Airlock Blog

Risky Business - LockBit is down but not out. Yet.

Written by David Cottingham | 29 February 2024

Risky Business Podcast

LockBit is down but not out. Yet.


In this episode of  Risky Biz, Airlock Digital’s Daniel Schell talks about his adventures with WDAC, and Dave Cottingham predicts Windows 12 will go all in on signed code. Also Patrick Gray and Adam Boileau discuss the week’s security news. They talk about:

  • LockBit gets back up after takedown
  • Russia arrests Medibank hacker… for something else
  • ConnectWise gives out free updates, but customers aren’t happy
  • And much more 

 

 

TRANSCRIPT BELOW

Hi, everyone and welcome to Risky Business.

My name is Patrick Gray.Adam Vlo will be joining me in just a moment to walk through the week's news and we'll also be joined by a special guest this week.

My good friend Dmitri Alperovitch, who'll be talking to us about the latest Elon Musk slash Star Shield slash Starlink Taiwan flap.per press reports.

The US House Committee has fired off an angry letter to SpaceX claiming that the Star Shield service the company provides to the US military has been disabled over Taiwan in breach of contract.

It's supposed to be a global service.

So, yeah, more Starlink drama for the Starlink drama, Gods.

Basically, this week's show is brought to you by allowlisting company Airlock Digital and its founders, Daniel Shell and Dave Cottingham joined me this week to talk through a couple of things.

Daniel has spent a couple of months pulling WDA apart to see if Airlock could instrument it.

That's windows defender, application control.and that would mean they could launch a driverless version of their software.

I got some mixed results when sort of pulling this thing apart, Dave Cottingham.

Meanwhile chimes in with his prediction that Windows  is going to involve mandated signed code everywhere, basically.

And,, you know, he makes a pretty compelling argument on that one and we'll sort of talk through about like what that'll get us and what it won't. Because that is an interesting conversation that's coming up later.

But first up it's time for a check of the week's security news. 

Adam. Welcome.

Hello there, Pat. Let's start off with a bit of a follow up on lock bitt.

Locked is dead long live.

Lock Bitt.

Yes.

After the law enforcement takedown of lock bit, I think we discussed it last week,, which was, you know, quite flashy and, and, you know, had all of the right ingredients.

Lock Bitt seems to have bounced back pretty quick.

We've seen a number of organizations being hit with locked.

I mean, presumably those are campaigns that were in flight already as the takedown was going on.

But the locked admin locked sup, himself or it's a group have come out with a very long and almost unreadable diatribe against the US government and, you know, saying he'd vote for Trump and so on and so forth.

But the net result is,, you know, locked has hidden services up and running and appears to be still providing, locked as a service service.

And it's all rather a mess.

So we've seen.

I mean, let's hold our horses for a moment, shall we?

It's only been about a week or a week and a bit and I just don't know how much confidence I'd have in lock bits, you know, freshly restored infrastructure at this point.

This sort of reminds me of back in the day where it's like, oh, Silk Road's down and look.

Silk Road Two, just like the other Silk Road, except with more Feds.

Yes.

Silk Road Two is back up and running.

You know, and that didn't last long at all.

And if you read through the diatribe, that Lock Bitts Sub has published, I mean, there's a, there's a, I think I said this on, on Twitter which is, you know, there's, there's really strong, this is fine vibes in it, you know, where they're like, oh, we think they got us through PHP.

We're not entirely sure, but we've spun everything up with patch PHP.

It's like, well, if you're not sure that's how they got you.

I mean, what's to say they're not in there again?

I don't know.

And I think was it last week you made the joke?

It's not like they could just hire Mandy to a crowd strike or someone to come and help with the incident response.

And as we know, incident response is legitimately hard and throwing a motivated actor out of your environment is hard.

And when that actor is, you know, nation state capability like you, you're in for a rough time.

So, like there was a lot of bravado here and there are organizations still being ransomed.

And so, you know, that's,, you know, as metrics go, the fact that there's still crime being done in their name, I guess is not great.

But yeah, it's just been a real, a real mess.

Look, I think it's premature.

I think it's premature to say lock bit is back.

You know, this could be like, you know, I guess I, I'll steal a, a term from finance here.

It could be a bit of a dead cat bounce.

Yeah.

Yeah.

And like, for example, Andy Greenberg has a piece over on wired entitled ransomware groups are bouncing back faster from law enforcement buss where he looks at the lock.

But one and the black cat ransomware gangs take down and said, like both of these groups are back up and running very quickly.

Therefore, this process doesn't work anymore, which I think is a bit one dimensional in terms of, of an analysis.

But, you know, these groups are distributed and made up of all sorts of different groups of people.

And there's no doubt that the lock bit takedown did pick up a lot of affiliates and people who were, you know, involved in this overall process, like there was a lot of people and a lot of moving parts.

So it is still, as you say, kind of too soon to say, but that's probably not, you know, super reassuring for the organizations that are being lock bitt this week.

No, of course not.

But I mean, another thing that the, the lock bit, you know, admin has, has claimed is the reason the British, you know, pulled the trigger on this operation when they did is because they have court files from Fulton Auntie Georgia and they're gonna release them and,, you know, and there's Trump stuff in there and blah, blah, blah, blah, blah, blah, blah, which, you know, that seems like a coincidence to me.

But now of course, they're, they, they still have that material and it looks like they're gonna release it.

And, Krebs on security has a great report up here where they've looked at the, the sample set that they've released and it looks like they certainly do have the goods here.

So we might start seeing all sorts of juicy, you know, sealed court information coming out of Fulton County,, and, and onto the internet, including, like, you know, stuff that should be sealed to protect, you know, sources and identities and whatnot.

Like this is a pretty big deal.

Yeah, it's certainly gonna be a mess.

And the lock bits up persona, you know, really did seem to be picking a fight with the US and picking a fight with,, you know, the feds and the people who've been busting him and, you know, we've all seen, ise, well, not everyone, those of us who are old enough to have seen wars, you know, this can have all sorts of collateral damage that spills out into other people's systems and environments.

