Patrick Gray
Welcome to Risky Business. My name's Patrick Gray. We've got a great show for you this week. Adam Boileau will be joining me in just a moment to go through what is a really fun grab bag of news items this week. And then we'll be hearing from this week's sponsor. And this week's show is brought to you by GreyNoise Intelligence, which means Andrew Morris is this week's sponsor guest, which is always a good time. And we're talking to Andrew about a botnet they detected comprised of ASUS routers. And yeah, there's some interesting stuff to do with that botnet. Like it didn't use malware. It just, you know, would insert dodgy SSH keys and stuff, which meant that even if you firmware updated these things, the botnet would persist. So that is a fun chat and it is coming up soon. But first up, Adam, let's get into the news now. And did you hear that there's been a huge password leak of 16 billion passwords? Of course, this has been a dodgy news item that has somehow managed to escape from a niche outlet into the mainstream media. And, well, it's not, it's not, it's not really true.
Adam Boileau
Yes. So this, the story broke that, you know, this giant repository of passwords has been found, you know, what, like at least two passwords per person for the entire planet or something like that, which, you know, clearly ridiculous. It is, as many people, you know, kind of expect, you know, just a repackaging of a bunch of existing credential dumps, a bunch of things from info leaks or from info stealers. Sorry. And no effort's been made for deduplication. Like if Troy Hunt were to take this data set and load it into Have I Been Pwned, I don't know. He'd be sending very many new alerts out. Like, that's the kind of vibe that we get. But of course that's a nuance that's well and truly lost when it escapes into the mainstream press, which it has very much done. So.
Patrick Gray
Yeah, and it's funny, right, because I think I saw someone on social media somewhere, like, link to another version of basically the same story that the same guy published at the same outlet like a year ago. So it's like, well, it's June. Time to write a story about the latest aggregation of previously stolen credentials. And yeah, it just took on a life of its own. I even wound up doing a hit on ABC Radio about this. Just crazy.
Adam Boileau
It is kind of nuts. I mean, if we had a story that was like, you know, a hundred million cars have crashed and it's like, yes, if you count every car crash in the history of automotiveness. Yes, that's kind of what these, these stories are like. And it just, you know, I mean, on the one hand, anything that makes people think about how they use passwords and where they reuse them and like, if the net result of all of this mainstream coverage is a few more people start using their password manager or start using passkeys, then, you know, okay, that's good. That's probably still a good outcome. But it is just a bit tedious when, you know, your grandparents or whatever are ringing up in a panic because they think their Googles have been hacked.
Patrick Gray
Yeah. And there's been some quality humor on this one as well. I think someone pre-generated every, like, 4 and 6 and 8 digit number or something, whacked it in a database and described it as a breach of every single OTP code. You know, your OTP code is in there. And someone else generated every possible password or whatever. So.
Adam Boileau
Yeah, every possible phone number. Leaked and giant.
Patrick Gray
Yeah, yeah, exactly, exactly. But, you know, to your point, that's exactly what I was saying on ABC Radio, which is like, this isn't new, but there's still some important lessons here, which is do not use unique password. Use unique passwords. I'm sorry, for every single service. And explaining why that is, you know, where possible, you know, use a password manager. Don't listen to what Tavis Ormandy was saying years ago. Use a password manager. Try to use MFA where possible. And passkeys are a good thing. So I guess, you know, let's be glass half full about this and say, you know, this is good.
Adam Boileau
Yeah, good job. Whatever the outlet was called, I think.
Patrick Gray
It's called Cybernews. I don't think they are serious people, let's just put it that way. That's being charitable, I think. Okay, so we've got some updates here, a couple of logos to talk about. So, you know, in the startup world, cyber security startups are all about getting logos on their website of their customers and design partners and whatnot. APT group crews, I guess, do something similar, right? Which is they get, they get access somewhere and they've collected that logo. We've got two telcos that look like they've been taken over by Salt Typhoon, which is the more sort of intelligence oriented of the, of the big Typhoons. The other one being Volt Typhoon, of course. So it looks like, yeah, Viasat and some mob in Canada have disclosed that they've experienced breaches as a result of this group.
Adam Boileau
Yeah, and I think, you know, I think this is the first example of a telco outside of the US. We know there's been targeting of telcos outside the US, but I think this is the first, like, here is a telco in this country that has been targeted by, or has said that they have been targeted by Salt Typhoon. I think the Canadian government kind of confirmed that and it's exactly what you'd expect from these groups. They found, they used some bugs in a Cisco IOS XE device that was patched, but they clearly hadn't applied the patch, shelled the box and then set it up for intelligence collection and presumably moved laterally around the network and had a good rummage because that's what you do when you hack a telco.
Patrick Gray
I mean I think it's a sign of the times that when I saw that the bug was only 18 months old, I thought, wow, they had to actually work for this one. Some ancient, ancient bug. And indeed, look, we know there have been, yeah, a lot of other telcos hit all around the world by this, but you know, the Americans are actually a little bit more transparent about this stuff than most, which is an interesting little, it's just an interesting little detail I think, which is when it happens in the US you're more likely to find out about it.
Adam Boileau
Yeah, certainly other countries, you know, do seem a little more reticent about dragging this stuff out in public and you know, the, the U.S. reporting guidelines, you know, through the SEC, etc., and some of the oversight in the government there does seem to draw this out of private sector companies, which, you know, plenty of other telco incident response jobs I've worked on end up with, okay, now we cover it up.
Patrick Gray
Yes. Yeah, great findings. Now conceal them please. Yes. Now of course, big bit of news over the last week has been the United States hitting a bunch of targets in Iran. There's actually a few things to talk about cyber wise here. I guess the first thing to look at is that there's been a whole bunch of GPS jamming happening in the Strait of Hormuz which has resulted in ships appearing like they're on land and stuff, which, you know, I'm no marine expert but you look at the map and you're like, that doesn't seem right.
Adam Boileau
Yeah, yeah, anything that kind of messes up with these systems does have some downstream consequences. At the very least it has made people quite excited watching some of the, like, ship tracker websites, because as you say, all of a sudden there is a boat in the middle of a mountain, which, you know, that's not their natural habitat. No, but you know, we haven't seen any, I think, safety incidents or collisions or anything like that yet. But it's the kind of thing that can happen when you're messing with these.
Patrick Gray
Yeah, that's right. And apparently the chairman of the Joint Chiefs of Staff, General Dan Caine, when he was talking about the strikes that America did, you know, against the Iranian nuclear program, mentioned that Cyber Command was actually, you know, part of this strike, which I find interesting. Of course he didn't actually say what they were doing. There's a lot of people in the intelligence community who like to joke about how Cyber Command just does, you know, half-baked psyops. So I wonder if they sent them some, some pop ups on their screens telling them to think about what they're doing.
Adam Boileau
Yeah, maybe. Maybe, you know, we don't know. And it would be of course lovely to see lots of details and those of us in the commentariat would love details of these kinds of things, but we don't get them until, you know, many years after the fact. And you know, maybe they were jamming air defense, maybe they were jamming comms lines to make response difficult. Maybe they were dealing with, you know, making emergency services, you know, because we've seen like the Israelis for example, warn emergency services when stuff's going down. So kind of like reverse psyop, like the Grugq says, like you want to be nice with your cybers to make win hearts and minds or whatever. So we don't know what they're doing, but clearly they were cyber in something. So.
Patrick Gray
Yeah, I mean jamming ain't really their thing but you know, using cyber to brick comms is like, if I had to guess, it's going to be something like that.
Adam Boileau
Yeah, I mean, I guess that's what I mean. Like jamming from a network point of view, not jamming from an RF, you know, radio comms point of view.
