Risky Business - Risky Business #782 -- Are the USA and Russia cyber friends now?
Episode Date: March 5, 2025

On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news:
- Did the US decide to stop caring about Russian cyber, or not?
- Adam stan...s hard for North Korea's massive ByBit crypto-theft
- Cellebrite firing Serbia is an example of the system working
- Starlink keeps scam compounds in Myanmar running
- Biggest DDoS botnet yet pushes over 6Tbps

This week's episode is sponsored by network visibility company Corelight. Vincent Stoffer, field CTO at Corelight, joins to talk through where eyes on your network can spot attackers like Salt and Volt Typhoon. This episode is also available on Youtube.

Show notes
- Sygnia Preliminary Bybit Investigation Report
- Verichains Bybit Incident Investigation Preliminary Report
- North Koreans finish initial laundering stage after more than $1 billion stolen from Bybit | The Record from Recorded Future News
- Risky Bulletin: Trump administration stops treating Russian hackers as a threat - Risky Business
- Did Trump Admin Order U.S. Cyber Command and CISA to Stand Down on Russia? (Story updated)
- Russia to redeploy resources freed up by end of war in Ukraine, warns Finnish intelligence | The Record from Recorded Future News
- FBI urges crypto community to avoid laundering funds from Bybit hack | The Record from Recorded Future News
- Risky Bulletin: Cellebrite bans bad boy Serbia - Risky Business
- Belgium probes suspected Chinese hack of state security service | The Record from Recorded Future News
- Gabbard: UK demand to Apple for backdoor access is 'grave concern' to US | The Record from Recorded Future News
- Elon Musk's Starlink Is Keeping Modern Slavery Compounds Online | WIRED
- U.S. Soldier Charged in AT&T Hack Searched "Can Hacking Be Treason" – Krebs on Security
- Google Password Manager finally syncs to iOS—here's how - Ars Technica
- Gmail Security Alert: Google To Ditch SMS Codes For Billions Of Users
- Massive Iran-linked botnet launches DDoS attacks against telecom, gaming platforms | Cybersecurity Dive
- Microsoft-signed driver used in ransomware attacks | Cybersecurity Dive
- London member of 'Com' network convicted of making indecent images of children | The Record from Recorded Future News
- Volt Typhoon & Salt Typhoon Attackers Are Evading EDR: What Can You Do? | Corelight
Transcript
Hey everyone and welcome to Risky Business, my name is Patrick Gray.
We'll be chatting with Adam in just a moment about all of the week's news and then of course
we will hear from this week's sponsor, which is Corelight.
And yeah, Corelight make the industry standard NDR sensor, so if you're looking for something
to stick on your network just to collect security relevant information from the
traffic traversing your network, that's a great place to start. Of course Corelight
maintains Zeek, which is open source, so it's an open source NDR sensor, and they
also have commercial versions and whatnot as well. Vince Stoffer is Corelight's
field CTO and he's joining us to talk through a few things, really. They just published a
blog post about the Typhoons, the Salt and Volt Typhoons, and really noting how
attackers are going where the EDR isn't these days and how, you know, you might want to spin
up some basic network detections, which seems like sensible advice in this year of our Lord
2025. That is coming up later, but first, let's get into the news with Adam.
And just off the bat, if I seem a little off today, everyone, it's because there's a cyclone
about to land on my head.
So I'm getting today's show out the door and then I'm taking a couple of days off because
it is going to be absolutely wild here.
But yeah, Adam, let's start the discussion with a follow up on the Bybit attack.
Last week, the thinking was that the North Koreans had actually managed to get
malware onto devices at Bybit.
It turns out that wasn't the case.
But funnily enough, that doesn't actually change most of what we said last week.
Yeah, the details have come out that the
North Korean attackers actually did this by updating the JavaScript. It looks like
in the AWS kind of CDN that belonged to SafeWallet, the people who make the
multi-signature wallet that Bybit use in their environment, and these
attackers, which, like,
I'm just gonna straight up say it,
like we've said lots of nice things
about North Korean technique and hacking,
but I gotta hand it to them with this one.
Like this is so good.
So they did this essentially blind using only write access
to an S3 bucket that contained JavaScript
or maybe a CDN in front of it, we don't know for sure.
And this was set up to only target the wallets of Bybit.
So they had poisoned this JavaScript
for everybody in the world that used the web interface
for SafeWallet, but they only targeted the one wallet
from Bybit that contained a billion and a half dollars.
So that's pretty slick, I gotta say.
Yeah, now funnily enough, off last week, you know, there was a bit of a discussion: should they have used a
you know single-purpose device like an iPad or whatever and I was saying well
no, because, you know, for 1.5 billion you could probably buy a 0day anyway, and
the real thing that you have to do is have a process around being very
careful with when you whack the yeah okay button on your hardware wallet and that advice still stands because indeed you know you could you
could just be dealing with you know poisoned chunk of JS and it's gonna do
the same thing you've got to pay attention to that to that hardware
wallet and funnily enough like even in the week since we published our last
podcast you know just looking through exactly what
they had to approve on the hardware wallet and how similar it was to the regular stuff
they would approve.
I think that was a thing, the thing that really did, I mean, it was a change of a single digit
on a very long string, wasn't it?
Yeah, basically there was a whole bunch of arguments to the kind of the API into the
wallet that they were calling.
And yet in order to spot that difference,
you really would have had to have been checking,
you know, a piece of paper, some kind of process,
or have a wallet that understands
your particular transactions,
which once again, for a billion and a half dollars,
you probably could do with some custom code there as well.
