Risky Business - Risky Business #806 -- Apple's Memory Integrity Enforcement is a big deal
Episode Date: September 10, 2025

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

- Apple ruins exploit developers’ week with fresh memory corruption mitigations
- Feross Aboukhadijeh drops by to talk about the big, dumb npm supply chain attack
- Salesloft says its GitHub was the initial entry point for its compromise
- Sitecore says people should “patch” its using-the-keymat-from-the-documentation “zero day”
- Rogue certs for 1.1.1.1 appear to be just (stupid) testing
- Jaguar Land Rover ransomware attackers are courting trouble

This week’s episode is sponsored by open source cloud security tool, Prowler. Founder Toni de la Fuente joins to discuss their new support for Microsoft 365. Time to point Prowler at your OneDrive and Sharepoint!

This episode is also available on Youtube.

Show notes

- Blog - Memory Integrity Enforcement: A complete vision for memory safety in Apple devices - Apple Security Research
- Venezuela's president thinks American spies can't hack Huawei phones | TechCrunch
- 18 Popular Code Packages Hacked, Rigged to Steal Crypto – Krebs on Security
- Software packages with more than 2 billion weekly downloads hit in supply-chain attack - Ars Technica
- Salesloft platform integration restored after probe reveals monthslong GitHub account compromise | Cybersecurity Dive
- CISA orders federal agencies to patch Sitecore zero-day following hacking reports | The Record from Recorded Future News
- SAP warns of high-severity vulnerabilities in multiple products - Ars Technica
- The number of mis-issued 1.1.1.1 certificates grows. Here’s the latest. - Ars Technica
- Cyberattack on Jaguar Land Rover threatens to hit British economic growth | The Record from Recorded Future News
- Cyberattack forces Jaguar Land Rover to tell staff to stay at home | The Record from Recorded Future News
- Bridgestone Americas continues probe as it looks to restore operations | Cybersecurity Dive
- Qantas penalizes executives for July cyberattack | The Record from Recorded Future News
- Cyber Command, NSA to remain under single leader as officials shelve plan to end 'dual hat' | The Record from Recorded Future News
- GOP Cries Censorship Over Spam Filters That Work – Krebs on Security
- Risky Bulletin: APT report? No, just a phishing test! - Risky Business Media
- Post by @patrick.risky.biz — Bluesky
Transcript
Hey everyone and welcome to Risky Business.
My name's Patrick Gray.
We'll be chatting with Adam Boileau in just a moment about all of the week's cyber security news.
And then we'll be hearing from this week's sponsor.
And it's Toni de la Fuente, who is the founder of Prowler.
Prowler is, I guess, like, what do you call it?
It's an open source cloud security platform that you can do a bunch of cool stuff with.
And they have just added support for like M365, M3,
Entra, like sort of SaaS scanning, as well as infrastructure as code scanning as well.
So, you know, Prowler is just really becoming that one-stop shop where you can get a view
across all sorts of stuff, whether that's like AWS, GCP, and Azure misconfigurations
all the way through to Entra, M365, you know, exposed OneDrive files, bad infrastructure
as code code, and yeah, all sorts of stuff.
So Toni's joining us a little bit later on to walk through the latest feature releases
for Prowler, which is of course free and open source. But Adam, let's get into the news before we do
all of that. And yeah, there's a fair bit going on this week. The first thing we're going to talk about
is Memory Integrity Enforcement, which is a new, I guess, would you call it feature of Apple devices.
They've just published this huge blog post about how they're going to, uh, you know, change their
operating systems, iOS I'm guessing, in particular, to make them very, very resistant to memory
corruption exploitation. And from, as best I can tell, everybody says this stuff is really
quite comprehensive, really well put together, and it's going to get a lot harder to write
exploits for Apple devices. Yeah, this is definitely some really good work by the security
engineering team over at Apple. They kind of looked through a bunch of the exploit chains that
they've, you know, they've seen in the being used in the wild and kind of worked up, like
given that we control the hardware stack and the compilers and memory allocators and all the
components of that system, you know, how do we build best in class exploit mitigation for memory
corruption? And they've come up with, I guess it's sort of an extension of an approach that
the Arm CPU architecture people came up with which kind of tags memory based on its purpose
and then requires you to access memory using that kind of like same tag value. And that kind of means
that buffer overflows, where you're writing into a bit of memory that doesn't have the same tag,
or use-after-frees, where you're reading, you know, reading or writing to memory that has been
changed since you originally got it. You have kind of tags that are out of whack. And then
the whole system kind of builds on that primitive and, you know, across Apple's toolchain,
you know, ends up being, you know, pretty comprehensive memory corruption kind of set of mitigations.
And part of it is changes to, they've already been
building secure memory allocators into the operating system and into the compilers for a while.
So there's some changes to those.
There is some support from, you know, kernel things.
And then also some support in hardware.
So they, Apple, had a big product announcement.
They released the iPhone 17 corresponding Apple silicon chips.
So there is some hardware support for this.
Because one of the big problems with mitigations we've seen against things like speculative
execution and other, you know, memory misuse things is that
the performance cost of the mitigations is unworkable, too much.
So through a combination of controlling the whole stack,
they're able to kind of tune which bits need the really expensive mitigations.
For example, they separate out allocations that are big enough
to have kind of page level memory controls for ones that require inside page controls
and they can kind of do a bunch of smart stuff.
You know, net result of all of this is everybody in iOS is going to see,
and presumably the rest of the Apple ecosystem will follow,
we'll see some improvement to defence against memory corruption attacks,
but in particular with the latest hardware, you'll get even more.
So, you know, pretty great work.
And like, they've been working on this by on a long,
you know, they've been working on this for a long time,
according to the blog post, they say, many, many years.
