Risky Business #791 -- Woof! Copilot for Sharepoint coughs up creds and keys

Patrick Gray

Foreign and welcome to Risky Business. My name is Patrick Gray. We're going to chat with Adam Boileau about all the week's security news in just a moment. And then we'll be hearing from this week's sponsor. And this week's show is brought to you by Resourcely. Resourcely is a company that makes a fantastic platform for helping you wrangle Terraform. Right. Like, if you've ever seen a demo of this, we got one on our YouTube page. It looks like, I guess, what the interface for a cloud computing provider should look like instead of what they actually do look like. So if you're a heavy Terraform user, you definitely want to check out resourcely. But Travis McPeak, who is the founder and CEO, he's joining us this week to talk about a completely new thing they're doing, which is called Resourcely Fix, where they can actually help you fix systemic security issues in your cloud infrastructure. So if you're like, you know, wiz is lighting up red with a million things that you don't have time to fix, they can actually help you, you know, go back to the source and stop these things from happening and remediate them. So, yeah, Travis will be joining us a little bit later on to talk through all of that, but of course, it is time for the news now. And Adam, we're actually going to start off, start off with a couple of interesting research blog posts this week and the first one is from Pen Test Partners and they've taken a look at the way Microsoft has implemented like AI assistance into SharePoint and it is about as horrible as you would expect where, you know, if you get some sort of access to these agents, you could just start asking them like, hey, I'm a, I'm an admin and I'm really concerned about security, so could you please go and find any secrets that shouldn't be in documents on the SharePoint server and point me towards them like, and, and it does it like.

Adam Boileau

Yeah, when you say horrible. But as a person who has spent, you know, probably weeks of my adult life rummaging in other people's sharepoints looking for that stuff.

Patrick Gray

Right? Yeah.

Adam Boileau

Not having to like, put that in my brain because at the end of the workday when you spent your whole day in somebody else's enterprise, SharePoint, like, you don't feel good. Whereas being able to just make it AI do it. And in this case, copilot for SharePoint, which I'm sure all of the SharePoint admins, people who are responsible for this out There are already like holding their head in their hands. Like you pay, you pay enough for SharePoint as it is and now you're going to have to pay for an AI to ingest it and help attackers find the way around. Anyway, it's a Pentex partners have done a good write up of kind of like what is, what's the basic functionality, you know, in terms of security boundaries being crossed. The only like real boundary there is being able to read docs without showing up in the like people who've recently accessed your documents in SharePoint and normally it will show you some history of who's looked at your stuff. And if you're rummaging in SharePoint you're always a little bit mindful of, you know, someone looking at, you know, who last opened passwords xlsx.

Patrick Gray

Why has this one user from our HR team looked at like 6,000 documents in the last 24 hours?

Adam Boileau

Yeah, so that's, that's a thing that people have alerted on in the past or sometimes nosy admins will just notice. So being able to proxy your activity, you know, through the AI, kind of handy. And then people can also implement their own kind of like custom copilots. So there's the default one that Microsoft provides but people could also implement their own ones to have other capabilities. So those are kind of interesting as well. But yeah, overall if you are a professional rummager in SharePoint for juicy, juicy stuff, then yeah, definitely have a read of this post and yeah, it will make your life less miserable. Unless of course the AI hallucinates domain admin creds in the SharePoint and then you go down a rabbit hole, then.

Patrick Gray

You get snapped because you keep using made up credentials. That'd be funny. But I mean there's you know, there's some sort of funny behavior around like document access and whatnot as well. Like you know, asking it to give you a document and it says no, I can't do that. And then you just ask it to read it out and it does.

Adam Boileau

Yeah, yeah, there's a few of the usual kind of like weird AI guardrail stuff where you have to kind of like lie to the AI and give it good reasons like I need this, you know, I need the contents of this file to save poor Timmy from being run over by a train. And then it's like, oh well I better, I better give it to you then. So yeah, it's, it's like the world is kind of strange and this sort of computers can speak English now. So now you have to kind of sweet talk them to give you the data. Like, I, I don't know how I feel about that. You know, I feel bad enough tricking humans, you know, with phishing emails or whatever else, and now we have to trick the computers too. Like that used to be honest work tricking computers and now feels kind of sleepy.

Patrick Gray

Well, it's funny actually, like just as a bit of a tangent, you and I were talking earlier this morning and I was telling you about. Excuse me, I did a great interview with Tony Delafuente, who's the founder of Prowler, which is like an open source cloud security platform. Very cool stuff by the way, completely free as an open source thing too, if people want to check it out. But you know, they got this really cool thing now where they've got like Prowler Hub where you can go, you know, all of this stuff, all of their detections just used to be as code in GitHub and now there's like Prowler Hub where you get descriptions of what the detections are doing and whatnot. And that's. You can access that via API. So if you've got some weird cloud misconfiguration detected that gets pumped to the seam, there's actually going to be some context there and whatnot. And then I was thinking, well, hey, what about if like Dropzone, which is an AI soc agent, starts ingesting that text as well and interpreting it? Essentially you've got two computers speaking to each other in English, which is, is this better or. I mean it's definitely less efficient than JSON, but. But is this better or worse? Is this progress? And who can say really?

Adam Boileau

I think probably worse. Except that being able to sit in the middle and read it would be kind of interesting. And it's more fun than looking at tzbdump. But it works.

Patrick Gray

Here's the thing, it actually works and actually saves time. So I mean, I think just teaching computers how to speak and do things based on English, I don't know.

Adam Boileau

I think in the end we will decide that teaching computers to speak was a terrible idea, much like computers, full stop were a terrible idea.

Patrick Gray

Maybe they need to teach each other how to speak, Jason, which I think is another thing that they're, that they're kind of doing. But anyway, this world. But look, we got another bit of research to talk about this week and this isn't the sort of thing that you normally bring up the front of the show, but it was just so good. I was reading it's actually Done by, as best I can tell, a young guy in New Zealand. He's a, he's a, you know, discord and stuff, right?