Patrick Gray
It's interesting though. It's interesting when you think back to last week when we were talking about the stuff. Andrew Morris from GreyNoise, who's this week's sponsor guest, we were talking about the stuff he was seeing on the Iranian Internet and he said the last time he saw that was when the United States assassinated Qasem Soleimani.
Adam Boileau
Interesting.
Patrick Gray
It is, isn't it? When you think about it like that, that was almost an early warning that something was about to go down.
Adam Boileau
Yeah, it's an interesting, interesting point, actually. Yeah. Sneaky, Andrew.
Patrick Gray
Sneaky, sneaky. Yeah. So, look, speaking of Cyber Command, it's probably worth mentioning that they still don't have a leader. Cyber Command still does not have a leader. NSA still does not have a leader. They're both acting. And apparently the guy who was picked by Pete Hegseth and Tulsi Gabbard to, to be nominated into that position, that person has now been rejected by the White House as per reporting, this reporting from Politico. So still leaderless. I mean, we saw this in Trump 1.0, right? Like, a lot of positions were acting only. You do wonder when they're going to get on this and actually nominate someone or if they're going to try to split NSA from Cyber Command. I mean, maybe that's a reason they didn't want to do this, is they want to do that split first so they can get civilian leadership into NSA. But I guess it is worth noting that during this somewhat serious military action, there was no one. Actually, you know, there's only an acting head of Cyber Command.
Adam Boileau
Yeah, that does seem a little concerning when, you know, as, you know, there's so much politicking going on around these positions, like making sure they're loyalists and, and all that kind of thing. So I guess it's taken them a while to find someone.
Patrick Gray
Now, meanwhile, there are some fears in the United States that the Iranians are going to go and do cyber to them. There's also a lot of fears from people who seem to be like, on the further right side of the spectrum, talking about thousands of Iranian sleeper cells that are about to rise up and do terrorism. I would think that would be dangerous for Iran to, to do that. So I don't know that I share those fears, but I think it's reasonable to think that, you know, Iran, which does have a history of hitting control systems at, like, municipalities and whatever. I mean, it's. You would think it's possible there's going to be some sort of cyber drama resulting from all of this.
Adam Boileau
Yeah, it's certainly one of the tools at their disposal, and they have used it in the past, both in conflict with the US and other places. But, you know, Iranian cyber activity hasn't seemed really super effective in terms of, like, a proportional response to the sort of things that they're going. We've seen them carry out missile strikes or whatever on US bases in the Middle East. That's a kind of proportional response, you know, hacking some, you know, small government in the Midwest somewhere kind of doesn't really fit into that framework, but there's still plenty of scope for, you know, enthusiasts and activists and, you know, sort of, not necessarily state directed, but still, you know, I'm sure there's a lot of angry Iranians, but we don't really, you know, we don't.
Patrick Gray
I feel like, I feel like, you know, I'd bet dollars to doughnuts a lot of that sort of activity, especially the stuff that targeted Israel a few years back, I'd bet dollars to doughnuts that that was actually state directed. I just find it interesting that Iran has this sort of half-baked offensive cyber program targeting small scale critical infrastructure. Right. And they do seem to be very, I mean, of course they got their intelligence collection bits and whatever, but they, they do seem to have this sort of fetish, shall we say, for control system hacking. And you wonder if that's because of Stuxnet and because that was what was done to them. So they're sort of trying to emulate the same thing, but on a much smaller scale.
Adam Boileau
Yeah, it's certainly possible. And also, like, I guess that stuff does get some media coverage. So, like, in terms of having some psyop result, you know, for your side, because as Tom and the Grugq have talked about a bunch on Between Two Nerds, like, making cyber war useful for anything is quite difficult. And so latching onto psychological effects is easier to kind of justify as being effective because it's more fuzzy around the edges versus like, you know, melting steel plants down. Whatever it was. Was it the Israelis that.
Patrick Gray
Yeah, and they got the video and everything. So. I mean, yeah, it's just. I just, man, you know, I just. I just don't feel like. I feel like the Iranians are running a program that's designed to look cool as opposed to actually being cool. Maybe a way to impress their bosses and whatnot. I think it's also interesting to, to have a bit of, to at this point reflect on Stuxnet, right? Because you would say, oh, okay, Stuxnet didn't work, bombs worked. But we're seeing reporting now, there's a report in CNN today that says there was a leaked battle damage assessment from the Defense Intelligence Agency that says that, you know, this bombing campaign has hardly put a dent in Iran's nuclear ambitions. So there will need to be, you know, subsequent bombing. This will be a continuous bombing campaign if it is designed to suppress Iran's nuclear ambitions. And you know, I can't figure out if that makes, if all of this makes Stuxnet look better or worse. You know, more effective or less effective in retrospect. I think it's really hard to know when, you know, if we consider that they dropped these giant bombs on these facilities and didn't manage to really destroy that program. You know, I think it kind of makes Stuxnet look pretty good in that it was able to achieve a similar effect without doing that.
Adam Boileau
Yeah. And for a pretty reasonable period of time. Like, it took them a long time to recover. Although it is hard to isolate these effects because, I mean, in the wider context, where we've also got Israel, you know, assassinating scientists and, you know, a whole bunch of, like, domestic Israeli led campaigns inside Iran that, you know, it's hard to unpick all of these aspects, but it does feel like Stuxnet perhaps did more than we gave it credit for at the time because we don't have the visibility. But then again, you know, here we are dealing with the potential, you know, nuclear and Iran regardless. So, you know, whether it bought us one year, two year, five years, 10 years, you know, if. If the end outcome is that they still have the will and the political leadership has the will to get there, you know, all of these things are going to be necessary to stop them. Right.
Patrick Gray
Yeah. I mean, what's their solution here? Maybe they just build a deeper hole to do this.
Adam Boileau
Clearly, they've built some pretty deep holes.
Patrick Gray
Already, so they just dig a deeper hole. I don't know. So look, for those who are really interested in, you know, this whole issue, Dmitri Alperovitch, who's a friend of this podcast, he did an excellent podcast with arms control wonk Dr. Jeffrey someone. I can't remember his last name, but fantastic, absolutely fantastic podcast, all about Iran's nuclear program and all of the bits that make it up. Because there's a, you know, there's the factory that actually manufactures the centrifuges for doing enrichment, and there's the plant that turns the yellowcake into gas and then the enrichment plants and then turning it back into metal and all of that. So it's, it's a really good listen. I'll link it in this week's show notes and you can check it out.
Adam Boileau
Now, Arms Control Wonk is good fun. Like, I listen to that recreationally. Anyway. Jeffrey Lewis.
Patrick Gray
Jeffrey Lewis, that's right. Yeah, yeah, yeah, yeah. So if you want to hear Dmitri interviewing Jeffrey Lewis about that, I highly recommend it. Now, Iran has still managed to find time in all of this to actually do some cyber against a municipality. And this is in connection with all of the MEK stuff that, you know, God. Does this link to Albania? This is in Albania.
Adam Boileau
This was the capital city of Albania's, like, local municipal council was what they hacked. Because Albania does host their opposition in exile in the MEK.
Patrick Gray
Yeah. So for people (terrorist group, slash) missing the context. There's an opposition group, an Iranian opposition group called MEK who've set up shop in Albania and, like, do cyber attacks against Iran and stuff from Albania. And they're also, like, really not great as well because you think, oh, Iranian opposition, they've got to be good. And it's like, well, not really. They're quite horrible as well. So, yeah, now Iran's attacking Albanian municipalities and stopping them from being able to do municipal government functions.
Adam Boileau
And they specifically disabled the ability for people to sign up their children for kindergarten. So the registration system for children going into early childhood education. So great proportional response to an attack on your nuclear facilities. I know it's Albania, not the U.S., but you know, cyber, cyber war right there.
