Risky Business - Risky Business #712 -- The 336,000 undead Fortigates of DOOM
Episode Date: July 11, 2023

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They cover:

The SEC is targeting SolarWinds executives
UK to make banks liable for fraud
NSA issues advice on UEFI trojan
Microsoft blocks 100+ dodgy drivers
The US IC knew what Prigozhin was up to. But what was the FSB doing?
Much, much more

This week’s show is brought to you by Netwrix. Martin Cannard, Netwrix’s VP of Product Strategy, is this week’s sponsor guest. He talks about why zero standing privilege is a worthy goal.

Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that’s your thing.

Show notes

SEC notifies SolarWinds CISO and CFO of possible action in cyber investigation | Cybersecurity Dive
While Australian banks refuse most scam victims refunds, the UK is making them mandatory - ABC News
New law could allow GCHQ to monitor UK internet logs in real-time to tackle fraud
Federal incentives could help utilities overcome major cybersecurity hurdle: money | CyberScoop
Major Japanese port suspends operation following ransomware attack
Petro-Canada reports service restoration after suspected Suncor breach | Cybersecurity Dive
Chinese state-backed hackers accidentally infected a European hospital with malware
Hackers exploit gaping Windows loophole to give their malware kernel access | Ars Technica
336,000 servers remain unpatched against critical Fortigate vulnerability | Ars Technica
CISA says latest VMware analytics bug being exploited
MOVEit vulnerability snags almost 200 victims, more expected | Cybersecurity Dive
Actively exploited vulnerability threatens hundreds of solar power stations | Ars Technica
U.S. intelligence learned in mid-June Prigozhin was plotting uprising - The Washington Post
Russian election-meddling ‘troll factory’ reportedly shut down after Wagner revolt
Russian telecom confirms hack after group backing Wagner boasted about an attack | CyberScoop
Hackers claim to take down Russian satellite communications provider
Russian railway site allegedly taken down by Ukrainian hackers
Several US states investigating ‘SiegedSec’ hacking campaign
Hacking crew targeting states over transition bans claims cyberattack hitting global satellite systems | CyberScoop
Hacktivists steal government files from Texas city Fort Worth | TechCrunch
Belarusian hacktivists claim to breach country’s leading state university
British prosecutors say teen Lapsus$ member was behind hacks on Uber, Rockstar
Silk Road’s Second-in-Command, Variety Jones, Gets 20 Years in Prison | WIRED
Russian cyber expert arrested in Kazakhstan, triggering a showdown between US and Moscow
More than 6,500 arrested since French and Dutch police’s EncroChat hack
BreachForums seized by FBI three months after arrest of alleged admin
BreachForums replacement emerges as robust forum for criminal hackers to trade their spoils | CyberScoop
Genesis Market gang tries to sell platform after FBI disruption
Hackers using TrueBot malware for phishing attacks in US, Canada, officials warn | Cybersecurity Dive
CSI_BlackLotus_Mitigation_Guide.PDF
Hacks targeting British exam boards raise fears of students cheating
More than $125 million taken from crypto platform Multichain
Twitter’s chaotic weekend of outages and rate limits leaves more questions than answers
Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking | Ars Technica
Transcript
Hi everyone and welcome back to Risky Business. My name is Patrick Gray and Adam Boileau will be joining us in just a moment to talk through all the security news of the last few weeks.
And then we'll be hearing from this week's sponsor, Netwrix. And Netwrix is the PAM vendor that acquired our long-term sponsor, Remediant. Netwrix's VP of product strategy, Martin Cannard, is this week's sponsor
guest and we'll be talking about how PAM has changed and why working towards the goal of
zero standing privilege is the future of PAM. That is coming up later, but first up, it is time
for a check of the news that we missed while we were on break with Adam Boileau. And buddy,
you know, we've been on break a couple of weeks and normally when we do that, something catastrophic happens, but it looks like we got
off pretty light this time around. We still do have plenty of like technology related news to
get through, but I wanted to start off this week by talking about some government stuff. And yeah,
it looks like the SEC is pursuing some SolarWinds executives personally.
They've sent letters to their SolarWinds CISO and a couple of others,
and it looks like some sort of enforcement action is coming.
What do you think about all of this?
Well, we've seen the SEC nosing around with SolarWinds before.
Obviously, the SolarWinds breaches were pretty high profile, and everyone wanted to get in on the action there with regulation and so on.
But I guess going after individual C-levels and other management at companies who get hacked is probably
going to be a thing that, you know, we will see more of. And there's a concern of, you know,
a number of people who work in that kind of field in the United States that they may be,
you know, more exposed to personal liability. It's hard to say that that's a bad thing overall,
but the individuals involved in SolarWinds,
it's kind of hard to say whether...
And also, we don't really know the nature of the enforcement
that the SEC are going to do here.
It could be a slap on the wrist, it could be more serious.
But that kind of liability shift towards individuals
probably overall is a good thing.
Overall, maybe.
And we've got to keep in mind, we don't know what the SEC knows.
Yeah, we don't.
About this, right? Like, it just made me think about the whole Joe Sullivan saga.
Yes.
Where people were like, oh, this will have a chilling effect and blah blah blah, and people were very panicky about it. But ultimately, what he did was very silly, and that's how he wound up in a lot of trouble for it.
We won't really be able to form a proper opinion on this
until we actually see what the SEC is alleging was done here.
So they're saying that they're looking into the company's
internal controls as well as its disclosure controls and procedures.
So I guess this is one of those things that, you know,
we just won't know for a while, right?
Yeah, but all we've seen so far is that they've been sent
Wells notices, which is kind of part of the process
where the SEC notifies companies or individuals
that they're going to be potentially subject
to some kind of action.
I think this is the SEC equivalent of putting a horse's head
in their bed.
Yes.
Sending them a Wells notice, right?
Exactly.
And the range of things that could happen here is very large.
It could absolutely be a tut-tut through to, you know, you're never going to work in this town ever again.
And we don't really know. You know, as you say, we're just going to have to wait and see what happens.
But, you know, anything that does make individual executives more liable for the cyber does have the potential to change things, even if it's not quite, you know,
as hysterical as we saw after the Joe Sullivan situation.
Yeah, yeah, I agree.
I mean, it is interesting that the company for its part has said, wow, wow, wow, we're
awesome.
You know, we did everything right.
No one could have foreseen these, you know, hackers from Mars, well, Russia, coming after
us and doing all of this.
And it also says, oh, you know, the enforcement action here will make the industry less secure.
And here's the quote: by having a chilling effect on cyber incident disclosure.
I think they've got that backwards, right? Because once the SEC goes after people for failing to disclose, I don't think that means there's going to be less disclosures.
No, probably not. Fewer.
Excuse me, fewer disclosures.
Fewer disclosures. And we're certainly just going to keep on seeing hacking and, you know, its relationship to the market and investors and shareholders and so on. Like, that's the job of the SEC, to make a fair and transparent and workable system out of.
Now look, another story involving governments here, and while we were on break there was a new regulation introduced into the United Kingdom that will make banks there liable for fraud targeting
their customers, right? So, I mean, I personally know people who've been defrauded of substantial
amounts of money, usually older people, just of the ones that I know, substantial amounts of money
where, you know, someone rings them up and says, hey, we're the bank and someone's got control of
your account and you need to transfer money to your family
member's account. And, oh, you don't have their details. Here it is. And, you know, they transfer
the money out. And I've watched the bank's response when that sort of fraud is reported.
I mean, it could be reported the next day. And I'm talking about in Australia. And, you know,
this is a transfer to another Australian bank. And they just say, oh, sorry, you know, money's gone. And what the UK is saying here is that's
just not good enough. And there is a similar push here to make banks liable for this type of fraud.
