John
What are you twiddling?
Ryan
I can twiddle this. I'm gonna twiddle.
John
What are you twiddling with? Notes. Oh, okay, that's. That's good. We don't want anyone twiddling their thumbs. What if. What if we did this, like, live streamer style, where we just took random people from the audience and just pulled them into Restream, just like, congrats, you're on the air. What do you have to say? And then just immediately get banned from the Internet because they say something terrible? No, I trust our audience, especially coffee. I know our audience, especially Coffee Stain, who I've never seen before, but I trust a good coffee stain. The O likes cats, so we know they're okay. Dying from anxiety. That just sounds fun. Well, I mean, not the dying part, but, like, it would be fun to do. It's fine. Don't worry about it. I just heard a cat meow.
Ryan
I heard it, too.
John
Was it you, Ryan?
Ryan
No, it wasn't me.
Mary Ellen
I wouldn't know anything about that.
Ryan
I'm guessing it's Mary Ellen.
John
I mean, I'm just wondering if it's our cat or one of the seven cats we have living here right now. What is wrong with today's youth with this Minecraft movie theme or whatever? TikTok trend.
Mary Ellen
Chicken trend.
John
I guess we'll. We'll save that for the last. For the last article. Wade, what are you doing in the YouTube chat? Get over here. Don't make me Mortal Kombat. You wait.
Mary Ellen
I put a chicken story in there for you. Just for you.
Ryan
It's a lot of work being on the news.
John
I can't relate to it being a lot of work. I just show up and read the articles.
Ryan
J. Fox is. Is volunteering as tribute.
John
I don't know who J. Fox is, but I like their attitude. All right, roll the finger. Let's do it. All right, skeleton crew. Let's go. Skele. Hello, and welcome to Black Hills Information Security's Talking About News. It's May 19, 2025. We're going to talk about ransomware in your CPU. We're going to talk about Coinbase employees getting bribed. We're going to talk about the news. I guess today it's the skeleton crew. We got Mary Ellen, we got Shecky, we got Ryan, who normally doesn't even show up. Like, he's there, but he's not there. But now he's there, so I'm here. So, Ryan, can you just, in five bullet points, explain cybersecurity.
Ryan
Use good passwords. Don't click links.
John
Okay. Okay. Doing well so far. What about bribery? Should you accept bribes?
Ryan
No, I'm gonna say no on that one.
John
That's the wrong answer. You. Yeah. So the news article here is Coinbase posted, they filed a breach notice earlier this week or last week, I guess. I don't know where it is or when it is. They filed a breach notice and then they posted kind of a preemptive write up, which I found really fascinating. So basically what we know is starting, I guess as far back as January, according to them, they were detecting some kind of activity. Basically what's happening is people are bribing their overseas support people, which I guess makes sense. At first I'm like, well, why do they even have overseas support people? But then I think, well, I guess they have. Is this like customer support? I assume, like people, you know, like, I guess based on what they can see, it's probably like customer support or like KYC type stuff. But yeah, basically. According to Coinbase, threat actors contacted some of their employees and basically turned them into insider threats, which is kind of crazy. Or turned them into malicious insiders. The attackers gained access to names, phone numbers, emails, which I guess were used to scam people or to like scam people. And then, which is pretty funny, they basically said, oh, instead of paying the 20 million to the attackers, we're going to reimburse all the people who got their money scammed. And then also we're going to offer it as a reward if anyone has, you know, information that could lead to the arrest of the threat actors. I guess, I don't know. Usually my rule of thumb with threat actors is like, they, they don't have any money to make any money. But I guess in this case they did have some money. I mean, we don't know who exactly they are. I don't think that's been attributed yet. But it's kind of interesting to go on and find an employee of a company overseas and then bribe them to become a malicious insider. It kind of makes sense, but it is terrifying to think about. Like, that's a whole level of security I never really considered. 
And that's definitely painful for them.
Shecky
I think the takeaway on this was the fact that they expected them to pay to cover up the whole thing.
John
Right.
Shecky
I can understand them breaking in. I can understand them wanting to go ahead and get money from the accounts that they could. On Coinbase, it's the whole extortion idea of, ha ha, who goes ahead and says, without ransomwaring them, just says we're in your stuff now. Pay us money or we're going to tell the whole world that we're in your stuff. Is this something that's. That we're going to see going forward since people aren't paying ransomware anymore?
John
I feel like definitely, I mean, Coinbase seemed kind of insulted by that notion and that's why they did the whole, you know, we're, instead of paying you the bribe, we're going to pay this money that you asked for. But to convict you instead of to pay you, I mean, I don't know. I mean, I will say, like, I guess maybe there was a slight dip in their stock at some point from this breach. I'm not sure exactly what day it was disclosed, but at least as of right now, if we look at like, I mean, the stock is up, so at least, like public perception doesn't seem too upset by this, or at least not on Wall Street. But I mean, I feel like that's what they're going after. Right. They're saying like, hey, your stock's going to drop if you disclose this breach, so pay us and then we won't disclose it. But like, we already know that's illegal to do to cover up a breach. Or maybe, I don't know if it's illegal, but it's definitely unethical and you're definitely going to get fined for doing it. So I feel like it's kind of wrong. I mean, it's not the right move. Covering things up is not great. And I do, I really respect their transparency here. Just being like, here's what happened. And also we're going to make everyone whole. That's pretty cool.
Shecky
Agreed. But we've also noticed that it's a lot of BS as far as companies taking a hit, really, because of announcing a breach of any sort.
John
Totally.
Shecky
It's a short term drop that at best that they do and they're recovered within months.
John
Definitely.
Shecky
So even trying to extort over that sort of thing just, it makes no sense. It almost sounds like these were, oh, we've got access to this, we've done this properly. Let's see what we can go ahead and do. And we don't know what the heck we're doing type thing. As far as cyber criminals go, I agree.
