Risky Business - Risky Business #728 -- The Citrixbleed ransomware disaster
Episode Date: November 28, 2023

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They cover:

The Citrixbleed ransomware crisis
Why the FBI hasn’t arrested... Scattered Spider members
DPRK is in your supply chains
Microsoft has a brainwave and buys a HSM
When civil war meets pig butchering
Much, much more

This week’s show is brought to you by Airlock Digital. David Cottingham and Daniel Schell are this week’s sponsor guests.

Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that’s your thing.

Show notes

‘Citrix Bleed’ vulnerability targeted by nation-state and criminal hackers: CISA
Australian ports operator recovering after major cyber incident
Minister lashes DP World hack failure
Gang says ICBC paid ransom over hack that disrupted US Treasury market | Reuters
Cyberattack on US hospital owner diverts ambulances from emergency rooms in multiple states | CNN Politics
Fidelity National Financial investigating cyberattack that led to service disruption | Cybersecurity Dive
Potentially hundreds of UK law firms affected by cyberattack on IT provider CTS
North Texas water utility serving 2 million hit with cyberattack
Healthcare manufacturer Henry Schein expects platform restored this week after cyberattack
High-profile ransomware gang suspects arrested in Ukraine
FBI struggled to disrupt dangerous casino hacking gang, cyber responders say | Reuters
Chinese spies had access to Dutch chip maker NXP's systems for over two years: report | NL Times
North Korean supply chain attacks prompt joint warning from Seoul and London
North Korean attack on CyberLink impacted devices around the world, Microsoft says
North Korean ‘BlueNoroff’ group targeting financial institutions with macOS malware
Microsoft upgrades security for signing keys in wake of Chinese breach | CyberScoop
Microsoft Should Look to the Past for Its Security Future
Sacked Ukrainian cyber chief released on bail amid corruption probe
Second top Ukrainian cyber official arrested amid corruption probe
Report claims to reveal identity of Russian hacktivist leader
Rebel offensive in Myanmar takes aim at online scam industry
Myanmar Rebel Offensive Helps China's Cybercrime Crackdown
Shadowy hacking group targeting Israel shows outsized capabilities | CyberScoop
Nearly two dozen Danish energy companies hacked through firewall bug in May
Senate proposes surveillance bill without FBI warrant requirement
The FCC says new rules will curb SIM swapping. I’m pessimistic | Ars Technica
EU urged to drop new law that could allow member states to intercept and decrypt global web traffic
Google researchers discover 'Reptar,’ a new CPU vulnerability | Google Cloud Blog
Spavor blames fellow prisoner Kovrig for Chinese detention, alleges he was used for intelligence gathering - The Globe and Mail
The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story | WIRED
Transcript
Hey everyone and welcome back to Risky Business. I am back from my trip to the USA and Brazil
and I had a terrific time, a great trip to America and then a wonderful vacation in Brazil.
But yeah, it is really, really good to be back on deck. Unfortunately, Mrs. Biz, Mrs.
Business just tested positive for COVID this morning and I'm starting to feel a little bit weird.
So we're going to get through today's news recording.
And I'm basically outrunning the rona, Adam.
I'm outrunning it today, and we'll see how we go.
But I suspect the rest of the week is going to be a bit of a write-off.
As you can hear, Adam Boileau is on deck as well, and we're going to be talking through all the week's news in just a moment.
And then we'll hear from two of the founders of the application allow listing and execution control company Airlock Digital in this week's sponsor interview.
And we're talking to them about some changes the ASD has made to the Essential 8 maturity models.
That is coming up later, but first up, it is time to get into the week's security news.
Well, I guess the last three weeks' security news with Adam Boileau.
And just before we kick that off, Adam, I just want to say thank you for filling in for me and holding the fort while I was away.
This was my first real holiday in quite a while and I really, really enjoyed it, so thank you so much.
Very, very well deserved. You have worked hard for a very long time to make this show function
and all of the other parts of it
that people who listen to only the main show
may not realize that there is a whole empire
of Risky Business content that we produce.
And yeah, it's been interesting and fun
learning to do a whole bunch of that
while you've been away.
I think the funniest description I've heard
for the other stuff we do
is someone described it
as the risky business extended universe.
Exactly, yes.
Which is pretty much how it is.
Now, look, of course, every time I take a break, big stuff happens.
I think really the last three or four weeks
was marked by all of the ransomware attacks
stemming from the so-called Citrix bleed bug.
I do want to talk about this
because it's a really interesting case study of how we go from bugs to massive ransomware campaigns. But let's start off by
talking about the bug because it is a very interesting one. Why don't you tell everyone
what Citrix bleed actually is? Yeah, it's really interesting. The bug itself is a flaw in Citrix's
edge product. So they have a Citrix like NetScaler application delivery service.
Essentially, it's the thing that they sell you
to run the Edge connection
for your Citrix products.
So if you've got Citrix for desktop access
or other Citrix things,
then this is the thing
that mediates access through them.
So it's on the Edge UI network.
Great place for there to be bugs.
This bug was particularly interesting
because it's a session takeover bug. So you could show up to the application delivery controller on
the edge of the network and take over an existing user's post-authentication session by stealing
the session tokens and connecting as them. And what that means is it's post-auth. So post-multifactor, post any other controls you've got in place.
Well, the session token is post-auth, not the exploit, just to be clear.
Yeah, the exploit gets you a post-auth session
after the user has already completed the authentication process
and done the relevant multifactor
and then drops you into the Citrix environment,
which is a super powerful place to go
and circumvents multi-factor, which is one of the things that really makes for a juicy bug
in an interconnected service these days. Yeah. So exploitation of this en masse started the day I
went off to a dinner in Washington, DC with Dmitri Alperovitch and a few others. And this dinner,
there were a bunch of policy people there.
Darren Goldie, who was the Australian Cyber Security Coordinator,
who's since actually been recalled to defence
to deal with some HR matter.
I don't know what that's about, but he was there.
Kemba Walden, who's the acting National Cyber Coordinator
or something in the US government.
Illia Vitiuk from Ukraine's SBU was there.
An amazing dinner with a bunch of officials there, and we're all sort of having a conversation.
And yeah, it was just in the hours prior to me attending that dinner was when Catalin was in our Slack saying, wow, you know, exploitation is really kicking off on this.
And I did say to the dinner, because everyone was sort of talking about Scattered Spider and social eng, and I'm like, yeah, I mean, you know, that's a problem, but let me tell you what's just happening right now.
And I said, look, you know, there's people who are going around and grabbing all of these session tokens now.
Whether they're initial access brokers who are going to sell them off to ransomware crews or whether it's the crews doing it themselves, like this one is going to get ugly over the next couple of months.
It's, you know, we're on the cusp of a major event.
And we have seen some pretty spectacular attacks.
There was a major port operator in Australia was impacted.
I don't know that ransomware was actually deployed or whether or not they just shut
down systems when they detected someone in their network or in their environment.
