Risky Business - Risky Business #755 -- SSH 0day! Polyfill drama! Entrust crushed!
Episode Date: July 3, 2024
On this week's show, Patrick Gray and Adam Boileau discuss the week's security news, including:
Widely used polyfill javascript gets hijacked by its new owners
MacOS supply chain disaster bullet dodged
That OpenSSH remote code exec OH MY <3
Entrust gets its CA business kicked to the kerb by Google
South Korean telco intentionally viruses 600k customers
Microsoft continues to deeply underwhelm
And much, much more.
This week's episode is sponsored by Greynoise. Founder Andrew Morris joins to talk about ways to track attackers across NAT and VPNs, as well as how you can join in the fun of running an internet-scale honeypot network.
Show notes
Polyfill, Cloudflare trade barbs after reports of supply chain attack threatening 100k websites
3 million iOS and macOS apps were exposed to potent supply-chain attacks
regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems (CVE-2024-6387)
Google Online Security Blog: Sustaining Digital Certificate Security - Entrust Certificate Distrust
TeamViewer: Hackers copied employee directory data and encrypted passwords
South Korean telecom company attacks customers with malware — over 600,000 torrent users report missing files, strange folders, and disabled PCs | Tom's Hardware
CDK eyes service restoration for all car dealers by Fourth of July
'I don't see it happening': CISA chief dismisses ban on ransomware payments
Patelco Credit Union ransomware attack halts banking services for nearly half a million members
LockBit claims cyberattack on Croatia's largest hospital
Inside a Violent Gang's Ruthless Crypto-Stealing Home Invasion Spree
Suspected Chinese gov't hackers used ransomware as cover in attacks on Brazil presidency, Indian health org
Nearly 4,000 arrested in global police crackdown on online scam networks
USD 257 million seized in global police crackdown against online scams
Microsoft alerts additional customers of state-linked threat group attacks
Midnight Blizzard Microsoft Email Data Sharing Request: Legit? : r/Office365
Polish Parliament strips official of immunity, clearing path for prosecution in spyware scandal
Stolen credentials could unmask thousands of darknet child abuse website users
WA man set up fake free wifi at Australian airports and on flights to steal people's data, police allege
Bytecode Breakdown: Unraveling Factorio's Lua Security Flaws
iOS 17 lockdown mode blocking CarPlay? : r/ios
Transcript
Hi everyone and welcome to Risky Business. My name's Patrick Gray and my god, SSH 0day,
massive supply chain attacks, Entrust getting nuked by Google Chrome. There's just so much
going on and we're going to get into all of that in just a minute with Adam Boileau.
And then we're going to hear from Andrew Morris, the founder of Greynoise, in this week's sponsor interview.
And, you know, I'm sure regular listeners would know I always really enjoy chatting with Andrew.
And he'll be talking to us about some of the complexities involved in trying to identify malicious probes that are behind carrier-grade NAT.
So when a malicious box's IP is changing every couple of seconds,
how does Greynoise handle that?
That's coming up soon.
But let's get into the news now with Adam Boileau.
And before we get going, a quick note.
I am taking my family away for the winter school holidays
and they start next week.
So that means I've got the next two weeks off.
So there will be no weekly show next week.
I do have an episode of Wide World of Cyber
with Chris Krebs and Alex Stamos ready to go.
So that one will be published instead of the weekly show next week,
Wednesday afternoon, Australia time.
But yeah, Adam, let's get into it.
And we've got so much big news to cover this week.
It was funny because last week we sort of took it easy
because there wasn't a whole bunch to talk about, so we got to go in a bit in depth. But man, it's like
action stations at the moment. Let's start off by talking about this polyfill supply chain
drama, incident, state of affairs, I don't even know what to call this. But yeah,
tell us about polyfill and the news here. So polyfill.io is a site that provides JavaScript libraries
that browsers use to emulate newer behavior
that they don't know about.
So if you're running old Internet Explorer
and you're a web developer
and you want to use some modern features
of browser environments,
then Polyfill is named after,
I guess in the US you would call it
spackle, like the things you cover up holes in your drywall with, you can use these polyfills
to kind of provide functionality that the browser might not have. And these days this is kind of
less of a thing that matters, but in the time when we were coming out of Internet Explorer
into the early Chrome and there was a bunch more variability in people's
browsers, this kind of like a shim that fixes up browser functionality was very, very common.
Anyway, so polyfill.io is a site that provides these libraries, and at some point it has become
the property of a Chinese company, and they've decided to just start deploying, I mean effectively,
malware, like weird stuff, into the JavaScript. And the guy that was originally behind the polyfill
service says he has nothing to do with it and he doesn't control the domain name, and it's all
turned into rather a mess because this stuff is very widely used, and the new owner or operator of the domain name does seem willing to just kind
of use it for malice, use it for whatever the hell they want to do, which is a little concerning.
Yeah, and Cloudflare is one of the companies talking about this, and we've got its chief
executive Matthew Prince saying that tens of millions of websites, or four percent of the web,
uses polyfill.io, right? So
this is not some obscure service. I get what you mean though, like, because there was a time there
where browsers just kept changing so fast, and we're not, it's not really like that anymore, is it?
No, it has settled down a lot, and the things that browsers don't support, you know, where they differ
in their support these days, tends to be more major features, things like, you know, support
for hardware auth tokens and stuff like that you can't really just work around in software. So there
was a lot less use for these, and I suspect the vast majority of that, you know, four percent of the web
these days really doesn't even need to be using these things. Yeah, so where to from here, I guess,
right? Like, what do you even do about a situation like this? Because I'm guessing if there's tens of millions of websites, there's going to be at least
millions of people who don't know about this.
You know, I don't think the word is going to get out to every single web developer that
they need to do something here.
So, I mean, what do you even do about this?
Well, I think in this case, most of this stuff is going to be, you know, websites that are
not being actively developed.
Like, this is kind of an old technique and the sorts of places that are using it are likely unmaintained, right? They're old
sites that no one actively cares about anymore. They're just there sailing along, you know, on the
internet like the Mary Celeste, you know, completely unmanaged. So no, nothing much is
going to change. Cloudflare has kind of taken matters into their own hands a bit and started providing stable known good versions of the libraries when you request it through their
CDN, which is, you know, a little bit, it's not really their place to do that. But on the other hand,
what else are you going to do, right? So it's sort of, you know, that's an engineering solution for
people that use it off CDNs, but it really just underscores the very, very long
tail of JavaScript dependencies and the extent to which web developers and operators and admins and
users don't really understand quite how much trust you have to place in JavaScript dependencies.
