Risky Business #790 -- Bye bye Signal-gate, hello TeleMessage-gate
Episode Date: May 7, 2025

On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news:
White House's off-brand Israeli Signal fork logs cleartext messages with hard coded creds while getting hacked (twice). Just … Wow.
Ransomware attacks on UK retailers are linked, and Marks & Spencer has it extra bad
After six years dormant, a Magento eCommerce platform backdoor comes to life
The North Korean IT worker scam is truly webscale
NSO group owes Meta $168m for hacking WhatsApp

This week's episode is sponsored by vulnerability management wranglers, Nucleus Security. Aaron Unterberger joins to talk through the complexities of tracking vulnerabilities in cloud components - left to the source, right to the deployments, and … sideways into the sidecars?

This week's show also features an excerpt from Pat's interview with Senator Mark Warner - scoot back one in your podcast feed to check out the full chat, or find it on YouTube. This episode is available on YouTube too.

Show notes
Mike Waltz Accidentally Reveals Obscure App the Government Is Using to Archive Signal Messages
Despite misleading marketing, Israeli company TeleMessage, used by Trump officials, can access plaintext chat logs
The Signal Clone the Trump Admin Uses Was Hacked
App used by Mike Waltz suspends services after hacking claims
Senator Demands Investigation into Trump Admin Signal Clone After 404 Media Investigation
MG on X: "Looks like TeleMessage was probably procured and rolled out under Biden. There are public records for it. https://t.co/XCuZpi8PL3" / X
Harrods becomes latest retailer to announce attempted cyberattack | The Record from Recorded Future News
Co-op DragonForce cyber attack includes customer data, firm admits
Co-op cyber attack: Staff told to keep cameras on in meetings
Hundreds of e-commerce sites hacked in supply-chain attack - Ars Technica
Microsoft's new "passwordless by default" is great but comes at a cost - Ars Technica
Windows RDP lets you log in using revoked passwords. Microsoft is OK with that. - Ars Technica
North Korean operatives have infiltrated hundreds of Fortune 500 companies | CyberScoop
US wants to cut off key player in Southeast Asian cybercrime industry | The Record from Recorded Future News
Myanmar militia leader sanctioned by US over cyber scam connections | The Record from Recorded Future News
Trump proposes major cut to CISA's budget, citing false 'censorship' claims | Cybersecurity Dive
NSA to cut up to 2,000 civilian roles as part of intel community downsizing | The Record from Recorded Future News
NSO Group owes $168M in damages to WhatsApp over spyware infections, jury says | CyberScoop
Transcript
Hey everyone and welcome to Risky Business, my name's Patrick Gray.
This week's show is brought to you by Nucleus Security which makes a vulnerability management
platform and we'll be joined by Nucleus Security's very own Aaron Unterberger in this week's
sponsor interview and we're talking to him about how vulnerability management as a discipline and a
tool set hasn't really kept pace with cloud. Not that cloud's new, but yeah, it's just like things got a little bit weird there
and he'll be joining us to talk through some of the issues involved in trying to apply decent VM practices
to cloud-based tech. That is coming up later. But first up, of course, it is time for a check of the week's security news with our good friend Adam Boileau and
Adam obviously the big story of the week is it turns out Signalgate in which a
bunch of senior Trump administration officials were discussing sensitive
stuff over Signal, turns out Signalgate wasn't actually Signalgate after all. Yes, we have seen reports that they were using a Signal fork
called TM Signal, made by a mobile company called TeleMessage.
And the Internet has gone pretty nuts over the last couple of days,
understanding what that means.
And it turns out not very good things at all.
Yeah, I think you would have to describe it as extremely not great.
And there's irony here, right?
Because what TM Signal allows you to do is to keep records of conversations.
Now, a big feature of us talking about Signalgate is, you know, a lot of people have really
honed in on the idea that they're bypassing record keeping requirements and whatnot when having these conversations.
Looks like that's not the case.
Unfortunately, though, it looks like, you know, this app, which keeps records of the
conversation, doesn't really do it in a sensible way.
No, it really does not look sensible.
So the deal here is that TeleMessage, the company, which is an Israeli company that's now owned, as of 2024, by an American firm,
they make messaging apps forked from the various popular messengers that implement record keeping.
And it does that by modifying the client, replacing the client, which you then deploy out to your devices using some variety of side loading,
sort of the enterprise side loading
that you get from MDM solutions and so on.
And then that basically just carbon copies
all of your messages off to a TeleMessage controlled server,
which then archives them into whatever mechanism
you have as the administrator have configured,
which is typically going to be, it just emails them to an archive place
or integrates with the Office 365 or whatever else.
But it does so, of course, in the clear,
which already not really what you want.
Hang on, hang on. In the clear?
Or, like, just not end-to-end encrypted?
Well, in the clear from the archive point of view,
the point of the archive is to have a clear text copy
of the message.
How that's stored on disk is kind of up
to the individual implementations.
And in this case, we're probably talking transport crypto-wise.
Yes, it's TLS to TeleMessage
and then probably SMTP TLS to Microsoft 365 or Google or whatever
mail server if you're using that or SFTP or whatever other transport mechanism.
But in the end, the content of that message is delivered to the archive endpoint and is
in those archives, and obviously traverses TeleMessage's services
in the clear.
Now, this is not necessarily a bad thing.
There is still a security benefit, right?
From if you're gonna have, use an archive messenger,
being able to use an end-to-end encrypted messaging platform
that allows you to have things like expiring messages
so that those messages are only stored in one place, you know, if that archive is handled sensibly that
is still going to be a net security gain. So let's see, if I'm building this
I'm gonna make sure that these messages are forwarded into some
sort of cloud service via an account or an API that has write-only access and
I'm sure that's the way they did this here.
Isn't that right, Adam?
Right?
Right?
It just keeps getting worse.