But that was a huge, very, very big deal where the company responsible for 40 percent of
freight through ports in and out of our country could not operate. And I think the systems that
they closed down were the ones on the truck side, so they could get the containers off the boats
but they couldn't get them onto the trucks. You know, we saw the federal government get involved,
the national emergency coordination mechanism or whatever was invoked, and pretty good government response, to be honest. And they got it all back up and running,
so it didn't turn into anything material. But of course, you know, when you've got ransomware
crews messing with your port infrastructure, that is not good. Especially when you're an
island nation like Australia. Exactly right. Ports are kind of important. And just yesterday, actually,
the Financial Review here published a bunch of quotes from our Home Affairs and Cybersecurity
Minister, Clare O'Neil, and she has given the port operator DP World a giant serve for not
patching their Citrix. She's basically saying, look, you're critical infrastructure, what the
hell are you doing? Which is just so weird seeing a government minister
zeroing in on actually the right criticism.
But then we saw, and this one I think is even bigger,
the ICBC ransomware incident.
And the ICBC is, yeah, the biggest lender in China
and its US arm got ransomware,
which actually had an impact on the bond market.
Now, you know, I know that we have cyber people listening and I'm, you know, they're very smart
people and most of them would know that something impacting the bond market is a big deal. But
I think there's probably a few listening who don't realize just quite how big a deal that is.
Yeah. I mean, they ended up owing, what, $9 billion
to some other US bank in the process
that they couldn't settle
because they had turned off a bunch of their systems.
And then they had to get that capital
from their Chinese parent company into the US
to be able to kind of pay off their debts.
Like anything that involves $9 billion,
even if it didn't go missing,
it's just kind of a little bit late.
Like that's still a
pretty, pretty big deal. And it also sounds like ICBC, which was the Industrial and Commercial Bank
of China, it sounds like they paid the ransom too. So LockBit got some money out of them. And, you
know, that's not a great look for a system handling billions and billions of dollars. Yeah. And it looks
like it was the same bug. So Kevin Beaumont has been doing a wonderful job
of taking Shodan screen caps and showing that
most of these major ransomware attacks over the last few weeks,
Shodan illustrates that they were running Citrix products
at their border.
So, you know, it's not proof, but two plus two,
you know what I mean?
So I think also I saw a comment on Twitter.
I think it was Andrew Thompson, I'm not sure,
who said LockBit might start to experience some active response
with Chinese characteristics after this one.
Yes, like messing with a flagship kind of Chinese entity like that
may be a little risky,
although we don't really know
what Chinese hound release looks like,
you know, how it compares to what we do in the West.
But either way, if I were LockBit,
you know, you've had a very, very busy couple of weeks.
It might be time to, you know, head down to Sochi,
have yourself a, you know, a holiday break or something
and just kind of get away from the computers for a little bit.
Maybe, yeah.
Yeah, I mean, you know, Tom Uren, our colleague,
wrote this up.
He doesn't expect the earth to move because of this on the Chinese side.
But I think, you know, a disturbance to the bond market is the sort of thing that winds
up on the president's desk.
You know, this is a very big deal.
Like, this is even more of a big deal, I think, than Australian ports, right?
Like, the bond market is the underpinning
of the global economy.
Yeah, like we did see,
because this was when President Xi was in the United States
and we did see some reporting, I think,
that Tom wrote up about Janet Yellen,
the chair of the US Federal Reserve,
like talking to a Chinese counterpart about this.
And you would imagine this is the sort of thing that,
you know, it's only kind of one notch up for that to be, you know, Biden talking to Xi about this, right? It's
very serious business stuff and also embarrassing for China, right? They don't like to lose face.
And I think if you were LockBit crew, you might want to consider that. Yeah, yeah. Well, I mean, I
don't know what they were thinking, to be honest. But then
again, I mean, they don't seem to have much of a sense of lines, do they? You know, ransomware crews
generally, like the sort of person who's going to ransomware a hospital, I guess, is the sort
of person who's going to do something like this without necessarily thinking it through or just
not caring. I guess also the affiliate structure and the sort of quite distributed nature
of ransomware gangs makes it hard to,
you don't get one consistent set of rules of engagement
or decisions about these things.
It can be pretty distributed, pretty slow,
not entirely clear or well thought out.
Yeah, I mean, I think law enforcement focus on affiliates,
like sure, arrest them and whatever,
but really we make a dent on this problem
by going after the developers. And, you know, unfortunately, we cannot extradite the
developers of these things very easily. So, you know, we're back to that whole discussion about
release the hounds and disruption and whatnot. But, you know, I would just think that I'm sort
of surprised still we're in 2023 and things are still escalating. Now, I was in the
United States, I was in DC during the sort of counter ransomware initiative meetings, you know,
I even attended an event at the Australian embassy, met the Australian ambassador to the United States
who's a former prime minister here, Kevin Rudd. And yeah, it's really interesting because everyone's
talking, the conversation is really about frameworks. And, you know, I get it because that's how policy moves.
And I think eventually it will get somewhere where there'll be better cooperation on tracking,
you know, ransomware payments and things like that and arresting affiliates that aren't
based in Russia.
But you do, it is a bit frustrating when you're sitting there hearing people talk about frameworks
when this sort of thing is going on,
when really what we need is, you know,
either a unilateral heavy response to this
or maybe some sort of five eyes response.
But again, then you come back to the issue of resources.
And this is something that I heard a lot in the United States
from people in IC and also people from the FBI, which is they're
all really resource constrained at the moment. They don't have enough tech people at the moment
to do everything that they want to do. So I think that's another issue we've got here.
Yeah, exactly. It's hard work working for law enforcement and the salaries in the private
sector are very competitive with that. But it's also really important work. I think, you know, one of the things that, I think we come across
it later in the news, that's talking about the situation with the Killnet Russian hacktivist guy,
where someone was saying, you know, when the war in Ukraine is over and Russia rejoins the
international community, all of these Russian cyber criminals, you know, they're going to be on the list of things that
Russia could be... Yeah. For normalization, right? Like if you want to have normal relations again,
you've got to hand over these people. Yes. It may be frustrating right now, but we may see
some progress in, you know, I don't know how long it's going to take. Like they can't stay
isolated forever. Well, they won't extradite
because it's forbidden in their constitution, right?
So even if Russia does normalise relations with the West,
they will not extradite their own citizens,
but they might lock them up themselves.
Yeah, we might see some change
in the current very frustrating situation
that I'm sure if your law enforcement
does feel a little bit demotivating,
I guess is where I was heading with that.
So, you know, hopefully.
Yeah, I mean, there's another one from later in the run sheet
that I'll just pull forward now, which is Reuters is reporting that,
you know, there's a lot of discontent at the moment
that the scattered spider people haven't been arrested
because apparently the FBI knows who they are.
And, you know, we said these guys are going to be in cuffs,
like instantly, and that hasn't happened.
Again, when I spoke to various people, like informally, from places like FBI, and said, like,
why are these guys not in cuffs, it came down to two reasons. First of all, a lot of the victims of this
group aren't actually reporting intrusions to law enforcement, which means there's less evidence to
collect and it just makes it a bit harder. And second of all, resources. It must be hard to have that information and not be able to go
roll on them. I think one of the other bits in that piece talked about the fact that there's
so many different bits of the FBI and all different field officers that maybe started
investigations in parallel. So there's quite a lot of work to be done to put it all together
into one unified case and make those arrests. But
yeah, resourcing for law enforcement is definitely a hard problem. Yeah, yeah, it is. And, you know, Illia
Vitiuk from Ukraine's SBU, now it was a Chatham House rules discussion, but I asked him
if I could repeat this on the show and he said that was fine. You know, he was saying that
russia is investing a lot in skills development, particularly in the universities there.
