Risky Business

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• Cleo file transfer products have a remote code exec, here we go again!
• Snowflake phases out password-based auth
• Chinese Sophos-exploit-dev company gets sanctioned
• Romania’s election gets rolled back after Tiktok changed the outcome
• AMD’s encrypted VM tech bamboozled by RAM with one extra address bit
• Some cool OpenWRT research
• And much, much more.

This week’s episode is sponsored by Thinkst, who love sneaky canary token traps. Jacob Torrey previews an upcoming Blackhat talk filled with interesting operating system tricks you can use to trigger canaries in your environment. You wont believe the third trick! Attackers hate him!

This episode is also available on Youtube.

Show notes

• Cleo Software Actively Being Exploited in the Wild CVE-2024-50623 | Huntress
• Blue Yonder investigating data leak claim following ransomware attack | Cybersecurity Dive
• Snowflake to phase out single-factor authentication by late 2025 | Cybersecurity Dive
• Treasury Sanctions Cybersecurity Company Involved in Compromise of Firewall Products and Attempted Ransomware Attacks | U.S. Department of the Treasury
• Another teenage hacker charged as feds continue Scattered Spider crackdown | The Record from Recorded Future News
• Germany arrests suspected admin of country’s largest criminal marketplace | The Record from Recorded Future News
• FCC, for first time, proposes cybersecurity rules tied to wiretapping law | CyberScoop
• Russian state hackers abuse Cloudflare services to spy on Ukrainian targets | The Record from Recorded Future News
• Cloudflare’s pages.dev and workers.dev Domains Increasingly Abused for
• Romania annuls presidential election over alleged Russian interference | The Record from Recorded Future News
• EU demands TikTok 'freeze and preserve data' over alleged Russian interference in Romanian elections | The Record from Recorded Future News
• Research Note: Meta’s Role in Romania’s 2024 Presidential Election - CheckFirst
• Key electricity distributor in Romania warns of ‘cyber attack in progress’ | The Record from Recorded Future News
• Backdoor slipped into popular code library, drains ~$155k from digital wallets - Ars Technica
• AMD’s trusted execution environment blown wide open by new BadRAM attack - Ars Technica
• New dog, old tricks: DaMAgeCard attack targets memory directly thru SD card reader – PT SWARM
• Telegram partners with child safety group to scan content for sexual abuse material
• Apple hit with $1.2B lawsuit after killing controversial CSAM-detecting tool - Ars Technica
• Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection - Flatt Security Research
• How do I turn on the Do Not Track feature? | Firefox Help

In this interview Patrick Gray talks to Yubico’s COO and President Jerrod Chong about a new Yubikey feature: pre-registration.

You can now ship pre-registered Yubikeys to your staff so you don’t need to rely on your staff to enrol them. They’ve achieved this with really slick Okta and Entra ID integrations.

Jerrod also talks about a recent trip to Singapore and concerns he has about the cybersecurity of critical infrastructure in the energy sector.

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• The FTC decides its time to take another look at Microsoft
• Exxon’s opponents targeted by hackers
• Russian hackers keep getting sentenced and it confuses us
• The Feds recommend Signal, because throwing hackers out of telcos ain’t gonna happen
• A South Korean set-top-box manufacturer shipped a DDoS client for corpo-combat
• And much, much more.

This week’s sponsor interview with Vijit Nair from Corelight. We talk to him about doing detection in cloud environments, and how the varied nature of cloud systems makes the old ways - network monitoring - useful in new and interesting ways.

If you’re in Sydney, Pat is recording a live episode of the Wide World of Cyber with Chris Krebs on 5 December. There might still be tickets left!

This episode is also available on Youtube.

Show notes

• SentinelOne: Risky Business LIVE
• FTC opens Microsoft antitrust investigation | AP News
• Exclusive: Exxon lobbyist investigated over hack-and-leak of environmentalist emails, sources say | Reuters
• Costa Rica state energy company calls in US experts to help with ransomware attack | The Record from Recorded Future News
• Blue Yonder Security Rating, Vendor Risk Report, and Data Breaches
• ENGlobal IT systems impacted by ransomware attack | Cybersecurity Dive
• Ransomware suspect Wazawaka reportedly arrested by Russia | The Record from Recorded Future News
• Russia delivers historic life sentence to suspected founder of darknet marketplace | The Record from Recorded Future News
• Vodka maker Stoli says August ransomware attack contributed to bankruptcy filing | The Record from Recorded Future News
• Hacker in Snowflake Extortions May Be a U.S. Soldier – Krebs on Security
• Uganda confirms cyberattack on central bank but minimizes extent of breach | The Record from Recorded Future News
• Press Release: HOME > Announcements/News > Announcements > Press Release
• U.S. officials urge Americans to use encrypted apps amid cyberattack
• With Threats to Encryption Looming, Signal’s Meredith Whittaker Says ‘We’re Not Changing’ | WIRED
• Japanese crypto service shuts down after theft of bitcoin worth $308 million | The Record from Recorded Future News
• He Got Banned From X. Now He Wants to Help You Escape, Too | WIRED
• cyberundergroundfeed on X: "🚨 Pro-Russian Group Allegedly Hacks #Australia #Melbourne Sewage System 🚨 Hackers claim to have compromised the Riversdale sewage pumping station in #Melbourne, #Australia, switching it to manual control and placing it in emergency mode."
• Pump station fears rebuffed - New Zealand News - NZ Herald
• NZ Navy ship runs aground off Samoa, catches fire and sinks

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• A ransomware attack has crippled US supply chain software provider Blue Yonder
• Russian spies hack nearby wifi to get to their targets, but that doesn’t seem surprising?
• Salt Typhoon’s attacks on telcos are hard to solve and big on impact
• China’s surveillance state workers sell their access at home
• Palo Alto is bad and should feel bad
• And much, much more.

In this week’s sponsor interview Patrick Gray chats with Matt Muller from Tines about Gartner’s “spicy take” that the SOAR category is dead. SOAR is dead! Long live SOAR!

This episode is also available on Youtube.

Show notes

• Retailers struggle after ransomware attack on supply chain tech provider Blue Yonder | The Record from Recorded Future News
• Customer Update
• Russian Spies Jumped From One Network to Another Via Wi-Fi in an Unprecedented Hack | WIRED
• China’s Salt Typhoon hackers target telecom firms in Southeast Asia with new malware | The Record from Recorded Future News
• Emerging Details of Chinese Hack Leave U.S. Officials Increasingly Concerned
• Top senator calls Salt Typhoon “worst telecom hack in our nation’s history” - The Washington Post
• Privacy-focused mobile phone launches for high-risk individuals | CyberScoop
• China’s Surveillance State Is Selling Citizen Data as a Side Hustle | WIRED
• Former Verizon employee gets four-year sentence for sharing cyber secrets with Chinese government | The Record from Recorded Future News
• Surveillance Legislation (Confirmation of Application) Bill 2024 – Parliament of Australia
• ParlInfo - BILLS : Surveillance Legislation (Confirmation of Application) Bill 2024 : Second Reading
• ParlInfo - Surveillance Legislation (Confirmation of Application) Bill 2024
• ParlInfo - Surveillance Legislation (Confirmation of Application) Bill 2024
• Chris Bing: "Regarding the reported hack of the Gaetz-ethics committee report, the file storage platform (FileShare) that held the document said they weren't hacked. But rather: "this file was shared anonymously which allowed anyone to download. This was not a breach"" — Bluesky
• Tether Has Become a Massive Money Laundering Tool for Mexican Drug Traffickers, Feds Say
• Palo Alto Networks boasts as customers coalesce on its platforms | Cybersecurity Dive
• Palo Alto Networks pushes back as Shadowserver spots 2K of its firewalls exploited | Cybersecurity Dive
• RSF investigation: the Indian cyber-security giant silencing media outlets worldwide | RSF
• Patrick Gray (@patrick.risky.biz) — Bluesky
• metlstorm (@metlstorm.risky.biz) — Bluesky
• Catalin Cimpanu (@campuscodi.risky.biz) — Bluesky
• Tom Uren (@tom.risky.biz) — Bluesky

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• Microsoft introduces some sensible sounding post-Crowdstrike changes
• Palo Alto patches hella-stupid bugs in its firewall management webapp
• CISA head Jen Easterly to depart as Trump arrives
• AI grandma tarpits phone scammers in family-tech-support hell
• Academic research supports your gut-reaction; phishing training doesn’t work
• And much, much more.

This week’s episode is sponsored by Greynoise. The always excitable Andrew Morris joins to remind us that the edge-device vulnerabilities Pat and Adam complain about on the show are in fact actually even worse than we make them out to be. Andrew also tells us about a zero-day Greynoise’ AI system truffle-pigged out of their data set.

This episode is also available on Youtube.

Show notes

• Windows security and resiliency: Protecting your business | Windows Experience Blog
• Microsoft revamps how it will disclose vulnerabilities | Cybersecurity Dive
• NIST says exploited vulnerability backlog cleared but end-of-year goal for full list unlikely
• Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474
• Palo Alto Networks customers grapple with another actively exploited zero-day | Cybersecurity Dive
• Unpatched zero-days in Fortinet and Palo Alto Networks software
• Palo Alto Networks’ customer migration tool hit by trio of CVE exploits | Cybersecurity Dive
• Readout of President Joe Biden’s Meeting with President Xi Jinping of the People’s Republic of China | The White House
• Easterly to step down from CISA director role on Inauguration Day | Cybersecurity Dive
• Top White House cyber official urges Trump to focus on ransomware, China
• Ransomware gang Akira leaks unprecedented number of victims’ data in one day
• Hacker Is Said to Have Gained Access to File With Damaging Testimony About Gaetz
• 1,400 Pegasus spyware infections detailed in WhatsApp’s lawsuit filings
• NSO Group admits cutting off 10 customers because they abused its Pegasus spyware, say unsealed court documents | TechCrunch
• Ransomware gang Akira leaks unprecedented number of victims’ data in one day
• Ohio man behind Helix cryptocurrency mixer gets 3-year sentence
• O2 unveils Daisy, the AI granny wasting scammers’ time - Virgin Media O2
• Understanding the Efficacy of Phishing Training in Practice
• Bunnings facial recognition cameras breach Privacy Act, retailer to challenge ruling | news.com.au — Australia’s leading news site
• Nudity, punches in newly released Bunnings CCTV as company found to breach Privacy Act | news.com.au — Australia’s leading news site
• Bitfinex Hack Launderer Heather 'Razzlekhan' Morgan Sentenced to 18 Months in Prison

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• Apple frustrates law enforcement with iOS auto-reboot
• CISA says most KEV vulnerabilities in 2023 were first used as zero days
• Russians roll incident response on some sweet Linux spookware
• Regular users can create mailboxes in M365?
• Tor tracks down the source of its joe-job abuse complaints
• And much, much more.

This week’s feature guest is former FBI agent Chris Tarbell, who arrested Silk Road operator Ross Ulbricht way back in 2013. As suggestions swirl that an incoming Trump administration might release Ulbricht, Chris talks about the reality of the Dread Pirate Roberts.

This episode is sponsored by software supply chain security firm Socket.dev. Founder Feross Aboukhadijeh thinks that we need a CVE-like catalogue for supply-chain attacks, and he makes a solid argument.

The show is also available on Youtube.

Show notes

• Jason Koebler: "New: We’ve confirmed Apple quietly introduced a feature in the new iOS that is preventing cops from hacking iPhones that they have confiscated as evidence. Apple really did say ACAB www.404media.co/apple-quietl..." — Bluesky
• Apple Quietly Introduced iPhone Reboot Code Which is Locking Out Cops
• Exclusive | U.S. Agency Warns Employees About Phone Use Amid Ongoing China Hack - WSJ
• Surge in exploits of zero-day vulnerabilities is ‘new normal’ warns Five Eyes alliance
• The Elusive GoblinRAT: How a Linux Backdoor Infiltrated Government Infrastructures
• Microsoft Bookings – Facilitating Impersonation | Cyberis Limited
• TrustedSec | EKUwu: Not just another AD CS ESC
• Russia’s internet watchdog blocks thousands of websites that use Cloudflare's privacy service
• Defending the Tor network: Mitigating IP spoofing against Tor | The Tor Project
• Law enforcement operation takes down 22,000 malicious IP addresses worldwide - Ars Technica
• Press Conference - Parliament House, Canberra | Prime Minister of Australia
• DHS nominee Kristi Noem stood alone for rejecting department cyber grants to state, local governments | CyberScoop
• Patrick Gray: "Allies will feel comfortable until these guys get fired in their first 100 days for opposing Trump’s proposed annexation of Iceland or something. People have forgotten… Trump is out of his gourd" — Bluesky

In this edition of the Risky Business Soap Box we’re talking all about email security with Sublime Security co-founder Josh Kamdjou.

Email security is one of the oldest product categories in security, but as you’ll hear, Josh thinks the incumbents are just doing it wrong. He joins Risky Business host Patrick Gray for this interview about Sublime’s origin story and its new approach to email security.

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• Sophos drops implants on Chinese firewall exploit devs
• Microsoft workshops better just-in-time Windows admin privileges
• Snowflake hacker arrested in Canada
• Okta has a fun, but not very impactful auth-bypass bug
• Russians bring dumb-but-smart RDP client attacks
• And much, much more.

Special guest Sophos CISO Ross McKerchar joined us to talk about its “hacking back” campaign. The full interview is available on Youtube for those who want to really live vicariously through Sophos doing what every vendor probably wants to do.

This week’s episode is sponsored by attack surface mapping vendor runZero. Founder and CEO HD Moore joins to talk about marrying up the outside and inside views of your network.

You can also watch this episode on Youtube

Show notes

• Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory
• Does bcrypt have a maximum password length? - Information Security Stack Exchange
• Local Administrator Protection | Privilege Protection
• Inside Sophos' 5-Year War With the Chinese Hackers Hijacking Its Devices | WIRED
• A Deeper Look at FortiJump (FortiManager CVE-2024-47575) | Bishop Fox
• Man Arrested for Snowflake Hacking Spree Faces US Extradition | WIRED
• Google uses large language model to discover real-world vulnerability
• GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI
• Thousands of hacked TP-Link routers used in yearslong account takeover attacks - Ars Technica
• CISA warns of foreign threat group launching spearphishing campaign using malicious RDP files | Cybersecurity Dive
• Chinese state-backed hackers breached 20 Canadian government networks over four years, agency warns
• India-Canada row: Canadian officials confess to leaking 'intel' against India to Washington Post - India Today
• Amid diplomatic row, Canada names India in ‘cyberthreat adversary’ list, accuses it of ‘likely spying’ | World News - The Indian Express
• The Untold Story of Trump's Failed Attempt to Overthrow Venezuela's President | WIRED
• Risky Biz News: The mystery at Mango Park
• North Korean hackers seen collaborating with Play ransomware group, researchers say

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• CSRB to investigate China’s telco-wiretapping hacks
• Euro law enforcement takes down the Redline infostealer
• Someone steals Fed crypto… and then tries to quietly sneak it back in
• Russia sentences REvil guys to … jail? Really?
• Apple private cloud compute gets a proper bug bounty program
• And much, much more.

This week’s episode is sponsored by Material Security, who help navigate the mess of cloud productivity data security. Daniel Ayala - Chief Security and Trust Officer at Dotmatics - is a Material customer, and joins Pat and Material Security’s Rajan Kapoor to talk about how to wrangle securing data that ends up in corporate cloud email and file stores.

This episode is also available on Youtube.

