Risky Business - Risky Business #792 -- Beware, Coinbase users. Crypto thieves are taking fingers now
Episode Date: May 21, 2025

On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news:
TeleMessage memory dumps show up on DDoSecrets
Coinbase contractor bribed to hand over user data
Telegram does seem to be actually cooperating with law enforcement
Britain's legal aid service gets 15 years worth of applicant data stolen
Shocking no one, Ivanti were weaseling when they blamed latest bugs on a third party library

This week's episode is sponsored by Prowler, who make an open source cloud security tool. Founder and original project developer Toni de la Fuente joins to talk through the flexibility that open tooling brings. Prowler is also adding support for SaaS platforms like M365, and of course, an AI assistant to help you write checks!

This episode is also available on Youtube.

Show notes
TeleMessage - Distributed Denial of Secrets
How the Signal Knockoff App TeleMessage Got Hacked in 20 Minutes | WIRED
Coinbase says thieves stole user data and tried to extort $20M
Hack could cost Coinbase up to $400M: filing | Cybersecurity Dive
Severed Fingers and 'Wrench Attacks' Rattle the Crypto Elite
Money Stuff: US Debt Rates Itself | NewsletterHunt
2 massive black market services blocked by Telegram, messaging app says | Reuters
Telegram Gave Authorities Data on More than 20,000 Users
GovDelivery, an email alert system used by governments, abused to send scam messages | TechCrunch
ATO warning as hackers steal $14,000 in tax returns: 'Be wary'
Hack of SEC social media account earns 14-month prison sentence for Alabama man | The Record from Recorded Future News
19-year-old accused of largest child data breach in U.S. agrees to plead guilty
Beach mansion, Benz and Bitcoin worth $4.5m seized from League of Legends hacker Shane Stephen Duffy | 7NEWS
Pegasus spyware maker rebuffed in efforts to get off trade blacklist - The Washington Post
Ransomware attack hits supplier of refrigerated groceries to British supermarkets | The Record from Recorded Future News
UK government confirms massive data breach following hack of Legal Aid Agency | The Record from Recorded Future News
Ivanti Endpoint Mobile Manager customers exploited via chained vulnerabilities | Cybersecurity Dive
Expression Payloads Meet Mayhem - Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428)
Transcript
Hey everyone and welcome to Risky Business, my name is Patrick Gray.
We're going to check in with Adam Boileau in just a moment and talk about the week's security
news and then we'll be hearing from this week's sponsor.
Toni de la Fuente is the founder of Prowler.
Prowler is an open source cloud security platform which is really awesome.
It's also a company but Toni is
going to be joining us later on today just to talk about the latest open source completely free
release of Prowler and some associated tools and like a portal and whatnot. It's very cool stuff.
So yeah, Toni's basically coming along to give you all free beer. So stick around for that one, very interesting.
But we're going to get into the news now, Adam, and we've got a bunch of really awesome stuff to
talk about. Let's start with the fact that DDoSecrets, which I guess is, I mean, you would call
it like a leaks site run by Emma Best. It's Emma Best, isn't it? It is, yes. Yeah, run by Emma Best. Apparently got
its hands on 400 gig of like heap dumps from TeleMessage's message archiving
servers. They've zipped them up, put them online and if you're a journalist or a
researcher you could write to them and get access to those messages, but who
knows what's in there. It seems like it's gonna be a can of worms that is going to be opened very shortly.
Yeah, yeah, it certainly is. The specific details of how that hack went down have also kind of come out and that's really interesting.
Micah Lee did a guest piece for Wired kind of talking through this process.
And it turns out that the person who, you know, stole
message content, stole these heap dumps from TeleMessage, the headline is it took 20
minutes and like actually now reading the story, yeah, it really did. This person pointed like a
brute force discovery tool that just makes a whole bunch of web requests to a web server and finds endpoints
you know that maybe they didn't think about.
The TeleMessage back end is written in Java and they're using the Spring Boot framework and one of the common
misconfigurations in old Spring, or in Spring Boot, or in particular an old Spring Boot, is
there is an endpoint that lets you dump the heap memory of the Java process
for debugging purposes or whatever else. And in old Spring it's on by default and
not controlled, like authenticated by default, and in more
recent releases you have to make sure it requires auth. And yeah, somebody
found this with a brute forcer and just started scraping memory every few
minutes. So they would get like, you know, 150 meg dump every time they hit this endpoint.
They presumably sat there in a while loop,
scraping 400 gig of memory out.
And that's how they ended up getting messages
that were going through the server,
along with creds and all sorts of other, you know,
interesting bits and pieces in there.
Well, the creds bit is interesting, right?
Cause you skipped a part here.
And by the way, for anyone who's lost,
lost about what TeleMessage is,
for those who haven't been following this story, TeleMessage
is the Signal clone that archives messages in a very insecure way and was
being used by like the National Security Advisor to the United States President
and blah blah blah blah blah. But you missed a part, which is where they
went and had a look at like their admin panel, which is secure.telemessage.com
and discovered that the way that they were handling
passwords and I read this story, I had to read this a couple of times to actually understand
what they were saying because I'm like it just didn't occur to me that it was like as written.
But yeah they're doing client-side MD5 hashing of passwords then submitting the hash. So not even
hashing the passwords on the server which meant that if you scrape a hash
out of a heap dump, then there you go. You just use that to log in with.
Yeah, the hash is the password. Yeah. Yeah. Yeah. Which is the sort of thing you see when you get a
developer that is kind of cargo culting security. Like they know they should use hashing or something
when they're doing password submission, but submission better and really understand the specifics of why
Yeah, not not entirely surprising, but yeah, it does seem that
You know that piece of software was probably pretty old and you know
There's been a whole bunch of bugs in the Spring framework over the years.
