
A
And welcome to Risky Business. My name's Patrick Gray. This week's show is brought to you by Sublime Security, and we'll be hearing from Josh Kamdjou a little bit later about the spate of calendar invite phishing that's going around and how that is actually kind of a complicated problem to deal with if you're an email security provider. Interesting topic, actually, even though it's like low-level stupid but high-volume stuff; dealing with it is a pain. So Josh will be with us a little bit later on to talk through all of that. It's been a hard week for us Aussies with everything that's happened in Bondi. Our thoughts, our hearts go out to everybody in Sydney who's been affected by the horrible massacre that happened at Bondi Beach. If I was just going to say one thing about that, I would say that as much as it's been a dark week, there's an awful lot to be proud of there as well. Everything from the way surf lifesavers pulled people to safety, placing themselves at risk, the way that civilians were able to disarm these attackers, the way that the police were able to take these guys out, in four and a half minutes for the first one and completely taken out after six minutes, with pistols, facing down people with shotguns and rifles, showing just incredible bravery. There is so much to be proud of, much as it's been a very dark period. You know, I think it's important that we don't lose sight of that aspect of this as well, which is that it could have been a lot worse and everybody did what they were supposed to do. But look, heavy enough, right? So we're going to move on and get into this week's news. I just felt I had to say something there. But Adam, let's talk about the cybers, right? Because the cybers are a lot more fun than all of that. And first of all, a quick update on the React2Shell stuff. Every APT crew on the planet is apparently jumping in on the action there.
We've got even the Iranians jumping in on this one, and it looks like they're grabbing cloud service credentials. That seems to be what people are after here, not so much shells.
B
Yeah, we've seen Microsoft did a write-up of a number of campaigns they've seen, and there's people deploying proxy networks, there's people deploying regular rootkits and shells for access and, yes, stealing cloud credentials. I guess that indicates that's what people want these days, is to pivot onwards into all the cloud properties. But yeah, this is kind of as we expected: CVSS 10 out of 10, no-auth bug. Of course it's going to go big.
A
Yeah. And meanwhile a couple more bugs, like we said last week, right? We said last week that now that there's been one big bug in this stuff, other people are going to have a look and stuff will undoubtedly fall out. We've already seen a couple more, I think. What, there's a memory leak and a DoS condition here that are not particularly high impact, but kind of funny because they were found very, very quickly.
B
Yeah. One of them is like a straight-up denial of service by putting it into an infinite loop, which is not really what you want. And yet another one I think was a source code disclosure, one where you can get the server-side JavaScript source code, which is useful for finding other bugs and maybe credentials and tokens and things. So, yeah, people who are out there patching have just discovered that they run React Server Components and are patching them. They're going to be patching again. But yes, as you said, this is what we expect to happen once someone finds a bug and everyone else starts piling on.
A
Yeah, I think Andrew McPherson, ex-Maltego, actually found those. So nicely done, Andrew. Now let's move on to that technique that I was talking about just at the intro there. ConsentFix, right? So ClickFix has become... this somehow has become a big thing, right? And this is where people... it's the clipboard thing where the attacker puts something on your clipboard and then they tell people, oh, you got to pay, you know, you got to go to the start bar and like run it as a command or whatever and paste and off you go. And look, people are still doing it, so it clearly works, right? So now let's talk about ConsentFix, which is kind of a similar thing, but it doesn't touch the endpoint. It's all in browser. The reason we know about this is because of Push Security, and, full disclosure, they're a sponsor of the show and I'm an advisor to them. I've got share options in them and whatever. But that's not why we're talking about it. We're talking about it because this is actually very, very cool. The only reason we know about this is because finally we've got some companies making browser telemetry products that can see these sorts of things. And man, they found a good one here. John Hammond too, who's the security YouTube guy, he's got like 2 million subscribers, he did a long video on this too, which is awesome. And we've linked through to it in the show notes. But walk us through this technique, because it's an odd combo between being really, really dumb and really, really smart in a way that you don't see very often. Right.
B
Well, you know the old classic: it ain't dumb if it works. But yeah, this is actually really clever. So the deal here is you're browsing the web and the site that you're visiting will prompt you to authenticate an OAuth application in your Microsoft account. And the application it prompts you to add is the Azure CLI, so the command line interface for talking into Azure. This is an OAuth app that's enabled by default for all tenancies. The process of authenticating an OAuth app like this one, the way that it was intended to work, is that you go to Microsoft, you say you want to enroll in this application, and once you've authenticated and consented to the application, to give the necessary key material back to the Azure CLI your browser then makes a callback to localhost. In a normal flow, the Microsoft authentication libraries that you would use for this spin up a listener to catch that particular request, and that gives it the necessary key material to go off and issue a longer-term token for access to your account with the Azure CLI. If you don't have Azure CLI and it didn't initiate this request, there is of course no listener on localhost. And so in the attack, the browser triggers this process, your browser gets redirected to localhost, and of course localhost isn't there, and you get an error from your browser that says error 404 or page not found or whatever else. The attackers convince the victim to copy-paste the URL of this error message, which contains the key material in a GET parameter, and give it to the attacker. It's similar to ClickFix in that you're social engineering the user that you've got a problem and to fix it you need to copy-paste this particular piece of information, and then the attackers can use this to register the Azure CLI app into your account from their machine.
So then they've got a long-term access token and they can make Azure CLI requests into whatever Microsoft endpoint that is, and that's functionally equivalent to giving them your whole Microsoft 365 account in terms of what it can do, which makes the attackers very happy. And it's a really fun kind of little trick and I don't know why it wouldn't work. And indeed, according to Push, you know, they've seen it being used in the wild, so clearly it does.