But I think, you know, ultimately, if you're a Russian crime gang trolling law enforcement, it's just not in your best interests.

Right.

And if they are serious about continuing on with their line of work, because they've got enough cover from Russian law enforcement and they feel safe where they are, then the rational thing to do is to not go out trolling, right?

It's to quietly move somewhere else and just get on with your life, collect your money, buy your Lamborghinis.

You know, when it starts to get emotional like this is when you make mistakes, I mean, we did see the the countdown too to the lock lock bit sup identity, which was excellent trolling from law enforcement.

And of course, when it was time to un unveil the identity, they didn't, I mean, you remember in Slack, I was predicting that they'd just replace the countdown timer with a poop emoji, right?

And they did something similar, which is they, you know, they posted a thing that said Lock Bits su has claimed to live in the United States.

He doesn't.

Lock Bitts sub has claimed to live in the Netherlands.

He doesn't Lock Bitts sub has claimed to drive a Lamborghini.

He drives a Mercedes though parts may be hard to source, which says we know who you are.

We know what car you drive and we know you're based in Russia where Mercedes parts might be a little bit difficult to source at the moment.

And then we've got,, you know, AAA follow on message, we know who he is.

We know where he lives.

We know how much he's worth

Lock Bitt sup has engaged with law enforcement smiley face.

And you know, I mean, people took this as to to mean that, oh, lock Bitts is now talking to the cops and it's like, well, maybe they, that, that it's a bit of a troll there.

But, you know, I took it to mean as like engaged you know, in one direction, I guess, engaged in the looking at your webcam direction perhaps.

But yeah, like we are as you know, as you say, we are not gonna know for a while and, and maybe we will never know exactly how much, you know, drama there is going to be because, you know, the chances of being arrested in Russia when you're a cybercrime operator, even when you've been identified is still pretty low.

However, however, however, now this is a great story that I'm very happy to report on.

and funnily enough our colleague, Cataline Kim Panu actually predicted this would happen.

So Alexander Ermak who is the gentleman who is believed to have hacked Medibank, the Australian private health insurer.

This is the guy who was sanctioned,, back in January back last month.

He's been arrested. Arrested in Russia for ransomware crimes.

Now, what's interesting about this is when he was essentially docked by the Australian government, Catalan said,, you know, in our slack, he's like this guy is about to have a real rough time.

Right?

Because now he's been outed as someone who has a lot of money and if he doesn't have protection, you know, he's just in for a rough ride

And now we find out that, you know, by the looks of things soon after he was named, he gets scooped up on some charges related to something else.

My guess is there's a bunch of cops just dividing up his Bitcoin stash right now.

If he doesn't want to get sent to Luhansk.

Yeah, I mean, that, that seems very believable to me.

The reporting that we've seen so far says that he was involved in a group called Sugar Locker that had been doing some ransom rearing and apparently they had ransom weird things

, in Russia Sugar Locker doesn't appear to have a, like a leak blog or anything.

They appear to be just of ransomware without the leaking part of it.

So like we don't really know what they might have hit or anything like what those excuses, what those are but they sure do feel like excuses to pick him up and, and rumble him for, for what he's got.

So, I mean, result.

Yeah, I mean, yeah, it's a result.

and you know, who knows what will happen to him after this.

You know, it may depend on how much money he's got lying around to bribe the cops that have got him or as you say, he may end up you know, contributing to the special operation, the special military operation as a, yes, as a part of one of those meat waves, front line latrine, cleaner Alexander Mentho.

Yeah.

So, you know, this doesn't quite vibe with what Andy Greenberg wrote and wired, which is that doing this stuff is pointless because they just reform.

I mean, here we got a case where, you know, my strong feeling is if you, if this guy wasn't named by the Australian government as a wealthy cyber criminal, he would not have been scooped up by Russian authorities.

Yeah.

And you know, I guess it's probably a chance for the Russian authorities to remind everybody else who's doing this, why they should be paying their, you know, top cover bribes and, and so on, you know, encouraging everybody else is important.

And you know, regardless of how effective taking out ransomware gangs, you know, through legal methods has been this one particular guy, probably not likely to tussle with Australia again.

And you know, even if it's just one person not doing it, that's you know, still a very small success but success.

Nevertheless, for some reason, I, you know, every time I'm thinking about this io guy getting arrested, I keep thinking of Jimmy Pappas from the departed.

Do you remember the departed?

Oh, yeah.

Yes, I got the clip here.

It is.

What happened to Jimmy Pappas.

Jimmy had a rough month.

Jimmy had a heart attack in jail and then he got himself knifed at Boston City Hospital.

I believe it's been in the papers.

You seem quite happy with that result.

F**** result.

Yeah

But quee b though who benefits?

Cui gives a S.

It's got a frigging bow on it.

 

And that's, you know, that's kind, that's how I feel about this guy.

 

Like, you know, result, result now from Nation State from, from we was hacked by a sophisticated Nation State to, well, it was actually ransomware.

 

We've got this this group change health care, which is a healthcare it platform, I believe American.

 

Is that right?

 

Yeah, this is, they are the people that provide services for like a significant number of pharmacies in the United States.

 

Them being offline has caused, you know, some very real grief for people trying to get their medications.

 

But in the sec filings, I think they said that this was like a foreign Nation state group and now it looks like it's ransomware.

 

Yes.

 

So they, they did an eight K filing,, in February, like a week ago now where they said yes, this where a suspected nation state associated cybersecurity threat actor did it to them.

But, unfortunately for them, the black cat slash a V ransomer crew stuck them up on their league side.

So that's, not, not a great look.

And yeah, we've, you know, it's been a while since we've seen the, like, Nation State ate my homework, excuse, being used by people who've been ransomed.

And, you know, I,, I'm dubious about their claims of Nation State attacks now.

Yeah.

Yeah, I mean, it could just be that they got it wrong initially.

Of course, it could be, you know, they saw a Russian IP address and off, they went.

