Risky Business #763 – Microsoft un-patches critical bug

Episode Date: September 11, 2024

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s security news, including:

- Russia’s disinformation peddlers face multifaceted sternness from the DoJ
- Telegram is now law enforcement’s bestest new pal, all of a sudden
- Iran’s banking industry arranges a payment plan for a ransom
- Colombia investigates how it sent private jets full of cash to pay for Pegasus
- Microsoft innovates with Un-Patch Tuesday
- And much, much more.

This week’s sponsor is Kroll Cyber, and one of their incident responders, Paul Wells, joins to discuss that one weird trick that actually helps: preparing for an incident beforehand, rather than learning all those hard lessons in the middle of a crisis.

This week’s episode is also available on Youtube.

Show notes

- Risky Biz News: Doppelganger gets a kick in the butt from Uncle Sam
- Russia focusing on American social media stars to covertly influence voters | Reuters
- Russian pro-democracy nonprofit investigates alleged data breach by Kremlin-backed hackers
- Biden administration hits Russia with sanctions over efforts to manipulate U.S. opinion ahead of the election
- US hits Chinese companies with new sanctions over Russia-Ukraine war
- Elon Musk’s Starlink backtracks to comply with Brazil’s ban on X | Elon Musk | The Guardian
- Why It's So Hard to Fully Block X in Brazil | WIRED
- Durov says Telegram will tackle criticism of how it moderates content | Reuters
- Navalny allies accuse Telegram and other platforms of censorship | Economy News | Al Jazeera
- How India tamed Twitter and set a global standard for online censorship - The Washington Post
- 2 white supremacists tried to spark race war by soliciting murder and hate crimes on Telegram, feds say
- Matthew Garrett: "Why clone a yubikey when you c…" - Nondeterministic Computer
- Iran pays millions in ransom to end massive cyberattack on banks, officials say – POLITICO
- Four Delaware men charged in international sextortion scheme that netted nearly $2 million | CyberScoop
- Colombian president suggests prior administration illegally sent $11 million in cash to Israel for spyware
- Poland’s constitutional court finds commission investigating use of Pegasus spyware unconstitutional | Notes From Poland
- CISA says SonicWall bug being exploited as experts warn of ransomware gang use
- SonicWall SSLVPN access control flaw is now exploited in attacks
- Bug Left Some Windows PCs Dangerously Unpatched – Krebs on Security

Transcript
Starting point is 00:00:00 Hey everyone and welcome to another edition of Risky Business. My name's Patrick Gray. We'll be talking through the week's news in just a moment with Adam Boileau and then it will be time for this week's sponsor interview with Paul Wells from Kroll Cyber. Kroll runs a huge incident response practice and Paul's joining us to talk about incident response preparedness. There are more and more compliance regimes demanding that organizations have some sort of incident response plan. And yeah, he's going to be joining us to talk about what really should be in those plans and who's standing them up, who's benefiting, who's struggling, so on and so forth. That is coming up later. But first up, it is time to get into the news with Adam Boileau.
Starting point is 00:00:44 And we'll be talking about some more technical news items a little bit later on, like we've got some ransomware hitting Iran. We've got some SonicWall related drama. We've got Microsoft bringing back vulnerabilities from the dead by like unpatching them. There's a few things to get through there. But we're going to start off by talking about the US Department of Justice's big announcement last week, where the part that got a lot of attention was that it turned out like RT or an affiliated entity had been giving millions of dollars to like right wing YouTubers in the United States so that they could bang on about Kremlin talking points. And that obviously got a lot of attention. But there were a few
Starting point is 00:01:26 components to this action, aside from the Tenet Media stuff, including the DOJ taking down something like 32 typosquatting domains that redirected to Kremlin propaganda, so like fake news websites and whatnot. And, you know, this is just a huge, uh, action against Russian disinformation targeting the 2024 U.S. presidential election. Yeah, the DOJ actually indicted a couple of RT employees for violating the Foreign Agents Registration Act and conspiracy to commit money laundering. They also re-characterized a couple of RT affiliates in the US as foreign missions, which kind of comes with a bunch of extra obligations in terms of reporting what they're doing and financial oversight and so on. Generally, it must be pretty uncomfortable being RT in the US at the moment. And I think that's given, you know,
Starting point is 00:02:26 their tendrils reach into all sorts of places because RT's parent company, which is I think the largest media company in Russia, also controls, you know, Sputnik and a bunch of other things that, you know, repeat Russian talking points around the world. So pretty, pretty messy. And I guess, you know, given how involved they are, and, you know, now we're seeing kind of how involved they are in working on the US election
Starting point is 00:02:52 kind of makes a bunch of sense. So, you know, we've got kind of technical aspects in terms of identifying where disinformation is being created. And we've also got interaction with kind of normal media that is amplifying those messages in the form of RT and other things like that. Yeah, I mean, we've seen Doppelganger, though. Like, this is a group that's kind of tracked by the cyber security community, you know what I mean? Because they're often running like networks of Twitter bots and all those sort of things. And we've also seen sanctions applied against Aleksey Alekseyevich Garashchenko, Anastasiya Igorevna Yermoshkina.
