Risky Business - Risky Business #719 -- FBI vapes 700,000 Qakbot infections
Episode Date: August 29, 2023

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They cover:

The FBI takes down Qakbot, steals operators’ bitcoins, ha ha
Danish hosting provider completely destroyed in ransomware attack
Sophisticated Russian cyber attack on Polish trains. Well. Not really.
Microsoft revokes cert then revokes its revocation
Much, much more!

This week’s show is brought to you by Proofpoint. Ryan Kalember, Proofpoint’s EVP of cybersecurity strategy, is this week’s sponsor guest.

Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that’s your thing.

Show notes
US says it and partners have taken down notorious 'Qakbot' hacking network | Reuters
Danish cloud host says customers ‘lost all data’ after ransomware attack | TechCrunch
VDP Platform 2022 Annual Report Showcases Platform’s Success | CISA
Proposed bill would require vulnerability disclosure policies for all federal contractors
The Cheap Radio Hack That Disrupted Poland's Railway System | WIRED
Two suspects arrested following Poland railway hack
‘Incredible concern and anger’ among Metropolitan Police after hackers breach data
New malware from North Korea’s Lazarus used against healthcare industry
North Korea’s Lazarus hackers behind recent crypto heists: FBI
US arrests Tornado Cash co-founder, sanctions another who remains at large
Kroll Employee SIM-Swapped for Crypto Investor Data – Krebs on Security
Risky Biz News: WinRAR zero-day used to hack stock and crypto traders
Microsoft signing keys keep getting hijacked, to the delight of Chinese threat actors | Ars Technica
Renegade certificate removed from Windows. Then it returns. Microsoft stays silent. | Ars Technica
Barracuda ESG zero-day exploit still under way after patches fail | Cybersecurity Dive
Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868) | Mandiant
Unpacking the MOVEit Breach: Statistics and Analysis
The DEA Accidentally Sent $50,000 Of Seized Cryptocurrency To A Scammer
Akira Ransomware Targeting VPNs without Multi-Factor Authentication - Cisco Blogs
Ransomware attack dwell times fall, pressuring companies to quickly respond | Cybersecurity Dive
British court convicts two teen Lapsus$ members of hacking tech firms
Tourists Give Themselves Away by Looking Up. So Do Most Network Intruders. – Krebs on Security
Apple security updates could be banned by British government
Transcript
Hi everyone and welcome to Risky Business. My name is Patrick Gray. This week's show
is brought to you by Proofpoint and Proofpoint's EVP of cybersecurity strategy, Ryan Kalember,
is this week's sponsor guest. And he is here to say that we as an industry are putting
focus on the wrong stuff when it comes to cloud security. So, you know, sure, cloud security posture management is important.
Infrastructure security tooling is important.
But most of the threat activity in cloud is targeting stuff like Google Workspace and M365 accounts.
So maybe we should invest a little bit more there, which, you know, it seems like a reasonable opinion.
That is this week's sponsor interview, which is coming up after this week's news.
Just some brief housekeeping before we get going.
For the last couple of years,
Google Podcasts has been using the wrong feed for our podcasts.
They've been using a site-wide feed,
which has meant that all of our podcasts
between the main feed and the Risky Business News RSS feed
have been sort of mixed together and presented as one
feed, which means people are getting like eight podcasts a week, some weeks. So we're sorting that
out with them. But for now, they've just removed the Risky Biz News RSS content. So if you subscribe
to that content through the one big jumbo feed through Google Podcast, you're going to notice
that that is missing. So we're working on getting that content into its own dedicated Google Podcasts entry.
But until then, if you are missing the six, you know, five or six weekly podcasts we publish
into the Risky Business News RSS feed, you will need to get that audio from another podcatcher
or on Spotify.
Sorry for the inconvenience.
But yeah, let's get into the news now with Adam
Boileau. And Adam, the G-men have done it again. They've gone after Qakbot.
Yes, Qakbot is a pretty large botnet that's been around for a long time,
and something like 700,000 active nodes at the moment, or at least until a few days ago,
when the FBI decided to shut it down. They sinkholed the C2, took over the botnet
and then issued like a botnet wide kill command, removing it from all of the infected machines.
They said about 200,000 of those were in the United States. And it's really refreshing to
see the feds out there bricking a botnet, you know, where 10 years ago there was so much hand
wringing about this kind of thing. And now, no deal.
Yeah, it's interesting though, because, you know, the FBI Director Chris Wray actually did a YouTube, you know, video statement on this,
which is, you know, a sign of the times. But he did say this is the first time they've done this, which, to my knowledge...
I mean, I think the Turla thing, they did the same thing, so not sure that it's the first time they've done it.
But anyway, here is Chris Wray talking about the Qakbot takedown.
The botnet's infrastructure enabled the most prolific ransomware groups, groups like Conti
and ProLock, to cause losses in the hundreds of millions to businesses around the world.
But that's where we came in. Our FBI-led operation infiltrated the botnet servers and
redirected their traffic to our own systems to uninstall the malware. This is the first time
we've deployed this innovative technique, severing thousands of computers from the botnet and
restoring control back to the victims. We also seized millions in cryptocurrency in the process.
Ha ha, sucked in, they got your Bitcoin.
Chris Wray also, it must be said, has a very soothing voice.
I think he needs to do like sleepy time book readings.
That could be his next job, right?
Yeah, he does very, very, very smooth.
And you feel that, like, warm, reassuring protection from Sam.
I wonder if he got promoted.
Yeah, exactly. Yes.
Yeah, so good job, feds. You know, there's a lot of moving parts in pulling a shenanigan like that, and they nailed it by the look of it.
Yeah, they certainly did. So, I mean, this is stuff that we have... I mean, you know, this is different
to the Hive ransomware takedown in that, you know, they have directly gone after a botnet.
Previously, they went after Turla, but that's different.
You know, like that is different.
This is crime-based stuff.
And I love it that they went after the money because you remember for years I've been saying, go after the money.
And they actually did.
They stole their money.
And they did, yes.
