Risky Business - Risky Business #783 -- Evil webcam ransomwares entire Windows network
Episode Date: March 12, 2025
On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news with special guest Rob Joyce, a Former Special Assistant to the US President ...and Director of Cybersecurity for NSA. They talk through:
A realistic bluetooth-proximity phishing attack against Passkeys
A very patient ransomware actor encrypts an entire enterprise with a puny linux webcam processor
The ESP32 backdoor that is neither a door nor at the back
The X DDoS that Elon said was Ukraine is claimed by pro-Palestinian hacktivists
Years later, LastPass hackers are still emptying crypto-wallets
…and it turns out North Korea nailed {Safe}Wallet with a malicious docker image. Nice!
Rob Joyce recently testified to the US House Select Committee on the Chinese Communist Party, and he explains why DOGE kicking probationary employees to the curb is "devastating" for the national security staff pipeline.
This week's episode is sponsored by SpecterOps, makers of the BloodHound identity attack path mapping tool. Chief Product Officer Justin Kohler and Principal Security Researcher Lee Chagolla-Christensen discuss their pragmatic approach to disabling NTLM authentication in Active Directory using BloodHound's insight.
This episode is also available on YouTube.
Show notes
CVE-2024-9956 - PassKey Account Takeover in All Mobile Browsers | Tobia Righi - Security Researcher
Feds Link $150M Cyberheist to 2022 LastPass Hacks – Krebs on Security
Camera off: Akira deploys ransomware via webcam
Tarlogic detects a hidden feature in the mass-market ESP32 chip that could infect millions of IoT devices
Alleged Co-Founder of Garantex Arrested in India – Krebs on Security
37K+ VMware ESXi instances vulnerable to critical zero-day | Cybersecurity Dive
Apple patches 0-day exploited in "extremely sophisticated attack" - Ars Technica
What Really Happened With the DDoS Attacks That Took Down X | WIRED
Eleven11bot estimates revised downward as researchers point to Mirai variant | Cybersecurity Dive
Previously unidentified botnet infects unpatched TP-Link Archer home routers | The Record from Recorded Future News
Safe.eth on X: "Investigation Updates and Community Call to Action" / X
How to verify Safe{Wallet} transactions on a hardware wallet | Safe{Wallet} Help Center and Support.
US charges Chinese nationals in cyberattacks on Treasury, dissidents and more | The Record from Recorded Future News
Former top NSA cyber official: Probationary firings 'devastating' to cyber, national security | CyberScoop
U.S. pauses intelligence sharing with Ukraine used to target Russian forces - The Washington Post
Transcript
Hey everyone and welcome to Risky Business. My name is Patrick Gray. We're going to be
chatting through the week's news in just a moment with Adam Boileau and our special guest
co-host Mr Rob Joyce and then we'll be hearing from this week's sponsor which is SpecterOps
and I'll be chatting with Lee Christensen and Justin Kohler from SpecterOps about some
new features they've built into BloodHound
specifically designed to address risks stemming from the continued use of NTLM, the authentication
protocol, which of course is still everywhere even though it's 2025. Kill me now basically,
but it's a good interview. That one is coming up later. But first up, it is time to get into the
news and let's kick it off now. And we're actually starting this week's run sheet with some more technical research and news.
Adam, I want to start off with you talking about CVE 2024 9956, which is a passkey account
takeover technique that requires Bluetooth proximity.
But it's interesting. And we've been talking about pass keys lately, which is why it's been talked about
a lot internally here at Risky Biz over the last few days.
Yeah, this is some really interesting research.
It's from a guy called Tobia Righi,
he goes by Master Splinter, and he came up with an attack
that's actually, like it's really clever.
Like, I'm not sure that it's super practical
in the real world, but it's just really clever.
So the deal here is, if you're using pass keys
and your pass key is on a separate device,
so like on your mobile phone, for example,
there is what we call the cross-device authentication flow.
So you go to your browser,
you want to authenticate with a pass key
that's somewhere else.
There's a mechanism for having your phone do that passkey step for you. And the way that's normally triggered
is by scanning a QR code. And this guy looked into how those QR codes actually work. So the QR code
sends you to a URL, like a FIDO scheme URL, which the password manager on your phone associates with bringing up the,
you know, kind of the handler for doing passkey or whatever else. And this guy came up with a
trick where if you're nearby somebody who's got a mobile device with passkeys on it,
and you could put a phishing page in front of them, so like a rogue wireless AP would be one way of doing this.
You send them off to a phishing login page for LinkedIn
or whatever.
And then on your device that's nearby,
you go to the real LinkedIn, you go to the authentic
or the passkey, get one of the QR codes that would normally
trigger interaction with a passkey on a device, pull out
the URL and then using your phished connection to the victim, you send them to redirect to this URL.
So you can basically make it feel like they had scanned the QR code to their browser, which invokes
the password manager. They then get a legitimate passkey invocation request.
So for LinkedIn, for example, they hit yes.
And the way that this would normally work
is to prove proximity, the phone would Bluetooth back
to the computer during the authentication
to then pass on the response to the challenge response
part of the passkey.
And in this case, that's the attacker in Bluetooth range.
So their browser receives the Bluetooth callback
and then authenticates to real LinkedIn.
At that point, you've got a session token
and off you go to great victory.
And that actually works.
This guy implemented it, you can do this.
And that's actually really cool.
So yeah, like I mean, impressive research. Practically, like I could
see this working in an airport or a hotel or a place where...
Well hang on, hang on, hang on. So you're saying the attacker has proximity. But the
way I'd describe this is a device under the attacker's control has proximity, right? Which
is how these things tend to play out. I mean the good news here is that this is actually
fixable and there have been some patches go out for the major mobile browsers to kind of
address this right? Yeah so the patches remove the ability for the browser to
redirect to a FIDO URL internally. So one of the steps of this process gets
taken out of the chain. The overall thinking though about this kind of like attacking the glue between your hardware
authenticator and your user agent, your browser, like that's, this is just, it's interesting.
It's really interesting.
I think we'll see some other research along similar kinds of lines because, you know,
it's pretty cool.
Yeah.
What did you make of all of this Rob?
Because I did find this, you know, like Adam, I found it interesting because everything's running towards pass keys now and you just sort
of think, oh, you know, we're going to see more of this sort of thing. And like, I don't know. I
mean, it's, look, it's, it's obviously a massive step up from like SMS, multifactor authentication,
when you're having to have Bluetooth proximity and all this sort of stuff. But you know,
you've probably heard us talking about how complicated, you know, modern auth is and how there's, you know, there's going to be badness at some point.
But yeah, what did you make of this?
Yeah, two big points. The first is passkeys were always touted as phishing proof, right?
