Patrick Gray
Welcome to Risky Business. My name's Patrick Gray. This week's show is brought to you by Nucleus Security, which makes a vulnerability management platform. And we'll be joined by Nucleus Security's very own Aaron Unterberger in this week's sponsor interview. And we're talking to him about how vulnerability management as a discipline and a tool set hasn't really kept pace with cloud. Not that cloud's new, but yeah, it's just like things got a little bit weird there. And he'll be joining us to talk through some of the issues involved in trying to apply decent VM practices to cloud-based tech. That is coming up later. But first up, of course, it is time for a check of the week's security news with our good friend Adam Boileau. And Adam, obviously the big story of the week is it turns out Signal Gate, in which a bunch of senior Trump administration officials were discussing sensitive stuff over Signal. Turns out Signal Gate wasn't actually Signal Gate after all.
Adam Boileau
Yes, we have seen reports that they were using a Signal fork made by a company called TeleMessage, called TM Signal. And the Internet has gone pretty nuts over the last couple of days understanding what that means. And it turns out not very good things at all.
Patrick Gray
Yeah, I think you would have to describe it as extremely not great. And there's irony here, right, because what TM Signal allows you to do is to keep records of conversations. Now, a big feature of us talking about Signal Gate is a lot of people have really homed in on the idea that they're bypassing record keeping requirements and whatnot when having these conversations. Looks like that's not the case. Unfortunately though, it looks like this app which keeps records of the conversation doesn't really do it in a sensible way.
Adam Boileau
No, it really does not look sensible. So the deal here is that TeleMessage, the company, which is an Israeli company that's now owned as of like 2024 by an American firm, they make messaging apps forked from the various popular messengers that implement record keeping. And it does that by modifying the client, replacing the client, which you then deploy out to your devices using some variety of sideloading, sort of the enterprise sideloading that you get from MDM solutions and so on, and then that basically just carbon copies all of your messages off to a TeleMessage-controlled server, which then archives them into whatever mechanism you as the administrator have configured, which is typically going to be it just emails them to an archive place or integrates with Office 365 or whatever else, but it does so of course in the clear, which is already not really what you want.
Patrick Gray
Hang on, hang on. In the clear, or, like, just not end-to-end encrypted?
Adam Boileau
Well, in the clear from the archive point of view. The point of the archive is to have a clear text copy of the message. How that's stored on disk is kind of up to the individual implementations. And in this case we're probably talking transport crypto wise, yes, it's TLS to TeleMessage and probably SMTP TLS to Microsoft 365 or Google or whatever mail server if you're using that, or SFTP or whatever other transport mechanism. But in the end the content of that message is delivered to the archive endpoint and is in those archives and obviously traverses TeleMessage's services in the clear.
Patrick Gray
Now this is not necessarily a bad thing. There is still a security benefit, right, from, if you're going to use an archived messenger, being able to use an end-to-end encrypted messaging platform that allows you to have things like expiring messages so that those messages are only stored in one place. If that archive is handled sensibly, that is still going to be a net security gain. So let's see, if I'm building this, I'm going to make sure that these messages are forwarded into some sort of cloud service via an account or an API that has write-only access. And I'm sure that's the way they did this here. Isn't that right, Adam? Right, right.
Adam Boileau
It just keeps getting worse. So somebody found a source code archive for the Android version of the TeleMessage Signal app, as well as some people reverse engineering the binary versions of the iOS ones, and that contained hard coded credentials which are used to deliver the archived messages into TeleMessage's system. And those credentials appear to have been valid to log into some manner of TeleMessage backend system. Because we have seen at least two reports, two separate reports, where journalists have talked to hackers that have broken into TeleMessage's systems and have obtained in some cases access to messages, in some cases lists of subscribers and so on. And the assumption is, I don't know if anyone specifically said this, but the assumption is that it's those hard coded credentials giving more access than they should have.
Patrick Gray
Yeah, as in not just write-only, which honestly, if it was write-only, it would be probably, you know, verging on okay, right.
Adam Boileau
I mean, you know, there are better ways to do it. But that would have at least been less terrible. Yeah, but I mean one of the reports we've seen, I think it was, was it NBC maybe, where it looked like the attacker memory dumped the server. So they must have got some relatively privileged access because it looks like the back end is some kind of Java app. I've seen some screenshots of what looks like strings on a memory dump of a Java app that has message fragments in it. None of those messages that we've seen so far look like they were specifically White House ones. But we have seen other messages from their Signal capture. But also some of the other platforms, WeChat and WhatsApp and Telegram.
Patrick Gray
Well, and the assumption is that whoever did these, you know, quote unquote attacks was intercepting messages on the way through TeleMessage's archive server on the way to the actual end user archives. You know, 404 Media has been doing a great job covering this. They were early with their coverage and a lot of it's based on research that's been done by Micah Lee, who's really done an excellent job of, you know, pulling this down and even drawing pretty little network diagrams and pictures showing us how it all works. It looks like this app, and again look, it's a foreign controlled app as well, which is a whole other set of issues. It looks like this app was originally brought in for government use, like with the, I think, the State Department and the CDC in the US under the Biden White House, like when he was president. So I don't think this is just a failure of the Trump admin, but certainly, you know, using an app like this to conduct, you know, sensitive policy conversations seems insane. TeleMessage has since actually pulled this thing from the market. They've like nuked their website, gone to ground. And you just think, you know, where was the evaluation of this technology when it was being considered for government use? You know, you do have other providers. I mean, we've mentioned it a bunch of times over the last few weeks, but Wickr is a well-regarded messaging platform that has archiving features and end-to-end encryption. And you know, it was acquired by Amazon and it is offered for, you know, government and enterprise use. Was there a bake-off here? You know, these guys had a $2 million contract at least with the federal government dating back to last year. And you just think, you know, who looked at this thing?
Adam Boileau
Yeah, I mean that is a great question and we've certainly seen calls for investigation. I think Ron Wyden has been out there asking for investigations into how this happened and the stories that kind of led up to it. And certainly that's a great question, like, who did the eval, what eval was there, what did this look like in the procurement process, etc., etc. To my mind, I think the killer feature though, with the TeleMessage Signal fork, is its interoperability with existing Signal, which if you move to a different platform, all of a sudden the rest of the extended Magaverse and other people that are using Signal to communicate with people who do need to archive lose that kind of connectivity. Which, like, that's the reason that you would go down this slightly crazy route.
Patrick Gray
Yeah, I mean, I wonder what the FOIA implications are of this as well, now that, you know, the Democrats understand that there is an archive of a bunch of these messages. You know, I guess that could get a little bit interesting. But look, all in all, just, you know, it's the scandal that keeps on giving, isn't it?
