Risky Business #802 -- Accessing internal Microsoft apps with your Hotmail creds

Adam Boileau

Foreign.

Patrick Gray

And welcome to Risky Business. My name's Patrick Gray. We'll be getting into a discussion of the week's cyber security news in just a moment with Adam Boileau. And then we'll be hearing from this week's sponsor. And this week's show is brought to you by the team at Spectrops and they make and maintain Bloodhound, which is a very popular open source package for doing attack path analysis. Pentesters worth their salt all know and use Bloodhound. And of course there is an enterprise edition of that software as well. And they've just done a major release. I think it's version 8 and forgive me if I got the version number wrong, but yeah, they've just done a major release and they have broadened out the attack graph capabilities of Bloodhound such that you can basically Swiss army this thing to get it to analyze whatever type of attack paths you want. Justin Kohler will be joining us a little bit later on in this week's sponsor interview to talk through what all of that means. But it is a major release and it is very cool stuff. So I do recommend you hang around to watch or listen to that discussion. But yeah, let's get into the news now, Adam. And kicking things off this week. Yeah, I think it was like shortly after we put the showdown last week, Sissa, you know, put out a warning on the latest Exchange vulnerability, saying, oh my God, you have to patch it immediately. And like, it looks like Exchange admins are having a worse time than normal, which you wouldn't have thought was actually possible. But there's this bug that allows you to go from like on prem Exchange, like escalate up into Exchange online or whatnot. Like, what can you tell us about this one?

Adam Boileau

So there was a talk at Black Hat by Dirk Jan Mollema, who we've had on the show before, and he's kind of understands a whole bunch around how weird Microsoft auth things work. And he was looking into how, amongst other things, how Exchange on Prem integrates with Exchange online. And Microsoft has a number of features that rely on that integration. They describe it very euphemistically as the. Was it like the enhanced coexistence features of their environments?

Patrick Gray

Yeah, totally normal language that you use when everything's fine.

Adam Boileau

Yes, but basically this is the thing that says, like, if you've got both Exchanges on Prem and Cloud, which many organizations that are migrating or have different business units, like, it's not unusual for that to exist. Anyway, if you want to have things like integrated Free, busy or integrated, like profile, picture sharing, really important features like that, then there is some kind of like mechanism for the On Prem Exchange to integrate with Cloud Exchange and they can share and talk about stuff. And it feels like the mechanism by which this happens is probably like, dates from fairly early in Microsoft's cloud transition. And so it's not super well thought through. And the net result is that, yes, if you are an admin of an On Prem Exchange that has this, you know, enhanced interaction stuff turned on, then you can then the account that is used to facilitate that in the cloud has way more privilege than it should do. So like read, write, user directory or whatever. So you can steal the credentials or steal the access from On Prem and then leverage that to move up into the cloud. And dirkjan's Talk has a whole bunch of like really excruciating details about exactly how and why things be like they be. And the answer is it's just really complicated because Microsoft's stuff is really complicated and they don't necessarily all understand how it works. But yes, CISA seems to think that if you're a FedGov agency, then, yeah, probably you should apply the patch.

Patrick Gray

Well, you must. And I guess what's cool in this case, right, is that normally when you see one of these emergency directives from cisa, it's because someone is actively exploiting the bug. In this case, it looks like maybe they've got out ahead of it, which is nice.

Adam Boileau

Yeah. And actually what's interesting about this bug as well is that Microsoft, I don't know if I've seen Microsoft do this before. They've got this program where they are going to intentionally break these features for a couple of days at a time over the next three or four months.

Patrick Gray

So people will see them broken and say, oh, I need to investigate that and hopefully fix it in the meantime.

Adam Boileau

Yeah. So to try and get their customers attention, they're just going to turn off, you know, what is it like the free busy scheduling and the other features that this needs? They're just going to turn it off for a couple of days at a time, so. And hope that people notice. And they've specifically said there's no exceptions. You can't phone the service desk and say, oh my God, we really, really, really need our free busy scheduling between On Prem and cloud. Like that's just tough. And then they're going to permanently brick it at the end of October this year. So that's kind of, kind of cool in a way. They must be more worried than average about it. Or maybe this is a sign that Microsoft will be willing to. This is a company that really loves backwards compatibility and they're actually going to brick one of their own features.

Patrick Gray

They've done it here and there. Like I remember all the way back at first Service Pack 2 of Windows XP, that was the, that was the first time I think they'd really broken stuff in the name of security. So they will do it. And that was like entirely justified. Had to happen. They did it. They pulled the band aid off. So it is nice to see him do it again. I mean one thing I'd note here is like you and I, we don't sit here saying, oh, you know, there's a class of vulnerable devices, you know, people just should not use them. Like we don't usually do like absolute advice. But I do remember several years ago you and I both saying like, Exchange on Prem has had its day. It's gotta go. You know, and it's like it's something that we try to avoid doing because you know, often it's not realistic to tell companies to stop using stuff that, you know, does have some inherent problems. But in the case of Exchange on Prem, it's had its day years ago.

Adam Boileau

Yeah. Yeah. And that's, you know, that's how I feel about say Fortinet for example. But yeah, you can't just turn around and say eh, you just can't use them anymore. Stop it.

Patrick Gray

Yeah.

Adam Boileau

You know, and if we could stop people using Exchange, we probably would. So yeah, it's. Yeah, it's. It's funny that they are, you know, of all the things that Microsoft has to use this particular stick with. It's funny that this is the one, you know.

Patrick Gray

Yeah. Now let's stay with Microsoft and talk about some research here where someone was just having a poke around and a whole bunch of horrors fell out. Walk us through this blog post because you put this one into this week's Run Run sheet. Excuse me. It's called Consent and Compromise Abusing entran fun and access to internal Microsoft applications. Again, this was sort of like someone stumbling onto something that was horrifying.

