Risky Business - Risky Business #715 -- Pressure mounts on Microsoft to explain itself

Episode Date: August 1, 2023

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They cover:
Ron Wyden’s “please explain” letter to Microsoft
Chinese ... APT crews prepositioning to disrupt US military logistics
China claims US hacked its seismology sensors
Ivanti/MobileIron exploitation going vertical
Much, much more

This week’s show is brought to you by Stairwell. Mike Wiacek, Stairwell’s founder and CEO, is this week’s sponsor guest. He’s joined by Eric Foster, Stairwell’s VP of Business Development.

Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that’s your thing.

Show notes
Wyden letter to CISA, DOJ, FTC re 2023 Microsoft breach
Senator calls on DOJ to investigate alleged China hack of Microsoft cloud tools
U.S. Hunts Chinese Malware That Could Disrupt American Military Operations - The New York Times
Multiple Chinese APTs establish major beachheads inside sensitive infrastructure | Ars Technica
John Hultquist🌻 on Twitter: "We found this actor in land, air, and sea transportation targets which could be leveraged for a serious disruption to logistics." / X
China accuses U.S. of hacking earthquake monitoring equipment
Exclusive: Pentagon Investigates ‘Critical Compromise’ Of Air Force Communications Systems
CISA: Ivanti hacks targeting Norway began in April
US, Australia cyber agencies warn IDOR security flaws can be exploited ‘at scale’ | TechCrunch
Ivanti warns of second vulnerability used in attacks on Norway gov’t
Andrew Morris on Twitter: "Exploitation of Ivanti EPMM (MobileIron Core) CVE-2023-35078 is currently popping off https://t.co/tkRoWqvtv1 https://t.co/XOaWEZ3U3X" / X
Trail of Bits | Products
US contractor says info of up to 10 million leaked in MOVEit breach
British ambulances unable to access patient records system following cyberattack
Valid account credentials are behind most cyber intrusions, CISA finds | Cybersecurity Dive
An Unexpected Endorsement for WebAuthn | Okta Security
SEC votes to overhaul disclosure rules for material cyber events | Cybersecurity Dive
White House unveils ‘whole of society’ push to expand cybersecurity workforce
Section 702 surveillance powers are necessary, but FBI access needs limits, panel says
The NSA Is Lobbying Congress to Save a Phone Surveillance 'Loophole' | WIRED
Kazakhstan refuses to extradite detained Russian cyber expert to US
Russia Sends Cybersecurity CEO to Jail for 14 Years – Krebs on Security
Millions stolen from crypto platforms through exploited ‘Vyper’ vulnerability
A New Attack Impacts ChatGPT—and No One Knows How to Stop It | WIRED
Cloud company assisted 17 different government hacking groups, U.S. researchers say | Reuters
No evidence ransomware victims with cyber insurance pay up more often, UK report says
‘Worm-like’ botnet malware targeting popular Redis storage tool
Hackers are infecting Call of Duty players with a self-spreading malware | TechCrunch
Bug in Minecraft mods allows hackers to exploit players' devices

Transcript
Starting point is 00:00:00 Hey everyone and welcome to Risky Business. My name is Patrick Gray. This week's show is brought to you by Stairwell. Stairwell makes a platform that you set up in your enterprise and then you can forward all binaries in your organization to it as they come in, and also historical binaries and whatever, and from there it does a bunch of crunching on them, and this is quite useful as it turns out. Stairwell's founder and CEO Mike Wiacek will be along in this week's sponsor interview along with Vice President of Business Development Eric Foster, and they'll be talking about how you can press a button on their platform to find out if the latest big threat report from the likes of CrowdStrike or Mandiant is relevant to you. So, you know, those hashes in that report, are they present? Were they present for 10 minutes two years ago? What variants has Stairwell linked to those hashes? And are those hashes present or were they ever?
Starting point is 00:00:57 These are nice questions to be able to answer. So that interview is coming up later. But first up, of course, it is time for a check of the week's security news with Adam Boileau. And Adam, we're going to start with this letter here from the American senator for Oregon, Ron Wyden. He has a bee in his bonnet about Microsoft and has written an angry letter urging all sorts of, you know, arms of the US government to investigate Microsoft for sucking, basically. And I'm all about this. Yes, of course. He invokes the recent attacks on the signing keys
Starting point is 00:01:31 for Microsoft's auth process, but also calls back to things like SolarWinds and so on. And, you know, he kind of makes some pretty good points. You know, we are so reliant on Microsoft, they do have to be held to a pretty high standard because of the consequences if they don't. And, yeah, I imagine they're quaking in their boots over at Redmond. We'll see.
Starting point is 00:01:52 Yeah, I mean, this one, as you point out, it sort of has been inspired by the recent attacks that impacted organisations like the State Department where a threat actor was able to acquire some sort of key. Why no HSM, Microsoft? Why no HSM? They managed to get a hold of some key somehow. It was like for signing tokens for consumer accounts and used it to access enterprise
Starting point is 00:02:15 accounts. And, you know, this whole letter is a big, angry WTF. It's addressed to Jen Easterly, the Attorney General, and who's Khan? Khan! Khan! The Chair of the Federal Trade Commission. There you go, Chair of the FTC, Khan. And, yeah, I mean, I don't know if anything will come out of this. I can't imagine the FBI raiding Redmond over this, but it is interesting that, you know, he's written this letter to the DOJ as well, right? Yeah, and I mean, he's always pretty on top of security issues
Starting point is 00:02:47 and national security issues as they relate to cyber stuff. And he's got a pretty significant staff that's focused on and understands these issues. So it's rare that we see a bad take out of him. I mean, sometimes he's pulling the wrong part of the issue, but they're nearly always interesting, meaningful things that he's talking about. Yeah, I mean, I just love that we've got a letter from a senator here talking about key material.
Starting point is 00:03:11 You know what I mean? Like that's a hell of a sign of the times, right? And it is, as you point out, it's like a pretty on-point criticism and it's an on-point demand. It's an on-point WTF, Microsoft, WTF. Yeah, I'm sure there were a lot of us saying WTF as we read about that particular story. And, you know, when it's being used to straight up sign keys to auth into the
Starting point is 00:03:33 State Department's Hotmail, you know, email, Outlook. Um, yeah, it's not great. Yeah, some questions, definitely some WTF is warranted. Yeah, so let's see if anyone actually picks that up and runs with it. If there is some sort of DOJ or FTC probe into that, that could be uncomfortable, couldn't it? Yes. Let's move on. And the New York Times is running a story from David Sanger and Julian E. Barnes, which suggests that this campaign we spoke about
Starting point is 00:04:06 a couple months back where Chinese actors had been detected in sort of critical facilities and telcos in Guam and whatnot. And there was a lot of sort of noise and rumbling about it at the time that, you know, Chinese APT crews were doing some pre-positioning attacks and putting themselves in a position to disrupt critical infrastructure in the event of some sort of military conflict in the Taiwan Strait. New York Times has this piece up saying that, you know, it's a little bit vague, I'm going to say, but it does have this piece up saying that, you know, the US government is engaged in a very significant effort to hunt down and expel these attackers from all sorts of interesting places.