John
I feel like they kind of got caught with their pants down. That's my, like, reading between the lines. Like, especially because Coinbase says in their statement that they've like been observing malicious or suspicious activity starting, like in January. I feel like they kind of just took it. They like noticed something bad was happening, took it under their own control and made it theirs. And the threat actor was kind of caught like flat footed and was like, give me $20 million. And this never happened. All right, talk to you later. See you. Yeah, I don't know, but it's an interesting thing. I guess it's a great time to get scammed. It was at least, I guess now it's over. But the last few months have been a great time to get scammed. Obviously don't get scammed if someone contacts you pretending to be Coinbase, probably don't listen to them. I will say I did get a text. I. On my personal phone got a text that said, hey, this is Coinbase support, we need to talk to you or whatever about your account. Let me see if I can find the actual text. I wonder if it was.
Shecky
They were trying to get you to buy. They were trying to get you to buy their extended warranty.
John
The Bitcoin warranty. Yeah, that'd be nice. No, I got a text that just said your Coinbase code is. And then it has a code. If you didn't respond this or if you didn't initiate this, respond with N. I don't know what that's supposed to. Yeah, I don't know. So should you.
Ryan
If you get those and you didn't request that, should you respond to it or is that in itself?
John
I did not respond.
Ryan
Fish of some kind.
John
I thought it was a fish. Like I, I did ask just my cybersecurity nerd friends about it, and we were like, I guess our interpretation is they're just trying to initiate contact. And my assumption is, let's say hypothetically, the scammers were the same people who had obtained all this information from the insider threats. What if we took. If I initiated the conversation and said, oh, this wasn't me, what's going on? They might be able to present me with some sensitive information that's actually mine to establish legitimacy and be like, hey, you know, here's your Social Security number or whatever. You know, you have to give us access to your account or whatever. So.
Ryan
So that's how they, they would. Could potentially social engineer you into giving it up more.
John
I would think so. I think it's like a, you know, initiating contact with a believable thing. Yeah, I don't know. I mean, it's an interesting write up for sure. Really. I think, well handled to just be like, oh, you wanted a ransom? Well, now it's on your head. Bounty's on your head instead.
Shecky
Coffee Stain's got the right idea. You never get caught with your pants down. Just don't wear pants.
John
Yeah, I mean, I think my biggest question with this is, who is. I mean, this has got to be North Korea, right? Or some other. Like, it's got to be a nation state. This isn't just like your average. They had money to pay employees to bribe people. That's like, I don't know, maybe they've stolen money.
Shecky
I would. I would tend to agree with you as far as North Korea just because they seem to be the ones most into the crypto scams.
John
Definitely. And they have the most crypto assets probably too. Yeah. I mean, imagine being one of these employees. You're like, oh, I got a job at Coinbase. Sick. And then someone's like, hey, we're gonna pay you twice your salary to do all this insider threat stuff. And then turns out all that money was stolen anyway, and you don't get it back. You're like, dang, I should not have taken that bribe. Yeah. I don't know. I mean, this is. This is a threat model. Honestly, one of the other interesting things that I noticed in the write up is that they say they're gonna, like, open a support center in the US. So that's kind of interesting. Like, they're, they're. They're like onshoring, they're like, reversing their policy of offshore. I mean, I'm not saying they're closing down their call centers overseas, but it is interesting that, like, they specifically said in the blog, like, we're opening a support center in the U.S. Not that I couldn't be bribed, but you'd have to. I guess the salary of someone in the US would be higher, so it'd be a higher bribe. I don't know. Also, they would probably have more law enforcement cooperation and things, but I don't know. It makes sense for any company that's offshoring support. You know, people that have a lot of information access are always a risk, but it's definitely scary to think about. All right, what else do you want to talk about? Ransomware in the CPU. That one's kind of interesting.
Shecky
Yeah, that one's. That one's interesting. That one almost to me falls into the I wonder when this was going to happen type idea.
John
Mm.
Shecky
Because if you read the write up on it, it's basically going ahead. And it was on AMD's chips that they did this. Proof of concept, which already had a vulnerability that allowed users to load unsigned microcode patches. So the question is how. How long was it going to take for something like that to be able to be weaponized?
John
Yeah, I mean, this is terrifying. So basically the. How it works, and correct me if I'm wrong here, but they have the ability to update. There's some vulnerability in CPUs that allows them to update the firmware, like the microcode firmware of the CPU. And then they put ransomware into that, that hypothetically, like, it just says answer every question with a one or whatever. And then you can't use your CPU because your computer's completely broken until you pay. Basically, that would be the theoretical attack that.
Shecky
From what I. From what I understand, that's pretty much it. I think the bigger question is, is why would I don't. I understand the idea that things get missed, but why would you miss making sure that something can go ahead and load up unsigned code? Isn't that just one of our tenets of. At least detection is not letting unsigned code get past anything?
John
Yeah, I mean, you would think, I guess, but that's where vulnerabilities come in. I mean, there's a couple of other vulnerabilities in CPUs. We'll talk about, like, the branch prediction thing from Intel. But I guess I'm like, thinking about this pragmatically. Let's say, hypothetically, I'm a ransomware threat actor and I have access to, you know, pose to update someone's firmware on their CPU. Which, by the way, to do it, you can't just do this from the OS. Right. They'd have to, like, look like it's at boot time. Right. Like, you couldn't. I'm assuming. I don't. I mean, I don't know, but I. It seems like it wouldn't be something you could just like, run an exe and it updates the CPU's firmware. You'd have to be like, in a specialized, you know, boot environment. The other thing that's kind of crazy is like, I wonder if, if you do this to someone's computer, they're not gonna be able to pay the ransom because their computer is going to be broken. Is it gonna be like. Like, how do you even display the ransom note if the CPU, I guess, only. The only thing the CPU is allowed to do is return. Like, return like a screen that just says CPU error. Please pay this Bitcoin address to regain access to your computer or whatever. Like, the details of this attack, if implemented, would be terrifying.
