Risky Business - Risky Business #807 -- Shai-Hulud npm worm wreaks old-school havoc

Episode Date: September 17, 2025

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:
Shai-Hulud worm propagates via npm and steals credentials
Jaguar Land Rover attack may put smaller suppliers out of business
Leaked data emerges from the vendor behind the Great Firewall of China
Vastaamo hacker walks free while appeal is underway
Why is a senator so mad about Kerberos?

This week’s episode is sponsored by Knocknoc. Chief exec Adam Pointon joins to talk through the surprising number of customers that are using Knocknoc’s identity-to-firewall glue to protect internal services and networks.

This week’s episode is also available on YouTube.

Show notes
Self-Replicating Worm Hits 180+ Software Packages – Krebs on Security
Jaguar Land Rover: Some suppliers 'face bankruptcy' due to hack crisis
Jaguar Land Rover production shutdown could last until November
U.S. Investors, Trump Close In on TikTok Deal With China - WSJ
How China’s Propaganda and Surveillance Systems Really Operate | WIRED
Mythical Beasts: Diving into the depths of the global spyware market - Atlantic Council
Hacker convicted of extorting 20,000 psychotherapy victims walks free during appeal | The Record from Recorded Future News
US national charged in Finnish psychotherapy center extortion | The Record from Recorded Future News
BreachForums administrator given three-year prison stint after resentencing | The Record from Recorded Future News
Microsoft, Cloudflare disrupt RaccoonO365 credential stealing tool run by Nigerian national | The Record from Recorded Future News
Senator blasts Microsoft for making default Windows vulnerable to “Kerberoasting” - Ars Technica
Exclusive: US warns hidden radios may be embedded in solar-powered highway infrastructure | Reuters
Israel announces seizure of $1.5M from crypto wallets tied to Iran | TechCrunch

Transcript
Starting point is 00:00:00 Hi everyone and welcome to Risky Business. My name's Patrick Gray. We'll be chatting with Adam Boileau in just a moment about all of the week's cyber security news. And then in this week's sponsor interview, we're going to hear from Adam Pointon, who is the chief executive of Knocknoc. And yeah, we're going to be talking to him about how many people are applying Knocknoc's network controls to internal networks. So there are people using it to do external attack surface reduction, but the internal use case has really taken off, frankly, to a surprising degree. That conversation is coming up later, but first up, Adam, we are going to start off this week's show by talking about Shai-Hulud, the beloved sandworm of the desert.
Starting point is 00:00:49 Yes, Brian Krebs has a write-up of this attack against the npm package repository, so some people have uploaded like a self-replicating credential thieving worm to npm. So if you're a package maintainer and you get infected, like you run a piece of this, you run JavaScript that's infected by the software, it will rummage around your system, find whatever credentials you've got, publish them off, you know, to the web somewhere for the attacker to retrieve. But if you have a token for npm and you have some packages that you maintain, it will download those packages, insert itself into them, repackage them and then publish them for everybody else. Uh, so yeah, that's an honest to God, it's an honest to God internet worm, which,
Starting point is 00:01:35 you know, hell yeah, it's been a while since we've seen like those, right? There's like the Samy worm or something, but it's npm. You neglected one important detail here, which is what it does with the secrets when it finds them. So it uses TruffleHog to actually find the secrets and then it actually spins up a GitHub public repo for that developer and just dumps the secrets in it for the entire world to see. Which, you know, why not, right? Why not? And it's kind of a good way of laundering them, I suppose, because you're not directly linked to it.
Starting point is 00:02:08 So that's, I guess, kind of smart in a way. A little chaotic, but smart. Yeah, well, I mean, last week we were talking about, well, what could they have done differently? In fact, I woke up this morning to a message from someone saying, can you please stop giving these guys tips, right? Giving them ideas about how to do, better get persistence and stuff because that was a big part of the discussion last week.
Starting point is 00:02:28 But, I mean, you know, this is, I mean, it's still, it ain't subtle, right? Like, this ain't subtle. And you do wonder how far are they going to get, like doing something like this, if they're actually going to manage to rack off with some crypto. Because I believe it's actually the same people who we were talking about last week that had just done a more manual supply chain attack against npm.
Starting point is 00:02:52 Yeah, like it is, is that? Like, it's kind of chaotic and you, you know, it hasn't gone absolutely wild. And it may still, just because of the nature of this kind of self-replication, you don't really know how wild it's going to go until it gets there. For now, it's kind of calmed down a bit,
Starting point is 00:03:07 but people got onto it pretty quickly. And it seems to, like a number of the compromised packages have already been pulled and so on. Well, you'd also think npm would be able to throttle this, right? Like, once you know what it's doing. Unless the attackers are just constantly playing the detection
Starting point is 00:03:24 evasion game, surely NPM would have some detections in place for this. Yeah, and like there's a lot of things that you can use to spot it and put the, you know, put the brakes on it. And I guess in some respects, this is one of the advantages of centralized repositories is that there is kind of a way to be able to
Starting point is 00:03:40 control this in one place versus a more traditional internet world that's kind of propagating independent of any one sort of central oversight, you know, someone who's in a position to be able to stop it easily. But, you know, it's, you just got about, I'm an honest. I don't want to have to hand it to them, but I, you know, I'm kind of here for the, just, like, the chaos of it.
Starting point is 00:04:04 And, look, man, I mean, we've been doing this a long time and the pace of, like, cool stuff happening has definitely slowed. So I'll admit to being a little bit stoked when I woke up today on a show day and this had happened. I'm like, hell yeah, let's see, this is going to be fun, you know? Oh, we should also mention, too. Apparently, some of CrowdStrike's packages. I don't know what they were using them for,
Starting point is 00:04:22 but they're like, oh, they've got nothing to do with the Falcon sensor or whatever, and everything is fine. I don't know. I mean, that seems a little light on detail there, guys. But yeah, apparently some packages maintained or used by CrowdStrike got impacted by this? Yeah, so like somebody who is a maintainer
Starting point is 00:04:40 has the ability to upload packages to the CrowdStrike's account on npm got hit by this. The kind of, the nature of the bits of code that are there, they're not particularly fancy. They're things like some stuff for integrating with logging and a few other bits and pieces. So like not major parts of their overall ecosystem, but still, it's not a great look when you're a security company like CrowdStrike to have someone supply chaining your code, even if it isn't particularly, you know, super exciting parts of the product.