Starting point is 00:04:45 One thing that does give it a bit of credence, though, is a tweet from John Hultquist, who's a threat researcher quite well known. I think he's still Mandiant, isn't he? Hang on. Click on bio. Chief analyst, Mandiant Intelligence. Okay, got it.
Starting point is 00:04:59 Yes, who is still with Mandiant. And he has quote tweeted the New York Times piece. I'm sorry. He quote X'd on X. Link to the New York Times piece and says, we found this actor in land, air and sea transportation targets, which could be leveraged for a serious disruption to logistics. So when we first spoke about this, we were a little bit like,
Starting point is 00:05:22 well, how do they know that, you know, this Chinese APT crews is doing pre-positioning for attacks against critical infrastructure? You know, I did hear subsequent to us saying that, that the people who know, know. And, you know, when you see people like John saying stuff like that, and obviously, you know, officials encouraging the New York Times to write these sort of stories, you do get the impression there is something to this. Yeah, yeah, there certainly is. And, you know, you would expect pre-positioning in comms and supply systems, you know, for a base like Guam, that would be a pretty, you know, if you're China and you're thinking about what targets are going to be really useful for you to disrupt,
Starting point is 00:05:58 like that's a good one. There does seem to be some suggestion that, you know, the same thing is happening in other places, you know, that it's not just Guam, that they're seeing this elsewhere as well. But it would make sense. It would be a smart play to do that. So although we don't necessarily know the specifics, because no one's going to tell us the specifics until sometime after it's either happened or been successfully disarmed. It certainly sounds reasonable to me. Yeah, I mean, the Times says, American intelligence officials believe the malware could give China the power to disrupt
Starting point is 00:06:30 or slow American deployments or resupply operations. So it looks like this is something really targeting logistics. It makes me remember, you know, the interview that we did with Andrew Boyd from the CIA recently where, you know, he said a conflict, the cyber elements of a conflict with China are going to look very different to the cyber elements of a conflict with Russia. And, you know, you sort of get the impression this is the sort of stuff that we're talking
Starting point is 00:06:55 about. And, you know, when you do talk to people in that sort of cyber worry space, one thing that they do worry about is logistics. Yeah, absolutely. And, you know, projecting power across the entire Pacific is not straightforward. Like, just logistics is so important for America, because, like, that's one of its main advantages over its other competitors, is that it is experienced at global-scale logistics for the military. And, yeah, if you can turn it off
Starting point is 00:07:22 even for a couple of days right at the beginning of an invasion of Taiwan, it's going to buy you a better time. Yeah, I mean, I saw some TikTok recently. It was some American military guy talking about how, just making the point about their logistics, where they actually accidentally ordered like a plane load of toilet paper to some remote base and it turned up.
Starting point is 00:07:41 You know what I mean? Like it was like, no one stopped. They're just like, okay, we'll deliver it. And like the amount of jet fuel and stuff. I can't remember if it was toilet paper, but it was something they needed, like, a very small amount of, and wound up getting a fully loaded, like, airplane turn up with it. So they're very good at moving stuff around. But again, that interview as well, the Boyd one, we don't know what sort of an impact something like this would have until it happens, because militaries are quite, you know, resilient in the face of stuff going wrong, right?
Starting point is 00:08:08 Well, that's the idea anyway. That is the idea, yes. But, you know, the Tyson quote. Yes. Everyone has a plan until you get punched in the face, right? Yeah, yeah. Now, meanwhile, it's not just the Americans accusing the Chinese of hacking stuff. The Chinese are accusing the Americans of hacking stuff as well.
Starting point is 00:08:25 What makes this particular accusation more interesting is that China's state-controlled newspaper, the Global Times, is saying that the Americans have hacked into, like, seismology sensors in China to do spying stuff, which just made me think, oh, you know, cool. I mean, I guess having access to seismic measurements, you know, if you're, I don't know what, you would, I mean, there must be some useful things you can do with that. Well, I think in this piece, they sort of mentioned that we're going off an Alexander Martin story on the record here.
Starting point is 00:09:03 You know, the idea is they might be able to infer construction activity involving military facilities. I imagine it would be very good for detecting bomb tests, things like that as well. Yeah, I mean, certainly nuclear weapons testing, like using seismic measurement, that's a thing. That's 100% legit. But I feel like the US already has enough seismic sensors to do that,
Starting point is 00:09:22 given that they've been doing it in North Korea as well. But, you know, maybe you can determine the size of the crowd at some Xi Jinping show, I don't know. But either way, that's what makes this story interesting, right? Is he like, ooh, they're hacking sensors, I wonder why. It's the part that we don't know that makes it more interesting. Yes, exactly. It's probably very boring.
Starting point is 00:09:43 Now, look, this one's a bit of a head scratcher. We got a report from Forbes. I feel like the headline on this one might be overdone a little bit. It says Pentagon investigates critical compromise of Air Force communication systems. But it looks like what happened here is someone took some stuff home with them that
Starting point is 00:09:59 they probably shouldn't have and also had admin access to a bunch of stuff they shouldn't have. And anyway, walk us through this one. What actually happened here? So the story goes that an engineer who worked at an Air Force base in Tennessee on radio equipment used on the base had taken a bunch of things home. So taken some equipment home, had software access and other bits and pieces.
Starting point is 00:10:23 And they raided this house and found this. And the raid was triggered because some of the coworkers of this engineer had dobbed them in for insider threat-like behavior. Well, I think it was, let me just read that, right? Because that's how we reported it on Risky Biz News. But the specifics are that he sold radios and radio equipment, worked odd hours, was arrogant,
Starting point is 00:10:46 frequently lied, displayed inappropriate workplace behavior and sexual harassment, had financial problems and possessed, like, base equipment, which is like, hmm, maybe someone whose door you want to knock on, right? Yes, and clearly knock they did, and, yeah, found him, like, in the middle of programming some Motorola gear or something. I, you know, even just reading what's in the story, you kind of get vibes off the guy. Yeah, yeah. But I get more like just vague asshole vibes than Chinese spy vibes, right? Um, yeah, that's, yeah, yeah, that's kind of the feel I get. And he hasn't been charged with anything. That's the interesting thing. So this whole story is based off a warrant
Starting point is 00:11:25 that was served on him to search his premises. Yeah, I think one of the other nuances that was in the story was that some of the radio equipment that he had possession of was similar to or the same as used by parts of the FBI as well. So, you know, it's all a bit vague. It is, I guess, reassuring that given the amount of people that have been doing weird stuff in the, you know, US mil over the last few years, and have actually been spying, or have taken stuff home and it's stolen by their antivirus and given to the
Starting point is 00:11:56 Russians, for example, that they are being a little bit more proactive. Yes. Yeah, I mean, it's just funny when you read about that guy and you're like, man, how did he have that job? But anyway. Yes. Anyway, time for a bit of an update on the Ivanti stuff, which is, you know, that's the product formerly known as MobileIron. I think they're going to have to change the name again after this. Yes, I think so.
