Risky Business - Risky Business #786 -- Oracle is lying

Episode Date: April 2, 2025

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: Yes, Oracle Health and Oracle Cloud did get hacked The fallout from Si...gnalgate continues North Korean IT workers pivot to Europe Honeypot data suggests a storm is brewing for Palo Alto VPNs Canadian Anon gets arrested for hacking Texas GOP This week’s episode is sponsored by Trail of Bits. Tjaden Hess, a Principal Security Engineer at Trail of Bits who specialises in cryptography, joins the show this week to talk about what a responsible crypto-currency exchange cold wallet setup looks like, and … contrasts that with Bybit. This episode is also available on Youtube. Show notes Oracle Health breach compromises patient data at US hospitals FBI probes Oracle hack tied to healthcare extortion: Report - Becker's Hospital Review | Healthcare News & Analysis Oracle Still Denies Breach as Researchers Persist Hacker linked to Oracle Cloud intrusion threatens to sell stolen data | Cybersecurity Dive Publius on X: "🚨 SIGNAL SCANDAL: Katherine Maher, the leftist NPR CEO, is currently the Chair of the Board of Signal! WHAT ARE THE ODDS? https://t.co/jWNTeAt3Jz" / X Mike Waltz Is Losing Support Inside the White House - WSJ Waltz and staff used Gmail for government communications, officials say - The Washington Post Pete Hegseth, Mike Waltz, Tulsi Gabbard: Private Data and Passwords of Senior U.S. Security Officials Found Online - DER SPIEGEL Even More Venmo Accounts Tied to Trump Officials in Signal Group Chat Left Data Public | WIRED You Need to Use Signal's Nickname Feature SignalGate Is Driving the Most US Downloads of Signal Ever | WIRED Wickr - Wikipedia When Getting Phished Puts You in Mortal Danger – Krebs on Security DPRK IT Workers Expanding in Scope and Scale | Google Cloud Blog How the FBI Tracked, and Froze, Millions Sent to Criminals in Massive Caesars Casino Hack Defense contractor to pay $4.6 million over third-party provider’s security weakness | The Record from Recorded Future News Surge in Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats CISA warns new malware targeting Ivanti zero-day vulnerability | Cybersecurity Dive Canadian hacker arrested for allegedly stealing data from Texas Republican Party | The Record from Recorded Future News British intel intern pleads guilty to smuggling top secret data out of protected facility | The Record from Recorded Future News

Transcript
Discussion (0)
Starting point is 00:00:00 Hey everyone and welcome to Risky Business, my name is Patrick Gray. We'll be getting into the news in just a moment with Adam Boileau and then it'll be time for this week's sponsor interview. And this week's show is brought to you by Trailor Bits, which is a security engineering firm based mostly in the United States. And we're talking to Jaden Hess from Trailor Bits this week. He works on their cryptography team. Trailer Bits does a lot of work with cryptocurrency exchanges and we're going to be having a bit of a chat about what went wrong at Bybit, whether or not the sorts of practices they were engaging in are common and you know what exchanges really need to be doing to avoid having 1.5 billion
Starting point is 00:00:40 dollars stolen out of their wallets which is, I still can't believe I get to say that out aloud. But yeah, let's get into the news now with Mr Adam Boileau and mates let's talk about the lying liars at Oracle. Oracle is having a really bad time because it looks like they've had two breaches which are completely distinct and disconnected from each other although I'm not quite sure you're the one who's done the research on this and they are spinning hard on this one and kind of, you know,
Starting point is 00:01:11 it's veering from sort of spin into outright porky pie lies. So why don't you walk us through what's happened with Oracle starting off with the Oracle health breach? Yes. So Oracle has a health data subsidiary which was previously called Cerner before it was acquired a couple of years ago. Now they spent you know quite some billions of dollars acquiring a very big you know health technology firm and some of that environment has been integrated into you know Oracle's Oracle cloud and into their modern world.
Starting point is 00:01:46 But it looks like some kind of legacy, some bits and pieces of the original Surna Health was still kicking around the internet. Somebody has bust into it and helped themselves to a whole bunch of electronic health record data. One of their main products for CERNA is tools for building health data management platforms and then the person who is doing it, who broke in there, appears to be kind of trying to
Starting point is 00:02:16 ransom that data back both to hospitals and medical companies themselves as well as Oracle. The person behind it doesn't appear to have any affiliation with a known ransomware gang, but they do say that their name is Andrew. So that's the case. That'll narrow it down. So Oracle has been kind of quiet about this. Much like the other breach we'll talk about in a second,
Starting point is 00:02:42 they haven't been saying a whole bunch publicly, but they have been reaching out to their health industry customers and the word on the street is that those customers are being sent letters on like non like plain paper no oracle letterhead signed by some you know oracle exec basically saying look we've lost a whole bunch of your data it's a kind of a you problem. So you should figure out whether the data that we lost, uh, you know, is violating, you know, HIPAA or whatever other regulations, uh, you may be subject to. And, uh, yeah, off you go, let your customers know, uh, Oracle has very generously offered to pay, uh, for some form of credit monitoring or the usual
Starting point is 00:03:27 sorts of things you do when you have a data breach, but otherwise they are leaving their health customers out to dry. People are not particularly happy, I think it's fair to say. No, and apparently their customers are being instructed to only talk about this with Oracle's CISO over the phone and not via email. And their communications have said, you know, the data may contain patient data, but all the customers know that it does, because I'm guessing they've been sent samples.
Starting point is 00:03:50 So not a good look at all. And this comes hot on the heels of one that I think we spoke about last week, which is a bigger breach at Oracle where they owned some sort of auth box and just got an absolute ton of info out of it. So we did briefly touch on it last week, but now we've looked into it a little bit more. This is a breach that Oracle denied happened. They said, oh this, this, this totally was not a breach of Oracle's production environment.