But, you know, if you're going to tell the SEC,, and your investors that then you kind of need to at least be reasonably sure.

And,, yeah, it's not a great look.

I don't think they would have just seen a Russian.

I think we're past those days.

You want to believe that we're past those days.

I like good quality in response teams.

Yes, it's clearly past their point, but we don't know who's doing their incident response.

You know, it may be,, Jim's mowing an incident response.

Right.

I mean, I don't think that's a franchise that exists outside of Australia, but you know, Jim's mowing is the lawn mowing franchise of some repute.

The Mounties in a bit of trouble.

Adam.

Yes.

Reports are that the Canadian mounted police, they're kind of, they're feds,, have some sort of cyber incident.

They haven't said ransomware, they haven't said it was Nation State Attackers.

They have asked that,, you know, cops who work at the RC MP be vigilant,, and they have reassured people that there is no, you know, like safety or security impact to Canadians.

 

But, you know, having your federal police owned, however it goes down.

 

It's probably not a great look.

Lock bitt revenge could be, could be, I mean, that's what you do when you get taken down by the Brits and the Americans, you flail around looking for anyone you can smack that looks vaguely like it so much.

Right?

English speaking the five eyes alliance.

That'll do.

Yeah, close enough, close enough.

Now let's talk about connectwise screen connect

So this was the CVS S  that we talked about last week.

A couple of interesting things have happened here.

First of all, ransomware, crews of all stripes have just piled in to exploit this bug, which I guess is not so surprising, but the company, the vendor itself like initially handled this really, really badly.

And has since turned around and actually got it together probably too late for most of the customers still running on prem versions of their,, of their software, but walk us through exactly what happened here because it, it wasn't pretty.

No, it really wasn't.

So, Connectwise is a company, that makes screen connect as a product.

They've been around for a while and they sell this kind of desktop support, you know, interface, you know, used by a lot of managed service providers to provide desktop support to, to fleets of people.

And this product's been around for a while and it was originally licensed in a mechanism where you bought it once you got a perpetual license to use it, but you had a subscription for updates.

So many people bought it, it was relatively inexpensive, provided good features and then they would pay for upgrades to be continue to be current with it.

At some point, that company was bought out by somebody else.

The new owner moved to a cloud model where, you know, previously you had on prem appliances that, you know, people would phone into and your support people would connect into and, and get screen sharing.

The new owners moved it to a cloud service with a subscription model and the they removed the perpetual license plus upgrade model and replaced it with you just pay per month.

And for many managed service providers that change was a  X increase in cost.

So there were a lot of people who kept using the on prem ones that were perpetually licensed but were not paying for the upgrades.

And so when this bug comes out, there was no upgrade path for these people who are out of license.

And there was,, so then the company initially said,, you know, if you don't have it tough, you know, you don't get an upgrade per the, the original license agreements that obviously didn't go well when it's the CV SS  that leads the remote code executive system.

They released,, quietly released a, a free upgrade to an older version, sort of like the last maintained one of their previous release and said you can upgrade to that.

But they were very quiet about the fact that you could do that.

And everyone else who showed up basically got ups sold to the new versions.

And then they changed their mind after that and decided they were gonna make it available for everybody to download and use.

But net result was very big mess.

A lot of very unhappy managed service providers because this was used a lot by kind of small medium managed service providers that are very price sensitive.

And in the meantime, everybody's getting owned who doesn't patch well, but then they went out and they bricked,, well, they disabled all unpatched appliances as well for people who hadn't patched.

I think they only took that step when it was possible to, to upgrade them for free.

But that feels like, oddly, you know, it feels like the right thing to do because there would have been some people who were unaware that that was so the security boss of Connectwise showed up on his linkedin and had a bunch of posts and honestly, they read pretty well, like he seemed sensible, he seemed smart.

It felt like there had been a, you know, a fight internally about this.

It feels like someone who, someone who's in a bad suit who is like someone who you and I would sit down and agree on most things with that.

That's what it felt like.

It felt like after a while he had convinced them of the, you know, the company of the pr risks that they were facing, they had decided we upgraded free, they released a new upgrade that disabled the license check during the upgrade process.

And yes, they, their licensing mechanism allows them to temporarily revoke a license.

So they revoked anyone who phoned home with an old enough version to be vulnerable.

And then there was a process that if you patched it, your license got automatically re enabled, which, you know, smart solution, you know, stop some of the bleeding.

But in combination with the previous history about how the licensing used to work and so on, there was just a lot of very angry customers that were confused and mad about the whole process and they could have perhaps handled it a little bit better.

Yeah.

So, all in, all, all in all just, I think this is a story that, to me just sums up where we are with a lot of this type of kit, you know, and it's stuff that's been around a while.

It's changed hands a couple of times, you know, it hasn't really been modernized in any particular way.

Some of the businesses have some funny approaches.

I mean, a lot of this stuff winds up bought by larger companies that are just, you know, it's almost like the pe model, right, which is to just squeeze as much money out of these existing, out of this existing client base as possible while the thing dies.

I mean, not all pe companies do it that way, some of them bring in companies and then revitalize them, but often it's just squeeze the last drop of blood out of the stone like the open text Broadcom, you know, that thing like what we're seeing with vmware right now, right?

And this is sort of like the end stage of, of what that of what that looks like.

But look again, I I got the same vibe out of the linkedin post from the co as you did, which is like, here's someone who's trying to do the right thing in a bad situation.

I saw some other staff members from the company posting in reddit threads and so on and they all seemed pretty genuinely upset around the situation that customers were finding themselves 

So, like, clearly there's still some good people there.

But, yeah, the, you know, the world appears to have changed around both users of that software and probably some of the people who work on it.

And the prevalence of a model where, you know, you could sell perpetually licensed software and then charge for updates like that business model, I think is dead, right.

Security has meant that that's just not a, you know, a viable way to sell your products anymore.

Yeah.

No, agreed.

Agreed.

