Risky Business - Risky Business #781 -- How Bybit oopsied $1.4bn
Episode Date: February 26, 2025

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:
- North Korea pulls off a 1.5 billion dollar crypto heist
- Apple pulls Advanced Data Protection from the UK
- Black Basta ransomware gang’s internal chats leak
- Russians snoop on Signal with QR codes
- And Myanmar ships thousands of freed scam compound workers to Thailand

Regular guest Lina Lau joins to discuss her work reading Chinese incident response reports on WeChat, and how that has people thinking that … she outed the NSA?

This week’s episode is sponsored by Airlock Digital, and allow-listing tragics Daniel Schell and David Cottingham are along with an amusing tale of using Windows’ own allow-listing software to block EDR from loading.

This episode is also available on Youtube.

Show notes
- Hackers drained $1.4 billion of cryptocurrency from Bybit exchange, CEO confirms | The Record from Recorded Future News
- CertiK - Bybit Incident Technical Analysis
- Hackers use ‘sophisticated’ macOS malware to steal cryptocurrency, Microsoft says | The Record from Recorded Future News
- EU sanctions North Korean tied to Lazarus group over involvement in Ukraine war | The Record from Recorded Future News
- Sanctions: Iranians Flock to Crypto; Int'l Actions Target Russia - Chainalysis
- Apple turns off iCloud encryption feature in UK following reported government legal order | The Record from Recorded Future News
- Swedish authorities seek backdoor to encrypted messaging apps | The Record from Recorded Future News
- Leaked chat logs expose inner workings of secretive ransomware group - Ars Technica
- Russian state hackers spy on Ukrainian military through Signal app | The Record from Recorded Future News
- Meta Sues Alleged Violent Extortionist For Holding Instagram Accounts Hostage
- Weathering the storm: In the midst of a Typhoon
- Thailand to take in 7,000 rescued from illegal cyber scam hubs in Myanmar | The Record from Recorded Future News
- Genea confirms cyber breach after ‘unauthorised third party’ accesses data | news.com.au — Australia’s leading news site
- Managed healthcare defense contractor to pay $11 million over alleged cyber failings | The Record from Recorded Future News
- Botnet looks for quiet ways to try stolen logins in Microsoft 365 environments | The Record from Recorded Future News
- Director-General's Annual Threat Assessment 2025 | ASIO
- An inside look at NSA (Equation Group) TTPs from China’s lense
Transcript
Hey everyone and welcome to another edition of Risky Business. My name is Patrick Gray.
We'll be chatting through the week's security news in just a moment with Adam Boileau. We're
going to talk about the Bybit hack and Apple withdrawing advanced data protection out
of the UK market, all sorts of fun stuff to talk about there. And then we're going to
chat with Lina Lau, who is a regular guest on Risky Business
and she wrote a blog post about where she took a bunch of like Chinese incident response
reports that attributed activity to the NSA and then rewrote them into a good English report,
English language report and that's gone viral and everybody's talking about it so we bring her onto
the show to have a bit of a chat about that.
And then we will be hearing from this week's sponsor which is Airlock Digital and I chat
with Dave Cottingham and Daniel Schell from Airlock about some kind of hilarious research
work some people did, a third party, I can't remember who, where they basically figured
out how they could get, how they could use disk write access,
like privileged disk write access
to essentially create a Windows WDAC rule,
which would prevent EDR from loading,
which is a funny way to solve that particular problem.
So we'll talk to them about that a little bit later on,
but Adam, let's get into the news now.
And obviously a big story this week
is the biggest crypto theft in history.
We're talking 1.4 billion US dollars and frankly I hoped it would be a little bit
harder to do this and that's what we're going to talk about now.
Yes, so this was an exchange called Bybit and they appeared to have been hacked by North Koreans.
The blockchain evidence suggests it was probably North Koreans plus some of the tradecraft.
And the way this went down should have been, as you say, a little bit harder than, you know,
to steal $1.5 billion, it ought to be a little more work. So the basic shape of this is, this exchange has most of their funds stored
in a cold wallet, like that is a wallet
where the key material is not on the computers
that run the exchange.
In this case, I think they have hardware wallets,
ledger hardware wallets, I believe.
And when they wanna move from the cold wallet
into the hot wallet, a group of them have to get together
and authorize that transfer using their hardware wallets to do so. And this kind of like multi-signature
setup where you need, you know, like three out of five people or whatever to sign off. But you
know, kind of we see similar controls in regular, you know, financial institutes or businesses or
whatever else. So they were compromised by some North Koreans
who managed to get, it looks like they managed to get malware onto the
computers, the desktops or whatever of some of the staff, including the boss of
Bybit, and then fake up a user interface for their multi-signature process that
convinced them they were signing a normal
looking transaction to move some money from their cold wallet to their hot wallet.
But instead what actually happened is they signed a transaction that essentially gave
the North Koreans control of their entire cold wallet.
Whoops.
Which not ideal.
And you might ask how could this possibly happen?
How can you look at your hardware wallet? You know, part of the thing of these, like a
Ledger hardware wallets or other hardware wallets, is they have a little screen which shows you
what you're going to be signing, and then you can decide: do I approve this
transaction, yes or no? And so the attackers in this case have fooled them with a
fake user interface on their computers,
but then presumably the point of the hardware wallet is to allow you to make an informed
decision about what you're signing.
Because you can't trust your computer screen, thus hardware wallets exist.
Exactly, that is the whole point of hardware wallets.
It's a screen you can trust, so that's the one you want to look at.
Glad we understand this.
Yes, yeah, exactly. So that makes sense so far.
Now the North Koreans are smart, and what they did was,
so normally if you were transferring money around on the blockchain,
this is all Ethereum blockchain,
and if you just wanted to move coins from wallet A to wallet B, the hardware wallet, the Ledger or whatever,
understands that transaction. It will show you, you are from this account, paying to this account
this much money, and then your wallet will give you good information. You say yes or no. In this
case, because they're using multi-signature for security, they're not actually moving coins around.
They are calling into a multi-signature smart contract on the blockchain,
calling into an API in that, I mean, a smart contract, and asking it to transfer the coins around, and
the smart wallet doesn't know about that kind of transaction,
because that's kind of custom to, so they were using a Gnosis Safe wallet,
which is probably the most common multi-sig, you
know, kind of wallet smart contract. So they were using an instance of that to hold their
coins. And so their ledger wallets are signing an API call into a function in their smart
contract. And I don't have a ledger smart, like a ledger, like hardware wallet. So I'm
not 100% sure. But the documentation suggests that signing these kinds of transactions
involves the wallet showing you the API it's gonna call
and then all the parameters for that API
and you have to approve each one.
And so you're gonna be sitting there clicking
like 17 times to be able to approve this transaction.