Look, I think this is a really good thing because of all of the organizations on the planet that
are best positioned to tackle this sort of stuff, it's the banks.
Now, is this going to be costly for them?
Probably.
But are they going to get a handle on this now that they're properly incentivized?
Absolutely.
I think the worst thing that we're going to deal with as a result of this regulatory change in the UK is perhaps transfers will be slowed down a little bit.
Yeah, I think that, you know, you really hit the nail on the head, right?
I mean, it's in the ideal world, people should be responsible for managing their accounts
and managing their access and the devices that they use and all those sorts of things.
But the real world scenario is that there are plenty of people who don't necessarily
understand all the technology and perhaps nor should they have to, to be able to just use the banking system.
But it's not even about understanding the technology.
It's just that there's an entire industry,
criminal industry that's popped up
that solely exists to tricking people
into transferring stuff into different accounts.
And the bank's response processes
are just completely inadequate
because they don't have skin in the game.
Yes, exactly. That's one of the things I liked about this UK proposal, is that the money that the banks would have to pay to refund fraudulent transactions is actually split between the originating bank and the destination bank. So they've both got skin in it, and they both then have to kind of cooperate to do fraud detection, to reverse transactions, to do whatever the things they can do. Whereas previously, if you try to make it one or the other end's problem, then they're very good at saying, well, okay, it's the other bank's problem.
So yeah, I mean, everybody... In the one that I was involved with here, the money went from Commonwealth to Citi, and, you know, obviously you make the complaint with Commonwealth, then they tell, and then you just have to wait like 90 days,
and then eventually they come back and say,
oh, well, Citi lost the money, nothing we can do.
We got no insight into what happened there.
Sorry, bye.
That's not good enough.
No, no.
So I think this is, it's going to be really interesting
to see how this works out.
I mean, there is some argument that, you know,
maybe it would make it a more attractive target
because banks are, you know, people are individually less liable, banks are more liable. But I don't know that I buy that. Like, that was the argument that's been made in other places, is that you're just going to encourage fraudsters to come here. They're already here. They're already taking a whole bunch of money, making, you know, in some cases billions of dollars. So, you know, stopping it pragmatically by making the banks use their fraud detection techniques and move their processes, I think this is a good plan.
Yeah, I'm not sure if this is just a consumer protection regulation or if it's also going to apply to BEC and whatnot, but yeah, I mean, I think it is broadly a positive thing. And you're quite right, this hasn't started yet. It starts next year, but they announced the regulation while we were on break, and it kicks off next year.
So, yeah, let's see if that works.
But I have a feeling that it will.
You know, they will fight it tooth and nail here.
Everywhere where there's a banking lobby, this will be fought.
I mean, I've been up against the Australian Banking Association
when I was a news journalist, you know, and they are just –
they're exactly what you imagine a banking cartel lobbyist group to be like, you know. Their lobbyist enters, you can smell the sulfur, kind of thing.
Yeah, indeed. There's, you know, there are arguments back from Australian banks in this write-up that we have from ABC in Australia, already trying to, you know, prepare the battle space, as they would say in the US mil, for this coming down the pipe. But, you know, I would be surprised
if this doesn't result in improvement in the UK
and then I think we would see other countries follow suit.
So what else have we got?
Oh, yeah, we've got a proposal in the UK
and the government there is considering doing this,
which would allow the GCHQ access to some metadata within the UK to combat fraud, right?
And it's not a scary proposal.
It's actually some pretty clever thinking.
So there's an idea in here where they say, look, you could look for devices that are communicating with banks
and also communicating with command and control servers for known banking malware so that you could then,
you know, I mean, there's a bunch of stuff you could do with that sort of information. You could
give that information to the bank and say this, you know, your customer's device is compromised.
You could contact the customer directly, but this is the sort of stuff they're talking about.
I get that there'll be some people who will say, no, we can't let them do domestic surveillance.
But it seems like a pretty sensible use of data that's already been collected.
Yeah, it sounds like the vibe you get from this
is that there was a desire in the political class
to come up with some kind of,
we've got to do something about this.
And then somebody at GCHQ went,
well, I guess we could,
and came up with a bunch of ideas for using metadata
to spot indicators of fraud or whatever else
and then, like, the plumbing of turning that into an actual functioning system, there's a lot of nuance and detail. But at a high level, you know, it seems like GCHQ is, well, probably better equipped to deal with this kind of problem, you know, from a technical perspective, than anyone else.
And then, you know, you kind of have to figure out how to make all the other parts of the ecosystem work.
But it's a really interesting idea
to be able to do this on a national scale.
And, you know, the size of the fraud problem
is big enough that we have to think of,
you know, somewhat out of the box solutions
and traditional intelligence apparatus
has a lot of the tools that you could use
to address these kinds of problems.
Yeah, I mean, it reminds me a little bit, and this was an Alexander Martin story from The Record, it reminds me a bit of some of the conversations I've had with Andrew Morris, actually. I mean, this is different, but you'll see where I'm going in a second. Where, you know, GreyNoise's whole thing is they want to get to the point where they're partnering with enough telcos that they've made mass scanning or mass exploitation basically really, really difficult to do on the internet at all, because you're going to get snapped immediately. Now, if you've got an environment where as soon as someone discovers your C2, they've now got a capability that can find all of the endpoints that are communicating with it and distribute that information to the banks to prevent those things from logging in and doing fraud, I mean, you've actually just made, you know, you've introduced some real risks for the attacker in making your country a, you know, a priority, right?
Yes. Yeah, I mean, that's a great example, like a great comparison, of being able to, you know, you're going to burn your stuff so quickly that it introduces very real costs to the adversaries. And yeah, I think it's like, you know, the cypherpunk many years ago in me still, you know, says, oh my god, they can't, you know, look at every NetFlow record and then start feeding real-time information to other government agencies or whatever else. But the reality is it's actually quite a sensible proposal
to do that and solve very real problems and, you know.
Yeah, I mean, Tom and I often have these conversations
about, like, what's government for, right?
Yes.
And you can make a slippery slope argument
out of basically anything.
And I just, I think there will be people
who will try to turn this into, oh, it's mass... But really it's, it seems to me, and by the sounds of things it seems to you, to be a fairly sensible proposal.
Yeah, I mean, the cost of internet fraud is so high, and if we can solve it one way or the other, even if it has, you know, the whiff of surveillance, you know, you just put some rules around it and blah, blah, blah, blah.
But I mean, you know,
if there were some straightforward sets of rules,
you know, that you can spin up like that,
you know, concurrent use of a banking website
and a fraud C2,
like, you know, it's pretty sensible.
So yeah, I mean, I would like to know, wouldn't you?
Yes.
You know, if my device was communicating
with a malware command and control,
I would like to know that.
So anyway, our final sort of big government story
that I wanted to talk about this week
is there are some changes happening in the US.
This story is by Christian Vasquez at Cyberscoop.
He did a terrific job on this one.
And it's looking at how in the utilities sector in the United States,
the prices they can charge are really tightly regulated by the government.
And what's happening is there's some rule changes happening which will allow some of these utilities to charge more if that money is going to be used for security programs to do certain things. And, you know, you read this piece and you realize, look, this seems like a pretty
smart application of regulation because, you know, utilities, they have so many customers,
they don't really need to raise their prices by all that much to raise a lot of money.
And this is really about expanding their margins just for a very specific purpose,
which is increased security spending, and then some guidelines on what that spending should be and
you just read this and you think, no, this seems pretty good, this seems pretty sensible.
Yeah, and in that kind of utility space, right, it's also a very slow-moving environment, so making any changes is a very, very long process. And, you know, some of the problems they have to address in terms of cyber are fast-moving problems, where, you know, right now it's very difficult to go make a business case to invest in this kind of control or that kind of thing. And because it takes so long, it means the, like, organizational risks of doing those processes is very high. And so having some support from the regulator to say, like, here is a set of things you could try doing, and, like, one of the examples of things that they would permit you
to raise rates to fund is, like, joining the ISAC,
like the Local Information Exchange for utilities,
which, you know, that seems like a pretty big no-brainer.