But I mean, overall, none of this really changes
the fact that Bybit needed to verify what they were doing and they didn't.
Yeah, well, I mean, they thought it was a much smaller transaction, I think, in the order of like $100,000, but that's the point, isn't it?
Yes, that is exactly the point. And the North Koreans, they just, they nailed this. They got it so good.
So yeah, my hat is unironically off for them. I'm totally standing for North Korea now
I mean you're you're totally like hoping for Korean reunification, right?
So that these people get to come in from the cold and we get to talk to them
Absolutely because I bet they got plenty to contribute to the rest of the world if they could do something productive with their time and efforts
Yeah. Yeah. Now this is you know, we, we are not endorsing North Korea or the regime there, but yeah, boy
oh boy, do they have some good hackers over there.
Meanwhile, their laundering is pretty on point too. Something like 20% of the funds they've stolen are already untraceable.
I think, you know, authorities have recovered, you know, tens of millions or something. But yeah, 400 million, gone.
Yep.
They managed to get that through some mixes somewhere and get it to the point where it's
no longer traceable.
The rest of it, I mean, modulo the very small percentage that's been seized or frozen
or that they understand where it is and have some cooperation.
Everything else is still in the wild.
And yeah, the North Koreans also know how to launder it turns out because there's so much money sloshing around in that kind of Southeast Asian cybercrime
ecosystem that they can use to hide their transactions in that it'll be gone in days
I expect.
Yeah, I mean I said 20% and then I saw from this story that I'm looking at, which is Jonathan
Greig's one at The Record, that it's 400 million, which is clearly more than 20%. So this is a fast moving target, right?
Yeah, yeah, it certainly is.
And it's big money.
So yeah, good work.
You know, take it easy, man.
Let's not go too crazy with the praise for the evil empire
over there in North Korea.
Now, there's been a huge flap over the last few days because several reports emerged
saying that various bits of the US government were being ordered to like stop paying attention to
Russia threats, right? So in the case of Cyber Command, the order was apparently that they should
stop preparing attacks and conducting attacks against Russian targets.
And then we saw some reporting about an alleged memo
at CISA where people were told to stop reporting
on Russia stuff as if it was a national security threat,
obviously very controversial.
Then CISA came out and denied it.
And that's become interesting because no one knows
whether or not to trust CISA anymore, which is a hell of a sign of the times, right? When you're actually saying,
well, we're not sure that we believe this statement coming from CISA. And I think that's
the real story here. When it comes to the Cyber Command stuff, that's not actually unusual
given what's happening here. The United States is seeking to, now whether you agree with
this or not, they're seeking to normalise relations with Russia. And putting a pause on offensive
actions is a very standard thing to do when you're entering a period of negotiation that
is seeking to normalise relations. Now you can say that it's a nuts thing to do in terms
of trying to seek that normalisation, but if that's what you're trying to do then this action isn't so weird. The CISA stuff
does seem weird though. We've got Catalin's report linked to in this
week's show notes which I think is excellent but then Kim Zetter has come
along and really looked at well what on earth is happening here and who do we
believe and she's done a tremendous job. Yeah, now that there's both of these write-ups are pretty good at kind of
untangling the sort of the complicated back and forth here. So like in the case
of Cyber Command there is the things that are already going on like the
ongoing actions inside Russian networks that may get paused. There's also
planning for future operations and preparatory work for future
operations and pausing that would be, I guess, a bit more unusual in the context of a negotiation
or things going on.
And that's a thing that could have, depending on how long things are paused for, stuff gets
stale, so it can have a longer running effect.
Kim also noted that I think the Department of Defense
has already come out, just recently has come out
and said that that's not the case,
that Cybercom hasn't been told to stand down
on offensive operations.
So we are still stuck in this case of,
well, what do we believe anymore?
What's going on?
Is this happening?
Is it not happening?
Is it, you know, we've seen all sorts of, like,
bait and switch stuff with Trump, with, I'll say,
Trump entities, Trump organizations and staffers and stuff, where, you know,
they'll say something crazy and then walk it back immediately after the effect.
And we saw that with like sanctions on Canada or whatever else.
Well, kicking Canada out of Five Eyes, I think is the one you're thinking of.
Kicking Canada out of Five Eyes, that was that was the one.
Yeah. Yeah.
Where, you know, it kind of has the necessary effect,
but they don't have to wear the consequences of saying it.
I don't understand, you know,
American politics is so wacky today, these days.
So, who knows, man, who knows?
Yeah, I mean, I just think Kim's done a really good job
of unpacking the coverage and how it's unfolded
and like what we know and what we don't,
but it's very confusing.
Meanwhile, the Finnish intelligence service, according to this piece by Alexander Martin,
is warning that, you know, if the war in Ukraine wraps up,
that's going to free up Russian operators to do a lot of other stuff,
which I think is a reasonable thing to be concerned about.
I'm sure everybody still wants to see an end to that war.
But this will be one of the effects.
Yeah. Yeah. I mean, Russia's been tooling up, you know, both in terms of arms manufacturing,
in terms of like a war footing for the whole economy, as well as, you know, intelligence
services and hacking and things that we cover, that yeah, like if all of a sudden they have less
to do, they're going to go do something else, and that's a concern, especially for, you know,
the Baltics, you know, people like Finland and Estonia and so on, that are right up in Russia's face as it were.
Now we've got a hilarious headline here from Joe Warminsky over at The Record, which is
FBI urges crypto community to avoid laundering funds from Bybit hack.