Staying with vendors behaving badly,, or bad vendor situations, I guess because I think we kind of landed that the people who were charging for the patches were all trying to do the right thing, which is an odd, odd place to be when you're talking about a story like that.

But looks like Microsoft has finally turned on some additional logging after this incident that involved a stolen signing key that allowed, you know, Chinese a PT crews to like just fabricate and mint valid tokens that would be accepted for a while.

My God anyway, can't wait for that CS RB report because that's gonna be a cracker.

It is.

But yeah, so finally here they are, they've turned on some additional logging.

You and I had a conversation about this yesterday and it's interesting because I actually do understand the dilemma when it comes to Microsoft, offering to retain this stuff for, for everybody.

Because the volume of data you're talking about, if they're to offer comprehensive logging to every single customer, I can kind of understand why they think, you know, some customers should pay more.

I disagree with them but it's not a trivial amount of storage.

It's not a trivial amount of compute to sort of pull all this, all this stuff together.

It's good that they've come through in this case.

But, you know, a mom and pop store probably doesn't need as detailed logging as the state department.

I think where, where it got ridiculous is the idea that they would want to charge an organization like the state department extra for keeping rudimentary logs, right?

Like that is ridiculous.

If you want to do business with us, government federal agencies or, you know, mainstream large enterprise, you need to be able to offer them those logs for free.

And that's kind of where we landed, isn't it?

Yeah, a a agreed completely.

And you know, anyone who's ever tried to ingest windows logs normally, like just off a, you know, off a domain control or even off Windows workstations, right?

That logging is messy to start with like it's high volume pulling signal out of that noise is real hard, storing it for a long time is hard.

And I cannot imagine how many logs Azure makes, you know, and so you, yeah, I think you're, you know, you're absolutely right.

There are volume concerns.

There be performance concerns, like even just searching and indexing that stuff is expensive.

But clearly it's necessary.

And so what they've been, what they're doing now is they're offering extended logging to federal agencies and they're increasing the log retention period from  to  and  days.

And I assume without charging more.

But, you know, obviously that involves more cost for Microsoft and doing that for the whole platform.

I mean, go fire up.

you know, your, your chrome web inspected and look at how much noise just using teams makes all day every day, right?

I mean, so many API calls, so much stuff to do like comprehensive logging of that platform, you know, at a useful level is gonna be hard and expensive and, you know, I don't know, I mean, I, I think even rudimentary logs would be useful here.

Right.

And I think Microsoft is in a pretty good position and now they've got an incentive now that they're expected to offer this stuff for free.

They've got an incentive to do some tuning here and actually figure out like what really do we need to keep and what, what do we not need to keep?

And if you're, you know, spending a million dollars a day on hard disks or whatever store logs, then you've got budget to go do log tuning because all of a sudden it makes sense whereas an individual, you know, consumer of Azure has no real incentive or, or means to be able to go tune that stuff.

Like only Microsoft can do that.

So, yeah, if it pushes them towards it, then hell yeah.

Yeah.

Now moving on, let's talk about Sand Vine, which is a company based out of Canada that does network based kind of Spooky collection gear.

I remember back in  they pulled out of Belarus when it was revealed that their technology was being used to crack down on protesters and whatever.

And they said, well, you know, butter wouldn't melt in our mouth.

We're out of there.

And they were trying to do business with the US government at certain points like the DEA and whatever and US government didn't touch them.

largely because they'd done business with a bunch of undesirable places.

This has, you know, obviously they, they have been doing a lot of that because they just got sanctioned and you have to be behaving real bad before you get hit with the sanctions stick, especially as a Canadian company.

tell us about this.

Yeah.

So they, they've been placed onto the entity list along with people like NSO group and, and so on.

For their the one that's been cited is them selling surveillance gear to the government of Egypt.

Bloomberg reported, I think back in  that they had done business with a whole laundry list of countries.

So Algeria, Afghanistan, Qatar, Russia, Thailand Turkey, the UAE Uzbekistan, Kuwait Pakistan, like a whole, a whole bunch.

And they've been clearly shopping this gear around.

So sticking them on the US entities list along with a whole bunch of their subsidiaries in other countries, you know, means that US technology companies are not going to be able to do business with them, not be able to sell them services, which, you know, I don't know where San Wan gets their hardware from or whether they, you know, use Azure, they can have a rough time, I guess.

with the US ecosystem being pulled out from under them, it's a pretty big stick to hit him with.

Yeah, it is, it is.

Now just quickly we've got a bit of a follow up on the IUN leak that we spoke about last week.

Trend Micro has a post up sort of that ties some of this is soon stuff to some activity.

It's seen targeting people in Taiwan.

Yes.

So Trend Micro has linked it with a group that they track as Earth Lska.

So this is a group that they've seen, you know, most recently interfering with elections in Taiwan.

And they've looked at the overlap of some of the targeting in information places.

They've seen Earth LSKA and data we've got from the IUM leak that had details of some of their victims.

There's also overlaps in tools and they had previously said that Earth Laska operated out of Chengdu, which is where I soon seem to be operating from.

So a number of indicators that kind of pointed together, which is, you know, we, we figured that there was enough information in that leak to tie them to.

Yeah, like I mean, I said it last week, over time, we're just gonna get more and more linking and whatever, you know.

So we're seeing some of that happen now.

The White House, I mean, it is just, you know, it's awesome to see this on a White House, you know, press release.

You know, on CD report calls for adoption of memory, safe programming languages and addressing the hard research problem of software measurability.

So the office of the National Cyber director has published a technical report, called back to the building blocks a path towards secure and software.

And they're saying, you know, that's it.

Everybody needs to use MEMS Safee languages.

And, you know, again, you and I were talking about this one through the week and we agreed that this was the best advice that they could have given anyone  years ago.

Yeah, exactly.

I mean, it's, it's, as you say, it's nice to see it on White House letterhead.

But, you know, mem corruption bugs have been on the downward trend for a, for a long time.

Although it is, you know, it's just kind of rewarding.

