Patrick Gray
Hi everyone and welcome to Risky Business. My name is Patrick Gray and this is the last Risky Business weekly episode for 2024. What a year it has been. And we're going out with a bang because we actually launched our new website last week. Head on over to Risky Biz and instead of just seeing a horrible, horrible kind of joke website that looks kind of like it's just an RSS feed, you're actually going to be able to find all of the work from the Risky Business team there, including written work, podcasts, videos, all in the one place. We're pretty proud of it. So, yeah, head on over to Risky Biz. I should say thank you as well to Dave Snellgrove, who is the designer. Also to Dylan O'Donnell, who did a lot of the front end web dev work. And gee, some jerk who did all of the back end work by the name of Adam, Adam Boileau, who's been slaving away recoding our content management system over the last few months and did a wonderful job. But it's nice to have that done, isn't it, Adam?
Adam Boileau
It is. It was very nice because I was the one who mostly interacted with it these days because you had PTSD from our, you know, old content management system. And yeah, I very quickly understood why. So there was a little bit of rip and replace to go on.
Patrick Gray
Yeah. After 18 years of being the person who posted all of the content into the Risky Business content management system, that was the first thing when you came on full time. I said, I don't want to do this ever again, basically. So thank you for that. This week's show is brought to you by SpecterOps, which of course they are both a services and a product company. They make BloodHound Enterprise based on their open source BloodHound software project, which is a really great way to do identity attack path mapping through organizations. And it started off just for Active Directory, but now it does a whole bunch of stuff. But today we're talking more about the services side of SpecterOps. Robby Winchester works on the services side over there and he's going to be joining us to talk about how pen testing has changed. And it really, really has. These days it's less about trying to, you know, do a, to send someone a malicious executable and pop a shell. That way it's getting increasingly identity centric and there's a lot of interesting stuff in that interview. So I do hope you will all stick around for that one. But mate, let's get into the news now and we're going to start up, start off with a brief write up on Cybersecurity Dive from Matt Kapko, looking at the SEC cyber incident reporting rule. Right. Which everybody said was either going to result in people covering breaches up or, you know, a deluge of meaningless reports. And basically, no, it hasn't really worked out like that at all. There's been 71 filings over the last 11 months and most of them are just people saying, well, we had an incident. I don't know if it's material, you know, so it's, it hasn't quite turned into the disaster that people said it was going to be where, you know, oh my God, it's going to eat all of our time and we're all going to go to prison for not appropriately disclosing incidents. And it's just, it's just turned into, you know, hardly anything's happened with this so far.
Adam Boileau
Yeah. And the kind of the quality of the information it's collecting, there's some kind of questions about the utility of it. There's quite a lot of pretty generic words, you know, in these, boilerplate language.
Patrick Gray
In an SEC filing. No, that would never happen.
Adam Boileau
I mean, it's not a fire hose of disasters like we, you know, kind of half expected and at the same.
Patrick Gray
Time kind of half hoped for.
Adam Boileau
I mean, you know, we do love a good disaster fire hose around here. But it's also like, is it helpful for investors to make meaningful choices about how they invest? I don't know that it meets that bar either. So, you know, it's.
Patrick Gray
Well, we did see, you remember, earlier this year, we saw the SEC sort of come out and say, issue a bit of guidance saying, well, you know, if it's not, if you haven't determined its material, you don't kind of need to do the filing. So, you know, I feel like this has, you know, there was so much hype about this, like it was going to be the worst thing ever and onerous and whatever and it just hasn't turned out that way. But I mean, let's see. I mean, maybe next year the SEC starts going nuts and like, you know, cracking down or something. I don't see it happening, actually. I think this is a fairly basic requirement that's, you know, that's just working out about how probably the SEC expected it to.
Adam Boileau
Yeah, you know, we do see people keeping an eye on those filings. We've certainly covered a few reports, you know, in the news of people that have been breached that we found out through their. Was it the 8-K filings that they have to do. So, you know, it has some utility for people like us. Yeah, but for investors, I don't know.
Patrick Gray
Yeah, yeah, that's right. We've got some US politicians looking at, they're looking to investigate and you know, they're calling for accountability over the ExxonMobil sort of hacking allegations that we talked about last week. This is where Exxon, you know, apparently used their lobbyists to gather information on protesters and whatnot. And they then in turn outsourced it to some private investigator who then bought a bunch of, you know, allegedly bought a bunch of hacking for hire services out of India to like pop these people's mailboxes and, you know, leak damaging information, whatever. Real dirty, dirty stuff that you expect to see in movies, not in real life. But, you know, it looks like a couple of sort of powerful, you know, senators and whatnot are looking at this and saying, no, we gotta, we gotta do something about this. Which is good. This is a response you want?
Adam Boileau
Yeah, yeah, it is. I mean, obviously, of course, the publicity firm that Exxon used and Exxon themselves said like, you know, we didn't do it. Wasn't us, we had nothing. You know, we would never commission hacking, but.
Patrick Gray
No, but we would commission a private investigator who might do that, you know. Yes, exactly.
Adam Boileau
So, yeah, you know, some accountability. Seems like it would be natural. Like that's, that seems natural justice to have some kind of accountability for this. Whether that will actually happen, I'm not super confident about. But, you know, it's nice to see them getting a bit of heat for it because at the very least, it might give other people, you know, the slightest amount of pause before they do the same sorts of things.
Patrick Gray
Yeah. So we've got the Senate budget chairman, Sheldon Whitehouse, you know, natural born politician with a name like that, you know, saying in a statement that, you know, we need to take a good long look at Exxon and its fellow fossil fuel flunkies. There we go. And I think Ron Wyden's in there as well and a Democrat from California broken talking about that one. So, yeah, I mean, hopefully we see some comeuppance for Exxon, but, you know, the incoming administration is not exactly hostile towards oil companies. So, you know, I don't expect it to be a top priority.
Adam Boileau
Probably not, no.
Patrick Gray
Yeah, for the White House at least. But anyway, now let's take a look at this report from the New York Times, which, sigh, the headline is, Biden Administration Takes First Step to Retaliate Against China over Hack. And that is not what is happening here. So it's by David Sanger over at the Times. The lead paragraph reads, the Biden administration has taken its first step to retaliate for China's broad hack of American telecommunications firms moving to ban the few remaining operations of China Telecom in the United States. That's not what's happening here. This is not a response to Salt Typhoon. You talk to anyone who works in American SIGINT about China Telecom and they've been trying to kick them out for like, I don't know, at least half a decade. Probably a decade. Because.
Adam Boileau
Hive of scum and villainy.
Patrick Gray
Oh my God, the badness that emanates out of China Telecom. Like, I'm amazed they haven't been yeeted until now. But you know, people are desperate for a hook. Desperate, desperate for an angle. And the, you know, the New York Times being. The New York Times has just written it up like this, which is just extremely misleading.
Adam Boileau
Yeah, yeah, it is. I mean, it's been a long time coming and you know, the people we've thrown out of the industry before, people like Huawei, et cetera, like it was, that was a kind of an easier sell because it was more visible and a bit kind of more egregious. Whereas being a backend kind of telco, it's a bit less visible and people don't see Huawei shops and Huawei phones, you know, so they don't like, you don't see that kind of thing with, with China Telecom. So yeah, it's taken a while to push through, but you know, they didn't do a whole bunch. I mean, they had really been whittled down in the US over time. So you know the word.
Patrick Gray
Well, because using the, you know, the PLA and MSS's telco of choice, allowing it to peer into American networks is probably not a great idea. Right.
