Risky Business - Risky Business #769 -- Sophos drops implants on Chinese exploit devs
Episode Date: November 6, 2024

On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news, including:
- Sophos drops implants on Chinese firewall exploit devs
- Microsoft workshops better just-in-time Windows admin privileges
- Snowflake hacker arrested in Canada
- Okta has a fun, but not very impactful auth-bypass bug
- Russians bring dumb-but-smart RDP client attacks
- And much, much more.

Special guest Sophos CISO Ross McKerchar joined us to talk about its "hacking back" campaign. The full interview is available on Youtube for those who want to really live vicariously through Sophos doing what every vendor probably wants to do.

This week's episode is sponsored by attack surface mapping vendor runZero. Founder and CEO HD Moore joins to talk about marrying up the outside and inside views of your network.

You can also watch this episode on Youtube.

Show notes
- Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory
- Does bcrypt have a maximum password length? - Information Security Stack Exchange
- Local Administrator Protection | Privilege Protection
- Inside Sophos' 5-Year War With the Chinese Hackers Hijacking Its Devices | WIRED
- A Deeper Look at FortiJump (FortiManager CVE-2024-47575) | Bishop Fox
- Man Arrested for Snowflake Hacking Spree Faces US Extradition | WIRED
- Google uses large language model to discover real-world vulnerability
- GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI
- Thousands of hacked TP-Link routers used in yearslong account takeover attacks - Ars Technica
- CISA warns of foreign threat group launching spearphishing campaign using malicious RDP files | Cybersecurity Dive
- Chinese state-backed hackers breached 20 Canadian government networks over four years, agency warns
- India-Canada row: Canadian officials confess to leaking 'intel' against India to Washington Post - India Today
- Amid diplomatic row, Canada names India in 'cyberthreat adversary' list, accuses it of 'likely spying' | World News - The Indian Express
- The Untold Story of Trump's Failed Attempt to Overthrow Venezuela's President | WIRED
- Risky Biz News: The mystery at Mango Park
- North Korean hackers seen collaborating with Play ransomware group, researchers say
Transcript
Hey everyone and welcome to Risky Business. My name's Patrick Gray and we've got an absolutely
terrific show for you all today. There's been plenty of InfoSec news, cyber security news
over the last week or so. And for those who are looking to get their mind off the US election,
boy, do we have a terrific show for you all. So I'll be talking with Adam Boileau in just a moment.
And we're also going to hear this week from Sophos' CISO, Ross McKerchar, who's going to talk to us about how they dropped like kernel rootkits essentially on Chinese APT researchers who were doing exploit development against their products.
I'm sure a lot of you listening to this and watching this would have seen that report mentioned in the media over the last few days. So we're going to hear from him on
that. And then in this week's sponsor interview, we're chatting with H.D. Moore, who is the chief
executive and co-founder of RunZero. And he'll be talking about some new tricks that RunZero has
picked up in terms of being able to marry internal asset discovery scanning with external
asset discovery scanning. That's all very interesting stuff and it's coming up later.
But first, yes, Adam, it is time to talk through the week's news. And we're going to actually start
with a story that, I don't know, man, I just found it interesting, right? So I want to lead with it.
It's proper, you know, security geekery here. But let's talk about this Okta bug where under certain
circumstances, you could just enter a username, whack enter and get access. And I'm just going
to say right off the bat, it's not quite as bad as it sounds, but yeah, walk us through what
actually happened here. Yeah, this bug is a good time. So one of Okta's features is that you can
have your Okta authentication stack glued to your existing on-premise auth source.
So if you've got Active Directory or LDAP, you can basically run up a thing inside your environment to its machine that will connect back out to Okta and will then forward authentication requests from Okta onwards to your internal directory. They had a bug in this process
where essentially they cache the authentication requests
so that they can operate
when the connection to the on-premise kind of interface drops
so that you can still authenticate stuff on the network.
And that caching process stored like a bcrypt hash of the username and password
so that it could verify them, you know, offline.
And unfortunately, no one who wrote this thought about the fact
that bcrypt actually has an upper limit to how long a bcrypt hash can be,
which is about 50-ish characters, 50 to 70
depending on the implementation exactly. But the result was you could turn up, enter a 50-character
username, match an existing cache entry and be authenticated. Yeah, which when you're an
authentication product like Okta, you know, clearly is not what you want.
But as you said, like it does have a few things that have made this mostly a curiosity
rather than a practical thing.
Like, so you had to be single factor.
The connection between Okta and the on-premise agent
had to be not functional or denied of service
or whatever else.
And then you had to, you know,
provide a 50-whatever-character
username. So pretty niche bug. I think Okta, um, the code that was vulnerable to this was in production
for like three months or something like that. Yeah. So, you know, overall, like it's a fun, it's an
embarrassing bug, but at the same time, like I don't know that anyone who... Oh, I didn't know that about bcrypt.
No, no.
I've been in this industry for a long time.
The other thing here too is someone needs to have previously logged in
via Okta with that user, right?
So when you're thinking about a username that's got 52 characters in it,
it's got to be a service account, right?
So what are the odds of a service account, you know,
like a service account bouncing out through Okta from your AD?
So what are the chances that someone's actually used Okta, excuse me, to authenticate like that user?
It's very, very low.
So I think all in all, this is something that like never would have been really practical in the wild, but it's still not, as you point out, it's not a good look for an authentication company.
I think another saving grace here too is, as you said, they introduced it on July 23rd and by October 30th, they actually had it cleaned up. So that's a sign
that the internal review, I guess, failed in the first instance, but, you know, caught it in the
second instance, which I guess you'd call belt and suspender. But I think that one of the reasons I
wanted to talk about this is just people were jumping on this like it was, you know, affected
all Okta SSO and, you know, like the sky was falling. And it's not really that. It
is a curiosity, but it isn't... it's still an interesting one, right? Yeah, yeah, it's definitely
not as bad as some of the social media commentary that, as you say, wants to jump on Okta because, you
know, they have had a few clangers over the last couple of years. But, you know, this one was not one
of them. They did find it internally,
and obviously code review should have picked this up, ideally before it went into production rather
than three months after. But, you know, they got there in the end, which is a lot better than,
you know, when you think about all the other vendors out there and how long some of those
terrible bugs live for before they're, you know, found being used in the wild. You know, yeah, I think, uh, Okta in
this case, you know, overall comes out of this looking pretty reasonable. Yeah, we'll give them
a B, right? Like not an A exactly, but they still get a B. But I'm going to call you on something you
just said there, which is, excuse me, they've had a few clangers. What were they? I mean, there's this
perception out there that octa's doing really badly and it ties
back to a couple of incidents where I just don't think it's substantiated.
