Risky Business #741 -- The Mintlify breach and modern supply chains
Episode Date: March 19, 2024

On this week's show Patrick and Adam discuss the week's security news, including:
Turns out AI is still bad at code review after all
Mintlify loses a bunch of GitHub tokens
Everything old is new again with the UDP loop DoS
Know-your-(recon satellite)-customer is hard
Microsoft takes away Russia's PowerShell, solving living off the land
And much, much more

This week's show is brought to you by Material Security. In this week's sponsor interview we speak with Material's Rajan Kapoor, VP of Customer Experience at Material. We're also joined by Chaim Sanders, who heads Security and Privacy at Lyft.

Show notes
Anthropic's CISO drinks the AI kool aid - backpedals frantically on security analysis claim
Incident report on March 13, 2024 - Mintlify
Loop DoS: New Denial-of-Service attack targets application-layer protocols
State of IP Spoofing
Pharmaceutical development company investigating cyberattack after LockBit posting
Exclusive: After LockBit's takedown, its purported leader vows to hack on
Russian-Canadian hacker sentenced for global ransomware scheme to be extradited | CTV News
A Suspicious Pattern Alarming the Ukrainian Military - The Atlantic
Exclusive: Musk's SpaceX is building spy satellite network for US intelligence agency, sources say | Reuters
Elon Musk's SpaceX Forges Closer Ties With U.S. Spy and Military Agencies - WSJ
Russians will no longer be able to access Microsoft cloud services, business intelligence tools
Rostelecom blocks the SIP protocol for clients of Russian hosters / Sudo Null IT News
Researchers spot updated version of malware that hit Viasat | CyberScoop
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks | Trend Micro (US)
PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders | CISA
US is still chasing down pieces of Chinese hacking operation, NSA official says
875 workers rescued in Tarlac POGO raid | Philippine News Agency
Fujitsu says it found malware on its corporate network, warns of possible data breach | Ars Technica
Mike Lindell must pay a Nevada man after election data dispute - The Washington Post
Transcript
Hi everyone and welcome to Risky Business. My name's Patrick Gray. This week's show is brought to you by Material Security and Material makes a product that locks up your M365 and Google Workspace accounts.
So even if an attacker can access an account, there's not really all that much they can do with it. And you can find them at material.security. And for their sponsor interview this week,
they brought a customer with them.
We are going to be talking to Chaim Sanders,
who is the head of security and privacy at Lyft.
So we'll be talking to him,
as well as Rajan Kapoor,
who is the VP of customer experience at Material.
He was previously a director of security at Dropbox.
So that's this week's sponsor interview and it's coming up later.
But first up, of course, it's time for a check of the week's security news with our good friend Adam Boileau.
And Adam, we're going to begin this show with a retraction, with a correction.
We were had.
We were had by the machines, Adam.
We got taken for a ride by the AIs.
We certainly did. We talked last week about
a guy, a CISO of a company called Anthropic, that had posted about the success of their machine
learning systems in identifying bugs in Linux kernel and reproducing a bug that had been found
by Google Project Zero. Turns out, all bunkum, the example bug that was being used
to demonstrate the power was not actually the bug
that he was talking about.
The fix didn't work.
And a couple of people, Sean Heelan, I think,
primarily took the guy to task
and debunked it pretty roundly, unfortunately.
But the thing is that I found really interesting
about this entire episode is that this all looked entirely credible. This is the problem with LLMs: they often produce stuff that looks
entirely credible because that's, I mean, that's what they're designed to do, which is to output
the sort of thing that you would expect based on the input. You know, very smart people had sent
this to me and said, wow, look at what these LLMs are doing with fuzzers and then the analysis and
whatever. So, you know, that's the part of this that I found really interesting
is that a lot of really smart people looked at this and said, wow,
and it turns out it's just, you know, it just wasn't what it looked like.
Do you think the people who are writing it up actually knew?
It's kind of hard to say.
I mean, surely you must.
Because this is at the root of all of these, you know, LLM hallucination things.
Well, yeah, like, how do you know? How do you know? And I had this pointed out to me by a friend of mine,
and it's embarrassing. We were had by AI misinformation, I think, is what you meant to say.
Exactly, yeah. So in a way I'm kind of reassured, because when I saw that particular story I thought, dang, you know, my
expectation is that AI stuff is mostly
rubbish, and I read
that piece and I'm like, dang, that actually
looks like it's doing something useful. Maybe I
need to adjust my world view.
Yeah, now I have to take it seriously.
Yeah, and now I have to take it
seriously. And so I actually was, in a way I was kind of
relieved to read the
write-up and the debunking
of it.
So the machines aren't coming for our jerbs.
Yeah, exactly.
They're coming for our jerbs.
I mean, I guess I'm sure there are some people
who have their security news summarised by AI.
I'd be careful doing that, personally.
Take our jerbs.
But, yeah, so we were wrong.
The AI guy was wrong.
And people like Ben Hawkes and Sean Heelan
and a bunch of the other people
who have been pouring cold water, I guess,
on the ability of machine learning systems
to find bugs this way.
Like there are other ways to do it.
And the integration work between using AI to guide fuzzing
and the triage fuzzing output,
like that seems really promising.
And Google Project Zero has done some great work there.
I mean, this one was basically source code auditing,
like taking input source, reasoning about it,
and going onwards from there.
And Ben Hawkes made a pretty good point
about quite how big that state space gets
and why it's not a great fit for the current, you know, state of the art of language
models and AI systems. What I've really noticed about, like, when we're talking about AI
and ChatGPT and all of that, is people say, wow, it can take over these jobs, you know, and then you
talk to any expert in one of those jobs and they just laugh and they say, no, you know. So here we're
talking about vulnerability research, but I've had people saying to me, oh, you know, you must be really worried about,
excuse me, about AI.
