Risky Business - Risky Business #787 -- Trump fires NSA director, CISA cuts inbound

Episode Date: April 9, 2025

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:
- Oracle quietly cops to being hacked, but immediately pivots into pretending it didn’t matter
- NSA and CyberCom leaders fired for not being MAGA enough
- US Treasury had some dusty corners it hadn’t found China in yet, looked, found China in them
- …which is a great time to discuss slashing CISA’s staffing
- Ransomware crews and bulletproof hosting providers are getting rekt, and we love it
- And Microsoft patches yet another logging 0-day being used in the wild.

This episode is sponsored by Yubico, makers of YubiKey hardware authentication tokens. Yubico’s Vice President of Solutions Architecture and Alliances Derek Hanson joins to discuss how the consumer-centric passkey ecosystem has become a real challenge for enterprises. One that Yubico is actually ideally positioned to solve.

Show notes
- Oracle privately confirms Cloud breach to customers: Oracle have finally issued a written notification to customers about their cybersecurity incident.
- Head of NSA and US Cyber Command reportedly fired | Cybersecurity Dive
- Trump fires numerous National Security Council staff - The Washington Post
- Trump administration under scrutiny as it puts major round of CISA cuts on the table | Cybersecurity Dive
- Hackers Spied on US Bank Regulators’ Emails for Over a Year - Bloomberg
- This is how Jeffrey Goldberg got added to the Signal chat
- Cybercriminals are trying to loot Australian pension accounts in new campaign | The Record from Recorded Future News
- $500,000 stolen in Australian super fund data breach | Superannuation | The Guardian
- Australian regulator pulls licenses of 95 companies in effort to crack down on investment scams | The Record from Recorded Future News
- Everest ransomware group’s darknet site offline following defacement | The Record from Recorded Future News
- On March 28, 2025, a threat actor leaked internal data from Medialand, a major bulletproof hosting (BPH) provider long linked to Yalishanda (LARVA-34).
- There's a ransomware group named DragonForce going around hacking its rivals. After Mamona and BlackLock, the group has now hacked RansomHub.
- The DragonForce ransomware group hacked two rivals this month
- CISA, experts warn of Crush file transfer attacks as ransomware gang makes threats | The Record from Recorded Future News
- Kill Security Campaign Targets CrushFTP Servers
- National Vulnerability Database | NIST
- Microsoft patches zero-day actively exploited in string of ransomware attacks | CyberScoop
- Exploitation of CLFS zero-day leads to ransomware activity | Microsoft Security Blog
- Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure (CVE-2025-22457)

Transcript
Starting point is 00:00:00 Hey everyone and welcome to another edition of the Risky Business Podcast. My name is Patrick Gray. We're going to talk about all of the week's cyber security news in just a moment with our co-host, Mr Adam Boileau. And then it'll be time for this week's sponsor interview and this week's show is brought to you by Yubico which makes obviously the YubiKey and we are joined by Derek Hanson this week who works at Yubico and we're going to be talking about all things passkeys right? Because I mean you would have heard Adam and I talking about how passkeys are like a little bit confusing to users at the moment and now they've become this syncable thing that are going into people's keychains instead of into like
Starting point is 00:00:44 secure enclaves on devices. It's all got a little bit confusing. We're going to talk to Derek all about that after this week's news, which starts now. And Adam, last week's show headline was Oracle is lying. Guess what? Turns out we were right. Yes, which is probably good given Oracle's, you know, 80% lawyers by volume. But yes, Oracle, last week we were talking about how Oracle
Starting point is 00:01:12 got their cloud, Oracle Cloud breached. They have, at the time they were kind of denying it, they've now kind of confirmed that they had a breach. But don't worry, it wasn't an Oracle Cloud. It was in a thing that looks very like Oracle Cloud, but is totally not because it's old. No, I mean, what they said is, don't worry, everybody, because a hacker did access and publish usernames from two obsolete servers. So these would be the ones in your cloud you didn't decommission.
Starting point is 00:01:39 Is that what you're telling us? But don't worry, because they're obsolete. I mean, this whole thing has been a shmozzle. Yes, it has been a total mess. They, along with claiming that they didn't get breached because those servers were not really in the main cloud, they also said that the hacker did not expose usable passwords because the passwords that they did get were encrypted and or hashed. That's my favorite bit. Don't worry everybody, we hashed passwords so it's fine right? And just for the avoidance of any doubt when we're talking about this, you know you get into an older like
Starting point is 00:02:15 legacy machine there, you're probably going to recover some passwords or certificates that you could use on current machines because it's not like they're going to rotate through absolutely everything during a migration and you might also find that the box you're on has multiple interfaces and is attached to multiple networks and there's all sorts of opportunities for a real good time once you're on there and of course we're hearing rumors about you know pretty current data being passed around I'm hearing this you know these rumors from you know you're seeing them on social media and hearing them from various CTI folks that this ain't old data.
Starting point is 00:02:46 So I think this story still has a little bit to run, but just wanted to update everyone that Oracle is privately confirming that there has been a breach of an obsolete box in the Oracle cloud that totally is an Oracle cloud. So I hope that clears up. Oracle Classic is what they say it is. It's the classic one, not the current Oracle cloud. It looks nothing like it. It just happens to have domain names that sure look like it, but no. It's just, it's a totally different thing.
Starting point is 00:03:12 And we did not just slap a fresh coat of paint on this very old Sun, you know, old Solaris box and totally pretend that it's not part of the cloud. We got some feedback. I can't remember if it was an email or a YouTube comment or someone who was very upset that you were giving, that you were making fun of Sun Microsystems. And I'm like, oh, cause Sun was so good back in the day. And it's like, yeah, well, it ain't back in the day anymore, is it? And I mean, they're not wrong.
