Risky Business - Risky Business #809 -- Hackers try to pay a journalist for access to the BBC
Episode Date: October 1, 2025

On this week’s show Patrick Gray is on holiday so Amberleigh Jack and Adam Boileau hijack the studio to discuss the week’s cybersecurity news, including:

Hackers... learn that trying to coerce a journalist just makes for … a great story?
A man in his 40s gets arrested over the European airport chaos. Yep, we’re surprised, too.
Adam fanboys over Watchtowr Labs while bemoaning Fortra.
Academics pick apart Tile trackers and find them lacking.
CISA tells agencies to patch their damn Cisco gear.

This episode is also available on YouTube.

Show notes
'You'll never need to work again': Criminals offer reporter money to hack BBC
Government to guarantee £1.5bn Jaguar Land Rover loan after cyber shutdown
Feds Tie ‘Scattered Spider’ Duo to $115M in Ransoms – Krebs on Security
UK authorities arrest man in connection with cyberattack against aviation vendor | Cybersecurity Dive
Chinese scammer pleads guilty after UK seizes nearly $7 billion in bitcoin
Cyberattack on Japanese beer giant Asahi limits shipping, call center operations | The Record from Recorded Future News
Afghanistan plunged into nationwide internet blackout, disrupting air travel, medical care | The Record from Recorded Future News
Tile trackers are a stalker's dream, say Georgia Tech researchers
Intel and AMD trusted enclaves, the backbone of network security, fall to physical attacks - Ars Technica
Supermicro server motherboards can be infected with unremovable malware - Ars Technica
China-linked hackers use ‘BRICKSTORM’ backdoor to steal IP | The Record from Recorded Future News
Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
Federal agencies given one day to patch exploited Cisco firewall bugs | The Record from Recorded Future News
Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability
Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035)
It Is Bad (Exploitation of Fortra GoAnywhere MFT CVE-2025-10035) - Part 2
Transcript
Hey everyone and welcome along to Risky Business. My name is Amberleigh Jack and this is, I believe, the first time that a Risky Business weekly show has been produced without Patrick Gray at the helm.
But Pat's on holiday for a couple of weeks and regular listeners of the show will be aware of, I guess you could call it the risky business curse where the idea is if Pat goes away, the internet will go boom in his absence and there'll be no one to talk about it.
So we figured we'd do what we can and keep the show going in his absence.
So joining me in his regular spot behind the microphone is Mr. Adam Boileau.
Adam, thank you so much for joining me.
Yeah, it's great to be here, Amberleigh.
And you're right.
This is, you know, it's historic.
Pat and I have been doing the show.
I think I've been here more than 15 years.
And Pat's been doing it before that without me.
Yeah.
So, yeah, a Pat-free show is pretty miraculous.
So let's give it a go.
I guess we should also point out this is not sponsored.
This is just us kind of doing it for fun because, you know, we're sitting around the office anyway.
We're already talking about the news in chat.
So, you know, why not get in front of the microphone and do what we always do?
Yeah, for sure.
And I want to jump straight into it, actually, with a news story that, as a journalist, really piqued my interest when I saw it this week.
Journalists love money.
Journalists love money.
But a BBC reporter, Joe Tidy, has written a first-person piece about being contacted on Signal by hackers who asked him to hand over his BBC credentials in exchange for a percentage of whatever the hackers would manage to extort from the BBC.
And this one made me laugh because, and it also made me a little bit envious as a journalist.
Because if I was still working in a newsroom and I received a message like that, my first thought would not be, how can I extort my company and make lots of money?
My first thought would be, I'm going to run straight to my editor and say, look at this great story that I have in my hot little hands.
How would you like to approach us?
But, Adam, it's the question I wanted to ask you is, as a journalist, we don't have a lot of permissions with our accounts.
I mean, if you hacked into a journalist's account, you can maybe, I don't know, add some typos to a story or a cat picture on the front page.
But it's not about that, is it?
It's just literally about getting access.
Yeah, I mean, of the things that ransomware crews are good at, one of their core competencies is taking any sort of initial access and turning that into, you know, enterprise-wide compromise and onwards to ransom.
and getting access to any one individual user's account,
be it a journalist or a janitor or a receptionist or, you know,
a call center person, that's where they land anyway.
