Risky Business - Risky Business #734 -- The number of hacked Microsoft 365 customers is skyrocketing
Episode Date: January 30, 2024

In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about:

More details on sanctioned Medibank hacker Aleksandr Ermakov...
More details on alleged Scattered Spider hacker Noah Michael Urban
RUMINT that the number of Microsoft customers impacted by the SVR OAuth/365 campaign is huge
Ron Wyden did something useful…
…then did something stupid
Ivanti’s clown car collides with dumpster fire
Much, much more

This week’s feature guest is Australia’s assistant foreign minister (and cybersecurity tragic) Tim Watts. He joins us to talk about why the Australian government sanctioned Aleksandr Ermakov.

Sublime Security founder and CEO Josh Kamdjou is this week’s sponsor guest. He joins us to talk about combating QR-code phishing.

Show notes
Exclusive: US disabled Chinese hacking network targeting critical infrastructure | Reuters
Medibank’s Attacker: IT Businessman, Claimed Psychologist… | Intel471
Who is Alleged Medibank Hacker Aleksandr Ermakov? – Krebs on Security
Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider – Krebs on Security
Microsoft says Russian hackers also targeted other organizations | TechCrunch
HPE hit by a monthslong cyberattack on its cloud-based email | Cybersecurity Dive
Microsoft's Dangerous Addiction To Security Revenue | LinkedIn
Microsoft critics accuse the firm of ‘negligence’ in latest breach | CyberScoop
N.S.A. Buys Americans’ Internet Data Without Warrants, Letter Says - The New York Times
Trading platform EquiLend down following cyberattack | Cybersecurity Dive
Ivanti Connect Secure zero-day patches delayed | Cybersecurity Dive
Popular CI/CD tool Jenkins discloses critical CVE | Cybersecurity Dive
MOVEit liabilities mount for Progress Software | Cybersecurity Dive
Tim Watts bio: Pennywise - Down Under [Men at Work Cover] - YouTube
Transcript
Hi everyone and welcome to Risky Business. My name's Patrick Gray. We will of course
be checking in with Adam Boileau in just a moment to talk through the week's security
news and we have another feature guest this week, Tim Watts. He is Australia's Assistant
Foreign Minister and Tim was the driving force behind the sanctions levelled at Alexander
Ermakov over his involvement in the Medibank Australia hack. Tim will be joining us a little bit later on to answer some questions on that.
This week's show is brought to you by Sublime Security.
They make an email security product for people who want to do things like add custom detection rules.
So it's just like less of a black box compared to the big email security providers.
There is a free version that actually does a lot of cool stuff.
It's a free version that's actually worth deploying.
So there's that.
And its founder, Sublime's founder, Josh Kamdjou,
is this week's sponsor guest,
and he'll be walking us through last year's QR code phishing epidemic
and how Sublime responded to that,
which is actually quite interesting, and that is coming up later.
But first up, of course, it is time for a check of the week's security news with Adam Boileau.
G'day, Adam.
G'day, Pat. How's it going?
Adam, I am great, and I'm doing better than whoever is behind the Volt Typhoon campaign,
which is the Chinese APT campaign that's got the Americans very, very nervous,
because they had their little botnet taken away from them, apparently,
according to this report from Reuters, at least.
Yes, they were operating a couple of botnets,
one made out of IoT gear and network edge equipment
that they were using for proxying their onwards connections
through getting geographically close to whatever they were targeting.
And yes, it looks like the US government decided
that botnet wasn't a thing that they liked,
and they got themselves a court order or something
to go ahead and shut that down or impair it somehow.
The specifics of exactly what they did to it, we haven't seen details of, but it is no longer.
What exactly did you do?
We imposed cost.
Okay, thank you very much.
Yeah, exactly. Like, yeah, it's not quite clear, but clearly the Volt Typhoon thing has been getting a lot of attention from the US Gov,
both in terms of the, you know,
the attention being paid to its technical operations,
but also kind of what it means
in terms of that larger conflict,
because, you know, they are a bit worried
about some of the things that it has been used for.
Yeah, no, I mean, this one certainly,
I can't really recall too many other cases
where the government, you know,
where a government has been sort of this public
about being this concerned, right?
So when I recorded the podcast
at the NSA Cybersecurity Collaboration Center,
you know, we just heard them talking about that as well.
And, you know, when I talk to other journalists
who are based in the United States
who cover this sort of stuff,
they all get the same vibe,
which is that this is a worrying thing.
And I think it's really because the US government has assessed the intent behind these intrusions is pre-positioning for disruptive operations that might have military consequences. So, you know, I'm not all that surprised to see the US government taking action against this group, but I am kind of surprised they're talking about it, to be honest.
Yeah, we don't normally see this stuff telegraphed so clearly.
Like normally it's pretty cloak and dagger.
We don't see the kind of, you know, bot wars and turf wars
and people are emming each other's stuff.
You know, it's not like IRC in the 90s
when, you know, nation states are, you know,
tending to each other's, you know, concerning bits of cyber.
But this one is a bit more public and, you know, we're all about signalling because that's all we've got in this industry.
And yeah, it's hard not to interpret this as a deliberate,
we see you, we're doing this, this is us responding to you,
this is a signal of the sorts of things that we're going to be doing
next time that you run up a network of orbs and stick them in our face.
Well, and I think also there's a practical implication here,
which is by using such a decent pool of orbs,
you make detection harder,
especially when this is a crew that's known to use
living off the land techniques and whatever,
and now they're coming in from residential IPs and whatever.
So I don't know, this should make their stealth a little bit difficult,
at least in the short term, right?
You would think until they can rebuild some sort of capability.
Exactly, yes.
You know what would be really handy is net flow traffic
or international traffic coming into residential devices in the US
that you could bounce through.
Hmm, if only someone had that.
Yeah.
Foreshadowing.
We'll get to that in a bit. Now, we've seen a lot of subsequent reporting on Alexander Ermakov, who is the guy who was sanctioned by the Australian government over his role in the Medibank hack. I do have to report something. I am a little bit crushed, Adam, because it turns out that photo that we thought was an ASD trophy shot from his webcam turns out that it was a photo that he'd previously published to his VK profile.
So we were wrong about that, and it's very unfortunate.
It's very sad.
Yeah, it's very sad.
I'm pretty sure ASD still shelled him, like you would think.
Maybe.
Maybe they got the webcam, the real webcam photos, and they're just saving them for the office.
Maybe, yeah.
I am sure that they went in there and had a peek at his webcam,
but they just have not deigned to share that with us yet.
