Risky Business - Risky Business #797 -- Stuxnet vs Massive Ordnance Penetrators
Episode Date: June 25, 2025

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:
- We roll our eyes over the “16 billion credentials” leak hitting mainstream news
- Some interesting cyber angles emerge from the conflict in Iran
- Open source maintainer of libxml2 is fed up with this hacker crap
- Shockingly, there are yet more ways to trick people into pasting commands into Windows
- Veeam “patches” its backup software RCE like it’s 2002 … by breaking the public PoC

This week’s episode is sponsored by Internet-wide honeypot reconnaissance platform, GreyNoise. Founder Andrew Morris joins to talk about their journey spotting Chinese ORB-builders hacking thousands of ASUS routers, and why they’re destined for the woodchipper.

This episode is also available on Youtube.

Show notes
- No, the 16 billion credentials leak is not a new data breach
- Canadian telecom hacked by suspected China state group - Ars Technica
- Telecom giant Viasat breached by China's Salt Typhoon hackers
- WarTranslated on X: "Iran’s jamming GPS in the Strait of Hormuz, messing with ~970 ships, per Windward. UKMTO confirms the interference. Faulty AIS coordinates are screwing up navigation in the Persian Gulf. The IRGC threatens to shut the strait down in hours. https://t.co/kdMJvshOGC" / X
- Dmitri Alperovitch on X: "Chairman of the Joint Chiefs Gen. Dan Caine says @US_CYBERCOM supported this strike mission" / X
- Top Pentagon spy pick rejected by White House - POLITICO
- DHS warns of heightened cyber threat as US enters Iran conflict | Cybersecurity Dive
- Exclusive: Early US intel assessment suggests strikes on Iran did not destroy nuclear sites, sources say
- U.S. braces for Iran's response after overnight strikes on nuclear sites
- Assessing the Damage to Iran’s Nuclear Program
- Iran Hacks Tirana Municipality in Retaliation Over MEK - Tirana Times
- Iran's government says it shut down internet to protect against cyberattacks | TechCrunch
- Aflac discloses cyber intrusion linked to wider crime spree targeting insurance industry | Cybersecurity Dive
- Tonga Ministry of Health hit with cyberattack affecting website, IT systems | The Record from Recorded Future News
- Alleged Ryuk ransomware gang member arrested in Ukraine and extradited to US | The Record from Recorded Future News
- Russia releases REvil members after convictions for payment card fraud | The Record from Recorded Future News
- OneLogin, Many Issues: How I Pivoted from a Trial Tenant to Compromising Customer Signing Keys - SpecterOps
- Triaging security issues reported by third parties (#913) · Issue · GNOME/libxml2
- README: Set expectations straight (35d04a08) · Commits · GNOME / libxml2 · GitLab
- What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia | Google Cloud Blog
- FileFix - A ClickFix Alternative | mr.d0x
- Address bar shows hp.com. Browser displays scammers’ malicious text anyway. - Ars Technica
- Researchers urge vigilance as Veeam releases patch to address critical flaw | Cybersecurity Dive
- ASUSpicious Flaw - Millions of Users’ Information Exposed Since 2022 | MrBruh's Epic Blog
- Perth dad who created ‘evil twin’ Wi-Fi did so to access pictures of women
- GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers
Transcript
Hey everyone and welcome to Risky Business, my name's Patrick Gray.
We've got a great show for you this week, Adam Boileau will be joining me in just a moment
to go through what is a really fun grab bag of news items this week and then we'll be
hearing from this week's sponsor and this week's show is brought to you by GreyNoise
Intelligence which means Andrew Morris is this week's sponsor guest which is always a good
time and we're talking to Andrew about a botnet they detected comprised of ASUS
routers and yeah there's some interesting stuff to do with that botnet like it
didn't use malware it just you know would insert dodgy SSH keys and stuff
which meant that even if you
firmware updated these things, the botnet would persist.
So that is a fun chat and it is coming up soon.
But first up, Adam, let's get into the news now.
And did you hear that there's been a huge password leak of 16 billion passwords?
Of course, this has been a dodgy news item that has somehow managed to escape
from a niche outlet into the mainstream media. And well, it's not, it's not, it's not really true.
Yes. So this, the story broke that, you know, this giant repository of passwords have been found,
you know, what, like at least two passwords per person
for the entire planet or something like that,
which is clearly ridiculous.
It is as many people kind of expect,
just a repackaging with a bunch of additional
of existing credential dumps,
a bunch of things from info leaks
or from info stealers, sorry,
and no effort's been made for deduplication.
Like if Troy Hunt were to take this data set
and load it into Have I Been Pwned,
I don't know that he'd be sending very many new alerts out.
Like that's the kind of vibe that we get.
But of course that's a nuance that's well and truly lost
when it escapes into the mainstream press,
which it has very much done so.
Yeah, and it's funny, right,
because I think,
so I saw someone on social media somewhere,
like, link to another version of basically the same story
that the same guy published at the same outlet
like a year ago.
So it's like, well, it's June, time
to write a story about the latest aggregation
of previously stolen credentials.
And yeah, it just took on a life of its own.
I even wound up doing a hit on ABC radio
about this. Just crazy. It is kind of nuts. I mean if we had a story that was like you know
100 million cars have crashed and it's like yes if you count every car crash in the history of
automotiveness. Yes. That's kind of what these these stories are like and it just you know.
I mean on the one hand anything that makes people think about how they use passwords and where
they reuse them, and if the net result of all of this mainstream coverage is a few more
people start using their password manager or start using pass keys, then okay, that's
good.
That's probably still a good outcome, but it is just a bit tedious when your grandparents
or whatever are ringing up in a panic because
they think their Googles have been hacked.
Yeah, and there's been some quality humor on this one as well.
I think someone pre-generated every four and six and eight digit number or something, whacked
it in a database and described it as a breach of every single OTP code.
Your OTP code is in there and then someone else generated every possible password or
whatever. Every possible phone number leaked and giant data.
Yeah, yeah, yeah. Exactly. Exactly. But to your point, that's exactly what I was saying
on ABC radio, which is like this isn't new, but there's still some important lessons here,
which is do not use unique passwords. I'm sorry for every single service and explaining
why that is.
You know, where possible, you know, use a password manager.
Don't listen to what Tavis Ormandy was saying years ago.
Use a password manager.
Try to use MFA where possible
and pass keys are a good thing.
So I guess, I guess, you know,
let's be glass half full about this and say,
you know, this is good.
Yeah, good job, whatever the outlet was called.
I think it's called Cybernews.
I don't think they are serious people.
Let's just put it that way.
That's being charitable, I think.
Okay, so we've got some updates here,
a couple of logos to talk about.
So, you know, in the startup world,
cybersecurity startups are all about getting logos
on their website of their customers
and design partners and whatnot. APT crews, I guess, do something similar, right? Which is they
get access somewhere and they've collected that logo. We've got two telcos that look
like they've been taken over by Salt Typhoon, which is the more sort of intelligence oriented
of the big Typhoons, the other one being Volt Typhoon of course.