Yeah, 100%. And this is something that our colleague, Catalin Cimpanu, is always rubbing
his temples over, right? Because people don't quite realize it. I mean, in this case, it's not the end of the world currently,
because what it appears to be doing is like redirecting people to sports betting websites.
And it's just typical, like, redirect spam at this point. So not the end of the world,
but still, you know, like, again, it just highlights the issues that come along with
those sort of dependencies. Yeah, exactly. And, you know, the open web provides a lot of opportunity for people to build stuff. But when you're building
resilient things or, you know, banking or finance or cryptocurrency wallets or whatever else,
it's not always clear when you're shifting from recreational low value web dev to serious business
web dev. And that can change over time too. Yeah, yeah. Meanwhile we've seen something,
well, I guess not similar, because it's a story about a bullet dodged, but talk to us about
this CocoaPods thing. So CocoaPods is a, like, code repository software, you know, distribution system
for macOS and iOS. Cocoa is the user interface, one of the graphical user interface
frameworks in the macOS environment, and CocoaPods provide a, you know, a service for people
to include dependencies. And like every other large dependency code repository, you know, in
the PHP world, in the Perl world, in the Python world, it is volunteer run, kind of old and filled
with bugs. So some researchers went, looked at it, found
some, like, account takeover bugs where you could take over software that had been abandoned,
but more concerningly they found a code exec, like straight up remote code exec, in the server that
runs this, that's been there basically for 10 years, which is not great in a software supply chain context where
we're talking, you know, millions of iOS apps and millions of macOS apps. So I guess the good news
is the researchers found it, talked to the maintainers, operators of the service, and they've
now patched it. The bad news is that there was code exec in this thing for 10 years, and the people who
run CocoaPods said, look, we don't know if anyone's ever
exploited this. Maybe they did, maybe they didn't. Either way, you know, we've patched it now, so
that's good. Who can say, right? Like, who can even say what happened here? So I guess the
key takeaway here is the supply chain, everything's fine, we don't need to worry about it. Yes, totally,
totally fine. Nothing to
worry about. It's all good. Every day in the software world is like every other day. Well,
I mean, you know, that's our discussion about the modern, you know, software ecosystem. You know,
it seems like a bit of a mess, but thankfully we're in a position where we've locked down
those fundamental building blocks of the internet and our infrastructure, Adam. Like, you know, when was the last time we saw a bug
in something like Apache or OpenSSH?
Oh, wait.
Oh, wait.
When was the last time we saw one of these?
So we got some sweet, sweet 0day
in like current OpenSSH that just landed the other day,
thus causing me to text you quite late at night saying,
Adam, I think we need to make a config change on the box.
Would you mind awfully doing that right about now?
But yeah, this is like an old bug
that's very similar to a bug that was patched in 2006,
which was actually a Mark Dowd bug
from all the way back in the day.
There's been some sort of regression
where they've reintroduced a similar vulnerability, right? 2020, so it's been there for a while. This one may be a bit tricky to exploit, and I think
takes quite a long time to exploit. Yeah, walk us through this bug, because, yeah, you don't, you
don't see many of these anymore. It has been a long time since there was a default configuration
straight up remote root code exec in SSH, because OpenSSH is,
you know, a very widely used piece of software, but also very well scrutinized and well engineered.
Like, the developers behind OpenSSH expended a lot of effort in making a very good code base, and
I've spent some time spelunking around inside that code myself, and it's one of the most readable,
clean, nice bits of network-aware C code
that you will ever look at.
Now, this research came out of Qualys.
And whoever it is at Qualys,
and we don't know who it is,
but clearly they don't want to come out
and be on the show and talk about it.
But whoever does this is super old school.
And boy, oh boy, are they good.
Because we've seen some superb work, just absolute
classic, chef's kiss, beautiful work coming out of Qualys's research basement over the years, and
this one is just, it's a thing of beauty, and the write-up also just beautiful. So yeah, as you
say, the nature of the bug is it's a regression in a signal race bug that Mark Dowd came up with a very long time ago.
I don't know that Dowd ever got a non-lab scenario exploit for his signal race because these things are super fiddly.
But the Qualys researchers sat down, looked at that previous bug, looked at how it's kind of come back, and then starting
with very, very old versions of SSH from the early 2000s, exploited those, kind of working
up towards what's necessary to do it on a modern implementation of SSH with exploit
mitigation, ASLR, those kinds of things.
And they got there on 32-bit platforms.
On 64-bit Linux it's going to be
complicated. They had their hand pushed a little bit early in terms of disclosure here because
there was a bug reported to SSH in the particular code they were looking at that was being identified
as a deadlock as opposed to a potential exploitable code exec.
So they had to kind of rush that and they hadn't finished the 64-bit exploitation option.
But this is, it's just a wonderful piece
of security research.
And you did message me late at night and say,
hey, we should probably patch this.
Unfortunately, we're on 64-bit Linux.
So chances of it being exploited in the wild, pretty low.
And the timing requirements for this are also wild.
And that's one of the things I wanted to,
like if you care about the innards of exploit dev,
the work that they have done to remove the timing,
you know, variability out of this exploit process
is just beautiful.
Things like, you know, they have to kind of set up memory
for heap corruption in a particular way
and then they will, one of the, one of the exploits they do this with certificates, so they send
malformed certificates to SSH to set up memory in the right way so that when they trigger the
race condition it's aligned neatly. And they will send this very big certificate, and one of the
problems with the timing is they have to account for how long it takes SSH to process the nasty certificate. And they try and time this process and then deliver
all but the last byte of the certificate to SSH so it's in the buffer ready to go, and then when
they want to trigger it they send the last byte, and then it processes, and then they've already
benchmarked how long they think it's going to take so that they can time that right. And it's just, it's so good.
I mean, you already stan the Qualys research team, or if it's one person, like, we got no idea,
but you were already stanning the person
who is the person or people
who were doing research at Qualys.
And it's so funny, right?
Cause it's like, frankly, no offense to Qualys,
but, you know, not necessarily the company
where you would expect to find this level of
research. This is more stuff that you'd expect to come out of, like, Project Zero, right? Yeah, like it,
it feels to me like one old, I'm gonna say probably French, dude in the basement that's been
doing this stuff forever and just kicks it, so very old school, and has probably been at Qualys since the beginning.
Doesn't want to work in the surveillance industry, basically.
Yeah, yeah, it doesn't want to work somewhere else.
And one of the things I really loved about the write-up,
amongst other things,
is how much callback there is to prior research.
