Risky Business - Risky Business #732 — We are CRUSHED
Episode Date: January 16, 2024On this week’s SURPRISE edition, Patrick Gray and Adam Boileau discuss the week’s security news. They cover: Their disappointment over last week’s SEC Twitter ...hack China rainbow-tables Airdrop Enterprise bugs galore… … and why patching fast is hard when there isn’t even a patch yet UEFI flaws get trad-BIOS-era vendor response and much, much more… This week’s show is unsponsored, we’re just here for the fun of it. Show notes The SEC’s Official X Account Was ‘Compromised’ and Used to Post Fake Bitcoin News | WIRED Apple AirDrop leaks user data like a sieve. Chinese authorities say they’re scooping it up. | Ars Technica FireChat – the messaging app that’s powering the Hong Kong protests End-of-life Cisco routers targeted by China’s Volt Typhoon group Ivanti Connect Secure attacks part of deliberate espionage operation | Cybersecurity Dive Ivanti Connect Secure VPN Exploitation Goes Global NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-6548 and CVE-2023-6549 Aria Automation Missing Access Control Vulnerability (CVE-2023-34063) Security Bulletin - January 16 2024 Stable Channel Update for Desktop “MyFlaw” — Cross Platform 0-Day RCE Vulnerability Discovered in Opera’s Browser PixieFail: Nine vulnerabilities in Tianocore's EDK II IPv6 network stack. LeftoverLocals: Listening to LLM responses through leaked GPU local memory Bigpanzi TV Botnet Southeast Asian casino industry supercharging cyber fraud, UN says
Transcript
Discussion (0)
Hey everyone and welcome to this surprise edition of Risky Business. I'm Patrick Gray.
Boo!
My family and I came back early from our camping trip because, you know, it got pretty wet.
We were rained out for a day and I also got sick of sleeping on our two-year-old's bunk
while he luxuriated in the queen bed with Mrs. Biz.
But we lasted four nights and a good time was had by all.
So yeah, I got home yesterday and I said to Adam,
hey, like, how about we do a news-only edition of the show and you can produce it?
And he said, sure.
So he's prepared the run sheet, done the research,
and by the time you hear this, he has edited this podcast. Adam, thank you in advance for that.
You're most welcome, Pat.
So yeah, there's no sponsor interview this week. We're just doing this one for the love of it, for the love, but we're also this hack of the SEC Twitter account where someone put together artwork that looked really official
and perfect language announcing that Bitcoin ETFs were now approved by the SEC.
And I'm like, my God, someone made some serious bank on that.
But unfortunately, the SEC did announce that approval the next day.
So it looks like what happened is someone took over the SEC's account
and just posted the draft tweet that they had ready to go.
And, you know, I'm not too hopeful that they positioned themselves to, you know, really make money out of this.
And I'm really sad because I was so excited last week talking about how finally we saw a good Twitter account take over crime.
And it looks like it wasn't.
You were.
You were so excited.
And your dreams have been crushed now.
I was jazzed. I was jazzed, Adam. You were. You were so excited. And your dreams have been crushed now by this. I was jazzed.
I was jazzed at it.
You were genuinely excited about it.
And we do love a good bit of crime around here at Risky Biz.
But the idea of good crime, because we're kind of connoisseurs, I guess.
We sit on the sidelines of crime and we enjoy the show.
And it was just a very nice story to imagine that someone had done the really smart thing for
once but but no this is infosec we don't do smart things around here we do dumb things and sadly
this was a dumb thing yeah i mean i should have known when the sec said that you know an attacker
obtained control of the account and posted something unauthorized but they didn't say
something incorrect and i'm like oh i should parsed that language a bit more carefully. But yeah, look, I am just very disappointed.
And, you know, last week I joked
that if we were doing, you know, Yelp for crime,
it would be five stars.
I've revised that down.
Look, it's still a solid two and a half
because it did cause a movement in Bitcoin
in the order of two and a half percent.
But, you know, without capitalizing on that,
what's the point? Yeah, that's just every day in Bitcoin otherwise so yeah very sad it was interesting I
think when we were recording last week talking about this we kind of talked about the fact that
both the SEC and Mandian didn't have multi-factor auth on their accounts and it looks like as the
follow-up goes that probably like they probably had multi-factor
but then are a victim of when twitter turned off sms based multi-factor and then just left
everybody who was using sms and wasn't paying them to no mfa welcome to account takeover land
so this is a good reminder that if you were relying on SMS MFA for your shared Twitter account where using OTP was difficult, that A, your MFA is gone, and B, you can enroll multiple pass keys or YubiKeys or whatever else, which gives you an option for shared accounts.