And it's kind of the opposite.
I feel like, you know,
AI models ability to just churn out
massive volumes of low quality content
puts people like us actually
in an extremely good position.
So yeah, not really worried
that we're going to be replacing our staff members
who are doing good old-fashioned human analysis with some of these things. And I think that's the, I think we're
still finding, like you were talking before about expectations, I think we're still
trying to establish where our expectations should be for these things, broadly speaking, right? So
not just when it comes to vuln discovery, but where it comes to, you know, medical use cases,
information summary, report writing, whatever it is.
Yeah, I mean, there's definitely a lot of use cases for things
where, you know, accuracy is less important, and by that I mean, like, specific accuracies. Like if
you're generating images, there's kind of a level of interpretation. Like you're presenting
it to humans, you know, human brains are kind of fuzzy,
which is different than when we're talking about maths and code and things that are, you know,
specific. And so, you know, I don't know what the tech is going to look like. I mean, some of the
image gen stuff and the things that are making, you know, images and videos and that kind of
content, I mean, it's super amazing what it can do, but that's still a long way from
the sort of detail and thought that, you know, that I hope we provide.
Now look, let's move on to some more bread and butter infosec here, some more meat and veggies infosec, if you will, and let's
talk about a little breach here, which is at Mintlify, which I believe is some sort of, you
know, documentation service that's used
by developers. What's really fascinating here is they've had an incident that looks like it's
impacted customers via the theft of, like, GitHub tokens and whatnot. And even though this story, I
mean, it's, you know, it's not the sort of story you're going to expect to get a massive amount
of play, but it really, really demonstrates, like, what a modern supply chain risk looks like
these days. And it ain't just about old open source software libraries, you know, there's that whole
services supply chain as well, and this is what it looks like when it goes wrong. Walk us through
the breach, for starters.
Yeah, so this company makes software for hosting people's documentation,
and it integrates with your build process and your source code repos and stuff, so that it can ingest your code, either generate or provide an interface
for you to work on your docs, and then it has a bunch of add-ons to provide a nice user interface
and searching and, you know, ChatGPT so you can talk about the docs, and so on like that.
And that integration with their customers' source repositories is where this got interesting. So
they got breached, they had some issue with an API that was exposing their internal
tokens, which exposed how they stored access tokens for customer GitHub repos. Someone stole those and
then used them to access at least one customer's GitHub account, onwards from here, but they said they lost, what, 91 customers' GitHub tokens.
And this is interesting because, as you said, this is not an old company. This is a Y Combinator
startup that's still very young and for whom security really, you don't get the impression
that security was a priority. They've got a bunch of blogs talking about how they built the company
and where it's been going. And a lot of their customers are other startup types, but it's a great example of what
supply chain looks like when everybody's innovating so hard that security is an add-on. Everyone's
company is a fake-it-until-you-make-it, you know. They talk about how, when they started this business,
they would just write people's documentation for them for free or for $30 a month to just bootstrap the business.
And now here we are, onwards into supply chain risk.
But I thought this one was interesting
because it suggests a degree of thoughtful targeting, I think.
You know, targeting developer service organizations
that have access to code repos seems like a smart place to go.
That could be, I mean, immediately what leaps to my mind is stuff like, well, that sounds kind of North Korea-y, and it also
sounds kind of, you know, Lapsus-y, right? It's so funny, there's so much kind of overlap in the
targeting between those two.
Well, and both those groups, because they're going after the crypto.
Right, well, both those groups are focused on things that work
regardless of how dumb they are.
You know, they're not constrained by targeting rules
or whatever like APTs or governments are.
I guess North Korea is a government,
but you know what I mean, right?
It's a gets it done kind of hack and approach,
which we like.
A respectable government, I think, is what you mean.
But anyway, we linked through to the incident report
in the show notes and people can go check that out.
Now let's talk about the latest thing, Adam.
Loop DoS.
I mean, look, this is interesting.
This has been an interesting little rabbit hole
for all of us, right?
At Risky Biz HQ,
because someone's kind of rediscovered
loop-based DoS attacks, right?
Where you can get two services
to just go in an infinite loop of talking to each other.
But the whole thing's kind of predicated on spoofing.
So it's like, hang on,
didn't we move past this on the internet
because everybody knows that this is kind of a risk
so you can't really do spoofing anymore.
And then you went and actually looked into that
and it turns out, well, not everywhere.
And then, you know, so this went from being,
there's multiple levels of strange here
for old people like us when talking about this,
but walk through why.
Right, so this is some research
from a German research unit
looking at ways to do traffic amplified DDoS
through UDP services where you spoof a source
and then it causes multiple services to talk to each other in a loop. So traditionally in the old
days, like in the 80s and 90s, we did this with things like UDP Echo service, where you send a
message to a UDP service and it just replies back with the same thing to the source. And if you could
spoof the source of another machine that has UDP echo enabled,
and then they end up talking to each other,
they just fill their network interfaces with traffic.
And so that's well-known comedy hacking from way back,
but what this research unit did was beyond just that,
they replicated that with DNS, with NTP,
with a couple of other UDP-based
protocols that are pretty widespread on high-performance networks. And so that's useful,
useful work, but the prerequisite is that you are able to spoof packets. And for most of us,
spoofing the source of packets hasn't been a thing you could do on the internet.
Like, it looks easy on your LAN, you can do it,
but on the internet, you know,
most of the time this is filtered by service providers.
And there was some work out of another, you know,
European university a while ago.
They went and surveyed how much spoof prevention there was.
We have a thing called BCP 38, which was a doc which specified
what service providers should do to prevent IP spoofing, and I assumed that that had been
implemented pretty universally, but it turns out it hasn't. Where I live in New Zealand nearly all
service providers do it, but in other places in the world and some hosting providers it's much
more variable.