Starting point is 00:05:09 Yeah, I mean, I think there was, yes, I've just Googled it here. "CrowdStrike Falcon prevents supply chain attack involving compromised NPM packages" is one of their blog entries there. As you say, it's like throwing themselves in front of the bullet. The optics of it just aren't great, right? And it's just, yeah, I don't know. It's just every time something happens that makes CrowdStrike look bad, their response seems to make it look even worse.
Starting point is 00:05:37 But I'll just leave that one there. Let's move on. We've talked about it over the last couple of weeks, but this ransomware attack that is impacting Jaguar Land Rover, look, I mean, some production could still be shut down until November. Some of their upstream suppliers who make, you know, all the little bits and bobs and pieces that go into cars could face bankruptcy. So there's already, you know, I would say premature talk
Starting point is 00:06:05 that there might need to be some sort of government bailout for the automotive industry in the UK. Now, keep in mind that the alleged attackers here are domestic, right? So they're English-speaking sort of Scattered Spider-y, you know, the Com-style kids. They are going to get caught. Like, I mean, I would bet solid money that within the next year, they're getting caught. Yeah, I mean, it was one thing to go after, you know, Marks & Spencer and Co-op and, you know, sort of retail things in the UK. But, I mean, Jaguar Land Rover is a particularly, you know, large part of the British export economy.
Starting point is 00:06:39 And I don't see British authorities, you know, being relaxed or gentle about this. Like, they are not going to let this one go. It's not just kids having fun, right? You know, they are not. So I mean, you know, you certainly got that sort of sense from that, you know, the British part of the Com, that there was a sort of a bit of escalation where they were just going bigger and bigger because they could. And, you know, I think they may be reaching the find out phase at some point soon. I mean, I do find it interesting, though, that the threat actors in this case are homegrown, right? So when we used to see stuff like JBS Meats or the Colonial Pipeline, I mean, this was very much, you know, Russian organized crime.
Starting point is 00:07:17 I mean, I don't think we can infer too much from this, to be honest, but it ties into that bigger discussion we've had in recent months about how gauging the impact of recent counter-ransomware initiatives is actually very, very difficult. We don't really know how much has worked. One thing I will say, though, is I've heard that data extortion is really on the rise, right? Like, that seems to be the crime du jour for a lot of these crews. So I would say that if we convince ransomware actors to get into data extortion,
Starting point is 00:07:48 I would call that actually a massive win. Because even though this is a crime type that's making them lots of money, it's way less disruptive than something like ransomware. It's not going to stop a car maker from being able to make cars, for example. You know what I mean? Yeah, yeah. It is, you know, it's kind of the impact is still bad, but it's kind of more gentle, right? Because, you know, everyone who's got a, you know, your data has been stolen,
Starting point is 00:08:11 you know, kind of privacy notification from some company. You know, once you've lost it once or twice, the third or fourth time stops kind of mattering so much. And that is, you know, even though it's not great, it's still better than, you know, your meat supply chain shutting down or your car factory is not working, right? So the availability impact does hurt more than the, you know, the confidentiality part. Yeah, 100%. I mean, I would say that, yeah, it's a much less impact from these sort of incidents. And I don't think, I would say that ransomware that can shut down
Starting point is 00:08:43 factories and these sorts of things like that is a national security issue. I would say data extortion is not. I would not think that using sort of hound release, uh, against those types of crews, unless we're talking about extremely sensitive, uh, types of data, um, I, I just wouldn't think that's an appropriate use of resources, to be honest. Yeah, I mean, you can certainly see it in the, in the case of, like, you know, medical data or, you know, back when, uh, what was it, the people who did the clearances in the US got, and all of the data taken. But in that case, your hound release might be limited to trying to destroy the data that is in the possession of the attacker. You don't need to do the full disruption, I don't think.
Starting point is 00:09:21 I just think it's a completely different sort of paradigm. Yeah, I mean, the Australians burning down that, you know, bulletproof hosting provider in Siberia or whatever it was to get rid of stolen medical data. Yeah, like you could see that response being, you know, kind of more practical and less, you know, less big, like just kind of smaller scale, which, you know, I guess that's an improvement. Yeah, well, I will just, the last thing I want to say on this, too, is this is exactly why it really gives me the irrits when people conflate ransomware with data extortion attacks. So we've seen, you know, vendors, other media, you know, through things like these file transfer appliance compromises that resulted in a lot of, you know, customer records and stuff going missing. People referring to that as a ransomware campaign, it's not. It's a data extortion campaign and we really need to start making that difference clear because that's going to help us,
Starting point is 00:10:15 you know, form policies and plan for the future and do all of those sorts of things. So, you know, that's just my pet peeve, just had to mention it again. Yeah, I certainly agree. You know, those things were pretty well conflated early on as it started to come in. And then now that distinction is more important because, as you say, the disruption attempts, the things to counter it are different, the way, approaches that we take. So, yeah, they should have different names. Now, we've had some big news relating to TikTok, not strictly a cybersecurity story, but it is one we've covered over the years.
Starting point is 00:10:44 There's been many, many twists and turns, and the latest is that apparently, according to the Wall Street Journal, TikTok's U.S. business could wind up being controlled by an investor consortium that includes Oracle, Silver Lake, and Andreessen Horowitz. And the idea is that the, you know, the Chinese company is going to license the technology to the Americans, but not sell it to them, and the, you know, the algorithm will be trained on US data. And honestly, Adam, when I saw this as an Australian who likes TikTok and enjoys TikTok, it made me really sad because it looks like we're going to have to choose between,
Starting point is 00:11:27 well, we won't even get the choice in the end, but the choice is going to be made for us and we're either going to wind up with a TikTok that's controlled by a bunch of lunatic Americans or a TikTok that's controlled by the Chinese Communist Party. And at the moment, I don't know which one I would prefer. Like, I actually don't. Like, do I want to be scrolling? Like, the muskification of TikTok, like, would be awful. You know, CCP also bad, but, like, I'm just like,
Starting point is 00:11:52 oh, this, I don't know what to think here. I'm kind of right here with you. Like, some of the bits of the story suggest that maybe a, like, TikTok may fork into a separate app in the US. And maybe in, you know, in the provinces, like you and I in Australia, New Zealand, maybe we will have the option of, you know, Chinese, real, you know, authentic OG TikTok. Yeah, can we keep the Chinese one, please? Crazy MAGA TikTok.
