Patrick Gray
Welcome to Risky Business. My name is Patrick Gray and as you can tell from my voice and probably my appearance, if you're joining us on YouTube this week, I am a little bit under the weather. I've spent the last few days in bed. But I am feeling well enough to record today's podcast. So that's, that's great. This week's show is brought to you by Push Security and we're going to be joined by Dan Cuthbert who is a fairly well known guy in infosec in the old cyber security and these days Dan works for Santander bank where he does all sorts of interesting cybersecurity work. And he's joining us to talk about products like Push and what you could do with them from like a detection engineering standpoint and just like generally what you could do with the types of data that come out of products like Push. For those who don't remember, Push primarily is a, is a browser plugin based solution that captures stuff like login events, whether that's, yeah, like login events into third party SaaS basically so you can get all of that information. You could also put controls around third party SaaS using Push and just generally it's turning out to be a very useful thing. So Dan is joining us later to talk through all of that. But first up of course it is time for a check of the week's news headlines with Adam Boileau and mates what looks to be a brewing scandal this week. Last week of course we talked about how, you know, everyone's SharePoints were getting owned by the Chinese government which was, you know, not a good time for people with SharePoint boxes. But now it looks like there might have been a leak out of Microsoft relating to these, to these bugs. But it's all a little bit like, I don't know, I don't know if there's any like smoking gun here yet, but something weird definitely happened with the, with Microsoft's so-called MAPP program. Walk us through this.
Adam Boileau
Yeah, the timing of these leaks or of the exploitation is certainly, you know, it's interesting at the very least. So the story goes that the original SharePoint bug was disclosed at Pwn2Own in Berlin by a Vietnamese hacker. He handed off during that competition to a Microsoft representative to go off into the patching thing. About 60 days later Microsoft came up with a patch in the MAPP program. It's kind of like two levels. There's a quite highly vetted one where you get like 5 days advanced notification of patches and then there's the more like the slightly broader MAPP program where you get a day worth of prior notification. The day before the patch is due to be released, it gets sent out to MAPP and then that day it starts to be attacked in the wild. And there are a number of Chinese companies that are members of the MAPP program and you know, there's some, like Microsoft says they're investigating whether or not, you know, these facts are related. But, you know, the, you know, the glove does fit a little bit as.
Patrick Gray
To whether or not, you know, I mean, kind of. But like, do we really expect that someone, say some, someone close to the government working for one of these companies in China? Because there's a plenty. There's plenty of Chinese companies that are part of the MAPP program. Right. Are we seriously saying that someone worked at that, at one of those Chinese companies, saw that Microsoft was going to patch these bugs and what, they had time to like, reverse engineer the patch and come up with a functioning exploit in that time? Or do we think it's more likely that it's the case where, you know, maybe there was a leak and someone realized, oh my God, our SharePoint bugs that we've been using at low volume are about to get patched. Let's go big with these now because that to me feels like kind of the more realistic scenario.
Adam Boileau
Yeah, I mean, the bug in question isn't super complicated. Like it is just .NET deserialization and there was an auth bypass that was related so you could get to that endpoint without auth. So in that respect, like finding the bug if you'd seen the patch and then turning it into an exploit probably is feasible within the timeframe we're talking about. But I do feel like your instinct of that, probably it's a bug that was already being used and the fact that it's about to get burnt all of a sudden means you may as well hand it out or let a bunch of people off the, you know, off the leash that have been a bit more tightly controlled in its use. You know, that's kind of more, you know, that sounds pretty believable as well, but I don't think it would be impossible for it to be the other explanation.
Patrick Gray
Yeah, I mean, either way though, like a program like this leaking is extremely not great. I still feel like programs like this develop more good than bad though. Like, even if you're going to have the occasional leak like this. But I mean, it is embarrassing, right? Because the Hafnium, like the Exchange stuff that Hafnium used in, like, when was that? 2021, all the Exchange hacks like that apparently leaked out of MAPP as well. So like this isn't the first time. It's not a good look.
Adam Boileau
No, it's not. And you know these programs are always going to be this kind of trade off, right? I mean the, you know, every sort of private vulnerability disclosure group, you know, everything going back to like Zardoz, you know, have been sources of leaks or have been sources of hacks and people used to break into security researchers to get access to their stash back in the, you know, in the 90s as well. So you know, trading in this kind of information, you know, makes a lot of sense and the net benefit is probably still worth it.
Patrick Gray
Yeah, yeah, exactly. But yeah, let's see if there's a complete investigation from Microsoft there. I suspect this is the last we're ever going to hear of it. But anyway, now look, just staying on the SharePoint thing. Apparently we've graduated from Chinese apts using this bug and now various attackers based out of China also using the bug to deploy something called the Warlock ransomware. So good news everyone. It's now being used for ransomware as well as espionage. I guess that. Great news, good job everybody.
Adam Boileau
I mean it makes sense when you've got groups that do both of these things like do espionage and also do ransomware to pay the bills. So not that surprising. But we have seen, you know, I think what like 400 companies, agencies, government departments, whatever breached using the bug. So that's, you know, a lot of people have SharePoint on the Internet and you know, some of those are pretty big organizations. I think one victim we saw talked about the US Department of Energy said its National Nuclear Security Administration was a victim. And that's not good.
Patrick Gray
No, but you would imagine that, that, that the nuclear nuke, that the National Nuclear Security Administration, you know, does not rely on its Windows network in such a way that it getting owned would cause mushroom clouds or you know, dirty mater be sprayed about everywhere like, you know, like it makes for, it makes for a good headline. But I mean the people who work there, they're not, they're not dumb, right?
Adam Boileau
No, it's just, it's still not good though.
Patrick Gray
No, no it ain't, it ain't. So yeah, we got another story here also from Cybersecurity Dive talking about this stuff as well that, that goes into the Department of Energy things. So we've, we've linked through to those in this week's show notes. We need to update something we spoke about last week. So we spoke about this work out of a company called Expel, where they'd figured out apparently how to bypass FIDO, you know, U2F auth using cross device authentication. And you even mentioned at the time, now normally there's a proximity check for that via Bluetooth to make sure that the device is in the right place and blah, blah, blah. And for some reason it didn't work here. Well, Adam, turns out this, this bypass that they claim just didn't happen. They misread the logs. They've now published a mea culpa blog post. But, yeah, so it turns out that, that, that skipping of that step just like, never happened.
Adam Boileau
Yeah, so it turns out they were working off, I think, logs from Okta. So the attacker in this case was authenticating to Okta, and either they misinterpreted the logs or the logs weren't super clear. You know, sometimes logs from cloud services can be difficult to interpret when you don't have the context of the system that's behind the scenes, the implementation that you can't necessarily see. But it's one of those extraordinary claims requires, you know, extraordinary proof, and they kind of didn't have it. So, you know, I am, I feel a little bit vindicated in the sense that I remember reading this and going, well, like, it feels like there's something missing here. But I mean, if they're saying it happened, then I guess I don't know what that missing thing is. But turns out, yes, the missing thing was it didn't happen.
Patrick Gray
It's real funny, right? Because I think that headline hit my podcatcher, like the last day I was in Fiji, and I just remember seeing a headline from us saying, oh, yeah, there's a FIDO or U2F bypass. And I just remember going, oh, you know, reminded me of like, you know, earlier in my career. I remember around 2000, you know, like early 2000s, like every week someone would claim to have broken SSL, right? And every week it was like some really, like, weird, exotic config. You could get it to maybe do a thing that was strange and you might recover a couple of bytes or something like that, but it was always.
Adam Boileau
A gig of traffic to do it and.
Patrick Gray
Yeah, exactly. But it was always written up as like, SSL, completely smashed, you know, and it was like, like I just had a. Had a flashback in the moment that I saw that notification come up on the, on the phone. So, I mean, from our point of view, there's not much you can do when a, you know, security company writes up. We saw this sequence of events, you know, you don't, I mean, you don't really think to vet and cross check that, you know, like in a technical blog post, you kind of would think that they know what they're doing.
Adam Boileau
Yeah, I mean, and usually companies will publish as much technical detail as they are able to. And if the technical detail that you want as a reader isn't there, it's because they can't publish it for some reason, whatever that is, they don't have it. They don't know. They're not allowed to. It's a customer's details, whatever it is. And so, yeah, you do just have to take it a little bit on faith that when they say we saw this and these other conclusions that they've done their work and yeah, in this case, they didn't.
Patrick Gray
They had not. Dear listener. Now let's talk about Tea. Now, Tea is an app that bills itself as being for women's safety. And I think the idea seems to be that like you can do some research on men in your area, see if they've got like criminal convictions and see if any other Tea user has, you know, said, oh, you know, we, we found out this guy's dating like six people at once, that sort of thing. Or this guy's really dangerous and creepy and everybody should stay away from him. That's kind of the idea behind this app. Unfortunately, it looks like the people who built the app didn't do it in a very secure way. So there's been a fairly major breach. There's. There's been two. Right. There's the major one that, that this whole story began with where someone grabbed. It looks like their user verification database, like containing selfies and pictures of IDs. Going up to sometime in 2023, they've moved to some sort of new verification process where they're not storing that sort of information, which is what they should have been doing in the first place. But it looks like, yeah, some of the older stuff got out. This has been all over 4chan with people saying horrible things about the women who are users of this app and, you know, just the sort of, you know, discussions you would expect from a bunch of 4chan incels when something like this happens. But since then, other people have gone and looked at this app as well and discovered that the security situation there is extremely not great. Someone was able to recover a whole bunch of messages between users talking about extremely personal things and then showed that material off to people who work at 404 Media, unsure whether or not that second tranche of information involving very personal messages has been obtained by anyone else. You would think that's a possibility, but we don't know that yet.
Either way, if you're going to provide people with an app like this, you know, you really want to make sure you do a better job than usual is my feeling. Right. Especially when women might be having discussions with each other about violent men, you know, about creepy men. The last thing you want is what you've said about a creepy man being made public. Right. Because that, that seems quite dangerous to me.
Adam Boileau
Yeah, it's certainly a really good example of a place where like the normal, like minimum viable product. Let's just, you know, I don't know, they vibe coded this, but let's just kind of come up with something that does what we need and then iterate as we get more users and we get, you know, a bit bigger and able to afford it. Sometimes that's not the right approach. And in this particular case where you're dealing with, you know, I mean foreseeing that a group like 4chan would sink its teeth into something like this isn't a big stretch. Especially when they are, as you say, the subject of many of the conversations being had in apps like this. And yeah, it's, I mean the second bug you're talking about or second leak that you're talking about with the direct messages, some of the reporting said that that was as an authenticated user you could talk to the direct messaging API endpoint and that via that you could get other people's messages. So like a pretty straightforward kind of API security, cross-role, cross-account sort of thing. The sort of pretty standard type of pen testing or pretty standard sort of security review would ideally spot. So that is kind of concerning when you're dealing with sensitive data like this, that there's basic things like that that ideally you should do before you launch something like this.
Patrick Gray
Yeah. How did the other data get out? The pictures of the IDs and whatever.
Adam Boileau
So the initial. So that breach, it looked like it was some kind of unsecured database, just.
Patrick Gray
Like an open bucket or database.
Adam Boileau
I think it's some kind of open database. I imagine it's probably some kind of NoSQL database kind of thing. I think this thing was built on Google Firebase. I'm not sure what the standard kind of data store that people would use with Firebase apps is but you know, that felt like a pretty normal. We are early in our dev cycle and we just forgot about auth in the backend system that we're using or we moved away from that system and then just forgot about it instead of actively decommissioning it. So, yeah, not good.
Patrick Gray
Yeah, I mean, the fact that some of this data, like it's old data and finishes from some date in 2023 suggests that this app is years old. And you would have to think nobody did a pen test or a review on this.
Adam Boileau
That's kind of what it feels like. Or it was pretty flimsy or like, if you had even open this up to like bug bountying, like, it would not have lasted with this kind of bug very long. It's exactly the sort of thing that people who review mobile apps with security for a living will find. So it does feel like probably they just kind of winged it early startup phase and then never really got back to doing it properly. So. Yeesh.
Patrick Gray
Yeah. So anyway, let's hope that that second tranche of information does not wind up in the public domain because I have a feeling that would be the really dangerous stuff that would actually put people at risk. So, you know, let's hope that it just stays as, you know. But even the IDs and stuff, they've got people's addresses on them and yeah, it's just not good. It is really not good. Now we've got some reporting from the New York Times here where the top lawyer at the NSA, April Falcon Doss, she was appointed general counsel in April 2022 by the Biden administration and she has now been fired. And this is due, it looks like, to Laura Loomer not liking her. Now, of course, it was Laura Loomer who complained about the Director and Deputy Director of NSA and got them fired. And now it looks like she's done it again. And you know, you search on X for this woman's name and you see stuff like, here we go, Deep State Biden burrowed a far left Democrat activist into the NSA before he left office. April Falcon Doss has written extensively about her hatred of President Trump and supported the prosecution of Michael Flynn and Carter Page and blah, blah, blah, blah, blah, blah. So it looks like it's this sort of stuff bubbling up through you know, the online fever swamp of MAGA and then winding up with the swamp queen, Laura Loomer. And from there, you know, then she gets fired. So, I mean, look, on one hand this is bad, right? But on the other hand, I kind of feel like it's encouraging that the reason she's being fired is so stupid. Does that make sense? Like she's not being fired because she was refusing to allow the administration to do something extremely illegal. She's fired because a bunch of like weirdos on the Internet think she's a deep state far leftist, you know, Biden plant. And that's, I mean that's a, that's a good sign. Is that a good sign?
Adam Boileau
I don't know. I mean we, we really do want, I mean any sort of good sign at this point would be great. So it's, you know, we are kind of looking for them, but yeah, it's, it's just no way to run a sensible, legitimate country. You know, when they review this in, you know, five, 10 years time, when the U.S. comes out of this mad phase.
Patrick Gray
Oh, do not make assumptions like that, my friend. Do not make assumptions like that. The United States is coming out of a phase, man. Like, do not. That is a dangerous assumption, my friend.
Adam Boileau
Dear. I guess we live in hope, right? But maybe, maybe, maybe I will be wrong. I hope I'm wrong. I'm not wrong.
Patrick Gray
Yeah, well, I mean, look, you know, I can't imagine someone who's risen through the ranks to become general counsel at an organization like NSA is going to have a terrifically, you know, a terribly hard time finding work. So I think she will be fine. It'll be interesting to see who they try to put into that job. I mean, I think that's going to be the more important news to see whether they get someone who's just boring, who says the right things on social media, you know, that's fine. Or whether or not they just, you know, select some absolute lunatic, which we've seen a few times. Right. So fun times, fun times. We have some research to talk about here from Google and Mandiant, from, from Mandiant, which is of course now part of Google, looking at what the Scattered Spider kids have been getting up to when it comes to VMware. Some of this stuff is interesting, like some of the walkthroughs of how they're avoiding detection when they're working their way through all of this vSphere stuff is interesting in that it works, but they're also doing unnecessary steps and they obviously don't understand how this stuff works 100% but the point is they know it well enough to get the job done. But I just generally thought this was an interesting write up.
Adam Boileau
Yeah, yeah, it was. Kind of talks through how they, you know, once they've landed on a network, typically through social engineering, to get a password reset and then onwards from there into privileged access and Active Directory, leverage that onwards to VMware vCenter and the fact that they will then typically connect directly to the ESX, you know, the underlying hypervisor hosts, which have different kind of sets of logging. A lot of people focus their VMware logging on vCenter because that's where the real administrators do their work. And the ESX hosts typically are not end user, you know, end admin used much and some of the logging unfortunately is off by default, which is not great either. And then they talk through some of the other tradecraft that they use and the one that we've seen, you know, making some comedy on social media, you know, infosec focused social media is them attacking domain controllers from the hypervisor, so pulling the disks off the domain controller and using that to steal, you know, the underlying NTDS.dit file. That gives you all of the credentials for the environment. The funny thing is the Scattered Spider kids have been like turning off the domain controller VM so they can unmount the disk and then mount it somewhere else to access the files. Without realizing, you could just snapshot it, you can read it out of the underlying block device on the ESX. There's plenty of ways to do this that don't involve interrupting service and getting snapped. But on the other hand, probably it doesn't matter because if you're about to ransomware them anyway, they're going to notice. That's kind of the point.
Patrick Gray
So, yeah, I mean, if they've got 10 minutes to stop you, like, what's the difference?
Adam Boileau
Yeah, exactly. I guess how many organizations are going to be able to identify the cause of a domain controller being shut down? And typically you'd pick a secondary DC in some obscure location. At least I would if it was me. But yeah, I mean, it's kind of funny because in the end it just works. And as we often say on the show, it's really not dumb if it works.
Patrick Gray
Yeah. So, you know, but I do find it funny. I do find it funny that, like, people who do know how this stuff works well are sort of being a little bit superior on social media, just saying, oh, look at these silly spiders.
Adam Boileau
And now they're doing it.
Patrick Gray
They don't need to do that.
Adam Boileau
We do this off the block device, like really. But, you know, on the other hand, it gets the job done. And yeah, you stole the NTDS.dit. What more do you need?
Patrick Gray
That's right. Now look, speaking of VMware, we've got a story here from The Register written by an old mate of mine. Actually Simon Sharwood. Hello, Simon. If you happen to be listening. And Broadcom playing funny bugger with patches again. So if you've got. What is it? Some of these tiers, like perpetual licenses to VMware. You know, Broadcom made all the noises last time this was an issue about how. No, no, it's fine. You'll be able to get security patches. Don't worry. Even if you're not paying for support and whatever. Looks like that process ain't working at the moment. And there's a bunch of people who just can't get patches for their VMware stuff, which, look, you know. And I actually spoke to Simon as he was writing this one. We just had a chat, we caught up. And you know, if you've got VMware on the Internet, you know you're going to have a bad time. So I don't know, like patched versus unpatched VMware. I mean, it's only marginally a worse time if you're unpatched. Right. Like eventually gonna have a bad time anyway. But this is extremely not great. Yeah, this, this is really not good by Broadcom. And it's like this is the sort of stuff that VMware customers have been complaining about since day one. Since Broadcom took it over.
Adam Boileau
Yeah, exactly. And you know, you sort of get the feeling that the organization, as a whole is just. It's not a priority for them to make this process work. And the, you know, the actual support people are like, eh, this may take some time and sometime maybe months in this case, which is especially not great when some of the most recent VMware bugs patched. I think this month there's like three guest-to-host VM escapes, all of which were ZDI Pwn2Own competition ones. So like VMware's like, yeah, these are not really zero days. They're not really in the wild. It's like if people are dropping them at Pwn2Own. Like you're kind of.
Patrick Gray
I mean, yeah, you could say, sure, okay, they're technically not in the wild, but you know, how much. Let's spin up a Polymarket on whether they're going to be in the wild in a month.
Adam Boileau
Yeah, yeah, exactly. Right. So we easily buy Broadcom all the way down, which is unfortunately what we expect. And you know, VMware has just turned into such technical debt for so many organizations that built their whole stacks on this stuff, you know, in that kind of early 2000s era when it was good and now it's not so well.
Patrick Gray
But the problem is it still works, doesn't it? And I've got mates who admin some of this stuff and they love it.
Adam Boileau
Yeah. I mean, the other options of virtualization at scale other than pre cloud, like pre infrastructure as a service cloud, you know, the, you know, VMware was the best option. And as you say, it does still work so long as you don't consider, you know, guest to host VM escapes as not working.
Patrick Gray
But that's what I mean, they don't. Because, like, that's sort of. Don't worry about that. You know, like, this is the way we've always done it.
Adam Boileau
Yeah, no, it's. It's certainly a mess. And I don't know. Broadcom, why you got to be like this?
Patrick Gray
Broadcom, why, why now? Aeroflot having a bad time. This is Russia's largest airline, of course, and they got themselves owned by two groups. One of them was the Cyber Partisans, who are mostly associated with activity targeting the government in Belarus or the regime in Belarus and some other. Other activists. Yeah, Silent. Silent Crow is this other group. So it's Silent Crow. And the Belarusian Cyber Partisans have really done a number on Aeroflot. Apparently they were in there for a while and they managed to rm -rf 7000 servers and this led to the cancellation of 100 flights and stranded travelers and a bunch of extremely satisfying images being put all over social media. What else do we know here? Did Aeroflot recover? Is this it? You know, is this just a, you know, did we just get some nice images and that's it out of this?
Adam Boileau
So the Cyber Partisans have said that they exfilled a whole heap ton of information. So some of its passenger records, which they said they're going to make available for independent investigators. So like the Bellingcats of this world will have access to flight records and passenger manifests and all those kinds of things inside Russia and outside, which, you know, that's the sort of information that a group like that really makes hay out of. And we've also seen, you know, some bits about internal conversations and some other kind of, you know, scandalous sorts of things. So, you know, they have said that they're going to leak a bunch of it, and I imagine they probably will because why wouldn't you. As to how fast Aeroflot are recovering? I mean, it seems like they've got the planes back to functioning, but, you know, having been inside airline and airport networks. Right. Those things are quite complicated and putting them back together in a way where everything works and all the integrations with third party systems and crew management. Like, there's just a lot of moving parts in a modern airline. So I don't imagine this will be a particularly quick process. There wasn't any mention in this one of, like, one of the previous breaches of a big Russian organization. I think it was the Gazprom one. The Ukrainians said they destroyed the BIOSes, the BIOSes of many of the systems. And, like, that's the sort of thing that making, you know, if you have to go replace motherboards or reflash BIOS chips to the extent that you even can, you know, pull them and reflash them, you know, anything that involves having to go physically touch a whole bunch of computers really slows down recovery. So they didn't seem to do this here. And I'm kind of, you know, I'm always surprised now when we don't see people, you know, physically destroy the hardware in this way when you're doing a destructive attack, because, hey, why wouldn't you, if you can, you know, flash a bunch of stuff?
So they seem to, you know, you seem disappointed.
Patrick Gray
You seem underwhelmed. You would have preferred a little bit more carnage.
Adam Boileau
I wanted a little more, you know, like, overwriting the ROM chips on the network cards and on the video cards and on the. On the BIOSes. Like, why not just make it so you can't boot these things ever again?
Patrick Gray
Yeah. Well, apparently the network made heavy use of Windows XP and Win2K3. The CEO, Sergey Alexandrovsky, has not changed his password since 2022. So, you know, there's some interesting stuff that came out of there. There's lots of, you know, screenshots of, like, ancient Windows with, like, passwords.txt files on the desktop. And so you get the impression reading through this, that perhaps Aeroflot security wasn't in amazing shape. Now, Minnesota, the state of Minnesota, is having a bad time. St. Paul, the city, its systems have been really worked over by attackers unknown to the point that the governor, Tim Walz, has activated the state's National Guard to help respond. And it's. What's interesting here is I did not realize that the National Guard in the United States has 50 dedicated cyber units, according to the Department of Defense. So that's good. I mean, having a, you know, a group like that where you can break the glass and hit the old emergency button, that's. That's handy.
Adam Boileau
Yeah. And especially, you know, if you do have a big network that you got to rebuild in a hurry, you know, having a group of people you can bring in who do at least know how to, you know, build domain controllers, you know, reset people's accounts, do all of that kind of, you know, scaled fiddly technical work that's not sophisticated, but it is. You've got to get it right. And you don't want people who've never done that stuff before being the ones who have to do it in a crisis. So, you know, having this seems like the sort of thing that a National Guard is for. So there's not a lot of details. Like we don't know if this is ransomware. We don't really know if it's not ransomware.
Patrick Gray
Now, it's not just Minnesota where people are having trouble. There's been a pretty serious outage targeting Post Luxembourg, which apparently also offered telco services. Right. So their stuff's all been down. There was a major outage. It looks like they're back up and running now, though. But what do we know about this one?
Adam Boileau
So the details are a little bit slim in terms of the technical part, but it sounds like there was some kind of major cyberness going on. Post Luxembourg, it's the main state owned telco as well as Post, you know, postal service there. And the impact of this seemed pretty bad. There were, you know, flights delayed at the airport, emergency services, communications weren't working. So the local government told people that, you know, if you want to report a fire, go walk down to the local fire station. Right. And let them know. And same with the police. So that's not a great situation to be. And they seem to have pulled it back together relatively quickly. But yeah, pretty, you know, it's underscores kind of how important comms is to all sorts of things because, I mean, phones were down, home Internet services down, emergency services, planes, point of sale systems, payment systems. So, you know, pretty, pretty widespread. Although Luxembourg is obviously not a very big place.
Patrick Gray
No. But apparently pro Russian hacker groups have claimed responsibility for similar attacks in the past. Right. So, you know, that might give us some indication as to what's happened here. Now, I love a good legal cat fight. And that's exactly what this is. Right. So Clorox, we all remember back. I can't believe that was in 2023.
Adam Boileau
Yeah, time flies, man.
Patrick Gray
It's like I blinked and like, it's what, two years later? How did that happen? So Clorox, the, you know, the bleach company, got owned hard in 2023 and to the point where, like, supermarkets weren't getting the deliveries of Clorox. Like, for people who don't remember, like, it was a really serious attack. And Clorox, as it turns out, is a surprisingly huge company. Anyway, turns out they had outsourced, like, a bunch of their help desk stuff to Cognizant. And this is how Scattered Spider owned them. You know, this is how they got the creds to own them, right? So now they're suing Cognizant, saying, Brah, you know, three, you have to give us $380 million because these people owned us because of your negligence. And, you know, you reset creds, like, completely outside of our policy. And we have the customer service calls that prove this, and Cognizant's response, I gotta say, you know, and that seems like a reasonable complaint. Let's just say that's a reasonable complaint. But then you look at Cognizant's response, which is basically like, hey, we didn't run your network. We just managed some help desk stuff, and your security is inept. What did they say? It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services, which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox. So question to you, Adam. Do you think if you're doing outsourced help desk for someone and one of your people gets socially engineered because they went outside of policy, I mean, you would think that there should be a, you know, penalty for that. But do you think they should be blamed for the whole thing and pay $380 million? Because personally, I actually don't think so.
Adam Boileau
No. I mean, I think, you know, clearly delivering those services per the spec of the contract and, you know, it's kind of up to the buyer to ensure that the spec of that contract is actually appropriate. You know, I think there probably should be some reasonable penalties there. And I would certainly like to see organizations that do deliver this kind of outsourced. You know, these kind of outsourced functions take those obligations really seriously. But that said, if one user account gets compromised and that results in your entire company getting ransomed into the ground, that's kind of a bigger problem than just your outsourced provider. Right? The job of Enterprise Security is to deal with that inevitable failure of that someone's account is going to get compromised. There's going to be malicious insider, whatever it happens to be, and then not have that turn into catastrophic enterprise wide failure. That's the job of your enterprise security architecture.
Patrick Gray
So you know, did you never tabletop or ponder or consider the possibility that the help desk might actually reset creds for someone? When it's social engineering like that, that is just something that you never thought could happen.
Adam Boileau
Yeah, exactly, exactly. Yeah. I mean I would like to see everybody take a little bit more responsibility and you know, people do outsource stuff without really thinking about, you know, thinking that they can outsource responsibility. Like you can't outsource blame. That's, that's not how this works. But there's plenty of places that think you can. So yeah, everybody needs to do a better job. Except maybe Scattered Spider, who clearly are doing all right.
Patrick Gray
Now we're going to talk about a Cisco bug. Now you explained it to me earlier and I did laugh, but I'm sick, so I've forgotten. But it involves something of like just throwing Python code at these what devices and they just run, run the Python code.
Adam Boileau
I mean that is basically the summary of it. Yes, this is the Cisco Identity Services Engine which is basically like their RADIUS and TACACS-like authentication service. So pretty core security component in most people's environments. And yeah, there is an API endpoint and you can just post Python to it and it runs it. That seems to be the bug. Like I found some proof of concept code on GitHub to make sure I understood this and really it does. That seems to be all it does. They post to an API endpoint, here's Python and it runs it.
Patrick Gray
Do you need to give it some special characters first or not? Just cut and paste some Python and away she goes.
Adam Boileau
You seem to just post Python to an API and the API endpoint is like literally admin API and then it runs the Python which I love me some Python. So I'm into Python being executed but in the context of your auth system and this is the sort of thing that people would use for like tying certificate-auth Wi-Fi networks to your AD for example, does that kind of like important auth glue situation. So really you'd hope Cisco would have done a little bit better. But then again, you know, statistically it's best practice for Cisco, I suppose so.
Patrick Gray
I wonder if there's also hard coded creds on this box where you could use the Python to get you the.
Adam Boileau
Probably that is how Cisco b.
Patrick Gray
So yeah, just amazing. Now this one we are not going to spend a lot of time talking about, but there is an interesting detail in it. John Greig has the write-up for The Record. A woman in Arizona, and we've talked about her getting arrested before. She was running one of these laptop farms for, you know, North Korean remote workers, as you do. Right. It's a, it's one of the Americans like to call it. It's a side hustle. Right. Her side hustle was running a basement farm, a basement laptop farm for the North Korean government. She's been sentenced to eight and a half years for running her North Korean laptop farm, which I suppose seems like a reasonable penalty for someone who knew that that's what they were doing and wound up generating $17 million for the North Korean government. That's not great. But there's a fun detail in this one, Adam.
Adam Boileau
Yes. So she, she was an average user of TikTok, and at some point on one of her, you know, posts to TikTok, she was making a video about an important topic. She said that she'd been very busy because her clients were quite demanding, the North Koreans being quite demanding that day. And she didn't have time to make breakfast, but she had been doing a diet challenge. And so she had just popped out to the shops to get a breakfast smoothie bowl rather than. Because she didn't have time. She was so busy, you know, installing remote access tools and posting laptops to China and whatever else she didn't, you know, so she had gone out, bought the smoothie bowl, brought it home, made a TikTok about her smoothie bowl and the success of her, you know, of her diet program. Unfortunately, she did it in the room where her laptop farm was. And the laptop farm was clearly visible in the background, you know, with the desktop screens up and the windows moving and mice going around as the Koreans were remotely using them. And apparently the FBI found that quite compelling when they were preparing the search warrants for her house. So what do we learn about our criminal conspiracies? Don't post them on TikTok.
Patrick Gray
Don't post them on TikTok. If you are making your, you know, smoothie video and you're panning around your room and there's the bullet riddled bodies behind you, maybe don't post. Same thing that goes for, like all of the scales and pots covered in white powder, you know, guns lying around, maybe don't post.
Adam Boileau
Maybe don't post.
Patrick Gray
Hashtag opsec. And we got one more skateboarding dog. Says that was kind of a skateboarding dog. We got two this week, two skateboarding dogs to close out the news Talk to us about the cybercrime forum Leak Zone.
Adam Boileau
Yes. So there is a cyber cybercrime forum called Leak Zone where you post much as you would expect. You know, leaked data, stolen data, data dumps. The bad news for users of Leak Zone is that they appeared to leave one of their databases lying around on the Internet without authentication and UpGuard found it and had a rummage through and it's user records or like access records for the forum. So IP addresses, times and dates and so on. So yeah, that's quite funny, I suppose, when you are called Leak Zone and you have all your stuff leaked.
Patrick Gray
Indeed. All right, well, that is actually it for the week's news. I do want to mention an announcement from a sponsor and the reason I'm going to mention this now is because it's quite funny because a little while ago we had Rad Security in the show as a sponsor, but I'd actually messed up the weeks. So we published the show with the wrong sponsor in it, which, as you can imagine, Tyran Ferrier, who runs sponsorships here at Risky Business, I think he nearly had a stroke when this happened because Rad Security wanted to run it like this week because they had a big announcement coming up, which is. And it's like everybody else's announcement, not to diss it, right, but they've got these things now called RadBots, which are agentic AI powered digital workers. Right. And it does all of the stuff that these AI agents are proving to be good at. Things like triage and you know, alert triage and you know, automating compliance help and whatever. So they've done that now, they're going to be at Black Hat, so you can go check that out. But I guess I did have a thought that's sort of relevant to the, to the general show about this, which is, I think if you're not doing this sort of thing in your security product now, I think you're going to get left behind because everybody's introducing some sort of agentic something that is making their products easier to use. And I just sort of feel like unless the product is really outside of an area where that's useful, like you just have to do this now.
Adam Boileau
Yeah, I mean, it seems to be a thing that, you know, despite there being all sorts of kind of concerns and skepticism, has, you know, a skepticism that has, you know, some real point in many cases, it is still really very useful in how people interact with complicated technical data, talking about it and accessing it in ways that are kind of more human friendly, more human centric. That really is a force multiplier for a lot of these systems. So yeah, much as it sometimes pains me that we bolt AI into everything, it kind of also makes, I found so many legitimate use cases for it and stuff that we do even, you know, and it's always a bit confronting when your skepticism meets the actual. Hey, this is quite useful.
Patrick Gray
Yeah, yeah, I regret to inform you it works is kind of the vibe there. So I did just want to mention that because, because I made a boo boo with the sponsorship thing. So sorry about that. Rad Security and everybody go check out their agentic AI at Black Hat. But that is it for this week's news. Adam Boileau, thank you so much for joining me and we'll do it all again next week.
Adam Boileau
Yeah, thanks very much, Pat, and hopefully you'll be feeling better by then.
Patrick Gray
That was Adam Boileau there with a check of the week's security news. It is time for this week's sponsor interview now. And this week's sponsor is Push Security. This is a company that I advise, they're part of that, that group of companies that I advise and they do identity security. I guess what, what they're really like incredibly useful for is as a phishing control. So they plug into your browser and your users' browsers and it could really track like where users have SaaS accounts, if they're using vulnerable passwords, if they're using personal accounts at work and whatnot. And it really just does build a very complete picture of where users are going and what sort of accounts they're using. It can also detect phish kits very reliably. So, you know, say a link comes in, your mail gateway misses it. You know, this is that last mile defense where if someone actually loads it in the browser, it's going to find, you know, it's going to detect that phish kit and prevent users from being able to enter credentials into it. So it is a very, very useful product. Dan Cuthbert works for Santander bank and he is here to speak to us about Push. Instead of it being someone from Push, we're going to speak to Dan about, about Push. And you know, Dan does a lot of sort of cybersecurity research and detection engineering and cool stuff like that. And he wanted to join us to talk about like what you can do with the type of data that products like Push can give you in terms of telemetry. And he sees this as a future area which is going to be, you know, very, very useful to detection teams at large organizations, so here's Dan Cuthbert talking about that.
Dan Cuthbert
I think for me, what I'm getting out of this now, especially what Push gives us is the whole context. So I know that a user's authentication is happening against an app, right? So you've got the normal flow, user logs in. What Push gives you is how they've logged in, what kind of authentication process. And once you delve into the authentication world, God, it's a mess, Pat. It's just there are so many different ways you can authenticate and cross authentication and so on. But along with that, you've also got the pattern of life. So have they ever logged in from this user agent before, from this IP address before? Have they gone in before with SSO, but now they're using a username and password? Has that username and password been seen in the breach? Is it a different time of day? It's. There was a great quote. I think it was the Microsoft CISO who said, it's an EDR for the browser. And I totally agree with that. You're now getting all this rich data that you can actually do stuff with. Say, hey, that deviation of pattern of life happened, why did that happen? You can dig deeper.
Patrick Gray
One thing I've always wondered, right, Is like, the reason this is useful is kind of because SaaS apps could never agree on some sort of uniform approach to logging, right? Like if they were doing their jobs right. Like if they all got together in some big little SaaS, circle around a fire and beat their chests or whatever, or did an incantation and figured out how to do uniform log sources, like, we wouldn't need this, but they never did that, so I guess we kind of do.
Dan Cuthbert
Yeah, and I think you nailed it on the head. Most of the SaaS apps out there, frankly put, I don't think do authentication properly. It's a mishmash of rush to markets MVPs being done. Oh, crap, we need to do this. Okay, but why is all the admin accounts not mandatory MFA by default, out of the box?
Adam Boileau
Right?
Dan Cuthbert
Why is it that I can't get any form of decent logs, like you just said, where I can extract, say that user's never logged in from this place? Weird. Because they know that they've got that data, right? Yeah, just it's never presented to the endpoint. I think that's where Push comes along and says, actually we will give you that data. You know, like stupid things like the agent itself. Right. Or the browser. You've never seen that user use Chromium before. But now all of a sudden they're using Chromium at 9pm at night and they're in.
Patrick Gray
And they're in Lagos.
Dan Cuthbert
Yeah, in a weird place like you would think that a SaaS app would be give that data to you, but it's just you don't, you don't get it. It's really frustrating.
Patrick Gray
I think one thing that mitigates this though is like, for a lot of that impossible travel and like, you know, checking to make sure the endpoint is, you know, roughly in line with what it usually is and whatever. I mean, don't the IDPs give you a little bit there?
Dan Cuthbert
Not as much as they should do. The way I almost look at the detection flow at the moment is my triangle of love, right? Everybody's mostly got an EDR, everybody's mostly got an IDP and then they've got something hopefully like Push. I want all that data to be thrown into a pool somewhere where you can then map out to say, okay, we're seeing an anomaly there. We're not at that stage yet. Each of those components still operate really separately. And I think that's the frustrating part. And if you look at how most adversaries are now owning stuff, they are targeting one of them because you, whilst you have visibility there, you don't have visibility to the other things. And I think that's the frustrating part. And what I'm finding with Push is that you can start to join these up really nicely. So you're finally having that first stage of, wow, it's 2025. I can get that impossible travel. But then I've got all the context I'm adding on top of it saying, we've never seen this browser, we've never seen this user agent, they're doing a weird IP. And I get, you can spoof all of that, but for the pattern of life, you start to pull out the data and go, actually this is really bad. The stolen credential user journey is fascinating. You know, we know that stolen credentials are very much a thing. We know that identity brokers make an obscene amount of money doing this kind of game. It was putting the pieces in place to show that, hey, a credential was used to try and authenticate to something. And I think that was really useful. That's the first one. I think the next thing is, for the first time ever, I've been able to build a tool that allows me to have this massive data set where I can really understand from A to B, the entire journey of the authentication process. That's beautiful. And then the third one is finding SaaS providers that should know better. Hey, here's the OWASP ASVS. Why are you not doing this? Like, it's a standard used by everybody. Why are you not adopting this? And I think that's probably for me, the biggest bang for buck at the moment.
Patrick Gray
What is having Push snitch on your SaaS providers.
Dan Cuthbert
Holding them to account. Now saying why. Why is it that, you know, MFA is not mandated for all high privileged accounts?
Patrick Gray
Yeah.
Dan Cuthbert
Sounds super simple, right?
Patrick Gray
Yeah.
Dan Cuthbert
And when you and Adam do your weekly thing and you talk about a breach, most of the times it's because somebody's grabbed a privileged token, they've done something with it because there was no mandatory extra security bolt of time. Like, why? Why not?
Patrick Gray
It's sort of surprising, don't you think, that we haven't had much. I mean, it's not just Push anymore. There's a couple more companies sort of moving around in this space, like doing a little bit more in, in terms of collecting data from the browser. I don't think quite as successfully, if I'm, if I'm frank. I mean, I'm biased, obviously, because, you know, I work with Push, but I just don't think they're quite, they're quite there. But it's sort of surprising, isn't it, that this is a new field, like that this is a new category, that this is a new thing, because it's one of those things that, in retrospect, it's really obvious that you would want to have some sort of visibility into the browser. But I think a large part of why we got here is because for a long time we thought we were going to get this information with break and inspect. And, you know, if, if, if Push can just do one thing by ending that, they will have done the world a huge service, I think.
Dan Cuthbert
Yeah, it's. I'm with you. I don't understand why it took us this long to have this mindset appear. You know, we're well ingrained with how EDRs work. Great. Everybody's now building an EDR. It's not a uncommon thing, but it seems the browser space is still. Everybody uses a browser. In fact, I dare to argue, if you look at most organizations now, most employees will spend most of their time in a browser of sorts. Right over, say, fat clients, or you might still have some of them, but everybody's browsing.
Adam Boileau
Right.
Dan Cuthbert
That's how you interact with stuff.
Patrick Gray
Well, and it's completely, it's completely opaque to EDR as well, like people don't see it, EDR doesn't see it until something goes wrong and it starts like spawning weird processes. Right. But like what is actually happening within the context of the browser? It's like a big old mystery for CrowdStrike and whatever.
Dan Cuthbert
Yeah. Like I feel like the browser is still that frontier where people are going, we've got no insight, we don't know what's happening there. It's just a browser. Oh, it uses TLS so we can't see inside of it. But that's where all the juicy stuff is happening. And I think that's where the efforts that we're seeing at the moment from an engineering perspective with Push and the others is pretty exciting because it's. We're closing that circle now, hopefully.
Patrick Gray
Yeah. I mean, do you see it as like, you know, what do you think about what I was saying before about how like this could be like us moving away from that? Break and inspect is the way to do this thing. If you want insight into web traffic, you do break and inspect, which has just been getting more and more brittle and like more and more people are realizing it's just like not a great way to do stuff, you know? Do you, do you think that's one of the reasons we're starting to see tooling pop up here?
Dan Cuthbert
Yes. I don't think the break and inspect model is. It's really hard to get right. You then have the problems of, okay, if you're doing full interception like that, where are you storing the keys? Is that going to be targeted? It's just messy. Whereas this model, it's less overhead. I feel there's less impact on the end user. Especially if sites are doing proper security, they're not going to get all the errors like they do and you get far more telemetry.
Patrick Gray
I guess from what you're saying it seems like what using a product like this has been good for so far has been like surfacing issues like, whoa, that SaaS provider is like doing something silly like username. You know, there's username and password auth for this admin and the password has popped up in a dozen leak dumps. You know what I mean? Like we have a problem. It's that sort of thing. Right. Just surfacing those issues.
Dan Cuthbert
Yeah. And stuff that we all suffer with as an industry. There was a great piece yesterday in the BBC about Knights of Old, how the 158 year old company got lost because of a weak password being used. And you're like, okay, that shouldn't be the case. And it was unfortunate that did happen, but that is how companies are still getting owned. It's a very simple attack, but you just don't have the insight or the visibility.
Patrick Gray
Yeah. And it also snitches on users who are not using MFA for like important stuff as well. Right. Like just across the board, not just administrators. You can say like show me who's not using MFA for these services.
Dan Cuthbert
Yeah. Also I think if you now look at people, we don't just have a dedicated work life and a personal life. It's very much intermingled. Right. During lunch break I might go into PayPal and try and pay something for the kids or I might buy something and I'm logging into this. I think it gives a good insight and I think the. It was one of the. I think it was LastPass that was owned this way. Remember you and Adam talking about how they went after the personal account of the admin? Right. So that kind of attack is still very much prevalent. And I think something like push and being in the browser allows you to see the path that an attacker might abuse to jump in and get tokens for something else if they are in the browser and can get, you know, extract tokens that way.
Patrick Gray
Now look, I'm led to believe that you're actually working on some detection engineering that uses these log sources. But I'm also told you're going to be quite coy about exactly what it is that you're putting together. Can you give us some hints?
Dan Cuthbert
I will try and be as non coy as possible. I think having all these sources now. So for example, knowing when a user is logging in and logging into a high risk app and you can enrich it using GreyNoise or IPinfo or VirusTotal or Falcon and you can do all the detection engineering stuff you've wanted to do for the last five years but never could. Now all the pieces are there. So now it's a case of just adding it all, querying the data set, in this case Postgres, and saying show me any kind of deviation or show me something that. It's almost like Minority Report with the three precogs. Show me something that could be bad happening in the future so I can preempt it now. Whereas everything else before was very reactive. Bad thing happened. Crap, we need to do something about it now. We're at a stage I feel with the data we've got where we can say, hey, if you keep on doing this, you're probably going to be owned. And that for me is a very exciting place.
Patrick Gray
Yeah, makes sense. All right, Dan Cuthbert, Great to see you, my friend. It's been a while. Great to talk to you. Great to see you. And thanks for coming along to talk a little bit about how you are using telemetry captured from the browser to do some fun detections. Always good to see you, mate. Thanks, man. That was Dan Cuthbert there. Big thanks to him for that. And big thanks to Push Security for being this week's sponsor. And that is it for this week's show. I do hope you enjoyed it. I'll be back next week with more security news and analysis, but until then, I've been Patrick Gray. Thanks for listening.
Risky Business #800 Summary: The SharePoint Bug May Have Leaked from Microsoft MAP
Introduction
In the 800th episode of Risky Business, host Patrick Gray delves into a range of pressing information security issues, from significant data breaches to intricate cyberattacks impacting major organizations worldwide. The episode features an insightful discussion with Adam Boileau and concludes with an in-depth sponsor interview about Push Security with Dan Cuthbert of Santander.
1. SharePoint Bug Leak and Potential Microsoft MAP Involvement
Patrick Gray opens the episode by discussing a brewing scandal surrounding a SharePoint vulnerability. Initially disclosed by a Vietnamese hacker at the Pwn2Own competition in Berlin, the bug was handed over to Microsoft for patching. Approximately 60 days later, Microsoft released a patch through its Microsoft Active Protections Program (MAP).
Adam Boileau elaborates on the situation:
"[01:59] Adam Boileau: ... Microsoft said they're investigating whether or not these facts are related. But, you know, the glove does fit a little bit as."
The timing of the exploitation coincides suspiciously with the MAP patch release. Notably, Chinese companies participating in MAP are under scrutiny for potentially leveraging early access to the patch information to develop and deploy exploits swiftly. This breach has reportedly affected over 400 organizations, including the U.S. Department of Energy's National Nuclear Security Administration, raising significant concerns about national security implications.
Patrick questions the likelihood of rapid exploit development:
"[03:47] Patrick Gray: ... it feels like kind of the more realistic scenario."
Boileau adds:
"[03:05] Adam Boileau: ... finding the bug if you'd seen the patch and then turning it into an exploit probably is feasible within the timeframe we're talking about."
2. Expel's FIDO U2F Bypass Claim Reversed
The podcast revisits a previous discussion about Expel's claim of bypassing FIDO U2F authentication via cross-device methods. However, Adam clarifies:
"[07:52] Adam Boileau: ... they misread the logs. They've now published a mea culpa blog post."
This correction underscores the importance of verifying security claims and the challenges of interpreting cloud service logs accurately.
3. Tea App Data Breach Exposes Sensitive User Information
Patrick shifts focus to the Tea app, designed for women's safety by allowing users to research and report concerning behavior in men. A major breach exposed user verification data, including selfies and ID photos, followed by a subsequent leak of private user messages. These breaches were exploited on platforms like 4chan, leading to harassment and misinformation.
Adam highlights the severity:
"[13:34] Adam Boileau: ... there are basic things like that that ideally you should do before you launch something like this."
The breach emphasizes the critical need for robust security measures, especially in applications handling sensitive personal data.
4. NSA General Counsel April Falcon Doss Fired Amidst Political Pressure
The episode covers the firing of April Falcon Doss, the NSA's general counsel, reportedly due to pressure from Laura Loomer, a far-right activist. Adam comments:
"[16:48] Adam Boileau: ... when they review this in, you know, five, 10 years time, when the U.S. comes out of this mad phase."
This incident reflects the intertwining of cybersecurity leadership with political dynamics, raising questions about the stability and decision-making processes within federal agencies.
5. Mandiant’s Insight into Scattered Spider Kids’ VMware Exploits
Discussing research from Mandiant, Adam and Patrick explore the tactics of the Scattered Spider Kids group targeting VMware environments. The group employs methods like unmounting domain controller disks to extract credentials, albeit with some technical missteps.
"[19:11] Adam Boileau: ... it's kind of funny because in the end it just works. And as we often say on the show, it's really not dumb if it works."
Their approach underscores the balance between effective exploitation and the inherent flaws that can emerge from executing complex attacks.
6. VMware Patching Issues Under Broadcom’s Stewardship
Patrick addresses ongoing frustrations with Broadcom’s handling of VMware patches. Customers with perpetual licenses are experiencing delays in receiving security updates, leaving systems vulnerable.
"[22:05] Adam Boileau: ... it's extremely not good by Broadcom."
This situation highlights the challenges organizations face in maintaining security amidst vendor limitations and the critical importance of timely patch management.
7. Aeroflot and Minnesota Targeted by Cyber Partisans and Unknown Attackers
Aeroflot, Russia's largest airline, suffered cyberattacks from groups like the Belarusian Cyber Partisans and Silent Crow, leading to flight cancellations and data exfiltration. Similarly, Minnesota's St. Paul city systems were compromised, prompting the activation of the state's National Guard cyber units.
"[26:31] Adam Boileau: ... maybe, maybe I will be wrong. I hope I'm wrong. I'm not wrong."
These incidents illustrate the escalating threat landscape targeting both aviation and municipal infrastructures, emphasizing the need for robust defensive measures.
8. Post Luxembourg's Telecom Services Disrupted by Pro-Russian Hackers
Post Luxembourg faced a significant outage attributed to pro-Russian hacker groups, affecting emergency services and communications. Although services were restored, the attack demonstrates the vulnerability of essential services to sophisticated cyber threats.
9. Clorox Sues Cognizant Over Security Failures Facilitating Scattered Spider Attack
A legal battle ensues as Clorox sues Cognizant for negligence, alleging that inadequate security measures at Cognizant allowed Scattered Spider to compromise Clorox's systems, resulting in substantial damages.
"[31:34] Adam Boileau: ... Enterprise Security is to deal with that inevitable failure."
The case underscores the complexities of accountability in outsourced cybersecurity services and the imperative for clear contractual security obligations.
10. Critical Cisco Identity Services Engine (ISE) Vulnerability
Patrick and Adam discuss a severe vulnerability in Cisco's Identity Services Engine (ISE), where an API endpoint executes Python code sent to it via POST requests. Because ISE is typically the RADIUS/TACACS authentication service gluing things like certificate-authenticated Wi-Fi to Active Directory, arbitrary code execution there puts a core piece of the authentication infrastructure at risk.
"[33:19] Adam Boileau: ... post Python to it and away she goes."
The bug is less a sanitization failure than a design failure: an API that accepts and executes code from callers cannot be made safe by input filtering, and in a product of this kind it should not exist at all.
11. Arrest of Woman Operating North Korean Laptop Farm Highlighting Operational Security Failures
A woman from Arizona was sentenced to eight and a half years in prison for running a laptop farm that supported North Korean remote-work fraud. She had drawn attention to herself by posting a TikTok video showing off the setup.
"[36:58] Adam Boileau: Maybe don't post."
This case highlights the importance of maintaining strict operational security to avoid unintentional exposure of illicit activities.
12. Cybercrime Forum Leak Zone Exposes Its Own User Data
The Leak Zone cybercrime forum exposed its own user records, including IP addresses and access times, through an unsecured database. That is exactly the kind of data needed to deanonymize forum members, which makes this an ironic cautionary tale for platforms whose users depend on not being identified.
"[37:51] Patrick Gray: Indeed."
Sponsor Interview: Push Security with Dan Cuthbert
The episode transitions to a sponsored segment with Dan Cuthbert, who works in security at Santander, discussing Push Security. Push Security offers a browser plugin that improves identity security by capturing login events, enforcing controls on third-party SaaS applications, and detecting phishing attempts. Dan emphasizes the telemetry the tool produces and how it lends itself to proactive detection engineering.
"[42:04] Dan Cuthbert: ... you're now getting all this rich data that you can actually do stuff with."
He describes how that data can be fed into existing security infrastructure to give a clearer picture of which applications users authenticate to, how they authenticate, and where that deviates from the expected pattern, which is particularly useful in a large organization.
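As an added illustration of the kind of detection engineering Dan describes (this is not Push Security's code or data format; the event schema, app names, hosts and users below are all constructed), here are three simple rules run over browser-captured login events: an app outside the sanctioned inventory, a password login to an app that is otherwise reached through SSO, and credentials entered on a host that is not the app's real login page.

```python
"""Detection rules over constructed browser login telemetry.

Added example, not Push Security's code or schema. Every field name,
application, host and user below is made up for illustration.
"""
from collections import defaultdict

# Constructed sample events: one record per observed login, roughly what a
# browser plugin could report. The schema is an assumption for this example.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "app": "Salesforce", "method": "sso",
     "idp": "okta", "host": "login.salesforce.com"},
    {"user": "bob@example.com", "app": "Salesforce", "method": "password",
     "idp": None, "host": "login.salesforce.com"},
    {"user": "carol@example.com", "app": "Notion", "method": "password",
     "idp": None, "host": "www.notion.so"},
    {"user": "alice@example.com", "app": "Microsoft 365", "method": "sso",
     "idp": "okta", "host": "login.microsoftonline.com"},
    # Credentials typed into a lookalike host: the classic phishing pattern.
    {"user": "dave@example.com", "app": "Microsoft 365", "method": "password",
     "idp": None, "host": "login.microsoftonline.com.evil-example.net"},
]

# Organizational context the rules need; both are assumptions for the example.
SANCTIONED_APPS = {"Salesforce", "Microsoft 365"}
KNOWN_LOGIN_HOSTS = {
    "Salesforce": {"login.salesforce.com"},
    "Microsoft 365": {"login.microsoftonline.com"},
}


def detect(events, sanctioned_apps, known_login_hosts):
    """Return a list of (rule, user, app) findings, in event order."""
    findings = []
    # Apps that have been seen with SSO at all. A password login to one of
    # these means the user went around the identity provider.
    sso_apps = {e["app"] for e in events if e["method"] == "sso"}
    for e in events:
        if e["app"] not in sanctioned_apps:
            findings.append(("unsanctioned_saas", e["user"], e["app"]))
        if e["method"] == "password" and e["app"] in sso_apps:
            findings.append(("sso_bypass", e["user"], e["app"]))
        # Only apps with a known login host can be checked for lookalikes;
        # unknown apps are already covered by the inventory rule above.
        real_hosts = known_login_hosts.get(e["app"])
        if real_hosts is not None and e["host"] not in real_hosts:
            findings.append(("lookalike_login_host", e["user"], e["app"]))
    return findings


def app_inventory(events):
    """Per-app view: number of distinct users and how they authenticated."""
    inv = defaultdict(lambda: {"users": set(), "sso": 0, "password": 0})
    for e in events:
        entry = inv[e["app"]]
        entry["users"].add(e["user"])
        entry[e["method"]] += 1
    return {app: {"users": len(v["users"]), "sso": v["sso"],
                  "password": v["password"]} for app, v in inv.items()}


if __name__ == "__main__":
    for rule, user, app in detect(SAMPLE_EVENTS, SANCTIONED_APPS, KNOWN_LOGIN_HOSTS):
        print(f"{rule:24} {user:20} {app}")
    for app, stats in app_inventory(SAMPLE_EVENTS).items():
        print(f"{app}: {stats}")
```

On the constructed events this yields four findings: Bob's password login to Salesforce, Carol's use of an unsanctioned app, and two findings for Dave, whose password login to Microsoft 365 both bypasses SSO and lands on a lookalike host. The inventory view is what makes the SSO bypass rule possible at all: without per-app visibility into how each user actually authenticates, a password login to an SSO-fronted app is invisible to the identity provider.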
Conclusion
Patrick Gray wraps up the episode by thanking Adam Boileau for the news segment and Dan Cuthbert for the discussion of Push Security. The episode covers a wide spread of the information security landscape, from vulnerabilities and disclosure-process failures at major vendors to politically motivated attacks on critical infrastructure, and the tools and telemetry defenders can bring to bear against them.
Notable Quotes:
Adam Boileau [01:59]: "Microsoft says they're investigating whether or not these facts are related. But, you know, the glove does fit a little bit as."
Patrick Gray [03:47]: "it feels like kind of the more realistic scenario."
Adam Boileau [07:52]: "they misread the logs. They've now published a mea culpa blog post."
Adam Boileau [22:05]: "it's extremely not good by Broadcom."
Dan Cuthbert [42:04]: "you're now getting all this rich data that you can actually do stuff with."
Further Resources:
For more detailed information on the discussed topics, listeners are encouraged to check the episode's show notes, which include links to relevant articles and blog posts.