And in this case, the thing, so there's like, you know, the
transaction that they were doing basically had sort of like an opaque blob
of hex and a couple of option parameters, and they were supposed to approve that,
and clearly they didn't have a written procedure or something to verify that
against, or they had just turned that stuff off, because there was a mode called
blind signing where you just go, look, this wallet doesn't understand, I'll
just hit yes, don't bother me with the details, which is kind of what most
people will tell you to do when signing smart contract, you know, transactions.
But doesn't this, I mean, might be a crazy question here, Adam, but doesn't that
sort of negate the purpose of having a smart wallet in the hardware wallet in the first place? $1.5 billion says yes, Pat, it does negate the point. There's also a few other
interesting nuances here like of how the North Koreans actually pulled it off
because if the function in the smart wallet they were calling into
kind of allowed them,
so this is sort of a pattern in Ethereum land
where when you store code in the blockchain,
which is kind of what smart contracts are,
you can't change it.
So if you want to change code in the future,
there's kind of a mechanism for extending code.
So like, I guess you could think of like logic
and kind of like inheritance in regular software programming,
but there's sort of a mechanism where one smart contract
can proxy execution of a particular bit of logic
to some future upgraded version of the same smart contract.
And the North Koreans deployed a malicious contract
some days in advance that pretended to be
the transfer function of the legitimate smart wallet,
but actually basically changed the ownership,
like allowed the North Koreans to just kind of take control
of the entire cold wallet.
And that way they laid that groundwork in advance
and then tricked them into signing a transaction
that they thought was normal.
Anyway, while I was unraveling all this,
I went and dug through the Ethereum blockchain history,
because the question I wanted to know was,
is this the normal process for Bybit to move money around?
And like, did they normally call this kind of opaque API
endpoint where they didn't really know what they were signing?
And then just smash the yeah whatever button.
And just smash yes.
And the blockchain suggests that they did.
Like before they moved money between wallets,
between Cold Wallet and Hot Wallet,
there is an API call that does the multi-sig process.
And they did that basically every time
that they were moving money around.
So I feel like the complacency of just smacking yes
on their hardware wallets came along and, you know,
the North Koreans used it to bite them in the ass.
And that's, you know, on the one hand,
deeply understandable
because humans love just clicking next, next, next.
But on the other hand, when you are securing $1.5 billion
in a giant cryptocurrency exchange,
you kind of need to do better than this.
And all they needed to do was have a single standalone,
you know, iPad or whatever to run the front end
for this, you know, multi-sig wallet.
Like presumably they had Windows boxes or Mac desktops or something like that.
Well, well, well, so this is, this is where I want to jump in.
Right.
So first of all, one note is you might see similar processes at banks.
Yes.
The thing is when $1.5 billion gets transferred out of the bank, people are
going to notice pretty quick and then recovery efforts begin and because this has gone to other
banks and whatnot, you're going to get most of it back. You might lose a little
if the attackers or thieves can outrun you, but if 1.4 billion goes, you get, I
mean let's just say 1.3 of it's coming back, right? Minimum, right? Like that,
that's fine. So whereas with crypto, man, once it's gone, it's gone. So you know, as you point out, quite rightly, you do need to step it
up.
So I've got questions about what the malware was, because you could do this with a malicious
Chrome extension. And we've seen people trojan-ing that supply chain. I mean, do we actually
have any detail here on what the malware was? Because it was on five, apparently five boxes
that were, you know, involved in this, in signing this transaction. And I would suspect, I mean really if I'm them,
I want to be in the browser. I don't really care about touching the OS and getting snapped by EDR.
Yeah. I mean, I think like if you were going to do this cross-platform, then my first, like if you
weren't sure if they were Chrome on Mac or Windows or whatever else,
like my feeling would be drop a browser CA certificate
on the OS and then do it in the network with a proxy.
But there's also multiple,
because the Gnosis Safe has a browser-based interface,
but also has apps that presumably make API calls
to a backend.
And they have, I think,
that you can run your own version of
their interface as well. So depending on kind of how that software was working in their
case would kind of lead to how you did it. You could absolutely, if like if they're running
a thick client application, you know, or the thing that's not running in a regular browser,
like maybe you would do it in the user interface on the end, on the computer. You could do
it, if it's in the browser, with a browser plugin kind of style thing.
You could do it with TLS intercept if you can control the browser
certificate. Well, I'd say this is why I wondered about, like you, I wondered about, well,
why not use an iPad that has this app on it and you can connect that to your hardware wallet?
You don't use that device for anything else,
and I thought this would seem to be a sensible way to do it. First of all though, is there MDM involved?
For iPads, can you put certificates onto iPads
through MDM?
I don't actually know if you can.
I mean, yeah, you can.
But then it got me thinking more,
well, when we're talking about $1.4 billion,
some sort of iOS 0-day is kind of worth using at that point.
So even then at that point, is it actually worth,
how much is that gonna get you out of trouble? Right.
And I'm just not sure. I think at the very least that would be a recommendation is
to use standalone, like kind of unmanaged locked down.
Single purpose, right? That's the main thing is you want something that you don't
use for other stuff because that just reduces attack surface. And sure,
you could probably get 0-dayed, but it's just, I would much rather a single-purpose, and all like,
they've got multi-sig, even if one person in the multi-sig pool is doing it on a
single-purpose device, right? Or you have, you know, and this is, and this is where
I was going, right, which is ultimately, okay, you can use a standalone device, but
with a $1.4 billion payday,
I don't know how much you can rely
on the security of that device,
which is why hardware wallets work in the first place.
And ultimately the thing that would have prevented this
is having robust and serious procedures
around which transactions are approved
and that's what they didn't have.
So bye bye $1.4 billion.
Yeah, exactly, exactly.
If this was a real financial institution,
you would hope that they had some process for managing a billion dollar
transaction. But again, you know, it's less critical in the traditional
financial system because you can recover funds when this happens.
Like compensating controls or... But you know, thanks to the immutability of the
blockchain, that money's gone. Right. Yes. And gone off towards North Korea,
but not quite there yet. And the money laundering is in flight. I think ZachXBT has been
following some of the coinage around and it's going through the normal
kind of North Korean laundering patterns and I don't know what kind of loss rate
they get on laundering. Even a very small percent of 1.4
billion dollars is still quite a lot of dollars, especially if you're a, you know,
largely isolated hermit kingdom.
But yeah, I, $1.4 billion,
whether pressing a button on a little USB wallet like man.
But I mean, this is just, we keep seeing,
I'm just amazed really anyone has confidence
in this stuff anymore, right?
Yes.
Like it is incredible to me that people have confidence in it when you can see these sorts
of, and look, this is the biggest, but we've seen billions of dollars worth of crypto go
walkies and you know, North Korea has dedicated its state resources to doing this.
I mean, you know, at what point do you just say, I don't know, that being involved in
this stuff is a great idea?
