State of Cybercrime

Proofpoint Spoofing

Episode Summary

Matt Radolec and David Gibson discuss how an unknown attacker recently exploited a vulnerability in Proofpoint's email routing system, allowing them to bypass security measures and send millions of spoofed emails on behalf of major companies.

The co-hosts also cover:

+ The North Korean threat actor hired using AI
+ The biggest ransomware payment ever made
+ How X is training its Grok AI LLM with your posts
+ The EU's groundbreaking AI Act
+ How anyone can access deleted and private repositories on GitHub
+ Updates on AMD's silicon-level "SinkClose" processor flaw


Episode Transcription

[00:00:00] We're going to talk about some things that might be posing a risk to your organization: underreported crypto theft, vulnerabilities that you should be concerned about, 91 ransomware attacks, a 1 billion person data breach. Welcome to the State of Cybercrime Podcast. I'm your host, Matt Radolec from Varonis.

The following podcast has been adapted from a live show. Check out our YouTube channel for the full video and sign up on our website to be notified of upcoming live events. My name is Matt Radolec, co-hosted by my dearest colleague here, Mr. Gibson, and let's get into it. So, you know, oftentimes in cybersecurity, it's all doom and gloom, right?

There's another zero-day vulnerability or another breach, and it's going to be the thing that gets all of us. But there's often a lot of good things to say, too. You know, most recently, there's been a real crackdown on cybercrime from both the FBI, but also the Central [00:01:00] Bureau of Investigation, which is in India.

So with support from the FBI, the CBI arrested 43 different people in Delhi for operating a global fraud network. This syndicate, which had been active since 2022, basically impersonated legitimate entities and used malware-laden popups, and retrieved somewhere around $20 million. During the raid on the call center by the FBI and the CBI, they actually interrupted live cybercrime operations.

So, they called their operation Chakra 3. You know, they even had Interpol involved. They seized laptops and hard drives and mobile phones and all kinds of other incriminating evidence. So, we'll likely see a number of guilty pleas and some charges in successful court cases here. Another win for the good guys.

And, you know, David, I feel like more often than not when we're talking about wins, we're seeing joint cooperation between [00:02:00] law enforcement agencies around the world. In this case, we've got the CBI, we've got the FBI, and we have Interpol all working together to take down cybercriminals. Yeah, it's nice to see the teamwork. It's like we're getting our act together.

Yeah, yeah, but this type of coalition is one I can get behind. Now, this wasn't the only bit of good news that we had, though. I think there was something that you wanted to share, too, something from the UK. Yeah. Yeah, this I was really happy to see. Apparently the authorities in the UK have disabled a kind of phone spoofing system called Russian Coms.

And this allows attackers to easily spoof people's caller IDs. And I'm sure almost everybody on this call has had somebody fall for this. I [00:03:00] actually had a relative of mine fall for this twice, where it looked like Amex was calling. And, you know, this is happening all the time. Anyway, one of these networks, that was accessible by a web app and a physical phone that also came with a bunch of fake apps on it to look like a regular smartphone, they dismantled this infrastructure. I'm sure more will be popping up, because there were 170,000 victims in the UK alone.

And that doesn't count the victims in 107 different countries around the world. So, I know that this is a huge problem. People trust their caller ID, even though we all know they shouldn't. But, hey, thanks, UK authorities, for taking this down. You said at the front there that you had a relative that went through that.

I also had a relative that fell for one of these. [00:04:00] How many people out there know someone that has fallen for one of these, you know, I don't want to call them financial fraud schemes, where they either give up some bank information or they wire some money? Or, you know, maybe they send a deposit somewhere expecting to get money back.

I feel like I just know too many people that have fallen for this. This is the kind of thing they should be teaching in schools now, along with stuff like taxes and health and stuff like that. Yeah, this is just so dangerous. Oh, one person said the same person more than once. That's tough. Yeah, it's sort of like, okay, no computers for you.

Yeah. Well, you know, speaking of no more computers, let's jump into our next segment, AI Vey, because nobody is tired of hearing about AI. The good and the bad, you're probably all sitting at home and saying AI Vey to yourselves. But we'll cover some of the good, the bad, and the ugly. First and foremost, though, it's got to be the [00:05:00] first, at least, documented, successful deepfake hire.