Yeah, well, Intel 471 has a great write-up on this guy.
Yes, yeah.
He's been around for a while,
and people are starting to pull the threads of the kind of stuff
that he was involved in and what he was doing.
We did see a brief kerfuffle about, like, there was another Alexander Ermakov.
Yeah, yeah, apparently there's two Alexander Ermakovs in Russia that are both involved in ransomware, and there is an account that has a reasonable track record of, you know, observing various ransomware actors claiming that the Australian government's got the wrong guy.
It's my feeling, Adam, that if you were to ask
the Australian government about this,
they would say that they wouldn't want to dignify it
with a response.
But it's my feeling also, Adam, it's my vibe,
that if they were to respond, they would say
they got the right guy.
They know this guy very well and sit down.
But that's just a vibe.
I know it's a very specific vibe because, you know,
obviously the Australian government doesn't want to dignify this
with a response.
But, you know, if they were to respond, that's my vibe on how they would respond.
Well, we're all about vibes these days.
I kind of feel like the ASD probably understands, like,
how to deconflict people with the same name.
I think there's a little bit of questioning of ASD
by people who might not understand that they're a competent agency, right?
And there was 80 ASD and AFP people on this.
I don't think that's a mistake they're going to make.
Let's put it that way.
Yeah, especially not when there's that you know, that many government ministers getting up, you know, announcing it.
Like that's, yeah, you're going to get your man
and make sure you get the right man because, you know,
the consequences of getting that wrong are pretty high.
Yeah, but it certainly looks like this guy's been up to his ears
in all sorts of bad stuff for years.
Yeah, he's clearly not a good guy, clearly having a very bad time.
Yeah.
Now, look, one little mention that I made last week,
which it was funny, it was one of those things that someone just told me
and I repeated it as a tip, not thinking, oh, this is actually news,
but it was that guy who got arrested in Florida was Scattered Spider.
And then, of course, cue the people going, are you sure about that?
Because that's kind of big news.
And I'm like, actually, I'm not,
because it was just something that someone who's quite well positioned told me and I just, you know, ran it as a, you know, just floated it, because, you know, not really thinking that it's quite a newsworthy thing. But it looks like that one did actually pan out, right? So Brian Krebs has done a bit of a deep dive on this guy and connected him to a bunch of stuff. He says in his piece that this guy is like a key suspect when it comes to Scattered Spider and Oktapus campaigns, but I don't know that he's necessarily substantiated that completely in his reporting. But certainly this guy is in the mix and, you know, I'm confident that what I said last week was right.
Yeah, like it looks like he was involved with a whole bunch of phone-based, you know, SIM swapping and phone impersonation and things, and also the breach of Twilio, which makes a lot of sense if you're, you know, working in the cell phone and messaging, you know, hacking space. Access to Twilio stuff, definitely useful. And then there is some suggestion in the Krebs piece about a link-up with the LastPass intrusion, which is an interesting tie-in, because that was technically quite interesting but also had aspects that felt kind of Scattered Spider-of-the-Comm-ish in the tradecraft. So certainly there is going to be more to the story as it breaks, and seeing some of the other names,
and of course Krebs has extensive files on everybody,
so has tied together some of this guy's activity in other areas as well.
Apparently he was also particularly into stealing
unreleased music tracks from rap artists,
which is a niche that we can have on the internet these days.
And he was a big player in that particular scene for what it's worth.
But yeah, going after the big casinos, you know,
last pass if that turns out to be the case, you know, this was, you know,
the group has been very significant.
This guy was tied up in all those things.
Then yeah, maybe key player is an accurate kind of thing.
We will see.
Yeah. Yeah. He's definitely in the mix.
It's funny, right? because Brian Krebs and I,
we will generally, like every couple of months,
just have a chat and, you know,
had that chat over the weekend and, you know,
started off talking and he's saying,
oh, you know, this guy,
I feel like I can talk about this conversation
now that he's actually published his piece
because he's saying this guy and I'm like,
oh my God, was I wrong about that?
He's like, no, au contraire.
And walked me through some of this and yeah, crazy, crazy times.
Now, look, this is the biggest story I think that we're going to talk about this week.
And we're in the unusual position where it's the biggest story and people don't quite know that it's the biggest story yet.
We've already spoken on the show about this intrusion by the SVR into Microsoft
where they password sprayed their way into a test tenant
and then managed somehow to pivot that access into all of Microsoft Corp mailbox access
and probably more.
And then we saw an announcement from HPE, I think it was, wasn't it?
Yes.
Hewlett Packard Enterprise got done in a similar way.
But I'm hearing rumours from multiple parties that the number of victims of this particular set of TTPs
is in the triple digits.
So this is apparently a big one.
You know, we've only got a handful of public reports at this point, but this is
a major pantsing that the SVR has managed to pull off here. The more we find out about this,
because Microsoft dropped another blog post after last week's show too, talking about the,
you know, the way that attackers were able to pull this off. And I suppose the infuriating thing here
is that Microsoft is saying,
well, no, there was no exploitation
of a vulnerability in Microsoft's products.
It's like, well, okay, technically that's right.
But this is Microsoft,
unambiguously, unequivocally, it's Microsoft's fault.
And they're trying to pass the buck on this.
But yeah, I guess what I'm getting at
is this story has a long way to go
in terms of playing out.
And it's a mess.
Yeah, I mean, I think at minimum,
the CSRB is going to have fun with this one
because there is a lot to dig into here.
And Microsoft-
How are they going to do two Microsoft incidents in a row?
At the same time, yeah.
It's going to be busy work.
So I guess to start from the beginning,
what we have seen over the last week or so
is some more ideas about how this process went down,
like how you go from single-factor OAuth test tenant in Azure
through to Microsoft corporate email.
And that involves overly permissive grants
to some OAuth applications
that essentially allow you to modify
the directory content. So what used to be called Azure Active Directory is now called Entra ID. Because, I mean, I love modifying my directory through some long-forgotten OAuth app. You probably do too, as does everybody. It's what we do these days. So they got in, they created a new OAuth app, and then used this old OAuth app's access to the directory to kind of grant this new app, which would then let them, you know, go onwards into and impersonate the ownership, or impersonate the role, of a privileged user and use that to get in onwards to the corporate environment. And, you know, provisioning, you know, cloud-based identity and access control is already really difficult, and understanding the implications of some of these things is difficult, and understanding what the defaults are and how they change, also all very difficult. And, like, the fact that Microsoft can't manage this suggests that it's going to be pretty difficult for everybody else.
Yeah.
