A
And welcome back to Risky Business. My name's Patrick Gray and yeah, I'm on deck again. After a couple of weeks off, I had a terrific break and consider myself extremely lucky that I can take basically all of the school holidays off to hang out with my kids. One of the reasons I was able to do that this break is because Amberleigh Jack stepped in for me to fill in for me and host the first ever edition of Risky Business that didn't have me in it and she did a terrific job. So I just wanted to start today's show by saying, Amberleigh, thank you so much for doing that. And yeah, universally awesome feedback as well. And you know, the week before that Adam was away. So this is our first show together in like four weeks, which is. Yeah. So it's cool. We've, I've missed it. So we're back on deck. Before we get into it though, just one thing I wanted to mention this week is we are hiring. Um, we're probably not really looking to urgently onboard anyone, but we are looking for someone to join us who can act as an interviewer and as a podcaster and someone who's also got, you know, plenty of knowledge about cyber security and you know, the products that make up the cyber security industry. If this is something that you are interested in doing, if you want to apply to work with us, we're most interested in people who are based anywhere from the east coast of Australia to, to the west coast of the United States, New Zealand, pretty much the perfect location, time zone wise. So if you want to apply to that, for that, just email your resume to editorial@risky.biz and include a video of yourself. And this can just be shot straight into a phone, like self-shot video explaining to us what you think a big problem in enterprise security is. And that'll just give us a sense of how you speak to a camera, how you speak to a microphone. So yeah, if it's something you're interested in pursuing, do get in touch with us and yeah, onto this week's show now.
And this week's show is brought to you by Stairwell. And Mike Wiacek, who is the founder of Stairwell, will be along in this week's sponsor interview a little bit later on. Talking about how a bunch of people these days are licensing the Stairwell API and they're using it for SIEM enrichment, much in the same way that people would use VirusTotal. So that is an interesting conversation and it is coming up later. But first up, of course it is time for a check of the week's security news with Adam. Missed you, dude.
B
No. Well, it's good to be back. Like, there's a lot of. Lot of interesting stuff to talk about. Some great bugs, too, which I always enjoy.
A
Yeah, it's funny, right? We got. We got a. We got a whole bug section at the end of the show, but like a big thing that's been happening, I guess really all year, but it seems to have hit fever pitch at the moment is just all of these data extortion attacks. Right. So we've got Clop going nuts with some Oracle bugs. And then we've got. What are they calling. They're calling themselves, ironically, what is it? The Lapsus Shiny Scattered Hunters.
B
Scattered Lapsus Hunters. Yeah. So like the Com with its usual kind of set of hats on. Yes.
A
Yeah, yeah. And a sense of humor about it. And they've been going around and what, socially engineering people. Salesforce data. That's been obviously happening for months now. But some of that data is now starting to leak. Big news here in Australia where Qantas data on like 5.7 million customers or something, I'd be one of them, has leaked. But look, it's just. I mean, it's just mayhem out there, right?
B
Yeah, yeah, it really is. And the kind of stuff happening in so many directions. We've seen some new data leak sites coming up with data that previously we hadn't seen publicized, some arrests, some kind of doxing generally of Com kids. But yeah, it's a real mess out there.
A
Yes. So we've seen this FBI takedown of yet one more Breach Forums. Right. So it's Breach Forums, not Breached Forums. And I don't know if there's like 17 of these as well, as there were with Breach Forums. What do we know here?
B
So this was a leak site that was being set up to distribute data from Salesforce. They called it Breached Forums or Breach Forums, which I think is just at this point basically a running joke because it'll just confuse us poor pundits who have to talk about it. But they were going to stand up, Scattered Spider crew, the Com crew, whoever, were going to stand up a site to release a bunch of data. They'd set up a clear net and a dark website that got seized by the FBI. Well, at least taken over, you know, FBI seized banner put on top of. Looks like they had compromised the servers behind it because it was also the onion site. The dark website was also. Had been defaced, I guess defaced by law enforcement. Since then, the kids have, you know, kind of taken back the onion site. I think the, the clear web one, the domain is long gone. The registrar has pulled it or whatever. So, yeah, they were setting up the leaks and data got kind of gazumped by the FBI. And that may have set it back a little bit, but I'm sure we'll see the data come out nevertheless.
A
I mean, this is something that occurred to me when the news first broke here about the Qantas data leaking, which is that somewhere in government someone was signing a piece of paper authorizing ASD/AFP joint task forces or whatever to go and destroy that data. Right? Like search and destroy for large corpuses of data, you know, leaked in a country like Australia. Like that is going to result in shells getting popped. Like, that's, that's down to policy right now. And I just thought that, you know, that my mind went there immediately on hearing the news. I thought, you know, I just, I found that interesting.
B
Yeah, it's certainly like the world has changed a little bit around, you know, both data extortion and like, I guess the impact that has on the wider ransomware, you know, like locking things up for ransom. But, yeah, that kind of calculus is different than perhaps it would have been five or six years ago. And the idea that, you know, we see law enforcement, you know, showing up in leak sites and spooks in some cases, you know, going around and destroying data, like it's a, It's a interesting development. And, you know, well, see, I think it makes more.
A
I think it makes more sense than the other way around. Right. Like, I never thought it made sense that you would have. Like in the case of Qantas, it's a very important company that used to be, I think it was state owned right. At some point and then privatized. And, you know, it's a. It's a very big deal. And the idea that someone would steal heaps of customer data and just post it and the government would just go, ah, well, you know, what are you going to do? Like, that's the part that seemed crazy. So I think the idea that we've got authorities, like really actively, aggressively and quickly going after this sort of leak data, that's a good thing. But this isn't full release the hounds. And I don't think we need to go full release the hounds, because as you just alluded to then, you know, I kind of feel like this is a good news story in that so much of what's getting attention at the moment is around data extortion and not ransomware, which is just heaps more disruptive. I've said it on the show a bunch of times, like, I don't actually think this stuff is really a national security threat to the same degree. Like you look at a recent case, Land Rover, where ransomware was deployed. I think they're just starting to spin up their production again. Now there's a government loan facility, like a bailout of the entire supply chain for Land Rover. Like that stuff, national security threat, this stuff. I just sort of think, well, it sucks that a lot of this information is going to get out there. How widely it can be distributed, I think is still an open question, given how aggressively governments are now going after this sort of data to destroy it. So it will be circulated, but perhaps not really, really widely. And you just sort of think, I don't know. Do I dare suggest that we're in a better place?
B
I mean, it's, it's a. You absolutely could suggest it. Right. And that argument is kind of interesting because, you know, it clearly is less disruptive. I mean, you think about Colonial Pipeline, people, you know, filling plastic bags with.
A
Gasoline like Americans, Americans, you'd be crazy.