Starting point is 00:04:17 Like why don't you walk us through exactly what it is the attackers apparently did here, what they obtained and then why Oracle's response is a lie, you know, a liar's lie. Yeah, so some person who goes by like rows 8, 7, 1, 6, 9 on some underground forums is flogging off some data that they have stolen that they claim from a login portal, an auth portal in Oracle Cloud. And they claim to have shelled one of the Oracle Cloud login boxes using a known floor in a particular CV,
Starting point is 00:04:54 which I think is a deserialization floor in Oracle's identity and access management product, which is part of the wider kind of Fusion applications, Fusion middleware Oracle suite. That bug is a couple of years old now, I think 20 gets a 2021 bug and it's a little fiddly to exploit but that is what the attacker says that they used and then they claim to have got something like six million records worth of customer, you know, of like login information and this varies between LDAP kind of auth passwords, a bunch of certificates and other bits and pieces and they have provided some of this data as evidence of their access on the
Starting point is 00:05:37 forums and then to a couple of researchers. They also posted a text file on Oracle's login server with their email address in it, so they could verify to I think one of the outlets that they were talking to that it was in fact them, so they pasted in the text file x.txt with their Proton mail email address in it. And then a few people who've got hold of this data have, you know, cross-referenced it with a few customers listed, and those customers say, yes, this looks like our information. Oracle has flat out said, this didn't happen. It's a load of bunkum.
Starting point is 00:06:13 And I can imagine that Oracle wants to believe it didn't happen, but it certainly looks like it did. So I had a good run around yesterday into what the data looked like, but it certainly looks like it did. So I had a good rummage around yesterday into what the data looked like, where it came from, and what some of the similar systems in Oracle's cloud environment look like. Now, this is where it starts getting tasty. So the 11G release of Oracle's Fusion middleware and so it's like that whole kind of stack is a thing that I have some personal experience of shelling so like I you know I
Starting point is 00:06:52 I when I first read this I'm like yes, I a hundred percent believe the hacker and I zero percent believe Oracle but then I went and had a rummage around and there is quite a lot of 11g era bits and pieces of plumbing in Oracle Cloud and the kind of login server that this person claims to have hacked, you know, the headers suggest that it's running the 11G release which is from, I want to say like 2009 or something. Importantly that release is no longer supported by Oracle. They wouldn't support it for their customers, although the funny thing is that Oracle's definition
Starting point is 00:07:29 of end of life is not, they don't call it end of life, they call it sustaining support, which is available indefinitely. And that sustaining support means you get access to the patches they've already made. You don't get any access to any new patches because they're not making new patches, but you can have access to the patches they've already made. You don't get any access to any new patches because they're not making new patches. But you can have access to the things that you already
Starting point is 00:07:48 had forever, if you so wish, which is very generous of you. Jeez, helpful. Thanks, Oracle. But such double corpo, double speak there. But yeah, there is a lot of very shonky old look in Oracle Gubbins lying around in Oracle Cloud. And most of this, like some of the bits that I was pasting in our internal Slack
Starting point is 00:08:05 yesterday for your amusement, have certificate names like Cloud Admin, CloudAdmin.us9.oraclecloud.com, or star.usgov.oraclecloud.com, which doesn't feel particularly good. So I mean, to be clear, what you did is you hit up census. You're looking within the IP range of Oracle's cloud and you're finding ancient out of, you know, end of life boxes there with interesting certificate names. And this is while Oracle is claiming, Oh, this never happened.
Starting point is 00:08:36 So you have a theory about what actually went down here. And I think it's a plausible one. Yeah. So, I mean, my vibe is probably they have updated these things, they've built new ones or they've forked them or copied the virtual machine or whatever it is, and there are modern versions of these things on more modern Oracle software stacks and they just haven't turned off the old ones. And when Oracle sees this, they're going to, when they see someone mails in and says, hey, I've breached your stuff, give me millions of dollars worth of crypto, they're going
Starting point is 00:09:08 to go, but we already updated that without stopping to think actually the old stuff is still around. And I went and had a look when I was rummaging through sensors, I checked that a few of those boxes are in fact still live and answering requests. They're still there, went and looked at the login prompt and it sure looks like an ancient Oracle login prompt. So yeah, I think that they are going, well, this is legacy old stuff, so it doesn't matter. So therefore we can say our production Oracle Cloud didn't get hacked.
Starting point is 00:09:35 But when it's custom-acquired. Yeah, I mean, but that's crossing the line. You know, Microsoft is amazing at putting out press responses where they're obfuscating and they're using doublespeak, but they're not going this far. This feels like an outright lie. Having been a cybersecurity journalist now for nearly 25 years, I can tell you that Oracle are pretty much the worst offender when it comes to this sort of stuff. Microsoft used to be worse.
Starting point is 00:10:07 They were quite good for a while. They're sort of back to being not so great. But I have a feeling that's changing because they keep getting in trouble with the US government. And yeah, but I mean, Oracle just don't really have great practices. They tend to scapegoat researchers as well. I mean, who could forget Marianne Davidson's blog post a while ago where she was essentially threatening. She's the CISO at Oracle and has been basically since the Jurassic era, and was basically threatening legal action against people for reversing
Starting point is 00:10:31 their products because it's against the terms of service. Like, Oracle is a company that does not get it, it has a weird culture, it's a closed ecosystem, sort of like, you know, very cult-like company, and they don't really appear to know what they're doing. And, you know, this is the sort of stuff that happens when you are running a large company with a weird insular culture that doesn't listen to anyone else, when you also don't really quite know what you're doing.
Starting point is 00:10:54 You know, this is what it looks like. This is what it looks like. And I feel like, you know, in the depths of Oracle, there are plenty of smart people who work there who understand that they got themselves wrecked, but somewhere in the 47 levels of management upwards from them that message gets massaged into something that's just
Starting point is 00:11:13 Looks to me like straight-up bollocks Yeah I mean when I say that they don't know what they're doing I am talking about management in case there's anyone rage listening at Oracle who actually because of course they're gonna have good people there but they're clearly not getting listened to if you can pull up census and Find this stuff in their IP space like you know in a minute Yes, yeah, yeah, it's it's it's nasty like I haven't seen some of those old son You know kind of old very very old
Starting point is 00:11:43 You know I want to say son style It's not this is obviously Oracle software, not Sun software, although some of it is baguette from the Sun acquisition, which does kind of put an edge on some of this stuff. Cause it's, it just like, it has a particular look if you've been a Unix hacker for a long time, you just know what that stuff, when you see it,
Starting point is 00:12:01 it smells like old, you know, it's got that sort of, you know, old grandma curtain vibe. I've worked with a bunch of, you know, asset discovery startups, right? So Asset Note was one and then HD Moreover at RunZero as well. And I've had a front row seat when some of these tools have been thrown at extremely large clouds, right?