This is an interesting approach, the FBI just asking people not to launder money. Why didn't they try that before?
Please, how about, how about, just for a moment, how about maybe don't do crimes? That's the FBI's advice to you. Just all be nice to each other.
I've just had an idea, why don't they make laundering illegal? Now that's
something, maybe yeah. What about all of the horrible stuff? We could just make it
all illegal and then that would solve the problem. Good job. Yeah obviously we
screwed up the order there and that story was supposed to be part of the
discussion, the broader discussion about Bybit,
but hey, it's a cyclone coming down. I'm sorry everybody.
Now let's talk about
the system working.
So we've got a write-up here from Catalin, again, in Risky Bulletin,
all about Serbia and Cellebrite. And I'm saying it's Celebrite,
we've always said it's Celebrite, but Adam, you went off and fact-checked that and apparently it is
Cellebrite. They have banned Serbia, so they've fired Serbia as a customer after
it turned out their tools were being used to do things they didn't agree with
which is good but it also looks like what's happened is Amnesty International
has teamed up with Google to figure out exactly what bugs were being exploited by
Cellebrite to do this. I think they were planting malware on people's devices. Is that right?
Yeah, so they were unlocking the devices to then plant malware, and they were unlocking it using Cellebrite tools that appear to, from
you know, the work that Amnesty and Google did, be kind of USB
bugs, or bugs in the Linux kernel USB stack, that Cellebrite was then using.
Okay, so the interesting thing is here though,
that not only has Cellebrite fired a bad customer,
which we like to see,
but they've also had to pay a cost here,
because Amnesty International and Google
have got together, figured out the bugs,
and they've patched them,
and that's gonna hurt Cellebrite.
Now, you know, Cellebrite doing the right thing,
so how badly should they be hurt?
This gives them extra motivation to be more careful
about their customers in the future, right?
So that's why I described this whole thing
as a story about the system working.
Yeah, yeah, and I agree.
Like, they are having some cost imposed on them,
and that's good.
It will make them think twice about who they give their tools to or they sell
their tools to. Um, and it also makes, you know,
every bug that we get patched is good overall. Uh, and you know,
it's interesting like Amnesty provided the sort of the technical artifacts off
people's phones and then share them with Google and then they work together to
identify the bugs. And so that cooperation is also quite nice to see, you know, from an organisation
like Amnesty, technical organisation like Google, everyone working together and, you
know, in the end the real losers here I guess are the Serbian government officials who signed
off on this plan.
Yeah, yeah. Daryna Antoniuk over at The Record has a report about the Belgians looking at it.
They're launching an investigation into their state security service, which is the VSSE.
They apparently got owned as part of that whole Barracuda device thing.
So that was back in 2023 when, yeah, it turned out that Chinese APT crews
had a presence on, like, you know, zillions of Barracuda email gateways. And this is one
of the ones where when authorities sounded the alarm, they just dug in deeper, even though
everyone was going to do an incident response and, like, those devices had to go through
log chippers, you know, pretty awful violation of norms really. But it's just
interesting seeing the fallout of this extend into 2025. Yeah, yeah, it's interesting. Some
interesting detail here is that the Barracuda in question was on the outside of their network and
handled, you know, relaying mail to and from some external entities, which included things like
HR communications,
which if you're working in an intelligence service,
personnel files are perhaps kind of more sensitive
than average, plus some other interactions
with government entities and law enforcement and so on.
The reports also said that they had siphoned off
10% of the agency's incoming and outgoing emails
between 2021 and 2023.
And that's interesting because the Barracuda bugs became public in 2023, right?
So that suggests that the Chinese were in there with them a good couple of years beforehand.
So you know, good dwell time there.
Yeah.
And I mean, we've seen time and time again over the years that, you know, you can get
a lot of good stuff by targeting unclassified systems
because this wasn't classified stuff, right? But if you get on the Barracuda belonging
to a defense contractor, we saw this with the Chinese going after various specifications
for the F-35 years and years and years ago. Stuff that wasn't classified probably should
have been, but yeah, it wasn't classified just popping up in mail spools. So you know, there you go. Now we've got a report from Suzanne Smalley where Tulsi Gabbard, who is the Director
of National Intelligence in the United States, is gravely concerned about this alleged technical
capability notice that the Brits dropped on Apple, which resulted in them withdrawing advanced data protection from the UK region.
I think this is an appropriate thing for the DNI to take a look at.
I mean her argument here seems to be, well the Brits wanted to be able to get access to American data as well.
I don't necessarily buy that. I would suspect that a TCN of that type would be limited to a particular region,
right? So they would have been demanding access for a certain region, but that's just me guessing.
Right? So I think a little bit of this is like tub thumping, but I also think it's appropriate
that the DNI take a look at it, right? Where did you land on this one? Yeah, I think I agree
with you there. Like it felt a bit like posturing in the way that
it was being communicated here but ultimately like if Apple has to be in a position to provide that
capability to the UK it increases the chance that other people are going to ask for it and if they
have to make changes to support it that could weaken protections elsewhere or we can you know
make it more straightforward for other people to get hold of that data through legal
or whatever other means.
And that's a concern for American regulators.
I think it makes sense for them to go have a look,
understand the implications, understand from Apple,
you know, like what's the actual implementation
of this gonna look like?
And what are those controls and safeguards
that restrict it to British jurisdiction?
You know, what do they actually look like?
How do they change it?
Well, I mean, there aren't gonna be be any changes, that's the whole point.
But I think it is interesting, like it would be interesting to look at exactly what the Brits were asking for and how,
and what sort of changes that could result in, I think is more what this is about, you know.
