Risky Business - Risky Business #786 -- Oracle is lying
Episode Date: April 2, 2025On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: Yes, Oracle Health and Oracle Cloud did get hacked The fallout from Si...gnalgate continues North Korean IT workers pivot to Europe Honeypot data suggests a storm is brewing for Palo Alto VPNs Canadian Anon gets arrested for hacking Texas GOP This week’s episode is sponsored by Trail of Bits. Tjaden Hess, a Principal Security Engineer at Trail of Bits who specialises in cryptography, joins the show this week to talk about what a responsible crypto-currency exchange cold wallet setup looks like, and … contrasts that with Bybit. This episode is also available on Youtube. Show notes Oracle Health breach compromises patient data at US hospitals FBI probes Oracle hack tied to healthcare extortion: Report - Becker's Hospital Review | Healthcare News & Analysis Oracle Still Denies Breach as Researchers Persist Hacker linked to Oracle Cloud intrusion threatens to sell stolen data | Cybersecurity Dive Publius on X: "🚨 SIGNAL SCANDAL: Katherine Maher, the leftist NPR CEO, is currently the Chair of the Board of Signal! WHAT ARE THE ODDS? https://t.co/jWNTeAt3Jz" / X Mike Waltz Is Losing Support Inside the White House - WSJ Waltz and staff used Gmail for government communications, officials say - The Washington Post Pete Hegseth, Mike Waltz, Tulsi Gabbard: Private Data and Passwords of Senior U.S. Security Officials Found Online - DER SPIEGEL Even More Venmo Accounts Tied to Trump Officials in Signal Group Chat Left Data Public | WIRED You Need to Use Signal's Nickname Feature SignalGate Is Driving the Most US Downloads of Signal Ever | WIRED Wickr - Wikipedia When Getting Phished Puts You in Mortal Danger – Krebs on Security DPRK IT Workers Expanding in Scope and Scale | Google Cloud Blog How the FBI Tracked, and Froze, Millions Sent to Criminals in Massive Caesars Casino Hack Defense contractor to pay $4.6 million over third-party provider’s security weakness | The Record from Recorded Future News Surge in Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats CISA warns new malware targeting Ivanti zero-day vulnerability | Cybersecurity Dive Canadian hacker arrested for allegedly stealing data from Texas Republican Party | The Record from Recorded Future News British intel intern pleads guilty to smuggling top secret data out of protected facility | The Record from Recorded Future News
Transcript
Discussion (0)
Hey everyone and welcome to Risky Business, my name is Patrick Gray. We'll be getting
into the news in just a moment with Adam Boileau and then it'll be time for this week's
sponsor interview. And this week's show is brought to you by Trailor Bits, which is a
security engineering firm based mostly in the United States. And we're talking to Jaden
Hess from Trailor Bits this week. He works on their cryptography team. Trailer Bits does a lot of work with cryptocurrency exchanges
and we're going to be having a bit of a chat about what went wrong at Bybit,
whether or not the sorts of practices they were engaging in are common and you
know what exchanges really need to be doing to avoid having 1.5 billion
dollars stolen out of their wallets which is, I still can't believe I get to say
that out aloud.
But yeah, let's get into the news now with Mr Adam Boileau and mates let's talk about
the lying liars at Oracle.
Oracle is having a really bad time because it looks like they've had two breaches which
are completely distinct and disconnected from each other although I'm not quite sure you're
the one who's done the research on this and
they are spinning hard on this one and kind of, you know,
it's veering from sort of spin into outright porky pie lies.
So why don't you walk us through what's happened with Oracle starting off with
the Oracle health breach?
Yes. So Oracle has a health data subsidiary which was
previously called Cerner before it was acquired a couple of years ago. Now they
spent you know quite some billions of dollars acquiring a very big you know
health technology firm and some of that environment has been integrated into
you know Oracle's Oracle cloud and into their modern world.
But it looks like some kind of legacy,
some bits and pieces of the original Surna Health
was still kicking around the internet.
Somebody has bust into it and helped themselves
to a whole bunch of electronic health record data.
One of their main products for
CERNA is tools for building health data management platforms and then
the person who is doing it, who broke in there, appears to be kind of trying to
ransom that data back both to hospitals and medical companies themselves
as well as Oracle. The person behind it doesn't appear
to have any affiliation with a known ransomware gang,
but they do say that their name is Andrew.
So that's the case.
That'll narrow it down.
So Oracle has been kind of quiet about this.
Much like the other breach we'll talk about in a second,
they haven't been saying a whole bunch publicly, but they have been reaching out to their health industry customers
and the word on the street is that those customers are being sent letters on like non like plain
paper no oracle letterhead signed by some you know oracle exec basically saying look we've lost a
whole bunch of your data it's a kind of a you problem.
So you should figure out whether the data that we lost, uh, you know, is violating,
you know, HIPAA or whatever other regulations, uh, you may be subject to.
And, uh, yeah, off you go, let your customers know, uh, Oracle has very
generously offered to pay, uh, for some form of credit monitoring or the usual
sorts of things you do when you have a data breach, but otherwise they are leaving their
health customers out to dry.
People are not particularly happy, I think it's fair to say.
No, and apparently their customers are being instructed to only talk about this with Oracle's
CISO over the phone and not via email. And their communications have said,
you know, the data may contain patient data,
but all the customers know that it does,
because I'm guessing they've been sent samples.
So not a good look at all.
And this comes hot on the heels of one
that I think we spoke about last week,
which is a bigger breach at Oracle
where they owned some sort of auth box
and just got an absolute ton of info out of it.
So we did briefly touch on it last week, but now we've looked into it a little bit more.
This is a breach that Oracle denied happened. They said, oh this, this, this totally was not a breach of Oracle's production environment.
Like why don't you walk us through exactly what it is the attackers
apparently did here, what they obtained and then why Oracle's response is a lie, you
know, a liar's lie.