Starting point is 00:12:23 And I'm talking, you know, name brand big clouds to find stuff like this. And they have come up really with very little with, you know, running these sorts of scans against some of the very big cloud operators, right? So the fact that you were able to find this in census boggles my mind. You're telling me there's no one whose job it is at Oracle to flag something like that and maybe get something done? Because that's just that's that ain't good enough. No, I mean, it's it's really not but I mean that's unfortunately that's kind of the Oracle Jam, right? They That's just what they do. I mean I've seen
Starting point is 00:12:59 Like I don't like I guess I can probably tell this story now But like at some point we looked at some systems that were old, solaris stuff that was being lifted and shifted into Oracle Cloud for a big customer. And the Oracle engineers did the Oracle consultancy and brought in people to do that lift and shift. And they picked up these boxes, moved them into Oracle's cloud, put them on the internet as they were, as you would expect. That's what they asked for.
Starting point is 00:13:21 We want as like for like, migration, blah, blah, blah, blah. But that included leaving the like internal Telnet interfaces that previously were in the middle of a bank on 10.yada yada. Now they're on the internet with terrible passwords, like the normal kind of configuration of those boxes, but they just lifted the shift and dumped it right on the internet without even a word to the customer.
Starting point is 00:13:42 You may have let that one slip over a beer once upon a time many, many years ago. But yes, Oracle putting your telnets on the internet. Yeah, and especially when we had that telnet fbin bug where you could just log in with no crates, which. Yeah. I mean, I think we have, I think some questions need to be asked about the state of Oracle's cloud
Starting point is 00:14:05 with all of this in mind. And of course, the state of their security culture. Look, everybody has incidents. Having two in such a short period of time is unlucky for them. But hopefully, it'll actually put some attention on them. Because you can't imagine having a look at the Azure IP space and finding a bunch of like NT4 boxes.
Starting point is 00:14:26 It sort of feels a bit like that. I mean you'd want to believe that wouldn't happen and probably there wouldn't be any critical NT4 on Azure anymore but yeah Oracle that's just not how they roll. No, no it's not and yeah I mean again the no, it's not. And yeah, I mean, again, the problem when it comes to these mega vendors is like, what's the recourse, right? And the recourse is for the buyers of this sort of stuff to push back.
Starting point is 00:14:53 But we see in the case of government contracts and stuff, these are negotiated at such a high level that they're not really asking detailed questions about, well, have you run discovery tools to look for old versions and decommissioned stuff that hasn't been dec decommission? Like it just doesn't, it doesn't really line up with the questionnaires. You know?
Starting point is 00:15:09 No, no, it really doesn't. And you can't just turn around and ask Oracle salespeople. So explain to me why you don't suck in the year 2025. Yeah. And of course they're going to say, because AI and because best of breed or whatever. Well, unbreakable famously. Unbreakable famously. What was that like 20 years ago they had Oracle Linux that they called Unbreakable and they
Starting point is 00:15:32 called their products Unbreakable. It was a whole campaign and at one point they said things were unhackable. And that's what led to the birth of an industry legend, which is David Litchfield, who I believe is now at Apple. When he was like sitting in a presentation, like watching them describe this thing as unhackable, and he just started shaking their products. And I think he dropped 42 Oday the next day.
Starting point is 00:15:54 Um, so that's Oracle. Oracle have always sucked. The idea that somehow they magically don't suck anymore was always a fantasy. Um, and we just, I guess it's a good week to remind everybody of that. Yes. Yeah. that somehow they magically don't suck anymore was always a fantasy. And we just I guess it's a good week to remind everybody of that. Yes. Yeah, exactly. Try not to put your Oracle stuff on the Internet. You got the database. Keep it in the middle of your network. It's probably all right. But yeah, that all of their applications
Starting point is 00:16:18 stack just just just don't. It's oh, yeah, you're right. I know. I know. As a pen tester, when you saw it on the edge of the network, you rubbed your hands together. You knew it was going to be a bad day at the office because you had to interact with their software and all of the nastiness, but you knew you were going to get shells. Well funnily enough, MSSQL, one of the reasons it really succeeded and became so widely used is because of these security concerns around Oracle's database products back in the day.
Starting point is 00:16:43 So that is one of the rare cases where someone managed to squeeze a win out of a competitor's pretty awful security practices. I will say to Lawrence Abrams over at Bleeping Computer has been doing a lot of work on this and he's been doing a great job. We've linked through to one of his reports. Also kudos to Becker's Health IT who've done some excellent reporting on this. And I love it when you get these industry journalists who are doing some of the best this. And I love it when you get these industry journalists who are doing some of the best coverage. I remember the attack against, what was it like, JB Meats or JBS or something. They got ransomware and like the best coverage was coming from like a beef industry journalist, which kind of put the rest of the tech media
Starting point is 00:17:19 to shame. So we've got a bunch of stuff linked through in this week's show notes that people can take a look at. Now, unfortunately, we have to do some follow-up reporting on Signalgate. Since we recorded last week, we had the question of like, well, was Pete Hegseth copying and pasting stuff into Signal from a high-side document? It doesn't look like that was the case. The journalist Jeffrey Goldberg released the full Signal messages. It was interesting actually because if you look back at the conversation, most people were actually being pretty restrained and controlled and there were references to like you know go check things in your high side mailbox and whatever and it was Hegseth who just started dumping
Starting point is 00:17:57 like specifics into the chat and the vice president JD Vance you know trash-talking Europeans and stuff. still not good to use Signal for this purpose, but they were the ones who really, you know, were the most indiscreet in this conversation. Now since then, of course, we've seen unbelievably the US administration starting to smear Signal itself. Like, there's even been this allegation that Catherine Ma, who's on the board of Signal, is, I think she's the NPR CEO as well. And she's like got links to the Atlantic Council, Atlantic Magazine, Atlantic Council, put it together, Sheeple.
