Loading summary
Patrick Gray
Foreign and welcome to Risky Business. My name's Patrick Gray. We've got a great show for you this week. Adam Boyloh will join me in just a moment to talk through the week's news as will Chris Krebs, who is going to be our third wheel this week, our guest co host. So that's going to be a bunch of fun. This week's show is brought to you by Kroll. So cyber and Kroll Cybers. George Glass is this week's sponsor guest and he is talking to us about the retail attacks in the United Kingdom. He's got some really interesting details there on how these scattered spider esque threat actors were able to compromise places like Marks and Spencer and go after Harrods and whatnot. There's some really interesting detail in there, so do stick around for that one. And indeed, we're actually going to be talking about the sponsor interview in the news this week. And yes, speaking of, let's get into the news now. But I suppose before we do, Chris, I got to ask, is there anything that you can tell us about your situation at the moment? I'm guessing given that you don't appear to have done any interviews about it in the American press, that you don't have much to share. But I would be not a very good journalist if I didn't ask.
Chris Krebs
Yeah, I have kept things pretty quiet. I haven't done any interviews. I'm, I'm trying to keep the fun and fun employment rather than talking about thorny legal issues that, you know, I'll get around to it at a time and place of my choosing. But in the meantime I'm really excited to just stick to the cybers today.
Patrick Gray
Excellent. Well, let's do that. And we've got a couple of great stories to kick off with. I mean, obviously the big thing in the news at the moment is this conflict between Israel and Iran and there's some very strange things happening on the Internet in that region, as you would expect. Probably the biggest news story here is the this attack against a major Iranian bank called Bank Sepah S E P A H this looks like it was perpetrated by the group known as Predatory Sparrow, which is ostensibly a hacktivist group that we've always thought is, you know, the Israeli government is behind it. But Adam, why don't you kick us off here by actually walking us through what we know has actually happened.
Adam Boileau
So the group behind this has put out some statements saying that they broke into the bank, that they deleted a bunch of stuff. We, we've Seen some reports from local Iranian media that payment systems are down, people are unable to access their bank accounts, the physical branches are closed. So like, sounds pretty bad in terms of impact. And this particular bank is also like, it's the main state run bank in Iran, which was formed by merging a bunch of other smaller state run banks and does things like pay government employees, which, you know, kind of an important function. So, you know, we don't really know, like some reports from Iranian press have been like, oh, it'll be back in a few hours or days. And then we've seen others where like they're completely destroyed when it's, you know, both sides of that kind of like propaganda part. So it's a little hard to read through all of that. But either way, something bad happened to them. And this is a group that we've seen do a bunch of other stuff with, you know, reasonable impact in Iran in the past.
Patrick Gray
Now you just said something interesting there, which is that the bank is responsible for paying government employees. But even if it weren't, if you were able to successfully RMRF a major financial institution, I mean, you and I were talking this morning and I used the metaphor that like, the banking system is a table and if you take out one of its legs, it's not much use as a table anymore. Right. And the banking sector's the same. You take out a bank like this, you destroy its backups. This could be immensely consequential. And indeed, many, many years ago, when governments were still wrapping their heads around the cybers, people like you, people like me would wind up having conversations in various settings with government types and they would ask you, you know, what are the big risks when it comes to cyber war? You know, what would you do if you were going to do a cyber war? And my answer was always, I would disrupt the banks because that is how you would create maximum chaos. Chris, let's bring you into this. I mean, if this is an attack that managed to destroy, say, backups, if it, if they actually managed to delete a bank, you would have to imagine that the consequences of this are going to be huge.
Chris Krebs
Yeah. I mean, just to Adam's point of your point, if you really want to piss off the workforce, if you really want to cause civil unrest and chaos, you take their money away. How are they going to pay for things on a daily basis that they're not going to devolve to a bartering system of commerce? That's just not going to happen, at least anytime soon. So I think that's a Good point. The second is the way that this bank was used to avoid sanctions could also mean that it's a mechanism for laundering overseas payments. So if there's funding coming in from partners, China, elsewhere, they may have broken that link as well or taken the evidence of that for, for future exploitation either by intelligence services or whatever. So this is, this is a big one. I do think that it's an interesting comparison to the beginning, for instance, of the Russia, Ukraine invasion, where everything was cyber all the time and we didn't really hear too much or we haven't heard too much yet. Early, early days here, but this one. And then I think if you watch, you know, some of the intelligence sources or open source intelligence accounts they're talking about, like, yeah, there's weird stuff going on over there. Something's about to kick off here. It does feel like we're on the edge of something quite significant. The Pentagon Pizza index is off the charts, if you're familiar with what that is. So I do think that by the end of this week, at least here, here in the States or at least in the Middle East, I think it'll be a completely different landscape.
Patrick Gray
Yeah, I mean, I think my core point here is it's not just about removing that bank. You remove a major bank, you create a systemic problem to the banking sector because of the interdependencies between major banks. So that's why I say that this could be immensely consequential. But of course, we don't know. They might have offline backups. Maybe their worst case scenario is reverting to, you know, a week's worth of transactions, which would be a disaster, but it wouldn't be existential. Whereas if you are able to permanently delete a bank, that would be, yeah, very, very bad now indeed. You just said there's some indications that things are going a bit sideways on the Internet in places like Iran. I actually had a chat with Andrew Morris this morning from Gray Noise, and I've talked about this with you too, Adam. They're just seeing, and we won't divulge really too many details until they're ready to talk about it, but they're just seeing very unusual activity on the Iranian Internet and activity emanating from Iran. Last time Andrew saw anything like this, it was when the United States took out Qassim Soleimani. So make of that what you will.
Adam Boileau
Yeah, like some of the stuff that's going on, like it's a little bit pepe to silver. Like there's lots of data points and we don't really know how they join together or what it all means, but it's pretty clear that something wacky is going on, and it involves the cybers and the Internet, and we don't really know. And that's, you know, in the context of cyber war, doing something actually useful, like, in this case, taking out banks or whatever, like anything else weird happening in the cybers in Iran at the moment is just kind of interesting.
Patrick Gray
Yeah. And I think, you know, the activity that he described to me, that I described to you, you can't, like, look at that activity and attribute it to any sort of objective. It just doesn't make sense.
Chris Krebs
Yeah, I have no idea what you guys are talking about, but it makes perfect sense for, at a minimum, electronic warfare, jamming lines of communications, things like that, just to completely disorient the adversary. And if this is the US Combined with Israel, I obviously have no intelligence, no insight. In fact, I don't have a security clearance, so I couldn't even access that stuff anymore. But, yeah, they're prepping the battlefield again, every single indicator is there that this is still early days. And as Iran continues to respond, and particularly if they're hitting the population centers, it's only pissing off Netanyahu even more. So this is. This is operational preparation of the battlefield.
