BTS #68 - Attacking Power Grids
In this episode, the hosts discuss various cybersecurity threats, including Russian cyber attacks on critical infrastructure, the vulnerabilities in firewalls and VPNs, and the implications of AI in cybersecurity. They explore the increasing trend of using Python for malicious purposes and the challenges posed by gaming anti-cheat drivers. The conversation also touches on the escalation of cyber warfare and the confused deputy problem in AI, highlighting the need for better security measures and awareness in the industry.
Subscribe
Transcript
Paul Asadoorian(01:54.541)
Welcome to Below the Surface. is episode number 68 being recorded on Thursday, February 5th. I am Paul Ascadorean joined by Mr. Chase Snyder. Chase, welcome. Vlad Babkins here too. Vlad, welcome. As always, we’ve got a lot of stories to talk about. Before we dig into it, Below the Surface listeners can learn more about Eclypsium by visiting Eclypsium.com forward slash go. You can get the ultimate guide to supply chain security and on demand webinar. Chase Snyder (02:04.61) Hey Paul, hey Vlad.
Paul Asadoorian(02:23.193)
called Unraveling Digital Supply Chain Threats and Risk, a paper on the relationship between ransomware and the supply chain, and a customer case study with Digital Ocean. Of course, if you’re interested in seeing our product in action, you can sign up for a demo at Eclypsium.com forward slash go. Lots of fun things happening in the news this week. I think maybe we start with the alleged hacking done by the Russians against Polin’s power grid and one of the reasons that that is relevant is they were exploding some Fortinet firewalls. don’t want to make it seem like we’re picking on Fortinet. I didn’t choose that. We chose the article and the threat actors chose to go after Fortinet firewalls in VPN devices.
Chase Snyder(03:15.874)
And why did they choose that? Why do bank robbers rob the bank? Because that’s where the money is.
Paul Asadoorian(03:21.239)
Yeah. So it says in the notes, and I’ve been reading through this report that the initial access stemmed from internet exposed FortiGate firewall slash VPN concentrators lacking MFA and often using reused default credentials, reused or default credentials. Those are two different things, enabling admin access and lateral movement across sites. And this is a continuing trend that we’ve been talking about.
Chase Snyder(03:49.624)
So much low hanging fruit there to discuss basic stuff, enabling MFA, not using default credentials. but the thing about it being the firewall, the number of times recently where the firewall, the thing that’s supposed to protect you turned out to be the way that the adversary got in in the first place.
Paul Asadoorian(03:53.292)
Right.
Chase Snyder(04:18.462)
is really concerning and we’ve talked about it on numerous episodes in a row now and it was one of our trends.
Paul Asadoorian(04:21.516)
Yeah. And it’s because it’s not, they’re not just firewalls. I’m, I’m fairly certain that most of the firewalls on the market from Fortinet, Palo Alto, Cisco might be slightly different. Although ASA probably has, all of these have VPN functionality baked in that does not require a separate license to make it work. And so I’ll give you, know this is true in all cases, but hear me out. I bought a Fortinet firewall on eBay for $46. Okay. And it came with a really old version of firmware. Chase Snyder (04:53.23) Yeah, okay. Paul Asadoorian (05:10.16) I created an account with Fortinet and I was like, let me register it. Like, what do do? I get stuff if I register it and it allowed me to register it. And then it was like, well, I mean, it’s registered, but they’re like, it’s not supported. So you can’t open up support tickets and you can’t download new firmware for it. And so now I have this. So now that I’m actually using some of this gear, right. And I’m not just picking on Fortinet. I’ve got other other gear from Avanti and, Palo Alto. Collectively, I spent less than $200 to acquire three different hardware appliances.
Chase Snyder(05:47.288)
That wasn’t MSRP. That’s not what they go for.
Paul Asadoorian(05:49.621)
No, and eBay is filled with them, right? And I was trying to be strategic as to which appliance I acquired and trying to figure out if that runs the version of firmware that is vulnerable to a lot of those vulnerabilities, right? But it also says here, like, credentials, which I’ll get to. So setting up the device that is unregistered. I mean, like basically unsupported, I was able to enable the SSL VPN on it. So administratively, I can log into the device via the web interface or SSH or Telnet, depending on what I enable. I can enable that on all the interfaces, like the WAN interface. That’s part of the problems that we’ve seen is the web or SSH access is available on the WAN port. That’s just a couple of clicks to either enable or disable that. And then when you go to… You define the port, but typically it’s like 8443. So if you go to the WAN address, port 443, it’ll prompt you to log in. Now you can download the clients, the VPN clients, but the SSL VPN functionality, you can actually log in to the firewall. And then you have something called quick connections, which I haven’t been able to get to work, but there is a screen in there once I sign in with a local VPN account. I haven’t connected this to Active Directory. I just created a local VPN user and I was able to establish a SSL VPN connection and then I was able to go to a separate screen called quick connections and in there from the web interface I can initiate SSH telnet RDP requests to the internal network. So I think when we see some of these attacks, we don’t have all the nitty gritty details necessarily, they may not. them, an attacker can basically create a VPN account for themselves. Like once you gain access to a Fortinet firewall. Now that doesn’t mean access as what Vlad and I were just talking before the show, right? There’s a memory corruption vulnerabilities where I exploit a running service on the device and gain control, gain code execution control. That would be in the underlying Linux subsystem, which, you know,
Paul Asadoorian(08:14.326)
Many vendors don’t want users accessing, but attackers could. That’s like the most deep level of access an attacker would get. Now I’m on the underlying system. And typically what they would do in that scenario is hook or configure the system in such a way that as new VPN users authenticate, in some cases that authentication can be saved in plain text, clear text, into a file. So they can basically bug the system to start recording all the logins. then they come back later on, they grab those logins, and if those are Active Directory logins, that’s now the pivot point, right? So now I have an Active Directory login, and I have access to a VPN concentrator, so I can connect to the VPN concentrator, then go start scanning what systems I want to connect to. I have credentials, I could potentially RDP in or do other things. that’s, like I’m not making that stuff up or theorizing, that is based on… numerous campaigns that I’ve been reading about as to how it happens and not just on Fortinet by the way other platforms,
Vlad Babkin(09:17.591)
So like to be honest, what I would say about all of this is that I cannot stress it enough how I use the word as it is, how stupid it is that the critical system like this does not allow access to the underlying file system for the defender, does not allow access to the Zarn OS for the defender. It’s plain stupid at this point. Like there is no justification for this. Like zoned justification is by companies who say, we don’t want user touching internals to not break their device. Look where this gets you. A device which…
Paul Asadoorian(09:50.082)
Right. Yeah, could you just move your microphone a little closer to your mouth? Does it bend a little bit? Yeah. no, doesn’t. Yeah, sounds a little crackly.