So they are really working hard with their universities to develop a rather large workforce that can do offset.
And that means that they're going to have a lot of operators in their intelligence services and whatnot.
But it also means a lot of, you know, a lot of spare people with offset training
are probably going to bolster the crime ecosystem over there as well. And, you know, he seemed to
think that we need to get serious about skills development, maybe think a little bit less about
frameworks and a little bit more about like just training an entire generation of people
who know how to do offensive stuff so that, you know, if you do need to release the hounds, you have hounds to release.
So I thought that was an interesting contrast between, you know,
Western policy people talking about, you know,
the sort of slow-moving stuff versus someone who's, you know,
representing a country that's at war saying, no, got to move now,
got to do it now because it's quite serious.
So yeah, it's fascinating.
Certainly the contrast, yeah.
And look, there's so many serious ransomware attacks to talk about.
There's ardent health services.
This looks like a big deal.
This is just happening over the last few days.
Yeah, this is a health hospital chain in, I think, six different United States,
which is currently turning people away
because they've had a bunch of their systems ransomwared.
I've got to say, I love the way you phrased that,
six different United States.
Six different states in the United States.
It looks like this may well have also been Citrix bleed.
I don't know if I have a solid source on that.
It may just be like the normal Kevin Beaumont post screenshots of everything, you know, that's running Citrix. But either way,
turning ambulances away from hospital emergency rooms, that's real serious business. Yeah, yeah. And
sadly not the first time we've seen it. Fidelity National Financial as well, they're investigating
an ALPHV/BlackCat one. And I mean, it's crazy. It's like, I know this because we've got our own
little newsroom with Catalin and Tom and you, and, you know, we're losing track at the moment
because we're seeing, okay, real estate transactions aren't settling because conveyance
firms have been affected. And then you see another report that real estate transactions aren't
settling and you're like, is that the same one or is that a different one? And I think there's two different ransomware attacks at the moment
that are affecting property transactions. Is that right? Yes, yeah. There's Fidelity National in the
United States, which is very big, and then a managed service provider called CTS in the United Kingdom
which provides services for a whole bunch of real estate firms and services in that market in the UK. That one has been reported
as Citrix bleed. Yeah. I mean, it's just amazing. I spoke to a defense official as well. I spoke to
everyone. It was absolutely amazing being in DC. And I just realized too, I didn't say a special
thank you. The people who came to the NSA, the podcast that we recorded at NSA. I really enjoyed that. We had a great audience there and some of
the audience brought me some very special stickers. That's all I'm going to say, but you know who you
are and they're very cool and I will treasure them and thank you. And yeah, it was funny. Actually,
I had to pack up all my gear immediately afterwards. I didn't really have much of a
chance to mingle and whatnot, but yeah, thank you very much for the special stickers. But yeah, I was speaking to a defence
official over there who was saying the same thing, oh, resource constraints, whatever. But I, you
know, I'm getting to the point where I'm finding that a bit frustrating. It's like, well, maybe we
need to fix the resource constraints. Because, you know, we're just talking about impacts on
ambulances being diverted in hospitals, major port operators, the bond market.
At what point can we get out of this, I don't know, just this rut and actually do something here?
I don't know.
Yeah, it's frustrating.
And there are definitely people doing really good work to bring that kind of education and to feed the supply chain of people, but we are
just not willing to move at the same pace that Illia and friends are, because, you know, things
just take time when you're not in the middle of a war. Yeah, yeah, that's right. And we've got a
North Texas water utility as well that serves two million people. It's been impacted. And this was,
like, so two separate water utilities with separate cyber issues in the United
States, right? Much like with real estate conveyancing. And then one was the business systems of a water
utility and the other was actual pumping stations. Yeah, that one I think was Iranians, Iranian
activists. So, you know, I mean, I think it's safe to say that this Citrix Bleed thing caused all hell
to break loose. And again, we don't know that every one of these incidents is Citrixbleed, but yeesh.
Yeah, it's certainly a reasonable proportion of them.
Yeah, yeah.
And yeah, there's a healthcare manufacturer
has been impacted and whatever.
Some good news though, some affiliates,
looks like they got picked up in Ukraine
and they were pretty serious business.
Yeah, this was a group of people that were affiliates for,
I think... No, it was a bunch of them.
It was LockerGoga, MegaCortex, Hive and Dharma. So, like, they were, you know,
tech agnostic. Yeah, because we've seen there was a bunch of LockerGoga people that were picked up,
I think, last year sometime, and it looks like this is an extension of that particular investigation. But
it's really nice to see the Ukrainian authorities, you know, in the middle of a war, going through and
doing good law enforcement and arresting these people and, you know, keeping on with the
progress. Yeah, yeah. Funnily enough, what did I see? I saw a Twitter thread from someone who
lost their phone or their phone was stolen or whatever in Kiev like a year and a half ago.
And then they got a call from the cops saying,
oh yeah, we found your phone.
You can come and pick it up.
How do they do this in a war?
But look, it's not all smiles and sunshine.
In Ukraine, Victor Zhora and his boss who run the,
what is it?
The SSSCIP.
Basically the Ukrainian CISA.
They've been stood down and then arrested for corruption and bailed.
It looks like the allegation is in the years leading up to the war,
they were just doing some...
The allegation is they were doing some pretty standard sort of embezzlement,
directing the government to buy software at inflated prices
from their mates and getting kickbacks and what.
That seems to be the allegation.
But yeah, not a good look.
And certainly not great.
I mean, Zhora's out on bail and has been on Twitter
and said that he's going to fight it.
I think the other guy has been basically pretty quiet about it
and we'll see how the process goes.
And it's funny because
Zhora's the deputy, but he's the one everyone knows his name, because he's really been out there, you
know, talking a lot to infosec media. We've never dealt with him, but yeah. Yeah, well, like he's been
on stage at Black Hat and he was, you know, he keynoted CyberWarCon in the US. So yeah, he's
definitely been out there. And, you know, it's kind of hard to judge from the outside, you know, exactly
what we're seeing, you know, whether it's, well, I mean, whether it's infighting, whether it's...
I don't think anyone would say that there's no corruption in Ukraine.
It's a known problem.
But just in retrospect, I find it interesting then
that when we had Ilya on the show, he was really talking like...
I don't even remember if this survived the edit,
but he was at pains to talk about the transparency
when people are helping Ukraine now
where everything goes onto a website
and you can see exactly where the money went,
what it was spent on.
And he was just really talking about that a lot.
And it's like, I guess this is maybe why.
This may well be it, yeah.
And I guess that if there's a lot of eyes
and a lot of pressure
and in ways that there are a lot of visibility into Ukraine
in ways that there weren't three years ago, you know, when there wasn't so much aid, there wasn't so much international interest.
So, yeah, it's probably it's good to see people being persnickety about that kind of thing.
Yes, yes.