And what's really interesting to see is that they've kind of closed that feedback loop
between the people who are doing exploit dev and research
and the people who are doing mitigation research
and then they can walk through the individual chains
and say this particular chain is blocked
by this mitigation at this step.
And not every step of every exploit is going to be blocked,
but you only have to break one step in the chain
and then also ideally break them in a way
that renders the whole chain unusable
because then friends of ours who write exploits
will be having a bad day at the office
and that's generally a good day for everybody else.
Yeah, so speaking of those friends,
I reached out to a couple of them this morning, actually, and I said, is this a big deal?
And they all replied with a single word answer, which was yes.
And then I said, can you come onto the show to talk about it today?
And they're all very busy.
I don't know if it's related to this.
And they've got to go brief a whole bunch of clients.
But either way, yeah, this is apparently a big deal.
We've seen Apple do this sort of thing previously where they introduce a powerful new, you know,
memory corruption exploit mitigation.
It seems though that the exploit writers will always find a way around these things,
but the costs just go up every time.
So I'm guessing this is going to be another case like that,
where for the people who are purchasing exploits, targeting iOS,
you know, everything just got a lot more expensive.
Yeah, yeah, I think so.
Like anything that raises the cost is going to help.
And, you know, Apple admits in the blog post that there are, you know,
there are some things that are very hard to defend against within the constraints that they've got.
They talk, for example, about one of the variants of Spectre,
side channel execution stuff, where, like, they really can't easily, like, 100% mitigate it, but they can
make it statistically more expensive. So, like, it takes, you know, a whole bunch more tries, and every step
of the way increases the chance you're going to get snapped. So there's costs you can impose both,
you know, at an ecosystem point, if you're, like, making exploits, end-to-end exploits, you know, zero-click,
whatever, really expensive, but also costs for individual components of these kinds of exploits and the
technical aspects. So they are imposing a whole bunch of costs on a whole bunch of people and yeah,
it's great work. Well, you know, it's funny that they've done all of this because really,
according to Venezuela's president, Nicolás Maduro, we should just be using Huawei phones because
he did a press conference and I love this. He did a press conference on Monday and he showed
off a Huawei smartphone that Xi Jinping himself gave to Nicolás Maduro and he said,
"The Americans can't hack it, neither their spy planes nor their satellites." So there you go.
I did not know that the Americans hacked smartphones with spy planes and satellites. I just would
have thought you'd use the internet. What do we know, right? What do we know? Maybe the NSA, you know,
or Cybercom, maybe they have some amazing planes, you know, just loaded full of amazing exploits that
they can throw out the window or out the bomb bay onto, you know... The exploit express, that sounds
pretty good. That sounds pretty good. I don't know whether he was just talking about this phone
as in it was a special one that Xi Jinping gave him that's like surveillance resistant. But I also
think that's pretty funny when like, you know, the Chinese president gives you a phone and
you're like, this one can't be surveilled. It's like, bro. You know, the MSS is examining every
single keystroke of that device. But anyway, that's just some cheap laughs there. Now we're going
to talk about a big story that's broken over the last few days,
which is 18 extremely popular NPM repos got hacked and then a really dumb payload inserted into them
that was designed to steal crypto and the attackers behind this got away with like, you know, a few hundred bucks kind of thing.
It was a, it fell pretty flat.
Now, instead of you and me just talking about this, you know, we've got, we've got Feross Aboukhadijeh
joining us just for a few minutes to talk through this. Feross,
of course, runs Socket, which is a company focused on supply chain security around things like
compromised NPM repos and whatnot. They have sponsored Risky Business in the past, not currently
a sponsor. That's not what this is. This is not a sponsored segment. But Feross, thank you for
joining us. My first question, I guess, is, is this a big deal? Because depending on who you ask,
this is either the end of the world and the planet's, you know, melting or it's really not a big deal.
Which is it? The answer is it depends. I think I see it both ways.
On the one hand, this is by download count, probably the biggest supply chain attack that, you know, has happened in the NPM ecosystem and maybe, you know, even beyond that.
We're talking two to three billion downloads per week in the affected packages.
On the other hand, the impact has been like pretty disappointing, I'd say.
Like the attackers managed to snap up about $500 worth of Ethereum and maybe $50 worth of some other miscellaneous cryptos.
So, you know, somewhat of a disappointing, you know, performance for having, you know,
they had access to everything and this is what they did with it. So it's, you know, I don't know,
somewhat, somewhat disappointing. You sound like me and Adam when stuff like this happens when
we're just like, oh man, they could have done so much more with this. You know what I mean? They're
very, very sort of disappointed in them. I mean, I guess one of the positives here is that this thing
was detected like extremely quickly and shut down extremely quickly. So we've seen a lot of headlines
about how these packages get two billion downloads a week. But I mean, do we, do we have any
idea of how many downloads these packages received while they were compromised?
You know, you can generally make some assumptions, but NPM statistics aren't very fine-grained here, and they also don't update in real-time, so you have to do your best and really just extrapolate it out.
So in this case, the package was, you know, live for, you know, on the order of like an hour.
So, you know, we're talking about, you know, in the hundreds of thousands or maybe tens of thousands of downloads.
And so that's the part that's kind of interesting is we might actually see that, you know, like long-tail effects of this over time as this package might be cached in folks'
Artifactories or even, you know, in local caches. And they, you know, so they still could go
out into, you know, a production build of a piece of software, you know, over the next several
days or weeks. So folks really should actually search through their dependency inventories and make
sure that they're not using the affected versions. There still could be impact of this, even though
it's been taken down from the registry. Now, I believe this is part of a broader campaign that's
actually been going for a couple of months, or it has similarities to a broader campaign that's
been going the last couple of months. What can you tell us about that?