So KnowBe4, which is a US-based security awareness and training company, inadvertently... first of all, hats off to them for sharing what happened to them with everyone and being very transparent about it, and the fact that it does not appear that the attacker got any customer data. They were posing as a remote software engineer, and they actually conquered quite the interview process to avoid being caught.

They had verified references, they had four video interviews, including one with the CEO of the company, and ultimately what got them was they VPNed in from a known bad mule location of bad laptops. And so, this Mac that this employee had gotten shipped was infected with malware and had connected in from a known bad location. And so, with the help of the FBI and Mandiant, they were able to figure out that the employee had actually tried to put a [00:06:00] Raspberry Pi on their network in order to load the malware and try to load the malware into KnowBe4.

But quite the deepfake from a North Korean hacker, you know, impersonating a valid, legitimate U.S. citizen with legitimate references and legitimate background, and, you know, using AI to re-image their face for the interview process. Like, this is the real deal.

This is an APT-style threat. Yeah, this is crazy. When we first read about this, we didn't have all these details, but, you know, then it sounds like, okay, they got through the interview process, which is impressive by itself. Then they got the Mac, and started doing their thing.

My one question was, didn't they notice they were sending the Mac to North Korea? Yeah, yeah. You know, you'd think that that might be an indicator, but it sounds like [00:07:00] they got it shipped to somewhere that wasn't North Korea, right? Yeah, and talking about AI, what's the deal with the AI and everything that's going on from the EU firms and AI guidance?

Yeah, this was pretty interesting. A bunch of stats from the Financial Pulse 2024 report by Sapio Research, and it's behind an authentication wall, or you have to put in your personal information to get it, but apparently 750 respondents from the UK, Germany, France, and other European countries were polled, and they found a few interesting things.

First, finance firms are early adopters, kind of leading the charge with using AI. Kind of makes sense, there's some use cases there with fraud detection, risk management, investment management. [00:08:00] But that's just from kind of an upside, you know, like what are you productive with this, or what are you using it with?

But in terms of the risks associated with it, I thought it was interesting that data security was the one that was most commonly cited, at 43 percent. Then there were also intellectual property risks and legal risks that were cited that were a little lower. The other couple of interesting things: most of them had no access limitations on AI, also more than half lacked clear guidance on how to use AI acceptably, what can they do with it, and then less than half said they have restrictions on what type of data can be inputted into the AI models.

Yeah, and I think 9 in 10 or some 90-plus percent said that it's dangerous. You know, and we don't know that we're doing anything to stop it. So 50 [00:09:00] percent of the time, it works every time, and 9 times out of 10, it's dangerous. That's what I gleaned from that. Now, speaking of, go ahead.

That's just, but a lot of people are just charging ahead and using it anyway. But the regulators appear to be charging ahead, too. Am I right? Yes. In December, we spoke about this. What's the latest on the EU AI Act? So, you're absolutely right. This was introduced in December. It has moved into the next phase as of, I think, August 1st.

Which is really now a countdown to when the rules will take effect. Now, the way the Act works is, it's basically categorizing AI systems with risk levels. So, there's four of them. There's unacceptable risk, there's high risk, there's low risk, and limited risk. There's some, like, unacceptable risks, like the proactive policing, like I thought of Minority Report when I saw [00:10:00] that.

That's going to be banned in February, so there's a ban in place in February. Most of the AI stuff is being categorized as low risk, right? Like, you know, ChatGPT. These are set to go into effect next August, or rules to govern their use are set to go into effect next August. The high-risk ones take a little longer.

These are the things that would decide whether you get a loan or not. Also autonomous robots, which I'm glad they at least made the high-risk category. Those rules go into effect in 2026. And then, I guess the big thing here is that there's fines associated with non-compliance, I think up to 7%.

And I was going to say, and it's on revenue. Yeah, it's on revenue, on profits. So that's pretty considerable. Now, if I remember correctly, we're going to do a webinar on this in September. And so, [00:11:00] for anyone that wants to go to that webinar or have our team register for you, I think we're going to launch a quick poll really quick.

And if you hit yes here, we'll sign you up for that webinar, and if you don't make it, we'll send you the recording. If you hit no, you can always go up and sign up for it later. But just wanted to give people a chance, if you want to hear more from Varonis on the EU Artificial Intelligence Act, we'll have a full-blown, I think it's an hour or 45-minute session just on that topic alone coming up in September.