I'm trying to imagine, you know, as a, as a teenage kid reading, smashing the stack and frack, you know, back in  or four, whatever it was.

And we, you know, first got introduced to, to buffer overflows in the more general, you know, beyond the Rob Morris worm kind of world, like it's wild that it's, you know, we finally got to the point where this is a thing that, you know, the White House is, is, you know, weighing in on, but as you say, rather too late, I mean, we're gonna really have to see what steps the US government takes to put, you know, to, we're gonna have to keep an eye on what sort of demands they make from industry, right?

Because I think there is still a little bit too much thinking along the lines of if we just get them to do this, do you know what I mean?

Like a lot of problems are gonna go away and you just, you know, it's like squeezing a balloon in a lot of ways, right?

You just push the problem somewhere else.

So, you know, this won't save you from all of the dumb logic bugs and it won't save you from all those sort of, you know, cross site request forgery in admin interfaces on appliances and like there's just so much here that it, that it won't touch.

And I do worry that eventually we're gonna wind up with a bunch of checkbox prescriptive rules that don't actually do anything.

And,, you know, that often happens when you introduce rules, although, you know, you see other ones where, you know,, things have to have a mechanism to be update and things like that.

So, so some of it's quite sensible, some of it's,, not, but, and, you know, I have no problem with the White House saying encouraging the use of mesa languages.

That's great.

I just do worry that,, yeah, I just do worry about the bigger picture here and, and where it's going to wind up.

But, you know, I'm prepared to be pleasantly surprised.

Let's just leave it at that.

At the very least we get to have a whole bunch of jokes on Infra Mas on about how they're taking our pointers.

That's right.

That's right.

They're taking our, what have we got here.

Finally, Adam, Tornado Cash.

There was some weird, like someone was having a go at Torna now, this is, of course the sort of, you know, stand alone Blockchain app that Launders Bitcoin for people, you know, mostly ransomware actors and like the worst type of people imaginable.

You know, people have been sanctioned over it.

Like, I think as soon as your Bitcoin touches this thing, it's automatically added to some sort of list, right.

But there's been some sort of supply chain attack against it.

Is that right?

Yeah.

So tornado cash is these days an open source implementation of a Cryptocurrency mixer that you can run on different blockchains.

North Koreans have been using a lot of tornado cash over the years to obscure their their stolen crypto.

In this case, a developer or someone who was operating an instance of tornado cash on IP FS the interplanetary file system, which is kind of a sort of Blockchain adjacent, I guess in this context.

And they had backdoor at the front end where you submit your funds to be mixed such that it basically could, then they basically kept the private keys of the mixed funds so they could later steal or track where they went or whatever else

In this case, I think it was just a developer attempting to make profit personally, it didn't feel any more sophisticated than that.

It's just the usual, you know, kind of snake pit that is the Cryptocurrency world.

But yeah, we've seen at least one case of mixed funds then being subsequently stolen and used.

But I mean, I mean, it, it did give me some ideas.

Yeah.

Yeah, I mean, there's, there's some value in the overall thinking of you know, there being no good Cryptocurrency mixes that aren't operated by feds.

Yeah.

Yeah.

So I'm thinking, you know, maybe if you, if you're one of the, you know, us Treasury or FBI or you know NSA or Cyber command, you might want to, you know, just put your little thinking caps on and have a bit of a read about this.

I've linked through to Catalan Kanu's right up on this one.

Yes.

Yeah, Catalan did good work on this.

I didn't see much other coverage of this anywhere else.

Yeah.

Alright, Adam.

That is actually it for the week's news, but let's bring out our feature guest now.

Dmitri Alperovitch is best known in the cyber community as the co-founder of Crowdstrike, but he's been out of that for years now.

And these days he runs a think tank called the Silver Policy Accelerator.

He also has his own podcast called Geopolitics Decanted, which I help to produce and sometimes appear on as well.

And yeah, Dimitri's interests these days are less about the cyber and more about geopolitics.

Dimitri, welcome to the show.

Thanks for having me on now.

Tell us about this latest Starlink slash Star Shield slash SpaceX flap because it looks like some sort of what is it?

The House Committee on the CCP has written an angry letter to SpaceX saying our Star Shield terminals aren't working in Taiwan.

You know, this is a breach of our contract, this is outrageous, blah, blah, blah, blah, blah.

And meanwhile, then you've got spacex on Twitter saying that's wrong.

Why are you going to the media?

It's a mess

But can you walk us through exactly what's happened here?

Oh boy, Starling GEO fencing is like the saga that never dies.

We spent so much time on this podcast on my own podcast talking about Ukraine.

Now we have Taiwan, right?

So here's what happens.

So Mike Gallagher, who's the chairman of the Committee on China in the House of Representatives on the Chinese Communist Party, just went to Taiwan this past weekend and got back from Taiwan, learning apparently from talking to presumably us servicemen who are there that the Star Shield Service which as your, your listeners may recall is the separate service that the US government has just procured this past summer, which probably relies on a lot of the same infrastructure starlink, but is dedicated to the US military.

Supposed to not have any Geof GEO fencing whatsoever.

It's supposed to work everywhere that this Star Shield Service apparently is not working in Taiwan.

So Representative Gallagher wrote a letter to spacex demanding to know why and when that's going to be turned off, accusing them of a breach of contract.

Look, my own view here is that spacex probably messed up.

Starlink almost certainly is GEO fenced in Taiwan because Elon wants to have a good relationship with China and probably because of the shared infrastructure, they didn't anticipate or they forgot that they were also geo fencing Star Shield and given that they do have a contract to provide a global service.

And given the fact that Elon really is the world's richest defense contractor.

Right.

I mean, SpaceX basically lives off us, taxpayer money.

Both NASA and various intel agencies that are sending up satellites through,, through spacex.

He really can't afford to piss off the US government.

So I think you're probably gonna see a resolution to this coming soon.

I think you're probably right.

But the thing that surprises me about this is that it got to the point where a house committee felt that it needed to write a letter and then leak it to the media.