Patrick Gray
And just look, one last detail on all of this before we move on to some more bread and butter cybersecurity stories is that at one point Iran actually killed its Internet access to the outside world to try to slow down the Israelis, which is like, you know, things are going great when you're like ripping the cable out.
Adam Boileau
Yeah, yeah. And I mean, they're clearly pretty afraid of Israeli capability and we've seen pretty widespread penetration of their, you know, all manner of systems. You know, we had that bank we talked about last week and in the past the Israelis have just been all up in their business. So yeah, just pulling the plug out and hoping that, you know, there's nothing else the Israelis have remote access to, you know, via some other non-Internet channel, which, you know, pagers come to mind. Be a bad time for Iran all around.
Patrick Gray
Yeah. And I haven't had a chance really to ask around about what the current status of the, that Iranian bank is. I mean, I'm keeping an eye on, you know, various social media platforms and stuff and trying to find out like, have they reopened, have they recovered? Are the branches still there? Like, what's going on? Can't really find anything yet. I think the, the, the only thing I could find is that the bank was somehow reconnected back into their, like, banking transaction network. But I don't know if that means that they've recovered everyone's balances and loans and whatever. So still on it. Just don't know yet. Now, last week, was it last week or the week before, we spoke about the, you know, the advanced persistent teenagers, the Com-style kids transitioning from going after British retailers into now targeting the insurance industry. We have one insurer who's come forward and has disclosed an intrusion that they say they were able to repel over the course of a few hours, which I would, you know, I would absolutely call that a win. But I would expect that we're going to see a few more of these in coming weeks.
Adam Boileau
Yeah, we've seen a bit of kind of scuttlebutt that there's some underway and more coming. But yeah, this one I think they, the company Aflac disclosed in an SEC filing. So there's certainly some value to the, you know, speaking to US oversight as we were earlier. Like we got to see some detail there that we might not have seen this early otherwise. But yeah, they don't seem to have suffered in the same way that, say, Marks and Spencer did.
Patrick Gray
Yeah. Now turning our attention to the Pacific and your region, Adam, the, you know, look, if you wanted. I don't think we need to prove that ransomware actors are scumbags anymore. I think we've established that. But it looks like they, some crew has managed to disable Tonga's Ministry of Health. They are being ransomwared. And you know, this is a country, a small country with a population, you know, with a tiny population, 100,000 people and a GDP per capita of about 5,000 bucks. And they're ransomwaring them and you just think, man, bring back the death penalty kind of vibes, you know, it's pretty.
Adam Boileau
It's pretty hard. It sounds like Australia has dispatched some incident responders to help, which unfortunately, you know, in the Pacific is a pretty common occurrence that, you know that Australia's help has been needed. So that's good. I guess some people are over there doing the needful. But yeah, it's just. It's just scummy. And I mean, New Zealand where I live, like there's almost the same amount of Tongans here as there are in Tonga. So like there's a big expat population of Tongans here. So, you know, I think people are feeling it not just in Tonga, but also all their family back at home and so on. So yeah, it's just. It's horrible and scummy and nasty and blur.
Patrick Gray
Yeah, I gotta say too, I think it's really good that our government here actually sends help to these nations. I think it's, look, in addition to it being just the right thing to do, I think it is really good diplomacy and something really good to do in the region. And, you know, congratulations to everyone who's involved in that. It's, it's, it's a worthwhile endeavor. All right, so now we got one from The Record. Daryna Antoniuk has reported that an initial access broker who was somehow connected to Ryuk was arrested in Ukraine and has been extradited to the U.S. So, yeah, I guess someone who was selling shells now gonna have a bad time.
Adam Boileau
Yes. Yeah, this guy, I think they seized something like what, $600,000 worth of crypto, nine luxury cars and 24 bits of land. So I guess he was doing all right out of his initial access brokering. But yeah, it's, I guess the world has changed around cyber criminals operating in Ukraine quite a bit over the last few years. You know, they're, you know, the cover that you might have had being part of the wider sort of RuNet, Russian speaking cybercrime ecosystem doesn't really hold when, when your country is at war with Russia. So. No, extradited.
Patrick Gray
No, it doesn't. And another one from Daryna here, which is Russia has released a bunch of REvil crew people. They've been imprisoned since 2022 awaiting trial on payment card fraud, actually. So they were, they were arrested for carding and yeah, they've now been released for time served after a few years. I mean, look, at least they did some time, which is not the usual thing in Russia.
Adam Boileau
Yeah, I mean, I think this kind of case dated from the era before the Ukraine conflict when they were like, this was some cooperation with the US and then, yeah, they've just kind of let them go now. But yeah, any time in custody in Russia for doing cybercrime, like, pretty amazing.
Patrick Gray
Now let's talk about some research out of SpecterOps, which as an advisor to SpecterOps, I think is awesome. And as an advisor to an IdP, Authentik, sends a chill down my spine because something like this you really don't want to see in an IdP. This is to do with a different IdP, which is OneLogin. But I mean, this is pretty brutal stuff. Walk us through it.
Adam Boileau
It's pretty comedy. Yes. So they were looking at the connector for OneLogin and Active Directory. So if you have on premise Active Directory and you want to glue your web facing identity into your Active Directory, so they have a connector product and they were rummaging through, kind of understanding how the auth worked, and they got to the point where you can kind of get a directory access token out of the configuration of this agent and then make queries into the OneLogin AD connector and it will return a bunch more data. Amongst that was some other authentication tokens and they went rummaging around trying to understand what they were. One of them was for an Amazon S3 bucket for storing logs in. And they're like, oh, I wonder what's in that bucket. And they went, look, the bucket wasn't registered. So they did the obvious thing, which is go register that bucket with Amazon. And of course Amazon bucket names are kind of globally unique. So they have this bucket there, they set it to be world writable. And then at some point later on, somebody's OneLogin single sign on solution just started putting logs in it. And that log data contained enough kind of key material for them to then query this other company's OneLogin system, pull out the necessary key material to then just straight up sign authentication tokens. So at that point you can impersonate every user in that particular company's single sign on system. Which. Not great.
Patrick Gray
No, not great. And as I said, like, reading this, I'm like, man, this is awesome. Because I know the SpecterOps team and they're really good and I'm like, oh, I just, I'm living for this. And then, you know, when I take off my SpecterOps hat and put on my Authentik hat, I'm like, God, I hope nothing like this ever happens to those guys.
Adam Boileau
Well, the disclosure timeline when they reached out to OneLogin, which I think is Quest, is the upstream, kind of like the company that, that owns OneLogin, reached out to them. And then the disclosure timeline reads like anyone who's ever tried to report a bug to a big company that doesn't know how to deal with these things. It just, I felt this, I felt this in my bones when I was reading it, because they're like, the person tries to report a bug and they're like, check with your account manager. And like, I'm not a customer, I don't have an account manager or a support contract. I'm trying to tell you about a problem with your product. And then they spend months in an email loop asking who their account manager is because no one is capable of identifying what this is, escalating to the right person and getting something to happen. So I think eventually they did find someone, like, out of band to talk to about it. But yeah, just a pretty normal process.
Patrick Gray
The bug part of this is forgivable in that it happens. Stuff like this happens, right? And you can see how you wouldn't necessarily notice it. You can, you can see how this could have happened. But the disclosure timeline, as you point out, like that is, that is the unforgivable part of this.
Adam Boileau
Yeah, I mean, I think in the end it took them what, like three or four months to get to the point where OneLogin had fixed the bug or at least thought about doing something about it. But yeah, it's. This is the problem with putting everything up in the cloud, right. You end up relying on some opaque organizations on the other side of the world to do some critical thing for you. And you don't necessarily know there's anyone there who understands or understands the importance to you as a customer of their software. Which. Good times.
Patrick Gray
Now let's talk about my favorite story of the week, which is what's going on with libxml2. This is just so good.
