Risky Business - Risky Business #778 -- Musk's child soldiers seize control of FedGov IT systems
Episode Date: February 5, 2025On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: DeepSeek leaves an unauthed database on the internet Russia... hacked UK prime minister’s personal mail Australia sanctions a Telegram group… which is more sensible than it sounds Medical device backdoor turns out to be just poorly thought out upgrade feature Google abuses weak hashing to patch AMD CPU microcode And much, much more. This week’s episode is sponsored by email security boffins Sublime. Their co-founder and CEO Josh Kamdjou joins to talk about how attackers’ abuse of legitimate services like Docusign is a challenge for email security vendors. This episode is also available on Youtube. Show notes Exclusive: Musk aides lock workers out of OPM computer systems | Reuters Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History | Wiz Blog Криптостилер SparkCat в магазинах Google Play и App Store | Securelist Russian hackers suspected of compromising British PM’s personal email account | The Record from Recorded Future News PowerSchool hack: missed basic security step resulted in data breach Australia sanctions ‘Terrorgram’ white supremacist online group | The Record from Recorded Future News ‘Paid actors’ could be behind some antisemitic attacks, Albanese says | Australian security and counter-terrorism | The Guardian Interview with James Glenday, ABC News Breakfast | Australian Minister for Foreign Affairs WhatsApp says spyware company Paragon Solutions targeted journalists Spyware maker Paragon confirms US government is a customer | TechCrunch Former Polish justice minister arrested in sprawling spyware probe | The Record from Recorded Future News Sweden releases suspected ship, says cable break ‘clearly’ not sabotage | The Record from Recorded Future News Backdoor found in two healthcare patient monitors, linked to IP in China Attackers exploit zero-day vulnerability in Zyxel CPE devices | Cybersecurity Dive AMD: Microcode Signature Verification Vulnerability · Advisory · google/security-research · GitHub 22-year-old math wiz indicted for alleged DeFI hack that stole $65M - Ars Technica A method to assess 'forgivable' vs 'unforgivable'... - NCSC.GOV.UK Living Off the Land: Credential Phishing via Docusign abuse Living Off the Land: Callback Phishing via Docusign comment B2B freight-forwarding scams on the rise to evade financial fraud crackdowns Callback phishing via invoice abuse and distribution list relays Enhanced message groups: Improving efficiency in email incident response
Transcript
Discussion (0)
Hi everyone and welcome to Risky Business. My name is Patrick Gray. We've got a great show for you today. We're going to be chatting with Adam Boileau in just a moment about all of the most modern one and lets you do things like
write your own detections and it has like amazing customizations and whatnot and sublime's co-founder
and chief executive josh camdrew is this week's sponsor guest and he'll be joining us to talk
about how attackers are abusing trusted services these days and they're really getting quite
creative he's got a laundry list of really frankly quite cool tricks uh that spammers and hackers are using uh via email and using trusted
services and he'll also talk a little bit about like what email providers can do to deal with
them because it's um it's hard right uh so that's a fun chat and it's coming up soon but uh first up
it is time for a check of the week security news with Adam Boileau. And, mate, we're going to start with, but not get bogged down in, some news from the United States, which is that Elon Musk has assembled a team of bright young things who are sort of forcibly taking over various arms of the U.S. government and doing God knows what with the data. Now, as much as I think that, you know, US government systems could, having dealt
with them recently to renew a visa, could do with a kick in the pants and maybe some re-engineering
by said bright young things, you would have to worry about the data governance side of what's
happening at the moment. Yeah, it's definitely been a pretty wild ride watching some of the
reporting. Reuters has a piece about the Office of Personnel Management,
and, you know, Musk's people have gone in there
and, you know, apparently dragged sofa beds
onto the executive floors,
or they can sleep there and work around the clock,
and are going through, you know,
doing things that feel, you know,
quite reminiscent of what happened at Twitter,
which, you know, I don't feel like that went super well for them,
but, yeah.
Well, that depends on who you ask, right?
That's a bit of a Rorschach test right there.
Yes, yes.
But, yeah, the data governance aspects of this,
we've seen plenty of people concerned around what's happening with the data,
where it's going to end up, what kind of things being,
what it's being used for.
Although, on the other hand, I guess the Office of Personnel Management
did famously get hacked by the Chinese as well.
So, you know, they weren't doing a super great job
of managing the data, you know, by themselves to start with.
Well, you know, I don't think the argument
that we should let that happen again is a solid one, to be honest.
But it's not just OPM, you know, like they've got their hands
into all of these treasury systems and stuff.
And yeah, it's just the possible lack of oversight here.
We don't know.
They might be being very careful, but you sort of just, you do wonder.
Yeah.
I mean, it's possible they're doing everything right.
Yeah.
But it's also possible that they're not.
And I guess the important thing is that we don't know, which.
That's right.
Yeah.
Especially with OPM and treasury.
These are important systems.
And, you know, seat of the pants has its place,
but I don't know if that's it.
Yeah.
It's like, yeah, amateur brain surgery, I don't know,
on the government's brain.
Let's see how that goes.
But the treasury thing, interestingly enough,
I've spoken to a few
govies and policymakers and whatever about all of this and the thing that they're concerned about
is a possible like accidental default on a debt payment from the treasury like stuff like that
is what's keeping a lot of people up at night because that would have potentially some serious
knock-on effects although i do wonder like perhaps if there's a missed payment and people explain, oh, you know, it was just a batch job
that didn't fire or something in some new system,
you know, what would the market reaction actually be like to that?
But either way, yeah, things are getting spicy in the United States.
But let's move on to some more sort of bread and butter,
meat and potatoes, InfoSec News.
We've got a great write-up here from Wiz,
where they've found a whole bunch of exposed data from DeepSeek, which is the Chinese, of course, the Chinese AI startup that everybody of goes viral seems to have this moment where someone takes a look at their infrastructure and it's just a mess.
But this is, oh boy, this is really bad.
Like they're exposing basically everything, right?