Starting point is 00:03:38 Sun was great. It's just, yeah, it's not 1997 AD anymore. It's not 19 diggity doo. Now moving on, other big news that happened over the last week is the Trump administration has fired Timothy Haugh, depending on who you listen to, for the pronunciation there. They fired him as head of NSA and also the deputy director of NSA Wendy Noble. So there's the what's been described to me as the quote-unquote Fox News explanation which is that the leadership at NSA were reluctant to start targeting Mexican
Starting point is 00:04:15 drug cartels. I'm told that's not true and that really this is just because they are not MAGA basically. They got moved on for not being MAGA. Did an interesting interview with Chris Krebs and Alex Stamos yesterday, which I hope to publish this week. That's for the Wide World of Cyber podcast. Chris is of the opinion that, you know, this is a leadership reset,
Starting point is 00:04:36 and what they're planning to do is split the role of NSA director and, you know, Cyber Command, the head of Cyber Command. So that's an interesting thought there. But you know, like it's just more chaos, isn't it? Yeah, like it has just been all over the place and there's just so much uncertainty about, you know, where, who's going to be running these organizations. We've seen all the uncertainty around CISA and you know, the whole thing is just kind of a real mess. And it's hard to judge what's you know how it's all gonna shake out and we just
Starting point is 00:05:09 we just got to ride this you know this roller coaster and see where we end up which I mean it's not a great place to be especially if you work there. I mean one of the craziest things about this is apparently Trump did this at the urging of Laura Loomer who is a you know very far right-wing activist. This is the same woman who sewed a Star of David onto her clothes and chained herself to the front door of Twitter something like a decade ago. So this was apparently her thing and I read her post about why these people needed to go and it was really the scribblings of a deranged idiot. Because they were connected to this person who served on the board of the...
Starting point is 00:05:45 You know, it was real Pepe Silvia, you know, string on a cork board sort of stuff, right? It reminded me of your Atlantic Ocean, Atlantic Magazine, Atlantic... Yeah. Whatever it was. Atlantic Council, yeah. Atlantic Council, yes. Like, it's... Ah, dear, oh dear.
Starting point is 00:06:02 It's just... It's so dumb. It's just so dumb and I don't know... I'm sorry, Americans. I don't know what you're doing. Well, there's been a couple of names floated that I'm hearing.
Starting point is 00:06:13 One is Trae Stephens, who's a co-founder of Anduril, the defense contractor. We're also hearing that Ezra Cohen, who's been kicking around in NatSec circles in the US government for quite a while. You know, he's another name who's been suggested. They're you know definitely MAGA so we'll just have to see what happens there. I don't know even what the confirmation process is going to be, is going to look like once they split these roles. It's all you know a little bit confusing but
Starting point is 00:06:40 you know again Project 2025 did outline the splitting of these roles. And we're seeing a lot of stuff, you know, materialized out of that policy roadmap. So, you know, I just don't understand why they had to let the leadership go. And you do wonder. Yeah, you do wonder what the future direction of NSA will look like under very, you know, hyperpartisan leadership. Let's just let's just put it like that. There's also been a clean out at the National Security Council, a bunch of staff let go. Again, I believe this is at the urging of Laura Loomer.
Starting point is 00:07:12 It's pretty nutty stuff, you know, kind of having someone with, as you say, like deranged, deranged rantings, deranged ramblings, whatever it was, kind of changing up such important parts of the leadership structure. Like it's, yeah, I don't know what, where we're going to head with that. Like it's just nutty. Yeah, I mean, look, there's plenty of people in the United States who don't feel free to express their feelings about the government there at the moment, which is a very strange place to be. I mean, people in industry are scared that if they speak up against a lot of the things that the administration is doing, that all of a sudden their government contracts will
Starting point is 00:07:46 go away, they might get audited by the IRS, and also have mobs of modern day brownshirts sicced onto them. And this is a thing that's happening, believe me, this is a thing that's happening. People don't feel free to speak. But I think we can say from the safety of here in Australia that this is not good and is not well thought through and just things over there just seem to be spinning out a little bit, especially with all of this trade stuff. But look, staying with intelligence community and cyber security related cuts and changes, Trump is apparently going to cut something like 1300 jobs at CISA.
Starting point is 00:08:23 There is some reporting that this is going to affect the threat hunt mission at CISA. I think that's a poor place to cut, if I'm honest. People might think NSA does this sort of stuff, but they only do that on government, on defence networks and on defence industrial base networks. They don't do this sort of work for the civilian government that is CISA's remit. And do you want to lose visibility there?
Starting point is 00:08:51 That doesn't seem great. Yeah, it really doesn't seem to make much sense. And the numbers that we've been hearing are going to be like half of CISA's workforce, right? I think it's between like a third and a half, somewhere like that. It's a significant whack. And then of course there's a bunch of, you know, contractors and people that help them out as well and it's just really important work that they do and
Starting point is 00:09:13 you know, this of all of the points in history to cut the ability to find adversaries in your environment. It just seems like a poor choice, you know. Yeah, I mean look, look, that said, there's obviously always gonna be places you can cut from a government agency, which aren't gonna result in disaster. I mean, CISA has tried various public-private partnerships and sharing things and stuff that we've seen
Starting point is 00:09:37 haven't really worked, right? So obviously there's, and you know, that's not to cast aspersions on anyone involved in some of those programs, you know, some of them just haven't worked. But you know, if the reporting that I've seen that this is going to affect threat hunting, you know, is accurate, that is bad.
Starting point is 00:09:54 And you know, right on cue, we've got this piece from Bloomberg here, which says, which is talking about a, another intrusion at US Treasury, which apparently happened in 2023, but has just been identified. This was the, what is it, the Silk Typhoon or whatever, a Chinese group had got into, what is it, the Office of the Comptroller of the Currency at Treasury and observed the email, you know, spied on the email of about 100 staff.
Starting point is 00:10:21 Yeah, this is exactly the sort of thing that, you know, CISA is there to cope with and deal with. And I don't know that their threat hunting teams were involved, but it is kind of the sort of thing you would imagine that they would be. And this particular campaign, so we saw the other two intrusions into bits of Treasury, the, what was it, the CFIUS part and the OFAC,
Starting point is 00:10:43 the sanctions part. It does seem like this is probably the same bit of China's capacity being doing this. And this one may have predated some of those based on a timeline that we've seen. So either way, it kind of seems like if China is interested in being in there, that the US ought to be interested in keeping them out. Well, yeah, that's how it normally works. But anyway.