A
Yes. So I think basically the way this went down is they saw some weird behavior targeting one of their customers and started, you know, stepping it back and wound up with a DAFUQ kind of moment looking at this stuff. And then it was a little bit to unpack too, because the attackers here were using compromised websites, right? They would add some JavaScript to compromised websites that would pop up this fake Cloudflare Turnstile that asked for your email address, and if you weren't one of the whitelisted domains that they were targeting, you would never see the payload again. Right. So whoever was doing this was actually doing it in a way to try to avoid detection. Didn't work in this case. But I mean, it's just like, I love this, right? You're getting people to cut and paste a localhost URL to complete a made-up login process, which seems like a weird thing to a typical user, I'm going to imagine. But you know, even one that's maybe a little bit computer-minded wouldn't necessarily think that giving up a URL... you know, oh, if there's a problem, if it's showing you an error, just copy that URL and paste it here, like that might actually make sense to them. Right, so and then from there, yeah, you could use that key material from wherever in the world just to have that command line access into that user account. And if that user account is privileged, I'd imagine there's quite a lot you can do there, right?
B
Yeah. If you land on a privileged account, like an Azure privileged account, then oh boy, yeah, you're in for a great time, because that's equivalent to access to their account and onwards to great victory. And the normal controls that people would have in place around this... because by comparison, in regular OAuth consent phishing, the attacker creates a malicious OAuth app which redirects back to the attacker, and that OAuth app has to be authorized into the account to start with by the administrator. Because we went from anyone can add any OAuth app whatsoever to their Microsoft world to now, these days, because of that OAuth consent phishing, most places have admin controls as to what OAuth apps are going to be permitted. But in this case, Microsoft has provided the sort of malicious app in this scenario and it's pre-approved, and its redirect behavior during the auth just happens to be a thing that the attacker has figured out a way to leverage. Now, if the attacker was in a position to catch that localhost request some other way, you know, other malware, or there was a piece of enterprise crap where that happens to have advantageous behavior for the attacker, maybe there are other avenues to go down this road. But like, just straight up socialing the user to do it honestly makes a lot of sense. And you know, and your FIDO...
A
...keys aren't going to do anything to stop this as well. I mean, that's the thing that I find most interesting here, is that you would think, okay, well, we've got phishing-resistant MFA, we're good.
B
No, yeah, we knew we're not good.
A
Yeah, we are definitely not a great thing.
B
Right. Now that we're making phishing, kind of, phishing for credentials, a much less straightforward thing, attackers are forced to do some actual novel research now. And I'm totally here for novel research. And this is, you know, just great lateral thinking. I love it.
A
Yeah, life finds a way, as they say. So yeah, we've linked through to the write-ups there, but I'm like, this Azure CLI thing, I'm looking at it, I'm like, this is like Cloud Bash. Like, what is this? It's like, yeah. Oh man, Cloud Bash. What a world. Oh. Now look, let's have a quick chat about all of the goings on in the United States when it comes to trying to find people to run NSA. Both the head of NSA, Director NSA, and Deputy Director. Laura Loomer keeps getting in the way of this process, man. And it's, I mean, it's both serious and kind of funny. I mean, you kind of do have to laugh about this, right? Because we had this situation where Tim Haugh and the deputy, I can't remember her name, got canned because they were part of the deep state or something, according to Laura Loomer, who claims it. Yeah, you know, I got them canned. And now there's been people in the acting jobs ever since. Then there was a number two that got announced for the job, but Loomer decided she didn't like him either. This is for the Deputy Director position. So this is Joe Francesca, who was announced in August as the next deputy NSA director. Then we've got a report here from The Record that said the administration was going to name Tim Kasiba, who formerly held senior roles at NSA and FBI. But then Laura Loomer has taken to X to talk about how The Record story is wrong and there's no way this guy is going to get the job because he's too cosy with the deep state, Trump-hating Democrats. Right. And then when you look at what she describes as her receipts of this guy's disloyalty to Trump, it's stuff like him wishing Tim Haugh all the best on LinkedIn after he'd left NSA. You know, this is the scandalous content that apparently disqualifies him from a senior position under the Trump admin, when platitudes on LinkedIn.
B
That's all it takes, apparently. Yeah, which... it's just bonkers. It's absolutely bonkers. And you know, how long into this administration are we? And there's still no one, you know, at the head of America's cyber and spy agency. Like, it's just at a time when this is really quite important and yet here we are because this guy said nice things on LinkedIn. It's just, either of these guys have said nice things on LinkedIn or did something to offend her delicate sensibilities. It's just bonkers.
A
I don't think she has delicate sensibilities. I think she has spiky, nasty sensibilities actually, mate. But meanwhile, apparently, that's the Deputy Director position. Apparently there is someone in the frame for the Director position, which is going to be this guy, Army Lieutenant General Joshua Rudd, who is the Deputy Chief of the US Indo-Pacific Command. But it doesn't look like he actually has any experience in cyber. Now, I'm not sure how much that necessarily matters when the Director job really is, you know, as I understand it, you're sort of managing upwards to Congress and whatnot, and it's a big organization and, you know, you're running it like any other big organization. I think the Deputy Director role, as I understand it, is much more about managing down into the organization. But you do wonder what the criteria were in selecting this guy, who obviously I know absolutely nothing about. We've got a great quote in here from Senator Mark Warner who said that he looks forward to... where is it? I've got the quote here. Looks forward to "evaluating his qualifications to lead the NSA and U.S. Cyber Command at a moment of unprecedented cyber and national security threats." That was Senator Mark Warner. So, you know, just, yeah, it's a bit of a clown show over there right now, isn't it?
