Risky Business - Risky Business #800 — The SharePoint bug may have leaked from Microsoft MAPP
Episode Date: July 30, 2025

On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news:

Did the SharePoint bug leak out of the Microsoft MAPP program?
Expel retracts its FIDO bypass writeup
The mess surrounding the women-only dating-safety app Tea gets worse
Broadcom customers struggle to get patches for VMware hypervisor escapes
Aeroflot gets hacked by the Cyber Partisans, disrupting flights

This week's episode is sponsored by Push Security. Daniel Cuthbert joins and explains how having telemetry about identity from inside the browser is a key pillar for investigating intrusions in the browser-centric future.

This episode is also available on YouTube.

Show notes

Microsoft Probing Whether Cyber Alert Tipped Off Chinese Hackers
Microsoft says Warlock ransomware deployed in SharePoint attacks as governments scramble | The Record from Recorded Future News
What we know about the Microsoft SharePoint attacks | Cybersecurity Dive
An important update (and apology) on our PoisonSeed blog
Tea User Files Class Action After Women's Safety App Exposes Data
A Second Tea Breach Reveals Users' DMs About Abortions and Cheating
Top Lawyer for National Security Agency Is Fired
From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944
VMware prevents some perpetual license holders from downloading patches
Pro-Ukrainian hackers take credit for attack that snarls Russian flight travel - Ars Technica
CYBER STRIKE ON RUSSIA'S AEROFLOT!
Treasury sanctions North Koreans involved in IT-worker schemes | Cybersecurity Dive
Minnesota governor activates National Guard amid St. Paul cyberattack | StateScoop
Outage was result of cyberattack, Post Luxembourg says
Clorox files $380 million suit blaming Cognizant for 2023 cyberattack | Cybersecurity Dive
Cisco network access security platform vulnerabilities under active exploitation | CyberScoop
Arizona woman sentenced to 8.5 years for running North Korean laptop farm | The Record from Recorded Future News
Cybercrime forum Leak Zone publicly exposed its users' IP addresses | TechCrunch
Transcript
Hey everyone and welcome to Risky Business. My name is Patrick Gray. And as you can tell
from my voice and probably my appearance, if you're joining us on YouTube this week,
I am a little bit under the weather. I've spent the last few days in bed, but I am feeling
well enough to record today's podcast. So that's, that's, uh, that's great. Um, this week's show is brought to you by Push Security and we're going to be joined
by Dan Cuthbert, uh, who is a fairly well-known guy in InfoSec,
the old cybersecurity. And these days, Dan works for Santander bank, uh,
where he does all sorts of interesting cybersecurity work.
And he's joining us to talk about, uh,
products like Push and what you
could do with them from like a detection engineering standpoint and just like generally what you
could do with the types of data that come out of products like Push. For those who don't
remember Push primarily is a, is a browser plugin based solution that captures stuff
like login events, whether that's yeah, like login events into third
party SaaS basically. So you can get all of that information. You could also put controls around
third party SaaS using push and just generally it's turning out to be a very useful thing. So
Dan is joining us later to talk through all of that. But first up, of course, it is time for a check of the week's news headlines with Adam Boileau. And mate, what looks to be a brewing scandal. Uh,
this week, last week, of course, we talked about how, uh, you know, everyone's SharePoints
were getting owned by the Chinese government, which was, uh, you know, not a good time for
people with SharePoint boxes. But, um, now it looks like there might've been a leak out of Microsoft
relating to these, to these bugs, but it's all a little bit like, I don't know. I don't
know if there's any like smoking gun here yet, but something weird definitely happened
with the, with Microsoft's so-called MAPP program. Walk us through this.
Yeah. The timing of these leaks or of the exploitation is certainly, you know, it's interesting at the very least.
So the story goes that the original SharePoint bug was disclosed at Pwn2Own in Berlin by a Vietnamese hacker.
He handed off during that competition to a Microsoft representative to go off and do the patching thing.
About 60 days later, Microsoft came up with a patch. The MAPP program is kind of like two
levels: there's a quite highly vetted one where you get like five days' advance notification of
patches, and then there's the slightly broader MAPP program where you get a day's
worth of prior notification. The day before the patch is due to be released, it gets sent out to MAPP, and then that day
it starts to be attacked in the wild.
And there are a number of Chinese companies that are members of the MAPP program, and there's
some like, Microsoft says they're investigating whether or not these facts are related, but
the glove does fit a little bit as to what I'm not.
I mean, kind of, but like, do we really expect that someone, say some, someone close to the
government working for one of these companies in China, because there's a plenty, there's plenty
of Chinese companies that are part of the MAPP program, right? Are we seriously saying that
someone worked at one of those Chinese companies, saw that Microsoft was going to patch
these bugs, and what, they had time to like reverse into the patch and come up with a functioning exploit
in that time? Or do we think it's more likely that it's the case where, you know, maybe
there was a leak and someone realized, oh my God, our SharePoint bugs that we've been
using at low volume are about to get patched. Let's go big with these now. Because that,
that to me feels like kind of the more realistic scenario.
Yeah.
I mean, the bug in question isn't super complicated.
Like it is just .NET deserialization and then was an auth bypass that was related
so you could get to that end point without auth.
So in that respect, like finding the bug, if you'd seen the patch and then
turning it into an exploit probably is feasible within the timeframe we're talking about, but I do
feel like your instinct of that probably it's a bug that was already being used
and the fact that it's about to get burnt all of a sudden means you may as
well hand it out or let a bunch of people off the you know off the leash
that have been a bit more tightly controlled in its use, you know, that's kind
of more, you know, that sounds pretty believable as well. But I don't think it would be impossible
for it to be the other explanation.
Yeah, I mean, either way, though, like a program like this leaking is extremely not great.
I still feel like programs like this develop more good than bad, though, like even if you're
going to have the occasional leak like this.
