Risky Business - Risky Business #737 -- LockBit gets absolutely rekt
Episode Date: February 20, 2024

In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about:
- LockBit has been taken down by law enforcement
- Some mega-j...uicy leaks out of Chinese offsec/APT contractor I-SOON
- GRU gets its Moobot network shutdown
- Signal adding usernames is… complicated
- Much, much more

In this week’s sponsor interview Devicie’s Tom Plant joins the show to talk about problems orgs run into when it comes to Windows policies. There’s an expectation out there that Windows policies are set and forget, but sadly, this is not so.

Show notes
- Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates – Krebs on Security
- Law enforcement disrupt world’s biggest ransomware operation
- Shanghai Anxun’s information is unreliable and is a trap for national government agencies.
- China spy agency renews foreign cyber intelligence warning after data breaches
- US Justice Department says it disrupted Russian intelligence hacking network | Reuters
- Several Ukrainian media outlets attacked by Russian hackers
- Polish PM says previous ruling party used Pegasus spyware against ‘very long’ list of victims
- Hackers are targeting Asian bank accounts using stolen facial recognition data
- Signal Finally Rolls Out Usernames, So You Can Keep Your Phone Number Private | WIRED
- Code injection or backdoor: A new look at Ivanti’s CVE-2021-44529 – “the "AB" trigger has similar vibes to the Unreal IRCd and ProFTPD backdoors of the same timeframe.”
- FLATLINED: ANALYZING PULSE SECURE FIRMWARE AND BYPASSING INTEGRITY CHECKING
- CVSS 10 RCE in Screen Connect
- National Security Agency Announces Retirement of Cybersecurity Director
- Hunting M365 Invaders: Navigating the Shadows of Midnight Blizzard
Transcript
Over the past few days, the Justice Department has worked together with our partners in the
United Kingdom and around the world to take down LockBit, one of the most prolific ransomware
variants in the world.
Together, we dismantled and seized infrastructure that the LockBit ransomware group has used
to target over 2,000 victims and extort more than $120 million in ransom payments.
Hi everyone and welcome to Risky Business.
My name's Patrick Gray and that was U.S. Attorney General Merrick B. Garland
talking about the disruption action against LockBit that just went down.
Obviously, we'll be talking about that with Adam Boileau in this week's news segment.
And, you know, there's a lot going on right now.
In addition to the LockBit takedown, there's been a massive leak of data from the Chinese
offsec contractor, I-SOON.
That one is juicy.
So grab your popcorn and get ready.
We'll be jumping into that momentarily.
This week's show is brought to you by Devicie and Devicie's Tom Plant,
who'll be along a bit later on to talk about problems
orgs run into when it comes to Windows policies.
There's an expectation out there among a lot of people
that Windows policies are kind of set and forget things,
but sadly, this is not so.
So Tom is going to pop in to talk about
Windows policies gone wrong.
And of course, Devicie runs a platform
that manages its customers' environments via Microsoft Intune.
So this is stuff they know about.
That is coming up later.
But first up, of course, it's time to get into the news with Adam Boileau.
And Adam, I think some time ago, you know, I expressed an opinion on this show that I would be very surprised if there weren't currently a bunch of hounds working their way into the LockBit organization to run some sort of disruption
action against them. And yeah, it's happened. There's been a takedown. And look, this one's
a little bit more impressive than usual. I mean, it's always nice to see a ransomware as a service
platform dismantled, but LockBit really got wrecked.
Yeah, LockBit's one of the bigger operations of the last few years,
and this feels like a pretty thorough wrecking.
Like a consortium of law enforcement people,
I think led by the French initially,
but with the American and British and all sorts of things,
have gotten all up in LockBit's business,
taken over LockBit's leak portal,
and they've released decryption keys. They've released, I
think in cooperation with Japanese law enforcement, a recovery tool. They've announced a bunch of
indictments of various LockBit affiliates, and even the defacement of LockBit's... like, they took
over LockBit's leak site, but they've kind of done it in the style of LockBit's web design. So it's just, it's a beautiful
thing.
Yeah, no, I mean, it's like they had some fun with this, right? Which is, which is great. And you
can tell, like, if you're going to put this much work in, it's worth spending a few afternoons to
get the artwork right, you know. And it really is, it really is spectacular. I thought it was actually
the, uh, Brits. I thought it was the NCA. Uh, you know, I think they're all being a bit vague
about, like, which agency was lead
because there were so many of them involved
and I think they're trying to present a, you know, united front.
But who cares?
Whodunit, because it's got a bow on it.
Although there are things here that annoy me.
Like they've said they seized 200 cryptocurrency accounts
thought to be tied to
the gang's activities. And okay, that's great, but you didn't tell us what amount of crypto, like what
the dollar amount of crypto that you seized is, which indicates to me that these were probably
throwaway laundering accounts. Uh, so yeah, that's a bit disappointing.
Yeah, and I think, I mean, they
don't, they haven't rounded up, like, the main ringleader, or the... we don't know who the person behind the LockBitSupp persona is, uh, and that person apparently is still at large.
Uh, they've rounded up a number of affiliates, which is great work, but, you know, LockBit was a very
large operation in terms of the number of people involved and the number of victims, so, you know,
I'm sure we will see more over time as they work through the material they've got and pull the
threads and so on.
But, yeah, there's always more that you could do in these things.
But, I mean, this is a pretty big blow to, you know, ransomware as an overall community.
And it's funny, they appear to have initially got in here through a PHP bug, according to some scuttlebutt on the forums.
Well, that's because that's what LockBit is claiming.
But the fact is LockBit wouldn't know, right?
Because they are not expert incident responders
and they can't just call Mandiant.
I mean, that would be hilarious.
Yeah.
But yeah, so we don't 100% know.
And law enforcement has ways and means
that are good for taking out these types of crowds.
And honestly, having a bit of discord sowed in the community and have a bit of distrust and a bit of uncertainty is great,
because it makes those communities harder to work in. It, you know, brings fear and drives people out
of the scene and so on and so forth. So it's just, yeah, it's really nice to see a high quality, high
profile takedown.
And I'm sure they'll be working through the loot from this for quite a long time.
And we'll see the best for years to come.
Yeah, there's so much.
There's indictments, there's sanctions coming,
there's recovery tools and whatnot.
And it's just so comprehensive that it makes me think,
some of these global counter ransomware initiative things.
I went to the Australian embassy
to one of the get-togethers for this thing.
