
Patrick Gray
And welcome to Risky Business. My name's Patrick Gray. We'll be chatting with Adam in just a moment about all of the week's news. And then of course we will hear from this week's sponsor, which is Corelight. And yeah, Corelight make the industry standard NDR sensor. So if you're looking for something to stick on your network just to collect security relevant information from the traffic traversing your network, that's a great place to start. Of course, Corelight maintains Zeek, which is open source, so it's an open source NDR sensor and they also have commercial versions and whatnot as well. Vince Stouffer is Corelight's field CTO and he's joining us to talk through a few things, really. They just published a blog post about the Typhoons, the Salt and Volt Typhoons, and really noting how attackers are going where the EDR isn't these days and how, you know, you might want to spin up some basic network detections, which seems like sensible advice in this year of our Lord 2025. That is coming up later. But first up, let's get into the news with Adam. And just off the bat, if I seem a little off today, everyone, it's because there's a cyclone about to land on my head. So I'm getting today's show out the door and then I'm taking a couple of days off because it is going to be absolutely wild here. But yeah, Adam, let's start the discussion with a follow up on the Bybit attack. Last week, the thinking was that the North Koreans had actually managed to get malware onto devices at Bybit. It turns out that wasn't the case, but funnily enough, that doesn't actually change most of what we said last week.
Adam Boileau
Yeah, the details have come out that the North Korean attackers actually did this by updating the JavaScript. It looks like in the AWS kind of CDN that belonged to Safe Wallet, the people who make the multi signature wallet that Bybit uses in their environment. And these attackers, which, like, I'm just going to straight up say it, like we said lots of nice things about North Korean technique and hacking, but I gotta hand it to them with this one, like this is so good. So they did this essentially blind using only write access to an S3 bucket that contained JavaScript, or maybe a CDN in front of it, we don't know for sure. And this was set up to only target the wallets of Bybit. So they had poisoned this JavaScript for everybody in the world that used the web interface for Safe Wallet. But they only targeted the one wallet from Bybit that contained, you know, a billion, billion and a half dollars. So that's pretty slick, I got to say.
Patrick Gray
Yeah. Now, funnily enough, last week, you know, there was a bit of a discussion, should they have used a single purpose device like an iPad or whatever? And I was saying, well, no, because, you know, for 1.5 billion, you could probably buy an 0day anyway. And the real thing that you have to do is have a process around being very careful with when you whack the "yeah, okay" button on your hardware wallet. And that advice still stands because indeed, you know, you could just be dealing with a, you know, poisoned chunk of JS and it's going to do the same thing. You got to pay attention to that hardware wallet. And funnily enough, like, even in the week since we published our last podcast, you know, just looking through exactly what they had to approve on the hardware wallet and how similar it was to the regular stuff they would approve. I think the thing that really did them in, it was a change of a single digit on a very long string, wasn't it?
Adam Boileau
Yeah, basically there was a whole bunch of arguments to the kind of the API into the wallet that they were calling. And yet in order to spot that difference, you really would have had to have been checking, you know, a piece of paper, some kind of process, or have a wallet that understands your particular transactions, which, once again, for a billion and a half dollars, you probably could do with some custom code there as well. But I mean, overall, none of this really changes the fact that Bybit needed to verify what they were doing and they didn't.
Patrick Gray
Yeah, well, I mean, they thought it was a much smaller transaction, I think in the order of like $100,000. But that's the point, isn't it.
Adam Boileau
Yes, that is exactly the point. And yeah, the North Koreans, they, they just, they nailed this. They got it so good. So, yeah, my, my hat is unironically off for them. I'm totally standing for North Korea now.
Patrick Gray
I mean, you're, you're totally, like, hoping for Korean reunification, right? So that these people get to come in from the cold and we get to talk to them.
Adam Boileau
Yes, yeah, absolutely. You know, absolutely. Because I bet they got plenty to contribute to the rest of the world if they could do something productive with their time and efforts.
Patrick Gray
Yeah, yeah. Now this is, you know, we are not endorsing North Korea or the, or the regime there, but yeah, boy, oh, boy, do they have some good hackers over there. Meanwhile, their laundering is pretty on point, too. Something like 20% of the funds they've stolen are already untraceable. I think, you know, authorities have recovered, you know, tens of millions or something. But, yeah, 400 million gone.
Adam Boileau
Yep, yep, they managed to get that through, you know, through some mixers somewhere and get it to the point where it's no longer traceable. The rest of it, modulo the very small percentage that's been seized or frozen or that they understand where it is and they have some cooperation, you know, everything else is still in the wild. And, yeah, the North Koreans also know how to launder, it turns out, because, you know, there's so much money sloshing around in that kind of Southeast Asian cybercrime ecosystem that they can use to hide their transactions in that. Yeah, it'll be gone in days, I expect.
Patrick Gray
So, yeah, I mean, I said 20%. Then I saw from this story that I'm looking at, which is Jonathan Greig's one at The Record, that that's 400 million, which is clearly more than 20%. So this is a fast moving target, right?
Adam Boileau
Yeah, yeah, it certainly is. And it's, it's big money. So. Yeah, good, good work.
Patrick Gray
You know, take it easy, man. Like, let's not go too crazy with the praise for the evil empire over there in North Korea. Now, there's been a huge flap over the last few days because several reports emerged saying that various bits of the US Government were being ordered to, like, stop paying attention to Russia threats. Right. So in the case of Cyber Command, the order was apparently that they should stop preparing attacks and conducting attacks against Russian targets. And then we saw some reporting about an alleged memo at CISA where, you know, people were told to stop reporting on Russia stuff as if it was a national security threat. Obviously very controversial. Then CISA came out and denied it. And that's become interesting because no one knows whether or not to trust CISA anymore, which is a hell of a sign of the times, right, when you're actually saying, well, we're not sure that we believe this statement coming from CISA. And I think that's the real story here. When it comes to the Cyber Command stuff, that's not actually unusual given what's happening here. The United States is seeking to, now, whether you agree with this or not, they're seeking to normalise relations with Russia, and putting a pause on, you know, offensive actions is a very sort of standard thing to do when you're entering a period of negotiation that is seeking to normalise relations. Right now you can say that it's a nuts thing to do in terms of, like, trying to seek that normalisation, but if that's what you're trying to do, then this action isn't so weird. The CISA stuff does seem weird, though. We've got Catalin's report linked to in this week's show notes, which I think is excellent. But then Kim Zetter has come along and really looked at, well, what on earth is happening here and who do we believe? And she's done a tremendous job.