Starting point is 00:12:15 Yeah. And honestly, yeah, I'm, I mean, if current TikTok is the Chinese Communist Party version, like I can't imagine the American one is going to be better than current TikTok, right? It's only going to be worse in ways that, for those of us not in America, probably aren't better. I mean, when Cohn had in France, take it over, it ain't going to get better. The interesting thing is here, like, there's a bit of a question as to whether or not this deal, which people are describing as like the ultimate TACO deal, you know, the Trump
Starting point is 00:12:52 always chickens out thing, because this is not a forced sale, right? And it's very unclear at the moment whether or not this is even legal and whether it lines up with the bill that passed the US Congress that would force this divestment. So who knows if this is even going to happen, right? But like, wow, what a world, what a world we find ourselves in. Yes, it's pretty well, it's a wild ride is what it is. Now, speaking of Chinese propaganda, there's been a big leak out of China that's detailed the Great Firewall. And we've learned a whole bunch about the so-called Great Firewall of China about how sort of, you know, content access control and censorship and stuff is implemented and what some of the,
Starting point is 00:13:36 strategic objectives of that are. I don't know that we've discovered anything that's surprising here, but it certainly hit the headlines. What have we learned, Adam? I mean, so I guess we've learned that, you know, China is pretty good at capitalism. And the, like, the idea of a monolithic great firewall of China, the reality is that, you know, there's a bunch of commercial companies and in particular one, quite big one, Geedge, Geedge, I don't know how one says that, was one of the companies behind the technology and that they are, you know, they've spun out of university research and it works, you know, a lot like it does in the West, you know, where technology firms, you know, come out of good ideas in academic institutions, partner with government
Starting point is 00:14:18 agencies to sell their services and so on, and actually also have been packaging up and selling like a great firewall in a box to other countries in the world that have, you know, similar sorts of censorship goals. I think the leak of data that we saw from inside Geedge, they used code names for the countries, so like it was a number, like a letter and then some numbers after. A bit of, you know, research work has suggested that one of them was Kazakhstan, one was Pakistan, one was Ethiopia, one was Myanmar. There's another that starts with A, might be Algeria, who knows. So we've got an idea of what those customers are and some of the specifics of the details. One thing that was actually quite funny was, I think one place, maybe was Pakistan,
Starting point is 00:15:01 Sandvine, the Canadian company, was originally in Pakistan, helping them build censorship, and after that kind of went a little bit wrong for them geopolitically and they pulled out, Geedge got a contract to go in and kind of take over the Sandvine gear, repurpose it and then ultimately replace it with
Starting point is 00:15:17 their great firewall in a box. So a few interesting details like that, a bit of a peek behind the curtain of how this all comes together and yeah, nothing super surprising, but just kind of interesting. Yeah, well, I mean, China has innovated in this massive censorship at scale stuff.
Starting point is 00:15:34 I mean, I'm old enough to remember when people in the West, you know, us nerds in the West, would ridicule the Great Firewall of China because they're like, you can't stop the internet. How ridiculous. People are always going to find a way around it. Go try. Right? Because you can't.
Starting point is 00:15:49 And, you know, I've got mates who have to go to China for work and they will try to tunnel stuff. It doesn't work. And like, it'll work for five minutes and then you get detected. And then you get sent into like a little cordoned off area of the Chinese internet where all you can access is like, you know, Xi Jinping correct thoughts of the day sort of thing. So you sort of get penalized for a couple of days. You sort of get, you know, cordoned off. And then gradually it'll sort of open up access again. But if it detects anything weird, like, oh, DNS tunneling, boom. Some more, more
Starting point is 00:16:20 Xi thoughts for you, bud, you know. Yeah, yeah. They've got a bunch of real smarts and, you know, looking for like, yes, sure, stuff inside TLS is encrypted, but they can do kind of traffic analysis, they can look at metadata, they can use machine learning tricks. There's all sorts of, you know, kind of smart tricks that work well enough to, as you say, spot something that looks like tunneling, spot something that looks out of the pattern of regular web traffic. And then, like, it doesn't cost them anything to throw you in the naughty bin for, you know, a few days, right? There's no real downside to them to doing that. So they can afford to be quite aggressive, whereas, you know, if you were in a corporate environment
Starting point is 00:16:54 and your, you know, your outbound proxy was really aggressive at blocking people, well, you get a bunch of pushback from the users, management would get angry, like, you have to tune it to be less aggressive. But when you're the Chinese Communist Party, you don't really have that kind of degree of feedback. So, you know, they have a slightly easier problem than perhaps it looks sometimes. Well, and everything gets done on WeChat anyway, right? So between WeChat and all of the mini apps and everything, and that's all sort of state controlled or state observable, and that's turned into the inspiration for stuff like the Max messenger app in Russia, right? So China, it seems, has really perfected this sort of control, digital control at scale,
Starting point is 00:17:36 information control, access control, messaging, messaging environment control and everything. And, you know, other countries have learned from this. And as you point out, this is turning into an export industry for them. So other wonderful governments can decide that they just want a piece of this and write them a check and away they go. I mean, it's depressing, isn't it? It is depressing, but also, like, it's kind of what the world looks like these days. You know, somebody's innovating, and China is the place where, you know, there is demand, and clearly now there is also supply to match it, and, you know, opportunities for export follow.
