
Patrick Bray
Welcome to Risky Business. My name's Patrick Bray. We've got a great show for you. We'll be getting into the news with Adam Boileau in just a moment, and then it'll be time for this week's sponsor interview. And this week's show is brought to you by RAD Security. And they do a lot of stuff around Kubernetes and sort of cloud infrastructure security. And we're talking to Jimmy Mesta, one of the founders there, all about all of the stuff they're doing with AI in cloud. And it just feels like everyone is doing stuff with AI now. And that's an interesting chat. And it is coming up later. Before we get going, Adam, we should probably mention that we're actually about to go on break. The weekly show is going on break for a couple of weeks. It's school holidays here, and I'm, you know, going to enjoy that with my family. So if anyone's wondering why there's no weekly show next week or the week after, that is why. But let's kick off the news now. And, yeah, airlines. So last week we were talking about how Scattered Spider had pivoted into attacking the insurance industry. And it's like, wow, it's so weird that they target verticals like this. Looks like they found a new vertical, which is the airline industry.
Adam Boileau
Yes. We had seen some reports last week about their potential involvement with breaches at WestJet and Hawaiian Airlines. And then in the last kind of hour or so, we've seen a report in the Australian media that Qantas, the national airline of Australia, has also suffered a pretty big breach of some sort. Lost, I think, 6 million customers' worth of data. And that is being described as, you know, Scattered Spider-like, or -esque or, you know, probably involves that group of people. So, yeah, we got three. Does that make a trend? Probably, right?
Patrick Bray
Well, I mean, last week you grabbed that WestJet story and stuck it in the news items, and we were like, I don't know what this is. Could be ransomware, could be anything. But it looks like, yeah, that was the first one to fall, right? Yeah. Now Hawaiian Airlines and then Qantas, and you just think it's got the makings that, you know, it's a. It's a crime wave. Right. Like, let's just. Let's just call it what it is, which is these advanced, persistent teens are just out there raising hell. This almost feels a little bit like, you know, for those who are around back then, because it has been a long time. It feels a little bit like LulzSec back in the day, right, where it was just like, just kept happening and you never knew where they were going to pop up.
Adam Boileau
Yeah, yeah, no, that, that parallel I think is, is pretty apt. Apt. This particular one at Qantas does have some other kind of elements that certainly seem pretty familiar from other Scattered Spider breaches. So it sounds like this was a third party platform used by Qantas's contact center and that kind of like third party, you know, outsource provider breaches seem to be the methodology for Marks and Spencer that scatters quite a lot. So they do understand how to go find the weak points in these ecosystems. And you know, the relationships between a lot of these organizations and their outsourced partners or people they use for these sorts of things, you know, are not really designed to be super resilient because no one's really gone around and targeted them before. Certainly as a pen tester, you know, people doing assurance, you never practically get to go exploit these relationships. You can point at them on paper, but there's no practical, kind of like we've done a thing. And so this is not an area that has got much focus, I don't think.
Patrick Bray
Yeah, well, I mean, we spoke a couple of weeks ago, didn't we, about the AP teens who were going around and changing people's MX records by socially engineering their, you know, their like domain registrars and whatever. And as you pointed out at the time, you can't really go and do that as part of a pen test. You can't socially engineer the help desk at a domain registrar and you know, have that transferred over. It's just not a thing.
Adam Boileau
No, no, that's unfortunately out of scope. And if you raise those things, and I've written reports raising exactly these issues with customers saying, hey, look, there is a weak spot here. If someone were to do this, you know, it gets put down the list, you know, way below all of the other, you know, like easy technical issues to fix, you know, like go update this or patch that. That's straightforward for them to wrap their heads around doing something about these ones. They go, eh, that sounds complicated. Kind of big picture, kind of, you know, ecosystem, eh, that's risk accepted. Next.
Patrick Bray
Yeah, well, I mean I think, yeah, outsourcers and SaaS is the other one. Right, which you gotta worry about because we used to worry about this when it was infrastructure as a service. Like we used to worry about, well, what happens if there's bugs in AWS or whatever and your pen testers can't, you know, go and hack AWS. And mostly, I mean, they're doing a really good job of that with the exception of Oracle. Right. They're the ones that aren't that do not appear to be doing a good job with that. But you know, I think with SaaS, when it comes to major SaaS, you're mostly okay, but there's so much like, so much of this stuff. Right. Like God knows what it was, whether it was an outsourcer or an, you know, a SaaS platform or a combination of both. And, you know, more and more that's how business operates these days. And more and more we're going to see third party breaches just like this. I mean, it's hardly new though, but I think it's just ubiquitous now.
Adam Boileau
Yeah, I mean, I guess it's a good reminder that as we improve other things, you know, the deployment of like passkeys and multi factor everywhere and things that make traditional hacker trash of like stealing creds and logging in. Once that goes away, it doesn't mean everything's secure. It just means people are going to start looking for other things that unfortunately are probably going to be more difficult to defend than just bad passwords. I mean, the rise of info stealers as a credential source already suggests that we're kind of getting better at not just having Monday1 as our password for half our user base. Because that's the default when someone, someone joins or whatever, you know, these attackers don't go away. Right. They move and they find something different. And unfortunately, fixing things is just going to kind of get more complicated as the attack surface gets more, you know, gnarly.
Patrick Bray
Yeah, gnarly, Good choice. But it is like it is squeezing the balloon, right? You squeeze the balloon and yes, it does not get smaller. Unfortunately, it's enough to make one. You know, given enough time in this industry, it's enough to make one maybe a little bit jaded.
Adam Boileau
Yeah, yeah. I mean, the amount of people who work in this field who are like, I'm just going to quit and go be a llama farmer or something. Yeah, that's the joke farming. That's the future.
Patrick Bray
Yeah, yeah, the joke LinkedIn thing, which is, what is it like, you know, sysadmin through to CISO and then goat farmer seems to be the correct career trajectory. We got a story here from Cyberscoop about AT&T making some changes. They've got like an account lock feature now which is supposed to be, that's supposed to make SIM swapping harder. I think this is good. I do worry that things like this, if they're not properly implemented, which is very difficult to do at scale, just turn into speed bumps for people like, you know, the Com kids.
Adam Boileau
Yeah, yeah, exactly. I think this is a feature they've launched where in their mobile app you can basically put a lock on your account that prevents number porting, changes to details, you know, changes to numbers and other bits of, you know, of your account setup. And if you do want to do those things, you have to go turn that off in the app. The natural question is, what do you do if you've lost your phone, you don't have the app, or you can't sign into the app for whatever reason, what does that flow look like? But I guess, you know, anything that adds, even if it is just a speed bump to Com kids doing SIM takeovers, we're going...
Patrick Bray
To make them drive over that speed bump.
Adam Boileau
Yes. I think the AT&T docs did say that at least if you turn this account lock feature off, it sends a message to all of the numbers in the account and emails everybody and so on. So, yeah, you know, you've got a chance that you might spot it happening, which is why of course the Com kids will do it at 2 in the morning, you know, or on a long weekend or when you're at the pub.
Patrick Bray
So yeah, yeah, I just would have thought like even standard things that they don't do, which aren't always going to work, but like trying to ring the person who's being SIM swapped. Like they're like, I lost my phone, I need to SIM swap, ring the number and see if it rings, see if someone picks it up, you know what I mean? Like maybe put a 24 hour delay on it. I don't know, it's just always seemed way too loose. So look, it's good that they're doing something there and maybe that'll slow a few things down, I don't know. Let's talk about some more meaningful changes now. So in the wake of this, you know, CrowdStrike disaster. When was that? Last year?
Adam Boileau
Yeah, I think it was 2020. Yes, last year. 2024.