And I think I remember saying on the show
that there was just like a lot of people there,
like just bureaucrats, like a room full of bureaucrats
who are in the United States to have meetings on this.
And, you know, I mean, this is a positive development
when you see that sort of,
you go from sort of cheap canapes at a function
at an embassy to this, and you're like, oh, okay, right, and maybe they can get stuff done after
all.
Yeah, I mean, you know, the wheels move slowly, but they do move, and, you know, law
enforcement, you know, it takes them a while to learn new technologies and new tricks and new
crime types, but, you know, dogged police work is their speciality, and that's what leads you to success against these kinds of groups. And I think the press release from Europol about it
said, you know, there was like 27 operational meetings and a thousand messages in their,
like, case management system and so on. So you kind of get a feel for, you know, quite how many people
and quite how much hard work went into this. And it's important to acknowledge that, like, this is real police work that took a lot of
people's time and effort. And as you say, just getting the defacement to look nice at the end,
totally worth it as a cherry on top.
I should say, though, the canapes at the Australian embassy were
actually pretty good, so that wasn't, that wasn't entirely a fair comment. Your taxpayer dollars at work there. That was rather unfair.
But when I first started advocating for this type of thing many, many years ago,
I thought it would be either the SIGINT agencies or the military agencies,
cyber agencies that would do it because they have the skills
and they have a mandate to operate outside of their nation's borders
to do this sort of thing.
And it's turned out a bit different, which is rather than them using their authorities,
which, I mean, they would have needed tuning up anyway,
it's more that law enforcement agencies are now doing this disruption stuff.
And I think it's great because so many law enforcement agencies
are just told consistently to get runs on the board, right?
What they need to get is convictions.
And it's hard to justify spending the money and the time
and the effort to go and do something like this
when chances are you're not going to get any convictions
because the principal offenders are based in Russia
and you can't extradite them.
So I think, you know, a lot of this was a problem of incentives, right,
where law enforcement wasn't really incentivised
to do this sort of thing.
And that's changed.
And I think it's really good.
I mean, if a law enforcement agency can get a warrant to kick in someone's front door,
I don't see why they shouldn't be able to get a warrant to exploit someone's out-of-date
PHP, you know?
And here we all are.
And it's wonderful.
Like, they've extracted a bunch of intelligence here as well.
Like, this is, I think, a meaningful disruption.
Like, I think the last few big ones we've seen
have all been quite meaningful.
I think this will start actually having an impact
throughout this year.
Yeah, I think you're right.
And, you know, when we were first looking at, you know,
how do we deal with ransomware and can we release hounds?
It was a case of, you know,
we've got this capability in intelligence agencies.
We could use it there.
It would be better in law enforcement.
And it's great to see, over time,
law enforcement's got to the point
where they can do these things.
They're proving to be pretty good at it.
Yeah, it's great to see.
So hats off to all of our listeners
who work in those law enforcement communities,
and good job.
Yeah, I'm sure they're getting some help
from the SIGINT people, though.
Yeah.
Anyway, that's a fun one, isn't it?
Yeah, it's nice to see.
It's not often we have good news on the show.
Especially not the star up the front.
LockBit, we spit on your grave.
Now let's move on to our other big story
of the week, Adam, and I'm just stunned
this one isn't in the news,
right? So, like, it's
been a few days now and barely
anyone's reporting on this. But, uh, it's, you
know, it's made a big splash on, um, uh, social media and whatnot. But, uh, this, this contractor in China
called I-SOON, which looks like it, yeah, it's real plugged into the offensive tooling market over
there, and they have police as customers and all sorts of agencies as customers. Yeah, they've experienced a real massive, uh, data
breach and all of their stuff is getting leaked, and it's amazing. It's absolutely amazing. This is
kind of like, uh, what was my joke? When you get your Edward Snowden from Wish. But, uh, yeah, they're
having, they're having a real bad time at the moment because, you know, these leaks are pretty juicy. Why don't you walk us through them?
Yeah, so persons unknown uploaded to GitHub a bunch of documentation and screenshots
and chat logs and things from this company, and their position seemed to be that there was a bunch
of disgruntled people. The company is not doing very well financially. There's been a lot of, you
know, staff leaving and a lot of, you know, disgruntled employees. And it feels like perhaps this is one
of them. And it contains, you know, a bunch of documentation about their products and services
and business pitches. So this is a company that essentially markets itself literally as an APT
to Chinese, you know, government agencies. They provide APT services.
And there's a bunch of data in there,
like when they're out there.
I mean, when you say they provide APT services,
they even market them as like,
here's our APT services,
which is quite hilarious,
given that that was originally a term coined
by the Americans to describe these Chinese groups, right?
Now they're using it in their marketing material.
Yes, we do APT services.
And yeah, it's filled with juicy stuff.
There is a pitch document that they wrote
pitching to a county province in Western China
for their anti-terrorism services
to deal with pesky Uyghur Muslims and things like
that, where they talk through, here's a bunch of the other stuff that we've hacked to get data to use
for these, you know, anti-terrorism services. And these are like telcos in Kazakhstan and airlines
in India and, you know, a bunch of other government entities around the place. And they have in this GitHub repo, like,
is some raw data from telcos in Kazakhstan.
There's like call data records and other log files and things.
Yeah, there's like CDRs and stuff that lets you work out the victims.
And like, they've been thoroughly wrecked here.
Like this is, you know,
this is making LockBit look like they're having a good week.
Yeah.
Like there was a document that described a bunch of the things
that they had compromised, one of which I think was Air India,
and it was like check-in kiosks at Air India
where they were getting 100,000 check-in records a day
from these systems.
So that's a pretty major compromise.
And then there's a couple of other airlines involved,
telcos, government entities,
and that's what they were pitching to
this particular local, you know, provincial authority to, to purchase their services.
There's a bunch of other great stuff. Like, they've been all up in Malaysia's business.
They're into, like, Malaysia's Bureau of Statistics. But yeah, so quite a prolific crew that's been
around for quite a long time. Like some of the people who work there have been there for, you know, tens of years. And the chat logs appear to have been scraped out of
their WeChat, either on their phone or synchronized to desktop or whatever it is. And there's just a,
you know, whilst there's a bunch of APTing in here and a bunch of insight into some of the things
they get up to, there's also just kind of like a slice of life of what it's like being a Chinese, you know, APT employee
and not a very well-paid one
because there are a lot of complaints about pay.