Adam Boileau
Dear, oh dear. libxml2, open source piece of software for doing XML related stuff. Pretty widely used. All the major operating systems use it in some form or the other. The maintainer of libxml2 is a guy called Nick Wellnhofer and he is just kind of sick and tired of dealing with security bugs. Like he, for fun, maintains an XML library which, let's face it, that's not my idea of fun. But hey, you do you, buddy. And he is the sole maintainer of this piece of software and so he has decided that he is just going to let people file security bugs in this piece of software in the bug tracker like every other bug and he will deal with them when he gets to it, one Saturday he feels like working on his open source project. Yeah, maybe he'll fix a bug or two.
Patrick Gray
Unless someone else feels like maybe writing a patch for that issue.
Adam Boileau
Yeah, unless somebody else shows up with a patch, which, you know, as, I mean, I grew up in the open source community. I totally understand how open source maintainers feel and it's really hard to be mad at the guy. Like, you know, he kind of throws a little bit of snark at Google and specifically Project Zero, who have reported bugs in libxml2, because Google Project Zero's mandate is find Internet critical software and go find bugs in it so as to improve the ecosystem as a whole. But this one guy is like, you know, this is a multibillion dollar company's crack team showing up at me, one, you know, volunteer maintainer in his weekend and expecting me to triage and fix bugs that they found. Yeah, and that's, you know, that would feel a little, and to be clear.
Patrick Gray
libxml2 is like, you know, it's.
Adam Boileau
Everywhere, it is, right, because lots of people process XML and it's just, you know, it's one of the standard operating system libraries that people will be using. But anyway, so this guy has made his feelings felt and there's, you know, lots of debate in the bug tracker about, you know, whether he has done a bad thing or a good thing. And in the end it's his project, he can do as he pleases. Yeah, and the thing I really liked was he's updated the README file to reflect the security policy of libxml2. And I would like to quote from it because it's wonderful. He says this is open source software written by hobbyists, maintained by a single volunteer, badly tested, written in a memory-unsafe language and full of security bugs. It is foolish to use this software to process untrusted data.
Patrick Gray
Yep. Mic drop.
Adam Boileau
I mean, let's face it, that's honest and I love it. So good job, Mr. Wellnhofer.
Patrick Gray
I mean my reaction to this was in GIF form in our internal Slack this morning, which was that GIF of the comedian Shane Gillis holding a gun inside his mouth and then pulling it out and pointing it at other people. You know, it's like that's the, that's the vibe here. And I, you know, I don't hate this. I think that this does have potential to cause some real problems, but it has potential to cause real problems for the sort of organizations who should be offering real solutions. So I'm just like, eh, good on him.
Adam Boileau
Yeah. I mean, in the end, like, if you bootstrap yourself using other people's open source code, like, you have to take some responsibility as the user if it doesn't do what you need, right, either by contributing patches or by contributing resources or by writing and using your own software, like, go buy another XML processing library. Instead of, you know, Apple and Google and Microsoft relying on one guy, and I know where he's from, you know, to write some important Internet critical library. But that's, you know, that's kind of the open source model. And you know, I don't mind if he wants to change his security policy. Good for him.
Patrick Gray
Yeah. Now last week we spoke about the Russians going after the inboxes of various academics and think tankers, you know, to collect intelligence from them. One of them was Keir Giles or Giles. I don't know if it's a soft or a hard G actually, but we've got some detail now on how these compromises may have happened. It's like a social engineering campaign. It's a very clever one, very clever. But the goal of the social engineering campaign is to get people to generate a Gmail application-specific password and then provide it to the attackers. Now, you'll walk us through the pretext and everything, but this does dovetail nicely with the conversation we had recently about, well, when you're doing an OAuth versus a this versus that kind of authorization, do you even know what you're doing? And that's what this exploits, which is the complexity of modern authorization and authentication and whatnot. There's a really interesting thing in this Google write-up of it, which is towards the end of the piece it says, look, our solution for this is if you're using Advanced Protection or whatever, if you've got that set up in your account, our solution is, well, we just won't let you generate one of these passwords, which I think on one hand, okay, that's cool, but on the other hand that's your solution here is just to turn it off. Like, I don't know if that gets you very far in a detailed social engineering campaign where you've proved your, you know, to the target's satisfaction that you are legit. At that point you could just tell them to disable that from your account. Well, you can't use it, you know, blah, blah, blah. Anyway, walk us through the pretext here because it is, as I say, very interesting.
Adam Boileau
Yeah, it's pretty cunning. Essentially what they do is they show up with a lure, claiming to be some particular, I think this was the US State Department is what they were impersonating here. And they said to gain access to our, to share documents with us or to interact with us, you have to register for our interface thing. And the way you do this is by going to your Google dashboard, going to app passwords, typing in the name of our service that you're going to authenticate to, which was like ms.state.gov, and then hit generate and it will generate you a password for our service. So they're letting the user be confused as to the fact that, you know, as to what the password is for. Right. Is it for authenticating to us or authenticating to you? And they present it as it's authenticating to us. But the reality is they've made a password to authenticate as the victim to Google and then they pretext to hand.
Patrick Gray
It over as a processing. They tell them to name the application specific password because you can name them either ms.state.gov or in a different campaign, Ukrainian and Microsoft themed ASP. So it really is that idea. That's where they're able to create that point of confusion which is to say, oh, you're creating a password for our service, not giving us a password to your service.
Adam Boileau
Yes. Which is, you know, is a cunning, you know, it's a cunning campaign. Right, because it exploits that lack of understanding about how all these systems work. Because it's not reasonable for people to understand how these systems work. Right. Nerds who have to build this kind of stuff presumably understand. But you know, the average person, you know, working at a think tank, you know, in the UK as the Keir Giles guy was, like, you can't expect them to understand the nuance of these things. So yeah, clearly actually worked and pretty slick campaign to be honest. So yeah. And I'm less mad about Google just turning off app-specific passwords because most people do not need app-specific passwords and I think the use case for them over time has really declined. I mean the original use case was IMAP access to Google for mail clients that didn't support web-based MFA. They don't have the ability to invoke a browser, get a token and then sign in and that, you know, they have also been really kind of making other mechanisms and we have so much better ways of doing integrated auth than app-specific passwords. So I'm less mad at Google about just turning it off for well-protected accounts.
Patrick Gray
I don't know, maybe you're right. I don't know, I don't know. And of course you know, Google doing business at massive scale. That was a really interesting thing for me getting to know Alex Stamos well when he was the security guy at Facebook. Which is it forces you to think differently about, you know, how to deal with just like mega-scale threats. Right. Like, you know, I remember at the time people were very critical of SMS-based authentication and he's like, yeah, it is phishable. But then that means that they have to phish the token, which instead of just using a username and password and like, do you have any idea when you have billions of users like what that control saves you? And it's like, yeah, no, I do, I get it. All right, now speaking of like sort of dumb social engineering stuff, we've got two here which are just like so brain dead that you just sort of wonder why people are doing them. But if they're doing them, it's because it works. So let's just recap what ClickFix was and then talk about FileFix, because these are two very dumb things. And there's, you know, there's the new dumb thing, which is becoming more popular than the old dumb thing.