Show notes

• Apple 10 day certificates
• Chinese hackers said to have collected audio of American calls
• U.S. Panel to Probe Cyber Failures in Massive Chinese Hack of Telecoms
• How a series of opsec failures led US authorities to the alleged developer of the Redline password-stealing malware
• Operation Magnus
• Hacker Returns $19.3 Million to Drained US Government Crypto Wallet
• Meet ZachXBT, the Masked Vigilante Tracking Down Billions in Crypto Scams and Thefts | WIRED
• Radar systems in Iran breached prior to Israel's Saturday counter-strike - report
• Delta sues CrowdStrike after widespread IT outage that caused thousands of cancellations
• Tens of thousands of taxpayer accounts hacked as CRA repeatedly paid out millions in bogus refunds
• Microsoft CEO asked board to cut pay in connection with security overhaul | Cybersecurity Dive
• Four REvil members sentenced to more than four years in prison
• Russia says it might build its own Linux community after removal of several kernel maintainers
• Nigerian court drops charges against detained Binance executive Tigran Gambaryan
• Apple will pay security researchers up to $1 million to hack its private AI cloud | TechCrunch
• SonicWall firewalls the common access point in spreading ransomware campaign | Cybersecurity Dive
• Fortinet zero-day attack spree hits at least 50 customers | Cybersecurity Dive
• Cisco warns actively exploited CVE can lead to DoS attacks against VPN services | Cybersecurity Dive
• Chinese influence operation targets US down-ballot races, Microsoft says | Reuters
• Exclusive: Accused Iranian hackers successfully peddle stolen Trump emails | Reuters
• Viral video of ripped-up Pennsylvania ballots is fake and Russian-made, intelligence agencies say
• Product Demo: Securing M365 and Google Workspace with Material Security

In this Soap Box edition of the podcast Patrick Gray chats with Thinkst Canary founder Haroon Meer about his “decade of deception”, including:

• A history of Thinkst Canary including a recap of what they actually do
• A look at why they’re still really the only major player in the deception game
• A look at what companies like Microsoft are doing with deception
• Why security startups should have conference booths

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

• SEC fines tech firms for downplaying the Solarwinds hacks
• Anonymous Sudan still looks and quacks like a Russian duck
• Apple proposes max 10 day TLS certificate life
• Oopsie! Microsoft loses a bunch of cloud logs
• Veeam and Fortinet are bad and should feel bad
• North Koreans are good (at hacking)
• And much, much more.

This week’s episode is sponsored by Proofpoint. Chief Strategy Officer Ryan Kalember joins to talk about their work keeping up with prolific threat actor SocGholish.

This episode is also available on Youtube.

Show notes

• Four cyber companies fined for SolarWinds disclosure failures
• U.S. charges Sudanese men with running powerful cyberattack-for-hire gang
• Hacker Charged With Seeking to Kill Using Cyberattacks on Hospitals | WIRED
• Risky Biz News: Anonymous Sudan's Russia Links Are (Still) Obvious
• Microsoft confirms partial loss of security log data on multiple platforms | Cybersecurity Dive
• Risky Biz News: Apple wants to reduce the lifespan of TLS certificates to 10 days
• Encrypted Chat App ‘Session’ Leaves Australia After Visit From Police
• Crypto platform Radiant Capital says $50 million in digital coins stolen following account compromises
• North Korean hackers use newly discovered Linux malware to raid ATMs - Ars Technica
• Brazil Arrests ‘USDoD,’ Hacker in FBI Infragard Breach – Krebs on Security
• Here’s how SIM swap in alleged bitcoin pump-and-dump scheme worked - Ars Technica
• Critical Veeam CVE actively exploited in ransomware attacks | Cybersecurity Dive
• FortiGate admins report active exploitation 0-day. Vendor isn’t talking. - Ars Technica
• Hackers reportedly impersonate cyber firm ESET to target organizations in Israel
• The latest in North Korea’s fake IT worker scheme: Extorting the employers

On this week’s show Patrick Gray and Adam Boileau discuss the week’s infosec news, including:

• Chinese spooks all up in western telco lawful intercept
• Jerks ruin the Internet Archive’s day
• Microsoft drops a great report with a bad chart
• The feds make their own crypto currency and get it pumped
• Forti-, Palo- and Ivanti-fail
• And much, much more.

This week’s episode is sponsored by detection-as-code vendor Panther. Casey Hill, Panther’s Director Product Management joins to discuss why the old “just bung it all in a data lake and… ???… “ approach hasn’t worked out, and what smart teams do to handle their logs.

This episode is also available on [Youtube].(https://youtu.be/86zy6DcwtbE)

Show notes

• White House forms emergency team to deal with China espionage hack - The Washington Post
• DDoS attacks on Internet Archive continue after data breach impacting 31 million
• Microsoft Digital Defense Report 2024
• Ransomware encryption down amid surge of attacks, Microsoft says | CyberScoop
• Russian court websites down after breach claimed by pro-Ukraine hackers
• Ukrainian anti-corruption agency reportedly finds no violations in disclosures of top cyber official
• Trump campaign turns to secure hardware after hacking incident | Reuters
• FBI creates its own crypto token to nab suspects in alleged fraud scheme
• District of Massachusetts | Eighteen Individuals and Entities Charged in International Operation Targeting Widespread Fraud and Manipulation in the Cryptocurrency Markets | United States Department of Justice
• Critical CVE in 4 Fortinet products actively exploited | Cybersecurity Dive
• Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024
• Palo Alto Expedition: From N-Day to Full Compromise
• Ivanti up against another attack spree as hackers target its endpoint manager | Cybersecurity Dive
• 1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies · GitHub
• Recently-patched Firefox bug exploited against Tor browser users
• Two never-before-seen tools, from same group, infect air-gapped devices - Ars Technica
• A Single Cloud Compromise Can Feed an Army of AI Sex Bots – Krebs on Security
• Opinion | The Cyber Sleuth - Washington Post

In this edition of Snake Oilers we hear pitches from three security vendors:

• Sandfly Security: An agentless Linux security platform that actually sounds very cool
• Permiso: An identity security platform founded by ex FireEye folks
• Wiz: The cloud security giant is getting in on code security scanning

You can watch this edition of Snake Oilers on YouTube here.

Patrick Gray and Adam Boileau discuss the week’s infosec news with everyone’s favourite ex-NSA big-brain, Rob Joyce. They talk through:

• Musk and Durov bow to government pressure
• Tiktok rushes to ban authoritarian propagandists
• The US doesn’t want Chinese software in its cars
• Kaspersky replaces itself with an AV no one has ever heard of
• Aussie police chalk up another crimephone takedown
• Press Win-R Ctrl-V to prove you’re human
• And much, much more.

This week’s show is brought to you by Stairwell, and Stairwell’s founder Mike Wiacek will be along to talk about how people are using their platform to hunt down detection resistant malware.

A video version of this episode is also available on Youtube.

Show notes

• Elon Musk backs down in his fight with Brazilian judges to restore X | Elon Musk | The Guardian
• Telegram says it will share phone numbers and IP addresses of ‘bad actors’ to authorities
• Jane Lytvynenko on X: "Ukrainian cybersecurity officials are limiting the use of Telegram for military, critical infrastructure, and other authorities. Budanov said he has “substantiated data” on Ru authorities having access to personal messages on TG, including removed ones. https://t.co/xOcnf7am9R" / X
• TikTok blocks dozens of Kremlin-backed media accounts
• Biden administration proposes rule banning Chinese, Russian connected vehicles and parts
• Some Kaspersky customers receive surprise forced-update to new antivirus software | TechCrunch
• Russian cyber firm Dr.Web says services are restored after ‘targeted cyberattack’
• Police announce takedown and arrest mastermind behind criminal comms platform 'Ghost'
• Turning Everyday Gadgets into Bombs is a Bad Idea « bunnie's blog
• Iranian-linked election interference operation shows signs of recent access | CyberScoop
• Republicans demand FBI hearing on Iran theft of Trump documents
• Ermittlungen im Darknet: Strafverfolger hebeln Tor-Anonymisierung aus | tagesschau.de
• DOJ charges hackers for stealing $230 million in crypto from individual
• This Windows PowerShell Phish Has Scary Potential – Krebs on Security
• You can now use Apple’s best iPhone Mirroring feature on your Mac and iPhone | TechRadar

On this week’s show, Patrick Gray and Adam Boileau discuss the weeks security news, including:

• Hezbollah’s attempts to avoid SIGINT with pagers ends in explosions
• The US shines many bright lights on RT’s disinfo role
• Australia counters Chinese bullying in the Pacific
• Valid accounts are the most prevalent entry point, says CISA’s data
• Ivanti and Fortinet vie for worst vendor of the week
• Krebs writes up the shift towards charging The Com with terrorism
• And much, much more…

This week’s episode is sponsored by Push Security, who bring security visibility to where it needs to be these days – the browser. Luke Jennings joins this week’s show to discuss how phish-kit crews are driving the arms race forward, and how detection has to adapt and go where the users are.

This episode is also available on Youtube.

Show notes

• Israel planted explosives in Hezbollah's Taiwan-made pagers, sources say | Reuters
• How Hezbollah used pagers and couriers to counter Israel's high tech surveillance | Reuters
• Biden administration unveils new evidence of RT’s key role in Russian intelligence operations globally | CNN Politics
• Meta bans RT days after U.S. accused Russian outlet of disinformation
• U.S. to file charges in Trump campaign hacking case, officials say
• China suspected of hacking diplomatic body for Pacific islands region
• Chinese-made port cranes in US included 'backdoor' modems, House report says
• Stolen account info still chief risk for federal agencies, annual CISA audit finds
• Notice of Recent Security Incident | Fortinet Blog
• WordPress.org to require two-factor authentication for plugin developers | CyberScoop
• Multiple attacks force CISA to order agencies to upgrade or remove end-of-life Ivanti appliance
• Ivanti Endpoint Manager and Ivanti Endpoint Manager Security Suite and Ivanti Cloud Service Application (CSA) - End Of Life (EOL)
• The Dark Nexus Between Harm Groups and ‘The Com’ – Krebs on Security
• Feds sentence 12 crypto thieves behind SIM swaps, home invasions
• Ex-CrowdStrike employees detail rising technical errors before July outage | Semafor
• Post-CrowdStrike Fallout: Microsoft Redesigning EDR Vendor Access to Windows Kernel - SecurityWeek
• Apple seeks dismissal of its NSO Group lawsuit, citing risk of exposing ‘vital security information’
• US hits Intellexa spyware maker with more sanctions
• (1) BolivarCucuta on X: "Encuentran muerto al ciudadano israelí Yariv Bokor en Medellín En un apartamento de El Poblado, Medellín, fue encontrado sin vida el ciudadano israelí Yariv Bokor, con aparentes signos de violencia. Bokor estaba vinculado a la empresa Sandvine, la cual tiene relación con NSO https://t.co/EeY1os1omW" / X
• Instagram to bolster privacy and safety features for millions of teen users
• Mastercard buys Recorded Future for $2.65 billion | CyberScoop

On this week’s show, Patrick Gray and Adam Boileau discuss the weeks security news, including:

• Russia’s disinformation peddlers face multifaceted sternness from the DoJ
• Telegram is now law enforcement’s bestest new pal, all of a sudden
• Iran’s banking industry arranges a payment plan for a ransom
• Columbia investigates how it sent private jets full of cash to pay for Pegasus
• Microsoft innovates with Un-Patch Tuesday
• And much, much more.

This week’s sponsor is Kroll Cyber, and one of their incident responders Paul Wells joins to discuss that one weird trick that actually helps - preparing for an incident before hand, rather than learning all those hard lessons in the middle of a crisis.

This week’s episode is also available on Youtube.

Show notes

• Risky Biz News: Doppelganger gets a kick in the butt from Uncle Sam
• Russia focusing on American social media stars to covertly influence voters | Reuters
• Russian pro-democracy nonprofit investigates alleged data breach by Kremlin-backed hackers
• Biden administration hits Russia with sanctions over efforts to manipulate U.S. opinion ahead of the election
• US hits Chinese companies with new sanctions over Russia-Ukraine war
• Elon Musk’s Starlink backtracks to comply with Brazil’s ban on X | Elon Musk | The Guardian
• Why It's So Hard to Fully Block X in Brazil | WIRED
• Durov says Telegram will tackle criticism of how it moderates content | Reuters
• Navalny allies accuse Telegram and other platforms of censorship | Economy News | Al Jazeera
• How India tamed Twitter and set a global standard for online censorship - The Washington Post
• 2 white supremacists tried to spark race war by soliciting murder and hate crimes on Telegram, feds say
• Matthew Garrett: "Why clone a yubikey when you c…" - Nondeterministic Computer
• Iran pays millions in ransom to end massive cyberattack on banks, officials say – POLITICO
• Four Delaware men charged in international sextortion scheme that netted nearly $2 million | CyberScoop
• Colombian president suggests prior administration illegally sent $11 million in cash to Israel for spyware
• Poland’s constitutional court finds commission investigating use of Pegasus spyware unconstitutional | Notes From Poland
• CISA says SonicWall bug being exploited as experts warn of ransomware gang use
• SonicWall SSLVPN access control flaw is now exploited in attacks
• Bug Left Some Windows PCs Dangerously Unpatched – Krebs on Security

In this edition of Snake Oilers Patrick Gray gets pitches from three cybersecurity companies:

• Authentik, an open source identity provider that a lot of large organisations are deploying on prem as an alternative to cloud-based IDPs
• Dropzone AI, an LLM-based agent that can do the work of a Tier 1 SOC analyst
• SlashID, an identity security company that can crunch your logs to find attackers

You can watch this edition of Snake Oilers on YouTube here.

Show notes

• Welcome | authentik
• Dropzone AI: Reinforce your SOC with AI Analysts
• The identity stack to protect users and non-human identities | SlashID

On this week’s show, Patrick Gray and Adam Boileau discuss the weeks security news, including:

• Brazil’s supreme court bans X-formerly-Twitter,
• Iranian cyber teams cooperate with ransomware crews
• While North Koreans wield chrome-windows 0-day
• Yubikey cloning attack is impressive, but doesn’t have us binning our keys quite yet
• The White House is coming for your unsigned BGP announcements
• And much, much more.

This week’s episode is sponsored by Okta, and specifically their Identity Security Posture Management product. Okta recently acquired Spera Security, and co-founder Ariel Kadyshevitch joins to talk through the messy reality of modern identity. Pat even gets the giggles at how terrible everything is!

You can also watch this episode on Youtube.

Show notes

• Brazil X ban: Top court judges uphold block of Musk's platform
• Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations | CISA
• Malicious North Korean packages appear again in open source code repository
• North Korean threat actor Citrine Sleet exploiting Chromium zero-day | Microsoft Security Blog
• SEC.gov | SEC Charges Transfer Agent Equiniti Trust Co. with Failing to Protect Client Funds Against Cyber Intrusions
• Chinese ‘Spamouflage’ operatives are mimicking disillusioned Americans online
• Researchers uncover ‘SlowTempest’ espionage campaign within China
• City of Columbus sues man after he discloses severity of ransomware attack | Ars Technica
• Bypassing airport security via SQL injection
• Cyberattack hits agency responsible for London’s transport network
• German air traffic control agency confirms cyberattack, says operations unaffected
• White House calls attention to ‘hard problem’ of securing internet traffic routing
• Cambodian scam giant handled $49 billion in crypto transactions since 2021, researchers say
• YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel | Ars Technica
• CrowdStrike takes a revenue hit as global IT outage reckoning lingers | Cybersecurity Dive
• Owners of 1-Time Passcode Theft Service Plead Guilty – Krebs on Security

On this week’s show, Patrick Gray and Adam Boileau discusses the week’s security news, including:

• Telegram founder’s arrest in France
• Volt Typhoon 0days some SD-WAN gear
• Russia frets about Ukraine all up in Kursk’s webcams
• Cybercriminals social engineer payment card NFC relay attacks in the wild
• The slow burn of Active Directory name collisions
• And much, much more.

This week’s episode is sponsored by Nucleus Security. Aaron Unterberger joins to discuss how vulnerability management starts out easy, but gets serious very quickly.

You can also watch this week’s show on Youtube.

Show notes

• Pavel Durov: Telegram CEO's arrest part of larger investigation
• Keep Pavel Durov LOCKED UP
• Internet mogul Kim Dotcom to be extradited to the US, NZ justice minister says
• New 0-Day Attacks Linked to China’s ‘Volt Typhoon’ – Krebs on Security
• Oil industry giant Halliburton confirms 'issue' following reported cyberattack
• Seattle airport confronts 4th day of cyberattack outages | Cybersecurity Dive
• Russia calls for restrictions on surveillance cameras, dating apps in cities under attack from Ukraine
• In a Kyiv hangar, Ukraine launches a cyber range for everyone
• U.S. military, on Tinder, says to swipe left on Iran-backed militants - The Washington Post
• CISA officials credit Microsoft security log expansion for improved threat visibility | Cybersecurity Dive
• Suspect in $14 billion cryptocurrency pyramid scheme extradited to China
• Android malware used to steal ATM info from customers at three European banks
• Novel technique allows malicious apps to escape iOS and Android guardrails | Ars Technica
• Local Networks Go Global When Domain Names Collide – Krebs on Security
• Attack tool update impairs Windows computers
• SonicWall pushes patch for critical vulnerability in SonicOS platform | CyberScoop
• “YOLO” is not a valid hash construction

Mike Burgess is the director general of ASIO. But the thing about Mike is he’s actually a cybersecurity guy. He joined ASD, Australia’s NSA, back in 1995 when it was still the Defence Signals Directorate. He was there for 18 years before he bounced out to the private sector for a while to work as the CISO for Australia’s largest telco, Telstra. In 2017 he returned to ASD to run it, and in 2019 he was appointed director general of ASIO.