So one to think about if you're in charge of a high-profile account.
Which you would think Mandiant would have done, to be honest. I mean, you would hope so, yes. But hey, I mean, sometimes these things can slip under the radar
and not everyone lives and breathes Twitter anymore,
which, you know, probably for the best.
I think the SEC would still get SMS MFA.
Probably.
As a sort of recognised by Twitter organisation.
But I don't think that really would have helped in this case,
considering it looks like it was a SIM swap
that got the account in the first place
so they would have been able to get those OTP codes.
Yes, exactly.
You know, all in all, I'm very disappointed.
It's like finding out Santa Claus isn't real or something.
I'm just crushed.
I'm very sorry.
I apologise on behalf of the internet to you
for this poor quality crime.
Got it, got it.
All right, moving moving on let's talk
a little bit about airdrop uh in china because this is a story that's been unfolding for a while
i've seen a couple other write-ups dan gooden's got one here and we thought you know it's a light
enough week that we can actually finally talk about this one so airdrop has been used in China as a means of distributing, you know, pamphlets, basically.
Pamphlets or videos or content that the Chinese internet won't let you distribute.
Let's put it that way, right?
So, you can be on a train, AirDropping political messages to people, and there's no way for the government to get in the way of that process. So back in 2022, Apple made a change to AirDrop where in China,
where you could only allow it to accept AirDrops from everyone for a period of 10 minutes before
it would go back to the contacts only setting. So a lot of people have interpreted this as
Apple giving a concession to the Chinese government who clearly want to stop this thing.
But now there's a further development to this story
because it looks like people are still using AirDrop
to send Winnie the Pooh memes targeting Xi and whatever.
So now it looks like the Chinese government
is actually using rainbow tables
to de-anonymize people who are AirDropping on the subway and whatnot
so they can chase them down and send them to re-education camps
to be filled with the correct Xi thoughts.
This is a very, very interesting situation and story,
the whole thing.
What do you make of all of this, Adam?
Yeah, it certainly is interesting.
And the details of how it works is,
we had understood how it worked a while ago.
There was some researchers, I think, from TU Darmstadt
that had dug into this protocol.
And essentially, Apple had invented their own mechanisms for privacy-preserving announcements of AirDrop capability and then carrying on through the AirDrop process.
And designing those kinds of protocols well is difficult. The net result is that essentially a SHA-256 of your phone number
or your iCloud account email address is used in that process. And if you're China, it's pretty
straightforward to SHA-256 every phone number in the country because you just pick a number range
and that's straightforward to do. And then for email addresses, if you know everybody's email
addresses in the country, which they kind of do, then building a rainbow table to do that lookup,
relatively straightforward. So it gives you a mechanism to either over the air sniff,
or, and this one is perhaps the more interesting one, recover from the logs after the fact,
the hashes that are used in the announcing process, and then use that to de-anonymise recipients.
So if someone who is a Communist Party flunky receives a Winnie the Pooh meme on the train,
they can then go back to the office, submit their logs, get them de-anonymised and re-educate
some people.
So it's an interesting kind of combination of factors that perhaps is kind of unique to China and unique to AirDrop, but
seeing non-centralized communications mechanisms pop up in these really tightly controlled places
is a thing we've seen elsewhere. Yeah, I mean, one thing that I think you're missing, though,
on why Apple wouldn't make this ironclad anonymous is, I mean, you know, and we've all
got to weigh equities, right,
when developing technology, but d*** pics.
I'm just going to say it straight up.
Like if you had completely anonymous airdrop
that couldn't be tied back to you, you know,
you would be seeing a proliferation of junk shots
along the lines of which the world has never seen, right?
So that's one issue where I think, you know,
perhaps this is a reason Apple has added some logging here, right?
Yeah, like the trade-offs between perverts
and, you know, national security interests
and revolutionaries or whatever.
Yeah, it's a hard set of trade-offs to maintain, that's for sure.
Yeah, no, it really is.
And, you know, you just alluded to this
being something that has happened before.
And indeed, back in 2014, when there were widespread protests in Hong Kong,
and a lot of people would have forgotten this,
there was a similar thing that happened where protesters were using an app called FireChat.
And it was a Bluetooth app, kind of like AirDrop,
which would allow you to form a type of mesh network, right?
