00:00:00
Yeah, the title is not clickbait here, ladies and gentlemen. Yes, the US nuclear weapons agency did in fact get breached. Now, you know, I love talking about computer cyber security. I love talking about crazy hacks, especially when things are out of our control, because sometimes all you can do in this crazy world is sort of laugh. Okay? And that's really all you're able to do right now, ladies and gentlemen. So, for anybody that doesn't know what's been going on, this is the United States Department of Energy. And underneath the Department of Energy is, again, the National Nuclear Security Administration, the NNSA.

00:00:37
Now, what is the job of the NNSA? Their core mission, meaning this is literally what they're made for, is to ensure the United States maintains a safe, secure, and reliable nuclear stockpile through the application of unprecedented science, technology, engineering, and manufacturing.
00:00:59
So, their job is to maintain all of the nuclear weapons that the United States has, which, for anybody that doesn't know, if you look at the grand list of how many nukes people own, there's really not all that many countries that have nuclear weapons. But the two biggest are the United States and the Russian Federation. I think the Russians have more in number, but the United States has a guarantee that all of the ones that they have can blow up. Now, obviously, you only really need a few nuclear bombs to end humanity. Somehow, we've made hundreds upon hundreds to the point where you could end the world several times over, okay? And still have enough nuclear weapons to raise the party even higher. Why would somebody need that many nuclear weapons? To be honest with you, I will let the government answer for that, okay? Because it makes no sense to me.

00:01:51
Now, when I read that apparently they got breached, that's some scary headline. Whoa, the nukes got breached. Now, I want to demystify and, you know, basically call out the misinformation. Okay, I'm somebody that knows my fair share about cyber security. I know what I need to tell the audience: nothing sensitive, nothing classified, no nuclear codes, none of that was actually distributed to the world. So again, just to give you an idea, if you're worried that the bombs are going to be hacked and fly above you, they're most definitely not.

00:02:26
Okay, to give you a quick idea about how nuclear weapons sort of work, the actual technology behind nuclear weapons and the measures that we have are pretty low tech, to be honest with you. So first off, a lot of these nuclear weapons are air-gapped, meaning that they are completely isolated from the actual internet, meaning that no hacker should in theory be able to breach into the computers that run them. Now, the other thing is there are a lot of legacy systems that are still used in nuclear weapons. Okay? And that's literally by design. Having things that are low tech makes them ultimately actually less vulnerable to modern methods. So you don't have to really worry. And just to give you a final action over here, there's things like permissive action links, which are actually failsafe electronic locks. And of course, you need more than one person to fire nuclear weapons. Okay? So, trust me when I say this. There are a lot of actual safeguards we as human beings have made to prevent ourselves from blowing each other up. And the reason we do it is because we've made nuclear weapons. They can end lives. Okay? You got to be real careful with the nuclear weapons you make.

00:03:36
Now, I know that some people have said, "But Muda, I heard they ran nuclear weapons on floppy disks." According to SACCS, they've moved to a highly secure solid-state digital storage solution. And "highly secure" is all you need to hear in this story. So, you might be like, "Well, Muda, if they didn't hack the nuclear weapons, then what did they hack out of the actual nuclear agency?" Well, according to the actual nuclear agency, it was really a small number of systems that were impacted. However, this is part of a much larger hack called the Microsoft SharePoint hack or the ToolShell hack. And for anybody that doesn't know what's going on here, as of like the last couple of days, around 400 institutions were actually hacked internationally. Okay, this is a pretty massive hack that's been happening. So, one of the chief boys on the actual update over here, some of the chief people from Microsoft, literally did say that there were multiple threat actors, but they assessed that one actor for the early exploitation is a Chinese nexus threat actor.

00:04:38
Now, what is a nexus threat actor? Well, a nexus threat actor is somebody that basically is affiliated with the government. Remember, cyber warfare is pretty much legal as long as the government backs you. Okay? So whether you're an American NSA hacker, whether you're some Russian hacker, whether you're an Iranian hacker or a Chinese hacker, a North Korean hacker, ain't no way you're getting extradited for hacking some of the biggest players in the game. But I think we're at a point where maybe it should be considered somewhat of a war crime when you're trying to breach into the nuclear military weapons apparatus of a rival country.

