Risky Business #805 Summary
Podcast: Risky Business
Host: Patrick Gray
Co-Host: Adam Boileau
Date: September 3, 2025
Episode Overview
This episode dives deep into two major themes:
- The Salesloft/Drift Cloud Token Breach and the Era of "OAuth Soup": Examining how interconnected cloud auth systems can create cascading risks for organizations, using the Salesloft breach as an example.
- The Changing Security Landscape: Cloud Attacks, APT Contractor Attribution, Ransomware Evolution, and AI’s Influence on Cybersecurity: Covering global attribution of Chinese contractor cyber activities, nuanced escalations in cyber conflict, the fragmentation of ransomware, and how AI is shifting the security poverty line.
The show also includes a sponsor interview with Ed Wu (Dropzone) about the democratization of security via AI.
Key Discussion Points & Insights
1. Salesloft/Drift OAuth Breach: "OAuth Soup" & Cloud Risks
Breach Overview
- Attackers accessed Salesloft's stored OAuth tokens, which allowed third-party integrations with services like Salesforce, Google Workspace, S3, Azure, and OpenAI.
- Resulted in exfiltration of customer data from multiple major clients, including Palo Alto Networks, Zscaler, and Cloudflare.
- [02:04] “The attackers stole OAuth authentication tokens, bearer tokens that were that Salesloft were holding on behalf of its customers... and then started rummaging around to see where that would get them.” – Adam Boileau
- [03:13] “Including Workspace, S3, Azure and OpenAI. I mean, I don't know why you'd be integrating your website chat AI chatbot with these things, but... I'm not an enterprise guy, I guess.” – Patrick Gray
Complexity and Challenges ("OAuth Soup")
- Third-party cloud services create a web of trust relationships that's hard to monitor and audit.
- Proper scoping, storage, and revocation of cloud tokens are tricky and not always possible for customers to control.
- [03:40] “It's a pretty, you know, it's a twisty, turny maze of cloud auth. And this is a thing that we have, you know, kind of expressed some concern, dismay, you know, head scratching about...” – Adam Boileau
- [04:55] "If you were able to...run like a bloodhound, but OAuth against all of the relationships...that's going to be a horror show." – Patrick Gray
Vendor Responsibility and Token Handling
- Cloudflare notably accepted blame, stating that the supplier's breach is still ultimately Cloudflare's responsibility.
- [05:22] “We chose a supplier, that supplier had a security issue, that has issues for our customers. This is ultimately on us because we chose the supplier, we own the data, we take responsibility for it.” – Adam Boileau
Industry Controls (or Lack Thereof)
- Existing controls (crypto-bound tokens, logout/universal sign-out, IP restrictions) aren't widely adopted or are impractical with dynamic environments.
- [07:31] “There absolutely are some controls you can use...But...OAuth and federated authentication and this kind of like inter cloud authentication, there's so many nuanced moving parts. And as a customer you have very little control over how your vendors implement these technologies...” – Adam Boileau
- Customers' limited ability to enforce identity and access controls on SaaS vendors remains a persistent problem.
- [09:13] “The only way that the SaaS companies are going to do this is if you start putting it in your procurement documents.” – Patrick Gray
Systemic Risk
- Vendor chains and cloud auth relationships create the potential for broad, cascading compromises, especially in complex or acquired environments.
- [10:19] "To improve this ecosystem, all sorts of people kind of need to be able to move in lockstep... it's a real soup and changing your soup after you've made it, it's kind of difficult." – Adam Boileau
2. Global Threats: APT Contractors, Attribution, and Escalation
Attribution of Chinese Contractors ("Salt Typhoon")
Key Facts
- U.S. and allied agencies (NSA, FBI, ASD, etc.) released a detailed advisory, naming multiple Chinese contractor companies engaged in APT work (e.g., Sichuan Juxing, Beijing Huan Yu).
- These contractors were linked to large-scale telco intrusions, specializing in operations useful to state surveillance.
State vs. On-Spec Operations
- Clarified: The highlighted activities were state-directed, not contractor “on-spec” freelancing.
