
Patrick Gray
And welcome to Risky Business. My name is Patrick Gray. We're going to be chatting through the week's news in just a moment with Adam Boileau and our special guest co-host, Mr. Rob Joyce. And then we'll be hearing from this week's sponsor, which is SpecterOps. And I'll be chatting with Lee Christensen and Justin Kohler from SpecterOps about some new features they've built into BloodHound, specifically designed to address risks stemming from the continued use of NTLM, the authentication protocol, which of course is still everywhere, even though it's 2025. Kill me now, basically. But it's a good interview. That one is coming up later. But first up, it is time to get into the news. And let's kick it off now. And we're actually starting this week's run sheet with some more technical research and news. Adam, I want to start off with you talking about CVE-2024-9956, which is a passkey account takeover technique that requires Bluetooth proximity. But it's interesting, and we've been talking about passkeys lately, which is why it's been talked about a lot internally here at Risky Biz over the last few days.
Adam Boileau
Yeah, this is some really interesting research. It's from a guy called Tobia Righi, he goes by Master Splinter, and he came up with an attack that's actually, it's really clever. I'm not sure that it's super practical in the real world, but it's just really clever. So the deal here is if you're using passkeys and your passkey is on a separate device, so like on your mobile phone, for example, there is what we call the cross-device authentication flow. So you go to your browser, you want to authenticate with a passkey that's somewhere else, there's a mechanism for having your phone do that passkey step for you. And the way that's normally triggered is by scanning a QR code. And this guy looked into how those QR codes actually work. So the QR code sends you to a URL, like a FIDO scheme URL, which the password manager on your phone associates with bringing up the, you know, kind of the handler for doing passkey auth or whatever else. And this guy came up with a trick where if you're nearby somebody who's got a mobile device with passkeys on it, and you could put a phishing page in front of them, so like a rogue wireless AP would be one way of doing this, you send them off to like a phishing login page for like LinkedIn or whatever. And then on your device that's nearby, you go to the real LinkedIn, you go to the, like, authenticate with a passkey, get one of the QR codes that would normally trigger interaction with a passkey on a device, pull out the URL and then, using your phished connection to the victim, you send them a redirect to this URL. So you can basically make it feel like they had scanned the QR code to their browser, which invokes the password manager. They then get a legitimate passkey invocation request. So for LinkedIn, for example, they hit yes.
And the way that this would normally work is to prove proximity, the phone would Bluetooth back to the computer doing the authentication to then pass on the response to the challenge-response part of the passkey. And in this case that's the attacker in Bluetooth range. So their browser receives the Bluetooth callback and then authenticates to real LinkedIn. And at that point you've got a session token and off you go to great victory. And that actually works. This guy implemented it. You can do this. And that's actually really cool. So, yeah, like, I mean, impressive research, practically. Like I could see this working in an airport or a hotel or a place.
Patrick Gray
Well, hang on, hang on, hang on. So you're saying the attacker has proximity, but the way I'd describe this is a device under the attacker's control has proximity. Right? Which is how these things tend to play out. I mean, the good news here is that this is actually fixable, and there have been some patches go out for the major mobile browsers to kind of address this. Right?
Adam Boileau
Yeah. So the patches remove the ability for the browser to, like, redirect to a FIDO URL internally. So one of the steps of this process gets taken out of the chain. The overall thinking, though, about this kind of, like, attacking the glue between your hardware authenticator and your user agent, your browser, like, that's, this is just, it's interesting. It's really interesting. And I think we'll see some other research along similar kinds of lines because, you know, it's pretty cool.
Rob Joyce
Yeah.
Patrick Gray
What did you make of all of this, Rob? Because I did find this, you know, like Adam, I found it interesting because everything's running towards passkeys now and you just sort of think, oh, you know, we're going to see more of this sort of thing. And like, I don't know, I mean, look, it's obviously a massive step up from, like, SMS multi-factor authentication when you're having to have Bluetooth proximity and all this sort of stuff. But, you know, you've probably heard us talking about how complicated, you know, modern auth is and how there's, you know, there's going to be badness at some point, but.
Rob Joyce
Yeah.
Patrick Gray
What did you make of this?
Rob Joyce
Yeah, two big points. The first is passkeys were always touted as phishing-proof. Right. You'd use passkeys because you couldn't be phished and lose your token. Well, this has demonstrated there is an angle to phish and accomplish a defeat of a passkey. But the second is a point I've made for years, which is details matter. And the attackers study the details in implementation over and over again until they find that crack in the seam. The good news is this was discovered, there's going to be patches. The WebAuthn, FIDO2, passkey ecosystem is going to be stronger because of it. But we're always going to see people going after the seams of authentication.
Patrick Gray
Yeah. I mean, what do you think of Adam and I? You know, we've been talking about this stuff for a while, and, you know, just the general complexity here and the unevenness of people's passkey implementations, that's the stuff that makes us feel a bit weird, you know. Do you share those concerns?
Rob Joyce
Yeah, those are the cracks in the seams that you investigate for, you know, the oddball interactions like this.
Patrick Gray
Yeah, yeah. Now, this one's interesting. We got a report here from Krebs on Security about it. Basically, it's got to the point where it looks almost certain that the people who hacked LastPass in 2022 have been cracking the material that they've stolen and they're using it to steal cryptocurrency tokens. Right. So that's been a theory for a long time. I guess what's changed here is now sort of prosecutors and various US government agencies seem to agree with that. And indeed they've linked this LastPass thing to, you know, "victim one" in official documents, who looks almost certainly to be Chris Larsen, who's the co-founder of the cryptocurrency platform Ripple, who lost, yeah, 150 million bucks in 2024, because I'm guessing he didn't change his password after the LastPass thing, which is, yeah, not great. So, I mean, it just kind of looks more and more like we've got confirmation here. I mean, Adam, we're always talking about North Koreans doing amazing stuff with crypto. We've been talking a lot about this Bybit hack over the last couple of weeks. This one, I don't believe it was actually North Koreans who were behind it, but it seems like this is where all the cool hacking is right at the moment. The people doing the most innovative attacks are all doing it to steal crypto. I mean, you know, incentives, capitalism works well.
Adam Boileau
Well, yeah, that's exactly it. The incentives push you to do creative things. And this one was interesting because, like, it wasn't the passwords that were from LastPass here. It was, I think in the Larsen case and the others that we have seen as well, they were storing the, like, the seed phrase that you use to recover the private key, you know, that is linked to the private key or lets you get the key, the randomness of the private key. And they were storing that in the notes field of LastPass. And that was one of the bits that wasn't particularly well encrypted, especially if you had a very old account where the number of iterations on the hashing or whatever that they were using to derive the keys used to encrypt stuff were pretty limited. So I don't know that you can change that without re-homing all of your funds to another wallet, which LastPass somewhat disingenuously have said that's kind of what these people should have done, and sort of a little bit victim-blamey with the stuff. So it's kind of not a great look for LastPass that it's, you know, that we're still unsure that this is how this is happening. And I'm sure they don't know for sure either. But they could be a little more, I think, proactive and responsible in, you know, taking some of the blame for this.