00:05:15
So how did this hack actually happen, ladies and gentlemen? Well, through something known as Microsoft SharePoint. Now, for anybody that doesn't know what SharePoint is, to give you a quick understanding of how SharePoint works, it's basically a content management system and an intranet platform. What an intranet platform is is people actually in companies or corporate areas or even locally can make their own internal internet with things like website portals, document management, a lot of collaboration tools. You can make your own local internet. Okay, your intranet, if you will, where again all of these websites should in theory be accessible internally, or you can use them as part of your big business. So for instance, if you want to get access to something like SharePoint, you can go to Microsoft and you can purchase plans as low as $6.80 Canadian per user each month. And of course some companies go at 17 bucks a user a month. Sometimes if you want like Microsoft's AI, you can pay 40 bucks per user a month. And you might be like, who's willing to do that? Well, in this case, it was a lot of organizations like the United States government, okay? For them, burning money is no problem, okay? Just ask them to spend $100 million. They will.
00:06:32
Now, I want to just stress and say that this wasn't Microsoft actually getting hacked. So, there are two key differences here. There is SharePoint Online, which is what we just looked at, where you can go to Microsoft and buy a subscription for a cloud version of SharePoint, or there is on-premises. Now I want to specifically say the on-premises version actually got hacked. So for anybody that doesn't know the difference, when you go to Microsoft you can actually download something like SharePoint 2019, and you can download this, install this, and actually try it yourself for like 180 days. They give you a whole user key for it and everything, and you can actually do SharePoint stuff on your local system. So you can run things on your local devices, your local servers, and they never touch Microsoft. Okay, it's a locally self-hosted version of SharePoint.

00:07:20
Now again, when it came to the Department of Energy, the nuclear division got hacked with the SharePoint on-premises. So that's why they actually had a limited number of systems. They also had a lot of good cyber security practice. So realistically they were able to snap onto this pretty quickly, capture it and lock it down and start cleaning it pretty rapidly. A lot of this hack just happened very rapidly across the board. Everyone's kind of just trying to survive it right now. But there are other organizations that got hacked, like the US Education Department. You had Florida's Department of Revenue, and you had plenty of other government systems that got effectively hit, and that is something that is very worrisome. So the actual attack that happened was something that is now categorized as CVE-2025-53770.
00:08:10
So this is the deserialization of untrusted data in on-premises SharePoint servers, allowing an unauthorized hacker to execute code over a network. Now, that's a lot of nerd speak, but basically what's happening is they were able to use a POST request and, using a vulnerability in the SharePoint server, they were able to get SharePoint to process something in an untrusted manner and basically run remote code. Now, if you've ever heard of an RCE, you probably have if you watch my channel with virus investigations and all the cyber security I talk about, it allows a hacker to run code on somebody's system. And that code could be anything, okay? It could be code that allows them to persist for a long time on a server, move laterally, or grab a whole bunch of information. Remember, the people who are discovering and doing these kinds of hacks are some pretty scary types of people. Now, this was given a code of 9.8, which basically means this needs to be patched ASAP. That's what that code means.

00:09:12
Now, to give you an idea, this was something also known as a zero day. Now, for anybody that doesn't know what a zero day is, a zero day is effectively a hack that people have discovered. A lot of malicious guys, in this case allegedly the Chinese nexus group, but really it could be anyone, these people discovered a hack. They did not report it to Microsoft. They didn't report it to anybody. They kind of waited until they could use this to basically attack a whole bunch of organizations. So rapidly this exploit was used against 400 agencies, nuclear group included, and yeah, everyone just kind of faced the whiplash. Now Microsoft came in and obviously they released a bunch of patches, which they highly recommend, highly recommend you install onto your systems, especially if you're running that SharePoint locally. And if you're not running it locally, move that into the cloud, as Microsoft would recommend, because the cloud stuff, it's all totally fine. So, how did this exploit basically work? And you can actually try this for yourself and sort of lab it out if you want.
00:10:15
Basically, you can make three different virtual machines and you can grab SharePoint, and provided you don't update it, obviously, to the latest patches, which would mitigate this actual malware, you can kind of examine how this attack would work, you know, in theory. So to give you an idea, that zero day, when it was exploited, and again it could have been organizations like Linen Typhoon, it could have been Violet Typhoon. So to give you an idea how this kind of works from a technical level, the attacker would send a POST request to the endpoint of that on-premises SharePoint server, and that code could look something similar to /_layouts/15/ToolPane.aspx?DisplayMode=Edit. Now the trick here is the header for it. The Referer header should basically be set to /_layouts/SignOut.aspx.
00:11:05
So for having a spoofed header, for instance, what SharePoint will do is it will think it comes from a signed-out page and therefore it bypasses, from what I understand, some level of authentication. Now once you've bypassed a level of authentication, you can send a malicious payload, and it looks something similar to this as a POST request. Now once that is effectively sent to the actual individual at ToolPane.aspx, SharePoint deserializes all of that untrusted data in an incredibly insecure manner that effectively will trigger a remote code execution, and then it allows the hacker to basically do whatever they want. They run the code that they want and they can do whatever nasty things they want to do. Now, obviously, this is dangerous because you never need to log into anything. It's completely unauthenticated. And a lot of those hackers, after they've stolen the actual keys involved, can basically remain incredibly stealthy.