So there was the case where someone got into a third party support,
you know,
portal or whatever and took a screen cap and that was it.
And that was reported as an Okta breach.
And then there was the stuff affecting the casinos where an attacker was able
to like
federate an external IDP into Okta and maintain persistence that way. But that also affected
Entra. The difference is that Okta talked about it and Microsoft didn't. So look, some people are
going to say, Oh, Okta is a minor sponsor of risky business and that's why you're defending them.
But I just think the perception doesn't quite match the reality. And I think that's another reason people jumped all over this
is because of that perception,
that unearned reputation that Okta has right now
of being sort of lax.
You know, I just don't think it's entirely fair.
I guess the one I was thinking of was one of the Auth0 bugs,
which is like that's an Okta acquisition
rather than Okta themselves.
But, you know, that was a JWT algorithm none kind of bug,
which, you know, that I feel happy calling that a clanger.
But yeah, I do think overall you're right that, you know,
Okta has been tarred with a brush that maybe hasn't been entirely fair.
Yeah, yeah, that's it.
I think it's just one of those vendors everyone loves to hate
because Okta is sort of seen like a tax on your budget.
You know, it's just money you've got to pay
and people sort of grumble about it, which is fair enough.
But no, I don't think they're a hideously run vendor
from a security perspective.
I mean, they're a big vendor.
They're always going to make mistakes, but yeah.
Anyway, moving on and let's talk about some new features
coming to Windows 11.
Catalin reported on this for us today,
and it's really interesting what they're doing.
Essentially, in future versions of Windows 11,
you know, goodbye root, basically.
Everything's going to be sudo.
You will not be able to perform certain high-privileged functions
without sort of re-authenticating via a specified means first
and this is a great idea. Yeah, yeah, we started to see some details because there was a Windows
Canary build that has this functionality in it, and we're starting to see some people looking
into it and digging up the details. Microsoft hasn't really talked super specifically about
how it works, but essentially in Windows you have a regular user-level token
inside an admin account that's used for normal things, and then you have a more privileged token
that's used for authenticating admin-level stuff. And that's when you do like
"run as administrator", you know, to start a privileged process, that's what's going on behind the scenes.
And basically what they're doing is moving that privileged token up into a whole nother user account so it's more segregated from the regular
admin session. So it is kind of like sudo in a Unix environment, as you say, and then there'll
be a gate that you have to go through to do that. And it's kind of similar to how UAC, the User
Account Control, which makes you click "yes,
I would like to do admin stuff", worked. But this can now be used to require more authentication,
and so ideally, you know, multi-factor or biometric or U2F or some, you know, because authentication is
always more flexible now as well. And as an adversary who lands in a privileged admin account,
like this is the sort of thing that is just going to make your life more complicated.
And yeah, I'm totally here for that.
Yeah, it's like just-in-time admin for local accounts, right?
And it's great, like a really cool idea.
And yes, before people jump in the comments,
I am aware that the concept of root doesn't exist in Windows,
but you know what I mean.
I also twigged that we have a different pronunciation.
For me, it's su-do because it's super user-do.
And for you, it's su-do.
Su-do, yeah.
Like judo.
I don't know why.
That's just how it is.
That's just how it is.
It's just one of those things.
Just how-be.
All right.
So now we're going to talk about the big Sophos report
that dropped late last week.
This is a fascinating document.
Basically, Sophos noticed that some Sophos customers were getting owned, and the Sophos team were able to figure out that people were doing vuln dev on a bunch of Sophos-like trial VMs in certain
locations in China. They've since tied this activity back to a couple of specific organizations, a university and a company in China, that look like
they were doing exploit dev for, you know, for Chinese APT operations. And what they
did is they dropped like kernel-level rootkits on these people to monitor them,
were able to get an early heads up on 0days, squash them, collect all sorts of
amazing telemetry, and they did this over a period of five years.
And now they've dropped a report on it.
And it is, I mean, I'm here for this.
Yeah, very, very much so.
This was such an interesting story.
And watching the takes of the story, you know, amongst, you know, InfoSec social media,
and, you know, around the various digital water coolers that
we all hang out at, it's just been really, really interesting. Um, so as you said, they dropped some
kind of like kernel-level monitoring implant on, uh, virtual machines that were being used for
vuln research or, you know, exploit development, like weaponizing exploits, but also a physical
appliance, physical device, uh, that this group had. And then they were able
to identify bugs they were using, identify techniques, look at how they were chaining bugs
together to weaponize them, and then deploy either countermeasures or signatures or try and understand
what they were seeing out in the wild. And this is,
I you know it's really interesting because for a lot of people, this seems to be surprising.
But yet when you compare it to what antivirus or EDR vendors do on Windows, you know, where they have a whole bunch of telemetry,
or even, you know, operating system telemetry from Windows or from Apple iOS or whatever else,
like this stuff gets hoovered up and reviewed and used by security conscious firms.
And so seeing a firewall vendor
or a network perimeter device vendor doing this
just seems like a step in the right direction,
despite all of the hullabaloo it seems to have caused
amongst the commentariat.
Yeah, I mean, 100%, right?
I mean, the thing that I can think of that's most similar
is when Kaspersky wound up on a computer full of NSA exploits
and then extracted them and did threat hunting like that, right?
Like, it's the same thing, but it's on a hardware device,
and yet somehow this is regarded as controversial.
I did a half-an-hour interview last night with Ross McKerchar,
who is the CISO of Sophos, to talk all about this. And I'm just going to play an excerpt here
where he talks about some of these reactions we've seen, because some people have been quite
critical of Sophos saying, how dare they drop malware on their possible customer, which is,
you know, I just don't think is a particularly sensible take. Um, but you know, Ross spoke really intelligently
about all of that, and here's an excerpt of that now.
By and large, I think the bad takes that we've seen have been pretty, uh, pretty uninformed. There are some exceptions to that. You
know, I think the whole kind of hacking back debate is an interesting one to have. One thing that we've shown, I believe,
is that it's not really a binary kind of
you're doing it or you're not doing it.
There's a lot of shades of grey in that debate.
I'm glad we're having that debate
because we do want to kind of establish cyber norms
in that space, what the right way to operate is.
I think we've pushed that envelope a little bit
and shown that, by and large,
we're on the right side of history.
We've had a lot of support from,
not on our explicit actions,
but generally we think that organizations
like CISA and NCSC,
they're saying things like,
we encourage vendors to take accountability
and responsibility for customer security outcomes.