Yeah, a whole bunch of money. The Dutch police were also involved, and they found something like,
what was it, seven billion sets of creds from the systems behind the botnet. So that's a lot of
usernames. I'm not sure if it's usernames and passwords or just like email addresses or whatever,
but that's a lot of creds.
Well, I mean, you know, it's not going to be just email addresses. If it's, you know... they would have said email addresses. Like, it's got to be credentials. I just wondered whether or not that was like auth tokens or something.
Yeah, maybe. It could be. I guess you still steal cookies and stuff. But either way, 7.6 billion anything.
And I guess they've dumped it all on Troy over at Have I Been Pwned, so I guess we'll be seeing
some jumbo updates to his database.
Yeah, he's spinning up the disks as we speak.
But yeah, so good job to the FBI.
We hope to see lots more of that sort of thing.
It is nice.
The hounds have been released
and we are rejoicing at Risky Biz HQ.
Now let's move to a sad story.
In Denmark, a Danish cloud host
has had a bad time.
Yes, Cloud Nordic is a hosting provider over there
and some ransomware crew, unspecified,
got into their systems and encrypted all of their stuff
and they got into the control panels,
got into the disks of hosting customers,
encrypted all their data
and then asked for ransom, obviously,
and the company refused to pay.
And so now all the data is gone.
Yes.
And they are in the process of rebuilding their customer systems without the data, which
is like not rebuilding them.
They did say, though, at least no one stole their data.
Well, I mean, I would be deeply reassured if I was one of their customers and my entire infrastructure got removed, you know, vaporized.
Yeah.
I just thought it was a good spin, though.
We only got extorted one way, not both ways at the same time,
so you can't go and pay to get your data back.
Yeah.
I'm not sure how big this hosting provider is,
but, I mean, they appear to have, have like another arm of their business that does threat
intel for the, for, you know, and has government contracts and stuff.
So you would think that they're not just some like ma and pa cloud host, right?
Yeah.
And it would be a bit awks if you're also running threat intel to have all
of your business vaped.
So yeah, I hope that arm of the business manages to survive.
Yeah. Yeah, yeah.
I can remember once there was, you know,
the one prior case study on this was when,
I think it was a disgruntled ex-employee burned down a hosting provider
here in Australia, in Melbourne.
And that one was a, you know, the go-to case study on everyone's slide.
So I guess, you know, that's, you know, go update your PPTs, people.
We got a new case study.
A new example, yes.
I mean, I'm frankly surprised this doesn't happen more often. Aren't you?
Yeah, I mean, I'm surprised also. Like, you would think we would see more cases of stuff, you know,
being properly burnt down. But I don't know, maybe ransomware crews are not quite so ransomy.
I don't know, maybe that'll be next year.
I think maybe next year, yes.
Now CISA has put out a release
touting the success of its VDP platform.
So in 2019, CISA issued a binding operational directive
requiring all federal civilian agencies to develop
and publish a vulnerability disclosure policy.
And CISA also recognised that getting those agencies
to spin up an entire platform to handle those disclosures was not realistic.
So they also spun up a VDP platform.
And they've shared some results from this.
And it looks like they had something like, what was it, 1,300-ish reports and 1,000 remediations, which is pretty good.
So they are saying that this is working well.
It's saving them money. And we've also got talk coming out of the US
where some lawmakers are proposing to pass a bill,
which is going to be called
the Federal Cybersecurity Vulnerability Reduction Act.
Love it.
They're going to pass a bill
which would require government contractors
to also have VDPs.
So this is just,
obviously this doesn't solve everything.
I think for a while people were putting too much stock in stuff like, you know, having vulnerability
disclosures open and stuff, but it's still a good thing to do. And it's nice to see it, you know,
here we are four years later and it looks like it is actually achieving something. So that's nice.
Yeah. It's nice to see a wrap-up like this. And there's been, you know... it doesn't seem that
long ago that even just finding out how to report, like what email address you could send information
to, let alone... we were literally having this conversation last week about, you know, having
to in the past, like being, you know, people using me as a cut-out to go and approach companies and
tell them that they had a problem. So at least for government, you know, there's somewhere to go.
Yeah, no, absolutely. And it's a good process to have as a researcher. It's
a good process to have, you know, as a network operator or environment operator. And yeah, I'm...
I am glad that the numbers and the, you know, the stats support this being a good idea, because it is.
Yeah, yeah, that's right. Now let's talk about the massive Russian cyber attack on the Polish
railways, Adam.
So there were reports in mainstream media, you know, last week about
trains being disrupted in Poland by cyber attackers. It turns out that there is a system
on Polish trains, like in many other places, where rail infrastructure can signal to trains that something's gone wrong.
So like a local switching system or a station or whatever can broadcast a radio signal which will tell incoming trains to stop because something bad has happened.
And that system, as a fail-safe safety system, is meant to be kind of simple.
And it's documented that you send these particular three tones,
in, you know, in order, on like 150 megahertz, whatever it is, and then the train stops. So
not really cyber, unless you count, you know, sending tones over, you know, over radio as being
cybers.
But this was like some sort of Sandworm GRU operation, right? Like this was a big... because
I saw the headlines. This is a huge, you know, Russian cyber attack on the trains in Poland,
in a NATO country, no less.
Apparently, because obviously the hard part here is being in radio range of a train.
Apparently what happened was.
So they did this with physical proximity and didn't get caught.
Exactly.
And didn't get caught.
I mean, amazing GRU operation.
Amazing they got away with it, yes.
So two Polish men have been arrested.
Wait, what?
Apparently one of them is a police officer.
Oh.
And then his younger sidekick or whatever,
they got raided and arrested.
And that's, I guess, a little bit awkward
from an employment point of view.
Yeah, especially when they were broadcasting the tones
alongside the Russian national anthem
and a speech from Vladimir Putin.
Yeah, seems a little bit awks. Like, maybe
they're patsies? Maybe they got blackmailed into it
by the Russians? But no.
It did not seem like
a super-sophisticated cyber-attack
on the railway logistics system.
They're just idiots, basically.