Starting point is 00:11:05 We are not in normal times anymore. We are not, we are not. We got a little bit of follow-up reporting on Signalgate here too. We're not going to talk about this for very long but it's just so funny. The mystery as to how Jeffrey Goldberg, who is the editor-in-chief or whatever his title is at the Atlantic, how he wound up in that Signal group, The Guardian thinks they've figured it out and it is absolutely as hilarious as you would think it would be.
Starting point is 00:11:28 I mean, the assumption was that someone just added the wrong Jeff, right? And Goldberg was in one of these people's, you know, address books. Turns out that's not actually how it happened. And the real way is just, it's so much funnier. So apparently Goldberg had at some point emailed the Trump admin to ask for comment about some particular story. That request got forwarded around by some staffers and eventually ended up in Mike Waltz's chat by virtue of a block of text being copy pasted out of Goldberg's email into a text
Starting point is 00:12:03 message or something. It sounds like it's the, you know when you send messages around with iMessage and sometimes it'll be like, hey, do you want to update the contact because it's got a new picture or a new whatever else? It seems like maybe he got trapped by that because they copy pasted the signature block and then it was like, do you want to update it? And he just smashed yes, presumably.
Starting point is 00:12:21 And it ended up putting Goldberg's phone number into the address book entry for this, you know, kind of other staffer that had forwarded the message. Which I mean I couldn't kind of imagine falling for that, like it's not... But again, let's, let's just go back to our mantra on this, which is that this is why you don't use civilian systems for these sorts of things. Because things like this happening, you know, a little bit too easy and you just don't want, you know, you don't, you can't accidentally add someone to a conversation in a SCIF who's not, you know, also in a SCIF.
Starting point is 00:12:58 Yeah, exactly. Ultimately, this is convenience for civilian use, right? This is not for war plan group chat. No, no. I go and have a steak once a week with everybody, my mates around here, just to keep my iron levels healthy and get out of the house. You know, everyone's changing their group chat names.
Starting point is 00:13:19 I think ours is Houthi PC steak chat now, steak group. So yeah, lots of fun. Anyway, moving on, because we've all talked about Signalgate to death. Big news in Australia, like this was such a big story here, which is that some scammers were targeting our superannuation funds, right? So for Americans, like our superannuation
Starting point is 00:13:41 are like a cross between a 401k and social security. So employers pay into essentially like a mandatory 401k and we call it superannuation. It's a pension fund. So everybody has one, right? Everybody has an account and someone that looks like they were just using like stolen creds from various, you know, data breaches and whatever to, you know, do mass logons and whatnot into these super funds and try to get money out.
Starting point is 00:14:06 Now, I think the saving grace is here. It looks like maybe half a million went missing, which is why I'm surprised it turned into such a big story because it was everywhere. And I think it's because everybody has one, all of a sudden everybody's worried about their money. And you know, that's what made it such a big news story. But I think the saving grace here is that
Starting point is 00:14:23 really until you turn 60 and you're actually drawing this money out like there's not really a lot you can do in most super accounts when you log into them like you can have a look at a couple of statements and whatever but if you want to do something like transfer to another fund like with most of them it's like you know you're going to need to fill in a form and that form needs to be processed and whatever. And it's like a pretty clunky administrative process. But that said, you know, I don't expect that it's always going to be that way. And these funds operate on paper thin margins, right? Because it's a very competitive space. And you sometimes, you know, sometimes it's good for something like this to happen, so that regulators can really take a look at what their security controls are like and if they need to be adjusted regulation-wise.
Starting point is 00:15:08 Yeah, it did seem, I was kind of surprised at the numbers being so low as well given how much coverage and traction it was getting. Because we saw some numbers that said something like 20,000 accounts were targeted. There's like a bunch of different providers for this kind of superannuation scheme and so we got different degrees of information from different providers. So like one provider, Australian Super said 600 accounts were compromised through stolen passwords, but we've seen numbers that are more like 20,000. But as you say, the fact that we only saw half a million dollars actually managed to be moved out suggests that there isn't a great path to rapidly monetizing this because as you said,
Starting point is 00:15:52 of the friction involved in doing something with this money, but it does seem like the superannuation industry in Australia, you know, we've seen some industry bodies and staff come out and say hey, remind all their members to member companies to kind of improve the quality of the controls. So I think maybe this is a pretty good wake up call and hopefully the four or five people or whatever that has actual significant money taken will get reimbursed by the funds
Starting point is 00:16:18 or will they find some way to claw it back. But yeah, it's just a good reminder because a service that you don't use very often or access very frequently plus potentially an older user base are a pretty ripe target. Yeah, I mean, just to put things into context here, you know, the total amount of funds in Australian superannuation schemes is 4.2 trillion Australian dollars, which is what I don't know about 2.5 trillion US dollars, right? It is a lot of money. It is an incredible target. Everybody's got one.
Starting point is 00:16:48 And I think that's probably why this made such big news. And also we saw a similar story, I guess, here from this one's covered by James Reddick at the record, which is that the Australian corporate regulator has deregistered 95 companies that were spun up by the looks of things to make various scams like pig butchering scams look legit. So it sort of concerns me when we're starting to see sort of organized crime attempts to start playing around with our financial system a little bit. We've seen it happen to the IRS, we see this sort of stuff in other countries,
Starting point is 00:17:24 and I just hope this isn't the start of something here, you know. Yeah, well I mean hopefully the Australian government's, you know, kind of moved towards a little hound release on occasion just to remind people Australia is not such a soft and easy target. Maybe there's some deterrent factor in that, I don't know. When Anthony Albanese, our Prime Minister, was asked about this he said he'd been informed about the attack and said, we will respond in time. We're considering what had occurred, but bear in mind the context here. This is a cyber attack in Australia about every six minutes.