Yeah, so, you know, the technique used by the attackers here was a phishing email that impersonates NPM.
So it looks like it's, you know, asking you to set up some 2FA on your account.
Socket actually wrote about this about two months ago back in July when one of the engineers on our team received a phishing email.
And what was interesting about the phishing email was it came from actually a legitimate domain that NPM uses, NPMJS.org.
But they actually use NPMJS.com to send emails.
And so they didn't set up DMARC or any of the other email security headers on the dot-org domain.
And so an attacker was able to kind of send an email from this legitimate domain, and it got through because DMARC wasn't set up.
So one learning there is, folks, you should set up DMARC on all domains that you use, even the ones you don't send email from here, because that's how it was able to get through.
And that ended up affecting a couple of packages about two months ago.
So Prettier was a big one, a big style kind of code formatting tool.
And then the other one is, you're going to love this, a package called is.
So what this is is a type checking library.
It tells you, is it a number?
Is it a string?
But yeah, you'd think this should be part of the JavaScript language.
It's kind of a basic bit of functionality.
But unfortunately, you know, JS is one of these languages that has been around for 20
years now and the rule is don't break the web so they can never delete things or change things in the
language. They can't go back and fix mistakes. And so, you know, this is quite a popular library and
it was one of the ones that was backdoored. And it's basically there to kind of create a bit of a
better developer experience for folks who want to do type checking, which is a common thing.
So just one more question. When you talked about how these phishing emails shared similarities and
whatnot, do we think it's the same group of people who've been doing this for a couple of months and
this whole thing's just sort of culminated now, or it's just word got out that you could sort of
do this email sending? I think word got out. They're using similar techniques, but it's a different
payload over the course of the last two months. So the thing they do is when you click the link in the
email, it takes you to a full proxied version of the site. So everything about the site looks the
same and they're just transparently proxying through to the real site. So you get the 2FA code
and everything. Everything works as it's supposed to. And so, you know, it's interesting that
you know, it does seem like this has been picked up by folks and we're seeing a lot of different payloads now using the same kind of initial phishing email hook.
But they're very disappointing payloads, as you pointed out, right? Like, everybody's very disappointed that someone managed to get all of this access and then just deploy something so crappy.
Adam, I got a question for you. If you were going to, you know, so clearly you do something like this at this sort of scale, you're going to get snapped pretty quickly. Like, as we found out, these packages were live for like an hour, the malicious code was live for like an hour. If you wanted to pivot your access
from like being able to own these NPM packages
and pivot that into some sort of persistent access,
how would you actually go about doing that?
I mean, you could do something really dumb,
like, you know, popping up, you know, unsigned malware
into people's browsers for downloads and whatever.
Like, that's one way you could go,
but there must be a more elegant way here.
What would it be?
I mean, the answer is you need to be subtle, right?
When you're doing something at this kind of scale,
you can't do anything obvious
because it only takes one person to start pulling
on the thread. And like with that backdoor, what was it, the Microsoft guys found in, was it
Postgres? No, it was in SSH for Postgres. Yeah. I'm like, yeah, that's, you know, you kind of want to be
subtle like that. Well, that's still got detected very, very quickly. It's still got detected. So, like,
you need to be real subtle. If you were subtle, like Adam's saying, and you, uh, and you waited for,
um, I mean, the thing that these attacks, they're doing wrong is they're not subtle. They do
things like, like try to shut down the system or try to remove your files or they do all this
noisy stuff, if you were just a little bit subtle and then you could get away with this
being in the, you know, out there in the wild for even just like seven days. We saw that with
an attack. The first attack that turned me on to this whole thing was event-stream in 2017,
and they were able to persist for about seven days before they were caught. And that meant
that the package got built into some real desktop software that was using Electron and it got
shipped out to users. And so I think that's the thing they're doing wrong is they're just getting
caught in an hour. So I don't know if that's, that would be somewhat persistent because now you
have literally built artifacts that are signed that are out there for users to install that they've
put on their systems that are backdoored, right? And that's what these folks are doing wrong and
what we're getting really lucky with is they're just being super noisy and super kind of childish
about what they do when they get when they get access to these things. All right. Well, Feross
Aboukhadijeh, thank you so much for joining us for a quick chat about all things NPM supply chain.
Always good to see. Cheers. Glad to be here. Thanks.
Now, Adam, we're going to stick with the theme of supply chain.
Now, just for a moment, you know, last week we were talking about this Salesloft breach and the Drift AI and whatnot.
People who are unfamiliar can go back and listen to last week's show.
But in essence, what happened is someone stole a bunch of OAuth tokens, I guess, from Salesloft.
And the interesting thing was there was no detail on how Salesloft itself was breached and these tokens went missing.
Mandiant has some answers now, according to this piece by Cybersecurity Dive.
Yeah, so it turns out that
the GitHub account of Salesloft got itself compromised, you know, a few months back.
The attackers spent a while, you know, kind of learning what they could from that
before eventually starting the journey that led to them breaking into Salesloft systems
and helping themselves to OAuth tokens and onwards to great victory.
So we, I think we speculated at the time that that's kind of what it felt a bit like,
but it's nice to have that, you know, kind of have a timeline for it.
And, yeah, once again, just, you know, GitHub account access leads your whole.
onwards into the depths and, you know, steal the great many things.
Yeah, so what would that look like, a pivot from GitHub into internal?
I mean, you don't even need to go internal.
You just need to affect their apps in some way.
They get them to spew out the tokens, right?
Yeah, and it may be a case that, you know, that Git may have been the source for code
that was being built, so that would have been pulled into a build system.
That build system's got access to key material and whatever else.
Or it may have been, you can modify it supply chain, or it may have been something else.