Yeah, no one getting paid well
at a Chinese sort of, you know, off-sec tooling company.
I mean, we could just hire all of their people,
give them citizenship in the West,
keep an eye on them, obviously,
but, you know, we'd solve that.
We could drain
their talent pool real easy.
Yeah. I mean, I was surprised because I looked through-
We'll triple your salaries, everyone. We'll 10X them. Come on over. It's great.
I looked through some of the chats where they were complaining about salary, and there was one guy
complaining, when I used to work at Hikvision, I got this much a month and now I only get this
much. I took a pay cut to come here and I've got more money now.
But the numbers are really not impressive.
Like they're very mid tier,
you know, basically bang on
the kind of average salary
for that particular region in China.
They're really not making out,
you know, like-
They're offering turnkey
end-to-end exploitation services
for like 60 grand.
Like it's so cheap.
So Tom, Tom Uren's working on a piece for tomorrow's newsletter.
So go to news.risky.biz to register and you'll get it in your inbox as soon
as it's ready.
Catalin Cimpanu has done some of the reporting that's going into that.
And we've got drafts and notes and stuff in front of us.
So, you know,
Catalin's compiled a bit of a list of some of their toolings.
So they've got malware that can run on Windows,
macOS, Linux, iOS, and Android.
They've got a platform to collect and analyze email data,
a platform to hack into Outlook accounts,
a Twitter monitoring platform, which was interesting.
There's a reconnaissance platform
to, you know, pull together OSINT data.
And they've got physical hardware devices
to be used on-prem, right?
So targeting Wi-Fi networks and whatnot.
And they also have these communications equipment and services
which use a Tor-like network for agents working abroad.
So there's just so much juicy stuff in here.
And Tom actually spotted something.
Tom and Catalin both spotted something real interesting,
which is for a long time we've wondered whether or not Chinese government agencies were snagging proof of concept exploits out of things like the Tianfu Cup, right, which is the Pwn2Own of China.
And there was never any sort of smoking gun out of that, especially when, you know, the Chinese government passed rules saying if you've got an exploit that you're going to report, you've got to share it with the government
and whatever, and we could never quite know if there was a pipeline
to orgs like MSS.
We did see an exploit that was used in the Tianfu Cup being used
to target Uyghur Muslims shortly afterwards, and that was an indication
that there was some sort of connection there, but we didn't know
if it was official.
Anyway, what the guys have found is that there are indications
in these chats that suggest that pipeline exists.
Here's Tom Uren talking about that.
It's been speculated, and there's evidence,
that the Chinese intelligence authorities are kind of siphoning off
vulnerabilities from these kinds of contests.
And in this chat between the head of
the company and an underling, it's a back and forth about, you know, what's happening to these
vulnerabilities? Can we get them? And the reply is, no, they've already been given to Jiangsu,
which is the, I think the Jiangsu Ministry of State Security, which is one of the Ministry
of State Security branches that does
a lot of hacking. So it's interesting. Now, it's not conclusive proof that those vulnerabilities
are being sent to intelligence agencies, but it's pretty interesting that the people doing
the hacking think that they are.
So yeah, I mean, I just think this is a great leak if you really want to understand, yeah, what the
Chinese, what a Chinese offsec company looks like. And it looks like they've linked some of the either
the tools or the activities of this company to, like, APT41. And there's so much good stuff in here.
It's great.
Yeah, and I think, like, for me, having spent, you know, quite a bit of yesterday afternoon
reading through some of the chat history, you know, through machine translation, like the slice of life aspect, like I can relate to some
of these people, you know, complaining about how difficult it is to turn proof of concept into
actual exploits on iOS, or, you know, asking what version of Juniper the target's running and do
they have an exploit for it. And then also there's a lot of, like, let's go out for hot pot, let's,
you know, complain about the boss or the expense claim process.
Hey boss, come down here.
We're all playing Mahjong.
Yes.
Yeah.
Like it's just, you know, proper slice of life stuff.
And like, if anything, it's very easy to demonize your geostrategic opponents, but just seeing the slice of life stuff of, you know, complaining about.
I mean, yeah, but keep in mind, these people know that their tools are going to be used
to target the Uyghur diaspora in other countries
and, you know, not for legitimate security reasons.
And you just sort of think,
well, I don't really care that you come across
as a normal person in your WeChat, bro.
You know?
I don't know.
I just, I like there being some humanity there.
Of course.
Like wherever you go in the world, people are just people.
Yeah, we all put on our pants one leg at a time, as they say.
Although tomorrow, just to disprove that,
I'm going to put my pants on the floor and jump into them.
Just to be a contrarian.
I saw it.
There was one of the chats where someone was saying,
hey, look, I drank too much tonight, boss,
but man, I never want to work with the police.
These guys suck to work for.
Can we just get some new customers
that aren't the police force?
Because, oh, yeah, yeah.
Complaining about how the coppers
that they were trying to, you know,
get to use their exploitation tooling
were dumb asses, basically.
It was, yeah, it was pretty funny.
It's relatable, you know, and I felt that.
Yeah, I mean, you literally were eating popcorn
while you were going over these.
He sent us a link into, not a link, I'm sorry,
a picture into Slack of like the big old bowl of popcorn
in front of this GitHub and he's sitting there going,
nom, nom, nom, nom, nom.
So good work from everyone here at Risky Biz.
Like, you know, Catalin and Tom, yourself all dove in.
I was out of the office yesterday for a really boring reason.
But yeah, everyone just did some great analysis.
And Tom's going to be, yeah, pulling a lot of that together for tomorrow's newsletter.
Again, head to news.risky.biz if you want to be able to read that.
Now, look, staying with China, and we've got a story here from the South China Morning Post,
which I think is fascinating because it's basically the Chinese MSS
issuing renewed warnings about foreign espionage.
They're citing a couple of cases here where they got hacked,
talking about the need to be vigilant, et cetera, et cetera, et cetera.
What I find fascinating about this is it is so similar
to what the Western intelligence agencies are telling their constituents, right?
So China's kind of going through that transformation now
of like, oh, okay, we've been this very secretive agency,
but we've got to go out there and engage
because we're getting wrecked.
And I just find it amazing that they are now dealing,
they are now trying these tactics
to deal with the same problem, right?