Starting point is 00:18:38 She probably lives in New York, mate. You know where that is. That's next to the Atlantic Ocean. But you know, we're seeing some of these theories like being reposted by Donald Trump himself, which, I mean, this is a typical sort of Trump strategy. I don't think for a second that he believes that Signal was involved in a conspiracy
Starting point is 00:18:57 to add a journalist from the Atlantic into a Signal group chat. We're starting to see some political fallout. Mike Waltz, the national security advisor in the United States, his job is safe for now but apparently he's lost sway with Trump and he's pretty toxic. He's pretty on the nose at the White House. It turns out also that he was running multiple other signal groups and we obviously mentioned this last week that we expected that to be the case, including signal groups involving
Starting point is 00:19:24 discussions about brokering a peace between Russia and Ukraine. Now when I've spoken to former intelligence community types about, well, what do you think the likelihood is that at least one of the endpoints involved in these signal message chains was compromised? They've all said, look, more likely than not verging on undoubtedly, right? So you have to imagine that these conversations are happening in full view of a foreign intelligence service. We've also seen some reporting that Waltz is, you know, often uses his Gmail account to discuss government business, you know, no
Starting point is 00:19:59 allegation that there was anything classified there, but we got a bit of a theme to talk about this week, right? Which is just like why the civilian internet and civilian applications aren't really the appropriate way to conduct these sorts of discussions. And you know, Dispeagol has this excellent reporting where they've just gone out and looked up the contact details and passwords out of dumps for a whole bunch of prominent US national security figures, including Pete Hegseth,
Starting point is 00:20:30 Tulsi Gabbard and Mike Waltz. So I mean, there's been some good reporting here that just sort of shows like you can't really mix this sort of business with the civilian internet and app ecosystem. Yeah, absolutely. And I get it's probably difficult, especially if you're coming from outside of traditional government circles, which if you're Hegseth, I guess, well, you came from Fox, right? I think he's got a military background, but he was working as a Fox commentator as well.
Starting point is 00:20:57 And with hair like that, I will say he's a very handsome man with terrific hair. I'm very jealous. Those of you watching on YouTube would understand why. I wish I had Pete Hegseth's hair. I suspect that's also a part of why he got the job. But yeah, he's also got like a master's I think from Princeton in public administration and stuff. Like I think it's, you know, people are very, he clearly doesn't have the typical sort of work profile of someone in that job. But you know know he is a well-educated man with at least some experience in the military and terrific hair.
Starting point is 00:21:30 Yeah I guess what I was what I was gonna say was like it must be a bit of an adjustment coming from outside of very regimented communication circles, you know regimented circles of where you have to control how you communicate and where you communicate that aren't civilian IT. Like it's a bit of a shock and must take a bit of adjustment, but if anybody, if any government in the world is equipped to brief these people on the threats
Starting point is 00:21:55 and what they have to do and provide them with alternatives, like it's the US government, they have been working on this stuff for a very, very long time. And so it is pretty inexcusable for them to be falling into these traps. But as the civilian internet becomes so pervasive,
Starting point is 00:22:13 and we see things like having to have an Apple ID to use in Apple products, having to have Microsoft accounts use Microsoft products, the sort of the extent to which you have to interact. It's not just you get software and use it, and you can use it away from the rest of the infrastructure. And as auth gets integrated and identity gets integrated, and that's really where the criticisms of signals interface
Starting point is 00:22:39 in this whole malarkey has been that it is very difficult to determine exactly who you're talking to and navigate to the avatar. What does the avatar look like? How do nicknames work? How do phone numbers tie into this? You know, identifying who you're talking to and who you're adding and getting that through signals interface is kind of fiddly and that's fiddly for everybody because it's civilian tech.
Starting point is 00:23:03 Well, and that explains why Goldberg's, you know, was added to that chain because the signal interface is absolute junk. I remember when they moved to the nickname thing, like it's real hard when someone's using a nickname to understand who they are and like the interface is absolutely terrible. And for a security first app, I've, you know,
Starting point is 00:23:20 always thought, geez, what on earth are they doing? But, you know, funnily enough, this whole thing has made Signal downloads soar to record highs as well, right? So it's been fantastic advertising. Yeah, it's the classic, this thing is bad publicity, right? Cause yeah, they appear to be really cranking
Starting point is 00:23:38 and mostly in the US, you know, it's just, if it's good enough for the national security apparatus, then clearly it's good enough for everybody else's apparatus, then clearly it's good enough for everybody else's group chats. Although I don't know about you, but basically every group chat I am in is posting war plan jokes. At least some point in the last week there's been a war plan joke in every single one of them because it's just really tickled the fancy of so many people seeing the technology
Starting point is 00:24:03 that they use being used in this way. The jokes write themselves. I've been watching even the pop culture stuff in Saturday Night Live or all of the late night talk shows. It's been such good comedy and good reminder for everybody about this kind of opsec, about the importance of identifying who's in your chats and you know it underscores the fact that ultimately crypto is a solvable easy enough problem but identity that's hard. Yeah it is it is. I think my favorite one was like Bom Yemen tonight, Bom Yemen tonight queen. That was a good one. I would also just like to tie all of this off by saying the idea that these people didn't know that this was a risk seems pretty unrealistic to me. Like when I've had conversations, I might be going for a beer with like a senior
Starting point is 00:24:55 official who is like publicly identifiable, right? Like, so adversaries know, will know that this person holds valuable information. Right? Like, so adversaries know, will know that this person holds valuable information. Um, you know, so, you know, I'll be going for a beer with someone like that. The phones get locked into the car during that beer because they treat these phones like they are Chinese listening devices. That is actually the way high enough profile government officials treat these devices. Say, oh, like that is not my phone. That is a Chinese listening device. We're going to leave it in the car so that we can at least have a somewhat relaxed conversation.
Starting point is 00:25:33 And, you know, that is the briefing. That's the standard advice that they get, which is your phone could very well be a Chinese or a Russian listening device. You know, leave it in the car. So, yeah, again, not a good look. I don't think ordinary people quite understand just how, just how sort of reckless all of this has been. One thing that's worth noting too is that there are commercial alternatives that solve some of these problems.