And this is how they were
getting around censorship back then. You know, eventually, of course, I believe, like, this is
just from memory, I believe what happened is, you know, the Chinese deployed rubber hose attacks,
right, where they could just get someone's phone, rubber hose them into getting the password, you
know, just beat them with a rubber hose for those people who don't get the reference, and then sort
of infiltrate, you know, chat rooms and groups and whatnot the the usual way this is done and of course you know
flash forward 10 years and the Chinese government controls the app stores it essentially controls
the platforms there's no way even if even if you know fire chat was a app that still existed I'm
not sure if it does but there would be no way for a Chinese consumer to install that on their device.
So one thing I find really interesting about this is you've got this native functionality built into an iPhone that people are repurposing to distribute political material.
And then you've got pressure being exerted on the vendor, in this case Apple, to make that less useful.
And you've got teams of presumably MSS people on the subway with antennas trying to figure in
rainbow tables trying to figure out who's who's trying to disseminate this stuff the whole thing
is very very very cyberpunk yeah it really is dystopian future science fiction you know made
flesh which the cypherpunk you know 90s kid in me is kind of like wow that's pretty cool
but it turns out actually it's not that cool so how we grow up
right yeah yeah that's right and it is just uh wild that um you know i mean can you imagine
something like that happening in the west like it's just inconceivable that you would have teams
of people on trains with antennas and rainbow tables trying to identify people sending political
messages you know like all of those things that we
are ultra paranoid about well you know when we were young hacklings as you would say um you know
all those things that you are ultra paranoid about the the state in the west doing is what's happening
in china and this is just a perfect encapsulation of that i did think like on that on that note one
of my first exposures to the way chinese online culture dealt with the censorship of like using code words, of using metaphor and euphemisms and jokes and poetry and things, which we made fun of back in like KiwiCon 7, I think, in the artwork and the logo.
Now, when you watch TikTok and you see Western kids having to talk about, you know, sex education using code words because of, you because of Chinese online censorship in the platform.
It's just a weird sort of conjunction of the things
that happened in China online eventually come to us.
It just takes a few years.
Well, they came to us because that's a Chinese company.
Yes, exactly, yeah.
Exactly what you're talking about.
Like with TikTok, you will never hear anyone say killed or shot.
It's always unalived or, you know, there's all this euphemistic language that people on TikTok have to use. Because, you know, if you
say killed, oh, that sets off the violence flag because some, you know, auto transcript bot has
flagged that word as like, don't boost those videos. It's so crazy. But yeah, that's a good
point. Now, staying with China and Vault Typhoon, which is the big scary APT group that was doing stuff around Guam that has senior attacks against infrastructure that would be, you know, lent on in a conflict
in the South China Sea or a conflict around Taiwan.
Yeah, they have been going somewhat berserk
owning a category of Cisco devices
and it's like they've got like a third of them.
They got shells on like a third of them out there.
These are just like what little routers or whatnot.
Like walk us through this one anyway yeah so this is the cisco rv 320 and 325 devices which are
smallish routers and relatively like not quite end of life but like i don't think cisco will
sell you them anymore they're still supported uh for a few more years or at least like a couple
of years maybe um and there's some bugs that you know just
haven't really had widely deployed patching that lead to code exec and we've seen vault typhoon
out there as you said a fully a third of the devices on the internet appear to have been hacked
and people have spotted that once devices are kind of part of this network they end up being
used as a you know as a relay network for those hackers to move onwards towards their target.
So an orb or a relay proxy network.
A jump box, if you will.
A jump box, yes, but like a big mesh of them.
And where these devices exist on the internet
tend to be places that probably don't have
super great security monitoring
because kind of old, not particularly well-patched devices, devices well connected but otherwise you know they can do what they like from there so
it's a really great place for living off the land types to kind of bounce onwards and into their
targets so good work china unfortunately yeah we did get an email from a listener on this one saying
oh why are you getting shout you know because catalan wrote this up in the risky business
newsletter a few days ago and you know why are you getting shouty? You know, because Catalan wrote this up in the Risky Business newsletter a few days ago.
And, you know, why are you getting mad at Cisco?
These things, they stopped selling them in 2019.
I mean, you know, a device like this
should last a long time, right?
If you sell it in 2019,
I'm surprised they're cutting support for it in 2025.
It looks like January next year
is when, you know, security patches and stuff for this end.
But, you know, not that it makes much of a difference anyway
because no one seems to patch them.
This is bringing us back to the big theme of the week,
which is, I mean, we're about to talk about a whole bunch of vulns
in enterprise stuff.
And I think it's really time that we start exerting pressure on vendors.