So I think that's good.
Yeah, I think so too. It's important information to have and just kind of useful to understand,
because Britain won't be the only jurisdiction that asks for this kind of thing.
Now let's talk about Starlink again.
So I was a Starlink customer for a little while when I had, funnily enough, storm damage to the internet infrastructure around here
and I had to subsist on Starlink for a while. I think it's an incredible service.
Very frustrating to use if you're doing content like I do,
because the upload speeds are atrocious.
I'm talking like three megabits per second, like really bad.
But it is a remarkable achievement.
It's a remarkable product.
But I have never seen so many captchas in my life
as when I was using Starlink, right?
Because there is clearly a lot of abuse emanating from Starlink IPs, right?
So every second website, you'd get a captcha, which was amazing.
And, you know, this next piece kind of supports the idea that, you know,
of why that might be happening.
We spoke a week or two ago about how the Thai government had cut power to certain
regions to take off, take out the power of these scam
compounds.
They also cut internet connectivity and whatnot.
Funnily enough, at the time we spoke about, well, I wonder how granular that was and whether
it impacted civilians.
I heard subsequently from someone else who pointed me to some work from The Economist
that it did actually affect civilian populations in some remote areas.
They were having trouble getting fuel and electricity and whatever.
So it is a mess.
But it looks like they found at least a solution to the internet connectivity problem,
Adam, and it is Starlink.
Yes, and not just one, like a whole bunch of Starlink dishes
bodged on top of their scam compounds.
We've seen pictures out there of, you know, like these sort of the roofs
festooned with
Starlink dishes at a number of these compounds.
And this story from Wired looks at some of the other options that they've had to do to
get connectivity into these places, which are in many, in this case, are on the border
between Myanmar and Thailand.
So there's quite a lot of using Thai mobile networks, so just buying SIM cards
and getting on the mobile network, you know, even though you're geographically across the
border, you're close enough for signal. They're also buying, you know, wired access from Thai
ISPs. And I think there's some suggestion they might have like strung fiber across the
river between the two countries to get connected. Whatever gets the job done seems to be the
main takeaway here.
And Starlink, it's not fun, but when you're working in a, when you're human trafficked
into enslaved labour, the quality of your internet uplink probably isn't really very
high on the list of concerns of your captors.
So if it gets the job done, then clearly they're using it. And Starlink and SpaceX have, I guess,
received a bunch of information about where these places are.
And maybe there's options for blocking it
based on geographic location.
But that for them has been a thing.
They've been a little bit.
So far, it feels like they've been a little bit reluctant
to actually go ahead and do.
Well, but why?
Why?
That's a good question.
If they can identify which terminals, as opposed to just turning off service in geographic regions,
because we've seen in the war in Ukraine where they were turning off coverage as the borders,
or as the edge of the conflict moved around, that's kind of one way to do it.
The other is if you identify the individual subscriber terminals
and turn them off, then great.
But Starlink dishes self-report GPS coordinates,
you know what I mean?
And there's going to be ways you can mess around with that and do
spoofing or whatever.
But like it just feels like they don't really do a lot.
And as I said, this is why I was seeing captchas for a few months,
like constantly, right, is because it just doesn't seem like they do a lot to address abuse on the network,
which ties in seemingly with Musk's sort of broader ethos.
You look at X nowadays and it's just crawling with Nazis and whatever.
And, you know, it's just very light touch moderation and abuse.
Yeah, you can definitely see how X's abuse moderation could spill over into SpaceX and how they
police use of the network.
So yeah, it's not good.
It's not good.
Now we've got a spectacularly hilarious follow up here from Brian Krebs about that US Army
soldier who was behind a lot of those Snowflake hacks.
What was that? A year or two ago.
This guy basically self-doxed himself to Brian, or to the world really, but it was Brian who
pulled the threads and found out who he was and then he got arrested.
And now he might be looking at, he's in a bit of trouble, Adam, and the whole thing
just looks worse and worse for this guy.
Why don't you walk us through the guy's Google search history, because that's just so good.
So, Brian's headline, which is a beautiful thing, is,
"US Soldier Charged in AT&T Hack Searched 'Can Hacking Be Treason'".
Which, that's not, if you're Googling that, you're not doing particularly well.
But his other searches are also not great. For example:
"Where can I defect the US government military which country will not hand me over?"
So I mean, bad grammar, not gonna get great results, see.
That's, again, not making good life choices, if you're Googling that.
He also googled US military personnel defecting to Russia,
he's clearly considering the Snowden route,
and embassy of Russia, Washington DC.
So that might be a handy thing to have
if you are going to be a walk in there.
So yeah, along with his hacking treason,
not a good time.
No, not a good time.
I mean, I don't expect that he's gonna be charged with treason, but that's not the sort of thing that tends to count in
your favor when it comes time for sentencing, you know what I mean? Like
it's just, it's just innate. No, it's really not a good look, and yeah, I
wouldn't enjoy being his defense lawyer. Now let's talk about the Google password manager being synced to iOS. Man,
credential management in 2025 should not be this hard and confusing. There are steps afoot to try
to make it easier. You're not exactly a huge fan of all of this. Walk us through exactly what's
going on here. Because we've got another story too, about how Google is replacing SMS MFA with
QR codes for Gmail authentication.
Like all of these major services are starting to make big changes to the way
they authenticate their users and sync their various credentials, whether they're
pass keys or passwords or whatever.
And the whole thing, it just feels like a bit of a mess or maybe I'm just getting old.
I don't know.
