
Loading summary
A
Hey, everyone, and welcome along to Risky Business. My name is Amberly Jack, and this is, I believe, the first time that a Risky Business weekly show has been produced without Patrick Gray at the helm. But Pat's on holiday for a couple of weeks and regular listeners of the show will be aware of, I guess you could call it the Risky Business curse, where the idea is if Pat goes away, the Internet will go boom in his absence and there'll be no one to talk about it. So we figured we'd do what we can and keep the show going in his absence. So joining me in his regular spot behind the microphone is Mr. Adam Boileau. Adam, thank you so much for joining me.
B
Yeah, it's great to be here, Amberly. And you're right, this is, you know, it's historic. Pat and I have been doing the show. I think I've been here more than 15 years, and Pat's been doing it before that without me. So, yeah, a Pat free show is. It's pretty miraculous. So let's give it a go. I guess we should also point out this is not sponsored. This is just us kind of doing it for fun because, you know, we're sitting around the office anyway, we're already talking about the news in chat, so why not get in front of the microphone and do what we always do?
A
Yeah, for sure. And I want to jump straight into it, actually, with a news that, as a journalist, really piqued my interest when I saw it this week.
B
Journalists love money.
A
Journalists love money. But a BBC reporter, Joe Tidey, has written a first person piece about being contacted on signal by hackers who asked him to hand over his BBC credentials in exchange for a percentage of whatever the hackers would manage to extort from BBC. And this one made me laugh because. And it also made me a little bit envious as a journalist, because if I was still working in a newsroom and I received a message like that, my first thought would not be, how can I extort my company and make lots of money? My first thought would be, I'm going to run straight to my editor and say, look at this great story that I have in my hot little hands. How would you like to approach this? But, Adam, the question I wanted to ask you is, as a journalist, we don't have a lot of permissions with our accounts. I mean, if you hacked into a journalist account, you could maybe, I don't know, add some typos to a story or a cab picture on the front page. But it's not about that, is it? It's just literally about getting access.
B
Yeah, I mean, of the things that ransomware crews are good at, one of their core competencies is taking any sort of initial access and turning that into, you know, enterprise wide compromise and onwards to ransom and getting access to any one individual user's account, be it, you know, a journalist or a janitor or a receptionist or you know, a call center person, that's where they land anyway. If they're fishing, you know, for code execution, if they're phishing for credentials, whatever initial entry access route that they are going after, typically they're not going to be landing into a privileged, you know, an IT privileged account. And so turning that, you know, turning any regular account into the kind of privilege they need to do ransomware. That's what they're good at. And the avenues for doing it are, you know, very well understood in terms of attacking Windows domain environments and so on and so forth. So the fact that it's a journalist and if anything they probably should have paid more attention to that because I think of all the sorts of, you know, roles and industries and people you could go after with this kind of like, hey, we'll just give you, we'll cut you in on the ransom. Journalists seem to me to be the one that's least likely to work because, you know, as you suggested, like journalists are not there for the money. They are there because they want stories. If they were willing to do journalism for money, they'd be in corporate comms instead. Right. Getting paid fat bank. And instead, no, they are there because they want the stories. And so the fact that Joe Tidy immediately turned around to his editor and said, let's write a story about this, 100% predictable. So yeah, I don't know, I don't know what else we expected. I don't know what they expected out of this whole process.
A
Yeah, for sure. And I just, I mean obviously journalists, not the best people to try this tactic with, but this tactic in general, Adam, is it a good plan? Is it a plan that is going to work? And if so, why are we only seeing it now?