Adam Boileau
No. Good riddance, I guess. And I don't know, I don't know what other Chinese telcos there are still operating in the US as well. But probably your time is up too.
Patrick Gray
Yeah, yeah. Well, I mean, it depends where all of the villainy goes to. Right. I think that's, that's going to be the determining factor. I mean, China Telecom is not being kicked out because it's Chinese. China Telecom has been kicked out because that's where all the attacks come from. You know, I think that's, ah, sigh. Anyway, we got one from Martin Matishak here over at the Record and it's look, congratulations to him. Because this is absolutely a really great write up and a great summary of what's going on. And it's looking at how under Trump, you know, he planned to end the Cyber Command and NSA dual hat role where the, you know, the head of the NSA is also the head of Cyber Command. You know, he introduced a plan in December 2020 to end the dual hat thing. And of course it didn't really happen because at that point he was a lame duck president. But, you know, it's, it's back on the agenda and it's probably going to happen. There are arguments for this. What's funny though is like, probably he's not doing it for the right reasons, but it's, look, it's, it's gonna happen. I would, I would expect sometime over the next four years. And I think, look, you can't make a determination on whether or not this is a good or a bad thing until you see how they plan to implement it. Is it just going to be, you know, different heads or, you know, like, how separate are the organizations going to be? Because it's very clear that the reason they haven't done this already is because Cyber Command's not ready to stand on its own. So as long as they execute this right, and there's like just different heads and they get the management bit of it right, it could work, but God, who knows, right?
Adam Boileau
Yeah, well, that, that's the, I mean, that's the kind of thing with the whole Trump presidency coming in is there's quite a lot of, well, who knows, we're just going to have to wait and see how mad it actually is once they start implementing things. I mean, the relationship between the two, I guess, like from the outside is difficult to, you know, as an outsider, it's kind of difficult to judge how much disintegration there is between the two or how much integration there is and kind of what, to what extent this, as you say, like there are different ways they could implement this change and how much effect that would have as an outsider is kind of hard to judge. So we are really just going to have to wait and see how it shapes up. But certainly people inside the IC have all sorts of varied opinions about it. So, you know, if they don't know, then neither do we.
Patrick Gray
Well, look, I think the consensus from the people I speak to in the IC is that it's just what I said earlier. Cyber Command's not quite ready to stand on its own, which is why this hasn't happened. So, yeah, let's see what happens, right?
Adam Boileau
Yeah, exactly.
Patrick Gray
I did a great. I published it too. I did a great podcast with Chris Krebs. That was the one that we recorded live in Sydney. And yeah, some real interesting stuff there. All about, all about China and some interesting stuff there. Some interesting insights about the approach to US cyber under Trump and how it was, you know, more aggressive, more defend forward, you know, changes to NSPM-13 that allowed them to do things like target C2 nodes in, you know, even in friendly countries and whatever. So I think we could see. And, and, you know, Chris said that the intelligence community part of Project 2025, which is the alleged policy roadmap for the Trump White House, the intelligence part of that is actually pretty good. You know, the DoD stuff is different in tone, but the IC stuff is good. So, you know, it's going to be a mixed bag. I mean, it's hard to look back on the Trump years and say that the cyber policy side was terrible. You know, really like he had Rob Joyce writing the executive orders and he had CISA stand up and, you know, a lot of good stuff and, you know, changes to NSPM-13. So got to keep an open mind, I guess, is what I'm saying.
Adam Boileau
Well, I hope it goes well for all of us because, you know, it looks, there's quite a lot of crazy as well mixed up in this.
Patrick Gray
It makes it fun, right? Just think of it that way. Accentuate the positive.
Adam Boileau
Adam, interesting times.
Patrick Gray
Yeah. Meanwhile, the European Union has opened an investigation into TikTok over the Romanian election stuff that we talked about on the show. I think last week they'd already issued some sort of data and evidence preservation order to TikTok, but this is being taken very seriously in the EU, given that this is the first time we've had an election annulled over what was found to be unlawful interference by one of the candidates. But I mean, I spoke about this with our colleague Tom Uren on last week's Seriously Risky Business podcast. You know, what were they thinking? Like, why were they not on top of this? Because it probably wasn't like a state directed thing, but it's just such incompetence to allow this to happen at such a critical time for the company.
Adam Boileau
Yeah, yeah, exactly. It's a very sensitive time and this is absolutely not what they need right now. You know, staring down the barrel of a ban in the US, you know, investigations in the EU. Like, it's a bad time to have these headlines and a bad time, as you said, to have a historic annulling of an election like, that's not good. No good.
Patrick Gray
No, it's really not. And meanwhile, a detail from Catalin. You know, of course, one of our, one of our colleagues, Catalin Cimpanu, he lives in Romania, he is Romanian. And I think they've. There's now all of this anti EU propaganda spreading on TikTok in Romania, saying that the EU had ordered the election be annulled.
Adam Boileau
Yeah. Undermine Romanian democracy and.
Patrick Gray
Yeah, yeah, yeah, yeah. So, I mean, still up to it. And you would just think if, if you know what's good for you, you're going to stop this. And of course, by the time we come back in 2025, it's going to be around Trump's inauguration. Actually, we come back like a couple days before that, but a couple, like a day after, I think we come back on the day that TikTok is supposed to have been divested. So next time we talk, we're going to know a little bit more. Now to some bread and butter infosec, and Clop is back, baby.
Adam Boileau
Yes, they have claimed responsibility for a bunch of the attacks against the Cleo file transfer servers that have been being breached over the last couple of weeks. They, of course, were the group behind Accellion and GoAnywhere MFT and MOVEit, most famously MOVEit, a bunch of other file transfer hacks. And they have a proven model for monetizing, stealing data from file transfer systems, ransoming it off. And apparently they have stolen so much data that they have cleared out their darknet leak portal to make room. They ran out of disk space with all of the old leaks, so they've junked them all. Said, we're only working with new companies, which is a nice way of framing it because they've stolen so much data through the Cleo bugs. And they said they've been using both the current Cleo bug and the earlier one that this was initially, the most recent one was written up as a variant of. Turns out, actually that's not the case. It's a whole new bug. But, yeah, clearly Clop have been quite busy.
Patrick Gray
Yeah. Now, initially, because there's been some bad reporting around this, because when we spoke about it last week, we were like, oh, they're exploiting a bug that was already patched and it wasn't patched correctly. It turns out that's not accurate. It is a new bug. Also, Huntress Labs were out there saying, tying this to Termite, which is a ransomware crew that in turn is responsible for the Blue Yonder incident. Right. So they're saying, you know, we believe it's the same crew. Turns out, not so much, it is Clop. There are also people saying, well, Blue Yonder ran a Cleo box on their edge, so maybe that's how they got ransomware. And that was, you know, further meant to substantiate that Termite was behind this. It looks like that's not right. You know, we've, we've got Clop back now. I've heard from other sources that, you know, the team have filled me in on this and they've spoken to their sources as well that there's really nothing linking Termite to this campaign. But I wonder, you know, I don't know because I haven't spoken to Huntress about it. I wonder if they've got a bit of intelligence that maybe ties some of these Clop people to the Termite people because, you know, it's all one big sort of soup of bad actors. But it certainly looks like that original take, that it was an exploitation of a failed patch and tied to Termite. It looks like that was bad info.