B
Clearly, having your, having your data stolen and leaked. It depends on what the data is, I guess, and how widely available it is. But straight off the bat, it's not immediately as disruptive. And I think the examples of, say, the Australian health insurer, that kind of data getting out there, that's a bit more impactful than your Qantas frequent flyer number. So there's a lot more nuance and kind of.
A
No, I understand that. But if you want to look at what can really impact. It's not like a hospital getting ransomware. I mean, think of how many hospitals were getting ransomware, ransomware. And I mean, I'm sure it's still happening, but you don't. I mean, come on, we're going through the news every day. We're not seeing as much of that anymore.
B
Yeah, no, I agree. There definitely does seem to be less significant disruption and, you know, more of this kind of data extortion. And I guess the question is like, does it make enough money to keep the criminals interested and stop them going off and doing something else, which may.
A
Apparently, from what I hear, they're making money hand over fist, which I kind of think again, is kind of good news. Right? Like, let's just keep them busy doing that, paying their bills, earning their fat stacks, doing something that is much less disruptive. I think if you're going to pick a cybercrime problem and your choice is this or ransomware. You pick this every day of the week.
B
Yeah, I mean I think like the harm minimisation approach. This is better.
A
Yeah, yeah, 100%. Now speaking of all of this data extortion, like I mentioned, that Clop was part of this right now. Clop, they used to do stuff like GoAnywhere, FTA, like file transfer appliances. Right. They developed bugs in a few of these things and then went out there stealing stuff. Seems like they're moving up into more serious categories of enterprise software, Adam. Good for them.
B
Yes, we've seen a campaign where they've been targeting Oracle E-Business Suite, which is a giant mess of software from Oracle. Honestly, despite having shelled it myself, I still don't really know what it does other than give you shells. But anyway, a bunch of businesses run this thing and it tends to be out quite often. You do see it Internet-facing and so yeah, Clop got hold of a zero-day in it and had been using it for I think a couple of months before Oracle patched it. They have now got some patches out. There was actually a second bug in the same piece of software that Oracle out-of-band patched, I think, was it end of last week. So you know, that's a piece of software that has a bunch of bugs in it anyway. Clop has been out there stealing data from it. You know, it's not. When you hit a file transfer server you kind of have some idea of what you're going to see, right? There's going to be data going from one organization to another and typically that data is going to have some business value. The kind of stuff you can steal from E-Biz varies wildly depending on what it is. So the question of how successful an exploitation campaign extorting people with this data will be, I guess we're going to find out because that's what they're doing. But it's a good time and I just personally really love it because you know, having shelled E-Biz myself, I have a real weak spot for it as a, you know, as a target because it's such a messy piece of software. Well, I'm always interested to see how other people do it, you know.
A
And speaking of, we got a write-up from watchTowr Labs about the bugs in E-Biz. Are these the bugs that are actually being exploited?
B
Yes, this was the bug chain that was being exploited. watchTowr found a proof of concept or an exploit in the wild that was being used and reverse engineered it and it's actually like, you know, four or five-ish kind of little bugs chained together. Essentially there's kind of two parts. One is there's a bug that lets you server-side request forgery from it. So have E-Biz make web requests on your behalf and then from that you can make requests back into itself and hit attack surface that isn't normally Internet-facing. And that exposes just like thousands of opportunities for doing things to it. And this particular chain then turns that into arbitrary code exec. And like E-Biz, like I'm not kidding when I say it's a mess. Like it's 14,000 JSP files in the web root, public-facing, and I think 86 is my recollection of how many servlets, Java servlets, there are that process data from the outside. And enumerating all of that attack surface, it took me weeks of making spreadsheets to figure out what endpoints you could reach and what they would give you. And then using a server-side request forgery bug to bounce into the internally exposed attack surface, there's probably another, you know, probably another order of magnitude of endpoints you can reach. So this bug chain did not surprise me in the slightest. I have plenty of pity for the people that actually worked it up because it's a horrible code base to work.
A
With, but so they're going to deserve their ill-gotten gains for having done the hard slog of actually working through the drudgery of constructing an Oracle E-Biz exploit.
B
Like it's, it's the making a working test environment that's the hard bit. Like setting up E-Biz took, I mean Pipes and I did it way back in the day and like it's a miserable journey and Pipes is a professional UNIX admin and he, you know, was struggling with that piece of trash. So yeah, I, I feel like whoever found this bug worked hard and probably deserved their extortion money.
A
So we got a great write-up on a bunch of this data extortion stuff from Krebs on Security. Brian Krebs has done a great write-up, so we've linked through to that. But you know there's been some pretty big names taken down through all of this, including Red Hat, who I think got one of their GitLab instances popped, and we've got Discord user data as well. Like that's Com adjacent. So yeah, the kids are going a little bit crazy right now. And you know the Qantas stuff, as I mentioned, it's making news here. I think the government, the transport minister was like, oh, you know, I think there was like some social engineering involved at a Philippine call center in the Philippines. And they're like, well, you can outsource your call centers, but you can't escape accountability from the law. You know, so obviously anything involving Qantas, like people are going to expect them to get whacked with a stick. I'm not sure that that's entirely fair given everyone seems to be getting owned this way. But I don't know, a bit of, you know, busting out the stick. Obviously not the, not the worst thing, not the worst thing that's ever that could happen in this situation. But let's move on to some other topics now. And we've got a report here from us, from Catalin Cimpanu's newsletter looking at some 0-day attacks against the like legacy IE mode in Edge that apparently people are exploiting. Now this isn't a function that is enabled by default in Edge. I mean really what this IE mode is, is like when they shipped Edge, which uses like the Chrome engine, basically it broke a lot of enterprise apps where they needed IE to work. So Microsoft enables you to basically run the IE rendering engine inside Edge and that's what people are attacking. No surprises there. Like, like it's just crazy to me that we've got this much better browser and it's like, okay, just ship a crap vulnerable mode for backwards compatibility purposes, but very on brand for Microsoft.
But what do we know about this? Like, are the attackers targeting people who just, they know are using this mode or is there some other exploit which turns the mode on? Like, how does this work?
B
So this is a combination of like social engineering people to trigger their IE compatibility mode. So they send you to a website and say like to, you know, to log in, you have to reopen this in IE mode. So there's a social engineering aspect. And then once it reopens in IE mode, they're actually using a zero-day in the IE engine. Like honest to God, like memory corruption.
A
Yeah, but like, I, like, I don't know, that's not a big statement anymore, I guess. Is it like in the IE engine? Are you surprised that someone could find 0-day in the IE code base which is now like deprecated and ancient?
B
I mean, I'm not surprised. It's just like it's a niche bug off the side of a niche bug, I guess, or a niche environment. So like the fact that someone would go to that effort. But I guess as you point out, right, bugs in it are probably pretty easy to come by.