Yeah, it's not super great.
And Wiz does a lot of very technical, very advanced things.
But in this particular case, I don't think they really needed to bring their A game.
They found some database services on DeepSeek's address space. They brute forced some domain names to discover what was available. And on
dev.deepseek.com, they found some stuff listing on a high port. And the thing that was listing
on a high port was a database system called click house which i guess is kind
of like a snowflake competitor and has no auth and has an interface where you can just browse
through in this case port nine eight one two three uh and you get a web interface where you
can just type sql queries in and run them um and so that's not great uh and then this system was ingesting log data and a
bunch of the logs had api keys and query strings and all sorts of gubbins from the inside of their
operation which yeah when you're going viral and everyone's trying stuff out not a super great look
but as you point out just like every other startup so maybe startup culture you know in
china is very much like that's right culture in the u.s we're all just people you know it's that
it's that sort of story right uh but i mean in whiz is right up there like oh yeah you can just
straight up plug in sequel queries and they kind of did that and i wonder i guess that's not
controversial anymore like i remember the days when you wouldn't do that because it would be
considered cyber crime and now it's just i mean they've got some line in there about how
oh we just enumerated stuff like to adhere to ethical boundaries and whatever but like
you know firing off a command to show tables like that would have been that would have been
considered controversial not that yeah i mean in the old days you would have done that via talk
as you were doing crimes unless you had a bug bounty agreement
which said that you could
because otherwise you're doing computer crimes.
But as you say, the world has changed enough
that apparently that doesn't matter anymore.
You can just do as you please
and you rely on the discretion of the prosecutors.
Yeah, which I don't think American prosecutors
are going to go after him for this sort of thing.
Probably not.
Maybe the Chinese will, but yeah, it's funny, right?
So it's sort of like a cyber Overton window
of what's acceptable to do.
But the other funny thought I had is like,
this is normally the situation where Alex Stamos
would parachute in and start writing press releases
and implement some sort of program.
But I don't think he can do that here
because they're Chinese.
Probably not.
He might be somewhat constrained
about doing that over in China.
But, oh dear.
One thing I thought was particularly funny in this
is that ClickHouse, the database system,
was actually originally developed by Yandex.ru.
It's a Russian database, Chinese startup.
I think Wizz is Israeli.
Israeli cloud security firm.
And here we are in Australia talking about.
So truly a global firm, a global industry that we're in.
A multipolar world.
Yes.
As they like to say.
All right.
So we're going to talk about some research from Kaspersky now.
And, you know, this one we were alerted to via our colleague, Katalin Kimpanu's reporting. So this one's going out in today's newsletter edition. Go subscribe at risky.biz if you haven't already. And you can subscribe to Risky Bulletin where you can get all of our other podcasts. Find that wherever you get your podcasts but yeah this is really interesting the original post is a it's in russian we'll drop
a link into um this week's uh show notes but basically some apps popped up in the ios and
you know apple's app store and the google play store that was trying to steal crypto through a
really interesting technique and i just i love this walk us through it yeah so this was a
set of malicious mobile apps uh there were a bunch in the android app store uh and kaspersky did find
one using the same uh like backdoor sdk uh in the apple app store and what it would do is uh when
you were using one of these apps so the the apps were like legitimate, I think legitimate like food delivery applications,
and they had a support function
where you could chat with support if you had some trouble.
And when you fired up the support functionality,
it would ask you for access to your pictures
so that you could submit, you know,
look, here's my wrong food order or whatever else.
And it would use the photo access
to run optical character recognition
on photos in your photo gallery
and look for crypto recovery phrases.
So it would look for patterns of like five words
or whatever your recovery phrase,
wallet recovery phrase would have to be.
And if it found something that matched that,
it would upload that image off to the attacker systems and then they would use that to recover your crypto wallet key
and drain your wallet which it's that's pretty clever because a lot of people you don't gotta
hand it to them right like it's that it's it's that whole vibe and i i mean i just think who
among us hasn't taken the occasional sneaky photo of a secret right as a way a way to stash it. Well, yeah, exactly, right?
I mean, like whether it's a, you know,
I'll often do that with stuff that I don't want to keep the physical object.
Like sometimes it's warranty codes
or, you know, like sometimes you get a device
that has a set up QR code.
You think, well, one day I might need this again.
I'm not going to keep the box with the sticker.
So why not?
And yeah, I guess recovery phrases, why not?
And before the age of ubiquitous machine learning you know scanning
of your pictures it wouldn't have really occurred to you that someone was going to OCR you know
stuff out of your photos but I mean these days Apple does that by default right you can search
for text in your in your photo spool and you can search for objects too like if you if you put if
you put car into your apple
photos thing it will show you all of the photos you've taken of cars yeah i mean it's honest
machine learning sometimes actually useful weird i wonder though if there's like some mechanical
turk thing going on and there's a whole bunch of people in a building you know just just tagging
them yeah probably not just a joke yeah everybody don't get alarmed. But look, as you pointed out,
like it's a little bit unclear
exactly how this malicious code
got into these apps in the first place
because it does look like they're legitimate.
It's again, it's not entirely clear,
but it does look like they were legitimate apps
and possibly, and it's, you know,
maybe it's the translation or whatever.
It's not entirely clear,
but it looks like possibly the developers
of these apps used a malicious SDK.