But I mean it is embarrassing right because the Hafnium, like the exchange stuff that
Hafnium used in, like when was that, 2021, all the Exchange hacks, like that apparently leaked out of MAPP
as well.
So like this isn't the first time.
It's not a good look.
No, it's not.
And you know these programs are always going to be this kind of trade off right?
I mean, every sort of private vulnerability disclosure group, going back to like Zardoz, have been
sources of leaks or have been sources of hacks.
People used to break into security researchers to get access to their stash back in the 90s
as well.
Trading in this kind of information makes a lot of sense and the net
benefit probably still worth it.
Yeah, yeah, exactly.
But yeah, let's see if there's a complete investigation from Microsoft there.
I suspect this is the last we're ever going to hear of it.
But anyway, now look, just starting on the SharePoint thing.
Apparently, we've graduated from Chinese APTs using this bug and now various attackers based out of China also using
the bug to deploy something called the Warlock ransomware so good news
everyone. It's now being used for ransomware as well as espionage I guess
that's great news. Good job everybody. I mean it makes sense when you've got groups that
do both of these things, like do espionage
and also do ransomware to pay the bills.
So not that surprising.
But we have seen, you know, I think what, like 400 companies, agencies, government departments,
whatever breached using the bug.
So that's, you know, a lot of people have SharePoint on the internet and, you know,
some of those are pretty big organizations.
I think one victim we saw talked about the US Department of Energy said its National
Nuclear Security Administration was a victim and that's not good.
No.
But you would imagine that the National Nuclear Security Administration does not rely on its Windows network in such a way that it getting owned would cause mushroom clouds or you know,
dirty material to be sprayed about everywhere. Like, you know, it makes for a good headline, but I mean the people who work there,
they're not dumb, right?
It's just, it's still not good though.
No. No, it ain't.
So yeah, we got another story here also from Cybersecurity Dive
talking about this stuff as well that goes into the Department of Energy thing. So we've,
we've linked through to those in this week's show notes. We need to update something we
spoke about last week. So we spoke about this work out of a company called Expel where
they'd figured out apparently how to bypass FIDO/U2F auth using cross-device authentication.
And you even mentioned at the time, now normally there's a proximity check for that via Bluetooth
to make sure that the device is in the right place and blah, blah, blah.
And in some reason it didn't work here.
Well Adam, turns out this bypass that they claimed just didn't happen.
They misread the logs.
They've now published a mea culpa blog post.
But yeah, so it turns out that that skipping of that step
just like never happened.
Yeah, so it turns out they were working off,
I think, logs from Okta.
So the attacker in this case was authenticating to Okta.
And yeah, either they misinterpreted the logs
or the logs weren't super clear.
Sometimes logs from cloud services
can be difficult to interpret
when you don't have the context of the system
that's behind the scenes,
the implementation that you can't necessarily see.
But it's one of those extraordinary claims
requires extraordinary proof,
and they kind of didn't have it.
So I feel a little bit vindicated in the sense
that I'm reading this and going well
Like it feels like there's something missing here
But I mean if they're saying it happened then I guess I don't know what that missing thing is
But turns out yes, the missing thing was it didn't happen. It's real funny, right? Because I think that's um
headline hit my podcatcher
Like the last day I was in Fiji and I I just remember seeing it, a headline from us saying,
oh yeah, there's a FIDO or U2F bypass. And I just remember going, Ooh, you know, reminded me of like,
you know, earlier in my career, I remember around 2000, you know, like early 2000s,
like every week someone would claim to have broken SSL, right? And every week it was like some really
like weird exotic config. You could get it to maybe do a thing that was strange
And you might recover a couple of bytes or something like that
But it was always good traffic to do it. Yeah, exactly
But it was always written up as like SSL completely smashed
You know
And I like I just I just had a had a flashback in the moment that I saw that notification come up on the on
the phone. So I mean, from our point of view, there's not much you can do when a, um, you know, security company writes up, we saw this sequence of events, you know,
you don't, I mean, you don't really think to,
to vet and cross check that, you know,
like in a technical blog post,
you kind of would think that they know what they're doing.
Yeah. I mean,
and usually companies will publish as much technical detail as they are able to.
And if the technical detail that you want as a reader isn't there,
it's because they can't publish it for some reason, whatever that is. They don't have it,
they don't know, they're not allowed to, it's a customer's details, whatever it is.
And so yeah, you do just have to take it a little bit on faith that when they say,
we saw this and these other conclusions that they've done their work.
And yeah, in this case, they didn't.
They had not, dear listener.
Now, let's talk about Tea.
Now, Tea is a app that bills itself
as being for women's safety.
And I think the idea seems to be that you can do some research
on men in your area, see if they've
got criminal convictions, and see if any other Tea user has
said, oh, we found out this guy's dating like six people
at once, that sort of thing, or this guy's really dangerous and creepy and everybody should stay away
from him. That's kind of the idea behind this app. Unfortunately, it looks like the people who built
the app didn't do it in a very secure way. So there's been a fairly major breach. There's been
two, right? There's the major one that,
that this whole story began with where someone grabbed, it looks like their user verification
database like containing selfies and pictures of IDs going up to some time in 2023. Uh,
they've moved to some sort of new verification process where they're not storing that sort
of information, which is what they should have been doing in the first place, but it looks like, yeah,
some of the older stuff got out.
This has been all over 4chan with people saying
horrible things about the women who are users of this app,
and just exactly the sort of discussions you would expect
from a bunch of 4chan incels
when something like this happens.
But since then, other people have gone and looked
at this app as well and discovered that the
security situation there is extremely not great.
