A
Hello everyone, this is Tom Uren. I'm here with the Grugq for another episode of Between Two Nerds. G'day Grugq, how are you?
B
G'day Tom. Fine, and yourself?
A
I'm very well. This week's edition is brought to you by Trail of Bits. So Trail of Bits is a cybersecurity brains trust that does all sorts of amazing research and consultancy into cutting edge problems. So they've recently been involved in an AI vulnerability research challenge, for example, and did very well. So if you've got difficult problems and you need help, check them out at trailofbits.com. So Grugq, I've been thinking about the death of exploits. And the reason I've been thinking about this is that there's this tendency for technologies as they get more and more advanced, more and more amazing, and then all of a sudden they just disappear because they're irrelevant. And so I've been thinking about that in the context of smartphone exploitation, for example, where the manufacturers, Apple, well, Google's not a manufacturer, but they make the software, they implement more and more protections. So you look at the bug chains that people use to get code execution and they're just amazing because they rely on a series of very extraordinary exploits strung together, right? And it seems like that's unsustainable. And so I've been thinking about like the prices that these exploits go for, how sustainable it is.
B
It, it does feel a little bit like that stage of the Cold War where they were making strategic bombers by just adding more and more propellers. I think they, they topped out at like, you know, at eight or ten propellers on like one plane, right? At some point you run out of...
A
Wing and I guess in the case of that particular bomber, it just became obsolete. So it was replaced by an entirely different technology. And I guess in the context of exploits, we would replace it with, I don't know, phishing info stealers. So there are already alternatives that some threat actors use a lot.
B
In a way it feels like when strategic bombers were replaced with ICBMs, right? You could have a 20 propeller turboprop strategic bomber and it's not going to be as effective as just one ICBM, right? And like it's, it's another technology that just sidestepped all of the problems that you inherently have with that one technology. So in this case I think it would be that exploits fundamentally are brittle, they get patched. They're also incredibly difficult to find and develop and reliably exploit, which we see given that whenever they come to light it's seven chained bugs, each of which is a PhD dissertation on how to do some amazing thing when you've got a two-bit overwrite of a linked list that they then use to like create some insane thing. And it's just that cannot continue. It just, it can't keep going on like that forever. And it doesn't need to because you know, with your Android phone, like breaking into the phone to get access to your email account is probably a lot harder to do than just asking for access to your email account.
A
So one of the things I found interesting about this is that last year Google produced this report into commercial surveillance vendors. And in the report it talks about groups like NSO, Intellexa, Variston, they went through a gamut of different organizations that basically sell surveillance as a service. And it said that these vendors are behind nearly half of known zero-day exploits targeting Google products. So, so as a class I thought it was very interesting that commercial vendors are willing to invest the time and effort. Presumably they're either developing these by themselves or buying them to facilitate their business. And so I was thinking that is, here's a class of people who don't have particular targets they care about. So they're inherently, we want to go from something that our customers will have, which is maybe a phone number or an email account or something, some selector, and we want to go straight from phone number to access to that device. And so they seem like they're very constrained. If you're selling that as a service, they're very constrained to do that. And I guess you've got the Apple ecosystem and the Android ecosystem and my business depends upon being able to go from phone number to point of presence on a device.
C
Right.
B
And I mean, I think the thing is that those also tend to be very specific types of high value target. I think the issue here is sort of the specificity of what you're after.
A
Yeah. So it's a specific ecosystem and then it's a particular high value target in that specific ecosystem, which means it's very important. Which means someone's willing to pay a lot of money, which means.
B
Right. Which is the only reason it's worth doing of course, is that it's worth a lot of money to someone. And I think it's that specificity that is the hard part.
C
Right.
B
If you just want access to a Google account, an arbitrary Gmail account, you can get infostealer logs, then you'll have a thousand of them.
A
Right.
B
But if none of those thousand are the one that you're looking for, then infostealer logs are not going to help you. The thing is like, I don't think that there's that many threat actors who fall into the "I need this one specific individual as a target." Like that's a small number of elite threat actors. The vast majority fall into the "I just need a Gmail account, not this Gmail account."
A
Yep. So I guess thinking about the landscape, there's maybe intelligence agencies have very specific requirements. Commercial surveillance vendors, because they're proxies for intelligence agencies, have very specific requirements. They're both specific and broad in that they're not related to any particular country necessarily. Then you would have cyber criminals, which are anybody who's got money.
C
Right.
B
So I was going to say I think like Lazarus might be sort of the interesting overlap of those two in that they're very broad, but it's very specific who they want access to.
C
Right.
B
So they might be willing to take any Gmail account as long as it happens to also include access to a Coinbase account. Maybe like we don't, we don't need this specific Coinbase email account, but we do need a Coinbase account.
A
So I guess North Korea, they seem to survive very well for much of their work without zero-days. Like it seems that they get access without them most of the time. Like mostly it's phishing and then they'll use them for very specific things where they need to pull off a particular operation. Which seems like a clever way to use them, a good way, a sensible way to use them.
B
I think that that's how most people use them. Most of the people who use them use them that way.
C
Right, right.
B
In that it's most the time you can get away with throwing a brick through a window, but every now and then you have to, you have to use your lock picks to open the door.
C
Right.
B
Is, I think, I think sort of how it goes is like a lot of the time like it just, it doesn't matter. But then when it does matter, you sort of, you want to step it up. Reminds me of that NSA in China report that we were reading where they were just, they were not using super cool elite 0-day and like really clever techniques. They were just a very bread and butter stuff. And it's. I think that's probably the vast majority of the work that they do is that that sort of level of like, it's just, it's the, it's solid basics. So just like on the defensive side we'll say, you know, like, you need to have good security hygiene, you just need to have your good basics, you know, like password managers, multifactor authentication, updating, your patching, like, stuff like that. I think for attackers, it's the same sort of, you know, like you just need to use phishing. You just need to have like a good backdoor. You just need to have a really good password list. Like, you just need these sort of, these basic things. And then every now and then you need a 0-day as a treat, you know.
A
So I guess specifically the death of 0-days, though it seems like, I want to say it feels like another three, four years, that for certain products, they'll be very, very rare. Now maybe I'm getting ahead of myself, but that for certain other products, they'll still be as common as dirt.
B
Certain VPN and firewall vendors, not to name any names, just saying that if people are finding format string exploits and authentication bypasses using like a single quote.
A
Yeah, so that's an interesting, that's an interesting point there in that it seems that there is a dynamic that has driven at least Apple and Google to actually work very hard to try and create mitigations for phones which are personal devices. And then it seems that as you move down from the most personal device, which is a smartphone, to a PC, like Microsoft's done pretty well. Yeah, sort of up to a point. I've criticized them a lot, but the PC is a lot better.
B
They've worked very hard. If it's been very successful, maybe a little bit open to question, but they've certainly worked very hard on it. There's no.
A
Right, yeah, you can see that there is some incentive for them to make that more secure. Then you look at enterprise products and it seems like for a lot of vendors it's like, oh, I don't care at all. It doesn't.
B
So, you know, and I think that this is actually another point of the death of the exploit is that a lot of corporate environments these days are sort of. They're a whole bunch of software as a service things just sort of welded together, right. And strung together into a service mesh of some sort. And so when you're looking at exploits, you know, it's not sort of like, here is a Windows remote or here's a Solaris remote, or even, you know, here's a zero click, WhatsApp messaging, blah, blah, blah. Like none of those things are relevant because what you need is a Salesforce access bypass, right? But once you have that, it's only good for Salesforce. Now that might give you everyone that uses Salesforce whatever But you can't then use it to be like, okay, now that I've got the Salesforce access bypass, I can use it as like an Oracle access bypass or, you know, a WhatsApp access bypass.
C
Right.
B
It's not transferable in the same way. It's only useful against that one target.
C
Right, right.
A
I guess that brings to mind the recent. What was it? Salesloft Drift, I think, so just in the last week or so, the. My understanding is that there was some compromise of the AI agent that gave them some access to all the instances of that agent, and it gave them some access to the text in support cases. And the text in support cases had a lot of other access tokens and secrets. And so even though it was in some ways a very narrowly scoped opportunity, it sort of spread out in a quite expansive way. And it also reminds me of the Chinese hacking of the US Government, where it was, we have a magic token that allows us to get into different email accounts, so no traditional exploit required, but it's still magic access that comes out of nowhere.
C
Right.
B
That case you bring up, actually, it reminds me of there's a bug bounty. And I forget the details now because it was a couple of months ago, but there's a bug bounty instance where this guy found some way where he could send an email through a particular software as a service thing. He could send an email that appeared to originate from them and, you know, it was for support tickets or something silly like that. And he reported it to them and they were like, yeah, it's not a bug we won't fix. Like, it would only be a problem if people don't change the default configuration or something like that. Right. And so he was like, okay, that's fine. And then he went to every single one of their customers and reported the bug individually to them, and they each.
A
Paid him out as a bug bounty.
B
As a bug bounty. He went. And he went to like all of these thousands of customers. He's like, you know, here's a problem, here's a problem, here's a problem, here's a problem. And all of them had the configuration where he could exploit it. And so all of them reported it up to the vendor and they were like, hey, you have this bug, you have to fix it. It's affecting our infrastructure. And they got very upset. They're like, you've violated all of these things. After we said it wasn't a bug and we weren't going to fix it, you should have dropped it because you've signed an NDA that means you're not allowed to, you know, all of this stuff. And I think the thing that struck me there as funny is that this is a bug that existed only in this one infrastructure, this one service provider. Right. But then it allowed him to access all of these hundreds of thousands of customers because they were using it. But he couldn't have taken that and said, like, okay, well, this service provider isn't going to pay me for the bug. I'll go to a different service provider who has the same bug and have them pay me.
A
Right.
B
Like, it doesn't transfer that way. So it doesn't transfer laterally. It only transfers vertically, I guess.
A
Well, I guess it's a variant of a supply chain thing.
C
Right.
A
And if you happen to be in the supply chain, it's a problem.
B
Yeah. Well, I think the thing I'm getting at here is that if you have a Windows exploit, you can use it against any Windows system. It's not like if you have a Windows exploit, you can use it only against Acme Corp. This is the Acme Corp Windows exploit. And if you want to go against a different corporation, you have to find a different Windows exploit. Whereas in this case, that's true. Right. Like, and I think the thing is, if you look at the problems that people have these days, they're much more the we're using a vendor that's being compromised and a lot less someone's going after our Windows boxes. I think it was Cloudflare that came out the other day with a report.
A
Yeah, yeah, that was the Salesloft Drift thing. Yeah.
B
Right. So that, like, there was a Compromise. There was 104 auth tokens or keys of some sort that were compromised that they detected immediately, and they rotated them immediately. And I was just thinking, like, if you go back 20 years and you said like, 104 SSH keys have been stolen, or 104 Kerberos tickets are stolen or whatever, that would be a cataclysmic critical event that would end a company if they weren't careful. Like, it would just be so, so difficult to remediate or detect or any of these things. And these days it's like, oh, yeah, well, we just click, you know, select all. Then we clicked revoke.
A
Yeah, I read that blog post, and I think, if I recall correctly, they said that they wrote regex to try and find where the secrets were, to, I guess, grep through the text and find the secrets and keys. And it's like, oh, geez, that's. That's some high-pressure regex writing.
B
Well, I was going to say, well, this is where AI is probably helping people do exploits.
C
Right?
B
You can turn to an AI and be like, hi, I want to take.
A
All this text and find keys in it.
B
Yeah. Or even just write me a regex that I could use to search for a key that has this format. Right. So, yeah, I'm going to say that AI is going to be a lot more helpful with writing regular expressions to pull out secrets from logs, rather than just going to be writing exploits.
A
The other thing that struck me about that is that that seemed like in retrospect, it's obvious that we're going to need to be able to search text for secrets, and that should be something that we've done before and have prepared. I guess not. I guess it's a brave new world.
B
Well, not so much, because at one point very long ago, I wanted to do a hacking without exploits training course. Because even back then there used to be a lot of tricks that you could do. And one of them was that you would search in bash history for when people would type su and then immediately afterwards they would have. They'd type like cd space su and hit Enter. And it'll be like, you know, cd cannot change to su. And then they would automatically be typing in the root password and that would end up in the logs. So what you would do is you'd be grepping for su and then you take the line immediately afterwards and print that out, or sudo and then the line immediately afterwards and print that out. And it wasn't guaranteed. But inevitably in some cases you would find the password would just be in there, the history file.
C
Right, right.
A
Ironically, the more of an uber administrator you are, the more likely you are to just like machine gun it, it's all muscle memory.
B
And so if you make any minor error, by the time you've figured out that an error has showed up, you've already typed in everything. Yeah, yeah, that was the sort of thing that used to exist. Similarly, you might be grepping through log files to see if people have put the password in the username space and it's been logged as, you know, couldn't login password123, no such user. So, like, that's always existed to a degree, but I think that the value has gone up a lot now, and I guess the scope of what you can look for has gone up a lot. You're not on an individual box trying to get root through some administrator error. Like you're on a software vendor who's providing a service, and you're looking through all of their logs generated by their customers to find secrets that their customers have uploaded. So it's just a much larger pool that you're looking through. All of which does not require an exploit. All of these things, just the secrets and the stuff that you're gaining access to that allows you to do things, don't require exploits. In terms of death of the exploit, Lapsus and Scattered Spider, these guys are not using exploits. They don't have 0-day and they are super effective. No one's looking at Lapsus and being like, well, you don't stand a chance. They've got a $25 million exploit budget that they're burning on.
A
Yeah.
B
You know, it's like these are teenagers with, like, $10,000 in crypto that they're using to gain access to something. Like, they. They have $25 million in budget. They're just not spending it to gain access because they don't need to, you know.
A
Yeah. This reminds me of the Snowflake data breach, where it was just access credentials, and it turned out to be. I think it turned out to be like some army person in his spare time.
B
Yeah, Right. And, you know, I think when Nvidia, I think it was that got hit, it was, you know, infostealer logs. So someone just went on a dark Web site and bought infostealer logs for $100 and then grepped nvidia.com or whatever, and then found, you know, vpn.nvidia.com and they just went through and they tried every single combination. One of them worked, and that was it. They're in. You know, they're not looking at, oh, okay. This is a Cisco device that's running a blah, blah, blah, and we can access it on this port. Let's go and buy a Cisco device of the exact same model and then fuzz it until we can find a bug and then develop it. Like, they're not doing that stuff because no one needs to.
C
Right.
B
I mean, NSA is doing it because they can't guarantee the Iranian Revolutionary Guard probably don't have access information in infostealer logs. They might not be vulnerable to the exact same attack chain. So you probably do need your 0-day for that, but that's a niche case. How many NSAs going after Iran are there? Not all that many.
A
Yeah. I think, like we said at the beginning, intelligence agencies have very specific requirements that can be very important. And so they fall into that special bucket of organizations that have the need and the budget to be able to do that.
B
And I think the flip side of that is that very few people fall into that special list of being of interest to an intelligence agency. And if you are, you know it already.
A
Do you know it already. I reckon that a lot of our audience might fall into that category, but I reckon a lot of them would think that they're not in that category. Like, I think it's quite common for people to be told that they've been targeted by foreign espionage or intelligence services. And the initial reaction to be denial.
B
See, I obviously come from the wrong circles because the group of people I'm with, if one of them got told they were being targeted, everyone else would be like, oh, I'm. My, my, my notification is probably still in the mail. I'm just, I'm still waiting for it. Maybe it got lost. It's. I'm sure I was targeted as well. I'm just.
A
Yeah, I think I've heard from a journalist to an Australian journalist who used to work in Beijing that if you weren't subject of state hacking, it was like, well, what good are you?
B
Yeah.
A
A point of. To be. Yeah.
B
How interesting could you be?
C
Right?
B
It's. I guess it's like being a PLA hacker and not having an indictment, right? Like, what are you going to put on your performance review when you're trying to get a promotion if you haven't even been recognized by the US as being an. An important member of the PLA hacking team?
A
As an aside, I actually wrote about that because there was the Salt Typhoon attributions and I said they were kind of pointless because I think it was riffing off something we talked about where they just dig in deeper. Yeah, you can attribute them, but if you don't evict them, like you've got a named intruder instead of an unnamed intruder. I was like, okay, good. At least I know what to call you.
B
That reminds me of the Russian ransomware threat actor. He printed out his FBI wanted poster as a T-shirt that he wears, which I think, I mean, that kind of sums it up completely, right?
A
Like, depends whether he wears it in public, though. I think wearing it in private.
B
Well, I think, I think he can wear it around in Russia and people will just think it's cool. I think the theme of the death of the exploit, there's a few things going on. One of them is that exploits are very, very important for very, very few people. They're still relevant, but mostly they're not. So they haven't gone away. It's just that they've become more niche, more limited in utility, and fewer people can afford them, but fewer people need them, so it's sort of okay. Whereas the things that actually matter these days are getting easier and easier to do. Right. It's like you need access to someone's AWS credentials. That's the thing you're looking for. You're not trying to break into Amazon, you're not trying to break into AWS, you're just trying to break into one account. And it doesn't necessarily matter which account either. It just needs to be like an account.
C
Right, right, right.
A
So you're describing a dynamic where as exploits become more and more niche, the media interest in them will in fact, get bigger and bigger because they're more unusual, they're more exotic.
C
Right.
B
And the price tags go up, which is bigger and bigger. It's like they're just bigger and better, even though they're less and less relevant.
A
So even though we're declaring the death of the exploit, we're going to continue hearing more and more about them.
B
The exploit is dead. Long live the exploit.
A
That's right. Thanks, Grugq.
B
Thanks a lot, Tom.
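The two "hacking without exploits" tricks the hosts describe, regex-scanning a pile of support-ticket text for credential-shaped strings and pulling the line that follows an `su`/`sudo` command out of a shell history, as an added example. This is not code from the episode, from Cloudflare, or from any vendor mentioned; the token shapes are illustrative assumptions rather than any vendor's exact format, and the ticket and history text are constructed for the demo.

```python
"""Hunt for secrets in bulk text without an exploit (added example).

Two practitioner-style checks:
  1. scan free text (support tickets, logs) for credential-shaped strings
     and redact them before the text is shared on;
  2. find the line that follows an `su`/`sudo` command in a shell history,
     where a mistyped command often leaves the password as the next entry.
Assumptions: the token prefixes below are common public shapes, not a
vendor spec, and the sample ticket and history are constructed.
"""
import re
from typing import Dict, List, Tuple

SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # key=value style: `api_key = "..."`, `token: ...`, `Authorization: Bearer ...`
    # The 16-char minimum is a heuristic to skip ordinary prose after the keyword.
    "assigned_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password|bearer)\b\s*[:=]?\s*[\"']?"
        r"([A-Za-z0-9_\-./+=]{16,})"
    ),
}

Finding = Tuple[int, str, str]  # (1-based line number, pattern name, matched value)


def scan_for_secrets(text: str) -> List[Finding]:
    """Return every credential-shaped match with the line it sits on."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append((lineno, name, value))
    return findings


def redact(text: str) -> str:
    """Replace each matched secret with a placeholder so the text can be shared."""
    out = text
    for _, name, value in scan_for_secrets(text):
        out = out.replace(value, f"<REDACTED:{name}>")
    return out


# An `su` or `sudo` token anywhere on the command line, including `cd su`.
SU_COMMAND = re.compile(r"(?:^|\s)(?:su|sudo)(?:\s|$)")
# Single-word commands that commonly follow a privilege change (heuristic).
BENIGN_NEXT = {"ls", "exit", "pwd", "clear", "history", "logout", "whoami", "id", "top"}


def history_leak_candidates(history: str) -> List[Tuple[int, str]]:
    """Lines that follow an su/sudo invocation and do not look like a command.

    Heuristic (assumption): a command has a space, a path separator or is a
    known one-word command; a lone token typed right after `cd su` is likely
    the password the operator typed into the wrong prompt.
    """
    lines = history.splitlines()
    candidates: List[Tuple[int, str]] = []
    for i, line in enumerate(lines[:-1]):
        if not SU_COMMAND.search(line):
            continue
        nxt = lines[i + 1].strip()
        if nxt and " " not in nxt and "/" not in nxt and nxt not in BENIGN_NEXT:
            candidates.append((i + 2, nxt))  # 1-based line number of the leak
    return candidates


# Constructed sample data for the demo (not real tickets or keys).
SAMPLE_TICKET = "\n".join([
    "Hi support, our nightly sync job fails with 403. Config attached:",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz",
    "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc' https://api.example.test/v1",
    "The token rotation schedule is monthly, so this should still be valid.",
])

SAMPLE_HISTORY = "\n".join([
    "cd /var/log",
    "grep -i error syslog | tail",
    "cd su",            # mistyped; the shell complains and the operator keeps typing
    "Tr0ub4dor&3",      # root password, now sitting in .bash_history
    "su -",
    "ls",
    "sudo systemctl restart nginx",
    "exit",
])

if __name__ == "__main__":
    for lineno, name, value in scan_for_secrets(SAMPLE_TICKET):
        print(f"line {lineno}: {name} -> {value}")
    print(redact(SAMPLE_TICKET))
    print("history leaks:", history_leak_candidates(SAMPLE_HISTORY))
```

The scanner deliberately over-matches (it flags anything credential-shaped after a keyword) because the cost of a missed live token is far higher than the cost of reviewing a false positive; the history check runs the other way, dropping obvious commands so the candidate list stays short enough to eyeball.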
This episode explores the concept of the "death of the exploit" in cybersecurity. Tom Uren and The Grugq discuss how technical exploits for software vulnerabilities—once a primary vector for attackers—are becoming less relevant due to changing defensive technologies, shifts in attacker behaviors, and evolving value chains for access. Instead, attackers increasingly rely on alternative methods like phishing, credential theft, and abusing misconfigurations, which are often cheaper, more efficient, and less risky.
The hosts balance technical context with casual humor and lively analogies. Their skepticism toward media hype and industry trends is grounded in seasoned, insider observations.
This episode of "Between Two Nerds" underscores a profound shift in cyber offense and defense: traditional software exploits are becoming rarer, more difficult, and exclusive, while most real-world compromise today relies on less glamorous but far more accessible methods. Despite this, exploits' perceived value and newsworthiness are likely to increase, ensuring they retain a central place in the public imagination, if not in most attackers’ toolkits.
Summary prepared for those who want an engaging, insightful walkthrough of modern exploit economics, attacker behavior, and cyber risk without wading through the full episode.