Adam Boileau
Yeah. So ClickFix, which I'm going to prefix by saying it's a dumb name. And I've tried my best to not use it in our coverage because it's a name that bears no reflection to what the thing actually is. This is the attack where you show up on a website and it says, to prove that you're a human, please complete this captcha. And the captcha is press Win+R, which opens the Run dialog box in Windows, and then Ctrl+V which pastes. And of course, the site has preloaded your clipboard buffer with some PowerShell commands or DOS shell commands to run, and it compromises your box. Now, technical users probably are going to be a little sus about opening the command prompt and pasting in a command to prove that they're human through a captcha. But plenty of people fall for it. I know, you know, I was surprised when I saw this and went, you know, like, surely, surely no one would. But clearly people have. So FileFix is a new variant where somebody's been looking around thinking, like, where else can I paste commands into Windows in a way that I can trick a user in the same thing? And so this is doing the same thing, but pasting into the Windows Explorer file bar, so you can straight up just paste shell commands into the address bar in Explorer. And so they construct a lure which is like, to read this HR policy, copy paste this file path into your Explorer, and then it preloads the copy paste buffer with a bunch of PowerShell commands. And then, you know, something to make some white space so that in the end it looks like you've pasted a path or it looks like a path. And of course that runs commands. And I'd like to say this is just super dumb, but it's gonna work and people will use it. So I, and I guess we are going to see people finding all sorts of other places that you can trick Windows into running commands by having people paste them in and spam into themselves.
So, yeah, those of you who run big estates of Windows users, probably this should be on the list of things that you should spot. Your EDR would already be spotting PowerShell being spawned from Explorer, but, hey, who knows?
Patrick Gray
Yeah, I don't think this is as much of a risk to corporate environments as just, you know, normal home users. That's what, that's the vibe I get. But look, this isn't the stupidest thing we're talking about this week. This next one is from Dan Goodin. And you just sort of think, how does this work? And look, if people are doing it, it's got to work, right? So walk us through this.
Adam Boileau
Yeah. So people have been seeding links or taking out ads that get indexed by search engines that when you click on them, take you to a legitimate site. So like hp.com for Hewlett Packard. And then the path of the URL links through to the search system on that site with a query. And that query is, you know, call us for tech support. And here is a phone number. And that of course gets reflected back in the page output as, although it's a, you know, as a phone number or whatever other message they put in there. So it's kind of like cross-site scripting but for brains instead of for browsers. And the hope is people will show up to Google, type in, you know, how do I fix my HP printer? One of these malicious ads will come up that links to the real hp.com, then they phone the number that they see on the first screen without looking at the fact that they're on the search results page for hp.com and then get scammed out of their credit card details. So pretty bottom of the barrel stuff. But on the other hand, it's probably going to work.
Patrick Gray
Yeah. Yeah. Well, let's just talk about a little bit more fail. We're on the home stretch now. Veeam, this is the backup technology. They tried to patch a critical bug a while back. I think we spoke about it at the time. Patch didn't stick. They're patching it again. I guess. Let's see if they get it done this time or if third time's the charm.
Adam Boileau
So the bug in question that they patched is a .NET deserialization bug. So the software is written in.
Patrick Gray
.NET.
Adam Boileau
They were deserializing stuff unsafely. Their fix was to blacklist the specific deserialization technique that the exploit was using. So of course now they're playing cat and mouse, whack-a-mole, whatever you want to call it, with expert researchers finding new .NET deserialization gadgets for their software. And that's a game that will go on for the rest of time until Veeam understands that they need to actually implement, you know, kind of whitelist-based filtering.
Patrick Gray
You know, I mean, this is that we used to see this sort of stuff from the majors. Like 20 years ago, like Microsoft would patch some bug by disallowing a very specific string or whatever and you could just add like a dot to it and it would work, you know. Same sort of vibes here.
Adam Boileau
Yes, yeah, exactly. So they need a slightly more defensive approach to what they're doing. But yeah, it's not a great look for Veeam to now be on their third round of just putting exclusions for specific deserialization gadgets into their software and calling it patched. So boo to Veeam.
Patrick Gray
Now, we spoke a few weeks back about some research from a young Kiwi who goes by the name of Mr. Bruh who looked at Asus. It was like the Asus driver manager that you get on an Asus laptop or whatever. It was really cool research for those who don't remember it. Like he got to the point where you could just go single click URL to code exec. Exactly. In a privileged context. Like it was, it was really cool. And he promised a part two and here it is.
Adam Boileau
Yeah, part two is also pretty dumb. So he looked at the MyASUS support app that they use if you wanted to like organize RMAs for defective products or file support tickets or whatever else. So this app had hard-coded credentials in it and it was making API calls back into the backend system in Asus in a pretty privileged context to lodge RMAs or whatever else. And so, yeah, he extracted the hard-coded API keys from the binary and then you can call into it and retrieve like user records with all people's addresses and phone numbers and all that sort of thing and their ticket details and so on and so forth. And this bug looks like it has been there since this application was launched back in 2022. So yeah, they did a little bit of a boo-boo there, Mr. Asus.
Patrick Gray
I mean, it's not like it's not as cool as the first post, which was the single click RCE in a privileged context, but you know, it's still like hard-coded creds in a DLL. Like bad Asus.
Adam Boileau
Yeah, bad Asus. And of course Asus also has no bug bounty, so Mr. Bruh does not even get paid for it. So.
Patrick Gray
But Mr. Bruh does get talked about in Risky Biz. And I think, I think you sent me a screen cap of him asking, is this one cool enough for me to get a mention? It's like, yes, Mr. Bruh. Yes, definitely cool enough. Definitely cool enough. All right, and we're going to finish now with a story that like I think is interesting and I'll get to that bit in a moment, but a guy in Perth has pleaded guilty to spinning up fake Wi-Fi access points around airports and I think even on airplanes as a way to do like cred harvesting from people who are connecting to this access point. What's really interesting here is like I think it was air crew or someone who noticed something weird and that's how he got caught. So I think like excellent vigilance on behalf of airline staff there because yeah, impressive to actually catch this guy. The reason, and I think his ultimate goal was to collect nudes from people's like iClouds or whatever, which is just, you know, very, very dumb. I think awaiting sentencing at this point. But this happened back in like April last year, like it rings a bell. We may have even talked about it at the time. I guess the reason this is interesting for me is it cuts against. So you know, there's always been some of that advice that we give like don't worry about juice jacking, it's not a real thing. Like this is some of the advice that we give. And no, you don't need to worry about connecting to public Wi-Fi. And I think do we need to reconsider that advice?
Adam Boileau
Yeah, I mean I, you know, people who buy VPNs to save themselves on public Wi-Fi like clearly are being scammed by VPN companies. But on the other hand, like the plurality of ways that you authenticate to public Wi-Fi, we have to click through use agreements or whatever else. And that's kind of what he was exploiting here is the expectation people have to show up to public Wi-Fi, get sent to a captive portal which then says give us your email address so that we can send you marketing information in order to be able to use our free public Wi-Fi and then extending that to log in with Facebook, log in with Google because people are used to federated logins. The expectations people have of what they have to provide and the impact of giving sites those things, I guess is the thing that does make it actually a little bit risky and fun fact here.
Patrick Gray
A VPN ain't going to do anything to help you in that situation.
Adam Boileau
I was going to say like all of the NordVPN in the world ain't going to help you because you aren't getting to NordVPN until after you've been through this captive portal process. So.
Patrick Gray
So I mean it's not like this sort of crime type is rife. Right? But you know, when I think Back to how we're like, oh no, that's, that's actually kind of redundant, silly advice. It's like, well, I don't know, maybe it, maybe it's not.
Adam Boileau
I mean if you have the option of using a mobile network, it's generally going to be safer to use mobile than it is to use public Wi-Fi, random public Wi-Fi you find lying around. But on the other hand, all your devices ought to be safe to use on the Internet full stop. Like a modern, fully patched anything ought to be safe on a dirty Internet connection, regardless of whether it's malicious Wi-Fi or mobile network.
Patrick Gray
Yeah, but in this case it's like cred phish. Right. So that's not anyway, identity. What are you going to do? And yeah, log in with Google, you know, log in with Google, log in with Facebook. We couldn't OAuth, please enter your password. You know, like it's. And it's hard to explain. Again, it's hard to explain to people like why that's what the distinction is there.
