Patrick Gray
And welcome to another episode of Seriously Risky Business, the podcast we do here at Risky Business HQ, which focuses on policy and intelligence, I guess, in the cyber domain, in the cyber realm. My name is Patrick Gray. We're going to chat with Tom Uren in just a moment to cover off everything he wrote about in this week's Seriously Risky Business newsletter, which you can subscribe to by heading over to Risky Biz. This edition of Seriously Risky Business is supported by the William and Flora Hewlett Foundation and Lawfare Media, who syndicate Tom's column, or Tom's newsletter. And we do have a corporate sponsor for this week's episode as well, which is Dropzone AI. And this is a company that I advise. I have an advisory agreement with them, and they make basically an AI agent that acts like a tier one SOC analyst. And it's better than you would think it is. It is actually really quite cool. And interestingly enough, a lot of people are using this for doing things like out-of-hours monitoring of security events. Right. So, you know, people can leave the SOC for the day and have the AI watch things. That's just one use case. There are many. Very cool stuff. You can find them at Dropzone AI. But Tom, thank you for joining me. Let's just dive right into it. You've written two sort of feature-style articles for this week's newsletter, and one of them is actually, you've taken a look at the SentinelOne report where they really went through and detailed all of the efforts attackers are putting into owning them. This was a great report. I in fact discussed it with Steve Stone, who is a threat intel person over at SentinelOne, and Alex Stamos, who's their CISO and CIO. That's in a podcast that's going to go out next week. And we should disclose that SentinelOne are a sponsor of Risky Business. But that's not why we chose to talk about this. We selected this on editorial merit, because it's actually a fascinating report.
Tom Uren
Yeah. So they really detail the range of different threats that they're facing quite regularly. And I broke it down into, basically, it seems like nation states attack cybersecurity firms, not just SentinelOne, because they're either a great place to learn things, like for espionage and to figure out what the opposition is up to, or they're using them potentially as a method of gaining access to all the places that their security products are installed. And so people tend to forget, but the first kind of attacks like that date back to 2018, if not earlier. The one I'm thinking of is CCleaner, where Avast was compromised. The CCleaner software was pushed out to over, I think, 2 million downloads, the malicious version, and I think it was a Chinese group, and they just went after 40 with the second stage malware. So that's a great example of why you would go after a cybersecurity firm. They've got lots of points of presence. Now, when it comes to SentinelOne, they talk about the North Korean IT worker threat, and the numbers were actually really surprising to me, where they talked about having over 1,000 job applicants apply to SentinelOne in like 360 different fake personas. And they believe that they're trying to get into SentinelOne because their products are widely used in the crypto industry.
Patrick Gray
Yeah, yeah. So 1,000, we should say those thousand applicants, they were all believed to be sort of fake North Korean workers. What was really interesting is, instead of just deleting these applications, SentinelOne decided that there were some opportunities here to get some insight by continuing the conversation with them and seeing what they could learn. Which I thought was really cool, because that's the sort of thing that sounds cool but is a lot of effort and most people don't do. But they actually followed through on this.
Tom Uren
Yeah, it's a program, because you have to have, like, they involved recruitment, they also involved sales. I don't really understand what sales had to do with it, but they said that was very fruitful, because the recruiting team picked up on patterns and were pretty cluey about recognising the threat once they knew what it was, and that informed their processes to try and flag and detect and then potentially just ditch those applications in the first place. So they kind of describe a virtuous circle where they learnt more by actually taking that effort. And I guess part of their pitch is that if you do that at an industry level, that makes people more robust to that threat. So that was one threat. Then there's the other, where Chinese groups have been trying to compromise SentinelOne in a supply chain attack. So they believe that's the case because a firm that supplies them was hacked in a supply chain attack, and that firm supplied hardware to SentinelOne and it had very few customers. So it seems like, now I don't know if this is just self importance, we're the most important customer, but I think it seems plausible that there would be Chinese groups that are trying to compromise cybersecurity firms either for their intelligence value or for access, or both.
Patrick Gray
Yeah, I mean, I do want to push back on something that you said, which is, oh, you know, we first started seeing this around 2018. Like, I think these sort of supply chain attacks against critical suppliers in software, I mean, they've been around as long as software, basically. But I think what has changed is we're seeing just more and more of it. I mean, there was one part because, you know, as I mentioned earlier, I did a podcast about this which isn't published yet with the SentinelOne people. And, you know, Alex Stamos believes, I think reasonably, that there's probably 30 or 40 people in China whose only job it is to hack SentinelOne. Right. So I think that's what's changed is, instead of it being, you know, very targeted special operations to, you know, hack into a cryptography company and subvert some algorithm or something like that, now it's like, we're just going to hit at the supply chain. I also think, though, that to a degree, security vendors aren't special. Right. They just happen to provide software that runs with high privilege in a lot of environments. I think any supplier that sells software that gives you access is going to be a target. Right. Like, this is just the reality these days.