And I can't believe I said it's not all smiles and sunshine as my segue into that piece, because I think it's fairly obvious that it's not all smiles and sunshine in Ukraine at the moment.
They're still right in the thick of it,
fighting very hard.
It's miserable.
And yeah, so sorry if I seemed flippant there.
It was segue reflex.
Let's just put it that way.
What else have we got here?
NXP, the Dutch chip maker.
Apparently they had Chinese APTs all up in their network
for a couple of years.
Yeah, the reports are that the Chinese Chimera Group,
which I think is state-sponsored, was in there from 2017 until at least 2020
and had been rummaging around stealing intellectual property.
This is the same group that we've seen inside chip manufacturers in Taiwan as well.
So that kind of all lines
up. Interestingly, NXP says they only found out because they connected to some, like, KLM
subsidiary that then detected the connections from KLM going back into NXP, and then they
brought in Fox-IT and everyone started investigating. And now it looks like, yeah, they've been in there for quite some time. And like, this is not unexpected in terms of
Chinese MO, but NXP is a pretty big deal. Like, they make chips that go into a great many things,
including a lot of, you know, embedded systems, smart cards, radio systems, you know, your Yubico, you know, YubiKey
or your Google Titan or whatever else
are probably also NXP chips.
So, you know, I looked at this and I thought,
well, you know, there's a lot you could do inside NXP
if you were the Chinese gov.
Well, if you were to fiddle with some of their firmware
or whatever, yeah.
Well, I mean, there's the industrial espionage aspects,
there's potential for learning about security flaws or how to get key material out of
keys. We've seen some work done with side channels on NXP chips in the past, so there's
just a lot you could do in there, and NXP clearly needs to take it a bit more seriously if they're
going to be trustworthy. Well, I mean, we don't know that they weren't, you know. No, but I mean, they've been in there for years and didn't spot it themselves. Okay, okay, fair, fair enough. Now, look, let's
just take a moment. And we've been doing this a bit lately and I feel guilty about it, but I do
kind of stan the North Korean APTs. I do kind of stan them. And it's for the reason that you outlined once.
And it really explained to me why I stan them,
which is that they're not constrained.
They are not constrained at all
in terms of being able to jump into the supply chain
and hack their way through three different suppliers
to land on and to see where they land, right?
And they've been busy lately.
And it just, everything we're seeing coming out of North Korea
at the moment is pretty cool.
But walk us through the latest.
Yes.
I mean, I 100% agree with you.
I mean, the North Koreans just get to hack in a way
that everyone else must be just deeply jealous of.
Yeah, like if you work at NSA and you're like,
I would really like to hack this major technology company so that I can get a shell on Adam's box. Yes. You know, the lawyers are
going to say no, whereas if you're North Korean, they're like, yeah, go for it. Yeah. So yeah, deeply
jealous. And you and I are not the only ones, you know, that are like, we do got to hand
it to the North Koreans, they get the job done. Anyway, there's been a bunch of supply chain attacks lately that have come to light.
There was a joint advisory put out by the United Kingdom and South Korea talking about,
in general, North Korean supply chain attacks and giving some TTPs and things that people
can look for.
There's been, there was one with, like, JumpCloud a while ago that they were using to get into
people.
There's MagicLine4NX, which made
auth software which was used by
South Korean government entities for
auth, so that was an interesting
one to backdoor. I mean, that's where you want to be if you're
DPRK. Well, exactly.
Another one we saw pretty recently
was a company called CyberLink,
who are, like, a Taiwanese software
manufacturer that probably most people would remember from, like, if you watched DVDs on
your Windows box in the mid-2000s, they made the, like, PowerDVD thing that everyone used to play
back DVDs once upon a time. Anyway, they got into that and backdoored a whole bunch of their
software, like, signed it and everything, so that if you...
They did it right. They did it right. And so yeah, if you downloaded
CyberLink software from their legit site with legit certs, it was pre-backdoored by North Koreans, which,
you know, that's just, you know, yeah, I'm here for that. That's good work.
And they're also pushing a bunch of macOS malware at the moment as well, like pushing the
state of the art with the old Macs. Yeah, yeah. We've seen them going after cryptocurrency firms,
which obviously is a thing that they do, but in this case, you know, there's a lot of Mac users in
crypto firms, so showing up with, you know, not technically super sophisticated macOS malware, but
it gets the job done. It's not stupid if it works, etc. Exactly, exactly. So yeah, good.
Like, in terms of outcomes-based hacking, you know, things that North Koreans get done in terms of
money stolen or access to stuff gained, yeah, they're killing it. So yeah. And I mean, some of this
is linked to espionage, obviously. It's not all crypto theft, but yeah, they've just really scaled
up in a way that I think is impressive.
Like I've always had that argument with Dimitri about like, he's like, no,
they were always good. And I'm like, yeah, they were always good,
but they weren't operating at this sort of scale. It's like, you know,
it's impressive. I hate to say it.
Yeah. I mean, it is.
Microsoft, I can't believe I'm going to say these words, but Microsoft has decided that maybe it's going to put its key mat in a HSM
so that things like Storm 0558 don't happen again.
Now, look, I think this is good.
It is. It is good.
But I don't really think the issue
was that they didn't have the keys stored in a HSM,
you know, like at the sort of scale that Microsoft operates.
So, of course, we're talking about the Storm 0558 hack
where the theory is that an attacker obtained a key, some key material from a crash dump in
Microsoft's network, and then use that to sort of mint authentication tokens and steal email from
the State Department and whatnot. You know, the issue that I have is that that key was originally
created in, I think, 2016. And, you know, years later,
someone comes along and steals it and then uses it.
Now, the reason we rotate keys is so that that's not a problem.
Like, that's the whole point.
And I'm guessing Microsoft is going to say, you know, eventually,
because there is a CSRB report coming on this,
and I'm guessing they're going to say, oh, but that's hard.
It's like, yeah, it is.
But, you know, you're one of the biggest companies
in the world.
When you're running the auth system for half the planet,
hard is a bar that you need to be able to leap over.
Totally.
So, look, I think it's great that they're going
to start sticking keys in an HSM.
Now, whether or not that is just like root of trust and then they're going to have like operational keys that sort of get signed by that root of trust and then, you know, used in non-HSM systems, I'm guessing it'll be something like that.
But I think the bigger issue here is that they should be rotating these keys
every few weeks.
I mean, it's ridiculous.
We just did an SSL key rotation on Risky Biz, which is annual because I can't use Let's Encrypt for a whole bunch of boring reasons, but we do an annual key rotation, and Microsoft can't do a seven-year key rotation for its root-of-trust signing key for all of the world's email?
Like, you know, insane.
Yeah, it is insane.
And, you know, I do have sympathy for some of the problems that they have to solve at a scale that's kind of unprecedented, and with an availability, like, if they screw up the key rotation, it's going to break email for half the planet. So I have some sympathy for their operational people.
No doubt it is hard, yes.
So, like, it is hard, and we certainly acknowledge that. But the fact that it is such important key mat, and Microsoft runs Azure, which is, you know, got to be one of the biggest platforms on the planet that has HSMs and things that, like, all their customers have access to, a bunch of the tools to do this properly, Microsoft should also be eating their own dog food.