Patrick Gray
Well, I mean, if you did want to confuse people, this activity is confusing. I'm confused. Adam's confused. So maybe that's it. And meanwhile, Iran's cyber command has ordered top officials and their security details to not use any sort of network connected device. I mean, what I infer from this is that those devices have been used to pull together target packages, which should not at all be surprising to anyone. Right. You know, I was discussing this with a friend, and they said, oh, well, it'll be interesting to see if these top officials and their security details actually stick to the advice. But I think when the advice is, you know, ditch your personal device because the Israelis are using it to guide missiles to your location, that's a pretty strong motivator. It.
Chris Krebs
I mean, this. This is, like, one of my favorite details of the last five or six days. It's the, you know, nature is learning. Right. They picked up from the Hezbollah pager attacks, and now they're applying it into the. The. The field. At least the Iranians are in real time.
Adam Boileau
It.
Chris Krebs
It shows you that the. The Israelis have achieved some level of maybe not strategic deterrence, but tactical deterrence. They've instilled fear like the Iranians are afraid of Israel. They know how good they are and they are confused. They're going to be disoriented if they can't use their devices, they're going to have limited means of communications. So it's really going to, I think, continue to cause chaos. And just from a strategic objective, maybe with tactical impacts, Israel's gotten right where they want them.
Patrick Gray
Yeah. I think, Adam, you are making that point as well, which is, even if they stop using their devices, you've still kind of won because they're not trusting their devices and that slows down their ability to actually do anything.
Adam Boileau
Yeah. I mean, the thing that occurred to me reading this is like, you know the phrase bomb them back to the Stone Age, like this is like, just deter them ever so slightly out of the information age. Right. Slightly less kinetic, but in terms of degrading the ability to command and control and to respond coherently, like. Like, probably quite effective. So, you know, good work, I suppose.
Patrick Gray
Yeah. I mean, again, we will say, just because people get confused when we talk about Israeli operations, not an endorsement of Israeli policy, just an analysis of what's actually happening. So you can save your emails and angry tweets. Thank you. I've also linked through to, I guess, an advisory from Radware, just looking about some of the stuff that they're seeing the Iranians pull together. I think it's really interesting to contrast what you're seeing Iranians do, which is like, muddy water and whatever. Oh, they might hack a water treatment plant in Minnesota, you know, whereas on the Iranian side, it's like, we can't use our mobile phones because we're going to die if we do. Right. So sort of shows you what a mature signals intelligence, you know, organization looks like in contrast to what the Iranians are doing, I would think. Unless they're going to show us something new, I doubt it. I mean, what's your vibe on that, Chris? Like, I mean, that. That's. That's. I mean, I think I just said it there. Right. Which is. It's. It contrasts a mature one to one that just looks cool.
Chris Krebs
I think that the general concern here is that they have a capability. The question is, are they going to be able to use it? And I just don't know if they still have that ability in place that can be directed from the High command.
Patrick Gray
Yeah, yeah, indeed. All right, so we're going to change gear now and we're going to revisit a topic that we spoke about last. We've got some updated information on the Salesforce story that we spoke about last week. But the theme of identity based attacks is a big one this week. So we'll start off with this story from cybersecurity Dive where Google Mandiant is warning that these scattered spider esque attacks that hit UK retailers, they are now targeting the insurance vertical, which is interesting, but again, identity based social engineering. This is something that needs to be top of mind for CISOs at the moment, Adam.
Adam Boileau
Yeah, yeah, absolutely. I mean, regardless of which particular industry they're hitting, I mean, you know, the retail ones were quite flashy. Insurance maybe is a little more boring for the average consumer. But the methodology, which is, you know, a bunch of kids, a bunch of attackers that really understand how modern systems work and that is identity centric. Everything no one cares about. Buffer overflows. That's grandpa's technique. This is the way that people get compromised these days. And so seeing it applied in other industries seems like a natural progression. Right, but everyone's got to think about this.
Patrick Gray
Yeah. So you and I have been kicking around some thoughts, so I will update everybody on the Salesforce thing. So it looks like the original reporting we relied on to have last week's discussion wasn't 100% accurate. Right. So the way it had been reported is that the attackers had managed to socially engineer people into connecting an app into a Salesforce tenant. Looks like that's not actually what they were doing. I spoke to someone about Salesforce about this who has the details. What they were able to do was get a cred pair basically through social engineering, log into the Salesforce tenant and then do it themselves. Right. Still leaves us in the same position though, which is we have all of this infrastructure as a service, all of this software as a service, and it's not really clear how we could comprehensively apply conditional access policies to these sorts of actions and even how far that would get us. Right. So this is still the core issue, which is that everything's identity. Now. Now you and I were talking about this and say you had domain admin creds back in the day and you're a remote attacker. Where do you even put them in? You know what I mean? Like there was. There seemed to be a little bit more control about like physically where you were, what network you were on, even what device you were using. Whereas these days we're in a zero trust sort of world, it's less likely to be that way. Now, again, conditional access policies can get you some of the way to fixing this, but not all of the way. And I just have a feeling that Unless you're one of the security 1% that's really put a lot of thought into how to deal with this. You're going to have a bad time.
Adam Boileau
Yeah, absolutely agree. And you know, when Google gave us this sort of zero trust future with like the Google, you know, when we first started seeing this idea of an organization that didn't have a permanent, didn't have an internal network, everything was on the Internet. You know, Google kind of thought about it, right? And they approached it with their level of resource and controls and things. But for most people moving into the cloud and moving into the as a service world, there was this implied second factor of somewhere you are, which is at the office, on the local network, on the Windows domain that was separate from the other sorts of authentication, something, you know, something you have. And we got rid of somewhere you are and smart people like places that were really, well, resources, maybe replace that with good conditional access and bespoke apps and things like the Google way. But for most people, we just got rid of some of you are and gave away that whole factor without really replacing it, compensating for that control with other stuff. And I think that's what's coming home to roost for us now is since we put our Office suite and our file server on the Internet through SharePoint and whatever else, you know, now it's username, password. Maybe you've got a fish mfa, maybe you've got a reset mfa, but you can use it from anywhere. And to answer your question, where do you put those domain admin creds once you've got them? You know, in the old days it was unusual perhaps that you could just show up with Windows creds and use them externally. You had to find a vpn, you had to find a web app that was domain integrated auth you had to find some obscure network service.
Patrick Gray
Well, there'd be a policy that might say, there'd be a policy that might say you can't log in as a domain administrator through the vpn, because that is crazy.
Adam Boileau
Yes. Or at least the VPN requires multi factor and domain admin doesn't have a multi factor token, so you can't log in and you got that kind of control even if it was by accident. Whereas now, you know, you just what have we got? We put it all on the Internet and we relied on identity to solve the problem without really making identity robust. And what does that even look like?