Certainly the auth ecosystem is a lot more complicated
than it used to be, but that's because we used to have
username and password and most people had one password
that they just reused everywhere and that kind of level
of simplicity is not realistic.
And I guess that's what we're kind of comparing again.
So yes, it's getting more complicated,
but no, it was not working well.
So what they're proposing at this point is, if you are using passkeys for authentication, right
now if you use passkeys across, like if you only use passkeys in Chrome on a
desktop, then everything works as you would expect. The browser stores your
passkeys, you use them to auth, everything is great. If you're in the Apple world and you use Safari on your Mac
desktop or you use iOS, those passkeys are stored in your iOS keychain or in the Apple
iCloud keychain, so they're synchronized between your Apple devices, but they aren't
shared with other browsers, and if you are a person that moves between Chrome on desktop and,
you know, mobile Safari on a phone,
then your passkeys are not shared,
and it's kind of confusing.
So what Google has done is done the necessary integration
work with Google's password manager on iOS
that you can use Google Password Manager's synchronized
and stored passkeys in Apple apps and in
the browser and then they will also sync across to your desktop and everything. So
in that particular use case everything now synchronizes well and it's that's
that's a good user experience improvement you know for the subset of
users that are in that kind of you know in that configuration. Well but I mean
that that is kind of the default configuration these days which is people
use Chrome on their computers and they just use Safari on
their iPhone. I'm one of those people. Yeah, and me too, right? And that's
how I work as well. And this, you know, I have been kind of, you know, it's a
pain having two sets of passkeys, one in the Google key store and one in the, you
know, in the Apple Life key store. So synchronizing, that's useful and good. But
the problem with passkeys overall
is that they are just more difficult to understand,
and the threat model is more difficult to understand,
and trying to explain a passkey to a boomer is difficult.
And if it syncs more, that's good,
but then of course there's also the risks
of how far does that syncing spread in corporate environments things get more complicated.
And this is where the whole passkey ecosystem starts to get concerning, as if you're a CISO and you're trying to understand where are the authenticators for my staff.
Now things are a bit more complicated.
So this is funny because, like, a very minor sponsor of this show is Yubico and their COO comes on basically once a year
and does a soapbox conversation where he'll always say something like, well, these things are a bit
complicated and difficult to manage for enterprises or whatever. And you know, this is why hardware
keys have a role, blah, blah, blah. And you always get comments and mail saying, well, of course he'd
say that, he's the COO of Yubico. And it just consistently plays out
the way he says it's going to play out a year later,
which is funny.
So I'm presuming that this also synchronizes
passwords and whatever.
Yeah, so passwords were already synced
across Google Password Manager.
And you could use Google Password Manager in Chrome
on iOS or on Mac OS.
So yeah, that was already the case.
I don't like credential managers,
which is why I didn't know that, but anyway.
I've got it written down on a piece of paper somewhere.
That's a perfectly, perfectly cromulent solution.
Yeah, exactly.
It's not a normal piece of paper, I like it.
Exactly.
The other thing, SMS.
Oh yeah, yeah, yeah, yeah.
Yes, so there was an article in Forbes
which quoted a source at Google saying
that they are going to introduce QR code authentication
as a replacement for SMS second factor,
which I think is a pretty universally good thing.
It's not perfect, but it's definitely better
than the current situation.
So the way this will play out is instead of doing,
when you user-and-password auth to Google
and then you have to provide a second factor,
instead of SMSing your code,
which we've seen SIM swapping make complicated,
you will instead be shown a QR code,
which you have to scan with your phone.
And that QR code is going to,
we haven't seen the implementation detail,
but the way I imagine that will work
is that will launch Google Password Manager,
or Google Authenticator, sorry, on your phone,
which will then call back into Google and say,
hey, this is device number 437 blah, blah, blah, blah.
I have seen this QR code.
And that does the same thing as SMS second factor,
because the ultimate thing you're trying to do
is bind the phone that existed in the user's possession
at the time of enrollment to a phone
that's in the user's possession at time of authentication.
And that will be able to do this in a way
that's less phishable and also avoids
SMS traffic pumping schemes which unfortunately is
probably the main reason they're doing this rather than security is because it
will save them some bucks. I mean this is this is the one time that we defended
Musk on on this program which is when they they binned SMS MFA for like
non-subscriber you know for people who weren't paying for a subscription and
people are saying oh they're making security, you know, something you
have to pay extra for. But that really wasn't it. It was just that the fraud, they were having to
pay so much for fraudulent SMSs going to virtual telcos in Tuvalu or whatever. It was actually kind
of reasonable that they did that. But I do wonder, because one of the reasons the majors have not wanted to do this previously
is because there are a subset of users out there
who don't have smartphones, right?
So I don't know how this is gonna play out for them.
Yes, I mean, I think if you are in that circumstance,
this is going to be a hard problem.
And the alternative of what, falling back to phone call,
same problem with SIM swapping.
Yeah. And same problem with call forwarding. But then again, I mean, if you're someone who's just using a dumb
phone, you're probably not a prime target for SIM swapping, you know what I mean?
I mean, probably. Once again, yeah, probably not, you're right. But, you know, also
older people with those kinds of setups are probably also reasonable targets for
scams, so, like, it is difficult to come up with something.
Cause you know, if you're sitting there at Google
and you're trying to design the auth scheme,
you've got to design something that works from,
you know, everywhere on the planet,
all the different, you know, like amounts of coverage,
of quality of devices, of, you know, social circumstances,
of all of the like other complicated things that happen.