But, you know, I knew as soon as...
A friend of mine, actually,
I first learned of this from a friend of mine, who DM'd me and said, hey, have you seen this? And I said to him,
like, basically I said, I'll find out eventually about this, like, you know, whether this
is a big deal or not. But initially this was being presented as a big, you know, sort of scary cyber
thing. And, yeah, it just turns out it wasn't. It was a couple of idiots with a radio transmitter.
Yeah, like $30 SDR or whatever.
And like this stuff is literally documented
in the European Union standards for radio,
for this stuff's literally documented
in the European Union standards for train systems.
So, you know, not exactly the height of the cybers.
Yeah, yeah.
So we can, sorry to pour some cold water on that one,
but yeah, not, not so interesting in the end.
We got a data breach here affecting the Met, the Metropolitan Police
Service in London. Looks like, yeah, all of the force's 47,000 personnel have been notified
about the potential exposure of their names, photographs and ranks. But it doesn't look
like stuff like, you know, home addresses and stuff has gone out there, which is good, because there are certain people
who hold animosity towards police, so probably not great for all of their home addresses to be
doxxed.
Yeah, it looks like this was a system that was involved in printing ID cards or some other,
like, identity document for the police. So they had all the data to go on those cards,
like nicely formatted photos, et cetera.
Yes, they don't tend to print police's home addresses on their ID cards.
Not so much, no.
So it seems like they only had the information that they actually needed,
but still, like this is pretty embarrassing for everybody concerned.
And as a, you know, ID document printer, you know,
you've only got a couple
of jobs, and one of them is to not lose all of the data that you're going to print.
I think I remember saying this on the show once before, but years and years and years
ago, I remember visiting a friend who worked at a print shop, and they had really tight
security, and I wondered why, and it was because they print stuff like annual reports for companies
before it's announced, you know, results are announced to market stuff. So it was just a place
where I didn't expect to find robust security, and did. And, you know, that was more a physical
security thing back then. But, you know, you do wonder if print... you know, print shops handle,
often handle some pretty sensitive stuff, so you do wonder how well secured they are against this sort of thing.
Yeah, and also handle a lot of documents,
a lot of PDFs, a lot of things that are vectors
for breaking into them electronically.
But yeah, physical security-wise,
I've been to a number of card printing bureaus
and that's some of the highest physical security stuff
you've seen in the public sector.
But that's card printing.
I mean, I'm talking about like on paper printing.
The security there was still pretty high
because as I said,
they are often handling stuff
like market sensitive information.
But anyway, we've linked through
to Alexander Martin's version of that on The Record.
Another one from the record here,
John Greig has a report up about Lazarus,
the North Korean government hacking organization
mostly associated with cryptocurrency theft.
They're going after the healthcare industry, apparently. Is that right?
Yes, we've seen reports that the Lazarus crew, or at least people using their kind of style tooling, have been seen
in healthcare entities and some internet backbone stuff as well. So, you know, the North Koreans
have been very willing to attack infrastructure to move onwards to whatever their real targets are,
be it cryptocurrency theft, which is what they're mostly known for,
or something else.
But they had that really sweet ManageEngine bug,
and I think this is probably a case of, well, have bug, will travel.
Let's go use what we've got before it gets fixed,
because that bug was disclosed not that long ago,
and like five days later, North Koreans are rolling with
it. So makes sense to go get some access while you can.
So you think this is less likely to be them
deliberately pivoting towards targeting healthcare and more likely that just healthcare orgs were
using that software and they just had a bug for it?
Yeah, I don't have any data to back that up, but
that's just kind of like gut feel. You've got a great bug like that, you may as well go use it
everywhere that you can and then figure out later.
And we've seen that kind of approach
of like just shell everything,
sort it out later from the North Koreans in the past.
Yeah.
And John Greig's also written up the FBI saying
that Lazarus are behind a bunch
of recent cryptocurrency thefts.
I don't think we're at all surprised by that.
Not at all.
It's so funny though,
because there's like various North Korea watchers
who I know listen to this show who get really irritated
when people just describe Lazarus as this one thing.
That's a whole complicated thing.
Is there a Lazarus?
Is there not a Lazarus?
This is a topic that people actually argue about.
But, look, staying on the crypto stuff,
and I guess this connects with North
Korean stuff. Adam Janofsky, also at The Record, has a write-up about the two indictments against
the Tornado Cash operators unsealed. One is, I think, arrested; the other one's on the run. What's been
really funny for me is watching like tweets flying around, or X's on X,
as we now call them, flying around.
Where crypto people are like, oh, what's next?
Are they going to, you know, outlaw shovels because someone got hit on the head with a shovel once,
you know, like sort of not seeing that laundering
stolen crypto for the North Koreans is problematic.
But, you know, I guess this is,
this whole story will conclude at sentencing, but this
is certainly a step towards the conclusion of the Tornado Cash event.
Yes, and this is one of those
cases where cryptocurrency people were like, well, this is just a smart contract on the blockchain.
You know, it's not a person doing it; it's just the software that they wrote and deployed
and made money from. And, like, those kinds of arguments just don't work, and it's good for them to have their noses rubbed in that. I think the only other
tidbit of interest in this story is that both of the Tornado Cash people are called Roman.
Yes, Roman Storm and Roman Semenov. And I think it is Roman Semenov, he's the Russian national who
remains at large. The other one was arrested in Washington State, where he resides.
Yes.
Womp, womp, womp.
Maybe don't run a North Korean money laundering operation
from your house in Washington.
Yeah, yeah.
Not a great idea.
And look, staying with all things crypto and drama,
Kroll, which is the global sort of risk advisory company,
it is handling bankruptcy restructuring for BlockFi and FTX.
And one of its employees got SIM swapped and someone, you know, Parties Unknown,
racked off with a bunch of information on people who had like bankruptcy claims in for those companies.
And obviously they're going to use that information to do onwards fraud. Yes, we've seen some examples of FTX account holders receiving emails
saying, hey, you can withdraw some of your funds
as part of the bankruptcy process,
which then just goes ahead and scams them for even more cryptocurrency.