We felt like, as long as we're kind of guided by those principles
and following that kind of guidance, then it's probably going to be okay.
So there you go.
That's Ross just sort of spelling out, I guess,
his thoughts on what all of this means for hacking back and whatnot.
And if you want to watch the full interview,
I'm going to publish it to our YouTube channel.
So just find Risky Business Media on YouTube
and I've put the whole thing there.
You watched it this morning, Adam.
I mean, I was really happy with that interview.
I thought he was a terrific guest and said really interesting things.
Yeah, I really enjoyed that interview.
Like you touched on a bunch, you know, all the questions that we all had,
because as you said, I think in it, you know, we kind of all had questions in the internal Risky Biz Slack
that you then, you know, kind of used, uh, in the interview. And yeah, like it just seems like
a thing that a security vendor should be doing. And one of the things that he said, uh, you know,
was that, you know, as security vendors you kind of have to pick a side at this point. And going after, in this case,
Chinese exploit dev being used against Taiwan
and being used against other Western allies,
like kind of what they should be doing,
and the level of cooperation with law enforcement,
with intelligence agencies,
like reflects the reality of the world that we are now in.
And anyone who has a vendor about which
they have privacy concerns, like they want to be secret from their vendor, needs to adjust their
threat model, because that's just not how the world works anymore. And yeah, deal with it. Well, you know,
you and i were talking about this the other day and I think you and I both have crash dumps turned on for our iOS devices
because you want failed exploit attempts being flagged
and sent to Apple for their threat hunters to have a look at
because one day you might get an email or a phone call
from someone at Apple saying, hey, someone's trying to own you.
You know, like this is the new reality.
Like it is a good thing.
We used to, like 10, 20 years ago, we used to turn that stuff
off. We don't want that data going anywhere. And now you just smash the "hell yeah" button, right?
And especially as companies have gotten better at handling that data, like I'm much more confident
that memory dumps from my iOS devices are going to be treated with due respect at Apple, like both
in terms of how their staff manage them, but also how they just store them
and how they use them or whatever else.
Whereas once upon a time,
I am sure that Dr. Watson crash dumps from Windows or whatever
were just kicking around a file share in Redmond.
But these days, things have changed,
and it's just not like it used to be.
So I would be a little bit wary with less, you know, mainline
vendors, maybe the ones that haven't necessarily earned that respect yet. Uh, but
yeah, the world is definitely not where it once was. Well, Ross actually describes that well. He says
some people are nervous about it on GDPR grounds, which he thinks is like kind of crazy when you
think of the privacy benefit you get from, you know, not
getting owned. It's probably bigger than the privacy benefit you get by not sharing crash
dumps. But again, you know, people should go, uh, absolutely go and check out that, uh, interview.
Hell yeah. Okay, now we've got a write-up to look at, Adam. It's a, it's Bishop Fox's write-up of the
FortiManager vulnerability that's been getting everyone owned. I just think this
is a really interesting bug. And I mean, I know most of it is all done right now, like in terms
of everything's been owned that's on the internet, but I still think it's worth looking at. I also
had a really interesting chat yesterday with a gentleman by the name of Gert van der Berg,
who works for an Australian sort of defense focused
consultancy called Cybliminal.
And thanks Gert for that,
because I just wanted to understand the,
like how these things work.
And it is kind of as crazy as you would expect.
Like the FortiManager thing sits out there at the edge
and it is both a client and a server, right?
So it has to connect to the devices that it's managing.
And those devices need to have sort of various open ports
where this API-like thing sits there and vice versa, right?
So when a bug like this turns up, it's just real, real bad.
And, you know, in this case, you know, essentially how it works
is that an attacker that could connect to a FortiManager appliance
can just enroll
their own device into it. And then from there, I think there was like a command execution
vuln. So this is just really terrible and a great reminder. I was chatting with another
mutual friend of ours yesterday actually about this. It's a real reminder that I think we need
to go back to first principles somewhat when looking at rolling out projects like this, because you can't put this stuff on the internet, right? Like management interfaces,
management ports for firewall orchestrators, you can't put that stuff on the internet
and not expect bad things to happen. And for some reason, I think a lot of people have forgotten that.
Yeah, I mean, I think you're very right. And the bit that the Bishop Fox write-up digs into
is less about the actual command exec bug
and more about the process by which Fortinet tried to make it okay
to put this stuff on the internet,
which is to say they use certificate-based authentication.
But in a management product like this,
there's the whole like bootstrapping problem.
How do you buy a new Fortinet,
take it out of the box
and configure it with your Fortinet manager
if it uses a certificate auth?
There are, in this case, factory certificates.
And if you can show up to a Fortinet manager
with any old signed by Fortinet cert,
then you can kind of start that enrollment process and expose
all the extra attack surface that in this case leads to command injection. But from the point
of view of an organization that's, say, doing vuln scanning, trying to understand their perimeter, all
they see is a port that they get nothing back from, because they don't have the relevant certs.
But from an attacker's point of view, and indeed Bishop Fox's case, they said we actually had some of these certificates lying around from previous work
that we did, pulled them out of a VM, extracted them from a hardware device, whatever it was.
And so this impairs defenders, who can't understand what's exposed in their, in their, you know, perimeter,
but doesn't really impair attackers, because we know how to get these certificates and so on. And
this is a thing that we've seen in all sorts of other embedded device management platforms
that have to do kind of over-the-air auto-enrollment,
because they all end up having to trust something,
and that something is having the software in the first place,
which is a bar attackers can meet.
So that was the thing I thought was really interesting about it.
But, I mean, if you architect these things right,
you don't need to have these things facing the internet.
Do you know what I mean?
You can VPN them in some other way or, you know,
there are ways to do this without exposing these ports to the internet.
And I just think given the,
and I also spoke to Andrew Morris this week, right?
And he says that the border device is getting owned at the moment.
Like, even though it's a big story in the cybersecurity media,
he's like, it is so much worse than people realize.
Like, it is just crazy out there
on the internet at the moment.
And I think the only thing
that's going to move the needle on this
is to do better networking, right?
I mean, H.D. Moore in this week's sponsor interview
said something really interesting,
which is that one approach he recommends
for dealing with this,
just in terms of the problem of
actual users connecting into these VPNs, a way to restrict that is you can actually export a list
of all of the egress IPs of CrowdStrike clients, right? So any machine running CrowdStrike, you
will be able to report its IP, you can pull that into an allow list, right? So that's one way to deal with this. But I think we are really on the cusp
of having to seriously lock down like network.
