Risky Business - Risky Business #791 -- Woof! Copilot for Sharepoint coughs up creds and keys
Episode Date: May 14, 2025On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news: Struggling to find that pesky passwords.xlsx in Sharepoint? Copilot has ...your back! The ransomware ecosystem is finding life a bit tough lately SAP Netweaver bug being used by Chinese APT crew Academics keep just keep finding CPU side-channel attacks And of course… bugs! Asus, Ivanti, Fortinet… and a Nissan LEAF? This week’s episode is sponsored by Resourcely, who will soothe your Terraform pains. Founder and CEO Tracis McPeak joins to talk about how to get from a very red dashboard full of cloud problems to a workable future. This episode is also available on Youtube. Show notes Exploiting Copilot AI for SharePoint | Pen Test Partners MrBruh's Epic Blog Ransomware group Lockbit appears to have been hacked, analysts say | Reuters "CONTI LEAK: Video they tried to bury! 6+ Conti members on a private jet. TARGET’s birthday — $10M bounty on his head. Filmed by TARGET himself. Original erased — we kept a copy." Mysterious hackers who targeted Marks and Spencer's computer systems hint at political allegiance as they warn other tech criminals not to attack former Soviet states The organizational structure of ransomware groups is evolving rapidly. SAP NetWeaver exploitation enters second wave of threat activity China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures DOGE software engineer’s computer infected by info-stealing malware Hackers hijack Japanese financial accounts to conduct nearly $2 billion in trades FBI and Dutch police seize and shut down botnet of hacked routers Poland arrests four in global DDoS-for-hire takedown School districts hit with extortion attempts after PowerSchool breach EU launches vulnerability database to tackle cybersecurity threats Training Solo - vusec Branch Privilege Injection: Exploiting Branch Predictor Race Conditions – Computer Security Group Remote Exploitation of Nissan Leaf: Controlling Critical Body Elements from the Internet PSIRT | FortiGuard Labs EPMM Security Update | Ivanti
Transcript
Discussion (0)
Hey everyone and welcome to Risky Business. My name is Patrick Gray. We're going to chat
with Adam Bialo about all the week's security news in just a moment and then we'll be hearing
from this week's sponsor and this week's show is brought to you by Resourcely. Resourcely
is a company that makes a fantastic platform for helping you wrangle terraform, right?
Like if you've ever seen a demo of this, we've got one on our YouTube page, it looks like I guess what
the interface for a cloud computing provider should look like instead of
what they actually do look like. So if you're a heavy Terraform user you
definitely want to check out Resourcely. But Travis McPeak who is the founder
and CEO, he's joining us this week to talk about a completely new thing they're
doing which is called Resourcely Fix where they can actually help you fix is the founder and CEO. He's joining us this week to talk about a completely new thing they're doing,
which is called Resourcely Fix,
where they can actually help you fix systemic security issues
in your cloud infrastructure.
So if you're like, you know,
Wizz is lighting up red with a million things
that you don't have time to fix,
they can actually help you, you know,
go back to the source and stop these things
from happening and remediate them.
So yeah, Travis will be joining us a little bit later on to talk
through all of that. But of course, it is time for the news now. And Adam, we're
actually going to start off, start off with a couple of interesting research
blog posts this week. And the first one is from Pentest Partners. And they've
taken a look at the way Microsoft has implemented AI assistance into SharePoint.
And it is about as horrible as you would expect where if you get some sort of access to these
agents, you could just start asking them like, hey, I'm an admin and I'm really concerned about
security. So could you please go and find any secrets that shouldn't be in documents on the
SharePoint server and point me towards them.
Like, and it does it.
Like, oh.
Yeah.
I mean, you say horrible, but as a person who has spent, you know, probably weeks of
my adult life rummaging in other people's SharePoints, looking for that stuff, right?
Yeah.
Not having to like put that in my brain because at the end of the workday, when you spent
your whole day in somebody else's enterprise SharePoint,
like you don't feel good,
whereas being able to just make it AI do it.
And in this case, co-pilot for SharePoint,
which I'm sure all of the SharePoint admins,
people who are responsible for this out there,
are already like holding their head in their hands.
Like you pay enough for SharePoint as it is,
and now you're
going to have to pay for an AI to ingest it and help attackers find the way around. Anyway,
it's the apprentice partners have done a good write-up of kind of like what's the basic
functionality. You know, in terms of security boundaries being crossed, the only like real
boundary there is being able to read docs without showing up in the like people who have recently accessed your documents in SharePoint and normally it will show you some history of who's looked at your stuff and if you're rummaging in
SharePoint you're always a little bit mindful of
You know someone looking at you know who last opened your passwords dot xlsx
Yeah, why has this why has this one user from our HR team looked at like six thousand documents in the last 24 hours?
user from our HR team looked at like 6,000 documents in the last 24 hours. Yeah, so that's a thing that people have alerted on in the past or sometimes nosy admins will
just notice.
So being able to proxy your activity through the AI kind of handy.
And then people can also implement their own kind of like custom co-pilots.
So there's the default one that Microsoft provides, but people can also implement their
own ones to have other capabilities. So those are kind of interesting as well.
But yeah, overall, if you are a professional rummager in SharePoint for juicy, juicy stuff,
then yeah, definitely read, have a read of this post and yeah, it will make your life
less miserable. Unless of course the AI hallucinates domain admin creds in the SharePoint. And then you
go down a rabbit hole.
Then you get snapped because you keep using made up credentials.
That'd be funny.
But I mean there's some sort of funny behavior around document access and whatnot as well.
Like asking it to give you a document and it says, no, I can't do that.
And then you just ask it to read it out and it does.
Yeah, yeah.
There's a few of the usual kind of weird AI
guardrail stuff where you have to kind of like lie to the AI
and give it good reasons.
Like I need this, you know, I need the contents of this file
to save poor Timmy from being run over by a train.
And then it's like, oh, well, I better give it to you then.
So yeah, it's like the world is kind of strange
and this sort of computers can speak English now.
So now you have to kind of sweet talk them to give you the data.
Like I don't know how I feel about that.
You know, I feel bad enough tricking humans, you know, with phishing emails or whatever else.
And now we have to trick the computers too.
Like that used to be honest work, tricking computers.
And now it feels kind of sleazy.
It's funny, actually, like just as a bit of a tangent, you and I were talking earlier this morning
and I was telling you about, excuse me,
I did a great interview with Tony Della Fuente,
who's the founder of Prowler,
which is like a open source cloud security platform.
Very cool stuff, by the way,
completely free as an open source thing too,
if people wanna check it out.