So it looks like Viasat and some mob in Canada have disclosed that they've experienced breaches as a result of this group.
Yeah, and I think this is the first example of a telco outside of the US.
We know there's been targeting of telcos outside the US, but I think this is the first like, here is a telco in this country that has been
targeted by, or has said that they have been targeted by, Salt Typhoon. I think the
Canadian government kind of confirmed that and it's exactly what you'd expect
from these groups. They found, they used some bugs in a Cisco IOS XE device that
was patched but they clearly hadn't applied the patch, shelled the box
and then set it up for intelligence collection and presumably moved laterally around the
network and had a good rummage because that's what you do when you hack a telco.
I mean I think it's a sign of the times that when I saw that the bug was only 18 months
old I thought wow they had to actually work for this one.
Some ancient, ancient bug. And indeed, look, we know there have been, yeah, a lot of
other telcos hit all around the world by this, but you know, the Americans are
actually a little bit more transparent about this stuff than most, which is an
interesting little, it's just an interesting little detail, I think, which
is when it happens in the US you're more likely to find out about it.
Yeah, certainly other countries, you know, do seem a little more reticent about dragging the stuff
out in public, and you know, the US reporting guidelines, you know, for the SEC etc. and some of
the oversight in the government there does seem to draw this out of private sector companies,
which, you know, plenty of other Telco incident response jobs I've worked
on end up with, okay, now we cover it up.
Yes.
Great findings.
Now conceal them, please.
Now of course, big, bitter news over the last week has been the United States are hitting
a bunch of targets in Iran.
There's actually a few things to talk about cyber wise here.
I guess the first thing to look at is that there's been
a whole bunch of GPS jamming happening
in the Strait of Hormuz, which has resulted in ships
appearing like they're on land and stuff,
which, you know, I'm no marine expert,
but you look at the map and you're like,
that doesn't seem right.
Yeah, yeah, anything that kind of messes up
with these systems does have some downstream consequences.
At the very least, it has made people quite excited
watching some of the ship tracker websites,
because as you say, all of a sudden,
there is a boat in the middle of a mountain,
which, you know, that's not their natural habitat.
No.
But we haven't seen any, I think, safety incidents
or collisions or anything like that yet,
but it's the kind of thing that can happen when you're messing with these
Yeah, that's right. And apparently the chairman of the Joint Chiefs of Staff, General Dan Caine,
when he was talking about the strikes that America did, you know, against the Iranian nuclear program,
mentioned that Cyber Command was actually, you know, part of this strike, which I find interesting.
Of course, he didn't actually say what they were doing.
There's a lot of people in the intelligence community who like to joke about how Cyber
Command just does, you know, half baked PsyOps.
So I wonder if they sent them some pop-ups on their screens telling them to think about
what they're doing.
Yeah, maybe, maybe.
You know, we don't know.
And it would be, of course, lovely to see lots of details.
Some of those of us in the commentariat would love details
of these kinds of things, but we don't get them until,
you know, many years after the fact.
And maybe they were jamming air defense.
Maybe they were jamming comms lines
to make response difficult.
Maybe they were dealing with, you know,
making emergency services, you know,
because we've seen like the Israelis, for example,
warn emergency services when stuff's going down.
So it's kind of like a reverse PsyOp, like the Grugq says, like you want to be nice with your cybers
to win hearts and minds or whatever.
We don't know what they're doing, but clearly they were cyber and something.
So yeah, I mean, jamming ain't really their thing.
But you know, using cyber to brick comms is like if I had to guess it's going to be something
like that.
Yeah.
I mean, I guess that's what I meant, like jamming from a network point of view, not
jamming from an RF radio comms point of view.
It's interesting though.
It's interesting when you think back to last week when we were talking about the stuff
Andrew Morris from GreyNoise, who's this week's sponsor guest, we were talking about
the stuff he was seeing on the Iranian internet.
And he said the last time he saw that was when the United States assassinated Qasem Soleimani.
Interesting.
It is, isn't it, when you think about it,
that that was almost a early warning
that something was about to go down.
Yeah, it's an interesting point, actually, yeah.
Sneaky, Andrew, sneaky.
Sneaky, yeah.
So look, speaking of Cyber Command,
it's probably worth mentioning that they still
don't have a leader. Cyber Command still does not have a leader. NSA still does not have a leader. They're
both acting. And apparently the guy who was picked by Pete Hegseth and Tulsi Gabbard to be nominated
into that position, that person has now been rejected by the White House, as per this reporting from Politico.
So still leaderless. I mean we saw this in Trump v1 right? Like a lot of positions were acting only.
You do wonder when they're gonna get on this and actually nominate someone or if they're gonna try
to split NSA from cyber command. I mean maybe that's a reason they didn't want to do this is
they want to do that split first so they can get civilian leadership into NSA. But I guess it is worth noting that during this somewhat serious military action,
there was no one actually, you know, there's only an acting head of cyber command.
Yeah, that does seem a little concerning. And, you know, as you have so much politicking going on
around these positions, like making sure they're loyalists and all that kind of thing.
So I guess it's taken them a while to find someone.
Now, meanwhile, there are some fears in the United States that the Iranians are going to go and do cyber to them.
There's also a lot of fears from people who seem to be like on the further right side of the spectrum talking about thousands of Iranian sleeper cells that are about to rise up and do terrorism. I would think that would be dangerous for Iran to do that.
So I don't know that I share those fears.
But I think it's reasonable to think that, you know, Iran, which does have a history
of hitting control systems at like municipalities and whatever.
I mean, it's you would think it's possible there's going to be some sort of cyber drama resulting
from all of this.
Yeah, it's certainly one of the tools at their disposal and they have used it in the past,
both in conflict with the US and other places.
But Iranian cyber activity hasn't seemed really super effective in terms of a proportional
response to the sort of things that they're going.
We've seen them carry out missile strikes or whatever on US bases in the Middle East.
That's a kind of proportional response.
You know, hacking some small government in Midwest somewhere kind of doesn't really fit
into that framework, but there's still plenty of scope for enthusiasts and activists and
you know, sort of not necessarily state-directed but still,
I'm sure there's a lot of angry Iranians, but we don't really, you know.
I feel like I'd bet dollars to doughnuts a lot of that sort of activity, especially the
stuff that targeted Israel a few years back. I'd bet dollars to doughnuts that that was
actually state-directed. I just find it interesting that Iran has this sort of half-baked offensive cyber program
targeting small-scale critical infrastructure, right?
And they do seem to be very...
I mean, of course they got their intelligence collection bits and whatever, but they do
seem to have this sort of fetish, shall we say, for control system hacking.
And you wonder if that's because of Stuxnet and because that was what was done to them.
So they're sort of trying to emulate the same thing, but on a much smaller scale.