You'd use passkeys because you couldn't be phished and lose your token. While this is demonstrated, there is an angle to phish
and accomplish a defeat of a passkey.
But the second is a point I've made for years,
which is details matter.
And the attackers study the details and implementation
over and over again until they find that crack in the seam.
The good news is this was discovered,
there's gonna be patches.
The WebAuthn FIDO2 ecosystem, pass keys are going to be stronger because of it,
but we're always going to see people going after the seams of authentication.
Yeah, I mean what do you think of, Adam and I, we've been talking about this stuff for a while,
and just the general complexity here and the unevenness of people's passkey implementations,
that's the stuff that makes us feel a bit weird.
Do you share those concerns?
Yeah, those are the cracks in the seams
that you investigate for the oddball interactions like this.
Yeah, yeah.
Now, this one's interesting.
We got a report here from Krebs on Security about it.
Basically, it's got to the point where it looks almost certain that the people who
hacked LastPass in 2022 have been cracking the material that they've stolen and
they're using it to steal cryptocurrency tokens, right?
So that's been a theory for a long time. I guess what's changed here is now
sort of prosecutors and various US government agencies seem to agree with that. And indeed,
they've linked this LastPass thing to victim one in official documents who looks almost certainly
to be Chris Larsen, who's the co-founder of the cryptocurrency platform Ripple, who lost, yeah, 150 million bucks in 2024 because I'm guessing he didn't change his password after
the LastPass thing, which is not great.
So I mean, it just kind of looks more and more like we've got confirmation here.
I mean, Adam, we're always talking about North Koreans doing amazing stuff with crypto.
We've been talking a lot about this Bybit hack over the last couple of weeks.
This one, I don't believe it was actually North Koreans who were behind it.
But it seems like this is where all the cool hacking is, right? At the moment,
the people doing the most innovative attacks are all doing it to steal crypto. I mean,
you know, incentives, capitalism works.
Yeah, well, yeah, that's exactly it. The incentives push you to do creative things.
And this one was interesting because the,
like it wasn't the passwords that were from LastPass here.
It was, I think in the Larsen case
and the others that we have seen as well,
they were storing the seed phrase
that you use to recover the private key,
you know, that is linked to the private key
or lets you get the key, the randomness of the private key. And they were storing that in
the like notes field of LastPass. And that was one of the bits that wasn't particularly
well encrypted, especially if you had a very old account with a number of iterations on
the, you know, the hashing or whatever that they were using to derive the keys used to encrypt stuff were
pretty limited. So, you know, I don't know if you can change that without re-homing all of your funds
to another wallet, which LastPass somewhat disingenuously have said that's kind of what
these people should have done and sort of a little bit victim blamey with the stuff. So,
it's kind of not a great look for LastPass that we're still unsure
that this is how this is happening. I'm not sure, they don't know for sure either, but
they could be a little more proactive and responsible in taking some of the blame for
this.
Yeah, I mean, I spoke to LastPass people through all of this and, you know, they were very
sort of realistic and, you know, somewhat forthcoming actually about how little they
knew about what exactly had happened and who and you know what I mean?
Like I think they pieced it together, but it was a lot of work.
But Robert, my question for you is you've been a, you know, observer of tradecraft for
a long time.
I mean, do you agree with my take
that the coolest stuff these days
is happening around crypto thefts?
I mean, obviously I didn't see the sort of stuff
that you got to see at NSA,
but usually when we hear about APT campaigns,
they're not nearly this interesting.
Yeah, well, clearly crypto theft
is paying better than bug bounties.
So I think you're gonna continue to see that innovation.
Now we're going to talk about a story that has been doing the rounds about a
ransomware attack that what the attackers did here is they popped up on some
windows network somewhere, realized there was EDR all over it and went,
Oh, that's not good. So then they owned a web, a Linux based webcam and then connected to the network's SMB shares and just encrypted everything through the webcam.
So they were like pulling files onto the webcam, encrypting them and putting them
back.
And I mean, sure.
But I just, I wonder like maybe the indicator here, the detection would have
been that, you know, why is that webcam so hot? Why is this smoke coming off that webcam? Adam, you and I have talked about this. You
know, you don't find anything particularly novel here. It's making, it's doing, you know,
a lot of headlines because it does seem pretty novel when it comes to ransomware crews. But
your general take here is that we shouldn't be surprised that someone's done this.
No, I mean, you go where things work and I think it's kind of funny that the actors came in here,
dropped AnyDesk on a Windows box and then brought in their tools to do ransomware.
Those get immediately snapped by EDR and then of course they pivot across using the same AnyDesk
because they've got initial access into the Linux environment on this cam.
And to me that's a thing we've done on engagements
in my pentest career.
We would quite often pivot through wireless access points.
Like I've run Responder to steal NTLM hashes,
NetNTLM hashes, like off the WiFi access point in the roof
because it's a Linux box, convenient place
to run your tooling, no EDR, no pesky antivirus.
So like workaday kind of technique,
but I think the real, like the
thing that is most amusing about this is, you know, I guess this is EDR working,
right? The fact that it scared these cats off the well-monitored Windows boxes and
into the trash Linux IoT environment where they have to encrypt at, you know,
30 kilobytes a second because of the potato RISC-V core in the webcam.
Yeah, I wondered like how long did this take?
I mean, it's funny because some of the ransomware crews do,
like the ones that write the ransomware tooling, like they do try and compete on speed of encryption
because it's a thing that matters to them. And yeah, so I wonder if they, you know,
resorted back to, you know,
ROT13 or something.
I can't remember if it was CrikeyCon or Tuscon
where they actually used to have like a ransomware race.
Yeah, like a shootout.
Yeah, so you can get there fastest.
See who'd win.
I think there was a betting pool as well
to see which one would do best.
I mean, look, indeed we had a chat with Vince at Corelight last week in the sponsor interview
talking about how, yeah, attackers of all stripes are going where the EDR isn't, which makes a lot of sense.
But this is just a great way to turn a Linux shell into like Windows, you know, ransoming a Windows network.
Funnily enough Rob, you advise Corelight.
You also advise Sandfly Security who work on, you know, trying to get their hands around that. But even
then, I don't know, like what can you do about this? Because even if you're like,
you know, Sandfly for people who don't know, basically will log into Linux
devices on your network and look for indications of compromise. I guess, given
that this would have taken a while, it probably would have got snapped, but
this is a problem and we're gonna see more of it, right? Yeah, I
think this is the exact use case that Sandfly stood up to defend against,
right, the little Linux servers that could, those are scattered all around
these environments and people as Adam points out, just need a shell.
And so if it's unsecured, unmonitored and off somewhere in the dark recesses of your network,
that's where you're going to go. All of this living off the land stuff is focused on that.
I'd even point to some of the telco intrusions. Why were they operating in the space they operated in when we had
the Salt Typhoon intrusions?