And we've linked through from the show notes to a global survey of how much source spoofing you can do around the world. And there are some places, like in India, for example, where fully half of service providers don't have any spoof prevention.
Or places like some regions in Africa or North Africa where everybody can spoof.
And the interaction between modern carrier-grade NAT
and source spoofing is actually a lot more complicated
than I thought.
There are some variables there
that make the answer to this question a bit different
than it might've been 10 years ago.
So yeah, it did prove to be an interesting hole to go down.
And I don't think we're going to see widespread network collapse
because time servers are talking to each other at line rate gigabits.
Between Tunisia and India.
Yes.
Well, I mean, you only got to spoof it from one place to kick it off.
So you could target NTP servers on US backbones from India,
and obviously getting a shell host in India,
pretty straightforward.
So like this could still go large
and it's good to draw attention to it.
And the immediate grumpy old man, I mean, was like,
well, we did this back in the 90s already.
You know, don't you kids know about history?
You know, that got squashed once I thought about it a bit more
and understood what the current state is.
It's more nuanced than I thought.
Yeah, so, I mean, this is the sort of thing where I guess
it might make sense for a bit of work to be done encouraging
some of these countries like India, Brazil's not too crash hot,
Indonesia, you know, Tunisia, there's a bunch of others.
You know, we might want to do it.
Russia.
We might want to do a little bit of work sort of encouraging some of these other countries
to lock down their internets a little bit against spoofing.
Yeah.
And also, it's just a reminder that some of these old lessons that we learned a long time
ago, many of them are still applicable, even though it's 15, 20, 30 years back.
Old ways still work, and you have to defend against everything new,
but also everything old that's ever been discovered.
Yeah, that's right.
Now let's talk about the possibly reanimated corpse of Lockbit,
because it is still limping around.
You know, it sort of reminds me a little of the Monty Python scene
with the guy with his arm chopped off. He's like, it's just a flesh wound. Come here, I'll fight you. You
know, that seems to be where Lockbit is right now, right? So we had this really interesting
whole narrative around this when the takedown first happened, and then a few days later, of course, they
managed to spring up a couple services again, and everyone's like, look, see, takedowns don't work,
Lockbit is back up and running.
I mean, it looks like there are some targets being hit,
not that many, and it just kind of looks,
I don't know, Lockbit don't look like what it did.
Yeah, it doesn't feel like fresh and hale and hearty.
It feels like a death, sorry,
a chicken running around with its head cut off.
Yeah, a little bit.
I mean, and look, that could change.
But at this point, they've attacked a pharmaceutical development company.
This company has like a $3.5 billion market capitalization.
This looks like a new one, but they have been posting old data as well.
So it's a little bit unclear exactly what's going on with them.
But yeah, there's just, you know, and they've done an interview.
They did an interview with The Record.
I always find it funny when people like interview ransomware actors and whatever,
because like, it's not like they give you,
it's not like if they try to give you factual information that you can trust it.
Yeah.
And you're just kind of platforming them because often it's pretty ranty,
not super helpful.
Yeah.
I mean, I don't want to,
I don't want to criticize The Record for doing that, because obviously a lot of people are going to want to read this. I'm just saying it's not for me, right?
But, you know, they've done an interview with LockBitSupp, where he's like, you know, I'll
do this until I die, and the FBI, I love the FBI, they make my life interesting, and stuff. And it's
like, yeah, I don't know, man, you seem like you might be a little bit mad, bro.
Yeah, basically. And meanwhile, the Russian-Canadian who was
picked up in Canada for being an affiliate for Lockbit, you know, that was a few years ago now,
has been sentenced to four years in prison in Canada, but also extradited to the United States
to face charges there. So I think that four years might be about to grow somewhat. So anyway,
when you look at these stories,
or the handful of stories we've got here,
what's your feeling on the state of Lockbit?
I mean, it does not feel like it's really going places,
and the interview definitely came off as some pretty false bravado.
I imagine that there are a lot of affiliates looking at some of those takedowns,
both of Lockbit and BlackCat, you know, and feeling a little bit nervous about working
with them, right? About trusting them, especially after that exit scam that we saw with BlackCat.
So, like, it doesn't feel like a great time. If I were LockBitSupp, like, now seems like a great
time to walk away and, you know, take whatever
bitcoin he's managed to scrounge together over the years and call it done. But, you know, we
don't know what circumstances, and we don't know how much money, we don't know who he owes it to, etc.
But it did feel just a little bit desperate. And in the end, you know, publishing a website on Tor
claiming that you're doing a bunch of stuff is not a lot of work, right?
And following through, running an actual ransomware operation at scale,
that's a lot of work.
With affiliates that trust you as well.
Yes, exactly, yeah.
So I can't imagine it's a great time to be that guy.
Yeah, I just think we need to hold our horses on proclaiming,
you know, Lockbit is back.
Yeah.
You know, like, let's just...
Exactly, exactly.
Now, let's switch gears here for a second, Adam,
and this isn't strictly cybersecurity,
but I did find it interesting.
You know, one thing that's been really interesting
about this war, this awful war between,
well, Russia's, it's Russia's war on Ukraine.
I was going to say between Russia and Ukraine,
but that doesn't quite describe it.
One thing that's been fascinating is the amount of, like, OSINT that's been done using commercial satellite imagery.
The fact that these days you could go and task a satellite
with a credit card and get an image back in a day or two, I mean, is just absolutely extraordinary.
But I feel like those days might be coming to an end.
And I've linked to a story in The Atlantic in this week's show notes that explains why.