I mean, we've been kicking the crap out of them for years over this, right?
And, you know, just one example, there wasn't really an effective way to manage user access to OAuth apps in a clicky pointy way.
It was all PowerShell until a few years ago, you know?
And we were really vocal about that, that this is a problem.
And now we're seeing what it looks like
when attackers figure out how this stuff works.
And it ain't pretty.
It ain't pretty.
It's really not.
And using this understanding and this kind of approach,
we are now expecting to see, as you say,
maybe triple digits worth of other people.
But at the very least, we've seen tens.
But the HPE thing looks like the same tradecraft, like get into an Azure account somehow, leverage weak permissions to then modify directory servers and do whatever else to get onwards via OAuth, and so on. So this is going to work elsewhere. Clearly it has worked elsewhere. How widespread that elsewhere is,
is going to be interesting to see
because if it is triple digits,
like that's going to be a really big mess.
Well, and if it is triple digits,
it's kind of, you know, it's inspo, right?
For other people to get involved.
And, you know, at this point, if you're Microsoft,
what do you even do to fix this?
I mean, you know, Alex Stamos has this terrific post up on LinkedIn
where he really gave Microsoft both barrels.
He did, yes.
Because as part of their... he says Microsoft's blog post deserves a nomination to the Cybersecurity Chutzpah Hall of Fame, because Microsoft has recommended that you detect, investigate and remediate identity-based attacks using solutions like Microsoft Entra ID Protection, that you investigate compromised attacks using Microsoft Purview Audit Premium, and enforce on-premises Microsoft Entra Password Protection for Microsoft Active Directory domains. You know, his point is that Microsoft, you know, sells you a tinderbox and then charges you top dollar for a fire extinguisher, you know?
And he's making good points.
He makes a very solid point.
And, you know, like it's one thing to do this in the commercial world,
but doing this to the US government,
because they're so in bed with governments all over the world selling them services. But it's gotten too big, and Alex makes the point that Microsoft selling security as an add-on, as a, you know, a place for them to make money, as opposed to a basic thing it should already do, is going to come back and bite them.
Because they just can't... well, sort of, Adam? And this is actually something that came up when I was in the United States.
I stopped by Johns Hopkins University to have a conversation with Jason Kichter
and speak to some of his students.
And, you know, it was something that came up,
which is that Microsoft kind of has the US government by its you-know-whats, because there's no way for them to migrate to other services. Like, it's just they are the only provider, really. Like, the lock-in is real. So to a degree, you know, you have to think about Microsoft not as a company, not as a typical supplier to the US government, but you have to think of them, in the way that you relate to them if you're the US government, more like dealing with another nation.
You know, you can lobby them,
you can try diplomacy,
you can try various sanctions,
but ultimately, you know, you don't have,
you know, it's not a supplier you can drop. The balance of trade between Microsoft
and the US government, right,
I guess is a thing you have to consider, yes.
Yeah, so it's, you know so it's a real complicated thing.
And we have seen, actually,
we've got a report here from CyberScoop, actually,
about Ron Wyden's office giving Microsoft,
also giving Microsoft both barrels about this.
So there is some political pressure mounting on them.
I think this year is going to be rough for Microsoft
because I think with the new SEC rules
demanding that people file reports
about cybersecurity incidents
if they determine that they're material or whatever,
I think we're going to see a lot of reports
about a lot of O365 oopsies, right?
And that's just going to make Microsoft look bad.
Yeah, I think so.
When you read about some of the ways
they've screwed up their cloud,
I mean, this is obviously a pretty good one,
but they've had a bunch over the last year or so. In some ways it makes you nostalgic for on-prem Active Directory, because at least that moved kind of slowly. Like, we as attackers took years to understand it, but at least, you know, Microsoft couldn't just turn around and add something new behind your back without you understanding what it meant. And, you know, the cloud is very tempting
for them to move quick and break stuff
and for security to be an add-on
when you can hide it.
With the SEC rules
and with attackers understanding it better and faster,
like their ability to hide that shame is restricted.
And, you know, slower product development
with more robust controls is kind
of what we're talking about here, which, you know, is a step back towards the old ways, and honestly it's hard not to feel like we need it.
Yeah, I mean, just even having some privilege auditing tools. You know, God, why should an app continue to have a permission it hasn't used in a year, for example? Or is used in very limited circumstances, why is there no step-up auth on that? Like, just, like, why does BloodHound even exist? Like, why is SpecterOps able to sell you Enterprise BloodHound? Like, this stuff ought to be sensible already. And yeah, you know.
Yeah, so SpecterOps is a sponsor of the podcast. Adam and I recorded a demo with them. I actually had an interview scheduled with them this week, but the person I was going to speak to had to postpone.
But it's, you know, their future looks bright, right?
Like that's, I've been thinking that because, you know,
they've got to pivot to Azure and you're like,
as if you need something like Bloodhound in Azure.
And then you see this and you're like, oh my God,
that's pretty much the only way to approach this
because of the way Microsoft has just repeated all of the same mistakes but made them faster.
Yeah, faster and more prevalent and, you know, right there on the internet for everybody.
So now, look, you know, from Wyden's office being on point to Wyden's office being kind of dumb. They're getting up NSA for buying Team Cymru-style NetFlow data for CTI purposes, to tell when American computers are connecting to foreign APT C2s, which, you know, to me seems like a good thing for NSA to be doing. But this has turned into a panic around NSA buying data on Americans from data brokers, and the New York Times has an absolutely atrocious report up that kind of conflates this with issues around mobile app data.
Just shocking reporting, terrible framing.
We saw a similar...
The reason I mentioned Team Cymru, they're not mentioned in this,
but the reason I mentioned that is because there was some panic story
last year about the same topic.
It's just exasperating, right?
It is, and conflates, you know, things that really do need to be improved, like the extent to which American, you know, privacy is kind of weird, privacy law and mobile app tracking, all those kinds of things, and commercial data brokers selling that kind of stuff, versus this, where it's like, it's 100% in NSA's mission to look for weird-looking traffic from outside the US into the US and vice versa.
And previously they did this by having to stick snoopy boxes,
you know, in internet exchanges and backhaul it off to, you know,
Utah or wherever the data center is and sniff it themselves.
Now they can just buy NetFlow from service providers,
like way cheaper, 100%, you know,
like responsible use of government money
versus having to build that infrastructure
And I bet you there were a lot of meetings to work out what happens to that data once it actually enters the building, how to minimize, like, you know. That's what people, I think, don't quite realize, is like the number of meetings. The number of meetings, right? Like, how can you query this stuff? And I think that's, you know, the NSA tends to be pretty diligent about that stuff. FBI, less so, right?