Yeah.
And I think, like, it's just the point that Azure has moved so much in that time, and how many legacy assumptions or legacy choices like this are still kicking around? And Microsoft needs to, you know, store this key material well and think about your rotation for this one, but they also need to go through and say, what other skeletons are in Azure's closet that we need to go back and revisit now that it is so important?
Yeah, yeah. So I think that, look, I mean, you're quite right
that they've announced high-frequency key rotation as part of this, right?
So I think maybe it's just a headline that I'm mad at.
Yeah.
I mean, all well and good, a little bit too late in my view,
but, you know, they did announce their big new Secure Future initiative,
which some people have been comparing to the old,
you know, 20-year-old trustworthy computing memo
that came out under Bill Gates back in the day.
Our colleague Tom Uren did a big write-up on that
for Seriously Risky Biz where he said,
yeah, this actually looks pretty weak sauce
and he's not convinced.
Yeah, I mean, Tom and I had a great conversation
on the Seriously Risky Business podcast about this, and, you know, there are a bunch of good ideas in there in terms of the engineering side, but big picture, leadership-wise, it did seem pretty thin. And I was certainly concerned about the let's-just-AI-our-way-out-of-this part of it. Like, that's not a thing that belongs in a, you know, leadership statement for security of a company the size of Microsoft. Like, it's a tool you can use.
It's interesting to investigate,
but don't tell me we're just going to throw AI at this
and it's going to make it better.
Yeah, yeah, agreed.
Now, we've got a piece here from Daryna Antoniuk, which you spoke about earlier, which is the apparent head of Killnet, which is the Russian, you know, hacktivist crew that DDoSes everyone, has been doxxed.
And really, reading through this story, Daryna's based in Ukraine, you know, so she's closer to all of this, and really reading through this story, you get the impression that the reason he got doxxed is because nobody likes him.
Yeah, I mean, Killnet's kind of, I mean, it's kind of like a Russian Anonymous in a way. Like, it's one of these more hacktivist-y, more splashy, less actual technical hacky kind of groups.
And Killmilk, the boss of Killnet,
was one of those kind of personalities
that's more about kind of image and self-promotion
and being seen rather than actually doing
badass technical hacking.
And it sounds like,
given that he had a history of doxing his enemies,
it's kind of not surprising that he ends up in the same fate.
Yeah, so you really get the impression
this isn't like, you know, Ukrainian hackers doxing him.
It's like his mates who are just like,
we don't like you.
Yeah, like I kind of think
he's just kind of made enough mess in the scene.
And the fact that we saw a state-owned media outlet
doing the initial doxing
does also send a little bit of a message, I suppose.
So not really very surprised.
I mean, it's always nice when Brian Krebs does it,
but I guess we should also be happy when Russian media is doing it too.
Now, James Reddick over at The Record has this absolutely terrific
and disturbing piece up, which is really about when civil wars meet pig butchering.
This is just, this is insane.
This is such a wild ride.
And when you click through, he's also linked to a VOA, Voice of America News piece.
Like the stuff that is happening with this human trafficking into pig butchering call centres and whatnot is insane.
And this story is really about how these rebels that are fighting against the government in Myanmar
are now targeting the pig butchering operations that are on the border with China
And they're actually getting support from the Chinese government, because Chinese nationals previously had been gunned down by Myanmar border guards when trying to flee a raid on a compound where people were doing pig butchering. I mean, this stuff has gone crazy. Walk us through it. It's wild.
It really is wild. And, like, to understand the story, you kind of have to understand a bit of, like, Myanmar's background, I suppose, where there is a region on the border of China, roughly the size of Lebanon, called Kokang, and it's kind of self-administering. And there's a local border guard force that is, like, the local military that is sanctioned by the Myanmar government but not really directly controlled. It's kind of a little bit independent, does its own thing.
And that region has been a hotbed of all sorts of crime, and its proximity to China and the border trade means, you know, smuggling and all sorts of things going on. And that's where most of these pig butchering, you know, scam centres have cropped up. And we've seen people ending up in these, you know, kind of centres through, you know, just being, like, kidnapped. We've seen people lured there with fake jobs. We've seen people, you know, kind of forced there by family connections and so on. And it's a real kind of lawless region.
And the previous raids that we've talked about, with the Chinese law enforcement kind of going across the border, cooperating with local law enforcement to raid stuff, has been one part of China's response to this. But we're also seeing local, you know, military groups, so rebels in the context of the Myanmar government, but kind of people who are against the current administration in that region, that then want to go and fight. And one of the things they want to do is go and, you know, tear up a bunch of these scam call centre operations as part of their fighting against what they see as oppression by, you know, the local government group.
So it's a real intersection of crime and lawlessness and cross-border politics, and it's not surprising to see it, you know, interacting with our, you know, computer security world in this way. But the story is just wild, you know.
Yeah, yeah. So, I mean, obviously we've linked through to those ones in the show notes. Go have a read, because it's just, like, you know, yeah, crazy.
Now we're going to talk about the 702 surveillance authorization in the United States. And I had some really fascinating conversations with people from NSA and FBI when I was in the US talking about this, one of the cases where I'm at odds with them. A couple of times, you know, I was saying, look, I don't think you should really be able to use data collected under 702, you know, incidental collection on Americans, to use it as evidence of a crime. It just seems wrong to me. And they're like, yeah, but that data was already collected. Which is just such a dumb argument, because it was incidental collection and it was never collected for that purpose. I said to him, really, you're going to run with that argument? Please go to Congress and say you want to stand up 702 for this purpose and see what they say. And all of them would just shrug and go, yeah, okay, fair enough. So, you know, the issue here
really is that the FBI was querying the 702 data set too often and for unclear purposes. And,
you know, it doesn't really return much because when this data is collected, the tasking is not
done by FBI, it's done by NSA and it's targeting foreigners.
But maybe there's a little bit of adjacent data that is incidental and, hey, the FBI can use that.
Again, I think that's wrong.
I think in the case of national security risks and threats, counter-espionage, counter-terrorism, I think it would be justified, but not just for the evidence of any crime.
That is insane to me. And we've seen some lawmakers propose
a warrant requirement for the FBI to get at 702 data.
I think probably that might even go a little bit far.
It's complicated by the FBI
having both the domestic counterintelligence role
and a law enforcement traditional crime fighting role.
And if they were different agencies, you wouldn't give the FBI access to this data set.
Sure. I think one other wrinkle, too, is that the FBI only does investigate very serious crimes.
Yes.
But, you know, should you be using evidence that was incidentally collected via 702 to pursue a fraud case? And I think not, personally. That's just where I sit on it.
So it looks like what's happening is it's going to get attached to a must-pass bill, which is the NDAA. The White House is pushing for no warrant requirement, and it looks like what they're going to try to do is attach it to the NDAA, get a further reauthorization for 12 years and get compliance officers at places like FBI.
You know, I don't think this is the end of the world, but it does feel a little bit backdoor
surveillance-y to me. So I'm not a huge fan of it. I do get the impression NSA is quietly furious
with the FBI for jeopardizing what is an extremely important program. So,
you know, absolutely it needs to get renewed. And FBI still doesn't really have a good explanation
for how the naughty searches happened, the naughty queries. And yeah, so as I say,
gritted teeth from NSA people when talking about it and shrugs from the FBI people
when talking about it. So clearly something needs to change here, but I don't think it's going to wind up with a warrant requirement just yet.