Yeah, so RSVP for EU AI. Yeah, there you go. That's a mouthful. Say that five times fast. No, thank you. You know, let's talk about, talking about autonomous and self-driving cars. I mean, sorry, self-driving social media, isn't that going to just be like the greatest thing ever? Can we really do any worse with social media, right?

Like when I hear that Grok AI is getting trained on Twitter by, you know, users' posts without their explicit consent, [00:12:00] meaning that, like, it's using by default all the things that you post on Twitter or X or whatever you want to call it, I think to myself, are we going to get more misinformation?

Are we going to get more, you know, is the AI going to become just as angry as it seems like everyone has become on social media? Or could it actually be better? Like, wouldn't ethical AI actually do better than humans on social media? The other thing I think about, though, is, like, if you go pretty far down the rabbit hole here, we're getting to the point where, like, AI-generated news on social media could, you know, be used as like a propaganda and mind control machine in a far greater way than we used it ourselves with the algorithms over the last few years.

You know, I see a future where, you know, Zuckerberg is in front of Congress again, and maybe Elon is in front of Congress again, testifying about, like, what their AI did. Curious to see what our audience thinks about that. Yeah, but I have to say, if [00:13:00] most of the posts or all of the posts were generated by AI, and then all read by AI, maybe we could just go back to talking to each other.

Yeah, that's true. That's true. Well, let's jump on the highway to the danger zone. And let's talk about a couple of breaches and cyberattacks that everybody should be aware of. So, most notably, Dark Angels got, according to Zscaler, a record-breaking $75 million ransom from a single victim that they claim was in the Fortune 50.

Now, when we look at this, yeah, it's like another company that paid a ransom, but what it shows for me is that this is a huge business. $75 million is an enormous amount of money to either go to a person, I mean, you probably wouldn't need to work anymore, but more than that, to fund further cybercrime.

We've really seen a particular increase from this group, this Dark Angels group, on [00:14:00] manufacturing, healthcare, and technology companies, and what they're really known for is targeting large companies and exfiltrating a lot of data from those companies, and then hitting them with a really, really high amount for extortion.

Now, when I was setting up this show and I was talking through this attack with David, he was like, how is it possible? Like, how would you exfiltrate, let's say, a hundred terabytes from one of these big companies? If you were trying to steal data from your company, how would you do it? Okay, you don't have to give us all the specifics, but, like, for me, I think of, well, how many people can email that stuff to Gmail?

How many people have split tunneling enabled on their computer and can just use split tunneling? How many people know that there are segments of their network, or their clouds, that are unmonitored from an ingress/egress standpoint, and you could just get the traffic out that way? The bigger your company is, the harder it is to get security right everywhere.

And an attacker or a malicious insider only has to find that one gap in your posture to be able to get data out. And for me, like, you know, this is a Varonis [00:15:00] webinar, but there is nothing more than an attack like this, data theft leading to extortion, to showcase why it's so important to, like, lock data down at the source and monitor data at the source.

Because as you move further and further away from that nucleus where all that data sits, it becomes so much harder to monitor every in and out, every transaction, every, you know, network link, and deal with things like split tunneling. Now, this wasn't the only one, though.

You know, this is the Dark Angels, but there was some denial of service attack that was worth mentioning too, right? Back in, like, late July. Yeah, so late July, I think it was actually July 30th, and I think we have a slide on it with a pretty picture of Microsoft services that leveraged Azure Front Door and Azure Content Delivery Network, which is only, like, rarely used services like Entra and 365 and Purview and Power BI.

I don't know if anybody on the webinar is using those services. There was an outage, actually [00:16:00] mostly in Europe. And the interesting thing, it was a run-of-the-mill DDoS attack, a TCP SYN flood, and apparently they have about 1,700 of those a day. In this case, the normal mitigations went into effect, but they had a network misconfiguration that caused some congestion and packet loss for a lot of the Azure Front Door front ends.

And essentially the network routes weren't updated correctly within one specific site in Europe. I'm curious if anybody experienced that. And it was hard to go through the door. Yeah, exactly. Exactly. Got it. Yeah, and for those of you that don't know, especially if you leverage any of Microsoft's DLP features, the CDN is where those files and objects typically sit that are actively being used by many employees in your company.