Starting point is 00:12:20 But yeah, we got some reporting here. John Greig at The Record says that CISA has said that the Norwegian government was being hacked with this 0-day in the Ivanti gear as early as April. We've also seen the disclosure of more bugs in Ivanti, at least one more, and GreyNoise has started seeing this thing popping off in the wild. So that's a bit of an update across everything that's going on with that story. But, you know, when GreyNoise shows you the graph of the number of IPs exploiting this thing going vertical, that means that all of these are going to be owned, like, in the next 48 hours, you would think.
Starting point is 00:12:58 Absolutely, yes. And CISA has weighed in and said, you know, it's on the Known Exploited Vulnerabilities list now, which means federal civilian agencies have until what, like August the 21st, which is about three weeks late. Exactly. That's the time frame CISA has given them. But yes, they have until about a day ago, I think, really. Yes, pretty much.
Starting point is 00:13:19 And like the bug was so, the original bug was so dumb. Like it was a, you can just talk to the API without auth and do admin stuff to it. And then the subsequent bug that they've patched this week was a, you can then turn that into command exec on the underlying operating system. So like with those two things combined, right, you're in a very good place to do all sorts of crimes
Starting point is 00:13:39 against anyone who's running that kind of stuff. So yeesh, when the security product is getting you owned, it is a bad day. Yeah, I mean, Trail of Bits wound up developing like an MDM Lite kind of thing, right? It doesn't have full MDM capabilities, but it works to do certain things. We spoke about it a while ago.
Starting point is 00:13:57 Sorry, I'm fuzzy on the details, but, you know, the reason they developed that is so that you didn't have to use this sort of crap. Yes, exactly, right? I mean, it's way too powerful, and then the fact that there's just no auth on the API, like, what the, how? Well, I mean, this is why, funnily enough, the US and Australia, you know, the cyber agencies, have put out like an advisory on direct object reference bugs. Because, you know, there was, I mean, you could class it as a direct object
Starting point is 00:14:25 reference, but you could, yes. And, you know, so now they're like, maybe you want to check for direct object references there. You know, I mean, what year is this? I know, it is pretty funny, because it's the first time we've seen an advisory about it, like a general technique. And although insecure direct object reference is, like, what, number one on the OWASP API security list, we don't see CISA putting out a warning about remote code exec. Like, don't have remote code exec. Yeah, we know.
Starting point is 00:14:55 Yeah. Yeah. Wow. Anyway, so let's see how that- Maybe they should. That's what they should do. That's our advice. This is it today.
Starting point is 00:15:02 Let's see how that progresses over the next week or so. Now, look, you know, the MOVEit thing has been talked about to death. But I think it's, you know, we stopped sort of talking about all of the MOVEit stories a few weeks ago. But it's probably worth mentioning again because the scale of it. We're still just discovering the scale of it. You know, we got another John Greig one from The Record here, looking at this IT firm that got done with MOVEit. And PII went missing on 10 million people, right? And I think they're just Americans, right? Because it's an American company servicing American organizations. The scale of this thing is pretty mind-boggling, right, when you think about how it's just a trash
Starting point is 00:15:47 bug in a bit of trash software, and probably tens, over a hundred million records lost. And you just think, oh, you know, you put in so much effort elsewhere and then you just get pantsed by something like this. Why do we try, Adam? Exactly, yes. John Greig quotes Emsisoft saying they've seen at least 514 organisations hacked by MOVEit, which, like, that's a lot of impact to a lot of places. And there's some, I think the Clop ransomware gang added Deloitte to the list of people they've popped lately, and we don't know whether that's just like some boring stuff
Starting point is 00:16:28 when they move it. And we've seen Deloitte get domain admin by people before, so okay, fair. But, you know, everything from small schools through to global multinationals, right? I mean, getting hacked by this stuff, it's pretty grim. Yeah, it is. And look, again, you know, in the same vein, we
Starting point is 00:16:45 don't really talk about ransomware attacks that often, but there is one in this week's news list that's worth mentioning. A Swedish software company got themselves, I'm assuming, ransomware. We don't know the specifics, exactly how they got hacked, but they provided electronic patient record transfer systems for the British ambulance services. So ambulances are showing up in hospitals and they can't transfer the patient records to the hospital, which, that's not ideal, and not, you know, in terms of real world impact,
Starting point is 00:17:16 like a delay of even minutes for someone showing up in an ambulance, that's real serious stuff. It is. So this is your regular reminder that file transfer appliances are bad and ransomware is bad too. Okay. Yes. Everyone is bad.
Starting point is 00:17:29 That's right. And in more real peachy news, Adam, we've got a finding from CISA here that, and I quote, "valid account credentials are behind most cyber intrusions." I mean,
Starting point is 00:17:43 I know when people ask, you know, like, so what's computer hacking like? It's like, well, step one, you get the password. Step two, you just type the password in and now you're done with the computer hacking part and you can get on with the action on objectives part, which is the hard part. It's an important reminder for people
Starting point is 00:18:00 that it's not just about funny exploits and, you know, very technical stunt hacking. That just getting the passwords out of data breaches, from phishing emails, from whatever else, you know, it gets the job done. And the lateral movement part, same thing. It's you steal creds, you pretend to be the person whose job it is, and you do the job for them. And I think this is just a reminder. I think the frustrating thing about this is that FIDO2 nips this in the bud. It removes that part of the attack chain, right? And I think that's why CISA would highlight this in particular. Now, I understand that not every organization, not every account in the world, especially when you're talking B2C accounts, you know,
Starting point is 00:18:39 not everyone's going to be able to use FIDO2, but I would hazard a guess that there's a lot of organizations, a lot of people who work for organizations listening to this where they should really be using FIDO2. And that's kind of the point I wanted to get across this week. Yeah. Like some kind of phishing resistant MFA is pretty much table stakes for not getting wrecked these days. And it's amazing how much reluctance there is, even in organizations that are pretty mature, to consider spending a couple of bucks on a token when it's just so much cheaper than an instant response. Well, it's not just cheaper than that.
Starting point is 00:19:14 It's just when you look at bang for buck, right? I mean, this is the thing that FIDO2 has, right? Say it's like 30, 40 bucks each. It's a one-time spend. And it just gets you so far and frees you up. And, yeah, just please, please, everybody, go get some FIDO2, right? Yeah, I mean, you know, Microsoft's getting pretty good with integrating it all with Windows Hello and with Azure AD, and, you know, like, all the plumbing is in place for you to have robust auth these days, and
Starting point is 00:19:43 it's kind of table stakes at this point. Funny, actually, Brett Winterford, who works at Okta, used to work with us, he actually sent me a thing, I'll link to it in the show notes, I forgot to put it in there, but he sent me a thing the other day, a write-up on a phishing attempt where the whole thing was like, you're going to lose access to the ticketing system
Starting point is 00:19:59 unless you disable your YubiKey so he described that as pretty good validation that FIDO2 works well, right? Yeah, yeah. When stage one of phishing is getting people to turn off their FIDO2. So good.