A
Well, it's easier than finding one in the Chrome engine that underpins Edge. Right. Like I'm giving them points for this. This is clever.
B
And then I believe Microsoft, instead of just patching the IE ActiveX control or whatever it is, whatever kind of component they use to embed IE into, into Edge, they've made the process of turning on IE mode a bunch more onerous. So now you have to go into settings, turn on the overall feature of being able to use IE mode at all, restart your browser completely, and then add sites that you want to use this mode into a specific allow list. So a bunch more hoops to jump through. And hopefully the people who are being socially engineered to do this will have a little bit of pause as they go through that process. Although, who am I kidding? Of course not. They'll just make better social engineering lures. I mean, you know, given that we social engineer people to like open the Windows Run dialog and paste PowerShell in, I guess we can, you know, convince people to open IE mode. But yeah, like, honestly, I think this is one of those, like you just do got to hand it to them. I mean, like your real browser is too hard. Why not turn on IE and attack that instead?
A
So, yeah, I mean it's, yeah, it's great, it's clever, it is pretty cool. Now a couple of teenagers have been arrested in England for attacking like what, like a preschool, like a British nursery school chain called Kido, and they were like doxxing little kids.
B
Yeah. So this was, these are Com adjacent kids. They hacked this, you know, chain, I think of, of nurseries. They stole personal data of children and their parents and then they stood up a like onion leak site to try and extort the company and they had some sample data of children and they had like pictures of children and their caregivers and details and address details and stuff. And even amongst cybercriminals there was a bit of like, what are you even doing? And they redacted the data. They pulled the leak site down and claimed that they had deleted it all after the amount of blowback. They got both, you know, from the general public, but even, as you say, amongst the, amongst the wider cybercrime underground. But yeah, they've been arrested as a pair of 17 year olds from England. And I don't think they're going to have a great time, even though they're only 17, going through the British justice system here for this.
A
No. And I mean most people, I'm guessing, would be aware that people who harm children do not have a particularly nice time in prison. They in fact, have a very, very dangerous time in prison. I'm not sure whether this would rise to that level of placing them in danger if they were to be incarcerated. But. Yeah, just scummy, isn't it?
B
Yeah, yeah. Really, really gross.
A
Yeah. Now, let's turn our attention to the high functioning United States government for a moment, Adam. And apparently Army General William Hartman, who is currently running US Cyber Command and National Security Agency, is not going to be nominated for the permanent position. Now, this guy's been in an acting position since Tim Haugh and his deputy were given the heave-ho by Trump because of something Laura Loomer said. I don't know. I was like, how do you even track this? But, you know, currently it looks like NSA and Cyber Command is still without a leader.
B
Yeah. And I think as a result of this, he's probably going to resign because, like, clearly he has no future in the job if they're not willing to nominate him to do it permanently. And yeah, the, you know, some of the scuttlebutt has been like, maybe this will cause a rethink of the, you know, the, the idea of canning dual hattery. Because it seemed like the White House sort of accepted that they were going to have to live with dual hat even if they weren't super happy about it. And, you know, but who even knows? It's such a mess and, you know, how far into the term are we. And they still don't have a leader for, you know, a long term, you know, leader for this real key part of their, you know, intelligence function. So.
A
Yeah, well, the alarming, the alarming bit is if they do end dual hat, they can put someone in charge of NSA who's a civilian, you know, and that's the thing that's got a few people a little bit, like, because at the moment, because it's dual-hatted, because Cyber Command's military. It's gotta be someone from the military, right? Not, you know, like, what podcaster are they gonna find to run the NSA? Oh, hang on. Maybe we just gotta start talking up Trump, you know, talk about how great he is. And maybe you and me, you know, we're Five Eyes, we're not Americans. Maybe we could go run.
B
Special exchange program or something. Yeah, that'd be.
A
Yeah.
B
Oh, dear. Oh, dear. I, you know, become fun.
A
But I don't think running NSA would be fun at all, actually. I mean, I think that'd be a horrible job if I'm honest. But look, staying with the US Government now, and there's been a whole bunch of more layoffs at CISA after the government has been shut down. One of the things the government appears to be doing, too, is reassigning people to new jobs, like sort of making their positions redundant and like, reassigning them to different jobs at DHS in, like, different cities across the country, basically kind of engineering a situation where these people are going to resign. But look, from everything I've heard, and it's not something I've spoken about a great deal on the show, from everything I've heard, the situation at CISA has just got worse and worse and worse. And there's people I've spoken to who were working with them on various initiatives or programs, and they're like, look, everyone we were working with is gone. You know, leadership's all resigned. Like, he's, he's, it's, it's. The agency's getting killed. It really looks like they're getting killed.
B
Yeah, and it's just kind of, it's, it's sad because that kind of centralized, coordinated leadership for cyber was a thing the US really needed. And then the fact that it's being, you know, kind of sacrificed on the altar of, well, they had to do election security and Trump didn't like the election. It just, yeah, it's pretty, pretty horrible to watch. And as you said, there are so many good people who worked there, you know, in the past or still, probably still work there now, some of them. And so much important work to be done. And it's just all, it's all disappearing, you know, and that kind of leadership in the space is just evaporating. All that work down the drain.
A
Well, and funnily enough, CISA was an agency that was stood up under Trump in his first term, so he createth, he destroyeth, you know, the whims of America's king. And, you know, speaking, speaking of Trump, you know, we're not going to turn this into a Trump bashing podcast, people, don't worry. But this is pretty funny. You know, we had the big Signalgate thing where Pete Hegseth was, you know, texting sensitive information to journalists, adding journalists to war planning group chats. That was pretty lol. Now we've got Trump. He accidentally. So there was this weird thing that happened, I think it was a week or two ago, a couple of weeks ago now, where he, he did this post on Truth Social to Pam Bondi, the Attorney General, saying, you gotta, you know, you gotta lay charges against James Comey and all these other people. Like, where's the action? We're no talk. We're all action. You've got to get on top of this. And then it was deleted and then it was reposted and people were like, was that supposed to be a DM? And it turns out subsequent reporting says yes, indeed. Trump had intended just to direct message the Attorney General instructing them to prosecute people he didn't like. And he did this in the open by accident, which is pretty funny. Now look, it's very hard in the United States to fight a charge by claiming that it's a vindictive prosecution. But I'm guessing this is going to help James Comey.
B
It does kind of feel that way. And I mean, like all the people who've complained about Mastodon DMs being difficult to understand, you know, when you're DMing and when you're messaging, like, turns out it's not just, not just the Mastodon social network. Apparently it's difficult everywhere. And there's also the bit where like, you know, he's really carrying out the business of government via Truth Social. I mean, I thought we were supposed to have, you know, more sensible ways to, you know, instruct officials to do things or whatever else, more record keeping, et cetera, et cetera. But no, like, well, they tried using Signal.