Starting point is 00:25:59 Like a lot of people would remember Wicca, which was like a signal style app. The free version is no longer available because the whole thing got acquired by Amazon. So it's owned by AWS and that allows for at least semi-secure chats. I'm guessing you could probably put this onto government devices and whatever. Semi-secure chats that at least uphold record keeping requirements and whatever. But again, you wouldn't even use something like Wicca on a personal device to talk about peace negotiations between Russia and Ukraine. Like that's just, that's just mad. Now, look, in a similar vein, when we're talking about communication security, Brian Krebs has a great piece here about some tactics that the Russian
Starting point is 00:26:39 government is using. Well, presumably the Russian, is using to unmask people within Russia who are trying to contact organizations that are anti-Russia. So this could be you know domestic organizations that are opposed to Putin or the Central Intelligence Agency and whatever. So what they do is they spin up look-alike websites for these things and then SEO them in local search engines so people will you know hit a site where they think they can give the CIA a tip, enter their personal information that lands in the in the inbox in someone's inbox at the FSB. And the next thing you know, they get banned. This is a sensible, you know, well, you know, it's not nice, but it is a sensible sort of
Starting point is 00:27:18 strategy for a country at war, I think, to, you know, figure out who's trying to undermine them. It's hard to say that this is a bad strategy. Yeah. Some of the sites that are being spoofed here, you mentioned the CIA, which, you know, clearly if you do want to give tips to the CIA, going to yandex.ru and typing CIA into the search box, probably not the right way to get there, but yeah, some of these other sites are things like
Starting point is 00:27:42 Ukrainian organizations that are doing outreach to Russians that want to contribute to Ukrainian causes, as well as militias and other armed factions and things. But most of these are very low-ranked outside of Russia on search engines, but inside Russia on things like Andex, are way up the top. And it does kind of feel like, you know, this is probably Russian kind of domestic counterintelligence I guess or whatever you would call it. And, you know, I suppose if you are, you know, wanting to sign up for one of these things inside Russia you're probably going to need to be a little bit more careful than just pointy clicking your way through the
Starting point is 00:28:26 regular internet and ending up on a Google form that's going to dob you in to Russian authorities. Yeah, but I mean the average person looking to do this sort of stuff probably isn't going to understand the risks here, right? Which is why it is a smart way to start building a list of like domestic enemies, right? Not that I am, not that I think it's great that, that Russia is able, you know, I would fully support enemies of, of Putin within Russia, but yeah, anyway. Moving on. And it looks like the North Korean fake worker, I, you know, fake IT worker scams
Starting point is 00:29:02 are kicking off in Europe. And I think this is an interesting development because they've had some setbacks in the United States, particularly around the FBI being able to identify these laptop farms where people can, the North Koreans can sort of access a local machine in the US and then they appear to be coming from the US. And those things are pretty easy to identify and pick apart
Starting point is 00:29:23 as we see here in this Google threat intelligence report. So perhaps they're moving to Europe because they've had setbacks in the United States which makes this a good news story. Unfortunately it's going to mean some more work for the European authorities who are going to have to, you know, I guess copy the template of the FBI and start going after these laptop farms. Yeah, I mean I guess it makes sense to go and leverage the scam elsewhere. It's clearly worked for them in the US both in terms of just bringing in revenue from the jobs and also access to organisations and information. And I guess if you've got the people able to pull it off in the US, at least in the English speaking, in Europe English is pretty widely used, so they've got the language skills
Starting point is 00:30:02 for doing it. It kind of makes sense. Google's, I hope this is out of the language skills for doing it. Kind of makes sense. Google's, I hope this is out of the Mandiant bit of Google, they found evidence of at least one laptop farm operating out of London. And they said that there was one case they found where a laptop for a job, a work laptop for a person who was nominally in New York had then showed up in the laptop farm in London.
Starting point is 00:30:26 So there was some kind of coordination across these things. And it's kind of like, it's funny because some of the feedback you get is that actually these North 390 workers are pretty good because they actually have a whole team of people delivering the work. And so, you know, for your money,
Starting point is 00:30:43 you're getting more than one person's worth of expertise and they'll bring in the right person for the job so the quality of the work is quite good but the risks you know clearly a problem. The risks kind of outweigh the benefits on this one Guy. Exactly but it is good news in that it shows that you know focusing on these laptop farms operators like is a great way that you can have some leverage locally. Google did specifically call out the challenges of organizations that use BYOD where you bring your own device and then just make it secure. And I'm making eyebrows here in the YouTube video, make it secure by just running a virtual machine.
Starting point is 00:31:26 And somehow that makes it fine to run a corporate SOE desktop inside a VM on an untrusted piece of hardware. And they are kind of prioritizing companies that do that because it removes that point of dependence on a laptop farm. So yeah. Anyone who thinks that's a good idea, you might want to consider that aspect to it. So, yeah. Anyone who thinks that's a good idea, you might want to consider that aspect to it.
Starting point is 00:31:46 Yeah, indeed. And we got a good news story here out of 404 Media. Joe Cox wrote this one up, and he's looked at how the FBI was able to freeze much of the ransom that Caesars Entertainment paid to, I think that was like a scattered spider in conjunction with Russian ransomware actors or whatever. That was their, you know, joint operation. And yeah, they managed to track down and seize millions of dollars worth of
Starting point is 00:32:12 cryptocurrency. I think most of it, I can't remember. You tell me. Yeah, yeah. So there was something like $15 million worth of ransom that got paid. And the FBI were able to track one cryptocurrency transfer into a bridge where they were trying to move it from whatever cryptocurrency was in, I guess Bitcoin onwards into something else and they managed to freeze almost 300 Bitcoin, so that's like $11-ish million. They froze, they got $11.8 million back out of the 15. Which is pretty good. And then there was also another kind of a bit under five-ish
Starting point is 00:32:51 million that they got from another cryptocurrency exchange. So they're doing pretty well on tracking down those funds and clearly being able to do that fast enough to catch it whilst it's still in a cooperative environment of a bridge somewhere in a reputable place, or a place that at least will cooperate with US law enforcements, that's pretty good work. Yeah, and if you're wondering why those numbers don't add up, where we said 15 was paid and then 12 was covered and then five, because I don't know, cryptocurrency movements, I guess.