B
It's a great question because the, you know, we don't see, we've seen some examples of this, but kind of less than you would expect. And you know, as someone who has worked in technical security, the idea that your users would be co opted against you is pretty scary because building systems that are sufficiently robust to survive malicious insiders is not a thing that we're good at. Like we struggle dealing with, you know, malicious attackers that are inside our environment. And malicious insiders are using usually have enough knowledge to be properly dangerous. But they don't have hacking knowledge, they have company environment specific knowledge. But if you can pair someone who knows the foibles of the environment with someone who understands technical hacking and combine their powers together, then that's an adversary that most of us don't want to have to defend against. But the reason I think we don't see this is that, I mean, what's the outcome going to be? Let's say you're Joe Tighty, you take the, you know, tens of thousands of dollars or you know, you take the punt on however much money BBC might pay out, the chances that it's not going to be tracked back to you is basically zero. Like you are 100% going to take the rap for it. And Russian cybercriminals at least have the benefit of being in a jurisdiction that's not going to extradite them. Like they are immune to law enforcement so long as they pay the appropriate cover in Russia, you know, to whoever they're bribing. But that's not the case everywhere else, right? If you work at that company and you get them ransomware on purpose for money, you should expect law enforcement on your doorstep. You should expect to not work again, you should like, you should expect to face those consequences. And if anything, you know, the ransom recruits are kind of like buying a fall guy here, right? Because if they've confined someone, if authorities can find someone to prosecute, then that takes a bit of pressure off the ransomware crews. So this is just an all round bad idea. And the examples we have seen, like that guy we reported a couple months ago about this guy in Brazil who gave up his access to the like some payments, the backend systems for payment stuff in Brazil where he, you know, worked there, wasn't going particularly well in his career. Sold his access at a bar for a few thousand dollars and sure enough, the attackers break in, steal a couple of hundred million dollars worth of funds and now he's facing the rap for it. So it's just, I don't see that this is a good deal and much as an attacker. There's been a few times in my career when we're trying to break into my day job as my all day job as a red teamer, when we're trying to break into a hard target, something that's very tempting to go, can we just offer someone a couple of thousand bucks to run a command for us because that would be cheaper than the time we are spending trying to technically hack them. But the reality is this isn't a great initial access vector and you know, although it's kind of scary to have to deal with it, I think, you know, it's not a thing we should spend a whole bunch of time worrying about as defenders because, you know, clearly if this was going to happen a lot, it would be by now.
A
Yeah, for sure. And I guess the last thing I want to say on this as well is I'd love that. The headline is one of the quotes from the hackers, which is, you'll never have to work again. And then later in the article it did, it did say he didn't know how much money he was going to get, but it did say that he was up to initiate a payment of something like $55,000, which, I mean, journalists aren't paid. Great. But $55,000 is not going to be enough to flee the country and retire on.
B
So, no, that's not enough money to go on the land for the rest of your life, which is what we're talking about here.
A
Yeah, and sticking with the ransomware stories, Adam, the Jaguar Land Rover update. I mean, we've been talking about the story for a few weeks now. The UK government has agreed to guar a 1.5 billion pound loan to basically keep Jaguar Land Rover going and help them recover. And I guess, I mean, you and Pad have sort of discussed about how important and how big Jaguar Land Rover is in terms of the British economy and I guess this kind of cements that.
B
Yeah, it really does underscore how much grief this is causing, I mean, to Jaguar Land Rover, but kind of more importantly to all of the smaller little companies that are in the supply chain because those are the ones like that, you know, can't really weather a multi month shutdown. And so, you know, the government's, I guess like we've seen some headlines describe this as a bailout, which, you know, kind of isn't really their underwriting alone. If Jaguar Land Rover fails, they were probably going to get nationalised anyway. So it's not like the government's going to lose. And you know, they can, they can back this loan that some, you know, private bankers are going to extend to Jaguar Land Rover. And I think then the plan is that they would then use that to provide some assistance to their suppliers and kind of just try and get the whole enterprise and all its downstream, you know, related companies through this process and back to the point where they can start making cars again and that, you know, seems like a smart move, pretty low risk for the government, but it's kind of. Yeah, it's interesting that it's kind of, it's, that it is this bad. And you know, I don't know what ransom recruiters take from this or whether they even think it through, but you know, it's certainly a mess for all of the people who work at those suppliers and this will at least provide them with some certainty for the next few months.
