Patrick Gray
Welcome to Risky Business. My name's Patrick Gray. We've got a great show for you today, actually. It's full of intrigue and dumb bugs and criminal activity and basically everything. It's a real mixed bag. But a very fun show coming up. So we'll be talking with Adam Boileau in just a moment, going through all of the week's security news. And then we'll be hearing from this week's sponsor, which is Okta. And this is actually a cracking sponsor interview this week, Alex Tilly, who people in Australia would remember as our friendly local Fed. He worked for a long time as an investigator for the Australian Federal Police. These days, he's in a threat intelligence role at Okta and he's got his hands on so much data there to crunch and analyze. And today we're going to be talking to him about how he's going about identifying a lot of these fake North Korean workers using intel, you know, threat intelligence from like login events and whatnot. It is a really interesting interview. I let it run a little bit long because it's just very compelling stuff and I would recommend that you stick around for that one. But let's get into the news now, Adam. And as I said, we've got a whole broad array of stuff to cover this week, but let's start with a bit of intrigue. There's a group, what are they calling themselves again?
Adam Boileau
Ares Leaks.
Patrick Gray
Ares Leaks. Yeah. So these guys, presumably guys, have just decided that they want to live dangerous lives, right? So their business is apparently offering documents stolen from various intelligence services for sale over Telegram. And they have given some pretty juicy documents to the New York Times as like a free sample and a way to advertise their service. This won't end badly for them at all.
Adam Boileau
No, not at all. Not at all. They claim to have gotten hold of some documents from the Russian FSB, the intelligence apparatus. And one of the samples that they provided to the New York Times related to the intelligence capability that Russia uses against China, to spy on WeChat conversations, which, you know, you would kind of expect Russian intelligence to be up in Chinese comms. That seems relevant to them, but yeah, this does feel like living a little bit dangerously. They won't say where they got the data from, but they also advertise to buy data from intelligence agencies. So they post on Telegram and say, hey, if you work in an Indian intelligence agency, we'd love to hear from you. And then they package it up and they sell it on, which, I mean, it's very 2025, so that's nice.
Patrick Gray
Yeah. But you do wonder if they're going to get a case of the windows, you know.
Adam Boileau
Well, yes, exactly. I mean, especially, like, selling stuff from the FSB like that.
Patrick Gray
I mean, on Telegram, which is known to cooperate with Russian intelligence services as well.
Adam Boileau
Do you want to fall out a window? Do you want to get Novichok in your underpants? Like, none of this ends well.
Patrick Gray
Yeah. Now, the New York Times can't definitively say if these documents are legit, but they have done their homework on it. They've reached out to a bunch of Western intelligence agencies, and some of them, some of their sources have said, well, you know, this seems to vibe with what we understand they're doing as well. And other people have looked at the documents and said, these look like legit, you know, Russian intelligence documents. And then, of course, the New York Times has spun out a couple of stories about the content of the documents. I think the most interesting one is about how suspicious Russia's intelligence services are of China, and really looking at Chinese efforts to steal things like military, you know, technology secrets and whatnot from Russia. They're also really trying to understand the capabilities of the Western weaponry being used in Ukraine, for obvious reasons. The WeChat stuff, though, I thought was a little bit weak because this Times piece doesn't really go into actually how they're alleging this data came to be obtained. Like, is it just from, like, malware on an endpoint? It says that there's an agreement that WeChat data is hosted in Russia for Russians, so maybe they just have legit access to that data in the first place. So I actually found that one the least compelling angle to all of the material they accessed.
Adam Boileau
Yeah, I think that it sounded more like that was tooling for processing the data. So less about access to it, but more about integrating it into the kind of intelligence pipeline. But that's the kind of stuff that is workaday at an intelligence agency, is that kind of processing.
Patrick Gray
Yeah, it's like the least exciting thing, which is they have a tool for processing dumped, like, WeChat logs. Like, who cares?
Adam Boileau
Bread and butter stuff, though, right?
Patrick Gray
Yeah, exactly. I think the thing that was interesting about that, though, is they said that quite often these Russians who have been targeted by Chinese services don't realize they're talking to Chinese spies on WeChat and whatnot. So, you know, I think these stories are worth reading. So check out this week's show notes if you would like. Meanwhile, we've got a report here that Ukraine's military intelligence folks have stolen a bunch of sensitive information from Tupolev, which makes, you know, long range strategic bombers and things like that. Although I can't say I'm impressed when they say that they got away with a whopping 4.4 gigabytes of data, because that seems like one person's mail spool kind of thing.
Adam Boileau
I mean, these days that's not an impressive amount of data, but once upon a time that would have been quite a lot. And maybe Tupolev's information systems are from the Soviet era where, you know, 4.4 gigabytes in Soviet times would be quite a lot. So, you know, there could be old file formats that are very small, I don't know. But yeah, I guess this is a hot story just because of the Ukrainians' attack on a whole bunch of Tupolev bombers with the drones that we talked about a little bit last week. So Tupolev is kind of fresh in the mind and it's a bit of a, you know, finger in the eye. Thumb in the eye.
Patrick Gray
Yeah, they defaced the website with their logo as well, but they say they've got sensitive data on like internal communications, personnel files, purchase records, notes from closed door meetings, blah, blah, blah, blah. But, you know, these drone attacks in Ukraine are ongoing too. Like, everybody was very focused on the attacks against the airfields, but they keep attacking all sorts of other stuff like munitions factories, trains. Yeah, all sorts. So that's still going. That piece was written by Daryna Antoniuk, who is based in Kiev. She's Ukrainian and based in Kyiv. And you know, I saw some very upsetting posts from her when she was hunkered down, you know, and it was raining, you know, drones and missiles on Kyiv. And Daryna, you know, we hope you're okay. And yeah, it's a horrible situation. I was very relieved. In fact, she had posted that she was scared she was going to die. So I was very relieved to see subsequent posts that she, yeah, she survived the most recent bombardment and, you know, continuing to deliver such quality work in such difficult circumstances. I think it's commendable. So good on you, Daryna. Okay, let's move on now. And we've got some work out of iVerify, who do iOS focused security stuff. They've found a bunch of artifacts on devices they've analyzed, which suggests those devices have been owned via some sort of iMessage exploit. Apple is kind of being weaselly about it. I guess the most interesting thing about this is iVerify says that some of the targets of this campaign, where they don't quite have the bug pinned down, but they're like, there's evidence of exploitation here. They were targeting the Harris-Walz campaign, which, look, honestly, those people getting quality malware and exploits dropped on them should not be at all surprising.
Adam Boileau
Yeah, I mean, they seem like pretty legitimate intelligence targets for some people. But yeah, iVerify does have kind of a unique perspective because they're one of the few companies other than Apple that gets to collect crash dumps and logs and stuff from a really quite large swathe of Apple devices. And what they've kind of pieced together here is that there are a bunch of crash dumps in a funny sort of place combined with some targeting information and whatever else. And they sort of pulled the thread a little bit. And what they've arrived at is that they think someone has been exploiting a bug that Apple patched, I think earlier this year in what, 18.3 something. And the bug appears to be in the processing of avatar updates via iMessage. So sometimes when you're using iMessage, you'll get a thing that's saying, your friend has updated their contact photo. Do you want to update it in your address book? And so that particular type of message is processing image data from this kind of contact update. And it's doing so in a way that apparently was not in the, or was able to escape the sandbox that's normally around image processing in iMessage, just because I guess it was, maybe the contacts bit works a little bit differently. Anyway, that's kind of where they were thinking. iVerify are pretty careful to say that they don't have conclusive proof. This is kind of circumstantial. And Apple says they patched a bug in this area, so the kind of dots kind of line up. But it is just, it's always interesting when you see this research from iVerify because of their, you know, parallel perspective to what Apple has.
Patrick Gray
I mean, you know, the thing they point to is really rare crash dumps. And that is the sort of thing that tends to get you snapped if you are, you know, if you've written an exploit and you're deploying it against iPhones and you generate a weird crash dump, like that bug is getting crushed. And I know that this is something that keeps people awake who develop these exploits because I've talked to them about it and they're like, you cannot generate a crash on an iPhone because then your bug is going away. So looks like, you know, that may be what has happened here. It's weird that Apple's saying nothing to see here though. You know, maybe they know something we don't.
