Risky Business #760 – Microsoft to make MFA mandatory

Episode Date: August 21, 2024

On this week's show, Patrick Gray and Adam Boileau discuss the week's security news, including:

Microsoft did a good thing! Soon all Azure admins will require MFA...
The three billion row National Public Data breach mess, courtesy Florida Man
US govt confirms that it was Iran that hacked the Trump campaign
Is TP-Link the next Huawei, or just not very good at computers?
Major Chinese RFID card maker has hardcoded backdoors
And much, much more.

This week's episode is sponsored by SpecterOps, makers of BloodHound Enterprise. VP of Products Justin Kohler joins to talk about how they've joined their on-prem AD and cloud Entra attack path graphs, so you can map out that juicy, real-world attack surface.

Show notes

Announcing mandatory multi-factor authentication for Azure sign-in | Microsoft Azure Blog
phishing resistant mfa - Google Search
Microsoft will require MFA for all Azure users
NationalPublicData.com Hack Exposes a Nation's Data – Krebs on Security
National Public Data Published Its Own Passwords – Krebs on Security
Bloomberg Law
How the government's proposed 'Trust Exchange' digital ID scheme would work - ABC News
German Cyber Agency Wants Changes in Microsoft, CrowdStrike Products After Tech Outage - WSJ
Joint ODNI, FBI, and CISA Statement on Iranian Election Influence Efforts — FBI
Crypto firm says hacker locked all employees out of Google products for four days
ZachXBT on X: "Seven hours ago a suspicious transfer was made from a potential victim for 4064 BTC ($238M)" / X
Bitcoin News Today: $238 Million Bitcoin Heist Linked to Genesis Global Trading
Routers from China-based TP-Link a national security threat, US lawmakers claim
Hardware backdoors found in Chinese smart cards
Unmasking Styx Stealer: How a Hacker's Slip Led to an Intelligence Treasure Trove - Check Point Research
Man who hacked Hawaii state registry to forge his own death certificate sentenced to 81 months