And I mean, by we, I mean governments start exerting pressure on vendors
to make things to the fullest extent possible, self-patching. And if vendors come back and say,
oh, well, that's just too hard. Well, it's not really. I mean, it is 2024. I mean, I understand
that it's complicated because of the way you've built your products now, but maybe we need to
start building them in a different way so that they can be patched by the vendor instead of relying on users to patch them because users never do no and like i think this week's episode really made clear to me
when i was putting together the run sheet the extent to which just patch is no longer good enough
both the speed of patching the complexity of patching the complexity of managing the data
about what needs to be patched and so on. But also just like the lack of exploit mitigation tech,
like we're still seeing stuff that gets exploited
that would be fine if you had compiled it with modern options and things.
So there's a bunch of, you know, hardening and things
that will make stuff more resilient that we've started the CISAs
pushing for in their requirements for vendors and so on.
But, you know, patching really not
enough anymore. And the next story just exemplifies exactly why that is.
Well, just before we jump into that, I mean, the other thing that we could consider doing,
and this is crazy that we're saying this in 2024 is like firewalling, Adam, maybe?
Sticking some of this stuff behind a firewall might save us a bit of drama. But of course,
you can't put your VPN concentrator
behind a firewall because then no one can use it.
So if you're an Avanti Connect secure user,
you're in a bit of strife at the moment
and that's the one that you were just alluding to then.
Ah, yes.
Firewalls may be grandpa's protection,
but damn, it would be nice
to not have your Avanti boxes on the internet. So there is a couple of zero days in Avanti Connect Secure VPN,
which is what used to be Pulse Secure, so like great, great brand there.
And these are being used by some manner of Chinese spooky crowd,
probably starting in December.
The bugs are not yet patched Avanti are still working on they're
still like in some cases you know a few days to a couple of weeks depending on which particular
software version away from patching them but they are already out there being bulk compromised
Vilexity is one of the research crews that have been keeping an eye on it and they said that so they've
developed a scanner that can kind of look for signs of compromise remotely they said 1700 devices
already been compromised and probably if you haven't it's like it's not even if you haven't
patched like if you haven't applied the you know weird looking creaky workaround xml file
that avanti has published on its blog
and has not described very well
what it might do to your systems.
If you didn't apply that, you're probably
already hacked by Chinese.
Well, I mean, you know, at least it's not ransomware.
I mean, it's probably
going to be ransomware soon.
Yeah. Well, I mean, not if it's
a Chinese APT.
I'm trying to be APT crew, hopefully. So, Vilex would say they are now...
I'm trying to be glass half full, man.
Well, I'm afraid that it really isn't.
Like, this glass is bottomed out.
Look, and these are not to be confused with the Avanti, like,
endpoint secure device manager thing that we spoke about last week
with the, you know, that was some sort of weird database bug.
But, you know, we're talking about an authentication bypass volume right with
a cvss of 8.2 and there's a command ejection volume with like 9.1 and you and i know anything
over a 7 is pretty much like yes so i think in this case you can chain the two together so like
one's with bypass one's authenticated code exec you're chaining together you've got good times
yeah so it's it's a nasty bug and avanti's blog posts are super unclear about the specifics
of how you're supposed to work around it like you have to go past a login wall to even read
the details of the workaround if only you needed to have to go around a login wall to
exploit this vulnerability putting the login wall in the wrong place yes and avanti also has been downplaying the severity
they've said i logged tens of customers 20 customers something like that uh which as far
as we can tell was based on velexity so velexity came up with a fingerprinting technique which they
ran across the internet found 20 or so communicated with avanti about it then subsequently they
developed a new one which has now shown now shown a much more widespread impact,
but Avanti hasn't really updated their comms to reflect the fact
that everybody's getting owned if you've got this stuff on the network
and you can't patch it, so bad times all round.
Yeah, I mean, no one can see this, but I'm doing the two thumbs up.
Yeah.
Hey, that's fantastic. But hey, look, look, look doing the two thumbs up. That's fantastic.
But hey, look, look, look.
This doesn't affect everyone.
Not everyone runs Avanti.
There's plenty of Citrix shops out there too,
and they're fine, right?
Right?
We're through this disastrous thing that happened a few months ago, right?
That's done.
That's done and dusted.
The ransomware Armageddon ushered in by those bugs
you know there's surely not more bugs like that in in you know netscaler adc and netscaler gateway
yes yes you forget we are talking about citrix the thing that just keeps on giving so much
complexity so there's a couple more code exec bugs uh in citrix these are at least management
interface bugs so hopefully you don't have. These are at least management interface bugs.