Patrick Gray
Yeah, I mean, I spoke to LastPass people through all of this and, you know, they were very sort of realistic and, you know, somewhat forthcoming actually about how little they knew about what exactly had happened and who and, you know what I mean, like, I think they pieced it together, but it was a lot of work. But Robert, my question for you is you've been a, you know, observer of tradecraft for a long time. I mean, do you agree with my take that the coolest stuff these days is happening around crypto thefts? I mean, obviously I didn't see the sort of stuff that you got to see at NSA, but usually when we hear about APT campaigns, they're not nearly this interesting.
Rob Joyce
Yeah, well, clearly crypto theft is paying better than bug bounties. So I think you're going to continue to see that innovation.
Patrick Gray
Now we're going to talk about a story that has been doing the rounds about a ransomware attack. What the attackers did here is they popped up on some Windows network somewhere, realized there was EDR all over it and went, ah, that's not good. So then they owned a Linux-based webcam and then connected to the network's SMB shares and just encrypted everything through the webcam. So they were, like, pulling files onto the webcam, encrypting them and putting them back. And I mean, sure, but I just, I wonder, like, maybe the indicator here, the detection, would have been that, you know, why is that webcam so hot? Why is this smoke coming off that webcam? Adam, you and I have talked about this. You know, you don't find anything particularly novel here. It's getting, you know, a lot of headlines because it does seem pretty novel when it comes to ransomware crews. But your general take here is that we shouldn't be surprised that someone's done this.
Adam Boileau
No, I mean, you go where things work. And I think it's kind of funny that the actors came in here, dropped AnyDesk on a Windows box and then brought in their tools to do ransomware. Those get immediately snapped by EDR, and then of course they pivot across using the same AnyDesk, right, because they've got initial access into the Linux environment on this cam. And to me that's the thing we've done on engagements. In my pentest days we would quite often pivot through wireless access points. I've run Responder to steal NTLM hashes, Net-NTLM hashes, off the Wi-Fi access point in the roof because it's a Linux box, convenient place to run your tooling. No EDR, no pesky antivirus. So, like, workaday kind of technique. But I think the real, like, the thing that is most amusing about this is, you know, I guess this is EDR working, right? The fact that it scared these cats off the well-monitored Windows boxes and into the trash Linux IoT environment where they have to encrypt at, you know, 30 kilobytes a second because of the poor little RISC-V core in the webcam.
Patrick Gray
Yeah, man, I wondered, like, how long did this take?
Adam Boileau
You know, like, I mean, it's funny because some of the ransomware crews do, like, the ones that write the ransomware tooling, like, they do try and compete on speed of encryption because that's the thing that matters to them. And, yeah, so I wonder if they, you know, resorted back to, you know, ROT13 or something.
Patrick Gray
I can't remember if it was CrikeyCon or Taskcon where they actually used to have, like, a ransomware race.
Adam Boileau
Yeah, it's like a shootout. Yes. So you can get there fastest. Yeah.
Patrick Gray
See who'd win. I think there was a betting pool as well to see which one would do best. I mean, look. Indeed. We had a chat with Vince at Corelight last week in the sponsor interview, talking about how, yeah, attackers of all stripes are going where the EDR isn't, which makes a lot of sense, but this is just a great way to turn a Linux shell into, like, Windows, you know, ransoming a Windows network. Funnily enough, Rob, you advise Corelight, you also advise Sandfly Security, who work on, you know, trying to get their hands around that. But even then, I don't know, like, what can you do about this? Because even if you're like, you know, Sandfly, for people who don't know, basically will log into Linux devices on your network and look for indications of compromise. I guess given that this would have taken a while, it probably would have got snapped. But this is a problem and we're going to see more of it, right?
Rob Joyce
Yeah. I think this is the exact use case that Sandfly stood up to defend against. Right. The little Linux servers that could. Those are scattered all around these environments. And people, as Adam points out, just need a shell. And so if it's unsecured, unmonitored, and off somewhere in the dark recesses of your network, that's where you're gonna go. All of this living-off-the-land stuff is focused on that. I'd even point to some of the telco intrusions. Why were they operating in the space they operated in when we had the Salt Typhoon intrusions? It's because there's defenses, EDR and other segmentation, that protect and keep these things out of the space where they can have a huge blast radius.
Patrick Gray
Yeah, I mean, I'm guessing. I've got an interview coming up with Benny Lakunishok from Zero Networks tomorrow night, I think, and I'm guessing he'll be all over this because one thing that would help here is micro-segmentation, which has historically been very difficult, but some of the contemporary tooling is pretty good. Adam, did you get the same thought when you were reading this?
Adam Boileau
Yeah. I mean, anything that segments the network up is going to make this more difficult for attackers. And yeah, I mean, that would be, like, if this was my gig, like, it would be a pain if there was micro-segmentation. I probably wouldn't go down the route of trying to find a webcam or a printer or something else.
Patrick Gray
No, because you're going to get snapped.
Adam Boileau
Or at least you're going to get blocked by it. Like, I mean, you know, no one's going to be looking at the firewall drop logs of your Zero Networks microseg, but it would still have the necessary.
Patrick Gray
You know, like, I don't know, man, your webcam trying to connect to all of your network shares is probably something that'll get noticed in a log.
Adam Boileau
You'd hope so.
Rob Joyce
Yeah. And you want to think about those exposed SMB shares. Now, it was exposed internally, but still.
Patrick Gray
You know, convenience jumps, right?
Rob Joyce
Like, they gotta be accessible, but should that have access?
Adam Boileau
Yeah.
Patrick Gray
Now let's talk about a backdoor that wasn't. It's funny, actually, this story, I first heard of it, you know, Dmitri Alperovitch, a friend of mine, co-founder of CrowdStrike, he was traveling, he texted it to me because he thought I'd find it interesting. And I said to him, man, it's always something left behind by a developer. That was my first reaction. And it looks like that's right. But even more than that, it looks like what researchers have found here is actually documented functionality. So there's this ESP32 chipset which is used in IoT devices, does Wi-Fi and Bluetooth as well. Some researchers have taken a look at it and looked at how to abuse functionality in those chips for great victory. But again, like, not really exploitable over the air, not really that big a deal, but still made a lot of headlines. Why don't you start, Adam, by walking us through what the actual research is here?