Staying with America, the FCC is implementing new rules for telcos over there to help combat
SIM swap fraud. This comes in the wake of the CSRB, the Cyber Safety Review Board,
report into Lapsus and other types of actors who use similar TTPs.
The idea is, yeah, they're going to, like if someone tries to SIM swap you,
they will send you an SMS saying,
hey, are you trying to actually port out your SIM card and whatnot?
So this will hopefully solve some of the problem.
As was pointed out to you and I by a friend of ours at Microsoft,
this only solves a half of the problem because another issue is that quite
often the people doing the SIM swaps actually have shells at the telcos and
they're just logging in and doing it themselves.
So it's not going to solve that part of it, but you know,
it is a positive development.
Yeah.
I mean, anything that adds more friction to those processes is going to do something to make it better.
You know, I know Dan Goodin over at Ars had a piece that he wrote up, and he said basically, I'm pessimistic, in the headline, about how effective it's going to be, because the FCC haven't made any real concrete rules, and there's quite a bit of latitude given to the telcos about what the controls they implement look like. But anything that adds friction to this is going to improve it. And as you say, the problems of people who are inside the telcos already, or inside people who've got access through retailers or blackmailing them, all of the other things we've seen, you know, the underground SIM swapping community do, like, they're a resourceful group and telcos are not.
Yeah.
Now look,
I just want to touch on this one briefly.
There's a proposal in the EU where member states could demand that browsers, like, that they can put a certificate into the root store of a browser and it would be respected and stuff.
And this has caused a lot of controversy with people saying,
Oh no,
but it's going to be used for surveillance and whatnot.
And I just don't think that's what this is for.
I understand why people would be a little bit, you know, worried about that.
But that to me seems more like a concern from 10 years ago
before we had things like cert pinning and whatever
and browsers alerting you when certificates look a little bit funky.
So, again, I don't think that's the intent here.
I think this is more about the EU being just very EU
and crazily bureaucratic and saying,
yes, of course, we need to be the root of trust
for identity services in our states
and we need the browsers to cooperate and whatever.
So I get why people are protesting this,
but I think it's dumb and bureaucratic,
but I don't think this is a ploy to do surveillance.
I think that's the wrong take here.
Yeah, yeah, I think I agree completely.
I mean, the EU,
like this probably has been grinding through the EU process for about 10 years,
which is why it seems such an old thing.
And modern controls like certificate transparency reporting, where every cert that's going to get issued gets shoved into a CT log so that people can see what certs are being issued. If it was being used for surveillance, they will get snapped, like, in five minutes, and it will be super embarrassing. So the idea that this, like, just having a root CA cert used to let you man-in-the-middle anything and do anything you want, these days it's a lot more complicated than that.
And I think, you know, that's one of the reasons why this is less scary.
It's dumb, but it's less scary, because the modern SSL ecosystem, as you say, is just a bit more mature than that.
But I think it also speaks to the different mentality in EU member state governments versus the US,
where, you know, in the US, the government is the enemy always.
You know what I mean?
It must be minimized and keep out of people's lives. And, you know, in
other countries around the world, particularly Europe, you know, the idea is the government is
there to do, you know, fulfill certain functions. And, you know, if putting a key into everyone's
browser is going to help them deliver some sort of service or function, they're going to demand it,
you know, so.
And I mean, plenty of other countries have root CAs, you know, under their control, so you could see why the Europeans would want that too. But I don't... it's just mostly the European regulatory process is so slow and unwieldy, and we end up with, you know, everyone in the world having to click through cookie banners all day every day because of the EU. So, yeah.
Yeah, yeah. Now, look, let's... What's real funny about clicking through those cookie banners is that, and a lot of people wouldn't remember this, but that's how the internet was in the 90s. So it was really when people just had that interpretation of, like, cookies, well, there could be a bit of a legal issue here, we need to put these pop-ups and whatever. It's just so weird that we've gone back, like, 25 years in internet time to having to swat away all of these things. But anyway.
Yeah, so, look, got a couple more things to talk about real quick. Let's just touch on this one briefly, but Google researchers have found some CPU bugs that actually look quite interesting.
Yeah, there was a write-up from Tavis, you know, of a bunch of research that came out of, you know, teams all across Google that have been fuzzing CPUs. And they found some issues in, like, instruction decoding on Intel x86, you know, x64 CPUs that can basically lead to, you know, the CPU getting into a state where it doesn't want to work anymore. And if you do it just right, you can basically cause the whole CPU to hard lock and reset itself, and you can do it from inside VMs. So from that point of view, some availability issues for cloud providers. They haven't got a concrete, like, privilege escalation situation for it, but that's kind of because the bugs themselves are way in the guts of the microcode of modern Intel CPUs.
now I just want to touch on this one quickly as well.
It's a story from the Globe and Mail in Canada.
You remember when the Huawei CFO was arrested,
detained in Canada,
and then the Chinese government detained the two Michaels?
Yes, yes, yes.
So that was, yes, Michael Spavor and what was his other name?
Kovrig?
Yeah, Kovrig.
So, you know, the thinking was that these two poor Canadian fellows
were being held as hostages to allow the release of the Huawei CFO.
Turns out we might owe China a bit of an apology on that one, Adam.
So I'm just going to read the first few paragraphs
from this Globe and Mail story.
One of the two Canadians jailed by China for nearly three years in a case that was at the heart of a diplomatic crisis is
seeking a multi-million dollar settlement from Ottawa, two sources say, alleging he was detained
because he unwittingly provided intelligence on North Korea to Canada and allied spy services.
Michael Spavor alleges that the deception was conducted by fellow Canadian prisoner Michael Kovrig,
and it was intelligence work by the latter
that led to both men's incarceration by Chinese authorities,
according to the sources.
So looks like maybe there was actually something to it, you know.
And if that's true, you would imagine
that that would be immensely frustrating for the, you know,
for the Chinese intelligence people who are doing good work and catching people for actually doing spying
and then being told, oh, you're just keeping hostages, you know.
One of the Michaels, Michael Spavor, he's the guy that arranged Dennis Rodman going to North Korea, and he's, like, posting pictures of him drinking cocktails with Kim Jong-un, and, like, kind of not surprising
that he would have some interesting data
about what's up in North Korea.
And then, yeah, the other Michael kind of talked him
into sharing some stuff and reported it back to Ottawa,
goes the story.
So maybe Spavor, you know, the idea here is that what,
maybe Spavor was what they call a useful idiot
and then the other guy sort of cynically exploited him.
Then again, I think the sort of person who organizes tours for Dennis Rodman to North Korea, can we take him at his word, right? I mean, it's kind of, yeah, like, that guy's either got a screw loose or is... I don't know. You know, we did very much just go, well, that's China, you know, being the Canadians, because, yeah, actually, yeah, it may well have been
legitimate counterintelligence work.
Yeah, counterespionage arrests are legit.
But I mean, of course, we don't know, right?
It's just a lawsuit.