And we used to see that back in the day with like people using xcode that they got over torrents
because downloading the actual xcode could be a bit you know of a pain or whatever so people would
just torrent it and they'd get a trojan version develop their app publish it to a store and it
would be loaded with malicious code and i think possibly that's what's happened here yeah it could be like it's it's not super clear i mean one of the like the most prevalent
app and the one that was on the apple app store it was also on the google app store
that one the backdoor didn't appear until like version two something of the of the app so it's
possible that it was you know compromised developer or compromised supply chain or added you know at some point after it had been through its initial onboarding process
and vetting and so on so yeah we don't really know um but either way like makes you think twice
perhaps about storing important stuff in your in your photo reel yeah i mean i love that they've
got a way to actually you know there's the dumb way to do it, which is to just look for OCR phrases like recovery phrase, you know what I mean? And things like that. But you do wonder if they're actually trying to identify like strings that look like they could be recovery phrases. Because, you know, that's actually quite hard. That's when you've got, you know, you're almost re-implementing your own version of Trufflehog just to find crypto seed phrases or recovery phrases or whatever and then
you know matching it to ocr i dig this i i'm not gonna lie like i think it's they also did um
multi-language support so like this would was looking for phrases in like korean and japanese
and english and italian and polish like it was um uh actually you know probably quite good uh and
the apps they were targeting generally weren't English first language countries
like they were other places around the world.
So, you know, kind of a,
I suspect this probably worked pretty good.
Yeah, impossible to know, right?
Like sometimes you see something really cool
and you think, you know, wow, they must've got paid.
You find out later, they just absolutely didn't.
And meanwhile, someone who just hacked a WordPress,
you know, you remember back in the day
when people used to have initial coin offerings
and they'd host the websites for them on WordPress,
someone would just pop the WordPress
and change the address for the Bitcoin.
And like, they'd make gajillions of dollars
because no one noticed that the address had changed.
Oh God, this whole industry is so stupid.
Yeah, man.
I mean, we don't really see that anymore.
I mean, it's not like crypto is not going missing,
but at least they have to work for it now.
That was like, that's a time back then.
I don't know.
When was that like last crypto boom nonsense,
you know, six years ago or whatever.
I mean, that's a time when I was tempted to like,
just say, Adam, let's lead a life of crime instead.
Let's go do some crimes.
It's all there for the taking.
One WordPress shell, millions of dollars.
Anyway, moving on.
And the Times newspaper is serializing a book
and publishing bits of it.
It's about Keir Starmer, who's now the British PM.
And it looks like, according to this book,
his personal email address,
I'm guessing some sort of webmail, Gmail, whatever,
it got owned. And he was alerted by security services who just told him, don't go anywhere near that
account again. Apparently he wasn't, it was very obviously his address and quite easily discoverable.
So I'm guessing it had been linked to him publicly somehow and he wasn't using MFA and this is just
what happens. In a way, this is good
news, though, if they're having to go after their personal email accounts, but I don't know, that
might be reading too much into it. But yeah, an unsurprising bit of news. And I guess the,
the most fascinating thing about this is it has been reported widely, but it's there's no buzz
around it. Like nobody is like, Oh, is like oh my god wow you know it is just
everyday stuff these days so that's what i found interesting about this one yeah i think you're
right i mean so many people have had their email hacked at some point that maybe it doesn't seem
like the big deal it used to be and you know public figures i mean he wasn't prime minister
then he was i think one leader of the opposition when when this happened you know reasonable to
expect him to be targeted,
reasonable that they would find a credential in a data dump
that they could reuse or something like that.
I did notice that The Times characterised this
as a sophisticated campaign, which, you know...
Well, I mean, he wasn't the only one targeted.
I think that's sort of where they're going with this.
And they make the point that, you know,
there was nothing particularly tactically sensitive in there, but it would give them insight
into how the leader of the opposition, so it was Russia that did this shortly after it invaded
Ukraine. And, you know, the thinking is they were looking for insight into his thinking about,
you know, sort of strategic affairs. And it's just, it's just a great example of how,
you know, stuff that doesn't necessarily have immediate tactical value can still have strategic value because you can start to get it you know you read someone's email you
start to get a sense of how they think and you know what they how they might feel about certain
issues so yeah yeah no it makes total sense i mean i would absolutely read people's mail spills when
we're on the job because it lets you see how the sausage is made and what's happening and you know
it's just useful situational awareness so yeah you know i'm a good job rusher i guess well um anyway moving on and uh last week we spoke
about that company what were they called power school yeah power school uh who makes sass that's
used for uh you know by all sorts of schools around the world something like 16 000 of them
uh they got breached it looks like they've paid you know the hacker sent sorts of schools around the world, something like 16,000 of them. They got breached. It looks like they've paid, you know,
the hacker sent them a video of deleting the data or whatever,
but you never know.
You know, sometimes they want to preserve their credibility,
so they actually do do it.
But according to this report from Kevin Collier,
there's like a leaked draft of a CrowdStrike incident report into this,
and it looks like really what happened is they got creds for one staff, like no MFA.
There was some like maintenance portal
that they just logged into with those creds
and got all of the data.
And this really underlines that point I was making last week,
which is that we're gonna see more and more
of this sort of thing targeting,
specialized SaaS platforms
that just dominate particular sectors.
And in this case, it's schools,
but next time it might be hospitals,
it might be psychology clinics,
it might be, you know, whatever.
Yeah, this ain't good.
Yeah, I mean, really just deeply, deeply underwhelming. You know, of course there's a one-factor off,
you know, maintenance interface.
I mean, it's one step away from an open bucket really yes exactly right and you know data breaches of you
know and credential reuse are just so common and so such a widely used entry vector that you know
this is you know as you it's just deeply predictable and it's going to happen on every
little niche SaaS provider because you know you grow, you don't have time to go back and clean up these things.
And no one really thought that we would just put everything on the internet like this.
And simple stuff like 1FA actually matters these days.
Yeah, I mean, I think there's some technical work that could go towards fixing this to a degree.
And you look at some old approaches to things like card data,
like tokenization and whatever, and you've got field encryption,
and you can do stuff like distribute Kemat to each individual site.
And there should be things you can do to prevent this sort of thing
from being quite this bad.