Starting point is 00:17:53 This is a regular issue. We have beefed up funding for the Australian Signals Directorate. We will have a considered response to it. But the agencies, of course, will work very strongly on it. So, you know, there you have an example of the leader of a country saying well you know we're going to kick this to ASD and figure out what they want to do right, which is just you know this is such a positive development in policy in the last sort of five years right, because this was unthinkable ten years ago that
Starting point is 00:18:21 ASD or NSA or you know Cyber Command or GCHQ or GCSB, that any, and the Canadian one, that's always my joke, the Canadian one that I always forget. Um, yeah. So the idea that, um, they would be sort of emboldened to, you know, uh, empowered, I'm sorry, to, uh, uh, do anything about cyber crime. Like that was unthinkable 10 years ago. And now, yeah, the prime minister comes out first thing they say as well. I guess we'll respond to this with ASD. Yeah. I mean, and I guess that's a, you know, what other options have you got? Because we tried a bunch of our stuff. We tried multilateral, you know
Starting point is 00:18:52 kind of law enforcement. We tried all sorts of international consensus and norms and whatever else and where did that get us? Not particularly far. But they're having a lot of fun with the rm -rf shark, as we've discovered through various bits of reporting. Now speaking of drama in the criminal underground, man, there's a series of stories this week. Like all hell is breaking loose among ransomware crews. There's this group called... What are they called? Dark something? What are they called? Yeah, DragonForce. DragonForce have
Starting point is 00:19:22 owned and defaced like RansomHub, Mamona and BlackLock. Now we're seeing the Everest Ransomware Group's darknet site is offline and has been defaced. Alexander Martin has that report. We've also seen, and we're not sure, I'm not entirely sure if that's DragonForce as well. And then we've seen the threat actor behind the Black Basta leaks take down Medialand, which is a major bulletproof hosting provider, and they have just laid out all of that data. So there's all the customer records, all of the data they
Starting point is 00:19:55 were hosting, just bang, dump it on the internet. The CTI people I know, they're wetting their little pants over this because it is the most exciting data drop they've had in ages and they, you know, I mean they spend a lot of time just figuring out who's who and this is a gold mine. So I mean obviously it looks like some of this is, you know, red on red, but you've got to wonder about some of it too. Like I don't know what's happening here. I don't have any information to suggest that there's any intelligence action here, but I really hope there is, especially on the bulletproof host.
Starting point is 00:20:33 Yeah, because we did see that Australian government takedown of another bulletproof hosting provider in Siberia, wherever it was. We covered that a few weeks ago. And just dumping all of the business records and who's paying for what with what cryptocurrency, with what other payment mechanisms, that's all super useful data for clustering together some of these actors and their activity.
Starting point is 00:20:57 And then also correlating bulletproof hosted services with who was paying for them, how they're being used, all those, it's just a wonderful goldmine. I'm very sure that all the people are super excited about it. And, you know, even if it is just in fighting, like normal kind of organic infighting as opposed to being provoked or whatever else. Like, we love to see it. Yeah.
Starting point is 00:21:22 The the Everest Ransomware Group one that you mentioned. So that one wasn't DragonForce, but the people who defaced their site, defaced it with, don't do crime, crime is bad, hugs and kisses from Prague. Oh, there was a conference happening at the same time, wasn't there? There was a security event happening at the same time. I think. Maybe there was, yeah. It's kind of hard to keep track of because all this is also dark websites and understanding the authenticity of these things requires a whole bunch of other, am I looking at the real one? Was this the one last week? Is it the same one? Is it like, yeah, this is why threat intel people are such know, are such a crazy bunch when you have
Starting point is 00:22:06 to go out and have a beer with them and they're all like, you know, crazy-eyed and this is their life, tracking all this kind of underground madness. But it just feels like I see seen wars from the 90s, which I know is an analogy we've used a lot of times. And you know, we just love to see it like chaos in these communities is just good. Yeah. Now I'm not exactly sure precisely what data like what hosted data. I think I saw I saw some reporting somewhere that hosted data was also exposed, but I'm not sure how that was exposed.
Starting point is 00:22:34 I know there was a Telegram channel and according to this, you know, post on X, I'm looking at, the leak was published exposing Medialand back end system. So maybe that's how people were able to access data that was being hosted by their customers. So you would think if it is exposing things like data stolen from companies around the world, you know, exposing that sort of information I don't think is something that an intelligence agency, you know, Western intelligence agency or a Five Eyes agency would do. So, you know, your options here are it's a CTI person just going rogue and having a good time.
Starting point is 00:23:06 Hats off to you, sir. Yes, exactly. It's crime on crime. Or possibly it's some operator in a government building with no windows. Or second order effects from any of those things like law enforcement or intel dumping creds and then somebody else jumping on and, you know, kind of pulling the thread and turning it into a bigger thing. Like there's just so many ways this can go down and they're all ultimately all bad
Starting point is 00:23:32 for the underground crime groups. So, yeah, I'm here for it. Yeah, it's fun. Now, look, last week we actually cut this from the run sheet, which is, uh, there was reports of exploitation in a piece of software called CrushFTP. And you know, CrushFTP has been around since what? The Jurassic era. And you just sort of think, well, who cares? But it turns out that CrushFTP has sort of evolved. Like what was the other one? I can't even remember. There was
Starting point is 00:23:58 another one with FTP in the name that was an old FTP, which is now like a fully fledged file transfer appliance. And now CISA is warning about this because apparently people do use this CrushFTP file transfer appliance or file transfer software. I had a look at their website. They support a zillion different protocols, right? You can do like SMB over this thing, which is like, oh, great. You know? Um, so yeah, it looks, this one looks pretty bad.
Starting point is 00:24:22 We've also had a group actually claim credit for this, and it looks like they're doing the same sort of thing that happens with all of these file transfer server campaigns, which is they grab the data and then ransom it. This one's been claimed by a group called Kill Security. Yeah, this one has been quite funny because of some disclosure drama as well.