It could not be correct.
The guy has a very weird job
and probably a very weird outlook on the world,
so it could be wrong.
But who knows?
Wouldn't it be crazy if it turned out that way?
And just look,
we're not even really going to talk about this one,
but just we threw it in our,
as our last link in this week's run sheet,
but Andy Greenberg wrote a terrific feature for Wired
about the three young hackers who built the Mirai botnet.
And, you know, where are they now?
And it's a great read.
Yeah, Andy Greenberg does a very good line in these kinds of, you know, long-form background stories of hackers and criminals and other people who've been through the system. And yeah, it's well worth the read. And, you know, Mirai, you know, is still very relevant today.
I really enjoyed the bit where he kind of relates what it feels like to wake up in the morning and read news headlines about a thing that you wrote that's going crazy around the world. And then, like, how do you integrate that into your days, the day in your life?
So it's well worth a read.
Yeah, yeah.
Well, mate, that's actually it for the news.
Great to be back on deck.
Great to chat to you.
And yeah, thanks again for holding the fort
while I was away.
Yeah, no problem.
It was fun learning a bunch of the extra risky business stuff
that happens behind the scenes here at HQ.
So yeah, I enjoyed it.
That was Adam Boileau there with a look at the week's security news.
Big thanks to him for that.
And yeah, it is time for this week's sponsor interview now
with one of our favorite sponsors, Airlock Digital.
Airlock makes allow listing software that works really well at scale.
And I think actually calling it allow listing,
and people have heard me say this a million times,
I think calling it just allow listing is a bit too simple
because it really gives you the ability to finally control the way
things execute on your endpoints. So it's really good at stopping things like living-off-the-land techniques, which are all the rage with Chinese APT crews at the moment. So if you're a defense industrial base company, you really do want to have a look at Airlock.
So Airlock founders Daniel Schell and David Cottingham joined me for this conversation about a recent update to the Australian Signals Directorate's Essential 8 maturity models. There's been a lot of talk online about the new models imposing heavier recommendations or requirements for things like phishing-resistant MFA, but we zoomed out a bit to talk about the models a little bit more generally and some other aspects of them.
The first voice you hear will be Airlock's CEO, David Cottingham, and the other voice, of course, is Daniel Schell, who is Airlock's CTO. Enjoy.
The Essential 8 Maturity Model is
essentially eight controls that, you know, I used to say, if you need to do eight things to defend
yourself, these are
the eight things that you should do because we consider them essential controls. But the maturity
model is a recognition that not all implementation is created equal, right? So you can implement
some things badly, which is sort of maturity level zero, or you can implement some things
really, really robustly, which is maturity level three. And then there's maturity level one and
two, which is sort of the gray areas in between. And they keep tweaking with all the different
maturity levels with individual things you should do. So for example, the patch timeframes for
maturity level three is if there's a critical vulnerability that gets released by a vendor,
you need to patch within 48 hours to stay ahead of attackers. But you're only going to patch within one month
if you're on maturity level one.
So the success of this whole model has been that it is very succinct,
easy to understand, easy for organizations to pick up and say,
okay, I'm going to do these eight things,
and that's going to keep me secure for the majority of attacks.
Yeah, and I mean, application allow listing
is part of the essential eight, has been for a long time,
but it only kicks in, it kicks into different degrees
based on the maturity level, right?
That's correct.
So we actually started, you know, Airlock as a company
based off this standard.
When it was first released, it used to be called the top four,
which was, you know, released back in about 2012.
And, you know, we
found that really hard to do. It's mandatory for all federal government agencies in Australia to
implement these controls. And, you know, essentially spurred us to start a company off the back of it.
And I think it's been a great tool in order to sort of influence the market in terms of this is,
you know, these are the real controls that we want you to meet and drive innovation
in these areas. So look, we love the standard and it's really interesting some of the updates that
have come in for November 2023. They seem to be tightening up the controls, of course,
and becoming more prescriptive. Well, Ben, that's how these maturity levels tend to go, right? It's
like they just gradually tighten them and make them a little bit more serious as time goes on.
But one thing that I found interesting in this release, compared to, you know, all the other ones which have come in the last decade, is there seems to be a little bit of self-awareness and practicality creeping into these controls. There's actually been some controls that are loosened and wound back, which is like, hang on, this might actually be too difficult. So instead of, like, for example with patching, you know, it says patch internet-facing stuff within 48 hours, but forget about desktops for critical patching, you should do that within the first month, because they're not normally the things that get compromised. So how about you concentrate your effort on your rapid patching to the stuff that is over here, and then we'll give you a break on not trying to say, hey, everyone, patch your entire network within 48 hours, which I think is interesting.
Yeah, so what's really been interesting is that all the change that's happened in the patch management side of things is that for maturity level one, and this wasn't a requirement before, it's like internet-facing things with critical vulnerabilities must be patched within 48 hours. So that's actually really moved forward to being, like, hey, you need to do this quick. And obviously it's a reaction to, like, you know, now you would say that, hey, if there's a new vulnerability discovered, you know, people react, the hackers are scanning the internet within 48 hours, so, you know, you better get going as soon as possible, while you're relaxing for, like, internal stuff.
But the wording, and I've seen this now where I talk to all my customers about implementation, so I was talking about, hey, internet-facing servers or not internet-facing, that's like one of the big groupings now, where they're like, you know, we care first about the internet-facing servers, and then, yeah, okay, we've sort of deprioritised the rest a little bit, but we need to get to that first. So what they've done is, for patches to all vendor mitigations to vulnerabilities in productivity suites, web browsers and extensions and office applications, should still be applied within 48 hours at level three.
So I guess anything that accesses the internet,
then you're talking, I guess, about phishing at that point
where if you can trick a user into opening something,
then yeah, you have to patch that stuff quick.
But not just everything all the time, right?
Yeah, so I think one thing that's also interesting, reading the changes in this, you can see the types of arguments that incident responders are having with organizations when they go into them. And they're trying to be more prescriptive in certain really nuanced areas, for example, event log collection.
You know, they're saying you can't just use,
you know, PowerShell logging is not using application control
to log which PowerShell ran.
We actually want you to log the contents of PowerShell.
So people have obviously had PowerShell logging say,
here, here are all my PowerShell scripts which have run
and seen like the files that have executed,
but they haven't actually had the contents of the PowerShell,
which is what incident responders are looking for. So they've changed it to say, no, you actually need module logging, script block logging and transcription events enabled, so we have the content, not just the metadata, of what's actually executed, because that's what's useful for us as incident responders.
And, you know, I think the danger here for the Essential 8, the advantage has been that it's really easy to pick up, understand and build a plan around as an organization for your security strategy.
But if we start to get into the real specific nuts and bolts and it starts to become a document which is 40 pages long, I think that it starts to lose some of that advantage, I guess, out there. And, you know, they put requirements on for nearly every control in there now that event logs from this mitigation, so let's say patching, you know, you need to have your patching logs protected from unauthorized modification, deletion.
But, you know, that's a requirement across eight controls times eight.
It bloats out the document and it just becomes more technically difficult to pick up and understand, where it was a great sort of management tool before.
So I hope that they don't keep adding complexity, prescription, as much as I understand that we live in an industry that depends on it.