Yeah, it's funny to see it happening
and, you know, seeing them have exactly the problems that we have. And I know it's a topic we've talked
about a number of times over the years, is like, is a more controlled society like China better for
managing cyber security? Like, can you do a better job of securing your critical infrastructure and
your military and your blah blah blah in a very restrictive, centrally controlled environment?
Or can we manage it in a, you know, in a free country, or in a free, you know, in the West?
Because we have the same kinds of problems. And so it's interesting to see them either doing things
differently than us or doing things in very much the same way, you know, um, stealing bugs from Tianfu Cup for
people to use versus, you know, this kind of thing of like, you've got to go out there and explain to
everybody why they do have to patch their stuff.
Yeah, but, you know, as we've talked about before,
telling everyone to patch your stuff doesn't get you the results you might want.
No, no, but I love
this. Like, let me just read from their, their WeChat post: cyber spies outside China often scan exposed network security flaws in large batches.
Once they discover unpatched vulnerabilities on important units,
they launch targeted attacks to steal data.
Gee, sounds familiar.
It sure does.
Now, meanwhile, the US Department of Justice has disrupted
what looks like a SOHO router botnet that was being used by Russian intelligence services.
This story from Reuters says that they relied on criminals
to build this thing for them,
but I think what that kind of means is they took this over from some criminals.
Yeah, like either they stole it or found the people
and said you've got to give it to us, or they just bought it.
But yeah, this is, you know, just another takedown of this sort of thing.
I think it's interesting, right, that we're seeing,
because we saw some takedowns, oh, not takedowns,
we saw a disruption action against the similar network
being used by Volt Typhoon.
I think we spoke about that last week or the week before,
although GreyNoise didn't see much of a drop off there.
But at least we can say that dismantling these types of things
looks to be more and more a priority for US authorities, at least.
Yeah, the FBI had Operation Dying Ember, which they were
court authorized to go and take over a bunch of the devices that comprised this GRU botnet. As you
said, it was previously built by criminals, the Moobot crew, who've built botnets out of a bunch
of things, television cameras and
other things like that. Their Ubiquiti botnet was what got taken over here. The FBI were allowed by
the court to go in and install firewall rules to disconnect these things from their command and
control system, but as people reboot their routers or factory reset or whatever, then it will become,
you know, it could kind of come back through that mechanism.
But yeah, the fact that this is a regular thing that the FBI are doing,
we don't see any arguments about, oh my God,
making changes to other people's devices is not a thing you're allowed to do.
That argument's long dead.
Thanks, because I was sick of talking about that one as well.
Yeah, get in the bin, that argument.
Moving over to Ukraine now, and a bunch of
Ukrainian media outlets have been attacked, uh, by Russian hackers, and they're planting fake news and
whatnot. Now, this is dumb, and if you want to know why it's dumb, you need to listen to one of our
other podcasts.
Yes, yes, you do. Uh, this week on, um, Between Two Nerds, Tom Uren and our good friend of the show, the Grugq, talked through kind of how Russian cyber doctrine was written and what it actually manifested as in the Ukraine war, and kind of compares that to, you know, how effective non-cyber means have been. And seeing Russian doctrine playing out exactly per the letter here
and then hearing Tom and Gruck talk through how effective that might be
and why, in fact, it isn't very effective,
I really enjoyed it.
That was a solid lesson from them this week.
Yeah, look, if you're not subscribed to Risky Business News,
which is the RSS feed where that podcast appears,
so I had to do a bunch of driving yesterday,
and I just mainlined all of the content from Risky Biz News,
and I'd taken some time off so I could listen to it with fresh ears
and just wall-to-wall incredible, like, you know,
Catalin's bulletins, as read by Claire Aird, are just top-notch.
You won't find anything better anywhere.
And, yeah, that podcast has gotten so good.
Yeah, and, you know, the Grugq talking about how, you know, to the Russians everything is people, and to the
Americans nothing is people, it's all about things and objectives. And, you know, really contrasting
those two approaches to, to using cyber. And I think it was actually the, the Between Two Nerds the week
earlier where they're, um, the Grugq, and I'd had this thought as well, so that's why I really remember him saying this, is that, you know, the Russians tend... the Axis powers in World War II thought that you could bomb people into submission.
And that those people would get angry at their own governments instead of getting angry at the people who are actually bombing them.
And obviously, you know, that's not how that plays out, right?
Certainly not in Vietnam, that's for sure.
Well, not in Vietnam, not in England, not in Germany, not in Japan, not anywhere, you know.
So, like, it just doesn't work.
You don't bomb people into your point of view
and you can't really do that with these types of actions.
I mean, this one's a little bit different
because we're talking about cyber to do disinfo
rather than sort of cyber shock and awe.
But, look, really, I mean, we included this here
so that we had an excuse to tell everyone to go listen
to Between Two Nerds because it really was very good.
It's a great episode.
You should totally listen to it.
So, yes, good job.
Now, in Poland, the prime minister over there
has said the previous government used the Pegasus spyware
against a really long list of victims.
And it looks like in a series of surveillance operations
that look to be quite dangerous to democracy there.
Yes, because we've talked a bunch about Poland's problem
with using Pegasus, and there have been citizen lab reports
and so on and so forth, but since there's been a change
of government in Poland, the incoming administration
has dug through the records and found, you know, solid evidence that
the previous government was, you know, really quite strongly abusing Pegasus to attack its adversaries,
and, you know, that the influence on the previous election in Poland was pretty strong. And there's
just, like, it's gonna be a long list of people getting their comeuppance, which is great to see.
it's also interesting because it kind of underscores the problem with NSO's argument that, oh,
we only sell it to legitimate users from trusted places, and therefore it's fine to
make these tools available when it's very clear that they are being abused, and not
just in Poland.
We've seen other examples around Europe where it's being used against the democratic
process by people in power. So I think this is an important case to really make sure that future
spyware operations can't just weasel out using that kind of excuse.
Yeah, but I mean, you would
have thought you would be safe doing business with Poland. I mean, I just wonder how something like this happens, right?
Because if some ruling party here had the same idea, it wouldn't get very far.
Certainly hope not, right?
It would turn into a scandal pretty quickly, or it would just get shut down and just never would get off the ground.
So I'm really curious to find out, you know, really quite how this happened and what they're going to do to make
sure it can't happen again with the next vendor, you know.
Well, exactly. And I've been given that
similar things happen in, what, like Spain and Greece and Hungary. Yeah, and, and so on. Like, this
is a problem that we need to, you know, shine some light on. And, yeah, I'm really interested to see,
uh, how the Polish justice system deals with this.