We don't really know the nature of
that particular GitHub repo, but whatever it was, it was enough to give them, you know,
presumably key material or some other kind of access onwards into systems, you know,
that then had access to production environments with real key mat and, yeah, good time.
Now we're going to have a really annoying discussion about what is an 0day.
Jon Greig over at The Record has reported on this one.
CISA has issued an order asking federal agencies or ordering federal agencies to patch a bug.
They're calling it a zero day in something called Sitecore, but this is,
First of all, what is Sitecore?
And isn't this just like a hard-coded key or something?
Yeah, so Sitecore is like I guess a content management system for like building enterprise
apps.
So like quite big e-commerce, you know, big enterprise apps use it as a framework to build
their things.
It's in turn built on top of Microsoft .NET.
And the crux of this vulnerability is that the installed documentation for Sitecore
had some example key material in it.
And normally when you deploy a .NET application,
one of the things you have to configure is the,
they call it the machine key.
Essentially, it's a piece of key material that's used to encrypt the cookies
that are used by the .NET Framework.
And if you know that cookie, you can craft a cookie.
So if you know that key material, you can craft a signed cookie,
and that signed cookie is a serialized
.NET object.
So in the process of normal operation, .NET apps deserialize data from,
that came back from the user and rely on this machine key
to secure it against tampering.
You can tamper it, by design you get code exec, which, that's a whole other, like, what kind of
design choice is that? But we'll leave that one aside for now. Um, so the Sitecore documentation,
uh, had some example keymat back in, like, I think 2017 and prior is what their advisory said, and
some customers copy-pasted that into their configurations and rolled with it live.
I mean, it's hard to know who to blame because sadly it is kind of foreseeable that that would
happen. Well, yeah, it is. And I actually tried to rummage up the documentation from the time to
see how strident it was about, you know, you needing to do this properly and this key material
being really quite important. Because I can't imagine that the documentation said, if you do
this, if you don't make this unique, you will get remote, you know, pre-auth remote code
exec against your systems. And probably said you need to configure key mat. Here's what it looks like.
That's, and the interesting thing is that in .NET deployments, like, if you have a single,
like a single server instance, generally it will auto-generate it and it's stored in the Windows
registry and you never have to think about it. And if you use a cloud deployment, so, um, Sitecore
proper, like, it has a service version, then they take care of it. The middle ground is if you have a
cluster, like a high availability system, they need to all have the same machine key available to them
so they can share requests, and at that point it's up to the customer to set it and manage how it's
stored and whatever else. And if you're in a, like an AWS or in an Azure environment,
you might put it in the key store in those platforms. But if you're just running it on bare
Windows boxes by yourself, everyone's just going to stick it in the web.config file. And then those
config files get put into Git and onwards and, you know, that key material loses its magic
value of remote code exec. So, you know, there's a lot of pieces in this puzzle that lead to
the situation that we're in. And honestly, none of them is zero day. But everybody's a little bit
at fault here, because everybody played their part in this really ultimately footgun design
of the system, which, yeah, what did we learn? What did we learn, Adam? What did we learn? We learned
that the documentation should be clear when there is a security critical setting, I think,
is the main thing. I think it's funny. I mean, they're talking about patching it. There's actually a
patch. Is it a patch or are they just using patch as like a term of art here? I think they're using
patch as like, you can fix it by setting your own keymat. Yeah, right. Okay.
That's not really what patch means, but, you know, words.
What are they, why do they even have meanings anymore?
I mean, we are in the post-truth world, so why do words even, you know, meanings don't matter anymore?
Yes.
Patch your duplicated keymat by not using duplicated keymat sounds like a good plan.
And we've got some absolute lol bugs going around in SAP, SAP NetWeaver or something, the ERP.
I don't even know, I don't know SAP very well, but apparently there's a CVSS 10 out there
being exploited. So that's fun. Yeah, there's actually a bunch of them. So, uh, SAP make generally
enterprise resource planning products. Uh, SAP NetWeaver is their web server component that a whole bunch
of the products run on. Uh, some of the bugs are in NetWeaver itself, some are in applications that run
on top, but there's like three or four 10 out of 10 CVE, you know, CVSS bugs, um, on the list that got
patched, and there was another one that was being exploited in the wild that was patched I think a month
ago. So it's not a good time because these systems are generally pretty serious business. I expect
that probably people are just running crypto miners on them and getting, you know, four dollars worth of
free money out of these giant enterprise platforms. 50 cents in Monero, woo. Yeah, exactly. So, um, you know,
in that respect, probably better than what you could do with access to these systems. But yeah,
SAP stuff is, is, it's real, like, I've been inside a bunch of SAP systems over the years. It's hoary and
nasty and just like it's a thicket of dirty deserialization nastiness.
And I think one of the tens is a straight up deserialization bug again because
it's a bug class we just love to use.
Yeah.
And I should point out that Adam was saying hoary as in H-O-A-R-Y.
Oh yeah, yeah, true.
Just in case anybody had a reaction there.
All right.
We're going to chat about something that happened last week.
CA, I think what were they?
Croatian.
CA, Fina CA, they pumped out a whole bunch of TLS certificates for 1.1.1.1, which is Cloudflare's
encrypted DNS service. I mean, I guess my question here would be why would someone try to, I don't
even know if this is malicious, you tell me, but why would someone try to obtain TLS certificates
for 1.1.1.1 to use, like, what would be the malicious use there? So, I mean, the malicious use
would be that you could man in the middle
DNS over TLS or
other encrypted DNS options.