Tom Uren
Yeah. The way I would describe cybersecurity firms as special in this case is that, of all the firms that are targeted, they are the only ones that have the motivation to publicise these attacks when they happen to other people. So we know a whole lot because it's basically marketing for these firms. So, I think, optimistic me says I hope we learn a lot more about these kinds of attacks, because that makes it more likely that people take them seriously and do stuff about them. So I think in that one respect they're special. Almost everyone else who's attacked, like, no motivation to publicise it.
Patrick Gray
Yeah, yeah. I mean, it's sort of implied here in what you've written that you're giving SentinelOne a bit of a pat on the back for being so open about this stuff. Because I think there is a tendency for companies to not, you know, companies involved in security, where security is all about confidence, to not talk about, you know, possible threats introduced by their products. So I think it is a positive.
Tom Uren
Yeah, so that's the sort of nation state bucket, where they're attractive because they've got access and they know stuff. Now cyber criminals, on the other hand, they just want to, you know, air quotes, do their job. They want to avoid security products. So they've got this motivation to try and understand what they do and how do we subvert them. And so in that respect, what they would like to do is ideally set up a test bed with all the different EDR products and figure out, how do our malicious tools and techniques work against these products? Do we get pinged? Can we sidestep them? What are the mitigations? And it's not immediately easy for cybercriminals to buy security products, like, the vendors try not to sell to cybercriminals. But there is a market, apparently, for basically sort of test beds, I guess.
Patrick Gray
Yeah, almost like a private VirusTotal. I mean, look, in the conversation that I had with them, I mean, that was a really interesting thing, because you can have all of the, you know, know-your-customer stuff you want, but when you're a big software company and you've got resellers and you've got MSSPs who offer, like, EDR as a service, right, like, someone's always going to be able to get in there. But they did make an interesting point, which is that once you discover someone is using your software in a test environment, given the nature of products like EDR products in particular, you get incredible insight there. Right. So once you know that a team of ransomware operators is using this tenant over here, you can just slurp up all their malware and burn it.
Tom Uren
Yeah, yeah. So they did describe some of the testing services as semi-private. And so they said that the test beds, like, my interpretation of what they said was that the test beds are isolated, so that if you fire off alerts, the malware is not getting siphoned off to the security vendor. So I guess that would be, if you're a cyber criminal service provider, that's the value add. That's why you would be able to charge a bit more for it. So I thought that was very interesting. And they also talk about just buying credentials. And so sometimes those credentials can be used immediately when you get onto a network to subvert the security protections.
Patrick Gray
Well, that was interesting too, because the way that they're doing that is they're not just flipping off EDR, because that's too obvious, they're just sort of changing the configuration a bit and hoping that their activity gets buried. I thought that was interesting.
Tom Uren
Yeah, yeah, that all makes sense. It's not immediately obvious from the outside, but when you know, that's like, oh, yeah, I understand that. Yeah. So I thought the whole report and your discussion was very interesting. Yeah, I think it makes sense that there are teams focused on particular vendors. That absolutely makes sense to me. And you don't get a series of different attacks because people have set up, you know, discrete operations. That feels like a campaign where there's ongoing planning. And, you know, for someone like Microsoft, you could imagine that it's absolutely worth it to set up a team like that. So it's, you know, definitely Microsoft, definitely Google. It's just, where exactly is the cutoff line?
Patrick Gray
Yeah.
Tom Uren
As to how many teams there are just focused on that full time.
Patrick Gray
Yeah, yeah. I mean, just to make the CISOs of these companies sleep bright, you know, sleep well. That's what that's all about. That's what Beijing is concerned with. All right, so you've written up another thing here, which is looking actually at comments that political journalist Mark Halperin gave to Semafor, talking about the use of Signal group chats in sort of policymaking and politics in the United States, which I think are revealing, because I don't think this is something that is unique to the United States. You know, politicians, policymakers, officials, they've been using group chats now for a long time. And I guess this Semafor piece just really drives home how much of a part of the scene it is now. Right. So I think Halperin described them as the dark matter of American politics and media, which is probably a little bit lurid, if I'm honest.
Tom Uren
That was the author of the article, who was Ben Smith, who's at Semafor.