Starting point is 00:03:35 Man, I shouldn't have committed to reading those names. And Aleksandr Vitalyevich Nezhentsev. God, I'm so sorry to anyone who's Russian who's listening to that. But yeah, there's some sanctions against them for operating a pro-Kremlin hacktivist group known as RaHDit, which is Russian Angry Hackers Did It. So I guess the point I'm trying to get at here is this is a huge blow to Russian disinformation efforts across a number of different sort of tendrils, right? Whereas it was just the Tenet Media stuff that got the attention in the mainstream media last week, which is fair enough, really,
Starting point is 00:04:12 because that was pretty scandalous. Yeah, yeah, exactly. I think there's a $10 million bounty for information on some of the Russian Angry Hackers people. So, like, a really kind of multi-pronged, multi-faceted response from the DOJ. And, you know, I kind of hope it works because, you know, disinformation
Starting point is 00:04:33 and influencing foreign elections is kind of rude. And, yeah, they should not do it. Now, staying with all things Russia, a pro-democracy non-profit called the Free Russia Foundation is investigating an intrusion, apparently, and a bunch of its documents were leaked online. Gee, I wonder who could be behind that. Yeah, I wonder. They've attributed it to a group called Cold River, which is Kremlin-sponsored, as you'd expect. And we're starting to see some of
Starting point is 00:05:05 the data that was taken from them being leaked. And, you know, there's a lot of communications in those mail spools and things that got taken that, you know, could be a little awkward for people who've been interacting with, you know, Russian outsider, you know, opposition groups like this. And yeah, it's, you know, it's a dirty tricks game, unfortunately. And I think the people behind this particular organization seemed to kind of understand that this was a thing that was probably going to happen to them at some point. Yeah, yeah. Hey, I wanted to just quickly revisit something we spoke about last week,
Starting point is 00:05:41 which was a Chinese disinformation campaign targeting the United States election. It seems like, you know, America's getting it from all sides at the moment. But we spoke briefly about the Graphika report into the Spamouflage group. And Elise Thomas, who is a senior OSINT analyst for the Institute for Strategic Dialogue, she got in touch with me to just share some thoughts. After you and I had spoken about it, she said that, you know, you had said, oh, well, they're just trying to create drama.
Starting point is 00:06:13 They're not really picking one side or another. It actually looks like they might be because they have seen right-wing pro-Trump accounts and left-wing anti-Democrat accounts using like the war in Gaza as a cudgel to beat them up with, but they haven't seen much anti-Trump activity, which doesn't necessarily in its own prove anything. But she did say the interesting thing about the Graphika report is it only looked at 15 accounts, and that's because Spamouflage,
Starting point is 00:06:41 where you used to be able to sit down and spend a few hours and identify hundreds of accounts, now it's really stealthy. So they managed to turn up like these 15 accounts that basically had zero interaction. But they just don't quite understand or have a feeling for how many accounts are out there. And that's partially because Twitter has sealed off that API access that disinformation researchers used to use. But it's also partly because the Spamouflage crew have just got better at being stealthy. So I thought that was worth mentioning. Yeah, no, it is interesting to see how, you know, the use of things like Twitter has changed as both the groups have got more mature, but also the platforms themselves change.
Starting point is 00:07:22 And I think, was it one of the Wide World of Cybers where you and Alex were talking about like kind of how disinformation has changed and election security and things. And I just thought it was, you know, the fact that this election is kind of different than the last couple where we had, you know, cyber or information leaks or hack and leak or whatever. Like, you know, it has changed every cycle.
Starting point is 00:07:46 And this one is a little more subtle, a little more advanced, a little less in our faces like it was back in the Guccifer examples. Well, I mean, I remember that conversation because we were talking about the Iranian hack and leak targeting the Republican Party, and it just didn't go anywhere. And now we've got these big campaigns being rolled up. In 2016, the DOJ, I don't think, was really looking at this stuff, right? And I think that's something that's changed.
Starting point is 00:08:12 The timing of this takedown to a couple of months before the election, you know, they've clearly timed this to do maximum disruption at the most critical time. So that's why I wanted to mention it, because, yeah, it really does feel like things have changed. Yeah, I agree. And, you know, the election is as contentious as the previous ones. And, you know, it's important that we keep a handle on, you know, all the people who are trying to put their fingers on the scale in various different ways.
Starting point is 00:08:40 Last week, we talked about how Starlink had its accounts seized by the Brazilian courts because it had refused to, you know, because Twitter had refused to pay fines levied against it. Starlink was also refusing to ban or block X slash Twitter. They have since capitulated, so Starlink is now blocking Twitter for Brazilian users, which is interesting because I spoke to a few people about this and they were like, there is no way Elon Musk and Starlink are going to backtrack on that, and they wilted. Yeah, I mean, I think in some ways SpaceX and Starlink in particular, you know, SpaceX feels like a much more mature company in
Starting point is 00:09:23 a lot of ways compared to, you know, Musk's other ramblings and things going on, because Starlink is so important to the US government, so important to the US military, and so important to many other organizations and places around the world in ways that Twitter is kind of a sideshow, right? Yeah. But Starlink is not. And I think, you know, SpaceX, you know,
Starting point is 00:09:49 both because of its regulatory obligations, but also, like, it's a much more real business than Twitter is. Like, I think it just has to take stuff a little bit more seriously. And, you know, by virtue of being where Musk's, you know, current rise to stardom started, like, SpaceX has a very capable Elon Musk wrangling department, clearly. It's like they've managed to kind of succeed and work around him, and so, like, there must be a whole team that's just kind of, like, involved in managing the Muskness. Uh, and it feels like, you know, they have prevailed at their job because clearly they're
Starting point is 00:10:25 pretty good at it. Yeah, well, look, just another thing on the X ban in Brazil. Lily Hay Newman over at Wired has written up a piece, uh, titled Why It's So Hard to Fully Block X in Brazil. So, okay, sure, they're having a problem with, like, regional ISPs not implementing the block, and some of them are just doing it with, like, you know, DNS filtering and whatever, which is pretty easy to get around. The reason I wanted to talk about this, though, is I don't think that really matters. I think for something like a social network,
Starting point is 00:10:53 all you have to do really is disrupt it and people stop paying attention to it. You know, there's going to be some really highly motivated people who still work to get around the block and whatever. But by and large, you know, say you remove the top 20 most interesting accounts of people who can't be bothered messing around with, you know, hosts files and whatever, you know, you can pretty much call it a day at that
Starting point is 00:11:16 point especially when you've got the apps being removed from the app stores and whatnot people can access it browser only so you know while I recognize that it's a, you know, perfectly reasonable thing to write about and point out, which is that implementing these sort of blocks countrywide, they're far from comprehensive. I guess my point is they don't need to be. Yeah, especially for a social network, because, you know, as you point out, right,
Starting point is 00:11:40 the value is the social part of it. And if people aren't there, then, you know, the platform kind of becomes irrelevant. And it's interesting that to be able to technically block stuff like this, you really do have to have proper authoritarian level apparatus, like in a more distributed network, i.e. how it's kind of meant to work. It is hard to implement these sorts of things. So yeah, I was more interested in the technical aspect than you were, I think.