Adam Boileau
But, you know, yeah, they must know something we don't know. There must be some other aspect that, you know, means that they're not willing to talk about it. But yeah, it's still good work and I'm glad that somebody is kind of keeping an eye on it because we do have to, because that Apple ecosystem is so closed, we have to put so much faith in Apple. So it's kind of nice to have somebody else, you know, just kind of keeping an eye and checking what they're up to.
Patrick Gray
Even though, I mean, I would argue Apple probably has the best team out there.
Adam Boileau
Yes, yes. Almost certainly has almost no visibility into what their team is doing.
Patrick Gray
No, no, I agree with you. It's like trust but verify. iVerify. There you go. Maybe that's why they named it that. But yeah, I also just want to point out too that, you know, we're just saying, like, if you're in a role like that, you are going to get targeted by high quality malware, by high quality exploits. I mean, this is why you don't discuss imminent military actions on your Signal group chat. But anyway, Suzanne Smalley over at the Record has this report. A bunch of people have reported this. Paragon, the spyware manufacturer that had already, I believe, suspended its relationship with Italy because there was an allegation that the Italian government had deployed its spyware against a journalist, has now terminated completely its contract with Italy. The interesting thing in this though is that Paragon say they had found a way that, with Italy's cooperation, they could have verified that this journalist wasn't targeted. And Italy refused to do it. Okay. Which is interesting because Italy is saying, oh no, this person wasn't targeted at all. Never happened. And then Paragon's like, well, here's a way we can check. And they're like, no, thank you. So I think that tells you all you need to know.
Adam Boileau
Well, yeah, exactly. There's sort of like a process going on in Italy at the moment where they're, you know, investigating these allegations and there's like parliamentary committees or whatever the structure is there that have been looking into it, and in this process Paragon was trying to keep their name out of the mud, I suppose. And they showed up with this offer and the, was it the Department of Information for Security, which oversees the intelligence agencies in the country, basically said like, yeah, this is a bit invasive. This is what it says: invasive practices, unverifiable in scope, results, method, and therefore not compliant with national security requirements. So we don't want to let Paragon in to go process the logs from Paragon's infrastructure or whatever bits of plumbing are around it. So, yeah, like, as you say, we can read between those lines, I guess.
Patrick Gray
I mean, look, it could be some sort of compliance issue, but either way, Paragon's made the right decision, which is, well, if you can't prove to us, to this bar, that you haven't done the bad thing that everyone's saying you're doing, well, we're just not going to do business with you. I mean, there's been the parliamentary inquiry into all of this in Italy, which says that spyware was used against sort of immigration activists who worked to save immigrants at sea. I mean, again, it's hard to know. Context is everything when you're talking about that sort of thing. Because, you know, should people be targeted for activism, being activists? Like, no. But once you start getting into the area of, like, well, who are you dealing with as part of this? And is there involvement of foreign actors and whatever? And like, are you using this to collect evidence, to press charges, or are you just trying to collect intelligence to understand if there's a nexus between these people and foreign actors who might be up to no good? Like, it all gets pretty fraught. But I think Paragon ultimately has made the right decision here.
Adam Boileau
Yeah, I mean, it's complicated because outsourcing this kind of responsibility to a private organization instead of a government, you end up with all these things, but they don't have the necessary information to make good decisions. You can't share it with them. This is sovereign state business, but they're using private sector tooling, and we can't really expect private sector companies to hold sovereign states.
Patrick Gray
But that's what happened in this time.
Adam Boileau
Other than just not selling them in the first place. Right. There's no granularity to that, I guess, is what I mean.
Patrick Gray
Well, I mean, the irony here is that in this case, it's a private sector supplier providing oversight over a government.
Adam Boileau
Yes.
Patrick Gray
Not the other way around. Right.
Adam Boileau
So it's a bit of a back to what. I mean, we can't expect them to take that role because, you know, Well.
Patrick Gray
I think we kind of are though, right? Like that is kind of how it's working out, which is that, like, if you don't want to get sanctioned and have an awful time, you kind of have to put that oversight on your customers or you're going to have a bad time.
Adam Boileau
Yeah, but I mean, that's not a, you know, if the only tool you have is to not sell your product to them in the first place or just withdraw it after the fact, you know, that's pretty blunt.
Patrick Gray
It works for me.
Adam Boileau
Fair enough. Right?
Patrick Gray
Yeah. Now look, we've got a bunch of mobile stuff to talk about this week, including this next story. Lorenzo has this one over at TechCrunch. Qualcomm has patched a bunch of bugs in its, you know, chipsets or whatnot. And these things were being exploited in the wild. And we know this thanks to some work out of Google TAG.
Adam Boileau
Yeah, these bugs all seem to be in graphics driver implementations. So it looks like one of the Google researchers either found an interesting bug or saw some crash dumps or something that led them to go have a nose around in Qualcomm's graphics plumbing, and they've got a bunch of bugs that are critical severity or related, which basically say you can go via the GPU into, I presume, code exec and the kernel memory leaks or whatever else. So that's a complicated set of attack surface in the graphics environment. And mobile devices are just as complicated as everything else these days. So good work to Google finding some cool bugs.
Patrick Gray
Yeah, I guess one of the issues with all of this though is that patching them like it's going to be up to the individual handset manufacturers because it's in Qualcomm drivers, not in Android itself. Right. So that always gets a bit, you know, that's the age old problem with Android, I guess.
Adam Boileau
Yeah, it takes a while to percolate through the ecosystem.
Patrick Gray
Now some business news, some sort of, you know, mobile exploit development business news. Corellium is being acquired by Cellebrite for 200 million bucks. Now Corellium, of course, is a company that makes like, I guess, you know, how do you even describe Corellium? It's like they offer a virtualized iOS environment that people can use that is very handy when you're doing exploit development. I mean, it does have uses outside of that as well. But I think where it's most commercially successful is as a tool used by people who are doing exploitation on iOS. They even offer like iOS over cloud. Right. It's pretty crazy. And you know, Apple even sued them trying to say that it was a copyright problem or whatever. Like, amazingly, Corellium actually won that one. We've had Chris Wade on the show before. He's the founder of Corellium, an Australian guy actually who grew up not too far from where I'm sitting. And yeah, 200 million bucks for Chris Wade and co to sell off Corellium to Cellebrite, which is, you know, I mean it seems like a logical place for Corellium to wind up.
Adam Boileau
Yeah, yeah, I think so. I mean it's, you know, it is a pretty niche tool. But so is Cellebrite. Like they've got, you know, for them being able to test their products on these kinds of virtualized devices, I mean, you know, anyone who's had to maintain a pool of test mobile devices where you've got different device configurations. In the Apple world, it's bad because there's all these devices and all these iOS versions you have to maintain. In the Android world, it's even worse because now we're dealing with, hey, I need to test a Qualcomm exploit. We need Android, all the versions, but we also need all the different like Qualcomm chipsets and other vendors' modem chipsets and like it gets, you know, that's a hard problem to solve. And having it virtualized in the cloud environment, like super handy for a researcher. So I can totally see why, you know, Cellebrite's nerds would be like, hey, that would be super handy to have in the lab.
Patrick Gray
Yeah, but I mean they bought the company, not just the product. Right. So I don't think it's just going to be a case where they'll take it for in house use and no one else will be able to use it. I think it's just going to be one of their products. I mean this whole deal is subject to CFIUS review, but I don't think there's going to be any dramas there. But yeah, they do cover Android as well. I mean it is, it's exactly what you say. And even companies that have to manage, you know, an app that winds up on a really large array of devices and they have to work, you know, it's very useful technology for them. But yeah, I just think it's crazy to see that, you know, you had this company that Apple were really trying to shut down and you know, they managed to actually get through that unscathed after appeals, everything, and sold the company for 200 million bucks. So congratulations to them. Now we got this one from 404 Media about Apple giving up push notifications to people. Right. So governments are requesting information on push notifications. I feel like the story here, not intentionally, but is a little bit misleading because it says push notification data can sometimes include the unencrypted content of notifications. And there have been requests from the US, UK, Germany and Israel. I mean sure you might get some unencrypted data in a push notification, you know, if you've given Apple a warrant, but that's not going to be like an E2E messaging app, like you know, Signal or WhatsApp. This is going to be much more boring stuff than that.