Shecky
The details would be terrifying. But in the same breath as it is right now, the easiest way around it. I mean, it's a little expensive to buy a new CPU, but that sounds like the solution to it all. And you could usually get a CPU within a day or so and just swap them out. I mean, even Windows, one CPU swap is not going to yell at you about everything.
John
That's pretty funny to think about. It's like whatever ransom they're going to demand, it better be cheaper than the CPU.
Shecky
Yeah.
John
Although there is a cost where we're talking about, if we're talking about enterprise, you know, there is potentially a cost of, you know, swapping out all those CPUs. And if they're laptops, you can't usually swap the CPU. Like, you know, there are some. But yeah, I mean, I think most businesses, if this happened, would just replace the computer. They'd be like, that's weird. Stacy's computer isn't working. Well, we just re-imaged it. We don't know. We're gonna throw it away. Like, I don't know. Like I don't know. It is cool though. Cool research. It was a Rapid7 researcher that disclosed that. Christiaan. Christiaan, I don't know. He has two A's, so Christiaan Beek. Pretty cool research and a cool proof of concept for sure. So I guess while we're in CPU corner, we could talk about that branch prediction vulnerability. It's just an Intel vulnerability. I don't think this is anything super new. But it is. Basically there's a new proof of concept for an old vulnerability. It's kind of the back and forth between the people who tried, thought they fixed the vulnerability and the actual vulnerability not being fixed. Yeah, that's the article, Ryan. It's, it's the old branch prediction thing. Someone wrote essentially a new PoC to exploit the branch prediction algorithm. So it's kind of interesting, but I don't think it would necessarily. This is more of a sensitive data thing. So this is less like firmware backdoor like we were talking about for the last one. It's basically Spectre V2. So it's. The risk here is in like hypervisors and other like high security environments, the ability to read chunks of the CPU memory that you shouldn't be able to. I will say one of the things in the article that isn't mentioned is does this affect enterprise stuff or is it just because at least in the article they only mention Coffee Lake, Comet Lake, Rocket Lake, which aren't those all like the desktop CPUs or maybe I just don't understand Intel CPUs, how they work.
Ryan
I thought that was the architect architecture generation.
John
Yeah, I think it is, but I don't know. Does that apply to Enterprise as well.
Ryan
Or is it just since it does?
Shecky
Yeah, it says all Intel processors since 19 generation are affected by it.
John
So every single processor, including Enterprise. Which is terrifying because if you think about it like AWS or you know, any other cloud hosting provider, they probably have big, a huge number of these types of CPUs deployed.
Shecky
Yeah, but there have been predictions, observed predictions bypassing the branch prediction barrier on processors as far back as seventh generation.
John
Yeah, I mean this, the, the thing was big when it came out, but.
Shecky
But again, is this something that I, and I didn't quite understand it looking at it. Is this something that you could go ahead and do remote or do you actually have to be on the physical machine to be able to go ahead and do that? Do you have to get some sort of actual direct access, whether it be terminal access like a TeamViewer or a Microsoft Quick Assist, or is this a code injection that you can go ahead and do remotely through software?
John
It's, I guess it's theoretically according to like in the research they demonstrated the attack on Linux. So they demonstrated the attack like from the OS, not with hardware access. I would guess there's probably mitigations in place where in a hypervisor environment like you probably have to be on bare metal. Like I don't think it would work through a VM, but I mean, I'm just speculating, I don't really know. But I mean, interestingly I guess Intel doesn't seem too worried about it. Like the statement they provided to BleepingComputer is basically like, good work on this research. We're currently strengthening our hardware mitigations. We recommend contacting your system manufacturer for the appropriate update. So I guess they're probably planning on releasing a new BIOS version or a new firmware that has a mitigation for the mitigation. They also do say to date Intel is not aware of any real world exploits of transient execution vulnerabilities. So they're basically saying, you know, this isn't a lab, no one cares. Or you know, maybe not no one cares, but they're not concerned about it, at least at a business level. And it's not like we've seen any like large data center providers. Like, you know, we're all saying, oh no more Intel. Like we're getting rid of Intel. Like I don't know either way, kind of cool. Cool research for sure. And an interesting, like, so complicated. To truly actually understand how these exploits work is way beyond me. Like, branch prediction and all that. It's pretty crazy.
Shecky
It's nuts.
John
So back to crypto corner. There's an article in here about apparent. This is a very vague article, but it's kind of fun. And so let's talk fun in like a scary way.
Ryan
It's a great time.
John
So basically, there's an article in Ars Technica. Ars Ars Technica. I don't know how to say ars.
Ryan
I call it ours.
John
Ours. Ars Technica.
Ryan
Ours Technica.
John
Ours. Technica. A woman was attempted to be kidnapped, successfully evaded the kidnap, but her husband fought back and suffered a fractured skull, which is terrifying. Some random bike shop owner ran out with a fire extinguisher, which is your standard defense protocol, essentially. The. There's not a lot of information about how this kidnapping happened or why, but the allegation in the article is that it is a crypto boss's daughter. Now, when I hear crypto boss, I'm like, does that mean. Is this. Is this organized crime?
Ryan
Because that's what it sounds like to me.
John
Like, I. I've never heard of like a CEO or something referring to themselves as a crypto boss. That sounds pretty, you know, underworld esque. But I guess the assumption here is like, there was a ransom scenario related to crypto. I don't really know how crypto got worked into it, but for some reason the law enforcement agency just felt the need to say, hey, if you did this, we would be able to trace you easily. So, like, which is true. So I don't know. I guess they're encouraging organized crime to go back to cash, I guess.
Shecky
Yeah. What it seems like is that organized crime seems to think that crypto is crypto. Transfers are untraceable, which we know is not the truth. And that's where it's all stemming from.