Yeah, so some person who goes by like rows 8, 7, 1, 6, 9 on some underground forums is
flogging off some data that they have stolen that they claim from a login portal, an auth
portal in Oracle Cloud. And they claim to have shelled
one of the Oracle Cloud login boxes using a known floor
in a particular CV,
which I think is a deserialization floor
in Oracle's identity and access management product,
which is part of the wider kind of Fusion applications,
Fusion middleware Oracle suite. That bug is a couple of years old now, I think 20 gets a 2021 bug and it's a little
fiddly to exploit but that is what the attacker says that they used and then they claim to have
got something like six million records worth of customer, you know, of like login information and this varies between LDAP
kind of auth passwords, a bunch of certificates and other bits and pieces
and they have provided some of this data as evidence of their access on the
forums and then to a couple of researchers. They also posted a text file
on Oracle's login server with their email address in it, so they could verify to
I think one of the outlets that they were talking to that it was in fact them, so they pasted in the
text file x.txt with their Proton mail email address in it. And then a few people who've got hold of
this data have, you know, cross-referenced it with a few customers listed, and those customers say,
yes, this looks like our information.
Oracle has flat out said, this didn't happen.
It's a load of bunkum.
And I can imagine that Oracle wants
to believe it didn't happen, but it certainly looks like it did.
So I had a good run around yesterday into what the data looked like, but it certainly looks like it did. So I had a good rummage around yesterday
into what the data looked like, where it came from,
and what some of the similar systems in Oracle's cloud
environment look like.
Now, this is where it starts getting tasty.
So the 11G release of Oracle's Fusion middleware and so it's like that whole kind of stack is a thing that I have some personal experience of shelling so like I you know I
I when I first read this I'm like yes, I a hundred percent believe the hacker and I zero percent believe Oracle
but then I went and had a rummage around and there is quite a lot of
11g era bits and pieces of
plumbing in Oracle Cloud and the kind of login server that this person claims to
have hacked, you know, the headers suggest that it's running the 11G release
which is from, I want to say like 2009 or something. Importantly that release is no
longer supported by Oracle. They wouldn't support it for their customers,
although the funny thing is that Oracle's definition
of end of life is not, they don't call it end of life,
they call it sustaining support,
which is available indefinitely.
And that sustaining support means you get access
to the patches they've already made.
You don't get any access to any new patches
because they're not making new patches, but you can have access to the patches they've already made. You don't get any access to any new patches because they're not making new patches.
But you can have access to the things that you already
had forever, if you so wish, which is very generous of you.
Jeez, helpful.
Thanks, Oracle.
But such double corpo, double speak there.
But yeah, there is a lot of very shonky old look
in Oracle Gubbins lying around in Oracle Cloud.
And most of this, like some of the bits
that I was pasting in our internal Slack
yesterday for your amusement, have certificate names
like Cloud Admin, CloudAdmin.us9.oraclecloud.com,
or star.usgov.oraclecloud.com, which
doesn't feel particularly good.
So I mean, to be clear, what you did is you hit up census.
You're looking within the IP range of Oracle's cloud and you're finding ancient
out of, you know, end of life boxes there with interesting certificate names.
And this is while Oracle is claiming, Oh, this never happened.
So you have a theory about what actually went down here.
And I think it's a plausible one.
Yeah. So, I mean, my vibe is probably they have updated these things, they've built new ones
or they've forked them or copied the virtual machine or whatever it is, and there are modern
versions of these things on more modern Oracle software stacks and they just haven't turned
off the old ones.
And when Oracle sees this, they're going to, when they see someone mails in and says,
hey, I've breached your stuff, give me millions of dollars worth of crypto, they're going
to go, but we already updated that without stopping to think actually the old stuff is
still around.
And I went and had a look when I was rummaging through sensors, I checked that a few of those
boxes are in fact still live and answering requests.
They're still there, went and looked at the login prompt and it sure looks like an ancient
Oracle login prompt.
So yeah, I think that they are going, well, this is legacy old stuff, so it doesn't matter.
So therefore we can say our production Oracle Cloud didn't get hacked.
But when it's custom-acquired.
Yeah, I mean, but that's crossing the line.
You know, Microsoft is amazing at putting out press responses where they're obfuscating and they're
using doublespeak, but they're not going this far.
This feels like an outright lie.
Having been a cybersecurity journalist now for nearly 25 years, I can tell you that Oracle
are pretty much the worst offender when it comes to this sort of stuff.
Microsoft used to be worse.
They were quite good for a while.
They're sort of back to being not so great.
But I have a feeling that's changing because they keep getting in trouble with the US government.
And yeah, but I mean, Oracle just don't really have great practices.
They tend to scapegoat researchers as well.
I mean, who could forget Marianne Davidson's blog post a while ago where she was essentially
threatening. She's the CISO at Oracle and has been basically since the
Jurassic era, and was basically threatening legal action against people for reversing
their products because it's against the terms of service.
Like, Oracle is a company that does not get it, it has a weird culture, it's a closed
ecosystem, sort of like, you know, very cult-like company, and they don't really appear to know what they're doing.
And, you know, this is the sort of stuff that happens
when you are running a large company
with a weird insular culture
that doesn't listen to anyone else,
when you also don't really quite know what you're doing.
You know, this is what it looks like.
This is what it looks like.
And I feel like, you know, in the depths of Oracle,
there are plenty of smart people who work there
who understand that they got themselves wrecked,
but somewhere in the 47 levels of management
upwards from them that message gets
massaged into something that's just
Looks to me like straight-up bollocks
Yeah
I mean when I say that they don't know what they're doing I am talking about management in case there's anyone rage
listening at Oracle who actually because of course they're gonna have good people there
but they're clearly not getting listened to if you can pull up census and
Find this stuff in their IP space like you know in a minute
Yes, yeah, yeah, it's it's it's nasty like I haven't seen some of those old son
You know kind of old very very old
You know I want to say son style
It's not this is obviously Oracle software,
not Sun software,
although some of it is baguette from the Sun acquisition,
which does kind of put an edge on some of this stuff.
Cause it's, it just like, it has a particular look
if you've been a Unix hacker for a long time,
you just know what that stuff, when you see it,
it smells like old, you know,
it's got that sort of, you know,
old grandma curtain vibe.