Adam Boileau
Yeah, yeah. There's basically two patterns by which people use these messaging push notifications. So apps kind of register with Apple to get an identifier to deliver a message to their particular user in their app context. And then when the back end system wants to send a message, you know, it forms a message, sends it to Apple's endpoint with that particular token and that causes it to be routed out to the user. And those messages can either be here is a message, here's what the pop-up is going to display, the icon, the type and the message, or it can just be a go wake this application up and tell it that there's something for it to do. And in most cases where you're handling sensitive content like Signal, that's what they're using. They're just getting, Signal gets a message saying hey, something's happened, go poll the server and get what you need. And those are not displayed to the user, those are just internal app things. And then the app can generate its own pop-up message to alert the user once it's gone and got the relevant context. So most of the time you're going to be seeing really boring content in your push notifications. It's going to be the lights at your Apple Home got set to 40% or whatever.
Patrick Gray
Your car is fully charged if you have an EV. Yeah.
Adam Boileau
So like the metadata aspect of it, like if you're doing, if you're looking at metadata for timing and saying like hey, there's a notification going to a crypto wallet app about the time we saw some crypto get stolen, that might be a useful correlation point.
Patrick Gray
But well, and even just message timing back and forth and whatever, like there's plenty of useful stuff. So I think it's not at all surprising really that we're seeing this sort of data.
Adam Boileau
No, it's a natural thing that, you know, law enforcement can get a warrant to go get from Apple and, you know, the list of things you can get out of them is not super huge.
Patrick Gray
Yeah, I think we had another one from 404 that I don't believe made it to the final run sheet, but it was about how airlines were selling like passenger manifest information to the U.S. government. And it's funny, right? Because you and I both agreed that this is like a story for 404 but like if the government didn't have access to that information, it would be a story for the Washington Post. Like that would be the scandal if the government didn't know who was flying around on planes all the time. It's all in the eye of the beholder, I guess. What else have we got here? We've got some research again, 404. Joseph Cox was the first one to have this. It's research by a guy who's figured out how to brute force the phone number out of like a Google account, which would be very, very useful in the context of doing things like SIM swapping attacks and whatever. Google shouldn't be coughing up that information. I believe they've now fixed this issue.
Adam Boileau
Yeah, it was some interesting research. The person who found this basically chained together a couple of things. The core guts of it is they can turn a Google account into a full name and a phone number, which, that's hella useful. And there's a couple of tricks. The phone number was a case of brute forcing it out of the password reset flow using the non-JavaScript version. So like Google has an old legacy version of the password reset flow that doesn't use JavaScript, and the kind of anti-bot scraping protection stuff was tied to a JavaScript proof of work process, and then if you hit it in the non-JavaScript way, you would get a captcha. And that was kind of how that control was meant to work. But this guy figured out that you could take the proof of work that you did in the JavaScript version of the thing and submit that to the non-JavaScript version's endpoint and it would be like, oh, okay, so I don't need to captcha them. And at that point now he can brute force phone numbers, and then combined with getting a username out of some other, like some obscure Google app that no one's ever heard of, would cough up a full name in a particular case. So he was able to kind of join the dots and turn this into something. Google ended up giving I think $5,000 as a bug bounty, which yeah, seems fair.
Patrick Gray
It seems a little stingy to me, man, if I'm honest. Like, OK, it's not worth 100k but 5, really?
Adam Boileau
I mean they originally gave him $1,337 and he went back and had a sook.
Patrick Gray
Okay, yeah, yeah, good. Well, I'm glad he did that because yeah, 1337 is an insult, I think. Another one from Daryna over at the Record and this one's interesting, right, because Lumma Stealer, or Luma Stealer, whatever you want to call it. This was one of those botnets that was taken down recently. Was like an infostealer botnet. And what was really interesting is Catalin wrote that up in his newsletter for us, Risky Business News, which if you're not subscribed, head over to Risky Biz and subscribe to that. We also do a three times weekly news bulletin based on his newsletter in the Risky Bulletin podcast feed. But he wrote that basically this meant Lumma Stealer were done. Right. Like even if they were going to try to recover, people were going to move on. What was interesting is I had someone from the CTI world reach out and say, look, that was a really good write up but they're trying to bring it back online now and you know, they might succeed. And Catalin in our internal chats just said, no way man, they're finished. And it looks like this Acreed infostealer is really taking over market share from where Lumma Stealer used to be. So I think as usual, Catalin, the final boss of like macro threat intel, appears to have been right on this one.
Adam Boileau
That guy just huffs so much infosec news all day, every day that yeah, he just kind of gets it. So it's a dog eat dog world over there in Russian cybercrime. So it makes sense that, you know, there's someone waiting in the wings to take over.
Patrick Gray
Yeah, I mean it's a, you can sort of cut the news two ways, can't you? You can say, well, the bad news here is that the, you know, that people have access to other info stealers. But the good news here is the disruption appeared to stick.
Adam Boileau
Yes.
Patrick Gray
You know, and it's just, I think really the success of all of these recent law enforcement actions, they can't be a point in time exercise. They can't be, you know, they always say, oh, it's operation, you know, whatever. You can't just have a single operation. And it's great to take down all these services at once, there will be an impact, but all of this stuff has got to be rolling. You've got to have a process for it. It's got to be happening all the time. Right? So, okay, Acreed has taken over. Hit them, you know, hit them soon, you know, don't turn it into the next 18 month operation. But, you know, I think we're away from that. But definitely things are moving in the right direction, as evidenced by this story from Jonathan Greig over at the Record as well, which is the darknet forum BidenCash has been taken down by the Americans and the Dutch.
Adam Boileau
Yeah, the Dutch always do seem to be the ones that come out swinging against this stuff there. They seem to be involved in basically every one of these that we report on. But yeah, they just keep knocking them down. And BidenCash was just funny because of the branding. I mean, they, I don't know, there's just something funny about Joe Biden's face in the login screen of very nice.
Patrick Gray
Very nice photos too.
Adam Boileau
Yeah, I mean, they're good photos.
Patrick Gray
So, like looking very handsome in the way that US politicians can, you know.
Adam Boileau
Yes, yeah, exactly. Yeah, yeah. But yeah, you know, this kind of run of the mill cybercriming kind of stuff. But it's just fun.
Patrick Gray
Yeah, exactly. All right, so Alexander Martin again at the Record has reported that the national health system in the UK has issued a call out for more people to donate blood. They say they need 1 million blood donors because at the moment their stocks are not doing so well. They particularly need O-type blood and this is because of that ransomware attack. I think it was against that pathology place. We spoke about that like maybe last year. And so it's got real bad. Like this disruption due to a cyber attack has led to shortages in national blood stocks. So I mean, this is just one of those stories you talk about because it's a, you know, it's a sign of, yeah, the dystopian hell we live in.
Adam Boileau
Right, yeah, yeah, it is. I think in this case they, because the pathology system was grinding under the load and with all of the other things that were going on with it, they were forced to use more generic O-type blood because they weren't getting results for tests back from people fast enough to then use more specific blood types that they had available. So that's kind of the mechanism of this. And so now they've diminished their stocks of generic blood and they need to replenish that because that's the stuff you need in a real emergency when you don't have information, you don't have time to do tests and get something more specific. So yeah, I guess if you are an O-type blood person in the UK then this is a time for you to go do your duty and provide some juice.
Patrick Gray
Yeah, I mean it's important stuff, right? So if you are a listener in the UK and you can find a way to give blood, we would hope that you would do that. Yet one more from the Record. They are covering this ransomware incident targeting United Natural Foods. So they've issued a statement, they filed documents with the SEC. The attack apparently began on June 5th and it is disrupting their ability to fulfill customer orders. Now the reason this is news is because they are a massive distributor of foods in the United States.