But this particular one like the heap dump endpoint
Is pretty well known and you wouldn't have to get
like I don't even know if a pen test is necessary to find this. Like even if you
ran like some like off-the-shelf, like I'm thinking like this is probably the sort
of thing that like, you know, Nikto would have found, you know, like a basic scanner
will probably pick it up. So that's pretty embarrassing and then yeah, that's
of course now turned into the 400 gig of dumps
that DDoSecrets have available for people.
So I mean, you don't really expect the story to get stupider,
but I feel like it has.
And yet.
You know, we don't know that there are messages from senior...
I mean, there are messages in this dump, obviously,
but we don't know that there are any messages from senior government officials. I mean it's
entirely possible that they stopped using this application pretty early on the piece
when someone who knew what they were doing saw the initial story broken then just said
oh my god stop using that app. So we don't know quite what's in there. It looks like
people from staff at Customs and Border
Protection were using it and indeed the person who obtained this material
scraped some creds out of a heap dump and logged into the portal as a CBP staffer.
So you know there's gonna be stuff in there. I also think this is a bold move
shall we say from DDoSecrets. In fact you know when I first saw this pop up it
was very early I'd just woken up and someone sent me this.
And I said to you, look, because I
thought it was on the open web, I said, look, grab this
before it's gone in five minutes from now,
because I wasn't thinking clearly.
And then I'm like, maybe we don't want this material
because it's absolutely radioactive.
Of course, I didn't tell you that,
and you lodged a ticket to get access to the data, which we have since abandoned. To any authorities listening:
we do not have that data. We don't want the data. We're not going to collect the
data. But I'm sure you know many media organizations are going to go through
and you know pull out interesting messages that might be newsworthy. From
my perspective I was just more interested to see, to do some secondary
reporting around what those heap dumps looked like, I guess.
Yeah, like what the software looked like on the inside. And you can tell a lot from,
you know, when you've got a memory dump of the server side, you're going to be able to see a
bunch of structural information, you know, and details about dependencies. And yeah, it's kind of,
you know, it's interesting technical stuff, as well as the content that may be in flight where the
dumps were taken.
Yeah, I mean you would have to think that government organizations, particularly like
NSA, needs to get their hands on this material to see what might have been exposed, right?
Because if media's got it, you know, you've got to assume that foreign adversaries have
it as well.
Yeah, exactly.
And of course, this endpoint has probably been exposed since this thing went on the
internet. So, you know, we've got a series of dumps from May the 4th, I
think was the date. But, you know, it really could be literally anybody who looked at that
thing with a hacker's eye would have probably spotted this.
They would have had to have known who was using the app though, you know?
Well, I mean, if you pull the dump out and you had a quick look, you'd be like, huh,
this looks kind of interesting.
But yes, who was using TeleMessage, I guess, interesting.
But given the amount of crypto companies that were using it, makes you think it probably
would be a reasonable target for the people who attack that ecosystem as well as nation states.
So I guess instead of looking at these heap dumps, they need to go back and look at the
full archives.
Because they would have those archives 'cause they're TeleMessage
customers.
Yeah.
Which you know, kind of concerning.
Indeed.
Kind of concerning.
That's a, that's a way to put it.
All right.
So, uh, the other big news story of the week is an incident at Coinbase where it
looks like an overseas-based Coinbase support agent was cooperating with some sort of threat actor and
handing over customer data to some extortionist who then tried to ransom it back to Coinbase for
20 million bucks. Now Coinbase has come out and said, no, we're not going to do that. We'll offer
a 20 million dollar bounty to find the people responsible, which I think is fine, you know, good, fine. They are downplaying it a little bit in the
sense that they're saying, well, this stuff might be used in social engineering. Indeed,
it looks like it already has been used in some social engineering incidents. We've got
some additional reporting here from Cybersecurity Dive that suggests they've had a look at SEC
filings and whatnot. And it looks like this might cost Coinbase anywhere from 180 to 400 million dollars between reimbursements
and remediation which is a fair whack of cash. But the one thing that they're kind
of downplaying Coinbase is they're saying oh there might be social
engineering. They're not sort of pointing out that this information is everything
that a thief would need, a violent thief would need to go and
extract Bitcoin from people who just hold it, right?
Like it's got their names, their addresses and their account balances, right?
And it looks like something like 1% of the company's monthly active users.
So there's probably a few whales in there and they are at serious risk at this point,
you would have to say.
Yeah, it's a pretty strange, I mean, the story is strange on a number of levels, right?
It's strange that we're at the point in our cyberpunk dystopia where private companies are, you know, putting up $20 million bounties on people who attack them.
I mean, that's kind of funny in itself.
But yeah, where we have seen this data used in the past, which is, as you say, for like scam emails. If I send a scam email that says, hi, gives you your
full name, gives you your account balances or some kind of information that only the organization
you're impersonating would have, it increases the legitimacy of your phishing attempt or whatever else. But that's a whole other thing when we're talking about physical attacks in the real
world against people who've got immediately transferable assets of millions, hundreds,
millions, whatever else.
It makes it a very attractive target for physical stuff.
We've seen stories of home invasions.
We've seen stories of people being attacked.
And of course there was,
was it Wall Street Journal had a story
about some people getting like,
was like the wife and the kid or something?
No, it was the daughter of someone who runs Paymium,
which is a French cryptocurrency exchange.
Someone, a couple of guys pulled up in a van
and tried to abduct her.
She was walking down the street with her, uh, with her husband and child.
And I mean, it was pretty cool.
The husband, like big ups to the husband because he just would not let her go.