Adam Boileau
So the research here is really looking into the internal plumbing of the ESP32 system on a chip, which is a combination of a microprocessor and then the radios for Bluetooth and Wi-Fi. And these things are cheap and pretty widely available, and so you see them a lot in small IoT devices. Basically, the researchers here, it's a Spanish research company called Tarlogic, a Spanish security firm, and they were looking at ways to use these devices for more creative kinds of Bluetooth attacks or research, so as a more flexible kind of general-purpose radio device that they can use. And they explored the functionality that the firmware of these devices uses to control the radio hardware. And it has a bunch of things that really amount to, if you have arbitrary code execution, you can execute arbitrary code. So not really any privilege boundary being crossed here. And where some of the, I guess the confusion comes in is that in more full-featured devices, so like Android phones or, you know, anything where you've got really user-controlled general-purpose applications, the radio chip is kind of separate. And if we were talking about this kind of functionality being exposed in, like, a Qualcomm modem on an Android device that you could hit from an Android app, that would be bad. And sort of, you know, all Rob's colleagues back at the NSA, that's the sort of thing they would love. Like, land in a box, pivot sideways into the baseband. Now you've got a great place for long-term access. You're in a privileged place to do interesting stuff. You can abuse other hardware functionality. If you are using an ESP32 in that kind of context, this might be interesting, but that's not really what these chips are used for. They're small, they're low power, they're not full featured like that.
And so I think the research in this case either got pumped for marketing or it's kind of some confusion between, you know, if you had someone who's really technically gifted but doesn't necessarily have enough experience to understand the overall kind of context, you sometimes get this kind of confusion in how research is presented. So, like, solid technical work, but it just doesn't mean backdoor like we've seen in the headlines.
Patrick Gray
Yeah, I mean, you would have probably had the same take on this one, Rob.
Rob Joyce
Yeah, I think powerful commands that aren't well understood are a poor choice, but not a backdoor for me. I frame this up as it depends a lot on your threat model. So Adam talked about, you know, some of the fun things you could do if you had this isolated processor that somebody had to trust. You know, I don't want a compromised user space on the host to automatically guarantee that you can get to a compromised Bluetooth controller or firmware. So you could do interesting things with that. But it's a lot of work for something that you can probably achieve in another way. Unless you're, you know, protecting against the most serious attackers with the most well-resourced kind of ideas, in which case.
Patrick Gray
I think the point is those chips are unlikely to be present in those sorts of environments. Right.
Rob Joyce
Yeah, probably. But, you know, well, in.
Patrick Gray
In the United States, in the Five Eyes countries at least.
Rob Joyce
Yeah, we talked in the first segment about remote access to then do your bidding to get a passkey phish. You don't have to be local if you can get a local device. Well, here's a little local radio that might be in your environment. So you reflash that through this vulnerability and chain it to that other one. And that's how the most advanced attacks happen. Our North Korean crypto bros, maybe phishing passkeys on this next week. Who knows?
Patrick Gray
Yeah, let's see.
Adam Boileau
ESP32s in the tans. Good target. Yeah, good point.
Patrick Gray
Yeah, yeah, yeah. So look, we don't really need to talk about this one. It's just funny. One of the co-founders of Garantex, which is, you know, doing crypto, it's a cryptocurrency exchange that's done a lot of laundering. It's been in trouble with the US and sanctioned and, you know, dismantled and whatnot. So years of trouble with these guys. He got picked up on a holiday in India with his family, which is quite funny. So now he's headed to the United States to be presumably imprisoned for a very long time. And I just, again, I think it's very funny that these people who are already sanctioned by the US government take holidays to places where they can be arrested. Right? Like, that's the takeaway here.
Rob Joyce
See, no, Patrick, I had a different takeaway too, though. He got sanctioned. This exchange got sanctioned for facilitating crypto money laundering. And as soon as they were sanctioned, there was a surge in the amount of crypto that was laundered through that exchange. I think the US government sanctions announced that they were a bad actor and you could move your currency through there with impunity.
Patrick Gray
Incredible advertising.
Rob Joyce
Yeah, it's kind of the old adage, right? There is no bad press.
Patrick Gray
Well, it's funny, right, because you talk to Brian Krebs and there's, like, a lot of these people want him to write about them because, for the same reason, right? Which is, like, you get covered by Krebs and business goes stonks, right? That's so funny, just how it be. But yeah, he's going to have a bad time. Now let's touch briefly on this story about a VMware ESXi vulnerability, or vulnerabilities, which when chained together are a guest-to-host. Which is obviously really bad. You know, VMware, less relevant than it was, say, 10 years ago, but there's still so much of it out there. Right. Which is what makes this a problem. But the real story here is that there was a bug in the Broadcom, like, licensing panel or whatever that prevented people from being able to install a fix. I imagine there's plenty of CISOs listening to this who would have been pulling their hair out over this over the last few days. I mean, that's basically the story in a nutshell, isn't it, Adam?
Adam Boileau
Yeah, yeah, exactly. Like, Broadcom did bad things to your VMware, you're going to have a bad time. And, yeah, I don't know what we expected. You know, this is totally what we expect from Broadcom.
Patrick Gray
Yeah. And Shadowserver reckon there's like 37,000 of these things, like, on the Internet. God, yeah. Does this depress you, as someone who was formerly the cybersecurity director at NSA, like?
Rob Joyce
Well, the people that have public-facing ESXi servers are not the kind to patch quickly, so it doesn't surprise me that those numbers are high and will not go down fast.
Patrick Gray
Yeah. In other news, Apple's just patched a couple of WebKit bugs that they say are extremely sophisticated. So I'm guessing they just rumbled one of the big spyware companies or an intelligence service that was using one of these bugs, which is unlucky for them, but they have now patched that. I don't think we really need to talk about that anymore. So you do have something here. Yeah, go on.
Rob Joyce
After you upgrade, go turn off Apple Intelligence because it gets force-enabled after the damn update.
Patrick Gray
Well, that's assuming you don't want to run Apple Intelligence. And I for one love getting my notifications turned into garbled, meaningless text. It's such a great feature.
Rob Joyce
And it parses through all your Signal messages as well.
Patrick Gray
Yeah, yeah, fantastic. All right, thanks for the tip. I'll get onto that. What else have we got here? Does it go through your Signal messages or just through your notifications? Your Signal notifications as they come through notification services? Because, I don't know, would they actually go into your archive, though?
Rob Joyce
I thought you have to turn off the access to it, but I don't know if that's for notifications or the archive.
Patrick Gray
Yeah, right. It's still, yeah, I get where you're coming from, though, so I'm going to take a look at that when we're done. Now, let's talk about this DDoS against X, formerly Twitter. They started having outages, was that yesterday? Day before? They started having massive outages and it looked like it was a DDoS attack. Musk did what Musk's going to do and came out and said, probably because there were some Ukrainian IPs in the data set, he's like, it's Ukraine, you know, because they don't like me, because I'm, I don't know, whatever. Who knows what goes through that guy's head?
Adam Boileau
Because everyone DDoSes from their house, right? No one uses other devices.