Transcript
Hi everyone and welcome to another edition of the Risky Business Podcast. My name is Patrick Gray.
We're going to talk through all of the week's security news with Adam Boileau in just a moment
and then it'll be time for this week's sponsor interview. And this week we're speaking with
Justin Kohler from SpecterOps. SpecterOps, of course, makes BloodHound and BloodHound Enterprise,
which is a tool that you can use to enumerate all of the attack paths in your organization, and then you can start closing them one by one. And now they've joined their graphs, so that you can track attack paths from AD into Entra and back.
So they've had the Entra/Azure product for a while, they've had the AD one, that's the OG product, and now they're working together, and a lot of their customers have been waiting for that, and it's working really well. So Justin will be joining us a little bit later on to talk through
all of that. But first up, Adam, time to get into this week's news, and we're going to start,
uncharacteristically, with some good news, and not just that, good news from Microsoft, which is doubly extra rare these days.
Yes, they are announcing that multi-factor authentication
will be mandatory for admin users of Azure.
If you're going to log into the Azure product set,
then you're going to have to have some manner of phishing-resistant MFA,
they say.
Well, yeah.
Well, more on that in just a moment
because their definition is a little bit funny there.
Yeah, that's bizarre.
But I should say too,
they actually announced this back in May,
but they did it in the most confusing way possible, right?
Like, it even caused us trouble in our newsroom, you know, when we were preparing a bulletin on this for the Risky Business News, like, you know, news broadcast in our other podcast channel.
And the announcement goes: "This July, Azure teams will begin rolling out additional tenant-level security measures to require multi-factor authentication. Establishing this security baseline at the tenant level puts in place additional security..." blah, blah, blah, blah, blah. The reason it was confusing is because people were like, hang on, does this include service accounts? Does this include 365 users? Everyone was super confused.
I mean, even if you scroll, I've included the link from May from Microsoft, even if you scroll to the comments there, the top comment is: "Really all users, no exception? Like service accounts and Azure users? Or all users with guests in Entra tenant? And which MFA authentication methods will be allowed or enforced?" So they kind of botched the comms. And I remember, the reason I remember this so well is because you were editing the news bulletin, and I think at one point you'd added a line into the bulletin which was much more your interpretation of what they'd said instead of what they'd said.
And we had this whole sort of discussion about it.
And because the announcement was so poor, at least now we have clarity.
It looks like what they're doing is if you want to access Azure portal, right?
So the actual Azure portal and like the guts of Azure, now you need MFA.
So it's not 365 users.
It doesn't apply to service accounts,
but it's like, yeah, admin accounts, essentially.
Yeah, I mean, essentially anyone who has business logging
into the Azure portal, which may not be admins
in the literal sense of administrative accounts,
but they're people who are doing Azure business
as opposed to end users
in your IT environment that happens to be on Azure.
But yeah, super unclear.
A little more clear now, which is good.
And obviously the overall plan
of introducing more multi-factor auth,
absolutely a step in the right direction.
And they are working on, so right now it's for, like, interactive end user logins, or admin end users, so people logging into the portal. If you're using command line tools and PowerShell integrations and those kinds of things, they are also going to introduce MFA requirements for those, maybe early next year. So all of this is absolutely, you know, steps in the right direction, and, you know, makes total sense. It's just it really underscores, you know, quite how confusing Microsoft's nomenclature is, like that we don't really understand what they're talking about when they say Azure users.
Well, yeah, I mean, people were freaking out in the education sector because they thought that all of their students would require MFA. And, you know, so like it was, in the end, even back in the bulletin, if you go look for it, or go back to Catalin's newsletter write-up of it, we even wrote, like, if they mean admin accounts, this is pretty spectacularly botched comms, and it's quite funny. And yeah, it turns out that was actually right. So phase one starts in October.
MFA will be required to sign into Azure portal,
Microsoft Entra Admin Center and Intune Admin Center,
which is why I said admins, right?
So it is essentially for human admins.
So this is what they announced for July.
Now they've announced that it's happening in October,
fine, whatever.
Phase two is beginning in early 2025: gradual enforcement of MFA at sign-in for Azure CLI, Azure PowerShell, Azure mobile app and infrastructure as code tools. So, I mean, this is really cool. What's funny is they're saying that, you know, the pillars of their Secure Future Initiative is, like, ensuring 100% of user accounts are protected with securely managed, phishing-resistant multi-factor authentication, and that's what we're doing. And then later in the same blog post, where they say everyone needs to have MFA and that their goal is phishing resistant, they're like, yeah, you can use, you know, FIDO keys, you can use passkeys through the Microsoft Authenticator app, which is really cool, that they support that now, and I think that's fantastic.
But then they also say, oh yeah,
and you know, if you want,
you can use SMS-based MFA,
which is like not phishing resistant, guys.
Not really phishing resistant.
But they have to, right?
Like there is no way that everybody's going to be able
to go and use passkeys.
I mean, although at this point, I sort of feel like with passkey support for the Microsoft Authenticator app, like, I don't quite understand why they're still supporting SMS. But, you know, the Microsoft world is so big, I'm guessing they've done the math and they figured out that they just have to.
Yeah, and I mean there's all sorts of other markets that aren't, you know, Europe or the West, you know, or the US, where, you know, things can be a bit more complicated locally, either in terms of cost or access to devices or whatever else. Or even just, you know, updates can be challenging somewhere just because of, like, the sheer size of Windows updates. Maybe it's difficult to get, you know, Edge or whatever that has modern support. I don't know, whatever excuses, but they've clearly done the research and decided that it's a thing that they are stuck with for a little while.
Because if they could say no SMS, or no voice, like phone call approvals, they probably would, but clearly they can't.
Yeah, I mean, exactly, right? And yeah, I mean, any way you dress it up, it is good news. You know, you love to see it, and it will probably move the needle. Funnily enough, though, if SMS authentication had a slogan, if you were trying to market it, you...
Now let's talk about this National Public Data hack.
Krebs on Security, Brian Krebs, I think he has the best coverage on this.
I think Lily Hay Newman had a better headline though, right?
Because she described this hack as a slow burn.
And it absolutely has been, because we've come across news snippets relating to this hack in dribs and drabs since April, and it's never really hit the threshold for us to quite bother talking about it yet. Because back in April, it was like, yeah, some data broker, you know, some shady data broker on the dark web was shopping around this database that apparently contained, you know, billions of Social Security numbers, and they published some snippets, and we were sort of stuck at the "well, is this real?" phase, or are they pretending. And, you know, just little dribs and drabs of information have come out. Then, you know, I think a couple of weeks ago, someone lodged a class action lawsuit alleging that the company did in fact lose all of this information. And now the thing that's busted it wide open is, some time ago, a short time ago, this entire data set was published to the dark web, and it checks out, it's legit. So Brian's gone and written the whole thing up. He's got two stories up. Both are great, which really look at, like, who this company is.
And that's bizarre enough. Like, who the company is, how they got the data, how they got owned, you know, and how it sort of wound up trickling out. There's some nuance here, like some of the data, a couple of people in the data, like, they're actually deceased, right? So that's good. But the scope of this thing is, like, pretty extraordinary, right? So why don't you just walk us through this one, because it's amazing.
So the story goes that this guy, Salvatore Verini, who seems to have, like, been an actor who has played cops in movies and stuff,
and is also an actual ex-cop of some sort,
runs a company, or a set of companies, that market this data, market, you know, the data and background-checky types of services. And those websites, set of websites and companies, do seem pretty fly-by-night, shonky. Like, for example, they had, until I think, what, like two days ago, if you just asked for /members.zip on one of their sites, it would return a zip with a whole bunch of data, including clear text passwords and details for the site itself as well as users. And then things like the users of the sites all have the same default password, etc., etc.
Anyway, the data set has something like 2.9 billion rows, as reported, something like 270 million unique Social Security numbers, and, as you say, there's a range of ages of the data. And you kind of get the feeling that this data is being kind of cobbled together, you know, sort of once, and then packaged up and resold by this company, you know, in ways that, you know, the US background checking ecosystem is just kind of, you know, anyone can do it. It's weird and fly-by-night and kind of gross. But yeah, you don't really get to see where the data comes from, how it gets arranged, how it gets maintained, all those sorts of things, when you're buying and selling it. So the data set feels a little bit funny. And people, now that it's been exposed, are digging into it and finding out, like, for example, there's a bunch of people who are more than 120 years old, because, you know, the data set is not particularly well maintained. And if anything, it's just kind of a good summary of how weird the US data broker ecosystem is.
Well, anyone can just hang out a shingle and do it, right? Which is the amazing thing. And this, you know, this guy, who is the former actor slash producer slash bounty hunter or whatever the hell he was, you know, like, the fact that he can just go and collect all of this stuff, apparently from public sources too, is just mind-boggling, right? That there's no sort of regulation that means that if you're going to be doing this sort of thing, you need to do it properly. I mean, I suppose the natural defense in the US legal system is that he's probably about to be sued into oblivion, right? So that's, you know, that's hopefully... Well, I mean, I think those sort of lawsuits in the United States sort of take the place of certain types of regulation that we have in other countries, right? Like, it's just a natural part of how their system works. But you read about this guy, yeah, Florida Man, I call him, because he's a Floridian. And it's just, the whole thing is just bizarre.
Like, you know, how did this guy manage to pull all this together
and then just do such a bad job of hosting it?
It's mind-boggling.
But yeah, you know, as you point out, like it could be, you know,
social security numbers and various personal details
on the majority of the US population, which is just staggering.
Yeah, it's pretty wild.
And I imagine he is going to get sued into oblivion.
But yeah, it's just, you know,
how many operations are there like this, right?
And this one's particularly egregious, I suppose.
But I think Krebs talked to some of the people
who've been involved in the underground scene where the data was being posted. And even the guy that posted it back in April said that he wasn't the person that actually originally got it. It had been kicking around for a while. Like, this is pretty normal, every day on the dark web, the scary underground dark webs. And, you know, short of an overhaul of US privacy legislation and data handling, like, this is just how it's going to be.
Yeah, I mean, it kind of reminds me, that part where they were talking about how it was kicking around did remind me of the Hell Pizza thing, which is a story I've told on the show a couple of times. But, like, a long, long time ago, back in the day, there was a really popular pizza chain in the United, sorry, in New Zealand, called Hell Pizza. And, you know, like, pretty much everyone in New Zealand has ordered from Hell Pizza at one time or another.
Pizza, yeah.
So the way that you would do that is you would do online ordering, and it was through some horrible Flash front end, and there was no, like, input sanitization. So if you just put a database query in it, essentially it'd just, you know, crap out the entire database.
The Flash app talked to, like, SQLGateway.jsp, and then had an argument, query, and you just put SQL queries in it. Is what I heard, yeah.
So is what you heard, yeah, right, buddy.
So, and that's the thing, right, is that that database, because everybody created accounts for that database, that database wound up being passed around among a lot of pen testers and red teamers in New Zealand, right?
Because if they needed the password for some corporate account, they would just look up their Hell Pizza account and then they would be able to use that.
But unfortunately, criminals were also doing this as well.
