Risky Business - Risky Business #787 -- Trump fires NSA director, CISA cuts inbound
Episode Date: April 9, 2025

On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news:
Oracle quietly cops to being hacked, but immediately pivots into pretending it didn't matter
NSA and CyberCom leaders fired for not being MAGA enough
US Treasury had some dusty corners it hadn't found China in yet, looked, found China in them
…which is a great time to discuss slashing CISA's staffing
Ransomware crews and bulletproof hosting providers are getting rekt, and we love it
And Microsoft patches yet another logging 0-day being used in the wild.

This episode is sponsored by Yubico, makers of YubiKey hardware authentication tokens. Yubico's Vice President of Solutions Architecture and Alliances Derek Hanson joins to discuss how the consumer-centric passkey ecosystem has become a real challenge for enterprises. One that Yubico is actually ideally positioned to solve.

Show notes
Oracle privately confirms Cloud breach to customers: Oracle have finally issued a written notification to customers about their cybersecurity incident.
Head of NSA and US Cyber Command reportedly fired | Cybersecurity Dive
Trump fires numerous National Security Council staff - The Washington Post
Trump administration under scrutiny as it puts major round of CISA cuts on the table | Cybersecurity Dive
Hackers Spied on US Bank Regulators' Emails for Over a Year - Bloomberg
This is how Jeffrey Goldberg got added to the Signal chat
Cybercriminals are trying to loot Australian pension accounts in new campaign | The Record from Recorded Future News
$500,000 stolen in Australian super fund data breach | Superannuation | The Guardian
Australian regulator pulls licenses of 95 companies in effort to crack down on investment scams | The Record from Recorded Future News
Everest ransomware group's darknet site offline following defacement | The Record from Recorded Future News
On March 28, 2025, a threat actor leaked internal data from Medialand, a major bulletproof hosting (BPH) provider long linked to Yalishanda (LARVA-34).
There's a ransomware group named DragonForce going around hacking its rivals. After Mamona and BlackLock, the group has now hacked RansomHub
The DragonForce ransomware group hacked two rivals this month
CISA, experts warn of Crush file transfer attacks as ransomware gang makes threats | The Record from Recorded Future News
Kill Security Campaign Targets CrushFTP Servers
National Vulnerability Database | NIST
Microsoft patches zero-day actively exploited in string of ransomware attacks | CyberScoop
Exploitation of CLFS zero-day leads to ransomware activity | Microsoft Security Blog
Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure (CVE-2025-22457)
Transcript
Hey everyone and welcome to another edition of the Risky Business Podcast. My name is
Patrick Gray. We're going to talk about all of the week's cyber security news in just
a moment with our co-host, Mr Adam Boileau. And then it'll be time for this week's sponsor
interview and this week's show is brought to you by Yubico which makes obviously the YubiKey and we are joined by Derek Hanson this week who works at
Yubico and we're going to be talking about all things passkeys right?
Because I mean you would have heard Adam and I talking about how passkeys are
like a little bit confusing to users at the moment and now they've become this
syncable thing that are going into people's keychains instead of into like
secure enclaves on devices.
It's all got a little bit confusing.
We're going to talk to Derek all about that after this week's news, which starts now.
And Adam, last week's show headline was Oracle is lying.
Guess what? Turns out we were right.
Yes, which is probably good given Oracle's, you know, 80% lawyers by volume.
But yes, Oracle, last week we were talking about how Oracle
got their cloud, Oracle Cloud breached.
They have, at the time they were kind of denying it, they've now kind of confirmed that they had a breach.
But don't worry, it wasn't an Oracle Cloud. It was in a thing that looks very like Oracle Cloud, but is totally not because it's old.
No, I mean, what they said is, don't worry, everybody,
because a hacker did access and publish usernames
from two obsolete servers.
So these would be the ones in your cloud
you didn't decommission.
Is that what you're telling us?
But don't worry, because they're obsolete.
I mean, this whole thing has been a shmozzle.
Yes, it has been a total mess.
They, along with claiming that they didn't get breached because those servers were not really in the main cloud, they also said
that the hacker did not expose usable passwords because the passwords that they did get were encrypted and or hashed.
That's my favorite bit. Don't worry everybody, we hashed passwords so it's fine right? And just
for the avoidance of any doubt when we're talking about this, you know you get into an older like
legacy machine there, you're probably going to recover some passwords or certificates that you
could use on current machines because it's not like they're going to rotate through absolutely
everything during a migration and you might also find that the box
you're on has multiple interfaces and is attached to multiple networks and
there's all sorts of opportunities for a real good time once you're on there and
of course we're hearing rumors about you know pretty current data being passed
around I'm hearing this you know these rumors from you know you're seeing them
on social media and hearing them from various CTI folks that this ain't old data.
So I think this story still has a little bit to run,
but just wanted to update everyone that Oracle is privately confirming
that there has been a breach of an obsolete box in the Oracle cloud that
totally is an Oracle cloud.
So I hope that clears up.
Oracle Classic is what they say it is.
It's the classic one, not the current Oracle cloud. It looks nothing like it. It just happens
to have domain names. Sure look like it, but no. It's just, it's a totally different thing.
And we did not just slap a fresh coat of paint on this very old sun, you know, old Solaris
box and totally pretend that it's not part of the cloud. We got some feedback. I can't
remember if it was an email or a YouTube comment or someone who was very upset that you were giving,
that you were making fun of Sun Microsystems.
And I'm like, oh, cause Sun was so good back in the day.
And it's like, yeah, well,
it ain't back in the day anymore, is it?
And I mean, they're not wrong.
Sun was great.
It's just, yeah, it's not 1997 AD anymore.
It's not 19 diggity doo.
Now moving on, other big news that happened over the last week is the Trump administration
has fired Timothy Haugh, depending on who you listen to, for the pronunciation there.