Vlad Babkin(09:58.401)
that’s a problem.
Vlad Babkin(10:03.425)
Yeah, I’m not sure why. Let me check. That’s bent a little bit if you try it. Should help. Anyways, yeah, like I cannot really stress it enough just how incredibly stupid it is. Like defenders get no visibility, attackers get all of the visibility and this system potentially sitting in front of the energy grid or like your water supply or wherever the hell you want it to sit and you cannot defend it.
Paul Asadoorian(10:28.385)
Right.
Vlad Babkin(10:33.365)
Like literally, like, okay, great. It has some built-in security tooling. Sometimes it works. What happens when it doesn’t? And that happens all of the time. Like there is like potentially a weekly vulnerability in one of the systems by now, maybe even a day. Like I just, I just cannot stress it enough. Just how much pressure must be put on those providers to actually start doing something different.
Paul Asadoorian(10:39.234)
Mm-hmm.
Vlad Babkin(11:00.947)
And it’s possible to make a system which gives underlying OS access which is stable. Again, I will name the ropowender just as one example. Look at the FIFE which allow bash access with root privileges. That doesn’t stop their big IP products from working nicely and finely. Like, there is no logical problem to do this. So the only thing the companies are afraid of is somebody stealing their intellectual property. Somehow that doesn’t happen to others.
Paul Asadoorian(11:12.984)
Mm-hmm.
Vlad Babkin(11:29.355)
But it will of course happen to them. But now that I look at all of the problems we have from it. Like at some point somebody gonna step down the foot and start like either evicting those companies from the government and replacing them with companies that do allow such access and do allow some defender tools on their systems. Or this is never gonna change because like losing government contracts is probably what’s gonna scare them into, you know, doing something better. But at this point like…
Paul Asadoorian(11:44.696)
Mm-hmm.
Vlad Babkin(11:58.488)
There is just not a lot. I’m not speaking about just one company. Like, Fortinet in this case is like yet another unlucky company in the streak of unlucky examples. Quite a lot of companies do this. Like, I can pick a router and like there is a 70 to 30 chance that it doesn’t allow access to the underlying OS tools. So it’s not just one of them. Paul Asadoorian (12:09.93) Mm.
Chase Snyder(12:20.782)
Do you think that it’s really that they’re concerned about the theft of the intellectual property? I mean, we’ve talked many times about the underlying operating system being some flavor of Linux. So a lot of the stuff that’s in there, like I don’t super know what they’re changing about. You know, what’s the intellectual property that they’re concerned is getting stolen? I think a lot of companies are worried about that. And really it’s like the code is not their moat.
Vlad Babkin(12:42.679)
I mean…
Vlad Babkin(12:49.653)
Mm-hmm. Yeah, look Yeah Chase Snyder (12:50.7) The moat is the deployments that they already have. It’s the contracts that they already have is their ability to execute and deliver on the surface service. Even if someone got the full source code, which the attackers did for F5 in the F5 attack. like, it seems like there’s no, I didn’t see anybody expressing any concerns like, the attackers have F5. They’re going to, they’re going to build a better ADC. and they’re going to outdo us their own business. It’s like, no, that’s not the, I feel like it’s just a fake concern. It feels like a red herring.
Vlad Babkin(12:55.796)
Mm-hmm.
Vlad Babkin(13:07.541)
Yeah, there is no…
Vlad Babkin(13:12.054)
Yep. Chase Snyder (13:20.3) Like what are they really doing? And I think it’s because there’s fundamentally just kind of.
Vlad Babkin(13:20.736)
Yah.
Chase Snyder(13:29.194)
It’s a little bit of not security by obscurity, but it’s like there there’s something under the covers there that they don’t want people to look too closely at because people would just be like, this is kind of there’s there were poor choices made and how this is built. They don’t want people. They don’t want people to see the spaghetti code under the covers. Not that they’re going to steal it, but because it’s just like. Not yeah.
Vlad Babkin(13:44.407)
Probably, like.
Paul Asadoorian(13:52.726)
Well, think it’s support. If you mess something up in the underlying Linux OS, you could cause issues with the functionality of the device, and I don’t think they want to support it. Chase Snyder (14:04.59) Yeah, for sure. And also then you’ve got to buy. Yeah, you rely on them a lot then, too. It’s like how nobody can work on their own car anymore now because you have a car with all these parts. It’s just like it’s too complicated. And that’s how they want it. Because it’s like easier to do planned obsolescence and easier to, you know, more and more people have to like buy the extended warranty and have the dealer do the service on it because you just can’t do it yourself anymore.
Vlad Babkin(14:05.297)
case in this case like yeah i don’t know the true reason
Paul Asadoorian(14:12.704)
Yeah.
Vlad Babkin(14:20.609)
Mm-hmm.
Paul Asadoorian(14:27.563)
Well, that could be their concern as well, that if I have access to the underlying Linux OS, and let’s just say they stop supporting… firmware updates on there for me applying the future versions, I could go into the Linux and say, you know what, why don’t we try and install this new version and take out any constraints they might have around it. So, you know, I think they’re probably fearful that people won’t upgrade their devices if you have access to the underlying Linux. You could potentially like maintain it and tweak it yourself and not have to go buy a new license or firewall.
Chase Snyder(14:48.055)
Mm-hmm.
Chase Snyder(15:02.178)
I don’t want to hard pivot into a different topic that we’re going to talk about already, which is AI stuff and AI agents. But this feels like there’s this discourse around, now that anybody can vibe code anything, companies are going to stop paying for enterprise SaaS and they’re just going to build it themselves internally. And it’s like, no, no, they are not. Nobody is going to build their own like a sauna or workday in house. What they want is that.
Paul Asadoorian(15:18.294)
Mm.
Chase Snyder(15:27.042)
that company to do that thing and be responsible for it. Like the cost and ability for someone to internally vibe code and maintain that is not worth it. There is still going to be enterprise B2B SaaS. They might vibe code it. Those companies might vibe code their own thing, but the government’s still going to buy their thing and not build it themselves.