Adam Boileau
I mean, it really is. And like, I hate to feel sorry for them because, you know, the rest of the whole Trumpian experience is not great, but I do kind of feel a little bit bad because they probably got told if you want to use Signal, you have to use this. It looks exactly like Signal. It feels like they're getting everything that they expect from Signal in terms of its confidentiality and so on and so forth. But this just meets those archiving obligations. And then for them to now be mired in this total trash heap of a, you know, of the story just getting worse and worse. Like, I, I mean, part of me enjoys watching, you know, everything fall apart, but I feel a little bit bad because, you know, they were trying to do the right thing, you know, provide archive records and, and so on.
Patrick Gray
You know, I tell you who doesn't feel bad for them is the Vice Chair of the Senate Select Committee on Intelligence, Senator Mark Warner, who I spoke to yesterday. And funnily enough, he recognizes the irony here of them trying to do the right thing. But it seems to be his position that it's still, you know, absolutely boneheaded what they did. I interviewed Senator Warner yesterday. We spoke for about an hour and we've already published that as a podcast and also onto our YouTube feed. But here is just a two minute excerpt where he talks about these latest developments in Signal Gate. So here he is, Mark Warner, Vice Chair of the Senate Select Committee on Intelligence.
Mark Warner
Waltz and the Secretary of Defense Hegseth. They already have not only the foul of using Signal, which should have been on a classified network, they now have the double foul of using this addendum to Signal that, as you indicated, has been hacked repeatedly to the point that there was at least a report this afternoon that that, you know, add-on service may be being pulled from the market. So again, this starts with, whether it's in Australia or in the States or wherever, you know, basic Cyber Hygiene 101. Particularly if you're dealing with sensitive or classified information, don't put it on an unclassified network. Recognize, if possible, to make sure there are no ways to have penetrations. And in the case of this so-called Signal Gate, this is only one of the reported 20 Signal chats that took place when Waltz was National Security Advisor. So we may still be just seeing the tip of what is even a bigger problem.
Patrick Gray
I mean, I think one of the issues here though is even if they weren't discussing classified information, that Signal version, or the modified version of Signal that was being used there, probably wouldn't even be suited for non-classified communications. I mean, how much of a concern is that from your perspective?
Mark Warner
That's a concern as well. Now there is, again, I don't want to. The only thing I'd say about Waltz was he at least acknowledged a mistake, something again that other folks who were on that chat didn't even acknowledge. The irony here being that if he was trying to preserve records, but again it shows kind of a failure to understand Cyber Hygiene 101. You know, this notion of this extra add-on being as vulnerable as it is. And you know, just to be clear, we don't even know if in the first episode that included all of these senior officials, whether anyone has gone and checked the actual devices to make sure that there's no malware that's been dropped onto them. I mean this is like, you know.
Patrick Gray
Okay, so you heard from Mark Warner there, I mean, you know, there's the saying that there will be blood. I think in this case we can say there will be hearings.
Adam Boileau
Yes, there's going to be so many hearings. Oh dear, oh dear. And I mean of all the things I had on my bingo card, like, that we would be talking about in this new administration, like, I did not expect non-end-to-end Signal to be one of them. So at least it's been great for us. We've had something interesting to talk about for the last, you know, last couple of weeks. So yeah, thanks.
Patrick Gray
I guess it's an end-to-end messaging platform. Anyway, but look, I think, you know, I hope the lesson that comes out of this is really about, and it's something that we've been talking about a lot on like Seriously Risky Business, our podcast that focuses on sort of government policy and intelligence, I hope that what comes out of this is for governments to really sit down and look at, you know, how we can give better guidance to government officials on how to communicate, give them the tools that they need to communicate securely and sometimes privately, you know, change some of the guidance, you know, to reflect the world that we're living in now, and hopefully we all wind up in a better place because of this. But yeah, wow. Anyway, moving on, and you know, this ransomware campaign targeting British retailers just keeps on trucking. Harrods is the latest one to be attacked, although it looks like the attackers didn't get very far. Marks and Spencer is a complete smoldering wreck of a company at the moment. And yeah, also big dramas at Co-op. The press hasn't linked these, says that, you know, they haven't been able to substantiate a link between these attacks. But from what I'm hearing, I had an anonymous sort of email come in from someone that looks legit. I mean, you know, it's unverified information, but they're like, yeah, these two attacks shared the same C2, which would tend to indicate that it's the same crew. They also say that Scattered Spider obtained initial access to Marks and Spencer through, you know, socially engineering a help desk, which, you know, that's pretty typical of their TTPs. They moved laterally, got the entire Active Directory environment and absolutely everything in it. There was no NDR in the environment, and you know, they've got third party IR in there. They're trying to roll out CrowdStrike and just doing, you know, real hand-to-hand battles.
Apparently the attackers were monitoring like Microsoft Teams archives of meetings and whatnot. And it's just like, it is, you know, about as bad as it gets. This person who's emailed me says Marks and Spencer haven't really been sharing information appropriately with other retailers and people are having to do back channeling and it's just all bad, bad, bad, bad. Funnily enough, you know, what this person is saying has sort of been substantiated somewhat by some subsequent reporting at the BBC, where Co-op staff have been instructed not to keep records of things like Teams conversations. But you know, Marks and Spencer is saying that it's going to take months for them to restore service and ordering and whatnot.
Adam Boileau
Yeah, it does sound like a, it's like a real mess. We've seen a couple of insiders, I think. Was it Sky News in the UK also? They were talking to an insider who said that it was just pure chaos, I think was the quote inside there. Because they didn't really have any plans for how to respond to this sort of incident and that everything is just complete. You know, people sleeping in the offices, working over the weekends, trying to, you know, pull together in an environment where they haven't, you know, they're not even sure they've managed to throw the attackers out yet. So that's, you know, that's hard yakka for all of the people on the ground having to deal with that. And you really, you know, you feel sympathy for them, but at the same time, like, being an organization these days and not being ready for this kind of thing. You know, it's not like ransomware is brand new at this point in the conversation, so.
Patrick Gray
Well, we have seen reports, in fact, that Marks and Spencer did not have an IR plan, which, you know, just those words will be sending shudders down the spines of all of our listeners who actually work in IR. Because that's the worst thing that you can, you know, it's the worst thing to not have in a situation.