It's because there's not defenses, EDR,
and other segmentation that protects and keeps
these things out of the space where they can have
a huge blast radius.
Yeah, I mean, I'm guessing I've got an interview
coming up with Benny Lakunishok from Zero Networks
tomorrow night, I think, and I'm guessing he'll be all over this, because one thing that would help here
is micro-segmentation, which has historically been very difficult, but some of the contemporary
tooling is pretty good.
Adam, did you get the same thought when you were reading this?
Yeah, I mean, anything that segments the network up is going to make this more difficult for
attackers, and yeah, I mean, that would be a...
Like, if this was my gig, like it would be a pain
if there was micro segmentation.
I probably wouldn't go down the route of trying
to find a webcam or a printer or something else.
No, because you're gonna get snapped.
Or at least you're gonna get blocked by it.
Like no one's gonna be looking at the firewall drop logs
of your Zero Networks micro-seg,
but it would still have the necessary, you know.
I don't know man, your webcam trying to connect to all of your network shares is probably something that will get noticed in a lot.
Yeah, and you want to think about those exposed SMB shares. Now it's exposed internally, but still,
you know, convenience jumps, right, like they're gonna be accessible.
Should that have access? Yeah. You should know.
Now let's talk about a backdoor that wasn't.
It's funny actually, this story, I first heard of it,
Dmitri Alperovitch, a friend of mine,
co-founder of CrowdStrike, he was traveling,
he texted it to me because he thought
I'd find it interesting, and I said to a man,
it's always something left behind by a developer.
That was my first reaction, and it looks like that's right.
But even more than that, it looks like what researchers have found here
is actually documented functionality.
So there's this ESP32 chipset which is used in IoT devices,
does Wi-Fi and Bluetooth as well.
Some researchers have taken a look at it and looked at how to abuse
functionality in those chips for great victory. But again, like not really exploitable over the air, not really that
big a deal, but still made a lot of headlines. Why don't you start Adam by walking us through
what the actual research is here?
So the research here is really looking into the internal plumbing of the ESP32 system
on a chip, which is a
combination of a microprocessor and then the radios for Bluetooth and Wi-Fi. And these
things are cheap and pretty widely available. And so you see them a lot in small IoT devices.
Basically, the researchers here look at a bunch of, I think it's a Spanish research company called
Tarlogic, Spanish security firm, and they were looking at ways
to use these devices for more creative
kind of Bluetooth attacks or research.
So as a more flexible kind of general purpose thing,
radio device that they can use.
And they explored the functionality
that the firmware of these devices
uses to control the radio hardware.
And it has a bunch of things that really amount to if you have arbitrary code
execution you can execute arbitrary code. So not really any privilege boundary being crossed here
and where some of the I guess the confusion comes in is that in more full featured devices so like
Android phones or you know anything where you've you've got really user controlled general purpose
applications. The radio chip is kind of separate. And if we were talking about this kind of
functionality being exposed in like a Qualcomm modem on an Android device that you could hit
from an Android app, that would be bad. And sort of all Rob's colleagues back at the NSA,
that's the sort of thing they would love, like land in a box, pivot sideways into
the baseband, now you've got a great place for you know long-term access, you're
in a privileged place to do interesting stuff, you can abuse other hardware
functionality. Like if you were using an ESP32 in that kind of
context this might be interesting but that's not really what these chips are used for. They're small,
they're low power, you know, they're not full featured like that. And so I think the research
in this case either got pumped for marketing, or it's a kind of some confusion between,
you know, if you had someone who is really technically gifted, but doesn't necessarily
have enough experience to understand the overall kind of context. You sometimes get this kind of confusion in how research is presented.
So like solid technical work, but it just doesn't mean backdoor like we've seen in the headlines.
Yeah, I mean, you would have probably had the same take on this one, Rob.
Yeah, I think powerful commands that aren't well understood are a poor choice, but not a back door.
For me, I frame this up as it depends a lot
on your threat model.
So Adam talked about some of the fun things you could do
if you had this isolated processor
that somebody had to trust.
I don't want to compromise user space on the host
to automatically guarantee that you can get to
a compromised Bluetooth controller firmware.
So you could do interesting things with that,
but it's a lot of work for something
that you can probably achieve in another way
unless you're protecting against the most serious attackers
with the most well-resourced kind of ideas.
Well, in which case I think the point is those chips are unlikely to be present in those
sort of environments, right?
Yeah, probably.
But you know.
Well, in the United States, in the Five Eyes countries at least.
Yeah, we talked in the first segment about, you know, remote access to then do your bidding to get a passkey phish, right?
You don't have to be local if you can get a local device. Well, here's a little local
radio that might be in your environment. So you reflash that through this vulnerability
and chain it to that other one. And that's how the most advanced attacks happen. Yeah.
Our North Korean crypto bros
may be phishing passkeys on this next week, who knows?
Yeah, let's see, let's see.
ESP32s and Natanz, good target, yeah, good point.
Yeah, yeah, yeah.
So look, we don't really need to talk about this one,
it's just funny.
One of the co-founders of Garantex,
which is doing crypto, it's a cryptocurrency exchange that's done a lot of laundering.
It's been in trouble with the US and sanctioned and dismantled and whatnot.
So years of trouble with these guys.
He got picked up on holiday in India with his family, which is quite funny.
So now he's headed to the United States to be presumably imprisoned for a very long time. And I just, again,
I think it's very funny that these people who are already sanctioned by the US
government take holidays to places where they can be arrested, right?
Like that's the takeaway here.
See, no Patrick, I had a different takeaway too, though. They,
he got sanctioned.
This exchange got sanctioned for facilitating crypto
money laundering and as soon as they were sanctioned there was a surge in the amount
of crypto that was laundered through that exchange. I think the US government sanctioned
announced that they were a bad actor and you could move your currency through there with
impunity. Incredible advertising. Yeah.
It's kind of the old adage, right?
There is no bad press.
Well, it's funny, right?
Because you talked to Brian Krebs and there's like a lot of these people want him to write
about them because for the same reason, right?
Which is like you get covered by Krebs and business goes stonks, right?
That's so funny.
Just how it would be.
But yeah, he's going to have a bad time.
Now let's touch briefly on this story about a VMware ESXi
vulnerability or vulnerabilities, which when chained together
are a guest to host, which is obviously really bad.
VMware, less relevant than it was, say, 10 years ago.
But there's still so much of it out there, right?
Which is what makes this a problem.
But the real story here is that there was a bug in the Broadcom-like licensing panel or whatever
that prevented people from being able to install a fix.
I imagine there's plenty of CISOs listening to this who would have been pulling their hair out over this over the last few days.
I mean, I mean that's basically the story in a nutshell, isn't it Adam?