I mean, there's many reasons why being involved in the cryptocurrency world is
not a great idea, and this is one of them, but there are certainly plenty of others
as well, you know, environmental concerns and the giant thing, the whole thing kind
of being a giant effect, kind of giant Ponzi scheme like this.
Yeah, yeah, yeah.
Just don't, dear listeners, just don't.
Meanwhile, I'm going to link through also to a piece from Daryna Antoniuk over at The
Record talking about how someone's compiling, they're basically putting out those Trojan
versions of Xcode. So when people create apps with them, they're Trojans and they're using
that to steal crypto. And this isn't new. The only reason I mention it is because we
actually talked about that a couple of weeks
ago about like, hey, remember when they were doing that with Xcode?
Turns out they still are.
Another one from Daryna, the EU has actually sanctioned a North Korean general, Lee Chang-ho,
who's a 58-year-old head of the North Korean Reconnaissance General Bureau.
They did a bunch of, you know, Lazarus stuff.
Lee was involved in Lazarus and also involved in deploying North Korean personnel to fight
in Russia, fight Ukrainian troops in occupied areas of Russia. So, you know, a lot going
on there. But then, you know, coincidentally, we have this wonderful report out from Chainalysis talking about crypto and
bad stuff being done with it.
It's a mixed bag because it shows that sanctioned jurisdictions and entities received 15.8 billion dollars of cryptocurrency in 2024,
which accounted for about 39% of all illicit crypto transactions. But more broadly,
illicit transactions were actually down by 25% or
so year on year.
But it's, you know, Chainalysis do great work and this is a terrific report that if people
wanted to understand the state of bad stuff happening in the cryptocurrency ecosystem,
it's not a bad place to start.
Yeah, there's a bunch of interesting insights in here. And I think the thing you said about the volume being kind of down in the last year, I think
the 2023 was kind of an outlier looking at the graphs, these sort of the general trends
where 2023 is just like wildly more than the previous year and 2024 is kind of in line
with that.
Anyway, but there's a bunch of other interesting insights, things like how cryptocurrency gets used in Iran,
for example, and when they saw things kicking off
between Iran and Israel, the kind of amount of cryptocurrency
facilitating capital flight out of Iran.
There's a bunch of details in here
about some of the sanctions,
because we've often talked about, you know,
there are places in the cryptocurrency ecosystem where it makes sense to apply pressure, on exchanges, on tumblers,
things that facilitate the use of it for crime, and, you know, we've seen quite a lot of sanctions
targeting some of those kinds of areas of that ecosystem. So yeah, like if you are impacted by,
you know, financial cyber crime,
understanding how people cash out and what that looks like, you know, is an important part of that process. So definitely worth a read, I reckon.
Yeah. And funnily enough, Tornado Cash, according to Chainalysis, is down,
but not out. People are still using it, right?
But the volumes are down somewhat. I will say too that like, you know,
you and I, we are crypto skeptics.
We think that there are a lot of illegitimate uses for it that and
and you know the legitimate uses don't seem to sort of outweigh the negatives
often but I will say too that 16 billion dollars in the context of like all
OFAC sanctioned entities doesn't actually seem like that much if I'm if
I'm honest, but let's keep an eye on that number over time, I would say.
Yeah, exactly. Yeah. Now, crypto wars, crypto wars.
There's been a big spat between Apple and the UK government.
Apparently, you know, a short time ago, some weeks ago,
I think the British government asked Apple to, you know,
develop a capability that would allow them to retrieve evidence from
iCloud accounts that were protected by advanced data protection. And what it looks like
has happened is Apple said, yeah we're not going to do that, so they're just
turning off advanced data protection for the UK market. So that means no one can
actually enroll in advanced data protection and those who are using it,
which means all of their photos and everything are like end-to-end encrypted,
they're going to be given a grace period where they have to turn it off themselves. Otherwise,
Apple's just going to presumably nuke their stuff out of iCloud or maybe just lock it up until they
go through that process. You know, interesting development because we've seen these sorts of
things bubble up before and usually the government's back down. But I guess that's
what's interesting in this case is
that's not how it worked out this time.
Yeah, that is normally how it goes.
And we've seen lots of kind of hand wringing about this,
but there's actually a few bits of nuance, I guess, in here.
Like one is advanced data protection enables end-to-end
crypto with end-user-controlled key material
for a reasonable amount of iCloud services and properties, but not all of them. There are some
that are already end-to-end crypto that are not included in this kind of conversation, and I'm
curious as to whether the UK's technical capability or whatever, also extends to some of the other things that are
not ADP but are end-to-end encrypted, like which kind of bits of iCloud, and that certainly could
be clear in Apple's communications. And then, yeah, there's the bigger kind of like given the
relationship between, you know, in America, you know, where Apple being an American company,
like the relationship in America and the rest of the world
and the American political situation at the moment,
now is not a great time for walking back.
It doesn't feel like it's a great time for walking back.
Some of this kind of end to end stuff.
Technical protections for privacy, yes.
Yeah, so it's gonna be an interesting, you know, next few years and, you know,
I'm not quite sure how this is gonna play out, you know,
because we've seen tech companies, you know,
like Signal we're gonna talk about in a second,
kind of playing brinkmanship with governments.
And governments, as you say, mostly have backed down,
but, you know, governments may be feeling
a bit emboldened lately, I don't know.
Well, look, my opinion on this is, I wonder, right,
just ignore what's happening in the United States,
ignore what people's attitudes are with regard
to trusting their government in the United States
at the moment.
Just think about this from a UK perspective.
Are Britons better off, you know,
is their privacy better off
and their general security better off
with Apple having done this?
Cause Apple's whole rationale for introducing these features,
and I was on the press call, right? Their rationale for introducing this feature was very sound.
They're like, look, we see mass scale data breaches quite regularly. We fear that it's a matter of
time before something like this happens to us. And indeed, there was the whole scandal years ago,
like a decade ago, when celebrities photos got leaked
because people were brute forcing iCloud passwords
and whatnot.
So they've kind of been there.
So they're like, we're gonna put ourselves in a position
where if we have an incident,
the impact of that is gonna be somewhat contained.
Excellent rationale, I agree with them.
And now they're just turning it off for everyone.
Like instead of allowing selective decryption.
Now, look, it's one thing for them to say,
oh, but we can't because it's end to end encrypted.
I mean, look, they have control over the handsets.
They could do this if they wanted to.
They could certainly introduce a silent feature
that would migrate their users
away from the encrypted version of their iCloud.
It would take some changes to iOS or whatever and they wouldn't want to do it.
And I think there are good reasons they wouldn't want to do it, but they can't argue with a
straight face to me anyway, that this is something that they are technologically incapable of
doing, right?
That's just, to me, that's just silly and a little bit disingenuous.
So I think this is complicated.