So that it's easier and you get faster load times from a [00:17:00] collaboration standpoint. You know, it's like a middleware between the object store where it sits and, you know, your workstation, so that Microsoft can support that global network. So it's deeply, deeply integrated into things like 365 and Purview.

Yeah. Go ahead. One thing that I thought was hopeful about this: Microsoft did a really great, like, after-action report, you know, and analysis, and I thought they were very transparent when I read through, you know, hey, here's exactly what happened. I feel like it's getting to be like a flight crash in some respects, at least for the DDoS, right?

1,700 a day, they've got all kinds of automated mitigations, and several things have to go wrong together to result in this kind of outage. When they do, obviously it's horrible, but I feel like it's getting to be more like airline safety. You know, we're getting better at these sorts of things.

Yeah, and speaking of [00:18:00] getting better, we got a really thoughtful comment from, and I hope I pronounced this right, Abdullah Seka, who was talking about how there's a NIST special publication, 800-171, that doesn't allow split tunneling for the DoD contract. So, it does look like, you know, the regulation is catching up to things in some ways.

And then Jerry Huff said that U.S. East was particularly affected by this Azure denial of service. Yeah. And then a couple of other people asking about where we get the stories from. This one's right from Microsoft, but when we send the follow-up, we can make sure we also send some of the links of where we collect all this great information.

Now, what is this Storm Bamboo? You know, tell me more about this. This is another ISP-type breach, right? Yeah, this made my head hurt. Essentially a Chinese cyber gang infiltrated an ISP, and were able to, you know, be somewhat of a man in the middle. [00:19:00] And what they did was they took advantage of insecure software update systems, like ones that weren't, you know, appropriately using digital signatures to verify that they were talking to the right update service.

And instead of getting the software update that they should have gotten, they got malware. And that gave the attackers remote control of their computers. So, this is from Volexity, the threat researchers, again, you know, a Chinese cyber espionage gang, but, you know, this is also another one where you've got two kind of bad things happening at once, right?

You've got the compromised ISP, and you've got, you know, the lack of the signing. Yeah, and the software updates that get deployed from the compromised ISP, it's that, you know, breach within a breach, or targeting the service providers to breach the consumer. We see this a lot with, you know, threat actors, especially Chinese APT [00:20:00] actors, thinking back to stuff like SolarWinds.

Now, those are some attacks and threat vectors that we wanted you guys to be concerned about. There's also a host of newly discovered vulnerabilities, the first of which some are now saying isn't a vulnerability at all. So let's talk about the findings from Truffle Security. They termed this vulnerability that they found, or quote-unquote vulnerability they found in GitHub, as Cross Fork Object Reference, which would allow someone to access sensitive data from deleted forks, and deleted repositories and even private repositories on GitHub, which remain indefinitely.

The way that this works is the CFOR, it basically allows someone to commit data back to those posts that shouldn't be visible anymore. Now, as it all turns out, many will say that, well, yes, GitHub does not delete backups when you delete a particular repository.

That you have to go and delete the [00:21:00] backups in addition to that. There's more to do here. You know, leaving code out there, you could have keys in code that you need to be concerned about. You could have, you know, I think this is more of a security awareness thing. And also just speaks to, like, how one little misconfig can get turned into something much greater than that.

Where, you know, you're not completely deleting the backups from a repo that you used to manage. And again, a lot of people coming out from Truffle and saying that it's a feature, it's not a vuln, but if you're interested to see if this applies to you, Truffle Security actually made a tool that they call TruffleHog, which you can point at all your Git repos to find those ghosted forks.

I was curious whether people prefer chocolate truffles or the TruffleHog kind of truffles. So if you want to chat in, I feel like that's really important. I'm not a big sweets person, so I'm going to go with the TruffleHog. I prefer sweet code over chocolate. Understood. Understood. What's [00:22:00] going on with this Proofpoint thing that we've kind of brought everybody here for?