And of course, the security consultants had tried reporting this to the company and they just got blown off. So eventually, a few people asked me, they're like, Patrick, can you please, you know, go in there and say, I'm a journalist writing a story about that? Like, they've got to close this up, because it's a real liability. And of course, I went to them and wrote it up as a story, which turned into, like, an absolute media circus in New Zealand. And I think the owners of the company at one point were accusing me of colluding with, like, a former business partner of theirs, because they were going through some sort of acquisition, and it turned into a whole thing. But yes, that's the Hell Pizza story. And, you know, sometimes these just gigantic data sets, I mean, in this case, it came from public records. In other cases, it can come from a pizza store, right? Like, it's just, this stuff just winds up everywhere, which leads me...
Oh, go on, you've got something there?
That's because if I may, there was one beautiful gem that I really loved about that Hell Pizza story,
which is when someone asked the guy
if the data had been stolen, he said, no, it's still there.
Yeah, I love it.
I love it.
Funnily enough, though, once they'd figured out
that I actually was a journalist and not some operative
like working for the partner they were having a problem with,
I wound up having a very friendly chat at the end of it all
with one of the owners, and they said, funnily enough,
it actually turned out to be really good for their business
because Hell Pizza was being talked about on the news 24-7
and it got everyone thinking,
gee, I could go for one of those pizzas right now.
So apparently it was like their best sales week ever,
which is, I guess, explains a lot of things about our industry.
Yeah, so good.
Now, this actually dovetails nicely with a story out of Australia, and I don't want to spend too long on this because our colleague Tom Uren is currently investigating this as we speak, and I'll talk to him about this tomorrow on our Seriously Risky Business podcast in our other podcast feed. But the Australian government is actually spinning up an identity service called Trust Exchange, and the reason I think this is worth mentioning in today's show is because it's really designed, the thinking behind this seems quite solid, which is it's designed for people to be able to attest to their identity to whoever without actually having to hand over their information. So it is a proper identity service. The devil is going to be in the details. I'm sure the implementation will be horrid. The last time they tried to do something similar was the Centrelink card, and the crypto, it was a smart card that was going to go to anyone who interacted with the welfare agency Centrelink, which a lot of middle class people in Australia do as well, because there's various, um, child care rebates and whatever. So, you know, 95% of Australians were going to get one of these cards, but the crypto was a mess. I remember researchers looking at it, and it was horrible. But, you know, they're having another crack at this idea. And I just
think in this day and age, either governments or banks or, you know, these large institutions need to develop services that are going to allow people to attest to their identity without handing over all of their information, so that we can avoid some of these catastrophes, right? Like, we need robust identity eventually. If you build a system like this and it's working, eventually you can, you know, plumb these through to IdPs and whatever and actually get good online identity attestation. So I think it's good to see the government making steps here. I'm sure there's going to be mistakes, but, you know, we have to get there eventually, right?
Yeah, yeah, I agree. I mean, the best data is data you don't have, right? If you don't need to keep it, you don't need to, you know, store that data, then it can't be stolen from you, and that's a great place to be as a business. But sometimes you have requirements for, you know, validating age, for example, where, you know, now what are you going to do, store everybody's, you know, driver's licenses or whatever other documents they provide? Like, if there's a way to do this that doesn't involve having to store it, but that is trustable and attestable, and that the, you know, companies and organizations relying on it can say, hey, we are doing this, we're meeting our obligations, and we're doing so in a way that doesn't store that data, then great. And government and some other, you know, things like banks or whatever else are in a great place to be able to do that. But the devil is in the details, and governments are not known for, you know, smooth, well-thought-out IT projects. So, you know, I think, you know, several governments around the world have tried things like the, you know, Estonian national smart card, you know, identity system, you know, is an example that has been held up in the past. But there is a lot of details. And I think, you know, it's the natural path forward. It's just finding the right way, a good implementation that balances all of the, you know, equities involved in different groups and so on.
Well, I think the federal government here is sort of well situated to do something like this. I think if something similar were proposed in the United States, it might lead to a revolution, because the idea of the federal government being responsible for your identity wouldn't work. But perhaps, um, you know, banks or, you know, similar sort of institutions that touch a lot of people, everyone sort of has a bank account, right? Or most people have bank accounts, so being able to enrol...
Telcos kind of fell into that role, you know, as mobile phones became a way of authenticating your identity. So, you know, there are some examples of this happening in the private sector that are not perfect.
Well, they did a great job, didn't they, telcos? Wow, Adam, good example.
But it's, you know, it's better than nothing.
Yeah, much like SMS authentication. So, yeah, I mean, I don't think it'll happen in the telco space, to be honest. But I would think more, yeah, banks, post office, I don't know, post office is a national institution. Anyway, let's see where it goes. But the point is, if you want to run a society where it's not a disaster if this sort of data leaks, this is the sort of project you're looking at, right?
So now I'm moving on to some more technical news, and Germany's sort of peak cyber agency
wants changes to what Microsoft allows security vendors to do in the kernel. Of course, this comes after the CrowdStrike disaster. I think we're going to start seeing people float ideas for what Microsoft needs to do here, and that's going to be a very complicated discussion. What do you think?
Yeah, I mean, any time that regulators or governments or, you know, kind of outside groups start meddling with technical design issues, like what belongs in the kernel, how should that access work, how should it be verified, how does, you know, driver signing work, how do, you know, Windows Hardware Quality Labs processes work, all those things, you know, are a mix of policy goals and technical implementation details. And, you know, there is a lot of trade-off in thinking there. And, you know, in some cases, like, you know, we never really thought that this would become a political issue. You know, how long ago did we settle on, you know, monolithic kernel plus userland as the kind of architecture, versus microkernels or whatever other kind of academic options? So any time people get involved in those things from the outside, it can be a mess. That said, right, the CrowdStrike debacle, you can see why, you know, a place like the European Union would think, well, maybe this is a thing we should stick our oar into. But it's particularly funny in the EU, because there is existing EU regulation that requires Microsoft to open access to the kernel for security vendors and whatever else.
Well, slow your roll there, because that's not... I, there was an EU sort of agreement between the EU and Microsoft, which people have said quite often, um, means that they can't kick people out of the kernel. But I don't believe that the kernel access is actually mentioned in the agreement. It's much more about having the same level of access for Defender as for other things. So it's much more around competition. It's kind of agnostic when it comes to the kernel. But yeah, this obviously touches issues around competition. You can't get into a situation where Microsoft's own security tooling has preferential access to Windows, because that puts us in a bad place. I also don't think that they should move to an API-based model like macOS has, because you sort of stifle innovation at that point. Like, being able to actually do things in the kernel and experiment in the kernel drives a lot of innovation. People think of new ideas, and that's the place they're going to get applied. And if you lock that out completely, you are locking out the innovation. Now, should people be running the bulk of their product in kernel mode? I think that's a, you know, there's some questions that could be asked around there. Now, as much as it's, you know, European cyber agencies looking into this, we might look at that and go, well,
you know, are they really the best people to do this? There are some very smart people thinking
about this at the moment. One of them, I won't say who it is, because I didn't ask them if I could,
but I've spoken to them. They're one of the world's foremost experts on Windows kernel security
and Windows internals.
And they're working with a couple of others on coming up with some ideas about how you would actually have a sensible regime that would sort of scope what sort of access is appropriate here and what changes Microsoft might be able to make that would enable a lot of these security players to actually get out of the kernel.
Because if there are places where they can move out, generally speaking, they do it.
So I think there's a lot of work to be done here.
And I'm actually surprised by Microsoft's reaction, which has actually been quite nuanced
and sensible.
And statements like these from various regulators and agencies where they're like, this is something
that we need to improve.
Instead of, blah, we need to kick everyone out of the kernel or, you know, blah, we need to do this or blah,
we need to do that. Everybody's saying we need to think about this. And I think really like what,
what better reaction could you expect? Like what, what, what could you hope for? You know, this is,
this is great. Yeah. Yeah. No, I agree. Like we need to think about it and think about it. We
shall. And I think, you know, you make a good point that given an option to implement their products not in kernel space,
most vendors would prefer to not have this responsibility.
Like they would prefer to be in a place where their screwing up doesn't ground all the planes in the world.
You know, that's not what you want.
So if you give them viable options, they will use them for their own reason,
you know, for their own benefit.
It's not just, you know,
because it improves the ecosystem as a whole.
So, you know, it's a natural place for industry
and big vendors like Microsoft to work together,
coordinate, figure out how they could do it
and onwards from there, you know,
what value regulators have in that conversation,
I guess is, you know, kind of up for debate.
Well, I mean, I think the fact that they are just indicating
that they're paying attention is positive, actually,
because it is a little bit of a motivator for Microsoft
to want to solve this problem.
So, you know, in this case, I think it's nice to see
some govies piping up, actually.
Big Regulation Pat.
Yeah, that's who you are.
I'm not saying that.
I don't know if I'd support them regulating,
but, you know, at least piping up, that's a good thing.
Agreed. Very agreed.
All right.
Speaking of govies piping up,
we've got a statement here from the ODNI, FBI and CISA
confirming that Iran was responsible for the hack and presumably the leak
out of Donald Trump's campaign. Of course, these actors also targeted the Harris campaign.
So, you know, we've got some confirmation there. I don't think it was really ever in doubt.
You know, Chris Krebs, who was, of course, the first director of CISA, he was all over Twitter
immediately saying, I have it on good authority that this was Iran
and that the Trump campaign is telling the truth.
There were a lot of people out there who really disliked Trump
who were saying, yeah, they're making it up as if this was Iran,
that sort of thing.
But no, it was, odds were always on that it was them.
And now we've got at least, you know,
at least the deep state has weighed in here, Adam,
to throw its support behind this attribution.
Yeah, it's good to see some confirmation
so we can all kind of integrate this knowledge
into our understanding and move on with life.
But you're right, the US election cycle is just such a show.
Yeah, it sure is.
We're sitting here watching and, yeah, popcorn.
And if anyone's interested in a discussion that I had with Chris Krebs and Alex Stamos all about that hack and leak and, um, election interference generally this cycle and how it's different to 2016, we discussed that in the most recent episode of Wide World of Cyber, which you can find on our YouTube channel or in our podcast feed. Moving on, and we've got a great story here from Jonathan Greig over at The Record.
And some cryptocurrency company,
an attacker managed to get access
to like their workspace admin page
and just change all their passwords, lock them out.
And then they don't really appear to have much insight
into what the attackers did after that,
which is, like, I would be feeling quite uncomfortable about that if I were them.
Yeah, it's been quite a mess. This company is in the crypto space, so you would imagine they would lose a bunch of money in the process. But they don't seem to be saying that this resulted in large-scale theft of crypto, which presumably was the reason for going in in the first place. They've sold something like half a billion dollars' worth of Unicoins, but they're not saying that it's all gone. And we haven't seen anyone from the blockchain intelligence companies saying that they've seen it. But mostly I put this one in the run sheet this week because I just wanted everyone to imagine what that's like, having your entire G Suite life of your company, you're just showing up one morning and computer says no.
Yeah.
And admin can't log in, users can't log in, entirely dead in the water, and then you've got to try and convince Google to do something about it, which, again, like, that'll be a fun phone call, I guess.
Well, I mean, they were locked out for four days, and I was thinking, how? Like, you know, something went wrong there, right?