They were beating him over the head and he was bleeding and he just like, would
not let her go and they gave up.
Um, but you know, they, this wall street journal piece documents a whole bunch of
incidents of this happening, including one of the co-founders of Ledger being abducted along with his partner and
actually having a finger cut off.
And this is something that has happened multiple times.
People are actually losing fingers over this stuff.
And I'm glad that's not where I store my wealth because the last thing I need is for my details
and my balances to be leaked in some sort of bribery incident, a la this Coinbase thing,
and then to have a bunch of guys with balaclavas and rubber hoses turn up at my house with
a set of bolt cutters to start chopping off my fingers.
No thanks.
Yeah, yeah, yeah, exactly right.
I mean, there's a reason we kind of invented banking, you know, so that you didn't store your gold
or your treasure under your bed where people could come in and steal it.
And you know, the crypto ecosystem is very keen that we, you know, do things differently.
But there's a reason we kind of do it like this.
I remember 20 years ago interviewing an executive from Commonwealth Bank, which is one of Australia's
major banks.
And he had a John Gertz was his name.
And he would be long since retired by now, I would imagine.
But he was the head of group security.
And this is when, you know, digital threats were becoming more of a big deal.
And he said something really interesting to me back then.
He said, look, banks are security companies.
We've always been security companies.
The whole point is we, you know, you give us your money, we keep it safe.
Right.
And I think about that a lot. But I want to quote from this. Look, I've mentioned on the show
in the past, there's a terrific newsletter from Bloomberg written by a guy called Matt Levine
called Money Stuff. And I'm not particularly interested in finance, but Money Stuff like Matt
Levine is just such a good writer that I read his newsletter because it's often just really hilarious.
And he wrote something really interesting on this in an edition this week and we've
linked through to it in the show notes.
But he said, I think sometimes about the term structure of crypto futures.
Buying a Bitcoin for delivery in seven months costs about $4,000 or 3.8% more than buying
a Bitcoin today. Some of that is time value of money.
I could get interest on my dollars for the seven months, which is probably less true
of the Bitcoin, but some of it is what I have half-jokingly referred to as storage costs.
If I buy a Bitcoin future, I don't have to put the Bitcoin anywhere for seven months.
If I buy actual Bitcoin, I do have to store it. It's not like storing crude oil in that I don't need a big storage tank.
The Bitcoin is electronic and storing it just means remembering the password.
But it turns out that storing your Bitcoins is very expensive.
You have to remember the password and pay bodyguards. Similarly,
I am perpetually baffled by the fact that MicroStrategy Inc is a publicly traded pot of Bitcoin and trades at roughly twice the value of its Bitcoins.
But presumably you won't get kidnapped for your shares in MicroStrategy.
Perhaps that's worth paying a premium for.
Yeah, I mean, yeah, amen, right?
There's, you know, considering whole lifecycle cost is a thing, that you
know, if I held a lot of Bitcoin, you know, you're not gonna see... Well, no, that's
right. So yeah, let's just see if wrench attacks start raining down on the Coinbase
customers. They're about to go public too. So anyway, what a time. Now
let's talk about some more bread and butter infosec here. Tell me about this incident affecting
GovDelivery, which is an email alert system used
by governments.
It looks like someone got their account compromised
and it was being used to send scam messages.
Yeah, that's basically the nuts and bolts about this company
does email delivery for a number of government agencies.
I think in this particular case, it was the state of Indiana.
And somehow their user account with the service got taken over
and was being used to send spam messages out.
They were saying, you know, like, pay your fines here or, you know,
give us money in this particular way,
kind of using the reputation of the government as the as the way to do it.
And I thought that was, it's a thing we've seen done before, but it kind of underscores
the importance of assuming the identity of things that are valid and important and have
some reputation these days.
You can't just spam people and say you're a Nigerian prince anymore.
And these days you have to come from a princely house in Nigeria's email domain or
something to add legitimacy to it.
And we're seeing people do that.
You know, the Coinbase example, exactly that, like getting information to
impersonate Coinbase successfully, same kind of thing here.
Yeah.
And I think this is another interesting example of where exposure to an extra,
like, obviously I would, I would expect that these credentials were
phished somehow, right? From the original user. Yeah, either phished or, you know, like, um,
infostealers, right? You know, but the amount of risk that you've got to deal with from these
external services, like everyone goes, oh yeah, we've got SSO. And then this happens, you know,
because it's great for protecting your internal services and some external SaaS.
But yeah, you got to sort of cover everything and there's not many easy ways to
do that.
Yeah. I mean,
it just underscores that identity really is the critical thing now because
everything's so distributed and you can pop up in interesting places in people's,
you know, software systems because they're all on the internet.
Yeah, I mean gratuitous plug here for Push Security.
We've just actually set it up internally to deal with stuff like this, right?
For phishing risk and it's just, you know, I do sleep a little bit better using it, if
I'm honest.
What else have we got here?
We've got some Telegram related news actually, a lot going on with Telegram at the moment.
They've blocked a couple of massive black market services apparently.
So Telegram seems to be playing ball to a degree that it really wasn't before the French
put handcuffs on Pavel Durov.
They've also released a transparency report where they're talking about how they've coughed
up data on more than 20,000 users, which is like, you know, quadrupled or something
since the equivalent period prior to that arrest. So it really does look like Telegram's doing stuff now.
Yeah, exactly. And about goddamn time. The two services that we were talking about getting shut
down on Telegram, one of them is Huione Guarantee, which is the big Cambodian money laundering front,
which is laundering tens of billions of dollars
for pig butchering scams.
The other one was Xinbi Guarantee,
which is a kind of Chinese language equivalent of that.