Yeah, exactly. Broadcom did bad things to your VMware. You're going to have a bad time.
And yeah, I don't know what we expected. This is totally what we expect from Broadcom.
Yeah, and Shadowserver reckon there's like 37,000 of these things on the internet. God.
Does this depress you as someone who was formerly
the cyber security director at NSA?
Like.
Well, the people that have public facing ESXi servers
are not the kind to patch quickly.
Yeah.
So it doesn't surprise me that those numbers are high
and will not go down fast.
Yeah.
In other news, Apple's just patched a couple of WebKit bugs that they say
are extremely sophisticated. So I'm guessing they just rumbled one of the big spyware companies or
an intelligence service that was using one of these bugs, which is unlucky for them, but they
have now patched that. I don't think we really need to talk about that anymore. So you do
have something here. Yeah, go here. After you upgrade, go turn
off Apple Intelligence because it gets force enabled after the damn update. Well, that's assuming you
don't want to run Apple Intelligence and I for one love getting my notifications turned into garbled
meaningless text. It's such a great feature. And it parses through all your Signal messages as well.
Yeah, yeah, fantastic.
All right, thanks for the tip.
I'll get onto that.
What else have we got here?
Does it go through your Signal messages
or just through your notification,
your Signal notifications
as they come through notification services?
Because I don't know,
would they actually go into your archive though?
I thought you have to turn off the access to it, but I don't know if that's for notification or the archive. Yeah, right. It's still, yeah, I get where you're coming from though, so I'm
gonna take a look at that when we're done. Now let's talk about this DDoS against X,
formerly Twitter. They started having outages, was that yesterday, day before? They started having massive outages
and it looked like it was a DDoS attack.
Musk did what Musk's gonna do and came out and said,
probably because there were some Ukrainian IPs
in the data set, he's like, it's Ukraine,
because they don't like me, because I'm,
I don't know, whatever, who knows what goes
through that guy's head.
Because everyone DDoSes from their house, right?
No one does it with other devices.
Exactly, but it's like an interesting enough attack because it looked like the reason this
was possible is because the attackers discovered the like X origin servers which weren't being
protected by Cloudflare and just hit them, which is a story as old as time. So, you know,
thankfully it's pretty easy to mitigate that kind of thing, which shouldn't have really happened
in the first place. But since then, a pro-Palestinian group has claimed credit for this attack.
So, you know, what more do you say about that one?
But the reason we're starting off with that one is because there's actually a bunch of like botnet related news these days.
I mean Adam, you and I started out in this field and certainly Rob did when, you know, botnets were made up of
Windows machines, right? Like they were WinXP boxes, pre-service pack 2, those were your botnets. Now it's all gone.
Mirai. Everything's a Mirai variant these days. We've got people building botnets out of TP-Link
routers. We've got Chinese APT crews building essentially giant
orb networks with IoT.
I mean, this is just where we are, right?
I mean, Twitter, it's almost certain that Twitter was getting
dosed by a Mirai-like variant.
Rob, you were, as I mentioned earlier, NSA's cybersecurity
director until last year.
How much time do you put into worrying
about this sort of stuff from a macro perspective? Because it's always seemed to me to be more of a
nuisance than anything else. Yeah, so the botnets for DDoS are a nuisance and commercial industry
does a really great job of mitigating that. But what we did worry about were the use of botnets for infrastructure.
So everybody knows to block dirty IPs, but the attackers have gotten more and
more sophisticated about how to bend their traffic through things that have
reasonably good reputations. And so if you can just pwn a bunch of
TP-Link routers all over the US,
you know, those endpoints often look like your work from homes. They look like your customers.
They look like people that should be touching the edge of your networks.
And so that's a good way to get better reputation and shed the stink of dark corners of the internet or attacker origination IPs.
So that's the concern with these botnets
and that's why you hear us talking
about the TP-Link concerns significantly.
TP-Link can-
So that's the headache.
It's less about the DDoS traffic
and more about one that is sitting there compromised,
not having like mass scanning coming out of it
so it doesn't pop up in GrayNoise, right?
It's just sitting there waiting for someone who needs a jump box to go and do stuff. Right, and there's
enough of them, you can use it single use and pop out one time, and so you will never have that in a
threat feed. You will find, you know, the ability to block and understand those are very hard
from point data if you don't have kind of a view above
the fray.
Yeah.
Yeah.
I mean, there's the TP-Link stuff.
If you want really good reputation, you might attack some enterprise kit sitting at the
edge of a small to medium business.
We saw those attacks, Chinese attacks against Sophos equipment where they were able to actually
fight back in hilarious ways.
I'm sure you saw that news and enjoyed it, Rob.
But you know, just on that, do you think the vendors need to be doing a better
job here? Because honestly, I just don't understand how it's 2025 and we've still
got like, you know, equipment designed to sit between an ISP and a user that
doesn't collect or transmit any telemetry.
I would have thought that's table stakes these days.
And even among the enterprise ones, they don't do it.
Like forget about your TP-Links, even like firewalls
that cost tens of thousands of dollars,
the manufacturers aren't instrumenting them.
Do you think they should?
Yeah, I think we need not only instrumentation,
but we need a lot of care in the firmware
and the underlying code that's inside those
so that they are not as easily exploitable.
Yeah, but they're always going to be exploitable,
which is why I sort of keep leaning
on the telemetry thing, right?
We both.
Because when people start doing stuff at scale
against these boxes, like it would be good to know about it,
I think, I mean, crazy idea.
The TP-Link bug in this case was like
straight up shell meta-character injection
in a web parameter. So,
yeah, clearly more care and then the length software.
But I think you're right that, you know, having visibility of this stuff is good for the big,
you know, the, we're gonna, big scale things, but you know, when it's a one-off proxy like Rob's talking about, then
yeah, we're just, you know, that's a bad time.
Yeah, now look, something to follow up on. Last week you and I spoke about this Eleven11bot which
apparently did a 6.5 terabit per second DDoS attack and it was coming from Iran, devices in
Iran, and we talked about this and said, well, like it doesn't quite feel right, this story.
Turns out your instincts there were pretty on there, guy. Walk us through this report from Cybersecurity Dive.
Yeah, it looks like we're seeing some walking back of the scale of that particular botnet.
It was a Mirai variant, it turned out, that was hitting, I think, HiSilicon devices
that make cameras and network video recorders and that kind of thing.
The idea that it was all coming out of Iran
certainly didn't stand up from a bandwidth point of view,
but it looks like that is actually smaller than we thought
and kind of just another Mirai,
which can kind of muddy the waters a bit
because people, some of the Mirai botnet users,
because that code is open,
sometimes people will add bugs to them
without even really checking that they work
or that they're usable in the way that they think.