Yeah, it's certainly possible.
And also, I guess that stuff does get some media coverage.
So like in terms of having some PsyOp result, you know, for your side, because as Tom and
the Grugq have talked about a bunch on Between Two Nerds, like making cyber war useful for anything
is quite difficult and so latching onto psychological effects
is easier to kind of justify as being effective
because it's more fuzzy around the edges
versus like melting steel plants down, whatever it was.
Was it the Israelis that?
Yes, yeah and they got the video and everything.
So I mean, yeah, it's just, I just, man, you know, I just, I just don't feel like,
I feel like the Iranians are running a program that's designed to look cool, uh,
as opposed to actually being cool, maybe a way to impress their bosses and whatnot.
I think it's also interesting to have a bit of, to at this point, reflect on Stuxnet,
right?
Because you would say, oh, okay, Stuxnet didn't work, bombs worked.
But we're seeing reporting now, there's a report in CNN today that says there was a
leaked battle damage assessment from the Defense Intelligence Agency that says that, you know,
this bombing campaign has hardly put a dent in Iran's nuclear ambitions.
So there will need to be subsequent bombing.
This will be a continuous bombing campaign if it is designed to suppress Iran's nuclear
ambitions.
And I can't figure out if all of this makes Stuxnet look better or worse, more effective
or less effective in retrospect,
I think it's really hard to know.
If we consider that they drop these giant bombs
on these facilities and didn't manage to really destroy
that program, I think it kind of makes Stuxnet
look pretty good in that it was able to achieve
a similar effect without doing that. Yeah, and for a pretty reasonable period of time.
It took them a long time to recover.
Although it is hard to isolate these effects because in the wider context where we've
also got Israel assassinating scientists and a whole bunch of domestic Israeli-led campaigns
inside Iran.
It's hard to unpick all these aspects,
but it does feel like Stuxnet perhaps did more
than we gave it credit for at the time
because we don't have the visibility.
But then again, here we are dealing with the potential,
you know, nuclear Iran regardless.
So, you know, whether it bought us one year, two years,
five years, 10 years, you know,
if the end outcome is that they still have the will
and the political leadership has the will to get there,
you know, all of these things are gonna be necessary
to stop them, right?
Yeah, I mean, what's the solution here?
Yeah, I mean, what's the solution here? Maybe they just build a deeper hole to do this stuff.
Well, I don't know. They've built some pretty deep holes already.
They just dig a deeper hole. I don't know. So look, for those who are really interested in
this whole issue, Dmitri Alperovitch, who's a friend of this podcast, he did an excellent
podcast with Arms Control Wonk, Dr. Jeffrey someone, I can't remember his last name, but
fantastic, absolutely fantastic podcast all about Iran's nuclear program and all of the
bits that make it up because there's a you know there's the factory that actually manufactures
the centrifuges for doing enrichment and there's the plant that turns the yellow cake into
gas and then the enrichment plants and then turning it back into metal and all of that.
So it's a really good listen. I'll link it in this week's show notes and you can check it out.
Now Iran-
Arms Control Wonk is good fun. I listen to that recreationally anyway. Jeffrey Lewis.
Jeffrey Lewis, that's right. Yeah, yeah, yeah.
Yeah, so if you want to hear Dmitri interviewing Jeffrey Lewis about that, I highly recommend it.
Now Iran has still managed to find time in all of this to actually do some cyber against a municipality.
And this is in connection with all of the MEK stuff that, oh God, does this link to
Albania? This is in Albania, right?
Yes, yes. The capital city of Albania's local municipal council was what they attacked, because Albania
does host their opposition in exile in the MEK.
Yeah, so for people missing the context, there's an opposition group, an Iranian opposition
group called MEK, who've set up shop in Albania and do cyber attacks against Iran and stuff
from Albania.
And they're also really not great as well,
because you think, oh, Iranian opposition, they've got to be good.
And that's like, well, not really.
They're quite horrible as well.
So yeah, now Iran's attacking Albanian municipalities
and stopping them from being able to do municipal government functions.
And they specifically disabled the ability of people
to sign up their children for kindergarten.
So the registration system for children going into early childhood education.
So great proportional response to an attack on your nuclear facilities.
I know it's Albanian, not the US, but you know, cyber, cyber war right there.
And just look, one last detail on all of this before we move on to some more bread and butter cyber security stories is that at one point Iran actually killed its internet access to the outside world to try to slow down the Israelis, which is like, you know, things are going great when you're like ripping the cable out.
Yeah, yeah. And they know, they're clearly pretty afraid of Israeli capability. And we've seen pretty widespread penetration of their, you know, all manner of systems.
You know, we had that bank we talked about last week.
And in the past, the Israelis have just been all up in their business.
So yeah, just pulling the plug out and hoping that, you know, there's nothing else the Israelis
have remote access to, you know, via some other non-internet channel, which, you know,
pagers come to mind.
Yeah, bad time for Iran all around.
Yeah. And I haven't had a chance really to ask around about what the current status of
that Iranian bank is. I mean, I'm keeping an eye on, you know, various social media platforms
and stuff and trying to find out like, have they reopened? Have they recovered? Are the branches
still there? Like what's going on? Can't really find anything yet. I think the
the only thing I could find is that the bank was somehow reconnected back into their banking transaction network. But I don't know if that means that
they've recovered everyone's balances and loans and whatever. So still on it, just don't
know yet. Now, last week, was it last week or the week before? We spoke about the advanced
persistent teenagers, the Com-style kids,
transitioning from going after British retailers
into now targeting the insurance industry.
We have one insurer who's come forward
and has disclosed an intrusion
that they say they were able to repel
over the course of a few hours,
which I would absolutely call that a win,
but I would expect that we're gonna see
a few more of these in coming weeks.
Yeah, we've seen a bit of kind of scuttle
about that there's some underway and more coming,
but yeah, this one I think they,
the company Aflac disclosed in the SEC filing,
so there's certainly some value to the,
speaking to US oversight as we were earlier,
like we got to see some detail there
that we might not have seen this early otherwise,
but yeah, they don't seem to have suffered
in the same way that say
Marks and Spencer did.
Yeah.
Now turning our attention to the Pacific and your region, Adam, the, you know,
look, if you wanted, I don't think we need to prove that ransomware
actors are scumbags anymore.
I think we've established that.
Yes.
But it looks like they, some crew has managed to disable Tonga's
Ministry of Health. They are being ransomwared. And you know, this is a country,
a small country with a population, you know, with a tiny population,
a hundred thousand people and a GDP per capita of about 5,000 bucks.
And they're ransomwaring them. And you just think, man,
bring back the death penalty kind of vibes.
Yeah, it's pretty hard.
It sounds like Australia has dispatched some incident responders to help, which unfortunately
in the Pacific is a pretty common occurrence that Australia's help has been needed.
So that's good.
I guess some people are over there doing the needful.