Someone was able to recover a whole bunch of messages between users talking
about extremely personal things. Um, and then, uh, showed that,
that material off to people who work at 404 media,
unsure whether or not that,
that second tranche of information involving very personal messages
has been obtained by anyone else. You would think that's a possibility, but we don't know
that yet. Either way, if you're going to provide people with an app like this, you know, you
really want to make sure you do a better job than usual is my feeling, right? Especially
when women might be having discussions with each other about violent men, you know,
about creepy men.
The last thing you want is what you've said
about a creepy man being made public, right?
Because that seems quite dangerous to me.
Yeah, it's certainly a really good example
of a place where like the normal,
like minimum viable product, let's just, you know,
I don't know if they vibe coded this,
but let's just kind of come up with something
that does what we need and then iterate
as we get more users and we get, you know,
a bit bigger and able to afford it.
Sometimes that's not the right approach.
And in this particular case where you're dealing with,
you know, I mean, foreseeing that a group like 4chan
would sink its teeth into something like this
isn't a big stretch,
especially when they are, as you say, the subject of many of the conversations being had in apps like this.
And yeah, I mean, the second bug you're talking about,
the second leak that you're talking about with the direct messages,
some of the reporting said that as an authenticated user,
you could talk to the direct messaging API endpoint,
and via that, you could get other people's messages.
So like a pretty straightforward kind of, you know,
API security, you know, cross-role,
cross-account sort of thing.
The sort of pretty standard type of pen testing,
or pretty standard sort of security view
would ideally spot.
So that is kind of concerning when you're dealing with sensitive data like this,
that there's basic things like that,
that ideally you should do before you launch something like this.
Yeah, how did the other data get out, the pictures of the IDs and whatever?
So the initial, so that breach, it looked like it was some kind of unsecured database.
Just like an open bucket or an open database?
I think it's some kind of open database.
I imagine it's probably some kind of NoSQL
database-y kind of thing.
I think this thing was built on Google Firebase.
I'm not sure what the standard kind of data store
that people would use with Firebase apps is.
But that felt like a pretty normal,
we are early in our dev cycle and we just forgot about it
off in the backend system that we're using, or we moved away from that system and then just forgot about it instead of actively
decommissioning it.
So yeah, not good.
Yeah, I mean, the fact that some of this data, it's old data and finishes from some date
in 2023 suggests that this app is years old and you would have to think nobody did a pen
test or a review on this.
That's kind of what it feels like or it was pretty flimsy or like if you had even opened this up to like bug bountying like it would not have lasted with this kind of bug very long. It's exactly the
sort of thing that you know people who review mobile apps for security for a living will find.
So yeah it does feel like probably they just kind of winged it early
startup phase and then never really got back to doing it properly.
Yeah. So anyway, let's hope that that second tranche of information does not wind up in
the public domain because I have a feeling that would be the really dangerous stuff that
would actually put people at risk. So, you know, let's hope that it just stays as, you
know, but even the IDs and stuff, they've got people's addresses on them and it's just,
it's just not good. It is really not good. Now we've got some reporting from the New York Times
here where the top lawyer at the NSA, April Falcon Doss, she was appointed general counsel
in April, 2022 by the Biden administration and she has now been fired.
And this is due, it looks like, to Laura Loomer not liking her. Now, of course,
it was Laura Loomer who complained about the director and deputy director of NSA and got
them fired. And now it looks like she's done it again. And you search on X for this woman's name
and you see stuff like, here we go.
Deep state, Biden burrowed a far left Democrat activist
into the NSA before he left office.
April Falcon-Doss has written extensively
about her hatred of President Trump
and supported the prosecution of Michael Flynn
and Carter Page, blah, blah, blah, blah, blah, blah.
So it looks like it's this sort of stuff
bubbling up through the online fever swamp
of MAGA and then winding up with the swamp queen, Laura Loomer.
And from there, you know, then she gets fired.
So I mean, look, on one hand, this is bad, right?
But on the other hand, I kind of feel like it's encouraging that the reason she's being
fired is so stupid.
Does that make sense?
Like she's not being fired because she was refusing to allow the administration to do
something extremely illegal.
She's fired because a bunch of like weirdos on the internet think she's a deep state far
leftist, you know, Biden plant.
And that's, I mean, that's a, that's a good sign.
Is that a good sign?
We really do want any sort of good sign at this point would be great.
So it's, you know, we are kind of looking for them, but yeah, it's, it's just no way
to run a sensible, legitimate country.
When they review this in five, 10 years time when the US comes out of this mad phase.
Oh, do not make assumptions like that, my friend.
Do not make assumptions like that,
that the United States is coming out of a phase, man.
Like, that is a dangerous assumption, my friend.
Dear, I guess we live in hope, right? But maybe, maybe, maybe I will be wrong. I hope I'm wrong.
I hope I'm not wrong. Yeah. Well, I mean, look, you know, I can't imagine someone who's risen
through the ranks to become general counsel at an organization like NSA is going to have a
terrifically, you know, a terribly hard time finding work.
So I think she will be fine. It'll be interesting to see who they try to put into that job. I mean, I think that's going to be the more important news to see whether they get someone who's just boring,
who says the right things on social media, that's fine. Or whether or not they just select some
absolute lunatic, which we've seen a few times, right? So fun times, fun times.
We have some research to talk about here from Google Mandiant, which
is of course now part of Google, looking at what these Scattered Spider kids have been
getting up to when it comes to VMware. Some of this stuff is interesting, like some of
the walkthroughs of how they're avoiding detection
when they're working their way through all of this vSphere
stuff is interesting in that it works,
but they're also doing unnecessary steps.
And they obviously don't understand
how this stuff works 100%.
But the point is they know it well enough to get the job done.
But I just generally thought this was an interesting write-up.
Yeah, yeah.
It kind of talks through how they, you know, once they've landed on a network, typically
through social engineering to get a password reset, and then onwards from there, you know,
into privileged access and active directory leverage that onwards to VMware vCenter.