Adam Boileau
Yeah, I think Catalin had some details that said like this was the biggest distributor.
Patrick Gray
Yeah, I saw you fact checking him in Slack this morning. You're like, are you sure? And he's like, here you go.
Adam Boileau
Yeah, yeah, he pointed me at some links. But yeah, they provide most of the distribution for Whole Foods, which is a very big chain in the US, and a bunch of other things. It does sound like they are still managing to do some of the deliveries and they're kind of prioritizing. But this is, you know, like what was it, $8 billion last quarter. These are, you know, $30 billion a year food distribution businesses. So that's pretty serious stuff. And this can turn, like there could be long tails to disruptions to this kind of ecosystem. Much like with the blood system we were just talking about. So messy, very messy.
Patrick Gray
Yeah, yeah. I mean when you get a disruption to like a major component of your food supply, like what does that do for farmers? What does it do for supermarket earnings? Like, you know, there's just all sorts of stuff that can go sideways. You know, it's interesting that this one, well, I guess it's only just recently kicked off as a public incident, but you know, I mean this would have been sort of more front page news five years ago. It's amazing how tolerated this sort of stuff is now. You know, I would hope that there's a windowless basement somewhere where people are cooking up a response. I would think that if anything hits the threshold, this would be it.
Adam Boileau
Yeah, I mean you'd certainly hope so. I remember when we saw, what was it, JBS Meats a few years back and we were covering that and that was, you know, getting quite a bit of mainstream press coverage as well as in the meat press. So yeah, you would hope that.
Patrick Gray
Well, I think the thing that'll move the needle on press coverage is if people go to Whole Foods and they can't buy their potatoes or whatever. Like that's when you, you know, that's when it starts kicking off.
Adam Boileau
But yeah, the windowless basement people, I'm sure, you know, hopefully they are thinking about, you know, where their hound's at.
Patrick Gray
Yeah. There's also been an attack against a company in Ohio called Kettering Health. This disrupted their operations. Looks like they're all back up and running now though.
Adam Boileau
Yes. Yeah, there was a small, what was it, 14 medical centers and care facilities in Ohio.
Patrick Gray
So yeah, we don't have it in the run sheet or in the show notes, but I think Marks and Spencer are mostly back online now, which is about time. Right. But geez, what an incident that was.
Adam Boileau
Yeah, I think they've got like some online ordering is back. So not all of the services you can't like click and collect yet, but there are some aspects of it. So that's, you know, it's taken a while to claw their way back and they've still got a way to go.
Patrick Gray
Yeah, well, when you've got to rebuild your whole environment, like while you're being attacked, it does tend to take some time. Right. So yeah, now we're going to talk about. Look, I actually think this is one of the most interesting stories of the week. And you're like, when we've talked about this previously, you're like, oh, well, it's dumb, but it works. I don't think it's dumb. I think this is the sort of thing we're going to see an awful lot more of. And that is hackers using voice phishing or social engineering. Really. Let's not call it voice phishing. Let's just call it social engineering to trick people into authorizing a malicious app into their Salesforce tenant and like connecting an app into their Salesforce tenant that allows them to siphon off the data. Now the reason I find this such an interesting story is because I don't really know how you would go about addressing this threat beyond making sure that the only people who are authorized to make those app authorizations really understand what they're doing. And that is not going to be possible everywhere. So, you know, on one hand, oh, okay. It's a bit of a dumb attack. Well, kinda. But it really does exploit, you know, it requires knowledge of Salesforce, how it works, how these app authorizations work. And you know, Salesforce are doing the typical thing of like, well, there's no vulnerability in Salesforce. It's like, no, this is more of a, like, your architecture allows this to happen kind of issue. I mean, walk us through this one, man. Because like, this tale, this goes back to, I think, stuff that was first highlighted by Salesforce back in March, but now Google, I think it's TAG again, isn't it?
Adam Boileau
I think so, yes.
Patrick Gray
Yeah. So Google is actually sounding the alarm on this because they're starting to see it. So, yeah, walk us through exactly what's happening here.
Adam Boileau
Yeah, so the deal here is that essentially people are social engineering you to authorize an app into your Salesforce. But why this is really clever is. And like, you know, your point, like this isn't. It's dumb technically, but it's also really clever. Right. And then the clever part is that we have mechanisms to address credential theft now. We have things that deal with multifactor auth. Ultimately it is about preventing credential theft from being useful. And phishing for code exec is kind of much harder than it used to be. All of the software as a service apps have a bunch of other protections around it, but that kind of whole, how do we share data between applications, how do we authorize stuff, things like OAuth app permissions and so on. That's the bit that is taking over from this. And so this is targeting that authorization process with basically cloned copies of Salesforce's real apps. So, like things that you'd use for integration and calling via Salesforce APIs. So attackers will take one of those, modify it to be able to do other things, that is extract data in bulk, whatever, and then get that authorization process through the regular flow just to a different app or a different endpoint or whatever else that the attacker is running. And to someone who is being socialed, computers are mysterious enough to start with, but most people understand username and password and they can recognize that giving someone my password is going to do a bad thing. And I shouldn't do that. Or I should at least be aware that something can happen to me. But something like OAuth app authorizations or whatever are so opaque to most people, and they're opaque to us. Like we work and report in this field. And like, I was using Google Cloud stuff the other day and I had to click through some authorization stuff into our corpo G Suite, and it's like I'm gonna just click yes because I don't understand what it's asking me, right? And I'm an expert in this.
And if you socialed like that, it would hella work because cloud stuff moves so quickly, it's so opaque, there's no way to inspect it. If you showed up and asked a Windows user, can I apply this particular NTFS file permission mask or whatever, you have no idea what it meant. And we're in the same world now, except that it's all software as a service, so we can't see the insides.
Patrick Gray
Yeah, I mean, I think so. You know, I do, I work with Push Security as an advisor and they've been saying some interesting stuff like about how, you know, attackers are going after like OAuth grants, like not through your primary IDP. So and this is a perfect example of that, right? So you might log into Salesforce through some OAuth grant or SSO process, but then you're doing a separate authorization which isn't tied back to your primary like IDP account at all. So the only way you're going to be able to address this, I think, and I don't know that Push, I mean, like maybe they do, they'll ring me up and yell at me if I get this wrong, but I don't think they've got anything at the moment that would defeat this in particular. I think it would be easy enough for them to do something here. But then you've got to look at like, well, where does the intelligence come from that can let you know if this app someone is trying to authorize into a Salesforce tenant is okay. Right. And we've got other issues that are very similar to this. It's all browser stuff, right. So you look at the issue of Chrome extensions a while back. A while back we chatted about some work by a guy called John Tuckner who runs a company, small company called Secure Annex, and they do sort of threat intel, I guess you would call it, on Chrome extensions or browser extensions generally and other extensions in the developer world and whatnot. And it's really interesting because what they can do is look at, well, has the ownership changed of this app that you're using? Is this one known bad? Is it using weird code? Like they can do some sort of analysis of them and they're getting some pretty high fidelity and reliable data. But then, okay, what do you then do with that information? Right, so if you've got a situation where you're allow listing apps, like you could use that information to figure out when one of them has turned.
But like in terms of like if you want anything at all sort of open and permissive. At what level do you start instrumenting that? Yeah, you know, and it gets really hard. So again, I find this an interesting story because like we don't quite have a standard agreed upon approach yet for dealing with this. You need something that can do the control of the OAuth event. You need something that can block it, but you also need the intelligence to let you know when you should block it. And we don't really have either of those things just yet.
Adam Boileau
Yeah. And also in the case of SaaS, vendors like Salesforce, we also need basically their cooperation, like they need to care about, explain document, monitor, alert on all these kinds of events inside their apps. We are used to layering controls around the outside. We have things like OAuth that standardize some aspects of that process. But like this bit might not even be OAuth. Like it may be some Salesforce internal business that someone like Push is never going to know about until they've got customers that particularly demand it. And then at that point you are distributing the effort required to implement these controls across hundreds of apps.