Adam Boileau
Yeah. And I guess this is the value of passkeys because like if you could only auth to Google with a passkey, you couldn't be tricked into giving him your password because the passkey would just fail when you're being, you know, sent to a fake login site. So that's the world we're ending up at eventually is that the human doesn't have to make that choice. But we ain't there yet.
Patrick Gray
No, we're a long way off. In fact, that'll happen after my career is over, I suspect. But Adam Boileau, that is it for the week's news. Great discussion this week. Always enjoy it. And yeah, I'll catch you soon.
Adam Boileau
Yeah, thanks very much, Pat. I will talk to you next week.
Patrick Gray
That was Adam Boileau there with a look at the week's security news. Big thanks to him for that. It is time for this week's sponsor interview now with Andrew Morris, who is at GreyNoise Intelligence. He's one of the founders there, I think the founder. I don't know if he's a sole founder or a co-founder, but nonetheless, Andrew is at GreyNoise and he joined me for this interview about a botnet of ORBs made up of Asus routers. So this is something that they detected in the GreyNoise sensors all around the world and they just sort of gradually unpicked it. It has some interesting features. So he joined me to talk all about that and here's what he had to say.
Andrew Morris
The story starts in January, February of this year. So we were looking at, we saw large spikes of traffic against GreyNoise sensors that looked like login attempts, authentication, credential stuffing, stuff like this, right? We see it all the time. What are you going to do? And it was to a certain sort of API endpoint and HTTP endpoint. We dug into that and it was reasonably, we could figure out, hey, this is a login endpoint that would be targeting an ASUS. Whatever the check was or the credential stuff was, we weren't passing it because we didn't have any ASUS routers on the grid at the time. So Remy went to the store and bought some ASUS routers and then came home and both plugged them in and packet forwarded them onto the GreyNoise grid and also used the hardware to actually pull the firmware off of them and decrypt the firmware so that we could run these different services. Once we were running the actual services of the ASUS firmware, we started passing the check of whatever the credential stuffers were kind of looking for. And that was when we found a combination of, okay, so they're using these default credentials, but then they're also doing some authentication bypasses in order to gain access to the system without even having to know the creds. So then using a combination of authentication bypass and OS command injection, these actors were compromising these routers out of the box because that particular chained combination of exploits was not patched. And so they're popping these routers out of the box. And then you'd expect that maybe they would drop malware at this point, but they did not. They did not drop malware. They used the baked-in SSH, the Dropbear SSH. They spawned it on a high port, a new one on a high port, and they injected an SSH public key that they would allow and they disabled logging, all logging and all telemetry on these routers. And that was that. So we scanned the entire.
We actually worked with Censys and Shadowserver and looked at how many routers on the Internet have SSH and Dropbear listening on that high port and were accepting that SSH public key. And it was like 6,000. And they were mostly in the United States and in Western Europe. And so we worked with Shadowserver to do victim notification. We worked with Censys to obviously do the scanning. We worked with runZero for them to actually build out a detection for their customers for, you know, if anybody was infected. And we worked with the US intelligence community and law enforcement to kind of get the word out to everything.
Patrick Gray
Yeah.
Andrew Morris
And we weren't going to publish it and then somebody else published something about it. So we're like, well, all right, time to publish it. So we did and that was that.
Patrick Gray
Yeah. Now the thing about this is like, I think if you patched this, the, like the backdoor survived somehow. How did that work? Like even, even it would survive firmware updates. How is that possible? Because from what you've described, like, surely a firmware update would just overwrite that key. Unless I guess ASUS is like, well, we don't want people having to do firmware updates and then, you know, drop their keys in again. So like, was it the case that it was just like a convenience feature?
Andrew Morris
Yeah, it was the place that the backdoor was actually stored was non-volatile and so it wasn't going away. It was persistent throughout both, you know, reboots and persistent through firmware updates, which made it kind of particularly terrifying.
Patrick Gray
Yeah. So what do you do about like, you would actually have to get hands on and like reconfigure it.
Andrew Morris
Rip it off the wall. Rip it off the wall.
Patrick Gray
Yeah. But do you throw it into a wood chipper or can you actually fix it?
Andrew Morris
You can fix it. So you can. I need to actually think about this before I say it, because I'm saying you can fix it. And the more I think about it, I'm like, I don't know that you can fix it.
Patrick Gray
Yeah. I mean, for such cheap. I mean, ASUS routers are not exactly expensive. So probably the wood chipper is the best option at that point.
Andrew Morris
I think the wood chipper is the best option. I think that what we're going to find. And I'm on my soapbox a little bit right now, so to speak, no pun intended, literally. But like, I do think that the end of the journey of a lot of these embedded systems getting compromised is. I think people are over-intellectualizing it a little bit. I think the end of the journey is finding where they are physically sitting and ripping them off of the wall.
Patrick Gray
And into the wood chipper.
Andrew Morris
And into the wood chipper.
Patrick Gray
Yeah, yeah, yeah.
Andrew Morris
Or mailed to Andrew at GreyNoise so that we can run them on our grid, which you can't see this in my camera right now, but maybe three feet to my left is like nine different routers that I'm about to hook onto our grid.
Patrick Gray
Yeah, yeah, fantastic. So I mean, obviously you would think that this is a botnet being built. I mean, often it's state actors building it, not building them. Not always. Sometimes it's just crime networks. But the one thing that I find fascinating about this whole phenomenon of botnets. Is it a phenomenon if it's just a continuation? Probably not. I just find it amazing that there's still this need among attackers for these sorts of things. And I think the one thing that's kept them relevant, that's kept driving the bot herders maintaining these sorts of networks is increasingly they need them to bypass impossible travel restrictions thanks to identity providers like Okta. I mean if you had to attribute it to one thing like why is it we're seeing so many of these botnets now? Is it, is it just that the.
Andrew Morris
Question really should be like, what's the value to an attack, to an advanced attacker, of having tons of accesses inside of a country that you want to be doing stuff against? Right. Because they're in lots of countries, they're in residential networks. The people behind them probably pose very little intelligence value. I can say that, like we'll call them, you know, a lot of people are referring to them as ORBs. Right. So these operational relay box networks, the fact a lot of the attacks that we were seeing were coming through these, so it actually renders a little bit of threat intel, like a lot of the IP-based threat intel, kind of useless because attacks can be coming from many of these. I do think though that your point is a good one about stuff like Okta and stuff like any of these different kind of authentication providers. Multi-factor auth providers.
Patrick Gray
Yeah, like Entra, Okta, Ping, whatever.
Andrew Morris
Yeah, yeah, all of them. Right. Like yeah, it's gonna be just for the same reason that GreyNoise can't put router sensors in AWS, bad guys can't log in with stolen credentials through an EC2 node. Right. Because that doesn't happen. So I think that's a big part of the value of it. Another part of it is really just like what do attackers love about embedded systems so much? And the biggest thing is that you can't run EDRs on them. They're Swiss cheese. So they're really easy to hack. Right. Like they've got traffic to and from them. There's always gonna be more stuff behind them. They have high uptime. So you're gonna have, you know, if your implant lives in memory, you can live there for a million years until this thing gets rebooted. So it's nightmare fuel, you know.
Patrick Gray
Yeah. I mean I think that original use case for using ORBs, like when I think back to old school days. You know, it's like you said, they get into these things, they disable logging. Right. So it sort of walls you off from incident responders to a degree, because they might trace back an attack to one of these devices. They go, aha. Pull the device. There's no logs. They don't know where the person was coming from. You know, maybe they get a little bit from an upstream ISP or whatever, but it just makes it harder.
Andrew Morris
That's right.
Patrick Gray
Whereas now I feel like that tangible reason is like, well, we can't even log in to these places unless we've got like a residential IP somewhere in this range. That's right. So, like, do you have any sort of feelings, vibes, thoughts about what type of actor may be behind this? I guess it would be difficult based on the, you know, the intelligence that you're collecting. Although, I mean, you might have seen some interesting originating IPs in there.