I think that people in the UK are worse off because of this and I think this move
is, you know, there's politics in it, which is that people in the UK can now point to the government
and say, look what you made Apple do, and Apple gets to come out of this looking certainly shinier
than the government does there. But look, you're right, and we don't like to talk about American
politics on this show, but there's been some pretty alarming
developments in the United States with regard to recent appointments to the FBI. We just saw this
morning actually that Trump has revoked the security clearances of everyone at a law firm
that he doesn't like because it had done government work that he disagreed with.
So it does look like, certainly at this point,
that the US is sort of sliding towards
a more authoritarian system of government.
And I can understand why people would want to cling
to these sort of protections
because they do protect you against governments
that don't respect the rule of law.
And, you know, I'm gonna get comments and dislikes on YouTube
and angry emails and stuff, but it does really look like the rule of law in the
United States is, you know, it's not over, but it's not on the right trajectory.
No it's certainly not and you know it you know it's defending against your own
government obviously that's kind of not how these things work right but when
you're defending in a global context against multinational companies that,
where other governments in their world have different interests,
things do get kind of complicated.
And end-to-end crypto is one of those controls that ultimately is pretty straightforward.
Math says no.
Well, I disagree with you.
You know I disagree with that.
You know, math said no unless you do something
on the endpoint that makes it say yes.
You know what I mean?
Like, come on, man.
Yeah, yeah.
But in the case of the UK, right, it would, you know,
the only really pragmatic solution is that Apple provides
law enforcement access to end devices, right?
They don't change it globally,
but they provide an entry point for legitimate access to go deploy an implant on a device.
I think, you know, where I've landed on all of this is I think there is actually room for the
lobbyists for the major technology companies to work with legislators and say, look, we will
consider building some sort of access capability,
but we want to overhaul surveillance legislation so that it's deployed only in the in the instances where it's really
important. When there is a murder investigation, large scale corruption, terrorism, counter espionage, you know, these are
the sorts of things where we're happy to help. But it will require changes to the law. And I think that's the only thing I can think of
where the last thing the tech companies want to do
is build some sort of capability
and then the local constable at a police station
is all up in someone's iPhone because reasons, right?
I think there is room for a lot of this to be renegotiated
and I just can't see it happening at the moment,
just in the current climate.
Things that we can't even agree on basic stuff like,
you know, vaccines and climate change,
let alone really complicated nuance issues like this,
where, you know, there are complicated equities
to trade off, you know?
And even, we were editing today's Risky Bulletin,
and there's a story about an Italian priest
getting Paragon spyware'd by presumably the Italian government because he was involved in
migrant shipping across the... like he was a priest on a migrant boat across the Mediterranean.
And that doesn't feel like the sort of thing that legitimate law enforcement
access should be used for, but they were buying tools and using them in that context, allegedly.
It's just a really complicated set of issues and we're bad at simple issues.
So yeesh.
Yeah.
Yeah, that's right.
And meanwhile, something similar happening in Sweden at the moment, which is the Swedish
government is demanding some sort of backdoor in Signal or message recovery,
whatever you wanna call it.
And the Signal Foundation president, Meredith Whittaker,
had said, no, we will in fact withdraw
from offering our service to people in Sweden
if this is what you insist upon.
And the Swedish government is saying,
well, look, crime is up over the last decade
and we need this capability to try to get a handle
on serious organized crime and blah, blah, blah, blah, blah, and Signal said no.
So let's see if Signal winds up being withdrawn from Sweden as a region, much like Apple has
withdrawn advanced data protection for iCloud from the UK.
Yeah.
I mean, in the end, Signal will commit corporate seppuku before they do that, whereas Apple
kind of big enough, has enough investors,
you know, they're not gonna in the end
walk away from their whole business
because they get surveillance demands
that are like, Signal probably would
because they're a nonprofit and that's kind of,
that's their whole thing.
So, you know, but both are interesting
to watch how they unfold.
Yeah, that's right.
What else have we got here?
The Black Basta ransomware crew has had a whole bunch of its messages leaked. Fun.
Fun. I find it interesting that SIGINT agencies get involved in combating
ransomware and all of a sudden there's like massive infighting. But this
probably, this actually looks like organic infighting, to be honest. Yeah, and
why not both, right? Yeah. You know, these kinds of groups are made up of a whole
bunch of people working online, in forums and message groups and whatever else. I think this
was all chats on the Matrix platform. And yeah, people talk a lot of crap on the internet, so it
it's no surprise that some of this stuff is kind of funny to read. But yeah, like a couple of
hundred thousand messages from inside Black Basta over the course of a year. So yeah, there's some juicy insight. Somebody's loaded
it into a GPT engine so that you can ask questions of it without having to read all those messages
in Russian. And yeah, it's just kind of funny seeing all of the inner dirty laundry that
comes from running a crime operation.
Well, the most important bit of the goss, I think, and I think we've got Dan
Goodin's version of this piece linked to in the show notes this week, is,
and I'll quote from it, it turns out that the personal financial interests of Oleg,
the group's boss, dictate the operations disregarding the team's interests.
So, yeah, apparently just like a bad boss situation and, quote,
under his administration, there was also a brute force attack on the infrastructure of some Russian banks.
Yeah, which means people were getting a little bit nervous about, like, hey, maybe don't, you know, crap where you eat, and
yeah, a lot of them defected to some other crew and whatever.
But I would also think too that if you were a Western SIGINT agency with access to a ransomware-as-a-service platform,
maybe doing a few brute force attacks, you know, with no payloads deployed, against Russian banks might be a good way to stir up
this sort of drama. Just saying. Exactly, exactly. Yes.
Spooks are creative and they will have lots of fun on target, I'm sure. Yeah, now another one from Daryna
Over at the record and we covered this in Risky Business
News the other day, which is now called Risky Bulletin.
I'm sorry, you can subscribe to that at Risky.biz.
But there's some QR code based phishing for the Signal app, basically allowing the attackers
to add a device to a Signal account so that they can then operate that account as if it
were their own.
And they're doing this, it's Russians doing this, and they're capturing devices on the battlefield
and then getting access into those signal accounts and then using that to spread more QR codes and on and on and on.
I mean, I don't like this linking devices feature of Signal.
We've talked about it before. I don't do it. I don't use Signal on the desktop. I like it on my phone.
iOS, I think, is a more secure platform than Mac OS, and I'm totally happy for it to just live there.
But yeah, what are your thoughts on this one, Adam? Yeah, I mean, it's a smart methodology, right?
Because your attack options against Signal are on the endpoint or link a device, right? That's
basically what you've got. And some of the tradecraft here is kind of interesting.
Like they have a group chat.
They'll have a group chat with a bunch
of malicious QR codes in it, and then invite people into it.
And then they read the scroll back
and check out some of the QR codes.