Adam Boileau

Yeah. This guy, Vaisha Bernard wrote up this journey where he was using Microsoft's. So if you've ever seen like the AKA Ms. Link shortener that Microsoft uses for a bunch of their stuff and he wondered like what happens if you just go to AKA Ms. And there's a login prompt and he tries to log in with his Azure creds because why not? And it says no you don't have perms to use this app. That's totally fine. But that leads him to thinking that I wonder how many things in Microsoft you can log into with a consumer account or another tenant's account because of the way Entra app IDs work. So he exhaustively domain discovered all of the Microsoft domains, went through and found all the ones that have a login prompt that will take as your enter ID Auth tries to auth to all of them. And that leads him into this vein of really quite a rich gold of internal Microsoft applications where the team that deployed it deployed it as supportive multi tenant and the app developers that built it never thought about what would happen if you deployed it as multi tenant and didn't specifically check that you are coming from an internal Microsoft organization. The net result is yeah, he ends up in all sorts of weird Microsoft engineering backwaters with interesting bits and pieces and he submits all of this to MSRC and they say thank you very much. They stand up a team to go through and audit it all and figure it all out and deal to it and then they don't give him a bounty. Boo boo. And so then the end of this particular journey blog post, which is wonderful and fun, has good memes and quality write up is him logging into the Microsoft cloud application where they approve and send payments to to people for bug bounty rewards or other things where like basically you just stick a PayPal account in, say how much money you want to send it, hit send and then Microsoft will send you that money. And so yeah, he leaves the blog post on that question of whether or not he sent himself some money. One assumes that he didn't, but he was.

Patrick Gray

I mean this is standard, right? For crypto stuff. I mean he could have sent himself 10 million bucks and then offered to return 9 million of it.

Adam Boileau

I know that's what he should have done. Yeah, it would have been absolutely fine for reward payment.

Patrick Gray

Microsoft's lawyers would not have had anything to say about this. It would have been absolutely fine.

Adam Boileau

But the real moral of the story is even Microsoft doesn't know how to use their own tooling and everybody else who's ever screwed up deploying apps into Azure and made these kind of mistakes, even Microsoft gets this stuff wrong and they even get it wrong on important internal things. So it's not just you. This really is hard and really is hard and it really is kind of a mess. And I hope Microsoft learned something from this process.

Patrick Gray

I mean it's, you know, this is the strength and the weakness of Azure, right, is it's just one big system. You know, it's one big directory and everybody's in the same directory and it's, it's just this big multi tenant thing which isn't sort of separated along customer lines. It's one thing.

Adam Boileau

Yeah, I mean it's, it's one mainframe. We've gone from distributed computing back to like there's the Microsoft computer and the Google computer and it's all just, you know, multi user, you know, one big multi user computer that we all share. Yay.

Patrick Gray

Yeah. Fantastic. Now back in, I think it was July, Politico reported about an intrusion into the US court system. Right. The court filing system. They've got some follow up reporting here which is somewhat alarming, which says that drug cartels may have accessed a bunch of the data stolen out of these court systems. Now this is just as per officials, some officials that Politico spoken to but you know, they seem to be good at journalism. Right. So you would assume that they're speaking to well placed people who, you know, these are, these are reasonably grounded fears. Fears that are grounded in, in reality. Although the interesting details here is like, well, it's not really clear how the cartels may have got access to this information, whether or not they hacked it themselves or they're just buying it from other hackers or whether there's corrupt officials in other places that acted. And one of the reasons they're not sure exactly what went down here is because there were so many different threat actors in these systems at once that it's a little bit hard to figure out exactly what happened. But you know, I know our colleague Tommy ran, he's taking a look at this this week for the Seriously Risky Business newsletter and podcast. Subscribe to those two if you haven't people. But you know, this idea that now you've got to worry about like the Sinaloa cartel, you know, like we had that report, you know, a month or so ago where we were talking about the cartels actually surveilling FBI people with like stingrays and stuff on the ground to find cooperating witnesses and whatnot. Now you've got these reports where they're hacking the court system or at least obtaining information that was hacked from the court system really changes the way you need to think about the criminals you're investigating when they have this sort of capability.

Adam Boileau

Yeah. Like it's a pretty messy situation. And some of the other reporting has said there's been all sorts of Russians up in there and they're not sure whether it's Russian, you know, like government cyber, or whether it's, you know, cyber criminals or why not both, you know, or why not cartels as well?

Patrick Gray

You get the impression from reading this that, like, everybody had a shell in this, in these systems. Right.

Adam Boileau

That seems to be the case. And, you know, there's some pretty extraordinary tales of, like, judges being told to not use it for certain cases or having to handle things on paper only because they can't trust their computer systems. I think there was some report to a House Judiciary Committee that one of the systems PACER is basically just not sustainable, like unsustainable due to cyber risks and needs to be replaced. Like, it sounds pretty. From the kind of technical problems they've got, but also just, you know, in general, the court system is a thing that you kind of rely on to be able to enforce, you know, sealed filings or whatever else when they handle NATSC stuff, apparently independently, like on paper, not using the system. But there is a whole swathe of cases and, you know, Mexican drug cartels, et cetera, other sorts of things where, you know, there is very real risk to witnesses and to other people involved in court processes if you start, you know, having these, you know, documents and data available to anyone who's buying or anyone who's hacking.

Patrick Gray

Yeah. And it's not like, look, I mean, it's not like this sort of risk is just contained to the courts and the FBI. I mean, we've seen some spectacular failures in the intelligence community on the cyber front that have resulted in people being killed. I'm thinking in particular around the. That covert comm system used by the FBI, which, by the sounds of things, was something like, you know, just drop a WordPress comment here and it's fine, you know, ding. So, but you would think that, like, I think the. The FBI and the DOJ need to up their game. Right. And that's going to be expensive. That is going to be expensive.

Adam Boileau

Yeah. I know when you were talking, I think it was when you were talking to Tom in a previous episode about Officer B about the. The drug cartels, like that the FBI really does have to be able to operate like it's a real intelligence service, not just law enforcement. And this is much the same, like, court systems need to be, you know, robust against their worst adversary. And, you know, now that you've connected everything to the world, that range of adversaries is really quite big. And all that complex document handling, all of the identity bits and all of the, like, these are Complicated systems. It's understandable that they end up being kind of a mess, especially when they've evolved over a long period of time and across a range of technology solutions and stuff. Like you can see why it's like this, but it's just not, you know, it's not good enough and it's going to be expensive to fix.

Patrick Gray

Yeah. And I think Tom's take and you know, more on this again tomorrow. Head over to Risky Biz to subscribe to the newsletter if you want to read about this. But you know, Tom just his early thoughts seem to be, well, the Trump administration seems to be perhaps over indexing on offensive disruption for cyber stuff and we want to see offensive action. But how would that work to address this risk? Right. Like you're not talking about disrupting a ransomware crew or something or you know, going after an apt crew like this. This is just different. So we're sort of back to square one in some ways where it's going to come back to do a better job of defense.

Adam Boileau

Yeah. And that's hard and expensive. And you know, cisa's, you know, I'm thinking like some of the resources CISA was bringing to bear on that, like secure by design initiative, for example, like that would have paid off over the long term. You know, some of those have been kind of disrupted by changes in the administration as well. So yeah, it's a mess.