Which is something we've spoken about in the context of 702.
But, you know, this just strikes me as a ridiculous thing to attack NSA over.
Yeah.
Like this does not, I mean, Wyden's gunpowder could be better used for other things, because
Lord knows there are things that need some Wyden-ing, but this just ain't one.
Yeah.
And it's funny, like I'm sure there are parts of DOD where they have done silly stuff
but, you know,
often you hear about like,
remember when the Air Force
bought a whole bunch of location data
in bulk
and I think it may have,
I can't even remember
so don't yell at me if I'm wrong
but I think it may have like,
you know,
incidentally contained
some location data on Americans
and it was, you know,
controversial.
For whatever reason,
it was controversial
but they were using that mobile data
to like pad out their no strike list,
which I mean, I think that's great, right?
If you can take mobile data and go,
well, there's a lot of people here on a Friday morning,
that's a mosque.
You know what I mean?
I mean, that's useful, isn't it?
Look at the drop-off times here.
That's a kindergarten.
I mean, that's kind of something
you want the Air Force to know, I think.
Anyway.
But, you know, as you said, US law in this area is a mess and they probably do need to regulate it, but not for this reason.
Yes.
Talk to me about Equilend, Adam, because they've been having a rough time.
And who are they?
Because it turns out they're important.
Yeah, so Equilend is like a financial services tech company
in the securities market.
And they move a lot.
I'd never heard of them before this,
but they move a lot of money around.
Like we're talking trillions of dollars a month
worth of securities trades that they are involved in
or execute or I don't know.
But they got themselves what looked like ransomware,
which, you know, obviously not great, but anything with, like, trillion dollars' worth of money and having hackers near it is a pretty bad plan. They've had to turn off a bunch of their services, which has meant that, you know, some of their customers are not meeting regulatory requirements for reporting trades and all sorts of, like, yeah, there's been some reversion to manual processes for some customers for some things. But yeah, it's a mess, but I get the impression it's a mess without being a catastrophe just at this point, given how involved they are in a bunch of stuff. You know, we haven't seen, you know, public impact yet, but it's just anything that's this kind of big, and we've seen, you know, a lot of centralization in providers in some of these areas.
So when a big one goes down,
it can have ripple effects that take a while to figure out.
So yeah, the specifics are very thin.
We don't know exactly.
Yeah, they are.
I don't think they've gone down per se.
I think some services have been impacted
and some customers have been impacted more than others.
But you're right, it's real hard to know.
But it's amazing that this one's kind of just sliding
under the radar a little bit.
So that's one to flag to maybe follow up on next week.
Now let's check in, Adam, with what's happening over at Ivanti.
Because it ain't good.
It's not good, no.
Like, of course, like for those who are catching up,
like their stuff is getting wrecked everywhere.
There's no patches and it's bad.
Yeah, they had said, so there was two bugs
that were like remote code exec that are being actively used in the wild by Volt Typhoon, actually,
and other people.
And they said they were going to have patches out, I think, on the 22nd,
and they still have no patches,
and they have not explained why there are no patches yet.
And it's bad.
Probably by the time they get the patches out,
everybody who was going to get owned has already been owned.
But, yeah, it's just a real mess
and, you know, the impacted products both have the word "Secure", of course: Ivanti Connect Secure and Ivanti Policy Secure. Neither of those things are true. Slow clap for Ivanti. I mean, God.
I mean there are those...
Aren't there some complicated mitigations that don't always work?
It's a mess.
It really is a mess.
And the mitigation advice they gave out was not great.
The US Gov was telling people to do that mitigation advice,
even though it did look a little kind of dodgy.
But, yeah, it's probably just too late.
And the fact that there's still no patches, like not good.
So I guess that's a dump Ivanti call from Adam.
Yes.
Yeah.
Talk to me about Jenkins.
Yes.
So Jenkins is like a open source, I guess like automation,
like code testing automation thing that's very,
very widely used amongst developers and there
is a bug in Jenkins which starts with arbitrary file read, but you can leverage it up into code execution, which is bad. You know, that's normally bad, but Jenkins is involved in software development, so from a supply chain bugs point of view, popping people's Jenkinses is great, and that's bad.
So there are patches available, you should run it,
but the bugs are just real clangers.
Yeah, and the temptation with something like that
is to put it on the internet, right?
So that people can kick off builds from whatever location
and no one's really going to bother protecting something
like that properly, really.
No, network-based protections of VPNs or whatever are very out of fashion these days.
And just bung your Jenkins on the internet, get it shelled is what we do.
Now, last week we spoke about how MOVEit, Progress Software, was doing great.
MOVEit sales are way up.
But we got a bit of a counterpoint here, thanks to Matt Kapko over at Cybersecurity Dive,
who's done a really nice little write-up here about how, you know, it ain't completely peachy for Progress Software on this, because they're facing, like, all sorts of trouble from the government and more than a hundred class action lawsuits.
Yeah, well, you know, not surprising. You know, you get your customers properly owned like that, then, you know, you should expect some recourse. But yeah, we were talking last week about, you know, how good their numbers were looking and how little impact they had faced. You know, turns out, yeah, their SEC filings are a little more grim. The SEC's been asking them all sorts of awkward questions, as has the Federal Trade Commission, and yeah, customers lining up to collect either some money or have their insurance topped up or whatever else.
Matt did note in the story that Progress does seem to have quite a bit of their insurance money left.
So yeah, if you were a MOVEit customer and you want to cash in, then join the queue.
All right, Adam, that is it for the news.
But let's hear from our feature guest now, Tim Watts.
He is Australia's Assistant Foreign Minister.
But while he was in opposition,
he was the Shadow Minister for Cybersecurity. So Tim has a legitimate interest in security
and yeah, he was really looking forward
to being Australia's Cybersecurity Minister
but after his party won the last federal election,
the higher-ups decided he was needed in a different position,
that of Assistant Foreign Minister.
So Clare O'Neil became the Minister for Home Affairs and Cybersecurity,
and Tim went into essentially like a Deputy Foreign Affairs role
under Penny Wong, who was our Foreign Minister.
But, you know, this shift did not stop him
from being interested in cybersecurity,
and he's managed to do some cyber stuff in his new position.
And one of those things was, you know,
he really drove these sanctions against Alexander Ermakov,
the man the Australian government believes,
with a high degree of confidence, was behind the Medibank hack.
Tim Watts joins us now.
So, Tim, thanks for joining us.