They fired him as head of NSA and also the deputy director of NSA Wendy Noble. So there's
the what's been described to me as the quote-unquote Fox News explanation
which is that the leadership at NSA were reluctant to start targeting Mexican
drug cartels. I'm told that's not true and that really this is just because they
are not MAGA basically. They got moved on for not being MAGA.
Did an interesting interview with Chris Krebs
and Alex Stamos yesterday,
which I hope to publish this week.
That's for the Wide World of Cyber podcast.
Chris is of the opinion that, you know,
this is a leadership reset,
and what they're planning to do is split the role
of NSA director and, you know, Cyber Command,
the head of Cyber Command.
So that's an interesting thought
there. But you know, like it's just more chaos, isn't it? Yeah, like it has just been all over
the place and there's just so much uncertainty about, you know, where, who's going to be running
these organizations. We've seen all the uncertainty around CISA and you know, the whole thing is just
kind of a real mess. And it's hard to judge what's you know how it's all gonna shake out and we just
we just got to ride this you know this roller coaster and see where we end up
which I mean it's not a great place to be especially if you work there. I mean one
of the craziest things about this is apparently Trump did this at the urging
of Laura Loomer who is a, you know, very far right-wing activist. This is the same woman who
sewed a star of David onto her clothes and chained herself to the front door of Twitter
something like a decade ago. So this was apparently her thing and I read her post
about why these people needed to go and it was really the scribblings of a deranged idiot.
Because they were connected to this person who served on the board of the...
You know, it was real Pepe Silvia, you know, string on a cork board sort of stuff, right?
It reminded me of your Atlantic Ocean, Atlantic Magazine, Atlantic...
Yeah.
Whatever it was.
Atlantic Council, yeah.
Atlantic Council, yes.
Like, it's...
Ah, dear, oh dear.
It's just...
It's so dumb.
It's just so dumb.
And I don't know.
I'm sorry, Americans.
I don't know what you're doing.
Well, there's been a couple of names floated
that I'm hearing.
One is Trae Stephens, who's a co-founder of Anduril,
the defense contractor.
We're also hearing that Ezra Cohen,
who's been kicking around in NatSec circles
in the US government for quite a while.
You know, he's another name who's been suggested. They're you know definitely MAGA so we'll just
have to see what happens there. I don't know even what the confirmation process is going to be
is going to look like once they split these roles. It's all you know a little bit confusing but
you know again Project 2025 did outline the splitting of these roles.
And we're seeing a lot of stuff, you know, materialized out of that policy roadmap. So, you know, I just don't understand why they had to let the leadership go.
And you do wonder.
Yeah, you do wonder what the future direction of NSA will look like under very,
you know, hyperpartisan leadership.
Let's just let's just put it like that.
There's also been a clean out at the National Security Council, a bunch of staff let go.
Again, I believe this is at the urging of Laura Loomer.
It's pretty nutty stuff, you know, kind of having someone with, as you say, like deranged,
deranged rantings, deranged ramblings, whatever it was, kind of changing up such important
parts of the leadership structure.
Like it's, yeah, I don't know what, where we're going to head with that. Like it's just nutty.
Yeah, I mean, look, there's plenty of people in the United States who don't feel free to
express their feelings about the government there at the moment, which is a very strange place to
be. I mean, people in industry are scared that if they speak up against a lot of the things that
the administration is doing, that all of a sudden their government contracts will
go away, they might get audited by the IRS, and also have mobs of modern day brown shirts
sicced onto them.
And this is a thing that's happening, believe me, this is a thing that's happening.
People don't feel free to speak.
But I think we can say from the safety of here in Australia that this is not good and is not well
thought through and just things over there just seem to be spinning out a little bit, especially
with all of this trade stuff. But look, staying with intelligence community and cyber security
related cuts and changes, Trump is apparently going to cut something like 1300 jobs at CISA.
There is some reporting that this is going to affect
the threat hunt mission at CISA.
I think that's a poor place to cut, if I'm honest.
People might think NSA does this sort of stuff,
but they only do that on government, on defence networks
and on defence industrial base networks.
They don't do this sort of work for the civilian government that is CISA's remit.
And do you want to lose visibility there?
That doesn't seem great.
Yeah, it really doesn't seem to make much sense.
And the numbers that we've been hearing are going to be like half of CISA's workforce,
right?
I think it's between like a third and a half, somewhere like that.
It's a significant whack.
And then of course there's a bunch of, you know, contractors and people that help them out as well
and it's just really important work that they do and
You know this of all of the points in history to cut
The ability to find adversaries in your environment. It just seems like a poor choice, you know
Yeah, I mean look look, that said,
there's obviously always gonna be places
you can cut from a government agency,
which aren't gonna result in disaster.
I mean, CISA has tried various public-private partnerships
and sharing things and stuff that we've seen
haven't really worked, right?
So obviously there's, and you know,
that's not to cast aspersions on anyone involved
in some of those programs, you know,
some of them just haven't worked.
But you know, if the reporting that I've seen
that this is going to affect threat hunting,
you know, is accurate, that is bad.
And you know, right on cue,
we've got this piece from Bloomberg here,
which says, which is talking about a,
another intrusion at US Treasury,
which apparently happened in 2023, but has just been identified.
This was the, what is it, the silk typhoon or whatever, a Chinese group had got into,
what is it, the office of the Comptroller of the Currency at Treasury and observed the
email, you know, spied on the email of about 100 staff.
Yeah, this is exactly the sort of thing that, you know,
CISA is there to cope with and deal with.
And I don't know that their threat hunting teams
were involved, but it is kind of the sort of thing
you would imagine that they would be.
And this particular campaign,
so we saw the other two intrusions into bits of treasuries,
the, what was it, the CFIUS part and the OFAC,
the sanctions part.
