Risky Business - Risky Business #768 -- CSRB will investigate China's Wiretap Hacks
Episode Date: October 30, 2024

On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news, including:

CSRB to investigate China's telco-wiretapping hacks
Euro law enforcement takes down the Redline infostealer
Someone steals Fed crypto... and then tries to quietly sneak it back in
Russia sentences REvil guys to... jail? Really?
Apple private cloud compute gets a proper bug bounty program
And much, much more.

This week's episode is sponsored by Material Security, who help navigate the mess of cloud productivity data security. Daniel Ayala, Chief Security and Trust Officer at Dotmatics, is a Material customer, and joins Pat and Material Security's Rajan Kapoor to talk about how to wrangle securing data that ends up in corporate cloud email and file stores.

This episode is also available on Youtube.

Show notes

Apple 10 day certificates
Chinese hackers said to have collected audio of American calls
U.S. Panel to Probe Cyber Failures in Massive Chinese Hack of Telecoms
How a series of opsec failures led US authorities to the alleged developer of the Redline password-stealing malware
Operation Magnus
Hacker Returns $19.3 Million to Drained US Government Crypto Wallet
Meet ZachXBT, the Masked Vigilante Tracking Down Billions in Crypto Scams and Thefts | WIRED
Radar systems in Iran breached prior to Israel's Saturday counter-strike - report
Delta sues CrowdStrike after widespread IT outage that caused thousands of cancellations
Tens of thousands of taxpayer accounts hacked as CRA repeatedly paid out millions in bogus refunds
Microsoft CEO asked board to cut pay in connection with security overhaul | Cybersecurity Dive
Four REvil members sentenced to more than four years in prison
Russia says it might build its own Linux community after removal of several kernel maintainers
Nigerian court drops charges against detained Binance executive Tigran Gambaryan
Apple will pay security researchers up to $1 million to hack its private AI cloud | TechCrunch
SonicWall firewalls the common access point in spreading ransomware campaign | Cybersecurity Dive
Fortinet zero-day attack spree hits at least 50 customers | Cybersecurity Dive
Cisco warns actively exploited CVE can lead to DoS attacks against VPN services | Cybersecurity Dive
Chinese influence operation targets US down-ballot races, Microsoft says | Reuters
Exclusive: Accused Iranian hackers successfully peddle stolen Trump emails | Reuters
Viral video of ripped-up Pennsylvania ballots is fake and Russian-made, intelligence agencies say
Product Demo: Securing M365 and Google Workspace with Material Security
Transcript
Hey everyone and welcome to Risky Business. My name is Patrick Gray. We'll be chatting with Adam Boileau in just a moment about all the week's security news, and he'll be joining us, as will Material Security's Rajan Kapoor.
And we're basically talking about what a mess M365 and Workspace are from an access control point of view.
It's a great chat, and it's coming up later.
But first off, let's get into the news now with Adam Boileau.
And Adam, it's good to be back on deck and feeling a little bit better.
I had a pretty rough week. I'm still not 100%, but I just wanted to say thanks to everyone who sent me well
wishes. Yeah, no, you certainly were having a rough time and it's nice to see you starting to
bounce back. Starting baby steps, right? But look, we're going to actually start this week's news
section with a correction, which is last week we spoke about how Apple was in the, you know, the CA/Browser Forum asking for certificate life to be dropped down
as low as 10 days. It turns out we actually got that wrong. It's 45 days, which is still a very
short time, but that's a detail we got wrong, and it's because when Catalin prepared the report,
and I'm not blaming him for this, by the way, we always, you know, we all make mistakes, he was looking at the wrong table when he came up with the 10-day figure. That 10 days
is for, I think, validation data reuse, and we just, you know, got that mixed up and we didn't
check it. So that's why we got that wrong. I don't think it really changes anything that we said last
week, though. No, I know, I don't think so. I mean, 45 days is still short enough that you really can't
do it by hand, and that's the important thing, right?
Yeah, and that was the guts of what we said last week.
So I just wanted to make that correction before we got into the rest of the show.
And, of course, the big news this week is that we've talked about this intrusion
into American and other telcos, not just confined to America,
but all of the news is centered on America.
This salt typhoon intrusion
where Chinese APTs have got into American telcos and targeted the systems that provision
wiretaps early on, the reporting seemed to suggest that the actors were interested in finding out who
the FBI was wiretapping, for example. It looks like now, it looks like they were actually
listening in on some calls, including, you know, political staffers and whatnot, members of the Trump campaign, the Harris campaign.
And they did actually target some of the candidates' phones, but it's no word on whether or not they actually intercepted any audio there.
But this thing has blown up and it looks like it's the next CSRB investigation as well. Yeah, because when we were
talking about this in the previous episode, you know, it was kind of couched like it looked like
counter-counterintelligence, like that they were trying to figure out who was being wiretapped,
and in some respects that felt like, you know, that's just kind of normal spying, you know, and
not, you know, it's a bit sneaky getting in there and checking for yourself, but I mean, kind of probably within the bounds of the great game. But actually provisioning
your own wiretaps of political staffers like that definitely is a little more, you know...
Well, I mean, we don't 100% know if they provisioned them as wiretaps or if they just used the, you
know, widespread, I think someone described it as exquisite access that they had, to do it some
other way. But I think the good news is here.
We should find out a lot more given that the Cyber Safety Review Board is going
to look into this.
