Patrick Gray
Welcome to Risky Business. My name is Patrick Gray. We've got a great show for you this week. Adam and I are going to talk through the week's news and we're joined by a special guest co-host, Mr. Dmitri Alperovitch, who is best known, I guess, in cybersecurity for being the co-founder of CrowdStrike. These days he is the chairman of the Silverado Policy Accelerator. And yeah, he's going to join us and we'll walk through all of the week's happenings, of which there have been many. This week's show is brought to you by Thinkst Canary, and Haroon Meer is joining us in this week's sponsor interview to do the Haroon Meer thing of giving us all a post-RSA report, just about how everything is AI at the moment and how 90% of what's on the trade floor is quite bad and not very useful. And you know, he's here to make some good points, so do stick around for that one. It's a lot of fun. But of course it is time to get into the news now. And Adam, we're going to start with an item that hasn't been reported elsewhere. I suppose it makes sense to sort of introduce how we came to be talking about this, but you were just having a chat with a former colleague at CyberCX, which is a large Australian cyber security company, and he mentioned to you that they'd been dealing in their incident response side with a bunch of interesting attacks. Now, you mentioned this to me and that caused us to reach out to them and say, well, do you mind if we talk about these publicly? And they provided us with some details. But essentially what's happening is there's a Scattered Spider-like group doing domain takeovers of Australian enterprises. It seems to be a heavy focus on Australia at the moment, changing MX records and then taking over the whole shebang. But what makes this really interesting is the speed at which they're moving.
Adam Boileau
Yeah, exactly. This crew appears to have a pretty polished workflow to turn social engineering a domain registrar into control of the DNS, and then from control of the DNS hijack the MX, hijack inbound mail and pivot very, very rapidly from there into a bunch of cloud applications. So in particular Atlassian stuff, Slack, Microsoft 365 and Azure, and then going in a very, very rapid way into stealing a whole bunch of data and, I think in this case, attempting to extort people. But for most organizations, the idea that you would be able to respond to this in the kind of time frame we're talking about, which is tens of minutes in some cases, whilst your email is broken. Because the people who are doing this don't even bother forwarding your email onwards. They change the MX, steal all your email and then just junk the rest. They're not following it on. So as an organization, you're sitting there, our email's broken, we don't know why. Having the MX record changed out from underneath you is not the first thing you're going to think of looking for. And by the time you've figured out that's what's going on, they've already looted your Slack for creds, pivoted onwards into your cloud infrastructure and are having a party in your cloud.
Patrick Gray
Yeah, I mean, we're talking full enterprise compromises here. They're getting the whole enchilada. And you know, once they've taken over these registrar accounts, if the company is hosting their DNS records there, they just change the MX, and if they're not, they just change the name servers and host their DNS for them. And as you point out, they're not doing any email pass-through. It's just like, you know, smash and grab, don't care about being detected. But some of these incidents have resulted in these enterprises spending weeks trying to evict the attackers.
Adam Boileau
Yeah, yeah, because throwing someone out who's got domain admin in your Windows, like, on-prem life, like that's no fun and it's a hard road, but it's still a whole bunch better understood than throwing people out of your cloud infrastructure. Because at least you know, hey, we have to roll the krbtgt, we have to, you know, do these things in our Windows environment. Trying to even build a map of how does my identity work in the cloud, where do I have to change things, what bits are security critical, which bits have been stolen, like, that's a complicated process in the best of times, and mid-intrusion while the attackers are still in there mucking stuff up is really not the best of times.
Patrick Gray
Yeah, and figuring out which cookies you've got to invalidate and how you would invalidate them, and yeah, just an absolute nightmare. So it looks like there's a heavy focus on Australia, but it is affecting organizations globally as well. They're not quite sure why they're doing it. There seems to be a for-the-lulz component to at least some of these, as per CyberCX. So yeah, just a crazy one, really.
Adam Boileau
Yeah. No, it really is.
Patrick Gray
But yeah. Dmitri, I wanted to ask you what you thought about this, right, because this is, you know, your career was very much around endpoint and whatever. I mean, this is what it looks like now when a modern enterprise gets targeted. It's a whole new world.
Dmitri Alperovitch
Yeah, well, as you know, I served on CSRB and we did a report on Lapsus$ and related groups where you basically had very similar tradecraft. No malware, no exploits, no touching the endpoints. Right. Just social engineering. In that particular case, you're mostly using SIM swapping. This is just a next gen of that. Right. You're not SIM swapping to get the 2FA code. You redirect an email or hijack an email, as is the case here. Of course, none of this tradecraft is new. I mean, DNS hijacking goes back decades. I remember the Melbourne IT hack of the New York Times and Twitter. Right. What was it, like 2013 era hack? And you've had crypto platforms that have been hacked the same way, I think five, six years ago, through GoDaddy. But this is the case with these teenagers, oftentimes in Brazil and elsewhere, that are not super technically savvy, but if they can do social engineering, either direct into the organization or through a supply chain route like the domain registrar, they can do so much more damage than even, you know, some of your best ransomware groups.
Patrick Gray
Yeah, I mean, I wouldn't underestimate their technical knowledge, to be honest, because they seem to have a very good understanding of how all of this stuff is glued together. I mean, reading through this, it reminded me of, geez, I don't know, was it like five years ago or something when Uber had an incident? And what made that one interesting is people were tweeting about it and like, we had a lot of visibility into what was happening. And it was an incident where, like, these kids just kept out running the responders. And the vibe on Twitter that day was like a bird had flown into the classroom. You know what I mean? Because everybody was just like, oh my God. But, you know, just. I think the thing that's new, like you point out that, you know, DNS hijacking is not exactly new. I think the thing that's interesting here, though, is the speed.
Dmitri Alperovitch
Yeah. And these guys are often so fast. It's remarkable to watch and so difficult to respond to. Particularly, you know, when these guys are basically 24/7 and the security teams are not. Right.
Patrick Gray
Yeah. Yeah. Well, big thanks to CyberCX for providing some detail on that and letting us talk about it. Very interesting stuff. Now let's move on. We've got like TTP-related news to get through. Adam, you found this one, which is Silk Typhoon were apparently rifling through Commvault cloud environments. And Commvault's like a backup company, isn't it?
Adam Boileau
Yeah, they provide all sorts of backup software solutions and this was their cloud product, which there were some attackers in. I think there were some vulnerabilities in their software. We've seen, like, they pointed to a CVE that's like no detail, but it's remote code exec in their web server product. But interestingly, this was spotted apparently by Microsoft, because their cloud service runs inside Azure and Microsoft happened to spot weird stuff happening there and then told Commvault, hey, did you know that there's a bunch of Chinese APTs all up in your business rummaging around stealing keymat and whatever else? Commvault have said that customer backup data wasn't impacted, but I mean, I don't know what else you do when you're in an environment full of backup data.
Patrick Gray
Yeah, I mean, an infrastructure-as-a-service provider actually doing some useful detections for a customer seems to be the most amazing thing about this. But yeah, that one's pretty much self-explanatory. Now the next one I want to talk about a little bit more is actually a piece from our colleague Catalin Cimpanu. Looking at all of the. It's a bunch of companies that have sort of come together and raised the alarm on the fact that phishing crews are now using SVGs. Right.
Haroon Meer
A lot.
Patrick Gray
It represents something like 1% of phishing and it's on the up. And you know, until recently I didn't fully understand what an SVG image was. And you remember, Adam, we talked about this like a few months ago, where you were explaining to me that an SVG. Okay, so it's like, you know, it's like a vector image format. Sure. But you can also stuff all of the horrors of, like, active Internet content, you know, JavaScript and whatever, into them. Which means you can kind of get cross-site scripting primitives in an image which you can embed in an email. Right. And that seems to be what's happening here.
Adam Boileau
Yeah, I mean, essentially SVG is to images what HTML is to text. So it has all of the functionality of HTML because it is basically a superset, or, you know, sort of, it's XHTML-like, as HTML is. But yeah, you can stick JavaScript in there, you can reach up in some cases into the surrounding DOM of the, you know, the browser that's rendering it. It really is a whole web document format that just happens to be for images.
Patrick Gray
The way I keep thinking, for some reason the thought that I'm stuck with is it's like MySpace in a GIF.
Adam Boileau
Exactly right. You can do almost anything you want, and for most people it is, like you said, just an image format. Why do I have to think specifically about it? And places that accept image uploads might say you can allow JPEGs and PNGs and SVGs and not think about it twice. But safely handling SVG images is the same as, I would like you, my untrusted user, to upload an HTML file and I'm going to stick it in and render it in other users' contexts. And that should be absolutely terrifying. That's exactly what an SVG is. So it makes sense that it's being abused. As to what to do about it, I mean, option one is rasterize those SVGs out to a proper raster image format somewhere before you.
Dmitri Alperovitch
Why can't you just filter out SVGs? How many legitimate emails actually have SVG traffic in them?
Adam Boileau
That's the other option, is just throw out SVGs. But unfortunately people use them for, like, company logos, because the designer has made that beautiful vector, arbitrarily scalable logo and people don't want it to be, like, aspect-ratio squished in their mail footers and then not meet corporate branding guidelines. So yeah, it's a mess.
Patrick Gray
But I mean couldn't you have a vector image format without allowing it to be stuffed full of like XML and JavaScript?
Dmitri Alperovitch
You totally can't, you know.
Adam Boileau
Yeah, there are other vector image formats, it's just we got the web one and unfortunately the web one is the nasty one.
Patrick Gray
Yeah. Dmitri, you had some thoughts?
Dmitri Alperovitch
Well, look, I started out my career in email filtering back 25 years ago, so I always have a soft spot for these criminals because they're so incredibly innovative, breaking through spam filters, breaking Bayes filters, breaking word-based filters with image spam and so forth. So this is just the latest iteration of that, using basically images as code, as Adam said. But there's countermeasures to all of this, and I think some of the more advanced filtering companies are able to detect it fairly quickly, because, as you pointed out, Patrick, there is an image that is encoded in SVG and then you can look at other things that it's trying to do, where it's basically a self-contained phishing delivery platform and has a lot of other links and HTML and so forth that you can determine as malicious. So if you've got a modern filter, I don't know why it would struggle with detecting this.
Patrick Gray
Well, but I mean, where do you apply the filtering? Right. And this is a problem for all of the email companies at the moment, where people are putting their phishing campaigns behind, like, Cloudflare Turnstile and captchas and all sorts of stuff. Right. So you know, ultimately the place to deal with this is going to be in the browser.
Dmitri Alperovitch
Yeah. But these images are actually being sent as attachments, I believe, right, within the email. So you are able to filter it out just doing the scans of the email content.
Patrick Gray
Yeah, I mean, now I'm worried. Like, I don't know, you see a story like this, and sometimes something like this bubbles up and then it goes away, and then sometimes something like this turns up and it's a starter's pistol. And a year from now you're talking about the great 2026 Internet SVG meltdown. Right. So let's hope that's not happening. Now to some happenings. This is a great story. I love this story. Brian Krebs has written about the latest DDoS to hit his website. The last one, which was a tenth the volume of this one, was enough so that Akamai, who had been providing him with DDoS protection back then, actually said, would you mind finding another host, because you're starting to present some problems to the integrity of our network and our ability to protect other customers. The latest DDoS to hit the KrebsOnSecurity website: 6.3 terabits per second.
Adam Boileau
I mean, wow, that sure is a lot of UDP. And fortunately for Brian, he is running on Google's DDoS prevention platform. They have one that they use for, you know, like, public interest stuff or whatever, which is perfectly capable of sinking six terabits of bandwidth, apparently. Although they did say, Google said this is actually the biggest they have seen as well, when they were comparing notes with Cloudflare. And it seems like it's the same botnet, same crew that were responsible for Cloudflare's biggest one, which I think is the biggest, full stop.
Patrick Gray
But this is like, I just love how if you're in DDoS, the equivalent of popping calc is to DDoS Brian Krebs' website. And it's great advertising as well, because you DDoS his website and then he writes about it.
Dmitri Alperovitch
Yes, this is literally what I found most fascinating. They weren't trying to take him down. This was literally a test. It's sort of the equivalent of ping localhost or print hello world in coding. Right. You're going to use Brian as a punching bag because he's so well known and notorious, of course, in the cybercrime circles.
Patrick Gray
I mean, he has such an odd relationship with those circles as well, because you really do get the impression that the people in the underground quite like him and they all read his articles and stuff. But then he goes into this whole section where he writes about the guy behind the botnet, who's some young guy, probably in Brazil, called Forky, who claims, like, oh, it's got nothing to do with me, I haven't done this stuff for years. And then Brian's like, well, what about these posts from, like, December last year? And he's like, well, you know, but the whole.
Dmitri Alperovitch
I'm not sure they like him. I think they have begrudging respect for him, what he's able to do.
Patrick Gray
Yeah, it's a complicated relationship, I guess is what I'm getting at. Now let's turn to this piece. Look, this has been going on. We could have reported on this last week, but it sort of slipped through because we had other stuff to talk about. But John Greig has a report up at the Record about this telco in the Midwest called Cellcom. And Cellcom has had some sort of incident which has affected, like, voice and text for its customers. But the crazy thing is it's like ongoing, it's been going a while, and it's actually affected the ability of their subscribers to port out to other carriers. So they're just sort of stuck with a service that they can't use and they can't even port out their number. Like, that's a bad situation for the company and their subscribers, because surely you would think once they restore service a lot of people are just going to turn away from it.
Adam Boileau
Yeah, this seems to be like a small, kind of like family-run regional telco. I think they've got about 300,000 subscribers. So, like, pretty large nevertheless. But yeah, they are definitely having a rough time. The CEO put out, like, a YouTube video talking pretty candidly about their problems and, you know, saying nice things to their customers. But it must be a rough day at the office there.
Patrick Gray
Trying to deal with. The CEO was sending thoughts and prayers. Right.
Adam Boileau
I mean, you know, she did a pretty good job of being heartfelt and honest, and, you know, of CEOs of telcos that I have seen apologize for outages, it's amongst the better ones. But yeah, it must be rough being their customers. And we haven't seen any particular details about what it is, but it feels like someone got in and ransomwared, you know, deleted a bunch of stuff or locked up a bunch of stuff, because yeah, they're having a rough time.
Patrick Gray
Yeah. I mean, you had a reaction to this one, Dmitri. I remember when you were reading through the news list, you were like, wow.
Dmitri Alperovitch
Well, you know, they're talking about impacts to customers. Missing job interviews, missing calls from family members that are really important. Right. And I just have a hard time thinking that this company is going to survive, or, you know, is it going to be just a shell of its former self post this? Because imagine you're a customer that has had that type of impact, that's been without a phone for days on end. Are you really going to stick around and hope that next time they'll do better when you have other options? So this might be one of those cases, and they're usually few and far between, where this is an existential threat to the business in the case of this ransomware outage.
Patrick Gray
Now, they are not the only people having problems in their data centers. Let's talk now about the Lumma or Luma stealer, however you want to say it. This was a bit of malware that relied on a bunch of domains. It's been around for quite a while. Microsoft took part in a law enforcement takedown of this botnet. There was another one too, that we'll talk about in a moment. In fact, it's one of the only weeks you can ever say it's been a bad week to be a cybercriminal, because there's been a lot of law enforcement action. But what's really interesting about this one is these guys got rm -rf'd and all of their domains seized and just had a really bad time. But what's been interesting is seeing the people who actually operate the botnet sort of pop up with a post-incident review. And what's crazy is they're like, yeah, okay, so our whole server got nuked. So we spun it back up and put extra logging on and it got nuked again and it didn't turn up in the logs. So now they're thinking they got popped through some sort of vulnerability in, like, iDRAC. Right. Which is, like, data center stuff. Adam, talk us through this one. Because I know that this type of hacking is near and dear to your heart.
Adam Boileau
It certainly is. Yeah, it seems like. So the FBI shelled their box somehow, put up a phishing page, you know, trying to lure credentials and IPs from their users. Apparently it would also try and turn on the webcam so the FBI can, you know, snap the traditional pic out of the webcam of whoever they're hacking.
Patrick Gray
Sorry, just a second though. Like, how, I mean, you know, how dense do you need to be as a cybercriminal who is now logging into essentially a phishing page? Like, when are you going to log into your criminal portal, right, as a criminal, where you're going to do crime, and then it asks you for permission to turn on your webcam. Who clicks?
Dmitri Alperovitch
Yes, but anyway, even if it's not law enforcement doing it, but your vendors in the cybercrime area who can now use it against you for blackmail. That's not a good idea, to say yes, right?
Patrick Gray
What. Anyway, continue, Adam.
Adam Boileau
Oh dear. Yeah, anyway, so their stuff was hosted in some kind of bulletproof hosting somewhere, well out of reach of law enforcement. But it appears that law enforcement had some bugs in the Dell iDRAC lights-out management system and were using that to get in, is what their assertion is. I, as you say, have enjoyed some other vulnerabilities in lights-out management systems over the years, so that seems entirely reasonable. And obviously if you can get into the lights-out management, you can do anything you want. You can boot the server off disk, you can mount USB sticks, you know, virtually across the network. It's like you're standing there in front of the server itself. So it's a great place to go and do hacking. It sounds like it was. So the Lumma Stealer admin said that the DRAC interface was connected to a whole different network somewhere else. So, you know, we have seen law enforcement break into bulletproof hosting providers and kind of, you know, rummage around and do things. But either way, it's quite fun watching them have to, you know, pull that thread and figure out how they got hacked by law enforcement or whatever we're going to call it.
Patrick Gray
I mean, I just think they're lucky it wasn't ASD behind this one, because ASD went and nuked an entire bulletproof host. Like, they didn't just take down one box, they just torched the entire thing. So I guess, Dmitri, why do you think they kept the rm -rf shark so tightly leashed during this operation? I mean, that seems like more of an FBI approach, doesn't it? We'll just stay on this one target instead of raining hell on the entire thing.
Dmitri Alperovitch
Yeah, I mean, usually you have court orders around certain things, so it's tightly defined in terms of the scope of the operation, so they can't necessarily deviate from it. But, you know, the funniest thing I saw in that post, in Russian, obviously, from the cybercriminal. I think all three takedowns we're talking about are Russian cybercriminals, of course. But the last line that he had is that, yes, we got access back to the server, we turned off iDRAC, but I do think they have other cards to play. So we will have future notes for you. Stay tuned. Yeah, they appreciate that this is not over.
Patrick Gray
Yeah, they're like, these guys have game. And I will just say, you know, court orders. Court orders are for cowards. Dmitri, come on, let's go.
Adam Boileau
You know, for G men.
Patrick Gray
That's right. Come on, G-men. Get that rm -rf shark, you know, big rm -rf shark. Let it do its thing. Now, look, as you just alluded to, there's been a bunch of other takedowns as well, including, what is it, Danabot, which is another, you know, malware family. This one's been taken down. What? Have there been arrests, or are they just domains down? Like, there's so much going on. Adam, walk us through it.
Adam Boileau
Yeah, so this one was a joint law enforcement operation called Operation Endgame 2, and it took down a whole bunch of botnets, of which Danabot, I think, was one of the bigger ones. 16 people arrested and a bunch of domains and other infrastructure seized. So, you know, we've seen this kind of thing happen a lot, but it's just been a very busy week for, you know, being a cybercriminal, running botnets, running, you know, info stealers, that kind of thing. So, yeah, rough day in that particular, you know, crime ecosystem.
Dmitri Alperovitch
The interesting thing here is that, like in past botnets emanating from Russia that we've seen, there was an espionage variant where they were targeting diplomatic communications and particularly looking at countries' communications with the United States. And the two leaders, obviously, are from Russia, but one of them, Artem Kalinkin, actually works for Gazprom as an IT professional. His Facebook profile, I loved. Mafiosi was the actual nickname. Not very subtle. But the fact that he works for Gazprom, obviously the state-owned gas company in Russia, you know, makes you wonder how he got connected with customers, or perhaps people that are his roof, his krysha, as they say in Russia, protection in law enforcement, that are also giving him taskings.
Patrick Gray
Yeah, so it was an interesting aspect to this, where, you know, you've seen multiple botnets over the years where they've been doing crimeware and then all of a sudden there's, like, a forked version which is designed to do espionage. And this was certainly one of them. But, you know, this is not exactly what you would call the espionage A team, because according to this piece from KrebsOnSecurity, from Brian Krebs, the way the FBI was able to unmask some of the operators of Danabot is because they accidentally infected themselves with their own malware, which is, you know, all.
Dmitri Alperovitch
Right, who hasn't done that?
Adam Boileau
Yeah, so it happens to the best of us.
Patrick Gray
Who among us, et cetera. And yeah, we've also seen the DOJ unseal charges against the people behind Qakbot. Quackbot. Q-A-K-bot. Yeah, so, yeah, just, like, a lot of law enforcement action over the last week. And also another one: 270 dark web drug traffickers have been arrested by American and European officials. You know, a whole bunch of stuff taken down. 144 kilograms of fentanyl or fentanyl-laced narcotics, and 180 firearms confiscated. So just so much happening. So much.
Dmitri Alperovitch
Yeah, the Qakbot one is interesting because this has been around for a long time, you guys, I'm sure, remember. It apparently was created back in 2008 days. Right. So you have almost two decades of non-stop activity from this guy, Rustam Gallyamov, another Russian that created it. So for him to get caught, or at least identified and indicted, after such a long career actually tells you that he was probably quite good.
Patrick Gray
Now we finally got some closure on the Baltimore ransomware attack. Now, this was a big deal when it happened back in, when was that, 2019, where, yeah, the city's network got ransomed. And one of the reasons this one made such big news is because the New York Times incorrectly reported that the way that this network was hacked was using EternalBlue, which was a leaked, like, Shadow Brokers exploit or whatever. So, you know, this was just massive news at the time. An Iranian national has just pleaded guilty to conducting that attack, and mysteriously has pleaded guilty in North Carolina, where he was arrested. And the Bulgarians have been thanked by American authorities. No one's really quite saying how he wound up in North Carolina, but. Adam, walk us through this one.
Adam Boileau
Yeah, there were a number of people that were kind of tied up in this particular thing and they were all located in Iran. And it's kind of funny that this one guy just, you know, pops up for no reason and then pleads guilty in the US courts. He's facing up to 30 years in prison. When they hacked Baltimore, I think they asked for, what, 13 Bitcoin, which at the time was like $70,000, which seems so quaint by modern ransomware standards. But yeah, I mean, it caused a whole bunch of disruption at the time. And these days, attacks on city, you know, administrative local government or whatever is pretty workaday, common hacking. But back then this was a big deal. So, you know, the wheels of justice turn slowly, but for this guy, they've definitely turned. And I'm interested to see if there is a story behind how he ended up in the US, or whether it's just, you know, something dumb like he went to Disneyland.
Patrick Gray
Well, I think, I mean, just reading between the lines, it reads to me like maybe he was in Bulgaria, the Bulgarians arrested him and, you know, he was extradited or whatever. But it is a little bit light on the detail. Do you think there's anything more to it there, Dmitri, or is it probably just something simple like what I said?
Dmitri Alperovitch
It's hard to say. The DOJ thanked Bulgaria for providing evidence and helping collect evidence, not necessarily for extradition, which presumably they would have done. But what is interesting about this crew is that they seem to have been particularly focused on local municipalities. It wasn't just the city of Baltimore, but the city of Greenville in North Carolina, and in Oregon and New York and elsewhere, where they've targeted this. So they seem to have realized, hey, cities providing vital services like garbage collection and 911 and healthcare, ambulances, et cetera, are really prime targets for ransomware, pretty early on. Obviously nowadays, as Adam said, it's common practice.
Patrick Gray
Yeah, I mean, I do find it interesting that in this John Greig piece from the Record, the last line of the story is the DOJ did not respond to requests for comment about when he was arrested or if he was extradited. So there's just this lingering little air of mystery about exactly what happened there that I think is interesting. Now, in a sign of the times, when this story first appeared in our news run sheet, Adam removed it because, you know, it happens all the time. And I'm like, man, we've got to put this one back. Given the amount of money involved, some decentralized crypto platform called Cetus, C-E-T-U-S, got 233 million bucks' worth of crypto removed from it. I mean, I think that's. I mean, I know there's crypto attacks every day, but I think $223 million being stolen from a DeFi platform is still kind of newsworthy.
Dmitri Alperovitch
Adam, can we just admit that crypto is now just a wealth transfer mechanism from rich countries to North Korea? Isn't that all it is now?
Patrick Gray
Well, and to some criminals too.
Adam Boileau
I mean, you know, sure, the criminals take a cut of the North Koreans' money whilst they're laundering it, but yeah, I think when we were going through the run sheet, I said, look, mate, I don't get out of bed for less than a billion dollars' worth of crypto stolen. Like, 200 million? Pshaw. That's not worth the column inches.
Patrick Gray
Next year, eleventy gajillion dollars was stolen. You know, I just find all of this really interesting. I think the most interesting thing, the Bybit attack, of course, that was what, $1.4 billion in crypto? I mean, that one was just so interesting given the way that it unfolded. I mean, this one looks a little bit more workaday. I did really appreciate when I later did a sponsored interview with someone from Trail of Bits who really, you know, knows a lot about all the crypto stuff. And I asked them, was the way Bybit was managing this stuff kind of standard in the crypto industry? And they just said no. So I think there's probably ways to operate these exchanges and platforms which don't result in hundreds of millions or even billions of dollars going missing, and it would probably make sense for those companies to adopt those methods. Yet another one from John Greig here. He's just done a little bit of follow-up reporting on the Coinbase breach and we've got some numbers there, which is 70,000 users have been impacted. Dmitri, this one seems to have connected to you, because you say you've been getting, just since this breach, just absolutely insane amounts of crypto phishing, like Coinbase-related phishing attempts, to your phone and email, because you had an account there a million years ago. And you're like a no-coiner who just happened to be in this data set, is that what we're guessing?
Dmitri Alperovich
Yeah, I don't own any crypto. For the record, for the listeners, don't.
Patrick Gray
Come and chop Dmitri's fingers off. He does not have any crypto.
Dmitri Alperovich
But I did have an account back in the day just to play around with it and see how it works and so forth. Literally over a decade ago, and it is annoying. I was wondering about this because for the last, like, month, month and a half, I've been getting, like, daily nonstop phishing emails about, you know, my Coinbase account was hacked, give a call to this number, or withdrawals in process, or you got an authentication code, if you didn't request it, give us a call. A variant of one of those messages at least once a day, sometimes multiple times a day. So I don't know if it's directly connected to this breach, but it certainly seems quite coincidental.
Patrick Gray
Well, I mean, what I wonder about, right, because you sent me some of the text messages that you were getting. What I wonder is, like, if it's one threat actor who has this data set, they're kind of overdoing it with the phishing attempts, right? It's annoying at this point. And that's the thing, like, given the different phrasing, different structure of the messages, and the fact you're getting so many of them, I wonder if maybe quite a few people have this data set now.
Dmitri Alperovich
Yeah, they probably sold it or it got leaked, and lots of people are now trying to take advantage of it.
Patrick Gray
Yeah. And we should not forget that included in this data set are transaction histories, balances, and home addresses. And that is a dangerous thing. We alluded to that last week when we were talking about all of the people who are being sort of tortured and having various bits of them chopped off by criminals in an attempt to extract their, like, passphrases and whatever. And just as soon as we put down last week's show, I think a day later, this crazy story broke out of New York where this cryptocurrency investor apparently kidnapped a guy and was torturing him over a period of weeks in a townhouse in New York. Eventually, the guy managed to break loose. He told the guy, okay, I'll give you my password. It's on my laptop in the other room. The guy went to get the laptop, he ran out the front door, managed to flag down a cop, and he's okay now. What I find fascinating about this story, though, is that this guy, who was like 28 years old or whatever, was being tortured for weeks and did not give up his crypto. Adam, that does seem a little bit...
Adam Boileau
...extreme, when you have to go to, like, you know, Special Forces, you know, search and evasion training just to be able to responsibly hold your crypto wallet. I mean, the whole crypto ecosystem doesn't feel particularly good. Like, it's not a good time to be, you know, in charge of a lot of crypto. And, like, I'm amazed at this guy. I mean, I guess, what do you do, right? It's not like you can make up a fake password because they're going to test it straight away. So, like, yeah, I don't know. I don't know how you deal with that.
Patrick Gray
Like, you just be ultra hardcore like this. I feel like there's more to this story, though, because the two are known to each other. Like, I wonder if there's some sort of business dispute. And the guy who was, like, wrench-attacking him, you know, I think he's been denied bail because he has access to a private jet and stuff like this. So you're just like, why are you beating a guy up with a wrench and trying to get his phrases? Anyway, Dmitri, you add something here.
Dmitri Alperovich
Well, I just wonder how competent he was as a torturer if it took him weeks and he didn't get what he was after. You know, wasn't it simpler to just hire some Russian gangster and get the stuff in a matter of minutes? I mean, they know how to do torture. Unfortunately.
Patrick Gray
Yeah. I mean, you know, what's wrong? "Do you even waterboard, bro?" I think is the vibe here. All right, so we've got another one. Yet another one from the Record. Great coverage from the Record this week. Daryna Antoniuk has written about Vietnam banning Telegram inside Vietnam. Now, Dmitri, you and I had a bit of a chat about this before we got recording, and you asked me, what do you think about this? And I said this feels like Telegram doing crime stuff is a convenient excuse for Vietnam to ban this, because people are spreading, quote unquote, subversive material over Telegram. I mean, look, it could be over genuine concerns about crime, given the amount of cybercrime and fraud happening in that region. It is a good reason to ban Telegram. And yet you can't help but feel that perhaps the government there is motivated by other things.
Dmitri Alperovich
That's what it feels like. And you know, of course, Telegram and Durov are claiming that they have been cooperating and doing takedowns. You know, who knows whether that's true or not, and how aggressive they were. Of course, Telegram, as we all know, is kind of a run-on-a-shoestring type of operation. So even if they want to cooperate, they don't have that much staff to actually respond quickly enough to a lot of these abuse complaints. But I do tend to agree with you. Vietnam is very, very serious about content filtering, very serious about suppression of any information that's not allowed within the country, obviously run by a communist party. And I think that probably has more to do with it than just the fact that they host some dark market Telegram channels.
Patrick Gray
I mean, I hear you, and I have a foot in that camp, but I also have a foot in the other camp, which is, you know, the fraud and pig butchering stuff taking place in Cambodia, Laos and Myanmar is equivalent to 40% of the GDP of those three countries. Right. So it's got to the point where this activity could actually destabilize the region, because you might wind up with this underground economy kind of corrupting those governments. So I can see that there is also a very good, legitimate reason to do this. I mean, Tom Uren and I, our colleague Tom, who writes Seriously Risky Business, we did a podcast last week where we were talking about the takedown of one of these Telegram markets, which had 900,000 people involved in it, you know, and was just doing tens of billions of fraud. And you just sort of think, I don't know. I sort of feel like if you're the Vietnamese government, you kind of get two birds with one stone, I guess. What do you think, Adam?
Adam Boileau
I mean, if you can do both of these things, like, why not? You know, I imagine their interests line up, but it may also be a case of, you know, they can shake someone down for a bribe to turn it back on. Like, maybe it's a triple whammy of wins for, you know, whoever's responsible for regulating it there. So, yeah, it's kind of hard to say.
Patrick Gray
I don't actually know what the corruption situation's like in Vietnam, because it's really funny, because you get this situation where in some countries with, you know, old school communist leadership, corruption is rife, and in other ones, if you do anything corrupt, you immediately get shot.
Dmitri Alperovich
So it's pretty pervasive in Vietnam.
Patrick Gray
It is widespread. Yeah, yeah. All right, so let's look at this Reuters piece now by AJ Vicens and Raphael Satter. You know, last week we talked about the leak of the... well, not leak, DDoSecrets, Distributed Denial of Secrets, getting their hands on the data breached from TeleMessage, scraped through some API endpoint that would give you a heap dump, because that's what you want when you're running a secure messaging service. As we said last week, we were expecting that, you know, other media would do a deep dive on that data, rummage around in it and see if there was anything that interesting in it. According to this piece from Reuters, nothing too sensitive in it, which is kind of what I expected, if I'm honest.
Adam Boileau
Yeah, you get the impression that they probably pulled the plug on this pretty quickly. And the dumps that DDoSecrets had access to were from a pretty limited time window. So clearly anyone who knew about this and had been doing this since TeleMessage started up would have been able to see message contents as stuff was going past. But this particular dump, other than kind of confirming through metadata that there are phone numbers of people in positions of power and in the US Government and other things, you know, we haven't seen much in the way of message contents. There are some, like, group names and stuff that give us hints of, you know, the nature of the conversations, but nothing we didn't really expect.
Patrick Gray
Yeah. And I guess because we had a little internal meeting about this when this data was first kind of made available to researchers and journalists, where we had a line, I think, in some of our coverage in Risky Bulletin that said, you know, the data will contain private conversations from senior White House officials. And we had a bit of a discussion about, well, we don't know that, and it looks like it didn't. I mean, you would imagine there would be some sighs of relief in the White House over this, Dmitri. But also, I mean, you just got to wonder at this point if, you know, foreign intelligence services were exploiting this service prior to it being publicly exploited. And there's no real easy way to know that.
Dmitri Alperovich
Well, this is the big issue I have with this story, is that, okay, there's nothing totally valuable in this dump, but the reality is that these servers of TeleMessage are incredibly vulnerable. And it's not just through this one vulnerability. I've been hearing for weeks from other researchers that have been looking into this of all kinds of issues that they've been discovering with this platform. So it's just not a platform that I would feel comfortable with any USG official really using for secure communications. Yes, unclassified, but nevertheless potentially sensitive. Even the subject of a group name can be sensitive, right, if it talks about upcoming military action or what have you, as we've seen in the past. So I do have broader concerns about this particular product. I understand why it's being used. You want to make sure that you preserve archives of these messages to abide by legislation that requires you to preserve communications. But there's got to be other options, and if there aren't, someone should build one.
Patrick Gray
I mean, I'm sorry to make such a middle-aged point, but to me it seems like the big problem here is procurement, because there are other options, right? You've got Wickr, which is now an Amazon product, which I'm guessing is not going to have the same issues. Right? Like, I'm sure there's going to be stuff. If you test it, you'll find stuff that is less than ideal. But this app was a clown show, right? So I just sort of wonder, like, in what world does an agency like, I think CBP was one of the agencies that was using this, in what world do they opt for that app and do absolutely zero sort of due diligence in trying to figure out if it's any good? Right? So that's the thing. And I think this just ties in. You know, government procurement is hard, right? You know, but...
Dmitri Alperovich
But it's also how it's done. Right? And I guarantee you that they probably did request all kinds of security paperwork, FedRAMP compliance, right, all kinds of checklists that this company did provide to them, that didn't matter a whole lot because there was no pen testing of the platform, clearly, or they would have found a lot of this stuff. And this is just a general problem of how government procures and determines whether something is safe or not. It's a checklist approach, not an approach that's focused on really figuring out if this is a secure solution or not.
Patrick Gray
We finally found a case where pen testing would have been absolutely 100% critical and useful. Adam?
Adam Boileau
I remember being on a call with the leadership of Accellion after we found some remote code exec bugs in the file transfer product. And they literally said, but we have FedRAMP. How is this possible? I said, well, I don't know what to tell you, buddy. I got a shell on your Accellion.
Patrick Gray
To be clear, they weren't your customer, which is why you're talking about it. You did that research off your own bat, just in case anybody was confused. Now look, just to tie it off, this week we've got a piece here from Cybersecurity Dive. I think it's following up on some reporting from the Washington. We also reported about this as well. But basically, all of the senior leadership at CISA have left the agency. Some political appointees, some not, I think. But, you know, there is a massive exodus of senior leadership at CISA. I mean, you know, what do you say about that? I think there's a lot of people leaving the federal government at the moment.
Adam Boileau
Yeah, there certainly seems to be some concern amongst the workforce left at CISA about the vacuum, you know, of so much talent and so much experience, because some of these are people who've been there, you know, before CISA was CISA, you know, back in the US-CERT days, that kind of thing. So, you know, it is definitely going to leave a bit of a hole in their capability. And I think everyone's a bit kind of worried about, you know, what that means, because it's not a great time to be gutting your cybersecurity defence teams, you know, given the geopolitics and all that.
Patrick Gray
Yeah. And we've also got a story here from the Washington Post about the National Security Council, the staffing at the NSC just being completely gutted. What's going on here, Dmitri?
Dmitri Alperovich
Well, look, I think this one is a little bit different from the other stories about people leaving the federal government, because the NSC, of course, is a vital White House organization that really serves at the pleasure of the president. So everyone who is there, whether they're political appointees or detailees from agencies, are there to execute the president's agenda. And the president, frankly, has a right to decide who he wants there, whether someone he thinks is loyal to his agenda or not, or is going to stand in the way of executing it. And I think it's also fair to say that the NSC has gotten way too big over the last decade. During the Biden administration, I think it reached its peak of well over 300 personnel. And the process had become the thing that they focused on versus actually solving the issues. And, you know, for better or for worse, President Trump, you know, believes that he is the guy that's actually making policy, not his staff, and he just wants people to implement it. So they're basically cutting it down dramatically and saying, you know, the tweets are the policy. You guys ensure that the agencies execute them. But I don't need you making policies anymore.
Patrick Gray
I mean, towards the end of Biden's presidency, the policy staff there were 186, according to the Washington Post. And, you know, under George W. Bush and Barack Obama, they were at 204 and 222, respectively. So this is a change, right? Like, it's a pretty significant change. It's going to be smaller than it has been in recent decades. I think this is a conversation that comes up regularly in Risky Biz internally, right, which is when we're reporting on US Government stuff, you've got to be careful not to have that reflex which says that everything Trump does is dumb, because he does a lot of dumb stuff. Right. And you've got to resist the urge to say, Trump's doing it, therefore it's stupid. And sure, you know, streamlining the NSC could make sense, but you sort of wonder if this is the right time to cut down the number of NSC staffers given everything that's happening in the world. Adam, what are your thoughts on this?
Adam Boileau
I mean, I think actually having expertise involved in decision-making, you know, like proper experts who have the time to study and have the resources to go and make good choices, is always going to help. Now, the NSC's role is kind of less about that sort of thing. It's more about how it gets implemented. But at the same time, like, the more expertise you have in these things, the better, I feel.
Patrick Gray
So I just don't understand the rationale here, because the savings for government, we're talking about, like, you know, going from 200 and something to 100 and something or, you know, maybe down to as few as 60. You know, this is a trivial dollar saving in the context of the US government. So, you know, I just kind of wonder what the advantage is here of removing policy experts from something like the National Security Council.
Adam Boileau
Yeah, it does seem a strange place to go cut, you know, what's like half of an F-35 worth of budget in the context. So, yeah, I would like us to bring science and expertise and thought back into policymaking, but maybe that's just me.
Patrick Gray
Well, on that note, guys, we're going to wrap it up there. That is the end of this week's news segment. Thank you both so much for joining me to discuss this week's news. And Adam, we'll do it all again next week.
Adam Boileau
We certainly will, Pat. I'll see you then.
Dmitri Alperovich
Thanks so much, Patrick.
Patrick Gray
That was Adam Boileau and Dmitri Alperovich there with a look at the week's security news. It is time for this week's sponsor interview now with Haroon Meer, who is the founder of Thinkst Canary. Canary, for those who don't know, make great little hardware honeypots you can put in your network that can let you know when attackers start interacting with them. They also do amazing stuff around canary tokens. Very, very great tools, great company. And Haroon, of course, has been in the industry for a very long time and is somewhat of a thinker, and Haroon was at the RSA conference last month and he has thoughts and feelings about the way the industry is doing certain things. In particular, he says the amount of investment and attention being given to AI doesn't quite necessarily make sense just yet, and a lot of this stuff is going to turn out to be useless. And he joined me for this interview where we discussed all of that. Here he is.
Haroon Meer
Part of the reason I think people used to throw stones at the RSA trade show thing becomes very clear when you see how AI dominated this year. I think for sure AI is one of those life-changing things. LLMs have been magnificent. We discover new stuff all the time. But I question how much we understand the problems we've already started selling solutions to. There's a lot of people talking about selling AI solutions when I don't know that we've understood AI problems well enough yet. And again, I'm not a troglodyte. I don't think people shouldn't be playing with it. I think researchers should be knee-deep in AI stuff. We're playing with a lot of it internally. But like a16z used to talk about backing founders who've lived in the idea maze long enough, like they've experienced these problems, and all the people currently selling solutions to gen AI problems, like, we haven't even seen what gen AI is in the enterprise yet.
Patrick Gray
Yeah, we haven't built the maze yet. Now, like, I would agree with you that a whole bunch of startups talking about solving gen AI security problems, that would be weird. I mean, there's a couple of startups already. We had one of them in Snake Oilers, can't remember their name. They're doing cool stuff though, you know, just stuff you need, like, you know, tools that'll stop your AI customer service agent from saying insane things and dishing out people's Social Security numbers. Like, there's already some products in the market that are needed around that and they are solving very much understood and present problems. But where I'm seeing most of the AI stuff now is people applying, you know, reasoning models and LLMs to some pretty concrete existing problems in infosec. And that's where I'm interested in AI.
Haroon Meer
So I think it's interesting as an investor, but I think one of the things that people get wrong, for example, like, we pitch Canary as a solution and we've never had to tell anyone that we use a vector database in the back to help our decision-making, or we've never said we use Redis instead of MySQL. Using LLMs as a backend technology to help us do our stuff actually shouldn't matter to people. What matters is, are we solving a problem? And infosec gets hung up on this stuff for a whole bunch of perverse incentives, because if they say they're doing AI stuff they'll attract a whole class of investors, which will attract a whole bunch of money. And what I see more and more recently is it's not just attracting investors, because, you know, I've been kicking VCs for years. The problem goes deeper, right? You get these big established infosec companies and now they're playing a different game, because what they need to do is convince the market that they're still hot and with it. And the way they do that is by either playing with new technology or buying the latest technology company. And so what you're starting to see, or what I'm becoming more and more aware of, is these big platform-play security vendors every few years have to go through the hype cycle and pick off the top three people, and two years later they sunset those products because they weren't really a thing. But it's worked for them because they get to say, yes, we're doing something in the agentic space, we bought X company. Yes, we're doing something in the source space, we bought so-and-so. They get their market pop. The market is happy. But what it means, again, is just this flood of uselessness and noise in the market.
Patrick Gray
Ah, like, I'm waiting for the point where we disagree, because there is an awful lot of stuff out there where they just slap the old sticker on it, you know, tap on the lid, you can fit so many LLMs in this bad boy.
Haroon Meer
Exactly right.
Patrick Gray
You know, like, that is a hundred percent a thing. But I mean, that said, I think that the future... like, I just caught up with a mate of mine who's a tech executive working for a company here in Australia, and, you know, he just went down and got a demo from Microsoft of what they're doing with AI and it blew his mind. And when he was telling me about it, it blew my mind as well. Like, this stuff is coming, so I'm sort of not surprised that everybody's trying to find a way to be an AI company, because everybody's going to be an AI company soon, and for good reason. But I think, you know, to your point, a whole bunch of these people are just going to get wiped out. Right?
Haroon Meer
Yeah, so for me, and again, I think the value is in the idea maze. Like, one of the fundamental problems that I think infosec, when you look at products and companies, has had is over-promising and under-delivering. And part of the reason is that these incentives work for them. So show up at RSA and talk like you understand this thing and you get the shiny booth and you get investors and then you actually get an acquisition, because they're looking to tell the market that they're playing in that space. But the net result is that people are not being rewarded, or people are being adversely rewarded, for doing the wrong thing. What you want is people spending enough time in that space to deeply understand it, to come up with solutions that work. And yeah, I think it's one of the... if you take just the example, if you consider that San Francisco now has Waymos running all around. Those Waymos aren't a new thing. Like, Google's been working on that stuff for 10 years and it's why that stuff is now there. Most of the "we are AI sec" companies showing up at RSA started two weeks ago and the ink is still wet on their term sheet. And that's part of the problem. It's flooding the market with noise at a time when you actually want clarity.
Patrick Gray
Yeah, but it's not all crap. No, you know, like, so if I think of people who've spent time in the problem maze, right, who are doing stuff in AI. Like Edward Wu is a great example. He's a founder of Dropzone AI, and, you know, one of the investors in that business is his former boss, who was the founder of ExtraHop Networks, which is where Ed built the security part of ExtraHop's product, which sits in SOCs. Like, this is a problem space he knows really, really well and realized, hey, if we applied some reasoning models to tier one SOC analyst work in a SOC...
Haroon Meer
Yeah, like, there's goodness, it's going to...
Patrick Gray
...work, and it does. Right. So, you know, here is a place where someone's taken an AI approach to solving a problem, which is just, you know, alert fatigue, which we've been dealing with forever. And it works.
Haroon Meer
So I'll tell you, for me there's a... and I thought about this on the spot, so it's likely to be fraught with danger.
Patrick Gray
Let's hear your half-baked idea then, Haroon.
Haroon Meer
You'll notice we've never pitched Canary as deception. Like, nowhere on our site does it say deception. We don't say we are a deception company. We say we help defenders win. We say we catch bad guys before they dig in, because actually we don't need to give it the hype cycle name to say here's the problem we solve. And if he solves the problem of alert fatigue in SOCs, that works. They solve the problem, and it doesn't matter that they're using AI or machine learning or LLMs.
Patrick Gray
Well, but people want to know why. How is it different? How is it new? So that's why they have to say that it's an AI product, because it is an AI product.
Haroon Meer
So again, we didn't have to say we are a deception product, or we don't have to say it. And for me, and it's not to say that they're not right. Like, I haven't looked at the product. They might well be. But I'm saying that's the important thing that as an industry we get wrong, which is people jumping on the next thing, and you see it in some ways just from the same people who hop from hot topic to hot topic. So a bunch of the deception companies went on to be identity security people because identity was the new perimeter, and a bunch of them are now onto machine learning, or AI, because that's the problem. And you see what they're doing is just, how can we catch the next bit of free headlines or mindshare or budget allocated at a company. And stupidly, the constant hopping like that stops them from ever staying in a problem domain long enough to actually get good at it and actually solve that problem. And like I say, in one respect it's tilting at windmills because you end up seeing that system work for people. But the question is which people it works for. It works for founders who play that game and then exit, but it doesn't necessarily work for the market, because the market ends up with half-baked products that end up disappearing every few years.
Patrick Gray
Well, I'd posit that they only get to exit if something has gone right. You know, I would suggest that, Haroon.
Haroon Meer
So I don't think so. Like, I've seen a bunch of exits that are, again, like, if you follow the, the 10. And this is cynical, because sometimes the stuff's decent and good, and we all win. But I've seen enough of catch the hype cycle, get the funding, use the funding for a big shiny booth. Then a big player needs to show they're doing something in the space and so they make that acquisition. And now you've got the complete life cycle. And in the mix you've had lots of sales to customers who've now got half-implemented stuff that's become abandonware, and the market hasn't won from it.
Patrick Gray
Yeah, abandonware is a good term. I'm gonna steal that. And it is. Look, I would say of everything that you've talked about, I mean, there's one thing that I think is a serious problem, which is, you know, orphaned products like that, because these people, they've convinced people to take a chance on a startup, you know what I mean? Then they sell it off to some big company and then it just gets shelved. That sucks.
Haroon Meer
It's that. And look, I'll tell you one of the big challenges, like, we don't have to tell the listeners, they'll all know this pain. But distraction and noise, like, what problem do I work on next, is one of the biggest challenges for CISOs. Like, they know their problems are X and Y, but suddenly all the hype is on Z and they've got to start showing something for that. And so, yeah, I don't like this. And look, just before RSA, it's kind of funny, I had a chat with an analyst, and we've chatted with this analyst in the past and then saw the analyst report that went out, and we thought the analyst report was very heavily skewed to a company that partners with those analysts. And so this year we did the analyst interview and after that I spoke to the analyst, saying, listen, like, we're about ready to abandon these analyst interviews. We don't think there's value in it. But I'm really keen to understand a few things, like, would you take 30 minutes and just chat to us? And the first thing I asked him is, I say, listen, like, you guys do this radar of companies, like, you've got two companies listed here as the most innovative in the space. Like, how do you choose innovation? Like, I'm not questioning it, I just want to understand your criteria. And there's a little bit of fumbling. And so I say, okay, look, let's make this simpler. Like, we're not in that most innovative space, for some reason we are Newcomers. But I say, let's take us, like, go to our blog. Here's a year's worth of new things we think we've invented in the space. What have these other people put out in that space for you to call them innovative? And so there's a bit of fumbling because both those blogs are just abandoned marketing speak. And I say, okay, let's ignore that. Here's Canary Tools, new, like, here's the new stuff we've built in the last year. What have these companies done? Like, let's go look together at their changelog for the last two years.
And both those companies, big companies, bought deception products. Literally haven't touched the stuff in two years. And the analyst then goes, like, no, like, I think we got this wrong. And so I say, like, but that's your job. Like, that's the one thing that's your job. And by the same token, because now I'm on a roll, I say, like, look, you guys sent us this questionnaire that says, what are your plans for gen AI? What are your plans for agentic deception? I'm like, who chose those things? Like, why do you think those things matter? Because we are playing with LLMs inside. Like, our research labs have put out a paper.
Patrick Gray
I see where you're going. Like, we're gonna have to wrap this up, right, because we're over time. But look, I absolutely see where you're going. Everybody's describing themselves as an AI company now because that's the sort of market expectation. Like, I agree with you on that. Where I disagree is I think that, you know, a lot of this stuff is really going to be the future. Probably 90% of it isn't. Right, I agree with that.
Haroon Meer
So again, I think AI and LLMs are definitely the future. But I think if people are hanging a shingle now saying we're an AI/ML security company, it's very unlikely that you've nailed this so early.
Patrick Gray
Yeah.
Haroon Meer
And again, people should totally be working on the stuff. People should be knee deep in the stuff. But are we ready to be selling this stuff and asking people to trust us on it? Mainly again, it's, it's a question of doing stuff right and doing stuff long enough. And look, some problems are low hanging fruit and they should be grabbed and worked on now. But more than anything else, it's our complete comfort with just grabbing the new headline and trying to flog it.
Patrick Gray
Look, I'm working personally with a bunch of companies that are using AI. In fact, earlier I told you about one that I'm doing some stuff with at the moment. I explained the whole business to you. It's an AI powered company and I didn't actually mention AI at all.
Haroon Meer
And that's when it wins because that's.
Patrick Gray
Not the interesting thing about the business. Right?
Haroon Meer
Exactly.
Patrick Gray
So, no, you know, I'm, I'm absolutely with you. And funnily enough, we're actually building out the Risky Business wiki, which explains in very simple terms what vendors do. So it's a vendor wiki where we're going to hope, hopefully launch that in a few months. And, you know, we feel we need to step in because there is so much nonsense out there about, well, we're an agentic this or that. And you know, it's like, no, actually just tell us what you do. But yeah. Thank you, Haroon, for joining us on the show to make very good, good points, which you always do. And great to see you, my friend. And I'll look forward to chatting to you again soon.
Haroon Meer
Always. Cool. Thanks, Pat.
Patrick Gray
That was Haroon Meer there from Thinkst Canary. Big thanks to him for that. And you can find Canary at Canary Tools, but that is it for this week's edition of the show. I do hope you enjoyed it. I'll be back soon with more security news and analysis, but until then, I've been Patrick Gray, thanks for listening.
Release Date: May 28, 2025
Host: Patrick Gray
Guests: Adam Boileau, Dmitri Alperovich
Sponsored by: Thinkst Canary
The episode opens with Patrick Gray introducing a concerning trend observed by CyberCX, an Australian cybersecurity firm. They are witnessing a surge in attacks by the group Scattered Spider, which focuses on hijacking MX (Mail Exchange) records of Australian enterprises.
Patrick Gray [00:00]: "What makes this really interesting is the speed at which they're moving."
Adam Boileau [01:58]: Describes Scattered Spider's polished workflow, which involves social engineering to control DNS, hijacking inbound email, and swiftly pivoting into cloud applications like Atlassian, Slack, Microsoft 365, and Azure. This rapid movement leaves organizations scrambling to respond as email services are disrupted within minutes.
Dmitri Alperovich [05:15]: Highlights that while DNS hijacking isn't new, the speed and efficiency of Scattered Spider's operations make them more destructive than some established ransomware groups.
The group’s tactics leave organizations with broken email systems and compromised cloud infrastructures, often resulting in extortion attempts and significant data theft. The speed of these attacks challenges traditional incident response mechanisms, leading to prolonged recovery times.
Adam discusses another threat actor named Silk Typhoon, which has been exploiting vulnerabilities in Commvault’s cloud backup solutions.
A significant increase in SVG (Scalable Vector Graphics) usage in phishing campaigns was highlighted by Patrick and Adam, with insights from Dmitri.
Patrick Gray [08:47]: Notes that while SVGs currently represent 1% of phishing attacks, their use is on the rise. SVGs can embed JavaScript and other active content, enabling sophisticated phishing vectors.
Adam Boileau [09:21]: Compares SVGs to "MySpace in a GIF," emphasizing their dual nature as both image and executable code, making them potent tools for attackers.
Dmitri Alperovich [11:26]: While acknowledging the innovation of phishing tactics, Dmitri asserts that advanced filtering solutions can detect and mitigate SVG-based threats by analyzing the behavior and embedded scripts within SVG files.
The discussion underscores the need for updated email filtering mechanisms and browser defenses to counteract these evolving phishing strategies effectively.
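The filtering approach Dmitri describes, looking inside the SVG rather than trusting its image extension, as an added example that is not code from the podcast or from any vendor mentioned; the element and attribute names checked, and the constructed sample files, are this example's own assumptions about what counts as active content:

```python
"""Flag SVG attachments that carry active content (script, event handlers,
javascript:/data: URLs, external references). Added example; the lists of
suspicious tags/attributes and the sample SVGs below are assumptions."""
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that let an SVG execute code or embed arbitrary HTML.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed"}
# Both the plain and the xlink-namespaced forms of href are checked.
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}


def svg_active_content(data: bytes) -> list[str]:
    """Return findings describing active content; an empty list means
    nothing suspicious was seen. Unparseable input is itself a finding,
    so a malformed file is never silently treated as clean."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for el in root.iter():
        # Drop the namespace: "{http://www.w3.org/2000/svg}script" -> "script"
        local = el.tag.rsplit("}", 1)[-1]
        if local in ACTIVE_TAGS:
            findings.append(f"<{local}> element")
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1]
            if attr.lower().startswith("on"):  # onload, onclick, ...
                findings.append(f"event handler {attr} on <{local}>")
            if name in HREF_ATTRS:
                v = value.strip().lower()
                if v.startswith(("javascript:", "data:")):
                    findings.append(f"{attr}={value[:30]!r} on <{local}>")
                elif v.startswith(("http://", "https://")):
                    findings.append(f"external reference on <{local}>")
    return findings


# Constructed samples for a self-test: a plain drawing and an active one.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
              b'<a href="javascript:void(0)"><script>x()</script></a></svg>')

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, svg_active_content(blob) or "clean")
```

A real gateway would run this over every attachment whose declared or sniffed type is image/svg+xml, not only those named .svg.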
Brian Krebs, a prominent cybersecurity journalist, experienced a massive 6.3 terabits per second (Tbps) DDoS attack on his website.
Adam Boileau [14:20]: Highlights that Google's DDoS prevention platform managed the attack, which was reportedly orchestrated by the same botnet responsible for Cloudflare’s largest DDoS incident.
Dmitri Alperovich [14:48]: Speculates that the attack was more of a test for the botnet's capabilities, using Krebs as a high-profile target to demonstrate power without intent to cause lasting damage.
The attack emphasizes the relentless nature of DDoS threats and the importance of robust mitigation strategies, even for well-protected targets.
A Midwestern telecommunications company, Cellcom, is grappling with an ongoing incident disrupting voice and text services for around 300,000 subscribers.
Adam Boileau [16:09]: Suggests the disruption might stem from a ransomware attack, given the prolonged impact and the CEO’s candid communication about the challenges faced.
Dmitri Alperovich [17:04]: Raises concerns about the existential threat such an outage poses to the company, potentially driving customers away permanently.
The incident highlights the severe repercussions telecom companies can face from cybersecurity breaches, affecting both operations and customer trust.
The Lumma Stealer malware recently underwent a significant law enforcement operation resulting in domain seizures.
Adam Boileau [18:46]: Describes the takedown, where law enforcement exploited vulnerabilities in Dell’s iDRAC (Integrated Dell Remote Access Controller) systems to infiltrate the botnet's infrastructure. The operators struggled to recover their operations, indicating the effectiveness of the takedown.
Dmitri Alperovich [21:12]: Notes the resilience of cybercriminals, as the operators of Lumma hinted at future efforts despite the current setbacks.
This segment illustrates the complexities of dismantling sophisticated botnets and the ongoing cat-and-mouse game between law enforcement and cybercriminals.
Operation Endgame 2 successfully took down the Danabot malware family, resulting in the arrest of 16 individuals and the seizure of associated infrastructure.
Dmitri Alperovich [22:49]: Points out the espionage variants of Russian botnets targeting diplomatic communications, raising concerns about state-sponsored cyber espionage.
Adam Boileau [22:18]: Emphasizes the broad impact of the operation, highlighting the extensive efforts to dismantle the botnet's operations.
The operation underscores the international cooperation required to combat organized cybercrime and the persistent threat posed by sophisticated malware families.
An Iranian national has pleaded guilty to the Baltimore ransomware attack originally reported in 2019.
Adam Boileau [26:09]: Details the case where the perpetrator demanded 13 Bitcoin (then ~$70,000) to unlock Baltimore’s network, causing significant disruptions to city services.
Dmitri Alperovich [27:20]: Discusses the impact on residents and the challenges faced by the city in restoring services and regaining public trust.
The resolution of this case marks a significant milestone in holding cybercriminals accountable, though questions remain about the methods leading to the suspect’s arrest in North Carolina.
The episode addresses significant breaches in the cryptocurrency sector:
Cetus saw $233 million worth of crypto stolen from its decentralized finance (DeFi) platform.
Coinbase reported a breach affecting 70,000 users, leading to increased phishing attempts targeting former account holders like Dmitri Alperovich.
Dmitri Alperovich [30:49]: Expresses frustration over relentless phishing attempts post-breach, highlighting the real-world dangers of compromised crypto data, including transaction histories, balances, and home addresses.
These incidents demonstrate the vulnerabilities within crypto platforms and the cascading effects of breaches on users’ security and trust.
A harrowing story emerged of a cryptocurrency investor who was physically tortured to extract his crypto wallet password.
Patrick Gray [32:01]: Relays the incident where a 28-year-old investor was held and tortured in New York, ultimately resisting payment demands even under duress.
Adam Boileau [33:04]: Reflects on the extreme lengths criminals will go to secure crypto assets, raising concerns about the physical security aspects of digital currencies.
This case underscores the intersection of physical violence and digital security, emphasizing the need for robust protection mechanisms for crypto assets.
Vietnam has officially banned Telegram, citing concerns over subversive material and cybercrime activities.
Dmitri Alperovich [35:58]: Suggests that the ban is likely motivated by the government's desire to control information flow rather than solely focusing on criminal activities, given Vietnam's stringent content filtering policies.
Patrick Gray [35:12]: Acknowledges the dual motivations behind the ban, recognizing both the legitimate concerns over cybercrime and the broader implications for information suppression.
The ban highlights the challenges governments face in balancing security and freedom of information, especially with platforms like Telegram that facilitate both legitimate and illicit activities.
A data leak from TeleMessage, a secure messaging service, was exploited by the group DDoSecrets.
Adam Boileau [38:26]: Notes that the leaked data mainly contained phone numbers and metadata, with limited sensitive information, suggesting that the breach was mitigated quickly.
Dmitri Alperovich [39:46]: Raises broader concerns about TeleMessage’s security posture, advocating for more secure alternatives for sensitive governmental communications.
The incident serves as a reminder of the persistent vulnerabilities in secure communication platforms and the importance of rigorous security assessments.
Significant departures within CISA (Cybersecurity and Infrastructure Security Agency) and the National Security Council (NSC) were discussed.
Adam Boileau [43:06]: Highlights the concerns over the removal of seasoned leaders from CISA, potentially weakening the agency's cybersecurity capabilities amid escalating global threats.
Dmitri Alperovich [43:48]: Attributes the NSC’s staffing cuts to the incoming administration's disposition, emphasizing a shift away from a policy-focused approach to a more streamlined implementation strategy.
The leadership changes raise alarms about the resilience and effectiveness of critical national cybersecurity institutions during pivotal times.
The episode features an interview with Haroon Meer, founder of Thinkst Canary, discussing the overhype of AI in the security industry.
Haroon Meer [48:19]: Critiques the current AI boom, stating, "I question how much we understand the problems we've already started selling solutions to." He argues that many AI-driven security solutions are overpromised and underdelivered, creating market noise without delivering substantial value.
Patrick Gray [49:34]: Agrees that while AI has transformative potential, the prevalent market trend of branding products as AI-centric without meaningful innovation leads to market saturation with ineffective solutions.
Haroon Meer [52:15]: Emphasizes the importance of solving real problems over chasing AI hype, cautioning against the "hype cycle" where companies rapidly switch focus to attract investment without ensuring product efficacy.
The discussion underscores the necessity for grounded, problem-focused innovation in the security sector, warning against the pitfalls of succumbing to fleeting technological trends without substantive advancements.
Risky Business #793 delves deep into the evolving landscape of cybersecurity threats and industry dynamics. From the sophisticated tactics of Scattered Spider and the rapid evolution of phishing methods to significant breaches in the crypto space and leadership shifts within key national agencies, the episode provides a comprehensive overview of the current security challenges. The sponsor interview with Haroon Meer offers a critical perspective on the AI hype within the industry, advocating for substance over trend-driven solutions. For information security professionals, this episode serves as an essential digest of contemporary threats, responses, and industry insights.