
PLUS: We gotta hand it to 'em. North Korea has game.
Patrick Gray
Hi, everyone, and welcome to Risky Business. My name's Patrick Gray, and I am seriously unwell this week. So we're going to struggle through the show the best we can. For those of you watching on YouTube, I'm not going to do the graphical overlays this week. I'm just too sick. I've got to finish the show and get it down as soon as possible so I can go back to resting. But we do have a great show to get through this week with Adam Boileau. He'll be along in just a moment to go over the week's security news. And then we'll be hearing from Ryan Kalember, who is this week's sponsor guest. Ryan is the Chief Strategy Officer for Proofpoint, and he'll be talking to us about the SocGholish campaign, which is, as best they can tell, number one at the moment, in terms of, like, you know, mass exploitation activity targeting its user base, Proofpoint's user base. So he'll be joining us to talk about the evasion steps that they're doing these days, which are actually pretty interesting. So that one's coming up after the news, which starts now. Adam, good to see you.
Adam Boileau
Yeah, nice to see you. I'm glad that you're functional enough to bring us some news today because it was looking a bit sketchy there yesterday.
Patrick Gray
Well, yeah, I would put my functioning level at barely at the moment, but, you know, hopefully in a couple of days I'm going to feel better. So let's get into it. And just some news that broke overnight for us. The SEC has fined a bunch of companies for essentially covering up the extent of the impact of the SolarWinds campaign on them. So we're looking at Check Point, Avaya, Unisys and Mimecast. And really what the SEC has complained about here is that, you know, they sort of used very general language to disclose these breaches when in the SEC's view, they were sort of material. And, you know, they should have come clean.
Adam Boileau
Yes. Like some of the statements that we saw around that hack kind of, I want to say, downplayed it, but maybe kind of made it seem like it was theoretical, when in fact they knew very much that the actors, the Russians, had been in their network through that particular set of backdoors and that they had, in some cases, lost customer data. I think one of them said that some email had been taken, but actually there was a bunch of other stuff. So the sort of just kind of making it seem smaller and less than it was, which is a thing the SEC does not take kindly to.
Patrick Gray
Yeah, I mean, disclosing a breach as a security vendor looks bad. I think getting dinged by the SEC for failing to disclose it looks even worse.
Adam Boileau
Yeah, exactly. And, you know, hopefully it will encourage the others in this world to, you know, say things how they actually are, because we are just seeing a lot of weaselly language around security breaches and bugs lately.
Patrick Gray
Okay, now we're going to talk about probably the most interesting story of the week, which is this. Anonymous Sudan arrest.
Adam Boileau
Right.
Patrick Gray
Or arrests. Two brothers have been arrested in an unnamed country, and apparently they were the ringleaders of this group, Anonymous Sudan. And for a long time we've thought, well, Anonymous Sudan clearly looks like a front for Russian activity. We're not the only ones who think this. The threat intel community also believe this. So it was kind of surprising when DOJ announced that they'd arrested a couple of Sudanese people for actually being behind, you know, Anonymous Sudan. I mean, they've collaborated with Killnet, they've got shared infrastructure with Russian groups and things like that. So big surprise. And that's much how it's been reported. In fact, even at the DOJ press conference, they came out and they said, look, there's no nexus with Russia here. And that's been the reporting. Although when I started talking about this in Slack, I kind of got slapped down pretty hard by our own colleague, Catalin Cimpanu. And I really appreciated how he did this because he says so many people have short memories. He didn't say it directly about me, but that's what he meant. So many people have short memories. And then laid out a bunch of reasons why he thinks this has Russia's fingerprints all over it. And indeed, he wrote that up for his newsletter, which we publish, called Risky Business News. And I've linked through to the web version in this week's show notes. And he lays out a really compelling case that just because these guys were Sudanese doesn't mean that Russia wasn't all over this.
Adam Boileau
Yeah, I mean, I guess the easy headline of oh, my God, you mean Anonymous Sudan was actually Sudanese? It does take away a bit from the truth of it, as he kind of points out. Right. Which is that whilst they may actually be Sudanese, their purported kind of, you know, motives of Sudanese national interest aren't really supported by their activity.
Ryan Kalember
Right.
Adam Boileau
They have done so many things, and he has, like, a laundry list of the activities that Anonymous Sudan carried out and, you know, kind of, you know, at best, maybe useful idiots and at worst, you know, kind of actively getting paid by the Russians or, you know, working directly and closely with the Russians. But the actual things that they were doing, you know, were so diverse from, you know, sort of things that would matter to Sudan and very much, you know, aligned with Russia's interests. Right. I mean, there's things that lined up with the invasion of Ukraine. There's things that lined up with, you know, the burning of the Quran in Sweden. There's.
Patrick Gray
Well, that's when, as he points out, that's when this group sort of first emerged. And he also points out that, like, they threatened France with a DDoS attack if it sent troops to Niger after the country was taken over by a Russian-backed military junta. And, you know, that doesn't sound like Sudanese nationalist ideology. Right? Yeah. And what was the other one? They, yeah, DDoS attacks related to the Ukrainian war, or a country would announce military funds for Ukraine and the next day Anonymous Sudan and a bunch of pro-Kremlin groups coordinated attacks on their schools and hospitals. As Catalin writes, that does not sound like a Sudanese nationalist ideology. And also, yeah, also the Quran stuff in Sweden, and they use all of the terms that are favored by Russians, like, you know, talking a lot about Western colonialism and French imperialism, which is the lingo that's been used by Russian info ops in Africa for years. He also points out, like, some of the infrastructure overlap is pretty interesting.
Adam Boileau
Yeah, I think also that, like, their Telegram was previously largely conducted in Russian until they switched. So, yeah, like, there's a lot of things that point to Russia even though, you know, the indictments that we've seen so far don't really kind of spell it out. I think Catalin is probably onto something here that, you know, if it quacks enough like a duck, it probably is some kind of duck or duck-like thing. And so, yeah, I mean, the point is these guys have been arrested. We don't know particularly where, we don't know if they're going to arrive in the US to face American justice. But either way we haven't seen a whole bunch out of Anonymous Sudan, you know, since these were rounded up. So that's probably good.
Patrick Gray
As you say, Catalin writes, there's also the small detail of the Anonymous Sudan Telegram channel having a history of Russian posts before switching to Arabic and then to a Sudanese Arabic dialect. They also have a history of cooperating with Russian-based groups like Killnet and sharing their infrastructure and tools. And when the feds took down the Anonymous Sudan botnet and arrested the two brothers, another pro-Kremlin hacktivist group popped up out of nowhere, sharing infrastructure and an MO with Anonymous Sudan. And that one, at least according to Radware, was actually run by a Russian. And, you know, it's just amazing. Anyway, I've linked through to it. I think he's done a terrific job here. So, yeah, I just think that was terrific. Now look, let's move on to Microsoft. Some Microsoft news here, and there's been a bit of an issue involving Purview and, like, Microsoft logs where they just, like, lost some of these logs. Can you walk us through what actually happened here? Because I know you did more of a deep dive on this one.