I mean, this is why I've been, you know,
so big on Knocknoc and whatnot.
And that's just a small part of this.
I just think we're on the cusp of really having to change
the way we think about even allowing network connections
to just occur from anywhere, right? Yeah, I mean, I think
you're right. The, you know, firewalling is one of those controls that is simple and basically works,
right? There's not much to go wrong with "you can't talk here". But we need to make it dynamic, I think,
is the point. Yeah, like being able to use those controls in ways that reflect the modern kind of
like zero-trusty, mobile, post-COVID, working-from-home internet, you know,
but bring in the simplicity and, let's face it,
the lack of complexity to controls, right,
by using firewalls or whatever else,
because we can't be trusted to write software.
We can't be trusted to ship and deploy complicated systems that are reachable
to adversaries, because we're bad at computers. And, you know, controls that actually
work, like that's super valuable. And, you know, not forgetting that, you know, you think about how many
things we have been saved from because of IPv4 exhaustion and address translation. Yeah, you know,
it wasn't meant to be a security control.
Boy, oh boy, has it bought us a few years.
Yeah, it certainly has.
Now let's look at Wired's report here.
A bunch of outlets have covered this.
A suspect has been arrested in Canada.
He is suspected of being the Snowflake hacker,
affiliated with the Com kind of thing.
Alexander Moucka has been arrested
this week by Canadian authorities and
in all sorts of trouble.
So I think you'd expect
an extradition to the United States there. I think there
is more coming on this story
but I'm going to be
good and not talk about it until next
week.
Very responsible of you sir.
Very responsible, yes. Yes, so I think this
guy, we're going to see him in U.S. custody, which is probably where he belongs. Uh, and you know, but
by all accounts he like bought credentials from an infostealer and then used them against
Snowflake and then, you know, tried to turn that into an embarrassment of money for people. So like,
as hacking goes, not very hackery,
but still definitely proper crimes.
So yeah, let's hope he gets the book thrown at him.
Probably better described as an alleged computer criminal
rather than a hacker, right?
Yes.
It's a bit of an insult to the word hacker.
Now let's talk about the robots doing some hacking here, Adam,
because we've got two stories that relate to large language models
that are actually really interesting.
So Jonathan Greig has a write-up at The Record
about one of Google's large language models
actually finding a bug in SQLite.
And we've also got a report about GreyNoise
discovering a zero-day in the wild that was targeting IP cameras with their Sift LLM-based thing, which, you know, we've had Andrew on the show talking about that before.
But this is the first time they found a good one, went through the whole reporting process, so on and so forth.
And indeed, he's going to be on the show in a couple of weeks talking about that. But, you know, this is encouraging, right? When you're starting to see, uh, LLMs being used to actually find bugs in code and find bugs being used on the internet, I mean, I'm,
I love it. Yeah, no, it is, it is encouraging, although, you know, before anyone gets too excited, like
reading... Google wrote up the details of this on their Project Zero blog, and it has a bunch of the
interactions with the LLM, like a bunch of the conversations and process. And it's a really good
write-up because it talks through the challenges of getting the LLM to do the right thing, but then
also what it was good at, what it wasn't, kind of where it made good contributions, kind of how it
relates to fuzzing. They compare it quite strongly to, like,
why wasn't this bug found with automated fuzzing, because Google and their OSS-Fuzz project already
does fuzz SQLite and didn't find this particular bug. So it's, it's well worth a read for anyone
who's kind of in the weeds of using LLMs for bug finding and bug hunting and so on. So, uh, yeah, I
think, you know, we're definitely making progress and it is really interesting
to see something proper in real world this way.
But, you know, it's just not as broadly applicable yet as people want it to be.
But it's a great step in the right direction.
Yeah, baby steps.
Baby steps.
We're just starting here.
And by the way, everyone, I'm aware I'm still coughing.
You know, not much I can do about it. If I were to stop and try to record clean takes every time
I cough, we'd be here all day. Uh, still recovering, and thank you to people for their continued well
wishes. Yes, I was very sick. Um, but the GreyNoise one's cool, right? Because what they're doing is
they got their big honeypot network out there and they're just seeing these attack attempts come in,
and to be able to automatically extract an exploit out of that.
And I think this was like a real deal command injection bug as well,
affecting, and these weren't like little, you know, cheap home cameras.
These were serious business IP cameras at sensitive facilities and whatnot.
And probably the attackers were trying to just use them as ORBs,
but being able to stop that in its tracks,
you know, to be able to detect a bug like that and just have an LLM write it up,
I think that's just an amazing achievement.
Yeah, like I could certainly imagine
the kind of volume that GreyNoise has to deal with,
having anything that's going to help sift through it,
dig stuff out and automate,
you know, part of this process, the triage,
super valuable.
So yeah, solid work there.
Yeah, now speaking of ORBs,
we've got a write-up here from Ars Technica
about TP-Link routers being used as ORBs
by the Chinese to really obscure the origin of attacks.
I mean, this is something that's come up a few times.
We've been talking about this a bit,
but really, it's a good way to roll, right?
Like it's the old way
to roll, which is you have a compromised end user device and you stage your attacks from there
because it just looks like a normal home IP. But it's a good write-up here and there's some
nice details in here. Yeah. And I think the thing that stood out to me about this one was
that Microsoft wrote up this campaign because it was being used to do low-and-slow brute force against Azure and
Microsoft, you know, kind of identity services. And vendors like Microsoft, really big ones like that,
are in a, you know, in a position to spot really scaled low-and-slow campaigns like this. And I
think writing them up and talking about them publicly is just super useful, because everybody
else who's too small to spot
really low volume spraying distributed very widely,
you know, we have to rely on the big people
with really big viewports into the internet
to be able to warn us about this stuff.
So yeah, good work, Microsoft, for once.
Indeed.
Hey, that's a bit harsh.
Like their threat people are pretty good.
Their threat people are excellent.
Like our criticism of Microsoft is very much around the, you know, the products, not the, not the people doing this
sort of work, right? Sorry, Microsoft people that do good work. Yeah, yeah. Uh, now let's look at, um,
you know, it's not dumb if it works. We've got this Midnight Blizzard attack targeting people with
like malicious RDP, like config files. Is that about right? Yeah, yeah, exactly.
This is, you know, it's smart because it's dumb and it works.
They've been emailing people around with a phishing lure
that is an RDP file that is associated with the Windows Remote Desktop software.
And if you click on it to launch,
it will prompt you to connect to some, you know,
server on the internet via remote desktop.
