Risky Business - Risky Business #736 -- Azure misconfigurations are 2024's looming threat

Episode Date: February 13, 2024

In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about:
Somehow there are still more Ivanti and Fortinet exploits ...
Volt Typhoon have been at it for years
Starlink in Ukraine gets complicated
Canadians hate poor Flipper
Much, much more…

In this week’s sponsor interview Feross Aboukhadijeh from Socket joins the show to talk about the sheer volume of malicious packages being committed to code repositories and why older SCA tools aren’t well equipped to deal with them.

Show notes
Microsoft Azure customers hit by phishing, account takeover attacks | Cybersecurity Dive
Ivanti publishes urgent warning about new vulnerability
How is Pulse Secure Formed
Attackers hit more networking gear, this time a critical Fortinet CVE | Cybersecurity Dive
End Of General Availability of the free vSphere Hypervisor (ESXi 7.x and 8.x) (2107518)
Coker: ONCD is studying ‘liability regimes’ for software flaws
Chinese hackers spent 5 years in US infrastructure, ready to attack
CISA, FBI warn of China-linked hackers pre-positioning for ‘destructive cyberattacks against US critical infrastructure’
Russia using Starlink
Canada declares Flipper Zero public enemy No. 1 in car-theft crackdown | Ars Technica
Health insurance data breach affects nearly half of France’s population, privacy regulator warns
Hackers attack 25 Romanian hospitals
Catalin on the Rhysida ransomware decrypter going public
A password manager LastPass calls “fraudulent” booted from App Store | Ars Technica
From Cybercrime Saul Goodman to the Russian GRU – Krebs on Security

Transcript
Starting point is 00:00:00 Hey everyone and welcome to Risky Business. My name is Patrick Gray and yeah, we've got a great show for you today. Adam Boileau is joining me in the flesh. He is here IRL because he is visiting the Risky Business Global Headquarters here in Australia, which is otherwise known as my house. So yeah, we'll be sitting down and talking through all the week's news in just a moment. This week's show is brought to you by Socket and Socket's founder, Feross Aboukhadijeh, will be along in this week's sponsored interview to talk about how the incumbent software composition analysis companies are doing a pretty bad job of tracking supply chain risks because they're just a little bit too slow. They're not really set up to do it properly. That is coming up later, but first up, Adam, let's get into the news now. And we're going to kick off with some research out of Proofpoint. And, you know, the usual disclaimer goes on that, which is that they are a Risky Biz sponsor. But they've punched out a report here that's pretty interesting, especially in light of a
Starting point is 00:01:03 conversation you and I had the other day that we'll also get into in a moment. But yeah, why don't you just start by walking us through what this report says. So Proofpoint has written up a campaign of intrusions against a bunch of companies that use Microsoft Azure for email. And this is a pretty typical sort of thing, right? It's phishing emails targeting executives and, you know, people in the finance parts of companies, you know, so they can do account takeover and do financial fraud. And the scale of this is about, you know, kind of like a hundred-ish customers, which, you know, kind of every day on the internet, pretty normal sort of stuff. But given the focus that Microsoft has had from attackers lately and
Starting point is 00:01:47 you know, our focus on Microsoft lately as a result of that, seeing this just continuing does make you ask questions. You know, what's it going to mean when someone glues SVR tactics of, you know, taking over your entire cloud from a user account compromise in a tenant to this kind of broad-brush Azure compromising of regular companies? Because if you could join that together, we're in for a pretty rough ride. Yeah, so I think in this case,
Starting point is 00:02:17 it's actually 200, not 100 affected organizations and something like 500 user accounts. But one of the reasons you and I have pulled this one out to talk about this week is because the other day we sat down and had a chat with Andy Robbins, again from another sponsor, SpecterOps, who make BloodHound. And they've been really out there blogging and talking about the SVR campaign,
Starting point is 00:02:37 targeting Azure tenants and how that all works. And, you know, it's just a fascinating conversation because a lot of people don't really think much about the relationship between Microsoft's productivity tools like 365 and Azure. And probably the most helpful way to think about this is that Azure is the platform, but Microsoft's productivity suite is just a bunch of apps
Starting point is 00:02:57 that run on that platform. So you are an Azure customer. There are complicated permissions mechanisms at play here that interact in strange and suboptimal ways, shall we say, and we're just going to see so much more of this. And, you know, the Proofpoint thing here is interesting because, as you say, like, it's a, you know, criminally motivated group doing financial fraud that have figured out how to attack these tenants. And I just feel like this year, it's going to be the year of attacks against Azure.
Starting point is 00:03:31 And Microsoft has let this get bad enough that it's going to be real hard to wind it back by changing defaults and things like that, things that Microsoft don't like doing. Yeah. And we've learned so much about Active Directory over the last 15, 20 years. And attackers have picked that up very quickly. We've seen ransomware operators turn a bunch of compromises of end devices, which now immediately get turned into enterprise-wide compromise through Active Directory techniques.
Starting point is 00:03:59 Azure AD, Entra ID, and the way that all of that cloud works together is very ripe for exactly the same transition, and SVR is showing how effective some of these misconfigurations can be. I mean, when we were talking to Andy Robbins, he basically explained that in order to do the things that Microsoft described as happening, the attackers had to end up with effectively global admin in Microsoft corporate as a result of compromising one Entra ID account in a different tenant. If it can happen to Microsoft, it can happen to other people, and attackers are just much more adept at taking pen testing knowledge,
Starting point is 00:04:40 taking industry understanding, and turning that into real-world effects. And I am afraid for how fast it's going to have to move in Azure once we start seeing... there is no way we're going to keep up, right? Like, just forget it, it's not happening. And yeah, I mean, I'm not trying to sound alarmist here, but I just think already... because I think a few weeks ago I was like, I think this year we're going to see, like, a lot of SEC filings describing attacks against Azure. I think this is going to be a big year for compromises of Azure infrastructure. And I mean, here we are, it's February, and it sort of feels like we're already there. And I just think we're going to see more and more creative uses as attackers realize that these misconfigurations are so prevalent, right? Like, they're everywhere, that all you need
Starting point is 00:05:23 to do is get one account, you know, manipulate permissions in a certain way, mess around with application registrations and do the hokey pokey, and then from there, you know, you've got the ability to auth into all sorts of stuff. And I reckon probably we're going to start seeing people going from compromised O365 accounts down into, like, code execution on-prem. So, you know, I think maybe people don't quite realize that that's going to be a pretty straightforward process. In fact, when I raised that with you the other day, when we were just having a conversation about it, you said that this is something you've done in pentests before.