So hopefully you don't have your Citrix Netscaler
management interface on the internet,
or at least if you did,
you were already rolling incident response
from the last 27 different bugs.
So, you know, that's maybe a mitigating factor
already responding.
But look, look, look,
let's not get bogged down into details here
because there's just, you know,
as you said, there's so many this week, right? Like it's like everyone was waiting till this week in January just to dump patches. And we got another one here from VMware that looks pretty bad. By the way, I saw some posts on social media going past that VMware is killing off the free version of ESX. So end of an era. I honestly think the free version of ESX back in the day is one of the reasons VMware succeeded as a company because just everybody was using it right um yeah absolutely yeah there's a 9.9 CVSS bug in what is
it uh VMware ARIA automation yeah so that's their like orchestrator product for managing your VMs
but yeah this is a straight up as far as it looks like code exec i've never heard this before it's a missing access
control vulnerability it's one way to put it details of this bug are super thin vm whereas
advisories are even worse than usual like there is zero detail in there so who even knows but if
you have one of those things and bad people can reach it then you should assume 9.9 means you
probably got shelled so yeah good time and course, we've got the usual smattering
of Atlassian bugs.
There's a new Chrome release as well.
Well, when you say usual smattering,
there's like 26 Atlassian Confluence bugs
and a bunch of them are remote code exec,
unauth remote code exec.
One of them I think was a CVSS 10 out of 10.
They're rare.
It's like a unicorn.
And in the data center product,
and like it's, yeah,
if you run Confluence and bad people can reach it,
you are used to having a bad time, but you're having a bad time yet again.
So it's business as usual, but faster and more.
Yes, more and faster.
That's how we do it.
And we got a new Chrome release as well.
And there's also a bug.
There's like a cross-platform ODE in Opera as well.
Yeah, yeah.
I mean, the Chrome one was being exploited in the wild,
but it's just everyday Chrome bugs.
Yep.
The Opera one is actually interesting
because it's a bug in Opera's own browser extension
because Opera is just Chromium underneath.
They ship a bunch of browser extensions.
Well, they ship a browser extension,
which does a bunch of browser extensions well they ship a browser extension which does a
bunch of magic opera stuff and that extension trusts opera's websites to be good and opera's
websites have xss bugs in them and bad things so you can turn that into in this case arb file read
and write and code exec uh in opera so well that'll get her done yes yeah so it's a little fiddly to actually exploit
but like you have to have a malicious browser extension to to do it but still but that's why
i don't run opera is that you know because it doesn't have that massive install base and all
of that qa i don't know and and they're trying to compete on having whiz-bang new features as opposed to solid engineering.
So at least Opera appear to have been very good to deal with.
The person who found this bug said nice things about them in the disclosure timeline.
Unlike the next bug where the disclosure timeline
is just the stuff of nightmares.
Glacial.
Well, not only glacial, but, oh boy.
Well, tell us about this.
What is Pixie Fail?
So this is a bunch of research into network stack bugs
in early boot firmware.
So EFI IPv6 bugs, basically.
So if you can talk network to a machine while it's booting,
you can lead onwards to, I mean, a bunch of impacts.
There's code exec, there's other good stuff um and that's like that's just solid research it's good
work um the thing about this particular advisory though is trying to coordinate a bug in uh in
early boot software so like this is made by tiano core which is a consortium that manufactures early boot EFI firmware,
which is then used by AMD and Intel and Inside and Phoenix and Microsoft
and everybody who wants to build a modern BIOS.
And this disclosure timeline has stuff like they report it to TianoCore
and they say, well, why don't you write your own damn patches if you're so smart?
Which, okay, that's not normally how this process works normally you fix your own software and we find bugs in it and then they argue the toss about uh like one of the bugs is tcp sequence
number prediction like it's the year 1995 and they came back and said well this is not a real bug
because like no one would ever do this and And the researchers responded with, here are, you know,
40 years of articles about TCP sequence number bugs
going back to Mitnick jacking, you know, Shimomura.
And same with there was a random number prediction bug.
And they said, well, this would never happen.
It's like, here is all of the research where things have been hacked
by predictable random number generators and so on and so on and so on.
Yeah, so when I scrolled it earlier, I thought it was just really long
and now I realise it wasn't actually that slow.
It was August last year.
I didn't look at the dates, but it is a wild scroll.
So painful and those researchers have the patience of saints
for dealing with a vendor or some group of vendors like that.
