Risky Business - Risky Business #724 -- Exploitation moves away from Microsoft, Google and Apple products
Episode Date: October 3, 2023

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover:
Ransomware crews target WS_FTP and JetBrains servers
Global energy supply shapes up as big target
The Dossier Center drops another banger
Indian nationalists DDoS Canadian targets
A look at the Exim drama
Much, much more

This week's show is brought to you by Kroll Cyber. George Glass is this week's sponsor guest. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Show notes
Multiple exploits hit Progress Software's WS_FTP Server | Cybersecurity Dive
Progress Software discloses 8 vulnerabilities in one of its other file-transfer services | Cybersecurity Dive
Progress Software says business impact 'minimal' from MOVEit attack spree | Cybersecurity Dive
NEXTA on X: State secret on electricity - Dossier
Russian flight booking system suffers 'massive' cyberattack
Cyberattacks hit military, Parliament websites as India-based group targets Canada | CBC News
NATO investigating breach, leak of internal documents | CyberScoop
Chinese hackers stole emails from US State Dept in Microsoft breach, Senate staffer says | Reuters
FBI warns energy sector of likely increase in targeting by Chinese, Russian hackers
Cisco routers abused by China-linked hackers against US, Japan companies | Cybersecurity Dive
Suspected China-based hackers target Middle Eastern telecom, Asian government
North Korean hackers posed as Meta recruiter on LinkedIn | CyberScoop
Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
Ransomware gangs destroying data, using multiple strains during attacks: FBI
Critical vulnerabilities in Exim threaten over 250k email servers worldwide | Ars Technica
NSA is creating a hub for AI security, Nakasone says
Privacy watchdog recommends court approval for FBI searches of spy data | CyberScoop
Vulnerable Arm GPU drivers under active exploitation. Patches may not be available | Ars Technica
'Snatch' Ransom Group Exposes Visitor IP Addresses – Krebs on Security
IronNet, founded by former NSA director, shuts down and lays off staff | TechCrunch
Transcript
Hi everyone and welcome to Risky Business. My name's Patrick Gray and Adam Boileau is back this week. He's back, and he's along to talk about how Kroll
went back over some of its historical incident response caseload and found evidence that the
Clop group had been developing its MOVEit exploit for about two years before it perfected
it, right? So that's a really interesting interview. And it's coming up after this week's
news, which starts now. And Adam, speaking of Clop, and speaking of ransomware and file transfer appliances and whatnot, we've got some in-the-wild exploitation happening at the, what does the WS stand for, Winsock FTP service.
So this is actually a software package
run by Progress Software,
which is the same company that made MOVEit.
There were a couple of bugs disclosed in it last week.
There were eight bugs, but two of them were real clangers.
One was discovered by Shubs and Sean over at Assetnote,
the other one by Rapid7.
Someone has dropped a POC
and now there's in-the-wild exploitation, and it looks quite
bad. I mean, I guess for those of us that are not quite as old as me and you, like, WS_FTP is a
name that has been around since the, like, early 90s. It was like a shareware FTP client and server package. When I first downloaded Linux in 1994 over dial-up,
I'm pretty sure I used WS_FTP as the FTP client.
This is an old piece of software,
and it was really like one guy from the army wrote it
in his spare time kind of thing.
Eventually, Ipswitch Software was formed around it,
subsequently purchased by Progress, et cetera.
This is from back in the days when Windows didn't have an IP stack, right? So you'd have to install Winsock so that you
could actually get IP on your computer, and, you know, when you dialed in with your 28.8 kilobit per
second modem. Exactly right. So this is why, and, you know, just the Winsock FTP, what year is this? It's major
time warp stuff. But it does look like the software has evolved somewhat. It still supports,
it still supports FTP, though, which is incredible. Well, I think that that is still its core competence,
even though they've bolted on support for other, you know, forms of file transfer like FTP over SSL,
which is also a terrible idea for various reasons, SFTP, etc. But the fact that the software is even still around, let alone being used, and
let alone, of course, has bugs in it because it has a very, very long lineage.
And one of the things you pointed out is there is a bigger installed base of this than MOVEit
itself. Yeah, and we saw how much chaos that caused around the internet.
So yeah, apparently there's, like, just reading Catalin's report on this this morning, there's
apparently 4,300 WS_FTP servers connected to the internet, right? And I don't know if it's Clop doing
this, I don't know if it's ransomware groups or data extortion groups, but there's definitely some
exploitation happening. The other thing being exploited at the moment is the JetBrains TeamCity CI/CD servers, so
there's a bug in that that is also being exploited. But yeah, it just seems like it's a bad time.
It's a bad time. I mean, at least a CI/CD, like, there's a lot of moving parts, you can kind of
understand. It's a very, you know, modern thing that we're still trying to figure out
how it should work.
Like I can kind of feel the bugs in that,
but come on, FTP servers.
Like this is, you know, a protocol that predates HTTP.
Yeah.
You know, it's older than that.
I think FTP actually technically predates IP.
Wow.
In that the first FTPs were done prior to IP being a widespread network.
And that's why the transfer mechanism is ass-backwards and it sends it out the wrong way, etc., etc.
It makes firewall admins sad because it predates network firewalling.
It doesn't make firewall admins sad, because they just block it, and have done since about 1999, right?
As well they should
Yes, and I think maybe, like, you know how we block Windows SMB and Windows, you know, one
through seven, etc. on the backbone networks of residential ISPs, we should just probably drop FTP
on the internet in the same way. Of course, then people would just tunnel it around stuff so we
can't see it, but, you know, anyway. Anyway, we're getting sidetracked here. The point is we saw the disclosure, you know,
over the last week or two,
we saw these bugs being disclosed and then boom,
you know, as soon as a PoC comes out,
it starts getting weaponized and used.
What's really amazing is this week's sponsor interview,
like I recorded that last week or the week before,
and, you know, George Glass from Kroll is in there going,
oh yeah, we're going to see more of this.
And his prediction was more around stuff.
And it's very interesting.