Patrick Gray
Exactly. But it's, like, an interesting enough attack because it looked like the reason this was possible is because the attackers discovered the, like, X origin servers which weren't being protected by Cloudflare and just hit them. Which is a story as old as time. So, you know, thankfully it's pretty easy to mitigate that kind of thing, which shouldn't have really happened in the first place. But since then a pro-Palestinian group has claimed credit for this attack. So, you know, what more do you say about that one? But the reason we're starting off with that one is because there's actually a bunch of, like, botnet-related news these days. I mean, Adam, you and I started out in this field, and certainly Rob did, when botnets were made up of Windows machines, right? Like, they were all WinXP boxes pre Service Pack 2. Those were your botnets. Now it's all gone Mirai. Everything's a Mirai variant these days. We've got people building botnets out of TP-Link routers. We've got Chinese APT crews building essentially giant ORB networks with IoT. I mean, this is just where we are, right? I mean, Twitter, it's almost certain that Twitter was getting DDoSed by a Mirai-like variant. Rob, you know, you were, as I mentioned earlier, NSA's cybersecurity director until last year. You know, how much time do you put into worrying about this sort of stuff from a macro perspective? Because it's always seemed to me to be more of a nuisance than anything else.
Rob Joyce
Yeah, so the botnets for DDoS are a nuisance and commercial industry does a really great job of mitigating that. But what we did worry about were the use of botnets for infrastructure. So everybody knows to block dirty IPs, but the attackers have gotten more and more sophisticated about how to bend their traffic through things that have reasonably good reputations. And so if you can just pwn a bunch of TP-Link routers all over the US, those endpoints often look like your work-from-homes. They look like your customers. They look like people that should be touching the edge of your networks. And so that's a good way to get better reputation and shed the stink of dark corners of the Internet or attacker origination IPs. So that's the concern with these botnets. And that's, you know, why you hear us talking about the TP-Link concerns significantly.
Patrick Gray
So that's the headache. It's less about the DDoS traffic and more about one that is sitting there compromised, not having, like, mass scanning coming out of it. So it doesn't pop up in GreyNoise. Right. It's just sitting there waiting for someone who needs a jump box to go and do stuff.
Rob Joyce
Right. And there's enough of them you can use it single-use and pop out one time. And so you will never have that in a threat feed. You will find the ability to block and understand those is very hard from point data if you don't have kind of a view above the fray.
Patrick Gray
Yeah, yeah. I mean, there's the TP-Link stuff. If you want really good reputation, you might attack some enterprise kit sitting at the edge of a small to medium business. We saw those attacks, Chinese attacks against Sophos equipment, where they were able to actually fight back in hilarious ways. I'm sure you saw that news and enjoyed it, Rob. But, you know, just on that, do you think the vendors need to be doing a better job here? Because honestly, I just don't understand how it's 2025 and we've still got, like, you know, equipment designed to sit between an ISP and a user that doesn't collect or transmit any telemetry. I would have thought that's table stakes these days. And even among the enterprise ones, they don't do it. Like, forget about your TP-Links. Even, like, firewalls that cost tens of thousands of dollars, the manufacturers aren't instrumenting them. Do you think they should?
Rob Joyce
Yeah, I think we need not only instrumentation, but we need a lot of care in the, you know, the firmware and the underlying code that's inside those so that they are not as easily exploitable.
Patrick Gray
Yeah, but they're always going to be exploitable, which is why I sort of keep leaning on the telemetry thing. Right. Because when people start doing stuff at scale against these boxes, like, it would be good to know about it, I think. I mean, crazy idea.
Adam Boileau
The TP-Link bug in this case was, like, straight-up shell metacharacter injection in a web parameter. So yeah, clearly more care in the underlying software. But I think you're right that, you know, having visibility of this stuff is good for the big, you know, the kind of big-scale things. But, you know, when it's a one-off proxy like Rob's talking about, then yeah, that's a bad time.
Adam Boileau
Yeah. Now look, something to follow up on. Last week you and I spoke about this 1111 bot which apparently did a 6.5-terabit per second DDoS attack and it was coming from Iran devices in Iran. And we talked about this and said, well, like it doesn't quite feel right this story. Turns out your instincts there were pretty, pretty on point there. Guy, walk us through this report from cybersecurity dive.
Rob Joyce
Yeah, it looks like we're seeing some walking back of the scale of that particular botnet. It was a Mirai variant, it turned out that was hitting I think high silicon devices that make, they make cameras and network video recorders and that kind of thing. The idea that it was all coming out of Iran certainly didn't stand up from a bandwidth point of view. But it looks like that is actually smaller than we thought and kind of just another Mirai which can kind of muddy the waters a bit because people, some of the Mirai botnet users, because that code is open, sometimes people will add bugs to them without even really checking that they work or that they're usable in the way that they think. So we've seen exploits that straight up don't work added to Mirai botnets. And then all of a sudden you see thousands of exploit attempts hitting stuff on gray noise or whatever else and in fact actually it's never worked. Then it ends up in the cisakev list even though the bug never actually worked. So yeah, some of these metrics can be confusing using.
Adam Boileau
Yeah, yeah, that's funny, right? Known, exploited, made up bug. That's great. Yeah, known, tried, exploited, exploited bug that doesn't exist. Now we got some follow ups here on the Bybit thing. You know, this will be our third stab at this story. So as it stood last week we talked about how it was a developer at what's the company called? Safe Wallet. Yeah, that got owned. Now it looks like we know how they got owned.
Rob Joyce
Yes. So the developer at Safe Wallet apparently downloaded a malicious Docker image from somewhere, ran it up on his Mac and it compromised him with some fairly like common garden Mac malware that we've seen North Koreans using before. And then the North Koreans attempted to gain access, attempt to enroll MFA devices for this guy's AWS account. So he was logging into AWS to go about his business in Safe Wallet's infrastructure, they called the API endpoints to add a new MFA token, failed. And then at that point, the North Koreans like, okay, we are going to have to stay on this guy's box and only use AWS when he's active because they can post auth, grab a session token out of his, you know, AWS command line or whatever tooling he's using. So they started aligning their work hours to his and then they use that access onwards into Safe Wallet's AWS from there, as we saw, Trojan the CDN to deliver bad JavaScript and onwards to $1.5 billion worth of crypto. So good job. We've seen Safe Wallet published a bunch of details. Mandiant's in there investigating at the moment, and this seems to be. They've got a timeline of kind of what this looked like. But I mean, overall, as I have said, every time we talk about this, like, North Korea. Hell yeah. Like, these guys know how to hack. They're so good at it. Yeah.
Adam Boileau
Bring on reunification so that we can have them on as guests. Yes. Because this is like state activity. I mean, is it criminal or is it a state activity? Like, are they going to get in trouble when they're just doing their jobs for the military and under duress, we can probably have them on his guests.
Rob Joyce
I wonder if that'll be amazing. I'm so here for this. We should absolutely do that. One other tiny bit of Safe. Safe Wallet things that I stuck in the news list this week was.
Adam Boileau
Well, hang on, hang on, before you go there, I mean, there's an interesting thing that you didn't touch on here, which is how did that Docker container, like, wind up getting onto their computer? And this to me is like, the North Koreans have such an amazing track record of throwing out Trojan and compromised tooling that is used by people in the crypto space. So the question is, were they targeting Safe Wallet specifically or did they just throw this out there and they. They accidentally caught a whale, right?
Rob Joyce
Yeah, it's a good question. Like the. The Docker image was called MC based Stock Invest Simulator Main. So that sounds like it may well have been pretty broad brush targeting and just see where you land. And clearly they, you know, very much landed in a good place or in.
