BTS #60 - HybridPetya and UEFI Threats
In this episode of Below the Surface, the hosts discuss various cybersecurity topics, including the evolution of malware with a focus on HybridPetya, the implications of UEFI vulnerabilities, and the security risks associated with Windows 10’s end of life. They also explore the vulnerabilities of Cisco ASA devices, the rise of supply chain attacks exemplified by NPM worms, and the persistent threat of Rowhammer attacks on DDR5 technology. The conversation highlights the significance of visibility in cybersecurity and the necessity for enhanced security practices to counter evolving threats.
Transcript
Paul Asadoorian (01:28.35): Welcome to Below the Surface. This is episode number 60, being recorded on Wednesday, September 17th, 2025. I’m your host, Paul Asadoorian. Joined by my co-workers, Mr. Chase Snyder is here with us. Chase, welcome.
Chase Snyder (01:40.703): Hey Paul, hey Vlad.
Paul Asadoorian (01:42.238): Mr. Vlad Babkin is here.
Vlad Babkin (01:44.718): Hello.
Paul Asadoorian (01:45.78): Vlad, you just kept adding stories to the show, which I thought was great. We got a lot to talk about. I love it. I love it.
Vlad Babkin (01:51.266): Yeah, this week was very productive. Or unproductive, depending on what perspective you’re looking.
Paul Asadoorian (01:55.112): Yeah, there was some stuff going on. Depending on which side you’re on, right? Before we dive into things, just a reminder that Below the Surface listeners can learn more about Eclypsium by visiting Eclypsium.com forward slash go. There you’ll find the ultimate guide to supply chain security, an on-demand webinar I presented called Unraveling Digital Supply Chain Threats and Risk, a paper on the relationship between ransomware and the supply chain, and a customer case study with DigitalOcean. If you’re interested in seeing the product in action, you can sign up for a demo. All that at Eclypsium.
Paul Asadoorian (02:32.152): Also, October 2nd and the 3rd, I will be at GrrCON with my other coworker, Jeff. We have a booth there, we’re sponsoring the show, and I will have all kinds of little hacking devices there with me. Much like I did last year, there will be different hacking devices. In fact, I just did a technical segment on my other show on this little T-Lora Pager device, which I have running Meshtastic as well as Bruce, the pen-testing firmware distribution for ESP32 devices. So I don’t have these to give away because I’m relatively new. This is the first one I got and I just kind of figured it out. But I’ve got some other LilyGo gear, T-Embeds, T-Embed CC1101s. I’ve got some Cardputers and I’ve got some also from LilyGo, the T, the USB one, that has a little display on it. So I’ll be hacking with those, giving those away. I also have for the giveaway, I will have three Bus Pirate 5s that I’ll be giving away as well. So I’m excited because I get to do cool hacking stuff at the conference and you can come hang out with me and we can do cool hacking stuff together. So it’s better than that. Let’s dive into, let’s start with HybridPetya. What’s you guys’ take on this? It was discovered by ESET researchers, who found a sample on VirusTotal that exploits CVE-2024, is it 7344? That’s the Howyar signed bootloader that has a vulnerability in it. It exploits that to install a bootkit. Uh, and that malware contains similarities to both Petya and NotPetya. But I know you were talking about the Petya, NotPetya things. Because that was all the rage. That was certainly an incident. Right. I don’t remember all the specifics. I don’t know how much you remember about the Petya attacks.
Vlad Babkin (04:29.14): Yeah. Yeah.
Vlad Babkin (04:34.414): So, NotPetya attacks, it was a destruction malware disguised as pretty much stuff asking for a cryptocurrency, right? But it was actually a destruction malware.
Paul Asadoorian (04:45.832): Yeah. It was just it was kind of like ransomware. It was kind of like ransomware with no intention of collecting the ransomware. It was there just to cause destruction.
Vlad Babkin (04:53.218): Yeah, it was, yeah. And as far as I remember, NotPetya had a special vector specifically targeting Ukraine. So they specifically infected a company called M.E.Doc. And what they did was infect their update servers. And where that software got from there, from those servers, because it didn’t check signatures, it was to basically every single financial computer in Ukraine. And because of how…
Paul Asadoorian (05:00.64): Mm-hmm.
Paul Asadoorian (05:20.19): Right. Because it was like tax. It’s like tax. So is it like tax software or something like financial tax software? Yeah.
Vlad Babkin (05:23.864): Yep, yep. And at the time, the tax software was running as administrator. Like it could run as a non-admin user. So what you get is an update with malware that arrives to you and that automatically gets run by software that runs as administrator, and that’s across the entire country. So yeah. And as far as I remember…
Paul Asadoorian (05:41.578): Right. And Petya was ransomware software, and that’s why they called it NotPetya, because it… yeah, yeah, I remember the whole thing now.
Vlad Babkin (05:51.79): Yeah, it didn’t quite run somewhere. Yeah, obviously it also had other vectors as far as I remember, it was spreading over SMB. And it also had impact outside of Ukraine, but I think the biggest impact was in-country. So now we have a UEFI copycat of that malware, copycat judging by how ESET called it, I think, or whatever is written in articles I see online.
Paul Asadoorian (06:03.551): Mm-hmm.
Paul Asadoorian (06:08.318): Great.
Paul Asadoorian (06:19.646): Mm-hmm.
Vlad Babkin (06:20.32): And in this case my question is, is it even the same author?
Paul Asadoorian (06:25.631): Yeah, or is it just someone that got ahold of the code and decided to create their own strain? More likely. Yeah, and then, but they put the infection vector of a bootkit in there. So they brought their own vulnerable bootloader, basically, that I described before, the Howyar, I think that’s how you pronounce it. That’s how I say it, Howyar, which was a discovery by ESET.
Vlad Babkin (06:30.774): Yep. Yep. And that’s the biggest question. Like, this is…
Vlad Babkin (06:43.064): Mm-hmm. Yeah, that makes sense.
Paul Asadoorian (06:51.647): That discovered that vulnerability in that bootloader that was signed by Microsoft. Until they brought their own and they used that to install a bootkit. It was like a cloak.dat file. And it encrypts the MFT table in the Microsoft NTFS file system. So the MFT is like your file allocation table. It’s like the mapping of your file system, for lack of a better term. And so if you encrypt that, like, your files aren’t encrypted, but the map of how to get to your files is encrypted, which doesn’t mean you couldn’t recover it. You just wouldn’t get file names. I think my co-host said you wouldn’t get file names or anything like that. But I also think they encrypted the files as well as the MFT, if I’m not mistaken.
Vlad Babkin (07:41.582): Maybe, and this question is not even, like for me the biggest question is why target UEFI? Right? So, like it’s not even just, okay, it’s scripted malware, obviously they’re gonna create something, and they’re gonna encrypt the most valuable thing at the lowest level possible, that’s also quite obvious. Like let’s just encrypt the bootloader of the computer just as a final hello to the user, right?
Paul Asadoorian (08:03.103): Mm-hmm.
Vlad Babkin (08:11.36): Okay, that makes sense. But, it’s interesting that normal ransomware now uses UEFI bootloader thingies and secure boot bypasses. That’s the…
Paul Asadoorian (08:23.474): Right.
Chase Snyder (08:25.075): You mean in this case, the hybrid Petya case, or you’re saying there are other examples of malware using UEFI?
Vlad Babkin (08:28.518): Yup.
Paul Asadoorian (08:31.069): There are other examples of malware using, yeah.
Vlad Babkin (08:31.278): I’m saying about ransomware already targeting this. Like ransomware is usually not a high-hanging-fruit attack. Like, okay, you’ve got code execution, what are you gonna do? Let’s encrypt a bunch of files and see what happens. This is one of the lowest-hanging-fruit attacks you can imagine, which is like, unless it’s actually a destruction malware disguised as ransomware or something like this, it’s normally just script kiddies trying to earn some money.