So you've already got like scroll back
that establishes legitimacy,
which kind of feels different than just, you know,
starting a social engineering phish right from bare. Like when you've got that to work with
that's kind of interesting and then yeah as you say using captured devices on the
battlefield as a method to then send it to contacts and so on and so forth so
yeah interesting kind of tricks and yeah to be honest that signal feature it would
be nice if it was kind of off by default or gated behind some kind of thing for the people receiving them. I'm with you, but
yeah, I just don't like it as a feature. I don't think, you know, you can always
socially engineer people into turning stuff back on, you
know. I just don't like it as a feature. I understand why they have it, it's sort of
table stakes for a messaging platform these days, but yeah, don't, don't like it. Yeah. And also Electron.
I assume it's still Electron.
Yeah, the Signal app was Electron.
I'm not sure if it still is, but yeah, I do not do not like Electron either.
Although we haven't really heard.
I think we've heard of a couple of issues in the in the Signal Electron app, but it's,
you know, a cut above, not surprisingly, right?
Yes, it's good.
Now we've got one from Samantha Cole over at 404 Media.
This one's real interesting. Meta is suing this guy Idriss Qibaa, who ran the Unlocked 4 Life extortion scheme, where this guy would basically take over or ban people's Instagram accounts, get them banned and then sort of sell them back to them and figure out how to un-, he would sell the unbanning of them.
But he was also threatening to kill people whose accounts he'd taken over, like, you
know, you've got to give me money to unban your account and if you don't I'm going to
kill you.
You know, this seems like it would be more of a criminal kind of indictment than a lawsuit,
but I guess Meta has taken things in, you know, taken matters into its own hands and
they're doing it through the civil courts.
The reason I wanted to talk about this one is, you know, for half a decade now, I've
been talking about how Meta's, like, account handling, particularly with Instagram, is
just terrible.
You know, I've personally worked with people who have had their accounts taken over by
people who've abused things like trademark violation complaints and stuff to say no no this person is impersonating my brand
when really it's the other way around and they'll just do it and there's no
solid appeals process or anything like just truly truly woeful stuff and I mean
you know it's great that they're suing this guy but you would hope that they
would actually put some effort into fixing this. I've always thought a paid for support service for this would make a
lot of sense because meta just stretched their people too thin because they got
so many accounts and this is the result. This stuff like this happens. Yeah, it's
pretty messy. I mean in some cases he was able to ban accounts like basically
same day because he would sell the account banning service to some people
and would also sell the unlocking service and fake likes and all of the other kind of social media fraud
Sorts of things apparently he was making what like six hundred thousand dollars a month
Well, he claims he boasted that he did 600k in one month
And who knows if that was his regular income, but either way it was worth doing for him
Yeah, exactly. And then all sorts of other, you know, nasty stuff that he was doing as well. So yeah, kind of good that Meta is going after them, but as you say,
their account handling is pretty woeful and too much automation,
not enough sense is the vibe that you get from them.
Well, and impossible to get human review quite often.
And when there is human review, it's obviously someone who's spent five seconds
looking at it and just said, whatever, next. It's a mess.
Yeah, it is. I mean,
given what it must cost them in lawyers to go after these people.
Like you think you could go plow some of that back into making the process a
little bit. That would be good.
Support costs for something like Instagram, man.
You even want to marginally improve that it's going to cost you money,
but it's not like Meta is broke. And again, I think, you know,
we did see a glimmer of hope. They've got some of these
like, you know, Meta for Business Services and whatever, and that is going to be better, right?
But yeah, they need massive improvement there. Link in the show notes to that one. Now we've
got a blog post from Cisco Talos, who've looked at the way Salt Typhoon is doing its salt typhooning.
And they're doing some cool stuff with basically
what, like, you know, chaining their shells through a bunch of Cisco devices and whatever.
You talk us through this one, Adam.
Yeah, it's a good write-up of their general tradecraft.
Cisco Talos is somewhat at pains to point out that it's nearly all not Cisco bugs.
They're using Cisco's to pivot through, but they're not actually exploiting that many
of them, which, you know,
maybe a bit too much protesting there. There's a lot of credential reuse to get access and then technical means for getting more credentials out of Cisco.
So once you're in the network routing infrastructure, you've got lots of great options for sniffing creds off the wire.
In the case of routers that do authentication via RADIUS or TACACS, you can usually turn that into
clear text credentials off the wire. I know I've done that in the wild. It's good times.
And if that's AD integrated, now you've got password access on with Active Directory,
and it's great times being in the network plumbing. And that's really kind of where
Salt Typhoon is and what they're into. There's some other specifics about the things that they do on
the underlying Linux of some Cisco devices, which is good for, you know, seeing some of their tradecraft there.
There's also a great trick where they can use routers in the network to pretend to be somewhere else. Like if you're on the network path between A and B, you can pretend to be anyone from
A to B and they can use that to bypass access lists and other controls for moving onwards.
And that's once again a thing that telco hackers have been doing for a long time.
But when this is described as like super advanced and well resourced and it's a thing that I've
been doing for 15, 20 years,
It makes me feel good.
Like I feel like I'm super advanced.
I'm not well resourced, but I'm super advanced.
Go me.
You're reasonably resourced.
I'm reasonably, Insomnia was reasonably resourced, I guess.
But not like Chinese intelligence services resourced.
But yeah, so I quite enjoyed it just because I love
telco hacking gubbins.
And yeah, just useful detail, actual technical detail
about what they do and how they do it.
Yeah, and the way they were pivoting around and stuff.
That's the bit that I found interesting as well,
which is just like router to router comms, but it's them,
and it looks all normal, and it's pretty cool.
That's what I meant by chaining together their shells.
And no EDR on those platforms.
And yeah, it's just. I got an interview with one of the Corelight people coming up next week actually talking about how,
yeah like just specifically yeah Salt Typhoon they just go where the EDR isn't which you know
you can read that as like oh EDR doesn't save you it's like well it can only save you where it is
where it exists and the fact that attackers having to go around it and hit stuff that doesn't have it is actually more of a good news story about EDR than
a bad one. But anyway, yet one more from Daryna Antoniuk over at The Record and
Thailand is about to receive 7,000 people who've just been freed from these
scam hubs in Myanmar by a militia. Crazy.
Yeah, I mean, it's so wild around some of these border
regions in Myanmar.
The militia is, I tried to, I read a bit about
like Myanmar politics and like how these militias
relate to each other and the government and so on.
And it's all very, very confusing.
Anyway, they are handing over 500 people a day into Thailand you know like showing up on a
bridge handing them across to the authorities there and you know I guess
even if the political motivation of these groups are kind of complicated
shutting down scam centers is still is still good so you know yeah thanks.
Yeah, that's right. I just want to mention it quickly but there's an IVF provider in Australia called Genea
who've apparently had some sort of data breach.