So they ended up using a technique from the Maleficarum,
which was a set of memory corruption techniques
from the early 2000s Phrack.
And I call back to some of those
and explain how they use them in this context.
And there's just so much referencing to our history,
to our collective hacker history,
that it just really warms the heart.
Like the advisory is in a text file.
It's an 80 column wide text.
And it's just, it's how vuln research and vuln discovery and bugs used to
be written up in the old days, and for people like me that grew up reading this kind of stuff in
Phrack, on Bugtraq, on wherever else, it just feels so comfortable and so homely. And I get it,
I get it, I get it. We're gonna have to move on, otherwise I'm gonna be sitting here for another half an hour while you sing the praises of this research. I got one thing I want to say, which is
the people who write up these bugs assume that you, the reader, are going to follow in their footsteps,
right? You're not a passive consumer of information, you are learning to, and that's a thing that I
really loved about the old scene, and, you know, it's so nice seeing that carry on. I haven't seen you this happy in years. I mean, SSH remote coding is so good. It's been so good. It has been a while. Good.
Now moving on to some other news, and Google is kicking Entrust out of, like, it's no longer
going to be a trusted CA for Chrome, which is kind of a big deal because Entrust, obviously,
you know, its history goes way back. It's one of the biggest CAs, and Google's just said, no,
they're doing a bad job. They keep promising they're going to improve and they haven't. So bye-bye. Basically what they're going to do is any certificate that chains back to Entrust issued
after some date in October will no longer be trusted.
But current certificates that have already been minted,
they're going to be fine.
So they're handling it well, but it's still a big move, right?
It is a big move.
Entrust is a big CA, and obviously all CAs' stars have waned
as things like Let's Encrypt or whatever have really kind of eaten their lunch
and the need for a very rapid different way
of obtaining and using SSL certs has just, you know,
there isn't really a business model
to support this so much anymore.
And I think, you know, all of the legacy CAs
are just kind of bit rotting and Entrust is one of them.
Google links through to their list of kind of like
incident reports and complaints
that they've had about Entrust over the years.
Pretty grim reading.
And it's kind of not surprising that they have got to the point where they're going to throw it out of the cert store.
And it's kind of sad that it's going to take that.
But also, this is what we expect from root store maintainers.
That's their job is to make these calls and turf out people who don't perform.
Yeah, but you would have expected it was, you know,
Bob's certificates run out of someone's garage
that we're going to get the heave-ho,
not the giants of the industry.
But I guess, you know, as you point out,
their margins are getting compressed like you wouldn't believe
because everybody's using Let's Encrypt.
So, you know, the amount of money people will pay
for a certificate is like very, very small.
So, you know, they can't run it properly. Yeah. I mean, ultimately selling certificates is a legacy
business, right? And the people who own these things, this is one very, very, very small line
item in the spreadsheet. And yet it's super important for the web and for how trust works
on the internet. But yeah, there's just no money in it. I don't think anyone who is in that business
really cares about it. Like if you were in uni learning infosec, looking for your new jobs,
are you going to go work for a legacy certificate provider?
Like is that your exciting new career?
When I grow up, I want to work for VeriSign.
Yeah, exactly, right?
That's just not, no one wants that.
So yeah, these are all dead and dying businesses, sadly.
Yeah, yeah, crazy.
Now there's also been an incident at TeamViewer.
As I said, it's like a big news week.
What happened here?
Because, I mean, this has been attributed to APT29,
like Russian crew, right?
So you're thinking this is very serious.
On the other hand, you've got people like Kevin Beaumont
on social media saying,
oh, this isn't actually as big as it appears.
But then, you know, I'm looking at this write-up
from John Greig over at The Record
and it seems like a pretty big deal to me.
According to TeamViewer,
the Russian hackers have made off
with their employee directory,
which if it was just a text file
with names and phone numbers,
probably not so exciting.
But apparently it also includes encrypted passwords,
which makes it sound a lot like their active directory.
Yeah, yeah.
So there's something bad has happened here.
I guess the reason you might say it's not as bad, you know, we know how much the Russians
love supply chaining stuff.
So, I mean, it could have been worse, I think is probably where Kevin was coming from.
Yeah, it could have been worse is not super reassuring.
Now, let's talk about the most absolutely bonkers story of the week.
Our colleague Tom Uren is currently working on a write-up over this
for tomorrow's edition of the Seriously Risky Business newsletter,
which you can subscribe to at news.risky.biz.
A South Korean, like a major South Korean telco,
was dropping malware on its customers.
So something like 600,000 torrent users.
And, you know, their systems were getting wrecked by this malware.
And it turns out, yeah, it was their own ISP doing it to try to disable them from being
able to actually torrent stuff.
And it looks like all of this ties back to the way that like peering arrangements work in Korea, which involves ISPs having to pay each other for peering.
But it's just like top to bottom.
You just read this and you think, wow, you know, things really do work differently in different parts of the world.
Although, I mean, maybe not because there have been arrests and whatnot over this.
Like it's turned into a scandal.
But walk us through what we know here because this just seems completely insane. It does seem super, super bonkers. So the story goes that in South Korea,
there is a company called WebHard that appears to be owned by LG and has been kicking around for,
I think, like 15 years, judging them. Their website looks very old and they provide a cloud storage
application where you can store your data in the cloud, but instead of having their own servers,
they store it on their users' boxes and it gets redistributed via torrent. So essentially they
provide, like, a seeding service and the framework, and then you store your data in your WebHard
drive and then it's magically available everywhere
and is performant and so on and so forth.
This was causing a bunch of load for KT,
the telco in question,
and they had at some point actually
gone through a court process against WebHard,
asking them to stop using their data
and stop using the customer's bandwidth
to run their
business. And then they went ahead and started deploying malware onto people's systems via,
it's not 100% clear whether they were doing it via an exploit in WebHard or whether there was
some other functionality they were able to abuse here. But yeah, the net result was malware on 600,000 customer machines, and the malware seemed
to be trying to make fake data but had some side effects where occasionally it would crash things,
occasionally would delete stuff. You know, making malware is hard. And yeah, what a total mess, and
the interaction with, like, how ISP peering and inter-ISP billing and stuff works in Korea is an interesting wrinkle
that I hadn't appreciated either, so I'm interested to see what Tom digs up. Yeah, yeah, he's working on
that one. I had a bit of a chat to him about it yesterday, and it just, as I say, the whole thing
just seems completely insane, completely bonkers. I mean, I'm not even sure, is it malware or were
they just corrupting files through some sort of, you know, seeding bad data? Like, I, we don't know,
but the point is they were doing some serious disruption
against their own customers,
which, yeah, probably not, you know,
going to result in a whole bunch of five-star reviews,
you would think, right?