Starting point is 00:20:13 Rule changes from the SEC in the United States. You must disclose, like as soon as you discover, as soon as you determine that a cyber attack has a material impact or whatever on your organization, you have four days to notify the SEC. That's up from the two days that was originally proposed. So we found a bit of a compromise there. And we could just imagine the acrobatics that in-house counsels are going to be performing to not deem something material as a result of this. Exactly.
Starting point is 00:20:45 Yes. Can't wait for the court cases. This will be amazing. Yeah, yeah, exactly. We're going to see all sorts of people getting dragged over the coals for coming up with creative interpretations of that. So, yes, if you're an American company that's listed, then you too should get a copy of Form 8-K to stick your disclosures in. There you go.
Starting point is 00:21:07 Now, this one, Suzanne Smalley for The Record has written it up. The White House has apparently unveiled a whole of society push to expand the cyber security workforce. And you read this and you're like, okay, this is cool, this is good. But then you look at the funding amount and it's 24 million bucks and you just think, that is not a whole of society number, you know? That's a very, very, very small part of a society number. Yes, and there's obviously a lot to do. They want to have good cyber security literacy for everybody. They want to improve their options for immigration for people who are experienced with the cybers, so they can bolster their workforce. But, yeah, 24 million dollars does not go far towards anything much these days. Yeah, I mean, that said, you don't need funding to change immigration
Starting point is 00:21:50 rules, right? That's true. So there's a lot you can do there. But I mean, you know, so I really don't know what to think of this, because I think on one hand, you know, they're clearly serious about doing whole of government stuff to try to this workforce problem. But on the other hand, you just look at that money and you go, oh, that's not enough. Are you serious? Are you really? Like that's not a lot of scholarships to universities for people to go and study it
Starting point is 00:22:14 because they talk about altering the mix of the workforce and getting more people in, addressing some of the historical disadvantaged audiences for our industry. But yeah, 24 mil does not go far. Yeah. Now, a White House panel of intelligence experts, Adam, has weighed in on the 702 debate.
Starting point is 00:22:33 Now, when the whole issue of 702 reauthorization came up, most recently, right, because it has come up previously, 702 is the intelligence collection authorization that's due to sunset. And, you know, it's an important one. It is definitely an important one. But it looked like the FBI was being a little bit yolo with its access into this data set.
Starting point is 00:22:55 And at the time when this first came up, you know, I think you and I said 702 clearly needs to be reauthorized. But the FBI's use of it needs a good review, right? And now this panel of intelligence experts who've written a report for the White House have said that 702 should be reauthorized, but the FBI's access needs some limits on it. So that's, I feel pretty validated in what we said originally about this, Adam.
Starting point is 00:23:23 Yes, yeah. This is the sensible thing to do. Like, clearly they're not going to turn off 702, but also clearly they can't go around just using it for whatever they please, like we have seen some examples of, you know, specifically in the FBI. So, yeah, as we expected. Yeah, as we expected. I mean, Tom found that there was some, Tom Uren, our colleague,
Starting point is 00:23:44 found that there was some nuance there in terms of, like, FBI's access being somewhat limited, and, you know, a lot of the controls on what winds up in that data set being applied at time of ingestion, so the FBI wouldn't get access. You know, anyway, so, like, it's not as bad as we might have initially thought. But it's also beside the point, because they are yoloing. And, you know, that seems to be what they found here. So FBI is going to get reined in, 702 will continue. And look, staying with intelligence and sort of surveillance authorizations and laws, you know, we've spoken about this,
Starting point is 00:24:16 the Fourth Amendment is not for sale act, which would prohibit US government agencies from being able to purchase data sets from data brokers. NSA is saying, whoa, whoa, whoa, hold up. That's going to cause us some problems. I think they're actually making a valid point here. I think that that act is mostly going to provide a benefit when it comes to local and state law enforcement, FBI, you know, policing agencies that actually do have authority inside the United States to arrest people, put people in prison.
Starting point is 00:24:48 NSA doesn't, Pentagon doesn't, you know, so they're sort of asking for a carve out here and, you know, I can't believe I'm saying this, but they're kind of making a good point. Yeah, like it doesn't make sense to apply it to a non-domestic context. Yeah. And, you know, as you say,
Starting point is 00:25:04 NSA, Pentagon seem like the sorts of agencies, and I'm sure there's, you know, other parts of, you know, the externally focused bits of the US government, that it would not necessarily make sense to do this for. Because, you know, if you can buy the data on your adversaries commercially, then, you know, why waste sources, methods and whatever else on that when you could just go buy it. Well, it just might not be available to you any other way. And I think the issue here might be that even if you're targeting adversaries, you probably can't be guaranteed not to be scooping up data of Americans as well,
Starting point is 00:25:35 which is, you know, it's an intelligence, it's a SIGINT agency dilemma as old as SIGINT, that one. Yes, yeah, exactly. And, you know, they've got processes in place to throw out stuff that they're not authorized for, which, you know, of course, it leads to the obvious argument, well, how do we trust them to do that, blah blah blah. But, like, this makes sense for domestic, I think. I think the reason I'm more comfortable with the SIGINT agencies these days is because, like, even if they have something incriminating on me, what are they going to do with it? What, the NSA police going to come around and arrest me? You know, the ASD police? Like, no, that's not how this... They'll take you off the Christmas card list.
Starting point is 00:26:08 yeah pretty much right so so that's interesting that there's some lobbying here for a carve out yeah certainly what we would expect i mean i can't imagine the nsa were like hell yeah let's not be allowed to do something yeah yeah but i certainly think when it comes to police they they're the ones who need warrants and look look, there is the other wrinkle here too, which is what court would NSA go to to ask for permission or a warrant to buy this sort of stuff? I mean, that's why 702 exists in the first place. So it's all just – but then they don't know what's in the data set
Starting point is 00:26:38 before they buy. Anyway, it's just like I can see why some lawyer at NSA flagged this and just said, this hurts my head, we need a carve-out, otherwise it's going to be a paperwork nightmare. Now we've got an update on Nikita Kislitsin, who was a former Group-IB person. It's Russia-based.