So somebody found a source code archive
for the Android version of the TeleMessage Signal app,
as well as some people in reverse engineering
the binary versions of the iOS
ones.
And that contained hard-coded credentials which are used to deliver the archive messages
into the TeleMessage system, and those credentials appear to have been valid to log into some
manner of TeleMessage backend system.
Because we have seen at least two reports, two separate reports, where journalists have talked to hackers that
have broken into TeleMessage's systems and have obtained, in some cases, access to messages,
in some cases lists of subscribers and so on. And the assumption is, I don't know if
anyone specifically said this, but the assumption is that it's those hard-coded credentials
giving more access than they should have. Yeah, as in not just write-only, which honestly if it was write-only it would be
probably, you know, verging on okay, right?
I mean, you know, there are better ways to do it, but that would have at least been less terrible.
Yeah.
But, I mean, one of the reports we've seen, I think it was, was it NBC maybe, where it looked
like the attacker memory dumped the server.
So they must have got some relatively privileged access because it looks like the backend is
some kind of Java app.
I've seen some screenshots of what looks like strings on a memory dump of a Java app that
has message fragments in it.
So none of those messages that we've seen so far looked like they were
specifically White House ones, but we have seen other messages from their
signal capture, but also some of the other platforms.
Yeah.
WeChat and WhatsApp and Telegram.
Well, and the assumption is that whoever did these, you know, quote unquote,
attacks was intercepting messages
on the way through TeleMessage's, like, archive server, on the way to the actual end user archives.
404 Media has been doing a great job covering this. They were early with their coverage and
a lot of it's based on research that's been done by Micah Lee who's really done an excellent job
of pulling this down and even drawing pretty little network diagrams and pictures showing us how it all works.
It looks like this app, and again, look, it's a foreign controlled app as well, which is
a whole other set of issues.
It looks like this app was originally brought in for government use, like with the, I think
the State Department and the CDC in the US under the Biden White
House like when he was president.
So I don't think this is just a failure of the Trump admin.
But certainly, you know, using an app like this to conduct, you know, sensitive policy
conversations seems insane.
TeleMessage has since actually pulled this thing from the market.
They've like nuked their website.
They've gone to ground.
And you just think, you know, where was the evaluation of this technology when it was
being considered for government use?
You know, you do have other providers.
I mean, we've mentioned it a bunch of times over the last few weeks, but Wickr is a well
regarded messaging platform that has archiving features and end-to-end encryption.
And you know, it was acquired by Amazon and it is offered for,
you know, government and enterprise use.
Was there a bake off here?
You know, these guys had a two million dollar contract,
at least with the federal government dating back to last year.
And you just think, you know, who looked at this thing?
Yeah, I mean, it's that is a great question.
And we've certainly seen calls for investigation.
I think Ron Wyden has
been out there asking for investigations into how this happened and the storage that kind of led up
to it. And certainly that's a great question. Like who did the eval, what eval was there,
what did this look like in the procurement process, etc. etc. To my mind, I think the
killer feature though with the TeleMessage Signal fork is its interoperability with existing Signal,
which, if you move to a different platform, all of a sudden the rest of the extended
MAGA-verse, you know, and other people that are using Signal to communicate with
people who do need to archive, lose that kind of connectivity, which like that's
the reason that you would go down this slightly crazy route.
Yeah, I mean I wonder what the I A implications are of this as well.
Now that, you know, the Democrats understand that there is an archive of a
bunch of these messages, you know, I guess that could get a little bit
interesting, but look all in all just, you know, it's the scandal that,
that keeps on giving, isn't it?
It really is.
And like, I hate to feel sorry for them because you know
the rest of the of the you know of the whole Trumpian experience is not great
but like I do kind of feel a little bit bad because they probably got told if
you want to use Signal you have to use this it looks exactly like Signal it
feels like they're getting everything that they expect from Signal in terms of
its you know confidentiality and so on and so forth, but this just meets those
archiving obligations and then for them to now be mired in this total trash heap
of the story just getting worse and worse. Part of me
enjoys watching everything fall apart, but I feel a little bit bad because, you know, they were
trying to do the right thing, you know, provide archive records and so on, you know.
I tell you who doesn't feel bad for them is the vice chair of the Senate Select Committee
on Intelligence, Senator Mark Warner, who I spoke to yesterday.
And funnily enough, he recognises the irony here of them trying to do the right thing, but it seems to be his position that it's still, you know, absolutely boneheaded
what they did. I interviewed Senator Warner yesterday, we spoke for about an hour and
we've already published that as a podcast and also onto our YouTube feed but here is
a just a two minute excerpt where he talks about these latest developments in SignalGate.
So here he is, Mark Warner, Vice Chair of
the Senate Select Committee on Intelligence.
What Waltz and the Secretary of Defense, Hegseth, they already have not only the foul
of using Signal, which should have been on a classified network, they now have the double foul of using this addendum to Signal that, as you indicated,
has been hacked repeatedly to the point that there was at least a report this afternoon
that that add-on service may be being pulled from the market. So again, this starts with,
whether it's in Australia or in the States or wherever, basic cyber hygiene 101, particularly if you're dealing with sensitive or classified information.
Don't put it on an unclassified network.
Recognize, if possible, to make sure there are no ways to have penetrations. And in the case of this so-called Signalgate, this is only one of the reported 20 Signal
chats that Waltz took part in when he was national security advisor.
So we may still be just seeing the tip of what is even a bigger problem.
I mean, I think one of the issues here though is even if they weren't discussing classified information,
that signal version or the modified version of signal that was being used there probably
wouldn't even be suited for non-classified communications.
How much of a concern is that from your perspective?
That's a concern as well.
Now there is, again, I don't wanna,
the only thing I'd say about Waltz was he
at least acknowledged a mistake, something again,
that other folks who were on that chat
didn't even acknowledge.