Patrick Gray
Well, and you know, this is the pitfall I think is a lot of companies out there are Saying, well we'll give you know, things like Yubikeys to our most sensitive admins but then these guys, they just ring up the help desk and reset the mfa, right. So you're sort of right back at square one. So I mean some of the stuff people are doing around this, they can use various like hardware attestation software. Like what's the okta one? There's like an Okta endpoint agent that'll give you okay, you know, this person is actually on a corporate device and things like that. But you know, like my point was like if you've got the right identity information, maybe you can just intune provision yourself like a corporate workstation or whatever. And like it's just, I guess the point is it's just getting, it's just getting complicated. It's getting really complicated. And then when you look at like the issue of OAuth grants and things like that as we were talking about with Salesforce last week, well, oh, and here's an interesting fact too about the Salesforce thing is those creds that they were phishing, they could have got all of the data that they got. They didn't need to connect an app, they just did that sort of for convenience. But if you wanted to stop like an app grant, you know, that's not always to your point last week that's not always going to be an OAuth thing. Sometimes that's like just a configuration change that you do through some sort of control panel or whatever. So CASB is not really going to help you there. Even though there are CASB solutions that are designed to prevent this. And it's like all very much configuration dependent. But I think really ultimately the first thing people need to do in dealing with this is probably stop their call centres from being able to reset MFA tokens. That should be an in person sort of thing.
Adam Boileau
Yeah, I mean these are all really hard issues because ultimately even if we fixed every software problem, even if there were no buffer overloads, no MEM corruption, no programming flaws, no mistakes were made ever, we would still need functional identity. And you know, if that means we have to have multi factor everywhere and you know, for organizations that are, you know, 10, 20, 30, 100,000 people scaling good identity and password reset flows and multi factor auth flows and dealing with the realities of life. My dog ate my Yubikey, you know, my kids stuck it in, you know, the washing machine or whatever else, like these things happen and scaling up in person is really hard and I don't know what we do, you know.
Patrick Gray
Yeah, so Chris, Chris was sort of responsible, I guess, for, you know, thinking about these sort of issues for the US government. I mean, any thoughts here, mate, about, like, how we begin to rein in some of the problems that are emerging because we've moved to such an identity centric computing model?
Chris Krebs
I've been thinking, frankly, less about the identity problem here and more they were further complicating the perimeter by bringing in all these third parties. I mean, the Pat opet letter from JP a couple weeks ago or whatever it was to third party suppliers is like, that's. So when I'm thinking about some of these scattered spider attacks, that it may not even be that they're coming in through the front door of the individual targets. Right. Of social engineering, the, the call centers for individual organizations. It could be that they're coming in through a third party back door that gives them kind of a unified point of entry across a multiplicity of targets. And, and that's like, that's where my head just explodes. Because if we can't even do the first order problem of managing identity, how the hell are we going to manage the third party issue?
Patrick Gray
Yeah, so that's, that's a little bit along the lines of what I was saying, what I was talking about last week, which is, you know, we have to operate under the assumption that these identities at some point are going to be compromised. Right. And even in the call I had this morning with my Salesforce buddy, you know, I said, okay, that's great, you know, everything that you've talked about, conditional access and the hardware provisioning. But if all that's standing between me and a multimillion dollar ransomware payout from your company is I have to follow one of your staff home, hit them over the head with a lead pipe and open up their laptop. You know what I mean? There still needs to be that second line of controls that can prevent that identity from doing horrible things. Right. And that's almost an intractable problem, you know, what are the ideas? Okay, you could time lock certain administrative actions, but no one's going to go for that. And you're going to need break glass for the time lock anyway. Right. So it is. And then, you know, a solution that works for Azure won't work for GCP or let alone your software as a service like your Salesforce or your, you know, various infrastructure as a service tools. So I just think, you know, we're going to see a lot here. I'm totally with you, though.
Chris Krebs
Yeah, I mean, I remember I can't remember if we did this on A Wide World of Cyber last year, but I know Alex is Stamos has done a great deal of thinking about at least the first party issue. It's just like you said, it's you have conditional access, you have as you go up levels of sensitivity of the system or the process or program or whatever, but it's just not flexible and it doesn't really match the speed of business all the time. And someone's always going to figure out a way to whip through the Windows administration piece and there you go.
Patrick Gray
Okay, well, we're a bunch of chuckles today, aren't we? This is fantastic. We're all ruined. Now look, just staying on the theme of identity. Apple is doing some work, Adam, on passkey portability which will enable you to get passkeys out of the Apple ecosystem into other devices and stuff. It is good to see this sort of work continuing. And I do think, you know, for people who have multiple devices in consumerland, that helps with identity quite a bit, you know, because you can start throwing them pop ups on other devices if they lose a device. They don't necessarily have to reset the whole lot and whatnot. So I think in the consumer space we're actually making some real strides here. But you know, ironically enough, you know, connecting the enterprise world to some of this consumer goodness, businesses won't want to do it, even though probably eventually that's going to be a more secure way to do things. Are you tracking me?
Adam Boileau
Yeah, I mean I think passkeys are clearly better than a password in many respects, but managing them at an enterprise scale and dealing with the enterprise problems with a solution that's ultimately pretty consumer focused to start with is really difficult. And Apple's making some good steps here because being able to get passkeys out, move them around, sync them outside of the one ecosystem. Because I'm an inside. If all of your world is inside Apple life, then everything just magically works. That's the appeal of Apple Life. But most people are not single ecosystem and certainly most businesses are not. So it's kind of good work. And I think my mind goes back to the time you were talking with one of the guys from Yubikey about identity and tokens and starting to build that differentiation between hardware bound tokens and movable around, you know, key material. And I think the sooner we get that clear in everybody's heads that some things you can move and some things are stuck to a particular device, like that's good, that helps overall with Just how we think about it.
Patrick Gray
Yeah, But I mean, ironically enough, the portability enables you to get attestation from multiple devices, which is a huge benefit, but also introduce other risks. Right. Like that's the. Oh man, it's doing my head in.
Adam Boileau
Yeah. At least, you know, a Fido token, a Yubikey, at least that's a one thing. Like it's kind of complex conceptually, a bit more simple, which may know, maybe that's a real attribute in itself.
Patrick Gray
Yeah. And then you've got to deal with the when the user says my dog ate it issue. Right.
Adam Boileau
So you wait 12 hours for the dog and then you can log in, you know.
Patrick Gray
So look, I think, you know, all in all, like this conversation, all we're trying to do here is point out that, you know, things have really changed. I think the founders, in 10 years from now of the next cybersecurity companies, they're going to be those kids who are hanging out in the comm right now who might not necessarily be doing crimes, but they might be crime adjacent, let's just put it that way. But yeah, I think, I think we're seeing an emerging set of issues that are going to really start to bite over the next couple of years and it is these identity based cloud first attacks and it's only going to be those 1%, those top 1% who are anywhere positioned to deal with them. And look, let's talk about a couple of identity attacks just this week, high profile ones. We've seen the email accounts of Washington Post journalists, those on the natsec team, being compromised by a, you know, a state backed actor. I think the scuttlebutt is probably China. I mean that's completely unsurprising that we would see that. We've also seen Keir Giles, who's a prominent British researcher on Russia. He had his email popped as well. There was some sort of account takeover. Again, you know, both of these attacks look like attempts to gather intelligence from people who are talking to interesting people and both done through identity hijacks.