There's going to be some engineering work involved,
but I don't think the solution is just going to be
more regulation i guess is where i'm going with that yeah i mean being more responsible steward
of your data right understanding that every bit of data you hold you know has a benefit but also
comes with liabilities and that you have options you know like blinding and and tokenizing and so
on to reduce the liability of the data that you need to hold to do business
and so you know there's you know not making these technical mistakes there is regulation options
there's data minimization like you know all of these things work together to just reduce the
likelihood and then failing that reduce the impact and yeah that kind of blended approach is where we
have to get to i mean it used to be really fashionable to say data is the new oil uh and then i think the person i can't remember who it was but someone said no it's the new nuclear
waste which is you know it needs to be stored very carefully and it can it can hurt you um now the
record has a report up on something uh about australia this is uh darina antony has written
this one up. The Australian government
has sanctioned Telegram. Now this is that Telegram channel and sort of online white
supremacist group. We've spoken about them previously because after Pavel Durov was
arrested, one of the first thing that happened was Telegram gave up the identities of a couple
of the operators of this channel. So Australia's wound up sanctioning this. And the reason this is
interesting is because there's been a series of, I mean, they're absolute Nazis, these guys,
and they often encourage people to commit violent acts and whatever all around the world.
And there's been a spate of like anti-Semitic, like vandalism style attacks, right? So burned
cars and someone put some petrol around a synagogue as like really
awful stuff right spray painting swastikas on cars in jewish neighborhoods just the worst
and a couple of weeks ago the prime minister said something curious which is that it looked like
some of the people who were doing this were actually getting paid by people outside of the
country because you would see these arrests and it was just like trailer park meth head type people who had no sort of political ideology or
motivation and now we see these sanctions come in and various comments
by political leaders here which which I don't think it's taking too much to
connect the dots that this is related right so it looks like what might have
been happening is people affiliated
with this group have been paying petty criminals in australia to do this sort of stuff just giving
them money uh to go and do it and then then of course you arrest them you know you can't really
throw someone in prison uh for graffitiing a car or malicious damage of property i mean you can
depends on their their record and everything but if you can bust them for taking money from a sanctioned entity, like that's 10 years.
So I have a feeling that's why this has happened.
And I just wanted to mention it
because in the global press on this,
they haven't really connected those dots.
Yeah, that kind of makes sense.
That gives you an avenue
to kind of take this a bit more seriously,
to hit them in the courts with something
that's a bit more serious than graffiti, right?
And obviously it's tied to kind of hate crimes.
But I imagine like the bar for those kinds
of prosecuting people for hate crime
is probably a little more complicated.
Especially when they're not actually ideologically motivated.
Especially when they can say,
well, I just got paid $200 to do this.
So you're sort of limited in what you can do to someone for doing that.
But now I would think it's a great deal more serious.
Yeah, that seems like a smart move to kind of level up the –
give law enforcement some more options that they wouldn't have otherwise had.
So yeah, an interesting kind of, interesting catch.
Because when I read this at first, I didn't really, you know, flag this as.
Yeah, people are seeing it as like symbolic.
It is the first time that we've sanctioned a purely online group as well.
So that's another interesting dimension to this.
And it really, the reason I wanted to talk about it is because we did spend
a bit of time last year talking about Telegram. And
I think people forget that there are, you know, real world harms from some of these platforms
that just totally yolo it and don't do anything with law enforcement and whatever. But yeah,
the Prime Minister said, what did he say? I'm reluctant to say anything that compromises
investigations, but it's important that people understand where some of these attacks are coming from.
And it would appear, as the AFP commissioner said yesterday,
that some of these are being perpetrated by people
who don't have a particular issue,
aren't motivated by an ideology, but are paid actors.
And indeed, our foreign minister was asked
whether or not there was a link here.
And they said, yeah, she said the same thing.
I'm not going to get into ongoing investigations
because blah, blah, blah, blah, blah.
But this is an online network,
which is all about extremism, white supremacists,
people who spread hate.
And so we have to use all the tools at our disposal
to keep people safe.
So you do just sort of get the impression
they did this for a reason and it wasn't just symbolic.
So I thought that was interesting.
Moving on.
And WhatsApp says paragon which is
that israeli um spyware company that was recently bought by us interests for something like 900
billion dollars uh it turns out they'd been targeting a bunch of journalists and people
who worked for like ngos like civil you know uh civil society groups uh which is you know somewhat nso of them yeah yes exactly that we had something
like whatsapp like minimal interaction like zero click kind of thing where they would drop a pdf
on you via whatsapp and that would lead to code exec on your device and onwards to compromise
which yeah if you're trying to be a slightly more legit than nso spyware company
having a whole bunch of journalists get that uh is is not super great um and we've obviously seen
you know whatsapp go after nso in the courts and i guess this was sort of a you know you get the
feeling this was kind of a bit of a bit of a warning shot uh the bowels. But then we also had a piece from,
was it Lorenzo over at TechCrunch?
Yeah.
Saying that Paragon has said that the US government
is one of their customers.
So that's also a sort of a,
A, not super surprising,
but B, kind of an interesting difference
to kind of how NSO have gone.
Like Paragon was was saying like we only
sell to good governments and we know western interests and so on which of course nso has said
similar kinds of things but you know having the u.s government buying your stuff when you're owned
by a u.s firm and now you're you know targeting journalists via a u.s company well i mean keep in
mind this acquisition is very recent so we're not sure that it happened while under US ownership.
I also wonder if this complicates their deal, you know,
if there's earn-out periods or, like, warranties or whatever.
Like, that could get complicated for the people who've done this deal,
depending on what warranties they've made to their American buyers.
You know, I would have said previously that regardless, you know, them being sold to the United States interests will sort of bring them under the umbrella of the US legal system.
And it would probably, you know, clean them up a little if they had been doing naughty stuff previously.
I think all bets are off at the moment with the way the US government's heading.
Well, yeah, exactly.
I guess it's hard to it's hard to predict at the moment.
I mean, I guess in Paragon,
when they were talked to by media about this,
said that their terms and conditions
prevent their customers from doing this kind of thing
and they shouldn't be able to target civil society
and journalists and blah, blah, blah, blah.
So, you know, I guess we'll see how this develops.
And as you say, the US, who knows?
Who knows?