Patrick Gray
I mean, well, I mean, yes and no. I mean, so much of this stuff, you know, if you take the top hundred, right, whether it's GitHub, Snowflake, Salesforce, right. Like you can, you can cover most bases there. But as you said, this might not actually be OAuth. I mean, I've been talking about it as being an OAuth grant. It might not actually be OAuth. It might be some sort of other authorization process. But the point is, even if you're in a position to instrument that and block it, how do you know what to block?
Adam Boileau
On what basis are you going to make a choice? And then if you're going to have to ask the user, is this what you meant right now? They were involved in that. This is the consequence of fixing passwords, of making phishing resistant auth standard kind of thing, of us moving to YubiKeys and FIDO tokens and passkeys and so on. If we make stealing auth difficult, do attackers stop? Especially ones that are like, I think this is the Com-esque group.
Patrick Gray
Yes.
Adam Boileau
Like people who are pragmatic and kind of don't care about our infosec, you know, our poor infosec people having to do this the right way or the cool hacker way from the 90s. This is people who just want to get it done and they'll do what it takes. And hey, if you can't steal passwords, why not steal authorizations or integrations or API tokens or whatever else you can get.
Patrick Gray
Yeah, and I will say too, I think what John Tuckner's doing on the sort of browser extension side over at Secure Annex, I think it's really cool. I wish him all the best with that. I mean, I think it's interesting that he seems to be taking this sort of intelligence approach, which means that if you're a vendor which is in a position to do stuff around extensions, you can take that data and do stuff with it. I think mostly what their customers, early customers, it's early days. Mostly what they're doing is just like, we use these apps, keep an eye on them. That seems to be the early business case there. But I think we need more thinking like that. So I think it's very cool. But we spoke about attributions and threat intel and whatnot last week. I just want to read you a paragraph from this Cybersecurity Dive report by David Jones about all of this, which says: Larson said there are broad overlaps between the Salesforce hackers and an underground collective known as the Com, which includes the notorious cybercrime gang dubbed Scattered Spider. Larson cautioned, however, that the threat actor involved in the Salesforce attacks is a distinct group from the threat group tracked as UNC3944, which overlaps with a subset of Scattered Spider activity. Well, I'm glad we cleared that up. So it's. Look, as I've always said about the Com stuff, Scattered Spider, Lapsus$. It's not a group, it's a vibe.
Adam Boileau
Yeah, exactly. It's a feeling.
Patrick Gray
It's a feeling. It's a vibe. All right. So yeah, we've linked through to the report on Cybersecurity Dive and also the March post from Salesforce about all of that. Now another bit of interesting technical work from Shubham Shah, who is a terrific Australian hacker and the co-founder of Assetnote. He's built a tool that allows you to inspect the Internet from the IP ranges of, you know, cloud computing environments and CDNs and whatnot that are typically trusted in ways that they just shouldn't be. So why don't you give the background on why this is interesting?
Adam Boileau
Yeah, so there's a lot of places where in the old days we relied on origin network or source network addresses to kind of make access control decisions. And then as things became a bit more fluid and people started pushing stuff up into the cloud, a lot of times we kept those traditional controls, but now we're using them from an environment where we don't strictly control the origin networks anymore. Those origin networks are now operated by Google or Amazon or Microsoft or whoever else. And you can just go buy access into those environments. And so a lot of people have ended up with access control rules or policies where they've just opened it up to a whole swathe of the network. And also understanding how big those ranges are, where you're going to be coming from, if they're dynamic, it's all kind of complicated. So a lot of people just let stuff in. And so if you pop up in one of those environments, sometimes you'll get elevated access. And Shubs' tool, you basically give it: here's a list of URLs I care about, here's a service that I'd like you to check from. And it will just go spin up connections through EC2 instances or through Amazon's other APIs or through Azure Functions or whatever else.
Patrick Gray
And from different regions as well.
Adam Boileau
From different regions, from different locations, like near your target, far away from your target, and just try and find some combination that gets you something that you didn't expect. Which. Yeah, it's the sort of very pragmatic hacking that we expect from that crew, from Shubs and pals.
Patrick Gray
Yeah, I mean, I think it's. I thought it was really cool. I messaged him, I said, this is really cool, man, I dig it. I mean, he points out that GitLab's official advice is to whitelist the entire GCP region that their shared runners are in.
Adam Boileau
Yes, right. Exactly. Right. Yeah.
Patrick Gray
You know, come on. So I guess what he's getting at is, you know, you might find, you might discover through whatever process, a domain name that for some reason, whatever it is, you can't hit it, you know, but then you throw that into. Yeah, as you said, into this tool and you might say, oh, look, I can reach it from AWS east or whatever. And then, you know, it's party time. I mean, tricks like these we've also seen being used to discover the origins. I mean, similar techniques, I guess, used to discover the origins of things that are behind CDNs and whatever. But you know, you might even find access to different services based on this. Right. So you might not be able to hit SSH from the raw Internet, but you can from a GCP IP range. Right? You're going to see stuff like that.
Adam Boileau
Yeah. Oh, yeah, absolutely. Yeah. And you will find treasure. I mean, I, you know, I know from my pen testing days, you know, sometimes just popping out of Amazon or popping out of, you know, a cloud provider somewhere else, you get treasure. You do, you find joy.
Patrick Gray
Now, speaking of treasure, let's talk about Ross Ulbricht. Because he has received a mysterious $31 million donation from someone who's linked to a different underground marketplace on the Internet. And the whole thing is extremely suspicious. People are saying, well, it just might be someone who made a lot of money out of doing online crime who considered him an inspiration. I mean, it could also be that he gave someone 300 bitcoins to hold for him and he's getting repaid now that he's out of prison. So, I mean, it feels like a little bit escrow servicey.
Adam Boileau
It does. A little bit, yes. Like a debt coming back. And, you know, I guess having been in jail for all this time, you know, that enforced hodling, if it was a debt that's being repaid, has done quite handsomely for him. $30 million worth of bitcoin, like, that's. Yeah, nothing to be sneezed at. Donated to his, you know, to his funds by mysterious persons. That, I think, was it Chainalysis did the work to kind of dig through the various mixers and tumblers and other, you know, kind of exchanges that it had been through and pointed the finger back to someone who was selling on AlphaBay.
Patrick Gray
Yeah.
Adam Boileau
Way back in the early 2000-teens.
Patrick Gray
Yes. I mean, that amount of bitcoin when Ulbricht was busted wasn't actually worth all of that much, which is why it feels like, here, hold these three. But I mean, I'm just speculating. I've got no idea. You know, it could entirely just be a donation. But there you go, from prison to pardon to, you know, presumably life of luxury. Now, I would say, though, that if this were to occur in Australia, and I'm not sure what the laws are like in the United States on this, given these funds are linked to criminal activity, like they'd just be seized by the government. They would say these are proceeds of crime legislation. You know, there's proceeds of crime legislation here, which would mean yoink, basically.
Adam Boileau
Exactly. Like, you clearly did not do the work to earn this money in a sensible way. We can't point out. Exactly.
Patrick Gray
But sorry, pal, you can't keep it. Yeah, I mean, they do that all the time. Like they roll up on a bunch of, you know, bikers or whatever and just say, that's a nice Bentley there, pal. How did you buy it? Bring the tow truck. Now, look, we're going to end with just a funny story, I think, which is an Australian Navy ship managed to like DOS radio comms in a fairly large area of your country the other day, Adam.
Adam Boileau
Yes. So I think it was like quite a big ship in the Australian Navy, was actually still out in international waters, had its radar on, and a number of kind of regional wireless Internet providers that use the 5 GHz band had their, you know, all of their services disrupted by this radar. And there was a lot of whinging and blaming the Australians for being irresponsible. Like someone said, oh, the Australians never leave port, so they didn't know that they were supposed to turn it off when they're near land or something. But the actual, the kind of reality of this here is that these are ISPs using dirty bands that are meant for radar use. And in order to have like the license for using the spectrum, the spectrum range in New Zealand basically means if a radar wants to use your bands, you have to GTFO the band and you have to use. They call it DFS, Dynamic Frequency something-something, which basically you just have to shut up and change frequency when you see a radar. And of course, the Australian radar was bigger than all of the available frequencies. And so these wireless ISPs basically just had to shut down and wait. And if they wanted that to not happen, they could have paid the $150 a year for an actual allocated spectrum license where the radar wouldn't stomp on them. So there was a lot of QQ from the wireless providers in question.