A
I have to say, Adam, I am looking forward to the day where we can see a court sketch of some very miserable Land Rover hackers. In the same vein as the amazing picture that is featured in Brian Krebs Krebs on security write up of the Scattered Spider teens Thala Joubert and Owen Flowers who were arrested for the Transport for London hack last year. And they, they sort of saw their day in court and charges have been laid and Brian Krebs has done what Brian Krebs does and has pieced all the, all the pieces together in this great write up.
B
Yeah, the, some of these kids, and in particular the Jubeir kid has been in the hacking scene for a while in that kind of extended comm universe. And Brian ties together some of the previous exploits of this kid and some of the other shady stuff he was involved in. You know, things like swatting and the attacks against the casinos in Las Vegas a couple of years ago. Now. So yeah, like a pretty long rap sheet even if they're not, you know, he's not facing charges that relate to all of those things. But like he's been involved and his name is, goes back through, you know, so many things. So yeah, Crab's got a good write up. I don't think there's anything that we didn't already kind of know and understand. But when you see it like Cribs does those great write ups where you know, when you lay it all out like that, you do see like this kid's been doing bad stuff for a long time and he's only 19 now. So he must have started this stuff pretty young. Which, you know, I do despair for having to have good OPSEC as a 13 or 14 year old hacker kid on the Internet. Like you just can't, right? You can't have good OPSEC and be that young because it's, you know, it's complicated and you know, especially for these kids in the uk, they're, they're all going to end up in jail and you know, the opportunities for becoming a productive member of society are A bit more limited. I think you and Tom talked about that on, on srb. It's just kind of difficult these days. So, yeah, sucks to be there. But these kids are not, you know, they're not good dudes.
A
Unfortunately, they're not. And yeah, you sort of mean, you know, Tom and I were talking about how even just in the past decade, the violence and the money and the just all round nastiness of all of this is just getting so much more intense and there really is no kind of path to redemption for these kids.
B
Yeah, I mean, I mean, you grew up alongside a teenage hacker kid, right? And like, we were goofy and, you know, a bit of a menace and made a little bit of trouble, but ultimately weren't bad people. Right. And many of us ended up in careers that were, you know, useful members, you know, were useful contributors to society. And it's kind of hard to see some of these kids in that same light, which, you know, maybe this is just old people, you know, yelling at clouds and that's, that's, that's all that's happening here. But yeah, when you read the whole rap sheet like this, it's pretty rough.
A
Now, Adam, we may be old people yelling at clouds about kids these days, but I had to laugh because an arrest has been made in connection with the cyber attack against Collins Aerospace, which is the, the check in and boarding technology that caused all the chaos recently at European airports. But the thing that seems very strange in the story is the person that was arrested as a man in his.
B
40S, which, I mean, on the one hand, okay, yeah, you did some hacking. That's good, I suppose, like, good for you, buddy. Although I think it was ransomware, so not great hacking. But yeah, I was surprised to see that age too, because you would hope that if you're in your 40s, you know, your ability to. Your ability to kind of reason about the risks that you would face when you live in England, hacking airports that are, you know, amongst other things in England. Like surely that would give you some pause. But no, apparently not. This guy's been picked up. We haven't seen many other details other than that he was in his 40s and I think from like West Sussex or something, facing some charges. But yeah, like not great risk management or risk thinking even amongst middle aged folks for sure.
A
And it's like you were saying just before, I mean, you and my brother both grew up kind of, I guess, hacking at similar times in life. And as you said, you grow up and you become functioning members of the hacking Community mostly.
B
I just feel like if you got the technical skills to be able to hack at airport, surely you can also get a reasonably playing, legitimate job in it, like, you know, which is a better choice than hacking airports, in my opinion.
A
Just one thing, though, Adam. I mean, we were talking earlier about the journalist who was kind of hit up and sort of said, hey, let us buy your creds for a take in this. Do you think there could be some kind of similar. Like, do you think this could be a guy in his 40s who got caught up in something?