B
Such a clown show. And I feel bad for clowns even, you know, that's how bad it is over there. What a mess.
A
And meanwhile, there's a story going around in Bloomberg that says that the soon-to-be-released cyber security strategy is going to outline a bunch of ways in which the private sector is going to do offensive cyber. I'd be a little bit cautious about accepting that story as fact. It hasn't stopped everyone from talking about it an awful lot. It's been social media fodder over the last few days, big time. And we do know that the admin over there has been kicking around ideas about getting private companies involved in those sorts of activities. But I think we should wait for the strategy to actually be released before we start talking about it as if this is in it.
B
Yeah, yeah, that seems pretty reasonable. I mean, Bloomberg's track record has not been super spectacular; they are of course responsible for that grain-of-rice Chinese backdoor story back in the day as well. So, yeah, not always the most reliable source.
A
Yeah, so let's just see how that happens. Now, this one's fun. This one is fun because we are not sure what to make of it. There has been some sort of cyber attack, maybe a wiper attack, maybe a ransomware attack, against the Venezuelan state oil firm PDVSA, which has, depending on who you listen to, been contained or has ground their operations to a halt. Now, the obvious question here is, the Venezuelans are blaming the Americans and saying it's an attack from Americans, but you know, you sort of get the impression they would say that anyway, right? Even if it was an attack from a Russian ransomware crew or a bunch of pro-democrat hacktivists, they're always going to blame the Americans because it suits their political interests. But in this case, you kind of do wonder if it was the Americans.
B
Yeah, but you do kind of wonder. I mean, given the situation, you know, the relationship between Venezuela and the US at the moment, you do kind of wonder. And you could totally imagine the American administration deciding to add some cyber to the mix. And oil is super important to Venezuela's economy, so doing it under the cover of a ransomware operation is also totally a thing that could happen. Seems believable. But yeah, it also absolutely could just be regular common-or-garden, everyone-gets-ransomware, this-is-just-normal-having-computers-on-the-Internet kind of thing. We just don't know.
A
But it does. I mean, it feels Trumpy, right? It feels Trumpy.
B
It smells Trumpy. I agree. I agree it smells like it.
A
But, I mean, it is kind of the cyber equivalent of blowing up a speedboat. You know what I mean?
B
I mean, they seized an oil tanker, right? So we did see some reporting, I think it was Reuters, that were reporting that a bunch of oil tankers that ship oil for this organization have either gone dark on their tracking, like turned it off, or tankers that are inbound to pick up cargoes have turned around because of the uncertainty. So, you know, if the intent was to disrupt oil exports out of Venezuela, you know, depending on the reporting you read, plausibly, mission accomplished. So, yeah, it just smells, well...
A
And all of these things, yeah, all of these things taken together, right, with the tanker seizure and this, you would sort of think, you know, it does feel a little bit more than a coincidence, you would think.
B
Yeah, you kind of do. But, you know, it absolutely also could just be... it could just be ransomware. We don't know. We just don't know.
A
We don't know what it is. Sometimes it's just a chocolate bar, right? Now, let's contrast that operation, which may or may not be, you know, a U.S. cyber operation, let's contrast that to what the Russians have been up to. And man, flinging money at hacktivists, right? Flinging money towards hacktivists to just randomly pop shells and try to wreak havoc and not really doing anything except annoying people. And now we've got someone, what's this, Ukrainian national Victoria Eduardovna Dubronova, 33 years old, also known as Vika, Tory and Sovasonia. She has been extradited to the United States and is facing up to 99 years in prison for her role in a bunch of this activity. But it's when you read this activity that you just think, why is the Russian state giving money to this group to do this sort of stuff? Like, what is even the point of it?
B
Yeah, no, you really do end up wondering that, because, I mean, some of the examples of attacks this lot have carried out, some of it's, you know, denial of service stuff, some of it's breaking into things. And initially you see reports that are like, you know, broke into water treatment facilities and adjusted chlorine levels in a children's water park, and things that sound opportunistic but serious. And then when you start to see some more of the details, and some are detailed in this indictment, it's something like attacking a car wash in Florida, or, I think it turned out that the children's water park in the Netherlands turned out to be a fountain. You know, like, not exactly chlorinated pools that might poison children. No, it's a fountain. They adjusted the water level in a fountain.
A
Birds drinking from that fountain may have felt under the weather briefly, though.
B
Yeah, they may have had to minimize further down into the pond to get their water. So like, it's just kind of rubbish. I mean, I guess they must have done some things that did cause genuine inconvenience. But you know, as a state-funded... because, I mean, the allegation is that these groups are being funded by the GRU, Russian military intelligence. But yeah, as a tool of state power, I don't feel particularly overwhelmed by it.
A
Well, dude, in November 2024, they attacked a meat processing facility in Los Angeles and spoiled thousands of pounds of meat and caused an ammonia leak at the facility.
B
Well, I mean, that's at least a little more serious than a children's fountain. But yeah, this is not the cyber war we were promised. And I know, over on Between Two Nerds, Tom and the Grugq are often talking about how, you know, cyber really is not actually very effective at expressing state power. And this is a great example of it just being total trash.
A
Yeah, and I'd highly recommend too, funnily enough, I think some of the best coverage of this has come from vx-underground, the vx-underground Twitter feed, where they wrote up a bunch of details on the indictment when it first landed. You know, and what do they say? Like, looking at the guy whose car wash got messed with, like they messed with his car wash settings in Florida, you just think, what? Now look, too, also speaking about Between Two Nerds, this week's episode is a must-listen, in my mind. It was actually labeled Between Three Nerds. So that's Tom Uren, our colleague the Grugq, and a guy called Hamid Kashfi who is talking about the evolution of Iranian APT groups. And not only is it a very interesting conversation, it's also quite funny. So I would recommend that people check that out. I know you've enjoyed that one as well.