So those are, you know,
on the face of it looks like a pretty big blow
for that pig butchering ecosystem's ability to money launder at scale.
Whether there's, you know, a dozen smaller ones that will pop up in their place, we don't really know.
But, you know, our instincts about
that being the place to hit this particular crime type, I think, makes sense.
And the fact they're on Telegram, I suppose, is a good sign that, you know, Telegram really was a haven for all manner of criminality.
What's been really interesting over the last week is watching Telegram trying to
juggle doing things like that, like taking down scam marketplaces and whatnot,
and coughing up data on criminals versus watching them having to maintain a very
pro-Russian line on things like the Romanian election.
Cause you know, before the Romanian election, Durov was saying, Oh, the French were telling
me to censor conservative voices and blah, blah, blah, blah, blah, which, you know, you talk to
Catalin, our colleague, who is Romanian in Romania. And he's like, yeah, no, that's not really what was
what was going on. There were like disinformation networks and stuff, and perhaps there were a few,
you know, users where it's like, okay, these are disinformation things, and, you know, this always
turns into "conservative voices are being silenced" when it's some, you know, Russian bot. And now he's
like offering to go and testify in EU courts and trying to get the Romanian, you know, trying to get
the Romanian election overturned because Russia's guy lost, and, you know... So it's really interesting, this guy is sort of caught between the EU,
who will put him in prison, or the Russians, who will put him out a window, right? So
many things bad, so I guess he has to lie out. But yeah, I don't envy that choice. It's not good.
Yeah, I guess he's got billions of dollars to sort of make up for that. I guess you know
Now let's talk about some pretty sweet cross-site scripting attacks that have
been used to do things like set up mail forwarding rules, which I think is, as I say, pretty
sweet.
Like cookie theft, you know, you need the Drake meme.
Cookie theft, you know, don't want that.
You know, using cross-site scripting to set up mail forwarding rules and dumping boxes. Yeah.
Yeah.
That's more like it.
So this looks like a campaign that is APT28 or Fancy Bear, Russians behind it.
And they've been going around hitting a bunch of open source web mail platforms.
So MDaemon and Roundcube, Horde, Zimbra, the sorts of things that if you are not willing to be
a Google shop or a Microsoft shop,
that you end up running because those are the options.
In some cases, these are bugs that have been around
for a long time, in some cases,
they were slightly fresher ones.
But yeah, the sophistication of the payload
that was being emailed around really is the thing
that was interesting here.
So you get an email and it gets rendered
by the webmail thing in the context of your browser,
then it could do whatever it pleases.
And in this case, they were ex-filling your mail spool
and then also setting up mail forwarding rules
to send your email off to the Kremlin for ingest
into their intelligence pipeline,
which intelligence agencies love that kind of thing.
So I guess good work, Russians. And if you are one of the people that runs this kind of,
like, you know, early 2000s era open source webmail software, I mean, you're
probably already having a bad time, but might be worth double checking you
applied all the patches. I mean, there's a lot of Zimbra out there, man, you know,
especially when you think about governments that don't want to pay all of that money, like maybe in lower cost, you know, countries with
smaller economies that don't want to just, you know, shovel money at Microsoft or Google,
like they wind up using this stuff, right? So apparently this was targeting governments
in Africa, the EU and South America and it was APT28, Fancy Bear living up to their
name.
Yeah, yeah, yeah, solid work, you know, good job, good job Russians.
Yeah, yeah, I just wanted to mention this one quickly,
but we've seen a spate of like fraudulent tax returns lodged here in Australia based on people getting their like myGov accounts
compromised. It looks like it's pretty small, but I do find it interesting that we've, you know, because a lot of this sort of highly organized scam
activity, we don't see a lot of it in Australia, you know, stuff this sort of
fraud because we saw them going after superannuation funds not so long ago as
well and now they're going after tax refunds. So don't know how they're going
to go but it's always interesting when I see these sort of headlines pop up in
Australia because I wonder if we're about to get smashed with a whole bunch of it, or if they're just going to,
you know, give up and go away because our bureaucracies are as frustrating as everyone else is.
That's a good question. We've certainly seen that the scale of tax fraud in the US
has been pretty significant. And it makes sense. It's a transferable way to turn,
you know, personal information or account information into something. I think in the Australian case,
there's kind of like, there's a central,
like myGov, like the government identity part of it.
And then once you've taken over that account,
people can use that to authenticate
for other government services, like your tax returns.
So being able to either cred stuff or info dump
or whatever else your way into individual's accounts, and then you go figure out which ones have things that you know how to monetize.
And off you go.
And some of the scale of tax fraud that was being reported,
it's in tens, fifties, thousands of dollars,
that's reasonable for a day's work.
Yeah, but it's not something that's going to cause a massive pile on.
When fraudsters really dialed in on their ability to defraud the IRS, and they figured
out how to basically industrialize the process.
They were off to the races.
That's what I mean about whether or not they're just going to get bored and go away, because
it's not worth it, and they can pile back into America.
Now let's talk about Eric Council Jr.
He is the guy from Alabama who did the SIM swap and account takeover of the SEC's Twitter
account and he of course was the guy who posted that Bitcoin ETFs had been approved causing
the price of Bitcoin to rise by like $1,000.
Not all that much because I think that news was already kind of priced in. It wound up being announced the next day anyway.
It looks like he was actually paid to do this. He got paid 50 grand to do it.
Yeah, been busted. He's 25 years old and he's been sentenced to 14 months in prison and ordered to forfeit the 50k.
I figure this is a pretty good result for him, if I'm honest.
Yeah, exactly.
Given the kind of high profile nature of this thing, yeah, I mean, 14 months, probably not
too bad.