Adam Boileau
Yeah, both of these write ups are pretty good at kind of untangling the sort of complicated back and forth here. So, like, in the case of Cyber Command, there are the things that are already going on, like the ongoing actions inside Russian networks that may get paused. There's also planning for future operations and preparatory work for future operations, and pausing that would be, I guess, a bit more unusual in the context of a negotiation or things going on. And that's a thing that could have, you know, kind of, depending on how long things are paused for, stuff kind of gets stale. So it can have a, you know, a longer running effect. Kim also noted that I think the Department of Defense has just recently come out and said that that's not the case, that Cybercom hasn't been told to stand down on offensive operations. So, you know, we are still stuck in this case of, well, what do we believe anymore? What's going on? Is this happening? Is it not happening? You know, we've seen all sorts of, like, bait and switch stuff with Trump. When I say Trump, Trump entities, Trump organizations and staffers and stuff, where, you know, they'll say something crazy and then walk it back immediately after the effect. And we saw that with, like, sanctions on Canada or whatever else, or kicking.
Patrick Gray
Canada out of Five Eyes, I think.
Adam Boileau
That's the one, yeah, kicking Canada out of Five Eyes. Where, you know, it kind of has the necessary effect, but they don't have to wear the consequences of saying it. I don't understand. You know, American politics are so wacky these days, so who knows, man? Who knows?
Patrick Gray
Yeah, I mean, I just think Kim's done a really good job of unpacking the coverage and how it's unfolded and like, what we know and what we don't, but it's, it's very confusing. Meanwhile, the Finnish Intelligence service, according to this piece by Alexander Martin, is warning that, you know, if the war in Ukraine wraps up, that's going to free up Russian operators to do a lot of other stuff, which I think is a reasonable thing to be concerned about. I'm sure everybody still wants to see an end to that war, but this will be one of the effects.
Adam Boileau
Yeah, yeah. I mean, Russia's been tooling up, you know, both in terms of arms manufacturing, in terms of, like, a war footing for the whole economy, as well as, you know, intelligence services and hacking and things that we cover. Yeah. Like, if all of a sudden they have less to do, they're going to go do something else. And that's a concern especially for the Baltics, you know, people like Finland and Estonia and so on, that are right up in Russia's face, as it were.
Patrick Gray
Now we've got a hilarious headline here from Joe Warminski over at the Record, which is, FBI urges Crypto Community to Avoid Laundering Funds from Bybit Hack. This is an interesting approach. The FBI just asking people not to launder money. Why didn't they try that before?
Adam Boileau
Please. How about, how about just for a moment, how about maybe don't do crimes? That's the FBI's advice to just all be nice to each other.
Patrick Gray
I've just had an idea. Why don't they make laundering illegal?
Adam Boileau
Now that's something. Maybe. Yeah. What about all of the horrible stuff? We could just make it all illegal and then that would solve the problem. Good job.
Patrick Gray
Yeah. Obviously we screwed up the order there. And that story was supposed to be part of the broader discussion about Bybit, but hey, there's a cyclone coming down. I'm sorry, everybody. Now let's talk about the system working. So we've got a write up here from Catalin again in Risky Bulletin, all about Serbia and "Celebrate". And I'm saying it's "Celebrate". We've always said it's "Cellebrite". But Adam, you went off and fact checked that and apparently it is "Celebrate". They have banned Serbia. So they've fired Serbia as a customer after it turned out their tools were being used to do things that they didn't agree with, which is good. But it also looks like what's happened is Amnesty International has teamed up with Google to figure out exactly what bugs were being exploited by Cellebrite to do this. I think they were planting malware on people's devices. Is that right?
Adam Boileau
Yeah. So they were unlocking the devices to then plant malware. And they were unlocking it using Cellebrite tools that appear to, from the work that Amnesty and Google did, be kind of USB bugs. So bugs in the Linux kernel USB stack that Cellebrite was then using.
Patrick Gray
Okay, so the interesting thing is here, though, that not only has Cellebrite fired a bad customer, which we like to see, but they've also had to pay a cost here, because Amnesty International and Google have got together, figured out the bugs and they've patched them. And that's going to hurt Cellebrite now, you know, Cellebrite doing the right thing. So, you know, how badly should they be hurt? This gives them extra motivation to be more careful about their customers in the future. Right. So that's why I describe this whole thing as a story about the system working.
Adam Boileau
Yeah, yeah, and I agree, like, they are having some cost imposed on them and that's good. It will make them think twice about who they give their tools to or who they sell their tools to. And also, you know, every bug that we get patched is good overall. And you know, it's interesting, like, Amnesty provided the sort of technical artifacts off people's phones and then shared them with Google and then they worked together to identify the bugs. And so that cooperation is also quite nice to see, you know, from an organization like Amnesty, a technical organization like Google, everyone working together. And you know, in the end, the real losers here, I guess, are the Serbian government officials who signed off on this plan.
Patrick Gray
Yeah, yeah. Daryna Antoniuk over at The Record has a report about the Belgians launching an investigation into their state security service, which is the VSSE. They apparently got owned as part of that whole Barracuda device thing. So that was back in 2023 when, yeah, it turned out that Chinese APT crews had a presence on, like, you know, zillions of Barracuda email gateways. And this is one of the ones where, when authorities sounded the alarm, they just dug in deeper even though everyone was going to do an incident response. And, like, those devices had to go through log chippers, you know, pretty awful violation of norms really. But it's just interesting seeing the fallout of this extend into 2025.
Adam Boileau
Yeah, it's interesting. Some interesting detail here is that the Barracuda in question was on the outside of their network and handled relaying mail to and from some external entities, which included things like HR communications, which, if you're working at an intelligence service, personnel files are perhaps kind of more sensitive than average. Plus some other interactions with government entities and law enforcement and so on. The reports also said that they had siphoned off 10% of the agency's incoming and outgoing emails between 2021 and 2023. And that's interesting because the Barracuda bugs became public in 2023.
Patrick Gray
Right.
Adam Boileau
So it suggests that the Chinese were in there with them a good couple of years beforehand. So, you know, good dwell time there.