Starting point is 00:05:55 Yes, yeah, pivoting from the cloud back into machines on-premise, servers or workstations. Yeah, there are avenues for doing this. Intune is filled with interesting options there. And most people just don't understand how glued together everything is and how quickly it's moving in the cloud. I mean, on-prem Windows and Active Directory, you know, moved slowly. It took us 15-20 years to get Active Directory to where it is, but Azure and the cloud version of everything now is just, it's moving so quick. And, you know, I did see there was a guy on Twitter
Starting point is 00:06:29 that posted a pretty typical reply guy response, you know, about here's the things you could do to secure your Azure. And, you know, none of these things are simple or quick or easy. And he missed a bunch of stuff too. And it's just, you know. And this stuff is really complicated. And seeing someone like Andy Robbins, who really does understand this stuff,
Starting point is 00:06:50 even he has to sit down and refer to his own blog post to explain it to us because it's just that complicated and messy. And Microsoft don't provide the kinds of tools and visibility that we need. Or they charge you for it, which is somehow even worse than just not providing it in the first place. Yeah. And by the way, I just remembered too,
Starting point is 00:07:08 there was one of these Russian APT crews that did already go from cloud to on-prem. Like this is something we've seen before, but I just mean, like I think we're going to see a lot more of it. You know, if you've got APT crews doing it, pen testers doing it, like it just feels like, yeah, the race is on now.
Starting point is 00:07:25 This is how it's going to get done. As Adam alluded to, I recorded an interview with Andy Robbins, which I think I'll be publishing next week, which is a really solid walkthrough. It's heavy going, man. This isn't light listening. It really is. But it's a solid walkthrough of what likely happened
Starting point is 00:07:41 with this SVR campaign and how all of that worked. And, you know, it's impossible to... I think it's the sort of thing that's impossible to listen to without realizing that everybody needs to take action. They need to be doing permission audits and sadly they need third-party tools to do that or they need to give Microsoft money
Starting point is 00:07:56 for their extra security tooling, like you mentioned earlier. But it's a big mess and this Proofpoint research just really sort of underscores that. This is the sort of thing that would have slid by, I think, a while ago, but now I just feel like things have changed. Yes. Yeah, attackers are going to glue that together and we're in for a rough ride. Yeah. Oh, speaking of Soapboxes as well, I recorded one with Andrew Morris from Grey
Starting point is 00:08:18 Noise, which I published on Monday. That is, like, 10 out of 10, heaps, like, such a good time. Everybody needs to go listen to that because Andrew is just, you know, terrific talent, very funny. He speaks about, like, yeah, some of the Volt Typhoon stuff, like being able to observe their ORB, you know, relay boxes out there on the internet. And because, you know, they're always trying to go out and exploit other routers and turn them into ORBs as well.
Starting point is 00:08:42 So he's got some amazing insight into bad stuff on the internet. But moving on now, and, you know, I've got to stop saying this, but I always say, oh, we don't like talking about vulns on this show, but considering we don't like talking about them, we talk about them a lot. But there's a bunch. There's a bunch this week that are kind of eye-rolly and serious at the same time.
Starting point is 00:09:02 So we've got more Ivanti bugs, which I think are on CISA KEV, right? Like, they're being... Yes, yeah, yep, being hit in the wild. More bugs. I can't believe that there are still more bugs in that thing. Yeah, it's... yeah. And then there's more Fortinet bugs as well. Kevin Beaumont took a look at the Ivanti Pulse Connect box and, Adam, this is amazing. Yeah, he posted the versions of a bunch of pieces of software that make up the Ivanti Pulse Secure VPN boxes, and it's like kernel from 2009 and versions of Perl from 20 years ago, and exactly the sorts of things you don't want to see in your security appliance. And you can see why there are bugs in it when the software is that vintage. But actually, in that particular thread, someone pointed out,
Starting point is 00:09:47 and I hadn't realized this, that Ivanti Pulse Secure was begat from Juniper, which was begat from Juniper's acquisition of Funk Software, who made a RADIUS server in the early 2000s that was quite popular. And essentially this product looks like it was built in the early 2000s, I think, by Funk, and that explains why it's like it is. I can't believe it's made it 30 years later or 20-something years later
Starting point is 00:10:13 and it's still, in many cases, the same piece of software just rebadged with a fresh GUI slapped on the front and that explains why there are so many bugs here. Yeah. If it ain't broke, don't fix it. But I guess we can't really say it ain't broke anymore. But staggeringly, you know, you've gone down a bit of a rabbit hole and looked at some of the lineage of competing products and it's all kind of like
Starting point is 00:10:34 you know, traces back to the time that dinosaurs roamed the earth. Yeah, yeah. I think, like, I looked... like SonicWall's SSL VPN, I think, comes from a vendor called Aventail, also from the early 2000s, a competitor of Funk at that point in time. And, yeah, it's weird when you see how long. The people who built this would be mortified to realize that their code and their systems are still being rebadged and sold as new today because it's just sheer filth. It's filthy.
Starting point is 00:11:06 It's so dirty. Unclean. Unclean. Yeah. I mean, it's funny because I didn't remember Funk. Like the last couple of days you've been telling me about this, I'm like, I don't remember Funk. But right then when you said Radius product, I'm like, oh, yeah,
Starting point is 00:11:17 now I remember. Steel-Belted Radius was their main product. Yeah, I remember now. Which was a dumb name. But it actually was pretty good back then. Yeah, if you wanted to run an ISP in the early 2000s, dial-up pool authentication, then, you know, that was one of the places you could go.
Starting point is 00:11:31 And Microsoft. Microsoft and Adobe both dropped a couple of clangers because it's like, you know, just the wake of Patch Tuesday right now. It's Wednesday here in Australia, but still Tuesday in the United States. And yeah, bad, bad, unclean, unclean. There's a couple of Microsoft smart screen bugs,
Starting point is 00:11:46 the sort of thing that let you bypass Mark of the Web, etc., which don't sound exciting but are important parts of delivering malware through email or through links or whatever else. There's also an Outlook preview pane bug, which I don't think we've seen exploited in the wild yet, but that's the sort of thing that everyone loves for drive-by downloads out of reading an email without even having to open it. So, good times, happy days. There's also an Adobe Acrobat bug. Like, I mean, there's plenty of those. As you said, we don't talk about
Starting point is 00:12:14 vulns on the show, but it's nice to see that some things in life are consistent. You know, there's so much change in this world and yet still code exec in Acrobat. That makes you feel grounded in history. There'll always be Acrobat bugs. There'll always be new Java things. Yes, exactly. Exactly. That's good.