So yes, hats off to you, sirs.
Well, look, that's our little wrap of the bugs,
which again, you know, we don't normally spend a good 10 minutes
talking about bugs, but we're getting to a point.
And the point really is what you said earlier,
which is that this is no longer a problem
that anyone can expect to manage
just by adopting an ethos of,
we'll patch bugs when they come in
because we know what we're running.
Like, forget it.
Yeah, I mean, I agree completely.
Like the fact that we've got vendors communicating
so badly around what needs to be patched, where we've got vendors communicating so badly
around what needs to be patched,
where we've got things that are like pre-patch workarounds
that are not patches,
along with all the problems we already had with patching,
it's just really hard.
And doing it fast enough to beat large-scale crime
or to beat large-scale intelligence operations and things,
like it's, you know, patching has passed its prime.
We're still going to do it, but it's you know patching has passed its prime we're not going to do it but it's not enough no but then the question becomes well what then and i'm
and i'm thinking it's going to be a bunch of things to sort of compensate for the fact that
you're always running uh vulnerable stuff a lot of that's going to be around sort of decent
detection uh you know protecting the crown jewels uh as they say, you know, knowing where to put your
access, trying to prioritize the worst of the bugs and develop a patching program that can be
responsive when big things kick off and maybe trying to do, you know, as much as possible,
limit network access to stuff that's likely to have all those CVSS 9.9s in them.
Yeah, I mean, defense in depth would get you a long way,
good quality logging and the ability to be able to triage
what's happened after the fact, full-tech network logging,
DNS logging, like things that we've got many of the pieces
that we need to do a reasonable holistic job,
but we have not been particularly good at that.
And those capabilities are hard, right?
They do require attention and money and engineering time and resources.
And, you know, the fact that ransomware has kind of taken the luxury
of bugs taking time away from us, right?
You know, ransomware moves super quickly.
Those crime crews are incentivized to move fast.
And, you know, even if move fast and you know even if
we could you know wave a magic wand and make ransomware go away like even if we said okay
you can't use cryptocurrency we come up with some amazing way to prevent you using cryptocurrency
for ransoms we'd still have all the spookery and all the people who would be using bugs for other
reasons out there people don't care about that because a board can say you know a cso can say
to a board,
oh, well, look,
it was a very sophisticated operation
by the People's Republic of China.
We didn't stand a chance, right?
That is fine.
They get tick, tick, tick.
No worries.
Off you go.
Here's your bonus, right?
Whereas our entire operations are down
because we got ransomwared.
You know, it's a different,
it's a completely different paradigm
in my view.
Yeah, although there are some places
where that threat model, right, of being worried about nation-state i mean think about you know
microsoft 365 off you know off pipeline having their signing keys taken or octa or you know
there are some places in internet infrastructure where you do need to credibly be able to defend
against spookery there is good news here which is the bugs that we're talking about,
the ones that really stress people out,
aren't the ones that are typically present
on your Windows network.
That's true.
That's an area where we've actually
got things under control.
Now, if you've got attackers in your Cisco devices
deep in your enterprise,
you know, that's bad,
but you can actually set things up
to the point that once they go after your Windows network,
you're going to pick them up pretty quick
and be able to evict, right?
So that leaves the really risky stuff
is going to be the stuff that is network connected
and vulnerable and contains data.
So you've got your Confluence is an example of that.
Payroll system sitting out at
the edge of your network, your file transfer appliances and whatnot. And then I guess, you
know, your stuff that's joined to your Windows network that does authentication to your Windows
network. So that's your VPN concentrators and your Citrix stuff. But, you know, so I guess what I'm
getting at is like, it's also important not to catastrophize, right? Like I think we need to recognize that comprehensive patching
is just a pipe dream at this point, but we can also –
we should also be able to structure things in a way
such that we can live with this.
Yeah, but I think to go back to what you said,
firewalling goes a long way, right?
We've got a bunch of old techniques
that are still very applicable
that we can use to reduce the attack surface.
And it requires a bit of more holistic thinking
around reducing attack surface,
around reducing the value of stolen credentials,
about being able to leverage the detection
and logging that we already have in smart ways.
We as an industry have come a long way.
The fact that modern Windows is more defensible
than it used to be is great work,
but that network perimeter has just been such a nightmare
over the last 18 months,
and it's hard not to look at that
and just throw your hands in the air.
I mean, we've seen zero networks do some interesting stuff
around gluing dynamic firewalling to SSO.
You do an SSO login and then it opens a port to their VPN product.