It does seem like this
is probably the same bit of China's capacity being doing this.
And this one may have predated some of those based on a timeline that we've seen.
So either way, it kind of seems like if China is interested in being in there, that the
US ought to be interested in keeping them out.
Well, yeah, that's how it normally works.
But anyway.
We are not in normal times anymore.
We are not, we are not.
We got a little bit of follow-up reporting on Signalgate here too.
We're not going to talk about this for very long but it's just so funny.
The mystery as to how Jeffrey Goldberg, who is the editor-in-chief or whatever
his title is at the Atlantic, how he wound up in that Signal group,
The Guardian thinks they've figured it out and it is absolutely as hilarious as
you would think it would be.
I mean, the assumption was that someone just added the wrong Jeff, right?
And Goldberg was in one of these people's, you know, address books.
Turns out that's not actually how it happened.
And the real way is just, it's so much funnier.
So apparently Goldberg had at some point emailed the Trump admin to ask for comment about some
particular story.
That request got forwarded around by some staffers and eventually ended up in Mike Waltz's
chat by virtue of a block of text being copy pasted out of Goldberg's email into a text
message or something.
It sounds like it's the, you know when you send messages around with iMessage
and sometimes it'll be like, hey, do you want to update the contact
because it's got a new picture or a new whatever else?
It seems like maybe he got trapped by that
because they copy pasted the signature block
and then it was like, do you want to update it?
And he just smashed yes, presumably.
And it ended up putting Goldberg's phone number into the address book entry for this
You know kind of other staffer that had forwarded the message
Which I mean I couldn't kind of imagine falling for that like it's not
But again, let's let's just go back to our let's just go back to our mantra on this
Which is that this is why you don't use civilian systems for these sorts of things.
Because things like this happening, you know, a little bit too easy and you just don't want, you know,
you don't you can't accidentally add someone to a conversation in a skiff who's not, you know, also
in a skiff.
Yeah, exactly. Ultimately, this is convenience for civilian use, right?
This is not for war plan group chat.
No, no.
I go and have a steak once a week with everybody,
my mates around here,
just to keep my iron levels healthy
and get out of the house.
You know, everyone's changing their group chat names.
I think ours is Houthi PC steak chat now, steak group.
So yeah, lots of fun.
Anyway, moving on, because we've all talked about
Signalgate to death.
Big news in Australia, like this was such a big story here,
which is that some scammers were targeting
our superannuation funds, right?
So for Americans, like our superannuation
are like a cross between a 401k and social security.
So employers pay into essentially like a mandatory 401k and we call it superannuation.
It's a pension fund.
So everybody has one, right?
Everybody has an account and someone that looks like they were just using like stolen
creds from various, you know, data breaches and whatever to, you know, do mass logons
and whatnot into these super funds
and try to get money out.
Now, I think the saving grace is here.
It looks like maybe half a million went missing,
which is why I'm surprised it turned into such a big story
because it was everywhere.
And I think it's because everybody has one,
all of a sudden everybody's worried about their money.
And you know, that's what made it such a big news story.
But I think the saving grace here is that
really until you turn 60 and you're actually drawing this money out like there's not really a lot you
can do in most super accounts when you log into them like you can have a look at a couple
of statements and whatever but if you want to do something like transfer to another fund
like with most of them it's like you know you're going to need to fill in a form and
that form needs to be processed and whatever And it's like a pretty clunky administrative process.
But that said, you know, I don't expect that it's always going to be that way. And these funds operate on paper thin margins, right? Because it's a very competitive space. And you sometimes,
you know, sometimes it's good to for something like this to happen, so that regulators can
really take a look at what their security controls are like and if they need to be adjusted regulation-wise.
Yeah, it did seem, I was kind of surprised at the numbers being so low as well
given how much coverage and traction it was getting.
Because we saw some numbers that said something like 20,000 accounts were targeted.
There's like a bunch of different providers for this kind of superannuation
scheme and so we got different degrees of information from different providers. So like
one provider, Australian Super said 600 accounts were compromised through stolen passwords,
but we've seen numbers that are more like 20,000. But as you say, the fact that we only saw half a million dollars actually managed to be moved out
suggests that there isn't a great path to rapidly monetizing this because as you said,
of the friction involved in doing something with this money, but it does seem like the
superannuation industry in Australia, you know, we've seen some industry bodies and staff come out and say hey,
remind all their members to member companies to kind of improve
the quality of the controls.
So I think maybe this is a pretty good wake up call
and hopefully the four or five people or whatever
that has actual significant money taken
will get reimbursed by the funds
or will they find some way to claw it back.
But yeah, it's just a good reminder
because a service that you don't use very often or access very frequently
plus potentially an older user base are a pretty ripe target.
Yeah, I mean, just to put things into context here, you know, the total amount of funds in Australian superannuation schemes is 4.2 trillion Australian dollars,
which is what I don't know about 2.5 trillion US dollars, right? It is a lot of money.
It is an incredible target.
Everybody's got one.
And I think that's probably why this made such big news.
And also we saw a similar story, I guess, here from this one's covered by James Reddick
at the record, which is that the Australian corporate regulator has deregistered 95 companies
that were spun up by the looks of things to make
various scams like pig butchering scams look legit.
So it sort of concerns me when we're starting to see sort of organized crime attempts to start
playing around with our financial system a little bit.
We've seen it happen to the IRS, we see this sort of stuff in other countries,
and I just hope this isn't the start of something here,
you know. Yeah, well I mean hopefully the Australian government's, you know, kind of
moved towards a little hound release on occasion just to remind people Australia
is not such a soft and easy target. Maybe there's some deterrent factor in
that, I don't know. When Anthony Albanese, our Prime Minister, was asked about this
he said he'd been informed about the attack and said, we will respond in time.
We're considering what had occurred, but bear in mind the context here.