Patrick Gray
Yeah. And I mean, we've seen time and time again over the years that, you know, you can get a lot of good stuff by targeting unclassified systems, because this wasn't classified stuff. Right. But if you get on the Barracuda belonging to a defence contractor. Yeah, we saw this with the Chinese going after, like, various, you know, specifications for the F-35, like, years and years and years ago, stuff that wasn't classified, probably should have been, but yeah, it wasn't classified, just popping up in mail spools. So, you know, there you go. Now we've got a report from Suzanne Smalley where Tulsi Gabbard, who is the Director of National Intelligence in the United States, is gravely concerned about this alleged technical capability notice that the Brits dropped on Apple, which resulted in them withdrawing Advanced Data Protection from the UK region. I think this is an appropriate thing for the DNI to take a look at. I mean, her argument here seems to be, well, the Brits wanted to be able to get access to American data as well. I don't necessarily buy that. I would suspect that a TCN of that type would be limited to a particular region. Right. So they would have been demanding access for a certain region, but that's just me guessing. Right. So I think a little bit of this is, like, tub-thumping, but I also think it's appropriate that the DNI take a look at it. Right, where did you land on this one?
Adam Boileau
Yeah, I think I agree with you there. Like, it felt a bit like posturing in the way that it was being communicated here. But ultimately, like, if Apple has to be in a position to provide that capability to the UK, it increases the chance that other people are going to ask for it, and if they have to make changes to support it, that could weaken protections elsewhere, or it could make it more straightforward for other people to get hold of their data through legal or whatever other means. And that's a concern for American regulators. And I think it makes sense for them to go have a look, understand the implications, understand from Apple what the actual implementation of this is going to look like and what are those controls and safeguards that restrict it to British jurisdiction? You know, what do they actually look like?
Patrick Gray
Well, I mean, there aren't going to be any changes. That's the whole point. But I think it is interesting. Like, it would be interesting to look at exactly what the Brits were asking for and how, and what sort of changes that could result in. I think that's more what this is about, you know. So I think that's good.
Adam Boileau
Yeah, I think so, too. It's important information to have and just kind of useful to, you know, understand because, you know, Britain won't be the only jurisdiction that asks for this kind of thing.
Patrick Gray
Now, let's talk about Starlink again. So I was a Starlink customer for a little while when I had, you know, funnily enough, storm damage to the Internet infrastructure around here, and I had to subsist on Starlink for a while. I think it's an incredible service. Very frustrating to use if you're doing content like I do, because the upload speeds are atrocious. Talking like 3 Mbps, like, really bad. But it is a remarkable achievement. It's a remarkable product. But I have never seen so many captchas in my life as when I was using Starlink. Right. Because there is clearly a lot of abuse emanating from Starlink IPs, right. So every second website, you'd get a captcha, which was amazing. And, you know, this next piece kind of, you know, supports the idea of why that might be happening. We spoke a week or two ago about how the Thai government had cut power to certain regions to take out the power of these scam compounds. They also cut Internet connectivity and whatnot. Funnily enough, at the time we spoke about, well, I wonder how granular that was and whether or not it impacted civilians. I heard subsequently from someone else who pointed me to some work from The Economist that it did actually affect civilian populations in some remote areas. They were having trouble getting fuel and electricity and whatever. So it is a mess. But it looks like they found at least a solution to the Internet connectivity problem, Adam. And it is Starlink.
Adam Boileau
Yes. And not just one, like a whole bunch of Starlink dishes bodged on top of their scam compounds. We've seen pictures out there of the roofs festooned with Starlink dishes at a number of these compounds. And this story from Wired looks at some of the other options that they've had to use to get connectivity into these places, which in this case are on the border between Myanmar and Thailand. So there's quite a lot of using Thai mobile networks. So just buying SIM cards and getting on the mobile network, you know, even though you're geographically across the border, you're close enough for signal. They're also buying, you know, wired access from Thai ISPs. And I think there's some suggestion they might have, like, strung fibre across the river between the two countries to get connected. Whatever gets the job done seems to be the main takeaway here. And Starlink, it's not fun, but, you know, when you're human trafficked into enslaved labor, the quality of your Internet uplink probably isn't really very high on the list of concerns of your captors. So if it gets the job done, then, you know, clearly they're using it. And, you know, Starlink and SpaceX have, you know, I guess received a bunch of information about where these places are and, you know, maybe there's options for blocking it based on geographic location. But, you know, that for them has been a thing. So far, it feels like they've been a little bit reluctant to actually go ahead and do that.
Patrick Gray
But why? Why?
Adam Boileau
That's a good question. Like, if they could identify which terminals, you know, as opposed to just turning off service in geographic regions. Because we've seen, like, in the war in Ukraine, where they were turning off coverage as the borders or as the edge of the conflict moved around, that's kind of one way to do it. The other is, yeah, if you're going to identify the individual subscriber terminals and turn them off, then great.
Patrick Gray
But Starlink dishes self report GPS coordinates, you know what I mean? And there's going to be ways you can mess around with that and do spoofing or whatever, but, like, it just feels like they don't really do a lot. And as I said, this is why I was seeing captchas for a few months, like, constantly. Right. It's because it just doesn't seem like they do a lot to address abuse on the network, which ties in seemingly with Musk's sort of broader ethos. You look at X nowadays and it's just crawling with Nazis and whatever, and, you know, it's just very light touch moderation and abuse handling.
Adam Boileau
Yeah, yeah, you can definitely see how X's abuse moderation could spill over into SpaceX and how they, you know, police use of the network. So, yeah, it's not, it's not good. It's not good.
Patrick Gray
Now we got a spectacularly hilarious follow up here from Brian Krebs about that U.S. Army soldier who was behind a lot of these Snowflake hacks. Was that a year or two ago? You know, this guy basically self-doxed himself to Brian. Well, you know, to the world really. But it was Brian who pulled the threads and, like, found out who he was, and then he got arrested, and now he might be looking at, you know, he's in a bit of trouble, Adam. And, you know, the whole thing just looks worse and worse for this guy. Why don't you walk us through the guy's Google search history? Because that's just so good.