Adam Boileau
If you're the FSB and you're tasked with it, then you're going to do what works and taking over the identity and then in some cases, I think with the British guy leveraging his identity to then try and talk to other people and so on, navigate through those, you know, those webs of contacts. Makes total sense.
Patrick Gray
Yeah. Now look, I'm so glad this broke in the days leading up to a Chris Krebs appearance because this is a topic near and dear to his heart. Microsoft is taking the ass out of SaaS and now they're just selling S. We need a new term for it. We could call it software. Basically they're selling you the ability to run like as you're an M365 stack in your own data center. This is aimed at the European market where the Europeans are increasingly skeptical about relying on American technology providers. So yeah, I find it really funny that you've got like we were joking about it, weren't we Adam? Like I was calling it Windows NT 6 and, and you know, you were saying maybe they could offer you know, some version of M365 that runs on the endpoints. But you know, currently where this is though, it's sort of like M365 to your own pseudo cloud mainframe kind of thing. What a world. Now Chris, you and I just were chatting about this very briefly before we got going and you say that this has probably been in the works for quite a long time.
Chris Krebs
Yeah, so kind of bringing it about, the technical layer again, more of a, a wide world of cyber type conversation. If you think back to 2007, 2008, the Russian DDoS attacks on Estonia where they, you know, pretty much flattened a bunch of government services all over a Soviet Union era statue of a Russian or a Soviet soldier, there's been this desire, this interest from certain countries in Europe for the ability of a sovereign cloud where they can take, or even a digital embassy is probably the better way to put it. Where you can take the government key functions, the key data systems and put them somewhere else that's not residing on terra firma in that country because the Russians are coming after them. When I was at Microsoft from 2014 to 2017, this is something that Brad Smith, now the President Chief Legal Officer was pushing pretty hard. This was kind of also related to, at least tangentially to the digital Geneva Convention work that Microsoft pushed pretty hard. They kind of went through the Paris Cyber Agreement or whatever it's called. So this sort of ability to float up originally started again as a defense against Russia but over time it seems to be a GDPR plus plus plus sort of outgrowth of eh, we don't trust the Russians, maybe we don't trust the US either out of a number of different European countries. And when you see that ability to put in 365 in other associated services in trusted providers or second parties. But again something that Pat, we talked about on, I think the la. I want to say was that the last wide world Cyber I did I.
Patrick Gray
Don'T know, they all blur into one.
Chris Krebs
But again, this is exactly what Alex talked about. This is what I talked about. They're just going to throw Azure into a domestic champion. And so you've got an SAP shoot off or subsidiary that's going to be running it in Germany. And that's the most extreme case, at least for Germany and France, where you can drop it into critical infrastructure, you can drop it into government services and there's no US fingers anywhere near the software, whether it's private or public cloud. So I think this is a kind of a natural outgrowth. It's really interesting. I think also wrinkle that instead of Europe pushing back on US tech providers, they're asking for more and more ways to do it. Which I think if you had been in the room in the Munich security conference where the vice president, Vice President Vance I think pushed back pretty hard on European governments and censorship and things like that. This isn't necessarily the way I would have expected it to go that the European countries would be asking for more US support now or at least technical support from companies. But the way they are carving it off from the private cloud plus the third party providers, it's a pretty elegant solution.
Patrick Gray
It is. I mean, I don't think it's just about spinning up countrywide clouds. I mean, from what this post from Microsoft seems to say is like individual organizations can even run their own sort of Microsoft stack in their data centers, right. So it's not even just about that sovereignty piece. It's about, hey, you can run end to end Azure M365 in your own data center, put it in a rack, right. And as you point out, there's a bit of disquiet in Europe over being so reliant on US technology. I mean there's been a couple things that have happened there. I mean, there's various policy disagreements, a little bit less trust perhaps in America's restraint when it comes to being able to inspect data that Microsoft has access to. It's so similar in so many ways to the concerns Western countries have over Huawei. Right. Like, it's amazing the degree to which those concerns things map onto each other. So I think from one perspective this solves the problem of the data being stored by Microsoft that is not stored by Microsoft. But I do wonder if things deteriorate further, if this will be enough. Right. Because ultimately you're still running code that is being shipped into that environment. Direct from Redmond, I think there's a pretty heavy bar in the United States. You know, the bar for the US Government leaning on Microsoft to start deploying code that would give them access and stuff, that's a pretty high bar. But we're in pretty unprecedented times right now. So I don't know.
Chris Krebs
So first things first, right? What's the alternative?
Patrick Gray
Red Star? Linux? I don't know.
Chris Krebs
Yeah, but I think they're making the best of a situation that I won't say is a bad situation, but it's not the best. And so I think Microsoft sees the business opportunity. They seem to me at least to be way ahead of the competition. They seem to be ahead of Google. And again, this is something that Brad Smith, that Microsoft's been thinking through for over a decade now. What's most interesting to me is the go to market rollout and how it's Judson, the Chief Commercial Officer, that's dropping this announcement on the Microsoft blog. So it is, this is a product, this is commercialized. This is going out into the market. It is not in the Microsoft policy laboratory anymore. This is a real, you know, this is a real baby. This is a real child. They are going to take this out. So, so we'll see, we'll see how it goes. But the last piece that, that I think I would add is that one of the things that we were thinking about, at least in the first Trump administration about the Huawei issue that you talked about was that there's still any way you cut it. The rule of law in the US and in Europe, what we had is a kind of a foil against China was that there is no similar right of action in the courts that's legitimate, you know, where you can sue if, if the Chinese government comes knocking on your door and says, hey, company turnover, data that doesn't exist. Microsoft sued the US Government for data that was sitting in an Irish data center that they were like, no, US doesn't have territory here or jurisdiction here. You can't do it. That case went all the way to the Supreme Court and there was a law, the Cloud act that was passed subsequent that was made to address this issue. So at least in the good old days of the last Trump administration, there was rule of law that was something that Europe at least could kind of hang their hat on. Now, granted, we're like two or three shrimps past that. So in also in the second Trump administration, so it's not clear exactly how this is going to play out, but Microsoft is making a big, big commercial bet. So they think they've got something here. They have confidence, they're putting their money where their mouth is.
Patrick Gray
Yeah. I mean Adam, I wonder what your take is on this because I wonder about the. I mean, would you want to maintain your own Azure and M365 stack? Because that just sounds like not a good time.