But I know there's other people who are working on just the firewall plumbing bit, right?
So you can SSO and then get a port to your existing VPN
or your existing payroll system or your Confluence or your whatever.
So this is a way like you know thinking
beyond vpns like it's a vpn for your vpn i don't know what do you even call this like is this a
sign of progress when you're putting everything behind sso i don't know but i think i think it's
going to be an interesting year because the other big driver you know the other big trend that we've
seen is that finally now when these bugs are disclosed,
they are being weaponized very quickly by APT groups and ransomware groups.
And we've always said, like 15 years ago,
vendors used to put that in their decks.
Oh, we see rapid turnaround.
It kind of wasn't true, right?
You might have seen like one or two attacks,
but now it's being turned around and weaponized at mass scale
to do an awful lot of damage.
And I think that's going to drive some change this year.
Yeah, I mean, I think that has already driven a bunch of change,
not just in vendor marketing slide decks, but responding to ransomware
and defending against the mechanisms that work for ransomware crews
does work for other adversaries as well, right?
I mean, it helps the whole thing.
And in a few years, when we look back and all the horrible bits of ransomware are kind of long enough past you know the hospitals and water
systems and whatever else you know we will realize that it provided a lot of impetus that we really
needed but right now it's like lulz sec back in the day causing an investment boom in web application
security you know what i mean like this is a reactive industry where investment tends
to lag behind what attackers are doing and ransomware has really done more to move the
needle than anything else that i can think of in my entire career yeah sad but very true now adam
we're going to move on to this next story which you found it's a it's a blog post from trail of
bits which uh disclosure they are a sponsor of the Risky Biz podcast. They sponsor a couple episodes every year.
But yeah, they've done a blog post here
about some research they've done into GPU platforms
and what the implications of this research are
for large language models
and ML number crunching and whatnot.
You found this one interesting.
Tell me why.
Yeah, this is an interesting technique
for stealing data from other users of the gpu on the same system and it's not a like flashy amazing technique
like it's really it's one of those like it's done but it works things where you write a gpu program
that just dumps out uninitialized memory and of course modern gpus have quite a lot of memory and
if you can get the contents of that out then you're going to find you know leftovers from the previous user of the GPU and if that is a thing that is meant to be
secret or contains some other proprietary data so one of the examples they use is large language
models where if you are sharing GPU with private data you might be able to leak it out and onwards
from there and because the technique is so straightforward, it's kind of applicable broadly across all of the GPU vendors.
But I mean, would we ever expect GPUs to be able to maintain some sort of separation and
confidentiality? Like, is that an expectation that we have of them?
Well, I would say no. I think it's an expectation that we are starting to have and in much the same way
that like DRM on media content was meant to stop you accessing data that's on your own computer
you know video playback and things so like that arms race for how to protect data on somebody
else's computer is you know difficult and largely lost the concern would be if this was applicable in other shared computing environments. So
like top tier cloud operators like Amazon or Microsoft or whatever, like they have pretty
robust separation between users of GPUs, but there are many much cheaper, you know, like GPU
cloud things where people can like contribute their home gaming GPU in their spare time and
in some money kind of thing where those segregations might be less good
or less viable.
But overall, we are moving into a world
where proprietary knowledge inside GPU,
machine learning models is a thing
that people are expecting to protect
and the hardware is not really at the moment up for that.
And that's why this research is interesting.
Yep, yep. A link to that one is in the show notes now let's talk about a botnet comprised of 172,000
smart tvs adam uh catalan wrote this one up for risky biz news yes uh so this is a botnet that
seems to be run by some like uh either port Spanish speaking kids. I'm going to assume that they're Brazilian pirates.
They're Brazilian.
It's going to be Brazilians.
So this is, yeah, they've been providing like backdoor or Trojans piracy applications for TVs and set-top boxes,
both Android ones and ECOS embedded system ones.
And then these have been kind of lashed together into a giant DDoS botnet some numbers
say you know 170-ish thousand devices we've seen numbers that are even higher than that
and botnet that size pretty legitimately useful and doing that through backdoored firmware images
and malicious apps for tv devices that's some you know that's some hard yakka right there.
So hats off to the Brazilian TV pirating kids
because good work.
I mean, this is a Rome wasn't built in a day sort of situation.
Because you look at it and how they built it
and you're like, wow, you really put in the hours.
Yeah, that's a lot of forum posts
and a lot of trying to make sure your torrents get to the top of the list
and it's hard work.