So we've seen exploits that straight up don't work
added to Mirai botnets and then all of a sudden
you see thousands of exploit attempts
hitting stuff on GreyNoise or whatever else,
and in fact, actually, it's never worked.
I mean, it ends up in the CISA KEV list
even though the bug never actually worked. So, yeah, some of these metrics can be confusing.
Yeah.
Yeah, that's funny, right? A known exploited made-up bug. That's great.
Yeah.
Known tried exploit.
Now we've got some follow-ups here on the Bybit thing. You know, this will be our third stab at this story.
So as it stood last
week, we talked about how it was a developer at, what's the company called?
Safe Wallet. Yeah, they'd got owned. Now it looks like we know how they got
owned. Yes, so the developer at Safe Wallet apparently downloaded a malicious Docker
image from somewhere, ran it up on his Mac, and it
compromised them with some fairly, like, common-or-garden Mac malware that we've seen North Koreans
using before. And then the North Koreans attempted to gain access, to enroll MFA devices for this
guy's AWS accounts. So he was logging into AWS to go about his business
in Safe Wallet's infrastructure.
They called the API endpoints to add a new MFA token, failed.
And then at that point, the North Koreans were like,
okay, we are going to have to stay on this guy's box
and only use AWS when he's active,
because they can post auth,
grab a session token out of his AWS command line
or whatever tooling he's using. So they started aligning their work hours to his and then
they used that access onwards into SafeWallet's AWS from there, as we saw, trojaned the CDN to
deliver bad JavaScript and onwards to $1.5 billion worth of crypto. So, good job. We've seen SafeWallet
published a bunch of details, Mandiant's in there investigating at the moment. And this seems to be,
they've got a timeline of kind of what this looked like. But overall, as I have said every time we
talk about this, like, North Korea, hell yeah, like, these guys know how to hack, they're so good at it.
Yeah, bring on reunification so that we can have them on as guests.
Yes, exactly.
Because this is like state activity, I mean is it criminal or is it a state activity,
like are they going to get in trouble when they're just doing their jobs for the military
and under duress?
We can probably have them on as guests.
That would be amazing, yeah, I'm so here for this, we should absolutely do that.
One other tiny bit of safe wallet things
that I stuck in the news list this week was.
Well, hang on, hang on, before you go there,
I mean, there's an interesting thing
that you didn't touch on here,
which is how did that Docker container
like wind up getting onto their computer?
And this to me is like, the North Koreans
have such an amazing track record
of throwing out trojaned and compromised
tooling that is used by people in the crypto space. So the question is, were they targeting
SafeWallet specifically, or did they just throw this out there and they accidentally caught a whale?
It's a good question. The Docker image was called MC-based stock invest simulator main.
So that sounds like it may well have been pretty broad brush targeting and just see where you land.
And clearly they very much landed in a good place.
In which case this completely validates their approach, right?
Which is to hit the supply chain and then, you know, instead of just doing
oh, well, we got code execution, and then really leaning into a proper operation.
Like again, I'm with you on this, man.
It's impossible not to like respect this and, and, you know, respect the game.
Game is game.
Yeah, yeah.
I mean, I imagine Rob, you must feel like if this was your guys doing this, you'd be
like, hell yeah, beers on me buddies.
Yep.
Pretty proud.
But I think, you know, in this space, they got them
to accept a Docker image because it's a container.
It's gotta be safe.
But if you provision that the wrong way,
again, the devil's in the details, right?
The details make you secure or insecure.
They lit them up, they lit them up.
So help me settle an argument here
that I've been having with Dimitri
for like a couple of years now where he says
You know, during his CrowdStrike time,
he always thought the North Koreans were... he thinks the perception of the North Koreans as a second-rate actor,
historically, is wrong, and that they were, you know, always really creative and really, really good.
My argument is more that okay that might be true
But they hadn't really scaled their capability
until more recently, and it seems like they're sort of everywhere at once.
You know, what's your feeling on that as someone who was, you know, more actually
directly concerned with this in recent times?
Yeah, I think they had a couple high-end actors who were world-class, even in the early days,
but they couldn't do the scope and scale. And now they've trained out that tradecraft, they've developed a larger pool, they've got some
standard methodology they use, and then you can bring in the next generation who
brings new thought and ideas. But necessity is the mother of invention,
right? They don't have things, they need things, they're gonna try stuff nobody else will.
Maybe we can have a new Operation Paperclip after reunification, you know what I mean? Get these guys a condo in the DC area, you know. What do you think, Rob?
Yeah, I don't know about that.
All right, now Adam, you were gonna follow up, too, on another angle to the Bybit thing.
Yes.
So they also published some advice about how you should verify transactions that are going
through SafeWallet multi-signature process if you're using a hardware wallet, which was
like, this was the core guts of how Bybit got hacked.
And so they published some advice and I've linked through to it because I think people would want to see like what do you actually see in this interface?
What do you actually sign on your hardware wallet?
They've got some screenshots of the interface from SafeWallet's WebUI and then also what you also see on your hardware token.
And you will note when you read it that one of the things you have to do is look at the raw, what they call raw data value in the screenshot,
decode it using some third party tool
to see if it's what you expect.
And then check that that matches the same kind of string
of hex that you're signing on your wallet.
And when you read this process and then you ask yourself,
does this feel appropriate for authorizing
a $1.5 billion transaction?
And the answer, of course, is hell to the no, it does not.
What were you thinking? And people are wondering how this happened? This is how this happened. Thanks.
Yeah, yeah, I mean, I kept thinking back. You ever see the Adam Sandler movie The Wedding Singer?
Yeah.
I mean, I just keep thinking, okay, you've published this advice.
But you remember when he gets left at the altar towards the start of the movie by his fiancée and she
winds up explaining to him, no, I'm just not ready to get married and blah, blah, blah,
blah, blah. And he says, that's great, but this would have been useful information yesterday.
That's kind of where I'm at with that one. But you know, great that they've published
the advice, $1.5 billion later.
We've got a John Greig report from The Record here about indictments, a whole
bunch of criminal charges against, you know, Chinese government-backed, you know,
some in government, some working for contractors, including i-Soon.
They were apparently behind the Treasury hack and a bunch of other things.
This is when they actually got on Yellen's computer.
It occurs to me here that there's a very solid reason to do an indictment like this, because
the argument is that China was using contractors to kind of be hands off and to try to provide
a little bit of deniability.
An indictment like this says to China,
nice try, we know it was you,
we see what you were doing, it didn't work.
I mean, is that, you know, Rob,
I think you're the right person to answer this.
I mean, do you think that's a reasonable take
on this indictment?
That is certainly one of the pieces, right?
I love the i-Soon leaks.
Those are the gift that keeps on giving.