But you know, they've got this really cool thing now
where they've got like Prowler Hub,
where you can go, you know, all of this stuff, all of their detections just used to be
as code in GitHub and now there's like Prowler Hub where you get descriptions
of what the detections are doing and whatnot and that's, you can access that
via API so if you've got some weird cloud misconfiguration detected that
gets pumped to the seam there's actually going to be some context there and
whatnot and then I was thinking well hey what about if like Dropzone which is an
AI SOC agent starts ingesting that text as well
and interpreting it?
Essentially, you've got two computers speaking
to each other in English, which is, is this better or,
I mean, it's definitely less efficient than Jason,
but is this better or worse?
Is this progress?
And who can say, really?
I think probably worse, except that being
able to sit in the middle and read it would be kind of interesting
And it's more fun than looking at you know, TZB dump, but it works
Like it actually works and actually saves time. So I mean, I think just teaching computers how to speak
And do things based on English. I think we will I think in the end
We will decide that teaching computers to speak was a terrible idea much like computers full stop
Maybe they can was a terrible idea, much like computers full stop were a terrible idea.
Maybe they need to teach each other how to speak, Jason,
which I think is another thing that they're kind of doing.
But anyway.
I hate this world.
But look, we've got another bit of research to talk about this week.
And this isn't the sort of thing that you normally bring up the front of the show,
but it was just so good.
I was reading it's actually done by, as best I can tell, a young guy in New Zealand.
He's a, he's a, you know, from Discord and stuff, right? Yeah, yeah. Like he's in one of the show, but it was just so good. I was reading, it's actually done by, as best I can tell, a young guy in New Zealand. He's a, he's a, you know him from Discord and stuff, right?
Yeah, yeah, like he's in one of the Discords,
the local New Zealand Hacker Discords that I hang out in.
And yeah, he's done this research which,
like, he bought a motherboard,
a ASUS motherboard, was trying to get the WiFi working,
went to go install some drivers.
The easy way to install drivers with ASUS is to use their,
like, just magically make
my drivers install thing that they drop on you. And he started pulling the thread and
then it turns out like it's a piece of software you're installing a machine that then the
user interfaces via a browser and it's got a local socket. And he started looking at
well what stops any other website just talking to the ASUS driver install service that's now running on machine turns out like substring matching on the domain name so if you
have so like was it driverhub.asus.com something like that in your URL not the
whole URL so in his case you know he just made because he controls his own
DNS made a driverhub.asus.com.mrbra.com,
which is his, you know, his domain, and then works that up into basically remote code exec.
You can just drop EXEs on people with very little user interaction required.
And Bob is your remote code exec having uncle.
Yeah, I mean, I was just reading this and just going, no, no.
And you know, there is, they're doing stuff like code, you know,
code signing and whatnot, but he's found ways around it.
And, you know, basically you get a file, right.
And then, you know, this and that.
And, you know, essentially what this means is for anyone who's using this
like driver hub software from ASUS, it's single click to ask it to like drop
an executable on someone and run it.
Like, in a highly privileged context as well. And I'm just like,
Oh my God, this is horrible. And, and man,
right at the top of this blog post, they're like,
there's a part two to this and it's worse. And you think, how could it be worse?
Yeah. I mean, it used to be that essentially all software that you installed that
had a browser based interface was kind of
vulnerable to sort of dumb things like I'm thinking back in the old days like
VMware would drop a you know OCX control and ActiveX control in your
Internet Explorer to control virtual machines and of course any attacker
could come along and mess with that or if there were bugs in it so like this is
a you know this kind of like, local browser with a privileged context,
backend server thing is a very common pattern
10 years ago.
And ASUS, I guess, is still doing it like 10 years ago
and clearly with kind of control from 10 years ago.
I mean, it's just such fertile ground, right?
Like I remember years ago,
there was so many similar sorts of horror show bugs
in all of the stuff that used to ship by default on Dell hardware, you know?
And what's funny is, and I've told this story a few times, forgive me listeners if you've
heard it already, but I remember once I got, I helped Airlock Digital get in for a POC at
an organization that had a SoE where they stripped all of that Dell's crapware out of
their SoE and then they ran Airlock and it was still everywhere.
Like, it's real hard to make sure you're not running any
of this stuff in your environment.
Yeah, it is, because you don't really
inspect how this stuff works.
And especially if it's a thing that you need, like in this case,
making wireless drivers work, that's a thing you do once.
And especially in an enterprise context,
I guess ASUS is probably not a thing in the enterprise context do once, and especially in an enterprise context, I guess ASUS is probably not a thing
in the enterprise context quite so much,
but in an enterprise context,
you build this one time,
and you probably don't have resource
to send every different kind of make and model of device
out for pen testing.
It's quite often,
at Bayonet, Spackett, and Sommier,
we would get, here is our standard
SoE build for Windows 10 or whatever,
can you review it?
And we'd get a representative hardware,
the laptop or whatever else, we wouldn't get every config.
And when you've got Intel drivers or graphics drivers
or the things that you use for like,
controlling external displays or laptops
that have multiple display chips
for different power levels and stuff,
you don't see all of those things. And there are lots of bugs in that kind of enterprise crap where you know,
drivery, OEM-y kind of stuff. It's nasty.
Yeah, so to you Mr. Bra, aka Paul from New Zealand, bra.
Basically, nice work.
The real kicker though, the real kicker is he went through this whole process, found
all of these bugs, didn't get anything from ASUS from it, his Wi-Fi still doesn't work.
Yes, yes.
And I think the response like ASUS when they wrote this up, their CVE description is, this
issue is limited to motherboards and does not affect laptops or desktop computers.
And he's like, well, it does.
And it also says it may allow untrusted sources to affect system behavior, which is a very polite way
of describing may let randos run executables on your machines.
Look, in an enterprise context, the thing
that will save you here, though, and it's worth remembering,
is you got a good shot at detecting
random unwashed executables popping off on your machine
if you're running properly configured
EDR with good monitoring, right?
But still like that's your last line at that point, right?
Yeah, it should it should not get that far the whole rest of the team has to fail before the goalie has to stop it
Yes, this is definitely fail way up the field
Yeah
Now let's talk through some ransomware news because there's been a bit going on actually and I guess we'll kick it off
With lock bit and it looks like what's left of Lockbit has been
owned like their leaked site got defaced with like crime is bad or whatever.
Yeah, don't do crime, crime is bad, xoxo from Prague with a link to all of their leaked
data.
I mean, surely this is the nail in LockBit's coffin.
They haven't been the same since they faced a serious,
you know, five-izing a while ago.
And you know, God, how embarrassing.
Yeah, yeah, it's not great.
