A (3:13)

Yeah, well, I mean, not a breach in the customers, a breach in the breach of the accounts that they use. Right, so we've got to be kind of clear in the case of Salesforce Data. But, but as you pointed out, I didn't even ment mention this. It looks like, yeah, other services, there were tokens for other services as well, including Workspace, S3, Azure and OpenAI. I mean, I don't know why you'd be integrating your website chat AI chatbot with these things, but you know, I don't know, I'm not an enterprise guy, I guess.

B (3:40)

I mean, cloud oauth is difficult and I think, you know, that's, you know, sort of big picture. That's one of the interesting points of this, you know, kind of this whole episode is doing authentication between third party cloud systems and scoping that authentication properly, storing it robustly, handling it safely. Like there is something for kind of everybody in the story. Like there's something for Sales Loft as a cloud company holding sensitive auth tokens for their customers. There's something for those customers choosing who they integrate with and what the impact of a breach of that vendor is. And then there's the downstream customer customers, the people who are using services from say Cloudflare, which is one of the organizations that was involved in this, you know, customers of Cloudflare who are interacting with support ticketing systems at Cloudflare that are integrated with Sales Loft, which have now been stolen. And that in sometimes in some cases includes tokens for access onwards into people's Cloudflare services. So it's a pretty, you know, it's a twisty, turny maze of cloud auth. And this is a thing that we have, you know, kind of expressed some concern, dismay, you know, head scratching about, you know, over the last couple of years as we talk about the cloud Future.

A (4:55)

Now, I know, you know, Bloodhound, they have like the open graph now. I sort of wonder what it looks like when you start throwing in all of these OAuth relationships into something like, you know, a Bloodhound graph and what it looks like, because I have a feeling that if you were able to automagically run like a bloodhound, but OAuth against all of the relationships, the OAuth relationships that touch your company and every account in your company, that's going to be a horror show.

B (5:19)

Right?

A (5:20)

I think this is just a great example of that.

B (5:22)

Yeah. And I think that, you know, if anything was good for, for those guys to go sell their, you know, cloud version of Bloodhound, like, this is probably a great example of understanding what your exposure looks like and modeling these relationships because it is complicated and, you know, kind of, I think so. Cloudflare was one of the companies that ultimately had data breached in this process. And they had a blog post where they've written up their experience of it. And one of the things I really liked about Cloudflare's write up of this is like, upfront, they say, we chose a supplier, that supplier had a security issue, that has issues for our customers. This is ultimately on us because we chose the supplier, we own the data, we take responsibility for it. And, you know, there's lots of places that are very quick to say, well, this was a third party something, something, it wasn't our fault. And I think Cloudflare, you know, for once doing a good thing and actually, you know, taken ownership of it. They, in their write up, they went through and looked at the attackers interacting with Cloudflare systems after they had got access to data and doing things like finding tokens in the support history and then seeing whether those had been used against Cloudflare's infrastructure, rotating them, all that kind of thing. So, like pulling that thread. So, yeah, I mean, kind of good work there too.

A (6:43)

Well, yeah. There's one funny thing they said though, which is they're going to do weekly rotation of these sort of things and I don't really know what that would have got you in this case, if I'm honest. You know what I mean? Like, and we still don't know how sales, these Salesloft tokens went missing, whether or not it was some social engineering thing or a different token that got into the token store or, you know what I mean? Like, there's a lot we don't know here, but as you point out, like, it looks like it was some sort of Comm affiliated, Shiny Hunter, you know, something in that whole mix and probably they're just going to try to ransom these companies to delete the data. But it doesn't look like it's super sensitive data. Named companies affected include Palo Alto Networks and Zscaler and whatnot. But yeah, it's, it's certainly a big story this week and as you point out, it's an interesting one just for the OAuth soupiness of it all.

B (7:31)

Yeah, yeah, exactly. And we were actually, we were chatting about this in our Slack earlier on today and Brett Winiford used to work at Risky Biz now at Okta, popped up to say, well, maybe they should be using this particular obscure OAuth extension that lets you bind key usage so that they can only be used from certain places. And we got quite a good conversation about that because there absolutely are some controls you can use to try and prevent this kind of token sprawl and so on. But you know, OAuth and federated authentication and this kind of like inter cloud authentication, there's so many nuanced moving parts. And as a customer you have very little control over how your vendors implement these technologies as well. So like trying to do it right might be possible. But you know, from a technical point of view there might be, you know, you can like cryptographically bind these things so that you can't just steal the tokens. You have to also be, you know, access to the key store. That's blah, blah, blah, blah, blah. There's a bunch of stuff. But making this actually happen in the real world, you know, it's, it's, there's, there's a lot of complexity here.

A (8:40)

I mean, Octa has done minor sponsorships here and there of Risky Biz over the years. And I remember once having their chief architect on the show and you know, this architect was begging CISOs to include in procurement documents that the SAS vendors that they were using had to have like the, you know, the logout features included in their apps because they built all of these wonderful features where, you know, you've got universal sign in, you know, like one touch sign in, but no one touch sign out.

B (9:13)

Right?

A (9:13)

He's like, we've built it, please. The only way that the SaaS companies are going to do this is if you start putting it in your procurement documents. So I think there's, you know, you, you've got limited options in terms of what the IDP can do here and then you've got some sort of old world controls that we were talking about like IP restricting the ranges where these things can be used from. But you know, as you point out, everything's so dynamic now with machine to machine, even with machine to machine right in the cloud that like the IPs where these tokens are going to be coming from, like it would not be unusual if they change. Like one of the reasons we use these tokens is so we don't have to have that old school type of machine to machine trust. Right? So this is not an easy thing to fix. And you know, it's something that I've been, you know, frankly crapping on about quite a lot over the last, you know, five years which is just like this Oauth stuff is hard, like it's not that observable. Do you know what I mean? It's not really. There's only so much you can do as a customer because there's only so much of it in your control, which is what we're talking about now. And yeah, anyway, it's an interesting story.