I recommend people listen to this week's sponsor interview
because he made some really good points about other targets.
The thing that made MOVEit such a great thing to exploit en masse
is because the vulnerability was on one box
and the data was on one box, right?
So you could sort of programmatically do this at scale hack.
And he reckons, I'm kind of spoiling some of the
interview here, but he reckons things like there's a lot of payroll systems out there where the data
resides on the box and the code's properly creaky, right? So he thinks we might see some
large scale exploitation of systems like that. But here we are with a good old, another file
transfer box being exploited in the wild, thousands of them out
there.
And I guess we just have to see whether or not this turns into something at the same
scale as MOVEit.
So while there are more boxes out there, you know, it feels like this is a less enterprise-y
kind of solution.
So maybe the amount of data that attackers might get will not be so great, but we're
only going to know in the fullness of time. Because, you know, I didn't even know, people, like, I did not expect thousands of WS_FTP servers to be out there, to
be honest. It is pretty ridiculous, but I think, you know, these things tend to be used in stuff that
has been around a very long time, or things you have to integrate with very old systems,
and that probably means lots of data on the same box and a long tail of that data, which does make it a
pretty juicy target. Because if you can steal data that's, you know, got 20 years of user records,
that does apply a lot of pressure to a company, versus having to deal with, you know, a much smaller
in time data breach. So the volume of data, the nature of data, but also, like, if you have to notify
customers going back 20 years, it's going to take a lot, it's going to cost you a lot of money to do that,
be very embarrassing, et cetera, et cetera.
So these are just great targets for ransomware crews
to assert pressure and make money.
Now, in case you were worried, Adam,
in case anyone out there was worried about the impact
this might have had on Progress Software,
all of this stuff, the MOVEit incident
being the biggest data loss incident in history
don't worry, because Progress Software is happy to report that all of this didn't really affect
them that much. Which, I mean, I was worried about it, but I'm worried, I mean, I was, I know that's what
was keeping me up at night, worrying about Progress Software and the business hit that they might have.
But no, apparently they spent about 950 grand in cyber incident and vulnerability response expenses, but apart from
that, everything's fine. Which, yeah, that upsets me greatly, because I feel like they should suffer
some consequences, ideally financial, for doing it like this. But, you know, I guess if they bought
WS_FTP a very long time ago, they've
amortized the cost, right? There's no, no, but I mean this is in relation to the MOVEit, in relation to
MOVEit? Yes, as well. But I mean, the, you know, I feel like companies like that do deserve to have some
kind of, you know, financial spanking. But no, the cost for the breach relating to MOVEit was
like 0.5 percent of their revenue for the quarter, which is up six
percent. So yeah. Yeah, the invisible hand of the market did not so much spank them as cup their
buttocks gently, deliver them on a soft pillow, you know, into their luxury vehicles or wherever it is,
whatever it is that they're doing, eating caviar. So I've got a link through.
Cyber Security Dive has done some good coverage on this.
I'll link through to Catalin's newsletter too this week.
But it's just like, man, it's just amazing that...
I did see a report too the other day.
I think it was in Catalin's newsletter
where now bugs in Apple, Microsoft and Google stuff
make up less than 50% of in-the-wild exploitation
and that's the first time that's ever happened.
And so, you know, they're still the biggest three,
but they now represent less than half of stuff
that we're seeing exploited in the wild.
So there is a clear trend of threat actors
now targeting enterprise grade software.
And, you know, indeed,
like even through the Caesars and MGM stuff,
like speaking to people I know
who are sort of au fait with what happened there.
In that case, not so much exploitation,
but we're definitely seeing people using enterprise software
as a way to get around in networks.
We're also seeing it as, you know,
frontline exploitation is now happening in enterprise software.
And it's, yeah, it's just an interesting trend.
And one that, frankly, we kind of predicted a long time ago,
like we predicted too early.
You know, we thought that this would be happening five, ten years ago,
and now it's happening now.
I think we saw this coming with the demise of, like, Flash,
because that was, you know, the thing that everyone exploited
10, 15 years ago now, Flash and Java and ActiveX and things in browsers.
And we thought that it would move on to something else, but we weren't expecting it to go back to enterprise software, back to network-
facing services. You know, I thought it was going to go somewhere else after that, but, yeah, it's
definitely been a pivot away from client side, away from the traditional things, Acrobat Reader,
etc. Well, I suppose Acrobat Reader people still hack, but, you know, some of the trads of that kind of late 2000s
period. As, yeah, it didn't really go
100% where I expected. No
I mean I remember too because like browsers got
better and I think you were expecting more stuff
like SSRF into enterprise gear
and then you know
that sort of thing. Yeah I
was expecting the complexity of web apps
and the web application ecosystem to
catch up and then keep going.
But instead, we've gone back to, it's 1999 again.
Yeah, yeah, exactly.
Winsock.
Winsock for the lose.
Now, let's talk about the dossier center's latest.
Of course, back in April, you and I spoke about their, you know, essentially they obtained data somehow from Yevgeny Prigozhin's businesses.
And that was an interesting chat that we had back then.
And look, their latest report,
what they've managed to do is cobble together a list
and a map essentially of sensitive Russian military
and intelligence sites.
But it's the way that they've done this that's interesting.
It's so funny.
Yeah, the Moscow, like, I think it was the Moscow City Hall.
Yeah, Moscow City Hall's website accidentally published a document
which included details about sites in Russia
that had to have high availability electricity
because otherwise, you know, bad things would happen.
Now, a lot of these were sort of, you know, things like hospitals and whatnot, but there's a lot of
other sites which are sort of nondescript buildings that, you know, clearly the implication here is
that they're military and intelligence sites. So, it's just, I find this a really interesting
example of how you can infer a lot from data all over the place, right? Like, that data is not being
closely held but actually has a great deal of intelligence value. This is just one more example
of how, you know, intelligence has moved to being much more of a digital discipline these days.
Yes, I mean, some of the data is, like, you know, here are a bunch of holiday dachas that just
happen to be really super important, and you really wouldn't want to cut the power off because you'll totally lose your job if you do.