I'm surprised he only got 50 grand for the kind of amount of risk that he was taking.
And clearly he's probably thinking about that as well at the moment.
But yeah, I guess it just kind of fits into that bigger
picture of, you know, kind of crime as a service in these underground worlds where you can
go and buy, you know, in this case, presumably someone paid him to go down to the Apple store,
buy a phone, go to the telco office, do the SIM swap, plug it in, retrieve the multifactor
auth token that was being text messaged out to the SEC's account and then send it
onwards to whoever had paid him to do it.
Just being able to kind of buy that as a service is a thing that when you see the scale of
– I'm thinking like a scattered spider, that kind of wider crowd.
When you see how they can kind of like glue all those bits together, you know, you can see how they end up in Marks and Spencer and in, you know, all these other kind of
organizations when you can just go buy these services really easily. So, you know, getting a
bit of prison time, I think here is good, also good for deterring other people.
Yeah, but I mean, it is that that's the way that whole thing works, right? Which is
you've got a problem. Well, I know a guy for that. Yeah. You know what I mean? Like that's kind of the,
that's why it's not so much a group, but more of a community, which is like,
Oh, you know, this guy knows how to do that. Like let's loop him in, you know,
it's very modern, very modern structure.
Exactly. Just in time crime groups. Now look,
speaking to someone who is probably going to have a much rougher time,
we've talked about this, this breach at PowerSchool where someone stole a bunch of data relating to school children
and was trying to ransom it back and they paid and then the data got out there anyway
and it's blah blah blah blah blah.
This guy Matthew Lane, 19 years old, a guy from Massachusetts, he signed a plea agreement.
And you know, he's looking at something like nine years over this thing, which is, yeah, pretty serious.
And he got credentials for like a user account
at PowerSchool, logged in and used that
to gain access to data and things.
So, you know, as hacking goes,
not really like, you know, wild zero day,
et cetera, et cetera, et cetera,
like we'd like to think, pretty boring stuff.
But in terms of impact, right, I mean, extorting, using the data of what,
like 60 million kids or something like that.
And whether he did the actual extortion part or whether he passed it on to something else,
we don't know.
But, you know, you have to kind of think about what you're getting messed up in, you know?
And that prison sentence kind of reflects that.
Yeah, but he's 19 years old, brain not fully formed.
Like, I get it. I get that this is a serious thing.
Look, we don't know what his sentence is going to be,
but he's agreed as part of his plea agreement
not to challenge a prison sentence shorter than nine years and four months.
That's according to this piece here by Kevin Collier over at NBC.
But you know, and I don't think it is clear if he was doing the extorting or not. It's, I don't
know. It's just, I hate seeing someone flush their life. Yeah. You know, over something this dumb.
So yeah, I feel sorry for the person extorting children.
It's a funny world somehow, isn't it?
Now, let's look at a piece from 7 News Australia.
And we would actually have to go back to when this guy was 19 as well, or thereabouts.
Because apparently he's in possession of some Bitcoin that was allegedly stolen in 2013
from a French exchange. So the story here is that
this guy in Queensland, which is a state in Australia, has had to forfeit four and a half
million dollars worth of stuff. So that's what looks to be a fairly nice house. An AMG E63S,
which I got to say, little bit jelly there, I am a petrolhead and that's a very nice car. So he's had to forfeit all of this stuff. This is the guy who was previously convicted over the
Riot Games hack. And now the federal police have sort of gone after him for proceeds of crime,
getting him to forfeit all of this stuff, which they say these bitcoins, and he's had to forfeit
bitcoins as well. They say these bitcoins are linked to a theft from a French currency
cryptocurrency exchange back in 2013.
So they don't, they're not actually charging him over that crime,
but they're saying that that's where they came from.
They're not saying that he stole them. It's just that way.
That's where they came from.
These are the proceeds of crime and you need to forfeit all of this stuff.
And I just think, wow, you know, like, is he getting off light? Or is he getting off heavy? I can't, I can't figure it out. He's losing all his money,
but he's staying out of prison.
Yeah. And that, well, I guess it's also like how much of that Bitcoin, you know, because
like the Bitcoin from 2013 is worth quite a lot now. I think they said what like 150 million ish, you know, if you had hodled
all of that Bitcoin. It's kind of funny that, you know, that you can show up and go look,
you clearly did not earn all of this money. You don't have a way to have afforded a 4 million
dollar, you know, house and car and whatever else. So I guess you better hand it over son.
You know, avoiding jail, if you had stolen $150 million,
I think you'd be pretty happy with that as an outcome.
Yeah.
And to be clear, we do not know whether or not he was...
No allegation is being made about whether he actually stole the money.
It's just the courts are saying,
yeah, you didn't work for this money.
But apparently he was, in 2013,
he made 32 grand by selling access to inactive League of Legends accounts. So there you go.
It's your claim to fame.
Full spectrum threat. But yeah, just a fun story there. Now we've got one from the Washington Post,
which says that NSO Group's efforts to lobby
the US government to get off various sanctions, trade blacklists and whatnot, has not been
going so well.
No, apparently a bunch of lobbyists, a bunch of Israelis in the area, Washington lobbyists,
were planning to meet some people at the White House to talk about taking NSO Group off the
Department of Commerce's entity list that kind of stops people from doing business with them.
And there's really a kind of a black mark globally
in terms of trying to do business.
So yes, they were hoping that the Trump administration
would look kindly upon them.
And no, not the case.
They have apparently that meeting got canceled
or replaced with something else.
And yeah, they're gonna go home empty handed.
Yeah I think it's sort of like you can still trade, you can still run your business,
but it's sort of like trying to swim through honey you know when you've got these sort of
restrictions on you. It's not terminal but it's not helpful. It's definitely not helpful.