You know, even things like naming people
is different around the world like it's just hard
To come up with a universal solution and there will be losers whenever they make any change like this
Yeah, I'm just wondering if they're gonna completely kill SMS auth,
that's all, or whether or not they're just gonna change some defaults or whatever. I guess we just have to wait and see.
Yeah, we will just have to wait and see, because there are probably gonna be some edge cases where, you know,
it really is the only option, but it would be nice if it wasn't the default.
Because right now, getting to the point with many services where you don't want, where
you want to disable SMS-based auth, you just have to take your phone number away from them,
because otherwise they'll use it.
And so it's difficult to disable that if that's the only tool that you've got as a user.
Yeah. Now let's talk about a confusing botnet.
We got some reporting here from David Jones over at Cybersecurity Dive.
There's this massive botnet that's been linked to Iran
that is responsible for the biggest DDoS in history.
But we've looked at the numbers. Well, you've looked at the numbers.
And it's really hard to tell like what's going on here
because like apparently this botnet has more capability than there should be like
connectivity going into Iran in the first place.
And like apparently most of the botnet is actually based in Iran on Iranian devices.
It's all just very confusing.
Like what do we know here?
So this botnet, Eleven11bot, seems to be mostly made up
of compromised Hikvision devices,
so cameras and network video recorders.
Some researchers from, I think it was Nokia's,
like, network defense unit, said they had seen
six and a half terabits of sustained traffic from this thing, which,
like, that is a lot of packets, from about 30,000 sources. GreyNoise set up
their, you know, kind of honeypot network to detect connections
or packets from devices running this malware, and they saw something in the
order of a thousand endpoints hitting their sensors over a month. So, you know, a
small fraction of the overall estimate of 30,000 devices, and of those thousand,
something like 60% were in Iran. Now that doesn't necessarily say the whole
botnet's in Iran, and certainly getting six and a half terabits out of Iran,
Like I went and tried to look up like how much international capacity is there out of
Iran and numbers range between three and maybe six terabits.
But those numbers are also very hard to, that's like Iranian government boasting numbers.
And then looking at the actual cable capacity of like subsea cables in the
Persian Gulf. You know you can't just look at a cable number and go all of that capacity is
available to Iran because it's shared with all its other players and blah blah blah. Anyway,
the net results we don't really know except there is quite a lot of packets flying around
and you know anyone getting hit by six and a half terabits of traffic
is probably gonna fall off the networks.
They're probably quite effective,
but as usual, who knows, right?
It's so hard to say when you're operating on a fraction
of the information and a fraction of the visibility.
Yeah, I mean, I think it's just, yeah.
I mean, that's a big number, right?
So that's why we're talking about it.
Wish we had better intel for everyone out there
to tell you exactly what's going on.
The why as well, we don't quite know, but yeah, I suspect we'll be talking about that
one a little bit more in the future.
Just a pretty workaday story here from Rob Wright over at Cybersecurity Dive, which is
that there is a, what is it, Paragon Partition Manager driver.
So this is one of those legitimate Windows signed drivers.
It's being used in ransomware attacks because it has a bug in it. This is, you know,
bring your own vulnerable driver is something that we've seen a zillion
times but I guess it's a good news story because Microsoft will probably just add
this driver to the recommended driver block list which will be rolled out I'm
guessing through some sort of update and then they'll have to find another
vulnerable driver to do this sort of thing
Yeah, exactly. That's exactly the other thing: the driver lets you basically have arbitrary kernel exec, kernel write. So that's a bad time. But yes,
if you're running Microsoft's updates, then you're probably not vulnerable. So that's good.
Yeah, and these sorts of drivers are often used to do things like, what, stop EDR, encrypt disks, all that.
So we saw that with like Shamoon in like 2010
or whatever it was.
You know like.
As I said.
But back then no one checked the signatures on anything.
So it doesn't matter, you could just, yeah.
So it's a good news story.
It's a good news.
The fact that we actually check signatures
on kernel drivers, that's good news.
It is, it's a good news story.
Yeah.
And finally a piece from Alexander Martin
that we're not really gonna dwell on is that this guy Richard Aamer, I
don't know how you pronounce that, he's from East London, linked to the comm,
he's been convicted of making indecent images of children, looks like you know
the typical thing where they you know befriend quote unquote a youth online
and then coerce them into producing that sort of material.
I mean this is the sort of stuff that's revolted in you know real trauma, suicides, all sorts of
stuff, horrible horrible stuff. He's been arrested, hope he goes to prison forever and has a really bad
time there. Yep amen I am with you on that one. And yeah just for those who aren't aware people
who harm children generally do not have fun in prison,
which is why they're often segregated, but not always.
Sometimes there's clerical errors,
so something to keep in mind.
But that is actually it for the week's news.
Adam, thank you so much for joining me.
And I should let everyone know too,
like normally tomorrow I would be posting
Seriously Risky Business and whatnot,
but I'm actually gonna be, well, I'll be in my office the next couple of days, but I'm probably gonna be sleeping
in it with my family because it's the strongest part of the house so I'm not
gonna be around so thanks in advance for filling in for me for all of my risky
business duties and big thanks also to our new producer and editor Amberley
Jack so thanks thanks to you guys and I guess hopefully I'll catch
you next week mate.
Yes, yeah yeah well best of luck to you Pat, time to go batten down your hatches and yeah
good luck.
That was Adam Boileau there with a check of the week's security news. It's time for this week's sponsor interview now with Vincent Stoffer, who is the field CTO at Corelight Networks.
Or is it Corelight Networks or just Corelight? Anyway, it's Corelight. They maintain Zeek, which is the open source network detection and response thingy.