This is a cyber attack in Australia about every six minutes.
This is a regular issue.
We have beefed up funding for the Australian Signals Directorate.
We will have a considered response to it.
But the agencies, of course, will work very strongly on it.
So, you know, there you have an example of the leader of a country saying well you know we're
going to kick this to ASD and figure out what they want to do right, which is just
you know this is such a positive development in policy in the last
sort of five years right, because this was unthinkable ten years ago that
ASD or NSA or you know Cyber Command or GCHQ or GCSB,
that any, and the Canadian one, that's always my joke, the Canadian one that I
always forget. Um, yeah. So the idea that, um, they would be sort of emboldened to,
you know, uh, empowered, I'm sorry, to, uh, uh, do anything about cyber crime.
Like that was unthinkable 10 years ago. And now, yeah, the prime minister comes
out first thing they say as well. I guess we'll respond to this with ASD.
Yeah. I mean, and I guess that's a
You know, what other options have you got? Because we tried a bunch of our stuff. We tried multilateral, you know
kind of law enforcement
We tried all sorts of international consensus and norms and whatever else and where did that get us? Not particularly far
But they're having a lot of fun with the RMRF shark
As we've discovered through various bits of reporting now speaking of fun with the RMRF shark
Now speaking of drama in the criminal underground
Man, there's a series of stories this week. Like all hell is breaking loose among ransomware crews. There's this group called What are they called dark something?
What are they called? Yeah, DragonForce. DragonForce
have
owned and defaced like RansomHub, Mamona and BlackLock.
Now we're seeing the Everest Ransomware Group's Darknet site is offline and has been defaced.
Alexander Martin has that report.
We've also seen, and we're not sure, I'm not entirely sure if that's DragonForce as well.
And then we've seen the threat actor behind the Black Basta leaks take down MediaLand, which is a major
bulletproof hosting provider, and they have just laid out
all of that data.
So there's all the customer records, all of the data they
were hosting, just bang, dump it on the internet.
The CTI people I know, they're wetting their little pants over
this because it is the most exciting data drop they've had in ages and they you know I mean they spend a lot of time
just figuring out who's who and this is a gold mine so I mean obviously it looks
like some of this is you know red on red but you've got to wonder about some of it
too like I don't know what's happening here I don't have any information to
suggest that there's any intelligence action here, but
I really hope there is, especially on the bulletproof host.
Yeah, because we did see that Australian government takedown of another bulletproof hosting provider
in Siberia, wherever it was.
We covered that a few weeks ago.
And just dumping all of the business records
and who's paying for what with what cryptocurrency,
with what other payment mechanisms,
that's all super useful data for clustering together
some of these actors and their activity.
And then also correlating bulletproof hosted services
with who was paying for them, how they're being used,
all those, it's just a wonderful goldmine.
I'm very sure that all the people are super excited about it.
And, you know, even if it is just in fighting,
like normal kind of organic infighting as opposed to being provoked or whatever else.
Like, we love to see it.
Yeah.
The the Everest Ransomware Group one that you mentioned. So that one wasn't DragonForce,
but the people who defaced their site, defaced it with, don't do crime, crime is bad,
hugs and kisses from Prague. Oh, there was a conference happening at the same time,
wasn't there? There was a security event happening at the same time.
I think. Maybe there was, yeah. It's kind of hard to keep track of because all this is also dark websites
and understanding the authenticity of these things requires a whole bunch of other,
am I looking at the real one? Was this the one last week? Is it the same one? Is it like,
yeah, this is why threat intel people are such know, are such a crazy bunch when you have
to go out and have a beer with them and they're all like, you know, crazy-eyed and this is
their life, tracking all this kind of underground madness.
But it just feels like IRC scene wars from the 90s, which I know is an analogy we've
used a lot of times.
And you know, we just love to see it like chaos in these communities is just good.
Yeah. Now I'm not exactly sure precisely what data like what hosted data.
I think I saw I saw some reporting somewhere that hosted data was also exposed,
but I'm not sure how that was exposed.
I know there was a telegram channel and according to this, you know, post on X,
I'm looking at the leak was published exposing media land back end system.
So maybe that's how people were able to access data
that was being hosted by their customers. So you would think if it is exposing things
like data stolen from companies around the world, you know, exposing that sort
of information I don't think is something that an intelligence agency, you
know, Western Intelligence Agency or a Five Eyes agency would do. So, you know,
your options here are it's a CTI person just going rogue and having a good time.
Hats off to you, sir.
Yes, exactly.
It's crime on crime.
Or possibly it's some operator in a government building with no windows.
Or second order effects from any of those things like law enforcement or Intel jumping
creds and then somebody else jumping on and, you know,
kind of pulling the thread and turning it into a bigger thing.
Like there's just so many ways this can go down and they're all ultimately all bad
for the undergoing crime groups.
So, yeah, I'm here for it.
Yeah, it's fun.
Now, look, last week we actually cut this from the run sheet, which is, uh, there
was reports of exploitation in a
piece of software called CrushFTP. And you know, CrushFTP has been around since what?
The Jurassic era. And you just sort of think, well, who cares? But it turns out that CrushFTP
has sort of evolved. Like what was the other one? I can't even remember. There was
another one with FTP in the name that was an old FTP, which is now like a fully fledged file
transfer appliance. And now CISA is warning about this because apparently people do use this
CrushFTP file transfer appliance or file transfer software.
I had a look at their website.
They support a zillion different protocols, right?
You can do like SMB over this thing, which is like, Oh, great.
You know?
Um, so yeah, it looks, this one looks pretty bad.
We've also had a group actually claim credit for this,
and it looks like they're doing the same sort of thing
that happens with all of these file transfer
server campaigns, which is they grab the data
and then ransom it.
This one's been claimed by a group called Kill Security.