So I should feel sorry for them,
but I mean, like this is just the cryptocurrency ecosystem
working as intended, I think.
Yeah, and it's funny too, right, because Kroll actually have a cyber division that does really good work. They
sponsor this show as well. And we were just talking before we started recording about how, like, you
know, this is the same sort of thing that happens to PwC, right, who do some of the best incident
response and security work in the business. And then didn't they get, like, majorly... didn't PwC writ large get majorly owned?
I'm pretty sure they got domain admin.
Certainly Deloitte's got domain admin at some point.
KPMG got domain admin, I think.
So like running a big network is legitimately hard.
And, you know, on the one hand as a customer,
you could probably reasonably expect them not to get owned
given they're providing these kind of services for you, but it is just really hard.
But it's also a separate business division, right?
And that's just how this works.
You don't just throw unlimited hours from your cyber people to the rest of your business,
because that's not a great way to make money.
No, it's certainly not.
But that's not reflected in the structure of the Windows domain.
Yeah, this is true.
This is also true. There's a WinRAR 0day also being used to install malware
on user devices and steal money from crypto accounts
and stock accounts as well.
So Catalin wrote this one up for us.
This is research out of Group IB,
but it's actually in like WinRAR's processing of zip files,
which is, you know, can you unzip a RAR?
No, you're un-RARing a zip.
You're un-RARing a zip.
But yeah, WinRAR 0day.
You know, I keep talking about WinRAR, about how it's evil,
and this is just more proof.
Yeah, and it's funny because, you know,
WinRAR gets tied up in so much hacking
because hackers like using WinRAR to, you know,
exfil, packages them up for exfil.
So it's kind of funny seeing it being used on the way in.
And like, also it's actually a pretty sweet bug
and, you know, lots of things process zips
or RARs, you know, programmatically.
And, you know, I think there's gonna be a long tail
on this one, which I'm always into.
Now we're seeing more stuff getting signed.
More dodgy drivers are getting signed by valid MS certs.
And Dan Goodin has a write-up over at Ars.
Yes.
I mean, people have differing expectations
about what code signing was meant to achieve.
You know, it was meant to either identify
the original authors of a piece of code
by having a certificate for them
or show that some code has
been through a review process, has had some trust imbued in it by the signer. And the reality is that
most code signing schemes do neither. You know, you can't really identify the author particularly well,
and the people doing the signing generally don't check particularly well. And Microsoft's driver
signing scheme has been abused by a bunch of people over the years. I mean, initially for signing regular userland binaries, but then with Windows 10 and
the requirement for kernel drivers to be signed, you know, we saw that kind of pick up again. But
it's been abused, you know, a bunch of different ways over the years, and the fact that it's
continuing to be abused, you know, I don't know, is a surprise to anyone. But given the scrutiny on Microsoft lately
with where their signing keys end up
and how they get used,
it's a timely reminder not to trust that ecosystem,
even though it's explicitly for that.
Yeah, I mean, I think this just goes to show
that even though they're going to update
their bad driver block list,
we are, you know, it's going to be whack-a-mole from here to eternity, I think is the message
here.
Yes, basically.
And then even if, you know, they did decide to change how it worked, you know, the next
thing we're about to talk about with Microsoft and certificates indicates that the whole
like end-to-end process for managing certificates as they die or need to be revoked or whatever
else is also a little bit creaky.
Well, I mean, it's still useful information, right?
It is.
Because you can, if you
have the right tooling, you can manage which publishers you trust, you can manage which
certificates you trust and whatnot. But you still get into some interesting situations, and that's
what we're about to talk about here, Adam. Because, so, this story all started actually with a tweet from the Airlock guys. So I
was just like lying around at night and noticed that they were tweeting about, like, hey, has anyone
noticed that this pretty important certificate has been revoked in the latest Microsoft Windows
update? And I think my snarky reply when I saw a tweet from the second, the other founder, you know,
along the same lines,
I replied and said,
geez, you guys are having an interesting night, huh?
So what had happened is Microsoft did revoke
what turned out to be a fairly important certificate
just in a Windows update, right?
And they didn't announce this.
They didn't say, hey, we're deprecating this thing.
And it broke stuff, right?
So for Airlock's customers,
I think SAP, the full validation chain for SAP broke, right? Which for their customers wasn't
really a big deal because they can say, okay, we trust this publisher, even if the entire chain
doesn't validate, that's okay, just let it run. So a couple of policy changes and they were all
up and running. But there were other issues, like it caused breakage unrelated to allow listing elsewhere. So some of the accounting software, I think it was
Quicken, actually does, like, it does its own validation of various bits of itself, and if that
validation fails, like, it won't execute. So all of a sudden you had stuff breaking left and right.
it took the airlock guys a little bit of time
to like really confirm that this certificate had been nuked.
And then they wrote a blog post, published it,
and then Microsoft revoked the revocation.
They rolled it back.
So my joke on that was like, yo, dog, I heard you like revocation,
so I put a revocation in your revocation.
But yeah, walk us through this one.
Why did Microsoft suddenly revoke this certificate revocation in your evocation um but yeah walk us through this one why did microsoft suddenly
revoke this certificate that still like software developers are using in their uh in their in their
trust chains so this was a certificate that was originally kind of begat out of semantic back when
semantic was in the search business and about that time which is like four or five years ago now
it came to light that Symantec had signed a whole bunch of stuff specifically they had signed a like
google.com search and google got yeah well yeah quite understandably google got a little bit
shirty about that and threatened to revoke it all out of Chrome but because VeriSign and Thought and some of the
other like semantic brands were so embedded in the cert ecosystem it was really pretty difficult
so they went through like a gradual process and Microsoft had similar kind of problem like ripping
those certs out is very difficult so they had a gradual process and at some point I think this had been planned but perhaps not really communicated by Microsoft
and the cert got marked as revoked
and it just broke in a whole bunch of ways
that people probably hadn't thought through
but this was always going to be a complicated certificate to revoke
and then they backed it out relatively rapidly
once the impact became clear.