The irony here being that if he was trying
to preserve records, but again, it shows kind of a failure
to understand cyber hygiene 101,
this notion of this extra add-on being as
vulnerable as it is. And, you know, Patrick, just to be clear, we don't even know if in
the first episode that included all of these senior officials, whether anyone has gone
and checked the actual devices to make sure that there's no malware that's been dropped onto them.
I mean, this is like, you know, headaches loading.
Okay, so you heard from Mark Warner there.
I mean, you know, there's the saying that there will be blood.
I think in this case we can say there will be hearings.
There's going to be so many hearings.
Oh dear, oh dear.
And I mean, of all the things I had on my bingo card,
like that we would be talking about
in this new administration,
like I did not expect non end-to-end signal
to be one of them.
So at least it's been great for us.
We've had something interesting to talk about
for the last couple of weeks.
So yeah, thanks I guess.
It's an end-to-ends messaging platform.
Anyway, but look, I think, you know,
I hope the lesson that comes out of this is really about,
and it's something that we've been talking about a lot on like Seriously Risky
Business, our podcast that focuses on sort of government policy and intelligence.
I hope that what comes out of this is for governments to really sit
down and look at,
you know, how we can give better guidance to government officials on how to communicate,
give them the tools that they need to communicate securely and sometimes privately, you know,
change some of the guidance, you know, to reflect the world that we're living in now.
And hopefully we all wind up in a better place because of this.
But, yeah, wow.
Anyway, moving on and, you know, this ransomware campaign targeting
British retailers just keeps on trucking.
Harrods is the latest one to be attacked, although it looks like the
attackers didn't get very far.
Marks and Spencer is a complete smouldering wreck
of a company at the moment and yeah, also big dramas at Co-op. The press hasn't linked these,
it says that you know there's they haven't been able to substantiate a link between these attacks
but from what I'm hearing, I had an anonymous sort of email come in from someone that looks legit. I mean, I have, you know, it's unverified information, but they're like, yeah, these
two attacks shared the same C2, which would tend to indicate that it's the same crew.
They also say that Scattered Spider obtained initial access to Marks and Spencer through,
you know, socially engineering a help desk, which would, you know, that's pretty typical
of their TTPs.
They moved laterally, got the entire Active Directory environment and absolutely everything in it. There was no NDR
in the environment and you know, they've got third-party IR in there.
They're trying to roll out CrowdStrike and just doing, you know, real hand-to-hand battles.
Apparently the attackers were monitoring like Microsoft Teams archives of meetings and whatnot.
And it's just like, it is, you know, about as bad as it gets.
This person who's emailed me says Marks and Spencer haven't really been sharing information appropriately
with other retailers and people having to do back channeling.
And it's just all bad, bad, bad, bad.
Funnily enough, you know, what this person is saying has sort of been
substantiated somewhat by some subsequent reporting by the BBC where Co-op staff have been instructed not to keep records of things like Teams conversations. But you know,
Marks and Spencer is saying that it's going to take months for them to restore service and ordering
and whatnot. Yeah, it does sound like a real mess. We've seen a couple of insiders.
I think it was at Sky News in the UK also, we're talking to an insider who said
that it was just pure chaos, I think was the quote inside there because they
didn't really have any plans for how to respond to this sort of incident and
that everything is just complete.
You know, people sleeping in the offices, working over the weekends, trying to,
you know, pull together in an environment where they haven't, you know, they're not even sure they've
managed to throw the attackers out yet.
So that's a, you know, that's hard yakka for all of the people on the ground having to
deal with that.
And you really, you know, you feel sympathy for them.
But at the same time, like being an organization these days and not being ready for this kind
of thing, you know, it's not like ransomware is brand new at this point in the conversation.
So, well, we have seen reports, in fact, that Marks and Spencer did not have an IR
plan, which, you know, just those words will be sending shudders down the
spines of all of our listeners who actually work in IR, because that's the
worst thing that you can, you know, it's the worst thing to not have in a situation.
Well, exactly right.
This is not a thing you want to be doing for the first time when you really need it.
Even simple things, well I say simple things, even things as straightforward as how do we
even go through the process of resetting everybody's passwords or locking everybody out or in what
order do we have to do it?
How do we roll the krbtgt?
Those are things that you don't
want to be learning during an active incident when you can't even talk to each other. And some of the
reports are saying like, you know, people are reduced to using personal devices, personal
WhatsApp accounts to try and communicate because all of the normal corporate mechanisms are
untrustworthy or offline or whatever else. So yeah, total mess.
And, you know, I guess, hug ops to everybody involved.
Yeah.
At this point, that's pretty much all we can offer you is hugs, you know?
So, yeah, I do think it's interesting though, that, you know, in the case of
Co-op, staff have been told to keep their cameras on during meetings, which
suggests they might've had some uninvited visitors attending prior meetings, right?
So just an absolute mess.
And you would expect that this would rise to the level where you might see a response
out of GCHQ, perhaps, or at least them lending a hand given that it's a sector wide attack
against major British brands.
Yeah.
I mean, Harrods and Marks and Spencer are both very, very, you know, sort of iconic
British brands and clearly Co-op is pretty big.
I didn't really know much about them, but clearly they're pretty big.
Apparently they provide funeral services as well as other things.
So that's not a thing you want ransomware.
It's like those Japanese companies that offer everything from fresh seafood to light bulbs.
Yes, exactly.
Yeah. And like you do wonder given,
you know, we haven't really seen details beyond
like some kind of Scattered Spider affiliated people,
but it being a whole bunch of British retailers at once
does feel kind of British.
You know, like foreigners may not care that much
about hitting those kinds of brands all in one go.
Whereas if it was someone local, it just feels a bit more.
Yeah. If you want to feel like a bad ass, right?
You take down the biggest brands in your country. I'd imagine that's the,
that's what you're getting at.