Paul Asadoorian(15:30.369)
Right.
Vlad Babkin(15:40.151)
and the sauce.
Vlad Babkin(15:47.288)
It depends a lot on the SaaS. If the SaaS offering is not very useful and can be replicated very easily, people will probably replicate it. But that’s the point. What was stopping them from doing that already, even though there is no web coding? If SaaS products would be as easy to replicate as hiring five developers, while the SaaS product itself costs more than five developers, everybody would just be hiring five developers. AI is currently not at the point where it will replace more than that. It’s great, it’s not that great.
Chase Snyder(16:09.291)
Yeah, exactly.
Paul Asadoorian(16:17.687)
Yeah, it’s a I just I want to see a program from all these vendors where you can add Defensive software monitoring tools to the underlying OS because that would certainly help increase detection, perhaps prevention, depending on how, if they give you features to lock down your devices via the underlying OS a little more. But I’m sure those are features they may want to charge for, like enhanced threat detection on my firewall, which is, don’t agree with that. think.
Vlad Babkin(16:55.307)
That’s like charging for two-factor authentication. This is like the dumbest decision ever. Let’s make a tool that’s great, but then charge it so much money for it that nobody’s gonna use it. Like, that’s not the way forward. Like, I don’t know the real reason why they banned this, so I’ll just turn speedballing just to try to justify it in any way possible. Because at this point, with so much…
Paul Asadoorian(16:57.951)
Yeah, I agree. Yep.
Vlad Babkin(17:19.479)
problems that we face with them and like I use the word problem it’s not issues it’s actual problems when your power grid goes down because somebody broke into a firewall like it’s like the language here should be very very heavy like in this case the question is like how do you force the change like it’s not about like companies are never going to be motivated to become more open and more caring about users they care about earning money so the question is where does the enforcement come from
Paul Asadoorian(17:27.148)
Yep.
Vlad Babkin(17:48.896)
Government is not really doing a good job of it. yeah, in this case, like the question is, SAS tools and like hardware products which are like this, probably should be replaced by AI. Like if your product can be broken once a week by an attacker who found yet another zero day, I would question the sanity of keeping your product in my company. Because it’s not really a great product, especially if it is a firewall. It’s one thing if it would be like a calendar app. Calendar app is not exactly focused on defense, but literal firewall being susceptible to all of this is not a great… Let’s put it this way.
Paul Asadoorian(18:27.553)
for sure. I also think that one of the reasons we have so many exposed devices on the internet that are vulnerable for a lot of these manufacturers is because they charge for those firmware updates. Like I said, you can buy one pretty cheap on the secondhand market, it in your company. It’s an enterprise grade firewall. Like I should use air quotes there. It’s an enterprise grade firewall. And maybe they don’t want to pay the money to update the firmware. It is a budget. It’s a budget constraint. Or like I said, you picked up secondhand with no intention of getting a support contract on it in just using it and that’s one reason why i think we have a lot of these vulnerable devices floating around out there
Vlad Babkin(19:17.515)
Yup. And also the logic flow of like, hey, your device is actually based around OpenVPN, so it’s already as bad as OpenVPN. But it also has some custom web interface, which potentially has extra vulnerabilities. So any solution that’s a boxed-in firewall, which provides some VPN solution, is going to be as weak as the VPN solution at least, and probably weaker because of the web interface, which allows you to somehow sign into the VPN. Because that’s an extra which…
Paul Asadoorian(19:43.415)
Mm-hmm.
Vlad Babkin(19:45.536)
Like so far I haven’t seen companies really get that well. Like where it is not breakable. So like really the best solution for security is like, stop OpenVPN somewhere, configure it really well. And that’s going to be the most secure because pretty much everybody else relies on like WireGuard or OpenVPN.
Paul Asadoorian(20:06.007)
Mm-hmm.
Chase Snyder(20:06.828)
Dude, I’m never going to stop quoting this stat from at-base cyber insurance. That companies that get their cyber insurance from that company had a 6.8 times higher likelihood of filing an insurance claim for a ransomware attack if they had on-prem VPN from Cisco or Citrix. 6.8x more likely to get ransomware if you have on-prem VPN. That is like…
Vlad Babkin(20:36.503)
And this is the reason why I said it like I said it. Like any on-prem VPN is gonna be as weak as the VPN solution it’s based on, plus on top whatever vulnerabilities the vendor introduced in web interface that managing it or whatever other interface you have to manage it. You cannot, like even if like the vendor is absolutely pedantic using the most advanced system imaginable users like a thousand security specialists which scans the code like day and night. Chase Snyder (20:51.98) Yeah. Yeah.
Vlad Babkin(21:05.695)
It’s still going to be as secure as OpenVPN source code is based on. So you’re not sidestepping that. Chase Snyder (21:12.91) Yeah, 100%. And it’s not like all firewalls or VPN are like going cloud or going virtual or whatever. I looked up the stat, someone’s prediction, know, prediction about the CAGR of the hardware firewall market between now and 2030, 31. So the next five years of it. And I think they estimated like a 10 % CAGR. So they thought it was going to approximately double from… in the 20 billions to in the 40 billions dollars spent on hardware firewalls, which are, you know, like front doors for bad guys. We’re just we’re just installing front doors for bad guys. Paul Asadoorian (21:54.54) This also happened, Huntress made a post about an incident that they responded to where threat actors, and they say, leveraged compromised SonicWall SSL VPN credentials to gain initial access to the victim’s network. So this didn’t make it sound like they were fully compromising the SSL VPN appliance from SonicWall. they were just password spraying and successfully authenticated to the VPN as a user and use that to pivot into the internal network where then they did things like drop EDR killer style malware. not sure which driver they used for that but this was a driver that they used in order to kill the EDR. There was a couple of stories floating around this week about EDR killers. One of them used an NCase driver that was signed in was signed in 2010 expired in 2015 2014 and then Windows honored it as a signed driver because it was signed before July 2015 and if you don’t have the hardware, what is it, HVCI, it only uses the hypervisor to basically govern which drivers get loaded or not. If you don’t have that enabled, Windows accepted this as a valid driver even though the certificate had expired. which is great and i’m not sure that was the same case here or if it was a different driver but now there’s like in one week there was a i’d believe two separate instances where not only do we see initial access to edge device but we also saw a technique of bringing your own vulnerable driver
Vlad Babkin(23:48.321)
So, yet another unfortunate firewall name involved in an attack. Somebody got initial access for that and apparently there was no monitoring for that or not sufficient monitoring for that, or they would be able to stop it. then they pivoted to Windows, which, surprise, probably put an important security feature under a paywall, which we just talked about. And… But because of this, this feature is not enabled. Or at the very least, the Windows does not arrive in the default secure configuration. Because, again, how do you load a driver with an expired signature if your OS is configured securely? So, yeah. That’s pretty much exactly what we talked about just from another angle.