Adam Boileau
Which case this completely validates their approach. Right. Which is to hit the supply chain and then, you know, instead of just doing a, oh, well, we got code execution and you know, and then really leaning into a proper operation. Like, again, I'm with you on this, man. It's impossible not to like respect this and, you know, respect the game. Game is game.
Rob Joyce
Yeah, yeah, yeah. I mean, I imagine, Rob, you must feel like if this was your guys doing this, you'd be like, hell yeah. Be as on me buddies.
Patrick Gray
Yep, Pretty proud. But I think, you know, in this space they got them to accept a Docker image because it's a container, it's got to be safe. But if you provision that the wrong way again, the devil's in the details, right? The details make you secure or insecure. They lit them up. They lit him up.
Adam Boileau
So help me, help me settle an argument here that I've been having with Dimitri for like a couple of years now where he says, you know, during his CrowdStrike time, he always thought the North Koreans were. He thinks the perception of the North Koreans is like a second rate actor historically, are wrong and that they were, they were you know, always really creative and really, really good. My argument is more that, okay, that might be true, but they hadn't really scaled their capability until more recently. And it seems like they're sort of everywhere at once. You know, what, what's your feeling on that as someone who was, you know, more actually directly concerned with this in recent times?
Patrick Gray
Yeah, I think they had a couple high end actors who were world class even in the early days, but they couldn't do the scope and scale. And now they've trained out that tradecraft, they've developed a larger pool, they've got some standard methodology they use and then you can bring in the next generation who brings new thought and ideas. But necessity is the mother of invention, right? They don't have things. They need things. They're going to try stuff nobody else will.
Adam Boileau
Maybe we can have a new operation paperclip after reunification, you know what I mean? Get these, get these guys a condo in the D.C. area, you know, what do you think? What do you think, Rob?
Patrick Gray
Yeah, I don't know about that.
Adam Boileau
All right, now, Adam, you were going to follow up too on another angle to the Bybit thing.
Rob Joyce
Yes. So they also published some advice about how you should verify transactions that are going through Safe Wallet multi signature process. If you're using a hardware wallet, which was like, this was the core guts of how Bybit got hacked. And so they published some advice and I've linked through to it because I think people would want to see, like, what do you actually see in this interface? What do you actually sign on your hardware wallet? They've got some screenshots of the interface from Safe Wallet's web UI and Then also what you also see on your hardware token, and you will note when you read it that one of the things you have to do is look at the raw, what they call raw data value in the screenshot, decode it using some third party tool to see if it's what you expect, and then check that that matches the same kind of string of hex that you're signing on your wallet. And when you read this process, and then you ask yourself, does this feel appropriate for authorizing a $1.5 billion transaction? And the answer, of course, is, hell to the no, it does not. What were you thinking? And if people are wondering how this happened, this is how this happened. Thanks.
Adam Boileau
Crypto. Yeah, I mean, I kept thinking back. You ever see the Adam Sandler movie, the Wedding Singer?
Rob Joyce
I have, I guess. What was it, early 2000s?
Adam Boileau
Yeah. I mean, I just keep thinking, okay, you've published this advice, but you remember when he gets left at the altar towards the start of his movie by his fiance and she winds up explaining to him, no, I'm just not ready to get married, and blah, blah, blah, blah. And he says, that's great, but this would have been useful information yesterday. That's kind of where I'm at. Yes, with that one. But, you know, great that they've published the advice. $1.5 billion later, we've got John Greig's report from the Record here about indictments against a whole bunch of criminal charges against, you know, Chinese government backed, you know, some in government, some working for contractors, including i-Soon. They were apparently behind the Treasury hack and a bunch of other things. This is when they actually got on Yellen's computer. It occurs to me here that there's a very solid reason to do an indictment like this. Because the argument is that China was using contractors to kind of be hands off and to try to provide a little bit of deniability. An indictment like this says to China, nice try. We know it was you. We see what you were doing. It didn't work. I mean, is that, is that. You know, Rob, I think you're the right person to answer this. I mean, do you think that's a reasonable take on this indictment?
Patrick Gray
That is certainly one of the pieces, right? I love the i-Soon leaks. Those are the gift that keeps on giving. That showed us a whole bunch about the ecosystem, the tradecraft, the types of tools, and the fact that some of these companies are just frocked to go out there and operate on behalf of China or even independently to pull back data which they have every intention of selling and marketing back into the intelligence services and the military. So it really just outlines the ecosystem and the way they operate.
Adam Boileau
Yeah, I mean, it's a wild idea.
Patrick Gray
Right.
Adam Boileau
Which is the equivalent here would be, Adam, go pull together a few people, go hack a bunch of stuff in Beijing, collect a bunch of data, and then see if ASD wants it.
Rob Joyce
Sounds like fun, honestly.
Adam Boileau
I mean, it does, but it also doesn't sound like a really good way to run intelligent services.
Rob Joyce
It's only a problem if I wanted to go to Hong Kong or Macau. Right? I mean, if I don't want to.
Adam Boileau
Go, I wouldn't recommend it already, pal, but, you know.
Rob Joyce
Yeah, yeah, exactly. Right. So in that case, like, what's my. What's my incentive not to, if ASD was buying.
Adam Boileau
Who knows, maybe in the future you'd get arrested in, you know, going on.
Patrick Gray
Holiday in India down Apt for hire.
Adam Boileau
Yeah, yeah, that's it. Alrighty. So now we're going to talk, Rob, about. About you and comments you made to a committee in the United States. It was the. It was the House Select Committee on the Chinese Communist Party. So you turned up and said that you had some pretty serious concerns about some of this sort of DOGE stuff about various people being laid off in the US Government and in the intelligence community. Specifically, you said, you know, so for those who have. Haven't been, who aren't caught up, and it is hard to keep up. At the moment, it looked like the US Government, a bunch of US government agencies, started laying off people whose employment status was listed as probationary. And the thinking, presumably among the people who made this decision is if you're probationary, you're a new hire. It subsequently transpired that, well, no, you know, if you're promoted, you know, if you're moving up through the ranks, you know, there's a good chance you're in a probationary role and these people were losing their jobs. You, your testimony basically said, this is a problem for the national security of the United States. Do you want to just give us a quick recap of the guts of what you said?
Patrick Gray
Sure, Patrick. So the reason I was there was talking about that Chinese threat and what we need to be doing about it. And I talked about three legs of a stool. There is some actions to deter, there's some actions to defend, and there's actions to make us resilient. And in that defense space, you've got to have talent, and industry has talent, but government needs talent as well. And the current environment is just undercutting a lot of the talent base, the special capabilities we have. I spent 34 years at NSA. I could have added a zero to my salary at multiple times during my career had I walked out the door. But I stayed for the mission. There was cool stuff to do, but it was the mission, it was the importance of that. But I felt safe and secure now when I came into NSA. For NSA, the first two years after you're hired, you're in probationary status. It's perfunctory. It is, you know, unless you're, you know, you're screwing up and you're doing good things, you expect to be able to ride through your probationary period. Well, this took away the understanding that, you know, people were safe in that two year period.