If they're phishing for code execution,
if they're phishing for credentials,
whatever initial entry access route that they are going after,
typically they're not going to be landing into a privileged,
you know, an IT privileged account.
And so turning that, you know,
turning any regular account into the kind of privilege they need,
to do ransomware.
That's what they're good at.
And the avenues for doing it are, you know, very well understood in terms of attacking
Windows domain environments and so on and so forth.
So the fact that it's a journalist, and if anything, they probably should have paid
more attention to that.
Because I think of all the sorts of, you know, roles and industries and people you could
go after with this kind of like, hey, we'll just give you, we'll cut you in on the ransom,
journalists seem to me to be the one that's least likely to work
because, you know, as you suggested,
like journalists are not there for the money.
They are there because they want stories.
If they were willing to do journalism for money,
they'd be in corporate comms instead, right?
Getting paid fat bank.
Absolutely.
And instead, no, they are there because they want the stories.
And so the fact that Joe Tidy immediately turned around to his editor
and said, let's write a story about this,
100% predictable.
So, yeah, I don't know.
I don't know what else we expect.
I don't know what they expected out of this whole process.
Yeah, for sure.
And I just, I mean, obviously journalists,
not the best people to try this tactic with,
but this tactic in general, Adam,
is it a good plan?
Is it a plan that is going to work?
And if so, why are we only seeing it now?
It's a great question because the, you know,
we don't see, we've seen some examples of this,
but kind of less than you would expect.
And, you know, as someone who has worked in technical security,
the idea that your users would be co-opted against you is pretty scary because building systems
that are sufficiently robust to survive malicious insiders is not a thing that we're good at.
Like we struggle dealing with, you know, malicious attackers that are inside our environment
and malicious insiders usually have enough knowledge to be properly dangerous, but they don't
have hacking nous. They have company, you know, environment-specific knowledge.
but if you can pair someone who knows, you know, the foibles of the environment
with someone who understands technical hacking and combine their powers together,
then that's an adversary that most of us, you know, don't want to have to defend against.
But the reason I think we don't see this is that, I mean, what's the outcome going to be?
Let's say you're Joe Tidy, you take the, you know, tens of thousands of dollars,
or, you know, you take the punt on however much money, BBC might pay out.
the chances that it's not going to be tracked back to you is basically zero.
Like you are a hundred percent going to take the rap for it.
And Russian cyber criminals at least have the benefit of being in a jurisdiction
that's not going to extradite them.
Like they are immune to law enforcement so long as they pay, you know,
the appropriate cover in Russia, you know, to whoever they're bribing.
But that's not the case everywhere else, right?
If you work at that company and you get them ransomware on purpose for money,
you should expect law enforcement on your doorstep.
You should expect to not work again.
you should expect to face those consequences.
And if anything, you know, the ransomware crews are kind of like buying a fall guy here, right?
Because if they've found someone, if authorities can find someone to prosecute,
then that takes a bit of pressure off the ransomware crews.
So this is just an all-round bad idea.
And the examples we have seen, like that guy, we reported a couple months ago about this guy in Brazil
who gave up his access to the, like, some payments,
the back-end systems for payment stuff in Brazil,
where he, you know, worked there, wasn't going particularly well in his career, sold his access
at a bar for a few thousand dollars, and sure enough, the attackers break in, steal a couple
hundred million dollars worth of funds, and now he's facing the rap for it. So it's just,
I don't see that this is a good deal. And much as an attacker, there's been a few times in my career
when we're trying to break into, you know, in my day job as a, my old day job, as a red teamer,
like, when we're trying to break into a hard target, sometimes there's very,
very tempting to go, like, can we just offer someone a couple of thousand bucks to run a command
for us? Because that would be cheaper than the time we are spending trying to technically
hack them. But the reality is, like, this isn't a great initial access vector. And, you know,
although it's kind of scary to have to deal with it, I think, you know, it's not a thing we should
spend a whole bunch of time worrying about as defenders because, you know, clearly if this was
going to happen a lot, it would be by now. Yeah, for sure. And I guess the last thing I want to say on this as well is I love
that the headline is one of the quotes from the hackers, which is you'll never have to work
again. And then later in the article, it did say he didn't know how much money he was going
to get, but it did say that he was asked to initiate a payment of something like $55,000,
which, I mean, journalists aren't paid great, but $55,000 is not going to be enough to
flee the country and, uh, retire on. So no, that's not enough money to go on the
lam for the rest of your life, which is what we're talking about here. Yeah. And sticking with
the ransomware, uh, stories, Adam, the Jaguar Land Rover update. I mean, we've been talking about the story
for a few weeks now. Uh, the UK government has agreed to guarantee a 1.5 billion pound loan to
basically keep Jaguar Land Rover going and help them recover.