Patrick Gray

Yeah. Now back to some bread and butter. Infosec, more Citrix netscaler companies. It's turned out like some critical infrastructure operators got owned with some Citrix bugs. But apparently these bugs were popping up in the wild as o day before they were patched. Now, is this a different set of bugs to the most recent bugs we talked about?

Adam Boileau

This is Citrix Bleed 2. So it's the memory leak that we talked about a little while ago. Apparently it was being hit in the wild something like a month before Citrix disclosed it. So, you know, it's a little bit unclear exactly what that timeline looks like, but. But yeah, that's critical infrastructure amongst many. One of the many victims of this particular bug, which, you know, I think we all predicted was going to go big and here it is.

Patrick Gray

Yeah. Yeah, that's right. Well, it turns out it actually had gone big before we predicted that it would go big because it was being used as oda. But yeah, we've linked through to cybersecurity Dive, who've got a report on that. Now this connects quite nicely to our theme last week where we spoke about AI on Offense there was the darpa, you know, AI Cyber Challenge or whatever that happened in Vegas last week. The results are in. There were three teams that did well. Trailer Bits Disclosure, they're a minor sponsor of this podcast. Trailer Bits came second, which is pretty cool. So congratulations to them. A group called Team Atlanta came first and Theory Theory claimed the third spot. But what was interesting here is the way the challenge worked is DARPA grabbed a bunch of open source packages, inserted like 70 something synthetic vulnerabilities into them, and then these AI agents were supposed to go and try to find them and auto patch them. And they did pretty well. They found something like 50 of the bugs. They had patches for like 40 something of them. But what was really interesting is they found a bunch of actual bugs that were not put there by DARPA as well. Right. So again, this just sort of reinforces the idea that we're pretty early days into vulnerability research using large language models, and already they're actually proving to be quite, quite useful. I feel like it's too early to judge what this is going to look like in a couple of years, but you would have to say this looks pretty promising.

Adam Boileau

Yeah, I mean, this is what, you know, the whole point of this conversation of this competition was to shake out a bunch of interesting research and approach and so on. And one of the great things about it is that it also required, like, if you entered this competition, one of the conditions was you had to then release it as open source afterwards so that everyone else can see what you're doing and we can kind of build as a community on these kinds of sets of tooling. And that's really cool, regardless of how well it works. That's a cool approach to this. But yeah, it did work pretty well. I had a quick look through Trailer Bits, had published their particular set of code on GitHub, so I was having to rummage through it earlier on just out of curiosity, and essentially that their system takes code bases, hooks them up into oss, uses OSS fuzz kind of bindings to build fuzzing harnesses for them, triage bugs that are found in that process and then write patches for them and then kind of iterate through that with AI models kind of guiding that process. And it's just, you know, it's kind of what you imagine that would look like, but there's so many fiddly bits to doing that and making it work well. So, like really good work from all the teams involved. And yeah, it's going to be fascinating to see what this is like in a few years.

Patrick Gray

Yeah, well, that's right. I mean, one thing to okay, it can build a, you know, fuzzing harness and whatever and automate a bunch of stuff. Like what does that look like in a few years? Like when this is the babby steps, right when they get. When they start to look more comprehensive and whatnot. So that's, you know, that's really cool. Now last week also we mentioned that James Kettle was due to present some research, presumably on HTTP, like desync stuff. And yeah, that's what he's done. He's wound up spinning up a website. I think it's called HTTP 1.1 must die. And you know, the research is, yeah, typically interesting stuff. I mean, we're talking about issues sort of inherent to HTTP 1.1 that are going to be very, very, very difficult to fix. Why don't you walk us through this? Because you are much better qualified to do that than I am.

Adam Boileau

Yeah, this is absolutely classic James Kettling. The research really focuses on a structured approach to thinking about desynchronizing different levels of web server along the path. So when you have a client talking to a web server, that's kind of one thing, but when you've got pro the way and nearly everything of value on the modern Internet is not a web server on the Internet, it's a web server behind a cloudflare, behind an akamai, behind some other kind of reverse proxy. And that proxying layer is quite difficult to do. And HTTP, the protocol, HTTP 1, the protocol has a whole bunch of, you know, kind of historical baggage and complexity that makes proxying it, well, really quite difficult. And the goal of his research here was to get to the point where we accept that there is no way to make this okay except moving everything to HTTP 2, where the whole transport mechanism is redone from scratch in a way that doesn't have the same sort of inherent confusion and problems. And most of these flaws kind of come down to the parsers at different steps of the way, interpreting things either in a different way or in a different order and being able to kind of manipulate that in a way that is useful to the attacker. And some of the examples that he shows off here are being able to steal other people's auth tokens, post auth from intermediate proxy layers by confusing it and so on. But really the point he makes is that there is an infinite source of these types of bugs because of the confusion and point fixing any one of them is not going to help us. And that was his goal. And of course, as is usual, he's released a tooling that he uses and all the methodology and stuff so that everyone else can also go and find this stuff. So, yeah, pretty cool.

Patrick Gray

Yeah, it was funny too, because last week we were talking about how you would have, like, an AI agent eventually with Burp and whatever, and then you had people yelling at you through the week because apparently Burp already does have an AI agent.

Adam Boileau

Yeah, there's a Burp plugin that implements an MCP endpoint so that you can control it from your app, which is like. That's one part of that kind of puzzle. But, yeah, it does already exist.

Patrick Gray

So, yeah, yeah, yeah. I mean, I think, yeah, it's just worth following up, given. Yeah, James Kettle is behind Burp, so, yeah, that's one that's definitely worth reading about. Post Vegas, you would have to. You would have to agree. All right, so moving on. And the United States has taken down some ransomware gang, apparently that took, you know, $370 million in ransoms, which is quite a lot of. Quite a lot of bitcoin. John Greig has a write up over at the Record.

Adam Boileau

Yeah, this is the Black Suit ransomware crew that used to be the Royal Ransomware Group. And they did a bunch of, I think, US Cities they ransomed, but they got shut down a few weeks ago now. But it wasn't really like, no one had been really talking about it. Like, they had like their dark web leak sites and stuff had been seized and put banners, you know, banners been put on them, but no one was talking about it. And then the Germans, I think maybe last week the Germans said, yes, we were involved, but now we've finally seen the US Law enforcement, actually Justice Department come out and talk about it a little bit. So, yeah, they shut down some things and seized some crypto and, you know, all the things that you would expect from a cybercrime groom cyber crime group being shut down.

