Risky Business - Risky Business #744 -- Ransomware upstarts jostle in Lockbit's absence
Episode Date: April 10, 2024

On this week's show Patrick and Adam discuss the week's security news, including:
- Ransomware: down but not out
- Zero day prices on the rise… and what it means for enterprise software
- Geopolitical conflict comes to computers in Palau
- Ukraine cyber chief Illia Vitiuk suspended
- More x86 microarchitectural bad times
- And much much more

Proofpoint's chief strategy officer Ryan Kalember is this week's sponsor guest. He takes aim at some recent vendor trends, like security companies describing themselves as "platforms".

Show notes
- CyberCX_Report_DFIR 2023 Year in Review_Online.pdf
- Ransomlook Stats
- Vlad Styran 🇺🇦 on X: ".@riskybusiness has noted recently that there is an "orthodox Easter"-like low season in the ransomware village. Although my sources do not support this assessment, if true, there might be a simple explanation https://t.co/kM8lu6KbyY" / X
- Price of zero-day exploits rises as companies harden products against hackers | TechCrunch
- Mandiant spots advanced exploit activity in Ivanti devices | Cybersecurity Dive
- Pricing - Knocknoc
- ALPHV steps up laundering of Change Healthcare ransom payments | CyberScoop
- Extortion group threatens to sell Change Healthcare data | CyberScoop
- Attempted hack on NYC continues wave of cyberattacks against municipal governments
- Missouri county declares state of emergency amid suspected ransomware attack | Ars Technica
- Medusa cybercrime gang takes credit for another attack on US municipality
- Omni Hotels & Resorts hit by cyberattack | Cybersecurity Dive
- Targus says cyberattack is causing operational outage | TechCrunch
- German database company Genios confirms ransomware attack
- Researchers discover new ransomware gang 'Muliaka' attacking Russian businesses
- 'An attack on the reputation of Palau': officials question who was really behind ransomware incident
- 'They're lying': Palau denies claims by ransomware gang over recent cyberattack
- Ukrainian security service's cyber chief suspended following media investigation
- Russia seeks criminal charges against executives at flight booking service accused of failing to protect consumer data
- House hurtles toward showdown over expiring surveillance tools | CyberScoop
- D-Link tells customers to sunset actively exploited storage devices | Cybersecurity Dive
- A Vigilante Hacker Took Down North Korea's Internet. Now He's Taking Off His Mask | WIRED
- Ahoi Attacks
- Linux Kernel Patched For Branch History Injection "BHI" Intel CPU Vulnerability - Phoronix
- Ransomware gang's new extortion trick? Calling the front desk | TechCrunch
- Evolving Threat Landscape: A Deep Dive into Multichannel Attacks Targeting Retailers | Proofpoint US
Transcript
Hi everyone and welcome to Risky Business. My name's Patrick Gray. This week's show is brought and he takes a good old-fashioned dump on some recent vendor trends,
like all these security companies trying to be platforms.
What's a platform in this context?
What do you mean, platform?
He also walks us through some attacker behavior Proofpoint has seen lately,
like attackers moving from 365 accounts into on-prem code execution,
which is something Adam and I have talked about a bit on the show.
Yeah, that's happening more and more,
so Ryan's going to join us to talk about that later on.
That is coming up later, but first up,
it's time for a check of the week's news headlines
with Adam Boileau.
G'day, mate. How are you?
Not too bad. Not too bad, Pat.
Excellent. And look, this week, there's no huge story.
It feels like it's been a little while
since there hasn't been a major ransomware operator takedown
or Microsoft getting owned or bad reports into Microsoft
or the xz backdoor or whatever.
But that's good.
There's a bunch of stuff to talk about.
Don't get me wrong.
But we're going to start by talking about some trends.
And CyberCX, where you have worked for some years, have just dropped a report
from their incident response group that actually makes for very interesting reading.
Yeah, I mean, it's a great crew. They respond to a lot of incidents in Australia and New Zealand,
and this is their year in review. And there's a number of insights in this which I think, especially in context of
the conversation that we're going to have today, you know, kind of around where ransomware is at
the moment, there's a number of insights in here. One of them was that BEC continues to rise as a
real place for attackers to make money. And BEC has been a huge part and an unrecognized, like,
under-recognized part, because ransomware is so flashy. BEC has just been the thing that's been making a whole bunch of
the bucks.
The bucks have always been in BEC.
But yeah, according to this report, among the CCX
caseload it's a 37% increase in 12 months, which is, like, yeah.
Yeah, exactly. That is a pretty big one.
And that older MFA mechanisms, you know, earlier than passkeys... And, you know, that
does bring the question, is ransomware still a way to make mad bank, you know, between the
takedowns and the risks and the pressure and the costs being imposed by Western governments and
law enforcement and so on. And, you know, people being less willing to pay, insurers being less
willing to pay, like, is this a thing that is changing that overall calculus for them?
Maybe.
I mean, 50% of a tonne of money is still a tonne of money.
This is true, yes.
It is still a tonne of money.
And also, we've seen the way the ransomware ecosystem
has broken up into separate access brokers
and people selling onwards access into systems and
a bit more diversity in the way that people are getting in. We've seen exploitation, we've seen
cred stuffing, we've seen remote access with creds harvested from other people. So it's not just
shells on the edge of the network anymore or not just phishing email like it used to be
a few years back. Yeah, remote access solutions with valid credentials became the number one initial access method
for cyber extortion incidents.
In other words, they're just logging in.
Yeah, they're just logging in.
And after all of the high profile,
Fortinet bugs and Citrix bugs and whatever else
that got a whole bunch of people owned a couple of years back,
I'm thinking back to Accellion, for example,
which was more data breached than ransomware,
but still monetized by Clop and whoever else.
So seeing that kind of bug as the primary entry point
seems like it's not so much that these days.
Yeah, yeah.
I mean, I think, and this is a conversation
you and I had the other day, right?
Where I think it really depends on the affiliate.
I think for an affiliate that gets access to,
that reverse engineers a patch or whatever,
gets themselves a timely bug,
and then develops an exploit,
goes out and exploits it,
and makes a bunch of money that way.
I think it's a per affiliate kind of thing.
It's going to come down to who's actually doing the hacking.
Yeah, like if you've got the bugs,
you can absolutely go and use them
and make some bank with them.
But there are plenty of other people who don't have those skills or don't have access to the bugs that are still finding ways to get in there.
Either through buying access and just kind of make a margin, basically, or using other less exciting but still workable techniques.
Now, I want to talk about Lockbit for a bit, because we've noticed, like,
over the last few weeks, look, there's still plenty of ransomware going on. There's, I think,
VMware is, VMware gear is having a hard time at the moment getting ransomware left and right.
But Lockbit is gone, right? At least for now, Lockbit has just disappeared. And we've got this,
you know, ransomlook.io/stats,
which publishes a bunch of ransomware statistics.
We've linked through to it in the show notes.
But when you flick through this page,
it's amazing when you realize just how prolific LockBit were before the takedown.