Starting point is 00:12:05 But, you know, overall outcome-wise, yeah, totally agree. What did you find interesting about the technical aspect, though? As an ex-ISP nerd, like, I'm always interested in how internet service providing works in other countries and, you know, like the lack of a centralised infrastructure and all that kind of stuff. Yeah, it's, you know, personal rather than any particularly, you know, good reason. Well, I mean, I think one day it's going to be harder, right? When you've got like TLS3 and like everyone's using a CDN,
Starting point is 00:12:34 it's going to get harder. But again, I don't think that really matters if you, you know, if you're blocking something that people prefer to use via an app and they have to, you know, it just seems like, well, you just need to make it hard. You don't, you know, it's not like the Brazilian authorities are scared someone might get on Twitter, you know, and discover some huge secret. It's just like, you know, they are trying to disrupt it as a social network, and that's quite easy. Ban still in effect. There were protests on September
Starting point is 00:12:58 7, uh, in Paulista in São Paulo, you know, big protests, and gee, how weird it is that Brazilians are protesting in Paulista Avenue. And I will say too, I played our segment talking about all of that to a couple of Brazilian friends and they said it was good. But the one thing that they took issue with is when I said that Brazilians love to protest things and they're like, what about the Chileans? And I'm like, yeah, well, you know, I was talking in comparison to us. And they're like, okay, yeah, fair enough, fair enough. Now, look, speaking of capitulation,
Starting point is 00:13:32 as we did a moment ago with SpaceX, Pavel Durov seems to have had some change of heart about moderation policies. Gee, I wonder why. That came out of nowhere. The text on their website saying that they never respond to law enforcement requests, uh, is gone, and he's saying, oh, maybe we're gonna do some moderation now. Funny, that. Yeah, it is funny. And, you know, the proof will be
Starting point is 00:13:57 in the pudding, because, you know, it's pretty easy to say those things, especially after you've, uh, you know, had a slight run-in with the French authorities. Um, you know, Telegram is such a sprawling monstrosity, though, and they've got, you know, famously few staff, so it is difficult to, um, you know, to do content moderation well. But I mean, hey, you know, given they're starting from "we don't talk to law enforcement at all", like, I guess they don't have to do much to appear to improve. Um, you know, we'll see whether that goes anywhere. I mean, you say it's one thing to say it, it's another thing to do it. But if he wants to avoid prison, I mean, he's going to have to do it, right? Like, you know, this can't just be words, I think, given his predicament.
Starting point is 00:14:37 Well, I certainly hope so. But, you know, when you're a very rich man, sometimes you have other options available than just doing what you should. So, you know, we will wait and see. I'm, what, you know, it just feels slippery, you know. Yeah, yeah. One thing I wanted to point out too, both on Telegram and X, is that, you know, Telegram has removed channels previously, like pro-Navalny channels in the lead up to the last Russian election, gone, right? But, you know, heroin dealing and child sex abuse material are not so much.
Starting point is 00:15:09 So that's just something to keep in mind. And also Twitter. Twitter censors the absolute crap out of content in India at the behest of Narendra Modi's BJP government, right? So, yeah, it's just pretty funny that this came to a head in Brazil, not India. I wonder why. I wonder why, Adam. These free speech warriors tend to be selective when it comes to authoritarian right-wing governments. It's funny, that. Oh, and just, uh, one more thing
Starting point is 00:15:39 on Telegram too, which is, uh, the U.S. has just indicted two white supremacists for running a Telegram channel called Terrorgram, where they were soliciting the murder of, uh, federal officials and hate crimes and, um, conspiring to provide material support to terrorists, uh, and all that stuff. So yeah, just, uh, typical lovely Telegram stuff, right? Yeah, and facing up to 220 years in prison each if convicted on all charges, so, like, pretty serious stuff. Um, and, you know, fair enough too. Well, I mean, you know, being a terrorist generally tends to attract prison time, um, so there you go. Uh, a quick follow-up to last week. You and I spoke about an attack that would allow people to use specialist hardware. Sorry, let's just stop laughing. I know, I know, this is the funniest thing, right? So we spoke about an attack that, if
Starting point is 00:16:30 you had like 11 grand of specialist hardware and you could get physical access to someone's YubiKey and you had their credentials, you would be able to clone the YubiKey. And of course, you know, we spoke about this last week, and I was like, I don't think it's that big a deal because you can't do it over USB remotely and whatever. But, you know, they should fix it, et cetera, et cetera. Matthew Garrett has posted to Mastodon, why clone a YubiKey when you can simply steal it and leave an identical looking one that just doesn't work? And then the user is just going to be confused for a bunch of time without realizing someone else has their 2FA token now. And when you posted that into our Slack, my reaction was, oh my god, we're idiots. I mean, the dumb thing is he's exactly right, right? Because, I mean,
Starting point is 00:17:15 you know YubiKeys and U2F in general are so new and shiny that it just not working for some reason, 100% feels normal. I mean, it's rare that it doesn't work, but like totally believable. My YubiKey is broken. Oh, well. You'd be sitting there scratching your head going, oh, well, I guess I put it too near to something in my pocket or the cat shoot it or, you know,
Starting point is 00:17:39 like my toddler shoves Play-Doh in the USB hole or whatever else, right? There's a million reasons why it might just stop working, and all way more effective than having to decap it, put a magnetic, you know, kind of induction probe over some particular part of the circuit and do timing attacks and whatever else and then repackage it. And yeah, no, no. Yeah, it's funny actually, the same day that you'd posted that, I had a conversation with, uh, yeah, Dmitri Alperovitch, good friend of mine, uh, you know, originally a co-founder of CrowdStrike, now does other stuff. But he's like, he asked me, oh, what do you think about this YubiKey thing? And I said,
Starting point is 00:18:14 well, maybe you should listen to the podcast, Dmitri, was the first thing I said. But I said, uh, but I, but I said, you know, I gave him my, I shared my thoughts with him, and, um, and then said, but you know, Matthew Garrett pointed out that you could do this. And it was really funny because he had the same reaction where there was a pause of about two seconds and then he just was laughing his head off because he's like, oh, my God, that's so true. Like, why do we overcomplicate these things?