No, probably not.
I think, well, there's 13 people are facing charges
of some sort under Korean law.
So either way, it has not gone well for anyone.
Yeah, yeah.
Meanwhile, CDK, CDK Global, this is the car dealership software provider,
looks like they're bringing services back up and
should be back up and running for everybody around the 4th of July. So I'm guessing they paid, right?
And we had that conversation last week about all that, and yeah, I'm guessing, I'm guessing they've
actually paid and that's what's happening.
Yeah, we haven't seen any confirmation from that.
I'm assuming the people who watch blockchains
may be able to spot something.
But yeah, we don't know for sure,
but certainly convenient for them
to be able to bring it back in time for,
I guess buying a car on the 4th of July
is pretty American.
What's more patriotic?
You know, go buy an F-150.
You know, it's America.
Hoorah.
Yeah, yeah, that's it.
But, you know, speaking of, you know,
because last week we spoke about, like,
why a ransomware ban might be a bad idea
because it looked like in the case of CDK
they just couldn't evict the attackers, right?
And if they wanted them to stop doing more damage and putting them
in a worse and worse position, they were going to have to pay. So, you know, it was my opinion,
it still is, that, you know, this suggests that a ransomware payment ban is a bad idea.
We've got a write-up here from Alexander Martin at The Record, based on some comments from CISA
Chief Jen Easterly. And she was interviewed by Ciaran Martin, who was the
former head of NCSC in the UK, because he wrote an opinion piece for a newspaper a while ago saying
that ransomware payments should be banned, and, you know, really did a good job of kicking off the
conversation. They were talking and Easterly just said, like, I don't see it happening. But I think her comments were more about, like, it would be a difficult thing to do practically. It was less
about whether or not this would be a desirable policy, just more that, like, implementing a policy
like this would be really hard. Yeah, we certainly have seen, you know, lots of knee-jerk suggestions
that, you know, paying ransoms, full stop, should be illegal, that would solve the problem, drive the money supply. But it really isn't always that simple. And I think, you know,
Jen focusing on the "it's difficult to do practically" aspect kind of underscores that.
But yeah, overall, you know, there aren't easy solutions to ransomware and infosec and
hacking in general, and yeah, I don't know why we would expect them here.
Yeah, I mean, I think there's so many good ideas as well
that really when the rubber hits the road,
they're kind of impractical to implement
because it might be difficult to do it via regulation
or via legislation.
And there's teams full of lawyers
just telling you you can't do it or whatever.
And Easterly's just sort of said,
yeah, this would be just too hard anyway.
So why are we talking about it, I guess.
And, you know, full credit to Ciaran too,
because last week when I was saying that a ban was a bad idea,
I took a little video clip of our conversation of that
and I put it on social media and he reposted that.
And I thought that was cool.
When we're arguing against his position, he still reposted it.
And, you know, that shows someone who values debate. So thank you for that, Ciaran. Very nice. Yeah, yeah. And look, just on
ransomware as well, there's an incident kicking off at Patelco Credit
Union, which is a credit union based in the United States. It's in the Bay Area,
and apparently they have something like half a million customers that are
affected by this, and this incident could,
according to reports, last for weeks. So, you know, I guess we'll just keep an eye on that one.
Oh, and there's been an attack against a hospital in Croatia that LockBit has claimed credit for,
but they've been claiming credit for a lot of stuff lately that just hasn't happened. Like, they,
remember they claimed recently that they'd owned the US Federal Reserve and it turned out to be,
what, some finance company or something, a big one, like a significant breach, but it wasn't
ransomware, it was like data exposure. I don't know, this just seems like LockBit is just not what it
was, right? Yes, it's certainly not. I mean, if they still manage to interrupt service at a hospital, that's
not great, but I think the reporting was that they were down for a day whilst they tried to recover,
which is, you know, that's better than it could be. Yeah, 100%, right? Like, a hospital down for a day is
pretty good going these days. And yeah, there's some great quotes in there. That's
Daryna Antoniuk, also at The Record. You know, we've dropped a link to her reporting in this
week's show notes.
We've got a great one here from Andy Greenberg and his colleague, Matt Giles, which is looking at
crypto stealing home invasions. I mean, this was something that came up last week when we spoke about this Scattered Spider kid who'd had to flee to Spain because people were home invading him and
trying to rubber hose him for his crypto. But this is increasingly, like this is turning into a real thing.
I guess, you know, we all kind of predicted this, like this isn't such a surprise, but
it's still crazy when you see it more and more in the news.
I think to a degree, though, we can use this, but we'll talk about that in a moment.
First of all, talk us through what Wired's reported here, Adam.
So they've reported a guy, or I guess a group of people from Florida
that were originally in the internet crime business.
They were stealing cryptocurrency.
Apparently they met playing Minecraft, so that's nice for them.
And then they kind of graduated up into, well,
if we know these people have crypto wallets in their houses and we can't hack them, why don't we just go around and do violence? And they started doing
that. And I guess, fortunately, they weren't very good at it. So they terrorized a few people,
went into people's houses and, you know, kidnapped them in some cases, you know,
threatened them with guns, et cetera, but ultimately didn't make a whole heap of money.
They had, you know, were targeting people that
they knew the locations of, that had access to a significant amount of crypto. In some cases they
were targeting people who were active in the crime underworld, stealing other people's crypto,
and then trying to then steal it onwards from them, or people who had wronged them, or, you know, that
kind of thing. So, like, relatively small scale in that it was largely in the underground
apart from a couple of crypto investors.
But the real point is
if you've got millions of dollars of assets
in an immediately transferable form in your house,
then this is a concern.
And the fact that these people are going to go to jail
is great, but you've got to expect more of this. Yeah, yeah. I mean, it's not just crypto either, right? It's exactly what you
said, which is easily transferable assets. So, you know, a lot of listeners would know that
Mrs. Business is Brazilian, and we tend to go over there about every year and a half. And
last time we were over there, people are like, you know, some people are like leaving their
mobile phones at home when they go out, because now you can get someone point a gun at your head and force you to do a
transfer from your mobile device. And of course, you know, when you've got some of these sort of
sophisticated onboard biometrics in things like iPhones that can really accurately do ID, it means
that the banks really trust that those transactions are authenticated. So if
someone's pointing a gun at your head and they say, hey, you know, send us a hundred thousand
bucks into this account. And they point a gun at your head, you know, you do it, right? So the,
yeah, not just crypto, but I think in places like, you know, Europe and the United States,
crypto seems like a good one to go after. And I wonder, you know, how much we're gonna,
how much of this is happening in places like Russia, because we want this to happen in Russia,
because who has all the Bitcoin? It's the ransomware affiliates, it's the ransomware-as-a-service
platform operators. You know, I would love to see them getting rubber-hosed, uh, for their crypto.