And the fact that they will then typically connect directly to the ESX, you know, the underlying hypervisor hosts, which have
different kind of sets of logging, a lot of people focus
their VMware logging on vCenter, because that's where the real
administrators do their work. And the ESX hosts typically are
not end user, you know, end admin, you know, used much. And
some of the logging, unfortunately, is off by
default, which is not great either. And they talk through some of the other tradecraft that they use.
And the one that we've seen making some comedy on social media, infosec-focused social media,
is them attacking domain controllers from the hypervisor,
so pulling the disks off the domain controller and using that to steal the underlying NTDS.dit file
that gives you all the credentials for the environment.
The funny thing is the Scattered Spider kids have been like turning off the domain controller VM so they can unmount the disk and then mount it somewhere else to access the files without
realizing you could just snapshot it, you can read it out of the underlying block device on the ESX.
There's plenty of ways to do this that don't involve interrupting service and getting snapped,
but on the other hand, probably it doesn't matter because if you're about to ransomware
them anyway, they're going to notice.
That's kind of the point.
So...
Yeah, I mean if they've got 10 minutes to stop you, like, what's the difference?
Yeah, exactly.
I guess how many organizations are going to be able to identify the cause of a domain
controller being shut down?
And typically you'd pick a secondary DC in some obscure location, you know, at least I would if it was me. But yeah, I mean,
it's kind of funny because in the end it just works, and as we often say on the
show, it's really not dumb if it works. Yeah. So, you know, but I do find it funny,
I do find it funny that like people who do know how this stuff works well are
sort of being a little bit superior on social media,
just saying, oh, look at these silly spiders. Yeah.
They don't need to do that. We do this off the block device like real...
Hang on, they got the job done and stole the NTDS.dit. What more do you need?
That's right. Now look speaking of VMware
We've got a story here from the register written by an old mate of mine, actually, Simon Sherwood. Hello Simon, if you happen to be listening.
And Broadcom playing funny buggers with patches again. So if you've got, what is it? Some
of these tiers like perpetual licenses to VMware. You know, Broadcom made all the noises
last time this was an issue about how, no, no, it's fine. You'll be able to get security
patches. Don't worry, even if you're not paying for support and whatever. Looks like that
process ain't working at the moment. And there's a bunch of people who just can't get patches
for their VMware stuff, which look, you know, and I actually spoke to Simon as he was writing
this one. We just had a chat. We caught up. And, uh, you know, if you've got VMware on
the internet, you know, you're going to have a bad time. So I don't know, patched versus unpatched VMware, I mean, it's only marginally a worst
time if you're unpatched, right?
Eventually you're going to have a bad time anyway.
But this is extremely not great.
This is really not good by Broadcom.
And it's like, this is the sort of stuff that VMware customers have been complaining about
since day one, since Broadcom took it over.
Yeah, exactly.
And you sort of get the feeling that the organisation as a whole,
it's not a priority of them to make this process work,
and the actual support people are like,
eh, this may take some time, and sometime maybe months in this case.
Which is especially not great when some of the most recent VMware bugs patched,
I think this month
There's like three guest-to-host VM escapes, all of which were
ZDI Pwn2Own competition ones. So like VMware's like, yeah, these are not really zero days, they're not really in the wild. It's like, if people are dropping them
at Pwn2Own, like you're kind of... I mean, yeah, you could say, sure, okay.
They're technically not in the wild,
but you know how much, let's spin up a Polymarket
on whether they're gonna be in the wild in a month.
Yeah, yeah, exactly, right.
So it's Broadcom all the way down,
which is unfortunately what we expect.
And you know, VMware has just turned into such technical debt
for so many organizations that built their whole
stacks on this stuff in that kind of early 2000s era when it was good.
And now it's not.
Well, but the problem is it still works, doesn't it?
And I've got mates who admin some of this stuff and they love it.
Yeah.
I mean, the other options of virtualization at scale, other than pre-cloud, like pre-infrastructure as a service cloud,
VMware was the best option.
And as you say, it does still work
so long as you don't consider guests to host
VM escapes as not working.
But that's what I mean, they don't.
Because that's sort of, ah, don't worry about that.
This is the way we've always done it.
Yeah, no, it's certainly a mess, and I don't know.
Broadcom.
Why you got to be like this Broadcom?
Why?
Why?
Now, Aeroflot having a bad time.
This is Russia's largest airline, of course, and they got themselves owned by two groups.
One of them was the cyber partisans who are mostly
associated with activity targeting the government in Belarus or the regime in Belarus and some other
other hacktivists. Yeah, Silent Crow is this other group. So it's Silent Crow and the Belarusian
cyber partisans have really done a number on Aeroflot. Apparently they were in there for a while
and they managed to rm -rf 7,000 servers.
And this led to the cancellation of 100 flights
and stranded travelers and a bunch
of extremely satisfying images being
put all over social media.
What else do we know here?
Did Aeroflot recover?
Is this it?
You know, is this just a, you know,
did we just get some nice images and that's it out of this?
So the cyberpartisans have said that they
exfilled a whole heap ton of information.
So some of it's passenger records, which they said they're going to make available for independent
investigators.
So like the Bellingcats of this world will have access to flight records and passenger
manifests and all those kinds of things inside Russia and outside, which that's the sort
of information that a group like that really makes hay out of. And we've also seen some bits about internal conversations and
some other kind of scandalous sorts of things. So they have said that they're going to leak
a bunch of it, and I imagine they probably will because why wouldn't you? As to how
fast Aeroflot are recovering, I mean, it seems like they've got the planes back to functioning. But, you
know, having been inside airline and airport networks, those things are quite complicated
and putting them back together in a way where everything works and all the integrations
with third party systems and crew management. There's just a lot of moving parts in a modern
airline. So I don't imagine this will be a particularly quick process. There wasn't any mention in this one of like one of the previous breaches of a big Russian organization.