And I guess the first question is, you know, I've seen a few people saying,
well, you know, sanctions, why is this guy going to care about sanctions?
What's the point of all of this?
You know, my first question is a real simple one, which is why do this at all?
Well, look, it's a significant step by the
Australian government. This is the first time that we've used our autonomous sanctions in the
cyber domain. And we're trying to send a clear message that there are costs and consequences
for targeting Australia and Australians. And, you know, at the outset, I don't want to miss
the fact that this is a significant effect because this was a really significant incident,
you know, significant in scale. The personal
private health insurance records of more than 9 million people, the majority of which
were published on the dark web, records that include incredibly sensitive information,
records of using abortion services, using drug and alcohol treatment. You know, it's really one of the most egregious incidents that you could imagine.
And we thought it was important as an Australian government, as a normative issue, to send
a message that we're not going to tolerate this.
This is beyond the realms of remotely acceptable behaviour, and we're going to use all the
tools at our disposal to respond.
As you've indicated,
this was announced by three cabinet ministers, the Deputy Prime Minister, the Defence Minister,
the Foreign Minister, and my very good friend, Claire O'Neill, the Cybersecurity Minister.
So that's an indication of the seriousness. So in one sense, we're pulling out all the stops
on an issue of this significance.
Now, like the legal implications of this sanctioning, well, you know, it's a travel ban.
It makes it a criminal offence in Australia to provide assets to Ermakov or to use or deal with his assets, you know, through crypto wallets, making ransom payments.
He doesn't get to travel to Australia or hold property here.
I should also say that's now true in the US and the UK who have taken similar sanctions action. And look,
does that solve all problems? No. But my view is that any signal that you can send, any costs that you can impose that shape the decisions of any of the individuals in this ecosystem help.
If there's any individual young Russian with these skills who is thinking, do I go into
this industry or something more productive to do with my time and think, well, you know,
maybe I want to be able to do something in the US.
Maybe I want to be able to go for a holiday to Australia sometime and maybe I won't make
these choices.
That helps.
You know, it won't deter everyone. But if it stops one person getting into it, that helps.
Yeah, and I'm sure too that his expectation now is that if he steps foot
inside the West, he will be arrested because it's clear
that his identity is known.
Well, law enforcement investigations are continuing
and the Australian Federal Police are continuing to pursue this and pressing charges, issuing arrest warrants.
That's absolutely something that we are continuing to pursue.
There are other, how do you say it, implications beyond the formal legal effect of this sanctions listing.
As you say, publicly identifying
Mr. Ermakov in this way will have impacts as well. You know, it's bad for business.
You know, in the cybercrime world, you know, having associates know that you have been rumbled
and that people know who you are isn't good for business. You know, it seeds paranoia amongst Mr. Ermakov and his associates
about, you know, whether it's safe to work with this individual. So, you know, there are
impacts from this action beyond the formal legal impacts within Australia and within other
countries who have supported this action. Do you think that the, like when you're sitting there
and calculating what you're going to do,
like how much you're going to dox him and out his activities,
like do you expect that outing him and doxing him
is probably the more impactful than the sanctions?
Because like I said, the sanctions may have impact later in life,
but right now when you're in Moscow,
you've got a bunch of cryptocurrency
and everyone now knows you've got it.
That's a pretty dog-eat-dog world. Like, is that a bigger consideration in terms of impact and imposing cost? The way I think about it is there are, there are different impacts in different
spheres, right? So as I was saying before, we very consciously wanted to send a message that the
Medibank Private incident was of a different scale
and of a different seriousness than others that we've confronted. And that as an Australian
government, we wanted to send a very clear message that we see that differently. And that sends a
message to other countries. It sends a normative message about responsible state behaviour in
cyberspace, and that's all important. At that individual level, yes,
I'm sure that being publicly identified in that way
has a bigger impact on individuals.
I can certainly imagine that being possible.
Yeah, so look, just staying with that a little bit,
you know, the effects beyond the sanctions,
you know, what can you tell us about what else
may have been done to this guy?
Because I imagine there would have been opportunities to make his life pretty difficult,
lock him out of some accounts, maybe steal some of his Bitcoin. Like, what can you tell us about
actions that the government has taken against this individual, you know, beyond the sanctions?
Well, anytime you see a press conference with
three cabinet ministers standing in front of it, you know that there are a lot of people
who've been working to make that possible. So responding to the Medibank Private breach,
I can say from within the Australian Signals Directorate was a massive effort. So,
you know, more than 80 staff were involved in this effort, and that's across supporting incident response with Medibank Private.
And I do want to say that Medibank Private was really exemplary
in the way that they worked with the Australian government.
I've actually noticed that government officials have been at pains
to talk about how vital it was that Medibank actually reached out to ASD early on
because that apparently really helped.
Yeah, and we really valued those relationships, and I know that those relationships are really valued at the coalface
by ASD. So we want to really say that, that they were exemplary in the way that they worked with
us. But yeah, more than 80 staff in ASD across incident response, across understanding the
incident and the actors that were involved in it,
and then in disruption and the identification of Ermakov for sanctions listing.
Now, on the disruption front, you know, ASD has a legal remit to counter cybercrime by using offensive cyber capabilities to prevent and disrupt malicious cyber intrusions and attacks.
So they can disrupt offshore cyber criminals
by disabling infrastructure,
by taking actions that disrupt their business models.
And I can say that the Australian government
very much supports that approach.
Our $9.9 billion REDSPICE investment
has tripled ASD's offensive capability
to go about doing that.
Now, in the Medibank Private space,
on the disruption side, working closely with law enforcement, Australian Federal Police
here, as well as international and industry partners, cyber intelligence analysts and
offensive cyber operators at ASD were working around the clock, employing ASD's unique authorities and capabilities, including offshore offensive
cyber capabilities and global intelligence through friends and partners.
So it used its capabilities to access tools and infrastructure used by actors to conduct
the data breach and to disrupt the ability of those actors to sell or to share the stolen
Medibank Private data.
So, impeding the signing down their operations.
The rm -rf shark was released, if I have to read between the lines.
Nom, nom, nom, nom.
You know, and I understand.
I don't fill in the lines, Patrick.
So, I mean, that's what I had to, you know, if I had to guess.
I mean, I'm trying to read between the lines, and that's what I'm saying.
But you can't really tell us, can you,
specific actions that might have been taken against this guy.
No, there's very good reasons why we don't go into specifics on that,
and ASD takes that very seriously.
We want to protect sources and methods, identity of staff,
all of those things, that there are very good reasons not to do that.
