Risky Business - Risky Business #747 -- Lockbit Leader Has A Very Bad Day
Episode Date: May 8, 2024

Patrick dials in from RSA in San Francisco to discuss the week’s security news with Adam, including:

The west doxxes LockbitSupp, who must now hide his hundred million dollars
REvil hacker behind Kaseya breach gets 14 years
Microsoft makes some positive sounding* noises on security
A fun flaw in nearly all VPN clients
Gitlab admins continue their never-ending incident response
And much, much more.

This week’s sponsor is Stairwell. Long time infosec researcher Silas Cutler joins us to talk through his adventures in attacker C2 systems, and how this feeds into Stairwell’s data.

* we’re still sceptical they’ll get it right, but they do at least seem to realise how deep the doo-doo they’re in is… Pat speculates they have … tentacles, and a regulatory-threat-gland.

Show notes

'ArcaneDoor' Cyberspies Hacked Cisco Firewalls to Access Government Networks | WIRED
Andy Greenberg: "@metlstorm @riskybusiness no w…" - Infosec Exchange
U.S. Charges Russian Man as Boss of LockBit Ransomware Group – Krebs on Security
Ukrainian sentenced to almost 14 years for infecting thousands with REvil ransomware
Microsoft ties security goals to exec compensation
China suspected of hacking British military payment system, reports say
Germany recalls ambassador to Russia over cyberattacks
Blinken unveils State Dept. strategy for ‘vibrant, open and secure technological future’
Microsoft plans to lock down Windows DNS like never before. Here’s how. | Ars Technica
Novel attack against virtually all VPN apps neuters their entire purpose | Ars Technica
The Breach of a Face Recognition Firm Reveals a Hidden Danger of Biometrics | WIRED
Dropbox says hacker accessed passwords, authentication info during breach
Maximum-severity GitLab flaw allowing account hijacking under active exploitation | Ars Technica
Our new research: Enhancing blockchain analytics through AI
Reconstructing the Mind’s Eye: fMRI-to-Image with Contrastive Learning and Diffusion Priors
Kevin Collier on X: "Oh my God. @riskybusiness is already the name of what is by a longshot the most established cyber podcast. There are a million possible names out there and Mr Decision Making over here went with one that's been in use for more than 15 years."
Transcript
Hey everyone and welcome to Risky Business. My name's Patrick Gray. This week's show is brought
to you by Stairwell and they make a platform that's really great for analyzing malware. It has
you know detection and response use cases as well as threat intel use cases and you can find them
at stairwell.com. And this week's
sponsor guest is Silas Cutler, who is Stairwell's principal reverse engineer, and he's joining us to
talk about some of his adventures on the internet. He's created some tooling that knows how to speak
to common C2 beacons. He's got the protocols all worked out, so yeah, he's had some fun with that,
and he'll be joining us in a little while to talk through all of that. That is coming up later.
But first up, of course, it is time to check the week's security news with Adam Boileau.
And mate, I am in San Francisco right now.
And, you know, it's RSA week over here.
And I'd forgotten because I think the last time I came to one of these was over 10 years ago.
I'd forgotten just quite how insane it is.
It does look pretty mad.
I've been following along with some of the social medias and seeing some of the marketing stunts going on around there
but yeah, it looks like a wild ride. Yeah, even Run Zero has, like, a guy walking
around in a Yeti suit and it's just like, it's just, what? There's a Yeti? But yeah,
look, before we kick off, we're actually just gonna run a quick correction on
last week. It's your, it's your culpa. I was busy getting ready to travel to the US last week, so I didn't have time to do as detailed a read of the
news as I usually do. But yeah, we made a boo-boo. We did. We were talking about Andy Greenberg's
piece about a bunch of Cisco routers being hacked by China. And I said that they were being hacked
by Russia, which we had no deep intel, you
know, saying that that was the case. That was just me misremembering an upcoming story that was about
Fancy Bear, and, you know, usually it's Fancy Bear hacking Cisco. So, but yeah, a little bit embarrassing,
sorry about that, everybody. Yeah, it's funny, right, because you posted a mea culpa to Mastodon and
Andy Greenberg actually chimed in very graciously saying,
oh, no worries, you clearly understood the attacks better than me
in other ways, and I learned a lot.
So cheers.
I mean, what a guy.
That was really nice of him.
Yeah, that was really nice.
And yes, it's always fun getting messages from spooks going,
hey, interesting attribution you got there on the show this week.
Yeah, yeah, yeah.
Teasing the Adam Boileau a little
bit with that. Now, of course, the big news, uh, just broke today, and of course it's the talk of San
Francisco. Uh, LockBitSupp, the guy who ran, uh, the LockBit ransomware-as-a-service operation, he has
been named, charged and sanctioned by the U.S. government. And, you know, it's interesting
that this has happened, because when the initial takedown happened, of course, you know,
they replaced the LockBit leak site with, you know, their own version, with the
authorities' version. There was a countdown, you know, that indicated they
were going to dox him, and then they didn't do it, and now they have. So I
guess this may signal some sort of change in policy, but it's fantastic. Yeah,
like maybe there was some, you
know, hoops that they had to jump through before they could actually do it that made the timeline
funny. But yes, they have doxxed him. Of course, he actually denies it. Krebs has written this up
talking about this guy, Dmitry Yurovich Koroshev, who is a 31-year-old Russian man. And Krebs
actually reached out to him and said, you know, what's up? You know, what's going on? Hey,
what's cracking, buddy? And yeah, he of course said, well, that's not me,
who's this poor innocent man that they've defamed. So, but yes, clearly the US gov, if they're going to
charge and indict them, probably do know who is the right guy. So yes, he apparently made something
like a hundred million out of this.
So 20% of what was going through LockBit, which, I mean, that's some very real dosh.
Well, and he's going to be having an interesting couple of days, right?
Because his home address is all over social media at this point.
You know, and I just wonder how many people are on their way over to his place with a rubber hose right now to beat his Bitcoin passphrases out of him. Yeah, well, exactly right. I mean, this is the problem.
What do you do with it? You either put it in your Bitcoin wallets, you stick it under your mattress,
you put it in a bank where it's going to get seized. There's no safe way to have $100 million
in proceeds of crime, especially when you're getting doxxed. Yeah. Now, when Australia doxxed
Ermakov, who was the Medibank guy, you know, very quickly he wound up in prison.