B (10:19)

Yeah, it really is. And to change it like to improve this kind of ecosystem, all sorts of people kind of need to be able to move in lockstep, right? IDPs have to implement new features. The things that consume applications that rely on an IDP have to update how they for example handle controlled sign out and then people who are giving out tokens like the actual end users, like okay, we need to constrain these tokens to have only these behaviors or only to be usable in this context. So everybody needs to improve, you know, kind of in lockstep but at the same time these are all different organizations, different companies. Like it's a real, you know, it's a real soup and changing, changing your soup after you've made it, it's kind of difficult, right?

A (11:02)

Yeah. I mean people would normally say unmaking the omelette, but unmaking the soup. Sure, let's go with that. Unmaking the soup. All right, so the other big news that happened over the last week is there's been a massive advisory released by a whole bunch of different agencies. Let's see, we've got nsa, cisa, FBI, the Department of Defense, Cybercrime Centre, asd, the Canadian Centre for Cyber Security, the Canadian Security. Anyway you get the idea but it's NCSC as well. Like everybody, the bnd and it's an attribution document around Salt Typhoon and a roundup of a bunch of the stuff that Salt Typhoon have been doing. The most notable and interesting thing here is the advisory names a bunch of Chinese contractors. So the Sichuan Juxing Network Technology Company, the Beijing Huan Yu Tian Kyong Tianchong Information Technology Company and the Sichuan Xishin. I don't even, I can't even guess at the pronunciation of that one. Ruji maybe Network Technology company. The point is these are these contractors that we're increasingly seeing talked about that are doing a whole bunch of apt like activities, right? So we saw Sophos go after one of them, for example, and they just keep popping up. And it looks like Salt Typhoon is a contractor operation. I did reach out to a few people and my big question was, well, we know contractors are doing this. Is it on spec? And that's a journalism term actually on spec is when like a freelance journalist will write a story before having an editor who's agreed to buy it. So in this case it would involve collecting a bunch of intelligence and then trying to sell it. And we know that some Chinese contractors do that. So I asked around, I'm like, you know, do we think this is on spec or is this state directed? And I'm told that, you know, in this case this is state directed activity. So this is the contract is being asked by the government to go and get it. But this is interesting for a number of reasons. But before we get into what I think about it, what do you think about this?

B (13:04)

Well, I think it's, it's good to have some clarity because this is the set of intrusions that was breaking into telcos all over the place. And you know that, you know, telcos have access to so many things. There's many reasons why you want to break into a telco. So seeing, you know, getting some understanding of who was behind it and I think, you know, the fact that it was private companies, you know, a speaks to the range of expertise you can buy in the, you know, in the, you know, the commercial market in China. Like pretty good at this whole capitalism game. But also what you can do once you're in a telco is just less useful to private companies and more useful to governments because you can use it for tracking people, you can use it for identifying how your other operations are being looked at by looking at traffic flows and monitoring. And we saw intrusions into lawful interceptee systems for understanding counterintelligence. There's lots of reasons that governments love breaking into telco. So farming out in the private sector is quite interesting in that respect. So that's fun. There's also the like, there's a bunch of technical details here about how they were doing it, how they were hiding their activity inside the telco routing environments and frankly doing some stuff that, you know, I like. Telco networks. I've broken into telco networks. There's some bits and pieces in here that are like, I don't know that I would feel comfortable doing that live on a telco's network. Like there's a little bit more config, changey, you know, plumbing stuff around, you know, turning on packet sniffing and network spanning and then pumping it up and down tunnels around the place. Like there's a little more, you know.

A (14:35)

They'Re a little bit yellow I think is what you're saying.

B (14:39)

Feel comfortable?

A (14:40)

Yeah, they're not being careful. Although you don't forget that when Syria lost Internet access at one point, everybody thought it was because Bashar Al Assad, you know, shut down their big Internet gateways. This is a long time ago now. But it turned out, as far as I know, like I think this leaked eventually. But it turned out it was like a misfired implant that someone at Cyber Command, like they rebooted it just didn't come back. And that was, that was a bit awks. I heard that was a fun day in the office. But you know, but that's the exception, I guess, because they're, you know, generally the western services are much more careful not to do things like that. Doesn't always work out, but they are more careful. But you know, what's interesting here to me is, you know, I talked about how some of these contractors, like Isense was the big one where there was a data breach. And we learned a lot about these Chinese contractors thanks to that. Oh, Isoon, sorry, Isense. Not to be confused with Isense, the reputable security company, which was that Alex Thomas one? No, that was isec. Anyway. Yeah, yeah, yeah, so ISEC partners. But look, when something's on spec, and I believe that these contractors may actually do on spec work as well. When it's on spec, it's not an exercise of state authority. When it's a contractor, it's not an exercise of state authority. It's just cybercrime. Right. Which is, which is, you know, something that we really need to think about here. Now, I remember having a conversation with a couple of contractors in the United States who'd worked at Fort Meade. I'll just say it right, they'd worked there and they had expressed frustration to me that every time that they were going to do certain things like run a command or you know, whatever, they had to stick their hand up and get the guy with camo to come over to their workstation and hit enter, right? And they did not like this. And they said, well, you know, contractors should be able to do more. And I'm like, no, the reason the guy in the camo needs to hit enter is because. Because he is or he or she is exercising state authority and you actually need to be working for the state to exercise state authority. And what was interesting about that conversation is I wound up turning these guys around, which was it's rare when you can convince someone because they were like, contractors need to be able to do more. And ultimately, the way I turned them around, I said, say you've got a contractor, you know, working for nsa, say, right, doing ops. Say there's an opsec slip up, right? Is the boss going to report that if it's a minor OPSEC slip up, or are they going to bury it because it risks their bonus? And this is the thing. This is just one of the many, many problems with outsourcing these sorts of operations, Right? And China no doubt is bumping into these issues already. But there is a reason that Captain Camo needs to hit enter when you're trying to run Metasploit. So there's good reasons for that. Now, the other interesting idea here is what do you think should be the Western response to these Chinese contracting firms who are doing this sort of stuff? Adam?