Paul Asadoorian(24:34.773)
Yeah. and then so that ties to the interlock ransomware that exploited a zero day in a gaming anti-cheat driver to disable EDR and antivirus. That was my second instance of it. So the Huntress, I believe, now that I found a reference to it, it did reference that the Huntress may have been the end case driver, but in this interlock ransomware campaign, this was a gaming anti-cheat kernel driver. which I want to say Vlad you predicted this. Vlad Babkin (25:06.31) Gaming anti-cheat kernel drivers, they should burn them with fire. Imagine that you install a game, you just want to play it, and you’re not gonna cheat like most people don’t. Let’s say that 1 % really want to. What this kernel anti-cheat does is that it runs permanently online on your machine forever. and can monitor whatever you do and now they’re also getting abused. So not only is it a privacy nightmare, it’s now also a security nightmare because if some random gaming company developing the anti-cheat who don’t really care about security of their drivers, they care about anti-cheat bypasses, like suddenly they have like a lot of privileged access to their system because somebody can just bring the driver and abuse it.
Paul Asadoorian(25:57.078)
Right.
Chase Snyder(25:58.774)
Yeah, it’s like when when companies get acquired and all of a sudden all the data that you handed over them belongs to some other company that you may or may not trust there, you know, like when 23 and me got like fire sailed out of bankruptcy or whatever. It’s like, all this genetic data. It’s like, what if some what if Riot Games or some company with one of the really aggro kernel level anti-cheat things gets acquired by some other company that’s like, now we have kernel level access to millions of millions of you. or endpoints. That’s a supply chain attack. That’s real supply chain.
Vlad Babkin(26:30.689)
Yeah, and like some of them some of them already have ties to companies in China. So again, I don’t want to be kind of evil to one specific country, but like it’s a trend. Like Chinese guys love to collect data about people. And I wouldn’t be too surprised if they would want to acquire Riot Games, for example, if not already done so, like third party means.
Paul Asadoorian(27:02.559)
It’s interesting. As I look into this report from some news outlet, but it was was covering what happened. This driver was originally named game driver X64. Sis. They renamed it, but I’m not sure why they renamed it. They renamed it to masquerade as like a firmware update checker. But the driver is vulnerable to a CVE 2025. 61155. and should have been revoked, right? Doesn’t the, I believe the process works very similar if not the same as Secure Boot, where if there’s a vulnerability in a signed component or component that’s trusted by Secure Boot or Windows driver facility, they should revoke it. But they don’t do that as well with drivers because they don’t want to break anything. So if you revoke this driver, then people can’t play the game because the game is going to go look for the anti-cheat kernel driver. When it’s not there, it’s not going to let you play the game. you
Vlad Babkin(28:08.599)
And that’s the point, you cannot really revoke those drivers easily because a lot of users are going to be very unhappy with it. By a lot of users I mean a lot of users, it’s not just one hardware device which you revoke. Like for example, let’s say some drivers are more equal than the others, let’s put it this way. So for example, let’s say there is a vulnerable driver for some obscure mouse, you can just revoke it.
Paul Asadoorian(28:14.763)
Hmm.
Vlad Babkin(28:33.299)
And the hundred people who is affected by this can go and update their driver. They’re probably not going to be too mad about it. But if you work something like a game anti-cheat, especially if it is a very popular title, like let’s say Valorant, there are going to be millions of people unhappy. And the same goes for like very popular hardware. Let’s say Nvidia driver, if suddenly got a vulnerability and got revoked certificates, there will be hundreds of millions of people unhappy, including enterprises. So Microsoft has a very tough choice to make. Either keep…
Paul Asadoorian(28:45.644)
Mmm. Right.
Vlad Babkin(29:02.813)
everybody vulnerable or everybody unhappy.
Paul Asadoorian(29:07.381)
Yeah, and apparently everyone’s vulnerable because this is a great technique that attackers are using today. And you can’t really blame the attackers for going after it, right? It is. is. Like I want a system, all I need to do is manipulate some drivers and I can get rid of anything that might try and detect me.
Vlad Babkin(29:20.299)
to test it.
Vlad Babkin(29:30.519)
If I have an evil clone, that evil clone probably has a collection of hundreds of drivers he can target. Because it’s just way too tasty.
Paul Asadoorian(29:41.025)
there’s too many drivers out there, we actually don’t even know how many drivers Microsoft has signed they don’t maintain a list
Vlad Babkin(29:47.991)
And Microsoft might not even know how much drivers they have signed. Paul Asadoorian (29:52.79) Yeah. I wish there was some kind of like attestation API that Microsoft maintained where you could go check the status of a assigned driver and also allow you to query it to get a list of all the drivers that out there. I mean, I want the same for secure boot software as well from the OEMs. I just don’t see.
Vlad Babkin(30:12.784)
We need CRT.sh but for drivers.
Paul Asadoorian(30:15.893)
Yeah, I just don’t see why that can’t happen. It would allow security tooling to query these attestation endpoints and get information about what could be running on the system.
Vlad Babkin(30:30.007)
There might be stuff you might not want the people find out about. Like imagine that an assay signs a driver. Because like the next step, oh, hey, if your assigned driver is not in this public database of drivers, we will refuse it to load entirely. Like this is the next logical step. That’s what’s happened with certificate transparency for the web. So now if like organizations like an assay will not secretly sign a driver, they can not and it has to be public. So there is a…
Paul Asadoorian(30:33.836)
Yeah.
Paul Asadoorian(30:46.955)
Yeah.
Paul Asadoorian(30:56.982)
Right.
Vlad Babkin(30:58.571)
concerned for government agencies, if this is actually enforced, there is going to be a tool which will try to block everything that’s not in this public database, which would be a very great call.