Paul Asadoorian (08:47.209): Mm-hmm.
Vlad Babkin (09:00.679): Or even if not script kiddies, it’s usually not very high-skill attackers. But now it’s paired up with Secure Boot bypasses and UEFI attacks, which are normally associated with much higher skill. And the question is, what does it tell us? So in my book, it tells us that Secure Boot bypass attacks and UEFI malware are now much lower skill than you might expect.
Paul Asadoorian (09:29.341): Yeah, I agree. And this is the progression we’ve seen with multiple techniques, toolkits and the like. We covered the J-magic backdoor and we can trace that back to a Phrack article from 1999, which was new and novel at the time. It was basically similar to like a port knocking or passive backdoor, if you will, right? That looks at packets. That was kind of, in 1999, that was all the rage. But fast forward to today and we see that in…
Vlad Babkin (09:30.776): That’s the biggest message to take out of it.
Paul Asadoorian (09:59.08): Attacker campaigns. So I think that there’s a progression of techniques that start out as academic as pure research that transition to higher profile or threat actors that are highly targeting organizations, right. And then others find out about they’re like, well, I can use that too, like more stuff gets published, the code gets passed around.
Vlad Babkin (10:20.75): Mm-hmm.
Paul Asadoorian (10:27.603): And it ends up in your common everyday ransomware. And so here we are today seeing what looks like everyday ransomware that is now bypassing secure boot and installing a boot kit and messing around with boot loaders on the EFI partition.
Chase Snyder (10:41.385): Would you say that, does it make sense to say that the reason, like, less sophisticated attackers wouldn’t need to adopt new, you know, formerly sophisticated, now more accessible techniques like this if their other stuff was working effectively? Like, is there a case to be made here that the reason that less sophisticated, you know, script kiddie, ransomware gangs would…
Vlad Babkin (11:00.63): Yep. Good.
Chase Snyder (11:07.239): Adopt something like this that uses UEFI or can bypass Secure Boot because other ransomware techniques have been more effectively defended against. Like the old stuff isn’t working as well, so they’re looking around for the new stuff and they’re like, this is out there and I know how to do it.
Vlad Babkin (11:17.577): There as well.
Paul Asadoorian (11:19.773): Mm-hmm.
Paul Asadoorian (11:24.414): Mm-hmm.
Vlad Babkin (11:25.282): That’s true. So in this case, both things are true. So first of all, Secure Boot stuff is becoming more off the shelf, which is why even ransomware actors are even interested in it. A well-paid actor who can actually develop this from scratch would probably not need money, right? But somebody who is trying to ransom people is getting access to UEFI things and can incorporate them in their tools, without a lot of technical knowledge apparently. That’s interesting. And also, why do they need to do this? It’s because all of their older stuff stopped working. Well, maybe not entirely, but okay, there’s a lot more stuff going on with Windows right now. For example, if you move 15, 20 years into the past, Windows doesn’t have any antivirus built in. And Windows Firewall is a joke, right? But now, apparently it isn’t. If it would be a joke still, we would not see this. We would not see stuff like this incorporated into common ransomware. So apparently, Microsoft is doing a good job as well at making their systems harder to attack. That’s also part of the message to take out.
Paul Asadoorian (12:38.835): Yeah, is it like EDR and Microsoft Defender type bypasses are getting more complex, and therefore why not just sidestep that and try and get in before the operating system? Because maybe it’s equally as technically challenging now to bypass an EDR once the OS is loaded. But now you need a similar level of skill to go, I’m just going to use UEFI and bootloaders to get in before the OS and then have a much easier time bypassing.
Vlad Babkin (12:49.346): Yup. Yup.
Vlad Babkin (12:59.341): Mm-hmm.
Vlad Babkin (13:06.456): Yup.
Paul Asadoorian (13:08.722): EDR.
Vlad Babkin (13:10.082): Yep, so apparently both are now equalized, because first of all EDRs are becoming more and more advanced, so entry-level stuff stopped working against them and now you have to do more sophisticated techniques. Like obviously skilled attackers can still bypass and it’s still a joke for them, but for low-skill attackers it’s becoming a problem. But at the same time, UEFI bypasses are becoming off the shelf, so they’re less technically advanced, where those same low-skilled attackers can actually grab those
Paul Asadoorian (13:21.501): Mm-hmm.
Paul Asadoorian (13:34.59): Mm-hmm.
Vlad Babkin (13:40.424): And they are reaching a point where they are about the same skill level.
Paul Asadoorian (13:44.872): Yeah, because I think we’ve seen, we’ve uncovered a lot more software that has been signed with Secure Boot roots of trust that attackers can now use to bypass. We’ve seen ever since BlackLotus, I feel like we’ve had this, you know, we’ve discovered some, ESET’s discovered some, Binarly discovered some, like we just see a lot more disclosures of like, hey, this piece of software can be used to bypass Secure Boot. And now we’ve got this longer menu list of ways in which we can
Vlad Babkin (13:54.729): Yup.
Paul Asadoorian (14:14.929): Circumvent Secure Boot.
Vlad Babkin (14:17.517): Yep.
Chase Snyder (14:17.685): So can we speculate a little bit on the sort of like research pathway here? Because the ESET article, they say they discovered new ransomware samples, but they have not seen it being used in the wild yet. And I’m thinking back to our last episode with.
Paul Asadoorian (14:30.749): Yeah, they pulled it from VirusTotal and analyzed it and were like, hey, look at that. There’s a bootkit in there that leverages a Secure Boot bypass.
Vlad Babkin (14:38.668): Yeah, the question is where it appeared from. Attackers might be testing against VirusTotal, which is, again, if you upload your new shiny thing to VirusTotal before you actually launch it, that indicates your skill. Or it might have been somebody got ransomed, uploaded it to VirusTotal to understand whatever they were looking at.
Chase Snyder (14:38.687): Right. So.
Paul Asadoorian (14:46.44): Mm-hmm.
Chase Snyder (14:55.925): Yeah.
Paul Asadoorian (15:06.056): Right.
Vlad Babkin (15:07.884): Because that’s a completely different pathway. So it’s hard to tell which one of the two happened and if ESET is just not seeing it. But I would call that ESET is probably pulling attackers trying to upload that thing and check for detections.
Chase Snyder (15:22.335): So your, your guess, if you had a, if you had a guess, if you had to put a, a bet on it, you would say that it was a low sophistication attacker that was testing it before, before rolling it out, which is an amateur, amateur move.
Vlad Babkin (15:31.0): Yep.
Vlad Babkin (15:34.86): Yup. Yup. Yup.
Paul Asadoorian (15:37.789): I don’t know. It’s also likely that someone was infected and didn’t know what it was and uploaded it as well.
Vlad Babkin (15:43.68): Yeah, but question is where were the news articles? Like where basically all of the noises would have produced? Like…
Paul Asadoorian (15:51.935): Well, I mean it comes down to like, who’s disclosing breaches these days if they don’t have to, right?
Vlad Babkin (15:57.122): Yeah, but then why develop this whole ransomware if you are gonna use it on a single target and use it as ransomware?
Paul Asadoorian (16:07.845): Mm. Right.
Chase Snyder (16:10.151): It seems likely there’s going to be more news. There’s going to be more stories about this. Something more is going to come out. This is not going to be the end of it. It’s going to be like someone’s going to come out as having been attacked or there’s going to where this is just the beginning of this story.
Vlad Babkin (16:17.163): Yup. Yup.
Vlad Babkin (16:24.193): Yup, yup.
Paul Asadoorian (16:24.319): But there’s also been a lot of updates to revocation lists and certificates that combat these types of threats that I think the attackers are banking on people not having updated. Because on the long laundry list of things you need to do in IT security, making sure your certificates and DBXs are up to date for Secure Boot is not high on the list. That’s just my general gut feeling. It’s not high on the list.