Adam Boileau
So at some point Microsoft made some software changes to an internal, like, log collection mechanism. So things that were inside Microsoft infrastructure that collect data to stream off into the rest of Microsoft's logging platform. And it looks like there was some software flaw. They rolled out a fix for it and that fix introduced another bug that they hadn't really expected. And the net result of this was they ended up losing a bunch of logs, including, probably most importantly, logs from Entra, so authentication logs out of their cloud identity service, which is kind of one of the upstream sources for things that get fed down into their SIEM product, into Sentinel, into things that they share with customers. So it looks like they lost maybe, you know, three-ish weeks' worth of data.
Patrick Gray
But hang on, hang on, hang on. So the thing that I'm not clear on here is that across all customers and tenants or is this just some of them?
Adam Boileau
So the answer is it's probably complicated, we don't exactly know. But what Microsoft have said about the bug was essentially there was, like, a deadlock condition that could occur in the logging software. And if enough of the threads of the logging software got deadlocked, then it would stop logging, and then it had a local cache where it would store logs, and if that got too full, then they were lost for good. If they restarted the agent or whatever else in between, before the local cache got too full, then they would get those logs when it subsequently reconnected. So we're not talking 100% loss, we're talking kind of statistical loss.
Patrick Gray
Yeah, random. A little bit over here, a little bit over there, when that logging box rebooted and, you know, it came back for a while and. Yeah, I see where you're going with that.
Adam Boileau
Yeah, yeah. And they've got, like, a timeline on their initial incident write-up which kind of, you know, spells out how it happened, which kind of started beginning of September, and then they went through a bunch of steps whilst they tried to figure out, you know, what the problems were, how to fix it, and it kind of illustrates the difficulty of troubleshooting very big distributed systems, also multithreaded systems, also all of the complexities of the cloud aspect of it. This stuff is hard, especially at scale and with live data. But on the other hand, Microsoft's huge and this is security logs for most of the planet, so you've got to do good.
Patrick Gray
I like how every time there's a story like this about Microsoft, Kevin Beaumont pops up, you know, always to give him a kicking. And yeah, he's in here. He's quoted in a bunch of the stories we're talking about this week. It's pretty funny.
Adam Boileau
The link through to their write-up that I'm working on, he posted a link to that. So, yeah, thanks, Kevin.
Patrick Gray
Thanks, Kevin. Yeah. Now let's talk about Apple's plans for TLS certificates, because we've got them down to, like, just over a year, right? That's the sort of accepted standard by what's the body called again?
Adam Boileau
CA/Browser Forum.
Patrick Gray
Yeah, CA/Browser Forum. Right. So, you know, we're down to about a year, and Apple's come along and they've said no, we're shooting for 10 days, which, that's, you know, that's ambitious. But I wanted to ask you to explain to everybody why we might want to do this, because that means that everybody's certs are going to need to be sort of programmatically generated. It's going to be, like, auto-renewal, because there's no way admins are going to be manually swapping out certs. I mean, for our site we're still on one-year certs and we swap them over because there are some complexities there. If you want to use Let's Encrypt, for example, because we distribute through a CDN, the only way that we would be able to use Let's Encrypt with our CDN is if we also transferred the domain to the same provider. And I don't want to do that, because I like to have multiple providers in these things in case you lose one account, it's not the end of the world, et cetera, et cetera. You don't want to put everything in one basket. So, you know, I just think I'm going to have to change if this becomes a reality. I'm going to be absolutely forced to do this programmatically for Risky Biz. But yeah. Why the push to get it down to such a short time?
Adam Boileau
Well, I guess there's been a bunch of problems with certificate infrastructure over the years, and reducing the timeframe has, I guess, a couple of things, like one you've hit on, which is that it forces people into automation, and that means a bunch of kind of good systems engineering practice. Like, rolling certs by hand you can get away with when it's a year. But then there's a bunch of other challenges with how key material gets managed and how, like, the whole process is ad hoc if you do it yearly; if you have to do it every week, every couple of weeks, you have to automate it, and you have to automate it probably well. I think the other aspect of this is the recognition that the revocation infrastructure and the process for dealing with certificates being stolen or lost is just not working. So by reducing the lifetime of certificates, you kind of solve the revocation problem. Like, you kind of make it much less of an issue, because turning around a revocation probably is going to take about that amount of time anyway. So if the certificates get rolled, then you've kind of solved that problem in a way that probably is good for the ecosystem overall. Working revocation, there's so many kind of moving parts in revoking stuff that just reissuing things constantly probably is still easier and better. So I think that's probably what they're aiming for here. But there is just such a long tail of ways that certificates and TLS are used, beyond very modern, very hip, very agile and devoppy technology companies. There's a lot of people who do just do it by hand, in some cases for good reasons. As you said, with our infrastructure, you know, there is some diversity and some resilience in how we do things that we would have to rethink. So, you know, it's probably still a good idea. But, you know, it'd be nice to make those choices on our timeframe instead of, you know, instead of Apple's. And it's worth noting that this is just a proposal.
And Google proposed a similar kind of thing to the CA/Browser Forum. You know, a while ago they wanted 90 days, and that didn't kind of make it through the process. So, yeah, you know, I'll believe this when they actually get, you know, a yes vote out of the CA/Browser Forum. But it's bold, you know.
Patrick Gray
It is, it is. I mean, they say they want this to happen between September next year and September 2027. You know, maybe that's achievable, I'm not sure. But I think the point you made about revocation, that's the convincing argument, because it is so broken, you know. Oh God, are we still using CRLs? Like, it's just, it's never worked well, ever.
Adam Boileau
Yeah, I mean, yeah, it's not a thing that we ever really exercised at scale, and there's a bunch of mechanisms that we've put in place to try and deal with it. So things like OCSP and stapling and revocation and even just.
Patrick Gray
It's not just CRLs yet, like that problem's been addressed, but it's still fragile, because I remember some of these other more modern ways to do checking for revocation. If you were upstream, you could block them and then it would fail open. Right. So, like, there's always been issues there with revocation.
Adam Boileau
Yeah, I mean, as a general mechanism, it was never really well thought out and certainly not at scale. I mean, certificate infrastructure, if you are going to design a mechanism to do this at planet scale, like, this is not what you would have arrived at. Right. This was designed for a much kind of smaller world where admins had control over their environments and things like this. Just so many reasons why, you know, this infrastructure never was really meant to be like this. And I think, yeah, this is a recognition of that, and, like, it is such a mess, and dealing with all of the weird failure cases, all of the failing open, all of the, you know, other strange things that can happen, you know, this seems sensible. Despite the initial sticker shock of oh my God, I have to roll my certs once a week.
Patrick Gray
Yeah, I mean, it will. You know, automation introduces some fragility. We've seen companies have issues before when they haven't been able to get their new cert due to failures in various services. I'm less sold on the idea that it's a giant leap forward in terms of making certificates that you've stolen useless, because I think if you're in a position to steal the certificates, you're in a pretty good position to get some persistence there as well, in most places at least. But I do 100% agree with you that the revocation piece is the compelling argument here. So let's see how they go.