It was our colleague, Katalin Kimpanu, who predicted, you know,
this guy is going to have trouble and quick.
Now this guy, I don't necessarily know that he's tied to crimes
that took place within the Russian Federation,
which was Ermakov's deadly sin.
But I still think he's going to have trouble, right?
Because at some point, you know, maybe some corrupt official
is going to come
and try to run a bit of a shakedown, maybe organised criminals, like his life is just about to get
really complicated. And I don't think this is a case of Western authorities having to jump through
extra hoops. I think this is a, this is actually an escalation from, you know, the Five Eyes
countries towards this problem. And I think we're going to see more of this.
That's just my feeling.
Yeah, I mean, it's been a while.
There's been a lot of actions that haven't seemed super effective.
I mean, some of the earlier takedowns of ransomware gangs,
you know, caused a little blip,
but ultimately didn't really change things.
And then this kind of thing, and same with Irmakov,
does feel a little more effective.
And that's what we've been looking for, what's the right mix of levers that can actually be pulled
in the Russian Federation from the West. It's funny, but when you talk to people in
government policy about exactly this problem, one issue they've really got is they need to consider
all of the legal implications around human rights when you do something like this, because is this
person getting due process? What if something happens to them? You know, it is actually quite
legally tricky to do this sort of stuff as a government. So I think what this tells me is
that they've crossed that threshold now. And I think now that they've crossed it, we're going to
see, I think it's gloves off time. I really do. And I think that's, that's great. Yeah, I guess
like now they've
established a precedent of how you can make those calls, like where you can weigh up those equities
and then still decide to do something like this. Yeah, like, I think you're right. Once that's done,
that Rubicon's crossed, then yeah, it will be an option for lots of other places and maybe even
other countries to also do. Yeah, I think until now it's been a bit of a wait-and-see approach,
and now it's
like, no, okay, we've waited and what we've seen we don't like, so let's do it this way now. So yeah,
sucks for you, uh, Mr. Dmitry Yurevich Koroshev. It does indeed suck to be him. Now he's not the only
one having a hard time, uh, in the ransomware world. Uh, Yaroslav Vasinskyi, who is 24 years old, he was involved with REvil and, uh, you
know, was, I think, one of the people behind the attack against Kaseya way back when. He was
arrested by the Poles in 2021 when he was fleeing Ukraine, uh, and, uh, yeah, he's been arrested, extradited,
the whole nine yards, and, uh, yeah, he's been sentenced to 14 years and 16 million bucks in
restitution. Ouch. Yeah.
I mean, it's nice to see some justice coming home.
And, you know, I guess, you know, in 2021 or even earlier than that, it would have seemed like a safe thing to do this from inside Ukraine.
But no, not anymore.
The world has changed around them.
And, yeah, they're paying the price for that.
And that's just it's good to see.
Yeah.
Now, in more cases of the wicked being punished, uh, Microsoft.
We had a chat last week about how Microsoft had briefly mentioned on an earnings call that
security was now its top priority, and we're very, very skeptical, but it looks like they finally got
the message. So we've seen the edict come from Satya Nadella, the Microsoft CEO, uh, saying that
now, you know, they're going to tie
executive compensation to security outcomes, that security needs to be top of mind, no more trade-offs,
on and on and on, which I think is great, and I do think is a positive change. But I think, you know,
if you're Satya Nadella, do you necessarily understand quite how much technical debt they've built, right?
And even if they spend the next five years making great decisions,
I don't even know where that gets them in five years.
I just, you know, I think, as I say, I think this is a really positive story,
but I don't expect this to turn around quickly.
No, I think you're completely right.
I mean, it's good to see this moving.
It's good to see, you to see some very clear guidance.
I mean, one of Satya's things he said was just do security full stop.
When you have to make a choice, do the right thing.
This reminds me of the Simpsons where Homer Simpson was a manager
and he said to his team, hey, are you working hard?
And they said, yeah.
And he said, well, do you think you can work a little bit harder?
And they said, yeah, boss, and started typing a little bit quicker.
I mean, it's the type of satire that kind of applies to here, right? Do you think you could
maybe do it a little bit more secure? We'll give you a bonus. Anyway, sorry, I cut you off.
Yeah. But no, you are right that this is not going to be a quick thing. And the amount of this,
to me, there's two parts of this, right? There's the technical debt of existing Windows, which has
a very, very long tail going back a very long way, and then there's Azure, which is brand new technical debt that they are building so quick
that, you know, you almost feel like they've generated an entire Windows' worth of technical
debt in the space of a couple of years with Azure. And both of those problems are going to require
fixing, and they have different kinds of ways of approaching them, and it is a bit more nuanced
than just "do security". So the proof will be in the pudding, and I hope this does get them
in the right direction, because Lord knows we need a Microsoft that takes security seriously.
I mean, they've done Windows before, and that's not, honestly, the thing that I think is the hard
problem here. The hard problem is the Azure stuff, because I'm not convinced, and, you know, we've
talked about this before, I'm not entirely convinced that even the people who work at Microsoft understand how Azure works.
Yeah.
Azure is wild.
I had a drink last night with a buddy of mine that does Microsoft bug bounties in his spare time, and he's making six figures out of Azure just by finding, you know, proper good bugs, too, in the Azure ecosystem.
So there is a lot to be done there, and they have a hard road ahead of them.
Now, I think, you know, we've got to credit CSRB,
the Cyber Safety Review Board,
and its report into, I think it was the Chinese attack against,
you know, where they stole the key and signed tokens and whatever.
So the CSRB report into all of that,
I think really was the straw that broke the camel's back here.
I think it was a big catalyst.
The way I've described it is just in conversation
with people over here is,
you know, the CSRB report was the baseball bat that, you know, the board handed all of
Microsoft's critics the weapon that they needed to beat them over their head, right? But I also
think it's telling that this is, that they finally got there. I think it is telling because their
share price, their revenues have just been going to the moon for so long.
And someone was saying that last night, which is, you know, off to the moon, off to the moon.
And sure, but when I think what's happened here is one of Microsoft's sensory tentacles has detected that people in government are starting to ask questions like, hey, why is it that their security around this stuff has been so bad?
Do you think it maybe has anything to do with competition?
Now, when Microsoft's sensory tentacles hear talk about people in government
wondering about Microsoft and competition,
when those two words start coming together,
Microsoft's fear gland enlarges.