You know, something I've said before, I guess. You know, yeah, I guess it's, you know, that's one of the
glass-half-full looks, is that,
yes, you can rubber hose people and steal their crypto.
And some of those people deserve having their crypto stolen.
But yeah, I don't know.
Like there's just a reason we ended up with banks
and like putting your money in a place where like
there's a time lock at the bank
and you have to go and do a whole bunch of boring stuff to get it.
And that's kind of good in a way.
Yeah, daily transaction limits on your accounts are good
and they will help you, right?
Because you won't lose everything all at once.
Moving on, and we've got a report from SentinelOne,
Recorded Future, and TeamT5 that's looked at a bunch
of intrusions and has concluded that Chinese government APT-like operators are increasingly using ransomware, like kind of fake ransomware, as a way to cover up their intrusions.
Which I think honestly is a pretty dumb strategy and is not going to give them the type of cover that they want. We saw them do this in Palau a while ago, and it looks like it's been happening in Brazil and India and a bunch of
places. So, you know, if you want to destroy logs and sort of confuse your adversary, I mean,
I guess this is one way to do it, but it's a veneer, you know, it's not an enduring deception.
So I think it's pretty dumb and needlessly destructive also against norms. I don't know. I just think this is bad. I think China should stop doing this, obviously.
Yeah. I mean, clearly China should stop hacking people in the first place, but I guess-
Well, I mean, if they're doing collection, they're doing collection, right? Like you can't say that
that's against norms. It's not. Where it is against norms is when they're doing things that are
destructive, you know? And we saw it, we remember when they were attacking those, uh, was it some sort of, uh, mail appliance? What was that, like
Barracudas? Barracudas, yeah, it was Barracudas, right. Same thing, like the West didn't kick up
a stink until they rumbled the campaign, and then the operators started going deeper, burrowing into
those things, creating unnecessary drama, doing destructive things. And this is just another
example of, you know, people working at the behest of the Chinese government just being d***.
It's not great.
And I agree.
China should stop doing it.
Yeah.
No, they should.
And I mean, you know, this report here,
this one's from Jonathan Greig again over at The Record.
I mean, it really looks at like how the ecosystem
for how all of this stuff works in places like China and Iran.
Like it's a mess.
You've got all of these contractors who are moonlighting doing crime stuff.
And it's just like, can you just please professionalize your cyber agencies for God's sakes?
Be professionals, China, Iran.
I'm looking at you.
And of course, you know, it would be nice if Russia would stop giving tacit approval to its criminals
for attacking Western hospitals.
But anyway, it would be nice, wouldn't it,
if we lived in a more ideal world.
Some good news now.
This is a write-up from Daryna Antoniuk over at The Record.
4,000 people have been arrested in a global police crackdown
on pig butchering and online fraud networks.
Yeah, what was it, like 61 countries, 3,900 suspects arrested, $250 million in assets seized.
This is a good day for law enforcement.
Yeah, this is called Operation First Light.
And I think, you know, as cooperation between law enforcement on cyber stuff goes, like this is really to be applauded.
Like it's so much hard work to coordinate all these kind of different agencies, all these arrests, try and do things simultaneously across multiple countries.
So much effort goes into it.
And, you know, you pointed out like $250 million drop in the bucket as cybercrime goes.
But for the amount of work law enforcement did for this,
like I think they should feel pretty pleased with themselves, you know,
rounding up this many people and you know,
it will prevent a bunch of harm. So it's great. On the other hand, yeah,
it is still a drop in the bucket, unfortunately.
Yeah, it is. I mean, you were like, when we, before we started recording,
you're like, man, they seized a quarter of a billion dollars, and yet, drop in the
ocean. It's just, it's just so big. But I mean, look, it's, it's, it's movement, right? And we, we like
movement. So, um, and let's hope too that if some of these people had been human trafficked into this,
you know, hopefully what this means for them is freedom, not incarceration, and, um, that would, uh,
that would certainly be a good result. Uh, Cybersecurity Dive has a report up from David Jones.
Uh, this one, I actually got
tipped on this. I think you did too, right? Like this was something that people were sending me,
which is Microsoft has decided to notify its customers when communications between Microsoft
executives and those customers were breached as part of this midnight blizzard attack
against Microsoft last year. This was the one that was the topic of the CSRB report.
But the way Microsoft has handled this notification is just bizarre. They've sent an email out to
impacted customers that just looks straight up like phishing, like really, really suspicious. And screen caps of
this started popping up all over the place, like, you know, Reddit and, and Twitter and whatnot,
with people saying, like, has anyone else got this? Is this for real? And yeah, it actually was for real,
which is, which is just nuts. Yeah, it is pretty nuts. Like, Microsoft really could have done a better job
of this. Uh, the funny thing is,
on Reddit, one of the threads about this, the person who received it said they had reached out to their
regular Microsoft contact to say, hey, is this legit? It came from, like, mbsupport at microsoft.com, and
the Microsoft people were like, we've never heard of that, maybe don't click on the links in this thing.
Uh, which is just not how... Well, and the link, the biggest, the link that you're
supposed to click is purviewcustomer.powerappsportal.com, and you're supposed to supply your
organization's tenant ID, the access code located at the bottom of the email, and an email address
for individuals within your organization who can nominate reviewers, who will be granted access to
the set of exfiltrated email. Like the whole thing just,
and I get that trying to spin something like this up and do it in a sensible way,
like it's a lot of work,
but it really does look like they half-assed it here.
Yeah.
And I mean, Microsoft's a big company that ought to know how to computer.
And, you know, given how important this is,
like this is number one priority for them these days,
you think they could have done perhaps a slightly more robust job,
a slightly more professional-looking job,
because this just...
What are you doing, Microsoft?
What are you doing?
What are you doing?
Yeah, now, just turning our attention to developments in Poland,
and there's been this whole thing where the new government's come in
and is trying to investigate the previous government for its use of stuff like Pegasus against political opponents and whatnot.
There was a raid.
I don't think we talked about it last week, but there was recently a raid on a government department where another investigative agency went and seized some computers that were apparently being used as like either a C2 or where the control panels for the spyware were located
or whatever.