Paul Asadoorian (16:57.447): It kind of gets lumped in with firmware, right? Well, and also it’s kind of a dangerous thing to do, which, you know, we’ll get to Windows 10, you know, systems cannot boot. There’s an operational risk of systems not booting if you start messing around with Secure Boot stuff.
Vlad Babkin (16:57.621): Yep, it probably is not.
Vlad Babkin (17:13.301): Yep, and there is a lot of operational risk for just updating UEFI, like specifically my laptop, like it needs UEFI updates from time to time. And when you do, when you reboot, it just sits on a black screen for a few minutes. And if you’re not patient enough, yeah, and if you’re not patient and try to touch it, it locks up, like completely locks up. At one point I just did it without really thinking about it too hard because I didn’t see any messages about a UEFI update.
Paul Asadoorian (17:17.459): Mm-hmm.
Paul Asadoorian (17:27.109): Isn’t that frightening?
Paul Asadoorian (17:33.276): Mm-hmm.
Vlad Babkin (17:42.535): And I got stuck with a laptop that I had to repair for like an hour. And I have the skills to do this, so I managed to get it back. But like, if you’re a normal customer and you do this, now what?
Paul Asadoorian (17:45.947): Mm-hmm. Right.
Paul Asadoorian (17:53.831): Yeah. Did you have to break out an SPI programmer or no? Okay. Okay.
Vlad Babkin (17:57.044): No, thankfully no. I don’t remember what exactly I did, but it was a lot of googling. And a lot of frustration. And that’s just a normal UEFI update. What about stuff that can actually block my OS from booting entirely unless, like, you know… You go to, what is it, Safe Mode, I think it’s called? Where it only loads its own drivers. And then you go over all of the drivers and shut them down one by one.
Paul Asadoorian (18:02.172): Mm-hmm.
Vlad Babkin (18:25.173): Yeah, for a lot of people that’s frightening. People barely understand what a driver is. Like, in the past, you at least had to install your own drivers from, you know, you have like 20 packages, so at least you know what you installed, right? At least in a good amount of cases. Or at least there’s some technician who knew, whom you can go back to, like, the one who installed your OS. But now what? You get a laptop with just everything sitting there, and if one of it gets blacklisted, well, good luck.
Paul Asadoorian (18:27.647): Mm-hmm.
Paul Asadoorian (18:41.287): Right.
Paul Asadoorian (18:54.375): Right. And I think most users use the term driver and don’t understand how overloaded that is. UEFI has its own drivers that we call DXE drivers, driver execution environment. They’re those earlier-stage drivers that enable your hardware. Then there’s operating system drivers and there’s obviously different types at different levels for different components. And they’re very separate things. Transitioning to Windows 10,
Vlad Babkin (19:04.128): Mm-hmm. Yep.
Paul Asadoorian (19:23.035): My concern is, because now it’s looming, now we’re starting to see more articles like just this week or last week. I saw commercials watching a football game and I saw a Best Buy commercial that was specifically targeting, hey, if you’re a small business and you’re running Windows 10 and next month it’s going end of life and you need help, you should call us at Best Buy. Because guess what? Best Buy wants to sell you new laptops and desktops for your organization. Because if they don’t support Windows 11…
Chase Snyder (19:49.354): Ha!
Vlad Babkin (19:49.515): Yup.
Paul Asadoorian (19:51.635): You could be stuck on Windows 10. And so they’re trying to cap, I mean, and rightfully so they’re trying to, I don’t fault them for that, because it is a scenario where people are going to have to update their hardware in a lot of cases. My concern is once Windows 10 goes end of life and we’re not getting updates from Microsoft, we’re not going to see updates to revocation lists and other certificates. And one of the concerns is, let’s say you put a new peripheral in your
Chase Snyder (19:54.335): Bring in the Geek Squad.
Vlad Babkin (19:54.85): Yup.
Paul Asadoorian (20:20.672): Computer, that peripheral has a UEFI DXE driver on it that’s signed not by the certificates that are on your system but signed by the newer ones, not the older ones, and you have Secure Boot enabled, your system’s not gonna boot. It’s not gonna match up. Potentially.
Vlad Babkin (20:38.391): The real answer to all of this, in my opinion, is for the customer to actually create their own certificate locally and just have a package that signs everything that’s in the system. And once you have to update, you have to resign. And okay, the question is how do we store that? Well, there is a password you can actually set up in that file and the user can be prompted to it at some point to write it down. And then this problem would be entirely gone.
Paul Asadoorian (20:59.389): Mm-hmm.
Vlad Babkin (21:05.857): The problem is customer now needs to know this password, right?
Paul Asadoorian (21:05.884): Right, but that’s complicated. Well, that’s complicated too. A lot of people pick on Secure Boot and I’m like, if you’re unhappy with the way the root of trust comes from Microsoft and OEMs, you can do it all on your own. Like don’t call it, don’t pick on Secure Boot, because Secure Boot totally gives you the flexibility to build your own root of trust. Is it a huge pain in the butt? Yes. That’s the problem.
Vlad Babkin (21:11.682): Yup.
Vlad Babkin (21:18.571): Yup, make your own.
Vlad Babkin (21:30.925): BS. But yeah, but again, for a large organization, that might be an answer. Like imagine that you are provisioning a thousand laptops and it is a thousand of the same laptop. What you can do for those laptops is create a root of trust and sign all of the drivers specifically for those laptops. Now you control the updates. So the not-fun part comes when, oh, hey, that laptop is trying to update and it updates from Windows. Now what? You get a driver and it stops booting.
Paul Asadoorian (21:38.525): Mm-hmm.
Paul Asadoorian (22:01.958): What happens when you get a new boot? What happens if Microsoft updates the bootloader?
Vlad Babkin (22:06.445): Yep, what happens when Microsoft changes stuff? So there are a lot of questions with this and there are not enough solutions for those. This is why we don’t see it happening. So yes and no. Yes, it does give you flexibility to make your own root of trust. No, it’s not realistic because of how Microsoft handles updates and a lot of other things, right? It doesn’t ask you…
Paul Asadoorian (22:09.578): Right.
Paul Asadoorian (22:27.289): I think a lot of Windows 10 users, they’re just going to end up disabling Secure Boot if you’re on Windows 10 to avoid these issues.
Vlad Babkin (22:32.557): Yep. And the dumb part is it might be the only option. Like… And even the dumb part is all of the TPM requirements that I think Microsoft is implementing, I don’t think it’s customer-friendly. Let’s say it, let’s put it down on the table as it is. It’s anti-consumer.
Paul Asadoorian (22:39.337): Right.
Paul Asadoorian (22:50.005): Mm-mm.
Paul Asadoorian (22:55.336): Yes. Yeah, they’re for they’re forcing the hardware. I mean, it’s very Apple like, right? They’re forcing a hardware update.
Vlad Babkin (22:56.808): And like…
Vlad Babkin (23:01.333): Yeah, but what happens is in those Windows 12, 13, like I assume they will come out eventually. And what then? What anti-consumer practice will Microsoft implement then? Like, it’s not a good trajectory overall for the company. Like, Microsoft is already bleeding customers if you look at numbers, right? I saw articles like this. Like, they’re bleeding like millions of them.
Paul Asadoorian (23:13.716): Mm-hmm.
Paul Asadoorian (23:25.79): Mm-hmm.
Vlad Babkin (23:28.821): Honestly, I would just trust in Microsoft entirely. And if you’re completely honest, a lot of the home market is being held by office software, games, and creative products, right? Like Photoshop and whatnot. But point is, gamers now have SteamOS, which is an alternative, and it’s based on Linux. Office products, there is Google, there is cloud stuff, and then there is also LibreOffice, OpenOffice, which are…
Paul Asadoorian (23:47.711): Mm-hmm.