Starting point is 00:33:23 Yeah, yeah, everyone's huddling and it's, yeah, it's kind of, you know, whenever we report about cryptocurrency numbers, it's always kind of approximate and point in time. Yeah, sometimes it doesn't balance at all. We got one from James Reddick now over at The Record, a defense contractor called Morse Corp has, is gonna pay $4.6 million in penalties because it apparently
Starting point is 00:33:47 violated the False Claims Act. We've seen the US government go after companies for violating that act before where they sort of basically are promising that they're in compliance with things that they're not. In this case, it looks like they were using an unaccredited third-party email provider and then when they looked into it more deeply, they weren't complying with all of the NIST standards they were supposed to add. Yeah, they got in trouble. They got in big trouble for that.
Starting point is 00:34:14 They did a self-assessment, they were required to do, did an assessment as part of their kind of like supplier onboarding with the US Gov. They rated themselves 104 on a scale that goes from minus 210 to positive 110. So very, very close to the top. They subsequently got a third party to assess them and that third party scored them at minus 142. That would be the false claim part of this. And then they did not update the USGov with this new information.
Starting point is 00:34:46 They decided to, you know, presumably just quietly try and solve some of this stuff. And yes, that has ended poorly for them. Yeah, it sure has. And speaking about something that's probably going to end poorly for everybody involved, we've got a blog post here out of Grey Noise. And they have observed this massive surge in people scanning for Palo Alto network devices and GreyNoise's take on that, which I think is a reasonable one, is this is like someone's got an exploit and they're trying to find where to throw it basically. So they are
Starting point is 00:35:17 thinking that in the next few weeks there's going to be a pretty big campaign hitting Palo Alto network devices. It's hard to disagree. Yeah, like when you look at the graphs, they have a number of machine scanning. So, Grandways runs the Honeypot network and they've got data which shows I think 23,000 IP addresses in a coordinated manner scanning for Palo Alto devices. And they can look at, like they fingerprint how the tools, the thing that's doing the scanning makes the initial connections. And so they can kind of say like, there are three bits of software doing this
Starting point is 00:35:53 behind this 20,000 IP pool. Most of them are coming from one particular AS, mostly in Finland, the Netherlands and Russia, and mostly towards the US. So they've got a pretty reasonable feel for this. Feels coordinated, feels like one actor doing it behind maybe a bunch of proxies or some kind of pool of machines. And yeah, probably precursor to someone dropping
Starting point is 00:36:18 some sweet, sweet Palo Global Protect VPN bugs. Yeah, hooray. Speaking of, there's some new malware apparently targeting some sort of Ivanti Oday as well. Ciss is talking about this one. Yeah. So this is, it's not actually, well, it's not actually an Oday. It was patched earlier this year, but as you quite rightly pointed out, you know, patched in January for the sort of people that run, um,
Starting point is 00:36:43 the Ivanti products on the edge of the network, it may as well be zero day at that point. Yeah, that was when we were talking about whether to include this one and you're like, ah, it was patched in January. I'm like, it's an Avanti. That may as well have been 10 seconds ago. Like no one's got time to do that. But yeah, you're quite right.
Starting point is 00:36:58 It's not an O day. I was misled by the headline. I mean, maybe it was a zero day when it was dropped or something. I don't know. People misuse that word all the time and also like this is there was a while back with and when we talked about at The time it's a stack buffer overflow. Yeah, it's the year 2025 and a security product on the outside of your network has a stack buffer overflow I mean, okay. Yes, you have to wrap a little bit to get it back to code exact But this perfect concept code out there
Starting point is 00:37:24 I watched our labs did a really good write-up of the bug as they usually do Okay, yes, you have to wrap a little bit to get it back to code exact, but there's proof of concept code out there. I think Watchtower Labs did a really good write up of the bug as they usually do. And yeah, someone has bodged this together into a wider piece of malware. I think this was, I think this is one of the Chinese ones, maybe, which feels kind of like orb hunting to me. So there's, yeah, there's not really a lot you can do
Starting point is 00:37:46 if you're running these sorts of devices, apart from patch them and buckle batten down for the next bug that's coming. God forbid you should patch them. Yeah, I mean, there's one idea that was put to me by HD Moore, which is a reasonable one, is you can pull an IP list out of CrowdStrike if you've got CrowdStrike on every endpoint that's coming through your VPNs. You should be able to get a list of the IPs that people are coming in
Starting point is 00:38:09 from to these VPNs and you can add them to an allow list on these devices. That might get you something. Obviously if you wanted to do that dynamically, there's other solutions there, but I spend way too much time promoting that company, so I won't say their name, but just looking at some basic network controls around this stuff to try to stem the bleeding, not such a bad idea. Now we've got some news here about this guy, Aubrey Cottle, 37. He was arrested on Wednesday in Canada. He's facing charges there.