Adam Boileau

Yeah, yeah, like he's, he's in one of the discords, the local New Zealand hacker discords that I hang out in. And yeah, he's done this research which like he bought a motherboard, Asus motherboard, was trying to get the WI fi working, went to go install some drivers. The easy way to install drivers with Asus is to use their, like just magically make my drivers install thing that they drop on you. And he started pulling the thread on that. It turns out like it's a piece of software you install in your machine that then the user interfaces via a browser and it's got a local socket. And he started looking at, well, what stops any other website. Just talking to the Asus driver install service that's now running on machine turns out like substring, matching on the domain name. So if you have. So like was it driverhub, asus.com, something like that in your URL, not the whole URL. So in his case he just made, because he controls his own DNS, made a driverhub.asus.com MrBruh.com, which is his domain, and then works that up into basically remote code exec. You can just drop exe on people with very little user interaction required. And Bob, is your remote code exec having uncle.

Patrick Gray

Yeah, I mean I was just reading this and just going no, no. And you know there is, they're doing stuff like code, you know, code signing and whatnot. But he's found ways around it and you know, basically you get a file, right? And then you know, this and that. And you know, essentially what this means is for anyone who's using this like Driver Hub software from Asus, it's single click to ask to drop an executable on someone and run it in a highly privileged context as well. And I'm just like, oh my God, this is horrible. And man, right up the top of this blog post they're like, there's a part two to this and it's worse. And you think, how could it be worse?

Adam Boileau

Yeah, I see it used to be that essentially all software that you installed that had a browser based interface was kind of vulnerable to sort of dumb things. Like I'm thinking back in the old days, like VMware would drop an OCX control, an ActiveX control in your Internet Explorer to control virtual machines. And of course any attacker could come along and mess with that or if there were bugs in it. So like this is this kind of like browser, local browser with a privileged context, backend server thing is a very common pattern 10 years ago. And Asus I guess is still doing it like was 10 years ago. And clearly with kind of control from 10 years ago.

Patrick Gray

I mean it's just such fertile ground. Right. Like I remember years ago there was so many similar sorts of horror show bugs in all of the stuff that used to ship by default on Dell hardware, you know. And what's funny is, and I've told this story a few times, forgive me listeners if you've heard it already, but I remember once I got, I helped Airlock Digital get in for a POC at an organization that had a SOY where they stripped all of that dulls crapware out of their SOY and then they ran airlock and it was still everywhere. Like it's real hard to make sure you're not running any of this stuff in your environment.

Adam Boileau

Yeah, it is because you don't really inspect how this stuff works. And especially if it's a thing that you need, like in this case making wireless drivers work, that's the thing you do once and especially in an enterprise context. I guess ASUS is probably not a thing in the enterprise context quite so much. But in an enterprise context you build this one time and you probably don't have resource to send every different, you know, kind of make and model of device out for pen testing. It's quite often, you know, back at Insomnia we would get here is our standard SOY Build for Windows 10 or whatever, can you review it? And we'd get a representative hardware in the laptop or whatever else. We wouldn't get every config. And when you've got intel drivers or graphics drivers or the things that you use for like, you know, controlling external displays or laptops that have multiple display chips for different power levels and stuff, you know, you don't see all of those things. And there are lots of bugs in that kind of enterprise crap where, you know, drivery oem kind of stuff. It's nasty.

Patrick Gray

Yeah. So to you, Mr. Brah aka Paul from New Zealand BR basically, nice work.

Adam Boileau

The real kicker though, the real kicker is he went through this whole process, found all of these bugs, didn't get anything from asus from it. His WI fi still doesn't work.

Patrick Gray

Yes, yes. And I think the response like Asus when they wrote this up, their CVE description is this issue is limited to motherboards and does not affect laptops or desktop computers. And he's like, well, it does. And it also says it may allow untrusted sources to affect system behavior, which is a very polite way of describing may let randos run, you know, executables on your machines. Look, in an enterprise context. The thing that'll save you here, though, and it's worth remembering is, you know, you got a good shot at detecting random unwashed executables popping off on your machine if you're running properly configured EDR with good monitoring. Right, but still, like, that's your last line at that point, right?

Adam Boileau

Yeah, it should not get that far. The whole rest of the team has to fail before the goalie has to stop it. And that's. Yes, this is definitely fail way up the field.

Patrick Gray

Yeah. Now, let's talk through some ransomware news because there's been a bit going on actually, and I guess we'll kick it off with Lockbit. And it looks like what's left of Lockbit has been owned, like, their leak site got, you know, defaced with, like, crime is bad or whatever. Yeah, don't do crime. Crime is bad. XOXO from Prague with a link to all of their leak data. I mean, surely this is the nail in Lockbit's coffin. They haven't been the same since they faced a serious, you know, five ising a while ago. And, you know, God, how embarrassing.

Adam Boileau

Yeah, yeah, it's not, it's not great. I mean, they, you know, they have reinvented themselves in the past, as have other ransomware gangs. But, yeah, it's not particularly a great look. And I think there was another ransomware crew that got taken out with the same message, I want to say, a month ago or something like that. I think we reported on it. I don't remember which ransomware crew it was, but, yeah, clearly someone has taken a swing at them. And, you know, that whole kind of, you know, the, the, the stalwarts of the ransomware as a service ecosystem that we've grown used to over the last, you know, three or four years of ransomware. You know, wheels are kind of falling off. You know, things are getting a bit more difficult for them. And, yeah, I guess this, this iteration of lock bit also has ended badly by the look of it.

Patrick Gray

I mean, lock bit with a Coca Cola of ransomware. Right. Like, they were the giants. They were responsible for, you know, as a ransomware, as a service platform, responsible for so much of the activity going on. And, you know, ever since they were taken down and they've sor constituted. It just hasn't been the same. Yeah, this is bad. And also, you know, we've seen some more Conti leaks, including videos from like inside private planes and things like that. And you know, this is just more fuel for the CTI types who say thank you very much, you know, ingest and analyze all of this data and you know, bad, bad, bad.

Adam Boileau

Yeah, yeah. And it's kind of funny stuff. This particular someone is leaking this onto X and we don't really know how authentic it is or any kind of origin of where the data came from, but it seems like someone has hacked their Instagrams maybe and has pulled a bunch of maybe unposted, maybe deleted or private posted or whatever stuff from Insta and either way, very funny. Regardless of you know, exactly how and who and what the motivations are.