So you scroll to the bottom of this page
and you see the number of listings LockBit was doing.
And it looks like a mistake on the chart.
Yeah, exactly.
And then you go and look at the 30 days and, oh, okay, they're gone.
And they're just gone and the chart kind of looks normal again.
Obviously, when the Lockbit takedown happened, there was all of this, you know, brouhaha with them saying, we'll be back, and, you know, standing up various
hidden services and stuff and saying, you know, it's just a flesh wound. But they appear at least
for now to be gone, which is pretty interesting. Meanwhile, there's all sorts of chaos happening
with, you know, ALPHV or Alfie or whatever you want to call them. You know, they got into a
spat with the affiliate who ransomwared Change Healthcare, because the affiliate claims that, you know,
ALPHV just nicked off with the money.
So it seems like the ransomware ecosystem
is going through a bit of change right now.
But a caveat here, which is, you know,
we're around Orthodox Easter at the moment.
So it's possible some of these groups are waiting
until after they've hung out with grandma
to kick their operations on again, you know.
Yeah, it's funny, because we've been having this conversation
back and forward for probably a solid week now in the Risky Biz Slack about, you know, whether
ransomware really has dropped off a cliff, whether, you know, it's just small groups picking up, whether
the size of victims has changed, all this kind of analysis. And then someone pointed out that
actually, yeah, it might just be Orthodox Easter.
As you say, everybody's gone home to see Babushka
and hanging out and having compote and whatever else.
It might just be that simple.
Well, it kind of predates Easter, though.
It does.
I don't know if we can say that volumes are reduced,
and it really depends how you measure it.
Do you measure it by number of systems ransomed?
Do you measure it by payments?
Do you measure it by the turnover of impacted organizations or their criticality, right?
Like, analyzing ransomware and seeing how it's doing as a whole, there's like a hundred different ways to do it, right?
Which is why often when you hear commentary on ransomware, it's all a little bit vague, kind of like what we're doing now.
Yeah, there's a lot of vibes and the facts can be hard to come by.
But you do get the sense that things are changing.
I think that's the thing that we can say, right?
Yeah, and I think the stats on ransomlook.io do show a big gap
where LockBit used to be. And the sort of, you know,
the groups that are picking up the slack
are a bit more scrabbly, a bit less well-organized,
a bit less scaled because ransomware.
And, you know, we've been through an era
of a number of the large ransomware groups
really being at the center of everything,
you know, LockBit, BlackCat/ALPHV, et cetera, et cetera.
And it seems a bit more bitsy at the moment.
And, you know, it's going to take a while before we know
whether some of the things that we have done, you know,
in terms of intervention of law enforcement takedowns,
et cetera, et cetera,
even just the effectiveness of blockchain cryptocurrency tracking
and the amount of grief that that brings to people,
you know, like the ALPHV crew being
watched with their Change Healthcare ransom. Yeah, they're currently, we got some reporting here
that says they're currently, like, throwing all that into mixers and, you know, doing their best, but good
luck.
Yeah, good luck. Exactly right. It's just becoming, you know, there's a bunch of pressure
points on that ecosystem, and I, you know, I'm hopeful that the kind of change
in velocity that we're seeing is real and not just, you know, an artifact of a holiday season.
Yeah, I mean, I think what you say about the large-scale ransomware-as-a-service platforms
is right. Like, you know, who knows, maybe the mid-tiers and scrappy ones are going to be able to completely make up what we've
been able to remove through those disruptions.
But you do get the sense that if another one, once another one starts to get some scale,
there's probably going to be a disruption action against them as well, right?
And around and around we go.
So it's still too early to say, but there are at least some signs that, okay, we're
not making a comment on what it's done to the ransomware problem as a whole, but I think
we can say that we've at least been able to observe an effect in that Lockbit currently
dead.
ALPHV exit scammed with $22 million and haven't really been seen again, which, you know, if
it weren't for the pressure of these
disruptions, maybe they wouldn't have done that.
Yeah, I think back to when darknet markets were
starting out, right, when AlphaBay or, um, what's the, Silk Road, Silk Road, like, back when there were,
you know, one or two big marketplaces and they got, you know, a whole bunch of focus. And now, you know,
that ecosystem has had to fragment
to stay under the radar.
There isn't really room for a Silk Road-like high-profile thing.
And I think maybe that's the point we've got to with ransomware
is you do have to stay smaller and underground,
a bit more underground,
to be able to stay under the radar
of law enforcement and disruption activity.
And I hope that's the case.
Well, that would be a win, right?
It would, yeah.
Yeah.
I think one thing too that I just want to reflect on in wrapping all of this up
is that early on when ransomware really became a crisis,
there was a big response among a lot of policymakers
that a big part of the solution to ransomware
was going to be security uplift, right?
That always seemed ridiculous to me. And I think we can definitely say, if anything's changing in the ransomware,
like, criminal ecosystem, it ain't because we got better at security.
Yeah, that's, you know, given the bugs that we've seen in enterprise edge software, you know,
lately, clearly we're not solving that problem. But, you know, in the end, whatever gets the job done, right? I mean, if we can't do the hard thing, which is make
software good, then maybe we could make cryptocurrency hard.
Now, on that topic, we can make software good,
but only in certain circumstances, right? So we got a report here from Lorenzo over at TechCrunch
which talks about the skyrocketing prices brokers are paying for bugs in things like iPhones and Android devices, WhatsApp, Signal, iMessage, that sort of thing.
So the prices are going to the moon.
This suggests to all of us and should suggest to anyone listening that it's getting harder to own those devices, right?
And that's why the prices for these exploits are going up.
Now, where I think some people make a mistake
is they see this trajectory
and they think that the same thing is going to happen
in enterprise software
because more exploitation means more spending on QA,
more spending on security reviews,
tightening it up and whatnot.
I disagree with that for reasons I'll get into in a moment.
But why don't you start off by walking us through this report
from TechCrunch, Adam?
So this is based on like a refresh of a vulnerability acquisition program
by a vendor called Crowdfense, which I think are UAE-based.
And they buy bugs and then
turn them, you know, turn them into exploits or whatever else, and then sell them on.
It's not 100% clear who they sell them to, but they're in that kind of, like, buy vulnerabilities,
don't report them to the vendor, make money out of them business. And they have put out a new price
list that basically is offering between five and seven million dollars for iPhone
bugs, about five-ish million for Android bugs, three-ish million for Chrome and Safari, and so on, which
is a little above what we've seen from, say, Zerodium or, you know, some of the other,
like, ZDI is not really in the same game exactly because they do report them to the vendors, but,
you know, open market vulnerability buyers,
this is a little higher than perhaps we've seen elsewhere.
For the more private marketplaces, these prices might even be a bit low,
you know, for the sort of people selling into defence and government
and places like that.
Into places where provenance is important, right?
Yes, and also where, you know, exclusivity is important
and it's, you know, a much more controlled kind of marketplace.