Starting point is 00:18:09 So, yeah, capitalism, I doubt. Yeah, well, what is it, free market communists, I think I call them. Yeah. Now, let's take a look at this Atlantic Council report into the global spyware market. I mean, based on the write-ups that I've seen, the key takeaway here seems to be that more and more U.S. capital is investigating, investing in this market, I'm sorry. And, you know, I think it's kind of funny that people have dumped a whole bunch of money into the spyware market just as Apple releases the, you know, memory integrity stuff,
Starting point is 00:18:42 which is going to make life extremely difficult for exploit developers. But, you know, you and I and Tom Uren were actually having a conversation before we got started. And it's hard to know whether that's going to be bad for the investors or good for the investors because the rewards for people who can get around that are just going to be astronomical. But, you know, what's the gist of this report here? So this is a report that they have been kind of maintaining for a few years now, and they update it regularly.
Starting point is 00:19:09 And this is this year's, or 2024, I guess, the data from 2024 updated. And it pulls in some changes in ownership. It pulls in a bunch of details of new operations that have come up. But basically, it's just their work at, you know, keeping a holistic view of what the spyware industry looks like, who's buying, who's selling the people involved. They have quite a nice, like, pointy-clicky diagram thing. You can kind of click through and explore the relationships between entities and so on.
Starting point is 00:19:36 And in terms of new things in this, I guess there's a few new players in the market. You know, they're tracking the money, you know, from sources and investment firms in America into mostly Israeli firms. You know, that doesn't seem like a new insight, but it's good to have some kind of details of the scale of that. But it's just, you know, overall, it's just really good that someone is keeping tabs on this and producing good quality work that you can then build further research, build other things on top of. Yeah, I mean, you say it's nothing new,
Starting point is 00:20:05 but then you look at the actual chart of the number of investors who are getting involved in this market from the United States, and it looks like someone made a mistake on the graph. It's going to the moon, which is, I mean, I don't know what that tells us about the amount of money or whether there are details in there. Anyway, look, for those who are interested in that market and understanding it, like this is some solid work from the Atlantic Council, and of course we've linked through to it from this week's show notes.
Starting point is 00:20:27 Now, let's talk about the Vastaamo case. Of course, Vastaamo was this psychology clinic in Finland that was hacked and the data was, you know, the patient data was extorted back to them. I mean, there were suicides as a result of this attack. Eventually the, what was the guy's handle? I've got his name here, but what was his handle? Zeekill, I think it was. Zeekill, that's right.
Starting point is 00:20:49 This Zeekill guy was eventually convicted for doing this and sent off to prison. Looks like he's out, though, at the moment, Adam, halfway through his sentence. Why is that? So he is appealing an aspect of his sentence and apparently under Finnish law you're presumed innocent during that appeals process, and so he has been allowed out whilst that appeal is underway,
Starting point is 00:21:13 and it hasn't overturned his previous conviction and he still got that sentence of six years, but I think like he is innocent whilst he's appealing and so he's out whilst he goes through that process. Now I don't know if that means he then goes back to do the rest of it if he fails at an appeal, but either way, he's out walking around free, which feels pretty bad for the people that were impacted by this particular attack, which was just horrible, you know,
Starting point is 00:21:38 like ransoming people's therapy notes back to them, just, you know, disgusting. So him walking free regardless of the legal process doesn't feel great. And if anyone wants to read about that Vastaamo case, there is a book by Joe Tidy, who is a listener and a BBC journalist, called Ctrl+Alt+Chaos, which is very good. So you can go and look that one up. It's a good book. I haven't finished it yet.
Starting point is 00:22:02 Sorry, Joe, but I did crack into it and read a few chapters and it is typically good stuff from him. But meanwhile, like relating to the same case, there's been another arrest, actually. Someone, was it, an American, has been indicted by the Finnish. By the Finns, I'm sorry. This is an American guy who was living in Estonia and I think was involved in the scene,
Starting point is 00:22:26 because I think Zeekill, Aleksanteri Kivimäki, he was Lizard Squad back in the day. So this is someone else from that kind of orbit. They found that he had, this guy had some shells on some boxes that Kivimäki was operating and was involved in some of the extortion. I think of the actual company Vastaamo, as opposed to the individual patients. Anyway, he was arrested on request of Finnish authorities, so we'll kind of see how that goes. But it's kind of funny because it's been, you know, it's been a few years now, so seeing a fresh arrest now was a little surprising. Yeah, and look, staying with law and
Starting point is 00:23:02 order, Jonathan Greig over at The Record is reporting that, uh, Conor Fitzpatrick, aka Pompompurin, who is one of the BreachForums administrators, because there's been so many BreachForums since that you can't just say it was the, you know, I guess maybe it was the OG BreachForums, but I don't even know if that's the case. But anyway, a big BreachForums, uh, admin, Pompompurin, who got off real light, and you and I have always thought that was really weird, has now been given a three-year prison sentence. He's been resentenced. So, what, wow. Yeah, yeah.
Starting point is 00:23:33 He had originally argued that he wasn't going to do well in prison because of his autism or something like that. The DOJ didn't really enjoy that. Went back and appealed, and yet now he's going to face three years. He was originally going to get, what was it, 20 or something, 20 years of supervised release, and then they asked for 15 years in jail, and now they settled on less than that.
Starting point is 00:23:56 So either way, he's going to see some time inside a jail. And, yeah, I guess, you know, BreachForums was pretty big and a lot of bad stuff happened there. So I guess I don't feel too bad about him seeing the inside of the prison. No, me neither. Don't do crime, kids. Another one here from Jonathan Greig. Microsoft has disrupted some sort of phishing-as-a-service operation.
Starting point is 00:24:17 Is that right, Adam? Yes, they went after RaccoonO365, which was a phishing-as-a-service platform that was being used to phish their users. They took out a bunch of the domains. I think Cloudflare was also involved in shutting down some of the infrastructure. And there's, yeah, there's a Nigerian guy that they have identified behind it. I don't know that he has any immediate threat of arrest.
Starting point is 00:24:42 I think this was just the technical infrastructure being shut down. But, you know, I guess anything that allows people to fish Microsoft users effectively, you know, that's a thing that's worth Microsoft's time to take care of. Yeah, I mean, we could argue about other stuff they should be doing. And in fact, that's what Ron Wyden is doing, the senator in the United States. This is the most widen of widening things we've ever seen. He's writing letters about kerber roasting. This is a very specific thing.