B (17:32)

Well, that's a great question. The traditional would be, well, I mean, if they were cybercrime groups, we would, you know, try and arrest them through multilateral law enforcement. You know, it's clearly not a thing when it's in China, then you've got sanctions and other kind of like financial mechanisms to try and make doing business. You know, like, let's not sell them Nvidia GPUs. You know, there's things like that you can do. But when it's, you know, kind of half state directed, but also, you know, private sale, it gets a little bit complicated. At the very least, they probably can't go to Disney World. So, like, there's that at least.

A (18:06)

Okay, what about torching their networks? Now, I'm going to give you the, I'm going to give you the case for. And the case against the case for is you're going to make their life a lot harder. You're going to slow them down, right? If they all of a sudden understand that they're operating an environment where if they get detected, they get shelled and RMRF'd and everything gets burned down and they have to rebuild and it Takes them offline for a week, right? That's going to slow them down. Now, it's not going to stop them, but it will slow it down. Now, an argument against it is this could be escalatory because currently, once they're getting into a telco, getting what they need, they're not burning it down on the way out. So would they.

B (18:45)

Other than all of the, the. What was the male gate? Barracuda. Other than all the barracudas, where they did.

A (18:55)

Well, they didn't burn them down. They just. They just went deeper. Right, Like, I see what you mean. They made a mess. Yeah, yeah, yeah, yeah, they made a mess. So could it be escalatory? Right. And the answer is yes. But here's why I think it doesn't matter, because if you burn one of these contractors, say you just, you detect them doing salt typhoon stuff, you go in, you RMRF everything, you make their lives miserable, steal a bunch of data, put it out there as torrents, right? Just really make their life hard. I don't think the Chinese government would view it favorably if they then responded by going and doing the same thing to a US government agency. I think that's the escalation risk. It would be entirely up to them whether or not this escalated into a proper, like I'm going to say it, cyber war. What do you think?

B (19:48)

I mean, yeah, I mean, we, we burn their tools, right? So if we, you know, we went to this like a few years ago when the US started like dropping attacker tooling on, you know, on GitHub or whatever, so that they would be forced to have, you know, their tooling ripped out from underneath them, and they'd have to go reinvest in tooling. And that's kind of like similar sort of thing, but without the sort of quite as much aggro, you know, into their network's ness. But I mean, you can totally see it would make sense to go hack back, delete their stuff, try and make their lives as difficult as possible, pull that thread as far as you can to maximize the costs that you're imposing, you know, Then you've got to ask like, well, why don't we access the building control systems and torch that and lock them all in their building so they can't go to the bathroom anymore, you know, or we go, you know, I mean, I've been, I've gone back to playing cyberpunk the video game lately. It's like, maybe we need some bad ice that'll burn their brains out, you know, while they're trying to hack us. So you know, you've got a range of options. And you know, I know that I've broken into building access control systems and been in a position to lock people in their incident response room and it is kind of tempting to say, well what are you going to do now when you can't leave? But you know, health and safety and liability insurance means we probably can't do that. But you know, maybe the, the US Gov could in fact do that. And yeah, as you say, I think the escalatoriness of it is overcorrected for because we're already, you know, things are already pretty escalatory around here and like, you know, they were already hacking all the telcos, you know, China's already hacking US telcos and pre positioning for everything else. Like, you know, how much further can they escalate without it actually, you know, getting real?

A (21:30)

Yeah, I mean it's, yeah, that's what I wonder as well. I'm like on one, you know, on one level it's like it seems like an escalation risk but then you game it out and it's like, I don't actually think so, I don't think so. And we've got a White House at the moment that is, is getting serious about being much more aggressive. They're talking about how they want to be much more offensive. You know, Tom Uren, our colleague has written about how like, look, that's good, do that, but that's not going to solve problems like, you know, the court system getting hacked. Like, you know, you can't offsec your way out of everything. But it doesn't mean you shouldn't do it. And I think certainly in this case, I reckon a little bit of hound release might, might make sense. You know, if they're looking to adopt a more offensive posture, I think these, these contractors would be a great place to start. Now, speaking of getting a little bit more offensive, Google is talking about launching what they're calling, I guess a disruption unit, which is interesting. It's a little bit unclear exactly what they mean by this, whether or not it's about, you know, lawful takedowns or whatever, or whether they're just going to YOLO it. But we got a piece here from cyberscoop that quotes Sandra Joyce, who's the VP of Google's Threat Intelligence Group. I've met Sandra. Honestly, I think we could probably solve the ransomware issue by giving her a parachute and a pistol and like kicking her out of a plane over Russia. She's a Hard charger, very smart woman. And. Yeah. Anyway, what did you make of this? What exactly do we know about what Google's trying to do here?

B (23:01)

So they're a little bit vague about it. And there is absolutely a kind of a continuum between taking down, stopping ongoing operations that you detect in flight by burning their tools or burning their intermediate boxes through to like, you know, kind of disrupting infrastructure proactively. So when you see domains getting set up, maybe you can go take those domains and if you see C2 systems, you know, standing up, you can maybe go get those shut down somewhere to try and interfere with operations that are in the process of standing up. And then there's the kind of like the sort of thing that some of the threat intel companies like to do where you actually, you know, go hack into those C2s and you pull the threads to identify victims, you head back towards their workstations, towards their, you know, or networks, whatever other infrastructure you can get to behind that. Once you're starting, once you are willing to start doing crimes. Right. Breaking the law and hacking stuff. And so, like, we don't know exactly what Google's talking about. We're on that spectrum. And, you know, certainly when you've read, when you read some of Google's other attributions over the years, you do get a sense that there's probably a bit of shell popping going on somewhere like that. They'll of course deny it, but that's crazy talk.

A (24:11)

What are you talking, Intelligence people, Popp shells. It never. It. That doesn't happen.