And I guess, I mean, you and Pat have sort of discussed about how important and how big
Jaguar Land Rover is in terms of the British economy.
And I guess this kind of cements that.
Yeah, it really does underscore, like, how much grief this is causing, I mean, to Jaguar Land Rover,
but kind of more importantly to all of the smaller little companies that are in the supply chain,
because those are the ones that, you know, can't really weather a multi-month shutdown.
And so, you know, the government's, I guess, like, we've seen some headlines describe this
as a bailout, which, you know, kind of isn't really.
They're underwriting a loan if Jaguar Land Rover fails.
They were probably going to get nationalized anyway.
So it's not like the government's going to lose, and, you know, they can back this loan
that some, you know, private bankers are going to extend to Jaguar Land Rover.
And I think then their plan is that they would then use that to provide some assistance
to their suppliers and kind of just try and get the whole enterprise
and all its downstream, you know, related companies through this process
and back to the point where they can start making cars again.
And that, you know, seems like a smart move, pretty low risk for the government.
But it's kind of, yeah, it's interesting that it's kind of, it's, that it is this bad.
And, you know, I don't know what ransomware crews take from this or whether they even
think it through, but, you know, it's certainly a mess for all of the people who work at
those suppliers and this will at least provide them with some certainty for the next, you know,
months. I have to say, Adam, I am looking forward to the day where we can see a court sketch
of some very miserable Land Rover hackers in the same vein as the amazing picture that is
featured in Brian Krebs' Krebs on Security write-up of the Scattered Spider teens, Thalha Jubair
and Owen Flowers, who were arrested for the Transport for London hack last year. And they sort of saw
their day in court and charges have been laid and Brian Krebs has done what Brian Krebs
does and has pieced all the pieces together in this great write-up.
Yeah, some of these kids, and in particular the Jubair kid, has been in the hacking scene
for a while, in that kind of extended comm universe.
And Brian ties together some of the previous exploits of this kid and some of the other shady
stuff he was involved in, you know, things like swatting and the attacks against
the casinos in Las Vegas a couple of years ago now.
So, like a pretty long rap sheet,
even if they're not, you know,
he's not facing charges that relate to all of those things.
But like he's been involved and his name goes back through, you know,
so many things.
So, yeah, Krebs has got a good write-up.
I don't think there's anything that we didn't already kind of know and understand.
But when you see it, like, Krebs does those great write-ups where, you know,
when you lay it all out like that, you do see, like,
this kid's, you know, been doing bad stuff for a long time.
I mean, he's only 19 now, so he must have started this stuff pretty young,
which, you know, I do despair for having to have good OPSEC
as a 13 or 14-year-old hacker kid on the internet.
Like, you just can't, right?
You can't have good OPSEC and be that young because it's, you know, it's complicated.
And, you know, especially for these kids in the UK,
they're all going to end up in jail.
And, you know, the opportunities for becoming a productive,
member of society are a bit more limited.
I think you and Tom talked about that on SRB.
It's just kind of difficult these days.
So it sucks to be there.
But these kids are not, you know, they're not good dudes, unfortunately.
They're not.
And yeah, you sort of mentioned, you know, Tom and I were talking about how even just in the
past decade, the violence and the money and the just all around nastiness of all of this
is just getting so much more intense.
and there really is no kind of path to redemption for these kids.
Yeah, I mean, you grew up alongside a teenage hacker kid, right?
Yes, I did.
We were goofy and, you know, a bit of a menace and made a little bit of trouble,
but ultimately weren't bad people, right?
And many of us ended up in careers that were, you know, useful members,
you know, were useful contributors to society.
And it's kind of hard to see some of these kids in that same light,
which, you know, maybe this is just old people, you know, yelling at clouds.
That's all that's happening here.
But, yeah, when you read the whole rap sheet like this, it's pretty rough.