Yeah, we don't really know. And then the extra cherry on top of the story is when they started to restore this stuff, they went looking to try and figure out what was going on. As you said, they don't really have any clear idea of what happened whilst the attackers were in, but they did find that one of their employees, like a contractor, had forged identity, and there was some other, you know, kind of weird issues with some of their staff. So they found other stuff when they looked, but, you know, that must have been a crazy day at the office.
I think the US authorities are going to be able to get on top of this North Korea contractor problem, actually, and I think they've found the vulnerable link in the chain, which are these basements full of laptops using RDP or whatever, right?

Yeah.

So, I mean, really all it takes is for a company to say, we've just discovered that this contractor is probably a North Korean. And then they just need to trace back their access to the basement farm, get the basement laptop farm, get a warrant. Then they roll in there and find out that there's 50 laptops all being RDP controlled by North Koreans and shut them down. And I think that's going to be a pretty efficient sort of enforcement action. And I just wonder, you know, it's really going to be up to people to report this type of activity, but I was just thinking about that and I'm like, as long as people are reporting, like, for every report you get, you're going to find one of these farms and take out, like, 50 fake contractors, right? So it's sort of like an enforcement action that scales, know what I mean?

Yeah, yeah. Like, it's definitely, there is actionable stuff, like, when you get reports of these, you know, pretty much one-to-one, because there's going to be a laptop somewhere, there's going to be, like, someone's looking after it, farming it, etc. Whereas, you know, compared to regular crypto theft, like, it's not clear when you report to the feds, you know, that your crypto has been nicked what they're going to do about it. Whereas this, there is just a clear path to some enforcement action, some response.

I gotta say, the crypto people that I know who work for crypto exchanges, like, I know people who are not into cryptocurrency at all, but they work at crypto exchanges just because, like, they want an extreme job, right? They want to do real system of extreme sports. I mean, they're in there hand to hand with, like, some of the world's best attackers using TTPs that, like, aren't documented, and, you know, they've got the authority to build all sorts of controls and detections, and they love their jobs, right? Like, even though they think the companies they work for are kind of dumb, they just get to go up against real attackers and get to build real defenses, and they just, you know, they love full combat cyber, right? Like, where else do you get that?