Patrick Gray

Now, of course the big ransomware story that's been in the news the last few weeks are these attacks on the retail sector in the United Kingdom. So we've got Marks and Spencer. We had what someone went after Harrods as well, didn't get very far. In the case of Harrods co op as well, has been owned. Now all of these attacks, attacks. What's been interesting is there's been early coverage saying yeah, this was like scattered spider esque activity using Dragon Force ransomware as a service to actually, you know, deploy this stuff and try to make their money and monetize. Dragon Force though, keeps now being reported by a bunch of media outlets as having been behind the attack, which isn't really quite the case. The interesting thing here is the affiliate appears to be, you know, as best we can tell, young Westerners, right. Like not hardcore cybercriminals operating in Russia or whatever. These are like hardcore young people who just are all going to get caught. But what's interesting here is Dragon Force. Well, first of all, tell us about Dragon Force because you know, you've done a bit of research, done, done a bit of a look at them over the last few days and they're a bit different to your typical ransomware as a service organization, aren't they?

Adam Boileau

Yeah, I mean Dragon Force is a, a crew that kind of started out as like sort of, I think Malaysia was the origin story for some of the their early work. But it's kind of turned into, you know, it turned into a pretty standard kind of ranso. Whereas a service operation they built on top of earlier Lockbit and earlier Conti Ransomware tooling built their own platform to run it. But they've kind of pivoted into being sort of a white label ransomware as a service tool vendor.

Patrick Gray

So they're ransomware as a service, as a service.

Adam Boileau

Yes, ransomware as a service as a service. So that you can use components of their tooling if you wanted to bring your own actual ransomware, but plug into their platform for managing communications and managing data leaks and whatever else. So it's kind of how you would build applications in the cloud on top of Amazon or Google Cloud or whatever by taking components of their tooling and then building your own sort of thing out of it. So that's kind of where they seem to have pivoted. But you know, the nuance of ransomware as a service, Ransomware as a service, as a service groups like Scattered Spider, which are not really a group, more like a loose affiliation of, you know, like minded people and all that, like that nuance is all obviously lost when it gets translated into more mainstream reporting. And you know, the British stuff has been very mainstream because it's targeting, you know, high street name brand retailers rather than, you know, obscure tech stuff. So the coverage is a little bit murky, I think when you're reading. Yeah, yeah, you're reading it in the mainstream.

Patrick Gray

Yeah. I mean, I did also hear too, just from that, you know, I mentioned we got an email from someone who was pretty plugged into everything that was happening in the UK as best we can tell, like it's unverified information. But they did say that the Marks and Spencer and the co op attackers were using the same C2, which definitely suggests a link there. Now it's interesting that Dragon, because I'd seen the reports about Dragon Force being, you know, Malaysian in origin, which makes this next bit of news really confusing because they've apparently issued a statement, this is Dragon Force saying whatever you do, don't hit targets in Russia. You know, don't hit critical infrastructure hospitals where patients, children and the elderly are kept, or Russia or the countries of the former Soviet Union. And this is something that we've seen Russian ransomware operators, you know, say in the past. And indeed we've seen Russian ransomware operators get into trouble before because their affiliates are hitting Russian targets. But why don't you just tell us like why, why is this? Why do they, why do some people think these guys are Malaysian?

Adam Boileau

So I think the earlier iteration of the name Dragon Force was being used by some like Malaysian hacktivisty bits and I think.

Patrick Gray

So it might have been Malaysian affiliates like using this.

Adam Boileau

Yeah, so like, you know, these things are pretty fluid because we always see them from the outside, not from kind of the inside. And, you know, I think it's just some people were, were calling themselves that and maybe some tooling got shared or maybe, you know, they were, you know, using Russian tools or, you know, we don't really know what the kind of glue was. But it seems pretty clear that the current iteration of Dragon Force, you know, feels like Russian cybercrime, you know, and kind of begat out of the earlier iterations of Russian ransomware as a service. Because, you know, that whole kind of, you know, when, when ransomware as a service was at its peak, that kind of time feels like it's passed a little bit and there's been a bit of re juggling as they try and, you know, kind of make sense out of how do I make money out of this expertise out of this tooling. And I think, you know, the current iteration of Dragon Force absolutely feels like it's made out of Russian ransomware. Yeah, you know, criminal groups.

Patrick Gray

Now, a while ago I said, like, probably one of the best things that, you know, intelligence agencies, law enforcement, your cyber commands and whatever of the world. One of the most effective things that they could do to cause headaches for these guys would be to take their tools and then do failed ransomware deployments against Russian companies. So gain access, start spreading the ransomware around everywhere, but don't pull the trigger. So every time I see a statement from one of these groups saying, oh my God, stop hitting Russian targets, it makes me wonder. Now, I don't know whether or not that is something that would be legally possible for Western agencies to do, but it makes you think it does.

Adam Boileau

It would be a good idea regardless whether they're actually doing it. It would be a fun idea. And certainly you do get the impression that somewhere, somehow, somebody is throwing sand in the gears of the smooth operation of the Russian cyberquime ecosystem.

Patrick Gray

Now, on that, on that, sorry to cut you off there. We've got this great report from Coveware and I think this, this came out May 1, so, you know, it's a couple of weeks old now, but it really does take a high level look at the ransomware ecosystem and basically says that, yeah, these people are all fighting each other. Their anonymity is at risk. Their entire ecosystem, all of the vulnerable points in their ecosystem, whether it's money laundering or, you know, RAs or whatever, are all being pressed on. And it really does paint a picture that the ransomware ecosystem is under a bit of pressure at the moment, which we Love to see.

Adam Boileau

Yeah, yeah, we certainly do. And we've talked a bunch on this show about the vulnerability of that ecosystem is the trust and communication, the way that all those people can work together and rely on the other bits of the ecosystem providing bulletproof hosting or anti denial of service stuff or all of the components that you need to build your just in time crime pipeline. A few years ago that ecosystem felt like it was thriving. Now it feels like it's falling on itself and like they're infighting and stealing from each other and you know, at least appearing to be, you know, infighting. Whether or not it's actually real or whether it's western, you know, agencies we don't know and that, you know, is just slowing them down. And Coveware had some stats in this write up about, you know, the, the kind of lower size of ransomware payments, the lower overall volume, the lower rate of kind of their success at getting paid for each campaign. And all of those metrics are looking great for us and not great for ransomware crews. And I think, you know, that's just applying pressure on everybody. Everybody's feeling the strain of things are not as easy as they were. And maybe there's other better ways to monetize these kinds of skills than doing, you know, the sort of rants the way that people were doing in, you know, late 2022.