Although I do worry that they're going to get hampered a little bit by
classification and whatnot. And there's,
there's probably some details they won't be able to talk about, you know, in their final report. But, you know, their reports so far have
been good, so fingers crossed. Yeah, and I was certainly heartened to see that the CSRB
was going to look at this because, yeah, I have so many questions, because, you know, having done some
of this stuff myself, like, I'm professionally nosy about what they did and how they did it and how
they, you know, kind of provisioned their access and so on and so forth. And yeah, I think you're right that they will be slightly hampered by
the classifications and, you know, security controls around some of this infrastructure,
but, you know, I am certainly hanging out to read the report, because as you say, the previous ones
have been really pretty good. And I think, you know, overall the CSRB has been, you know,
much better than we could have hoped for, I think,
because we've seen so many calls for that type of investigative body before,
but kind of the makeup of it and the nature of their output,
you know, I find, you know, really pretty best case.
Yeah.
I mean, I was expecting them to look into the CrowdStrike thing,
but I guess I don't know what else there is to learn there that would require the board, you know?
Like Microsoft is looking at kernel restrictions
and there's been a lot of work done there
and I think what happened there is pretty well understood,
which is CrowdStrike made a big whoopsie, basically.
So I think this is a good use of the board's time.
I agree.
Interestingly enough, I mean, so it's Ellen Nakashima
over at the Washington Post with Josh Dorsey,
who came up with the scoop that audio was intercepted.
But even they point out in this piece that, you know,
end-to-end encrypted communications such as those
in the Signal platform are believed not to have been hacked.
I mean, obviously.
But it's, yeah, it is interesting
because recently we also spoke about
how the Trump campaign was using these specialist
secure Android devices from a company called Green Hills, right?
So you wonder what they got, I guess, is what I'm getting at.
Yeah, I mean, the contents of phone calls and text messages,
I guess, is what you'd expect to be able to get, along with call metadata, I suppose,
which are still useful things, but these days, as you say,
so much communication is done through over the top apps
with end-to-end crypto in some cases.
So yeah, of less utility, more limited utility
than it once would have been. But I mean, still, I can,
you know, so many people fall back on PSTN phone calls because it's just easy and ubiquitous and
works everywhere and there's no, you know, interoperability problems or whatever else. So,
I mean, so many people do. You're right, but do the people working for presidential campaigns that
are being targeted by Iranian hackers, and it's been known that they've been targeted by Iranian hackers, you
know, in this case it's the Chinese, but you know what I'm saying, right? Like, they know they're a target. Yeah, I'm guessing they're using Signal
most of the time, right? Like, and it just reinforces the point you're making, which is
this doesn't get you as much as it used to. Yes, exactly. And, you know, I'm sure they are probably
using something like Signal for anything juicy,
but, you know, sometimes, you know, for the sake of expediency, sometimes a phone call is just
what people do without necessarily stopping to think, you know, about exactly what they're
saying and where they're saying it. But as you say, if you are working for the Trump campaign, by this
time probably you should have pretty good instincts about
what to say and what not to say and over what medium.
Yeah, yeah.
Now, let's talk about Operation Magnus.
This was a, you know, a bunch of different police services and authorities were involved
in this.
It was a takedown against a couple of info stealers.
What was it, Redline?
And what's the other one called?
No, that one's called Meta, somewhat confusingly.
Yes, so Redline and Meta, you know, authorities seized a bunch of servers and domain names.
They arrested a couple of people in Belgium who I believe are customers of these InfoStealer
botnets, and they've also indicted, presumably in absentia, the Russian fellow who runs the
whole thing.
You know, just a pretty nice textbook takedown here,
including some very high-quality krebsing
in the DOJ's indictment of the guy who runs it,
because, yeah, it totally reads like a krebs piece,
that indictment.
It really does, yes.
They ended up doxing this guy,
I think based on some tips from private sector infosec firms,
but he had been using
like his hacker nick on, like, Russian dating forums and stuff going back, I think, like 12 years or so.
So, you know, there's some challenges to using the same persona when you're trying to
pick up a date as also selling your wares on crime forums.
So, you know, as you say, I think he's still in Russia,
so probably other than it being a little bit embarrassing,
he may not face much retribution.
But the Dutch police, I think, or whichever European police force
put together the domain and the package,
did do some reasonable trolling.
They made a little video about the most recent update
to the software, which basically said,
hey, we've got all of the customer data
and we're going to be sharing it
with all your local law enforcement friends.
So good luck with that.
So yeah, good work, police.
And it's kind of like we've talked about
how it feels like IRC Troll Wars from the 90s
when it's law enforcement versus cyber crooks.
And yeah, totally here for that.
Yeah, 100%.
Now, this one is a more recent type of phenomenon, right?
Which is, you know, crypto theft and stuff is probably,
I mean, to be appreciated for not being something
that was happening in the 90s, at least it's something new.
A really bizarre situation unfolded over
the last week where someone stole nearly $20 million, or around $20 million,
from a US government-controlled crypto wallet, and these were funds that were seized as part of an
investigation into the hack of Binance, right? But the funds were in the control of the US government, and blockchain investigators, including, like, ZachXBT, started noticing this
money moving around in a way that made it really obvious that someone had stolen it.
The reason it's funny is because the attacker has since returned the funds, saying, I mean, I'm
guessing they're saying, my bad. So you wonder if they just didn't know
that they were stealing funds, you know, probably from, like, the US Department of Justice or one
of its agencies, right? Like, whoops. Yeah, exactly. I would have liked to have been in the chat
channel, like in the Telegram or wherever it was, where the people were coordinating that and
kind of seen the, you know, being a fly on the wall to
the, excuse me, you just stole $20 million from the US feds. Like, you're going to need to give
that back right now. Because we've, you know, we've made lots of jokes over the years about
the dog that catches the car, you know, when it's chasing it down the street. And that kind of is
the vibe that you get here. I think the funds in question were from the Bitfinex hack,
not because Binance were involved in investigating this,
but I think the actual hacked funds came from Bitfinex.