I mean, they have reinvented themselves in the past,
as have other ransomware gangs,
but yeah, it's not particularly a great look.
And I think there was another ransomware crew
that got taken out with the same message.
I wanna say a month ago, is it like that?
I think we reported on it.
I don't remember which ransomware crew it was,
but yeah, clearly someone has taken a swing at them.
And that whole kind of,
the stalwarts of the ransomware as a service ecosystem that we've grown used to over the last three or four years of ransom wearing,
you know, wheels are kind of falling off, you know, things are getting a bit more difficult for them.
And yeah, I guess this iteration of Lockbit also has ended badly by the look of it.
I mean, Lockbit with a Coca-Cola of ransomware, right?
Like they were the giants, they were responsible for, you know, as ransomware as a service platform, responsible for so much of the
activity going on. And you know, ever since they were taken down and they've sort of reconstituted
it just hasn't been the same. Yeah, this is bad. And also, you know, we've seen some more Conti
leaks, including videos from like inside private planes and things like that. And you know,
this is just more fuel for the CTI types who say thank you very much you know ingest and analyze all of this
data and you know bad bad bad. Yeah yeah it's kind of funny stuff this particular
someone is leaking this on to X and we don't really know how authentic it is or
any kind of origin of where the data came from but it seems like someone has
hacked their Instagrams maybe and has pulled a bunch of maybe unposted, maybe deleted or private posted
or whatever stuff from Insta. And either way, very funny regardless of exactly how and who
and what the motivations are.
Now of course the big ransomware story that's been in the news the last few weeks are these
attacks on the retail sector in the United Kingdom. So we've got Marks & Spencer, we had what someone went after
Harrods as well, didn't get very far in the case of Harrods. Co-op as well has
been owned. Now all of these attacks, what's been interesting is there's been
early coverage saying yeah this was like scattered spider-esque activity using
Dragonforce ransomware as a service a service to actually deploy this stuff and try to make their money and monetise.
Dragonforce though keeps now being reported by a bunch of media outlets as having been behind the attack, which isn't really quite the case.
The interesting thing here is the affiliate appears to be, as best we can tell, young Westerners, right? Like not hardcore cyber criminals operating in Russia
or whatever, these are like hardcore young people
who just are all gonna get caught.
But what's interesting here is Dragonforce,
well first of all, tell us about Dragonforce
because you know, you've done a bit of research,
done a bit of a look at them over the last few days
and they're a bit different to your typical ransomware as a service organization, aren't
they?
Yeah, Dragonforce is a crew that started out as...
I think Malaysia was the origin story for some of their early work, but it's turned
into a pretty standard ransomware as a service operation.
They're built on top of
earlier Lockbit and earlier Conti ransomware tooling, built their own platform to run it,
but they've kind of pivoted into being sort of a white label ransomware as a service tool vendor.
So they're ransomware as a service as a service. Yes. Rassas. Ransomware as a service as a service,
so that you can use components of their tooling. If you wanted to bring your own actual ransomware, but plug into their platform for managing
communications and managing data leaks and whatever else.
It's kind of how you would build applications in the cloud on top of Amazon or Google Cloud
or whatever by taking components of their tooling and then building your own sort of
thing out of it.
So that's kind of where they seem to have pivoted.
But the nuance of ransomware as a service,
ransomware as a service as a service,
groups like Scattered Spider, which are not really a group,
more like a loose affiliation of like-minded people
and all that, like that nuance is all obviously lost
when it gets translated into more mainstream
reporting and you know, the British stuff has been very mainstream because it's targeting, you know, high street name brand retailers
Rather than you know, obscure tech stuff. So the coverage is a little bit murky. I think when you're reading
Yeah, you're reading it in the mainstream
Yeah I mean I did also hear too just from that
You know
I mentioned we got an email from someone who was pretty plugged into everything that was happening in the UK as best we can tell
Like it's unverified information, but they did say that the Marks and Spencer and the co-op
Attackers were using the same C2 which definitely suggests a link there
Now it's interesting that dragon because I'd seen the reports about Dragon Force being being, you know, Malaysian in origin, which makes this next bit of news really confusing because
they've apparently issued a statement, this is DragonForce, saying, whatever you do, don't
hit targets in Russia.
You know, don't hit critical infrastructure, hospitals where patients, children and the
elderly are kept, or Russia or the countries of the former Soviet Union. And this is something that we've seen Russian ransomware operators, you know, children and the elderly are kept or Russia or the countries of the former Soviet Union.
And this is something that we've seen Russian ransomware operators, you know, say in the
past.
And indeed we've seen Russian ransomware operators get into trouble before because their affiliates
are hitting Russian targets.
But why don't you just tell us like why is this?
Why do they why do some people think these guys are Malaysian?
So I think the earlier iteration of the name Dragon Force was being used by some Malaysian
activist bits and I think...
So it might have been Malaysian affiliates using this?
Yeah, so these things are pretty fluid because we always see them from the outside, not from
the inside.
I think it's just some people were calling themselves that and maybe some tooling got shared or maybe they were using Russian tools.
We don't really know what the kind of glue was, but it seems pretty clear that the current iteration of DragonForce feels like Russian cybercrime
and kind of begat out of the earlier iterations of Russian ransomware as a service.
Because that whole kind of,
when ransomware as a service was at its peak,
that kind of time feels like it's passed a little bit.
And there's been a bit of re-juggling
as they try and kind of make sense out of
how do I make money out of this expertise,
out of this tooling.
And I think the current iteration of Dragon Force absolutely feels like it's made out of Russian
ransomware yeah yeah criminal groups now now a while ago I said like probably
one of the best things that you know intelligence agencies law enforcement
your cyber commands and whatever of the world one of the most effective things
that they could do to cause headaches for these guys would be to take their
tools and then
Do failed ransomware deployments against Russian companies? So gain access
Start spreading the ransomware around everywhere, but don't pull the trigger
So every time I see a statement from one of these groups
Saying oh my god stop hitting Russian targets. It makes me wonder now
I don't know whether or not that is something that would be legally possible for Western agencies to do, but it makes you think.
It does, it would be a good idea, regardless of whether they're actually doing it. It would
be a fun idea and certainly you do get the impression that somewhere, somehow, somebody
is throwing sand in the gears of the smooth operation of the Russian cybercrime ecosystem.
Now on that, sorry to cut you off there,
we've got this great report from Coveware.
And I think this came out May 1st.
So it's a couple of weeks old now.
But it really does take a high level look
at the ransomware ecosystem and basically says that, yeah, these people are
all fighting each other. Their anonymity is at risk. Their entire ecosystem, all of the vulnerable
points in their ecosystem, whether it's money laundering or, you know, RAS or whatever, are all
being pressed on. And it really does paint a picture that the ransomware ecosystem is under a
bit of pressure at the moment, which we love to see.