Starting point is 00:18:38 Because we're nerds and that's just, you know, we've got one way to solve problems and that's with complex nerd stuff. Yeah, exactly, exactly. It reminds me of the old, you know, Rubber Hose xkcd comic. Um, yeah, exactly, which is, why break someone's encryption when you can just beat them with a rubber hose and get their passphrase? Thank you, Matthew Garrett, for the comedy. Yes, very good, very, very good. Uh, now we're going to look at a story from Politico, uh, about Iran having to pay millions of dollars to a ransomware crew after they targeted a company
Starting point is 00:19:09 that provides a lot of services to the Iranian banking sector. Walk us through this one, Adam, because it is pretty interesting. Yeah, so there's a company that provides services to like 20 out of 29 banks or kind of credit institutions in Iran. They got ransomwared, a bunch of data taken. Apparently the data in question is, you know, like credit card numbers, detailed credit card transactions, payment card trends, other, you know, bank account transaction details, whole bunch of stuff. There was also some interruption to the services of ATMs around Iran
Starting point is 00:19:41 when the original incident happened which was a couple of months ago now. And the reporting is that the company not only has decided to pay, that they were encouraged to pay by the Iranian government who feared the fallout because Iran's financial system is under a lot of pressure after many, many, many years of sanctions and other complexities. And they were just kind of worried about the impact that it might have. The firm has now started paying the ransom in installments, which is also pretty grim. They accept a payment plan, huh?
Starting point is 00:20:19 Yeah, yeah. Not great. And the blockchain kind of supports a bunch of money being paid, I think $3 million so far or something like that. So I just thought it was interesting because of that kind of the nuance of it being sufficiently bad that they were encouraged to pay by their own government. Yeah. And, you know, Iran just being kind of, you know, that kind of fragile in some respect because of all of the other pressures that they face. Yeah, it's interesting too because the government there obviously is blaming Israel and the United States.
Starting point is 00:20:56 It was kind of funny seeing Politico write that accusation seemed plausible given the broader tensions between Israel, the US and Iran. But then they go on to say, you know, they spoke to people who are familiar with the hack and they don't think it's affiliated with the US or Israel, which, you know, I mean, I would love to see the US going off and ransomwaring a bunch of Russian organisations given that the Russian government's doing nothing about this.
Starting point is 00:21:23 But I don't think that's, you know, it's a non-starter, right, legally. So I think that accusation is not plausible, personally. But, you know, you do wonder what the Iranian government response post-incident is going to be, you know, because they've definitely got a capability. They've got very capable hackers. What does Release the Hounds look like? What does that sound like in Farsi, right?
Starting point is 00:21:46 Yeah, yeah, that's a great question. I don't know. And, I mean, it'd be great podcast content at the very least. But, yeah, who knows? And, you know, we did briefly have a story that was in an earlier version of the run sheet, we decided not to put it in, where someone had ransomed the area around the GCHQ, and we were laughing about, well, you know, that's, I hope someone checked the map, you know, of where that was after they deployed, or before, ideally.
Starting point is 00:22:12 Before you deploy the ransomware, check the map. But I mean, I do wonder, if you're the group that did this in Iran, how you feel about spending the money that you're getting, because it might be, you know, your life might not last super long, you know. Well, where are these attackers based, right? So if they are based in Russia, for example, I mean, Iran is really helping Russia with its war in Ukraine. In fact, today the news was, you know, I woke up listening to a radio bulletin and Iran has just provided a whole bunch of missiles to Russia.
Starting point is 00:22:45 Now, if you've got Russian ransomware actors doing this sort of thing in Iran, that's going to get picked up at senior levels of government, and there's going to be action taken. So I think if this crew are Russian, and I've got no idea if they are or not, but you would think if they are Russian, they're in deep doo-doo. Yes, I would imagine so. I would not want to be the person who did this if I lived in Russia, you know. If it was Ukrainians, then maybe it's a different story, I don't know. But yeah, who knows. But I don't know, I guess the point is ransomware affiliates are not always known for looking at the map and thinking geopolitics whilst they're in the middle of dropping. Yeah, I mean, if you are a Ukrainian ransomware operator,
Starting point is 00:23:25 I mean, maybe Iran's a good place to go, right, at the moment. Maybe, yeah. Just some thoughts. We've got a write-up from AJ Vicens over at CyberScoop about four men from Delaware being charged for their involvement in a sextortion scheme. They made nearly $2 million out of this. I think there's been some other suspects either indicted
Starting point is 00:23:43 or picked up who were based on the Ivory Coast, I think. Just wanted to talk about this one because this has turned into such a big crime, right? This happens so much now and it's really ramped up over the last couple of years. This is something Alex Stamos has talked about a lot. It's something that he used to see when working at Facebook. It's an absolutely despicable crime. Basically, people will approach young men, young women, eventually gain their trust, get them to send some nudes and then blackmail them with those images.