But basically, it looks like Russia is using commercial satellite imagery
from Western companies and Western
countries to actually task missile strikes. Because what will happen is they will ask for a
shot of a, you know, a shot will be requested of a certain location in Ukraine. The next day,
a missile hits it. And then there's a follow through task to go and, you know, survey the
damage, basically. So The Atlantic has put together this report here, really looking at
Ukrainian suspicions that this is what's happening. And you do kind of wonder what can be done about this.
Yeah, no, it's a really interesting story, and the basis of it is, I guess, looking at
the satellite providers' tasking information, and in many cases, like, if you sign up for any services
and you go and request imagery, you can see previous other customer requests,
because maybe the satellite imagery that's already been taken
from a week ago is sufficient for your needs.
So you can often see what other things have been taken.
You don't know who ordered it.
You don't necessarily know why they've done it,
but you can infer.
And the source in the Ukrainian
government that is kind of behind The Atlantic piece hasn't been identified, but has identified
a bunch of, you know, correlation between requests to satellite providers for tasking and then
corresponding attacks and subsequent damage inside Ukraine, and that it's kind of too much to be
coincidence. And of course there are
other users of these services, so, like, without cooperation from, you know, Maxar or Planet Labs
or whoever else is selling the services and identifying the individual customers, it might
be a bit more difficult to say conclusively. But, you know, because equally it could be, you know,
news organizations, or it could be other people.
Well, news organisations taking photos of things
immediately before they get a cruise missile on them from Russia.
The question is whether we know it's the same customer
before and after versus...
Well, because the...
Okay, the afterwards bit, fair enough.
But it does seem more than a coincidence, right?
It does.
And frankly, if you're a Russian
tasked with planning missile
strikes, I mean, why would you not?
Why would you not? Yeah, exactly. Because, like, real satellite assets,
like the national satellite assets, are probably expensive and highly contended, and the quality
of commercial imagery and availability is pretty amazing. And it's not that expensive.
One of my compatriots here in, you know, the Wellington hacker scene
bought some satellite pictures of his house from one of these services, and he said it cost him 50
bucks.
Yeah.
To have a satellite take a picture of his house. And I think this is what I mean,
this is what I mean where I say, like, things are going to change, I think. Yes, because this stuff
is so accessible that the idea that you could KYC your way out of it and stop the Russian military from being able to procure the images
that it wants, like, that's just not realistic.
Well, interesting you say that because I actually hit him up
while I was reading the story and said,
hey, you know, what was the company that you used to take pictures
of your house?
He told me.
And it was actually one of the ones mentioned in the Atlantic piece.
And he said he stopped using them because they wanted pictures
of his passport now and that all of their KYC requirements made him not want to deal with that complexity anymore.
So they have added some since.
Yeah, but my point is it won't work against SVR, GRU, Russian military broadly.
Like it just won't work, Adam.
Yeah, exactly right.
But I guess what I mean is, like, clearly this is a thing that they've started to deal with,
but it's very hard to put the kind of controls that you would expect,
given that, you know, orbital photography used to be the realm of the National Reconnaissance Office,
and now it's a thing that you and I could do from our phones. Like, one of these companies literally
has an iOS app where you could in-app purchase your satellite tasking.
Yeah, which is wild. It's a wild time, right?
I went and looked up the prices for taking photos of your house,
actually, Pat. Just this morning.
There you go.
Now, look, you did just mention the NRO.
Yes.
And we've got this Reuters piece here,
which says that SpaceX is working on a massive contract for the NRO,
which is very, very interesting to me, right?
Because the sort of stuff that, I mean, NRO,
for those who are not familiar,
is the National Reconnaissance Office.
It's the satellite spy agency in the United States.
And the idea that they're going to get low-Earth orbit satellites
and lots of them, NRO can do so much with them, right?
Now, this has been written up as like imaging and whatever.
But, you know, Starlink is offering direct-to-cell, so you can use a standard Samsung and, you know, transmit
data via LTE over a satellite that's passing over your head. Interestingly enough, that means that Starlink is going to know a lot about which devices are where
and when. Do they have an interest in keeping that sort of data? I don't know, but the NRO does.
So what I find fascinating here is that it definitely feels like things are changing a lot
when it comes to, you know, being able to do a lot more with space
thanks to organisations like SpaceX and whatnot.
And, yeah, billions of dollars being spent by the NRO
on this new satellite capability.
And you sort of think, well, what do you do with the ones
that let you just buy images online for 50 bucks?
Like, do you shut them down?
What do you do?
Yeah, I mean, it's a great question. I remember, like, back before Google Maps was widely available, Google
Maps had ubiquitous satellite photography of the whole planet. Like, I was doing a bunch of, you know,
wi-fi, you know, war driving and mapping stuff back in the, you know, early 2000s, and I used to have to
go and obtain the aerial photography and, like, you know, projection-correct
them myself, and it was really fiddly to be able to do it. And then all of a sudden Google Maps came
along, Google Earth came along, and, you know, we started to expect to have ubiquitous access to,
you know, satellite photography as civilians. And I remember, like, just spending, you know, days
scrolling through Google Maps looking at, you know, the back blocks of the Kola Peninsula
or places I'd read about in spy novels
or the back blocks of China where there's missile silos
and testing range and calibration signs
for their reconnaissance satellites on the ground in the desert.
And the fact that satellite access is now a civilian thing
and we can put satellites up for such inexpensive cost
and then SpaceX coming along with Starlink, and there are other various derivatives of that
service, like, that's a real change. And I don't know that there's much, you know, we can do about it,
because we're talking about primarily US providers, but there are so many other providers, right? I mean,
around the world, different countries with different capabilities,
and it's only going to become more ubiquitous
and more available.
And, I mean, it's a hard thing to regulate
or KYC your way out of, as you said, right?
And I don't know where that takes us
because eventually we're going to get to a point
where we will have, you know,
continuous real-time satellite imagery,
like not point-in-time, not a snapshot from six months ago.