Adam Boileau
I mean, you remember what a miserable life it is being an Exchange admin. Can you imagine what it's like being an M365 entire cloud stack admin? Although that said, from a technical point of view, this Azure Local thing where you can run your own instance of 365 is like a renamed version of. What's it like? Azure Hybrid Cloud. Azure Stack Hybrid Cloud, I think it was called. So you've been able to run bits of Azure like the virtual machine infrastructure and some of the network plumbing yourself for a while. So bringing the apps into this on top of it is a thing that. It's not entirely brand new. But I do pity the fool that becomes the Exchange admin of the future having to deal with this whole thing.
Patrick Gray
Can you imagine in the future we're going to be talking about headlines where someone got owned because they forgot to patch their M365?
Adam Boileau
Yes, yes, exactly. Exactly right. But on the other hand, I think, as Chris said, what's the alternative? I mean, was it the Dutch that are thinking about going to the LibreOffice future? The Germans tried that in the early 2000s. They tried to get rid of Microsoft and that's back when Open Office, et cetera and the rest of the Open Source Office suites were a lot more feature comparable with just on desktop Microsoft Office, let alone someone who tries to use, you know, OpenStack and all of the Open Source Cloud equivalents to run something that looks like Azure. Like their product is just so much more mature than any other option. So yeah, what are they going to do? Right. As you say, you can't Red Star Linux it.
Chris Krebs
The only thing I'd add here is, you know, based on the last segment, wait till Scattered Spider gets a hold of this. Yeah, I mean we are just making the attack Surface that much more pickable.
Patrick Gray
Yeah.
Adam Boileau
To make about it for so long, it's great.
Patrick Gray
I'm guessing Microsoft's put some thought though into how to at least maintain the stack. So my joke about patching and whatever, you know, probably not that applicable but you would think there's going to be like, you know, someone like you, Adam gets a shell in that environment. You know, it's going to be a. It's going to be a fun time. Oh, and I'll just say too, one of the things that I was mentioning about, you know, the Europeans feeling a bit funny about Azure was, you know, the United States government sanctioned an International Criminal Court prosecutor and that led to their Outlook account being vaped. Right. There were some bad reports going around at the time that they withdrew services from the International Criminal Court. They didn't. But they did withdraw services from one of the prosecutors. And that was enough for, you know, and this is because the United States doesn't like the International Criminal Court investigating Israeli politicians for war crimes. And you know, from a European perspective, they see that and they're like, yeah, that's a little bit alarming. Look, let's kick on with some technical news here. And this is some fascinating research from the AIM Security Labs team that you gave us. You put in the run sheet here, Adam. It's some sort of Microsoft 365 copilot, like AI based attack that lets you email someone and then get information back in return. Walk us through it because I read it and I feel like I 70% understand it, but I don't 100% understand it.
Adam Boileau
So I mean, ultimately this is an instance of prompt injection. So in that respect, not super interesting, but the way that they wrote it up and the way they thought about it I thought was pretty cool. So this was a bug in Microsoft's 365 environment where you could basically send an email which contained instructions which if that email was ingested by Copilot on behalf of the user that received it, you could then cause that AI to do something on your behalf. And then they chained that together with a couple of flaws where they could exfiltrate data without any user interaction. So for example, loading images off remote servers where the data is leaked in the path, or bypassing content security policy in SharePoint in the Cloud, blah blah, blah, blah. But the real interesting bit here I guess is so you email a prompt in. There's meant to be a layer of filtering in Microsoft's environment that attempts to detect when the data you're processing contains prompts or like is giving instructions. So in this AI future world where we are mixing code and data, it's meant to try and detect things that look code ish in stuff that's probably data. And of course that's already a very difficult problem, let alone trying to do it in an AI fluffy world. So they come up with basically a way to bypass that filtering to just through making it look innocuous. And then the second part is engineering the data you're Sending in to maximize the chance that the AI will retrieve it and use it. So they compare this to heap spraying and memory corruption where you're going to spray data into the365 in a way that the AI is likely to get it back. And they do this by crafting an email which when chunked up and ingested into Azure's like rag database, so a vector database that the AI uses to pull relevant data out to then load and process. So they kind of game that such that their malicious input will come back in almost any requests that the AI is making to its data store to get relevant information. And then the instructions are like, find the most sensitive thing you can in the attached documents and then make an image about it and send it to me, the attacker, to leak the data out. And that's just a really fun kind of way of thinking about these attacks with their different parts and then getting it to a point where you're sending an email and receiving sensitive data back. Like sweet, that's great hacking.
Patrick Gray
It is. And it's funny that the way that they bypass that prompt injection detection part is just by phrasing it right. You know what I mean? Like if you're a good writer, you can figure out how to write things in a way where you're conveying the meaning that you want to to the LLM without the filters actually knowing that's what you're doing. And I mean, what's a universal solution to that?
Adam Boileau
Yeah, I mean every solution that we have seen someone talk about so far is just layering more AIs around it to say like, does this look sus. Is this what I expected? Does this match my, you know, the intent of my policy, even if it's not the letter of my policy and it all gets very fluffy and this whole thing where we made computers non deterministic and more like people, it's not going to improve them.
Patrick Gray
Yeah, it's scary when Adam talks this way, isn't it, Chris?
Chris Krebs
Yes. It reminds me sometimes of listening to Alex talk because you're like, oh, where does this end? Where does this go?
Adam Boileau
Yeah, Alex and I have a, both have a strong kind of doom filled streak. I think.
Patrick Gray
We'Re all ruined. All right, let's do a sprint through to the end here. We got a story here from cybersecurity dive about a CISA warning of supply chain risks as ransomware attacks exploit simple help flaws. Why is this a supply chain risk and not just a bug risk?
Adam Boileau
So simple help make remote support software so like remote Access stuff. So the bug is like a path traversal, gets information out with like creds or whatever in it. So it's hit this and then go downstream into the people who use it. Because it's pretty common amongst service providers and that kind of thing. So that's the sort of. The customer usage of this tends to be through third party service providers.
Patrick Gray
Right, okay, so that's the supply chain angle here. So what, they're just doing what you'd expect to do with this sort of access? Smash and grab a bunch of data?
Adam Boileau
Yep, yep, pretty much.
Chris Krebs
Hey, just a real quick one on this. Kudos to cisa. Right? This is great stuff. It's nothing world earth shattering in this alert, but this is CISA doing what CISA should be doing, and they're doing it with reduced staff. They had recent leadership departures. So kudos to the team that pulled these things together. Good to see kind of normalcy in operations.
Patrick Gray
Indeed, indeed. We've also got a follow up on United Natural Foods. This is the huge grocery of like Fresh Food distributor in the United States that supplies Whole Foods and a bunch of others. Whole Foods is bringing stuff back like they're restoring normal operations. But I think you had the amazing data point there, Adam, that this attack was so catastrophic they had to close their sandwich bars.
Adam Boileau
Yes, I think on Tuesday they reported sandwich bar had to be closed. So, you know, that's, that's pretty serious impact.