Patrick Gray

Yeah, so the ransomware payment resolution rates are down from like 85% in 2019 down to like 27% now. But I think the average payment might actually be ticking up anyway. We've linked through to the report, people can have a look. The other thing that I found really interesting here was when you look at the CVEs that these guys are using, right. So you know, here we go, we've got one, you know, a bunch of 20, 25 CVEs are highlighted as well. So there's Ivanti Connect Secure VPNs, SonicWall, SMA1000s, Ivanti Connect Secure VPNs again, path traversal vulnerabilities in Mitel MyCollab systems. And of course it wouldn't be complete without Palo Alto in there as well. So they've got a nice breakdown of initial attack vectors between remote access compromises, which are number one at the moment. You've got phishing exploitation of vulnerabilities and internal, which is tiny. But look, it's a good report and people can click through and have a look at it. Just head over to Risky Biz, our website and you will find the post for this podcast with all of the links in there now, was it last week or the week before? We spoke about a SAP Netweaver vulnerability and we were like, this is going to be bad. This is going to be very bad. And it turns out, Adam, it's bad.

Adam Boileau

Shocking, shocking development. It is bad. Yes. We are seeing pretty widespread exploitation of Internet facing SAP Netweaver. There's a bug in one of the components called like the Visual Composer. So that's not great. And as you know, as kind of as we predicted, but sort of worse than that, it looks like it's Chinese Apts and in fact the same crew that were behind a bunch of other quite successful large scale exploitation of Internet facing bugs. So stuff in I think some of the Avanti things, but they're trash.

Patrick Gray

Like these guys are trash. If you look, we've got a blog post from Eclectic IQ and they're scanning for. So there's been a couple of components to this. Like someone's gone around and dropped web shells on all of these SAP boxes, right? So now there's this second wave of exploitation and who knows if it's the same actor, but one of the actors, you know, scanning for this stuff, they've got their box just doing all the scanning and then an open web server on it where you can drop in and like just read all of their scan results and stuff and you just think, my God, man, that's like, aren't you embarrassed?

Adam Boileau

You probably, probably should be. But you know, I guess if you move fast enough, you don't got time for doing it right? You just gotta shell all of the netweavers today so that you can go back and pick them over at a later date. But yeah, there's a little bit awks when you, you've got the indexing turned on on your web server full of all of your shell results.

Patrick Gray

You get a scan probe from some box, you hit it and there's a web server on it with the scan results in it.

Adam Boileau

I mean it's convenient for everybody else. Like maybe you want to muddy the attribution for the source. Incompetence seems more likely. But yeah, I mean regardless of how good they are at their infrastructure, they do seem pretty good at shelling things. And this eclectic IQ write up has a bunch of information about their specific ttps and so on. One of the ones that leapt out at me as being amusing is some of the C2 traffic goes to a box whose domain name is sentinel ones plural.com.

Patrick Gray

Yeah.

Adam Boileau

Which apropos of you talking to Starmos the other day about, you know, there being a team of people in China tasked to attack, you know, Sentinel One go almost to their customers. Kind of funny to see their, their name in the mouth of, of the set of attackers as well. So kind of, kind of funny just leapt out at me when I was looking at screenshots.

Patrick Gray

Yeah, we got links to that, of course, in the show notes as well this week. Now let's look at a piece by Dan Gooden. Apparently a software engineer from Doge had an info stealer on their box that was just, you know, popping up, spewing creds out everywhere. Basically their creds out everywhere. I mean, again, this ties into what we've said from day one about the way Doge was doing stuff, which is, you know, they're moving fast and breaking things, but they're not being careful. And that was going to present problems. And you know, what is this exhibit? You know, exhibit 437. Exactly, right?

Adam Boileau

Yeah, yeah. So this one was like initially when I read it, I thought because the angle was, oh, this guy's data didn't have a been poned and let's face, everybody's data is in haverhib pwned. But the interesting bit is that this is not just like other people's data breaches, you know, with cred dumps from, from big sites. This is data from infosteel Trojans, malware on people's boxes that is also ingested by have I been pwned. And some of the data is, you know, within the last couple of years, which is not a great sign for someone that is wandering around the US government helping themselves to, you know, enterprise admin level access in their sharepoints and in their office, 365s and so on. So not a great look. And you know, we don't know for sure that the machines they're using to do their dojing are filled with info stealers, but it's certainly possible.

Patrick Gray

Well, I mean there was that news item we spoke about a little while ago where they were spinning up new accounts for government systems. And then those accounts, you know, Russians were, you know, Russian IPs were trying to log into them a couple of minutes later and only denied because of their like impossible travel restrictions. And your take on that at the time was, you know, it was, they were probably just using a Russian VPN or something, you know, some VPN service. But I don't know, man, I still think we need to take a look at that, honestly, because.

Adam Boileau

Yeah, yeah, I Do not disagree with you. It doesn't, does not look good. Like there is definitely a bit of, you know, where the smoke, this fire kind of situation. There's several pieces of smoke floating around here.

Patrick Gray

The smoke is wafting from multiple now over the last couple of weeks as well, both here and in our Risky Bulletin podcasts, which everyone should subscribe to too. We do three news bulletins a week which are put together by Catalyn Kimpanu, edited by you and Amberly and sometimes me, and then voiced by Claire. It's a great little news bulletin for those who are unfamiliar with it. You can find that by searching for Risky Bulletin. But yeah, we've been covering this thing that's been happening in Asia, particularly in Japan, where hackers have been, you know, breaking into brokerage accounts and then using the funds in those brokerage accounts to buy penny stocks that they hold. And this is a way to make millions of dollars. So initially, like, it was like we were reporting on this because they said it was something like, you know, $700 million. And we were like, oh my God, that's so much money. Turns out, Adam, it's actually much worse. And we're looking at something like $2 billion in fraudulent trades in a relatively short period of time. Like, that's really quite an issue.