The why I think
is as dumb as they were just testing stuff
internally and 1.1.1.1 is a super
easy address to type because
the CA has said that they have the private
key mat, which if it was a customer
getting them to issue it, they wouldn't
have the key mat. So they said they had stored it
internally, it sounds like
it was just testing certificates and it went
through their process. It ended up in the certificate
transparency logs, which is good.
But yeah, I think it was actually that dumb,
and probably no one ever had these in the wild and used them.
We are just taking their word for it, though.
So, like, it may be that they actually issued it for some nefarious purpose,
but the reality is probably Occam's Razor is on the side of dumb.
Yeah, I mean, that was my reaction here.
I did not know the subsequent reporting that you just mentioned
that they had discovered that they did this internally,
which was, yeah, probably just a test run.
But, you know, I think we're in a position where, you know,
Because I was thinking, okay, say you're doing a malicious certificate, what, you want to, you know, be adversary in the middle, swap out an IP for a domain you're targeting, what, for a software update or something?
I mean, that doesn't really work these days because people sign their software updates, but you'd hope.
You'd hope, right?
And if you're going to do something mega, like, subtle, you know, and targeted and whatnot, you're probably not going to pump out, like, a whole bunch of certificates that are going to be immediately spotted in cert transparency logs.
So, yeah, it feels like, I don't know, it sort of feels like progress in a way.
where something like this happens
and it's just, yeah, someone like
just doing something dumb
instead of it being a malicious thing
which is what it would have been a few years ago.
Yeah, and it's also useful
because Cloudflare has definitely learned
a few lessons about how close an eye
they keep on the CT logs.
There's a few other bits and pieces of,
you know, anytime one of these things happens,
the process of thinking through what does it mean,
what could they have done,
how would they have done it?
You know, it leads to improvements
for everyone else's,
everyone else's infrastructure.
And I think, you know,
one of the things
the story is brought into focus is Microsoft's lack of curation of its root CA list because this
root CA was only trusted by Microsoft, which, let's face it, that's quite a lot of the planet. Well, I
remember when we were doing the, um, doing the Risky Bulletin rate of this, I was talking about this.
It was like, I think it was Catalin said, well, they're only trusted by one browser maker.
And I'm like, oh yeah, which one? He's like, Microsoft. And I'm like, well, that seems kind of newsworthy.
You know, that's the, that's the important one really.
Yeah, so maybe Microsoft will take a few lessons and be a little bit more active in how they curate their root CA store.
Like in one of the things that Mozilla's stewardship of it and Google's stewardship of their respective stores,
they're pretty aggressive about stomping on people that are being bad CAs.
Well, they were way too permissive.
Way too permissive back in the day, right?
So it was actually kind of controversial when they started booting people out.
But, you know, yeah, I think there's, I mean, still, if you take a wander through, like, who's trusted, it's, it's,
it's still pretty wild, man.
There's some dodgy-looking stuff in everybody's root stores,
and it does not make you feel good.
No, it doesn't.
All right, so moving on,
and Alexander Martin has some reporting for The Record on this,
and there's reporting everywhere on this,
because this is probably the most consequential ransomware attack
we've seen in a while,
which has been targeting Jaguar Land Rover.
Now, that's the same company that make Jaguar vehicles and Land Rover vehicles.
Jaguar's not really being produced at the moment.
They are retooling and developing a whole bunch of new models
that will come out sometime in the future.
I'm a car guy, I've mentioned that before on the show.
This is how I know these weird things.
But yes, look, Land Rover is obviously a very large British manufacturer of vehicles,
you know, mostly SUVs and four-wheel drives and whatnot, you know, Range Rover and the like.
And account for something like 4% of all goods exported by the UK every year.
So, you know, it's getting to the point where they've had to stand down enough of their workforce
that this could even turn into like this could actually have a measurable economic impact on
the UK economy, which is crazy.
Yeah, we've seen some reports that, like, staff are being furloughed at downstream
suppliers, upstream vendors, I guess, upstream suppliers from Jaguar Land Rover.
So, like, you know, it's a pretty, I didn't realize quite how significant.
I think one of the numbers we saw was, what, like roughly 4% of exports out of Britain
last year are Jaguar Land Rover products, right?
That's pretty significant.
And I think, you know, this is, I don't know if we've seen any attribution, but it certainly
feels like it's just the Com, Scattered Spider, Lapsus$, you know, the bunch of kids doing it.
And, you know, they bit off a pretty big British properties with Marks and Spencer and so on recently.
But this one's kind of a next level up again.
And if they are asking for attention from the British security services, like, this is how they're going to get it.
Like, they're kind of getting off the end of law enforcement into, like, they're going to have some real trouble if they're causing, you know, tens of thousands of people to be without work.
Yeah, yeah, I would imagine so as well. But, I mean, this show, I mean, this shows us that the big game ransomware, uh, still exists. I mean, what will be interesting is to see whether or not the people who did this actually get paid, are actually able to expel the money. I mean, if they're a professional group of Russians, maybe they'll be able to do that. Scattered Spider kidlets, probably not, right? Like, it's just, they are not going to be able to do it if they are trying to commit these sorts of crimes from within Western jurisdictions. Just forget it.
Yeah, they're going to have a very, very bad time if they are. And I think it didn't feel like the world's most competent ransomware, I think, from some of the things we'd seen. But yeah, we don't, we don't know yet, so let's see, as I'm sure the British spooks and police are all over it.
Yeah, one interesting thing to note, I guess, at the
moment is that the United States government is now executing criminals extrajudiciously in foreign
countries which is interesting you saw that they blew up a you know alleged drug boat in
Venezuela, which apparently, oddly, for a drug boat, had 11 people on it. You'd think you would
want fewer people and more, you know, I don't know, drugs on your drug boat. But like, okay,
Trump had designated these things through AIPA as like terrorist organizations, but that
doesn't mean you could just go and kill everyone who, you know, is a part of one of these
organizations. Like, that's not how those designations work. So essentially what we've got is
the United States government murdering people for committing crimes, which I, you know, internationally,
like very, very illegal, I don't think we're there yet for ransomware operators.
