
PLUS: Okta's password boo boo...
Patrick Gray
Hey, everyone, and welcome to Risky Business. My name's Patrick Gray and we've got an absolutely terrific show for you all today. There's been plenty of infosec news, cybersecurity news over the last week or so. And for those who are looking to get their mind off the US election, boy, do we have a terrific show for you all. So I'll be talking with Adam Boileau in just a moment. And we're also going to hear this week from Sophos CISO Ross McKercher, who's going to talk to us about how they dropped, like, kernel rootkits, essentially, on Chinese APT researchers who were doing exploit development against their products. I'm sure a lot of you listening to this and watching this would have seen that report mentioned in the media over the last few days. So we're going to hear from him on that. And then in this week's sponsor interview, we're chatting with HD Moore, who is the chief executive and co-founder of runZero. And he'll be talking about some new tricks that runZero has picked up in terms of being able to marry internal asset discovery scanning with external asset discovery scanning. That's all very interesting stuff and it's coming up later. But first, yes, Adam, it is time to talk through the week's news and we're going to actually start with a story that, I don't know, man, I just found it interesting, right? So I want to lead with it. It's proper, you know, security geekery here. But let's talk about this Okta bug where under certain circumstances you could just enter a username, whack enter and get access. I'm just going to say right off the bat, it's not quite as bad as it sounds. But yeah, walk us through what actually happened here.
Adam Boileau
Yeah, this bug is a good time. So one of Okta's features is that you can have your Okta authentication stack glued to your existing on-premise auth source. So if you've got Active Directory or LDAP, you can basically run up a thing inside your environment on a machine that will connect back out to Okta and will then forward authentication requests from Okta onwards to your internal directory. And they had a bug in this process where essentially they cache the authentication requests so that they can operate when the connection to the on-premise kind of, you know, interface drops. So you can still authenticate stuff on the network, and that caching process stored, like, a bcrypt hash of the username and password so that it could verify them, you know, offline. And unfortunately no one who wrote this thought about the fact that bcrypt actually has an upper limit to how long a bcrypt hash can be, which is about 50-ish characters. 50 to 70 depending on the implementation, exactly. But the result was you could turn up, enter a 50 character username, match an existing cache entry and be authenticated.
Patrick Gray
Yeah.
Adam Boileau
Which, when you're an authentication product like Okta, clearly is not what you want. But as you said, it does have a few things that have made this mostly a curiosity rather than a practical thing. So you had to be single factor. The connection between Okta and the on-premise agent had to be not functional or denied of service or whatever else. And then you had to provide a 50-whatever character username. So pretty niche bug. I think Okta, the code that was vulnerable to this was in production for, like, three months or something like that. So, you know, overall, like, it's a fun, it's an embarrassing bug, but at the same time, like, I don't know that anyone who... I didn't know that about bcrypt.
Patrick Gray
No, no.
Adam Boileau
And just for a long time.
Patrick Gray
The other thing here too is someone needs to have previously logged in via Okta with that user. Right. So when you're thinking about a username that's got 52 characters in it, it's got to be a service account. Right. So what are the odds of a service account, you know, like a service account bouncing out through Okta from your AD? So what are the chances that someone's actually used Okta, excuse me, to authenticate like that user? It's very, very low. So I think all in all this is something that, like, never would have been really practical in the wild, but it's still not, as you point out, it's not a good look for an authentication company. I think another saving grace here too is, as you said, they introduced it on July 23rd and by October 30th they actually had it cleaned up. So that's a sign that the internal review, I guess, failed in the first instance, but, you know, caught it in the second instance, which I guess you'd call belt and suspenders. But I think that one of the reasons I wanted to talk about this is just people were jumping on this, like it affected all Okta SSO and, you know, like it was just that the sky was falling. And it's not really that. It is a curiosity, but it isn't. It's still an interesting one, right?
Adam Boileau
Yeah, yeah, it's definitely not as bad as some of the social media commentary that, as you say, wants to jump on Okta because, you know, they have had a few clangers over the last couple of years, but, you know, this one was not one of them. They did find it internally, and obviously code review should have picked this up, ideally before it went into production rather than three months after. But, you know, they got there in the end, which is a lot better than, you know, when you think about all of the other vendors out there and how long some of those terrible bugs live for before they're, you know, found being used in the wild, you know. Yeah, I think Okta in this case, you know, overall comes out of this looking pretty reasonable.
Patrick Gray
Yeah, we'll give them a B. Right? Like not an A exactly, but they still get a B. But I'm going to call you on something you just said there, which is, excuse me, they've had a few clangers. What were they? I mean, there's this perception out there that Okta's doing really badly and it ties back to a couple of incidents where I just don't think it's substantiated. So there was the case where someone got into a third-party support, you know, portal or whatever and took a screen cap and that was it. And that was reported as an Okta breach. And then there was the stuff affecting the casinos where an attacker was able to, like, federate an external IDP into Okta and maintain persistence that way. But that also affected Entra. The difference is that Okta talked about it and Microsoft didn't. So look, some people are going to say, oh, Okta is a minor sponsor of Risky Business and that's why you're defending them. But I just think the perception doesn't quite match the reality. And I think that's another reason people jumped all over this, is because of that perception, that unearned reputation that Okta has right now of being sort of lax, you know, I just don't think it's entirely fair.
Adam Boileau
And I guess, I guess the one I was thinking of was one of the Auth0 bugs, which is, like, that's an Okta acquisition rather than Okta themselves. But, you know, that was a JWT "algorithm none" kind of bug, which, you know, I feel happy calling that a clanger. But yeah, I do think overall you're right that, you know, Okta has been tarred with a brush that maybe hasn't been entirely fair.
Patrick Gray
Yeah, yeah, that's it. I think it's just they're one of those vendors everyone loves to hate because Okta is sort of seen like a, you know, like a tax on your budget. You know, it's just money you gotta pay and people sort of grumble about it, which is, you know, which is fair enough. But no, I don't think they're a hideously run vendor from a security perspective. I mean, they're a big vendor, they're always going to make mistakes. But yeah, anyway, moving on and let's talk about some new features coming to Windows 11. Catalin reported on this for us today and it's really interesting what they're doing essentially in future versions of Windows 11. You know, goodbye root. Basically everything's going to be sudo. You will not be able to perform certain high privilege functions without sort of re-authenticating via a specified means first. And this is a great idea.
Adam Boileau
Yeah, we started to see some details because there was a Windows Canary build that has this functionality in it and we're starting to see some people looking into it and digging up the details. Microsoft hasn't really talked super specifically about how it works, but essentially in Windows you have a regular user level token inside an admin account that's used on normal things and then you have a more privileged token that's used for authenticating admin level stuff. And that's when you do, like, "run as administrator" to start a privileged process. That's what's going on behind the scenes. And basically what they're doing is moving that privileged token up into a whole other user account so it's more segregated from the regular admin session. So it is kind of like sudo in a Unix environment, as you say. And then there'll be a gate that you have to go through to do that. And it's kind of similar to how UAC, the User Account Control, which makes you click "Yes, I would like to do admin stuff", worked. But this can now be used to require more authentication. And so ideally multifactor or biometric or U2F or some, because authentication is always more flexible now as well. And as an adversary who lands in a privileged admin account, this is the sort of thing that is just going to make your life more complicated. And yeah, I'm totally here for that.
Patrick Gray
Yeah, it's like just-in-time admin for local accounts. Right. And it's great, like a really cool idea. And yes, before people jump in the comments, I am aware that the concept of root doesn't exist in Windows, but you know what I mean. I also twigged that we have a different pronunciation. For me it's sudo, because it's superuser do, and for you it's sudo.
Adam Boileau
Sudo? Yeah, like judo. I don't know why. That's just how it is.
Patrick Gray
That's just how it is. You know, it's just one of those things.
Adam Boileau
It's just how it be.
Patrick Gray
All right, so now we're going to talk about the big Sophos report that dropped late last week. This is a fascinating document. Basically Sophos noticed that, you know, some Sophos customers were getting owned and the Sophos team were able to figure out that people were doing vuln dev on a bunch of Sophos, like, trial VMs. So in certain locations in China and, you know, they've since tied this activity back to a couple of specific organizations, a university and a company in China that look like they were doing exploit dev for the, you know, for Chinese APT operations. And what they did is they dropped, like, kernel level rootkits on these people to monitor them, were able to get an early heads up on 0-days, squash them, collect all sorts of amazing telemetry. And they did this over a period of five years and now they've dropped a report on it. And it is, I mean, I'm here for this.
Adam Boileau
Yeah, very, very much so. This was such an interesting story and watching the takes on the story, you know, amongst, you know, infosec social media and, you know, kind of around the various digital water coolers that we all hang out at, it's just been really, really interesting. So as you said, they dropped some kind of, like, kernel level monitoring implant on virtual machines that were being used for vuln research or vuln exploit development, like weaponizing exploits, but also a physical appliance, physical device that this group had. And then, yeah, were able to identify bugs that they were using, identify techniques, look at how they were chaining bugs together to weaponize them and then deploy either countermeasures or signatures or try and understand what they were seeing out in the wild. And this is, it's really interesting because for a lot of people this seems to be surprising. But yet when you compare it to what antivirus or EDR vendors do on Windows where they have a whole bunch of telemetry, or even operating system telemetry from Windows or from Apple, iOS or whatever else, like, this stuff gets hoovered up and reviewed and used by security conscious firms. And so seeing a firewall vendor or a network perimeter device vendor doing this just seems like a step in the right direction, despite, you know, all of the hullabaloo it seems to have caused amongst the commentariat.
Patrick Gray
Yeah, I mean, 100%. Right. I mean, the thing that I can think of that's most similar is when Kaspersky wound up on a computer full of NSA exploits and then extracted them and did threat hunting like that. Right. Like it's the same thing, but it's on a hardware device. And yet somehow this is regarded as controversial. I did a half an hour interview last night with Ross McKercher, who is the CISO of Sophos, to talk all about this. And I'm just going to play an excerpt here where he talks about some of these reactions we've seen, because some people have been quite critical of Sophos saying how dare they drop malware on their possible customer? Which is, you know, I just don't think is a particularly sensible take. But, you know, Ross spoke really intelligently about all of that. And here's an excerpt of that now.
Ross McKercher
By and large, I think, I think the take, the bad takes that we've seen have been pretty, pretty uninformed. There are some exceptions to that. You know, I think there are. I think the whole kind of hacking back debate is an interesting one. Is an interesting one to have. One thing that we've shown, I believe, is that it's not really a binary kind of you're doing it or you're not doing it. There's a lot of shades, shades of gray in that debate. I'm glad we're having that debate because we do want to establish cyber norms in that space, what the right way to operate is. I think we've pushed that envelope a little bit and shown that it's by and large that we're on the right side of history. We've had a lot of support from... Not on our explicit actions, but generally we think that organizations like CISA and NCSC, they're saying things like, we encourage vendors to take accountability and responsibility for customer security outcomes. We felt like as long as we're guided by those principles and following that kind of guidance, then it's probably going to be okay.
Patrick Gray
So there you go. That's Ross just spelling out, I guess, his thoughts on what all of this means for hacking back and whatnot. And if you want to watch the full interview, I'm going to publish it to our YouTube channel. So just find Risky Business Media on YouTube and I've put the whole thing there. You watched it this morning, Adam. I mean, I was really happy with that interview. I thought he was a terrific guest and said really interesting things.
Adam Boileau
Yeah, I really enjoyed that interview. Like, you touched on a bunch, all the questions that we all had, because as you said, I think we kind of all had questions in the internal Risky Biz Slack that you then kind of used in the interview. And yeah, like, it just seems like a thing that a security vendor should be doing. And one of the things that he said, you know, was that, you know, as security vendors, you kind of have to pick a side at this point, and going after, in this case, Chinese exploit dev being used against Taiwan and being used against other, you know, Western allies, like, kind of what they should be doing. And the level of cooperation with law enforcement, with intelligence agencies, like, reflects the reality of the world that we are now in. And anyone who thinks that, you know, they have, you know, anyone who has a vendor about which they have privacy concerns, like, they want to be secret from their vendor, needs to adjust their threat model because that's just not how the world works anymore. And, yeah, deal with it.
Patrick Gray
Well, you know, you and I were talking about this the other day, and I think you and I both have crash dumps turned on for our iOS devices because you want failed exploit attempts being flagged and sent to Apple for their threat hunters to have a look at. Because one day you might get an email or a phone call from someone at Apple saying, hey, someone's trying to own you. You know, like, this is the new reality. Like, it is a good thing. We used to, like, 10, 20 years ago, we used to turn that stuff off. We don't want that data going anywhere. And now you just smash the hell yeah button, right?
Adam Boileau
And especially as companies have gotten better at handling that data, like, I'm much more confident that memory dumps from my iOS devices are going to be treated with due respect at Apple, both in terms of how their staff manage them, but also how they just store them and how they use them or whatever else. Whereas once upon a time, I am sure that Dr. Watson crash dumps from Windows or whatever were just kicking around a file share in Redmond. But these days, things have changed and it's just not like it used to be. So I would be a little more wary with less, you know, mainline vendors, maybe the ones that haven't necessarily earned that respect yet. But yeah, the world is definitely not where it once was.
Patrick Gray
Well, Ross actually describes that. Well, he says some people are nervous about it on GDPR grounds, which he thinks is, like, kind of crazy when you think of the privacy benefit you get from, you know, not getting owned. It's probably bigger than the privacy benefit you get by not sharing crash dumps. But again, you know, people should go, absolutely, go and check out that interview.
Adam Boileau
Hell yeah.
Patrick Gray
Okay, now we've got a write up to look at, Adam. It's Bishop Fox's write up of the FortiManager vulnerability that's been getting everyone owned. I just think this is a really interesting bug and I mean, I know most of it is all done right now, like, in terms of everything's been owned that's on the Internet, but I still think it's worth looking at. I also had a really interesting chat yesterday with a gentleman by the name of Gert Funderberg who works for an Australian sort of defense focused consultancy called Cybliminal. And thanks, Gert, for that, because I just wanted to understand the, like, how these things work. And it is kind of as crazy as you would expect. Like, the FortiManager thing sits out there at the edge and it is both a client and a server, right? So it has to connect to the devices that it's managing and those devices need to have sort of various open ports where this API-like thing sits there, and vice versa, right? So when a bug like this turns up, it's just real, real bad. And in this case, essentially how it works is that an attacker that could connect to a FortiManager appliance can just enroll their own device into it. And then from there I think there was, like, a command execution vuln. So this is just really terrible and a great reminder. I was chatting with another mutual friend of ours yesterday actually about this. It's a real reminder that I think we need to go back to first principles somewhat when looking at rolling out projects like this, because you can't put this stuff on the Internet, like management interfaces, management ports for firewall orchestrators. You can't put that stuff on the Internet and not expect bad things to happen. And for some reason I think a lot of people have forgotten that.
Adam Boileau
Yeah, I mean, I think you're very right. And the bit that the Bishop Fox writeup digs into is less about the initial, the actual command exec bug and more about the process by which Fortinet tried to make it okay to put this stuff on the Internet, which is to say they use certificate based authentication. But in a management product like this, there's the whole, like, bootstrapping problem. How do you buy a new Fortinet, take it out of the box and configure it with, with your FortiManager, if it uses certificate auth? There are, in this case, factory certificates. And if you can show up to a FortiManager with any old signed-by-Fortinet cert, then you can kind of start that enrollment process and expose all the extra attack surface that in this case leads to command injection. But from the point of view of an organization that's, say, doing vuln scanning, trying to understand their perimeter, all they see is a port that they get nothing back from because they don't have the relevant certs. But from an attacker's point of view, and indeed Bishop Fox's case, they said we actually had some of these certificates lying around from previous work that we did. Pulled them out of a VM, extracted them from a hardware device, whatever it was. And so this impairs defenders who can't understand what's exposed in their perimeter, but doesn't really impair attackers because we know how to get these certificates and so on. And this is a thing that we've seen in all sorts of other embedded device management platforms that have to do kind of over-the-air auto-enrollment, because they all end up having to trust something, and that something is having the software in the first place, which is a bar attackers can meet. So that was the thing I thought was really interesting about it.
Patrick Gray
But I mean, if you architect these things right, you don't need to have these things facing the Internet, do you know what I mean? You can VPN them in some other way or, you know, there are ways to do this without exposing these ports to the Internet. And I just think, given the... And I also spoke to Andrew Morris this week, right? And he says that the border device is getting owned at the moment. Like, even though it's a big story in the cybersecurity media, he's like, it is so much worse than people realize. Like, it is just crazy out there on the Internet at the moment. And I think the only thing that's going to move the needle on this is to do better networking, right? I mean, HD Moore in this week's sponsor interview said something really interesting, which is that one approach he recommends for dealing with this, just in terms of the problem of actual users connecting into these VPNs, a way to restrict that is you can actually export a list of all of the egress IPs of CrowdStrike clients, right? So any machine running CrowdStrike, you will be able to report its IP. You can pull that into an allow list. So that's one way to deal with this, but I think we are really on the cusp of having to seriously lock down, like, network. I mean, this is why I've been so big on Knocknoc and whatnot. And that's just a small part of this. I just think we're on the cusp of really having to change the way we think about even allowing network connections to just occur from anywhere. Right.
Adam Boileau
Yeah, I mean, I think you're right. The, you know, firewalling is one of those controls that is simple and basically works. Right. There's not much to go wrong with. You can't talk here, but we need...
Patrick Gray
...to make it dynamic, I think is the point.
Adam Boileau
Yeah, like being able to use those controls in ways that reflect the modern kind of, like, zero-trusty, mobile, post-COVID, working-from-home Internet, you know, but bringing the simplicity and, let's face it, the lack of complexity to controls. Right. By using firewalls or whatever else, because we can't be trusted to write software, we can't be trusted to ship and deploy complicated systems that are reachable to adversaries because we're bad at computers and, you know, controls that actually work, like, that's super valuable. And, you know, not forgetting that, you know, you think about how many things we have been saved from because of IPv4 exhaustion and address translation. Yeah, you know, it wasn't meant to be a security control, but boy, oh boy, has it bought us a few years.
Patrick Gray
Yeah, it certainly has. Now let's look at Wired's report here. A bunch of outlets have covered this. A suspect has been arrested in Canada. He is suspected of being the, you know, the Snowflake hacker, you know, affiliated with the Com kind of thing. Alexander Connor Moucka has been arrested this week by Canadian authorities and, you know, in all sorts of trouble. So I think that, you know, you'd expect an extradition to the United States there. I think there is more coming on this story, but I'm going to be good and not talk about it until next week.
Adam Boileau
Very responsible, obviously. Very responsible, yes. So I think this guy, we're going to see him in US custody, which is probably where he belongs. And, you know, by all accounts he, like, bought credentials from an infostealer and then used them against Snowflake and then, you know, tried to turn that into embarrassment of money for people. So, like, as hacking goes, not very hackery, but still definitely proper crimes. So yeah, let's hope he gets the book thrown at him.
Patrick Gray
Probably better described as an alleged computer criminal rather than a hacker. Right? Yes, it's a bit of an insult to the word hacker. Now let's talk about, like, the robots doing some hacking here, Adam, because we got two stories that relate to large language models that are actually really interesting. So John Greig has a write up at the Record about Google's, one of Google's large language models actually finding a bug in SQLite. And we've also got a report about GreyNoise discovering a zero day in the wild that was targeting IP cameras with their Sift, LLM-based thing, which, you know, we've had Andrew on the show talking about that before, but this is the first time they found a good one, went through the whole reporting process, so on and so forth, and indeed he's going to be on the show in a couple of weeks talking about that. But, you know, this is encouraging, right? When you're starting to see LLMs being used to actually find bugs in code and find bugs being used on the Internet. I mean I'm, I love it.
Adam Boileau
Yeah, no, it is, it is encouraging. Although, you know, before anyone gets too excited, like, reading... Google wrote up the details of this on their Project Zero blog and it has a bunch of the interactions with the LLM, like a bunch of the conversations and process, and it's a really good write up because it, like, talks through the challenges of getting the LLM to do the right thing. But then also what it was good at, what it wasn't, kind of where it made good contributions, kind of how it relates to fuzzing. They compare it quite strongly to, like, why wasn't this bug found with automated fuzzing? Because Google and their OSS-Fuzz project already does fuzz SQLite and didn't find this particular bug. So it's well worth a read for anyone who's kind of in the weeds of using LLMs for bug finding and bug hunting and so on. So yeah, I think, you know, we're definitely making progress and it is really interesting to see something proper in the real world this way. But, you know, it's just not as broadly applicable yet as people want it to be, but it's a great step in the right direction.
Patrick Gray
Yeah, baby steps, baby steps. We're just starting here. And by the way everyone, I'm aware I'm still coughing, you know, not much I can do about it. If I were to stop and try to record clean takes every time I cough, we'd be here all day, still recovering. And thank you to people for their continued well wishes. Yes, I was very sick. But the GreyNoise one's cool, right? Because what they're doing is they've got their big honeypot network out there and they're just seeing these attack attempts come in and to be able to automagically extract an exploit out of that. And I think this was, like, a real deal command injection bug as well, affecting... And these weren't, like, little, you know, cheap home cameras, these were serious business IP cameras at sensitive facilities and whatnot. And probably the attackers were trying to just use them as ORBs. But being able to stop that in its tracks, you know, to be able to detect a bug like that and just have an LLM write it up, I think that's just an amazing achievement.
Adam Boileau
Yeah, like, I could certainly imagine that the kind of volume that GreyNoise has to deal with, having anything that's going to help sift through it, dig stuff out and automate, you know, part of this process, the triage. Super valuable. So, yeah, solid work there.
Patrick Gray
Yeah. Now, speaking of ORBs, we've got a write up here from Ars Technica about TP-Link routers being used, you know, as ORBs by the Chinese to really obscure the origin of attacks. I mean, this is something that's come up a few times. You know, we've been talking about this a bit, but really, you know, it's a good way to roll. Right. Like, it's the old way to roll, which is you have a compromised end user device and you stage your attacks from there because it just looks like a normal home IP. But it's a good write up here and there's some nice details in here.
Adam Boileau
Yeah, and I think the thing that stood out to me about this one was that Microsoft wrote up this initiative, this campaign, because it was being used to do low and slow brute force against Azure and Microsoft identity services, and vendors like Microsoft, really big ones like that, are in a position to spot really scaled low and slow campaigns like this. And I think writing them up and talking about them publicly is just super useful, because everybody else who's too small to spot really low volume spraying distributed very widely, you know, we have to rely on the big people with really big viewports into the Internet to be able to warn us about this stuff. So, yeah, good work, Microsoft, for once.
Patrick Gray
Indeed. Hey, that's a bit harsh. Like their threat people are pretty good. Their threat people are excellent. Like our criticism of Microsoft is very much around the, you know, the products, not the people doing this sort of work.
Adam Boileau
Right, sorry. Microsoft people that do good work.
Patrick Gray
Yeah, yeah. Now let's look at, you know, it's not dumb if it works. We've got this Midnight Blizzard attack targeting people with, like, malicious RDP, like, config files. Is that about right?
Adam Boileau
Yeah, yeah, exactly. This is, you know, it's smart because it's dumb and it works. They've been emailing people around with a phishing lure that is an RDP file that is associated with the, you know, the Windows Remote Desktop software. And if you click on it to launch, it will prompt you to connect to some, you know, server on the Internet via Remote Desktop. Many people don't understand that Remote Desktop can also share local resources like drives and printers and whatever else with the remote server. And so this was set up to basically share your C drive or whatever with the server after auth. And so the attackers in question were then using that drive access to pivot back down into the local machine, infect it with malware and then onwards to come out of your machine and great victory. Which is pretty smooth. Like, I had... I've definitely thought about doing this before, but it's one of those things where you just look at, no one's going to respect me in the lunchroom if I'm going to try and hit my target by convincing them to double click on an RDP file, I have to go find a better bug. But, you know, I guess if it's your actual job as opposed to just, you know, something you're doing to try and look clever in the lunchroom, then, you know, it gets it done.
Patrick Gray
I remember, like, 15 years ago chatting with, I think it was Brett Moore, who was your boss technically at Insomnia, at an early Kiwicon. And I think you can do similar things over Citrix. You can, like, remote mount drives and stuff like that. And, yeah, yeah, I had no idea. Right. So that's why, because I think he was presenting on some Citrix stuff. Was that him who did that Citrix Gateway talk? Like, was that like 2008 or something? Yeah, an amazing talk, like using Notepad, like remotely served unauthor Notepad to get great victory, like, through Citrix. And then talking to him after that, he's like, oh, yeah, you can mount drives. You, you can do this, you can do that, you can print stuff if you want.
Adam Boileau
You just have to print a sharing. There's all sorts of microphones if you want to hot mic people. It's just. Yeah, it's super useful.
Patrick Gray
Yeah. So, I mean, we shared a lot.
Adam Boileau
Of things over the years like that at Insomnia.
Patrick Gray
Yeah. So I guess it's worth pointing out that thin client, you know, can probably do a little bit more than just remotely display a screen. And I think a lot of people don't know that. So. Yeah, so as dumb as that is, it's like, you know, it's sort of like forgotten knowledge.
Adam Boileau
Yes. Yeah, yeah. I really enjoyed, you know, smart, dumb hacking. It's the way.
Patrick Gray
Yeah, yeah. Now we got this other write up here. We'll go with the Record version. James Reddick has the write up. It's about Chinese intrusions into government agencies. I mean, this is all, you know, so far, so normal stuff. But then we've got interesting stuff here. It's all Canada this week, right? Because it turns out Canadian officials, it looks like, were maybe leaking something significant to the Washington Post about senior figures in India greenlighting assassination attempts or assassinations on Canadian soil of, like, Sikh separatists. And then you've got bodies in Canada releasing threat reports saying that, you know, India is now a, like, cyber adversary. Things have just got hot. Right. So, you know, for those who haven't been following, like, the diplomatic relations between India and Canada have been deteriorating over this, over this assassination plot, and it's just getting bad. And I do think it's interesting that when you've got these national threat assessments coming out, you know, when you've got these bureaucrats basically saying, and I'm not using bureaucrat as a pejorative, they're bureaucrats basically saying, yeah, look, India is now our adversary in the cyber domain. It's just amazing how quickly that all turned around.
Adam Boileau
Yeah, it has. It has moved very quickly. And, you know, when we see, you know, like, there's been so much talk about, say, like, iPhone production, you know, with Foxconn in China being moved to Malaysia, moved to India, you know, and doing that because India is seen as more stable, seen more as geopolitically aligned with the west, et cetera. It's funny how quickly that kind of thing can change. And, you know, as infosec professionals, we're always thinking about, you know, how do we manage supply chain risk? How do we manage our exposure to geopolitical realities? And it can move so quickly, but, you know, what are you supposed to do when it's on the timeframe of like, can I buy, you know, iPhones made in India? Now if you're a Canadian, you know, supplier to the Canadian government or whatever, like, you know, it doesn't take much to look, you know, this gets worse, you know, another three months worth, another six months worse. What would that mean for, you know, people having to, you know, buy hardware, buy software. Yeah, it's just hard to keep track of, you know, so things can change quick, right?
Patrick Gray
Things can change.
Adam Boileau
That's why we've become so much a geopolitical podcast as well as a tech one. Right.
Patrick Gray
Well, you know, on that topic, we've got a great report here from Wired which really looks back into a, you know, failed regime change attempt by the Americans targeting Nicolas Maduro in Venezuela. And the reason we're talking about it here is it looks like there was a cyber element of this. The reporting is a little bit vague on exactly how this happened, but it looks like the Americans were able to actually shut down the payroll system for Venezuelan soldiers. And this was seen as a way of, you know, generating some discontent there in concert with other activities. As we all know, you know, these attempts failed and Nicolas Maduro is still very much in charge in Venezuela, sadly. But it's. Look, it's an interesting read nonetheless. Right. And it's a, it's a little bit of an insight into, you know, how governments can use some of these techniques to try to tilt power one way or the other.
Adam Boileau
Yeah, I thought it was a really fascinating read. I mean, A, because of the kind of cyber angle which is in our beat, but also B, the extent to which it's clear that the CIA really didn't want to have to do what it was being asked to. Like their reluctance to get all Bay of Pigs up in there or, you know, put, you know, operatives on the ground in Venezuela to do things and how cyber was kind of seen as a way to have some effect, like enough that they could claim that they were doing what, you know, President Trump had told them to do, but, you know, without it really turning into something particularly effective. And like, that's just, you know, when you imagine what the American national security bureaucracy is like, you know, A, sounds super believable and B, you know, it's just kind of a funny about face from the CIA that, you know, you read about in the spy novels and so on. But, yeah, it's just. I think it's a good read for anyone who follows, you know, sort of the intersection of natsec and cyber.
Patrick Gray
And there's some juicy little details in there as well, where the people who are running this operation were trying to get access to better resources on the cyber side from within CIA and NSA, and they got told to pound sand, basically. So you get the impression that, like, the entire sort of, you know, IC bureaucracy was not marching as one on this one.
Adam Boileau
Yeah, well, exactly. Yeah, yeah. And then once, John Bolton was one of the main kind of architects of this, pushed out Cuckoo Johnson, the walrus. Yes. Yeah. The kind of wheels all fell off and then, and then onwards from there. But it's just I, yeah, I think this is a good read. You know, if you're looking for something to read in your lunchtime, this is our recommendation of the week from Risky Business.
Patrick Gray
Now we're going to talk about some reporting from our colleague Catalin Cimpanu, which looks at recent goings on at Mango Park in Cambodia, which is where a lot of these sort of, you know, scam compounds and whatnot operate. There have been arrests of workers and some strange goings on with the Cambodian government. Can you walk us through this, Adam?
Adam Boileau
Yeah, so the basic gist of this is that I think a South Korean got, you know, lured into working at the scam, you know, kind of taken, offered a high profile job or high paying job in Cambodia, gets their passport taken away, imprisoned at Mango Park and forced to do cyber scamming. Eventually his family in Korea paid a ransom for his release, he went back to South Korea, kicked up a hullabaloo and that led to a South Korean television station doing kind of an expose about it. And that was sufficiently embarrassing for the Cambodian government that they actually then went and raided the compound, et cetera, et cetera. Then where it kind of gets interesting is that the result of this was a bunch of people have been, you know, freed and no one's quite clear whether they're being, you know, kind of repatriated or have just been sent back to the compound or whatever else. And there's been a bunch of kind of downplaying and cover up from Cambodian authorities. And we've seen previous reports about the kind of the tie ins between Cambodian officials, Cambodian leadership, you know, all the way up to kind of the top levels of government with both the company that was providing kind of money laundering services, but also the scam compound operators themselves. And, you know, the kind of overall vibe is that, you know, Cambodia as a state has kind of been captured by the sheer scale of the scamming business. And then, you know, that's been turning into a mess for everybody. Both the people, you know, running the scams, people imprisoned, the people being scammed, the governments of the countries, you know, whose citizens are involved, real mess. And like, you know, it's going to take a while for us to, you know, see any real resolution here because there's just so much money involved.
Patrick Gray
Yeah, I mean it's Cambodia, Myanmar and Laos where the bulk of this activity happens. And I think they're earning these scam compounds something equivalent to 40% of the combined GDP of those countries. And anytime it's just, it's the scale. That's right. And any time you've got numbers that are that out of whack, you've got kind of a Colombia in the 80s situation where the crime is worth so much money that the crime groups become immensely powerful and start to co-opt politicians. So that's one of the things that makes this so insidious is it's so profitable that they're going to get top cover from governments. Which is why I think the response so far from the EU and the United States to this has been about right because we've just seen sanctions flying involving these scam compounds. I think this is one tool that the west can use to try to put a lid on this stuff. I don't know how effective they'll be on their own, but I feel like gradually things are going to ramp up and we might see some, you know, more offensive cyber style operations against these compounds because they rely on an awful lot of bandwidth to do this sort of stuff. They rely on an awful lot of Internet to do their, their cyber scamming. And that's something that can be taken away remotely fairly easily. And I just wonder how long it'll be before we get to that point.
Adam Boileau
Yeah, yeah, exactly. I mean we've seen, you know, some of the people who do it sort of at an amateur level on YouTube, you know, like doing the breaking into Indian scam call centers, for example, and like, you know, publishing with their video, you know, feeds from their security cams and outing them like that kind of thing on a larger scale against some of these compounds would be interesting to see. But it's just, you know, seeing this happening at such, you know, as you said, like tens of billions of dollars scale, you know, is just kind of different than anything we've really seen before. I mean the scale of ransomware is what, like single digit low billions and we're talking tens of billions here. Like it's just, it's massive.
Patrick Gray
Well, ransomware is disruptive, but it's never been the earner. You know, it's BEC and scams. That's what, that's what makes the money. But I guess they're less, they're less cyber these days and it's just amazing how they've refined these scams because these days like, you don't even need mule accounts to run a scam like this. You just get people to buy crypto from some exchange, right, and then send it to you and that's it, you've got the money. So, yeah, it's hard. I mean, I'd like to see these, these places getting DoSed. I would like to see their upstream ISPs suffer as well. I mean, why not sanction the upstream ISPs that give these people connectivity? That might get you somewhere. You know, I think these are the sort of approaches that we need to think about to try to combat this fraud. But it's. Yeah, it's, it's horrible stuff. We're going to finish with a story from Jonathan Greig over at the Record. He never did get back to us on whether it's Greg or Greg, by the way, but apparently a crew in North Korea, the North Korea's Reconnaissance General Bureau, were involved in an attack involving the Play ransomware. So, I mean, that's good news, everyone. You know, North Korea just operating like any other affiliate. If they really, and we've been saying this like all year, if they really decide to branch out hard into ransomware, that's going to be bad. Yeah.
Adam Boileau
This was based on some reporting from Palo Alto's Unit 42, which saw a case where the North Koreans have been in there and then after they've been in for a while, the Play ransomware was delivered through the same mechanism. So like through the same user accounts on the same entry points. And it very much looked like one had introduced the other, like that the North Koreans had brought the Play crew or had deployed the Play ransomware either by selling access or deploying themselves. And yeah, that's, I mean, it's a tie up, I guess we've all been expecting to happen. And yeah, maybe this is the hot collaboration of the season. North Koreans bringing the good ransomware and onwards from there rather than just, you know, fake rubbish stuff. So, yeah, innovation, maybe.
Patrick Gray
All right, mate. Well, that's actually it for the news this week. Thank you so much for joining me and again, apologies to listeners for my coughing through this interview. I hope to be 100% real soon, but yeah, we'll pick it all up again next week. Adam, thanks again.
Adam Boileau
Yeah, thanks very much, Pat. I will talk to you then.
Patrick Gray
That was Adam Boileau there with a check of the week's security news. It is time for this week's sponsor interview now with HD Moore, who is the co founder and chief executive of Run Zero, which is an excellent sort of CAASM product, it does like attack surface measurement and all of that good stuff. So it can find stuff that you own that's out there on the Internet that shouldn't be there. And HD is joining me to talk about some new tricks that RunZero has where it can actually marry internal scan data from the inside of your environment to external scan data. So you can really know that this thing you're seeing on the inside is that thing that you're seeing on the outside. So he's going to talk through how Run Zero is doing that. Here he is.
HD Moore
So the biggest challenge with external attack surface management is knowing where to start. So you need to attribute your entire external IP space, domains, third parties, everything that basically comes back into your organization. And the tricky thing about that is you'll be able to know some of it and you'll be able to use tools and other techniques to get a handle on a lot of it, but you'll never get all of it. And that's the biggest challenge. So the idea is that because we already have great data about your entire internal environment, we can then precisely fingerprint an internal asset and be able to use that to find it on the Internet anywhere, regardless of attribution. So we don't need to know what your external IP space is to figure out whether you've got a workstation with RDP exposed to the Internet.
Patrick Gray
I'd imagine that is useful context as well. Right. So when you find something outside and you're like, that's bad currently. I mean, I know people have used this sort of software, these sorts of scans, to find stuff on the outside, and they're like, okay, that thing shouldn't be there. But then they don't know who it belongs to, who's managing it. Right. Whereas I'd imagine once you've got the internal scan data, you would have a better starting point at least. Or am I off base there?
HD Moore
That's exactly right. Half the time when you get an external attack surface report, you're like, great, this thing's exposed, but what is it? How is it connected? What can someone do when they get there? When you're starting off from the internal side and you have the full context of your CAASM and overlays of your EDR, et cetera, you know exactly what it is, you know exactly what data it has access to, where it lives in the network, what it's connected to, and what the risk of it actually being exposed is. One of the things we can do as well is actually identify whether it is the same machine. So let's say we see the same cryptographic cert on an Internet facing asset and an internal asset. There's a bunch of different scenarios that could play out. One is that machine is directly exposed. Two, the machine has been cloned. So someone took a copy of an internal workstation and put it in AWS as an AMI. Three, that key is actually widely copied all over the place. So it doesn't really matter which one of those outcomes it is. You've got a problem somewhere. So we're able to tell you either 1, 2 or 3 pretty quickly if you see anything exposed. So it may not be directly connected to the Internet, but it could be a copy of a machine that was directly connected or a clone of a machine. That's actually pretty important.
Patrick Gray
I think what you're getting at is it's something worth looking into.
HD Moore
Absolutely. So it's really no false positives, which is the great part about it. If you see a machine internally that has the same fingerprint, if you will, on the external side, you know you've got a problem somewhere. It's either a cryptographic problem, it's an exposure problem, or it's a, you know, hard coded weak firmware key problem.
Patrick Gray
So talk to me about how this actually works. Right, because you're talking about doing detailed enough fingerprinting on the inside that you can know that that's the same asset that you're seeing from the outside. How can you get a fingerprint that works in both directions? Because I would imagine some of the stuff that enables you to do high quality fingerprinting on the inside, I don't know. I mean, you know, you might be accessing more ports on the inside than are accessible externally. Or you know, does it need to present externally the same way it does internally? Or how do you marry those fingerprints when sometimes you've got access to more information on the inside?
HD Moore
Yeah, I mean, the good news is most of the remote access protocols you're going to care about have built in encryption and they've got built in encryption, they've got a hard coded crypto key of some sort, a public key that rotates every so often or so on. So you can use the fingerprint of the encryption key or the public key of the asset, whether it's an SSH host key or a TLS fingerprint, to get pretty close to truth. You can say at least it's the same public key on the same machine. Right. Now the question is, is it actually the same machine? So there's a bunch of techniques you can use for that. So crypto keys aren't the only way we do it. But to give an example of one that's not a crypto key, SNMP version 3 allows you to leak what's called the engine ID pre authentication. This is an opaque kind of hex value that also often includes the MAC address of the machine. So it's true you can have the same hard coded MAC across multiple routers, but in reality when we scan the whole Internet, we see that these things are almost unique per physical hardware. However, if they're not the same for physical hardware, we got ways to tell them apart. So in addition to the engine ID leaking out, there's also a bunch of counters. So if we hit the counters in the internal side and say the counter is currently 35 and then we do something to bump it up to 36, then we query the external side and say is it currently 36? Bang on. You know exactly that it's that physical asset. If it's not, you know, it's a copy of that asset.
Patrick Gray
So you can actually make changes on the inside and wait for them to pop up on the outside. That makes a lot of sense.
HD Moore
It's other attributes of the protocol you can leak out. So RDP, for example, even though you've got a TLS certificate which has the common name, expiration date, serial number, all this great stuff you can fingerprint. You can also start the NTLMSSP authentication process and leak out the DNS domain name and some other bits about the authentication handshake, which you can then use to confirm that it's the same machine. Most protocols like SMB is another good example. There's two or three unique values in the SMB session that are monotonically incrementing on that particular server. So if you see the session ID bumping up within a certain range, you know it's the same physical box.
Patrick Gray
Yeah, right. So I understand that this isn't released yet. This is going to be early December release, but I'd imagine you would have some beta testers out there who are using this. What sort of stuff are they turning up with it? Right, because normally when I talk to someone like yourself who's released a new feature like this, they will say we created this feature for all of these use cases, but this one is killer. Like is there anything there that people are just going, oh my God, this has turned out to be very useful in this specific situation.
HD Moore
That's a question. So we haven't released it to a big beta group yet. We've been using it internally and doing a lot of boil the ocean research to figure out what percentage of customers have particular exposure. And we're doing it in a way that's like the Have I Been Pwned model where we're not taking internal data and pushing it out to the Internet. Right. We're taking a database of the whole Internet and then querying a hash of that against an internal only service so that we're not having to leak information about internal systems out to any kind of third party hosted service. So in doing it that way we're able to quickly say does this partial hash of this internal server exist in the public database? Yes or no. And what we found so far is obviously you find lots of misconfigurations, lots of hard coded MAC addresses, things like that. But we are seeing cases where there's crypto keys that were previously unknown to be widely shared across customers are there. So they're popping up out of the weeds immediately. We see those everywhere. That's step one is look for any duplication across more than one customer. If you see more than one in one place like it's already a problem, dig into it, figure out.
Patrick Gray
But why is that happening?
HD Moore
It's usually lazy vendors. It's an appliance that is a hard coded key, it's a firmware. It's a lot of systems where it has either the key always gets generated a certain way because the way the RNG is or it's hard coded to the firmware itself. Those things are easy. So we take all those out of the equation, throw them away and say great, those are ones that we can flag as being weak crypto key but not emergency. Now what else is out there? And this is where we start to find the really fun stuff. So we're finding a lot of cases where an internal core router that's responsible for segmenting like PCI network from non PCI is also Internet facing with SNMP exposed.
Patrick Gray
Whoops.
HD Moore
Yeah, you don't expect it to be quite that prominent. Like it's amazing how many what should be internal networking devices have external attack surface. And that's probably been the biggest surprise so far.
Patrick Gray
And how are people usually. And I know that these particular features aren't out there yet, but I'd imagine people are already using just like the external discovery component to find that sort of thing. What are they generally doing when they like, how successful are they at actually cleaning up stuff that gets discovered by CAASM? Because that's always something that I've wondered about because CAASM is a great thing to do. It's great to do some external attack surface mapping and all of that, but sometimes people get a list of 100 things and they're limited in what they can do. So 50 of them, boneheaded stuff like you just described, just nuke it off the Internet. But other stuff might be a little bit more tricky. Like how successful are people at dealing with the results of external scanning? I guess is the question.
HD Moore
I guess that's kind of my claim for why you need to have the internal side as well. And the kind of full CAASM picture is because if you're starting with external only, all you have is like, okay, when is machine exposed or we see SSH exposed, you don't really know if it matters. So the nice thing about the CAASM piece is you can overlay your vuln management data, your EDR data, all your internal controls on top of that, and say, okay, this device is exposed but doesn't have any EDR on it. Does it actually have access to this network? Does it have a critical vulnerability? So you can start really narrowing down how much you have to care about that exposure with that other data.
Patrick Gray
Right. So it's not just this thing is vulnerable, it's this thing is vulnerable, unmanaged and has access to a lot of stuff, which, yes, is more of a five alarm fire.
HD Moore
Yeah. And for anything else, like let's say you do have a jump box that's RDP and you know it's exposed, that's fine. Right. You know it's contained to your VDI environment or something like that, it's not the end of the world if that's hanging on the Internet because the way it's set up. But then again, if you see a machine that absolutely should not be on the Internet, an executive laptop where it's got an LTE card and RDP is exposed to a random IPv6 address, that's a bigger issue.
Patrick Gray
So talk to me too, because it's been a while since we've had you on the show. Talk to me too about just some broader trends in the way people are using Runzero because you always have an interesting answer there.
HD Moore
Probably the most surprising trend last year is just the amount of OT interest. So for us, we always treat OT like anything else. We scan safely. We do so many things to make sure we don't impact the end device, the local broadcast segment, middle devices between us and the device we're talking to. We rolled out passive detection last year. Which made it easier for folks to just upload PCAPs or do span port monitoring if they weren't comfortable doing full on scanning. But we've seen a huge increase of people scanning OT environments in the last six months alone. That's probably been the biggest trend we've also seen.
Patrick Gray
That's interesting because I remember when you released that stuff and it was safe, right? You could scan an OT environment and not make robots go crazy. Right. Which is, which is fantastic. But you did hit a lot of resistance in the market where people just didn't want to actively scan. So then you released passive tools. And what now you're saying they're coming around?
HD Moore
That's kind of what we figured too. We figure putting the passive discovery out there wasn't necessarily because people were going to use it, it's because it's going to use it to build trust and then use the active. That's exactly what happened.
Patrick Gray
So what sort of IT environments? Just general, all sorts.
HD Moore
Manufacturing, everything from automotive. We've got a few customers in that space, telcos all the way down to warehousing logistics. One of my favorite customers runs a fish farm. And so out of the middle of the Mediterranean there's a bunch of cameras and stuff turning around and you're looking at some fish and some feeders and some cameras and Run Zero monitors all that. It's a really wide variety. But I just love how much stuff is out there and the fact that we're able to basically provide really detailed data about those assets that you just can't really get any other way.
Patrick Gray
Look, just going back to a question I had earlier just about how you can't, you know, it's great to have ASM, but you know, you can't necessarily take stuff down even after you've discovered these vulnerable things on the edge of the network. I mean one of the issues here is actually security devices on the outside that need to be accessible, your Fortinets and SonicWalls and whatnot. Do you have any sense of like, first of all, do people already always know that they're using those things or are they having to discover them using discovery tools? And then secondly, what are they doing in response to that? Because that is a real pickle at the moment for people.
HD Moore
Yeah, it's a great question. So usually the security team or IT team realize they have at least one of these devices. Let's say it's Palo Alto with SSL VPN. They know they have it because that's how they connect to the network. They've got an SSL VPN client. What typically they don't know about is the backup connection. They've got a failover, they've got a secondary one, they've got one hooked up to a small office in place. So it's one thing to know you've got a particular technology in place, it's another to know exactly where each of those instances of that appliance are. And it's really easy to forget your backup line or your secondary appliance.
Patrick Gray
So what are they doing when they've then discovered this backup appliance that maybe doesn't have the correct monitoring, controls things on it that way? Like what do they do? Do they just then firewall that and then you know, if they need the backup they can un firewall it. Like what do you even do then?
HD Moore
I mean typically what folks will do is turn off the backup options, only have one device left exposed, and then monitor the hell out of it. But if you listen to the vendors, what they recommend is putting another device in front of it of the same make. Which doesn't make any sense.
Patrick Gray
No, it doesn't, it doesn't. I mean, you know, you know, I've talked to you about it before, but I'm a big fan of like Knocknoc for that particular application because you can actually cut it off, which I don't understand. And I don't understand why it's up to a third party vendor to like, why on earth when we live in a world with SSO, would you not instrument network connections based on SSO status? It makes no sense to me that they're not doing it. But hey, it's an opportunity for other people, right?
HD Moore
There's a great shortcut for it too. So if you're in a position where you have a VPN device, you need to have a list of IPs that allow access to it. And you get that list really quickly. Go to your EDR and export the public IPs of all your assets and you're done. It's literally a two second process. Go into Run Zero, search for CrowdStrike, export the egress IP of all your CrowdStrike assets, stick that in your allow list and you don't have to worry about it till Monday.
Patrick Gray
That's a really nice idea actually. I like that one. That's great. And you can update them. You should be able to instrument that dynamically too.
HD Moore
Yeah, absolutely. You can export it directly out as a CSV from RunZero, pick the fields you want, pass it into the IP ACL. It should be pretty easy to automate. But I mean, the nice thing is you already have the data. It's already sitting there on the EDR side. Just pull it in and use that as your allow list because you know who those clients are.
Patrick Gray
Yeah, that's a great idea. That's a fantastic idea. All right, H.D. Moore, thank you so much for joining me for that conversation. Always great to see you.
HD Moore
Thanks for having me, Patrick.
Patrick Gray
That was H.D. Moore, the chief executive of this week's sponsor, Run Zero. Big thanks to him for that. And yeah, Run Zero is a terrific tool and you should all absolutely go and check it out. But that is it for this week's show. I do hope you enjoyed it. I'll be back soon with more Risky Business for you all. But until then, I've been Patrick Gray, thanks for listening and watching.
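The internal-to-external matching workflow HD Moore describes in the interview, as an added Python example that is not runZero's code: each internal asset is fingerprinted by key material or a protocol identifier (TLS cert hash, SSH host key, SNMPv3 engine ID), only a prefix of the fingerprint's hash is sent to the lookup service in the Have I Been Pwned style so the full fingerprint never leaves the network, and hits are sorted into "shared key" (the same key on several internal boxes, the vendor hard-coded case), "direct exposure" (the counter-bump check proves it is this physical device) or "clone or copy". Every asset, key value, IP address and counter below is constructed, and the prefix length, window and lookup service are assumptions, not runZero's.

```python
"""Added example, not runZero's code: match internal asset fingerprints
against an external scan database without sending the fingerprints out.
All assets, key values, IPs and counters are constructed sample data."""
import hashlib
from collections import Counter
from typing import Optional

PREFIX_LEN = 6  # hex chars of the hash that leave the network (assumed value)


def fp_hash(kind: str, value: str) -> str:
    """Hash of a fingerprint (TLS cert hash, SSH host key, SNMPv3 engine ID).
    Only a prefix of this is sent to the lookup service; the full hash is
    compared locally, as in the Have I Been Pwned range-query model."""
    return hashlib.sha256(f"{kind}:{value}".encode()).hexdigest()


# Constructed internal inventory. 'counter' models an SNMP counter read
# internally before the bump step (None where the protocol has no counter).
INTERNAL_ASSETS = [
    {"id": "core-rtr-01", "kind": "snmpv3-engine-id",
     "value": "80001f8880e9bd0c1e2d3f4a5b", "counter": 35},
    {"id": "ws-4172", "kind": "tls-cert-sha256", "value": "c0ffee11", "counter": None},
    {"id": "cam-11", "kind": "ssh-hostkey", "value": "SHA256:dupdupdup", "counter": None},
    {"id": "cam-12", "kind": "ssh-hostkey", "value": "SHA256:dupdupdup", "counter": None},
    {"id": "db-03", "kind": "tls-cert-sha256", "value": "deadbeef", "counter": None},
]

# Constructed external scan results, stored as fingerprint hashes. The router's
# counter was read externally after the internal bump (35 -> 36).
EXTERNAL_SCAN_DB = [
    {"ip": "203.0.113.7", "fp": fp_hash("snmpv3-engine-id", "80001f8880e9bd0c1e2d3f4a5b"), "counter": 36},
    {"ip": "198.51.100.9", "fp": fp_hash("tls-cert-sha256", "c0ffee11"), "counter": None},
    {"ip": "192.0.2.44", "fp": fp_hash("ssh-hostkey", "SHA256:dupdupdup"), "counter": None},
    {"ip": "192.0.2.45", "fp": fp_hash("ssh-hostkey", "SHA256:dupdupdup"), "counter": None},
    {"ip": "203.0.113.200", "fp": fp_hash("tls-cert-sha256", "unrelated"), "counter": None},
]


def external_candidates(prefix: str) -> list:
    """Simulated lookup service: it only ever sees a hash prefix and returns
    every record sharing it, so it cannot tell which one the caller wanted."""
    return [r for r in EXTERNAL_SCAN_DB if r["fp"].startswith(prefix)]


def counter_check(bumped: int, external: Optional[int], window: int = 3) -> bool:
    """Same physical device if the externally read counter has moved past the
    value we bumped it to internally, within a small window of other traffic."""
    if external is None:
        return False
    return bumped <= external < bumped + window


def find_exposures(assets=INTERNAL_ASSETS) -> dict:
    """For each internal asset, find external hits and classify them:
    shared-key       same key on several internal boxes (vendor hard-coded key)
    direct-exposure  counter continuity proves it is this physical device
    clone-or-copy    same key material on a different box (e.g. a copied AMI)"""
    shared = Counter((a["kind"], a["value"]) for a in assets)
    results = {}
    for a in assets:
        full = fp_hash(a["kind"], a["value"])
        # Only full[:PREFIX_LEN] goes out; the exact match happens here.
        hits = [r for r in external_candidates(full[:PREFIX_LEN]) if r["fp"] == full]
        if not hits:
            continue
        if shared[(a["kind"], a["value"])] > 1:
            verdict = "shared-key"
        elif a["counter"] is not None and any(
                counter_check(a["counter"] + 1, r["counter"]) for r in hits):
            verdict = "direct-exposure"
        else:
            verdict = "clone-or-copy"
        results[a["id"]] = {"verdict": verdict,
                            "external_ips": sorted(r["ip"] for r in hits)}
    return results


if __name__ == "__main__":
    for asset_id, info in find_exposures().items():
        print(f"{asset_id:12} {info['verdict']:16} {', '.join(info['external_ips'])}")
```

The shared-key verdict is checked first, matching the triage order in the interview: a key that several internal devices already share says nothing about which box is on the Internet, so it is flagged as weak crypto rather than as an exposure. The prefix lookup is the privacy boundary; in a real deployment the external side would index a whole-Internet scan the same way, and `db-03` shows the common case of an internal asset with no external hit at all.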
Risky Business #769 – Sophos Drops Implants on Chinese Exploit Developers
Release Date: November 6, 2024
Hosts: Patrick Gray and Adam Boileau
Introduction
In the latest episode of Risky Business, hosts Patrick Gray and Adam Boileau delve into a week filled with significant developments in the information security landscape. From critical vulnerabilities in major authentication platforms to innovative steps taken by cybersecurity firms against state-sponsored threats, this episode is packed with insights and expert analysis. Additionally, listeners are treated to an exclusive interview with HD Moore, CEO and Co-Founder of Run Zero, who discusses advancements in asset discovery scanning.
1. Okta’s OctaBug: A Security Flaw Under Scrutiny
Patrick Gray kicks off the discussion by addressing a recently discovered vulnerability in Okta’s authentication system, dubbed the "OctaBug." This bug allows potential authentication bypass under specific conditions involving extended username lengths.
2. Windows 11 Introduces Sudo-Like Privilege Controls
Turning to operating system security, Patrick introduces upcoming Windows 11 functionality that works like Unix sudo, elevating a single command instead of running a whole session as administrator.
3. Sophos’s Offensive Measures Against Chinese Exploit Developers
A pivotal segment covers Sophos's decision to deploy kernel-level implants, effectively its own rootkits, onto devices used by Chinese APT exploit developers who were researching Sophos products; Sophos CISO Ross McKercher joins the show to explain how and why.
4. Fortinet’s FortiManager Vulnerability Exposed by Bishop Fox
The episode also covers a serious vulnerability in Fortinet's FortiManager, examined by Bishop Fox, that let an attacker register a rogue device with FortiManager and then execute commands on it remotely.
5. Arrest of the “Snowflake Hacker” in Canada
Patrick covers the arrest in Canada of Alexander "Connor" Moucka, the suspected "Snowflake hacker" accused of mass unauthorized access to Snowflake customer accounts and the extortion and fraud that followed.
6. Large Language Models (LLMs) in Security: Bug Discovery and Exploit Detection
Exploring where AI meets security, the hosts discuss how LLMs are now being used to find software vulnerabilities, including previously unknown bugs that would otherwise be zero-days.
7. TP-Link Routers Used as ORBs by Chinese Attackers
Patrick and Adam discuss reports of Chinese actors using compromised TP-Link routers as ORBs (operational relay boxes), routing attack traffic through innocuous-looking home and small-office devices to hide its true origin.
8. North Korean Engagement with Play Ransomware
In a stark reminder of nation-state involvement in cybercrime, the episode covers Palo Alto Networks Unit 42 reporting that a North Korean actor tied to the Reconnaissance General Bureau has worked with the Play ransomware operation.
9. Run Zero Sponsor Interview: Enhancing Asset Discovery with HD Moore
The episode then moves to the sponsor interview with HD Moore, CEO and co-founder of Run Zero, on the company's latest work combining internal asset discovery scanning with external asset discovery scanning.
Conclusion
Patrick Gray and Adam Boileau wrap up by reflecting on how quickly both the tooling and the threat landscape are changing, pointing to Run Zero's integrated asset discovery and the growing use of AI in security work as examples, and encouraging listeners to stay informed and proactive.
Key Takeaways
Vulnerability Management: Even reputable platforms like Okta can harbor critical bugs, emphasizing the need for diligent security practices and swift remediation.
Privilege Controls: Operating systems are advancing to incorporate more granular privilege management, enhancing overall security posture.
Proactive Defense Measures: Sophos's unusual decision to deploy implants against Chinese exploit developers shows how far vendors are now prepared to go in active threat mitigation.
Nation-State Cybercrime: The involvement of nation-state actors, such as North Korea’s engagement with ransomware, underscores the complexity and severity of modern cyber threats.
Innovative Tools: Run Zero’s integrated asset discovery approach demonstrates the potential for sophisticated tools to bridge internal and external security gaps seamlessly.
Stay tuned for more in-depth analysis and expert interviews in future episodes of Risky Business.