Patrick Gray
Okay, okay, right. Still a little lurid. But, you know, why don't you walk us through why we're talking about this? And I guess the easy explanation is, well, we had Signalgate, which was this Houthi PC small group chat where, you know, classified information was disclosed. People can argue that it wasn't, but it was. But, you know, this has caused people to step back and take a bigger look at this sort of stuff. I mean, I think, and I mentioned this in a previous conversation we had about this, you know, we need to kind of update some of the rules around this stuff, because the idea that politicians, officials, policymakers are not going to use group chats to have these sort of conversations is ridiculous.
Tom Uren
Yeah. So what struck me is, at the time of Signalgate, I wrote a piece and I ended with the question, why did no one say, perhaps we should have this conversation elsewhere? And this article on Semafor, I think, really gets to the heart of what people need to do and what they find super valuable. And so the quote from Mark Halperin is that, and I'll read it: "Some of the smartest and most sophisticated Trump supporters in the nation, from coast to coast, are part of an overlapping set of text chains that allow their members to share links, intel, tactics, strategy and ad hoc assignments. Also clever and invigorating jokes. And they do this, not kidding, like 20 hours a day, including on weekends." So if you're politically involved, this is, like, not an option. You don't optionally participate in these. If you want to be part of a political movement, you must be involved. You must be on those group chats. And to me it feels like it's part of your personality, part of your self worth. I exist to try and make the world a better place, and this political movement is a way that I participate in that. And so that, to me, totally explains why they were using Signal, why they were putting so much on it, more than was wise, I think, especially in Hegseth's case. And it speaks to me to the tension between security and what people actually think is really important. So all the time, if you work in a classified environment, you can have conversations with people where there's procedures that are in place for sensible reasons, but you can always come up with a hypothetical like, if someone's life is at risk, are you going to bypass those security considerations to save that life? And the answer is yeah, invariably. And it's because that is more important than security at that point in time. And I think this article really speaks to that. So Hegseth, there's varied reporting about how he has access to Signal in his office at the Pentagon.
One version of that, at one end, is that he has a personal computer on an unmanaged Internet line, which is obviously terrible, like, in his office, which is a SCIF. And then at the other extreme there's, the Department of Defense told CBS News that he's got a monitor that basically looks at his smartphone, is the way I interpreted it. And when you get the notification, he can go outside his office, outside the SCIF, to where the smartphone is to use Signal. And that to me, it sort of felt true. Is that like, if, if you're kinda...
Patrick Gray
I mean, what, he's just got a monitor there so he can see notifications? Is the screen locked? Is his phone just sitting on a chair in the hallway? Like, you know, it's...
Tom Uren
I think there's problems with both, like, and, like, clearly being able to type in your office is way better. But that story also struck me, like, if there was an IT security hard-ass, that's the thing that they would suggest, because it's clunky. Yes, it kind of works, but it is extremely painful. To me, it seems ludicrous that you'd have the Secretary of Defence walking outside his office every five minutes to check Signal on his phone. But, like, that's possible. Anyway, the point is that whatever the security situation is, it doesn't matter if you're just going to type the secret stuff in there in the first place.
Patrick Gray
Yes.
Tom Uren
Like, you're just bypassing whatever physical security you've got. But this story spoke to me about why it is so important to be on Signal, because it is involved in, it seems to me anyway, that it feels like this is what Hegseth thinks is really important, is to be involved in this movement and to achieve political goals. And Signal is intimately wrapped up, and those group chats are intimately wrapped up, in that process.
Patrick Gray
Yeah, I mean, I think we need, so, where it gets complicated is around things like record keeping requirements. But when you think about some politicians maybe having a beer together or going out for a lunch and they're just having a bit of a chat, it's all very casual and whatnot. You know, I don't think necessarily there needs to be a record of every word said at a conversation like that, but perhaps, and politicians are quite accustomed to doing this, they need to take a couple of notes about, you know, pertinent things that were said or decisions that were reached while those conversations occurred, so that if they're asked about that later, they have those notes to go back on. So I think, you know, we could apply similar sorts of expectations to people who are having these sort of informal group chats when, you know, discussion starts turning towards policy direction and decisions. Yeah, you know, there needs to be those notes there. But the problem that we have is that there's not much of a, the rules are really like, you know, don't talk about this stuff here. Right. Which just isn't realistic anymore. I said this on a show recently and I sort of got shouted at a bit in listener mail by saying that I think, you know, policymakers need to be able to have private conversations. You know, not every word they utter should be subject to FOIA, because that just will stop conversations from happening. So I think there's going to need to be a lot of work done here. But to your point, you know, under no scenario will it be okay for classified material to appear in these group chats. Right. Like, so I sort of wonder if we update the rules, we can update the guidance, we can give people a simple manual that says, well, here's what you can do, here are your note taking requirements, and here's the stuff that you absolutely can't do. And I don't feel like we've really got that at the moment.