I've worked with a bunch of, you know,
asset discovery startups, right?
So Asset Note was one and then HD Moreover at RunZero as well.
And I've had a front row seat when some of these tools
have been thrown at extremely large clouds, right?
And I'm talking, you know, name brand big clouds to find stuff like this.
And they have come up really with very little with, you know,
running these sorts of scans against some of the very big cloud operators, right?
So the fact that you were able to find this in census boggles my mind.
You're telling me there's no one whose job it is at Oracle to flag something like that and maybe get something done?
Because that's just that's that ain't good enough.
No, I mean, it's it's really not but I mean that's unfortunately that's kind of the Oracle Jam, right? They
That's just what they do. I mean I've seen
Like I don't like I guess I can probably tell this story now
But like at some point we looked at some systems that were old, solaris stuff that was being lifted and shifted into Oracle
Cloud for a big customer.
And the Oracle engineers did the Oracle consultancy and brought in people to do that lift and
shift.
And they picked up these boxes, moved them into Oracle's cloud, put them on the internet
as they were, as you would expect.
That's what they asked for.
We want as like for like, migration, blah, blah, blah, blah.
But that included leaving the like internal Telnet
interfaces that previously were in the middle of a bank
on 10.yada yada.
Now they're on the internet with terrible passwords,
like the normal kind of configuration of those boxes,
but they just lifted the shift and dumped it right
on the internet without even a word to the customer.
You may have let that one slip over a beer once upon a time
many, many years ago.
But yes, Oracle putting your telnets on the internet.
Yeah, and especially when we had that telnet fbin bug
where you could just log in with no crates, which.
Yeah.
I mean, I think we have, I think some questions need
to be asked about the state of Oracle's cloud
with all of this in mind.
And of course, the state of their security culture.
Look, everybody has incidents.
Having two in such a short period of time
is unlucky for them.
But hopefully, it'll actually put some attention on them.
Because you can't imagine having a look at the Azure IP space
and finding a bunch of like NT4 boxes.
It sort of feels a bit like that.
I mean you'd want to believe that wouldn't happen and probably there
wouldn't be any critical NT4 on Azure anymore but yeah Oracle that's just not how they roll.
No, no it's not and yeah I mean again the no, it's not. And yeah, I mean, again, the problem
when it comes to these mega vendors is like,
what's the recourse, right?
And the recourse is for the buyers of this sort of stuff
to push back.
But we see in the case of government contracts and stuff,
these are negotiated at such a high level
that they're not really asking detailed questions about,
well, have you run discovery tools
to look for old versions and decommissioned stuff that
hasn't been dec decommission?
Like it just doesn't, it doesn't really line up with the questionnaires.
You know?
No, no, it really doesn't.
And you can't just turn around and ask Oracle salespeople.
So explain to me why you don't suck in the year 2025.
Yeah.
And of course they're going to say, because AI and because best of breed or whatever.
Well, unbreakable famously.
Unbreakable famously.
What was that like 20 years ago they had Oracle Linux that they called Unbreakable and they
called their products Unbreakable.
It was a whole campaign and at one point they said things were unhackable.
And that's what led to the birth of an industry legend, which is David Litchfield, who I believe
is now at Apple.
When he was like
sitting in a presentation, like watching them describe this thing as unhackable,
and he just started shaking their products.
And I think he dropped 42 Oday the next day.
Um, so that's Oracle.
Oracle have always sucked.
The idea that somehow they magically don't suck anymore was always a fantasy.
Um, and we just, I guess it's a good week to remind everybody of that. Yes. Yeah. that somehow they magically don't suck anymore was always a fantasy.
And we just I guess it's a good week to remind everybody of that.
Yes. Yeah, exactly. Try not to put your Oracle stuff on the Internet.
You got the database. Keep it in the middle of your network.
It's probably all right. But yeah, that all of their applications
stack just just just don't.
It's oh, yeah, you're right.
I know. I know. As a pen tester, when you saw it on the edge of the network, you rubbed your hands
together.
You knew it was going to be a bad day at the office because you had to interact with their
software and all of the nastiness, but you knew you were going to get shells.
Well funnily enough, MSSQL, one of the reasons it really succeeded and became so widely used
is because of these security concerns around Oracle's database products back in the day.
So that is one of the rare cases where someone managed to squeeze a win out of a competitor's pretty awful security
practices. I will say to Lawrence Abrams over at Bleeping Computer has been doing a lot of work on
this and he's been doing a great job. We've linked through to one of his reports. Also kudos to
Becker's Health IT who've done some excellent reporting on this. And I love it when you get
these industry journalists who are doing some of the best this. And I love it when you get these industry
journalists who are doing some of the best coverage. I remember the attack against, what
was it like, JB Meats or JBS or something. They got ransomware and like the best coverage
was coming from like a beef industry journalist, which kind of put the rest of the tech media
to shame. So we've got a bunch of stuff linked through in this week's show notes that people can take a look at.
Now, unfortunately, we have to do some follow-up reporting on Signalgate.
Since we recorded last week, we had the question of like, well, was Pete Hegseth copying and pasting stuff into Signal from a high-side document?
It doesn't look like that was the case.
The journalist Jeffrey Goldberg released the full Signal messages. It was interesting actually because if you look
back at the conversation, most people were actually being pretty restrained
and controlled and there were references to like you know go check things in your
high side mailbox and whatever and it was Hegseth who just started dumping
like specifics into the chat and the vice president JD Vance you know
trash-talking Europeans and stuff. still not good to use Signal for this purpose, but they were the ones who really,
you know, were the most indiscreet in this conversation.
Now since then, of course, we've seen unbelievably the US administration starting to smear Signal itself. Like, there's even been this allegation that Catherine Ma, who's on the board of Signal,
is, I think she's the NPR CEO as well.
And she's like got links to the Atlantic Council,
Atlantic Magazine, Atlantic Council,
put it together, Sheeple.
She probably lives in New York, mate.
You know where that is.