Starting point is 00:38:40 He's facing charges in the United States. This is like an anonymous, adjacent person who know, we first spoke about this guy hacking the epic web host, which used to host a lot of, you know, horrible websites and whatever. And also I think the Texas Republican Party. Yeah, like things are catching up with this guy basically is the is the story here. There's one of these indictments has been unsealed and yeah, he's in he's in big trouble. the story here, one of these indictments has been unsealed and he's in big trouble. Yeah, yeah, he's not particularly shy about it. He posts on his TikTok and on his Insta talking about his hack and exploits and stuff. So it's kind of not really surprising that he's been rolled up for this, but there's already, I saw a hashtag free curtain, which is his name,
Starting point is 00:39:21 floating around somewhere. So it's normal, it's normal, kind of normal, anonymous sort of stuff. But, you know, if you're going to show things and then gloat about it on, you know, on public social media, I kind of don't know what else you expect. I mean, this guy strikes me as one of those sort of committed hacktivist types, right? Who's actually prepared to walk the walk. And I mean, this is the result of that. It's not a good time, but hey, at least you've got the courage and convictions there guy, right? Well, yeah, exactly. Yeah. Yeah. And I think he's very fair. I think he's specifically in trouble for stealing data from the Texas Republican
Starting point is 00:39:54 Party, which is what the charges are centered on. And we're going to end this week with a fun one, kind of. I mean, not for the person involved. Alexander Martin has this report for the record. This guy, Hassan Arshad, who's 25 years old, he was doing an internship at GCHQ and decided in 2022 and just decided to copy a bunch of stuff, top secret data onto his, what is it, laptop or a portable drive or something
Starting point is 00:40:20 and walk out with it and of course got caught. Yes, not really the best plan. I think the story goes that this guy was an intern and he had like a year university placement in the GCH. Gary had done some previous work for them you know under an earlier program in his tertiary education. He got a year placement there and he was working as a developer or something on some tool. And he had come to the end of the year of his placement, and then he copied the code,
Starting point is 00:40:52 and reading between the lines, it's probably he copied like a Git repository or something that said there were like names and source code, names of staff and source code, but it sounds like he probably wanted to keep working on it. And he had aspirations to later get another, you know, go back to working there and he may not have thought it through. Although, on the other hand, the prosecution in this particular case, I think said there
Starting point is 00:41:16 was also examples of him talking about getting bug bounties for information leaks, which maybe is another possible motivation. Either way, taking your phone in, plugging it into your GCHQ box, and he had clearance and stuff, so he must have been through all the relevant trainings and then just copying stuff off and walking it out like... I mean someone's gonna look at that gonna happen. Someone's gonna look at those logs eventually, right? Like, you know. Well, especially in a place like that yeah so yeah not the sharpest not the sharpest move yeah I'm guessing there's probably like a log audit every now and then akin to a stock take at a retail store which
Starting point is 00:41:55 is right that's it we got to do the the annual check to see who we need to yell out yeah so that's actually it for the week's news. Adam Boileau, thank you so much for your time and we'll do it all again next week. Yeah, thanks for having us, Pat. I look forward to it and we'll talk to you then. That was Adam Boileau there with a check of the week's security news. It is time for this week's sponsor interview now with Trail of Bits and we are speaking to Jaden Hess who works on the cryptography team at Trail of Bits. They do all manner of sort of consulting and engineering work and have done a lot of work with cryptocurrency exchanges and people in that space, people
Starting point is 00:42:37 and companies in that space. So I thought this week it was a great opportunity to ask them what they think about the whole Bybit attack in which $1.5 billion worth of cryptocurrency was stolen by the North Koreans. So I started off by asking Jaden for a quick assessment, I guess, of Bybit's procedures. And here's what he had to say. For one thing, if you're going to have a cold wallet, it has to be offline. The kind of root cause of this is that they're connected to an internet wallet provider that North Korea hacked the server for.
Starting point is 00:43:16 And now you've got malicious code running in your cold environment. So you got to keep your cold wallet offline. You can have a warm or hot wallet that maybe is more featureful, but there needs to be a tight separation and you know bounded losses there. Okay. So a hardware wallet is not a cold wallet, right? I think that's kind of what you're getting at there and you say it needs to be completely offline. But if it's completely offline, how are you actually able to do any sort of manipulation of the blockchain? I mean, obviously at some
Starting point is 00:43:49 point data's got to come in, data's got to go out. You know, they were using a hardware wallet for that. You're saying that's not enough and that the computers that are doing these operations need to be disconnected completely from the internet. But in that case, how do you use them? Yeah. So the data that's being transferred is relatively small. So in many cases, you can just use something like a QR code. Or we've seen people use CDs where you burn a read-only CD on the outside of the room, bring it in, burn it on the inside of the room, bring it out. And that kind of gives you a nice isolated way
Starting point is 00:44:25 to transfer relatively small amounts of data in and out. Now, just because this thing is offline, it wouldn't mean that you wouldn't need fairly robust procedures here. Because I'm imagining that if you can get control of the computer that is generating the QR code or writing to that CD, there's going to be subtle ways out there of doing similar sorts of things.
Starting point is 00:44:48 Because in the case of this Bybit transaction that was multi-sig authorized by a bunch of people, the one thing that would have given it away was a single value changed in a very long string of hex. Wouldn't you be facing similar challenges under this scenario? How much of a solution is it, I guess, is what I'm asking. Yeah. So whatever you do, you need to have a user interface on the inside that presents all the relevant data.
Starting point is 00:45:14 And there's sort of two features that went wrong with the Bybit incident. One was that the sort of scope of transactions that could be sent using the normal signing flow included transactions which could totally overwrite any sort of transactions that could be sent using the normal signing flow, included transactions which could totally override any sort of policy that could be put in place on that wallet. So if you restrict the variety of transactions that can be signed during the normal signing flow
Starting point is 00:45:37 so that none of them can bypass your hard stop transaction flow values, then you have less risk if something were to go wrong. And then secondly, your wallet needs to be rich enough to display intuitively all of the different effects of a transaction. And so the safe wallet, you know, if it had been operating properly,
Starting point is 00:46:01 would have put all sorts of red flags up if it was trying to sign a transaction similar to one that was deployed. So in that case, that would have worked okay. But still, there's a lot of nuanced things that that smart contract wallet could do. And for a real cold signing solution, you probably want fewer types of transactions, less contract interactions, simpler guarantees on value per day, for example. Yeah. I mean mean earlier you were talking
Starting point is 00:46:26 about sort of restricting the ability of people to be able to sort of change the contracts right? I mean there's a reason though isn't there that people have this sort of flexibility in the contracts and some of those reasons are related to sort of anti-fraud security and safety which is that hey if you've got a problem with your smart contract you need to be able to fix it to be able to patch it. You need that flexibility, otherwise you're stuck with a vulnerable contract. Isn't this a case of a little bit of you're damned if you do and you're damned if you don't?
Starting point is 00:46:53 A little bit, but there's things that you can do, right? For example, for emergency upgrades that allow you to bypass signing limits, for example, you should need some sort of break glass key, right? You shouldn't be able to do this in doing the normal signing flow, such that people might be confused into accidentally doing it. Someone should have to go to a bank, go to a safe deposit ball and get out a paper key. No, I mean, so that's basically it, right?