Yeah, yeah, we certainly do.
And we've talked a bunch on this show about, you know, the vulnerability of that ecosystem is the trust and communication, right?
The way that all those people can work together and, you know, rely on their, you know, the other bits of the ecosystem providing, you know,
on the other bits of the ecosystem providing, you know, bulletproof hosting or anti-denial of service stuff or like all of the other components that you need to build your just-in-time
crime pipeline.
You know, a few years ago, that ecosystem felt like it was thriving.
Now it feels like it's falling on itself and like they're infighting and stealing from
each other and, you know, at least appearing to be infighting, whether or not it's actually real or whether it's Western,
you know, agencies, we don't know. And that, you know, is just slowing them down. And Coveware
had some stats in this write-up about, you know, the kind of lower size of ransomware
payments, the lower overall volume, the lower rate of kind of their success
at getting paid for each campaign.
And all of those metrics are looking great for us
and not great for ransomware crews.
And I think that's just applying pressure on everybody.
Everybody's feeling the strain of things
are not as easy as they were.
And maybe there's other better ways to monetize
these kinds of skills than doing the sort of ransomware
that people were doing in, you know, like 2022.
Yeah.
So the ransomware payment resolution rates are down from like 85% in 2019, down
to like 27% now, but I think the average payment might actually be ticking up.
Anyway, we've linked through to the report.
People can have a look.
The other thing that I found really interesting here was when you look at the CVEs that these guys
are using, right? So, you know, here we go. We've got one, you know, a bunch of 2025 CVEs
are highlighted as well. So there's Avanti Connect Secure VPNs, Sonic Wall SMA 1000s,
Avanti Connect Secure VPNs again, path traversal vulnerabilities in Mitel MyCollab systems, and of course,
you know, it wouldn't be complete without Palo Alto in there as well.
So they've got a nice breakdown of initial attack vectors between remote access compromises,
which are number one at the moment.
You've got phishing, exploitation of vulnerabilities, and internal, which is tiny.
But look, it's a good report and people can click through
and have a look at it.
Just head over to risky.biz, our website,
and you will find the post for this podcast
with all of the links in there.
Now, it was last week or the week before,
we spoke about a SAP NetWeaver vulnerability,
and we were like, this is gonna be bad.
This is gonna be very bad.
And it turns out, Adam, it's bad.
Shocking, shocking development. It is bad, yes. We are seeing pretty widespread exploitation
of internet facing SAP NetWeaver. There's a bug in one of the components called the
Visual Composer. So that's not great, and as kind of as we predicted. But sort of worse than that, it looks like it's Chinese APTs, in fact the same crew that were behind a bunch of other quite successful large-scale exploitation of internet-pacing bugs and stuff in I think some of the Avanti things.
But they're trash. Like these guys are trash. If you look, we've got a blog post from Eclectic IQ and they're scanning for, so there's been a couple of components to this. Like someone's
gone around and dropped web shells on all of these sap boxes, right? So now there's this second wave
of exploitation and who knows if it's the same actor. But one of the actors, you know, scanning
for this stuff, they've got their box just doing all
the scanning and then an open web server on it where you can drop in and like just read
all of their scan results and stuff.
And you just think, my God, man, that's like, aren't you embarrassed?
I mean, you probably should be, but I guess if you move fast enough, you don't got time
for doing it right.
You just got to shell all of the NetWeavers today so that you can go back
and pick them over at a later date.
But yeah, there's a little bit of orcs when you've got the indexing turned on
on your web server full of all of your shell results.
You get a scan probe from some box, you hit it and there's a web server on it
with the scan results in it.
Like, I mean, it's convenient for everybody else.
And like, maybe you want to muddy the attribution for this source incompetence
seems, seems more likely, but yeah, I mean, regardless of how good they are at
their infrastructure, they do seem pretty good at shelling things.
And, um, there's a collective IQ writer has a bunch of, uh, you know, information
about their specific TTPs and
so on.
One of the ones that leapt out at me as being amusing is some of the C2 traffic goes to
a box whose domain name is sentinelonesblueral.com, which, apropos of you talking to Stamos the
other day about there being a team of people in China tasked to attack, you know, Sentinel-1, you know, go on with their customers.
Kind of funny to see their name in the mouth of the set of attackers as well.
So kind of funny just leapt out at me when I was looking at screenshots.
Yeah, we got links to that of course in the show notes as well this week. Now
let's look at a piece by Dan Gooden.
Apparently a software engineer from Doge had an info stealer on their box that was just
popping up, spewing creds out everywhere basically.
Their creds out everywhere.
I mean, again, this ties into what we've said from day one about the way Doge was doing
stuff, which is they're moving fast and and breaking things but they're not being careful and that was going to present problems and you know,
what is this exhibit, you know, exhibit 437.
Exactly, right?
Yeah, yeah.
So this one was initially when I read it, I thought, eh, because the angle was, oh,
this guy's data doesn't have been pwned.
And let's face it, everybody's data doesn't have been pwned.
But the interesting bit is that this is not just like other people's data breaches, you
know, with cred dumps from big sites.
This is data from InfoStealer Trojans malware on people's boxes that is also ingested by
ever been pwned.
And some of the data is, you know, within the last couple of years, which is not a great
sign for someone that is wandering around the US government helping themselves to you know
enterprise admin level access in their SharePoints and in their you know, Office 365 and so on so not a great look and
you know, we don't know for sure that the machines they're using to do their dozing are filled with Infrastealers, but
certainly possible. Well, I mean, there was that news item
we spoke about a little while ago
where they were spinning up new accounts
for government systems, and then those accounts,
Russians were, Russian IPs were trying to log into them
a couple of minutes later and only denied
because of their like impossible travel restrictions.
And your take on that at the time was,
it was probably just using a Russian VPN or something,
some VPN service, but I don't know, man, I still think we need to take a look
at that, honestly.
Yeah, I do not disagree with you. It does not look good. Like there is definitely a
bit of, you know, where the smoke, this fire kind of situation with several pieces of smoke
around here.
Yes, the smoke is wafting from multiple locations.
Now over the last couple of weeks as well, both here and in our Risky Bulletin podcast,
which everyone should subscribe to too. We do three news bulletins a week, which are
put together by Katalin Kimpanu, edited by you and Amberley and sometimes me, and then
voiced by Claire Aird. It's a great little news bulletin for those who are unfamiliar
with it. You can find that by searching for risky bulletin.