Patrick Bray
Yeah, yeah, yeah. So Microsoft made some noises about how they were going to, you know, change things basically to try to make Windows more resilient to this sort of stuff that involves a combination of things like encouraging security companies to move as much as possible out of the kernel, which seems quite sensible actually. And you know, encouragingly, they didn't just knee jerk, they weren't like everybody's got to get out of the kernel. But now they've got like a bit more of a roadmap for what those changes are going to look like. Now one of the things they're doing is, you know, and they sort of buried it in their report, in their blog post about this. And we're like, oh, we're releasing all of these features to help people get out of the kernel. It doesn't look like they're. They haven't said whether or not they're going to kick everyone out, but it doesn't feel like that quite yet to me. I think what they're going to try to do is see exactly what they can get out before they make any further decisions and, you know, and whatnot. But they've also introduced a bunch of like, recovery features and stuff, which should help quite a lot next time. Well, you know, hopefully there's no next time, but next, if something like this were to happen again, these features would make a real difference. Can you just walk us through exactly what they got planned here?
Adam Boileau
Yeah, so it's kind of multipronged approach. One is they've been talking a bunch with security vendors about kind of what they want from an API, what do they need to do in kernel, and is there a way to be provided that those services, those callbacks, whatever it is, out in user space. So that's kind of one tack. The next is there are a bunch of guidelines from Microsoft about how you should deploy updates for this kind of like really privileged software. So things like, you know, staggered rollouts, ring deployments, you know, sort of best practice stuff that some vendors do.
Patrick Bray
Well, what was funny is like how much emphasis there was on the, in the Microsoft post about ring deployments. Like, you can almost tell the people writing it could not believe that CrowdStrike weren't doing that, you know, and they're making it a requirement, like if you want to have kernel access, like you have to do ring deployments. And like, they shouldn't have to demand that people do that. Like, it was that was that, that was the sin. Right? If you look back on the CrowdStrike thing, you know, it was this weird confluence of events. They were very unlucky for that to have happened. It is a well designed, like if you're going to be in the kernel, it was actually very well designed. They just got really, really, really unlucky. But that's why you do ring deployments in case you get really, really unlucky. So anyway, sorry I cut you off.
Adam Boileau
Yeah, yeah, yeah. So that's. I guess that's the. The second part is some better guidance and requirements for vendors that are going to have this access. And then the third bit that you mentioned is, when it happens, what does the recovery process look like? So Microsoft has been introducing a. So there's already like a Windows recovery mode process. But one of the problems was stuff was getting stuck in kind of recovery mode and not able to get updated. And there were a number of clever hacks that people came up with to try and remotely recover machines that were stuck in a reboot loop. But Microsoft's kind of formalizing that structure and then introducing a mechanism for administrators to deploy updates to machines that are in, like, recovery reboot mode. So better resilience for an overall fleet. In the event something terrible happens, you don't actually have to roll truck and go and visit every physical machine or get along the console of every server or every virtual machine or whatever else, like some mechanisms to automate that process. And that seems like good progress, you know, regardless of what thing goes wrong, you know, with people's machines, having a mechanism to recover them at scale clearly is something that we needed.
Patrick Bray
Yeah. And I'm sorry to all of the listeners who might have been triggered by this conversation, you know, having flashbacks like that. What's that GIF of the dog having the Vietnam War flashback dog. So, yeah, sorry. Sorry for, you know, going full flashback dog on you folks. It was pretty full on. All right, so Microsoft is also making some changes to app consents in Entra, which is a very positive thing. These are baby steps, though. So it was a listener who alerted me to this through the. The Entra chat podcast, which is a thing that emanates from the bowels of Microsoft. It even has a theme song involving singing the words entrachat, which I find incredibly cringe. But it is really good that they're actually out there talking about this. And indeed, there was a young woman there, Erin Greenlee, who. And you watched this whole thing and you were like, you know, this is a smart person making a lot of sense. But it does seem like these changes are baby steps. Like, walk us through what exactly they're doing here.
Adam Boileau
So the deal is that in a Microsoft, like, Azure tenancy, the app consent process at the, like the current default. Default is end users can consent to stuff, and you can change that, but the default has been end users can just consent to whatever. And that has led to a proliferation of apps that are consented for access to people's cloud resources that have too much permission or aren't really used or the opportunity of social engineering people to grant access to apps into their work environments. There's just a whole bunch of bad stuff that has happened. And the plan here is that they are going to change the defaults so that admins are required to consent to certain kind of high privileged access. And in particular one of the permissions that you can grant is like read write access to all files or read write access to the directory. And these are things that there's not often a good reason to do and often it's abused by app developers just because it's easy.
Patrick Bray
Rather than specific permissions, there often is a good reason to do them, but that's going to be something that is going to be rolled enterprise wide. Right? It's not something you want a user to be, it's not permission you want a user to be able to grant.
Adam Boileau
Exactly. And so the new default settings will be that for certain privileged, particularly powerful permissions that the user kind of has already, but that it's not desirable for them to be able to just grant willy nilly. Those are going to be restricted and require admin consent. And as an admin you'll be able to configure exactly which permissions meet that threshold. Set up escalation. There's some options for delegated so you can delegate. Some permissions can be approved by the mail team and some can be approved by the desktop team, whatever. A bit more granular and powerful control. The downside is a bunch of this is going to require you to talk PowerShell to an API rather than pointy clicky. But as you say, baby steps. But it's, you know, overall it's just good that they are thinking about this and you know, the era of, you know, people just being able to grant access to all of the corporate resources at a click without really even understanding what they're doing. Like that's the thing that Microsoft should probably end and it sounds like they're on the road to do that so.
Patrick Bray
Well, they should have done it five years ago, which is my beef here, which is like, oh, it's great you're doing this thing that you should have done in 2018.
Adam Boileau
Well, I guess we didn't really understand how.
Patrick Bray
Yes, we did. We talked about it at the time.
Adam Boileau
We did, but we, the ecosystem, we the industry as a whole, like we didn't really know which cloud model was going to win. We didn't know if we were all going to end up in some like Oracle cloud future or whatever. Instead of the Microsoft one. Like, you know, the current mess of OAuth granting and federated authentication and so on and so forth is just, you know, it took us a while to. Better than. Unfortunately, we're doing it on the Internet with all of our, you know, the businesses that run the entire Western world. So it's a little bit of a YOLO time.
Patrick Bray
Indeed, indeed. And yes, Erin Greenlee is the product manager for App Consent on Microsoft's App Platform team. That is a real job title. And she sat down with host Merill Fernando to chat about app consents for one hour and 12 minutes. And that is on YouTube. And you can find it. Although, Adam, you said that, you know, you were sort of impressed with the understanding sort of being shown there, so.
Adam Boileau
Yeah, yeah. I mean, it felt like quite a lot of thought has gone into this and you get the feeling that there are absolutely pockets of competence at Microsoft and this is one of them. But, you know, the overall big picture is still like, we're a way away from where we need to be, you know, big picture, ecosystem wide.
Patrick Bray
Yeah. Now, if only we had a sort of recent example of how this can go wrong. Oh, look, we do. We got this blog post here from a company I think, named modzero, which is looking at a pretty disastrous Synology backup thing. Right. So you've got this Synology Active Backup for Microsoft 365, which already I have so many questions. So this is. This is a backup product for your cloud. So this is if you, like, don't trust Microsoft to back up your cloud data and you would prefer Synology to do that for you, like in your house. Is that the basic idea of this product?
Adam Boileau
That's basically it, yes. If you have a Synology NAS and you want to back up your stuff out of Microsoft cloud, then this is the kind of the plugin that you use to do this. So you install the Active Backup app on your Synology and then you have to authorize that into your cloud environment so that it can then read and write stuff.