Adam Boileau
Well, exactly right. This is not a thing you want to be doing for the first time, you know, when you really need it. And even simple things. When I say simple things, even things as straightforward as how do we even go through the process of resetting everybody's passwords or locking everybody out, or in what order do we have to do it? How do we roll the krbtgt? Those are things that you don't want to be learning during an active incident when you can't even talk to each other. And some of the reports are saying, like, you know, people are reduced to using personal devices, personal WhatsApp accounts to try and communicate because all of the normal corporate mechanisms are untrustworthy or offline or whatever else. So, yeah, total mess. And, you know, I guess, hugs to everybody involved. Yeah. Like, at this point, that's pretty much all we can offer you, is hugs, you know, so. Yeesh.
Patrick Gray
Yeah. I do think it's interesting, though, that, you know, in the case of Co-op, staff have been told to keep their cameras on during meetings, which suggests they might have had some uninvited visitors attending prior meetings. Right. So just an absolute mess. And you would expect that this would rise to the level where you might see a response out of, you know, GCHQ perhaps, or at least them lending a hand given that it's a sector-wide attack against, you know, major British brands.
Adam Boileau
Yeah, I mean Harrods and Marks and Spencer are both very, very, you know, sort of iconic British brands, and clearly Co-op is pretty big. I didn't really know much about them, but clearly they're pretty big. Apparently they provide funeral services as well as other things. So that's not a thing you want ransomware in.
Patrick Gray
It's like those Japanese companies that offer everything from fresh seafood to light bulbs.
Adam Boileau
Yes, exactly. Yeah. And like, you do wonder, given, you know, we haven't really seen details beyond like some kind of Scattered Spider affiliated people, but it being a whole bunch of British retailers at once does feel kind of British. You know, like foreigners may not care that much about hitting those kind of brands all in one go, whereas if it was someone local it just feels a bit more.
Patrick Gray
Yeah, if you want to feel like a badass, right, you take down the biggest brands in your country. I'd imagine that's what you get, right.
Adam Boileau
Yeah, I think so. It'll be interesting to see how the investigations unfold because Scattered Spider is not a group that's known for rock solid opsec. So.
Patrick Gray
Oh, they're all going to get caught. They're absolutely all going to get caught. But you know, as we saw after Caesars and MGM, like, I expected the cuffs to go on like the week after, but it took a while. I wonder now, like, you would expect that global law enforcement would just have generally better intelligence on the Com and all of the groups and the satellite groups and splinter groups, and you know, perhaps we'll see a faster, you know, the handcuffs come out a little bit faster. But yeah, I'm not expecting these guys to get away with it. I mean, you know, will they get absolutely everyone involved? Like, probably not. But you'll see some arrests here, surely.
Adam Boileau
Yeah, surely you would expect. And I, you know, I imagine the people who are sort of spectators in that environment might be feeling a little bit nervous about being so close to it. So, you know, maybe it'll slow things down there a little bit. But then again, kids are not really known for their, you know, threat modeling and cause and effect and thinking about their actions and all that kind of thing.
Patrick Gray
Now let's talk about where long-term planning and cybercrime meet, because somebody has pulled the trigger on a Magecart-style attack that goes back, like, this thing goes back years. So someone had been subverting Magento stores for something like the last five or six years and has finally pulled the trigger and deployed their nastyware onto these e-commerce websites. And you just sort of think, wow, that's a slight slow burn.
Adam Boileau
Yeah, yeah, the story is pretty wild. So there are three companies that package up Magento online shopping sites, like, provide the tools for them to run your own. And all three of them seem to have been hacked at some point between 2019 and 2022 and had backdoors, the same backdoor, put in a bunch of kind of packages that they provide. And yeah, those have just been sitting around idle. And there's a, like, if you know how to trigger the backdoor, you can just run arbitrary PHP on a Magento website. And then that's been sitting around, you know, four, six years, somebody's pulled the trigger and started dropping Magecart-style, you know, shopping cart scraping, you know, payment card scraping out of the shopping cart, malware on these sites all at once. And yeah, like, that is a pretty slow burn. Like quite a lot of patience. It makes me wonder if, you know, someone deployed it and then maybe dropped out of crime. Maybe they went and did something else with their life.
Patrick Gray
Yeah, yeah. I mean, it feels like. It feels like someone's contingency plan. Right? Like, that's what it feels like to me is like they had this thing bubbling away on the back burner just in case sort of thing. And then they're like, okay, well I'll go work on that now, because whatever, their other botnet got rolled up or something.
Adam Boileau
Yeah, yeah, maybe, maybe. Right. And you know, it could have been traded. It could have been, you know, there's all sorts of ways that these things get, you know, shared around or knowledge spreads or whatever else. But yeah, it's kind of unusual. Like, we don't often see, you know, something like this lying around for so long. And, you know, it was not the world's most innocuous looking backdoor. Like, it's, you know, I guess you probably don't read all of the PHP of all of the plugins of all of the Magento things that you run. But yeah, kind of, you know, I don't want to take my hat off to them, but it's kind of, you know, it's kind of good work waiting this long. And then kaboom. Well, ain't no one.
Patrick Gray
Doing code review on that stuff. Like, just, they're not, you know, probably not. Like, you're waiting for shells or some weird stuff to get detected at runtime. Like, that's how this stuff is going to get discovered. You know, I'm sure there's companies out there who are going to write to me and go, we do scanning of, you know, Magento packages and whatnot. But like, ain't nobody paying attention.
Adam Boileau
No. And certainly no one's paying money to do that.
Patrick Gray
So no, they're absolutely not. Now let's talk about Microsoft's big push into passkeys. So according to this piece by Dan Goodin, Microsoft is making passwordless logins the default means for signing into new accounts. I think somewhat sensibly, actually. I mean, they're criticized a little bit in this article for this, but they're requiring the use of the Microsoft Authenticator app. So they're saying you can't use the Google one, you can't use, you know, whatever, like, third party ones. You have to use the Microsoft Authenticator app. I actually think that's a good idea because it gives Microsoft the ability to, like, say, no, we're not going to have some sort of sync fabric that's going to send these things to a million other accounts. So I think keeping it within the Microsoft ecosystem is actually a positive, not a negative. But you know, Dan's just written a story here, sort of walking through what this could mean. I mean, generally I think this is a really good idea. Where I think the drama might exist is when you start bumping into the enrollment processes, when someone's lost a phone or needs to be reprovisioned or whatever. And that's going to be where the, you know, the attack surface is. But I think, you know, by and large this is going to be a positive thing. What's your immediate reaction to this, Adam?