Can you imagine the phone calls to get Microsoft
to reverse something like this within a day?
Yes, exactly.
It's hard enough to exercise certificate revocation,
but revoking a revocation?
I wouldn't want to be the person who says,
yes, we're going to do this and it's going to work
and fix everything because it's such a clunky infrastructure.
Well, kudos to Daniel and Dave being the ones who spotted this because the only other signs were just really confused Quicken users.
Basically, no one really knowing what was going on. the recent State Department hack, right, where attackers were using a certificate
for consumer services to create auth tokens
for corporate mailboxes when that certificate
was expired already.
So I just wonder if there's some cert audit
happening within Microsoft at the moment
trying to tidy up a lot of this stuff.
And they were like, okay, well, that one
should have been gone years ago.
Nuke it.
Yeah, that's possible, actually.
I had assumed it was a planned process that just hadn't gone particularly as they had thought.
But absolutely right.
I mean, they could be in the process of looking at their certificate life, you know, apropos of Ron Wyden sniffing around.
Yeah, it looks like it was.
Did I say Quicken earlier?
It looks like it was QuickBooks.
Not Quicken.
QuickBooks and AvaTax, which I've never heard of.
But yeah, we've linked through to Dan Goodin's write-up on that.
And yeah, that was a real fun one to track as it happened,
where it's like, what, they just nuked it and they didn't put a note
and it broke all this stuff?
Anyway, fun stuff.
And interestingly enough, I think the Airlock guys initially were like,
gee, we wonder if the customers are going to get mad
that they blocked a few things. And customers were like, no, no, you actually did your
job. Like, we pay you to validate this trust, right? We pay you to validate these certificate chains,
and when one breaks, that's what you're for.
Yes. Well, that's really nice too, because, I mean, you
know, it wasn't that many years back that breaking anything, you know, was kind of verboten for security
software. So, yeah.
Yeah, but I think it's just the nature of that software, which is like, we want you to stop stuff
when it goes, you know, skew-whiff, right?
Yeah. Now, speaking of skew-whiff, man, this Barracuda thing.
Now, of course, back in, was it like May, June, we found out about this big Chinese APT campaign
targeting Barracuda Email Security Gateway appliances. And, you know, it was an interesting campaign that upset a lot of people in Western agencies
and even some politicians, because what happened is when Barracuda brought in Mandiant to try to,
I think it was Mandiant, wasn't it, who did the work on this?
Yeah, brought in Mandiant to try to, you know, evict the attackers.
That's when they started burrowing in and accelerating their sort of persistence mechanisms
to the point where people had to throw away some of these Barracuda appliances at the urging of Barracuda itself.
It looks like people are still getting owned with these bugs.
Some of the patches are not necessarily effective.
And yeah, Barracudas need to go into the wood chipper.
Yes, the FBI in particular has put out an advisory, you know,
telling people that essentially the Barracuda patches were not effective, and if you have a
Barracuda you should kind of assume that it needs to be hardware replaced, which, you know, is a, you
know, kind of maybe a broad-brush kind of statement, but, I mean, still true. But I don't know that
necessarily everybody who got Barracuda'd is in that boat.
But it's a campaign that has gone counter to some norms,
I think, in the spook world because of the extent to which they dug in, especially in high-priority targets
and military and government and so on.
They caused a lot of damage.
They caused a lot of disruption, right?
And I think that's the problem, which is like,
you know you've been caught.
Are you really going to cause us this much drama just to extend your access by, like, a week or two? Like,
really, is this what you're doing? Yeah, exactly. And that kind of behavior is, you know, frowned upon
from Western agencies. But, you know, if the Chinese decide that that's just how they're going to do
it in future, then we've got to live with it whether we like it or not. And, yeah, we've linked through to Mandiant's post on this that they published the other day, Diving Deep into UNC4841 Operations
Following Barracuda ESG Zero-Day Remediation. What a catchy headline. Just absolutely remarkable
stuff. There is a bunch of great detail in that blog post, though, so if you are interested in the
gubbins, it's well worth a read. Yeah, but that is such a threat intel person's headline. Yes. Now, Tom Brewster at Forbes
has an absolutely hysterical write-up on how someone managed to scam the DEA out of 50k in seized
Tether. And this is just, you know, I clicked on going, is this going to be a silly story?
And it is not.
It is just absolutely, absolutely hilarious.
Yeah, it's pretty funny.
So the DEA had seized some cryptocurrency from some Binance accounts
that were being involved in money laundering,
drug money or something like that,
and then put them in their hardware
wallet, like they would normally do with seized cryptocurrencies. You're like, good job, DEA, for
storing your cryptocurrency in a safe way. So far, so good. Yep, so far, so good. And then they would
normally send the cryptocurrency to the US Marshals Service to kind of hold it as part of, like, this is
how the forfeiture of assets normally works.
So they sent a test transaction from their account
to the US Marshals Service and it worked.
And then some clever enterprising person
spotted that on the blockchain
and then sent the DEA another transaction
from a wallet address that had the same beginning and end numbers,
the same account identifier.
They spun up a wallet with the same first and last four digits or whatever.
Yeah, so then when whoever was going to start moving the money around
looked at the transaction record on their blockchain account,
they're like, oh yeah, that's the DEA.
Sorry, that's the US Marshals Service.
Copy-paste, send money. But it was not, um, which, you know, this is a scam we've seen used on, you know,
like regular Joe crypto users, uh, where you just kind of airdrop them in another wallet address
that looks like what they want, and, you know, I hope that they send you something. But it's just
funny that it worked on the DEA. So smooth. Yeah, and by the time the Marshals noticed what happened
and told the DEA, uh, they contacted what they're calling here the Tether operators. I don't know
how that works, but, um, yeah, they contacted, uh, someone, and apparently the money was all gone.
So someone out there is living it up on 50k of DEA Tether. Although I do wonder, you know, unless
you're based somewhere where extradition is very difficult,
I do wonder if this is a sensible thing to do.