Adam Boileau
So Brian's headline, which is a beautiful thing, is "US soldier charged in AT&T hack searched 'can hacking be treason'". Which, if you're googling that, like, you know, you're not doing particularly well. But his other searches are also not great. For example, "where can I defect the US Government, military, which country will not hand me over". So: A, bad grammar. B, not going to get great results. C, that's, again, not making good life choices if you're googling that. He also googled "US military personnel defecting to Russia", so he's clearly considering the Snowden route, and "embassy of Russia, Washington D.C.", so a handy thing to have if you are going to be a walk-in there. So yeah, along with, you know, "is hacking treason", not a good time.
Patrick Gray
No, not a good time. I mean, I don't expect that he's going to be charged with treason, but that's not the sort of thing that tends to count in your favor when it comes time for sentencing. You know what I mean? Like, it just ain't.
Adam Boileau
No, it's just, it's really not a good look. And yeah, I wouldn't enjoy being his defense lawyer.
Patrick Gray
Now let's talk about the Google Password Manager being synced to iOS. Man, I just, I just. Credential management in 2025 should not be this hard and confusing. There are steps afoot to try to make it easier. You're not exactly a huge fan of all of this. Like, walk us through exactly what's going on here, because we've got another story too about how Google is replacing SMS MFA with QR codes for Gmail authentication. Like, all of these major services are starting to make big changes to the way they authenticate their users and sync their various credentials, whether they're passkeys or passwords or whatever. And the whole thing, it just feels like a bit of a mess, or maybe I'm just getting old, I don't know.
Adam Boileau
Certainly the auth ecosystem is a lot more complicated than it used to be. But that's because we used to have username and password, and most people had one password that they just reused everywhere. And that kind of level of simplicity, you know, is not realistic. And I guess that's what we're kind of comparing against. So, yes, it's getting more complicated, but no, it was not working well. So what they're proposing at this point is, if you are using passkeys for authentication, right now, if you only use passkeys in Chrome on a desktop, then everything works as you would expect. The browser stores your passkeys, you use them to authenticate. Everything is great. If you're in the Apple world and you use Safari on your Mac desktop or you use iOS, those passkeys are stored in your iOS keychain or in the Apple iCloud Keychain. So they're synchronized between your Apple devices, but they aren't shared with other browsers. And if you are a person that moves between Chrome on desktop and Safari on a phone, then your passkeys are not shared, and it's kind of confusing. So what Google has done is the necessary integration work with Google Password Manager on iOS so that you can use Google Password Manager synchronized and stored passkeys in Apple apps and in the browser, and then they will also sync across to your desktop and everything. So in that particular use case, everything now synchronizes well. And that's a good user experience improvement, you know, for the subset of users that are in that configuration.
Patrick Gray
Well, but I mean, that is kind of the default configuration these days, which is people use Chrome on their computers and they just use Safari on their iPhone. I'm one of those people.
Adam Boileau
Yeah, and me too. Right. I mean, that's how I work as well. And, you know, it's a pain having two sets of passkeys, one in the Google key store and one in the Apple key store. So synchronizing that is useful and good, but the problem with passkeys overall is that they are just more difficult to understand, and the threat model is more difficult to understand. And trying to explain a passkey to a boomer is difficult. And if it syncs more, that's good. But then of course, there's also the risks of how far does that syncing spread. And in corporate environments, things get more complicated. And this is where the whole passkey ecosystem starts to get concerning, as if you're a CISO and you're trying to understand where are the authenticators for my staff, now things are a bit more complicated.
Patrick Gray
So this is funny because, like, a very minor sponsor of this show is Yubico, and their COO comes on basically once a year and does a soapbox conversation where he'll always say something like, well, these things are a bit complicated and difficult to manage for enterprises or whatever. And, you know, this is why hardware keys have a role, blah, blah, blah. And you always get comments in mail saying, well, of course he'd say that, he's the COO of Yubico. And it just consistently plays out the way he says it's going to play out, like, a year later, you know, which is funny. But. So I'm presuming that this also synchronizes passwords and whatever.
Adam Boileau
Yes. I mean, passwords were already synced across Google Password Manager.
Patrick Gray
Okay, cool.
Adam Boileau
And you could use Google Password Manager in Chrome on iOS or on macOS. Yeah, so yeah, that was.
Patrick Gray
I don't like credential managers, which is why I didn't know that. But anyway, I've got it written down on a piece of paper somewhere.
Adam Boileau
It's a perfectly, perfectly cromulent solution.
Patrick Gray
Yeah, exactly.
Adam Boileau
On a piece of paper. I like it.
Patrick Gray
Exactly.
Adam Boileau
So the other thing, SMS. So SMS.
Patrick Gray
Oh yeah, yeah, yeah, yeah, yes.
Adam Boileau
So there was an article in Forbes which quoted a source at Google saying that they are going to introduce QR code authentication as a replacement for SMS second factor, which I think is a pretty universally good thing. It's not perfect, but it's definitely better than the current situation. So the way this will play out is, when you do username and password auth to Google and then you have to provide a second factor, instead of SMSing you a code, which we've seen SIM swapping make complicated, you will instead be shown a QR code which you have to scan with your phone. And that QR code is going to, we haven't seen the implementation detail, but the way I imagine that will work is that it will launch Google Password Manager or Google Authenticator, sorry, on your phone, which will then call back into Google and say, hey, this is device number 437, blah, blah, blah, blah, I have seen this QR code. And that does the same thing as SMS second factor, because the ultimate thing you're trying to do is bind the phone that existed in the user's possession at the time of enrollment to a phone that's in the user's possession at time of authentication. And that will be able to do this in a way that's less phishable and also avoids SMS traffic pumping schemes, which unfortunately is probably the main reason they're doing this rather than security, because it will save them some bucks.
Patrick Gray
I mean, this is the one time that we defended Musk on this program, which is when they binned SMS MFA for non subscribers, you know, for people who weren't paying for a subscription, and people are saying, oh, they're making security, you know, something you have to pay extra for. But that really wasn't it. It was just that the fraud they were having to pay so much for, like, you know, fraudulent SMSs going to, like, you know, virtual telcos in Tuvalu or whatever. Like, it was actually kind of reasonable that they did that. But I do wonder, because, like, one of the reasons the majors have not wanted to do this previously is because there is a subset of users out there who don't have smartphones. Right. So I don't know how this is going to play out for them.