Adam Boileau

Yeah, the Japanese Financial Services Agency, their regulator for this kind of thing, has been looking into it. And yeah, it is definitely bigger than we originally reported. And that's. So the $2 billion number, I think, is like the amount of trades that have been done. So we don't know how much money the actual attackers are making. Clearly it's enough for them to be able to make this worth doing. But yeah, the fact that it's that much bigger than we thought and the Japanese regulator had some stats that said, like, in previous years, this kind of thing was much, much smaller. So it has definitely tracked up pretty quickly. One theory is that because AI chatgpt, et cetera, et cetera, are so much better now, you can carry out these kinds of attacks in languages and environments that aren't necessarily your own because you can interact with these systems much more easily. So that's one plausible explanation for why we're seeing it tick up in Japan, for example, has historically been a quite a difficult target because of the language barrier, you know, versus English speaking environments or, you know, or other things.

Patrick Gray

So, yeah, yeah, Ryan Caliber from proofpoint is quoted in this piece as saying that. And I know Ryan, he's a mate and he's been on this For a while. Like, he's been on this from very early on with AI working at a place like proofpoint where they deal with so much fishing. He's like, man, this is going to be really useful for attackers to, you know, as it says in this piece, draft, you know, culturally appropriate fishing lures. It's just like, what an amazing thing for fishes. And one of the regions that he was particularly concerned about was Japan. So, Ryan, looks like you were right there, buddy. Hey, how you going? Also, and yeah, this piece was written by John Greeg on over at the Record, but you had something else you wanted to add there.

Adam Boileau

I was just thinking, like, I'm trying what other countries have impenetrable languages? I thought, ah, they're going to be coming for Finland next.

Patrick Gray

I don't think the models are there yet, but let's see, we've got a couple of law enforcement takedowns to talk through here. We saw. We've got a TechCrunch here. TechCrunch piece here from Lorenzo. A joint international law enforcement action shut down two services accused of providing a botnet of hacked Internet connected devices. This looks like one of those residential proxies which are very useful when you want to hide your origin, but that one's been taken down.

Adam Boileau

Yeah. So this is. Any proxies was, I think was the retail name that they used. And this one was kind of significant because they've been around like 20 years.

Patrick Gray

Wow.

Adam Boileau

This is the OG of residential proxies. And I was also surprised, given they've been doing it for 20 years, that the amount of money they made was something in the order of 40ish million. I think the DOJ said $46 million, which for 20 years work. I mean, it's, it's more money than I've made in 20 years. Yeah.

Patrick Gray

I mean, come on, man, can, you.

Adam Boileau

Know, at the same time, you know, like, for 20 years, cybercrime, I feel like you could do better than $40 million.

Patrick Gray

Yeah. If you're going to be a criminal, like, that's kind of a lower end, right?

Adam Boileau

It does, it does seem. But either way, yeah, they've been, they've been shut down. Of course they were, I think Russians. So I don't know what consequences they will face. But yeah, I mean, just continuing that whack. A mole of Internet crime, you know, kind of components. Because this is another example of Russian cybercrime bits that are just really useful when you want to go to crime to be able to buy access from residential IPs. In another country near your victims.

Patrick Gray

Yeah. And meanwhile, Dorina Antoniok over also over at the Record, has reported that a few dudes have been arrested in Poland and they were operating like a stressor botnet kind of thing. And, you know, you could give them like 10 bucks and they'd hit a target for you, I think. Was that this one?

Adam Boileau

Yes, yeah, yeah, yeah, it was pretty cheap. They had a low end €10 service or something like that, which I don't know how much details you get for €10, but I mean, how much do you really need, you know?

Patrick Gray

Well, I mean, if you, you know, if you're not paying for the bandwidth, like you can sell it cheap. Right. So, yeah, I get the idea this is just worth a quick mention, but, you know, there was a power school, you know, this is a company that makes software used by schools. There was a powerschool breach a while ago and data was ransomed and they paid. And unfortunately it looks like now the people who have that data are going back out to the schools and ransoming them again. So it looks like this is one of those instances where paying for deletion just, they didn't do it. Most of the time they do. And the reason they do is because they need to be credible when they're asking for money next time. So I'd imagine there would be other data extortionists who would be quite cheesed about this, actually.

Adam Boileau

Yeah, yeah, we don't really know exactly like how it all worked out, like whether the data was, you know, available in multiple places, like whether we don't know if it's the people who took the payment also now doing the subsequent round of extortion. But either way it impacts their reputation. I imagine they are, as you say, probably quite cheesed off at whoever is behind it, if it's not them and if it is them, like maybe they've reached the end of the road and they've decided that, you know, they are going to exit the market soon, so they may as well cash out, you know, as much as they can with the data they've got right now. Regardless, it still sucks for the schools and the parents and the children of the victims involved in this campaign.

Patrick Gray

Yeah, that one was from Kevin Collier over at NBC. Back to the Record now. And Alexander Martin has reported that the EU is launching a vulnerability database, which is interesting. So it's kind of been written up as like, oh, NVD is looking shaky and that's why this is happening. But really the plans for this, according to our colleague Catalyn Kimpanu the plans for this were sort of laid out in 2022, but I think it's a good idea that an organization like anisa, which is the EU cybersecurity organization, actually spins up something like this because the stuff in America doesn't look as reliable or you know, as it used to, let's put it that way.

Adam Boileau

Yeah, I guess whoever was behind this, starting this in 2022 probably feels quite vindicated now. Like actually yes, Europe probably does need a little bit of independence, you know, from, from the US and from other countries. You know, they're going to use the Chinese vulnerability database. So yeah, probably feeling pretty forward thinking and you know, if the outcome of the madness in America is we do end up with a more distributed, more resilient kind of set of international infrastructures like this. Because I can imagine Australia and New Zealand, for example, you know, using the European vulnerability database as well as the American one, as well as, you know, other countries ones much like, you know, we now have multiple satellite navigation networks and people can rely on, you know, GPS and whatever the European one is called and whatever the glonass, the Russian one, you can have multiple ones. So, you know, it's probably good overall.

Patrick Gray

Yep. And we're going to head towards the finish now. Got a few items to go, but we've got a couple of. These are these stuff, these things that I never understand. Right. Which is like, basically we got like a Spectre style attack here. Walk us through it. This one's from vusec.

