviously things are shot. So I immediately
called the bank and I said, I don't know what's going on, but I got a notice from B of A that I
was overdrawn. So their fraud department said, okay, fine. And they started a deal and immediately
notified me that my accounts were frozen and that I couldn't do anything.
So this was kind of a frustrating thing.
I'm sitting there saying to myself,
how in the hell could that happen?
These are true stories from the dark side of the Internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a subscription
service that finds and removes personal information from hundreds of data brokers' websites,
and continuously works to keep it off. Data brokers hate them because Delete.me makes sure
your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring
the internet for my name and gave me reports on what they found. And then they got busy deleting things. It was great
to have someone on my team when it comes to my privacy. Take control of your data and keep your
private life private by signing up for Delete Me. Now at a special discount for Darknet Diaries
listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash
darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash
darknetdiaries and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries.
Use code darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there,
and I can vouch they do very good work.
If you want to improve the security of your organization,
give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher.
And he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this.
The whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what
services they offer and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
This is the story about a time when a major retail outlet got hacked.
I'm not going to give the name of the store or even when this occurred because those details aren't important.
This story is fascinating enough without it.
This company is huge, though.
They have thousands of stores in the U.S. and many more all across Europe and Asia.
They do business both online and with physical stores all over the world.
And, of course, each of their physical stores have computers that are connected to the network.
The story starts out with an email.
One of the credit card brands had found some cards on the black market being sold,
and they were linked to this store.
The card brand emailed the store, letting them know some cards that are on the black market
have a common purchase point of these retail stores. Specifically, they found 10 credit cards on the black market
whose last purchase was this store. Now, 10 credit cards found on the black market is not
really that big of a deal, especially when credit card dumps have tens of thousands of cards in them.
But the store wanted to investigate anyways, so they called a consulting firm called Kroll.
Hello?
Hey.
And they asked Kroll to investigate their network and try to find if there was any traces of malware on it.
And they got a team to help them out.
Let's meet two of the members of that team.
My name's Courtney Dator. I'm a senior managing consultant.
And my name is Matt Bromiley.
Both Courtney and Matt are incident responders.
Their job is to go into a network that is breached or may have been breached and find, isolate and fix the problems.
Both of them are used to working on larger cases and specifically cases involving finance and retail.
So doing an incident response for a global retail company is what they're good at.
And these two got right to work looking for any signs of hackers in the network.
We usually start with two different approaches.
Number one, we'll start to understand what's already been out there.
So what type of data has been leaked and is it something that could actually be resulting from a breach?
That's kind of number one.
Number two is we'll also come in and drop in whatever tech we use.
So the tool that we use primarily is Carbon Black, which is an
endpoint monitoring tool, endpoint monitoring and analysis tool. We use Carbon Black and we
deployed that throughout the environment. So it's usually that two-step approach is to quantify the
data that's been exposed, drop in our tech, and we start to kind of get deployment throughout the
entire environment. This particular customer has over 10,000 systems globally.
They're acting in every major country that's out there.
They've got outlets in every single one, if you will.
And we were deployed on a global scale
to almost every system that they owned
that was running Windows
and that could handle the agent software.
So basically everything Windows XP and above. The computers at each of these stores had antivirus running, but it wasn't
picking anything up. And the endpoint monitoring software wasn't finding a lot either. But the
store's IT team had noticed one system was acting funny. So they took it offline and asked Matt and
Courtney to look into it. So originally the company had identified that first system for us.
It was actually already identified. They had pulled it offline.
So that was somewhere where we were able to look.
And this particular system, it looked like a bloody murder scene.
When you just take a look at this system, it's just stuff everywhere.
There's malware all over the place.
And we also found several directories full of non-sensical binary data files that just didn't have much of anything inside of them.
But there was size to them. And on Windows environments, very rarely do you come across just kind of blobs of data
that don't have any structure or purpose or are in the wrong place, like these files were.
And we came across thousands of them.
And every single file, believe it or not, also had the same naming convention.
It was a six-digit date, so month, day, year, followed by a host name, followed by a seemingly random string of digits.
These weird and unusual files were encrypted, so neither the company nor the team could see what was in them.
in different logs, we were able to basically track via different IP addresses where that
account that was owned was also reaching out to.
So from doing that, we were able to see where it was reaching out and where they were pushing
malware to from that machine as well.
And then in doing so, we also found additional malware as we kept going out.
There was just more and more specific variations of the same malware.
So from there, we were able to get most of it.
And then we got to a second major host machine.
And we were able to then spawn out from that one as well.
And then we got to a third one.
And we identified basically upwards of about 1,200
compromised systems.
The malware sits on these systems,
scrapes all this data out of memory,
and then it pushes that data over the wire
to the central repository system.
So this particular malware was writing to an output file.
So we knew that this malware was
writing to a particular output file with a particular file extension. So we were going,
looking across the network for all the files with the same similar naming patterns and similar
file extensions. And we also looked at the different malwares because some of them have
a different naming convention in each of the different output files. So we made sure we were able to determine all the output files. We pulled them
all together. So at this point, the team had found over 1,000 computers, all in the network
with the same malware. But here's the worst part. Want to guess what these computers were used for?
They're the cash registers where you go buy something and you swipe your card,
or you insert your card. These days you insert PIN and chip. Sometimes you still swipe the
penny, but the systems that are compromised are those particular systems. Malware that
exists on 1,200 computers that are cash registers is terrifying. So the team began studying this
malware to try to understand what it's doing.
The output files were encrypted using XOR and the company couldn't decipher it. But Matt and
Courtney spent some time and eventually cracked the encryption. They were able to see what was
in those files. What they saw confirmed their fears. The malware was grabbing every credit
card that was swiped on that register
and putting it in this file. The way that they were scraping cards were they were scraping from
memory but they did it basically using 15 and 16 digit characters. So they were pulling anything
that was 15 to 16 digits and usually it's followed by something along the lines of an equal sign or
some sort of delimiter and then it gives you the four digit expiration number.
So based off of that, that's where they were able to pull card data down from memory.
And using that basic algorithm, they were able to get mostly positives, but occasionally
you do get a few false positives and some of the things that are scraped.
This company is now in a nightmare scenario.
So many of their cash registers have malware on it
that's scraping every credit card that's being processed
and then sending that data out of the network.
As the credit card data leaks out of the company and into the wrong hands,
the criminals who get these cards can use them for themselves.
They do things like write the card data to a blank credit card and then withdraw cash from ATMs or use these cards to buy gift cards and sort of launder the money. The thieves found a spring
of seemingly endless money and they were making some serious cash off this retail company.
Our initial feeling was there's going to be a lot of data here.
I don't know the initial thing that you think about.
And it's like an investigator's curse.
You never want this number to be high.
But one of the first things you think about is how much data has been stolen,
how much data has actually been accessed.
Because when you've got that much malware in an environment that big,
the first thing you have to think is, I've just found thousands of
output files. What are the chances that I'm also looking at millions of credit card numbers? You
never want to be in that target world, right? Those tens of millions of numbers and that kind
of stuff. You never want to be there. But unfortunately, when you uncover a breach this
big, one of the things that creeps into your mind is, you know, please, please, please don't be that.
Don't be that large.
But wait, that was North America.
We found the exact same type of infrastructure in Europe as well as in Asia Pacific.
We had these central pivot points that the attackers were using basically as clearinghouses. And malware was directly writing over the wire,
right to these systems as they were going,
thousands of systems at a time, simultaneously as well.
And like I said before, the registers all had antivirus installed on it.
But it wasn't picking up this malware in particular.
So this is actually a new variant that we've uncovered.
It was not previously known.
So there's a couple of little surprises about this malware.
So first off, it was an unknown variant, but it's a derivative of TinyPOS.
There's a legitimate TinyPOS point of sales software.
Then there's a TinyPOS piece of malware. And TinyPOS is a piece of malware that is pretty, I don't want to say sophisticated, but for what it's able to do, it's pretty well developed.
And I'd say that, you know, knowing I just complimented a malware family.
But it's pretty well put together.
But the kicker here is every single piece of card-scraping malware that we came across on this case was less than six kilobytes in size.
As we kept adding more and more stores, there was definitely a point where we're
like, are we gonna have millions of cards here? I think especially as we saw the
output files go higher and higher in number, I was like, oh, let's hope
some of these overlap. Yeah, definitely a no shit moment.
But wait, but wait, hold on, it's worse than that. About 80% of the systems were
the point of sales, the point of sale registers. The other 20% was the back of house systems as well.
The back of house systems that sit in the back of the store
that no one has access to,
aside from the store themselves.
But those systems had malware on them as well.
And those systems also had data
that was being scraped in them too.
Delivering this kind of news to the client is never easy.
The team had to call the client to tell them what they found.
Yeah, I would say it was us, them, and lawyers.
That was a fun chat.
So I guess to give you a very brief perspective,
there's always that moment of when you receive that external alert or when your client receives that external alert, there's always that moment of like, is this bullshit?
Or like, how real is this?
So when we had that call and we said, hey, FYI, we have uncovered this.
We have uncovered this malware.
We found what it's able to do.
We've uncovered all these output files. The very first reaction, because the output files were encoded, they actually had a custom
encoding that the malware was using. Because they were encoded, there was a little bit of like,
well, that data is just garbage, right? There's nothing in there. And we're like, well, we actually
decoded it. There was definitely a little bit of an oh shit on their part as well, because it becomes real once you find out that, you know, kind of your greatest fear has come true, which is someone's been hanging out in your house for a while.
The lawyers, they do a very good job of letting us get everything out and then they process it and then they come back and ask questions.
But there's always a little bit of hesitancy.
They want to make sure you're correct.
Because if you come out of the gate and you say, yeah, we have evidence of a credit card breach, there's a lot of wheels that start to turn.
You're on a clock depending on the state.
Some states, you're on a clock then about disclosure and that kind of stuff. You've got to file for protection
with the credit card brands and everything like that. So they ask as many questions as possible
to make sure you're 100% positive and what you see backs up. You know, technically you can back
up what it is you're saying because they know that there's a lot of money about to be spent based on that, based on that finding, based on that opinion.
So next, this is where Courtney and I then fall into the quantification mode, where now,
okay, we've got a breach.
Now we need to understand how wide, how big and how much data is at risk here.
That's kind of the next step that you want to answer is,
how much data is actually at risk when you have one of these breaches here
and just how far back does it go?
Doing some digital forensics,
the team was able to see when the malware was originally installed
and where it came from.
And from this investigation, they found the hackers were in the network for...
About seven to eight months they were in there
they were in the network probably at least a solid month of just reconnaissance before they built
their perfect piece of malware and then even throughout time we saw them make slight modifications
to it as they kept going forward they knew exactly where to go get the credit cards on every system.
Unfortunately, the system that they first compromised with, that they first came into,
was no longer available. I think personally they came in with a phish, only because there was very little exploitation of systems.
Even though there was a very vulnerable environment, there was very little exploitation of those vulnerabilities.
And that may be, again, because they didn't need to do that.
So I don't want to rule that out immediately, but I don't know.
Most of these cases I always see start with some sort of a phish.
Especially to set up the infrastructure that these guys had, that the attackers had set up here.
It makes me want to think it was likely a targeted approach.
But you never know, you know, you never know until you find it.
Phishing is when a hacker targets an employee to try to get them to click something they
shouldn't click on.
It could be an email with a malicious link.
It could be a Word document with macros enabled. Once the person clicks the malicious link, that computer can become infected and then
under control of the hacker. And when the hacker is in the network, they can move
over to another machine to start setting up their malware.
With simple cocktail napkin math, you're scraping, you know, five to 600 stores for a period of eight months.
And that period of time includes the summer, it includes multiple sale weekends, it includes the
build up to Christmas, and that kind of stuff, you know, including all those various time periods,
you could very easily get into the hundreds of thousands or millions of cards easily with kind of those
considerations and those factors.
So the next step is let's get these output files parsed, let's start to concatenate this
data together and let's start to dedupe it and see just how much data we've got exposed
here.
Yeah, I want to say it took us at least two weeks to get through all of the credit cards
and really dedupe them and make sure that everything we had were actual card numbers.
Something particular in this case that we ran into was credit cards that looked like
credit card numbers but weren't actually valid card numbers.
So that was something that we had to do a lot of
deduplication and verification with,
both on our end and with a little bit of help
of the card brands to determine if what we were seeing
were all actually card numbers.
We started uncovering card data that was expired.
We're like, how are we finding so much credit card data that's expired? Like, it's one thing if you find, you know, let's say you have 20 numbers from the day and you find one is expired.
You're like, oh, OK, someone accidentally swiped an old card or something. Right.
But then you start to wonder, you're like, why am I seeing a significant percentage of
cards that have already expired?
What was happening in this case is, if you remember earlier, I mentioned that the malware
was on the back of house systems.
The back of house systems were running SQL servers.
And the SQL servers had historical, unencrypted track data that was being loaded into memory.
And the malware was picking that up.
They were picking up transactions from as long as four years ago.
The attackers were effectively peeking back in time.
They were looking at transactions from three to four years ago,
that they had no visibility to,
which is another unique angle
because most of this malware exists at the swipe
or it exists to steal at the swipe.
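An added example, not from the episode and not Kroll's or the responders' own tooling: a small quantification helper of the kind a DFIR team writes once the scraper's output files are decoded. It assumes (my assumptions, not the episode's) a single-byte XOR key and a record layout of "PAN, delimiter, four-digit expiry" matching the scraping pattern described above, uses public card-brand test numbers as constructed sample data, and performs the two checks the team mention, Luhn verification for the false positives and filtering of already-expired entries, before deduplicating.

```python
"""
Quantifying decoded card-scraper output: decode, extract, validate, dedupe.

Assumptions (constructed for this example, not from the episode):
  * the output file is XOR-encoded with a single byte key (XOR_KEY);
  * each record looks like "<PAN><delimiter><YYMM>..." where PAN is 15 or 16
    digits and YYMM is the expiry, mirroring the scraping pattern described.
"""
import re
from datetime import date

# A 15- or 16-digit run, a track-style delimiter, then a four-digit expiry (YYMM).
RECORD_RE = re.compile(r"(?<!\d)(\d{15,16})[=^|](\d{4})")

# Constructed sample: public card-brand test numbers (not real accounts) plus junk.
_PLAIN_RECORDS = "\n".join([
    "4111111111111111=2712101...",   # valid Luhn, expires Dec 2027
    "378282246310005=2605201...",    # 15-digit Amex test number, valid Luhn
    "4111111111111111=2712101...",   # duplicate of the first record
    "1234567890123456=2801...",      # 16 digits but fails Luhn: a false positive
    "5555555555554444=2101...",      # valid Luhn but expired (Jan 2021)
])
XOR_KEY = 0x5A                       # assumed single-byte key for the sample
SAMPLE_BLOB = bytes(b ^ XOR_KEY for b in _PLAIN_RECORDS.encode())
REFERENCE_DATE = date(2024, 6, 1)    # "today" used when judging expiry


def xor_decode(blob: bytes, key: int) -> str:
    """Undo the single-byte XOR encoding and return the plaintext records."""
    return bytes(b ^ key for b in blob).decode("ascii", errors="replace")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_expired(yymm: str, today: date) -> bool:
    """A card is usable through the last day of its expiry month."""
    yy, mm = int(yymm[:2]), int(yymm[2:])
    if not 1 <= mm <= 12:
        return True             # malformed expiry: treat as not live
    return (2000 + yy, mm) < (today.year, today.month)


def quantify(blob: bytes, key: int, today: date) -> dict:
    """Decode one output file and count unique, Luhn-valid, unexpired PANs."""
    text = xor_decode(blob, key)
    seen = set()
    stats = {"records": 0, "luhn_fail": 0, "expired": 0,
             "duplicates": 0, "unique_live": 0}
    for pan, yymm in RECORD_RE.findall(text):
        stats["records"] += 1
        if not luhn_valid(pan):
            stats["luhn_fail"] += 1
            continue
        if is_expired(yymm, today):
            stats["expired"] += 1
            continue
        if pan in seen:
            stats["duplicates"] += 1
            continue
        seen.add(pan)
    stats["unique_live"] = len(seen)
    return stats


if __name__ == "__main__":
    print(quantify(SAMPLE_BLOB, XOR_KEY, REFERENCE_DATE))
```

Across thousands of real output files the same function runs per file with one shared `seen` set, which is the deduplication step the team describe; the expired count is the signal that pointed them at the back-of-house SQL servers.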
This episode is sponsored by Shopify.
The new year is a great time to ask yourself,
what if?
When I was thinking, what if I start a podcast?
My focus was on finding a catchy name, some cool stories, and working out the best way to record.
But oh, so much more goes into making a podcast than that.
If you're thinking, what if I start my own business, don't be scared off.
Because with Shopify, you can make it a reality.
Shopify makes it simple to create your brand, open for business, and get your first sale.
Get your store online easily with thousands of customizable drag and drop templates.
And Shopify helps you manage your growing business.
Shipping, taxes, and payments are all visible from one dashboard,
allowing you to focus on the important stuff.
So what happens if you don't act now and someone beats you to the idea?
The best time to start your new business is now with Shopify.
Your first sale is closer than you think.
Established in 2025.
That has a nice ring to it, doesn't it?
Sign up for your $1 per month trial period at Shopify.com slash Darknet.
Go to Shopify.com slash Darknet and start selling with Shopify today.
Shopify.com slash Darknet.
Now the team is ready to begin removing the malware from the network.
They needed to understand every hole that was in the network and patch every one so that the hackers could not get back in.
We didn't actually have to take any of the stores offline.
Once we were able to really find those pivot points,
taking those offline or at least making sure that we had process blocking in place was able to stop it for the most part across the network.
Yeah, we ended up shutting down the clearinghouses, the central points that they were using.
We ended up taking those off first and then waiting to see what would happen next. The first time we had kicked them out,
we actually saw them reenter through Asia.
And within about three seconds of reentering,
they had re-compromised 40 different systems.
I never want a company to actually be breached,
but part of my job is to find that stuff.
And part of Courtney's job is to find that stuff.
So our initial reaction was first off like, ah, shit.
You know, we knew this was going to happen.
We didn't know it was going to happen this fast.
That's reaction one.
Reaction two, usually what happens if you successfully kick an actor out 100 percent, usually you'll see like a
phishing campaign or something, like they're trying to get back in at the beginning. To see them come
through the network with that speed, the next thing is like, oh shit, there's another backdoor
out there which we gotta go track down, which there ended up being a system we didn't
have visibility to. Number three, there's that moment where you see how quickly the attacker is doing what they're
doing. That speaks volumes to how long they've been in the network. You know, if you're watching
an attacker, if you're seeing artifacts from an attacker very recently, and it looks like they're
fumbling around in the dark looking for a light switch, then you're like, there's a very good
chance this person hasn't been here that long. To watch someone re-compromise four dozen machines
in, you know, 10 seconds. Okay, this
person has come back home, they put their feet up on the couch, they know exactly where the remote
is, and, you know, it's a very easy thing for them to slide right back into.
I think it was interesting to see them come back in so quick, but it was also interesting to see which tools they were immediately using.
Because at that point we had the live response there, so we were able essentially to sit
there and basically track what they were doing and see exactly how they were moving.
We had some of these records before, but it was just nice to actually sit there and be
able to confirm like, oh, they came in through here, okay, well they ran an IP scanner,
and then they hard-coded and were able to log in to all these IPs in a matter of three minutes.
The team had discovered that besides the malware, there were also backdoors installed on many systems,
which is how the hackers kept getting back in.
They had added 350 backdoors. However, they weren't pushing the malware to each.
Like, all 350 systems didn't have all the malware on it.
It was almost as if they were just allowing themselves access back in in case they ever got closed off.
But the team was able to find each and every backdoor and take every pivot point offline and stop any more credit cards from leaving the network.
It was a good feeling to finally get this malware under control.
There was about a month where every call got worse and worse.
So there was definitely a moment of, really, is this ever going to end?
You know, you can definitely get bad news fatigue after a while. But eventually,
once we started taking things offline, it then turned into positivity and we were able to
actually deliver good news calls, which is, you know, hey, we've actually remediated things. So
the attitude started to shift when once we had kind of figured out the way the global,
the attacker's global infrastructure was set up. But it's only when you get to that point where you've kind of mapped out the whole world that you
can start to actually breathe a little bit. Luckily, this malware was not ingrained to the point where
it kind of became symbiotic with the environment like some malware families do, but this one was
pretty easy to delete. And I don't say that as a challenge.
I say it as it was definitely a pain in the rear.
But it was simple enough to delete and then disable the services to prevent it from running again.
As the team was cleaning the malware off the network, they gave some suggestions to the company to improve their security.
Yeah, some password changes were necessary.
Maybe something down the line of changing their network infrastructure so it's not so flat.
That was definitely one of the things that enabled this malware
to get as far as it did
because every system could essentially reach every other system.
And there were similar shared-password administrator accounts,
like privileged accounts that were accessible on many, many
machines across the network. So I think this was a big learning point of how to properly secure
your network and make sure your encryption is in place to prevent this from happening again.
To try to trace this hack down to the person who was responsible is sometimes impossible. You can
look for clues in the malware like the language that
was used in writing it or the time zone that it's set to, but these things are just small clues that
aren't very strong. Trying to figure out who did a hack is called attribution. I'm a firm believer
that attribution doesn't really get you anywhere unless you're sitting in a political or an
executive role and you've got to make decisions off of who may be behind this keyboard and that kind of stuff.
However, it's always interesting to know.
The only thing I can say about this one is one thing we haven't mentioned yet.
North America, there was one server that was treated as a clearinghouse.
And then there was two additional systems that had backdoors on them.
In Europe, it was very much the same thing. Europe and EMEA and whatnot was very much the
same way. There was one or two systems that served as central pivot points. Asia, on the other hand,
Asia had somewhere between 350 and 400 unique backdoors installed in it. Almost every system got a backdoor. And a lot of the
compromise itself actually started in Asia. It actually started in mostly Southeast Asia
and that kind of stuff. And that doesn't lend to any attribution whatsoever. It's just when you're
going after credit card data, it's a very interesting place
to start if you catch my drift. Even if you pinpoint it that specifically, what are you
going to do, right? You're a company that's headquartered in the United States. What recourse
do you have? You've got to get your network back up. You've got to get to a point where you are not, you know, you gotta get to a
point where you're not having to fight fires every day. You don't really have time to, what are you
going to hire a team to go after these guys or something like that? You know, I mean, good luck.
So what was the final number of credit cards that were stolen?
So that number is, to the best of my knowledge, still being sussed out.
But I think after everything we had come across, we landed a little shy of 100,000.
That was all.
Which was a very surprising number and a very relieving number as well.
I don't know a lot about the current carding black market conditions,
but it's safe to say these are probably too many cards for these hackers to try to scrape money out of themselves.
So they're probably selling these cards in bulk somewhere.
And the cards go anywhere from $10 to $100 each.
So even if they got $10 per card,
that means these hackers made a million dollars off this company.
So now the company has to do what it can to try to clean up the problem.
Primarily then it falls on to the company to work with the banks and work with the credit card companies and get new cards out there. This breach was publicly announced and it hit the news,
but the public's reaction to it wasn't a huge deal.
It was, in short, it was not as crazy as you'd think. It was not that big of a deal. And I say that because you've got predecessors like Home Depot and Target and some of those huge major breaches. You've got predecessors like that, which received weeks, if not months, of news. And this one was not as prolific as that, you know, from kind of the world view.
That and then on top of it with the whole network infrastructure right now
and how often we're almost seeing these reported in the news
and some of the larger breaches that we've recently seen, including social security numbers.
I guess credit cards kind of a little bit fall to the back.
I know you're always worried it gets stolen, but in the back of a lot of people's minds,
they're like, oh, I'll just replace it, get a new one.
Besides this being a major headache for this company and even a bigger headache for the
credit card companies and banks, this also can severely impact the people whose cards got stolen.
At the beginning of this episode, you started to hear from Tom.
It's possible that Tom's card data was stolen and sold on a black market, just like in the story you just heard. Someone used his card fraudulently, and his bank was investigating
to see what went wrong. So let's hear how his story pans out. Well, the morning that they did
it was the 12th or 13th of December.
So this effectively wiped out Christmas.
And I'm a licensed contractor, and I receive some of my business through an outfit.
And with my accounts frozen and nothing able to go in or come out,
the first thing I found was that they stopped working for me. And they said, well, your bill is overdue and your bill is overdrawn and we can't
get any money. So you're stopped until something happens. But luckily, I had a financial backup on this. And so I was able to survive, but I could not work until this
was finally taken care of. So it made a couple of months where things were very, very difficult. My main bank had gone through and they said, okay, we have found the problem.
And they had now put everything back the way it was supposed to be.
And I was now able to do business with the account.
But even having done that, it still took a couple of months to get things squared away. So it was a major interruption in my life.
SAS summit earlier this year. In their talk, they went into detail about this new strain of malware.
They also reported this new strain of malware to the antivirus companies
so it can be detected in the future.
Matt has since moved from Kroll and is now working at Cylance
and has most recently been accepted as a SANS instructor
teaching digital forensics and incident response. You've been listening to Darknet Diaries. For show notes and links,
check out darknetdiaries.com. If you want more InfoSec podcasts, there's one that does an episode
almost every day. They do a daily wrap-up of the news and interview some really smart people. It's called The Cyber Wire, and I recommend it for
your daily commute. A lot of you are asking how you can help with this show. Right now, I'm just
trying to grow the audience, and it's hard to get the word out. So you'd be a big help to me if you
would tell others about this podcast. Think whose phone number you have of someone who might like
this show, and text them right now to tell them about it or post about it on social media or tell your
co-workers. These kinds of things make me super excited to make more episodes. This show is made
entirely by me, Jack Rhysider. Theme music for this show, including this song, is made by Breakmaster Cylinder.
Hey, one last thing.
I made something you might like.
I made a random password generator.
Yeah, it's a website that creates some fresh new random passwords for you.
Just in case you ever need to create a random password, I've got you covered.
Oh, and there's an extra feature too.
It has an API, which allows you to use it in your own programs.
Anyways, if you want to check out the site, it's called passwordwolf.com. That's passwordwolf.com. See you there.