This is obviously making the news here and I just sort of wonder at what sort of response
we're going to see or what sort of response are we not going to see that still occurs
as a result of this given, you know, ASD and the AFP have this whiz bang task force that
was put together by our previous Home Affairs Minister, Clare O'Neil. So it'll just be interesting. I'll be watching out for signs of
activity on that one. We've got another story from James Reddick over at The Record, which is a
federal contractor that supports the US military's healthcare system will pay an $11 million fine,
basically to settle allegations that it lied about hitting federal government cyber security
compliance standards. So we'll drop a link into this week's show notes on that. And just quickly, Adam, one thing that's like our reading list item
this week is Mike Burgess, who is the Director General of ASIO, has given his annual threat
assessment for 2025. It's available as a YouTube video and also there's a transcript here that I've
published. It's just an interesting read. One thing I admire about Mike Burgess is he has always been much more sort of transparent about what Australia's domestic intelligence agency is actually focused into the thinking of, you know, an intelligence leader from a five eyes country.
You know, although he does focus mostly on, you know, domestic stuff.
It's still a very interesting read, but mate, that's actually it for the week's
news, but do hang around because now we're going to chat with this week's
feature guest, who is Lina Lau.
Lina is the founder of Xintra, which does cybersecurity training and makes all
sorts of cool, like, cyber ranges and stuff, and she wrote a blog post this week or last
week actually called An Inside Look at NSA TTPs from China's Lens, and what she
essentially did was pulled together a whole bunch of Chinese incident response
write-ups and wrote them up in a, more in the sort of Western way, I guess.
And this has gone massively viral, resulted in a bunch of press coverage and controversy.
Lina Lau, thank you for joining us.
Thank you for having me.
How did I go with the summary there?
Yeah, I mean, I assumed most Western people weren't sitting there on WeChat reading Chinese blog articles in Chinese. So
that's exactly what I did. I took a bunch of articles that were written about a specific
incident that happened and then just rewrote it to match the Western audience. Because Chinese
threat intel write-ups tend to be a little scattered in how they approach the writing.
Yeah, like they don't write their reports the same way that we do in the West, right?
No, no. Yeah.
And that's been the interesting thing here. But the response to this, I mean, first of all,
why don't we just talk about what you learned by actually going through this process? What was
interesting here? I guess for me, because my background is an incident response, I came at
it from the angle of wanting to understand the TTPs that were used. So for me, what was interesting
was that they actually tracked three different
threat actors that they attribute to North America. So the NSA TAO group is APT-C-40. They also track
the CIA as a separate unit, they break that out. And then there's also a third group called APT-C-57
that they haven't really published much about. So they actually track three different
orgs in America.
Yeah. Well, I mean, that makes sense because they are, they do have separate crews much
like, much like everyone else. Now, to be clear too, this, this campaign was first,
it was, it was a hack of like, what was it? Like some sort of university in China. And
they first spoke about it publicly in 2022, but it looks like it was a very like long
running campaign. And there's some nice overlap there with things like the Shadow Brokers tools, which eventually got,
you know, disclosed publicly in, what, 2016 or whatnot.
But to be clear like this is not ongoing like as far as we know this isn't describing activity that's happening now
This is historical stuff. This is historical stuff. No. This is not 2025, 2024. This is in 2022, they received phishing emails that they attribute
to the NSA. And then that led to the convergence of two security firms, 360 and then CVERC,
which is like the Chinese CERT team, to collaborate on an incident response investigation. And
basically the write-up that I wrote were my learnings from the IR reports
that they had published. And these are the only two companies that published these IR reports on
what actually happened. But based on the IR reports, it was clear that the NSA was allegedly
breaking into this university over the course of an entire decade.
Yeah. I mean, I was just thinking, like, as you said, that if they received these phishing
emails in 2022, and that's what led them to discover this,
holy dwell time, Batman, basically,
is what I was thinking.
Yeah.
Yeah.
So look, you alluded to the differences in the way
that Chinese companies write IR reports.
Like, what are the most striking differences there?
Because you did mention things like not only just differences
in reporting, but differences in thinking
in the way that they do IR.
Yeah, I guess the first thing is normally in Western reports, you just get a report
that says, oh, Mustang Panda hacked into X company without much attribution as to why
do we think it's Mustang Panda? Most of their IR reports start off with attribution
and how they performed the attribution and how they linked it, which isn't something
that we normally get in our classic Intel reports.
You just get, okay, this tool is linked to this, but not much more than just like an
IOC being linked.
The second thing that I noticed was a lot of the IR activity that happened from the
two firms was based on a lot of collaboration with even foreign governments.
They didn't specify which ones, but I'm guessing it was some of the neighboring countries that were also used as proxy servers for the attack.
So there was a lot of collaboration going on.
Yeah, right. And included, they actually managed to dox some of the front companies that were
used to like obtain IPs and whatnot. And it's just amazing. Like as you say, like this is
all stuff that's been out there publicly, but no one actually, I think because of the
language barrier, no one really tore it down and like rewrote it into something sensible like
you have here. Yeah, I think it's more than that. Like Chinese firms don't really, they don't rely
on publishing blogs on their website like, you know, Western companies do. They rely on pushing
news cycles through WeChat, and most of the security researchers read these write-ups
on WeChat in Chinese.
So unless you're sitting there stalking WeChat, you're not going to be refreshing 360's company site and finding every single report there,
because they don't publish everything on their website.
Yeah, right. So basically you have to be a Chinese speaker who hangs out on WeChat, which apparently you are.
I've got to talk to my family somehow.
Yeah, that's right. All right.
So what do you make of the reaction to this?
Because it has been uneven.
Everybody seems to have an opinion on this.
I think initially when we spoke the other day about it, you were like,
yeah, I put this on my personal blog because I didn't want to link it to my company
because I thought it might be a bit controversial.
So you were expecting that perhaps it could be controversial, but maybe not this controversial?
Yeah. I mean, I think that everyone is reluctant in the Western world to really publish or talk
about what's going on, especially with Five Eyes threat actors. But at the same time, I think,
you know, there is something there that we could learn from in terms of how we perform
detections and just get a better understanding of what it is that we're doing and how the whole ecosphere works and how all the different countries interact.
I wasn't really expecting people to think that I was the one saying that the NSA hacked into China.
That I thought was very clear that I'm not the one saying this. That surprised me.
Yeah, right. So you're just saying the Chinese said this?
Yeah, I'm just getting information that's on WeChat
and expressing it to the Western audience, basically.
And I guess the final point that I wanted to say
was that it surprised me a little bit
and made me realize that most Western audiences
probably aren't as attuned to what's going on, allegedly,
with the Five Eyes governments and what their operations are, what their toolkits are. It kind of elucidated that maybe we're not as educated on
what, you know, the Eastern countries are saying about Five Eyes. Yeah, I think there's also reasons
why, you know, we don't talk about that because Five Eyes agencies aren't typically targeting the
sort of companies that Western IR firms are doing IR work for, right?
So I think also when people do stumble across like Five Eyes infrastructure, perhaps by
accident, it's not something they're going to put in a report because they don't want
to undermine the goals of the governments, right?
And that's just how it be.
And that's a question for you.
I can't imagine that you would have done original reporting, right?