But I guess, okay, can you tell me this?
Did he have a bad time?
Look, I can say that we know a lot about Mr. Ermakov.
Okay.
All right, all right.
We'll leave that there.
That's something about time to me.
I mean, you kind of covered this, right,
which is that it was the egregiousness,
it was the seriousness of the Medibank incident
that led to this response.
You know, I said in last week's show,
I can't imagine the Australian government mobilising like this
against the idiot kid who enumerated data
from an unsecured Optus API, for example, right?
Like, this was a serious, very serious incident.
Can you imagine...
Is this something we're likely to see again, though, in the wake of other
serious incidents? Is this the first of many? Is it something that now it's been done once,
it will be easier to do again? Is this government policy now, I guess, is the question?
So I sit inside the foreign affairs portfolio, so there are certain tools that we have there.
I think that whether you're talking about sanctions,
whether you're talking about attribution,
there will always be the caveat that we will take those steps
when they're in the national interest to do so.
So we're weighing up a number of equities
in considering whether to take those actions.
I think we wanted to send a very clear message in this case
because it was just so far beyond the pale.
I mean, even within some ransomware forums,
like going after people's private health data,
it's kind of, you know, it's not cool.
Like even other ransomware operators think this guy's a scumbag, right?
Like, that's amazing.
Yeah, amongst, you know, the rogues' gallery,
people are like, oh, this guy is a scumbag.
So, you know, and I should say,
I really love working with my mate Claire O'Neill.
We've known each other for a long time.
And, you know, she's very blunt in her language
and in the press conference announcing these sanctions.
She didn't pull any punches about what she thought about this bloke.
And I was certainly cheering that on. Yeah, yeah, you know, I mean, is this, so, so I guess what you're saying is this
sort of thing gets evaluated on a case-by-case basis, right? And, and, you know, we have seen, uh, Tom
Uren and I, we sat down the other day and tried to think, have we seen something similar to this? I
mean, the best we could come up with is the TrickBot sanctions, where the United States government
announced sanctions against, I think it was like a dozen members of a group doing TrickBot stuff. But this does feel different,
doesn't it? Because it's, it's, you know, it's a full, full special treatment for a single individual
based on a single event, whereas the TrickBot thing felt more like it was about a pattern of
behaviour. So, I mean, I think this feels like a bit of a first, but you have been in the weeds on this for, you know,
obviously the last year or so.
Is it?
Like, to what degree is this something new, I guess, is the question?
I mean, I think back to the evil corp sanctioning.
I mean, that's one that was around for a while.
I can certainly remember photos of Maxim Yakubets
and his obscene fluoro camouflage colored Lamborghini getting around in Moscow.
He should be in prison for shitty taste, let alone his ransomware crimes.
But that one sticks in my memory because I remember that the license plate on that Lambo was thief.
Yeah.
Right.
And that sense of impunity, that just drove me nuts.
You know, like the impact that these ransomware actors are having.
I mean, you know, we talk about the impact on critical infrastructure
and those nation-level impacts.
And that is extremely significant.
And, you know, we've seen it in Australia with the attack on Toll,
a major logistics company that was disrupting vaccine distribution.
Like those are very significant impacts.
But that RUSI report that came out last week talking about the impacts on small business, I mean, this stuff is just a scourge. And the idea that people pursuing it can think they have that level of individual impunity really sticks in my craw.
So there aren't silver bullets here.
And InfoSec is like I had a cyber portfolio in opposition and got to spend a lot of time kicking around Hacker Summer Camp
and doing all those cool things.
And I love the cybers.
But it's also an industry where it's full of really smart people
who are really quick to get to the yes, but.
This doesn't solve all problems.
And that's just not a reason not to act.
You know, like, is a sanctions listing from Australia
the end of impunity for ransomware actors?
Like, no.
We understand that.
But does this move the needle on that?
Yes.
And we need to be moving the needle across every front available,
really, to ensure that people understand there are costs
and consequences for this and that we can go so far beyond the pale.
You just described the rationale for the release the hounds doctrine, Tim.
I mean, that's really the – that is the thinking.
Now, look, I want to talk –
When I think about Montgomery Burns releasing the hounds,
there is a pack of hounds.
There's lots of hounds, right?
So, you know, there's the offensive cyber hound.
There's the law enforcement hound.
There's the AML hound.
I'm going to draw this analogy a long, long way.
And there's the sanctions listing hound.
So we know hounds away.
Hounds away.
They're all good dogs.
They're all good dogs.
That's right.
Now, look, there's another topic I want to talk to you about.
Because, you know, as I said at the intro,
this is the first time I can think of where, you know,
really you were in training to be Australia's cybersecurity minister.
I mean, we're not complaining about the minister we got.
Claire O'Neill is doing a terrific job.
But this was, you know, for a number of years,
a topic that you had a great deal of interest in.
And I know you a little and I know you were looking forward to getting into that portfolio, you've wound up in this
different job instead. But you've managed to take some of that, you know, cybersecurity knowledge
into this new role, and been able to make it a priority in some ways in, you know, the work that
you're doing now. And one of the things that you've been doing is trying to think about cybersecurity
and the ramifications for poor cybersecurity
and incidents and whatnot in the Pacific.
So Australia, for those who aren't necessarily aware,
I mean, we're an interesting country in a lot of ways.
We do an absolute ton of trade with China.
We have Southeast Asia to our Northwest,
and we are ringed in by these Pacific microstates.
And they've been having some trouble in the old cybers,
and the Australian government has been trying to help them
for a number of reasons.
But, Tim, why don't you talk us through
what the Australian government has been doing in the Pacific cybers?
Well, it's a good starting point to talk about Claire O'Neill, our new cybersecurity minister. So yeah, I dearly love the cybers. I'm still trying to keep across
everything that's happening there. And of course, in foreign policy, international cyber policy is
a really big part of that.
But because of the relationship between Claire and I, we've written a book together, we've
known each other for 10 years.
And I can't think of anyone better to take on a cabinet level cybersecurity role than
Claire.
She's got a brain as big as a planet.
She has an unparalleled capacity for hard work.
I mean, she's best, right? And she was undertaking a
full review of Australia's cybersecurity strategy at a domestic level. Our international cybersecurity
policy settings were also frankly coming up to a need for review. So I said to her,
let's integrate this. Let's have a joint approach across both the international and the domestic cybersecurity strategy settings.
So we were able to launch this as a fully joined up collaborative cybersecurity strategy.
In Australia's foreign policy settings, we are a Pacific nation.