Patrick Bray
And how do you authorize it into your cloud?
Adam Boileau
Well, so there's like an initial kind of setup process where you have like an OAuth grant that you give that creates an account in your Microsoft environment, which then gets passed off to Synology, who then pass it back to the NAS through some back channel and then it provisions through that basically admin access to your cloud so that it can back stuff up. And it does that part of it, like getting admin access to your cloud is kind of done as you'd expect with grants and blah blah blah. But the initial setup step where you are approving this app into your environment, there's something kind of weird going on. And these researchers, this security company, modzero, they were red teaming a customer that used this product in their cloud and were looking around and decided to install it themselves and look and see how it worked.
Patrick Bray
Which is a lot more effort than just telling them not to run it because it's a bad idea.
Adam Boileau
But anyway, well, you wanna be informed about these things when you're giving.
Patrick Bray
You wanna know why it's a bad idea. I guess you wanna point it exactly.
Adam Boileau
'Cause otherwise computers are a bad idea. But that's not. You can't just write that in the report and collect a check, which is you'd like, but no. So they pulled it apart and they were like looking at the web requests going back and forth and they saw a username and a password in one of the requests and they're like, well that's weird because this is all OAuth-y, you know, token-y, like why is there a credential going past? And they pulled the thread and it turns out this credential is shared by. So this process creates accounts in your service principals in your Azure tenancy. But the process that creates this seems to have a hard coded password and so they checked and yes, they can auth with this password and then they checked Synology's own Microsoft tenancy and it works there too.
Patrick Bray
So they've created a password for everybody.
Adam Boileau
So they've created the password for everybody. And then this particular cred has relatively restricted permissions, but amongst the permissions it does have is read all your Teams messages, which is not great. And I think if it's. I was a little unclear if it's read everybody's Teams messages because like you do have to be admin to do. Yeah, it's a bit confusing. But then the other weird thing is that there does not actually appear to be any legitimate reason like this password is not actually used in any legitimate flow. It seems like maybe at some point they were trying to do it just the easy way with passwords and then they moved to doing it the correct way with, you know, tokens and blah, blah blah blah. It gets kind of a bit murky but maybe they didn't tidy it up. So this all seems pretty bad. Like being able to just log into anyone's Microsoft tenancy that uses the Synology product and read their Teams messages seems bad. But the thing that's kind of worse also is that Synology's disclosure of this bug really underplays what the bug is and says that no one has to do anything. Even though as best I can tell, all of their customers that use this kind of need to go roll credentials at the very least, let alone look at the access logs or whatever else. Synology's actual advisory is like, "allows attackers to obtain sensitive information by unspecified vectors." Like, that's the entirety of.
Patrick Bray
It's weasel language if ever I've heard it. Now let me riddle me this, right, because I want to connect it back to our previous conversation. What is to stop a typical corporate user connecting their Microsoft 365 account to this via OAuth?
Adam Boileau
Um, I think at some point in this flow you will need to be a global admin. So you'll need to be.
Patrick Bray
Oh really? Okay, okay, okay.
Adam Boileau
In this process. So an end user I don't think can do this.
Patrick Bray
You have to be an admin.
Adam Boileau
I think you have to be an admin to do it. Which I guess is good. But the fact that the other. I guess the problem is I'm not clear.
Patrick Bray
Yeah.
Adam Boileau
And that is kind of the bigger problem is I don't really know if you know, an end user can consent to some of these things and like do half this process or like it doesn't. I mean, no, I.
Patrick Bray
Look, the fact that the OAuth grant says review for your organization because they've got a screen cap of the OAuth thing, the pop up, the fact that it says review for your organization tends to suggest it's admin-y. I think.
Adam Boileau
That you do need to be global admin to at some point in this process. Like there may be some bits that don't have to be admin, but either way it's not great. And the fact that no one really understands how all of this works enough to design sensible, you know, kind of like how should we back up our stuff to our NAS in our house and do so in a way that doesn't result in everybody in the world being able to read your Teams messages? Like I.
Patrick Bray
Well, I guess What a world.
Adam Boileau
What a world.
Patrick Bray
I guess it's my mistake. It doesn't really connect to the previous story because it is an admin doing the consent. Probably. But we don't know. But maybe. But anyway, I don't know. It's just a strange. It's a strange old world and computers.
Adam Boileau
The point is that Cloud Auth is weird and hard.
Patrick Bray
Yes, exactly. Right. So let's move on to a story now where, look, we're just going to mention this one briefly. You know, some hacker linked to Iran, this is the person calling himself Robert, who leaked a bunch of stuff I think during the presidential campaign, is now threatening to release more emails. I mean, really care factor pretty low on that, I would imagine. And we've got all of these reports too, talking about US Government warnings about Iranian threats against US critical infrastructure and whatnot. You've got also the, you know, mostly the sort of MAGA right, predicting there's going to be massive terrorist incidents because of these Iranian sleeper cells that crept into the country under Sleepy Joe's watch. You know, so there's all of this like, you know, fear being pumped about Iranian cyber attacks and we have not seen any really. And I just have this feeling. And Tom, our colleague Tom Uren, he's working on that this week. He's writing about this for Seriously Risky Business tomorrow, which you can subscribe to at risky.biz. You know, I think once the bombs start flying around, you know, doing something that doesn't achieve a military aim but causes a bunch of damage, like attacking US critical infrastructure, like opening a dam in the Midwest, I don't think is really going to do anything good for Iran. And they're not dumb. So I just don't think it's going to happen. What do you think about this? Because for the last like two weeks we've just been looking non stop at news headlines coming into our, you know, central sort of news repository where we scrape everything into. And it's just been this constant drumbeat of fear about Iranian attacks and no actual attacks.
Adam Boileau
Yeah, yeah, but there really just has not been much to show for it. And you know, when we did see like, what was it, some Iranian attacks in Armenia, was it we talked about.
Patrick Bray
That was like MEK stuff that was.
Adam Boileau
Nothing that was MEK related but like just kind of not very exciting and.
Patrick Bray
Yeah, they took down a municipality's website or something.
Adam Boileau
Yeah, yeah, exactly. And I guess the, you know, the problem is like, yes, they have cyber capability, yes, they can do cyber, but they don't want to do cyber. That's escalatory. And if you want to do cyber, that's not escalatory. You haven't really got very much left. Like you could only really do inconsequential stuff.
Patrick Bray
Well, that's why I think the hack and leak, that's why I think that we might see the hack and leak stuff kind of kick off again. Because what, they dump a couple of mail spools that doesn't justify a bombing run, but taking out some critical infrastructure does.
Adam Boileau
Yeah, yeah, exactly. So we, we might see some, you know, Roger Stone emails or whatever and like, maybe there's something in there. But like, the US kind of already elected Trump, it's a bit late for that.
Patrick Bray
Yeah. And it's not like he's particular. Like, he's, he's just one of those, he's Teflon. Right. So I mean, this is a guy who's making millions and millions of dollars out of like, you know, coins and selling fragrances and doing all sorts of stuff that's like very, very unconventional. And I just don't think you're gonna cause him much political damage with a bunch of leaked emails. And if they were that damaging, they would have released them already.
Adam Boileau
Well, exactly. Yeah, exactly.
Patrick Bray
So, but of course, now we've said this, probably, you know, immediately, something really, really bad is gonna happen. But it is just our feeling internally, isn't it, that it's, it's unlikely that they're going to do anything real.
Adam Boileau
Yeah, it doesn't feel like it. So. But hey, you know, maybe we'll be wrong. Maybe we'll have a really juicy episode after you come back from holiday.