And now we're actually seeing the Polish parliament start to strip officials, former
officials of immunity, which is clearing the path for them to be prosecuted.
Suzanne Smalley has this write up.
And yeah, I mean, this is all moving in the right direction.
Yeah, this guy Michał Woś was one of the people involved in buying the Pegasus spyware from NSO Group.
And yes, he's had his immunity stripped away
and we'll see whether or not the prosecution proceeds.
But yeah, they're definitely taking this real seriously over there,
which is great to see.
This stuff should be punished.
Yeah, so he's a former member of the Polish Parliament's
Council of Ministers.
So, you know, they're certainly going after,
they're not just going after the button pushers, I guess, which is good.
Yeah, exactly.
The people who were making the decisions rather than just the poor flunkies with the computers.
I wonder if he gets immunity because it was an official act.
Don't even go there.
I'm not going there. Don't even go there.
I'm not going there. Not going there.
It's okay. Um, but yes, the mind boggles. Uh, what else have we got here now? This one, this is a
really interesting piece actually from Alexander Martin, um, which is a really interesting idea. It's
actually a write-up on, on research done, uh, by Recorded Future, but they've realized that if you
capture a whole bunch of data from infostealers, you can
start looking up which of those compromised accounts belong to, like, CSAM websites, and you
can start tying them to their real identities, because the infostealer is obviously capturing,
you know, genuine, uh, capturing login information for their real-name accounts and also for their
awful, you know,
.onion websites that are hosting this sort of material. Which is just, it's just an interesting idea in terms of, like, what sort of, you know, leads you could give to investigators based off
malware collecting stuff off endpoints, right? I just found this a fascinating idea.
Yeah, no, it is. It's really interesting. Recorded Future wrote up their research,
but they've got something like three and a half thousand user accounts that they've seen accessing
child sex abuse material, where they have now shared that information with law enforcement. So
it makes a whole bunch of sense to do this. And it makes you wonder what other, you know,
we've seen infostealers used in a bunch of different compromises lately. So it's kind of
nice to see that data set also being used for good as well as just busting into things.
Yeah.
And you'd think that should be enough.
It should be enough to go to a court and apply for a warrant, but I'm not even sure.
Like, I don't know if that would be enough.
Just the existence of an account that you could tie to a person.
The existence of the account on a website like that.
You would think it would be enough, but I don't know.
I'd have to ask a lawyer about that.
I just thought it was an interesting idea.
We got a guy who got arrested in Western Australia
because he set up a fake Wi-Fi access point at airports
and on flights in order to try to capture creds,
which is just crazy because this is like, you know,
a type of attack that never really happened all that much
but was talked about a lot.
And now, you know, here we are in 2024,
and I think this is the second one of these that we've talked
about in the last month.
Yeah, you think about how much effort we've spent telling people
not to connect to weird wireless networks, or having to charge their phones in public because of juice jackers. Actually seeing this stuff done in the
wild is kind of funny in a way. And I don't know, this 42-year-old man, I guess, was kicking it kind
of old school, you know, pretty retro, doing these sorts of things in the year 2024. He was running
networks that cloned public networks in airports, redirecting people to websites that would presumably inject JavaScript and steal their credentials when they logged into things.
So, I mean, I guess it's good that he's been arrested.
But it's just funny that we don't see, you know, we haven't seen that much of that over the years, despite the software for doing this being widely available and widely used by pen testers. Police allege the man's fake Wi-Fi networks took users to a dummy page that asked for
their email or social media login details.
But you would think really that modern browsers would alert on that, right?
So I'm guessing that's probably how he got caught is just triggering all these warnings
on all sorts of people's browsers until they called the cops and someone just turned up,
captured the MAC, you know,
got the right antennas, beep, beep, beep, done.
You'd think that's how this went down, right?
I imagine that's how this went down. The dumb way is how this went down.
Yeah, and that was by Stephanie Convery over at The Guardian.
Now, before we go, Adam, there's that research piece
that you wanted to talk about, a bug in a game,
but it's actually really interesting research.
Talk us through this one real quick. So the game is called Factorio, which,
I, you know, fair disclosure, uh, probably has the highest number of hours in my Steam of hours
played. So I love this game. It's so good. It's basically a game about programming that you
don't know is about programming. Anyway, there's this blog post that came up with, uh, you know, remote code exec, uh, from a malicious server,
you know, attacking players of the game, and it really reminded me of the Qualys write-up, which
is an excuse to gush about that again, because it's a super detailed write-up by persons unknown,
like unattributed, no name, no nothing, uh, talking through an obscure exploitation technique in
super amounts of detail so that you too can learn how to break out of games'
Lua sandboxes
and achieve code execution
through mem corruption
in the Lua interpreter.
And it's just wonderful research
for really very little purpose
other than fun
and super well written.
So if you're into obscure
exploitation techniques
or you're into Factorio, you should totally go and read
this post.
There you go.
I've linked through to that one in this week's show notes, and that can be your reading list
item for the week.
And just the last thing before we go, last week I mentioned that I couldn't use lockdown
mode in my new car because it uses TKIP Wi-Fi, right?
So someone actually contacted me on, I think it was Mastodon, and said, have you tried
wired CarPlay? And I thought, yeah, that's crazy, but I didn't even think to try that. So I get into my
car, I plug it in, there is no wired CarPlay in that car, unfortunately. It's only wireless. But the
strangest thing happened, where previously I had tried manually connecting to my car's Wi-Fi network
to try to get wireless CarPlay to work, thus bypassing the no-auto-join thing that's part of lockdown mode.
And yeah, previously it didn't work.
I tried it again and now it does work.
So I've got lockdown mode and wireless CarPlay in my car.
All I got to do is just open up Wi-Fi and connect to that TKIP network
and click through the warnings and it's all fine.
So in case anyone actually cared about how that story ends,
that's how that story ended. So I will be driving along in my Supra, listening to my favorite tunes.
That's all wonderful. But Adam, that is it for this week's show. And indeed, that's it for a
few weeks because I'm taking the kids away for winter holidays over the next couple of weeks.
But we'll sit down and do this all again in three weeks. Thanks for joining me.
Yeah, we certainly will, Pat. Have a great time on your holiday.
And I guess it's weird to have an SSH remote code exec
before you go on holiday,
which makes me wonder what's going to happen while you're on holiday.
Yeah, exactly right.
So, yes, we look forward to the traditional Risky Biz holiday curse.
Brace yourselves.
That was Adam Boileau there with a check of the week's security news.
It is time for this week's sponsor interview now with the founder and chief architect of GreyNoise, Andrew Morris.
