Risky Business #781 – How Bybit Oopsied $1.4bn
Release Date: February 26, 2025
Host: Patrick Gray
Guest: Lena Lau, Founder of Sintra
Sponsor: Airlock Digital
Overview
In episode #781 of Risky Business, host Patrick Gray delves into the world of information security with a focus on the largest cryptocurrency theft in history—the Bybit hack—and Apple's contentious withdrawal of advanced data protection from the UK market. The episode also features an in-depth interview with Lena Lau, founder of Sintra, who discusses her viral blog post analyzing Chinese incident response reports related to NSA activities. Additionally, listeners gain insights from Airlock Digital on the vulnerabilities of Windows Defender Application Control (WDAC).
Biggest Story: The Bybit Hack
Timestamp: [00:00] - [08:49]
The episode kicks off with a detailed discussion on the Bybit hack, where a staggering US$1.4 billion was stolen, marking it as the largest crypto theft to date. Lena Lau provides an expert breakdown of how the hack was executed, attributing the breach to North Korean operatives.
Lena Lau explains:
"The exchange has most of their funds stored in a cold wallet... The attackers managed to get malware onto the computers of some of the staff, including the boss of Bybit, and faked a user interface for their multi-signature process, convincing them to sign a malicious transaction."
[01:39]
The multi-signature setup at Bybit required multiple authorizations to transfer funds. However, the attackers cleverly manipulated the user interface, leading to unauthorized control over the entire cold wallet. Adam Boileau adds context by comparing this incident to traditional banking systems, highlighting the irreversible nature of crypto transactions.
"With Crypto, once it's gone, it's gone. So you do need to step it up. So they need to have robust procedures around which transactions are approved."
[12:38]
Lena Lau further critiques Bybit's security measures, emphasizing the importance of using standalone, single-purpose devices to minimize attack surfaces.
"That's the main thing is you want something that you don't use for other stuff because that just reduces attack surface."
[11:37]
Apple Withdraws Advanced Data Protection in the UK
Timestamp: [17:25] - [26:42]
The conversation shifts to Apple's decision to disable Advanced Data Protection (ADP) for iCloud users in the UK. This move came after the UK government requested Apple to develop a means to retrieve evidence from iCloud accounts protected by ADP, which Apple refused.
Adam Boileau discusses the implications:
"Apple has withdrawn advanced data protection for the UK market... All of their photos and everything are end-to-end encrypted. They're going to be given a grace period to turn it off themselves."
[17:25]
Lena Lau analyzes the broader impact, contemplating whether British users are better or worse off without ADP.
"Given the relationship between America, where Apple being an American company, like the relationship in America and the rest of the world... it's not a great time for walking back."
[19:38]
The debate touches on the balance between user privacy and governmental surveillance, with both hosts expressing concerns over potential authoritarian shifts in government policies.
"It's pretty messy... use of surveillance demands that are like Signal probably would because they're a non-profit and that's kind of, that's their whole thing."
[26:42]
Other Security News Highlights
Timestamp: [26:42] - [39:54]
The episode continues with a roundup of recent security incidents and trends:
- BlackBasta Ransomware Leak: Discussions around the internal conflicts within the BlackBasta ransomware group, revealing insights into their operations and leadership issues.
- Signal App Phishing Attacks: Lena Lau explains a sophisticated QR code-based phishing method targeting the Signal app. Attackers, primarily Russian, exploit Signal's device linking feature to gain unauthorized access:
  "They have a group chat with a bunch of malicious QR codes... using captured devices on the battlefield to send them to contacts."
  [29:34]
- Meta's Lawsuit Against Idris Cuba: Meta is suing an individual for running an extortion scheme targeting Instagram users, highlighting the platform's ongoing struggles with account security and abuse.
- Cisco Talos on Salt Typhoon: Analyzing how the Salt Typhoon group infiltrates networks by exploiting Cisco devices and leveraging credential reuse to gain extensive access:
  "They can use the network routing infrastructure to sniff creds off the wire... it's a thing that I've been doing for 15, 20 years."
  [34:12]
- Thailand's Handling of Myanmar Scam Hub Victims: Reports on how Thailand is receiving thousands of individuals freed from scam operations in Myanmar, showcasing the complexities of regional cybercrime and human trafficking issues.
- Federal Contractor Fine: A US federal contractor faced an $11 million fine for falsifying compliance with federal cybersecurity standards, underlining the importance of integrity in cybersecurity practices.
Guest Interview: Lena Lau on Translating Chinese IR Reports
Timestamp: [39:54] - [48:18]
Lena Lau joins the show to discuss her viral blog post, "An Inside Look at NSA TTPs from China's Lens," where she translates and contextualizes Chinese incident response reports attributing activities to the NSA.
Patrick Gray praises Lena's efforts:
"She took a bunch of articles written in Chinese and rewrote them to match the Western audience... this has gone massively viral."
[39:58]
Lena Lau shares her motivations and discoveries:
"Chinese threat intel write-ups tend to be a little scattered... I took a bunch of articles and rewrote them in a more coherent format for Western audiences."
[40:19]
A key insight from Lena is the distinctive structure of Chinese IR reports: they often open with attribution and detail the methods used to link an attack to a specific actor, in contrast to Western reports, which typically focus on Indicators of Compromise (IOCs) without extensive attribution.
"Most of their IR reports start off with attribution and how they performed the attribution and how they linked it, which isn't something we normally get in our classic intel reports."
[42:46]
The reaction to Lena's blog post was unexpected, as it sparked significant attention and debate within the cybersecurity community, revealing a gap in understanding Eastern perspectives on operations by Five Eyes agencies.
"It surprised me a little bit and made me realize that most Western audiences probably aren't as attuned to what's going on allegedly with the Five Eyes governments."
[45:54]
Lena also discusses the challenges of translating and interpreting Chinese reports, emphasizing the importance of bridging language barriers to enhance global cybersecurity understanding.
"Unless you're sitting there stalking WeChat, you're not going to be refreshing 360's company site and finding every single report."
[44:15]
Sponsor Spotlight: Airlock Digital on WDAC Vulnerabilities
Timestamp: [48:36] - [62:18]
The episode transitions to a sponsorship segment featuring Airlock Digital, represented by Dave Cottingham and Daniel Schell. They discuss recent research highlighting how attackers can exploit Windows Defender Application Control (WDAC) to disable Endpoint Detection and Response (EDR) systems.
Daniel Schell explains the research:
"If you've got admin rights as a user, you can drop a WDAC policy file into a folder on Windows, reboot the system, and it will read that and respect that policy... only trust Microsoft signed files and therefore all EDR and other drivers won't be allowed to run."
[50:32]
Adam Boileau comments on the implications:
"If you've got write permission, you can implement that as a policy and the next time there's a reboot, all of those protections are gone."
[50:46]
Daniel Schell outlines Airlock Digital's approach to mitigating this vulnerability:
"Our policy sort of like don't transfer between customers and stuff... there's a lot of protections in our agent like anti-tampering."
[52:19]
The discussion highlights the challenge this poses for EDR vendors: an actor who already has administrative control over the system's code-integrity policy can switch off the very protections that depend on the EDR driver loading, and the change only takes effect at the next reboot.
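One defender-side check for the policy-drop scenario described above, as an added example that is not from the episode or from Airlock Digital: it enumerates the WDAC policy files Windows will load at the next boot, compares them against a baseline of expected hashes (placeholders here), and pulls the Code Integrity activation events for correlation. It assumes the standard Code Integrity file locations and a host where the script runs with rights to read them.

```powershell
# Added example (not the podcast's or Airlock Digital's code): flag WDAC policy
# files that are not in a known-good baseline before the next reboot applies them.
$ErrorActionPreference = 'Stop'

# Placeholder baseline: SHA256 of each policy file expected on this host,
# populated by an operator from a known-good build.
$Baseline = @{
    'SiPolicy.p7b' = '<EXPECTED-SHA256-PLACEHOLDER>'
}

$ciRoot = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
$paths  = @(
    (Join-Path $ciRoot 'SiPolicy.p7b'),            # single-policy (legacy) format
    (Join-Path $ciRoot 'CiPolicies\Active\*.cip')  # multiple-policy format
)

$findings = foreach ($p in $paths) {
    foreach ($f in Get-ChildItem -Path $p -File -ErrorAction SilentlyContinue) {
        $hash  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        $known = $Baseline[$f.Name]
        [pscustomobject]@{
            File     = $f.FullName
            Sha256   = $hash
            Modified = $f.LastWriteTimeUtc
            Status   = if (-not $known)           { 'UNEXPECTED' }
                       elseif ($known -ne $hash)  { 'MODIFIED' }
                       else                       { 'OK' }
        }
    }
}

# Anything not OK is a policy file the kernel will honour at the next boot,
# which is the window in which to alert and investigate.
$findings | Format-Table -AutoSize

# Event 3099 in the Code Integrity operational log records a policy being
# activated or refreshed; a new 3099 for an unrecognised policy after a reboot
# is the on-host signal that the dropped policy has taken effect.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3099
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Scheduling this as a periodic check, or shipping the 3099 events to a SIEM, turns the reboot delay the speakers describe into a detection opportunity rather than a blind spot.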
Patrick Gray provides additional context on the broader implications:
"Security is about constraint... allow listings are great, but it's really about beyond that. Let's start to cut down on that attack surface by commonly abused utilities."
[61:12]
Daniel Schell responds by emphasizing the importance of allowing customers to define their own security constraints, enhancing the effectiveness of allow-listing mechanisms.
"You can define your constraints as a customer... beyond that you get another significant bump in security improvement."
[61:12]
The segment concludes with actionable advice for organizations to prioritize minimizing their attack surfaces and leveraging enterprise-grade security builds, such as Windows Server Core.
Conclusion
Episode #781 of Risky Business offers a comprehensive dive into the latest cybersecurity incidents, expert analyses, and emerging vulnerabilities. From the unprecedented Bybit hack to Apple's defensive stance against governmental data access, and from translating Chinese IR reports to exposing WDAC loopholes, the episode underscores the multifaceted challenges facing information security professionals today. Lena Lau's insights and Airlock Digital's technical deep dive provide listeners with valuable perspectives on navigating the evolving threat landscape.
Notable Quotes with Timestamps:
- Lena Lau [01:39]: "The attackers managed to get malware onto the computers of some of the staff, including the boss of Bybit, and faked a user interface for their multi-signature process, convincing them to sign a malicious transaction."
- Adam Boileau [12:38]: "With Crypto, once it's gone, it's gone. So you do need to step it up. So they need to have robust procedures around which transactions are approved."
- Lena Lau [19:38]: "Given the relationship between America, where Apple being an American company... it's not a great time for walking back."
- Patrick Gray [39:58]: "She took a bunch of articles written in Chinese and rewrote them to match the Western audience... this has gone massively viral."
- Daniel Schell [50:32]: "If you've got admin rights as a user, you can drop a WDAC policy file into a folder on Windows, reboot the system, and it will read that and respect that policy."
- Patrick Gray [61:12]: "Security is about constraint... allow listings are great, but it's really about beyond that. Let's start to cut down on that attack surface by commonly abused utilities."
For More Information:
- Lena Lau’s Blog Post: [Link in Show Notes]
- Airlock Digital’s Research on WDAC: [Link in Show Notes]
- Risky Bulletin Subscription: risky.biz
- Mike Burgess’s ASIO Annual Threat Assessment 2025: [YouTube Link]
Thank you for listening to Risky Business. Stay tuned for more in-depth analyses and expert interviews next week.