But keep in mind, you know, Donald Trump is not a king.
There are, you know, other politicians with power in the United States
and we might see various committees and whatever look into this eventually.
But yeah, just it's a tumultuous time.
Let's just say that.
Now, we've covered this here and there uh suzanne
smelly has a report up for the record the former polish justice justice minister uh has been
arrested for signing off on the use of spyware to target like political opponents and whatever
um you know poland is still cleaning up after the previous government's you know uh crazy use of of
spyware within their own borders.
And this is just the latest development in that.
So there is some accountability here.
And, you know, ties back to the previous piece, right, where things could get a little bit out of hand under Trump,
you know, depending on who, you know, wins the election in four years from now.
You know, do you really want to roll the dice on doing a whole bunch of stuff that a future government in the united states won't like and you might get poland you know you might get the
same treatment as the former polish justice minister is what i'm getting out there yeah yeah
anyway it is really nice to see the polish government going through this process because
you know we've seen other places in the world where um you know there hasn't really been the
appetite to go pull this thread
and the polls are doing it, which is good on them,
because it's pretty egregious.
And if it warns other people, makes them think a little bit, then great.
Well, I think it's pretty easy for them politically
to target their opposition, right?
Like they win the election, they go after the last people.
But, you know, if they've committed genuine misdeeds,
genuine crimes, then, you know if they've committed genuine misdeeds genuine crimes
then you know fair enough um now last week we briefly touched on the issue of cable breaks
uh in in various oceans and seas and look you know we we said at the time we don't know whether
this is deliberate uh or not the swedish government had detained a ship uh for a while to investigate
whether or not it had deliberately
broken cables they've now released that ship and said that it was clearly not sabotaged so
still as clear as mud yes i mean the swedish authorities are pretty clear that in this case
it was incompetence yeah so i guess that's nice you know you were wondering like how do you drag
your anchor for you know miles and miles and miles and not notice? Apparently, it's possible.
Yeah, so apparently being a bad mariner and bad infrastructure
and bad, you know, seamanship or whatever else they said about it.
So, yeah, not great for your resume as a mariner,
but no longer being detained by the Swedes.
So, you know, I guess that's probably a win for them, the crew of the ship.
I mean, being detained by the Swedes would probably be quite nice
if you're used to spending your time on a, you know,
large boat that smells like diesel.
A Russian tramp steamer, yes.
I'm guessing there would be potted plants and tai chi in the mornings.
It's Sweden.
It's Sweden.
Sounds good.
Now, let's talk about this huge flap about these medical devices sysr put out
this big warning saying that the context cms 8 000 devices which are used to do uh patient
monitoring and health care like i guess in heart rate and whatever uh it you know quietly sent
patient data to a remote ip address and downloads and executes files on the device so big song and dance about this we've got a report here from lawrence abrams over at
bleeping computer and he's updated his to say a report from a company called clarity
says that what sisa is warning about is just the like auto update mechanism for these devices and
to activate it you need to like reboot it while holding a button and what are you talking about sysa so awkward yeah this is a little bit
embarrassing for sysa because the initial reporting was quite breathless and they had
some screenshots of oh my god patient data you know being sent across the network uh and then
there was a little detail it said oh and then they use nfs too and i'm like excuse me you what
now like no hacker is going to rely on nfs to deliver their data across the internet like
that's a terrible idea because you're just not going to get very many callbacks because nfs is
going to get you know blocked in all sorts of places it's terrible idea um and so that to me
didn't ring super authentic it's you know smelt like you know maybe someone was just you know maybe an internal
i mean i hadn't thought it through i can confirm that when this first popped up in out one of our
risky bulletin newsletters and we were preparing the podcast script for that day you did express
reservations you're like i don't know about this one i don't think this looks like malware so you
were you were ahead on this yeah well you know you just got that kind of spidey sense you know for that doesn't i wouldn't do that and i'm a hacker um anyway so clarity uh bought one of these devices
popped the flash chip off its main board dumped the flash out reverse engineered the firmware
went and dug up um uh the kind of functionality that implements this and it actually is just
upgrade functionality in fact the ip address in question is in the manual.
Yeah.
Which, you know...
If you're doing a secret data exfiltration operation,
you wouldn't necessarily put the IP address in the manual.
And, you know, I'll just read a comment here from the report,
as quoted by Lawrence Abrams.
Although the full update process is very dangerous and risky,
to us it does not appear to have a malicious intent behind it,
especially when considering the manual boldly refers to this IP address
and white label vendors ask users to configure their internal CMS
with this IP address.
Yeah.
So that's, I mean, I feel like for CISA, this is a bit of a, you know,
it's a bit embarrassing because, you know,
so many times we are relying on advice from government agencies or whatever else that do have classified sources.
They have, you know, things that we as general public can't see.
And there's a degree of, look, we just have to trust them to get it right because obviously they can't share all of the source material with us.
And there's a degree of we just have to you know accept that but then it's kind
of incumbent upon them to put out good information and not do yeah everybody makes mistakes adam
us included and you know sometimes you just got to chalk it up to well they made a mistake yeah
and and and they did but yeah yeah i think the reason you're particularly firm on this one is because, as I say, you immediately saw that and said, oh, shit.
Yeah.
That does not smell right.
Yeah.
So let's talk about this zero-day vuln in Zyxel.
Is that how you actually say it?
Or is it Zy-shell?
I've always said Zyxel.
Zyxel.
I think that's what I write in the pronunciation notes for Risky Bulletin.
So if I'm wrong, then, you know.
Then you're wrong big, as it turns out.
Yeah, so Gray Noise wrote a post about mass exploitation of these devices.
I guess they're like home routers or whatever, right?
Yeah, yeah, Zyxel makes a bunch of that kind of thing,
home routers and things.
This one I think was interesting because Volnchek originally found the bug, publicized it, reported it to Zyxel makes a bunch of that kind of thing, home routers and things. This one I think was interesting because Volnchek originally found the bug,
publicized it, reported it to Zyxel, who just haven't patched it.