And, you know, some of those are just going to be random rich people, but some of them are quite clearly, you know, important for a war effort. That, you know, I don't imagine that anyone who worked at Moscow City Hall thought they would be
in a major conflict, you know, and this data would be as sensitive as it is now, you know, however many,
10, 15, 20 years ago, whenever they built their digital systems. And I think that's a pattern we
see all across multiple, all of our countries, where we didn't expect the degree of hostility and geopolitical conflict,
et cetera. And so understanding the risks for these systems when we built them so long ago,
the world has changed in ways we didn't expect. Yeah. I think it's amazing too that the Dossier
Center has just put this all on a navigable map, which I'm guessing is going to be quite popular in, to, to, to,
in certain capitals to the west of Russia, let's just put it. Quite probably, yes. Certainly useful
for targeting information and to understand what's going on. And, I don't know, some of that mundane
information you can get from, you know, billing systems and records-keeping systems is, you know,
there are super interesting things you can do when you've got the data available and searchable
and cross-referenceable and so on.
And we're getting quite good at that as a computer science discipline.
Now, speaking of Russia,
one of the major flight booking systems in Russia
has been getting DDoSed to quite a degree.
And we saw one of the other flight booking systems,
we spoke about that last week,
they got owned and like, you know,
tens of years of historical flight records
are now available to people who might be interested in them.
And now we're seeing DDoSs and whatever.
So this is just the, you know,
steady drumbeat of this sort of stuff happening lately, right?
Yeah, and this particular one has been claimed
by the Ukrainian IT Army, which doesn't mean a whole bunch
because, you know, distributed group, much like Anonymous in the old days.
But yeah, clearly causing problems for Moscow.
And I think there is this feeling that by bringing some of that conflict home to Russians, it makes it more real for them and makes Putin's life more difficult.
But still, even just taking out domestic flight bookings, that's going to ruffle a lot of feathers,
make a lot of complexity for everybody.
Now, last week when Dmitri was filling in for you,
I said that all these DDoS attacks and whatnot on Canada,
I said everyone's blaming Russia,
but surely there might be some Indian nationalists in the mix here.
It turns out that...
Sure enough.
Sure enough, next minute,
it turns out there's a bunch of DDoS attacks coming from, well, there's some Indian groups claiming credit for them. I'm not sure if it
was Indian groups that were behind the specific DDoS attacks that we were talking about
last week, but, yeah, certainly my spidey sense was on target there when I was suggesting
that they could expect some drama from Indian nationalists given everything that's happening
over there.
Yes, and there's been a bunch of denial of service against all sorts of... The usual kind of grab bag of opportunistic targets
that are kind of vaguely Canadian government-related,
various councils and some election, like, brochureware sorts of systems, etc.
But, you know, kind of embarrassing but not impactful,
but definitely getting some coverage in the Canadian press.
Now, speaking of embarrassing but probably not that impactful,
SiegedSec, which breached...
Oh, breached is a strong word, isn't it?
Which somehow gained access to a NATO information sharing portal
a few months ago and pinched some documents
and made a big deal about it.
Apparently, they've done it again
and broken into some other NATO system and stolen,
they claim, 3,000 documents and NATO's investigating it.
I mean, it's like, you know, you see reports on this,
but it's impossible to really know
if there's going to be much of an impact from this
or if it's just going to be a bunch of really boring bureaucratic documents.
Certainly, you get the feeling that it's going to be pretty boring. And one of the sites that they breached was called the
NATO Lessons Learned Portal, which, I don't know if you could think of a more boring name
for a system. Well, you could, you could, you could select a more enraging one, because they
could have called it the NATO Learnings Portal. They could have, yes, that would
definitely be more aggravating, that's for sure. Then I would attack it myself,
just for the name. Like, and also, like, the NATO Standardization Office. I mean, having read NATO
standards documents at some point in my career, when I was building the cubic online website
that had, like, the fake pew-pew map, and I got a bee in my bonnet and decided that the symbology had to be
correct. And so I read, like, several hundred pages of NATO standardized symbology documentation
to understand how it should look, etc. Because, you know, nerd. Well, you're a deeply,
deeply strange man. I think that's a complete explanation of that, but, yes, of course you
did. But, yeah, I mean, you know, it's going to be funny, but
also has to be authentic fun. Anyway, I, like, this feels like just opportunistic and boring, and
really, I mean, SiegedSec doesn't seem to have a particularly clear agenda other than making
trouble. And no, they're saying this has nothing to do with the war between Russia and Ukraine;
it is a retaliation against the countries of NATO for their attacks on human rights.
Yeah, well, I mean, I don't know if you can claim that anything isn't related to the war
in Europe when you're targeting NATO, but yeah.
But seems like, I don't know what to make of that.
It just seems like your average kind of LulzSec-y, you know, activist-y, comedy, black
Well, it's attention-seeking stuff, you would think, right?
Like, that's sort of what it feels like.
Hopefully, they get bored and all go and get jobs in the security industry,
which is what normally happens to people like that.
Yeah, and honestly, like, it pays better too, buddy.
It does.
Just saying.
It does.
And you don't have to worry about the FBI jumping out from behind a pot plant
and slapping handcuffs on you.
So, that's another nice benefit.
We've got some follow-up reporting here from Reuters
speaking of a data breach that actually did have some consequence.
So this recent Microsoft online exchange thing
that targeted the State Department and a bunch of other groups,
this is with the stolen key out of the crash dump and that hack.
Looks like 60,000 emails.
They got 60,000 emails out of the State Department, which is pretty crazy. I mean, that
doesn't sound like that many inboxes when I look at how many are in my Gmail. That was from 10, that
was from 10 State Department accounts, as per Reuters. But 60,000 from 10? 10? I mean, that's 6,000
per. It's not bad. Yeah, I mean, that's, you know, my inbox is about that size. So, but what I found interesting is that they were indeed dumping
the entire inboxes, I guess. Yeah, I mean, of course, of course you would. And that's, like, that to me
is the real tragedy of this story, is they had a bug that good and they only got 60,000 emails.