That showed us a whole bunch
about the ecosystem, the tradecraft, the types of tools. And the fact that some of these
companies are just frocked to go out there and operate on behalf of China or even independently
to pull back data which they have every intention of selling and marketing back into the intelligence services and
the military. So it really just outlines the ecosystem and the way they
operate.
Yeah, I mean, it's a wild idea, right? Which is, you know, the
equivalent here would be, Adam, go pull together a few people, go hack a bunch of
stuff in Beijing, collect a bunch of data and then see if ASD wants it.
Sounds like fun, honestly.
I mean, it does, but it also doesn't sound like a really, you know, good way to run intelligence
services.
It's only a problem if I wanted to go to Hong Kong or Macau, right? I mean, if I don't want to go on holiday in China.
I wouldn't recommend it already, pal, but, you know.
Yeah, exactly right. So in that case, like, what's my incentive not to, if ASD was buying?
Who knows maybe in the future you'd get arrested
in going on holiday in India down at the coast.
APT for hire.
Yeah.
Mm-hmm.
That's it.
All righty.
So now we're going to talk, Rob, about you and comments
you made to a committee in the United States.
It was the House Select Committee
on the Chinese Communist Party.
So you turned up and said that you had some pretty serious concerns about some of this
sort of DOGE stuff about various people being laid off in the US government and in the intelligence
community specifically.
You said, you know, so for those who haven't been, who aren't caught up, and it is hard to keep up at the moment,
it looked like the US government, a bunch of US government agencies started
laying off people whose employment status was listed as probationary.
And the thinking presumably among the people who made this decision is if you're
probationary, you're a new hire. It subsequently transpired that, well no, you know, if you're promoted, you know,
if you're moving up through the ranks, you know, there's a good chance you're in a probationary role
and these people were losing their jobs.
Your testimony basically said this is a problem for the national security of the United States.
Do you want to just give us a quick recap
of the guts of what you said?
Sure, Patrick.
So the reason I was there was talking about
that Chinese threat and what we need to be doing about it.
And I talked about three legs of a stool.
There is some actions to deter,
there's some actions to defend,
and there's actions to make us resilient.
And in that defend space, you've gotta have talent.
And industry has talent, but government needs talent
as well, and the current environment is just undercutting
a lot of the talent base, the special capabilities we have.
I spent 34 years at NSA.
I could have added a zero to my salary
at multiple times during my career
had I walked out the door, but I stayed for the mission.
There was cool stuff to do, but it was the mission.
It was the importance of that.
But I felt safe and secure.
Now when I came into NSA, for NSA,
the first two years after you're hired,
you're in probationary status.
It's perfunctory.
It is, you know, unless you're, you know,
you're screwing up and you're doing good things,
you expect to be able to ride
through your probationary period.
Well, this took away the understanding that, you know,
people were safe in that two-year period.
But those two-
And to be clear, this isn't just new staff, is it?
This includes people promoted into other roles?
So in some cases, there's some special programs
that were established that required people
to enter probationary status.
So NSA has always had special hiring authorities
and some specialty pay scales
for technologists. CISA got some new authorities and part of those authorities took people
who were in jobs and transitioned them into these new roles and at that point in time
part of the transition was they had to enter a probationary period, so put them at risk.
For NSA, the other place it impacts
was the military hires.
So we get people who have served a full military career,
they're retiring.
They've done jobs inside NSA, inside cyber command,
inside the cyber service.
They're skilled, they're exceptionally talented,
now they're coming on board,
and they enter this probationary period,
and again, we've already tested them in the chair
that they're in now,
but they just wore a uniform at the time,
so we know they're performing,
so it's perfunctory, but now they're at risk.
And so there were carve-outs for national security,
but there's a lot of ambiguity
about what that did or didn't apply to.
And so what you've got are all these probationary employees
who are panicked to be able to support their families,
and so they're looking at the options.
So the best of the best are the people
who are gonna have options, feel secure,
to be able to pull the ripcord,
and to leave the national security pipeline
and go out and do something
else.
And, you know, those are the people that were impacted.
The other thing we do is, you know, we have a lot of skills that aren't taught in university.
So we bring in people and we put them in development programs for a couple or three years.
And you know, those programs are just our talent lifeblood
of exceptional people that will come up through the ranks.
And what you had here was those programs
were almost entirely probationary employees.
So this is a huge problem.
And not only is it a problem for today,
but all the recruits that we would wanna bring in
next year and the year after and the year after are going to wonder, you know, am I
going to come in and a few months later be the subject of this probationary reductions
in force?
Yeah.
It's good times.
We were chatting earlier too and it looks like Elon Musk is making some noise also criticizing
the NSA for trying to recruit new talent
at historically black universities as well, is that right?
There's been some posts, you know,
our recruiting pipeline is diverse
in both schools, people, and skills.
So, you know, that's important.
I mean, to be clear-
And it doesn't equate to DEI.
Well, I mean, this is the thing, right?
I mean, I think people might misunderstand,
some people at least, might misunderstand that,
you know, recruiting is a challenge for agencies like NSA
and reaching out to, you know,
reaching out to a diverse number of candidates,
it's not about being nice to minorities per se, right?
It's about actually fulfilling a need
which is to get bums on seats, as we'd say, and to get people in, recruited and actually working on the mission.
Yep, so, you know, my mantra all the way along has been cyber security is national security.
And so we don't want to erode the special talent and pipeline we have.
Yeah, yeah. So,
Look first of all it is kind of unusual
that someone of your standing is actually prepared
to come out and actually criticize
the Trump administration.
The silence from everybody is quite deafening.
You know, did you have any reservations
about saying what you said in that committee?
Yeah, it's important.
I talked about the concerns that the workforce has,
but it's important for them to see somebody speaking up
for them.
I'm not NSA anymore.
I don't speak for NSA.
But they understand that I get it,
and I understand the stresses and the concerns.
And so it was nestled into a much larger,
thoughtful, I think, conversation I had with Congress.
But, you know, yes, it did get plucked out
and got some press.
Yeah, I mean, I guess my question is more about,
were you concerned about blowback?
Yeah, this is important.
And, you know, at times it's important to talk about those truths.
You mean sometimes it's important to show a spine and actually speak the truth.
Good, good for you.
Now look, one other thing we're going to talk about here is the United States withdrawing
signals intelligence support from Ukraine.
And then overnight, just as we record this, they have now restored that sharing.
You know, I imagine that would have been difficult to watch from your perspective.
Do you have any short thoughts that you can share on that?
Yeah, I just know how important that intelligence sharing is, right?
It enables the understanding of what attacks are coming, you know, the
the technical capabilities from cyber to kinetic that people are up against.
And so if you're going to defend and save lives and face it, there are a lot
of civilians in the path of these attacks. You need intelligence and so I
am really, really pleased to see
that we got that turned back on.