B
Yeah, yeah, no, I definitely enjoyed watching that one. I watched the YouTube version. It's a funny episode, but also, like, legitimately educational. Like, I learned a bunch about, you know, Iranian cyber activity. Definitely worth it.
A
I mean, it starts off with the wonderful knowledge that quite often some of these Iranian APT crews love to get detected and love to make headlines because it's actually really good for them internally. Gets them noticed by the bosses, right? And getting doxed and stuff, like, fantastic. You know, you're notorious. Like, whoops, did I accidentally just expose my IP? Oh, no. But look, you know, there's a whole bunch more Russian activity to talk about this week. The German parliament got DDoSed during a visit from Volodymyr Zelensky, you know, and you just sort of think, what's the... again, what's the point of this?
B
Yeah, yeah, exactly. It's not particularly clear. It looks like maybe their email systems had some outage. There was some local reporting that suggested that maybe it wasn't cyber, maybe it was just regular common-or-garden incompetence, which, you know, can be a little hard to tell these days. But, yeah, we did see the Germans summoning the Russian ambassador to protest about Russian attacks on the companies behind air traffic control in Germany. So there is definitely a focus. And having Zelensky there, you know, walking around and having photo ops with German politicians, I cannot imagine made the Russians happy. And it would be entirely believable for them to go throw a DDoS, you know, as a petulant punishment for that.
A
Yeah, have a little tanty, basically. Now we've got one here from Krebs on Security, which says that most parked domains are now serving malicious content. Now, what does he mean by malicious content? Because that's a pretty broad brush.
B
Yeah, so there's all sorts of things there. There's things that are trying to drop scareware on you, things that are sending you onwards to, you know, more sophisticated attacks, browser exploitation and things. Some of the things we've seen that he writes up here: often these ads or content on these sites will send you off through a bunch of redirectors that are going to assess the level of interest the attackers have in you, and then send you to different grades of attack or scams or malware or whatever else, depending on how interesting you are. So that kind of makes sense, I suppose. The thing that stood out to me in this story, though, was something like, according to, I think it was research from Infoblox, 90% of visits to a parked domain are going to end up in some kind of nasty content. But that varies wildly depending on whether you come from a residential IP address or not. If you're coming from a VPN or the sort of cloud service that a scanning operator might be running out of, you tend to get redirected to much more benign content. So that kind of shows a degree of sophistication there. There was one other point, though, that Brian made, which was that the maliciousness of content on parked sites got significantly worse early this year when Google turned off default targeting of Google AdWords. So Google's AdSense platform used to serve ad content on parked domains by default. They turned it off and now it's opt-in only. And that has meant that there's way less advertising, so it's much cheaper for people to go and put on, you know, more malicious content, lower quality advertising, that kind of thing. So by those things combined, parked domains have become even more of a cesspool than they already were.
A
So I mean, you know, a cosmic ray could hit your computer, bit flip you, you wind up on the wrong domain, it's parked, and whammo.
B
Yeah, yeah, basically. Yeah, that's a great time and a good reminder to make sure you patch your browser, because, yeah, a drive-by from just a typo is not really what you want.
A
No, not a good time. Now, what have we got here? Oh yes, perverts everywhere repent, because Pornhub, apparently a third-party supplier to Pornhub, got owned and a whole bunch of data on their premium members got leaked. And this includes stuff like their search history. And I'm guessing if you're the sort of person who pays for a Pornhub subscription, it's going to be a pretty exotic sort of collection of keywords that you would think you probably don't want associated with your email address. I saw someone on Twitter describe this as the Ashley Madison hack, but for zoomers, which I think is probably about right. But I mean, this is bad, you know, this is really bad.
B
Yeah, so this is ShinyHunters breached Mixpanel, which is a third-party data analytics provider, and Pornhub apparently was one of their customers. Pornhub actually came out and said that they stopped using Mixpanel back in 2021 and so therefore the data is probably a few years out of date. On the other hand, Mixpanel have said that the Pornhub data didn't come from them and it must have come from somewhere else. It was a bit of a he-said-she-said back and forth between the two. But the net result seems to be that ShinyHunters have the data, and they are attempting to ransom Pornhub to pay them to not release it. They have shared some of it with BleepingComputer to kind of prove its provenance and so on, and BleepingComputer seems convinced that it is in fact the genuine article. And yeah, watch histories and search histories or search terms is probably, as you said, not a thing that a premium Pornhub user wants out there. And I feel like Pornhub's not going to pay ShinyHunters and this data is going to come out, probably. Even if they did pay, ShinyHunters will probably release it for the lulz anyway. So, yeah, probably not a great time to be a premium subscriber. Although Pornhub is, you know, trying to say that it's a subset of customers and so on, all the usual sorts of things that you get from people who've had data stolen.
A
Yeah, you know, this one is a bit worrying, I think, do you know what I mean? Because it is the sort of thing where you might be exposing somebody's sexuality in that data set, that, you know, they might be in the closet or something. Like, it's got a lot of potential to cause people serious distress, right? So I'm making jokes about it at the start, but, you know, just like the Ashley Madison data leak, there were suicides linked to that. You sort of wonder if the same thing could happen here. So I think this could become, depending on how it plays out, a leak with those sort of real-world impacts. And the two others that I think of are Ashley Madison and then the Vastaamo, you know, psychotherapy clinic data set release. You know, people shouldn't touch this sort of stuff. It's dangerous. Yeah.