Vlad Babkin (23:57.784): Let’s just say catching up to just about most of the home user needs. Like obviously Microsoft is still in the lead by far, but do you need all of that in your home for just basic text editing? Not really.
Paul Asadoorian (24:01.535): Yeah.
Paul Asadoorian (24:08.702): Yeah, dude, I’m a Linux user. I’m a Linux user. I use OnlyOffice. Works great.
Vlad Babkin (24:13.325): Yep, and I use Google Docs for most of my document needs and like 99.99 % satisfied, right? And creative software, again, if you need Photoshop, then you’re out of luck. But if you need something simpler, GIMP is good enough for a lot of use cases. Like yeah, it’s by far not as good, sure. Can it handle like quite a few needs? Yes, it can. And consumers now have a lot of alternatives to pick from.
Paul Asadoorian (24:20.746): Mm-hmm.
Paul Asadoorian (24:30.25): Yeah.
Paul Asadoorian (24:43.188): Yeah, I mean, I switched from Mac, but also the Creative Suite. And when I went all Linux, actually this podcast, if you listen and watch this podcast, the post-production is all done on Linux with Kdenlive for video editing, with Audacity for audio editing, with GIMP for any image manipulation. And there you have it. And that’s not going to satisfy all users.
Vlad Babkin (24:43.637): So eventually…
Paul Asadoorian (25:11.006): Like you said, there is a push. There is a, what is it called? Run Windows 10 something. There’s a website where they’re pushing people towards Linux to get away from Windows. And I think it’s gonna hurt their market share because of all this.
Vlad Babkin (25:15.223): Yo.
Vlad Babkin (25:24.107): Yep. Yep. Yep. And the biggest game changer in this case is SteamOS, believe it or not. Like another corporate thing, sure. But what it did is solve running games for a lot of, again, younger generation and a lot of entertainment use cases, which is what people use a computer at home for by a lot, by a large.
Paul Asadoorian (25:47.486): Yeah.
Vlad Babkin (25:49.035): Like, it’s entertainment, movies and whatnot, but again, movies is a solved problem on any operating system for a long, long time, so I’m not even mentioning it. The game is supposed to be unsolved.
Paul Asadoorian (25:59.743): Yeah, I mean, if you’re a gamer, and you’re on Windows 10, and you have to enable Secure Boot, you’re in a tough spot coming up soon, right? You either got to get to Windows 11. I guess that market is probably more likely to upgrade hardware. And that could be what they’re banking on.
Vlad Babkin (26:00.088): So a lot of customers just don’t need it anymore.
Vlad Babkin (26:18.593): Yep, that market is likely to upgrade hardware, but point is, will this hardware upgrade come with SteamOS? It might. It entirely might.
Paul Asadoorian (26:26.056): Right, right.
Chase Snyder (26:26.389): Does Windows 11 have any big launch titles?
Paul Asadoorian (26:30.048): Well, I was also thinking like the justification to your significant other, like, hey, sorry, sweetie, I got to build a whole new gaming PC because I’m on Windows 10 and I can’t upgrade. I’m sorry. I got to go. I need the latest graphics card from Nvidia in order to play my games. Sneaking that in there, right?
Vlad Babkin (26:31.883): Daming!
Chase Snyder (26:38.421): No.
Vlad Babkin (26:48.557): Yeah, I mean, modern Nvidia graphics cards, they are, okay, kettle enthusiasts and Nvidia graphics card enthusiasts will have a lot of similar stuff with their electrical wiring in their house very soon. I mean, literally it’s like a kilowatt of energy in a good gaming rig right now, right? Their latest and greatest card is like, what, 500 watts, 600 watts, I think? Some insane number like that.
Paul Asadoorian (27:03.465): Mm-hmm.
Paul Asadoorian (27:11.058): Mm-hmm.
Vlad Babkin (27:17.729): Pair it up with a CPU which can eat like 253-300 watts easily and all of the other little components in the system and you have a kilowatt computer.
Paul Asadoorian (27:26.676): Yeah, like even your 1000 watt power supply is not enough anymore for a modern gaming rig. You need at least like 1500 or more. I was speccing that out. Yeah, the draw is insane anyway.
Vlad Babkin (27:28.342): So.
Vlad Babkin (27:32.993): Yup, you’re literally running on your electric kettle.
Paul Asadoorian (27:45.099): So it’s a bad situation for Windows 10 and Secure Boot. When I thought about the implications for Secure Boot and updates on Windows 10, it’s very concerning, because upgrading hardware is a process and there’s gonna be a lot of businesses that are gonna be, Windows 10 is gonna be floating out there for a long time, and as we’ve seen, attackers take notice of things like this. When things go end of life, when there’s an opportunity for people and organizations to be in a more vulnerable position because they’re forced to do an upgrade and that takes time and money and resources, they’re going to lag behind. And attackers are usually right there going, we’re going to take advantage of this situation. Let’s see. Everyone who’s running Windows 10 is likely either going to be running outdated Secure Boot or disable Secure Boot entirely. So what a great spot to implement some bootkits, test out some new ransomware. Implement some bootkits, and that’s going to be a field day for attackers potentially.
Chase Snyder (28:47.323): Yeah, big new attack surface opening up. Plenty of warning. You know, the end of Windows 10 has been coming up for so long. It’s like anybody who’s preparing for this has had ample time to build out their attack stack against people.
Paul Asadoorian (28:52.126): Yeah, right.
Paul Asadoorian (28:58.814): Mm-hmm.
Vlad Babkin (29:03.617): Yup, like I’m expecting people to come up with zero days about a few months after it goes out of business. Maybe even a few days. Like wait enough for Microsoft not to issue any updates, or try not to issue any updates, and then just start delivering zero days. I wouldn’t be too surprised if some attackers have three or four of them stashed by now and like they deliver it once every few months to test Microsoft’s resolve.
Paul Asadoorian (29:24.17): Yeah.
Paul Asadoorian (29:27.648): Stashed by now, and yeah, and eventually we’ll find out about them, but then the question becomes how severe does it have to be for Microsoft to release an out-of-cycle patch? Historically things have to be pretty bad for Microsoft to release an out-of-cycle patch for an end-of-life operating system.
Vlad Babkin (29:41.697): Yup.
Vlad Babkin (29:47.394): Yeah… And then there is a good question like, if it becomes really bad one time, okay, sure, they release the patch. If it becomes bad two times, then what? If it becomes bad three times, now what? Is Microsoft gonna support it forever or are we gonna just force Microsoft to release out of live patches every few months now? So they still have to maintain it but without any formal maintenance.
Paul Asadoorian (29:57.128): Mm hmm. Right.
Paul Asadoorian (30:11.165): The only saving grace is even as a consumer, you can pay Microsoft to get updates on Windows 10. But again, that’s a cost.
Vlad Babkin (30:19.415): Sure, how many people will subscribe to that, especially home customers? Sure.
Paul Asadoorian (30:23.187): We actually do that.
Chase Snyder (30:24.561): Yeah, I can’t fathom someone choosing to do that instead of just upgrading to Windows 11. Who’s out there doing the extended support for Windows 10 as a consumer? But you can.
Paul Asadoorian (30:30.611): Mm-hmm.
Vlad Babkin (30:32.012): Like
Vlad Babkin (30:37.739): I mean, I can imagine it being some organizations, but not consumers, not end users, not people like us, that’s for sure.
Paul Asadoorian (30:46.109): Right. Well, similar to the Cisco ASA situation that we have, I think that certainly speaks to attackers looking out on the horizon at what’s going to be end of life, and capitalizing on that.
Chase Snyder (30:57.598): Yup.