But yeah, we've been covering this thing that's been happening in Asia, particularly in Japan,
where hackers have been breaking into brokerage accounts and then using the funds in those
brokerage accounts to buy penny stocks that they hold.
And this is a way to make millions of dollars.
So initially, it was like we were reporting on this because they said it was something like, you know,
$700 million and we were like, oh my God,
that's so much money.
Turns out, Adam, it's actually much worse.
And we're looking at something like $2 billion
in fraudulent trades in a relatively short period of time.
Like that's really quite an issue.
Yeah, the Japanese Financial Services Agency,
the regulator for this kind of thing
has been looking into it.
And yeah, it is definitely bigger than we originally reported.
And that's so the two billion dollar number, I think, is like the amount of trades that have been done.
So we don't have much money the actual attackers are making.
Clearly, it's enough for them to be able to make this worth doing.
But yeah, the fact that it's that much bigger than we thought, and the
Japanese regulator had some stats that said like in previous years, this kind of thing was much,
much smaller. So it has definitely, you know, tracked up pretty quickly. One theory is that
because AI, chat jpt, etc, etc, are so much better now. You can carry out these kinds of attacks
in languages and environments
that aren't necessarily your own,
because you can interact with these systems
much more easily.
And so that's one plausible explanation
for why we're seeing it tick up in,
you know, like Japan, for example,
has historically been quite a difficult target
because of the language barrier,
versus English-speaking, or other things.
So, yeah.
Yeah.
Ryan, Ryan, uh, Ryan Kalimba from Proofpoint is quoted in this piece as saying that.
And I know Ryan, he's a mate and he's been on this for a while.
Like he's been on this from very early on with AI, uh, working at a place like
Proofpoint where they deal with so much phishing.
He's like, man, this is going to be really useful for attackers to, you know, as it
says in this piece, draft, you know, culturally appropriate fishing lures. It's just like, what
an amazing thing for fishes. And one of the regions that he was particularly concerned about was Japan.
So Ryan, looks like you were right there, buddy. Hey, how you going? Also, and yeah, this piece was
written by John Grieg on over at the record, but you had something else you wanted to add there
Oh, I was just thinking like I'm trying to what other countries have impenetrable languages
I thought ah, they're gonna be coming for Finland next. I
Don't think the models are there yet
Let's see
We got a couple of law enforcement takedowns to talk through here.
We got a TechCrunch piece here from Lorenzo, a joint international law enforcement action
shut down two services accused of providing a botnet of hacked internet connected devices.
This looks like one of those residential proxies which are very useful when you want to hide
your origin, but that one's been taken down.
Yeah, so this is AnyProxies,, I think was the retail name that they used.
And this one was kind of significant because they've been around like 20 years.
This is the OG of residential proxies.
And I was also surprised given they've been doing it for 20 years, that the
number of money they made was something in the order of 40 ish million.
I think the, the DIG said $46 million, which for 20 years work, I mean it's more
money than I've made in 20 years.
Yeah, I mean come on man.
At the same time, you know, like for 20 years cybercrime I feel like you could do better
than $40 million.
Yeah, if you're going to be a criminal, like that's kind of the lower end, right?
It does, it does seem.
But either way, they've been shut down.
Of course, they were, I think, Russians.
So I don't know what consequences they will face.
But yeah, I mean, just continuing
that whack-a-mole of internet crime kind of components.
Because this is another example of Russian cybercrime bits
that are just really useful when you want to go to a crime.
You'll be able to buy access from residential IPs
in another country near your victims.
Yeah, and meanwhile, Dorina Antoniuk, also over at the record, has reported that a few
dudes have been arrested in Poland and they were operating like a stressor botnet
kind of thing.
And, you know, you could give them like 10 bucks and they'd hit a target for you.
I think, was that this one?
Yes.
Yeah.
Yeah.
Yeah.
It was pretty cheap.
They had a lower than 10 euro service or something like that, which I don't know
how much DDoS you get for 10 euro, but I mean, how much do you really need?
You know? Well, I mean, if you, you know, if you're not paying for the DDoS you get for 10 euro, but I mean, how much do you really need, you know?
Well, I mean, if you, you know, if you're not paying for the bandwidth, like you can
sell it cheap, right? So yeah, that's kind of the idea.
This is just worth a quick mention, but you know, there was a PowerSchool, you know,
this is a company that makes software used by schools.
There was a PowerSchool breach a while ago and data was ransomed and they paid.
And unfortunately, it looks like now the people who have that data are going back out to the schools and
ransoming them again. So it looks like this is one of those instances where
paying for deletion just they didn't do it. Most of the time they do and the
reason they do is because they need to be credible when they're asking for
money next time. So I'd imagine there would be other data extortionists who would be quite cheesed about this actually.
Yeah, yeah.
We don't really know exactly how it all worked out, like whether the data was available in
multiple places, like whether, we don't know if it's the people who took the payment also
now doing the subsequent round of extortion, but either way it impacts their reputation.
I imagine they are, as you say, probably quite cheesed off at whoever is behind it if it's
not them.
And if it is them, like maybe they've reached the end of the road and they've decided that
they are going to exit the market soon, so they may as well cash out as much as they
can with the data they've got right now.
Regardless, it still sucks for the schools and the parents and the children and the victims
involved in this campaign.
Yeah, that one was from Kevin Collier over at NBC.
Back to the record now, and Alexander Martin has reported that the EU is launching a vulnerability
database, which is interesting.
So it's kind of been written up as like, oh, NVD is looking shaky and that's why this is
happening.
But really the plans for this, according to our colleague, Caroline Kempanu, the plans
for this were sort of laid out in 2022.
But I think it's a good idea that an organisation like ANISA, which is the EU's cyber security
organisation actually spins up something like this because the stuff in America doesn't
look as reliable or, you know, as it used to.
Let's put it that way.
Yeah, I guess whoever was behind this, starting this in 2022, probably feels quite vindicated
now.
Like actually, yes, Europe probably does need a little bit of independence, you know, from
the US and from other countries, you know, they're going to use the Chinese vulnerability
database.
So yeah, probably feeling pretty forward thinking.
And you know, if the outcome of the madness in America
that it is, we do end up with a more distributed,
more resilient kind of set of international infrastructures
like this.
Because I can imagine Australia and New Zealand,
for example, using the European vulnerability database,
as well as the American one, as well as other countries.
One is much like we now have multiple satellite navigation
networks, and people can rely on GPS and whatever one as well as other countries, one as much like, we now have multiple satellite navigation networks
and people can rely on GPS and whatever
the European one is called and whatever the Russian,
GLONASS, the Russian one, you get multiple ones.
So it's probably good overall.
Yep, and we're gonna head towards the finish now.
