Risky Business #799 -- Everyone's Sharepoint gets shelled

Risky Business

Published: Wed Jul 23 2025

Summary

Risky Business Podcast Summary #799: Everyone's SharePoint Gets Shelled

Release Date: July 23, 2025
Host: Patrick Gray
Guest: Dave Cottingham, CEO of Airlock Digital
Duration: Approximately 50-60 minutes


1. Introduction

Patrick Gray welcomes listeners back from his holiday in Fiji and introduces Adam Boileau as his co-host. They briefly mention the episode's structure, which includes the weekly security news roundup followed by a sponsorship segment featuring Airlock Digital.


2. Major Security News

a. Microsoft’s Use of Chinese Engineers for Pentagon Cloud Support

Patrick and Adam discuss a ProPublica article revealing that Microsoft employs Chinese engineers to support the Pentagon’s cloud services. These engineers are escorted by "digital Sherpas," who are paid only $18 per hour despite holding security clearances.

  • Patrick Gray [02:40]:
    "The pay rate for these digital Sherpas... they're paying them $18 bucks an hour."

  • Adam Boileau [03:32]:
    "You can secure a malicious person's access... by paying someone to watch them, like is already kind of shonky enough."

The controversy gained traction after right-wing figure Laura Loomer highlighted the issue, leading to bipartisan condemnation. Ultimately, Pete Hegseth, the US Defense Secretary, announced the cessation of Chinese contractors' involvement in DoD cloud services.

  • Pete Hegseth [04:36]:
    "China will no longer have any involvement whatsoever in our cloud services, effective immediately."

b. Exploitation of SharePoint Vulnerabilities

The hosts highlight the exploitation of a recent bug in SharePoint Server, which allowed attackers to bypass authentication and execute code remotely. Microsoft patched the vulnerability over the weekend, but widespread exploitation persists, particularly by Chinese hackers.

  • Adam Boileau [08:47]:
    "They're using this to gain machine key access and then... code execution in the future."

c. Chinese Group Salt Typhoon's Activities

Salt Typhoon, traditionally associated with telecom hacks, has been implicated in breaching a US state's National Guard systems. The Department of Homeland Security issued a memo regarding this intrusion.

  • Adam Boileau [13:02]:
    "Kevin Collier wrote... Chinese group Salt Typhoon broke into one of the US State's National Guard."

d. Arrests Related to Cyber Attacks

Italian authorities, in collaboration with the FBI, arrested Xu Zewei for involvement in the Hafnium Exchange hacks, a series of attacks targeting Microsoft Exchange servers. Xu works for Shanghai Powerock Network Company, which had ties to the MSS.

  • Patrick Gray [14:57]:
    "Xu Zewei... has been charged... He's going to get extradited."

The discussion touches on the improbability of China arresting NSA personnel, citing strong OPSEC measures within Five Eyes agencies.

e. Cryptocurrency Exchange Heists

The podcast covers significant cryptocurrency thefts, including:

  • GMX Exchange: Lost $42 million, agreeing to let attackers keep $5 million as a bounty.

  • CoinDCX Exchange: Lost $44 million.

  • Chainalysis Research: Reports $2.17 billion stolen in crypto during the first half of 2020, with the Bybit hack accounting for $1.5 billion.

  • Adam Boileau [31:12]:
    "It's nuts... up to $4 billion in crypto theft this year."

f. Authentication Vulnerabilities and Bypasses

Research from Expel reveals a method to bypass YubiKey-based authentication by abusing the cross-device authentication flow. The technique targets the QR code used in that flow, allowing attackers to phish users effectively.

  • Patrick Gray [33:14]:
    "It's the complexity of modern auth and the real-world imperfect auth situations."

g. Chrome Extension Security Risks

John Tuckner from Secure Annex discovered that several Chrome extensions included code that allowed companies to proxy web scraping requests through users' browsers. This not only bypasses security headers but also poses significant risks in corporate environments.

  • Adam Boileau [40:24]:
    "They're proxying out your connection... not great."

h. Industrial Control System (ICS) Vulnerabilities: Trains

Hackers can remotely trigger brakes on American trains by exploiting software-defined radio (SDR) vulnerabilities. These systems, designed decades ago, lack robust security measures against modern radio-based attacks.

  • Adam Boileau [52:18]:
    "They have radios... exploiting a bug where... mangle messages to activate brakes remotely."

i. Other Notable Vulnerabilities

  • Fortinet FortiWeb Exploit:
    A pre-auth SQL injection vulnerability in the handling of the Authorization header allows remote code execution (RCE) as root.

    • Adam Boileau [47:03]:
      "SQL injection in the authorization header... turning it into remote root code exec."

  • Citrix NetScaler Flaws:
    Continuing issues with Citrix NetScaler vulnerabilities that facilitate 2FA bypasses by stealing session tokens.

  • SonicWall Backdoor:
    A user-mode rootkit manipulates network functions to create a backdoor in SonicWall devices, allowing remote command execution.

    • Adam Boileau [49:34]:
      "They hook network read/write functions looking for magic strings to trigger the backdoor."

3. Discussions on Security Practices

Insider Threats and Authentication Challenges: Patrick and Adam delve into the complexities of robust authentication systems. They emphasize that while tools like FIDO and U2F enhance security, the surrounding processes for credential resets and multi-factor authentication (MFA) still present vulnerabilities exploited by attackers.

  • Adam Boileau [37:00]:
    "Social engineering attacks on the enrollment process remain the weak links."

Mitigating Insider Threats: Dave Cottingham discusses strategies Airlock Digital employs to prevent malicious administrators from compromising the allow-listing platform. Key strategies include:

  • Visibility:
    Ensuring customers can easily monitor and audit configuration changes.

  • Segmented Approvals:
    Implementing dual-approval systems where policy changes require authorization from multiple users.

  • Automation in Testing:
    Utilizing automated systems to test various permission combinations and ensure security integrity.

    • Dave Cottingham [61:31]:
      "We've got an automation rig that runs through all permutations to ensure everything is securely configured."

4. Sponsor Highlight: Airlock Digital

The episode transitions to the sponsorship segment featuring Dave Cottingham, CEO of Airlock Digital, a company specializing in allow-listing software scalable to large enterprises.

Key Topics Discussed:

  • Multi-Role Console Development:
    Transitioning from a single-admin console to a multi-user, multi-role system to accommodate different organizational functions such as security, application deployment, and support teams.

    • Dave Cottingham [57:38]:
      "We attach different privileges to major Persona roles to control access based on responsibilities."

  • Handling Policy Changes:
    Implementing automated functional testing to manage and validate complex permission structures, ensuring that policy changes do not inadvertently compromise security.

    • Dave Cottingham [63:05]:
      "Functional testing from the user perspective ensures the entire stack operates securely."

  • Preventing Malicious Actions:
    Strategies to detect and prevent unauthorized allow-list modifications, including partnerships with services like VirusTotal to flag known malicious activities.

    • Dave Cottingham [71:00]:
      "Segmented approvals of policy require multiple users to authorize changes, enhancing security."
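The segmented approval and permutation testing described in sections 3 and 4 above, modelled as an added Python example (constructed here, not Airlock Digital's code; the role names, permission matrix and two-distinct-approver rule are assumptions):

```python
"""Two-person approval of allow-list policy changes, plus an automated check
that no single user or role can push a change through alone.
Constructed model; roles and rules are assumptions, not Airlock's design."""
from dataclasses import dataclass, field

ROLES = ("security", "deployment", "support")   # assumed persona roles
CAN_PROPOSE = {"security", "deployment"}        # assumed permission matrix
CAN_APPROVE = {"security"}
REQUIRED_APPROVALS = 2                          # two approvers, neither the proposer


@dataclass
class PolicyChange:
    description: str
    proposed_by: str
    approvals: set = field(default_factory=set)
    applied: bool = False
    audit: list = field(default_factory=list)   # visibility: every step is logged


def propose(user: str, role: str, description: str) -> PolicyChange:
    if role not in CAN_PROPOSE:
        raise PermissionError(f"role {role!r} may not propose policy changes")
    change = PolicyChange(description, user)
    change.audit.append(("proposed", user, role))
    return change


def approve(change: PolicyChange, user: str, role: str) -> PolicyChange:
    if role not in CAN_APPROVE:
        raise PermissionError(f"role {role!r} may not approve policy changes")
    if change.applied:
        raise PermissionError("change already applied")
    if user == change.proposed_by:
        raise PermissionError("proposer may not approve their own change")
    if user in change.approvals:
        raise PermissionError("duplicate approval by the same user")
    change.approvals.add(user)
    change.audit.append(("approved", user, role))
    if len(change.approvals) >= REQUIRED_APPROVALS:
        change.applied = True                   # only now does policy take effect
        change.audit.append(("applied", user, role))
    return change


def single_actor_can_apply(role: str) -> bool:
    """Automation check: can one user holding `role` go from proposal to applied?"""
    try:
        change = propose("mallory", role, "allow unsigned tool.exe")
        for _ in range(REQUIRED_APPROVALS):
            approve(change, "mallory", role)
        return change.applied
    except PermissionError:
        return False
```

Running `single_actor_can_apply` over every role is the permutation-style check the segment describes: each must come back False before a permission matrix is considered safe.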

Conclusion of Sponsorship: Patrick lauds Airlock Digital for its robust and scalable allow-listing solutions, highlighting its importance in modern enterprise security architectures.

  • Patrick Gray [73:07]:
    "I absolutely recommend and fully endorse Airlock Digital. They make fine software."

5. Closing Remarks

Patrick and Adam wrap up the episode, reiterating the importance of staying vigilant against evolving security threats and acknowledging the contributions of their guests and sponsors. They tease the next episode's content and sign off until the following week.


Notable Quotes:

  • Pete Hegseth [04:36]:
    "China will no longer have any involvement whatsoever in our cloud services, effective immediately."

  • Adam Boileau [08:47]:
    "They're using this to gain machine key access and then... code execution in the future."

  • Dave Cottingham [63:05]:
    "Functional testing from the user perspective ensures the entire stack operates securely."


This episode of Risky Business provides a comprehensive overview of current cybersecurity challenges, ranging from geopolitical cyber operations to insider threats and authentication vulnerabilities. The insightful discussion with Airlock Digital offers valuable perspectives on enterprise security best practices, emphasizing the critical role of scalable and secure allow-listing systems.