I'm just saying that we are in a position now where the United States is on
presidential order executing people for committing crimes without a trial.
So maybe something to think about if you're a ransomware operator.
I don't know, like, you know, if you become enough of a pain in the ass,
at what point are you going to get, you know, hell fired or whatever?
It's a crazy world.
And I know we've advocated with some hound release over the years,
but it's generally not straight up, you know, extrajudicial drone murder.
Yeah.
So there's some middle, there should be some middle ground, you know.
Maybe some middle ground.
Maybe just kneecap them.
I don't know.
Tell them not to do it again.
Turn their computers into a bomb.
Apparently Bridgestone, too, is having some ransomware trouble,
but they are recovering.
I mean, you know, it's so often the arc of these stories is like,
you see a story pop up saying, oh, there's been an incident, but they're recovering.
And then a week later, you know, no one's talking about it anymore.
Or you see, like, Marks and Spencer was one of them where, oh, we've got a little problem, just a little problem.
You know, it'll be fine.
And then like two months later, it's like, you know, where it's amazing that we'll, if we're even able to survive this sort of thing.
But, yeah, Bridgestone, which is Bridgestone, which is the American, you know, of Bridgestone, which is a Japanese company.
They've been having some trouble and restoring.
Another one from John Greig, writing about events close to home for me.
Qantas had that data breach some time ago and their executives have taken a bonus haircut despite
record profits. So I guess is that what accountability looks like?
I mean, I guess it's non-zero accountability. And, you know, I think, you know, compared to "we take your privacy and security very seriously, have some free credit monitoring," I feel like, you know, $250,000 bonus cut, you know, it's not nothing. But on the other hand, I think it's, what, like 15% of their pay. So maybe it's only 15% of their bonuses, I don't know. Like, it wasn't, it's, it's not a lot, um, when you put it in context like that. But hey, I mean, I guess, you know, the fact that the board is making the execs take at least some financial penalty on this is a good thing. And honestly, like, as breaches go, this was far from the worst.
Yeah, exactly. It was like a third-party thing as well. Um, so my guess is this is optics. Qantas bonuses have been controversial in the past, when they're like taking the money that would buy new airplanes and just putting it in the pockets of the executives. I don't know, man. So I don't think a 15 percent, um, you know, it's not going to hurt him, let's put it that way. They're doing, uh, they're doing well. And Qantas is an interesting one, right? Because, you know, most national carriers have some sort of subsidy. Qantas, the way they've done it with Qantas, it's very different. It's an indirect subsidy, which is all federal government travel is through Qantas. That's how they get their subsidies. So they basically charge the federal government whatever they want, um, for tickets, and that's how they, uh, they stay a nice and fat national carrier. And, uh, who pays for that, Adam? Uh, that's right, me and my fellow taxpayers, my friend. Um, but, you know, I'm glad they gave up a couple hundred K each of their massive bonuses. That's wonderful.
Now, uh, will they or won't they split out the Cyber Command and NSA roles? Apparently, like, we do, we have not had a director of NSA for a while. Well, the United States hasn't had a job, I'm not American, but the United States hasn't had a director of NSA for a while, since they fired the last one because a very online right-wing influencer apparently didn't like him. So we'd be waiting for a replacement to come along, and there's been a question mark as to whether or not they would split the role. One advantage to the Trump White House of splitting the
role would have meant that he could appoint a civilian into NSA leadership because the reason
it has to be a military person is because it's a dual hat role with Cyber Command, which
is military.
It looks like that's not happening this time around.
And indeed, I think we've even got a frontrunner for the position.
Yes, it sounds like Army Lieutenant General William Hartman is the name we've talked a couple
times, I think, as an option for this role.
So it sounds like he has done the necessary maneuvering and so on around.
DC to get everyone lined up behind him.
And yeah, it seems like the idea of actually having to split up NSA and Cybercom at the head
just proved too complicated.
It would have taken, you know, years, it seems, to, you know, tease them apart in the first place
and then build a new structure to replace it.
And, you know, I guess the Trump administration doesn't like thinking that far ahead anyway.
So I guess, you know, we will be back to dual hat normality,
assuming this guy does make it through the process
and doesn't get thrown out at the last minute
like some of the other nominations
in that administration.
I think what is it the new Sissar guy
was doing a talk somewhere where he was talking about
how they need to radically embrace
Trump's America first policies
but for the internet security or something.
I don't know, it was very strange
but I figured that's like just him
trying to say the right things to keep the boss happy, right?
Because I don't know, what is it America first?
I mean, it's already an America first internet.
Like most of what we use on the internet's American.
Like, how much more America first do you...
Anyway, maybe they're going to start tariffing our packets.
What do you think?
Don't give them ideas.
Now, actually speaking of...
This is straying into something almost political, I guess.
This is the stupidest story I think we've ever covered.
I'm not even going to try to explain it.
You just take it away, Adam.
Oh, dear.
So the U.S. Federal Trade Commission sent a letter to Google complaining that Google
preferentially spam filters Republican fundraising emails and that that's undue influence in the political
process and they're trying to use their, you know, leftist woke agenda to, you know, tip the scales of U.S. politics.
The actual fact of the matter seems to be that the organization that does Republican fundraising
acts way more like a spammer
than the organisation that does Democrat fundraising
and they've ended up
on all sorts of spam lists, spam block lists
because of the way they send email,
the volume of email that they send,
the way that their unsubscribe processes
don't work so well.
