Risky Business #780 Summary: ASD's Bold Move Against Z Servers, Emerging Phishing Techniques, and More
Release Date: February 19, 2025
Host: Patrick Gray
Guest: Adam Boileau
1. ASD's Counterstrike Against Z Servers and the Medibank Data Breach (00:00 - 06:22)
Patrick Gray opens the episode by commemorating David Jorm, a respected figure in Australian cyber security, setting a somber tone before turning to the week's security news. The primary focus is a significant operation by Australia's signals intelligence agency, the Australian Signals Directorate (ASD), against Z Servers, a notorious Russian bulletproof hosting provider.
Adam Boileau elaborates on the Medibank data breach, in which ransomware attackers compromised sensitive medical data of approximately 10 million Australians and which was traced back to Alexander Ermakov. ASD's intervention was a meticulous "search and destroy" mission that ended with the destruction of about half a terabyte of Medicare data stored on Z Servers.
Adam Boileau [02:58]: "The rm -rf shark allegedly got rid of about half a terabyte of Medicare data that was stored on there."
Patrick describes ASD's timing: the agency waited until Z Servers' admins were incapacitated by alcohol at a party before launching the operation. The operation not only disrupted the criminal infrastructure but also showcased the depth of ASD's capabilities, including the use of linguists and psychologists to profile and identify Ermakov.
Patrick Gray [04:10]: "They had linguists and psychologists building profiles on these guys, which I think this is interesting because... we know Mr. Ermakov very well."
2. Emerging Phishing Techniques: Device Code Phishing (06:09 - 13:47)
The discussion shifts to device code phishing, a technique gaining traction among Russian advanced persistent threat (APT) groups. The method abuses the device code authentication flow used by services such as M365, in which a user authorizes access by entering a short code on a separate device.
Adam explains how attackers, using seemingly legitimate requests, deceive users into completing that code-entry step for a sign-in the attacker initiated, which hands the attacker long-lived access tokens for the victim's account.
Adam Boileau [07:41]: "This phishing process is designed to kind of capture that code by exploiting the confusion about what you're authenticating to."
Patrick underscores the complexity and confusion inherent in modern authentication flows, making them ripe for exploitation. Both hosts express concerns over the resilience of current authentication mechanisms in the face of such sophisticated phishing attacks.
Patrick Gray [10:13]: "This is really cool... just about how modern authentication flows are just confusing."
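The detection side of the device code discussion above, as an added example that is not from the episode or from any vendor: a small Python hunt over sign-in records that flags every device-code-flow authentication and grades it against the user's interactive sign-in baseline. The records are constructed, and their field names follow my recollection of the Microsoft Graph signIn resource (authenticationProtocol, userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode); treat those names as assumptions to check against your own log schema.

```python
"""Flag device-code-flow sign-ins and grade them against each user's baseline.

The records below are constructed for this example. Field names follow the
Microsoft Graph signIn resource as the author recalls it (an assumption, not
a copy of any real export).
"""
import json
from collections import defaultdict

# Constructed sign-in records, one JSON object per line (documentation-range IPs).
SAMPLE_SIGNINS = """
{"createdDateTime": "2025-02-17T08:02:11Z", "userPrincipalName": "alice@example.test", "authenticationProtocol": "none", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "AU"}, "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-17T09:14:35Z", "userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-17T07:55:02Z", "userPrincipalName": "bob@example.test", "authenticationProtocol": "none", "ipAddress": "203.0.113.30", "location": {"countryOrRegion": "AU"}, "appDisplayName": "Outlook", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-17T10:21:40Z", "userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "AU"}, "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-17T11:03:09Z", "userPrincipalName": "carol@example.test", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "DE"}, "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}}
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def user_baselines(records):
    """Countries and IPs each user signed in from WITHOUT the device code flow.

    Only successful, non-device-code sign-ins count as baseline, so a phished
    device code sign-in cannot launder its own location into the baseline.
    """
    countries = defaultdict(set)
    ips = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") == "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 1) != 0:
            continue
        upn = r["userPrincipalName"]
        countries[upn].add(r.get("location", {}).get("countryOrRegion"))
        ips[upn].add(r.get("ipAddress"))
    return countries, ips


def flag_device_code_signins(records):
    """Return one alert per device-code-flow sign-in, highest severity first.

    high   = successful device code sign-in from a country the user has never
             used interactively (the classic phished-code pattern)
    medium = successful device code sign-in from a known country (still worth
             a look: legitimate device code use is rare for most users)
    low    = failed attempt (the code may have expired before the victim acted)
    """
    countries, ips = user_baselines(records)
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn = r["userPrincipalName"]
        code = r.get("status", {}).get("errorCode", 1)
        country = r.get("location", {}).get("countryOrRegion")
        ip = r.get("ipAddress")
        reasons = ["device code flow used"]
        if code != 0:
            severity = "low"
            reasons.append(f"attempt failed (errorCode {code})")
        elif country not in countries[upn]:
            severity = "high"
            reasons.append(f"country {country} not in user's interactive baseline")
        else:
            severity = "medium"
            if ip not in ips[upn]:
                reasons.append(f"IP {ip} not in user's interactive baseline")
        alerts.append({
            "time": r.get("createdDateTime"),
            "user": upn,
            "app": r.get("appDisplayName"),
            "severity": severity,
            "reasons": reasons,
        })
    alerts.sort(key=lambda a: (SEVERITY_ORDER[a["severity"]], a["time"]))
    return alerts


if __name__ == "__main__":
    for alert in flag_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(alert["severity"].upper(), alert["user"], alert["app"], "; ".join(alert["reasons"]))
```

The baseline deliberately excludes device code sign-ins themselves, so an attacker's first successful sign-in cannot make the second one look normal. On a real tenant the baseline window should be weeks, not one day of records, and where the device code flow is not needed at all, the cheaper control is to block it in the identity provider rather than detect it afterwards.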
3. Website Defacement and Cloudflare's Struggles with Spanish Soccer Piracy (13:47 - 18:24)
Patrick introduces a lighter but still concerning topic: the defacement of the doge.gov website. Citing Jason Koebler of 404 Media, he explains that the site, intended to aggregate social media posts and statistics, was compromised through an unsecured data store that allowed unauthorized content to be posted.
Turning to Cloudflare, the hosts discuss a legal battle involving the Spanish football (soccer) league. Spanish courts ordered ISPs to block access to pirated football streams served via Cloudflare, which inadvertently cut off legitimate services as well and caused widespread inconvenience.
Patrick Gray [16:30]: "You can't do your code commit on a weekend because of football piracy. It's amazing."
Adam criticizes Cloudflare's stance on freedom of speech, highlighting the platform's challenges in balancing support for legitimate services while mitigating piracy and other malicious activities.
Adam Boileau [17:19]: "Cloudflare has repeatedly warned about the consequences of IP blocking. That fundamentally ignores the way the Internet works."
4. Palo Alto Networks Vulnerability and Qualys Uncovers OpenSSH Bugs (18:24 - 28:25)
Patrick shifts focus to a new vulnerability in Palo Alto Networks firewalls that is being actively exploited to gain unauthorized access to PAN-OS devices. It is the latest in a recurring series of such bugs, underscoring the ongoing challenges of securing network infrastructure.
Patrick Gray [18:24]: "Palo Alto Networks has another firewall vuln under active exploitation."
Following this, Adam discusses Qualys' discovery of critical bugs in OpenSSH, including a privilege escalation flaw and a denial-of-service vulnerability. The bugs, reachable in configurations that enable DNS-based host key validation, had existed for years and were only recently patched.
Adam Boileau [20:23]: "These bugs have been around for a long time and the necessary configuration was on by default on like FreeBSD for a few years."
5. Salt Typhoon's Campaign Against Cisco Devices (28:25 - 35:32)
The conversation progresses to Salt Typhoon, a group targeting over a thousand Cisco devices, predominantly within telecommunications companies and universities. Using two privilege escalation (privesc) vulnerabilities, they exploit Cisco IOS XE, the Linux-based operating system underlying many Cisco devices.
Adam emphasizes the stealth and persistence of Salt Typhoon, noting the difficulty in remediating compromised devices once the attackers have established a foothold.
Adam Boileau [30:46]: "Once these guys are in your network, boy, oh boy, you're not going to get them out in a hurry."
6. Sandworm's Tor-Based Command and Control Operations (35:32 - 38:21)
Patrick introduces a Microsoft analysis of Sandworm’s recent activities, highlighting their innovative use of Tor hidden services for command and control (C2). This shift signifies a strategic move to enhance the resilience and stealth of their operations.
Adam theorizes that Sandworm employs Tor to mitigate the risk of C2 infrastructure being easily disrupted, balancing the trade-off between operational complexity and effectiveness.
Patrick Gray [31:31]: "This seems like sacrificing a little bit of stealth on target to get more of a, you know, a result from a macro perspective."
7. Chinese Criminals' Phishing Schemes to Compromise Mobile Wallets (38:21 - 45:32)
Brian Krebs' investigative work is spotlighted, revealing how Chinese criminals phish credit card holders so that the cards can be added to mobile device wallets such as Apple Wallet and Google Wallet. Devices with these pre-loaded wallets are then sold on, enabling unauthorized transactions.
Adam draws parallels between these modern phishing techniques and traditional methods, emphasizing the sophistication and adaptability of current cybercriminal strategies.
Adam Boileau [32:39]: "This is kind of what modern credit card gimmick looks like... they send you something that tricks the LLM into going and grabbing sensitive documents."
Patrick questions the effectiveness of banks and phone manufacturers in detecting and preventing such fraudulent activities, suggesting that more robust measures are needed.
Patrick Gray [35:32]: "It's a bit scary... because you have a lot of options for taking away a lot of access all at once."
8. Prompt Injection Attacks on Large Language Models (45:32 - 44:29)
Dan Goodin's reporting on prompt injection attacks against Large Language Models (LLMs) such as Gemini is discussed. These attacks manipulate an LLM into executing unauthorized actions, such as exfiltrating sensitive documents or performing other malicious operations.
Adam likens these attacks to traditional memory corruption exploits, where the boundary between code and data is blurred, leading to unintended behaviors.
Adam Boileau [37:03]: "It's all about a new technology that requires boundaries to be better defined."
Patrick ties this back to the broader theme of data governance, highlighting the complexities introduced by integrating LLMs into various services and products.
Patrick Gray [53:22]: "Ultimately the thing you want to do is just put some boundaries around stuff you don't want going into LLMs and don't let it go anywhere it's not supposed to go."
9. Remembrance of David Jorm (44:29 - 46:38)
In an emotional segment, Patrick Gray pays tribute to David Jorm, a cherished colleague and friend in the cyber security community who recently passed away. He shares heartfelt memories of David’s contributions, including organizing security conferences and his unique presentation style using his alter ego, Lord Tuskington the Walrus.
David's struggle with bipolar disorder is addressed with sensitivity, clarifying that his passing was due to an accidental alcohol-induced incident rather than suicide.
Patrick Gray [43:55]: "He was an avid outdoor adventurer... and he was a devout Hare Krishna as well."
Adam reminisces about their collaborative moments and David’s vibrant personality, underscoring the significant loss felt within the community.
Adam Boileau [45:48]: "He was absolutely one of them. So, yeah, we, we had that in common and we shared some good bugs over the years."
Closing Thoughts
Patrick Gray concludes the episode by reflecting on David’s impactful life and the broader implications of the week’s discussions on cyber security trends and challenges. The episode underscores the evolving nature of cyber threats and the continuous need for robust defense mechanisms.
Notable Quotes:
- Adam Boileau [02:58]: "The rm -rf shark allegedly got rid of about half a terabyte of Medicare data that was stored on there."
- Patrick Gray [04:10]: "They had linguists and psychologists building profiles on these guys, which I think this is interesting because... we know Mr. Ermakov very well."
- Adam Boileau [07:41]: "This phishing process is designed to kind of capture that code by exploiting the confusion about what you're authenticating to."
- Patrick Gray [10:13]: "This is really cool... just about how modern authentication flows are just confusing."
- Patrick Gray [16:30]: "You can't do your code commit on a weekend because of football piracy. It's amazing."
- Adam Boileau [20:23]: "These bugs have been around for a long time and the necessary configuration was on by default on like FreeBSD for a few years."
- Adam Boileau [37:03]: "It's all about a new technology that requires boundaries to be better defined."
- Patrick Gray [53:22]: "Ultimately the thing you want to do is just put some boundaries around stuff you don't want going into LLMs and don't let it go anywhere it's not supposed to go."
Conclusion
Risky Business #780 delivers a comprehensive overview of critical security developments, from ASD's effective disruption of criminal hosting services to emerging phishing techniques targeting modern authentication systems. The episode also delves into vulnerabilities within pivotal infrastructure like Palo Alto Networks and Cisco devices, highlights sophisticated cybercriminal strategies involving mobile wallets, and explores the intricate challenges posed by integrating Large Language Models into everyday applications. The heartfelt remembrance of David Jorm adds a personal touch, emphasizing the community’s resilience and camaraderie in the face of loss.