Starting point is 00:27:02 Ran its Russia-based spin-off, F.A.C.C.T., and was arrested in Kazakhstan pending extradition to the United States for, what was it, for selling Formspring logins in 20... Yeah, from like 2012. 2014, I think it was. Yeah, anyway. So for a while it looked like Kazakhstan were actually going to extradite this guy to the United States, but Russia did what Russia always does in these situations,
Starting point is 00:27:22 which is to lodge a competing extradition request. For a while, it actually looked like it was going to go America's way, which was really interesting considering Kazakhstan has been traditionally allied with Russia. But no, ultimately, this all worked out the way it usually works out. And Kazakhstan has agreed to extradite Kislitsin back to Russia to face other charges. Other charges, yeah, and we don't even know what those are in particular, and they may well be entirely made up and, you know, of no concern once he's back inside Russia. But, yeah, the story has played out as we kind of expected it would, which is very disappointing. And Ilya Sachkov, who is the founder and CEO of Group-IB,
Starting point is 00:28:06 meanwhile has been sentenced to 14 years in prison in Russia for treason. Yes, unspecified treason, quite convenient treason for some Russian authorities, I am sure. Sharing details on Russian hackers with Western intelligence, which might be, I don't know, sharing some IOCs with... Yes. Oh, God. Yeah, either way, it does not look good.
Starting point is 00:28:28 He's facing incarceration in a strict gulag, which is apparently about level three out of four. I did some digging because I was curious about how the gulags worked. Yeah, so about three out of four on the strictness scale below special. And I imagine that's, you know, a very Russian
Starting point is 00:28:45 definition of strict. It's not like our definition with our kids where they have to finish their P's. It did not sound like a fun time. Russian strict is like next level. Now this next one is actually
Starting point is 00:29:03 I mean, I shouldn't laugh, but we do, we do, we do, we do laugh because it's funny. It is. So Catalin, Catalin first popped this one into Slack the other day and we all had a bit of a chortle about it. Uh, tell us about Vyper and the vulnerability in it, which has led to, uh, I think, what Catalin described internally here at Risky Biz HQ as a massacre. There's been bodies hitting the floor on this one. So Vyper is like a programming environment for writing smart contracts and stuff that are going to get run on the blockchain.
Starting point is 00:29:34 Jeez, I mean, you wouldn't really want to have a problem with that, would you? No, you would not want to have a problem with that. It turns out there was like a re-entrancy bug, like a locking re-entrancy bug, where you can call the same code multiple times in crafted ways and then use that to bypass controls. And I saw a write-up that described this particular scam, which basically involved, like, you took out a flash loan to get some currency to
Starting point is 00:29:56 play with, and then, like, transferred it around inside, you know, these various Web3 decentralized finance constructs such that you could withdraw it multiple times and then pay the loan back and walk away with millions and millions of dollars' worth of people's apes or whatever. So situation normal in the cryptocurrency world. One particular crew that got hit with this, Bloomberg, so not necessarily the most reliable sourcing, said that along with the tens of millions of dollars,
Starting point is 00:30:26 something like $60, $70 million worth that was actually stolen, that $1.5 billion was also removed for safekeeping, which I think just means they're not allowing people to withdraw stuff or whatever's going on. But either way, these are big numbers for what really is a pretty silly kind of bug. And once again, much as we expect in the cryptocurrency world. It's funny, you know, Catalan really tracks that stuff quite closely
Starting point is 00:30:51 because I think because he understands it quite well and also because he finds it immensely entertaining. Yes. I think it's because he's kind of a troll at heart there. Yeah, pretty much. Every time something like this happens, you know, he's in slack going hey guys um what else have we got here oh no this is an interesting story from wired
Starting point is 00:31:13 uh by will knight and it's the sort of story that you expect to be dumb and then you start reading it and it actually yeah it actually isn't so you and I had this discussion today when we were talking about what would stay in the run sheet. Yeah, walk us through this one. So the title is A New Attack Impacts Major AI Chatbots and No One Knows How to Stop It. And you're thinking, oh, God, here we go. But what you've got here is a description essentially of escapes
Starting point is 00:31:42 in GPT prompts, and they're funny. Yeah, yeah. So I guess the guts of this particular piece of research is extending the kind of prompt injection attacks that we've seen already with AI systems where you can tell the chatbot to respond as though it was saying the opposite of what it meant or whatever
Starting point is 00:32:03 so that it tells you the things it's been filtered to not say. And so what these researchers did was they took some open source chatbot implementations and then used access to the underlying model to kind of permute things, to stick in, you know, prompts to stick in front of or after the queries, in a way that didn't really respect the human language meaning of those prompts but still manipulated the behavior of the model. And then they assessed to see whether the techniques were transferable to closed models like ChatGPT and Google Bard and so on and found that they were.
Starting point is 00:32:38 And that's quite, it's a really interesting approach because you're not just doing it by trial and error as a human. They can write software to experiment with it at programmer speed and then use that to manipulate. The fact that it's transferable between models is also just really interesting and from a future research point of view, really interesting. Well, I mean, what I find interesting about this
Starting point is 00:33:00 is when you look at malicious content injection into like a web app or an API or whatever the hell, right? You know, you sanitize the input. Yes. The problem with these things is there isn't really a straightforward way to do that. And I think that's what I find interesting about this. Exactly, right?
Starting point is 00:33:16 And especially when the relationship between the prompt being injected and what it's doing to the model is also kind of by design, because of how AI works, pretty unclear. So doing semantic filtering up front or doing, you know,
Starting point is 00:33:33 kind of, what are you going to do, like re-exit? I mean, no, it's just a very hard problem to solve. And that's the sort of hard problem that, you know, we're so busy building AI-backed systems and no one's really stopping to
Starting point is 00:33:46 think about how badly is this going to go wrong so it's always interesting to see research that really is thinking about those problems yeah yeah so uh everyone should go have a look at that one because as i say it's that it's that sort of piece that you expect it to be really dumb and then you get into it a little bit and you and i both had the reaction which is is like click, groan, and then, oh, okay. And, you know, we love a good problem that doesn't have a straightforward solution. That's our bread and butter, right? That's why we have good jobs. Exactly.
Starting point is 00:34:21 Now, we've got one from Reuters here from Chris Bing and Raphael Satter talking about, and we reported on this in Risky Biz News as well, in that podcast. There's this American cloud company called, where is it? Cloudzy. Cloudzy. And a Texas-based security company called Halcyon has written a report on them. Because it turns out they appear to be hosting an awful lot of C2, right? And for all and sundry, for threat actors from like 17 countries,
Starting point is 00:34:47 ransomware crews, this, that. And what's interesting is despite being an American company, it looks like a lot of their infrastructure is actually hosted in Tehran. The guy who runs it is apparently, I mean, by the sound of his name, I think he's Iranian. And so it would make sense. Like it might not be some sort of nefarious, you know, IRGC connection or whatever, but the point is this company has alleged that this is an extremely shady outfit that is probably violating all sorts of sanctions
Starting point is 00:35:14 and whatever. It's just an interesting read where you're like, goodness. Yeah, we do love a good write-up of, like, the background of a bulletproof hosting company, and for it to be a, you know, nominally American, registered-in-America, uh, company, even if it is run by, what's, uh, Hannan Nazari. Yeah, you're right, he was Iranian, not currently living in Iran. He wouldn't say where he lived. Finally... Well, he's also said that this is all wrong. Like, we must say that these are just allegations, Adam, because he says only two percent of, uh, of his clients are malicious, which already as a defence, that's one in 50. Seems kind of high, dude. Got to be honest. Whereas other people are saying it's more like 50%, but...