Yeah, I think so. It'd be interesting to see how the investigations unfold cause
Scattered Spider was not a group that's known for rock solid OPSEC. So,
Oh, they're all gonna get caught. Yes.
Absolutely all gonna get caught.
But as we saw after Caesars and MGM,
I expected the cuffs to go on the week after,
but it took a while.
I wonder now, you would expect that global law enforcement
would just have generally better intelligence
on the Com and all of the groups
and the satellite groups and splinter groups.
And perhaps we'll see a faster,
the handcuffs come out a little bit faster but yeah you know I'm
not expecting these guys to get away with it. I mean you know will they get absolutely
everyone involved? Like probably not but you'll see some arrests here surely.
Yeah surely you would expect and I you know I imagine the people who are sort of spectators
in that environment might be feeling a little bit nervous about being so close to it. So, you know, maybe it'll slow things down there a little bit.
But then again, kids not really known for their threat modeling and cause and effect
and thinking about their actions and all that kind of thing.
Now let's talk about where long term planning and cybercrime meet, because somebody has pulled the trigger on a Magecart
style of attack that goes back, like this thing goes back years.
So someone had been subverting Magento stores for something like the last five or six years
and has finally pulled the trigger and deployed their nastyware onto these e-commerce
websites and you just sort of think, wow, that's a slow burn.
Yeah, yeah, the story is pretty wild. So there are three companies that package up Magento
online shopping sites, like provide the tools for them to run your own. And all three of them seem to have been hacked
at some point between 2019 and 2022
and had backdoors, the same backdoor put in
a bunch of kind of packages that they provide.
And yeah, those have just been sitting around idle.
And there's a like, if you know how to trigger the backdoor,
you can just run arbitrary PHP on a Magento website.
And then that's been sitting around for six years.
Somebody's pulled the trigger
and it started dropping Magecart style,
shopping cart scraping, payment scraping,
payment card scraping out of the shopping cart malware
on these sites all at once.
And yeah, like that is a pretty slow burn.
Like it's quite a lot of patience. It makes me wonder if, you know,
someone deployed it and then, you know, maybe dropped out of crime.
Maybe they went and did something else with their life. Yeah. Yeah.
I mean, it feels like, it feels like someone's contingency plan, right?
Like that's what it feels like to me is like,
they had this thing bubbling away on the back burner, just in case sort of thing.
And then they're like, okay, well,
I'll go work on that now because whatever their other botnet got rolled up or
something. Yeah, yeah, maybe, maybe. Right, maybe, right, and you know it could have been traded, it
could have been you know there's all sorts of ways that these things get you know shared around or
knowledge spreads or whatever else but yeah it's kind of unusual like we don't often see you know
something like this lying around for so long and you know it was not the world's most innocuous
looking backdoor.
Like it's, I guess you probably don't read all the PHP
of all the plugins, of all of the Magento things
that you run, but yeah, kind of,
I don't want to take my hat off to them,
but it's kind of, you know, it's kind of good work
waiting this long and then kaboom.
Well, ain't no one doing code review on that stuff.
Like just, they're not.
You know?
Probably not. Like you're waiting for shells or some weird stuff to get
detected at runtime.
Like that's how this stuff is going to get discovered.
You know, I'm sure there's companies out there who are going to write to me and
go, we do scanning of, you know, Magento packages and whatnot, but like,
ain't nobody paying attention.
No, and so you know, it's paying money to do that.
No, they're absolutely not.
Now let's talk about Microsoft's big push into passkeys.
So according to this piece by Dan Goodin,
Microsoft is making passwordless logins the default means
for signing into new accounts.
I think somewhat sensibly, actually.
I mean, they're criticized a little bit
in this article for this, but they're
requiring the use of the Microsoft Authenticator app. So they're
saying you can't use the Google one, you can't use, you know, whatever like third
party ones. You have to use the Microsoft Authenticator app. I actually think
that's a good idea because it gives Microsoft the ability to like say, no,
we're not gonna have some sort of sync fabric that's gonna send these things to
a million other accounts. So I think keeping it within the Microsoft ecosystem is
actually a positive, not a negative. But you know, Dan's just written a story
here sort of walking through what this could mean. I mean, generally, I think
this is a really good idea. Where I think the drama might exist is when you
start bumping into the enrollment processes, when someone's lost
a phone or needs to be reprovisioned or whatever, and that's going to be where the attack surface
is. But I think by and large, this is going to be a positive thing. What's your immediate
reaction to this, Adam?
My immediate reaction is passkeys are better than passwords. And the problems that we are talking about
around the passkey ecosystem are very legitimate,
like things like onboarding, things like offboarding,
things like dealing with password reset flows and so on.
All of those already exist with passwords,
but at least passkeys are less phishable.
Modulo, we saw some like edge case stuff
with Bluetooth, weird Bluetooth,
passkey phishing the other day.
But by and large, this is absolutely an improvement
over passwords and all of the problems
still existed elsewhere and a perfect solution
is pretty difficult.
So I think there are absolutely valid points
to the criticism, but overall,
if we get to the point where you can't Monday1
your way into a major corporate
because that's how initial passwords are set up by the service desk, then we're in a better
place.
And, you know, passkeys are less understandable, I guess, is one downside.
Like people don't necessarily have a great mental model for how passkey storage works.
I don't know that I have a great mental model for how password sync fabric, passkey sync
fabric works and blah, blah, blah, blah.
And that's to your point about Authenticator.
At least that gives Microsoft the point of control
rather than simultaneously having to solve
the multi-vendor cross-platform syncing problem,
especially when Microsoft doesn't have
its own phone platform anymore.
Well, but this is exactly right.
Do you want to allow people to use Google
Authenticator and then Google make
some sort of decision that, you
know, is probably going to violate
the security policies of
all of your enterprise
clients? Like I just don't see,
excuse me, how you would do this
without having control
of that piece of this.
Like I think that's absolutely the
right decision.
Yeah, yeah.