Starting point is 00:24:46 So the bug in CrushFTP was actually, which is like a race condition in the auth process where basically they have pluggable auth where you can use your Amazon session tokens or whatever to auth into this thing for easy integration. And it was basically a race where you could show up and say, hi, my username is admin and I'm totally going to authenticate to you with this Amazon method. And by the way, sorry, I didn't provide you with that. Can you just log me in anyway? That's the kind of gist of the bug. A research firm, Outpost24, found the bug, reported it to CrushFTP. CrushFTP asked for like 90 day, you know, kind of pause on disclosure,
Starting point is 00:25:28 public disclosure, so they could patch it, notify the customers or whatever. They released a patch without a CVE. So it was allocated a CVE early on, but they kept it quiet because they were trying to, you know, keep the bug quiet for a bit. Somebody reversed the patch, figured out the bug, started exploiting it. Somebody else then applied for another different CVE because they had seen it in the wild and or reversed it off the patch or whatever it was, and then there was lots of angry back and forth about that, and it's now turned into a bug that has two different CVE identifiers and is being, you know, used in the wild and everyone's
Starting point is 00:26:02 kind of, you know, a bit confused and upset, I think. So yeah, a little bit of good old fashioned disclosure drama. Yeah, we love to see it actually, if we're completely honest. Now look, speaking of CVEs, this is something we've talked about a few times over the last year or so, which is the National Vulnerability Database, maintained by NIST. It's been an absolute clown show over there.
Starting point is 00:26:28 They fell behind on enriching the data. It got so bad that they had to pause it. Then I think new funding was allocated and they're trying to catch up with this new contractor and they've basically just given up. They're saying anything, any bug that dates back to before the 1st of January 2018, they're just not going to enrich it. Because they've just realized like they're not going to catch up. So I mean, yay.
Starting point is 00:26:51 I don't know what to even say about that. And you know, this is an important database. Like it's just, oh. It is. It's such a, you know, it may seem like a simple thing having consistent naming. But for those of us that remember what this was like before CVE numbers existed, like back when it was just random posts on full disclosure
Starting point is 00:27:11 and random posts on Bugtraq, and everybody had their own little tracking numbers and names and whatever else, like having a taxonomy for this actually was really useful. And it's kind of, you know, it's a pity how much of a mess it's turned into. And, you know, honestly, I'm amazed that NIST still exists at all, given, you know, the amount of government efficiency going on.
Starting point is 00:27:30 So, you know, I guess the fact that they're still here putting out announcements about giving up on enriching their bugs, I guess means there's still some people there. So that's good news, everybody. We'll take the win. It is funny, you just like gave me flashbacks to Bugtraq and Full Disclosure, and it was funny, right, because Full Disclosure was basically unmoderated. These were email lists, for people who aren't old like us. Bugtraq was pretty, like, controlled and, like, low volume, and you would get, you know, details of bugs flowing through pretty regular. Full Disc was interesting because
Starting point is 00:28:02 it was like trolls pretending they had 0day and just like doing these really elaborate posts that would like take you a while to figure out were wrong. And, you know, posting PoCs which would just rm -rf people's boxes. Backdoored. Exactly, backdoored PoCs. And it was fun, right?
Starting point is 00:28:17 Like Full Disc was fun. But it got like, it just got crazy after a while and then just sort of went away because, yeah. If only we had something that was in the middle. Yeah, something with just, just enough, you know, drama and trolling to be fun, but not so much that it's completely useless. Exactly, like just the middle ground. Exactly, that's what we want. Now Microsoft has patched a 0day that's being used by ransomware crews.
Starting point is 00:28:46 And look, okay, it's a priv-esc, but it's in the Common Log File System guts of Windows. And it is such a cool bug. They have just patched it. Adam, walk us through it. Yes, so they patched this bug, which I would like to note was one of 126 bugs they patched this Patch Tuesday,
Starting point is 00:29:05 where this one is being exploited in the wild. The Common Log File System plumbing has had so many bugs in it over the last, I don't know, I want to say like two or three years. It just seems like every Patch Tuesday has featured a bug in this thing. Anyway, this is a use-after-free memory corruption bug in this log parsing system that people have been using to priv-esc, which, you know, like if you're a logging system you would hope that handling log data and handling the data in a safe way would be a pretty kind of core thing, core requirement, but maybe I'm just crazy. Well, it's not like they're doing this anywhere important, like in a, you know,
Starting point is 00:29:47 kernel driver. Yes, up and up in very, very privileged context. So they are doing it in a kernel driver, for anyone listening who didn't understand that joke. The whole thing is kind of messy. And like, I know not everything can be as simple as like Unix syslog. And I understand why the Windows logging subsystem is a little bit crazier, but it's a log system. Well, thankfully, thankfully Microsoft has written a pretty decent write-up on this bug, and it's not like, it's not like single fire,
Starting point is 00:30:20 super easy to exploit. I mean, you got to give the ransomware people credit for researching this one and actually finding it. Yeah, yeah, I mean, this is legit good work all around. Like I appreciate Microsoft actually doing a decent write-up, like the regular advisory as usual has essentially nothing, it was like one line that describes the bug, but they have written up kind of a blog post, the threat intel, Microsoft Threat Intelligence team have. Yeah, what's the actual process for exploiting this?
Starting point is 00:30:45 It's not like you could just get an application to write to the logging system and get a shell. Yeah, this is not like Log4Shell or something. It's not that kind of level of just log a bad string. Like this is a more nuanced memory corruption that you would use for privilege escalation. Like a Windows log-to-shell, Log4Shell, that would be a wonderful thing.
Starting point is 00:31:03 Unfortunately, this is not it, but maybe one day we'll see one. That would be fun. Well, you'd hope not, right? Like you'd hope not. I mean, do you? You live in hope. I know, I do.
