Security Conversations

Three Buddy Problem - Episode 22: We discuss Volexity’s presentation on Russian APT operators hacking Wi-Fi networks in “nearest neighbor attacks,” the Chinese surveillance state and its impact on global security, the NSA's strange call for better data sharing on Salt Typhoon intrusions, and the failures of regulatory bodies to address cybersecurity risks.

We also cover two new Apple zero-days being exploited in the wild, the US Government’s demand that Google sell the Chrome browser, and the value of data in the context of AI.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• Transcript - (unedited, AI-generated)
• Russian APT WiFI Nearest Neighbor Attack
• Russian Spies Jumped From One Network to Another Via Wi-Fi
• Advisory: New exploited Apple zero-days
• NSA Director Wants Industry to Disclose Details of Telecom Hacks

Three Buddy Problem - Episode 21: We dig into an incredible government report on Iranian hacking group Emennet Pasargad and tradecraft during the Israel/Hamas war, why Predatory Sparrow could have been aimed at deterrence in cyber, and the FBI/CISA public confirmation of the mysterious Salt Typhoon hacks.

Plus, discussion on hina’s cyber capabilities, the narrative around “pre-positioning” for a Taiwan conflict, the blending of cyber and kinetic operations, and the long tail of Chinese researchers reporting Microsoft Windows vulnerabilities. The future of CISA is a recurring theme throughout this episode with some speculation about what happens to the agency under the Trump administration.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• Transcript (unedited, AI-generated)
• CISA/Israel gov report on Iranian hacking operations
• Check Point: A deep-dive of Iran's WezRat malware
• Trend Micro report on Earth Estries
• FBI/CISA on China hacking US telcos
• US accuses China of vast cyberespionage against telecoms
• Volt Typhoon hackers hit SingTel in Singapore
• New Palo Alto firewall 0day attack
• CVE-2024-43450 - China reports Windows DNS Spoofing vuln

Three Buddy Problem - Episode 20: We revisit the ‘hack-back’ debate, the threshold for spying on adversaries, Palo Alto watching EDR bypass research to track threat actors, hot nuggets in Project Zero’s Clem Lecinge’s Hexacon talk, Apple’s new iOS update rebooting iPhones in law enforcement custody, the mysterious GoblinRAT backdoor, and physical ‘meatspace’ Bitcoin attacks and more details on North Korean cryptocurrency theft.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• Transcript (unedited, AI-generated)
• iPhones mysteriously rebooting themselves
• Apple quietly ships iPhone reboot code
• FBI on China hacking US presidential campaigns iPhones
• Chinese hackers Targeted Phones of Trump, Vance, Harris Campaigns
• Palo Alto: EDR Bypass Testing Reveals Threat Actor's Toolkit
• Palo Alto CVE-2024-5910 marked as exploited
• Toronto crypto company CEO kidnapped
• A list of known 'meatspace' crypto attacks
• North Korea crypto thieves targets macOS

Three Buddy Problem - Episode 19: We explore Ivan Kwiatkowski’s essay on the limits of threat intelligence, Sophos using kernel implants to surveil Chinese hackers, the concept of ‘hack-back’ and legal implications, geopolitical layers of cyber espionage, CIA malware in Venezuela, Vatican/Mossad mentioned in high-profile Italy hacks, and Canada bracing for .gov attacks from India.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• Transcript (unedited, AI-generated)
• Ivan Kwiatkowski: Threat intel truths inside
• JAG-S LABScon keynote
• Sophos Used Custom Implants to Surveil Chinese Hackers
• Sophos Pacific Rim report
• NCSC details ‘Pygmy Goat’ network backdoor
• NCSC 'Pygmy Goat' report
• Massive hack-for-hire scandal rocks Italian political elites – POLITICO
• Vatican, Israel implicated in Italy hacking scandal
• Wired on CIA hack of Venezuela military payroll system
• Is Now on VT!

Three Buddy Problem - Episode 18: This week’s show covers the White House's new Traffic Light Protocol (TLP) guidance, Reuters expose of Appin as a hack-for-hire mercenary company, Fortinet zero-day exploitation and missing CSRB investigations, major cryptocurrency heists, Apple opening Private Cloud Compute to public inspection, Russians removed from Linux kernel maintenance and China’s Antiy beefing with Sentinel One over APT reporting.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• Transcript (AI-generated)
• White House TLP guidance
• Applin -- How an Indian startup hacked the world
• Burning Zero Days: FortiJump FortiManager Flaw
• Mandiant on FortiManager Zero-Day Exploitation
• Fortinet bulletin on new 0day exploitation
• Radiant Capital $50M cryptocurrency theft
• DPRK's Lazarus steals cryptocurrency with decoy MOBA game
• Apple opens Private Cloud Compute to security inspection
• Russians booted from Linux kernel driver maintenance
• Antiy paper responding to SentinelOne