Adam Boileau
Yes, I mean, I think if you are in that circumstance this is going to be a hard, you know, a hard problem. And the alternative of, like, what, falling back to phone call auth? Same problem with SIM swapping. Yeah, same thing.
Patrick Gray
But then again, I mean, if you're someone who's just using a dumb phone, you're probably not a prime target for SIM swapping, you know what I mean?
Adam Boileau
I mean, once again, yeah, probably not, you're right. But you know, also older people with those kind of setups are probably also reasonable targets for scams. So like it is difficult to come up with something because you know, if you're sitting there at Google and you're trying to design an auth scheme, you've got to design something that works from, you know, everywhere on the planet. All the different, you know, like amounts of coverage of quality of devices, of social circumstances, of all of the other complicated things that happen, even things like naming people is different around the world. It's just hard to come up with a universal solution. And there will be losers whenever they make any change like this.
Patrick Gray
Yeah, I'm just wondering if they're going to completely kill SMS auth, that's all. Or whether or not they're just going to change some defaults or whatever. I guess we just have to wait and see.
Adam Boileau
Yeah, we'll just have to wait and see because there are probably going to be some edge cases where it really is the only option. But it would be nice if it wasn't the default because right now, getting to the point with many services where you don't want, where you want to disable SMS based auth, you just have to take their phone, take your phone number away from them because otherwise they'll use it. And so it's difficult to disable that if that's the only tool that you've got as a user.
Patrick Gray
Yeah. Now let's talk about a confusing botnet. We got some reporting here from David Jones over at Cybersecurity Dive. There's this massive botnet that's been linked to Iran that is responsible for like the biggest DDoS in history. But we've looked at the numbers. Well you've looked at the numbers and it's really hard to tell like what's going on here because like apparently this botnet has more capability than there should be like connectivity going into Iran in the first place. And like apparently most of the botnet is actually based in Iran on Iranian devices. It's all just very confusing. Like what do we know here?
Adam Boileau
So this botnet 1111 bot seems to be mostly made up of compromised Hikvision devices or cameras and network video recorders. Some researchers from, I think it was Nokia's like network defense unit said they had seen six and a half terabit sustained or sustained traffic from this thing, which like that is a lot of packets from about 30,000 sources. GreyNoise set up their honeypot network to detect connections or packets from devices running this malware. And they saw something in the order of 1000 endpoints hitting their sensors over a month. So a small fraction of the overall estimate of 30,000 devices and of those thousand, something like 60% were in Iran. Now that doesn't necessarily say the whole botnet's in Iran and certainly getting 6.5 terabits out of Iran. Like I went and tried to look up like how much international capacity is there out of Iran and numbers range between three and maybe six terabits. But you know, those numbers are also very hard to, that's like Iranian government boasting numbers and then looking at the actual cable capacity of like subsea cables in, in the Persian Gulf. You know, you can't just look at a cable number and go all of that capacity is available to Iran because it's shared with all the players and blah, blah, blah. Anyway, the net result is we don't really know except there is quite a lot of packets flying around and you know, anyone getting hit by six and a half terabits of traffic is probably going to fall off. The networks are probably quite effective, but as usual, who knows, right? It's so hard to say when you're operating on a, you know, a fraction of the information and a fraction of the visibility.
Patrick Gray
Yeah, I mean, I think it's just. Yeah, I mean, that's a big number.
Unknown Speaker
Right.
Patrick Gray
So that's why we're talking about it. Like, wish we had better intel for everyone out there to tell you exactly what's going on. The why as well, we don't quite know, but, yeah, I suspect we'll be talking about that one a little bit more in the future. Just a pretty workaday story here from Rob Wright over at Cybersecurity Dive, which is that there is a. What is it? Paragon Partition Manager driver. So this is one of those legitimate Windows signed drivers. It's being used in ransomware attacks because it has a bug in it. This is, you know, bring your own vulnerable driver is something that we've seen a zillion times. But I guess it's a good news story because Microsoft will probably just add this driver to the recommended driver block list, which will be rolled out, I'm guessing, through some sort of update, and then they'll have to find another vulnerable driver to do this sort of thing.
Adam Boileau
Yeah, exactly. That's exactly. The driver lets you basically have arbitrary kernel exec, kernel write. So that's a bad time. But yes, if you're running Microsoft's updates, then you're probably not vulnerable, so that's good.
Patrick Gray
Yeah. And these sorts of drivers often used to do things like what, stop EDR, encrypt disks, all that sort of stuff. I mean, we saw that with like Shamoon in like 2010 or whatever it was, you know, like.
Adam Boileau
But back then no one checked the signatures or anything, so it doesn't matter. You could just. Yeah, it's a good news story. It's a good news. The fact that we actually check signatures on kernel drivers, that's. That's good news.
Patrick Gray
It is. It's a good news story. Yeah. And finally, a piece from Alexander Martin that we're not really going to dwell on is that this guy, Richard Amir, I don't know how you pronounce that. He's from East London, linked to the Com. He's been convicted of making indecent images of children. Looks like, you know, the typical thing where they, you know, befriend, quote, unquote, a youth online and then coerce them into producing that sort of material. I mean, this is the sort of stuff that's resulted in, you know, real trauma, suicides, all sorts of stuff. Horrible, horrible stuff. He's been arrested. Hope he goes to prison forever and has a really bad time there.
Adam Boileau
Yep, Amen. I am with you on that one.
Patrick Gray
And yeah, just for those who aren't aware, people who harm children generally do not have fun in prison, which is why they're often segregated. But not always. Sometimes there's clerical errors. So something to keep in mind. But that is actually it for the week's news. Adam, thank you so much for joining me. And I should let everyone know too. Like, normally tomorrow I would be posting Seriously Risky Business and, and whatnot, but I'm actually going to be. Well, I'll be in my office the next couple of days, but I'm probably going to be sleeping in it with my family because it's the strongest part of the house, so I'm not going to be around. So thanks in advance for filling in for me for all of my Risky Business duties and big thanks also to our new producer and editor, Amberly Jack. So thanks. Thanks to you guys and I'll, I guess hopefully I'll catch you next week, mate.
Adam Boileau
Yes. Yeah. Yeah. Well, best of luck to you, Pat. Time to go batten down your hatches and yeah, good luck.