Many people don't
understand that remote desktop can also share local resources like drives and printers and
whatever else with the remote server. And so this was set up to basically, you know, share your C drive
or whatever with the server after auth. And so the attackers in question were then using that drive
access to pivot back down into the local machine, infect it with malware,
and then onwards to come out of your machine and great victory,
which is pretty smooth.
Like I've definitely thought about doing this before,
but it's one of those things where you just look at it and think,
no one's going to respect me in the lunchroom if I'm going to try
and hit my target by convincing them to double click on an RDP file. I have to go find a better bug. But, you know, I guess if it's your actual job,
as opposed to just, you know, something you're doing to try and look clever in the lunchroom,
you know, it gets it done. I remember, like, 15 years ago chatting with, I think it was Brett Moore, who
was your boss, uh, technically, at, um, uh, Insomnia at an early Kiwicon. And I think you can do similar things over Citrix.
You can like remote mount drives and stuff like that.
Yeah, yeah, yeah.
Yeah, I had no idea, right?
So that's why, because I think he was presenting on some Citrix stuff.
Was that him who did that Citrix Gateway talk?
Like, what was that, like 2008 or something?
Yeah, an amazing talk.
Oh, yeah, yep, yep.
Like using Notepad, like remotely served,
unwashed Notepad to get great victory, like through Citrix.
And then, you know, talking to him after that,
he's like, oh yeah, you can mount drives.
You can do this.
You can do that.
You can print stuff if you want.
You're just like, wait, what?
Yeah, yeah, printer sharing.
There's all sorts of microphones
if you want to hot mic people.
It's just, yeah, it's super useful.
Yeah, so I mean-
We shared a lot of things over the years like that.
And so I'm like, yeah.
So I guess it's worth pointing out that thin client,
you know, can probably do a little bit more than just remotely display a screen, and I think a lot
of people don't know that. So yeah, so as dumb as that is, it's like, you know, it's sort of like
forgotten knowledge. Yes. Yeah, yeah. I mean, I, I really enjoy, you know, smart dumb hacking. That's,
that's the way. Yeah, yeah. Now, uh, we got this other write-up here. We'll go with The Record version. James Reddick has the write-up. It's about Chinese intrusions into government agencies. I mean, this is all, you know, so far so normal stuff. But then we've got interesting stuff here. It's all Canada this week, right? maybe leaking some SIGINT to the Washington Post about senior figures in India greenlighting
assassination attempts or assassinations on Canadian soil of like Sikh separatists.
And then you've got bodies in Canada releasing threat reports saying that, you know, India is
now a like cyber adversary. Things have just got hot, right?
So for those who haven't been following,
the diplomatic relations between India and Canada
have been deteriorating over this assassination plot
and it's just getting bad.
And I do think it's interesting
that when you've got these national threat assessments
coming out, when you've got these bureaucrats
basically saying, and I'm not using bureaucrat as a pejorative, they're bureaucrats, basically saying, yeah,
look, India is now our adversary in the cyber domain. It's just amazing how quickly that all
turned around. Yeah, it has moved very quickly. And, you know, when we see, you know, like there's
been so much talk about, say, like iPhone production, you know, with Foxconn and China being moved to Malaysia and moved to India, you know, and doing that because India
is seen as more stable, seen more as geopolitically aligned with the West, etc. It's funny how quickly
that kind of thing can change. And, you know, as infosec professionals, we're always thinking about,
you know, how do we manage supply chain risk? How do we manage our exposure to geopolitical realities? And it can move so quickly,
but, you know, what are you supposed to do when it's on the timeframe of like, can I buy,
you know, iPhones made in India now, if you're a Canadian, you know, supplier to the Canadian
government or whatever, like, you know, it doesn't take much to look, you know, if this gets worse,
you know, another three months worse, another six months worse,
what would that mean for, you know, people having to, you know,
buy hardware, buy software?
It's just hard to keep track of, you know?
Yeah.
Things can change quick, right?
They can.
Things can change real quick.
That's why we've become so much a geopolitical podcast
as well as a tech one, right?
Well, you know, on that topic, we've got a great report here
from Wired, which really looks back into a, you know,
failed regime change attempt
by the Americans targeting Nicolas Maduro in Venezuela.
And the reason we're talking about it here
is it looks like there was a cyber element of this.
The reporting is a little bit vague
on exactly how this happened,
but it looks like the Americans were able to actually shut down the payroll system for Venezuelan soldiers.
And this was seen as a way of, you know, generating some discontent there in concert with other activities.
As we all know, you know, these attempts failed and Nicolas Maduro is still very much in charge in Venezuela, sadly.
But look, it's an interesting read nonetheless, right?
And it's a little bit of an insight into, you know,
how governments can use some of these techniques
to try to tilt power one way or the other.
Yeah, I thought it was a really fascinating read.
I mean, A, because of the kind of cyber angle,
which is in our beat,
but also B, the extent to which it's clear that the CIA really didn't want to
have to do what it was being asked to, like their reluctance to get all Bay of Pigs up in there,
or, you know, put, you know, operatives on the ground in Venezuela to do things, and how cyber was kind
of seen as a way to have some effect, like enough that they could claim that they were doing
what, you know, the President Trump had told them to do,
but, you know, without it really turning
into something particularly effective.
And, like, that's just, you know,
when you imagine what the American national security bureaucracy
is like, you know, A, sounds super believable,
and B, you know, it's just kind of a funny about face
from the CIA that, you know,
you read about in the spy novels and so on.
But, yeah, it's just, I think it's a good read for anyone
who follows, you know, sort of the intersection of NATSEC and cyber.
And there's some juicy little details in there as well
where the people who are running this operation
were trying to get access to better resources on the cyber side
from within CIA and NSA, and they got told to pound sand basically.
So you get the impression that like the entire sort of, you know,
IC bureaucracy was not marching as one on this one.
Well, exactly, yeah, yeah.
And then once John Bolton was one of the main kind of architects of this
and once he got pushed out.
Cuckoo, cuckoo, cuckoo.
John Bolton, the walrus.