Starting point is 00:35:52 Yeah, so there's like Iranian actors, Russians, North Koreans, Indians, Pakistanis, Vietnamese. They've got the full set. Maybe after this story they can start fighting each other to do third-party collection on each other's C2s. Like, maybe they're going to start popping through hypervisors at Cloudzy and doing it. Maybe that's what this is about.
Starting point is 00:36:13 Maybe this is like trying to get like an East Coast, West Coast, like, rap war going as all of these threat actors fight each other for control of the underlying box to get each other's C2. What do you think? You'd think Cloudzy could sell it as an add-on service. You can subscribe to an RSS feed of other... Maybe this is all a giant NSA operation to do third-party collect. Maybe, you say. Maybe, yeah.
Starting point is 00:36:36 We're through the looking glass here, people. We are now. Yes, yeah. But, I mean, wheels within wheels. You would expect, though, that after this story runs, that there might be some sort of... But, I mean, why even register this in the US? I'm so confused. It does not seem to make a whole bunch of sense, but, I mean, who knows? People do strange things. Things change over time in ways you don't expect.
Starting point is 00:36:57 Who knows? Yeah. Oh, well, moving on. Moving on. We've got a report here from Alexander Martin, at the record, uh that there's no evidence that ransomware victims uh with cyber insurance pay up more often uh according to a report that's been prepared in the uk i mean initially you think well what's your methodology
Starting point is 00:37:18 there but then you read through it and you see and and it seems like they have actually applied a decent methodology here and they found that it's not really a significant factor doesn't really vibe with what we've learned anecdotally about ransomware crews you know stealing people's uh cyber policies like seeking out their cyber policies to figure out their coverage as soon as they gain access to an environment also targeting cyber insurance uh um organizations themselves to get their customer list to figure out who to go after but i guess maybe what this report tells us is that what these threat actors are doing in these situations is kind of pointless and that's what i find interesting here yeah yeah i was really interested by this as well because that absolutely challenges
Starting point is 00:38:02 that assumption that you know that cyber insurance was not a great idea because it increased the probability that you would be ransomed but it may just be that like there is so much ransomware going on that that kind of bias towards people who were insured you know is such a small part that it's kind of not statistically significant anymore if it ever was or it might just mean that okay yeah we've got insurance. That doesn't change our negotiations. Let's continue. And I think that might be it, that this is something that threat actors
Starting point is 00:38:31 were trying to do but didn't really move the needle enough to show up in the stats. Yeah, and also people like us reading about that, we love a good piece of irony. It makes for a great story, like, hey, someone broke into this insurer, stole their list, now they're going to go ransom everybody. Like, it fits the narrative that we want of, you know, of...
Starting point is 00:38:52 Everyone's dumb. Yes. I mean, I'm glad that this kind of basic research is being done because we don't, there's so much we don't know about what really happens out there because it's all in the shadows all the time. Now, looks like we've got a worm on the loose, Adam.
Starting point is 00:39:06 Affecting something pretty obscure, but nice to see a worm. Yes, yes, it certainly is. This is a worm that targets Redis, you know, kind of key value store servers. And there's a number of bugs being used, but the majority of the process here is that you attack a Redis server you get in
Starting point is 00:39:25 and then you kind of there's a replication feature that you can use between Redis to share data around and that process can also load code into the slave Redis instances and then use that to propagate itself start scanning again and onwards so I think we've seen researchers from kato security labs saying that this is actually a pretty widespread worm amongst redis installs now and that it doesn't disrupt the operation the correct normal operation of the redis so many operators aren't necessarily going to see it which is all pretty cool yeah that's pretty that's pretty old school too you know because that's what worms were before your sort of code reds and your slammers and your blasters that's what they you remember the ramen worm yeah yeah yeah yeah yeah exactly right you they didn't clog up the internet man it just you know just spreading
Starting point is 00:40:12 the ramen like this one i think distributed something called a miner but that it wasn't actually a crypto miner like it may have just been a placeholder for a future crypto miner or whatever other example payload uh that uh that they might use later um but yeah just kind of it's kind of cool to see people engineering niche you know niche toys like this uh on the internet yeah i wonder if we're going to see worms again being a thing you know what i mean if because everything seems to come around again one thing i've been thinking about recently adam and i wanted to get your thoughts on this is we're seeing a lot of people attacking server-side enterprise software right kind of reminds me of the days
Starting point is 00:40:49 when people used to attack server-side ias apache you know core and modules etc etc and then we saw the big pivot around what am i going to say between sort of 2003 2005 the big pivot to um targeting client-side stuff like Internet Explorer, whatever. The ActiveX era. Sorry? The ActiveX era. Yeah, exactly, right? So I wonder if we're about to see a similar pivot
Starting point is 00:41:12 from targeting server-side enterprise software to client-side enterprise software once people start getting the crapware off the edges of their network. I think it's a natural progression of things. We certainly saw the pivot back to enterprise server exploitation and enterprise edge exploitation is a result of the browsers getting much better. But there is still a lot of software out there that isn't a browser
Starting point is 00:41:36 and isn't an IIS or Apache or now a VPN or something else that's by design on the edge of the network. But it's still indirectly reachable from the internet. So I think it's a natural place to go look for client-side exploitation in software that isn't a browser. You know, rumour has it that Western operators have a habit of using bugs in stuff like antivirus software. And you don't hear about it a lot because they're Western operators
Starting point is 00:42:02 and they tend to be quite low volume, careful, you know, targeted. And I do wonder if perhaps that stuff's about to go wide. You know, once all the FortiGates get turned off or owned or ransomware or whatever, right, you know, maybe then they're going to go after it. Anyway, let's see. I mean, antivirus software is such a wonderful target. So much complexity.
Starting point is 00:42:23 So easy to get to. It has a huge attack surface because it has to parse everything. Yes, exactly. We've certainly seen researchers do it for fun, but it never has really gone big. There's always time. There's always time. Now, look, staying with worm stuff,
Starting point is 00:42:40 this is completely low impact, just funny news. This one's from Lorenzo over at TechCrunch. We had it in Risky Biz News as well. Apparently, Call of Duty Modern Warfare 2, which is like the game from 2009, people are still playing it and there's some sort of worm impacting people through the game lobby. How does this one work?