Patrick Gray

Yeah, yeah, they just. It is whack a mole, though, at this point. Right. But you do wonder how bad it would be without the takedowns. I don't know. It's. We're back to that same old discussion about, you know, is there an impact here from these takedowns? Is it measurable? You know, it all comes down to hypotheticals. Got it. You know, let's. Let's not get bogged down in that one again, but. Sheesh, it is nice to see another takedown. Let's just say that. Meanwhile, Dorina Antoniok over at the Record has a report that a North Korean cyber espionage group called Scarcraft apparently is dropping some ransomware recently, which is unusual for them, apparently. You know, I've. I've said a few times on the show over the last couple of years, if North Korea really embraces doing ransomware for profit will have all sorts of problems. It hasn't really happened that way. Right. Like we see it, it's more of an occasional thing. They're not doing industrial grade ransomware. I do kind of wonder why that is. I think possibly it's because they're making so much money out of crypto theft anyway, they don't need to that. But, you know, maybe it's because they're worried it's too disruptive and it will invite other types of responses. I don't know. But either way, we do have an example here of a North Korean group dropping some ransomware.

Adam Boileau

Yeah, yeah. Which I think, you know, I think you're right. That is kind of interesting that they don't. And you know, part of me wonders, like, I wonder if this is more like the Chinese ecosystem where these groups do have a little bit of free rein about how they make money on the side. And especially if some of these groups are not operating directly inside North Korea, maybe they're influenced by other Chinese groups that are making money this way. Or I think it could be something as simple as maybe they didn't meet their targets. And if you don't meet your targets, you start to get desperate. Maybe they didn't steal enough from cryptocurrency firms, so you got to make up a shortfall somehow and maybe that's good enough. So, yeah, it's always hard to know what's going on inside the hermit kingdom and exactly why.

Patrick Gray

Now, it was only a few months ago, Adam, and you would remember this when you actually educated me on what an SVG image is and why it's basically like a bunch of, you know, it's an image with a bunch of JavaScript basically, which is, yeah, it's no bueno, basically. And we've got a great example here of people using SVGs, like somewhat maliciously. It's a write up from Dan Gooden over at Ars Technica. Apparently there are a bunch of SVG files popping up on adult websites which use JavaScript to do like a Facebook like on a Target page like this seems like a pretty victimless crime if I'm honest. So obviously someone is like, is like trying to boost Facebook likes on some page or whatever. So what they do is when A target visits one of these adult websites, the JavaScript in the SVG, if that user is logged into Facebook, like does a like on that page for them. And I just think this is absolutely hilarious. I mean, who'd have thought that this is what would happen when you allowed JavaScript to be contained in image files?

Adam Boileau

I mean, SVG is just particularly dumb format in that regard because most people don't expect image files to be full featured image documents in the style of HTML, which is what an SVG really is. The kind of saving grace and the reason we don't see this being an absolute disaster across the entire Internet is that when an SVG is parsed in an image context, so like loaded by an image tag in a web page, no scripts get run. So the scripts only get run when the SVGs are parsed in some other context. So for example, if you open it in iframe or you open it using an object embed, but the one that the pawn sites are using is if you download an SVG and then in Windows you open it, you open it in Edge and at that point when it's open as a bare document, so not in a context of a web page, it does execute the scripts. So that's the trick here, is that they are getting people to download. Because I read the RS thread because Dan Goodman writes for rs, technically I read the comments thread and people are like, but what do you mean you're not using it incognito mode when you're browsing porn sites? Like, what are you doing? Why is that like you're not logged into your Facebook? How does this work? And that led me to the question of how does this work? And yeah, it's tricking people to download SVG files, open them later, and then in Windows the default is you get your full featured ads, which probably is logged into your Facebook and at that point then it can go click on and add likes to whatever thing it's trying to like. Or no, I mean that makes sense.

Patrick Gray

Because I was wondering like how that would work if people are actually accessing these websites with all of those cookies set. And I thought, I don't know, man, normies are weird. Like maybe that's what they do, right? But this makes a lot more sense that yeah, they're like, oh, here's an image library you can download of this model or whatever. And then people, you know, store it and categorize it and whatever it is that they do and then bang, open it up and what? So when you open a SVG image. The default, like image opener is what, like Edgyum?

Adam Boileau

Actually, I'm not sure on Windows, I guess it probably is. Yeah. I don't know how the file associations work on. I don't know what the standard file associated. I don't open SVGs on windows very often. Often. So I don't know. But yeah, if it opens in Edge and then at that point you're going to open in, you know, the, the with your standard browser sessions and then onwards you go to terrible times which. Yeah, it's just a funny. It's a funny world that.

Patrick Gray

It's a funny old world. We keep finding ourselves saying this one recently. Now we got a bit of an update from Sonicwall here. Remember like last week we spoke about how their advice was like, enable mfa. It won't probably work, but enable it anyway and do this and do that. And they didn't really know what was going on. They were worried about a O day in their product. Turns out wasn't an O day.

Adam Boileau

Yeah. Sonicwall has instead blamed the customers. And they have said that after the most recent round of previous exploits where people were getting their config stolen when people upgraded from that, that they also needed to change their passwords because the passwords had probably been stolen previously and people who didn't change their passwords were the ones getting compromised. And some of the early reports did seem to say that that wasn't the case. Like that those customers had. And I guess perhaps those customers were confused about exactly what they'd done or didn't want to admit that they hadn't changed the password.

Patrick Gray

But I mean, this totally fits with the vibe of like, these boxes are getting owned mysteriously and we can't figure out why. It's like attackers have the creds. That totally explains it.

Adam Boileau

Have the creds.

Patrick Gray

Yes.

Adam Boileau

The irony is MFA probably would have helped then, but. Yeah. So either way, I guess if you're a running sonic balls, you're still having a bad time regardless of whether or not there was zero day this week. Because, hey, there might still be zero day next week. Who knows?

Patrick Gray

Yeah. Now, speaking of bugs, you know, it's a win. It's a Winrar bug. You always got to go with the golden oldies, right? Like that's like this is like a radio show. We're playing a golden Aldi. There's two groups out there apparently exploiting Winrar bugs in separate cyber espionage campaigns, according to this report from Dorina over at the Record.

Adam Boileau

Yeah, this is another Winrar bug. I think this One was like integer overflow or something. I forget about the exact specifics. Well, remember it was a past. Maybe it was a path traversal bug. I read the, the details.

Patrick Gray

I mean it's usually a path traversal.