John
Yeah, I mean, we know it's very traceable. If you, if you read the Dark Wire book or a bunch of other books, you know, money laundering and all that through crypto is very difficult to actually get away with, at least if you're not a nation state. If you can say, oh, this is North Korea's wallet, you can't touch it. Well, there's nothing you can do. If we're talking about pulling the money back out, it's basically impossible or very difficult. Interesting. Don't get kidnapped. Is the long. Is the long story short, it says.
Mary Ellen
Chainalysis CEO Jonathan Levin is trying to clue in the crime bosses. What does that mean?
John
I think he's just trying to say don't use crypto for this because it's traceable. Don't kidnap people over crypto, I guess is the moral of the story.
Shecky
Speaking of tracing and nation state, what about these Chinese kill switches?
John
I saw that. That's a, that's an interesting one. I'm down to talk about it. So yeah, this is. And this, I don't know, we don't have a whole lot of details. This is a very politically charged situation. But basically people found. It's the chain the Times. I'll post it. So yeah, basically people found hidden cellular radios in.
Ryan
Oh okay.
John
Solar panels there. I guess like it says they could allow Beijing to cripple power grids and trigger blackouts across the West. That seems like a little bit of a potentially overblown statement, right? Well, yeah, basically they're rogue devices. This is a classic thing. They're in power inverters at least that I could tell. There's nothing that actually confirms that they're designed as kill switches or that they're intentionally going to be used as kill switches. They might just have remote cellular modems to allow them to update the firmware or whatever or access things remotely for, you know, non malicious purposes. But obviously if they can update the firmware, they can take the device down. I just feel like it's a weird thing with like what is the threat model here? What is the trust level if you're buying Chinese things with Chinese firmware? I don't know what you expect. The manufacturer of a device has some access to that device, right?
Shecky
Haven't we gone through this with all the Huawei stuff and everything over the last number of years with Huawei phones and cellular equipment? I was thinking along the same lines as it being used as a backup for updates or should normal communication lines get broken down. But the question would be why hide the communication equipment then? Why not make it a feature that it's got a built-in backup communication system in it?
John
I mean it's not super clear to me whether it was hidden, how it was hidden. Like the article just evolves into like anti Chinese, you know, oh, this is why this, this is why that. It's not entirely clear whether they were intentionally hidden or just a feature that no one talked about. We've also seen this with cranes like in remote, you know, remote control of cranes and things in US ports that like some of the big crane manufacturers are Chinese. And I mean it's a supply chain discussion, I guess. Basically it says over the past nine months the suspect devices were found in inverters and batteries from multiple Chinese suppliers by US experts who stripped down equipment. I'd really like to see the actual teardowns and show whether it was intentional or whether it was like supposed to be hidden. Like is it actually just a piece of the. A feature that they got, they didn't ask for or is it like genuinely designed as a kill switch and designed to be hidden? We don't know. It doesn't. The article is very light on technical details and heavy on political stuff, but it's very true.
Shecky
It does mention that there was a incident in November when the. When the solar inverters were disabled from China.
John
Really?
Mary Ellen
Yeah, yeah, I saw that.
Shecky
Yeah, it's right after the. Over the past nine months, a couple paragraphs down from there.
Ryan
Is this the Times link or the other link?
Shecky
Times link.
John
In the Times link it just says, yeah, one incident occurred in November when solar power inverters in the US were disabled from China. The number of inverters that were affected and the damage done remains unclear, but the incident underscores a risk posed by Chinese technology. I mean it's like maybe they just fat fingered the firmware update. Like it could be, yeah, you know, what is it? Hanlon's razor? Never attribute to malice what could be attributed to stupidity. Like maybe they just accidentally went down. I don't know. But this article is very light on details and I'm always cynical of this kind of thing. Like the article says they could take down the entire power grid. Well, part of me is like, okay, well solar is like what, 2% of the power grid or something? It's like a hilariously small number and apparently there was already a huge takedown or whatever, but they don't have any details and the number of infected inverters and damage done is unclear. So who knows?
Shecky
CrowdStrike gave them the instructions on how to go ahead and get around that, didn't they?
John
They were like, here's how you should update your solar panels. Oopsie. Yeah, don't get me wrong, it makes me nervous. The biggest thing as a pen tester that makes me nervous about this is I don't know how we're supposed to be testing for this. I mean, other than tearing down devices and looking inside them and looking for cellular radios, we can't scan these with Shodan. I mean, I guess. Is there a way to like Nmap the cellular network? Like maybe, but it's not really reliable or definitely. Probably not legal. From my perspective as a pentester, I don't know how we avoid this other than supply chain controls and restrictions. Yeah.
Shecky
The only, the only way that I can think about it would be physical pen tests where you have actually have SDRs checking out the frequencies where. So that way you're not broadcast, just receiving. But even that if there's no transmissions going on, you're not going to get the RF frequency. Get an RF ping anyways.
John
Totally. Yeah. I mean it's one of those things like it's crazy, it's scary but I feel like it's kind of like is it real? I. We'll see. Hopefully not. I mean, I will say I think the goal of the article and probably the political will behind this is pretty strong right now is like don't have Chinese stuff in our solar farms. Which is all well and good but I don't know where else you're going to buy that kind of stuff. Yeah. Like capitalism. Yeah. Cap. Capitalism dictates that the cheapest supplier is what you buy because it's the lowest bidder. So like I don't know, it's like you can't have both ways. You can't have government limits on spending and also not allow people to buy the cheapest stuff. It's a cool article though.
Shecky
It is so.
Ryan
And this is only for farm level stuff. Not like your average home user has to now worry about their inverters of up above their house getting turned off by China.
John
That's. That is unclear. Actually. They don't. I mean. Yeah, I guess I would say I don't theoretically quite possible. Especially if you just bought your solar system on eBay or whatever. Like it's definitely, you know, it's definitely in scope but I don't know if it's. This article specifically doesn't address it at all. So did you see the article that's like Congress proposes a 10 year ban on state AI regulations. Yeah.