Starting point is 00:42:59 Some kind of code exec, I think, that you can send via the lobby and then that's kind of propagating between players who are then spreading it to other lobbies and so on so like you know self-mobile propagating malware in the call of duty lobby chat it's pretty fun i mean retro but fun yeah and there's uh bugs in a minecraft mod as well um deserialization bugs that are actually being exploited i mean i like that we see, you know, tomorrow's hackers and security people, you know, this is, we're watching, this is them.
Starting point is 00:43:31 They're babby. They're being formed. Do you know what I mean? Like, this is how they start. And eventually they're going to pop out as, you know, respected consultants. Yeah, absolutely. Right.
Starting point is 00:43:40 I mean, much like with the, you know, phone jailbreaking scene and so on, like there's so much interesting hacking outside of regular infosec. And this Minecraft one's actually quite interesting because it's like Minecraft's mostly written in Java. This is a deserialization bug, which is a common bug class, but the attackers using it are attacking the Minecraft servers and then attacking back down to the clients
Starting point is 00:44:01 and then stealing their like Discord tokens or their Steam logins or whatever else, which, I mean, that's real hacking. Good job, kids. Good job. Yeah, I mean, it's not bad, right? And that's what I mean. Like this is actually pretty relevant technique, right?
Starting point is 00:44:18 Yeah, I mean, it would work for cryptocurrency companies just as well as it works for Minecraft people's Discord accounts. Yeah, but I mean, there's always going to be like the pen tester on a team who's the deserialization person. Yes. Is my point. Yeah, absolutely. All right, man, we're going to wrap it up there.
Starting point is 00:44:32 Thank you so much for joining me to talk through this week's news, which is a, you know, lighter week than usual because it's Black Hat Week over in the US of A. We're not going, of course, because Vegas is a very hot and sweaty place. So we have decided to sit this one out this year. But yeah, great to chat to you, man. We'll do it all again next week. Cheers. Yeah, thanks so much, Pat. I'll talk to you then. That was Adam Boileau there with a look at the week's security news. Before we get into this week's sponsor interview,
Starting point is 00:45:08 I'd just like to mention that Claire Aird is taking some time off her news reading duties with Risky Business News because she's having a baby very soon, and I just wanted to wish her all the best with that. But in the meantime, while Claire is off doing that, Risky Business News is still being professionally voiced by Caitlin Sori. And big thanks to her for filling in. If you're not subscribed to Risky Business News, it is a different RSS feed. Go subscribe to that today.
Starting point is 00:45:37 It is time for this week's sponsor interview now with Stairwells founder and CEO, Mike Wyasek, and also Stairwells VP of BizDev, Eric Foster. And you know, this is a pretty product focused conversation, but it is a good one. So imagine this scenario, the new Mandiant threat actor report just dropped and a board member comes and asks you if your org has been impacted by this threat actor. What you do? I mean, you can plug a few hashes into your EDR console if you have one, and maybe look for some network C2 activity in your network logs, but that's not really going to be an exhaustive search. You know, it's tough times, right, when you're asked to answer those questions. So here is Eric Foster talking about how these types of searches can turn into goat
Starting point is 00:46:22 rodeos and why pulling together a corpus of all of your binaries in your org is a very useful thing. Here he is. You know, Mandiant or CrowdStrike or whomever comes out with this great threat report, usually right before a holiday or on a weekend or whatever else of like, hey, here's this great new threat that's out.
Starting point is 00:46:40 And, you know, what you'd immediately have to do is go grab somebody off of their day job and throw them the very unenviable task of go spend the next hours or days or even weeks trying to pick through all of our logs and all of our detections and go run a bunch of searches and figure out, are we affected by this thing? And what we've ended up building for customers that has been exceptionally well received is something we call threat reports in stairwell, which fully automates that entire process. So the idea is no exaggeration, about five minutes after one of these great sources hits publish on one of these blog posts or one of these sources of threat intelligence,
Starting point is 00:47:25 stairwell customers know within about five minutes, almost instantaneously, they get a either clean bill of health that says, we have never since becoming stairwell customers been impacted by this threat. So someone at stairwell HQ copies and pastes the hash in at the back end and then that's it? No, it's fully automated. So the entire process from start to finish is fully automated. It's all done by the magical machines. So we're consuming that threat intelligence. We're extracting all the indicators, all the IOCs, all the YARA, everything else. We're auto-generating all of the searches and investigations for it.
Starting point is 00:48:08 Our magical machine learning algorithm is doing some really interesting stuff to also look for variants. Yeah, similar stuff. Yeah, yeah, yeah. Exactly. Find other similar stuff that's around this. And our customers, because we have this complete historic visibility of all the interesting files in their environment, we can know near instantaneously has this thing, you know, and this thing can be something as big as move it or a three CX or long for J, or it can be something as small as just, you know, Hey, here's this random DPRK, you know, Mac malware. But, you know, I don't have to worry anymore about was this in my environment three months ago or six months ago or a year ago, or is it in my environment right now? Or are my detections, are my preventions, everything else completely up to date with this?
Starting point is 00:49:00 I know instantaneously, you know, or near instantaneously within five minutes is close enough for my book to be instantaneous. You know, I know in an instant whether I was affected by this thing or not. And so, you know, we've had a lot of people just bias and just operationalize us just for that single use case. It's like, that used to be such a big pain for me and, and quite honestly, for my guys, where it's like, you know, I got to go pull somebody, they got to spend two weeks or two days or two hours, whatever, researching this thing. And the best they could ever give me was a, we're probably not affected by this because, you know, like evidence of absence and security can be very difficult, right? That's another thing that we're delivering for people is like, no, I can give you absolute evidence of absence. Maybe it's for 15% of the machines in your environment. If that's all you've
Starting point is 00:49:48 installed stairwell on fine, that's a representative sample that, you know, you can hand your auditors and say, I can tell you authoritatively that these 15 machines or 15% of machines have never had the, you know, move it or vulnerable long for J or whatever on it. But those customers for us that go full enterprise coverage, they can literally say, we've never seen this. We've never had this. I can sleep at night. I've got this clean bill of health. So we're talking specifically about file hash information there. Obviously, you're not going to be able to do any network IOC matching through the system. But I'm curious why you can't do this with something like EDR. Because EDR does allow you to do file hash searches, right?
Starting point is 00:50:30 So we're not just working. That's Mike Wyseck jumping in now. Yeah, we're not just working on the file hashes. We actually take and store the actual raw bytes of the actual files themselves. So you actually can do some interesting IOC matching in the sense that we collect those files. In the sense that there might be some hard-coded domains that you're extracting from binaries and whatnot? They could be hard-coded, but then we can also detonate those files and we extract the behaviors out of those files from within sandbox environments. And so we actually
Starting point is 00:50:59 can extract out some of those dynamic behaviors for those files. So you can match like that. Are you sandbox detonating every single file that comes into a Stairwell instance? Not every single file today. We have ambitions, but in the sense that you are able to go over to do that. But when you start thinking about the holistic nature of the platform, you're able to go in and collect, say, all the files come in, they all get hit with, oh, geez, thousands and thousands and thousands of YARA rules. So they get matched and classified like that. And all that starts building up a model.