But yeah, it's just scummy.
And I'm in New Zealand where I live,
like there's almost the same amount of Tongans here as there are in Tonga. So like there's a big expat population of Tongans here. So, you know, I think people are feeling it not just in Tonga,
but also all their family back at home and so on. So yeah, it's just, it's horrible and scummy and
nasty and bleh. Yeah. I got to say too, I think it's really good that our government here actually sends
help to these nations.
I think it's, look, in addition to it being just the right thing to do, I think it is
really good diplomacy and something really good to do in the region.
And, you know, congratulations to everyone who's involved in that.
It's a worthwhile endeavor.
All right, so now we got one from The Record. Daryna Antoniuk has reported that a Ryuk, an initial access broker who was somehow
connected to Ryuk was arrested in Ukraine and has been extradited to the US. So
yeah, I guess someone who was selling shells are now gonna have a bad time.
Yes, yeah, this guy, I think they seized something like what, $600,000 worth of
crypto, nine
luxury cars and 24 bits of land.
So I guess he was doing all right out of his initial access brokering.
But yeah, I guess the world has changed around cyber criminals operating in Ukraine quite
a bit over the last few years.
You know, they're, you know, the cover that you might have had being part of the wider
sort of Russian-speaking
cybercrime ecosystem doesn't really hold when your country is at war with Russia.
So, yeah, extradited.
No, it doesn't.
And another one from Daryna here, which is Russia has released a bunch of REvil crew
people.
They've been imprisoned since 2022 awaiting trial on payment card fraud actually.
So they were arrested for carding and yeah they've now been released for time served
after a few years.
I mean look at least they did some time which is not the usual thing in Russia.
Yeah I mean I think this kind of case dated from the era before the Ukraine conflict when they were like this
was some cooperation with the US and then yeah, they've just kind of let them go now.
But yeah, any time in custody in Russia for doing cybercrime like pretty amazing.
Now let's talk about some research out of SpecterOps, which as an advisor to SpecterOps,
I think is awesome. And as an advisor to an IDP, authentik,
sends a chill down my spine because something like this,
you really don't wanna see in an IDP.
This is to do with a different IDP, which is OneLogin.
But I mean, this is pretty brutal stuff.
Walk us through it.
It's pretty comedy, yes.
So they were looking at the connector for OneLogin
and active directory.
So if you have on-premise active directory
and you want to glue your web facing identity
into your active directory,
so they have a connector product.
And they were rummaging through kind of understanding
how the auth worked.
And they got to the point where you can kind of get
a directory access token out of
the configuration of this agent and then make queries into the OneLogin AD connector and it
will return a bunch more data. Amongst that was some other authentication tokens and they went
rummaging around trying to understand what they were. One of them was for an Amazon S3 bucket for
storing logs in.
And they're like, oh, I wonder what's in that bucket.
And they went, look, the bucket wasn't registered.
So they did the obvious thing,
which is go register that bucket with Amazon.
And of course, Amazon bucket names are kind of globally
unique, so they have this bucket there.
They set it to be world writable.
And then at some point later on,
somebody's OneLogin,
single sign-on solution, just started putting logs in it.
And that log data contained enough kind of key material
for them to then query this other company's OneLogin system,
pull out the necessary key material to then just straight up sign authentication tokens.
So at that point, you can impersonate every user in that particular company's single sign-on system,
which, not great. No, not great. And as I said, like reading this, I'm like, man, this is awesome
because I know the SpecterOps team and they're really good. And I'm like, oh, I just, I'm living
for this. And then, you know, when I take off my SpecterOps hat and put on my authentik hat,
I'm like, God, I hope nothing like this ever happens to those guys.
Well, the disclosure timeline when they reached out to OneLogin, which I think is Quest is
the upstream kind of like the company that owns OneLogin, reached out to them.
And then the disclosure timeline reads like, you know, anyone who's ever tried to
report a bug to a big company that doesn't know how to deal with these things.
It just, I felt this.
I felt this in my bones when I was reading it because they're like, the person tries
to report a bug and they're like, where's, check with your account manager.
I'm like, I'm not a customer.
I don't have an account manager or a support contract.
I'm trying to tell you about a problem with your product.
And then they spend months in an email loop, who asked me who their
account manager is because no one is capable of identifying what this is
escalating to the right person and getting something to happen.
So I think eventually they did find someone like out of band to talk to about
it. Um, but yeah, just, I mean, the normal process,
the bug part of this is forgivable in that it happens.
Stuff like this happens, right?
And you can see how you wouldn't necessarily notice it.
You can you can see how this could have happened.
But the disclosure timeline, as you point out, like that is that is the unforgivable part of this.
Yeah, I mean, I think in the end, it took them what, like three or four months to get to the
point where OneLogin had fixed the bug, or at least thought about doing something about it.
But yeah, it's, this is the problem with putting everything up in the cloud is right, you end up
with, you know, relying on some opaque organizations on the other side of the world to do some critical
thing for you and you don't necessarily know there's anyone there who understands or understands
the importance to you as a customer of their software, which, good times.
Now let's talk about my favourite story of the week, which is what's going on with libxml2.
This is just so good.
Dear, oh dear. So libxml2, open source piece of software for doing XML related stuff,
pretty widely used. All the major operating systems use it in some form or the other.
The maintainer of libxml2 is a guy called Nick Wellnhofer, and he is just kind of sick and tired of dealing with security bugs. Like he, for fun, maintains an XML library, which, let's face it, it's not my idea of
fun but hey you do you buddy.
And he is the sole maintainer of this piece of software and so he has decided that he
is just going to let people file security bugs in this piece of software in the bug
tracker like every other bug and he will deal with them when he gets to it.
Like one Saturday, he feels like working
on his open source project, yeah,
maybe he'll fix a bug or two.
Unless someone else feels like maybe writing a patch
for that issue.
Yeah, and there's somebody else who shows up with a patch,
which, you know, as, I mean, I grew up
in the open source community,
like I totally understand how open source maintainers feel,
and it's really hard to be mad at the guy.
You know, he kind of throws a little bit of snark at Google and specifically Project Zero, who have reported bugs in libxml2, because Google Project Zero's mandate is find internet critical software
and go find bugs in it so as to improve the ecosystem as a whole. But this one guy is like,
you know, this is a multi-billion dollar company's crack team showing up at me, one,
you know, volunteer maintainer, in his weekend, and expecting me to triage and fix bugs that they found.
Yeah, and that's, you know, that would feel a little...
And to be clear, libxml2 is like,
you know, it's everywhere.
It is, right? Lots of people process XML, and it's just, you know,
it's one of the standard operating system libraries that people will be using.
But anyway, so this guy has made his feelings felt and there's, you know, lots of debate
in the bug tracker about, you know, whether he has done a bad thing or a good thing and
in the end it's his project, he can do as he pleases.
And the thing I really liked was he's updated the README file to reflect the security policy
of libxml2.