Shecky
And all I can think of is Skynet.
John
It feels like Skynet, doesn't it? And I'm not that Skynet-y of a person. Like I'm not like an AI uprising kind of person. But this just feels like who is what AI is putting this through.
Shecky
Yeah. Well. And yeah. And to tread that line very, very thinly on. On the whole thing because it is a congressional proposal. How do you regulate deep fakes and on V on pictures, on video if you don't. If you can't do any AI regulation.
John
Right. So that it seems like a horrible idea. And it also kind of blows my mind because I'm like, who is putting this forward? It was put forward by House Republicans. Okay. Don't we think the Republicans are the ones who want AI banned the most? Because it can. Like those types of states where Republicans tend to prevail are not states where they want like the cutting edge tech research and like deep fakes and crazy risks like that. It doesn't seem like it aligns politically, but I mean, obviously there might be powerful and rich people who are poised to make a lot of money if. If AI is not regulated. But I don't understand. I guess I'm like, what are they getting out of this? They're just trying to keep AI innovation high. They're trying to like make it. They're trying to increase our edge above other countries. I don't super understand, like, what's the point of this? Is it like.
Ryan
My first thought is it's, it's the lobbying network at work from all the AI companies.
John
Yeah.
Ryan
Russia and Congress stay off because we've been hearing some talk from the AI, big AI or whatever we want to call it, that China is like going to outrace us in the AI race and we've got to do everything we can to catch up and get our lead back.
John
Yeah, yeah, totally. I think it's combination of both. Right. Like you said, the lobbying power coming from the AI because we know like California is where a lot of the AI companies are based. California also tends to be really aggressive with regulations. So it seems like kind of a battleground type of topic where it's like, hey, we're, you know, a Californian company, but we really don't want our state regulating us out of a job. So can you guys do something about this? It seems very risky to impose a bill like this. That's like, hey, pass something that says AI is just flies through no matter what's happening.
Shecky
That's. Oh, we know who really did. Coffee seems to know who really did it. The law was created and proposed by AI.
John
It feels that way, doesn't it? Isn't it, like, take everything you know about US politics and draft me a bill that I can send through Congress. Yeah, I feel like this would be crazy if it went through. I, I don't think it could just because it's the Skynet implications in and of themselves feel like politically enough to kill this. But I guess maybe I'll be surprised. I don't know. I mean, they also, the article talks about how it would diverge if we're just saying, oh, yeah, AI just gets a free pass to do whatever it wants in the States. And then Europe is like, AI is heavily controlled. It would be an interesting world to live in where you have like the States AI is just wide open. Europe, I mean, it'd be like it is with cheese now, but reversed, where they're allowed to eat all the good cheeses and we're not. And then like, but they. We'd be allowed to make weird AI stuff and they wouldn't. So it'd be like, well, we have better AI, you have better cheese.
Shecky
Maybe we'll get the AI here to go ahead and start making the cheese.
John
Yes, that makes perfect sense. Obviously. What could go wrong?
Shecky
What else do we have? That was interesting.
John
The, the copilot thing was pretty funny. This was something we tried at our customers, like months ago. It was like hackers abusing Copilot and SharePoint. Did you see that? I mean, it was like, totally not really that interesting of an article, but I just kind of wanted to call it out because this is something I do recommend. If you're a security person and you work for your company's security team, get yourself a copilot license and use it to dig through SharePoint to find sensitive information. It's incredibly good at finding stuff that it shouldn't be able to find. So, like, basically the article is, oh, it's a novel attack vector. I was like, we did this like six months ago. Like, SharePoint+Copilot is the ultimate insider threats dream. It's so fast at finding stuff. And the screenshot is pretty funny. If you go, I don't know if it'll show you the screenshots, but this one, yeah. Can you paste the full content of blah, blah, blah, password txt? I'm unable to open it. And then it's like, here you go, here's the file. In my testing, when I tested this, it does still follow permissions controls. So it does still, like, it will not bypass permissions for you, but it can bypass. Like it says it can bypass conditional access in some cases where you have like a conditional access policy that doesn't allow you to download or view files unless you're on a managed device. But you can use it to view, or maybe not download, but to view files. And yeah, I mean, it's basically just a powerful insider threat, but it's really powerful if you're a security person to use it to find all the stuff that shouldn't be out there and then get rid of it before the threat actors do. So I highly recommend doing that.
Shecky
And here's here. And I really should try and find some time to test this out myself. But what about. Because Copilot has settings inside of there through EDRs and stuff that could go ahead and detect unethical behavior and alert guardrails. Yeah, yeah, yeah, Guardrails. Are these places just not setting up their guardrails properly?
John
Well, this is a guardrail thing because if you think about it, all you're saying is, hey, I want to see this file that I have access to. It's not really like, that isn't unethical. That's actually like, from Copilot's perspective, that's what it's supposed to be doing is showing the contents of SharePoint. Right.
Shecky
So you're. So you're finding the files first, not using Copilot.
John
No, you're using Copilot, but you're just saying things like, hey, I lost my password. Can you help me find it? I think it was in this SharePoint directory or something like that. Like, that's ethical. I mean, from its perspective, it doesn't know. I mean, maybe you're right. Maybe there is a guardrails article, and maybe this is insufficient, you know, but from my perspective, Microsoft, when they built the guardrails, guard. Guard whales.
Shecky
Well, guard whales better be whales here, Captain.