Starting point is 00:51:29 And we do have, you know, we use the dreaded ML word, but we do actually have some deep neural network machine learning models, which are actually classifying the risk of these files using a lot of interesting data that we collect. Like how common is this file within your environment? How common is this file across all of our different customers? What methodology? Like Steve Miller, when he was with us, he wrote almost a thousand what he called YARA methodology rules, which they don't quantify badness, but they can say, hey, this file contains the constants of, I don't know, RC6 encryption algorithms. This file contains what looks like hooks of physical disks and so forth. And when you start taking all of this signal data together, coupled with prevalence, coupled with so many different factors, you can triage and you can almost stack rank.
Starting point is 00:52:18 What is the most risky file in my environment that showed up yesterday? And when you start being able to look at things holistically like that, I like to think about stuff is when you start thinking about EDR, these are systems that are almost evidence first. Like if they don't believe something to be bad, it's not, it's, it's the whole system is not designed to process it. Like we're designed to process everything down to every single byte of every single file. And it's because you're not trying to do it every time on every endpoint. Right. And that's why that's the luxury that you have, which is you get to do it once, but you do it properly.
Starting point is 00:52:55 And it's sort of like after the fact. Right. So you're not getting that sort of real time thing that EDR is supposed to be doing. But the question was, I mean, you can do file hash searches via EDR, right? Yeah. The other piece of that is, you know, most EDRs are going to have a relatively limited retention period. So, you know, you can say CrowdStrike, great, great, great, absolutely great product. And you can go into CrowdStrike and say, is this hash in my environment today? And for a lot of CrowdStrike customers, you might be able to say, was this hash in my environment in the last 30 days? Stairwell, you can say, was this hash in my environment two years ago? Was it on a machine
Starting point is 00:53:34 for 10 minutes a year ago? Was it on a machine for 30 seconds, seven days ago that nothing else picked up? I mean, the reason I keep asking you about this is because that's what people listening to this are going to be thinking, which is like, I can do this with CrowdStrike. Why do I need an extra tool? And, you know, so, so, so, so the, the mic drop moment, right. Is literally, we can do the search. That's truly unique is if I have a hash, do, have I had any files similar to the file that matches this hash on any of my systems?
Starting point is 00:54:08 And so that's actually the magic leap here, right? It's like, I may not actually have the file that's in a report based on shell 256, but I can have a file that's very, I can have had a file that's very similar to the file whose bytes compromise what goes into that shell 2d6 hash. And that's where you start being able to almost do full scope, temporal, agnostic, retroactive hunting and response work using impartial information, right? If I have never had that file with that particular hash on my systems, that's the end for EDR
Starting point is 00:54:44 there, right? That's the end for EDR there, right? That's the end of the game for it. But we can go back and say, actually, you know what? Six months ago, that machine had a file that was 98% similar to the file that matches the hash you searched for. You might be interested in that one. It's the peace of mind that I think you get. Like, was anything here, you know, because we've gone through a bunch of reports where,
Starting point is 00:55:03 you know, there might be five or 10 hashes of IOCs in there. And then when you actually hit up the variant discovery, you find 50 to 100 that you realize the report was not as exhaustive as you would think it would be. And I think you end up with a case where people don't know that. And so in that sense, you almost have value that if you're consuming some sort of a data feed that says there's 10 things and like you can turn around and say, actually, there's 74 and none of those 74 in your environment. We're not only ingesting files from, say, your company. We're also ingesting files from, I think we're up to like six different independent malware feeds.
Starting point is 00:55:39 And we're aggregating all that together into what we call like the global object collection. And so when you come into our platform and you do a search, even if you have never had a particular hash before, odds are we probably have it in that entire corpus of files that we're collecting there. And we kind of allow you to hunt and search across internal and external with that collection in one shot. So when you come in with a hash, we're able to expand that out into the universe of everything we've ever seen that is even remotely similar to that. And then that's what gets
Starting point is 00:56:10 intersected across your environment in terms of what you've ever had. It's incredibly rare for us to see a threat report where there's a whole set of IOCs that is relative to the large data set that we've been amassing over the last three years to sit back and say, the information in that report or feed or whatever was exhaustive and conclusive. And so the first thing we do is we expand it out. They're never complete, right? Never complete. And then the thing is, it changes, right?
Starting point is 00:56:38 What's really funny is if you actually play with our variant discovery, you actually find people who are still tweaking old Stuxnet drivers and uploading them to the various feeds that come in there. And you're like, hey, this is a variant of Stuxnet. It is like 99.8% similar to the original one. And there are still people out there who are trying to binary patch it and tweak it and mess with it. And you can see that. So when you start seeing stuff like, go back last year, I think I did a demo with you with HermeticWiper. There are still variants of HermeticWiper
Starting point is 00:57:08 showing up almost every week. And it's a random piece of malware. I mean, man, if you plug a box just onto the internet and listen, probably Code Red's still flying around, right? Oh, I wouldn't doubt it. I mean, I still think there's probably SQL Slammer flying around out there. Yeah, yeah, yeah, yeah, yeah. The good old, the good old days, right? So Eric, you're on the
Starting point is 00:57:29 business development side of Stairwell. You know, is this something that's turned into a major driver for people to put this in, you know, to actually buy and install Stairwell so that they can just answer those questions quickly? Yeah, because I think it's solving a pain point and adding more time to your team so that they can focus on better things. But it's also the flip side of this. So the peace of mind absolutely is a part of it, right? It's the, I want to know that I'm not affected by this thing. I don't want to have to pull somebody off of whatever they were doing and have them go search for this and spend days or weeks to figure out if we were impacted by this. But it's really, it's those whatever one out of 10, one out of a hundred where I was impacted and what we do there, you know, as cliche as it is, I mean, we're trying to shift as far left in the attack cycle there as we can, you know, obviously you want to try to shift left to boom completely, but you know, you're, what you're able to do is significantly shrink your response time here to say five minutes after Mandiant releases, you know, this great report on 3CX. I know instantaneously, you know, again, within
Starting point is 00:58:33 five minutes, every trojaned 3CX instance that's ever been in my environment. Guys, that's all we're going to have time for. Thank you both so much for joining me for an interesting chat. It was great. We'll do it all again soon. Thanks, Patrick. It's been a true pleasure. Really, you know, big fan of the show and thanks for having us on. Always great to be here, man. Have a good one.
Starting point is 00:58:53 That was Mike Wiacek and Eric Foster there from Stairwell. Big thanks to them for that. And you can find them at stairwell.com. And that is it for this week's show. I do hope you enjoyed it. I'll be back tomorrow with another edition of the Seriously Risky Business podcast with Tom Uren in the Risky Business News RSS feed. But until then, I've been Patrick Gray.
Starting point is 00:59:11 Thanks for listening.