And they make their money by selling basically Zeek setups that can deal with unimaginable amounts of network data.
Very cool stuff.
And yeah, so Vincent has written up a blog post
for Corelight, which we've linked through to
in the show notes, which is really looking
at how Salt Typhoon, Volt Typhoon,
these Chinese APTs that are doing some pretty scary stuff
about how they're just going where EDR isn't, right?
They're going to these blind spots of enterprise IT environments and critical
infrastructure environments because yeah, you can't put EDR on your ancient Cisco
box that's vulnerable to CVEs first disclosed in like 2018 or whatever, right?
So that's basically the gist of the blog post.
But, you know, the good news here is that Vincent, I guess, you know, for anyone at
Corelight, they
feel a bit crazy because anyone who's just doing some extremely basic NDR is going to
spot this activity.
So I talked to Vincent all about that and I started off by asking him what sort of detections,
what sort of simple detections are getting the best results or the best yields?
And here's what he had to say.
Yeah, I think for the stuff we talked about in the blog specific to kind of Salt
Typhoon and Volt Typhoon, finding some of those initial access attempts are places where we can shine, right? So we identify,
I don't know, a few hundred different types of VPNs, and we look across a bunch of different protocols, right?
So it could be IPsec, it could be, you know, over TLS.
It could be a bunch of different protocols. So we use a variety of techniques to identify those.
And then just label them and put them into the metadata so you can examine, ah, let's
see, who's using which VPN type from what place to where.
So it'd be pretty quick to pick out an unusual set of originating hosts and using it as a
strange VPN provider and going to, let's say, something
like a router or a firewall or a switch that you would not expect to be having that sort
of traffic come from.
So I think even examining something as simple as management access to places that you wouldn't
expect to or from is super powerful and something that the network level visibility can get
you at all devices that you have that sort of level of monitoring at. Yeah, well, how do you recommend people control access to those devices,
management interface? I mean, this is something that I work on with another startup, but like,
what's your, you know, recommended approach there? I mean, I think there's, you know, a pretty simple set of kind of risk-based management ideas
there that are not rocket science, right?
I mean, you want to use kind of local networks
for management, you wanna have those locked down,
you don't wanna have things available from the outside.
I mean, some of the examples of what we saw
in these breaches were routers and switches
being exposed to the internet, for goodness
sake, right?
Even if it's over SSH, that's just not common sense, nor is it part of a good security program.
So you want to have layers of defense, and one of those layers should be managing your
devices with good ACLs, with segmentation, with management infrastructure that's controlled
and is using a least common denominator approach so that
only the right people are getting in there.
But that sounds like a lot of work, Vince.
Let's just put it on the internet and cross our fingers, I think seems to be most people's
approaches, right?
Yeah, and I think things like Shodan and others have limited that in, you know, almost blaming and shaming people for doing that sort of thing.
But it's certainly still out there. And when a new vulnerability comes out or, you know, even one that's been around where these devices aren't patched,
then people are going to be scanning for it. People are going to find it and people will abuse it.
So you may have been safe six months ago, even though this thing was exposed to the Internet.
But now someone else has published a nice little blog about a new way to get into a
Cisco router and you haven't updated your router.
So I think a lot of the guidance that CISA provides is just this really common sense,
straightforward approach to making sure your devices are patched, making sure your ACLs and access control and user access
is maintained and use a belt and suspenders to make sure that you're watching these things with
not just network tools but also with your logs, with your syslog, making sure that you're auditing
the access and any sort of changes that are happening with these devices as well. Yeah, I mean that's all good advice. I mean what would you say the lift is in terms of
being able to get spun up with some basic NDR? I mean Zeek is open source, right? So
it's not like people have to write some huge check to get started. I mean as you pointed
out like a lot of your enterprise customers, they're pushing a lot of packets, right? And
that's where you guys really make your money.
And you know, the open source version of Zeek is perfectly adequate for
probably most organizations out there.
You know, what, what would you recommend they do in terms of like a strategy
just for rolling out the, the open source version of this?
I mean, are you talking about just putting one north-south sensor
in and, like, what, you know, what sort of GUI or monitor, what is your
recommendation for a bare bones Zeek deployment for anyone who might be listening to this
who thinks, yeah, it's probably a good idea that we watch some of this.
Yeah, I mean, it's a good question.
There are certainly a lot of projects out there that attempt to bundle Zeek with some
other tools, probably Security Onion is the most popular out there, right?
But if you just go and download Zeek and install it yourself,
it can take quite a bit of a learning curve just to get it kind of up and
running even though it's you know it's become easier with package managers and
such but I think going for one of the pre-bundled distros and just being able
to spin up a VM, plug into a span port at the edge of your network somehow and
start getting that data into a place where you can search and store it.
You know, there's plenty of ways to get started on that without a big investment and it will immediately yield results, right?
If nothing more than being able to identify what's coming in and out of your network in terms of, you know,
the number of devices, the sort of software they're running, the types of unencrypted traffic that you can see right out of the gate, and then thinking about how you could go and start building some detections or using
some other packages that the community has available.
Yeah, I mean, ultimately you want to be doing something internally as well, but what you
seem to be saying is like, for goodness sakes, just start by dropping a sensor at the point
that your network connects to the internet.
Seems like a sensible idea.
Yeah, I mean, I think we generally
see a maturity curve of that sort of network monitoring,
and that's where it starts, right?
So you've got to start by just finding out what's
coming in and out of the door.
And once you have that, then you'll
start to become addicted to that data, right?