B
It's a good thought, actually. Yeah, because that would fit. But the guy in Brazil we were talking about briefly, he was in his 40s and, like, hadn't gone places in his career, was trying to retrain, you know, so. And maybe that's. That's. That. That is another possible explanation. We've got, you know, no details at all about this guy. So who knows? But, yeah, that could be a thing. Yeah, I mean, it would be an interesting data point if it did turn out to be the case.
A
We've got a story here from the Record from Jonathan Greig. A Chinese woman has pleaded guilty in the UK after the government seized a significant amount of money, $7 billion in Bitcoin, which was from this woman's investment Frau fraud, which feels like a lot.
B
Adam, do you reckon? Yeah, the story here is that she was running like a bitcoin cryptocurrency investment kind of Ponzi scheme scam thing in China in the mid 2010s, and she stole a bunch of bitcoin and it was a significant amount of bitcoin. It was, I think by 2017 or something, it was about $200 million worth of Bitcoin. So pretty reasonable money at that point. She was starting to get some heat in China, fled to the uk, bought herself a fancy house and has been kind of like laundering the money and on the run from the law for a little bit and then subsequently arrested. And then the UK government seized her bitcoin holdings, which turned out to be 61,000 bitcoins, which at today's value, as you say, is like US$7 billion. And so going through the, you know, this has been prosecuted in the courts and so on. Some of the original investors from China are actually asking the UK government for their money back, which.
A
So, Adam, they. I believe when they made the investments, they were promised something kind of crazy, like 300% returns. But if we take that $7 billion worth of bitcoins and they do get this, what kind of returns are we looking at for this investment?
B
I did the numbers and it's 11,300% returns. So the thing I find myself wondering is she was promising. This was an, it was an investment scheme where they would make 300% returns. If they now make 11,000% returns, is it even a scam? Like, I mean, like, are they going to prosecute her? I mean if, like if the UK government said, okay, we're going to give the money back to the investors, like they can be very happy with their return. Like, did she even really do a crime is what I'm wondering. Because, you know, bitcoin is so crazy that you can do fraud and yet somehow at the end of it, maybe not even did a crime. So the UK government of course wants to keep the 6 billion, $7 billion because, you know, that'd be handy, handy to have.
A
It would have to be the first time where you would be absolutely stoked to be a victim of fraud.
B
Well, you see, you would say that, but in the cryptocurrency world where everything is topsy turvy madness, there's been plenty of other examples of people who've had their bitcoin stolen and then eventually got it back. And as a result of that like enforced toddling, they've ended up making heaps of money. I think like Mount Gox in Japan was a cryptocurrency exchange where that kind of happened. They had a bunch of crypto stolen and then by the time people got it back, actually appreciated so much in value that they were doing really well. So yeah, I mean it just, I mean if anything else, it just underscores how absolutely bonkers cryptocurrency is and how it makes no sense whatsoever and you shouldn't invest in it even if you are going to get 11,000% returns over a 10 year period or whatever.
A
I hear that bitcoin is absolutely terrible and you should not invest in it. But also on the other side, having your bitcoin stolen is potentially the best term deposit possible.
B
Well, it does at least stop you from touching it and messing with it. And yeah, if you eventually get your money back, then it would beat every other financial instrument you could possibly work with. So yeah, just don't come to Risky Business for financial advice. I think that's the main takeaway here.
A
I think that is the number way, number one takeaway you can gain from that conversation. Now people in Japan, Adam, are going without their beer. A cyber attack on Asahi.
B
Yeah, there's been some kind of attack. We don't know that it's ransomware, but it sure smells like ransomware. It seems to be affecting a bunch of domestic operations at Asahi, which is a giant Japanese brewing firm. So far, I think shipping, like call center, order management, shipping and stuff are all impacted. I think the actual breweries are still running, but we don't know how long that will continue. But yes, it's not affecting the international arms of Asahi, and they own, you know, a bunch of international beer brands as well. But it's pretty rude if it does turn it pretty ransomware, you know, hacking beer. That's just, you know, that's not. That's just not on. Not on.