Yeah, this one has been quite funny
because of some disclosure drama as well.
So the bug in CrushFTP was actually, which is like a race condition in the auth process
where basically they have pluggable auth where you can use your Amazon session tokens or
whatever to auth into this thing for easy integration.
And it was basically a race where you could show up and say, hi, my username is admin and I'm totally going to authenticate you to you with
this Amazon method. And by the way, sorry, I didn't provide you with that.
Can you just log me in anyway? That's the kind of gist of the bug.
A research firm, Outpost24, found the bug, reported it to CrushFTP.
CrushFTP asked for like 90 day, you know, kind of pause on disclosure,
public disclosure, so they could patch it, notify the customers or whatever.
They released a patch without a CVE.
So it was allocated a CVE early on, but they kept it quiet because they were trying to,
you know, keep the bug quiet for a bit.
Somebody reversed the patch, figured out the bug, started exploiting it.
Somebody else then applied for another different CVE because they had seen it in the wild and or reversed it off the patch or
whatever it was and then there was lots of angry back and forth about that and it's now turned into
a bug that has two different CVE identifiers and is being you know used in the wild and everyone's
kind of you know a bit confused and upset, I think.
So yeah, a little bit of good old fashioned disclosure drama.
Yeah, we love to see it actually, if we're completely honest.
Now look, speaking of CVEs, this is something we've talked about a few times
over the last year or so, which is the National Vulnerability Database,
maintained by NIST.
It's been an absolute clown show over there.
They fell behind on enriching the data.
It got so bad that they had to pause it.
Then I think new funding was allocated and they're trying to catch up with this new contractor
and they've basically just given up.
They're saying anything, any bug that dates back to before the 1st of January 2018, they're just
not going to enrich it.
Because they've just realized like they're not going to catch up.
So I mean, yay.
I don't know what to even say about that.
And you know, this is an important database.
Like it's just, oh.
It is.
It's such a, you know, it may seem like a simple thing having consistent naming.
But for those of us that remember what this was like
before CVE numbers existed,
like back when it was just random posts on full disclosure
and random posts on Bugtraq,
and everybody had their own little tracking numbers
and names and whatever else,
like having a taxonomy for this actually was really useful.
And it's kind of, you know,
it's a pity how much of a mess it's turned into.
And, you know, honestly, I'm amazed that NIST still exists at all, given, you know,
the amount of government efficiency going on.
So, you know, I guess the fact that they're still here putting out announcements
about giving up on enriching their bugs, I guess means there's still some people there.
So that's good news, everybody.
We'll take the win.
It is funny, you just like gave me flashbacks to Bugtraq and Full-Disclosure,
and it was funny, right, because Full-Disclosure was basically unmoderated. These were email lists, for
people who aren't old like us. Bugtraq was pretty, like, controlled and, like, low volume, and you would
get, you know, details of bugs flowing through pretty regularly. Full-Disc was interesting because
it was like trolls pretending they had 0day and just like doing these really
elaborate posts that would like take you a while to figure out
were wrong.
And, you know, posting PoCs, which would just
rm -rf people's boxes.
Backdoored.
Exactly, backdoored PoCs.
And it was fun, right?
Like Full Disc was fun.
But it got like, it just got crazy after a while
and then just sort of went away because, yeah.
If only we had something that was in the middle.
Yeah, something with just enough, you know, drama and trolling to be fun, but
not so much that it's completely useless. Exactly, like just the middle ground.
Exactly, that's what we want. Now, Microsoft has patched a 0day that's
being used by ransomware crews.
And look, okay, it's a privesc,
but it's in the Common Log File System guts of Windows.
And it is such a cool bug.
They have just patched it.
Adam, walk us through it.
Yes, so they patched this bug,
which I would like to note was one of 126 bugs
they patched this Patch Tuesday,
where this one is being exploited in the wild. The Common Log File System plumbing has had
so many bugs in it over the last, I don't know, I want to say like two or three years.
It just seems like every Patch Tuesday has featured a bug in this thing. Anyway, this
is a use-after-free memory corruption bug in this log
parsing system that people have been using to privesc, which, you know, like,
if you're a logging system you would hope that handling log data and handling
the data in a safe way would be a pretty kind of core thing, core requirement, but
maybe I'm just crazy. Well, it's not like they're doing this anywhere important, like in a, you know,
kernel driver.
Yes, up and up in very, very privileged context.
So they are doing it in a kernel driver, for anyone listening who didn't understand that joke.
The whole thing is kind of messy.
And like, I know not everything can be as simple as like Unix syslog.
And I understand why the Windows logging subsystem is a little bit crazier, but
it's a log system.
Well, thankfully, thankfully Microsoft has written a pretty decent write-up on this bug, and it's not like it's single-fire,
super easy to exploit. I mean, you've got to give the ransomware people credit for researching this one and actually finding it.
Yeah, yeah, I mean, this is legit good work all around.
Like I appreciate Microsoft actually doing a decent write-up,
like the regular advisory as usual has essentially
nothing, it was like a one-liner that describes the bug,
but they have written up kind of a blog post,
the threat intel, Microsoft Threat Intelligence team have.
Yeah, what's the actual process for exploiting this?
It's not like you could just get an application
to write to the logging system and get a shell.
Yeah, this is not like Log4Shell or something.
It's not that kind of level of just log a bad string.
Like this is a more nuanced memory corruption
that you would use for privilege escalation.
Like a Windows log-to-shell, Log4Shell,
that would be a wonderful thing.
Unfortunately, this is not it,
but maybe one day we'll see one.
That would be fun.
Well, you'd hope not, right?
Like you'd hope not.
I mean, do you?
You live in hope.
I know, I do.
I'm a bad person, Pat.
I must confess.
I'm in a little, just a little.
You have some redeeming qualities, it's fine.