We're part of what's called the Pacific family in the Pacific Islands Forum.
And what happens in the Pacific really matters to us.
You know, it's in our immediate region.
And when we came into government,
we had a priority to listen to the Pacific Islands,
to listen to their priorities
in acting as a member of the Pacific family.
And the Pacific Islands are well known around the world
as being on the front lines of climate change.
You know, they are facing a literal, physical, existential threat from climate change. And
understandably, that is the number one priority in the Pacific Islands. But very close behind that
is that the Pacific Islands are not a wealthy part of the world, one of the least developed
parts of the world. And their leaders understandably have a big priority for economic development.
And like anywhere, they see connecting with the global economy
as a pathway to that economic development.
And really for them, that's connectivity and digitization.
This is an incredibly dispersed, incredibly large geographic area.
So providing basic subsea cable connectivity,
providing the bandwidth necessary to be a full participant in that economy,
providing redundancy so that when things like the volcanic eruption
and tsunami in Tonga happen,
there are other connections to the world.
Because they lost connectivity completely, didn't they, when that happened?
And it's extraordinary.
You can see some of it online,
but you see the footage of what happened to those subsea cables,
how far they were dragged.
I mean, it's quite extraordinary physical disruption.
So that's a long way of saying from a foreign policy perspective,
listening to Pacific Islands priorities,
they want to develop through increasing their connectivity and digitisation.
And of course, cyber security threats, threatened to undermine all of that.
We've seen a series of incidents that have a really big impact in the Pacific Islands.
I mean, there was a time there where the Pacific Islands were clearly being targeted by ransomware crews and they were just getting smashed.
I mean, we've seen similar things in different regions, like certain parts of Latin America.
This was happening in the Pacific. And it was happening, you know, over and over again.
And, you know, like we know what a pain it is to deal with these incidents in Australia.
You know, dealing with those incidents in a country where you have far less scale, far less resource,
they have an enormous impact. So there's a couple of things that we heard loud and clear from the Pacific Islands Forum. They want us to be able to help with incident response. So we've set up these
cyber rapid teams that draw on diplomatic expertise in DFAT, but also the technical
expertise within agencies and government
and trusted private sector providers
so that when an incident happens, we can be on the spot.
In the Pacific, people are used to seeing Australian Navy assets,
LHDs turning up when there's an earthquake or a cyclone
or a volcanic eruption,
or we're on the spot as well when there's a digital disaster,
helping get those systems back up online as quickly as possible.
All right, well, Tim Watts, thank you so much for joining us on this week's show to have
a talk about that sanctions announcement last week, and also about what the Australian government
through DFAT is doing in the Pacific.
It's all very interesting stuff.
It's great to have you back, and hopefully we can have you on again soon.
Cheers.
Fantastic. Thanks, guys.
Thanks, Tim.
That was Australia's Assistant Foreign Minister,
Tim Watts there,
and of course, my co-host and good friend,
Adam Boileau.
It is time for this week's sponsor interview now
with Josh Kamdjou, the
founder and CEO of Sublime Security.
Sublime makes an email
security product for people who don't want their mail
filtering to be a black box.
You know, like it's a mail security platform
that you can add custom rules to
and actually query, right?
Sounds good, yeah.
Now, it's not going to be for everyone. A lot of people
just want something that they sign up to and forget about. But if you have a decent security team and you're finding that the big
solutions aren't flexible enough for you, then they're definitely worth checking out.
Josh joined me to chat about QR code phishing, which was a real scourge last year. And here's
what he had to say. Yeah. The primary intent behind QR code phishing is to solicit credentials, to take over accounts.
And so there's nothing really special around the intent. So we've seen it before. It's really just
the delivery vector that's unique. Yeah. So, I mean, this did kind of catch everyone with their
pants down, so to speak, right? Because, you know, using traditional
mail filtering, it's kind of hard to catch because all of a sudden you've got to take
an image, process it, interpret it, and then figure out, you know, whether it's malicious or not.
And, you know, mail filtering just wasn't set up to do that. I mean, is that why
there was such a just explosive growth in this, do you think?
That's exactly why. I would attribute it to
two main categories of things that led to this big jump in the delivery of this campaign.
The first is definitely traditional email gateways weren't designed to really process
this type and filter this type of technique.
So it's like malware, attachments, links, text.
So detection is actually quite difficult.
You have to have an engine that can take an image, recognize it, and then decode it.
And then the second category is the human element of it.
So we've become just so accustomed to QR codes in our daily lives.
We're scanning things at restaurants. We have legitimate email communications with QR codes
in them all the time. We're used to scanning QR codes for MFA setup and whatnot. And so we're
just very accustomed to it. And as users, we've trained our users for years and years to like look at the destination,
hover over the link in the email and look where it goes. And you can't do that with a QR code.
There's, there's nothing there. So you have to basically hover and you have to scan it to see
where it goes. Yeah. I mean, we can just thank COVID for this, right? Because, uh, well in,
in Australia anyway, cause we're doing QR code check-ins everywhere. And I've just got to like share with you
a little gripe that I have with Apple,
which is in the middle of the pandemic,
when we're all using QR codes,
you used to point your camera at the QR code
and it would put the URL at a fixed location
at the bottom of the screen and you'd tap it.
And then some idiot at Apple decided to push an update to iOS
so that the URL would no longer be in a fixed position,
but would like hover around where the QR code was.
So you had to hold your phone at least.
And I'm like, what the hell were you thinking?
You know, and this is where in Australia,
like to go anywhere,
you have to like check in absolutely everywhere.
But you know, that was there for like a year
before they changed it back.
Anyway, that was super frustrating,
but that is completely by the by.
But yeah, you're right.
I mean, QR codes have been around for a very long time,
but we are actually finally starting to use them, right?
So I think there were jokes about like, you know,
2021 being the year of the QR code.
So, I mean, look, it's not all bad news
because this turned out to be very, very good for you
because you are set up to deal with this.
But how do you, Sublime Security,
respond to this for your customers?
Why is it that you can create rules to deal with this
where others can't?
What's the difference?
Yeah, so we really designed Sublime
to be adaptable from the ground up.
So our entire detection engine
is exposed through a query language
that you can use to describe
any type of attacker behavior,
specifically in email.
So if you're getting into like Yara
or Snort signatures or Sigma
and how you can build detections
for specific behavior,
that's kind of what we built for email.
And if you think about how QR
codes are delivered, they're delivered in a few ways. So one is as an image attachment that's
embedded inside of the HTML of an email message as a CID. It's like CID embedding. So there's like a
little tag and then it takes the image attachment and then it renders it inside of the HTML body. And then there's like linked images
where it's like an image source in the HTML. So you can like load that from an external resource.