Starting point is 00:31:13 I'm a bad person, Pat. I must confess. I'm in a little, just a little. You have some redeeming qualities, it's fine. Now we're gonna talk about a bug that we've already mentioned on the show, which is CVE-2025-22457. And yeah, it's been a bug heavy, bug heavy show this week,
Starting point is 00:31:36 but there's a really funny write-up from watchTowr Labs about this bug. So this is the Ivanti, what's the, Ivanti Connect Secure, which I think was Pulse Secure before being acquired by Ivanti. I don't even, I can't even keep, keep track. But this was like the straight, like buffer overflow, like stack overflow bug. And it's interesting. It's got an interesting history though, because like the other bug you were talking about a couple of items ago, I don't think anyone was exploiting this until they patched it and someone diffed the patch, found the bug, and then, hoo boy, it just started going everywhere. But they, you know, Ivanti talked about this being very sophisticated, and that's why watchTowr Labs have written up, their headline of their write-up of this bug is, is the sophistication in the room with us? This bug was good.
Starting point is 00:32:20 So this is a stack buffer overflow in parsing the X-Forwarded-For header, which is an HTTP header that you use to record when requests are going through proxies. And they have a thing that parses the IP addresses, the numbers out of that X-Forwarded-For header. Now, originally when Ivanti found and fixed this bug, they put out a security update that said this was very unlikely to be exploited.
Starting point is 00:32:47 And part of the rationale for that was filtering in the parsing meant that you only had zero through nine and dot, so valid IPv4 characters, and that they did not think anyone was going to be able to exploit it with that. So they rated it quite lowly, gave it a low rating, shipped the thing, and then yeah, somebody figured it out, presumably reversed the patch, or they had it in the wild, and found some way to exploit it. And we haven't seen, I have not yet seen an example of what
Starting point is 00:33:15 that exploit looks like, but everyone agrees that this is being exploited in the wild, and some attackers figured out how to, you know, turn this into an actual usable bug primitive despite those restrictions. So that's always a great time. And now Ivanti have to admit that actually this is a straight up pre-auth remote code exec. So maybe not so much of the very low, very low impact variety that they originally reported it as. So that's great fun. I'm looking forward to someone catching the exploit string and reversing it and figuring out how this bug actually worked.
Starting point is 00:33:51 I had a quick look in GreyNoise to see if they'd caught it in the honeypots yet or anything. Not yet, so I'm hanging out. If any listeners have seen an exploit for this on the wire, I would certainly be keen to have a chuckle. Now we are gonna end this week's show, Adam, with something funny that happened to me, which is I was recently targeted by a crypto scammer, right? And it was interesting because this person was obviously English, right? So English accent. They first called me a couple
Starting point is 00:34:18 weeks ago. I think I'd had a, like, a bit of a barbecue slash party at my place. And I was like packing up. It was the evening, they actually rang me and asked for one of my colleagues, and I'm like, okay, that's weird. But just by the tone of voice, just by them being a little bit pushy, I kind of had, I just got a scammy sense. And of course, after a full day of, you know, celebrating, um, you know, I wasn't totally locked in on, on this call, and anyway, I think I just hung up on them. They did call me back though. And it was a two-stage scam thing.
Starting point is 00:34:48 So there's a crypto exchange here in Australia called CoinSpot. And they did have an incident that leaked a bunch of data a few years ago. One of my colleagues, one of our colleagues had an account there. But for some reason, they matched like that account with my phone number.
Starting point is 00:35:03 So I'm guessing they were pulling together different data sources and because we work at the same place, somehow my number wound up connected to this colleague's account. So the first call, they ring up and the pretext is, your CoinSpot account has been breached or whatever and there's all this money gonna start flying out of it and whatever, so we're just gonna send you an SMS where you can enroll in multi-factor authentication.
Starting point is 00:35:28 Of course, I was already lying saying, oh, not my CoinSpot account, you know, that sort of thing, to string this guy along. And then they say, oh, we're going to send you out. We're going to send you an SMS message. It'll have everything in there that you need. So I thought, okay, yep, no, I'll see you later. Bye. SMS never comes. Then they ring back for a follow-through call and they're like, oh, we've detected that your mobile phone has malware on it. Do you know what malware is? And I'm like, yeah, I've heard of it, you know,
Starting point is 00:35:51 sort of thing. And meanwhile, I'm in my studio, so I'm recording the guy and I just want to see where the scam's going. And eventually, of course, he spells out a URL. It was like, you know, 773256-coinspot.com or whatever. So it's gonna take me to a phishing site. So I enter it in, I'm not really worried that they're gonna have malware for, you know,
Starting point is 00:36:11 fully patched Chrome that's gonna do me, like this is clearly a cred phish, right? So I type in the URL and unfortunately, it doesn't actually bring up a page because their phishing page had already been squashed. And that's when I decided to tell the guy that I was gonna make him famous. So here's a clip of that audio now. No, nothing's loading, so I'm gonna stop you and just tell you something funny, which is my, my job is I'm the
Starting point is 00:36:39 host of one of the world's most popular cyber security podcasts. Is it? Yeah. So I've been recording you the whole time. Looks like this domain's already been flagged. So that's why it's not loading, which is pretty quick. Yes. There's no, uh, so the podcast is called risky business. Yeah.
Starting point is 00:37:04 And you probably got about two viewers. Is that correct? No, actually. Probably about 23,000 a week. And what's it called? It's called Risky Business. Risky Business. Is that a podcast?
Starting point is 00:37:21 It's a podcast. So we do cover crypto theft, these sort of scams as well. It's unusual to hear a perfect English accent with someone doing one of them. I'm just lucky. Last time you called me, I wasn't in my studio. Oh, what a shame. I mean, just hilarious. I think my favourite part of that is that he's like, doesn't believe me, trash talks my podcast, says it has two viewers, and then when I tell him it's got like 23,000, which
Starting point is 00:37:50 is about the number of downloads that a Risky Business weekly episode gets in its first week, you know, he's like, and what's it called? Like that's the first time you hear him start to be a little bit nervous. That was most enjoyable. But there you go. I mean, some of these scammers now, I mean, they do not sound like they're coming from a contact center in Burma, I guess is why I wanted to play that for people. Yeah. Yeah. I mean, that was a pretty good, pretty believable sounding English accent. So I mean, well, I mean, it's an authentic accent, clearly.