Adam Boileau
Yeah, exactly. I mean, best of luck to them. I mean, 10 seems low to me. I mean, even, you know, 45 as an intermediate step that they're proposing, like, that would be pretty cool too. Like, I would be happy for smaller.
Patrick Gray
Yeah, yeah. We've got a great story here from Joe Cox which actually looks at some events in Australia where there's this open source encrypted messaging app which is metadata resistant, and I'll talk about that part of it in a minute. It's called Session, and it has announced that it's moving its operations to Switzerland after one of its employees was visited by the Australian Federal Police. So the Federal Police came, interviewed this employee and was basically asking them a bunch of sort of general questions about the platform. There were two visits, asked some general questions about the platform development, roadmap sort of stuff, and discussed an ongoing investigation into a sort of high-profile Session user who I presume is Australian. And this was enough for them to say, okay, that's it, we're out of here. And they've pulled stumps for Switzerland. Now, I hadn't actually heard of this app until Joe's story, and it looks really interesting because it looks a bit like stuff like Ricochet or Tox, but instead of using the Tor network, which. And there are inherent problems with trying to do that on mobile, right, because if you're offline when someone sends you a message and then they dip offline, how do you get the message to them? Right? You know, people need to be online at the same time for these sessions to actually work. So what they've done is they've built, like, their own onion routing network, and they've got community volunteers running some of these, which I think for intelligence and law enforcement presents some opportunities there, because I can't imagine the network has that much power in it. But yeah, so the idea is it's a metadata-resistant mobile messaging platform, and I've had a look at their website and it is interesting, right, because you go through this story and they're just like, oh my God, you know, Australian regulations want us to collect a phone number or an email address for, you know, for users.
And this is unacceptable because, you know, privacy, privacy, privacy. And you go to their website and, you know, they are clearly big believers in privacy, absolute privacy, being an essential function these days. So, you know, they are true believer types. They don't strike me as the sort of crime phone types, if that makes sense. But I am curious about how well this move to Switzerland will work out for them, because it's one thing to move the registration of the company, or foundation or whatever, but if you're not moving the staff, I don't know how far that gets you in front of an Australian magistrate who, you know, if a prosecutor can argue, well, you're in control of this thing, it doesn't really matter where the thing is registered. You know what I mean? Anyway, I want to get your thoughts on this too, because I found this a very interesting story.
Adam Boileau
Yeah, it's interesting, because we expressed surprise, I think, a couple of weeks ago about a crime phone manufacturer or crime phone operator, something that was running out of Australia. And we were like, well, that seems like a silly choice. Yeah. So seeing another one crop up so soon after is funny.
Patrick Gray
Well, again, I think these people are more sort of your open source privacy hippie types. Right? Like, they're not the. Give us $10,000 a month and we'll stop you getting intercepted types. That's different.
Adam Boileau
Yeah, yeah. And I think, you know, your point about that moving, you know, in this case, like, it's the foundation that holds the, like, publishing rights for the app stores and signing certificates and things like that, that they're moving to Switzerland, if, you know, the actual developers and operators are inside Australia. As you say, I think that technicality may not matter quite so much.
Patrick Gray
Well, I mean, Pavel Durov was arrested in France and Telegram's not based in France.
Adam Boileau
Yes, exactly. Right. I mean, in the end, the law is willing to use its powers in whatever way it sees fit. Right. As to, like, the technical aspects of this network, it does have a bunch of interesting properties to it. Like, the idea of running your own onion routing because of the problems with Tor, I think, is really interesting. Open source and volunteer run like that has worked on some other platforms. Like, I guess Tor is the biggest one that has run a functional onion routing network. But we also know a lot more about attacking onion routing protocols and stuff than we did, you know, back when Tor was originally designed. And they've made a bunch of changes over the years. But, you know, I would be a little. I know intelligence agencies are smart and have a lot of resources, and as you said, like, if you're at a scale where the network is small and the adversary is quite big, you know, things can be difficult. But I'm not an expert on their particular protocol, so I don't know, you know, how they address the challenges. But, you know, there's a bunch of moving parts to doing this and, you know, you would be kind of worried about.
Patrick Gray
It's one of those things, Adam, where if you have the majority of the nodes in the network, there are things you can do. You know, I think it's really that simple. So if you're, you know, if you're NSA, for example, and you notice that this app is catching on among a subset of people that you're very interested in decloaking, then, you know, you're going to be quietly spinning up nodes left, right and center until you've got, you know, a sizable enough chunk of the network, which you can't do with Tor now because it's so big. We've seen the number of Tor nodes swell and then contract, and that's obviously some agency somewhere trying to get some intel on someone. Right. But when it's something like this, early on, you know, maybe there's an opportunity there for them. Not that I agree with it, you know, but I'm just saying that could be something they could do.
Adam Boileau
Yeah. And I guess anything like this, the challenge is what happens when you succeed. Right. Because something like Telegram has gotten so big and now, you know, Durov, you know, arrested as a result. So, you know, let's say that this thing, I mean, the 404 Media story already says, like, they've got some anecdotal evidence of people doing crimes on the platform, because it supports kind of Telegram-style group messaging as well as direct messaging. So, like, let's say they succeed and they run out of Switzerland and they, you know, do wonderful things and bring lots of privacy, but then what happens, you know?
Patrick Gray
Yeah, so yeah, then they might wake up one day and realize that their platform's being used for crime and Nazi stuff and, you know, maybe reevaluate some choices. But I mean, I don't think it's a reasonable, I'm sorry, I don't think it's an unreasonable regulation that if you're going to operate a messaging platform, you should have at least, you know, one identifier for who's going to, you know, in a country like Australia where we have, you know, rule of law, we have protections for political activity and stuff, like, what's the problem? But, you know, I get yelled at for saying stuff like that. So, you know, let's move on. John Greig over at the Record has a write-up on a crypto platform called Radiant Capital having $50 million worth of digital coins stolen. But what's interesting here is the nature of the compromise, which, it looks like they got three developers for this platform and they were using hardware wallets. So, like, walk us through what we know here, Adam, because I think if I had to guess, like, maybe they had, you know, malware in the right spot to sort of, you know, set up the transactions they wanted in the background while presenting different transactions to the user. But I mean, I thought that's what hardware wallets were supposed to stop.
Adam Boileau
So, yeah, this is an interesting one. We don't often talk about the specifics of crypto theft because there's so many of them, but, yeah, so this lot appeared to be doing things kind of roughly best practice. They had a multi-signature mechanism where, to move their coins around the blockchain, they had to have multiple signatures from multiple developers, distributed geographically. And then the private key material was stored inside various models of hardware wallets. And the attackers in this case got onto the computers of these three different developers and then made a fake user interface for their multisig process. So they had the thing that generated multi-signatures to approve big transactions. So they made a fake user interface that convinced them that they were dealing with their real piece of software, presented one set of transaction details whilst in the background approving the theft of $50 million worth of ether or whatever else, and then carried out those transactions using their hardware wallets normally. And that's pretty slick. And, you know, you've got to wonder, like, if you were entrusting all of your money and wealth and whatever to cryptocurrency platforms, this is pretty best case what a crypto platform looks like, you know, in terms of taking it seriously and doing the right things, and they still get it nicked. So, like, but hang on, I thought.