Three Buddy Problem - Episode 17: News of a wiper malware attack in Israel implicating ESET, threats from wartime hacktivists, China's strange response to Volt Typhoon attribution and Section 702 messaging, an IE zero-day discovery and web browser rot in South Korea, the ongoing isolation of Kaspersky due to sanctions, and the geopolitical influences affecting cybersecurity reporting.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• ESET Israel wiper attacks
• ESET comment on Israel wiper incident
• Dakota Cary on China’s Volt Typhoon Influence Ops
• Volt Typhoon III (PDF)
• US Sanctions 12 Kaspersky Executives
• Kaspersky closing down its UK office
• MAPP vendor list
• VirusTotal
• Transcript (AI-generated)

Three Buddy Problem - Episode 16: We break down the new GCHQ advisory on the history and tactics of Russia’s APT29, the challenges of tracking and defending against these sophisticated espionage programs, the mysterious Salt Typhoon intrusions, the absence of technical indicators (IOCs), the risks of supply chain attacks. We also touch on the surge in zero-day discoveries, the nonstop flow of exploited Ivanti security bugs, and why the CSRB should investigate these network edge device and appliance vendors.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• NCSC exposé on SVR/APT29 history and tactics
• APT29 / Midnight Blizzard
• VIDEO: A Surprise Encounter With A Telco APT
• The Athens Affair - IEEE Spectrum — How some extremely smart hackers pulled off the most audacious cell-network break-in ever
• Wikipedia: The Athens Affair
• WSJ report on Salt Typhoon hacks
• In-the-wild zero-day counter
• Microsoft Confirms Exploited Zero-Day in Windows Management Console

Three Buddy Problem - Episode 15: Juanito checks in from Virus Bulletin with news on the return of Careto/Mask, a ‘milk-carton’ APT linked to Spain. We also cover the latest controversy surrounding IDA Pro's subscription model, a major new YARA update, and ongoing issues with VirusTotal's value and pricing. The conversation shifts to North Korean cyber operations, particularly the infiltration of prominent crypto companies, Tom Rid's essay on Russian disinformation results, and the US government's ICE department using commercial spyware from an Israeli vendor.

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• Transcript (unedited, AI-generated)
• VB abstract: The Mask has been unmasked again
• Discover IDA 9.0
• Binary Ninja
• Vertex Synapse
• YARA-X
• Microsoft on Star Blizzard disruption
• Tom Rid: The lies Russia tells itself
• North Korea caught targeting German missile manufacturer
• How North Korea infiltrated the crypto industry
• ICE signs $2M contract with spyware maker Paragon

Three Buddy Problem - Episode 14: The buddies are back together for a discussion on Juan’s LABScon keynote and mental health realities, Microsoft rewriting the Windows Recall security architecture, a new CVSS 9.9 Linux CUPS flaw, Kaspersky's controversial transition to Ultra AV, and the intelligence operations surrounding exploding pagers in Lebanon.

(This episode is dedicated to the memory of Jeff Wade from Solis, who was an important part of the LABScon family.)

Cast: Juan Andres Guerrero-Saade (SentinelLabs), Costin Raiu (Art of Noh) and Ryan Naraine (SecurityWeek).

Links:

• The Consolation of Threat Intel (JAG-S LABScon keynote)
• LABScon - Security Research in Real Time
• Windows Recall gets major security makeover
• David Weston on Windows Recall security reboot
• Critical Linux CUPS remote code execution
• How Israel Built Exploding Pagers — How Israel Built a Modern-Day Trojan Horse: Exploding Pagers
• Apple Suddenly Drops NSO Group Spyware Lawsuit
• CrowdStrike Overhauls Testing and Rollout Procedures
• Microsoft Redesigning EDR Vendor Access to Windows Kernel - SecurityWeek
• Kaspersky Sparks Outrage as UltraAV Takes Over Systems Without Consent
• Transcript (unedited, AI-generated)

Three Buddy Problem - Episode 13: This is a special edition of the show, featuring Juan Andres Guerrero-Saade's full keynote day remarks at LABScon2024. In this talk, Juanito addresses the current state of the threat intelligence industry, expressing a need for a difficult conversation about its direction and purpose. He discusses feelings of disenfranchisement among professionals, the void in meaningful work, and the importance of reclaiming control and value in cybersecurity. Juan emphasizes the need for researchers, journalists, and even VCs, to be the change to reinvigorate the industry and ensure its relevance and impact.

Cast: Juan Andres Guerrero-Saade (SentinelLabs). Costin Raiu and Ryan Naraine are listening to this episode.

Links:

• LABScon 2024
• J. A. Guerrero-Saade on Twitter