Starting point is 00:24:17 And we've seen a lot of suicides as a result of this crime type. So it is good to see some indictments here. But, you know, I do wonder, I do question the wisdom of Meta enabling E2EE by default for Facebook accounts when we've got crimes like this happening, uh, because it sort of locks them out of being able to do anything about it. And I do kind of wonder if that's one of the reasons they've done it, where it's like, well, it's not our problem. We've got no visibility there. And sure, they can use metadata to detect things like older people
Starting point is 00:24:53 befriending younger people and things like that. And that's a really reliable indicator for certain types of predators who use social media to identify their possible victims, their targets. But when it comes to this stuff, usually it's someone running an account that is posing as another young person. That metadata detection might be less reliable. And yeah, they don't have any visibility into those comms.
Starting point is 00:25:17 I mean, there might be some safety features they can build in there, but the whole thing's just so horrible. And I understand that we really do want to have a situation where people's private conversations are protected. I wouldn't like it if my entire Facebook chat history got leaked because there was no E2E on, you know, 15 years of it or whatever. But, yeah, there's a bunch to balance here.
Starting point is 00:25:38 There really is. Yeah. I mean, these issues are unfortunately complicated and it's especially tragic when it also involves young people and people end up taking their lives because of the pressure that they're under. And, you know, these are, you know, the solutions to these problems are, you know, never 100% technical or 100% social, right?
Starting point is 00:26:00 There is a blend of both of those things. And, you know, there's an education aspect as well, right? I mean, people have to be a little bit both of those things. And there's an education aspect as well. People have to be a little bit more cautious, unfortunately. We don't want to blame people for starting relationships and having fun. But it's just these are wicked problems, right? And there isn't an easy, simple way to deal with them, sadly. No, there's not. But taking a few of them and putting them in prison,
Starting point is 00:26:26 it's an excellent start. Good plan. Now, Suzanne Smalley has a great report up for The Record, where the Colombian president is apparently looking into allegations that the previous administration there sent $11 million in cash to Israel in two tranches to pay for NSO Group software that was then used to sort of spy on the political opposition, which is the people who are now in power. So they're obviously displeased with this. I think it's interesting the way this came to light, which was the Israeli banks kind of reporting this as saying,
Starting point is 00:27:01 well, hang on, this is a bit weird. This is tied to NSO Group activity. They kind of flagged it. But this is turning into a bit of a scandal in Colombia. Yeah, I mean, I guess you'd kind of hope that, you know, a Learjet showing up with, you know, $5 million in it or something, you know, and then what? You go to the bank branch and deposit it?
Starting point is 00:27:21 Like, I don't know how it works. Maybe I'm a bit simplistic in my, you know, international illicit payments techniques. But you'd kind of hope that that would ring, you know, ring some alarm bells or something. But yeah, it's interesting seeing, you know, the number of jurisdictions around the world where a change of government has happened
Starting point is 00:27:41 and now investigations into spyware are ongoing. Um, and, you know, it's kind of heartening in a way to see some of the fallout of buying the software, because, I mean, we've had NSO Group and other vendors, you know, for so long saying, well, the stuff we only sell to legitimate organizations or legitimate governments or whatever else. But, you know, it's just there's very few legitimate use cases for this kind of stuff, and I'm happy to see... I wouldn't say, I wouldn't say there's very few legitimate use cases. I'd just say there also happen to be a lot of illegitimate use cases, right? And that's, yeah, I'm like, I guess, I mean, like, a few by unique type, right? I mean, in quantity there are plenty of law enforcement cases
Starting point is 00:28:24 where, you know, you want to investigate crime types that involve technology. But there's just, you know, there's not, you know, law enforcement using it for legitimate law enforcement things. Yeah, I mean, there's so many interesting things to this. As you, as you say, like, it is interesting watching this play out. I'm kind of surprised, actually, that it's, it's, it's wound up this messy for NSO Group and by extension for Israel. We even saw that when one of the lawsuits was launched against NSO Group, Israeli government people turned up to NSO Group's offices and seized a bunch of documents. And initially, I discussed that in one of the Seriously Risky Business podcasts with Tom Uren. And our, you know, our take was that, you know, Israel was keen to avoid embarrassment.
Starting point is 00:29:06 But I since had a conversation with a friend of mine in Israel who said, look, it's less about embarrassment and more about the fact that the Israeli government was providing this technology to a bunch of countries in the region that it hasn't historically been aligned with, right? And this is part of its diplomacy in the Middle East. And if it were known that the Israeli government was providing technology to some of these states,
Starting point is 00:29:33 it would be awkward politically for those states, which is why they went and seized a bunch of documents. So it's less about just general embarrassment and damaging relations with the West and much more about damaging regional alliances that they bolstered by sharing this technology with them. And I thought that was really interesting. Yeah, I mean, I guess it underscores like how complicated that region of the world is. And, you know, we kind of want Israel to be building relationships with its neighbors. It's unfortunate that shilling spyware to them is the way to do it
Starting point is 00:30:05 Um, you know, but you can kind of see, like, big picture, you know, we do want to encourage them to trade and interact and have relationships with each other. It's just, you know, can you sell them couscous instead of, instead of NSO Group spyware or something? That would be nice. Yeah. Oh dear. Yeah, it's all a bit of a mess over there, and we're not getting into that. But yes, I think, you know, Adam's extremely controversial, uh, message is it would be nice if there were peace in the Middle East, and, uh, you know, I wholeheartedly agree. Um, but look, staying with the, uh, spyware stuff, and, you know, another one of the countries where there's like this, you know, incoming government has come in and is looking back at the prior administration's use of this sort of technology is in Poland. And we've got
Starting point is 00:30:51 a story here, Catalin covered it this morning for Risky Business News, but Poland's constitutional tribunal has ruled that a parliamentary commission investigating the use of Pegasus spyware is unconstitutional. But what's interesting here is this constitutional tribunal is like stacked with political appointees who are put there by the previous party. And it's not really like doesn't really have say, you know, shouldn't really have much say over what the courts are doing and whatnot. And it's just turned into this absolute mess where the previous government, you know, members of that party are doing everything they can to shut this down, and they're probably, I doubt they're going to succeed. But it's just another case where we've got, yeah, the story from Colombia, story from Poland. I think we've seen similar moves
Starting point is 00:31:33 in Hungary, have we? Ah, maybe not Hungary yet, I don't know. It's, it's a mess anyway. Yeah, I think Greece went the other way, because the government that did it is still in power. Yeah, they decided that they had done nothing wrong and everything was fine and all of the spyware is great. Yeah, I mean, I think Hungary and Greece might be next. Yeah, exactly. So, yeah, interesting stuff there. Now, uh, a technical story this week. John Greig has written this one up for The Record. CISA has warned about a SonicWall bug, uh, being exploited to drop ransomware. And look, I'm going to talk a little bit, after you're done explaining this story, about what I think this means for us, what this type of story means for us.