Patrick Gray
I thought the point of a hardware wallet is they have a display which will actually tell you what you're doing with the transaction. Right? Like, you don't just trust your computer, plug in your hardware wallet and go, yeah, sign, sign, sign. That's why I'm a little bit fuzzy here.
Adam Boileau
That's the theory. But I think the multisig part of it probably complicated that display process. Right, because they've added extra things to it. There's another layer of, you know, kind of interaction into it. It may have not been obvious what they were authorizing, and I think a couple of them were using Trezor wallets and another one was using a different brand of wallet. So it wasn't the exact same hardware, you know, key store. So I don't know exactly what they looked like on the display. But either way, like, whoever pulled this off is pretty good.
Patrick Gray
You don't. You don't gotta hand it to him. You don't gotta hand it to him.
Adam Boileau
I don't know if it was North Korean, speaking of not handing it to him, I could, you know, I mean.
Patrick Gray
Come on, who else?
Adam Boileau
I mean, it might have been them. I don't know. We just haven't seen anyone manage to figure out, I think, as yet, any ideas that it ties into existing stuff. But yeah, I mean, so maybe you.
Patrick Gray
Do gotta hand it to him, you know. Maybe you do.
Adam Boileau
Yeah.
Patrick Gray
But look, speaking of North Korea, this is great, actually. This is an Ars Technica piece from Dan Goodin, and they've got a write-up on North Korean activities targeting ATM networks. What's funny about this, though, is that they have replicated work that you did years ago, and they've almost replicated it one to one. Walk us through this.
Adam Boileau
Yeah. So the North Koreans in question have deployed some malware on payment switches. So these are the things that kind of connect ATMs and point-of-sale terminals to banks, and then also connect banks together and card brands together and acquirers and all the other bits of that kind of transaction processing ecosystem. There are a number of kind of messaging standards for doing these transactions, and these are standards, by and large, from the 80s and are kind of extensible and pluggable and have all those sorts of problems that come with being extensible and also very old. The North Koreans in this case got software onto some of these payment switches and were reading and writing the messages as they went past. And they would look at, for example, a request to withdraw cash from an ATM that gets sent onwards to the bank that holds the account. The bank comes back and says, no, transaction denied because not enough funds. And then the North Koreans would rewrite the message to say, hell yeah, you got enough funds, and off you go. And then the ATM spits out cash, and onwards to great victory. I think the sample that we've seen of the malware that was doing this was doing it in Turkish lira, so it suggests there was a campaign there that they were using to get money out. But yeah, this really warms my heart, because this bit of the payment ecosystem is so old and crusty. And I've written a protocol stack for doing this. Like, I man-in-the-middled a point-of-sale terminal so that I could rewrite balances and rewrite approvals and so on and things like that.
Patrick Gray
We should point out that you did this in a professional capacity.
Adam Boileau
I did this in a professional capacity.
Patrick Gray
You weren't trying to get a free flat screen, we should probably point out.
Adam Boileau
But most people say surely this is inside TLS, and this stuff predates. This is designed for when it was dial-up modems sending these messages over, you know, over leased lines or whatever else. Like, this stuff predates the Internet, and these days people do run it over TLS in some cases. But, you know, it's not like this software has certificate revocation checking support in it or whatever else. Like, a lot of the stuff is not done over TLS, and then where there is crypto or message integrity checking, it tends to be done on, like, a per-field basis inside the actual messages. And then there's things like, like, this predates the understanding that padding oracles exist or whatever else. So, like, this is old, old tech. Anyway, it's fiddly. I gotta hand it to the North Koreans for actually going through the process of doing it, but having written it myself, like, I know what a pain in the ass this is to actually do, and to do it in the wild, stealing actual money. Like, you know, my hat is legit off to the North this week, I'm afraid.
Patrick Gray
I mean, you read this and you're like, wow, you actually really did the R and D here, you know.
Adam Boileau
Yeah, I mean, it's, you know, it's just fiddly. And then they've done this on, like, old school, like AIX, you know, old UNIX platforms, but in this case they were doing it on some Linux payment switches as well. So, like, it's just a, you know, solid hack. And yeah, I'm here for it.
Patrick Gray
Okay, now we're going to turn our attention to a story from Brian Krebs at Krebs on Security. A 33-year-old Brazilian man from the state of Minas Gerais has been arrested, and apparently he is suspected of being USDoD, who is a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBI's InfraGard program and leaking the contact information for 80,000 members. That was quite embarrassing. This guy was also the one behind the breach at National Public Data. Funnily enough, we didn't mention it last week, but they've since filed for bankruptcy. This was that really weird former actor who, like, ran National Public Data, which was, like, scraped public data and whatever. Brian's done a great job of writing this up, because really this guy realized he'd been doxxed by, I think it was CrowdStrike got him initially, and he's just been doxxed that many times. And he actually just came out and said, yep, it's me, I've been caught, and let's see if I get arrested, kind of thing. And yeah, he's, he's, he's been arrested, but he is in all sorts of trouble, you would think.
Adam Boileau
Yeah, I imagine he is going to be, going to be in trouble. And like you kind of. It's unusual that you feel sorry for these guys, but Brian had a screenshot of a statement that he had made on some hacking forum where he basically says, look, I'm a human like everyone else. To be honest, I wanted this to happen. I can't live with multiple lives and it's time to take responsibility for every action of mine and pay the price. Doesn't matter how much it may cost me. This is not my end. See you around. Don't worry, I'm coming to meet you. I'm not a threat. In fact, I can do much for my country. So, you know, like, you do get in pretty deep with some of this stuff and a lot of people end up over their head and, you know, it's hard to get out. So.
Patrick Gray
Sure. But he's 33, which means he was 31 when he was doing this. You know, I would have a little bit more sympathy if he was like, you know, 18. Now, you know, fair, fair call. No, I mean, I, I see what you mean about this guy, right? Like, he's, you know, he got in over his head, got a bit excited, and now he's in, now he's in all sorts of trouble.
Patrick Gray
What else do we have here? We've got a look at the SIM swap that resulted in someone taking control of the official SEC Twitter account and announcing that Bitcoin ETFs had been approved. That was a very interesting takeover of a Twitter account, because I thought it was well executed, and we said that at the time, because they didn't post stuff that was just ridiculous. They posted something where the SEC was kind of expected to announce this and they just announced it early, and they were pre-positioned with a bunch of bitcoin and whatever, and, you know, the whole purpose was to, was to make money. They've charged this guy, and, you know, the indictment has details on the SIM swap. I think the interesting thing here though, for me, is the recon was obviously good if they had figured out the identity of the person who was authorized to log into that account, you know, created false identity documents and then done the, done the SIM swap. Although I think in this one Dan writes that, oh, well, they must have had the password already in order to take over the account. But I'm pretty sure you could do it. You could at the time do an account reset on Twitter without the password. So I'm not sure if that's what happened. But anyway, what are your thoughts on this one?
