Risky Business #769 – Sophos Drops Implants on Chinese Exploit Developers
Release Date: November 6, 2024
Hosts: Patrick Gray and Adam Boileau
Introduction
In the latest episode of Risky Business, hosts Patrick Gray and Adam Boileau delve into a week filled with significant developments in the information security landscape. From critical vulnerabilities in major authentication platforms to innovative steps taken by cybersecurity firms against state-sponsored threats, this episode is packed with insights and expert analysis. Additionally, listeners are treated to an exclusive interview with HD Moore, CEO and Co-Founder of Run Zero, who discusses advancements in asset discovery scanning.
1. Okta’s OctaBug: A Security Flaw Under Scrutiny
Patrick Gray kicks off the discussion by addressing a recently discovered vulnerability in Okta’s authentication system, dubbed the "OctaBug." This bug allows potential authentication bypass under specific conditions involving extended username lengths.
Key Points:
- The vulnerability resides in Okta's integration with on-premises authentication sources like Active Directory or LDAP.
- A flaw in cache-key generation, where the string fed to bcrypt exceeded bcrypt's input length limit, allowed authentication with a crafted username of 50 or more characters.
- The bug's practicality is limited by the stringent conditions required for exploitation.
- Okta identified and patched the issue within three months, showcasing effective internal review mechanisms.
Notable Quotes:
- Adam Boileau ([02:57]): “Which when you're an authentication product like Okta, clearly is not what you want.”
- Patrick Gray ([05:31]): “We'll give them a B. Right? Like not an A exactly, but they still get a B.”
Discussion Highlights:
- The hosts emphasize that while the bug is technically concerning, its real-world impact is minimal due to the complexity and rarity of exploit conditions.
- They address the broader context of Okta's reputation, countering perceptions of persistent security clumsiness with examples of past incidents.
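An added example (not Okta's code and not from the episode) of the bug class described above: a cache key built by concatenating user id, username and password and handing it to a hash that silently truncates its input at 72 bytes, beside a construction that does not. The bcrypt stand-in, the sample user id and the usernames are assumptions; the 72-byte limit is real bcrypt behaviour.

```python
import hashlib
import hmac
import secrets

BCRYPT_MAX_INPUT = 72  # bcrypt ignores every input byte after the 72nd

def bcrypt_stand_in(data: bytes) -> str:
    """Stand-in for bcrypt (an assumption, so the example runs without the
    bcrypt package): models only the 72-byte truncation, the property that
    matters here, and uses SHA-256 for the digest itself."""
    return hashlib.sha256(data[:BCRYPT_MAX_INPUT]).hexdigest()

def weak_cache_key(user_id: str, username: str, password: str) -> str:
    """Weak construction: fields concatenated and handed to a length-limited
    hash. Once user_id + username fill 72 bytes the password is never hashed,
    so every password yields the same cache key."""
    return bcrypt_stand_in(f"{user_id}{username}{password}".encode())

def hardened_cache_key(user_id: str, username: str, password: str,
                       server_key: bytes) -> str:
    """Hardened construction: fields are length-prefixed so they cannot run
    into each other, and HMAC-SHA256 has no input limit."""
    mac = hmac.new(server_key, digestmod=hashlib.sha256)
    for field in (user_id, username, password):
        raw = field.encode()
        mac.update(len(raw).to_bytes(4, "big"))
        mac.update(raw)
    return mac.hexdigest()

def password_ignored(key_fn, user_id: str, username: str) -> bool:
    """True if two different passwords map to the same cache key, i.e. the
    cached entry would be served whatever password is supplied."""
    return key_fn(user_id, username, "correct-pw") == key_fn(user_id, username, "wrong-pw")

# Constructed sample values (placeholders, not real Okta identifiers): a
# 20-character user id plus a 52-character username is exactly 72 bytes.
USER_ID = "00u" + "0" * 17
LONG_USERNAME = "very.long.first.names.and.last.name@example-corp.com"
SHORT_USERNAME = "alice@example.com"
SERVER_KEY = secrets.token_bytes(32)

if __name__ == "__main__":
    for name, fn in (("weak", weak_cache_key),
                     ("hardened", lambda u, n, p: hardened_cache_key(u, n, p, SERVER_KEY))):
        print(name, "password ignored for long username:",
              password_ignored(fn, USER_ID, LONG_USERNAME))
```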
2. Windows 11 Introduces Sudo-Like Privilege Controls
Transitioning to operating system security, Patrick introduces upcoming features in Windows 11 that mirror Unix’s sudo functionality, enhancing privilege management.
Key Points:
- Future Windows 11 updates will require re-authentication for high-privilege operations, moving away from traditional root-like access.
- This change aims to bolster security by segregating regular and privileged tokens, mitigating unauthorized administrative actions.
Notable Quotes:
- Patrick Gray ([07:49]): “It's like just-in-time admin for local accounts. Right. And it's great, like a really cool idea.”
- Adam Boileau ([09:09]): “This is kind of like sudo in a Unix environment, as you say.”
Discussion Highlights:
- The discussion underscores the security benefits of requiring multifactor authentication for administrative tasks.
- Adam appreciates the move as a positive step, comparing it to Unix’s long-standing security practices.
3. Sophos’s Offensive Measures Against Chinese Exploit Developers
A pivotal moment in the episode revolves around Sophos’s bold move to implant kernel-level rootkits on the machines of Chinese APT researchers engaged in exploit development.
Key Points:
- Sophos targeted specific organizations in China identified as developing exploits against their products.
- Over five years, Sophos monitored these groups, deploying rootkits to gather intelligence and preemptively address vulnerabilities.
- The strategy has sparked debate over ethical boundaries and the “hacking back” paradigm in cybersecurity.
Notable Quotes:
- Ross McKercher ([12:49]): “We felt like as long as we're guided by those principles and following that kind of guidance, then it's probably going to be okay.”
- Adam Boileau ([14:19]): “Anyone who thinks that, you know, they have a vendor about which they have privacy concerns, like, they want to be secret from their vendor, needs to adjust their threat model because that's just not how the world works anymore.”
Discussion Highlights:
- Patrick and Adam explore the controversy surrounding Sophos’s actions, with Ross McKercher defending the approach as necessary for establishing cyber norms.
- The conversation highlights the evolving responsibilities of cybersecurity vendors in protecting their customers proactively.
4. Fortinet’s FortiManager Vulnerability Exposed by Bishop Fox
The episode also covers a significant vulnerability in Fortinet’s FortiManager, which allowed attackers to enroll unauthorized devices and execute commands remotely.
Key Points:
- The vulnerability permits unauthenticated enrollment of devices, leading to potential command execution.
- It stems from the use of factory certificates, which attackers exploited to bypass security measures.
- Bishop Fox’s analysis reveals the broader implications for management interface security in network devices.
Notable Quotes:
- Adam Boileau ([20:22]): “Suppose we have some attack steps that... doesn’t impair attackers because we know how to get these certificates and so on.”
Discussion Highlights:
- The importance of securing management interfaces is emphasized, advocating for strategies like VPN protections and better certificate management.
- Patrick underscores the need for fundamental networking principles to prevent such exposures.
5. Arrest of the “Snowflake Hacker” in Canada
Patrick touches on the arrest in Canada of Alexander “Connor” Moucka, suspected of large-scale unauthorized access and financial crimes linked to the infamous Snowflake breaches.
Key Points:
- Moucka is accused of purchasing credentials and using them against Snowflake, resulting in substantial financial damages.
- The legal process is expected to see extradition to the United States for prosecution.
Notable Quotes:
- Patrick Gray ([23:23]): “He's probably better described as an alleged computer criminal rather than a hacker.”
Discussion Highlights:
- The discussion frames Moucka’s actions within the broader context of cybercrime and law enforcement responses.
6. Large Language Models (LLMs) in Security: Bug Discovery and Exploit Detection
Exploring the intersection of AI and cybersecurity, the hosts discuss how LLMs are being utilized to discover software vulnerabilities and detect zero-days.
Key Points:
- Google’s LLM identified a bug in SQLite, showcasing AI’s potential in proactive threat hunting.
- GreyNoise used an LLM-based system to discover a zero-day targeting IP cameras, a milestone in automated threat detection.
Notable Quotes:
- Adam Boileau ([24:53]): “It's well worth a read for anyone who's kind of in the weeds of using LLMs for bug finding and bug hunting and so on.”
Discussion Highlights:
- The conversation highlights the nascent but promising role of AI in enhancing cybersecurity measures.
- The practical challenges and current limitations of integrating LLMs into security workflows are examined.
7. TP-Link Routers Used as ORBs by Chinese Attackers
Patrick and Adam analyze reports of Chinese actors leveraging TP-Link routers to obscure the origins of cyberattacks, effectively masking their activities behind seemingly innocuous devices.
Key Points:
- TP-Link routers serve as intermediary operational relay boxes (ORBs) that hide the true source of attacks, complicating attribution efforts.
- Microsoft identified and reported a campaign targeting Azure and Microsoft Identity Services using these methods.
Notable Quotes:
- Patrick Gray ([27:35]): “It's a good write up here and there's some nice details in here.”
- Adam Boileau ([28:17]): “Good work, Microsoft, for once.”
Discussion Highlights:
- The robustness of large vendors like Microsoft in identifying and mitigating such sophisticated campaigns is commended.
- The hosts discuss the importance of public reporting to aid smaller organizations in recognizing and defending against these tactics.
8. North Korean Engagement with Play Ransomware
In a stark reminder of nation-state involvement in cybercrime, the episode covers North Korea’s Reconnaissance General Bureau’s linkage with the Play ransomware, as reported by Palo Alto’s Unit 42.
Key Points:
- North Korean operatives have been implicated in deploying the Play ransomware, indicating a deepening of their cybercriminal endeavors.
- The collaboration exemplifies the blending of state resources with ransomware-as-a-service models.
Notable Quotes:
- Adam Boileau ([41:23]): “That's a tie up, I guess we've all been expecting to happen.”
Discussion Highlights:
- The potential escalation of North Korea’s ransomware activities and its implications for global cybersecurity are discussed.
- The episode underscores the challenges in combating sophisticated, state-backed ransomware operations.
9. Run Zero Sponsor Interview: Enhancing Asset Discovery with HD Moore
The episode shifts focus to an insightful sponsor interview with HD Moore, CEO and Co-Founder of Run Zero, where he elaborates on the company’s latest advancements in asset discovery scanning.
Key Points:
- Run Zero introduces a feature that marries internal asset discovery data with external scanning to accurately identify and attribute exposed assets.
- The technology utilizes detailed fingerprinting, including cryptographic keys and protocol-specific identifiers, to ensure precise matching between internal and external assets.
- This integration minimizes false positives and streamlines the process of securing exposed resources.
Notable Quotes:
- HD Moore ([43:53]): “The nice thing about the CAASM piece is you can overlay your vuln management data, your EDR data, all your internal controls on top of that.”
- HD Moore ([49:17]): “It's usually lazy vendors. It's an appliance that is a hard-coded key, it's a firmware.”
Discussion Highlights:
- Patrick and HD Moore discuss the operational benefits of integrated asset discovery, emphasizing its role in proactive security management.
- The conversation highlights real-world applications and early findings from internal testing, showcasing the tool’s effectiveness in identifying critical misconfigurations and security weaknesses.
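As an added illustration (not Run Zero's code or algorithm) of the matching the interview describes: join an external scan to an internal inventory on a per-service fingerprint, here an SSH host-key fingerprint, and treat a key that several internal devices share, the hard-coded appliance keys HD Moore mentions, as a finding rather than a match. All records below are constructed.

```python
from collections import defaultdict

# Constructed sample records (not real scan output): an internal inventory and
# an external scan, each carrying the SSH host-key fingerprint seen on port 22.
INTERNAL_ASSETS = [
    {"asset": "fw-edge-01", "ip": "10.0.1.1", "fp": "SHA256:AAAA", "owner": "netops"},
    {"asset": "cam-lobby-1", "ip": "10.0.5.11", "fp": "SHA256:CCCC", "owner": "facilities"},
    {"asset": "cam-lobby-2", "ip": "10.0.5.12", "fp": "SHA256:CCCC", "owner": "facilities"},
    {"asset": "build-ci-3", "ip": "10.0.7.3", "fp": "SHA256:DDDD", "owner": "eng"},
]
EXTERNAL_SCAN = [
    {"ip": "203.0.113.10", "port": 22, "fp": "SHA256:AAAA"},
    {"ip": "203.0.113.44", "port": 22, "fp": "SHA256:CCCC"},
    {"ip": "203.0.113.99", "port": 22, "fp": "SHA256:ZZZZ"},
]

def shared_fingerprints(internal):
    """Fingerprints seen on more than one internal asset: typically a vendor
    hard-coded or firmware key, a finding in itself and useless for attribution."""
    by_fp = defaultdict(list)
    for rec in internal:
        by_fp[rec["fp"]].append(rec["asset"])
    return {fp: assets for fp, assets in by_fp.items() if len(assets) > 1}

def attribute_exposures(internal, external):
    """Join external observations to internal assets on fingerprint and label
    each as attributed, ambiguous (shared key) or unknown (no internal match)."""
    by_fp = defaultdict(list)
    for rec in internal:
        by_fp[rec["fp"]].append(rec)
    results = []
    for obs in external:
        matches = by_fp.get(obs["fp"], [])
        if not matches:
            status = "unknown"      # exposed, but nobody inside claims it: investigate first
        elif len(matches) == 1:
            status = "attributed"   # exact key match: route to the asset's owner
        else:
            status = "ambiguous"    # shared key: another identifier is needed to pin it down
        results.append({"external_ip": obs["ip"], "port": obs["port"], "status": status,
                        "candidates": [m["asset"] for m in matches],
                        "owners": sorted({m["owner"] for m in matches})})
    return results

if __name__ == "__main__":
    for row in attribute_exposures(INTERNAL_ASSETS, EXTERNAL_SCAN):
        print(row)
    print("shared keys:", shared_fingerprints(INTERNAL_ASSETS))
```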
Conclusion
Patrick Gray and Adam Boileau wrap up the episode by reflecting on the dynamic nature of the cybersecurity field, underscored by rapid technological advancements and evolving threat landscapes. They express optimism about innovations like Run Zero’s integrated asset discovery and the growing role of AI in enhancing security measures. As always, the hosts encourage listeners to stay informed and proactive in their cybersecurity endeavors.
Key Takeaways
- Vulnerability Management: Even reputable platforms like Okta can harbor critical bugs, emphasizing the need for diligent security practices and swift remediation.
- Privilege Controls: Operating systems are advancing to incorporate more granular privilege management, enhancing overall security posture.
- Proactive Defense Measures: Sophos’s controversial yet effective strategy against Chinese exploit developers highlights the expanding role of cybersecurity firms in active threat mitigation.
- Nation-State Cybercrime: The involvement of nation-state actors, such as North Korea’s engagement with ransomware, underscores the complexity and severity of modern cyber threats.
- Innovative Tools: Run Zero’s integrated asset discovery approach demonstrates the potential for sophisticated tools to bridge internal and external security gaps seamlessly.
Recommended for Further Reading and Listening:
- Sophos’s official report on the deployment of kernel rootkits against Chinese exploit developers.
- Bishop Fox’s write-up on the FortiManager vulnerability.
- Google’s Project Zero blog detailing the discovery of the SQLite bug using LLMs.
- Unit 42’s report on North Korea’s collaboration with Play ransomware.
Stay tuned for more in-depth analysis and expert interviews in future episodes of Risky Business.