Like, yeah, you know, you've mentioned this so many times, but, like, this is just how it works sometimes
when the bosses say we want this stuff,
then you've got to get it.
I just feel for every bug that gets burned.
I feel them in my heart.
But what else do they have?
I mean, how much other key mat do they have?
Magic Microsoft key mat that lets them sail into any mailbox in the world.
Yeah, exactly.
What else are they off doing?
Yeah, no.
I just feel bad.
I always want to pour out the,
what do you pour out in China, I guess,
like a 50 of Tsingtao?
I don't know.
You know, pour one out for the bugs that get killed
in the line of work, the line of duty.
So we pay our respects here at Risky Business.
We do, we do.
Pour one out.
Now, it's interesting what you were saying about,
you know, geopolitics changing all of this stuff.
Because I, you know, something I was going to mention as well this week, Suzanne Smalley, who's over at the Record these days, has a great report up. I always like Suzanne's stuff. Like, she's really good. She's got a great report up talking about the risks to the energy sector globally from, you know, cyber threat actors, if we're going to use the correct nomenclature,
particularly Chinese and Russian. And I found it an interesting read because it did get me thinking
that as much as the cyber war element between Russia and Ukraine has been a bit of a flop,
you've got to be careful not to say that that's always what cyber action is going to look like
in the future. And I think the extent to which Russia failed to prosecute a successful campaign in the cybers in Ukraine
has sent a lot of other countries back to the drawing board and saying,
well, maybe we need to think more strategically about how we use this and whatever.
And when you look at the role of global energy supplies in geopolitics at the moment,
I mean, it's driving so much, you know, obviously the,
you know, everything happening with Russia and Ukraine is a big factor. You've got Australia
spending, you know, $370 billion or whatever it is on a, you know, on a nuclear submarine program,
which it's my understanding that that's largely to protect our, you know, we import all of our
liquid fuels and they come through Singapore
and I'd hazard a guess that that's what AUKUS is about. So the idea that you might get Russian and
Chinese crews trying to get some deep access into energy infrastructure globally so that they might
be able to disrupt energy supplies to adversaries, I think that's something that we do need to take seriously. Yeah, I agree. Like, I
think Suzanne makes a good kind of contrast in the piece between the kind of the macro
aspects you're talking about, like the fact that energy is so important geopolitically and the way
that we're all so interconnected, and then the kind of more targeted, more specific, like, actually what
are we going to hack, how are we going to do it, what expertise do we have in breaking into energy supply networks, like, and there's these kind of
two bits that are starting to mesh together. I think the, you know, when we look back at Russia
versus Ukraine, we will see, like, the difference between the effects the Russians wanted to create
and the technical capabilities and access that they had to do it didn't really line up, right?
I mean, doing WannaCry-style attacks into Ukraine's infrastructure,
even over the last few years,
didn't really line up with the political goals
they were trying to achieve.
And as we talked about,
they kind of spent their effort too early.
They used it wrong because of lack of communications.
Whereas I think in the energy sector,
it's a bit more clear that the cyber capability
and the geopolitical goals can line up.
And, you know, China in particular,
because of their energy,
like their energy dependence on the outside of the world,
it's just, it's a different situation than Ukraine,
but so many of the lessons from Ukraine apply. So it's an
important place for us to think, and, you know, the interaction between private sector parts and
government parts is different than the military example that you used. So, like, it's clearly the
choke point where cyber can actually be effective, I think. Yeah, and you're dealing with a lot of
moving parts where cyber security investment might be a little bit lacking, you know, in things like ports, shipping companies, things like that, right?
So there are vulnerabilities there.
A very big physical plant that lasts a very long time and has a very long infrastructure investment kind of return period.
So, yeah.
I mean, I think, you know, you could probably cause some serious economic effects by disrupting energy supplies.
I don't think you could cut them off completely with the cybers, but I think you could cause some serious economic consequences just by disrupting it. But
again, you know, I don't want to be over-hyping it and saying, oh, the Chinese are going to turn
off the oil. You know, there's going to be a workaround eventually, but I do expect that this
is where governments are going to spend a bit of time studying vulnerabilities in global energy supply
and it's something that we should be aware of.
Yeah, and there's so much complexity there,
especially with the renewable resources these days
and all the supply chains and manufacturing chains
for solar panels and for wind turbines and so on and so on.
It's a really interesting problem
and it will keep analysts and government busy for a very long time.
Yeah, so that story is based on an FBI notification
sent to the energy industry in the United States,
and Suzanne got her hands on it somehow and wrote that story.
And it's a good one, and it's linked through in this week's show notes,
so go check that one out.
What else have we got?
Yeah, we've got Chinese APTs behaving badly.
They are hacking, I think, Cisco devices.
But what's interesting is they're targeting the subsidiaries of Japanese and American companies outside of their home countries.
And then, you know, owning them via some, you know, Cisco technique and then pivoting into the home networks.
That's about right, isn't it?
What are they calling it?
Black tech.
Black tech.
Yeah. There's actually a couple of things that I thought were interesting about this, because there's the Cisco as initial
entry point, which gets a little confusing because Cisco makes so many things, you
know, from enterprise and service provider routers down to consumer-grade gear. And, you know, someone
owning a Linksys that's owned by Cisco is kind of a different story than owning a service provider
and then using the Cisco. So this is the initial entry point, and there's been a bunch of Cisco bugs
that have been used in that way. And then the other part is using access to routing infrastructure,
either in corporate networks or service provider networks, to then move traffic around or intercept
stuff or to leverage that. And that's kind of a much more trad Western spook kind of trick. Like, Western
spooks love being in the, you know, in the routing infrastructure and helping themselves in that
particular way, and seeing the Chinese get better at that is interesting, in my opinion. They're
actually reflashing the Cisco routing devices, right? Like, with their own bad firmware. Yeah, so
like backdooring routing and network equipment, you know, once again, a thing
that Five Eyes have been very, very good at over the years. So the post-exploitation bit is the
part that you're finding interesting? Because, yeah, and then also using access to that to reroute
traffic. There's some example indicators of compromise where the Chinese hackers are, you
know, setting up tunnels to sniff traffic in one place with a Cisco device, tunnel it out to a point
where you can then collect it, tunnel it back again,
or whatever else.