It was the Gazprom one. The Ukrainians said they destroyed the BIOSes, the BIOSes of many of the systems.
And like that's the sort of thing that, you know, if you have to go replace motherboards or reflash BIOS chips, to the extent that you even can, you know, pull them and reflash them, you know, anything that
involves having to go physically touch a whole bunch of computers really slows down recovery.
So they didn't seem to do this here. And I'm kind of, you know, I'm always surprised now
when we don't see people, you know, physically destroy the hardware in this way when you're
doing a destructive attack, because hey, why wouldn't you if you can, you know, flash a bunch of stuff? So they
seem to, you know... You seem disappointed. You seem underwhelmed. You would have
preferred a little bit more carnage. I wanted a little more, you know, like
overriding the ROM chips on the network cards and on the video cards and on the
BIOSes. Like, why not just, you know, make it so you can't boot these things ever
again? Yeah, well, apparently the network made heavy use of Windows XP and Win 2K3.
The CEO Sergey Aleksandrovsky has not changed his password since 2022.
So, you know, there's some interesting stuff that came out of there.
There's lots of, you know, screenshots of like ancient windows
with like passwords.txt files on the desktop.
And so you get the impression reading through this that perhaps Aeroflot's security wasn't
in amazing shape.
Ah, now Minnesota, the state of Minnesota is having a bad time.
St. Paul, the city, its systems have been really worked over by attackers unknown to
the point that the governor, Tim Walz, has activated the state's National Guard to help respond.
And what's interesting here is I did not realize that the National Guard in the United States
has 50 dedicated cyber units, according to the Department of Defense. So that's good.
I mean, having a group like that where you can break the glass and hit the old emergency
button, that's handy.
Yeah. And especially if you do have a big network that you've got to rebuild in a hurry,
having a group of people you can bring in who do at least know how to build domain controllers,
reset people's accounts, do all of that kind of scaled, fiddly technical work.
It's not sophisticated, but it is, you've got to get it right.
And you don't want people who've never done that stuff before
being the ones who have to do it in a crisis. So, you know, having this seems like the sort of
thing that a National Guard is for. So there's not a lot of details like we don't know if this is
ransomware, we don't really know if it's not ransomware. Now it's not just Minnesota where
people are having trouble. There's been a pretty serious outage targeting Post Luxembourg, which
apparently also offered telco services, right? So their stuff's all been down. There was a major outage. It looks
like they're back up and running now though, but what do we know about this one?
So the details are a little bit slim in terms of the technical part, but it sounds like
there was some kind of major cyberness going on at Post Luxembourg. It's the main state-owned
telco as well as post, you know, postal service there.
And the impact of this seems pretty bad.
There were flights delayed at the airport,
emergency services, communications weren't working.
So the local government told people that, you know,
if you want to report a fire,
go walk down to the local fire station, right?
And let them know, and same with the police.
So that's not a great situation to be in.
They seem to have pulled it back together relatively quickly,
but yeah, pretty, you know, it underscores kind of
how important comms is to all sorts of things
because when phones were down,
home internet services were down,
emergency services, planes,
point of sale systems, payment systems.
So, you know, pretty widespread,
although Luxembourg's obviously not a very big place.
No, but apparently pro-Russian hacker groups have claimed responsibility for similar attacks in the past, right? So, you know, that might give us some indication as to what's happened here.
Now, I love a good legal catfight, and that's exactly what this is, right? So Clorox,
we all remember back, I can't believe that was in 2023.
Yeah, time flies, man.
It's like I blinked and like it's what? Two years later? How did that happen? So Clorox,
the, you know, the bleach company got owned hard in 2023. And to the point where like,
supermarkets weren't getting their deliveries of Clorox. Like for people who don't remember,
like it was a really serious attack. And Clorox, as it turns out, is a surprisingly
huge company. Anyway, turns out they had outsourced like a bunch of their help desk stuff to Cognizant
and this is how Scattered Spider owned them. You know, this is how they got the creds to
own them, right? So now they're suing Cognizant saying, you know, you have to give us $380 million
because these people owned us because of your negligence and you reset creds completely outside of
our policy and we have the customer service calls that prove this.
And Cognizant's response, I got to say, and that seems like a reasonable complaint.
That's a reasonable complaint.
But then you look at Cognizant's response, which is basically like,
hey, we didn't run your network. We just managed some help desk stuff and your security is
inept. What did they say? It is shocking that a corporation the size of Clorox had such
an inept internal cybersecurity system to mitigate this attack. Clorox has tried to
blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which
Cognizant reasonably performed. Cognizant did not manage cybersecurity for
Clorox. So question to you Adam, do you think if you're doing outsourced help
desk for someone and one of your people gets socially engineered because they
went outside of policy, I mean you would think that there should be a penalty for that, but do you think they
should be blamed for the whole thing and pay $380 million?
Because personally, I actually don't think so.
No, and I think clearly delivering those services per the spec of the contract, and it's kind
of up to the buyer to ensure that the spec of that contract is actually appropriate.
I think there probably should be some reasonable penalties there.
I would certainly like to see organizations that do deliver these kinds of outsourced functions
take those obligations really seriously.
But that said, if one user account gets compromised and that results in your entire company getting
ransomed into the ground, that's kind of a bigger problem than just your outsource provider,
right?
And the job of enterprise security is to deal with that inevitable failure, that someone's
account is going to get compromised, there's going to be a malicious insider, whatever it
happens to be, and then not have that turn into catastrophic
enterprise-wide failure.
That's the job of your enterprise security architecture.
So, you know, there's definitely-
Did you never tabletop or ponder or consider
the possibility that the help desk
might actually reset creds for someone
when it's social engineering?
Like, that is just something
that you never thought could happen?
Yeah, yeah, exactly, exactly.
Like, come on.