Adam Boileau

It's usually a path traversal in this particular case. The funny bit is that was being exploited in the wild and one of the groups exploiting it in the wild was a Russian backed, you know, cyber espionage crew and the other group exploiting it in the wild was someone hacking Russian organisations. And so we don't know who got it first or who was doing it. Apparently there was rumours of a bug like this being for sale on some Russian underground forums which either, you know, for or against Russia can buy from Russian underground forums. So we don't really know. But yeah, kind of ironic when we've got, you know, write ups from eset saying hey, Russians have been using this and then write ups from some Russian security firm saying somebody's hacking us with. So Everybody gets a WinRAR bug.

Patrick Gray

I mean it's just amazing that WinRAR persists because Microsoft like Windows doesn't have a good Archiver. Like it's 2025 man. Like come on Microsoft, either buy WinRAR please just buy WinRAR and make it better or just develop a good archiver.

Adam Boileau

Yeah, the built in Windows compressed folders functionality was not great. I don't know if it's gotten any better since, you know, in Windows 11 or anything. But yeah, people still run WinRAR and it's very common like how you know, everywhere. But yeah, especially it does seem like ex Russian, you know, ex Soviet states, like they seem to really love Winra there more than average. So yeah, I don't know.

Patrick Gray

Well what's real funny, you talk to the airlock guys about stuff that just sticks out like a sore thumb that just like if it's not in an environment and is suddenly introduced into an environment that's like a red flag is Winra. Because there's so many crews, like apt crews who just byo Winra to like archive stuff for X, you know, for xfil. So they're like if you see like a blocked execution attempt for winrar and you haven't seen that before, it's like that's like run, whoop, go to that box and figure out what's going on. Always a lot of fun. Now it turns out someone hit a pretty massive payday for a Chrome bug. 250 grand, which, that would be quite nice. Tell us about this bug and why it's worth 250k Adam.

Adam Boileau

Yeah. So some guy turned up with a, you know, a Chrome sandbox escape bug. And you know, there's a thread in Google's bug tracker and the Chromium bug tracker, like where this bug gets triaged and investigated. So the. It's technically quite interesting.

Patrick Gray

So it's like a logic bug, right? Like not so much like a classic, you know.

Adam Boileau

Yeah, it's not MEM corruption. No, it's a kind of a classic kind of. It's a complicated design and there's lots of moving parts. But yeah, it's sort of a, what they call it, like a confused deputy, I suppose. But anyway, so Chrome is made up of a whole bunch of processes and this was an architectural choice that Google made pretty early in the development lifecycle to separate out using the existing operating system controls, different tabs, different process, different components to try and limit the blast radius of any particular bug, which is a great idea and has really stood Chrome in good stead. So that when you've got different tabs in different security contexts, they're running in different operating system level processes. So even if you get codexec and one, you don't get much else, there is communication between these processes to handle things. Like I would like to draw some stuff on the screen and I'd like to interact with the file system or the network or whatever. And there is a gatekeeping sandbox process that's responsible for mediating all this access. And this was a flaw where you could basically convince the sandbox component that you too were the sandbox and that you were authorized and essentially be able to kind of impersonate it. And that's a pretty cool, like you can leverage this into full sandbox escape, which is, you know, in the context of Chrome security model, pretty catastrophic. But it's just a really fiddly, nuanced, interesting bug and a great write up. And the guy showed up with, you know, proof of concept code and stuff. So exactly what you know, Google wants when they get this type of bug report. And yeah, they decided to show their appreciation in the manner of quarter of a million dollars. So Cha ching.

Patrick Gray

Yeah, and I think one thing that's interesting is as you said, it's exactly the sort of thing that Google wants. And they cited that as a reason for the payment being so high. When they passed on that payment it says like, this is exactly the sort of stuff that we want to see, we want to reward this, we want to encourage this. So that's nice and a great payday. I'm sure that that researcher was very happy. Now, James Reddick over at the Record has reported that one of the three founders of Tornado Cash, Roman Storm. What a name. He's like, there's like two of the founders. Their first names are Roman, the Romans, which is kind of interesting. He has been found guilty on some charges and not guilty on money laundering. So I think there was like, found guilty of operating like a, you know, unlicensed money remittance business or something, but not. Not guilty on the much more serious charges. So it's just funny that this is still going through the courts. I think one of the other founders is on the lam, you know, outside of the US and yet one more founder, he was convicted and imprisoned and then is out on. On awaiting appeal or something like that. So this thing is just still dragging on years and years later.

Adam Boileau

Yeah, because it was what, 2019, tornado cash. Right. So it's going. Going back away in the context of the crypto world that's practically ancient. But yeah, it's kind of interesting because money laundering is such a important feature of cryptocurrency for crime. I mean, there's other things you can do with cryptocurrency, but like being able to use it for crime and obscure the origin of your funds. I mean, that's. Without that, as we have seen, like, with the extent to which blockchain tracking services have made using stolen cryptocurrency difficult, without that anonymity, it's very hard to. To actually spend the, you know, hundreds of millions of billions of dollars that you've stolen.

Patrick Gray

I mean, we had a. There was an item last week that we wound up dropping from the run sheet about some massive bitcoin heist from way back when, which these days, like, that amount of bitcoin would be worth, you know, like tens of billions of dollars or something. And the money's still sitting there on the blockchain untouched, because you can't move it around.

Adam Boileau

Yeah, I mean, it must be really weird to have stolen multi. Billions of dollars and not be able to then use it for something, because how do you launder, was it a 4 billion or 14 billion?

Patrick Gray

It's like you stole a whole truck full of gold bars. You know, you buried them and then someone built an army base on top of them. Yes, exactly.

Adam Boileau

Right, exactly.

Patrick Gray

Yeah. Crap.

Adam Boileau

But no, so we've often talked about, like, the value of targeting the bits of this ecosystem that are good for disruption. Right. And money laundering is one that really makes sense to target. So it's kind of weird to then see a, you know, high profile money laundering service like this not get, you know, not be prosecuted. Well, not, not result in a really big prosecution for the thing that you want to punish so.

Patrick Gray

Well, I mean, you know, this piece actually points out too that there's been a real shift in tone around cryptocurrency regulation with the new administration in the United States. I mean, they've even passed like new regulations that allow people to invest in crypto for their like, like pensions and whatnot. You know, so they're really like pro crypto. So I can't imagine there's going to be a lot of, you know, momentum.

Adam Boileau

Yeah.

Patrick Gray

Here. But I mean, things can change, right? Like, let's see what happens in three and a half years from now.