So that kind of like tromboning traffic around
using production network infrastructure
is generally reserved for pretty sophisticated hackers,
not because it's technically difficult,
but because there are so many ways to screw it up.
And if you screw it up, you're going to get snapped.
And historically, for, like, I'm
thinking, like, the amount of times I've been in core routing infrastructure and, you know, you want
to sniff a particular traffic flow, but, like, I don't know that my Cisco foo is quite good enough,
and I don't have a lab to test it first. And that's the thing: if you're an intelligence agency,
you've got people whose core expertise is, we've got everything in the lab, we can do this safely,
we know how to manipulate service provider routing
or whatever else to do what we need to do
to carry out action on objectives.
And that capability is a thing that we're starting
to see the Chinese use as well.
That to me is a bigger shift than just, you know,
Internet of Things junk hacking that happens to be Cisco branded
because Linksys or whatever else.
Yeah, well, they've been attacking companies,
this group has been attacking companies
that support the defence industry since 2010
and lately has been hitting some targets in Taiwan as well.
So there's some interesting stuff here.
People can go check out that story in this week's show notes.
Now, let's talk about North Korea
because, I mean, you do got to hand it.
You don't got to hand it to them.
You don't got to hand it to them.
But look, North Korea, let me just explain what's happening here, right?
So they're going after, you know, they've been doing recruitment-based targeting into Western orgs for a long time.
But the way they're doing it now is actually, you know, super clever, makes total sense.
They're trying to recruit developers. And then they give them a coding challenge.
And they're like, you've got to fix this code and get it to compile and run it or whatever.
And obviously it's, you know, laced with malware.
And what's great about this is people are doing these coding challenges when they're applying for these made up jobs that the North Koreans are advertising.
They're doing it from their work systems because that's just what people do. And of course, where are detection controls the weakest? Developer machines, because they're always
compiling and running random stuff. So, like, this is just so clever in so many ways. ESET's done
some work on it and we've linked through to a write-up on CyberScoop. Yeah, I mean, although you say all of that, but then one of the ways they were delivering the malicious content was, like,
quiz1.exe, quiz2.exe. So, you know, I mean, also it wasn't like some incomplete project that the
developer, we have seen them in the past use, you know, like Visual Studio projects or whatever. Yeah,
that's what I thought this was. Which, yeah, which, I mean, I may well have been involved, but it's just like all of that and
then also quiz.exe, which, you know, if it works, it's not dumb, and clearly it works for them. Yeah,
but, like, the thing about North Koreans targeting this is it's just so brazen and continuous, and
you know in that respect they are the classic persistent threat.
Yeah, quiz1.exe.
I mean, that's right up there with funnycats.jar.
It certainly is, yes.
And as you said once on this show,
what's funnier than cats in a jar?
I still remember that joke.
It must have been 10 years ago.
It's a great joke.
That's a great joke.
The FBI has put out a warning
saying that ransomware crews are now double encrypting.
So they're using two different strains on operations.
And the reason they're doing this is because there are occasionally decryptors available which sink their ops, right?
So I think this is a good news story in a way that they're having to double encrypt.
Yeah, and I think it also just reflects the fluidity and success of the marketplace.
You know, the fact that you can just pick up two encryptors,
it doesn't cost that much more.
Yeah, may as well.
Like the fact that they're kind of interchangeable like that
is a sign of the kind of the maturity of that modular marketplace
just in time crime.
Do they have to pay their developers twice?
Like that's the bit that I wondered about.
Are they destroying their profit by doing it this way?
I mean, probably, but I think that's a relatively small piece of the puzzle.
You know, you think you're doing it in volume, you know,
and you're only going to pay them if you get paid.
So I don't know how the economics works,
but clearly it makes sense because they're doing it.
Yeah.
Speaking of old software, you know,
I should have lumped this with the WS_FTP one.
Some patches came out for Exim. There was a bit of a disclosure brouhaha because, like, oh God, Trend Micro's, you know,
ZDI, Zero Day Initiative, apparently reported some bugs to Exim like a year and a half ago or
something, and they didn't get patched. And then there were communication difficulties and whatever,
like the whole thing just looks like it was poorly handled. I don't know who by; it could have been Exim, it could have been ZDI, but either way, there was a bit of
an exposure window here, and Exim has now rushed out a few patches that, as of a couple of days ago, they
were saying, we're not even sure if these work because we don't have appropriate details on the
on the bugs. But, um, yeah, stressful time to be adminning an Exim box, though. Yeah, I mean, Exim was, I'm not sure if it still is,
was the default MTA for Debian-based systems as well.
So like it was surprisingly common
and common by people who didn't really think
about the fact they were running an interfacing MTA.
So there was quite a lot of it around.
And I think like this story is a great example
of how the modern world versus the kind of traditional ways that we did disclosure
and we handled it.
The fact that bugs matter now,
like the old open source way of doing disclosure,
especially in big projects like this that are used very widely
with all the kind of coordination,
was never really fast enough or tight enough
to deal with modern times, where, you know, it's going
to get shelled real fast if we don't move. Yeah, and now we've got a year-long disclosure window,
and it's all just kind of complicated. Yeah, I feel bad for Exim admins. Yeah, I mean, there's 250,000
Exim boxes out there, apparently. Now, Adam, everybody can calm down because the NSA is here to solve the
AI problem. They are spinning up the Artificial Intelligence Security Center.
Now, apparently Paul Nakasone,
the head of NSA and Cyber Command,
he's still there.
I think he's on his way out, isn't he?
But he's still there at the moment.
But they've got, yeah,
they're spinning up a thing
within the Cybersecurity Collaboration Center, the CCC,
and it's going to be some,
they're going to take a look at AI security
and possible applications for AI and whatnot.