A
They tried using Signal, that didn't work out.
B
I wonder if there's a Truth Social intercept module for the, the same Israeli company that did the Signal one.
A
Oh dear, dear, oh dear. Now we got some action on scam compounds at the moment. Some head of a Cambodian like conglomerate is in trouble and like $15 billion of Bitcoin has been seized from the chairman of this conglomerate. Like, what's going on here?
B
Yeah, so this was a company, a big conglomerate of organizations that were running, amongst other things, scam compounds in Cambodia. They also have, you know, hotels and casinos and all sorts of other kind of aspects of the wider business. But yeah, they were one of the companies that's behind it. They were also laundering proceeds from the scam compounds through bitcoin mining. So that's why there was $15 billion worth of Bitcoin here, is because they were buying mining equipment with the ill-gotten gains to then launder it by mining bitcoin. Net result is we've now got sanctions from US gov, a bunch of other stuff relating to, you know, from other countries other than the U.S., you know, blacklisting some of these organizations out of the banking system. Bunch of bitcoin being seized. So, you know, there's, we've seen some previous similar work against, I think Huione Guarantee was one of the other big Cambodian players here. But of course these are, you know, organizations that are so big that they've captured the local government or in some cases are, you know, the same family or the same people that run, you know, their own political power there. So it's all pretty complicated. And I imagine inside Cambodia there will be some fallout for this. As to whether anyone will actually see justice, I don't know.
A
Well, but you remember me pointing out that between Cambodia, Laos and Myanmar, these scam compounds represent something like 40% of their combined GDP.
B
Yeah. Yes. Yeah, it's really significant.
A
You're gonna get corruption in a situation like that because it's 40% of all economic activity in the region across those three countries. So of course you're going to get, you know, large scale enterprises like these getting in on the action. And of course they're going to be paying off the right people in the government so they don't get in trouble. Like that is just absolutely how this stuff goes. And meanwhile, the US Congress is standing up a committee. Well, a US Congressional committee is investigating Starlink over it providing access to these scam compounds because of course, when the authorities there did try cutting off a bunch of these compounds, you know, and this would be a part of the, of the governments there unaffected by the corruption or maybe just not being paid enough. Right. So they have a situation where they're cutting off their Internet access and their electricity and stuff. You know, the scam compounds have survived this and one of the ways they've survived this, you know, obviously you can stand up diesel generator, solar generator, you know, solar power, whatever. But for Internet access they went Starlink, you know, and Starlink just seems to be the, the access of choice for these criminal organizations. And this, you know, this congressional committee is going to take a look at that and I think that's a good idea.
B
Yeah, yeah, I think so. I mean, some of the pictures we've seen of the compounds and like, you know, drone photographs and stuff, you see them, the, the roofs festooned with Starlink dishes to try and get enough capacity into their, their previous attempts at like, you know, buying mobile access across the border. Because some of these scam compounds are like, right on the border with Thailand, for example. So they'll buy mobile service out of Thailand and just take the SIM cards across the river or string fiber across the river or whatever else. Starlink just gives them a degree of independence from, you know, being tethered to their immediate neighbours. It does seem like SpaceX doesn't, you know, hasn't been particularly responding much to, you know, complaints from people about this particular use of Starlink. Whether they get attention, you know, whether they will pay attention to this particular one, I guess. I mean obviously US government, you know, is pretty important for SpaceX so they can't really just completely ignore it. But whether there's the political will to go and, you know, smack SpaceX around the nose with a rolled-up newspaper, we don't really know.
A
Yeah, well I keep seeing the U.S. Congress referred to as the American doomer at the moment. Right. So it's, I don't know how much clout it's actually got but this is apparently the Joint Economic Committee. They're taking a look in at this. We've got some quotes in here. You know, former California. This is a Guardian piece. Former California prosecutor Erin West, who now heads the Operation Shamrock group campaigning against the centers, said it is abhorrent that an American company is enabling this to happen. I happen to agree with that. It's something I've mentioned on the show before but I had, there was a, there was a problem with the Internet access in my area over a period of a few months, just weather damage basically. And I had to use Starlink for a period of like two and a half, three months while I had some enterprise fiber trenched in basically. So that took a while. And every second website when I was using Starlink was a captcha. Right. Every second, every second website was a captcha. Which gives you an indication of like the level of abuse that must be happening on the Starlink network.
B
Yeah.
A
Where you can't even access, you know, Freddy's blog without having to jump through hoops because they want to make sure that you're not, you know, trying to, trying to own them or scam them. Right. So I, I just think they've, you know, Starlink is a bit of a cesspit.
B
Yeah, yeah. And I mean that network's only going to get bigger and get more capacity and more ways of accessing it and it's only going to get worse.
A
Yeah. Now staying with satellites and we've got some excellent work here. So this is some academic research, Right. Where they just stuck up a cheap satellite dish and started sniffing and reverse engineering protocols and seeing what they could see and it was a lot more than you would expect.
B
Yeah, yeah. This was a pretty interesting project where, you know, they pointed a satellite dish up to geostationary orbit. I think over the course of a couple of years, just kind of repointed it and sniffed, left, you know, all of the satellites that they could see from San Diego, I think where they were. And a surprising amount is still unencrypted. You know, obviously there's a lot of broadcast stuff over satellites that doesn't, you know, like TV shows and movies and.
A
So on that I knew people who used to, who used to pirate like movies because they would be sent via satellite beamed into Australia and they could just like grab them off their rooftops and stuff like before they were out. Pretty cool, but obviously not so much anymore. But yeah.
B
So these guys basically put together the software to decode all of the various ways that you can stick Internet IP protocol stuff inside satellite communications and then sniffed a bunch and then found some interesting things. Like for example, there was the US cell carrier T-Mobile backhauling a bunch of mobile network calls and text messages between cell sites, presumably cell sites that are in like very difficult to get to locations that don't necessarily have fiber in the ground or whatever. But yeah, they were able to get clear text phone calls and text messages off the, off the backhaul. They saw, I think, a telco in Mexico doing a similar kind of thing where one vendor appears to have misconfigured their satellite equipment and was sending it in the clear. Military comms, you know, local emergency services comms, in-flight Wi-Fi from planes, which Internet traffic is kind of less of a problem here because like most Internet is TLS these days. So like sniffing a backhaul connection there is less exciting than it once was. But yeah, it's just kind of funny how much stuff is still in the clear. And yeah, they put the software on GitHub. So, you know, if you've got a spare satellite dish hanging around and want to go point it at the sky and see what falls out on top of you, then yeah, a great pastime.