So they look like spammers
and so they get put in the spam folder
and the FTC I guess in this administration
feels like it needs to do something about this.
And I don't know.
Presumably Google will just tell them to knob off
and that would be the end of that, but...
They'll probably adjust their filters, man.
It's a letter from the FTC, right?
And, you know, fine.
I mean, if I'm them, I just adjust the filters.
You know, I spin up an allow list
for the big orgs that are sending this sort of stuff
and then I don't hear from them anymore.
You know, but it's so dumb.
It's so dumb.
It is. It is so dumb.
They are censoring, censoring the internet
with that pesky spam filtering
that's getting rid of spam.
Now here's a fun one that Catalin reported on in the Risky Bulletin newsletter, which is the state-owned oil company in Kazakhstan.
There were reports that some brand-new Russian APT had targeted this state-owned oil company and was like, you know, doing all sorts of bad stuff.
Turned out it wasn't actually a new Russian APT, Adam.
Yes, KazMunayGas.
They came out and said, actually, this was us.
This was a regular phishing test that we were running, and it just happened to look like a Russian APT was targeting us, because that's kind of how you want the phishing campaign to go.
So this Indian firm Seqrite, I think, found a zip file, you know, in VirusTotal.
And they pulled it apart and looked at it.
And they had some targeting information, had some related infrastructure.
The infrastructure was in like a sanctioned hosting provider in Russia.
It had a bunch of like open-sourcy, you know, like a PowerShell post-exploitation and bits and pieces.
And they said, yeah, this looks like an attacker, wrote it up.
And, you know, I kind of, a part of me feels like whoever put this phishing campaign together for the oil and gas company, like, clearly they did a pretty good job, as kind of an attaboy. Like, you know, I know when, back in the Insomnia days, you know, when we had our stuff show up in people's threat intel as a, like, this looks kind of nation-statey, we're like, hell yeah, we did a good, that's a good day around the office. So I guess, you know, I don't know whether this was in-house at the gas company or whether they, you know, had an outsourced company do it, but whoever did it, like, I guess, good job.
Yeah, I mean, that's either the case that they did a really good job,
or they've made up the story about it being a phishing test
because they don't want people to know they're being targeted by a Russian APT group.
You never know.
Yeah, you never know.
So we're going to wrap it up there, but I just want to mention something real quick,
which is I had a ticket to the United States booked a business class ticket,
thank you very much, to travel to RSA earlier this year.
Obviously, I had to cancel that trip.
It's a non-refundable ticket, which I didn't know when I bought it.
And to the travel agents, like, no problem, we can change the name on the ticket.
We'll just wait for someone else to buy a business class return ticket to the United States.
The problem with that is travel from Australia to the United States has cratered.
People are just not really traveling there like they used to, and they have not been able to onsell the ticket.
So if you, dear listener, in Australia, would like to buy my business class ticket to America.
You can use it between now and January sometime, I think.
You know, if you want to go to the US, I can, you know, I can do you a little deal on my business class ticket with United. Let me know. Contact me, I guess, by LinkedIn
or Bluesky or whatever. But, mate, we're going to wrap it up there. That's it for the week's
news. Thank you so much for joining me and we'll do it all again next week. Thanks very much, Pat.
I will talk to you next week.
That was Adam Boileau there with a check of the week's security news. Big thanks to him for that.
It is time for this week's sponsor interview now with Toni de la Fuente from Prowler.
Now, Prowler is an open source cloud security platform.
So if you want to find, you know, misconfigurations in AWS, GCP, Azure, it's very, very good at that.
It can also do automatic remediations like all of the checks and remediations are like Python.
It's very, very cool.
You can run it online or you can even use a command line utility if you don't want to just throw highly privileged creds into an online platform to get it to go and remediate stuff.
just run it off your laptop.
So yeah, Prowler is very cool.
They've just added a whole bunch of new stuff though,
which is doing SaaS scanning.
So you can look for misconfigurations across M365,
across Entra.
They're also doing GitHub.
They're also doing infrastructure as code.
So yeah, a whole bunch of new features in Prowler.
Toni joined me to explain why they, why Prowler introduced them, and here's what he had to say.
So we are focused on the most important services from the Admin Center, Defender, Entra ID, Exchange, Purview, SharePoint and Teams, the most important services, looking for, of course, for Entra ID, from, you know, to making sure you are following all the best practices, to not to expose resources, users, to have MFA, from the basics to the most advanced type of security best practices, all the requirements, for example, for SharePoint to not to have exposed OneDrive, you know, resources and to have a proper authentication in place.
So it's almost like, you know, the OneDrive stuff is almost like what you would think of as like an exposed S3 bucket. I mean, ultimately same thing, right?
And I think you and I have indeed had this conversation about how is it SaaS, is it infrastructure, who can even tell anymore, right?
Exactly. When you talk about an attack surface, we always think about RDS database in AWS or S3 buckets. But when you move to the Microsoft ecosystem, there are many other services that can be exposed. And we wanted to be in that party as well, right? We wanted to be able to tell our community, our users, our customers, hey, you have more than this.
Was it easy to do this once you've already got the experience with Azure, was then building like checks for an Azure application or Azure suite like M365 easy?
And I can tell by the look on your face that no, it was indeed not easy.
No, I mean, we started, as you said, we started as an AWS only security tool, but now we are not only multi-cloud providers, but also multi-cloud SaaS, right?
And no, I may say that nothing related to Microsoft is easy at the first try.
Yeah.
I mean, of course, the learning curve is important for everybody.
But actually, we had to develop a wrapper around Clouds, around PowerShell in order to do many different things.
Actually, you have in Azure the Entra ID service and in Microsoft 365, the Entra ID service as well.
And it's not exactly the same way to interact with the same service
through different kind of meta service, you know?