Patrick Gray
That's funny, right?
Adam Boileau
Ultimately, the Australians just said, oh, sorry and turned the radar off.
Patrick Gray
It's funny because this is like perfectly encapsulates the Australia, New Zealand relationship, which is family, you know, we're family. We're right next to each other down in this sort of isolated part of the. We love each other deeply, but we, we love to scrap, you know.
Adam Boileau
Yes, we do, and blame each other for this kind of shenanigans. And I'm sure when a New Zealand ship visits Australia sometime we'll just leave our radar on, assuming that we can afford the, you know, the wattage, we probably can't afford the fuel to run.
Patrick Gray
The radar, but you're building a ship, you're building a ship. When does it launch?
Adam Boileau
I mean, after that one sunk on the reef and wherever it was that it was meant to be surveying a reef and it's sailed into the reef and then you did have a ship. Yeah, we did have a ship, yeah.
Patrick Gray
Anyway, we're gonna wrap it up there. Love you Kiwis, by the way. Fantastic. Well, we do, you know, and I will just say too, it's been like, I still hang around a bit on X and what's been really weird is watching the American right posting a lot of videos of, like, Kiwis doing the haka and, like, sort of ridiculing it and whatever. And I just say, like, you know, that pisses me off as an Australian, like, to a very high degree. I just think, you know, leave them alone. Which is also part of the, I guess the relationship, isn't it? Which is like being mean to Kiwis is our job and we don't do it like that. That is too far. Don't. Don't do that. But, yeah, big love to all the Kiwis. And sorry, we DoSed your wireless Internet with our navy. That's it for this week's show. Adam, thank you very much for joining me. It was great to chat and, yeah, we'll do it all again next week.
Adam Boileau
You're very welcome, Pat, talk to you then.
Patrick Gray
That was Adam Boileau there with a check of the week's security news. Now it is time for this week's sponsor interview and we're chatting with Alex Tilly, who these days works in a threat intelligence role at Okta. But some listeners might remember Alex from his time at the Australian Federal Police, where he worked as an investigator for many years and was a regular fixture around the security and hacker cons in Australia and New Zealand. And, yeah, a friend of mine as well, who I haven't spoken to in a few years. So it was really good to be able to do this interview. So, yeah, as I mentioned, Alex has a background as an investigator. So when he took this job with Okta, it meant that he was able to access all sorts of data around identity events and, you know, with the remit of, like, well, what can we investigate here? What can we find? He's been spending a bunch of time looking at what North Koreans are doing in terms of these fake IT worker scams. So both from the perspective of them putting out job ads that they want people to apply to so they can drop malware on them. Also from the perspective of just getting in there, getting salaries and also getting in there and dropping malware and on and on and on. So, yeah, Alex joined me for this interview that I let run a little long because I thought it was very, very interesting, where he talks about all of his work analyzing, you know, Okta data to tie together what these North Korean operations look like. Enjoy.
Alex Tilly
From the research, there's three different angles that I'm really looking at here. One is you've got North Koreans applying for jobs at legitimate companies. So they just search for remote full stack developer job and then probably spam applications. That is sort of brought up with the second model of it, which is they're hosting fake job ads and they're generating these opportunities that don't exist, jobs that don't exist, to draw in legitimate applications to then understand, okay, well, what does a good CV look like for a full stack developer? What does a good CV look like for someone with this many years of experience? What sort of school should I have gone to? These types of things, to build that quorum of knowledge and to who they're supposed to be when they become the job applicant. And then there's the third point of view, which is. Sorry, there's the third angle on this, which is the whole get people to apply for jobs and then deploy malware on their machines to also conduct reconnaissance. Like it's full-featured RATs that they deploy to then, you know, harvest either, you know, what does their development system look like on their laptop, what sort of tooling are they using or anything that they can do to make their own personas look more legitimate and get past those instant sort of allow or deny gates on these applications.
Patrick Gray
Yeah, there's that whole, oh, if you want this development job, you got to download this image and do the coding challenge. And it's just, you know, a giant blob of malware and whatever.
Alex Tilly
Yeah, go to git and it's got a little bit of, you know, a little 5k of obfuscated JavaScript goodness added into the end of it and off you go.
Patrick Gray
Yeah. So, you know, you're looking at this. I mean, you're working at Okta, obviously, and you know, how do you then when your main source of data is like login events and identity events like that, like, how do you begin to start tracking all of this behavior? Like, how were you able to tie this together and actually draw some insights out?
Alex Tilly
A lot of times it's around talking to customers and saying, hi, we've seen some accounts being used. We're trying to figure out what it is they're up to. And obviously most of these customers won't tell us this individual is doing this, but it very much is because of privacy information. Of course, no one's sure that these accounts are North Koreans at that point. It's about, does this look strange to you. And they'll say, yeah, it looks strange. That person was looking at job ads or that person was generating CVs, et cetera, like that. And with that, and then the subsequent login events that we see from other customers, we can build a picture of their whole toolkit. What are the services that they're using to generate these identities to make them look more attractive, to look more legitimate, to then go forth and apply for jobs, to then get employment? So it's around sort of doing that homework piece in the back end. So it's not just about that spam CV to a job ad somewhere. It's about this whole back end infrastructure of tradecraft being set up to make sure that that spam CV looks good and will get them past that first line.
Patrick Gray
So, you know, you talked about going to a customer and saying, hey, this identity, we think it might be up to no good. How are you actually, you know, landing on that detection in the first place? How are you actually getting this preliminary list of like, shady identities?
Alex Tilly
It's generated through a lot of different reasons, through a lot of different methods, really. It's around sometimes people say, hey, I've identified this account as being probable DPRK. And we have a look at it for them and we say, okay, well, there's a really base level of about five or six different services that a lot of these individuals will use to start with. And I can identify those five or six services and say, yes, if it's an account using, let's say, this particular VPN provider, someone who knows has identified it as being probable DPRK. And I can see it using one of these commonly used services over time. And then I can pivot off that and say, okay, well, what other IPs were they using? What are, basically, you know, investigation?
Patrick Gray
Yeah, yeah, yeah, yeah. So you can say, we think this one's suss because it's doing all of the things that we normally associate with DPRK-like behavior. What else have you got on this identity? And then away you go. So, you know, you mentioned the three, you know, angles to all of this. What have you been able to learn through doing this research? It's funny, actually. I spoke to your colleague, Brett Winterford, about, you know, you coming in to do this interview, and he told me that when you came on board at Okta, you were just like, oh my God, data. So much data. But what have you been able to learn from all of this, you know, Okta data in terms of, like, how these schemes are operating and, you know, also where the vulnerable points might be.
Alex Tilly
Yeah, it really is, has been really fascinating to me to learn and see them using this back end, almost like a development lifecycle, to really get these applications through all the ringers and jump through all the hoops that we as hiring companies may put them through, to make sure that their applications look the best and have the most chances of success. They know which HR systems have what sort of scoring, they know what a good CV looks like. They know sometimes what VPN service to not use because it's been publicized which ones they do use. So they sort of move away from those VPN services. Just like in, you know, the olden days of publications of where botnets sit and do their bulletproof hosting, they tended to migrate away from that. Similar in this case. And then through using all these different systems around webcam identification. Like if I conduct an interview with an AI that's tuned to look for webcam fakes or webcam filters, etc., will I get passed? Will I get detected by these systems? And when I look at these customers and say, okay, well, here's a probable DPRK email address or identity using this particular service that advertises that they detect deepfakes or they detect fake webcam filters and overlays, etc. That to me shows that they are using those systems to try and say, okay, well, will I get picked up? Will I get past that step? And it's all about just advancing that one step after another to try and get closer to an individual for an interview, to try and keep a job for a few months.