A
Now, not technically cyber security, but there's so much intrigue and crazy stuff happening right now when it comes to semiconductors and chips that I just thought I wanted to mention this story. A lot of people would have heard about it already, but the Dutch have invoked special powers against a company called Nexperia, which is a semiconductor company which is Chinese owned but based in the Netherlands. And the story seems to be that they were doing a bunch of really shady divestitures and whatnot and trying to grab as much intellectual property as they could and repatriate that to China, which has actually caused the Dutch government to essentially functionally nationalise the business, which is an activity or an action that you would normally associate more with the Chinese Communist Party than with the Dutch government. But, you know, we know that the Dutch have a pretty good, you know, intelligence apparatus and intelligence community and I'm guessing there is something real behind this. But this comes, of course, as China is moving to restrict rare earth, rare earth exports to the West and we've got, you know, America trying to restrict semiconductor exports to China and it's all, you know, it's all spilling over, it's all going a bit crazy. I think we're going to start seeing some very focused Chinese cyber espionage targeting semiconductors. I mean, we have been seeing that already for quite some time, but I have a feeling that it's about to kick up a notch, shall we say?
B
Yeah, yeah, this was quite interesting because it does, as you say, it's not necessarily the thing you would expect a Western government to be doing, but, you know, there are reasons, but I'm sure they have their reasons for doing it. The thing that I wanted to point out about the story, which is, I guess it's not 100% cyber, but. So Nexperia is a spin off out of NXP, which was itself a spin off out of Philips. So Philips in the Netherlands spun off its, like, semiconductor business as NXP. Nexperia is a subunit of NXP. It was about a third of the company, maybe a quarter of it, that makes like discrete logic stuff, so like MOSFETs and things like that. So it's not the. Not NXP, the like big integrated circuit semiconductor, it's more discrete electronic semiconductors, I guess, but still a pretty big deal. And as you say, there is plenty of intellectual property there that the Chinese will be interested in hoovering up and, and this kind of geopolitical. Like the fact that there are factories and people and places like that exist in the real world that can be controlled by their host governments is a thing that we're going to have to factor into how we do business on the Internet and how we work in the technology world. Because it's not all just bits and bytes on the Internet, right? Some of it's physical plant and equipment and factories and all that kind of stuff. That's, you know, we're going to see things get nationalized and stuff get kind of weird.
A
Yeah, yeah, 100% things are getting weird. Speaking of weird deals and weird things going on, NSO Group has been bought by U.S. investors. And what's stunning about this is not the fact that it's been acquired by U.S. investors. Like, I think at this point, like, that's a good thing. You want a company like, you know, like NSO Group being subject to oversight of a company of a country like the United States. That puts us in a, in a good position. What's crazy here though is the price that they mention in here is like, oh, they, they parted with tens of millions of dollars. And I'm thinking, didn't this company used to have a unicorn valuation like of over a billion dollars? Which made me think, wow, these sanctions and the actions against NSO Group, if this is the case, if this is being accurately reported, then those sanctions really worked.
B
Yeah, I think the numbers we saw was like back in 2019, I think was around, around a billion dollars. When they were flogging it off, I think was. Was it Francisco Partners that bought it was like some private equity firm that bought it and then subsequently sold it. Again, like around that point it was valued at a billion. So if it is, as you know, reported here and like the reporting on the numbers here is pretty thin, but tens of millions is what we saw. Also, funnily enough, appears to be bought by a group of people led by a Hollywood producer.
A
He was there and you told me he's the guy who produced Happy Gilmore.
B
Yes, yeah, the guy who produced Happy Gilmore, amongst other things. He was also behind a deal to acquire it, I think a couple of years back. So I don't know what the, what the tie in there, like why, you know, why mobile phone exploits and Hollywood producers are a thing that go together. But, you know, for whatever reason, can't.
A
Wait for the movie.
B
I mean, maybe that's the best. Maybe it's just movie rights. Maybe that's the villains. The movie rights for, for NSO Group. I think I'd watch that. So. But yeah, definitely, like that's a, that's a lot of valuation gone. If it's true.
A
Yeah, 100%. And speaking of those sort of bugs, Apple is doing like more crazy numbers for its bug bounty program. Apparently $2 million rewards for very dangerous exploits. And I think full chains for iPhone could go up to like 5 million bucks.
B
Yeah, I think if you've got like a full chain against Lockdown Mode, you know, zero click remote code exec, I think the number may be as much as 5 million bucks.
A
It's worth more than that.
B
It's honestly, probably it's worth more than that.
A
Like if you could get a Lockdown Mode bypass. I mean what I'm interested in though is memory, the Memory Integrity Enforcement stuff. Like a bypass of that you would think would be worth an awful lot. You know, everyone's working on that at the moment.
B
Well, yeah, exactly. Right. Because they've, you know, Apple certainly, you know, do make it pretty difficult for people in that line of work. And you know, the sort of, the, the days when one researcher can show up and have a bug chain that's going to do all the things necessary to make that kind of money, you have to sell it to Apple for a couple of million bucks. Like that day has passed. I think there's not very many single people that are going to be able to do that work end to end. Like you're talking whole teams and at that point 2, 3, 4, 5 million doesn't go particularly far when you're having to pay what it costs to do that work.
A
When there's a team of 10 highly specialized, experienced exploit developers. Yeah, and that's going to, yeah, it's funny, right? Like I support this. I think it's a good thing to do. I think it's also putting your money where your mouth is. It's a good signal to say we stand behind our product. But I can't imagine this is going to change much. You know, like I don't know where there's a situation where people have got this bug chain and they give it to Apple. Like that bug chain just doesn't come into existence outside the sort of defense space. It just doesn't anymore.
B
Yeah, yeah, exactly. It's not like one researcher at a university is going to stumble across the sweetest bug and get paid 2 million bucks. Like it's, that's just not how it works anymore for Apple bugs. Maybe for other platforms that is the case. The Oracle bugs, no problem, everyone can do that.
A
Maybe what you need to do is get a job for one of these companies, steal their exploit chain, sell it to Apple and then move to Belize.
B
That would also work. That's probably the easiest way to go about getting it. Although not that we would advocate for that. But yeah, I don't think Apple has got like a huge war chest and they're planning on paying out many, many, many, many five million dollar bounties.
A
No, no, but they will still pay top dollar for bugs that aren't like end to end, you know, fully weaponized, whatever. So no, it's good. I like, I support it. I just, as I say I don't, you know, you see the headlines, oh wow, Apple's going to pay so much for these. And it's like, well, no one's, no one's doing them for the bug bounties. Like, yeah, that's. They're doing it because it's their job, man. They've been working on getting this chain working for like, you know, a year and a half with 10 other people. Like, it's. Anyway, now we mentioned at the top of the show that there's a bunch of bugs. Let's get into the first one and here with Redis. And this is something that I didn't really like. I know the name, but I don't really know what it is. And you're very excited about this bug. Walk us through it, Adam.