B
I mean, the potential for consequences, like real-world actual consequences, is pretty significant. And yeah, it doesn't feel good to have your data stolen at the best of times, but even worse when it's, you know, kind of private or intimate or sensitive like this.
A
Yeah. So I kid the perverts, but also, you know, this is a serious incident and let's hope it just goes away, and it's just, they said we didn't really have the data, we only had what we gave to BleepingComputer and the whole thing's just a laugh, the end. That would be great. Now we've got this absolutely wild piece here, man. Holy dooley. This former employee of Accenture, Danielle Hilma, 53, of Chantilly, Virginia, she's being targeted with, what is it, like wire fraud and stuff for basically lying to the US federal government about whether or not a... lying about a product being sort of FedRAMP compliant when it wasn't. And you just sort of think, which salesperson doesn't lie about their FedRAMP compliance? Right. And she's facing like 20 years in prison. This is a crazy indictment. I mean, like, we love to see the wicked punished, but I gotta be honest, I'm reading this and my jaw hit the floor. Your reaction was similar, wasn't it?
B
Yeah, exactly. I mean, how many salespeople, you know, only tell the full truth and don't exaggerate or leave things out or whatever else? Like, it's just wild. And yeah, the charges really stack up. I mean, there's some for wire fraud, there's some for government fraud, there's some counts of, like, obstruction of the federal audit. Apparently at some point she was involved in obstructing some auditors that were attempting to look at the products or services that they were selling. Like, it's pretty wild. And you know, if she ends up going down for this, like, remember how much we talked about the chilling effect on CISOs of, you know, the SEC or whatever? It was a while back, like, was it the Uber guy or the... it was one of those.
A
Joe Sullivan.
B
Yeah, Joe Sullivan. Yes. Like, imagine, there was so much like, oh, the chilling effect it's going to have on CISOs and blah, blah, blah. Like, this is going to have a chilling effect. Like, if you're going down on 30-year federal charges for lying about FedRAMP compliance, like, yeah, that's a real chilling effect right there. Sales is going to grind to a halt. No one's going to be getting their bonuses.
A
Like, how quickly can we engineer an on-prem version of our solution? is the takeaway question from this one. Because honestly, like, unless you have to do FedRAMP, you don't want to do FedRAMP, and the easiest way around that is just like, oh, we've got an on-prem thing, we stick it in a container, you don't need to worry about FedRAMP. Because it's a shocker. Like, it's a horrible process to go through, and you know, I don't recommend lying about it and concealing things from the auditors here. It did remind me a little bit of the Joe Sullivan thing actually, now that you mention it, because, you know, I think one of the key allegations here is that they were actively concealing and lying and ducking and weaving, which were some of the allegations against Sullivan too at the time. Well, I guess his was more... no, they did allege that he concealed stuff, but I think his was more gray area, like fail-to-report sort of thing. Anyway, that one's all over. Let's not reopen that one. We've got some good news here, which is Microsoft is finally killing RC4.
B
Yes. So, I mean, killing is a strong word, I suppose. They are disabling by default the use of RC4 in Windows Active Directory, and in particular as a response to it being kind of a key part of the Kerberos attack flow where you can kind of steal credentials as any domain user. And yeah, they've been trying to kill this off for a long time, because, you know, having to use RC4 in a world where we've got AES support, have had AES support since Windows, I think, 2003. Windows Server 2003 is where they. The first is the system where that only supported RC4. So things like, of that vintage, it's like, it's been a while, and Microsoft has been working hard to try and make it go away. The main reason it stuck around is that some third-party implementations, things that interop with the Active Directory, don't particularly work well, plus, you know, old versions of Windows. But yes, Microsoft's going to turn it off by default. If you want to keep using it, you can, but, you know, kind of at your own risk. Microsoft's also introduced some better logging so that you can discover clients in your environment that don't support RC4, or sorry, that don't support AES, or have it misconfigured for some reason so that it can't, to try and help you figure out little bits of edge cases. They're also asking for details of any third-party solutions that only work with RC4. So they've done the work, and I guess some Windows admins next year, when they start to roll out this change, will discover what things no longer work in their environment with RC4.
A
That's right. Now we're going to talk about my absolute favorite story of the week. This is our skateboarding dog. It is our final news story of the week, Adam. Very, very funny. Very, very good. We love kicking F5 when they're down. You know, you're thinking about all of the problems with F5 and you think, well, why don't you go to a competing technology, right? And one of the competing technologies there comes from Traefik. T-R-A-E-F-I-K. Traefik does cloud-native reverse proxies and ingress controllers. It's got 60,000 GitHub stars, 3 billion downloads, can do all your SSL termination and, you know, TLS termination, all of that good stuff. But their ingress controller for Kubernetes has a bug in it that is just so funny. Like, it is so funny. Please walk us through this. Like, this is a pure, proper comedy bug. I mean, I don't think anyone's actually exploited this in the wild, but, like, it's just so funny.
B
It's comedy. Yes. So if you're using Traefik in your Kubernetes environment and you were migrating from using NGINX in the same role, the thing that parses your NGINX config and then generates appropriate Traefik config to replace it had a little bit of a boo-boo. And the boo-boo was, when you had a setting in your NGINX version which said, hey, I'd really quite like to verify that the SSL certificates involved are valid, it would translate that into a new configuration which was the opposite: please do not verify any TLS certificates. And so this has been about six months that the setting has been reversed, where, you know, certificate validation on ended up with certificate validation equals off. So that's a little bit awkward. And as you say, in the modern world, relying on TLS certificate verification is pretty important. And having that setting just be backwards for six months and no one notices, it's pretty funny. It's pretty funny.