Now Alexander Martin over at The Record has a report here about a logistics company called
Peter Green Chilled which is apparently some sort of refrigerated logistics company, you know,
cold logistics, cold supply chain logistics company in England, which supplies supermarkets.
And there's been some sort of disruption there, but the company says there's been a disruption,
but not to its trucking.
And it's all a little bit confusing.
Pretty light on details, this report, but you know, you would have to wonder
whether or not this clusters together with the other activity we've seen in
England recently affecting, you know, companies like Marks and Spencer, the
co-op and Harrods, although Harrods got out alive by the looks of things after a
ransomware attempt. But yeah, you do sort of wonder if this is part of the same
cluster of activity.
Yeah.
And even if it isn't, in terms of public opinion and feeling kind of about the vulnerability
of retail and supply chain in the UK, you know, people got to be feeling a bit worried
about that.
I imagine the government is kind of thinking, what can they do to address this, you know,
in a way that reassures people because consumer confidence is, you know, such an important
part of this. It's not just, you know, what technically happened,
who technically did it, you know, being able to rely on, I can get up in the morning and go to
the supermarket and, you know, buy milk. You know, that's the thing that people expect of
their government. So, yeah, it's been a bit of a mess in the UK retail sector lately, and this is
not really going to help that. Yeah. Alexander Martin has another one also at The Record
about a massive data breach at their legal aid organization,
the government legal aid organization there.
So it looks like, yeah, all sorts of sensitive data
has been coughed up in that one.
You know, it's data on everyone who applied
for legal aid since 2010.
Yes, like the scale of that is pretty bad.
They had some kind of, it smells like ransomware,
someone got in, helped themselves with the data.
Well, I'd call it data extortion, not ransomware.
It irritates me when people conflate those two things,
but anyway.
But yeah, they were investigating a breach,
but then it turned out that actually, yeah,
it was more data affected than I thought.
And, you know, these are pretty vulnerable people.
You know, if you're applying for legal aid and it's got details about,
you know, your financial situation, the case that you're involved in,
all of the personal details, like those are people who are, you know,
you don't really want them being victimized again. Um, and just, you know,
for 14 years, 15 years with the data, that's pretty
significant. So yeah, you know, I don't know what you do about that. Like, that's,
you know, you get free credit monitoring? I don't know. Great. Yeah. I think this is
just one more example of where it is appropriate to get some of the more
heavy-duty agencies involved in a response. Yeah, you know, you need to at
least have a team
with the authorities to try to find this stuff
and destroy it.
Yeah, agreed, right?
Because-
Even if that means popping a shell on some hacker's laptop
so that you can get to it and rm -rf their box.
Yeah, well like that's an appropriate response.
That bulletproof hosting provider
that was storing a whole bunch of this kind of data.
Like, yeah, I mean, whatever gets the job done
and gets this stuff, you know, unstolen
to the extent that you can cause data to be unstolen,
feels like a job for the government
because who else can do it?
Yeah.
Now we're gonna wrap up this week's show, Adam,
as we often do, by talking about some Ivanti bugs.
And the watchTowr write-up, again, very, very entertaining.
Take it away, Adam.
We have talked about Ivanti so many times.
So same company, same product, basically the same bugs as always.
There was a bug chain being exploited in the wild to compromise Ivanti
endpoint management, you know, management platforms that people use for mobile devices or whatever else.
Ivanti
patched the bugs and they said in their patch notes that these were bugs in a
third party open source component that they used. And the wording of that was very much like,
this isn't our bug, we are just, you know,
this wasn't our fault, is kind of what they're saying.
watchTowr looked at the patches
and actually pulled apart the bug.
And it's not really as clear cut
as Ivanti would like you to believe.
So Ivanti use an open source library
called Hibernate Validator.
And there was a flaw in the version of Hibernate Validator
that they were using where it was unsafe to put
attacker supplied data into a particular kind of error
message because if you control that data,
then you could put expressions in there that would get
evaluated and leverage that into code exec. So they were using this open source library
in a vulnerable way and a way that's documented. So that was the first bug, which is kind of more
Ivanti's fault than the open source project's bug.
So these are the same bugs that we talked about last week, right, where they were like, oh, it's not...
or did that just come up in Risky Bulletin?
I can't remember.
I think we did mention it last week.
I think on the main show.
So this is the one where it's like,
oh, it's in an open source library,
but we're not gonna tell you which one.
Yes, yeah, exactly.
And then they said there was a second bug
that was like auth bypass that lets you reach this bug.
So what they actually mean is,
they did not put access control on this endpoint.
So you could show up.
Well, that is an auth bypass.
I get, well, no, it's not an auth bypass if there's no auth, I guess.
Well, that's, that's a good question.
Like, is it really an auth bypass if there wasn't any auth?
And is it the open source library's fault that you didn't put auth on this endpoint?
And the answer is no, it's really not the open source library's.
Well, you did not configure it to have auth. That's not on them. That's on you, buddy.
Anyway, so watchTowr have the usual kind of write-up that you'd expect from them, reverse
the patch, figure out the bug, come up with, you know, an exploit for it, a few
good comedy memes in the process, and, you know, egg on Ivanti's face. I don't know, Ivanti's face
is already so covered in egg, what's another egg?
But either way, I enjoyed the watchTowr write-up
and I feel bad for Ivanti customers.
Yeah, and according to a story from David Jones
about all of this over at Cybersecurity Dive,
these bugs have been added to the CISA KEV list.
So good job, Ivanti.
Yes, good job.
Dear, oh dear.
Well, mate, that is actually it for the week's news.