Adam Boileau
So my immediate reaction is passkeys are better than passwords. And the problems that we are talking about around the passkey ecosystem are very legitimate, like things like onboarding, things like offboarding, things like dealing with password reset flows and so on. All of those already exist with passwords, but at least passkeys are less phishable, modulo, we saw some like edge-case stuff with Bluetooth, weird Bluetooth passkey phishing the other day. But by and large this is absolutely an improvement over passwords, and all of the problems still existed elsewhere, and a perfect solution is pretty difficult. So I think there are absolutely valid points to the criticism, but overall, if we get to the point where you can't Monday1 your way into a major corporate because that's how initial passwords are set up by the service desk, then we're in a better place. And you know, passkeys are less understandable, I guess, is one downside. Like, people don't necessarily have a great mental model for how passkey storage works. I don't know that I have a great mental model. Well, but that's how password sync fabric, passkey sync fabric works and blah blah blah blah. And that's to your point about Authenticator, at least that gives Microsoft a point of control rather than simultaneously having to solve the multi vendor cross platform syncing problem. Especially when Microsoft doesn't have its own phone platform anymore.
Patrick Gray
Well, but this is exactly right. You know, do you want to allow people to use Google Authenticator and then Google make some sort of decision that, you know, is probably going to violate the security policies of all of your enterprise clients? Like, I just don't see how you would do this without having control of that piece of this. Like, I think that's absolutely the right decision.
Adam Boileau
Yeah, yeah. I mean I don't necessarily love it. Like I don't want another Authenticator world as well that I have to think about how it works. But I think you are right that this is the pragmatic choice for Microsoft given that Windows Phone is dead and they can't use this as a way to, you know, leverage people into the Windows Phone ecosystem.
Patrick Gray
Yeah, I mean I had a great chat with. It's really funny actually. I often interview people from Yubico, who are a minor sponsor of the show. But I'll interview them about what they see as being challenges with things like software based passkeys and whatnot. And people write in and say, well, of course they're going to say that, they're financially motivated to sell YubiKeys. And it's like, well, yeah, but they're also right, and it always takes like a year or two and then it's like, oh, okay, the points they were making were pretty good. And I think, you know, this restriction to using the Microsoft Authenticator app is actually a bit of a, you know, recognition of some of the issues around the portability of passkeys. Anyway, I've made that point well and truly, so let's move on. And this one, I've read through it, I'm not entirely clear on the ins and outs of it, but it's another Dan Goodin story based on some, you know, discoveries by, I can't remember who. I'm terribly sorry. But some people have discovered that RDP, like, you can still log into a Microsoft machine with RDP using an expired or revoked credential, which is not what people would expect the behavior to be. This has been reported to Microsoft and they're like, no, that's by design. We're not going to change it. So first of all, can you walk us through exactly why it is that this condition exists and then tell us why they're not changing it?
Adam Boileau
So the reason this exists is that Microsoft ultimately don't want you to deal with, and they don't want to deal with, the support workload of locking out the last remaining account on a Windows system. So there are some special rules that seem to prevent account expiry or credential expiry working when it's the only user. I think that's what Microsoft said, which is a behavior that I didn't know existed. So I guess probably surprising for a bunch of people. So when you have the combination of centralized auth or federated authentication and an IdP, and this is the only IdP account, they don't want you to get in a position where you have to go, like, safe mode the machine to recover it if the only account that you have gets locked out. And then in combination with a distributed auth system, those credentials get cached locally on the machine for authentication so that it can authenticate even if the upstream auth source, be it Azure or Entra or whatever else, is offline, you can still locally auth. So that combination of we let you use expired credentials for the last remaining account and we have local caching kind of means that when you change someone's account credential in your centralized Entra ID, people can still log into these machines with that old credential, which is just kind of counter to what you would expect.
Patrick Gray
Well, I mean, that's okay because attackers never use RDP with valid creds.
Adam Boileau
Well, exactly. And like, this is not just a Microsoft problem. Like, there are plenty of other places in the ecosystem where people's mental model of how credential revocation works doesn't match the technical reality. I'm thinking like, for example, certificate authentication and wireless networks, like, you can revoke that certificate, but it doesn't stop current running authenticated wireless connections from continuing to work until next reauth time. And that could be weeks. Right.
Patrick Gray
So you want to kick the network in the guts at that point.
Adam Boileau
And so there is a bunch of nuance to how password expiry and revocation actually works in the real world to make it match what people expect. And I think this is another great example of, honestly, I see why Microsoft made this design choice. It is documented, and I think Microsoft have updated the documentation to make it a little bit clearer. Microsoft have linked through in their response to this guy's bug report saying, we've made this update. It's a pretty small block in rather a lot of documentation. So I think this probably is still surprising to most people, but kind of makes sense, I guess. And you could see why they're not triaging it as a, you know, a security flaw, more as just a, yeah, a surprising behavior.
Patrick Gray
Yeah. So that was Daniel Wade, by the way. I had time while you were chatting just then to look up the guy's name. Let's move on to our next story now. And according to CyberScoop, a piece here from Matt Kapko, North Korean, like, fake IT workers are just really kicking some goals at the moment and they have infiltrated hundreds of the Fortune 500. I don't know that I'm tremendously surprised by this, but that's because I spend my days reading cybersecurity news. Right. I think if you don't spend your days reading cybersecurity news and talking to people about this, you might not realize just the scale of this.
Adam Boileau
Yeah, that was the thing that stuck out to me was the sheer scale. Like, I mean, you read about it and it makes sense that this would work. But you think this is probably only going to happen to like a few cryptocurrency exchanges or, you know, kind of niche targeted kind of things, not significant swathes of Western companies. And when you certainly talk to a bunch of organizations that have had this happen to them personally, like, this is not secondhand, third hand kind of stories. This is our HR department, our hiring process is getting these come through. And I think this story on CyberScoop is kind of on the back of a bunch of conversation about this at the RSA conference where people are coming out and talking about like, yes, this is happening to us. You know, yes, we are seeing this at a bunch of our customers. And I think it's just worth calling out to everybody quite how big this is. And clearly North Korea knows how to do this at scale and it must be making them enough money to be worth doing it.