I mean, you know, I don't necessarily love it.
Like I don't want another authenticator world as well that I have to
think about how it works, but I think you are right that this is the pragmatic
choice for Microsoft, given that Windows Phone is dead and they can't use this as
a way to, you know, leverage people into the Windows Phone ecosystem.
Yeah.
I mean, I had a great chat with the, it's really funny, actually.
I often interview people from Yubico who are a minor sponsor of the
show, but I'll interview them about what they see as being challenges with
things like, you know, software based passkeys and whatnot.
And people write in and say, well, of course they're going to say that, they're
financially motivated to sell YubiKeys, and it's like, well, yeah,
but they're also right. And it always takes like a year or two and then it's like, oh okay, the points they were
making were pretty good and I think, you know, this restriction to using the
Microsoft Authenticator app is actually a bit of a, you know, recognition of some of
the issues around the portability of passkeys. Anyway, I've made that point
well and truly, so let's move on. And this one, I've read through it, I'm
not entirely clear on the ins and outs of it, but it's another Dan Goodin story
based on some, you know, discoveries by, I can't remember who, I'm terribly
sorry, but some people have discovered that, with RDP, you can still log into a
Microsoft machine using an expired or revoked credential,
which is not what people would expect the behavior to be.
This has been reported to Microsoft and they're like, no, that's by design.
We're not going to change it. So first of all,
can you walk us through exactly why it is that this condition exists?
And then tell us why they're not changing it.
So the reason this exists is that Microsoft ultimately
don't want you to deal with,
and they don't want to deal with,
the support workload of locking out
the last remaining account on a Windows system.
So there are some special rules that seem to prevent
account expiry or credential expiry working
when it's the only user.
I think that's what Microsoft said,
which is a behavior that I didn't know existed.
So it's, I guess, probably surprising for a bunch of people.
So when you have the combination of centralized auth
or federated authentication and IDP,
and this is the only IDP account,
they don't want you to get in a position
where you have to go
like safe mode the machine to recover it if the, you know,
if the only account that you have gets locked out.
And then in combination with a distributed auth system,
those credentials get cached locally
on the machine for authentication so that it can
authenticate even if the upstream auth source, be it Azure or Entra or whatever else, is offline,
you can still locally auth. So that combination of we let you use expired credentials for
the last remaining account and we have local caching kind of means that when you change someone's account credential
in your centralized Entra ID,
people can still log in through these machines
with that old credential,
which is just kind of counter to what you would expect.
Well, I mean, that's okay,
because attackers never use RDP with valid creds.
Well, exactly, and this is not just a Microsoft problem.
There are plenty of other places in the ecosystem
where people's mental model of how credential revocation works
doesn't match the technical reality.
I'm thinking, for example, certificate authentication
in wireless networks.
You can revoke that certificate,
but it doesn't stop current running
authenticated wireless connections from continuing to work
until next re-auth time.
And that could be weeks.
So you wanna kick the network in the guts at that point
and bring it back up.
There is a bunch of nuance to how password expiry
and revocation actually works in the real world
to make it match what people expect.
And I think this is another great example of,
honestly, I see why Microsoft made this design choice. It is
documented, and I think Microsoft have updated the documentation to make it a
little bit clearer. Microsoft have linked through in their response to this guy's
bug report saying we've made this update. It's a pretty small block in a rather a
lot of documentation,
so I think this probably is still surprising to most people, but kind of makes sense, I
guess, and you can see why they're not triaging it as a security flaw, more as just a surprising
behaviour.
Yeah, so that was Daniel Wade by the way, I had time while you were chatting just then
to look up the guy's name.
Let's move on to our next story now.
And according to CyberScoop, a piece here from Matt Kapko,
North Korean, like fake IT workers, are just really kicking some goals at the moment,
and they have infiltrated hundreds of the Fortune 500.
I don't know that I'm tremendously surprised by this, but that's because I spend my days
reading cybersecurity news, right?
I think if you don't spend your days reading cybersecurity news and talking to people about
this, you might not realise just the scale of this.
Yeah.
That was the thing that stuck out to me was the sheer scale.
You read about it and it makes sense that this would work, but you think this is probably
only gonna happen to like a few cryptocurrency exchanges
or, you know, kind of niche targeted kind of things,
not significant swathes of Western companies.
And when you certainly talk to a bunch of organizations
that have had this happen to them personally,
like this is not secondhand, thirdhand kind of stories,
this is our HR department, our hiring process
is getting these come through.
And I think this story on Cyberscoop
is kind of on the back of a bunch of conversation
about this at the RSA conference,
where people are coming out and talking about like,
yes, this is happening to us.
Yes, we are seeing this in a bunch of our customers.
And I think it's just worth calling out to everybody quite how big this is.
And clearly North Korea knows how to do this at scale, and it must be making
them enough money to be worth doing it.
Yeah.
Yeah.
Well, and they get further options as well.
Like once they're in certain places, you know, I've got a great podcast I recorded.
It's a Wide World of Cyber podcast, without Chris Krebs, which is
weird because it's a SentinelOne Risky Biz sort of joint thing.
But it's Alex Stamos and Steve Stone.
And one of the big things we talk about is all of the North Koreans who tried to
get work at SentinelOne, right.
And they detected them early, but instead of just like throwing their
resumes in the bin, they sort of tried to play it out and see what they
could learn.
And it's a very interesting conversation.
By the way, for anyone wondering, Chris is doing great.
I actually had a good phone call with him this morning and he will be back on Risky
Business at some point.
Probably not Wide World of Cyber, but he'll be back on the show real soon.
But moving on, oh, and I'll publish that, because that was like a live event.
I was supposed to be in the US to record it, but instead I joined by
Zoom and they put me on a screen in the room, and, you know, it actually worked
better than you would have thought. So I'll be publishing that one in a couple
of days. Moving on, oh, and we got some great news here actually. So these are
both pieces from The Record, one's by Joe Warminsky, the other one is by James
Reddick.