B (24:18)

Yeah, but it does feel like with the US Administration being a little more willing to consider this and, you know, Tom's conversation about, you know, cyber letters of Mark where, you know, private organizations would get a license to be able to go do, you know, what would otherwise be crimes or, you know, the kind of offensive hack and that, you know, and I think if anyone was going to be doing it, Google is pretty well equipped both in terms of people in reach and whatever else to be out there on the, you know, the pointy end of the, you know, the letter of Marx spear. So we don't know exactly what they're up to, but, you know, the fact they're saying anything at all about it is a change from, you know, some years in the past.

A (24:55)

Yeah. It's interesting, though, because we're just talking about the disadvantage of contractors for state work. Well, yeah, yeah, yeah, right. But I guess, you know, letter of Mark to target, like, ransomware people, it feels a little bit different, doesn't it, you know, like that's. Is that a. Is that a little bit.

C (25:10)

Yeah.

A (25:11)

Is that a state authority that it's okay to farm out? And like, maybe.

B (25:14)

I don't know, I mean, in the era of piracy, I guess we decided that it was and then, you know, maybe now in the era of computers we can decide that as well. But it certainly is very interesting. The contrast, the, you know, the centrally managed, kind of like almost, you know, command economy approach that the US has to doing cyber versus the very free market, you know, capitalist approach that the Chinese have, which is kind of, you know, ironic in a way. But, you know, I think everybody's got a little bit to learn from everybody else in this about, you know, how to approach these things.

A (25:48)

Yeah, I mean, we've long joked that it's free market communism. Right. It's a joke in China. But anyway, now let's have a bit of a chat about ransomware because John Greig over at Recorded Futures, what is it? The Record masthead has written an absolutely cracking feature. Actually. I think this is a, this is a terrific write up and really it's talking about the way that the ransomware ecosystem has splintered and just the number of groups out there has just, is just really proliferating. And there's a great quote in here from Alan Liske from Recorded Future, who said that it's now incredibly dangerous to be a large ransomware as a service group. And that was really the point of these takedowns and various actions of law enforcement with assistance from, you know, sigan agencies and whatnot. So, you know, it's, it's. Look, it's just a great write up about where we are. The story is quite balanced on, I guess what this means, you know, because it's saying that ransomware is kind of up and that's the number of new groups that are, that are proliferating that's sort of responsible for that. I read this though, and I feel like this is a positive development. I think once you've knocked out the ability for these groups to kind of scale and they're splintered off into these little different groups and they're using sort of recycled old ransomware source and whatnot, I feel like that's actually progress. Even if the numbers might be bad at the moment, I do feel like this is progress.

B (27:16)

Yeah, I'm inclined to agree with you here. I mean, it's very easy to kind of choose the numbers to support the story you want to tell. And like number of ransomware groups is a Great example of a metric that's, you know, maybe looks like it's going up, but you know, the amount of money being brought in, a number of people involved. There's lots of ways that you can kind of look at this when you.

A (27:34)

Can'T even, you can't even measure impact on money or headcount of organization. And you know, criticality is like such a rubbery thing, right? Like. Yeah, yeah, yeah.

B (27:41)

No, it is, it is. It's difficult to kind of come up with sensible metrics. And so there's quite a lot of vibe in here. And that's, you know, the vibes feel good. Look, as we've been, you know, we've long talked about disrupting the kind of like trust in the marketplaces of just in time crime pipelines that these kind of groups use where they're buying initial access from one people and using ransomware and farming out the money laundering to someone else and all those kinds of things, like introducing friction, that was part of the whole point of this and that feels like it's been successful. And one of the points that this piece makes is that ransomware groups that are big are now having to much more tightly control who they're willing to work with as affiliates or as suppliers or whatever else, because they're being infiltrated by threat intel groups and law enforcement and whoever else. So they have to be much more restricted. Which means there's a whole swathe of actors that want to be in the game but can't get into one of the premium groups and then have to go use recycled code, lower quality stuff, more vulnerable stuff, you know, things that have, you know, bad crypto or whatever else. So all of this cost in, you know, imposing feels like it's kind of working, which is great.

A (28:49)

Yeah, it is. And I'm guessing there's still a few vulnerable points that they can press on, right? Like in the money laundering supply chain, I'm guessing a lot of these people, they're not getting paid. Right. They might even be collecting ransoms, but good luck turning that into cash. Right? So I just think, you know, you, you've heard me describe it as mowing the lawn, right? It's not going to be a one time thing. I feel like the lawn is, is still a bit woolly, but it's, it's, it's, you know, getting a little bit more under control. The giant weeds have been removed. Man, I'm really stretching that metaphor a little bit too far. But look, speaking of ransomware, Alexander Martin, also at the Record, has reported that something like 70% of these municipal governments in Sweden have been ransomware. And that's causing some drama there.

B (29:31)

Yeah, this was a shared service provider that provided like some kind of HR function, like managing sick leave, I think was one of the examples. So they got compromised and ransomed and that has impacted, you know, employee data from Swedish municipalities and also availability of these services at Swedish municipalities all over the country. And it's a great example of a, you know, a pretty niche vendor, but one that is dominant in its niche being a great target for this type of ransomware because you have big impact for, you know, relatively, you know, I'm assuming one kind of, one relatively straightforward hack. But you've got, you know, big impact across a whole country like Sweden. Lots of people to go and shake down for money.

A (30:10)

Yeah, yeah, that's it. Now, staying with ransomware. And this is a fantastic write up from Microsoft about a group they call Storm 0501, which is the cloud ransomware stuff they're doing. And this is just top tier right up here. I think if there's one thing you would want to read that we've spoken about this week, this would be it. And I mean, it's tr. It's a tragedy too, because you get the impression that the target in this instance was actually doing some stuff, right? Like there's a great section where they talked about how they had some creds, but they couldn't get into the entra tenant because there were conditional access policies in place, right? So then they wound up founding another like linked tenant which didn't have conditional access policies in. And then away they went and they were able to federate in their own malicious tenant and onwards and onwards. And it's just a really great write up of what this sort of like hybrid on prem up into the cloud, you know, lateral and then federating in your own. Your own IDP basically looks like. And yeah, they're doing. What they're doing is they're copying out all of the cloud data and then burning the actual cloud instances, including the backups, and then ransoming that data back so that they can do the recovery, which seems a good way to do it. But you sort of wonder why or how an attacker is able to permanently delete backups, right? Like there should be a way to structure your cloud backups in such a way that attackers can't do this. But then of course you think, well, you know, what's the dwell time of the attacker? And if they're in there for like three Months, you know, can they just gradually corrupt backups or whatnot? But either way, what were your thoughts on this? On this write up, Adam?