Starting point is 00:12:30 At least some things stay the same. Let's talk about VMware and Broadcom because this is actually a funny conversation you and I had at the pub. If you imagine what it is, like Adam and I hanging out, it's basically an extended episode of Risky Business. Down at the pub having a bit of a chat about Broadcom's acquisition of VMware.
Starting point is 00:12:51 And man, they are going to move to milk this and basically extract as much money out of VMware customers as humanly possible. And they've done stuff like kill off the free version of ESXi. Like we mentioned that briefly on the show recently. But where this conversation got interesting the other day is I think this is good news, right? Because this is providing a massive incentive
Starting point is 00:13:17 for enterprises to get off VMware, which has been associated with an awful lot of problems because, you know, for the same thing, it's like bit rot over time. VMware is not a particularly safe product. So I don't know. Maybe this is going to kick off this huge modernization in enterprise, Adam, and it's going to be wonderful.
Starting point is 00:13:34 They can all move to Azure. Well, that's the thing, right? Yes, they're going to have to. I mean, everyone who's got lots and lots of VMware, and that's very many big corps have giant enterprise VMware farms on-prem. They're all getting a bit long in the tooth. Now the support is going to get expensive and VMware's Broadcom's cut off all of the channel partners.
Starting point is 00:13:54 So all of the people that, you know, that whole ecosystem is dying. Anyone who works as a VMware specialist somewhere needs to find a new job. And so, you know, the whole place is going to bit rot. Well, they're just going to have to learn how to do it in the actual cloud as opposed to on-prem pretend cloud. Yes, yes. And when VMware did try to make some of their tools managed both, but like ultimately, yes,
Starting point is 00:14:13 it's got to move somewhere else and it's going to go into Azure or AWS or GCP or wherever else, which overall maybe is a net benefit, but I feel bad for all the people that are in orgs that run on top of VMware and whose jobs are all around managing VMware stuff because, yeah, Broadcom is just going to milk you so hard. And if the project to get off it isn't already started, now's the time.
Starting point is 00:14:36 We'll see where the security updates start to slow down. They got rid of a whole bunch of people as well. So, you know, it's just a dying ecosystem and that's hard to watch. Yeah, now, just, you had a great anecdote about a lift and shift gone wrong too, which is kind of relevant to this. And I think that's, I think it's a good one for sharing, Adam.
Starting point is 00:14:53 So here's the talking stick. Share, share with the others, please. I looked at a migration once where a vendor was paid to migrate some systems up into the cloud, you know, from physical tin that was running out of support into the cloud. And, you know, they got given clear instructions. This is a super important business-critical system.
Starting point is 00:15:09 It needs to move into the cloud. Don't change anything. Move it to the cloud. So they did. The consultants came in, lifted, shifted it. We came in to do some security review work afterwards, and they had lifted and shifted it wholesale, including the internal management interfaces,
Starting point is 00:15:25 like the Telnet, to this important big iron system, which used to be on an internal network and now is on the vendor's public cloud, public IP addresses. So you could 1FA via Telnet, and given that this was, you know, Solaris, there's been some bugs at Solaris Telnet,
Starting point is 00:15:44 that let you get in. Yeah, you could just Telnet into the middle of a big environment because they'd moved it to the cloud without thinking about what that might change. Yeah, maybe just ask them what their plans are for, like, firewalls and stuff, you know, if you're doing this lift and shift. But yeah, it's mind-blowing too, like big enterprise doing that,
Starting point is 00:16:02 paying top dollar and then, you know, at least though, they had the wherewithal to bring in some security consultants afterwards and at least give it an Nmap. You know, like that's something because otherwise that could have been sitting there for years. Now, look, we've just talked about vendors behaving badly. And, you know, we've got the National Cyber Director
Starting point is 00:16:21 in the United States, Harry Coker, delivering some remarks. This is a report from Suzanne Smalley over at The Record, delivering some remarks in which he said that they're working on adjusting liability regimes for software manufacturers. And, you know, I've seen a lot of people passing this story around. They're getting quite excited. You know, you and I have been around in this thing for way too long.
Starting point is 00:16:43 This is a conversation that's been happening for 20 years. It never usually goes anywhere because people realize that if you start saying to vendors what they can and can't protect themselves from in end-user license, like it just gets complicated. A lot of unintended consequences tend to flow out of that. So it is something that's very difficult to do. I would say, though, that the thing that has changed here is that there is political pressure. There is government pressure now. There seems to be more of a mandate for government regulators and agencies to do something about this.
Starting point is 00:17:18 So I think we might start to see some changes here. Adam, what do you think? Yeah, I mean, I think the time is right for some changes. One of the big things that has happened, you know, in the time that we've been covering InfoSec is, you know, this move away from a software vendor sells you a software package and you run it yourself in your own environment to cloud. And when the vendor is also operating the environment, the options that you have as the customer to architect, to do defence in depth, or to put layered controls in, or whatever else, start to get limited.
Starting point is 00:17:48 You're much more reliant on the vendors. And that makes the pressure for the vendors to be good a bit higher. And I think US government has been bitten by Microsoft and some of its other vendors. So the time is riper than it has ever been. It is such a complicated process, though, and there's going to be so much lobbying and jockeying for position,
Starting point is 00:18:09 but I'm here for it, right? I mean, I don't think that Ivanti should be allowed to buy the corpse of Funk off Juniper and then just keep selling it for the rest of time and getting people owned, right? There should be some consequence to that, you know, investment. They make money, but where's the risk? So I'd like to see some. Yeah, I mean, we all want to see the wicked get punished.
Starting point is 00:18:29 Yes, of course. Of course we do. But I don't know. I just don't know. I don't know where. Look, I don't know where this would wind up. Yes. That's all.