C
Sorry.
B
Redis is like an in-memory key value database and it's used by lots of like web apps, like cloud services and things, to just kind of like store little snippets of values that it needs rapid access to for things like caching and like managing access to longer, you know, data that takes a longer time to retrieve or whatever else. Anyway, it is widely deployed and this particular bug is a CVSS 10 out of 10. And it's a bug that's been in the code base basically since the beginning or something like 13 years. It's a use after free in the Lua sandbox runtime. So Redis lets you write queries in Lua which is run inside an embedded Lua scripting environment in the Redis runtime. And this lets you escape out of that and then onwards into the system that's running it. This is a bug that basically if you can talk to Redis, you can code exec it. And most people don't have, or many deployments of Redis don't use authentication. Indeed, the official containers provided by Redis don't have auth. So yeah, this is a bug that's going to get a lot of interesting things quite owned. And yeah, I saw the headline like, oh yeah, it's going to be a fun time.
A
Yeah, so that's work out of Wiz, apparently. This stuff, as you mentioned, it's just bloody everywhere. I can imagine too that it's included with a lot of things and used in a lot of services where you might not even know that it's, you know. So it's probably a long tail thing as well, would you think?
B
I think so, yes. Yeah, yeah. And certainly also inside many environments. So you've got a like server-side request forgery or you've got somewhere to make requests from inside an environment, there's going to be lots of no auth Redis and you can turn this into code exec. So good time.
A
Yeah. Now, a while ago we spoke about this brute force campaign against SonicWall customers. So anyone who was using like their cloud backup service and whatever, like they would have had their configs being obtained via a brute force attack that SonicWall just didn't detect. They didn't have like lockouts for failed logins, they didn't have brute force detection, like really bad. And it's got so bad for them that at this point, you know, I'm looking at a story here by Matt Kapko over at CyberScoop and they're describing SonicWall as a besieged vendor, which when journalists are writing besieged next to your name, usually not exactly.
B
Yeah. So it turns out that SonicWall's cloud backup. So it's like their MySonicWall or whatever it is that stored your SonicWall configs. All of the customers had their config stolen.
A
Everyone who was using the cloud backup.
B
Service, everyone who was using the cloud backup service that they provided. Those config files include hashed credentials and it looks like someone has been cracking those back into cleartext and then using them to log into people's SonicWalls and in some cases pivot onwards into corporate environments or wherever, you know, whatever's on the network around the SonicWalls and do other manner, you know, other sorts of crimes to them. So that's not a great look when your firewall vendor is getting compromised and even worse when it's, you know, they show up with credentials that they stole from, you know, the company that made your firewall in the first place. So womp, womp.
A
I mean, one of my favorite. And look, I might be getting the details wrong, we'll have to fact check this in post, but one of the Phineas Fisher attacks, I think it was, and I don't know that it was ever properly reported, but I've been hearing things, right. I think it was Hacking Team, they were using a SonicWall and I think the Phineas Fisher crew owned it and then reflashed it with all of their own tools and were like using the SonicWall as their, like, you know, network dropbox, which was pretty crazy.
B
That sounds familiar. I'm pretty sure. Yeah, I think I. Yeah, that rings a bell.
A
So yes, and it's like that was like 10 years ago, you know what I mean? And things haven't gotten better. We also saw a couple bugs in the CrowdStrike like Falcon sensor. Apparently these bugs were reported to them through the bug bounty program. Looks like they were used. You could use them to, like, delete files if you already had, like, local user code execution on the box. So not the end of the world, but could be used as a bypass bug in certain circumstances. The funny thing is, though, I saw CrowdStrike were catching a bit of heat online for consistently referring in their advisory to these vulnerabilities as issues. So they're not. They're not vulnerabilities. They're issues, too. We've patched two issues. You know, I think the only time they use the word vulnerability in the synopsis is when they talk about how they used industry best practices for coordinated vulnerability disclosure. But it did feel a little bit like PR had stepped on this advisory, didn't it?
B
Yeah, yeah, I guess a little bit. And, you know, you do, you know, you don't want bugs in your, you know, intrusion detection, like, you know, endpoint security product. That's not ideal for them. But yeah, these weren't super serious bugs. But one of them was a time-of-check, time-of-use bug in, like, symlink handling that maybe you could use to delete files. I think the other was a, like, signature validation issue with something. So, yeah, if you have local access and you want to bypass Falcon, then maybe these would have been useful tools to have. But yeah, it's still pretty funny when they get, you know, beaten on by marketing for just calling them a vulnerability.
A
Yeah, I mean, I can't. I honestly, I'm surprised that we don't see more vulnerabilities being reported in stuff like EDR because it's complicated software. It has to do an awful lot. It's got parsers everywhere. And you just sort of think, why are they not. Why is it not raining shells out of CrowdStrike, SentinelOne, Defender? But I guess, you know, carefully constructed code bases, I would imagine would be.
B
Yeah, I guess they take a, you know, they process a lot of nasty input and so they probably catch crashes pretty quick. They've got the plumbing in place, you know, for doing that. So. But yeah, it is surprising how much, given how much work they do, how few bugs we see.
A
Yeah, it is, it is. Now, last bug story this week is ZDI, the Zero Day Initiative. They are mad as hell and they're not going to take it anymore. Adam?
B
Yes. They've dropped 13 advisories describing bugs in Ivanti Endpoint Manager. Now, in their defense, 11 of those bugs are SQL injection, but they're SQL injection that could go places, like it's not idle SQL injection, and then a couple of others that Ivanti haven't fixed. Essentially, Ivanti asked for an extension on the disclosure date. And these are bugs from the beginning of the year or late last year. And Ivanti is just like, no, we're just going to drop this. These. Sorry, ZDI, it's like, we're just going to drop these and Ivanti is going to have to deal. And yeah, Ivanti is, I guess, pretty experienced at just having to deal with horrible bugs in their products. So. One thing I did want to say about Ivanti, though. So the Ivanti code base, I didn't realize this, but it is actually begat from LANDESK, which was acquired by Intel in 1991, originally founded as LAN Systems in 1985. And this endpoint management product is essentially code from the 90s from Intel, which was then eventually spun off into private equity and blah, blah, blah. And so if you're ever wondering why there are so many bugs in Ivanti products, this particular product at least. Yeah, it's just LANDESK. Wow.
A
Yeah. I mean, that software is older than. Probably a substantial part of our audience.
B
Yes, yes.
A
Which is pretty crazy. I was thinking back, like, what was I doing in 91, you know what I mean? And I was around in 91. I was a teenager, you know, you too, probably, but crazy, man, crazy. And we're just gonna, we're gonna wrap it up. But we gotta mention too, happy Windows 10 end-of-life day. Right. Because it's October 14th as we record this in the United States. October 15th here. But that's it, man. No more Win 10. And look again to feel old. Win 10 still kind of feels like the new one.