Adam Boileau

Yeah. So there's these researchers from vusec, which I think is their Amsterdam, they're Dutch, looking into a kind of a variant of Spectre memory side channel attacks. So the thing that they have done here is they have figured out how to essentially bypass some of the constraints that we were relying on, some of the mitigations we were relying on to prevent side channel leaking across trust boundaries in modern CPUs, they've come up with essentially some tricks that can bypass, you know, basically all of the existing Spectre side channel mitigations. And this means that they've got, they have sort of a generic technique that crosses circumvents sort of the architectural controls where you shouldn't be able to influence in this case the branch protection from, you know, some user space to kernel space, for example. So they've got some things where you can kind of train the branch predictor in kernel space and then use that to leak information about what it's doing. They've also found in the process of this research, some CPU bugs that they can then use to do this. In some cases across hyper, like guest to host hypervisor boundary.

Patrick Gray

Yeah, they got a clock where they can leak hypervisor memory at 8.5 kilobytes.

Adam Boileau

A second, which is, you know, that's like. The research is pretty dense. Like it's quite heavy going if you're not familiar with all of the previous work on side channels. But the end results are pretty convincing, which is like, wow. Yeah, hypervisor. From a guest up to the hypervisor onto the other virtual machines, not a great look. And right up to really modern intel hardware as well. So that's some great research. And I pity the people who run cloud infrastructure who now have to think about.

Patrick Gray

Yeah, yeah, that's right. I mean, it's hard enough for me to just think about it for five minutes talking to you about it. But yeah, all these speculative execution things are confusing to people like me. And we've also got another one and something similar from. What is it? Eth Zurich.

Adam Boileau

Yeah, Eth Zurich. So this is basically the same target. So the branch prediction in the CPUs and being able to use that to leak memory. But the Eth Zurich research essentially is a race condition between. When you train the branch predictor, the guts of all of these bugs is you set up the branch prediction in the CPU and then you let it run code that you want to learn about and you infer the behavior of that code by looking at how the branch predictor change state. And one of the ways that we've worked around this is by flushing the branch prediction cache when we transition between security bounds. So when you move from executing guest code to executing hypervisor code, the CPU is meant to be able to throw out the state of the branch predictor and carry on. This is a race condition in that process where the results of branch predictions that were in flight at the time of the transition between security zones land after that zone transition and still impact the state of the cache. So that race condition means that they can influence across those security boundaries. And their proof of concept is also pretty compelling. It's like I would like to read the system password file on a Unix box.

Patrick Gray

Well, I mean that's. That's pretty handy.

Adam Boileau

Yeah, so like there's a lot of nerd crap, you know, in these kind of reasons. Like super academic, really dense, hard to read. But the proof of concept, honestly, pretty straightforward to understand. Run, command, receive, you know, root password, hash. Pretty compelling.

Patrick Gray

Yes, I would agree. That's compelling. And apologies to them for calling them Eth Zurich. The cryptocurrency people have melted my brain. It is Eth Zurich, of course, a fun one here. Very much at a different end of the of the spectrum, which is a slide deck from Black Hat Asia from April. Looking at some work a group of people did here. What's the name? PC Automotive? Three researchers, Polina Smirnova, Mikhail Evdokamov and Radu Motspan. I'm very sorry I massacred your names. But they looked at doing some security research against a Nissan leaf, like a 2020 model and they could go from Bluetooth to like starting the car. So, you know, a bit of stunt hacking here, but a really great slide deck with a walkthrough on how they did it.

Adam Boileau

Yeah. And I mean, honestly, like going through their research, I felt this is beyond stunt hacking. Like this is actually pretty legit.

Patrick Gray

Oh. But you know what I mean, like the concept is done hacking. But yeah, it is a good write up.

Adam Boileau

Yeah. And so they bought essentially the like head end guts and telematics units and stuff from an SN Leaf and then reverse engineered firmware every step of the way and circumvented all of the controls that got in their way and then found memory corruption via Bluetooth, turned that into command exec on the head end. From there shelled towards the like can bus interface that talks out to the rest of the car. Got codexec on that. Figured out how like the can bus message filtering worked, like border test, like the sort of thing that mechanics would use to send undocumented, you know, proprietary can bus commands for the Leaf. Reverse engineer those so that they could get out there and net result, whole thing end to end. Bluetooth, it's not quite zero interaction. You have to be on the network settings screen and they're like, yes, we can Denial of service to WI fi. So that someone goes, why isn't this connecting? Goes to the WI fi connection screen. And then that's all that's needed to trigger the Bluetooth bugs. And then onwards from there to root on the infotainment system and full access to the can bus control, the steering control, the doors. Like, you know, it's impressive work and they must have had so much fun doing it as well. So, you know, good work.

Patrick Gray

Yeah. I like how they just went to a wrecker, you know, an auto wrecker and just like grabbed one of these things and stuck it in a rack. Like that's pretty cool. And we've got. Just rubbing my temples, right. What Week of Risky business would be complete without talking about some Ivanti and Fortinet bugs. Hey, yay.

Adam Boileau

Yeah. So we have Ivanti's Endpoint Mobile Manager. Endpoint Manager Mobile, whatever it is product. They have some high cbss bugs in it. They are blaming open source code that they put in there. They won't say which open source code. Just, you know, just trust us. We're getting shelled again. Just trust us.

Patrick Gray

I think Catalan wrote in his script, it was very dry. It was like, you know, they blamed a bunch of libraries. They have not named the libraries.

Adam Boileau

Yes, yeah, exactly. If you're an Avanti customer, you are well used to getting owned and having to patch your stuff. So go patch your stuff and probably roll instant response again. And then yes, of course our friends at Fortinet, they've got a stack based buffer overflow in the year 2025 of our Lord stack based buffer overflow in like half a dozen products that you would have in your network Edge, including.

Patrick Gray

Their NDR product which is just for those following at home. The NDR stands for Network Detection and Response. So I mean look, to be fair, like NDRs are pretty, usually pretty good targets because they have to parse so much, right? So they're full of parsers but still, you know, woof.

Adam Boileau

Yeah, it's a little bit orcs. When you buy your security products, put them on the edge of your network and then they are the things that get you shelled. So yes, they're stack over bugs and like the list of products that affected is pretty huge. The camera products, you know, their video recording products, NDR mail thing, mail filtering stuff. So it's just, it's just gross. They've got a few IOCs because of course people are out there exploiting it in the wild. We have to assume it's probably, you know, Chinese APT as usual and they are doing the thing where they like the exploitation will also dump log files and stuff so they can get them later. And presumably that's for, you know, even if you do manage to evict them, they've still got an option to go pull enough data to get back in, much like we've seen with other products. So yeah, pretty standard Fortinet owning day for Fortinet owners.