A
Don't mess with people's beer, man.
B
Exactly.
A
Come on. And Adam, Afghanistan is having a really rough time of it at the moment. The entire country's had the Internet shut off. We've got a story here from Dorina Antoniuk at the Record. And the Taliban have shut down the Internet as part of a crackdown on immoral acts.
B
I mean, to be fair, the Internet does have a lot of immoral act on it, which, you know, you know, it's the obvious joke to make. But on the other hand, like, this is not a joke if you're there. I mean, the Internet is so ingrained in modern society and even, you know, Afghanistan's, you know, not exactly the, you know, pinnacle of high tech, I guess, but, you know, it's communications are super important and, you know, the amount of things that must be broken right now in Afghanistan, I can't imagine, like, I mean, I can't imagine what our society would be like if the Internet just disappeared one day. But then also there's such huge Afghani diaspora around the world. They have family back at home, you know, and not knowing what's going on has got to be such a horrible experience as well. So, like, it's kind of not really cyber news, but, like, just thinking through what it would feel like and what, you know, how we would cope with that kind of impact of your Internet being turned off completely, you know, is pretty sobering.
A
Yeah. And that's the big thing, I think, you know, I mean, there's the obvious disruptions. Reading through the story, you know, like airports and banking and everything else, but the isolation would just be phenomenal.
B
Yeah, we're so used to being such an interconnected, immediately communicate anywhere in the world, you know, kind of place, and then having that just taken away all, you know, overnight. And it didn't seem like there was much warning Here either. There's been a few sort of, you know, rumblings and things, something starting to break, but just. Yeah, waking up one morning and no more. And it's not even being pitched as like a temporary thing. It's a, you know, they're talking about maybe we're going to build some alternative system instead. I think we had a quote from some governor of a private province in Afghanistan saying, hey, we're just going to build some kind of other system. And it's like, excuse me, you what now?
A
And for essential services. It doesn't sound like they're planning on stopping at any time soon.
B
No, that's definitely a rough time. And, you know, I guess we don't have many listers in Afghanistan this week, so. Yeah. But our condolences nevertheless.
A
Now, Adam, Tile trackers. We have some research here from Georgia Tech, well, researchers from Georgia Tech saying there's a few issues with tile trackers. Tell me about this research.
B
Yeah, so tile make, you know, little like Bluetooth, low energy Bluetooth tracking devices, the tile network of these things, you know, you put them on your key rings and bags and whatever else, and they send out local radio, radio messages, beacons I guess, that are picked up by other devices and people use that to track things. Tile is probably the second biggest network after the Apple find my equivalent. And this is I think the first sort of comprehensive research we've seen into like how tile works and how it's built. And I know when Apple find my launch, there was a lot of criticism about the potential for abuse of people tracking people without their consent, slipping a tracker into somebody's bag and following around, or of the privacy concerns of tracking information being beacon around other people being able to track you by your devices. And Apple built a bunch of kind of smart engineering into their things to try and mitigate most of those abuse cases. This research from a team at Georgia Tech suggests that tile basically didn't implement the same kind of level of rigor. The core of the criticism is that tile devices broadcast a static identifier. So the Mac address, the harbor identifier of the radio, and a static unique identifier in other tracking networks. Those things change quite rapidly. So even if you know that there is an Apple airtag nearby, you don't know that it's the same one that you saw last week in the tile devices. It appears that you can actually identify an individual people with them. And if you can see the same device going past the same place, you'll be able to kind of, you know, spot Patterns of life and so on. There's also some concerns around their resilience to being used surreptitiously because of the, like the stalking case where you stick a tracker in someone's. In someone's car, in someone's bag or whatever. Anyway, the researchers wrote this all up, reported it to Life360, who are the parent company of Tile, I think at the beginning of last year. And at some point life 360 kind of stopped replying to them and there hasn't really been much movement. And the researchers suggest that this is kind of. These are kind of design level issues, not like something you could easily patch. So that may explain some of the slow communication. The Register reached out to live360 and got some comment back that said basically we've done some things but wouldn't specify exactly what those things are. So not super confidence inspiring. But yeah, just good to see research out there because this is one of these things where we build these technological systems and we don't always think about the ways that they can be abused. And the stalking use cases for this stuff is really all pretty gross.