So either way, you know, regardless of the specific numbers,
the point is that, you know, you talk to anyone who works
in Android or iOS exploitation, you know, exploit dev,
and they're all saying that, like, life's getting a bit hard, right?
The bugs are expensive, we get paid good money,
but these are not easy like they were.
They're not as easy as they once were.
And this is not really a thing you can do as an individual anymore.
You have to have a team of researchers.
You have to have all that kind of structure around it.
It's been that way for a while, let's be honest.
Yeah, it has.
But the point is, yeah, the prices are, you know,
the trajectory is going in the right direction for defence.
Yes.
And if you're willing to spend, you know, eight figures,
then you can still get these bugs,
but, you know, they are not cheap and easy anymore,
which is a win.
It is.
But I do get the sense that some people,
when they look at a situation like that,
expect this to be the situation for your FortiGates
and all of the other crap,
like payroll systems, file transfer appliances,
even cloud services, right?
And I think the thing that people
who make these comparisons forget
is that how many users does WhatsApp have?
A couple billion.
Yeah. So this stuff is QA'd like you wouldn't believe. You know, the budgets involved, the teams working on
this stuff, like, it's critical to them to get this right. Whereas a typical bit of enterprise software,
you know, you might have 5,000 customers if you're lucky. It's just a completely different scale.
And while I think there's going to be progress made, I just don't expect that the average enterprise web application
is going to be as robust as, you know, Signal on iOS.
Like that's just apples and oranges, right?
Yeah, and I think, you know,
one of the advantages that that scale brings you
is the ability to collect telemetry, right?
If you're Apple or Microsoft or Google,
you're collecting enough data to see weird edge cases.
And exploitation is a super weird edge case.
Like they stick out like the proverbial dogs
when you start to see them in your telemetry data.
I think you mean like the dog's proverbials.
Dog's proverbials, not proverbial dogs.
Yes.
Like the dog's proverbials.
I was just picturing a really conspicuous dog.
Smoking a pipe.
Yes.
Exactly.
Like the dog's playing poker in the painting.
Anyway, like that, like an enterprise, like someone like Fortinet is not really going
to be collecting crash dumps from their firewalls.
They may be starting to think about it now. You know, Apple, Microsoft and Google have just had years of head
start, and something like WhatsApp, same kind of, they've got that data and the ability to go
look at it and the mandate to make their services better as a result. So I think, you know, that does
help a lot, that kind of scale, because, yeah, you know, one telemetry pool for the entire planet
for iMessage, it makes it very hard to develop an iMessage exploit because your test environment
is logging you.
Yes, which is not the case for an appliance like a Fortinet that you can go stick
on your own home lab and work on it in secret.
Well, I think you can actually disable some of
that reporting for your test environments, but anyway, that's just, that's a whole nother wrinkle, right, that you have to go through.
100%. Like, you know,
you cannot have an unreliable exploit in that game, right? Because as soon as, like, man, Apple have set
things up, Google probably as well, where as soon as something unique happens on any device anywhere
in the world, when something happens that's never happened before, a crash dump
goes to someone real smart.
Yeah, exactly. And they've got that spidey sense, you know, where they
can just kind of, like, read the tea leaves of the crash dump and be like, hmm, this looks hinky,
I'm going to deploy seven dudes to spend their next week understanding why and how, and all of a
sudden your seven million dollar bug is wrecked.
Yes. Which, you know, it'd be nice if Oracle did that with their products. But, you know, there's
just such a scale and diversity of enterprise apps.
Well, speaking of, we've got a story here
where Mandiant's published, like, post-game on Ivanti exploitation. And it turns out, like, there were a lot of groups
getting Ivanti ownage, right?
Because I think all of the reporting was like,
oh yeah, there's now two groups.
It turns out, at least according to Mandiant,
it was a free-for-all.
It was a feeding frenzy.
Yes, and some of those groups were there
well ahead of public disclosure of the bugs.
So clearly people have been trading some of these in the underground for a while. Lots of Chinese actors up in various Ivanti businesses.
But yeah, like, for a vendor like Ivanti that you kind of get the impression they didn't really even understand that they were security critical until quite recently, you know, because they've acquired so many things. Like, I don't imagine that, what, Ivanti CEO Jeff Abbott, who was talking recently about
overhauling the company's security practices, like, I can't imagine he knew about Connect
Secure until, you know, a few months back, because it's just one tiny product of a giant
litany of things.
Whereas I'm pretty sure that everybody at Apple has heard of iMessage, you know?
Yeah, I wonder if this is sort of like when I talked to Brad Arkin,
who was then CISO of Adobe.
And I think, you know, the Acrobat Reader plugin, browser plugin,
was like the bane of his existence.
You know, because everyone on the planet used it.
And it's like, I think they spent a long time in Adobe
trying to kill the browser plugin.
Oh no,
it was flash.
Yeah.
That's right.
Flash.
Yeah.
Yeah.
Yeah.
So trying to kill flash because it's like,
it gave them nothing from a business perspective except headaches.
Right.
So,
and everyone's like,
Oh,
Adobe sucks,
you know,
murder flash.
And they like,
we're trying,
we're trying.
Product groups keep making it necessary for various things.
So many people used it.
Yeah, they were really stuck in a hard place.
I wonder if these sort of acquisitions
that wind up part of big software companies,
if they're going to get taken out to pasture,
because they're just not worth the hassle.
I reckon we'll see it eventually.
Maybe that's what Broadcom's doing with VMware right now.
I don't know.
They'll get their pound of flesh first.
I just quickly too wanted to mention, like, you know, this is a huge problem, this crappy enterprise software
now being targeted both through exploits and through just, you know, direct cred entry and
whatever, and brute forcing and all sorts of stuff. You know, over the last, I don't know, year, people
would have heard me saying on the show, gee, if only someone would build something that would plumb your IDP through to dynamic firewalling
so that people couldn't hit your apps and your edge devices unless they were, you know,
properly SSO'd, that would be really cool.
It turns out someone has actually built that.
They were working on it.
They're Australian and they found it really funny that we were talking about,
gee, wouldn't it be nice if someone would build a product... Risky Business, which was, yeah, yeah, Sydney-based, a couple guys from a Sydney-based company called Sol1. And you
know, they've now launched that product. It's called Knocknoc, K-N-O-C-N-O-C. I'll drop a link
into the show notes. My point in raising this, it's not just a shameless plug, it's that I think this
is going to be more the solution to that problem, right?
It's going to be less about, you know, improving the quality of the code that goes into these
solutions and more about finding ways to make sure no one can touch them.
Exactly right.
The, you know, I know when I started reading about Knocknoc, like, the first thing I'm
thinking is, oh man, I would sleep way better, you know, because I'm also Risky Biz sysadmin now.
You are now, yes.
I would sleep way better at night
if our content management system
was nowhere near the internet until post-auth.
And now, thanks to Knocknoc,
it is nowhere near the internet until post-auth
and I do sleep better.
So, you know, it's one of those things
that it's a dumb solution.
Until you realise how many uses there are for it.
Until you think about, yeah,
all the things that it makes life better through.