Adam Boileau
Yeah, so this guy, Eric Council Jr., 25, of Athens, Alabama, he is the guy that actually, like, walked into the phone store and did the SIM swap. And then, and there's some interesting details there, like the actual, like, goes into the shop, gets the SIM card, goes to the Apple Store, buys the phone, goes and does the crime on the phone, takes the phone back the next day to return it for cash. So, like, you know, that's, that's clearly wasn't making that much money. They could just throw the phone away. Had to go back to the Apple Store and get caught on the cameras yet again. So, you know, it was probably, you'd hope there was more money in this kind of crime, but apparently not. And then conspirator undefined was the person that instructed him to do it. So, as you say, there must have been some good intel somewhere in this process. But then where the wheels kind of really fell off for this guy is that after he had done this process, he went back home and started Googling to see if he was being investigated by the feds, which is not, not a great sign.
Patrick Gray
Google doesn't always have the answers, folks. You know.
Adam Boileau
No. And if the, if the query is "how can I know for sure if I am being investigated by the FBI?" and "what are the signs that you are under investigation by law enforcement or the FBI, even if you have not been contacted by them?" Like, that's, at that point, probably Google is not the person you should be asking.
Patrick Gray
I would say if you have committed a crime like that, it's a strange query, because the FBI are looking at you, you know. Anyway, now let's talk about Veeam, because it's spelled V-E-E-A-M, software that I previously had not heard about, but it's backup software with an absolutely crazy, like, CVSS 9.8 bug in it. And look, enterprise crapware with a, with a high CVSS vulnerability in it, not necessarily news. What makes this one worth talking about is, like, all of the ransomware crews, like, we got, I think Akira are jumping on this, FIN7, a bunch of others, they're going absolutely wild with this one. Adam, walk us through what we know.
Adam Boileau
Yeah, so Veeam is pretty common in enterprise environments, particularly because they are quite strongly integrated, or used to be quite strongly integrated, with VMware. So if you had large farms of machines that need to be backed up, then Veeam was one of the common solutions that you would see for that. And the bugs in question here are, like, unauth code exec, remote code exec against the Veeam agent. The actual bug itself comes down to a kind of interesting .NET deserialization flaw, and one that, that they had kind of tried to patch over the years. And it's just really fiddly to get those things right. So if you can see this stuff on the network, then straight up onwards to code exec. And the kind of great thing about landing, you know, almost anywhere in a corporate environment, like, wherever you get a shell in the DMZ or, you know, on, on client machines, on servers, in the middle of the network, like, most stuff gets backed up in these environments, and at that point you've got a network path and often you've got any other prerequisites. In this case it was unauth. But if you do need auth creds or certificates or whatever else, usually the backup solution has those. So when I was doing this kind of stuff, we had a few bugs in backup agents and backup pieces of software, and being able to land in the DMZ and then immediately pivot into the middle of the backups and then restore the domain controller back to your machine or restore your scripts onto some other system, or in this case mechanism, or.
Patrick Gray
In this case just. Just tell it to execute whatever code you want.
Adam Boileau
Yes, or in this case, tell it to exec whatever code. Because once you land in the backups, you've just got everything you need. So that's the reason that these kinds of bugs get hit so quickly, because a 9.8 CVSS captures the individual bug. But it doesn't really explain to you how important these systems are in an enterprise context.
Patrick Gray
Well, I mean, it's just. The irony here is just awful, right? Because one of the reasons you want comprehensive backups in your environment is so you can restore if you get hit with ransomware. And now ransomware crews are using it. So it's like you can't win.
Adam Boileau
It's a beautiful thing. Yeah.
Patrick Gray
So, I mean, I mean, I guess the advice here is just to patch. But I think everyone needs to really think about the way that they do backups, because I think one thing that ransomware showed us is that backup technology, certainly a few years ago, was, like, really quite bad. It was sort of more of a compliance-mandated thing. It was sort of something that you were expected to do but no one ever tested. You know, we even had one of the people from Kroll on, in one of the sponsor sections, talking about that, about how, you know, people will do, like, one test restore. But, like, when you're trying to do large-scale restoration, it's a whole different thing and people don't drill on it. And, you know, I just think it's one of those areas that I think is often neglected, is, like, thinking about how to appropriately manage backups. And yeah, look at the risks that you get out of using this software, you know, because quite often, even though they're over-permissioned and they just, you know, like, it's not just code execution flaws, backup solutions can be a problem.
Adam Boileau
Yeah, absolutely right. Because, you know, backups historically have been for, you know, kind of accidental problems. Right. They're not really designed, or they certainly weren't originally designed, really to deal with malice, and so dealing with, you know, having someone that wants to disrupt your backups over time. You know, in the case of ransomware, that's kind of a, a use case or a threat model that didn't really exist when a lot of backup solutions were originally designed. And then, yeah, you've got the problems of permissions, of storing key material, of being able to restore one file as a thing you exercise, but being able to restore every box in your network at once, or bootstrapping a cold start when everything's been destroyed. Like, there's just so many cases where they are difficult to test and time consuming, and there's not a lot of reward if you're a sysadmin or a network engineer or someone else to drilling and exercising your backups other than ticking a box. Right. So a lot of people didn't do it until ransomware came along and all of a sudden, you know, now we actually have to be really resilient. So yeah, yeah, I mean, yeah, the ransomware period of computer security has brought some improvements in how resilient we are, 100%.
Patrick Gray
Just like LulzSec did for web application security a million years ago. And it's funny, though, because I remember, like, a decade plus ago when you were doing a lot of pen testing, you were very much on the tools, and you would achieve great victory by targeting enterprise software. I remember you found a whole bunch of bugs and stuff, like, you know, various CA agents and whatnot. And you would always say to me, oh, you know, attackers are going to get on this, and, you know, I think correctly at the time I said, eh, you know, not now, like, it's not happening yet. And I think here we are, like, 10 years later and it's finally happening that the chickens are coming home to roost for poorly written enterprise software, because finding general platform and browser bugs has got a lot harder. And, you know, staying in that vein, we spoke about a bunch of Fortinet vulnerabilities that I think were being exploited in the wild and added to the CISA KEV list last week. It looks like we got a different set of vulnerabilities, although it's hard to really know, isn't it? I think these are different vulnerabilities. But there's a bunch of bugs in FortiGate, and so far Fortinet are staying quite mum on the details of the reports, which makes you think it's a doozy.