Starting point is 00:18:38 The lines are very hard to draw about where these things are. And if you draw a line too clearly, then people will skirt just to the left of that line and still cause the problems, but be able to point to it and go, well, hey, we didn't do that one extra thing that makes us liable or whatever else. Yeah.
Starting point is 00:18:54 And it's like they might say, oh, you need to write stuff in memory-safe languages. And they do, and it's still awful. Like, it's just, there's a lot here that, oh, I don't know. I don't know, man. But, you know, like, you know, when I was saying things have changed, like, people forget, like, CISA is just over five years old. Yeah, that's... it is amazing how
Starting point is 00:19:11 much. I mean, you think, you know, we were talking, as we've been hanging out, about some of the early days of Risky Biz when you were, you know, practically editing the show by cutting tape together with scissors. You know, it's... well, that was before Risky Biz, when I literally did edit tape at a community radio station with a razor blade and special sticky tape and chalk marks and things like that. But yeah, it's changed a lot. It really, really has. And so, you know, we can't solve...
Starting point is 00:19:37 Perfect is very hard. We're never going to get perfect. But I would like to see a bigger stick to beat up software and service companies. And fair enough. Fair enough. Now, look, we spoke with a senior CISA official last week, Eric Goldstein, and we spoke to him a bit about Volt Typhoon.
Starting point is 00:19:55 The very next day, there was a major report from CISA, the NSA, FBI, and a bunch of cybersecurity directorates in Australia, New Zealand and the UK talking about Volt Typhoon, and there was some interesting stuff in here. And I think one of the things that's interesting is that Volt Typhoon actors have been active and burrowed in to a bunch of organizations in the United States for five years. So I think that might kind of explain a little bit why everyone is so spooked here, is because, you know, probably they got some insight into one incident recently and then they've just been pulling the thread on it and these guys are everywhere, right? There's also some detail in here about how the attackers are targeting, you know,
Starting point is 00:20:40 documentation relating to control systems and things like that, and they're really doing their homework to understand the environments they're in. And, yeah, look, it's a decent report. Again, it's very unusual, I guess, to see governments talking so plainly about a particular APT crew, but it's clear that it's a focus now. Like, I mean, if there was any doubt, you look at this report, and, yeah, they care about these guys. Yeah, and I think, like, the thing that's concerning about this group, right, is that they are not there for regular spookery. It's not there for intelligence or espionage. And if they've been in there five years and now they've started to pull the threads
Starting point is 00:21:17 and they've got like this is what they've spent the last five years doing you can really infer intent from five years sample set, right? If someone's been in your environment a week, they may not have got to their action or objectives or whatever else. When you've got five years of data to look at, you can say, okay, these people have been here, they are here for pre-positioning because, like,
Starting point is 00:21:39 if they had some other reason, they would have done it by now. So that kind of long-term insight, I think, is one of the things that has really made this a bit more scary than some of the other campaigns. I'm guessing they've got other intelligence here too, you know. I saw someone on social media saying, you know, why doesn't NSA or Cyber Command or someone, you know, try to hack these guys back to find out what they're doing? It's like, what do you think their job is? You think they're not doing that? What do you think they do all day?
Starting point is 00:22:05 Yeah, yeah. Like you literally just described their job. But anyway, I just found it interesting that, you know, we've been talking about it a bit and, you know, had no idea this report was in the works, honest. But, you know, it's out now and we've dropped a couple of links to write-ups on that into this week's show notes. Now, let's talk about Starlink again.
Starting point is 00:22:24 There have been a bunch of reports that Russian soldiers are now using Starlink terminals on the battlefield, on their side of the battle lines. And this is extremely not great, for obvious reasons, because Starlink has provided the Ukrainian military with a real edge. So yeah, one thing we knew was that the Ukrainians had been asking SpaceX to remove the geoblock on Starlink around the front line. And I'm guessing what's happened now is that that's happened, which means the Russians are able to use captured terminals. And possibly by the looks of things, terminals they've acquired via other means,
Starting point is 00:23:02 and they're using them on that side of the geofence, of what used to be the geofence. So really, I think the only options here are going to be for the geoblock to be reinstated, which would just put things back to the way they were, and that was pretty messy. Or they're going to have to impose some sort of restriction on accounts that are being used from Russian-controlled territories. So there's got to be some sort of account-based control, maybe a mix of block listing and allow listing, I don't know. But Ukraine's Starlink terminals were not purchased or provided by one central organization.
Starting point is 00:23:41 So pulling together a list of accounts to provide to Starlink in a way that isn't too onerous is going to be real difficult, not insurmountable, but I guess I'm just trying to describe what they're up against at the moment. Now you might say, hey, that's great, Russians using an American ISP, there's a bunch of opportunities to do stuff to them. Yes and no. I mean, you know, they're not stupid. They're not going to put the Starlink dish directly on top of their command post. You know what I mean? You might wind up in a situation if you're trying to target these things of, you know, expending very expensive and scarce munitions to blow up an antenna worth a few hundred bucks.
Starting point is 00:24:20 So, you know, this is a pickle and it's something that can only be rectified by Starlink, you know, working with the Ukrainians. And they have a major shareholder in the form of Elon Musk who is sort of gradually morphing into an anti-Ukraine figure. I mean, when we were first talking about the use of Starlink in Ukraine, right, there was a bunch of conversation about, you know, exactly how that would work in terms of whether you could rely for battlefield communications and so on. The idea of both sides using it and, you know, Starlink ultimately is an American company. I can't imagine that, I mean, as you said, like they know where the terminals are and, you know,
Starting point is 00:25:02 the positions of the front lines may be somewhat opaque to them, but obviously they were having that data when they were doing their own geofencing. They've put out statements saying these terminals aren't being used in Russia, and it's like, no, but they are being used in occupied territories, right? That's a cute response. Nice try, guys.
Starting point is 00:25:17 Yeah, but I think the, you know, overall, like, I would feel a little worried being a Russian soldier using a comm system that's ultimately owned by a supporter of my enemy. That just sounds like a thing that's going to get you killed one way or the other. Not running a slightly long Ethernet cable from the terminal back to your trench or whatever seems smart, but... It's only going to get you so far. It's only going to get you so far, and it might work for a day,
Starting point is 00:25:42 but once you start moving this stuff around, and they're building up patterns of life and so on, it just seems... Yeah. You know, I would think that this is something tangible that the US government could beat Starlink over the head with, which is that, hey, you're violating sanctions here. Yes.