A pleasure to chat to you as always, my friend, and we'll do it all again next week.
Yeah, we certainly will, Pat.
I'll talk to you then.
That was Adam Boileau there with a look at the week's security news. It is time for this week's sponsor interview now with Toni de la Fuente who is the founder
of Prowler.
Prowler is a terrifically popular open source cloud security platform.
I guess you could think of it a little bit like an open source Wiz where you can fire it up, point it towards your cloud infrastructure and
it's going to check for a whole bunch of stuff. I think there's something like a
thousand checks and growing and you know they they do offer a hosted version of
this but you can just run it like the whole platform is open source. If you
want to run it for free you absolutely can. Now, Prowler just released
a new release, a new version of Prowler, of the Prowler platform, and they've also released
a couple of new things called Prowler Hub and Prowler Studio, which are both extremely
worthwhile additions to the project. So Toni de la Fuente joined me, he was not at home,
he was in Madrid, he joined me to talk through the changes to Prowler and here's what he had to say.
Enjoy.
Two days ago we released Prowler 5.6, fully loaded on features and a few,
and two more services slash products, free products.
First of all, now in Prowler 5.6, we have added a new cloud provider. It's
the first time that we add something to monitor that is not a SaaS or infrastructure, let's
say, is Microsoft 365. It's the first thing that we add a pure SaaS to monitor, right?
It's like we have realized that a lot of people
is using Microsoft products
and in top of what we already support like Microsoft Azure,
we support Microsoft 365.
That is to make sure you-
Yeah, I mean, it's probably worth pointing out.
You just started with, you know,
like most people in this space,
you started with AWS and then grew out from there, right?
Now it's like all of the big three cloud providers
and now you're starting to do the SaaS
and the M365 and all of that.
Exactly, on top of AWS, Azure, GCP and Kubernetes,
and on any of those flavor of Kubernetes
on top of those cloud providers,
we have added Microsoft 365 and other providers,
new providers are coming.
So we are adding security checks and detections for Teams,
SharePoint, of course, Entra ID. What sort of stuff are you checking? Are you just checking for like
no auth hyper of users or like what's the idea or checking for MFA gaps, things like that?
Exactly, the security best practices and configurations. And we start by those checks
that are for security best practices
and also covering CIS, Center for Internet Security,
the level one and level two.
And on top of that, we build more controls and remediations.
But our baseline, let's say,
is to support the CIS
for any cloud provider,
but we have more than 40 cloud security compliance
and framework support now.
I mean, what else is there that will do that for free?
Because I can't think, I mean,
there's probably some obscure tool that I just don't know,
but there's not much out there that you can just
use to do this, right?
To secure Microsoft 365,
all the most popular cloud providers,
there are not many tools,
not either command line or with UI,
with an API, with a scheduler
that you have to just configure it,
and the platform is going to do everything for you
once a day, or you can configure it manually,
and get insights all the time
to see what is your security posture.
Right. I don't want to say CSPM because that is very current nerdish, but you know the point is
beyond cloud security posture. Now we do also IAM, we do any flavor of Kubernetes, et cetera,
and growing because the idea is for Prowler
to be the holistic cloud security platform.
Yeah, yeah, you want the whole thing, right?
And that's cool, I love it.
So tell us about also there's,
I got a note from your team over there
and they said you've just launched a couple of things,
one called Prowler Hub and one called Prowler Studio.
What are these things?
Yes, Prowler Hub is a service that we realize we need it
for our community of users, of course, and customers,
which is the main point to know what Prowler does
in terms of detections, remediations, and compliance.
So Prowler Hub is like Docker Hub for Docker images, but for Prowler artifacts.
So, you can go to hub.prowler.com and see all our detections, remediations, and compliance
frameworks by cloud provider, by severity, by categories, et cetera. So, that is the
best way to know what you can do with Prowler, of course, but also to learn
about security best practices, about remediations, about risk, about severity, and of course
about compliance in the cloud.
So this is about taking a whole bunch of stuff that was scattered throughout GitHub and putting
it in one place and actually explaining what it is?
Exactly, exactly.
Basically, this is pulling all the information
that actually we have in code,
but nice and well explained for everybody to consume easily.
Yeah, exactly.
Instead of just like some weird check
that someone's committed to GitHub
that nobody really explained well.
That makes sense. Exactly.
It's something that we needed because it's like,
okay, Prowler does a lot of cool things.
And let's explain well in a knowledge-based way and in a half way, let's say, to the community.
And the good thing of this is a way to learn about cloud security, because also we are highlighting
the new checks and new compliance frameworks where you can get up to date easily.
But also, every single piece of information that we are showing in
Prowler Hub is exposed in a free access API.
So for example, if you want to get,
what is the risk of this problem with this service and this category?
You can pull that bit of information and embed it
in your own application.
So Prowler is the knowledge base and the unique source of truth for cloud security.
I mean, that's going to be handy if you want to kick some of this stuff out into a SIEM,
right?
And actually be able to have SOC operators click on it and say, you know, and understand
whether or not it's a big deal or not, because quite often, I'm guessing you're going to get like cloud misconfiguration alerts that get kicked to some
level one SOC person who doesn't really understand that what they're seeing is a big deal,
right? Is that kind of why you did that? Exactly. What do these do, right? And to understand what
you have to, why this is important, how to perform the remediation.
If we have the fixer, the remediation handy,
the command to do it.
If you have an account in Prowler Cloud,
you can run it directly in Prowler Cloud.
So it's the knowledge base,
let's say the actionable knowledge base.
Yeah, yeah, that makes sense.
All right, now Prowler Studio, what's that?
Okay, something that we have also realized
is that people wants to write more Prowler controls,
what we call checks, right?