Patrick Gray
Yeah, yeah, well, and they get further options as well. Like once they're in certain places, you know, I've got a great podcast I recorded. It's a Wide World of Cyber podcast without Chris Krebs, which is weird because it's a SentinelOne, Risky Biz sort of joint thing. And, but it's Alex Stamos and Steve Stone. And one of the big things we talk about is all of the North Koreans who tried to get work at SentinelOne, right? And they detected them early, but instead of just like throwing their resumes in the bin, they sort of tried to play it out and, and see what they could learn. And it's a, it's a very interesting conversation, by the way, for anyone wondering. Chris is doing great. I actually had a good phone call with him this morning and he will be back on Risky Business at some point. Probably not Wide World of Cyber, but you know, he'll be back on the show real soon. But moving on. Oh, and I'll publish that because that was like a live event. I was supposed to be in the US to record it, but instead they like I joined by Zoom and they put me on a screen in the room and, you know, it actually worked better than you would have thought. So I'll be publishing that one in a couple of days. Moving on. Oh, and we got some great news here, actually. So these are both pieces from The Record. One's by Joe Warminski, the other one is by James Reddick. But the United States government is making some meaningful moves, like Treasury is making some meaningful moves against these scam compounds. And you know, in our coverage, particularly the work that we've done here with Tom Uren, who's, who's our Seriously Risky Business, you know, policy and intelligence editor, you know, we've been talking about this as the way to take action against scam compounds for a long time because quite often there are obviously corrupt relationships between, you know, large companies, politicians, you know, government officials and these scam groups.
And you can deal with that to a degree with sanctions. So what we're seeing now is we're seeing US Treasury sanctions against a Cambodia-based conglomerate, which is, you know, they're saying primarily a money laundering concern. We're also seeing specific sanctions against a militia leader in Myanmar over his involvement in scam compounds. I mean, this is a good start.
Adam Boileau
Yeah, yeah, it absolutely is. I mean, that Huione Group that runs a whole bunch of like e-commerce and online, you know, financial services and stuff in Cambodia that has been a pretty clear target. I mean, they are laundering something like $4 billion worth of illicit proceeds is what the US Treasury said. And that's, you know, that's very, very real money.
Patrick Gray
Well, and when you're operating at that sort of scale, that's when sanctions hurt, too.
Adam Boileau
Yes, exactly right. Because they also like to launder that kind of money. You have to have a big enough business to kind of move that through. So, like, they are a pretty real enterprise and it makes a, you know, it makes sense for them to be targeted by this. And it, they have ties to, you know, sort of the, the ruling leadership there, you know, political leadership in the country. So it's not a thing that domestically they seem particularly inclined to deal with. So dealing, you know, dealing with this on the international stage kind of makes sense. So that's good. And then the individuals from. There's like one particular border province with, I think with Thailand, where a whole bunch of the scam compounds are actually physically located. And that's an area where that has had a whole bunch of, you know, political intrigue and there's sort of rebel forces and all sorts of mad stuff. And the Karen National Army is like a, I think, Buddhist separatist. I don't know. Politics in Myanmar are very difficult to follow. Like, it's very, very complicated. But they've been designated for sanctions and their leadership and I think some family members of their leader have also all been sanctioned. Like tying all of these bits together is the logical place to target this stuff. So, you know, good work.
Patrick Gray
Yeah. And it is complicated. Right. Because we've seen China sponsoring militias in Myanmar in order to get them to free people from scam compounds. And I remember saying, at some point, some of these militia leaders are going to say, you know what? There's real money in this stuff. And, you know, maybe that's what's happened with this militia. I don't know if they were involved from the get go. But the point is the amount of money involved is just staggering. So it is. You know, I think there was a stat that the turnover of this sort of stuff is equivalent to like 40% of the GDP of Laos, Cambodia and Myanmar combined.
Adam Boileau
Yes.
Patrick Gray
Now, anytime you've got that much economic share in one thing, particularly if it's illicit, the tail is going to start wagging the dog.
Adam Boileau
Oh, yeah, yeah.
Patrick Gray
You know, absolutely. And you could see this in, you know, you could see this in narco states back in the day. Right. When you would have certainly all sorts of issues in places like Colombia in the, in the 80s and 90s. So, yeah, same sort of stuff. Good to see some action there. Moving on to our next story now, and Trump is proposing major cuts to CISA's budget, I think it's in the order of like 17%. You know, they have a, they have a $3 billion budget and the proposed cut here is 491 million. Justification for the cut is they were censoring conservative voices and, you know, the usual sort of stuff. So we'll see if that actually becomes reality. And also there's a proposal to cut up to 2,000 civilian roles out of NSA. So they want to downsize NSA. I mean, I don't know enough about the internal, you know, bits and pieces of NSA to know if this would be crippling or, you know, or doable. But yeah, it's certainly on the cards. Links to those ones are in this week's show notes. One is from Eric Geller over at Cybersecurity Dive. The other one there is from Martin Matishak at The Record. We're going to end with some news about NSO Group because, you know, there's been this long running lawsuit between Meta, which of course owns Facebook and WhatsApp. Meta has been suing NSO Group over a campaign that was conducted against its users using NSO Group tooling back in 2019. Looks like that case has finally come to a conclusion. We saw previously that there was an order to pay something like $440,000 from NSO to. Yeah, $444,719 from NSO to Meta to cover the direct costs involved in dealing with this campaign. Now come the punitive damages of $168 million, which is gonna hurt.
Adam Boileau
Yeah, that's certainly a fair whack of cash, I imagine. I was surprised at how low Facebook's Meta's costs were.
Patrick Gray
I mean, me too. They talk about efficiency.
Adam Boileau
Yeah, yeah, exactly. Like, clearly I must have used some AI or something. I don't know.
Patrick Gray
They used one of their 100x engineers who sorted it out in a day. I think, you know, that's probably it.
Adam Boileau
Yes. So, yeah, 168 million bucks, that's gotta suck for NSO Group. I imagine they're gonna appeal. They haven't indicated that they're going to yet, but I mean, when does a lawsuit in the US ever not end with an appeal?
Patrick Gray
Well, especially when it's such a large amount of money and NSO is like not been doing as well really over the last five years or so. So, you know, you'd think they have to.
Adam Boileau
Yeah, I mean, I imagine, I imagine they would. At the very least, I'm sure their lawyers would be like, well, you can come back for another round and then we'll keep getting paid for another few years. So, you know, yeah, I, I expect we will see an appeal. But, you know, this, this is, it's a great outcome. You know, it's been a long time coming and, you know, you think about the fights between software companies and some of the companies that make exploits or, you know, sell this kind of tooling. You know, a lot of people have walked away from really pushing these through the courts and, you know, kind of good on Meta for actually seeing this one through.