Adam Boileau
Yeah. So there's been. So I think these are related bugs, because Fortinet, there's so many products and so many bugs, and in this case one of the bugs we're talking about, like, is in the management product that interfaces with a bunch of products. So, like, it all gets a bit murky, but it's really not helped by how badly Fortinet communicates about it. Like, they're very quick to point out issues with other people's products and to distract from them, from their own issues. But some of these are pretty nasty looking ones. Like, one of the FortiManager bugs, essentially you could take a certificate or key material from other Fortinet products and then use that to kind of enroll yourself in the manager. Exploit bugs, get code. Exactly. If you've got one Fortinet product then you're kind of in a position to talk to the manager and go upstream, downstream to other products. So, like, it's pretty messy looking, and yeah, like, Fortinet are just kind of weaselly.
Patrick Gray
Yeah.
Adam Boileau
About how they communicate and their willingness to go kind of distract everybody with sleight of hand from, you know, quite frankly some really shoddy engineering in their products.
Patrick Gray
Yeah, I mean, this is like a 25-plus-year problem, a 30-year-plus problem of vendors doing this sort of stuff. You know, you just would have expected a little bit better in 2020. But another Beaumont quote in this one where he says people are quite openly posting what is happening on Reddit now. Threat actors are registering rogue FortiGates into FortiManager, which is the affected product, with hostnames like localhost and using them to get RCE. So I don't know, I mean, that's not necessarily verified, but, you know, I'll take his word for it. And it's, you know, just more Fortinet drama. Just an interesting one here. Daryna Antoniuk over at the Record has written up a campaign which is targeting Israeli organizations, and the attackers are posing as ESET and, you know, using that as their lure. And ESET has come out and said we haven't been breached and whatever, it's just someone using our brand. This story also includes a Kevin Beaumont quote.
Adam Boileau
Yeah, so I think this is ESET had a partner in Israel that seems to be, like, maybe they got the mailing list compromised or something like that. And so then the customers were being emailed with the messages looking like they came from the local partner. And then they were like, oh my God, we're the government. You know, the team that tracks government attackers at ESET. And we've seen some government-backed attackers trying to compromise your stuff. But don't worry, we've developed a piece of software which will help you stop this. And we attach it conveniently to the.
Patrick Gray
Zip file and here's the password and just click through the warnings.
Adam Boileau
Okay. Yes, exactly. What was it? The Advanced Threat Defense Program designed to counter advanced targeted threats, which apparently, very generously, you could install on up to five devices. So.
Patrick Gray
Yeah, yeah, I just think as far as lures go, that's a pretty good one.
Adam Boileau
I mean, it's not bad, especially if you can send it from a place that they might be expecting to get communication. So, you know, yeah, I guess. Nice try.
Patrick Gray
You know, now I probably massacred Daryna's name there. I think it's Antoniuk, by the way. Sorry about that. I am sick. I'm doing the best I can. We also introduce Jonathan Greig, because his last name is spelled G-R-E-I-G. I realized recently that Americans would probably pronounce that "Greg", wouldn't they?
Adam Boileau
It's a good question. Let us know, Jonathan.
Patrick Gray
Yeah, let us know. Anyway, we're going to finish with a story from John Greig or John Greg, whichever you prefer. I'm sure he will advise. Where, you know, the North Korean fake IT worker thing has been a big issue over 2024. You know, we've seen a number of arrests for people running, essentially, you know, proxy farms in their basements and whatever in the United States. And it's been, what a world. Yeah, it's been delightful to cover, really. It's fun stuff. But now it looks like there is some evidence that some of these, some of these North Korean IT workers, when they are discovered and fired, they're now threatening to release data that they've collected and they're demanding ransoms, which I, you know, we shouldn't be surprised that this is happening, but as far as I know, like, this is a recent development.
Adam Boileau
Yeah, it's weird that it's a recent development, because it seems like a pretty logical thing to do. Like, once you're an insider, you have a whole bunch of interesting access. You know, it saves you the initial, initial compromise point of your, you know, part of the process. So why not steal a bunch of data and then, you know, try and find some value in it, be it intellectual property, be it ransoming it back to them, you know, be it just, just passing it on to other people who are looking for, you know, reconnaissance information, selling it in that way. So, like, there's so many ways to monetize access to people. And the North Koreans are pretty good at, you know, innovating crime.
Patrick Gray
So, I mean, they really do roll just like a really well funded, well organized criminal organization at this point.
Adam Boileau
Right, yeah, that's what they do.
Patrick Gray
And they've got just so many human resources, they've got so many skilled operators. It's. I mean, the mind boggles.
Adam Boileau
Yeah, exactly. I mean, you know, I suppose we've been saying so many nice things about North Koreans. It's a North Korean hacking fan club episode of Risky Biz.
Patrick Gray
Yeah, I think we. We're praising them as just being really effective criminals. So I don't know if that's like praise. I don't know. We get. You got it. Game is game, right?
Adam Boileau
Yes, exactly. Right, exactly. And certainly, like, in the case of hijacking ATM payment switches, like, game recognizes game. So, good job, Norks. Good job.
Patrick Gray
That's right. All right, we're going to wrap it up there. Adam, thank you so much for joining us to talk through the week's news. A pleasure as always. And we'll do it all again next week.
Adam Boileau
Yeah, thanks very much, Pat. Hopefully you'll feel better by then. And we'll do it all over again.
Patrick Gray
That was Adam Boileau there with a look at the week's security news. Big thanks to him for that. And we're going to finish this week's show with our sponsor interview now, and it's with Ryan Kalember, who's the chief security. Oh, I'm sorry, chief strategy officer for Proofpoint. And yeah, we're going to be talking about SocGholish, because this is a large, widespread sort of malware campaign. And it's, you know, at the top of all of the charts at Proofpoint at the moment. And they're doing some really interesting things with evasion and trying to evade detection. So, Ryan joined me to talk about all of that. So here he is, first of all, just talking a bit about SocGholish. Enjoy.
Ryan Kalember
So it's something we've tracked for a very long time, but it's been on the top of our data sets for months and months and months now. If you look at kind of a post-Emotet, post-major-broad-email-campaign landscape, it's very, very hard to get around basically this combination of compromised legitimate websites, fake browser updates, which is the social engineering, and actually a malvertising angle, which makes it a lot less detectable than a lot of the other malware families we look at that come across in targeted attacks that have the same sort of sandbox evasion techniques, that look and feel like phishing campaigns. Because it is fundamentally structured differently. And maybe most perniciously of all, because of the way it works, they don't really have to serve up the payload to everyone who visits the compromised website. They can look at cookies that are there in the browser. They can look at other aspects of the user agent and be extremely selective, which gives us not only a detection problem, but a perception that some of these are false positives when really that website remains compromised.
Patrick Gray
Yeah, I mean, I've been chatting with some others recently about how, you know, phish kits as well are doing a lot of evasion these days. I mean, we've always seen them do evasion, but now they're getting good at doing evasion, which I think is one of the issues here. So, I mean, that's less of an issue, I think, for security companies that are making products that are present on the host. Right, because that's where you're in a really good position to actually detect the payload or the page or the whatever, once it actually arrives at the host. But if you're trying to detect and block this at scale, I mean, what do you do? Right. What is your response to this sort of, you know, challenge?