You've already got SSO and IDP and so on.
You've already got a million firewalls.
Why not just, like, why is it network reachable
until pre-auth?
It just shouldn't be.
Especially when you've got the IDP
that handles all of the SSO
and that ingress thing is their
problem, right? And they're pretty good at that. So when you've got this wonderful centralized ingress
point, why not tie network rules to it? It works really well. So we use it for SSH and we use it
for our CMS, but there's people using it for stuff like Citrix, for RDP, for SSH, like, at scale.
It's really cool.
So yeah, I mean, I'm shamelessly plugging it.
I'm going to be involved in this business.
We're going to do an interview with them
to go into the next edition of Snake Oilers,
but it's still a bit rough around the edges
because it is a new product, but it's very cool.
And it does sound like,
it's one of those things that sounds like a dumb idea
until you realise
just how many places you can use it, you know?
Exactly, exactly.
What else we got here?
Yeah, so I've dumped a few links into the show notes
looking at that.
I've put in a story here from AJ Vicens
over at CyberScoop looking at ALPHV's laundering
of cryptocurrency and also he's written
a piece about how there's a bit of drama going on with the data that was obtained by the
affiliates in the attack, because the affiliates got ripped off. So it looks like Change Healthcare
paid the ransomware-as-a-service platform, but then they ripped off the affiliate who has the data, and
now they're trying to sell it. And, you know, that whole thing's just a mess.
Yeah, so it is.
John Greig's written up some stories about some ransomware attacks
in New York, like local government stuff.
We got a Dan Goodin piece about a Missouri county
declaring a state of emergency.
Yeah, there's all sorts of stuff still happening.
Omni Hotels and Resorts have been hit with a ransomware attack.
Targus, who make the gadgets and the bags, they've had a bit of a disruption.
A German database company called Genios.
But it all just doesn't feel like the big ticket stuff at the moment.
Yeah, it just feels on a different scale than it was six months ago.
And I hope that that's progress.
Yeah, yeah.
There is a ransomware gang called Muliaka,
which is attacking Russian businesses as well.
Yeah, they seem to have like a fork of Conti
that they're using in Russia to do stuff.
So, you know, like, I don't know whether that's Ukraine
or some friends of Ukraine, but hey, why not, right?
I mean, I did recently write a piece saying, you know,
that it would be nice if it wouldn't be illegal to do this
to Russian orgs using Russian ransomware, because it might get the authorities there
to take things a bit more seriously. Now let's talk about this attack on Palau.
So Palau is a small country, kind of around Indonesia, around that sort of neck of the woods,
the Philippines, up around there.
And John Greig has done a terrific job writing this up for The Record, because apparently they were being ransomwared.
They had one of their boxes locked up and there were ransom notes,
but the ransom notes came from like two different ransomware crews
and it looks like it was just cover
and that probably China was behind this attack.
Yeah.
So politically the situation there is interesting.
Palau is a pretty small island nation,
like 18,000, 20,000 people.
Like it's really not big.
And they are in a free association with the US,
which kind of upsets China because it's the Pacific
and China wants to be big in the Pacific.
And yeah, their government got ransomed.
They found like a ransom note on the printer from Lockbit.
This is kind of like after Lockbit kind of got shut down.
So, you know, a bit awkward there.
And the Bitcoin links and the links to the like portals
to go negotiate payment of ransom were all broken.
And then they got other ransom notes
from a group called Dragonforce,
which is nominally Malaysian.
But again, broken links didn't work.
You know, smells a lot like disruption
using ransomware as a cover.
And the attack, which locked up a number of government services,
like payroll for government employees in Palau,
locked them up whilst they were announcing some commemoration
of the country's free association agreement with the United States.
So, you know, kind of on the nose politically,
didn't really feel like legit ransomware.
The government in Palau was like,
well, we'll just write some checks for payroll because, you know,
small place.
So, yeah, all a bit sus.
And, you know, we've certainly seen ransomware used as cover,
you know, for nation state maneuvering before.
So not really a surprise.
But yeah, really interesting write-up from John.
Because otherwise this one would have gone under the radar.
Why do this though?
That's the bit that I feel like is missing here.
Like what's the objective?
Is this just like punishment for them recognizing Taiwan
as an independent state?
Or like what's the go?
Yeah, but I think part of it is China is just a bit of a bully
in that region because they want to assert their power
and Palau was one of the countries that has recognised Taiwan
and they saw some attacks previously around
when they had announced their recognition of Taiwan.
So I think it's just kind of China flexing
and there's been other countries in the region that have accepted Chinese support, kind of fallen more down on China's side geopolitically.
And, you know, I think this is carrot and stick, like someone gets investment in port infrastructure and someone gets a ransomware on their government if you don't cooperate.
So it's just, you know, China kind of being a jerk.
China going to China.
Yeah, pretty much.
Yeah.
Now some other news.
And Illia Vitiuk, who was the head of cyber
for the Ukrainian SBU security service,
we've had him on the show previously.
I had dinner with Illia in Washington, D.C. last year.
And he's been stood down and he is being sent to the front.
He may, in fact, already be there while some investigations
into his conduct are carried out, Adam.
Yeah, the reporting seems to be that the suggestions of corruption,
that he and his family were spending a bit beyond their means,
had a fancy apartment in Ukraine, in Kiev,
that he couldn't really afford,
and presumably there's a bunch more details underneath.
There was also a nuance where a local investigative journalist outfit
in Ukraine had kind of been investigating him
and other aspects of the SBU. And one of their journalists
got approached while he was out at the shopping mall and basically told, you know, you need to
go report to, you know, for your military services, you're, you know, not defending your country,
you know, being kind of threatened with being sent to the front because they were investigating was the allegation
made by the publisher. So that's also kind of not very nice.
No, I mean, trying to shut down
a journalist investigating you for alleged corruption by threatening to have them sent
to the front, yeah, is not very nice. I would agree with that. I mean, that part of it,
there might be a there there,
there might not.
I mean, obviously we don't know.
There's going to be an investigation here.
But, you know, Victor Zhora,
who was one of the other big Ukrainian government cyber people,
he was yeeted for corruption as well.
So, I mean, it's just, this is, you know,
one of those issues that Ukraine has had for a long time
is a government culture that's quite permissive of corruption.
Yeah, and I guess, you know,
it's pretty desperate times there for a lot of people.
So you can kind of see when, you know,
there's a bunch of money coming past
or a bunch of things you think,
well, maybe I need to, you know,
clip some of that for myself, you know,
because it's such desperate, you know,
the whole country is in such desperate things.
Well, and because everyone's doing it,
which is what makes corruption so corrosive and cancerous, right?
Yes, yeah, exactly.
So, I mean, it's kind of, you know, it's not nice to see
because Illia, when we've had him on the show
and when I met him, you know, seemed like a pretty nice guy
and seemed pretty competent.
Yeah, very much.
Like, he's a smart dude.
Like, he's a very, very smart guy.
So this is very, very disappointing if it turns out to be true.
I mean, we don't know, right?