- [12:17] “Is this on spec or is this state directed? And I'm told that, you know, in this case this is state directed activity.” – Patrick Gray
Security and Ethical Implications
- Unlike Western services, where contractors require approval to "exercise state authority," China outsources this to commercial entities.
- [14:39] “There is a reason that Captain Camo needs to hit enter when you're trying to run Metasploit.” – Patrick Gray
What Should the Western Response Be?
- Tools: Arrests, sanctions, hack-back (destroying or disrupting contractor networks).
- Escalation Risks: Direct retaliation against contractors unlikely to provoke full state escalation, but the line is blurry.
- [18:06] “If you burn one of these contractors...I don't think the Chinese government would view it favorably if they then responded by going and doing the same thing to a US government agency...” – Patrick Gray
- [19:48] "You can totally see it would make sense to go hack back, delete their stuff, try and make their lives as difficult as possible..." – Adam Boileau
Private Sector Offensive Operations
- Google’s proposed “disruption unit” reflects a trend towards public-private, potentially offensive operations (akin to “cyber letters of marque”).
- [23:01] “There's absolutely a continuum between... burning their tools... through to disrupting infrastructure proactively. ...We don't know exactly what Google's talking about, but...” – Adam Boileau
- [24:55] “The fact they're saying anything at all about it is a change from, you know, some years in the past.” – Adam Boileau
3. Ransomware: Fragmentation and Cloud-Native Threats
Ransomware Group Fragmentation
Small Gangs, Many Targets
- Law enforcement and intelligence operations have splintered major ransomware-as-a-service groups, driving proliferation of smaller, less capable criminal teams.
- [27:16] “Allan Liska ... said that it's now incredibly dangerous to be a large ransomware as a service group. And that was really the point of these takedowns...” – Patrick Gray
Metrics and Progress
- The number of active groups has increased, but effectiveness and impact per group are reduced.
- [28:49] “We have long talked about disrupting the kind of like trust in the marketplaces ... introducing friction, that was part of the whole point of this and that feels like it's been successful.” – Adam Boileau
Example: Sweden Municipal Ransomware
- Single-vendor compromise affecting 70% of Swedish municipalities via HR software vendor.
- [29:31] “a pretty niche vendor, but one that is dominant in its niche being a great target for this type of ransomware...big impact across a whole country like Sweden.” – Adam Boileau
Cloud Ransomware: Microsoft Storm-0501 Analysis
Attack Evolution
- Group formerly focused on on-prem ransomware now pivots to cloud-native attacks.
- [31:54] “This is just top tier right up here. ...They’re copying out all the cloud data and then burning the actual cloud instances, including the backups, and then ransoming that data back...” – Patrick Gray
Defense Complexity
- Even with solid security practices, variations across organizational units (e.g., post-M&A fragmentation) create weak links.
- [34:41] “Once you glue them all together in one intro or one...set of interests that are connected together...you end up inheriting...the weakest link.” – Adam Boileau
Cloud Backup Risks
- Attackers managed to enumerate and disable backup protections, or, where not possible, they simply encrypted data in place.
- [33:38] “They were actually able to enumerate all those and then wherever possible, disable them so that they could then actually delete the data. And then when they couldn't delete the data, they resorted to encrypting it in place.” – Adam Boileau
4. AI and Cybercrime: Double-Edged Sword
AI Accelerates Ransomware Development
- AI-generated ("vibe coded") malware increases attack velocity, even if quality is erratic.
- [36:47] “If you're doing crime, vibe coding is even better than if you're like doing normal software because it doesn't have to be resilient...” – Patrick Gray
AI Democratizing Security Operations [Sponsor Segment: Ed Wu, Dropzone]
- AI-powered T1 SOC tools may let even small organizations afford 24/7 coverage and basic threat hunting.
- [48:24] “GenAI and such as technologies we're building should really allow [small orgs] to up level and get to a place above the poverty line... organizations with 200 employees or 50 employees should still be able to get 24/7 alert coverage.” – Ed Wu
- Managed security providers (MSSPs) see improved margins from AI but may face “margin compression” as AI-powered rivals emerge.