Alrighty, well look, we're gonna wrap it up there.
Rob Joyce, thanks so much for joining us
on this week's show to talk through the news.
You know, pretty technical run sheet this week as well,
so that was a lot of fun.
And of course, thank you for sharing the details
of your congressional testimony.
It's always great to talk to you, Pat and Adam.
Thanks.
And Adam, that's it for us, mate.
I'm going to wrap it up there and on to this week's sponsor interview.
Thanks for joining me.
We'll do it all again next week.
Yeah, thanks so much, Pat.
And thanks a lot, Rob.
Always great to have you along.
That was Adam Boileau and special guest co-host Rob Joyce there with a recap of the week's
news and a bit of a discussion there about Rob's testimony to the US Congress.
It is time for this week's sponsor interview now with Lee Christensen and Justin Kohler
of SpecterOps.
SpecterOps of course makes the BloodHound tool, which can help you work out an attack graph
basically for your Windows network and really help you to improve things there so that it's not just
a free-for-all if someone gets a shell, like, anywhere. So, you know, always a worthwhile exercise
to go through some bloodhounding. But they've been doing some work recently on figuring out how to
address some of the risks presented to networks by the legacy authentication protocol NTLM, which despite being something like 30
plus years old is still rattling around and functional on Windows networks and quite difficult
to turn off.
This is going to be a problem for another 10 years.
So yeah, Justin and Lee, join me to talk through all of that.
And here is Lee Christensen, first of all, to kick off that interview. Enjoy.
NTLM is an authentication protocol, first and foremost. So Active Directory has a lot of
different ways that you can authenticate. NTLM is one of them, but it also supports things like
Kerberos or Active Directory certificates. Now, NTLM has been enabled in Active
Directory for like, what, 25 years since the early 90s. So, it's been around since the NT days,
and just due to compatibility, it's stuck around all these years. And because of that, like,
naturally, attackers want to abuse it because it's still here, it's still enabled, it's used for authentication.
That's our favorite thing to abuse as an attacker is trying to impersonate people.
So obviously if it's there, we're going to use it and abuse it as much as we can.
So look, it has inherent weaknesses.
For those who weren't around in the...
And by the way, early 90s, that makes it more like 35 years old, man.
That's how far time's got away from us. But like, why don't you tell us what those inherent weaknesses
are for those who might not be familiar? Yeah. So there's a lot of different ways that we abuse it,
in, like, our pentesting or red teaming engagements. But some of the different ways that it can be
abused are the hashes it uses are just weaker.
So if you get access to the hashes, you can crack them much quicker.
There's also weaknesses in terms of when you use,
when you try to authenticate with NTLM,
you can potentially relay that somewhere else.
So let's say I coerce Justin here to authenticate to me as the attacker.
When he authenticates to me, I can relay that or just pass that on to another machine and
impersonate Justin when I log into that other machine.
So basically, once you're on the network, it's pretty easy to impersonate basically
anyone if you're on the right bit of the network.
Yep. Yep.
Yeah. Which as a pen tester comes in handy.
Yeah, and I'd say as a pen tester, like, when I was first getting started in this industry,
like, this is one of the first things I learned. You know, you spin up Responder,
do, like, ARP poisoning, and then you'll coerce somebody to authenticate to you,
and then NTLM relay to get access into Active Directory. So super old, like, pen
test 101 technique.
Yeah, so I, how many people are actually using this
as their authentication method these days?
Because as you pointed out earlier,
there are better alternatives now available
for you to use in Active Directory.
Like why aren't people turning this off?
Yeah, I'd say the biggest reason
is just because it's on by default.
Like it's been there since, you know,
Active Directory started
and Microsoft just hasn't disabled it.
You can disable it in a variety of different ways, but out of the box,
it's not disabled.
And so people aren't going to change it if it's not breaking things.
Are they changing this though? Cause I did see something. I mean, I'm just,
it's a bell ringing in my head that they're ripping it out of like future
versions of server or turning it off by default.
I can't remember exactly what the change is,
but it does sound like Microsoft is glacially moving
towards kind of trying to address this.
Like where's that all at?
Yeah, I'd say glacially is the right choice of words there.
They've stated that they are going to be removing it,
but so far I have not seen any movement towards that.
So Windows 11 is slated to have it removed in, I don't know, this year.
But we haven't seen that happen yet.
There's been a lot of improvements in the server versions of Windows, but they've stated
still in the release notes that it's now deprecated, but it's still enabled.
So it's still there. It's just considered deprecated. Like, it's not going anywhere yet. So I...
So like for an organization that is using a different authentication protocol for Active
Directory, you say it's turned on by default. Like is NTLM still the default way that the
clients talk to the server or it's just enabled by default as an additional method?
It's enabled by default as an additional method. So, yeah, it'll try and use something more secure like Kerberos if it can, but
NTLM is still there, and, like, I as an attacker can choose to use that if I want to, and it'll still work.
Yeah, so you can ARP spoof and then say, I'm your directory, you must authenticate to me with NTLM,
and the client will do it.
Yes.
Yes.
OK, that seems extremely not great.
So the question becomes, if this is such a glaring issue,
and as best I understand it, for the last 25 years it has been,
what is stopping people from then just disabling NTLM
as an authentication method?
Yeah, so there's a few different reasons.
So Microsoft allows you to disable it
at a variety of different levels.
You could do it throughout the entire domain itself,
but that's very difficult to do
because of compatibility issues,
whether that's with older versions of Windows,
or maybe there's third-party
appliances or Linux products that are out there that use NTLM underneath.
It's a much simpler protocol, so a lot of application developers, if they
want to integrate with Windows, they'll just choose to use NTLM because it's a
simpler protocol rather than trying to set up Kerberos. So there's
a lot of these compatibility problems.
Microsoft itself, for a long time,
had hard-coded the usage of NTLM.
So part of this effort that they're having now
to get rid of NTLM is they've gone through
their entire code base and removed hard-coded usage
of NTLM in a lot of their services and client applications.
I'd imagine things like printers and whatnot are going to use NTLM, right?
If you want to join them into your Windows network, that's how they're going to do it.
Yeah, exactly.
There's also some weird fallbacks that happen in Active Directory environments.
If you try and authenticate to... You're trying to access a machine by its IP address, that
uses NTLM, it doesn't use Kerberos underneath. So to use Kerberos you got to
use, like, proper host names and whatever.
Yeah, yeah, right. So I mean, obviously it's
still a problem, otherwise we wouldn't be talking about it in this year of our
Lord 2025. Can't believe we're still having this conversation. But, you know, I
guess the question is, with it being difficult to disable, because it's, you
know, because it pops up so often, like, how prevalent is it out there? You guys do an awful lot of pen tests. Like, how often are you seeing it?