We've got a few items to go, but we've got a couple of,
these are these stuff, these things that I never understand, which is like, basically we got a spect items to go, but we've got a couple of these stuff, these things that I never understand, right?
Which is like, basically we've got a spectre style attack here.
Walk us through it.
This one's from Vusec.
Yeah.
So there's these researchers from Vusec, which I think is there Amsterdam, a Dutch, looking
into a kind of a variant of spectre memory side channel attacks.
So the thing that they have done here
is they have figured out how to essentially bypass
some of the constraints that we were relying on,
some of the mitigations we were relying on
to prevent side channel leaking
across trust boundaries in modern CPUs.
They've come up with essentially some tricks
that can bypass
basically all of the existing specter side channel mitigations. And this means that they've got
they have sort of a generic technique that crosses circumference sort of the architectural controls where you shouldn't be able to influence in this case the branch prediction from
some user space to kernel space, for
example.
So they've got some things where you can train the branch predictor in kernel space and then
use that to leak information about what it's doing.
They've also found in the process of this research some CPU bugs that they can then
use to do this, in some cases, across guest-to-host hypervisor boundary.
Yeah, they've got a POC where they can leak hypervisor memory
at 8.5 kilobytes a second, which is gonna be like...
Yeah, which, you know, that's like...
The research is pretty dense, like it's quite heavy going
if you're not familiar with all of the previous work
on side channels, but the end results are pretty convincing,
which is like, wow, yeah, hypervisor, you know,
from a guest up to the hypervisor
onto other virtual machines, not a great look.
And right up to really modern Intel hardware as well.
So that's some great research.
And I pity the people who run cloud infrastructure
who now have to think about this.
Yeah, yeah, that's what I mean.
It's hard enough for me to just think about it
for five minutes talking to you about it.
But yeah, all these speculative execution things are confusing to people like me and we've also got another one and there's something similar from
What is it a Zurich? Yeah, it is Zurich. So this is basically the same
Targets of the branch branch prediction in the CPUs and being able to use that to leak memory
But the ETA Zurich research essentially is a race condition
between when you train the branch predictor,
because I mean the guts of all of these bugs is
you set up the branch prediction in the CPU
and then you let it run code that you want to learn about
and you infer the behavior of that code
by looking at how the branch predictor change state.
And one of the ways that we've worked around this
is by flushing the branch prediction case
when we transition between security boundaries.
So when you move from executing guest code
to executing hypervisor code,
the CPU is meant to be able to throw out
the state of the branch predictor and carry on.
This is a race condition in that process
where the results of branch predictions
that were in flight at the time of the transition
between security zones land after that zone transition
and still impact the state of the cache.
So that race condition means that they can influence
across those security boundaries
and their proof of concept is also pretty compelling.
It's like, I would like to read the system password file
on a Unix box.
Okay, well I mean that's pretty handy.
Yeah, so there's a lot of nerd crap
in these kind of reasons.
They're like super academic, really dense, hard to read.
But the proof of concept, honestly pretty straightforward to understand.
Run, command, receive, root, password, hash, pretty compelling.
Yes, I would agree that's compelling. And apologies to them for calling them ETH Zurich.
The cryptocurrency people have melted my brain.
It is ETH Zurich, of course.
A fun one here, very much at a different end
of the spectrum, which is a slide deck from Black Hat Asia
from April looking at some work a group of people did here.
What's the name?
PC Automotive.
Three researchers, Paulina Smirnova, Mikhail Evdokumov,
and Radu Motspan.
I'm very sorry I massacred your names, but they looked at
doing some security research against a Nissan Leaf, like a 2020 model, and
they could go from Bluetooth to like starting the car.
So, you know, a bit of stunt hacking here, but a really great slide deck with a walkthrough on how they did it.
Yeah, and I mean honestly like going through their research,
I felt this is beyond stunt hacking.
This is actually pretty legit.
Oh, but you know what I mean.
The concept is stunt hacking.
But yeah, it is a good write-up.
Yeah, and so they bought essentially the head end guts
and telematics units and stuff from an S&L,
and then reverse engineered firmware every step of the way and circumvented all the
controls that got in the way and then found memory corruption
via Bluetooth, turned that into command exec on the head end
from there, shelled towards the like CAN bus interface that
talks out to the rest of the car, got code exec on that,
figured out how like the CAN bus message filtering worked.
Bordered test, like the sort of thing that mechanics
would use to send undocumented proprietary CAN bus commands
for the leaf.
Reverse engineered those so that they could get out there.
Net result, whole thing end to end.
Bluetooth, it's not quite zero interaction.
You have to be on the network setting screen
and they're like, yes, we can denial of service the Wi-Fi
so that someone goes, why isn't this connecting,
goes to the Wi-Fi connection screen
and then that's all that's needed
to trigger the Bluetooth bugs
and then onwards from there to route
on the infotainment system and full access to the CAN bus,
control the steering, control the doors.
It's impressive work and they must have had so much fun doing it as well.
So good work.
Yeah, I like how they just went to a wrecker, an auto wrecker and just like grabbed one
of these things and stuck it in a rack.
That's pretty cool.
And we've got just rubbing my temples, right?
What week of risky business would be complete
without talking about some Avanti and Fortinet bugs?
Hey!
Yeah, yeah, so we have Avanti's endpoint mobile manager,
endpoint manager mobile, whatever it is product.
They have some high CVSS bugs in it.
They are blaming open source code that they put in there.
They won't say which open source code, just trust us.
We're getting shelled again, just trust us.
I think Catalin wrote in his script, it was very dry.
I was like, you know, they blamed a bunch of libraries.
They have not named the libraries.
Yes, yeah, exactly.
If you're an Avanti customer,
you are well used to getting owned
and having to patch your stuff.
So go patch your stuff and probably roll into response again.
And then, yes, of course, our friends at Fortinet,
they've got a stack based buffer overflow in the year 2025 of our Lord.
Stack based buffer overflow in like half a dozen products that you would have in your network edge
Including their NDR product, which is just
For those following at home that the NDR stands for network detection and response
So I mean look look to be fair to be fair like NDRs are pretty usually pretty good targets because they have to pause
So much right so they're full of parsers, but still you know woof
Yeah to pause so much, right? So they're full of pauses, but still, you know, woof. Yeah, it's a little bit orcs when you buy your security products, put them on the edge
of your network and then they are the things that get you shelled. So yes, there are a
stack of bugs and the list of products that are affected is pretty huge. The camera products,
their video recording products, N India, mail filtering stuff.
So it's just gross.
They've got a few IOCs,
because of course people are out there
exploiting it in the wild.
We have to assume it's probably Chinese APT as usual.