Adam Boileau
Yeah, and I can kind of see why with the technical aspects of the bug because there were quite a lot of similarities between the two. The first bug that was patched was an arbitrary unauth file upload and also read. And the way it was exploited was by uploading a shell and then reading a password file off this to get to be able to trigger the file that had been uploaded to then execute. And that triggering process required auth. So they used the read to get auth and then the write to upload a shell and then cause it to be run. The second bug is only write and it's quite closely related but they have to use a different exploitation mechanism as well which involves like writing a configuration file that subsequently led to command execution that was processed automatically. So there was sort of a folder where you could drop configuration updates into and they would get processed automatically. So a little bit, you know, of very similar functionality but slightly different and a whole different bug. I think Rapid7 had a pretty good write up of the specifics of the bug and you know, it's classic Java, you know, enterprise software where that's so kind of so over architected and componentized that no one really knows what anything looks like anymore when you're writing it. So yeah, standard sorts of bugs. But yeah, nice to actually have some concrete details now.
Patrick Gray
Yeah. So I've linked through to Lawrence Abrams' write up for BleepingComputer. And yeah, I've also linked through to a report from Jonathan Greig, which looks at CISA, you know, issuing warnings about this. I mean, I don't know if this will be as big as MOVEit and but given the fact that we're shutting down this week and stuff, you know, normally chaos normally reigns when we're off. Probably will be. Right.
Adam Boileau
Yeah. And it certainly sounds like Clop have been pretty busy. I mean they were talking to Lawrence Abrams from BleepingComputer and said like, you know, we have completed our project which you know, in the past has meant pillaging all of the ones they could find on the Internet and then starting to drop them. So yeah, we may be in for the traditional Risky Biz holiday times.
Patrick Gray
Well, it's funny actually because Clop say, well, we delete data from government agencies, from medical clinics and stuff like that, which is, you know, their policy, which I think, I mean if you're going.
Adam Boileau
To be responsible ransomware actors, I mean.
Patrick Gray
Well, it's, it's, it's not, it's data extortion. It kind of annoys me when those two things get conflated. But I think if you're going to do this like at least having some scruples like is, I don't know, I don't think it's bad actually. Like I think that's fine.
Adam Boileau
Yeah.
Patrick Gray
But you know, in the Jonathan Greig write up, I mean this is where we are, right. As an industry and as a discipline where you've got CISA instructing civilian government agencies that they have to patch this by January 3rd. I mean, come on, Adam, you and I both know how many of these are going to be left standing by January 3rd, right? Yeah.
Adam Boileau
I mean I think Clop has probably already been through them all. I think we're obviously directing people to roll incident response.
Patrick Gray
Yeah, 100%. And you know, this is something that comes up time and time again and it's great that CISA has the authority to demand that agencies do this stuff but like it's too late.
Adam Boileau
It is, it is too late.
Patrick Gray
Which is why. Yeah. I mean again, I'm on the board of a company that's doing, you know, zero trust style stuff to prevent people from being able to access these things in a pre-auth condition. Right. Because again, that's that go-to line. Which is for so long we've thought of authentication as access control and it's not, because pre-auth bugs exist.
Adam Boileau
Yeah, exactly. Especially with nasty Java Enterprise.
Patrick Gray
We're like this and you know those bugs like. And Rapid7 has a great analysis and we've linked through to that one. You dug that one up. But you know these bugs, I know you, I know and I know where your skill set is. Like you would have found these on a review, you know, like, what are they? What are they doing?
Adam Boileau
Yeah, agreed. Like, I enjoyed reading the Java. It's quite a nice throwback because I, I have read a lot of enterprise Java in my time and this is exactly the sort of thing you find, just threading the needle through the file upload handling, hit the disk, and Bob is your Java uncle.
Patrick Gray
I mean, most people listening to this would know, but Adam is a pen tester with over 20 years of experience who's an old hand who's come up all the way through network and whatever and has written DMA exploits and all sorts of stuff, but wound up with a bit of a specialty in Java, which is quite funny. Like. And it's a love hate relationship.
Adam Boileau
Oh yeah, it's a deep, deeply hate. I mean, I hate hack Java. Like, it aggravates me so much that I want to punish it.
Patrick Gray
But you're good at it.
Adam Boileau
Leads to good bug hunting. Yes. Also, it's easy. I mean, Java bugs tend to be pretty easy once you can read the Java. And not very many people have the patience, patience or sickness necessary to read the Java.
Patrick Gray
I've seen him do it, folks. I've seen him do it, I've watched him do it and he's, he's very good. Now look, talking about bugs that just, just get us owned and you know, this is another Emperor has no Clothes moment. Just like the last one where it's like, hey, would you mind patching that by January 3rd, like weeks after they're all owned and you know, exploits are available. You know, this is another one where what, what do you do about this? Right? Which is there's another critical in Apache Struts, which, okay, if you're using Struts in some critical application that's well maintained, you'll just patch it and move on. But that's not where Struts tends to pop up. Right? So this is going to be a perma bug and it's a real dumb one that frankly it's very surprising that this one's like still there to be found. Walk us through it.
Adam Boileau
I mean, to answer your first question, what does one do? One gets wrecked is what one does about this. So Apache Struts, for those who are lucky enough not to be enterprise Java developers, is a framework used for building Java apps from the Apache Foundation and it's very widely used. Like it was one of the early kind of enterprise scale, robust web application frameworks for Java and everybody uses it and it has a lot of risky functionality in it. This is a bug in the file upload handling and honest to God, this is a straight up path traversal write file through the upload handler thing that is just, you know, bugs like that really shouldn't exist in this day and age, but they do. And Struts has had bugs like this in the past and it probably will continue to have them in the future, clearly. But the really hard thing about this is what the way that they've patched this is by deprecating the file upload handler like piece of code, the controller that handles file uploads and saying, just don't use this. We built a new beta one that's more robust and hopefully it is. But the problem is this is not a patch. This is a replace the file upload handling mechanism in your application and recompile. And if you don't have access to the source or you don't maintain the source, or you're using an appliance that happens to use Struts on the inside, that's out of support, or you can't get a patch from the vendor, or the vendor might not patch for months, you're just screwed. And you can't put the stuff on the Internet and survive. There's already exploit code out there like this is. I mean it really is. If you can find the file upload handler, then you can your way to upwrite kind of level things. So there's code out there to do this, to test it, to discover them. You're just going to have a bad time. And we saw Struts as the root cause for a heap of bugs in VMware products, for example.
So if you are one of the customers that no longer has a great relationship with VMware's owner, Broadcom, and you're not expecting to get patches from that. Well, tough.
Patrick Gray
Yeah.
Adam Boileau
So. And there's just like there is so much banking and middleware and all sorts of things that use Struts that the source code's long gone. Right. There's no development team anymore, it's abandoned, it's never going to get recompiled and updated and there's nothing you can do about it except not put it on the Internet.
Patrick Gray
Yeah, and watch it like a hawk. If your internal network has enough space, sufficient scale, that that's something you need to worry about, Right?
Adam Boileau
Yeah.
Patrick Gray
I mean, yeah, bad times, definitely bad times all around. But again, it's an, it's an emperor has no clothes moment because we've got good at some stuff. I feel like, you know, I'm in a reflective mood, right? It's the last, it's the last show of the year. We've got reasonably good at defending Windows networks, for example, you know, and I think we can thank. People love to crap on EDR, but properly configured EDR, you know, gets you a long way running a Windows network. And there's a whole bunch of stuff you don't really have to worry about anymore. An attacker is only going to get so far before they get snapped and evicted. And you know, you got these all singing, all dancing orchestration solutions to re-image boxes and whatever. I feel like for the first time in a long time it is possible with a reasonable amount of effort to run a reasonably secure Windows environment. But then all this sort of stuff's out there. You know, your file transfer bugs, you know, file transfer appliance bug that you just talked about is an embarrassment. And then you've got this stuff in Apache Struts, which is a framework for making appliances and all sorts of other stuff and that's an embarrassment. And there's no, you can't just roll EDR for this. You know, there's no simple solution here.