But either way, it's very funny.
I'm sorry.
Yeah, you're right.
It's Bitfinex, not Binance.
They all blend into one.
They all start with the –
Exactly.
It makes no difference.
Same, same.
It's all just a bunch of crypto skulduggery, foolery, jiggery-pokery rubbish. Yes. So, yeah, anyway, the feds
got it back, but I wouldn't want to be the guy that nicked it. No, no. And the idea that you're
going to dodge the heat by just giving the money back, you're probably better off keeping it, you
know. Like, seriously, the crime is done, you can't
undo the crime. I'd just haul ass to a non-extradition country. Don't give it back, you're
gonna need that money to stay on the run. Exactly, exactly. But yeah, what a world, what a world. And,
you know, we just mentioned ZachXBT, and Andy Greenberg at Wired has, like, what I would
describe as a really nice write-up. For those who are unfamiliar,
ZachXBT is someone who does a lot of blockchain investigations and stuff quite openly,
helps people recover money, had been operating mostly under like a donation model. People would
donate money. But he recently accepted payment to help someone investigate something. And he's
thinking about, you know,
turning it into a more professional thing.
But you read this whole thing and you get the impression
that this is not someone who's really, at least at this point,
not really someone who's in it for the money.
They're just really into trying to right wrongs, right?
Like that sort of motivated by justice kind of thing.
It's a heartwarming read, I've got to say.
It is.
And it's nice when you see these kind of, you know, of life write-ups of, you know, what it's like being
someone like that, and, you know, just spending, you know, all day every day in front of your blockchain,
slaving over a hot blockchain, you know, trying to figure out what's going on. And yeah, you do get
the impression that, you know, it's just a, you know, a guy that wants to right wrongs in the world, and, you know, there's not, it's not many people that do that. So good for him. And yeah, definitely, if
you follow, you know, blockchain drama, definitely worth reading this particular
write-up, because, yeah, it's good, it's good insight. Yeah, now we're gonna switch to a report from the
jerusalem post which has got to be the most vague write-up of a thing I've ever seen,
where it says the headline is
Radar systems in Iran breached
prior to Israel's Saturday counter-strike report.
So they write that radar screens in Iran froze
and this helped Israel to perform a bunch of airstrikes targeting, I think, mostly air
defense sites in Iran. But there are no details on, like, how, why, what, you know, like there's
just zero details in here. We don't know if it was some sort of EW-based attack, if it was
cyber-enabled, if it actually attacked the equipment itself on the ground, like
the S-300s or whatever, or whether it attacked some sort of, you know, centralized facility that
maybe did have network connectivity. Like, just unbelievably light on detail here, but I just
thought I'd flag it because, if it's true, it's pretty interesting. I know when, I think Catalin
pasted this into our Slack and we had a good conversation about, you know, what it could be and all those sorts of things.
But yeah, we just know nothing and I would very much like to know more.
Yeah, yeah, exactly.
So we'll move on from that one, but we flagged it and we'll see if more details come out later.
Delta and CrowdStrike are still screeching at each other in the wake of, when was that?
I think it was back in July, wasn't it?
The CrowdStrike apocalypse.
But yeah, you know, we saw Delta saying
they were going to sue CrowdStrike.
They have now launched a lawsuit for $500 million.
And I think CrowdStrike's counter-suing them
for saying nasty things about them.
And it's gone exactly where we expected it to go.
And I've got no idea how this is going to play out.
I think CrowdStrike's going to dig its heels in here.
I mean, their argument is that, you know, well, all your competitors got back online quicker than you, you know,
you're just not very good at it. And, you know, Delta's argument as well, no, you just vaped all of
our systems. So, yeah, we'll let the lawyers argue about it, that's my opinion on this
one. Yeah, I don't know that Delta really did themselves many favors, because there's a bunch
of details in here where they said, like, look, we didn't patch any of our stuff,
so how come CrowdStrike broke it?
I think if your defence is, well, we didn't patch our security software,
it doesn't necessarily paint you in the best light either.
We're not very good at IT.
Therefore, why did our IT change and break?
Yes.
So once again, this is for the courts and lawyers to argue about
and make fat bank out of. But, you know, we'll just sit here and quietly watch and enjoy the show.
Now let's turn our attention to Canada, and the Canada Revenue Agency, which is their tax
office up there, is having some issues with a bunch of false returns. And it looks like there's some feeling there
that this could be because of a major breach
at the firm H&R Block.
Now I find this one interesting for a bunch of reasons
because we saw the IRS go through something similar
a few years ago.
And you remember in response to that,
they were using like a third party facial recognition
service and that was very controversial or whatever, but they had to really scramble to put a lid on these, on these
false returns. And it looks like, you know, an organized campaign has pocketed something like
$6 million lodging false returns and getting those funds redirected to attackers because of,
you know, information that wasn't even stolen from the tax office. These sorts of campaigns,
these sorts of crimes, are a real problem for tax offices around the world, and I think,
you know, any tax office that isn't dealing with this right now is going to at some point in the
future, and that's why I wanted to talk about this one. Yeah, and I think that's a really interesting
point to this, because, you know, the hard part of computer crime
is figuring out ways to monetize access to data.
But once you've got a model that works,
then everywhere you can reuse that model
is another opportunity for you.
And so this model of, in this case,
they stole electronic filing credentials
from H&R Block is the accusation.
H&R Block has said that it wasn't them, of course, we should
say that. But that model, stealing those credentials, changing the bank account details
for a refund, filing a false return, pocketing the refund faster than the tax agency can follow it,
is going to work, you know, in all sorts of places. And so if you are at a tax agency anywhere else,
you know, this is the sort of thing I'm sure you're very much keeping on top of
because you're going to have to have some defences in place,
some detection, and be able to respond to it.