We don't have those sort of rules in a form that is realistic at the moment.
Tom Uren
No, it seemed reasonable. In Signalgate, there was a whole lot of official positions there and, like, well, you know, in that scenario it makes sense that one of them be designated as the, I guess, the secretary of the meeting, in the sense of taking notes. And, you know, here's, if there was a decision made, this is what it was. Yeah.
Patrick Gray
I mean, in that case, like, having a note taker wouldn't have made that okay.
Tom Uren
No, no, no, no. I'm just saying from a record keeping point of view, if you're going to have those kinds of meetings, not meetings, group chats with officially designated positions, well, it's no extra work. Not much extra work.
Patrick Gray
Maybe you need a meeting taker who can say, hey, we shouldn't be talking about this here. Let's all meet in a SCIF.
Tom Uren
That would make sense too. Like, I guess that would be a chairperson. Right?
Patrick Gray
Yeah.
Tom Uren
To do that. Good old meeting procedure, updated for Signal.
Patrick Gray
It's a changing, changing world. Well, mate, let's wrap it up there. Anyone who wants to dive deeply into Tom's analysis this week, again, head over to Risky Biz and check out our newsletters. There's of course Catalin Cimpanu's three-times-weekly newsletter as well, which is more focused on sort of technology news. Great stuff. Great to chat to you, Tom. A pleasure as always, mate. We'll do it all again next week. Thank you.
Tom Uren
Thanks, Patrick.
Risky Bulletin Podcast Summary: "Srsly Risky Biz: Security Vendors are Constantly Attacked"
Release Date: May 1, 2025
Host: Patrick Gray
Guest: Tom Uren
In this episode of Seriously Risky Business, published in the Risky Bulletin feed, host Patrick Gray talks with cybersecurity analyst Tom Uren. They cover the persistent threats faced by security vendors, as documented in SentinelOne's recent report, and the entrenched use of Signal group chats in US politics, drawing on the "Signalgate" incident and Ben Smith's reporting in Semafor.
Overview of SentinelOne's Report
Tom Uren begins by discussing SentinelOne's report on the range of threats targeting cybersecurity firms. His breakdown: nation-states attack security vendors both for espionage (learning what the defenders know) and as a route into the many environments where the vendor's products are installed.
Tom Uren [02:02]: "They really detail the range of different threats that they're facing quite regularly."
Historical Context and Motivations
Uren dates the first attacks of this kind to at least 2018, citing the CCleaner incident, in which Avast was compromised and a trojanised CCleaner build was downloaded over two million times, with a second stage delivered to a much smaller set of targets. Gray pushes back on the date: supply chain attacks on critical software suppliers are as old as software; what has changed is their frequency.
Uren [02:02]: "The CCleaner software was pushed out to over 2 million downloads, the malicious version, and I think it was a Chinese group…"
North Korean Threats and Advanced Tactics
The discussion shifts to North Korean IT worker activity, including a figure from SentinelOne that surprised Uren: over 1,000 job applications submitted to the company under roughly 360 fake personas. SentinelOne's assessment is that the applicants are drawn by its product's wide deployment in the cryptocurrency industry.
Uren [03:40]: "Over 1,000 job applicants have applied to SentinelOne in like 360 different fake personas."
SentinelOne's Proactive Approach
Patrick Gray commends SentinelOne for not merely discarding these suspicious applications but engaging with them to gather intelligence. Uren notes this was run as a programme involving recruitment and sales staff, and that the recruiting team's growing familiarity with the patterns fed back into its screening process.
Patrick Gray [04:08]: "Instead of just deleting these applications, SentinelOne decided that there were some opportunities here to get some insight by continuing the conversation…"
Supply Chain Attacks and Chinese Groups
Uren then covers the supply chain angle: a hardware supplier to SentinelOne with very few customers was itself compromised, which SentinelOne reads as an attempt by Chinese groups to reach it through that supplier. The motivations are intelligence value, access to the environments where SentinelOne's products run, or both.
Uren [05:39]: "Chinese groups that are trying to compromise cybersecurity firms either for their intelligence value or for access or both."
Impact on the Industry
Patrick Gray and Tom Uren discuss the broader implications. Gray argues that security vendors are not special as targets, merely suppliers of software that runs with high privilege in many environments, and that any such supplier should expect the same attention; Uren counters that they are special in one respect, as the only victims with a commercial motive to publicise the attacks against them.