Back in April, Burgess made a series of comments on the topic of encrypted messaging during a Press Club speech in Canberra. Our right to privacy, he said, is not absolute, and he implied that if certain providers didn’t start helping Australian authorities out a little more, he’d use some of the provisions in Australia’s Assistance and Access bill to force them to provide access to certain content.

So I reached out to organise this interview to get some more detail from him about exactly what sort of cooperation he’s seeking and why.

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s security news including:

• Microsoft did a good thing! Soon all Azure admins will require MFA
• The three billion row National Public Data breach mess, courtesy Florida Man
• US govt confirms that it was Iran that hacked the Trump campaign
• Is TP-Link the next Huawei, or just not very good at computers?
• Major Chinese RFID card maker has hardcoded backdoors
• And much, much more.

This week’s episode is sponsored by Specter Ops, makers of Bloodhound Enterprise. VP of Products Justin Kohler joins to talk about how they’ve joined their on-prem AD and cloud Entra attack path graphs, so you can map out that juicy, real-world attack surface.

Show notes

• Announcing mandatory multi-factor authentication for Azure sign-in | Microsoft Azure Blog
• phishing resistant mfa - Google Search
• Microsoft will require MFA for all Azure users
• NationalPublicData.com Hack Exposes a Nation’s Data – Krebs on Security
• National Public Data Published Its Own Passwords – Krebs on Security
• Bloomberg Law
• How the government's proposed 'Trust Exchange' digital ID scheme would work - ABC News
• German Cyber Agency Wants Changes in Microsoft, CrowdStrike Products After Tech Outage - WSJ
• Joint ODNI, FBI, and CISA Statement on Iranian Election Influence Efforts — FBI
• Crypto firm says hacker locked all employees out of Google products for four days
• ZachXBT on X: "Seven hours ago a suspicious transfer was made from a potential victim for 4064 BTC ($238M)" / X
• Bitcoin News Today: $238 Million Bitcoin Heist Linked to Genesis Global Trading
• Routers from China-based TP-Link a national security threat, US lawmakers claim
• Hardware backdoors found in Chinese smart cards
• Unmasking Styx Stealer: How a Hacker's Slip Led to an Intelligence Treasure Trove - Check Point Research
• Hardware backdoors found in Chinese smart cards
• Man who hacked Hawaii state registry to forge his own death certificate sentenced to 81 months

In this conversation Risky Business host Patrick Gray speaks with SentinelOne’s Chris Krebs and Alex Stamos about what sort of cyber enabled interference we can expect in the 2024 US presidential race.

Alex was the CISO at Facebook during the 2016 election, and Chris Krebs was responsible for US election security as the director of CISA in 2020.

Watch the video version of this episode on Youtube.

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s security news and recap the best research presented at Black Hat and DEF CON in Las Vegas last week. They cover:

• Iran tries an election hack’n’leak like its still 2016
• Crowdstrike takes home the Pwnie for Epic Fail at DEF CON
• UK healthcare SaaS faces six million pound fine for lack of MFA
• US circuit courts disagree on geofence warrants
• Our roundup of juicy Blackhat/DEF CON research
• And much, much more.

This week’s episode is sponsored by Trail of Bits. CEO Dan Guido is fresh back from the DARPA AI Cyber Challenge at DEF CON, where the Trail of Bits team moved through into the finals. Dan talks through the challenge of finding, reporting and fixing bugs with AI systems.

You can also watch this week’s show on Youtube.

Show notes

• Trump campaign points finger at Iranian hackers for documents leak
• FBI says it's investigating efforts to hack Trump and Biden-Harris campaigns
• Iranian hackers ramping up US election interference, Microsoft warns
• State Dept puts $10 million bounty on IRGC-CEC hackers
• CrowdStrike snafu was a ‘dress rehearsal’ for critical infrastructure disruptions, CISA director says | Cybersecurity Dive
• Dominic White 👾 on X: "CrowdStrike accepting the @PwnieAwards for “most epic fail” at @defcon. Class act. https://t.co/e7IgYosHAE" / X
• Russia's Kursk region suffers 'massive' DDoS attack amid Ukraine offensive
• Elon Musk on X: "@markpinc Yeah" / X
• Progress Software says SEC declines to pursue action related to MOVEit exploitation spree | Cybersecurity Dive
• NHS software supplier Advanced faces £6m fine over ransomware attack failings
• Security bugs in ransomware leak sites helped save six companies from paying hefty ransoms | TechCrunch
• 5th Circuit rules geofence warrants illegal in win for phone users’ privacy | Ars Technica
• Customs and Border Protection agents need a warrant to search your phone - The Verge
• Hackers could spy on cell phone users by abusing 5G baseband flaws, researchers say | TechCrunch
• ‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections | WIRED
• Downgrade Attacks Using Windows Updates | SafeBreach
• Listen to the whispers: web timing attacks that actually work | PortSwigger Research
• Bucket Monopoly: Breaching AWS Accounts Through Shadow Resources
• Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! | DEVCORE
• Trail of Bits Advances to AIxCC Finals | Trail of Bits Blog

In this sponsored Soap Box edition of the show we talk to Proofpoint’s Chief Strategy Officer Ryan Kalember about making security tech more people centric.

We often talk about how we can use signals from users to drive some of our security tech. But what about using our security tech to drive user behaviour?

Ryan thinks there are some opportunities here, particularly around identity security.

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s security news, including:

• Crowdstrike talks loud in its postmortem, but says very little
• Digicert fears the CA-Browser Forum, gets lawsuit from a customer
• Dmitri Alperovitch joins the show to talk about the Russian prisoner swap
• Cloudflare continues to harbour scum and villainy
• Professional ransomware crew … is an improvement?
• And much, much more.

This week’s episode is sponsored by Thinkst Canary. Marko Slaviero joins to discuss the unfashionable choice they made in hosting their platform one-VM-per-customer.

Show notes

• CrowdStrike investors file class action suit following global IT outage | Cybersecurity Dive
• CrowdStrike rebukes Delta’s negligence claims in fiery letter | Cybersecurity Dive
• Channel-File-291-Incident-Root-Cause-Analysis-08.06.2024.pdf
• Sparks fly when lawyers meet a certificate revocation
• crt.sh | Alegeus
• U.S. releases Russian hackers in Evan Gershkovich prisoner swap
• U.S. Trades Cybercriminals to Russia in Prisoner Swap – Krebs on Security
• Who are the two major hackers Russia just received in a prisoner swap? | Ars Technica
• Hackers remotely wipe 13,000 students’ iPads and Chromebooks after breaching safety software
• Mobile Guardian Device Management Application to be removed | MOE
• Ford wants patent for tech allowing cars to surveil and report speeding drivers
• I'm Sorry, Dave, You're Speeding | WIRED
• Cloudflare once again comes under pressure for enabling abusive sites | Ars Technica
• Low-Drama ‘Dark Angels’ Reap Record Ransoms – Krebs on Security
• Bumble and Hinge allowed stalkers to pinpoint users’ locations down to 2 meters, researchers say | TechCrunch
• Unfashionably secure: why we use isolated VMs – Thinkst Thoughts
• Defending AI Model Files from Unauthorized Access with Canaries | NVIDIA Technical Blog

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s security news, including:

• The insurance industry’s reaction to CrowdStrike’s mess
• Google’s Workspace email validation flaw and its consequences for OAuth’d applications
• Is the VMWare ESX group membership feature a CVE or an FYI?
• Secureboot continues to under-deliver
• North Korea’s revenue neutral intelligence services
• And much, much more

This episode is sponsored by allowlisting software vendor Airlock Digital. Airlock uses a kernel driver on Windows, so Chief Executive David Cottingham joined to discuss what the CrowdStrike kernel driver bug drama means for security vendors.

This episode is also available on Youtube. If you want to ruin the magic of radio and see the faces behind the show, well, now you can!

Show notes

• Business interruption claims will drive insurance losses linked to CrowdStrike IT disruption | Cybersecurity Dive
• Delta hires David Boies to seek damages from CrowdStrike, Microsoft
• CrowdStrike disruption direct losses to reach $5.4B for Fortune 500, study finds | Cybersecurity Dive
• (1145) Why CrowdStrike's Baffling BSOD Disaster Was Avoidable - YouTube
• CrowdStrike offers a $10 apology gift card to say sorry for outage | TechCrunch
• Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services – Krebs on Security
• Hackers exploit VMware vulnerability that gives them hypervisor admin | Ars Technica
• Microsoft calls out apparent ESXi vulnerability that some researchers say is a ‘nothing burger’ | CyberScoop
• AMI Platform Key leak undermines Secure Boot on 800+ PC models
• Chrome will now prompt some users to send passwords for suspicious files | Ars Technica
• Google Online Security Blog: Improving the security of Chrome cookies on Windows
• A Senate Bill Would Radically Improve Voting Machine Security | WIRED
• U.S. told Philippines it made ‘missteps’ in secret anti-vax propaganda effort | Reuters
• Cyber firm KnowBe4 hired a fake IT worker from North Korea | CyberScoop
• North Korean hacker used hospital ransomware attacks to fund espionage | CyberScoop
• North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
• North Korean hacking group makes waves to gain Mandiant, FBI spotlight | CyberScoop
• ServiceNow spots sales opportunities post-CrowdStrike outage | Cybersecurity Dive
• Chaining Three Bugs to Access All Your ServiceNow Data
• Cyber Supply Chain Risk Management Conference (CySCRM) 2024 | Conference | PNNL

In this episode of Wide World of Cyber, Risky Business host Patrick Gray discusses the recent CrowdStrike incident and its implications for security software that operates in kernel space with Chris Krebs and Alex Stamos of SentinelOne, a CrowdStrike Competitor. The conversation also delves into Microsoft’s role in this whole disaster and the potential changes it could make to its operating system to prevent similar incidents in the future.

A video version of this episode is also available on Youtube!

The Risky Biz main show returns from a break to the traditional internet-melting mess that happens whenever Patrick Gray takes a holiday. Pat and Adam Boileau talk through the week’s security news, including:

• Oh Crowdstrike, no, oh no, honey, no
• AT&T stored call records on Snowflake and you’ll never guess what happened next
• Squarespace buys Google Domains and makes a hash of it
• Some but not all of the SECs case against Solarwinds gets thrown out
• Pity the incident responders digging through a terabyte of Disney Slack dumps
• Internet Explorer rises from the grave, and it wants SHELLS RAAAAARGH SSHHEEELLLS
• And much, much more.

This week’s show is brought to you by Sublime Security, a flexible and modern email security platform. If you’re sick of using a black box email security solution, Sublime is a terrific option for you.

Show notes

• Risky Biz News: CrowdStrike faulty update affects 8.5 million Windows systems
• Low-level cybercriminals are pouncing on CrowdStrike-connected outage | CyberScoop
• CrowdStrike says flawed update was live for 78 minutes | Cybersecurity Dive
• Crooks Steal Phone, SMS Records for Nearly All AT&T Customers – Krebs on Security
• Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks – Krebs on Security
• Teenage suspect in MGM Resorts hack arrested in Britain
• Majority of SEC civil fraud case against SolarWinds dismissed, but core remains | Cybersecurity Dive
• How Russia-Linked Malware Cut Heat to 600 Ukrainian Buildings in Deep Winter | WIRED
• Kaspersky Lab Closing U.S. Division; Laying Off Workers
• Hackers Claim to Have Leaked 1.1 TB of Disney Slack Messages | WIRED
• Wallets tied to CDK ransom group received $25 million two days after attack | CyberScoop
• UnitedHealth’s cyberattack response costs to surpass $2.3B this year | Cybersecurity Dive
• Ransomware ecosystem fragmenting under law enforcement pressure and distrust
• Threat actors exploited Windows 0-day for more than a year before Microsoft fixed it | Ars Technica

This Soap Box edition of the show is with Mike Wiacek, the CEO and Founder of Stairwell.

Stairwell is a platform that creates something similar to an NDR, but for file analysis instead of network traffic. The idea is you get a copy of every unique file in your environment to the Stairwell platform, via a file forwarding agent. You get an inventory that lists where these files exist in your environment, at what times, and from there you can start doing analysis.

If you find a dodgy file you can do all the usual malware analysis type stuff, but you can also do things like immediately find out where else that file is in your organisation, or even where else it was. From there you can identify other files that are similar – variants of those files – and search for those. And you can unpack all this very, very quickly.

This is the type of tool that EDR companies use internally to do threat hunting, but it’s just for you and your org – you can drive it. And as you’ll hear, the idea of a transparent, customisable and programmable security stack is something that’s on-trend at the moment. Mike lays out the case that doing this sort of file analysis in your organisation makes a whole lot of sense.

In this podcast Alex Stamos, Chris Krebs and Patrick Gray discuss the relationship between cybercrime and the state, which is often more complicated than it should be.

While the US Government and its allies fight the scourge of ransomware, other governments are using it to either raise revenue or irritate their foes. North Korea sees ransomware as a money spinner, while the Kremlin enjoys poking the west in the eye with it.

Join us for a breakdown of the relationships between governments who should know better and the worst types of people on the planet.

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s security news, including:

• Widely used polyfill javascript gets hijacked by its new owners
• MacOS supply chain disaster bullet dodged
• That OpenSSH remote code exec OH MY <3
• Entrust gets its CA business kicked to the kerb by Google
• South Korean telco intentionally viruses 600k customers
• Microsoft continues to deeply underwhelm
• And much, much more.

This week’s episode is sponsored by Greynoise. Founder Andrew Morris joins to talk about ways to track attackers across NAT and VPNs, as well as how you can join in the fun of running an internet-scale honeypot network.

Show notes

• Polyfill, Cloudflare trade barbs after reports of supply chain attack threatening 100k websites
• 3 million iOS and macOS apps were exposed to potent supply-chain attacks
• regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems (CVE-2024-6387)
• Google Online Security Blog: Sustaining Digital Certificate Security - Entrust Certificate Distrust
• TeamViewer: Hackers copied employee directory data and encrypted passwords
• South Korean telecom company attacks customers with malware — over 600,000 torrent users report missing files, strange folders, and disabled PCs | Tom's Hardware
• CDK eyes service restoration for all car dealers by Fourth of July
• ‘I don’t see it happening’: CISA chief dismisses ban on ransomware payments
• Patelco Credit Union ransomware attack halts banking services for nearly half a million members
• LockBit claims cyberattack on Croatia’s largest hospital
• Inside a Violent Gang's Ruthless Crypto-Stealing Home Invasion Spree
• Suspected Chinese gov’t hackers used ransomware as cover in attacks on Brazil presidency, Indian health org
• Nearly 4,000 arrested in global police crackdown on online scam networks
• USD 257 million seized in global police crackdown against online scams
• Microsoft alerts additional customers of state-linked threat group attacks
• Midnight Blizzard Microsoft Email Data Sharing Request: Legit? : r/Office365
• Polish Parliament strips official of immunity, clearing path for prosecution in spyware scandal
• Stolen credentials could unmask thousands of darknet child abuse website users
• WA man set up fake free wifi at Australian airports and on flights to steal people’s data, police allege
• Bytecode Breakdown: Unraveling Factorio's Lua Security Flaws
• iOS 17 lockdown mode blocking CarPlay? : r/ios

This is a sponsored Soap Box edition of the Risky Business podcast.

Abhishek Agrawal is the CEO and co-founder of Material Security, an email security company that locks down cloud email archives. Attackers have been raiding mailspools since hacking has existed, and with those mailspools now in the cloud with services like o365 and Google Workspace, guess where the attackers are going?

Material built a product that helps you lock up your email data, to archive and redact sensitive information. The idea is to really just limit what an attacker can do with email data if they pop an account.

Abhishek joined me to talk about a few things, like how non phishing resistant MFA is basically dead, how email content is very useful to security programs, and about how the gen AI won’t really change much on the defensive control side.