That's next to the Atlantic Ocean.
But you know, we're seeing some of these theories
like being reposted by Donald Trump himself,
which, I mean, this is a typical sort of Trump strategy.
I don't think for a second that he believes
that Signal was involved in a conspiracy
to add a journalist from the Atlantic
into a Signal group chat.
We're starting to see some political fallout.
Mike Waltz, the national security advisor in the United States, his job is safe for
now but apparently he's lost sway with Trump and he's pretty toxic.
He's pretty on the nose at the White House.
It turns out also that he was running multiple other signal groups and we obviously mentioned
this last week that we expected that to be the case, including signal groups involving
discussions about brokering a peace between Russia and Ukraine.
Now when I've spoken to former intelligence community types about, well, what do you think
the likelihood is that at least one of the endpoints involved in these signal message
chains was compromised?
They've all said, look, more likely than not verging on undoubtedly, right?
So you have to imagine that these conversations are
happening in full view of a foreign intelligence service. We've also seen some reporting that
Waltz is, you know, often uses his Gmail account to discuss government business, you know, no
allegation that there was anything classified there, but we got a bit of a theme to talk about this week, right?
Which is just like why the civilian internet
and civilian applications aren't really the appropriate way
to conduct these sorts of discussions.
And you know, Dispeagol has this excellent reporting
where they've just gone out and looked up
the contact details and passwords out of dumps
for a whole bunch of prominent US national security figures, including Pete Hegseth,
Tulsi Gabbard and Mike Waltz. So I mean, there's been some good reporting here that just sort of
shows like you can't really mix this sort of business with the civilian internet and app
ecosystem. Yeah, absolutely. And I get it's probably difficult,
especially if you're coming from outside
of traditional government circles, which if you're
Hegseth, I guess, well, you came from Fox, right?
I think he's got a military background,
but he was working as a Fox commentator as well.
And with hair like that, I will say
he's a very handsome man with terrific hair.
I'm very jealous.
Those of you watching on YouTube would understand why.
I wish I had Pete Hegseth's hair. I suspect that's also a part of why
he got the job. But yeah, he's also got like a master's I think from Princeton in public
administration and stuff. Like I think it's, you know, people are very, he clearly doesn't
have the typical sort of work profile of someone in that job. But you know know he is a well-educated man with at least some experience in the military and terrific hair.
Yeah I guess what I was what I was gonna say was like it must be a bit of an adjustment
coming from outside of very regimented communication circles, you know
regimented circles of where you have to control how you communicate and where
you communicate that aren't civilian IT.
Like it's a bit of a shock
and must take a bit of adjustment,
but if anybody, if any government in the world
is equipped to brief these people on the threats
and what they have to do
and provide them with alternatives,
like it's the US government,
they have been working on this stuff
for a very, very long time.
And so it is pretty inexcusable for them to be falling
into these traps.
But as the civilian internet becomes so pervasive,
and we see things like having to have an Apple ID
to use in Apple products,
having to have Microsoft accounts use Microsoft products,
the sort of the extent to which you have to interact.
It's not just you get software and use it,
and you can use it away from the rest of the infrastructure.
And as auth gets integrated and identity gets integrated,
and that's really where the criticisms of signals interface
in this whole malarkey has been that it is very difficult to determine exactly
who you're talking to and navigate to the avatar.
What does the avatar look like?
How do nicknames work?
How do phone numbers tie into this?
You know, identifying who you're talking to and who you're adding and getting that through
signals interface is kind of fiddly and that's fiddly for everybody because it's civilian
tech.
Well, and that explains why Goldberg's, you know,
was added to that chain because the signal interface
is absolute junk.
I remember when they moved to the nickname thing,
like it's real hard when someone's using a nickname
to understand who they are and like the interface
is absolutely terrible.
And for a security first app, I've, you know,
always thought, geez, what on earth are they doing?
But, you know, funnily enough,
this whole thing has made Signal downloads soar
to record highs as well, right?
So it's been fantastic advertising.
Yeah, it's the classic,
this thing is bad publicity, right?
Cause yeah, they appear to be really cranking
and mostly in the US, you know, it's just,
if it's good enough for the national security apparatus,
then clearly it's good enough for everybody else's apparatus, then clearly it's good enough for
everybody else's group chats.
Although I don't know about you, but basically every group chat I am in is posting war plan
jokes.
At least some point in the last week there's been a war plan joke in every single one of
them because it's just really tickled the fancy of so many people seeing the technology
that they use being used in this way.
The jokes write themselves. I've been watching even the pop culture stuff in Saturday Night Live or
all of the late night talk shows. It's been such good comedy and good reminder for everybody about
this kind of opsec, about the importance of identifying who's in your chats and you know it underscores the fact that ultimately crypto is a solvable easy enough problem but identity that's hard.
Yeah it is it is. I think my favorite one was like Bom Yemen tonight, Bom Yemen tonight queen.
That was a good one. I would also just like to tie all of this off by saying the idea that these people
didn't know that this was a risk seems pretty unrealistic to me.
Like when I've had conversations, I might be going for a beer with like a senior
official who is like publicly identifiable, right?
Like, so adversaries know, will know that this person holds valuable information.
Right? Like, so adversaries know, will know that this person holds valuable information. Um, you know, so, you know, I'll be going for a beer with someone like that.
The phones get locked into the car during that beer because they treat these phones like they are Chinese listening devices.
That is actually the way high enough profile government officials treat these devices.
Say, oh, like that is not my phone.
That is a Chinese listening device.
We're going to leave it in the car so that we can at least have a somewhat relaxed conversation.
And, you know, that is the briefing.
That's the standard advice that they get, which is your phone could very well be a Chinese or a Russian listening device.
You know, leave it in the car.
So, yeah, again, not a good look.
I don't think ordinary people quite understand just how, just how sort of reckless all of
this has been.
One thing that's worth noting too is that there are commercial alternatives that solve
some of these problems.
Like a lot of people would remember Wicca, which was like a signal style app.
The free version is no longer available because the whole thing got acquired by Amazon.