Starting point is 00:32:11 But yeah, what's the go here? So the basic details of the flaw are still unclear, I think. There is some kind of bug that involves the SSL VPN components of SonicWall. They had described it as like an access control flaw, but CVSS 9.3, anything that's internet facing that ransomware crews are using. It's a dot dot slash, isn't it?
Starting point is 00:32:37 It's a dot dot slash. The specifics don't particularly matter, I guess. But yeah, if you've got a SonicWall, you're having a bad time. So, yeah, that's been used in the wild. Um, CISA has put it on the KEV list. You know, this patch is available, etc. But, you know, pretty standard-issue SonicWalling, unfortunately. Yeah, so I guess for me, the big lesson that's coming out of these types of things, which is edge devices getting owned, there's a big thing happening right now where companies are re-evaluating remote access, and that's through things like virtual desktop infrastructure is all getting yeeted, Citrix stuff is getting yeeted wherever possible, and, you know, in the case of these types of, of
Starting point is 00:33:22 controls, people, people are trying to get rid of these border devices, right? So there's all sorts of new approaches to this. This is like, as a result, I think, of the, you know, the big work-from-home push that happened during COVID. We're finally getting to the point where we're starting to re-architect the way that we do this. And stuff like this, in my view, doesn't really have much of a future, right? Stuff like Citrix, stuff like VDI doesn't really have much of a future.
Starting point is 00:33:47 We're starting to move to actually zero trust instead of the zero trust that we got, which was firewall vendors saying, we're zero trust. It's like, no, you're a VPN, right? Yeah. So what I mean by that is we've got companies like, and I will talk about a couple of sponsors now, I hope people don't mind, but you know, Island, the browser, is being used a lot by companies that are getting rid of virtual desktop stuff, right? Which when you think about it, is a surprising use case for an enterprise browser, but makes a lot of sense once you look at how people are deploying it, right? Because you can lock web application access to this browser.
Starting point is 00:34:27 There's a lot of controls you can put around it. You can even do endpoint health checking and whatnot. So it's really useful as a replacement for VDI, and that's where they're winning a lot. And then there's other companies like Knocknoc that I'm working with quite a lot, actually, and I'll have more to announce on that in the future, where they're able to put just network controls around pre-existing infra like your SonicWalls, like your Palo Alto gear, like your Fortinets and whatever,
Starting point is 00:34:56 so that unless you're authenticated via your IDP, you can't even get to the port, right? So we are seeing, I think, a huge shift away from VPNs at the moment, finally. You know, after so many were bought and installed in 2020 just because everyone needed that quick solution, finally we're moving to much more sort of genuine, like zero trust thinking. And I think that's a positive. It's a shame though,
Starting point is 00:35:25 that so many people are going to have to get owned through their SonicWalls, etc., until that happens. But this is, this is the big shift right now. Uh, you know, I'm not sure if you've seen much of that, but, you know, this is something I'm picking up on big time. Yeah, and that makes, it makes a lot of sense, because, I mean, VDI was always a terrible solution that solved the problem. And that problem was in part, how do we sell people more expensive on-prem virtualization solutions back when those were new and exciting? And partly because managing client-side devices
Starting point is 00:35:55 and patching them and all that was difficult and people thought that bung it in a VDI, now it doesn't look like it's a problem anymore, even though all of the old problems still existed and all the hackers were entirely happy with VDI worlds because now we've got twice the attack surface to go after the real desktops and the virtual desktops. So like it makes, you know,
Starting point is 00:36:14 we are due for a correction on VDIs and network appliances and things on the edge have just always been terrible. They were just not really very visible. And so, you know, if you got hold of any Fortinet appliance or any other, you know, like a SonicWall or whatever, it's got to the point where you could kind of jailbreak it, get a shell on it.