If you had to found Five Eyes stuff, you'd be like, well, I'm going to leave this alone,
right? Yeah, of course. Yeah. Yeah.
Did you think that, like the way the Chinese attribute this to the US was like, do we do
we expect the Five Eyes to be better at not getting snapped? Because that's kind of their
whole shtick, right? Is not being caught in the first place. It's like, do you think that how they got snapped here was interesting? Or is this just
work a day, you know, every day in Chinese universities? So I think that the attribution
to the NSA, they can only base that on the evidence that they uncover during the incident
report. But with that said, it's not unusual for different threat actors and
APT groups to leverage tools that are attributed to a different threat actor and try to get
a misattribution occurring. So that's definitely something to think about.
Yeah, I mean, I did find it interesting here that when they went back and looked at some
of this stuff, they found tools that had since been publicly disclosed in the Shadow Brokers
leak, right? Which made the attribution pretty solid.
But yeah, it is, and again, I mean,
their dwell time was a decade, right?
Some of these exploits, some of the things they're using,
like exploits in Solaris boxes and tooling,
because there was so much good stuff in Shadowbrokers.
And yeah, it's fun seeing it all used in the wild in a way,
seeing how they use FOXACID,
which was their exploit-from-the-side,
using their passive collection network
and seeing some of the other stuff they were using.
I did like the bit about attribution
based on unique US public holidays.
Yeah, no hands on keyboard during Memorial Day and weekends.
I like it, I like it.
Yeah, yeah.
Yeah, that's it.
All right, we're gonna wrap it up there,
but look, thanks so much for joining us on the show
to talk through your blog posts.
We're gonna drop a link into this week's show notes
for everyone to read.
Thanks again.
Thank you.
And Adam, that concludes us as well.
Thanks a lot for joining us for the news
and to chat with Lina and we'll do it all again next week.
Thanks.
We certainly will, Pat, and I'll see you then.
That was Lina Lau and Adam Boileau there with a check of the week's news and a chat about Lina's blog post.
It is time for this week's sponsor interview now with David Cottingham and Daniel Schell from
Airlock Digital. Airlock Digital makes an allow listing platform which I love. I
think it's a terrific bit of technology and you know if you run a high security
environment it's one that you should definitely take a peek at. But they
uncovered some really funny research actually. One of the reasons Airlock does so well is because the baked-in Windows allow listing stuff like WDAC
is actually pretty difficult to use at scale.
But some, some people have done some research on this which is quite funny,
which is if you can get disk write permission on a targeted
host, you can actually rewrite the WDAC rules to prevent EDR from loading. So you can introduce an allow listing rule that says if it's not signed by Microsoft, don't let it run, which is obviously
very useful to attackers. So I'll drop you in here where Daniel Schell explains that research. Enjoy.
So yeah, so some research came out late last year. It was really interesting where someone thought about,
how can they disable security controls on Windows?
And what they did decide to try was using the Windows Defender
Application Control, so they allow listing functionality
natively in the Windows 11 platform,
to block all non-Microsoft code from running.
And they then built some tradecraft around this
to package it so you can run it against remote machines, run it locally,
deploy it as an EXE or through inline assembly and such like that.
But at the end of the day, I guess what the research showed or
what they've proven is that if you've got admin rights as a user,
you can drop a WDAC policy file into a folder on Windows, reboot the system, and
it will read that and it will then respect that policy.
And you know, the one, I guess the example policy
is like only trust Microsoft signed files
and therefore all EDR and other drivers and everything
is just not allowed to run.
Yeah, I mean, it's a really clever idea
when you think about it,
which is if you've got write permission,
you know, privileged write permission on a disk somewhere,
you can just implement that as a policy
and the next time there's a reboot, all of those protections are gone.
That's it. The services won't start, the drivers won't load. It's as if it wasn't there.
Now they've implemented this as like an executable, right? Which obviously you would be able to
block because, you know, allow listing, et cetera. But ultimately the only primitive
you would need is that disk write.
Yeah, that's it. So yeah, they've made some tooling around it.
They call it Krueger is the name of their project.
And yeah, but they drop the file in the folder and reboot.
Now from a WDAC side of things, like you think about, well, what's the controls in that?
It's sort of an interesting story as well because by default, anyone with admin rights
can apply a WDAC policy.
But if you want to protect yourself from that occurring, you actually need to implement
a WDAC policy that's signed.
And then you can have a flag as well that requires that future updates to that policy
will also be signed.
So you have to turn that on.
Well, and I'm guessing not many people have actually done that, right?
Because they're not using WDAC.
So why would you bother?
Yeah, and that's exactly it.
And there's no way to turn off WDAC.
And in fact, that's probably a bad idea anyway,
because you've got the Windows,
the recommended driver block list rule.
And so there's all these Windows security functionality
that's all like built into WDAC at the moment.
There are some deny only policies in there
at the moment as well.
So you can go remove all the policies but
again, someone can just copy that file and it's back. You can only disable policies,
you can't disable the feature.
Theoretically they could do this with your software as well, couldn't they? Or are your
policies all signed when they're written to disk?
Well, yeah, I guess at the end of the day, it would stop our code from loading as well.
Because again, that policy that they create.
No, no, I just mean like,
could they also write to like the Airlock policy file
and get Airlock to start blocking stuff?
Yeah, that's a little bit different
because we've got tons of sort of encryption and such.
So I guess rather than signing,
you can't just go modify our policy.
And also our policy sort of like,
don't transfer between customers and
stuff like that very easily, and there's a lot of protections in our agent like anti-tampering. I guess the admin rights isn't enough,
because you wouldn't be able to stop the service to replace the files and all this other stuff as well.
But there's a lot of layers there that would be less effort, and if you have admin rights at that point
it's probably not the best use of your time.
Yeah, yeah. So I guess the question becomes like how should the EDR companies best deal with this?
Do they have to have some sort of, you know, would they just have to watch that file for changes sort
of thing and like be able to detect when someone's writing a malicious WDAC policy? I mean that seems
like it would be pretty hard to do. Yeah, it's a tricky thing because it's, okay, there's a couple things. I guess one part would be
just detecting, maybe, ourselves, a policy file written to the folder that Windows stores them in. I guess that could be a detection.
But then if a customer is legitimately running WDAC, that's gonna happen all the time.
It's not, there's sort of like, it's not a malicious policy file.
It's one that's generated through the Windows app control wizard.
It's saying trust is the default one to trust Microsoft files.
So it's yeah, it's a challenge.
So here's a question for you.
Can you use Airlock to actually allow list a WDAC config file?
We could at the end of the day, as far as preventing it being implemented
while our service is running.
I think that's at that level of control.
So the stuff that me and David talked about was when someone writes a WDAC, like they
will see a header, like a magic header to these files.
So we could go, someone's trying to write a thing to this folder, don't deny it.
Or unless the file itself is allow listed.