And just to let you all know, they're making their sensors available for free to people who want them.
And you will get something in return for that.
You get some pretty valuable intelligence. Not the full GreyNoise access, but yeah, worth doing in my view. And he's got some details on that towards the back of this interview. But yeah, most of you know this
already, but GreyNoise runs a giant, dynamic, internet-facing honeypot network so that they
can capture all sorts of intelligence about mass scanning and
exploitation on the internet. And that means they can do things like capture fresh 0day,
identify brute force campaigns, whatever. And this is useful in all sorts of contexts.
Telco abuse teams love it. A lot of enterprise teams use the data to enrich their SIEM.
You can know if something's hitting everyone or just you, that sort of stuff. It's just generally very useful information. But yeah, the entire Risky
Business team was in Southeast Asia a couple of weeks ago for a series of company meetings,
and we ran into an issue, which was carrier grade NAT. Our IP, where we were staying, was changing
with basically every single request, which made allow listing to a single IP very difficult.
It was no big deal in the end because, you know, you can just open up a slash 24 or do some tunneling via some other stuff you know is going to work.
And, you know, onwards we went and it was fine. noise and about how so many of the devices they're tracking are behind carrier grade NAT on things
like gigantic, you know, Southeast Asian ISPs. So how on earth can a platform like GreyNoise
track campaigns when the IPs are always changing? So here's Andrew Morris talking about the issue of
dynamic IPs when tracking badness. Enjoy. Either the person on the other side of things is rotating proxies intentionally to try to avoid you, or the network that you're looking at is just cycling
through, you know, sort of pools of IP addresses. One way or another, if you want to try to figure
it out, you got to go one level below that. And so basically, in this case, you'd say,
what are some identifiable or distinguishable traits that we can actually key on to try to sort of imagine the computer or the machine that's on the other side of that, and look at consistencies across it, so that you can try to look at things other than just source IP address.
So where we see this in practice, like where it matters for us a lot, is that like, so one thing would just be, okay, you've got an IP address that's in a very large network of shared IPs.
And we don't want to call that entire network bad just because some idiot plugged in his infected laptop.
So we got to make sure that we're cautious about that.
Then the other side of the spectrum is that when new software vulnerabilities are disclosed, the bad guys are exploiting at high volume.
And from our perspective, we might see 50 IPs that
are exploiting that vulnerability or whatever. But if we dig it one layer below that, we start
looking at the actual box doing the exploitation. It's one guy who's like blasting this out from
50 IPs. And you're like, Oh my God, you know, so this is the kinds of things that we have to look
at to make sure that what we're saying to our customers is actually accurate and correct, right?
Yeah, yeah, yeah.
So what sort of stuff are you looking at?
Because I imagine with web stuff, it's going to be stuff like user agent strings and whatever.
But even that's going to get confusing.
So talk to me more about how you deal with disambiguation, I guess, of these sorts of situations.
Yeah, yeah, yeah.
Because I can't really think off the top of my head of an easy way to do this.
So there's the spectrum between things that you know for sure to be true
and things that you're kind of like pretty sure.
Because you never have the full picture.
So you have to operate in ambiguity.
Michal Zalewski, the guy who wrote p0f, and obviously
he's a very well-known computer
scientist who worked at Google for some time and
some other places. He's built a lot of really cool stuff.
He wrote The Tangled Web, and he wrote Silence
on the Wire. The first chapter of
Silence on the Wire is called The Foreign Accent.
So you
want to look for a foreign
accent in your connections.
You've got a bunch of different options.
At the very top, you've got like the really obvious stuff
that people are going to lie about.
So in web land, you've got your user agents,
and that's kind of the most sort of where it stops,
the obvious ones that people are going to be changing through.
So then right below that, you've got the order of the HTTP headers, right?
You've got different sort of implementations of different
things that a browser is going to do versus something that a Python library is going to do.
And then you just keep working that sort of down. So an example, some are like purely passive,
some have to be a little bit more active. So people are going to come to your scanners,
people are going to come to your honeypot all the time. And they're going to say, hey, I am looking for this page and I'm running
Firefox, I promise. And then when you hand back a little bit of JavaScript and it doesn't execute
that JavaScript, then you're like, you're probably not actually running Firefox, right?
You're lying.
Yeah, yeah, yeah. Lying on the internet.
Well, that's an interesting idea actually. I mean, just
being able to test, uh, an agent, a user agent string, and just go, I'm Firefox. That's like, well, here, do
this thing that Firefox does this weird way, something with, and you're like, I don't know how
to do that, right? So what you, what you have to do is, like, taking a step back, there's, there's, um, what
we do in practice at GreyNoise, and then there's kind of the abstract thinking behind it.
Sorry, just to cut you off there, but this is an advantage of like an active honeypot versus...
That's exactly what I was about to say.
Versus just trying to look at the network traffic and passively observe network traffic into real environments.
If you're just observing, you can't do that test.
That's exactly right.
So the principle here is using asymmetry to your advantage.
Asymmetry is typically not an advantage for defenders in security, right? Stated differently,
you know, your enemy is never going to, they have different capabilities than you,
and they're never going to hit you where you think they are. And their cost to do something
is going to be very different from your cost to defend against it, blah blah blah blah. So in asymmetry, uh, it's usually hard to be the big one and it's
better to be the small one. In security, there are not a lot of times where asymmetry can be used to
your advantage as the defender. For us, it's very much an advantage, right? So for example, like, you,
I'm the one lying, right? Like the, the scanner, the attacker, is
not the one lying. We are the ones who are lying. We get to control absolutely every single thing
we say back, right? You don't need to be a large proportion of the potential targets out there
to cause them headaches either, which is where the asymmetry idea... Yeah, that's right. We're able to do things like, the enemy, for example, has no idea which IP addresses, and an IP address of a server that's just off and a honeypot IP address, from the attacker's perspective.
Let's just head back a little bit more towards the topic, Andrew.
Right.
So what I'm curious about, hang on, hang on, hang on, hang on.
You were mentioning, you know, active stuff.
I mean, that's really good being able to test user agent strings and stuff and see if something is genuine.
But how do you then, you know, try to determine what's unique, what's distinct?
You know, you mentioned something active and that's interesting because I'm guessing by active you mean these types of returns.
It's not like you're going to initiate a new connection to them because, you know, this conversation is about.
Sometimes, sure. But I mean, in this context, we're talking about IPs that are changing a lot.
So you might initiate a connection out to that IP and it's hitting something else or,
you know, it's carrier grade NAT where in which case it's not even going to route to that device.