Yeah, yeah, exactly. If that's what you're into, it's definitely the place to do it.
And speaking of, we first saw this, it was a tweet from ZachXBT, who's a blockchain researcher who watches the blockchain for unusual stuff happening. And it looked like, yeah, potential victim. Looks like sort of since mostly confirmed. Someone got 4,064 Bitcoin stolen from him, which is market value of about 238 million US dollars. You know, I excitedly popped this into Slack going, you know, holy crap, look at this, and I think Catalin Cimpanu, our colleague, is like, yeah, that's like the third biggest this year, which is just amazing, right?

Yeah. So someone pinched this cash, I think, from Genesis Market or something, and then they've scattered this, you know, they've tried to launder this stuff. Unfortunately for them, though, like, this stuff is always going to be tainted and linked to a theft. So what happens to these Bitcoins from here, I don't even know.

Yeah, I saw the, I think SlowMist made a graph showing how the Bitcoins are going to move through the various blockchains as they were laundered. And, like, you read about numbers like that, you think, like, you know, stealing 200 million dollars in a single heist, like, that would be the heist of a career if you're a physical bank robber. But then you've got to fence it and, you know, get on with your life. It must be really galling to be sitting on $200 million worth of Bitcoin and actually getting it out and using it for whatever you want to do, and it's just pretty difficult, and you're always going to be looking over your shoulder. Doesn't sound like fun to me.

No, and I should clarify, too. I said Genesis Market by accident, which was a dark web crime forum. This is, of course, the completely legitimate Genesis Global Trading.

So it's got Global and it's definitely legitimate.

Yeah, but it is funny, and you wonder, like, what's the clock like? Is this like the bank robber who's in prison who buried their stash, you know what I mean, and one day they're gonna go dig it up? Or, like, how does that all work? I don't know. It would be frustrating.

Now let's talk about China tech supply chains here, and a couple of pieces we got which sort of speak to the distrust around, you know, Chinese manufactured technology. And in both of these cases it sort of comes down to, are these deliberate backdoors or is this just crappy engineering, basically, right? So the first one we're going to talk about is TP-Link. So a couple of Congresspeople in the United States are asking the Commerce Department to investigate TP-Link, investigate the risks posed by TP-Link. James Reddick wrote this one up for The Record. And, okay, sure, they're like, there's a lot of bugs in TP-Link stuff, and Volt Typhoon are known to use networks of routers and whatever, home routers, to stage various attacks. So I don't know what they're thinking here. I mean, maybe they're thinking that the government is asking TP-Link not to patch stuff so that they get easier access, or maybe they're thinking, well, these things are just really vulnerable and we, you know, need to look at regulating the use of them. But, I mean, mostly what I'm catching here is just, like, a couple of Congresspeople saying, well, this is Chinese, so it's sinister. Was that your vibe here as well?

Yeah, I mean, TP-Link's devices in general are, you know, pretty standard issue, you know, get the job done, not always super quality, not super well supported over time, but, you know, it's just kind of normal consumer electronics stuff. And, you know, we've seen some bugs in their web interfaces. And, you know, I think there was a Universal Plug and Play bug that they had a while ago. But it's just, you know, it feels like normal TP-Linking, like normal vendory stuff. So Catalin wrote this up in this week's Risky Business News. And I was editing it and I had, like, mentally, I had some, you know, mental thing that TP-Link was Singaporean, not Chinese. And so I went and googled, you know, headquarters in Singapore and blah blah blah. And then we went looking, and as you pointed out, like, they've been Singaporean for two years. They're now currently, like, headquartered in California and Singapore, and the Chinese TP-Link is a totally separate company and not at all related, they said. Nothing to see here.
I mean, it is interesting that they announced, you know, a few years ago, they announced this intention to restructure their operations. And it just reminded me of Group-IB, which was a Russian, you know, threat intel company. I think one of their, you know, founders or whatever is in prison in Russia or whatever. But one of the, you know, they moved their company to Singapore. I believe they did actually, you know, quite a few of their people did actually go to Singapore. But it's sort of like saying, yeah, we're a Singaporean company, we have nothing to do with Russia. And they were really pushing that a few years ago when they did it. And this is the same sort of thing. It's like, Chinese? What are you talking about? We're based in Singapore and California. It's like, well, kind of.

Yeah. So, I mean, we don't know if it's going to go, like, full Huawei on them or whether it's just a case of, you know, TP-Link will, you know, maybe improve the amount of patches they release. I don't know. But, like, yeah, this didn't feel like there was, you know, to your intro to this, like, it didn't feel like there was any kind of accusation of backdoors or whatever else. It was just, like, product engineering not super great.
But the other one that is in this pair is a story about Shanghai Fudan Microelectronics, who are a pretty big manufacturer of smart cards and, like, access control systems and so on. And they, so they have a line of smart cards which are based on the NXP MIFARE Classic, which is, you know, an older standard. And a researcher was fuzzing these cards and found some undocumented instructions that they were responding to. And then, with a bit of extra work, turns out that there is a hard-coded backdoor key that you can use to, you know, read out the contents of these cards and effectively clone them. And this backdoor has been there for, you know, a couple of, maybe like a decade, 15 years, something like that. And these are widely used in, like, hotel door locks and things like that. And, you know, these feel a little bit more, like, it's hard to tell the difference between engineering backdoor and backdoor backdoor.

What's a debugger?

It doesn't feel good.

What's a debugger and what's a backdoor? It feels like that, right? Like, what is a bit of code that the engineers included because it helped them do engineering stuff and they accidentally shipped it, versus, you know, a PRC-directed backdoor in cards used in the West? But, I mean, I think something that mitigates this as big news is that we haven't really had security expectations around MIFARE cards for quite a while, right?

Yes. Yeah, we're not, MIFARE Classics, no. Like, those have been broken in other ways for a long time. But, I mean, this is, like, trivial, you know, insta-clone these cards, which, you know, if you were a hotel chain would certainly be of concern to you, because there's a difference between, you know, I can clone one card but it takes a bunch of effort and you have to kind of be targeted, versus, you know, trivially just walk up to a lock and open it kind of thing. But, yeah, I don't know. It's hard to say if backdoor or, you know, just bad.

But that's kind of what I'm getting at, right? Like, you just, it's just impossible to tell.
And I think maybe the moral of the story here is don't use crap tech, you know, like, don't use TP-Link for anything important. Don't use these. But then again, I mean, TP-Link stuff isn't really used for anything important, you know, it's mostly home-based stuff. But there's this sort of additive thing, isn't there, when there's millions of them out there on your public networks, like, that can be a problem if someone is controlling them.