And I would like to quote from it because it's wonderful. He says,
this is open source software written by hobbyists, maintained by a single
volunteer, badly tested, written in a memory unsafe language and full of
security bugs. It is foolish to use this software to process untrusted data.
Yep, mic drop.
I mean, let's face it, that's honest and I love it.
So good job, Mr. Wellnhofer. I mean my reaction to this was in
GIF form in our internal slack this morning which was that GIF of the
comedian Shane Gillis holding a gun inside his mouth and then pulling it out
and pointing it at other people.
That's the vibe here. And I don't hate this.
I think that this does have potential to cause some real problems, but it has
potential to cause real problems for the sort of organizations who should be
offering real solutions.
So I'm just like, good on him.
Yeah.
I mean, in the end, like if you bootstrap yourself using other people's open source code,
like you have to take some responsibility as the user if it doesn't do what you need, right?
Either by contributing patches or by contributing resources,
or by writing and using your own software.
Like go buy another XML processing library instead of, you know,
Apple and Google and Microsoft relying on one guy and I know
where he's from, you know, to write some important internet critical library.
But that's kind of the open source model and, you know, I don't mind if he wants to change
his security policy.
Good for him.
Yeah.
Now, last week we spoke about the Russians going after the inboxes of various academics
and think tankers to collect intelligence from them. One of them was Keir Giles.
Or Giles? I don't know if it's a soft or a hard G actually. But we've got some detail now on how
these compromises may have happened. It's like a social engineering campaign. It's a very clever one, very clever.
But the goal of the social engineering campaign
is to get people to generate a Gmail
application-specific password
and then provide it to the attackers.
Now you'll walk us through the pretext and everything.
But this does dovetail nicely with the conversation
we had recently about, well, when you're doing OAuth
versus this versus that kind of authorization, do you even know what you're doing? And that's
what this exploits, which is the complexity of modern authorizations and authentication
and whatnot. There's a really interesting thing in this Google write up of it, which
is towards the end of the piece, it says, look, our solution for this is if you're using
advanced protection or whatever, if you've got that set up in your account, our solution is, well, we just won't let you generate one of these passwords, which I think on one hand, okay, that's cool.
But on the other hand, that's your solution here is just to turn it off.
Like, I don't know if that gets you very far in a detailed social engineering campaign where you've proved, you know, to the
target's satisfaction that you are legit. At that point, you could just tell them to disable
that from your account. Oh, well, you can't use it, you know, blah, blah, blah. Anyway,
walk us through the pretext here because it is, as I say, very interesting.
Yeah, it's pretty cunning. Essentially, what they do is they show up with, you know, a
little claiming to be some, you know, particular, I think this was the US State Department, what they were impersonating here, and they said to gain access to our,
or you know, to share documents with us or to interact with us, you have to, you know,
register for our, you know, interface thing. And the way you do this is by going to your
Google dashboard, going to app password, typing in the name of our service that you're
going to authenticate to, which was like ms.state.gov, and then hit generate, and it will generate
you a password for our server. So they're letting the user be confused as to the fact
that, you know, as to what the password is for, right? Is it for authenticating to us
or authenticating to you? And they present it as it's authenticating to us, but the reality is they've made a password to authenticate
as the victim to Google.
And then they pretext to hand it over as a person
signing up and registering.
They tell them to name the application specific password
because you can name them either ms.state.gov
or in a different campaign,
Ukrainian and Microsoft themed ASP.
So it really is that idea. That's where they're able to create that point of
confusion, which is to say, you're creating a password for our service,
not giving us a password to your service.
Yes, which is a cunning campaign, right?
Because it exploits that lack of understanding about how all these systems
work, because it's not reasonable for people to understand how these systems work, right?
Nerds who have to build this kind of stuff
presumably understand, but the average person
working at a think tank in the UK
as the Keir Giles guy was,
you can't expect them to understand
the nuance of these things.
So yeah, clearly actually worked
and pretty slick campaign to be honest. So yeah, and I'm less mad about Google just turning off app specific passwords because most people
do not need app specific passwords, and I think the use case for them over time has really declined.
I mean the original use case was IMAP access to Google for mail clients that didn't support web-based
MFA, that wouldn't be able to invoke a browser, get a token and then sign in.
And that, you know, they have also been really kind of making other mechanisms and we have so much better ways of doing
integrated auth than app specific passwords. So I'm less mad at Google about just turning it off for well-prepared accounts.
Yeah, I don't know. Maybe you're right. I don't know. I don't know.
And of course, you know, Google doing business at massive scale. That was a really interesting thing for me getting to know Alex Stamos well when he was the security guy at Facebook,
which is it forces you to think differently about, you know, how to deal with just like
mega scale threats, right? Like, you know, I remember at the time people are very critical
of SMS
based authentication and he's like, yeah, it is phishable, but then that means that
they have to phish the token, which instead of just using a username and
password and like, do you have any idea when you have billions of users like
what that control saves you? And it's like, yeah, no, I do, I get it. Alright, now
let's speak of, speaking of like sort of dumb social engineering stuff,
we've got two here which are just like so brain dead that you just sort of wonder why
people are doing them, but if they're doing them it's because it works.
So let's just recap what ClickFix was and then talk about FileFix because these are
two very dumb things and there's the new dumb thing which is becoming more popular than
the old dumb thing.
Yeah, so ClickFix, which I'm going to prefix by saying it's a dumb name, and I tried my best to not use it in our coverage
because it's a name that bears no reflection to what the thing actually is.
This is the attack where you show up on a website and it says, to prove that you're a human, please complete this CAPTCHA.
And the CAPTCHA is press Win+R, which opens the Run dialog box in Windows, and then Ctrl+V, which pastes.
And of course, the site has preloaded your clipboard buffer
with some PowerShell commands or DOS shell commands to run,
and it compromises your box.
Now, technical users probably are going to be a little sus
about opening the command prompt and pasting in a command
to prove that, you know, to bypass,
to prove that they're human through a CAPTCHA.
But plenty of people fall for it. I know, you know, I was surprised when I saw this
and went, you know, like, surely, surely no one would, but clearly people have. So FileFix
is a new variant where somebody has been looking around and thinking like, where else can I
paste commands into Windows in a way
that I can trick a user into the same thing, and so this is doing the same thing but pasting into the
Windows Explorer file bar so you can straight up just paste shell commands into the address bar in
Explorer and so they construct a lure which is like to read this HR policy,
copy paste this file path into your explorer.
And then it preloads the copy paste buffer
with a bunch of PowerShell commands.
And then something to make some white space
so that in the end it looks like you've pasted a path
or it looks like a path.
And of course that runs commands.
And I'd like to say this is just super dumb,
but it's gonna work and people will use it.
So, I, and I guess we are going to see people
finding all sorts of other places
that you can trick Windows into running commands
by having people paste them in and spamming into themselves.
So yeah, those of you who run, you know,
bigger estates of Windows users,
probably this should be on the list of things that you should spot.