B
Yeah, it is. Yeah, it does. It feels like the new Windows is dead already. There are extended updates, so you can go and pay Microsoft for the privilege. I think in the European Union there's some exception where you get it for free because they decided it was anti-competitive to make you pay for security fixes. But everybody else, I think we do have to pay. You can of course also update to Windows 11. Good luck with that. Have fun.
A
Yeah, I don't know if that's for corporate users or just end users, but. Yeah, I remember we covered something on that in the bulletin a while ago. Yeah.
B
Yeah.
A
Crazy times, man. All right, that is it for this week's news. Adam, thank you so much for joining me and I look forward to chatting to you again next week.
B
Yeah, thanks much, Pat. I will talk to you then.
A
That was Adam Boileau there with the check of the week's security news. Big thanks to him for that. It is time for this week's sponsor interview now with Mike Wiacek from Stairwell. And Stairwell really started off as a platform, a file based threat hunting platform. I think I used to describe it as like NDR but for files. The idea being that every single executable file in your environment you sort of would, would find a way to plumb that through to the Stairwell platform. And then if something turned out to be malware, you could very quickly, you know, do some really cool threat hunting, you know, pivot around similar files, things like that. But generally it's just a really good thing to have access to as well, which is a corpus of all of the files in your network and knowing where they are. So you can do things like show me the 10 least common executables in my environment. You're going to find interesting stuff doing that. But Stairwell also has another big use case which is becoming more and more popular. And that's what Mike is here to talk about. Today they are offering Stairwell analysis of binaries through an API. So people are using this for SIEM enrichment much like they would, much like they would use VirusTotal. But Mike thinks they've got the edge in a few ways and he joined me to talk through all of that. Here he is.
C
We built a platform with Stairwell that was ingesting and is ingesting all of the executables, files and scripts from all the machines in an enterprise, storing them in perpetuity and then constantly reevaluating, you know, their disposition, good or bad, in light of the best available information. And it's a, it's a really powerful process. But the challenge is it doesn't fit into the workflow of what most SOCs are doing on a day by day basis. Like they're consuming the alerts natively from their EDR or, you know, if anyone's still using AV, from their AV. And we're sitting on all of this, this gold mine of data. And the idea was how do we get that value into people to save them time? How do we get that value to them to save them? The efficiencies of dealing with false positives and actually tackling a really unspoken about part of the detection response ecosystem, which is a false negative, like what is a false negative rate in an enterprise? And many enterprises simply don't know because the tools that they're relying on to detect something is the thing that's responsible for detecting it in the first place. And there is no second guess there. So as we're collecting files, we're able to apply perfect hindsight over them. So with the evolution of AI, we sat down and said, how can we leverage AI to solve two of these problems? How do we take something that's really hard and make it easy, but then also fit into the workflows? So one of the things that we've been building is integrations with SIEMs out there. We have a Chronicle integration and a Splunk ES Cloud integration right now that if an enterprise is collecting files from their endpoints and storing them in Stairwell, or even if they're not, because we're ingesting about a million pieces of malware a day from a bunch of different sources, we're able to take that corpus of knowledge we have and enrich it with information nobody else can.
And that becomes really, really powerful for saving time, eliminating false positives, finding false negatives, and moving the needle where you need to move it on the cases that you need to move it.
A
I think it's probably worth pointing out that back when you worked at Google, you were kind of responsible at one point for VirusTotal at Google and then you were part of the whole Chronicle thing, which is now. I don't even know what's it called now.
C
I think it's Google SecOps, but it's still Chronicle as a product name. But in the umbrella I think it's called Google Sec.
A
Yeah, because originally it was Chronicle backstory. Chronicle was the company, backstory was the product. Then they changed the name of the company like Google SecOps and now the product is Chronicle, not the company. Is that right?
C
Yeah, it's gone full circle, I believe.
A
Yeah, yeah, yeah, yeah. So there we go. So you know, you back in the day working at Google were responsible for VirusTotal, came out to build this sort of file based threat hunt platform. And then you've wound up collecting so many files as a result of building this file based threat hunt platform that you've kind of wound up building a different VirusTotal again. I mean that's kind of where we are. Right? But now it's like an AI enabled VirusTotal.
C
It is. And it's got. The key thing is the key differentiator in my book is it's got visibility into the enterprise. So if you think about it, if you look up a hash in VirusTotal and that hash is not there because it's unique to one of your systems, it doesn't help you, versus with us, because we really do want to straddle that line of collecting a lot of malware out in the outside world, but then also collecting it from within the enterprise. Anything you look up that was on one of your endpoints will be inside of Stairwell. And then we can help bridge the world automatically to what is that connected to in the outside world. And all of that stays private. So what you upload into Stairwell is not shared publicly. It's not available to anyone else. And that allows an enterprise to make use of all of that scanning infrastructure, all of the intelligence and all of that, the data, while actually enriching it with a collective universe of external information.
A
Yeah, right. So you've already walked me through before we got recording. You showed me a little bit of a demo of the integration with Google's Chronicle SIEM thing, which looks pretty cool. You do also get. So you're getting the typical AI summary of like, well, you know, this driver file is weird because it's smaller than a real driver should be and it does these things and you know, so you're getting those full analyses, but you're also getting importantly that numerical score, which is the likelihood that something is malicious. So you can make a quick determination in a sort of SIEM workflow. I mean, that's the thinking here, right?
C
Yeah, definitely. You get a. It generates when you give it a file. And the cool thing is it works on executables, it works on DLLs and stuff that is not a Python or a PowerShell script, which is where a lot of.
A
Yeah, so it's not just a script that's like easily readable by a machine. It's like you can actually do, you know, AI based binary analysis, for example.
C
Exactly. And it's not there to be a reverse engineer either. It's there to give a SOC analyst like a high level of confidence. Is this good or bad? Should I spend my time on it? And if it is bad, why? Right, so we give a, you know, a few sentences that describes what the TLDR of the file analysis is, and then we give a likelihood score out of 100% and a confidence score out of 100%. And simply getting that attached to every alert you're getting from an EDR as an independent opinion enriched with it. So we may come back and say, hey, this file is bad. It's a suspicious driver for these reasons. It's also a variant of something connected to this report that pick your vendor here, Palo Alto Unit 42 wrote about six weeks ago and blah, blah, blah. And you can connect all these dots together.
A
Yeah, there's all that sort of OSINT enrichment as well, right?
C
Exactly. So you're combining all of that. We're sitting on 2 trillion passive DNS records in the platform. So as some of the engineering matures, you're getting the benefit of, oh, this thing is talking to a host name we've never seen before. But that host name was seen resolving to this previous IP address, which was resolved to this other bad host name. And you can walk that tree, which is what manual threat intel folks do. But now you've automated that operationally in the SOC, and a Tier 1 SOC analyst gets the value of the output of all of that.