But this does seem like a bit of a mess in Canada
that's going to turn political in some respects
because I think some journalists dug up the story
and now there's accusations being thrown back and forth
in Parliament in Canada.
So it's pretty messy.
And you would hope that, you know, this is a lesson that tax agencies would learn all at once together.
But that's not how the world works.
No, I mean, I suppose the silver lining here is that $6 million in the context of, you know, Canada's tax revenue is probably not really that much.
But it's also one of those things where you sort of get the sense that it
could spiral if they don't get on top of it.
And unfortunately getting on top of something like this is quite difficult.
So I guess the reason I mentioned it is like,
if you work in anti-fraud in a tax office somewhere,
maybe have a think about how you'd respond to something like this happening
because it's probably going to happen at some point.
Exactly. Yeah.
Yeah.
Now a report that we also carried is that Satya Nadella of Microsoft, actually, you know, he's the
chair of the board, he's the CEO, he actually asked the board to reduce part of his annual compensation.
He said, I don't want that $10 million, you know, cash component of my comp, because there
were security failings and it happened on my watch. And I think he's still, his total comp was still $79 million.
I think they didn't even take away all of that cash comp.
No, I think they gave him half of it.
Yeah, so this seems a little bit performative, if I'm honest.
It's contrition that doesn't really hurt him, I guess.
But then again, kind of sends a good message
I don't know, I don't know what to think about this. Yeah, I mean, five million bucks is still,
you know, that's a lot of money in anyone's book, even if you're, you know, a very rich person. But
as you say, like, it doesn't really hurt him that much, I would imagine, you know, when the package is, what was it?
Yeah, 70-ish million.
And that's 63% up over what he made last year.
So, yeah, really, really suffering there, buddy.
Well, but I mean, again, the reason I don't know what to think about this is that it's really hard to argue that he's not doing a good job as CEO when you look at the business, right?
But then, yeah, anyway, it hurts. It hurts my brain.
Now, here's a bit of an odd one. Four members of the REvil ransomware gang have been sentenced to
four years plus in prison in Russia. John Greig has this one for The Record. We also covered it
in Risky Business News. I mean, you don't really expect to see that, do you?
No, it did seem a little startling.
And I, you know, it kind of makes you wonder how badly they screwed up to end up being put in prison in Russia in a penal colony.
It was, I think, a standard penal colony, like not the really severe ones that they send the bad people to.
So, you know, but still, I can't imagine it's a great time.
Yeah, I don't think, you know,
oh, the nice Russian penal colony, right?
Like, I don't think that's really a thing, Adam.
I think you pointed out when we were talking about this
in our Slack that there's very few details
and they were tried in a military court in St. Petersburg
rather than a, you know a kind of open one.
So we don't have much detail
because military courts are relatively closed.
And there's no real clear idea why.
Yeah, I mean, I just flagged that
because Catalan had reported that it was a military court.
And I just asked him when we were going over
the news script for one of our news balloons
in the Risky Business News channel,
which you should all subscribe to.
I just asked him, I'm like, why did they do this in a military court? And, you know,
he had looked into that and he's like, look, I couldn't pin it down, you know, because none of the reporting explained why they were tried by a military court. So that is one odd feature here.
Yeah, I think Catalin's working theory was that a military court can have closed proceedings, whereas a civilian court in Russia, there isn't really a mechanism for sealing stuff.
So maybe that's it.
But yeah, we're guessing.
Yeah, yeah, 100%.
Who knows?
Staying with Russia, and Linus Torvalds has expressed support for the removal of around a dozen Russians from a list of Linux kernel maintainers.
We got a link through to Daryna Antoniuk's write-up for The Record here.
I mean, this isn't just, they're not just kicking out Russians.
These particular kernel maintainers were linked to organizations that have been either
onwards linked to the Russian government or are sanctioned, right?
So it feels like this is more of a compliance thing
than a, you know, let's just kick all Russians
out of being able to be Linux maintainers.
Funny thing here, though, was Torvalds saying,
you know, I'm Finnish.
What did you think I would think about this?
Who is, you know, Torvalds is famously grumpy.
And yeah, he's like, he does not seem to be a fan
of Russian foreign policy, let's
put it that way. Yeah, that's, that seems pretty fair. I think on the mailing list there was
some conversation that the Linux Foundation had received some legal advice, and they weren't, you
know, the maintainers, Linus and Greg KH, who landed the patch that did this, said, like, we're
not going to discuss the advice that we got, but this is just how it is. And Torvalds basically
said, yeah, you know, deal with it, that's how it be. Yeah, yeah. And meanwhile Russia is saying
it's going to build its own Linux community, which, sure, but I don't know, going it alone, I mean,
Linux at this point, I mean, you think about the number of hours that have gone into it, the fact
that it is just such a gigantic community with genuine support behind it, you know, and so much, I guess, sponsorship
from large companies that pay people to contribute to it, you know, they'll just hire people full-time
to be doing that sort of dev. I don't know how well Russia is going to go with, you know,
Russia Linux, you know, I don't know. Yeah, it's a hard road forking any piece of open
source software and maintaining it yourself in the future. And, you know, Russia has tried it with Red Star,
with their particular Linux.
The North Koreans have tried it with their Red Star Linux.
So, you know, there is some precedent for it,
but it's a hard road to make a good Linux.
And of course, every time you fork off from the main thing,
all of your adversary SIGINT agencies start, you know,
chuckling and rubbing their hands
because now the patches
are going to take even longer to get there and good times ahead.
Yeah, exactly.
Better make sure you don't make any mistakes, see?