A
Yeah. Well, someone did notice, but they were using some sort of automated like code scanning tool or something and just throwing it at various code bases. And that's how this got found, which I think is kind of a win, right?
B
Yeah, this is one of these. It's a firm that's, like, doing a bunch of AI stuff. And indeed their write-up feels very written by an LLM. Like, there's some stuff that just, like, has that LLM sniff to it. But the bug's legit. So regardless of how they found it, whether it was humans, whether it was computers, whether it was both, we are still laughing at a very real bug. So, yeah, good work.
A
Yeah, that's right. By off, we mean on, and by on we mean off. Just, like, total inversion. Now, look, just before we wrap it up, that's actually it for the week's news. But before we wrap it up, I just want to send a special shout-out to a friend of the show, Mr. Dylan O'Donnell. Dylan helped. He's a friend of mine from my local area. You know, we often. I think I've mentioned on the show once before that I go and get dinner with a bunch of friends once a week. We all eat a steak. You know, he's. He's one of my steak buddies. He also did the CSS for the Risky Business website when we relaunched a while ago. So, you know, we took the design, and Dylan was one of the people who. Dylan and you basically developed our new website, and he got added into our Slack, and, like, when that project was done, we didn't get rid of him. So he's sort of like. He's sort of like Risky Business, Riskyverse auxiliary. And a good mate, really good friend of mine, and Dylan was just diagnosed with esophageal cancer, unfortunately, and he's beginning chemo this week. And Dylan, I know you listen to the show, mate, and just wanted to wish you all the best with that. And some people might know his name because he actually operates a very popular astronomy YouTube channel with, you know, I think over 50,000 subscribers. He's got his jumbo telescope in his. In his dome in his backyard and takes some pretty amazing photos. So, Dylan, we're all thinking of you, mate. And, you know, let's hope that chemo just goes in and nukes those little things in you, and, you know, that'll be a good result. But, Adam, that is it for the week's news. That is it for Risky Business for 2025. Mate, thank you so much for everything over the whole year. It's been a lot of fun. We've had so much fun this year, and I think next year is going to be even better, mate. So thanks again, and I'll catch you in 2026.
B
Yeah, thanks, Pat. It's. We're going into, what, the 20th year for you? Next year? That's a hell of a. Hell of a lot of Risky Business. And I'm looking forward to coming back 20 years. All of this, 20 years, all of this again next year. Thanks very much, Pat.
A
That was Adam Boileau there with a check of the week's security news. Big thanks to him for that. It is time for this week's sponsor interview now with Josh Kamdjou, who is the chief executive and co-founder of Sublime Security, which is an email security company. So they've got a really cool email security platform. It's very AI-heavy these days, but not in a dumb way. It works actually quite well, because they actually built a product that, you know, just happened to be well suited to have AI bolted onto it later. But we're not talking about AI in this interview. What we're talking about is phishing crews are going absolutely wild with trying to spam people with calendar invitations, mostly ICS format. Getting these calendar invitations into people's calendars with phone numbers in them saying, call this number, and then the targets will actually ring the number and get talked through installing malicious software onto their systems, and then the attackers get access from there. Now, the reason this is interesting from an email security provider point of view is twofold, right? First of all, sometimes that email will come in, it gets detected and removed from the inbox, but the calendar entry doesn't, right? So Sublime have had to work out new features for their platform where they can actually reach in and remove these calendar entries. So you'll hear Josh talk about that. And the other thing that's interesting is that between two tenants in the same provider, like Gmail to Gmail or O365 to O365, you can actually do calendar invitations without involving email at all, through various mysterious undocumented APIs, as is the way in 2025. So, yeah, there's a bunch of interesting stuff to talk about here. So here is Josh Kamdjou talking about how the bad guys are using ICS phishing. Enjoy.
C
What we're seeing most by volume is what we call callback phishing, or some folks call it TOADs, which stands for telephone-oriented attack delivery. Those are the.
A
That's a hell of a, hell of a backronym. I mean, you know, hat tip to whoever came up with that one, that.
C
Is, which if you. Everyone has seen these. Like, the traditional one is the Norton. Your Norton antivirus has expired and you need to call this number to. You need to call the help desk or customer support in order to renew your, your antivirus. You know, like, there's lots of different themes, but that's the general. That's the general attack delivery mechanism. It's a, it's a phone number that the end user calls, which is quite clever, because they end up getting on the phone with, with, with a scammer, and they direct them to go and download. Usually it's malware is what they have them go download. It's like a RAT. Sometimes it's, it's like legitimate remote software tooling that a help desk or IT will use. But then they, they do lots of nefarious things once they get access.
A
So, so it's less about like give us your credit card number to renew your subscription and more about like here, download this tool and then onwards they go from there.
C
Yes, yes. Yeah, that's generally the intent behind callback phishing. And we, and that's not a new attack type. We've, it's, it's been happening for years and we've got lots of, lots of, we've written a lot about that on our blog and whatnot. So that's by volume what we see the most in terms of what they're trying to deliver. But the second most is what you, what you alluded to, which is credential phishing attacks. So there is a, there's a link that. It is a link embedded in the calendar invite that will take them to a credential phishing page and it'll try and steal your Microsoft credentials or whatever credentials they might be interested in.