We know.
I looked at the original reporting from the Ukrainian outlet
that looked into this,
and basically his wife has a very nice apartment in Kiev,
like really nice, and lists as her employment,
you know, I'm an entrepreneur in the legal industry,
and then there's no details at all on what she's doing for work.
So, I mean, you know,
obviously this is something that needs to be looked at. I would love it if it turned out to be incorrect, but you
know, yeah, you never really know when this is, et cetera, et cetera, et cetera. So, and it's funny too,
because when we were talking about this I was getting all judgy about it, and you kind of reminded
me it's easy for me to say because I'm in a very comfortable situation. So, you know, for those of us
who aren't, the temptation is greater.
Yeah, well, exactly right.
And in the middle of a war zone, you know, different thing,
you know, things can feel a bit different when you're,
you know, you've got air raid sirens going off around you.
Like the world can be a bit different
than the comfortable life that you and I lead.
Yeah, and I think the amount of money is not all that high.
You know, it's something like 600,000 US
or something like that that's, you know,
of questionable origin, right?
So it's just, yeah.
Anyway, I just hope that if he is forced to step down,
that they are able to find someone else, you know,
as competent to take his position, right?
Yeah, well, certainly, you know,
they have a lot of experience in Ukraine
and that does build competence.
So maybe they'll find some people.
But yeah, if he does end up on the front lines,
then, you know, best of luck to him
because no one, you know,
even if you've been a very bad person,
you still don't deserve to die in trench warfare.
So...
Yes.
Well, no one really does, Adam.
So, you know, even on both sides of that conflict,
the average bloody poor conscript who's being sent to fight in Ukraine
on the Russian side, I mean, you know, it's just so pointless.
It really is, yeah.
Now, look, speaking of Russia, prosecutors there are launching
a criminal case against executives of a flight booking platform
because we covered this when
it happened, right? The platform was called Leonardo and, uh, you know, they got owned real hard, which is,
you know, bad, especially when you're in a war, and then all of a sudden all of the data about
who was flying where falls into the wrong hands. Uh, that ain't good. So there's going to be,
looks like, a criminal case here.
Yeah, I mean, this kind of data is super useful and, you know, we've seen outfits like Bellingcat,
et cetera, make really, you know, good use of data that leaks like this. And, you know,
it's embarrassing for the people whose data gets dug up and then used. So yeah,
interesting. We're going to see prosecutions, you know. I imagine the bar for sending people off to special penal colonies is not super high in Russia.
So, yeah, I suspect they will face some retribution.
Yeah. So what's the actual charge?
What's the allegation here that they were just doing a crap job?
According to some reporting, it's basically just because they did a bad job.
They got themselves owned.
They got the data leaked.
They did not do a good enough job, plus the scale of it. Yeah, that's basically it. Doing a bad job. I believe they
were detained, according to TASS, for allowing a cyber attack. So there you go. Uh, let's see. Oh, look,
we're not even going to get involved in this. Let's not talk about it. But the 702 renewal is back again.
Again? Yes, the drama keeps on going.
And yeah, as you said, like, there's not, you know, we've been covering this because, you
know, it's a super important piece of, you know, legislation and a super important tool. But it is
getting tiring, just back and forth, back and forth. Like, at some point they're going to have to decide
the future of the 702 program, and yeah, blow by blow.
Not that exciting.
Yeah, so we've dropped a link into the show notes.
Tim Starks has a write-up for CyberScoop
so you can go read in your own time, basically.
Now let's talk about this D-Link thing.
D-Link has said people should sunset
these particular storage devices
that have an all-timer bug in them.
Just fantastic, fabulous stuff.
Terrific engineering.
But they've said they should retire them,
which is code for please yeet these things into a log chipper post-haste.
Walk us through this because it sounds like – what was the bug?
It was like a
high priv user with no password?
Yeah, so it's a web accessible interface that has
the user message bus and the password of nothing, and at that point you can leverage that up into
command exec on the device. It's kind of chained with another bug, but yeah, that's
the guts of it, which is super embarrassing. This is their, like, NAS appliances, which you probably shouldn't put on the internet in the
first place, but yeah, end of life.
I used to say that, right, because I got a Synology and I used
to say that about the Synology ones, and I'm like, who the hell puts these on the internet? And what
I didn't realize is there had been a software update that when you set it up, it automatically
puts it out there on, like, a dynamic DNS so that you can access it.
So many of these NAS things which are like,
oh, don't put them on the internet.
When you go through the setup wizard, that's exactly what they do.
I don't know if this one does.
Or they UPnP a hole on the firewall or something.
Yeah, like they want to make themselves reachable.
So yeah, don't do that.
If you have a D-Link, you probably want to go check this stuff
because we are seeing widespread exploitation.
Some of the numbers we had seen early on in this were like 100,000 of these on the internet.
I saw an update from GreyNoise where they said that actually vulnerable boxes is probably more
like 5,000. So it's a bit smaller than was originally reported, but still a big deal
for the people whose stuff's on those NASes.
Yeah, GreyNoise checked with, uh, Censys, I think, and said no, there's 5,000 of these. Which is, you know, what's
real funny is, because I was talking about that one with Tom a couple of days ago, he's like, yeah,
there's 90,000 of these out there, and I'm like, sure. Like, that just, like, it didn't sound right.
So when you dug up that new number I was like, okay, that sounds more like it.
Yeah, makes a bit
more sense. But yeah, either way, D-Link stuff bare on the internet, not gonna have a good time.
No. Uh, now walk us through
Andy Greenberg's latest, uh, for Wired.
Yeah, so this is a story about a guy called Alejandro Caceres
who's a Colombian American, lives in Florida, and is a hacker. He's been doing all sorts of security stuff for a while.
And this story talks about his journey
of becoming like an internet vigilante against North Korea.
So he got tricked by one of those North Korean scams
where they say like, hey, we want to collaborate with you
on some security research on GitHub or wherever,
send you a backdoor binary,
and then shell your box.
He ran the backdoor binary, but in a, you know,
controlled environment, a VMware or whatever,
so he didn't get hacked.
But he got rather salty about it and decided to take it out on North Korea.
As you do.
As you do.
As you do.
So he was, you know, hacking stuff on the North Korean perimeter.
He was DoSing stuff to take out North Korea's internet and, you know, generally going on a, you know,
vigilante spree, uh, which, you know, you would expect that that's not a necessarily reasonable
solution to that particular problem, not an effective solution to the problem. But then
the journey goes into a strange place where he ends up having some buddies that are working in
the Pentagon or involved
in the military industrial complex,
and they're really interested in what he's been doing.
And so Andy writes up this guy's journey of trying
to convince American military and cyber forces
to be a bit more proactive, a bit more YOLO,
a bit more shell-slinging out there on the internet,
making trouble for people.
One of us, one of us, one of us.
Similar vein to the sort of things that we've said with hound release, but maybe a
little more YOLO. But it's a great story to read, and, you know, I don't 100% agree with
all of his logic. You know, there's sometimes considerations about just shelling stuff that
you should have in mind.
