Risky Business #796 – Detailed Summary
Host: Patrick Gray
Special Guest Co-Host: Chris Krebs
Release Date: June 18, 2025
Sponsor: Kroll Cyber
Introduction
In this episode of Risky Business, host Patrick Gray is joined by regular contributor Adam Boileau and special guest co-host Chris Krebs. The trio delves into the latest developments in information security, analyzing significant cyber threats and discussing advanced attack methodologies. The episode also features an insightful interview with George Glass from Kroll Cyber, focusing on recent retail sector breaches in the United Kingdom.
Cyber Conflict: Israel vs. Iran
Attack on Iranian Bank
The episode opens with a discussion on the escalating cyber conflict between Israel and Iran. Adam Boileau provides an overview of a significant cyberattack on Bank Sepah, Iran's main state-run bank, perpetrated by the group known as Predatory Sparrow. This hack resulted in payment systems being disrupted, with local Iranian media reporting that customers were unable to access their accounts and that physical branches were closed. The attack's impact is profound, considering the bank's role in disbursing government salaries and managing critical financial operations.
Notable Quote:
Patrick Gray [02:18]: "You remove a major bank, you create a systemic problem to the banking sector because of the interdependencies between major banks."
Implications for Cyber Warfare
Patrick Gray and Chris Krebs discuss the broader implications of targeting financial institutions in cyber warfare. Destroying backups or disrupting a major bank can lead to extensive systemic chaos, undermining public trust and economic stability. Chris Krebs emphasizes the potential for such attacks to incite civil unrest by depriving citizens of financial resources.
Notable Quote:
Chris Krebs [04:29]: "If you really want to piss off the workforce, if you really want to cause civil unrest and chaos, you take their money away."
Krebs also highlights the possibility that attacking Bank Sepah could disrupt financial mechanisms used to evade sanctions, potentially providing intelligence advantages to allied nations.
Identity-Based Attacks on Cloud Services
Scattered Spider Attacks on UK Retailers and Insurance
The conversation shifts to identity-centric attacks, particularly those following the Scattered Spider playbook targeting UK retailers and now expanding into the insurance sector. Adam Boileau explains that these attacks leverage sophisticated social engineering techniques to compromise user identities, enabling broader access to sensitive systems.
Notable Quote:
Adam Boileau [12:44]: "Everything no one cares about. Buffer overflows. That's grandpa's technique. This is the way that people get compromised these days."
Salesforce Credential Phishing Incident
Patrick Gray provides an update on a Salesforce breach initially thought to involve app-based social engineering. It was later clarified that attackers obtained credential pairs through phishing, allowing them to log into Salesforce tenants directly.
Notable Quote:
Patrick Gray [15:01]: "Everything's identity now. Now you and I were talking about this and say you had domain admin creds back in the day..."
Challenges in Zero Trust and Identity Security
The hosts debate the difficulties in securing identity in a zero-trust environment. They discuss how modern cloud infrastructures complicate traditional security models, making identity the new perimeter. Conditional access policies offer some protection but are often insufficient without comprehensive identity management strategies.
Notable Quote:
Adam Boileau [16:40]: "We put it all on the Internet and we relied on identity to solve the problem without really making identity robust."
Microsoft’s Response: Running M365 on Local Data Centers
In response to European concerns over reliance on American tech providers, Microsoft is now offering the ability to run Microsoft 365 services on local data centers. This move aims to address data sovereignty issues but introduces new complexities in managing and securing these localized environments.
Notable Quote:
Patrick Gray [30:53]: "The way they are carving it off from the private cloud plus the third party providers, it's a pretty elegant solution."
AI-Driven Cyber Threats
Microsoft 365 Copilot Prompt Injection Attack
Adam Boileau discusses groundbreaking research from AIM Security Labs demonstrating a prompt injection attack on Microsoft 365 Copilot. By crafting deceptive emails, attackers can manipulate the AI to execute unauthorized actions, exfiltrate sensitive data, and bypass security filters.
Notable Quote:
Adam Boileau [38:17]: "They come up with basically a way to bypass that filtering to just through making it look innocuous."
Patrick Gray reflects on the challenges of defending against such AI-driven threats, questioning the feasibility of universal solutions against sophisticated prompt engineering.
Notable Quote:
Patrick Gray [41:11]: "What's a universal solution to that?"
Supply Chain Risks and Ransomware
CISA Warning on Supply Chain Exploits
The hosts highlight a recent Cybersecurity and Infrastructure Security Agency (CISA) warning regarding supply chain vulnerabilities. Ransomware groups are exploiting simple help desk flaws to gain unauthorized access, emphasizing the critical need for robust third-party security measures.
Notable Quote:
Chris Krebs [43:04]: "Kudos to CISA. This is great stuff. It's nothing world earth shattering in this alert, but this is CISA doing what CISA should be doing."
Case Studies: United Natural Foods and WestJet
Patrick Gray and Adam Boileau examine high-profile ransomware incidents affecting United Natural Foods and WestJet. United Natural Foods experienced severe operational disruptions, including the closure of sandwich bars, while WestJet faced cyberattacks that threatened flight operations.
Notable Quote:
Adam Boileau [43:29]: "So on Tuesday they reported sandwich bar had to be closed. So, you know, that's, that's pretty serious impact."
Sponsor Segment: Kroll Cyber on UK Retail Attacks
Guest: George Glass, Kroll Cyber
George Glass discusses the mechanics behind recent UK retail cyberattacks, emphasizing the role of multi-stage social engineering targeting help desks. Attackers often impersonate employees to reset multi-factor authentication (MFA) tokens and gain access to sensitive systems.
Notable Quotes:
George Glass [47:32]: "They just do, you know, a variation of that. And yeah, it works, obviously."
Patrick Gray [49:51]: "You mentioned they were going after the people who are likely to have highly privileged access. I mean, I know from Adam Boileau, my co-host, when they were doing teaming, I mean, the first people they'd go after with phishing and whatnot was the domain admins..."
Glass elaborates on detection strategies, such as monitoring anomalous token usage and impossible travel patterns, to identify malicious activities swiftly. He underscores the importance of defense-in-depth but acknowledges the challenges in implementing comprehensive security measures across large, distributed environments.
Notable Quote:
George Glass [54:03]: "A lot of those detections were set up for attacker in the middle, but it does tend to work for things like MFA resets and stuff like that."
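As an added illustration of the detection approach Glass describes (example code written for this summary, not Kroll's tooling), the following Python runs an impossible-travel check and a post-MFA-reset sign-in check over a few constructed sign-in events; the field names, thresholds and sample locations are assumptions.

```python
# Added example, not from the episode or Kroll: impossible-travel and
# post-MFA-reset sign-in detection over constructed sign-in events.
# Field names (user, event, ts, lat, lon) and thresholds are assumptions.
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) pairs (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events, max_kmh=900, reset_window=timedelta(hours=6)):
    """Return alerts: ('impossible_travel', user) when consecutive sign-ins imply
    a speed above max_kmh, and ('post_reset_signin', user) when a sign-in far
    from the last known location follows an MFA reset within reset_window."""
    alerts = []
    last_signin = {}   # user -> (ts, (lat, lon)) of the most recent sign-in
    last_reset = {}    # user -> ts of the most recent MFA reset
    for e in sorted(events, key=lambda e: e["ts"]):
        u, loc = e["user"], (e["lat"], e["lon"])
        if e["event"] == "mfa_reset":
            last_reset[u] = e["ts"]
            continue
        if e["event"] != "signin":
            continue
        if u in last_signin:
            prev_ts, prev_loc = last_signin[u]
            hours = (e["ts"] - prev_ts).total_seconds() / 3600
            dist = km_between(prev_loc, loc)
            if hours > 0 and dist / hours > max_kmh:
                alerts.append(("impossible_travel", u))
            if u in last_reset and e["ts"] - last_reset[u] <= reset_window and dist > 100:
                alerts.append(("post_reset_signin", u))
        last_signin[u] = (e["ts"], loc)
    return alerts

T = datetime(2025, 6, 16, 9, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"user": "admin1", "event": "signin", "ts": T, "lat": 51.5, "lon": -0.12},                         # London
    {"user": "admin1", "event": "mfa_reset", "ts": T + timedelta(hours=2), "lat": 51.5, "lon": -0.12},  # help desk reset
    {"user": "admin1", "event": "signin", "ts": T + timedelta(hours=3), "lat": 40.7, "lon": -74.0},     # New York
    {"user": "staff2", "event": "signin", "ts": T, "lat": 53.48, "lon": -2.24},                        # Manchester
    {"user": "staff2", "event": "signin", "ts": T + timedelta(hours=5), "lat": 51.5, "lon": -0.12},     # London, plausible
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The admin1 sequence triggers both rules (a reset followed an hour later by a sign-in thousands of kilometres away), while staff2's Manchester-to-London trip at ordinary speed produces no alert.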
Conclusion and Final Thoughts
As the episode wraps up, Chris Krebs offers a sobering reminder of the persistent threat posed by ransomware and the importance of community support in defending against cyber threats.
Notable Quote:
Chris Krebs [45:40]: "Ransomware's here to stay right now. And there are hounds, as you said last week, waiting to be released. So are we going to release them or what?"
Patrick Gray emphasizes the evolving landscape of cyber threats, particularly identity-based cloud attacks, predicting that only the top 1% of organizations are currently equipped to handle these sophisticated threats. The episode concludes with gratitude towards guests and sponsors, reinforcing the critical nature of continuous vigilance in cybersecurity.
Key Takeaways:
- Strategic Cyberattacks on Financial Institutions: Disrupting major banks can cause widespread economic instability and civil unrest.
- Identity-Centric Security Challenges: As organizations transition to zero-trust models, robust identity management becomes paramount yet remains fraught with vulnerabilities.
- AI Vulnerabilities: Advanced AI systems like Microsoft 365 Copilot are susceptible to prompt injection attacks, necessitating sophisticated defensive measures.
- Supply Chain and Ransomware Risks: Vulnerabilities in third-party services and help desk procedures continue to be exploited by ransomware groups.
- Effective Detection and Defense: Multi-layered security strategies, including anomaly detection and defense-in-depth, are essential but challenging to implement at scale.
Stay Informed:
For more in-depth discussions and the latest in cyber security news, subscribe to Risky Business and stay ahead in the ever-evolving landscape of information security.