A
Now you mentioned that most of these ICS invites, they turn up via email and you're going to see them, but you're an API based product. Most of the time you're deployed as an API based product. So you'll see it after it's delivered and go, whoop, remove that from the inbox. But then there was this issue where, well, because you didn't stop it from actually hitting the inbox, it's created that calendar event. And as an email provider, like previously, you couldn't actually then go and remove that bad calendar invite. I mean, it appears in the calendar, it's not accepted, but it's there. I mean, we've all seen how that works. So now you've actually had to go and develop a feature to go and remove those invites from people's calendars. Right.
C
It's actually an issue that's plagued. The reason this has become such a talked about topic recently is that it impacted both API solutions and email gateways because there's multiple ways of delivering calendar invites onto the.
A
Well, I was going to go there next, right, which is that, you know, through this, like if you're inviting, if you're inviting someone who's a Microsoft user from another Microsoft tenant, you could do that without email.
C
That's right. That's right.
A
Is that how most people are doing it or is most of it coming still via email?
C
We're seeing the, the vast majority is coming, includes an email, because it actually, it gives them opportunities to deliver the attack, one, like, to get the user to engage. It's, you get, it's basically like two attacks in one. If they miss the, if the user doesn't read the email, then maybe they'll read the calendar invite. And so what we built was a way to, was a way to actually access the calendar and remediate the attacks on the calendar. So we released this a couple weeks ago, and we were always able to detect and block the attack in the inbox. But nobody, no email solution has had any access to remediating events on the calendar, which is why it's become such a big problem. So we built that integration, and now we can do both, so we can clean those up as well.
A
Yeah. So my next question is really about like what are you doing about the ones that are delivered without email? Are you actually in a position to detect those as well now because you've built this integration or are they still a bit of a blind spot for, for solutions like yours?
C
So those are the, those are the toughest ones right now because the way that the email provider it all, it happens all within there's like some protocol that, that is not public. It all happens internally within Google or Microsoft.
A
It all happens in the background. It's not, there's no SMTP involved. Exactly. Like magically a calendar invite arrives out of, of the ether, right?
C
Yes, yeah, exactly. So there's a couple of things with both of these attacks. The easiest like the most straightforward solution obviously there's trade offs to this is that you can change your default settings for Calendar Invite for how your email provider actually adds invites to your calendar. So in Google and Microsoft there is a setting which by default defaults to on is that any, any recipient, even if you've never spoken to them before can send you an invite and get it auto added to the calendar. And so in Google you actually, you actually have some amount of fine grained control over this where there's a couple different settings. You can say one if it's a, if it's an untrusted sender is what they call it which is someone you've never communicated before or you could just not allow it at all. And then you have to, you have to accept the invite. So if you've got that setting turned off, then the email provider will actually force an email to be sent.
A
Okay. Which is what they should be doing. Which is the first time, which is.
C
How it should have. Yeah, yeah, yeah, exactly.
A
So when you, when you turn that off, it will actually force an email to actually arrive in the inbox. So it's not like you're, you're gonna get people trying to send you a calendar invite through this non SMTP mechanism and it will just disapp.
C
It won't work.
A
It won't work. Or it will generate an email and that's how the invite gets sent.
C
It generates an email. Yeah, exactly.
A
Okay, cool.
C
Yeah, yeah. It forces the attacker to actually send an email in that case.
A
Yeah. I mean, it's less good though, right. Because when I think about how my calendar flows work.
C
Exactly.
A
You know what I mean? Like I like to be able to see those like grayed out appointments on my calendar and go, oh, what's this? Oh, I haven't accepted that. That Click. Okay, right.
C
That's the, that's the big trade off. And why a lot of our customers have not actually changed that setting is because it's a, it's an impact to productivity. It really is. And convenience and all these things. And so there is, there is real impact to the end user experience, which is a, which is a legitimate consideration. Right.
A
And so I mean the obvious solution here is for the email providers when they add something to a calendar through this non SMTP method to generate an email anyway.
C
Yes, yes. That makes detection and prevention much easier. The other thing that we're doing, for really this is more so for the broader community, is that we're building, we're open-sourcing a playbook, basically. It's going to be like a series of API integrations so that you can, even if you're not using Sublime, and, you know, we've got Sublime runs. You can run Sublime. Sublime Core is free for the community, but, you know, even for some organizations, like, it's hard to get approval for that. So what we're doing is making a. Because it's such a problem right now, we're building and open-sourcing a tool to allow teams to be able to remediate calendar invites in either scenario. So, like, even if you've got, whether it's email-delivered or not, and whether you're using Sublime or not, so how.
A
Are you actually determining whether or not a calendar invite is malicious if it didn't generate an email, like if it just appeared on someone's calendar.
C
So if it's just appearing on the calendar, then what you would have to do is you, you basically take that, you take the ICS, basically the format of the calendar invite, and the simplest thing that we could do is turn that into, like, a mock email and then pass it through our detection pipeline. That's, like, like. And then, and then be able to.
A
Analyze it and that'll have a look at the URLs and whatever and give you a. Yeah, yeah, yeah.
C
But, but for IR teams that are just. Because a lot of the pain right now is actually just. There's. There's a lot of attacks getting through that they have no ability to actually go and clean up. It's very difficult to go and clean up. And a lot of times you actually know what you need to go and clean up. So this, what we're open-sourcing, you can just, like, give it a message ID, or you tell it where to go, and it'll go and clean it up for everyone. So, yeah, that should be coming soon. But the thing that we built and released within the platform is actually really slick, because there's nothing that you have to do, it all just happens automatically. If we detect an attack, we will automatically go and also clean up the calendar invite. There's nothing more that you have to do.
A
Yeah, it's just those ones that are not generating emails that are still going to be a problem. Right?