Patrick Bray
Sorry if we cursed you all by saying that. Now, look, let's talk about these AMI MegaRAC bugs. These bugs were disclosed in 2024. I'm almost certain we spoke about them at the time. But these are like lights out management bugs in lights out management stuff used in data centers, which is, you know, look, if someone's actually going to use these things like it's, they're using them, you're in trouble. Right. If you're dealing with this sort of stuff. And it looks like CISA has just added that stuff to the KEV list. So we've got a report here from Dan Goodin looking at that. That's not good.
Adam Boileau
No, no, it's not. I mean, these, it makes sense that these bugs are going to get used in the world because they're pretty trivial. I mean, the bug that Eclypsium found was a, like you can basically bypass auth with an HTTP header, which. That's not great. In a lights out management system where of course you've got access to the underlying hardware, the underlying disks, you can bypass early boot security controls. You can do all sorts of really good stuff with access to these things. And you know, most people hopefully don't put their lights out management systems on the Internet. Obviously some people do, which is not great. But there's also the case of like if you get any bug where you land on some server, so web app bug or whatever else you can usually quite often you can reach the lights out management system locally from the machine. So as an escalation vector, once you've got any form of compromise.
Patrick Bray
Yeah, instant lateral movement to everything everywhere basically as soon as you.
Adam Boileau
And also just as a privilege escalation vector, being able to go from an unpriv like web user on a box to I control the lights out management system on that same hardware, you bypass all the rest of the OS security controls. Plus there's not really going to be great logging up there. There's not going to be any EDR, like it's a great route to go down. So I'm not surprised that people are using it. The other aspect that's complicated about this is lights out management software tends to be, because of the integration with hardware tends to come from the BIOS manufacturers or the hardware vendor, you know, with a licensed tool from a BIOS manufacturer.
Patrick Bray
So what you're saying is this will be easy to patch?
Adam Boileau
Yes. So like software supply chain patch, like patch supply chain wise. This is messy and that's one of the reasons I imagine it's ended up on the KEV is that, you know, there are a dozen hardware vendors using AMI's MegaRAC, you know, lights out management framework, either under license or however that, you know, the commercials work. So, you know, very reminiscent of the Android ecosystem in terms of how quickly things can get patched.
Patrick Bray
Yeah. And look, staying with bugs. Right, we've got a new one to talk about here, which is a bug in Citrix NetScaler, which is a 9.3 CVSS. And you know, last time we saw something like this, it got a fancy name back in 2023, Citrix Bleed. And I remember when that one came up, I think that was when I was in the US and I just remember saying to some people, like everybody's about to get owned with this and it actually happened like instantly. Right. So I'd imagine that, yeah, certainly by the time I'm back in a couple of weeks, we'll be talking about all of the people who got owned by this. But this bug looks bad.
Adam Boileau
Yeah, it's very similar to the original Citrix Bleed. So it's a memory leak where you get the contents of some kind of other parts of memory back due to, I'm assuming like buffer mismanagement somewhere. But the real issue with these is if you leak memory and that memory happens to contain session tokens of in-flight communications, which is pretty likely, I guess, if you get, you know, get lucky in that bit of memory and the attacker gets a session token. They are now post-auth, which bypasses multi-factor. And that's the thing that really made a mess last time is like people assume the multi-factor makes it okay to put this stuff on the Internet. But if you can steal a session token and ride an existing session or, you know, take over an existing session, then yeah, like all the auth in the world doesn't really help you. All the Okta, all of the other controls, all of that login stuff, all the impossible travel, all of the things you do at the login step are no use if you have stolen the post-auth session, you know, authorization material. So. Yeesh.
Patrick Bray
Yeah, I mean, it's like people don't think about stuff like pre-auth RCE either. They just don't think about it because they're like, oh, you need to log into it. It's like, well, if there's pre-auth attack surface there, like, no, you don't. Authentication is not access control to this stuff, really. No, it's really not. You know. Anyway, got a great story here from Andy Greenberg. I mean, this is, we're seeing something that I feel like I've predicted on the, on the show, which is that the weak points in these North Korean, you know, fraudulent IT worker schemes has always been the laptop farms. And it was my feeling that once the FBI had turned these sorts of investigations into those laptop farms into a process, which is often how they tend to do it when they're cracking down on a crime type. Once they've got a template for how to enforce and investigate and enforce, that's what they do and that's what they're doing. So we've seen 29 laptop farms across 16 states in the United States being shut down, computers seized, people arrested, and yeah, they're, they're, they're going at it. So I think the, the easy wins for the North Koreans, you know, just using these laptop farms, I think that's going to get harder for them, but they'll pivot to something else, whether that's residential proxy networks or whatever. But it's going to be harder, I think.
Adam Boileau
Yeah, yeah. I mean, it's certainly there's a number of steps in this process that are just made easier by having a physical presence on the ground. Right. I mean, things like having identity cards and all of the other like, bits and bobs you need to go through initial employment validation, like when you get onboarded or you go through the hiring process. So there's kind of like a bunch of that stuff that these people were facilitating. And then there's the receiving the laptop, plugging it in, operating the infrastructure for the North Koreans to access it. I think there were like 200 computers all up seized across these, the, you know, 29 or so laptop farms. And it seemed what they were using was like IP KVM. So they would plug these devices into the USB and video output, USB input video output of these laptops and then the North Koreans would use the console through an IP KVM which you know, I imagine with the round trip time to Pyongyang, Internet probably not a great user experience. I mean can you imagine having to log into someone's enterprise Citrix via an IP KVM of a laptop in someone's basement in Missouri?
Patrick Bray
Like I don't think, I don't think these guys are actually based in Pyongyang. I think often they're based all around, all around Asia. But yeah, like the round trip time is still going to suck.
Adam Boileau
Yes, it's still going to be a terrible user experience. Can you imagine having the video, video conferencing because I mean we've seen plenty of stories about like, you know, these North Koreans don't show up on cam on their video conferences. Yeah, it's because they're having to use an IP KVM to video conference because they're.
Patrick Bray
Gonna look like a, they're gonna look like a slideshow.
Adam Boileau
Well, exactly like. And then like USB pass through for camera. Like it's just. Yeah, I think was it one of the UK retailers was making people turn on their cams because they were worried about hackers in their environment. Like maybe that's another way to deal with, you know, North Korean workers is, you know, actually having a functional camera across this big or this kind of janky of a connection. Not going to be a good time. So that's how you, that's how you can detect it. But anyway, you are right, this is an easy place for them to round people up and the fact they are doing so is good. I think we've only seen two of the farm operators identified, both in New Jersey. But I imagine we'll see details of more as they unveil the rest of the prosecution documentation and stuff.
Patrick Bray
Well, and I think they're using these laptop farms for a reason. Right. To give them that local presence. But there's got to be a reason they're not using residential Proxy networks, which would be the obvious way. And it's just something about actually having a computer. Like there are ways to detect when a computer is sort of physically located roughly somewhere. I just don't know how. Like, it would be harder to do this through a residential proxy network, I think. Yeah.
Adam Boileau
Because, I mean, otherwise you have to get the physical laptop to them in Pyongyang or wherever they are, wherever they're hanging out, and then you've got to try and tunnel everything back through, which, I mean, you could do. You could give them little Linux boxes that Tailscale it or whatever outside someone's residential proxy network. But I imagine the logistical side of that is also complicated. Physically getting the laptop there and then the consequences of any OPSEC breach at that point. Right. Because if you start going, where do the Wi-Fi networks around this corporate laptop think it is? And it looks like it's in Taipei or where.
Patrick Bray
Yeah, exactly. Right. Like, it's just complicated.
Adam Boileau
It's better in the US, you know.