I mean, I guess this is what you'd expect NSA to do.
You certainly would,
because there's so many interesting aspects
of attacking or using AI
as part of a kind of attack chains
that it's worth talking about.
And I also think it's probably a great,
like if you spin up a center that does particularly that,
you could take all of the staff that have got the AI bugbear and get them out of everybody
else's faces and stop, you know, ruining people's lunchtime conversations with people injecting AI
into it. So, you know, good place to put troublemakers. Good place to put the obsessives, yes. Yeah, I'm sure
there's none of those in the NSA. But yeah, like, there are a number of really interesting fields
that it makes sense
for them to be involved in. Overall, I would like AI to go the way of cryptocurrency, but, you know,
hopefully it'll take, you know, less time than cryptocurrency has. I regret to inform you that
GreyNoise has actually done something quite useful with LLMs. Oh no, I know, it really
encouraged these people. Geez. Yeah, so Andrew Morris sent me a preview the other day,
and I'm like, don't tell me that was AI generated.
He said, yeah, it was.
I'm like, oh, shit.
Oh, God.
I know, because it's good.
It's really annoying, because they've got all their sensors
all over the internet, and now they can actually just take
a bunch of signals and feed it into an LLM,
and the LLM says what it is.
And it's like, that annoys me that it works.
Yeah, that sounds really useful, but I resent it.
I resent it.
Yeah, so they probably won't have to do manual tagging anymore.
I don't know, man.
Grey Noise is cool.
I'm so glad they're a sponsor, but they just keep doing cool stuff like that.
Well, stop it.
We don't approve of cool stuff around here anymore.
I know, but I'll send you the link after we're done recording
and you can have a look at it, but it is pretty sweet.
Let's just move on to this one from Ars Technica,
which is there's some ARM GPU drivers
that are apparently under active exploitation.
These devices pop up in all sorts of stuff,
including Google Pixel devices and Android handsets
and also Chromebooks and various bits of hardware that run Linux.
What did you make of this?
Is this just, what, some privesc or something?
Yeah, so this is local privesc.
We want to read bits of memory that you're not supposed to
and if you are on the system.
So in the case of Android, like, you'd have to get a malicious app
onto the device first.
But Chromebooks are an interesting avenue for attack
because a lot of people trust them by virtue of their simplicity.
But anyway, this was called up by Maddie Stone from Google Project Zero, who's been doing a bunch of
interesting research, you know, into these types of weird bugs that affect the Android and, you
know, wider ecosystem. And yeah, like, this is really good work. It's just a classic example
of the Android ecosystem's diversity making it really hard to patch well.
Yeah.
Yeah, but it also makes it really hard to exploit en masse.
That's true, yes.
Especially when it's this close to the hardware
and down in drivers and stuff.
So, yeah, definitely double-edged sword for Android time.
Just quickly, Brian Krebs has a story up that's quite a lot of fun.
It's a lot harder than it's meant to be.
So, mate, you remember I keep talking about, like, and this is
something I've said so many times, which is that, like, when dark web markets popped up, everybody
thought that this was an unstoppable phenomenon and, you know, completely impervious to law
enforcement and stuff. And then we saw just how utterly rubbish Ross Ulbricht's opsec was. And I
keep saying, like, people have got to stop thinking
that ransomware crews are magical, right, and have this incredible opsec and stuff. And here is just
such a great example of that. Take it away, Adam. Yes, this is a darknet leak site for a ransomware
crew called Snatch, and, you know, their hidden service on Tor, where you can connect and see all their things. They left
the built-in default
Apache slash server-status
thing enabled, which lets
you see all of the current requests
being handled by the web server
and their origin IP,
which, you know, if you were to poll
that constantly, you would see all the people
using a dark web leak site,
including, of course, the admins and the various monitoring systems and all the other stuff
that interacts with it to post stuff.
And like, server-status is just such a classic.
I mean, I remember, like, friends of mine spinning up Apache configs in 2001 in front of me and
saying, you always need to make sure you disable the status page.
Like, this is not
some obscure thing. Like, I remember when pipes hit the air, like, top thousand or top hundred
thousand, whatever it was, on the internet websites for server-status, I got, you know, session cookies
in the requests to account takeover and so on in, like, Yahoo and stuff, back in the days. But we're talking, like, early 2000s at best,
you know. So it is absolutely a thing that you would hope people turn off, but clearly the
sysadmins of the ransomware crew are questioned, perhaps not up with the play for early 2000s
sysadmining. Yeah, just, what do you say? What say? And look, we're going to close the show with some sad news.
Adam, IronNet, which was the security company, I guess they were.
I don't know that they really delivered much,
but they were founded by former NSA director Keith Alexander.
IronNet is no more.
It's had a sort of short and controversial history.
Yeah, there's lawsuits.
There's all sorts of bad stuff.
I think it's safe to say, and legally safe to say,
that it's my personal opinion that Keith Alexander
getting involved in this business was a mistake.
Yeah, I think so, yeah.
Because when they raised, what, like $400 million
and now they're essentially, you know, zilch.
No one's going to get any money back.
And, you know, that kind of going straight out
of a high-profile position like that in the cybers
into the industry in this way,
like there's plenty of ways you can transition
into private sector out of government.
Yeah.
But this kind of high-profile,
especially given what the investment landscape was like
when this happened, you know,
and the hype around the cybers in general,
it was just not a pretty thing to watch.
And hopefully all the people who actually worked there during real work
will have somewhere else to go.
Yeah, I mean, it's just staggering that someone like Keith Alexander
winds up sort of involved in something like this.
It's mind-blowing.
It does feel a little bit gross.
A little bit icky.
Let's be honest.
Let's see what Paul Nakasone does next.
Don't do this, I would think is the move.
Well, Adam, mate, that is it for the week's news.
Thank you so much for joining me from California.
Over there actually having a vacay, having a holiday,
but still finding time to do the weekly show.
You having a good time?
Yeah, having a great time.
Actually, I was over in the People's Republic of Berkeley this morning
where I guess in a way my security career started
through The Cuckoo's Egg book about Russian hackers.