Adam Boileau

Yeah, well, exactly. Right, exactly. So let's hope things go back to normality or at least some degree of sense. But yeah, for now, I guess this guy, if he only gets five years in jail, which I think is the maximum he's facing now, then, you know, he probably will. Other than being shaken down while in jail for all of his crypto. Yeah. I mean, probably it's better than 20 years.

Patrick Gray

Yes, true, true. Now we've got this story from Wired and I feel like I need to dim the lights and play some spooky synth music for the intro here because as you pointed out to me, this one is written up somewhat breathlessly. I'm going to give you the headline here and it's such a cracking headline. Hackers hijacked Google's Gemini AI with a poisoned calendar invite to take over a smart home. You know, very, very cool. And yet, you know, I still think this is worth talking about. I feel like the smart home takeover bit like that's the stunt hacking part of this story. But I think the fact that you can do prompt injection via a Google Calendar invite and get Gemini to start doing stuff it shouldn't be doing, I mean, that ain't good.

Adam Boileau

No. And that's the ultimate reason this PC ended up still in the run sheet, despite the rather breathy framing of it all. So this was right above some research that was presented I think at Blackout at defcon, which was looking at ways to do prompt injection, kind of second order prompt injection, I suppose, in the sense that you send someone a meeting invite or something else that gets put in their calendar at later on at some point the user interacts with the calendar via the Gemini AI model and then it reads the calendar input, which then contains some kind of prompt instructions for it. And those then are setting up the AI to later take action when the user does something else. So it's sort of laundering their instructions, the malicious instructions that you're prompt injecting kind of of a couple of degrees away from where they originally came from to try and confuse the source of the instructions so that existing controls that are in place to kind of stop this sort of thing are ineffective.

Patrick Gray

Do this when I say xyz. So it's like the user has initiated the action, right?

Adam Boileau

Yes. And then it kind of asks the. So like the example with the smart home thing was like the prompt told the AI that it's now in charge of some bits of the home. And when I say thank you, you should open the windows or whatever, so that later on when you say thank you to the AI, that instruction has been kind of loaded in and off it goes. And the idea that we're going to hook up all sorts of systems to let these models do stuff on our behalf. So take this calendar invite and stick it in my calendar or whatever other stuff you might ask it to do. And then we're blurring instructions and data and then access to the rest of our personal infrastructure, smart home stuff or whatever other stuff you've got kind of hooked up to your Google accounts. It's all a bit blurry and a bit fuzzy. And the kinds of controls that we were put in place around this really don't feel very reassuring because they're all vibes. Right? It's hey, AI, don't do something I don't expect, but please do all of these other things that I do expect. And I'm going to trust you to kind of, you know, make that decision yourself based on being, you know, a very smart spell checker. Like, it's just.

Patrick Gray

Yeah, well, as I say, you got to keep thinking of these AI agents as very eager to please 14 year olds. Yes, that's what they are. Give them root access on your, on your device. It'll be fine.

Adam Boileau

Yeah, yeah. I'm glad someone's doing this research and I'm glad that people are talking about it, but yeah, I don't know about this future, man. I don't know. I don't know.

Patrick Gray

It's going to be an interesting few years. Like, I definitely think it's going to be an interesting few years. Now, John Tuckner, who is the Secure Annex guy, I mean, I've spoken about what he's up to these days. Like he's the guy who looks at malicious chrome extensions and whatnot, and ones that get Bought and then turned malicious and whatever. Another thing that he looks at is like VS code extensions. Now something that's interesting is Cursor and Windsurf have actually been booted from the Microsoft like VS code extension store because it's not an official Microsoft product, so you can't access the store. So bye bye. Now this means that people who want to buy extensions for Cursor and Windsurf are now having to go to like these other stores that are full of malicious extensions. And this is extremely no bueno. And John's done a write up of it here. He also sent me an email earlier about this, like alerting me to this, this and I think he said that some of these extensions have been linked to like supply chain attacks that have resulted in like half a million bucks worth of crypto going, which I know is small beer in the sort of crypto space, but still, like this is not good. And you sort of wonder like Microsoft, come on. It seems a little bit petty of Microsoft to kick Cursor and Windsurf out of these stores.

Adam Boileau

Yeah, I mean, I guess the backstory there is that Visual Studio code got open sourced and then of course people use that code base to build other products. But there are restrictions about how what you can call it, you know, for trademark reasons or whatever else, like you can't call it Visual Studio code anymore. You have to call it something else. And distancing Microsoft from the downstream forks of it. And then I guess they decided that, you know, having other people's products that aren't Microsoft using their marketplace for extensions, you know, brought them some liability. I imagine the lawyers were involved somewhere. But the outcome I guess is that anytime you end up with these ecosystems of extensions and plugins and whatever else, forking and going off and doing their own thing somewhere else. And I think the OpenVSX Marketplace or Plugin extension Registry that they're using is actually operated by the Eclipse foundation as sort of good for the community. But operating any type of this kind of thing brings with it all of the problems of managing a store. Right.

Patrick Gray

The costs money to keep the bad stuff. I mean.

Adam Boileau

Yes, yeah, because like the review processes are complicated, you know, and making hard moderation decisions, it's complicated like staff. And if it's not core business like say it is for the Apple App Store, then you end up with a total trash fire. And that's unfortunately what's going to happen. What is happening. And yeah, the, you know, people having their crypto stolen, it's kind of what we expect unfortunately, yeah.

Patrick Gray

I just love it that John's managed to carve out a niche business, you know, bootstrapped niche business that sells intelligence on dodgy extensions, whether they be VS code or Chrome or whatever. It's just so cool. I dig it. And one more thing I just wanted to cover quickly is push and full disclosure, I'm an advisor to push. One of those guys sent over today just a write up they've done on some like adfs phishing with office.com Anyway, it's just a write up of a phishing campaign that shows how creative phishing campaigns are these days and I think it's probably worth a read for people.

Adam Boileau

Yeah, yeah, it's an interesting trick where basically you can send someone a link that sends you to login Microsoft.com Microsoft Online.com, whatever it is and then we'll redirect you onwards to an attacker controlled site so the link looks legit. All the people you've told to look at the links and only click on them, it looks believable because that's how we solve phishing. Can now be kind of tricked by this. And he makes, I think Luke Jennings the write up and he makes the point that if there was an arb redirect in office.com, where you could make it go somewhere then that would be bad. And this is basically the same thing where you just register an Azure tenancy, set up ADFS and use that to redirect people. So it's just another trick for redirecting, but it's one that's being used by phishers because as you say, they are creative and they find all sorts of interesting ways to do it. So. Yep, yet another one to look at and I guess another good reason why just telling users to, you know, think before they click isn't really that helpful when they're faced with tricks like this.