Yes. Um, yeah, the kind of wheels all fell off and then, and then moments from there. But it's just, I, yeah, I think this is a good read, you know, if
you're looking for something to read at your lunchtime. This is our recommendation of the week from Risky
Business. Now we're going to talk about some reporting from our colleague Catalin Cimpanu,
which looks at recent goings on at Mango Park in Cambodia, which is where a lot of
these sort of, you know, scam compounds and whatnot operate. There's been arrested workers and some
strange goings on with the Cambodian government. Can you walk us through this, Adam? Yeah, so the
basic gist of this is that a South Korean got, you know, lured into working at the scam, you know, kind of taken, offered a high
profile job or high paying job in Cambodia, gets their passport taken away, imprisoned at Mango
Park and forced to do cyber scamming. Eventually his family in Korea paid a ransom for him to be
released, went back to South Korea, kicked up a hullabaloo and that led to a South Korean
television station doing kind of an expose about it.
And that was sufficiently embarrassing for the Cambodian government
that they actually then went and raided the compound, et cetera, et cetera.
Then where it kind of gets interesting is that the result of this was
a bunch of people have been, you know, freed,
and no one's quite clear whether they're being, you know,
kind of repatriated or have just been sent back to the compound or whatever else. And there's been a
bunch of kind of downplaying and cover-upiness from Cambodian authorities. And we've seen previous
reports about the kind of the tie-ins between Cambodian officials, Cambodian leadership, you know,
all the way up to kind of the top levels of
government, with both the company that was providing kind of money laundering services but also the
scam compound operators themselves. Uh, and you know, the kind of overall vibe is that, you know,
Cambodia as a state has kind of been captured by the sheer scale of the scamming business,
and then, you know, that's been turning into a mess for everybody,
both the people, you know, running the scams, people imprisoned, the people being scammed,
with the governments of the countries, uh, you know, whose citizens are involved. Real mess, and,
like, you know, it's going to take a while for us to, um, you know, see any real resolution here
because there's just so much money involved.
Yeah, I mean, it's Cambodia, Myanmar and Laos where the bulk of this activity happens.
And I think they're earning these scam compounds
something equivalent to 40% of the combined GDP of those countries.
And any time...
It's just the scale.
That's right.
And any time you've got numbers that are that out of whack,
you've got kind of a Colombia in the 80s situation where
the crime is worth so much money that the crime groups become immensely powerful and start to co-opt
politicians. So that's one of the things that makes this so insidious, is it's so profitable that
they're gonna get top cover, uh, from governments, which is why I think the response so far from the EU and the United States to this has been about right, because we've just seen sanctions flying involving these scam compounds.
I think this is one tool that the West can use to try to put a lid on this stuff. I don't know how effective they'll be on their own, but I feel like gradually, uh, things are going to ramp up and we might see some, you know, more offensive cyber style
operations against these compounds, because they rely on an awful lot of bandwidth, um, to do this
sort of stuff. They rely on an awful lot of internet to do their, their cyber scamming, and that's
something that can be taken away remotely fairly easily. And I just wonder how long it'll be before
we get to that point.
Yeah, exactly.
I mean, we've seen some of the people who do it sort of at an amateur level on YouTube,
you know, like doing the breaking into Indian scam call centers, for example, and like,
you know, publishing their video feeds from their security cams and out of them, like
that kind of thing on a larger scale against some of these compounds would be interesting
to see. But it's just, you
know, seeing this happening at such, you know, as you said, like tens of billions of dollars scale,
you know, it's just kind of different than anything we've really seen before. I mean, the scale of
ransomware is what, like single digit, low billions? And we're talking tens of billions here. Like it's
just, it's massive. Well, ransomware is disruptive,
but it's never been the earner.
You know, it's BEC and scams.
That's what makes the money.
But I guess they're less cyber these days.
And it's just amazing how they've refined these scams
because these days, like,
you don't even need mule accounts
to run a scam like this.
You just get people to buy crypto
from some exchange, right?
And then send it to you and that's it.
You've got the money.
So yeah, it's hard.
I mean, I'd like to see these places getting DoSed.
I would like to see their upstream ISPs suffer as well.
I mean, why not sanction the upstream ISPs
that give these people connectivity?
That might get you somewhere.
You know, I think these are the sort of approaches
that we need to think about to try to combat this fraud.
But it's, yeah, it's horrible stuff.
We're going to finish with a story from Jonathan Greig
over at The Record.
He never did get back to us on whether it's Greg or Greig,
by the way.
But apparently a crew in North Korea,
North Korea's Reconnaissance General Bureau,
were involved in an attack
involving the Play ransomware. So, I mean, that's good news, everyone. You know, North Korea just
operating like any other affiliate. If they really, and we've been saying this like all year,
if they really decide to branch out hard into ransomware, that's going to be bad.
Yeah, this was based on some reporting from Palo Alto's
Unit 42, which saw a case where the North Koreans had been in there, and then after they've been in
for a while, uh, the Play ransomware was delivered through the same mechanism, so like through the
same user accounts on the same entry points, uh, and it very much looked like one had introduced
the other, like that the North Koreans had brought the Play crew
or had deployed the play ransomware,
either by selling access or deploying themselves.
And yeah, that's, I mean, it's a tie up,
I guess we've all been expecting to happen.
And yeah, maybe this is the hot collaboration
of the season, North Koreans bringing the good ransomware and onwards from there
rather than just, you know, fake rubbish stuff.
So, yeah, innovation maybe.
All right, mate.
Well, that's actually it for the news this week.
Thank you so much for joining me.
And again, apologies to listeners for my coughing through this interview.
I hope to be 100% real soon.
But, yeah, we'll pick it all up again next week.
Adam, thanks again.
Yeah, thanks so much, Pat.
I will talk to you then.
That was Adam Boileau there
with a check of the week's security news.
It is time for this week's sponsor interview now
with H.D. Moore,
who is the co-founder and chief executive of RunZero,
which is an excellent sort of CAASM
product. It does, like, attack surface measurement and all of that good stuff, so it can find stuff
that you own that's out there on the internet that shouldn't be there. And HD is joining me to talk
about some new tricks that RunZero has where it can actually marry internal scan data from the
inside of your environment to external scan data, so you can really know that this thing you're
seeing on the inside is that thing that you're seeing on the outside. So he's
going to talk through how RunZero is doing that. Here he is. So the biggest
challenge with external attack surface management is knowing where to
start. So you need to attribute your entire external IP space, domains, third
parties,
everything that basically comes back into your organization. And the tricky thing about that is
you'll be able to know some of it and you'll be able to use tools and other techniques to get a
handle on a lot of it, but you'll never get all of it. And that's the biggest challenge.
So the idea is that because we already have great data about your entire internal environment,
we can then precisely fingerprint an internal asset and be able to use that to find it on the internet anywhere, regardless of attribution. So we don't need to
know what your external IP space is to figure out whether you've got a workstation with RDP exposed
to the internet. I'd imagine that is useful context as well, right? So when you find something outside
and you're like, that's bad. Currently, I mean, I know people have used, you know, this sort of software, these sorts of scans to find stuff on the outside.