This was another one that kind of made my head hurt. So, basically, there was a massive scam, spam campaign, I'll say that five times fast, where end users were getting spoofed emails from notable companies, you know, Best Buy, Nike, Walt Disney, that served as phish bait. And the way this got by some of the authentication mechanisms, right, that are common now,

you know, like SPF and DKIM, is that the attacker was running their own Exchange server in an Azure environment. And then, due to what is a configuration feature in Proofpoint, they [00:23:00] routed their emails through the outgoing email connector, right, the, what's it called, in Proofpoint, right, there's an edge mechanism, right, that routes email. They basically used each company's Proofpoint server to route the mail to the victims, and because it was coming from the Azure environment, it was marked as valid even though it wasn't. And SPF came from a mail relay that's got a certificate that makes a lot of sense. And it wrapped this all up as EchoSpoofing?

That's right. Full name, Guardio Labs came up with this, or did the research on this. But, you know, essentially, how do we make an email that looks like it's coming from Disney? Well, we'll go access their Proofpoint server, which is on the web, right? It's pphosted.com, the endpoint there. [00:24:00]

Anyone that has that configuration. Yeah, now, when we were prepping for the show, you also brought up this SinkClose, which is a hardware vulnerability, quite a big one. So, in AMD processors, there's this, you know, very difficult to detect, almost impossible to fix vulnerability in the firmware of AMD chips dating back to 2006.

So keep in mind that this vulnerability has been under wraps for just about 20 years. And with the faulty configuration, what you can do is, this Platform Secure Boot, where essentially you could flash malicious code onto that processor and have it continue to run.

And I mean, you know, there are electric cars, you know, gaming systems, streaming devices, smart TVs, there [00:25:00] is absolutely so much that runs on these AMD chips. It seems to me like, how do you come out of this? Like, what do you do, recall millions of chips? You push out updates.

You just hope that people, you know, kind of accept it? Well, the good news is you can open up the hood of your computer and basically attach to the memory chip, or I guess to the processor, with a hardware-based programming tool known as an SPI flash programmer. You use those all the time, right?

And then you just need to scan all the memory there, and then maybe you could remove the network. Now you kind of throw the computer away. I don't know what else you can do. Yeah, well, you know, get an Intel processor, right? But I mean, I don't want to start that debate at the end of the show here of AMD versus Intel.

No, I clearly am an Intel [00:26:00] processor person. Apparently there are some mitigation options coming, so hopefully there will be at least some help. But yeah, the fact that they're running in some very popular makes of electric cars, along with, I mean, there's just so many other systems here, and I don't know if you could hide this better if you tried.

Right, I mean, I won't even get into the conspiracy theories that a vulnerability like this makes me think of. You know, we promised we wouldn't do that today. Now, I did have one more story that came in. We couldn't even get it into the show today, right when we were prepping. And it's just a friendly reminder that it was Patch Tuesday this week.

There are six zero-days bundled into that Windows Patch Tuesday. Frank, if you don't mind, can you drop that, Frank's one of our hosts, by the way, for all our audience members, can you drop that link to the article that Brian Krebs put out? Usually, we don't retweet [00:27:00] Microsoft vulns, because everybody knows Patch Tuesday comes once a month and there's lots of vulns in it, but there are a number of zero-days in here.

That you should take action on if you haven't read about that or haven't seen that yet. I know a lot of organizations can sometimes deprioritize Microsoft patches, but this month looks like a doozy. And did we get any questions or anything in the chat that you want to cover before we wrap up, David?

I know we had a lively chat today. I saw a lot of comments. Oh, firmware, processor, microcode. I think it's in the processor, right? Not the firmware. Yeah, specifically, again, just trying to think back, and we'll make sure we cover this in the written summary. There's a secure mode that you can boot into on that processor, and if you flash that processor as you're booting into that secure mode, that's how you can get your malicious code to run.

So, I'm going to guess that it's processor code. Yeah. And, let's see, if anything else, yeah, from Lawrence: if your AMD processor isn't [00:28:00] messing you up, your Microsoft updates will. Yeah, as always, this show is made possible by you, our audience. And so we really, really appreciate you being here.

And if you wouldn't mind taking a couple of minutes to give us some feedback, we would love that. If there's something that we talked about today that you want to have a conversation with a member of the Varonis security team about, you know, just hit yes on that third question. And otherwise, that wraps up another episode of State of Cybercrime.

Thanks so much for being here with us and making it possible to do the show. We really enjoy it and stay tuned for our next episode.