Now we're gonna talk about a bug
that we've already mentioned on the show
which is CVE-2025-22457.
And yeah, it's been a bug-heavy show this week,
but there's a really funny write-up from watchTowr Labs about this bug. So this is the Ivanti,
what's it, the Ivanti Connect Secure, which I think was Pulse Secure before being acquired by Ivanti. I can't even keep track.
But this was like the straight-up, like, buffer overflow, like stack overflow bug.
And it's interesting. It's got an interesting history though, because like the other bug you were talking about a couple of items ago,
I don't think anyone was exploiting this until they patched it and someone diffed the patch, found the bug, and then, hoo boy, it just started going everywhere. But they, you know, Ivanti talked about this being very sophisticated, and that's why watchTowr
Labs have written up, the headline of their write-up of this bug is, is the sophistication
in the room with us?
This bug was good.
So this is a stack buffer overflow in parsing the X-Forwarded-For
header, which is an HTTP header that you use to record
when requests are going through proxies.
And they have a thing that parses the IP addresses,
the numbers out of that X-Forwarded-For header.
Now, originally when Ivanti found and fixed this bug,
they put out a security update that said,
this was very unlikely to be exploited.
And part of the rationale for that was
filtering in the parsing meant that you only had
zero through nine and dot, so valid IPv4 characters,
and that they did not think anyone was going to be able
to exploit it with that.
So they rated it quite lowly, gave it a low rating, shipped the thing, and then yeah, somebody figured
it out, presumably reversed the patch, or they had it in the wild, and found some
way to exploit it. And we haven't seen, I have not yet seen an example of what
that exploit looks like, but everyone agrees that this is being exploited in
the wild, and some attackers figured out how to, you know, turn this into an
actual usable bug primitive despite those restrictions. So that's always a great time. And now Ivanti
have to admit that actually this is a straight-up pre-auth remote code exec. So maybe not
so much of the very low, very low impact variety that they originally reported it. So that's
great fun. I'm looking forward to someone catching the exploit string
and reversing it and figuring out
how this bug actually worked.
I had a quick look in GreyNoise to see if they'd
caught it in the honeypots yet or anything.
Not yet, so I'm hanging out.
If any listeners have seen an exploit for this on the wire,
I would certainly be keen to have a chuckle.
Now we are gonna end this week's show, Adam, with something funny that happened to me,
which is I was recently targeted by a crypto scammer, right? And it was interesting because
this person was obviously English, right? So, English accent. They first called me a couple of
weeks ago. I think I'd had like a bit of a barbecue slash party at my place. And I was like
packing up, it was the evening,
they actually rang me and asked for one of my colleagues, and I'm like, okay, that's weird, but
just by the tone of voice, just by them being a little bit pushy, I kind of had, I just got a scammy
sense, and of course after a full day of, you know, celebrating, you know, I wasn't totally locked
in on this call, and anyway, I think I just hung up on them.
They did call me back though.
And it was a two-stage scam thing.
So there's a crypto exchange here in Australia
called CoinSpot.
And they did have an incident that leaked a bunch of data
a few years ago.
One of my colleagues, one of our colleagues
had an account there.
But for some reason, they matched like that account
with my phone number.
So I'm guessing they were pulling together
different data sources and because we work
at the same place, somehow my number wound up
connected to this colleague's account.
So the first call, they ring up and the pretext is,
your CoinSpot account has been breached or whatever
and there's all this money gonna start flying out of it
and whatever, so we're just gonna send you an SMS where you can enroll in multi-factor authentication.
Of course, I was already lying, saying, oh, not my CoinSpot account, you know, that sort of thing,
to string this guy along. And then they say, oh, we're going to send you out. We're going to send
you an SMS message. It'll have everything in there that you need. So I thought, okay, yep, no, I see
you later. Bye. SMS never comes. Then they ring back for a follow through call and they're like,
oh, we've detected
that your mobile phone has malware on it.
Do you know what malware is?
And I'm like, yeah, I've heard of it, you know,
sort of thing.
And meanwhile, I'm in my studio, so I'm recording the guy
and I just want to see where the scam's going.
And eventually, of course, he spells out a URL.
It was like, you know, 773256-coinspot.com or whatever.
So it's gonna take me to a phishing site.
So I enter it in, I'm not really worried
that they're gonna have malware for, you know,
fully patched Chrome that's gonna do me,
like this is clearly a cred phish, right?
So I type in the URL and unfortunately,
it doesn't actually bring up a page
because their phishing page had already been squashed.
And that's when I decided to tell the guy that I was gonna make him
famous. So here's a clip of that audio now. No, nothing's loading, so I'm gonna
stop you and just tell you something funny, which is my job is I'm the
host of one of the world's most popular cyber security podcasts. Is it?
Yeah. So I've been recording you the whole time.
Looks like this domain's already been flagged.
So that's why it's not loading, which is pretty quick.
Yes.
There's no, uh,
so the podcast is called risky business.
Yeah.
And you probably got about two viewers.
Is that correct?
No, actually.
Probably about 23,000 a week.
And what's it called?
It's called Risky Business.
Risky Business.
Is that a podcast?
It's a podcast.
So we do cover crypto theft, these sort of scams as well.
It's unusual to hear a perfect English accent with someone doing one of them.
I'm just lucky. Last time you called me, I wasn't in my studio.
Oh, what a shame.
I mean, just hilarious.
I think my favourite part of that is that he's like, doesn't believe me, trash talks
my podcast, says it has two viewers, and then when I tell him it's got like 23,000, which
is about the number of downloads that a Risky Business weekly episode gets in its first
week, you know, he's like, and what's it called?
Like that's the first time you hear him start to be a little bit nervous.
That was most enjoyable.
But there you go. I mean, some of these scammers now, I mean, they do not sound like they're coming
from a contact center in Burma, I guess is why I wanted to play that for people.