Starting point is 00:26:00 You know, and you've got to take reasonable steps to avoid doing that. To which, though, they might say, well, we'll just turn the geofence back on. Yes. You know, and that's bad too. So, I don't know, I just really hope that they pull their finger out, try to work with the Ukrainians to solve this problem, because this is a Western capability that should not be available to the Russian military.
Starting point is 00:26:20 Yeah, and that's the whole point of the sanctions, is so that they can't use this stuff for their own advantage. Well, it's one of the points of the sanctions, but anyway, yes. Now let's talk about something that just seems, on the surface of it, pretty insane, which is the government in Canada is looking at banning Flipper Zeros to stop them being used in crimes, but it doesn't really look like Flipper Zeros are actually being used to commit crimes at all. So in particular, they seem concerned with banning devices that are allowing things like relay attacks,
Starting point is 00:26:55 which are a serious issue, right? Like you've seen the videos online of people walking up to a house with a big antenna and while their mate stands next to the car and they're relaying the prox keys to get in a car and drive away. I mean, this is a problem, but this isn't what Flipper Zeros are used for, right? Which begs the question, huh? Yeah, it does seem a little bit nonsensical, and like the Flipper Zero
Starting point is 00:27:13 is an easy target because it's cute and little and it's ready to go and it's widely available. Exactly. And also Flipper Zeros are great for demonstrating these kinds of things, you know, in YouTube videos or TikTok or whatever, but not very practical for actually going out and stealing cars with because they lack the kind of transmit power. They lack some of the CPU horsepower to do some of the more complicated attacks on, you know, rolling codes and so on and so forth. Easy bugbear to blame, but I don't know that we've seen any concrete reports of actual car thefts involving actual Flipper Zeros because there are plenty of other tools available that are more practical for car thieves. Yeah, but I mean, you're sort of often getting
Starting point is 00:27:56 into kind of customised rigs for that sort of quote-unquote work. Yes. And I would think too that where you can apply the law here is, if you know, like there's the laws against people in the United States who build traps into cars that are used to ferry drugs and stuff around, like hidden compartments and whatnot, and, you know, you could apply similar thinking here, which is that if you are creating a device that's specifically optimized for car theft, uh, you know, and you're not selling it to someone who does roadside assistance for people who,
Starting point is 00:28:25 you know, or whatever, right? If it doesn't have a legitimate use, I mean, you can apply legal pressure there. So banning Flipper Zeros just does seem pretty dumb. It does, right? And, you know, similar sorts of things have happened with, you know, locksmithing tools over the years as they've become more and the knowledge has become
Starting point is 00:28:39 more widely available and, you know, knee-jerk banning a cute little pentesty tool or hobbyist tool isn't going to solve the problem but does kind of misdirect resources that could be better spent elsewhere, in my opinion. Alexander Martin over at the Record has reported that a large private health insurer in France has been attacked and data on 33 million people in France has been stolen. Not their claim information, though, which makes it an entirely different type of incident to the one that impacted Medibank here in Australia. Yeah, because when I saw the headline, my first question was,
Starting point is 00:29:14 ooh, are we going to see some French Leons released to go after people who've done it? But no, it does look like it's just, you know, contact information, email addresses, like more standard breach stuff. I mean, 33 million is still a lot. Well, they'll use that in phishing campaigns and whatever. Hi, it's your health insurer.
Starting point is 00:29:32 There's been a problem with your payment and blah, blah, blah. Yeah, but it's still a little less egregious than Medibank or that psychotherapy chain in Finland where actual real patient data is being held and ransomed. So we'll see what the French do about it, but I'm sure it will feature in many people's PowerPoint presentations, which is the important thing. Now, the scumbags are at it, though. They have attacked 100 healthcare facilities in Romania, which are now offline, and this
Starting point is 00:30:01 is because of an attack, a ransomware attack on at least 25 hospitals in Romania, and we've got Kevin Collier's write-up here from NBC News. Yeah, there was a shared service that was used to manage some part of the hospitalisation process or whatever in Romania. 21 hospitals were directly impacted by the ransoming. The rest were impacted when they had to kind of pull the service shut and disconnect things whilst they were responding. So they've gone back to manual processing and so on. As we've seen in other hospitals, our man on the ground in Romania says it's not too bad, but still anything that impacts healthcare services and 100 hospitals is not small scale. That's a
Starting point is 00:30:42 fifth, I think, of the number of hospitals in Romania. And then the other thing that surprised me is the actual ransom demand. It's like a hundred thousand euros. Yeah, 170,000 US dollars. Which, by the way, Kevin, I know you listen to the show, uh, there's a typo in your piece. It says three dollars 0.5 bitcoin in ransom. I think you just mean 3.5 bitcoin. I don't know if that was you or a sub-editor that you need to whack on the nose with a rolled-up newspaper, but, uh, yes, your second-to-last paragraph, my friend. But yeah, it looks like the ransom is 170,000 US dollars, which is, yeah, it's not much. No, and you kind of think someone
Starting point is 00:31:19 who's that amateur in their ransom demand probably is not going to be someone with amazing OPSEC. No, I don't know what the Romanian hound situation is like, but that guy is going to give us a front pound. They'll just send Catalin around. Yeah, yeah. He's on it. Now, speaking of Catalin Cimpanu, our colleague who writes the Risky Business News newsletter,
Starting point is 00:31:39 we've actually launched news.risky.biz, everyone. So that is the consolidation of Tom Uren's newsletter and Catalin Cimpanu's newsletter. If you're an existing subscriber to those newsletters, we have migrated you over to our wonderful news system, which is based on Ghost. We did leave Substack because they are making money out of hosting insane Nazis who are saying insane Nazi stuff and collecting payments for that. And the, you know, Substack makes money out of that and it just didn't sit well with us.