Patrick Gray
Yeah, I mean, what I find fascinating about this, right, is that you've got a situation where you can track a single identity going to all of these different touch points and you can infer, you know, you told me earlier, you can infer from like how much time they spend where like kind of what they're doing and what the life cycle is of establishing these identities. What I don't quite understand is why they're using the same identities to do all of these different things in the touchpoint to like do all of this research. And I'm guessing it's gotta be just kind of laziness.
Alex Tilly
It does appear that some people have a certain way that they like to do business. And some of the facilitators like to just use one or two different email accounts as their, you know, account to sign up for all these services, to try them, to then, you know, use them until they get burned or get, you know, turned off or stop working. It does just seem to be, this is how I do my job. The interesting part about it though is that the reverse is also true. When I look at some of these identities and what they're doing, there's a lot of discipline there. And by that I mean they're only really using either job related stuff or actual work connection sort of stuff that we sort of see through customers or whatever. But we're not seeing them doing a lot of just personal browsing or at least connecting to services that we have a touch point on. So very, very much is like the actual workers themselves are sticking to that particular path of only using those accounts for work purposes. Which is interesting.
Patrick Gray
Yeah. So there's, there's some segregation there which enables you, which will stop you from being able to pin down their real identities and correlating that to their work identities. But you can still track their work identities across a lot, a large number of different services.
Alex Tilly
Exactly. And understand what they're doing over time.
Patrick Gray
So the question becomes like, what do we do with all of this information? Now that you've built a bit of a sort of, you know, pattern for these types of, look, I'm guessing you are able now to run some sort of batch, you know, threat hunting and just, you know, run some custom queries against Okta data and a whole bunch of these identities fall out. I mean, is that what you're doing? And then from there what do you do with that?
Alex Tilly
Yeah, definitely working in the direction of making it much more automated. It's really much about trying to understand, as again they shift their tradecraft over time, trying to make sure that we keep up with what are the new customers that they're using, where are they moving to now, so we can make sure that we understand what they're doing right now. A lot of that is historical. Looking to sort of see, okay, well, you might pick up an identity a month later. You know, someone might say, hey, we just sacked this person for being a potential DPRK worker. And then I can look back historically and say, okay, what were they doing? So it's a little bit historical in that respect, to sort of try and get that fingerprint of what they were doing and then understand what we can do with that going forward to look for that. So things like keeping quorums of email addresses, that sort of stuff, are definitely useful for future proofing because they do, as we've discussed, tend to use similar email addresses for quite a little while. So that's definitely useful for sure.
Patrick Gray
Yeah. So I'm guessing from an Okta perspective the priority is to be able to, where possible be able to flag to customers, hey, we think this identity that's interacting with you is probably a North Korean, you know, fake worker. And you know, I'd imagine you would want to, you know, squash those identities and then, and then just to be able to detect and notify. Is that kind of the thing? I'd imagine you'd be passing some of this stuff to law enforcement as well.
Alex Tilly
Definitely part of it. Definitely trying to work down, down those paths to try and get some sort of remediation done. But a lot of the what I'm doing now is understanding that this is not just a high tech industry thing, this is not just like a FAANG thing shall we say? This is all verticals. And that's the interesting part about what's falling out of the research is that when we actually see them logging into, let's say a client that I've successfully got a job with and we look back and say okay, well what was that procedure seller company advertising for? We're seeing manufacturing, we're seeing healthcare, we're seeing all kinds of different verticals or advertising for full stack developers. People seem to think this is like a large tech problem but it's not. It's any vertical that's advertising for these people is getting these applications and probably is going to at least interview one or two of these people. So it's about getting that information out there to people saying hey, hiring managers, you need to be aware that if something looks funny and smells funny it could be worth looking into. And that's a really big part of it. People seem to think that that's just the high end of town's problem. Yeah, but it really is individual small organizations' problem. That's sort of why, you know me, I like to tell people what to worry about. In this case it's sort of like yeah, if you're advertising for these remote developer jobs, doesn't matter what size your organization is, you need to be aware of this particular problem because it's probably going to get worse because they seem to be having some success.
Patrick Gray
Yeah, I mean look, as best I can tell, the MO seems to be raise money for the motherland. Quite often they'll just take the jobs half-assed, only do a few hours a week work and they've probably got five or 10 jobs on the go at once and it's just about raising revenue. Then they might, you know, drop some shells, get some persistence, see if there's anything else they can do there. I mean, I'm wondering if ransomware is going to feature more heavily in all of this in the future. And of course, if they land somewhere that's at all adjacent to cryptocurrency, they're going to try to pivot into, into theft. But when it comes to these businesses that you've just been talking about, like, you know, not exactly ma and pa, but like SMEs, I mean, what, what's the actionable advice you can give them that will really help them to defeat this? Because I guess ultimately what it comes down to is just really carefully vetting remote hires, trusting your gut and then monitoring them once they've started.
Alex Tilly
That's the key point. Right? And that's probably one of the key parts of this, is it's about vetting up front, understanding, okay, are there any red flags we've got to look for? Is there anything that's pinging straight away saying, this is weird, but it's also about, okay, a month down the track, is the person that you hired today still the person doing that job in a month's time? And that's the bit where a lot of places seem to fall down is they, they may invest heavily in time and effort initially to verify the person, but they don't really come around and do another quick round of verification later on.
Patrick Gray
I mean, is it possible there from what you're saying, that the person who got through the application process and the interview and got the job isn't the person who's then on the tools doing the work?
Alex Tilly
Entirely possible. Entirely possible. We've seen that through all kinds of other crime types. You know, we saw back through in the days of money laundering, et cetera, in the days when I was involved in money laundering, when you were involved.
Patrick Gray
In countering money laundering, I think we need to be clear there.
Alex Tilly
That was around, hey person, hey student, here's 500 bucks. Could you go and open a bank account for me? Show up, give your identity and then just give me the card and the means of accessing the account. Right? That was a very basic way it was working. We're seeing it similar with this. It's like, hey, you know, person X, could you be me on this webcam interview? Could you answer these questions, etc, like that, and then hand over control of those accounts? That particularly one way that I believe it's happening. It's hard to see that one happening all the time, but it definitely is the case where you see one person who may not be, you know, a white guy from Texas, or shall we say who then is a different non-white guy from Texas two months later? And that's the, that's the interesting part about this, is trying to sort of track that changes over time. And a lot of organizations struggle with that, obviously because of profiling reasons, etcetera, which won't go into. But there is that, that scenario of is that person the same person two or three months later on.
Patrick Gray
Yeah. All right, so look, any final words for people out there who might be. I mean it's, you know, it's difficult. Right, because one of the things is this is a well understood issue in cyber security, but the people who are best positioned to do something about it are HR teams, not cybersecurity teams. But you know, are there any parting words that you would have for people on the security side of things, you know, how they might help their colleagues in HR kind of deal with this, detect it and whatnot?
Alex Tilly
Yeah, and you've hit the nail on the head. There it is, our colleagues in HR. It is definitely about us as security people getting involved with the HR people as much as we can to understand, well, what data sources are available there to us. What can we actually log into to see? Can we as a security team add value to say, hey, this person's logging into an interview via an XVPN connection. That's weird. Or this person, you know, this person seems to be using a webcam filter or their CV was created by the same person as other CVs. You know, these are technical tricks that we can do as security people. If we get involved with our colleagues in HR and our colleagues in HR and hiring managers, really it's about being aware. And that's unfortunately, that is the hard bit about the job that I'm trying to do here is to say just be aware and have a look and don't think that you're not getting targeted because you probably are. And understand that what's my pathways internally where something looks strange, maybe it's a co-worker says, hey, you know, that particular guy on my team hasn't been at a team meeting for six weeks. Or, you know, the code seems to be just generated out of an AI or something like that. Something strange here. Do you have a pathway for those team members to raise a red flag and say, hey, can someone have a look into this person? Because obviously we're in different time zones, all kinds of different things going on, but something doesn't smell right because technically we can do a fair bit to identify there's something strange here, but really it is the co-workers and the managers who can see that. And the extra bit I will say is that if I call you, please answer the phone. I'd love to talk to you and try and help you.