Yeah. Yeah. I mean, that was a pretty good, pretty believable sounding English accent.
So I mean, well, I mean, it's an authentic accent, clearly.
Yeah, it sounded, yeah, certainly sounded it. So, yeah, it was just that little pause.
You know, you could just see him kind of Googling and going, oh, well,
it's time for the hang up button.
Yes, exactly.
It stays on the line a few seconds and you can hear the wheels spinning.
I think the only time he sounds nervous is like, and what's it called?
Just too good.
But mate, we are going to wrap it up there. That's actually it for this week's show.
Thanks a lot for joining me as always, and we'll do it all again next week.
Yeah, thanks, Russ Patton.
I'll talk to you then.
That was Adam Boileau there with a look at the week's security news.
It is time for this week's sponsor interview now,
and this week's show is brought to you by Yubico,
which makes the YubiKey.
We use them here at risky.biz.
They are a phishing-resistant,
you know, authentication hardware token.
They're fantastic, and I think everybody should have one.
And we're gonna be chatting with Derek Hanson,
who is the Vice President of Solutions Architecture and
Alliances at Yubico, and we spoke to him about passkeys. You know, you would have
heard Adam and I talking about how passkeys, the user experience, can be a
little bit confusing, and, you know, Derek joined me to talk a little bit about
that and also about how this sync fabric, like where the pass... YubiKeys, sorry, not where the YubiKeys,
where the passkeys actually live. Are they in secure elements? Are they just in your keychain?
Like how are they synced and whatever? And how that sort of control has been taken away from
users a little bit. He makes some really good points in this interview. So I'll drop you in
here now where he's sort of explaining the scope of the passkey problem, I guess. Here's
Derek Hanson. Ultimately what people know and what is reality,
unfortunately, are not necessarily aligned right now
because the way the FIDO ecosystem has developed,
we've changed the rules a couple of times.
When you used to create a passkey,
it lived on your device and it was bound to that device.
But now in this new world where you have synchronized passkeys,
you're creating a passkey that is actually anchored more to a key chain
that is synchronized with your account and your profile.
Most passkeys by default right now are getting created and stored in a password manager,
whether it's the iCloud keychain in the password solution there
or it's a third party password manager.
Google and Apple are promoting a user experience
for consumers that are saying, hey,
we need you to store your passkeys in our password manager
so that you can find them and we can synchronize them with you.
And the problem is the users are really
struggling to understand both the technical
and the non-technical users, where did that key go?
Where can I access it from?
And how do I sign in?
Because that user experience is very focused
on a single ecosystem.
Yeah, ease of use transportability.
But you know, you're right.
The rules have changed because I was very excited
about passkeys.
Like I have a reasonable degree of trust in my iPhone
and the secure elements, secure enclave,
whatever you want to call it.
Probably some crypto person is gonna write me an email
talking about the differences between those two things
in a 2,000-word screed. But anyway, yeah, I mean, my expectation was that
that key wouldn't leave that device. And even based on what you've just said, I'm not even
sure if that is synchronizing. Like that control seems to have been taken out of the user's
hands, right?
Yeah, the user has a lot less visibility
as to what choice they're making.
And I think that is, you know, from a Yubico perspective,
and this is gonna sound vendorish,
but the reality is we believe users should always have
choices to what they're doing with their keys.
And so, you know, if you wanna create one on a security key,
you should be able to plug a YubiKey in and create it.
That experience should be very low friction as well.
And I think what we've gotten into a place is that users are creating keys.
And I see this actually quite a bit in the passkey subreddit, or you see it with just
social interactions with people that find out you're working on passkeys, and all of a
sudden they've got their latest thing that, you know, I registered a key here, but
it doesn't work there, because they don't realize that, you know, the Apple, the Google,
the Microsoft ecosystems may not play the way that they think they should.
We've got a, we've got a state where users are responsible for managing their passkeys
right now.
And there is a lot of effort going on to make that ecosystem easier for users,
but we've got to quickly make some changes
so that we don't start to lose credibility with users
in being able to protect the credentials
that they're enrolling.
Just because if a password ever becomes easier,
even if it's a bad security habit, we've lost the war.
And so we need to make sure that that passkey is the best user experience,
the most secure and the simplest to use, and that the users are placing trust in something
that's very real for them that they understand. My concern with these portable passkeys is the malware risk.
The whole reason I liked the idea of passkeys on a phone using a secure element and
whatever is because they're getting stashed.
That key material is stashed where if there were malware to wind up on my device, that
malware cannot get that key.
It cannot be extracted.
Now when that thing is synchronizing somehow
across to my macOS box, malware on that macOS box
could theoretically take control of that keymat, right?
That's my issue here.
And I don't think people quite realize
what a big difference that is
when you start exposing keymat to the OS.
Well, it is a big difference.
And I will say, you know, because I'm not here to disparage the work that they've done
to protect those synchronizing mechanisms because they've done a lot of work to protect
them.
But the thing that unlocks all of those synchronizing mechanisms becomes your user account that
is used as these keys migrate from system to system.
And so if you've got your keys that you're trusting that are synced on one device
and can now sync down to another transparently to you as a user,
that's all secured by however you log into your account.
So if your Apple account you've only protected with, you know, very basic
authentication mechanisms, that now becomes the attack vector to get all of your
synchronized keys, to your point.
I will say though, Apple has,
has done more than any other major company, has done an incredible job of
protecting iCloud accounts at scale. Like it is really amazing.
The sort of work they've done in the background to make sure
that if something funny is going on,
they'll just lock that account for 30 days, right?
Like it's amazing.
And I can imagine too, like I've got like a modern Mac now,
just recently upgraded from a Intel, like Xeon,
you know, iMac Pro sort of thing,
which didn't have like these sort of, you know,
secure co-processors kind of thing.