A
Yeah, yeah, very gross. And I'd love the kind of, you know, we've made things better, but we won't tell you how or what or just trust me, bro.
B
Yeah, exactly. Exactly.
A
And keeping with the research, Adam, we've got a write up here from Dan Gooden at Ars Technica. Intel and AMD trusted enclaves, bit of research into that. Can you tell me about it?
B
I mean, this is pretty deep in the weeds and this is the sort of story that Pat would be like, hey, Adam, explain this to me because I don't want to read these research papers.
A
So pretty much the same thing.
B
Then if your eyes glows over, you're totally excluded. It's totally excused. So this is some research into how AMD and Intel systems implement their secure enclaves and the systems that support that. So things like encrypted memory and so on. And there's two sets of research by independent researchers that just both happen to occur at the same time and both have kind of roughly similar things. The key of these is both these bits of research look into a use case that these trusted enclaves weren't really meant to solve, which is an attacker has some ability to modify the hardware. In both cases, the researchers insert a custom hardware device between the system and its memory and then can read memory accesses and kind of use that to infer things about the behavior of the code running in these trusted enclaves. Or eventually break the crypto through some other kind of cryptographic attacks that they can do through repeated observation. The net result of all of this is that these two research papers look at two use cases for this kind of thing. One is for running code on computers that you don't necessarily trust. So things like distributed computing networks or cloud computing environments where you want to kind of have the hardware make some attestations about its robustness and its integrity and so on. And this is research into how to kind of get around those things. But the real key is neither of these solutions were designed to be robust against hardware intrusion. And this is super important research, but ultimately not a thing that end users of this technology really needs to care about too much. We may see, you know, future developments in this kind of like remote attested, you know, robust secured computing kind of thing, but this is just, you know, research that will contribute to that, but not really, you know, some of the headlines have been a bit breathy. And this is not a thing that everyday people really need to concern themselves much about. There's so many other things to worry about and this one probably isn't one of them.
A
Now, Adam, we've got another write up here from Dan Gordon at RS about Super Micro server motherboards that can be infected. And I'm intrigued here with unremovable malware. Explain to me what unremovable malware is, Adam, and why it matters.
B
So this is a write up of some research from a company called Bernali who've been involved in all sorts of work looking into firmware. And this is a set of vulnerabilities in how Super Micro motherboards validate firmware updates into some of their embedded systems. So there are a number of kind of small embedded computers inside modern computers. They're made up of controllers for various peripherals and whatever else. And all of those also have software. And there's meant to be mechanisms to try and make that software robust in the sense that you can't just, once you had access to a computer, update it willy nilly. You have to have software signed by the manufacturer. And Binali have reverse engineered some of the software for the baseboard management controllers, which is one of the embedded computers that's typically involved in managing, managing the hardware itself. You know, how fast are the fans going and you know, how turning the devices on and off. In a data center context, these are used to manage power remotely or manage network interfaces remotely before the system even necessarily has an operating system running on it. So this was work findings and VULNERABILITIES in how the software in these embedded components are updated and then being able to use it for malice and in particular implanting it for long term access. And this is a thing that nation state hackers particularly really enjoy. Because once you've hacked a computer, if you can get to the point where the only way to throw out the attacker who's broken in is to physically replace the equipment, then that bar is very, very high and it makes throwing people out very, very difficult. And so, yeah, that kind of hardware backdoor is very attractive to motivated attackers and really very, very difficult for everyone else because I know when I've been involved in instant response cases, having to turn around and say, okay, in order to evict the attackers in your environment, you're going to have to replace every computer that you own. And that's quite a high bar. You have to be very sure about your findings before you recommend that a company replaces all of its computing equipment. And very, I don't, you know, I've never seen anyone do that like probably outside of a government or military context where they are willing to go and throw computers into a wood chipper as part of the response process.