But even something as simple as that, right,
it is complicated in utilities because of, you know,
that sort of very risk-averse, very long-term thinking
that they are used to doing.
And having to operate in the modern world
is challenging for them culturally.
So any way we can support it makes sense.
And I think a very small rate change for consumers
can make a big difference because, as you say, of the scale.
Yeah, yeah, that's it.
Now, of course, while we were away,
there were a gajillion ransomware incidents, as usual.
Yeah, I mean, so the way it works, for those who are curious, is one of our staffers does a daily scrape of news articles in cybersecurity and puts them in a big document for us to then go and go through and pick out the ones that we want to talk about in the show.
And, you know, we came back from a couple of weeks off with, you know, something like 12 or 13 pages of links to news articles
and a lot of them were ransomware,
but there were two that were interesting for a couple of reasons.
One was a Japanese port, the port of Nagoya,
which accounts for about 10% of container shipping in Japan.
They were ransomwared and actually had to shut down for a couple of days. But the
interesting thing is they didn't pay and they were back up and running in two days. And that is,
that's a good news story from where I sit when the disruption was, okay, sure, you know,
massively disruptive event, but they managed to get back up and running. The other one was
Petro Canada. All of their, you know, service stations had problems with payments and whatever.
They had a massive, horrible ransomware incident.
Also back up and running after a couple of days.
But so we know that the Japanese port has said that they didn't pay.
I don't know that Petro Canada has said the same thing.
I did a quick Google around this morning.
I couldn't find anything.
But it is my guess that they probably did not pay, right? So what we are seeing now, you know, it's mixed news, right? Because what we're seeing now is a lot of these bigger organizations with more mature security teams and whatever, they're getting back up and running and they're not paying. Whereas the, you know, community colleges and whatever, you know, they're the ones getting nuked. Not sure if they're paying or not, but it just seems like big enterprise with competent security teams are the ones who are, you know,
being disrupted but not flattened by ransomware these days.
Yes, I think that's probably a reasonable assessment, and it is good that people are getting to the point where recovery is a practical option. And also, I guess, you know, the sort of social pressure to not pay has been ratcheting up over the years. Like, it's generally seen as a bit less acceptable, you know, to go down to your local, you know, chamber of commerce and brag to your biz buddies that you paid off a ransom. You know, that's not so much the vibes anymore, whereas perhaps it might have been seen differently some time ago. Of course, one does wonder, you know, how good are we at evicting people?
Because that's real fiddly, especially in big networks.
And Petro-Canada is part of Suncor,
which is a giant energy conglomerate
with tendrils all over North America.
Like, evicting someone from a complex environment,
you know, you want to be pretty sure?
I mean, you don't have to evict them from everywhere, though.
You just have to evict them from the places where they can do serious damage.
And I think, though, that there are enough people in the consulting space now, incident responders who are used to dealing with this, that I think eviction is probably more achievable.
Like with the right external consultants, it's probably going to be a bit easier now than it was even just a couple of years ago.
Because it's become such a critical thing. It's a service people need. Please come and kick the Russians out of my network, you know.
Yeah, yeah. And I, you know, I look at the skill level of, you know, some of the incident response team here at CyberCX, that, you know, some of the operations they have to pull to evict people out of networks like this, some, it's hard work, but they're also very good at it. And that kind of understanding, you know, there are, as you say, a bunch of people
that do have that expertise now.
But, you know, when you look at the, you know,
the head towards, you know, EFI and boot sectors
and hardware-based things,
we have to track the hardware.
You know, that's, that, you know,
maybe we're in a sweet spot
where eviction is a reasonable option at the moment,
and maybe we should enjoy that sweet spot while it lasts.
Yeah, I think the TLDR, and we'll get to this later,
which is, you know, if you're a crook,
it's time to start really learning how UEFI works.
Yeah, exactly.
The TLDR.
An interesting one here from Jonathan Greig over at The Record,
where some European hospital wound up getting a whole bunch of malware spread
around on it via USB. It looks like it was some sort of Chinese APT malware, where someone from the hospital went to a conference in Asia and this USB-based malware was targeting Southeast Asian targets and whatever. You know, they used it on someone's laptop to do a, you know, to put their slide deck for the conference or whatever, brought it back to the hospital,
and it's just been doing the rounds at this hospital.
And you think, you know, I mean, this is,
we saw something similar with Stuxnet, right?
Like a long time ago.
The difference was that Stuxnet would spread
but not really do anything.
It would propagate, but, oh, hang on,
you're not a uranium enrichment plant in Natanz.
I'm not going to do anything, right? Whereas this thing looks like it was, you know, getting on everyone's box and starting exfiltrating information back to Beijing, right?
Yeah, not great. And, you know, those kinds of conferences, I mean, I spoke at a conference once where there turned out to be USB-borne malware on the AV systems of the, like, InterContinental hotel here in Wellington, which then ended up propagating into people's corporate networks and stuff. So, like, you know, anywhere where you're handing USB sticks around, still kind of risky. But I think it was IBM that was handing out, like, pre-infected USB by accident at AusCERT.
That's right, yeah. Yeah, that was a long time ago. And AusCERT got really annoyed with me
for actually writing that up as a story.
But that's just how they were back then.
They were like super salty, you know?
Yeah.
Yeah, and it's interesting that, you know,
controlling the distribution of, you know,
hardware traversing malware,
like malware that traverses via people plugging stuff in,
physically moving things around,
a la the, you know, 80s virus era, is still very much a thing. And I, you know, I kind of like it in a way. You know, there's something old school about physically passing malware around that I like, even though having a hospital in Europe owned, not ideal.
Yeah, but I mean, this comes back to the fact that China is not particularly responsible when it comes to a lot of these operations. I mean, you look at the Hafnium stuff,
you look at the more recent stuff with,
God, what crapware was it?
It wasn't SonicWall.
What was it?
Barracuda.
Yeah, yeah, yeah. Sorry, they all blend into one in my brain, right?
So yeah, the Barracuda stuff more recently,
Hafnium, and then stuff like this.
And you think, you know, come on, you've got lawyers.
Can you just not do stuff like this, please?
You don't need to. Just don't be lazy.
Yeah, yeah. It does seem contrary to the sort of norms that, you know, Western intelligence agencies and so on have to abide by, you know, in terms of being responsible with where their stuff ends up and what happens to them, Stuxnet notwithstanding. But, you know, that was a somewhat joint operation, shall we say.
It was also 12 years ago,
and they did actually put some stuff in the malware to make it not harmful when it did propagate
to systems that weren't its intended targets.
I mean, I'm just getting at the fact that,
and, you know, the tricky thing for the West
is you can't respond to something like this
by going and malwareing a whole bunch of Chinese hospitals
because that's illegal.
So, you know, it just would be nice if China...
Proportional, but illegal.
Yes, exactly.
So it would be nice if China would put a little bit more thought
into how to stop these sorts of things from happening.
Yeah, it's rude.
It's China rude.
Very rude.
Microsoft has nuked over 100 malicious drivers, Adam.
And look, I've looked into this a little bit.
You've looked into it a lot more.
Some of these drivers got signed with like stolen certificates and stuff.
But one of the ways that they could get them into a state where they would be loadable into Windows was by like backdating the signing or something.
Can you walk us through all of this?
Because it's still a bit fuzzy for me.
Yeah.