Microsoft's fear gland activates
because it's all well and good
to send your share price to the moon,
but you know what will send it back down again
is when the government comes and breaks you up
because of competition concerns and antitrust and all that.
Yeah, and there's such a weird political dynamic
around big tech,
and, you know, there has
been sort of momentum about, you know, some of these companies getting too big, being a little
too, you know, powerful in their niches. And yeah, I think you're right that that gland
probably is rightfully swollen. The antitrust fear gland, yes. So I, you know, personally, I just think Microsoft would have just continued business as usual if it weren't for them realising, geez, we've got to get a handle on this or it could get pretty grim.
Yes, it definitely could get ugly.
And, you know, we have seen there was some comments from one of the Amazon AWS bosses basically saying, look, unlike some of our competitors, we take security seriously,
was sort of the gist of it.
And similarly, Google doesn't have these kinds of incidents.
So, you know, Microsoft at some point is going to have to start looking
into that and going, well, this is a little bit awkward seeing
this kind of criticism.
And if we started to see this being used against them, you know,
in the marketplace as well.
Yeah, but I don't think that's it because I don't think, you know,
if you're a US government department, I don't think it's necessarily feasible
to switch over to a, you know, workspace stack.
I don't think that's it.
I think the point is the Microsoft lock-in has actually become
a national security liability and that gets very smart,
very powerful people thinking about, well, why is that the case?
You know, and is this because they don't have a natural predator?
And how could we remedy that?
And that is terrifying talk.
If you're the CEO of Microsoft,
you really don't want that conversation to progress much further.
No, you do not.
Yeah, I think that's a big part of what's going on here.
But let's talk about a big breach in England, Adam.
Yes.
So the British Ministry of Defence have some kind of commercial partner
that they outsourced either payroll or some kind of like payroll-related thing,
like expense claims processing to.
And that contractor got themselves breached,
and a whole bunch of data about UK military employees
and their bank account details and contact
details and all of that were taken. We don't have any specifics about who done it, but there has been
some British press coverage suggesting that it was Chinese state actors, and that's not a great
situation to be in. And we've seen some comments to the British Parliament kind of explaining that
yes, a bad thing's happened, yes, they're going to go and deal with people, and there's a bunch of steps they're taking
for the affected people. But it did bring to mind, you know, some of the Chinese breaches of American,
um, government, like when they breached the people who did the clearances in the U.S.
Oh, like OPM? Yeah, I mean, this is, I mean, OPM was just too good, right? Like there was so much juicy information in that.
Like this, less so.
But it does still have the ring of the type of data set
that you expect to be currently being ingested
into some giant database in China somewhere, right?
Exactly, yes.
I'm sorry, not a database anymore, a data lake, Adam.
It's a data lake.
Yes, a data lake.
And they can mine it and do all sorts of things.
So, you know, it's not quite clear
what you would use this data for,
but it's, you know, once you put it in the lake,
then it can be useful for all sorts of things.
And, you know, we've seen some concerns around,
you know, could use it for blackmail,
could use it for targeting people for,
you know, turning into intelligence agents
or, you know or whatever else.
But either way, pretty embarrassing.
And I imagine there are British military service members
asking a few questions about their data
and what to do about it.
Yeah.
I mean, it's just, it ain't great, is it?
It's not.
It's not great.
It's extremely not great.
So there you go.
Now, we've got some action on the diplomatic front.
Daryna Antoniuk over at The Record has a report up about how Germany has recalled its ambassador to Russia over the cybers. ...the end of last week about, you know, a fairly widespread GRU campaign compromising, uh, Outlook,
much of the Outlook email clients that have been, you know, hit, a bunch of European countries and
agencies. Uh, Germany was one of the main targets of that, so yeah, they have expressed their diplomatic
displeasure with Russia. I think this also is timed with, um, Putin's being, you know, re-elected or
whatever there's some kind of ceremonial thing
that Germany obviously does not want to show up
and participate in.
So they recalled their ambassador,
said some stern words to the Russians.
I think similarly, Czechia, the Czech Republic,
have also summoned the Russian ambassador
for conversations about the same campaign.
So yeah, the political situation
vis-a-vis Russian hacking in Europe doesn't look good,
but then the political situation
vis-a-vis Russia in Europe full stop doesn't look good.
Yeah, exactly.
I mean, we've got leaked German conference calls
where they're talking about delivering
Taurus missiles to the Ukrainians.
So it's not exactly like it was all smiles and sunshine
until this point.
Yes, exactly, exactly.
Now, look, I know a couple of stories back,
we were just kicking the crap out of Microsoft,
but they're launching a new thing here around DNS,
DNS firewall integration that actually looks kind of neato,
I think would be the technical word, Adam.
Yeah, I was kind of pleasantly surprised by this.
So this is a scheme and they're previewing it and will presumably bring it to Windows 11 at some point.
And the idea is that the Windows DNS client,
the thing that resolves DNS on your workstation,
will be configured by group policy
in a corporate environment
to only use a number of trusted DNS servers.
And it will do so over DNS over TLS or DNS over HTTPS
so that it's not the regular UDP mechanism.
And then the Windows firewall will inspect the DNS answers
and then allow outbound traffic only to IP addresses
that were resolved by those DNS queries
and then drop everything else.
So you end up with giving corporate administrators
a way to control outbound traffic without having
to break and inspect TLS and look at, you know, SNI, which will also be taken away from us at some
point in the future, and without having to break and inspect DNS. They're providing a mechanism for
them to do this in a controlled way, and it's quite a big change in terms of, you know, you expect to be
able to just make outbound connections to
anything as the kind of standard starting point, and this is going to be like a default deny:
you can only connect to the things that came from a trusted DNS resolver, and then that resolver has a
bunch of policy controls for administrators, and Microsoft providing tooling and ways to allow-list
or whatever else in the DNS server. So for end users, like on the internet,
it doesn't make much difference.
For corporate machines, corporate environments,
and especially people working from home
outside of the corporate network
without the controls on the corporate network,
this is a way for them to implement some of those things
out on mobile devices on work from home things.
And it seems like a pretty smart move.
I mean, it does.
I mean, you're not going to
get anyone being able to just bounce shells out to, like, hard-coded IPs. I mean, that's nice, right?