Patrick Gray [06:42]: "Any supplier that offers software that runs with high privilege in a lot of environments… is going to be a target."
Cybercriminals vs. Nation-States
The conversation distinguishes the motivations of cybercriminals from those of nation-states. Nation-states want access and intelligence; cybercriminals want to evade security products, which gives them a reason to study how those products work and how to subvert them, ideally against a test bed of every major EDR.
Uren [07:25]: "Cyber criminals… want to avoid security products. They’ve got this motivation to try and understand what they do and how do we subvert them."
Testing Environments and Security Insights
Patrick highlights SentinelOne's point that cybercriminals test their tooling against EDR products, sometimes through semi-private testing services, and that vendor know-your-customer controls are hard to enforce across resellers and MSSPs. When a vendor does discover its product running in an attacker's test tenant, the product's telemetry gives it direct visibility into the group's malware. Uren adds that the pricier services isolate the test bed so alerts and samples are not fed back to the vendor, which is the value they sell. The report also describes attackers buying credentials to the security console and, rather than switching the EDR off, quietly loosening its configuration so their activity is buried.
Patrick Gray [08:43]: "Once you know that a team of ransomware operators is using this tenant over here, you can just slurp up all their malware and burn it."
Introduction to Signalgate
Transitioning from vendor threats, the podcast turns to the use of Signal group chats in political communication. The "Signalgate" incident, in which senior US officials discussed military planning against the Houthis in a Signal group, serves as the central case study.
Mark Halperin’s Insights
Tom Uren references an article by Ben Smith of Semafor that quotes political journalist Mark Halperin. Smith describes these chats as the "dark matter of American politics and media" (a phrase Gray finds a little lurid), and Halperin's quote conveys how pervasive and, for participants, indispensable they are.
Halperin (via Uren) [12:11]: "Some of the smartest and most sophisticated Trump supporters… are part of an overlapping set of text chains… 20 hours a day, including on weekends."
The Necessity of Group Chats for Political Engagement
The discussion highlights how participation in these group chats is effectively obligatory for anyone deeply involved in a political movement. Uren's reading is that this, not carelessness, explains why officials put more into Signal than was wise: the chats are bound up with what they consider most important, and that tension between security procedure and perceived mission recurs in any classified environment.
Uren [12:15]: "To me, it feels like it's part of your personality, part of your self worth…"
Security vs. Functionality Dilemma
Patrick Gray and Tom Uren explore the tension between security rules and the practical reality that policymakers will keep using group chats. Gray argues the current rule, "don't talk about this stuff here", is no longer realistic, that policymakers still need space for private conversation not subject to FOIA, and that guidance should instead spell out what is permitted, what note-taking is required, and what is absolutely off limits, with classified material never acceptable in such chats.
Patrick Gray [17:13]: "We need to update some of the rules around this stuff… perhaps… take a couple of notes about… pertinent things that were said or decisions that were reached."
The Signalgate Incident
The podcast delves into the specifics of Signalgate and the conflicting reports about how Secretary of Defense Pete Hegseth accesses Signal at the Pentagon, ranging from a personal computer on an unmanaged Internet line inside his SCIF to a monitor mirroring a phone kept outside it, so that he would have to leave the SCIF to reply.
Uren: "Whatever the security situation is, it doesn't matter if you're just going to type the secret stuff in there in the first place."
The ambiguity around Hegseth's setup is beside the point: no arrangement of the hardware helps if classified material is typed into the chat.
Proposed Solutions
Uren suggests that, from a record-keeping standpoint, a group chat made up of officially designated positions could name one participant as its secretary to record any decisions, at little extra cost. Gray adds that a chair is also the person who can say the conversation should not be happening there and move it to a SCIF. Both agree a note taker would not have made Signalgate acceptable.
Uren [19:32]: "If you're going to have those kinds of meetings. Not meetings, group chats with officially designated positions…"
Patrick Gray and Tom Uren conclude by noting the two threads: security vendors are under sustained attack by dedicated nation-state teams and by criminals probing their products, and group chats are now a fixture of political life that rules need to accommodate rather than forbid. They advocate updated, realistic guidance on both.
Patrick Gray [20:05]: "It's a changing world. Well, mate, let's wrap it up there."
Listeners are encouraged to visit Risky Biz for the Seriously Risky Business newsletter and Catalin Cimpanu's three-times-weekly news newsletter.
This episode offers a detailed look at the persistent threats to cybersecurity vendors and at the use of secure messaging platforms in politics, with practical observations for security professionals on both fronts.