Adam Boileau
And welcome to another edition of Risky Business. My name is Patrick Gray. We'll be chatting through the week's security news in just a moment with Adam Boileau. We're going to talk about the Bybit hack and Apple withdrawing Advanced Data Protection out of the UK market. All sorts of fun stuff to talk about there. And then we're going to chat with Lena Lau, who is a regular guest on Risky Business. And she wrote a blog post about where she took a bunch of like Chinese incident response reports that attributed activity to the NSA and then rewrote them into a good English report, English language report, and that's gone viral and everybody's talking about it. So we bring her onto the show to have a bit of a chat about that. And then we will be hearing from this week's sponsor, which is Airlock Digital. And I chat with Dave Cottingham and Daniel Schell from Airlock about some kind of hilarious research work some people did, a third party, I can't remember who, where. They basically figured out how they could get, how they could use disk write access, like privileged disk write access, to essentially create a Windows WDAC rule which would prevent EDR from loading, which is a funny way to solve that particular problem. So we'll talk to them about that a little bit later on. But Adam, let's get into the news now. And obviously a big story this week is the biggest crypto theft in history. We're talking US$1.4 billion and frankly, I hoped it would be a little bit harder to do this. And that's what we're going to talk about now.
Lena Lau
Yes. So this was an exchange called Bybit and they appear to have been hacked by North Koreans. The, you know, the blockchain evidence suggests it was probably North Koreans plus some of the tradecraft. And the way this went down should have been, as you say, a little bit harder than, you know, to steal $1.5 billion. It ought to be a little more work. So the basic shape of this is this exchange has most of their funds stored in a cold wallet. Like that is a wallet where the key material is not on the computers that run the exchange. In this case, I think they have hardware wallets, Ledger hardware wallets, I believe. And when they want to move from the cold wallet into the hot wallet, a group of them have to get together and authorize that transfer using their hardware wallets to do so. And this kind of like multi-signature setup where you need, you know, like three out of five people or whatever to sign off as you know, kind of, we see similar controls in regular, you know, financial institutes or businesses or whatever else. So they were compromised by some North Koreans who managed to get, it looks like they managed to get malware onto the computers, the desktops or whatever of some of the staff, including the boss of Bybit, and then fake up a user interface for their multi-signature process that convinced them they were signing a normal looking transaction to move some money from their cold wallet into their hot wallet. But instead what actually happened is they signed a transaction that essentially gave the North Koreans control of their entire cold wallet. Whoops. Which, not ideal. And you might ask, how could this possibly happen? How can you look at your hardware wallet, which, you know, part of the thing of these like Ledger hardware wallets or other hardware wallets is they have a little screen which shows you what you're going to be signing and then you can decide, do I approve this transaction? Yes. No.
And so the attackers in this case have fooled them with a fake user interface on their computers. But then presumably the point of the hardware wallet is to allow you to make an informed decision about what you're signing.
Adam Boileau
Because you can trust your computer screen.
Lena Lau
Because you can't trust your computer screen.
Adam Boileau
Thus hardware wallets exist.
Lena Lau
Exactly. That is the whole point of hardware wallets.
Adam Boileau
But it's a screen you can trust. So that's the one you want to look at. Glad we understand this.
Lena Lau
Yes, yeah, exactly. So that makes sense so far. Now the North Koreans are smart and what they did was. So normally if you were transferring money around on the blockchain, this is all Ethereum blockchain. And if you just wanted to move coins from wallet A to wallet B, the wallet, the hardware wallet, the Ledger or whatever understands that transaction. It will show you you are from this account, paying to this account this much money. And your wallet will give you good information. You say yes or no. In this case, because they're using multi-signature for security, they're not actually moving coins around. They are calling into a multi-signature smart contract on the blockchain, calling into an API in that smart contract and asking it to transfer the coins around. And the smart wallet doesn't know about that kind of transaction because that's kind of custom to. So they were using Gnosis Safe wallet, which is probably the most common multisig, you know, kind of wallet, smart contract. So they were using an instance of that to hold their coins. And so their Ledger wallets are signing an API call into a function in their smart contract. And I don't have a Ledger, like a Ledger hardware wallet. So I'm not 100% sure, but the documentation suggests that signing these kinds of transactions involves the wallet showing you the API it's going to call and then all the parameters for that API and you have to approve each one. And so you're going to be sitting there clicking like 17 times to be able to approve this transaction and in this case the thing. So there's like the transaction that they were doing basically had sort of like an opaque blob of hex and a couple of option parameters, and they were supposed to approve that. And clearly they didn't have a written procedure or something to verify that against, or they had just turned that stuff off because there was a mode called blind signing where you just go, look, this wallet doesn't understand.
I'm going to just hit yes, don't bother me with the details. Which is kind of what most people will tell you to do when signing smart contract transactions.
Adam Boileau
But doesn't this wallet might be a crazy question here, Adam, but doesn't that sort of negate the purpose of having a smart wallet in the. A hardware wallet in the first place?
Lena Lau
$1.5 billion says yes, Pat. It does negate the point. There's also a few other interesting nuances here, like, of how the North Koreans actually pulled it off, because if the function in the smart wallet they were calling into kind of allowed them. So there's sort of a pattern in Ethereum land where when you store code in the blockchain, which is kind of what smart contracts are, you can't change it. So if you want to change code in the future, there's kind of a mechanism for extending code. So like, I guess you could think of like logic, kind of like inheritance in regular software programming, but there's sort of a mechanism where one smart contract can proxy execution of a particular bit of logic to some future upgraded version of the same smart contract. And the North Koreans deployed a malicious contract some days in advance that pretended to be the transfer function of the legitimate smart wallet, but actually basically changed the ownership. Like, allowed the North Koreans to just kind of take control of the entire cold wallet and that they laid that groundwork in advance and then tricked them into signing a transaction that they thought was normal. Anyway, while I was unraveling all this, went and dug through the blockchain, the Ethereum blockchain history, because the question I wanted to know was, is this the normal process for Bybit to move money around? And like, did they normally call this kind of opaque API endpoint where they didn't want.
Adam Boileau
And then just smash the. Yeah, whatever button. Yes, yeah, yeah.
Lena Lau
And the blockchain suggests that they did. Like before they move money between wallets, between cold wallet, the hot wallet, there is an API call that does the multi sig process. And they did that basically every time that they were moving money around. So I feel like the complacency of just smacking yes on their hardware wallets came along and, you know, the North Koreans used it to bite them in the ass. And that's, you know, on the one hand, deeply understandable because humans love just clicking next, next, next. But on the other hand, when you are securing $1.5 billion in a giant cryptocurrency exchange, you kind of need to do better than this. And all they needed to do was have a single standalone, you know, iPad or whatever to run the front end for this, you know, multi sig wallet. Like, presumably they had Windows boxes or Mac desktops or something like that.
Adam Boileau
Well, well, well. So this is, this is where I want to jump in. Right. So first of all, one note is you might see similar processes at banks.
Lena Lau
Yes.
Adam Boileau
The thing is, when $1.5 billion gets transferred out of a bank, people are going to notice pretty quick and then recovery efforts begin. And because this has gone to other banks and whatnot, you're going to get most of it back. You might lose a little if the attackers or thieves can outrun you. But if 1.4 billion goes, you get, I mean, let's just say 1.3 of it's coming back. Right. Minimum. Right. Like that, that's fine. So whereas with crypto, man, once it's gone, it's gone. So, you know, as you point out quite rightly, you do need to step it up. So I've got questions about what the malware was, because you could do this with a malicious Chrome extension and we've seen people trojaning that supply chain. I mean, do we actually have any detail here on what the malware was? Because it was on five, apparently five boxes that were, you know, involved in this, in signing this transaction. And I would suspect, you know, I mean, really, if I'm them, I want to be in the browser. I don't really care about touching the OS and getting snapped by EDR.
Lena Lau
Yeah, I mean, I think, like, if you were going to do this cross platform, then my first, like, if you weren't sure if they were Chrome on Mac or Windows or whatever else, like, my feeling would be drop a browser CA certificate on the OS and then do it in the network with a proxy. But there's also multiple because the Gnosis Safe has a browser based interface, but also has apps that presumably make API calls to a back end and they have, I think you can run your own version of their interface as well. So depending on kind of how that software was working in their case, would kind of lead to how you did it. You could absolutely. If like if they're running a thick client application, you know, or a thing that's not running in a regular browser, like maybe you would do it in the user interface on the end use on the computer. You could do it if it's in the browser with a browser plugin kind of style thing. You could do it with TLS Intercept if you can control the browser certificates.
Adam Boileau
Well, and so this is why I wondered about, like you, I wondered about, well, why not use an iPad that has this app on it and you can connect that to your hardware wallet and you don't use that device for anything else. And I thought this would seem to be a sensible way to do it. First of all though, is there MDM involved for iPads? Can you put certificates onto iPads through MDM? I don't actually know if you can.
Lena Lau
I mean, yeah, you can.
Adam Boileau
But then it got me thinking more. Well, when we're talking about $1.4 billion, some sort of iOS 0-day is kind of worth using at that point. Right. Even then, at that point is it actually worth, you know, is how much is that going to get you out of trouble? Right. And I'm just not sure. I think at the very least that would be a recommendation is to use standalone, like kind of unmanaged, locked down, single purpose.
Lena Lau
Right. That's the main thing is you want something that you don't use for other stuff because that just reduces attack surface. And sure, you could probably get 0-day'd, but it's just I would much rather a single purpose and like they've got multisig even if one person in the multisig pool is doing it on a single purpose device. Right. Or you have, you know, and this.
Adam Boileau
Is, and this is where I was going, right, which is ultimately, okay, you can use a standalone device, but with a $1.4 billion payday, I don't know how much you can rely on the security of that device, which is why hardware wallets work in the first place. And ultimately the thing that would have prevented this is is having robust and serious procedures around which transactions are approved. And that's what they didn't have. So bye bye. $1.4 billion.
Lena Lau
Yeah, exactly, exactly. If this was a real financial institution, you would hope that they had some process for managing $1 billion transaction.
Adam Boileau
But again, you know, it's less critical in the traditional financial system because you.
Lena Lau
Can recover funds when this happens, like compensating controls or.
Adam Boileau
But, you know, thanks to the immutability of the blockchain, that money's gone, right?
Lena Lau
Yes. And gone off towards North Korea, but not quite there yet. I mean, money laundering is in flight. I think ZachXBT has been, you know, following some of the coinage around. Then it's going through the normal kind of North Korean laundering patterns. And I don't know what kind of loss rate they get on laundering. You know, even, you know, a very small percent of $1.4 billion is still, you know, quite a lot of dollars, especially if you're a, you know, largely isolated hermit kingdom. But, but yeah, I. $1.4 billion. Whether pressing a button on a little USB hardware wallet, like, man.
Adam Boileau
But I mean, this is just. We keep seeing. I'm just amazed really, anyone has confidence in this stuff anymore. Right. Like, it is incredible to me that people have confidence in it when you can see these sorts of. And look, this is the biggest. But we've seen billions of dollars worth of crypto go walkies and, you know, North Korea has dedicated its state resources to doing this. I mean, you know, at what point do you just say, I don't know that being involved in this stuff is a great idea?
Lena Lau
I mean, there's many reasons why being involved in the cryptocurrency world is not a great idea. And this is one of them. But there are certainly plenty of others as well. You know, environmental concerns and the giant thing, the whole thing kind of being a giant effect. They're kind of giant Ponzi scheme like this. Yeah, yeah, yeah. Just. Just don't, dear listeners, just don't.
Adam Boileau
Meanwhile, I'm going to link through also to a piece from Daryna Antoniuk over at the Record talking about how someone's compiling. They're basically putting out those Trojan versions, versions of Xcode. So when people create apps with them, they're Trojaned and, you know, they're using that to steal crypto. And this isn't new. The only reason I mention it is because we actually talked about that a couple of weeks ago about like, hey, remember when they were doing that with Xcode? Turns out they still are. Another one from Daryna. The EU has actually sanctioned a North Korean general, Lee Chang Ho who's a 58 year old, you know, head of the North Korean Reconnaissance General Bureau. They did a bunch of, you know, Lazarus stuff. Lee was involved in Lazarus and also involved in deploying North Korean personnel to fight in Russia, fight Ukraine, Ukrainian troops in occupied areas of Russia. So, you know, lot going on there. But then, you know, coincidentally, we have this wonderful report out from Chainalysis talking about crypto and bad stuff being done with it. It's a mixed bag because it shows that sanctioned jurisdictions and entities received $15.8 billion of cryptocurrency in 2024, which accounted for about 39% of all illicit crypto transactions. But more broadly, illicit transactions were actually down by 25% or so year on year. But it's, you know, Chainalysis do great work and this is a terrific report that if people wanted to understand the state of bad stuff happening in the cryptocurrency ecosystem, it's not a bad place to start.
Lena Lau
Yeah, there's a bunch of interesting insights in here. And I think the thing you said about the volume being kind of down in the last year, I think 2023 was kind of an outlier, looking at the graphs, sort of the general trend where 2023 is just like wildly more than the previous year and kind of 2024 is kind of in line with that anyway. But there's a bunch of other interesting insights, things like how cryptocurrency gets used in Iran, for example, and when they saw things kicking off between Iran and Israel, the kind of amount of cryptocurrency facilitating capital flight out of Iran. There's a bunch of details in here about some of the sanctions because we've often talked about, you know, there are places in the cryptocurrency ecosystem where it makes sense to apply pressure on exchanges, on tumblers, things that facilitate the use of it for crime. And, you know, we've seen quite a lot of sanctions targeting some of those kinds of areas of that ecosystem. So, yeah, like if you are impacted by, you know, financial cybercrime, understanding how people cash out and what that looks like, you know, is an important part of that process. So definitely worth a read, I reckon.
Adam Boileau
Yeah. And funnily enough, Tornado Cash, according to Chainalysis, is down but not out. People are still using it. Right. But the volumes are down somewhat. I will say too, that like, you know, you and I, we are crypto skeptics, we think that there are a lot of illegitimate uses for it. That, and, you know, the legitimate uses don't seem to sort of outweigh the negatives often. But I will say too that $16 billion in the context of like all OFAC sanctioned entities doesn't actually seem like that much, if I'm honest. But let's keep an eye on that number over time, I would suggest.
Lena Lau
Yeah, exactly, yeah.
Adam Boileau
Now, crypto wars. Crypto wars. There's been a big spat between Apple and the UK government. Apparently, you know, a short time ago, some weeks ago, I think the British government asked Apple to, you know, develop a capability that would allow them to retrieve evidence from iCloud accounts that were protected by Advanced Data Protection. And what it looks like has happened is Apple said, yeah, we're not going to do that. So they're just turning off Advanced Data Protection for the UK market. So that means no one can actually enroll in Advanced Data Protection and those who are using it, which means all of their photos and everything are like end to end encrypted. They're going to be given a grace period where they have to turn it off themselves. Otherwise Apple's just going to presumably nuke their stuff out of iCloud or maybe just lock it up until they go through that process. You know, interesting development because we've seen these sorts of things bubble up before and usually the governments back down. But I guess that's what's interesting in this case is that's not how it worked out this time.
Lena Lau
Yeah, yeah, that is normally how it goes. And you know, we've seen lots of kind of hand wringing about this, but it's. There's actually a few bits of nuance I guess in here. Like one is Advanced Data Protection enables end to end crypto with end user controlled key material for a reasonable amount of iCloud services and properties, but not all of them. There are some that are already end to end crypto that are not included in this kind of conversation. And I'm curious as to whether the UK's Technical Capability Notice or whatever also extends to some of the other things that are not ADP but are end to end encrypted. Like which kind of bits of iCloud. And that certainly could be clearer in Apple's communications. And then yeah, there's the bigger kind of like, given the relationship between America, where Apple being an American company, like the relationship in America and the rest of the world and the American political situation at the moment, now is not a great time for walking back. It doesn't feel like it's a great time for walking back.
Adam Boileau
Some technical protections for privacy, yes.
Lena Lau
Yeah, so like it's going to be an interesting, you know, next few years and you know, I'm not quite sure how this is going to play out, you know, because we've seen tech companies, you know, like Signal, we're going to talk about in a second kind of playing brinkmanship with governments and governments as you say, mostly have back down but you know, governments may be feeling a bit emboldened lately, I don't know.
Adam Boileau
Well look, my opinion on this is I wonder, right? Just ignore what's happening in the United States, ignore what people's attitudes are with regard to trusting their government in the United States at the moment. Just think about this from a UK perspective. Are Britons better off, you know, is their privacy better off and their general security better off with Apple having done this? Because Apple's whole rationale for introducing these features and I was on the press call, right, their rationale for introducing this feature was very sound. They're like, look, we see mass scale data breaches quite regularly. We fear that it's a matter of time before something like this happens to us. And indeed there was the, you know, the whole scandal years ago, like a decade ago when celebrities' photos got leaked because people were brute forcing iCloud passwords and, and whatnot. So they've kind of been there. So they're like we're going to put ourselves in a position where, you know, if we have an incident, you know, the impact of that is going to be somewhat contained. Excellent rationale. I agree with them. And now they're just turning it off for everyone, like instead of allowing selective decryption. Now look, it's one thing for them to say oh but we can't because it's end to end encrypted. I mean look, they have control over the handsets. They could do this if they wanted to. They could certainly introduce a silent feature that would migrate their users away from the encrypted version of their iCloud. It would take some changes to iOS or whatever and they wouldn't want to do it. And I think there are good reasons they wouldn't want to do it, but they can't argue with a straight face to me anyway that this is something that they are technologically incapable of doing. Right, that's just, to me that's just silly and a little bit disingenuous. So I think this is complicated.
I think that people in the UK are worse off because of this and I think this move is, you know, there's politics in it which is that people in the UK can now point to the government and say, look what you made Apple do. And Apple gets to come out of this looking certainly shinier than the government does there. But look, you're right and we don't like to talk about American politics on this show, but there's been some pretty alarming developments in the United States with regard to, you know, recent appointments to the FBI. We just saw this morning actually that Trump has revoked the security clearances of a, everyone at a law firm that he doesn't like because it had done government work that he, that he disagreed with. So it does look like certainly at this point that the US is sort of sliding towards a more authoritarian system of government. And I can understand why people would want to cling to these sort of protections because they do protect you against, you know, governments that don't respect the rule of law. And, you know, I'm going to get comments and dislikes on YouTube and angry emails and stuff, but it does really look like the rule of law in the United States is, you know, it's not over, but it's not on the right trajectory.
Lena Lau
No, it's certainly not. And you know, it, you know, it's defending against your own government, obviously that's kind of not how these things work. Right. But when you're defending in a global context against, you know, multinational companies that, you know, where other governments in their world have different interests, like things do get kind of complicated and end to end crypto is one of those controls that ultimately is pretty straightforward. Math says no.
Adam Boileau
Well, I disagree with it. You know, I disagree with that. You know, math said no. Unless you do something on the endpoint that makes sense.
Lena Lau
Unless I do something on the endpoint.
Patrick Gray
You know what I mean?
Adam Boileau
Like, come on, man.
Lena Lau
Yeah, yeah. But in the case of the UK, right, it would, you know, the only really pragmatic solution is that Apple provides law enforcement access to end devices. Right. They don't change it globally, but they provide, you know, an entry point for legitimate access to go deploy an implant on a device. I think, you know, where I've landed.
Adam Boileau
On all of this is I think there is actually room for the lobbyists, for the major technology companies to work with legislators and say, look, we will consider building some sort of access capability, but we want to overhaul surveillance legislation so that it's deployed only in the, in the instances where it's really important. When there is a murder investigation, large scale corruption, terrorism, counter espionage, you know, these are the sorts of things where we're happy to help, but it will require changes to the law. And I think, you know, that's the only thing I can think of where, you know, the last thing the tech companies want to do is build some sort of capability and then the local constable at a police station is all up in someone's iPhone because, you know, reasons. Right, Like, I think there is room for a lot of this to be renegotiated and I just can't see it happening at the moment, just in the current climate.
Lena Lau
Things like we can't even agree on basic stuff like, you know, vaccines and climate change, let alone really complicated nuanced issues like this where, you know, there are complicated equities to trade off, you know, and even we were editing this today's Risky Bulletin and there's a story about an Italian priest getting Paragon spyware by presumably the Italian government because he was involved in, you know, migrants shipping across the. Like, he was a priest on a migrant boat across the Mediterranean. And that, you know, that doesn't feel like the sort of thing that, you know, legitimate law enforcement, you know, access should be used for. But, you know, they were buying tools and using them in that context, allegedly, you know, like, it's just a really complicated set of issues and we're bad at simple issues. So.
Adam Boileau
Yeah, yeah, yeah, that's right. And meanwhile, something similar happening in Sweden at the moment, which is the Swedish government is demanding some sort of backdoor in Signal or message recovery, right, whatever you want to call it. And the Signal Foundation president Meredith Whittaker has said, no, we will in fact withdraw from offering our service to people in Sweden. If, you know, this is what you insist upon. And you know, the Swedish government is saying, well, look, crime is up over the last decade and you know, we need this capability to try to get a handle on, on serious organised crime and blah, blah, blah, blah. And security. Signal said no. So let's see if Signal winds up being withdrawn from Sweden as a region, much like Apple has withdrawn Advanced Data Protection for iCloud from the UK.
Lena Lau
Yeah, I mean, in the end, you know, Signal will commit corporate seppuku before they do that. Whereas Apple, kind of big enough, has enough investors, you know, you know, they're not gonna in the end walk away from their whole business because they get surveillance demands that are like Signal probably would because they're a non profit and that's kind of, that's their whole thing. So, you know, both are interesting to watch how they unfurl.
Adam Boileau
Yeah, that's right. What else have we got here? The Black Basta ransomware crew has had a whole bunch of its messages leaked. Fun. Fun. I find it interesting that SIGINT agencies get involved in combating ransomware and all of a sudden there's like massive infighting. But this probably, this actually looks like organic infighting, to be honest.
Lena Lau
Yeah, and why not both, right? You know, these kinds of groups are made up of a whole bunch of people, you know, working online, you know, in forums and message groups and whatever else. I think this was all chats on the Matrix platform. And yeah, people talk a lot of crap on the Internet, so it's no surprise that some of this stuff is, is kind of funny to read. But yeah, like a couple of hundred thousand messages from inside Black Basta over the course of a year. So, yeah, there's some juicy insights. Somebody's loaded it into a, you know, into a GPT engine so that you can ask questions of it without having to read all those messages in Russian. And yeah, it's just kind of funny seeing the, you know, all of the inner dirty laundry that comes from running a crime operation.
Adam Boileau
Well, the most important bit of the goss, I think, and I think we've got Dan Goodin's version of this piece linked to in the show notes this week, is, and I'll quote from it, it turns out that the personal financial interests of Oleg, the group's boss, dictate the operations, disregarding the team's interests. So, yeah, apparently just like a bad boss situation and quote, under his administration, there was also a brute force attack on the infrastructure of some Russian banks. Yeah. Which means people were getting a little bit nervous about like, hey, maybe don't, you know, crap where you eat and yeah, a lot of them defected to some other crew and whatever. But I would also think too that if you were a western SIGINT agency with access to a ransomware as a service platform, maybe doing a few brute force attacks, you know, with no payloads deployed against Russian banks, might be a good way to stir up this sort of drama. Just saying.
Lena Lau
Exactly. Exactly. Yes, the spooks are creative and they will have lots of fun on target, I'm sure.
Adam Boileau
Yeah. Now another one from Daryna over at the Record. And we covered this in Risky Business News the other day, which is now called Risky Bulletin. I'm sorry, you can subscribe to that at Risky Biz. But there's some QR code based phishing for the Signal app, basically allowing the attackers to, you know, add a device to a Signal account so that they can then operate that account as if it were their own. And they're doing this. It's Russians doing this. And they're, you know, capturing devices on the battlefield and then sort of, you know, getting access into those Signal accounts and then using that to spread more QR codes and on and on and on. I mean, I don't like this linking devices feature of Signal. We've talked about it before. I don't do it. I don't use Signal on the desktop. I like it on my phone. iOS, I think, is a more secure platform than macOS, and I'm totally happy for it to just live there. But, yeah, what are your thoughts on this one, Adam?
Lena Lau
I mean, it's a smart methodology, right, because your attack options against Signal are on the endpoint or link a device. Right. That's basically what you've got. And some of the tradecraft here is kind of interesting. Like they have a group chat. They'll have a group chat with a bunch of malicious QR codes in it and then invite people into it. And then they read the scroll back and check out some of the QR codes. So you've already got scroll back. That establishes legitimacy, which feels different than just starting a social engineering phish right from bare. When you've got that to work with, that's kind of interesting. And then, yeah, as you say, using captured devices on the battlefield as a method to then send it to contacts and so on and so forth. So, yeah, interesting kind of tricks. And yeah, to be honest, that Signal feature would be nice if it was kind of off by default or gated behind some kind of thing for the people receiving them.
Adam Boileau
I'm with you, but yeah, I just don't like it as a feature. I don't think, you know, you can always socially engineer people into turning stuff back on, you know, I just don't like it as a feature. I understand why they have it. It's sort of table stakes for a messaging platform these days. But, yeah, don't like it.
Lena Lau
Yeah. And also Electron, at least I assume it's still Electron.
Adam Boileau
Yeah, the Signal app was Electron. I'm not sure if it still is, but yeah, do not. Do not like Electron either. Although we haven't really heard. I think we've heard of a couple of issues in this, in the Signal Electron app, but it's, you know, a cut above, not surprisingly. Right, yes.
Lena Lau
Which is good.
Adam Boileau
Now we got one from Samantha Cole over at 404 Media. This one's real interesting. Meta is suing this guy Idriss Qibaa, who ran the Unlocked 4 Life extortion scheme where this guy would basically take over or ban people's Instagram accounts, get them banned, and then sort of sell them back to them and figure out, you know, how to. He would sell the unbanning of them. But he was also threatening to kill people whose accounts he'd taken over. Like, you know, you've got to give me money to unban your account and if you don't, I'm going to kill you. You know, this seems like it would be more of a criminal kind of indictment than a lawsuit, but I guess Meta has taken things in, you know, taken matters into its own hands and they're doing it through the civil courts. The reason I wanted to talk about this one is, you know, for half a decade now I've been talking about how Meta's account handling, particularly with Instagram, is just terrible. You know, I've, I've personally worked with people who have had their accounts taken over by people who've abused things like trademark violation complaints and stuff to say, no, no, this person is impersonating my brand, when really it's the other way around and they'll just do it. And there's no solid appeals process or anything, like just truly, truly woeful stuff. And I mean, you know, it's great that they're suing this guy, but you would hope that they would actually put some effort into fixing this. I've always thought a paid for support service for this would make a lot of sense because Meta just stretched their people too thin because they've got so many accounts and this is the result, stuff like this happens.
Lena Lau
Yeah, it's pretty messy. I mean, in some cases he was able to ban accounts like basically same day because he would sell the account banning service to some people and would also sell, you know, the unlocking service and fake likes and all of the other kind of social media fraud sorts of things. Apparently he was making what, like $600,000 a month?
Adam Boileau
Well, he claimed, he boasted that he did 600k in one month and who knows if that was his regular income, but either way it was worth doing for him.
Lena Lau
Yeah, exactly. And then all sorts of other nasty stuff that he was doing as well. So, yeah, kind of good that Meta is going after him, but as you say, like their account handling is pretty woeful and too much automation, not enough kind of sense is the vibe that you get from them.
Adam Boileau
Well, and impossible to get human review quite often. And when there is human review, it's obviously someone who spent five seconds looking at it and just said, whatever next you know, it's just. It's a mess. It's a mess.
Lena Lau
Yeah, it is. I mean given what it must cost them in lawyers to go after these people, like you think you could go plow some of that back into making the process a little better?
Adam Boileau
Support costs. Support costs for something like Instagram, man, you even want to marginally improve that, it's going to cost you money. But it's not like Meta's broke. And again, I think, you know, we did see a glimmer of hope. They've got some of these like, you know, Meta for Business services and whatever and that is going to be better, right? But yeah, they need massive improvement there. Link in the show notes to that one. Now we've got a blog post from Cisco Talos who've looked at the way Salt Typhoon is doing its Salt Typhooning. And they're doing some cool stuff with like basically, you know, chaining their shells through a bunch of Cisco devices and whatever. You talk us through this one, Adam.
Lena Lau
Yeah, this is. It's a good write up of their general tradecraft. Cisco Talos is somewhat at pains to point out that it's nearly all not Cisco bugs. They're using Ciscos to pivot through, but they're not actually exploiting that many of them, which, you know, maybe a bit too much protesting there. There's a lot of credential reuse to get access and then technical means for getting more credentials out of Ciscos. So once you're in the network routing infrastructure, you've got lots of great options for sniffing creds off the wire. In the case of routers that do authentication via RADIUS or TACACS, you can usually turn that into cleartext credentials off the wire. I know, I've done that in the wild. It's good times. And if that's AD integrated, now you've got password access onwards into Active Directory and it's great times being in the network plumbing, and that's really kind of where Salt Typhoon is and what they're into. There's some other specifics about the things that they do on the underlying Linux of some Cisco devices, which is good for seeing some of their tradecraft there. There's also a great trick where they can use routers in the network to pretend to be somewhere else in the network. Like if you're on the network path between A and B, you can pretend to be anyone from A to B and they can use that to bypass access lists and other controls for moving onwards and, you know, that's once again a thing that telco hackers have been doing for a long time. But, you know, it's kind of when this is described as like, super advanced and well resourced and it's a thing that, that, you know, I've been doing for 15, 20 years, it makes me feel good. Like, I feel like, yeah, I'm super advanced. I'm not well resourced, but I'm super advanced. Go me.
Adam Boileau
You're reasonably resourced.
Lena Lau
Insomnia was reasonably resourced, I guess, but not like, you know, Chinese, you know, Chinese intelligence services resourced. But yeah, so I quite enjoyed it just because I love, you know, telco hacking gubbins and. Yeah. Just, you know, useful detail, actual technical detail about what they do and how they do it.
Adam Boileau
Yeah. And the way they were pivoting around and stuff like, that's the bit that I found interesting as well, which is just like, you know, router to router comms, but it's them and it looks all normal and, you know, it's pretty cool. That's what I meant by chaining together their shells, you know.
Lena Lau
Yeah. And no EDR on those platforms. And yeah, it's just.
Adam Boileau
I've got an interview with one of the core, like, people coming up next week actually talking about how, yeah, like, just specifically Salt Typhoon, they just go where the EDR isn't, which, you know, you can read that as like, oh, EDR doesn't save you. It's like, well, it can only save you where it is, where it exists. And the fact that attackers are having to go around it and hit stuff that doesn't have it is actually more of a good news story about EDR than a bad one. But anyway, yet one more from Daryna Antoniuk over at the Record. And Thailand is about to receive 7,000 people who've just been freed from these scam hubs in Myanmar by a militia. Crazy.
Lena Lau
Yeah, I mean, it is. It's so wild around some of these border regions in Myanmar. The militia is. I tried to. I read a bit about like, Myanmar politics and, and like how these militias relate to each other and the government and so on, and it's all very, very confusing. Anyway, they are handing over 500 people a day into Thailand. You know, like showing up on a bridge, handing them across to the authorities there. And, you know, I guess even if the political motivation. These groups are kind of complicated. Shutting down scam centers is still. Is still good. So, you know.
Adam Boileau
Yeah, thanks. Yeah, that's right. I just want to mention it quickly. But there's an IVF provider in Australia called Genea who've apparently had some sort of data breach. This is obviously making the news here and I just sort of wonder what, what sort of response we're going to see or what sort of response are we not going to see that still occurs as a result of this given, you know, ASD and the AFP have this whiz bang task force that was put together by our previous Home Affairs minister, Clare O'Neil. So it'll just be interesting. I'll be watching out for signs of activity on that one. We've got another story from James Reddick over at the Record, which is a federal contractor that supports the US military's healthcare system will pay an $11 million fine basically to settle allegations that it lied about hitting federal government cybersecurity compliance standards. So we'll drop a link into this week's show notes on that. And just quickly, Adam, one thing that's like our reading list item this week is Mike Burgess, who is the director general of ASIO, has given his annual threat assessment for 2025. It's available as a YouTube video and also there's a transcript here that I've, that I've published. It's just an interesting read. One thing I admire about Mike Burgess is he has always been much more sort of transparent about what Australia's domestic intelligence agency is actually focused on and thinking about than his predecessors and it's just a good read if you, if you're interested in, to get a bit of insight into the thinking of, you know, an intelligence leader from a Five Eyes country. You know, although he does focus mostly on, you know, domestic stuff, it's still a very interesting read. But mate, that's actually it for the week's news. But do hang around because now we're going to chat with this week's feature guest who is Lina Lau. 
Lina is the founder of Xintra, which does cyber security training and makes all sorts of cool like cyber ranges and stuff. And she wrote a blog post this week or last week actually called An Inside Look at NSA TTPs from China's Lens. And what she essentially did was pulled together a whole bunch of Chinese incident response write ups and wrote them up in a more, in the sort of Western way, I guess. And this has gone massively viral, resulted in a bunch of press coverage and controversy. Lina Lau, thank you for joining us.
Dave Cottingham
Thank you for having me.
Adam Boileau
How did I go with the summary there?
Dave Cottingham
Yeah, I mean I assumed most Western people weren't sitting there on WeChat reading Chinese blog articles in Chinese. So that's exactly what I did. I took a bunch of articles that were written about a specific incident that happened and then just rewrote it to match the Western audience. Because Chinese threat intel write ups tend to be a little scattered in how they approach the writing.
Adam Boileau
Yeah, like they don't write their reports the same way that we do in the West. Right. And that's been the interesting thing here. But the response to this, I mean, first of all, why don't we just talk about what you learned by actually going through this process. What was interesting here, I guess for.
Dave Cottingham
Me, because my background is in incident response. I came at it from the angle of wanting to understand the TTPs that were used.
Adam Boileau
So.
Dave Cottingham
So for me what was interesting was that they actually tracked three different threat actors that they attribute to North America. So the NSA TAO group is APT-C-40. They also track the CIA as a separate unit. They break that out. And then there's also a third group called APT-C-57 that they haven't really published much about. So they actually track three different orgs in America.
Adam Boileau
Yeah, well, I mean that makes sense because they are, they do have separate crews, much like, much like everyone else. Now to be clear too, this, this campaign was first, it was, it was a hack of like, what was it like some sort of university in China. And they first spoke about it publicly in 2022. But it looks like it was a very like long running campaign. And there's some nice overlap there with things like the Shadow Brokers tools which eventually got, you know, disclosed publicly in what, 2016 or whatnot. But to be clear, like this is not ongoing. Like as far as we know, this isn't describing activity that's happening now. This is historical stuff.
Dave Cottingham
This is not 2025, 2024. This is in 2022. They received phishing emails that they attribute to the NSA. And then that led to the convergence of two security firms, 360 and then CVERC, which is like a Chinese CERT team, to collaborate on an incident response investigation. And basically the write up that I wrote was my learnings from the IR reports that they had published. And these are the only two companies that published these IR reports on what actually happened. But based on the IR reports, it was clear that the NSA was allegedly breaking into this university over the course of an entire decade.
Adam Boileau
Yeah, I mean I was just thinking like as you said, that if they received these phishing emails in 2022 and that's what led them to discover this. Holy dwell time, Batman. Basically is what I was thinking. Yeah, yeah. So look, you alluded to the differences in, you know, the way that Chinese companies write IR reports. Like what are the most striking differences there? Because you did mention things like not only just differences in reporting, but differences in thinking and the way that they do IR.
Dave Cottingham
Yeah, I guess the first thing is normally in Western reports you just get a report that says, oh, Mustang Panda hacked into X company without much attribution as to why do we think it's Mustang Panda. Most of their IR reports start off with attribution and how they performed the attribution and how they linked it, which isn't something that we normally get in our classic intel reports. You just get, okay, this tool is linked to this. But not much more than just like an IOC being linked. The second thing that I noticed was a lot of the IR activity that happened from the two firms was based on a lot of collaboration with even foreign governments. They didn't specify which ones, but I'm guessing it was some of the neighboring countries that were also used as proxy servers for the attack. So there was a lot of collaboration going on.
Adam Boileau
Yeah, right. And included they actually managed to dox some of the front companies that were used to like obtain IPs and whatnot. And it's just amazing. Like, as you say, like this is all stuff that's been out there publicly, but no one actually, I think because of the language barrier, no one really tore it down and like rewrote it into something sensible like you have here.
Dave Cottingham
Yeah, I think it's more than that. Like Chinese firms don't really, they don't rely on publishing blogs on their website like, you know, Western companies do. They rely on pushing news cycles through Weixin, which is WeChat. And most of the security researchers read these write ups on WeChat in Chinese. So unless you're sitting there stalking WeChat, you're not going to be refreshing 360's company site and finding every single report there because they don't publish everything on their website.
Adam Boileau
Yeah, right. So basically you have to be a Chinese speaker who hangs out on WeChat.
Dave Cottingham
Which apparently you are going to talk to my family somehow.
Adam Boileau
Yeah, that's right. All right, so what do you make of the reaction to this? Because it has been uneven. Everybody seems to have an opinion on this. I think initially when we spoke the other day about it, you were like, yeah, I put this on my personal blog because I didn't want to link it to my company because I thought it might be a bit controversial. So you were expecting that perhaps it could be controversial, but maybe not this controversial?
Dave Cottingham
Yeah, I mean, I think that everyone is reluctant in the Western world to really publish or talk about what's going on, especially with Five Eyes threat actors. But at the same time, I think there is something there that we could learn from in terms of how we perform detections and just get a better understanding of what it is that we're doing and how the whole ecosphere works and how all the different countries interact. I wasn't really expecting people to think that I was the one saying that the NSA hacked into China. That I thought was very clear that I'm not the one saying this. That surprised me.
Adam Boileau
Yeah. Right. So you're just saying the Chinese said this?
Dave Cottingham
Yeah, I'm just getting information that's on WeChat and expressing it to the Western audience, basically. And I guess that final point that I wanted to say was that it surprised me a little bit and made me realize that most Western audiences probably aren't as attuned to what's going on allegedly with the Five Eyes governments and what their operations are, what their toolkits are. It kind of elucidated that maybe we're not as educated on what the Eastern countries are saying about Five Eyes.
Adam Boileau
Yeah. I think there's also reasons why, you know, we don't talk about that because Five Eyes agencies aren't typically targeting the sort of companies that Western IR firms are doing IR work for. Right. So. And I think also when people do stumble across like Five Eyes infrastructure, perhaps by accident, it's not something they're going to put in a report because they don't want to undermine the goals of the governments. Right. And that's just, that's just how it be like. And that's a question for you. Like, I can't imagine that you would have done original reporting. Right. If you had found Five Eyes stuff, you'd be like, no, never. I'm going to leave this alone.
Dave Cottingham
Right, yeah, of course.
Adam Boileau
Yeah, yeah.
Lena Lau
Did you think that, like, the way the Chinese attribute this to the US was like, do we expect the Five Eyes to be better at not getting snapped? Because that's kind of their whole shtick. Right. Is not being caught in the first place. Like, do you think that how they got snapped here was interesting or is this just workaday, you know, every. Every day in Chinese universities?
Dave Cottingham
So I think that the attribution to the NSA, they can only base that on the evidence that they uncover during the incident report. But with that said, it's not unusual for different threat actors and APT groups to leverage tools that are attributed to a different threat actor and try to get a misattribution occurring. So that's definitely something to think about.
Adam Boileau
Yeah, I did find it interesting here that when they went back and looked at some of this stuff, they found tools that had since been publicly disclosed in the Shadow Brokers leak. Right. Which made the attribution pretty, pretty solid. But yeah, it is. And again, I mean their dwell time was like a decade. Right.
Lena Lau
So I mean some of these exploits are some of the things they're using like exploits on Solaris boxes and tooling because there was so much good stuff in Shadow Brokers. And yeah, it's kind of, it's fun seeing it all used in the wild in a way, seeing how they use FOXACID, which was their like exploit from the side, using their passive collection network and seeing, you know, some of the other stuff they were using. I did like the bit about attribution based on unique US public holidays.
Dave Cottingham
Yeah, yeah. No hands on keyboard during Memorial Day and weekends. I like it. I like it.
Adam Boileau
Yeah, yeah, yeah, that's it. All right, we're going to wrap it up there. But look, thanks so much for joining us on the show. To talk through your blog post, we're going to drop a link into this week's show notes for everyone to read. Thanks again.
Dave Cottingham
Thank you.
Adam Boileau
And Adam, that concludes us as well. Thanks a lot for joining us for the news and to chat with Lina and we'll do it all again next week. Thanks.
Lena Lau
We certainly will, Pat and I'll see you then.
Adam Boileau
That was Lina Lau and Adam Boileau there with a check of the week's news and a chat about Lina's blog post. It is time for this week's sponsor interview now with David Cottingham and Daniel Schell from Airlock Digital. Airlock Digital makes an allow listing platform, which I love. I think it's a terrific bit of technology and, you know, if you run a high security environment, it's one that you should definitely take a peek at. But they uncovered some really funny research. Actually one of the reasons Airlock does so well is because the baked in Windows allow listing stuff like WDAC is actually pretty difficult to use at scale. But some people have done some research on this which is quite funny, which is if you can get disk write permission on a targeted host, you can actually rewrite the WDAC rules to prevent EDR from loading. So you can introduce an allow listing rule that says if it's not signed by Microsoft, don't let it run, which is obviously very useful to attackers. So I'll drop you in here where Daniel Schell explains that research. Enjoy.
Daniel Schell
So some research came out late last year. It was really interesting where someone thought about how can they disable security controls on Windows. And what they did, decided to try was using Windows Defender Application Control. So the allow listing functionality natively in the Windows 11 platform to block all non Microsoft code from running. And they then built some tradecraft around this to package it so you can sort of run it against remote machines, run it locally, deploy as an exe or through inline assembly and such like that. But at the end of the day, I guess what the research showed or what they've proven is that if you've got admin rights as a user, you can drop a WDAC policy file into a folder on Windows, reboot the system and it will read that and it will then respect that policy. And I guess the example policy is like only trust Microsoft signed files and therefore all EDR and other drivers and everything is just not allowed to run.
Adam Boileau
Yeah, I mean it's a really clever idea when you think about it, which is if you've got write permission, you know, privileged write permission on a disk somewhere, you can just implement that as a policy and the next time there's a reboot, all of those protections are gone.
Daniel Schell
That's it. Yeah, the services won't start, the drivers won't load. It's as if it wasn't there.
Adam Boileau
Now they've implemented this as like an executable. Right, which obviously you would be able to block because you know, allow listing, et cetera. But ultimately the only primitive you would need is that disk write.
Daniel Schell
Yeah, that's it. So yeah, they've made some tooling around it. They call it Krueger, is the name of their project. But at the end they drop the file in the folder and reboot. Now from a WDAC side of things, like you think about what's the controls in that, it's sort of an interesting story as well because by default anyone with admin rights can apply a WDAC policy. But if you want to protect yourself from that occurring, you actually need to implement a WDAC policy that's signed and then you can have a flag as well that requires that future updates to that policy will also be signed. So you have to sort of turn that on.
Adam Boileau
Well, and I'm guessing not many people have actually done that. Right. Because they're not using WDAC, so why would you bother?
Daniel Schell
Yeah, and that's exactly it. And there's no way to turn off WDAC and in fact that's probably a bad idea anyway because you've got the Windows recommended driver blocklist rule. And so there's all these Windows security functionality that's built into WDAC at the moment. There are some deny only policies in there at the moment as well. So you can go remove all the policies, but again someone can just copy that file and it's back. You can only disable policies. You can't disable the feature.
Adam Boileau
Theoretically they could do this with your software as well, couldn't they? Or are your policies all signed when they're written to disk?
Daniel Schell
Well, yeah, I guess at the end of the day it will stop our code from loading as well because again, that policy that they.
Adam Boileau
No, I just mean like could they also write to the airlock policy file and get airlock to start blocking stuff?
Daniel Schell
Yeah, that's a little bit different because we've got tons of sort of encryption and such. So I guess rather than signing you can't just go modify our policy. And also our policy sort of like don't transfer between customers and stuff like that very easily. And there's a lot of protections in our agent like anti tampering. I guess admin rights isn't enough. Yeah, because you wouldn't be able to stop the service to replace the files and all this other stuff as well. There's a lot of layers there that would be less effort. And if you have admin rights at that point, it's probably not the best use of your time.
Adam Boileau
Yeah. So I guess the question becomes like, how should the EDR companies best deal with this? Would they have to have some sort of, you know, would they just have to watch that file for changes sort of thing and like be able to detect when someone's writing a malicious WDAC policy? I mean that seems like it would be pretty hard to do.
Daniel Schell
Yeah, it's a tricky thing because it's okay, there's a couple things. I guess one part would be just detecting maybe that your rustle is running a policy file to the folder that Windows stores them in. I guess that could be a detection. But then if a customer is legitimately running WDAC, that's going to happen all the time. It's not. There's sort of like it's not a malicious policy file. It's one that's generated through the Windows App Control Wizard. It's saying trust. It's the default one to trust Microsoft files. So, yeah, it's a challenge.
Adam Boileau
So here's a question for you. Can you use Airlock to actually allow list a WDAC config file?
Daniel Schell
We could at the end of the day, as far as preventing it being implemented while our service is running, I think that's the level of control. So the stuff that me and David talked about was when someone writes a WDAC, there's obviously a magic header to these files. So we could go, someone's trying to write a thing to this folder, don't deny it. Or unless the file itself is allowlisted. So we just treat it as a script or in the.
Adam Boileau
Yeah, just treat it as any other file.
Daniel Schell
Yeah. So we go. Well, before WDAC can be applied, it needs to be trusted by Airlock. But no customer should be running WDAC and Airlock really side by side anyway.
Adam Boileau
So you should be able to just nuke that or a policy.
Patrick Gray
Anyway, I'm just thinking of the edge case that ultimately comes in when Windows Update comes and pulls down some new driver block list.
Daniel Schell
Well, they have a new driver. Like they update the driver block list all the time and stuff like that. So it's got to be interesting. But then again, which process is allowed to do the Windows updates? Okay. To do it?
Patrick Gray
Well, that's it.
Adam Boileau
Yeah. So there's a way around that.
Daniel Schell
Krueger.exe is not.
Patrick Gray
I think the main mitigation is a lot of the endpoint vendors have, you know, tried to stop the executable or flag the packing of that Krueger executable. So Windows Defender, when you get that EXE on the box and try and run it, actually detects it as a WDAC. What did it. What was it called, Daniel? It was WDAC something. The detection was like it was a malicious WDAC policy because it came from the executable. But the policy itself wasn't necessarily the bad thing.
Daniel Schell
Yeah, like as soon as I compiled it, Defender's like eight different detections. Right. Because they've put that in the defs. The tooling is in the defs, but the tooling is not the problem here. Possibly the tooling.
Adam Boileau
This is just one facet of a bigger problem right now, which is just attackers using LOLBins. It's not new. Right. This has been around for a very long time, but it's become just standard attacker behavior. And you really get the sense, David, and I want to hear from you on this, you really get the sense that this is because they have to do this because EDR is actually doing a reasonable job of detecting like malicious binaries and files and when those things execute and start doing weird stuff. So, you know, I guess you might say this is a good news story.
Patrick Gray
Yeah, absolutely. The bar has been raised so high now that it is a more viable option for, you know, many more sophisticated attackers to utilize LOLBins to achieve their objectives than to, you know, try and, you know, write code which is avoiding, you know, signature or behavioral based detection. At the end of the day, if you can become the administrator, just like, you know, the identity boundary, you want to steal creds, you want to blend in. If you can become the shadow admin in the environment, that's the best place you want to be as an attacker. And LOLBins are just across that path and enable that to happen because it's not unusual for an administrator to use an administrative tool.
Adam Boileau
Yeah, I mean, I think also it's not just about LOLBins per se, but abuse of other trusted bits of services and platforms like we saw from the CyberCX report recently that we spoke about on the show. Actually it was a case study that kind of was released around the same time about an attack against a Pacific organization. Gee, I wonder who could have been behind that one, where they were using like Microsoft's eDiscovery tool to do exfil and like how are you going to instrument a detection for that? Right. So I think it's, it's spreading beyond the OS and OS platforms and into cloud service platforms as well. But this just seems to be the contemporary way that attackers think, I guess.
Patrick Gray
Yeah, and I think as a vendor, you're Microsoft, you want to make the platform more usable and more great. I've got this functionality at my fingertips, but that value cuts both ways. For example, they put OpenSSH in Windows Server 2025. So now you've got a native Microsoft signed OpenSSH capability inside the OS. You don't need to bring it or even install the feature. It's just on disk ready to be invoked. And I actually did a bit of work where I looked at the number of files that were included in Windows operating systems over the last 10 years. And Windows 10 Long Term Servicing Branch to Windows 11 23H2 saw a 46% increase in files. And I know that file counts don't necessarily equal features. However, it highlights a significant increase in code at the very least, and therefore complexity. And it's hard for us as sort of consumers, even us in our position where we look at, you know, abuse of these utilities, to understand all those changes, because it's not really readily available unless you really dive in and reverse this out yourself. And what I would say is that organizations should really preference the use of Long Term Servicing Channel builds of Windows wherever possible. Because between Windows 10 LTSB 2015 and Windows 11 LTSC 2024, there was a 21% increase in the number of files compared to the consumer edition, which was that 40% odd number. So it's sort of shown that the consumer version of Windows has about 20% more stuff than what the actual enterprise builds do. So, you know, if you as a company can use the enterprise builds, build your SOE on that. And that just cuts out a whole bunch of stuff that's just kicking around that you're probably not going to use anyway.
Adam Boileau
Yeah, but you're still looking at an awful lot of stuff there that will be used. And I guess this comes back to the point of Windows host hardening. There's not all that many tools that do it well. I mean, obviously yours is one of them. And I do feel that with the EDRs, as this stuff becomes more and more popular, they're going to have to think about some fundamentals here in terms of how to deal with this. Because they were the next generation of AV. I mean, they're very good at spotting funny stuff happening. Right. But they do sort of come from a time when endpoint security was a lot about files executing on your Windows box. And that's changing, I guess.
Patrick Gray
Yeah, the challenge is, at the end of the day, security is about constraint. And the challenge for any security company is how do I implement security and not impact anyone. Ideally, you know, so that constraint is this gigantic circle which is drawn around the entire customer base. I think the tooling where we need to get to is you can define your constraints as a customer. So you as a customer are the only ones that know that you don't need WMIC anymore or you're not using WMI in your environment. Well, to find that out is a difficult thing, and far more difficult than it should be as it is. But let's say you could, you know, you're not using it, then to be able to define that and say I want to turn that off really starts to provide that security uplift. And it's something that we're pushing into in our tooling. You know, allow listing is a great control, but it's really about going beyond that. Let's start to cut down on that attack surface by commonly abused utilities. And that's where you get another significant bump in security improvement. But context is king.
Adam Boileau
Yeah, we did a demo recording recently which is published to our YouTube, just showing off the latest version of Airlock, and that was something that was interesting there, which is you can kind of use an allow list to constrain the use of a platform to something that resembles an SOE, actually better, because you've got more granular control. But you know, it almost feels like the days of trying to rely on a standard corporate SOE are kind of done at this point, because there's just too much stuff. There's too much stuff.
Patrick Gray
Too much stuff. You used to be able to pare it back much better. You know, I would encourage people as well to use Windows Server Core wherever they can for their workloads at least. That cuts out a lot of the GUI aspects, and a lot of the applications just won't run because they need a user interface to actually load. So to deploy that cuts down on it. Again, Windows Long Term Servicing builds, and then when you're building your images, just try and cut out as much as you can if you don't need it.
Adam Boileau
Less is more.
Patrick Gray
It really is.
Adam Boileau
Yeah. All right, Dave Cottingham, Daniel Schell, thank you so much for joining me for that discussion. Interesting as always.
Patrick Gray
Thanks, Patrick.
Daniel Schell
Thanks, Patrick.
Adam Boileau
That was Dave Cottingham and Daniel Schell there from Airlock Digital, and that is it for this week's show. I do hope you enjoyed it. I'll be back soon with some more news and analysis for everyone. But until then, I've been Patrick Gray. Thanks for listening.
Risky Business #781 – How Bybit Oopsied $1.4bn Release Date: February 26, 2025
Host: Patrick Gray
Guest: Lena Lau, Founder of Sintra
Sponsor: Airlock Digital
In episode #781 of Risky Business, host Patrick Gray delves into the week's information security news with a focus on the largest cryptocurrency theft in history, the Bybit hack, and Apple's contentious withdrawal of Advanced Data Protection from the UK market. The episode also features an in-depth interview with Lena Lau, founder of Sintra, who discusses her viral blog post analyzing Chinese incident response reports related to NSA activities. Additionally, listeners hear from Airlock Digital on how a Windows Defender Application Control (WDAC) policy can be abused by an attacker with privileged disk write access to stop EDR from loading.
Timestamp: [00:00] - [08:49]
The episode kicks off with a detailed discussion on the Bybit hack, where a staggering US$1.4 billion was stolen, marking it as the largest crypto theft to date. Lena Lau provides an expert breakdown of how the hack was executed, attributing the breach to North Korean operatives.
Lena Lau explains:
"The exchange has most of their funds stored in a cold wallet... The attackers managed to get malware onto the computers of some of the staff, including the boss of Bybit, and faked a user interface for their multi-signature process, convincing them to sign a malicious transaction."
[01:39]
The multi-signature setup at Bybit required multiple authorizations to transfer funds. However, the attackers cleverly manipulated the user interface, leading to unauthorized control over the entire cold wallet. Adam Boileau adds context by comparing this incident to traditional banking systems, highlighting the irreversible nature of crypto transactions.
"With Crypto, once it's gone, it's gone. So you do need to step it up. So they need to have robust procedures around which transactions are approved."
[12:38]
Lena Lau further critiques Bybit's security measures, emphasizing the importance of using standalone, single-purpose devices to minimize attack surfaces.
"That's the main thing is you want something that you don't use for other stuff because that just reduces attack surface."
[11:37]
Timestamp: [17:25] - [26:42]
The conversation shifts to Apple's decision to disable Advanced Data Protection (ADP) for iCloud users in the UK. This move came after the UK government requested Apple to develop a means to retrieve evidence from iCloud accounts protected by ADP, which Apple refused.
Adam Boileau discusses the implications:
"Apple has withdrawn advanced data protection for the UK market... All of their photos and everything are end-to-end encrypted. They're going to be given a grace period to turn it off themselves."
[17:25]
Lena Lau analyzes the broader impact, contemplating whether British users are better or worse off without ADP.
"Given the relationship between America, where Apple being an American company, like the relationship in America and the rest of the world... it's not a great time for walking back."
[19:38]
The debate touches on the balance between user privacy and governmental surveillance, with both hosts expressing concerns over potential authoritarian shifts in government policies.
"It's pretty messy... use of surveillance demands that are like Signal probably would because they're a non-profit and that's kind of, that's their whole thing."
[26:42]
Timestamp: [26:42] - [39:54]
The episode continues with a roundup of recent security incidents and trends:
BlackBasta Ransomware Leak: Discussions around the internal conflicts within the BlackBasta ransomware group, revealing insights into their operations and leadership issues.
Signal App Phishing Attacks: Lena Lau explains a sophisticated QR code-based phishing method targeting the Signal app. Attackers, primarily Russian, exploit Signal's device linking feature to gain unauthorized access:
"They have a group chat with a bunch of malicious QR codes... using captured devices on the battlefield to send them to contacts."
[29:34]
Meta's Lawsuit Against Idris Cuba: Meta is suing an individual for running an extortion scheme targeting Instagram users, highlighting the platform's ongoing struggles with account security and abuse.
Cisco Talos on Salt Typhoon: Analyzing how the Salt Typhoon group infiltrates networks by exploiting Cisco devices and leveraging credential reuse to gain extensive access:
"They can use the network routing infrastructure to sniff creds off the wire... it's a thing that I've been doing for 15, 20 years."
[34:12]
Thailand's Handling of Myanmar Scam Hub Victims: Reports on how Thailand is receiving thousands of individuals freed from scam operations in Myanmar, showcasing the complexities of regional cybercrime and human trafficking issues.
Federal Contractor Fine: A US federal contractor faced an $11 million fine for falsifying compliance with federal cybersecurity standards, underlining the importance of integrity in cybersecurity practices.
Timestamp: [39:54] - [48:18]
Lena Lau joins the show to discuss her viral blog post, "An Inside Look at NSA TTPs from China's Lens," where she translates and contextualizes Chinese incident response reports attributing activities to the NSA.
Patrick Gray praises Lena's efforts:
"She took a bunch of articles written in Chinese and rewrote them to match the Western audience... this has gone massively viral."
[39:58]
Lena Lau shares her motivations and discoveries:
"Chinese threat intel write-ups tend to be a little scattered... I took a bunch of articles and rewrote them in a more coherent format for Western audiences."
[40:19]
Key insights from Lena include the unique approach of Chinese IR reports, which often start with attribution and detail the methods used for linking attacks to specific actors, a contrast to Western reports that typically focus on Indicators of Compromise (IOCs) without extensive attribution.
"Most of their IR reports start off with attribution and how they performed the attribution and how they linked it, which isn't something we normally get in our classic intel reports."
[42:46]
The reaction to Lena's blog post was unexpected, as it sparked significant attention and debate within the cybersecurity community, revealing a gap in understanding Eastern perspectives on operations by Five Eyes agencies.
"It surprised me a little bit and made me realize that most Western audiences probably aren't as attuned to what's going on allegedly with the Five Eyes governments."
[45:54]
Lena also discusses the challenges of translating and interpreting Chinese reports, emphasizing the importance of bridging language barriers to enhance global cybersecurity understanding.
"Unless you're sitting there stalking WeChat, you're not going to be refreshing 360's company site and finding every single report."
[44:15]
Timestamp: [48:36] - [62:18]
The episode transitions to a sponsorship segment featuring Airlock Digital, represented by Dave Cottingham and Daniel Schell. They discuss recent third-party research showing how an attacker with privileged write access to disk can abuse Windows Defender Application Control (WDAC) to prevent Endpoint Detection and Response (EDR) drivers from loading.
Daniel Schell explains the research:
"If you've got admin rights as a user, you can drop a WDAC policy file into a folder on Windows, reboot the system, and it will read that and respect that policy... only trust Microsoft signed files and therefore all EDR and other drivers won't be allowed to run."
[50:32]
Adam Boileau comments on the implications:
"If you've got write permission, you can implement that as a policy and the next time there's a reboot, all of those protections are gone."
[50:46]
Daniel Schell outlines how Airlock Digital's agent is designed to withstand this technique:
"Our policy sort of like don't transfer between customers and stuff... there's a lot of protections in our agent like anti-tampering."
[52:19]
The discussion highlights the challenge this poses for EDR vendors: an attacker who already holds administrative write access can rewrite the system's own code integrity policy, so that the protection is removed at the next reboot rather than defeated at runtime, which leaves little for a runtime detection engine to see.
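The technique above only takes effect after a reboot, so the window between a policy file being staged on disk and the machine restarting is where a defender can catch it. The following PowerShell audit is an added example, not code from the episode, the researchers, or Airlock Digital: it hashes every policy file in the locations Windows loads Code Integrity policies from, compares them against a baseline of policies you deployed yourself, reports the current enforcement state via the Win32_DeviceGuard WMI class, and lists recent policy activations from the Code Integrity event log. The baseline hash list is a placeholder you must populate with the SHA256 of your own policy binaries; the paths, class name, property names and event ID are the documented Windows ones.

```powershell
# Added example (not from the episode or from Airlock Digital): audit on-disk WDAC
# policy files and recent policy activations for anything outside a known-good baseline.
# Run in an elevated PowerShell session. Replace the placeholder hash with the
# SHA256 of each policy binary you deliberately deployed.

# Assumed baseline: SHA256 hashes of your own deployed policy files (placeholder value).
$KnownGoodPolicyHashes = @(
    '0000000000000000000000000000000000000000000000000000000000000000'
)

# Locations the Code Integrity subsystem reads policies from at boot.
$PolicyPaths = @(
    "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b",               # legacy single-policy format
    "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active\*.cip"     # multiple-policy format, one file per policy GUID
)

function Get-StagedWdacPolicies {
    # Returns one object per policy file found on disk, flagging whether its hash is in the baseline.
    # A file here that you did not deploy is a staged policy that will be honoured at the next reboot.
    foreach ($pattern in $PolicyPaths) {
        Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                Path       = $_.FullName
                SHA256     = $hash
                LastWrite  = $_.LastWriteTimeUtc
                InBaseline = ($KnownGoodPolicyHashes -contains $hash)
            }
        }
    }
}

function Get-WdacEnforcementState {
    # Win32_DeviceGuard reports the running state; for the policy enforcement properties
    # 0 = off, 1 = audit mode, 2 = enforced.
    Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard |
        Select-Object CodeIntegrityPolicyEnforcementStatus, UsermodeCodeIntegrityPolicyEnforcementStatus
}

function Get-RecentPolicyActivations {
    param([int]$Days = 7)
    # Event ID 3099 in the Code Integrity operational log is written when a policy is
    # refreshed and activated. An activation you did not schedule is worth investigating.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3099
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Report anything staged on disk that is not in the baseline, then the live state and recent activations.
$staged = Get-StagedWdacPolicies | Where-Object { -not $_.InBaseline }
if ($staged) {
    Write-Warning 'WDAC policy file(s) not in baseline are present and will be enforced at the next boot:'
    $staged | Format-Table Path, SHA256, LastWrite -AutoSize
}
Get-WdacEnforcementState
Get-RecentPolicyActivations
```

Treat this as a hygiene and detection check rather than a preventive control: the attacker in the scenario already holds administrative write access, so they can also clear the local event log or remove the staged file after the reboot, which is why the 3099 events and the policy file hashes are worth forwarding to a SIEM from a scheduled task rather than read locally after the fact. The same mechanism cuts both ways, as the segment notes: a WDAC policy you deploy and sign yourself is exactly the control that keeps an attacker's unsigned tooling from running in the first place.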
Patrick Gray provides additional context on the broader implications:
"Security is about constraint... allow listings are great, but it's really about beyond that. Let's start to cut down on that attack surface by commonly abused utilities."
[61:12]
Daniel Schell responds by emphasizing the importance of allowing customers to define their own security constraints, enhancing the effectiveness of allow-listing mechanisms.
"You can define your constraints as a customer... beyond that you get another significant bump in security improvement."
[61:12]
The segment concludes with actionable advice for organizations: minimize the attack surface of the builds they deploy by preferring Long Term Servicing Channel releases of Windows, using Windows Server Core for workloads where it fits, and stripping unneeded components from their images.
Episode #781 of Risky Business offers a comprehensive dive into the latest cybersecurity incidents, expert analyses, and emerging vulnerabilities. From the unprecedented Bybit hack to Apple's defensive stance against governmental data access, and from translating Chinese IR reports to exposing WDAC loopholes, the episode underscores the multifaceted challenges facing information security professionals today. Lena Lau's insights and Airlock Digital's technical deep dive provide listeners with valuable perspectives on navigating the evolving threat landscape.
Notable Quotes with Timestamps:
Lena Lau [01:39]:
"The attackers managed to get malware onto the computers of some of the staff, including the boss of Bybit, and faked a user interface for their multi-signature process, convincing them to sign a malicious transaction."
Adam Boileau [12:38]:
"With Crypto, once it's gone, it's gone. So you do need to step it up. So they need to have robust procedures around which transactions are approved."
Lena Lau [19:38]:
"Given the relationship between America, where Apple being an American company... it's not a great time for walking back."
Patrick Gray [39:58]:
"She took a bunch of articles written in Chinese and rewrote them to match the Western audience... this has gone massively viral."
Daniel Schell [50:32]:
"If you've got admin rights as a user, you can drop a WDAC policy file into a folder on Windows, reboot the system, and it will read that and respect that policy."
Patrick Gray [61:12]:
"Security is about constraint... allow listings are great, but it's really about beyond that. Let's start to cut down on that attack surface by commonly abused utilities."