That's one. But really, you know, and they're having to use the resolvers that you choose,
so that's another win. But I mean, they can just, you know, use those resolvers, right? Uh, yes, but
then those resolvers have policy controls
to allow us what you can actually look up.
Yeah, okay.
Yeah, so that's like it's a combined set of controls.
Yeah, I get what you mean.
Like if you add it all up,
it is probably actually going to help you quite a bit, right?
And it will give you also some decent signals out of that DNS
when someone's tried to look up something that looks a bit iffy.
Yes, exactly right. It gives you a place to do logging and inspection, and it deals with some of the problems where you can't really intercept TLS anymore. Yeah, so it gives some
visibility, it gives a bit more control, uh, at the cost of some compatibility problems. And this is
the sort of trade-off that a new Microsoft, where doing things that improve security that will also
break stuff, because things like,
you know, UDP video streaming, going to be a problem. Anything that doesn't use DNS, has a hard-coded IP,
is going to be a problem. You know, things like printer discovery or, you know, anything plug and
play, it's going to be a bit problematic. But that's a trade-off that's perhaps worth giving, you know,
worth making, and giving administrators the options to use in their environment. So yeah, I mean, if this was the sort of the thing that Microsoft would prioritize in the, you know, new
secure future, then yeah, I'm here for it. Yeah, I mean, and it's interesting what you said about,
like, encrypted SNI or whatever the hell they call it these days, and, you know, all of that TLS 1.3
stuff, which just a whole bunch of stuff went opaque. Yeah, this, yeah, it's a good idea. I get it.
Yeah, it's a smart place to give some of that control
back. Now we've got a Dan Goodin piece here from Ars Technica about something. It's got a name.
It's got a name. It's a VPN, uh, issue, uh, called TunnelVision. Yes, uh, this one I am mad at myself
because I didn't find it. I am pretty... it's just, it's so obvious, and I feel like I've been here before and I didn't think about it in
this way. Anyway, this is a kind of like a flaw in basically all VPN clients where a malicious
network, so I think, you know, you're on a coffee shop Wi-Fi or something, where a malicious network
can cause you to route traffic outside your VPN, thus defeating the point of the VPN. And it's super straightforward. You just give, in the DHCP answers,
when someone plugs into your network
or connects to your network
and they get given an IP address,
you can also, as a DHCP server, give out extra routes.
Yes.
So not just the default route,
you can also provide more specific routes.
You can just give out two specific routes
for the whole internet
because the whole internet is a slash zero
and you can give out two slash ones that are more specific, which then can mean all
of the network traffic gets routed outside the VPN, where you can then observe it as the malicious
network. And it's super dumb, but it straight up works. Yeah, that's a nice little trick, right? But
I mean, you know, again, like even if you've got someone outside their VPN these days, in this day
and age, 2024, I mean, I'm, you know, I'm traveling at the moment, which means connecting to an awful amount of unsecured networks.
Yes.
You know how it be.
And, you know, I don't really sweat it these days because everything's TLS, right?
Yeah.
I mean, your computer these days should be all right operating on the internet by itself.
You shouldn't need a VPN.
And indeed, by and large, you don't need a VPN, right? That's the fallacy of all of the YouTube ads for
VPN providers: you straight up don't need... they make it worse, not better. Everyone who uses a
normal computer with well-configured TLS, etc., this doesn't really matter. But for people who are
relying on VPNs to do, yeah, confidential, you know, protect access into really terrible legacy apps that
don't have encryption or whatever.
Yeah, no, I mean, I get it.
I get it.
I just like, it's just, this would have been so cool like in 2012.
Yes, exactly.
And indeed, this existed in 2012.
Yes.
And I know that I've played with using DHCP routing options to do fun stuff for it.
It just never occurred to me to split-tunnel it outside
the VPN, and the fact that it just straight up works is cool. So good research, whoever did it. But
yes, 10 years ago, 15 years ago, this bug would have been super cool. Yeah, I mean, yeah, it's totally,
totally would have, you know, padded out the Wall of Sheep nicely, right? Yes, exactly.
Now, uh, we've had a bit of an interesting, uh, breach in Australia. We have a bunch of licensed clubs in Australia where there's, you know, we've got quite liberal laws around gambling, slot machines everywhere, etc.
And people can choose to self-exclude themselves from those venues if they have a gambling problem or whatever.
You know, there's technology companies that have popped up to help people self-exclude.
So when they try to sign into some of these clubs,
you know, the people say, sorry, no,
we see you've added yourself to the, you know, self-exclusion list.
One of the companies that runs this tech
managed to get itself breached.
And, you know, we've got a lot of records
were made public because of this,
including people's driver's licenses
and, you know, various bits of information about them. But there's a few twists in this one, right? Because the website that was set up to
promote this breach claimed that the data had come from a bunch of disgruntled employees or
contractors in the Philippines who never got paid, and that's why they're doing this. But also,
quickly, I think we saw an arrest in Australia. Maybe that was not the true story. But anyway, you walk us through what
happened here. So these people ran, like, kiosks that would scan your face as you went into the club,
you'd sign in or whatever, and they also had a bunch of integration with the gambling machine
operators at the clubs. Yes. So they got all of the data from those gambling machines
and then they'd handed it off to some devs somewhere.
And there's a bunch of screenshots of things like, you know,
just straight up Google Docs,
Google Sheets with all of the customer data in it
and biometrics and so on.
And as you say, the exact circumstances
under which this data got posted
on the internet... And the funny thing was that the site that they ran up that was exposing this data
and letting people search for themselves redacted the data in the web interface, but it actually used
the JavaScript API behind the scenes, which failed to redact it, so they ended up leaking stuff even
the people who are leaking didn't mean to leak, which is all very funny. But overall, I guess, as you said, it comes down to how do we handle biometric data?
What do you do when lots of photos of someone's face plus their identity document is a thing you can then use with AI to synthesize their face and other identity documents?
Like it's a mess that's beyond just this particular one, right?
I mean, maybe, right? Because we say, okay, you know, you've got a photo of them.
Going from there to AI being used somehow to trick properly done biometrics,
I don't see it.
I mean, this is why Apple doesn't use a camera on its iPhones
to do the biometric facial recognition.
They've got dedicated hardware to do that.
Once you start trying to tamper with it, it gets complicated real quick.
So I'm not necessarily sure that I think this has implications for well-done biometrics.