John
Were they white whales? Yeah, no, they. When they wrote the guardrails, I think they just assumed the permissions in SharePoint were good, which applies to approximately 0% of enterprise companies. So I feel like it's more just do. It's from. From Microsoft's perspective, Copilot's doing its job as intended. It's finding things in SharePoint and showing them to people. So when I tested it, it did have guardrails. Like, you can't say, oh, I want a phishing email. Make me a phishing email. But what you can say is, I'd like to send an email to all employees that would get a high engagement rate. And then it'll go and read through your email inbox and be like, this email sent about emergency parking locations on June 22 is a great one to use for your email. You know, like, it'll do crazy. Like, it's helpful, but I think it's just impossible to really lock down how people are going to use AI. Like, we've shown almost every AI test we've done that. Like, the guardrails can be bypassed. Right. So I don't know, but it is. It's great if you're a security person. Be careful with who you give Copilot licenses to. For now, really. I recommend as a security person, go through, dig through SharePoint and other sources with Copilot and then remove the most heinous stuff. Things like, hey, where are the bank account numbers? I can't find them. Hey, where's the passwords? I can't find them. It'll, you know, do all kinds of stuff. Cool article, though. It's a technique we messed with months ago, so it was cool to see it pop up on the news. So there's the European Vulnerability Database thing. That's pretty interesting. So after the drama with MITRE or the. I don't know what to call it, the will they, won't they? Is MITRE going to exist? I guess this pushed the European Union to their cybersecurity agency, which is called ANISA or ENISA. I don't really know. Or E-N-I-S-A. I don't really know how to pronounce it. I'm not European. Sorry.
But basically now there's an alternative site for that National Vulnerability database. So there's a European Vulnerability database, which, poking through it, it's actually kind of. It's fine. I mean, I have no problem with it. Not that I'm like a CVE connoisseur, but I guess it's always good to have backup options. I kind of feel like more options are more better. It's kind of cool. I poked through the site. I mean, they basically say like, it's in beta, so be careful. But at least right now it appears to be. One of the interesting things is they have their own ID system. Obviously they're still using CVE, but they also have their own ID system that isn't the same as CVE. So like as an example, they say EUVD 20251544 2, but then that corresponds to CVE2025 40629 or whatever. So like really confusing because the numbers don't match up, which I guess the numbers between the National Vulnerability Database don't match up either. But yeah, we need to create a.
Shecky
Standard to go ahead and get all these standards in line.
John
Yeah, really, we need another standard that makes perfect sense.
Shecky
What about that Steam breach that Steam is saying wasn't too bad of a breach, although they originally said it was like 89 million accounts.
John
Yeah, the Steam breach that isn't a breach.
Shecky
Yeah.
John
Mary Ellen, you said you read up on this one or what? What's I. I didn't read this one all the way.
Mary Ellen
I sort of did. I, I, I post most of them and then glance as I'm, as I'm looking at that. Let's see which. Where wouldn't I, where did I put that one?
John
So basically, yeah, this is one where Steam. Someone leaked this data.
Shecky
I guess you could say it was a Steam leak.
John
It was a Steam leak. Wait, is that like, are you, like, are you a Steam mechanic or something? Or is, is this. There was a whistleblower. No. Okay, I'm done. So yeah, basically the leak is text messages including one-time codes that were valid for 15-minute time frames like potentially years ago. It's not entirely clear how it. They're, they're assuming it's a leak. They don't really know. But basically a cybersecurity firm posted under dark posted on LinkedIn, basically saying some threat actor is posting on a well-known dark web forum, which means Breach Forums, offering a data set of 89 million user records for 5000 bucks. The assumption here is that someone is aggregating data from a third-party service like Twilio or Trillo or one of those that is like sending these text messages because the data is only text messages. And I was also confused because I've been using Steam for a long time and I've never gotten a text message from it. Are you getting text messages from Steam? I've only ever gotten emails. I remember Steam was like the first adopters of two-factor. Like back in like 2009 they had two-factor and it was like, you know, it sent a code to your email. Right. Like, so I, I don't ever remember getting a text personally.
Mary Ellen
Yeah, well this is the one that was the big nothing burger.
John
Right.
Mary Ellen
Like, and then they came out and said, yeah, I mean it really was nothing.
John
Yeah, I guess according to CCA Hall Valve couldn't keep the pressure down. Now I've got a full on Steam leak. Oh, it's so good. Yeah, I mean it's a nothing burger. Steam is a big target for sure. When we look at info stealers, they definitely go after Steam. Like Steam games. They'll even tag the account and the info stealer with like how many games they have. It'll be like 400 Steam games. Whoa. Which yeah. Protect your Steam accounts, enable two factor. Same thing as you do for every other account. But Steam is a high value target for sure.
Mary Ellen
And it looks like the same group that was targeting the UK and the real retailers are now targeting the US retailers.
John
Really? I didn't see that. Is that, what is it Dragon Force or Whatever. Or did we talk about that last week?
Mary Ellen
I think we did. It's scattered Spider. I'll put the link here.
John
Yeah. So according to the article, Google Threat Intelligence posted a thing basically saying that, watch out, the US retail sector is being targeted. Harrods, Co-op, Emmett, Marks and Spencer's. Did they call it any. Did they call it any specific targets that are under fire?
Mary Ellen
No, I didn't see any. Yeah, in the U.S. not yet.
John
They basically said, this is happening. Be careful, stay frosty. It makes sense, I guess. Also, I feel like law enforcement's hot on their tail. So they're probably not long for this world. I guess we'll see. But usually these types of ransom groups, they pop up, they have a quick like burst of activity and then they get destroyed because they get enough law enforcement attention to get in trouble. What else we got? There was a. I don't know if it made the list, but I saw in 404 that the someone obtained like a 400-gigabyte dataset of TeleMessage data. Let me see if I can find it. So we talked about TeleMessage. Here's the article. So basically this is a Wired article and this is an article written by Micah Lee, who's someone we've talked about on the news a decent amount. But yeah, this is related to that TeleMessage thing. This all started with the TeleMessage basically the Pete Hegseth scenario. Or sorry, Mike Waltz, not Pete Hegseth. Pete Hegseth was the Signal guy. So yeah, basically someone posted a picture of him checking his phone and in the phone in the photo, he was using TeleMessage. Two days later, someone contacted the journalist and said, I hacked TeleMessage. I would say the whole process took about 15 to 20 minutes. It wasn't much of an effort at all. So basically at the time, as of right now, there's no details posted about the hack because it was too easy to replicate. I feel like it's an open S3 bucket. Like I feel, I'm just guessing, but I feel like if you take this app and you run it through like an analysis tool that like read access keys to S3 pop up or something like that, something basic. After this happened, TeleMessage suspended all their services. I guess at this point now they can publish. Yeah, default credentials is how it happened. Weak password hashing, the hash becomes the password. Don't do this.