But the United States government
is making some meaningful moves,
like Treasury is making some meaningful moves
against these scam compounds.
And in our coverage, particularly the work
that we've done here with Tom Uren,
who's our seriously risky business,
policy and intelligence editor,
we've been talking about this as the way to take action
against scam compounds for a long time, because quite often there are obviously corrupt relationships
between, you know, large companies, politicians, you know, government officials and these scam
groups, and you can deal with that to a degree with sanctions.
So what we're seeing now is we're seeing US Treasury sanctions against a Cambodia-based conglomerate,
which is, you know, they're saying, primarily a money laundering concern.
We're also seeing specific sanctions against a militia leader in Myanmar over his involvement in scam compounds.
I mean, this is a good start.
Yeah, yeah, it absolutely is.
I mean, that Huione Group that runs a whole bunch of e-commerce
and online financial services and stuff in Cambodia,
that has been a pretty clear target.
I mean, they are laundering something like $4 billion worth of illicit proceeds
is what the US Treasury said.
And that's very, very real money.
And when you're operating at that sort of scale, that's when sanctions hurt too.
Yes, exactly right.
Because they also have, like, to launder that kind of money,
you have to have a big enough business to kind of move that through.
So like they are a pretty real enterprise.
And it makes sense for them to be targeted by the Senate.
They have ties to the ruling leadership there, political leadership in the country, so it's
not a thing that domestically they seem particularly inclined to deal with.
So dealing with this on the international stage kind of makes sense. So that's good.
And then the individuals from,
there's like one particular border province
with Thailand where a whole bunch of the scam compounds
are actually physically located.
And that's an area that has had a whole bunch of,
you know, political intrigue and the sort of rebel forces
and all sorts of mad stuff.
And the Karen National Army is like a, I think, Buddhist separatist? I don't
know. The politics in Myanmar are very difficult to follow. It's very, very complicated. But
they've been designated for sanctions, and their leadership and I think some family members of their leader have
also all been sanctioned. So, like, tying all of these bits together is the logical place to target
this stuff. So, you know, good work.
Yeah, and it is complicated, right, because we've seen China
sponsoring militias in Myanmar in order to get them to free people from scam compounds.
And I remember saying at some point, some of these militia leaders are going to say,
you know what, there's real money in this stuff.
And, you know, maybe that's what's happened with this militia.
I don't know if they were involved from the get-go.
But the point is the amount of money involved is just staggering.
So it is, you know, I think there was a stat that the turnover of this sort of stuff is equivalent to like 40% of the GDP of
Laos, Cambodia and Myanmar combined. Now, anytime you've got that much
economic share in one thing, particularly if it's illicit, the tail is gonna start
wagging the dog.
Oh yeah, yeah, absolutely. And you can see this in narco states back in the day, right, when you would have
all sorts of issues in places like Colombia in the 80s and 90s. So yeah, same sort of stuff,
good to see some action there. Moving on to our next story now, and Trump is proposing major cuts
to CISA's budget. I think it's in the order of like 17%.
You know, they have a $3 billion budget
and the proposed cut here is 491 million.
Justification for the cut is they were censoring
conservative voices and you know, the usual sort of stuff.
So we'll see if that actually becomes reality.
And also there's a proposal to cut up to 2,000 civilian roles out of NSA, so they want to
downsize NSA.
I mean, I don't know enough about the internal, you know, bits and pieces of NSA to know if
this would be crippling or, you know, or doable, but yeah, it's certainly on the cards.
Links to those ones are in this week's show notes.
One is from Eric Geller over at Cybersecurity Dive.
The other one there is from Martin Matishak at The Record.
We're going to end with some news about NSO Group because there's been this long running
lawsuit between Meta, which of course owns Facebook and WhatsApp. Meta has been suing NSO
Group over a campaign that was conducted against its users using NSO Group tooling back in 2019.
Looks like that case has finally come to a conclusion. We saw previously that there was an order to pay something like $444,719
from NSO to Meta to cover the direct costs involved in dealing with this campaign.
Now come the punitive damages of $168 million, which is going to hurt.
Yeah, that's certainly a fair whack of cash, I imagine.
I was surprised at how low Facebook's, Meta's costs were.
I mean, me too. They talk about efficiency.
Yeah, yeah, exactly. Like clearly they must have used their AI or something.
No, they used one of their 100x engineers who'd sorted it out in a day.
That's probably it, yes. So, yeah, $168 million bucks, that's got to suck for NSO Group.
I imagine they're going to appeal.
They haven't indicated that they're going to yet, but I mean, when does a lawsuit in
the US ever not end with an appeal?
Well, especially when it's such a large amount of money.
And NSO has not been doing as well, really, over the last five years or so.
So you'd think they have to.
Yeah, I imagine they would.
At the very least, I'm sure their lawyers would be like,
well, you can come back for another round
and then we'll keep getting paid for another few years.
So, yeah, I expect we will see an appeal.
But you know, it's a great outcome.
You know, it's been a long time coming.
And you know, you think about the fights
between software companies and some of the companies
that make exploits,
well, sell this kind of tooling.
A lot of people have walked away from really pushing these
through the courts, and kind of good on Meta
for actually seeing this one through.
Yeah, I mean, I think one of the differences
between NSO Group and some of the tool makers
who supply governments in developed nations
is the extent to which they actually support the campaigns.
You know what I mean? They run the infrastructure, and that's different, because with a lot of these
companies, they will provide the tools to an agency, they don't know how they're used. Do you know what
I mean? That's why they have to have a high level of trust in these agencies so that they
trust that they're going to go use these tools to do sensible things and not go and conduct a whole bunch of human
rights violations.
But yeah, look, we'll just wait for the inevitable appeal.
But that's it for the news, Adam.
Thank you so much for joining me as always.