Well, this is what I'm getting at with the SpaceX NRO contract, right?
I mean, that's just incredible visibility.
Yeah, I mean, if you put a camera on every Starlink satellite
that they put up and all of a sudden they've got 5,000 of them
in low orbit, and they've got the bandwidth to get the video back down, like, NRO would buy the hell out of that
service. And so we don't know what they've commissioned, and we don't know what the legal
process has been for working out what they can even do with it, but I guess I'm just flagging it,
that, you know, we've got some change coming.
We do. Now look, we mentioned Russia's war against Ukraine just earlier, and, you
know, there's the decoupling that you would have expected to have happened already between
Russia and the West is still happening. And we've got a piece here from Daryna Antoniuk over at
The Record talking about how, yeah, like, if you're still a Microsoft cloud customer in Russia, you're
about to get your service yanked.
Yeah, yes.
I think one of the Russian companies
that kind of resells or distributes Microsoft products
in Russia has started telling its customers
that starting pretty soon,
a number of the services are no longer going to be available.
And the exact list of which services
Microsoft is pulling out of Russia
was like on a post-auth Telegram link.
So I haven't actually managed to read it.
But they mentioned things like Dynamics 365, some of their Power BI business intelligence stuff.
We did see also something about like PowerShell and SQL Server and OneDrive.
I know.
And you and I both did the same thing, which is try to click through to the Telegram post that's linked in the article,
but it's like you have to be a member of the channel
to read it.
So that was confusing to me as well.
Yes, maybe a screenshot next time, The Record,
that would be great.
But yeah, I guess the thing that made me chuckle
beyond the obvious simplifications
for all the Russian companies
that were still using the Microsoft stack is,
well, at least now the SVR
won't be able to use PowerShell anymore.
So that's good.
We've solved Russian living off the land forever.
But no, I'm honestly surprised that it's taken this long
for us to see Microsoft and other cloud providers, Amazon and so on,
really starting to end for businesses in Russia.
I mean, I imagine, you know,
there would have been many Russian customers
that stopped using those services pretty quick as well.
So, I mean, I think this is just the, you know,
the continued wind down.
But yeah, I too was surprised
that there would be even a single Azure customer
left in Russia.
Staying with Russia,
and they shot themselves in the foot
with a new requirement for telcos the other day.
This is extremely funny, and we all had a good chortle about it
in the old Risky Biz Slack.
We certainly did.
This was a requirement from the Russian Federal Security Service
which was handed down to Rostelecom,
which is the biggest telco in Russia,
where they were told to block SIP on the edge of their network.
And this is a company that's...
That's fine. No one uses that.
This is a company that sells commercial SIP trunkings.
So like if you're a business with more than one phone line
or you're a call center or anyone who needs, you know,
some slightly more than average amount of phone services,
like this is how you're going to be getting it.
And yeah, they got told to just block it.
And I spent enough time inside telcos
to imagine what that meeting must have been like,
where the engineers are like, excuse me, you what now?
You realize that's going to break phone services
for businesses all over Russia.
And they're like, well, security services say so.
So start packet filtering.
So anyway, it was entertaining.
Yes, that one is fun.
What else have we got here?
We have a write-up from CyberScoop
about a new version of the Wiper malware
that hit Viasat customers' modems at the onset of the,
again, look, it's a lot of Russia-Ukraine stuff this week,
but, yeah, right at the outset of the invasion.
Great hack.
They managed to push this Wiper malware
down to Viasat customers
and basically brick Viasat for people in that region.
Yeah, there's a new version of that
and it looks like it's picked up a few new tricks.
Yes.
So the original wiper, which was dubbed AcidRain,
was compiled for, I think, Linux on MIPS CPUs,
because that's what the modems in Viasat were running.
Somebody in Ukraine uploaded an x86 version of this malware,
like derivative of this malware, just recently,
and people have been pulling it apart.
I think JAGS, Juan Andrés Guerrero-Saade from SentinelLabs,
was doing like a live thread on Twitter
where he was pulling it apart
and looking at some of the commonalities
with the earlier AcidRain.
But yeah, the existence of that on x86 is interesting.
And yes, it picked up a bunch more capabilities,
you know, wiping RAIDs,
wiping other types of flash storage devices and things. So Russians do love
wipers, so not surprising we're seeing ongoing development.
Yeah, but I mean, this one looks like
it's, you know, still geared towards embedded devices, right? So that's not normally where you
see Russia deploy... well, I mean, I guess they deploy them everywhere, as you say, they love them, but this
isn't just another Windows wiper that relies on some ancient signed hard disk utility driver.
Yeah, no, this is one that could be useful in all sorts of contexts.
And given its use against Viasat, it seems likely they're out there doing it again.
Yeah, and that write-up was based, as you say, on work out of SentinelOne.
We got some work out of Trend too that's looking a little bit... they keep attributing stuff back to the I-Soon
company that, you know, got all its stuff leaked in China recently. Trend Micro has a write-up
where they have, yeah, attributed some activity back to I-Soon.
Yeah, yeah. I mean, that I-Soon leak has been,
I'm sure, a gold mine for those Trend Micro researchers, because clearly a lot of their
customers were getting hit by that group and similar groups. This was them using the I-Soon leaks to understand that there were basically
kind of two groups that were doing attacks from inside I-Soon,
and they started to understand the relationship between two other groups
they had seen in the wild and now where they had commonality
and where they didn't, and I-Soon kind of explained it.
So this was kind of a good write-up and a good bit of attribution of this particular group back to the people what done it.
Yeah. Meanwhile, CISA has dropped a... well, CISA and a bunch of others have dropped a fact sheet
for critical infrastructure leaders talking all about the old Volt Typhoon, which, you know, just indicates still that this is something
that the US government is quite concerned about.