I'm a bit more forgiving, I think, than you are of that, because at least they're starting from a position of, like, here are eight controls. And obviously, like, yeah, just implement patching is one of the, you know, is one of the Essential 8, right? And that, there are PhD theses on that, right? So I kind of understand how you can start with something very simple, but when you get into the detail, it actually gets quite complicated. So I don't know. I mean, I'm kind of in two minds about that.
But what are the changes that have affected? Because, you know, we often see with like NIST
and with the ASD Essential 8 and whatever, they often move around the application allow listing
and control stuff. Like they either make it, well, more people have to do it or fewer people have to do it
and they tend to kick it around in the maturity levels a bit.
Have there been any changes in this latest update to the Essential 8 maturity models?
Yeah, there has been.
What they've said, for example, is that at level two maturity, you now require, like, event log retention and centralized logging as well.
You know, that's really focused for, like, AppLocker and WDAC, where by default, you know, they log to the Windows event log, and that's the end of it.
So you still have to find it, you have to collect all those logs centrally and look
at them, right?
Otherwise, you don't know what's happening on the individual endpoints, what's being
blocked.
So, you know, it's pretty important to get that brought into it.
And there was another change as well, which maybe was more of a statement in the piece, where they've sort of said, hey, you know, implementing application control using NTFS permissions doesn't count as app control.
No, it's on this statement saying, like, you know, which at the end of the day is tied to privilege, right? You can't rely on privilege to do your application control.
Yeah, this is also the entire AppLocker security model in its default form, which is you can only run things from places that you cannot write to. All right, so for example, the default rule set says that anything in C:\Windows and C:\Program Files can execute; however, standard users can't write to those locations, right? But there's always exceptions to that. For example, C:\Windows\Temp is world user writable.
You know, if you install Adobe Reader,
the plugins folder is user writable,
even though it's in program files,
because, you know, you need standard users
to be able to install plugins.
So there's all these exceptions.
We've actually written a tool that you can download
for free off our website called the AllowList Auditor, where it will actually just drop executables and DLLs as a
standard user in every single directory across your system and tell you whether it was able to
get code execution. And it shows you where this NTFS permission security model kind of falls down.
But it's interesting that they call it out. I guess it's also easy for standard users to change the folder permissions, if they need to, as well. So they're making sure now that to tick the allow listing box you actually have to be, you know, doing it properly, I guess.
And this is what you, this goes back to what you were saying before about it becoming more prescriptive.
Yeah, they've also added, like, a new, at maturity level two, you have to do an annual review of your allow list policies, which is, you know, good practice. And the other thing as well is they've also moved, like, moving Microsoft's recommended block list rules, which we've talked about, which is now called Microsoft Recommended Application Block List in Microsoft's annual renaming of everything that's ever existed. And that's now also, at the end, you know, moved to a lower maturity requirement as well, so at level two you also need to do that because of the LOLBins impact, I guess.
Now, look, who was it?
It was CISA as well have put out some guidance
on application allow listing.
You were telling me about that the other day, Daniel.
Yeah, it was about two weeks ago now.
CISA and the FBI co-released a report
on the Scattered spider ransomware campaign
And Scattered Spider, you know, was the group ransomwaring the casinos and, you know, the rest of the planet recently. And what was really interesting for us, you know, this is, you know, we see a lot of these releases of these sort of documents from US government. For years I've been watching them, you know, but this is the first time they actually highlighted application control as a major mitigation. It was the top of the list, it was highlighted in a box saying, hey, like, this is a big deal, and, you know, application control is a key mitigation here. So it was great for us as an application control vendor to see that in, you know, proper US government official guidance.
Yeah, and I also can't see how they can really roll that back in future publications as well. I mean, it is the sort of, yeah, it's the sort of recommendation that once you make it, you don't unmake it, you know? And I think that my experience of, you know, dealing with you guys for years now is that your business just consistently grows, you know? Like, it's not one of those businesses that goes absolutely mega ape shit, like one of these new Wiz or Lacework or whatever with a, you know, $11T gajillion valuation, but it just, like, is consistent growth. Not a trickle, it's fast growth. It's not crazy growth, but it's just sort of unstoppable, and it just sort of feels like that linear line upwards is just going to continue forever.
Yeah, I can't see it becoming less relevant, I guess.
I guess and what I am actually really interested to see,
and we have seen a few bits and pieces of this,
particularly in the North American market,
is now that, you know, especially the US government
is recognising things like allow listing as, you know,
hey, this is actually a good way forward.
You know, there has been companies that have come before us
and have done this before, of course.
But I'm interested to see if there's a revival of, you know, allow listing feature sets in other companies' products now.
I reckon that's, I reckon that's, I was thinking about this myself, and I think that's what's going to happen. I think some of these EDR vendors are going to introduce some rudimentary allow listing to let people check the box, but it won't give them, I don't think they're going to introduce the same level of, like, execution control that you've got, which really knocks a lot of the LOLBin stuff on its head. So a lot of these Chinese APT groups now are doing living off the land, you know, using that as their primary sort of TTP set. Yeah, you know, your stuff is a really good defense against that. So it's interesting that you say that, because, yeah, the same thought, exactly the same thought occurred to me, which is that I think we're going to see some bad allow listing functions creep into the EDR platforms, essentially.
Yeah, I would say, yeah, then you're going to have, like, the minimum viable, but unless they're really basing it on, like, the Australian maturity model, like, it's going to be really hard for them to get value. I think what we'll see as well, we'll just be again, like, and we've seen this in the past with the Essential 8 and stuff, they'll just be like, every vendor will say "we do allow listing", but it will be their own definition of that. Like, companies will come out and go, "we do allow listing", but it'll be for URLs, not for files, or it'll be privilege management, not application control. So, yeah, or mess things up with me. That's why the proof is in whether it actually works or not, and that's why, you know, we've...
It'll be horrible. It will be horrible. It will be purely there for a compliance checkbox. Like, this is because I, it's, so I literally have thought through this, like, recently, and I'm like, yeah, they're gonna do it. They have to eventually, because it's a feature that more and more people are going to want.
Yeah, exactly. And that's why, you know, I think we're focusing a lot, well, we are internally, on releasing a lot of tools, because the validation of your security is really important. If we can code tools that allow you to independently verify and audit, then you can, you can't argue with the thing that executed something on your system, I guess. And that's sort of, I think, the approach that we're going to take to prove out, you know, the effectiveness of these things, including our own solution as well, right? Like, we want to, we want to make sure that people are getting good security outcomes from what they're deploying.
All right, Daniel Schell, Dave Cottingham, thanks a lot for joining me for that conversation. Very interesting stuff. I look forward to chatting with you again next year.
Cheers.
Cheers.
Thanks, Patrick.
Thanks, Patrick.
That was Daniel Schell and Dave Cottingham there
with a chat about changes to the ASD's Essential 8 maturity models.
Big thanks to them for that,
and big thanks to Airlock for being a sponsor.
You can find them at airlockdigital.com.
And that is it for this week's show.
I do hope you enjoyed it.
I'll be back next week with more security news and analysis.
But until then, I've been Patrick Gray.
Thanks for listening.