Patrick Bray
Yeah. There's reasons it's easier just to do it that way. Meanwhile, in Russia, and this is not the first time Russia has done this, but they're increasingly cracking down on Cloudflare. Like, it's like getting real hard to get to Cloudflare, you know, websites behind Cloudflare in Russia. Roskomnadzor has been saying this would happen for quite some time, so there's no real surprises here. I think, interestingly enough, it really is because Cloudflare uses Encrypted Client Hello, which means that it's quite easy to bypass things like censorship restrictions by tunneling traffic through Cloudflare, and that's really why they're doing this. So if you want your website to be available in Russia, you can't. You just can't sort of use Cloudflare, I guess, is the moral of the story.
Adam Boileau
Yeah, yeah. Apparently they are dropping connections after the first 16 kilobytes of data, which ain't going to get you very far. That's enough for a TLS connection stand up and, you know, maybe a, you know, the page header to come through, but that's about it. So, yeah, pretty. It must be pretty rough being on the Internet in Russia at the moment, you know, because, like Cloudflare, it's a pretty big swathe of the Internet.
Patrick Bray
Yeah. And Cloudflare didn't leave Russia after it invaded Ukraine, saying at the time, Russia needs more Internet access, not less. Very Cloudflare-like response. All right, so an interesting one this week, we've got a report out of the FBI. It's partially redacted. It's really interesting. It looks at the risks posed to FBI operations by what they call ubiquitous technical surveillance. And it's got some amazing anecdotes in it from 2018 about how the Sinaloa cartel, I believe, was able to surveil FBI personnel. I don't think they were actually agents. I think they were like, it was a legal attache in one case and whatnot. But they were. They were doing sophisticated, fairly sophisticated technical surveillance of FBI personnel in order to locate sources and witnesses and murder them. Which is really not great when you're the FBI. Like, if you are actually leading the cartel to the identities of the people who are, you know, being witnesses and sources against it so that they can be murdered. I mean, really, that's just not doing your job properly, I suppose. Perhaps these risks weren't as well understood by FBI in 2018. They certainly would have been understood by other agencies like CIA. But really, this report just is looking at, like, what a threat this sort of stuff is to its operations and how they really need to mix up the way they do things. And it's an interesting report, as I say, and I think Tom is looking at this one for Seriously Risky Business this week as well.
Adam Boileau
Yeah, I mean, the idea of law enforcement agencies having to operate in a. I mean, what do I say, Contested information space is that, oh, they've got some euphemism.
Patrick Bray
I can't remember what it is right.
Adam Boileau
Now, but yeah, you know, it kind of makes law enforcement feel more like, you know, intelligence work, like foreign intelligence work, because you're, you know, operating in an environment that is surveilling you and has all these kinds of interesting tooling and, you know, the sort of trickle down of surveillance techniques into the. I guess. I guess criminals are private sector, you know, does kind of change things a little bit. So some of the examples they gave include things like compromising the phone of. I think, as you said, it was attache or something, to be able to see who they were calling, who they were talking to, track location. There was some other reports of, you know, cartel hackers breaking into camera systems around Mexico City and using that to track movements of agents and so on. So, you know, kind of movie hacking in a way, like. Which has got to be pretty scary when you, you know, if you're an agent or. And certainly if you're cooperating with, you know, with drug enforcement agents or whoever else, you know, the fear of being murdered by the cartel for snitching, you Know, anything that increases that fear is good for the cartel, even if it's not necessarily real in all cases, like, you know, the idea that they have this kind of spooky capability, you know, put people off, even if it isn't real in all cases, you know.
Patrick Bray
You know, get yourself a Stingray on Alibaba and buy some data from a data brokerage and you know, you're off, you're up and running. I don't know that. Did they compromise the phone or. I thought that was more that they were surveilling and it felt more like Stingray from the bit that I was.
Adam Boileau
Yeah, it may have been Stingray. It may have been like some of the SS7 tracking tricks.
Patrick Bray
Yeah.
Adam Boileau
Figure out what cell site a roaming phone is associated with. It was a little like, there's enough kind of redaction and uncleanness in this that it wasn't, you know, I wasn't clear if it was on device compromise, something like a Stingray or something like a, you know, some other mechanism, you know, via.
Patrick Bray
Well, the point is that electronic surveillance, this type of surveillance has been democratized to the point where organized crime can use it. I've had some fascinating discussions with people who are sort of intelligence community adjacent about like, you know, this is sort of a related topic. If you wanted to put a, you know, a human into a human spy into somewhere like China, you just sort of can't anymore without them knowing. Right. Because one photo of that person on the Internet, you've got their identity with things like facial recognition and whatnot now. And if they don't have any trail on the Internet, well, that's suspicious too. So, you know, how do you even have a legend for. It's very, very hard. So, I mean, I'd imagine there would be some interesting recruitments to solve that problem where you would really need to take people who have established identities, doing something quite benign and, you know, patch them in and make them spies. I don't know, maybe that's one solution. But how sustainable is that? I don't know. But look, the report is an interesting read and again, Tom's going to have some more coverage on that tomorrow. We got one here from Alex Martin over at the Record, which is looking at NATO members are sort of being squeezed by the Americans to increase defence spending to 5% of GDP, which does seem a little bit high if I'm honest. But what they're doing is they're taking like 1.5%, so they'll do 3, 3.5% on core defence, 1.5% is going to go to other stuff like, you know, infrastructure, security improvements, cyber, things like that. So I'm guessing there's going to be a bit of a spending boom in Europe thanks to this, which is like, sure, yeah, we're spending 5% on defense, but it's not more planes and tanks.
Adam Boileau
Yeah, it's Microsoft 365 licenses.
Patrick Bray
It's like E5 and more CrowdStrike.
Adam Boileau
Yeah, yeah, yeah. Which I guess whatever way they want to weasel it. But it is a bit funny to go like, yeah, okay, we're going to classify our Fortinets or whatever as defense spending when actually it's probably making it worse.
Patrick Bray
I was just wondering if oddly this could actually work out quite well, which is to sort of think of this as national defense because it's all pretty ad hoc in most countries, right. When it comes to like the way civilian government systems in particular are defended. Like, you know, let's see how this plays out. It could, could turn into a really good thing.
Adam Boileau
Yeah, it's certainly possible. It's not often we have glass half full moments on the show, but yeah, it's possible. Like maybe the kind of coordinated purchasing and sort of, you know, the, the process that would go along with, you know, defense and air quotes spending, you know, maybe, I mean, despite all budget overruns and all sorts of cost overruns that go into, you know, normal military procurement. But like, maybe that procurement process will result in better outcomes than ad hoc purchasing or whatever it is that we do at the moment in the, in the IT world. So yeah, maybe, maybe.
Patrick Bray
We live in hope. Meanwhile, the United States government has sanctioned a bulletproof hosting provider. According to this piece by Matt Kapko over at CyberScoop, it's called the Aeza Group, A-E-Z-A. They were linked to like Lumma Stealer, Meduza, BianLian, RedLine, a whole bunch of stuff. I mean, look, sanctions are nice. I kind of prefer what ASD did though to a, to a bulletproof host, which is to release the rm -rf shark and just burn the whole place down. I would much rather see them do that than this, personally.
Adam Boileau
I mean, you know, why don't we have both? Why not sanction them and burn them down? That would, you know, I mean, that's.
Patrick Bray
Good, but I feel, I feel like just actually destroying their operations is just a better way to go.
Adam Boileau
Yeah, I mean, ultimately those bulletproof hosting providers are such an important part of that ecosystem. So like anything that makes people not trust the bulletproofness is good. And I guess maybe being sanctioned suggests, you know, that other stuff may be happening to them or that they are targets for that. But, but you know, yeah, it would be better if they just rm -rf them off the Internet. I'm with you, yeah, yeah.
Patrick Bray
And meanwhile, this guy, Kai West, 25 years old, apparently known as IntelBroker and was behind, you know, a bunch of hacks and one of the BreachForums, because apparently there's more than one. I don't track this stuff very closely. He's been arrested. Walk us through this one, Adam.