Paul Asadoorian (31:00.735): So I want to give props to GreyNoise on this one, because they published about it and they collected some great data. So if you dig into the data from GreyNoise, they’re like, hey, in August, all of a sudden we saw this huge spike of like 30,000 or 20,000 IP addresses all scanning for Cisco ASA devices. So I dug a little deeper into the ASA scanning in the GreyNoise data. And we also have another spike, not just one in August, but we had one in September as well, a very similar spike, from very similar IP addresses that were all from Brazil, believe it or not. So there were similarities in the spike. I believe, my speculation is, there’s a group that controls a botnet. One of the things they wanna do is continuously scan the internet, collect exposed Cisco ASA devices. I think there’s a couple of reasons for that. In the article that I published on our blog, I talked about the available exploits in toolkits for ASA. Plenty of a whole menu of options for various exploits against the platform, including specialized toolkits. A Rapid7 researcher released... do you remember what the packages are you upload to an ASA? It’s like ASDM or something like that. There’s like packages, add-on packages you can upload to the ASA devices. A Rapid7 researcher.
Vlad Babkin (32:18.797): Not really.
Paul Asadoorian (32:25.801): Created a GitHub account, I believe in Python, to allow you to create malicious packages that you can upload to ASA devices. So that exists. There have been threat actor campaigns. ArcaneDoor was the campaign that was targeting Cisco ASA devices using specific exploits. So it could also be that attackers have exploits for ASA that haven’t been publicly disclosed and are looking for targets. It could also be, as in my article, where I talk about Cisco’s stance on end of life in the ASA line. So there have already been products that are going end of sale, end of support, end of life in the ASA line. I think all culminating, from what I read, in 2026, when the ASA line is like no more, and they want everyone moving over to FTD, or Firepower Threat Defense, which shares a similar kind of platform to ASA.
Vlad Babkin (33:26.763): And it has a similar vibe to Windows 10 end of life.
Paul Asadoorian (33:30.235): Yes, exactly. So I think attackers are banking on all these things. They’re like, wait, we can scan the internet for this stuff. In my research, Vlad, double check this, right? If you search Shodan, you can find about 119,000 exposed Cisco ASA devices. But that’s just a web interface, right? That’s not SSH. I don’t think we had a good query for SSH, but
Vlad Babkin (33:46.241): Yeah, very easily. Yeah, if you’re clever, you can find a lot more devices than what Shodan sees. Like, not every device is... Like, some devices tell Shodan not to scan them, but still remain exposed. So, if you have your own privately-run Shodan, you can probably find quite a bunch more devices. I would bank on there being at least 150,000, maybe 200,000. Right? And that’s just web interfaces. Yeah.
Paul Asadoorian (34:16.126): Yeah, and that’s a pretty good number. I mean, in terms of numbers we’ve compared before about targets hanging out on the internet, we talked about BMCs, right? There are a lot more ASA devices hanging out there. So it’s a ripe attack landscape.
Vlad Babkin (34:27.881): Yup. And from those ASA devices you can probably jump to BMC devices and a lot of other interesting places. Like, it’s a one-stop shop, like you can just penetrate the internal network from there. Like, a lot of attacks begin... like, quite a lot of organizations maintain an interesting stance in the modern day and age, where they have a really strong perimeter which is guarded by different firewalls and whatnot. But once you are on the firewall itself...
Paul Asadoorian (34:34.634): Mm-hmm.
Paul Asadoorian (34:57.183): Mm-hmm.
Vlad Babkin (34:58.325): And go inside the network, it’s just, you know, a free-for-all. Attackers just destroy everything, that’s... Yeah...
Paul Asadoorian (35:02.622): Yeah, we didn’t patch that because it’s not on the internet. Hey look, I get it. You definitely want to defend your perimeter because that’s what’s on the internet, but you also got to shore up things inside the network too.
Vlad Babkin (35:11.745): Yeah, yeah, like your network insides should not be squishy anymore. Like, we are in the day and age where you can allow yourself to have that. So an attacker sitting on your firewall should not be suddenly getting all of the possible and impossible accesses to basically everything and everywhere. Like, that’s just not supposed to be a thing anymore. Like, squishy on the inside is not a thing.
Paul Asadoorian (35:20.981): Mm-hmm.
Vlad Babkin (35:41.421): Should not be.
Paul Asadoorian (35:41.537): Well, much like Windows 10, I mean, people have ASA and it’s been around for a while. They’ve got it deployed. It’s out there. It’s not easy to rip and replace it again. It’s time, it’s money, and it’s resources to upgrade, to migrate to either a different platform or a platform, you know, that is supported by Cisco. So, uh, not necessarily Cisco’s fault. They can’t support products forever. Um, but the clock is ticking, right? Like, attackers are now... we can see attackers paying attention to this. So the first thing is knowing which ASA devices you have and where they are, knowing if you have them or not. You might be sitting there going, I don’t have any ASA. Did you look? Because what if you do, right? Especially in larger enterprises that have a lot of infrastructure. The second thing is, once you do have them, what do you do about it? Again, you can’t easily just rip and replace an SSL VPN or a firewall because people are actively using it. So what do you do? I hate to pitch our product, right? But that’s one of the reasons I wrote the article, because we have great coverage for ASA devices in terms of firmware integrity support, vulnerability support for ASA devices. And that’s the kind of monitoring you need to do. You need to monitor for vulnerabilities, monitor for threats, monitor for firmware tampering. And that’s not always easy. But that’s one of the things we help people with.
Chase Snyder (37:10.837): I’m wondering whether the whole end-of-life devices thing, already a huge problem as covered in the article, is going to get even more extreme due to various supply chain megatrends that are happening right now. Basically supply chain constraints, or just costs driven by tariffs slash geopolitical mumbo jumbo, whatever. It’s like, we’ll just leave this old gear in service for another year or two.
Paul Asadoorian (37:27.189): Yeah.
Paul Asadoorian (37:33.171): Right.
Chase Snyder (37:40.885): Or focus all our, you know, we’re building out our AI stuff. We’re buying the AI stuff. We’re not gonna refresh the network stuff. I don’t know, that could be different teams, different budgets. It’s complicated, but I wouldn’t be at all surprised to see the end-of-life network infrastructure attack surface get bigger because of supply chain trends.
Paul Asadoorian (37:47.284): Mm-hmm.
Paul Asadoorian (37:59.935): I mean, the frustrating thing for me is the ASAs that are out there are probably working just fine. Like, there’s probably no other reason to upgrade them, like throughput and capacity wise. I mean, I would take an older ASA. I think my friend Josh on our previous show was looking on eBay for ASA devices and he found one for like sixty-five dollars. I’m like, a 5000-series ASA would probably be fine for your firewall. Right. It would probably push gig.
Chase Snyder (38:13.833): Yeah.
Paul Asadoorian (38:29.16): Not without a problem. But now it’s not supported. So you have to replace a perfectly working, you know, piece of gear. And we see this with IoT as well. That, you know, IoT manufacturers end-of-life gear. And I’m like, yeah, but that gear would probably run for another five or 10 years and be fine.
Vlad Babkin (38:39.149): So yeah.
Vlad Babkin (38:46.187): The answer to all of this is very simple. You might not need to be exactly super hard on the inside, but the only exposed port on the outside that you have in your firewall should only ever be the VPN port. And I’m not speaking about the web VPN port. I’m speaking about OpenVPN, WireGuard. I’m speaking about ports that allow you to connect to the VPN and nothing else.
Paul Asadoorian (39:09.344): Mm-hmm.
Paul Asadoorian (39:15.828): Yeah, not the SSL VPN that runs usually on 443. Yeah.
Vlad Babkin (39:16.213): And an SSL VPN is usually the same pothole as an open router entirely. Historically, they are not much more safe. So if you open up your OpenVPN port with a well-configured OpenVPN, or well-configured WireGuard, or well-configured IPsec, it’s not exactly a port, but kind of the same idea.
Paul Asadoorian (39:23.924): Yeah, yeah. Mm-hmm.
Vlad Babkin (39:41.709): Good luck breaking into that, because now your attack surface on the outside is just this one thing, which is designed to be handling untrusted connections well.