I agree with you except that nobody does well-done biometrics except Apple because they're the
only people with custom hardware to do it. But that's where we use biometrics. You know, that's where it's most critical is on our
mobile devices and when tying them to pass keys and things like that. Like, I don't think we can,
I don't think it's even fair to say like a photo database, you know, even describing that as
biometric information, I think is a bit of a stretch is what I'm getting at. Well, I mean,
as a counter example, in my pen testing days,
we reviewed a system for doing identity verification for online sign up to banking.
So you sign up for a bank account and you upload your identity documents and then they video
conference you in the browser to check your identity. And we were able to bypass that
by machine generating the poses that they want you to. No, I get it.
I've seen these sort of systems.
I'm just saying, I think they're dumb
and we shouldn't even call them biometrics
because they're dumb and they don't work.
And, you know, this is just-
I agree, but, you know, there's plenty of places
that seem to think it's going to work.
And I agree with you that it's dumb and it won't,
but, you know, a large set of face data is a useful input
for other forms of crime that we don't yet understand.
Yeah, yeah.
I'm just saying I think that's a risk
that should be well understood.
I guess you're right in that it's not,
but voice verification as well in an age of audio deep fakes
is something you can do in 10 minutes.
Obviously, for you and me,
whose voices are all over the internet and have been nearly 20 years, you know, you don't, we don't want our banks
verifying us by voice. Hell no. Hell to the no. And I just think, I just think, you know, having the
expectation that a, that a photo is going to do anything for you, I just, I don't know, it just
seems a bit nuts to me. Yeah, I mean, it does, and people who handle
data, you know, regardless of how biometric it is, I'd call it a photo check, not biometrics, you know.
And I think there was some big problem with some company, you remember this, when the IRS in the US
were using some contractor to do, you know, remote verification over video and stuff. It just doesn't
work. Uh, it doesn't work, but that doesn't stop people pretending it works and selling it to
banks. I mean, I'm at RSA, man.
There's plenty of pretenders around here.
Don't you worry.
Don't you worry about that.
Lots of insanity on the trade floor.
You know what's crazy?
I haven't even been able, I have not even had time to walk into the conference.
I tried to go on Monday and they're like, oh, we don't open till 5.30.
And then it was pulled into a million things, right?
It's just so nuts over here.
And, you know, you get into an elevator
when you go back to your hotel,
like I just did, to come back and record this,
and everyone just looks like they've been smacked around
by the bogeyman.
Like, they just look terrible
because it is just so, like, punishing.
Anyway, this next story,
another one from John Greig over at The Record.
There's been an incident at Dropbox, apparently.
Yes, Dropbox reported a breach to the
SEC to release to the markets. It's a breach at Dropbox Sign. So they bought at some point a thing
called HelloSign, so it's like a document signing service similar to DocuSign, I guess. And this
particular subsidiary got their stuff breached. It looked like a service account password or something
got hacked and a bunch of customer data got leaked out, including passwords, user details.
Apparently not the actual documents being signed.
But yeah, not a great look.
Although I did see a number of the headlines have been like, oh my God, Dropbox got hacked,
which it's not the Dropbox you're thinking.
It's not the main Dropbox.
Yeah, technically it's the company.
Yeah.
And I mean, I know a few people who are ex-Dropbox
and they, you know, as best I can tell, they have a good team there.
So, you know, that's the thing, isn't it?
Like, I think there's a little bit lost in a lot of media reporting these days
when you see so-and-so got ransomware and it turned out they, you know,
disrupted by ransomware attack and it turns out it's because they detected it
and pulled the plug on their network and disrupted their own services.
But that nuance is often lost in the reporting. Now, this one, I've seen you popping
off about this one in Slack and having a bit of a chat about it. Tell us about this GitLab bug.
Yeah, so this is a bug in GitLab, which is an open source, GitHub-style system for managing
your source code and sharing it and so on. This was a bug in the password
reset process where you could basically provide the email address to which you would like the
password reset process to send you your, you know, your new link to, to log in and receive a password,
which, that's pretty bad. If you have multi-factor auth turned on, then this ultimately resulted in
not getting access, but there is a lot of GitLab out there,
and compromising these systems puts you in the perfect place to then modify code or, you know,
attack into downstream software or automated systems, because a lot of people use GitLab
in their DevOps, yeah, as the source of truth for the, the scripts that build all their infrastructure
on, on AWS or on Azure or whatever else. So the consequences of people's GitLab getting owned are pretty bad. And a bug like this one is just, I mean, it's comedy bad.
Yeah. Yeah. I mean, those were the comments I saw you essentially making in our internal Slack.
You know, just thinking on this and, you know, this isn't a stab at GitLab at all,
but remember when Microsoft bought GitHub and everyone's like, it's over, man.
GitHub's done.
And that's one area where Microsoft seems to have done
a terrific job of actually managing something
and keeping it secure and whatever.
So I don't know.
Yeah, they do not seem to have ruined GitHub,
which now I think about it, it's pretty amazing, actually.
Yeah.
Now, a couple of the big names in blockchain analysis, obviously Chainalysis,
another one is Elliptic, and they've published a blog post here looking at how you can, uh, to put
it in their words, enhance blockchain analytics, um, through AI. And, um, yeah, pretty interesting.
Yeah, this is interesting research. So it's interesting for two reasons. Number one, like,
using machine learning to analyze blockchain is a pretty natural fit, right? We've got great data in a very structured way in the blockchain, and spotting
hinky stuff is the sort of thing that a well-trained ML system should be able to do. But the second half
of this is they have released a set of training data that they use, uh, for this system themselves,
and this is something like 200 million transactions,
and they have labeled them with how sus stuff is. So the training data has, you know, here is a set
of transactions, and through their own data of, like, which nodes in the blockchain are, you know,
known money laundering or known dodgy cryptocurrency exchanges or known ransomware
crews getting paid, and then they've
mapped transactions out and categorized them. So if you want to build your own AI thing
that can analyze the blockchain for different types of money laundering or weird stuff,
you've got a public training data set that's three orders of magnitude bigger than anything
that's been released before. So it's a really interesting contribution. I believe this is a joint piece of research they did with, um, MIT and IBM's Watson
AI Lab. Yeah, and I imagine that, you know, that they are thinking about ways to use this stuff
as blockchain-style data stores get used, you know, in other applications. But yeah, this is just, if
you're in that kind of space of analyzing blockchain for weird stuff, like, this is a pretty interesting piece of data that you've got to work with.