B (31:54)

Yeah, no, it's a really good write up and absolutely worth reading. So this is a group that I think in the past has done more traditional On Prem ransomware and clearly they've updated their, you know, their goals in life and they are doing this, you know, kind of exclusively in the cloud. In this case, they pivoted through all of the On Prem infrastructure to get there and I think that's quite interesting. So they attacked their On Prem ad, got in through all the normal kind of mechanisms there, and then leveraged some of the synchronization between On Prem and Entra ID to then eventually take over a global admin account. As you mentioned, there was, you know, some good configuration, but like many big organizations, this victim had a bunch of different divisions that had different infrastructure managed by different teams with slightly varying levels of security across them. And they were able to find the weakest link and then use that to pivot up into the cloud where it is much more shared and connected together and then enumerate virtual machines, enumerate data stores, rummage around, steal the data. To your question about the backups, Microsoft writes that they were able to enumerate some of the stores, storage policies around these things so you can set like some data storage bits to be sort of immutable so they can't be deleted or virtual machines to have snapshots and other backup mechanisms. And they were actually able to enumerate all those and then wherever possible, disable them so that they could then actually delete the data. And then when they couldn't delete the data, they resorted to encrypting it in place, so then making that difficult. So the overall process of recovering from this was still really quite complicated. And I guess, I don't know, Microsoft said whether they actually managed to get a ransom for all of this work or not, but they certainly gave it a, you know, a good go.

A (33:38)

Well, it's the sort of thing that you read and you think, oh man, like that is such a bad day. And you also think this is a type of attack that could play out pretty much anywhere.

B (33:49)

Oh yeah, yeah, absolutely.

A (33:50)

You know, and it's. And like, as you said about our different teams and whatever, like they were doing a lot of the right stuff. And as you point out, man, like you kind of got to be perfect everywhere for the problem.

B (34:02)

Right. Once you glue everything together like this. And this was an organization that had multiple standalone Windows domains that had some degree of trust, but were, I assume this is like a merger merger of an acquisition kind of thing, where a company has been built from lots of different, smaller acquisitions that have different, different kind of setups and policies and things. So you can certainly see how you end up with that kind of variability in a real world environment. But once you glue them all together in one intro or one, you know, set of interests that are connected together such that you can navigate between them, then, yeah, you end up, you know, inheriting, you know, the weakest link, man.

A (34:41)

You know, Brad Arkin, who's a friend of the show, he's actually the CISO over at Salesforce. I remember when he was CISO at Adobe back in the day, like the number of acquisitions they were doing, it was like one every two months or something, right? Yeah, but like, but smaller things, right? Like they just, they were acquisition hungry company at the time. I don't know if they still are, but yeah, I mean, the horror stories he would tell me about, like, you know, they come in and they're like, hey, we just bought this company. You go take a look and you're like, oh my God, how have you not been completely owned and destroyed already? And then, you know, what do you do with that when the pace of the acquisitions is like that? I mean, his, his response in the end was to come up with like five different architectures that they would have to move to that were. That were like, diverse enough that like, everyone would fall into a category where they were closest to at least one of them. And that was kind of how he solved that problem. But it was like, I mean, solve is a strong word. That's how he sort of tackled that problem. And, you know, you would imagine too that at a bunch of companies that are doing these sort of acquisitions, you know, they don't even have someone even thinking about it. I think one of those big healthcare data breaches in the US was, you know, this is going back a historical one that was via a merger and acquisition and some temporary link they put between the two networks and whatever. We actually had the person on the show talking about that, you know, some years after it had happened. But yeah. Anyway, we've also got a great piece here from Wired, written by Lily Hay Newman and Matt Burgess, looking at, you know, the way AI is impacting ransomware. I mean, ransomware is software, AI is impacting ransomware development. So no surprises there. I guess what's interesting though is, you know, Tom and the Grok had A good chat about this on the Between Two Nerds podcast. We've linked through to the YouTube version of that if people want to take a look. But really, I think the thinking is if you're doing crime, vibe coding is even better than if you're like doing normal software because it doesn't have to be resilient, it doesn't have to be beautifully documented. You know, you could just get something working. It works once and then you get your, you know, you get your payment.

B (36:47)

Yeah, yeah, exactly. And that conversation that Grack and Tom have is pretty funny. They talk through. This is all based on a report from Anthropic looking at how their AIs are being used by various actors, including criminals, to go and do cybercrime. And yeah, the conclusion seems to be that actually it's a better fit for crime than it is many other, you know, more traditional software development kind of sets up of problems you have to solve because, yeah, it doesn't need to be quite as repeatable. It doesn't need to be as well integrated. And you know, that's kind of, it's kind of funny actually, in a way that, you know, some people are really struggling to find the value in these AI systems because the amount of work that it causes versus what it saves you. But yeah, criminals apparently seems to work well for them.

A (37:30)

So, yeah, AI is great for criming, as it turns out. Speaking of criming, Brian Krebs over at Krebs on Security has a fun, fun write up. I mean, I don't know, he's this cyber security, it's, it's like, it's cyber crime, I guess, online crime. But he's taken a look at some of these like, fake casinos as a service programs where you can basically just spin up a fake casino and get people to register for it by promising them free credits. And then of course they, you know, you want to recover all of your winnings, your $10,000. Oh, you need to pay a $100 verification fee through Bitcoin or whatever. And you know, that's how you can cash out. And of course they just run away with the money. Just a nice write up of this, of this, you know, little crime ecosystem here.