Now, Adam, we may be old people yelling at clouds about kids these days,
but I had to laugh because an arrest has been made in connection with the cyber attack against Collins Aerospace,
which is the check-in and boarding technology that caused all the chaos recently at European airports.
But the thing that seems very strange in the story is the person that was arrested as a man in his 40s.
Which, I mean, on the one hand, okay, yeah, you did some hacking.
That's good, I suppose.
Like, good for you, buddy.
Although I think it was ransomware, so not great hacking.
But, yeah, I was surprised to see that age, too, because you would hope that if you're in your 40s, you know, your ability to kind of reason about the risks that you would face,
when you live in England, hacking airports that are, you know, amongst other things, in England, like, surely that would give you
some pause, but apparently not. This guy's been picked up. We haven't seen many other details
other than that. He was in his 40s and I think from like West Sussex or something, facing some
charges. But yeah, like not great risk management, you know, or risk thinking even amongst
middle-aged folks. Yeah, for sure. And it's like you were saying just before. I mean, you and
you and my brother both grew up kind of, I guess, hacking it at similar times in life. And as you
said you grow up and you become functioning members of the hacking community. Mostly. I just feel
like if you've got the technical skills to be able to hack an airport, surely you can also get a
reasonably paying legitimate job in IT, like, you know, which is a better choice than hacking airports
in my opinion. Just one thing though, Adam. I mean, we were talking earlier about the journalist
who was kind of hit up and sort of said, hey, let us buy your creds for a take in this. Do you think
there could be some kind of similar, like, do you think this could be a guy in his 40s who got
caught up in something? It's a good thought, actually, yeah, because that would fit. But the guy
in Brazil, we were talking about briefly, he was in his 40s and, like, hadn't gone places
in his career, was trying to retrain, you know, so maybe that's another
possible explanation. We've got, you know, no details at all about this guy, so who knows. But, yeah,
that could be a thing, yeah. I mean, it would be an interesting data point of it that turned out
to be the case.
We've got a story here from The Record from Jonathan Greig.
A Chinese woman has pleaded guilty in the UK
after the government seized a significant amount of money,
$7 billion in Bitcoin,
which was from this woman's investment fraud,
which feels like a lot,
Adam,
do you reckon? Yeah,
the story here is that she
was running, like, a Bitcoin,
a cryptocurrency investment kind of Ponzi scheme scam thing
in China in the mid-2010s,
and she stole a bunch of Bitcoin
and it was a significant amount of Bitcoin.
Like it was, I think, by 2017 or something?
It was about $200 million worth of Bitcoin.
So pretty reasonable money.
At that point, she was starting to get, you know,
some heat in China, fled to the UK,
bought herself a fancy house,
and so has been kind of, like, laundering the money and on the run for a little bit.
And then, you know, subsequently arrested.
And then the UK government seized her Bitcoin holdings,
which turned out to be 61,000 bitcoins,
which at today's value, as you say,
it's like $7 billion US dollars.
And so, you know, this has been prosecuted in the courts and so on.
Some of the original investors from China are actually asking,
the UK government for their money back, which...
So, Adam, they, I believe when they made the investments,
they were promised something kind of crazy, like 300% returns.
But if we take that $7 billion worth of Bitcoin and they do get this money,
what kind of returns are we looking at for this investment?
I did the numbers and it's 11,300% returns.
So the thing I find myself wondering is she was promising this was an investment scheme where they would make 300% returns.
If they now make 11,000% returns, is it even a scam?
Like, I mean, like, are they going to prosecute her?
I mean, if like if the UK government said, okay, we're going to give the money back to the investors, like, they could be very happy with their return.
Like, did she even really do a crime?
That's what I'm wondering, because, you know, Bitcoin is so crazy that you can do fraud.
and yet somehow at the end of it,
maybe not even did a crime.
So the UK government, of course,
wants to keep the $6 or 7 billion
because, you know, that'd be handy to have.
It would have to be the first time
where you would be absolutely stoked
to be a victim of fraud.