But it's hard not to like a guy that's just like,
you know what, I would just go shell some things,
RM some things, tear up other people's internet.
What are you going to do about it?
Indeed.
Yeah, good read.
Fun stuff.
All right, so now we're going to talk about something
that's way over my head.
We're going to talk about disrupting TEEs with malicious notifications. Adam, what on earth is this? This is very complex, there's a lot
of acronyms, I don't really understand it, please help.
Uh, so we've got two stories to talk
about today, both of which are in the, like, CPU microarchitectural bugs category from
academics. Uh, one is this set of attacks they call Ahoi, which comes out of
ETH Zurich. And essentially, this is a mechanism for breaking... So there's a way that you can run
virtual machines on hardware you don't trust. So when you put stuff in the cloud, normally,
you have to trust your cloud provider to not mess with your stuff, not look at what your machine is doing
and steal your intellectual property
or train their machine learning on your data
or whatever else.
And so the hardware vendors have been starting to build
ways for you to run confidential VMs,
virtual machines where the hypervisor can be untrusted
and you can still do work on that hardware
without it being
visible to the operator of the cloud. And that's the thing, the more stuff we put in the
cloud, the more, mostly compliance people, let's be honest, are going to want to see some kind of
checkbox that says your data is protected from the cloud vendor. Ultimately you probably still
have to trust them, but we've got technical controls for doing virtual machines that are, you know, safe from,
confidential from, the hypervisor itself. And both Intel and AMD have mechanisms to implement this
in hardware, and this is two attacks from ETH Zurich that break that boundary, that allow a hypervisor
to control the runtime state of confidential virtual machines, in this case
through the, like, basically the delivery of interrupts in a crafted manner. And the specifics
of exactly how that works is really interesting but not super important. The main thing is that
this confidential VM tech is still imperfect.
Um, well, I mean, I'm just thinking, sitting here while you're explaining this, thinking how
remarkable is it that we could even think that this could be a boundary?
Yeah, it is. It's amazing
that that's a boundary that we've started to think about implementing.
Yeah, I mean, we used to say,
remember, physical access always wins? Yes. Now it doesn't, right? And, you know, certainly, I mean,
it's very, very hard, right? Physical access doesn't always win. And now it's like, well, okay, you got, like, hardware level access
and you're able to protect a VM from that somehow?
Like that is incredible.
It's pretty wild, you know?
Like we've come a long way, like, you know, from Microsoft saying
if you have physical access to the computers, you win.
And now we have Apple phones that, you know,
can defeat law enforcement control of the device,
you know, need bugs to get into that.
And now we've got this being similar with confidential VMs.
And the tricks that they're using are pretty cunning
in actually making them work, which they have done.
But overall, I think if you were designing a platform
to implement confidential computing in an unsecured
hypervisor that wasn't legacy x86 or x64, like traditional architectures, I don't know
that you would have made the mistakes that allowed these things to work.
So we're still, because we're building on old tech, I think it's the ultimate root cause
here.
And in the future, we will have more robust systems for doing this kind of thing. So I don't know that a lot of people use confidential VMs or rely on them for a security
critical purpose and really need to defend against their hypervisor.
But it is super interesting research nevertheless.
Now, is that both of them?
So there's two bugs in this category of confidential VMs.
The other hardware microarchitectural bug I wanted to talk about
is some research from VUSec, which is essentially an improvement on one of the Spectre variants.
So it's a microarchitectural side channel that lets you leak data between processes
inside a single machine. So if you're a non-root user, being able to steal
things from root, like passwords or whatever, to escalate access. And this is some research into basically advancing
the state of the art. They're using symbolic execution to find gadgets that can implement
cache side channels in the branch predictor. So we've seen branch prediction side channels before, and the main way that people were
exploiting that previously was using eBPF, which is, like, in a Linux environment, is a
kernel system for doing inspection of the runtime environment, so you can build kind of
complicated software that runs in the kernel and changes behavior. This is a case of doing it without that. That is their main
advance in this piece of research. So overall net result is yet another microarchitectural
data leaking side channel that lets you privesc inside your machines, and great research pushing
the state of the art, et cetera, et cetera. We'll pay for it with performance hits and more checks as usual
and get on with our lives.
Yeah, yeah.
But I think the thing that comes across to me here is,
yeah, first of all, amazing research,
but second of all, like what incredible engineering to be able to even research, right?
Yes, yeah.
No, it really is.
It's pretty cool.
Computers, huh?
Computers.
They're amazing.
They are wild.
I think you sent me a quote from an Intel document
that I don't even know which one of those two it pertains to,
but I think you sent this to me because it is so indescribable,
which is: Intel recommends continuing to enable both SMEP and eIBRS by default
and using IBPB on context switches where needed.
Glad they could clear that up.
Exactly.
Oh, dear, oh, dear.
Now, I just want to finish, uh, with something very funny, uh, and I saw
this kicking around and Lorenzo actually wrote it up for TechCrunch, so we've linked
through to TechCrunch. But there was a recording of a, um, phone call between a ransomware operator,
apparently from, like, DragonForce, which is a ransomware group, uh, one of the ones that claimed
the Palau attack.
Yes.
Yes.
Apparently Malaysia based, I think.
Is that right?
Yeah.
So someone claiming to be from Dragon Force
rings up a victim company.
You know, I want to speak to management,
you know, trying to do the big spooky hacker thing.
Winds up getting put through to someone in HR
and the resulting conversation,
which has been mostly transcribed here,
reads like it's from a comedy sketch.
It is so funny. This is like, if you wanted to make a satirical, like, sitcom about ransomware, this would
be it.
Yeah, like, it is just so funny, and you can see the ransomware guy getting more and more
exasperated with the response from the person in HR, who really, you know, is doing their best but
really has very little idea what's going on or what to
do about it. He's like calling from Dragon
Force and she's like, so is that like dragonforce.com
or? Dragon Force
the band maybe.
And my favourite part is too where
the attacker says that they recorded
a previous conversation. They're like, yeah, you're not allowed
to do that in Ohio. It's a two-party
consent state, you know.
That's illegal.
And the person says,
ma'am, I am a hacker.
I don't care about the law.
Yeah, and I love how she ends the call,
which is saying, all right,
well, then I'm just going to go ahead
and end this phone call now.
I think we've spent enough time and energy on this.
Good luck.
You know, click.
Anyway, have a read of it.
It's just, yeah, it's wonderful.
It's good comedy.
Good comedy.
It is.
That is it for the news, Adam.
Thank you so much for joining me, and we'll do it all again next week.
Yeah, thanks so much, Pat.
I will talk to you then.
That was Adam Boileau there with a check of the week's security news.
It is time for this week's sponsor interview now with Ryan Kalember,
the Chief Strategy Officer at Proofpoint.
And Ryan has a bee in his bonnet.
His jimmies are rustled.
He is a cybersecurity executive at a major vendor
who is displeased with other cybersecurity executives
at other major vendors.
That's right.