Adam Boileau
But to be clear, this isn't just new staff, is it? This includes people promoted into other roles.
Patrick Gray
So in some cases there's some special programs that were established that required people to enter probationary status. So NSA has always had special hiring authorities and some specialty pay scales for technologists. CISA got some new authorities and part of those authorities took people who were in jobs and transitioned them into these new roles. And at that point in time, part of the transition was they had to enter a probationary period. So it put them at risk. For NSA, the other place it impacts was the military hires. So we get people who have served a full military career, they're retiring, they've done jobs inside NSA, inside Cyber Command, inside the Cyber Service. They're skilled, they're exceptionally talented. Now they're coming on board and they enter this probationary period and again, you know, we've already tested them in the chair that they're in now, but they just wore a uniform at the time. So we know they're performing. So it's perfunctory, but now they're at risk. And so there were carve outs for national security, but there's a lot of ambiguity about what that did or didn't apply to. And so what you've got are all these probationary employees who are panicked to be able to support their families. And so they're looking at the options. So the best of the best are the people who are going to have options, feel secure, to be able to pull the ripcord and to leave the national security pipeline and go out and do something else. And you know, those are the people that were impacted. The other thing we do is, you know, we have a lot of skills that aren't taught in university. So we bring in people and we put them in development programs for a couple or three years. And, you know, those programs are just our talent, lifeblood of exceptional people that will come up through the ranks. And what you had here was those programs were almost entirely probationary employees. So, you know, this is a huge problem. 
And not only is it a problem for today, but all the recruits that we would want to bring in next year and the year after and the year after are going to wonder, you know, am I going to come in and a few months later be the subject of this probationary reductions in force?
Adam Boileau
Yeah. We were chatting earlier, too, and it looks like Elon Musk is making some noise also criticizing the NSA for trying to recruit new talent at historically black universities as well. Is that right?
Patrick Gray
There's been some posts. You know, our recruiting pipeline is diverse in both schools, people and skills. So, you know, that's, that's important. I mean, to be clear, equate to DEI.
Adam Boileau
Well, I mean, this is the thing, right. I mean, I think people might misunderstand. Some people at least might misunderstand that, you know, recruiting is a challenge for agencies like NSA and reaching out to, to, you know, reaching out to a diverse number of candidates. It's not about being nice to minorities, per se. Right. It's about actually fulfilling a need, which is to get bums on seats, as we'd say, and to get people in, recruited and actually working on the mission.
Patrick Gray
Yep. So, you know, my, my mantra all the way along has been cybersecurity is national security, and so we don't want to erode the special talent and pipeline we have.
Adam Boileau
Yeah, yeah. So, look, first of all, it is kind of unusual that someone of your standing is actually prepared to come out and actually criticize the, the Trump administration. The silence from everybody is quite deafening. You know, did you have any reservations about saying what you said in that committee?
Patrick Gray
Yeah, it's important. You know, I talked about the concerns that the workforce has, but it's important for them to see somebody speaking up for them and. Right. I'm, I'm not NSA anymore. I don't speak for NSA, but they understand that. I get it. And, and I understand the stresses and the concerns. And so, you know, it was nestled into a much larger, thoughtful, I think, conversation I had with Congress. But, you know, yes, it did get plucked out and got some, got some press.
Adam Boileau
Yeah. I mean, I guess my question is more about were you concerned about blowback?
Patrick Gray
Yeah, this is important and, you know, at times it's important to talk about those truths.
Adam Boileau
You mean, sometimes it's important to show a spine and actually speak the truth. Good. Good for you. Now, look, one other thing we're going to talk about here is the United States withdrawing signals intelligence support from Ukraine. And then overnight, just as we record this, they have now restored that sharing. You know, I imagine that would have been difficult to watch from your perspective. Do you have any thoughts that you can share on that?
Patrick Gray
Yeah, I just know how important that intelligence sharing is. Right. It enables the understanding of what attacks are coming, you know, the technical capabilities from cyber to kinetic that people are up against. And so if you're going to defend and save lives and face it, there are a lot of civilians in the path of these attacks. You need intelligence. And so I am really, really pleased to see that we got that turned back on.
Adam Boileau
Alrighty. Well, look, we're going to wrap it up there. Rob Joyce, thanks so much for joining us on this week's show to talk through the news. You know, pretty technical run sheet this week as well. So that was, that was a lot of fun. And of course, thank you for sharing the details of your congressional testimony.
Patrick Gray
It's always great to talk to you, Pat and Adam, thanks.
Adam Boileau
And Adam, that's it for us, mate. I'm going to wrap it up there and onto this week's sponsor interview. Thanks for joining me. We'll do it all again next week.
Rob Joyce
Yeah, thanks so much, Pat, and thanks a lot, Rob. Always great to have you along.
Adam Boileau
That was Adam Boileau and special guest co host Rob Joyce there with a recap of the week's news and a bit of a discussion there about Rob's testimony to the US Congress. It is time for this week's sponsor interview now with Lee Christensen and Justin Kohler of SpecterOps. SpecterOps, of course, makes the Bloodhound tool which can help you work out an attack graph basically for your Windows network and really help you to improve things there so that it's not just a free for all if someone gets a shell like anywhere. So, you know, always a worthwhile exercise to go through some bloodhounding. But they've been doing some work recently on figuring out how to address some of the risks presented to networks by the legacy authentication protocol NTLM, which despite being something like 30 plus years old, is still rattling around and functional on Windows networks and quite difficult to turn off. This is going to be a problem for another 10 years. So, yeah, Justin and Lee, join me to talk through all of that. And here is Lee Christensen first of all, to kick off that interview. Enjoy.
Lee Christensen
NTLM is an authentication protocol first and foremost. So Active Directory has a lot of different ways that you can authenticate. NTLM is one of them, but it also supports things like Kerberos or Active Directory certificates. Now NTLM has been enabled in Active Directory for like what, 25 years? Since the early 90s. So it's been around since the NT days and just due to compatibility, it's stuck around all these years. And because of that, like naturally attackers want to abuse it because it's still here, it's still enabled, it's used for authentication. That's our favorite thing to abuse as an attacker is trying to impersonate people. So obviously if it's there, we're going to use it and abuse it as much as we can.
Adam Boileau
So look, it has inherent weaknesses for those who weren't around in the, and by the way, early 90s, that makes it more like 35 years old, man. Like that's, that's how far times, times got away from us. But like, why don't you tell us what those inherent weaknesses are for those who might not be familiar?
Lee Christensen
Yeah, so there's, there's a lot of different ways that we abuse it on like our pen testing or red teaming engagements. But some of the different ways that it can be abused are the hashes it uses are just weaker. So if you get access to the hashes you can crack them much quicker. There's also weaknesses in terms of when you use, when you try to authenticate with NTLM, you can potentially relay that somewhere else. So let's say I coerce Justin here to authenticate to me as the attacker. When he authenticates to me, I can relay that or just pass that on to another machine and impersonate Justin when I log into that other machine.
