Risky Business #782 – Are the USA and Russia Cyber Friends Now?
Release Date: March 5, 2025
Host: Patrick Gray
Guest: Adam Boileau
Bybit Attack and North Korean Cyber Tactics
The episode kicks off with a deep dive into the recent Bybit attack. Early reporting assumed that North Korean operators had planted malware on user devices; it later emerged that the attackers had modified JavaScript served from Safe Wallet's AWS CDN so that the web interface would tamper with transactions from Bybit's multi-signature wallet, which held roughly $1.5 billion, and nobody else's. Adam Boileau commends the sophistication of the attack:
“They had poisoned this JavaScript for everybody in the world that used the web interface for Safe Wallet. But they only targeted the one wallet from Bybit that contained, you know, a billion, billion and a half dollars. So that's pretty slick, I got to say.” (02:44)
Patrick Gray's takeaway is that once the web interface cannot be trusted, the hardware wallet is the last line of defense, so signers have to check what it actually shows them before approving:
“You just have to pay attention to that hardware wallet.” (03:37)
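An added example, not code from Safe Wallet, Bybit or the show, of the integrity checks that make a swapped CDN bundle detectable from the consuming side: the Subresource Integrity digest format browsers enforce in a script tag, and a drift check of a pinned manifest against what the CDN currently serves. The asset paths, file contents and example.invalid hostnames are constructed for the illustration; a real monitor would fetch the assets over HTTPS on a schedule.

```python
"""Integrity monitoring for JavaScript served from a CDN.

Added example, not code from Safe Wallet, Bybit or the podcast. The
attack described above worked because the bundle served from the CDN
changed and the consuming side did not notice. Two checks are shown:
  * the Subresource Integrity (SRI) digest format browsers accept in
    <script integrity="..."> so a page refuses a modified script
  * a drift check of a pinned manifest against what the CDN serves now;
    this catches a modified bundle even when the malicious branch only
    fires for one wallet, because the file hash changes for everyone.
Asset contents below are constructed for the example.
"""
import base64
import hashlib

# Constructed "known good" assets, as captured when the release was built.
KNOWN_GOOD = {
    "/assets/app.js": b"export function buildTx(to, value) { return {to, value}; }\n",
    "/assets/vendor.js": b"export const VERSION = '1.0.0';\n",
}

# Constructed snapshot of what the CDN serves now: app.js has been
# modified, vendor.js is unchanged, and a new file has appeared.
SERVED_NOW = {
    "/assets/app.js": b"export function buildTx(to, value) {"
                      b" if (to === TARGET) { to = ATTACKER; } return {to, value}; }\n",
    "/assets/vendor.js": b"export const VERSION = '1.0.0';\n",
    "/assets/telemetry.js": b"fetch('https://example.invalid/c');\n",
}


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI digest string such as 'sha384-<standard base64>'.

    Browsers accept sha256, sha384 and sha512 in the integrity attribute."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI supports sha256, sha384 or sha512 only")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_manifest(assets: dict, algo: str = "sha384") -> dict:
    """Pin every asset path to its SRI digest at build/release time."""
    return {path: sri_digest(data, algo) for path, data in assets.items()}


def check_drift(manifest: dict, served: dict) -> dict:
    """Compare pinned digests with what is being served.

    Returns sorted lists of modified, added and missing paths. 'added'
    matters too: an extra script is a common way to inject a loader."""
    modified, missing = [], []
    for path, expected in manifest.items():
        if path not in served:
            missing.append(path)
        else:
            algo = expected.split("-", 1)[0]  # recover the hash algorithm from the pin
            if sri_digest(served[path], algo) != expected:
                modified.append(path)
    added = [path for path in served if path not in manifest]
    return {"modified": sorted(modified), "added": sorted(added), "missing": sorted(missing)}


def script_tag(src: str, content: bytes) -> str:
    """Emit the <script> tag that makes the browser enforce the digest."""
    return (f'<script src="{src}" integrity="{sri_digest(content)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    manifest = build_manifest(KNOWN_GOOD)
    print(script_tag("https://cdn.example.invalid/assets/app.js", KNOWN_GOOD["/assets/app.js"]))
    print(check_drift(manifest, SERVED_NOW))
```

Two caveats on the design. SRI only helps when the HTML that carries the integrity attribute is served from somewhere the attacker has not modified; if the same bucket serves index.html, the attacker can drop the attribute along with the script, which is why the out-of-band manifest check is the complementary control. Neither replaces reading the transaction off the hardware wallet's own screen, since both only tell you the front end changed, not what it asked you to sign.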
US Cyber Strategy Towards Russia: Controversy and Normalization
A significant portion of the discussion revolves around controversial reports that US Cyber Command was ordered to halt offensive cyber operations against Russia. Patrick Gray notes the conflicting statements from CISA and the Department of Defense, which undermine trust in government communications, and posits that the pause could be a deliberate step toward normalizing relations with Russia:
“Whether you agree with this or not, they're seeking to normalize relations with Russia and putting a pause on offensive actions is a very sort of standard thing to do when you're entering a period of negotiation that is seeking to normalize relations.” (06:00)
Adam adds that a pause carries a cost of its own, since access and tooling left unused for long enough decay:
“Depending on how long things are paused for, stuff kind of gets stale.” (08:58)
Concerns Over Post-Ukraine Russian Cyber Activities
Building on the geopolitical theme, Finnish intelligence warns that an end to the Ukraine conflict may free Russian cyber operators for other targets. Adam Boileau concurs, pointing to how much capacity Russia has built up and the likelihood that it gets redirected:
“Russia's been tooling up, you know, both in terms of arms manufacturing, in terms of like a war footing for the whole economy, as well as, you know, intelligence services and hacking and things that we cover that.” (09:44)
FBI's Stance on Crypto Laundering Post-Bybit Hack
The discussion shifts to the FBI's recent public service announcement urging the crypto industry not to launder, or help launder, funds stolen from Bybit. Patrick Gray is skeptical about the timing and effectiveness of such advisories:
“Why didn't they try that before?” (10:06)
Adam humorously suggests a more straightforward approach:
“How about maybe don't do crimes?” (10:21)
Cellebrite Cuts Ties with Serbian Government: System Working
Patrick highlights a significant move by Cellebrite, which terminated its relationship with Serbia after Serbian authorities misused its phone-unlocking tools as a step in planting spyware on targets' devices. He reads this as the accountability mechanism working as intended:
“This gives them extra motivation to be more careful about their customers in the future.” (12:19)
Adam praises the collaborative effort between Amnesty International and Google in identifying and patching the exploited vulnerabilities:
“It's interesting, we have some nice little blog about a new way to get into a Cisco router.” (13:00)
Belgian State Security Service Investigation on Barracuda Devices
The podcast touches on Belgium's investigation into the compromise of its State Security Service (VSSE), whose Barracuda email gateways were breached by a Chinese APT group. Adam Boileau notes how long the attackers went undetected:
“It suggests that the Chinese were in there with them a good couple of years beforehand.” (14:32)
UK Demand on Apple's Advanced Data Protection and US Concerns
Tulsi Gabbard, Director of National Intelligence, expresses grave concern over the UK's demand that Apple provide access to iCloud data protected by Advanced Data Protection, Apple's end-to-end encryption option, a demand that led Apple to withdraw the feature for UK users. The discussion revolves around the implications for US data security:
“It's important information to have and just kind of useful to, you know, understand because Britain won't be the only jurisdiction that asks for this kind of thing.” (16:43)
Starlink Abuse and Scams in Thailand and Myanmar
Patrick shares his experience with Starlink, noting a surge in abusive traffic from Starlink IP space, particularly from Thailand and Myanmar. Adam Boileau explains how the scam compounds in that region use Starlink terminals to stay online despite government efforts to cut their connectivity, and notes that the provider has been told where these compounds are:
“They’ve been using Starlink and SpaceX... they are using it and you know, Starlink and SpaceX have, you know, received a bunch of information about, you know, where these places are.” (20:04)
The complaint on the show is less about the compounds than about the provider's response to abuse reports:
“The whole thing feels like they don't really do a lot to address abuse on the network.” (21:13)
US Soldier Charged in AT&T Hack: Google's Investigation
A case involving a US Army soldier charged with hacking AT&T is discussed, highlighting the individual's troubling Google search history, which included queries like “can hacking be treason” and “where can I defect.” Adam Boileau underscores where those searches were heading:
“He is clearly considering the Snowden route and ‘embassy of Russia, Washington D.C.’” (22:41)
Google Enhances Password and MFA Systems
The episode also covers Google's efforts to streamline credential management: Google Password Manager now syncs with iOS, and Gmail is replacing SMS-based verification codes, which are exposed to SIM swapping and interception, with QR codes scanned from a phone. Adam Boileau walks through the technical improvements, while Patrick Gray questions what the change means for users who do not have a smartphone.
Mysterious Iranian Botnet Raises DDoS Concerns
A botnet linked to Iran and believed responsible for the largest DDoS attack recorded to date, at roughly 6.5 Tbps, is examined. Uncertainty about who built it and how leaves both attribution and defense as open questions:
“Anyone getting hit by six and a half terabits of traffic is probably going to fall off.” (31:43)
Vulnerable Windows Drivers Exploited in Ransomware
Patrick discusses a vulnerability in a Paragon Partition Manager driver, a legitimately signed Windows driver that ransomware crews now bring along and exploit themselves, a bring-your-own-vulnerable-driver (BYOVD) attack. Adam Boileau highlights Microsoft's swift action in adding the driver to its vulnerable driver blocklist, which ships through Windows Update:
“If you're running Microsoft's updates, then you're probably not vulnerable, so that's good.” (34:25)
Conviction of Child Exploiter Richard Amir
The podcast briefly covers the conviction of Richard Amir from East London for producing indecent images of children. Patrick Gray underscores the severity of such crimes and the importance of stringent penalties:
“He’s been arrested. Hope he goes to prison forever and has a really bad time there.” (35:38)
Sponsor Spotlight: Corelight on Detecting Advanced Threats
In the concluding segment, Vincent Stoffer, Field CTO at Corelight, discusses the role of Network Detection and Response (NDR) in identifying sophisticated threats like Salt Typhoon and Volt Typhoon. He emphasizes how easy it is to stand up basic NDR using the open-source Zeek, the network analysis framework Corelight's products are built on:
“It's super powerful and something that the network level visibility can get you at all devices that you have that sort of level of monitoring at.” (38:02)
Patrick Gray and Vincent discuss how to roll out Zeek, recommending that teams start with passive monitoring from a tap or SPAN port, which cannot disrupt production traffic, and simply catalogue what crosses the perimeter before writing any detection logic:
“You start by just finding out what's coming in and out of the door.” (43:24)
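The "what's coming in and out of the door" step, as an added example that is not Corelight's or the Zeek project's code: a Python pass over a Zeek conn.log in its default tab-separated format that inventories external destinations, flags long-lived external sessions, and applies a simple regular-interval beaconing heuristic. The log lines, thresholds and parse logic are constructed for the example; the thresholds in particular are assumptions to tune against your own baseline.

```python
"""First-pass hunting over a Zeek conn.log.

Added example, not Corelight's or the Zeek project's code. It reads
conn.log in Zeek's default TSV format (the '#fields' header names the
columns and '-' marks an unset value) and answers the "what is coming
in and out of the door" question three ways:
  * an inventory of external destinations by port and service
  * long-lived sessions to external hosts
  * connections from one internal host to one external host at a
    regular interval (a simple beaconing heuristic)
The log lines below are constructed for this example.
"""
import ipaddress
import statistics
from collections import defaultdict

# Constructed conn.log excerpt. Timestamps are epoch seconds; the column
# order follows the #fields line, as Zeek writes it.
SAMPLE_CONN_LOG = """#separator \\x09
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1740000000.000\tCa1\t10.0.0.5\t51000\t93.184.216.34\t443\ttcp\tssl\t0.8\t1200\t5400\tSF
1740000600.100\tCa2\t10.0.0.5\t51001\t93.184.216.34\t443\ttcp\tssl\t0.7\t1190\t5300\tSF
1740001200.050\tCa3\t10.0.0.5\t51002\t93.184.216.34\t443\ttcp\tssl\t0.9\t1210\t5450\tSF
1740001800.200\tCa4\t10.0.0.5\t51003\t93.184.216.34\t443\ttcp\tssl\t0.8\t1200\t5400\tSF
1740000100.000\tCb1\t10.0.0.7\t40000\t198.51.100.20\t22\ttcp\tssh\t86400.0\t500000\t900000\tS1
1740000200.000\tCc1\t10.0.0.9\t40001\t10.0.0.1\t53\tudp\tdns\t0.01\t60\t120\tSF
1740000300.000\tCd1\t10.0.0.9\t40002\t203.0.113.9\t443\ttcp\t-\t-\t-\t-\tS0
"""

# RFC 1918 plus loopback; the documentation-range IPs in the sample are
# treated as external on purpose (ipaddress.is_global would not).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn_log(text: str) -> list:
    """Parse Zeek TSV rows into dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #path, #types, #close
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def external_destinations(records: list) -> dict:
    """Baseline inventory: (dst, port, service) -> connection count."""
    counts = defaultdict(int)
    for r in records:
        if not is_internal(r["id.resp_h"]):
            counts[(r["id.resp_h"], int(r["id.resp_p"]), r["service"])] += 1
    return dict(counts)


def long_lived_external(records: list, min_seconds: float = 3600.0) -> list:
    """Sessions to external hosts lasting at least min_seconds (assumed threshold)."""
    hits = []
    for r in records:
        if r["duration"] == "-" or is_internal(r["id.resp_h"]):
            continue  # unset duration (e.g. S0 attempts) or internal traffic
        d = float(r["duration"])
        if d >= min_seconds:
            hits.append((r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]), d))
    return sorted(hits)


def beacon_candidates(records: list, min_count: int = 3, max_cv: float = 0.1) -> list:
    """(src, dst, port, mean_gap_seconds, count) for evenly spaced repeat connections.

    Regularity is measured as the coefficient of variation of the gaps
    between connection start times; the cutoff is an assumed threshold."""
    by_pair = defaultdict(list)
    for r in records:
        if not is_internal(r["id.resp_h"]):
            by_pair[(r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))].append(float(r["ts"]))
    hits = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits.append((*key, round(mean, 1), len(stamps)))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print("external destinations:", external_destinations(recs))
    print("long-lived external:", long_lived_external(recs))
    print("beacon candidates:", beacon_candidates(recs))
```

On real data, run this against a day of conn.log before tuning anything: the inventory is the baseline Vincent is describing, and the other two functions are only useful once you know which long sessions and periodic connections are normal for your network (backup jobs, monitoring agents and VPNs all look like beacons to a naive heuristic).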
Notable Quotes:
- Adam Boileau (02:44): “They had poisoned this JavaScript for everybody in the world that used the web interface for Safe Wallet. But they only targeted the one wallet from Bybit that contained, you know, a billion, billion and a half dollars. So that's pretty slick, I got to say.”
- Patrick Gray (06:00): “Whether you agree with this or not, they're seeking to normalize relations with Russia and putting a pause on offensive actions is a very sort of standard thing to do when you're entering a period of negotiation that is seeking to normalize relations.”
- Adam Boileau (10:21): “How about maybe don't do crimes?”
- Vincent Stoffer (38:02): “It's super powerful and something that the network level visibility can get you at all devices that you have that sort of level of monitoring at.”
Conclusion:
Risky Business #782 offers a comprehensive analysis of current cybersecurity threats and geopolitical maneuverings, highlighting the intricate interplay between nation-state actors and cyber defense strategies. From sophisticated North Korean cyberattacks to the controversial US-Russia cyber dynamics, the episode underscores the evolving landscape of information security. Additionally, insights from Corelight emphasize the critical role of network monitoring in safeguarding against emerging threats.