B (38:17)

Yeah, I like it because it's one of those sort of innovation and cybercrime that's, you know, sort of a regular segment on the show is interesting innovations in cybercrime and making a like, legitimately good online casino that has good quality games and like, looks slick, works well, and then just kind of like Selling that as a service to other criminals, to scam people with. It's, you know, I guess ransomware doesn't pay so well right, when this kind of quality innovation is coming up, that maybe it's because, you know, if everyone was making hella money out of ransomware then you wouldn't see this. And so this is kind of a good example of like, you know, we've trimmed the lawn over here and so now someone's selling flowers over there. So, you know, it's good. Making the metaphor even worse.

A (38:59)

Meanwhile, we got a little bit more information around what actually was going on in England when it came to Apple. And like, apparently the, you know, the UK government issued a technical capability notice to Apple which resulted in them nuking the advanced data protection feature set for British customers. And now we've got a write up from the Financial Times who got their hands on some legal filing presumably leaked to them by Apple, which doesn't contain the technical capability notice because that has to remain confidential. But there's a bunch of assumed facts in there which kind of spell out the rough shape of what Apple was after. Which includes, yeah, a bunch of data, not just data covered under adp, but it looks like this whole thing where the Americans and you know, Tulsi Gabbard were claiming there was some huge back down. It looks like that hasn't actually happened. No surprises there. I mean we kind of said that at the time that we didn't think anything had actually changed and this reporting would seem to suggest that we were right.

B (39:58)

Yeah, and it also seems to suggest that the British were seeking kind of broader access to icloud than what was protected by adp. Because in some of the conversations we had, I think earlier on we're saying like there's a bunch of stuff on icloud that is end to end crypto but isn't covered under the ADP program. You know, and some things like icloud backups, for example, have their own sort of unique properties. And so it sounds like the UK was seeking pretty broad access to that.

A (40:25)

So yeah, we'll see how the, the TCN included obligations to provide and maintain a capability to disclose categories of data stored within a cloud based backup service, which I don't think is particularly, I don't know, controversial, is it?

B (40:41)

No, it's what you'd expect them to be asking for because I mean, we've certainly seen how useful iPhone backups are for forensic purposes and for investigating things. So that, you know, kind of makes sense they would ask for it but as to exactly what, because, like, ADP is a thing Apple could turn off to make a point. But, you know, backups of your phone into icloud, like, that's not a thing they can just turn off so easily. So, yeah, it'll be interesting to see how this kind of unfurls.

A (41:07)

Yeah, that's right. I think Tom's going to take a look at this one tomorrow as well. In other news, Immigrations and Customs Enforcement in the United States, they had a contract with Paragon, the Israeli spyware maker, worth about 2 million bucks. I think they suspended that contract after there was some controversy involving Paragon's dealings with the Italian government.

B (41:30)

Sorry, maybe it was Greek government, one of the Europeans.

A (41:33)

I think it was the Italians, I think. And. But yeah, there was also a. Yeah, they did a stop work order to make sure that the contract complied with an executive order on commercial spyware, which was a great executive order. We spoke about it at the time. But it looks like that that contract is now back up and running. $2 billion contract, not really a big one in the context of this sort of stuff, if I'm honest.

B (41:56)

Yeah, yeah, not a huge contract. I think part of the reason it's getting coverage is it was specifically the Immigration Customs Enforcement, ice, part of DHS that was doing this. So, you know, that's a thing that's rather a hot button topic in the US at the moment. So them hacking your stuff with Paragon would be of concern to a few people, I'm sure.

A (42:15)

Yeah, yeah, that's right. And look, staying on the spyware theme, I guess. Zach Whitaker over at TechCrunch reports that WhatsApp has patched O Day in its iOS and Mac apps that was being used in the wild zero click. So the good stuff.

B (42:30)

Yeah, this was the. So we talked, maybe it was last week, I don't remember if we mentioned it, that Apple had patched a bug in Image IO. So it looks like that bug in Image IO was being used with images sent through WhatsApp through like device synchronization messages. There was some bug in WhatsApp where you could send like unauthed device sync messages. So basically you could deliver an image to an iPhone in a way that it wasn't clear that that's what had happened and without the end user seeing it and without having to interact with it, and then exploited the Apple bargain, onwards to compromise. So, yeah, it's a pretty expensive bug that someone got burnt.

A (43:05)

Now, quick report on some different spyware here. We got this amazing report out of Australia's Financial Review, where a company here in Australia was using some software called Safe Track. And it was Safe Track the customer or the software, I can't remember.

B (43:23)

But anyway, Safe Track is the customer and the software is called something else.

A (43:26)

Okay, okay. So a company called Safe Track was using software to listen to its employees through their microphones when they were on their laptops when they were working from home. Now they're being investigated by the police for this because as far as I understand it, this is really illegal in Australia. Like, you know, look, the laws may have changed, but I remember writing about this workplace surveillance stuff like 20 years ago, and you have to make it really explicit to people in their workplace that you are surveilling them. Like, if you want to put cameras up and stuff, you need big signs saying this area is being surveilled and whatnot. And I cannot imagine this did not run afoul of that. So that's an interesting write up and a really good and interesting report from David Marin Guzman over at the Fin Review. So anyone who's interested in that can go have a read of it. But not only is that very likely illegal, but if it's found that this was not illegal, it very likely will be illegal soon, let's just put it that way, because that is a type of practice that is massively out of step with what Australians expect their privacy in the workplace to be. And finally, Adam, we got a report from our very own newsletter from Catalyn Kimpanu, where a couple of, like, YouTube, like, scam betas helped bring down a fairly substantial scam operation. So this is a good news story to end the week on.

B (44:51)

Yeah, I'm sure many of us have seen, you know, the scam betas on YouTube that will, you know, kind of engage with the scammers to either, you know, kind of lead them on and waste their time or in some cases will, you know, go and hack back into some of the call centers and other organizations that are running these types of scams and dox them and out.