Patrick Gray
That was Adam Boileau there with a check of the week's security news. It's time for this week's sponsor interview now with Vincent Stouffer, who is the field CTO at Corelite Networks. Or is it Core Light Networks or just call it. Anyway, it's Corelight. They maintain Zeek, which is the open source network detection and response thingy, and they make their money by selling basically Zeek setups that can deal with like unimaginable amounts of network data. Very cool stuff. And yeah, so Vincent has written up a blog post for Corelight, which we've linked through to in the show notes, which is really looking at how Salt Typhoon, Volt Typhoon, these Chinese APTs that are doing some pretty scary stuff, about how they're just going where EDR isn't, right? They're going to these blind spots of enterprise IT environments and critical infrastructure environments because, yeah, you can't put EDR on your ancient Cisco box that's vulnerable to CVEs first disclosed in like 2018 or whatever. Right. So that's basically the gist of the blog post. But, you know, the good news here is that Vincent, I guess, you know, for anyone at Corelight, they feel a bit crazy because anyone who's just doing some extremely basic NDR is going to spot this activity. So I talked to Vincent all about that and I started off by asking him what sort of detections, what sort of simple detections are getting the best results or the best yields. And here's what he had to say.
Unknown Speaker
Yeah, I think for the stuff we talked about in the blog, specific to kind of Salt Typhoon and Volt Typhoon, finding some of those initial access attempts are places where we can shine. Right. So we identify, I don't know, a few hundred different types of VPNs and we look across a bunch of different protocols, right? So it could be IPsec, it could be, you know, over TLS, it could be a bunch of different protocols. So we use a variety of techniques to identify those and then just label them and put them into the metadata. So you can examine, ah, let's see who's using which VPN type from what place to where. Right. So it'd be pretty quick to pick out, you know, an unusual set of originating hosts using a strange VPN provider and going to, let's say something like a router or a firewall or a switch that you would not expect to be having that sort of traffic come from. So I think even examining something as simple as management access to places that you wouldn't expect to or from is super powerful and something that the network level visibility can get you at all devices that you have that sort of level of monitoring at.
Patrick Gray
Yeah, well, how do you recommend people control access to those devices? Management interface. I mean, this is something that I work on with another startup. But like, what's your recommended approach there?
Unknown Speaker
I mean, I think there's a pretty simple set of kind of risk based management ideas there that are not rocket science. Right. I mean you want to use kind of local networks for management, you want to have those locked down, you don't want to have things available from the outside. I mean some of the examples of what we saw in these breaches were, you know, routers and switches being exposed to the Internet for goodness sake. Right. Even if it's over SSH like that, that's just not common sense, nor is it part of a good security program. So you know, you want to have layers of defense and one of those layers should be managing your devices with good ACLs, with segmentation, with, you know, management infrastructure that's controlled and you know, is using a least common, you know, denominator approach so that only the right people are getting in there. So I think.
Patrick Gray
But that sounds like a lot of work, Vince. I mean, let's just put it on the Internet and cross our fingers, I think seems to be most people's approaches, right? Yeah.
Unknown Speaker
And I think, you know, things like Shodan and others have, you know, limited that in terms of, you know, almost blaming and shaming people for doing that sort of thing. But it's certainly still out there. And when a new vulnerability comes out or, you know, even one that's been around where these devices aren't patched, then people are going to be scanning for it, people are going to find it and people will abuse it. So you may have been safe six months ago, even though this thing was exposed to the Internet, but now someone else has published a nice little blog about a new way to get into a Cisco router. And you know, you haven't updated your router. So I think a lot of the guidance that, you know, CISA provides is just this really common sense, straightforward, you know, approach to making sure your devices are patched, making sure your ACLs and access control and user access is maintained. And use the belt and suspenders to make sure that you're watching these things with not just network tools, but also with your logs, with your syslog, making sure that you're auditing the sort of access and any sort of changes that are happening with these devices as well.
Patrick Gray
Yeah, I mean, that's all good advice. I mean, what would you say the lift is in terms of being able to get spun up with some basic NDR? I mean, Zeek is open source, right. So it's not like people have to write some huge check to get started. I mean, as you pointed out, like a lot of your enterprise customers, they're pushing a lot of packets, right? And that's where you guys really make your money. And, you know, the open source version of Zeek is perfectly adequate for probably most organizations out there. You know, what, what would you recommend they do in terms of like a strategy just for rolling out the, the open source version of this? I mean, are you talking about just putting one north south sensor in and like what, you know, what sort of GUI or monitor, you know, what is your recommendation for a bare bones Zeek deployment? For anyone who might be listening to this, who thinks, yeah, it's probably a good idea that we watch some of this?
Unknown Speaker
Yeah, I mean, it's a good question. There, there are certainly a lot of projects out there that, you know, attempt to bundle Zeek with some other tools, probably Security Onion's the most popular out there. Right. But you know, if you just go and download Zeek and install it yourself, it can take quite a bit of a learning curve just to get it kind of up and running. Even though it's, you know, it's become easier with package managers and such. But I think going for one of the pre bundled distros and just being able to spin up a VM, plug into a SPAN port at the edge of your network somehow and start getting that data into a place where you can search and store it. You know, there's plenty of ways to get started on that without a big investment. And it will immediately yield results. Right. If nothing more than being able to identify what's coming in and out of your network in terms of the number of devices, the sort of software they're running, the types of unencrypted traffic that you can see right out of the gate, and then thinking about how you could go and start building some detections or using some other packages that the community has available.
Patrick Gray
Yeah, I mean, ultimately you want to be doing something internally as well, but what you seem to be saying is like, for goodness sakes, just start by dropping a sensor at the, at the point that your network connects to the Internet. Seems like a sensible idea.
Unknown Speaker
Yeah, I mean, I think we generally see a maturity curve of that sort of network monitoring. And that's where it starts. Right. So you've got to start by just finding out what's coming in and out of the door. And once you have that, then you'll start to become addicted to that data. Right. You'll start becoming reliant on it and saying, oh, I wish I had this on my data center A or maybe I want it on some high value assets, my, you know, AD servers or my DHCP and DNS server. Some of these things that, where you put network monitoring right in front of you will then start to get a lot more context about that other data that you're capturing elsewhere, including from other tools like EDR or others.