So the Windows hardware certification process will sign drivers for vendors' hardware, and that's, you know, we've had driver signing for a while. And at some point, I think maybe during the Vista era, they introduced some rules so that people who had drivers that worked on Vista but that didn't meet modern requirements were allowed to still be loaded after an upgrade to Windows 10 or whatever, if they were signed before a certain date, which was like 2015 something. So if you take a stolen certificate these days and you sign a driver with a stolen certificate, obviously there's plenty of those around in the underground, and backdate its signing time to 2015 through using, like, Windows Detours to hook the timing process during the signing, then you bypass a whole bunch of those more modern verifications that Windows does when they sign the drivers. So you can sign old drivers, you can bring old drivers and use them in ways that they were intended to do or whatever else. So it's a way to bypass the modern security controls, and there's a couple of open source tools for doing this time manipulation whilst signing.
Yeah, so this looks like it's sprung out of, like, the game cheat community and then got picked up by APTs. And, you know, this is something that you and I have spoken about before, which is the quality of research coming out of game cheats is just amazing.
Yeah, yeah, exactly. If you want to load a kernel driver to, you know, manipulate Call of Duty or something in memory and get around the DRM or the anti-cheat,
then yeah, you have to be, you know, pretty sophisticated.
And then, you know, we've seen these techniques
now being picked up by the hacking community
and some of the, you know, kernel drivers in place
are for things like killing antivirus software
or killing endpoint software or, you know,
doing other things in kernel space
that hackers would like to do.
Yeah, I think I misspoke too, because I think this has been linked to the Chinese cyber
criminal underground, not so much APTs. But yeah, either way, it started off with game
cheats and that's very interesting. Now, look, you know, you can mess around with backdating
drivers and doing all that sort of stuff, or you can just go and own a Fortinet appliance, Adam.
And according to the latest research, I think this was,
was this Bishop Fox?
Yeah, Bishop Fox.
Yeah, it was Bishop Fox. They took a look at the internet and they found
336,000 vulnerable FortiGate appliances on the internet.
So good news, everyone.
Yes, and yeah, yeah, exploits. This was the heap vulnerability. We mentioned it before we went on break, the bug had just come out, but yeah, anyway, there's workable exploits for this, and yeah, you just point it at Fortinet and you get a root shell. Job done.
Yeah, so 69% of FortiGate appliances are apparently, like, unpatched.
Yeah, some as much as, I think what, eight years old, someone said, some of the Bishop Fox guys. So that's pretty grim.
Pretty grim, it is. And I just sort of think, like, if you are building the next, you know, iteration of a border device, you have to factor this into your thinking, you have to factor this into your plans. I don't think anyone could release a device like this that doesn't auto-install updates, right?
Yes.
If you know that a border device like this is not going to get patches 70% of the time, you know, how can you sell it in good conscience?
Well, I mean, that's a great question. I mean, some of the code quality we've seen in these devices in general does suggest that the security of the people who are buying it is not a priority always. And I mean, thinking about your ecosystem overall long term in terms of maintainability as a vendor, like, that's not a thing that they've ever really prioritized.
Well, and that's what I'm saying they need to start doing.
And yeah, exactly, like, they absolutely do need to start thinking holistically and pragmatically. And the honest answer is they deserve to fail
in the marketplace for having trash solutions,
but you don't find that out until seven years
after you bought your Fortinet.
So market failure.
Market failure.
We love to bust out the old market failure.
Market failure.
Yes.
We need a meme with the button press.
Yes, exactly.
The big blue button, market failure.
Now staying with enterprise, absolute enterprise shit,
where CISA has issued a warning.
This was actually just after we went on break.
They've issued a warning that there's active exploitation
of VMware Analytics.
This has a 9.8 CVSS, which I guess just means you look at it
and it gives you shells.
What's this bug in exactly?
I think this is in a
VMware Aria Operations for Networks, which is like an orchestration tool for managing your cloud across
multiple things. So if you have AWS and on-prem VMware and something else, it's for kind of doing
cloud orchestration and capacity management and all that kind of thing. The bug in question was
actually kind of not that exciting.
Like it's a web service with a badly configured
like front-end proxy rule.
It lets you kind of like dot slash your way
to a different endpoint.
And then it's onwards into like command injection.
And it's just going to call an underlying shell command
and you can inject commands into it and job done.
So pretty boring as bugs go,
but it gets you root in someone's cloud
orchestrator. So not great. Yeah, and I wonder how many of them are on the internet. Um, well, yeah.
Now another thing, obviously, that happened while we were on break is, you know, hundreds of, uh,
organizations have been reported as being victimized in the latest file transfer appliance,
you know, the MOVEit thing that has been ongoing for a month or something. Um, I think we should just
reiterate our advice from April, which is if you're using an on-prem file transfer appliance, uh, you
know, it doesn't matter which company it's from, because Clop is gonna, is doing research into all
of the file transfer appliances now, because that is their business model. Uh, you need to look at
moving to something more modern and cloudy and secure. Yeah, I think
that's absolutely the right advice. Because yeah, these things have just like they've made such a
target for themselves now. And there's business model for making money out of it. And there's
just no reason to stop that gravy train until you run out of file transfer appliances. Yeah,
that's right. So get off them, right? And make everything ephemeral on those appliances quick smart.
Now, Adam, you would remember that when we traveled to Canberra
to do a live recording of the Risky Business podcast
at the ACER conference,
the first thing that we spoke about was the horrible state
of Evgeny Prigozhin's business network, right?
Like the computer network that controlled his communications
and business interests.
And yeah, we've got a story here from Washington Post
about how, I'll just read you the headline,
US spies learned in mid-June that Prigozhin was planning
an armed action in Russia.
Gee, I wonder how they found out about that.
That's why I wanted to include
this one, because we spoke about the report that came out of the Dossier Center. Evgeny
Prigozhin is obviously the Russian business person, businessman behind a bunch of interests
over there, Concord Management Group, the Wagner private military contractor, and also the Internet
Research Agency troll farm that was instrumental in conducting all sorts of interference
into the 2016 election in the United States.
And yeah, he went on a rampage with thousands of his fighters
heading towards Moscow, shooting down aircraft and whatever.
Unless you were hiding out in a cave at the time this was happening,
you would have caught the news.
But yeah, I mean, absolutely zero surprises here that apparently the American
intelligence community saw this coming. But my question for you is, what FSB doing?
Yeah, exactly. When, you know, clearly they should have had some concerns about
Wagner in general. And, you know, you would have thought hacking his computers to go have a look,
you know, would have been easy and perhaps responsible to do.
So that is a very good question of what FSB do.
Yes, yes.
So Prigozhin's network,
if you want to go back, listen to that episode, check it out.
But his network was basically, you know,
a giant flat, unpatched Windows network, right?
That was also handling the communication
for their not end-to-end encrypted,
like secure custom Android handsets.
Like just, yeah.
So, wow, wow.
The USIC were up in their network.
Like what a surprise.
At least the NSA didn't have to expend any expensive zero days on it.
Yeah, exactly right.
Such value for taxpayer money.
Yeah.
And look, staying with Prigozhin-related news,
there have been reports in Russia that he has actually shut down
Patriot or Patriot Media, his media company, which includes the Internet Research Agency.
There are conflicting reports, though, that suggest that the IRA is being sold off to another
Russian businessman. So we're not exactly sure what's going on there. There's a third theory,
which kind of incorporates both of them
which is that the powers that be in Russia
want him to sell this to someone else
but he's running around firing everyone instead
because he doesn't want someone else to have access to his baby.
And yeah, so that's the cyber angle.
Russia be crazy as always.
Russia be crazy as always.
Now, this is kind of Wagner-related,
although it's more like someone wants us to think
that it's Wagner-related.