Adam Boileau
No, there isn't. And I mean, you know, Struts and Java in general, pretty cross platform. So it crops up on Unix boxes, it crops up on Windows boxes. You know, it gets into all sorts of places. And there aren't, you know, consistent controls like EDR on non-Windows platforms. Right. There are products, but they're not consistently deployed, they're not consistently reliable, they don't have the kind of depth, even incident response on non-Windows platforms. You know, the tooling is just not as mature, the expertise is not as mature. Like it's still, you know, I guess I'm reflective too. And in the other way, like it's all terrible, still different, terrible, different, terrible. Which I'm glad for because it would be a boring career. It was the same terrible, you know, every day for 20 years.
Patrick Gray
But, well, and I think we're going to see more attacks targeting stuff like this that aren't just smash and grab, like data extortion, ransomware, whatever. So you look at like Salt Typhoon. There's no CSRB report yet, but when that lands, it's going to show us that the attackers did not come in via the Windows networks. They came in through owning Linux boxes, owning old telco switches, owning all that, owning a bunch of, you know, pizza box rack mountable crap loaded up with stuff like Struts. Like, I know, I can feel it, I can feel it in my waters that that's what that report is going to look like.
Adam Boileau
That's how I owned telcos.
Patrick Gray
Right.
Adam Boileau
I didn't like going to, I don't like Windows boxes. I don't want to own Windows users. Like that's a terrible place to be in the network. I would much rather own Unix boxes and have a good time.
Patrick Gray
So after a long time working on sorting out like big deal, you know, custom web applications and stuff and Windows networks and whatever, like this is the stuff that's looking juicy again. And I just think in 2025 we're going to see more of it. Now a report from Daryna Antoniuk over at the Record. Some Japanese game and anime publisher has paid $3 million to a bunch of hackers in Russia. Now this on its own, whatever, it's a day of the week sort of story. I think Japan could be in for a rough time. And I've seen people on social media at various points over this year sort of float a similar idea where you've got a, you know, a country with a $4.2 trillion GDP, some very large companies and a surprisingly immature cybersecurity posture. Yeah, and I have a feeling that once, once these attackers figure it out, they, I mean, I think Japan could be heading for some, for some ransomware drama. And I also think that there are other motivations to go after companies outside of the Five Eyes alliance in that, you know, word on the street is that the counter ransomware operations by the Five Eyes agencies are ongoing and actually showing some success. So I think, you know, staying away from those countries if you're an attacker would be the prudent thing to do. Japan just looks like a great target is what I'm getting at.
Adam Boileau
It does, yeah. No, I completely agree with you. And I think, you know, I think back to some of the hacks we've seen of, you know, like a weird, sort of weird for us, like Japanese specific applications for like, you know, government document sharing and other bits and pieces where, you know, we've seen like Chinese intelligence and other people busting into Japanese government and big, you know, Japanese corporations through really quite, you know, bugs that are not technically, you know, crazy but like are there in bits of software that are kind of crazy. So I think it's a pretty target rich environment. The language barrier has bought them some things.
Patrick Gray
Well, not now because of freaking AI man. You just gotta say the state of.
Adam Boileau
Machine translation and stuff has gotten good enough that, you know, that's not as much of an insulating factor as it once was. So yeah, I, yeah, I think Japan's a great target.
Patrick Gray
I mean, when everyone was saying that AI was going to turbocharge cybercrime, I don't think they realized it was just because it would allow ransomware actors to negotiate with like Japanese victims. Right. But it's probably where we are. God, you know, it's been a couple of years now, hasn't it, since ChatGPT. Is it? When did they release that?
Adam Boileau
Yeah, I guess. Yeah, I suppose it has been, somehow longer than that.
Patrick Gray
We still have jobs, right? Remember when AI was going to replace old journalists and, you know, anyway, I.
Adam Boileau
Think anyone who's actually used those things for serious work will discover why it has not replaced journalists.
Patrick Gray
No, I mean it's, and it's funny because I always said it's a better Siri. Right? Remember I said that on the show a bunch of times. That's what I thought it was. It was a better Siri, a better interface. And what's really funny is now I'm using Apple Intelligence, which allows you to get Siri to interact with ChatGPT. So it literally is a better Siri at this point. So I feel like. Yep, called that one. Moving on to this piece from AJ Vicens over at Reuters, and an American firm and a US investment group has acquired an Israeli spyware vendor called Paragon, which was a competitor to, which is a competitor to NSO Group. I think this is good news. I, interestingly enough though, this company like it, it has a, you know, it claims that it's very serious about who it does business with. In job listings it says that it applies strict moral restrictions on itself and only works with government agencies that meet the standards of an enlightened democracy. So rather than just going for growth as NSO did, it seems like they've taken more of the Azimuth-style approach which is to be very careful about who they work with. And as a result there's an acquisition here for I think it's $500 million and then like another 400 million in incentives. So a total deal worth about 900 million. And this is great because we're seeing a reward for a company that's kind of doing business the right way and now it's going to be overseen, you know, by a US interest where the US government will have more oversight. You know, over an American company. And we've got to find jobs for these, all of these very talented people in Israel because if they don't get folded into quote unquote, our system, they're going to work somewhere and it might be for the next NSO style company that's selling all of its stuff to God knows who. So in my mind this is a positive story.
Adam Boileau
Yeah, I think I'm inclined to agree with you. I mean, I know that we have listeners who are of the opinion that all spyware, you know, is bad. Like the capability itself is too tempting to not be abused. But I think you are right, like much like we, you know, gave jobs to Nazi rocket scientists or ex-Russian, you know, weapons developers or stuff at the end of the Cold War to stop them from going and working for everybody else. Because like you look at the sources.
Patrick Gray
Hey guys, how about we try to go to the moon instead? Yes.
Adam Boileau
Yeah, exactly. You guys love that. Yeah, but like, you know, you look at the state of like say nuclear proliferation and how few really expert people it can take to bootstrap entire separate proliferation risks. And I'm thinking of like A.Q. Khan, I think he was the Pakistani guy, you know. So I think it, you know, I think this is a smart move and keeping the stuff inside the fold is great. And yeah, you're right. As a reward for doing this better than NSO Group, you know, a trillion dollar, billion dollars or whatever it ends up being worth, like that's a good carrot for other people who are considering it. And you know, NSO got the stick, so.
Patrick Gray
Yeah, well, I mean, briefly it looked like L3Harris were going to buy NSO Group. And I think that was actually an initiative that might have emanated from within certain agencies of the US government. But then when the White House caught wind of it, they crushed it. And I think it really was at the point where there would have been some positives in that. You would have had all of that talent all of a sudden working in a way that was more closely aligned with US interests, which would have been a positive. But then there's the rewarding bad behavior component, which is why I think they actually killed it. So it was more of an ideological decision than a pragmatic one. And I can go either way, I can argue either way on that one. But now we've seen this and this is a good thing and hopefully this will. And this is, they're not doing this. This company that bought them is not doing it as a, you know, as a way to improve our world. They're doing it for dollars. But I just like seeing when the sanctions and whatever have sort of punished NSO. And now here's a group who did it differently who are getting rewarded. I think it's a sign that government settings around this stuff are actually working. Yeah, and how often can you say that?