And that's, you know, the vulnerabilities equities process
looks a bit different in those scenarios as well.
Meanwhile, Dina Temple-Raston and James Reddick,
also for The Record, have reported that Nigeria has dropped charges against that Binance
investigator, who's, what's his name, Tigran Gambaryan. He has been held in Nigeria
since February, basically on charges of, like, manipulating Nigeria's currency, because, you
know, a lot of people in Nigeria were using crypto because the local currency was kind of unstable,
and it kind of tanked the currency, and they're, you know, they just wanted to hold someone, basically. So
you do get the sense that what was happening to this guy was not fair, and you also get the sense
that there may have been some sort of diplomacy involved in securing this guy's release. I mean,
he had malaria in custody, he was not in good shape, and, you know, the court has said they have allowed him to travel abroad for medical treatment. So you do get the impression
that maybe there was a bit of pressure applied here. Yeah, and that sounds like the right
thing to do, because this guy was, you know, previously at the IRS and was integral in
the takedown of Silk Road, the arrest of Ross Ulbricht, the takedown of AlphaBay. So he has done a lot of good in this world.
And yeah, the story was kind of sad
seeing him just rotting in jail in Nigeria.
Now, Apple has introduced a new bug bounty program
involving its private AI cloud.
And it looks like a pretty interesting program
as in participants will get to actually access cool stuff.
And, you know, we love this.
Yeah, I think this is a great move.
I mean, Apple has been learning the lessons
of where it needs to be open and have public scrutiny
in order to kind of back up some of its claims over the years.
And I think this private cloud compute
is a pretty major shift for them.
And you can see sort of the roots in some of the security programs for iPhones, bug bounty programs,
researcher phones, those kinds of things, like all of the hard work that people inside Apple did to build those up,
prove that it's viable.
And now we've really seen it writ large with the plan for private cloud compute.
So they've released a bunch of the software components,
a virtual environment where you can run up the server side of their private
cloud compute system.
It'll use your local GPU on your Mac to do, you know, the AI parts of it.
So you can kind of exercise the whole system.
And then the bug bounty has a bunch of, you know,
things that will pay out, like up to a million US dollars for code exec,
but there's a bunch of other aspects as well.
And even things like they've included their thing
that sends logs off the Splunk
so that you can verify what it's logging,
how it's logging it.
And then they've got a bunch of transparency things
so you can kind of, in the future,
see that the code that they're running in production
matches what's been seen publicly. Really very well thought out, and, you know, I'm looking forward to seeing what researchers
dig up. Yeah, and do we know if this is, like, open to everyone, or is this one of those ones
where you have to kind of apply? I'm not a hundred percent sure. I think some of the things I
read suggested it is a bit more open than the, like, researcher-only phones that, you know, really were very difficult to get hold of. So I think it is more open than that, but,
yeah, proof will be in the pudding. Yep, yep. All right, well, we've dropped all the links into this
week's show notes on that one. Now let's do the usual section where we talk about how people are
getting owned via their, like, security software and security appliances. This is like an evergreen.
Ah, yes, the regular feature, yes.
Yeah, an evergreen section.
So SonicWall firewalls appear to be the common link
in a ransomware campaign that's hit something like 30 different targets.
Matt Kapko has the report for Cybersecurity Dive.
Yeah, we don't know the specifics of the bug.
I think it was one that they patched.
It was like an access control bug that got patched back, I think, in, what, August or something
earlier this year, at some point anyway. It's being picked up and is being used
in a campaign targeting the SSL VPN access and then onwards to ransomware. I think in some cases
we've seen ransomware within hours to, you know, not even a day or two between initial point of entry and onwards to ransomware.
So, yeah, if you have one of those, you're probably already having a bad time.
Yeah.
Just a reminder, you can use Knock Knock to restrict access to these sorts of things.
That would be a good choice.
Yeah, but I'm guessing the average company that's using SonicWall
probably skews a bit smaller.
I mean, you know, I'm not saying that Knock Knock doesn't work
for smaller companies.
I guess I'm saying that they're going to be the people
who are least likely to understand that they would need to do something.
Yes.
And, yeah, there's more Fortinet drama.
I mean, it all blends into one.
It's like every week we're talking about Fortinet bugs
being used to own people. Like, I don't even know if these are the bugs from last week or the week before, but another report from Matt Kapko here at Cybersecurity Dive talking about, um, you know... Oh, this is the FortiManager stuff. This is the stuff we talked about last week, right? Okay.
Yeah, it's the same bug, but I think it looks like someone hit a bunch of managed service providers, went downstream to customers, and did it at a slightly larger scale.
But either way, it's just every week, Forti-fail.
And, you know, at this point, if you've got a Fortinet on the edge of the network, you either need to not have a Fortinet or you need to lock it up behind Knock Knock.
And there's been some stuff going on with Cisco gear, which has been poorly communicated, in my view, because we were trying to report the other day on... they released a new feature which is designed to make brute forcing impractical against various devices, which, okay, cool. But then in the same breath they're saying, oh yeah, because there was a zero day being used as part of a brute force campaign. But they don't actually tell us much about the bug. I mean, do we have any clarity on what they're on about?
No. The Cisco advisory is pretty unclear. There's like a bug that they refer to which is, like, CVSS 5.8, and they claim that they have fixed it, and it's related to brute force. It's denial of service through authentication. And then it's also listed on CISA's KEV list. So it's a little bit unclear. My best guess is that this is a mechanism to allow you to bypass rate limiting or lockouts whilst brute forcing credentials. Cisco says that the bug exhausts resources, causing denial of service on a reload. So it may well be that you can try a bunch of creds, lock out an account, reload the VPN service, try a bunch more. That's what it feels like, but no one actually says that.