Yeah, I mean, I think both of those companies have done just such a splendid job of getting
their hands around the money laundering stuff in such a short amount of time. You know, like the
visibility that we have these days onto the blockchain, thanks to these sort of analytics
companies is, you know, I mean, I was just, just, it's great that the people who moved into the space really knew what they were doing.
Yeah, and it's, you know, we've seen some pretty concrete results too in terms of understanding,
you know, crimes that have happened, following the money on the blockchain, following ransom payments.
And some of the, like, their paper that writes up this particular research has some really
interesting, like, here are some structural, like, this is what money laundering looks like on the blockchain, and some examples of
patterns of transactions, uh, that are, you know, it's just really interesting. If this is a, you know, if
this is your nerd jam, money laundering, then yeah, this is a must read, in my opinion. Yeah, I mean, I
gotta say too, like, one thing that's been really surprising about being over here at RSA or around RSA,
I mean, I'm here as a guest of Decibel VC, right? And they fund, they're the VC behind a bunch of
our sponsors. So Sublime Security, runZero, SpecterOps, like, Push Security, on and on and
on, right? And so, you know, my joke is, you know, we have similar taste in startups, Decibel and us,
right? And what's been really interesting is I've been hanging out with
a bunch of the investors and, you know, talking about the AI thing. And, you know, it's been about
a year and a half since the starter's pistol was really fired on AI stuff. And I was really
expecting the market to be flooded with insane, ridiculous cybersecurity AI startups. And it
hasn't quite happened yet. Like there's
a couple dozen of them, but every time I'm talking to someone who's doing something around
cybersecurity and AI, and I can't believe I'm saying this, it actually sounds really interesting
and useful. And I, you know, it's kind of restored my faith a little bit because I just thought we
were going to be drowned in dumb stuff. And I don't
know quite why it hasn't been, I mean, I'm sure there's going to be plenty of stupid stuff. Don't
get me wrong, but there's certainly some smart people working on this and they've got good ideas.
It's bizarre. And I wonder if that's like high interest rates mean that, you know, the VCs are
just being really selective about what they fund, but you, but I'll take it. It's a win.
No, you're right.
There has been, because I'm pretty skeptical about a lot of AI stuff.
And you've pointed me at a few things
that you've seen where we've gone,
actually, that sounds actually pretty good.
Yeah, like Dropzone's a great example of that.
And they're the ones who like emulate
a tier one SOC analyst.
And you think, oh yeah. And then you go through the demo and you're like, oh, okay, yeah, that's probably going to
be more accurate than a poorly trained human, for sure. Even a well-trained human. Yeah, and as a way
for humans to become better trained. Yeah, yeah, yeah. It's, I feel weird seeing AI stuff the way you go,
actually, that's, that's kind of cool, because my natural skeptic wants to, you know, ruin everything.
But yeah, that's what 20 years of pen testing will do to you, is makes you want to ruin everything.
There's some cool stuff coming through, and I think everybody's been kind of
sufficiently cautious. Like, the, the, the sensible people in the industry have been sufficiently
cautious not to just run absolute Looney Tunes up the flagpole, and I'm thankful for that.
Yeah, I mean, there's certainly plenty of mad stuff happening, but it seems to be not so much in the
security space. Like, the stuff that, that we've seen seems to be a little more well considered,
and I think that's because, you know, we have been burnt by so many terrible products over the years.
I mean, everyone who's worked in this industry has had to deal with products that over-promise
and ultimately don't work and make it worse.
So I think we're all a bit, you know,
we're all a little skeptical and that's good.
Yeah, and I think also it's perhaps
because we've already had the AI slash ML investment boom
in security and it wasn't, you know,
it preceded large language models.
It was really those, you know, malware network detection things,
you know, malware detection, network detection, using ML, using AI.
So I sort of feel like maybe cybersecurity already had its AI hype cycle.
So what do the models kind of bring to it?
We've been there, done that.
So I wonder if that's a part of it as well.
Yeah, it's certainly possible.
And, you know, some of the generative stuff is just so nutso. Little aside off the cybers, but indulge me for a second. Sure. Someone linked me to a
research paper which was using generative ML to recover images of what people are thinking about
from fMRI scans. So you get an MRI scan, they take the brain data, and then they have two models, one which
matches at a high level what the subject of what you're thinking about, and another one which matches
the kind of, like, colors and textures and layout of what you're thinking about in the visual cortex
of your brain, feeds that into a generative AI model that then spits out an image of what you
were thinking about. And that's just, like, that's some cyberpunk terrifying what-the-hell
madness. Um, so, yeah, mind reading. Mind reading, yeah. Which, you know, you think about all the stuff
we're gonna do in security that's a bad idea, like, that seems way worse. Yeah, yeah, sure does. Uh, now,
just real quick before we wrap it up, I want to say a big thanks to all the Risky Business listeners
who helped me out this week.
You know Nate Silver?
He's the guy who founded FiveThirtyEight?
Yes, yes, yes. Yeah, so this is the guy who was like the crystal ball,
could predict elections.
And he got one right.
And after that, not so much, right?
And yeah, so he wound up at ABC News and whatever.
He's out on his own now.
But he announced that he is starting a podcast,
very exciting stuff, called Risky Business.
Which was, yeah.
And what's funny is like the Risky Business listeners were all over him.
If you look at his announcement, if you look at his announcement,
it's mostly like it's a couple of people going, oh, yeah, Nate,
you know, can't wait.
And then all of these other people, someone called him an utter, utter pine cone, and I don't even know what that means, but I did
enjoy, I did enjoy, uh, reading that. But there was, you know, probably, like, and people were being, you
know, they weren't being, you know, overly aggressive or whatever, but just, like, what are you doing, man?
You know, like, there's already a pretty popular, Google it. Yeah, I mean, look, there's other, you know,
there's a lot of little podcasts that are mostly defunct now that never really even popped up on my radar called Risky Business and, you know, whatever. But, you know, this guy has three and a half million Twitter followers or something like that. So that was going to cause a bit of drama for us. But, you know, people really let it be known that this was an issue. And I've actually noticed that they've updated the name. And the name is now Risky Business with Nate Silver and Maria Konnikova, which is his co-host,
and, you know, that's just a really excellent result because that's not going to cause any
confusion. You know, it was going to be confusing when there were two quite popular podcasts both
called Risky Business and nothing else. So, just wanted to say thanks to the listeners for
showing a bit of support there and for, you know, as I say, keeping it relatively civil. They
weren't nasty about it. They, you know, they were joking around about it
and, you know, calling him a pinecone,
but, you know, it wasn't nasty.