Adam Boileau
Yes, exactly. You may not necessarily agree with this being an uncomplicated good thing, but I think we can agree that this is a better outcome than what we've seen in the past. Like it's a step in the right direction, I think, even if it's imperfect.
Patrick Gray
Yeah, well, Israeli hackers and exploit devs are going to hack and exploit dev, so I think it's better if they are doing that within a framework that is more conducive to human rights and those sort of things. Right, funny that. So let's look at a story from Krebs on Security now. And he's taken a look at the Canada nexus of crypto money laundering. Like, I don't think there's an easy way to summarize this piece because you and I were talking before we got recording and it is dense. It is extremely dense. But the upshot is there's a whole bunch of like fairly shady looking crypto services and money remittance, you know, providers that are all based out of a single address in, in Vancouver. And that's just the tip of the iceberg. There's like thousands of these places and they're often sharing addresses and the registrations are funny and whatever. And it's just a fascinating look into how some of this money moves around. And also the nexus with doing business with sanctioned Russian banks and whatever, it's just, I mean, it's great work. How did you find this?
Adam Boileau
Yeah, no, it is, it's really interesting because you're like, you know, the mechanics of moving money around are kind of opaque and constantly shifting. And so it's always interesting to see, you know, what does the current state of the art look like. So for example, some of these organizations were cryptocurrency, you know, kind of brokers, agents or whatever that would spin up new wallets for every transaction and all sorts of things to try and make it, you know, possible to do the laundering across, across the blockchain. So that's interesting, that part of it. And then there's the like, all of the shell companies and all of the ways that you kind of hide it from accountability. And you do have to wonder about what, you know, what exactly are the Canadian regulators doing when, you know, there's 122 money services businesses in one building that contains a massage therapy clinic.
Patrick Gray
Yeah.
Adam Boileau
You know, probably not exactly legit. And then Krebs ties this through to a bunch of similarly named companies or companies with similar directors or agents or whatever else in the UK and then there's other ones in Europe. And it just turns into that full, you know, crazy map on the wall with lots of string connecting important points. The sort of thing that you imagine Brian's, you know, Brian Krebs' office probably looks like.
Patrick Gray
Yeah, he was. He was profiled recently by one of the broadsheet newspapers and he had the journos and their photographer leave their phones at home when coming to his house. You know, he'd previously been swatted. He's moved somewhere very undisclosed sort of location. And when he's writing stories like this, you see why, it's not just paranoia, you know. So we've linked through anyway, go have a read. It's really, it's just a really interesting story that sort of peels back the curtain on, on something that's normally, you know, quite well hidden.
Adam Boileau
Yeah. And you end up in like the Western Sahara Central Reserve. And it's just. Yeah, it's a, it's a wild ride.
Patrick Gray
It is. Now we got one from CyberScoop by Greg Otto, looking at this guy called Baron Martin, who's 20, 20 years old, he's from Tucson, Arizona, and he was arrested on charges of producing child sex abuse material and cyberstalking. But his arrest is connected with these, what they're describing as online terror networks, specifically one called 764 and another called CVLT. And I think they're kind of offshoots of the Com or in that part of that whole mix. And you think, ah, cyber terrorism's not real. Don't be ridiculous. And then you read this and you're like, oh, cyber terrorism's real.
Adam Boileau
Yeah, yeah, there's some pretty horrible stuff in here. And also like so young, 20 years old and doing all this kind of real nasty, nasty stuff.
Patrick Gray
Yeah, I mean, these guys, that's the thing, right? The underground. I mean, back in our day, right. Might look at spam, carding, you know, hacking for exploits or whatever was more, I guess. Was that grey hat, whatever. But it was. Even the serious stuff was a little bit more tame. These guys are psychopaths.
Adam Boileau
Yeah, yeah. I mean, really exactly like that juxtaposition. Definitely. This is. Feels very strong and I think, you know, the, you know, I didn't roll with a particularly bad crowd as a, as a teenager. But, you know, even amongst the people I knew, there was no one doing worse than, you know, carding a pizza maybe, you know, or I mean, I.
Patrick Gray
knew a few doing carding for profit. Right. Or people who had done that. And, you know, that's about getting paid. And people who were doing that would sort of see it as a bit of a victimless crime because it was spread. You know, the people who were losing the money could afford it. They were large corporations. Right. But this is, you know, and they say that they, you know, this network is noted for its use of cyber criminal tactics and manipulation of societal norms to exploit minors, guided by a broader agenda of societal chaos. So I think that's why they're sort of treating these people as terrorists, because they seem to want to bring it all down.
Adam Boileau
Yeah, well, this guy Baron Martin, he went by the alias Convict.
Patrick Gray
Yes.
Adam Boileau
So rather foreshadowing there, buddy.
Patrick Gray
Yeah, so he could face up to 30 years in prison. But these are the people who are coercing people into doing self harm on video and whatever. It's like kids, kids as young as 10. So anyway, let's see what the future brings in terms of categorizing these people as terrorists and locking them up for a long time and whether or not that has any impact whatsoever on unlocking further law enforcement resources to go after these groups as networks. And. Yeah, I don't know. That's another thing to look out for in 2025 because you get this sense that authorities are onto this now and they've taken it seriously.
Adam Boileau
Yeah, exactly.
Patrick Gray
Another one from Daryna at the Record. And Russia has blocked and banned Viber, which is a Japanese sort of voice over IP and messaging app. And they're claiming it facilitates terrorism and drug trafficking. Who knows if that's the real reason? Probably not is my feeling.
Adam Boileau
Yeah. And Viber apparently is actually quite big or was quite big in Russia. It was the third most popular messaging app after what, like Telegram, WhatsApp and Telegram, yeah, WhatsApp. Yeah. So like that's, that's pretty big. And you know, we've seen restrictions against, you know, WhatsApp as well in Russia here and there. Like they haven't been as, haven't been consistent, but, you know, they're definitely cracking down and they crack down on VPNs for circumventing some of these restrictions. That's also, you know, changing the game a bit in Russia. Like it's a pretty tough time, you know, to be on the Internet there and, you know, to want to be able to communicate without, you know, being, you know, being surveilled or being seen or, you know, being tracked.
Patrick Gray
I mean, you've got. You've still got options, right? WhatsApp is a reasonable option. But I wonder how long it's going to be before Russia launches a reskinned version of WeChat. That Xi hands over the source and it's, you know, congratulations, get on RuChat. You know, like, it's coming. You can feel it.
Adam Boileau
Definitely. Yeah, you definitely feel. Feels that way because, you know, the, you know, they have to keep kind of cranking the handles on control there because, you know, Putin's feeling threatened, so.
Patrick Gray
Yeah, well, Putin is threatened. I mean, the economy there is really not doing well at all. And the slide appears to be accelerating. The only thing keeping the ruble, you know, keeping it at all buoyant is a whole bunch of controls on foreign exchange trading that the Russian Central Bank introduced. Like, things are looking pretty bad there. Whether or not that leads to a collapse in Putin's government, I mean, that's something different. I mean, I was having this conversation with a friend recently, and they pointed out that, you know, the Turkish economy experienced extreme inflation and all sorts of issues as well, and Erdogan survived. So we don't know what's going to happen over there. But certainly, you know, things in Russia are not as good as they were a few years ago, for sure.