Yeah, because like this is thumbing your nose
at law enforcement in a way that's just like,
the fact that we're talking about it
is because it's funny and embarrassing
and that's going to get you
some special attention perhaps.
Well, and we've just seen that like blockchain,
you know,
the immutability of the blockchain
isn't real amenable to getting away with crimes in the long term.
So you do wonder if...
Yeah, it cuts both ways, my friends.
You wonder if this is going to be like the guys
who stopped the trains in Poland, you know,
where you talk about it and then three days later
you get the arrest.
Like, if this turns out to be some American kid,
it'll be very funny.
Yes.
Or, you know, do one to two. Do
you think they knew that this was DEA? I mean, or was this just a standard technique they used to
try to, to try to trick people? It's a great question. I guess we'll find out when they get arrested.
It might be the dog who caught the car, which would be very funny. Yeah. Uh, and we got some work
out of Sophos looking at dwell times for ransomware attacks, and it looks
like they're down to five days from the average last year of nine days, which is, I mean, you know,
much as you would expect. They're getting better. They're optimizing their workflows. It's about
productivity, to the moon. Yes, I mean, the methodologies for taking advantage of a Windows
corporate network are pretty well entrenched
at this point.
There's plenty of automation.
There's plenty of good tooling.
It does just take time to read enough documentation
about the network that you're in and understand the layout
and so on to be able to effectively ransom it.
So I don't know how much lower it will go,
but being able to spot it and have triggered your ransomware
within a week is pretty good as productivity improvements go.
So the pen tester part of you is actually low-key impressed here, it looks like.
Yes, exactly.
We would have to write reports, which slows us down,
but actually getting enough info about the network to effectively ransom it,
find the backups, find the other domains of the forest or whatever
else. Like, you know, that's pretty good. Yeah, good job. Yeah. Uh, Alex Martin at The Record has a write-
up on the sentencing, or the conviction I should say, of two of the Lapsus$ members. Uh, one of them
is Arion Kurtaj, uh, who I think he was the one who was found not fit to stand trial, right? I believe
so, yeah, because he's on the autistic
spectrum somewhere. Well, to the point where he's in a special school for, you know, people with quite
serious autism. So this is the guy who, like, I think he kept getting bailed and then kept criming.
Yeah, literally doing crime from the hotel where he was bailed to, like, on the TV
with an Amazon Fire Stick. With a Fire Stick, right? Right. So, I don't know, you know, the British justice system has determined that this guy, you know,
is not, I guess, criminally culpable because he's got some challenges, but wow.
And the other one is like 17, so he can't be named.
But yeah, the candle that burns twice as bright or something, something. Yeah, it's just, it's hard to
know what to do with kids like this that are clearly a menace to society, but at the same time
you can't just put an autistic kid or a 17-year-old kid in a grown-up prison and expect that to end
well either. So, yeah. Yeah, it's tough. Yeah, yeah. So you do wonder, like, with someone like Kurtaj, like, I'm thinking it's going to come down to the parents
just saying, that's it.
You can use a pen and paper and that's about it.
Kurtaj needs some time away from a computer, you would think.
Yeah, that certainly sounds like it.
Now, Brian Krebs has a write-up of some output from Cisco Talos,
which I actually thought was really interesting
because they were looking at,
and I love the headline that Brian Krebs gave this,
which is tourists give themselves away by looking up
and so do most network intruders.
And really the report looks at how
when an attacker lands in a certain environment,
they're going to do certain things
that regular admins don't really do.
And, you know, you really ought to be canarying those things. And indeed there's even some screenshots
and stuff of, like, you know, canary tokens and whatever. Um, but this, just, you know, I just really
like this write-up because it's good advice for anyone working in, you know, enterprise security on
some stuff you can do that's low-cost and reasonably high-impact.
Yeah, super pragmatic stuff. And as an attacker who has, like, going from I've got some degree of access
to a corporate environment, um, to I understand how it works, like, that's kind of been my core
speciality, and looking around the network, understanding how it hangs together, reading
the configs so that you understand the as-built reality of the environment. Like, if someone takes that away from me by putting canary tokens
in the Cisco configs, then it's just gonna make me so mad, uh, and, like, gonna get me snapped. You type
show config and you get wrecked. Yeah. Yes, show it, show, or show up, like, show run. Yeah, it's just
you're gonna look at the up, right?
Yeah.
Yeah.
So it's one of those things that just attacks the reality of being an adversary.
You know, you have to look around and nose about to get an understanding of where you are and what's going on.
Because you don't know.
Whereas the people who work there know where they work.
You know, and they know where the domain controller is.
And they don't have to go looking for that stuff.
And it's just a great tell for someone who was new to the environment nosing about. And I hate it, because it would 100% catch me, uh, and that makes me mad. Yeah, I mean, I
think what Thinkst, you know, disclosure, I mean, I think everyone knows they've been a long-term
sponsor of the podcast, but I think really what they've done is just take a simple idea to the nth degree. And it really is at the point where you see companies like Cisco writing, like, canaries, it's become something that's mainstream now. Like, it really does feel like
canaries have in the last couple of years been gradually moving towards the mainstream, and I
think that's a trend that's going to continue, and it's going to make, you know, pen testers sad.
Yes, absolutely. Like, it's a thing that legitimately introduces cost and just makes you doubt yourself,
because now you have to think every time you're going to type a command, is there a chance this directory listing, this config file,
this whatever else is going to trigger a token? And it screws with your workflow. You know, you're
a pen tester. How often would you actually run into these things? I mean, non-zero. Non-zero, but,
like, not most of the time. Not most of the time, yes. And if it was a thing that you had to expect most of the time,
it would impose pretty serious cost.
Yeah.
And that would suck.
Impose cost.
Hit that button.
Hit that button.
Now, I'm linking through to this story.
We're not going to actually talk about it.
I just wanted to give everyone a bit of a teaser
because Tom Uren is doing some analysis on this at the moment.
He's looking at some new proposed changes in the UK which would mean that, like, if some vendor
wanted to introduce a new security feature to their ecosystem, they would need the approval of
the British government. And, you know, the British government would put itself in a position to say,
well, we want you to hold off on patching that particular vulnerability for now
because we're using it.