But presumably your EDR would already be spotting PowerShell being spawned from
Explorer. But hey, who knows.
Yeah. I don't think this is as much of a risk to corporate environments as just,
you know, normal home users. That's what, that's the vibe I get. But look,
this isn't the stupidest thing we're talking about this week.
This next one is from Dan Goodin.
And you just sort of think, how does this work?
And look, if people are doing it, it's got to work, right?
So walk us through this.
Yeah, so people have been seeding links or taking out
ads that get indexed by search engines
that when you click on them, take you to a legitimate site, so like
hp.com, Hewlett-Packard, and then the path of the URL links through to the search system on that site with a query.
And that query is, you know, call us for tech support and here is a phone number, and that of course gets reflected back in the page output as though it's a phone number or whatever other
message they put in there so it's kind of like cross-site scripting but for
brains instead of for browsers and the hope is people will show up to Google
type in you know how do I fix my HP printer one of these malicious ads will
come up that links to the real HP.com, then they phone the number that they see
on the first screen without looking at the fact
that they're on the search results page for HP.com
and then get scammed out of their credit card details.
So pretty bottom of the barrel stuff,
but on the other hand, it's probably gonna work.
Yeah, yeah, well let's just talk about
a little bit more fail. We're
on the home stretch now. Veeam, this is the backup technology. They tried to
patch a critical bug a while back. I think we spoke about it at the time.
Patch didn't stick, they're patching it again. I guess let's see if they get it
done this time or if third time's the charm. So the bug in question that they
patched is a .NET deserialization bug.
So the software's written in .NET.
They were deserializing stuff unsafely.
Their fix was to blacklist the specific deserialization technique that the exploit
was using. So of course, now they're playing cat and mouse, whack-a-mole,
whatever you want to call it, with exploit researchers finding new .NET
deserialization gadgets for their software.
And that's a game that will go on for the rest of time until Veeam understands that
they need to actually implement, you know, kind of whitelist based filtering, you know.
I mean, this is that we used to see this sort of stuff from the majors like 20 years ago,
like Microsoft would patch some bug by disallowing a very specific string or whatever.
You could just add like a dot to it
and it would work. You know, same sort of vibes here. Yes, yeah exactly. So they may need a
slightly more defensive approach to what they're doing, but yeah it's not a great look for Veeam
to now be on their third round of just putting exclusions for specific deserialization gadgets
into their software and calling it patched. So boo to Veeam.
Now, we spoke a few weeks back about some research
from a young Kiwi who goes by the name of MrBruh, who
looked at ASUS.
It was like the ASUS driver manager
that you get on an ASUS laptop or whatever.
It was really cool research.
For those who don't remember it, he
got to the point where you could just go single click URL
to code exec, exactly, in a privileged context.
It was really cool.
And he promised a part two, and here it is.
Yeah, part two is also pretty dumb.
So he looked at the MyASUS support app
that they use if you wanted to organize
RMAs for defective products or file support tickets
or whatever else.
So this app had hard-coded credentials in it.
And it was making API calls back into the back end system
in ASUS in a pretty privileged context to lodge RMAs
or whatever else.
And so yeah, he extracted the hard-coded API keys
from the binary.
And then you can call into it and retrieve user records
with all people's addresses and phone numbers
and all that sort of thing,
and their ticket details and so on and so forth.
And this bug looks like it has been there
since this application was launched back in 2022.
So yeah, they did a little bit of a boo-boo there, Mr. Asus.
I mean, it's not as cool as the first post,
which was the single-click RCE in a privileged context
But you know, it's still like hard-coded creds in a DLL, like, bad, ASUS.
Yeah, bad ASUS, and of course ASUS also has no bug bounty, so MrBruh does not even get paid for it.
So, well, but MrBruh does get talked about in Risky Biz, and I think you sent me a screen cap of him asking,
is this one cool enough for me to get a mention?
It's like yes, MrBruh, definitely cool enough, definitely cool enough.
Good job. All right, and we're gonna finish now with a story that, like, I think is interesting, and I'll get to that bit in a moment.
But a guy in Perth
Has pleaded guilty to spinning up fake Wi-Fi access points around airports
And I think even on airplanes as a way to do like cred harvesting from people who are connecting to this access point what's
really interesting here is like I think it was aircrew or someone who noticed
something weird and that's how he got caught so I think like excellent
vigilance on behalf of airline staff there because yeah impressive to
actually catch this guy the reason and I think his ultimate goal was to collect
nudes from people's
like iClouds or whatever, which is just very, very dumb.
I think awaiting sentencing at this point.
But this happened back in like April last year.
Like it rings a bell.
We may have even talked about it at the time.
I guess the reason this is interesting for me is it cuts against.
So you know there's always been some of that advice that we give like,
don't worry about juice jacking. It's not a real thing.
Like this is some of the advice that we give and no,
you don't need to worry about connecting to public wifi.
And I think, do we need to reconsider that advice?
Yeah. I mean, I, you know,
people who buy VPNs to save themselves in public wifi,
like clearly are being scammed by VPN companies. But on the other hand, like,
the plurality of ways that you authenticate to public Wi-Fi, we have to click through
use agreements or whatever else. And that's kind of what he was exploiting here, is the expectation
people have to show up to public Wi-Fi, get sent to a captive portal, which then says,
give us your email address so that we can send you marketing information in order to be able
to use our free, you know, our free public Wi-Fi.
And then extending that to log in with Facebook, log in with Google, because people are used
to federated logins.
The expectations people have of what they have to provide and the impact of giving sites
those things, I guess, is the thing that does make it actually a little bit risky.
I mean, and fun, fun fact here, a VPN ain't going to do anything to help you in
that situation.
I was going to say like all of the Nord VPN in the world ain't going to help you
because you aren't getting to Nord VPN until after you've been through this
captive portal process. So,
So I mean, it's not like this sort of crime type is rife, right? But you know,
when I think back to how we're like, Oh no, that's,
that's actually kind of redundant, silly advice.
It's like, well, I don't know, maybe it's not.
I mean, if you have the option of using a mobile network,
it's generally going to be safer to use mobile
than it is to use public wifi,
random public wifi you find lying around.
But on the other hand, all your devices ought to be safe
to use on the internet full stop.
Or like a modern, fully patched, you think, ought to be safe on a dirty internet connection,
regardless of whether it's malicious wifi or mobile net.
Yeah, but in this case, it's like cred phish, right?
So that's not, anyway, identity.
What are you gonna do?
And yeah, log in with Google.
Log in with Google, log in with Facebook.
We couldn't, oh well, please enter your password.
And it's hard to explain.
Again, it's hard to explain to people like why that's,
what the distinction is there.
Yeah, and I guess this is the value of passkeys.
Cause like, if you could only auth to Google with a passkey,
you couldn't be tricked into giving him your password.
The passkey would just fail when you're being, you know,
sent to a fake login site.