A
Yeah. Wow. And we've got a write up here from Jonathan Greig at the Record as well. And Adam, you and I work together quite a bit in the mornings here at Rescue Biz. We sort of edit bulletins and go through some stories together and every so often your eyes kind of light up and your eyes light up when you see competent hacking. So tell me about this competent hacking hacking done properly, as I think you mentioned to me.
B
Yeah, I do love competent hacking. We see someone's garbage hacking and when you see the good stuff, like, it really warms my heart. So this is a write up originally from Google Mandiant about a Chinese actor using a piece of software they call Brickstorm. And it's not just because of the storm in the name that I'm into it, but this is a write up of like the techniques that they have been using, breaking into organizations, you know, going around doing their, you know, espionage, espionagey, you know, nation statey kind of business. The things that appeal to me really are just like the quality of the, you know, the long term nature of their access or in some cases the dwell time of this actor in places where they are being seen is, you know, in excess of a year. And like they've got some cases where the actors have been in these environments for sufficiently long that the logs no longer cover how they got in so they don't even know how the initial access occurred. Which as an attacker is wonderful. Like that's exactly what you want. So yeah, Mandance done the write up. Jonathan Gregg for record has written up Mandian's write up and there's a bunch of IOCs and various things that you can use if you are worried about being targeted by Chinese attackers. But mostly, you know, I just like to see competent hacking and this was a great example of, you know, the sort of in the VMware in the network fabric, long term access, you know, implanting network devices with things that would scrape credentials out of the login form so that you can get access to cleartext credentials which when everything is domain integrated for authentication means you can get credentials that you can use for other things. It's just these are all tricks that I have used and I dislike other people using, you know, I like other people doing. It's sort of affirmational. Like I feel like I did good hacking and they are doing good hacking. Therefore we are all good hackers and good times unless you're the victim. So yeah, nice.
A
I love to see you loving to see good hacking. So the stories work well for both of us. Adam, I kind of grew up believing that firewalls make things secure. Right. But I think I'm starting to learn that maybe if Cisco is in the name of that that's not the case. Why? So can you tell me about this Cisco firewall bug that federal agencies have basically been given no time to patch?
B
Yeah. So CISA has told federal civilian agencies and everybody else under their kind of remit to go out and patch their Cisco ASA and firepower threat defense devices. These are both firewall products. And you are correct, firewalls are meant to make things more robust and more secure, except if they come from Cisco, in which case they are meant to provide attackers with remote code exec. So there's a pair of bugs that are being chained together. One's an AUTH bypass and one is a high privilege service to root code exec on the underlying device that you can kind of chain together. This is being exploited in the wild. And yeah, like when your firewall gets you compromised, like it's just, it's a bad look for everybody. The industry, like we are meant to be making things better and clearly we are not. There's also the added complexity that patching Cisco devices is usually quite complicated. It's usually quite intrusive in terms of its impact on availability. No one enjoys doing it and so no one does so when we see, oh that's fun. Cisco bugs put in the wild. Yeah, exactly. Like it's, it's a bad time for everybody. And then so there was these bugs in isa. We've also seen the, there's some Cisco zero days or Cisco bugs that were exploited as zero days that are now patches available in Cisco router products, Cisco iOS and iOS XE. And these are like memory corruption via SNMP which is not very exciting for you, but it is exciting for me. And so yeah, once again everybody needs to patch their Cisco stuff. No one is patching the Cisco stuff. These bugs will be, you know, exploited in the wild. I think I saw some, some numbers that the SNMP related flaw. There's something like 30,000 vulnerable devices in Russia. So you know there's going to be plenty of compromise boxes all over the Internet. Good times.
A
Ouch. And Adam, I've spent a bit of time here at Rescue Biz and in my time working here I've picked up a couple of what I feel are kind of important points. Watchtower good fortune. Less good.