And I'm glad that-
Yeah, it wasn't a feral pile on.
No, people kept it classy, right?
So, you know, thanks to all of you
for sticking up for us, man.
That was cool.
Yeah, that's real nice.
Thank you.
Thank you very much, all the listeners,
for doing that for us. Good job. All right, Adam, uh, that's it for the week's news. Thanks so much for joining me. I've got to, like, put this down and immediately go to my next event. Uh, but, uh,
yeah, I'll be back next week and we'll be doing it, uh, again over the internet, but, you know,
a little bit closer next time. Yes, we will. I'll, I'll look forward to it. And yeah, have,
have fun at the rest of, uh, of your crazy week.
I'm exhausted.
That was Adam Boileau there with a check of the week's security news. It is time for this week's
sponsor interview now with Silas Cutler, who is the principal reverse engineer at Stairwell.
And yeah, if you've ever been interested in being able to throw a bunch of malicious binaries at a platform to analyze them, Stairwell is
really great for that. You can do a, yeah, a bunch of analysis, variant discovery
and whatnot. It is, it is very cool stuff. So Silas has developed some tools to
connect to and interrogate C2 nodes, and this has led to some interesting
adventures. So here he is to fill us in on all of that.
Fundamentally, like, when you use platforms
like Censys and Shodan,
you can get great results
and be able to identify malware control servers
and huge amounts of malicious infrastructure.
But if you want to start being able
to interrogate control servers in real time
and being able to sometimes elicit parts of the protocol that may not Strike or PlugX or Pick Your Malware Here.
You go from that medium confidence to a high confidence where it's this malware, this server spoke the language of Cobalt Strike, of PlugX.
And therefore, I can say with high confidence that, yes, it is likely a malicious.
Yeah, it's, it's, it's, we know now that it quacks like a duck and it uses duck words, and does it,
is not just a feathery giraffe. Very much so. And also with the significant amount of honeypots
that are out there, even for things like, uh, xz, which happened a few weeks ago, that the malicious
backdoor that was, that in the code, there
50, 60 honeypots that spun up that weekend of,
all looking for the same thing. So
for as many control servers there as there are out there, there's an equal number of honeypots, not always for the same things, but roughly equivalent. Yeah, right, right.
So you want to be able to say, well, this one's just pretending to be a Cobalt Strike C2 or whatever, and this one actually is one. Okay, but then what, right? So, so I'm always
interested in the, and then, you know, you spoke about these remarkable insights you could get
once you learn to speak duck, so to speak. Um, you know, what, what do the ducks tell you when you
start quacking at them? But the ducks tell you everything. The ducks, the ducks tell you everything
once you can speak, speak duck. Um, so honestly, something, something like Cobalt Strike has been one of my favorites to scan for over the years.
So does it actually give you the configs and whatever of what it's deploying to endpoints?
Yeah, nice.
And so I used to joke that I don't like getting my news from CNN. Um, and I've gotten to the point over the years where I don't quite like getting my malware every day from
VirusTotal. Um, I prefer something faster, and scanning and, uh, and the work we do also at
Stairwell is the way that I'm getting malware every day faster, before it ends up on VirusTotal.
But I mean, that would just be giving you the Cobalt Strike beacon component of like an infection chain, right?
It's not going to be giving you actual malware.
Oh, sometimes though from scanning.
So there's been definitely over the past couple months I've seen more reporting on it.
But actors make mistakes on servers too.
And sometimes a server is used for running Cobalt Strike.
Sometimes it's also used for running a couple other pieces of malware.
And sometimes actors make mistakes,
like leaving their home directory sitting in an open web directory.
And when people like me come along with a scanner,
that all gets pulled down, scanned, and we go hunting.
So this is like threat hunting or thrunting.
Love it. We're hunting or thrunting.
Love it.
We're talking about thrunting with the guy who runs Only Scans.
That's a hell of a combination of words there.
But this is like internet scale threat hunting, I guess.
I mean, what's the most interesting stuff that you've been able to rumble by doing this?
Because I'm guessing you would have found some cool stuff.
And you're like, wow, I just ruined someone's day in Tehran, you know. Yep, that's happened a couple times, um, a couple times
thinking it was Tehran and it was others. So there's been a couple big ones over the past year.
Uh, so last year there was an Akira ransomware operator, also probably, uh, moonlighting with
Snatch ransomware, I think, um, where they left their home directory open.
We had access to copies of the malware,
uh,
their daily,
daily driving toolkit for conducting attacks,
uh,
and got some really great insight out of,
out of that finding.
One of the big things actually,
and I don't think I've said this publicly before,
uh,
a couple of years ago,
uh, there was a attacker web directory. They were using Sliver, all of the open source commodity tooling,
um, but there was a database backup file that had come from an online firearms auction website that
had 500,000, um, usernames, passwords, emails, emails, addresses, firearm ID numbers,
their entire purchase history on the website.
I mean, I remember this story.
I remember covering that story when that, because news of that did break.
So that was you who found that thing?
So, yeah, I passed it over to Have I Been Pwned
so they could start notifying victims.
I'd contacted the website owner hours after I found it,
FBI, CISA, and then the rest of the usual probe.
Yeah. Nice. Nice. Now you alluded to it before. I mean, there's the side of this where you could
do like internet wide scanning, you know, you might find, but I'm guessing there's a component
too, where it's kind of interlinked with the work that you do at Stairwell, right? Because
the work can drive each other. So you might get an interesting hit on a new sample
that's never been seen before in Stairwell.
You might do a little bit of analysis,
find out, hey, this is where it connects to.
And then you could use these other tools to go and,
you know, speak duck and elicit all sorts of information.
And, but I'm guessing also, like, as you just said,
sometimes the internet wide scanning
might lead you to the sample.