Yeah.
I mean, I would like to see everybody take
a little bit more responsibility.
And people do outsource stuff without really thinking
about thinking that they can outsource responsibility.
You can't outsource blame.
That's not how this works.
But there's plenty of places that think you can.
So yeah, everybody needs to do a better job,
except maybe Scattered Spider,
who clearly are doing all right.
Now we're going to talk about a Cisco bug. Now you explained it
to me earlier and I did laugh but I'm sick so I've forgotten
but it involves something of like just throwing Python code
at these, what, devices, and they just run the Python code.
I mean, that is basically the summary of it. Yes, this is the Cisco Identity Services Engine,
which is basically like their RADIUS and TACACS,
like, authentication service.
So pretty core security component
in most people's environments.
And yeah, there is an API endpoint
and you can just post Python to it and it runs it.
That seems to be the bug.
Like I found some proof of concept code
to like on GitHub to make sure I understood this.
Really, that seems to be all it does.
They post to an API endpoint, here's the Python, and it runs it.
Do you need to give it some special characters first or not?
Just cut and paste some Python and away she goes.
No, you seem to just post Python to an API.
The API endpoint is literally slash admin slash API,
and then it runs the Python. Which, I love me some Python, so I'm into Python being executed,
but, uh, in the context of your auth system.
And this is the sort of thing that people would use for like, sit, like tying
certificate-authed wifi networks to your AD, for example,
does that kind of like important auth glue situation. So really
you'd hope Cisco would have done a little bit better, but then again, you know,
statistically, it's best practice for Cisco, I suppose. So I wonder if there's also hard-coded creds
on this box where you could use the Python to get you there. Probably. Probably. That is how Cisco be.
Just amazing. Now this one we are not going to spend a lot of time talking about, but
there is an interesting detail in it. John Greig has the write-up for The Record, a woman
in Arizona, and we've talked about her getting arrested before. She was running one of these
laptop farms for North Korean remote workers. As you do, right? It's what do the Americans like to call it?
It's a side hustle, right?
Her side hustle was running a basement laptop farm for the North Korean government.
She's been sentenced to eight and a half years for running her North Korean laptop farm,
which I suppose seems like a reasonable penalty for someone who knew that that's what they
were doing and wound up generating $ million dollars for the North Korean government. That's
not great. But there's a fun detail in this one, Adam. Yes, so she was an average
user of TikTok and at some point on one of her posts to TikTok she was
making a video about important topics. She said that she'd been very busy
because her clients were quite demanding,
the North Koreans, being quite demanding that day.
And she didn't have time to make breakfast,
but she had been doing a diet challenge.
And so she had just popped out to the shops
to get a breakfast smoothie bowl,
rather than, because she didn't have time.
She was so busy installing remote access tools
and posting laptops to China and whatever else.
She didn't, you know, so she went out,
bought the smoothie bowl, brought it home,
made a TikTok about her smoothie bowl
and the success of her, you know, of her diet program.
Unfortunately, she did it in the room
where her laptop farm was,
and the laptop farm was clearly visible in the background,
you know, with the desktop screens up
and the windows moving and the mouses going around as the Koreans were remotely using them.
And apparently the FBI found that quite compelling when they were preparing
the search warrants for her house.
So what do we learn about our criminal conspiracies?
Don't post them on TikTok.
Don't post them on TikTok.
If you are making your smoothie video and you're panning around your room
and there's the bullet-riddled bodies behind you,
maybe don't post.
Same thing that goes for all of the scales and pots
covered in white powder, guns lying around.
Maybe don't post.
Maybe don't post.
Hashtag Opsec.
Yeah.
Yeah.
Ah, and we got one more skateboarding dog, so that was kind of a skateboarding dog.
We've got two this week, two skateboarding dogs to close out the news.
Talk to us about the cybercrime forum, Leak Zone.
Yes, so there is a cybercrime forum called Leak Zone, where you post much as you would
expect, you know, leaked data, stolen data, data dumps. The bad news for users of Leak Zone is that they appeared to leave one of their databases
lying around on the internet without authentication.
And UpGuard found it and had a rummage through, and it's user records, so like access records
for the forum, so IP addresses, times and dates and so on.
So yeah, that's quite funny, I suppose,
when you are called Leak Zone
and you have all your stuff leaked.
Indeed.
All right, well, that is actually it for the week's news.
I do wanna mention an announcement from a sponsor.
And the reason I'm gonna mention this now
is because it's quite funny,
because a little while ago,
we had Rad Security in the show as a sponsor, but I'd actually messed
up the weeks.
So we published the show with the wrong sponsor in it, which as you can imagine, Taron Ferriero,
who runs sponsorships here at Risky Business, I think he nearly had a stroke when this happened.
Because Rad Security wanted to run it like this week because they had a big announcement
coming up, which is, and it's like everybody else's announcement, not to diss it, right? But they've got these things now called Radbots, which are agentic
AI powered digital workers, right? And it does all of the stuff that these AI agents
are proving to be good at things like triage and, you know, alert triage and, you know,
automating compliance help and whatever. So they've done that now. They're going to be
at Black Hat. So you can go check that out. But I guess I did have a thought that's sort of relevant to the, to the general
show about this, which is, I think if you're not doing this sort of thing in your security product
now, I think you're going to get left behind because everybody's introducing some sort of
agentic something that is making their products easier to use. And I just sort of feel like, unless the product is really outside of an area where that's
useful, you just have to do this now.
Yeah.
I mean, it seems to be a thing that, despite there being all sorts of kind of concerns
and skepticism, and skepticism has some real point in many cases, it is still really very useful in how people interact
with complicated technical data,
talking about it and accessing it in ways
that are kind of more human friendly, more human centric.
Like that really is a force multiplier
for a lot of these systems.