Well, you see, you would say that,
but in the cryptocurrency world
where everything is topsy-turvy madness,
there's been plenty of other examples
of people who've had their Bitcoin
stolen and then eventually got it back, and as a result of that, like, in forced
hodling, they've ended up making heaps of money. I think, like, Mt. Gox in Japan was a
cryptocurrency exchange where that kind of happened. They had a bunch of crypto stolen, and then by the time
people got it back, it had actually appreciated so much in value that they were doing really well. So,
yeah, I mean, if anything else, it just underscores how absolutely bonkers
cryptocurrency is and how it makes no sense whatsoever, and you shouldn't invest in it,
even if you are going to get 11,000% returns over a, you know, 10-year period or whatever.
I hear that Bitcoin is absolutely terrible and you should not invest in it.
But also on the other side, having your Bitcoin stolen is potentially the best term deposit possible.
Well, it does at least stop you from touching it,
you know, messing with it.
And yeah, if you eventually get your money back, then it would beat every other financial instrument you could possibly work with.
So, yeah, just don't come to
Risky Business for financial advice. I think that's the main takeaway here. I think that is the number
one takeaway you can gain from that conversation. Now people in Japan, Adam, are going without
their beer. A cyber attack on Asahi. Yeah, there's been some kind of attack. We don't know that
it's ransomware, but it sure smells like ransomware. It seems to be affecting a bunch of domestic
operations at Asahi, which is a giant Japanese brewing firm.
So far, I think shipping, like call center, order management,
shipping and stuff are all impacted.
I think the actual breweries are still running,
but we don't know how long that will continue.
But yes, it's not affecting the international arms of Asahi
and they own a bunch of international beer brands as well.
But it's pretty rude if it does turn up to be ransomware.
You know, hack and beer, that's just, you know, that's just not on.
Not on.
Don't mess with people's beer, man.
Exactly.
Come on.
And Adam, Afghanistan is having a really rough time.
at the moment, the entire country's had the internet shut off.
We've got a story here from Daryna Antoniuk at The Record,
and the Taliban have shut down the internet as part of a crackdown on immoral acts.
I mean, to be fair, the internet does have a lot of immoral acts on it,
which, you know, it's the obvious joke to make,
but on the other hand, like, this is not a joke if you're there.
I mean, the internet is so ingrained in modern society,
And even, you know, Afghanistan's, you know, not exactly the, you know, a pinnacle of high-tech, I guess.
But, you know, it's communications is super important.
And, you know, the amount of things that must be broken right now in Afghanistan, I can't imagine.
I can't imagine what our society would be like if the internet just disappeared one day.
But then also there's such a huge Afghan diaspora around the world.
They have family back at home, you know, and not knowing what's going on has got to be such a horrible experience as well.
So, like, it's kind of not really cyber news, but, like, just thinking through what it would feel like and what, you know, how we would cope with that kind of impact of your internet being turned off completely, you know, it's pretty sobering.
Yeah. And that's the big thing. I think, you know, I mean, there's the obvious disruptions reading through the story, you know, like airports and banking and everything else. But the isolation would just be phenomenal.
Yeah, we're so used to being such an interconnected, immediately communicate anywhere in the world, you know, kind of place.
And then having that just taken away all, you know, overnight.
And it didn't seem like there was much warning here either.
There's been a few sort of, you know, rumblings and things, something's starting to break.
But just, yeah, waking up one morning and no more internet.
And it's not even being pitched as like a temporary thing.
It's a, you know, they're talking about maybe we're going to build some alternative system instead.
I think we had a quote from some governor of, you know, a province in the country,
Afghanistan, saying, yeah, we're just going to build some kind of other system. And it's like,
excuse me, you what now? And for essential services. It doesn't sound like they're planning on
stopping it any time soon. No, that's a rough, definitely a rough time. And, you know, I guess we don't
have many listeners in Afghanistan this week. So, yeah, but our condolences nevertheless.
Now, Adam, Tile trackers. We have some research here from Georgia Tech, well, researchers from
Georgia Tech saying there's a few issues with Tile trackers. Tell me about this research. Yeah, so
Tile makes little,
like, Bluetooth Low Energy
Bluetooth tracking devices,
the Tile network of these
things. You know, you put them on your key rings
and bags and whatever else, and
they send out
local radio, radio
messages, beacons, I guess,
that are picked up by other devices, and people use
that to track things. Tile is probably
the second biggest network after
the Apple Find My equivalent,
and this is, I think, the first
sort of comprehensive research we've seen
into, like, how Tile works and how it's built.