So it's almost like you need to be doing both of these if you want to be doing this internet wide threat hunting stuff,
right? Oh, absolutely. I mean, that's always been the key thing with threat intelligence is you,
you have this dance between, between what you know and what you think you know, in these constant
testing of hypotheses. And, and that goes also for how you're focusing. So if you're only focused in
a retroactive capacity, where it's, what have we seen from our incident response engagements, what have we seen from looking at samples from malware repositories, you're always sitting several days behind the curve of what's current. forward and defend forward in a way where you are proactively scanning the internet, either
using groups like Censys and Shodan
or Only Scans,
that's when threat
intelligence really starts to get into
speed.
It actually goes back to
something that I talked with Dave Aitel
a long time ago about, which was
what does it look like to
fight cyber threats in real time,
disrupt and, and defend, um, at line speed, at a point where you can't always have a human analyst
stopping the entire flow of events and then making a call, but having to program their logic in
to the defenses, but in a state of constant tuning and, and adjusting.
Yeah. I mean, this is stuff most people don't have time for. Let's be honest, right? Like they,
they just don't, but I get that if you want to be really at that front line, I mean, that's what it
takes, right? Yep. Now I got, I got a, I got a question for you about, uh, battle this, right?
Which is you've managed to reverse engineer the protocols
for a lot of these tool sets that are used by malicious actors.
I mean, I'm guessing you've found some bugs, right?
And I'm not just talking about your typical mem corruption stuff.
I mean, there's going to be some dumb stuff in there,
you know, like along the lines of what we just saw
out of Palo Alto Networks where you can dot, dot, slash in a cookie
and arbitrary file name, right, and then onwards to code execution and great victory. I'm guessing
you found similar stuff, right. And I'm guessing all of the people who do this sort of thing,
like, you have a big old bag of 0day for this stuff. I mean, is that, is that an out there
assumption? No, I mean, it's not, it's not entirely far assumption. And the truth is, is like, there's maybe, like, one or two actual active exploits that I can think of right now in current pieces of malware.
But just like any zero day, these things expire either because malware developer decides to do a rewrite or someone else finds it and makes a lot of noise and the bug gets burned.
But here's the question.
Here's the question.
If you've got 0day in this,
what for,
what do you use it for Silas?
Oh,
that's,
that's the unfortunate thing is,
is really,
there are very few things that I can do.
Legally.
Yeah.
Well,
that's,
that's always the line.
So legally nothing, except either share it out, but
that unfortunately runs the risk of people actually going and using them against control servers, which,
um, yeah, which gets spicy. I mean, would that be a terrible result? Oh, I certainly don't think so at
all. I'm, I'm, I'm a bit more forward-leaning in suggesting that I do think that there are times in which
more offensive cyber things need to happen.
But I don't think we can do those things until we are able to actually coordinate and share
better as a community, because because when those things happen, it needs to be deconflicted.
Law enforcement needs to know and law enforcement also needs a way to receive sometimes
ill-gotten gains like that. Yeah. Um, so. All right. Well, that was sufficiently cagey. Let's
move on. Um, so how are you using, now, you know, you work for Stairwell. This is, this is not
Stairwell work that we're talking about, but I'm guessing you use Stairwell as part of all of this.
Like what, what, you know, how do you, how you use it? As someone who works for the company and actually has a reason to use it,
what's your use for it?
Yeah, so I have a lot of uses actually
personally as a researcher for Stairwell.
And I'm really hoping that Mike, the CEO,
does not listen to this
because of how much I'm going to say
about what I use it for in a semi-personal capacity.
So a lot of the scanning stuff,
from the scanning stuff, there's quite a
few things like open web directories where malware artifacts are left. I've tried to process it by
hand myself every day. We're reading through all the samples and Yara scanning individual files,
and it doesn't scale. So right now, feeding it all right into stairwell, and it's giving me
instant scanning over all of the results. So original build out for some of that code came
from another project I run called MalShare, which is a public malware repository similar to
VirusTotal, except we don't have any real scanning of files.
So started shipping all the files off to Stairwell in order to start getting actual like YARA results
and being able to differentiate what each thing is.
Because honestly, for the past 10 years,
very few of the files I'm directly scanning
with my own YARA rules,
just because the volume is a bit taxing
on local systems of mine.
So the real advantage here, I guess, is being able to throw these files
at something that's got a bit of scale and compute and can just,
well, and I mean, the tech's good too, right?
Oh, absolutely.
And the other piece to it as well is it's not just also that first scan
of being able to say, hey, what is this file?
It's the variant discovery.
It's being able to tie it to different groups, different families. Yeah. And even, even beyond the variant discovery, being able to have it
continuously update of new hits when it, so if I write a new YARA rule and put it in the system and,
uh, I get a, get an alert that fires in Slack for me, uh, telling me that I got a hit from a year ago,
uh, that's just as valuable sometimes because now
it adds context to something that originally I didn't have context about. But all of those
artifacts are still saved so I can go back and do the analysis that I wish I could have done then.
Yeah. No, it makes 100% sense. So, I mean, you know, we were talking before we got recording
and there's no way you're going to open source all of this, right? Because, you know, the adversaries will respond to that and find out ways to defeat this sort of scanning if they know precisely how it's being done.
Yeah. When adversaries can see behind the curtain of how defenders are trying to track them,
people don't often realize, but it is a trivial amount of work sometimes to bypass
detections when you know what the detection is looking for. So sometimes it's just simply adding another character
or if the signature is looking for a string name,
for example, like welcome to the desert of the real,
which was from one of the very first pieces of malware I looked at,
going back and changing that and adding an extra period in the middle
or a space between two of the words,
sometimes that's enough to beat out a detection.
Well, I mean, this is the, this is the
problem with antivirus in 2001, right? Yep, the, the classic old problem of static signatures. But, uh,
but for a lot of day-to-day things, though, it is difficult sometimes knowing when your signatures
are failing. Yeah, so it's always this consistent game of, of tuning, tracking, and, uh, and trying to
stay on top of things. All right.
Well, Silas Cutler, thank you so much for joining me
to talk through your adventures on the internet.
Oh, thank you for having me.
Yeah, it was great to finally meet you
and look forward to doing it again one day.
Yeah, sounds great.
Thank you for having me.
That was Silas Cutler of our sponsor Stairwell there.
Big thanks to him for that.
And big thanks to Stairwell for being this week's show sponsor.
And that is it for this week's podcast.
I do hope you enjoyed it.
I'll be figuratively and physically back next week.
But until then, I've been Patrick Gray.
Thanks for listening. Thank you.