I don't know whether the device is the end of life or whatever.
So there's no real information.
Then Graenoys saw mass exploitation start to kick off.
I think this got added to one of the Mirai variants.
So it's hitting the internet and there's a bunch of devices
that are vulnerable out there.
But yeah, Zyxel just haven't really publicized it,
haven't patched it.
So yeah, Gray Noise was blowing the whistle a little bit,
saying, hey, pay attention.
Yeah, so is this like Discord kids or state-backed behavior?
Who knows these days, right?
Why not both?
Why not both?
Exactly.
What else have we got here oh now this is one
where again i don't you know it's all greek to me uh but talk to us about this um amd research
out of google security which looks at what is it like being able to update uh cpus with like
malicious microcode is that about yeah yeah okay this is the research uh i think this only got
dropped uh i think like today or yesterday so pretty recently uh amd have published an advisory
there's not really any details yet uh but what google has reported and demonstrated is the
ability to as a like ring zero so like root or administrator on an operating system running on amd zen cpus they
can patch the microcode patch the firmware of the cpus and that lets you do basically anything and
the google's demo is they change it so that the id rand instruction which returns random numbers
always returns four and the bug appears to be some kind of like either hash collision or like google described as you
know an insecure hashing process when they're validating the microcode patches um the specifics
we'll have to wait and see once google does actually drop those uh but yeah like great
research and obviously in a cloud environment um you know this is a thing where you could probably
do this in a guest vm but you're patch patching the CPU microcode that is shared across other instances
Or up in the hypervisor
So interesting class of bug
And the sort of thing that you would expect Google to be paying attention to
Given that they operate large public cloud
They have a few computers
They do have one or two CPU cores to worry about, I am sure
But yeah, good work them
And yeah, good work then.
And yeah, like, cool bug.
Yeah, nice.
Now, let's talk about a 22-year-old in Canada who can control smart contracts.
He stole 65 million bucks, like, by manipulating smart contracts.
So really smart with the math,
but then gets caught in a really really dumb way
yes so a while ago we talked about um an attack on a blockchain crypto thingy called uh kyber swap
ky uh br and this uh guy from canada called andean Medjevic,
Medjevic, 22,
had come up with a bug where he could kind of manipulate... Medjidovic, I think.
Medjidovic.
But yes.
He could manipulate some smart contracts
and basically use that to drain a pool of equity
run by KyberSwap.
And he stole, you know, 40-ish million dollars,
$48.8 million dollars worth of cryptocurrency
using this and he did a basically similar kinds of tricks where he would take out a big flash loan
use that to manipulate the value of a pool of cryptocurrency that smart contracts are operating
on and then kind of trick them basically through a rounding error into, you know, making a transaction that was beneficial to him.
He stole a bunch of money.
He then went onwards to try and launder it through, you know,
various mixes and so on, extracted a bunch.
And he has now been indicted by the US, but he's on the lam.
He's on the run with, we don't really know how much cryptocurrency,
but unfortunately for him, he, when the run with we don't really know how much cryptocurrency um but
unfortunately for him uh he when he went to go and you know launder these funds some of it was
being blocked because the people had blacklisted the source of the funds um in the exchanges and
so on and he was actually submitting like support tickets to the exchange threatening to call the
police on them if they didn't launder his funds for him which i don't know how that worked uh and bribing them to launder his
funds and one of the people that he struck up a relationship with in this process uh turned out
to be an undercover cop uh which may not go well for him if he gets arrested if he actually
figure out where he's got to but uh yeah the story is pretty grim because
he was like a math like had a master's in math from some university in Canada and he had these
you know detailed schemes he made lots of notes about his you know criminal conspiracy
about how he was going to launder and how he's going to get away with it so on and so forth
but yeah we will see whether you, his very smart but not very,
you don't get social adept from the indictment notes.
We'll see whether that, you know, stands him in good step
while he's on the run.
Now, finally, Adam, we're just going to preview this one
because our colleague Tom Uren is writing up,
this is one of the things he's looking at for tomorrow's
Seriously Risky Business newsletter, and I'll be talking about it with him in detail tomorrow.
Again, head to risky.biz and subscribe to both the Risky Bulletin newsletters and podcast feed.
But yeah, NCSC, I think this goes back to, yeah, January 28th.
So it is very, very recent. They have written some guidance
on what is a forgivable vulnerability
and what is not a forgivable vulnerability.
And you really get the sense that this is targeted
towards the makers of these edge devices,
like your Palo Altos, your Fortinets, your Avantis.
Like that's what this feels like to me.
Yeah, absolutely.
And I really love that characterization
because it's so easy to weasel on CVSS scores
or weasel on technicalities.
But I think like forgivable versus unforgivable
really nails the thing that's aggravating
when you read about some of these bugs, right?
I mean, you know, the,
especially like the Fortinet's new advantage
is you read them and you just go like,
how can you possibly do this and still be in business so i like this characterization um and it it speaks to
me yeah so i'll be going over that with uh tom tomorrow because i think you know this could form
this could really inform policy this sort of thing it's about time someone actually sat down
and explained in simple terms like you can have a bug in this and
it's not the end of the world like even a serious bug if it was like a whole bunch of weird stuff
happened and you know there are forgive even high cvss bugs can be forgivable and there are others
that aren't and i think i don't know that that's something that's well understood by the sort of
people who are responsible for making the laws and regulating this space. So well done, NCSC.
But, mate, that is it for the week's news.
Thank you so much for joining me to chat about it all.
Always a fun time, and we'll catch you again next week.
Yeah, thanks, Matt.
Pat, I will talk to you then.
That was Adam Boileau there with a look at the week's security news.
We're going to hear from this week's sponsor guest now, which is Josh Kamju from Sublime Security.
He's a co-founder and the chief executive there.
And a full disclaimer, I am also an advisor to Sublime Security.