So yeah, kind of funny.
It's been a fun trip.
Yeah, awesome.
All right, well, we're going to get you back on next week,
and Lina Lau is going to join us again.
That's going to be fun.
So, yeah, we'll talk to you then, and enjoy your time in California, mate.
Yeah, thanks very much, and I'll talk to you next week, Pat.
That was Adam Boileau there with a check of the week's security news.
Big thanks to him for that.
It is time for this week's sponsored interview now
with George Glass of Kroll Cyber.
Kroll is a global risk advisory firm
that has a cybersecurity arm
and they're very well known
for their incident response work
and their managed detection
and response services.
So George joined me this week
to talk about MOVEit
and specifically about the history
of the MOVEit exploit
that's
behind what's probably the largest single data theft campaign in history.
And as it turns out, when Kroll went back through its historical IR caseload, it actually
found evidence that the Clop gang were developing the MOVEit exploit on live targets for a period
of about two years.
Here's George Glass.
I'd love to be able to tell
you that we had some sort of mega algorithm to go and tell us that, hey, this is something that
we've seen before. But to be perfectly honest, it's just a lot of really good IR people noticing
something that they'd seen before. So as we started to see all of these logs come in from
all the various cases, some of the paths and the trade
craft was ringing bells for people.
So we went back and back on previous MOVEit cases, done a bunch of them previously, and
sure enough, we could see what looked like the beginnings of an exploit two years before
this actually happened, which obviously at the time we thought, wow, that's pretty amazing. There's pretty strong evidence here. Let's have a look at this.
And yeah, sure enough, it seems like that the Clop group were developing this for quite some
time and they've clearly got the money to sit around and develop zero-day exploits for these
very popular file transfer products.
And that was really interesting to work on.
There's obviously a lot of nuances to the case in general,
but as something to, I won't say stumble upon,
but it's just because we had that case data
that we were able to find what they were doing for so long.
That's interesting.
So you're responding to the MOVEit ones, right?
And you spoke about certain behaviors and whatever.
So those were for logs from the actual MOVEit appliances?
Yes, yes.
And you mentioned paths.
Like what was the relevance of paths in this?
So a lot of the paths that we were looking at
were sort of where they were putting their post requests,
especially where the API DLL is,
requests to get slash API V1 tokens,
all of those things were stuff
that could be part of a more general exploit attempt.
But then we started seeing attempts
for human2.aspx and
things like that, and that's what tied it so closely to what we were investigating. So then
you match, then someone, it rang the bell. And what was the event that, you know, that it rang a bell
on? Was that from some other case where MOVEit was involved? I think that was some casework where there was enough weird traffic
to the device that warranted an IR investigation, but not necessarily exploitation. So,
okay, I'm much clearer now. Yeah, yeah, yeah. So I kind of understand, which is like, okay, so you,
you're doing the MOVEit teardowns, and after a certain point you're doing a lot of these things,
after a while you look at these requests that are coming in, they start to look familiar, you understand them, and you go, hang
on, we've seen this before. And then you went back and had a look at it and realized that they were
sort of, what, fumbling about, trying to actually refine this and develop their techniques until
they could actually pop shell. That's so funny because it tells us that they were actually
building this thing on boxes that were in the wild instead of trying to get a copy of this thing and actually working on it themselves.
Is that what you think happened here?
Yeah, it seems like they've periodically, again, this is from our data, so they could have been doing this en masse.
We just don't see it.
But it seems like periodically they were trying different exploits against in the wild technologies. One of the key things was looking for that, putting the org ID out, which is something that they can use to
programmatically access the API. That was happening every few months for a couple of years.
And then it looks like they perfected it. And then one of the things Clop seems to be very
good at is targeting public holidays, obviously. So clearly they felt that they had a complete exploit and
then waited until the best time to deploy it. So yeah, really interesting set of circumstances,
which led to a really cool investigation. Yeah. Now, I mean, I'd imagine you would be
quite aware of the scale of this thing, right? Having responded to quite a few of them. I mean,
it does somewhat boggle the mind that a piece of technology that, you know,
let's face it, is quite archaic,
is just in such wide use, right?
And used in such a way that it's directly accessible
from the internet and vulnerable to exploits like these.
I mean, you know, this is, in a way,
I mean, this just tells me that there's a valuable lesson here,
which is maybe don't use archaic technology like this to move around
sensitive information.
Like it just seems like that's the lesson here, which is, you know, we were doing something
we shouldn't have been doing and we've been smacked on the nose with a rolled up newspaper
as a result.
Yeah, absolutely.
And if you must use those things, consider deleting all the data because this technology was used for, as has been
discussed, payroll, legal documentation, everything.
And it's designed to be easily accessible so you can easily share files in a secure
way.
And we found not only were we dealing with the splash damage from third parties, organizations
that were running MOVEit and were
impacted, and then they had to contact everyone that was impacted by that, third parties of
third parties even, because, you know, everything that they do for that other third party was done
via that particular law firm or financial services organization or so on, so forth. Well, I mean,
you just touched on something really important there,
which is that this data doesn't need to live on those boxes forever.
And in fact, I've seen people suggest that, look,
you can actually configure these things to auto-nuke data
after like 30 days or whatever to minimize your exposure.
In your experience, though, I'm guessing you're going to tell me
that people weren't doing that.
No.
Yeah, I mean, it's like Signal disappearing messages, right? Like, you know, you can do this with your file transfer appliances.
Yeah, yeah. And on the back end of this thing, it's basically a fancy SQL database.
At the end of the day, it's probably a good idea just to get rid of it, just for performance's sake,
let alone data retention and, you know, practicing good data hygiene.
So certainly if these things have to be used,
maybe have it as a read once or live for a week.
I don't think these documents need to be there forever, really.
Now, what do you think this behavior that you'd observed two years ago,
what do you think that tells us about the way groups like Clop are actually discovering, developing, putting together these exploits and what sort of things they're targeting? Because it seems like, you know, quite obviously that they were testing this thing in the wild, but I'm going to guess that they're doing similar sort of things to other technologies. Did you manage to connect some of that historical activity to other exploitation attempts against other enterprise kit?