Rob Joyce is on his way out at NSA after resigning some time ago,
and he's sort of doing a bunch of, you know, sort of farewell interviews
with various folks where he's still talking a lot
about Volt Typhoon, saying that the US IC doesn't entirely understand the full scope
of those attacks just yet. And yeah, so it feels like there are a lot of people in the US government
still very, very concerned about this and still trying to push things forward in terms of dealing
with it as a threat. Yeah, I think it's interesting the consistent attention this has got.
I can't think of another ongoing, you know, kind of APT attack
that's had this consistent level of attention.
I mean, the one you were mentioning from CISA is a joint Five Eyes release,
you know, with a bunch of details and guidance for people to go,
you know, focus on looking for this in their environments.
And then, yeah, Rob Joyce talking about seeing it pre-positioning
into airlines, for example.
I don't know that we had seen airlines as an example of a sector
that they were targeting.
We'd seen other critical infrastructure,
but that kind of makes it seem pretty serious.
And so, yeah, it's interesting, I think,
that it's getting that much attention.
He also said in – it was a roundtable with a bunch of reporters.
We've linked through to Martin Matishak's write-up of that.
Joyce also said he thinks like, you know,
maybe one of the goals here is, you know,
if a conflict's to break out or whatever,
that part I'm just assuming.
But the goal would be to get people panicking,
to sort of create a bit of societal panic, that that is
possibly one of the motivations of the Volt Typhoon people. I don't think we've heard that
said so far either, so I think that's an interesting bit of conjecture from him.
We've seen another raid in Southeast Asia freeing people who are apparently working in pig butchering
farms. This time it was a raid at an offshore gaming operator in the Philippines, based in a town called Tarlac.
And it looks like, yeah, hundreds of people have been freed.
They were being held against their will and forced to participate in what this report here describes as romance scams,
which I would think puts them squarely in that pig butchering category.
Interestingly enough, it looks like the reason authorities were alerted to this activity is because a couple of people escaped and told them, including, I think, there was a Vietnamese national
and someone else, but, yeah, Malaysian. So they've somehow managed to get away and alert authorities
who've raided this compound. I mean, this is just, you know, again, when we saw the first one of these,
I just thought it was so crazy.
And now it seems to be popping up pretty regularly.
Yeah.
And it's just such a weird and terrifying kind of, you know,
can you imagine that experience, right, of ending up in slavery,
doing online romance scams?
Like, yeah, it's just mad.
And then there's a picture in this release from the Filipino
government, you know, that has a, you know, the wall of telephones all plugged into their chargers
that they would have been using to do some of this work. And it's just horrific to kind of
think about the human impact both on both sides, because we're used to only thinking about the
victims of these scams, but then thinking about the people victimized to do them as well. It's, yeah, it's
pretty horrid.
Yeah, I mean, the chilling thing is when a crime organization is treating
people like commodities, yeah, like this, treating them like cattle. You know, they have a function
to perform, they don't have any sort of humility, you know, no rights, no humanity. They are
just a tool. And that's certainly how the pig butchering farms seem to operate. So, yeah, it's
pretty, pretty horrific.
Now, you flagged this one by Dan Goodin. Not a lot of information in it, but
it looks like Fujitsu is like, oh, we found some malware on our corporate network and there's been
a bit of a data breach and maybe some customer data as well. And we've seen breaches at Fujitsu in the past
kind of spiral into pretty big events.
So we just wanted to kind of flag that one.
Yeah, that's what's interesting.
I mean, Fujitsu is huge and huge in Japan,
but also huge globally.
And they've had a pretty checkered run
of their security issues over the last couple of years.
So like, as you say, they're saying some data got nicked.
We don't know the circumstances,
but that CloudHopper campaign a while ago
where we saw people move through service providers
down into their customers,
Fujitsu would be a great place to do that.
So yeah, as you say, it's just worth flagging to people
that something's up in Fujitsu's network.
I just remember that stuff,
and Dan's put it in his story as well,
which is back in 2021,
they had their ProjectWEB,
like enterprise software as a service platform,
got done, and that was a disaster
that impacted a whole bunch of people.
Now, we don't know if this is just like a contained incident,
a little bit of PII lost,
or if this is, you know, as is the way sometimes,
whether we see
gradually escalating updates to a blog post somewhere that all of a sudden get very interesting.
If you're a Fujitsu customer, maybe have a chat to your account manager.
Yeah. Look, we're going to end with a funny one. I think this is absolutely hysterical
in many ways. This is very, very funny. Mike Lindell, who is the, you know, better known as
the MyPillow guy. He's one of those people who's in that sort of Trump orbit, you know, moves in
those circles in the United States. He was also one of the people who was trying to claim that
China had altered the results of the 2020 election in the United States. And he launched his
$5 million "Prove Mike Wrong"
competition, where if you could prove that he was wrong about Chinese, you know, hackers interfering
in the 2020 US presidential election, he would give you five million bucks. Well, obviously someone
did prove that. Interestingly enough, someone who is a massive Trump supporter, voted for Trump in
2016, voted for him in 2020, but also, to his credit, seems to think that, you know,
basing things in truth is pretty important.
So engaged in the challenge, you know, proved Mike wrong,
and of course Mike didn't pay up, because that's not the sort of guy Mike is.
And then it's all gone off to court,
and now Lindell is apparently going to have to pay up or appeal.
But it's just so funny. It's so funny. I mean, this was like, you know, I remember Rob Graham wound up going
to one of this guy's events to like prove him wrong as well. It was just like, it was just such
a circus, and the fact that it's costing five million bucks is just deeply, hysterically funny
to me. Hopefully it's costing a lot in lawyers' fees as well.