Yeah, yeah, exactly. When, you know, it can be hard to tell when something is cheap and crap, you know, like, you know, Cisco bought Linksys, and, you know, Linksys was a big kind of home device manufacturer once upon a time. And now there's a bunch of, like, when you get a Cisco low-end, Cisco edge device, like, is it really a Cisco? Is it just a Linksys in a coat? We don't really know. So, you know, it can be hard to tell where it's a, you know, where it's a legitimate brand or, you know, a legitimate one. And maybe the Cisco Linksys one is a bad example because it's kind of historical now. But, you know, I mean, it's, yeah. If you're buying smart cards from major, you know, they're a big vendor. Like, this would be a reputable, in quotes, in terms of market share, vendor.

They're not a nobody company, is what you're saying, right?

They're not a nobody, right.

Yeah, yeah, yeah. Makes sense.
Now, look, I want to move on to this story. Well, it's Check Point, it's research out of Check Point that is delightful. It is my favorite story of the week. I found it absolutely hilarious, because, so there's this malware called Styx Stealer. They, like, rent it out, the operators of the malware or the developers rent it out to people. It steals browser data, IM sessions for Telegram and Discord, steals cryptocurrency, that sort of stuff, right? So it's, like, crimeware. And I think it reports back, like, the exfiled material into Telegram. And these researchers from Check Point managed to get into one of these Telegram channels, right, which is essentially a C2. And then they noticed a bit of a data dump into that channel that was not like the others, Adam. And that seems like a good place to begin.

So the developer of this particular tool, which is essentially, there's an open source tool called the Phemedrone Stealer, and this is basically just kind of like a rebadged, commercially supported version of this open source tool. So the developer of that had infected his test system, like his development system, whilst working on it. And I'm not sure that's just because he was testing or whatever, and it stole all his data and uploaded it to the channel, which, a little bit awks. And then I think the way this started was that the Check Point researchers were tracking a guy who turned out to be a Nigerian cyber criminal who was using this software. And then they went from the key material used to crypto the data being uploaded to Telegram in this, and then pivoted on that, and back, and found this particular unencrypted, you know, zip that had been uploaded that then outed the developer. And then they looked at the data that was being stolen from the developer's system and found his communications with the Nigerian guy that was using it, and then managed to piece together the identities of all the people involved. The developer turned out to be Turkish. The Nigerian spammer turned out to be a pretty well-known guy. But it's just, you know, it's such a beautiful thing when these people fall victim to their own tools and then it gets used against them by researchers or whatever else. And, you know, Check Point have written it up in excruciatingly delicious detail, and it's well worth a read if you're into this particular type of, you know, schadenfreude.

Yes, this particular developer managed to shoot themselves in the crotch, I think is the best way to describe this. And what I like, too, is they're like, well, here's the Spanish phone number that they used to register the Telegram account, but here's his real number, which is in Turkey. And, like, you know, this person is going to have problems, right? Like, they're probably booking flights right now. 'Cause, yeah, drama is coming.
Now we're going to end with a couple of sort of funnier stories. Well, I suppose this first one isn't that funny, but a guy in New Jersey has been charged with hacking and extorting his employer last year. This guy, Daniel Rhyne, abused his position as core infrastructure engineer to create a secret virtual machine on his company network, and he used the VM to run automated scripts that changed the passwords of employee accounts, deleted backups, and shut down his employer's servers, and then used an email account to demand a $750,000 ransom to be paid, I guess, to make him stop. So Catalin found the court documents there and just did a little write-up in one of our newsletter editions. But this isn't the first time we've seen this, by far. I mean, I think the new thing is, back in the day, when you used to see a disgruntled ex-employee do bad stuff, it wasn't necessarily financially motivated. But these days you're seeing people, what was the one, Brian Krebs got dragged into it. It was some vendor, and the employee was going out there and making claims about the attack. And, like, there was a ransom element to it as well. I mean, this is just something that happens now, right? Where just one of your employees one day just decides to cause havoc and try to shake you down.

Yeah. And I guess in the old days they would cause the business disruption, but there wasn't really a way for them to make profit out of it. And now, you know, you can disrupt the business and there's a chance you'll get a big payday, which, you know, if you're disgruntled with your employer, maybe you feel you're entitled to, or something like that. But they inevitably screw it up, because, you know, the point of a ransomware crew is that you have to build some reputation that you will follow through, delete the data or, you know, provide the keys or whatever it is. And so you have to have some backstory and identity. And these people, of course, are fresh, you know, clean-skin ransomware operators, effectively, and they screw up and end up getting caught because they don't have enough experience of being a ransomware affiliate. Like, it would make more sense to go out and join a ransomware program, or find someone who is, offer up the access, offer to run the tools or whatever to deploy it, have them do the ransomware for you and then take a cut. Like, that would be a much smarter way to do this. But these are generally people making emotional choices, not rational ones.

This guy hardly seems like a master cyber criminal, right? Because, first of all, it wasn't actually ransomware. It was just, they were causing chaos from this VM that they spun up in the environment. So of course the FBI turned up, looked at the VM and traced it back to his laptop. You know, like, it wasn't... Ah, anyway.

Lost the mind.

And, you know, he spun up a new email account to email the threat and, you know, I'm guessing there might have been some evidence there as well. So, yeah, certainly not, you know, sort of, like, I'd call it Dread Pirate Roberts syndrome, right? Where you think your opsec is up here, but actually it's down here.
Look, it's f'd. Here, in the same vein, this guy, a Kentucky man, has just been sentenced to 81 months in prison, so nearly seven years. And among the things that put him there was he used a stolen credential to access a government system in Hawaii, the Hawaii death registry system, to basically fake his own death so he could get out of paying, like, a hundred grand in child support, which is just, like, first of all, a really scummy crime. And second of all, just really dumb. Like, are you going to declare yourself legally dead for a hundred grand? You know, it's kind of hard to live your life when you are legally dead. You know, it's not easy to get a loan. It's not easy to get a driver's license when you were dead. I mean, maybe this person was a master of using stolen identities or whatever, but if that were the case, why would they need to declare the death? I don't know. The whole thing is just so bizarre. He's in prison. Sounds like his children will be much better off with him there. And what a weird one. James Reddick again at The Record, this one.

Yeah, not a well thought through set of crimes. And, I mean, yeah, probably everybody has got what they deserve in the situation. And, yeah, I mean, I feel bad for the kids, but also, as you say, maybe better off. I mean, someone doing this to get out of $100,000 in parking tickets, you're sort of sitting there thinking, ha, nice try, buddy, you know. But to get out of child support, you're just like, no, man, you go to prison.