And again, we're guessing.
We shouldn't be guessing about this, right?
We should not. It's 2024, we should have good quality information. If the case is that there was rate limiting and there are already protections there, then why are they releasing new features to address that? Like, that's the other part that's not clear here.
Yeah, it is unclear. I mean, I guess all we really know is that people are getting brute forced via their VPNs and Cisco is doing something, and it's bad enough that it made it to the KEV list, which is not reassuring or particularly helpful for the people who have that equipment on their network.
Yeah, man.
What chaos, right?
Just chaos everywhere with VPNs.
VPNs were a mistake.
Internet was a mistake.
Computers were a mistake.
That's right.
Now we're going to turn our attention, Adam,
to all of the wonderful stuff happening in the US election.
There are influence campaigns trying to swing the election.
They're coming from every single corner of the world.
We've got a great write-up here from Chris Bing and AJ Vicenz,
who is now over at Reuters.
We congratulated him when he got the gig recently,
so it's great to see those two bylines together.
They're looking at how a Chinese influence operation is targeting down ballot races in the US, which is interesting because we've seen these big sort of disinformation campaigns and influence campaigns
trying to swing things, you know, towards Trump or away from, you know, away from Trump or whatever.
But when they're actually targeting specific down-ballot races,
that suggests a level of sort of planning that's quite alarming, I guess.
Yeah, yeah, it does.
And they're not particularly sophisticated campaigns,
but that's kind of not really the point, right?
I mean, this is sending anti-Semitic messages
and parroting accusations of corruption and things like that.
But, you know, stuff that can move the needle on,
especially on a platform as messy as X.
And, yeah, the targeting, I guess,
is more interesting than the actual techniques, right?
Because it suggests an intent and a focus and a degree of research
that, you know, is not casual.
No, agreed. And look, another one from Chris Bing, this one also with Raphael Satter and Gram Slattery over at Reuters. They've looked at... look, I'm going to take a bit of an issue with the headline here. They've said, "Exclusive: Accused Iranian hackers successfully peddle stolen Trump emails," and it's because a blog called American Muckrakers, they have published some of the material stolen by Iran, and it also popped up on someone's Substack.
To me, this is not successful.
Okay.
To me, this, you know, success looks like it did in 2016 when you had all of the major media outlets in the United States talking nonstop about the DNC leaks.
That's what a successful hack and leak campaign looks like.
I think getting it out there via a few blogs is not successful.
I mean, it's still a great write-up, but it's very interesting.
My issue is with the headline.
But did you have the same reaction there?
Yeah, exactly.
I mean, this does not feel like success, especially by comparison to, you know, two election cycles ago. And, you know, some of the details are interesting, right? It's a good write-up, but that was exactly my reaction as well. Like, this does not feel like they're going to get their bonus, the people who are running this particular campaign. And nothing like the success of 2016, where all of the coverage was focused on that one issue with Guccifer and Hillary's emails. And, you know, to this day, we still talk about Hillary's emails.
Yeah, I mean, I think something that's interesting here is that Muckrakers is, like, a PAC, so it's a, you know, political action committee or whatever they call them. So that's an interesting aspect here.
But I mean, the fact that you need Reuters to talk about it for it to matter kind of suggests that it doesn't.
Yeah, I agree completely.
So I mean, if anything, it's kind of nice.
It feels like we've made some progress at being a bit more resilient against these kinds of hack and leak and info ops, which is good.
It just means that we'll have to come up with new and novel ways to influence people.
Yeah.
And meanwhile, Russia managed to get itself a bit of a viral video happening with them, like, ripping up... There was a video of, like, Pennsylvania ballots being ripped up that turned out to be fake and made by Russia. And it was interesting that they were able to get that out quickly and say, no, this is fake, it was made by Russia. I mean, I don't know if some of the targets of this sort of disinfo are going to believe US authorities when they say that it was fabricated, but, you know, I guess they've got to try, right?
Yeah. And of course this was distributed initially on X as has become the fashion. So that's, yeah.
When we look back on this election,
like the whole Musk slash X mess that this has become is probably going to be one of the defining bits
of the disinfo part of this story.
But yeah, it's nice to see the blanket.
I've never thought that Twitter really had any influence on anyone's political destiny, and that's before Musk, right? So I don't know why people now think that because he's taken it over and he's pumping just non-stop Looney Tunes stuff that it's actually going to move the needle. I think the people who are buying into that, who are all over X, I mean, they're the people who already believe that stuff.
Yeah, you know.
Yeah, that's what I think with that. And, you know, as much as I find him odious and I think, you know, he just talks absolute nonsense 24-7 these days, I just don't know how much it's going to impact things.
But we're going to know in a week, aren't we?
Yeah, well, exactly.
We've got some outcomes-based metrics, which, yeah.
Called the election.
And I think, you know, look, we're close enough now.
It's been, you know, we've got a week remaining.
I think we can say that, you know, foreign disinformation,
foreign influence operations haven't featured majorly in this thing.
There's been some stuff around the edges.
We've talked about it, but I think we can say, you know,
in no universe was this at all close to being a rerun of, you know, 2016.
I think we're in a better place.
Yeah.
I mean, you know, all of the madness has been largely US domestic, and it doesn't feel like it's been, yeah, in the same way as it was two cycles ago. So I guess that's good, right?
Yeah. We'll be recording next week as they are counting the votes, right? Which is, uh, it's always an interesting day in Australia. It'll be a Wednesday here, and then, um, you know, you get to stream a bit of cable TV. And it's funny, I read a story recently about Americans in Australia and how they're sort of dismayed that Australians treat this like it's a big reality TV contest. They're like, are you going to have an election party? Like, where are we going to watch it? We'll go to the pub. And they're just like, oh my God, no, that's not what I'm thinking about this one.