And they're like, okay, that thing shouldn't be there.
But then they don't know who it belongs to, who's managing it, right?
Whereas I'd imagine once you've got the internal scan data, you would have a better starting point at least.
Or am I off base there?
No, it's exactly right.
Half the time when you get an external attack surface report, you're like, great, this thing's exposed.
But what is it?
How is it connected?
What can someone do when they get there?
When you're starting off from the internal side and you have the full context of your CAASM and overlays of your EDR, et cetera, you know exactly what it is.
You know exactly what data it has access to, where it lives in the network, what it's connected to, and what the risk of it actually being exposed is.
One of the neat things we can do as well is actually identify, is this machine?
So let's say we see the same cryptographic cert on an internet-facing asset and an
internal asset. There's a bunch of different
scenarios that could play out. One is that machine
is directly exposed. Two, the machine has been
cloned. So someone took a copy of an internal
workstation and put it on AWS as an
AMI. Three,
that key is actually widely copied all over
the place. So it doesn't really matter which
one of those outcomes it is, you've got a problem somewhere.
So we're able to tell you, you know, either one, two or three pretty quickly if you
see anything exposed. So it may not be directly connected to the internet, but it could be a copy
of a machine that was directly connected to the internet or, you know, a cloned machine that's
actually pretty important. I think what you're getting at is it's something worth looking into.
Absolutely. So there's, it's really no false positives, which is the great part about it.
If you see a machine internally that has the same fingerprint, if you will, on the external
side, you've got a problem somewhere.
It's either a cryptographic problem, it's an exposure problem, or it's a hard-coded
weak firmware key problem.
So talk to me about how this actually works, right?
Because you're talking about doing detailed enough fingerprinting on the inside that you
can know that that's the same asset that you're seeing from the outside.
How can you get a fingerprint that works in both directions?
Because I would imagine some of the stuff that enables you
to do high-quality fingerprinting on the inside, I don't know.
I mean, you might be accessing more ports on the inside
than are accessible externally.
Or does it need to present externally the same way it does internally?
Or how do you marry those fingerprints when sometimes you've got access to more information on the inside?
Yeah, I mean, the good news is most of the remote access protocols you're going to care about have built-in encryption.
And they've got built-in encryption.
They've got a hard-coded crypto key of some sort, a public key that rotates every so often and so on.
So you can use the fingerprint of the encryption key or the public key of the asset, whether it's an SSH host key or a TLS fingerprint, to get pretty close to truth. You can say, at least it's the same public
key on the same machine, right? Now the question is, is it actually the same machine? So there's
a bunch of techniques you can use for that. So crypto keys aren't the only way we do it,
but to give an example of one that's not a crypto key, SNMP version 3 allows you to leak what's
called the engine ID pre-authentication. This is an opaque kind of hex value that also often includes the MAC address of the machine. So, you know, it's true, you can have the same
hard-coded MAC across multiple routers. But in reality, you know, when we scan the whole internet,
we see that these things are almost unique per physical hardware. However, if they're not the
same for physical hardware, we have ways to tell them apart. So in addition to the engine ID leaking
out, there's also a bunch of counters. So if we hit the counters on the internal side and say the
counter is currently 35,
and then we do something
to bump it up to 36,
then we query the external side
and say, is it currently 36?
Bang on, you know exactly
that it's that physical asset.
If it's not, you know,
it's a copy of that asset.
So we can use the same type of thing.
Yeah, so you're actually making changes
on the inside
and waiting for them to pop up
on the outside.
That makes a lot of sense.
It's another attribute
to the protocol you can leak out.
So, you know, RDP, for example,
even though you've got a TLS certificate, which has, you know, expiration date, serial number, all this great stuff you can fingerprint,
you can also start the NTLM SSP authentication process and leak out the DNS domain name and some other bits about the authentication handshake,
which you can then use to confirm that it's the same machine.
So most protocols, SMB is another good example.
There's two or three unique values in the SMB session that are monotonically incrementing
on that particular server.
So if you see the session ID bumping up
within a certain range,
you know it's the same physical box.
Yeah, right.
So I understand that this isn't released yet.
This is going to be early December release,
but I'd imagine you would have some beta testers out there
who are using this.
What sort of stuff are they turning up with it, right?
Because normally when I talk to someone like yourself, who's released a new feature like this,
they will say, you know, we, we created this feature for all of these use cases, but this one
is killer. Like, is there anything there that people are just going, Oh my God, like, you know,
this has turned out to be very useful in this specific situation. That's a question. So we
haven't released it to a big beta group yet.
We've been using it internally and doing a lot of kind of like
boiled ocean research to figure out, you know,
what percentage of customers have particular exposure.
And we're doing it in a way that's kind of like the, you know,
Have I Been Pwned model, where we're not taking like internal data
and pushing it out to the internet, right?
We're taking a database of the whole internet
and then querying a hash of that against an internal only service
so that we're not having to, like, leak information about internal systems out to any kind of third party
hosted service. So in doing it that way, we're able to, you know, quickly say, like, does this,
does this partial hash of this internal server exist in the public database? Yes or no. And what
we've found so far is, like, obviously you find lots of misconfigurations, lots of hard-coded MAC
addresses, things like that. But we are seeing cases where there's crypto keys that were previously
unknown to be, you know, widely shared across customers are there. So they're popping up out of the weeds
immediately. We see those everywhere. That's kind of like step one is look for any duplication
across more than one customer. If you see more than one in one place, like it's already a problem.
Dig into it, figure out why. Why is that? Why is that happening? It's usually lazy vendors. It's
an appliance that is a hard-coded key. It's a firmware. It's a lot of systems where it has either the key always gets generated a certain way
because of the way the RNG is, or it's hard-coded to the firmware itself.
Those things are easy.
So we take all those out of the equation, throw them away, and say, great, those are
ones that we can flag as being weak crypto key, but not emergency.
Now what else is out there?
And this is where we're starting to find the really fun stuff.
So we're finding a lot of cases where an internal core router that's responsible for
like segmenting like PCI networks, non-PCI, is also internet facing with SNMP exposed.
Whoops.
Yeah. You don't expect it to be quite that prominent. Like it's amazing how many,
what should be internal networking devices have external attack surface. And that's probably the
biggest surprise so far. And how are people usually, and I know that these particular
features aren't out there yet,
but I'd imagine people are already using just like the external discovery component to find
that sort of thing. What are they generally doing when they, like how successful are they at
actually cleaning up stuff that gets discovered by CAASM? Because that's always something that I've
wondered about because, you know, CAASM's a great thing to do, right? It's great to do some external, you know, attack surface mapping and all of that.