So yeah, I mean, much as it sometimes pains me
that we bolt AI into everything,
it kind of also makes like, it's,
I've found so many legitimate use cases for it
and stuff that we do even, you know?
And it's always a bit confronting
when your skepticism meets the actual,
hey, this is quite useful.
Yeah, yeah, I regret to inform you what works
is kind of the vibe there. So I did just
want to mention that because I made a boo-boo with the sponsorship thing. So sorry about that
Rad Security and everybody go check out their agentic AI at Black Hat. But that is it for this
week's news. Adam Boileau, thank you so much for joining me and we'll do it all again next week. Yeah. Thanks so much, Pat. And hopefully you'll be feeling better by then.
That was Adam Boileau there with a check of the week's security news. It is time for this
week's sponsor interview now. And this week's sponsor is Push Security. This is a company
that I advise. They're part of that group of companies that I advise.
And they do identity security, I guess. What they're really incredibly useful for is as a phishing control.
So they plug into your browser and your users' browsers, and it can really track where users have SaaS accounts,
if they're using vulnerable passwords, if they're using personal accounts at work and whatnot. And it really just does build a very complete picture of where users are going
and what sort of accounts they're using. It can also detect phish kits very reliably. So
say a link comes in, your mail gateway misses it. This is that last mile defense where if
someone actually loads it in the browser, it's going to find, it's going to detect that phish
kit and prevent users from being able to enter credentials into it. So it is a very, very
useful product. Dan Cuthbert works for Santander Bank and he is here to speak to us about Push
instead of it being someone from Push. We're going to speak to Dan about, about Push. And
you know, Dan does a lot of sort of cyber security research and detection engineering
and cool stuff like that. And,
uh, he wanted to join us to talk about like what you can do with the type of data that products
like Push, uh, can give you in terms of telemetry. And he sees this as a future area, which is going
to be, you know, very, very useful to, uh, detection teams at large organizations. So here's Dan
Cuthbert talking about that. I think for me, what I'm getting out of this now, especially what Push gives us is the
whole context.
So I know that a user's authentication is happening against an app, right?
So you've got the normal flow user logs in.
What Push gives you is how they've logged in, what kind of authentication process.
And once you delve into the authentication
world, God, it's a mess. It's just, there are so many different ways you can authenticate
and cross authentication and so on. But along with that, you've also got the pattern of
life. So have they ever logged in from this user agent before from this IP address before?
Have they gone in before with SSO, but now they're using a username and password? Has
that username and password been seen in the breach? Is it a different time of day?
There was a great quote, I think it was the Microsoft CISO who said it's an EDR for the
browser and I totally agree with that. You're now getting all this rich data that you can actually
do stuff with, say, hey, that deviation of pattern of life happened. Why did that happen? You can dig
deeper. One thing I've always wondered, right, is like, the reason this is useful is kind of because SaaS
apps could never agree on some sort of uniform approach to logging, right? Like, if they were
doing their jobs right, like if they all got together in some big little SaaS, you know,
circle around a fire and beat their chests or whatever,
or did an incantation and figured out how to do uniform log sources. Like we wouldn't
need this, but they never did that. So I guess we kind of do.
Yeah. And I think you nailed it on the head. Most of the SaaS apps out there, frankly put,
I don't think do authentication properly. It's a mishmash of rush to markets, MVPs being done.
Oh crap, we need to do this.
Okay, but why is all the admin accounts not mandatory MFA
by default out of the box, right?
Why is it that I can't get any form of decent logs
like you just said, where I can extract to say
that user's never logged in from this place, weird.
Cause they know that they've got that data, right?
Yeah.
Just it's never presented to the endpoint. I think that's where Push comes along and says, actually,
we will give you that data. You know, like stupid things like the agent itself, right?
Or the browser. You've never seen that user use Chromium before, but now all of a sudden
they're using Chromium at 9pm at night.
And they're in Lagos.
Yeah, in a weird place.
You would think that a SaaS app would give that data to you, but it's just, you don't.
You don't get it.
It's really frustrating.
I think one thing that mitigates this though is for a lot of that impossible travel and
checking to make sure the endpoint is roughly in line with what it usually is and whatever.
I mean, don't the IDPs give you a little bit there?
Not as much as they should do. The way I almost look at the detection flow at the moment is
my triangle of love, right? Everybody's mostly got an EDR, everybody's mostly got an IDP
and then they've got something hopefully like Push. I want all that data to be thrown into
a pool somewhere where you can then map out to say, okay, we're
seeing an anomaly there. We're not at that stage yet. Each of those components still operate really
separately. And I think that's the frustrating part. And if you look at how most adversaries
are now owning stuff, they are targeting one of them because you, whilst you have visibility
there, you don't have visibility to the other things. And I think that's the frustrating part.
And what I'm finding with Push is that you can start to join these up really nicely.
So you're finally having that first stage of wow, it was 2025.
I can get that impossible travel, but then I've got all the context I'm adding on top
of it saying, we've never seen this browser, we've never seen this user agent.
They're doing a weird IP.
And I get you can spoof all of that.
But for the pattern of life, you start to pull out the data and go, actually, this is really bad. The stolen credential user journey is
fascinating. You know, we know that stolen credentials are very much a thing. We know
that identity brokers make an obscene amount of money doing this kind of game. It was putting
the pieces in place to show that, hey, a credential was used to try and authenticate to something. And I think
that was really useful. That's the first one. I think the next thing is, for the first time
ever, I've been able to build a tool that allows me to have this massive data set, where
I can really understand from A to B, the entire journey of the authentication process. That's
beautiful. And then the third one is finding SaaS providers that should know better.
Hey, here's that OWASP ASVS. Why are you not doing this? Like it's a standard used by everybody. Why
are you not adopting this? And I think that's probably for me the biggest bang for buck at the
moment, which is having Push snitch on your SaaS providers. Holding them to account now saying why
is it that, you know, MFA is not mandated for all high privilege accounts. Yeah sounds super simple, right?