You'll start becoming reliant on it and saying,
oh, I wish I had this on my data center A,
or maybe I wanted on some high value assets, my AD servers,
or my DHCP and DNS servers, some of these things
where you put network monitoring right in front of,
you will then start to get a lot more context
about that other data that you're capturing elsewhere,
including from other tools like EDR or others.
Well, and I would have thought the more interesting thing
is when you actually see something from
Zeek which you're not seeing anywhere else, because that's what these
Attackers seem to be doing is they're just avoiding the most common detection stacks assuming people aren't monitoring networks
So, you know, you might actually find well
Let me ask you is it the case that quite often people find stuff that is only
showing up in Zeek and it can't be correlated against other log sources.
That is a big red flag right there.
Yeah, absolutely.
I think primarily these dark corners of the network that just end up hiding devices and
things that people forget are either on the network or unintentionally put them on the
network, right? For example, we run a bunch of OT protocol analyzers, and so we've got maybe a dozen
of those that run BACnet and Modbus, et cetera, and show those off.
We don't focus like some of the other companies on that specific part of the market, but we've
got visibility for it on the network.
When we were introducing this capability, we went to a bunch of our customers and said, okay, we're going to test
some of these OT analyzers out and on your network because we have some research partners where they
allow us to do that. And they said, sure, go ahead. You won't find anything, right? There's none of
that stuff connected to our IT network. You got to love it when they say that, right? Yeah. You know
where this is going. So every single one, we found, you know, at least one if not several devices that whether they were, you know, HVAC controllers or cameras
or, you know, door stuff, machinery from, you know, the actual manufacturing side of things,
whatever. We found them at every single organization that we looked at. And so even just
being able to find that sort of dark corner or a connected
device that you did not expect will be worth the investment in some simple NDR. Yeah, I mean,
it's something that people tend to experience when they run something, a tool like RunZero as well.
I mean, you've got the passive approach, which is to do it via this NDR sort of stuff. You've got
the active approach, which is like RunZero and stuff. But yeah, it's rare that people don't find stuff they're not expecting to,
you know. And it's all network. You can't do that any other way except for throwing
some packets around or observing some packets.
Yeah, absolutely. Yeah. And I mean, the passive approach, you know, we would argue is probably
the place to start, right? I mean, it's less disruptive to operations and also...
Well, this is a holy war discussion that you're getting us into right there,
right? Because HD Moore is a good friend of mine. I do work with RunZero and they
would say, well, that is true for most of them, that it's can be disruptive,
but there are people who've put a lot of work into being able to do active
scanning of that stuff and not, you know, knock things over, basically.
I think that's, you know.
And it's pretty valuable to have that sort of capability. I wouldn't suggest you don't go with both.
I would just suggest that you start with passive if you're going to start somewhere.
Well, and I just think the, you know, reward to effort ratio on just doing some sort of network monitoring is pretty high, especially now. Are you seeing, you
know, cause quite often when you're a company like Corelight, right? Like where you're seeing
the adoption might not necessarily be where you would want the adoption to be when it
comes to the, you know, comes to your Salt Typhoons and your Volt Typhoons and whatever.
Like among the likely target set of those campaigns, are you actually seeing decent uptake?
In terms of customers of ours that are in those segments?
Well, I mean, it's hard, right? Because there's a lot of open source
Zeek out there as well. I just thought maybe anecdotally, you would have a sense of
how much those target sets are sort of embracing some basic network monitoring.
Well, let's take Volt Typhoon, for example.
So we have, I think, often seen that the targets
for that campaign were very unsophisticated municipal
government waste facilities or some energy.
This is why I'm asking, right?
Yeah, and you're right.
Those people are not coming to Corelight
to write a big check for NDR. In fact, they're barely scraping by trying to get their operations done and do the basic levels of
security. So you're right. Now, the question is, would they have the capabilities in time and
know-how and resources to even do something like NDR on their own? Maybe not. So there's programs like CyberSentry that is sponsored by CISA that helps actually
protect some of these critical infrastructure companies that are-
Is that like a managed gateway sort of thing?
It's almost like a managed monitoring or managed response. So they provide sensor, they do a
centralized correlation of the data that's coming back,
and then they watch for indicators and even do threat hunting against their...
Well, that's an extremely worthwhile and useful thing for a government to be doing in my view.
Absolutely.
Yeah.
And so they do use Corelight and Zeek as part of that effort.
That's why I mentioned it.
Yeah.
And I'm guessing though that these municipalities and whatnot, they need to opt into that.
Yeah.
I don't know what the opt-in procedure is, but yeah, most of them I think are probably like,
yeah, sure, we would love that. We, you know, because we have regulations coming down upon us
and we need to be able to meet those. And if you're telling us you can do that for free or
for a very low cost, sign us up. Well, there you have it. Investing in some basic NDR,
probably not the worst thing people listening to this could be doing if you're completely not doing that and you are operating any sort of network of scale, that's probably a bad idea.
Vince Stoffer, thank you so much for joining me for that conversation. Very interesting stuff.
Thank you, Patrick Gritsbir.
That was Vincent Stoffer from Corelight there. Big thanks to him for that and big thanks to Corelight for being a long-term sponsor now of the Risky Business podcast. I really like Corelight. I like what they're about.
Community driven, lots of people submitting stuff to it. It's like the industry standard for NDR.
Yeah, go check them out. And that is it for this week's show. I do hope you enjoyed it. I'll be
back next week with more security news and analysis. But until then, I've been Patrick Gray. Thanks for listening.