On this week’s show, Patrick Gray and Adam Boileau discuss the week’s security news, including:

• Julian Assange finally cuts a deal, pleads guilty, and goes free
• USA to ban Kaspersky - even updates
• Car dealer SaaS provider CDK contemplates paying a ransom
• Intolerable healthcare ransomware attacks continue
• We revisit Windows proximity bugs via wifi and bluetooth
• And much, much more.

This week’s episode is sponsored by enterprise browser maker Island. Crowdstrike co-founder Dmitri Alperovitch is an investor in Island, and joins on its behalf to discuss why an enterprise browser is really starting to make sense.

Show notes

• Julian Assange released from prison and has left UK, WikiLeaks says
• US to ban Kaspersky Lab software nationwide later this year
• Cyberattack on CDK Global stymies work at car dealerships across US
• Almost 200 cancer operations postponed as ransomware group publishes London hospitals data
• UK government weighs action against Russian hackers over NHS records theft
• South Africa’s national health lab hit with ransomware attack amid mpox outbreak
• Ransomware victims are becoming less likely to pay up | Cybersecurity Dive
• Lawmakers in Philippines push for probe into Pentagon's anti-vax propaganda operation | Reuters
• Telegram says it has 'about 30 engineers'; security experts say that's a red flag | TechCrunch
• Two bluetooth vulnerabilities in Windows
• Thread on reversing the patch
• Basic concept for the latest windows wifi driver CVE

On this week’s retreat special, the entire Risky Business team is together in a tropical paradise for the first time. The team takes a break from the infinity pool to discuss the week’s security news:

• Microsoft recalls Recall, but why did it have to be such a mess
• And a Windows kernel wifi code-exec, really?
• Passkeys and identity are hard
• Scattered Spider bigwig arrested in Spain
• The pentagon runs a deeply flawed info-op
• Is it time E2E crypto nerds accept their place in the world?
• And much, much more.

This week’s show is brought to you by Corelight… Corelight’s CEO Brian Dye will be along in this week’s sponsor interview to make a really compelling case for something that shouldn’t exist… which is NDR in cloud environments.

Show notes

• Microsoft shelves Recall feature release after security uproar
• Microsoft’s Recall puts the Biden administration’s cyber credibility on the line | CyberScoop
• Microsoft’s cybersecurity vulnerabilities endanger America
• US lawmakers grill Microsoft president over China ties, hacks | Reuters
• Microsoft Refused to Fix Flaw Years Before SolarWinds Hack — ProPublica
• CVE-2024-30078 - Security Update Guide - Microsoft - Windows Wi-Fi Driver Remote Code Execution Vulnerability
• Security bug allows anyone to spoof Microsoft employee emails | TechCrunch
• Patrick Gray on X: "I was wrong about some things I said about iCloud accounts in this week’s show and I’ll tell you all exactly how I was wrong in next week’s show"
• Passkeys in Microsoft Authenticator and Entra ID
• Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake | WIRED
• MFA plays a rising role in major attacks, research finds | Cybersecurity Dive
• Luke Jennings on LinkedIn: saas-attacks/techniques/ghost_logins/description.md at main ·…
• Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested – Krebs on Security
• EXPOSED: Identities of Iranian Hackers Targeting Israel and Other Countries Revealed | Matzav.com
• Ransomware attackers quickly weaponize PHP vulnerability with 9.8 severity rating | Ars Technica
• Windows flaw may have been exploited with Black Basta ransomware before it was patched
• Crown Equipment Corporation victim of a Ransomware attack | Born's Tech and Windows World
• City governments in Michigan, New York face shutdowns after ransomware attacks
• Cleveland confirms ransomware attack as City Hall remains closed
• Authorities investigating extended ‘network outage’ at organization that runs TheBus
• Pentagon ran secret anti-vax campaign to incite fear of China vaccines
• Shashank Joshi on X: "Just finished “Information Operations”, a new book by @TathamSteve. Includes this anecdote on a British effort to stop children throwing stones at a base in Afghanistan. “LRGR was the abbreviation for the Long-Range Gonad Reducer.” https://t.co/zmoxb45Cgz"
• Dmitri Alperovitch on X: "@shashj They also allegedly hacked the email of the lieutenant leading the medical service of the 960th unit and retrieved the medical certificates of 150 officers and enlisted personnel"
• Signal president Meredith Whittaker criticizes EU attempts to tackle child abuse material

On this week’s show Patrick Gray and Adam Boileau are joined by long-time NSA boffin Rob Joyce. Now Rob’s left the government service, he’s hobnobbing with us pundits, talking through the week’s news:

• Apple announces a big leap for confidential cloud computing into the mass market
• While at the same time, letting you just mosey around your iPhone from your Mac
• Mandiant reports in about the Snowflake breach
• Moody’s say credit ratings might consider cyber incidents
• Microsoft fixes an Azure flaw with a… “comprehensive documentation update”
• And much, much more.

This week’s show is sponsored by Yubico, maker of the Yubikey hardware authentication token. Jerrod Chong, Yubico’s COO and President joins to talk about the challenges of the passkey and hardware authenticator ecosystem.

Show notes

• Apple makes a password manager play in a heavily targeted market | Cybersecurity Dive
• macOS Sequoia takes productivity and intelligence on Mac to new heights - Apple
• The Wiretap: Apple’s AI Announcement Promises Big Security Boosts–Not Everyone Is Convinced
• Matthew Green on X: "Ok there are probably half a dozen more technical details in the blog post. It’s a very thoughtful design. Indeed, if you gave an excellent team a huge pile of money and told them to build the best “private” cloud in the world, it would probably look like this. 14/" / X
• Risky Biz News: Microsoft budges on Windows 11 Recall
• Tenable finds an Azure flaw, Microsoft calls it a feature • The Register
• LendingTree confirms that cloud services attack potentially affected subsidiary
• Hackers steal “significant volume” of data from hundreds of Snowflake customers | Ars Technica
• 7,000 LockBit decryption keys now in the hands of the FBI, offering victims hope | Ars Technica
• Urgent call for O-type blood donations following London hospitals ransomware attack
• Darknet site for Qilin gang, suspected in London hospitals ransomware attack, goes down
• Cyberattacks pose mounting risks to creditworthiness: Moody’s | Cybersecurity Dive
• Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab
• FCC moves ahead on internet routing security rules | CyberScoop
• House Republicans propose eliminating funding for election security | CyberScoop
• New DJI policy: No flight record syncing for US drone pilots
• Semiconductor giants Nvidia and Arm warn of new flaws in their graphics processors
• Critical PHP CVE is under attack — research shows it’s easy to exploit | Cybersecurity Dive
• A US Company Enabled a North Korean Scam That Raised Money for WMDs | WIRED

On this week’s show Patrick Gray and Mark Piper discuss the week’s security news, including:

• What on earth happened at Snowflake?
• A look at operation Endgame
• Check Point’s hilarious adventures with dot dot slash
• Report says the FTC is looking at Microsoft’s security product bundling
• More ransomware hits Russia
• Much, much more

404 Media co-founder Joseph Cox is this week’s feature guest. He joins us to talk about his new book, Dark Wire, which is all about the FBI’s Anom sting.

This week’s show is brought to you by Resourcely. If your Terraform is a mess or your CSPM dashboards are lighting up with insane and stupid things, you should check out Resourcely. Its founder and CEO Travis McPeak will be along in this week’s sponsor interview to talk about all things Terraform.

Show notes

• The Snowflake breach and the need for mandatory MFA
• Snowflake at centre of world’s largest data breach | by Kevin Beaumont | Jun, 2024 | DoublePulsar
• Cloud company Snowflake denies that reported breach originated with its products
• ‘Operation Endgame’ Hits Malware Delivery Platforms – Krebs on Security
• Treasury Sanctions Creators of 911 S5 Proxy Botnet – Krebs on Security
• TikTok warns of exploit aimed at 'high-profile accounts’
• SEC clarifies intent of cybersecurity breach disclosure rules after initial filings | Cybersecurity Dive
• SEC.gov | Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents[*]
• Nurses at Ascension hospital in Michigan raise alarms about safety following ransomware attack
• London hospitals declare emergency following ransomware attack | Ars Technica
• North Korea’s ‘Moonstone Sleet’ using fake tank game, custom ransomware in attacks
• OpenAI models used in nation-state influence campaigns, company says
• National Vulnerability Database | NIST
• More than 600,000 routers knocked out in October by Chalubo malware
• Hackers steal $305M from DMM Bitcoin crypto exchange | TechCrunch
• Germany's main opposition party hit by ‘serious’ cyberattack
• Cyberattack disrupts operations of supermarkets across Russia
• Rare earths miner targeted in cyber attack prior to removal of Chinese investors - ABC News
• Check Point - Wrong Check Point (CVE-2024-24919)
• Kevin Beaumont: "The latest Risky Business epis…" - Infosec Exchange
• This Hacker Tool Extracts All the Data Collected by Windows’ New Recall AI | WIRED
• FTC-industry talks over possible Microsoft probe raised recent hacking incidents - Nextgov/FCW
• Tim Schofield 🏴󠁧󠁢󠁥󠁮󠁧󠁿 🇬🇧 🇪🇺🗺: "@riskybusiness @metlstorm I d…" - Infosec Exchange
• Dark Wire: The Incredible True Story of the Largest Sting Operation Ever: Cox, Joseph: 9781541702691: Amazon.com: Books
• Distant Field Labs

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Russian delivery company gets ransomware-wiper’d
• A supply-chain attack targets video software used in US courts
• Checkpoint firewalls get hacked, details as clear as mud
• Microsoft Recall delights hackers
• Aussie telco Optus gets told its IR report isn’t legal advice
• Cyber insurer says you’re 5x more likely to get rekt if you have a Cisco ASA
• And much, much more.

This week’s episode is sponsored by Kroll Cyber. Alex Cowperthwaite, Kroll’s technical director research and development for offence joins to talk about how his team attacks AI models, in ways both classic and new.

Show notes

• Major Russian delivery company down for three days due to cyberattack
• Stark Industries Solutions: An Iron Hammer in the Cloud – Krebs on Security
• CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack | Rapid7 Blog
• Check Point Software customers targeted by hackers using old, local VPN accounts | Cybersecurity Dive
• US pharma giant Cencora says Americans' health information stolen in data breach | TechCrunch
• Microsoft’s New Recall AI Tool May Be a ‘Privacy Nightmare’ | WIRED
• Kevin Beaumont: "I got ahold of the Copilot+ so…" - Cyberplace
• Kevin Beaumont: "For those who aren’t aware, Mi…" - Cyberplace
• Patrick Gray on X: "You know it’s coming… Microsoft Defender Advanced Security for Recall"
• Microsoft Edge for Business: Revolutionizing your business with AI, security and productivity - Microsoft Edge Blog
• Optus loses appeal to keep Deloitte report on cyberattack secret
• Optus says it will defend allegations it failed to protect confidential details of 9 million customers in cyber attack - ABC News
• Nearly 3 million affected by Sav-Rx data breach
• Spyware app pcTattletale was hacked and its website defaced | TechCrunch
• #F**kStalkerware pt. 6 - tattling on pcTattletale
• Spyware maker pcTattletale shutters after data breach | TechCrunch
• Jeremy Kirk: "Cyber insurer Coalition releas…" - Infosec Exchange
• Coalition_2024-Cyber-Claims-Report
• TikTok says it disrupted 15 influence operations this year — including one from China
• Israeli private eye accused of hacking was questioned about DC public affairs firm, sources say | Reuters
• RansomHub claims attack on Christie’s, the world’s wealthiest auction house
• Open-Source Assessments of AI Capabilities: The Proliferation of AI Analysis Tools, Replicating Competitor Models, and the Zhousidun Dataset
• Shashank Joshi on X: "Additionally, OpenAI will retain and consult with other safety, security, and technical experts to support this work, including former cybersecurity officials, Rob Joyce [@RGB_Lights], who advises OpenAI on security, and John Carlin."

This week’s episode was recorded in front of a live audience at AusCERT’s 2024 conference. Pat and Adam talked through:

• Google starts using security as a marketing tool against Microsoft, along with steep discounts
• Microsoft announces a creepy desktop recording AI
• UK govt proposes ransom payment controls
• Arizona woman runs a laptop farm for North Korea
• Julian Assange just keeps on with his malarky
• And much, much more

This week’s episode is sponsored by Tines. Its CEO Eoin Hinchy joins the show to talk about how AI can be genuinely useful in automation.

Show notes

• (1) Dina Bass on X: "Google is offering deep discounts to government and corporate customers to entice them to switch from Microsoft Office as it attacks Microsoft's cybersecurity over recent breaches, citing US gov't cybersecurity review board report https://t.co/43sIJmBWi5" / X
• Microsoft president set to testify before Congress on ‘security shortcomings’ | Cybersecurity Dive
• Chairman Green, Ranking Member Thompson Announce Microsoft President Will Testify on Company’s Security Shortcomings Following Hack of Government Accounts – Committee on Homeland Security
• Google leverages Microsoft’s cyber gaps to woo Workspace customers | Cybersecurity Dive
• CSRB report highlights the need for a new approach to security
• (1) vx-underground on X: "tl;dr Microsoft introduces 24/7 surveillance functionality for the NSA and/or CIA but markets it as a feature that you'll like" / X
• Everything You Need to Know About Windows 11's Recall Feature
• Australian government warns of 'large-scale ransomware data breach'
• (1) National Cyber Security Coordinator on X: "The Australian Government continues to assist MediSecure, an electronic prescriptions provider, respond to a cyber incident. We are still working to build a picture of the size and nature of the data that has been impacted by this data breach impacting MediSecure. This https://t.co/oyNeRonurZ" / X
• HHS offering $50 million for proposals to improve hospital cybersecurity
• Remote-access tools the intrusion point to blame for most ransomware attacks | Cybersecurity Dive
• UK insurance industry begins to acknowledge role in tackling ransomware
• Exclusive: UK to propose mandatory reporting for ransomware attacks and licensing regime for all payments
• Hacktivists turn to ransomware in attacks on Philippines government
• Arizona woman accused of helping North Koreans get remote IT jobs at 300 companies | Ars Technica
• US offers $5 million for info on North Korean IT workers involved in job fraud
• FCC might require telecoms to report on securing internet's BGP technology
• FCC to probe ‘grave’ weaknesses in phone network infrastructure
• EPA says it will step up enforcement to address ‘critical’ vulnerabilities within water sector
• EPA takes steps to address cybersecurity weaknesses at water utilities
• British signals agency to protect election candidates’ phones from cyberattacks
• Feds seize BreachForums platform, Telegram page
• Dark web narcotics market’s alleged leader arrested and charged in New York
• WikiLeaks’ Julian Assange Can Appeal His Extradition to the US, British Court Says | WIRED

In this podcast SentinelOne’s Chief Trust officer Alex Stamos and its Chief Intelligence and Public Policy Officer Chris Krebs join Patrick Gray to talk all about AI.

It’s been a year and a half since ChatGPT landed and freaked everyone out. Since then, AI has really entrenched itself as the next big thing. It’s popping up everywhere, and the use cases for cybersecurity are starting to come into focus.

Threat actors and defenders are using this stuff already, but it’s early days and as you’ll hear, things are really going to change, and fast.

This week Patrick Gray and Adam Boileau along special guest Lina Lau discuss the week’s news, including:

• The ongoing Ascension healthcare disruption, and
• Whether its reasonable for healthcare orgs to be pushing back
• Platforming cybercriminals for interviews
• Own the libs by… not using E2EE messaging?
• CISA’s secure by design, we want to believe!
• The $64billion scale of indusrialised fraud
• And much, much more.

This week’s sponsor is network discovery specialist, Run Zero. Director of research Rob King joins to talk about the weird and wonderful delights in their new Research Report.