Because, yeah, this was, I mean, it was pretty straightforward. This guy went through and said, like, the data you've got
does not prove the thing that you were saying it does. Give me my five million bucks, please.
And they've been arguing ever since, and I imagine they will continue to argue for some time, because,
as you say, he does not seem like the sort of guy that pays his debts.
All right, mate, well, on that
note, on that hilarious note, that is actually –
I didn't even say anything about Trump, but I'll get emails now.
So apologies to any Trump fans that we may have triggered.
We'll work to make this a more safe and inclusive environment
for you in the future.
Adam, that is it for the week's news.
Thank you so much for joining us, and we'll chat to you again next week.
Thanks, Pat.
I will talk to you then.
It's time for this week's sponsor interview now with Rajan Kapoor,
the VP of Customer Experience at
Material Security, and Chaim Sanders,
a Material customer.
Chaim runs Privacy and Security
at Lyft, the rideshare company, although
these days they call themselves a mobility-as-a-service company.
But yeah, Material makes a product that was originally designed
in the wake of the John Podesta leaks back in the day.
So it seemed to Material's founders that accessing someone's inbox,
like getting an auth token or something into someone's inbox,
shouldn't mean you can exfiltrate their entire mail spool.
That just seemed kind of nuts to them. Now, since then, Material's product has become really extremely relevant to the concerns of a lot of CISOs out there, because we're seeing the
problems M365 customers are having with compromised mailboxes and the way attackers are pivoting from
mailbox access to broader compromise through OAuth shenanigans and things like that. So Rajan and Chaim joined me for a chat about where things are when it comes to cloud
productivity products and risk. And I'll drop you in here where Chaim explains that he thinks we
should all be feeling a little bit ripped off at this point. We got sold as a security team,
sort of a pretty bad bill of rights with this whole scenario where we said, hey, is SaaS a great idea?
Is cloud security a great idea?
We'll take it to the next step.
Is AI a great idea?
And the answer from the security side is obviously no.
We prefer you not do that.
But the business has requirements.
The business needs to move quickly, innovate, and execute.
And so we came up with a model where we said, okay, this is what we need at minimum to do this.
We need access to our logs in a way that are ensured that the integrity has been maintained.
We need access to these certain systems.
I would argue that one of those principles is that
things were implemented securely by default. I don't know that that's how it is today. I feel
like a lot of these SaaS-based providers, not just office suites, but other ones or productivity
suites, are saying, here's some logs. We'll just throw them over the wall. You feel it. You figure it out. Or we have lots of settings. Hopefully you've done this correctly. And oh, by the way,
now information is ubiquitous, right? You can integrate with my G Suite. You can integrate
with my O365 into Slack, into Potato, into whatever. And the data just goes anywhere.
Well, and that's what attackers love, right? It's those sort of integrations.
It's only getting more amazing when we talk about, oh, how are we going to deal with
like AI models, which I know makes everybody want to take a drink and we all just do that.
And that's great. But the real answer is that eventually people are going to say,
put all your data in one place and let these models crawl all over them. But that's amazing
for attackers, right? Put all your security data and financial data and operations data all in one place. And I don't know, like it's,
we, it's a good open question whether or not, first off, we should continue to accept the
same bill of rights that we did, the same risk model that we have been accepting.
And it's also another question that's open that says, how do we secure this? Do we?
Sure.
I mean, look, I'm going to push back a little on what you've said there.
So I understand from your perspective that this all looks terrible.
But, you know, on-prem AD and rotting NT, you know, Windows NT infrastructure was hardly a good situation.
So, you know, while I agree that I don't think we've solved all of our problems,
we've certainly solved some of those older problems for most orgs, right?
So, you know, I even was at a barbecue
and there was an enterprise architect there the other day
and, you know, chatting to them about what they're doing.
And it's all the big push to SaaS because it's what businesses require.
It lowers a lot of overhead in terms of
operational burden and whatnot. So from a lot of different perspectives, it makes sense.
And it makes so much sense that I think that security perspectives are often,
that old risk accepted stamp tends to come out for a busy workout when it comes to doing these
things that the business require. And I mean, that's, you know, that's a very old problem. Wouldn't you agree? Yeah. Building on what... And we should say,
this is Rajan Kapoor here from Material speaking now. Hi there. Yeah. Thanks for having me,
Patrick. Building on what I'm saying, you know, as we made this lift to SaaS, lift to the cloud,
right? What I call, and what Material calls, our critical infrastructure,
which is AD, which is your office environment, it has all of your sensitive data in it.
You just kind of, the risk tolerance that you accepted was, I will trust the infrastructure
manager of Microsoft. I will trust the infrastructure management of Google.
And so all of our controls that we put in place were around authentication,
right.
And authorization from the front door,
from like users,
we were just like users,
users,
users,
we got to protect the users because they're,
they're going to mess us up.
I mean,
I see where you're going with this.
And I also agree that it would have been reasonable for us to expect that
Microsoft would do things like rotate their token signing keys or put them in HSMs or not allow crazy
or shenanigans to go on that are completely opaque
to users and whatever.
But you know, I'm guessing they would argue,
oh, this is all unforeseen.
I think that's personally.
That's what they would say.
Let's take that one step further.
Like if you're saying, okay,
you are gonna manage my private keys, fine.
I'm okay on that.
Should I not be expecting that you're going to tell me when someone accesses those private keys?
That seems pretty fundamental for me to be able to do this.
How could that be unforeseen?
And this is true not just for Microsoft, but all IDPs, lots of different organizations as well.
We get top-level visibility
as users, but we miss what's underneath the hood, what's going on in the back end of your systems.
And that's troubling. But of course, and Raj is going to probably say this a whole bunch of times,
I'm sure, we're not even doing a particularly good job of configuring the options that are
available to us now. So I'm not... I wouldn't say we're not doing a good job.