C
Yeah, yeah. And so we're cooking up some things there as well. It is a harder, harder problem with less visibility. But we're working for, we're working on some things for the things that are only living on the calendar as well. Yeah.
A
So talk to me about the scale of this, though, because you shared a graph with me recently about how much of this ICS phishing is happening, and it is absolutely insane. It's like, like it's. You said it reminds you of when, a couple of years ago, QR code phishing became the big hot thing. This is like the new QR code thing. Right. Like, give us an indication of the volumes involved here.
C
Yes. So we have seen, at this point, it's over 100x increase in volume in, in ICS phishing. And it's very similar to. And the, the key thing similar to QR code phishing: QR code phishing was not a new thing when we initially started to see it again and we started to see the uptick and it started to cause a lot of problems. ICS phishing is not a new technique. It has existed for years and years. So what I anticipate has happened is that it's made its way into commoditized tools like phishing-as-a-service kits and whatnot. And it's along the same lines as we were talking about the Anthropic report and how. So it's only a matter of time before more and more of these make it into commoditized services that you can just buy as a random criminal Joe off the street and not have to build and innovate yourself.
A
Yeah, and we'd have to say too, one of the powerful things about Sublime is that it is a very flexible platform which allows you to quickly and rapidly respond to big trends like this, which has been a bit of a challenge for some of the commodities providers.
C
That is, that is one of just like the fundamental thesis of Sublime is that the threat landscape is going to continue to rapidly evolve and you'll see new techniques and you'll see more and more attacks at higher speed and velocity and scale and sophistication. And you have to be able to adapt rapidly, whether it's be able to like re educate the agents that you have making decisions or the core of the detection pipeline or these things. It's how we built Sublime to be able to adapt to the moving threat landscape.
A
Yeah, and as I mentioned at the intro there, Sublime has absolutely gone berserk. I think you've gone from, like, 10 or 20 staff when you first started out with us to, like, 200 now. You've just closed a $150 million Series C. So, yes, it seems to be an approach that is being validated. Josh Kamdjou, thank you so much for joining me to talk about that. Very interesting stuff.
C
Thanks Pat.
A
That was Josh Kamdjou from Sublime Security there. Big thanks to him for that, and big thanks to Sublime Security for being a Risky Business sponsor. And that is it for the show for 2025. I do hope you enjoyed it. I do hope you enjoyed listening to it as much as we enjoyed putting it together for you. Big thanks to the entire Risky Business crew. So we got Tom Uren, Catalin Cimpanu, Adam Boileau, Amberleigh Jack, Tieren Ferrier, Claire, Ed, just everyone, you know. Absolutely, absolutely terrific work from all of you. And yeah, looking forward to working with you all again through 2026. And yeah, thanks for listening, everybody. Cheers.
Podcast: Risky Business
Host: Patrick Gray
Date: December 17, 2025
Co-Host: Adam Boileau
Special Guest: Josh Kamdjou (Sublime Security)
This episode delves into the latest cybersecurity news and incidents, with discussion ranging from a sophisticated OAuth consent exploit, NSA leadership chaos, suspicions around a ransomware/wiper attack on Venezuela’s state oil provider, lackluster Russian hacktivist operations, and a mounting epidemic of ICS calendar invite phishing. In a fast-paced yet accessible style, Patrick Gray and Adam Boileau break down what’s real, what matters, and what makes them laugh (or groan) about the state of infosec in late 2025.
On OAuth Attack Innovation:
“I’m totally here for novel research. And this is, you know, it’s just great lateral thinking. I love it.” — Adam Boileau [10:17]
On Russian Hacktivists:
“Attacking a car wash in Florida... attacking a children’s water park in the Netherlands turned out to be a fountain.” — Adam Boileau [20:14]
On Cyber “Clown Show” at NSA:
“Such a clown show. And I feel like, I feel bad for clowns even, you know, that’s how bad it is over there.” — Adam Boileau [14:41]
On the Impact of the Pornhub Leak:
“It’s the sort of thing where...you might be exposing somebody’s sexuality in that data set that...has a lot of potential to cause people serious distress.” — Patrick Gray [28:28]
Lively, irreverent, and pacy—Patrick and Adam mix deep expertise with wit, poking fun at the absurdities of the industry while delivering sharp analysis and actionable insight. They balance humor (“it feels trumpy,” SSL setting inversion) with gravity on serious breaches (Pornhub, FedRAMP fraud) and empathy for real-world victims.
| Segment | Timestamp |
|-----------------------------------------------------|---------------|
| React 2Shell Fallout | 00:40–03:29 |
| Consent Phishing / Azure CLI OAuth Abuse | 03:29–10:35 |
| NSA/US Cyber Leadership Dysfunction | 10:35–15:45 |
| Venezuela PDV Cyber Attack | 15:45–18:19 |
| Russian Hacktivist “Trash” Operations | 18:19–21:21 |
| Iranian APT Podcast Plug | 21:21–22:32 |
| Parked Domains Maliciousness | 23:50–26:20 |
| Pornhub Data Leak | 26:20–29:28 |
| FedRAMP Misrepresentation | 29:28–31:43 |
| Microsoft Killing RC4 | 31:43–34:19 |
| Traefik SSL Comedy Bug | 34:19–36:51 |
| Sponsor Interview: ICS Calendar Phishing | 39:02–53:10 |
A must-listen for any infosec professional seeking a no-nonsense, humorous, and up-to-the-minute view of cyber threats and the odd cyber policy circus. Risky Business continues to blend industry gravitas with a refreshing real-world perspective.
End of Summary