Patrick Gray
Yeah, I mean, I think one of the differences between NSO Group and some of the toolmakers who supply, you know, governments in developed nations is the extent to which they actually support the campaigns. You know what I mean? Like, they run the infrastructure and that's different because with a lot of these companies, they will provide the tools to an agency. They don't know how they're used. Do you know what I mean? Like, and that's why they have to have a high level of trust in these agencies so that they, you know, trust that they're going to go use these tools to do sensible things and not go and conduct a whole bunch of human rights violations. But, but yeah, I. Look, we'll just wait for the inevitable appeal, but that's it for the news. Adam, thank you so much for joining me. As always, it was a great conversation and we'll do it all again next week.
Adam Boileau
Yeah, thanks so much, Pat. I will talk to you then.
Patrick Gray
That was Adam Boileau there with a look at the week's security news headlines. It is time for this week's sponsor interview now with Aaron Unterberger, who is the director of sales engineering with Nucleus Security. And Nucleus has been. Nucleus is a, is a Risky Business baby startup, right? Because when they, when they first signed up with us, they were just a couple of people. And now, you know, they're a fully fledged vendor offering a vulnerability management platform. The idea is you just get all of your vulnerability scanning tools and whatnot, you know, and also asset discovery tools, they can all report into their platform. Then once you've got all that data in the one place, you can normalize it, slice and dice it, distribute it to the correct teams and whatnot, and, you know, just generally much better than relying on a bunch of spreadsheets. I mean, it's just, you know, it's a big step forward from that. But what we're talking about today is how cloud vulnerability management is a bit of a mess, frankly. And that's really got a lot to do with. I suppose there's two factors here. One factor is that the technology for doing VM in the cloud hasn't really caught up to contemporary practices. And the other one is that just the way assets tend to operate in the cloud is very different to the way that they operate on prem. So joining me to explore that issue is Aaron Unterberger from Nucleus Security, and here's what he had to say.
Aaron Unterberger
So cloud basically differs a lot from traditional VM. Right. Traditional VM is in our data centers, it's with our assets. And so things are a lot more static and stable. So first, cloud just introduces a level of speed and scale where stuff is constantly changing. So environments can spin up and down dynamically. And vulnerability management tools have to kind of operate within that constantly changing landscape. Also, things like asset discovery and asset inventory have to keep in lockstep with what you're scanning and what you're assessing. And then also with infrastructure as code and containers and other ephemeral assets, there's been more of a push towards shifting left and addressing things before they get into the environment. So, for example, if you've got a scanner that's scanning an EC2 instance or a VM, but it's been deployed through some kind of Terraform or infrastructure as code script, patching the system isn't fixing the root problem. Right. So shifting left.
Patrick Gray
Yeah. I mean, I just keep thinking back to when the vulnerability management firms thought, okay, we're going to solve this cloud problem, which is to make our scanners get visibility into containers. Ah, there we go. And they dusted their hands and they patted themselves on the back and they said, job well done. And that was fine when people were running, you know, static systems. Like EC2 is another great example. Right. Like when cloud started, you would just spin up a, you know, a virtual box in EC2 and you would leave it there. But that's. Yeah. Now it is all very ephemeral. Right. So I guess now the sort of tools that we're using to detect issues, you know, they're less likely to be your Nessuses and whatever and more likely to be your sort of Wizes. Yeah.
Aaron Unterberger
Yes. Well, so actually before there was a Wiz or an Orca or Lacework, there were still a lot of the traditional VM tools. And it started out with kind of the frictionless scanning, network based scanning. And you can imagine how that just didn't keep up with the pace of change. It doesn't integrate well with cloud APIs. It doesn't have the dynamic inventory awareness, and it definitely doesn't shift left. And so then we start to roll out cloud agents and there's some acknowledgment of the difference in the cloud, better synchronization with asset inventory, but still doesn't really shift left. And that's really where I think Wiz and Orca and the CNAPP tools came into prominence is they kind of reduced the friction of an agent based scan, but had all of the dynamism of the kind of latest iteration. But they integrated through APIs to get this really robust picture. And they also introduced things like CSPM, cloud security posture management, misconfigurations, right. Focusing a lot more on the inventory and more context across systems. And now we're even starting to see more shift left capabilities within those tools as well. So for example, if I have a container and that container has a base image, and then that base image is used across multiple other images and maybe one of those images is a sidecar shared service. So its deployment or its runtime could be many different applications. Internally facing skunkworks to mission critical, publicly facing. That whole continuum of context is really difficult to grasp when you're thinking about container security. So that's one of the areas where we sought to kind of collapse the full kind of lineage of a container and give you a persistent context across everything, what we call a container workload. So if I have a vulnerability that appears in a base image, I know that I'm patching the base image.
Or if I have a vulnerability that persists through versions, I know that we're not resetting the clock on when it should get patched because we pushed a new version. The SLA still is when it first showed up in the previous version of that image. So giving more context to address the challenge. Because along with all of this dynamism that cloud brings, it also brings quite a headache in terms of managing risk, understanding that full picture.
Patrick Gray
I understand now what you mean by shifting left, because in this context it really means, especially when you're dealing with ephemeral, you know, workloads, you got to get to the point where they're first being created, right. And fix it there because there's no point finding, hey, oh, look at that, we got 100 of these vulnerable workloads out there. You go, patch them all and then someone spins up one tomorrow and it's vulnerable again, right?
Aaron Unterberger
Yeah, yeah, this game of whack-a-mole, right? And that is, I think, the promise of shift left, especially when we think about cloud and it's not just containers, there's IaC. Even EC2 or VMs have images that deployments are based off of. And so a lot of cloud is built off of pre-configured automated scripts, CI/CD pipelines, things that if you don't address them at the root, you're actually playing whack-a-mole. It's the never ending.
Patrick Gray
Once you've addressed them at the root, what do you do about the ones that have been spawned from that original image? Do you then go kick them in the guts and have them rebuilt? Or how are you supposed to address it at both ends there? Because I understand you need to shift left and solve the source, solve the problem with the source. But what do you do about the stuff that's already out there?
Aaron Unterberger
Yes, that's where having the full continuum, visibility across the full continuum comes into play is because you want to make sure that you're fixing at the source that otherwise you'll never really fix it. But then you also want to find out who's not actually updating their pipelines and using the latest versions of images, for example. And so that's where having the deployment context also comes into play and seeing, hey, we're still seeing persistence of these vulnerabilities because while we've made our patches to the upstream asset or artifact, it hasn't propagated out to runtime. Right? And so that's where you can hold accountable those teams.