Patrick Gray

Yeah, I mean that's why like we are literally a push customer because of that. And we've got. I've also linked through to their write up which is called Introducing our guide to Phishing Detection Evasion Techniques. This is a guide written by Jacques for like security teams. So that's actually a pretty, pretty useful thing that I've that I have linked through to in this week's show notes. But Adam, that is actually it for this week's security news. Big thanks for joining us and yeah, I'll chat to you again next week. Week.

Adam Boileau

Yeah, thanks so much, Pat. I will see you then.

Patrick Gray

That was Adam Boileau there with A check of the week's security news. It is time for this week's sponsor interview now with Justin Kohler from Spectre Ops. And Spectre Ops of course, makes Bloodhound. This is both a community open source project and an enterprise software tool. And what it enables you to do is to enumerate the attack paths that are present in your organizations. Right. Directories are very complicated things and Bloodhound helps you to figure out like where the misconfigurations are, where the risks are in your directory, like permission structures. Right. So it's not like a permissions audit, it's much more graph based and it's very interesting. Now people have been using this against Windows stuff for a long time, but there's been a brand new release of Bloodhound and they've opened up the graph. Right. So it's like an open graph approach now and Justin's going to explain what that means. Essentially it means you can extend your attack graph analysis beyond just Windows directories and into really whatever you want. So this is most relevant to researchers and, you know, pen testers and whatnot at the moment. But obviously this is going to trickle down into, I'd imagine, pre canned analysis and pre canned approaches for different types of directories and credential stores. Anyway, complicated stuff to try to introduce, but I'll let Justin Kohler explain what is in the latest release of Bloodhound. Enjoy.

Justin Kohler

There's a lot in here. We broke it into three kind of components. One, usability. So like, how can I use it easier and faster and better. Two, how can I expand the use of it? So expand to new areas of the platforms we cover today. How can I integrate that data into other tools that I might use on my site? And then the last one that we're super excited is the announcement of Open Graph, which is the ability to model attack paths into brand new platforms. So beyond the Microsoft ecosystem that Bloodhound's really known for, we can now model attack paths in one password or Snowflake or you put fill in the blank.

Patrick Gray

Okay, so walk us through how that works. Right? Like walk us through how that would work in the context of like all of those things actually.

Justin Kohler

Yeah. So it traditionally when Bloodhound would ingest data, it was looking for Active Directory or Azure data. If you tried to send us something else, we'd just drop it on the floor because we didn't know what to do with it. That actually was problematic for two different reasons. One, it was horrifically complex to expand within the platform that we already covered, like to get a new active directory attack path in or an Azure attack path in. It was a monumental workload for our team to do so. And then it kind of prevented us from even thinking about expanding. But that was always the vision of, like, we've talked a long time about how attack paths are not a Microsoft problem. It's a complexity issue with identities.

Patrick Gray

Right.

Justin Kohler

And privileges.

Patrick Gray

Well, and it's inherent to any sort of directory. Right. Like, that's one thing I've learned from knowing you guys is like, this is not, this is not something that you can software QA your way out of.

Justin Kohler

No. And we, we, you know, the active directory was the easy button because that's how we took over environments for decades. But we abuse attack paths in AWS and in kubernetes, and you name it all the time. It's the same logic. But we've never had a way to model it. And so today, now we do. We've actually, we. We quietly released this two months ago, but we didn't talk about it because we have set our research team on it to see what they could build and what lessons we needed to learn before we launched it to the community. So that was like, you know, if you throw in custom data, how do we help you delete it faster or, you know, like clear that out without clearing out the rest of your data. The other, the surprising thing is people were able to build stuff really fast. Like Jared. No. So Jared's our cto. Jared's not the TYP Bloodhound user by any means, but he went from idea to attack paths in the graph for a 1Password instance within about 4 hours. It was insane. Like, we actually, yesterday we announced this right in. By the end of the day, somebody had already posted their proof of concept for an SCCM attack path that happens to be in Microsoft, but they used Open graph and the flexibility to do it ridiculously fast.

Patrick Gray

So help. This makes sense to me, right? Because one password, not a directory. I mean, it is a store of credentials with various privileges and whatever. But how do you actually pull that into an attack graph and like, make that make sense?

Justin Kohler

Yeah, so it's, it's incumbent on the researcher. So Bloodhound. This initial step into expanding beyond the Microsoft ecosystem is primarily focused on researchers, both internal and external. So external community contributions can be ingested. We have a query like a library of extensions for adding to the Bloodhound graph that we host on our documentation and then point out to GitHub. So we have examples for SQL 1 password snowflake. I can't remember what the last one is, but we have examples of how you would do this and we're incorporating any community submissions. But these are primarily researchers. So they define the model and of the attack path by saying this edge and like goes this direction between these two nodes and they supply all that in the JSON package they post up to the API. This might sound complex, but it's actually really not. If you're, if you, if you do any of this work or if you're a pen tester, you can start to model these attack paths very, very quickly.

Patrick Gray

Okay. Right. So what is proving? I mean this is very, very new. But what's proving popular so far? You mentioned like 1, you know, 1 password sccm, but that's still within Microsoft. Like what? Why don't you just tell us what does an SCCM attack path even look like, you know.

Justin Kohler

Yeah, well, the cooler one I think is SQL.

Patrick Gray

Then use that one. Let's go with the cool one.

Justin Kohler

One, not, not cooler. The one that we internally developed. I can, I can properly talk about that one.

Patrick Gray

Yeah.

Justin Kohler

So in SQL, the same directory problems like who has what role exists within the SQL system itself.

Patrick Gray

Yeah. Because that's not an active directory permission, is it?

Justin Kohler

No, it's completely housed within SQL. But ask any SQL DBA like who has the rights to do what. It's a choose your own adventure of how you would try to answer that. And so we just map all the permissions in our attack graph, graph model of SQL and just posted that to Bloodhound and it just took care of it for us. And the cool thing is is it hooks into any of your existing data. So if you build a model that relates, you know, this user is the same as this user in SQL in your attack graph, then you can go from a user in Active directory or Azure or whatever else you put in there to SQL and back and forth.

Patrick Gray

Yeah. So you can, okay, so you can wind up, you know, a concerning attack path. There, there might be if someone owns this help desk support user that can result in a compromise of the production database. Yeah, that's not great.