So we just treat it as a script or like in the product. Yeah, just treat it as any other file.
Yeah, so we go, well, before WDAC can be applied it needs to be trusted by Airlock, but
no customer should be running WDAC and Airlock really side-by-side anyway, that they understand.
Crazy, so you should be able to just nuke that or a policy anyway.
I'm just thinking of the edge case that only comes in when Windows Update comes and pulls down some new driver block list.
Well, they have a new driver, like they update the driver block list all the time and stuff like that.
So it's gonna be interesting. But then again, which process is allowed to do the Windows updates? Okay to do it.
Well, that's it. Yeah, so there's a way around that. Krueger.exe is not...
Mitigation is a lot of the endpoint vendors have,
you know, tried to stop the executable
or flag the packing of that Krueger executable.
So, Windows Defender, when you get that EXE on the box
and try and run it, it actually detects it as a WDAC.
What did it, what was it called, Daniel?
It was WDAC something.
The detection was like, it was a malicious WDAC policy
because it came from the executable,
but the policy itself wasn't necessarily the bad thing.
Yeah, like as soon as I compiled it, the defenders like, eight different detections, right?
Because it's, you know, they've put that in the defs.
The tooling's in the defs, but the tooling is not the problem here possibly.
The tooling is good on mass scale.
You know, this is just one facet of a bigger problem right now which is just, you know,
attackers using LOLbins.
You know, it's not new, right? This has been around for a very long time, but it's become
just standard attacker behavior. And you really get the sense, David, and I want to hear from you
on this. You really get the sense that this is because they have to do this because EDR is
actually doing a reasonable job of detecting like malicious binaries and files and when
those things execute and start doing weird stuff. So, you know, I guess you might say
this is a good news story.
Yeah, absolutely. The bar has been raised so high now that it is a more viable option
for, you know, many more sophisticated attackers to utilize LOLbins to achieve their objectives
than to, you know, try and, then to try and write code which is avoiding
signature or behavioral based detection.
At the end of the day, if you can become the administrator, just like the identity boundary,
you want to steal creds, you want to blend in.
If you can become the shadow admin in the environment, that's the best place you want
to be as an attacker, and LOLBins are just across that path and enable that to happen, because it's not unusual for an administrator to use
an administrative tool.
Yeah. I mean, I think also it's not just about LOLBins per se, but abuse of, you know, other
trusted bits of services and platforms. Like we saw from the CyberCX report recently
that we spoke about on the show, actually it was a case study that
kind of was released around the same time about an attack against a Pacific organization. Gee,
I wonder who could have been behind that one. Where they were using Microsoft's eDiscovery tool
to do exfil, and how are you going to instrument a detection for that? So I think it's spreading,
you know, beyond the OS platforms and into, like, cloud service platforms as well.
But this just seems to be the, you know, the, the contemporary way that attackers think, I guess.
Yeah. And I think as a vendor, you know, your Microsoft, you want to make the platform more
usable and more, you know, oh great, I've got this functionality at my, my fingertips,
but that value cuts both ways.
Like, for example, they put OpenSSH in Windows Server 2025.
So now you've got a native Microsoft-signed
OpenSSH capability inside the OS.
You don't need to bring it or even, you know,
install the feature.
It's just on disk or ready to be invoked.
And I actually did a bit of work where I looked at,
you know, the number of files that were
included in Windows operating systems over the last 10 years. And between Windows 10 Long-Term
Servicing Branch and Windows 11 23H2, I saw a 46% increase in files. And I know that file
counts don't necessarily equal features. However, it highlights a significant increase in code,
at the very least and therefore
complexity.
And it's hard for us as consumers, even us in our position where we look at abuse of
these utilities, to understand all those changes because it's not really readily available
unless you really dive in and reverse this out yourself. And what I would say is that organizations should really
preference the use of long-term servicing channel builds of Windows wherever possible,
because between Windows 10 LTSB 2015 and Windows 11 LTSC 2024,
there was a 21 percent increase in the number of files
rather compared to the consumer edition,
which was that 40 percent odd number.
So it's sort of showing that the consumer version of Windows has about 20% more stuff
than what the actual enterprise builds do. So, you know, if you as a company can use
the enterprise builds, build your SOE on that and that just cuts out a whole bunch of stuff
that's just kicking around that you're probably not going to use anyway.
Yeah, but you're still looking at an awful lot of stuff there that will be used.
And I guess, I mean, I guess this comes back to the point of like Windows host hardening.
There's not all that many tools that do it well.
I mean, obviously yours is one of them.
And I do feel that like with the EDRs as this stuff becomes more and more popular,
they're going to need to have a bit of a think about, you know,
they're going to have to think about some fundamentals here in terms of how to deal with this because they were the
next generation of sort of AV. I mean they're very good at spotting funny
stuff happening right, but they do sort of come from a time when endpoint
security was a lot about files executing on your Windows box and that's not, you know,
that's changing, I guess.
Yeah, the challenge is, you know, at the end of the day, security is about constraint.
And the challenge for any security company is how do I implement security and not impact
anyone ideally, you know, so that constraint is this gigantic circle which is drawn around the entire customer base.
I think the tooling where we need to get to is you can define your constraints as a customer.
So you as a customer are the only ones that know that you don't need WMIC anymore,
or you're not using WMI in your environment.
Well, to find that out is a difficult thing and far more difficult than it should be as it is. But let's say you could, you know you're not using it, then to be able to define that and
say I want to turn that off really starts to provide that security uplift. And it's something
that we're pushing into in our tooling. You know, allow listing's a great control. But it's really
about beyond that, let's start to cut down on that attack surface by commonly
abused utilities.
And that's where you, you get another significant bump in security improvement.
But context is king.
Yeah, we did a demo recording recently, which is published to our YouTube, just showing
off the latest version of Airlock.
And that was something that was interesting there, which is you can kind of use an allow
list to constrain the use of a platform to something
that resembles an SOE actually better because you've got more granular control. But you know,
it almost feels like the days of trying to rely on a standard corporate SOE are like kind of done
at this point because there's just too much stuff. There's too much stuff.
Too much stuff. You used to be able to pare it back much better. You know, I would encourage
people as well to use Windows Server Core
wherever they can for their workloads, at least it cuts out a lot of the GUI aspects
and a lot of the applications just won't run because they need a user interface to actually load.
So, you know, deploy that, that cuts down on it.
Again, Windows long-term servicing builds and then when you're building your images,
just try and cut out as much as you can if you don't need it.
Less is more. It really is. Yeah. Alright, Dave Cottingham, Daniel Schell,
thank you so much for joining me for that discussion. Interesting as always.
Thanks Patrick. Thanks Patrick. That was Dave Cottingham and Daniel Schell there
from Airlock Digital and that is it for this week's show. I do hope you enjoyed
it. I'll be back soon with some more news and analysis for everyone, but until
then I've been Patrick Gray. Thanks for listening.