But sometimes people get a list of a hundred things and they, and they, you
know, they're limited in what they can do.
Right.
So like 50 of them, okay.
Boneheaded stuff, like you just described, just nuked it off the internet, but other
stuff might be a little bit more tricky.
Like what, you know, how, how successful are people at dealing with the results of external scanning,
I guess is the question.
I guess that's kind of my claim
for why you need to have the internal side as well
and the kind of full CAASM picture
is because if you're starting with external only,
all you have is like, okay, when is machine exposed
or we see SSH exposed?
You don't really know if it matters.
So the nice thing about the CAASM piece
is you can overlay your vulnerability management data,
your EDR data, all your internal controls
on top of that and say, okay, this device is exposed, but it doesn't have an EDR on it.
Does it actually have access to this network? Does it have a critical vulnerability? So you
can start really narrowing down how much you have to care about that exposure with that other data.
Right. So it's not just this thing is vulnerable. It's this thing is vulnerable,
unmanaged and has access to a lot of stuff, which yes, is more of a five alarm fire.
Yeah. And for anything else, like let's say you do have a jump box, it's RDP and you know,
it's exposed, that's fine, right? You know, it's contained to your VDI environment or something
like that. It's not the end of the world if that's hanging on the internet because of the way it's
set up. But then again, if you see a machine that absolutely should not be on the internet,
you know, an executive laptop where it's got an LTE card and RDP is exposed to a random IPv6
address, that's a bigger issue.
So talk to me too, because it's been a while since we've had you on the show. Talk to me
too about just some broader trends in the way people are using RunZero, because you always
have an interesting answer there. Probably the most surprising trend last year is just the amount
of OT interest. So for us, we always treat OT like anything else. We scan safely. We do so many
things to make sure we don't impact the end device,
the local broadcast segment,
middle devices between us and the device we're talking to.
We rolled out that passive detection last year,
which made it easier for folks to just upload PCAPs
or do span port monitoring
if they weren't comfortable doing full-on scanning.
But we've seen a huge increase of people scanning OT environments
in the last six months alone.
That's probably been the biggest trend.
We've also seen other vendors.
That's interesting because I remember when you released that stuff
and it was safe, right?
You could scan an OT environment and not make robots go crazy, right?
Which is fantastic.
But you did hit a lot of resistance in the market
where people just didn't want to actively scan.
So then you released passive tools and what?
Now you're saying they're coming around.
That's kind of what we figured too. We figured putting the passive discovery out there wasn't
necessarily because people are going to use it. It's because it can use it to build trust and
then use that. That's exactly what happened. So what sort of OT environments, just general,
all sorts or, uh, you know, manufacturing? Like, um, everything from automotive, uh, we've got a
few customers in that space, telcos, um, all the way
down to like warehousing, uh, logistics. Um, one of my favorite customers runs a fish farm, and so out of
the middle of like the Mediterranean there's a bunch of cameras and stuff kind of turning around and
you're looking at some fish and some feeders and some cameras, and RunZero monitors all that. So
it's a really wide variety, but I just love how much stuff is out there and the fact that
we're able to basically provide really detailed data about those assets that you just can't really get any other way.
Look, just going back to a question I had earlier just about how you can't, you know, it's great to have ASM, but, you know, you can't necessarily take stuff down even after you've discovered these vulnerable things on the edge of the network.
I mean, one of the issues here is actually security devices on the outside that need to be accessible, or your Fortinet, Fortinets and, uh, you know, SonicWalls and whatnot.
Do you have any sense of like, first of all, do people already always know that they're using
those things or are they having to discover them using discovery tools? And then secondly,
what are they doing in response to that? Cause that is a real pickle at the moment for people.
Yeah, that's a great question. So usually the security team or IT team realized they have at
least one of these devices. So let's say it's Palo Alto with SSL VPN.
They know they have it because that's how they connect to the network. They've got an SSL VPN
client. What typically they don't know about is the backup connection. They've got a failover.
They've got a secondary one. They've got one hooked up to a small office someplace.
So it's one thing to know you've got a particular technology in place. It's another to know exactly
where each of those instances of that appliance are. And it's really easy to forget your backup line or your secondary appliance.
So what are they doing when they've then discovered this backup appliance that maybe doesn't have
the correct monitoring controls, things on it that way?
Like what do they do?
Do they just then firewall that?
And then, you know, if they need the backup, they can unfirewall it?
Like what do you even do then?
I mean, typically what folks will do is turn off the backup options, only have one device left exposed, and then monitor the hell out of it. But if you listen to the vendors, what they recommend is putting another device in front of it of the same make, which doesn't make any sense.
No, it doesn't. It doesn't.
I mean, you know, I've talked to you about it before, but I'm a big fan of, like, Knocknoc for that particular application because you can actually cut it off.
I don't understand.
And I don't understand why it's up to a third-party vendor to,
like why on earth when we live in a world with SSO,
would you not instrument network connections based on SSO status?
It makes no sense to me that they're not doing it.
But hey, it's an opportunity for other people, right?
There's a great shortcut for it too.
So if you're in a position where you have a VPN device, you need to have a list of IPs that allow access to it, and you need to get that list really quickly, go to your EDR and export the public IPs of all your assets and you're done. It's literally a two-second process. Go into runZero, search for CrowdStrike, export the egress IP of all your CrowdStrike assets, stick that in your allow list, and you don't have to worry about it till Monday.
That's a really nice idea, actually. I like that one. That's great. And you can update them. You should be able to instrument that dynamically too.
Yeah, absolutely. You can export it directly out as a CSV from runZero, pick the fields you want, pass it into your ipad, should be pretty easy to automate. But I mean, the nice thing is you already have the data. It's already sitting there on the EDR side. Just pull it in and use that as your allow list, because you know who those clients are.
Yeah, that's a great idea. That's a fantastic idea. All right, HD Moore, thank you so much for joining me for that conversation. Always great to see you.
Thanks for having me, Patrick.
That was HD Moore, the chief executive of this week's sponsor, runZero. Big thanks to him for that. And yeah, runZero is a terrific tool and you should all absolutely go and check it out. But that is it for this week's show. I do hope you enjoyed it. I'll be back soon with more Risky Business for you all. But until then, I've been Patrick Gray. Thanks for listening and watching. Thank you.