Starting point is 00:38:22 Yeah, it sounded, yeah, certainly sounded it. So, yeah, it was just that little pause. You know, you could just see him kind of Googling and going, oh, well, it's time for the hang up button. Yes, exactly. It stays on the line a few seconds and you can hear the wheels spinning. I think the only time he sounds nervous is like, and what's it called? Just too good. But mate, we are going to wrap it up there. That's actually it for this week's show.
Starting point is 00:38:49 Thanks a lot for joining me as always, and we'll do it all again next week. Yeah, thanks, Pat. I'll talk to you then. That was Adam Boileau there with a look at the week's security news. It is time for this week's sponsor interview now, and this week's show is brought to you by Yubico, which makes the YubiKey. We use them here at risky.biz.
Starting point is 00:39:11 They are a phishing resistant, you know, authentication hardware token. They're fantastic, and I think everybody should have one. And we're gonna be chatting with Derek Hanson, who is the Vice President of Solutions Architecture and Alliances at Yubico, and we spoke to him about passkeys. You know, you would have heard Adam and I talking about how passkeys, the user experience, can be a little bit confusing, and, you know, Derek joined me to talk a little bit about
Starting point is 00:39:39 that and also about how this sync fabric, like where the pass, YubiKeys, sorry, not where the YubiKeys, where the passkeys actually live. Are they in secure elements? Are they just in your keychain? Like how are they synced and whatever? And how that, that sort of control has been taken away from users a little bit. He makes some really good points in this interview. So I'll drop you in here now where he's sort of explaining the scope of the, of the passkey problem, I guess. Here's Derek Hanson. Ultimately what people know and what is reality, unfortunately, are not necessarily aligned right now because the way the FIDO ecosystem has developed,
Starting point is 00:40:14 we've changed the rules a couple of times. When you used to create a passkey, it lived on your device and it was bound to that device. But now in this new world where you have synchronized passkeys, you're creating a passkey that is actually anchored more to a key chain that is synchronized with your account and your profile. Most passkeys by default right now are getting created and stored in a password manager, whether it's the iCloud keychain in the password solution there
Starting point is 00:40:47 or it's a third party password manager. Google and Apple are promoting a user experience for consumers that are saying, hey, we need you to store your pass keys in our password manager so that you can find them and we can synchronize them with you. And the problem is the users are really struggling to understand both the technical and the non-technical users, where did that key go?
Starting point is 00:41:14 Where can I access it from? And how do I sign in? Because that user experience is very focused on a single ecosystem. Yeah, ease of use transportability. But you know, you're right. The rules have changed because I was very excited about pass keys.
Starting point is 00:41:31 Like I have a reasonable degree of trust in my iPhone and the secure elements, secure enclave, whatever you want to call it. Probably some crypto person is gonna write me an email talking about the differences between those two things in a 2000 word screen. But anyway, yeah, I mean, my expectation was that that key wouldn't leave that device. And even based on what you've just said, I'm not even sure if that is synchronizing. Like that control seems to have been taken out of the user's
Starting point is 00:42:01 hands, right? Yeah, the user has a lot less visibility as to what choice they're making. And I think that is, you know, from a Yubico perspective, and this is gonna sound vendorish, but the reality is we believe users should always have choices as to what they're doing with their keys. And so, you know, if you wanna create one on a security key,
Starting point is 00:42:22 you should be able to plug a YubiKey in and create it. That experience should be very low friction as well. And I think what we've gotten into a place is that users are creating keys. And I see this actually quite a bit in the passkey subreddit, or you see it with just social interactions with people that find out you're working on passkeys and all of a sudden they've got their latest thing that, you know, I registered a key here, but it doesn't work there, because they don't realize that, you know, the Apple, the Google, the Microsoft ecosystems may not play the way that they think they should.
Starting point is 00:42:56 We've got a, we've got a state where users are responsible for managing their pass keys right now. And there is a lot of effort going on to make that ecosystem easier for users, but we've got to quickly make some changes so that we don't start to lose credibility with users in being able to protect the credentials that they're enrolling. Just because if a password ever becomes easier,
Starting point is 00:43:21 even if it's a bad security habit, we've lost the war. And so we need to make sure that that passkey is the best user experience, the most secure and the simplest to use, and that the users are placing trust in something that's very real for them that they understand. My concern with these portable pass keys is the malware risk. The whole reason I liked the idea of pass keys on a phone using a secure element and whatever is because they're getting stashed. That key material is stashed where if there were malware to wind up on my device, that malware cannot get that key.
Starting point is 00:44:01 It cannot be extracted. Now when that thing is synchronizing somehow across to my Mac OS box, malware on that Mac OS box could theoretically take control of that keymat, right? That's my issue here. And I don't think people quite realize what a big difference that is when you start exposing keymat to the OS.
Starting point is 00:44:24 Well, it is a big difference. And I will say, you know, because I'm not here to disparage the work that they've done to protect those synchronizing mechanisms because they've done a lot of work to protect them. But the thing that unlocks all of those synchronizing mechanisms becomes your user account that is used as these keys migrate from system to system. And so if you've got your keys that you're trusting that are synced on one device and can now sync down to another transparently to you as a user,
Starting point is 00:44:55 that's all secured by however you log into your account. So if your Apple account you've only protected with, you know, very basic, um, authentication mechanisms that now becomes the attack vector to get all of your synchronized keys to your point. I will say though, Apple has, has done more than any other major company has done an incredible job of protecting iCloud accounts at scale. Like it is really amazing. The sort of work they've done in the background to make sure
Starting point is 00:45:26 that if something funny is going on, they'll just lock that account for 30 days, right? Like it's amazing. And I can imagine too, like I've got like a modern Mac now, just recently upgraded from an Intel, like Xeon, you know, iMac Pro sort of thing, which didn't have like these sort of, you know, secure co-processors kind of thing.