Like why, why could this not have been resolved more directly and, and, and in a simple way, you know, it just suggests to me that the relationship between the US government and spacex, which is now a major, you know, as you point out it's a major government contractor is not particularly good that the lines of communication are not particularly clear and, you know, and, and, and then this, this sort of mess happens like it just, it's, it's weird.

Yeah, I mean, part of it, of course, is Elon and his own interesting ideas, shall we say that he expresses on his ex service?

But part of it is also, I think that SpaceX really is not a traditional defense contractor, they're not sort of the beltway Bandit as we call them here in America where, you know, people come out of the government, they're embedded in these companies.

They know and have very good relationships with the US government.

They're sort of a California Silicon Valley firm that also happens to do a lot of us government work and defense work, but really wants to treat itself as a Silicon Valley company.

And Silicon Valley traditionally has a lot of disdain for Washington DC.

Doesn't wanna learn how the city operates and, and how to work with politicians.

So I think that's part of the problem.

But look, I think the, the other reality here is that there is tremendous amount of concern amongst the grunts if you will inside us, government in spice inside a space command and other units within us military about the reliability of spacex.

I can tell you that I've heard sort of discussions going on about the use of what's known as DP A Defense Production Act Authority, which is our way to compel companies to act in service of the nation.

So we did that famously during COVID where we asked a bunch of people to produce ventilators when we thought we were running out of ventilators.

And it's used actually now fairly frequently in a lot of national security purposes.

And they're sort of rumblings of like, well, maybe we should use DP A on Elon if he's not going to cooperating and do what we want because that's the way that we can force the issue.

So I think spacex really needs to figure out how to make a better relationship with all elements of the US military.

Obviously, their NASA relationship I think is actually quite good.

But on the US intelligence side, military side, perhaps not as good.

I mean, we saw a recent flap in Ukraine as well where there was a GEO fence introduced along the front lines and there might have been some good reasons for that to, for example, stop Russians from being able to use the Starlink terminals on their side of the lines and whatnot.

But the Ukrainians were like saying, look, we can't really push forward anymore and maybe you could turn, you know, this GEO fence off and it looks like Starlink has done that, which is great.

But now Russians are in fact using Starlink and, you know, the conversation has shifted to, well, you know, maybe you could help us ban certain accounts that we know are used by Russians or, or whatever it just seems like like spacex isn't very responsive in these sort of situations.

The fact that the this Ukraine thing has turned into a, into a flap, this Taiwan thing has turned into a flap, you know, as you say, you know, I, I I'm not surprised that people within, you know, the US defense and Intelligence establishment are sort of questioning the company's reliability.

Yeah.

Although I would separate Ukraine because it's one thing to say no to us government, which spacex really can't afford to do at the end of the day.

It's another thing to say no to Ukraine, which, you know, is getting a lot of these terminals as charity, of course, from SpaceX directly and then from others that are paying for it.

So Star Shield is not Star Starlink, right.

But it's also kinda is.

So Adam, I know you did a bit of research on this this morning to see if you could actually figure out whether this infrastructure is shared and it looks like Star Shield, which is the, you know, the military version, the ultimate goal of Star Shield is that there'll be a couple of  satellites that offer, you know, Starlink style capability.

but they, they're gonna be completely controlled, owned, operated by the US by the US government, but they ain't up yet by the looks of things.

So there's probably some shared infrastructure which would support what Dimitri was saying earlier, which is this is probably a mistake and just because Starlink service isn't available around the Taiwan area, that that might be why, why the Star Shield stuff isn't working.

But that, that's what this looks like right where there's a little bit of shared infrastructure happening until they can spin up the the US government's very own.

Yeah, I mean the contracts for Star Shield are still pretty fresh and there's like what $. billion worth I think signed for SpaceX to put star shield related governs up into the sky.

But people who keep track of starlink launches and kind of other SpaceX launches with us government stuff on it, have got like maybe a half a dozen satellites that they can attribute to being, you know, plausibly star shield related.

And some of those have been on other non starlink launches for some of their transporter, you know, rideshare launches up to orbit.

So like right now, my guess is that the, you know, the Star Shield service such as it is, is probably just running as a, you know, a virtual service over the top of Starlink whilst they put satellites up.

And part of the plan for Star Shield was to also provide you know, hosting space for other payloads, other US gov payloads on SpaceX satellite buses that are, that are going up.

And so all of that takes time.

So I mean, my guess reading this is that probably there was just a miscommunication about how the service is provided in Taiwan.

obviously, according to spacex's kind of, you know, retail presence, you can't just go buy Starlink in Taiwan.

It's listed as unknown on their like ordering page.

But you know, I imagine in the interim, they provided the US government with a Starlink service branded Star Shield that just uses off the shelf, starlink everything in the meantime, and perhaps that's not working in Taiwan for whatever reason.

Given Elon's business relationships with China.

I could imagine that being a sore point.

, but we don't know that well.

All right.

I think we're gonna wrap it up there.

Gents, Adam Barlow.

Thank you very much for everything this week.

Always great to chat to you and we'll catch you again next week.

Thanks so much, Pat.

I'll talk to you then and Dimitri.

Thanks so much for being our, you know, our special guest to talk about all things.

Starlink and Star Shield

Always great to have you on the show and we'll have to get you back for a full news slot later this year.

Cheers, great to be with you guys.

It's time for this week's sponsor interview now with David Cottingham and Daniel Shell from Airlock Digital.

They make an allow listing solution that's actually usable at scale.

So, you know, a true Australian success story.

These, these guys lots and lots of happy customers all over the world.

And yeah, Daniel who is Airlock CTO has spent time with W DAC lately, which is Windows defender application control.

So Daniel was curious to see how easy it would be to instrument allow listing policies via W DAC and currently Airlock uses its own kernel driver, but Daniel's gonna talk about whether or not they can use WDAC in lieu of their own kernel driver.

And Dave's joining us with a prediction and his prediction is that Windows , there's gonna be a big push to only allow, only allow signed code to run on Windows  basically.