And I know when Apple Find My launched,
there was a lot of criticism about the potential for abuse
of people, you know, tracking people without their consent,
you know, slipping a tracker into somebody's bag and following them around,
or of the privacy concerns of, like,
your tracking information being around,
other people being able to track you by your devices.
And Apple built a bunch of, you know,
kind of smart engineering into their things
to try and mitigate most of those abuse cases.
This research from a team at Georgia Tech suggests that Tile basically didn't implement the same kind of level of rigor.
The core of the criticism is that Tile devices broadcast a static identifier.
So the MAC address, the hardware identifier of the radio, and a static, you know, unique identifier.
In other tracking networks, those things change quite rapidly.
So, you know, even if you know that there is an Apple, you know, AirTag nearby, you don't know
that it's the same one that you saw last week.
In the Tile devices, it appears that you can actually identify individual people with them,
and if you can see the same device going past the same place,
you'll be able to spot patterns of life and so on.
There's also some concerns around their resilience to being used surreptitiously
because of the stalking case where you stick a tracker in someone's car
or someone's bag or whatever.
Anyway, the researchers wrote this all up,
reported it to Life360, who were the parent company of Tile, I think, at the beginning of last year,
and at some point Life360 kind of stopped replying to them, and there hasn't really been much movement.
And the researchers suggest that these are kind of design-level issues, not like something you could easily patch,
so that may explain some of the slow communication.
The Register reached out to Life360 and got some
comment back that said basically, we've done some things, but wouldn't specify exactly what
those things are.
So, well, not super confidence-inspiring.
But yeah, just good to see research out there because, you know, this is one of these things
where we build these technological systems, and we don't always think about the ways that
they can be abused.
And the stalking use cases for this stuff are really all pretty gross.
Yeah, yeah, very gross.
And I love the kind of, you know, we've made things better, but we won't tell you how.
Oh, wonderful, just the ultimate, trust me, bro.
Yeah, exactly, exactly.
And keeping with the research, Adam,
we've got a write-up here from Dan Goodin at Ars Technica: Intel
and AMD trusted enclaves.
A bit of research into that.
Can you tell me about it?
Yeah, I mean, this is pretty deep in the weeds,
and this is the sort of story that Pat would be like,
hey, Adam, explain this to me because I don't want to read these research papers.
So I'll excuse you.
So pretty much the same thing then.
If your eyes glaze over, you're totally excused.
It's totally excused.
So this is some research into how AMD and Intel systems implement their, like, secure enclaves
and the systems that support that.
Things like encrypted memory and so on.
And there's two sets of research by independent researchers that just both happen to occur
at the same time, and both have kind of roughly similar things.
The key to these is both these bits of research look into a use case
that these trusted enclaves weren't really meant to solve,
which is an attacker has some ability to modify the hardware.
In both the cases, the researchers insert a custom hardware device
between the system and its memory and then can read memory accesses
and kind of use that to infer things about the behavior of the
code running in these trusted enclaves, or eventually break the crypto through some other
kind of cryptographic attacks that they can do through repeated observation. The net result of all
of this is that these two research papers look at, you know, I guess there's kind of two use cases
for this kind of thing. One is for running code on computers that you don't necessarily
trust. So things like distributed computing networks or cloud computing environments where you want to
kind of have the hardware make some attestations about its robustness and its integrity and so
on. And this is research into how to kind of get around those things. But the real key is
neither of these solutions were designed to be robust against hardware intrusion. And this is
super important research, but ultimately not a thing that end users of this technology really
need to care about too much. We may see future developments in this kind of, like, remote
attested, you know, robust, secured computing kind of thing.
But this is just, you know, research that will contribute to that.
But not really, you know, some of the headlines have been a bit breathy.
And this is not a thing that everyday people really need to concern themselves much about.
There's so many other things to worry about.
And this one probably isn't one of them.
Now, Adam, we've got another write-up here from Dan Goodin at Ars about Supermicro server
motherboards that can be infected.
And I'm intrigued here with unremovable malware.
Explain to me what unremovable malware is, Adam, and why it matters.
So this is a write-up of some research from a company called Binarly, who've been
involved in all sorts of work looking into firmware.
And this is a set of vulnerabilities in how Supermicro motherboards validate firmware updates
into some of their embedded systems.