Paul Asadoorian(31:09.687)
Yeah, I I look at it as an extension or a form of a build of materials, right? Like a cryptography bomb is a thing. But I also want to first secure a boot. I want to know what software was signed to work on my system. in that to me that information should be public so that at least researchers could if they wanted to go evaluate that software for any vulnerabilities. we’re not because how do you figure out that Dell Lenovo HP or whomever has signed something to work on their systems, right? Maybe it’s just an OEM specific software that’s been signed with their keys. But I don’t have that list. we kind of basically we get lucky. We find the software and we’re like, look, it’s signed to work on every Dell laptop of a certain model year or whatever and there’s a vulnerability in it. We have to do so much guessing to find that software. We might not ever find it or be looking for it all, but if there was some kind of API we could query, I think it would be helpful.
Vlad Babkin(32:23.255)
My man believe in the world, but it’s worse. You sometimes get software which specifically is coded in such a way that you cannot analyze it. Like for example, updates for network devices which come encrypted and you don’t have a decryption tool. So the only way for you to decrypt it is to disassemble your device, attach special hardware tools to actually dump it off the chip and then maybe you get to analyze the software. Or for example,
Paul Asadoorian(32:34.625)
Yeah.
Vlad Babkin(32:50.571)
games which use stuff like Denuvo, which pretty much just encrypts the code to a point where even if you use reverse engineering, it will take you months to actually get down to the source code or to the binary which you can actually look at. And not only does it slow down the binary, if the binary wanted to do something nefarious, there is a good question, how does antivirus do something about it? Because now the code is so obfuscated that just obfuscation itself should figure.
Paul Asadoorian(33:11.424)
Yeah.
Vlad Babkin(33:18.583)
warnings and issues with antivirus. But it doesn’t, because games use it and you wanna play your game. So antivirus cannot just, oh hey, this has way too much obfuscation, it’s probably doing something nefarious like it should. But it cannot, because now legit software does this. Yeah, it becomes a security nightmare very very quickly.
Paul Asadoorian(33:41.975)
Yeah, mean then you have to almost rely on behaviors, you by that time it’s too late. We want to keep the malicious software off of our machines. And vulnerable software. And if we don’t know if it’s malicious or vulnerable and have a really hard time figuring that out, then we’re at a disadvantage.
Vlad Babkin(33:50.261)
Yup, like…
Vlad Babkin(33:57.408)
Like, we’re not even like, I want to get the list of all of the software that potentially can run on my machine. You cannot even touch software which is already running on your machine. And it’s becoming worse and worse. Like look at Windows and all of their interesting decisions, like security wise. Let’s say Windows Recall is just one name which made a lot of security of like waves and like news, right? And by the way, like public service announcement, Microsoft, I believe like last time I read about it, they wanted to bring it back. So somebody might want to take a look if they did or not, because that’s terrifying if they did.
Paul Asadoorian(34:39.047)
chase was there any else on the report that was published
Chase Snyder(34:48.398)
I mean, we talked about the firewall aspect of it. That’s one. The other aspect is that it’s critical infrastructure that’s being targeted. so that sort of interface between the traditional IT stuff, network edge devices like firewalls, and then more operational technology like remote terminal units, programmable logic controllers, et cetera. what was reported was that the attack was intended to be destructive. So the point of it was to get in there and do something to the operational technology devices that would damage them and hinder the operations of this renewable energy providers. And it didn’t succeed. was caught and thwarted before that happened. But the general arc of targeting critical infrastructure and I feel like there’s kind of like there’s the doomsday clock where whatever miscellaneous organization manages that is always moving the second hand for how close we are to doomsday. It’s like the line of what counts or where you cross the line from cyber warfare to kinetic warfare. It’s like, well, if a nation state targets another nation states energy infrastructure with the intent to do physical damage using cyber. weapons, know, Stuxnet style, Stuxnet is kind of the iconic example. like, okay, this was a malware that was intended to, and I think succeeded in damaging uranium refining centrifuges. Okay, that’s not what this is, but this is, you know, it’s supposed to do physical damage to energy infrastructure, but it’s a cyber tool. I think. A, I think that the operational technology or cyber physical systems as it’s sometimes being rebranded is gonna keep being a more and more important focus for cybersecurity. There’s already a handful of cybersecurity companies that focus on OT stuff and I think it’s gonna be more and more of a thing as more instances like this come out. But yeah, I don’t know, they used. Chase Snyder (37:10.2) Got in through the VPNs, that was the pivot point. Then they tried to deploy DinoWiper, so wiper technology that would hypothetically spread around in the OT environment and damage the HMIs and damage the various actual OT devices. Yeah, not a whole lot more to say about it. I’m glad they stopped it, I guess, but it seems like more of this kind of thing. can contribute to sort of an escalated sense of fear because hearing about a cyber attack that could affect the grid or the water system or whatever, there’s been more and more of these as various global conflicts have heated up. And yeah, I don’t know. Take away what you want from the rising tide of critical infrastructure attacks. I feel like when people think of critical infrastructure, you think about stuff like energy. and yeah, water systems, things like that. But there’s also like manufacturing and even finance, like big banks are also considered critical infrastructure. And those are the kinds of things where these these types of attacks don’t have to really have any physical component in order to really be disruptive to you know whatever society they are enacted against.
Paul Asadoorian(38:33.781)
Yeah, it’s interesting too. So the other story I had was some new Linux malware that was observed and this article talked about weaponizing Python and Linux malware targeting executives in cloud systems. But there is an increasing threat of people using Python to live off the land in Linux devices. And this is, I mean, nothing new. know, living off the land on a Linux device is great. I oftentimes don’t need necessarily malware if the device I’m using device means could be any Linux system. Let’s talk about firmware based devices has built into it things like Python utilities such as W get you can even i mean everyone trained in pen testing or offensive security knows how to can show you how to construct callback just using a born shell or bash in dev tcp so that exists in linux kinda hard to remove that functionality you know short of some firewalling rules that might prevent that or you know some kind of zero trust on the system like you have pythons here but if you try and use the python interpreter to connect back out to the internet it’s denied because of some security control on your linux system
Vlad Babkin(40:06.391)
In this case, a lot of devices, including IoT devices, come with Python embedded. It’s more often than not a very old Python, like Python 2.7, which doesn’t stop it from being useful. But in this case, because you have no access to those systems, in many cases, especially if you’re speaking about IoT environments or IoT environments or whatever environments you might care about the most with these Python scripts.