I would say that the job is it's,
it's a tough job,
right?
Like how do you stay on top of all of the changes you need to make every time
someone discovers like a novel way in.
Right.
And what are you,
how are you,
like what tool are you using to tell you if you've done the right thing?
Right.
Like this is configuring,
like let's go,
I'm going to pick on Microsoft a little bit here.
Well, that's our whole thing.
Go for it.
Trying to understand if you have turned on,
even like MFA in all the right places in Office 365
is a, like, it's just a same task.
Like you think you've done it, but it's not done.
So go do it again.
Oh, I think I've done it.
And so like really trying to tie down like is the configuration of this thing secure has become a super, super difficult question to answer because it's a moving target.
It's not just a set it and forget it.
Yeah.
Yeah.
I mean, then you're all of a sudden relying on your dashboard provider to be completely on the ball to surface stuff.
And it's all context dependent.
And that's not really a good solution.
I mean, the solution here would be for what you've done is create a true enterprise grade
facsimile of O365 that people can bring into their own data center or host themselves,
or you host it for them. But the point is, everything is kind of access controlled,
and you've pared back a lot of the crazy options that they have introduced, right? I mean,
that is what underpins Material these days. That's correct. We started from the assumption of you're going to get breached. Just accept that
one day some sort of breach will happen. An account is going to be compromised. That was
the operating assumption, right? Exactly, right? And if you start there,
then yes, all your controls to prevent that, great, you should have those in place.
But if you accept that one day an account will be compromised, what protections do you have post-compromise?
And how do you quickly find out you've been compromised?
Because you can't install agents on Office 365, right?
You can't put CrowdStrike in your Office 365 environment, right?
Sure, they're working on it.
Yeah.
And so how do you become aware?
But to take this one step further, how do you even know what's in there, right?
It is like your users are creating, and I'm not picking on like our employees here.
Employees are great.
But they are creating data every day, right?
And they are putting things in documents or in email that maybe shouldn't be there every day.
How do you wrap your arms around that?
How do you make sure that when someone gets in they can't get access to it? And what are you doing to also, like, protect yourself from your,
and I said this earlier, your infrastructure provider also being the problem? Like they're...
Yeah, you're not going to see them come through the front door.
No, no. I mean, I've got a question
for you though. I mean, the stuff around redacting email inboxes, I mean, that's how Material started out, right?
And locking up archives behind step-up MFA challenges,
like you've been doing that for a long time.
But how are you now beginning to address the risks
that come from some of this lateral movement
and privesc via OAuth apps?
Because you're in a pretty good position
to do something about that.
So I know that this is completely going to be promotional and serves your interest, but
I want to hear about it.
How have you worked on that and chipped away at that?
Yeah.
So look, any sort of breach, it's a chain of things that are basically used, right?
No one's just doing one thing and getting through to your infrastructure provider.
And you saw that with Microsoft, right?
Yeah, with the State Department thing, the SVR.
I mean, this is just such an amazing case study.
That's why I'm curious to know
where you've applied your efforts to break that chain.
And so the way we're thinking about this today
is you have a team that is there to prevent the attacks.
You have a team that's there to detect the attacks,
and then you have a team that's there to protect your data, right? And those three teams are usually, in a security organization, three disparate teams. And so our thinking here was,
well, why are they three disparate teams? And why can't they all use the same tool to help
themselves do their job? And it starts with blocking like bad stuff from coming in,
but then you get to this configuration stuff we're talking about, right?
And if you can detect the chain, if you can build that chain of entry,
you can then alert.
I mean, that's cool.
That's cool and everything, Rajan.
But you have said yourself earlier in this very conversation
that you have to assume a breach is going to happen. Like, I'm more curious about what you're,
you know, what you're doing with behind-the-scenes magic. Like, what then can Material do, you know?
Yeah, exactly, and I'll get there in a second. So, okay, it's been breached, and then this thing
starts to install like an OAuth app somewhere? And you have enough telemetry at this point
to know that something bad has happened.
However, today you're in 10 different places
trying to piece that telemetry together, right?
So the first thing is get it all in one place
so you can see what's happening with your,
see that your posture, right?
Then once they're in, right?
Like you want to make sure
that just getting into the infrastructure
doesn't mean you get access to all the data.
And let's assume that they've gotten the keys or they don't even need the keys because they're doing it through the application interface.
You need to start applying layers.
And you apply layers.
Patrick, you mentioned this earlier.
You unlock an email with MFA that has sensitive content in it.
That's going to be really hard to do if you haven't popped the user's MFA account.
But the second thing that we're working on and we just released actually is files.
When the attacker gets in, if they exfil all of your files, you don't know what's in there.
And so what you want to do is-
So, I mean, look, I'm getting what you're saying, but I mean, it seems like what you're
doing is focusing less on the OAuth apps being installed
and more just making it useless to install them
because we've locked up so much stuff.
That's a great way of summing it up.
You know, like, okay, you're in,
but like the stuff you really want to get to,
this app's not going to get you there.
Chaim Sanders, Rajan Kapoor,
thank you so much for joining me
to have that conversation slash rant
about how everything Azure is Azure 365 is just horrible
and how you might reel it in a bit with Material.
Pleasure to chat to you both.
Thanks, Pat.
Thank you, Patrick.
That was Chaim Sanders and Rajan Kapoor there
with this week's sponsor interview.
Big thanks to them for that.
And this week's sponsor, of course, is Material Security,
and you can find them at material.security.
And that is it for this week's show.
I do hope you've enjoyed it.
I'll be back in a couple of days with a soapbox edition of the show,
which is about vulnerability management.
It's with Scott Kuffer from Nucleus, but I thought it was an interesting chat,
so I'll be posting that in a couple of days.
But until then, I've been Patrick Gray.
Thanks for listening