A
You just mentioned earlier that even when it's a unique file that you don't already have in the system, it can give you some sort of determination as to whether or not it's malicious. And you're using AI to do this. But I'd imagine what you're doing like a sandbox analysis that the LLM then interprets. Why don't you walk me through just the flow there of how that actual analysis works? Because I know you've got all of this data around what malicious files are up to, but how you were then extracting the features from a fresh binary to compare it against that corpus of data that you already have. I'm just curious what the actual workflow is there for the LLM.
C
Every file that we ingest goes through dozens of different. We call them scanners. You can think of them as feature extractors. Sometimes a feature extractor extracts nothing from a particular file. It's only looking for information from, say, PDFs, and you've given me a Mach-O file or something along those lines. But they get run through all of them, they all extract it. All that information is indexed and stored in a giant, giant database. And that is then used to help understand what features are bespoke or very common within a particular file. And then when you give me a file, we run that analysis on that file again, find anything that has overlap with it, and then walk that process recursively. So we're kind of looking for, you know, think something simple like the import hash of this file is shared with known malware. That's a flag on it. What else can we go from? DNS, historic DNS resolutions. YARA rule matches. YARA rule overlap. One of the really key features here is a. It's a feature we call prevalence. So what is the prevalence of this exact file within your environment, and what is the prevalence of that file across all of the environments that we are deployed at? That gives us an idea for, you know, a statistical reputation of a particular thing. We can even go even further, right? Like if this file is called notepad.exe, but that is a distinct, unique copy of notepad.exe in the universe of everything we've ever seen. That becomes like features that you can actually go in and work with all of that. We then go over and we then heuristically look for interesting portions of the raw binary itself. Like you think about structural data like import tables or function names or debug strings and all that type of stuff. All of that goes in.
So we end up, when we generate a prompt, we're pulling in from six years over a petabyte of data in the system, storing it, cross referencing it, and then using generative AI to go over and then summarize that report and then give you a concise thing. This is what this thing looks like. This is why this is this confidence score and this is the likelihood it's malicious.
A
No, that all makes sense. But I got to ask, like, say you're a, you're a SOC operator, right? You're sitting there, you're pretty happy with VT, you've been using it forever. You know, why change? What's the case for changing to a. I mean, look, I think the case you've given us about, you know, it's a unique file, sure. But like, at most places, their answer to that would be to throw that unique file into a sandbox when VT comes back with a shrug, right? So beyond that, what's the draw here? I guess, what's the selling point?
C
I think there's a couple of things. One, for us, priced much more economically effective for most enterprises' budget lines, we are priced for people to use it. And our goal is not to stand there and drive big ticket things. We're looking for adoption. We want feedback, we want to improve. The system gets smarter with every new file that we get. And that's actually a really, really important aspect for us that we wanted to make sure we're aware of. Two, in hindsight, when I sit down and I look at a verdict score, if a VT score is 27 out of 65 or 70 or whatever, I'm still left trying to answer a question of like, okay, is it good or bad? Is it a false positive? Do people just copy each other's verdicts? Or what is that? And I have a challenge there. If I go to a sandbox solution, and there's some great sandboxes out there, but even when I get a sandbox, I'm still ultimately looking at something very technical, like the ability for a Tier 1 SOC analyst to look at a sandbox and understand, oh, this, this particular operation is risky because of these reasons. You are presupposing they have a large body of knowledge to go back to, and we start thinking about it in terms of like, you know, almost like a public health aspect of like understanding what is it shared in common, the contact tracing aspect?
A
Well, I mean you've got the data, right? So a sandbox doesn't. You've got the data where it's like, well this could go either way. But then you've actually got the context there. That would really help, I'd imagine. So I guess that's, I mean that's kind of the thing, right? It's like the best of both worlds, I guess would be if I was you, that's how I'd pitch it. Right.
C
I'll take it.
A
Instead of having to flip between, flip between a sandbox and VT, sandbox and VT, it's kind of more like, okay, well, you could just, you could just use this one thing.
C
Exactly. I mean, like, it's a one stop shop. And so we're trying to bring into our SIEM integrations, like we've done with Chronicle, not only do you get the AI triage file analysis, but you also get a list of, hey, these are variants of that particular file. So if you think about that as, like, automated file threat hunting, you're getting a list of the hashes for the variants pulled right into your SIEM. You're getting a list of all the network indicators pulled in, the passive DNS history for those network indicators pulled in as well. Correlation with open source and even private threat intelligence you may have access to pulled in. You're getting all the YARA rules that match that file pulled in. So you're kind of pulling in a lot of information, which you can't get in any one spot. And then some of the information is information you can't get at all outside of a system like this. And so, you know, we have a team that does proactive threat hunting over certain customers of ours who want that service, and something really strange that has happened in their workflow is that they finish it before the day's over. So they've looked at all of the things that are new and suspicious in environments and they're able to blow through what would have been a prioritized list of things to do. They're finishing it, and they're doing so in, like, you know, a couple of hours a day, not, you know, oh, they make it to seven hours and they finish it; they're actually closing that stuff out so fast. And so the, the time in terms of personnel and technical cost savings is pretty substantial.
A
Alrighty. Well, you can get Stairwell. You can, you can query Stairwell via its API. That is the play here. May your API licenses flow. Mike Wiacek, always great to see you, my friend. And we'll chat again soon.
C
Thank you, Patrick.
A
That was Mike Wiacek from Stairwell there. Big thanks to him for that and big thanks to Stairwell for being a Risky Business sponsor. And that's it for this week's show. I do hope you enjoyed it. I'll be back next week with more security news and analysis. But until then, I've been Patrick Gray, thanks for joining us.
Podcast: Risky Business
Host: Patrick Gray (A)
Co-host: Adam Boileau (B)
Sponsor Interview: Mike Wiacek, Stairwell (C)
Date: October 15, 2025
This episode dives deep into the current wave of data extortion attacks, exploring how these differ from classic ransomware, their silver linings for defenders and policymakers, and the evolving landscape of cybercrime, law enforcement, and critical infrastructure security. The hosts discuss trending incidents, response strategies, infamous vulnerabilities, government shake-ups, and notable controversy in the infosec community. The episode closes with a sponsor interview highlighting advances in file-based threat detection and SIEM enrichment, featuring Stairwell’s practical alternatives to VirusTotal.
Guest: Mike Wiacek, CEO/Founder, Stairwell
This summary provides a comprehensive, engaging guide to Risky Business #810, capturing the full sweep of the episode’s insights, context, and memorable moments for infosec pros and anyone tracking the pulse of cyber risk and defense.