Paul Asadoorian(40:17.301)
Yeah, sure, but it doesn’t matter.
Vlad Babkin(40:35.145)
You cannot really configure something like an IP tables which will just ban the attacker from going out. And moreover, that Python script is often will be running as root immediately because those devices don’t really have good security boundaries. Like if you get called execution, you are immediately root. So in Windows, like you will at least have to bring something with you to do this. Even though with PowerShell, it’s not as hard to actually come up with a script that just bypasses all of the security policies and just runs stuff. But…
Paul Asadoorian(40:47.296)
Right.
Paul Asadoorian(41:03.212)
Yep.
Vlad Babkin(41:05.257)
Still, like, Python is much more handy in doing all of this stuff for attackers than PowerShell.
Paul Asadoorian(41:13.909)
Yeah. But I think, Chase, we had some stats about… So the reason I added the story, now that I remember, is I was evaluating a device and on a certain version of firmware, because you can unpack the firmware and decrypt it, you can look at what’s included. And there was no Python there in a certain version. Then I went to a newer version and… I was like, there’s Python in this one that wasn’t in the previous one. And I actually observed that, right? The addition of the Python interpreter into the firmware. in in chiseling we have some stats on that we published late last year right that this is an increasing trend not just any particular manufacturer or product but this is a trend where firmware images are getting larger and having more capabilities in including things like scripting languages such as python no j s in the lake Chase Snyder (42:15.66) Yeah, totally. was, yeah, we’ll name the vendor, but we, published our hitchhackers guide to the galaxy shout out available in PDF and video form, at our website near you. but yeah, we, analyze a ton of firmware, right? You know, and so we published some stats about various outlier, Instances and trends and the biggest firmware, the biggest like update package, you know, it’s debatable. What do you get? Do you call it firmware? If it’s the whole underlying OS of a network device, is that the firmware? We call it that sometimes that some people get in. Some people don’t, but the biggest update package that we analyzed had over 19,000 individual files in it. We’ve analyzed the update packages from this vendor for several years and the size, the number of files in it had gone up a hundred X in the past. like six years since 2020. So, and 10X since like 2023. So hugely increasing just number of things in there. I think it went from one language that the binaries would compile to, which I think was C or C++, whatever makes sense, to there being four different languages. it included, it from zero to like 130 or 140.
Paul Asadoorian(43:32.759)
Mm-hmm.
Chase Snyder(43:43.246)
Python imports, at least one of which had a known vulnerability in it. And so just the, that was the biggest one. The smallest one that we did, which I think was like some IOT device was like 10 files. So firmware can contain multitudes or not, but for these network edge devices, the size of the potential attack surface, if you think of it as like, this thing was like three gigs.
Paul Asadoorian(43:48.756)
Mm-hmm.
Chase Snyder(44:10.866)
of, you know, it’s, it’s Linux under the covers. It’s got 19,000 plus different binaries in there, multiple different languages that that stuff could compile out to. And it has a bunch of Python imports in it. That’s a lot of exposure. That’s a big attack surface that you are bringing into an area of your environment that’s fundamentally invisible and not manageable to you. You’re downloading this update from a network device vendor. Paul Asadoorian (44:26.06) Yeah.
Chase Snyder(44:40.814)
and running it on this box that’s in your environment that you don’t have root access to that you can’t you know we did this analysis but you and your environment probably couldn’t realistically do that yeah
Paul Asadoorian(44:53.431)
Yeah, and this is the problem. I this is a whole class of devices. I think you might have asked earlier, like, how do we constitute firmware? What’s an appliance? What’s not? I mean, over the years, I’ve developed some criteria for that. I think the first one is it doesn’t have a monitor, mouse, and keyboard interface. There might be some exceptions to that, but I think my kind of that requirement really stems from it’s not something the user sits down and uses as a computer. A Raspberry Pi, is a computer. Some may call it an embedded system or device or appliance, but it’s intended for you to be able to have control of the operating system and interface with it with a monitor, mouse, and keyboard. Now you may create special purpose versions of your Raspberry Pi, many have, for various projects, but to me that’s a device, maybe it could be either one. But I think it’s important that when we think about these appliances, IoT device, firmware based, part of the other criteria is maybe it uses firmware or at least the software and or firmware you’re putting on it comes in one package, right? So your bootloader, all of your user data, file systems, everything is lumped in one file. It’s put on there. And importantly, as we’ve talked about, you don’t have access necessarily to the underlying subsystem. Maybe you do, but it’s not really like that’s not why you would use it. And because the other like third criteria is it’s a specially special purpose device. So it’s a KVM and it was designed, there may be a computer running Linux, but it was designed to behave like a KVM with a device with a special purpose. Firewalls and VPN concentrates the same way, right? Firmware comes from the vendor. You’re not using it as a computer. There’s no monitor, mouse and keyboard. And that device has special purpose to provide firewalling.
Paul Asadoorian(46:52.509)
and you don’t have control over the underlying operating system. don’t have to. install an operating system yourself and then put software on top of it, it comes bundled all into one. And so those are the kind of, when we talk in research and development about what should we support, right? What should we discover vulnerabilities on? What should we do threat hunting on and discover threats on it? And it’s that category where the user doesn’t control the operating system. If you do control the operating system, that’s great. You can take our agent or any number of agents along with ours, put it on the underlying operating system, and gain great visibility. Our endpoint, for example, gives great visibility. EDR and other things, and vulnerability management, great visibility, and you have control over those things. But when it’s a shiny box that manufacturers don’t give you access to, you don’t have those luxuries. I mean, and you do sometimes, right? There’s a research that goes into this product from this vendor. Is it install the software, or does the vendor provide basically like an image that I have to run. And that’s how I start in a catalog. I wish there was some kind of programmatic way to discover that. Right now, you basically have to query an LLM. And the LLM will hopefully give you the right answer of going, nope, this is software you install in an operating system of your choosing, or it’s delivered as an appliance, virtual or physical. That’s how I draw lines.
Chase Snyder(48:26.902)
It’s tough. It’s really, you know, kind of a, know, when you see it situation and you have to be very informed and experienced as you are to be able to draw those distinctions in any sort of way that makes sense. And it gets muddier and muddier, but fundamentally when you’re installing a big bundle like that three gig, you know, update on a box that then you don’t have. Root. Yeah. You don’t have root on.
