Risky Business #770 Summary: A Russian IR Guy Discovers Extremely Cool Spookware
Release Date: November 13, 2024
Host: Patrick Gray
Guest: Adam Boileau
Featured Interview: Chris Tarbell, Former FBI Agent
Introduction
In this episode of Risky Business, host Patrick Gray and Adam Boileau work through a spectrum of current information security topics. The episode also includes an in-depth interview with Chris Tarbell, the former FBI agent who arrested Ross Ulbricht, the founder of the Silk Road darknet marketplace. The sponsor segment features Feross Aboukhadijeh of Socket on software supply chain security.
iOS 18.1's New Reboot Feature and Its Impact on Law Enforcement
Patrick and Adam open with Apple's latest update: iOS 18.1 introduces an inactivity reboot, under which an iPhone that has not been unlocked for about 72 hours restarts itself and lands in the Before First Unlock (BFU) state. In BFU the keys protecting most user data are not yet in memory, so forensic extraction tools that depend on a device that has been unlocked at least once since boot (After First Unlock, AFU) lose their access. This makes seized devices considerably harder for law enforcement to get into.
Adam Boileau [02:03]: "Apple's relationship with law enforcement has been pretty complicated... it's a tough set of trade-offs for them and for law enforcement."
Patrick Gray [03:23] contrasts the previous status quo, in which seized devices could simply be stored and unlocked whenever a capability became available, with the new reality of devices dropping back to BFU on their own, and raises the concern that the change falls hardest on law enforcement agencies that work through lawful, democratic process rather than coercion.
Evolution of Vulnerabilities: Shift from n-day Bugs to 0-days
The conversation turns to a CISA report indicating a significant rise in zero-day (0-day) vulnerabilities being exploited in enterprise software and edge devices, where previously most exploitation was of already-patched n-day bugs. Adam says the findings match what the industry has been observing.
Adam Boileau [10:14]: "It's long past time for the vendors of edge equipment to take that stuff kind of seriously."
Patrick Gray [09:07] notes a historical parallel, recalling Adobe's decision to discontinue Flash after it became a perennial source of exploited vulnerabilities.
Russian Malware 'GoblinRAT': A Stealthy Linux Backdoor
Adam introduces GoblinRAT, a sophisticated Linux backdoor discovered in Russian critical infrastructure by a Russian incident responder. He reads its advanced features (process hiding, configurable port knocking and strong encryption) as the hallmarks of a state-sponsored espionage tool.
Adam Boileau [13:33]: "The bits that do the initial persistence hide themselves as various typos of a system process."
Patrick speculates about which espionage groups might be behind it, emphasizing the human craftsmanship evident in malware of this quality.
Microsoft Bookings Vulnerability and Certificate Authority Exploits
The discussion moves to a weakness in Microsoft 365's Bookings feature, where a low-privileged user can programmatically create mailboxes in the organization's domain that mimic legitimate users, a capability that lends itself to social engineering and to further technical attacks.
Adam Boileau [17:20]: "You could create mailboxes that impersonate other people... it's a really interesting tool to go from low priv to I can create new email accounts."
Adam then covers a weakness in Active Directory Certificate Services (ADCS) uncovered by TrustedSec, in which a certificate requester can influence the purposes the issued certificate is valid for, turning a low-value certificate template into a path to privileged access in a Windows environment.
Adam Boileau [19:53]: "They prefer the Microsoft way and then will issue you a certificate... it's not good."
Encrypted Client Hello (ECH) and Its Implications for C2 Traffic
Patrick and Adam discuss Russia's and China's blocking of Encrypted Client Hello (ECH), the TLS extension that encrypts the Server Name Indication so a network observer sees only a cover domain rather than the real destination. They cover its usefulness both for evading censorship and for hiding Command and Control (C2) traffic, and work through the technical details and the problems this poses for network detection.
Patrick Gray [22:05]: "ECH can really be used to bypass censorship... it's going to be a problem eventually."
Adam underscores the complexity of mitigating such sophisticated C2 channels, noting the technical hurdles involved.
Adam Boileau [24:08]: "It does the same things that domain fronting kind of delivered... it's even harder to observe."
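To make the detection problem concrete, the following is an added example (not code from the episode or from any project it mentions) that builds two minimal TLS ClientHello records and parses their extension lists. With plain TLS the server_name (SNI) extension names the real destination; with ECH the ClientHello carries an encrypted_client_hello extension (draft code point 0xfe0d) and the visible SNI is only the public name of the fronting provider. The hostnames, the cipher suite choice and the opaque ECH payload are all constructed for the example.

```python
"""Inspect a raw TLS ClientHello for Encrypted Client Hello (ECH).

Added example, not from the episode. The ClientHello bytes are constructed
in-line; 0xfe0d is the encrypted_client_hello extension code point from the
IETF draft, 0x0000 is server_name (SNI). Only the fields needed to reach the
extension list are parsed.
"""
import struct

SNI_EXT = 0x0000
ECH_EXT = 0xFE0D


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def sni_ext(hostname):
    """server_name extension carrying one host_name entry."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return _ext(SNI_EXT, struct.pack("!H", len(entry)) + entry)


def ech_ext(payload=b"\x00" * 32):
    """encrypted_client_hello extension; the payload is an opaque stand-in
    for the HPKE-encrypted inner ClientHello (constructed, not real ciphertext)."""
    return _ext(ECH_EXT, payload)


def build_client_hello(extensions):
    """Wrap a list of extension blobs in a minimal TLS ClientHello record."""
    body = b"\x03\x03" + b"\x11" * 32               # legacy_version + random
    body += b"\x00"                                  # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01"       # one suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                              # compression methods: null only
    exts = b"".join(extensions)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni': <outer SNI or None>, 'ech': <bool>} for one record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                            # skip version + random
    pos += 1 + body[pos]                                    # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total

    info = {"sni": None, "ech": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT:
            # ServerNameList: 2-byte list length, then name_type(1), length(2), name
            name_len = struct.unpack("!H", edata[3:5])[0]
            info["sni"] = edata[5:5 + name_len].decode()
        elif etype == ECH_EXT:
            info["ech"] = True
    return info


def visible_destination(record):
    """What a middlebox can conclude about the destination from the ClientHello alone."""
    info = parse_client_hello(record)
    if info["ech"]:
        return f"ech: outer SNI {info['sni']!r} is a public name, real host hidden"
    return f"plain: SNI {info['sni']!r} is the real destination"


if __name__ == "__main__":
    plain = build_client_hello([sni_ext("c2.example.net")])
    with_ech = build_client_hello([sni_ext("public-name.example"), ech_ext()])
    print(visible_destination(plain))
    print(visible_destination(with_ech))
```

Two caveats for anyone turning this into a detection: the ECH draft also defines GREASE, in which clients send a random-looking encrypted_client_hello extension on connections that do not actually use ECH, so the presence of 0xfe0d alone is not a useful signal; and once a large fronting provider offers ECH, the outer SNI is the same for benign traffic and for C2, which is exactly the observability problem Adam describes.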
Tor Relays Attack Mitigation and Abuse Complaints
The episode touches on the Tor Project's recent success in dealing with abuse complaints triggered by SSH scanning that appeared to originate from Tor relay IP addresses. Adam explains the two-pronged approach: getting the source of the spoofed traffic shut down, and persuading hosting providers to disregard the automated abuse reports from the organization that was amplifying the problem.
Adam Boileau [27:23]: "They managed to get a bunch of people to ignore that particular organization... but they have been a little bit cagey about the specifics."
Operation Synergia II: Massive Takedown of Malicious IPs
Patrick highlights an operation reported by Dan Goodin that resulted in the takedown of approximately 22,000 malicious IP addresses, predominantly located in China. The collaboration involved cybersecurity firms including Group-IB, Kaspersky and Team Cymru.
Adam Boileau [28:36]: "Most of the targets of this operation appear to actually be in China."
The specific crimes tied to these IPs were not disclosed, but the scale makes it a significant law enforcement action.
Political Ramifications: Donald Trump's Re-election and Ross Ulbricht's Case
In a pivotal segment, Patrick discusses Donald Trump's re-election, anticipating its impact on intelligence, tech policy, and cybersecurity. A particularly controversial topic is Trump's pledge to release Ross Ulbricht from prison, despite Ulbricht's involvement in serious crimes through the Silk Road marketplace.
Adam expresses skepticism regarding the political support for Ulbricht's release, comparing it to the support seen for figures like Julian Assange.
Adam Boileau [32:37]: "The comparison with, say, Assange is the one that is the most obvious... Whereas with DPR Ross Roberts, it was never quite so clear."
Patrick and Adam debate the nuances of Ulbricht's case, weighing his role in facilitating drug sales against the more serious allegations, such as the murder-for-hire plots.
Interview with Chris Tarbell: Unveiling the Ross Ulbricht Case
Chris Tarbell, the former FBI agent who apprehended Ross Ulbricht, joins the show to clarify misconceptions and shed light on the severity of Ulbricht's crimes beyond drug trafficking.
Key Points from the Interview:
- Murder-for-Hire Allegations: Ulbricht was implicated in six murder-for-hire plots, although no actual murders occurred.
Chris Tarbell [39:26]: "Ross ordered them, he paid for them, and then he bragged about them afterwards."
- Overdoses Connected to Silk Road: The platform gave buyers access to high-grade Afghan heroin, contributing to fatal overdoses among young users.
Chris Tarbell [38:59]: "Kids died from it because they didn't realize what was in it."
- Legal Proceedings and Charges: Despite the gravity of the allegations, the prosecution focused on drug-related offenses, partly because misconduct by other law enforcement agents during the investigation would have complicated a case built on the murder-for-hire plots.
Chris Tarbell [44:02]: "The case we had was solid... but it just would have made the case much more difficult."
- Personal Reflections: Tarbell acknowledges that Ulbricht was personable at the time of his arrest, but stresses the gap between his online persona and the crimes he documented orchestrating.
Chris Tarbell [50:10]: "I don't believe so. I don't believe just because your crimes are online versus inside a bank or inside a store, it's no less of a crime."
Sponsor Segment: Socket's Software Supply Chain Security
The episode features Feross Aboukhadijeh from Socket discussing the need for stronger software supply chain security. Socket's platform, socket.dev, identifies and flags malicious packages in software projects, and Feross argues for a centralized, shared record of known-malicious packages analogous to what the National Vulnerability Database (NVD) provides for vulnerabilities.
Feross Aboukhadijeh [53:32]: "We need something analogous to the NVD for malicious packages."
Feross emphasizes the limitations of current vulnerability-centric systems in dealing with supply chain threats and the need for industry-wide collaboration to close the gap.
Conclusion
Patrick Gray wraps up the episode by drawing the threads together, underscoring the balance between technological change, security challenges and political influence that shapes the information security landscape.
This summary covers the main segments of Risky Business #770: current vulnerability and malware trends, the detection implications of ECH, recent law enforcement operations, and the intersection of technology with geopolitics and the courts.