Starting point is 00:32:10 Okay. So, you know what they say, if you're, you know, in a bar and you look around, there's Nazis having a beer, like you're in a Nazi bar. So we got out of the Nazi bar and, you know, I think Ghost has a much more reasonable terms of service, which basically says, you know,
Starting point is 00:32:24 you can't promote racism, which, you know, that's... Sounds reasonable to me. Sounds fine to me. But yeah, head on over to news.risky.biz to subscribe. And Catalin, just, you know, it's not actually published yet, but by the time this podcast goes out,
Starting point is 00:32:36 it'll be very close to being published. Catalin's done a terrific write-up on a group releasing a ransomware decryptor that has actually upset people. So let's talk about this one. Yeah, so some academics from Kookmin University and KISA, the South Korean Cybersecurity Agency, worked together on a decryptor for the Rhysida ransomware. Turns out there was an issue with the random number generator. So they were generating keys on the ransomed systems using that to encrypt them, and then onwards from there. So if you can recover the key, you can decrypt the boxes, and the way that they were using their random number
Starting point is 00:33:16 generator was not good enough. So they were able to write a tool that did that, uh, they released it, which you would think would be universally applauded, because why wouldn't you want a tool to decrypt, uh, people who've, you know, been ransomwared? Turns out, uh, this vulnerability was already known by a bunch of other people, I think, um, Avast, and it was like Emsisoft or something. Yeah, Emsisoft had been using this, uh, to decrypt stuff for their customers, and they are sad that it's now been dropped because, of course, the Rhysida ransomware crew are now going to go and fix it.
Starting point is 00:33:51 And so we end up in this kind of weird niche of the disclosure debate where disclosing the stuff changes the behaviour of attackers and changes the behaviour of defenders and some people like having secret knowledge and some people like to share it, and both sides have their pluses and minuses. Well, as I said to you earlier, in this case, everybody is right, but everybody is also wrong.
Starting point is 00:34:13 And it's, you know, it is just a paradox either way. You know, like it's just, it just depends on your perspective here. Like I don't think anyone's done anything wrong. No. I mean, like the movie says, the only winning move is not to play, right? To not have ransomware in the first place. It reminds me of when like some crime marketplace gets,
Starting point is 00:34:33 you know, cybercrime marketplace or forum gets taken down by the feds and all the threat intel people come out of the woodwork and get all salty about it because they've spent years building up their profiles on those forums. It's like, ah. Yeah, it is. It's, as you say, it's frustrating. No one's wrong, but it's just a, you know, the whole situation is rubbish. And at least some victims will get some data back without having to pay.
Starting point is 00:34:56 Yeah, that's nice. But yeah, tough, tough day on the internet. Now we got one from Dan Goodin here, uh, about a fraudulent copy of LastPass that somehow wound up in the Apple App Store. Now look, this is going to happen. I think what makes this egregious is, you know, Apple has just been testifying in all manner of forums about how they should still be allowed to keep 30 percent of all revenue or whatever that flows through apps that are, you know, plumbed into their store because of the amazing security benefits and user protection and blah, blah, blah, blah, blah. So it does seem like, you know, if you're going to make that claim, maybe don't let the fake LastPass app into your store.
Starting point is 00:35:34 Yeah. But I mean, other than that, I mean, I'm finding it a bit hard to get excited by this because they, you know, it happens. It's going to happen sometimes. And the fact that this is such an exception, I mean, it's almost like the exception that proves the rule, that the iOS app store is a pretty safe place to get stuff from.
Starting point is 00:35:51 The fact that we're talking about it is because it's unusual for this to happen in Apple's app store, whereas in Google Play or the Microsoft app store or everywhere else, this is every day. So, you know, in that respect, Apple has done a good job, but also there should not be a fake LastPass password manager on there. No. And they are taking way too much of a chunk out of app developers.
Starting point is 00:36:12 Like, that is insane what they do. And to say that it's because, oh, security benefits and whatever, like, it is nuts. It is. And I think the guy who developed this particular one, he still has some other apps up in the App Store. So what do you do in Apple?
Starting point is 00:36:28 Well, they say they're going to take action against him and whatever, but, you know, anyway. We got some Krebs krebsing. So Brian Krebs has done some fine krebsing here. Looking at the identities of people behind the Russian cybercrime forum, Motherfucker, we had a discussion about that. We're not beeping it because it's not actually the naughty word. It's, you know, M-A-Z-A-F-A-K-A.
Starting point is 00:36:50 Which the Russians did choose because it sounds a lot like the naughty word. You know, phonetically similar, but it is not actually the naughty word. But yeah, Krebs has done his usual Krebs thing and done some doxing here. But he actually, like, it went somewhere interesting. Yeah, it did, it did. Like, normally when he pulls these threads, ends up with some random Russian that lives in a small town somewhere, and, you know, situation normal. Uh, this guy who has been involved in the
Starting point is 00:37:13 forums for, like, since the early 2000s. Yeah, I mean, he was a founder of this forum, right? Yeah. And he gives, like, legal advice on the forum. He says, my day job is a lawyer, and he gives legal advice, provides legal services for people on the forum. Turns out he's also a GRU soldier, and Krebs has got some pictures of him in the forest in his uniform looking very militaristic. But what's weird is this guy's OPSEC is really not that great. I mean, as Krebsing goes... This wasn't even hard.
Starting point is 00:37:45 No. This was like, look at the domain registration. It's called the email address. Yeah, historical domain registration correlation. Like, that's, you know, Krebs 101, you know, basic version. Yeah. And, yeah, this guy's just been running this for years whilst also being a, you know, commando,
Starting point is 00:38:02 which is kind of funny. Commando and lawyer and crime forum operator. Yeah. It's a great CV, actually. I love seeing a 2014 LiveJournal post cited in a doxing. I mean, that's just... That's just embarrassing for everybody. It is.
Starting point is 00:38:19 All right. Well, Adam, that's actually it for the week's news. Thank you very much for joining me in the flesh. It's great to host you at the Casa do Biz. Fantastic. And congratulations on surviving my daughter's sixth birthday party, the unicorn pajama party. It was a little hectic, I'm going to tell you.
Starting point is 00:38:37 And let me tell everyone there, Adam was the guest of honour. My daughter absolutely adores him. And, yeah, a good time was had by all. But, you know, it was – It was very loud. It was mildly traumatising, wasn't it? I mean, any kid's party that doesn't end with an ambulance or firetruck call-out is probably a good one.
Starting point is 00:38:56 But, boy, oh, boy, there was a lot of shrieking. Yeah, I think we were both the – you know, that meme of the dog having Vietnam War flashbacks was kind of the vibe about two hours in, but we got her done, buddy. We did, we did indeed. So yeah, we'll be chatting to you again next week when you're back in New Zealand,
Starting point is 00:39:13 but yeah, great to do it in the flesh, mate, and we'll do it again next week. Cheers. Yeah, thanks for having me, Pat. It's fun to do this in the same room, although it is quite sweaty here in Australia, I do have to say. Harden up.