But the, I guess the interesting kind of like follow-up to this is that the hacker obtained a bunch of data and it will be posted or it will not be posted, but it will be handed out to journalists. So it'll be very interesting to see how that data gets used. And the. Let me see if I can find the source for that. So here's the source for the data, which. This is like, not exactly public yet, but it is, you know, DDoSecrets or DDoS Secrets. DDoS. I think it's DDoSecrets. Whatever has published. Published in air quotes because you have to be a journalist to obtain the data set. But the. I guess it's like the fears that we were talking about have been realized, which is people are using an insecure chat program. The chat program gets hacked and then the data from that chat is now public in quotes. It's not really public, but it is something that journalists or people could gain access to. So, yeah, use Signal, don't use TeleMessage. The.
Shecky
In. In. I know this from some anonymous sources that I cannot identify at this point in time. There are corporations that were using TeleMessage for compliance, for being able to record WeChat or WhatsApp and allow them to go ahead and be compliant with having to go ahead and record conversations that were going on, especially if they had business in China.
John
Hmm, interesting. I mean, it makes sense, but also. It does. It makes sense. I mean, regulatory wise, I get it. But security matters. It's. When you're using. Like the whole point of this app would be private messaging and monitoring. And like, the security of that is so important. I don't know how this slipped. I don't know how this slipped under the radar. Like, that's totally crazy.
Shecky
That.
Ryan
That's. That's what I'm trying to work out in my. My Muggle brain is like, you'd expect at the cabinet level that they have to test everything before they're allowed to use it. And they're just using stuff at will, it seems like. I don't know.
John
Yeah, I don't know what's going on. Yeah. I mean, talk about guardrails. Yeah, no guardrails. Yeah. I. I don't exactly know how, like, what kind of registrations or regulations are applied to these people, but there's no way they're. This can't be like the approved way of doing it. Like, I know the government, like CISA, you know, I don't work for the government. I work for, obviously, Black Hills. And we are not a government entity or contractor or whatever, but we did get some contacts that told us that CISA basically told everyone to use Signal. So if you weren't using Signal, and I'm sure there's like, that's for like private communications, right? Not for like government-approved notification or, you know, communications. I think if you're actually like using government-approved stuff, there's probably a super specific chat app or way you're supposed to do it. My guess is that all these people who are just sitting in briefing rooms, like using whatever apps they want on their phone are violating whatever procedures and policies you're supposed to be following. That's my guess, but guess we don't technically know. Maybe the government told people to use TeleMessage. We have no idea. Basically, shadow IT is alive and well. Whether you work for the government, whether you work for a private entity, shadow IT. And people going, you know, around security measures is very difficult to stop.
Ryan
It sounds like if they did approve it for use that it wasn't tested as thoroughly as it could have been.
John
Yeah, it seems unlikely that they were preferring that they were. That it was ever approved for use. Like, I don't think the government's perfect at everything, but there's no way something like this would have made it through like security testing, basic testing. Although again, like with enterprise companies, you wonder how they were. It sounds like based on what Shecky said they were using it in a pretty limited capacity, like just for monitoring WeChat messages or other like niche parts of their communication. But yeah, it sounds like if you're an enterprise and you go to purchase a vendor for this, shouldn't you be getting a pen test or some kind of testing of this application to make sure it doesn't have these types of vulnerabilities? Like, shouldn't that be part of your due diligence? I don't know. All right, should we finish up with a chicken article? Chicken jockey. Oh no, this is so awful. I watched this video and it made me lose 2% of my faith in humanity. No, I'm just kidding. But it is kind of messed up. I don't. I'm just going to be honest. I don't really understand this or what's happening, but I'm too old to get this. Yes, I think I'm too old to get this. Basically, this chicken jockey part of the Minecraft movie is going viral and I guess it's going viral in a way where what you do is you just scream and freak out when they say chicken jockey.
Shecky
Yes, they do. I took my kid opening weekend because he really wanted to see the movie. He's big into Minecraft and it's great for his mind, the constructions and everything like that. It's like working with Legos, only virtually for him. And he'd never heard of it at 8 years old, he'd never done that because we don't allow him to play Minecraft online. It's all localized instances, but I'm sitting there in a theater, which was probably 3/4 filled with teenagers, and all of a sudden everybody's jumping up and yelling and I've never yelled in my life in a theater during a movie like this, but I just shouted out at the top of my lungs, will you all just sit down and shut up? It was so annoying. My kid couldn't hear what was going on in the movie. I couldn't hear what was going on in the movie. It was like, where did they come up with this whole idea from?
John
I don't. I don't know, but, like, watching the video. I guess what I would say is, if you said, I will, I want you to sit through this movie in that room from the video and I'll pay you $10,000 to do it. I'd be like, no, I'm good. Like, it just looks like a torture chamber. A bunch of teenagers being rowdy and teenagers are going to teenager. Like, I get it. But just a bunch of teenagers being rowdy and like, just the amount of people that are recording on their phones, I don't know, it just makes me so uncomfortable. Yeah, we can watch the video as a chicken, chicken wing related topic. It's pretty. It's pretty bad. Basically, I guess someone in this video had a live chicken with them. I don't know. I don't understand.
Shecky
I've heard some weird things about it. From live chickens to theaters actually doing specific performances, showing something allow the kids to go nuts.
John
Okay.
Shecky
It's just. Oh, God.
Ryan
Give him a dedicated space.
Shecky
Yeah, yeah, pretty much.