You know, we don't have persistence.
So we need that bug
because we're in the middle
of a serious investigation or whatever.
Now, obviously, you know,
people are screaming at this
and I can absolutely understand why.
But this is also an example of something
that I have been suggesting for years would happen,
which is that if you paint governments into a corner,
they're not just going to say, yeah, no, we'll just not have access anymore. Yes, exactly right. Governments ultimately
do have power and they will exercise it, and pushing them into a corner has not worked particularly
well for cypherpunks and nerds over the years. Well, I feel like we're hitting crunch time now
now that the mobile ecosystem has got that much better,
that a lot of the sort of NSO-style companies
are not surviving unless they're really, really good
and all of the economics of the government spyware-related stuff,
that's all starting to break down.
We're in a really interesting inflection point, I think,
for government access and surveillance,
targeted surveillance into mobile devices
in serious criminal investigations
and counter-terrorism, counter-espionage and all of that.
So, you know, I just think this is an interesting proposal,
probably a sign of things to come.
And, you know, everyone should be subscribing
to Tom Uren's newsletter
so you can read his take on that tomorrow.
But Adam, that is it for this week's news.
Great stuff as always, mate,
and we'll chat to you again next week.
Yeah, thanks so much, Pat.
I will talk to you then.
That was Adam Boileau there
with a check of the week's security news.
It is time for this week's sponsor interview now with Ryan Kalember,
the Executive Vice President of Cybersecurity Strategy at Proofpoint.
And he is here today to tell us that when it comes to cloud security,
there's been too much emphasis on CSPM and cloud infrastructure security
at the expense of actually tackling real-world threats.
And those real-world threats are M365 and Google Workspace account takeovers.
Here's Ryan.
If you look at where attacks are actually happening, it's still the garden variety stuff.
It's compromising M365 accounts.
It's taking advantage of really woefully configured permissions that really do pop up in everyday
environments that don't get a great deal of hygiene. It's not really esoteric
attacks against either infrastructure as a service or other SaaS applications beyond the basic
productivity ones like Microsoft 365 and Google Workspace. When it came to cloud security, we're on
maybe the fourth or fifth iteration of figuring out what it's supposed to do. The original issue
we were trying to solve back in the earliest days of cloud security
was shadow IT,
if anyone remembers that fever dream
from back in the day.
That obviously did not translate
into meaningful risk.
And I think you'd struggle to find a single CISO
who really cares deeply about shadow IT
as a thing right now.
You mean shadow IT in cloud environments
where the marketing team has
spun up some hideously vulnerable one single use server for an event or something and then just
leaves it there? Yeah, well, exactly. But then if that thing gets owned, what is the actual
consequence? Does that actually matter to my ability to continue to run a business? Probably
not most of the time. So really extrapolating that to the present, I think we got to the point where we at least
figured out what attackers could get comfortable with and where they could operationalize the
sorts of things that frankly matter in the cloud, like BEC schemes, right?
Compromising M365 and Google Workspace accounts is absolutely critical to that entire ecosystem.
And they do the same stuff over and
over again. Once they're in there, they create inbox rules, they search for transaction logs,
they try and use those compromised accounts to do other things. They look at OneDrive,
they look at SharePoint for invoices that they can then use to create fake ones. It's not really
all that complicated. And so everyone should certainly have those controls. But if you look at a brand new, fresh M365 tenant that you could sign up for today, it's not really well
defended against that exact thing. Because they're the equivalent of a, you know, secure by default
mode that would actually protect it better. Well, it really surprised me when I, you know,
Catalin Cimpanu, my colleague, wrote a story into his newsletter,
which we were editing into an item
for our news bulletin podcast,
where it's like, you know,
Microsoft is turning on impossible login detection
for its cloud customers.
And I'm like, they didn't have impossible login detection
for their cloud customers?
Like that was really surprising to me.
And I just sort of wondered how many of their customers
realized that they could have three simultaneous logins for a normal user from three different parts of the planet at the same time. Even in terms of building third-party cloud security tools,
like the ones we build to try and detect account takeover, you're at the mercy of the information
that the cloud service generates. And so this was obviously a big discussion topic way back before
CloudTrail logs were a thing, and you really didn't have great visibility. And now, of course,
the E3, E5 premium logging controversy
seems to have been resolved in a relatively good way.
But that had a meaningful impact on our own product's ability to detect things.
Because for an E5 customer, we could find quite a lot.
E3 customers, quite a lot less.
Yeah, so you would actually, I mean, I guess you can confirm
that it was a legit problem.
Oh, yeah.
And I mean, our detection products got better when Microsoft made that change.
Yeah.
I mean, that was quite recent, wasn't it?
Wasn't that just a few weeks ago?
It was a few weeks ago and it's already improved.
Yeah.
Yeah.
So, I mean, do you think most people realize that they need to build their own detections
for some of these simple things?
Because I feel like Microsoft should have a few
of the top five detection.
I'm sure they do have a few good ones,
but I think just from an outsider's perspective,
it seems like what they do is they tend to hunt
adversary groups, right?
They tend to find the group, what TTPs are they using
and then sort of hunt them from there as opposed
to just like looking for weird stuff, running detection rules against individual users.
Yeah. And they obviously have an amazing threat intel team that just found APT29 using Teams.
But the core for the average organization, the core tenet that I would point them to is,
yeah, the Microsoft stuff is all out there. It's written down. You can absolutely
read the docs and operationalize this as long as you're willing to first do that work, and then
second, keep that work up to date as new features ship and create a tech surface in ways that you
had not necessarily anticipated. The rest of the time, though, given that there is no secure by default lockdown mode
configuration for M365, and it really isn't one for Google Workspace, although of course,
you can do it at the account level, it is very, very useful to be able to look at configuration
and to be able to look at the sort of things that are in those logs, because you find really,
really obvious detections on a regular basis. And in a lot of organizations that are not super mature in their usage of cloud and
their monitoring of cloud, most of the time they're going to be better off not trying to
roll their own there, but rather rely on either Sigma rules that are out there or a vendor product.