Paul Asadoorian (39:53.28): Right. I mean, not to say there aren’t vulnerabilities. I think, um, is it, is it Zyxel, however you say it, had vulnerabilities in their IPsec VPN, uh, component.
Vlad Babkin (39:56.161): Yeah, they are, but-
Paul Asadoorian (40:08.243): But hopefully that device is supported and you patch it and move on with life.
Vlad Babkin (40:08.365): Sure. Yeah, but the point is, how many of them are specifically in the VPN part, like the VPN port itself? Maybe like one or two bugs you can find, but 99.9% of them are in the web management interface, not in the VPN port itself. And even then, if you don’t wanna deal with this built-in device stuff, you can buy yourself a Raspberry Pi for home. Or if you’re an organization, buy a decent box for your office.
Paul Asadoorian (40:20.767): Mm.
Paul Asadoorian (40:26.759): Right, right.
Vlad Babkin (40:39.501): Okay, if you’re a large organization, how much is it gonna cost you? A couple thousand bucks to set up a full Linux box which can support a lot of VPN connections? Expose that and be in full control of it.
Paul Asadoorian (40:52.745): Right.
Vlad Babkin (40:54.195): And make it certificate-based, on your own certificates, based on your own OpenVPN daemons that you run. Just forward the port into that. And that’s it. You are not exposing anything on the firewall itself. It will be much easier to actually defend that. And your Cisco ASA box might stand for quite a lot more.
Paul Asadoorian (41:19.325): Right.
Vlad Babkin (41:19.447): So, yeah, like it might be cheaper than replacing all of that infrastructure.
Paul Asadoorian (41:21.765): I mean, that is the trade-off, right? The trade-off is how much maintenance do you want to incur by rolling it yourself, or, you know, this is why people go to the vendors, because they want to push that work out to the vendors and just pay. Like, just give me a box that does VPN. But now the attack surface, as we’ve uncovered in the past few years, is vast on these devices.
Vlad Babkin (41:38.795): Yup.
Vlad Babkin (41:45.294): The problem is, I don’t think there is any single vendor which actually does what I said. Make a web interface which is not exposed to the outside, make a nice VPN config generator, and just give that to customers. No, every single vendor is trying to make some more bells and whistles. Because, hey, now you have a thing that logs into some box which is exposing the port online to get a bunch of certificates for you to connect to corporate Wi-Fi, for no reason.
Paul Asadoorian (41:50.943): Mm.
Vlad Babkin (42:15.307): You expose a bunch of surfaces in that box. Now what? That’s exposed. Like, your Wi-Fi security now costs you an exposed box. Which you don’t even know what the contents of are. You cannot even monitor it that well. So if somebody finds a zero-day in that, your organization will have a lot of fun. A lot more fun than from somebody stealing your old password on Wi-Fi and just running.
Paul Asadoorian (42:32.512): Mm.
Paul Asadoorian (42:37.322): Whoa.
Paul Asadoorian (42:42.72): But that’s the trade-off, is visibility. You go get the box from the vendor and they don’t want you to look inside the box. Can’t look inside the box. You can put the box on your network. You can configure it to do its job, but you can’t... don’t look inside the box, because we don’t want you doing that. What’s in the box, right? Then it’s like, what’s in the box? But they don’t want you in the box. They want you to live outside the box. And you’re like, yeah, but attackers are inside the box. Why can’t I look and see what they’re doing? And you can’t.
Chase Snyder (42:59.635): What’s in the box?
Vlad Babkin (43:04.343): Yeah!
Chase Snyder (43:12.137): They can’t get there if you deploy it per spec. The attackers can’t get to it.
Vlad Babkin (43:12.365): Because you cannot.
Paul Asadoorian (43:14.674): Right, that’s what they say, attackers can’t get there. But that’s obviously not true.
Vlad Babkin (43:20.193): Yeah, attackers can get there and have done the getting there. The getting there part is not even that easy. And then you will have a lot of fun. And that’s the whole point. If you really want a secure solution, you will have to invest some cost. But at this point, the question that I’m raising here is how much pricier it is to actually have a bunch of admins just administrating your own VPN box versus outsourcing it to this box and risking
Paul Asadoorian (43:23.519): Mm-hmm.
Vlad Babkin (43:50.039): Getting your organization systematically exposed.
Paul Asadoorian (43:53.025): Yeah, so I did the lazy way out and I use Tailscale. And I think we’ve talked about on the show, can enterprises use Tailscale? How much does it scale? Like, they should, right? The trade-off is you’re shifting the security responsibility off to the provider, in this case Tailscale. How much do you trust Tailscale versus the other vendors versus rolling your own solution, right? And these are the,
Chase Snyder (44:03.541): Oh yeah, 100%. They can, it’s,
Paul Asadoorian (44:22.206): Risk equation has stayed the same for 30 years, right? Since I started working in IT and IT security. And it’s like, do we get a vendor? Do we host it somewhere else in the cloud, let someone else take care of it? Or do we put in the work ourselves and build our own solution using open source software?
Vlad Babkin (44:44.301): Yup. Yup. Yup.
Chase Snyder (44:46.517): Doing the risk analysis math is beyond the capacity or the resources of most organizations. It’s so complicated, and there’s just a lot of information that you need to do that risk analysis and decide what you’re willing to accept versus mitigate versus transfer. Like, the appliance companies that won’t let you see inside the box, that’s obfuscating something that you need.
Paul Asadoorian (44:49.042): Mm-hmm.
Vlad Babkin (44:55.02): Yup.
Vlad Babkin (45:11.405): Yup, yup.
Chase Snyder (45:14.389): To accurately do the risk analysis. So supply chain risk management has these intentional blind spots introduced by the supply chain, by the vendors, that make it difficult and impossible to get an accurate view of what risk you’re accepting.
Paul Asadoorian (45:14.431): Yeah.
Vlad Babkin (45:17.229): Yup.
Vlad Babkin (45:23.053): You
Vlad Babkin (45:28.778): And... And then there is like, you cannot really do that anymore, because now there’s compliance where you must have no CVEs in your Docker images or whatever you deploy to customers. Like, yet companies that, okay, so like imagine just what situation we are in personally. Like, we are obviously developing the product, right? We are under some regulations to do this. And one of the regulations that we have, which is again not a large surprise considering it’s not just us, is that...
Paul Asadoorian (45:40.873): Mm-hmm.
Vlad Babkin (46:00.088): Docker images that we deploy must not have any CVEs whatsoever. Yet, we allow VPN vendors to fly free, and the organizations that develop those Docker images to be CVE-free are using products which they cannot even see into and enforce their compliance on. Like, this is...
Paul Asadoorian (46:03.871): Mm-hmm.
Paul Asadoorian (46:15.872): I mean maybe that’s what people want. Maybe we just need a hardware appliance and then just tell people don’t look in the box.
Vlad Babkin (46:22.421): Yup, like, don’t look at the box that Eclypsium delivers you, that’s great, but like, for some reason...
Paul Asadoorian (46:26.472): Yeah, you won’t find any vulnerabilities if you can’t look inside of it.
Vlad Babkin (46:31.041): Yup. And that’s the stupid part. Like, what I’m challenging here is the view that those boxes actually save you costs; they cost you. Like, you pay the vendor a lot of money to manage them, then they get exposed, exploited, you get ransomed, you get your data stolen, you pay all of the price of that, and the question is whether what you just paid in this one-time ransomware attack that happens once every few years is not greater, sorry, not less than what you would have been paying a normal administrator to manage your... supply chain, like, to pretty much make your own OpenVPN-based solution, which is much less likely to be ransomed.