Starting point is 00:36:34 You would inevitably find hilarious bugs that you could use to go about your business as an attacker. So, like, this correction is pretty long due and real zero trust was too expensive for most people to do in one go. And the cloud ecosystem kind of needed to catch up, right? I mean, Microsoft 365 and all of the app stack in the cloud there has made it viable
Starting point is 00:36:55 to do such a large percentage of your work without having to have a VPN, without having to have traditional remote access infrastructure. So, yeah, I mean, I mean, I'm, you know, I would be happy to see no more SonicWalls, um, and no more Fortinets. So, yay. Finally this week, we're going to talk about, um, Microsoft. Speaking of moving in the right direction. Yeah, managing to actually unpatch a serious bug. Womp womp. Yes, so this was a bug from, like, 2015 in Windows, uh, that had been, um, exploited in the
Starting point is 00:37:29 wild back then, was patched, and then, due to some kind of flaw in Microsoft's, like, patching systems, they're a little bit unclear. Basically, they say, uh, the build numbers got into a range where it stopped working, which sounds like something, you know, some number got too big, I don't know. Maybe there was a, uh... I can't even speculate at, like, quite how you ended up in that circumstance. But anyway, they ended up basically reverting a patch for this bug, uh, for a particular version of Windows 10. Um, and now they've had to put out an advisory and say, well, it's exploited in the wild, kind of like it was once exploited in the wild,
Starting point is 00:38:08 but not yet for the new incarnation of it. So that was part of Microsoft's Patch Tuesday for the month. They fixed a few other zero days. There was some bugs in, there's like a Mark of the Web bypass from Publisher, and there's some other bits and pieces as well. So normal sort of stuff, plus, of course, everybody else has been Patch Tuesdaying. Um, so, you know, time to apply those. But everybody
Starting point is 00:38:31 who listened to this already Patch Tuesdayed, so I don't know that we need to remind them too hard about that. Um, but, yeah, that Microsoft bug just, it made me chuckle, and it's nice to read some, some comedy in a Microsoft, you know, security advisory for once, instead of just, like, smacking your head in your hand and weeping. Yeah, I mean, you do realize that this happening means that Unpatch Tuesday is actually a thing. Unpatch Tuesday. Microsoft actually had an Unpatch Tuesday. But, uh, but, mate, we're gonna wrap it up there. Thank you so much for all of that. It's great to talk to you as always.
Starting point is 00:39:07 And, yeah, we'll do it all again next week. Well, you certainly will, Pat. I will talk to you then. That was Adam Boileau there with the check of the week's security news. It is time for this week's sponsor interview now with Paul Wells, who is an incident responder with Kroll Cyber, which has a huge incident response practice. And he joined me to talk about incident response preparedness. More and more compliance regimes are demanding that organizations have incident response plans. So it's a thing that people are doing now and
Starting point is 00:39:40 really thinking about. So he joined me to talk about all of that. And he started off by explaining, you know, really in basic terms, what should be in an incident response plan. Here he is. Incident response plans shouldn't be complicated. You know, you don't want a 100-page volume of information that gives long flowery descriptions of everything, but doesn't really give you sort of a key understanding of what you need to do. When we're helping organizations put incident response planning documentation together, I really encourage people to try and keep it as succinct as possible. Keep it to the key information that they need. So really it's having to hand the information of the third parties you're going to rely on. So whether that's your incident response provider,
Starting point is 00:40:26 whether that's your lawyer, whether that's your insurer, making sure you've got all that information to hand, and then having key actions to take during each of the phases. So, you know, what are the actions you need to take the moment you discover an incident? Who do you need to call? Whose responsibility is it to make those calls? So those sort of information... Right, so you want to have a bit of a, you know,
Starting point is 00:40:48 just the basics there, which is like our incident responder is this person. This is their phone number. Really down to that basic level of information. And I'm guessing the technical checklist would be more along the lines of doing things like isolating the backups immediately. And I don't know. I mean, you tell me, you're the expert, man. Yeah, absolutely. You know, from, from a technical side, it's having the backups and having the backups tested as well. Um, you know, we, we, um... So this is pre-incident. This isn't part of the response playbook. This is more in the lead-up to an event which will hopefully never come. Absolutely. We, we dealt with, um, an incident last year where, um, the organization, um, had pretty decent backups in place, um, and the IT team had
Starting point is 00:41:33 tested them, and they said it takes us, I can't remember, 12 hours, whatever it was, to restore their key systems from backups. So this, this was before Kroll was involved. But when they had this incident, the IT team confidently spoke to their senior management and said, we can have systems back up and running in 12 hours. Senior management took that information, communicated it to all their stakeholders, we'll be back online within 12 hours. Obviously, what they haven't factored in is that isn't when you're restoring from a major cybersecurity incident, it isn't just rolling back to your last known good. You've also got to check that.
Starting point is 00:42:13 Did you have any persistence mechanisms within there? You've got to reset a whole bunch of... Did I just restore the attacker's malware, basically, is what you've got to check, right? Exactly. So they ended up in a position that they thought they could restore within 12 hours. It was a lot longer than that. It caused them further problems because they hadn't really tested the recovery in an actual or in a kind of simulated cybersecurity incident.
Starting point is 00:42:35 Well, I suppose when you're testing an individual backup, that's one thing. But when you're congesting your network, trying to do a whole bunch of systems at once, I mean, I'm guessing you're going to run into issues like that, right? Yeah, of course. And you're going to run into those issues as well when you're under kind of increased management pressure to get this stuff done as quickly as possible. So a lot of what we talk to clients about is having kind of a senior management understanding of exactly what the technical teams are going to have to do, the sort of timescales that are involved as well. There was an incident not very long ago where the organization had immutable backups.
Starting point is 00:43:13 So they should have been in a pretty good place in terms of restoration, but the technical teams were under a huge amount of pressure to get those backups restored as quickly as possible. So they had one team who was working on pushing out the agents onto the machine so they could then do the backups from AWS. They also had another team who were working on reconfiguring switches at the same time. So as they were reconfiguring the switches, they managed to interrupt the rollout of the agent.
Starting point is 00:43:46 That ended up corrupting the secret key, which then replicated up to AWS, trashed the entire backup system. So they actually, because they were trying to run their backup service quickly, without really thinking it through and planning properly, they actually were in a worse state than they would have been due to the ransomware. We always hear talk of how dwell times have come down, right? The time between when someone has first got their, you know, decent privileged access on a network and when they escalate their attack and, you know, do the thing.