It's interesting, right? When we think back to the NT4 days, Windows NT4, because, you know, you'd install NT4 fresh on a server and it would have
IIS open and it would have like all this stuff open to the internet, right, that just most IIS
servers weren't being used as web servers and yet, you know, and the problem with that too is if you
put it up on a public IP, you're building a box that lived on a public IP. The thing would be owned by a worm within 10 seconds of you, you know, finishing
your install, before you even got a chance to patch it. So Microsoft eventually learned from this and
started tightening up defaults. I guess what you're arguing is that for stuff like, you know, M365
applications and stuff, they should really be thinking about doing the same thing, or at least
having a mode where people can select, would you like a more open-by-default configuration out of the box? Or would you like a more,
you know, default-deny configuration out of the box and you can open stuff up as you,
as you decide you need it. Yeah, I think that's spot on. This is Windows XP Service Pack 2
for the cloud. And you can argue that that also should be implemented for things
like Azure that have some trust boundary issues that have been found by researchers at Wiz and Tenable and
lots of other... way of putting it, but, yeah. Yeah, trying to be polite here. Yeah, for sure. And, but
the main thing that I think is critical, absent that setting, though, is that you have
to at least have a cursory look at how things are configured, and if something
were compromised, how you'd even notice it.
And this is where I think you learn a lot from the Storm 0558 incident.
You know, just looking at unusual application access to email was an incredibly powerful
detection.
And it's the sort of thing that everybody should be looking for.
So what's interesting here, though, right, and it is interesting, is that you're talking about
cloud security and the stuff that needs to happen. It's really stuff that boils down to
detections based on user events. That's what we need to be doing in cloud security. But,
you know, we've got a cloud security industry, which is largely centered around CSPM,
like cloud security posture management, and securing the infrastructure.
Now, that stuff is clearly important as well.
But I guess what you're getting at is that maybe we're a little underinvested in the user events side of things.
It's not well aligned to the threat activity.
That is absolutely what I'm saying.
And yes, do I want to secure all the cloud workloads? Of course, that matters. It's an important thing to do, especially if you have the ability to do that and your business runs in the cloud. But in terms of what attackers and actually most categories of adversaries take advantage of on a day in, day out basis, it's much simpler than that. And to your point, it's much closer to what users are doing. I think this has been a lesson that's been learned over and over and over again, like
going back to the OAuth issue where I think Risky Biz can take some credit for a lot of
the policy changes happening in Redmond after that one, where you were wondering, why is
this even turned on for the average organization where every user could just trust an OAuth
app?
And that OAuth app is
another type of user identity. It can then do all of the things the user can do. And you never,
ever, ever see that access turned off because it lives forever. See, I could understand why they
turned it on. I get that part of it. What I don't understand is when it became one of the most
popular attack vectors
they didn't think, oh, maybe we should change this quickly? Like, they just let that thing
fester for, like, a good couple of years before they changed the policy. Well, yeah, and you
can even argue MFA before that, charging for it versus, you know, where it should be on by default
and should try and point people towards FIDO2, if... Well, and then the whole thing of like enabling by default
a bunch of protocols that don't support MFA
and only turning that off in 2017 for new tenants
and not retrospectively for old ones.
But anyway, we would be here all day
if we were talking about Microsoft decisions
that we didn't quite appreciate.
So look, I guess what you're saying
is the investment activity, the industry activity,
you know, we've got like Wiz and Lacework
and they've got, you know, gajillion dollar valuations and whatnot. When
really what you're saying is like, we've got logs now. Wouldn't it be nice to build some basic
detection so we can see when user accounts start doing funny stuff. Maybe that's a good place.
Exactly. Yeah. We've got logs, we've got the graph API, we've got the management API,
we've got a couple of other things, and that is a great place to stop
what is actually happening. And are you offering those sorts of detections for your customers? Can
you feed those logs to Proofpoint for those sort of detections? Yeah, absolutely. And actually,
a lot of them are free for users of our email service, the targeted attack protection service.
How do you go about plumbing that up with your Proofpoint account?
It is just turning on the Graph API, right? It's a simple thing to connect. We do have a much more robust
account takeover service that also uses the unified audit log and some other sources of
information. Things like inbox rule creation doesn't show up in Graph API as reliably as we
like to. So it's something where, again, it's a simple thing to solve for. You don't generate a
lot of false positives doing it, and you catch real things. As depressing as this is, in 2023, in over 50%
of the organizations we're deployed in, which skews towards security-conscious organizations
that are paying a lot for cybersecurity products, we find multiple compromised accounts still now
at this late date in history.
And that's the sort of thing that from a cloud security perspective, yeah, we want to get
to FIDO2.
We want to get to ways that this will be solved more proactively.
But in the meantime.
In the meantime, don't let these guys burn you down or steal your money because it's
a really, really straightforward thing.
And the final thing I'll mention there is that the other thing that we have found is
just connected to the Storm 0558 stuff. There are always these weird trust
relationships when things are built on SAML and all these ancient protocols that basically allow
one thing to trust another thing on the cloud side. That to me is the next big category of
things that are going to get exploited because attackers are going to try and replicate what they can do with a cookie or a session token or an OAuth grant in lots of other
ways. And that's what we need to push the cloud providers to really watch because that's one of
the few things that is very, very, very challenging for third parties or even well-intentioned security
teams with proper logging and proper instrumentation
to actually detect.
All right, Ryan Kalember,
thank you so much for joining me for that conversation.
Interesting stuff as always,
and we'll catch you again soon.
Always a pleasure, Pat.
That was Ryan Kalember there
with a chat about cloud security.
Big thanks to Proofpoint
for being a risky business sponsor
for all of these years.
You can find them at proofpoint.com.
That is it for this week's show. I do hope you enjoyed it. I'll be back tomorrow with a big discussion with
Tom Uren over on our Risky Business News RSS feed in the Seriously Risky Business podcast.
But until then, I've been Patrick Gray. Thanks for listening. Thank you.