Adam Boileau
Yeah, so like the name BreachForums has been. There's sort of a dozen different forums over the years that have had basically the same name, the same design and many of them are sort of every time one of the BreachForums gets raided or shut down or seized or whatever, that sort of splinters into two more ones with some admins from the last one or some high ranked users from the last one starting their own fresh one. So it's a bit of a mess. But yeah, this guy, I think he was British and then the rest of the admins of this instance of BreachForums were Frenchmen and they were running, you know, essentially the same kind of thing as like Pompompurin was, even though unrelated other than the fact like name and vibes. But yeah, they were involved in. There was one kind of high profile thing that this particular BreachForums was into.
Patrick Bray
Oh, I think it was at the.
Adam Boileau
23andMe maybe, there was something I forget. Like it's hard to keep track of because the names are all the same, many of the same people on the different instances of the forums and then they're all getting arrested and talking smack about each other and like it's hard to keep track but either way like some people have been arrested and I guess, you know, now we'll have another five new BreachForums run by different people.
Patrick Bray
Yeah, and Daryna Antoniuk over at The Record has reported on some arrests in Spain. Five people arrested, over $542 million worth of crypto scamming. So they apparently fleeced 5,000 victims worldwide. I'm not really sure if this means they're operating some of these compounds in Asia or whatnot, but either way people doing bad stuff at quite a high volume. And they've been arrested.
Adam Boileau
Yes, I think a couple of them, three of them were in the Canary Islands. So like Tenerife I guess is a good place to run your, your scamming business.
Patrick Bray
But yeah, I mean if you're going to do crime right, you may as well Work from home, somewhere nice.
Adam Boileau
Yeah, exactly, exactly. But, yeah, they were. There was a bunch of like, mules that were cashing out and then like via ATMs, cashing out people's bank accounts and then depositing that and then that was getting sent onwards through cryptocurrency. So it's kind of part of this money laundering, you know, kind of merry go round and then all of the crypto investment scamming that was feeding that. So. Yeah, I mean, $500 million is not a small operation.
Patrick Bray
No, it's not. And just a reading list item, I guess, more than anything else. James Reddick at The Record has written a nice small feature about what life is actually like for people in those scam compounds. Basically a write-up of an international rights watchdog report into what life is like there. They interviewed 58 survivors of those compounds in Cambodia. Pretty grim reading.
Adam Boileau
Yeah, yeah, the, the. I think he links through to the Amnesty International piece and yeah, it's just, it's so hard reading like old people getting, you know, forced labor into being a criminal. Like, it's. Yeah, some of the individual stories are pretty harrowing and there's a bunch of details about, like, the compounds and the guards and the controls they have in place. So, yeah, it's, it's not really an enjoyable read, but it's, you know, this is the reality for a bunch of people who are stuck in these places. So, yeah, yeah.
Patrick Bray
All right, mate. Well, that's actually it for this week's news. Thank you so much for joining me. A pleasure to chat to you as always. And we'll do it again in three weeks.
Adam Boileau
Yeah, a lot of bad stuff can happen in three weeks. So I'm kind of looking forward to. When you get back. We'll be able to. I'm sure there'll be something terrible and enjoyable and we'd love a good disaster. So, yeah, good luck, Internet. We'll see you in a few weeks.
Patrick Bray
That was Adam Boileau there with a look at the week's security news. It is time for this week's sponsor interview now. And this week's show is brought to you by RAD Security. Now, RAD specializes in cloud security. They were formerly, like a couple of years ago, they were known as KSOC for the, I think Kubernetes. Kubernetes Security Operations Center, I think that's what the acronym stood for. But the point is they do a lot with Kubernetes, right? So they really know Kubernetes. They've done some really interesting work around like container fingerprinting as well. And they've done a lot over the last year in particular around AI. So that's what I wanted to chat with this week's guest, Jimmy Mester. That's what I wanted to talk to him about, which is like, what's the use case for AI in cloud and in Kubernetes? And here's what he had to say.
Jimmy Mester
Cloud telemetry is vast and ephemeral and it is generally noisy. So AI can really start to help us make sense of that. And a few different use cases that we're starting with would be, you know, the age old vulnerability triage problem. Right. You have, you know, a thousand different AWS accounts, a sprinkle of GCP over here, you have many thousand different images, packages, misconfigurations. It's a hard task to figure out what to work on first and what matters the most and what can actually prevent a breach. And we're finding that automating those workflows with the help of AI can help teams get that done much faster. At least the first 80% there's still work to be done, but it takes that burden off of their plate. So we're seeing a lot of success there.
Patrick Bray
I mean, so what does that look like? Right? So I guess one thing that's different in cloud world versus because we are talking about vulnerability management, but vulnerability management writ large. You know, a lot of the effort there, a lot of what you're really trying to do is apply context, you know, the unique context of your environment to a finding. Right. And that's something that I'm a little bit skeptical of how well LLMs are going to do there. I think it's a little bit less that case in cloud security because at least there's some uniformity there. But like you said, it gets you 80% of there, 80% of the way there with some of these workflows, like in what way can you make it tangible for us? Like how does that, how does AI help in one of these sort of cloud based, you know, or cloud environment vulnerability management workflows?
Jimmy Mester
Yeah, sure. So depending on where the data is coming from, we'll just pick on some of the sensors we've built over the years. You typically have a collection of SBOMs, right? SBOMs are annoyingly kind of dense and hard for humans to reason about. So we've built tools over the years, but you know, it still is hard to kind of take an SBOM and do something with it at scale. So something that we've been able to use the SBOM for is essentially helping build a RAG pipeline that stores the data. We can do similarity search with LLMs, understand like the ecosystem at whole and say like which of these workloads is most similar and help prioritize based off of how many times we've seen that application running, what types of clusters is it in, is it even live, which packages are in use. And then the LLM can help kind of rank order that. And then we overlay traditional cloud posture data on top of that to say, okay, we know this workload exists 500 times, we know that it's in a cluster that is in use, it's in production, and there's some external IP addresses tied to these workloads. And then you just keep kind of chipping away at the context until you get to the point where the LLM can help you kind of rearrange the Lego pieces and give you some actual insight on what to tackle first, second and third.
Patrick Bray
Yeah, I mean, I guess that's what I was getting at when it comes to cloud world because it's, you know, usually you're protecting a production environment and often the context can be as simple as is vulnerable is on the Internet. That's a priority. Right?
Jimmy Mester
So, yeah, yeah, but there's more elements that I think the LLM can, at least the adding LLMs can help us with that priority versus, you know.
Patrick Bray
Well, it helps you with the is vulnerable problem. Right. When you're actually looking at the SBOMs because you might not immediately be aware that you've got, you know, like Log4j is the example that everybody uses. Right? Yeah. If you've got those SBOMs and you've got LLMs understanding them, you're going to know where you've got a vulnerable library.
Jimmy Mester
Exactly. And another example that we've had success with too has been with our eBPF telemetry that we, we've had for a long time. We are able to see and inspect low level kernel information. Right. So like system level information, process tree, files that are created, network connections. So we've had customers who use that data and the LLM interface that we have, they can generate basically firewall rules based off of all like a 30 day average of traffic. Right. That we've seen. It's actual HTTP requests and they can start to build policies proactively that match all of that data that we've seen. And an LLM is a lot better at that than doing it manually. It's a hard task.
Patrick Bray
Yeah, but we've Been doing that sort of stuff with machine learning classifiers for quite a long time. What's the advantage of an LLM there? I guess often when people talk to me about things like these, like the advantage of an LLM is that engineering that thing, part of it is a lot easier when you're using LLM, when you're using.