So there are a number of kind of small embedded computers inside modern computers.
They're made up of, you know, controllers for various peripherals and whatever else.
And all of those also have software, and there's meant to be mechanisms to try and make that
software, you know, robust in the sense that you can't just, once you've had access to a computer,
update it willy-nilly, you have to have, you know, a software signed by the manufacturer.
And Binarly have reverse engineered some of the software for the baseboard management
controllers, which is one of the embedded computers that's typically involved in managing
the hardware itself,
how fast the fans are going
and turning the devices on and off
in a data center context.
These are used to manage power remotely
or manage network interfaces remotely
before the system even necessarily
has an operating system running on it.
So this was work finding some vulnerabilities
in how the software in these embedded components
is updated, and then being able to use it for malice,
and in particular implanting it for long-term access.
And this is a thing that nation state hackers particularly really enjoy,
because once you've hacked a computer,
if you can get to the point where the only way to throw out the attacker who's broken in
is to physically replace the equipment,
then that bar is very, very high.
And it makes, you know, throwing people out very, very difficult.
And so, yeah, that kind of hardware backdoor is very attractive to motivated attackers
and really very, very difficult for everyone else,
because I know when I've been involved in incident response cases, having to turn around
and say, okay, in order to, you know, evict the attackers in your environment, you're going to have
to replace every computer that you own, and that's quite a high bar. You have to be very sure
about your findings before you recommend that a company replaces all of its computing equipment,
and I don't think, you know, I've never seen anyone do that, like, probably outside of a
government or military context where they are willing to go and throw computers into a
wood chipper as part of the response process.
Yeah, wow.
And we've got a write-up here from Jonathan Greig at the Record as well.
And Adam, you and I work together quite a bit in the mornings here at Risky Biz.
We sort of edit bulletins and go through some stories together.
And every so often your eyes kind of light up.
And your eyes light up when you see competent hacking.
So tell me about this competent hacking.
Hacking done properly, as I think you mentioned.
I do love competent hacking.
We see so much garbage hacking,
and when you see the good stuff,
like, it really warms my heart.
So this is a write-up originally from Google Mandiant
about a Chinese actor using a piece of software
they call Brickstorm.
And it's not just because of the "storm" in the name
that I'm into it.
But this is a write-up of, like, the techniques
that they have been using, breaking into organizations,
going around doing their espionagey,
you know, nation-state kind of business.
The things that appeal to me really are just, like, the quality of the, you know, the long-term nature of their access.
So in some cases, the dwell time of this actor in places where they are being seen is, you know, in excess of a year.
And, like, they've got some cases where the actors have been in these environments for sufficiently long that the logs no longer cover how they got in.
So they don't even know how the initial access occurred, which as an attacker is wonderful.
Like, that's exactly what you want.
So, yeah, Mandiant's done the write-up.
Jonathan Greig for the Record has written up
Mandiant's write-up, and there's a bunch of IOCs and various things that you can use
if you are worried about being targeted by Chinese attackers.
But mostly, you know, I'd just like to see competent hacking, and this was a great example
of, you know, there's a sort of, in the VMware, in the network fabric, long-term access,
you know, implanting network devices with things that would scrape credentials out of the login forms,
so that you can get access to clear text credentials,
which, when everything is domain integrated for authentication,
means you can get credentials that you can use for other things.
It's just, these are all tricks that I have used.
And I just like other people using, you know,
I like other people doing, you know,
it's sort of affirmational.
Like, I feel like I did good hacking and they are doing good hacking.
Therefore, we are all good hackers and good times,
unless you're the victim.
So, yeah.
Nice.
I love to see you loving to see good hacking.
So the stories worked well for both of us.
Adam, I kind of grew up believing that firewalls make things secure, right?
But I think I'm starting to learn that maybe if Cisco is in the name of that, that's not the case.
Why?
So can you tell me about this Cisco firewall bug that federal agencies have basically been given no time to patch?
Yeah.
So CISA has told, you know, federal civilian agencies and everybody else under their kind of remit to go out and patch their Cisco ASA and Firepower Threat Defense devices.
These are both, you know, firewall products.
And you are correct.
Firewalls are meant to make things more robust and more secure, except if they come from Cisco, in which case they are meant to provide attackers with remote code exec.
So there's a pair of bugs that are being chained together.