I'm now on Apple Silicon.
So I'd imagine that like in their sync fabric,
they should be able to do some crypto magic
to zap a passkey from my phone
into a secure element in that computer.
But that's, you know, I'm pure Apple ecosystem, right?
And I trust that they're working
on the engineering solutions around that right now.
They may or may not be there already.
But then I'm also a Chrome user, and other people use Windows, and then Windows, like, Windows runs on
a really fragmented hardware ecosystem. And I can't imagine that most passkeys that are going
to be created are going to have Apple's team of, you know, incredibly brainy, you know,
incredible brainiac engineers working out how to solve this problem, because it can't
really be approached in the same way. So yeah, this whole idea of like syncable passkeys, I think it's a matter
of time before we see sort of perhaps keymat being obtained by malware, most
likely in the Windows ecosystem.
Yeah, we work very closely with a lot of these, the organizations you just talked about, and
all of them have brilliant people working on these problems,
but it's the cross ecosystem challenges
that are gonna create user experience issues.
And as we try to make user experience better,
that's where I think we're going to potentially
run into scenarios where synchronized passkeys,
those ones that are copied from device to device,
are gonna be trusted
at a different level from the ones that are created in a device that never leave a device.
And so I think you'll even see that in some of the guidance that like US NIST has put
out around synchronized passkeys, where the idea of passkeys is, yeah, you'll prevent
phishing, but now the entire conversation
gets focused on what are you doing to manage that private key material?
Yeah.
If it's copying-
I mean, here's the thing, right?
I trust the secure processor on my iPhone more than I trust Windows DPAPI, right?
That's really what it comes down to.
Exactly.
I think organizations need to be able to make that trust decision.
And that is to me,
that is the big thing that's going on right now is how do I get the right
signal to make a trust decision on exactly that?
Maybe that's how you feel about it. And somebody else feels differently.
We need to be able to allow organizations to throw the levers
of how their systems work based on where those private
keys live.
And that is, that's the crux of the issue.
If you replace a shared secret with a private key, everything comes down to where does that
private key live and the controls around accessing it.
Yeah.
I mean, look, we should point out too, that we're not taking a dump on passkeys because
passkeys are leading us to a better place.
I mean, Adam, while I have some concerns around the user experience and
whatnot, but you know, it's a good thing.
I also can't imagine that it's bad for Yubico, right?
Because even though it's like technically a competing sort of technology or a
competing approach to solving the same problem, I'm guessing that with like a
lot of enterprises looking at passkeys, because there's this
passkey revolution right now, they might start looking at that for internal auth, or
start thinking about getting rid of usernames, password-based auth, and code generator auth
and whatnot.
So they might be looking at that and then saying, oh, maybe we want to go with a hardware
key instead, just so we don't have to deal with some of these issues.
Is that kind of the experience right now for Yubico as a company?
Like is all of this actually working out well for you?
I actually think, you know,
to go back to that foundational point,
I actually am not intending to just shred
what's going on in the synchronized passkey world.
Cause I think it's addressing an availability thing
that is a very big concern in a lot of environments.
I wanna make sure my passkeys are always available.
But to the organizations that are looking at,
I need to modernize my MFA.
I've got a lot of legacy systems
that I have not actually pushed
into this new phishing-resistant world.
They are looking at where are those private keys gonna live?
And we are talking to a lot of organizations that are very concerned about the
threats of phishing. Can I trick you into giving access to my
synchronized passkeys? That's a whole nother risk that is starting to be
evaluated. When you have a key on a device that
never leaves,
whether it was the secure enclave or a YubiKey
or somewhere else, there's a security framework
that you can build around that because you have assurances
about certain properties.
And so, yeah, I think we are seeing an adoption of passkeys
for the enterprise and a focus on how do I do something bigger
than just passwordless.
It's like I can get rid of phishing as a problem
for my organization, for all of my users,
and they're going to pick and choose
whether it is a passkey in an app
or it's a passkey on a hardware,
and that's gonna come down to the app that they're accessing,
the data that they're accessing, and where they're at accessing. The user group, right, as well, which is like this
group of users they're probably okay with a software-based passkey, this group
of users not so much. Correct. And I think even, well, even if it's user-based, it's
also gonna be how do I get access to that software-based passkey the first
time, because that is a chicken-and-egg problem. If I get all my passkeys stored somewhere and I go to a new device or I'm trying to
register my authenticator for the first time, how do I sign in?
And so a lot of our story for enterprises has been that user lifecycle is all about
how do I trust a device the first time?
How do I enable my passkeys to sync to that device?
Moving passkeys around is a new identity security event that we are all going to have to start looking at. Just like registering a device to my account is a security event.
Yeah, so I guess, I mean, my question was, though, has this movement, I guess, to passkeys,
which don't necessarily involve using a YubiKey, has that actually resulted
in increased interest in hardware keys?
I'm guessing from what you've said, yes.
Yes, absolutely.
Yes.
There is a lot of increased interest because people are trying to figure out exactly how
do they change their business and where YubiKey fit in that.
Passkeys are becoming a significant component of people's strategies for zero trust or passwordless
or these other initiatives that have been going on for a while in their organizations.
All right, Derek Hanson, great to talk to you, man.
That was really interesting stuff.
A pleasure to meet you and we'll chat again soon.
Sounds great.
Thank you, Patrick.
That was Derek Hanson from Yubico there.
Big thanks to them for that and big thanks to Yubico for being a sponsor
of the Risky Business podcast. But that is it for this week's show. I do hope you enjoyed
it. We're going to be publishing two podcasts tomorrow, Seriously Risky Business with Tom
Uren in the Risky Bulletin podcast feed and also an episode of Wide World of Cyber featuring
Alex Stamos and Chris Krebs. But until then, I've been Patrick Gray. Thanks for listening.