And then there's also embedded directly into the HTML. You can, like, paint a QR code, basically paint an image with some HTML
foo. You, you basically have, like, a table and then you, like, fill in the colours of the table.
And so there's different ways. CSS? Yeah, that's right. Sorry, I had to make a CSS joke there. But
anyway, and so there's, there's many different ways that attackers can actually
deliver a QR code. So you really have to look at it. What you're saying there, because, like, pulling
the image and then doing the QR code and then, okay, someone just does an HTML-based table and,
like, that won't work anymore. So, yeah. And so now you can't detect it. Exactly. So you really have to
be set up to detect it from multiple different angles. So our detection language is called MQL,
message query language. And so you can build detection rules to leverage any part of the
message, leverage enrichments, leverage machine learning models and things like that. So what we
did when we saw this evolution was we built several detections for these different delivery
vectors. So when it's an image attachment, we take the image, we send that to our file explosion
engine, which can do all sorts of things on images.
It can run EXIF, it can run optical character recognition and feed that into an NLU model.
We can run a QR code scanner and first recognize the QR code, and then we can decode the QR
code, and then we can
send that to a link analysis enrichment that takes it into this sandbox environment, goes out to the
URL, you know, takes a screenshot of the page, we can then pass that into our other kind of standard
credential phishing detection models. And then for things that are for the delivery vector where it's directly in the body of the message, we have a function in our query language that will actually take a screenshot of the body of the message.
So it takes the HTML of the message and it renders it, takes a screenshot and then passes it into the rest of it.
Exactly.
I mean, it's not dumb if it works, right? And, and,
yeah, it's so funny. Like, I had this idea years ago. I think Adam and I, uh, Adam Boileau and I were
talking about this, which is a good way to recognise lookalike domains is to render them and then OCR
them with a limited character set and see what comes out, right? And, and I remember the first time,
because that was like, I'm sure other people had thought of this, but this was an idea that I did come up with independently. And everyone I'd mentioned it to
said, that's stupid. It's really effective. It's actually really smart. Yeah. It's actually really
smart because it gets around all, like, the homoglyphs, because there's multiple ways to
detect lookalikes where you could just do string similarity. Yeah, just OCR it with normal ASCII
and see what comes back. But I
mean, look, in this case, rendering the image, screen capping it and then saying,
is this a QR code? Yeah, that's gonna, that's gonna make a lot of sense. Yeah,
exactly. So, so that's how we responded to this evolution, and we push this out to
our core detection feed. We've got, all of our detection rules
for our core feed are all open source on our GitHub. And Sublime is free to use. So you can deploy it to
your own network if you want. And you can run these detection rules for free. And your data
stays local. And we make money via a couple of different ways. Um, so we've got the, the core version of Sublime that runs, you know, locally. On, you
can run it via Docker, you can run it in your own AWS account.
And then we've got the enterprise version that you can run in our cloud, kind of like
your standard SaaS managed thing.
And then we've also got an enterprise version of our self-hosted one too.
So we've got a lot of, a lot of folks running that. And this is all API based, right? Like you don't need to
change any MX records or anything like that. It's just, you know, give it access and away you go.
Exactly. It's just an OAuth grant basically. So it's super easy to actually get this going.
And when you initially deploy, you can deploy it completely passive
and alert only at first.
So you don't have to really worry
about any sort of impediment,
impeding actual mail delivery.
And once you actually feel comfortable
with the platform and detection efficacy,
then you can turn things into remediation mode
and actually start blocking stuff.
Well, and I mean, you can do stuff with detect on, like if you detect a phishing link, you
know, you can then put that into your proxy so that, you know, people can't access it
and things like that.
So there is stuff you can do just by running detections.
But look, this did turn into a win for you because there were an awful lot of Microsoft
customers out there having a terrible time for this. And there wasn't really a straightforward way to fix this. And even
some of the solutions that Microsoft users were proposing to each other, like on social media,
were kind of a little, this, um, when, when the initial
evolution of this campaign came, came about. So, um, yeah, have they, have they got better now? Like, you
know, can they, can Microsoft customers now mitigate this? So my understanding, which is from an outsider, is that Microsoft did push, like, partial coverage
for some vectors.
So for some customers, I think for some of their like, you know, top tier customers,
and in particular, if there's like an image attachment, if it's the image attachment vector,
then I believe that there is coverage for that.
But don't quote me on that.
Yeah, yeah.
I mean, I think the problem, right?
The dilemma for the big, big, big, big mail filtering companies
is if you're going to render every single email that comes through,
it's just so much compute and they can't do it, right?
So if you've got cycles,
like if you can afford the cycles to do this as a customer,
you know what I mean?
Like as an enterprise,
yeah, you can't really just tick that box
with O365 or the others, right?
Yeah, well, even for us, like our detection engine,
we don't, I mean, you could build a detection rule
that renders everything,
but we wouldn't necessarily recommend that because of performance reasons.
So the detections that we write typically do leverage several other signals.
Just by nature of these campaigns, most of these are like spray and pray, right? So they're like mass campaigns. And they're typically
from email addresses, like from senders that are taken over and have not necessarily had any
communication with your organization before. And so you can leverage things like sender history,
if you've got context from the organization, which we do, and inside of the
query language, you can actually leverage historical behavior. We build these profiles
for every sender. So you can say, hey, this is actually an unknown sender to my organization.
And just by nature of that, you can then say, all right, I'm going to give this a lot more
extra scrutiny. I'm going to analyze the attachment. I'm going to take a screenshot. I'm going to go out to the link, things like that.
Now, an end result to this is you had an absolute ton of people roll the free version of your
product and then a lot of them became customers, right? So like, thanks QR phishers, I think is what
you're really trying to say, isn't it, Josh? You could say that, you could say that. It, um, yeah, it's like the, the sponsor
we used to have, Senetas, who do layer 2 encryption equipment, um, who were just sort of meandering
along, and then Edward Snowden dropped all of those docs and their business boomed, and they're like,
yeah, we'll buy him a beer. Anyway, Josh Kamdjou, a pleasure to chat to you, my friend. Great to see you.
And we'll be chatting again throughout the year.
Thank you.
So good to see you, Patrick.
Thank you.
That was Josh Kamdjou there with a chat about Sublime Security and QR code phishing.
Big thanks to him for that.
And that is it for this week's show.
I do hope you enjoyed it.
And I'll catch you all soon.