Show notes

• Federal agencies assisting Catholic health network amid cyberattack
• After Ascension ransomware attack, feds issue alert on Black Basta group
• As White House preps new cyber rules for healthcare, Neuberger says backlash is unwarranted
• Stolen children’s health records posted online in extortion bid
• Guidance for organisations considering payment in... - NCSC.GOV.UK
• How Did Authorities Identify the Alleged Lockbit Boss? – Krebs on Security
• In interview, LockbitSupp says authorities outed the wrong guy
• A (Strange) Interview With the Russian-Military-Linked Hackers Targeting US Water Utilities | WIRED
• UK 'increasingly concerned' about Russian intelligence links to hacktivists
• Civil society under increasing threats from ‘malicious’ state cyber actors, US
• Elon Musk Weighs in on the Encryption Wars Between Telegram and Signal
• Encrypted services Apple, Proton and Wire helped Spanish police identify activist | TechCrunch
• Christie's Website Offline For A Fifth Day And The Company Is Still Silent On The Extent Of Last Week's Security Breach
• 68 tech, security vendors commit to secure-by-design practices | Cybersecurity Dive
• UK government urges caution over blaming China for Ministry of Defence breach
• Black Basta group spam-bombs victims and then calls to help
• Southeast Asian scam syndicates stealing $64 billion annually, researchers find
• The $2.3 Billion Tornado Cash Case Is a Pivotal Moment for Crypto Privacy | WIRED
• ADVANCED APT EMULATION LABS
• Download the runZero Research Report

Patrick dials in from RSA in San Francisco to discuss the week’s security news with Adam, including:

• The west doxxes LockbitSupp, who must now hide his hundred million dollars
• Revil hacker behind Kasaya breach gets 14 years
• Microsoft makes some positive sounding* noises on security
• A fun flaw in nearly all VPN clients
• Gitlab admins continue their never-ending incident response
• And much, much more.

This week’s sponsor is Stairwell. Long time infosec researcher Silas Cutler joins us to talk through his adventures in attacker C2 systems, and how this feeds into Stairwell’s data.

* we’re still sceptical they’ll get it right, but they do at least seem to realise how deep the doo-doo they’re in is… Pat speculates they have … tentacles, and a regulatory-threat-gland.

Show notes

• 'ArcaneDoor' Cyberspies Hacked Cisco Firewalls to Access Government Networks | WIRED
• Andy Greenberg: "@metlstorm @riskybusiness no w…" - Infosec Exchange
• U.S. Charges Russian Man as Boss of LockBit Ransomware Group – Krebs on Security
• Ukrainian sentenced to almost 14 years for infecting thousands with REvil ransomware
• Microsoft ties security goals to exec compensation
• China suspected of hacking British military payment system, reports say
• Germany recalls ambassador to Russia over cyberattacks
• Blinken unveils State Dept. strategy for ‘vibrant, open and secure technological future’
• Microsoft plans to lock down Windows DNS like never before. Here’s how. | Ars Technica
• Novel attack against virtually all VPN apps neuters their entire purpose | Ars Technica
• The Breach of a Face Recognition Firm Reveals a Hidden Danger of Biometrics | WIRED
• Dropbox says hacker accessed passwords, authentication info during breach
• Maximum-severity GitLab flaw allowing account hijacking under active exploitation | Ars Technica
• Our new research: Enhancing blockchain analytics through AI
• Reconstructing the Mind’s Eye: fMRI-to-Image with Contrastive Learning and Diffusion Priors
• Kevin Collier on X: "Oh my God. @riskybusiness is already the name of what is by a longshot the most established cyber podcast. There are a million possible names out there and Mr Decision Making over here went with one that's been in use for more than 15 years."

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Microsoft reassures* us that they take security very seriously*
• Cisco ASA firewalls get sneakily backdoored, but no one’s quite sure how
• Change Healthcare was 1FA Citrix all along
• The FTC, FCC and other government sticks get waved at tech
• Lizard Squad Finn who hacked the Vastaamo therapy chain gets sentenced
• And much, much more.

This week’s sponsor is Zero Networks, who make a network micro-segmentation product that is actually usable. Zero Networks CEO Benny Lakunishok joins us to talk through why firewalling everything everywhere is finally workable.

* You’ll forgive us for being… a tad sceptical.

Show notes

• 'ArcaneDoor' Cyberspies Hacked Cisco Firewalls to Access Government Networks | WIRED
• Change Healthcare hackers broke in using stolen credentials — and no MFA, says UHG CEO | TechCrunch
• Microsoft CEO says security is its No. 1 priority | Cybersecurity Dive
• TrustedSec | Full Disclosure: A Look at a Recently Patched Microsoft…
• Vintage Microsoft flaw resurfaces, threat actors attack with golden GooseEgg | Cybersecurity Dive
• FTC commercial surveillance rules could arrive within months, sources say
• FCC takes $200 million bite out of wireless carriers for sharing location data | CyberScoop
• Know-your-customer executive order facing stiff opposition from cloud industry
• Tech companies must help the fight aganst extremists using encryption: ASIO boss
• Josh Taylor on X: "Yess, excellent question from @Paul_Karp on why AFP et al aren't using the powers they already have. They say one technical assistance or capability notice has recently been issued. https://t.co/pEXrvjK5Q4" / X
• (720) IN FULL: ASIO and AFP respond to X chairman Elon Musk, issues social media warnings | ABC News - YouTube
• China-linked PlugX malware infections found in more than 170 countries
• Belarus secret service website still down after hackers claim to breach it
• Man Who Mass-Extorted Psychotherapy Patients Gets Six Years – Krebs on Security
• Sweden's liquor shelves to run empty this week due to ransomware attack
• Congress picked a direct fight with ByteDance and TikTok. The privacy implications are less clear.
• Telegram blocks, then unblocks, chatbots used by Ukraine’s intelligence services
• Elon Musk’s X takeover crushed Twitter’s profit to just $4804 in Australia
• Australian court orders Elon Musk’s X to hide Sydney church stabbing posts from users globally | Australia news | The Guardian
• After the Christchurch attacks, Twitter made a deal with Jacinda Ardern over violent content. Elon Musk changed everything - ABC News
• World on the Brink: How America Can Beat China in the Race for the Twenty-First Century - Kindle edition by Alperovitch, Dmitri, Graff, Garrett M.. Politics & Social Sciences Kindle eBooks @ Amazon.com.

In this edition of Snake Oilers we’ll be hearing from:

• Push Security: A browser plugin-based security company that combats identity-based attacks. (Much more compelling that it sounds in this description.)
• Knocknoc: The tool Risky Business uses to protect our own applications and services. (Restrict network/port access to users who are authenticated via SSO.)
• iVerify: Mobile security and threat hunting for iOS and Android. (Caught Pegasus in the wild!)

In this special edition of the Risky Business podcast Patrick Gray chats with former Facebook CSO Alex Stamos and founding CISA director Chris Krebs about sovereignty and technology.

China and Russia are doing their level best to yeet American tech from their supply chains – hardware, software and cloud services. They’ll be rebuilding these supply chains – for government systems, at least – from components that they have complete visibility into, and control over.

Meanwhile, America’s government faces different supply chain challenges. It has a supply chain that won’t be weaponised against it by its adversaries, but it lacks the same sort of visibility and control that its adversaries will eventually achieve over their supply chains. So where does this leave the west? Where does it leave China and Russia?

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Palo Alto’s firewalls have a ../ bad day
• Sisense’s bucket full of creds gets kicked over
• United Healthcare draws the ire of congress
• FISA 702 reauthorisation finally moves forward
• Apple warns about “mercenary exploitation” but what’s the India link?
• And much, much, more

This week’s sponsor is Panther, a platform that does detection as code on massive amounts of data. Panther’s founder Jack Naglieri is this week’s sponsor guest, and we spoke with him about some common detection-as-code approaches.

Show notes

• Palo Alto Networks releases fixes for zero-day as attackers swarm VPN vulnerability
• CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect
• Rapid7 Technical Analysis
• Why CISA is Warning CISOs About a Breach at Sisense – Krebs on Security
• Congress rails against UnitedHealth Group after ransomware attack | CyberScoop
• The US Government Has a Microsoft Problem | WIRED
• House GOP bridges divide to reauthorize FISA surveillance bill - The Washington Post
• Top officials again push back on ransom payment ban | Cybersecurity Dive
• Ex-White House cyber official says ransomware payment ban is a ways off | CyberScoop
• Over 500 people targeted by Pegasus spyware in Poland, officials say
• Apple drops term 'state-sponsored' attacks from its threat notification policy
• “All Your Secrets Are Belong To Us” — A Delinea Secret Server AuthN/AuthZ Bypass
• PuTTY vulnerability vuln-p521-bias
• Security engineer jailed for 3 years for $12M crypto hacks | TechCrunch
• Alleged cryptojacking scheme consumed $3.5M of stolen computing to make just $1M | Ars Technica
• Twitter’s Clumsy Pivot to X.com Is a Gift to Phishers – Krebs on Security

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Ransomware: down but not out
• Zero day prices on the rise…
• … and what it means for enterprise software
• Geopolitical conflict comes to computers in Palau
• Ukraine cyber chief Illia Vitiuk suspended
• More x86 microarchitectural bad times
• And much much more

Proofpoint’s chief strategy officer Ryan Kalember is this week’s sponsor guest. He takes aim at some recent vendor trends, like security companies describing themselves as “platforms”.

Show notes

• CyberCX_Report_DFIR 2023 Year in Review_Online.pdf
• Ransomlook Stats
• Vlad Styran 🇺🇦 on X: ".@riskybusiness has noted recently that there is an “orthodox Easter”-like low season in the ransomware village. Although my sources do not support this assessment, if true, there might be a simple explanation https://t.co/kM8lu6KbyY" / X
• Price of zero-day exploits rises as companies harden products against hackers | TechCrunch
• Mandiant spots advanced exploit activity in Ivanti devices | Cybersecurity Dive
• Pricing - Knocknoc
• ALPHV steps up laundering of Change Healthcare ransom payments | CyberScoop
• Extortion group threatens to sell Change Healthcare data | CyberScoop
• Attempted hack on NYC continues wave of cyberattacks against municipal governments
• Missouri county declares state of emergency amid suspected ransomware attack | Ars Technica
• Medusa cybercrime gang takes credit for another attack on US municipality
• Omni Hotels & Resorts hit by cyberattack | Cybersecurity Dive
• Targus says cyberattack is causing operational outage | TechCrunch
• German database company Genios confirms ransomware attack
• Researchers discover new ransomware gang ‘Muliaka’ attacking Russian businesses
• ‘An attack on the reputation of Palau’: officials question who was really behind ransomware incident
• 'They’re lying': Palau denies claims by ransomware gang over recent cyberattack
• Ukrainian security service’s cyber chief suspended following media investigation
• Russia seeks criminal charges against executives at flight booking service accused of failing to protect consumer data
• House hurtles toward showdown over expiring surveillance tools | CyberScoop
• D-Link tells customers to sunset actively exploited storage devices | Cybersecurity Dive
• A Vigilante Hacker Took Down North Korea’s Internet. Now He’s Taking Off His Mask | WIRED
• Ahoi Attacks
• Linux Kernel Patched For Branch History Injection "BHI" Intel CPU Vulnerability - Phoronix
• Ransomware gang’s new extortion trick? Calling the front desk | TechCrunch
• Evolving Threat Landscape: A Deep Dive into Multichannel Attacks Targeting Retailers | Proofpoint US

In this edition of Snake Oilers you’ll hear pitches from three companies:

• Kodex: Makes a platform companies can use to interact with law enforcement (Solves the law enforcement impersonator problem, among others.)
• ClearVector: Cloud security startup from former FireEye/Mandiant SVP/CTO John Laliberte
• Censys: Scans the entire internet, identifies assets you didn’t know were yours, helps you track attacker infrastructure like C2

On this week’s show Patrick and Adam discuss the week’s security news, including:

• The SSH backdoor that dreams (or nightmares) are made of
• Microsoft gets a solid spanking from the CSRB
• Ukraine uses an old Russian WinRAR bug to hack Russia
• Push-notifications and social-engineering combined-arms vs Apple
• And much, much more.

We have a special guest in this week’s show, Andres Freund, the Postgres developer who discovered the backdoor in the xz Linux compression library.

This week’s show is brought to you by Island, a company that makes a security-focussed enterprise browser. Island’s Bradon Rogers is this week’s sponsor guest and he’ll be joining us to talk about how people are swapping out their Virtual Desktop Infrastructure for enterprise-focussed browsers like theirs.

Show notes

• Risky Biz News: Supply chain attack in Linuxland
• oss-security - Re: backdoor in upstream xz/liblzma leading to ssh server compromise
• Andres Freund (Tech) on X: "@binitamshah FWIW, I didn't actually start looking due to the 500ms - I started looking when I saw failing ssh logins (by the usual automated attempts trying random user/password combinations) using a substantial amount of CPU. Only after that I noticed the slower logins." / X
• Andres Freund (Tech) on X: "@riskybusiness Absurdly enough, I was listening to the episode on a cooking break while writing the xz issue up. Couldn't make it up." / X
• GitHub - amlweems/xzbot: notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)
• research!rsc: The xz attack shell script
• DHS report rips Microsoft for ‘cascade’ of errors in China hack - The Washington Post
• Review of the Summer 2023 Microsoft Exchange Online Intrusion
• Russian researchers say espionage operation using WinRAR bug is linked to Ukraine
• Recent ‘MFA Bombing’ Attacks Targeting Apple Users – Krebs on Security
• Ransomware gang leaks stolen Scottish healthcare patient data in extortion bid
• Ross Anderson, professor and famed author of ‘Security Engineering,’ passes away

On this week’s show Patrick and Adam discuss the week’s security news, including:

• FVEY protests China’s widespread hacking of western politicians
• China bans western CPUs, Windows and databases
• Apple’s leaky M-chip prefetcher
• Nigeria holds ex-IRS investigator hostage in Binance stoush
• Researchers bring Rowhammer to AMD Zen and DDR5
• And much, much more.

This week’s show is brought to you by Thinkst Canary. Its founder Haroon Meer joins this week’s show to make a passionate case that security vendors don’t all have to go for explosive growth. Slow and steady with a focus on excellent and relevant products will win the race, he says.

Show notes

• Justice Department indicts 7 accused in 14-year hack campaign by Chinese gov
• Parliament network breached in China-led cyberattack, Judith Collins reveals
• China blocks use of Intel and AMD chips in government computers
• Announcement of Safety and Reliability Evaluation Results (No. 1, 2023)
• Unpatchable vulnerability in Apple chip leaks secret encryption keys | Ars Technica
• How Ukraine is using mobile phones on 6ft poles to stop drones
• Russian military intelligence may have deployed wiper against multiple Ukrainian ISPs | CyberScoop
• US penalizes Russian fintech firms that helped others evade sanctions
• UN probing 58 alleged crypto heists by North Korea worth $3 billion
• Detained execs, a bold escape, and tax evasion charges: Nigeria takes aim at Binance
• The DOJ Puts Apple's iMessage Encryption in the Antitrust Crosshairs | WIRED
• Mark Zuckerberg told Facebook execs to 'figure out' how to track encrypted usage on rival apps like Snap and YouTube, unsealed documents show
• ‘Far-reaching’ hack stole information from Python developers
• ZenHammer: Rowhammer Attacks on AMD Zen-based Platforms
• One Man’s Army of Streaming Bots Reveals a Whole Industry’s Problem
• Apex Legends hacker said he hacked tournament games ‘for fun’ | TechCrunch

In this Soap Box edition of the podcast Patrick Gray talks to Nucleus Security co-founder Scott Kuffer about whether or not cloud service vulnerabilities should get CVEs, what on earth is happening with NIST’s National Vulnerability Database (NVD) and more.

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Turns out AI is still bad code review after all,
• Mintlify loses a bunch of Github tokens,
• Everything old is new again with the UDP loop DoS,
• Know-your-(recon satellite)-customer is hard,
• Microsoft takes away Russia’s powershell, solving living off the land,
• And much, much more

This week’s show is brought to you by Material Security. In this week’s sponsor interview we speak with Material’s Rajan Kapoor, VP of Customer Experience at Material. We’re also joined by Chaim Sanders, who heads Security and Privacy at Lyft.