Ryan Kalember
You know, conveniently, there's a reason we announced a browser extension that has these features just this month, actually, because you're absolutely right, it is much easier to solve this if you see what the user sees. But ultimately, one of the things that I think is an interesting detection challenge is, if you do have traditional forms of sandboxing, meaning you can take that URL and load it and manipulate the sandbox in various different ways, you will get it to serve the payload if you have smart enough people operating that sandboxing infrastructure. On the other hand, there have been a lot of kind of modern solutions trying to solve this at scale with pure, say, behavioral AI, where they're just looking at the pattern of the email sending. And again, you're not going to see anything unusual there, because the email in some of these campaigns is something like the Google alert for Chrome is what ends up delivering the malicious URL. There's nothing unusual about that. There's absolutely nothing defined, no matter how smart your analysis of that communication pattern is. So it just goes back to good old-fashioned URL sandboxing in terms of how we detect it at scale. But you're absolutely right. The other way to skin this particular cat is to be in the browser and see the fake browser update that gets served up to the user because their machine meets the criteria and the traffic distribution system chooses them as one of the unlucky ones.
Patrick Gray
Yeah, it's interesting that you've gone for the browser extension as well. I feel like it's an acknowledgement that the sandboxing stuff ain't going to stay that reliable. Right. Like, I mean, would you, would you. Because you're kind of saying both, right? You're saying, oh no, if you know what you're doing, you can totally get it to load in a sandbox. But we've also released a browser extension. Like, if it is the case that you can do all of this with a sandbox, why bother with the extension?
Ryan Kalember
It's a good question. I think the sandbox still works really well at scale. And when you talk about a SocGholish campaign, you're going to see this operate very, very much at scale. And if you look at the other high-volume campaigns right now, you can look at Balada or Vidar stealer or a ton of others that all basically have the same social engineering, ZPHP, and they're all basically copycats, because the approach is working so well. That a scale campaign like that, with proper detection, you're going.
Patrick Gray
To catch it with a sandbox at least somewhere. Right?
Ryan Kalember
You'll catch it at least somewhere, but not everyone again will see it. But you're absolutely right that at some point the cat-and-mouse game that is evasion, that happens on the phish kit side and happens on the malware side, has frankly a longer history on the malware side, means it actually is great if you can just see what the user sees and be right there with them, so that no matter what the redirects look like, no matter how bizarre the infection chain, you're always there when the payload arrives. So to keep the noise out of the system and to keep the volumes down that ever get to end users, I still think sandboxing plays an incredibly important role. But you're right, I should be shrugging and saying, why not both, right? Because we're used to defense in depth for lots of things, and because this is literally the number one malware family we see dropped, it's a really obvious thing to have defense in depth for.
Patrick Gray
Yeah, I mean, I, I'm a big fan of, like, actually instrumenting browsers, as you know, because I know you're a regular listener of the show. The thing that surprises me is that, you know, for all of the acquisitions they're doing, you know, the most cashed-up organizations in the security industry are the EDR companies. And they've just totally slept on this. I mean that. But honestly, it really surprises me that they're going off and buying companies that do PAM modules and doing log analysis and doing this and doing, and vulnerability scanning, and they already have a presence on the host, and yet they're not doing this. What are they thinking?
Ryan Kalember
It's a great question. The whole landscape has pivoted to URLs, and at the same time, all of these chickens are coming home to roost around end-to-end encryption and lots of other kind of trends where, you know, I do see some cybersecurity organizations that have managed to pull off the always-on VPN for most of their users, where they are literally on the network most of the time and they can do some interesting things there. But everybody else gave up that fight long, long, long ago. So when it comes to a threat like this one, that is going to be particularly irksome because it's not showing up for everybody. You know, it does make sense to not build something into the network side, but to build something that can follow the user around. EDRs will obviously see when, say, well.
Patrick Gray
They'll see the payload, right? They're going to see the malware. But, you know, what happened to trying to detect early? Right? Detect and block early. Again, it just boggles my mind. I just wonder, like, why there's no one working in strategy at these companies that says, gee, we're already on the host. This would be a good, you know, thing for us to do. But anyway, I, you know, we didn't spin up this interview to talk about CrowdStrike or, you know, any of the others. Right. But it just. Yeah, I do find it surprising.
Ryan Kalember
I mean, just given how much malware has pivoted to URL-based delivery, you know, independent of how you get the URL in front of the person.
Patrick Gray
Exactly. Like, what if it, you know, as you've always said, what if it comes in via LinkedIn or whatever? Right. Teams.
Ryan Kalember
Well, again, that's, that's a great reason. And that's in fact the first use case that we shipped for that browser extension. Right. Making sure that you could get that malicious URL if it came in by any of those platforms. Because, interestingly enough, as we've looked at the data sets here, malvertising is something that Google has a whole team that is working on, and then obviously they don't want actors buying ads or doing other things to distribute these same payloads, which happens pretty frequently. The Mandiant team actually did some really nice work around some of these campaigns, in particular the ones linked to DarkGate and DanaBot. But at the same time, there are so many ways to get a URL in front of a user, and we just keep seeing those things proliferate and get creative. So right now I think the attackers are trying to torture us by only showing up that payload in a very small fraction of cases. Which means some of our users actually report that as false positives when we know actually that that website is more than capable of sending them the first stage of something that's eventually going to end up in RansomHub. That is something that for them is a workable technique, and it's a lot different than classic phishing. And to your point, architecturally, there's no reason that we have to stay chained to the models of the past. It works just as well to be in the browser as it does to work out of email telemetry here.
Patrick Gray
So what sort of websites are we talking about here that might selectively drop the malware? What are these websites that some users are like, no, that's a false positive, and we really want to be able to access this website? Are they compromised forum pages or things like that, where the attackers managed to get some sort of PHP or JS or something into that website that can do selective dropping of nasty stuff?
Ryan Kalember
Yeah, that is definitely part of the typical M.O. Maybe I'll just talk through a simple example. But yeah, you're right that the original compromise is a legitimate website that has malicious JavaScript injected, a really good percentage of the time. One of these campaigns, that was one we track as TA569, recently, you know, a thousand-plus of our customers saw that. A couple hundred thousand malicious messages went through all 14 other tools that we actually look at to see if any of them protected against it. And just one single organization, actually based in Texas, got a huge number of these. The email itself basically promoted a healthcare conference. Again, the email is completely legitimate. It's written by that organization and not the threat actor, much less something like AI. And the URL link was again to a real webpage that happened to be compromised. So what happens is you get that email that, again, the user is expecting, and some percentage of the users that click on that end up basically getting served up the classic kind of fake update notification, which is the social engineering that frankly shouldn't still work in 2024, but amazingly still does well.
Patrick Gray
And what are the criteria that the attackers are using to make that determination as to whether or not to serve the payload? I'm curious about that.