Yeah, yeah, yeah. You go to prison.

Yeah, exactly. Exactly.

All right, mate. Well, that is it for this week's news segment. Thanks so much for joining me to chat about it all, as usual, and we'll do it all again next week.

Yeah, thanks so much, Pat.
I will see you then.

All right, so it is time for this week's sponsor interview now with Justin Kohler of SpecterOps. SpecterOps, of course, makes BloodHound Enterprise, which you can use to enumerate all of the attack paths through your directory. They've been doing this for Active Directory for a very long time. They've been doing it for Azure, Entra, for a shorter time. But what they've just announced is that they can now track attack paths, or enumerate attack paths, from Entra down into AD, or vice versa, right? So you can actually start following a lot of these attack paths through hybrid environments. Now, there are so many hybrid environments out there, you know, unless you're a very new business, you're unlikely to be completely cloud only. And unless you're a really backwards business, it's unlikely that you don't at least use something like Office 365 or M365. So, you know, this has been a requirement for their customers for a long time, and they finally shipped it. So Justin joined me to talk about that, and here he is.
Since the beginning, when we launched BloodHound, it started with Active Directory. So we modeled paths within Active Directory. And then some years ago, I think in 2022, we added coverage for Azure. But since then, they've always been two distinct databases. So on our end, you couldn't look at an attack path from one to the other, even though we know there are ways to cross from Active Directory to Azure. There's a bunch of reasons why we didn't do that. A lot of it is complexity, and handling that size of graph on our end was a challenge. But I'm happy to let everybody know that we released support for that in BloodHound Enterprise and Community Edition just a couple weeks ago. So now you can traverse attack paths from Active Directory to Azure and back down again. This is our first iteration of a hybrid attack path. So we know of multiple between Active Directory and Azure, and we are tracking multiple between, let's say, Azure and other platforms. But this is our first and kind of main request from the bulk of our user base and our customers.

Well, I mean, that makes sense, because for any enterprise that didn't start yesterday, they're running a hybrid directory, right? Like, almost all of them, they're traditionally an AD environment and they've gone up to O365 or whatever, which magically makes them sort of Entra ID or Azure users, right? I'm guessing that's the rationale here, that you needed to do this.

Absolutely. And I think everybody recognized that Azure had a bunch of security enhancements above Active Directory, but we also knew that it was connected to Active Directory. So you kind of, while you have some enhancements, you also have all of the legacy problems of Active Directory if you're connected. So we were connecting them through user syncing, so with password writeback. And there's a whole bunch of best practice delivered by Microsoft in terms of you shouldn't sync privileged roles. But since enabling this a couple of weeks ago, we've already found a bunch of paths crossing that plane. Beginning with the most horrific example, where you're syncing a user that's a Global Administrator down to, just like Microsoft gives guidance in terms of best practice for not syncing any privileged role, but a lot of administrators would be like, well, why? Okay, I get it for Global Admin, but why this role? And it's because they open up paths back down to their legacy environment. And we can see that any path into Azure, in most customer environments, eventually will terminate into a Global Admin. So we've seen a couple of those. The interesting thing is we're seeing ADCS attack paths that take over the Active Directory environment. And then that gives you power over synced users, and then that synced user will give you power over the Azure tenant. I think the most interesting one to us so far is we found an attack path across three different domain trusts, up to Azure, down to a different domain, so fourth domain, and then up to Azure again for Global Administrator. So they can be really short. They can be really long and complicated. But the end result is, I think the fear that a lot of people had about a hybrid environment, we can actually start to articulate why they have that.
You can draw them a picture now, which is great. But, I mean, I think also, like, when you talk to people about directory tools, a lot of people fell into the trap of thinking, well, Microsoft fixed that with, you know, Entra, right? Like, AD is horrible, so Microsoft's fixed that. And, you know, they have, as you say, they've taken away some of the foot guns. But I think what a lot of people don't realize is that directories, like, it doesn't matter what tech stack you're running a directory on, directories are just inherently complicated. Like, once they get over a certain size, the fact that you've got permissions and privileges that allow you to do things in an environment, whether that's extract information or do some damage or provision users or whatever it is, it's just inherently going to touch security. There's inherently going to be misconfigurations. There's inherently going to be attack paths. And it doesn't matter whether it's on-prem or whether it's cloud, or how much of a good job your directory provider has done in trying to take away those foot guns. Like, fundamentally, there's always going to be security issues with any directory.

Yeah, I think any one of us could hold maybe 10 people's permissions in their head and probably work out where those might cross, but there's more than 10 people in most organizations today. And, like, trying to figure that out is just a normal complex. And what I think most people's frustration today is in Azure, and I'm not blaming Microsoft here, it's, things change for good reason, right? But, like, things change and have cascading effects that you didn't really understand, maybe either, like, when you put the permission in place, or because of that change, how is that permission rolled out? So yes, it will cross security. And I think where we differentiate a little bit here is we're going kind of beyond a stereotypical just, like, access graph. Like, this user has access to do this thing. And putting, like, more of the adversarial, like, this access can turn into subsequent access. So, like, we call that the adversary view of the environment.
Well, I'm guessing this is already proving very popular. Like, I know it's been a very short time, but I'm guessing this is already, like, a smash hit, right? With the sort of customers that you sell to.

Absolutely. Like, our customers have been waiting for this for a long time, and they're all really excited when we started showing them, like, the research that we were doing and some, 'cause, like, we researched this in customer environments to see how widespread this issue would be. And it was in most. When we lit the feature up, then everybody was really excited to go test it out and find those boundaries that have been crossed.

So just to inject some levity here, one of my favorite stories, and sorry to cut you off, but one of my favorite stories about Entra ID, like, a misconfiguration, not a subtle attack path sort of thing, but I know someone who was privy to an incident response gig where they discovered through the IR gig, and this wasn't relevant to the particular incident they were responding to, but they discovered that every single user in the org had Intune admin privileges, right? Via Entra. It's just insane. So I'm guessing, you know, I mean, that's an obvious misconfiguration that you're going to find with all sorts of tools, but I'm guessing, yeah, the stuff that you're going to find with yours is, yeah, going to be much more subtle and not something that you can easily enumerate just with a basic config checker.

No, it's not, like, direct admin access, like, I can see that Bob owns this, or, you know, every user has that Intune administrator role. It's more the subtle, I guess, roles that can be used to reset the privileges of some other role that is running as an application. And then it just traverses a longer path. I think that's why people use BloodHound, is because we just go further in depth in terms of what can you grant yourself access to, not what you have access to now.
Years ago, we used to talk about, like, assume breach mentality. And if you are operating under that assume breach, I think most people say, like, okay, in the past we would detect, where we would catch you after that. That's great, but detections will fail. If you're going to operate under an assume breach, you have to understand how the adversary views your environment and what paths they have available. Because the assumed breach was, like, let's get beyond the perimeter defenses. Now let's talk about what the inside of your organization looks like and how we would take it over.