Uh, what do we got here? We got one from James
Reddick over at The Record,
which is suspected Chinese hackers are stealing facial recognition data
and using it to access bank accounts in Southeast Asia.
I mean, what this looks like is they're using photographic data
to do deep fakes, to do kind of like,
yes, it is me who's trying to do that transaction level
of authentication with banks.
I mean, this
isn't about actually tricking facial authentication technologies like you might find in an iPhone, for
example.
Yeah, so this is based on a write-up from Group-IB, who looked into this Android and now iOS
malware family called GoldDigger, and one of the features of this was that when you got this app installed
on iOS, they basically rely on social engineering people to install an MDM profile, whereas on
Android they have actual exploits. And then it, amongst other things, will get you to enroll in a
fake facial recognition process, which then steals video of your face from the camera,
and then they use that
to, to bypass other facial authentication elsewhere. And this one is particularly interesting because
this malware focuses in Thailand and Vietnam, where the bank regulators have demanded that banks use
facial recognition for big transactions. So it's now become commonplace in those, that all banks have gone and built facial recognition systems
of presumably varying qualities,
like they're buying off-the-shelf systems.
And those banks are price sensitive like any other buyer,
and there's a range of qualities there.
So seeing malware, collecting that data
to then bypass banks' facial authentication
in Thailand and Vietnam
makes a whole bunch of sense. As you say, bypassing iOS facial auth with the stolen data, probably not a thing that's straightforward, because Apple's facial recognition uses, you know, depth cameras and infrared and all sorts of fancy business. But for online, you know, video, essentially video conferencing-based stuff.
This sort of thing for online is a dumb idea.
Yes.
And it always has been, and it's always going to be bypassable
because it's not, you know, at least Apple, you know,
Apple does think through some things quite carefully
and biometrics has been one of them.
Yeah.
Where, you know, that stuff, you can't access that sensor raw.
It's all plumbed through to their, like, little Secure Enclave, and, you know, that this is why...
Yes, and exactly. That tech's been around for a while now. Like, this isn't a threat that nobody saw coming.
Yeah, and I mean, the systems that I have seen that implement this sort of identity verification for opening bank accounts or whatever else, like, they're all pretty shonky. And it's hard for the people buying the technology to understand, because it looks the same. Like, the difference between an iPhone unlocking with your face and you just, like, running some web, you know, video conferencing thing with your bank to sign up for an account or whatever, like, those are different things underneath, in ways that are technical and nuanced but very important from a security attestation perspective. And, you know, the people making the purchasing decisions about these systems don't understand that, and the people testing them... as I, and I say this as someone who, in my pen testing career, we looked at exactly these kinds of identity verification systems, and by and large we broke them all. And the response from a customer reading that report is not, well, we have to throw out this whole idea because it's dumb. It's, let's point-fix a couple of the really egregious problems and get on with life.
Because, yeah, let's get the risk accepted stamp.
Yes, yeah, dip it in the ink.
Yeah, boom, let's go, baby.
Because turning around and saying we can't do remote identity verification in the modern world is not an acceptable answer when the bank has got to, you know, have a way to do it, because they're closing their branches.
Right, so, you know, this is going to come home to roost, you know, in a very long, slow, painful process for everybody in our society.
And we will be in business running this show for a very long time because of it.
So thanks.
Hooray.
Hey, see, silver lining.
Andy Greenberg over at Wired has written a story about how Signal has finally rolled
out usernames in a beta so that you can keep your phone number private, which, you know,
I think is a recipe for abuse.
Personally, I really hope they've thought through this,
but there's a lot of talk about how wonderfully private it's going to be
so that you can message people with a username
and not expose your phone number and stay sort of anonymous.
But there's not really much talk about what they're going to do to handle abuse,
which I find a bit curious because you would think like,
domestic, bad domestic situations, ex-partners, things like that, right? Like, how is this not going to be a disaster? Convince me, because I, I just don't know.
So, I mean, Signal is at the pointy end of a lot of this, like, privacy preservation versus social harms kind of, you know, trade-off, right?
They are in a tough place compared to something like WhatsApp or Facebook Messenger,
where they've got, you know, existing ecosystems to tie into,
where the overall privacy concerns around Facebook, et cetera, et cetera, are kind of different,
where Signal is a one-stop shop just for messaging.
That's all they do.
Their system is kind of interesting in that it's not just you get a username
as well as your phone number.
It's that you can pick a username and bind it to your phone number
in a way that it's privacy-preserving,
and you can change that binding at any point in time.
You can change your username any time, and once you do,
there's no way to tie an earlier username to your phone
number again, right? Because essentially it's like a hashing sort of situation. So once you've changed your username, Signal can't tell law enforcement or anyone else who that username was bound to at a previous point in time, which has a lot of interesting privacy aspects. But as you say, like, the abuse aspect is pretty wild, and in terms of what Signal is going to do about abuse, like, I'm not clear yet. Like, this is a pretty novel design for a large-scale public messaging system's, you know, sort of identity system, and I don't know what consequences we're going to see. Like, it's going to be messy, I think,
and the question I have,
and I say this as a regular Signal user
and somebody who pays Signal money for that service,
like, I wonder if they're going to bite off
more than they can chew here with law enforcement
because, you know, phone numbers...
Can they look up a current username
and match it to a number?
Is that data that Signal would hold,
or is it something that, you know, law enforcement?
Well, I guess they would have to ask Signal because.
So they'd have to ask Signal,
and Signal must have that data to do that binding in real time.
You would think so, yeah.
But once you change it, that data appears to no longer exist.
And knowing the phone number doesn't mean you know the usernames that are associated with it, and knowing usernames doesn't mean that you necessarily know the phone number. You can turn that setting off. But Signal has to have some of that binding data for right now. But yeah, it's just an interesting design, and the consequences are not a hundred percent clear to me yet.
No. Well, look, let's talk about something utterly hilarious, which is the Ivanti backdoor.
Oh, yes, this is so good. So good.
Let's... this is like a palate cleanser.
Yes, a little, little something fresh.
So one of the Ivanti bugs, in their, like, Pulse Secure... you know, I think it's their Endpoint Manager product. They patched it.
It was like a code exec bug.
And Ivanti described it as code injection.
Some guy over at GreyNoise, Ron, Ron Bowes at GreyNoise,
he started digging into it after a tweet from Steven Seeley, mr_me.