Starting point is 00:25:14 So why don't you start off by telling, explaining to the audience who might not be Ophay, exactly what Kerber roasting is, and why Ron Wyden, a US senator, is jumping up and down about it? All right, so Kerber Ross is an authentication mechanism that, you know, grew out of, I think, MIT in the 80s. Microsoft adopted it with Windows 2000 for, you know, corporate network orth, and it's, you know, a core part of on-premative directory. Kerber roasting is a specific attack where any authenticated user in a corporate environment can request, you know, essentially a password hash for another account, which then they can crack offline. And this is a workhorse technique that people breaking into Windows corporate networks I've been using for years because, yeah, getting a password hash or a privileged account, cracking it offline with your GPU and then pivoting into that account, super, super useful. And Wyden's complaint here is that one of the reasons Kerber roasting is viable is that Microsoft uses RC4 crypto or RC4 as a mechanism in part of the,
Starting point is 00:26:22 this process. It's not actually a hash. You get like a ticket signed with a hash of the part. Near results, you can still crack it offline. It functions like a password hash, but the use of RC4 in it basically meant that you could do this at speeds in the order of, you know, like gigahashes per second, you know. Well, I mean, RC4 is not known as being the state of the art in encryption, right? Like it has been, it has been broke forever. Yeah, it's a very old, like 1980s stream cipher. So like, yeah, it's a little long in the tooth. And that kind of combined with the other problems with Microsoft or the ecosystem in Active Directory, you know, it was a pretty sore spot. And there were a few common patterns where particularly Microsoft SQL
Starting point is 00:27:09 server, like the way that people installed Microsoft SQL server ended up resulting in accounts that were often specifically vulnerable to this type of attack. There's a few prerequisites to it. and SQL server installs often met those prerequisites and were often privileged. So, you know, if you land it on a network, you'd go find all the Microsoft SQL server accounts, get an author request token out of it, offline crack them. And chances are you'd get ideally a domain admin password, you know, within a few hours of cracking time. And, you know, super useful technique.
Starting point is 00:27:42 And as to exactly why Wyden is mad about it specifically, I mean... Well, apparently his own office has been looking into the breach at Ascension, which is a, which is a healthcare play. I think there was a ransomware incident there and Kerberoasting was involved, but it just seems an odd thing to zero in on because say Kerberoasting wasn't a thing, right? They updated the crypto, broke some backwards compatibility so that, you know, and just did the right thing. Do we think that breach wouldn't have happened?
Starting point is 00:28:09 Like, I don't know. It just seems odd to go so specifically toward one thing, you know? Like you sort of had the same take as well, which is like, yeah, like Microsoft should fix this and it is ridiculous that they haven't, but like surely if you're a senator you might be able to find some sort of, you know, broader message than, hey, update from RC4 to stop Kerberoasting. It's just the whole thing's a bit strange. And even if, like, so Microsoft, RC4 is not the best way to do this anymore. Like Microsoft has a more modern crypto. There's an AES-backed version of this, encryption type 17 and 18 if you're wondering. And you can still offline
Starting point is 00:28:46 crack those. It's just three orders of magnitude slower. But what's the issue here? Is it that by default you can request one that's, like, RC4 crypto'd, or is it that people are, is that? Yeah. So I mean, the RC4 crypto ones are very, very fast to crack and they are still present in nearly everywhere because backwards compatibility primarily is the reason. So Microsoft hasn't turned it off as a default. Like you can still request them. So Microsoft hasn't made it not the default. And, you know, they could turn it off and they might break some interop with other enterprise stuff that uses it. But,
Starting point is 00:29:16 really they should have just turned it off a long time ago. But, you know, if you ask the, like, BloodHound SpecterOps guys, you know, like if you don't have Kerberoast, how many other paths are there through your BloodHound graph? They'd be like, oh, like a thousand. Infinity. So it really is just one little piece. And it used to be that Kerberoasting was, like, when I was doing, you know, sort of red-teamy kind of stuff and you'd end up in Windows networks, Kerberoasting was one of the really big kind
Starting point is 00:29:42 of, like, it was a big deal at the time. Its time was probably 10 years ago now, and there are so many other techniques through certificate services and whatever other new stuff they've come up with, that this isn't the big deal that it was. And to be honest, like, if you were going to criticize Microsoft's, you know, security engineering choices,
Starting point is 00:30:03 like you might as well go beat them up for, you know, LAN Manager password hashes or NTLM challenge response or, like, there's so many things in Active Directory that Ron Wyden could go shake the Wyden stick about. But it's just weird that he picked this particular one. And, you know, if it makes Microsoft change the default, then good, I guess. But it's just a little weird. Yeah, so that's the takeaway, isn't it?
Starting point is 00:30:25 It's like, good, but weird job, dude. Yeah, exactly. You know, you sort of get that feeling that Wyden's office has that sort of, you know, Pepe Silvia board on the wall filled with a million things they can go complain at Microsoft about. And he's just, you know, picked the one of the day to go write a press release about or write a letter about to the FTC. But, you know, and I'm not mad. I, you know, in the end I am just not mad that a senator cares about whether you're using, you know, RC4 or AES for your Kerberos service tickets. But at the same time, like, don't you have anything else to be doing, buddy? Yeah.
Starting point is 00:31:00 Yeah. Now look, let's move on to our next story. We've got a report here from Raphael Satter and Jana Winter over at Reuters, and there's communists, Adam. There are communists in the roadside weather stations. Yes, this is... Communists everywhere. This is another report about, you know, sort of industrial equipment or equipment deployed out in the field in kind of critical infrastructure-ish roles
Starting point is 00:31:28 that has hidden secret radios in it. In this case, I think there were cell modems in, you know, like weather stations and traffic cameras and things like that. And that's a threat to, you know, America's way of life because the communists might turn out weather stations against us. The thing that makes me a little mad about this reporting specifically and other examples of it in the past is the idea that there is a radio in these pieces of equipment is not that wild, right?