Patrick Gray
That is the cyber Pearl harbor, if ever I've heard one. And what else we got? We got a South Korean ticketing platform getting ransomware as well. And also an attack against like WestJet, an airline. Not super clear on the details there.
Adam Boileau
Yeah, I think, yes. 24, which is the Korean place, they're pretty big. Like they're a big ticketing vendor, but also ebooks, sort of like Amazon, I guess, if Amazon sold event tickets in Korea. So that impact's been pretty large. They seem to be clawing themselves back. And yeah, I guess anytime an airline gets ransomware seems a little like I still want to put that in the run sheet, even if we don't have much specifics. And WestJet say that their flights are still going on, but you know, it doesn't feel good when there's attackers, you know, privileged access, presumably up in the middle of an airline network.
Patrick Gray
Yeah, but you need to use the correct PR nomenclature for a ransomware incident, which is what their blog post uses. It's a cybersecurity incident.
Chris Krebs
Yes.
Patrick Gray
So when you get ransomware, you got to understand it's not ransomware. It's a cybersecurity incident of which you're trying to determine the scope and doing eviction. You know, anyway, that's how that works. All right, guys, we're going to wrap it up there. Chris, any final thoughts, any final message for the Risky Business listeners that you would like to share with us today?
Chris Krebs
Well, let me just drop one piece on the last two stories. Ransomware's here to stay right now. And there, there are hounds, as you said last week, waiting to be released. So are we going to release them or what? And the last thing is just again, thanks to support from everyone in the community. It's been overwhelming. You know, RSA a month or so ago was, was great. I'm hoping to make a return trip to Black Hat, but, but again, the outpouring of support's been fantastic. I really appreciate it. Love everybody out there. Keep up what you're doing. And I think if you need any more reminder of just the last couple weeks, again, you guys are the front lines of Defense of Modern Warfare. I said that at a couple panels at rsa. So keep it up. We're all counting on you.
Patrick Gray
Awesome. Well, we will wrap it up there. Chris Krebs, thanks for joining us. Adam, as always, thanks so much, Pat.
Adam Boileau
I'll talk to you next week.
Chris Krebs
Adios.
Patrick Gray
That was Adam Boileau and Chris Krebs there with a look at the week's security news. It is time for this week's sponsor interview now with George Glass from Kroll Cyber. And Kroll have a heavy presence in the UK and have been dealing with some of these, responding to some of these attacks against the retail sector there. And yeah, I mean, it very much ties into the conversation we just had in this, this week's news, which is simple social engineering attack to complete compromise. And this is an issue that's very, very difficult to deal with. So here's George Glass talking about that.
George Glass
Fairly classic social engineering. So ringing up a help desk with limited information about a particular set of targets that they wanted to impersonate. Could be one, could be two operators both trying to impersonate the same person over multiple calls using the information they've got from a previous call in the following one, that could be like an employee number or a manager or something like that. And essentially just building towards social engineering. A help desk person to reset mfa reset a password, could be very cordial on the phone, English speaking gentleman. And you know, that sometimes works. Sometimes they move more towards being angry. You know, I'm very important. I Have a meeting coming up. I must have my phone reset. No, I can't access my email. I'm locked out of all of my accounts. You need to do this for me now. So on and so on and so on.
Patrick Gray
Yeah, I'm going to come down there and there'll be hell to pay. That sort of vibe, right?
George Glass
Exactly. Yep. And they just do, you know, a variation of that. And yeah, it works, obviously.
Patrick Gray
Yeah, yeah. I mean, I guess I'm wondering though, like, okay, that might get you one user account and as you said, multi stage social engineering. I remember not an intentional name drop here, but talking to Kevin Mitnick about this many, many years ago, and he said the thing back then people didn't understand is that, you know, a successful social engineering campaign was multi touch. Right. So as you pointed out, you know, they might have the employee number, but maybe they got that from a previous call where they rang up and they said, hey, it's, you know, Joe Bloggs. I'm filling in a form, I need my employee number. I can't remember it. Can you just look it up for me? That sort of thing. Then they ring back and hey, it's Joe Blogg's employee number. Da, da, da, da, da, da da. And they've got more credibility, but in these cases, okay, they've got user access. What then? Because, you know, getting one user account, okay, that's, that's interesting. But turning that into the chaos that we've seen in the UK retail sector, like, is going to take a bit more skill than just yelling at someone on the phone. Or does it?
George Glass
Well, that's, that's the interesting thing. We've, we've seen targeting of IT personnel, so people that they know will have a whole bunch of really interesting documents in their SharePoint, exfiltrate all of those, you know. Okay, right. I know how to authenticate to the vpn, et cetera, et cetera, et cetera. I know password policies. Very adept at traversing a sharepoint estate, gathering, reconnaissance, that sort of thing. But we've also seen it from low level employees where they've managed to essentially conduct a business email compromise, but then install like Azure Logic app or something like that. That again, can, you know, exploit some sort of vulnerability in the setup. So really does show that they're very adept at Azure SaaS Technologies. They don't need to touch the endpoint until they absolutely have to. And it's. Everything is just identity and traversing these different accounts to get as much information as they need to launch the next stage of the attack.
Patrick Gray
I guess something that concerns me somewhat is we don't really appear to have a good set of controls for dealing with this sort of thing.
George Glass
No, no, you know, policy is one thing. You can have a really good policy. I think the crux of this is at the end of the day, a help desk person, whether they're an in house help desk person, is outsourced. They're really just trying to be helpful. That's, that's sort of their job and I think that's where a lot of this falls down. It's easy to give away small pieces of information that may be out of your policy, but as we've been saying that that all adds up to pretty significant breaches. How you stop those sorts of things, it's very hard because it's human nature and you've got to train that into people, ensure that the policies followed. Conditional access and all of those sorts of things are very expensive, very hard to achieve. Especially in a very distributed environment like retail, where you could have seasonal employees and so on and so forth. It's very tricky. It makes it an easy target for these sorts of guys and it's an expensive thing to get right, to be honest.
Patrick Gray
Yeah, I mean, I don't think there's any realistic prospect of preventing social engineering attacks against help desks from succeeding like that. Just will. That's just not achievable. But I would have thought that you might be able to either detect or slow these people down once they've got that user account and start doing weird stuff. But then you look at the solution sets for these sorts of problems and you got what, like casb? I mean, you're going to rely on casb?
George Glass
Well, you know, to be honest, on our MDR practice we detected a malicious use of employees identity. I think they had access to the environment for all but a couple of minutes. It is possible. But you're looking for anomalies that are hard to catch at any reasonable scale. Right. You have your set of users that you're going to be looking at very, very closely. Those with high privileges, execs, VIPs, so on and so forth. But doing that across an estate of maybe 10, 20,000 people, maybe more, then that becomes a really big challenge.