And remediations with Prowler Studio is a command line tool
and also a chat bot that you can download it,
you can use it from the CLI or in a Docker container
and create new checks for Prowler.
And remember, this is important because this is totally
different from Prowler and any other CSPM or Cloud Security
Platform.
We do checks pulling that information from the cloud
provider, not just querying our database.
And this is important because the cloud itself
is inconsistent.
And with Prowler, we are pulling that information
directly from the cloud provider.
So with Prowler Studio, you can tell Prowler Studio,
hey, I have this issue, I want to know
how is the security group configured or my workload
to make sure that is secure or not.
And Prowler Studio understands that using AI
and creates the code for you.
The code for Prowler is basically a metadata file in JSON
and the Python code itself using the SDK
for every cloud provider.
Which in theory is very simple,
but we have created everything around it
to give you, in some cases, the
fully working check, but in other cases, about 90 to 95% of the code for you to review, test,
and done.
Run it and detect stuff.
It's real funny you say that because there's another company I'm working with and same
thing, right? Like they use an AI agent to write Sigma and it gets you 90% of the
way there, but you definitely want to have a little bit of a look at it before you throw it into prod,
right? And this is where AI is at the moment, I think, in a lot of these applications, is it's 90%
of the way there, but it's not that, it's just that last little bit of quality assurance. It's not quite there. Yeah.
They, it's not quite there.
It's not quite there.
And even we have tested many different models and still need a lot of work from our side.
I mean, it's like, it helps a lot to, to, to do the job for something that you may take.
It may take two hours now is going to be five to ten minutes.
It helps someone who can do it themselves do the job. When we're there is when it helps an idiot
do that job. Yeah, exactly. So if you don't know about cloud security or the SDK, this is not going
to save your day. So you need to know the stuff, right? But this is, again, this is from something that took three hours, now it's 10 minutes, literally.
So, and you can create your own custom checks
because in Prowler we have our baseline foundation
of controls, almost a thousand controls
that you can see all of them and learn about them
in Prowler Hub, but with Prowler Studio,
you can create your own and contribute them back
into Prowler, but also your custom checks, and you can run them with Prowler without having to push them
into the repo or anything.
You can use them.
That is a feature that is in Prowler from long, long ago.
But now with Prowler Studio, there is no limit on what you want to check, but also what you
want to fix,
because Prowler Studio is going to give you the information
about how to remediate it.
And if you give the proper instructions
that you have in the documentation,
it can help you also to update
or improve existing compliance frameworks,
because this is one of the most challenging part
that we do have in the cloud,
is to keep compliance frameworks updated with new services and new threats in the cloud
that are growing every day, right?
Well, I got to ask you too at this point, right?
Because a bunch of people might be listening to this and going,
okay, so he's here to promote a whole bunch of open source stuff, right?
So you're basically standing here holding a sign that says free beer, right?
And people are like, okay, they're probably thinking at this point,
what's the catch, right? Like, where's the business here?
Right. Just just refresh.
You know, for those who don't know, I mean, essentially the idea here is build
this thing, make it huge, figure out how to make money out of it later is the thinking.
Right.
Yeah, yeah.
Basically.
So the business model of open source is nothing new.
So we are not going to get a Nobel Prize inventing
the business model of open source.
This is a matter of helping the community,
helping organizations to address their problems.
And if you want to do it by yourself,
you're welcome using the CLI, using everything,
maintaining it by yourself, using the whole application,
maintaining it by yourself, updating it,
making sure it works 24-7, and all the work that
is needed to back up all the platform by yourself.
Or if you don't want to do it, come to our SaaS platform
to what we call Prowler Cloud and pay for it.
That simple.
That simple.
We should point out, too, I would like to point out at least,
that the SaaS version of this is not expensive.
It's not expensive at all.
So we can just do it.
Anyone listening to this who wants to do it can just do it, right?
Yeah, we charge based on resources in two different models.
One is scan-based results or scan-based or resource-based.
That means that in some cases, you do need only to scan once a week,
your infrastructure, once every,
twice a week or whatever, and you pay for that.
But in other cases, you want to make sure
everything is scanned and you know
how everything is configured every day.
It's like every 24 hours, you get scans,
or every time that you need to scan
by yourself, or manual scans because you are doing your fixing, you are doing your hardening, you can do it as well.
So it's very flexible and you pay only for the number of resources that you have. That is very
much how AWS works, right? You pay per use, literally.
Yeah.
Well, and the thing is like you get people on both ends of that spectrum because
there's people who are like, well, I just need to do this point in time scan just to
check on something and make sure that these other things are working. I'm not going to
spin up a whole open source platform to do that. I'll just get my credit card and, you
know, do this one time scan. So you get people on that end and then you get the other people
on the other end who are using it to scan every hour who need high availability and it needs to be robust and
reliable and they don't want to do that either right so either way you win. All right we're
going to wrap it up there. Toni de la Fuente, thank you so much for joining me for that conversation.
Always great to chat to you and yeah we're going to check in with you again throughout the year.
Thanks again. Thank you Patrick. That was Toni de la Fuente
there from Prowler and yeah Prowler is good stuff. You should absolutely go play
around with it. I love personally that it has a command line version that works
just the same as the Webby pointy clicky version which also means that you know
you can use the hosted version to find problems and then if you need to use
like a privileged role to fix the problems you can just do that from the command line so you don't
need to yeet highly privileged credentials into someone else's web
application. So yeah I think that's really cool and yeah Prowler is a good
time. So big thanks to them for sponsoring this week's show but that is
it from us this week. I'll be back soon with more security news and analysis,
but until then, I've been Patrick Gray.
Thanks for listening.