A (45:10)

Them and whatever else, watch them over cctv, which is always fun.

B (45:13)

Yes, that's always kind of fun. So this was Scammer Payback and Trilogy Media, who both have YouTube channels that do this kind of thing. They were looking into money mules in the US who were receiving payments, you know, receiving goods that have been purchased, you know, with gift cards or whatever else at the behest of scammers, and they would actually go and confront them in person. And some of this video footage, in some cases, the, you know, the people receiving these stolen goods or gift cards or whatever else, you know, admitted their role in this. Like, say, yes, you know, I got paid by so and so and we're doing it, blah, blah, blah. So some of that footage ended up being, I think the Department of Justice said, critical in this big swathe of arrests. They arrested, I think, 25 people across the US over the last few days. So, yeah, interesting to see those. Scambait is actually, you know, cooperating with law enforcement and delivering a pretty good takedown.

A (46:09)

Yeah, yeah, you love to see it. All right, mate, that is actually it for the week's news. Yeah, great discussion this week. Heaps of fun. And I look forward to doing it again now, next week.

B (46:18)

Yeah, thanks very much, Pat. I will talk to you then.

A (46:28)

That was Adam Boileau there with a check of the week's security news. Big thanks to him for that. It is time for this week's sponsor interview now, and we're chatting with Ed Wu, who is the founder at DropZone. And DropZone is a company that makes Offers, an AI tool that really acts like a tier one SoC analyst. Right? So it sits there, hooks into your seam, looks at what's going on and can tell you when something's actually going on. Right? So a lot of people are using this for like, out of hours. SOC monitoring is one use case that's really popular. A lot of people are just using it because Tier one SOC operations are like, really boring. And just having this thing in there, doing that first line of work and triage just actually makes life more bearable. Either way, dropzone is doing really well. It's an interesting product. We published a Demo to the YouTube channel, which you should be able to find, and yet very cool stuff. Ed Wu, he's been in Infosec for a long time. Like, he was the guy at Extra Hop Networks who developed the sort of security part of that product and then he wound up founding Dropzone. Indeed. One of the investors in Dropzone is actually the former founder and CTO of Extra Hop. Right. So that's a vote of confidence right there. Anyway, so I spoke to Ed about, I guess, a couple of things in this interview, and one of them is his opinion, and I happen to agree with it, that AI is actually going to change where the security poverty line sits. Right. Because for so long, unless you're a company that can afford good people and good tooling, you are under that security poverty line and you are at risk. Right? He thinks that AI is really going to democratize a lot of sort of security stuff like monitoring and whatnot. And his case there is compelling. He also puts forward the case that, you know, in a SaaS and AI world, what is a service and what is a product? That line's getting a little bit blurry. So here is Ed Wu talking about all of that and I do hope you enjoy it.

C (48:24)

For the 80% of the organizations on the planet where they have less than 5,000 employees, Genai and such as technologies we're building should really allow them to essentially kind of up level and get to a place above the poverty line. They should be able to achieve like an organization with 200 employees or 50 employees should still be able to get 24, 7 alert coverage, you know, EDR alerts or their VPN or you know, identity alerts. Right. Maybe organizations that's below 1000 employees can now have some sort of automated threat hunt or vulnerability management. And this is where like for us, in addition to working with enterprises, we have been working with a number of security service providers. And what we have seen with those security service providers is the additional augmentation of software and AI really allows them to provide better service at a lot of times lower cost. And that I think will really help again, more organizations to be able to get more security within the same budget. I mean, sometimes it's ironic, right? You look at a 500 people organization and realistically most of these companies only have like one or two security people. But it's also a little bit scary because the amount of data, the value of data that a 500 people organization can gather is monuments. And yet they only have maybe a fractional seesaw, right? And maybe one compliance person that's part or infrastructure person that's part timing looking at alerts for them. And I'm not aware of there's any formal study, but I do wonder that yes, the Fortune 500 enterprises of the world getting breached will cause a lot of societal damage. Right. But at the same time, I wonder how much of the damage caused by cyber attacks are actually occurring in smaller organizations like organizations with 500 people or local hospital with a thousand workers. And that's kind of where, yeah, I think it will be really interesting to see when the cybersecurity poverty line is reduced, like how much it helps not only the haves, but also the have nots.

A (51:04)

Yeah, I mean the whole concept of security tooling for small to medium businesses, and particularly for small businesses, it's always been the white whale, I guess, for a bunch of people out there, which is like if you can crack that problem, like the small business market is actually massive because there's so many participants in it. But it's always been that expense issue. Right. Which is no one is going to spend the money. I mean I even remember like 20 plus years ago going to like semantic events and you know, Checkpoint did this as well where they would launch these tiny little gateways, secure gateways like for your, for your small business. And they were a couple of thousand bucks. So they're very cheap. I don't really think they delivered all that much benefit. But the point is they put all of their marketing behind these things and they didn't actually do that well.

C (51:52)

Yeah.

A (51:53)

Even at that price point. Right, so. So I guess I'm understanding what you're saying here, which is that this is actually a very different sort of thing because you can start to deliver a real benefit for very small amounts of money. It does make me wonder what this means for those managed security providers that you were talking about though, because I imagine at the moment it's a case that their margins are expanding as they find efficiencies with Genai. But as their competitors all start to do the same thing, eventually there's going to be margin compression and it's going to be a very difficult time for them. So I don't know where all this leads up. I mean first of all, do you think that's maybe how this is going to play out for some of the MSSPs?

C (52:29)

Yeah. As we all know, MSSPs or MDRS is a very fragmented market. Right. There's no cross strike of MSSPs, there's no wizard of MSSP or MDRS. It's very fragmented for a variety of different reasons. And for us I see what you.

A (52:49)

Mean, because even the big ones don't have all that much market share. Right. Like your bread, canaries and whatever.