But here's Daniel to kick things off by talking about his journey of WD a discovery.

Enjoy.

I guess when I look at W deck, I'm looking at comparing it against, you know, airlock's feature set because I'm trying to do a mapping, right?

Cos I'm thinking like, hey, maybe there's some ability that we can actually manage like a driverless Airlock where we manage the W deck policy, you know, how feasible is that and where are the limitations around that?

And that, and that's been really interesting journey because we've really found that we can actually implement some of our functionality into W deck in a funny way.

So we can like, we can actually add some of the exception hanging.

We have a feature, we call a one time pads which is like exclusions where the help desk gives them a code that lets them unlock their PC for temporary for a period of time, lets them get on with it, you know, then of a workflow to trust those files afterwards and then apply that to policy.

We can actually do the same thing in W DC, but it's not saying that W DC itself can do natively, I guess, you know, it, because what it's missing, I guess at the end of the day is the orchestration to, you know, collect those events back to the server, do the management, et cetera, I guess.

And, you know, we were talking actually before we got recording and this isn't your road map, right?

We shouldn't, we shouldn't tell customers that, hey, you know, the next version of Airlock is gonna be doing, you know, all of its actions on a box via WD A.

But you know, is that something, do you think that, you know, do you think you could actually use WD A in lieu of a driver to get done what you need to get done on a box?

Yeah, we, we, we definitely can, technically, I don't think there's any reason you can't.

But what we found is, you know, just, there's some, some core ways that W DC works a little bit differently than we do today, but it really, at the end of the day, it just means that we have to collect a little bit more information or different types of information to make trust decisions on because, you know, they all use different hashing hashing algorithms for certain use cases.

Publishers are treated a little bit differently.

So we, we just need to make sure that we can, you know, operate the same way.

So at the end of the day we have to be able to generate the XML.

So all the information that we need to put in the XML, we need to collect from, you know, from that operating system.

So, so, so do you think there's a chance that, like, we'll see some other companies and not necessarily pure play, allow listing companies but other security companies coming in and trying to do some level of instrumentation through WD?

Do you think that's kind of what it's for?

I don't, Dave's got his hand up here.

So it's interesting because in the Apple ecosystem, you have the import security framework.

That's why I'm asking like, do you think it's a nicely instrumented here?

Go consume this feed

Same with fa notify even on a Linux kernel but on Windows WD A is really a closed system.

You know, Microsoft are building it as part of a defender offering and it's, it's kind of like powershell, it's sort of kind of closed and you can hack things around and, and throw things into the system in order to influence it, but it's not sort of API driven and easily reverse engineer.

What does this tag in the XML mean?

And then e exactly like, you know, I, I still think even if we were able to use it in a driverless way, we'd still need some sort of agent sure that agent could be user mode.

But it, it's, it's not simple.

Unlike Apple and, and and maybe a little, we should point out too that you use that API on Macos to make your stuff work.

Right.

And, and I remember when you built that client, it didn't appear to take very long to get that one.

No, it was far quicker to develop, you know, and it was, it was just interesting working with the different ecosystems

You know, what, what the changes were.

But,, well, it's a shame, isn't it?

That, that Apple's probably like % of the devices that you allow less and, you know, Windows is like %.

It would be nice if it was the other way around.

In, in your case, I'm not, you know, this isn't supposed to be, you know, I mean, I know that MAOs isn't exactly a business operating system, but yeah, I mean, they definitely got that part of it.

Right.

Yeah, %.

I, and I think I'd add on top of just the W deck sort of instrumentation there.

Like I, I've been doing a loud listening for a while.

And, and the fact that I sit here, you know, with looking at XML files for moms banging my head against the wall, like just screaming, like why, you know, it, it, it, it's so this is them making a play to encourage an ecosystem where people are going to use this as an instrumentation layer.

That's what I was wondering, you know, So I think so.

So then what, what the F are they doing?

II I think what they're doing right now is they're enroll in making it better into in Microsoft intune with the idea being is that if your organization deploys an app through intune, it will be trusted on the endpoint for a capability to have called managed installer.

And then that's the play, like if you, if you push software this way.

So this is like a intune, this is, this is gonna be some sort of intune integration so that like your soy is a allow listed, I guess.

Yeah.

Yeah.

Yeah.

And, and that's correct.

I five Microsoft, that's a, that's a wonderful thing to introduce to their product set.

But it ain't, it ain't really, yeah.

Again, like it's not really, it's not really the full kitten Caboodle, is it?

No, no, but it's really interesting how they've actually instrumented all that.

Because what's actually happening is you have to actually turn on App Locker again.

So you have to bring that back and then you need to make all these dummy policies so it can actually properly start.

And then there's a new type of sort of hidden policy called a man installer policy where you can then make a rule that says, hey, well, this executable, let's say it's the intune agent is now trusted as a man installer and, you know, independent of WD A, you can even just turn off WD A completely.

And what that means is that every time that this installer does actions on the disk, it's actually tagging extended ntfs attributes of those files and saying that, hey, this is a managed installer.

It was installed by this app at this time.

And then when you turn on WD A, there's an option for W DC which is like trust managed installer and then it trusts those ntfs extended permissions.

So what are they, are they stuffing like,, signatures or hashes into,, like NTFS ultimate streams or like, how are they doing that?

No, there's a feature called like extended attributes.

It's like, so it's not an alter stream, it's a different feature.

That's why I wondered intf knowledge is like, frozen in time from about  years ago.

But, yeah, and these probably existed back then for some reason, right

But the, the way that, and this is interesting as well and there's been some research in the past where people have found out ways that you can select, copy these files off and modify the tributes.

And then now you've tricked, you know, there's been CV S in the past about people tricking systems that rely on these.

But what Microsoft have done with WD A is that when or I guess from the kernel now is that when you make extended,, attribute modifications from the kernel, they actually are protected that they can only be changed by the kernel.

So there's like user mode, extended attributes and then there's kernel extended attributes.