But yeah, certainly I will be grabbing some popcorn.
Well, Adam, that's actually it for the week's news.
Thank you so much for joining me.
Great to chat to you and we'll do it all again next week.
Yeah, thanks very much, Pat. And best of luck to all our American friends.
That was Adam Boileau there with a look at the week's security news.
Big thanks to him for that.
It is time for this week's sponsor interview now with Material Security's Rajan Kapoor
and Material's customer, Daniel Ayala, who is the Chief Security and Trust Officer at
Dotmatics.
Material Security makes a product that can help secure M365 and workspace data at rest,
which is handy if one of your users' accounts gets compromised.
They lock up sensitive information in your inboxes, you know, and they can find other stuff too, like files that have been shared externally or company-wide that shouldn't have been.
I actually published a demo of Material Security last week, and I'll drop a link into the show notes if you want to check that out.
But yeah, the idea is they're trying to sort out some of M365 and Workspace's, like, security dysfunction.
So I'll begin this interview. I'll drop you in here with Daniel Ayala. And I asked him why he started looking at tooling to try to get a handle on things like accidental exposures via M365. And here's what he had to say.
I go back to the Delve day, the day that Delve came out. And I think this encompasses so much of my problem with these collaboration suites, is there's all this exposure. The access models in all these platforms are so all over the place and hard to manage that there's documents, there's email, there's sharing, there's access that has previously been hidden by obscurity. People didn't know they had the access. And the day Delve showed up, and now it's doubled with some of the better search and some of the new AI tools that are layering on, all this stuff became exposed, became visible to people in a way that had never been before. So yes, there's an email problem. Yes, there's business
email compromise that keep us all up at night. But there's also all of this stuff that people
previously didn't know they had access to, including attackers that might get into that box,
that we now have to figure out how to wrangle. And some of this is really back history. Like some
of this goes back a decade and trying to figure out what that is. Tell me about this Delve thing,
because are you talking about some sort of discovery tool? Because I've got to be honest,
I haven't heard of it. Yeah, Microsoft, what is it, eight, nine years ago,
released Delve as part of Office 365. It was one of their first discovery tools that you could do a search and it would show you the answers to all the things that match that search,
including documents that you never knew you had access to. And enter an access model in Office
365 that was open and you'd share a... HR would have had a file out there that they said, sure,
anybody in the company can see,
but we'll only send the link to these people. But it had SSNs in it.
Now, when I go search for my name, let's say,
or someone else's name, that document's gonna show up.
And again, this is eight, nine years ago.
So we've had this access problem for a while,
but it's only gotten more magnificent
as the ability to search and dive into this stuff has advanced. And now with, you know, the rise of some of the really easy search queries, you know, to take away the need to know how to search to find stuff and make it as simple as "show me all the things with SSNs" and you'll be able to pop it all up, you know, all this stuff scares the life out of me.
Yeah, no, I don't blame you.
And I mean, there's not really,
and this is kind of what I was getting at earlier.
There's not really much of a straightforward way to remediate this as yet, is there?
Which just seems a little bit insane.
Like what, you know, pre-tooling,
what are your options there in terms of like,
you know, I've done a search, I've found a bunch of stuff.
Is there some way to easily or programmatically,
like, you know, remediate that?
Hand cleanup. I mean, I'm sure with PowerShell you can go through and make all sorts of, you know, batch things, but those are more of sledgehammer approaches, and a lot of these things require a more scalpel approach, where you go one by one to the owner, or you do a search that says show me all the files that are there that include SSNs, or this, you know, with this masking, but that are owned by... and then show me them by owner, and we go to that owner and say, hey, go fix these 20 documents, go fix the permissions on these, that kind of thing. It was really, really manual. Yeah, and yes, there's DLP stuff that looks at that as it exits, but there really isn't much that looks at it when it's, you know, stationary.
Yeah. Yeah. So, I mean, Rajan's here as well from Material. I mean, you know, it's funny,
right? Because you did start off the company more as a way to restrict access to email data.
And obviously people still buy Material for that, but, you know, more and more you realized while
you're in there fiddling with these APIs, like, the file share problem in, you know, M365 is just... it's a big one, and it's one that's kind of slept on. Like, I know of other vendors who try to chip away at this, right, some of them more successfully than others, but, you know, it's the sort of thing where you wonder if people truly understand what their exposure is. Like, what's your sense of how aware people are that this is a problem to begin with?
It's very interesting, because when I talk to people and ask, you know, I talk to CISOs,
and I ask them, you know, how concerned are you about your email? How concerned are you about your files? The common response is they're somewhat concerned about files, but with email,
they just don't care, literally just don't care. And my follow up question is always,
but do you even know what's in there? Like, how can you say you don't care about something when you don't even have visibility
into what's in there? And I think it's the analogy I like to use is it's, you know, when you fly,
when you go to the airport and you fly, people worry about like the plane having a problem,
but you're more likely to get into a problem driving to and from the airport. And we've just
kind of accepted email as like the car ride.
We're not really worried about it because we haven't been able to do anything about
it for so long.
But that's, you know, it's interesting because the problem that we solved at Material actually
wasn't an email problem to begin with.
It was a data warehouse problem.
We figured out how to take large data sets and structure them.
Well, I mean, I've always described it as like an access control product, really.
Like when it comes to, yeah, when it comes to locking away sensitive information in inboxes
and stuff.
Yeah.
My point there is that you can't even get to that if you can't like structure those
emails, right?
Because you have to scan them, you have to read them, you have to look at them.
And that's the hard problem that we solved.