Starting point is 00:39:33 That was Adam Boileau there with a look at the week's security news. It is time for this week's sponsor interview now with Feross Aboukhadijeh from Socket. Socket is a software supply chain security tool for developers that will find all of the ugly stuff that attackers tend to submit to open source repos. You know, it'll find your CVEs and whatnot as well, stuff that might be present in your projects, but it will also find stuff that's dangerous but doesn't have a CVE, like fake packages that are full of malware or malicious code. You know, think typo squatting and dependency confusion and all that sort of stuff. That's really the problem that they're trying to solve.
Starting point is 00:40:11 Feross joined me for this interview and started off by talking about the volume of bad packages that they're identifying, which is a pretty crazy volume, and about how a lot of the older software composition analysis players are just too slow to flag this stuff. It's getting published and pulled before they notice, which, you know, can be risky in certain circumstances. So here is Feross. So we're detecting and blocking 100 malicious packages every single week. And that's in the JavaScript ecosystem, Python and Go. It's really something to see. I mean, the amount of bad code that's getting published to these public package registries. I mean, I imagine a lot of it, though, is not stuff that's going to be included in anyone's project, right? Like I, you know, maybe some of it's typo squatting, some of it's just like putting it out there, crossing your fingers and hoping someone includes it. But you know, I can't imagine too many of these are getting much traction. Yeah. So there's, you know, there's a lot of garbage on there for sure. It's a public place where people can put any code.
Starting point is 00:41:03 We certainly see a lot of typo squatting attacks where they're just hoping someone's going to install it. And you see the difference with typo squatting in open source package registries is that unlike making a typo when you type in a website on your browser, when you make this typo, it's game over, right? I mean, you're running attacker code. It's like immediate remote code exec when you make that typo. So the consequences are pretty high. But we also see stuff like what's called dependency confusion, which is where somebody will name a public package the same as the name of a package used internally within a company. And occasionally that'll cause it to just get installed by some tooling. And then that's how they get in. Now, you're actually taking this information and passing it on to the repos.
Starting point is 00:41:48 And they're actually being quite responsive, aren't they, in terms of taking stuff down? Yeah, we report everything we find. We try to protect the community. We're not hoarding this information in any way. So we submit all those 100 packages every week to all the registries and get takedowns. But honestly, the part that I find somewhat disappointing, I guess, is that they're not doing anything with that info to kind of warn people. And so what we've been seeing a lot of is there's no notification system for if you've installed one of these packages that we learn later are malicious. They're not publishing CVEs for this, right? It's not really part of the...
Starting point is 00:42:25 A malware-laden package isn't going to be eligible for a CVE, right? Because it doesn't meet the criteria. But I guess the point you're making is that there should be a journal of record for this stuff somewhere. Absolutely. I mean, not to pick on GitHub here, but they run the NPM registry. So they know about every single one of these malware takedowns, but they don't put it into their GitHub advisories database. And so their products aren't going to warn about any of this stuff. And so what we've been doing is we've been keeping track of all of these takedowns. And obviously the ones we take down, but also others that get taken down for other reasons. And we put them all into our product.
Starting point is 00:43:04 And we also kind of have a list online that folks can see. And right now we're going on, you know, about seven, 8000 of these. Yeah, yeah. So that's, that's, that's, you know, you publish that all online. It's not just for paid users or anything, people can go just like look it up. But I guess it's only of limited use, right? When you got to manually go to a web page and like, search for it and whatever. You know, I'd be surprised if there's no one from GitHub listening, um, uh, who's going to get on that. Cause they seem, they seem to be pretty security conscious over there at GitHub, right? Yeah. No, I wasn't trying to pick on them. I like the team there a lot. Um, you know, Socket
Starting point is 00:43:36 is, is we're available on the GitHub marketplace. We work closely with that team. Uh, we're one of the top 50 apps, uh, over there. So, you know, it's just, it's a hard problem. And you got a lot of registries, a lot of different teams and folks, you know, just trying to take this stuff down. But it's really, it's really unfortunate that there's no easy way for, you know, teams to just figure out whether they're using this code. I mean, obviously with Socket, right, that's one of the things that's one of our value adds is once you connect Socket to your repos, the first thing you get is visibility. So you get to see all the open source code that you're using, all the dependencies. And then of course, we have data
Starting point is 00:44:11 on every one of those dependencies and whether any of those are malicious and are risks. We obviously do more than that too. We cover the traditional CVEs and we can also find a bunch of other risks like deprecated packages, packages with protest ware, telemetry. So the vendor could be phoning home.
Starting point is 00:44:29 The maintainer could be collecting data off of the system. We can also identify unpopular packages, packages with brand new authors. So one of the things that people really do like is once they've connected Socket, and it's a two-click install, by the way. It's just you go to the GitHub marketplace, you hit install, you pick the repos you want to add, and then you're done. You get this beautiful page with, first of all, all your dependencies that you're using. But then you also get a listing of all packages that have various risks in them. And you can just filter it down and say, I want to know every
Starting point is 00:44:58 single package that we're using in our organization that has obfuscated code in it. You know, just get a listing of that. You find, oh, these are the five packages that contain random blobs. What are they doing? You know, what is this code for? And you can kind of investigate that, and it's a good way to uncover lots of, uh, of risk. Yeah, now before we started this interview, you actually fired up screen share and showed me that, you know, one of your competitors, you know, major company in this space, you know, you showed me some of the repos that you'd flagged that had stuff like, you know, they download and execute, like, straight up, like, binaries from the internet. Like real, the worst of the worst sort of, um, packages. And, you know, you showed me the LLM-based write-up
Starting point is 00:45:39 that is in your entry for it on your website and whatever. But what was interesting is because you're catching these, reporting them, then they're getting nuked, at least one of your major competitors is slow enough that this just all happened and they didn't even notice it, so that there's no record of this ever happening. So, I mean, it's one thing where you've got GitHub and whatever aren't keeping a public record of it, but it's a problem, I guess, because other people are using
Starting point is 00:46:05 software composition analysis tools and this is just happening and they have no idea. Yeah, it's super unfortunate. I mean, these legacy SCA tools are not keeping up. I think part of it is their whole approach is reactive, right? It's about really looking at this CVE database, right? This vuln database that's mostly, it's published by
Starting point is 00:46:25 the NVD, right? It's basically people are reselling this data, that's public data. And they're waiting for vulns to get into that database, right? And so, you know, if you're doing that, you're going to miss supply chain attacks. You're going to miss malware because no one's reporting this stuff. So, and by the way, there's been research on this, like how long do malicious packages remain on these registries before they're found, and the research is over 200 days, right? This is like, uh, it was published at USENIX, uh, Security. So, you know, that's the status quo, right? No one is, like, no one's finding it. The existing tools aren't keeping up. And so the shift that we're seeing, at least at Socket, is that, like, the leading organizations, they actually get this right and they want to move beyond just basic vulnerability scanning and take a more holistic
Starting point is 00:47:09 supply chain security approach. And that's really important because the truth is, and I know, folks don't like to talk about this, but the truth is a lot of vulnerabilities, they're low impact, right? A lot of this stuff that get CVEs, a lot of it is low impact, difficult to exploit. It's in a developer dependency, development dependency. It's not actually going to run. Yeah, where something that downloads and runs, installer underscore six dot exe, which is I think one of the ones you just showed me.