If you listen to Risky Business News,
you would have heard over the last couple of weeks
reports that a Russian SATCOM ISP
or telecommunications provider was hacked
and the people claiming credit for the hack said that they were
supporting Wagner Group's, uh, you know, uh, actions against the Russian military, when in fact it was
probably a bunch of Ukrainians doing this because they thought it was funny. Yeah, I, I suspect so. And
I think the satellite provider was a Dozor-Teleport, they're called, um, and they looked like they did
get pretty comprehensively owned,
but we didn't really see the, you know,
Viasat-style, you know, bricking in devices or anything.
We saw, like, a bunch of data being leaked,
a bunch of stuff being deleted, but, you know,
they seem to be back up and running relatively quickly.
Yeah, it was a few days sort of thing.
Yeah, and this is a SATCOM provider that was, you know,
providing a bunch of stuff to Russian state entities and so on as well.
Yeah, the city of Moscow, the FSB as well, I think, are customers.
Yeah, yeah, exactly.
So pretty serious business,
but they seem to be back up and running faster than you would expect
if they'd been properly bricking modems or whatever.
Yeah, yeah.
But it's just funny that it's like,
yes, we are Wagner Group and we did this.
It's just like, oh, you've got to love the stirring.
But we've got a bunch of stories here about hacktivism,
ostensible or otherwise.
Yes.
Right?
And it's interesting because I can't recall a time
where we've seen this much.
Do you remember 10 years ago,
hacktivism used to be like people calling themselves anonymous
using like off-the-shelf DDoS tools to get websites, right?
Like that's what we used to call hacktivism.
But now we're talking about genuine hacks or DDoSs that actually have some sort of real-world impact.
Like there's this one here where the Russian state-owned railway company RZD
was hit with some sort of attack that rendered their app inoperable
so people could only buy tickets from the ticket counters at train stations.
Yeah, and that's the thing that has actual impact on real people.
So as denial of service goes, that's kind of unusual.
I mean, normally we see much more ineffective denial of service,
so well targeted in that respect.
But yeah, you're right.
The change in hacktivism from being largely kind of a joke into a thing...
To now being mildly inconvenient.
Oh my God, it's cyber war!
Exactly, yes.
But also pivoting a bit from just DDoS to Guacamaya, for example,
actually stealing data and doing meaningful things with it.
So there was definitely more sophistication in the hacktivist world,
and it's reflected in the number of stories
we've got this week to talk about.
Yeah, so the Russian ISP,
Satcom ISP, that was
probably Ukraine,
or pro-Ukrainian people.
This thing was the Ukrainian IT army,
so claimed by Ukrainian
hacktivists. And then we've got,
let's talk about SiegedSec,
because we've got some people doing, you know, apparent hacktivism in the United States, targeting states or more heavily targeting states that are implementing controls on pregnancy terminations and gender affirming care in those states.
And this group is now attacking them.
This particular group claims to be like a bunch of gay furries.
So that seems pretty inventive.
Why not?
Why not?
It's 2023.
I mean, the dual goals of hacktivism of doing computer crime
in a way that you don't get caught
and then also making a big song and dance out of it
and getting this kind of social recognition,
like they are kind of conflicting goals
and this crowd has certainly been doing a lot of talking about it, um, you know,
some hacking as well. But the more you talk about it, the more likely you're going to get arrested.
And doing hacking inside the U.S. against U.S., you know, official entities like the Nebraska
judicial branch, like you're kind of asking for the FBI to knock down your door and make trouble for you and your friends.
So we'll see whether it's real hacktivism or Russians,
but my gut feel is actually...
I mean, Guacamaya's real.
Like, you and I wound up getting it on good authority
that that's real.
Yes, yeah.
That seemed to be the conclusion, yes, that it felt real.
Yeah.
We've even got more news stories in this week's run sheet
about, you know, actually genuine hacktivists
like the Belarusian
group, the Cyber Partisans, have hacked some sort of university. And, you know, there's just a lot
going on, a lot going on. Now, look, moving away from hacktivists to actual cyber criminals,
we have more details now. The British courts have lifted a reporting restriction
on one of these Lapsus$ kids who's been charged with a whole bunch
of offenses. They were apparently arrested last year and they're in a lot of trouble. Alexander
Martin has written it up for The Record. But this, it looks like this guy, uh, Kurtaj, what's his name?
Arion Kurtaj. Uh, yeah, he's in all sorts of trouble, and it looks like he was behind, uh, breaches at Uber, and we
covered that one at the time. That was, what a day that was on Twitter when Uber got owned sideways.
That was like we're all in the classroom and a bird flew in, you know. It was that, that was the
vibe. Uh, then there was Revolut and, uh, you know, the, the developer of, uh, Grand Theft Auto,
uh, you know, that game studio. But yeah, he's in all sorts of trouble.
12 charges, he's 18 years old, he's just turned 18. Lucky him, turning 18 in jail and now can
face real charges. They also picked up a bunch of other lapsus kids, like some that are still
underage, but I mean, that was also the crew that hacked NVIDIA at that point in time as well. So
yeah, those kids are definitely in trouble.
I think there's, what, five arrested in the UK,
one in Brazil, one of that.
Yeah, there were five in the UK, two somewhere else.
I don't know, but it looks like, by the looks of things,
a lot more lapsus people were rounded up than we previously knew about
and there were reporting restrictions on this because they were kids.
Yes, yeah.
That's the TLDR here.
I don't know that he's in prison, though.
You said he turned 18 in prison?
I don't see in the story that he's in prison.
Yeah, he may not in fact be in prison,
but maybe he's in home arrest or whatever.
Well, probably out on bail awaiting trial would be my guess, yeah.
But I just wanted to clarify that.
Now, someone who is definitely in prison is Robert Thomas Clark,
who is also known as Variety Jones.
This was Robert Ulbricht's right-hand man in running the Silk Road drug marketplace.
This is a terrific write-up from Andy Greenberg, who has, of course, covered the Silk Road stuff for a long time, spent a lot of time in court.
And it's a sad read, really, because this guy is 62 years old.
He'd been in jail in Thailand for a while.
He is gaunt.
You know, by the time he wound up being flown back to the United States,
he's rail thin, just looks like absolute shit.
And now he's going to prison.
He's 62 years old.
He's going to prison for 20 years.
Yeah, no, it's pretty hard to read some of those particular details, but then
you also read the, like, this is the guy that pushed, uh, Ulbricht into, you know, paying for murder for
hire. So there's a degree of, you know, yeah, the sympathy, the sympathy sort of runs out the further
you read. Yes, in this, in this article, doesn't it? Yeah, yeah, exactly. The one bit, uh, that I think
immediately leaped out to both of us in this piece of reporting, though, is some detail where the guy claimed that he had bought some exploits to, you know, de-anonymize people from none other than the GRU.
Yeah.
In the Thailand zero-day trading scene.
Yeah, yeah.
So he claims he bought a bunch of 0day to de-anonymize Tor users from the GRU and then gave it to UK and US law enforcement.
Like, it's a claim that doesn't make much sense.
It doesn't make any sense at all.
The GRU has said, I don't know what the guy's on about.
Like, this is bullshit.
And the guy has made a whole bunch of other,
like, absolutely ridiculous claims as well.
So I think it's bullshit.
And yeah, it's just, look, it's a really interesting read.
And this guy says that he was involved with Silk Road
because of his political belief that drugs should be, you know, decriminalized and whatever. But yeah, as you say,
you read into it and it's like he's, he's pushing for murders and things like that. You just think,
well, you know, you're not very nice, are you? You probably do belong in prison. Exactly. Yeah, yeah.
What else we got here? Yeah, there was, uh, so one of these ex-Group-IB people has been arrested.
Nikita Kislitsin has been arrested and charged.
I love the charges here,
because this is like straight out of a time warp.
He's been charged with selling usernames and passwords
belonging to American customers of the social media company Formspring in 2012.
This is another story from the record by Darina Antoniuk.
And yeah, he's in a bit of trouble.
Now, what's interesting is that this guy was arrested in Kazakhstan
and the US is seeking extradition.