Starting point is 00:31:57 I mean, many of these things probably have it as an option. Maybe it's just the equipment is there by default because it's easy to build one device. It could be a system on a chip sort of stuff, right? Could be a SoC that's just got a modem in it. Like there's no detail here about, were these devices, were the radios enabled? Did they have SIM cards or eSIMs or service available to them? You know, were they being used for anything?
Starting point is 00:32:18 You know, because there's a big difference between there's a radio chip on this board because economies of scale meant it was easier to put it in and not use it than sell as an add-on. Or this stuff is actively plumbed in and, you know, active on the network without the operators being aware of it. I mean, look, I'll just be...
Starting point is 00:32:37 I just want to read the lead here, which is, U.S. officials say solar-powered highway infrastructure, including chargers, roadside weather stations and traffic cameras, should be scanned for the presence of rogue devices such as hidden radios secreted inside batteries and inverters. So it's like the solar kit they're worried about that is powering stuff like, I don't know, speed cameras. I mean, what are they gonna do, man? They gonna mess with it so that people start getting fined for speeding when they're not speeding? I don't know. It just seems an
Starting point is 00:33:06 odd place to focus. I understand when you're dealing with, like, the cranes were a good example, right? So like cranes installed at ports, you know, shipping, with radios installed in them, undocumented, probably connecting back, you know, that's something you want to know about. It could be there for entirely innocent purposes, which is that the people who manufactured the cranes might need to be able to troubleshoot remotely if there's something wrong with them, you know. The other case is, well, maybe the CCP wants to monitor container movements at that port and that would be a good way to do it, right? So there are instances where you want to look at it, it's just, this seems like an odd one to be, you know,
Starting point is 00:33:46 this is an odd one. It's a strange. It's a strange one to be excited about. I just, like, I feel like the important detail is missing, which is that they were doing something with it or that it was even, you know, that it's not just that this was present, that it was actually active or in a state where it could become active. And, you know, you could imagine a, you know, if you could instantly conjure a botnet out of, you know, a hundred million embedded devices on the, on the mobile network, you could, you know, destroy the mobile network, right? It would stop work. And I can see that being a, you know, like beyond the impact of a particular road sign or a particular, you know, crane, right? There are things you could do with that kind of scale. But, you know,
Starting point is 00:34:26 China Telecom already has quite big pipes. Like, if your goal was denial of service of comms infrastructure, between BGP hijacking and telco hacking and just having very big pipes, there are a lot of ways to skin that cat, and it just feels like rolling out, you know, modems in battery packs on solar things on the side of the road just seems like a weird way to go about it. So I'm, you know, I'm just kind of dubious that this is a huge threat, you know. Yeah. I mean, we've seen there, look, I understand that around solar inverters. So Australia has the highest uptake of rooftop solar in the world, no surprises, we got lots of sunshine. I mean, I got 10 kilowatts on my roof right now. We are literally having a solar-powered conversation.
Starting point is 00:35:06 Right. Now, a lot of that equipment is made in China. Mine isn't. So I understand that there can be some concerns around that stuff. But yeah, we've seen some crazy politics around that as well. I remember an Australian senator, James Patterson, who's with the Liberal Party, which not to confuse the Americans, the Liberal Party in Australia is the Conservative Party. I think he's the shadow like home affairs guy. And he put out a release saying that the government's renewable energy targets were putting Australian national security at risk because the solar inverters were made in China. So we should burn more coal or something like that. Like it was the, it was one of the worst releases I've ever seen. So yeah, so look, there's a, there's a time to like have a serious look at some of these call home features. And in those cases, those inverters that are installed domestically in Australia, we know they connect back because they connect through, you know, they're an IoT thing that connects via your Wi-Fi back to something in China where you get your console and whatever and can see how much energy you've generated that day.
Starting point is 00:36:06 change configurations and stuff like that. So in that case, I think it is actually a thing worth taking a look at. But, yeah, it just seems like people sometimes grasping at straws, like for the China threat, when really there's a lot of stuff they are doing, which is a lot more threatening than maybe having, you know, some non-sim carded radios in a solar panel controlling a speed camera on an American highway. Anyway, yeah, exactly. Moving on.
Starting point is 00:36:33 And Israel has apparently seized a bunch of crypto wallets that, I think, are tied to Iran's IRGC. There was something like $1.5 million in these crypto wallets. But crucially, they say something like $1.5 billion had passed through them. I can't imagine that seizing crypto wallets, you know, crypto wallets are not hard to replace. I can't imagine that this is really going to inconvenience the IRGC all that much. But why don't you tell me, how did they actually seize these wallets? Was this through a court action or through some 8200-ing? So I think in this case, instead of actually being specifically seized, probably they
Starting point is 00:37:12 have just added them to the, like, block lists that exchanges use to, you know, flag accounts that have been doing particular stuff. I think U.S. authorities have, you know, put out a, like, seizure notice saying that they are seeking to, you know, get the one particular guy's cryptocurrency. It says it was a guy that was arrested in Italy, but is actually physically in Iran. And that was like half a million dollars worth. So I don't know that they are actually seizing in the sense of, you know, like going and stealing the guy's wallet, taking the guy's wallet out of his back pocket. But the net result is that those accounts are probably burnt, you know, in terms of their utility for use on, you know, the open exchanges.
Starting point is 00:37:49 As you say, you know, make a new crypto wallet, not particularly complicated. But I think this does send a message that, you know, hey, we are watching you. And we're not really clear how Israel knew about the specific accounts, like knew which ones, and that may have involved them 8200-ing, and one assumes that that's kind of what they do. But yeah, the important thing is that Iran knows that people are watching them. And, you know, $1.5 billion, you know, we don't really know where it came from, we don't know what Iran's using it for, but the point is that they will feel a little bit seen and it may make them, you know, be a bit sneakier about how they do it in the future. Yeah, well, I do wonder how they were actually paying people in Australia to go and commit, commit crimes. You know, I'm guessing there was a crypto element there.