So it's owned by AWS and that allows for at least semi-secure chats.
I'm guessing you could probably put this onto government devices and whatever.
Semi-secure chats that at least uphold record keeping requirements and whatever.
But again, you wouldn't even use something like Wicca on a personal device to talk about peace negotiations between Russia and Ukraine.
Like that's just, that's just mad. Now, look, in a similar vein, when we're talking about
communication security, Brian Krebs has a great piece here about some tactics that the Russian
government is using. Well, presumably the Russian, is using to unmask people within Russia who are trying to contact organizations that are anti-Russia.
So this could be you know domestic organizations that are opposed to
Putin or the Central Intelligence Agency and whatever. So what they do is they
spin up look-alike websites for these things and then SEO them in local search
engines so people will you know hit a site where they think they can give the CIA a tip, enter their personal information that lands in the in the inbox
in someone's inbox at the FSB.
And the next thing you know, they get banned.
This is a sensible, you know, well, you know, it's not nice, but it is a sensible sort of
strategy for a country at war, I think, to, you know, figure out who's trying to undermine
them.
It's hard to say that this is a bad strategy.
Yeah.
Some of the sites that are being spoofed here, you mentioned the
CIA, which, you know, clearly if you do want to give tips to the CIA,
going to yandex.ru and typing CIA into the search box, probably not the
right way to get there, but yeah, some of these other sites are things like
Ukrainian organizations that are doing
outreach to Russians that want to contribute to Ukrainian causes, as well as militias and
other armed factions and things.
But most of these are very low-ranked outside of Russia on search engines, but inside Russia
on things like Andex, are way up the top. And it does kind of feel like, you know, this is probably Russian kind of domestic counterintelligence
I guess or whatever you would call it. And, you know, I suppose if you are, you know,
wanting to sign up for one of these things inside Russia you're probably going to need
to be a little bit more careful than just pointy clicking your way through the
regular internet and ending up on a Google form that's going to
dob you in to Russian authorities. Yeah, but I mean the average person looking to
do this sort of stuff probably isn't going to understand the risks here, right?
Which is why it is a smart way to start building a list of like
domestic enemies, right? Not that I am, not that I think it's great that, that Russia is able, you know,
I would fully support enemies of, of Putin within Russia, but yeah, anyway.
Moving on.
And it looks like the North Korean fake worker, I, you know, fake IT worker scams
are kicking off in Europe.
And I think this is an interesting development
because they've had some setbacks in the United States,
particularly around the FBI being able to identify
these laptop farms where people can,
the North Koreans can sort of access a local machine
in the US and then they appear to be coming from the US.
And those things are pretty easy to identify and pick apart
as we see here in this Google threat intelligence report. So perhaps they're moving to Europe because they've
had setbacks in the United States which makes this a good news story. Unfortunately it's going to
mean some more work for the European authorities who are going to have to, you know, I guess copy
the template of the FBI and start going after these laptop farms. Yeah, I mean I guess it makes
sense to go and leverage the scam elsewhere. It's clearly worked for them in the US both in terms of just bringing in revenue from
the jobs and also access to organisations and information.
And I guess if you've got the people able to pull it off in the US, at least in the
English speaking, in Europe English is pretty widely used, so they've got the language skills
for doing it.
It kind of makes sense. Google's, I hope this is out of the language skills for doing it. Kind of makes sense.
Google's, I hope this is out of the Mandiant bit of Google,
they found evidence of at least one laptop farm operating
out of London.
And they said that there was one case they found
where a laptop for a job, a work laptop for a person who
was nominally in New York had then showed up in the laptop farm in London.
So there was some kind of coordination
across these things.
And it's kind of like, it's funny
because some of the feedback you get is that
actually these North 390 workers are pretty good
because they actually have a whole team of people
delivering the work.
And so, you know, for your money,
you're getting more than one person's worth of expertise and they'll bring in the right person for
the job so the quality of the work is quite good but the risks you know
clearly a problem. The risks kind of outweigh the benefits on this one Guy.
Exactly but it is good news in that it shows that you know focusing on these
laptop farms operators like is a great way that you can
have some leverage locally. Google did specifically call out the challenges of
organizations that use BYOD where you bring your own device and then just make it secure.
And I'm making eyebrows here in the YouTube video, make it secure by just running a virtual machine.
And somehow that makes it fine to run a corporate SOE
desktop inside a VM on an untrusted piece of hardware.
And they are kind of prioritizing companies
that do that because it removes that point of dependence
on a laptop farm.
So yeah.
Anyone who thinks that's a good idea,
you might want to consider that aspect to it. So, yeah. Anyone who thinks that's a good idea, you might want to consider that aspect to it.
Yeah, indeed.
And we got a good news story here out of 404 Media.
Joe Cox wrote this one up,
and he's looked at how the FBI was able to freeze
much of the ransom that Caesars Entertainment paid to,
I think that was like a scattered spider
in conjunction with Russian ransomware actors or whatever. That was their, you know, joint operation.
And yeah, they managed to track down and seize millions of dollars worth of
cryptocurrency. I think most of it, I can't remember. You tell me.
Yeah, yeah. So there was something like $15 million worth of ransom that got
paid. And the FBI were able to track one cryptocurrency transfer into a bridge where
they were trying to move it from whatever cryptocurrency was in, I guess Bitcoin onwards
into something else and they managed to freeze almost 300 Bitcoin, so that's like $11-ish
million.
They froze, they got $11.8 million back out of the 15.
Which is pretty good. And then there was also another kind of a bit under five-ish
million that they got from another cryptocurrency exchange. So they're
doing pretty well on tracking down those funds and clearly being able to
do that fast enough to catch it whilst it's still in a cooperative
environment of a bridge somewhere in a reputable place, or a place that at least will cooperate
with US law enforcements, that's pretty good work.
Yeah, and if you're wondering why those numbers don't add up, where we said 15 was paid and
then 12 was covered and then five, because I don't know, cryptocurrency movements, I
guess.