It was a great conversation and we'll do it all again next week.
Yeah, thanks so much, Pat.
I will talk to you then.
That was Adam Boileau there with a look at the week's Security News Headlines.
It is time for this week's sponsor interview now with Aaron Unterberger, who is the director of sales engineering with Nucleus Security.
And Nucleus is a Risky Business baby startup, right?
Cause when they first signed up with us,
they were just a couple of people.
And now, you know, they're a fully fledged vendor
offering a vulnerability management platform.
The idea is you just get all of your vulnerability
scanning tools and whatnot, you know,
and also asset discovery tools.
They can all report into their platform.
Then once you've got all that data in the one place,
you can normalize it, slice and dice it,
distribute it to the correct teams and whatnot.
And just generally much better than relying
on a bunch of spreadsheets.
I mean, it's just, it's a big step forward from that.
But what we're talking about today
is how cloud vulnerability management is a bit of a mess,
frankly.
And that's really got a lot to do with,
I suppose there's two factors here.
One factor is that the technology for doing VM
in the cloud hasn't really caught up
to contemporary practices.
And the other one is that just the way assets
tend to operate in the cloud is very different to the way
that they operate on prem.
So joining me to explore that issue
is Aaron Unterberger from Nucleus Security.
And here's what he had to say.
So cloud basically differs a lot from traditional VM, right?
Traditional VM is in our data centers, is with our assets.
And so things are a lot more static and stable.
So first cloud just introduces a level of speed and scale where stuff is constantly changing.
So environments can spin up and down dynamically and vulnerability management tools have to kind of operate within that constantly changing landscape. Also, things like asset discovery and asset inventory
has to keep in lockstep with what you're scanning
and what you're assessing.
And then also with infrastructure as code and containers
and other ephemeral assets,
there's been more of a push towards shifting left
and addressing things before they get into the environment.
So for example, if you've got a scanner that's scanning an EC2 instance or a VM,
but it's been deployed through some kind of Terraform or infrastructure as code script,
patching the system isn't fixing the root problem, right? So shifting left and...
I mean, I just keep thinking back to when the vulnerability management firms thought,
OK, we're going to solve this cloud problem, which
is to make our scanners get visibility into containers.
Ah, there we go.
And they dusted their hands.
And they patted themselves on the back.
And they said, job well done.
And that was fine when people were running static systems.
Like EC2 is another great example, right?
Like when cloud started, you would just spin up a, you know,
a virtual box in EC2 and you would leave it there, but that's yeah.
Now it's, it is all very ephemeral, right?
So I guess now the sort of tools that we're using to detect issues,
you know, they're less likely to be your Nessuses and whatever,
and more likely to be your sort of Wizes. Yeah.
Yes. Well, so actually before there was a Wiz or an Orca
or a Lacework, there were still a lot
of the traditional VM tools.
And it started out with kind of the frictionless scanning,
network-based scanning.
And you can imagine how that just didn't keep up
with the pace of change.
It doesn't integrate well with cloud APIs.
It doesn't have the dynamic inventory awareness.
And it definitely doesn't shift left.
And so then we start to roll out cloud agents.
And there's some acknowledgment of the difference in the cloud.
Better synchronization with asset inventory.
But still doesn't really shift left.
And that's really where I think Wiz and Orca and the CNAPP tools
came into prominence as they kind of
reduced the friction of an agent-based scan, but had all of the dynamism of the kind of
latest iteration, but they integrated through APIs to get this really robust picture.
And they also introduced things like CSPM, cloud security posture management, misconfigurations,
right?
Focusing a lot more on the inventory
and more context across systems.
And now we're even starting to see
more shift left capabilities within those tools as well.
So for example, if I have a container
and that container has a base image,
and then that base image is used across multiple other images,
and maybe one of those images is a sidecar shared service.
So its deployment or its runtime could be many different applications,
internally facing Skunkworks to mission-critical publicly facing.
That whole continuum of context is really difficult to grasp when you're thinking about container security.
So that's one of the areas where we sought to kind of collapse the full kind of lineage of a container and give you a persistent context across everything, what we call a container workload, right? So if I have a vulnerability that appears in a base image, I know that I'm patching the base image.
Or if I have a vulnerability that persists through versions,
I know that we're not resetting the clock
on when it should get patched.
Because we pushed a new version,
the SLA still is when it first showed up
in the previous version of that image.
So giving more context to address the challenge because
along with all of this, you know, dynamism that cloud brings, it also brings quite a headache in
terms of managing risk, right? Understanding that full picture. I understand now what you mean by
shifting left because in this context it really means, especially when you're dealing with ephemeral,
you know, workloads, you've got to get to the point where they're first being created, right? And fix it there, because there's no
point finding, hey, oh, look at that, we've got 100 of these vulnerable workloads out
there. You go patch them all, and then someone spins up one tomorrow, and it's vulnerable
again, right?
Yeah. Yeah, this game of whack-a-mole, right? And that is, I think, the promise of Shift
Left, especially when we think about cloud, and it's not just containers. There's IaC.
Even EC2 or VMs have images that deployments are based off of, and
so a lot of cloud is built off of, you know, pre-configured,
automated scripts, CI/CD pipelines,
things that if you don't address them at the root,
you're actually playing whack-a-mole. It's never ending.
Once you've addressed them at the root, what do you do about the ones that have been spawned from
that original image? Like, do you then go kick them in the guts and have them rebuilt? Or like,
how are you supposed to address it at both ends there, right? Because I understand you need to
shift left and solve the source, solve the problem at the source.
But what do you do about the stuff that's already out there?
Yes, well, so that's where having the full continuum,
visibility across the full continuum comes into play
is because you want to make sure that you're fixing at the source,
that otherwise you'll never really fix it.