Jimmy Mester
Yeah, can move faster. Like ML models don't need to be maintained over time. And I think the biggest advantage is just people like using natural language for this sort of thing. Like it's. Humans have imperfect questions. And I think the way we've built at least our chat interface is it's very much kind of an interview where you know, the chat will say, did you mean this? Do you want to see that? And then you can add, keep adding more context and ultimately you don't have to have any special query language or anything on top of it. The LLM can handle that.
Patrick Bray
Yeah, I mean, I think vendor specific scripting languages are dead. Yeah, thankfully. Right? Like, thankfully.
Jimmy Mester
Thank God, that was a long era.
Adam Boileau
Yeah.
Patrick Bray
And even before stuff like ChatGPT existed, it's like, you know, I do interviews like these and they'd be like, yeah, so we've got this great language, we've got this great query and you know, scripting language. And I'm like, oh God, no, you.
Jimmy Mester
Know, no, no more of that. Yeah, it's, it's not necessary now. Right. And like all of everything can be kind of translated into whatever language you want through that prompting. And then one more thing we have released too, that helps add a little more context is a knowledge base. So we've had customers who you spend years building internal policies, you have architecture diagrams, you have existing tickets from the past, you have pen test reports, SOC 2, whatever these artifacts are, they're, they're vast. And when it comes to cloud security, another kind of dimension of priority is like, does it matter to me? Right? Like it's one thing to say, is it connected to the Internet? Like everyone should care about that, but maybe you have a policy or some, something you're trying to protect that's buried in this sea of data. And the LLM is also pretty good at saying, hey, you have these vulnerabilities and they're even a bigger problem because you're, you know, you're have a FedRAMP deficiency or something, I made that up. But there's, there's ways to pull in internal data that can really make that effort, you know, even better. So we're excited about that too.
Patrick Bray
Now, one Thing I wanted to sort of query you on is it feels like we're in a pretty different place now than we were a year ago when it comes to the acceptance of AI, you know, actually in enterprises. Right. Like a year ago, people are like, I don't know, man. I don't want to let ChatGPT loose and causing damage here, you know, like, and fair enough too. But it sort of feels like, like it's matured a bit and there is just this growing acceptance where people are like, willing to give it a go. Right. They'll have a look at it, they'll say, oh, okay, cool, and they'll try it. Like, is that sort of your understanding of where we are as well when it comes to people using AI to do stuff like this?
Jimmy Mester
Yeah, I mean, we started a year and a half ago a little more than that, using it for our core runtime detection product. And I would say at that time it was like, we're curious, but you know, we're going to have to go through some hoops to do this. And now maybe it's a mix of people just threw their hands up and said, like, our team's going to do this anyways and we might as well pick the right one. And I think everyone's using AI for their day to day and they just got used to the, the way it works. Legal teams still have, there's still pushback for sure, but there's more of an ecosystem to run your own models to tie to somebody else's AWS Bedrock or something like that, where you can kind of defer the risk and put it back on, you know, the person using it. And we've seen some of our customers do that where they said, we love it, but you have to use our model. And you're like, okay, right. And we have a way to do that.
Patrick Bray
Yeah. And they've got some sort of weird policy and governance framework applied to that model, and that's what helps them work well. But doesn't that make your life harder? Because that model might behave in interesting, unexpected ways.
Jimmy Mester
Yeah, we've kind of taken the, the line of like, you can't just pick any random model or you're not going to have the same tool that all of our other customers do. So we have kind of a list of supported, more frontier models that help with that.
Patrick Bray
Yeah. Another question I've got though is like, so many vendors I'm talking to, their customers are like, okay, but we need to run this standalone model. Right. Like, nothing we do with this model can be used to train, you know, the model. So how does the model get better in a situation where everybody's running private models? This is something that I've worried, you know, that I, That I worry could be a bit of a, like, like a pain in the. You know, what for people like you who are trying to improve their products and you just. You get carved out of that visibility by legal.
Jimmy Mester
Yeah. And it's. Yeah, it reminds me of the time everyone forgets. But like, even ChatGPT, well, all the data on it not that long ago was what from. It was all a year old or something. And I think for us, we've leaned into, well, there's two things. One is token counts are rising, so you can start putting more and more in a. In a prompt. Essentially that's helpful, but also, I think RAG and vector databases, giving the model unique context in that way. It's not the same as like retraining a model and publishing it, but at least. At least it's a way to make it much more specific to what the customer wants. And it's unique. Right. And you can separate through tenancy.
Patrick Bray
Yeah, but how do you know this is the problem? How do you know when they've done something cool that you want to, you know, you want to make some changes across all of your customers because they've figured out something cool and you can't.
Jimmy Mester
Yeah, I don't think that's solved yet. Yeah, other. Other than them sharing it, which isn't gonna be the case all the time. So, you know, have you.
Patrick Bray
Have you had that issue, though, where people have bumped into like a corner case where it's doing something weird and like, just working through that without that inspectability, I imagine it's just a bit of back and forth. Right.
Jimmy Mester
Yeah, we. And we drew a pretty hard line on, like, we don't look at prompts. We don't. I mean, we don't see anything that's really happening. So, like, it has to be a conversation basically when. Because we don't, you know, we're a security company, so we would just jump on a zoom and try to reproduce it. Or, you know, we have ways to send kind of generic reports back to us, but I don't think that's totally solved yet. And these systems are so unpredictable at times. It's. You couldn't reproduce it if you tried.
Patrick Bray
Yeah, that's what I was going to ask. Like, how does that conversation go? Because you're like, oh, you jump on a Zoom call, try to reproduce it. And the model just won't.
Jimmy Mester
You're like, no, it worked this time. You're like, well, tell the model. I'll tell the model to do more of that, I guess. I don't know.
Patrick Bray
Yeah, yeah, yeah. Exactly. Exactly. All right, Jimmy Mester, thank you so much for joining us to talk about, like, where AI is when it comes to cloud security. Very interesting stuff.
Jimmy Mester
Yep. Thank you.
Patrick Bray
That was Jimmy Mester there from RAD Security. Big thanks to him for that. And that is it for this week's show. I do hope you enjoyed it. I'll be back tomorrow with the Seriously Risky Business podcast in the Risky Bulletin podcast feed. And then I'm off for a couple of weeks. But, yeah, until then, I've been Patrick Gray, thanks for listening.
Risky Business #798 Summary: Mexican Cartel Surveillance of the FBI
Release Date: July 2, 2025
Hosts: Patrick Gray and Adam Boileau
Patrick Gray and Adam Boileau delve into a range of current cybersecurity issues, from advanced persistent threats targeting major airlines to significant vulnerabilities in cloud infrastructure. The episode also features an insightful interview with Jimmy Mester from RAD Security, discussing the integration of AI in cloud and Kubernetes security.
Overview: The notorious hacking group Scattered Spider has shifted its focus from the insurance sector to the airline industry, orchestrating breaches at WestJet, Hawaiian Airlines, and Qantas.
Discussion: Adam Boileau highlights the pattern of third-party platform breaches, emphasizing the group's expertise in exploiting outsourced relationships. Patrick compares this wave to the LulzSec era, underscoring the persistent threat posed by such advanced groups.
Notable Quote:
Patrick Gray (02:28): "This almost feels a little bit like, for those who are around back then, because it has been a long time. It feels a little bit like LulzSec back in the day."
Overview: AT&T has rolled out an account lock feature via its mobile app, aiming to make SIM swapping attacks more challenging for cybercriminals.
Discussion: The hosts discuss potential flaws in the implementation, such as scenarios where users lose access to the app. Adam notes that while it adds a layer of protection, determined attackers might still find ways around it.