So that's the world we're ending up at eventually,
is that the human doesn't have to make that choice.
But we ain't there yet.
No, we're a long way off.
In fact, that'll happen after my career is over, I suspect.
But Adam Boileau, that is it for the week's news.
Great discussion this week.
Always enjoy it.
And yeah, I'll catch you soon.
Yeah, thanks so much, Pat.
I will talk to you next week.
That was Adam Boileau there with a look at the week's security news.
Big thanks to him for that.
It is time for this week's sponsor interview now with Andrew Morris, who is at GreyNoise
Intelligence.
He's one of the founders there. I think the founder, I don't know if he's a sole founder or a
co-founder, but nonetheless Andrew is at GreyNoise and he joined me for this
interview about a botnet of orbs made up of ASUS routers. So this is something
that they detected in the GreyNoise sensors all around the world and they
just sort of gradually unpicked it. It has some interesting features. So he joined me to talk all about that. And here's what he had to
say.
The story starts in January, February of this year. So we were looking at, we saw large
spikes of traffic against GreyNoise sensors that looked like login attempts, authentication,
you know, credential stuffing, stuff like this.
We see it all the time.
What are you going to do?
And it was to a certain API endpoint, an HTTP endpoint.
We dug into that, and we could reasonably
figure out, hey, this is a login endpoint that
would be targeting an ASUS.
Whatever the check was or the credential stuff was,
we weren't passing it because we didn't have any ASUS routers
on the grid at the time. So Remy went to the store and bought some ASUS routers
and then came home and both plugged them in
and packet forwarded them onto the GreyNoise grid
and also used the hardware to actually like pull
the firmware off of them and like decrypt the firmware
so that we could run these different services.
Once we were running the actual services of the ASUS firmware,
we started quote unquote, passing
the check of whatever the credential stuffers were
kind of looking for.
And that was when we found a combination of, OK,
so they're using these default credentials,
but then they're also doing some authentication bypasses
that in order to gain access to the system without
even having to know the, the creds.
So then using a combination of authentication bypass and OS command
injection, these actors were compromising these routers out of the box.
Uh, because that particular chained combination of exploits was not patched.
And so they're popping these routers out of the box.
And then you'd expect that maybe they would drop malware at this point, but they did not.
They did not drop malware.
They used the baked in SSH, the Dropbear SSH.
They spawned it on a high port, a new one on a high port, and they injected in a SSH public key
that they would allow.
And they disabled logging, all logging and all telemetry
on these routers.
And that was that.
So we scanned the entire, we actually
worked with Censys and Shadowserver
and looked at how many routers on the internet
have SSH and Dropbear listening on that high port
and were accepting that SSH public key.
And it was like 6,000.
And they were mostly in the United States
and in Western Europe.
And so we worked with Shadowserver
to do victim notification.
We worked with Censys to obviously do the scanning.
We worked with runZero for them to actually build out
a detection for their customers for,
if anybody was infected.
And we worked with US intelligence community
and law enforcement to kind of get the word out
to everything.
And we weren't going to publish it
and then somebody else published something about it.
So we're like, well, all right, time to publish it.
So we did.
And that was that.
Yeah.
Now, the thing about this is, I think if you patched this, the backdoor survived somehow.
How did that work?
Even it would survive firmware updates.
How is that possible?
Because from what you've described, surely a firmware update
would just overwrite that key, unless, I guess, ASUS is like, well,
we don't want people having to do firmware updates
and then drop their keys in again.
So was it the case that it was just like a convenience feature?
Yeah, it was the place that the backdoor was actually
stored was non-volatile.
And so it wasn't going away.
It was persistent through both, you know, reboots
and persistent through firmware updates, which made it kind of particularly terrifying.
Yeah. So what do you do about like you would actually have to get hands on and like reconfigure
it?
Rip it off the wall. Rip it off the wall.
Yeah. But do you throw it into a into a wood chipper or can you actually fix it?
You can fix it. So you can... you could... I need to actually think about this before I say it, because I'm saying you can fix it, and the more I think about it, I'm like, I don't know, you
can fix it. Yeah, I mean, for such cheap, I mean, ASUS routers are not exactly
expensive, so probably the wood chipper is the best option at that point. I think
the wood chipper is the best option. I think that what we're gonna find, and
I'm on my soapbox a little bit right now, so to speak, no pun intended, literally. But like I do think that the end of the journey of a lot
of these embedded systems getting compromised is I think people are over intellectualizing
it a little bit. I think the end of the journey is finding where they are physically sitting
and ripping them off of the wall.
And into the woodchipper.
And into the woodchipper. Yeah.
Yeah, yeah, no.
Or mailed to Andrew at GreyNoise
so that we can run them on our grid,
which you can't see this in my camera right now,
but maybe three feet to my left
is like nine different routers
that I'm about to hook onto our grid.
Yeah, yeah, fantastic.
So, I mean, obviously you would think
that this is a botnet being built.
I mean, often it's state actors building it, not building them, not always.
Sometimes it's just crime networks.
But the one thing that I find fascinating about this whole phenomenon of botnets, is
it a phenomenon if it's just a continuation?
Probably not.
Like, you know, I just find it amazing that there's still this need among attackers for
these sorts of things.
And I think the one thing that's kept them relevant, that's kept driving the bot herders
maintaining these sorts of networks is increasingly they need them to bypass impossible travel
restrictions thanks to identity providers like Okta.
If you had to attribute it to one thing, why is it we're seeing so many of these botnets now? Is it, is it just that?
The question really should be like,
what's the value to an attack to an advanced attacker of having tons of
accesses inside of a country that you want to be doing stuff against, right?
Cause they're in lots of countries, they're in residential networks.
The people behind them probably pose very little intelligence value.
I can say that like we'll call them, you know, a lot of people are referring to them
as orbs, right?
So these operational relay box networks.
The fact, like, a lot of the attacks that we were seeing were coming through these.
So it actually renders a little bit of like threat intel, like a lot of the IP based threat
intel kind of useless because attacks can be coming from many of these.
I do think though that your point is a good one
about stuff like Okta and stuff like
any of these different kind of authentication providers,
multi-factor auth providers.
Yeah, like Entra, Okta, Ping, whatever, yeah.
Yeah, all of them, right?
Yeah, it's gonna be just for the same reason
that GreyNoise can't put router sensors in AWS.
Bad guys can't log in with stolen credentials
through an EC2 node, right?
Because that doesn't happen.
So I think that's a big part of the value of it.
Another part of it is really just like,
what do attackers love about embedded systems so much?
And it's the biggest things is that you
can't run EDRs on them.
They're Swiss cheese, so they're really easy to hack.
They've got traffic to and from them.
There's always going to be more stuff behind them.
They have high uptime, so you're going
to have, if your implant lives in memory,
you can live there for a million years
until this thing gets rebooted. So it's nightmare fuel.