Adam Boileau
Yeah. So basically once you're on the network, it's pretty easy to impersonate basically anyone if you're on the right bit of the network.
Lee Christensen
Yep.
Adam Boileau
Yeah. Which as a pen tester comes in handy.
Lee Christensen
Yeah. And I'd say as a pen tester, like when I was first getting started in this industry, this is one of the first things I learned. You spin up Responder or do ARP poisoning and then you'll coerce somebody to authenticate to you and then NTLM relay to get access into Active Directory. So super old like pen test 101 technique.
Adam Boileau
Yeah. So I mean, how many people are actually using this as their authentication method these days? Because as you pointed out earlier, there are better alternatives now available for you to use in Active Directory. Like why aren't people turning this off?
Lee Christensen
Yeah, I'd say the biggest reason is just because it's on by default. Like it's been there since, you know, Active Directory started and Microsoft just hasn't disabled it. You can disable it in a variety of different ways, but out of the box it's not disabled. And so people aren't going to change it if it's not breaking things.
Adam Boileau
Are they changing this, though? Because I did see something. I mean, I'm just. It's a bell ringing in my head that they're ripping it out of like future versions of Server or turning it off by default. I can't remember exactly what the change is, but it does sound like Microsoft is glacially moving towards kind of trying to address this. Like, where's that all at?
Lee Christensen
Yeah, I'd say glacially is the right choice of words there. They've stated that they are going to be removing it, but so far I have not seen any movement towards that. So Windows 11 is slated to have it removed in, I don't know, this year, but we haven't seen that happen yet. There's been a lot of improvements in the server versions of Windows, but they've stated still in the release notes that it's now deprecated, but it's still enabled, so it's still there. It's just considered deprecated. Like it's not going anywhere yet.
Adam Boileau
So, like for an organization that is using a different authentication protocol for Active Directory, you say it's turned on by default. Like, is NTLM still the default way that the clients talk to the server or it's just enabled by default as an additional method?
Lee Christensen
It's enabled by default as additional method, so it'll try and use something more secure like Kerberos if it can. But NTLM is still there and I as an attacker can choose to use that if I want to and it'll still work.
Adam Boileau
Yeah. So you can ARP spoof and then say, I'm your directory, you must authenticate to me with NTLM and the client will do it. Yes, yes. Okay, that seems extremely not great. So the question becomes if this is such a glaring issue, and you know, as best I understand it, for the last 25 years it has been what is stopping people from then just disabling NTLM as an authentication method.
Lee Christensen
Yeah, so there's a few different reasons. So Microsoft allows you to disable it at a variety of different levels. You could do it throughout the entire domain itself, but that's very difficult to do because of compatibility issues. Whether that's with older versions of Windows or maybe there's third party appliances or Linux products that are out there that use NTLM underneath. Like it's a much simpler protocol. So a lot of application developers, like, if they want to integrate with Windows, they'll just choose to use NTLM because it's a simpler protocol rather than trying to set up Kerberos. So there's a lot of these compatibility problems. Microsoft itself for a long time had hard coded the usage of NTLM. So part of this effort that they're having now to get rid of NTLM is they've gone through their entire code base and removed hard coded usage of NTLM in a lot of their services and client applications.
Adam Boileau
Yeah, I'd imagine things like printers and whatnot are going to use NTLM. Right. If you want to join them into your Windows network, that's how they're going to do it.
Lee Christensen
Yeah, exactly. There's also some weird fallbacks that happen in Active Directory environments. So if you try and authenticate to like you're trying to access a machine by its IP address that uses NTLM, it doesn't use Kerberos underneath.
Adam Boileau
So to use Kerberos you've got to use like proper host names and whatever. Yeah, yeah, right. So I mean, obviously it's still a problem, otherwise we wouldn't be talking about it in this year of our Lord 2025. I can't believe we're still having this conversation. But you know, I guess the question is with it being difficult to disable because it's, you know, because it pops up so often, like how prevalent is it out there? You guys do an awful lot of pen tests, like how often are you seeing it everywhere?
Lee Christensen
Like there's only been a, I'd say a couple organizations that I've been into that have disabled like quote unquote, disabled NTLM. And even in those organizations it was enabled domain wide still. So we see it everywhere, all the time. And even our most, I'd say our best Bloodhound Enterprise customers, we've gone in there and our consulting teams have gone in there and they're secure against what was present in Bloodhound Enterprise. But we come in and just do these relay attacks again and we'd have plenty of success. So even these super mature companies that have a lot of resources, they're fixing things, they're still vulnerable to a lot of like these same attacks.
Adam Boileau
Okay, so that is the state of NTLM. Justin Kohler is also joining us. So now Justin, the question becomes what do, what do about NTLM? What do.
Justin Kohler
Yeah, so that's, that's, that's the, that's the problem. Probably why Lee sees it so much on the attacking side. Right. Like Lee said, they see it all the time. And I know from talking to a bunch of our pen testers, it's probably the one or two top most like, prevalent ways that we take over Active Directory environments. It's just so common. Like, why not use it? You can't really do anything against it too because people can't disable it because it's such a, like an unwieldy thing to tackle. So that was kind of our, our basis for like, trying to model this in Bloodhound. So if we could, we knew that when we executed it in pen testing engagements, the results that we were delivering were actionable. So it wasn't like, hey, we, we abused NTLM in your environment and you should disable NTLM across the domain to prevent that from happening again. That's not the time.
Adam Boileau
I mean, that's not a, that's not a helpful finding, right?
Justin Kohler
No, no, no, no. I mean, it's kind of like, I kind of feel like this is the same experience that we had with Bloodhound and Active Directory. Right. Active Directory was an unsolvable problem. And then Bloodhound comes in and makes it approachable. Right. And now we can pinpoint where we should fix problems. So that was kind of our genesis for NTLM when we would engage or relay attack, you know, like execute relay attacks in customer environments. The advice that we gave them was actionable and it removed the risk. So we're like, well, okay, well if we can do that in a pen testing engagement, can't we do that in Bloodhound? And now it's really hard. There's a lot of moving pieces around that. But we've been known to do hard things. So that's what we tackled in Bloodhound.
Adam Boileau
Yeah. So how do you actually tackle this as an issue with Bloodhound? And is this kind of newer or. I mean, I imagine you've been doing this for a while, right?
Justin Kohler
This is actually. So we've been working on it for quite some time. The research was like, pass the mic back over to Lee here in a second. But the research was started late last year. We've been testing it.
Adam Boileau
And so this is new.
Justin Kohler
This is releasing in March.
Adam Boileau
Yeah. Okay, Right, cool, cool.
Justin Kohler
This is going to be brand new.
Adam Boileau
Excellent. Okay, well, Lee, walk us through that. Like, what are you doing with Bloodhound to try to get a handle on this because, you know, I like the way you described that just in terms of like. And it's good to hear a vendor say we make this problem with Active Directory approachable, not we come in and pew, pew, single click solved. Right. So I'm guessing you're taking the same approach with the NTLM stuff, like, how do you take this problem and you know, turn it into something that you got a better chance of getting your hands around.