Patrick Gray
Now here comes the important question. Why on earth are you talking about this? Right, so Nucleus is a company that makes, you know, tools to better manage vulnerability programs, right? Normalizes, ingest and normalizes data from all sorts of stuff, you know, allows you to slice and dice and spin up tickets, you know, crap stuff out into Slack, all of that good stuff. Right. Instead of spreadsheets and emails and ticketing nightmares. This is just the way that you do it. I'm guessing if the wizards of the world and the Laceworks and whatever were doing a good job of this, we wouldn't be talking about it.
Aaron Unterberger
Yeah, well, they're doing an excellent job for what they're focusing on, and they're focusing on the assessment of cloud. And so really what Nucleus does to kind of broadly generalize, Nucleus is a platform that unifies data from different sources. And so when it comes to traditional VM, it's integrating with your CMDBs, your, your scanners, endpoint and downstream ticketing and change management. Within cloud, it's very much the same. And also a lot of organizations are maybe multi-cloud, they've inherited multiple different CNAPP tools. And so, you know, it's having a single place, a single source of truth and then it's also having visibility. So a lot of our kind of end customers for data are also executives who need to answer to a board and say, what is our organizational risk across all domains? Right. And so it's really about being able to manage all of these different domains effectively. And what these tools are doing really well is they're assessing the vulnerabilities, but not necessarily providing a normalized view of risk and then also the downstream orchestration and visibility. So being able to ticket and remediate, but also give that normalized view for executives, team leads and application owners to know what their true risk is in a way that's normalized across an organization.
Patrick Gray
When I think you pointed it out before, like if you've gone back and fixed something at the source and yet this team over here keeps spinning up vulnerable images, you know, someone's not doing their job. Right. So it can be good to have that sort of helicopter view, I guess.
Aaron Unterberger
Yeah, yeah. It's having the visibility across the entire spectrum. Right. Going back to the container workloads.
Patrick Gray
I mean, I guess, I guess the reason I mentioned that is like it's not just about giving executives something pretty, they can screen cap for a, you know, board deck. Right. It's, it's. Right.
Aaron Unterberger
It's much, it's actually going to be useful. Yeah, yeah. Much more operational. And the way that that's achieved is actually integrating with beyond just the scanners. Right. It requires integrating with inventory, with your image registries and understanding what your golden images are, understanding the ownership and application context, understanding the runtime. Now oftentimes those are multiple tools, not, not a single scanner that's doing that assessment. So they, they don't really have the ability to stitch together that, that entire picture.
Patrick Gray
And so who's, you know, what sort of orgs are kind of jumping on this, right? Because always when you know, a sponsor is out there talking about something like this, it's usually because there's customer demand, right. It's usually like, well, they're having this problem. So that's why we're out there talking about it and what our approach is like, what sort of companies are actually having issues around this?
Aaron Unterberger
Yeah, the problem I think kind of manifests in a couple of different ways. One is the visibility, right. That kind of executive audience of, you know, if I were to ask my teams what's our organizational risk, we wouldn't be able to answer it this month. Right. But then there's also organizations that are struggling with the volume of vulnerabilities, with the complexity of managing a cloud environment and also with the overall workflow. Maybe it's a manual process. Being able to make the assessment, prioritize, because there's way too much to actually do in any given day with any team size that I've ever seen. And so you have to focus on what to remediate and then efficiently orchestrate those remediations. So that way you're managing risk as effectively as possible. Right. So being able to automatically triage, being able to automatically route and ticket, orchestrating the bi-directional sync of tickets so folks can focus on fixing rather than reporting back on what they've done and then also providing thoughtful analysis on what types of fixes are actually going to move the needle in the most meaningful way for my risk. And it might be more of a software driven approach where, hey, we're out of date on Google Chrome. If we fix this, we fix 100 CVEs, right. So providing all of those operational and analytical tools to aid in the efficiency of how a team manages their VM program or their cloud security.
Patrick Gray
It's real funny, but in a recent interview I brought up actually people doing Nessus scans like 15, 20 years ago when they'd run it the first time and they'd just be horrified by what they saw. And what's really funny is, you know, thinking about a tool like yours, which gives you that helicopter view, I'm guessing people start using it and then they're horrified by what they're seeing. Not in terms of the number of bugs, because they know about that, but they're horrified in terms of what they see, you know, in terms of their own capability to do something about it.
Aaron Unterberger
Right, yeah, yeah, it's.
Patrick Gray
And that's what this is about. It's like figuring out, you know, well, what should we do given this mountain of data, like what is it telling us we need to get better at?
Aaron Unterberger
Yeah, and a big part of how. So my team specifically is on the kind of pre-sales consultative side. And so a big part of how we engage with our customers is not just providing the technology but also the guidance because one, we can kind of talk them down from the ledge where it's like, yes, you do have Log4j and it's a year old and we're going to get it fixed.
Patrick Gray
Yeah.
Aaron Unterberger
But these are things that you can do to make it to where that doesn't become a routine thing. A lot of it's a process, yeah.
Patrick Gray
When you see stuff and you're like, look, we've had a dozen clients, a dozen customers who've had this problem, and here's what they did and here's what worked. Right. Like, I'm guessing it's sort of like that. Yeah. All right, Aaron Unterberger, thank you so much for joining me for this conversation. It's always good to see you. And. Yeah. Talk to you again soon, I guess.
Aaron Unterberger
Yes. Look forward to it. Thanks.
Patrick Gray
Patrick, that was Aaron Unterberger there from Nucleus Security with this week's sponsor interview. So, yeah, if you're still trying to manage your enterprise vulnerability management program through a bunch of spreadsheets, and, you know, that is making you a sad panda, you might want to go and check out Nucleus Security. But that is it for this week's show. I do hope you enjoyed it. I'll be back real soon with more security news and analysis, but until then, I've been. Patrick Gray, thanks for listening.
Risky Business #790 – Bye Bye Signal-gate, Hello TeleMessage-gate
Release Date: May 7, 2025
Host: Patrick Gray
Guest: Adam Boileau
Sponsor Interview: Aaron Unterberger from Nucleus Security
In this episode of Risky Business, host Patrick Gray delves into the latest happenings in the information security landscape. From unraveling the missteps in government communication tools to significant ransomware campaigns targeting major retailers, the discussion is both comprehensive and insightful. The episode also features a deep dive into cloud vulnerability management with Aaron Unterberger from Nucleus Security, highlighting the evolving challenges in securing cloud environments.
Patrick Gray kicks off the episode by addressing the fallout from the so-called "Signal Gate" scandal, where senior Trump administration officials were found to be using a forked version of Signal called TeleMessage for sensitive communications.
[00:00] Patrick Gray: "Turns out Signal Gate wasn't actually Signal Gate after all."