Patrick Gray
There you go. Yeah. No, look, everything that you've just said makes sense. Security people need to think about what services they can offer to the whole organization, how they can raise awareness, how they can tell people, hey, this is something that's happening. You know, here's the number you call or here's the person you email when you're. When you're sus. And this is what we'll do to look into it. Alex, we're out of time, mate, but it was fantastic to see you. Alex is an old mate of mine and in fact lived very close to my mum's house in Melbourne many years ago. So when I would travel down to see Melbourne, we'd always make sure we snuck in a few beers. Great to see you again, my friends, and we will chat again soon.
Alex Tilly
Thanks, mate.
Patrick Gray
That was Alex Tilly there from Okta with this week's sponsor interview. Big thanks to him for that. And big thanks to Okta for being this week's sponsor. And that is it for this week's show. I do hope you enjoyed it. I'll be back soon with more security news and analysis, but until then I've been Patrick Gray. Thanks for listening.
Adam Boileau
Sam.
Summary of Risky Business Podcast Episode #795
Title: How The Com is Hacking Salesforce Tenants
Release Date: June 11, 2025
Host: Patrick Gray
Guests: Adam Boileau, Alex Tilly (Okta)
In this episode of Risky Business, host Patrick Gray and guest Adam Boileau delve into a week filled with cybersecurity intrigue, vulnerabilities, and criminal activities. The episode also features an in-depth sponsor interview with Alex Tilly from Okta, discussing North Korean operations targeting Salesforce tenants.
Patrick Gray opens the discussion with the emergence of a group named Errors Leaks, who are allegedly selling stolen intelligence documents via Telegram.
“Their business is apparently offering stolen documents stolen from various intelligence services for sale over Telegram...”
[01:25] Patrick Gray
Adam Boileau concurs, highlighting the group's risky activities and potential repercussions.
“They claim to have gotten hold of some documents from the Russian FSB... this does feel like living a little bit dangerously.”
[01:52] Adam Boileau
The New York Times has reported on these documents, assessing their legitimacy and discussing Russia's suspicion of Chinese intelligence activities. However, the evidence around the WeChat data's acquisition remains inconclusive.
The conversation shifts to Ukraine's military intelligence successfully stealing sensitive data from Tupolev, a major Russian aircraft manufacturer. Despite the extraction of 4.4 gigabytes of data, the significance of this breach is debated.
“These days that's not an impressive amount of data, but once upon a time that would have been quite a lot.”
[05:23] Adam Boileau
The host reflects on the ongoing drone attacks in Ukraine, emphasizing the resilience and dedication of journalists like Dorina Antoniok.
iVerify, an iOS-focused security firm, has identified potential exploitation of iMessage to compromise devices through avatar update processing bugs.
“They think someone has been exploiting a bug that Apple patched earlier this year...”
[08:22] Adam Boileau
Patrick raises concerns about Apple's lack of transparency regarding the exploit, stressing the importance of third-party oversight in the closed Apple ecosystem.
Paragon, a spyware company, has terminated its contract with Italy following suspicions of misuse against journalists. Italy's refusal to verify allegations further complicates the situation.
“Paragon say they had found a way that with Italy's cooperation, they could have verified that this journalist wasn't targeted.”
[11:39] Patrick Gray
Adam notes the complexities of private companies overseeing government actions, highlighting the challenges in accountability and compliance.
The episode covers Qualcomm's patching of critical bugs in its chipsets, aided by Google researchers. Additionally, Corellium's acquisition by Cellebrite for $200 million is discussed, emphasizing its significance in exploit development tools.
“These bugs all seem to be in graphics driver implementations... good work to Google finding some cool bugs.”
[15:40] Adam Boileau
“Corellium offers a virtualized iOS environment... it's pretty crazy to see that they managed to actually get through that unscathed.”
[17:03] Patrick Gray
Governments from the US, UK, Germany, and Israel are requesting access to push notification data from Apple, which can sometimes include unencrypted content. The discussion clarifies that this data is generally limited and not as intrusive as end-to-end encrypted messaging.
“It's about multifactor auth ultimately preventing credential theft... phishing for CodeExec is much harder than it used to be.”
[32:28] Adam Boileau
The takedown of the Lama Stealer botnet is examined, with insights into the evolving landscape of Russian cybercrime. Accrete Infostealer is emerging as a significant threat, taking over market share from its predecessor.
“It's a dog eat dog world over there in Russian cybercrime. So it makes sense that there's someone waiting in the wings who are taking over.”
[24:31] Adam Boileau
Patrick emphasizes the importance of ongoing law enforcement actions to disrupt these operations continuously.
Ransomware attacks have had tangible real-world consequences, such as blood shortages in the UK and disruptions in the US food distribution network.
“These include the national health system in the UK needing 1 million blood donors due to ransomware attacks...”
[26:09] Adam Boileau
“United Natural Foods, a massive distributor, is facing operational disruptions affecting customer orders and the broader food supply chain.”
[28:23] Adam Boileau
Patrick and Adam delve into a sophisticated social engineering campaign targeting Salesforce tenants. Hackers trick users into authorizing malicious apps, thereby siphoning off sensitive data.
“This is about copying Salesforce's real apps... and then running them through the regular authorization flow to siphon data.”
[31:30] Adam Boileau
They discuss the challenges of mitigating such threats, emphasizing the need for better control and intelligence around OAuth events and app authorizations.
“We need something that can control the OAuth event... but we also need the intelligence to let you know when you should block it.”
[37:24] Patrick Gray
The episode concludes with an insightful interview with Alex Tilly, a threat intelligence specialist at Okta and former Australian Federal Police investigator. Alex discusses his research on North Korean cyber operations targeting Salesforce through fake job applications aimed at deploying malware and conducting reconnaissance.
Key Insights from Alex Tilly:
Recruitment Tactics: North Koreans are targeting remote full-stack developer positions, using fake job ads to attract legitimate applications.
“They’re hosting fake job ads and generating these opportunities that don’t... exist to draw in legitimate applications.”
[52:25] Alex Tilly
Malware Deployment: After gaining access, malicious actors deploy RATs (Remote Access Trojans) to harvest sensitive information and maintain persistence.
“They engage in deploying malware to harvest either... development systems... tooling.”
[53:58] Alex Tilly
Behavioral Patterns: Successful identification involves tracking login events and building profiles based on suspicious activities and service usage.
“It’s about vetting up front, understanding—are there any red flags we’ve got to look for?”
[63:05] Alex Tilly
Actionable Advice:
Vetting and Monitoring: Organizations should rigorously vet remote hires and continuously monitor their activities to detect anomalies.
“It's about being aware and having a pathway for team members to raise a red flag.”
[64:50] Alex Tilly
Collaboration Between Teams: Security teams need to work closely with HR to implement effective screening and monitoring processes.
“Security people getting involved with the HR people as much as we can to understand what data sources are available.”
[64:50] Alex Tilly
Patrick wraps up with lighter anecdotes, including an Australian Navy ship inadvertently disrupting wireless internet communications in New Zealand, highlighting the often humorous side of cybersecurity mishaps.
“It's funny because this perfectly encapsulates the Australia, New Zealand relationship...”
[48:16] Patrick Gray
The episode concludes with expressions of camaraderie and a commitment to continue delivering insightful security news and analysis.
Notable Quotes:
“It's about multifactor auth ultimately preventing credential theft... phishing for CodeExec is much harder than it used to be.”
[32:28] Adam Boileau
“We need something that can control the OAuth event... but we also need the intelligence to let you know when you should block it.”
[37:24] Patrick Gray
“Security people getting involved with the HR people as much as we can to understand what data sources are available.”
[64:50] Alex Tilly
This episode of Risky Business provides a comprehensive overview of contemporary cybersecurity threats, emphasizing the evolving tactics of state-sponsored actors and the critical need for robust defense mechanisms within organizations.