Starting point is 00:47:36 That's maybe something you want to... Exactly, yeah. If you run that even once, you're in trouble. So it's really a completely higher level of risk. But the reason why folks haven't focused on it until now is it's been really hard to solve this problem, right? There hasn't been tooling like Socket that you could just grab and would protect you from these types of attacks.
Starting point is 00:47:54 So teams, you know, I don't blame teams for really ignoring this problem. It's been really hard. So we analyze every open source package that's published in real time. And we look for these threats. We flag them within seconds because we're following the feeds from all of the major registries. And then we just throw it into our analysis in real time. And so we catch this stuff within seconds, right? Yeah. But how does that square with what you said just earlier, which is that the average time that this stuff stays in
Starting point is 00:48:17 a repo is 200 days. I mean, if you're finding this stuff within seconds, reporting it to responsive teams, aren't you single-handedly going to pull that time down to like a couple of days? Yeah. So this research was from before we started the company. So this was in 2020 or, you know, it was basically the year we started, the same year we started the company. So I would love to see what that data looks like now. It's probably like, you know, it's probably a little bit lower than that. You see any trends in badness in repos? Cause this is something like, you know, my colleague, Catalin Cimpanu, is all over this stuff, right?
Starting point is 00:48:48 He loves paying attention to all of the shady stuff that gets submitted to various repos. But, you know, we've seen different waves, you know, protestware, typosquatting, dependency confusion. Like, what's the just general state of play with all of that at the moment? I mean, you probably know this already, but there's a lot of attacks on crypto stuff, anything related to crypto.
Starting point is 00:49:09 One of the ones that happened recently, the Ledger attack that happened last December. I don't know if you know, but you probably know Ledger is a hardware wallet, right? Yeah, yeah. Yeah, yeah, but they made this... I think this all happened when we were on break and I was just sort of half paying attention
Starting point is 00:49:26 via social media. But yeah, walk us through it because I'd love to hear about it. Yeah, so they published a JavaScript package that allows a website to connect to the hardware wallet through their Chrome extension bridge. Hang on, they did this? Like the actual company did this?
Starting point is 00:49:41 Yeah. Why? I don't know. I'm sure they have reasons, but they... But isn't the point of having a hardware wallet so that you don't have it sort of connected in such a way to you anyway? Sorry, go on. I just, it's just, it never... I don't know, I should stop being surprised, shouldn't I? But anyway, go on. Yeah, it's, it's unfortunate, but, uh, but yeah, basically what happened was they had a former employee, someone who left the company that accidentally retained access
Starting point is 00:50:07 to their JavaScript library that they published. And that guy got hacked. And the attacker who got on that developer's system was able to use his NPM credentials and publish some obfuscated code into that library. And unfortunately, most people were using that library through a CDN. And so that update to that package just went out to the CDN automatically, and then everyone started pulling it into their websites.
Starting point is 00:50:36 And so not very good decentralization, if you ask me. But yeah, so that was something that Socket caught right away. And because we saw that code go out, we detected it. You know, the team there did a really good job responding to it. I think they got, like, you know, they got it fixed within 40 minutes. And they had to wait for the CDN to kind of update. But point is, like, you know, that's the kind of thing you see a lot of because, you know, the attacker there just stole all the crypto, any transactions that happened on any sites that had that script in it for that period. And I think, I think it was, I don't remember the exact amount, but it was on the order of, you know, hundreds of k's. So it's just... But Feross, isn't the
Starting point is 00:51:11 point of a hardware wallet to have a storage mechanism for your crypto that is distinct and separate from your computer yes i mean isn't that the whole f***ing point? Yeah, I think you're right. Yeah. But I think that there's always pressure on people to integrate with more things, do more things and... I weep. I weep for the crypto kids. I feel like you're asking about trends and I gave you like one example, but I guess kind
Starting point is 00:51:44 of to sort of summarize it, it's like, you know, we just see a lot of stuff with crypto, as you might imagine, right? There's just a lot of, uh, a lot of interest on the site, on the part of attackers. So attackers want money, no surprises there. Yeah, it just, you see that all the time in these. And, oh, actually, I have another one too that might be interesting: Discord. I mean, we just see Discord. It's like these kids, right? They just want to hack Discord accounts, like they want Discord tokens and crypto. Yeah, it's like, it's what the kids are into these days, right? Yeah, they're like, you know, yeah, they're playing Fortnite and stealing the Discord tokens. Now, straight up, like, just grepping for the word Discord in your, in your, uh, in your dependency folder is a great way to find malware. It's literally that string. That string has
Starting point is 00:52:24 been, uh, has been very valuable to us. Hosting malware on Discord, a code that steals, you know, Discord tokens from your, from your system, right? Like it just, the word Discord in any way. There you go. That's a, that's a red flag. All right. Feross Aboukhadijeh, thank you so much for joining us on the show to talk to all of that. It was a lot of fun to catch up and we'll talk to you again later in the year. Cool. Thanks, Patrick. That was Feross Aboukhadijeh there from Socket. Big thanks to him for that and you can find them
Starting point is 00:52:52 at socket.dev. And that is it for this week's show. I do hope you enjoyed it. I'll be back next week with more security news and analysis, but until then, I've been Patrick Gray. Thanks for listening.