Show notes

• Anthropic’s CISO drinks the AI kool aid - backpedals frantically on security analysis claim
• Incident report on March 13, 2024 - Mintlify
• Loop DoS: New Denial-of-Service attack targets application-layer protocols
• State of IP Spoofing
• Pharmaceutical development company investigating cyberattack after LockBit posting
• Exclusive: After LockBit’s takedown, its purported leader vows to hack on
• Russian-Canadian hacker sentenced for global ransomware scheme to be extradited | CTV News
• A Suspicious Pattern Alarming the Ukrainian Military - The Atlantic
• Exclusive: Musk's SpaceX is building spy satellite network for US intelligence agency, sources say | Reuters
• Elon Musk’s SpaceX Forges Closer Ties With U.S. Spy and Military Agencies - WSJ
• Russians will no longer be able to access Microsoft cloud services, business intelligence tools
• Rostelecom blocks the SIP protocol for clients of Russian hosters / Sudo Null IT News
• Researchers spot updated version of malware that hit Viasat | CyberScoop
• Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks | Trend Micro (US)
• PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders | CISA
• US is still chasing down pieces of Chinese hacking operation, NSA official says
• 875 workers rescued in Tarlac POGO raid | Philippine News Agency
• Fujitsu says it found malware on its corporate network, warns of possible data breach | Ars Technica
• Mike Lindell must pay a Nevada man after election data dispute - The Washington Post

On this week’s show Patrick and Adam discuss the week’s security news, including:

• Weather forecast in Redmond is still for blizzards at midnight
• Maybe Change Healthcare wasn’t just crying nation-state wolf
• Hackers abuse e-prescription systems to sell drugs
• CISA goes above and beyond to relate to its constituency by getting its Ivantis owned
• VMware drinks from the Tianfu Cup
• Much, much more

This week’s feature guest is John P Carlin. He was principal associate deputy attorney general under Deputy Attorney General Lisa Monaco for about 18 months in 2021 and 2022, and also served as Robert Mueller’s chief of staff when he was FBI director.

John is joining us this week to talk about all things SEC. He wrote the recent Amicus Brief that says the SEC needs to be careful in its action against Solarwinds. He’ll also be talking to us more generally about these new SEC disclosure requirements, which are in full swing.

Rad founder Jimmy Mesta will along in this week’s sponsor segment to talk about some really interesting work they’ve done in baselining cloud workloads. It’s the sort of thing that sounds simple that really, really isn’t.

Show notes

• Risky Biz News: The aftermath of Microsoft's SVR hack is rearing its ugly head
• Swindled Blackcat affiliate wants money from Change Healthcare ransom - Blog | Menlo Security
• BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare – Krebs on Security
• Change Healthcare systems expected to come back online in mid-March | Cybersecurity Dive
• LockBit takes credit for February shutdown of South African pension fund
• Ransomware gang claims to have made $3.4 million after attacking children’s hospital
• Jason D. Clinton on X: "Fully automated vulnerability research is changing the cybersecurity landscape Claude 3 Opus is capable of reading source code and identifying complex security vulnerabilities used by APTs. But scaling is still a challenge. Demo: https://t.co/UfLNGdkLp8 This is beginner-level… https://t.co/mMQb2vYln1" / X
• Jason Koebler on X: "Hackers are hacking doctors, then using their digital prescription portals to "legitimately" prescribe themselves & their customers adderall, oxy, and other prescription drugs https://t.co/6elTKQnXSB" / X
• How Hackers Dox Doctors to Order Mountains of Oxy and Adderall
• CISA forced to take two systems offline last month after Ivanti compromise
• VMware sandbox escape bugs are so critical, patches are released for end-of-life products | Ars Technica
• A Close Up Look at the Consumer Data Broker Radaris – Krebs on Security
• Brief of Amici Curiae Former Government Officials
• Securities and Exchange Commission v Solarwinds Corp

In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about:

• The serious consequences from the Change Healthcare ransomware, and the need for a … nastier response
• Predator spyware maker getting a stern sanctioning
• A German military WebEx meeting gets snooped
• Mem-corrpution is still king
• And much, much more

In this week’s sponsor interview Patrick Gray speaks to Karl McGuinness, Okta’s chief architect, about some new security improvements they’ve built into their IDP.

Show notes

• U.S. Air Force employee charged with giving classified information to woman he met on dating site
• Ransomware attack on U.S. health care payment processor ‘most serious incident of its kind’
• AlphV’s hit on Change Healthcare strikes a sour note for defenders | Cybersecurity Dive
• Office of Public Affairs | Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant | United States Department of Justice
• Developing: AlphV allegedly scammed Change Healthcare and its own affiliate (1)
• Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment | WIRED
• Ciaran Martin on X: "“We have to find a way of making a ransom ban work” - me for @thetimes
• US launches antitrust investigation into UnitedHealth, WSJ reports | Reuters
• Brett Callow on X: "#Lockbit has de-listed Fulton County.
• Predator spyware endures even after widespread exposure, analysis shows | CyberScoop
• Predator spyware infrastructure taken down after exposure | CyberScoop
• U.S. bans maker of spyware that targeted a senator's phone
• Spyware maker NSO Group ordered to turn over Pegasus code in WhatsApp case
• Whatsapp Inc vs NSO Group
• Russia’s chief propagandist leaks intercepted German military Webex conversation
• The White House's Oddly Specific, and Really Quite Good, Software Engineering Advice
• A leaky database spilled 2FA codes for the world’s tech giants | TechCrunch
• In ConnectWise attacks, Play and LockBit ransomware exploits developed quickly | Cybersecurity Dive
• How to Secure the SaaS Apps of the Future | Okta Security

In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about:

• LockBit gets back up after takedown
• Russia arrests Medibank hacker… for something else
• ConnectWise gives out free updates, but customers aren’t happy
• Microsoft gives in to demands for more logs
• Sandvine gets entity-listed
• And much much more.

Dmitri Alperovitch also joins the show to discuss Starlink, Starshield and a row with Congress about its availability in Taiwan.

In this week’s sponsor interview, Airlock Digital’s Daniel Schell talks about his adventures with WDAC, and Dave Cottingham predicts Windows 12 will go all in on signed code.

Show notes

• LockBit group revives operations after takedown | Cybersecurity Dive
• Lockbit ransomware group administrative staff have released a lengthy response to the FBI and bystanders
• FBI’s LockBit Takedown Postponed a Ticking Time Bomb in Fulton County, Ga. – Krebs on Security
• Russia detains hacker behind Australia’s Medibank attack
• Russia arrests three alleged SugarLocker ransomware members
• Change Healthcare incident drags on as report pins it on ransomware group
• Ransomware Groups Are Bouncing Back Faster From Law Enforcement Busts
• ‘Alarming’ cyberattack hits Canada’s federal police, criminal investigation launched
• ConnectWise ScreenConnect faces new attacks involving LockBit ransomware | Cybersecurity Dive
• Microsoft rolls out expanded logging six months after Chinese breach | CyberScoop
• Sandvine added to US Entity List
• Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections
• FACT SHEET: ONCD Report Calls for Adoption of Memory Safe Programming Languages and Addressing the Hard Research Problem of Software Measurability
• Risky Biz News: Backdoor code found in Tornado Cash
• House China committee demands Elon Musk open SpaceX Starshield internet to U.S. troops in Taiwan
• The UK Is GPS-Tagging Thousands of Migrants | WIRED
• How the Pentagon Learned to Use Targeted Ads to Find Its Targets—and Vladimir Putin | WIRED
• New Biden order would stem flow of Americans’ sensitive data to China - The Washington Post

In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about:

• LockBit has been taken down by law enforcement
• Some mega-juicy leaks out of Chinese offsec/APT contractor I-SOON
• GRU gets its Moobot network shutdown
• Signal adding usernames is… complicated
• Much, much more

In this week’s sponsor interview Devicie’s Tom Plant joins the show to talk about problems orgs run into when it comes to Windows policies. There’s an expectation out there that Windows policies are set and forget, but sadly, this is not so.

Show notes

• Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates – Krebs on Security
• Law enforcement disrupt world’s biggest ransomware operation
• Shanghai Anxun’s information is unreliable and is a trap for national government agencies.
• China spy agency renews foreign cyber intelligence warning after data breaches
• US Justice Department says it disrupted Russian intelligence hacking network | Reuters
• Several Ukrainian media outlets attacked by Russian hackers
• Polish PM says previous ruling party used Pegasus spyware against ‘very long’ list of victims
• Hackers are targeting Asian bank accounts using stolen facial recognition data
• Signal Finally Rolls Out Usernames, So You Can Keep Your Phone Number Private | WIRED
• Code injection or backdoor: A new look at Ivanti’s CVE-2021-44529
• “the "AB" trigger has similar vibes to the Unreal IRCd and ProFTPD backdoors of the same timeframe.”
• FLATLINED: ANALYZING PULSE SECURE FIRMWARE AND BYPASSING INTEGRITY CHECKING
• CVSS 10 RCE in Screen Connect
• National Security Agency Announces Retirement of Cybersecurity Director
• Hunting M365 Invaders: Navigating the Shadows of Midnight Blizzard

The need to properly secure Entra ID tenants has been made pretty obvious this year thanks to a large-scale attack on them by Russia’s SVR intelligence agency. In this interview Andy Robbins from SpecterOps, the maker of Bloodhound Enterprise, talks through how he thinks those attacks actually went down, about how if you’re an o365 customer you’re using Entra ID whether you like it or not, and about how you can lock down your Entra ID tenant.

In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about:

• Somehow there are still more Ivanti and Fortinet exploits
• Volt Typhoon have been at it for years
• Starlink in Ukraine gets complicated
• Canadians hate poor Flipper
• Much, much more…

In this week’s sponsor interview Feross Aboukhadijeh from Socket joins the show to talk about the sheer volume of malicious packages being committed to code repositories and why older SCA tools aren’t well equipped to deal with them.

Show notes

• Microsoft Azure customers hit by phishing, account takeover attacks | Cybersecurity Dive
• Ivanti publishes urgent warning about new vulnerability
• How is Pulse Secure Formed
• Attackers hit more networking gear, this time a critical Fortinet CVE | Cybersecurity Dive
• End Of General Availability of the free vSphere Hypervisor (ESXi 7.x and 8.x) (2107518)
• Coker: ONCD is studying ‘liability regimes’ for software flaws
• Chinese hackers spent 5 years in US infrastructure, ready to attack
• CISA, FBI warn of China-linked hackers pre-positioning for ‘destructive cyberattacks against US critical infrastructure’
• Russia using Starlink
• Canada declares Flipper Zero public enemy No. 1 in car-theft crackdown | Ars Technica
• Health insurance data breach affects nearly half of France’s population, privacy regulator warns
• Hackers attack 25 Romanian hospitals
• Catalin on the Rhysider ransomware decrypter going public
• A password manager LastPass calls “fraudulent” booted from App Store | Ars Technica
• From Cybercrime Saul Goodman to the Russian GRU – Krebs on Security

In this Soap Box interview Greynoise founder and absolute legend Andrew Morris joins the show to talk about:

• Why Greynoise hasn’t seen a substantial drop off in Volt Typhoon’s network of compromised routers after the US Government’s takedown action
• How vendors are using Greynoise as an early warning system to identify exploitation of their products
• How he’s using large language models to reverse exploitation attempts into actual exploits

It truly is a great conversation, we hope you enjoy it!

In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about:

• Thought eels were slippery? Check out AnyDesk’s PR!
• Why Microsoft’s 365 is a nightmare to secure
• Cloudflare’s needlessly hostile blog post
• US Government introduces “Disneyland ban” for spyware peddlers
• Much, much more…

This week’s feature guest is Eric Goldstein, the executive assistant director for cybersecurity at CISA. He’s joining the show to talk about CISA’s demand that US government agencies unplug their Ivanti appliances. He also chimes in on why the US government is so rattled by Volt Typhoon and addresses a recent report from Politico that claims CISA’s Joint Cyber Defense Collaborative is a bit of a shambles.

This week’s sponsor guest is Dan Guido from Trail of Bits. He joins us to talk about their new Testing Handbook. Trail of Bits does a bunch of audit work and they’ve committed to trying to make bug discovery a one time thing – if you find that bug once, you shouldn’t have to manually find it on another client engagement. Semgrep for the win!

Show notes

• AnyDesk initiates extensive credentials reset following cyberattack | Cybersecurity Dive
• AnyDesk says software ‘safe to use’ after cyberattack
• Former CIA officer who gave WikiLeaks state secrets gets 40-year sentence
• Arrests in $400M SIM-Swap Tied to Heist at FTX? – Krebs on Security
• Microsoft Breach — What Happened? What Should Azure Admins Do? | by Andy Robbins | Feb, 2024 | Posts By SpecterOps Team Members
• Cloudflare hit by follow-on attack from previous Okta breach | Cybersecurity Dive
• Thanksgiving 2023 security incident
• US announces visa restriction policy targeting spyware abuses
• Announcement of a Visa Restriction Policy to Promote Accountability for the Misuse of Commercial Spyware - United States Department of State
• Deputy Prime Minister hosts first global conference targeting ‘hackers for hire’ and malicious use of commercial cyber tools - GOV.UK
• New Google TAG report: How Commercial Surveillance Vendors work
• A Startup Allegedly ‘Hacked the World.’ Then Came the Censorship—and Now the Backlash | WIRED
• American businessman settles hacking case in UK against law firm
• Crime bosses behind Myanmar cyber ‘fraud dens’ handed over to Chinese government
• Another Chicago hospital announces cyberattack
• Deepfake scammer walks off with $25 million in first-of-its-kind AI heist | Ars Technica
• As if 2 Ivanti vulnerabilities under exploit weren’t bad enough, now there are 3 | Ars Technica
• Two new Ivanti bugs discovered as CISA warns of hackers bypassing mitigations
• Agencies using vulnerable Ivanti products have until Saturday to disconnect them | Ars Technica
• The far right is scaring away Washington's private hacker army - POLITICO
• Our thoughts on AIxCC’s competition format | Trail of Bits Blog
• How CISA can improve OSS security | Trail of Bits Blog
• Securing open-source infrastructure with OSTIF | Trail of Bits Blog
• Announcing the Trail of Bits Testing Handbook | Trail of Bits Blog
• 30 new Semgrep rules: Ansible, Java, Kotlin, shell scripts, and more | Trail of Bits Blog
• Publishing Trail of Bits’ CodeQL queries | Trail of Bits Blog
• The Unguarded Moment (2002 Digital Remaster) - YouTube
• Boy Swallows Universe | Official Trailer | Netflix - YouTube

In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They talk about:

• More details on sanctioned Medibank hacker Aleksandr Ermakov
• More details on alleged Scattered Spider hacker Noah Michael Urban
• RUMINT that the number of Microsoft customers impacted by the SVR oauth/365 campaign is huge
• Ron Wyden did something useful…
• …then did something stupid
• Ivanti’s clown car collides with dumpster fire
• Much, much more

This week’s feature guest is Australia’s assistant foreign minister (and cybersecurity tragic) Tim Watts. He joins us to talk about why the Australian government sanctioned Aleksandr Ermakob.

Sublime Security founder and CEO Josh Kamdjou is this week’s sponsor guest. He joins us to talk about combating QR-code phishing.

Show notes

• Exclusive: US disabled Chinese hacking network targeting critical infrastructure | Reuters
• Medibank’s Attacker: IT Businessman, Claimed Psychologist… | Intel471
• Who is Alleged Medibank Hacker Aleksandr Ermakov? – Krebs on Security
• Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider – Krebs on Security
• Microsoft says Russian hackers also targeted other organizations | TechCrunch
• HPE hit by a monthslong cyberattack on its cloud-based email | Cybersecurity Dive
• (99+) Microsoft's Dangerous Addiction To Security Revenue | LinkedIn
• Microsoft critics accuse the firm of ‘negligence’ in latest breach | CyberScoop
• N.S.A. Buys Americans’ Internet Data Without Warrants, Letter Says - The New York Times
• Trading platform EquiLend down following cyberattack | Cybersecurity Dive
• Ivanti Connect Secure zero-day patches delayed | Cybersecurity Dive
• Popular CI/CD tool Jenkins discloses critical CVE | Cybersecurity Dive
• MOVEit liabilities mount for Progress Software | Cybersecurity Dive
• Tim Watts bio:
• Pennywise - Down Under [Men at Work Cover] - YouTube

In this week’s show Patrick Gray and Adam Boileau discuss the week’s security news.

• Microsoft honks its clown car horn
• Australia’s hounds, released, catch their man
• The beginning of the end for Scattered Spider
• SEC was SIM swapped but had MFA off any way
• Ivanti learns a lesson…
• … while Progress does not
• and much more

DHS undersecretary for policy and Cyber Safety Review Board head Rob Silvers is this week’s feature guest. He joins the show to talk about how the CSRB handles possible conflicts of interests from board members with industry day jobs.

In this week’s sponsor interview Resourcely’s founder Travis McPeak talks about why we need to help developers with “paved roads” instead of relying on dashboard products to tell us when things have gone wrong.