Yeah, and when you and Adam do your weekly thing and you talk about a breach most of the times
It's because somebody's grabbed a privilege token. They've done something with it because there was no mandatory
Extra security bolt of time. Why why not?
Hmm. It's sort of surprising. Don't you think that we haven't had much, I mean it's not just
Push anymore, there's a couple more companies sort of moving around in this space like doing
a little bit more in terms of collecting data from the browser.
I don't think quite as successfully if I'm frank, I mean I'm biased obviously because
you know I work with Push but I just don't think they're quite there.
But it's sort of surprising, isn't it, that this is a new field, that this is a new category,
that this is a new thing.
Because it's one of those things that in retrospect, it's really obvious that you would want to
have some sort of visibility into the browser.
But I think a large part of why we got here is because for a long time, we thought we
were going to get this information with break and inspect.
And you know, if, if,
if Push could just do one thing by ending that, uh,
they will have done the world a huge service. I think.
Yeah. It's I, I'm with you.
I don't understand why it took us this long to have this mindset
up here. You know, we're well-grained with how EDRs work.
Great, everybody's now building EDR.
It's not an uncommon thing.
But it seems the browser space is still,
everybody uses a browser.
In fact, if I dare to argue,
if you look at most organizations now,
most employees will spend most of their time
in a browser of sorts, right?
Over, say, fat clients, or you might still have some of them, but everyone's browsing, right? That's how you interact with stuff.
Well, and it's completely, it's completely opaque to EDR as well.
Like people don't see it, EDR doesn't see it until something goes wrong and it starts like spawning weird processes, right?
But like what is actually happening within the context of the browser? It's like a big old mystery for CrowdStrike and whatever.
Yeah.
Like I feel like the browser is still that frontier where people are going,
we've got no insight. We don't know what's happening there. It's just a browser.
Oh, it uses TLS so we can't see inside of it.
But that's where all the juicy stuff is happening.
And I think that's where the efforts that we're seeing at the moment from an
engineering perspective with Push and the others is pretty exciting because it's
we're closing that circle now, hopefully.
Yeah. I mean, do you see it as like, you know, what do you think about what I was saying
before about how like this could be like us moving away from that break and inspect is
the way to do this thing. If you want insight into web traffic, you do break and inspect,
which has just been getting more and more brittle and like more and more people are
realizing it's just like not a great way to do stuff. You know, do you, do you think that's one of the reasons we're starting
to see tooling pop up here? Yes. I don't think the break and inspect model is, it's really hard to
get right. Um, you then have the problems of, okay, if you're doing full interception like that,
where are you storing the keys? Is that going to be targeted? It's just messy. Whereas this model, it's less overhead,
I feel. There's less impact on the end user, especially if sites are doing proper security,
they're not going to get all the errors like they do. And you get far more telemetry.
I guess from what you're saying, it seems like what using a product like this has been good for
so far has been surfacing issues. Like, whoa, that SaaS provider is like doing something silly like username, you know, there's
username and password auth for this admin and the password has popped up in a dozen
leak dumps.
You know what I mean?
Like we have a problem.
It's, it's that sort of thing, right?
Just surfacing those issues.
Yeah.
And stuff that we all suffer with as industry.
There was a great piece yesterday in the BBC about Knights of Old, how the 158-year-old company got lost because of a weak
password being used. And you're like, okay, that shouldn't be the case. And it was unfortunate
that did happen. But that is how companies are still getting owned. It's a very simple
attack, but you just don't have the insight or the visibility.
Yeah. And it's all, it also snitches on users who are not using MFA for like
important stuff as well, right? Like just across the board, not just administrators.
You can say like, show me who's not using MFA for these services.
Yeah. Also, I think if you now look at people,
we don't just have a dedicated work life and a personal life.
It's very much intermingled.
During lunch break, I might go into PayPal and try and pay something for the kids or
I might buy something and I'm logging into this. I think it gives a good insight and
I think it was one of the LastPass ones that was owned this way. Remember you and Adam talking
about how they went after the personal account of the admin. Right. So that kind of attack is still very much
prevalent. And I think something like Push and being in the browser allows you to see
the part that an attacker might abuse to jump in and get tokens for something else if they
own the browser and can get, you know, extract tokens that way.
Now look, I'm led to believe that you're actually working on some detection engineering that
uses these log sources, but I'm also told you're going to be quite coy about exactly what it is that
you're putting together.
Can you give us some hints?
I will try and be as non-coy as possible.
I think having all these sources now, so for example, knowing when a user is logging in
and logging into a high risk app and you can enrich it using GreyNoise or IPinfo
or VirusTotal or Falcon. And you can do all the detection engineering stuff you've wanted to do
for the last five years, but never could. Now all the pieces are there. So now it's a case of just
adding it all, querying the data set, in this case, Postgres and saying, show me any kind of deviation
or show me something that it's almost like Minority Report with the three precogs. Show
me something that could be bad happening in the future so I can preempt it now. Whereas
everything else before was very reactive, bad thing happened, crap, we need to do something
about it. Now we're at a stage I feel with the data we've got where we can say,
hey, if you keep on doing this, you're probably going to be owned. And that for me is a very exciting place.
Yeah, makes sense. All right, Dan Cuthbert. Great to see you, my friend. It's been a while.
Great to talk to you. Great to see you. And
thanks for coming along to talk a little bit about how you are using
telemetry captured from the browser
to do some fun detections. Always good to
see you mate.
Thanks, Pat.
That was Dan Cuthbert there. Big thanks to him for that and big thanks to Push Security
for being this week's sponsor. And that is it for this week's show. I do hope you enjoyed
it. I'll be back next week with more security news and analysis. But until then, I've been
Patrick Gray. Thanks for listening.