Paul Asadoorian (47:08.576): Right. But I think a lot of the reasons why people buy the higher-end enterprise gear is, I think one is throughput, right? Like, when I worked for the university, if I had proposed at that time, you know, going back almost 20 years, but if I had proposed, oh, I’m going to build this solution on Linux to route traffic or do VPNs. Maybe, like, you know, it’s going to get crushed under the weight of the throughput we need to push through it. And that’s why we go to vendors such as Cisco and others for the throughput. But then also, you know, in a larger environment, we go, well, we don’t just need a couple of firewalls. We need hundreds or thousands of firewalls, and the enterprise vendors are like, sure, we’ll sell you all that and we’ll give you some management software, right? Fortinet has this. When I studied this for one of the attack scenarios that Fortinet had, right? You’ve got a bunch of firewalls now. You’ve got so many firewalls. You need management, more software and potentially hardware.
Vlad Babkin (47:38.711): Sure.
Paul Asadoorian (48:07.636): To manage all of your firewalls and VPNs from one central location. And that’s why they go with the large enterprise vendors. But the flip side, as we’re pointing out, is you’re increasing your attack surface, you’re limited on visibility.
Vlad Babkin (48:22.807): Yep, and in this case, like, we’ve managed VPNs, like, I don’t know about firewalls, like, obviously firewalls are more complicated. VPNs, if you configure your OpenVPN well, what you really need to do is just issue new certificates, and it will work, and then you need your OpenVPN to just update CRLs. Like, you revoke a certificate, there should be some process which will pull the revoked certificate into every single box. That’s it. You just...
Paul Asadoorian (48:51.359): Mm-hmm.
Vlad Babkin (48:51.979): Revoked access for somebody, and suddenly you have management across the board. Now, again, there are a lot of enterprise management tools like Ansible. So with Ansible, you can manage configuration changes.
Paul Asadoorian (49:04.426): But the third reason why enterprises choose the larger enterprise gear is not even so much support, but it’s the skill of the IT and IT security workers. So if you roll your own solution, let’s just say for VPN, right? What happens when people leave? People come and go, and the new people are like, I don’t know what that is. Whereas if you deploy a Cisco, Fortinet, whatever, there are people that have experience with all that gear. So you can get people, you can be like, I need another
Vlad Babkin (49:15.489): Yup.
Vlad Babkin (49:19.766): Yup.
Vlad Babkin (49:27.991): Yup.
Vlad Babkin (49:32.694): Yup.
Paul Asadoorian (49:34.152): Cisco person, right? And Cisco has a whole certification program. That’s part of Cisco’s mission, right? Make sure we have certified professionals so companies buy our gear and can always find talent to go work on said gear.
Vlad Babkin (49:35.158): Yup.
Vlad Babkin (49:46.712): Yup, and another huge point about this is that before, the entry-level skill for making your own system was really high up. There was no Ansible, there was no easy-to-manage OpenVPN with PKI support. Making your own PKI was a whole headache. Now you can make it within a few hours in the most basic, bare-bones way, right? So the entry bar into using open-source tools to manage all of this is much lower.
Paul Asadoorian (49:58.249): Yeah, Right.
Paul Asadoorian (50:16.704): Mm.
Vlad Babkin (50:17.485): Then it’s getting a little worse. So it’s only going to get better.
Paul Asadoorian (50:21.152): I want to transition to, we talked a little bit about supply chain, right? The NPM attack is super interesting. This is all a rage right now.
Vlad Babkin (50:28.917): Yeah. Yeah. The NPM attack ties into what we have been talking about since forever. Like, so just, okay, the attacker calls their worm Shai-Hulud. Okay, so that’s way too epic of a name to just use it consistently, just call it the NPM worm, right? So what they did was pretty much find their way into some package. What the worm does when you install it,
Paul Asadoorian (50:36.606): Yeah, it’s a supply chain.
Paul Asadoorian (50:48.788): Mm-hmm.
Paul Asadoorian (50:57.62): They phished a maintainer, right? They social engineered a maintainer to gain access to that
Vlad Babkin (51:01.957): This doesn’t... Yeah, the point is, whatever they need to get into the first package is less interesting. What happens next is, once you get that code into some popular enough package, it gets downloaded, it runs, and it looks for NPM tokens across the machine. And if it finds some, it worms its way into other packages. And keeps going that way. And this way they’ve wormed like 180 packages or something like this. So...
Paul Asadoorian (51:08.786): Yeah, yeah.
Vlad Babkin (51:29.997): The scary part about this is not the part where it pretty much found its way into one popular package, no. They found their way into at least 180 packages which we know of, and sit there. And they can sit there indefinitely. We don’t know if we got them all. And at some point the developer wakes up, installs the package, and surprise.
Paul Asadoorian (51:49.667): So the tokens that they’re looking for are for the maintainers of other packages so they can modify the code of another NPM package. Now that package is backdoored. I gotcha.
Vlad Babkin (51:59.042): Yep, and then they also look for GitHub tokens and for other tokens as well. They have successfully found quite a few of them, and the dumb part about it all is, like, all of this has a solution. It’s called signatures. Your software has to be signed, but... Okay, supply chains that I know don’t quite sign their software. Golang, Python, Node... Tell me...
Paul Asadoorian (52:04.235): Mm-hmm.
Paul Asadoorian (52:14.546): Yeah, I know and there was
Vlad Babkin (52:27.745): Just about any single package manager which actually does proper signatures. Like, okay, there is APT which does signature checks. Sure. Linux packages are signed. I’m speaking about the software supply chain. Node is not signed, Python is not signed, Golang is using GitHub clones which don’t quite require any signatures. And the absolutely stupid part is that if maintainers get ransomed somehow,
Paul Asadoorian (52:36.158): Right.
Paul Asadoorian (52:51.508): Mm-hmm.
Vlad Babkin (52:57.491): Get their tokens exposed, you can just push new code and there is no way to verify if this code is coming from the user or from the attacker. And this is why
Paul Asadoorian (53:08.084): Well, that’s the problem. It’s the lack of validation. I can’t validate all the packages that are installed on my system from any particular environment. And what most of us do is we watch the screen scroll by as it installs all of those dependencies, right? If you use Go or use NPM, or like me, I do some PlatformIO development, which is an ESP32 development framework, I should say. Yeah. So the first thing I do, so this is frightening.
Vlad Babkin (53:14.167): Yup. Yup.
Vlad Babkin (53:20.705): Yup. Yup.
Vlad Babkin (53:30.029): Mm-hmm, you just look at it go. And so, so, so.
Paul Asadoorian (53:37.601): So the first thing I do is I git clone the repository, or if I’m creating my own code, I create my own directory and make it a Git repository. Then I have to install PlatformIO. So I create a Python virtual environment and I pip install PlatformIO. It installs a whole bunch of Python dependencies to get there. So now I’ve got the Python code. The next thing I do is I use PlatformIO commands to install the PlatformIO dependencies for whatever board or firmware that I’m working with, and it goes out and it pulls down a whole bunch of stuff that is specific to, like, ESP32 development libraries. You need one for your... you need the IDF from Espressif Systems. You need the Arduino, whatever. If you have a display, you need the libraries for your display. And it goes in, it pulls all of that software down. I sent you guys screenshots in our chat, right? Like, it installs all this software. Then I can build the firmware. And I’m like, wow, I just pulled down from like two different
Vlad Babkin (54:30.539): Yup. Yep, yep, yep.
Paul Asadoorian (54:37.446): Ecosystems a whole bunch of software that I did zero validation of what I’m getting.
Vlad Babkin (54:42.413): Yep. Yeah. There’s a list of a few partial solutions. So, the Python package manager Poetry and npm’s built-in one. Actually, when you install packages, they build a lock file where they write the hash of the stuff. So it prevents you from getting a package which you didn’t know about. So you can install specific packages from a specific lock file in your production builds. Sure, that’s a partial answer.
Paul Asadoorian (54:51.423): Mm-hmm.
Vlad Babkin (55:08.893): And while I made signatures sound like a ready-made solution for it all, it’s not quite so simple to manage keys at this scale. Like, okay, there is like...