Now, it's not just connecting on-prem AD to Azure. You're doing a lot of work to extend the graph out into all sorts of places. I think you've been doing some work, and I don't know how much this is public, but you've been doing some work around GitHub Enterprise, right?

Yeah. So our research team is busy at work in multiple locations. So for those that have been following us for years, our first iteration into Azure was actually in 2018, but it took us until 2022 to add Azure. Now, we're not going to be that long, I'm just going to throw that out there. We were a much smaller organization back then. But we like to build up a corpus of research and make sure that we know what we're talking about before we extend the graph. Our team has been researching. GitHub certainly won. We did a post-breach analysis of the Snowflake incident recently. And we're also, we just released at Black Hat Project Apeman, which is attack paths into AWS. So this kind of concept and the fundamental approach to managing attack paths internally is gonna extend beyond Active Directory and Azure. That just happens to be the backbone of most folks' identities today.
It's interesting when you talk about extending the graph out to all of these different places and finding all of the different places where sort of privileges and identities and that whole mix, and attack paths through them. I think it's even, you know, it's just wild when you start thinking about the combinations, the permutations and the paths that you get once you grow it to that level.
And at that point, you know, I think one of the things people have been using you for traditionally in Active Directory is more they'll fire up Bloodhound every month or two, try to find if there's some sort of problem and deal with it. But I'm guessing once you've expanded it out to all of that,
it's going to be a much more sort of live view, I'm guessing, right?
Like, do you foresee that once you've really started
plugging all of this together,
that it's going to be a lot more chatty, Bloodhound?
Like, it's going to be, Bloodhound Enterprise is going to be
more something that is constantly giving you
an updated view of what's going on. And like, there's going to be Bloodhound Enterprise is going to be more something that is constantly giving you a updated view of what's going on and like there's going to be also
interesting ways for people to sort of use that for enrichment and you know plug it into operations
I'm guessing that's kind of where you're going with this, right?

Yeah, like, people already use Bloodhound Enterprise in a continuous fashion, and people are enriching their alerts too. Like, you know, we have data across every object in their graph, so, you know, if you get an alert from a different system, we can tell you if that object is connected to something and, like, if it could reach Tier Zero and kind of take over the environment.

The interesting thing, though, is there's an identity alert over here and you should take it seriously because of this reason, I'm guessing as well.

Yeah, you might not know, like, Jane isn't a domain admin or a global administrator, but Jane connects to that, and that might not be obvious by just checking the directory listing, right? But we know that Andy did some research a while back about how he took over an Azure tenant through a GitHub, like, through a GitHub Action. So, I mean, that's going to be where the alert, like the continuous monitoring, really kicks in.

You can't just mention that and move on. Like, walk me through how that worked.

So there was a GitHub Action that was feeding a service principal in Azure, and that Azure service principal eventually connected up, like, you know, through applications. I can't remember exactly the makeup of the attack path; it was a year and a half ago at Way West Hackin' Fest. But that was pretty interesting, and that, I think, is what we get really nervous about. You know, if you think about the old days where you had to be an administrator to put a domain trust in, your developers can authorize or authenticate a GitHub Action to run as a service principal in your tenant. So now you've just handed off the authentication to a different platform altogether. And you're basically just trusting that they're operating as who they say they are. And that just gets me.

Yeah, I mean, this is the way the kids are going to roll, right? Like, I mean, the most fascinating thing that I think I've seen in the last, you know, five, ten years was just these Scattered Spider kids and, you know, before them the Lapsus$ people. Like, I love, actually, I really appreciate, I know that sounds like a weird way to put it, but I really appreciate the way the kids are hacking these days, because, you know, it's very creative. It's not stuff from our era, right? Like, this is new TTPs, and a lot of it involves exploiting identities and identity sprawl and privilege sprawl and all of that, right? So I think it's interesting that you're building a technology that to a degree is going to deal with, um, you know, the attacks of tomorrow, right?

Yeah, I mean, I'll give you a different example: the, you know, the ESXi vulnerability that just got disclosed, where you could just call yourself "ESX Admins" group and you just operate as admins. Like, that's another, I mean, that's very obvious, another hybrid attack path where you're crossing Active Directory into ESXi land, and regardless of the permissions there, I mean, we can model that very easily. That was kind of bananas, but, like, that's an actual vulnerability. But I think whenever you're crossing platforms, like, it can be non-obvious to the administrators or the security team that is charged with the security of that platform that there are things outside of their control or their view that is affecting the security of that platform. That's a really complicated way of saying this hybrid visibility is pretty critical.

Well, I should be clear too: when I say the attacks of tomorrow, don't get me wrong, they've already started. It's just that these are going to be the bulk of what we see, I think, in the future. They're going to be, like, you know, 90% of what you're going to see is going to involve, you know, people traversing through systems, crossing boundaries in unexpected ways because of weird privileges and the way various privileges interact across boundaries in unexpected ways, right? So, and that's the tooling you're building.

Yeah, yeah. Another example that we found after lighting up the hybrid attack path was, an attack path started in Active Directory, went into an Azure tenant and then crossed the tenant boundary into another tenant, which we had visibility in both, so we could see it. But that was pretty scary. That's kind of exactly what happened with the SVR, the Russia breach into Microsoft earlier this year.
Yeah, I get my Microsoft breaches mixed up as well.
But yeah, that was a fascinating attack.
And clearly evidence that we need to be paying
a little bit more attention to this stuff than we do.
I feel like for the first time,
we needed this sort of tooling like 10 years ago, right?
And better late than never, I guess.
Justin Kohler, thank you so much for joining me
to talk about how you are now gluing Bloodhound on-prem
with Bloodhound Azure and, you know,
expanding the graph out in all sorts of interesting directions.
A real pleasure to chat to you.
Thank you very much.
Thank you very much.
That was Justin Kohler there from SpecterOps, this week's sponsor. And, yeah, Bloodhound Enterprise, a great product; you should definitely check it out. Bang for buck in terms of just making your environment that little bit more resilient, it's a very worthwhile exercise. And, yeah, that's it for this week's show. I do hope you enjoyed it. I'll be back tomorrow in our other podcast feed talking to Tom Uren for the Seriously Risky Business podcast.
And we'll be back with another weekly show next week.
But until then, I've been Patrick Gray.
Thanks for listening.