But then you also want to find out who's not actually updating
their pipelines and using the latest versions
of images, for example. And so that's where having the deployment context also comes into
play and seeing, hey, we're still seeing persistence of these vulnerabilities because, you know,
while we've made our patches to the upstream asset or artifact, it hasn't propagated out
to runtime, right? And so that's where you can hold accountable those teams.
Now, here comes the important question.
Why on earth are you talking about this, right?
So Nucleus is a company that makes, you know,
tools to better manage vulnerability programs, right?
Normalizes ingest and normalizes data
from all sorts of stuff.
You know, allows you to slice and dice it, spin up tickets,
you know, crap stuff out into Slack,
all of that good stuff
Right, instead of spreadsheets and emails and ticketing nightmares. This is just the way that you do it.
I'm guessing if
the Wizes of the world and the Laceworks and whatever were doing a good job of this, we wouldn't be talking about it.
Yeah, well,
they are, they're doing an excellent job for what they're focusing on, and they're
focusing on the assessment of cloud.
And so really what Nucleus does to kind of broadly generalize, Nucleus is a platform
that unifies data from different sources. And so when it comes to traditional VM,
it's integrating with your CMDBs,
your scanners, endpoint,
and downstream ticketing and change management.
Within cloud, it's very much the same.
And also a lot of organizations are maybe multi-cloud.
They've inherited multiple different CNAPP tools.
And so, you know, it's having a single
place, a single source of truth, and then it's also having visibility. So a lot of our kind of end
customers for data are also executives who need to answer to a board and say, what is our
organizational risk across all domains, right?
And so it's really about being able to manage
all of these different domains effectively.
And what these tools are doing really well
is they're assessing the vulnerabilities,
but not necessarily providing a normalized view of risk.
And then also the downstream orchestration and visibility.
So being able to ticket and remediate, but
also give that normalized view for executives, team leads and application owners to know
what their true risk is in a way that's normalized across an organization.
When I think you pointed out before, like if you've gone back and fixed something at
the source and yet this team over here keeps spinning up vulnerable
images,
you know, you know someone's not doing their job, right? So it can be good to have that sort of helicopter view,
I guess, yeah.
Yeah, it's having the visibility across the entire spectrum, right?
Going back to the container workloads.
I guess the reason I mentioned that is like, it's not just about giving executives something pretty
they can screen cap for a, you know, for a board deck, right?
Yeah, yeah, much more operational.
And the way that that's achieved is actually integrating
with beyond just the scanners, right?
It requires integrating with inventory,
with your image registries, and understanding what
your golden images are, understanding the ownership and application context, understanding
the runtime.
Now, oftentimes those are multiple tools, not a single scanner that's doing that assessment.
So they don't really have the ability to stitch together that entire picture.
And so who's, you know, what sort of orgs are kind of jumping on this, right?
Because always when, you know, a sponsor is out there talking about something like
this, it's usually because there's customer demand, right?
It's usually like, well, they're having this problem.
So that's why we're out there talking about it and what our, what our approach is.
Like what sort of companies are actually having issues around this?
Yeah.
The problem I think kind of manifests in a couple of different ways.
One is the visibility, right?
That kind of executive audience of, you know, if I were to ask my teams, what's our organizational
risk, we wouldn't be able to answer it this month, right?
But then there's also organizations that are struggling with the volume of vulnerabilities, with the complexity of managing a cloud environment, and
also with the overall workflow. Maybe it's a manual process, right, being able to make the assessment,
prioritize, because there's way too much to actually do in any given day with any team size that I've ever seen.
And so you have to focus on what to remediate and then efficiently
orchestrate those remediations.
So that way you're managing risk as effectively as possible.
Right?
So being able to automatically triage, being able to automatically route and
ticket, orchestrating the bidirectional sync of tickets so folks can focus on fixing
rather than reporting back on what they've done.
And then also providing thoughtful analysis on what types of fixes are actually going
to move the needle in the most meaningful way for my risk.
And it might be more of a software-driven approach where, hey, we're out of date on
Google Chrome.
If we fix this, we fix 100 CVEs, right?
So providing all of those operational and analytical tools
to aid in the efficiency of how a team manages
their VM program or their cloud security.
It's real funny, but in a recent interview,
I brought up actually people doing Nessus scans,
like 15, 20 years ago, when they'd run it the first time and
they'd just be horrified by what they saw. And what's really funny is, you know, thinking about
a tool like yours, which gives you that helicopter view, I'm guessing people start using it and then
they're horrified by what they're seeing, not in terms of the number of bugs, because they know
about that, but they're horrified in terms of what they see, you know, in terms of their own
capability to do something about it, right? Yeah, yeah, it's, um, and that's what this is about. It's like figuring out, you know, well,
what should we do given this mountain of data? Like, what is it telling us we need to get better at?
Yeah, and a big part of how, so my team specifically is on the kind of pre-sales consultative side.
And so a big part of how we engage with our customers, it's not just providing the technology but also the guidance.
Because we, one, we can kind of talk them down from the ledge, where it's like, yes,
you do have Log4j and it's a year old
and we're gonna get it fixed.
Yeah, but these are things that you can do to make it to where that doesn't become a routine thing. A lot of it
is like process. Yeah, when you see stuff and you're like, look, we've had a dozen clients, a dozen customers,
we've had this problem and here's what they did and here's what worked, right? Like I'm guessing it's sort of like that.
Yeah. All right, Aaron Unterberger, thank you so much for joining me for this conversation. It's always good to see you and,
yeah, talk to you again soon, I guess. Yes, look forward to it.
Thanks, Patrick.
That was Aaron Unterberger there from Nucleus Security with this week's sponsor interviews.
So yeah, if you're still trying to manage your enterprise vulnerability management program
through a bunch of spreadsheets and you know, that is making you a sad panda, you might
want to go and check out Nucleus Security.
But that is it for this
week's show. I do hope you enjoyed it. I'll be back real soon with more security news
and analysis. But until then, I've been Patrick Gray. Thanks for listening.