So Sublime makes the most modern sort of kick-ass email security platform that there is these days. So one of the things
that makes it different is it's sort of customized per environment and you can do things like write
your own detection rules, do threat hunting. It's just a modern redevelopment of a email
security platform and it's sort of like what email security platforms should be this day.
And obviously they're in the coal face now.
They've got a bunch of customers and yeah, they see all of the cool new stuff, all of
the new attacks that are hitting their users and hitting them as well as you'll hear like
DocuSign abuse to send malicious stuff to people through DocuSign.
But it turns out this is a big trend at the moment is people using trusted services to
distribute malicious stuff.
So here is Josh Kamju to walk us through how some of the bad actors out there are actually abusing trusted services to do all sorts of creative things.
Enjoy.
Ultimately, the idea is to blend in with normal behavior, normal traffic to evade detection. And the translation to the email layer
is leveraging similar types of trusted infrastructure that you see legitimately being
sent to and from an organization's email domain. So examples of this are like DocuSign or SharePoint
or Dropbox or Google Drive. So there's a lot of overlap, actually,
between the types of services that we see malware abuse
that we also see adversaries use to send email attacks.
Yeah, I mean, I was just thinking as you were talking
that the sort of phase one of this
would have just been people hosting malware
on trusted domains.
Like OneDrive malware was a big thing for a long time,
right? Like huge. And now they're going one step further and actually generating
mails from those types of services. And that's the mail part as well, right? So how does that work?
Yeah. So we see a few different types of abuse. There's really two categories of trusted
infrastructure abuse that we see. There is the infrastructure abuse that
ends up delivering mail from the trusted infrastructure service itself as the sender.
So that's where you receive an email from DocuSign.net. And it's literally from DocuSign.net.
It's passing all sender authentication, SPF, DKIM, DMARC. So that's category one of the abuse that we see.
And then the category two is the infra abuse of links embedded in the message.
So we see for malware delivery, like link-based malware delivery in particular, or credential
phishing delivery, we end up seeing sites hosted on DocuSign, on SharePoint, on even Freshdesk or
Zendesk subdomains. And so these are all inheriting the reputation of these legitimate services.
So they tend to be much more difficult to detect. I mean, you haven't mentioned the big one,
which is Cloudflare. Oh my God, don't get me started god don't get me started god there's so much of
cloudflare like it is it is amazing like how much badness there is on cloudflare and like
you know just with the flexibility of their cdn like people are actually hosting fully
featured phishing sites on like you know trusted yeah domain so yeah i mean as a detection signal
it's hard enough uh to figure out when a mail bad, when it's only got legitimate links in it.
But when you've then got the added complexity of the messages themselves coming from trusted services, from actually DocuSigns.
And, you know, I've got a blog post of yours that I'm going to link through to so people can have a look at it themselves.
But it shows that, you know, you can deliver like a pdf through docusign that it's like click click
click through and that eventually takes you to like credfish or or whatever um so it's like an
end-to-end attack handled on docusign i mean how do you deal with that as an you know as a company
that's like filtering email i'm guessing it's going to be deep inspection of those sort of
payloads and are there any complexities there like
you know you operating a mail server a mail security platform can you go and then get that
pdf and then analyze it and i'm i'm guessing that's the game right we can yeah so it's really
tricky and we've seen other folks get this wrong recently and it's it's caused a ton of pain. Um, we've seen like, there's been
Google in particular has been really causing like a lot of frustration here as we've seen
DocuSign in particular get abused. Even us, like as you know, our company, we've seen
tons of like legit DocuSigns for our sales team, literally getting sent to spam by Google. And
we're hearing this, we're hearing this from like a lot of other people. I mean, this is exactly what a startup
needs is signed purchase orders being deleted, right? Like, thank you, Google.
Seriously, like we see these like docu signs that are just sitting in spam for the last like week
or two weeks. And some of these are like legitimate communications that are getting sent after like
multiple replies from the sender.
I mean, it's really hard basically to solve this purely using like a global ML model basically
because so much gets scooped up with that because there's so much legitimate mail coming
from DocuSign.
So you have to really get granular and know what specific signals that you're looking
for. So when we saw this, the way Sublime works is we've got our models that run behind the scenes,
but we have an abstraction layer above our models that lets us describe attacker behavior. And we
can push that out to all of our customers. So it's a DSL. So our team can actually build really granular behavioral detections. So when we see this evolution of
DocuSign, we can build a really targeted detection that says, okay, when we see a message come from
DocuSign and it's passing sender authentication, so all the checks are green there. But the reply to domain is a domain
that you've never spoken to before, because that's what a lot of them will do is they'll
set the reply to domain. So if you reply, they'll get the response, the attack.
And then they can say, yes, no, this is absolutely a legitimate document. Please go ahead.
Yeah, please. Yeah, this is all legit. Exactly. So we can actually get granular with the signals and say, yeah, this is a recently registered
reply to domain.
We can go out to the link.
And if we see like a PDF icon that, you know, they're like they're impersonating a PDF document
on the legitimate DocuSign document, we can like detect that as a signal.
So we can adapt really, really rapidly to any changes in the landscape that we see. And we can push that that as a signal. So we can adapt really, really rapidly
to any changes in the landscape that we see
and we can push that out to our customers.
So you really have to have like a granular detection engine
to do this super well, at least to do it quickly.
And often you can't even get to the payload, right?
Because they put them behind things
or the final phishing page
because they put them behind things like turnstile, right?
That's right, that's right. In which case you really need to you you really need to use the fact that it's hosted on cloudflare as a signal well this is actually this is actually
what i was going to ask you i was thinking surely if there's a docusign thing with a link in it that
goes and hits a turn style like i'm thinking that's actually a pretty solid signal that yeah well but the thing yeah exactly um you have to be able to go out to the link in the docu sign
and it's actually the the actual payload is hosted on docu sign.net like a fish like a document that
you sign so they actually are creating a template in docuSign that you send. You click on like, yes, I want to sign.
It opens up DocuSign.net.