Starting point is 00:44:20 And I've often wondered if, and you're in a great position to answer this, I've often wondered if ransomware attackers in particular, because they're the sort of people who tend to come up against backups. I've often wondered if they wait now so that they can be sure that those accounts that they've compromised or the malware they've put in place does come back with the backups. Is that something that they consciously do now?
Starting point is 00:44:44 I don't know if I've seen that. Um, we have... There you go, pro tip for me to the ransomware operators, free one. We do see that they, they certainly go out of their way to make sure that they've hit the key stuff. You know, they, they're interested in making sure they've hit the domain controllers, that they've hit the, um, any backup systems that they've got. In terms of looking for kind of having persistence within the backups, it wouldn't surprise me if that's the way things go.
Starting point is 00:45:14 You know, we've certainly seen reinfections from people restoring to bad backups. Yeah. I mean, what's your strategy for dealing with that, right? Because how do you evict when, you know, I just keep, I've got this visual image of those, you know, tenpin things that, you know, you hit and they keep bouncing back up.
Starting point is 00:45:32 Like, how do you actually deal with that when you've got, I mean, I suppose you'd have to just selectively back up data, right? And do fresh installs of everything and, you know, I don't know, roll back your directories and creds. And I don't even know. That's why I'm asking you, man. Like, that sounds like a nightmare. We often talk about with containment, we'll have an immediate containment strategy and
Starting point is 00:45:54 then an extended containment strategy. So your immediate containment strategy is going to be things like resetting passwords, looking for indicators of compromise, making sure you've got no immediate kind of risk within the, the infrastructure. Then your extended containment is going to be more of a slower process of bringing systems back online into secure enclaves, making sure they're checked properly before they're brought back into production. And really that kind of having a good strategy for recovery alongside probably a strategy for ransom negotiation as well, or at least communication. So you can kind of keep that process rolling, keep the attackers talking to you whilst you're ensuring that your environment is safe and secure. String them along before they just decide to get angry and keep damaging more, right? That's it, because they're going to be pretty unlikely to try and get back
Starting point is 00:46:49 in and trash you if they think that you're in a position that you might pay. Yeah, yeah. So how much of a difference does it make when you go into an organization that's done some of this preparation work versus one that hasn't? I mean, is it just, is it just a very clear difference, or does it sort of, does it vary team by team and org by org? Because I imagine you might go into some places that have just got really great teams and even though they haven't done much preparation, they're able to respond well. You might go into other places that are very well prepared, but the team's not so good and the wheels fall off. I mean, I'm just trying to get a sense of how much of this is about the team versus how much of it is about the preparation work and having the right stuff in a binder on the shelf. I think the two things go hand in hand. You know, good teams tend to have done good preparation
Starting point is 00:47:33 because good tech people, good cyber people, good managers, you know, they don't like risk. And one of the ways you're going to mitigate that risk is preparing for incidents. So it does make a big difference when we're working with an organization that has done preparation. And it tends to come down to understanding who's responsible for these actions. So it's not just having a list of actions, it's having clear responsibility and ownership of those actions. Whose responsibility actually is it to make sure that we have an incident management call every single day till we get through it, or every couple of hours till we get through it? Which room are we going to be in? Who's running
Starting point is 00:48:14 the room? Who's in the room? Who's in charge? Who's this? I mean, I sort of see exactly what you mean. Like even just having those, because trying to figure that out on the fly, God, when you're under that much pressure, that would be, it's not something you want to be doing then. Exactly. And that's where stuff really goes wrong. And, you know, communications is the big one as well. Whose job actually is it to send communications out to your staff, to let them know what's going on, and to make sure that you're giving them the right message as well. And sometimes that kind of communication, if you don't have a clear process in place for who gets to sign off on communication, you can end up where you spend days and days with a message kind of going around. Is it
Starting point is 00:48:56 legal's job to sign it off? Well, we now need to get the tech people to look at it to make sure it's accurate. Well, now the CEO wants to have a look at it as well. And before you know it, it's 72 hours have passed and you've not even got a basic message out to your staff. Yeah. So let me ask you this. What sort of proportion of enterprises out there actually have done this work? And is that percentage changing? Is this something people are increasingly realizing they're having to do? Is it rare that you encounter someone who's done the preparation? Is it more often than not? Like, I'm just trying to get a sense of how common this is. It's definitely increasing. We see a lot of organizations coming to people like Kroll, looking for assistance with putting incident
Starting point is 00:49:42 response plans together, putting playbooks together for specific incident types, and also running tabletop exercises or purple team exercises to, you know, rehearse their teams going through this. I think, especially as we see increased regulation as well, you know, both within the EU and, you know, other regulators as well around the globe, taking increased interest in this ability for organisations to have resilience, operational resilience through cyber incidents. But I'm guessing people with these sort of plans are still kind of the minority. I mean, you've said it's increasing. You haven't really told us what the state is now. I think it's difficult for me to say what it is in terms of a percentage.
Starting point is 00:50:28 We do still see a lot of organisations who try and do things on the hoof. And, you know, we can help them. And we certainly do help them get through incidents. But in terms of having that plan in place, they know who they're calling. That's certainly really important. Well, Paul Wells, an incident responder, has a message for all of the listeners and viewers, which is please, oh, please go and do some incident response preparedness preparation so that if you have to call him and his merry band of incident responders, things run a little smoother. Paul Wells, thank you so much for joining us for that interview. Very interesting stuff. Thank you, Pat.
Starting point is 00:51:10 That was Paul Wells from Kroll Cyber there. And yeah, great to chat to him about all of that. Big thanks to Kroll for supporting Risky Business. And that is it for this week's show. I do hope you enjoyed it. I'll be back tomorrow with another edition of the Seriously Risky Business podcast in the Risky Business News RSS feed. But until then, I've been Patrick Gray. Thanks for listening.