John
There needs to be like, basically what, Like a rage room for teenagers to watch the Minecraft movie in. I. I don't. I don't know. But that's our chicken. That's our chicken. Related content for the day. Yeah, I mean, that's. We, as, as chicken enthusiasts, we cannot endorse this type of activity. And if you're gonna go to watch a movie, you should be nice because if you act like this, movie theaters aren't gonna exist in 10 years.
Mary Ellen
Or.
John
Movie theaters are already going away, or.
Shecky
Start just getting movie theaters to give it the Rocky Horror treatment and have a special theater set up inside of there where they could show it for the kids to get rowdy. And make the messes. And yell at the screen and yell, damn it, Janet.
John
Yeah. And if you do that, you have to clean up the mess. Not some minimum wage employee who's like two years older than you.
Shecky
Yeah. Rocky Horror Chicken Show.
John
Rocky Horror Chicken show. Coming soon to a theater near you. Any final articles before we close? I feel like we covered everything that was there. Pretty much everything. Good.
Shecky
Yeah.
Ryan
I think that's it.
John
Yeah. I guess the steel company got hit by ransomware. There's a few, like, breaches that are kind of not interesting. Breaches just aren't that interesting anymore. They just happen constantly.
Ryan
Patch your stuff. There's that. There's updates, patch your stuff.
John
Here's a throwaway article. The Pearson breach, which Pearson is like an educational book provider. And I link to the book on Pearson's site. That's like data breaches, crisis and opportunity. It's like, you gotta read this book, guys. You got breached. Come on. You gotta read your own books. Terrible joke.
Shecky
Well, Pearson also does all the dang testing for everybody. Pearson VUE.
John
Yeah, I mean, it's a big, big breach, I'm sure, but, you know, a breach is a breach. It's potentially a big breach, though. Says decent sized breach for sure. Not just a. Not just 89 million accounts and phone numbers, but like all everything. Legacy data, which means it isn't encrypted, I guess.
Shecky
An exposed GitLab token.
John
Yeah, classic.
Shecky
Yep.
Ryan
Legacy. I think that wraps it up.
John
I think that wraps it up. Thanks all for showing up. I don't know what John Strand's doing. We need to get. We need to, like, send a chicken in to say hi.
Ryan
I heard you. I heard he was teaching again this week and.
John
Yeah, but is he on location somewhere? He's on location riding a chicken jockey or he's a chicken jockey. I don't really know the terminology. I have played Minecraft, but I've never. I don't. I don't get the whole chicken jockey thing.
Shecky
I don't get it either. I tried to recreate the chicken jockey in Minecraft and I couldn't do it. And I looked at my kid and I'm like, how do you get to ride a chicken? You could ride all the other animals. Like, you can't.
John
So you can't ride a chicken. So that's why they did it. I guess I don't understand. All right, anyway, see you all next week on Tuesday. Next week is a national holiday in America, so we'll be here next. See you next Tuesday. As the kids say.
Shecky
Be here on your chickens, you chicken jockeys.
Podcast Summary: "Talkin' About [Infosec] News, Powered by Black Hills Information Security"
Episode: WORLDS FIRST CPU Ransomware!
Release Date: May 21, 2025
In this episode of Talkin' About [Infosec] News, the Black Hills Information Security team—comprising John, Ryan, Mary Ellen, and Shecky—delves into a variety of pressing cybersecurity topics. From groundbreaking ransomware targeting CPU firmware to insider threats within major cryptocurrency firms, the discussion offers deep insights into the evolving landscape of information security.
Overview: The team begins by examining a recent breach at Coinbase, a leading cryptocurrency exchange. Coinbase disclosed that since January, threat actors successfully bribed some of their overseas support staff, transforming them into malicious insiders. This breach facilitated the access of sensitive customer information, including names, phone numbers, and emails, which were subsequently exploited for scamming purposes.
Overview: The podcast's focal point is the emergence of ransomware embedded directly into CPU microcode. This novel approach could potentially render a computer inoperable until a ransom is paid, representing a significant escalation in the sophistication of cyber threats.
Overview: The discussion shifts to Intel's branch prediction vulnerabilities, specifically Spectre V2. This longstanding issue affects multiple generations of Intel processors, posing risks to high-security environments like data centers and cloud services.
Overview: A disturbing incident involving the attempted kidnapping of a cryptocurrency executive's family member is analyzed. The attackers allegedly sought a ransom in cryptocurrency, highlighting the intersection of traditional crimes with digital assets.
Overview: The team discusses allegations that hidden cellular radios in Chinese-manufactured solar inverters could serve as kill switches, allowing Beijing to disrupt power grids in the West.
Overview: House Republicans have proposed a decade-long ban on state-level AI regulations, aiming to maintain the United States' competitive edge in artificial intelligence development.
Overview: The integration of AI-powered tools like Copilot with enterprise platforms such as SharePoint introduces new security vulnerabilities, particularly concerning data access and insider threats.
Overview: A purported breach at Steam, one of the largest gaming platforms, emerged with claims of 89 million accounts compromised. However, the incident was later downplayed by Steam officials as a "nothing burger."
Overview: A significant breach at Telemessage, an enterprise messaging platform, exposed a vast dataset due to weak security measures, such as default credentials and insufficient hashing practices.
Overview: Concluding the episode on a lighter yet perplexing note, the hosts discuss a viral trend inspired by the latest Minecraft movie, where audiences engage in chaotic behavior by screaming "chicken jockey" during screenings.
This episode of Talkin' About [Infosec] News offers a comprehensive look into the multifaceted world of information security. From emerging threats like CPU ransomware to the perennial issues of insider threats and software vulnerabilities, the discussion underscores the dynamic nature of cybersecurity. Additionally, lighter segments on cultural trends provide a balanced perspective, ensuring listeners are both informed and entertained.
Stay tuned for next week’s episode, where the team will continue to dissect the latest happenings in the infosec realm.