Risky Business #778 Summary: Musk's Child Soldiers Seize Control of FedGov IT Systems

Release Date: February 5, 2025
Host: Patrick Gray
Guest: Adam Boileau
Sponsor Segment: Josh Kamju from Sublime Security

1. Elon Musk's Team Seizes Control of US Government IT Systems

Elon Musk has reportedly assembled a group of highly skilled young professionals to take over various branches of the US Government's IT infrastructure. This bold move has raised concerns about data governance and the potential vulnerabilities introduced by such an unorthodox team.

• Patrick Gray highlights the potential risks:
  "[...] Elon Musk has assembled a team of bright young things who are sort of forcibly taking over various arms of the US Government and doing God knows what with the data." [00:56]

• Adam Boileau compares the situation to previous tech takeovers:
  "They can sleep there and work around the clock and are going through, you know, doing things that feel quite reminiscent of what happened at Twitter." [01:36]

The discussion underscores the uncertainty surrounding the oversight and management of sensitive government data by Musk's team, with Adam noting the duality of their potential effectiveness versus governance risks.

2. Data Exposure in Chinese AI Startup Deep Seek

Wiz, a cloud security firm, uncovered a significant data exposure from Deep Seek, a Chinese AI startup. The investigation revealed poorly managed infrastructure, including an unsecured Clickhouse database allowing unauthorized SQL queries and access to sensitive log data containing API keys and recovery phrases.

• Adam Boileau expresses surprise at the lack of security:
  "They've got some domain names with no auth and have an interface where you can just browse through and run SQL queries." [04:31]

The incident exemplifies common pitfalls in rapidly growing startups, where infrastructure security lags behind growth, leading to critical data vulnerabilities.

3. Malicious Mobile Apps Target Cryptocurrency via OCR

Kaspersky reported the emergence of malicious mobile applications in both the Apple App Store and Google Play Store designed to steal cryptocurrency. These apps exploit the device's photo gallery by using optical character recognition (OCR) to extract crypto recovery phrases from images.

• Patrick Gray comments on the cleverness of the attack:
  "It's a really clever way because you [...] run OCR on stuff out of your photos." [09:34]

This sophisticated technique leverages trusted functionalities of legitimate apps, making detection challenging and highlighting the evolving threats in mobile security.

4. Keir Starmer's Email Compromise

The Times newspaper revealed that Keir Starmer, the British Prime Minister, had his personal email account compromised. Despite the breach, there was minimal public reaction, reflecting perhaps the normalization of such incidents.

• Adam Boileau notes the lack of surprise:
  "I think that's because so many people have had their email hacked at some point that maybe it doesn't seem like the big deal it used to be." [14:50]

The breach emphasizes the importance of robust email security measures, especially for public figures, yet also mirrors the desensitization to such security failures.

5. Power School SaaS Platform Breach

Power School, a widely used SaaS platform for educational institutions, suffered a significant breach affecting approximately 16,000 schools. The breach was facilitated by compromised credentials of a single staff member lacking multi-factor authentication (MFA).

• Patrick Gray underscores the vulnerability:
  "[...] one-factor auth was a key vulnerability." [16:27]

This incident serves as a cautionary tale about the critical need for comprehensive authentication mechanisms in specialized SaaS platforms to protect sensitive educational data.

6. Australia's Sanctions on Terragram and White Supremacist Links

The Australian government sanctioned Terragram, an online group affiliated with white supremacists, linking them to orchestrated hate crimes. Investigations suggest that Terragram operators financially incentivized petty criminals to carry out acts of vandalism, providing a robust legal avenue for prosecution beyond minor offenses.

• Patrick Gray explains the strategic move:
  "If you can bust them for taking money from a sanctioned entity, like, that's 10 years." [20:45]

This approach marks a significant step in combating online extremism by targeting the financial underpinnings of hate-fueled activities.

7. Paragon Spyware Company's Link to WhatsApp Abuse

Paragon, an Israeli spyware company recently acquired by US interests for approximately $900 million, has been implicated in targeting journalists and civil society groups through WhatsApp. Similar to NSO Group, Paragon employs zero-click vulnerabilities to infiltrate devices and extract sensitive information.