Starting point is 00:47:17 Is that there's a... The normal signing flow has some level of privilege, and in order to surpass that level of privilege, you need another actor, another piece of authentication, which never comes out except in emergency cases. Yeah. I mean, so really what you're describing is actually for them to have done some engineering work and put some thought into it. Yeah. So that also threat modeling, right? Yeah. You should have an actual document which goes through all of the different potential attack vectors and the consequences if they were to be exploited. If they had
Starting point is 00:47:51 done that, they would have seen someone pops the Bybit web server, all of our money's gone, right? Yeah, yeah, yeah. So look, when we look at, and you're much more likely to have an answer to this question than most people, which is when you look out there at the way most exchanges are operating, would you say that Bybit were about par? Were they doing it about how most exchanges and crypto orgs are doing it? Are they that blasé or were they being a little bit more lax than most in your experience? No, I think they little bit more lax than most in your experience? No, I think they were being more lax than most.
Starting point is 00:48:34 From seeing sort of US based organizations handling large amounts of cryptocurrency, they seem to have much more thorough threat modeling procedures, operational guidelines. I mean, of course, we've never sort of audited Bybit specifically, so I can't say what their internal documentation and threat modeling and procedures look like, but clearly they're relying on a website for cold signing transactions out of a $1.5 billion wallet. So I'd say that's not normal. Yeah. What is normal?
Starting point is 00:48:59 Like I was actually surprised when I saw that this safe wallet service actually existed because I'm like, hang on, you've got a hardware signing wallet and whatnot, and this is all going out to a cloud service that runs JS in your browser. And I'm like, I'm already thinking this could go wrong that way. So I mean, I just, we scratch our heads a little bit over here,
Starting point is 00:49:22 often when we look at the crypto world. Like, what is that service actually for? Yeah, so normally you would need something like this for your sort of hover warm wallets, right? You need some way to, in the day-to-day operations, propose, approve, and sign transactions out of some wallet, right? And it's nice to have a rich, featureful wallet that can have various sorts of policies and authentication flows and different targets and all that. And that's just part of normal operations.
Starting point is 00:49:54 I'd say that like what broke down here is that there should be another layer of value isolation. You shouldn't be using your like, normal warm wallet signing, you know, featureful system to do signing out of your full cold wallet. So in other institutions, they will have a similar sort of web-based transaction proposal, right? You have employees who need to make trades or send money from account A to account B, and you don't want those people to have to go into a cold room and, you know, move CDs around. But you should only be holding, I don't know, $10 million in that wallet or
Starting point is 00:50:33 something that you're sort of willing to potentially lose in case of a major breach. So I guess, you know, I guess really what you're saying is, you know, it takes a bit of work to sit down, work out your threat model, come up with some compensating controls, procedures, just the usual boring stuff that we do. I mean, it boggles my mind that often this isn't done and this is why the North Koreans are having such a big party time. It's almost like we often make the joke on the show that the cryptocurrency world is speed running the need for a lot of these financial regulations that apply to the banking sector. It does feel like that sometimes, doesn't it? Yeah.
Starting point is 00:51:11 I mean, there's sort of a very short time between you know, f**k up and find out, right? And it actually is kind of nice because it shows you exactly what not to do very quickly if you're someone observing. On the other hand, could go very badly for anyone at any time. So trade-offs. Do you also find yourself, you know, looking at incident reports from, you know, North Korean hacks and just thinking, wow, okay, that's nice. Or even further, wow, I didn't think that someone would think to do that. You know, like how much have you been able to learn from the way they do this stuff? Yeah, they're very impressive, right? You know, like how much have you been able to learn from the way they do this stuff?
Starting point is 00:51:45 Yeah, they're very impressive, right? I mean, there's few countries which have sort of that much dedicated offensive capability willing to do things in the public, right? That's the thing about North Korea is I think everyone has cyber offensive teams, but rarely are they going around stealing a billion dollars in plain sight. And so it's very impressive. We know that they can do advanced social engineering attacks. But on the other hand, a lot of these things are actually not that complex. It's just a matter of having a lot of eyes on a lot of different protocols. Right? So, I mean, even in this case, this was an impressive attack, but ultimately it was, you know, some malware on someone's computer.
Starting point is 00:52:32 It was nothing that required, you know, a huge, huge amount of... That wasn't the bit that we found impressive. The bit that we found impressive is poisoning the JS just for one organization and manipulating the transaction so that it looked really legitimate. They understood the smart contract, they understood the workflows, they understood the multi-signing. And that's the bit that we find impressive is that you know the degree to which they understand these processes internally with the you know like ah chef's kiss.
Starting point is 00:53:02 Yeah and I mean of course. But's kiss. Yeah. And I mean, of course. But I guess, I guess what you're saying, I mean, the question was like, are you learning stuff from these attackers and thinking of new things to think about? And I mean, your answer seems to be not really. I mean, yeah, to some extent, right? But often it's, you know, the sort of thing
Starting point is 00:53:18 that we would find if we did a review, right? So, like I would say in this case, yeah, like we said, like basic threat modeling, you know, it's a website, you're pulling it every time you do a signature, that's going to be a threat vector. Yeah. Now, Trail of Bits has been offering services to the sort of cryptocurrency world actually for quite a long time. You know, what are the security services that are most popular? I'm guessing they're more on the smart contract audit side. I know that's a big thing for you.
Starting point is 00:53:45 Are you coming in though and doing the sort of consulting around these transaction signing flows and all of that, or is it mostly just on the smart contract side? Yeah. So actually I'm on the cryptography team, so I do less of the smart contract auditing, but we do a lot of sort of HSM signing consulting, key ceremonies, the sort of accommodation of like operational concerns and how to use cryptographic tools appropriately. So we've done several engagements that involve some sort of review of signing procedures,
Starting point is 00:54:16 key generation ceremonies, that sort of thing. All right, so it's top to bottom. It's, you know, look at the smart contracts, look at the signing procedures, do the consulting, build the systems. Sometimes, literally. Yeah. All right, Jaden Hess, thank you so much for joining us on Risky Business to walk through
Starting point is 00:54:31 what Bybit could have done differently and what should have been done differently. And the answer is, I guess, to both of those questions, well, quite a lot. Great to chat to you and we'll do it again one day. Cheers. Yeah, cheers. That was Jaden Hess there from Trail of Bits. A big thanks to Trail of Bits for being this week's risky business sponsor. You can find them at trailofbits.com.
Starting point is 00:54:53 But that is it for this week's show. I do hope you enjoyed it. We'll be back real soon with more security news and analysis. But until then, I've been Patrick Gray. Thanks for listening.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.