Patrick Gray

Well mate, that actually brings us to the end of this week's news segment. Thank you very much for joining me. Great fun as always and we'll do it all again next week.

Adam Boileau

We certainly will and I'm sure there'll be yet more Fortnite Bugs for us to talk about. What fun. Yay.

Patrick Gray

That was Adam Boileau there with a look at the week's security news. It is time for this week's sponsor interview now with Travis McPeak, who is the founder of Resourcely. And Resourcely is an interesting company that makes a platform that helps you to generate and wrangle Terraform. Right? So instead of your terraform being a complete mess with no sort of procedures there for you to actually spin up infrastructure, Resourcely absolutely solves that problem. But we're talking to Travis today because he has built something new as part of Resourcely, which is a, the platform can now fix things. Right now you might say, okay, and we get into this in the interview, you might say, well, you know, Wiz can remediate a lot. But as Travis points out, it is a brave cloud admin who selects Remediate all with Wiz and just hits the go for it button because that's a recipe for a really bad day. So he's taking a different approach to try to more systematically eradicate the source of problems and the source of misconfigurations in an environment. So here is Travis McPeak telling us all about Resourcely Fixed. Enjoy.

Travis McPeak

I think security people rightfully have a ton of anxiety because they have this giant cloud environment. They go and log into their cnapp dashboard and the thing is just, you know, red with pages and pages and pages of stuff that they don't have the ability or time to address. And then they, they need to do something. Like sometimes when you buy a cnap, you actually create a new problem because before you were flying blind, life was good, you were blissfully ignorant. Now you buy the solution. It's like, oh crap, there's a ton of risk. And to the extent that you have a funded security team, the job of that team is to reduce risk for the business and do so in a way that's quantifiable and provable to leadership. Then you get more funding for security. So that's really why we've built fixes to answer that customer question of how do we clean up all of the security issues in our brownfield cloud?

Patrick Gray

Okay, I mean, that sounds great, but why wouldn't you just use the incumbent solutions out there like Wiz or whatever? Like it seems like maybe you're a little bit late to this party. Like, you know, isn't that a solved problem? I guess is what I'm getting at.

Travis McPeak

Yeah. So if you, let's say that Wiz had perfect remediation for every Single issue. So every, every cloud misconfiguration that they showed you in Wiz had a little button that you can toggle that would say, fix this. They do have that for some, but let's say that every single one had it. You know what security team would have the confidence to go in there and select all and apply? Like, if you do that, you're going to cause not just one outage, you're going to cause 10,000 outages. You're going to be buried in outages for the next 10 years.

Patrick Gray

Stuff's going to be on fire, like immediately.

Travis McPeak

Yep, yep. And I have friends that have run those kind of projects where they just started remediating stuff. They didn't coordinate with devs and it caused outages and people told the security team to stop. So yeah, this is really what we're adding is the ability to coordinate those changes in a way that's careful. So one of the projects I ran was Repo Kid. We would actually go and coordinate with developers, ask them, is it okay to make this change? Sometimes they would say, come back at this later time and make the change. Then we'd make the change and we'd communicate that we did it and we'd give them a big button they could press if something was messed up that would put it back to where it was. That's really the bit that all of these platforms are missing. If you're an advanced company, then you might build this yourself. You might implement like a soar type of tool to do this kind of coordination. But our position is that you should just have one solution that will both make the change for you and also do all of this coordination. It's very manual. You have to track things in Google sheets and do a bunch of manual slack reach outs. So we're implementing all of that in one place.

Patrick Gray

Yeah. For those who aren't familiar, Travis was on the show something like five years ago when he worked at Netflix talking about Repo Kid, which was a really awesome open source project. I mean, you developed it for internal use at Netflix, but open sourced it. And what it would do was monitor like aws, I think in that instance for unused, like IAM roles. Right. Like unused permissions, essentially. And it would just take them away if nobody was using it. So. Okay, so going back to this. Yeah. The idea being that you have a third option, right. In the case of some sort of cloud security issue. So the traditional options have been, okay, that's great, don't touch it, leave it alone. And the other option is like okay, auto, remediate that, cross your fingers, hope for the best. So I guess what you're proposing here is a third option which is like, okay, kick off a workflow here that's going to see this thing get fixed. That seems like a management issue, not like so much a hard tech issue like in your platform, when you decide to kick off a remediation here, how does it know which developer to reach out to and like what does the platform do then? How do you actually skin this cat?

Travis McPeak

Yeah. So ownership is hard in all aspects of security. It's unsolved in many companies, hence the question. Yes, yes, yes, exactly. So we can pick up some breadcrumbs. So for example, if it is managed in infrastructure as code, we're going to get some signals like this is the person that made the pull request for it, this is who reviewed it, this is who touched it last. If you are deploying directly to cloud and you can look at things like CloudTrail. In some cases though, in a lot of companies security just has a hunch like, oh, this is part of this application. We've dealt with this particular developer on this application before. Let's just go and ask them. But like I said, it's extremely manual.

Patrick Gray

Yeah. Okay, so how do you do it then? What's the user experience for an admin who is trying to remediate some issue that this thing's identified, what do they then do as the person driving your platform?

Travis McPeak

Yep. So end to end, what we're going to do is they're going to pull up some systemic fix they want to make across the board. We're going to apply SCPs, we're going to get rid of this particular class of wiz finding, we're going to get rid of IAM users, whatever it is, we're going to pull that in, we're going to make a list of all of them that is not secret sauce. Like we all said, visibility solved. But then at that point we're going to ingest these signals of ownership. That's going to get a bunch of them. The ones that aren't, you're going to have this list like need to figure out the owner for that. If you have a guest, you can send it out. It'll send a slack message email. Developer will get something that's basically like cloud security wants to change this. Are you responsible for it? They'll get like a nice easy button and then if they confirm ownership, great, you have the right person you're coordinating. Sometimes that person may not even know, and then they'll just throw it back to security and you can continue triaging. In a lot of cases they say, I'm not the owner, this other person over here is. So instead of again, security, having to do this weird Slack dance will just automate it for them.