And so now we can build files on top of that, we can ingest APIs, right? And this has been the
reason I think that a lot of people have not really tackled this problem, the data sets were
just too large to deal with. And so what would you do as a CISO if your board was like, hey,
what are we gonna do about email? Well, we'll do inbound threat detection and remediation. But
beyond that, there's not much I can do. And what's also changed is you actually have a way to get to that data at
rest, right? You can leverage APIs now. We lost control of the infrastructure when we went to SaaS,
right? But we now have a way to get back to that data at rest and do things with it.
And that's where APIs come in, right? So you take APIs, you take a good data
warehouse, and you can start building a whole bunch of magic on top of that. I mean, it seemed
like what you were saying, because I was asking you about awareness about the sort of shared files
issue and like overly loose access to sensitive information contained in files. You seem to be
saying that that, you know, overly loose access to sensitive information contained in shared files.
Sounds like you think that that is more of an understood issue, which kind of surprises me,
because it's not one that I hear people talking about all that much.
I think it's an issue that when we bring up, when I bring up, people will click on that
much more quickly than they will with email. They'll say, you're right, I don't know what's
happening with my files. I used to work at Dropbox. We can credit Dropbox with making people
worried about files, right?
And so I think it is easier to, if you look at the DLP space
in general, a lot of it's focused on what's
in your files, right?
And so you end up with security teams that are,
it's easier for them to wrap their head around the risk
with data and files than it is for them to wrap their head around the risk of data and
email.
So I guess it's an easier sell is what you're saying, right?
Which makes sense.
I mean, a hundred percent.
Yeah, yeah.
That's crazy.
That's crazy because, you know, again, like this is your, your add-on feature, right?
Like it's not what you originally built.
So do you find that that's actually a way into deals for you? Is like, you know, they'll take the meeting for the files and then buy for
the email? It's a way in for sure. We're building another product called Unified Detections and
that's also been a great way in. But what we've seen with our existing customers is every, almost
every single one of them is interested in Drive, right? So it becomes a very complementary, like,
solution, right? It's like, hey, we're not just going to help you with your data in files, we're not just going to help you with your data in email. And if you think about Microsoft 365 and Google Workspace, where else is your data but files and email, right? Yeah. And so you start to get this, like, really, really, like, holistic view over your data, wherever it is in those two suites.
I mean, I think the other component to this whole equation is the identity side and authorized
applications and whatnot, which I know isn't really something that you guys focus on so much.
But that's, yeah, that's the other part. I think there's a bit of a triad with those
cloud environments. Dan, I want to go back to you.
You dealing with your board, as I imagine you do,
did you experience what Rajan said is the case,
that people are generally – were people internally much more concerned with data and files than in emails?
I think it's actually a little more balanced than that.
And a lot of it is due to once you've gotten burned by email, by data in email, I think you get the religion.
And so, I mean, most of my peers have gone through some kind of email-based attack that has done something or has shown that light. And I fully admit that I do not,
I can't represent every CISO or every security organization out there, but I think it's a growing
area of understanding. And it's not hard to paint that picture quickly to say, hey, look,
look at this thing that we found in your mail. And what could this enable? Or, you know, this thing you forgot about that's buried, you know, six months ago that we can, you know, that we can put a shield in front of. If an outsider got a hold, I use that analogy a lot, and finding a piece of email that contains some sensitive information, that tends to paint the picture pretty well and pretty quickly. Or if you say to somebody, you know, hey, think back six months to a deal you just finished or a contract or a negotiation or an HR discussion. All of those things quickly get people rather clenched
as they think about the thing that might have been found,
that might have been used by an outsider.
And then you relay it to some of the extortion attacks
that are happening and that method of attack
rather than ransomware for disrupting business,
now extortion, to collect money
because backups have become prevalent.
And think about the things that show up.
You see passports that show in the evidence that they put out there to prove that they
actually, you know, that they've actually been in.
They'll take a passport picture that came out of an email.
They'll take a, you know take a screenshot that you emailed somebody
of notes that you hand wrote.
Those kinds of things are pretty quick eye openers.
I mean, it's funny.
And the attackers, Patrick,
the attackers are kind of telling us that, right?
If you look at like when Storm hacked,
you know, the State Department's M365 infrastructure
and when Midnight Blizzard, you know,
went after Microsoft themselves
on their Microsoft 365 infrastructure, they went right for email, right? That's like the thing they did a
beeline for, because they know that like, it's still the number one collaboration tool in the
world, right? That is where everything happens. And, and if, if they're going right for email,
like, what are we doing to stop them from getting there once they've popped the account?
Yeah, I just want to ask you, Dan, too, as we wrap this up. You've been in this business for a long time, right? Like, stretching back to the 90s. Do you also find it funny that, like, state-backed espionage these days looks a little bit like 1990s scene war hacking, with people grabbing each other's mail spools? Like, this is something we pretty regularly have a chuckle about on the, you know, the main show. And I just, you know, does it also boggle your mind?
Yeah, it really does. Back to basics applies to so many different parts of this field, in terms of, you know, figuring out the things that you have, and watch them and roll them out as completely as you can and do them well. But the same kind of thing, we're back to the same kind of basic attacks, partly because we've lost sight of watching basics as a, you know, as a security team. We've gotten a little distracted at times by shiny things.
All right, Dan Ayala, Rajan Kapoor,
thank you so much for joining me for that discussion.
Very interesting stuff.
Thanks, Matt.
Thank you.
That was Daniel Ayala
there from Dotmatics and Rajan Kapoor from Material Security. And you can find
them at material.security. Big thanks to them for sponsoring this week's edition of the show.
And that is it for this week's podcast. I do hope you enjoyed it. I'll be back with more
risky business for you all very soon. But until then, I've been Patrick Gray. Thanks for listening.