Adam Boileau elaborates on the technical mishaps, explaining that TeleMessage inadvertently compromised the very security it was supposed to enhance.
[01:22] Adam Boileau: "They make messaging apps forked from the various popular messengers that implement record keeping... which then archives them... in the clear."
The irony, as Patrick points out, lies in the fact that while TeleMessage aimed to provide record-keeping capabilities, it failed to do so securely, leading to vulnerabilities.
[04:30] Patrick Gray: "If you're going to use an archive messenger, being able to use an end-to-end encrypted messaging platform that allows you to have things like expiring messages... is still going to be a net security gain."
However, the situation takes a darker turn when it’s revealed that TeleMessage's implementation included hard-coded credentials, leading to unauthorized access and data breaches.
[05:24] Adam Boileau: "Journalists have talked to hackers that have broken into TeleMessage’s systems and obtained access to messages, lists of subscribers, and more."
Senator Mark Warner weighs in on the scandal, emphasizing the critical failures in cyber hygiene and the broader implications for government communications.
[10:29] Mark Warner: "If you're dealing with sensitive or classified information, don't put it on an unclassified network... this is only one of the reported 20 Signal chats that Waltz took place when he was National Security Advisor."
The episode underscores the importance of rigorous evaluation and security practices, especially when deploying communication tools within government frameworks.
The conversation shifts to a concerning trend of ransomware attacks targeting prominent British retailers such as Harrods, Marks and Spencer, and Co-op. Adam details the chaos ensuing from these breaches, highlighting the sophisticated tactics employed by the attackers.
[14:01] Adam Boileau: "Marks and Spencer is saying that it's going to take months for them to restore service and ordering and whatnot."
Marks and Spencer’s lack of an incident response (IR) plan exacerbates the situation, leaving the company scrambling to recover.
[16:47] Patrick Gray: "Marks and Spencer did not have an IR plan, which... is the worst thing you can do in a situation."
The discussions reveal systemic issues in preparedness and response strategies among large organizations, emphasizing the need for robust IR frameworks to mitigate such cyber threats effectively.
Patrick and Adam explore the resurgence of Magecart-style attacks, where attackers deploy persistent malware across e-commerce platforms to scrape payment information. This slow-burn attack vector underscores the patience and strategic planning inherent in sophisticated cybercriminal operations.
[20:17] Patrick Gray: "This is a slight slow burn. Someone had been subverting Magecart stores for years and has finally pulled the trigger."
The dialogue emphasizes the challenges in detecting and mitigating such embedded threats, especially when they exploit long-standing backdoors within widely used platforms like Magento.
Shifting focus to proactive security measures, Patrick discusses Microsoft’s initiative to make passwordless logins the default for new accounts, mandating the use of the Microsoft Authenticator app.
[23:00] Patrick Gray: "Microsoft is making passwordless logins the default means for signing into new accounts... I actually think that's a good idea."
Adam Boileau concurs, highlighting the advantages of passkeys over traditional passwords, despite acknowledging existing challenges in onboarding and account management.
[24:18] Adam Boileau: "Passkeys are better than passwords... they are less phishable and modular."
The conversation delves into the practical implications of this shift, including the potential reduction in phishing attacks and improved overall security posture for organizations adopting passwordless frameworks.
The episode also covers several other critical security developments:
RDP Vulnerabilities: Discussion on Microsoft's decision to allow RDP logins with expired or revoked credentials, explaining the rationale behind this design choice and its implications for security practices.
[27:43] Adam Boileau: "The reason this exists is that Microsoft ultimately doesn't want to deal with locking out the last remaining account on a Windows system."
North Korean Cyber Infiltrations: An alarming increase in North Korean operatives posing as IT workers to infiltrate hundreds of Fortune 500 companies, showcasing the scale and sophistication of state-sponsored cyber espionage.
[31:18] Adam Boileau: "North Korea knows how to do this at scale and it must be making them enough money to be worth doing it."
US Treasury Sanctions on Scam Groups: The US government's proactive stance in sanctioning Cambodia-based conglomerates and Myanmar militia leaders involved in large-scale scam operations, marking significant progress in international cybercrime deterrence.
[34:25] Adam Boileau: "They are laundering something like $4 billion worth of illicit proceeds."
NSO Group Legal Outcomes: Coverage of the lawsuit between Meta and NSO Group, culminating in a substantial punitive damage award against NSO, reflecting the legal system's growing intolerance for misuse of surveillance technologies.
[39:03] Adam Boileau: "168 million bucks, that's gotta suck for NSO Group."
Transitioning to the sponsor segment, Patrick engages with Aaron Unterberger, Director of Sales Engineering at Nucleus Security, to discuss the intricacies of vulnerability management in cloud environments.
Challenges in Cloud VM: Aaron outlines the fundamental differences between traditional on-premises environments and the cloud, emphasizing the dynamic and ephemeral nature of cloud assets.
[43:41] Aaron Unterberger: "Cloud introduces a level of speed and scale where stuff is constantly changing... asset discovery and asset inventory has to keep in lockstep with what you're scanning and assessing."
Shifting Left in Vulnerability Management: The conversation delves into the importance of "shifting left" — addressing vulnerabilities early in the development lifecycle to prevent them from propagating through to production environments.
[47:16] Aaron Unterberger: "This game of Whack a mole, right? And that is, I think, the promise of shift left."
Comprehensive Risk Management: Aaron emphasizes Nucleus Security's role in providing a unified platform that integrates data from various sources, offering a normalized view of organizational risk and facilitating efficient vulnerability remediation.
[50:59] Aaron Unterberger: "It's about being able to manage all of these different domains effectively... providing a normalized view for executives, team leads, and application owners to know what their true risk is."
Operational Efficiency: The platform aids organizations in prioritizing vulnerabilities, automating remediation workflows, and offering actionable insights to enhance overall security posture.
[53:57] Aaron Unterberger: "Providing the operational and analytical tools to aid in the efficiency of how a team manages their VM program or their cloud security."
Patrick and Aaron conclude by underscoring the necessity for robust vulnerability management solutions in the cloud era, highlighting how Nucleus Security addresses the multifaceted challenges faced by modern enterprises.
Patrick Gray wraps up the episode by reiterating the critical lessons from the discussions, emphasizing the imperative for organizations to adopt proactive security measures, robust incident response plans, and comprehensive vulnerability management strategies. The episode serves as a poignant reminder of the evolving cyber threat landscape and the continuous need for vigilance and innovation in safeguarding digital assets.
Thank you for tuning into Risky Business. Stay secure, and join us next week for more in-depth analysis and discussions on the latest in information security.