Patrick Gray
You mentioned they were going after the people who are likely to have highly privileged access. I mean, I know from Adam Barlow, my co host, when they were doing teaming, I mean, the first people they'd go after with phishing and whatnot was the domain admins who they found helpfully through LinkedIn. I mean, are these, are these guys doing it similarly, do you think? Is that how they're doing their recon, just hitting up LinkedIn and looking for the domain admin?
George Glass
I think that's absolutely the case. Yeah. The cases that we've seen, they seem to be very, very focused on a few individuals that they know are going to have access to a whole bunch of technical documentation, you know, credentials stored in a lastpass, so they might be able to fish and those sorts of things. That's clearly what they're doing first, is some, some reconnaissance and then really just chancing it, to be honest. We've seen. Yeah, you know, some calls just, just hang up, you know, it's clearly not going to work. Okay, forget it. They're probably moved on to the next target by then, some more persistent because they clearly think that they can get a good amount of access by that, that one single identity.
Patrick Gray
Now, walk us through, if you wouldn't mind that. I'm not sure if you have the details at hand, but you just mentioned one of the detections in MDR context. Like what was the detection? Why did it jump out and how were you able to find it? Because, I mean, that's, you know, I mean, hey, this is a marketing segment. Yeah, do your marketing thing. Tell us about how you save someone's bacon.
George Glass
Yeah, so I think a lot of our detections are driven through Sentinel because they have 365 and so on. We work on a number of different signals, anomalous token usage, impossible travel and things like that. The thing with scatter spider is most of the time they'll be VPN'd close to where the user is. So we're looking for multiple signals, different user agents being used to log in over a short period of time, that sort of thing. To be honest, a lot of those detections were set up for attacker in the middle, but it does tend to work for things like MFA resets and stuff like that.
Patrick Gray
Like some of these fish kits that grab, pass through and whatever. Like that would make sense. Right. When the user agent starts flapping around for a user, that's a good one. But I mean, it would catch this as well, right?
George Glass
Yeah, yeah. It's a detection of someone's logged in from an account that. From a device that we haven't seen before. That's in itself weird. So, yeah, obviously you're not going to catch the initial phishing call, but you can hopefully catch the malicious activity that's going on behind the scenes. And then obviously there's defense in depth. Right. So you can start detecting these malicious Azure apps and things like that as they tend to install them from becs and so on. But you want to be getting these guys as early as possible because they'll have the contents of the SharePoint within a few minutes. Absolutely.
Patrick Gray
So tell me about the process of installing a malicious Azure app. Right, so presumably you need to hit a user account that has some sort of privilege. What does the authorization for that look like though? Is that just like an OAuth grant from that account?
George Glass
Yeah, essentially you could get it via phishing. You could get it just by compromising the credentials. It really depends up how the environment is set up as well. A good consultant answer there. It depends. But it can be incredibly easy.
Patrick Gray
It depends. Right, so sometimes it's like you need to go through the whole authentication challenge basically to do it, and other times it might just be an oauth pop up and you just click. Yeah, okay, whatever.
George Glass
Exactly. Yeah.
Patrick Gray
And so what do these Azure apps actually do? Right, because I'm a fossil at this point in cybersecurity. I've been in it for like 25 years. Right. So the idea that, okay, I've reset someone's MFA token, which is going to let me get their user account. Oh, there's some privilege here. Now I'm going to do something called installing an Azure app. What does that do? What does it get me? Explain it to me like I'm old.
George Glass
Yeah, sure, some of them are legitimate apps that they're used for automations, but those automations can be used to download the entire contents of a mailbox, for example, or set up one point documents that also contain phishing links and things like that, and automatically send that out to everyone in the business. So that's one of the methods for lateral movement inside. If you get an internal email or internal teams command from your colleague saying, hey, can you take a look at this onenote document for me? You click the link in there, authenticate. That's more creds for the bad guys. Right. So it's pretty common now, but for BizCML compromise cases that we work that there's some sort of malicious Azure app or logic function or something like that set up.
Patrick Gray
It's amazing, man. Here we are 2025 Infrastructure as a Service, looking about as stupid as the on prem stuff we had 20 years ago. Amazing. Let me ask you this though. This is a. Here's, here's a curly one for you, right? Because you know, you've been in the Thick of this, right? Being based in the uk, this is where all of this activities hit. You've seen the ones who've done badly, you've seen the ones who did well. So there have been reports of like Harrods, you know, they went after Harrods but they were able to evict pretty quick. Didn't look like there was any disruption or damage. What separated the companies that got through this, where it was just like, you know, in the news for a day, where they pulled some systems offline, sorted it out and basically went uninterrupted versus the ones like Marks and Spencer who I think are still restoring services like a month or two later.
George Glass
Yeah, I think for the cases that we worked, which is really all I can talk to, it comes down to detection, right? If we compare the stuff that is still in the news, clearly there was a huge amount of lateral movement, a lot of malware being deployed, rumors of NTDs, DIT being exfiltrated. Really detecting that sort of stuff is pretty paramount to running a good defense in depth capability. So detecting as close to the intrusion as possible, especially identity based detection, they seem to be the ones that are faring a lot better in this case. And actually again, in my experience it seems to be the people with the in house help desk seem to have fared better than those that outsourced.
Patrick Gray
Is that because people tend to adhere to the policies a bit better?
George Glass
I think so. I think so. They tended to be smaller organizations as well, so maybe they recognized the person's voice wasn't who they thought they were going to be talking to and things like that.
Patrick Gray
Yeah, right. Because they know them, because they work down the hall. Yeah, yeah. I mean, I guess I'm wondering though, you know, you say that detection is a good thing here, right? And that totally makes sense. But I mean we see, we've talked about like, you know, again this is about a vibe, not an attribution to a set of people. But we've seen scattered spider esque attacks here in Australia where they take over a domain like they take over an MX record, right, Divert mail and then they go from there to full compromise of absolutely everything in 10 minutes. So I'm sort of wondering like it, you know, are we worried that detections are quite going to cut it when it comes to threat actors who use these types of ttps. And really what we need to look at is hardening. And you know, I find this an interesting question because then I think, well, how do you harden against this?
George Glass
I think you're Absolutely right. I don't think, you know, I think it always goes back to the weakest link in the chain. Can't be a person behind the keyboard. Right. It's got to be controls, it's got to be process, it's got to be procedures. Hardening in this case, as you quite rightly say, is very, very diffic. It's going to be expensive. We've been recommending phishing, resistant to FA conditional access policies and things like that. They'll certainly help. It's expensive to roll out and especially for retail, there's however many endpoints, tens of thousands of endpoints across your estate and you say, hey, we'll do conditional access and make sure that all of your seasonal employees that are only going to be there for three months have Fido 2 tokens. It's just unrealistic, isn't it, really?
Patrick Gray
Yeah. I feel like. I feel like it's going to be an interesting few years figuring out how to deal with all of this, and I think things are going to get a lot worse before they get better. As a pundit who covers it, I have very conflicted feelings about all of this. But George Glass, it was great to see you again, my friend. Thanks for walking us through all of that and we'll look forward to talking to you again soon.