Adam Boileau
Yeah, that certainly seems to be the case. And, you know, Russia is. It's a. That conflict is just. It's so harrowing. Keep watching all of the updates. When we get so much, you know, kind of insight into what's going on over there, and it's just. Yeah, it's pretty horrific.
Patrick Gray
Our current update is North Koreans, you know, shooting at drones instead of running away from them and getting mowed down in open fields. Like, it's just. It's just. Just unbelievable. Unbelievable. But, mate, that is actually it for this week's news, and that's actually it for us, for you and me, for 2024. Do we do a star rating for the year? Like, is this, like, Yelp? I'd give it a four star.
Adam Boileau
You think? Four star. There's definitely been a lot of interesting stuff to talk about this year, and there's been a bunch of great hacks and. God, the. I think the thing that really stood out for me this year is the sheer scale of the. I suppose we're not supposed to call it pig butchering anymore. Interpol asked us not to call it.
Patrick Gray
Pig butchering, because it stigmatizes the victims. Fair enough, too. Don't call the victims pigs, you know, that are getting butchered. I think that's, you know, we can all be a little bit more sensitive.
Adam Boileau
We could, absolutely. But, yeah, the scale of that in Southeast Asia, that's a thing that whenever I explain it to other people who are, you know, not in the industry, you know, friends and family and stuff, people are like, what, you mean like thousands, hundreds of thousands of people are enslaved? I assumed this was all, you know, willing hackers, you know, ripping people off and running romance scams and not victims of human trafficking and, you know, enslavement. So that, for me, I think, has just been a, you know, that's not a thing I would have predicted, you know, five years ago when we were wrapping up the year.
Patrick Gray
That's your big. I don't even know what my big takeaway from the year is, man. You know, people will say, well, that conversation you had two weeks ago about XYZ was really interesting. I don't even remember it. I'm like, did I talk about that? I knew I was thinking about it, but I can remember. But, mate. Yeah, we'll wrap it up there. Wonderful year. Looking forward already to joining you again in 2025, my friend. Have a great summer. Have a great break.
Adam Boileau
Yeah, thanks much, Pat. And I wish everybody, you know, Pat yourself, a great break and all of our listeners. And, yeah, feel free to come check out our new website.
Patrick Gray
That was Adam Boileau there with the final news discussion for 2024. Big thanks to him for that and big thanks for all he's done for us this year, including, you know, developing our new. The back end of our new website and, you know, taking on a lot of the work that I used to have to do as well. It's great to have him on board. It is time for this week's sponsor interview now with Robbie Winchester, who works for the services part of SpecterOps, which of course also makes the Bloodhound Enterprise attack path enumeration tool, which is fantastic if you don't know it. Just go and Google. Go and Google for Bloodhound Enterprise. But Robbie joined me for this interview, which is all about how pen testing has changed, what buyers are looking for out of pen tests these days, and so on and so forth. So I'll drop you in here where Robbie explains to us, like, you know, the answer to the question of, well, what's changed? Here he is.
Robbie Winchester
It's simultaneously a lot of the same because I guarantee that Windows XP still has a beating CPU somewhere in someone's network and certain things never can really fully die. But there's a lot of new emerging issues and threats, especially around, or things to be concerned with. Especially with the new adoption of services like cloud services and cloud integration, migration to the kind of identity focus, and it's tough to keep track of when you're going and building all that out. What are the, what risk are you accepting? What are you provisioning? How is it working? Is it set up the way you think it's set up? And oftentimes, you know, especially with some of the remote or cloud type services, as new features or capabilities are added, is that adding different things from when you configured it, that maybe you're adding additional risk and you're not aware of it because when you set it up there was A, B and C and now there's A, B, C, D, E and F and you didn't go back and update for those new additions. So it's kind of an emerging threat of this hybrid growing, sprawling, difficult to kind of grasp network at times.
Patrick Gray
Well, where you're not the admin and you don't really control the box. Right. So that's, you know, how you, how are you even supposed to get on top of that? I suppose you call in some pen testers and they go and beat you up and show you, hey, they introduced this new feature four months ago and you didn't know about it.
Robbie Winchester
Right. Well, and especially if you have, do you, do you have an identity team and a cloud team and a data analytics team and all these different parts of the organization. So like you said, is it hard to find that central belly button for who knows the whole picture?
Patrick Gray
Yeah, yeah, well, that is tough. But it also sounds, you did say something interesting there, which is, you know, there's always these like hype claims that come out in security where people say X is the new Y, but like identity is the new perimeter. I'm kind of sympathetic to that one because it really does feel like that's where the action is these days.
Robbie Winchester
Yeah, I think that's the kind of core of our perspective. Bloodhound Enterprise is big, and just Bloodhound in general is big, about understanding the identity and the attack path problem. And we see this a lot in all of our testing services where it's not just finding, or I shouldn't say it's not finding a vulnerability and taking advantage of an exploit like potentially MS08-067 on Windows back in the day, it's keeping track of what are the different permissions that are attributed to all these different sprawling identity providers and identity implementations and not realizing that a person or a computer or a group can access all these other things that are not necessary. And especially when you go from the complexities of your local computer. And then I have sessions in my browser and are each of those sessions protected or can I hijack a browser session? And so now everything you're logged into in the cloud is potentially exposed. So it opens up a very, very interesting kind of new frontier of this big identity centric. It's not a patching problem. This is how computers work well and.
Patrick Gray
You've got all of these sort of OAuth style applications that essentially just offer limitless privilege escalation opportunities in the cloud as well. So it is possible sometimes to go from a fairly low privileged user through one of these apps that's got way too much access to everything and normal users can interact with. I mean I'm guessing you spend a lot of time there, right?
Robbie Winchester
Yeah, well, and again it's part of the challenge is, as you, the easiest way to enroll and onboard and do anything, just like in computer networks back in the day, the easiest way to make everyone be able to do anything they want on their computer is to make them a local admin. And so over-permissive entitlements, overly permissive, you know, granting of privileges is kind of endemic. It's a human problem of it just makes it easier when you have more access than you need because then you're not butting up against that just enough. And it's hard to figure out what is that just enough.
Patrick Gray
So this begs the question then, is the market sort of across this, like what type of assessments are the most popular at the moment coming from, you know, I mean SpecterOps is known as a good pen test red team shop. Right. So I'm guessing, you know, you would attract customers who are at the more serious end of the, of the type of people who buy those services. Like what has their, what are their purchasing habits telling us about how much they actually understand about, you know, the risks that they face?
Robbie Winchester
Yeah, it definitely varies. The perspective is going to change very differently between companies who've felt the pain firsthand. So if they've dealt with a compromise, they've dealt with an incident and they have firsthand knowledge and experience of how painful, frustrating, confusing that can be, that's obviously going to change their perspective in some ways. I'd say in general the kind of trend that we're seeing is, and this is where we try and focus and operate is less on proving that you can get access. So we're not as much trying or our main focus is not around specifically the phishing or trying to break in through a web application or crack passwords to get in from the outside.
Patrick Gray
It's less about capturing a flag, it's more about sitting down and looking at how things are set up.
Robbie Winchester
Right. And answering that.
Patrick Gray
Sorry to cut you off there, but I got a friend here in Australia, or you know, someone I know in Australia who tried to start a business like, you know, they're exigent, and they tried to start a business doing that like, I don't know, 12, 15 years ago. And just like no one was interested. So they just wound up doing capture the flag style pen tests and red teams. But I'm guessing, you know, from what you're telling me, because it was a good idea then, it's still a good idea. But what you're saying, people are actually buying that now? Yeah.