- [54:30] "It always has been a labor cost plus margin business....those days are numbered." – Ed Wu
Blurring of Product and Service
- The line between AI security products and security services is increasingly unclear.
- [56:44] “Product and service at this point, it's not binary, it is a spectrum...” – Ed Wu
Limits of AI Automation
- IR/Tier 2/3 depends on organizational context and experience, which AI cannot (yet) replicate.
- [59:49] “What makes IR and Tier 2 and Tier 3 work difficult is actually not about raw intelligence. ... It's actually experience and organizational context.” – Ed Wu
5. Additional Noteworthy Stories
Apple and UK Data Disclosure Laws
- UK technical capability notice forced Apple to modify iCloud data retention/access features for British users.
- [39:58] “Now, we've got a write up from the Financial Times ... which includes... more data, not just data covered under ADP... would suggest that we were right [in previous analysis]...” – Patrick Gray
Spyware & Zero-Days
- WhatsApp and Apple patched exploited zero-days involving device sync and image handling.
Australian Workplace Surveillance
- Report of employer using software to eavesdrop on remote workers via laptop mics—likely illegal under AU law.
- [43:23] “Safe Track was using software to listen to its employees through their microphones... as far as I understand it, this is really illegal in Australia...” – Patrick Gray
Scam-Busting via YouTube "Scambaiters"
- YouTubers' documentation of money mules played a key role in Dept. of Justice takedowns.
- [45:10] “Scammer Payback and Trilogy Media... were looking into money mules... and some of that footage ended up being...critical [evidence].” – Adam Boileau
Notable Quotes & Memorable Moments
- [05:22] “We chose a supplier, that supplier had a security issue ... This is ultimately on us because we chose the supplier, we own the data, we take responsibility for it.” – Adam Boileau
- [11:02] “Changing your soup after you've made it, it's kind of difficult, right?” – Adam Boileau
- [12:17] “Is this on spec or is this state directed?... in this case this is state directed activity.” – Patrick Gray
- [14:39] “There is a reason that Captain Camo needs to hit enter when you're trying to run Metasploit.” – Patrick Gray
- [18:06] “If you burn one of these contractors...I don't think the Chinese government would view it favorably if they then responded by going and doing the same thing to a US government agency.” – Patrick Gray
- [31:54] “They're copying out all the cloud data and then burning the actual cloud instances, including the backups, and then ransoming that data back...” – Patrick Gray
- [36:47] “If you're doing crime, vibe coding is even better than if you're like doing normal software because it doesn't have to be resilient...” – Patrick Gray
- [48:24] “GenAI ... should really allow [small orgs] to up level and get to a place above the poverty line.” – Ed Wu
Timestamps for Key Segments
- Salesloft/Drift Breach & "OAuth soup": 00:03 – 11:02
- Chinese Contractor APT Attribution: 11:02 – 18:06
- Escalation Options & Hack-Back Debate: 18:06 – 24:55
- Google 'Disruption Unit', Letters of Marque: 23:01 – 25:48
- Ransomware Fragmentation, Sweden Attack: 25:48 – 30:10
- Microsoft Cloud Ransomware "Storm-0501": 30:10 – 34:41
- AI and Ransomware, AI's Role in Security (Sponsor Interview): 36:47 – 61:25
Episode Flow
- Straight into dense security news discussion, skipping fluff;
- Layered, realistic breakdowns of current security events with a focus on real-world challenges;
- Engaging, practical commentary on the reality of defending in the current technological, threat, and vendor environment;
- Sponsor interview adds a practical angle to future-facing AI security tooling discussion.
Conclusion
This episode reveals the increasing complexity and interconnected risks in cloud and SaaS environments—showcased by the Salesloft breach—and how attackers are exploiting these amorphous boundaries. It also provides a grounded look at the ransomware landscape (fragmenting under pressure) and debates the contested frontier of offensive cyber operations, both state and corporate.
The sponsor segment provides hope that AI might narrow the security gap for smaller organizations, but with limits: true expertise remains stubbornly human and contextual.
For security professionals, this episode delivers both actionable threat landscape insight and realistic perspective on what technology (AI and cloud) changes—and what it does not.