Starting point is 00:38:32 Interestingly enough, they were using USDT, which is Tether's US dollar stablecoin. So it's funny when we talk about the decline of the US dollar. Even the IRGC can't de-dollarize, Adam, which I find quite fascinating. I imagine it's because they don't want to wear the cryptocurrency speculator, you know, like up and down. The risk, exactly. So they choose the greenback, buddy.
Starting point is 00:38:55 They are greenback all the way. So that's a bit funny. All right, mate, we're going to wrap it up there. Thank you so much for joining me to talk through all of that. Interesting as always. Now, I should mention, too, you're actually on a break next week. You are off to a beautiful sunny place in the Pacific, and you'll be having some fun over there.
Starting point is 00:39:12 And then when you come back, I'm off. So next week, I think it's Rob Joyce, who's going to come in and be you next week. And then I think when I'm away for the school holidays here, you might be putting together an episode without me, which will be the first ever pat-free edition of Risky Business, which is very exciting. That is that we are plotting around the,
Starting point is 00:39:30 office to have a little fun while the boss is away. So yeah, we may have a, there may be an extra special episode coming out to listeners whilst you are out of mobile coverage and can't see what we're up to. Oh, God. So I'll chat to you in four weeks from now, mate. Have a great break and I'll catch you soon. I'll see you then, Pat. That was Adam Boileau there with the check of the week's security news. Big thanks to him for that. It is time for this week's sponsor interview now, and we're going to be chatting with Adam Pointon,
Starting point is 00:40:06 who is the chief executive and a co-founder of Knocknoc. Now, Knocknoc, many of you would know. I'm actually on the board of directors of Knocknoc, and I do hold some shares in the company. It's a company that I'm really, really, really into. Basically what it does is it takes identity information or identity status, authentication status, and ties it to other events like network controls, for example. So, you know, you can have a firewalled service on the border of your network that no one can
Starting point is 00:40:38 reach, but then when they authenticate through their IDP, they can then just hit a little button on a web app, which opens up a port to that service. So we use it at risky biz HQ to manage the applications in the cloud that we access. But what's been really crazy is the extent to which this has taken off as a control for internal networks. Because internal networks are just so messy these days, particularly at big organizations. And quite often, people have just got really risky assets sitting there on flat networks that maybe the entire workforce doesn't even need to be able to access. And they just want to be able to seal these things off quickly and easily.
Starting point is 00:41:14 And that's becoming a huge use case. So I'll drop you in here where Adam explains that, like, one customer who came to them recently, they just needed to get some controls on some KVM over IP switches, pronto, and they chose Knocknoc to do that, which just, you know, really solved the problem for them in half a day. So here's Adam Pointon talking about that and also further internal use cases for Knocknoc. Enjoy. KVM over IP devices, you know, they're embedded. There's a lot of unknowns in them. They run some sort of Linuxy thing, and they're straight into keyboard.
Starting point is 00:41:48 So it's a real problem if they're exposed. And they kind of brought in to solve a problem about access, right? You need to use these things to get access, and then you can't necessarily control them because you need that access. So what do you do? And that's where people have come to us saying, can you solve this problem? Yes, we're looking at our edge.
Starting point is 00:42:07 Yes, we're looking at how we carve up internally. But actually, we've got these things we want to introduce, but we don't want to just put them on the network and hope for the best. can you help us with that? All right. So that's the KVM over IP use case thing. Pretty easy to restrict, pretty straightforward pitch.
Starting point is 00:42:22 I did also want to talk to you today about the biggest customer, actually, that you have. And their use case is really interesting, right? Because they have essentially a global flat network where users in a risky region are sort of required to have to access global resources on that network. But the customer wants to put in the ability to do user attribution to users from that region on the network, and also to be able to restrict that region or specific parts of that region very, very quickly if they have to. So this is almost like micro segmentation that isn't micro segmentation. Can you walk us through this one, please?
Starting point is 00:43:07 Yeah, it's sort of common in a way where organizations have firewalls, internal firewalls all over the place, but they allow or deny. So if they're allow, you've got network transit from different remote offices, manufacturing environments, etc., which are essentially result in a flat network and always on access. So being able to reduce that exposure down to human identity
Starting point is 00:43:33 is sort of what they're also doing, but it's also the ability to cut access, so turn access off based on whatever decisions they're making. So organizations have these internal controls and firewalls, but they're open. So the angle really is about having time-based access but using existing network layer controls as opposed to needing to go up the complexity, looking at different applications and saying, well, how do we do time-based or limited access on this application or that application? You know, rolling in Knocknoc allows them to just do it at the network layer,
Starting point is 00:44:08 which makes it simpler and more, you know, yes, or no, as opposed to, well, there's identity here and how do we restrict that up the application stack. They just cut it off at the network, which then, you know, which is sort of alluding to, allows them to control broader things like that office is offline as of right now, turn it off, depending on whatever their, you know, response and needs are. Yeah, well, I mean, you can start to set like pretty fine-grained access policies, right, that apply immediately to network resources, which is nice. I mean, I can't think of another real way to do that.
Starting point is 00:44:45 Well, you end up doing it at the identity level. So this user has access to... Yeah, but that's what I'm saying. Like, at the network level, you can't, right? No, that's right. And the identity layer is a great way to do it because you've got attribution at the individual identity, but it's complicated.
Starting point is 00:45:01 Yeah, but if someone's on the network and they're unauthenticated, that doesn't slow them down because they're on the network. I mean, I think that's the point, right? Like, if you're going after some pre-auth RCE on a flat network, you don't need to be an authenticated user. No, that's right. And that's a lot of the aha moments that customers have are, why do we have always-on network access?
Starting point is 00:45:21 What? These systems, the IP KVM, the servers, whatever those, why are they always accessible all of the time? To everyone. Like pre-auth, yeah. Yeah. Well, look, they may not be accessible to everybody. Like, the admins have access to the lights-out management network. The manufacturing team have access to the machines that go bing over here.