Notable Quote:
Adam Boileau (07:29): "Anything that adds, even if it is just a speed bump to COM kids doing SIM takeovers, we're going."
Overview: In response to the CrowdStrike breach, Microsoft is implementing changes to make Windows more resilient, including moving security operations out of the kernel and introducing robust recovery features.
Discussion: Adam explains Microsoft's multipronged approach, focusing on API enhancements, update deployment guidelines, and improved recovery mechanisms. Patrick appreciates the proactive measures but critiques the delayed response.
Notable Quote:
Adam Boileau (09:40): "They've been introducing a mechanism for administrators to deploy updates to machines that are in recovery reboot mode."
Overview: Microsoft is modifying app consent processes within Entra (Azure AD) to require administrative approval for high-privilege permissions, aiming to reduce excessive or malicious app access.
Discussion: The hosts commend the move towards stricter controls but lament the delay in implementing such essential security measures.
Notable Quote:
Adam Boileau (14:07): "The new default settings will be that for certain privileged, particularly powerful permissions... those are going to be restricted and require admin consent."
Overview: Security firm modzero uncovered a critical vulnerability in Synology's Active Backup for Microsoft 365, revealing a hardcoded password that allows unauthorized access to sensitive data.
Discussion: Patrick and Adam critique Synology's inadequate disclosure and highlight the severe implications of unauthorized access to Teams messages and other data.
Notable Quote:
Patrick Gray (20:02): "Allowing attackers to obtain sensitive information by unspecified vectors like that's the entirety of."
Overview: Despite heightened fears and government warnings, there has been a paucity of significant Iranian cyberattacks targeting U.S. critical infrastructure.
Discussion: The hosts express skepticism about the likelihood of major cyber offensives, suggesting that Iran may focus on less impactful tactics like hack-and-leak operations.
Notable Quote:
Patrick Gray (24:25): "All of these reports too, talking about US Government warnings about Iranian threats against US Critical infrastructure and whatnot... and we have not seen any really."
Overview: Critical vulnerabilities in AMI's MegaRAC management systems have been identified, posing significant risks due to the potential for unauthorized access and control over hardware.
Discussion: The hosts discuss the ease of exploiting these bugs and the challenges in patching them across diverse hardware vendor ecosystems.
Notable Quote:
Adam Boileau (28:17): "Being able to just log into anyone's Microsoft tenancy that uses the Synology product and read their Teams messages seems bad."
Overview: A newly discovered Citrix NetScaler bug mirrors the infamous Citrix Bleed, allowing attackers to leak sensitive memory, including session tokens, thereby bypassing multi-factor authentication.
Discussion: The conversation emphasizes the dangers of post-authentication vulnerabilities and the false security multi-factor authentication can provide.
Notable Quote:
Adam Boileau (30:01): "If you can steal a session token and ride an existing session... all the auth in the world doesn't really help you."
Overview: The FBI has dismantled 29 laptop farms across 16 U.S. states, arresting individuals involved in using these setups for illicit activities.
Discussion: Patrick and Adam explore the operational challenges faced by North Korean cyber operatives, noting the logistical difficulties of maintaining remote-controlled operations.
Notable Quote:
Adam Boileau (33:17): "Imagine having to log into someone's enterprise Citrix via an IPKVM of a laptop in someone's basement in Missouri."
Overview: Russia is intensifying its efforts to block access to Cloudflare-protected websites, citing the use of Encrypted Client Hello as a means to bypass censorship.
Discussion: The hosts reflect on Cloudflare's commitment to maintaining internet access in Russia despite geopolitical tensions, and the resultant impact on Russian internet users.
Notable Quote:
Patrick Gray (36:08): "Cloudflare didn't leave Russia after it invaded Ukraine, saying at the time, 'Russia needs more Internet access, not less.'"
Overview: A partially redacted FBI report reveals that Mexican cartels have employed sophisticated technical surveillance methods to monitor and eliminate FBI personnel and witnesses.
Discussion: The episode underscores the blurred lines between law enforcement and intelligence operations in contended information spaces, highlighting the escalated threats posed by organized crime.
Notable Quote:
Adam Boileau (38:03): "It kind of makes law enforcement feel more like intelligence work, like foreign intelligence work."
Overview: NATO is urging member countries to boost their defense expenditures to 5% of GDP, allocating funds towards core defense and cybersecurity initiatives.
Discussion: Patrick and Adam debate the implications of reclassifying cybersecurity investments as national defense spending, pondering potential benefits and budgetary challenges.
Notable Quote:
Adam Boileau (42:00): "It's Microsoft 365 licenses... E5 and more CrowdStrike."
Overview: The U.S. government has sanctioned Aeza Group, a notorious bulletproof hosting provider linked to various cybercriminal activities, including ransomware and data breaches.
Discussion: The hosts critique the effectiveness of sanctions compared to direct operational takedowns, expressing a preference for more aggressive actions against such entities.
Notable Quote:
Patrick Gray (43:39): "I would much rather see them do that than this, personally."
Overview: Kai West, a 25-year-old cybercriminal known as 'Intel Broker,' has been arrested for orchestrating multiple breach forums and facilitating extensive hacking activities.
Discussion: The conversation touches on the constantly evolving nature of breach forums and the challenges law enforcement faces in tracking and dismantling these operations.
Notable Quote:
Patrick Gray (44:26): "It's a bit of a mess... but either way, some people have been arrested and I guess we'll have another five new breach forums run by different people."
Overview: Five individuals in Spain have been arrested for orchestrating crypto scams that defrauded over 5,000 victims worldwide, accumulating losses exceeding $542 million.
Discussion: Patrick and Adam discuss the sophistication of the operation, noting the intertwined processes of money laundering and investment scams.
Notable Quote:
Patrick Gray (46:01): "If you're going to do crime right, you may as well work from home, somewhere nice."
Guest: Jimmy Mester, Co-Founder of RAD Security
Timestamp: [48:00] - [61:47]
Overview: Jimmy Mester discusses how AI, particularly Large Language Models (LLMs), is revolutionizing vulnerability triage by automating the prioritization of security issues based on context and severity.
Discussion: The conversation highlights RAD Security's approach to utilizing AI for parsing complex data like SBOMs (Software Bill of Materials) and generating actionable insights, thereby streamlining security workflows.
Notable Quote:
Jimmy Mester (49:56): "LLMs can help rank order that... and then you keep kind of chipping away at the context until you get to the point where the LLM can help you rearrange the Lego pieces and give you some actual insight on what to tackle first."
Overview: Jimmy contrasts the flexibility and user-friendliness of LLMs with traditional machine learning classifiers, emphasizing the advantage of natural language interfaces in handling imperfect queries.
Discussion: The ease of integrating LLMs into security operations without the need for specialized query languages is underscored, showcasing how RAD Security leverages AI for more intuitive security management.
Notable Quote:
Jimmy Mester (54:02): "It's a lot better than doing it manually. It's a hard task."
Overview: The conversation shifts to the difficulties of improving AI models within enterprise environments that require private, non-trainable models, potentially limiting visibility into model behavior and improvements.
Discussion: Patrick raises concerns about the sustainability and adaptability of private models, while Jimmy explains RAD Security's strategy of supporting a curated list of reliable models to maintain consistency and effectiveness.
Notable Quote:
Jimmy Mester (60:16): "It's not the same as retraining a model and publishing it, but at least it's a way to make it much more specific to what the customer wants."
Patrick Gray wraps up the episode by thanking Adam and Jimmy, reflecting on the plethora of cybersecurity challenges discussed, and hinting at future episodes that will delve deeper into these critical issues.
Listener Note: The episode offers a comprehensive look at the evolving landscape of cybersecurity threats and defenses, emphasizing the importance of proactive measures and technological advancements in safeguarding digital infrastructure.