00:12:05
And again, thankfully, this was only for the on-premises servers. I believe a lot of people still have moved up to the online cloud side, which, you know, after today, after what has just happened, yeah, I think a lot more people are going to be paying those subscription fees to Microsoft just to get off the premises, especially if this kind of stuff exists. Now luckily this is a perfect proof of concept made by got ocve, all right, where they can actually show you how this stuff kind of works in a more code manner. Okay, so they again have entire sections where they check if the ToolPane.aspx is accessible. They send a malicious web part payload to ToolPane.aspx. Okay, so you can see /_layouts/15/ToolPane.aspx?DisplayMode=Edit and yada yada yada. But yeah, it's pretty bad, ladies and gentlemen, when again this level of attack can happen.
00:12:58
Now, thankfully, in a lot of this situation, especially when it came to the nuclear agency, the NNSA, they never had to worry too much because a small amount of those on-premises SharePoint servers were actually hit. And thankfully, nothing classified, nothing super duper sensitive actually ended up getting hacked in here. In fact, from what I understand, the government does primarily use those 365 cloud services as much as they can. So, that actually probably was one of the big things that ended up saving them. And again, just having good practice for your cyber security is always going to help you down the road. It's one of the things when I've talked about, like, you know, as long as you have things like password managers, your two-factor authentication, and again, I'm speaking for like a very local user, as long as you have good practices on setting that kind of up and keeping it maintained, which honestly isn't really all that much work. A lot of it is just what you do initially. You can kind of set and forget in some cases. You literally don't have to worry when everything gets hacked. That's one of the reasons why, when we talked about that 16 billion password story, you know, a lot of it was just a nothing burger. And second of all, as long as you followed good practices, you literally could just fall back asleep and never worry, because as long as you practice good things, you're fine. And that's kind of, at a bigger scale, what saved the government.

00:14:19
But to me, what's really just scary about this is, like, all these organizations are targeting a lot of critical infrastructure. You know, this isn't the only thing happening to us. Like I was reading the other week that Singapore was going through a very concentrated level of testing and cyber warfare that's happening against their critical infrastructure. What just scares me is obviously how much these things are getting targeted because, you know, for the last couple of years, you know, when we looked at things like Colonial Pipeline, SolarWinds, a lot of stuff, a lot of these hacking groups are now going after things that, if they hack energy grids, if they hack logistics, if they hack critical infrastructure like communications, it literally could be stuff that can actually cost human lives. Obviously, right? You know, because if you take away people's power, if you take away people's access to resources, if you take away communication, you probably are also impacting things like hospitals, you know, nursing care, a lot of things where again these critical infrastructures are literally the thread that holds people's lives in balance. That is what scares me.

00:15:28
You know, obviously, thank God that the Department of Energy has kept our nuclear weapons far away from hackers, and thankfully that will forever be the case. But when it comes to all the other stuff as well too, a lot of the other organizations that are in here that probably don't have that level of IT support, that level of cyber security, like, cleanliness, that's what you have to watch out for, okay? Because ultimately when the blackouts start happening and, you know, when it really hits the fan, okay, these are the organizations that these scumbags are going to target first. And that's the stuff that freaks me out, right?
00:16:03
Like in a normal world, this should be an act of war. But we live in a society where this stuff just happens and we just keep pointing fingers with nothing, like, actually being resolved. You know, maybe we as countries have to probably come together and have some level of, they call it the, what is that? What is the, the Geneva Conventions, right, for like warfare. Maybe we need to have something updated to prevent each other from, like, cyber attacking all the time, because ultimately what they're targeting actually has some serious implications.

00:16:37
This is not some nothing story. We can laugh and be thankful that the nuclear arsenal is safe and sound, but we still should be vigilant and a little cautious about why all of our critical infrastructure is getting targeted on a day-to-day basis. That is scary. Anyways, if you like what you saw, please like, comment, and subscribe. Dislike if you dislike it. If you learned something, let me know in the comment section below. I am