And it looks like that's going to be granted.
Russia did what it normally does in this situation,
which is to lodge a bunch of its own charges
and try to get extradition of its citizen back to Russia.
For a long time, people thought this indicated
that Russia was trying to get back its criminal hackers
because they're doing the bidding of the state or whatever.
Tom Uren wrote an excellent edition
of Seriously Risky Business last week
in which he argued that Russia's mostly doing this
just to put a finger in America's eye
and also doing it because they're a bit embarrassed
about their cybercrime thing and they would rather just, you know,
handle it themselves kind of thing.
But, you know, there's a lot to unpack on this one, isn't there?
Yeah, yeah, yeah.
There certainly is.
And, you know, Group-IB's tie-up with all sorts of, you know,
people who are involved in the Russian cybercrime world
and intelligence services.
Like, keeping track of that web, I think, would be a
full-time, you know, you need a full-time analyst to keep track of that stuff. It's complicated.
Um, but, uh, yeah. Now, I think Tom's analysis of, you know, Russia's moves regarding extradition
of its citizens, you know, from Kazakhstan, from other places like that, I think it's bang on,
because it's like the simple answer of, like, this is just kind of awkward versus the, you know,
machination and grand conspiracy.
Yeah.
So I think I'm with Tom on that one.
Well, it's also a way, it's also, you know,
that sort of lawfare approach of Russia to say,
see, we're a nation of laws.
We're trying to extradite this person for computer crimes too.
You know, it's just very, very Russian.
Yeah.
And yeah.
So there's, yeah, good write-up there on The Record.
What else have we got here?
We have a report. Again, Tom covered this while we were away, but we got some stats on the EncroChat.
The EncroChat was a crime phone, sort of like Anom, sort of like, you know, what Phantom
Secure was, and whatever. We finally have some statistics now out of European police. Now, we thought Anom was
amazing because there was something like 800 arrests
in Australia and New Zealand.
It looks like from the intelligence police
gathered from the EncroChat infiltration,
they arrested 6,500 people,
including 197 high-value targets.
They sentenced people to a combined 7,134 years of imprisonment, seized 740 million
euros in cash, 150 million in frozen assets and bank accounts. They seized 30...
100 tons of cocaine.
103.5 tons of cocaine, 30 million pills, 164 tons of cannabis, 3.3 tons of heroin, nearly a thousand
vehicles, 271 estates or homes, 923 weapons, 20,000 rounds of ammunition and 68 explosives,
83 boats, 40 planes, uh, 100 assassinations prevented and a partridge in a pear tree.
Just amazing.
I mean, did your mind boggle?
And what's amazing is that this happened some weeks
after Tom wrote up for us a piece titled
Crime Phones Are a Cop's Best Friend.
Yeah, but some of those numbers are just staggering.
I mean, trying to imagine like tons of heroin
is not normally a metric that one considers it in.
And then 100 assassinations prevented.
Shashinations, like Sean Connery.
And 100 assassinations prevented.
Like, that's a metric that I don't know
that I've ever read in a news story, you know?
Yeah.
So, yeah, pretty seriously good police work there.
And, yeah, crime phones, definitely a cop's best friend.
Well, especially considering just how free people
who use them think they are to just
say whatever they want, you know. My favorite little detail about the Anom one is how it would tag
every single message with the GPS coordinates of the unit when the message was sent, so that it
would be someone's, like, sending their mate a picture of someone they just killed. Yeah, you
know, and they'd have, then the cops would have the picture, you know, the identity of the person
sending it, and the GPS coordinates, you know. Just, it's just mind-blowing stuff, mind-blowing stuff.
Now, look, just wanted to quickly mention this.
Breached forums has been seized.
This is, of course, three months after the admin or the alleged admin has been arrested.
It's already kind of sprung up in a reincarnated form, but you do wonder how long that one will last.
I think the fact that the FBI
and various global law enforcement agencies
are just continuously smashing these marketplaces,
you do wonder how long the new one will stick around.
Yeah, I mean, that kind of succession planning
is a key part of being a crime forum operator.
I think the guy that's running the new one
was pretty senior in the previous breach forum,
so maybe there's some leads that they already have from that data.
Or they're an FBI agent pretending to be.
Or they're an FBI agent pretending to be.
What was interesting, I thought, was Alexander Martin,
who wrote this up for the record,
noting that there's been very little effect
in the non-English speaking crime
forums world. We've seen so much, you know, turmoil with BreachForums and RaidForums and so on,
whereas the Russian ones are just carrying on, situation normal, no real impact. Um, which, you know,
it's very nice to see these successes, but it's a good reminder that there's plenty of other
non-English speaking ones that are still super important. Yeah, I mean, I think it's like any of these crime communities, right?
And Silk Road was a good example of this.
And, you know, subsequent marketplaces is, you know,
there's always the rise and the fall.
But once one of them gets too powerful,
like they do facilitate an awful lot of crime.
Like, you know, your best case scenario is to have a bunch of little ones that almost fly a little bit under law enforcement's, uh, radar. Now, look, speaking of the,
of the crime forums, Genesis Market apparently is hitting all of the forums trying to sell off the
business. And their business, uh, of course, was that, you know, was the market itself, but they also had
stuff like browser plugins that would allow people to mimic certain browser profiles
to bypass those sorts of checks
when using stolen credentials, et cetera.
And yeah, they're trying to sell it.
The funny thing is though,
their listings are getting booted off the forums
because people don't trust that they're not FBI.
And of course, Genesis Market was disrupted by the FBI.
So now everyone's like,
well, yeah, we just don't trust these listings.
So this is another one by Alexander Martin.
We talked about a bunch of his stories this week,
but I did get a chuckle out of this one.
Yeah, yeah.
It's always nice seeing that kind of social cohesion breakdown
as a result of law enforcement actions.
I think in this case, they're trying to sell,
like they say the dark net, like the Tor version of Genesis Market
is still up and functioning
and trying to sell that as a going concern, plus all the other, you know, technical, all the other
technological gubbins that you mentioned. But yeah, not, not having a whole heap of luck. Yeah, yeah. Uh,
now let's talk about, uh, Truebot. Now, this is a particularly nasty bit of malware that tends to
be used as an initial access component for ransomware crews and
whatnot. We've seen warnings out of the Americans and the Canadians about this thing coming back
and being spread around at the moment. It's actually being deployed via a vulnerability in
a product made by this week's sponsor, Netwrix. It's, um, one of their, uh, Auditor products, um, server-side bug. And, you know,
their advice, obviously, to mitigate this is, hey, maybe don't put your PAM auditing software on
the internet, which I think seems fairly sensible. Um, but yeah, Truebot's back, and it's a, um, you know,
it's, it's a particularly nasty one, which I guess is why we're seeing the warnings here.
Yeah, exactly. I mean, it's the one that's been around for a while
in different forms and more traditionally,
like email delivered, click on a bad thing,
get infected.
But seeing it being actively exploited,
exploiting bugs in server software
is a bit of a kind of a twist for it.
But there's also a strong tie up between Truebot and Clop.
We've seen Truebot used by the Clop-affiliated people
for gaining initial entry to then go and steal data and so on.
So it's one of those likelihood is high and impact is high kind of thing,
even if they're components that we've seen in other contexts already.
Yeah, yeah.
Context is everything, isn't it?
Yes.
Which is that these people are not messing around.
Yes, exactly.
Yeah.