Paul Asadoorian(48:51.339)
control over it, yeah. Chase Snyder (48:53.9) That’s a risk. You don’t get to pick and choose. You don’t get to look at that ahead of time, be like, we’re going to not accept the vulnerable Python imports. Yeah.
Paul Asadoorian(48:56.512)
No.
Paul Asadoorian(49:00.947)
Yeah, but it’s still a shared responsibility model for security. I I expect if the manufacturer’s not going let me have access to the underlying operating system, I have to give them that responsibility the same way in the cloud. If I spin up a Lambda container in AWS, I have to trust that Amazon is taking care of security, everything else down the stack, right down to the hardware. My responsibility is the application. Same thing with the firewall or VPN device. Yes, it’s my responsibility to make sure it’s updated on firmware, to make sure it has multi-factor authentication, to make sure it’s configured and networked correctly, that I’m not exposing the web management interface to the internet. If I do, maybe there’s multi-factor authentication, it’s up to date on patches. even with all those things you could get yourself in trouble exposing it to the internet. But that’s my responsibility, right? Because that’s my device. Those are the things that I can use and affect change. If I can’t get in the underlying OS, the vendor has to do that for me. And now I’m lacking that visibility. Chase Snyder (50:12.46) Yeah, dude, I’m so curious. We talked about the cyber insurance stat. So all these companies are filing cyber insurance claims for ransomware attacks that involved or started with a compromised VPN. What’s the conversation like between those companies that had the ransomware attack and the VPN provider after that? Is it like?
Paul Asadoorian(50:34.295)
Mm.
Chase Snyder(50:35.148)
Hey, you’re, you know, I guess there’s probably a bunch of investigation that has happened. It was like, did they not configure it right? I’m sure that there’s just a gazillion pages of fine print about, because every time one of these big vulnerabilities comes out, the vendor is like, well, that’s not reachable. If you configure it right. If you set it up right, if you use it as, as required in the manual, then that wouldn’t be a problem for you. is there, it’s like, there’s a little bit of a shifting.
Paul Asadoorian(51:02.038)
Yeah.
Chase Snyder(51:05.304)
There’s a little bit of a blame game that has to happen. And I’m sure that when insurance gets involved, get the game gets really technical. They start looking, looking closely at the fine print and the configs.
Paul Asadoorian(51:15.701)
Yeah, I’m curious how like, how does it? And how does it flesh out if it’s a zero day? Like let’s say the attackers were exploiting it as a zero day before the manufacturer even knew they had a vulnerability. And now as the end user, even if I’m on the latest firmware, it doesn’t matter because it was a zero day. There was no fix for it yet. Sure, I might do everything I can as the user to harden it, but in most cases, from what I’ve seen, that exploit is still going to work. If it’s fully patched with multi-factor authentication, as long as the attacker can reach it somehow, maybe it’s on the internet, maybe it’s not, maybe it’s on the internal network and they’re pivoting to it, but the better attack is it is exposed to the internet. And if it’s a VPN concentrator functionality, it has to be exposed to the internet. And that’s where a lot of remote code execution exploits target, right? Is that VPN underneath the covers, there’s a service, a binary that’s running in the background.
Chase Snyder(51:46.914)
Yeah.
Paul Asadoorian(52:16.377)
that’s listening on that port that potentially has a memory corruption flaw. We’ve seen that. It’s not always the way that the vulnerabilities shake out, but there are cases of that. So in that case as the defender, there’s not much I can do. I can be on the latest version. I have to expose it to the internet to let people use it as a VPN, and I may give the user multi-factor authentication. That’s all fine and well, but again, if there’s a memory corruption vulnerability in that service, an attacker going to exploit it and gain control, gain deep level control on the device. And like Vlad said, probably be root. And if you’re not making that jump to root, it probably is not all that difficult in Linux, unfortunately. mean, Windows is kind of the same way, right? Linux even more so, especially if it’s some older code that has an older utility on there that you can do that privilege escalation with.
Chase Snyder(53:14.542)
The question of whether, what happens if it’s a zero day in like the sort of responsibility for that reminded me that I, my immediate thought about that was, well, even a lot of the zero days are in these products, right? The zero days that end up being
Paul Asadoorian(53:22.134)
Hmm.
Chase Snyder(53:36.576)
exploited against VPNs that lead to successful attacks, you know, it’s still in these products that we know are associated with higher risk. And I read an article recently from a cyber insurer that was essentially about how they set their insurance rates and how they respond on the basis of this to be able to provide an insurance premium rate to these different organizations based on these risk factors. And so they do, they look at
Paul Asadoorian(54:02.999)
Hmm.
Chase Snyder(54:06.102)
whether the organization that’s seeking the insurance runs one of the high risk on-premises VPNs and they basically recommend that you take some steps to mitigate that risk in order to get your insurance premiums down. And I know that some of the insurers have their own MDR associated with them or they’ll recommend they have like a partner MDR that they’ll recommend. And so they have these
Paul Asadoorian(54:31.435)
They have a partnership, yeah.
Chase Snyder(54:35.926)
It’s wild that it’s like the insurer has its own cybersecurity company attached with it where they’re like, all the same skills that they need, all the same capacity that they need to be able to do the assessment in the first place, to be able to set an insurance rate is the same set of capacity and competencies that they need to just be able to provide, manage, detection and response. Which is so weird, but also makes total sense. you know, it’s like, okay, if it’s a zero day, well, was a zero. They’re just looking at what represented risk in their prior years. And they’re saying, okay, this type of product, this type of VPN represent a bunch of risk. Here’s what you can do to reduce that risk. You can do this assessment. You can get an MDR. You can migrate to a SASE, which is what? Secure Access Service Edge or something. They’re basically saying do something different to get better insurance rates because you’re borderline uninsurable if you’re running this risky VPN without other mitigations in place.
Vlad Babkin(55:47.803)
It gets even better if you start to really think about it. Imagine that you buy a security appliance and suddenly your cyber insurer tells, hey, now you have more risk, even though you just bought an appliance which was supposed to make you more secure. This should raise quite a few questions in executives’ heads. How did we arrive here? Like what happened for us to, you know, be in a position where we have more risk from a security appliance. Because if that’s the thing. then I have questions to cybersecurity vendor at that point. And if this question is not properly asked, then we have a problem.