Show notes

• Microsoft network breached through password-spraying by Russia-state hackers | Ars Technica
• Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard | MSRC Blog | Microsoft Security Response Center
• Medibank cyber attack: The weakness that saw Medibank hacker Aleksandr Ermakov exposed | Exclusive
• Russian man identified as Medibank hacker, hit with sanctions by Australian government - ABC News
• Middle District of Florida | Palm Coast Man Arrested For Wire Fraud And Aggravated Identity Theft Charges | United States Department of Justice
• SEC.gov | SECGov X Account
• Owner of BreachedForums sentenced to time served plus 20 years supervised release with special conditions
• CISA issues emergency directive for federal agencies to mitigate Ivanti vulnerabilities | Cybersecurity Dive
• Ivanti Connect Secure exploitation accelerates as Moody’s calls impact credit negative | Cybersecurity Dive
• Progress Software shakes off MOVEit’s financial consequences, maintains customers | Cybersecurity Dive
• Cyberattack on Ukraine’s largest telecom provider will cost it about $100 million
• Ransomware attacks leave small business owners feeling suicidal, report says
• Canadian Man Stuck in Triangle of E-Commerce Fraud – Krebs on Security
• Experts call for US Cyber Safety Review Board rethink • The Register

On this week’s SURPRISE edition, Patrick Gray and Adam Boileau discuss the week’s security news. They cover:

• Their disappointment over last week’s SEC Twitter hack
• China rainbow-tables Airdrop
• Enterprise bugs galore…
• … and why patching fast is hard when there isn’t even a patch yet
• UEFI flaws get trad-BIOS-era vendor response
• and much, much more…

This week’s show is unsponsored, we’re just here for the fun of it.

Show notes

• The SEC’s Official X Account Was ‘Compromised’ and Used to Post Fake Bitcoin News | WIRED
• Apple AirDrop leaks user data like a sieve. Chinese authorities say they’re scooping it up. | Ars Technica
• FireChat – the messaging app that’s powering the Hong Kong protests
• End-of-life Cisco routers targeted by China’s Volt Typhoon group
• Ivanti Connect Secure attacks part of deliberate espionage operation | Cybersecurity Dive
• Ivanti Connect Secure VPN Exploitation Goes Global
• NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-6548 and CVE-2023-6549
• Aria Automation Missing Access Control Vulnerability (CVE-2023-34063)
• Security Bulletin - January 16 2024
• Stable Channel Update for Desktop
• “MyFlaw” — Cross Platform 0-Day RCE Vulnerability Discovered in Opera’s Browser
• PixieFail: Nine vulnerabilities in Tianocore's EDK II IPv6 network stack.
• LeftoverLocals: Listening to LLM responses through leaked GPU local memory
• Bigpanzi TV Botnet
• Southeast Asian casino industry supercharging cyber fraud, UN says

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They cover:

• SEC Twitter account hack moves bitcoin price
• Kaspersky admires Triangulation hackers’ fine work
• Telcos hacked all over
• Israel hacks Iranian gasoline pumps again
• Iran up in Albania, Sudan, Egypt and Tanzania
• and much, much more…

This week’s show is brought to you by Nucleus Security. Co-founder Scott Kuffer joins us to talk about why patch management is more nuanced than just “patch fast!”

Show notes

• U.S. Securities and Exchange Commission on X: "The @SECGov X account was compromised, and an unauthorized post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products." / X
• Mandiant, the security firm Google bought for $5.4 billion, gets its X account hacked | Ars Technica
• 4-year campaign backdoored iPhones using possibly the most advanced exploit ever | Ars Technica
• Spyware attack chain used previously unknown iPhone hardware feature, report says
• "Dutch engineer carried out Iranian nuclear sabotage": VK - DutchNews.nl
• Russian hackers infiltrated Ukrainian telecom giant months before cyberattack
• Ukraine telecom cyberattack one of ‘highest-impact’ hacks of the war
• Pro-Ukraine hackers claim breach of Russian internet provider
• Ukraine says Russia hacked web cameras to spy on targets in Kyiv
• Optus outage: Banks, telcos to be quizzed at Senate hearing
• A “ridiculously weak” password causes disaster for Spain’s No. 2 mobile carrier | Ars Technica
• Albanian parliament, telecom company hit by cyberattacks
• Paraguay military warns of ‘significant impact’ of ransomware after attack on internet provider
• Iran confirms nationwide cyberattack on gas stations
• Hackers disrupt Beirut airport with anti-Hezbollah message
• Telecom organizations in Africa targeted by Iran-linked hackers
• Myanmar rebels take control of ‘pig butchering’ scam city amid Chinese pressure on junta
• AlphV ransomware site is “seized” by the FBI. Then it’s “unseized.” And so on. | Ars Technica
• BreachForums administrator detained after violating parole
• Autistic teen behind spate of Lapsus$ hacks sentenced to indefinite hospital stay
• Global law enforcement seizes $300 million, arrests 3,500 involved in transnational cybercrime operation
• Toronto Zoo says it remains open after ransomware attack
• Central Bank of Lesotho facing outages after cyberattack
• Kansas City-area hospital transfers patients, reschedules appointments after cyberattack
• Cyberattack on Massachusetts hospital disrupted records system, emergency services
• LockBit claims November attack on New Jersey hospital that disrupted patient care
• First American becomes latest real estate industry giant hit with cyberattack
• Ivanti warns of critical vulnerability in its popular line of endpoint protection software | Ars Technica
• US officials say Russian targeting JetBrains servers for potential SolarWinds-style operations | Reuters
• SSH protects the world’s most sensitive networks. It just got a lot weaker | Ars Technica
• LastPass enforces 12-character master password lengths | Cybersecurity Dive
• FTC soliciting contest submissions to help tackle voice cloning technology
• Biden signs short-term FISA extension before year-end deadline
• Foone: "The 37C3 talk on TEA1 encrypti…" - Infosec Exchange
• Crypto hedge fund CEO may not exist; probe finds no record of identity | Ars Technica

In this week’s edition of the show Patrick Gray and guest co-host Dmitri Alperovitch discuss:

• Major telco in Ukraine taken down by Russia
• Apple and Facebook go all in on e2ee
• Why 702 reauthorisation is looking a bit sketchy
• The USG wants your push notifications
• The year in review, plus some predictions for 2024

This week’s show is brought to you by Thinkst Canary. Haroon Meer, Thinkst’s founder, is this week’s sponsor guest. He joins us to talk about APT groups pivoting to living-off-the-land techniques.

In this Soap Box edition of the Risky Business podcast Patrick Gray talks to Island’s Bradon Rogers about security-focussed, enterprise browsers.

You can use Island to do stuff like grant third parties access to corporate applications on unmanaged devices in a not insane way – that’s a huge pain point for a lot of CISOs, and something that is bringing a lot of new customers through Island’s doors. Obviously for devices you do manage, you can roll Island out as your default enterprise browser. There are a lot of security benefits to doing that.

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They cover:

• Iran-linked attacks on US water infrastructure
• Why the ownCloud bug isn’t the end of the world
• The D-Link 0day that… never existed?
• In defence of Okta
• Much, much more

This week’s show is brought to you by Proofpoint. Ryan Kalember, Proofpoint’s EVP of Cybersecurity Strategy, is this week’s sponsor guest.

Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that’s your thing.

Show notes

• CISA warns of threat groups exploiting Unitronics PLCs in water treatment hacks | Cybersecurity Dive
• North Texas water utility the latest suspected industrial ransomware target | Cybersecurity Dive
• Florida water agency latest to confirm cyber incident as feds warn of nation-state attacks
• ownCloud vulnerability with maximum 10 severity score comes under “mass” exploitation | Ars Technica
• Staples hit by cyberattack during critical Cyber Week sales push | Cybersecurity Dive
• New Jersey, Pennsylvania hospitals affected by cyberattacks
• 60 credit unions facing outages due to ransomware attack on popular tech provider
• HHS warns of ‘Citrix Bleed’ attacks after hospital outages
• Payments processor Tipalti investigating ransomware attack | Cybersecurity Dive
• CISA's Goldstein wants to ditch 'patch faster, fix faster' model | CyberScoop
• Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers | CISA
• Kremlin-backed hackers attacking unpatched Outlook systems, Microsoft says
• Latest severe Chrome bug prompts CISA warning
• Google researchers report critical 0-days in Chrome and all Apple OSes | Ars Technica
• Okta again promises it is taking security seriously | Cybersecurity Dive
• Okta: Breach Affected All Customer Support Users – Krebs on Security
• Russian and Chinese interference networks are ‘building audiences’ ahead of 2024, warns Meta
• Meta says it broke up Chinese influence operation looking to exploit U.S. political divisions
• Clandestine online operations now require sign-off by senior officials - The Washington Post
• Feds seize Sinbad crypto mixer allegedly used by North Korean hackers | TechCrunch
• US sanctions North Korean ‘Kimsuky’ hackers after surveillance satellite launch
• ‘Fugitive’ Spanish aristocrat behind North Korea cryptocurrency conference arrested
• Used by only a few nerds, Facebook kills PGP-encrypted emails | TechCrunch

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They cover:

• The Citrixbleed ransomware crisis
• Why the FBI hasn’t arrested Scattered Spider members
• DPRK is in your supply chains
• Microsoft has a brainwave and buys a HSM
• When civil war meets pig butchering
• Much, much more

This week’s show is brought to you by Airlock Digital. David Cottingham and Daniel Schell are this week’s sponsor guests.

Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that’s your thing.

Show notes

• ‘Citrix Bleed’ vulnerability targeted by nation-state and criminal hackers: CISA
• Australian ports operator recovering after major cyber incident
• Minister lashes DP World hack failure
• Gang says ICBC paid ransom over hack that disrupted US Treasury market | Reuters
• Cyberattack on US hospital owner diverts ambulances from emergency rooms in multiple states | CNN Politics
• Fidelity National Financial investigating cyberattack that led to service disruption | Cybersecurity Dive
• Potentially hundreds of UK law firms affected by cyberattack on IT provider CTS
• North Texas water utility serving 2 million hit with cyberattack
• Healthcare manufacturer Henry Schein expects platform restored this week after cyberattack
• High-profile ransomware gang suspects arrested in Ukraine
• FBI struggled to disrupt dangerous casino hacking gang, cyber responders say | Reuters
• Chinese spies had acces to Dutch chip maker NXP's systems for over two years: report | NL Times
• North Korean supply chain attacks prompt joint warning from Seoul and London
• North Korean attack on CyberLink impacted devices around the world, Microsoft says
• North Korean ‘BlueNoroff’ group targeting financial institutions with macOS malware
• Microsoft upgrades security for signing keys in wake of Chinese breach | CyberScoop
• (14) Microsoft Should Look to the Past for Its Security Future
• Sacked Ukrainian cyber chief released on bail amid corruption probe
• Second top Ukrainian cyber official arrested amid corruption probe
• Report claims to reveal identity of Russian hacktivist leader
• Rebel offensive in Myanmar takes aim at online scam industry
• Myanmar Rebel Offensive Helps China's Cybercrime Crackdown
• Shadowy hacking group targeting Israel shows outsized capabilities | CyberScoop
• Nearly two dozen Danish energy companies hacked through firewall bug in May
• Senate proposes surveillance bill without FBI warrant requirement
• The FCC says new rules will curb SIM swapping. I’m pessimistic | Ars Technica
• EU urged to drop new law that could allow member states to intercept and decrypt global web traffic
• Google researchers discover 'Reptar,’ a new CPU vulnerability | Google Cloud Blog
• Spavor blames fellow prisoner Kovrig for Chinese detention, alleges he was used for intelligence gathering - The Globe and Mail
• The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story | WIRED

In this Soap Box podcast Patrick Gray talks to Material Security’s CEO and co-founder Abhishek Agrawal about the security problems inherent to modern productivity suites.

Does it make sense that threat actors can authenticate to o365 and Workspace accounts and clean them out entirely? Years of mail, years of files?

Material Security has built a product that tackles this issue. It can lock up email archives behind MFA challenges, redact PII from inboxes, better control files share via Google Drive and OneDrive, and just generally limit the damage a threat actor can inflict when they compromise a cloud productivity account.

Even if you’re not interested in buying a product to tackle this, we think this one is a great listen.

On this week’s show Patrick Gray talks through the news with Chris Krebs and Dmitri Alperovitch. They discuss:

• The SEC enforcement action against Solarwinds’ CISO
• The White House AI Executive Order
• CitrixBleed exploitation goes wide
• How Kaspersky captured some (likely) Five Eyes iOS 0day
• Elon Musk’s Gaza Strip adventures
• Much, much more

This week’s show is brought to you by Greynoise. Andrew Morris, Greynoise’s founder and CEO, is this week’s sponsor guest. He talks about how Greynoise is using large language models to help them analyse massive quantities of malicious internet traffic.

Show notes

• comp-pr2023-227.pdf
• Biden signs executive order to oversee and invest in AI tech
• Risky Biz News: CitrixBleed vulnerability goes from bad to disastrous
• Andrew Morris on X: "Confluence bug is popping off. VAST majority of it is blasting thru Tor, similar to the first wave of Log4J exploitation two years ago. If you haven't patched, it's probably popped. https://t.co/4JC0uiTaqc https://t.co/wLDgQpq7r0" / X
• Andrew Morris on X: "Confluence bug is popping off. VAST majority of it is blasting thru Tor, similar to the first wave of Log4J exploitation two years ago. If you haven't patched, it's probably popped. https://t.co/4JC0uiTaqc https://t.co/wLDgQpq7r0" / X
• How Kaspersky obtained all stages of Operation Triangulation | Securelist
• Kaspersky reveals 'elegant' malware resembling NSA code | CyberScoop
• Sophisticated StripedFly Spy Platform Masqueraded for Years as Crypto Miner
• A cascade of compromise: unveiling Lazarus' new campaign | Securelist
• Near-total internet and cellular blackout hits Gaza as Israel ramps up strikes
• Amichai Stein on X: "Israel's Communications Minister @shlomo_karhi in response to Elon Musk: Israel will use all the means at its disposal to fight this. Hamas will use this for terrorist activity. There is no doubt about it. We know it, and Musk knows it. Hamas is ISIS." / X
• Shashank Joshi on X: "Wonder what encryption, if any, they use? Vulnerable to tapping. "Hamas has maintained operational security by going “stone age” and using hard-wired phone lines while eschewing devices that are hackable or emit an electronic signature." https://t.co/ALVSXb55Zn" / X
• Hackers that breached Las Vegas casinos rely on violent threats, research shows | CyberScoop
• Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction | Microsoft Security Blog
• GitHub - cloudflare/har-sanitizer
• Russia to launch its own version of VirusTotal due to US snooping fears
• iPhones have been exposing your unique MAC despite Apple’s promises otherwise | Ars Technica
• VMware warns of critical vulnerability affecting vCenter Server product
• Judge tosses Khashoggi widow’s lawsuit against NSO Group

In this edition of the Soap Box we hear from Mike Wiacek and Eric Foster from Stairwell.

Stairwell makes a product that collects and analyses every executable file in your environment. You deploy file collectors to your systems and they forward all new files to Stairwell for manual and automated analysis. You can do a lot of really cool analysis once you have all that stuff in the same place.

But as you’ll hear, Stairwell is broadening out the use cases for its platform. You don’t want to forward files from every system? You don’t have to. It’s still very useful as an analysis platform. It’s sort of like VirusTotal, but private and with a bunch more bells and whistles. There’s also a bunch of sharing tools in the platform, which gives it a “social network for CTI nerds” flavour.

On this week’s show Patrick Gray talks through the news with Dmitri Alperovitch, NSA Cybersecurity director Rob Joyce and NSA CCC director Morgan Adamski. They discuss:

• The Okta breach
• 40-50k feral Ciscos
• Why the http/2 protocol flaw is a real headache
• The Ragnar Locker takedown
• What the NSA CCC has been thinking about

This week’s show is brought to you by Socket. Socket’s founder Feross Aboukhadijeh joins us this week to talk about their actually-not-crazy use of large language models in their product.