Imagine if they actually put that effort into doing something more productive. and a lot of trying to make sure your torrents get to the top of the list and, like, it's hard work. So, yeah.
Imagine if they actually put that effort into doing something more productive.
And, I mean, there'd be some pretty big DDoS
they could throw out of that many TV devices too
if they decide to go, you know, use that for fun.
Yeah, and they're probably relegated to renting it for 50 bucks an hour.
Probably, yeah.
Like, it's just such a, you know, I've said it before,
it's like loser crime, right?
Yeah, all of that work and all you're going to do
is DOS some Minecraft server kids, so yeah.
But see, you know, this is us again being disappointed
in people not being good enough criminals.
Yeah, we want only like top shelf crime.
We don't want to see no bargain basement, you know,
Minecraft DOSing crime.
Yeah, yeah.
Now, this is like, I mean, this is kind of medium level crime.
This is a late addition to the show.
It's just turned into big news here in Australia.
There's been a pretty widespread cred stuffing campaign targeting a bunch of, you know, household brands in Australia.
So Dan Murphy's, which is our big, you know, bottle store, you know, what are the Americans?
Liquor store.
Liquor store.
That's what Americans call it.
We call them bottle shops. But yeah, Dan Murphy's event cinemas
and like a chain of Mexican restaurants,
which are terrible by the way, Guzman y Gomez.
And it looks like what they've been doing
is cred stuffing into them.
And then if people have got their credit cards saved to file,
they've been like getting gift cards
and like free burritos and stuff.
But the losses have really added up
and it's got to the point where, you know know the prime minister has weighed in and stuff so 2024 the
year of cyber adam presumably because someone got into the dan murphy's account and ordered a whole
bunch of booze and now people are sad about their about their lack of booze but yeah it's a great
example of like a dumb thing that works going and turning cred stuffing into gift cards and money
i mean i can't imagine the returns are great,
selling Dan Murphy gift cards on forums somewhere, but...
I don't know, man.
It's grog, right?
It's true.
Are you going to pay 50 cents in the dollar
for a Dan Murphy's gift card that's going to let you buy that?
That's true.
I would pay more than that then for a Guzman Gomez, so yeah.
Yes, yes, indeed.
Bad burritos, just generally not a great uh not a great don't buy cheap internet
knockoff burritos that's that's what we're getting from that's right that's right now adam we're
going to finish up here with this story uh the write-ups from james reddick at the record but
it's a story about a report from the united nations into casinos in southeast asia that have
become increasingly involved in online crime and money laundering
and whatnot. And this sort of dovetails with all of that coverage we've seen recently about the
pig butchering operations in like the lawless regions of Myanmar. Like this is just, you know,
and we spoke about that, I think last week, where it's just wild, wild, wild stuff when you've got
militias taking control of territory to shut down pig butchering operations.
And now, you know, this looks at the money side of it
and it's an incredible read.
Yeah, yeah, it really is.
And I think, you know, listeners who've been following us
for a while will realise that we've gradually become aware
of this, you know, kind of set of operations and scams
and things that go on in the region.
And, you know, people will have seen us become sort of amazed
and wide-eyed about quite how wild some of this stuff is.
So there were a bunch of casinos in this region
kind of pre-COVID,
and they were mostly targeting physical tourists
from China or from wherever else in the region.
And with COVID, they had to kind of pivot
to find a new way to make money.
And online crime and online gambling and money laundering
through their gambling operations all kind of dovetailed together.
And then that's joined up with the human trafficking aspects
and the pig butchering and so on.
And it's much bigger than I think I realised.
And the level of impact on people's lives and so on.
And the problems in
the region are so intertwined i mean the the lack of stability in the government in myanmar for
example makes a bunch of these things possible and then china's influence and this you know it's
such a complicated region with complicated problems and then seeing it kind of spill out
into the rest of the online world lawlessness
combined with a population that is you know very literate when it comes to computers yes this is
kind of what you get right and what's wild here is some of these casinos they're ephemeral right
because there's all these tools now that let you set up your own casino pretty much immediately
you can white label your casino from another casino.
Yeah, casino is a service.
Like, it's wild.
It is absolutely incredible.
So we've linked through to the record report on that one in this week's show notes.
So that's the rabbit hole that we can send you down this week.
Well, Adam, mate, that's actually it for the show this week.
Thank you so much for doing the production on the episode,
the run sheet preparation, the research and the editing.
Really appreciate that, mate,
and I'll look forward to chatting to you again next week.
Thanks so much, Pat.
I will see you then too. Thank you.