Starting point is 00:45:39 But they have that access all of the time, 24 hours a day, seven days a week. You know, that's not necessarily required. And then it's harder to then go and say, we need to carve this section out, all these users out. It's retrospectively going and tying it down. And that's the aha moment that a lot of people, what customers have, is what, why am I allowing access all of the time? That just seems crazy. Yeah. Now, to be clear, Knocknoc, in most instances, you don't need to install a new box or anything like that. It's very much about just instrumenting what you already have, right? So plumbing your identity provider, you know, sort of authenticated state information through to network controls. So that's, that's really how that works. But in the case
Starting point is 00:46:26 that people do need some hardware in there to control things, like you just roll in with a proxy, right? Yeah, that's right. So people have, like, we orchestrate firewalls control layers if they have them if they're there. But in some environments recently, whether they've got a flat network or a section of their environment that's flat, they want to add another layer of control in there, so there's not always a firewall we can orchestrate.
Starting point is 00:46:50 And they don't necessarily want to put another bastion, you know, jump box or VPN box with two sides on it in this case. So we're actually working to drop in a reverse proxy that can either do TCP or HTTP layer 7 filtering, and we just drop it in, Knocknoc orchestrates it, and it gets them kind of protecting those assets really quickly. Because that's the other philosophy we have,
Starting point is 00:47:14 is don't have a big project. Because you're talking to a firewall, because you're talking to an existing control system, it's not a re-architecture. It's not an installation of every single machine. It's sort of drop in, solve the problem quickly, remove that attack surface at speed. So I've mentioned the, like, KVM over
Starting point is 00:47:35 IP case. I've mentioned the geographic restriction case. Like, what's another one that you would want to think to name right now? Because again, as I keep saying, like, you know, originally the idea was, man, you're going to be able to cut your external attack surface so efficiently with this. And there are people doing that. But the big ticket deals are all people doing this. And funnily enough, it's like people for whom trying to do a full scale micro segmentation project is just a non-starter. The environments are just too big. Like, forget it. But if they could carve out initial, you know, it's almost like micro-asset-specific micro-segmentation. So you're just micro-segmenting each asset instead of the entire network.
Starting point is 00:48:16 But what's another example that you could think of off the top of your head, of another use case? Yeah, recent ones outbound access or the kind of east-west access. So to start with the outbound access, we've got customers that have air-gap networks, traditionally air gap networks, they may not have been updated in a while because they're not getting patches. They don't want to sneak in their updates, you know, run around with the USB key with the patches on them. They need those machines or those test environments or those experiment or air gap networks to get outbound network access for an hour while the admin logs in, seeks updates, pulls them down, applies them, blah, blah, blah, and then access is
Starting point is 00:48:56 revoked, egress, right? It's all that. It's funny, right, because I know, I know the customer you're talking about there, and that's when they, that's when they have to do, build testing environments that are temporary and are relatively static and have to be disconnected. I mean, so we're not talking about, like, in this case, classified air-gapped networks which cannot be connected to the internet. We're talking about, like, yeah, like in this case, it's a test network that's important and testing important stuff and has to be static, has to be air-gapped, but also would be nice if it got updated every now and then. Yeah, correct. And similarly, they don't want the machines just automatically updating either because it changes their test bed, which can skew
Starting point is 00:49:32 results. So it's about having a static environment until you intentionally want those systems to have access, egress access, to download updates, etc. So it's about creating a static environment, and Knocknoc's being used to, an admin will log in and say, I now want this segment, this network environment, to go out to the internet or to go east-west and go across to these other systems and pull updates. And that actually ties into a new feature we built to support those customers. So traditionally, Knocknoc has been all about the person and their IP address, so when they log in, their IP address goes places and allows direct trust from them into the systems. And this new feature that we've built in response to this
Starting point is 00:50:12 is they can pre-configure a network. So a user will log in and then say, open up this network to this network, which is all preconfigured, they're not typing in random stuff, to allow those machines to go out, get updates, do whatever maintenance they need to do, again, without changing that static test environment, whatever it is. It's really about putting them in control of network flows without an admin needing to go and make a change. It's pre-configured. They're just pressing the button saying, allow it, an hour later, it blocks it again. Why don't you just rattle off a few new updates, like a few new things that you've added to
Starting point is 00:50:48 the product recently? Yeah, one of them's the network feature I mentioned, where it's not all about the user's IP address, but about preconfigured or pre-defined networks. We've had a lot of support for new firewall, Cisco, soft files, other devices that customers have come to us around. We had a really in-depth security review, which is fantastic. So we had an external party, and internally we sort of paired with them, went really deep on that. And we're just sort of adding additional. Got to give them a shout out. Shout out to Matt and elttam, who did that work, because it was, it was, they did a great job. Yeah, they did a great job.
Starting point is 00:51:22 We sort of went around the world to look at who, you know, who would really give us the most in-depth review, and elttam came out. So, yeah, they've done a great job. So, fixes in for that. We sort of hardened a few things as well, like the agent can do things by default and we're like, well, not everybody's going to do that. Let's turn that functionality off. And that kind of flows into our threat modeling as well. We spend a lot of time thinking about our threat model. It's evolved a little bit in the last six months, but it's sort of been thought through prior to that. And I'll say it here, Patrick, we're thinking of actually publishing it. You know, I think it's the healthy, right thing to do. We're comfortable
Starting point is 00:52:02 with our threat model. Everything can always be better, but we actually want to share it and publish it because we think our customers will appreciate it. And I'd love to see other vendors doing that as well. You know, there's the SBOM and there's sharing what's inside, but actually sharing a threat model and saying, here's how we think about it, here's where we think the risks and threats are, here's how we respond and handle those. So, you know, put it in your environment. We recommend these things, but at least we've done the thinking and shared it. So you can understand what introducing another new technology to your environment actually means to your threat, your own threat model and risk profile. Well, as soon as you release it, we can talk about it here on the show, but that's all
Starting point is 00:52:42 we got time for today. Adam Pointon, thank you so much for joining us to talk about all things Knocknoc. Thanks, Patrick. Great to be here. That was Adam Pointon there from Knocknoc, which is K-N-O-C-K-N-O-C, and yeah, I mean, Knocknoc is terrific. I love it. Go get yourself some Knocknoc. But that is it for this week's show. I do hope you enjoyed it. I'll be back soon with some more security news and analysis, but until then, I've been Patrick Gray. Thanks for listening.