Everywhere. Like, there's only been,
I'd say, a couple organizations that I've been into that have disabled,
like, quote-unquote disabled NTLM, and even in those organizations, it was enabled domain-wide still.
So we see it everywhere all the time.
And like even our most, I'd say our best
Bloodhound enterprise customers,
we've gone in there and like our consulting teams
have gone in there and they're secure against,
you know, what was present in Bloodhound enterprise,
but we come in and just do these relay attacks again
and we'd have plenty of success.
So even these super mature companies that have,
you know, a lot of resources, they're fixing things,
they're still vulnerable to a lot of like these same attacks.
Okay, so that is the state of NTLM.
Justin Kohler is also joining us.
So now Justin, the question becomes, what do?
What do about NTLM? What do?
Yeah, so that's the problem.
Probably why Lee sees it so much on the attacking side, right?
Like Lee said, they see it all the time.
And I know from talking to a bunch of our pen testers,
it's probably the one or two top most like prevalent ways
that we take over Active Directory environments.
It's just so common, like why not use it? You can't really do anything against it too, because people can't disable it,
because it's such a like an unwieldy thing to tackle. So that was kind of our basis for like
trying to model this in Bloodhound. So if we could, we knew that when we executed it in
pen testing engagements, the results that we were delivering were actionable.
So it wasn't like, hey, we abused NTLM in your environment,
and you should disable NTLM across the domain
to prevent that from happening again.
That's not the type.
Yeah, I mean, that's not a helpful finding, right?
No, no, no, no.
I mean, it's kind of like, I kind of feel like
this is the same experience that we had with
BloodHound and Active Directory, right? Active Directory was an unsolvable problem, and then BloodHound comes in and makes it
approachable, right? And now we can pinpoint where we should fix problems.
So that was kind of our genesis for NTLM. When we would engage,
or relay attacks, you know, like, execute relay attacks in customer environments,
The advice that we gave them
was actionable and it removed the risk.
So we're like, well, okay, well, if we can do that
in a pen testing engagement, can't we do that in Bloodhound?
And now it's really hard, there's a lot of moving pieces
around that, but we've been known to do hard things,
so that's what we tackled in Bloodhound.
Yeah, so how do you actually tackle this
as an issue with Bloodhound?
And is this kind of newer?
Or, I mean, I imagine you've been doing this for a while, right?
This is actually, so we've been working on it for quite some time.
The research was like, I'm passing the mic back over to Lee here in a second,
but the research was started late last year.
We've been testing it and we're-
So this is new?
This is releasing in March.
Yeah, okay, right. Cool, cool, cool.
This is gonna be brand new.
Excellent.
Okay, well Lee, walk us through that.
Like, what are you doing with Bloodhound to try to get a handle on this?
Because, you know, I like the way you described that, Justin, in terms of like,
and it's good to hear a vendor say,
we make this problem with Active Directory approachable,
not we come in and pew pew, single click, solved, right?
So I'm guessing you're taking the same approach with the NTLM stuff.
Like, how do you take this problem and turn it into something
that you've got a better chance of getting your hands around?
Yeah, so I'd say we're gonna be introducing some new edges in BloodHound.
So for people who haven't seen BloodHound, it's just, as an
attacker, it gives me an attack path of how to compromise, you know, a host or a
machine in Active Directory environments. So what this is going to do is it's going to add some new
edges that state, you know, I can use NTLM Relay to compromise this IT administrator's machine or
this server machine over there. And in particular, we're adding in three new type of edges.
We call them the coerce and relay edges, which is basically
we're able to coerce a machine to authenticate to us.
And then we can relay that and impersonate that machine
that's authenticating to us, whether it's to Active
Directory or to log into another server and impersonate
that.
This sounds great from an attacker's perspective, but like how...
Talk through the defensive case here.
I can try to take some of that.
So for like, we have two different versions of Bloodhound, right?
BloodHound Community Edition, which is free and open source, and BloodHound Enterprise.
So first, starting with Bloodhound Community Edition, everybody's going to be able to visualize
the attacks and understand the risk posed by certain principals within their organization.
So for a pen tester, they can understand what they would abuse to get to their objective.
For a defender, they can articulate the risk of that configuration and then take steps
to remove it.
On the Bloodhound Enterprise side, they're going to do that at scale.
So again, that unwieldy problem of let's disable NTLM across the domain is a non-starter.
We can pinpoint the servers that have the most amount of risk
for NTLM relay attacks and then give you specific guidance
to remove that.
And that, again, is approachable guidance.
We've seen it work for our customers on consulting engagements.
I'm getting it now, right?
Which is the idea is that it can narrow it down.
So the advice which might come out of the pen test report,
you know, 10 years ago, which is, hey, just turn off NTLM
and everyone ignores it and throws the report in the bin.
Whereas now it's like, well, hey,
maybe if you could disable NTLM here, here, and here,
that's going to put you in better shape.
Or even better, like disable it for this protocol,
but preserve it for this protocol,
for this legacy system only that is not supporting more modern
authentication protocols.
And is Windows, like, capable of supporting those sorts of configurations quite easily?
Yes, so Lee can back me up here,
but you can disable on the protocol level, on the host level, or at the domain level, all with different levels of like difficulty,
right? And that's where we can help organizations understand and take that action.
It sounds worthwhile.
I'm guessing, Lee, that you've been through, as you pointed out, this is going into the
product in March, but I'm guessing you've used this on professional services engagements
already.
How would you rate the success here once your customers have been through that process?
Well, I will say that on engagements, I haven't used this because I've just been on the research
side, but I can guarantee that this is going to find a lot of stuff that has not been highlighted
before. Just because, like I said, our most impactful, our most mature customers have fallen
to these attacks. And I know it's going to light up a lot of people's networks
as well.
Yeah.
Yeah.
All right.
Well, we're going to wrap it up there.
Lee Chagolla-Christensen and Justin Kohler,
thank you so much for joining me on the show to walk through,
yeah, some new features coming to Bloodhound,
which will let you pinpoint where NTLM in your Windows
networks is most problematic.
Great to chat to both of you.
Thank you.
Thanks, Patrick.
That was Lee Chagolla-Christensen and Justin Kohler
of SpecterOps there.
Big thanks to them for that.
And yeah, you can find Bloodhound Enterprise
just by Googling Bloodhound Enterprise, I guess.
And definitely a worthwhile exercise
if you're operating any sort of Windows network at scale.
It's an exercise you wanna go through. Just even the attack graph stuff, the NTLM
stuff, nice to have as well. But yeah, Bloodhound is something you should be
looking at. But that is it for this week's show. I do hope you enjoyed it.
I'll be back tomorrow with Seriously Risky Business with Tom Uren in the Risky
Bulletin RSS feed. But until then, I've been Patrick Gray. Thanks for listening.