He's going to have a bit of a rant about why everyone needs
to stop calling their products platforms.
And after that, he's going to talk about how attackers are moving,
I don't even know how you would say this,
they're moving laterally down, up.
Well, they're moving from compromised 365 accounts
to on-prem code exec via things like Intune enrollments
and using their 365 access to do things like
download pre-configured Zscaler clients and whatnot.
So that's the nightmare scenario that Adam and I have been talking about for a while.
But we will start here with Ryan rubbing his temples at some recent trends in the security market.
And yeah, you'll hear Adam in this interview too because he was around for this one. Enjoy.
I don't know that anyone has a consistently agreed upon definition of what a platform is, but it's like the famous Supreme Court case,
you know it when you see it. And several vendors are out there more or less making the case that,
well, our stuff is integrated, there's a single data layer, therefore we are a platform,
and these other things, even if you can buy them with one SKU and they have one name,
they're not actually a platform.
And they're not actually integrated.
They're not actually integrated.
Because one of the things that I think has become really interesting is that regardless
of where you started, whether you started on the endpoint, whether you started on the
network, whether you started like us in email, a lot of people got really in love with being a data layer, trying to put insight together and trying to pull in things from other sources,
trying to put together timelines and normalize data from all kinds of different places and put
it together in a single layer, which starts to feel a bit like a platform. But obviously,
in a lot of cases... But I to the same place and then presenting that data
via a web app that just accesses that data pool. I mean, that's not really what integration means,
is it?
Correct. It's also not remotely a new idea. And ultimately...
Single pane of glass. Single pane of glass. You got to say the words that make the hamster hit
the pedal. I was waiting for you to say it before I did,
but now it's an AI powered single pane of glass. Yeah. And, and ultimately when you think about
what you actually want out of a security tool, even if it's solving multiple things for you,
it's an outcome, right? It is preventing, stopping the bad thing from happening. It's not
a giant pile of data that you then have to go do something with.
Because even the biggest security organizations at this point, they don't have the people
to do it.
They don't have the engineering talent to integrate these pieces.
And I realize I'm making the exact same argument that a lot of the people positioning platforms
are making.
But I think it's actually a philosophical problem on the vendor side, that we're not
trying to solve problems in their entirety and deliver an outcome, but rather trying to create one platform to rule them all that becomes a data layer.
Well, I think one of the reasons behind this is that these companies, particularly the EDR companies, are just so cashed up now and they've got to do something and this is something, right?
So just get more and more data in because they're good at managing large volumes of data, right? So they just get more and more data in and hey,
where the next Splunk? Like that seems to be the thinking, but you're right in that all of the
large vendors seem to think that what everybody wants is all of their data in one place, right?
Yeah. It's the XDR pitch, right? Whatever detection and response. And we've actually started to think about all of the problems that we're trying to solve
differently.
You know, DLP is a great example of something that used to be just a giant pile of alerts,
and then you'd try to do clever things to make the pile smaller or intelligently handle
some of these pieces.
If you're properly thinking about the problem, though, you should plumb it all the way through to what the end user does and try and make sure that anything that bleeds over into the SOC is an exception of an exception and actually worth somebody putting eyes on glass for.
I certainly am completely guilty of this. I love looking at after attribution. I love looking at campaign details. I find that the vast majority of security organizations, maybe if they had all
the time in the world, they would do that, but they don't because again, it's not really their job.
And yeah, we could have a long conversation about this file hash, but we actually have to do.
Exactly. Exactly. The zoom meeting will not attend itself. And so ultimately, if you're doing it right, you solve the problem you're supposed to solve, which in our cases, in that particular example, do not deliver the bad things to the people, whether it's a BEC attack, it perfectly, never hits an inbox, never hits the graph API, never hits anything that can intersect with a person.
So we've actually changed a lot of what we've been doing behind the scenes on the engineering side, not to squeeze more threat intel out of interesting payloads, but to get the detection done as far left as possible.
So it's all pre-delivery. It's not something that
kicks off a response workflow, like, hey, reset that cred, that person clicked on that link,
they were allowed through to it. But we of course can lock it and kill all the active session tokens.
It's much more about solving that problem holistically so that nobody has to do anything
except possibly the end user. I mean, we were talking about this before we got rolling and
you know, I was just saying when we're having the initial discussion about this, this is exactly why
I'm such a big fan of Airlock digital, you know, allow listing, right? Because you just, you know,
there's so much you don't have to do at that point. You don't, you're not even generating the alerts.
Totally. And, uh, phishing resistant authentication. Another great example of a thing in that category.
Airlock and YubiKeys for everybody, man, you're in such a good place.
Like when it comes to all things Windows, and then you're just going to get like owned sideways by all the rotting, you know, corpses at the edge of your network with Fortinet written on them.
Yes, absolutely.
Steel-Belted Radius for the win.
That was my favorite piece of lore.
The other side of that, though, I think is actually interesting, is that what is
left at that point, right? And the creative ways to try and solve those problems feel like we're
actually filling out the entire bingo card of Risky Biz sponsors. But, you know, think about
canaries at that point. But obviously we've tried to take an approach like that to identity risk,
understanding what attack paths look like, like very much like
the SpecterOps guys do, and then using things like deception so that you do not have to configure a
million alerts in Splunk or whatever your data layer is to alert on the attack paths that you
know will still exist because you can't fix them, because Active Directory is Active Directory and
Azure AD is Entra ID. But the part of that,
that I think has actually gotten interesting for us is when you have a solution like that,
and again, it's not the main thing that we position for people, but we think it is a really
useful control to have deception in place because most attackers don't know they're up against that.
And if you're just running Bloodhound against AD, you're going to run into a canary pretty quickly
if you're in an environment that we protect.
But in a lot of organizations, they're not going to have a live attacker in there very
often at all.
So maybe once a year you catch the red team, but that same product is not generating a
pile of alerts on a regular basis.
So even our ROI models, all of the ways that people try and figure out
this security product is worth continuing to pay for
and maintain because all of this overhead
that comes along with it,
it doesn't really work with some of those controls.
Look, this is your long way of saying,
CrowdStrike, what are you doing?
What are you doing?
Palo Alto, what do you do?
Those are both great questions. Uh, what they do is something that I'm not particularly qualified to answer. And yes, we'll continue
integrating with both CrowdStrike and Palo Alto, for your good friends. Yes, I said it, you didn't
say it. It's fine, everything's fine. But ultimately, I do think, yeah, it is a weird conversation
to have, to talk about what platformization... should not exist as a word in the English language.
Well, it doesn't, thankfully.
So you don't have to worry about that.
Go on.
But it also shouldn't be kind of the driving topic for security vendors when they think about their own strategies.
It really should be how do you solve that entire problem and how do you make sure that you're not dependent on bodies?
How do you instead create products which do not necessitate the creation of a data lake?
I think is the statement that we can end that part of the discussion with.
That's the question, really.
How can you do that?
Maybe we should focus on that.