• Adam Boileau questions the acquisition's implications:
  "Having the US government buying your stuff when you're owned by a US firm and now you're targeting journalists via a US company." [23:45]

The acquisition raises concerns about the regulation and ethical use of spyware technologies, especially when they fall under the jurisdiction of Western governments.

8. Zyxel Devices Mass Exploitation through Zero-Day Vulnerability

GrayNoise reported widespread exploitation of a zero-day vulnerability in Zyxel home routers, allowing attackers to gain unauthorized access and control. Despite the initial discovery by Vulncheck, Zyxel has yet to patch the vulnerability, leaving countless devices exposed.

• Adam Boileau expresses frustration over unpatched security flaws:
  "Zyxel just haven't really publicized it, haven't patched it." [32:09]

This situation highlights the critical lag between vulnerability discovery and patch deployment, emphasizing the need for proactive security measures by device manufacturers.

9. AMD CPU Microcode Vulnerabilities Explored by Google Security

Google Security researchers uncovered vulnerabilities in AMD Zen CPUs that allow malicious actors with root access to update CPU microcode, granting them unprecedented control over the hardware. This includes altering fundamental CPU instructions, posing severe risks in cloud and virtualized environments.

• Adam Boileau describes the severity of the flaw:
  "They can patch the CPU microcode that is shared across other instances or up in the hypervisor." [34:02]

The discovery underscores the importance of securing CPU firmware and the potential ramifications of such deep-level vulnerabilities.

10. Canadian Hacker Steals $65 Million in Crypto

A 22-year-old Canadian, Medjadovich, exploited vulnerabilities in smart contracts to manipulate cryptocurrency transactions, successfully siphoning off $65 million. Despite his mathematical prowess, his attempt to launder the funds was thwarted when he interacted with law enforcement through fraudulent support tickets.

• Patrick Gray reflects on the hacker's downfall:
  "[...] he was caught in a really, really dumb way." [35:46]

The case illustrates that technical ingenuity alone is insufficient to evade capture, as operational security and social engineering missteps can lead to significant failures.

11. NCSC's Guidance on Forgivable vs. Unforgivable Vulnerabilities

The UK's National Cyber Security Centre (NCSC) released guidance distinguishing between forgivable and unforgivable vulnerabilities, aimed primarily at manufacturers of edge devices like Palo Alto, Fortinet, and Ivantis. This framework seeks to inform policy and encourage responsible vulnerability management.

• Adam Boileau praises the clarity of the guidance:
  "Forgivable versus unforgivable really nails the thing that's aggravating when you read about some of these bugs." [39:01]

This initiative is pivotal in shaping industry standards and enhancing the security posture of critical infrastructure providers.

12. Sponsor Segment: Sublime Security on Email Security Threats

Sponsor: Josh Kamju, Co-Founder and CEO of Sublime Security

Josh Kamju discusses the evolving landscape of email security, focusing on how attackers are leveraging trusted services like DocuSign, SharePoint, Dropbox, and Google Drive to execute sophisticated email attacks.

• Josh Kamju explains the two primary abuse categories:

  1. Direct Abuse of Trusted Infrastructure:
     "You receive an email from DocuSign.net and it's literally from DocuSign.net, it's passing all sender authentication." [42:14]

  2. Embedded Links in Messages:
     "We end up seeing sites hosted on DocuSign, on SharePoint, on even Freshdesk or Zendesk subdomains." [42:14]

He emphasizes the difficulty in detecting such threats due to the legitimate reputation of these services. Josh outlines Sublime Security's approach to combating these attacks through granular behavioral detections and advanced threat hunting capabilities.

• Josh Kamju details Sublime's latest features:
  "We've got our fuzzy grouping algorithm [...] clusters similar campaigns together." [54:59]

These innovations aim to enhance incident response efficiency and reduce false positives, providing a robust defense against the nuanced tactics employed by modern attackers.

Conclusion

Risky Business #778 delves into a plethora of pressing information security issues, from high-profile governmental IT takeovers and significant data breaches to sophisticated email and mobile app attacks targeting cryptocurrency. The episode underscores the intricate and evolving nature of cybersecurity threats, highlighting the necessity for advanced security measures and vigilant governance. The sponsor segment by Sublime Security further accentuates the importance of adaptive and granular security solutions in mitigating these sophisticated attack vectors.

For those interested in deeper insights and detailed discussions, subscribing to Risky Business is highly recommended.