And it turns out this is less a remote code execution
and more a backdoor.
And this backdoor is in a piece of code called csrf-magic,
which is a project that has been dead for 10, 8 years,
something like that.
So at some point, their code repo got compromised.
A backdoor got put into the PHP, and that backdoor meant that, you know, if you showed up with a magic cookie with, you know, a certain thing in it, then you could just provide a command to execute, and it would. This got written up and fixed, you know, in the underlying code mid-2010s, I think.
And this backdoor has a bunch of things in common
with some other backdoors that were contemporary
at that point in time,
in that it used the prefix AB to trigger the backdoor.
And the other backdoors that were contemporary
from that time were in ProFTPD and UnrealIRCd.
And I'm guessing that AB stands for Acid Bitches,
who were a hacker crew that was involved in an IRC war back in the, you know, late 2000s.
I mean, this, like what GreyNoise has done, what Ron Bowes has done here,
is less security research and more kind of security archaeology.
Yes, yes, exactly.
You know, this is a remnant from a previous time.
And it's, here it is.
And here it is.
And so.
It's like finding dinosaur bones, like somewhere unexpected.
Exactly.
And so like the funny thing is that SSL VPNs in themselves
are an early 2000s, you know, mid-2000s era construct.
And the idea that Ivanti's SSL VPN,
which is, as we discussed, I think maybe last week
or the week before, essentially Funk Software's SSL VPN
from the early 2000s, has a contemporary backdoor
from the early 2000s from a hacker crew of that time
still in it to this day
And I don't know that there's a more beautiful thing. Like, that's... like, it's really lit up my week, knowing that, you know, a scene war from 20 years ago is still being played out in echoes.
Security echoes, Adam. And yes, I am aware that I mentioned archaeology, and made an archaeology joke, and then spoke about dinosaur bones. Before anyone writes in, I know that's palaeontology, so you don't need to... you don't need to... you can stop typing your email. Settle down, settle down there. And, look, real quick, because we're sort of going over time at this point, there's another issue here with, like, the Pulse Secure integrity checking, which, you know, someone basically released a tool where you could check the integrity of your Pulse Secure, and then someone's finally got around to looking at it, and apparently it's not very good.
Ivanti released the tool. This was an official Ivanti tool to check the integrity of their product.
And yeah, but that's Ivanti Pulse Secure, right?
Yes. Yeah, so Ivanti released the tool, and then, yeah, someone from Eclypsium pulled it apart and found that it really doesn't work particularly well,
and you can bypass it, lol,
which, yeah, not really a surprise, I guess,
given the engineering grade in this product.
Let's throw another log on this old trash fire right now.
Do you throw a log on a trash fire?
I guess if you want to keep it burning,
you just throw more trash.
Yeah, more trash.
So more trash into the dumpster fire here,
and we've got a ConnectWise ScreenConnect CVSS 10.
And they are rare.
Like you see 9.8s all the time, and they're terrible,
but like a 10, a perfect 10 out of 10.
This is like in gymnastics.
You don't see a perfect 10 every now, you know, all the time, right?
Yeah, most vendors goose the stats to try and make it not 10 out of 10,
but no, ConnectWise just straight up owned it.
Yes, their security product had a 10 out of 10 path traversal to code exec. Womp womp womp womp. So they've described it as authentication bypass using an alternate path or channel, which I'm guessing is just hit a different slash whatever.
Yeah, exactly, exactly. Yeah, so I think Shadowserver said
there's like maybe 8,000 of these on the internet,
unpatched or like we're running vulnerable
to this particular bug.
So if you are unfortunate enough to have one,
then go and visit the very doublespeak named
ConnectWise Trust Centre
to restore your trust in their terrible product.
Now, Rob Joyce, who's been a guest on this program
a bunch of times, he is the
current director, cybersecurity director at NSA. He has just announced his retirement. So he'll be
out of there March 31, 2024, after 34 years at NSA. And, you know, look, I'm wishing him some rest,
because after 34 years, a lot of them spent at senior levels of an agency
like NSA.
I bet he bloody needs it.
You know, so I think this is good news for Rob, who's probably ready to slow down a bit
after so long doing this stuff.
But, you know, it's impossible to feel like this isn't a bit of a loss, right?
Because he's a tremendously intelligent guy, you know, very technically knowledgeable. In my dealings with him, he's always been great. I've heard a lot of other people who've worked at NSA say great things about him. So you do sort of feel like this is NSA's loss and, you know, Rob's personal gain here. Bittersweet.
Yeah, and he's been so involved in so many bits of really good quality outreach from the NSA. Like, some of his work promoting Ghidra was really, really great. You know, his Christmas lights are famous in hacker social media because he posts pictures of his house with his amazing light system. And of course he was involved in Tailored Access Operations, which, you know, was at the guts of...
So he ran... he ran TAO. Yes.
And then he was the White House cyber guy.
Yeah.
There's like pictures of him with Trump and stuff.
I remember having him on the show, like after he'd exited that job,
and I'm like, so what was it like to work for Donald Trump?
And his answer was great.
I loved it.
Because he's like, I got to work in the White House.
How cool is that?
Which was the best non-answer answer ever.
He's also a lot taller than you expect.
He's a very tall man.
But it's interesting what you said about the outreach because I feel like Rob did a lot to sort of rehabilitate NSA's image
among people in the sort of technical security community
after Snowden, right?
But I think, you know, he really did, you know,
Rob's really been a part of that push by a lot of these agencies to be more outwardly focused,
to be more engaged. And, you know, he did it tremendously well. When you think of senior US
public servants who've, you know, in the security space, who've really managed to nail that,
you would think Rob Joyce and probably Chris Krebs are the two that really just got it right.
Yeah, I mean, at DEF CON and Black Hat, and, like, really making NSA a much more approachable... and, like, also just posting jokes, right? I mean, making jokes about juice jacking and, like, the NSA-branded charger that was at Black Hat. And that's kind of what we want, you know, that's how we want to relate to those people. Because, I mean, so many people in those agencies are just our people that work for a government agency
and can't talk about what they do.
And so at least having a sense of humour about it
and playing along with some of the community's, you know,
foibles, et cetera.
Like, yeah, he's done a good job of that.
So I wish him a happy retirement because it's well earned.
Well, hopefully we can drag him onto the show every now and then.
Yeah, hopefully.
He's got a bit more time, so that'll be good.