Starting point is 00:45:43 I'm now on Apple Silicon. So I'd imagine that like in their sync fabric, they should be able to do some crypto magic to zap a passkey from my phone into a secure element in that computer. But that's, you know, I'm pure Apple ecosystem, right? And I trust that they're working on the engineering solutions around that right now.
Starting point is 00:46:01 They may or may not be there already. But then I'm also a Chrome user and other people use Windows, and then the Windows, like Windows runs on a really fragmented hardware ecosystem. And I can't imagine that most passkeys that are going to be created are going to have Apple's team of, you know, incredibly brainy, you know, incredible brainiac engineers working out how to solve this problem, because it can't really be approached in the same way. So yeah, this whole idea of like syncable passkeys, I think it's a matter of time before we see sort of perhaps keymat being obtained by malware, mostly, most likely in the, in the Windows ecosystem.
Starting point is 00:46:37 Yeah, we work very closely with a lot of these, the organizations you just talked about, and all of them have brilliant people working on these problems, but it's the cross ecosystem challenges that are gonna create user experience issues. And as we try to make user experience better, that's where I think we're going to potentially run into scenarios where synchronized pass keys, those ones that are copied from device to device,
Starting point is 00:47:03 are gonna be trusted at a different level from the ones that are created in a device that never leave a device. And so I think you'll even see that in some of the guidance that like US NIST has put out around synchronized pass keys, where the idea of pass keys is, yeah, you'll prevent phishing, but now the entire conversation gets focused on what are you doing to manage that private key material? Yeah. If it's copying-
Starting point is 00:47:33 I mean, here's the thing, right? I trust the secure processor on my iPhone more than I trust Windows DPAPI, right? That's really what it comes down to. Exactly. I think organizations need to be able to make that trust decision. And that is to me, that is the big thing that's going on right now is how do I get the right signal to make a trust decision on exactly that?
Starting point is 00:47:54 Maybe that's how you feel about it. And somebody else feels differently. We need to be able to allow organizations to throw the levers of how their systems work based on where those private keys live. And that is, that's the crux of the issue. If you replace a shared secret with a private key, everything comes down to where does that private key live and the controls around accessing it. Yeah.
Starting point is 00:48:18 I mean, look, we should point out too, that we're not taking a dump on passkeys, because passkeys are leading us to a better place. I mean, Adam, while I have some concerns around the user experience and whatnot, but you know, it's a good thing. I also can't imagine that it's bad for Yubico, right? Because even though it's like technically a competing sort of technology or a competing approach to solving the same problem, I'm guessing that with like a lot of enterprises looking at passkeys, because there's this
Starting point is 00:48:45 passkey revolution right now, they might start looking at that for internal auth, or start thinking about getting rid of usernames, password-based auth, and code generator auth and whatnot. So they might be looking at that and then saying, oh, maybe we want to go with a hardware key instead, just so we don't have to deal with some of these issues. Is that kind of the experience right now for Yubico as a company? Like is all of this actually working out well for you? I actually think, you know,
Starting point is 00:49:11 to go back to that foundational point, I actually am not intending to just shred what's going on in the synchronized passkey world. Cause I think it's addressing an availability thing that is a very big concern in a lot of environments. I wanna make sure my passkeys are always available. But to the organizations that are looking at, I need to modernize my MFA.
Starting point is 00:49:34 I've got a lot of legacy systems that I have not actually pushed into this new phishing resistant world. They are looking at where are those private keys gonna live? And we are talking to a lot of organizations that are very concerned about the threats of phishing. Can I trick you into giving access to my synchronized passkeys? That's a whole nother risk that is starting to be evaluated. When you have a key on a device that
Starting point is 00:50:04 never leaves, whether it was the secure enclave or a YubiKey or somewhere else, there's a security framework that you can build around that because you have assurances about certain properties. And so, yeah, I think we are seeing an adoption of pass keys for the enterprise and a focus on how do I do something bigger than just passwordless.
Starting point is 00:50:26 It's like I can get rid of phishing as a problem for my organization, for all of my users, and they're going to pick and choose whether it is a passkey in an app or it's a passkey on a hardware, and that's gonna come down to the app that they're accessing, the data that they're accessing, and where they're at accessing, the user group right as well, which is like this group of users they're probably okay with a software-based passkey, this group
Starting point is 00:50:51 of users not so much. Correct and I think even well even if it's user-based it's also gonna be how do I get access to that software-based passkey the first time because that is a chicken-and-egg problem. If I get all my pass keys stored somewhere and I go to a new device or I'm trying to register my authenticator for the first time, how do I sign in? And so a lot of our story for enterprises has been that user lifecycle is all about how do I trust a device the first time? How do I enable my pass keys to sync to that device? Moving pass keys around is a new identity security event that we are all going to have to start looking at. Just like registering a device to my account is a security event.
Starting point is 00:51:35 Yeah, so I guess, I mean, my question was, though, has this movement, I guess, to passkeys, which don't necessarily involve using a YubiKey, has that actually resulted in increased interest in hardware keys? I'm guessing from what you've said, yes. Yes, absolutely. Yes. There is a lot of increased interest because people are trying to figure out exactly how do they change their business and where YubiKeys fit in that.
Starting point is 00:52:00 Passkeys are becoming a significant component of people's strategies for zero trust or passwordless or these other initiatives that have been going on for a while in their organizations. All right, Derek Hanson, great to talk to you, man. That was really interesting stuff. A pleasure to meet you and we'll chat again soon. Sounds great. Thank you, Patrick. That was Derek Hanson from Yubico there.
Starting point is 00:52:21 Big thanks to them for that and big thanks to Yubico for being a sponsor of the Risky Business podcast. But that is it for this week's show. I do hope you enjoyed it. We're going to be publishing two podcasts tomorrow, Seriously Risky Business with Tom Uren in the Risky Bulletin podcast feed and also an episode of Wide World of Cyber featuring Alex Stamos and Chris Krebs. But until then, I've been Patrick Gray. Thanks for listening.