Patrick Gray
Well, and I would have thought the more interesting thing is when you actually see something from Zeek, which you're not seeing anywhere else, because that's what these attackers seem to be doing is they're just avoiding the most common detection stacks, assuming people aren't monitoring networks. So, you know, you might actually find. Well, let me ask you, is it the case that quite often people find stuff that is only showing up in Zeek and it can't be correlated against, you know, other log sources and that. That is a big red flag right there.
Unknown Speaker
Yeah, absolutely. And I think primarily these kind of dark corners. Right. Of the network that just end up hiding devices and things that people forget are either on the network or unintentionally put them on the network. Right. And for an example, you know, we run a bunch of OT protocol analyzers. And so we've got maybe a dozen of those that run BACnet and Modbus, et cetera, and show those off. And, you know, we don't focus like some of the other companies on that specific part of the market, but we've got visibility for it on the network. And so we went to, when we were introducing this capability, we went to a bunch of our customers and said, okay, we're going to test some of these OT analyzers out on your network because we have some research partners where they allow us to do that. And they said, sure, go ahead. You won't find anything. Right. There's none of that. That stuff connected to our IT network.
Patrick Gray
You got. You got to love it when they say that.
Unknown Speaker
Right, yeah. You know where this is going. So every single one we found, you know, at least one, if not several devices that, whether they were, you know, HVAC controllers or cameras or, you know, door stuff, machinery from, you know, the actual manufacturing side of things, whatever, we found them at every single organization that we looked at. And so even just being able to find that sort of dark corner or connected device that you did not expect will be worth the investment in some simple NDR.
Patrick Gray
Yeah, I mean, it's something that people tend to experience when they run something, a tool like runZero as well. I mean, you've got the passive approach, which is to do it via this NDR sort of stuff. You've got the active approach, which is like runZero and stuff. But yeah, it's rare that people don't find stuff they're not expecting to. And it's all network. You can't do that any other way except for throwing some packets around or observing some packets.
Unknown Speaker
Yeah, absolutely. Yeah. And I mean, the passive approach, you know, we would argue is probably the place to start. Right. I mean, it's less disruptive to operations. And also.
Patrick Gray
Well, this is a holy war discussion that you're getting us into right there. Right. Because HD Moore is a good friend of mine. I do work with runZero and they would say, well, that is true for most of them, that it can be disruptive. But there are people who've put a lot of work into being able to do active scanning. Oh, for sure of that stuff and not, you know, knock things over basically. I think that's, you know, and it's.
Unknown Speaker
Pretty valuable to have that sort of capability. I wouldn't suggest, you don't go with both. I would just suggest that you start with passive if you're going to start somewhere.
Patrick Gray
Well, and I just think the, you know, reward to effort ratio on just doing some sort of network monitoring is pretty high. Especially now. Are you seeing, you know, because quite often when you're a company like Corelight, right. Like where you're seeing the adoption might not necessarily be where you would want the adoption to be when it comes to the, you know, comes to your Salt Typhoons and your Volt Typhoons and whatever. Like among the likely target set of those campaigns, are you actually seeing decent.
Unknown Speaker
Uptake in terms of customers of ours that are in that those segments?
Patrick Gray
Well, I mean, it's hard, right, because there's a lot of open source Zeek out there as well. I just thought maybe anecdotally you would have a sense of how much those target sets are sort of embracing some basic network monitoring.
Unknown Speaker
Well, let's take Volt Typhoon for example. Right. So we have, I think, often seen that the targets for that campaign were very unsophisticated, you know, municipal government waste facilities or some.
Patrick Gray
Well, this is why, this is why I'm asking. Right.
Unknown Speaker
Yeah. And you're right that those people are not coming to Corelight to, you know, write a big check for NDR. In fact, they're barely scraping by trying to get their operations done and do the basic levels of security. So you're right. Now the question is, would they have the, you know, capabilities and time and know how and resources to even do something like NDR on their own? Maybe not. So there, there's programs like CyberSentry that is sponsored by CISA that helps actually protect some of these, you know, critical infrastructure companies that are.
Patrick Gray
Is that like a managed gateway sort of thing?
Unknown Speaker
It's, it's almost like a. Yeah, like a managed monitoring or managed response. So they, they provide sensor, they do a, you know, centralized correlation of the data that's coming back and then they watch for indicators and even do, you know, threat hunting against their.
Patrick Gray
Well, that's an extremely worthwhile and useful thing for a government to be doing in my view.
Unknown Speaker
Absolutely.
Patrick Gray
Yeah.
Unknown Speaker
And so they do use Corelight and Zeek as part of that effort. That's why I mentioned it.
Patrick Gray
Yeah. And I'm guessing though that these municipalities and whatnot, they need to opt into.
Unknown Speaker
That Yeah, I don't know what the opt in procedure is, but yeah, most of them I think are probably like, yeah, sure, we would love that. We, you know, because we have regulations coming down upon us and we need to be able to meet those. And if you're telling us you can do that for free or for very low cost, sign us up.
Patrick Gray
Well, there you have it. Investing in some basic NDR, probably not the worst thing people listening to this could be doing. If you're completely not doing that and you are operating, you know, any sort of network of scale, that's probably a bad idea. Vince Stouffer, thank you so much for joining me for that conversation. Very interesting stuff.
Unknown Speaker
Thank you, Patrick. Great to be here.
Patrick Gray
That was Vincent Stouffer from Corelight there. Big thanks to him for that. And big thanks to Corelight for being a long term sponsor now of the Risky Business podcast. I really like Corelight. I like what they're about. Community driven, lots of people submitting stuff to it. It's like the industry standard for NDR. Yeah, go check them out. And that is it for this week's show. I do hope you enjoyed it. I'll be back next week with more security news and analysis, but until then, I've been Patrick Gray, thanks for listening.
Risky Business #782 – Are the USA and Russia Cyber Friends Now?