So, you know, walk us through a little bit more about how you can start to categorize,
you know, start to tag things as distinct devices, even when their IPs are changing.
So you imagine the world as like a cylinder of three-dimensional space that time moves through.
You get a little bit of Rust Cohle.
I know, I know.
Just stick with me.
Time is a flat circle.
But anyway, go on.
Stick with me.
Stick with me.
Okay? So you've got basically,
you have some descriptions of the data
that are going to be like heavy, dark,
three-dimensional pixels.
One of those is gonna be like the port
or the body, right?
And then you've got other different things
that are gonna be real thin lines on this.
Your goal should be for every single pixel
of that three-dimensional cylinder
to be as colored as
possible. Because there is an explanation for every single bit of traffic that is on that wire,
a completely reasonable explanation, right? And so what you want to do is you want to try to explain
as many of those things as humanly possible. And then you want to try to carve out which ones can
be spoofed, which ones can be lies, and which ones cannot. So an example would be like, there are just certain artifacts that happen to a packet
when it goes across carrier-grade NAT.
There are other things that happen, for example, to the MTU and to the window size and to other
little headers in the packet that just have to happen when you egress out of a VPN, right?
They just have to in order for the traffic to get from one place to another, right?
And so what you want to do
is you want to lean into these things
and build essentially an expert system
or a corpus of knowledge,
a knowledge base of explanations of these behaviors
so that you turn that really big list of things
that you have no idea what it looks like
into a smaller list.
And then over time,
what you start to see is more things
start to jut out of that.
So you'll see a net new protocol fingerprint or a net new, you know, whatever.
This is when you start to be able to really cook with gas.
Yeah, because now he's cooking.
Now he's cooking.
Yeah.
I mean, I imagine that, yeah, at that point, the originating IP doesn't matter, right?
Because you've been able to figure out
enough characteristics where you can say,
if it has these characteristics, it's bad.
Yep.
And usually for the source IP,
usually the thing that actually matters
is like when we see a communication at all
from a source IP that we shouldn't see any from,
our customers freak out, right?
And so typically we don't usually have to actually
figure out that like 40 of the IP addresses are actually this one and that one belongs to you.
And we got to figure out if it's bad or not. And it's bad. And so now you care. Usually under this
set of sort of use cases, the customer is going to say, wait a minute, my network was talking to you.
That's all I needed to hear. It's very bad, right? And so that's usually,
and then, and then where we have to come in a lot of the time is we have to be able to say, and I
think we've talked about this on the show before, the communication happened at precisely this
millisecond, which they need in order to marry it up with their side, because they're like, uh, sorry
man, I've got 10 million devices on this network. So, like, yeah, well, that's all that's on there. Yeah,
that's the telco use case, right, which is really great for telco abuse, because they're like, yeah, this device did something bad at
precisely this time, and they can look up the IP list, right, and they can say, okay. Exactly. And ring
the customer, or, you know, kick them off the internet, or whatever it is they do based on their
customer service policies, you know. Yes, phone call, or, or just termination of the account. Um, no, that's really
interesting. That's actually very interesting. Thank you. And it's helpful for something else
I'm working on as well, so maybe some selfish reasons there for, uh... Yeah, yeah, always, always
happy to do free consulting live. Um, but also I wanted to talk to you because you are allowing
people to deploy virtual
sensors now to a point.
I think you've got to take on a few hundred people who can just run them for
free.
They're going to get something out of that.
You're going to get an expanded sensor coverage.
Just walk us through what you're doing with that and why.
Yeah.
So strategically,
the idea here is that we don't want any attack to succeed twice at GreyNoise, right, for our customers.
Every attack can succeed once and no more than that, right?
So if this is a sort of operating principle, then that means that we need to be in as many places as possible.
So we could continue slogging away and finding IP space at all these local providers, and we will. But a better way for us to get coverage in the
places that we need, in the countries, the esoteric networks that we need, is to basically
just give the tools and the ability to GreyNoise power users, and basically just say, like, here,
we're going to give you the sickest honeypot of all time. It can be any kind of honeypot that
you want. It can be real software. It can be fake software. You can bring us your own copy of your own honeypot that you brought and you can deploy it to any of your
sensors. Like no problem. There's no overhead to it. And you have full packet capture of everything
that comes into and out of it. So you can actually bring your own IDS signatures or rules or anything
like that. So if there's any kind of call it it, emerging threat that you're trying to figure out if
it's being exploited, or if you're trying to figure out if you're being targeted, or
if you're trying to figure out what kind of malicious traffic is normal for your perimeter,
or you're trying to figure out if someone's scanning you, or if anyone's exploiting a
certain vulnerability, then you can basically, I mean, just DM me on Twitter or send me an
email, and say, hey, I want to get on board.
I want to run a sensor. And specifically, we're looking for people who, maybe not you necessarily, but people
who can get these things deployed to like lots and lots of IP space. And what we want to do is we
want to make sure that you've got access to all your data on the other side of it, but you also
have more or less a copy of the same kinds of things that hit other people for those same IPs and
attacks that hit you. And so what that means is I'm trying to condition people to think communally,
right? To think with more collective thinking and security, to say that actually just the fact that
something bad happened from these three people, that's enough for me to want to do something about it.
And I'm trying to sort of change that behavior.
So in this case,
I think we've still got wood to chop at GreyNoise
on really making sure that our sort of user experience
is really, really good for these things,
for our customers.
But the researchers are completely fine
with I think the state of where things are right now.
So I think we're about ready to get that shipped out. So that's something I'm really excited about because I've been working
on this for a long time. Yeah. So if you want to run a GreyNoise sensor to provide Andrew and his
colleagues with some sweet, sweet intelligence and in exchange for doing that, you get some sweet,
sweet knowledge as well. And I love it that you still call it Twitter. So do I. I forgot that it had a different name.
Message him on Twitter or Andrew at GreyNoise.
And you're at greynoise.io like everyone else?
Yeah, still going strong on that.
We do own the .ai domain,
and I guarantee you we're going to start using it
at some point in the future, but not yet.
Not yet.
Yeah, so you can get in touch with him
and get yourself one of those software-based sensors. Andrew Morris, that's all we
got time for. Great to chat to you as always, and look forward to doing it again. Always a pleasure,
Patrick. Thank you so much, sir. That was Risky Business sponsor and all-around legend Andrew
Morris from GreyNoise there with a chat about dynamic IPs in a world where you're trying to track bad stuff and do other stuff good too.
And that is it for this week's show.
Until next time, I've been Patrick Gray.
Thanks for listening.