Yeah, yeah, everyone's huddling and it's, yeah,
it's kind of, you know, whenever we report
about cryptocurrency numbers, it's always kind of approximate
and point in time.
Yeah, sometimes it doesn't balance at all.
We got one from James Reddick now over at The Record,
a defense contractor called Morse Corp has,
is gonna pay $4.6 million in penalties because it apparently
violated the False Claims Act. We've seen the US government go after companies for violating that
act before where they sort of basically are promising that they're in compliance with things
that they're not. In this case, it looks like they were using an unaccredited third-party email
provider and then when they looked into it more deeply,
they weren't complying with all of the NIST standards
they were supposed to add.
Yeah, they got in trouble.
They got in big trouble for that.
They did a self-assessment, they were required to do,
did an assessment as part of their kind of like
supplier onboarding with the US Gov.
They rated themselves 104 on a scale that goes from minus
210 to positive 110. So very, very close to the top. They subsequently got a third party
to assess them and that third party scored them at minus 142.
That would be the false claim part of this.
And then they did not update the USGov with this new information.
They decided to, you know, presumably just quietly try and solve some of this stuff.
And yes, that has ended poorly for them.
Yeah, it sure has.
And speaking about something that's probably going to end poorly for everybody involved,
we've got a blog post here out of Grey Noise.
And they have observed this massive surge in people scanning for Palo Alto
network devices and GreyNoise's take on that, which I think is a reasonable one, is this is like
someone's got an exploit and they're trying to find where to throw it basically. So they are
thinking that in the next few weeks there's going to be a pretty big campaign hitting Palo Alto
network devices. It's hard to disagree. Yeah, like when you look at the graphs, they have a number of machine scanning. So,
Grandways runs the Honeypot network and they've got data which shows I think 23,000 IP addresses
in a coordinated manner scanning for Palo Alto devices. And they can look at, like they fingerprint
how the tools, the thing that's doing the scanning
makes the initial connections.
And so they can kind of say like,
there are three bits of software doing this
behind this 20,000 IP pool.
Most of them are coming from one particular AS,
mostly in Finland, the Netherlands and Russia,
and mostly towards the US.
So they've got a pretty reasonable feel for this.
Feels coordinated, feels like one actor doing it behind
maybe a bunch of proxies or some kind of pool of machines.
And yeah, probably precursor to someone dropping
some sweet, sweet Palo Global Protect VPN bugs.
Yeah, hooray.
Speaking of,
there's some new malware apparently targeting some sort of Ivanti Oday as well.
Ciss is talking about this one.
Yeah. So this is, it's not actually, well, it's not actually an Oday.
It was patched earlier this year, but as you quite rightly pointed out, you know,
patched in January for the sort of people that run, um,
the Ivanti products on the edge of the network, it may as well
be zero day at that point.
Yeah, that was when we were talking about whether to include this one and you're like,
ah, it was patched in January.
I'm like, it's an Avanti.
That may as well have been 10 seconds ago.
Like no one's got time to do that.
But yeah, you're quite right.
It's not an O day.
I was misled by the headline.
I mean, maybe it was a zero day when it was dropped or something.
I don't know. People misuse that word all the time and also like this is there was a while back with and when we talked about at
The time it's a stack buffer overflow. Yeah, it's the year
2025 and a security product on the outside of your network has a stack buffer overflow
I mean, okay. Yes, you have to wrap a little bit to get it back to code exact
But this perfect concept code out there
I watched our labs did a really good write-up of the bug as they usually do Okay, yes, you have to wrap a little bit to get it back to code exact, but there's proof of concept code out there.
I think Watchtower Labs did a really good write up
of the bug as they usually do.
And yeah, someone has bodged this together
into a wider piece of malware.
I think this was, I think this is one of the Chinese ones,
maybe, which feels kind of like orb hunting to me.
So there's, yeah, there's not really a lot you can do
if you're running these sorts of devices,
apart from patch them and buckle batten down
for the next bug that's coming.
God forbid you should patch them.
Yeah, I mean, there's one idea that was put to me by HD Moore,
which is a reasonable one, is you can pull an IP list out
of CrowdStrike if you've got CrowdStrike on every endpoint
that's coming through your VPNs. You should be able to get a list of the IPs that people are coming in
from to these VPNs and you can add them to an allow list on these devices.
That might get you something.
Obviously if you wanted to do that dynamically, there's other solutions there, but I spend
way too much time promoting that company, so I won't say their name, but just looking at some basic network controls around this stuff to try
to stem the bleeding, not such a bad idea.
Now we've got some news here about this guy, Aubrey Cottle, 37.
He was arrested on Wednesday in Canada.
He's facing charges there.
He's facing charges in the United States.
This is like an anonymous, adjacent person who know, we first spoke about this guy hacking the epic web host, which used to host a
lot of, you know, horrible websites and whatever. And also I think the Texas Republican Party.
Yeah, like things are catching up with this guy basically is the is the story here. There's one
of these indictments has been unsealed and yeah, he's in he's in big trouble.
the story here, one of these indictments has been unsealed and he's in big trouble. Yeah, yeah, he's not particularly shy about it. He posts on his TikTok and on his Insta
talking about his hack and exploits and stuff. So it's kind of not really surprising that he's
been rolled up for this, but there's already, I saw a hashtag free curtain, which is his name,
floating around somewhere. So it's normal, it's normal, kind of normal, anonymous sort of stuff.
But, you know, if you're going to show things and then gloat about it on, you know, on public social
media, I kind of don't know what else you expect. I mean, this guy strikes me as one of those sort
of committed hacktivist types, right? Who's actually prepared to walk the walk. And I mean,
this is the result of that. It's not a good time, but hey, at least you've got the courage and convictions there guy, right?
Well, yeah, exactly. Yeah.
Yeah. And I think he's very fair.
I think he's specifically in trouble for stealing data from the Texas Republican
Party, which is what the charges are centered on.
And we're going to end this week with a fun one, kind of.
I mean, not for the person involved. Alexander Martin has this report for the record.
