Risky Business #798 Summary: Mexican Cartel Surveillance of the FBI
Release Date: July 2, 2025
Hosts: Patrick Gray and Adam Boileau
1. Introduction
Patrick Gray and Adam Boileau delve into a range of current cybersecurity issues, from advanced persistent threats targeting major airlines to significant vulnerabilities in cloud infrastructure. The episode also features an insightful interview with Jimmy Mesta from RAD Security, discussing the integration of AI in cloud and Kubernetes security.
2. Major News Stories
a. Scattered Spider Targets Airline Industry
- Overview: The notorious hacking group Scattered Spider has shifted its focus from the insurance sector to the airline industry, orchestrating breaches at WestJet, Hawaiian Airlines, and Qantas.
- Discussion: Adam Boileau highlights the pattern of third-party platform breaches, emphasizing the group's expertise in exploiting outsourced relationships. Patrick compares this wave to the LulzSec era, underscoring the persistent threat posed by such advanced groups.
- Notable Quote: Patrick Gray (02:28): "This almost feels a little bit like, for those who are around back then, because it has been a long time. It feels a little bit like LulzSec back in the day."
b. AT&T Introduces Account Lock Feature to Prevent SIM Swapping
- Overview: AT&T has rolled out an account lock feature via its mobile app, aiming to make SIM swapping attacks more challenging for cybercriminals.
- Discussion: The hosts discuss potential flaws in the implementation, such as scenarios where users lose access to the app. Adam notes that while it adds a layer of protection, determined attackers might still find ways around it.
- Notable Quote: Adam Boileau (07:29): "Anything that adds, even if it is just a speed bump to Com kids doing SIM takeovers, we're going."
c. Microsoft Enhances Windows Security Post-CrowdStrike Incident
- Overview: In response to the CrowdStrike incident, Microsoft is implementing changes to make Windows more resilient, including moving security operations out of the kernel and introducing robust recovery features.
- Discussion: Adam explains Microsoft's multipronged approach, focusing on API enhancements, update deployment guidelines, and improved recovery mechanisms. Patrick appreciates the proactive measures but critiques the delayed response.
- Notable Quote: Adam Boileau (09:40): "They've been introducing a mechanism for administrators to deploy updates to machines that are in recovery reboot mode."
d. Microsoft’s App Consent Changes in Entra
- Overview: Microsoft is modifying app consent processes within Entra (Azure AD) to require administrative approval for high-privilege permissions, aiming to reduce excessive or malicious app access.
- Discussion: The hosts commend the move towards stricter controls but lament the delay in implementing such essential security measures.
- Notable Quote: Adam Boileau (14:07): "The new default settings will be that for certain privileged, particularly powerful permissions... those are going to be restricted and require admin consent."
e. Synology Backup Vulnerability Exposes Microsoft 365 Data
- Overview: Security firm modzero uncovered a critical vulnerability in Synology's Active Backup for Microsoft 365, revealing a hardcoded password that allows unauthorized access to sensitive data.
- Discussion: Patrick and Adam critique Synology's inadequate disclosure and highlight the severe implications of unauthorized access to Teams messages and other data.
- Notable Quote: Patrick Gray (20:02): "Allowing attackers to obtain sensitive information by unspecified vectors like that's the entirety of."
f. Iranian Cyber Threats and Speculations on Upcoming Attacks
- Overview: Despite heightened fears and government warnings, there has been a paucity of significant Iranian cyberattacks targeting U.S. critical infrastructure.
- Discussion: The hosts express skepticism about the likelihood of major cyber offensives, suggesting that Iran may focus on less impactful tactics like hack-and-leak operations.
- Notable Quote: Patrick Gray (24:25): "All of these reports too, talking about US Government warnings about Iranian threats against US Critical infrastructure and whatnot... and we have not seen any really."
g. AMI MegaRAC Bugs Added to CISA’s KEV List
- Overview: Critical vulnerabilities in AMI's MegaRAC management systems have been identified, posing significant risks due to the potential for unauthorized access and control over hardware.
- Discussion: The hosts discuss the ease of exploiting these bugs and the challenges in patching them across diverse hardware vendor ecosystems.
- Notable Quote: Adam Boileau (28:17): "Being able to just log into anyone's Microsoft tenancy that uses the Synology product and read their Teams messages seems bad."
h. New Citrix NetScaler Vulnerability Mirrors Past Issues
- Overview: A newly discovered Citrix NetScaler bug mirrors the infamous Citrix Bleed, allowing attackers to leak sensitive memory, including session tokens, thereby bypassing multi-factor authentication.
- Discussion: The conversation emphasizes the dangers of post-authentication vulnerabilities and the false sense of security multi-factor authentication can provide once a session token has been stolen.
- Notable Quote: Adam Boileau (30:01): "If you can steal a session token and ride an existing session... all the auth in the world doesn't really help you."
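To make the session-riding point concrete from the defender's side, here is an added example in Python; it is not code from the episode, from Citrix, or from the hosts. It scans a handful of constructed gateway access log lines for a session token that is later presented from a different source IP or user agent, which is how a replayed token tends to surface in logs, and shows the server-side binding check that would reject such a request rather than honour the MFA-backed session. The log format, session ids, addresses and user agents are all constructed assumptions.

```python
"""Session-riding detection and session binding over constructed access logs.

Constructed example, not from the episode or any vendor. Each log line is:
    <timestamp> <session_id> <src_ip> <user_agent> <path>
A session token that is seen from more than one (ip, user_agent) pair during
its lifetime is suspicious: the login may have satisfied MFA, but a token
replayed by a different client rides that session without ever re-authenticating.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (hypothetical gateway, users, IPs and agents).
SAMPLE_LOG = """\
2025-07-01T10:00:01Z sess-a1b2 203.0.113.10 Mozilla/5.0 /login
2025-07-01T10:00:05Z sess-a1b2 203.0.113.10 Mozilla/5.0 /vpn/index.html
2025-07-01T10:02:30Z sess-c3d4 198.51.100.7 Mozilla/5.0 /login
2025-07-01T10:05:12Z sess-a1b2 192.0.2.44 curl/8.0 /vpn/index.html
2025-07-01T10:05:13Z sess-a1b2 192.0.2.44 curl/8.0 /admin
"""


@dataclass
class SessionView:
    """Everything observed for one session token across the log."""
    ips: set = field(default_factory=set)
    agents: set = field(default_factory=set)
    paths: list = field(default_factory=list)


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, sid, ip, ua, path = line.split(maxsplit=4)
    return ts, sid, ip, ua, path


def find_session_riding(log_text):
    """Detection side: return {session_id: finding} for tokens presented from
    more than one source IP or more than one user agent."""
    sessions = defaultdict(SessionView)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, sid, ip, ua, path = parse_line(line)
        view = sessions[sid]
        view.ips.add(ip)
        view.agents.add(ua)
        view.paths.append(path)

    findings = {}
    for sid, view in sessions.items():
        reasons = []
        if len(view.ips) > 1:
            reasons.append("multiple_source_ips")
        if len(view.agents) > 1:
            reasons.append("multiple_user_agents")
        if reasons:
            findings[sid] = {
                "reasons": reasons,
                "ips": sorted(view.ips),
                "agents": sorted(view.agents),
                "paths": list(view.paths),
            }
    return findings


def enforce_binding(log_text):
    """Mitigation side: the first request binds the token to its (ip, user_agent);
    any later request with a different pair is rejected. Returns the list of
    (session_id, path) requests that would have been refused."""
    bound = {}
    rejected = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, sid, ip, ua, path = parse_line(line)
        key = (ip, ua)
        if sid not in bound:
            bound[sid] = key
        elif bound[sid] != key:
            rejected.append((sid, path))
    return rejected


if __name__ == "__main__":
    for sid, finding in find_session_riding(SAMPLE_LOG).items():
        print(f"{sid}: {', '.join(finding['reasons'])} -> {finding['ips']} {finding['agents']}")
    print("would reject:", enforce_binding(SAMPLE_LOG))
```

Binding a session to client attributes is a coarse control (mobile clients change IPs legitimately), so in practice it is paired with short token lifetimes and re-authentication for sensitive paths; the detection function is the part that belongs in a SIEM rule, because it surfaces the replay whether or not the gateway enforces binding.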
i. Cracking Down on North Korean Laptop Farms
- Overview: The FBI has dismantled 29 laptop farms across 16 U.S. states, arresting individuals involved in using these setups for illicit activities.
- Discussion: Patrick and Adam explore the operational challenges faced by North Korean cyber operatives, noting the logistical difficulties of maintaining remote-controlled operations.
- Notable Quote: Adam Boileau (33:17): "Imagine having to log into someone's enterprise Citrix via an IPKVM of a laptop in someone's basement in Missouri."
j. Russia’s Increased Restrictions on Cloudflare Services
- Overview: Russia is intensifying its efforts to block access to Cloudflare-protected websites, citing the use of TLS Encrypted Client Hello (ECH) as a means to bypass censorship.
- Discussion: The hosts reflect on Cloudflare's commitment to maintaining internet access in Russia despite geopolitical tensions, and the resultant impact on Russian internet users.
- Notable Quote: Patrick Gray (36:08): "Cloudflare didn't leave Russia after it invaded Ukraine, saying at the time, 'Russia needs more Internet access, not less.'"
k. FBI Report on Mexican Cartels Surveillance Techniques
- Overview: A partially redacted FBI report reveals that Mexican cartels have employed sophisticated technical surveillance methods to monitor and eliminate FBI personnel and witnesses.
- Discussion: The episode underscores the blurred lines between law enforcement and intelligence operations in contested information spaces, highlighting the escalated threats posed by organized crime.
- Notable Quote: Adam Boileau (38:03): "It kind of makes law enforcement feel more like intelligence work, like foreign intelligence work."
l. NATO Members Pressured to Increase Defense Spending
- Overview: NATO is urging member countries to boost their defense expenditures to 5% of GDP, allocating funds towards core defense and cybersecurity initiatives.
- Discussion: Patrick and Adam debate the implications of reclassifying cybersecurity investments as national defense spending, pondering potential benefits and budgetary challenges.
- Notable Quote: Adam Boileau (42:00): "It's Microsoft 365 licenses... E5 and more CrowdStrike."
m. U.S. Sanctions Aeza Group, a Bulletproof Hosting Provider
- Overview: The U.S. government has sanctioned Aeza Group, a notorious bulletproof hosting provider linked to various cybercriminal activities, including ransomware and data breaches.
- Discussion: The hosts critique the effectiveness of sanctions compared to direct operational takedowns, expressing a preference for more aggressive actions against such entities.
- Notable Quote: Patrick Gray (43:39): "I would much rather see them do that than this, personally."
n. Arrest of Cybercriminal 'IntelBroker' Kai West
- Overview: Kai West, a 25-year-old cybercriminal known as 'IntelBroker,' has been arrested for orchestrating multiple breach forums and facilitating extensive hacking activities.
- Discussion: The conversation touches on the constantly evolving nature of breach forums and the challenges law enforcement faces in tracking and dismantling these operations.
- Notable Quote: Patrick Gray (44:26): "It's a bit of a mess... but either way, some people have been arrested and I guess we'll have another five new breach forums run by different people."
o. Massive Crypto Scamming Operation in Spain Dismantled
- Overview: Five individuals in Spain have been arrested for orchestrating crypto scams that defrauded over 5,000 victims worldwide, accumulating losses exceeding $542 million.
- Discussion: Patrick and Adam discuss the sophistication of the operation, noting the intertwined processes of money laundering and investment scams.
- Notable Quote: Patrick Gray (46:01): "If you're going to do crime right, you may as well work from home, somewhere nice."
3. Sponsor Interview: AI in Cloud Security with RAD Security
Guest: Jimmy Mesta, Co-Founder of RAD Security
Timestamp: [48:00] - [61:47]
a. AI Enhancing Vulnerability Management
- Overview: Jimmy Mesta discusses how AI, particularly Large Language Models (LLMs), is revolutionizing vulnerability triage by automating the prioritization of security issues based on context and severity.
- Discussion: The conversation highlights RAD Security's approach to utilizing AI for parsing complex data like SBOMs (Software Bills of Materials) and generating actionable insights, thereby streamlining security workflows.
- Notable Quote: Jimmy Mesta (49:56): "LLMs can help rank order that... and then you keep kind of chipping away at the context until you get to the point where the LLM can help you rearrange the Lego pieces and give you some actual insight on what to tackle first."
b. AI vs Traditional Machine Learning in Security
- Overview: Jimmy contrasts the flexibility and user-friendliness of LLMs with traditional machine learning classifiers, emphasizing the advantage of natural language interfaces in handling imperfect queries.
- Discussion: The ease of integrating LLMs into security operations without the need for specialized query languages is underscored, showcasing how RAD Security leverages AI for more intuitive security management.
- Notable Quote: Jimmy Mesta (54:02): "It's a lot better than doing it manually. It's a hard task."
c. Challenges of Private AI Models in Enterprises
- Overview: The conversation shifts to the difficulties of improving AI models within enterprise environments that require private, non-trainable models, potentially limiting visibility into model behavior and improvements.
- Discussion: Patrick raises concerns about the sustainability and adaptability of private models, while Jimmy explains RAD Security's strategy of supporting a curated list of reliable models to maintain consistency and effectiveness.
- Notable Quote: Jimmy Mesta (60:16): "It's not the same as retraining a model and publishing it, but at least it's a way to make it much more specific to what the customer wants."
4. Conclusion
Patrick Gray wraps up the episode by thanking Adam and Jimmy, reflecting on the plethora of cybersecurity challenges discussed, and hinting at future episodes that will delve deeper into these critical issues.
Listener Note: The episode offers a comprehensive look at the evolving landscape of cybersecurity threats and defenses, emphasizing the importance of proactive measures and technological advancements in safeguarding digital infrastructure.