Andrew Morris
No. So, okay, like the actual. A lot of the attacks that we saw came from random servers in Malaysia, and we were working with some people to get those imaged. And then like, a horrible natural disaster happened in Malaysia and we were like, okay, well, this feels much less likely to happen now. And so what I know is anecdotal, and it's from conversations that I've had with people in or close to government, and then people who know a lot more about this stuff than I do. There are groups in China, probably in other countries too, but, like, China's the. You know, a lot of these Chinese actors are the ones that have been going after meta systems like this and operating and going after telcos and stuff like that. Like the type.
Patrick Gray
I mean, that's kind of the answer I was fishing for there, man, if I'm honest.
Andrew Morris
Yeah, I mean, it's, you know. But yeah, there's a lot of these Chinese actors. And so then inside you've got. Obviously you've got people who work for the People's Liberation Army, you've got folks that work in the intelligence apparatus, and then you've got folks that are outside of it that do nothing but. And maybe they work for the government, maybe they don't. And their job is to build these ORB networks and build these botnets, gain accesses, and then pass them along to somebody else. And in a place like that, people aren't going to be as financially motivated. People are going to be more motivated by the notion of currying favor with the party or doing the right thing, being patriotic, whatever. Right. So there's lots of these actors whose job is literally to build ORB networks. And there's also a lot of overlap and a lot of crossover between people who have vuln research blogs, who participate in like DEF CON China kind of CTFs and stuff like that, who chat with each other on like the QQ networks and stuff like that, and who post vuln write-ups and the vulns themselves that are exploited in this case. I mean, Remy did some insanely good digging to try to figure out anyone and everyone who is doing research on this kind of firmware for these ASUS routers and found just like this treasure trove of vuln research that was written in some Chinese language blogs from Chinese vuln researchers. And we have no indication, there's no reason to believe that this person had anything to do with it. But the write-ups that they were doing, all of those same TTPs were used and all those same tactics and all those same paths and even some vulnerabilities that nobody would have known except for, you know, somebody who is, who had at least read very closely, you know, that research.
Patrick Gray
Yeah, we got a guest, an occasional guest on Risky Business is Lina Lau, who comes and co-hosts every now and then. And you know, she speaks Chinese and finds the most amazing stuff on WeChat. You know, like just she's like, it's a whole other world there and there's all sorts of good stuff being posted there. And the language barrier just means it doesn't often cross over. And also because you've kind of got to be on WeChat to like see that stuff. And most people in the West are not. So. Yeah, that is all very interesting stuff. Let me ask you though, like from a GreyNoise perspective, you know, tracking these ORB networks has got to be a major PITA because they're often on residential ranges, right. And those IPs are going to flap around a bit. So I know that you've already got a feature in GreyNoise which will tell you like when an IP was known to be bad. But like how often? I guess the question really is like, how often do residential IPs flap around these days? Like how often do those IP leases renew? And how do you keep track of like, well, we know this device is bad, it's on this IP now. Like when that gets a new lease, like how do you actually track it across to its new ISP, to its new IP? Sorry, we don't.
Andrew Morris
So from our perspective, it becomes a net new one. This is like all we, all we. And it's like, you know, we're dogmatic about this at GreyNoise. So, like, we only report on things that we know to be true. So you see combinations of protocol fingerprints, you see nuances in the implementation of the TCP stack to surmise that something might have been the same device. You might see the same banners, you might see actually if any services were being advertised for something like a Censys or a Shodan, then you might see some of those same ones. But we're not really able to track it from, from that angle.
Adam Boileau
Right.
Andrew Morris
We only see the stuff, we're at the mercy of the scanners, like, so whatever it is that reaches out and comes to us, it's as I would say, it's intractable.
Patrick Gray
So I guess what you can do here, though, like you alluded to it earlier, which is you can detect these things, right? If they are connecting to you, you can detect them. So how much of a demand is there from your customers to sort of get rule sets that they can use to understand when one of these things is connecting to them? Is that something that they do increasingly? Yeah. Right. Okay, so there you go. That's kind of what I was wondering is like, what's the value of doing this if you can't track the IPs? And I'm guessing it's like you're giving them the means to detect one of these things connecting to them.
Andrew Morris
So what tells are there in the network traffic that's being generated or tunneled through these things that the IDPs or the centralized authentication providers might be able to use to tell that something is being shoveled through another device?
Patrick Gray
That's what I was curious about.
Andrew Morris
Yeah, yeah. So that's where you're going to see more and more. So we're collecting JA4 on everything that we have right now. And we've got more vendors that are processing stuff like this that are asking us for these lists of all of the JA4 fingerprints, all the TLS fingerprints that we know of that attackers are using for this kind of stuff. And that's, I think, where a lot of the future is going for this because an IP is going to be useless 5 seconds from now. But the implementation of the TCP header and like the MTU overhead and all the IP options or whatever, that's work. It's like, yeah, yeah, that's work to redo that.
Patrick Gray
Yeah, yeah, that's literally what I was asking is like, you know, I figure like, if I'm Okta, I might want to come to you and ask you for that information so that I can do some filtering, you know. And I just wonder, is that something happening now or is that, like, more you're hoping that'll happen in the future kind of thing?
Andrew Morris
I want to see more of it. We're not doing a good enough job like packaging that data and getting it to people. So it's kind of like, you know, the way that you would get that is to buy all of GreyNoise's everything, which is very expensive. So I think we need to. We need to do a better job of actually putting that data into this, into the right place, into the right bucket, so that, you know, it's. It's. It's easier for those customers to buy and consume and then do something with. Right.
Patrick Gray
Or you just sell it for lots of money. More ivory back scratchers. You know, I know you. I know how you roll.
Andrew Morris
More ASUS routers, more TP-Links.
Patrick Gray
Yeah, yeah, yeah.
Andrew Morris
Yep, that's it.
Patrick Gray
All right, Andrew Morris, we'll wrap it up there. Great to see you as always, my friend. Great conversation. And, yeah, we'll talk to you again soon.
Andrew Morris
Appreciate it, man. Thanks so much for having me.
Patrick Gray
That was Andrew Morris from GreyNoise there. Big thanks to him for that. And, yeah, big thanks to GreyNoise for being this week's sponsor. That is it for this week's show. I do hope you enjoyed it. I'll be back soon with more security news and analysis, but until then, I've been Patrick Gray. Thanks for listening.
Risky Business #797 – Stuxnet vs Massive Ordnance Penetrators
Released on June 25, 2025
Hosts: Patrick Gray and Adam Boileau
In episode #797 of Risky Business, hosts Patrick Gray and Adam Boileau delve into a wide array of pressing information security topics. From debunking massive password leak claims to exploring sophisticated cyber threats against critical infrastructure, the duo provides insightful analysis and expert commentary on the latest developments in the cybersecurity landscape.
The episode kicks off with a discussion about a sensational news story claiming a massive leak of 16 billion passwords—a figure so astronomical it defies credibility.
Patrick Gray (00:00):
"Did you hear that there's been a huge password leak of 16 billion passwords? Of course, this has been a dodgy news item that has somehow managed to escape from a niche outlet into the mainstream media."
Adam Boileau (01:16):
"It is as many people, you know, kind of expect, you know, just a repackaging of a bunch of additional existing credential dumps..."
The hosts clarify that the supposed leak is likely an aggregation of previously stolen credentials without any deduplication, making the 16 billion figure misleading. Despite its dubious origins, the story highlights crucial best practices: using unique passwords for each service, leveraging password managers, enabling multi-factor authentication (MFA), and adopting modern passkeys.
Patrick and Adam shed light on recent cybersecurity breaches targeting telecommunications companies, attributed to the Salt Typhoon group.