And they are doing the thing where they like,
the exploitation will also dump log files and stuff
so they can get them later.
And presumably that's for, you know,
if you even if you do manage to evict them,
they've still got an option to go pull enough data
to get back in much like we've seen with other products.
So yeah, pretty standard Fortinet owning day
for Fortinet owners.
Well, mate, that actually brings us to the end
of this week's news segment.
Thank you very much for joining me.
Great fun as always, and we'll do it all again next week. Yeah, we certainly will and I'm sure there'll be yet more footnet bugs for us to talk
about. What fun, yay! That was Adam Boyle-O there with a look at the week's security news. It is
time for this week's sponsor interview now with Travis McPeake who is the founder of Resourcely and Resourcely is an interesting company that makes a
platform that helps you to generate and wrangle terraform right so instead of
your terraform being a complete mess with no sort of procedures there for you
to actually spin up infrastructure Resourcely absolutely solves that
problem but we're talking to Travis today because he has built something new as part of resource-ly which is a the
platform can now fix things right. Now you might say okay and we get into this
in the interview you might say well you know whiz can remediate a lot but as
Travis points out it is a brave cloud admin who selects remediate all with whiz
and just hits the go for it button because that's a recipe
for a really bad day. So he's taking a different approach to
try to more systematically eradicate the source of
problems and the source of misconfigurations in an
environment. So here is Travis McPeak telling us all about
resourcefully fix enjoy.
I think security people rightfully have a ton of anxiety because they have this giant
cloud environment. They go and log into their CNAP dashboard and the thing is just, you know,
red with pages and pages and pages of stuff that they don't have the ability or time to address.
And then they need to do something. Like sometimes when you buy a CNAP, you actually
create a new problem because before you were flying blind, life was good.
You were blissfully ignorant.
Now you buy the solution.
It's like, Oh crap, there's a ton of risk.
And to the extent that you have a funded security team, the job of that team is
to reduce risk for the business and do so in a way that's quantifiable and
provable to leadership, then you get more funding for security.
So that's really why we've built fixes to answer that customer question of how
do we clean up all of the security issues in our brownfield cloud?
Okay, I mean that sounds great, but why
Wouldn't you just use the incumbent solutions out there like whiz or whatever like it seems like maybe you're a little bit late to this party
Like you know isn't that a solved problem? I guess is what I'm getting at. Yeah, so if you
Let's say that whizz had perfect remediation
for every single issue.
So every Cloudmask configuration that they showed you
in Wizz had a little button that you can toggle
that would say, fix this.
They do have that for some,
but let's say that every single one had it.
What security team would have the confidence to go in there
and select all and apply?
Like if you do that, you're gonna cause not just one outage,
you're gonna cause 10,000 outages.
You're gonna be buried in outages for the next 10 years.
Stuff's gonna be on fire like immediately.
Yep, yep.
And I have friends that have run those kinds of projects
where they just started remediating stuff.
They didn't coordinate with devs and it caused outages
and people told the security team to stop.
So yeah, this is really what we're adding
is the ability to coordinate those changes
in a way that's careful.
So one of the projects I ran was ReboKid.
We would actually go and coordinate with developers, ask them, is it okay to make this change?
Sometimes they would say, come back at this later time and make the change.
Then we'd make the change and we'd communicate that we did it and we'd give them a big button
they could press if something was messed up, they would put it back to where it was.
That's really the bit that all of these platforms are missing.
If you're an advanced company, then you might build this yourself.
You might, uh, implement like a SOAR type of tool to do this kind of coordination.
But our position is that you should just have one solution that will both make
the change for you and also do all of this coordination.
It's very manual.
You have to track things in Google sheets and do a bunch of manual Slack reach outs. So we're implementing all of that in one place. Yeah, for those who aren't familiar,
like Travis was on the show something like five years ago when he worked at Netflix,
talking about repo kid, which was a really awesome like open source project. I mean,
you develop for internal use, developed it for internal use at Netflix, but open sourced it. And
use at Netflix, but open-sourced it. And what it would do was monitor like AWS, I think in that instance for unused, like IAM roles, right? Like unused permissions essentially. And it would just
take them away if nobody was using it. So, okay. So going back to this, yeah, the idea being that
you have a third option, right? In the case of some sort of cloud security issue.
So the traditional options have been,
okay, that's great, don't touch it, leave it alone.
And the other option is like, okay, auto remediate that,
cross your fingers, hope for the best.
So I guess what you're proposing here is a third option,
which is like, okay, kick off a workflow here
that's gonna see this thing get fixed.
Like that seems like a management issue, not like so much a hard tech issue.
Like in your platform, when you, when you decide to kick off a remediation here, how
does it know which developer to reach out to and like, what, what does the platform
do then?
How do you actually skin this cat?
Yeah.
So ownership is, is hard in all aspects of security.
It's unsolved in many companies. Hence the question. Yes, yes, yes.
Exactly. So, so we can pick up some, some breadcrumbs. So for example,
if it is managed in infrastructure as code, we're going to get some signals.
Like this is the person that made the pull request for it.
This is who reviewed it. This is who touched it last. Uh,
if you are deploying directly to cloud and you can look at things like cloud
trail in some cases though, like in a lot of companies, security just has a hunch.
Like, oh, this is part of this application.
You know, we've dealt with this, this particular developer on this application
before let's just go and ask them.
But like I said, it's extremely manual.
Yeah.
Okay.
So, um, so how does, how do you do it then?
Like what's the, what's the user experience for an admin who is trying to remediate
some issue that's that this thing's identified? You know, what do they then do as the person driving
your platform?
Yep. So end to end, what we're going to do is they're going to pull up some systemic
fix they want to make across the board. We're going to apply SCPs. We're going to get rid
of this particular class of whiz finding. We're going to get rid of IAM users, whatever
it is. We're going to pull that in. We're going to make a list of all of them.
That is not secret sauce.
Like we all said, visibility solved.
But then at that point,
we're going to ingest these signals of ownership.
That's going to get a bunch of them.
The ones that aren't, you're going to have this list like,
need to figure out the owner for that.
If you have a guest, you can send it out.
It'll send a Slack message, email.
Developer will get something that's basically like,
cloud security wants to change this. Are you responsible for it? They'll'll send a Slack message, email, developer will get something that's basically like, cloud security wants to change this,
are you responsible for it?
They'll get like a nice easy button.
And then if they confirm ownership, great,
you have the right person you're coordinating.
Sometimes that person may not even know.
And then they'll just throw it back to security
and you can continue triaging.
In a lot of cases, they say, I'm not the owner,
this other person over here is.