Justin Kohler

100%. And I think like, you know the cool thing like two years ago, right, the datadog team came out with qpound which was like the, their implementation of Bloodhound with Kubernetes attack paths and they did that, you know, they, they probably wanted to release their research and I, I'm not sure if I can talk about it, but they tried to do that in Bloodhound. Let's just say they had to build their own and they probably didn't want to because then they had to worry about the ui. They had to worry about like data management and stuff when they really just wanted to show the attack path research that they were doing in Kubernetes. So they had to build this other.

Patrick Gray

Separate system and then try to glue it to yours and whatnot. And I guess what you're saying is you've made it now easy just to do that.

Justin Kohler

Exactly. They couldn't glue it to ours. And the problem is, is like then you have a standalone system that doesn't understand the rest of your identity footprint. So like, you know, again, like you might harden Kubernetes. But talk to any of our infrastructure engineers, they're not necessarily worried about Kubernetes itself or AWS IAM roles itself. They're worried about the crossing of those things. So how are they misprovisioning IAM roles with Kubernetes and like those, those crossing of boundaries you might not be able to elevate within Kubernetes, but you can hop back and forth and elevate privilege as you go.

Patrick Gray

Yeah. I mean, I would imagine this substantially broadens your market. Right. I mean, because it has been just a, you know, very much a Windows focused product for a very long time.

Justin Kohler

Yeah.

Patrick Gray

And I'm guessing that there is a section of the market out there where they feel like they've got their Windows stuff under control. And there are, there are some organizations where that, that is the case. I mean, I would imagine most organizations that have been around for a while are going to benefit from running Bloodhound in their environment, but there's going to be some where they're like, this isn't really something where we're worried about, but this kind of opens it up to everybody. Right. Because even if your Windows directory is an all singing, all dancing, beautiful, you know, choreographed thing, all five of you. Yeah. Right. Because any more than five people and it's. And it's not. But even if it were like, you know. Yeah. You start pulling in other systems. Oh yeah. That hold any sort of privilege information that, that's. It's just never going to be, it's never going to be good.

Justin Kohler

And I do want to say like that's, that's really where we're going next year. You're going to see the things that Bloodhound covers natively expand greatly next year because of this capability we just unlocked. Again, this is primarily researcher focused. So pen testers and researchers and obviously if you have tinkerers within your enterprise that you know, want to bolt on things to Bloodhound, we have a few of those as customers. You can do that right now. But having it like a formal portion of the app where we have like supported data collection methods where you can just pull it in like kind of at a click of a button, that's like, we're probably talking early next year, but. Yeah, like what if you're an organization that uses okta either in combination with Active Directory or not, you know, now we can start to model that for you.

Patrick Gray

Yeah, right. So if you. Yeah, so even if you're multi SSO2, which a lot of organizations are, are.

Justin Kohler

Oh yeah, 100%.

Patrick Gray

Yeah. So I mean I, I imagine you see some really wild stuff like when it comes to merges and acquisitions and people like merging different directories and stuff, that's where you get all sorts of like horror. Horror. Horrible things coming out.

Justin Kohler

Yeah, like if you thought like trying to merge Active Directory domains together was hard, what happens when somebody doesn't even use Active Directory and you have to make those two companies work together and then like all the weird glue that you do to temporarily, temporarily in quotes, enable the business, but it never goes away and like now you just have all these like privilege links and attack paths that you've created. Yeah, we've seen it all.

Patrick Gray

So at this point this is like in Bloodhound community and Enterprise, but it's more of a research, research thing and then later on it's more pointy clicky part of the enterprise solution.

Justin Kohler

Absolutely. Yeah. So right now this is just going to be like a, in, in like a pipeline of just research that we will come in organically and we are using internally to expand our coverage beyond Microsoft platforms. But like people are really going to feel this starting next year. But like for the pen testing community, I mean this is a, a huge leap forward in their capability. Again, like we said yesterday, like we just saw some person from the community did it in hours.

Patrick Gray

Yeah, it's funny because I can like, as soon as I finish doing this interview, I'm sending it to Adam because he's going to, he's going to, he's going to really enjoy hearing about it because he was a big advocate for Bloodhound back when he was a pen tester. So look, this is a major release. This open graph was stuff. Yeah, sounds very interesting. What else have you released? Because as I say, it's a major, major, major release.

Justin Kohler

Yeah, absolutely. And all of this works together. So like for example, in usability, sometimes like we represent things in graphs, right? Like path from A to B. But sometimes a graph isn't really useful. So I'll give you an example. If you're looking for, let's say something super simple. Users who haven't reset their password or identities that haven't reset their credentials in the last five years, that's pretty bad. But you don't want to graph. You don't want like nodes on a canvas to click through. You want to take table and drop that to CSV. So we added that. That's been something that people have wanted for a long time. We added new integrations for ServiceNow and Duo. So if you want to take that information and put it into the systems that you use to remediate attack paths at scale, you can. We also cover Azure Privilege Identity management or PIM roles. So a lot of people use this. You should. If you're an Azure Entra ID customer, you don't permanently assign access. You add people as eligible to give themselves that role when they need to. Hopefully you're using that in combination with conditional access and mfa. But what we found is you don't. And so we cover all the different like con, like levels of maturity there so we can identify if somebody's not going through conditional access or does not have MFA enabled.

Patrick Gray

Yeah. Wow. This is, you know, this is much bigger.

Justin Kohler

Yeah, there's, there's a lot. I mean, honestly I'm, I'm, I'm scratching the surface here and alongside this too, there's all these cool things we can do on the technical side. But a lot of people have asked us like, how do you operationalize this program? Because again, like attack paths are kind of this new thing in security or identity attack paths like everybody's used to like patching systems and hosts.

Adam Boileau

Right.

Justin Kohler

But what do we do for an identity that's misconfigured? We have a huge state of attack path management report that we released alongside this and a maturity model model so teams can like understand how we've either helped or seen other companies adapt this internally and the different levels of maturity that you can do and like intertwine that data with other, other teams.

Patrick Gray

Excellent. Well, I will be sure to drop a link to that report into this week's show Notes. You know, this is a cool release. This is a very cool release. Congratulations. Justin Kohler, thank you for much for joining us to walk us through it and I wish you the best with it.

Justin Kohler

Thank you.

Patrick Gray

That was Justin Kohler there from Spectrops. Big thanks to him for that. And big thanks to Spectrops for being a risky business sponsor. And that is it for this week's show. I do hope you enjoyed it. I'll be back next week with more security news and analysis. But until then, I've been Patrick Gray. Thanks for listening.