Ryan Kalember
Yeah, it's a really good question. Some of it does move around quite a bit, and some of it seems to, on the malvertising side, link to who they're targeting to begin with. So if you're looking at ad targeting, it's of course incredibly powerful. You can target geos, IP ranges, or even things about organizations that, you know, obviously anyone who's in marketing buying Google Ads takes advantage of. If you look at kind of just the malware itself and what it's technically looking at, usually based on the browser, cookies, other kind of system information and other things around the user agent. And then they of course use TDSs, some of which are completely legitimate, I should say, traffic distribution systems, to basically serve up the payload some percentage of the time. And it's different for every campaign.
Patrick Gray
Yeah. Wow. I remember years ago, this is just an aside, someone figured out that they could create a Facebook advertising target group which was just their roommate. And you remember this, they ran a whole, like, psychological warfare campaign on their roommate. It was absolutely hilarious and, and resulted in Facebook actually making some changes, so you couldn't do targeting that granular. Right. Because it was.
Ryan Kalember
Exactly. And there, we talk about targeted threats all the time. And interestingly, it is a good question to ask whether some of these are targeted or not. It's very hard to tell, in a way that's not usual for us, because we're not targeted.
Patrick Gray
And this is the thing, maybe they're putting some sort of conditions, you know, on whether or not it's served, because, again, it's a way to evade a sandbox.
Ryan Calumber
Absolutely. And that's the One thing I think that also gets really interesting here because there are clear links between the malvertising actors, the ones who compromise these websites, and the actors that we see in email overlaps with Data Bot being a really good example. So I think it's just that same group of. And it might not even be that many people that are responsible for this aspect of the ecosystem, particularly the ransomware ecosystem, that have now figured out that this is much more irritating for security vendors taking part of the traditional approaches to detection than other things that they do and I have done in the past.
Catalyn Kimpanu
Yeah, so Sock Golish, again, that's a, that's basically a first stage payload, right? Like it's a loader and then it can be used for ransomware, data theft, whatever.
Ryan Calumber
Exactly. And I think the part that's interesting is that you look at which one of your security vendors is supposed to catch stuff like this. To your point earlier, the EDR is waiting until a payload drops because again, it comes in URL form, but half the time there's an email behind it, which is how people encounter URLs that are novel most of the time. But the email again, could be a newsletter that that person signed up for, pointing to the URL for a conference that they plan to attend. And that's what makes this so tricky, that the attacker didn't have to do any of that targeting in order to make something that's so convincing. And the social engineering that is the sort of thing you'd hope a user would recognize doesn't show up until the fake browser update, which is one of the most reliable common elements of these sorts of campaigns.
Catalyn Kimpanu
Yeah, well, I mean, as you said, defense in depth, right? You've got to have, yeah, your email stuff, detecting this stuff at scale. You've got to have something in the browser to detect funny stuff. You've got to have something on the host to detect code execution and weird stuff, exploitation, whatever. Yeah, I mean, it's an old saying, but it's true. You need to do defense in depth. Ryan Cullenber, thanks a lot for joining us to talk about SEC Goal. Is it SEC Goalish or SEC Ghoulish, everyone?
Ryan Calumber
Sock Ghoulish.
Patrick Gray
Sock Ghoulish. It should be Sock Ghoulish. Ghoulish ghost.
Ryan Calumber
It really should be. But yeah, no, it's always a pleasure path. I think the thing that is really interesting, I think here is what we look at actors doing when there's not an easy vulnerability going around where they can pop a ton of boxes, like just how they keep the lights on. It really does seem to have pivoted. And it's a threat landscape that has been the same for so long. Talking about bec ransomware and assorted apts that this genuinely does represent a meaningful change and I think everyone would do well to pay attention to it.
Patrick Gray
All right.
Catalin Cimpanu
Well, again, thank you very much for joining us. It's always, always a pleasure to chat to you.
Ryan Kalember
Cheers back.
Patrick Gray
That was Ryan Kalember there from Proofpoint. Big thanks to him for that. And big thanks to Proofpoint for being a long-term sponsor of the Risky Business podcast. That is it from us this week. Excuse me. I am going to go and try to recover from my illness, but I'll be back soon with more Risky Business for you all. Until then, I've been Patrick Gray. Thanks for listening.
Release Date: October 23, 2024
Host: Patrick Gray
Guest: Adam Boileau
Sponsor Interview: Ryan Kalember, Chief Strategy Officer at Proofpoint
Segment summaries:
1. The episode opens with Patrick Gray and Adam Boileau discussing recent actions by the Securities and Exchange Commission (SEC) against major companies—Check Point, Mimecast, Avaya, and Unisys—for their handling of the SolarWinds hack disclosures.
2. Patrick and Adam delve into the surprising arrests of two brothers associated with "Anonymous Sudan," challenging earlier beliefs about their Russian ties.
3. The hosts discuss a significant issue within Microsoft's Purview logging system, resulting in the loss of critical authentication logs.
4. Patrick and Adam explore Apple's proposal to reduce TLS certificate lifetimes from the industry-standard one year to a mere ten days.
5. The encrypted messaging app Session has announced relocating its operations to Switzerland following visits from the Australian Federal Police (AFP).
6. A significant theft of $50 million in digital coins from Radiant Capital is analyzed, focusing on the sophisticated methods used despite best security practices.
7. A pioneering attack by North Korean actors targets ATM networks by manipulating payment switches to approve fraudulent cash withdrawals.
8. A 33-year-old Brazilian man, suspected of being the cybercriminal 'USDoD,' was arrested for significant breaches, including infiltrating the FBI's InfraGard program.
9. An elaborate SIM swap attack resulted in the temporary takeover of the SEC's official Twitter account, falsely announcing the approval of Bitcoin ETFs.
10. Veeam, a widely used enterprise backup solution, has been found to possess a critical vulnerability (CVSS 9.8) that ransomware groups are actively exploiting.
11. Several severe vulnerabilities in Fortinet products, particularly FortiManager, have been identified and are actively being exploited in the wild.
12. Attackers have been impersonating ESET to target Israeli organizations, misleading recipients into installing malicious software under the guise of legitimate security tools.
13. Some North Korean IT workers, upon termination, have begun threatening to release accumulated data unless ransoms are paid, marking a shift in their cybercriminal tactics.
14. The episode concludes with an in-depth discussion with Ryan Kalember from Proofpoint about the SocGholish malware campaign, currently the top threat in their data sets.
In this episode of Risky Business, Patrick Gray and Adam Boileau navigated a plethora of pressing information security topics, from regulatory fines and sophisticated cyberattacks to vulnerabilities in major software platforms. The discussions underscored the ever-evolving landscape of cybersecurity threats and the imperative for organizations to adopt robust, multi-layered defense strategies. The sponsor segment with Ryan Kalember emphasized the importance of innovative detection methods in combating advanced malware campaigns like SocGholish.
Big thanks to Adam Boileau for his insightful analysis of the week's security news and to Ryan Kalember from Proofpoint for shedding light on the SocGholish malware campaign.
Stay tuned for next week's episode of Risky Business, where we continue to dissect and discuss the latest in information security.