Release Date: March 5, 2025
Host: Patrick Gray
Guest: Adam Boileau
The episode kicks off with a deep dive into the recent Bybit attack, initially believed to be orchestrated by North Korean hackers deploying malware on user devices. However, it was later revealed that the attackers manipulated JavaScript hosted on Safe Wallet's AWS CDN to target Bybit's multi-signature wallet containing $1.5 billion. Adam Boileau commends the sophistication of the attack:
“They had poisoned this JavaScript for everybody in the world that used the web interface for Safe Wallet. But they only targeted the one wallet from Bybit that contained, you know, a billion billion and a half dollars. So that's pretty slick, I got to say.” (02:44)
Patrick Gray emphasizes the importance of stringent verification processes for hardware wallets to prevent such targeted attacks:
“You just have to pay attention to that hardware wallet.” (03:37)
A significant portion of the discussion revolves around controversial reports suggesting that the US Cyber Command was ordered to halt offensive cyber operations against Russia. Patrick Gray analyzes the situation, noting the conflicting statements from CISA and the Department of Defense, which undermine trust in government communications. He posits that this could be a strategic move to normalize relations with Russia:
“Whether you agree with this or not, they're seeking to normalize relations with Russia and putting a pause on offensive actions is a very sort of standard thing to do when you're entering a period of negotiation that is seeking to normalise relations.” (06:00)
Adam adds that such pauses could have long-term implications, potentially allowing Russian cyber capabilities to repurpose their efforts:
“Depending on how long things are paused for, stuff kind of gets stale.” (08:58)
Building on geopolitical tensions, Finnish Intelligence warns that an end to the Ukraine conflict may free Russian cyber operators to engage in other malicious activities. Adam Boileau concurs, highlighting Russia's extensive cyber infrastructure and its potential redirection of efforts:
“Russia's been tooling up, you know, both in terms of arms manufacturing, in terms of like a war footing for the whole economy, as well as, you know, intelligence services and hacking and things that we cover that.” (09:44)
The discussion shifts to the FBI's recent advisory urging the crypto community to avoid laundering funds from the Bybit hack. Patrick Gray critiques the timing and effectiveness of such advisories:
“Why didn't they try that before?” (10:06)
Adam humorously suggests a more straightforward approach:
“How about maybe don't do crimes?” (10:21)
Patrick highlights a significant move by Cellebrite, which terminated its relationship with Serbia after misuse of its tools for planting malware. This action underscores the efficacy of accountability in cybersecurity:
“This gives them extra motivation to be more careful about their customers in the future.” (12:19)
Adam praises the collaborative effort between Amnesty International and Google in identifying and patching the exploited vulnerabilities:
“It's interesting, we have some nice little blog about a new way to get into a Cisco router.” (13:00)
The podcast touches on Belgium's investigation into its state security service following the compromise of Barracuda email gateways by Chinese APT groups. Adam Boileau notes the prolonged undetected presence of the attackers:
“It suggests that the Chinese were in there with them a good couple of years beforehand.” (14:32)
Tulsi Gabbard, Director of National Intelligence, expresses grave concerns over the UK's demand for Advanced Data Protection from Apple, leading to Apple's withdrawal of the service in the UK. The discussion revolves around the implications for US data security:
“It's important information to have and just kind of useful to, you know, understand because Britain won't be the only jurisdiction that asks for this kind of thing.” (16:43)
Patrick shares his experience with Starlink, noting a surge in abusive traffic from Starlink IPs, particularly in regions like Thailand and Myanmar. Adam Boileau explains how scam compounds are leveraging Starlink to maintain internet connectivity despite government crackdowns:
“They’ve been using Starlink and SpaceX... they are using it and you know, Starlink and SpaceX have, you know, received a bunch of information about, you know, where these places are.” (20:04)
A case involving a US Army soldier charged with hacking AT&T is discussed, highlighting the individual's troubling Google search history, which included queries like “can hacking be treason” and “where can I defect.” Adam Boileau underscores the severity of these actions:
“He is clearly considering the Snowden route and embassy of Russia, Washington D.C.” (22:41)
The episode delves into Google's efforts to streamline credential management by synchronizing Google Password Manager with iOS and replacing SMS-based MFA with QR codes for Gmail authentication. Adam Boileau explains the technical improvements, while Patrick Gray questions the impact on users without smartphones:
“The whole thing feels like they don't really do a lot to address abuse on the network.” (21:13)
“It just feels like they don't really do a lot to address abuse on the network.” (20:04)
A mysterious botnet linked to Iran, responsible for the largest DDoS attack in history, is examined. The complexity surrounding its origin and capabilities raises concerns about attribution and defense:
“Anyone getting hit by six and a half terabits of traffic is probably going to fall off.” (31:43)
Patrick discusses a vulnerability in the Paragon Partition Manager driver, a legitimate Windows-signed driver now exploited in ransomware attacks. Adam Boileau highlights Microsoft's swift action in addressing the issue:
“If you're running Microsoft's updates, then you're probably not vulnerable, so that's good.” (34:25)
The podcast briefly covers the conviction of Richard Amir from East London for producing indecent images of children. Patrick Gray underscores the severity of such crimes and the importance of stringent penalties:
“He’s been arrested. Hope he goes to prison forever and has a really bad time there.” (35:38)
In the concluding segment, Vincent Stouffer, Field CTO at Corelight Networks, discusses the significance of Network Detection and Response (NDR) in identifying sophisticated threats like Salt and Volt Typhoon. He emphasizes the ease of deploying basic NDR using open-source Zeek:
“It's super powerful and something that the network level visibility can get you at all devices that you have that sort of level of monitoring at.” (38:02)
Patrick Gray and Vincent explore strategies for rolling out Zeek, recommending starting with passive monitoring to minimize operational disruptions:
“You start by just finding out what's coming in and out of the door.” (43:24)
Notable Quotes:
Adam Boileau (02:44): “They had poisoned this JavaScript for everybody in the world that used the web interface for Safe Wallet. But they only targeted the one wallet from Bybit that contained, you know, a billion billion and a half dollars. So that's pretty slick, I got to say.”
Patrick Gray (06:00): “Whether you agree with this or not, they're seeking to normalize relations with Russia and putting a pause on offensive actions is a very sort of standard thing to do when you're entering a period of negotiation that is seeking to normalise relations.”
Adam Boileau (10:21): “How about maybe don't do crimes?”
Adam Boileau (38:02): “It's super powerful and something that the network level visibility can get you at all devices that you have that sort of level of monitoring at.”
Conclusion:
Risky Business #782 offers a comprehensive analysis of current cybersecurity threats and geopolitical maneuverings, highlighting the intricate interplay between nation-state actors and cyber defense strategies. From sophisticated North Korean cyberattacks to the controversial US-Russia cyber dynamics, the episode underscores the evolving landscape of information security. Additionally, insights from Corelight emphasize the critical role of network monitoring in safeguarding against emerging threats.