So, since WDX is doing this stuff, all this stuff's happening from kernel tagging with the app locker drivers at that stage, what's going on is that you can't remodify.

I mean, I think that's kind of cool, you know, like having a massively overkill, overly complex

Like that's one place where I'll accept the complexity, sir.

Clearly, the engineering's brilliant.

I mean, and also the,, you know, your database becomes the file system of trust, you know.

Well, long story short, I mean, it sounds like WD A is interesting but you won't be ditching your colonel driver anytime soon.

I think that's when.

No.

Yeah.

Yeah, so it's, yeah.

So look, Dave, you wanted to talk about something else, while we got you here, which is a bit of a prediction and you think in Windows  Microsoft's gonna do a big push towards, you know, only signed code, but they're gonna like democratize code signing and there's gonna be everything's gonna be signed and what you described to me, it just sort of sounds like, you know, let's encrypt but for signed executables.

So when let's encrypt democratized, you know, SSL certificates you wound up with like signed phishing pages and this sounds like what we're gonna wind up with is like signed malware.

Hooray.

I mean, what's the, what's the plan here, I mean, look and in, in my opinion, all of this engineering that we've talked about in Windows core isn't for in tune deployments, right?

For businesses like you, you do this to build it into the operating system and, and with smart app control, you know, what I think will happen is in Windows , that all user mode code signing will be enforced and you won't be able to run Binaries without having signed code.

And what that means is that there's just more traceability on all code, but I feel as though it will also cause a Windows vista UAC type moment where people will upgrade to  and go.

Oh my app doesn't run anymore.

Why not?

And that will just be mandatory and it will sort of, you know, rise the tide, make all developers sign their code if they want it to run on the new version of Windows.

And the way that Microsoft's trying to get people to sign code is through this thing that's been in preview for the last four years, which is Azure code signing, which is they're trying to give people a free way to actually you know, have an Azure account through pipelines, get their code automatically signed through keys that are stored in their Azure account.

And you know, it will give you spit out signed Binaries and you build and also WD A trusts Azure code sign code by default in the actual core policies.

So, you know, I, I really feel as though this is the way we're heading in the ecosystem Apple does this already, you know, you have to notarize everything that you, that you run and are allowed to run.

And I feel as though it's one of those changes, what you said is true.

It introduces a sort of modicum of traceability for everything, right?

It, it, it does and, and you know, I, I don't think the the current ecosystem of software signing, like for us to sign code, you know, we might have, you know AAA system where we'll go to Digic Cert or whatever, get a USB key, we have the private keys and I, that, that doesn't work at scale if we're gonna get all developers across the world to actually make sure they code decide.

So, you know, we need systems like Apple's notarizing service where you can contact them, say sign my code and it gives it back in an easy way and that's what Azure code signing is trying to do.

Well, I guess I'm, I'm guessing it's gonna make like in a lot of ways it'll make your life a lot easier too when just everything is signed because that's one of the biggest dramas, right?

When you're trying to run an allow list is dealing with unsigned code and there's so many vendors out there

Like I, because I know, you know, you'll go into an environment and then there'll be this some niche software that they just don't bother signing and it's, it's a drag is what I'm getting.

So, like Microsoft kind of forcing people to do this.

It's gonna be great for you.

Yeah, definitely.

And I think that, you know, we're still gonna have a long tail, long legacy, of course.

But,, you know, I, it's really gonna improve things overall as much as it's gonna cause headaches.

I think in the short term and again, this is just our opinion and we, we will see how quickly it happens, but,, it's inevitable.

I think that it will happen.

You know, at some point and the engineering sort of points to that.

Now, I guess the question is if you democratize code signing, how easy does it become to sign malware?

And that we're just gonna see malware sign code.

But, well, we will, but it's like, I guess, you know, from an auditability, traceability point of view, it's good from making your life easier.

It's good as well.

So I think it's one of those things where, yeah, it's just, it's worth doing Daniel.

You've been trying to jump in for quite a while.

We gotta keep it quick though because we're going over time.

Yeah.

Yeah, no worries.

I, I guess it was just cos it just said let's encrypt, I guess, you know, the difference here might be to some degree is sort of that identity stage is still there, the Microsoft code signing.

So might, well, what I was just gonna say is the Microsoft code signing, you know, or code sign preview project, you know, what's interesting about that is, you know, yeah, you sign up for that or you get, when you get that enabled, when it comes out preview, finally, you then get your organization still does get verified as it does with other CS.

So there is that stage, you know, and you still verify your own the domain and all this other stuff and then yeah, you can sign the code.

But the difference is at the end of the day is that, you know, your code signing, sign your private keys and such are protected by your or credentials, right?

So they're not, you know, today there's a lot of situations where your certs are on disc developers have them, they lose, they get stolen, they get uploaded to github that that whole attack vector gets gone.

I don't know because then at that point, you know, someone just needs an Azure account, right?

Like instead of actually hacking into a place where the keys are stored.

So I don't know, I think, I think there's a lot more controls there.

Right.

Right.

That sort of scale, I'm skeptical because, you know, Microsoft can barely handle all of the account takeovers on its platform.

Dave does that does that give the ability for code revocation globally?

What if this system is running?

Like, hey, your stuff, your account got compromised, there's malware out there sign or do you think that that's just antivirus?

Would they leverage this as well?

There'll be all sorts of weird and wonderful ways that this is gonna go sideways, right?

But,, Daniel Dave,, always such a pleasure to chat to you both.

Thank you so much for joining me and,, you know, thanks for your continued sponsorship of the Risky Business Podcast My Friends.

And,, we'll catch you again through the year.

Cheers, bye.

Thanks, Patrick.

Thanks, Patrick.

That was Dave Cottingham and Daniel Schell there with this week's sponsor.

Interview big.

Thanks to them for that and you can find them at airlockdigital.com and that is it for this week's show.

I do hope you enjoyed it.

I'll be back next week with more security news and analysis.

But until then I've been Patrick Gray.

Thanks for listening