C (52:54)

Yeah, I think a lot of them have less than close to just single digit percentage in terms of market share. And this is where obviously for us we are leveraging Genai to build like software. But I have noticed recently, just around Black Hat there have been a number of startups coming out that's solely focused on gen AI powered mdr. Right. And I think a couple of them even kind of boasted, hey, we replace expel, we replaced Arctic Wolf in a number of deals already in their investor conversations. And I think this is where these AI native MDRs will start to apply pressure to the existing MSSPs and MDRs which for the longest time have been very labor intensive. It's a service business and we have already seen that because we have partners with a number of MSSPs who are technology progressive and they're realizing that, hey, the new generation of software enabled service providers or startups are coming for us and we really need to up level and change how we deliver the service from a labor or human intensive kind of model to a software augmented model.

A (54:22)

Well, I mean, it always has been a labor cost plus margin business, Right. And I guess the argument you're making now is that those days are numbered.

C (54:30)

Yeah, yeah, absolutely. And this is where both the expectations of customers will start to increase. There will be a downward pressure on pricing. Right. We have seen cases where some of our service providers leveraging our technology are able to reduce their SLA down to like 20 minutes. And there's no way, regardless what kind of humans you have, and regardless which continents they live in, for a 100% human service to get to a 20 minute SLA. So this is where we start to see technology forward, service providers starting to, you can say, disrupt the market. And in addition to that, what I have also seen is a lot of us have been playing with ChatGPT, right? And we have seen the, the breadth of its capabilities. So I'm definitely hearing stories about, even for clients, whether it's a local hospital or legacy manufacturers that has no security expertise and have been outsourcing for two decades, they have higher expectation of their service providers as well because nowadays themselves have been playing with ChatGPT, right? They can see, hey, this thing is a lot more efficient. And they are kind of the expectation of service providers, frankly, is increasing across the board, not only on cybersecurity, but if you look at SDR service providers or accounting service providers, I think the expectation on all service providers have been increasing and a lot of that is also happening within security.

A (56:11)

Well, there's also this thing, right? And we were talking about this before we got recording, which is there's this sort of blurring of the lines between what is a product and what is a service. And I can really understand that when you look at something like dropzone, right, which is a product, but I mean, is there really a difference between offering Dropzone as a product for people who've got seams versus selling it as a service? Because it almost is kind of like an MDR in a box already, right? I mean, do you. What which is it? Is it a product, is it a service, Is it both?

C (56:44)

Yeah, I've definitely seen, you know, a number of startups kind of trying to reside in different spaces within this spectrum. I think product and service at this point, it's not binary, it is a spectrum. Like we have seen service companies having a lot of automation. Right. So they have a product but they don't call that a product. It's just internal tools to help the service. And then we have seen product companies having an army of humans offshore to help maybe plug some of the gaps within the product. Right. And then there's like pure play product companies like us. In my mind a big difference between product and service at this particular moment is boils down to is there somebody you can call in the middle of the night if your CEO has clicked on an email that he or she shouldn't have? Like if yes, then I will say that's a service. Right. If no, then to some extent it's still a product.

A (57:46)

That's a good, that's a nice simple definition. I like it. I mean you tend like. So the interesting thing is for you though, right like you know you're actually selling your technology to mdrs, right?

B (57:56)

Yep.

A (57:57)

Which would make it a little bit difficult for you to say hey congratulations, like now we're an MDR company, right. So like have you excluded yourself from that end of the market?

C (58:06)

Correct. Yeah. For us we do not work with small medium size businesses directly at all. So we sell our technology to MSSPs and MDRs and help them up level their capabilities. Up level their efficiency as well as effectiveness. We ourselves do not have a service arm. There's nobody in drop zone you can call in the middle of the night if you ended up clicking on a ransomware executable. And also keep in mind the product we are building is only automating tier one. Maybe if you squint a little bit, maybe it's automating a little bit. Tier 1.5, but it's nowhere close to automating Tier 2 or Tier 3. So at this moment another maybe a quick test whether it's a product or service is like if I get breached, will you help me undo all the damages and rewind clock? Essentially yeah.

A (59:09)

Or will your model pick up the phone and call in mandiant? Probably not.

C (59:15)

Yeah. Or write up a report to our board explaining kind of what happened and again make all the remediations, the corrective actions as well as sometimes unfortunately rebuilding of the systems. I'm not aware of any AI security agent that's capable of determining. Here are the five workstations we need to nuke. Here are the eight user accounts we need to nuke and rebuild from scratch.

A (59:43)

Yeah, but presumably that's coming in the next few years, you would think.

C (59:49)

I think we will see. Because some might say, hey, look at the growth trajectory of models. They are getting smarter and smarter. I think OpenAI just mentioned they have an internal models that just won the International Math Olympics or something like that. And you might think, okay, if the large language models can win the International Math Olympics, and they surely could do IR work or Tier 3 work. But the reality is, when you look at this, what makes IR and Tier 2 and Tier 3 work difficult is actually not about raw intelligence. In fact, if you take an IQ test, take the average IQ of tier 2 and tier 3 analysts, I don't think that's like meaningfully higher or statistically higher than Tier one analysts. What's actually the difference is actually experience and organizational context. And this is where, regardless how smart the model is, if the model does not have access to all the organizational context, it's not going to be able to make the right decision. And the fortunate or unfortunate reality is that a lot of the organizational contacts are gathered through experience.

A (61:03)

Yeah. They're in people's heads.

C (61:06)

Yeah. And there's no API keys, you know, there's no APIs to people's heads. Maybe, you know, Neuralink will help solve that.

A (61:12)

Maybe, maybe in the future in this dystopian hellscape. Ed Wu, we're kind of going over time at this point, mate, so I'm going to have to say goodbye. But thank you very much for joining me for that conversation. Fascinating as always.

C (61:25)

Thank you.

A (61:27)

That was Edward Wu of Dropzone there, and you can find them@DropZone AI. Big thanks to them for being this week's podcast sponsor. And that is it for this week's show. I do hope you enjoyed it. I'll be back next week with more security news and analysis, but until then, I've been. Patrick Gray. Thanks for listening, Sam.