This guy, Hassan Arshad, who's 25 years old,
he was doing an internship at GCHQ and decided in 2022
and just decided to copy a bunch of stuff,
top secret data onto his, what is it,
laptop or a portable drive or something
and walk out with it and of course got caught.
Yes, not really the best plan. I think the story goes that this guy was an
intern and he had like a year university placement in the GCH.
Gary had done some previous work for them you know under an earlier program
in his tertiary education. He got a year placement there and he was
working as a developer or something on some tool.
And he had come to the end of the year of his placement,
and then he copied the code,
and reading between the lines,
it's probably he copied like a Git repository or something
that said there were like names and source code,
names of staff and source code,
but it sounds like he probably wanted to keep working on it.
And he had aspirations to later get another, you know, go back to working there and he
may not have thought it through.
Although, on the other hand, the prosecution in this particular case, I think said there
was also examples of him talking about getting bug bounties for information leaks, which
maybe is another possible motivation. Either way, taking your phone in, plugging it into your GCHQ box, and he had clearance and
stuff, so he must have been through all the relevant trainings and then just
copying stuff off and walking it out like... I mean someone's gonna look at that
gonna happen. Someone's gonna look at those logs eventually, right? Like, you
know. Well, especially in a place like that yeah so
yeah not the sharpest not the sharpest move yeah I'm guessing there's probably
like a log audit every now and then akin to a stock take at a retail store which
is right that's it we got to do the the annual check to see who we need to yell
out yeah so that's actually it for the week's news. Adam Boileau, thank you so much for
your time and we'll do it all again next week.
Yeah, thanks for having us, Pat. I look forward to it and we'll talk to you then.
That was Adam Boileau there with a check of the week's security news. It is time for this
week's sponsor interview now with Trail of Bits and we are speaking to Jaden Hess who works on
the cryptography team at Trail of Bits. They do all manner of sort of consulting and engineering
work and have done a lot of work with cryptocurrency exchanges and people in that space, people
and companies in that space. So I thought this week it was a great opportunity to ask them
what they think about the whole
Bybit attack in which $1.5 billion worth of cryptocurrency was stolen by the North Koreans.
So I started off by asking Jaden for a quick assessment, I guess, of Bybit's procedures.
And here's what he had to say.
For one thing, if you're going to have a cold wallet, it has to be offline.
The kind of root cause of this is that they're connected to an internet wallet provider that
North Korea hacked the server for.
And now you've got malicious code running in your cold environment.
So you got to keep your cold wallet offline.
You can have a warm or hot wallet that
maybe is more featureful, but there needs to be a tight separation and you know bounded losses there.
Okay.
So a hardware wallet is not a cold wallet, right?
I think that's kind of what you're getting at there and you say it needs to be completely offline.
But if it's completely offline, how are you actually able to do any sort of manipulation of the blockchain? I mean, obviously at some
point data's got to come in, data's got to go out. You know, they were using a hardware
wallet for that. You're saying that's not enough and that the computers that are doing
these operations need to be disconnected completely from the internet. But in that case, how do
you use them?
Yeah. So the data that's being transferred is relatively small. So in many cases, you
can just use something like a QR code. Or we've seen people use CDs where you burn a
read-only CD on the outside of the room, bring it in, burn it on the inside of the room,
bring it out. And that kind of gives you a nice isolated way
to transfer relatively small amounts of data in and out.
Now, just because this thing is offline,
it wouldn't mean that you wouldn't need fairly robust
procedures here.
Because I'm imagining that if you
can get control of the computer that is generating the QR code
or writing to that CD, there's going to be subtle ways out there of doing similar sorts
of things.
Because in the case of this Bybit transaction that was multi-sig authorized by a bunch of
people, the one thing that would have given it away was a single value changed in a very
long string of hex.
Wouldn't you be facing similar challenges under this scenario?
How much of a solution is it, I guess, is what I'm asking.
Yeah.
So whatever you do, you need to have a user interface on the inside that presents all
the relevant data.
And there's sort of two features that went wrong with the Bybit incident.
One was that the sort of scope of transactions that could be sent using the normal signing
flow included transactions which could totally overwrite any sort of transactions that could be sent using the normal signing flow,
included transactions which could totally override
any sort of policy that could be put in place
on that wallet.
So if you restrict the variety of transactions
that can be signed during the normal signing flow
so that none of them can bypass your hard stop
transaction flow values,
then you have less risk if something were to go wrong.
And then secondly, your wallet needs to be rich enough
to display intuitively all of the different effects
of a transaction.
And so the safe wallet, you know,
if it had been operating properly,
would have put all sorts of red flags up
if it was trying to sign a transaction
similar to one that was deployed.
So in that case, that would have worked okay.
But still, there's a lot of nuanced things that that smart contract wallet could do.
And for a real cold signing solution, you probably want fewer types of transactions,
less contract interactions, simpler guarantees on value per day, for example.
Yeah. I mean mean earlier you were talking
about sort of restricting the ability of people to be able to sort of change the contracts right?
I mean there's a reason though isn't there that people have this sort of flexibility in the
contracts and some of those reasons are related to sort of anti-fraud security and safety which
is that hey if you've got a problem with your smart contract you need to be able to fix it
to be able to patch it.
You need that flexibility, otherwise you're stuck with a vulnerable contract.
Isn't this a case of a little bit of you're damned if you do and you're damned if you
don't?
A little bit, but there's things that you can do, right?
For example, for emergency upgrades that allow you to bypass signing limits, for example,
you should need some sort of break glass key, right?
You shouldn't be able to do this in doing the normal signing flow,
such that people might be confused into accidentally doing it.
Someone should have to go to a bank,
go to a safe deposit ball and get out a paper key.
No, I mean, so that's basically it, right?
Is that there's a...
The normal signing flow has some level of privilege,
and in order to surpass that level
of privilege, you need another actor, another piece of authentication, which never comes out
except in emergency cases. Yeah. I mean, so really what you're describing is actually for them to
have done some engineering work and put some thought into it. Yeah. So that also threat modeling,
right? Yeah. You should have an actual document which goes through all of the different
potential attack vectors and the consequences if they were to be exploited. If they had
done that, they would have seen someone pops the Bybit web server, all of our money's gone,
right?
