Patrick Gray
Welcome to Risky Business. My name is Patrick Gray. We've got a great show for you today. We're going to be chatting with Adam Boileau in just a moment about all of the week's news. And then we're going to be hearing from this week's sponsor, Sublime Security. Sublime makes, I guess, the contemporary email security platform. Like, it's the most modern one and lets you do things like write your own detections and it has, like, amazing customizations and whatnot. And Sublime's co-founder and chief executive, Josh Kamdjou, is this week's sponsor guest and he'll be joining us to talk about how attackers are abusing trusted services these days. And they're really getting quite creative. He's got a laundry list of really, frankly, quite cool tricks that spammers and hackers are using via email and using trusted services. And he'll also talk a little bit about, like, what email providers can do to deal with them because it's. It's hard. Right, so that's a fun chat and it's coming up soon. But first up, it is time for a check of the week's security news with Adam Boileau. And, mate, we're going to start with, but not get bogged down in, some news from the United States, which is that Elon Musk has assembled a team of bright young things who are sort of forcibly taking over various arms of the US Government and doing God knows what with the data. Now, as much as I think that, you know, US Government systems could, having dealt with them recently to renew a visa, could do with a kick in the pants and maybe some re-engineering by said bright young things, you would have to worry about the data governance side of what's happening at the moment.
Adam Boileau
Yeah, it's definitely been a pretty wild ride watching some of the reporting. Reuters has a piece about the Office of Personnel Management and, you know, Musk's people have gone in there and, you know, apparently dragged sofa beds onto the executive floor so they can sleep there and work around the clock and are going through, you know, doing things that feel quite reminiscent of what happened at Twitter, which, you know, I don't feel like that went super well for them. But.
Patrick Gray
Yeah, well, that depends on who you ask. Right. Like, that's a bit of a Rorschach test right there.
Adam Boileau
Yes, yes. But, yeah, the data governance aspects of this, we've seen plenty of people concerned around, you know, like, what's happening with the data, where it's going to end up, what kind of things being, you know, kind of what it's being used for. Although on the other hand, I guess the Office of Personnel Management did famously get hacked by the Chinese as well. So, you know, they weren't doing a super great job of managing the data by themselves to start with.
Patrick Gray
Well, you know, I don't think the argument that we should let that happen again is, is, is a solid one, to be honest. But it's not just OPM, you know, like they've got their, their hands into all of these Treasury systems and stuff and yeah, it's just the possible lack of oversight here. We don't know. They might be being very careful. But you sort of just, you, you do wonder.
Adam Boileau
Yeah, I mean it's possible they're doing everything right.
Patrick Gray
Yeah.
Adam Boileau
But it's also possible that they're not. And I guess the important thing is that we don't know which.
Patrick Gray
That's right.
Adam Boileau
Yeah. Especially with OPM and Treasury, these are important systems and you know, seat of the pants has its place. But I don't know if that's it.
Patrick Gray
Yeah, it's like, yeah, amateur brain surgery, I don't know, on the government's brain. Let's see how that goes. But the Treasury thing, interestingly enough, I've spoken to a few govies and policymakers and whatever about all of this and the thing that they're concerned about is a possible, like, accidental default on a debt payment from the Treasury. Like stuff like that is what's keeping a lot of people up at night. Because that would have potentially some serious knock-on effects. Although I do wonder, like, perhaps if there's a missed payment and people explain, oh, you know, it was just a batch job that didn't fire or something in some new system, you know, what, what would the market reaction actually be like to that? But either way, yeah, things are getting spicy in the United States. But let's move on to some more sort of bread and butter, meat and potatoes infosec news. We've got a great write-up here from Wiz where they've found a whole bunch of exposed data from DeepSeek, which is the Chinese, of course, the Chinese AI startup that's, you know, that everybody's talking about. What I find amazing about this is it's like any accidentally massive startup, you know, any startup that sort of goes viral seems to have this moment where someone takes a look at their infrastructure and it's just a mess. But this is, hoo boy, this is really bad. Like they're exposing basically everything, right?
Adam Boileau
Yeah, it's not super great. And you know, Wiz does a lot of very technical, very advanced things, but, but in this particular case, I don't think they really needed to bring their A game. They found some database services on DeepSeek's kind of address space. They found some, they brute-forced some domain names to discover what was available. And on dev.deepseek.com, they found some stuff listening on a high port. And the thing that was listening on a high port was a database system called ClickHouse, which, which I guess is kind of like a Snowflake competitor and has no auth and has an interface where you can just browse through, in this case port 8123, and you get a web interface where you can just type SQL queries in and run them. And so that's not great. And then this system was ingesting log data and a bunch of the logs had API keys and query strings and all sorts of gubbins from the inside of their operation, which, yeah, when you're going viral and everyone's trying stuff out, not a super great look, but as you point out, just like every other startup. So maybe startup culture, you know, in China is very much like startup culture.
Patrick Gray
In the US. We're all just people, you know, it's that sort of story. Right. But I mean, in Wiz's write-up they're like, oh yeah, you could just straight up plug in SQL queries. And they kind of did that. And I wonder, I guess that's not controversial anymore. Like I remember the days when you wouldn't do that because it would be considered cybercrime. And now it's just, I mean, they've got some line in there about how, oh, we just enumerated stuff, like, to adhere to ethical boundaries and whatever. But like, you know, firing off a command to show tables like that would have been considered controversial not that long ago.
Adam Boileau
Yeah, I mean, in the old days you would have done that via Tor because you were doing crimes. Unless you had a bug bounty agreement which said that you could because, you know, otherwise you're doing computer crimes. But as you say, like the world has changed enough that apparently that doesn't matter anymore. You can just do as you please. And it's kind of, you know, you rely on, you know, the discretion of the prosecutors.
Patrick Gray
Yeah, which I don't, I don't think American prosecutors are going to go after them for this, this sort of thing. Maybe the Chinese will, but yeah, it's funny, right? So it's sort of like a cyber Overton window of what's acceptable to do. But the other, the other funny thought I had is like, this is normally the situation where Alex Stamos would parachute in and start writing press releases and, and, you know, implement some sort of program. But I don't think he can do that here because they're trying.
Adam Boileau
Probably not. I. He might be somewhat constrained about, about doing that over in China. But one thing I thought was particularly funny in this is that ClickHouse, the database system, was actually originally developed by Yandex. So Russian database, Chinese startup. I think Wiz is Israeli, Israeli cloud security firm. And here we are in Australia. Talk about so truly a global, a global firm, a global industry that we're.
Patrick Gray
In a multipolar world. Yes, as they, as they like to say. All right, so we're going to talk about some research from Kaspersky now. And you know, this one we were alerted to via our colleague Catalin Cimpanu's reporting. So this one's going out in today's newsletter edition. Go subscribe at Risky Biz if you haven't already, and you can subscribe to Risky Bulletin, where you can get all of our other podcasts. Find that wherever you get your podcasts. But yeah, this is really interesting. The original post is a. It's in Russian. We'll drop a link into this week's show notes. But basically some apps popped up in the iOS and Apple's App Store and the Google Play Store that were trying to steal crypto through a really interesting technique. And I just, I love this. Walk us through it.
Adam Boileau
Yeah. So this was a set of malicious mobile apps. There were a bunch in the Android app store and Kaspersky did find one using the same backdoor SDK in the Apple App Store. And what it would do is when you were using one of these apps, the apps were like legitimate, I think, legitimate food delivery applications. And they had a support function where you could chat with support if you had some trouble. And when you fired up the support functionality, it would ask you for access to your pictures so that you could submit, look, here's my wrong food order or whatever else. And, and it would use their photo access to run optical character recognition on photos in your photo gallery and look for crypto recovery phrases. So it would look for patterns of five words or whatever your recovery phrase, wallet recovery phrase, would happen to be. And if it found something that matched that, it would upload that image off to the attacker systems and then they would use that to recover your crypto wallet key and drain your wallet, which it's. That's pretty clever because, I mean, you.
Patrick Gray
Don't gotta hand it to him, right? Like, it's that, it's, it's that whole vibe. And I, I mean, I just think, who among us hasn't taken the occasional sneaky photo of a secret. Right. As a way to stash it.
Adam Boileau
Right? You mean, like whether it's a. You know, I'll often do that with stuff that I don't want to keep the physical object. Like, sometimes it's warranty codes or, you know, like sometimes you get a device that has a setup QR code. You think, well, one day I might need this again, I'm not going to keep the box with the sticker, so why not? And yeah, I guess recovery phrases, why not? And before the age of ubiquitous machine learning, you know, scanning of your pictures, it wouldn't have really occurred to you that someone was going to OCR, you know, stuff out of your photos. But I mean, these days Apple does that by default, right? You can search for text in your, in your photo spool.
Patrick Gray
And you can search for objects too. Like if you, if you put, if you put car into your Apple Photos thing, it will show you all of the photos you've taken of cars.
Adam Boileau
Yeah, it's honest machine learning sometimes actually useful. Weird.
Patrick Gray
I wonder though, if there's like some Mechanical Turk thing going on and there's a whole bunch of people in a building, you know, just tagging them. Yeah, probably not just a joke there, everybody. Don't get alarmed. But look, as you pointed out, like, it's a little bit unclear exactly how this malicious code got into these apps in the first place, because it does look like they're legitimate. Again, it's not entirely clear, but it does look like they were legitimate, legitimate apps. And possibly, and maybe it's the translation or whatever, it's not entirely clear, but it looks like possibly the developers of these apps used a malicious SDK. And we used to see that back in the day with people using Xcode that they got over torrents because downloading the actual Xcode could be a bit of a pain or whatever. So people would just torrent it and they'd get a Trojan version, develop their app, publish it to a store, and it would be loaded with malicious code. And I think possibly that's what's happened here.
Adam Boileau
Yeah, it could be. Like, it's not super clear. I mean, one of the, like the most prevalent app, and the one that was on the Apple App Store, that was also on the Google App Store, that one, the backdoor, didn't appear until like version two something of the, of the app. So it's possible that it was, you know, compromised developer or compromised supply chain or added, you know, at some point after it had been through its initial onboarding process and vetting and so on. So yeah, we don't really know. But either way, like makes you think twice perhaps about storing important stuff in your, in your photo reel.
Patrick Gray
Yeah, I mean I love that they've got a way to actually, you know, there's the dumb way to do it, which is to just look for OCR phrases like "recovery phrase", you know what I mean, and things like that. But you do wonder if they're actually trying to identify, like, strings that look like they could be recovery phrases because, you know, that's actually quite hard. That's when you've got, you know, you're almost reimplementing your own version of TruffleHog just to find crypto seed phrases or recovery phrases or whatever and then, you know, matching it to OCR. I dig this, I'm not going to lie.
Adam Boileau
Like, I think it's multi language support. So like this was looking for phrases in like Korean and Japanese and English and Italian and Polish. Like it was actually, you know, probably quite good. And the apps they were targeting generally weren't English first language countries. Like they were other places around the world. So, you know, kind of a. I suspect this probably worked pretty good.
Patrick Gray
Yeah, I. Impossible to know, right? Like sometimes you see something really cool and you think, you know, wow, they must have got paid and you find out later they just absolutely didn't. And meanwhile, someone who just hacked a WordPress, you know, you remember back in the day when people used to have initial coin offerings and they'd host the websites for them on WordPress, someone would just pop the WordPress and change the address for the bitcoin and like they'd make gajillions of dollars because no one noticed that the address had changed.
Adam Boileau
But oh God, this whole industry is so stupid.
Patrick Gray
Yeah, man. I mean, we don't really see that anymore. I mean, it's not like crypto is not going missing, but at least they have to work for it now. That was like that, that's a time back then. I don't know when was that like last crypto boom nonsense, you know, six years ago or whatever. I mean that's a time when I was tempted to like just say, Adam, let's lead a life of crime instead.
Adam Boileau
Let's go do some crimes.
Patrick Gray
Yeah, it's all there for the taking. One WordPress shell, millions of dollars. Anyway, moving on. And the Times newspaper is serializing a book and publishing bits of it. It's about Keir Starmer, who's now the British PM. And it looks like, according to this book, he. His personal email address, I'm guessing some sort of webmail, Gmail, whatever, it got owned and he was alerted by security services who just told him, don't go anywhere near that account again. Apparently he wasn't. It was very his address and quite easily discoverable. So I'm guessing it had been linked to him publicly somehow and he wasn't using MFA. And, you know, this is just what happens. In a way, this is good news, though, if they're having to go after their personal email accounts. But I don't know, that might be reading too much into it. But, yeah, an unsurprising bit of news. And I guess the, the most fascinating thing about this is it has been reported widely, but it's. There's no buzz around it. Like nobody is like, oh, my God, wow. You know, it is just everyday stuff these days. So that's what I found interesting about this one.
Adam Boileau
Yeah, I think you're right. I mean, so many people have had their email hacked at some point that maybe it doesn't seem like the big deal it used to be. And, you know, public figures, I mean, he wasn't Prime Minister then. He was, I think, the leader of the opposition when. When this happened. You know, reasonable to expect him to be targeted. Reasonable that they would find a, you know, a credential in a data dump that they could reuse or something like that. I did notice that the Times characterized this as a sophisticated campaign, which, you know.
Patrick Gray
Well, I mean, he wasn't the only one targeted. I think that's sort of where they're going with this. And they make the point that, you know, there was nothing particularly tactically sensitive in there, but it would give them insight into how the leader of the opposition. So it was Russia that did this, shortly after it invaded Ukraine. And, you know, the. The thinking is they were looking for insight into his thinking about, you know, sort of strategic affairs. And it's just. It's just a great example of how, you know, stuff that doesn't necessarily have immediate tactical value can still have strategic value because you can start to get it. You know, you read someone's email, you start to get a sense of how they think and, you know, what they. How they might feel about certain issues.
Adam Boileau
So, yeah, yeah, that makes total sense. I mean, I would absolutely read people's mail spools when we were on the job because it lets you see how the sausage is made and what's happening and, you know, it's just useful situational awareness. So, yeah, you know, good job, Russia, I guess.
Patrick Gray
Well, anyway, moving on. And last week we spoke about that company, what were they called? PowerSchool. Yeah, PowerSchool, who makes SaaS that's used for, you know, by all sorts of schools around the world. Something like 16,000 of them. They got breached. It looks like they've paid. You know, the hacker sent them a video of deleting the data or whatever, but you never know, you know, sometimes they want to preserve their credibility so they actually do do it. But according to this report from Kevin Collier, there's like a leaked draft of a CrowdStrike incident report into this. And it looks like really what happened is they got creds for one staff, like, no MFA, there was some, like, maintenance portal that they just logged into with those creds and got all of the data. And, you know, this really underlines that point I was making last week, which is that we're going to see more and more of this sort of thing targeting, you know, specialized SaaS platforms that just dominate particular sectors. And in this case it's schools. But next time it might be hospitals, it might be psychology clinics, it might be, you know, whatever. Yeah, this ain't good.
Adam Boileau
Yeah, I mean, really just deeply, deeply underwhelming, you know, that. Of course. Of course there's a one factor auth, you know, maintenance interface. You know, I mean, it's one.
Patrick Gray
It's one step away from an open bucket, really.
Adam Boileau
Yes, exactly right. And, you know, data breaches of, you know, and credential reuse are just so common and so such a widely used entry vector that, you know, this is as yet, it's just deeply predictable and it's going to happen on every little niche SaaS provider because you grow quickly. You don't have time to go back and clean up these things. And, you know, no one really thought that we would just put everything on the Internet like this and simple stuff like 1FA actually matters these days.
Patrick Gray
Yeah, I mean, I think there's some technical work that could go towards fixing this to a degree. And, you know, you look at some old approaches to things like card data, like tokenization and whatever, and you've got field encryption and you can do stuff like distribute keymat to each individual site, and there should be things you can do to prevent this sort of thing from being quite this bad. There's going to be some engineering work involved, but I don't think the solution is just going to be more regulation, I guess is where I'm going with that.
Adam Boileau
Yeah. I mean, being more responsible steward of your data. Right. Understanding that every bit of data you hold has a benefit, but also comes with liabilities and that you have options like blinding and tokenizing and so on to reduce the liability of the data that you need to hold to do business. And so there's not making these technical mistakes. There is regulation options, there's data minimization, like, you know, all of these things work together to just reduce the likelihood and then failing that, reduce the impact. And yeah, that kind of blended approach is where we have to get to.
Patrick Gray
I mean, it used to be really fashionable to say data is the new oil. And then I think the person, I can't remember who it was, but someone said, no, it's the new nuclear waste, which is, you know, it needs to be stored very carefully and it can, it can hurt you. Now The Record has a report up on something about Australia. This is Daryna Antoniuk has, has written this one up. The Australian government has sanctioned Terrorgram. Now this is that Telegram channel and sort of online white supremacist group. We've spoken about them previously because after Pavel Durov was arrested, one of the first things that happened was Telegram gave up the identities of a couple of the operators of this channel. So Australia's wound up sanctioning this. And the reason this is interesting is because there's been a series of. I mean, they're absolute Nazis, these guys and they, they often encourage people to commit violent acts and whatever all around the world and there's been a spate of, like, antisemitic, like, vandalism-style attacks, right? So burned cars and someone put some petrol around a synagogue, like, really awful stuff, right? Spray painting swastikas on cars in Jewish neighborhoods. Just the worst. And a couple of weeks ago the Prime Minister said something curious, which is that it looked like some of the people who were doing this were actually getting paid by people outside of the country. Because you would see these arrests and it was just like trailer park meth head type people who had no sort of political ideology or motivation. And now we see these sanctions come in and various comments by political leaders here, which, which I don't think it's taking too much to connect the dots that this is related, right? So it looks like what might have been happening is people affiliated with this group have been paying petty criminals in Australia to do this sort of stuff, just giving them money to go and do it. And then of course you arrest them.
You know, you can't really throw someone in prison for graffitiing a car or malicious damage of property. I mean, you can. It depends on their record and everything. But if you can bust them for taking money from a sanctioned entity, like, that's 10 years. So I have a feeling that's why this has happened. And I just wanted to mention it because in the global press on this, they haven't really connected those dots.
Adam Boileau
Yeah, that kind of makes sense. That gives you an avenue to kind of take this a bit more seriously, to have, you know, to hit them in the courts with something that's a bit more serious than, than graffiti. Right. And though obviously it's tied to, you know, kind of hate crimes, but I imagine like the bar for, you know, those kinds of, you know, prosecuting people for hate crime is probably.
Patrick Gray
Especially when they're not actually ideologically motivated. Well, yeah, especially when they can say, well, I just got paid $200 to do this, you know, so, you know, that's. You're sort of limited in what you can do to someone for doing that. But now I would think it's. It's a great deal more serious.
Adam Boileau
Yeah, that seems like a smart move to, you know, kind of level up the. Just give law enforcement some more options that they wouldn't have otherwise had. So, yeah, an interesting, kind of interesting catch because when I read this at first I didn't really, you know, flag this as.
Patrick Gray
Yeah, people are seeing it as, like, symbolic. It is the first time that we've sanctioned a purely online group as well. So that's another interesting dimension to this. And it really. The reason I wanted to talk about it is because we did spend a bit of time last year talking about Telegram and I think people forget that there are, you know, real-world harms from some of these platforms that just totally allow it and don't do anything with law enforcement and, and whatever. But yeah, the Prime Minister said. What did he say? "I'm reluctant to say anything that compromises investigations, but it's important that people understand where some of these attacks are coming from. And it would appear, as the AFP commissioner said yesterday, that some of these are being perpetrated by people who don't have a particular issue, aren't motivated by an ideology, but are paid actors." And indeed, our foreign minister was asked whether or not there was a link here and they said, yeah, she said the same thing. I'm not going to get into ongoing investigations because blah, blah, blah, blah, blah. But this is an online network which is all about extremism, white supremacists, people who spread hate. And so we have to use all the tools at our disposal to keep people safe. So you do just sort of get the impression they did this for a reason and it wasn't just symbolic. So I thought that was interesting. Moving on. And WhatsApp says Paragon, which is that Israeli spyware company that was recently bought by US interests for something like $900 billion, it turns out they'd been targeting a bunch of journalists and people who worked for, like, NGOs, like civil, you know, civil society groups. Which is, you know, somewhat NSO of them.
Adam Boileau
Yeah, yes, exactly. They had something like WhatsApp, like minimal interaction, like zero-click kind of thing where they would drop a PDF on you via WhatsApp and that would lead to code exec on your device and onwards to compromise. Which, yeah, if you're trying to be a slightly more legit than NSO spyware company, having a whole bunch of journalists get that is not super great. And we've obviously seen, you know, WhatsApp go after NSO in the courts and I guess this was sort of a, you know, you get the feeling this was kind of a bit of, a bit of a warning shot across the bows. But then we also had a piece from, was it Lorenzo over at TechCrunch, saying that Paragon has said that the US government is one of their customers. So that's also a sort of A, not super surprising, but B, kind of an interesting difference to kind of how NSO have gone. Like Paragon was saying, like, we only sell to good governments and Western interests and so on, which of course NSO has said similar kinds of things. But you know, having the US government buying your stuff when you're owned by a US firm and now you're, you know, targeting journalists via a US company.
Patrick Gray
Well, I mean, keep in mind this acquisition is very recent, so we're not sure that it happened while under US ownership. I also wonder if this complicates their deal. You know, if there's earn-out periods or, like, warranties or whatever. Like that could get complicated for the people who've done this deal depending on what warranties they've made to their American buyers. You know, I would have said previously that regardless, you know, them being sold to United, United States interests will sort of bring them under the umbrella of the US legal system and it would probably, you know, clean them up a little if they had been doing naughty stuff previously. I think all bets are off at the moment with the way the US Government's heading, though.
Adam Boileau
Well, yeah, exactly. I guess it's hard to. It's hard to predict at the moment. I mean, I guess in Paragon, when they were talked to by media about this, said that their terms and conditions prevent their customers from doing this kind of thing and they shouldn't be able to target civil society and journalists and blah, blah, blah, blah. So, you know, I guess we'll see how this develops. And as you say, the U.S. who knows?
Patrick Gray
Who. Who knows? But keep in mind, you know, Donald Trump is not a king. There are, you know, other politicians with power in the United States, and we might see various committees and whatever look into this eventually. But, yeah, just, it's a, it's a tumultuous time. Let's just say that. Now we've covered this here and there. Suzanne Smalley has a report up for The Record. The former Polish Justice Minister has been arrested for signing off on the use of spyware to target, like, political opponents and whatever. You know, Poland is still cleaning up after the previous government's, you know, crazy use of spyware within their own borders. And this is just the latest development in that. So there is some accountability here and, you know, ties back to the previous piece. Right. Where things could get a little bit out of hand under Trump. Trump, you know, depending on who, you know, wins the election in, in four years from now, you know, do you really want to roll the dice on doing a whole bunch of stuff that a future government in the United States won't like? And you might get Poland, you know, you might get the same treatment as the former Polish justice minister is what I'm getting at there.
Adam Boileau
Yeah. Yeah. Anyway, it is really nice to see the Polish government going through this process because, you know, we've seen other places in the world where, you know, there hasn't barely been the appetite to go pull this thread and, you know, the Poles are doing it. So good on them, you know, because it was, you know, it's pretty egregious. And if it warns other people, makes them think a little bit, then great.
Patrick Gray
Well, I think it's pretty easy for them politically to target their opposition. Right. Like, they win the election, they go after the last people, but, you know, if they've committed genuine misdeeds, genuine crimes, then, you know, fair enough. Now, last week, we briefly touched on the issue of cable breaks in various oceans and seas. And, you know, we said at the time, we don't know whether this is deliberate or not. The Swedish government had detained a ship for a while to investigate whether or not it had deliberately broken cables. They've now released that ship and said that it was clearly not sabotage. So still as clear as mud.
Adam Boileau
Yes. I mean, the Swedish authorities are pretty clear that in this case it was incompetent. So I guess that's nice. You know, you were wondering, like, how.
Patrick Gray
Do you drag your anchor for, you know, miles and miles and miles and not notice? Apparently it's possible.
Adam Boileau
Yeah. So being. Apparently being a bad mariner and bad infrastructure and bad, you know, seamanship or whatever else they said about it. So, yeah, not. Not great for your resume as a mariner, but no longer being detained by the Swedes. So, you know, I guess that's probably a win for, for them, the crew of the ship.
Patrick Gray
I mean, being detained by the Swedes would probably be quite nice if you're used to spending your time on a, you know, large boat that smells like diesel.
Adam Boileau
A Russian tramp steamer. Yes.
Patrick Gray
I was guessing there would be potted plants and tai chi in the mornings. It's Sweden.
Adam Boileau
It's sweet. Sounds good.
Patrick Gray
Now, let's talk about this huge flap about these medical devices. CISA put out this big warning saying that the Contec CMS8000 devices, which are used to do patient monitoring in healthcare, like, I'm guessing heart rate and whatever, it, you know, quietly sent patient data to a remote IP address and downloads and executes files on the device. So big song and dance about this. We've got a report here from Lawrence Abrams over at BleepingComputer and he's updated his to say a report from a company called Claroty says that what CISA is warning about is just the, like, auto-update mechanism for these devices and to activate it, you need to, like, reboot it while holding a button. And. What are you talking about, CISA? So awkward.
Adam Boileau
Yeah. This is a little bit embarrassing for CISA because the initial reporting was quite breathless and they had some screenshots of, oh, my God, patient data, you know, being sent across the network. And then there was a little detail we said, oh. And then they use NFS to. And I'm like, excuse me, you what now? Like, no hacker is going to rely on NFS to deliver their data across the Internet. Like, that's a terrible idea because you're just not going to get very many callbacks because NFS is going to get, you know, blocked in all sorts of places. It's a terrible idea. And so that to me, didn't ring super authentic. It's, you know, smelt like, you know, maybe someone was just, you know, maybe an internal. Whatever.
Patrick Gray
I mean, I hadn't thought it through. I can confirm that when this first popped up in one of our Risky Bulletin newsletters and we were preparing the podcast script for that day, you did express reservations. You're like, I don't know about this one. I don't think this looks like malware. So you were. You were ahead on this.
Adam Boileau
Yeah, well, you know, you just got that kind of Spidey sense, you know, for. That doesn't. I wouldn't do that. And I'm a hacker anyway, so Claroty bought one of these devices, popped the Flash chip off its main board, dumped the Flash out, reverse engineered the firmware, went and dug up the kind of functionality that implements this. And it actually is just upgrade functionality. In fact, the IP address in question is in the manual.
Patrick Gray
Yeah.
Adam Boileau
Which again, if you're doing a secret.
Patrick Gray
Data exfiltration operation, you wouldn't necessarily put the IP address in the manual. And, you know, I'll just read a comment here from the report as quoted by Lawrence Abrams. Although the full update process is very dangerous and risky to us, it does not appear to have a malicious intent behind it, especially when considering the manual boldly refers to this IP address and white label vendors ask users to configure their internal CMS with this IP address.
Adam Boileau
Yeah, so that's. I mean, I feel like for CISA, this is a bit of a, you know, it's a bit embarrassing because, you know, so many times we are relying on advice from government agencies or whatever else that do have classified sources. They have, you know, things that we as general public can't see. And there's a degree of, look, we just have to trust them to get it right because obviously they can't share all of the source material with us. And there's a degree of. We just have to, you know, accept that. But then it's kind of incumbent upon them to put out good information and not do.
Patrick Gray
But everybody makes. Everybody makes mistakes, Adam, us included. And, you know, sometimes you just got to chalk it up to, well, they made a mistake.
Adam Boileau
Yeah. And, and, and they did. But, yeah.
Patrick Gray
Yeah. I think the reason you're particularly firm on this one is because, as I say, you immediately saw that and said, oh, yeah, yeah. So let's talk about this zero day vuln in Zyxel. Is that how you actually say it? Or is it Zychel or.
Adam Boileau
I've always said Zyxel. I think that's. So that's what I write in the pronunciation notes for Risky Bulletin. So if I'm wrong, then, you know, then you're wrong.
Patrick Gray
Big as it turns out. Yeah. So GrayNoise wrote a post about mass exploitation of these devices. I guess they're like home routers or whatever, right?
Adam Boileau
Yeah, yeah, Zyxel makes a bunch of that kind of thing, home routers and things. This one I think was interesting because VulnCheck originally found the bug, publicized it, reported it to Zyxel who just haven't patched it. I don't know whether the devices are end of life or whatever, so there's no real information. Then GrayNoise saw mass exploitation start to kick off. I think this got added to one of the Mirai variants. So you know, hitting the Internet and there's a bunch of devices that are vulnerable out there. But yeah, Zyxel just haven't really publicized it, haven't patched it. So yeah, GrayNoise was blowing the whistle a little bit saying hey, pay attention.
Patrick Gray
Yeah. So is this like discord kids or state backed behavior? Who knows these days?
Adam Boileau
Why not both?
Patrick Gray
Why not both? Exactly. What else have we got here? Ah, now this is one where again I don't, you know, it's all Greek to me but talk to us about this AMD research out of Google Security which looks at what is it like being able to update CPUs with like malicious microcode. Is that about.
Adam Boileau
Yeah, OK. This is the research. I think this only got dropped I think like today or yesterday. So pretty recently AMD have published an advisory. There's not really any details yet, but what Google has reported and demonstrated is the ability to as a like ring zero so like root or administrator on an operating system running on AMD Zen CPUs they can patch the microcode, patch the firmware of the CPUs and that lets you do basically anything. And Google's demo is they change it so that the RDRAND instruction which returns random numbers always returns 4 and the bug appears to be some kind of like either hash collision or like Google described as an insecure hashing process. When they're validating the microcode patches the specifics, we'll have to wait and see once Google does actually drop those. But yeah, like great research and obviously in a cloud environment this is a thing where you could probably do this in a guest VM but you're patching the CPU microcode that is shared across other instances or up in the hypervisor. So interesting class of bug. And the sort of thing that you would expect Google to be paying attention to given that they operate large public cloud. So cool.
Patrick Gray
They have a few computers.
Adam Boileau
They do have one or two CPU cores to worry about I am sure. But yeah, good work them and yeah, like cool bug.
Patrick Gray
Yeah, nice. Now let's talk about a 22 year old in Canada who can control smart contracts. He stole 65 million bucks like by manipulating smart contracts. So really smart with the math, but then gets caught in a really, really dumb way.
Adam Boileau
Dear. Yes. So a while ago we talked about an attack on a blockchain crypto thingy called KyberSwap and this guy from Canada called Andean Medjedovic, 22 had come up with a bug where he could kind of manipulate.
Patrick Gray
Medjedovich, I think Medjidovich.
Adam Boileau
But yes, he could manipulate some smart contracts and basically use that to drain a pool of equity run by KyberSwap. And he stole 40 ish million dollars, $48.8 million worth of cryptocurrency using this. And he did basically similar kinds of tricks where he would take out a big flash loan, use that to manipulate the value of a pool of cryptocurrency that smart contracts are operating on, and then kind of trick them basically through a rounding error, into making a transaction that was beneficial to him. He stole a bunch of money. He then went on to try and launder it through, you know, various mixers and so on. Extracted a bunch. And he has now been indicted by the US but he's on the lam, he's on the run with, we don't really know how much cryptocurrency. But unfortunately for him, when he went to go and launder these funds, some of it was being blocked because the people had blacklisted the source of the funds in the exchanges and so on. And he was actually submitting like support tickets to the exchange, threatening to call the police on them if they didn't launder his funds for him, which I don't know how that worked, and bribing them to launder his funds. And one of the people that he struck up a relationship with in this process turned out to be an undercover cop, which may not go well for him if he gets arrested if they actually figure out where he's got to. But yeah, the story is pretty grim because he was like a math, had a master's in math from some university in Canada and he had these, you know, detailed schemes and he made lots of notes about his, you know, criminal conspiracy about how he was going to launder and how he's going to get away with it, so on and so forth. But yeah, we will see whether you know, his very smart but not very. You don't get social adept from, from the indictment notes. We'll see whether that, you know, stands him in good stead while he's on the run.
Patrick Gray
Now finally, Adam, we're just going to preview this one because our colleague Tom Uren is writing up. This is one of the things he's looking at for tomorrow's Seriously Risky Business newsletter and I'll be talking about it with him in detail tomorrow. Again, head to Risky Biz and subscribe to both the Risky Bulletin newsletters and podcast feed. But yeah, the NCSC, I think this goes back to. Yeah, January 28th. So it is very, very recent. They have written some guidance on what is a forgivable vulnerability and what is not a forgivable vulnerability. And you really get the sense that this is targeted towards the makers of these edge devices like your Palo Altos, your Fortinets, your Ivantis. Like that's what this feels like to me.
Adam Boileau
Yeah, absolutely. And I really love that characterization because it's so easy to weasel on CVSS scores or weasel on 10 technicalities. But I think like forgivable versus unforgivable really nails the thing that's aggravating when you read about some of these bugs, right? I mean, you know, the especially like the Fortinets and the Ivantis, you read them and you just go like how can you possibly do this and still be in business? So I like this characterization and it speaks to me.
Patrick Gray
Yes, I'll be going over that with Tom tomorrow because I think, you know, this could form, this could really inform policy, this sort of thing. It's about time someone actually sat down and explained in simple terms, like you can have a bug in this and it's not the end of the world like even a serious bug if it was like a whole bunch of weird stuff happened. And you know there are forgive even high CVSS bugs can be forgivable and there are others that aren't. And I think I don't know that that's something that's well understood by the sort of people who are responsible for making the laws and regulating this space. So well done NCSC. But mate, that is it for the week's news. Thank you so much for joining me to chat about it all. Always a fun time and we'll catch you again next week.
Adam Boileau
Yeah, thanks Pat. I will talk to you then.
Patrick Gray
That was Adam Boileau there with a look at the week's security news. We're going to hear from this week's sponsor guest now, which is Josh Kamdjou from Sublime Security. He's a co founder and the chief executive there. And a full disclaimer. I am also an advisor to Sublime Security. So Sublime makes the most modern sort of kick ass email security platform that there is these days. So one of the things that makes it different is it's sort of customized per environment and you can do things like write your own detection rules, do threat hunting. It's just, just, it's just a modern redevelopment of an email security platform and it's sort of like what email security platforms should be these days. And obviously they're at the coal face now. They've got a bunch of customers and yeah, they see all of the cool new stuff, all of the new attacks that are hitting their users and hitting them as well as you'll hear like DocuSign abuse to send malicious stuff to people through DocuSign. But it turns out this is a big trend at the moment is people using trusted services to distribute malicious stuff. So here is Josh Kamdjou to walk us through how some of the bad actors out there are actually abusing trusted services to do all sorts of creative things. Enjoy.
Josh Kamdjou
Ultimately, the idea is to blend in with normal behavior, normal traffic to evade detection. And the translation to the email layer is leveraging similar types of trusted infrastructure that you see legitimately being sent to and from an organization's email domain. So examples of this are like DocuSign or SharePoint or Dropbox or Google Drive. So there's a lot of overlap actually between the types of services that we see malware abuse that we also see adversaries use to send email attacks.
Patrick Gray
Yeah, I mean, I was just thinking as you were talking that the sort of phase one of this would have just been people hosting malware on trusted domains. Like, like OneDrive. Malware was a big thing for a long time, right? Like huge.
Josh Kamdjou
Yeah.
Patrick Gray
And now they're going one step further and actually generating mails from those types of services. And that's the mail part as well. Right. So how does that work?
Josh Kamdjou
Yeah, so we see, we see a few different types of abuse. There's really two categories of trusted infrastructure abuse that we see. There is the infrastructure abuse that ends up delivering mail from the trusted infrastructure service itself as the sender. So that's where you receive an email from DocuSign.net and it's literally from DocuSign.net, it's passing all sender authentication, SPF, DKIM, DMARC. So that's category one of the abuse that we see. And then the category two is the, the infra abuse of links embedded in the message. So we see for malware delivery, like link based malware delivery in particular or credential phishing delivery, we end up seeing sites hosted on DocuSign, on SharePoint, on even Freshdesk or Zendesk subdomains. And so these are all inheriting the reputation of these legitimate services. So they, they tend to be much more difficult to detect.
Patrick Gray
I mean you haven't mentioned the big one, which is Cloudflare, where, oh my.
Josh Kamdjou
God, don't get me started with Cloudflare. God, there is so much of Cloudflare.
Patrick Gray
Like it is amazing how much badness there is on Cloudflare. And just with the flexibility of their CDN, people are actually hosting fully featured phishing sites on trusted Cloudflare domains. So yeah, I mean as a detection signal, it's hard enough to figure out when a mail is bad when it's only got legitimate links in it, but when you've then got the added complexity of the messages themselves coming from trusted services, from actually DocuSigns and you know, I've got a blog post of yours I'm going to link through to so people can have a look at it themselves. But it shows that, you know, you can deliver like a PDF through DocuSign that it's like click, click, click through and that eventually takes you to like Crabfish or whatever. So it's like an end to end attack handled on DocuSign. I mean, how do you deal with that as an, you know, as a company that's like filtering email? I'm guessing it's going to be deep inspection of those sort of payloads and are there any complexities there like you know, you operating a mail server or mail security platform, can you go and then get that PDF and then analyze it? And I'm guessing that's the game, right?
Josh Kamdjou
We can, yeah. So, so it's really tricky and we've seen other folks get this wrong recently and it's caused a ton of pain. We've seen, there's been, Google in particular has been really causing a lot of frustration here as we've seen DocuSign in particular get abused. Even us, our company, we've seen tons of legit DocuSigns for our sales team literally getting sent to spam by Google. And we're hearing this, we're hearing this from like, a lot of other people.
Patrick Gray
I mean, this is exactly what a startup needs, is signed purchase orders being deleted. Right? Like, thank you, Google.
Josh Kamdjou
Seriously, like, we see these like, DocuSigns that are just sitting in spam for the last, like week or two weeks. And some of these are like legitimate communications that are getting sent after like multiple replies from the sender. I mean, it's, it's, it's really hard basically to solve this purely using like a global ML model, basically, because so much gets scooped up with that because there's so much legitimate mail coming from DocuSign. So you have to really get granular and know what specific signals that you're looking for. So when we saw this, you know, the way Sublime works is, you know, we've got our models that run behind the scenes, but we have a detection, we have an abstraction layer of above our models that lets us describe attacker behavior and we can push that out to all of our customers. So it's a DSL, so our team can actually build really granular behavioral detections. So when we see this, like, evolution of DocuSign, we can build a really targeted detection that says, okay, when we see a message come from DocuSign and it's passing sender authentication. So all the checks are green there, but the reply to domain is a domain that you've never spoken to before. Because that's what a lot of them will do is they'll set the reply to domain. So if you reply, they'll get the.
Patrick Gray
Response the attacker and then they can say, yes, no, this is absolutely a legitimate document. Please go ahead.
Josh Kamdjou
Yeah, please. Yeah, this is all legit. Exactly. So we can actually get granular with the signals and say, yeah, this is a recently registered reply to domain. We can go out to the link and if we see like a PDF icon that, you know, they're like, they're impersonating a PDF document on the legitimate DocuSign document, we can like detect that as a signal. So we can adapt really, really rapidly to any changes in the landscape that we see and we can push that out to our customers. So you really have to have like a granular detection engine to do this super well, at least to do it quickly and often.
Patrick Gray
You can't even get to the payload. Right, because they put them behind things or the final phishing page because they put them behind things like Turnstile. Right?
Josh Kamdjou
That's right. That's right. In which case you really need to, you really need to use the fact that it's hosted on Cloudflare as a signal.
Patrick Gray
Well, this is actually. This is actually what I was going to ask you. I was thinking, surely if there's a DocuSign thing with a link in it that goes and hits a turnstile, like, I'm thinking that's actually a pretty solid signal that.
Josh Kamdjou
Yeah, well, but the thing. Yeah, exactly. You have to be able to go out to the link in the DocuSign and it's actually the. The actual payload is hosted on DocuSign.net like official, like a document that you sign. So they actually are creating a template in DocuSign that you send. You click on, like, yes, I want to sign. It opens up DocuSign.net there's like a fake PDF there, and then you click and then it goes to wherever Cloudflare Turnstile or whatever. So, yeah, if you can get multiple layers deep there and see where it's going, you're good.
Patrick Gray
Yeah, yeah. So, I mean, it's always like that with mail, right? You've got your big signals, your medium signals, and then you start getting a little bit more granular. And that's. I think that's really where most mail providers compete, right? It's less on the big stuff and more on the. On the little stuff. Although, you know, the example you just gave of Google, like, they're. They're kind of failing at the big one there.
Josh Kamdjou
It's tough. It's a tough problem to solve with, like, with just training a model.
Patrick Gray
Yeah, yeah. So talk to us, too. You sent me something about, like, using legitimate sites, distribution lists or something. It was something that I don't completely understand. Explain this one to me, please, Josh.
Josh Kamdjou
This was super clever. So it's a way that we've seen an evolution of the abuse of these infrastructure services to send it at mass volume without getting blocked by the provider. So if you start to send. If I start to abuse DocuSign, let's say, or PayPal or, you know, Microsoft or whatever it might be, and I start to send like, thousands and thousands of messages. Some of those services will have by now had some, like, volumetric detection to say, hey, you can't send this many in this short a period of time or something. Not all of them have that, to be clear, but some of them do.
Patrick Gray
Well, they will eventually, right?
Josh Kamdjou
Because they will eventually.
Patrick Gray
That's just the trend, you know what I mean? Like, it's. Everyone's having their. Having their happy time right now, using this as a vector. And then, yeah, eventually it turns into enough of a headache for the providers that they have to rate limit it.
Josh Kamdjou
That's right. So what we started to see was super is kind of clever. So they would go into Microsoft and they would create a distribution list. So they would spin up an account, they would create a DL and they would add all of their targets to that distribution list. And then they would go into whatever service that they were abusing. Whether it's like, I'm going to send a callback phish through PayPal, or I'm going to send a fake Microsoft invoice, I'm going to abuse Microsoft invoicing to send it to them. So they'll send it from PayPal to the DL and then the DL will fan out from there. So from the infrastructure, from the trusted services perspective, you're only sending one message and then the DL and then from like Microsoft's perspective, and they're just like, yeah, this is what a DL does. It just fans out.
Patrick Gray
So tell me how, like a callback phish with, you know, tell me how I can generate a callback phish with something like PayPal and why I might do that. Like, what sort of control does an attacker have over those sort of messages?
Josh Kamdjou
Yeah, so you would basically go into PayPal and you would generate an invoice for, you know, quote, unquote, customer. And in that invoice you would embed a phone number for like, customer support, or if you don't recognize this or. Or PayPal support, there's a bunch of different variants of this. And. And then there would be a charge of like 500 bucks or something, you know, whatever. And so that. And then you say you go, you click send and it sends the invoice to the DL or to the target, and then they end up calling the number. And then for Callback Phish, it's typically like a rat that they're installing. And then there's a lot of consequences from there.
Patrick Gray
What? So they click. I mean, there's a phone number, but is there also a link there or something where they can click through?
Josh Kamdjou
And that's where they get malware, typically not for Callback Phish. So Callback Phish will be like the, the payload list style, which is actually why it was such a big deal and still continues to be. So there's no link, there is no malware directly on the email. It gets delivered after you call the phone number, and it gets routed to one of these scam centers.
Patrick Gray
Okay, Right. So that's how.
Josh Kamdjou
And then they are like, hey, yeah, like, happy to support you install this, you know, remote access tool. And then they have control over your computer and then they'll do all sorts of nefarious things from there.
Patrick Gray
So before we wrap it up, Josh, you've built a few, you know, we've got some platform updates to talk about. Basically you've got some improved incident response features and sender domain exclusions which, you know, just, just to make life a bit easier, just give us a quick rundown on, on the latest, the latest bells and whistles in Sublime.
Josh Kamdjou
Oh yeah. So we've, we've released some pretty rad stuff recently. The most recent one is our fuzzy grouping algorithm. So this is a way that we cluster similar campaigns together. So if you imagine in particular for like mass volume attack spray and pray type stuff where you're hitting like thousands of people at an org, they're typically targeted or tailored to each one. So like there's the first name and there's like some special, you know, the subject is customized and there's like all kinds of different variations that you might see. So we built like a clustering algorithm that'll be able to see all those changes and like cluster those together. And so we can basically present those to, we can remediate them all at once and then we can present those to analysts if and when they want to review it in a single alert. So they're not seeing like a thousand or ten thousand or their SOC is not getting like a thousand alerts. So that's a really cool one. It just makes IR more efficient too. Like if you're looking for a campaign, you'll see all of them at once and you can see if you know if it was remediated or remediated with one click if you want. So that's one of the big ones. We also released some really cool new reporting for tactics and techniques that we see hitting an environment. So we have this taxonomy that we've created that describes, that's super granular and it's, it describes like the tactics and techniques or the attack type of the attack. And we started to show that in our reporting now. So you can see, hey, I'm getting hit with like QR codes or you know, PDF links to PDFs or HTML smuggling, you know, you can get down to the actual tactics and techniques being used and then there's a bunch more. 
But the last one I'll mention is the, the sender domain exclusions which is just this like huge pain point that people would typically have with any sort of real time detection engine really, but in particular with email security is when you when, when you have a false positive and everyone has false positives. What happens when you have a false positive? Well, typically you end up just filing a ticket and then waiting for it to be resolved. One day we released a super granular exclusions feature where in two clicks you can just mitigate at a really granular level without creating a global exclusion. So it's like, specifically for this behavior, we will no longer flag it. So it lets you instantly resolve false positives. So that's a really, really rad one that we also released recently.
Patrick Gray
Awesome. All right, well, Josh Kamdjou, thank you so much for joining me. It's always good to see you, my friend. And we'll be chatting again a bunch of times throughout 2025.
Josh Kamdjou
It's so, so good to see you. Thanks for having me on.
Patrick Gray
That was Josh Kamdjou there from Sublime Security with this week's sponsor interview. And that is it for this week's show. I do hope you enjoyed it. I'll be back tomorrow in the Risky Bulletin podcast feed with my weekly discussion with Tom Uren about his newsletter. But until then, I've been Patrick Gray. Thanks for listening.
Release Date: February 5, 2025
Host: Patrick Gray
Guest: Adam Boileau
Sponsor Segment: Josh Kamdjou from Sublime Security
Elon Musk has reportedly assembled a group of highly skilled young professionals to take over various branches of the US Government's IT infrastructure. This bold move has raised concerns about data governance and the potential vulnerabilities introduced by such an unorthodox team.
Patrick Gray highlights the potential risks:
"[...] Elon Musk has assembled a team of bright young things who are sort of forcibly taking over various arms of the US Government and doing God knows what with the data." [00:56]
Adam Boileau compares the situation to previous tech takeovers:
"They can sleep there and work around the clock and are going through, you know, doing things that feel quite reminiscent of what happened at Twitter." [01:36]
The discussion underscores the uncertainty surrounding the oversight and management of sensitive government data by Musk's team, with Adam noting the duality of their potential effectiveness versus governance risks.
Wiz, a cloud security firm, uncovered a significant data exposure from DeepSeek, a Chinese AI startup. The investigation revealed poorly managed infrastructure, including an unsecured ClickHouse database allowing unauthorized SQL queries and access to sensitive log data containing API keys and recovery phrases.
The incident exemplifies common pitfalls in rapidly growing startups, where infrastructure security lags behind growth, leading to critical data vulnerabilities.
Kaspersky reported the emergence of malicious mobile applications in both the Apple App Store and Google Play Store designed to steal cryptocurrency. These apps exploit the device's photo gallery by using optical character recognition (OCR) to extract crypto recovery phrases from images.
This sophisticated technique leverages trusted functionalities of legitimate apps, making detection challenging and highlighting the evolving threats in mobile security.
The Times newspaper revealed that Keir Starmer, the British Prime Minister, had his personal email account compromised. Despite the breach, there was minimal public reaction, reflecting perhaps the normalization of such incidents.
The breach emphasizes the importance of robust email security measures, especially for public figures, yet also mirrors the desensitization to such security failures.
PowerSchool, a widely used SaaS platform for educational institutions, suffered a significant breach affecting approximately 16,000 schools. The breach was facilitated by compromised credentials of a single staff member lacking multi-factor authentication (MFA).
This incident serves as a cautionary tale about the critical need for comprehensive authentication mechanisms in specialized SaaS platforms to protect sensitive educational data.
The Australian government sanctioned Terrorgram, an online group affiliated with white supremacists, linking them to orchestrated hate crimes. Investigations suggest that Terrorgram operators financially incentivized petty criminals to carry out acts of vandalism, providing a robust legal avenue for prosecution beyond minor offenses.
This approach marks a significant step in combating online extremism by targeting the financial underpinnings of hate-fueled activities.
Paragon, an Israeli spyware company recently acquired by US interests for approximately $900 million, has been implicated in targeting journalists and civil society groups through WhatsApp. Similar to NSO Group, Paragon employs zero-click vulnerabilities to infiltrate devices and extract sensitive information.
The acquisition raises concerns about the regulation and ethical use of spyware technologies, especially when they fall under the jurisdiction of Western governments.
GrayNoise reported widespread exploitation of a zero-day vulnerability in Zyxel home routers, allowing attackers to gain unauthorized access and control. Despite the initial discovery by VulnCheck, Zyxel has yet to patch the vulnerability, leaving countless devices exposed.
This situation highlights the critical lag between vulnerability discovery and patch deployment, emphasizing the need for proactive security measures by device manufacturers.
Google Security researchers uncovered vulnerabilities in AMD Zen CPUs that allow malicious actors with root access to update CPU microcode, granting them unprecedented control over the hardware. This includes altering fundamental CPU instructions, posing severe risks in cloud and virtualized environments.
The discovery underscores the importance of securing CPU firmware and the potential ramifications of such deep-level vulnerabilities.
A 22-year-old Canadian, Medjedovic, exploited vulnerabilities in smart contracts to manipulate cryptocurrency transactions, successfully siphoning off $65 million. Despite his mathematical prowess, his attempt to launder the funds was thwarted when he interacted with law enforcement through fraudulent support tickets.
The case illustrates that technical ingenuity alone is insufficient to evade capture, as operational security and social engineering missteps can lead to significant failures.
The UK's National Cyber Security Centre (NCSC) released guidance distinguishing between forgivable and unforgivable vulnerabilities, aimed primarily at manufacturers of edge devices like Palo Alto, Fortinet, and Ivanti. This framework seeks to inform policy and encourage responsible vulnerability management.
This initiative is pivotal in shaping industry standards and enhancing the security posture of critical infrastructure providers.
Sponsor: Josh Kamdjou, Co-Founder and CEO of Sublime Security
Josh Kamdjou discusses the evolving landscape of email security, focusing on how attackers are leveraging trusted services like DocuSign, SharePoint, Dropbox, and Google Drive to execute sophisticated email attacks.
Direct Abuse of Trusted Infrastructure:
"You receive an email from DocuSign.net and it's literally from DocuSign.net, it's passing all sender authentication." [42:14]
Embedded Links in Messages:
"We end up seeing sites hosted on DocuSign, on SharePoint, on even Freshdesk or Zendesk subdomains." [42:14]
He emphasizes the difficulty in detecting such threats due to the legitimate reputation of these services. Josh outlines Sublime Security's approach to combating these attacks through granular behavioral detections and advanced threat hunting capabilities.
These innovations aim to enhance incident response efficiency and reduce false positives, providing a robust defense against the nuanced tactics employed by modern attackers.
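The DocuSign Reply-To pattern described in the interview (mail that genuinely comes from the trusted service and passes SPF, DKIM and DMARC, but whose Reply-To points at a domain the organisation has never corresponded with, often a freshly registered one) can be written as a small behavioural rule. The block below is an added example for this page, not Sublime's DSL or any of its code; the message record shape, the trusted-service list, the known-contact set, the registration dates and the sample messages are all constructed assumptions standing in for what a real filter would pull from headers and a WHOIS/RDAP lookup.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed header record for the example; a real engine would parse these out of
# From:, Reply-To: and Authentication-Results:. Not Sublime's data model.
@dataclass(frozen=True)
class Message:
    subject: str
    sender_domain: str              # domain of the From: address
    reply_to_domain: Optional[str]  # domain of the Reply-To: address, if any
    spf: str                        # "pass" / "fail" / "none"
    dkim: str
    dmarc: str

# Services whose mail legitimately arrives authenticated and in volume, so the
# sender domain alone is not a signal (constructed list).
TRUSTED_SERVICES: Set[str] = {"docusign.net", "sharepointonline.com", "paypal.com"}


def auth_passes(m: Message) -> bool:
    """True when SPF, DKIM and DMARC all passed: the mail really left the service."""
    return (m.spf, m.dkim, m.dmarc) == ("pass", "pass", "pass")


def reply_to_abuse_signals(m: Message, known_domains: Set[str],
                           registered_on: Dict[str, date], today: date,
                           new_days: int = 30) -> List[str]:
    """Return the behavioural signals that fire for one message (empty = no alert).

    The rule only looks at authenticated mail from a trusted service; a spoofed
    From: that fails DMARC is a different pattern handled by other rules.
    """
    signals: List[str] = []
    if m.sender_domain not in TRUSTED_SERVICES or not auth_passes(m):
        return signals
    rt = m.reply_to_domain
    if not rt or rt == m.sender_domain:
        return signals  # no Reply-To, or replies go back to the service itself
    if rt in known_domains:
        return signals  # the org has exchanged mail with this domain before
    signals.append("trusted_sender_reply_to_unknown_domain")
    registered = registered_on.get(rt)  # None when the lookup is unavailable
    if registered is not None and (today - registered).days <= new_days:
        signals.append("reply_to_domain_recently_registered")
    return signals


# Constructed sample data. TODAY matches the episode's release date.
TODAY = date(2025, 2, 5)
KNOWN_DOMAINS: Set[str] = {"partner-corp.example", "docusign.net"}
REGISTERED_ON: Dict[str, date] = {          # stand-in for a WHOIS/RDAP creation date
    "partner-corp.example": date(2015, 6, 1),
    "invoice-review-portal.example": TODAY - timedelta(days=4),
}
SAMPLE_MESSAGES: List[Message] = [
    # Ordinary envelope: replies go back to DocuSign itself.
    Message("Please sign: MSA renewal", "docusign.net", None, "pass", "pass", "pass"),
    # Reply-To points at a long-standing counterparty: benign.
    Message("Please sign: SOW 17", "docusign.net", "partner-corp.example", "pass", "pass", "pass"),
    # Authenticated DocuSign mail, Reply-To to a never-seen, 4-day-old domain: alert.
    Message("Completed: Invoice approval", "docusign.net", "invoice-review-portal.example", "pass", "pass", "pass"),
    # Spoofed From: failing authentication is out of scope for this rule.
    Message("Action required: document", "docusign.net", "invoice-review-portal.example", "fail", "fail", "fail"),
]


def run_samples() -> Dict[str, List[str]]:
    """Evaluate the constructed messages and map subject -> fired signals."""
    return {m.subject: reply_to_abuse_signals(m, KNOWN_DOMAINS, REGISTERED_ON, TODAY)
            for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for subject, signals in run_samples().items():
        print(f"{'ALERT' if signals else 'ok   '} {subject}: {signals}")
```

The two signals are kept separate on purpose: the unknown Reply-To domain alone is worth surfacing, and the registration-age check only strengthens it when the lookup is available, so a missing WHOIS answer never suppresses the base signal.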
Risky Business #778 delves into a plethora of pressing information security issues, from high-profile governmental IT takeovers and significant data breaches to sophisticated email and mobile app attacks targeting cryptocurrency. The episode underscores the intricate and evolving nature of cybersecurity threats, highlighting the necessity for advanced security measures and vigilant governance. The sponsor segment by Sublime Security further accentuates the importance of adaptive and granular security solutions in mitigating these sophisticated attack vectors.
For those interested in deeper insights and detailed discussions, subscribing to Risky Business is highly recommended.