Robbie Winchester
And you have to have a certain. It's tough because I don't think that those things are not important, it's just only part of the problem. People will click on phishing emails, there will be vulnerabilities, there will be zero days. That's all going to exist. Credentials are going to get leaked. So that's kind of that assumed breach mentality which has become more and more accepted, I would say. And so it's.
Patrick Gray
Well, I mean that's on a similar trajectory as this idea that all vulnerabilities in your organization should be patched. And finally people are like, okay, we can let go of that as an aspiration because it's completely unrealistic. And I think what you're saying is now there's a bit more of a realistic mindset creeping into enterprise understanding of how this all works.
Adam Boileau
Yeah.
Robbie Winchester
And I think it's also, I think to a certain extent, if you're practicing for any sport, football, be it my American version or the European version, doesn't matter, any type of football. Every time you practice, you don't just play full games and have to start and do 90 minutes. And then if you want to practice a corner kick or a penalty kick or whatever, you don't only have to do that in the course of when it happens in a game, you, you control practice time so you can go and set up different scenarios and set up certain circumstances. And so I think that's, that's kind of the attitude to a certain extent with, with the offensive services of let's not just try and do everything from I have to send an email, the user has to click it, we have to go through. But let's figure out what are those specific areas or scenarios or things that we're, we're worried about and then can we demonstrate and provide something that might not happen all the time in a real world scenario or a real world situation, but it's something you're really worried about. Let's, let's practice that in a controlled environment where there isn't actual risk. And then you get, you get to know, are things working how I think they are? Am I seeing what I think I'm seeing? You know, oftentimes there's one understanding of how things exist and then when a pentester.
Patrick Gray
Does generating some traffic and trying to have a look to see if it falls out the other side of a detection stack is a good idea. I mean I've always thought this sort of approach is better where you get some specialists to come in, they look at your apps, they look at your services, they look at your network diagrams and they say, okay, here would be a pretty good place to have a shell. Let's pop a shell there. And you don't need to go and do the recon and the exploitation, the phishing, because it's just a bunch of wasted time. But let's give one of our people a shell. There's. And you know, let them go wild for a little bit and see what pops out of the detections and whatever. And it's just, you know, it's better bang for buck. Right? Like I feel like we've spent so much time as an industry, like wasted dollars, wasted hours just on that bit of like getting the shell on that box, which isn't really the important bit.
Robbie Winchester
Well, you can, you can test that in so many more effective ways as a standalone circumstance of, you know, can I, if I want to test, for example, phishing. If you break that down, we had a, one of our team members wrote a blog post a while ago, but basically talking about if you break down what is the phishing challenge you're trying to answer, you can kind of decompose that into, are users going to click something? And you don't have to have a payload execute to figure out if users will click on something they shouldn't, be it an attachment or a link. You can, you can design that where there's no risk. And that's an easy thing to test. You can see are things getting delivered through my stack that I don't want to get delivered. You can test that just going to a sample email box. You don't have to go and do a full thing. And then once something does get delivered, if I'm curious about will it actually detonate or call out or do something on the endpoint. If we take this kind of combined problem of, you know, doing phishing, we can break it down into these elements and then better test each of those individual things. Not that it's not a valuable circumstance, but why kind of test some of them some of the time instead of deliberately testing it?
Patrick Gray
So is this the most sort of popular assessment type that you're doing now?
Robbie Winchester
I'd say for us what we're typically doing is more of an objective focused red team or pen test. And predominantly it's just going to be based on are we trying to evade, are we trying to evade detection, are we trying to kind of go low and slower, or are we trying to just identify from that starting point? Not necessarily smash and grab, but we're, we're not conscious of the noise that we would make, or if we run into a challenge, we're wanting to kind of document and move on of okay, this thing stopped us, but if it didn't, this is the next step. And so it's taking more of. We kind of try and focus all of our assessments more in that objective of what are you worried about? Are you worried about a user becoming a domain admin? Are you worried about sensitive information leaving the system or leaving the environment? Are you worried about, financial institutions like, can I get into or touch ACH, SWIFT, some type of sensitive system? Information companies where they have their crown jewel secrets of this is the proprietary stuff we don't want anyone to get to and no one should be able to, can you get here? And so we try and start from that, that perspective and then work towards answering that question instead of going through kind of a. The more you call it the CTF, but like the compliance style of we're scanning things, we're looking for things that are open, we're checking through, we go, we got to the end of the list and then we provide a report card and move on.
Patrick Gray
Yeah, yeah. So I'm guessing most of your staff are pretty au fait with Bloodhound though, right. And that doing this sort of, you know, you know, identity graph based analysis is something that you would get with most of your assessments.
Robbie Winchester
Yeah, in general, where, especially when we're operating in like a Windows enterprise, I mean there's a reason a lot of companies, and not just us, use especially the Community Edition version of Bloodhound for that I have access here, I want to get there mapping. It does get interesting. We have some of our customers who are Bloodhound Enterprise customers and then we also do red team or penetration test, and that does kind of change the perspective because it's less an easy way to privilege escalate to domain admin or take over the enterprise. And the focus is a lot more then kind of in that objective of potentially even evading, elevating as much as we need to and just can we move in a way that is not triggering those detections. There's also a lot of interesting new, Windows is both new and old constantly. So we've done a lot of research, some of our team members have done a lot of research on SCCM, both some new features and things that have come out, and then also we'll go forward into some of the Intune and just the general whole device management process where there's similar, it's a similar challenge or a similar perspective I would say to that identity, where if you implement everything the right way as Microsoft designed it, then you're probably going to be mostly okay, but some of the stuff is maybe confusing or it's not as clear how you should implement it.
Patrick Gray
And then I heard a story of someone doing IR here in Australia for a large enterprise, and it wasn't related to the incident, but they discovered that every single user, every single 365 user, was an Intune administrator.
Robbie Winchester
Right?
Patrick Gray
That was like, whoa, okay, that's not great.
Robbie Winchester
Well, and it's, it's not a problem until it's a huge problem, until that, that's kind of part of the problem. And for some of those, those features and stuff it's again, it's a. And that's the challenge of that as you go into the cloud, if you, if you don't use Intune and you might, you could see that and just have no, you're very familiar with SCCM let's say, but you just haven't happened to come across or mess with Intune. And you see that and you don't think anything of it, you think it's some media player, I don't know, and you just like okay, this is fine.
Patrick Gray
So there you go. If you're after some red teaming, pen testing, offsec consulting against your network that isn't just capture-the-flag-based kind of silliness, which I mean, I know there's a place for that as well, but it's nice to see people offering different services these days, you can get in touch with SpecterOps. One thing we'll quickly mention is you're having a conference next year, March 31st in Arlington, Virginia, a two-day main conference and then you're going to have some four-day trainings. I'm guessing that's going to focus on, you know, offsec and, and with an emphasis on BloodHound as well.
Robbie Winchester
Yeah, so we're, we had an open CFP, got a lot of really interesting applications. Super looking forward to that. We should be announcing the exact talk list here pretty soon. But predominantly, again, that identity and attack path type focus is really kind of what we're going for there. And then the training classes we have are Red Team Operations. We have a new Identity Driven Operations Tradecraft or Operational Tradecraft or Operator Tradecraft, I'm not sure. But it's an identity-driven-centric course. It's kind of an evolution of the Red Team Operations course, acknowledging all of these new identity-centric challenges with the cloud and Entra and Okta and some of the other types of implementations that are there. So, yeah, very, very exciting. Should be a good time.