Now, look, you and
I had a chat a couple of weeks ago and you said, hey, that thing that you've been saying on the show
that you think is coming, which is people going from a compromised 365 account to on-prem code
execution, uh, through some sort of interesting path, you're seeing that in the wild. Uh, from what
you told me, this is mostly red teams doing it and APT groups. It's not criminals yet, but we know how that goes, right?
What exactly are you seeing?
And then I'm going to hand it over to Adam to ask you the more interesting questions
on this because he knows this stuff a lot better than I do.
Yeah, absolutely.
So just to put this in context, when we're talking about malicious OAuth apps, we mostly
see boring ones. Uh, the vast
majority of them are cleverly disguised as something called "test app", or sometimes they're
lazy and they don't even rename the default and it's just called "app". Uh, and they tend to be things
hiding in plain sight. Uh, but again, it's just a classic kind of post-compromise move for an
attacker who has a session token, right?
Like if you use any of these normal MSA-capable phish kits these days, you're logged into M365.
You're probably not super privileged, but in most tenants, it's a setting that's on to be able to create apps.
And that's something that we've seen very, very frequently.
It's actually more common now even than the types of OAuth apps
that we would consider actually malware
because ultimately those are easy to find in Squash,
and there's not that many of them,
and it's kind of a permutation of the App Store problem,
although I guess it's closer to the Google Android ecosystem version of that
versus the Apple iOS version.
Anyone can be an app store.
Yeah, exactly. Exactly. What could possibly go wrong? And so most of that for us is still kind
of in the world of what we would call small crime or BEC actors, right? That's the people that love
to just live in M365. They don't have goals beyond that. What has become much more interesting,
to your point, though, is attackers who want to do kind of a variation on, I guess we're going
to call them Midnight Blizzard, we would call them TA421, the Russian intelligence attack
on Microsoft, where they turned one compromised account in an M365 tenant into something that
was much more interesting and
access that was much broader. That's all possible, of course. And it's very challenging to monitor
for in most environments, unless you are looking at some of the preview audit logs, most of this,
you know, some of it's in Graph API, not all of it. So it's even a bit of a logging and monitoring
challenge if you're even trying to see it, which is something that is not trivial to deal with either from our perspective, where
we're trying to do this for thousands of organizations, or even on the level of an
individual organization trying to defend one M365 tenant.
So I think the irony of this conversation, the previous one, and then the segue into this one is that correlating logs in one big lake
between your on-prem environment and your cloud environment is one of the things you need to be
able to do to spot attackers migrating through from on-prem to cloud or cloud back into
on-prem. And the way that we've done that in the past,
working with say emails, for example,
that classic attack of being able to set Outlook mail rules
via the web interface for exchange was a thing,
very early path for turning internet access
into on-prem access.
What kind of things are you seeing other than
the traditional OAuth tokens and some of the older email techniques?
What else are we seeing for cloud to on-prem?
It's a great question.
And you're right.
I don't know, Adam, if you're suggesting we build a platform to handle this.
But yes, it is definitely a monitoring challenge. And we had to basically put two different sources of log information together in order to get just the basic vanilla visibility, which, to your point, really kind of shows up in three different event types.
One is absolutely still inbox rule creation.
As depressing as that is in 2024, that is still one of our highest fidelity signals.
Yes.
Because most users either have forgotten how to do it or never did it to begin with.
And so it actually turns out to be something that is almost always worth looking at,
especially if you get an odd looking login that you can associate that with, with a new ISP,
a new ASN, like just the obvious stuff that you'd be looking for that.
Moving into the prem infrastructure I think is more
interesting, because that's going to be, in a lot of cases, dependent on some configurations.
Uh, password sync was one of the obvious ones.
Yeah, again, this stuff is known, it's not new.
It's just, I suppose that it's being used a little bit more frequently by attackers who know what they're doing that are also trying to start in a more unusual place.
It is at this point kind of easy to compromise a Microsoft 365 account.
I am continually stunned that even in our customer base, which is some of the most paranoid organizations on the planet, any given month, over 50% of them will have at least one compromised M365 account. So just by virtue of having that starting place, figuring
out what the Azure settings look like, and then possible paths to go on, they almost always go
through a relatively narrow set of routes. But we have seen basically two, again, that password sync
one trying to get to things that can talk to the domain controller.
And then the other side of that
is just going after Intune itself
and looking at kind of the application side.
Because very often, you know,
Intune can be set up,
I think, in an extremely secure way.
Very often, it's not.
And lots of people have abilities
to do different things in Intune.
And those, in some cases, are almost unbounded. At that point, a lot of the Red Team exercises
stop, though, because you're outside your scope at that point. So you're saying they basically
pivot around until they find an account that has rights in Intune, and then off they go and code
exec? Yes. Or in some cases, we have seen actually already the permutation from
APT29 or TA421, where they're just looking for other OAuth apps and doing things like creating
service principals. I think obviously your interview with Andy from SpecterOps was great
at breaking that down. That is another thing where some of those OAuth apps are incredibly powerful.
The one in question obviously was basically global admin, but there are others that have on-premises abilities too, because again, it's just an application and it's basically domain joined.
And when you have a hybrid infrastructure like that, there are these trust relationships
which are very difficult to model and very difficult to predict. I mean, who doesn't want to deploy an OAuth app
into their 365 environment
that has code execution privileges on their domain controller?
I mean, I, for one, think that's a terrific idea.
But look, it is 2024.
I'm sure someone has done that.
And I'm sure at least one person has done it with a good reason,
which it pains me to say.
But I'm guessing at least one person out there did that, and there was a reason.
Yeah, and the part that is really tricky there is,
maybe we have data for thousands of organizations on which OAuth apps they're even running.
Sometimes it's a little bit tricky to even figure out what permissions they have
because there's not a really simple way
to just understand that.
Even kind of like read-write access
and the really, really powerful ones that they have.
It's just, it's not anywhere in a GUI.
It's not anywhere that's just easily gettable.
Even if you suck down a lot of those logs
to Adam's point earlier, right?
You do want to actually have as much of
that visibility as possible, but it's entirely possible this is well beyond my knowledge of how
Entra ID's portal works at this point in time. But figuring out, give me every OAuth app and
its permissions, is a non-trivial exercise. Well, I think, Ryan, the problem is that nobody really
knows how that portal works, right? That's it, exactly.
Yeah, Microsoft's building it whilst we all attempt to understand it.
And, you know, I don't know that even Microsoft knows how it works anymore.
It's so complicated.
They are the Boeing of technology, really.
They're building the plane while they're flying it.
I don't know.
There's some better metaphor in there anyway.
But look, Ryan, we're out of time.
That was all very interesting stuff, mate.
Great to chat to you again.
And yeah, we'll speak to you soon.
Always a pleasure, Pat and Adam.
Thanks, Ryan.
That was
Ryan Kalember there with this week's sponsor interview.
Big thanks to him for that. And that is it for
this week's show. I do hope you enjoyed it.
I'll be back in a couple of days with a surprise
mystery podcast
for you all. But until then, I've been
Patrick Gray. Thanks for listening.