So instead of, again,
security having to do this weird Slack dance, we'll just automate it for them. And is that the touch point for most of the developers?
It's through Slack or is it like email or dare I say it, God forbid, like Jira tickets or something
like that? Yeah, exactly. Yeah. I thought you were going to say teams. Yeah. Yes, those things. So
what we've learned is developers do not want to log into a security tool and operate out of there.
They want to operate with the tools that they're already using,
whether that be GitHub, Jira.
That's, you know, in a lot of cases when we say we're doing DevSecOps,
that's what we mean is we're going to file Jira tickets
because that's how developers consume their work.
But yeah, we are going to give them easiest communication, lowest friction.
You know, even in the case of a Jira ticket today,
you know, you have some CNAP issue, even in the case of a Jira ticket today,
you know, you have some CNAP issue,
status quo is you create a Jira ticket.
You have some way of assigning that Jira ticket now, right?
If it has a 10.0 CVE vulnerability on it,
you're gonna find out really quickly who's the owner.
But there's instructions.
Log into the console, do this thing, and then change this.
Now you're multiplying that tax on a developer
figuring out how to change their infrastructure on every single developer on every single change you need to make.
So instead of doing all of that, we'll give them a fix it button that'll just go make the change for them and then tell them it's done and give them a unfix it button if it's broken.
Yeah. Okay. So like one example you just gave was like these SCP guardrails, which are that that's an Amazon thing, right?
Yep. One example you just gave was like these SCP guardrails, which that's an Amazon thing, right?
Yep.
Yeah, see, I'm old enough that all of this cloud stuff
is still newfangled and confusing.
But I'm guessing there's gonna be other examples of,
you mentioned like classes and categories of issues
that might be exposed through like whiz, right?
Like what are some of the categories of issues
that you're sort of targeting with this, right?
Because I'd imagine you've got your classics,, you know, you've got your classics like open buckets.
You've got other stuff like, yeah, like these guard rails and whatnot.
But what are some others?
Yeah, so anything that's internet facing is worth at least a look.
Maybe those are designed to be in internet facing, but in those cases,
you'd at least like documentation about why they're internet facing.
And it's not just a mistake.
So all of those, open databases, open buckets,
open virtual machines, any of those would be one class.
And then there's just like common,
awful cloud misconfiguration.
Like IAM users had a place in time.
That place in time was 10 years ago or more.
And today they're just a big tax on your environment.
If you get compromised in cloud,
it's almost certainly gonna be some IAM user static key
that leaked somewhere and then now they're in your cloud.
So any of that kind of stuff, lease privilege,
scoping down IAM rules, applying backups,
making sure that you're replicating things across regions,
making sure that your logging's turned on
all the places you expect.
Basically, like any cloud configuration
that security wanted to have, we're
going to go and assist them in getting their cloud
converge to that state.
Now, one thing you haven't mentioned here, which is
staggering, is AI.
Surely, it's a new feature in a modern security product.
Surely, it uses AI, Travis.
You know, it's not a major focus.
We do not want AI vibe changing your cloud properties.
We, that thing should be done deterministically. It should work really well.
But what we can do is we can use AI cleverly to assist with some of the, the
triage, you know, who's the right owner for this thing, and then also move
things up and down based on context.
So for example, if we see that something that's public facing has stuff around
it that indicates it should be public facing,
then we can add that as notes.
And maybe you don't even bother fixing that thing.
Or you just suggest to the user,
hey, it looks like this thing's deliberately public.
Here's what AI found about it.
And then they can decide the right thing to do.
All of these just reduce human labor for it,
but it's not actually gonna go and make the cloud changes
because that's terrifying.
So Travis, like I believe also, like we can't go through this interview without
discussing your motivations for doing this.
And I believe a primary motivator for you, uh, developing this feature set is
rage rage.
Yes.
Yeah, absolutely correct.
Share with us your anger, uh, right now.
It's, it's, it's, it's a safe space.
Yes.
So security teams that buy a scanner and then file Jira tickets and tell developers
to do all of the work, in my opinion, are adding zero value to the organization. Like
you do not need security in the loop at all. If that is the value that you provide, then
we should just riff the entire security team. What the security team should do is apply
their knowledge of security and then help reduce risk
in a way that's quantifiable. If you can't at the end of a year go to your leadership and say, hey,
we eliminated these classes of issues. These are not things that we have to worry about anymore.
And that was the number one, two, and three on the top cloud misconfiguration list. Then your
security team is not pulling their weight. And I see way too many security teams that are, one, happy with just filing a ticket and calling a day. And two,
they don't even think about that kind of risk remediation. They're thinking about whatever
the compliance auditor is going to come and check so they can have a clean report. And then you
might have an open bucket or an open database that's on the internet that has your crown jewels.
That's not considered a vulnerability.
But if you have this CVE-5 over here
in some system in your sandbox,
that thing's gonna be remediated
because that's what compliance auditors check.
Yeah, yeah.
I mean, yeah, yes.
But I guess, you know, I guess really to sum it up then
as we wrap it up, I mean, this is much more,
I mean, I hate using these sorts of terms,
but it's like kind of more like a shift left idea, you know,
get to the root of a lot of these things that are bubbling up into your cloud
sex scanners and panels and you know, and just being able to, to yeah,
eliminate classes of, of issues rather than just playing whack-a-mole, right?
Yeah. I've always said if you have a security tool and that security tool is telling
you everything's on fire all of the time, what happens? It's just, it's natural human instinct.
We become desensitized to that thing. So we're like, okay, dashboard says we have 12,000 issues.
Like, I guess we're just going to have 12,000 issues. And then people stop paying attention
to it at all. And so you should either take a whole class of issues and say, we're never going
to fix this and make those issues go away from the dashboard.
So you stop looking at it, or you should reduce the risk of those issues.
If you, if you have a thing that's just blinking red all the time,
everybody's going to ignore it and nothing's going to happen from it.
I mean, you're speaking fluent VM. Right now you're speaking fluent,
vulnerability management. It's just amazing that like,
when I talked to nucleus about their stuff, stuff, their vulnerability management platform, you know,
a big thing they say is like, once you get that visibility, you can start looking for root causes.
Why does this division in the company produce these sort of bugs and this division doesn't?
Like what can they learn from each other? And it seems like a similar sort of mindset here.
Travis McPeak, thank you so much for joining us to walk through Resourcely
Fix. Sounds very interesting and I wish you all the best with it.
Thank you.
That was Travis McPeak from Resourcely there. Big thanks to him for that. And that is it
for this week's show. I do hope you enjoyed it. I'll be back soon with more security news
and analysis. But until then, I've been Patrick Gray. Thanks for listening.