You know, you're welcome to come and co-host a few with us, Rob. We'd love it if you
would and I know he listens to the show so
congratulations on a career well done.
That is wonderful. Now
we're just going to wrap it up here with
a blog post from Splunk.
We published
our interview
with Andy Robbins
from SpecterOps going over how he thinks the SVR attacks
against 365 tenants went.
And we had a long conversation with him about that.
That I think is an important listen.
So if you haven't listened to that,
that went out on Monday.
The podcast is called Soapbox,
a deep dive on how Russia's SVR
is hacking Microsoft 365 tenants.
We've got a blog post here though from Splunk,
which actually starts with a shout out to Andy,
but they've done their own sort of analysis
of this attack chain
and it's a pretty good write-up.
Yeah, it's a good write-up.
And if you're in the position
where you have both Azure and Splunk
hooked up to your logs,
there's a bunch of queries
that they've kind of talked through
the steps that Andy described and said,
how would you find that with Splunk?
Which if you're in the position that you've got that tooling available,
then it's a pretty easy copy paste to go explore your own environment.
So yeah, well worth a read for those people.
All right, mate.
Well, that's actually it for the week's news.
Thanks so much for joining me to talk through all of it
and we'll do it all again next week. Yeah, thanks very much, Pat. I will look forward to it.
That was Adam Boileau there with a look at the week's security news. It's time to speak with
this week's sponsor guest now, Tom Plant of Devicie. Devicie has basically figured out how to drive Intune, and that's what they do for their customers. Devicie is basically a managed platform that can wrangle all of your devices, keep everything compliant, up to date, all singing, all dancing, etc. It's essentially built on top of Intune, as I mentioned, which, yeah, if you're not a deep expert in it, it's pretty frustrating to use. So that's what they've done. They figured out how to use it effectively, Intune that is, and then offered it up as
a managed platform.
So Tom is Devicie's Windows policy guy, and he joined me for this interview about where
orgs go wrong with their Windows policies.
And here's what he had to say.
It's a really broad ecosystem, is the biggest problem I see.
Windows policy can mean registry, group policy,
config service provider, declarative management, but not to mention applications as well.
And somehow as an admin, you're expected to manage that, manage Microsoft and vendors
releasing changes every month, and then also every other thing in the business. And somehow
keep those secure as well.
So the biggest thing I see is people finally getting some time to build, say, a standard operating environment, getting all the right policy, and then it doesn't get touched for years.
And then...
Because we have an SOE, right? Yeah, exactly.
Like we had this conversation, we worked it out, we put it all together.
Why would you change it if it ain't broke?
That's exactly it.
And that worked like for a long time.
That was great because it wouldn't change and you were set and your staff could count on it being consistent.
It would work every day.
But these days, Microsoft will release an update, applications will get updated. And all of a sudden your SOE is now giving pop-ups to users
or being really slow or the security policies that you set aren't actually being applied anymore.
And it's really hard to keep up with that change. Yeah.
Yeah. So what does it look like when these things start to sort of atrophy and go wrong?
I think one of the most obvious ones I see is Windows Update patch rates. You start to see
like errors here and there. Maybe disk partitioning was wrong. Saw that the other week. And then over
time, Windows Updates will stop working across your fleet and you might have 10, 20, 30%
devices unpatched. And that can be terrifying.
And how does that happen as a result of a bad Windows config? Like, what's the thing that's not being altered in the config to get you into that state?
I think patching time frames and change management can be a big one. So having, like, a pilot group, and having a slightly larger group, and then having your org that has your, like, exec staff and the sensitive stuff.
And then monitoring that regularly and, say, blocking an update that you know is bad.
Blocking the driver you know is bad.
And that's a lot of day-to-day effort, yeah.
Yeah, but, I mean, how does that manifest in terms of, like, you know, policy becoming out of date?
Like, what's the actual policy setting?
You know, I mean, what you described there sounds more like, sounds more like just mismanagement rather than
a policy error. Probably a good example is one I saw the other week where they had a policy to
slow down a particular Windows feature update. That policy was three years old, I think,
and they hadn't had time to go back. That had been blocking that feature update for years.
That feature went end of life and stopped getting
security updates, and now the whole fleet aren't getting security patches just because that policy was sitting there. And they didn't know either. They thought they were patched because they set up all the other patching policies correctly.
Yeah, because it's stuff that people wouldn't even know is happening to them. I think that's what makes this kind of bad, right?
Yeah, I think the biggest thing is it flying under the radar. Like, you think you're patched. Or a huge one I see is exclusions. So you have one wonky app or some Windows feature that needs a particular exclusion from a security policy, and your help desk team or your IT staff are under pressure, and they need to get that app working now. So they do an exemption.
But particularly in say industry,
exemptions can be really hard to manage or track.
And they might make that scope really wide.
They might exempt everyone and now everyone can execute macros.
And there's no, like, no one's going to go back and check that later,
refine the scope a bit.
You end up with all these holes in your perfect SOE, unfortunately.
And in a typical enterprise, like, how are people actually monitoring this sort of stuff?
Like, how are people catching these sort of mistakes?
And I know, like, for a lot of them, they're just not.
But of the ones who are actually catching these errors, like, how are they doing it?
Yeah, so the SMBs definitely
aren't, unfortunately. The larger enterprises, we see some of them doing a pretty good job,
but a lot of that is manual effort. So you get your security team coming in and checking every
other week or every day that nothing has been reverted. Or you might have really locked down policy controls that mean no one can do exclusions.
And suddenly your end users are really heavily impacted.
Yeah. But what is the mechanism through which they might detect these things? I mean,
you were talking about manual effort. Is anyone actually doing automated discovery
of these sort of things though? There are some players in the space. We get, for example, the CIS standard. There's a CIS scanner that you run against
your group policy and that'll find holes. But even then, a lot of those tools are very brittle.
The CIS one, for example, doesn't work with a lot of Intune policy. So you might be compliant
and configured correctly, but it's going to throw false positives at you.
Now, with Intune, like, say you're just using Intune raw, right,
without Devicie, is this the sort of thing that you can instrument detection of?
Yeah, not really.
You can log into the portal and check,
but to do that every day, that's a lot of time.
Yeah.
So, I mean, I'm guessing that's a big part of what you've focused on.
I mean, I've seen the back end or, you know,
what the customers see in terms of, like, all the compliance reporting and stuff. I imagine that, you know, that's a big part of what you've actually tried to do at Devicie.