George Glass
Thank you very much.
Patrick Gray
That was George Glass from Kroll Cyber there. Big thanks to him for that and big thanks to Krol Cyber for being this week's sponsor. And that is it for this week's show. I do hope you enjoyed it. I'll be back soon with more security news and analysis, but until then I've been Patrick Gray. Thanks for listening.
Risky Business #796 – Detailed Summary
Host: Patrick Gray
Special Guest Co-Host: Chris Krebs
Release Date: June 18, 2025
Sponsor: Kroll Cyber
In this episode of Risky Business, host Patrick Gray is joined by regular contributor Adam Boileau and special guest co-host Chris Krebs. The trio delves into the latest developments in information security, analyzing significant cyber threats and discussing advanced attack methodologies. The episode also features an insightful interview with George Glass from Kroll Cyber, focusing on recent retail sector breaches in the United Kingdom.
The episode opens with a discussion on the escalating cyber conflict between Israel and Iran. Adam Boileau provides an overview of a significant cyberattack on Bank Sepah, Iran's main state-run bank, perpetrated by the group known as Predatory Sparrow. This hack resulted in payment systems being disrupted, with local Iranian media reporting that customers were unable to access their accounts and that physical branches were closed. The attack's impact is profound, considering the bank's role in disbursing government salaries and managing critical financial operations.
Notable Quote:
Patrick Gray [02:18]: "You remove a major bank, you create a systemic problem to the banking sector because of the interdependencies between major banks."
Patrick Gray and Chris Krebs discuss the broader implications of targeting financial institutions in cyber warfare. Destroying backups or disrupting a major bank can lead to extensive systemic chaos, undermining public trust and economic stability. Chris Krebs emphasizes the potential for such attacks to incite civil unrest by depriving citizens of financial resources.
Notable Quote:
Chris Krebs [04:29]: "If you really want to piss off the workforce, if you really want to cause civil unrest and chaos, you take their money away."
Krebs also highlights the possibility that attacking Bank Sepah could disrupt financial mechanisms used to evade sanctions, potentially providing intelligence advantages to allied nations.
The conversation shifts to identity-centric attacks, particularly those following the Scattered Spider playbook targeting UK retailers and now expanding into the insurance sector. Adam Boileau explains that these attacks leverage sophisticated social engineering techniques to compromise user identities, enabling broader access to sensitive systems.
Notable Quote:
Adam Boileau [12:44]: "Everything no one cares about. Buffer overflows. That's grandpa's technique. This is the way that people get compromised these days."
Patrick Gray provides an update on a Salesforce breach initially thought to involve app-based social engineering. It was later clarified that attackers obtained credential pairs through phishing, allowing them to log into Salesforce tenants directly.
Notable Quote:
Patrick Gray [15:01]: "Everything's identity. Now. Now you and I were talking about this and say you had domain admin creds back in the day..."
The hosts debate the difficulties in securing identity in a zero-trust environment. They discuss how modern cloud infrastructures complicate traditional security models, making identity the new perimeter. Conditional access policies offer some protection but are often insufficient without comprehensive identity management strategies.
Notable Quote:
Adam Boileau [16:40]: "We put it all on the Internet and we relied on identity to solve the problem without really making identity robust."
In response to European concerns over reliance on American tech providers, Microsoft is now offering the ability to run Microsoft 365 services on local data centers. This move aims to address data sovereignty issues but introduces new complexities in managing and securing these localized environments.
Notable Quote:
Patrick Gray [30:53]: "The way they are carving it off from the private cloud plus the third party providers, it's a pretty elegant solution."
Adam Boileau discusses groundbreaking research from AIM Security Labs demonstrating a prompt injection attack on Microsoft 365 Copilot. By crafting deceptive emails, attackers can manipulate the AI to execute unauthorized actions, exfiltrate sensitive data, and bypass security filters.
Notable Quote:
Adam Boileau [38:17]: "They come up with basically a way to bypass that filtering to just through making it look innocuous."
Patrick Gray reflects on the challenges of defending against such AI-driven threats, questioning the feasibility of universal solutions against sophisticated prompt engineering.
Notable Quote:
Patrick Gray [41:11]: "What's a universal solution to that?"
The hosts highlight a recent Cybersecurity and Infrastructure Security Agency (CISA) warning regarding supply chain vulnerabilities. Ransomware groups are exploiting simple help desk flaws to gain unauthorized access, emphasizing the critical need for robust third-party security measures.
Notable Quote:
Chris Krebs [43:04]: "Kudos to CISA. This is great stuff. It's nothing world earth shattering in this alert, but this is CISA doing what CISA should be doing."
Patrick Gray and Adam Boileau examine high-profile ransomware incidents affecting United Natural Foods and WestJet. United Natural Foods experienced severe operational disruptions, including the closure of sandwich bars, while WestJet faced cyberattacks that threatened flight operations.
Notable Quote:
Adam Boileau [43:29]: "So on Tuesday they reported sandwich bar had to be closed. So, you know, that's, that's pretty serious impact."
Guest: George Glass, Kroll Cyber
George Glass discusses the mechanics behind recent UK retail cyberattacks, emphasizing the role of multi-stage social engineering targeting help desks. Attackers often impersonate employees to reset multi-factor authentication (MFA) tokens and gain access to sensitive systems.
Notable Quotes:
George Glass [47:32]: "They just do, you know, a variation of that. And yeah, it works, obviously."
Patrick Gray [49:51]: "You mentioned they were going after the people who are likely to have highly privileged access. I mean, I know from Adam Barlow, my co-host, when they were doing teaming, I mean, the first people they'd go after with phishing and whatnot was the domain admins..."
Glass elaborates on detection strategies, such as monitoring anomalous token usage and impossible travel patterns, to identify malicious activities swiftly. He underscores the importance of defense-in-depth but acknowledges the challenges in implementing comprehensive security measures across large, distributed environments.
Notable Quote:
George Glass [54:03]: "A lot of those detections were set up for attacker in the middle, but it does tend to work for things like MFA resets and stuff like that."
As the episode wraps up, Chris Krebs offers a sobering reminder of the persistent threat posed by ransomware and the importance of community support in defending against cyber threats.
Notable Quote:
Chris Krebs [45:40]: "Ransomware's here to stay right now. And there are hounds, as you said last week, waiting to be released. So are we going to release them or what?"
Patrick Gray emphasizes the evolving landscape of cyber threats, particularly identity-based cloud attacks, predicting that only the top 1% of organizations are currently equipped to handle these sophisticated threats. The episode concludes with gratitude towards guests and sponsors, reinforcing the critical nature of continuous vigilance in cybersecurity.
Key Takeaways:
Stay Informed:
For more in-depth discussions and the latest in cyber security news, subscribe to Risky Business and stay ahead in the ever-evolving landscape of information security.