Chase Snyder(56:42.316)
Yeah, a hundred percent. Yeah.
Vlad Babkin(56:42.647)
Do you see my point? Paul Asadoorian (56:43.88) yet i’d sorry i just i want to run out the show with talking about the agent again i in the confused deputy attack
Chase Snyder(56:52.179)
yeah. Paul Asadoorian (56:53.15) I love the term confused deputy. think it’s great. And Quark’s lab does a great job with a one sentence reminder that a confused deputy is used to describe a situation where a privileged component is manipulated by a less privileged entity, an application user, et cetera, to abuse its access rights. And we’ve seen this. A lot in UEFI, Vlad, right, with function calls and processes that implement SMM state in UEFI, and there’s a lesser privilege or user accessible that goes outside of controls and then lets you take control of SMM when you should not have those privileges. Some of those attacks have been dubbed a confused deputy attack. Quark’s Labs, as described, is how agents
Vlad Babkin(57:19.786)
No.
Paul Asadoorian(57:46.408)
they talk about how agent systems actually work and then talk about how they can be manipulated so that less privileged apps or users can basically interface with your agent in that system to pull down sensitive data. I’ve not done a lot with agentic LLMs. I don’t know if you guys have played around with them. It’s something on my list that I need to explore, but the article does a great job of breaking it down.
Chase Snyder(58:14.114)
big story I’m tracking on that right now is Claude Bott. Have you guys been reading about that? Yes, yeah, multbook.
Paul Asadoorian(58:18.686)
Is that what they’re called? Is that the one that changed names? that Moltz book and open claw? What is it called now? Is it open claw or no?
Chase Snyder(58:28.046)
I think it’s maybe it’s open claw and multbook is the like Reddit for agents. It’s like the social platform or the these agents, but yeah, people are buying up, buying up Mac minis and just given setting up. like, okay, this cloud thing with all this different, capabilities and tool use and stuff can just take it. I think a lot of it is kind of kayfabe if we’re being honest, it’s like there’s.
Paul Asadoorian(58:37.184)
Yeah. Yeah, okay. Chase Snyder (58:56.95) A lot being published about it. That’s like, this is it. This is a GI. and it, but, but I do think that there is real people. Okay. To tie it back to the corks lab, agentic AI and confused deputy problem that involves a situation where you have a, you have an agent or you have a component that has a certain purpose that, is, know, it has some sort of guardrails on it where it’s not supposed to do certain things. Cloud bot is kind of the opposite where they’re just like, people are like, you know what? I’m just going to give this thing its own computer and access to my everything and see what it can do. And people are definitely suffering real consequences from that because it’s it’s great. Yeah.
Paul Asadoorian(59:27.018)
They wanted to do things. Yeah, which now- Yeah, I, the security is abysmal on it, but like I’m starting to understand the use case. The more I use LLMs in my daily workflow when let’s just talk about, I need to upgrade my computer. Well, now I have to maybe go run some commands on my computer, figure out what hardware that I have if I don’t have that documented already. Or maybe I want to double check because I’ve documented it but it’s not up to date. So what hardware do I have? Then I need to know what parts are compatible. with an upgrade and which parts are worth upgrading, right? So am I getting a speed increase? Am I not? So traditionally, we would start doing this research using Google, reading articles, maybe use PC Part Picker. Then I want to know, OK, what are the best deals on these upgraded components? Like, I can actually open these components, give me the best deals, and then just go buy them. And then print me out some or send me some instructions on how to update them. I don’t want to have to do all that manually. use case is maybe using verbal commands going… maybe you just give it access to your computer and say, figure out what the best upgrades are for this and give it direct access to your computer to run the commands, to enumerate the hardware, to figure it like it should just do that based on my prompt. Like, hey, help me upgrade my computer, right? Should be basically the prompt and it should go do all that hard work for me. Sure, I could do it manually, but it’s a lot of searching, tedious and manual stuff. And I think why people are setting these systems up is, hey, go look at my inbox and tell me what, top three emails I should respond to, right, is the other similar kind of use case. But security around this is abysmal. Every single week we talk about, you I see articles about how this could be, you know, the Quark Labs one is just one of many that talk about how this can be severely broken and it is not secure.
Chase Snyder (01:01:17.975) Yeah. The appeal of an AI agent that can do the stuff that I want to do, it’s a great mirror. It’s a great mirror to hold up to your own life and be like, which parts of my own life do I not actually want to live? Because it’s like, if you want an AI agent that can go manage, you’re like, it’d be great if I could just have it do that kind of thing. Or if you’re like, I really want to, I wish I could automate these all parts of my job with this AI agent.
Paul Asadoorian (01:01:45.066) Yes.
Chase Snyder (01:02:01.932) Maybe you don’t actually like that part of your life. Maybe you don’t actually like your job. Maybe you don’t actually like whatever those people or those services that are emailing you that you’re like, God, I wish I could just hand that off to a robot and not think about it. but you know, there’s parts of our lives that we love that would still be good to automate, some tedium. but yeah.
Paul Asadoorian (01:02:04.351) Yeah. It’s just super, it’s super hard to maintain security controls when it gets to that, right? Like, yeah, I’d love to take a picture inside my fridge of the model number and with one query, like just have the new water filter show up, right? Don’t show up. I don’t want to do anything else in between because that can all be automated, right? But the problem is…
Vlad Babkin (01:02:38.028) Mm-hmm.
Chase Snyder (01:02:38.976) Amazon, subscribe and save, baby. You can do that without the LLM.
Paul Asadoorian (01:02:42.536) If security controls aren’t there, means maybe anyone could get a prompt in there that goes and buy stuff and ships it to a different address. Right? I mean, that’s kind of what we’re talking about with the agentic stuff.
Chase Snyder (01:02:54.252) Yeah, I want to play with it so badly, the risk reward calculation based on what I know about it is not, it’s not there for me yet. My, my, my, my threat model is too high for it currently. Not everybody’s is clearly.
Paul Asadoorian (01:03:00.202) Yeah, it’s not good.
Paul Asadoorian (01:03:08.372) Right. Well, awesome, Vlad and Chase. Thank you so much for appearing on today’s show. Thank you, everyone, for listening and watching. That concludes our episode today. We’ll see you next time. Over and out.