Yeah. So that was, that was a big part of why I came on board, actually.
I got really tired of going to dozens of customers and making the same changes over and over and over
fixing the same, say Microsoft incoming change, making a policy update or
reverting the same macro policy that someone keeps enabling.
And we automate that.
And we automate that on a level that means you're not in there every day.
And we're checking that every hour for you, for example, like really, really rapidly.
And we are alerting you if something does go wrong, if we do need you to have a chat
to that user and manage, say, an exclusion. Yeah. Now, one thing that a lot of enterprises
struggle with is install gaps for very expensive, shiny EDR software and the like. I mean, I believe
that's also something where, you know, if you're doing the job right on the Windows policy side,
you should have a pretty good grip on where that install gap is.
I mean, the issue, of course,
is you're always going to have devices
that aren't correctly enrolled in Intune
or Devicie or whatnot.
And you still might have an install gap there,
but it's going to be better
when you're managing it right.
Yeah, for sure.
And that's something that people are doing pretty well.
Like the EDR vendors make it pretty easy
to at least get the agent on the machine.
Keeping it up to date and configured correctly
can sometimes be a bit more challenging.
And we do a fair bit of that.
Yeah.
So are you actually manipulating EDR configs as well?
To a limited extent, but it's something we're exploring
because we can ensure the endpoint is configured and everything
on that endpoint is configured correctly. So if there's a particular security tool that you want
to roll out really rapidly, we can make that happen. And we're talking with customers about,
okay, is this endpoint config for EDR something you want to see? For example, in the defender
space, we're starting to do a fair bit of that. Yeah, no, I mean, that's one advantage, right, of using Intune for the plumbing of
Devicie is it gives you an advantage in terms of actually, you know, configuring some of these
Microsoft like E5 tools, right? I mean, it's almost like, you know, this brings us back to
all of those antitrust conversations about Microsoft, you know, not playing fair and
whatever. But it is the case, isn't it, that if you are in an E5 shop and they've got access to all of these tools, that you can get a little bit more granular
than you can with third-party tools? Yeah, for sure. We're built on Intune. We don't have to
be implementing the config every other week, like the config delivery, because Microsoft will have
already done it because it's their platform. And if you're on Intune, then the integration with other tooling in this space is really tight. And we help a lot of customers take advantage of that when they don't even realize. Like, they don't know they have a Defender license, for example.
Yeah, yeah, you were telling me this the other day that people often have some of these licenses and don't even know, and you're like, hey, good news, everyone, here you go. Pew.
There's very much like a, we bought the tool.
We sorted, right?
And particularly like in the endpoint space.
That's just, that's not possible.
It's so complex.
But yeah, in the EDR as well, like it's wild.
Well, just a lot of people buying it and using it as shelfware
or licensing it and not realizing they have the license.
Is it both or is it one or the other?
It's both, to be honest.
We get a lot who bought it in the bundle,
don't know they have it,
and then we get another lot who've clicked deploy,
but it's only on 50% of devices.
Yeah, right, right.
But didn't you just say that EDR vendors do a good job
of making it easy to deploy?
They do, to be honest.
Some of this stuff is very easy.
But it's still a customer error, right?
I guess. We have to be careful how we sell it, because it seems easy to us when we've been doing this stuff for decades. Yeah, but if you've got an admin who's got 100 devices but also servers, and they're doing end user support, like, that EDR percentage is not a priority there.
Yeah, yeah, yeah. So in terms of, like, being able to, say, configure something like CrowdStrike or SentinelOne, like, is that something that you can do through Intune, or is it getting a little bit experimental and tricky at that point?
Yeah, so we haven't done a lot of config in that space, because a lot of the config is server side, for security reasons and others. But we focus on patching.
Well, you focus on making sure it's on the endpoint, right?
Yeah, yeah, yeah, yeah, yeah.
Making sure it's patched.
And then what?
You're just making sure that it's checking in
with the EDR server or the EDR service
and getting its config that way.
Yeah, that sort of thing.
So for example, making sure it's running
on the endpoint, for example.
Yeah.
Now, just before we go, can you just give us your top three golden misconfigurations in Windows fleets that you've seen through your career?
Defender exclusions.
If something breaks, for some reason, the first troubleshooting step for a lot of people is just disable Defender.
And that works.
But it'll be like, oh, disable all the program files.
We'll exempt that.
Yeah, yeah, yeah.
And that's not ideal.
Turn off the security software and turn on the stuff that's probably malware.
Got it, right?
So that's number one.
We sort it.
Number two?
Number two, compliance baselines is a big one.
People have a crack at something complex like E8,
get maybe a third of the way through,
and then they'll tell an auditor that they're sorted.
And then I can go and run macros, drive by macros,
download an attachment from an email, and you're out of luck.
But the false confidence is really rough on that.
All right, third one, last one.
I know I'm putting you on the spot, but you've got to have one more.
Certain large organizations,
you'll join,
you'll plug your laptop
into a Thunderbolt monitor.
Nothing.
Doesn't work.
There was a vulnerability,
2018, I think,
direct memory access
and some issues there.
Yeah, I knew you were going to say DMA, right?
Yeah, I knew it.
There you go.
So that's been patched in modern hardware for years, years and years and years.
It's still in compliance standards.
It's still in SOE.
To this day, we get customers ringing us up and going, hey, why can't I use my monitor?
And there's a lot of that.
A lot of those old mitigations for Re Evolve that stopped being relevant years ago.
But who's got the time to go back and check those, especially when the impact kind of feels minimal?
Yeah.
It doesn't seem like a big deal.
That's real funny, because we are partly to blame for that, because Adam Boileau, my co-host, is actually the guy who wrote WinLockPwn something like 20 years ago, or 15 years ago.
And this was the DMA tool that you would plug in through a Thunderbolt port on a Windows computer and it would bypass the lock screen.
So that was actually released by Adam back then.
And yes, totally on him.
Tom Plant, thank you so much for joining us for that conversation.
All good stuff.
And we'll talk to you again soon.
Cheers.
Thanks so much, Patrick.
That was Tom Plant from Devicie there.
And if the idea of a managed platform that uses Intune to keep your fleet of devices happy sounds appealing,
you can check them out at devicie.com.
So D-E-V-I-C-I-E.com.
And that is it for this week's show.
I do hope you enjoyed it.
I'll be back soon enough with more Risky Business.
But until then, I've been Patrick Gray.
Thanks for listening.