One's an auth bypass, and one is a high-privileged service to root code exec on the underlying device that you can kind of chain together.
This is being exploited in the wild.
And yeah, like, when your firewall gets you compromised, like, it's just, it's a bad look for everybody in the industry.
Like, we are meant to be making things better, and clearly we are not.
There's also the added complexity that patching Cisco devices is usually quite
complicated. It's usually quite intrusive in terms of its impact on availability.
No one enjoys doing it, and so no one does.
So when we see...
Oh, that's fun.
Cisco bugs exploited in the wild.
Yeah, exactly.
Like, it's a bad time for everybody.
And then, so there were these bugs in ASA.
We've also seen there's some Cisco zero days, or Cisco bugs that were exploited as
zero days, that now have patches available in Cisco router products, Cisco IOS and IOS XE.
And these are, like, memory corruption via SNMP,
which is not very exciting for you, but it is exciting for me.
And so, yeah, once again, everybody needs to patch the Cisco stuff.
No one is patching the Cisco stuff.
These bugs will be, you know, exploited in the wild.
I think I saw some numbers that for the SNMP-related flaw,
there's something like 30,000 vulnerable devices in Russia.
So, you know, there's going to be plenty of compromised boxes all over the internet.
Good times.
Oh, out.
And Adam, I've spent a bit of time here at Risky Biz,
and in my time working here,
I've picked up a couple of what I feel are kind of important points.
watchTowr good, Fortra less good.
Yes, those are good points to pick up.
Yes, we've got a couple of stories here,
which are this two-part blog post from watchTowr Labs
in which they write up a recent bug, or kind of set of bugs,
in the Fortra GoAnywhere MFT, their file transfer system.
And I always have a weak spot for watchTowr Labs write-ups, as you well know, because I like good hacking and they do good hacking, and they write it up with the kind of humor and snark that, when I had to write blog posts about vendors' products, was exactly the same sort of thing.
So I feel, you know, I feel like we're at one.
These bugs are ultimately a remote code exec via deserializing the licenses.
So you show up to the web interface
and you're supposed to input your license,
and those licenses are serialized blobs
that get parsed in a way that results in code exec.
Now, where this gets more interesting is
the bugs in question
require you to be able to craft a license file,
and those license files are cryptographically signed,
and watchTowr Labs says
the key material to sign these licenses they don't have.
Like, it's not immediately obvious in the firmware.
They don't know how to craft one.
They know how to turn a license file into code execution
because they reverse engineered enough to figure that out,
but making a new one requires key material they don't have.
Normally this would mean it's kind of not really a bug,
because in theory only Fortra have that key material.
Right.
But where it gets funny is this is being exploited in the wild,
and watchTowr has some logs that they've got from,
they couldn't say where, that show in-the-wild exploitation of this,
and Fortra's advisory about it
makes it sound like it's being exploited in the wild
without actually saying that.
Like, they describe it like it's important and critical
and you should deal to it quickly.
So we don't really know what's going on here
except that probably someone is exploiting this
and exploiting it requires key material
that only Fortra has,
which means that that key material had to get out of Fortra somehow,
which means presumably someone had to steal it from Fortra.
Right.
And we don't know how that happened.
And we've ended up with kind of more
questions than we started with, but that's the joy of a write-up like what watchTowr
have done, where they've taken a boring security advisory that says, just patch
your thing, nothing really happened here.
And the implication is something much more interesting must have happened here.
And, you know, that's what I like in a write-up, even if there aren't answers.
Maybe, Adam, circling back a little bit, a Fortra staff member went to a pub and was offered
a couple of thousand dollars for their orchard.
Nice, yeah, that's a good thing.
It could have gone down like that.
Never know. So on that note, Adam, we might actually leave it there, but I have had a blast
playing stunt Pat for the week and chatting through the week's news with you. So thank you so
much for that. Now, there won't be a show next week. Pat will still be away, but we will be
publishing a sponsored Snake Oilers episode, so look out for that one on Wednesday. And Adam,
you will be returning to the regularly scheduled programming with Pat the week after that.
So have a great week, mate, and it's been an absolute blast. Thank you.
Thanks very much, Amberleigh. I'm going to look forward to seeing what horrible things happen while Pat's away,
and we will discover whether or not we have fixed the curse.
Thanks very much.