Lee Christensen
Yeah. So I'd say we're going to be introducing some new edges into Bloodhound. So if you, you know, for people who haven't seen Bloodhound, it's just as an attacker, it gives me an attack path of how to compromise, you know, a host or a machine in Active Directory environments. So what this is going to do is it's going to add some new edges that state, you know, I can use NTLM relay to compromise this, this IT administrator's machine or this server machine over there. And in particular, we're adding in three new types of edges. We call them the coerce and relay edges. Which is basically we're able to coerce a machine to authenticate to us and then we can relay that and impersonate that machine that's authenticating to us to, you know, whether it's to Active Directory or to log into another server and impersonate them.
Adam Boileau
This sounds great from an attacker's perspective, but like, how, you know, to talk through the defensive case here?
Justin Kohler
Yeah, I can, I can try to take some of that. So for like we have two different versions of Bloodhound, right? Bloodhound Community Edition, which is free and open source, and Bloodhound Enterprise. So first, starting with Bloodhound Community Edition, everybody's going to be able to visualize the attacks and understand the risk posed by certain principals within their organization. So for a pen tester, they can understand what they would abuse to get to their objective. For a defender, they can articulate the risk of that configuration and then take steps to remove it. On the Bloodhound Enterprise side, they're going to do that at scale. So like again, that unwieldy problem of let's disable NTLM across the domain is a non starter. We can pinpoint the servers that have the most amount of risk for NTLM relay attacks and then give you specific guidance to remove that. And that again is approachable guidance. We've seen work for our customers on consult engagements.
Adam Boileau
I'm getting it now, right, which is the idea is that it can narrow it down. So the advice which might come out of a pen test report, you know, 10 years ago, which is, hey, just turn off NTLM and everyone ignores it and throws the report in the bin. Whereas now it's like, well, hey, maybe if you could disable NTLM here, here and here, that's going to put you.
Justin Kohler
In better shape or even better, like disable it for this protocol, but preserve it for this protocol, for this legacy system only that is not supporting more modern authentication protocols and Windows servers, like.
Adam Boileau
Capable of supporting those sort of configurations quite easily.
Justin Kohler
Yes. So Lee can back me up here, but you can disable it on the protocol level, on the host level or at the domain level, all with different levels of, like, difficulty. Right. And that's where we can help organizations understand and take that action.
Adam Boileau
I mean, it sounds worthwhile. I'm guessing, Lee, that you've been through, I mean, you know, as you pointed out, this is going into the product in March, but I'm guessing you've used this on professional services engagements already. You know, I mean, how would you rate the success here once your customers have been through that process?
Lee Christensen
Well, I will say that on engagements, I haven't used this because I've just been on the research side. But I can guarantee that this is going to find a lot of stuff that has not been highlighted before just because, like I said, our most mature customers have fallen to these attacks. And I know it's going to light up, definitely, a lot of people's networks as well.
Adam Boileau
Yeah, yeah. All right, well, we're going to wrap it up there. Lee Chagola Christensen and Justin Kohler, thank you so much for joining me on the show. To walk through, yes, some new features coming to Bloodhound which will let you pinpoint where NTLM in your Windows networks is most problematic. Great to chat to both of you.
Justin Kohler
Thank you.
Lee Christensen
Thanks, Patrick.
Adam Boileau
That was Lee Christensen and Justin Kohler of SpecterOps there. Big thanks to them for that. And yeah, you can find Bloodhound Enterprise just by googling Bloodhound Enterprise, I guess. And definitely a worthwhile exercise if you're operating any sort of Windows network at scale. It's an exercise you want to go through. Just even the attack graph stuff, the NTLM stuff, nice to have as well. But yeah, Bloodhound is something you should be looking at. But that is it for this week's show. I do hope you enjoyed it. I'll be back tomorrow with Seriously Risky Business with Tom Uren in the Risky Bulletin RSS feed. But until then, I've been Patrick Gray. Thanks for listening.
Risky Business #783 – Detailed Summary: "Evil Webcam Ransomwares Entire Windows Network"
Release Date: March 12, 2025 | Host: Patrick Gray | Guests: Adam Boileau and Rob Joyce
The episode kicks off with a deep dive into CVE-2024-9956, a vulnerability that facilitates passkey account takeovers requiring Bluetooth proximity. This exploit targets the cross-device authentication flow, leveraging QR codes and Bluetooth callbacks to deceive users into authenticating maliciously.
Key Points:
Notable Quotes:
The discussion shifts to the LastPass breach, where stolen credentials are being exploited to siphon cryptocurrency tokens. The attack is linked to high-profile victims, including Chris Larsen of Ripple, leading to significant financial losses.
Key Points:
Notable Quotes:
A novel ransomware technique was discussed, where attackers exploit Linux-based webcams to encrypt data on a Windows network. By bypassing Endpoint Detection and Response (EDR) systems, the ransomware operates through compromised IoT devices.
Key Points:
Notable Quotes:
The podcast addressed vulnerabilities in the ESP32 chipset, widely used in IoT devices for Wi-Fi and Bluetooth functionalities. Researchers uncovered methods to abuse the firmware controls, raising concerns about potential backdoors.
Key Points:
Notable Quotes:
A critical segment covered the Bybit and Safe Wallet breach, where North Korean actors exploited a compromised developer's AWS account to steal approximately $1.5 billion in cryptocurrency. The attackers used malicious Docker images and MFA enrollment tactics to maintain persistent access.
Key Points:
Notable Quotes:
The episode highlighted recent indictments against Chinese government-backed hackers responsible for the Treasury hack and other significant cyberattacks. These actions demonstrate the US government's stance on state-sponsored cyber activities.
Key Points:
Notable Quotes:
Rob Joyce shared insights from his testimony to the House Select Committee on the Chinese Communist Party, emphasizing the impact of recent US government layoffs on cybersecurity talent and national security.
Key Points:
Notable Quotes:
The panel discussed a recent DDoS attack against X, previously known as Twitter, executed using a variant of the Mirai botnet targeting exposed servers not protected by Cloudflare.
Key Points:
Notable Quotes:
Apple addressed critical vulnerabilities in WebKit, the rendering engine for Safari and other browsers, which were likely exploited by spyware companies or intelligence services.
Key Points:
Notable Quotes:
The episode featured an interview with Lee Christensen and Justin Kohler from SpecterOps, discussing new features in their Bloodhound tool aimed at mitigating risks associated with the legacy NTLM authentication protocol.
Key Points:
Notable Quotes:
The episode concluded with reflections on the evolving landscape of cybersecurity threats, emphasizing the continuous arms race between attackers leveraging legacy systems and defenders employing advanced tools and strategies to mitigate risks.
Final Remarks:
Listener Takeaways:
For more insights and discussions on the latest in information security, tune into future episodes of Risky Business.