There is like a fake PDF there.
And then you click and then it goes to wherever, Cloudflare, Turnstile or whatever.
So yeah, if you can get multiple layers deep there and see where it's going, you're good.
Yeah, yeah.
So I mean, it's always like that with mail, right?
You've got your big signals, your medium signals, and then you start getting a little bit more granular. And that's,
I think that's really where most mail providers compete, right? It's less on the big stuff and
more on the, on the little stuff. Although, you know, the example you just gave of Google,
like they're, they're kind of failing at the big one there. It's tough. It's a tough problem to
solve with like, with just training a model. Yeah. Yeah. So talk to us too. You sent me something about using legitimate sites distribution lists
or something. It was something that I don't completely understand. Explain this one to me,
please, Josh. This was super clever. So it's a way that we've seen an evolution of the abuse of these infrastructure services to send it at mass volume without getting blocked by the provider.
So if you start to send if I start to abuse DocuSign, let's say, or PayPal or Microsoft or whatever it might be, and I start to send like thousands and thousands of messages, some of those services will have by now had some like volumetric detection to say,
hey, you can't send this many in this short a period of time or something.
Not all of them have that to be clear, but some of them do.
Well, they will eventually, right?
Because this is the trend, you know what I mean?
Like it's everyone's having their happy time right now using this as a vector.
And then, yeah, eventually it turns into enough of a headache for the providers that they have to
right limit it. That's right. So what we started to see was is super is kind of clever. So they
would go into Microsoft and they would create a distribution list. So they would spin up an
account. They would create a DL and they would add all of their targets to that distribution list.
And then they would go into whatever service that they were abusing, whether it's like,
I'm going to send a callback fish through PayPal, or I'm going to send a fake Microsoft
invoice.
I'm going to abuse Microsoft invoicing to send it to them.
So they'll send it from PayPal to the D to the dl and then the dl will fan out
from there so from the the infrastructure from the trusted services perspective you're only sending
one message uh yeah and then and then the dl does from like microsoft's perspective and they're just
like yeah this is what a dl does it just it just fans out so tell tell me how like a callback fish
with um you know tell me how I can generate a callback fish
with something like PayPal and why I might do that.
Like what sort of control does an attacker have
over those sort of messages?
Yeah, so you would basically go into PayPal
and you would generate an invoice
for, you know, a quote unquote customer.
And in that invoice,
you would embed a phone number
for like customer support
or if you don't recognize this
or PayPal support,
there's a bunch of different variants of this.
And then there would be a charge
of like 500 bucks or whatever.
And so that,
and then you say you go,
you click send
and it sends the invoice to the
dl or to the target and then they end up calling the number and then for callback fish it's typically
like a rat that they're installing and and then there's uh there's a lot of consequences from
there what so they click i mean there's a phone number but is there also a link there or something
where they can click through and that's where they get malware. Typically not for callback phish.
So callback phish will be like the payload list style,
which is actually why it was such a big deal and still continues to be.
So there is no link.
There is no malware directly on the email.
It gets delivered after you call the phone number
and it gets routed to one of these scam centers.
Okay, right.
So that's how they do it.
And then they're like, hey, yeah, like happy to support you.
Install this, you know, remote access tool.
And then they have control over your computer.
And then they'll do all sorts of nefarious things from there.
So before we wrap it up, Josh, you've built a few, you know, we've got some platform updates to talk about. Basically, you've got some, you know, improved incident response features and sender domain
exclusions, which, you know, just to make life a bit easier, just give us a quick rundown
on the latest bells and whistles in Sublime.
Oh, yeah.
So we've released some pretty rad stuff recently.
The most recent one is our fuzzy grouping algorithm.
So this is a way that we cluster similar campaigns together.
So if you imagine in particular for like mass volume attack, spray and pray type stuff where
you're hitting like thousands of people at an org, they're typically targeted or tailored
to each one.
So like there's the first name and there's like some special, you know, the subject is
customized and there's like all kinds of different variations that you might see.
So we built like a clustering algorithm that'll be able to see all those changes and like
cluster those together.
And so we can basically present those to, we can remediate them all at once and then
we can present those to analysts if and when they want to review it in a single
alert so they're not seeing like a thousand or ten thousand or their or
their sock is not getting like a thousand alerts so that's a really cool
one it just makes in IR more efficient to like if you're looking for a campaign
you'll see all of them at once and you you can see if it was remediated or
remediate it with one click if you want. So that's one of the big ones. We also released some really
cool new reporting for tactics and techniques that we see hitting an environment. So we have
this taxonomy that we've created that describes that's that's super like granular
and it's it's it describes like the tactics and techniques or the attack type of the attack
and we started to to show that in our reporting now so you can see hey i'm getting hit with like
uh qr codes or um you know pdf uh links to pdfs or htuggling, you know, you can get down to the actual tactics
and techniques being used.
And then the, you know, there's a bunch more, but the last one I'll mention is the sender
domain exclusions, which is just this like huge pain point that people would typically
have with any sort of real time detection engine, really, but in particular with email
security is when you
have a false positive and everyone has false positives, what happens when you have a false
positive? Well, typically you end up just filing a ticket and then waiting for it to be resolved
one day. We released a super granular exclusions feature where in two clicks, you can just mitigate at a really granular level without creating a
global exclusion. So it's like specifically for this behavior, we will no longer flag it. So it
lets you instantly resolve false positives. So that's a really, really rad one that we also
released recently. Awesome. All right. Well, Josh Kamju, thank you so much for joining me. It's
always good to see you, my friend.
And we'll be chatting again a bunch of times throughout 2025.
It's so, so good to see you.
Thanks for having me on.
That was Josh Kamju there from Sublime Security with this week's sponsor interview.
And that is it for this week's show.
I do hope you enjoyed it.
I'll be back tomorrow in the Risky Bulletin podcast feed with my weekly discussion with Tom Uren about his newsletter. But until then,
I've been Patrick Gray. Thanks for listening.