Adam Boileau (04:55):
"They shelled the box and then set it up for intelligence collection and presumably moved laterally around the network and had a good rummage because that's what you do when you hack a telco."
Patrick Gray (04:27):
"It looks like, yeah, Viasat and some mob in Canada have disclosed that they've experienced breaches as a result of this group."
Salt Typhoon, known for its intelligence-oriented cyber operations, exploited unpatched vulnerabilities in Cisco IOS XE devices to infiltrate and gather intelligence from targeted telcos. The breaches underscore the importance of timely patch management and robust network security practices.
The hosts discuss the United States' cyber operations against Iran, focusing on GPS jamming in the strategically vital Strait of Hormuz.
Patrick Gray (06:04):
"Some of the quality humor on this one as well. I think someone pre-generated every like 4 and 6 and 8 digit number or something, whacked it in a database and described it as a breach of every single OTP code."
Adam Boileau (07:02):
"Anything that kind of messes up with these systems does have some downstream consequences."
General Dan Caine, Chairman of the Joint Chiefs of Staff, acknowledged Cyber Command's role in these strikes, although specific actions remained undisclosed. The GPS jamming led to anomalies in ship tracking, illustrating the tangible impacts of cyber interference on maritime operations.
The conversation shifts to Iran’s cyber offensives targeting Albanian municipal systems, particularly against the MEK (Mujahedin-e Khalq) opposition group.
Adam Boileau (16:11):
"Jeffrey Lewis, that's right. Yeah, yeah, yeah, yeah. So if you want to hear Dimitri interviewing Jeffrey Lewis about that, I highly recommend it."
Patrick Gray (17:20):
"And they're like, really not great as well because you think, oh, Iranian opposition, they've got to be good. And it's like, well, not really. They're quite horrible as well."
Iranian cyber actors disrupted municipal functions in Albania, affecting services such as child registration for kindergarten. This form of cyber retaliation against opposition abroad highlights the expanding frontiers of cyber warfare.
The hosts address the alarming ransomware attack on Tonga’s Ministry of Health, a small nation with limited resources.
Patrick Gray (19:25):
"It's a very, very dumb I think awaiting sentencing at this point. But this happened back in like April last year..."
Adam Boileau (20:26):
"It's pretty hard. It sounds like Australia has dispatched some incident responders to help..."
The ransomware incident paralyzed Tonga’s healthcare services, demonstrating how cybercriminals exploit smaller nations’ vulnerabilities. Australia’s swift response in dispatching incident responders underscores the importance of international cooperation in mitigating cyber threats.
Patrick and Adam cover the recent arrests linked to notorious ransomware strains, highlighting ongoing law enforcement efforts against cybercriminals.
Adam Boileau (21:40):
"This guy, I think they seized something like what, $600,000 worth of crypto, nine luxury cars and 24 bits of land."
Patrick Gray (22:38):
"They were arrested for carding and yeah, they've now been released for time served after a few years."
A Ryuk-associated individual was extradited from Ukraine to the U.S., while Russian authorities released several REvil members after serving time for payment card fraud. These cases illustrate the global nature of ransomware operations and the challenges in prosecuting cybercriminals across jurisdictions.
The episode delves into a concerning vulnerability within OneLogin's identity provider (IdP) system, uncovered by SpecterOps.
Adam Boileau (23:21):
"They were able to impersonate every user in that particular company's single sign on system."
Patrick Gray (24:53):
"This is the problem with putting everything up in the cloud is right."
A critical flaw allowed attackers to generate authentication tokens, enabling impersonation of users. The delayed and inefficient response from OneLogin in addressing the vulnerability underscores the risks associated with reliance on cloud-based identity services and the need for more agile mitigation strategies.
Patrick and Adam discuss the challenges faced by the sole maintainer of the widely used libxml2 library, highlighting broader issues in open-source software security.
Adam Boileau (27:05):
"It is foolish to use this software to process untrusted data."
Patrick Gray (29:22):
"Yep, Mic drop."
The libxml2 maintainer, overwhelmed by security bug reports, has adopted a stringent security policy, discouraging the use of libxml2 with untrusted data. This candid stance reflects the difficulties single maintainers face in managing critical open-source projects and the potential risks for organizations relying on such libraries without adequate support.
The hosts explore sophisticated social engineering tactics aimed at high-profile targets, such as academics and think tankers.
Adam Boileau (32:16):
"It's a cunning campaign because it exploits that lack of understanding about how all these systems work."
Patrick Gray (39:42):
"If you run big estates of Windows users, probably this should be on the list of things that you should spot."
Attackers impersonated legitimate entities to trick users into generating application-specific passwords, facilitating unauthorized access to sensitive accounts. These campaigns exploit the complexities of modern authentication systems, underscoring the necessity for user education and enhanced security measures.
Patrick and Adam highlight two particularly inept yet effective attack methods—ClickFix and FileFix—that rely on tricking users into executing malicious commands.
Adam Boileau (35:43):
"People fall for it. I know, you know, I was surprised when I saw this and went, you know, like, surely, surely no one would."
Patrick Gray (37:57):
"I don't think this is as much of a risk to corporate environments as just, you know, normal home users."
ClickFix tricks users into pasting commands into the Run dialog, while FileFix manipulates the Windows Explorer address bar to execute PowerShell commands. Though rudimentary, these tactics exploit common user behaviors, making them surprisingly effective despite their simplicity.
The conversation shifts to Veeam’s ongoing struggles in patching a critical .NET deserialization vulnerability.
Adam Boileau (39:42):
"The bug in question that they patched is a .NET deserialization bug."
Patrick Gray (40:46):
"Same sort of vibes here, so boo to Veeam."
Veeam's approach of blacklisting specific deserialization techniques is proving insufficient, necessitating a move towards more robust, whitelist-based filtering to effectively mitigate the vulnerability.
The highlight of the episode is an exclusive interview with Andrew Morris from GreyNoise Intelligence, discussing the discovery of a botnet composed of ASUS routers.
Andrew Morris (46:49):
"They did not drop malware. They used the baked-in SSH, the Dropbear SSH..."
Patrick Gray (50:33):
"Yeah. But do you throw it into a wood chipper or can you actually fix it?"
GreyNoise detected a botnet exploiting ASUS routers by injecting SSH keys, ensuring persistence even through firmware updates. The backdoor was stored in non-volatile memory, making standard updates ineffective. Addressing such compromised devices often requires physical intervention, such as disconnecting and discarding the infected hardware.
In the final segment, Patrick and Adam discuss a case where an individual set up rogue WiFi access points in airports and even on airplanes to harvest credentials.
Patrick Gray (42:00):
"What's really interesting here is like I think it was air crew or someone who noticed something weird and that's how he got caught."
Adam Boileau (44:29):
"You aren't getting to NordVPN until after you've been through this captive portal process. So."
The perpetrator exploited captive portals to trick users into providing sensitive information, such as iCloud credentials. The swift detection and apprehension by vigilant airline staff highlight the effectiveness of human oversight in combating such low-tech yet impactful attacks.
Episode #797 of Risky Business offers a comprehensive overview of current cybersecurity threats and vulnerabilities. From the persistence of botnets in consumer hardware to the evolving tactics of cybercriminals and state actors, hosts Patrick Gray and Adam Boileau provide valuable insights into safeguarding against an increasingly complex threat landscape. The episode underscores the importance of proactive security measures, robust patch management, user education, and international cooperation in mitigating cyber risks.
Notable Quotes:
Adam Boileau (32:16):
"It's a cunning campaign because it exploits that lack of understanding about how all these systems work."
Adam Boileau (27:05):
"It is foolish to use this software to process untrusted data."
Andrew Morris (50:50):
"Rip it off the wall and into the wood chipper."