NSA's put out a really interesting mitigation guide on the BlackLotus, uh, malware. Now, this is malware that is, like, UEFI-based stuff, right? Like, walk us through this one. Yeah, so this is a malware
that we, then, we talked about it just before we went away, um, on break, which was, you know, infects the UEFI process
so that it can take control during boot-up, and then getting rid of it's kind of difficult because
of, you know, the complexities of getting stuff out of the UEFI environment. And the NSA's paper talks
through, like, the practical reality of, you know, of the hardening against this, like what the options
are for Secure Boot, like which components
of Secure Boot work well, and like Secure Boot as the whole ecosystem rather than just the specific
technology. And also, like, from a practical point of view, you can read in the paper that the NSA has
tried to do things like put custom root certificates in their boot-up process so only they can sign
software that's going to be allowed to boot
and so on and so forth.
And there's some, you know,
like this is practically quite difficult to do.
And like, you know,
you get the impression
that if the NSA can't manage that,
then probably no one else is going to.
But it does have a bunch of practical advice
for how to think about,
you know, doing trusted boot
on your various platforms
and not just on Windows,
on Linux systems as well.
So NSA probably put a lot of thought into that.
So it's definitely worth a read.
That's why we're talking about it because it seems quite a thoughtful document,
doesn't it?
Yeah.
It feels born from practical experience.
Yeah.
There's some nuance in it and it's worth a look.
So we've linked through to that in this week's show notes.
And I just wanted to include yet another Alexander Martin story this week.
Apparently someone hacked exam boards in Britain
and stole exams and then sold them to students online.
I only wanted to include this because that's very much
like something from an 80s B movie.
Yes, exactly.
Very enterprising.
Yes, but it has now happened in real life.
What else have we got?
$125 million in crypto stolen from MultiChain,
the MultiChain platform.
That's going to buy a lot of ivory backscratches
for the North Korean leadership, I'm guessing.
And we were talking with Catalin Cimpanu,
our colleague, this morning,
and he's chasing down unconfirmed reports
that there might be something like another 100 million gone from them.
So, you know, the clown show that is Modern Crypto just continues.
My apes, all liquidated, Adam.
My apes have been liquidated.
I mean, I love it.
I love that these combinations of words, you know, if you could send it back in time and say there'd been a mass ape liquidation
event and that that would make sense to thousands of people.
You know, if you had told me that 10 years ago, I would not have believed you.
Anyway, Adam, that's actually it for the week's news.
Thanks a lot for joining us.
And of course, you're doing more with us these days, which is something that I guess we can
tell listeners.
You're helping out a bit more at the old Risky Biz HQ.
Yes, I'm picking up a bit more work.
I'm actually now part-time with Risky Biz HQ,
so I've got a bit more time on my plate to help out.
And it's just really interesting being exposed to some of the inner workings,
like seeing Catalin in real time in the Google Doc.
It's just really interesting.
So, yeah, I'm looking forward to contributing a bit more.
He's our 10x infosec journalist, is what we call Catalin.
Yeah, exactly, exactly.
Just you stand back and behold, basically, yeah.
All right, mate, thank you so much.
And, of course, we'll be back on the show next week.
Thanks a lot for your time this week.
We certainly will, Pat, and I'll see you then.
That was CyberCX's Adam Boileau there
with a check of the week's security news.
Big thanks to him for that.
It is time for this week's sponsor interview now
with Martin Cannard, the VP of Product Strategy at Netwrix. Netwrix is a privileged
access management or PAM vendor, and they wound up acquiring our long-term sponsor, Remediant.
And they're really interested in pushing a PAM approach that involves ephemeral privilege or
just-in-time privilege, as opposed to just using password vaults for everything, which is kind of how PAM worked 20 years ago. Here's Martin Cannard.
For a long time, we were the only ones, you know, that were really sort of trying to push this. I
mean, us and Remediant, which of course is now part of Netwrix, but now other vendors are starting to follow suit. I know two other big PAM companies are now starting to
take companies to what is called zero standing privilege. So it's a Gartner term.
So what we call accounts that have their privileges always on, if you like, is standing
privilege. Standing privilege is the attack surface. Zero standing privilege is a state.
That's where you want to get to. And so certainly we're seeing other vendors starting to move into
that because people are saying, well, why am I just sitting around managing this problem? I mean,
it's the same sort of thing with a lot of the things that we do in the world today. I mean,
we want things at the point of time we need them. We're consumers. We're real-time people. I want information. I Google it. I get that
information straight away. And it's just a natural progression, I think. So there's obviously a
usability aspect to this. There's a management aspect. But more importantly, there's a security
aspect as well. Because if you remove that privilege, that means you're cutting off a large chunk of a component that's generally used for lateral movement attacks.
Yeah, I mean, I absolutely see the value in this goal, right?
Which is zero standing privilege is where everybody should strive to be.
The problem is, and it's a simple, simple problem,
you can't really do that because of machine-to-machine accounts, right?
So when you look at service accounts and things like that,
this is the last frontier of stuff that you just can't remove its privilege.
You can't easily do it on demand.
I mean, this is a conversation I've had with your colleagues in the past
where, okay, if you've got something doing, you know, point-in-time scans or point-in-time backups, you know, you can set it up to provision those accounts with privilege for a certain window.
But even then, you've got an attacker who sees this privilege rolling around once every 24 hours or once every three days.
You know, you're kind of back to square one.
I mean, I just think about some of the problems happening right now with Fortinet devices getting owned, right?
And people are grabbing the service account.
They're a domain-joined appliance.
They're grabbing the service account, which has privilege,
and they're using that to move onwards to great victory, right?
So, you know, where is the PAM industry currently?
Like, how is the PAM industry trying to address that last mile problem of service accounts and domain joined, you know, appliances and machine to machine privileged accounts?
So one of the things that can be done with that is really the ability to start moving to ephemeral identities.
So, you know, you're not just saying,
okay, well, I'm going to add and remove permissions.
Because like you say, there's latency involved there.
There are ways, you know, I mean,
with a lot of different types of service accounts
where you need that privilege to be always available
for a period of time.
But there are some mechanisms,
there's some ways in which you can stage accounts.
You know, you can almost, if you like,
have a, think of a hopper of accounts that are set up, that are ready to use, that are
pulled out, consumed by, you know, your machine-to-machine, um, you know, applications. So they pull
an identity, they use it once, they finish, they throw it away. Um, you know, so part of the benefit of that means that,
you know, it means that you actually have something where, instead of just saying, okay, well, here is, um,
you know, an account, and give me a credential to be able to use it, and all those permissions being
there, it also means that you can actually give the right level of permissions. So it means that,
you know, you have different types of applications, things that need different types of permissions, which invariably, we always
tend to give things the highest level of permission. We give them local administrator,
we give them, you know, we give them root, you know, we give them sometimes domain admins,
you know, but, you know, without thinking about, well, there's a way of, you know,
pulling down that exact level of privilege that's actually required for that particular session.
And so I think part of certainly what we're doing is, you know, we've essentially built an orchestration system.
That's really what our product is.
It's an engine. I mean, it is a PAM product, but it's something that allows you to be able to orchestrate a whole sequence of events, or sequence of things, if you like, that gives you what you need at the point of
time you need it, that we can remove afterwards. And that can be accounts. It can be permissions.
We can turn services off and on. We can turn RDP off when you're not using it.
RDP is a ransomware distribution protocol. It's a brute force attack service, but we leave it running 24-7 because we don't think there's another option.
We can turn it off when it's not being used.
Turn it on when you need it, turn it off.
So again, those are just examples of what you can orchestrate.
So it's all about identity orchestration to create the account or the identity that you need, privilege orchestration to give it the right level of privilege and then environmental orchestration
to be able to build some controls
around how you're actually going to use that.
I mean, this doesn't solve
the Fortinet appliance getting owned part of it,
but I mean, the most solid argument I've heard that,
and I'm not saying we throw our hands up in the air
and we say, oh, well, let's not do privilege management.