Yeah. I mean, I think that original use case for using orbs, like when I think back to
old school days, it's like you said, they get into these things, they disable logging,
right? So it sort of walls you off from incident responders to a degree because they might
trace back an attack to one of these devices. They go, aha, pull the device, there's no logs, they don't know where the person
was coming from.
You know, maybe they get a little bit from an upstream ISP or whatever, but it just makes
it harder.
That's right.
Whereas now I feel like that tangible reason is like, well, we can't even log in to these
places unless we've got a residential IP somewhere in this range.
That's right.
So like, do you have any sort of feelings, vibes, thoughts about what type of
actor may be behind this? I guess it would be difficult based on the, you know, the intelligence
that you're collecting. Although, I mean, you might've seen some interesting originating IPs in there.
No, so, okay, like the actual, a lot of the attacks that we saw came from random servers in Malaysia.
And we were working with some people to get those imaged and then like a horrible natural disaster happened
in Malaysia and we're like, okay, well, this feels
much less likely to happen now.
And so what I know is anecdotal and it's from conversations
that I've had with people in or close to government
and then people who know a lot more about this stuff
than I do.
There are groups in China, probably in other countries too, but like China's the, you know,
the a lot of these Chinese actors are the ones that have been going after meta systems like this
and operating and going after telcos and stuff like that. Like the type.
I mean, that's kind of the answer I was fishing for there, man, if I'm honest.
Yeah, I mean, it's, you know, it, you know, there's, there's a lot of these Chinese actors.
And so then inside you've got, you know obviously, you've got people who work for the People's Liberation Army.
You've got folks that work in the intelligence apparatus.
And then you've got folks that are outside of it
that do nothing but.
And maybe they work for the government, maybe they don't.
And their job is to build these orb networks
and build these botnets, gain accesses, and then pass them
along to somebody else.
And in a place like that, you know, people aren't going to be as financially motivated.
People are going to be more motivated by, you know, the notion of currying favor with the party or doing the right thing, being patriotic, you know, like whatever.
Right. And so there's lots of these actors whose job is literally to build orb networks. And there's also a lot of overlap and a lot of crossover
between people who have vuln research blogs,
who participate in like Defcon China,
kind of CTFs and stuff like that,
who chat with each other on like the QQ networks
and stuff like that,
and who post vuln write-ups and the vulns themselves that are exploited.
In this case, I mean, Remy did some insanely good digging
to try to figure out anyone and everyone who
is doing research on this kind of firmware for these ASUS
routers and found just like this treasure trove of vulnerability research that was written in some Chinese
language blogs from Chinese researchers, and we have no
indication there's no reason to believe that this person had
anything to do with it. But the write ups that they were doing,
all of those same TTPs were used and all those same tactics and
all those same paths. And even like some some vulnerabilities
that nobody would have known except for somebody
who had at least read very closely that research.
Yeah, we've got an occasional guest on Risky Business,
Lina Lau, who comes and co-hosts every now and then.
And she speaks Chinese and finds the most amazing stuff
on WeChat.
She's like, it's a whole other world there.
And there's all sorts of good stuff being posted there. and the language barrier just means it doesn't often cross over. And
also because you've kind of got to be on WeChat to see that stuff and most people in the West are
not. So yeah, that is all very interesting stuff. Let me ask you though, from a Grey
Noise perspective, tracking these orb networks has got to be a major PITA,
because they're often on residential ranges, right?
And those IPs are going to flap around a bit.
So I know that you've already got a feature in GreyNoise,
which will tell you like when an IP was known to be bad.
Yeah.
But like how often, I guess the question really is like,
how often do residential IPs flap around these days?
How often do those IP leases renew?
And how do you keep track of, well,
we know this device is bad.
It's on this IP now.
When that gets a new lease, how do you actually track it
across to its new IP?
We don't.
So from our perspective, it becomes a net new one.
This is all we, and it's like, we're dogmatic about this at GreyNoise.
So like we only report on things that we know to be true.
So you see combinations of protocol fingerprints.
You see, you know, nuances in the implementation of the TCP stack to surmise
that something might have been the same device.
You might see the same banners, right?
You might see actually like whenever,
if any services were being advertised
for something like a Censys or a Shodan,
then you might see some of those same ones.
But we're not really able to track it from that angle,
right?
We only see the stuff.
We're at the mercy of the scanners.
Like, so whatever it is that reaches out and comes to us,
it's, as I would say, intractable.
So I guess what you can do here though,
like you alluded to it earlier,
which is you can detect these things, right?
If they are connecting to you, you can detect them.
So how much of a demand is there from your customers
to sort of get rule sets that they can use
to understand when one of these things
is connecting to them?
Is that something that they do?
Increasingly.
Yeah, right.
OK, so there you go.
That's kind of what I was wondering,
is what's the value of doing this if you can't track the IPs?
And I'm guessing it's like, you're
giving them the means to detect one of these things
connecting to them.
So what tells are there in the network traffic that's
being generated or tunneled through these things
that the IDPs or the centralized authentication providers
might be able to use to tell that something is being
shoveled through another device.
That's what I was curious about, yeah.
Yeah, so that's where you're going to see more and more.
So we're collecting JA4 on everything
that we have right now.
And we've got more vendors that are processing stuff
like this that are asking us for these lists of all of the JA4
fingerprints, all the TLS fingerprints that we know of
that attackers are using for this kind of stuff.
And that's, I think, where a lot of the future
is going for this, because an IP is going to be useless
five seconds from now, but the implementation
of the TCP header and like the MTU overhead
and all the IP options or whatever,
that's work. It's like, yeah, yeah, that's work to redo that. Yeah. Yeah.
That's literally what I was asking is like, you know, I figure like if I'm Okta, I might want to
come to you and ask you for that information so that I can do some filtering, you know, and I just
wonder, is that something happening now? Or is that like more you're hoping that'll happen in the
future kind of thing? I want to see more of it. We're not doing a good enough job like packaging that data and
getting it to people. So it's kind of like, you know, the way that you would get that is to buy
all of GreyNoise's everything, which is very expensive. So I think we need to,
we need to do a better job of actually putting that data into this, into the right place,
into the right bucket, so that, you know, it's easier for those customers to buy and consume
and then do something with, right?
Or you just sell it for lots of money,
more ivory backscratchers.
You know, I know you.
I know how you roll.
More ASUS routers, more TP-Links.
Yeah, yeah, yeah.
Yep, that's it.
All right, Andrew Morris, we'll wrap it up there.
Great to see you as always, my friend.
Great conversation.
And yeah, we'll talk to you again soon.
Appreciate it, man.
Thanks so much for having me.
That was Andrew Morris from GreyNoise there. Big thanks to him for that. And yeah, big thanks to
GreyNoise for being this week's sponsor. That is it for this week's show. I do hope you enjoyed it.
I'll be back soon with more security news and analysis. But until then, I've been Patrick Gray.
Thanks for listening.