Patrick Gray

And is that the touch point for most of the developers? It's through Slack, or is it like email or dare I say it, God forbid, like Jira tickets or something like that?

Travis McPeak

Yeah, exactly, Yeah. I thought you were going to say teams. Yes, those things. So what we've learned is developers do not want to log into a security tool and operate out of there. They want to operate with the tools that they're already using, whether that be GitHub, Jira that. You know, in a lot of cases when we say we're doing devsecops, that's what we mean is we're going to, we're going to file Jira tickets because that's how developers consume their work. But yeah, we are going to give them easiest communication, lowest friction. You know, even in the case of a JIRA ticket today, you know, you have some CNAP issue, status quo, as you create a JIRA ticket, you have some way of assigning that JIRA ticket. Now, Right. If it has a 10.0 CVE like vulnerability on it, you're going to find out really quickly who's the owner. But there's instructions, log into the console, do this thing and then change this. Now you're multiplying that tax on a developer, figuring out how to change their infrastructure on every single developer, on every single change you need to make. So instead of doing all of that, we'll give them a fix it button that'll just go make the change for them and then tell them it's done and give them a unfix it button if it's broken.

Patrick Gray

Yeah. Okay, so like one example you just gave was like these SCP guardrails which are. That's an Amazon thing, right?

Travis McPeak

Yep.

Patrick Gray

Yeah. See, I'm old enough that all of this cloud stuff is still newfangled and confusing, but I'm guessing there's going to be other examples of you mentioned classes and categories of issues that might be exposed through like Wiz. Right. What are some of the categories of issues that you're sort of targeting with this? Right, because I'd imagine you got your classics like open buckets, you've got other stuff like these guardrails and whatnot. But what are some others?

Travis McPeak

Yeah, so anything that's Internet facing is Worth at least a look. Maybe those are designed to be Internet facing, but in those cases you'd at least like documentation about why they're Internet facing and it's not just a mistake. So all of those, you know, open databases, open buckets, open virtual machines, any of those would be one class. And then there's just like common, awful cloud misconfiguration. Like IAM users had a place in time, that place and time was 10 years ago or more. And today they're just a big tax on your environment. If you get compromised in cloud, it's almost certainly going to be some IAM user static key that leaked somewhere and then now they're in your cloud. So any of that kind of stuff, least privilege, scoping down IAM roles, applying backups, making sure that you're replicating things across regions, making sure that your logging's turned on all the places you expect. Basically like any cloud configuration that's security wanted to have, we're going to go and assist them in getting their cloud converged to that state.

Patrick Gray

Now, one thing you haven't mentioned here, which is staggering, is AI. Like, surely it's a new feature in a modern security product. Surely it uses AI, Travis, you know.

Travis McPeak

It'S not a major focus. We do not want AI vibe changing your cloud properties. That thing should be done deterministically, it should work really well. But what we can do is we can use AI cleverly to assist with some of the triage who's the right owner for this thing, and then also move things up and down based on context. So for example, if we see that something that's public facing has stuff around it that indicates it should be public facing, then we can add that as notes and maybe you don't even bother fixing that thing, or you just suggest to the user, hey, it looks like this thing's deliberately public. Here's what AI found about it and then they can decide the right thing to do. All of these just reduce human labor for it, but it's not actually going to go and make the cloud changes because that's terrifying.

Patrick Gray

So Travis, like, I believe also like, we can't go through this interview without discussing your motivations for doing this. And I believe a primary motivator for you developing this feature set is rage.

Travis McPeak

Rage, yes. Yeah, absolutely correct.

Patrick Gray

Share with us your anger. Right now it's a safe space.

Travis McPeak

Yes. So security teams that buy a scanner and then file JIRA tickets and tell developers to do all of the work, in my opinion are adding zero value to the Organization like you do not need security in the loop at all. If that is the value that you provide, then we should just riff the entire security team. What the security team should do is apply their knowledge of security and then help reduce risk in a way that's quantifiable. If you can't, at the end of a year go to your leadership and say, hey, we eliminated these classes of issues. These are not things that we have to worry about anymore. And that was the number 1, 2 and 3 on the top cloud misconfiguration list, then your security team is not pulling their weight. And I see way too many security teams that are, one, happy with just filing a ticket and calling a day. And two, they don't even think about that kind of risk remediation. They're thinking about whatever the compliance auditor is going to come and check so they can have a clean report. And then you might have an open bucket or open database that's on the Internet that has your crown jewels that's not considered a vulnerability. But if you have this CVE5 over here in some system in your sandbox, that thing's going to be remediated because that's what compliance auditors check.

Patrick Gray

Yeah, yeah. I mean, yeah. Yes. But I guess, you know, I guess really to sum it up then as we wrap it up, I mean this is much more, I mean, I hate using these sorts of terms, but it's like kind of more like a shift left idea, you know, get to the root of a lot of these things that are bubbling up into your Cloudsec scanners and panels and, you know, and just being able to eliminate classes of issues rather than just playing whack a mole. Right, yeah.

Travis McPeak

I've always said if you have a security tool and that security tool is telling you everything's on fire all of the time, what happens, it's just, it's natural human instinct. We become desensitized to that thing. So we're like, okay, dashboard says we have 12,000 issues. Like, I guess we're just going to have 12,000 issues and then people stop paying attention to it at all. And so you should either take a whole class of issues and say we're never going to fix this and make those issues go away from the dashboard so you stop looking at it. Or you should reduce the risk of those issues. If you, if you have a thing that's just blinking red all the time, everybody's going to ignore it and nothing's going to happen from it.

Patrick Gray

I mean, you're speaking fluent vm right now you're speaking fluent vulnerability management. It's just amazing that, like when I talk to Nucleus about their stuff, their vulnerability management platform, you know, a big thing they say is like once you get that visibility, you can start looking for root causes. Why does this division in the company produce these sort of bugs and this division doesn't like, what can they learn from each other? And it seems like a similar sort of mindset here. Travis McPeak, thank you so much, so much for joining us. To walk through Resourcely Fix sounds very interesting and I wish you all the best with it.

Travis McPeak

Thank you.

Patrick Gray

That was Travis McPeak from Resourcely there. Big thanks to him for that. And that is it for this week's show. I do hope you enjoyed it. I'll be back soon with more security news and analysis, but until then I've been Patrick Gray, thanks for listening.