Yeah, right.
So it was like different teams with different priorities
and here's how you wind up with two different Entra ID services.
Is that kind of what happened?
Yeah, yeah.
And also, if you don't do certain things using PowerShell,
you cannot do it, or you have to tweak your own tool.
So we did a wrapper.
Actually, we open sourced that wrapper as well to use Python and interact with Microsoft stuff easier
because in Prowler everything is Python and we want to make sure we can scale, right?
Because Prowler can be run from the CLI, but also from an application from our SaaS
service from Prowler Cloud. So that is like the big challenge, you know, to interact
with our providers with a way, using a way that can scale, scale up.
I mean, I remember like some years ago, one of my big criticisms for the way Microsoft
were handling their business was in order to get information about what applications were
like OAuth into your tenant. The only way to do that back then was via PowerShell, right?
Right. So I think for a while, Microsoft's expectation was, well, we don't need to buy the, you know, we don't need to build the pointy-clicky interfaces for this stuff because that's for the, you know, that's for the third-party vendors like you, right? And then the third-party vendors, those, you know, five, four or five years ago did not materialize. So it turned into a bit of an issue and then they had to do the pointy-clicky. But it does feel like that's always been the way that Microsoft has expected third-party vendors to build security features for Azure and whatnot is just like, get really good at PowerShell.
Yeah, well, the point is, actually, when we released Microsoft 365 integration,
the same week that we released, let's say, a Monday.
And Wednesday that week, they changed the way applications can connect to them.
And we realized on Thursday, so we had to launch a new version with the fixes the following week.
So that is the challenge.
That is the challenge of also adding value using third parties, right?
But, I mean, it is where it is with Microsoft happens.
I don't know if it's because they go very fast or because it's just as it is.
But they are adding more security capabilities that are making the life of third parties not very easy.
Another thing you've been working on is infrastructure as code.
and doing some stuff around, you know, securing infrastructure.
I mean, what are you actually looking at there?
Are you looking at the terraform that companies have?
And are you, like, scanning Terraform looking for issues?
Because, again, this is different to the sort of traditional stuff you've done
around looking at cloud config.
I mean, it's almost like it's a, you know, by the time you're looking at Terraform,
it's like static analysis, right?
So what exactly are you doing around infrastructure?
Are you looking at the actual Terraform or are you looking at what the
Terraform does after it's done it.
So something that we have seen in this open source cloud security world is that
we can take advantage of multiple tools to solve multiple problems, right?
Like, Prowler helps many companies fixing the runtime cloud, cloud runtime security, right?
If you have something running in the cloud, Prowler can see the security status of those
resources, but at the same time, people come to Prowler because they want to make sure
their cloud overall, in general, is secure. So we realized that we had an empty spot on the
developer, pure developer side, on the left-hand side, right? So we wanted to add support for
GitHub. So if you are a GitHub developer, you have GitHub, your code, your cloud code, or whatever
other code is on GitHub, we want to tell you, hey, this is secure, this is not secure,
in terms of security best practices around your repositories, organizations, etc. With that done
in Prowler, we have multiple checks for that. By the way, everybody can see everything that we do
in hub.prowler.com. We call it Prowler Hub. It's our knowledge base of checks, the central
of knowledge of our checks and compliance frameworks.
With having that in mind, the GitHub support, we said, okay, now let's use, for example, we have underneath Trivy, Checkov, and other open source tools underneath Prowler now in order to bring that service, right?
So what do we do? We can scan either locally or remotely in a Git repo, whatever Git repo you use, the Terraform.
So you can plug into a Git repo, find the code, and then you can throw another open source tool at it and say, is this, is this suicidal? Yeah.
GitHub Actions, secrets, Terraform code, CloudFormation code, all that best practices now can be done with our IaC provider in Prowler as well.
So we are adding more and more providers, like we are planning to add an LLM scanner provider as well in order to scan
LLMs for the most common security issues in LLMs if you are doing your own or scanning
third-party LLMs. And also, you know, the cloud is, when it comes to AI, you say, okay,
AI is cloud security as well because AI has resources content right that is in the
cloud data that is in the cloud it has APIs and those APIs are
mostly in the cloud as well, right?
So you have to secure those APIs as well
that are built with, in many cases,
with other cloud security cloud providers.
And GPU.
And where is the GPU?
Unless you want to buy your own and have your own data center,
the GPU is in the cloud as well.
So securing AI is securing the cloud.
So that is something that we can do as well with Prowler.
Actually, we are releasing our very comprehensive
MCP, where you are going to be able to do pretty much anything with Prowler using our MCP,
from creating new controls to configuring Prowler as well, and running scan, pulling scan,
creating your custom reports, everything, because everything that we do is in an API as well.
So it's kind of a straightforward.
I've taken to saying recently on the show that, like, if you're not doing that sort of thing
with your security product now, you know, you're going to get left behind. You know,
especially any product that's trying to do something, you know, diverse and complicated like
this, touching a lot of systems in a lot of different ways. Like you can't, it's, it's ripe
for this sort of thing. When's that coming? Actually today. So today is going to be released
in our GitHub repo. That is where you can go to prowler.com and find our link to
GitHub and today is going to be released.
We are doing that actually today.
And by the time that this is going to be published, it's going to be out for sure.
Yeah, excellent.
All right, Toni de la Fuente, fantastic to chat to you, my friend, about your march towards
world domination.
It's always good to see you and we'll catch you again soon.
Thank you, Patrick.
That was Toni de la Fuente from Prowler there.
Big thanks to him for that.
And that is it for this week's show.
I do hope you enjoyed it.
I'll be back real soon with more security news and analysis.
But until then, I've been Patrick Gray.
Thanks for listening.