Breaking Badness

7. Fending Off Canadian Tuxedos


Here are a few highlights from each article we discussed:

Aluminum Giant Was Foiled by LockerGoga Ransomware

  • Norsk Hydro share prices had fallen by almost 40% in the last 13 months because of a court-ordered shutdown following a spill.
  • The company’s shares are down 2.1% since the attack.
  • The company switched its plants from automated control to manual control.
  • There isn’t any public data indicating this was an explicit targeted attack.
    • Ransomware is in this fuzzy area, where we see it being leveraged by sophisticated and unsophisticated threat actors across the board.

LockerGoga

  • Windows-based ransomware.
  • LockerGoga first hit with a major attack on a French consulting company.

Traditional Ransomware Behavior LockerGoga Mimics

  • Drops a ransom note explaining how to obtain the decryption method via a Bitcoin payment.
  • Targets MS Office file extensions and PDFs.
  • Sandbox aware.
  • No network traffic involved, ransomware note and capabilities are all self-contained.

Non-Traditional Ransomware Behavior LockerGoga Exhibits

  • Targets JavaScript and Python scripts.
  • Modifies the password of each user account, which is interesting. This must happen after the ransom note is dropped.
    • Otherwise, you lock users out without giving them the ability to pay to decrypt their files.

Defending Against LockerGoga?

  • DON’T PAY THE RANSOM.
  • Leverage network segmentation (in case the ransomware is wormable).
  • Data segmentation and backups.
  • Behavior-based AV, something that detects the behavior of ransomware such as bulk calls to the Windows crypto APIs followed by bulk file writes.

Shocking Heart Defibrillator Vulnerabilities

  • The impact is huge here, obviously, but vulnerabilities are normal in software. It’s all about the patch-response process each manufacturer adheres to.
  • Tarik is scared of abandoned hardware, as happens with Android devices. What if a defibrillator is installed and 6 years later there is a public exploit and the manufacturer doesn’t support it anymore?
  • CVE-2019-6538 & CVE-2019-6540 – The protocol used for communication with the Medtronic defibrillator does no checks for data tampering and has no authentication (authN) or authorization (authZ). There is no encryption either.
    • Attacker needs to be in close range.
    • Attacker will likely use HackRF.

Introducing Endlessh: The Pit of Despair

  • Name came from the La Brea Tar Pits.
  • Tarpitting is a technique used to slow down attackers, often implemented with a honeypot service.
  • Tarpitting is neat, but Tarik generally doesn’t think they have a place in the Enterprise world unless they are internally facing and stood up independently.
  • DON’T INSTALL ON A PRODUCTION SERVER! Even then, be sure you don’t have automated services trying to connect to every endpoint, as the tarpit will bork those. Exclude your honeypot from your automation’s target lists!
  • After the TCP 3-way handshake is established but before the SSH handshake is completed, Endlessh sends tons of randomly generated data payloads back to the client without ever completing the handshake.
    • This leaves the connection effectively open but never complete, and prevents it from timing out.
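The banner trick described above, as an added example that is not Endlessh’s own code: a minimal Python tarpit that keeps sending random lines that never start with "SSH-", so the client waits for an identification string that never arrives. The RFC 4253 line rules, port 2222 and the pacing values are assumptions for this illustration.

```python
import random
import socket
import threading
import time

# Assumed, not from the episode: RFC 4253 lets a server send arbitrary lines before
# its "SSH-2.0-..." identification string as long as each line does not start with
# "SSH-", is at most 255 characters and ends in CRLF. Clients wait for the real banner.
DELAY_SECONDS = 10.0      # pacing between lines; long enough to tie a client up
MAX_LINE_LENGTH = 32      # far below the 255-character limit, cheap for the tarpit

def banner_line():
    """Return one random pre-banner line that the client must keep reading."""
    length = random.randint(3, MAX_LINE_LENGTH - 2)
    body = "".join(chr(random.randint(0x21, 0x7E)) for _ in range(length))
    if body.startswith("SSH-"):       # that would end the wait, so never emit it
        body = "x" + body[1:]
    return body + "\r\n"

def tarpit_client(conn, delay=DELAY_SECONDS, max_lines=None):
    """Feed one client random lines, slowly, until it gives up; return the count."""
    sent = 0
    try:
        while max_lines is None or sent < max_lines:
            conn.sendall(banner_line().encode("ascii"))
            sent += 1
            time.sleep(delay)
    except OSError:                   # client disconnected
        pass
    finally:
        conn.close()
    return sent

def local_demo(lines=3):
    """Run the tarpit over a socketpair and return the lines a client would see."""
    server_end, client_end = socket.socketpair()
    tarpit_client(server_end, delay=0, max_lines=lines)
    data = b""
    while chunk := client_end.recv(4096):
        data += chunk
    client_end.close()
    return data.decode("ascii").split("\r\n")[:-1]

def serve(port=2222):
    """Listen on a lab host (never production) and tarpit every client that connects."""
    with socket.create_server(("0.0.0.0", port)) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=tarpit_client, args=(conn,), daemon=True).start()
```

Pointing an SSH client at the port shows the effect: it sits waiting for a banner until its own timeout, while the server spends almost nothing per connection.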

This Week’s Hoodie Scale

Aluminum Giant Was Foiled by LockerGoga Ransomware

[Tarik]: 5.5/10 Hoodies
[Tim]: 4/10 Hoodies

Shocking Heart Defibrillator Vulnerabilities

[Tarik]: 10/10 Hoodies
[Tim]: 6.5/10 Hoodies

Introducing Endlessh: The Pit of Despair

[Tarik]: 1/10 Hoodies (Briefcases/Johnny Cochranes)
[Tim]: 1/10 Hoodies (Briefcases)

That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our blog. Catch us next Wednesday at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!