Let's not embrace this concept of ephemeral privilege,
right? Because it's a good idea. But I think the strongest argument for it, knowing that we're
still going to have these weak points, is that, you know, if you are managing privilege well with
a system like this and with thinking like this, it makes the telemetry that you get from observing the privileged accounts that are
left over a lot easier to manage. And, you know, you can see bad stuff a lot easier when you're
not dealing with just insane volumes of dodgy looking stuff happening all the time, right?
Yeah, it's like eating an elephant, you know, one bite at a time. I mean, you know,
you have to start somewhere, you know, and it's all about, you know, really start removing what
you can remove. I mean, start with the highest value assets first, domain admin accounts.
I mean, you know, anybody compromised the domain admin account and those are the ones that are
generally someone's going to go after in a lateral movement attack. Well, we saw that with the Volt Typhoon stuff, right,
where people were running various native tools
on Windows domain controllers and stuff, and that was terrible.
Yeah. Oh, yeah.
I mean, someone gets on a domain controller,
I mean, it's a very bad day.
And so when I look at security,
I always think it's like a prescriptive mechanism.
There's 1,001 different things that you can do.
But you start with the highest value assets first, the low hanging fruit.
Where am I going to get, for the least amount of effort, the biggest impact that I need to be able to do?
And you start working through that in the list.
And very often it's dealing with, um, you know,
identities, to your point, where there's a lot of them. So domain admins, all right, there's not that
many of them, but sometimes there are. There's a lot of local admins. Yeah. I mean, as you start to
reduce down that pool, to your point, that's when you're cutting out the noise. So, yeah, you can't do
everything, but it means that you're providing
a little bit of clarity and control
over those areas that you can't
necessarily make a firm rule.
Well, I mean, one of the things
that we always liked about Remediant
and the company that you were with
that got acquired,
also got acquired by Netwrix,
was Stealthbits, I believe.
Similar approach, right?
Which is this idea
that you can drop something in,
like password vaults are fiddly
right? Whereas these things, uh, you could just drop them in and it gets you a long way very quickly.
It doesn't solve all your problems, right? But what does, you know? And the idea that you could just, um,
yeah, do PAM easily via, uh, uh, this type of orchestration, um, I think that's really the appeal, isn't it?
Well, and the key thing that we did was we added a vault.
As much as we said, look, you don't need a vault,
and I developed this concept, even trademarked the term BYOV,
bring your own vault, where you could connect to somebody else's vault.
But the thing is, a lot of people want the comfort blanket of a vault.
They want to be able to see if they can do it the old way.
And that's always been the challenge.
When you come up with something that's new, innovative,
every person on a call is going to say, this is fantastic.
I've even actually had a round of applause at the end of a demo,
which I have never had with any other product.
And yet, sometimes in the early days the uptake was very, very slow, because people didn't want to be that bleeding-edge person that brings something in, and, you know, is this something
I need? So that was why we felt it was very important to build a full-blown PAM solution
that does everything PAM-y, everything from, you know, the video recording.
That's Netwrix's whole thing, right, is to be the big PAM company
with all of the different ways that you can do PAM.
Yeah, well, you want to be, I mean, so it's all about having something
that can cover those, but you want to drive someone
towards a best practice.
Yeah.
You know, so you want to be able to say, look,
you're kind of guiding people along a path. I mean, people do silly things. I mean, you can stop the way that people use tools. People will try to consume. We make it easy for any users to use.
They're more likely to embrace it. Every administrator has PAM PTSD. I mean, no one,
absolutely no one likes PAM. It's one of those really interesting things. I mean, you're selling
a product that no one likes. Philip Lieberman, I mean, he owned Lieberman Software years ago
before they were acquired by Bomgar.
He used to say that nobody puts in a PAM solution because they want to.
They put in a PAM solution because they're told to.
Because PAM solutions stop people from doing the job.
People just want, I'm a DBA.
I want to mess around with databases.
I'm a network device admin.
I want to get, they just want to do their stuff.
The groaning eye roll of having to actually hit the PAM speed bump. But, but look, I got one last line of questioning that I want to hit you with here,
which is that now we've moved to this sort of orchestration-based, you know, uh, just-in-time
privilege sort of thing, why is the natural home of this function not with the IDP companies, you
know, like your Oktas and whatnot? Why have they not done stuff like this?
I mean, maybe they are doing some PAM stuff and I just don't know,
but I would have thought the natural home, you know,
for this type of product would be with the IDP vendors.
Why is that not the case?
So Okta have tried with ASA, you know, where they actually have a,
it's almost like a token-based access control
to servers, Windows and Linux.
But the thing is,
is they are really the sort of custodians
of the identity
as opposed to necessarily
those downstream entitlements.
Now that said,
as Netwrix does,
we've acquired an identity company.
So we are now an identity management.
But that's what I mean.
Like it's a different thing, but you would think that it's a logical place to sort of
glue these two things together would be on the identity side.
Well, it is.
I mean, so ultimately, so, so what we're dealing with, though, is, is we're dealing with almost
like a future state where we do need that merge of those
areas together. To your point, absolutely, the identity is really where it lives. But we're in a
world where 99%, you know, of the, even the companies that have PAM at the moment, are just
storing these things in, in vaults with persistent privileges on all of those accounts. And so
really, sometimes, you know, we have to kind of, we have to find a way of moving people to some of
these new methodologies. Now, there's always going to be, you know, sort of different things that we
can add in different combinations that will be able to say, look, instead of actually having a
PAM solution, identity solution,
with your SCIM, a share table integration, trying to do attestation up here and swap permission down here,
let's have a central set of entitlements.
That's definitely the future state where we should be going to.
But at the moment, we're in this sort of transition where we have to kind of, like to your point, we have to drag people kicking and screaming from their old notion of PAM into this new mindset. You know, once, I think, it becomes
more, you know, uh, pervasive, you know, you know, people are using it more and more, um, you say,
you know, a lot of the large vendors are also now adding zero standing privilege support,
um, it'll become a thing.
You know, it will gain its momentum and that will then drive, I think, a whole lot of areas.
I mean, when you think about it, I mean, outside of privilege, think of networking, you know,
about where we actually do, you know, we have static routes on networks.
Why not actually dynamically build a route when you need it and tear it down
when you finish? Well, there's some companies doing stuff like that, right? So you've got this
Zero Networks, who I think we've just signed up as a sponsor, actually, because I, I had a call with
the founder. Adam and I both had a call with the founder, uh, recently. Had a good chat, uh, with them,
and it is interesting. And I think we're moving to a point too where we're going to start doing,
you know, authorization of individual actions and executions and things like that.
Like CMD on the Linux side, we're doing Duo Push to authenticate, like, sudo, right?
Right.
On Linux boxes, yeah, I definitely see the same possibilities.
I think, honestly, a reason a lot of the IDPs aren't going down this road is because of the number of different technologies that they have to support.
And it's just too hard. And they're making lots of money doing identity anyway, right? So, oh yeah,
there's a lot of technical debt tied up in, you know, that. I mean, in terms of platform support,
old platform support. I mean, you know, you've got, if you're Okta, do you really want to be,
do you really want to be going and building support for a lot of this stuff? Right? Yeah, I
mean, you've got places running, you know, Windows 2003 and, you know,
I mean, 2008, not even R2, or even LAN Manager and OS/2 in data.
You know, it's a scary world.
No one wants the headache except for you, Martin Cannard.
Thank you so much for joining us to have this conversation,
an interesting conversation about, you know, where all this could be going.
Cheers.
You're welcome.
That was Netwrix's Martin Cannard there with a chat about what's up with PAM.
Big thanks to him for that.
And big thanks to Netwrix for being this week's sponsor.
And that is it for this week's show. I do hope you enjoyed it.
I'll be back tomorrow with another edition of the Seriously Risky Business podcast in the Risky Business News RSS feed.
I do that one with Tom Uren every week.
But until then, I've been Patrick Gray.
Thanks for listening.