Yeah, yeah, yeah. So look, when we look at, and you're much more likely to have an answer
to this question than most people, which is when you look out there at
the way most exchanges are operating, would you say that Bybit were about par? Were they doing it
about how most exchanges and crypto orgs are doing it? Are they that blasé or were they being a little
bit more lax than most in your experience? No, I think they little bit more lax than most in your experience?
No, I think they were being more lax than most.
From seeing sort of US based organizations handling large amounts of cryptocurrency, they seem to have much more thorough threat modeling procedures, operational guidelines.
I mean, of course, we've never sort of audited Bybit specifically, so I can't say what
their internal documentation
and threat modeling and procedures look like, but clearly they're relying on a website for
cold signing transactions out of a $1.5 billion wallet.
So I'd say that's not normal.
Yeah.
What is normal?
Like I was actually surprised when I saw that this safe wallet service actually existed
because I'm like, hang on,
you've got a hardware signing wallet and whatnot, and this is all going out to a cloud service
that runs JS in your browser.
And I'm like, I'm already thinking
this could go wrong that way.
So I mean, I just,
we scratch our heads a little bit over here,
often when we look at the crypto world. Like, what is that service actually for?
Yeah, so normally you would need something like this for your sort of hover warm wallets, right?
You need some way to, in the day-to-day operations, propose, approve, and sign transactions out of
some wallet, right? And it's nice to have a rich,
featureful wallet that can have various sorts of policies
and authentication flows and different targets
and all that.
And that's just part of normal operations.
I'd say that like what broke down here is that
there should be another layer of value isolation.
You shouldn't be using your like,
normal warm wallet signing,
you know, featureful system to do signing out of your full cold wallet. So in other institutions,
they will have a similar sort of web-based transaction proposal, right? You have employees
who need to make trades or send money from account A to account B, and you don't want those people to have to go into a cold room and, you know,
move CDs around. But you should only be holding, I don't know, $10 million in that wallet or
something that you're sort of willing to potentially lose in case of a major breach.
So I guess, you know, I guess really what you're saying is, you know, it takes a bit
of work to sit down, work out your threat model, come up with some compensating controls, procedures, just the usual boring stuff that we do.
I mean, it boggles my mind that often this isn't done and this is why the North Koreans are having such a big party time.
It's almost like we often make the joke on the show that the cryptocurrency world is speed running the need for a lot of these financial regulations
that apply to the banking sector.
It does feel like that sometimes, doesn't it?
Yeah.
I mean, there's sort of a very short time between you know, f**k up and find out, right?
And it actually is kind of nice because it shows you exactly what not to do very quickly
if you're someone observing.
On the other hand, could go very badly for anyone at
any time. So trade-offs. Do you also find yourself, you know, looking at incident reports from,
you know, North Korean hacks and just thinking, wow, okay, that's nice. Or even further, wow,
I didn't think that someone would think to do that. You know, like how much have you been able
to learn from the way they do this stuff? Yeah, they're very impressive, right? You know, like how much have you been able to learn from the way they do this stuff?
Yeah, they're very impressive, right? I mean, there's few countries which have sort of that
much dedicated offensive capability willing to do things in the public, right? That's
the thing about North Korea is I think everyone has cyber offensive teams, but rarely are they going around stealing a billion dollars in plain sight.
And so it's very impressive. We know that they can do advanced social engineering attacks.
But on the other hand, a lot of these things are actually not that complex.
It's just a matter of having a lot of eyes on a lot of different protocols. Right? So, I mean, even in this case,
this was an impressive attack,
but ultimately it was, you know, some malware on someone's computer.
It was nothing that required, you know, a huge, huge amount of...
That wasn't the bit that we found impressive.
The bit that we found impressive is poisoning the JS
just for one organization and manipulating the transaction so that it
looked really legitimate. They understood the smart contract, they
understood the workflows, they understood the multi-signing. And that's the bit that we find
impressive is that you know the degree to which they
understand these processes internally with the you know like ah chef's kiss.
Yeah and I mean of course. But's kiss. Yeah. And I mean, of course.
But I guess, I guess what you're saying, I mean,
the question was like, are you learning stuff
from these attackers and thinking of new things
to think about?
And I mean, your answer seems to be not really.
I mean, yeah, to some extent, right?
But often it's, you know, the sort of thing
that we would find if we did a review, right?
So, like I would say in this case, yeah, like we said, like basic threat
modeling, you know, it's a website, you're pulling it every time you do a signature,
that's going to be a threat vector.
Yeah. Now, Trail of Bits has been offering services to the sort of cryptocurrency world
actually for quite a long time. You know, what are the security services that are most
popular? I'm guessing they're more on the smart contract audit side. I know that's a
big thing for you.
Are you coming in though and doing the sort of consulting around these transaction signing
flows and all of that, or is it mostly just on the smart contract side?
Yeah.
So actually I'm on the cryptography team, so I do less of the smart contract auditing,
but we do a lot of sort of HSM signing consulting, key ceremonies, the sort of accommodation of like operational concerns
and how to use cryptographic tools appropriately.
So we've done several engagements
that involve some sort of review of signing procedures,
key generation ceremonies, that sort of thing.
All right, so it's top to bottom.
It's, you know, look at the smart contracts,
look at the signing procedures, do the consulting,
build the systems.
Sometimes, literally.
Yeah.
All right, Jaden Hess, thank you so much for joining us on Risky Business to walk through
what Bybit could have done differently and what should have been done differently.
And the answer is, I guess, to both of those questions, well, quite a lot.
Great to chat to you and we'll do it again one day.
Cheers.
Yeah, cheers.
That was Jaden Hess there from Trail of Bits.
A big thanks to Trail of Bits for being this week's risky business sponsor.
You can find them at trailofbits.com.
But that is it for this week's show.
I do hope you enjoyed it.
We'll be back real soon with more security news and analysis.
But until then, I've been Patrick Gray.
Thanks for listening.