Patrick Gray
Should be a good one. All right, so that is SO-CON 2025 by SpecterOps. And I'm sure I have given you enough information, dear listeners, that you may Google that one. Robbie Winchester, thank you so much for joining me for that conversation. Very interesting stuff.
Robbie Winchester
Thanks a lot, Patrick. Appreciate it.
Patrick Gray
That was Robbie Winchester from SpecterOps there with this week's sponsor interview. Big thanks to him for that. Big thanks to SpecterOps for being a Risky Business sponsor. And that is it for 2024. I do hope you've enjoyed being with us through the whole year. It's, it's been a fun one. It always is. And we will be returning for our 19th season in 2025 and I look forward to talking to you all then. Have a great break, have a great Christmas, have a great New Year's and I'll catch you all next year. Cheers.
Risky Business #775 Summary: Cl0p Returns and SEC Hack Disclosure Shortcomings
Hosted by Patrick Gray | Released on December 18, 2024
In the final episode of 2024, Patrick Gray delves into significant developments in the information security landscape, discussing everything from regulatory challenges to emerging threats. This comprehensive summary captures the episode's key discussions, insights, and conclusions, enriched with notable quotes and timestamps for reference.
Patrick Gray kicks off the episode by celebrating the launch of Risky Business's revamped website. This new platform consolidates all content—written articles, podcasts, and videos—providing a centralized hub for listeners and readers alike.
Patrick Gray [00:08]: "Head on over to Risky Biz and instead of just seeing a horrible, horrible kind of joke website that looks kind of like it's just an RSS feed, you're actually going to be able to find all of the work from the Risky Business team there."
The episode examines the SEC’s cyber incident reporting rule, initially feared to overwhelm organizations with either underreporting or a flood of insignificant disclosures. However, after 11 months, only 71 filings have been made, primarily indicating minor incidents.
Patrick Gray [02:30]: "...no, it hasn't really worked out like that at all. There's been 71 filings over the last 11 months and most of them are just people saying, well, we had an incident."
Adam Boileau [03:14]: "There's some questions about the utility of it... it's not a fire hose of disasters like we kind of half expected."
Despite initial concerns, the rule hasn't led to the predicted chaos, though questions remain about the quality and usefulness of the disclosures for investors.
Patrick discusses the growing political attention on ExxonMobil for allegedly using lobbyists and private investigators to engage in illicit hacking activities against protesters. This has prompted calls for accountability from senators like Sheldon Whitehouse and Ron Wyden.
Patrick Gray [05:39]: "Some accountability. Seems like it would be natural... whether that will actually happen, I'm not super confident about."
A New York Times report inaccurately portrays the Biden administration's actions against China Telecom as a direct retaliation for cyberattacks. Patrick clarifies that the move is part of long-standing efforts to limit Chinese telecommunications operators in the U.S.
Patrick Gray [07:46]: "...it's not a response to Salt Typhoon. You talk to anyone who works in American SIGINT about China Telecom and they've been trying to kick them out for like at least half a decade."
The discussion shifts to former President Trump's 2020 plan to separate Cyber Command from the NSA. While the initiative didn't materialize during his lame-duck period, it remains a topic for future administrations. Experts remain skeptical about the feasibility and timing of this separation.
Patrick Gray [10:44]: "Probably not, no."
The European Union has launched an investigation into TikTok's role in interfering with Romanian elections. This marks the first instance of an election being annulled due to unlawful interference, raising concerns about the platform's influence and the EU's regulatory measures.
Patrick Gray [13:06]: "It's a bad time to have these headlines and a bad time... it's not good."
A significant portion of the episode is dedicated to the Cl0p ransomware group's return. Cl0p has exploited new vulnerabilities in Cleo file transfer systems, distinguishing its recent activities from those of the Termite ransomware crew. The group has also been targeting Apache Struts, highlighting persistent vulnerabilities in widely used frameworks.
Patrick Gray [15:04]: "Cl0p have been quite busy... They've exploited a new bug."
Adam Boileau [17:18]: "It's classic Java, enterprise software... standard sorts of bugs."
The discussion emphasizes the challenges of patching legacy systems and the ongoing threats posed by sophisticated ransomware actors.
Daryna Antoniuk reports on a Japanese game and anime publisher that succumbed to a $3 million ransom demand from Russian hackers. This incident underscores Japan's vulnerable cybersecurity posture despite its robust economy, hinting at potential future ransomware attacks targeting large corporations.
Patrick Gray [28:59]: "Japan just looks like a great target is what I'm getting at."
The episode highlights the arrest of 20-year-old Baron Martin from Tucson, Arizona, charged with producing child sex abuse material and cyber stalking. His activities are linked to online terror networks aiming to manipulate societal norms and exploit minors, marking a concerning escalation in cyber terrorism.
Patrick Gray [37:42]: "These are the people who are coercing people into doing self-harm on video... kids as young as 10."
Russia has banned the Viber messaging app, citing its role in facilitating terrorism and drug trafficking. Viber was previously the third most popular messaging app in Russia, indicating significant implications for communication within the country.
Patrick Gray [40:26]: "Viber is a reasonable option... probably your time is up too."
Greg Otto's investigation reveals a complex web of crypto services and money remittance providers operating out of a single Vancouver address, involved in extensive money laundering activities. This highlights the opaque and constantly evolving methods used to move illicit funds globally.
Adam Boileau [35:57]: "The mechanics of moving money around kind of opaque and constantly shifting."
In the sponsorship segment, Robbie Winchester from SpecterOps discusses the transformation of penetration testing in the modern cybersecurity landscape. Emphasizing a shift from traditional "capture the flag" methods to identity-centric assessments, Robbie highlights the increasing complexity introduced by cloud services and identity management systems.
Robbie Winchester [46:55]: "What are the risks you are accepting? How is it working? Is it set up the way you think it's set up?"
Robbie advocates for objective-focused red teaming that aligns more closely with organizations' specific security concerns, moving beyond mere vulnerability scanning to comprehensive evaluations of attack paths and identity configurations.
Robbie Winchester [50:07]: "Our main focus is not around specifically the phishing or trying to break in through a web application or crack passwords to get in from the outside."
As the episode concludes, Patrick and Adam reflect on the tumultuous cyber landscape of 2024. They acknowledge both progress in certain areas, like securing Windows environments, and ongoing challenges, such as persistent vulnerabilities in enterprise software and the rise of sophisticated cybercriminal activities.
Patrick Gray [43:13]: "Wonderful year. Looking forward already to joining you again in 2025, my friend."
They express optimism for continued advancements in cybersecurity while recognizing the need for vigilance against emerging threats.
Notable Quotes:
Patrick Gray [07:46]: "You can feel it because... they're desperately looking for an angle."
Adam Boileau [21:14]: "I hate hack Java. It aggravates me so much that I want to punish it."
Robbie Winchester [55:07]: "It's less about capturing a flag, it's more about sitting down and looking at how things are set up."
Conclusion
Risky Business #775 offers a thorough examination of the most pressing issues in information security as 2024 draws to a close. From regulatory impacts and high-profile cybercrimes to the evolving methodologies in penetration testing, Patrick Gray and Adam Boileau provide listeners with invaluable insights and expert analysis. As the new year approaches, the episode underscores the importance of adapting to emerging threats and refining security strategies to safeguard against increasingly sophisticated cyber adversaries.
For those seeking in-depth discussions on cybersecurity news and expert interviews, Risky Business remains an essential resource for information security professionals.