B
Yes, those are, those are good points to pick up. Yes. We've got a couple of stories here which are this two part blog post from Watchtower Labs in which they write up a recent bug or kind of set of bugs in the Fortra go anywhere mft their file transfer system. And I always have a weak spot for Watchtower Labs write ups as you well know because I like good hacking and they do good hacking and they write it up with the kind of humor and snark that when I had to write blog posts about vendors products was exactly the same sort of thing. So I feel, you know like, I feel like we're at one. These bugs are ultimately a. It's, it's remote code exec via deserializing the licenses. So you show up to the web interface and you're supposed to input your license license. And those licenses are serialized blobs that get parsed in a way that results in CodExec. Now where this gets more interesting is the bugs in question require you to be able to craft a license file and those license files are cryptographically signed. And Watchtower Lab says the key material to sign these licenses they don't have like it's not immediately obvious in the, the firmware. They don't know how to craft one. They know how to turn a license file into code execution because they reverse engineered enough to figure that out. But making a new one requires key material they don't have normally this would mean it's kind of not really a bug, because in theory, only Fortra have those key material. But where it gets funny is this is being exploited in the wild. And Watchtower has some logs that they've got from. They couldn't say where that shows in the wild. Exploitation of this and Fortra's advisory about it makes it sound like it's being exploited in the wild without actually saying that. Like they describe it like it's important and critical and you should deal to it quickly. So we don't really know what's going on here except that probably someone is exploiting this. And exploiting it requires key material that only Fortra has, which means that that key material had to get out of Fortune somehow, which means presumably someone had to steal it from Fortra.
A
Right.
B
And we don't know how that happened. And we've ended up with kind of more questions than we started with. But that's the joy of a write up like Watchtower have done where they've taken a boring security advisory that says, just patch your thing. Nothing really happened here. And the implication is something much more interesting must have happened here. And, you know, that's what I like in a write up, even if there aren't answers.
A
Maybe. Adam, circling back a little bit. A Fortress staff member went to a pub and was offered a couple of thousand dollars for their ultra grips.
B
Nice. Yeah, that's good thinking. It could have gone down like that. We will never know.
A
So, on that note, Adam, we might actually leave it there. But I have had a blast playing Stunt Pat for the week and chatting through the week's news with you, so thank you so much for that. Now, there won't be a show next week. Pat will still be away, but we will be publishing a sponsored Snake Oilers episode. So look out for that one on Wednesday. And Adam, you will be returning to the regularly scheduled programming with Pat the week after that. So have a great week, mate, and it's been an absolute blast. Thank you.
B
Yeah, thanks very much, Amber. I'm going to look forward to seeing what horrible things happen while Pat's away and we will discover whether or not we have fixed the curse or not. Thanks very much, Sa.
Podcast: Risky Business
Hosts: Amberly Jack & Adam Boileau
Date: October 1, 2025
With regular host Patrick Gray on holiday, Amberly Jack and Adam Boileau steer this "Pat-free" episode through another busy week in cybersecurity. They cover a wild hacker attempt to bribe a BBC journalist for access, ransomware's ripple effects on critical businesses, cybercrime in unexpected demographics, intriguing crypto-related legal drama, and fresh research highlights—from insecure location trackers to resilient hardware backdoors. Injecting humor and insider perspective, they dissect threats and trends shaping today’s infosec landscape, while highlighting the ongoing unpredictability of the "Risky Business curse" (big security news surfacing whenever Pat is away).
Amberly and Adam blend humor with sharp technical insight, making sense of front-page breaches, unlikely cybercriminals, and shadowy APTs, all while keeping the infosec community’s morale—if not their firewalls—intact. Amid wild scams, beer outages, and Bitcoin drama, the hosts repeatedly remind listeners:
“Don’t come to Risky Business for financial advice.” (19:16)
The “Risky Business curse” is alive and well; with Pat away, chaos reigns—but Amberly and Adam keep the signal-to-noise ratio (and the snark) high.
Listen for:
(Next week: No regular episode, but a sponsored Snake Oilers show will drop. Regular programming resumes upon Pat’s return.)