Show notes

• Hackers Stole Access Tokens from Okta’s Support Unit – Krebs on Security
• Almost 42K Cisco IOS XE devices exploited, no patch available | Cybersecurity Dive
• Critical Atlassian Confluence CVE under exploit by prolific state-linked actor | Cybersecurity Dive
• JetBrains vulnerability being exploited by North Korean gov’t hackers, Microsoft says
• Citrix Netscaler patch for critical CVE bypassed by malicious hackers | Cybersecurity Dive
• HTTP/2 Rapid Reset: A New Protocol Vulnerability Will Haunt the Web for Years | WIRED
• How North Korean Workers Tricked U.S. Companies into Hiring Them and Secretly Funneled Their Earnings into Weapons Programs
• Ragnar Locker takedown
• Europol: ‘Key target’ in Ragnar Locker ransomware operation arrested in Paris
• Hacker accused of breaching Finnish psychotherapy center facing 30,000 counts
• The US Congress Was Targeted With Predator Spyware
• Lloyd’s of London finds hypothetical cyberattack could cost world economy $3.5 trillion

Patrick Gray speaks to Yubico’s Jerrod Chong about how organisations can better verify the identities of users when performing MFA resets. In other words, how to not get MGM’d.

He also talks about the chain-of-trust issues inherent to synchronisable passkey implementations.

On this week’s show Patrick Gray and Lina Lau discuss the week’s security news. They cover:

• Microsoft has killed VBScript
• Google to make passkeys the new default sign-in method
• MGM losses to exceed $100m
• Clorox has a bad quarter
• Why a bug in cURL could be really bad news
• Much, much more

This week’s show is brought to you by KSOC. Jimmy Mesta, KSOC’s co-founder and CTO, is this week’s sponsor guest. He talks to us about how we can start applying real, actual IAM to Kubernetes environments.

Show notes

• Deprecated features in the Windows client - What's new in Windows | Microsoft Learn
• Google Makes Passkeys Default, Stepping Up Its Push to Kill Passwords | WIRED
• AWS kicks off cloud race to mandate MFA by default | Cybersecurity Dive
• MGM Resorts’ Las Vegas area operations to take $100M hit from cyberattack | Cybersecurity Dive
• Clorox warns of quarterly loss related to August cyberattack, production delays | Cybersecurity Dive
• Blackbaud agrees to $49.5 million settlement with AGs of nearly all 50 states
• Cybercrime gangs now deploying ransomware within 24 hours of hacking victims
• Microsoft: Human-operated ransomware attacks tripled over past year
• Ukraine, Israel, South Korea top list of most-targeted countries for cyberattacks
• Microsoft: State-backed hackers grow in sophistication, aggressiveness | CyberScoop
• 67 X accounts spread coordinated Israel-Hamas disinformation: report
• John Hultquist🌻 on X: "We are currently seeing pro-Iran information operations actors promoting content across various social media channels, in favor of Hamas and critical of Israel’s response to the attacks. 1/x" / X
• Hacktivism erupts in response to Hamas-Israel war | TechCrunch
• ‘War has no rules’: Hacktivists scorn Red Cross’ new guidelines
• Joe Truzman on X: "Israeli Police Spokesperson: The Cyber Unit of the Police at Lahav 433 has frozen accounts of cryptocurrencies that served Hamas' terrorist organization to solicit donations on social networks. The Cyber Unit of Lahav 433, in cooperation with the Ministry of Defense, the…" / X
• Cloud giants sound alarm on record-breaking DDoS attacks | Cybersecurity Dive
• Israel's Failure to Stop the Hamas Attack Shows the Danger of Too Much Surveillance | WIRED
• Edward Snowden on X: "Netanyahu nurtured a zillion-dollar industry selling spying tools to despots that use them to break into the iPhones of critics, elected opponents, human rights lawyers, and even students (these are all real examples). Turns out they're not very useful for spying on Hamas, tho.…" / X
• HTTP/2 Zero-Day Vulnerability Results in Record-Breaking DDoS Attacks
• NVD - CVE-2023-44487
• Maintainers warn of vulnerability affecting foundational open-source tool
• 23andMe user data targeting Ashkenazi Jews leaked online
• 23andMe User Data Stolen in Credential Stuffing Attack
• Thousands of WordPress sites have been hacked through tagDiv plugin vulnerability | Ars Technica
• From AI with love: Scammers integrate ChatGPT into dating-app tool
• Inside FTX’s All-Night Race to Stop a $1 Billion Crypto Heist | WIRED

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They cover:

• Ransomware crews target WS_FTP and Jetbrains servers
• Global energy supply shapes up as big target
• The Dossier Center drops another banger
• Indian nationalists DDoS Canadian targets
• A look at the Exim drama
• Much, much more

This week’s show is brought to you by Kroll Cyber. George Glass is this week’s sponsor guest.

Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that’s your thing.

Show notes

• Multiple exploits hit Progress Software’s WS_FTP Server | Cybersecurity Dive
• Progress Software discloses 8 vulnerabilities in one of its other file-transfer services | Cybersecurity Dive
• Progress Software says business impact ‘minimal’ from MOVEit attack spree | Cybersecurity Dive
• NEXTA on X:
• Гостайна по электричеству - Досье
• Russian flight booking system suffers ‘massive’ cyberattack
• Cyberattacks hit military, Parliament websites as India-based group targets Canada | CBC News
• NATO investigating breach, leak of internal documents | CyberScoop
• Chinese hackers stole emails from US State Dept in Microsoft breach, Senate staffer says | Reuters
• FBI warns energy sector of likely increase in targeting by Chinese, Russian hackers
• Cisco routers abused by China-linked hackers against US, Japan companies | Cybersecurity Dive
• Suspected China-based hackers target Middle Eastern telecom, Asian government
• North Korean hackers posed as Meta recruiter on LinkedIn | CyberScoop
• Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
• Ransomware gangs destroying data, using multiple strains during attacks: FBI
• Critical vulnerabilities in Exim threaten over 250k email servers worldwide | Ars Technica
• NSA is creating a hub for AI security, Nakasone says
• Privacy watchdog recommends court approval for FBI searches of spy data | CyberScoop
• Vulnerable Arm GPU drivers under active exploitation. Patches may not be available | Ars Technica
• ‘Snatch’ Ransom Group Exposes Visitor IP Addresses – Krebs on Security
• IronNet, founded by former NSA director, shuts down and lays off staff | TechCrunch

On this week’s show Patrick Gray and Dmitri Alperovitch discuss the week’s security news. They cover:

• How western youths are working with Russian ransomware crews
• Russia has changed its targeting in Ukraine
• A massive breach of historical Russian flight information is god’s gift to OSINT orgs
• Cisco buys Splunk for $28bn
• Much, much more

This week’s show is brought to you by Panther. Its field CISO Ken Westin is this week’s sponsor guest.

Links to everything that we discussed are below.

Show notes

• MGM Resorts says hotel, casino operations back up and running | Cybersecurity Dive
• MGM Resorts warns customers of fraud as it faces class action lawsuits | Cybersecurity Dive
• mgmkirwan - DocumentCloud
• Cross-Tenant Impersonation: Prevention and Detection | Okta Security
• 'Power, influence, notoriety': The Gen-Z hackers who struck MGM, Caesars | Reuters
• Youth hacking ring at the center of cybercrime spree | CyberScoop
• UK logistics firm blames ransomware attack for insolvency, 730 redundancies
• Philippines state health org struggling to recover from ransomware attack
• Bermuda’s premier attributes system outages to ‘Russia-based’ attackers
• Russian hackers target Ukrainian government systems involved in war crimes investigations
• (4) Oleg Shakirov on X: "Huge data breach in Russia A previously unknown group claims it stole data from Russia's major flight booking system Sirena Travel. The whole dataset includes 665 mil entries and spans 16 years; they posted a sample with 3 mil lines. I was able to verify one flight. Looks legit" / X
• Hackers break into Russian database with data on hundreds of millions of flights
• Canada blames border checkpoint outages on cyberattack
• Air Canada says hackers accessed limited employee records during cyberattack
• 3 iOS 0-days, a cellular network compromise, and HTTP used to infect an iPhone | Ars Technica
• Yes, you have to update your Apple devices again, because spyware is bad | TechCrunch
• GPUs from all major suppliers are vulnerable to new pixel-stealing attack | Ars Technica
• CISA's catalog of must-patch vulnerabilities crosses the 1,000 bug mark after 2 years
• Hong Kong crypto business Mixin says hackers stole $200 million in assets
• Cisco to buy Splunk for $28B | Cybersecurity Dive
• British Army general says UK now conducting ‘hunt forward’ operations
• World on the Brink: How America Can Beat China in the Race for the Twenty-First Century: Alperovitch, Dmitri, Graff, Garrett M.: 9781541704091: Amazon.com: Books
• Starlink in Ukraine: Why the Story Is Not So Simple | Geopolitics Decanted by Silverado

In this edition of Snake Oilers you’ll hear product pitches from:

• Sublime Security: e-mail security for people who want to tune their detections
• VulnCheck: Provides vulnerability intelligence to governments, large enterprises and vendors
• Devicie: Manage your devices with Intune without pulling your hair out

Show notes

• sublime.security
• VulnCheck - Outpace Adversaries
• Cloud-native device management platform | Devicie

On this week’s show Patrick Gray, Adam Boileau and Lina Lau discuss the week’s security news. They cover:

• Microsoft’s 38TB oopsie
• MGM’s Okta compromised, was this what Okta was warning us about?
• Why we need a cyber knife fight
• Google Authenticator sync abused in the wild
• Much, much more

This week’s show is brought to you by Push Security. Co-founder Adam Bateman is this week’s sponsor guest.

Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that’s your thing.

Show notes

• Microsoft AI researchers exposed sensitive signing keys, internal messages | CyberScoop
• Wiz on X: "🚨 BREAKING: Wiz Research discovers a massive 38TB data leak by Microsoft AI researchers, including 30,000+ internal Teams messages. Here's what you need to know 🧵 https://t.co/2V8u9IekGV" / X
• Microsoft mitigated exposure of internal information in a storage account due to overly-permissive SAS token | MSRC Blog | Microsoft Security Response Center
• (6) Microsoft's Security Culture Just Isn't up to Scratch
• Threat actors claim to have compromised MGM Resorts’ Okta environment | Cybersecurity Dive
• MGM, Caesars attacks raise new concerns about social engineering tactics | Cybersecurity Dive
• I Gambled in MGM's Hacked Casinos
• ‘Scattered Spider’ group launches ransomware attacks while expanding targets in hospitality, retail
• MGM Resorts disruption linked to recent attacks against hospitality industry | Cybersecurity Dive
• Caesars Entertainment says it was also a victim of a cyberattack
• Clorox warns of product shortages a month after disclosing cyberattack | Cybersecurity Dive
• DHS: Ransomware attackers headed for second most profitable year
• (1) chrisrohlf on X: "I can think of multiple occasions where well respected experts assured the world that taking offensive actions would put an end to this ransomware problem. Unfortunately 1) it won’t end that easily and 2) they’re still seen as experts. This is an economics problem that is enabled…" / X
• White House urging dozens of countries to publicly commit to not pay ransoms
• Cyberattack on Kansas town affects email, phone, payment systems
• Major trucking software provider confirms ransomware incident
• Several Colombian government ministries hampered by ransomware attack
• Manchester police officers’ data stolen following ransomware attack on supplier
• Upstate New York nonprofit hospitals still facing issues after LockBit ransomware attack
• Evidence points to North Korea in CoinEx cryptocurrency hack, analysts say
• How Google Authenticator made one company’s network breach much, much worse | Ars Technica
• Chinese Spies Infected Dozens of Networks With Thumb Drive Malware | WIRED
• Mozilla, CISA urge users to patch Firefox security flaw
• UK passes the Online Safety Bill — and no, it doesn’t ban end-to-end encryption
• Exiled Russian journalist hacked using NSO Group spyware | Hacking | The Guardian
• Три журналиста рассказали, что получали оповещение от Apple о хакерской атаке. Такое же приходило Галине Тимченко, в телефоне которой нашли шпионскую программу Pegasus — Meduza
• War crimes tribunal ICC says it has been hacked | Reuters
• XINTRA - Cybersecurity Training
• CrikeyCon 2022 - Lina Lau - Inside the Persistent Mind of a Chinese APT - YouTube
• SaaS attack techniques
• SaaS attack matrix: The shadow workflow’s evil twin
• SaaS Attack: How to SAMLjack a poisoned tenant
• SAMLjacking a poisoned tenant demo - YouTube
• SaaS Attacks: Shadow workflows + Evil twin integration demo - YouTube

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They cover:

• How Storm-0558 stole Microsoft’s signing key
• Cisco 0day being used by ransomware crews
• We were right about Elon stumbling into the Ukraine war
• Someone’s amazing image library 0day just got crushed
• Much, much more!

This week’s show is brought to you by Nucleus Security. Co-founder Scott Kuffer is this week’s sponsor guest.

Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that’s your thing.

Show notes

• Results of Major Technical Investigations for Storm-0558 Key Acquisition | MSRC Blog | Microsoft Security Response Center
• Microsoft reveals how hackers stole its email signing key… kind of | TechCrunch
• Kevin Beaumont: "One extra thing to highlight -…" - Cyberplace
• Preventing Authentication Bypass: A Tale of Two Researchers - YouTube
• BEC phishing kit hits thousands of Microsoft 365 business accounts | Cybersecurity Dive
• Microsoft Teams phishing attack pushes DarkGate malware
• CISA warns of attacks using Microsoft Word, Adobe bugs
• New Emergency Chrome Security Update After Critical iOS 16.6.1 Release
• Mozilla patches Firefox, Thunderbird against zero-day exploited in attacks
• Cisco security appliance 0-day is under attack by ransomware crooks | Ars Technica
• Cisco BroadWorks vulnerability snags highest CVSS score | Cybersecurity Dive
• High-profile CVEs turn up in vulnerability exploit sales | Cybersecurity Dive
• MGM Resorts takes systems offline following cyberattack
• Save the Children International hit with cyberattack, but says operations weren’t impacted
• Sri Lankan government loses months of data following ransomware attack
• (6) Risky Biz News: US and UK dox and sanction 11 more Trickbot/Conti members. Charges included too.
• Opinion | The untold story of Elon Musk’s support for Ukraine - The Washington Post
• Elon Musk on X:
• SpaceX unveils Starshield, a military variation of Starlink satellites
• China-Linked Hackers Breached a Power Grid—Again | WIRED
• Just waiting for a mate - YouTube
• North Korea-backed hackers target security researchers with 0-day | Ars Technica
• Cars are collecting data on par with Big Tech, watchdog report finds
• Crypto Town Hall on X: "Crypto Kingpin's Downfall: 11,196 Years Behind Bars!"https://t.co/1RCNJ8um4c" / X

In this edition of Snake Oilers you’ll hear product pitches from:

• ConductorOne: PAM, account cycle management and access auditing for cloud and SaaS accounts
• Bloodhound Enterprise: Enumerate attack paths in your environment and shut them down
• Zero Networks: Agentless: heavily automated microsegmentation and a VPN product that won’t get you insta-owned

Show notes

• ConductorOne - Identity security & access control
• Home - BloodHound Enterprise
• Microsegmentation in a Matter of Minutes | Zero Networks

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They cover:

• Why everyone should pay attention to some recent attacks on Okta customers
• Why third party comms apps are risky af
• Why are Russian espionage opps using Tor for C2?
• Surveillance firms abuse Fiji Telco Digicel’s SS7 access
• Much, much more!

This week’s show is brought to you by Gigamon. Mark Jow, Gigamon’s EMEA Technical Director is this week’s sponsor guest.

Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that’s your thing.

Show notes

• Cross-Tenant Impersonation: Prevention and Detection | Okta Security
• BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps
• NCSC-MAR-Infamous-Chisel.pdf
• Ukraine says an energy facility disrupted a Fancy Bear intrusion
• Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach – Krebs on Security
• Telstra-owned Pacific mobile network likely exploited by spies for hire - ABC News
• CISA, MITRE shore up operational tech networks with adversary emulation platform
• LogicMonitor customers hit by hackers, because of default passwords | TechCrunch
• Barracuda thought it drove 0-day hackers out of customers’ networks. It was wrong. | Ars Technica
• Why is .US Being Used to Phish So Many of Us? – Krebs on Security
• UK cyber agency announces Ollie Whitehouse as its first ever CTO
• Embattled consulting firm PwC swept up in global cyber breach of file service MOVEit by cybercrime group C10p
• ONLINE-SCAM-OPERATIONS-2582023.pdf
• Unmasking Trickbot, One of the World’s Top Cybercrime Gangs | WIRED