No, we haven't been able to do something quite like that.
But what I think it does say is clearly these guys
have made so much money that they can employ people
to develop zero-day exploits full-time,
which in and of itself is something pretty remarkable, really.
Do you think, though, that it was full-time or do you think it was just someone noodling around
between, I don't know, laundering their Bitcoin and whatever? What makes you think it was a
full-time effort? Well, I guess maybe it's hard to say if it was full-time, but they've certainly
spent a long time doing this.
It seems to me that they stack up these vulnerabilities.
I wouldn't be surprised if there was one already lined up for the Thanksgiving Christmas period for Clop.
I mean, that's certainly something that they've done in the past.
So I really wouldn't be surprised if we see another one of these for a similar file sharing product,
something along those lines.
And I think one of the main things that this is moving towards is this sort of mass exploitation,
mass exposure of data is something that that particular group is getting really quite good at.
So it's mostly automated.
Well, but I mean, that's the thing, isn't it?
They've built all of that infrastructure
so that they can handle having...
I mean, there's startups out there
that could learn from these guys
in terms of how to process a lot of activity all at once, right?
Absolutely.
They've automated that whole back end,
the payment processing, everything.
So, there's the harvest phase
where they go out and they get all the data
and then there's the turning it into money phase. But I do wonder how applicable
this business model is to different types of vulnerabilities. I mean, the wonderful thing
about exploiting file transfer appliances is you can automate it because you're exploiting a
vulnerability on the box where the data is and the data is stored in a uniform format and you can programmatically
hack all of them at once. You know, even in an MDM solution or a firewall or anything else,
you know, it's not like that. You're going to have to get on the border device, then pivot,
then do this, then do that. I mean, the beautiful thing about the file transfer appliances is it's
just one step. Yeah, absolutely. If it was a vulnerability in a firewall or a VPN
and you had to do some initial access lateral movement
and all that sort of stuff.
What are they going to do, ransom your firewall config?
It's not that people aren't going to pay.
Yeah, exactly.
So I wouldn't be surprised if they're picking specific products
for the next couple of months' worth of exploitation.
I mean, hell, they're still putting some victims up now.
I think there's well over 1,000 plus victims in total.
Are they still listing Clop victims now?
I think so.
Like, are MOVEit victims now?
Yeah, right.
Yeah, I think there's still a couple going up.
What's funny, too, is that people, I think,
have forgotten that this was the second round for them,
and Accellion FTA was the first, right?
It is sort of remarkable that MOVEit turned into this global watershed moment, whereas Accellion barely got a mention.
I mean, you know, you would see people reporting on the data loss incidents in isolation, but it wasn't nearly as big a story.
Why do you think that is?
Is it just because MOVEit had a bigger market share
and more customers?
Yes, I think so.
I think they probably learned a lot of lessons from Accellion.
Accellion also was happening during COVID, right?
So there was probably a lot of other things.
We were worried about different.
Worry about.
But this one definitely has, yeah, as I say,
probably over a thousand victims now.
And the splash damage, absolutely massive.
Yes. You know, just because you happen to have a supplier that was using MOVEit, oh, by the way, now all of your employees' data is leaked.
And you've got to deal with the credit monitoring for that and all of that.
Basically, for the rest of time. That's a pretty hard pill to swallow, not to mention the regulatory fallout, and then journalists mining leaked data
for stories and all sorts of stuff. I mean, it'll play out for a while. Yeah, absolutely. Yeah, it's,
it's, I hate to say it, but it's always impressive. The scale of the thing is impressive.
Yeah, I mean, as far as capers go, right? Definitely. Yeah. It's, you know, great train
robbery-esque, right? For sure. But I mean, like how many file transfer appliances remain in the
market? Because, you know, a lot of this stuff is moving to the cloud now. You know, you wouldn't,
you might be able to own some accounts that hold company data and whatever, but you're only going
to be able to steal so much before someone at the, you know, if someone's providing this as a service, someone's going to
hopefully touch wood, hopefully going to notice and pull the plug on the attackers, right? So you
should be able to limit the damage, but are there still a lot of other file transfer appliances and
other, other companies, you know, other vendor solutions out there that you think might be next? Oh, I really couldn't say who I think is probably next.
Not who.
I'm just asking if there's a lot more, if it's a target-rich sector
or if Accellion and MOVEit are basically the only two vendors that count.
I think there's definitely other targets that do things like payroll,
things like financial and legal documentation,
and they have a very particular group of customers,
which obviously is a very target-rich environment.
But are these things like accessible, on the edge, with an open port?
Is that the way they tend to be deployed?
Yes.
Yeah.
They're designed to be easily accessed and, you know, just send a link, access our portal,
upload your files, and I'll download them on my end.
So, yeah, they're designed that way.
Yeah, right.
That's interesting because I haven't heard many people sort of talking about that, you
know, ultra-specific stuff like payroll and legal, but it makes sense, right?
So you'd think we should be expecting that they're doing some R&D
on solutions like that.
And they're similar to the MOVEit one,
where you can just get on that box, exfil the data from that box,
do it programmatically, and then harvest the data
and then get to work selling it.
Yes.
Yeah, I really wouldn't be surprised if there was something
in the pipe for
the next sort of holiday season. And yeah, it's hard to say what it's going to be, but
I wouldn't be surprised. All right. Well, you're a bucket of chuckles, aren't you, George?
Thanks, George Glass, for joining us to walk us through some lessons learned through
responding to the MOVEit incidents.
Pleasure to chat to you as always.
Thank you, Sam.
That was George Glass there with this week's sponsor interview.
Big thanks to him and big thanks to Kroll Cyber for its support of the Risky Business Podcast.
And that is it for this week's show.
I'll be back tomorrow with another edition of Seriously Risky Business in the Risky Business News Feed.
But until then, I've been Patrick Gray.
Thanks for listening. Thank you.