Paul Asadoorian (55:15.494): Mm-hmm. Well, that was the point of, was it Sigstore? What do they call that? There is an effort to allow developers to sign their packages. Is it Sigstore?
Vlad Babkin (55:25.395): Yup, yup, and the point is APT somehow did it. So there is, and why did the attackers call this worm Shai-Hulud? It’s because it’s not gonna be gone within a few months at the very least, probably years. And like, while NPM might clear this specific worm, nothing stops the attacker from doing this attack again and again and again, and in a different ecosystem as well, because, like, all of them work in a similar fashion. If you got the token,
Paul Asadoorian (55:29.6): Mmm.
Paul Asadoorian (55:39.41): Mm-hmm.
Paul Asadoorian (55:46.752): In a different ecosystem, yeah.
Vlad Babkin (55:54.926): You are done, you can publish packages. And there is nothing the defender can do to ensure there are no surprises. And if the attacker really wants to just annoy the hell out of everybody, they can just keep repeating this attack over and over and over and over until something happens.
Paul Asadoorian (56:11.637): Yeah. And I think it’s interesting. I don’t think attackers care so much about poisoning the software that you’re developing or creating. They just care about getting access to all of the credentials that you have as a developer, and then building on that and spreading it and compromising more developers, and more, more. So it’s the developer that’s at risk. I don’t think they care about backdooring my ESP32 firmware, because that’s not really going to get them very far, right?
Vlad Babkin (56:23.105): Yup.
Vlad Babkin (56:27.149): Yup. Yup.
Vlad Babkin (56:37.687): Yup, they don’t... Yeah, but for example, let’s think about some high-privileged developer in a big company. Imagine them running into somebody high-seated in Microsoft. Suddenly you get access to Windows source code for editing it.
Paul Asadoorian (56:39.957): But if they steal all my…
Paul Asadoorian (56:48.394): Yes.
Paul Asadoorian (56:54.215): Yes, exactly. Right. You’re going to steal my SSH keys or whatever and pivot from there. It’s a pivot point from the developer. It’s a way into the developer’s ecosystem. Yep.
Vlad Babkin (57:02.017): Yup. Yup. Yup. And like, this is why the name, even though it’s incredibly epic-sounding and everything, this one time the attacker actually did a good job naming it.
Paul Asadoorian (57:16.577): What is the term mean, Vlad?
Vlad Babkin (57:19.805): Shai-Hulud is, like, I think, the worms from the Dune series. Like the huge... The great worms of Arrakis or something like this, and like... They were really tied to the plot in there and everything. So it’s like a really, really massive worm. Yeah, so this...
Chase Snyder (57:22.963): Yeah, it’s the big worm from Dune, the sandworm, yeah.
Paul Asadoorian (57:23.46): Yeah, yeah, yeah. It’s a Dune reference. It’s a Dune reference. Yes, yes.
Paul Asadoorian (57:30.859): Yes.
Chase Snyder (57:36.169): They’re running out of Lord of the Rings references. All the Lord of the Rings references are taken by defense tech companies. And so the attackers are going Dune.
Paul Asadoorian (57:38.86): Right.
Paul Asadoorian (57:42.881): Mm-hmm.
Vlad Babkin (57:46.552): Yeah, so... And in this case, like, yeah, we should go to some unexpected universe. Like, you know, instead of all of the epic-sounding movies, just take some children’s cartoon and take stuff from there and name products from that. I think it will be so fresh that it will actually...
Paul Asadoorian (57:55.498): Mm-mm.
Paul Asadoorian (58:02.741): There you go.
Chase Snyder (58:02.933): K-pop Demon Hunter. We’re doing K-pop Demon Hunter viruses now.
Vlad Babkin (58:08.353): Yeah, better, better yet, defensive software that’s titled like, you know, take some Sailor Moon names and just name your defensive software based on that. I mean, it will be so fresh among all of the Palantirs and Shai-Huluds and all of the epic-only names that people are gonna notice it.
Chase Snyder (58:17.589): Tuxedo mask defense tech. Like it.
Paul Asadoorian (58:18.139): Mm-hmm.
Paul Asadoorian (58:25.482): That’s crazy.
Paul Asadoorian (58:32.286): Right. We did have some new... what was the Rowhammer attack? I saw the story. I didn’t really dig into it, but.
Vlad Babkin (58:37.747): Yeah, the fresh Rowhammer attack is again a very productive week, or very unproductive week, depending on what end of the stick you’re on. A bunch of researchers found a Rowhammer attack against a modern DDR5 chip in a desktop system and managed to demonstrate that. So what they... Well, they circumvented all of those and they could...
Paul Asadoorian (58:57.982): I thought there was protections in DDR5 to prevent row hammer, right? Is that what they circumvented? Mmm.
Vlad Babkin (59:06.189): The Rowhammer is the stuff out of your memory within like 100 seconds or something. Not very high value, let’s put it this way. And they could achieve bit flips.
Paul Asadoorian (59:17.96): Which essentially lets them read memory they’re not supposed to read.
Vlad Babkin (59:21.911): Yup, they get access to stuff they’re not supposed to get access to and that’s it, that’s the fun part. And it’s a DDR5 chip that’s desktop-grade, that’s a massive vendor, so a lot of people are not going to be replacing that for years and years to come. About secure boot, you at least know that you’re on Windows 10. Good luck finding out if you’re on that specific chip vendor for your DDR5 RAM, because again, what you got was like…
Paul Asadoorian (59:35.488): Mmm.
Paul Asadoorian (59:41.546): Yeah.
Vlad Babkin (59:51.31): Kingston Fury rumbled, you don’t know what kind of chips they are using in there. Because, like, okay, let’s say Kingston issues a new chip. Now you have a new Kingston Fury which is defended from all of this. How do you differentiate as a customer?
Paul Asadoorian (59:55.505): Yeah, yeah.
Paul Asadoorian (01:00:05.878): That’s interesting. Can we not glean which memory chips are on the system?
Vlad Babkin (01:00:12.919): Potentially, if you collect a lot of data, you might find out. So I think this will be a part of what Eclypsium should be researching at one point to help answer this question, because this is not an easy question. Let me put it this way. It’s not at all an easy question.
Paul Asadoorian (01:00:16.672): Mmm.
Paul Asadoorian (01:00:26.152): No.
Paul Asadoorian (01:00:30.058): Well, because I would assume that supply chain with DRAM is similar to a lot of the supply chains we talk about with hardware that you might get, like you said, the Kingston branded, I hate to pick on Kingston, but any memory manufacturer is this line, but they could swap out the chips in the back end, much like a lot of OEMs do.
Vlad Babkin (01:00:41.857): Yeah, yeah, j-j-j-j-
Vlad Babkin (01:00:47.127): Yeah, just in case what I don’t remember is if it was Kingston specific, I’m just using it as an example of like a off the shelf RAM you can actually find. I just know this one specific name easily from my memory. But like it can’t be any RAM vendor, any RAM line.
Paul Asadoorian (01:00:54.196): Mm. Mmm.
Paul Asadoorian (01:01:06.824): Yeah, like, I of course, they are Vengeance, and the system may report to me I’ve got this model and it’s whatever, but I don’t know exactly which chips.
Vlad Babkin (01:01:13.047): Here you go, you named… You named another one, do you know what chips Corsair uses? No, you don’t. Most customers don’t, even advanced customers, even geek customers.
Paul Asadoorian (01:01:18.706): Yeah, exactly.
Paul Asadoorian (01:01:23.136): And so they could be susceptible to row hammer now.
Vlad Babkin (01:01:28.673): Yep. Yep. And like in older RAM you have chips exposed so you can theoretically take it out, take a lens, look at them, read what the chip is. But on the modern RAM it’s under heatsink. So you cannot even take out the RAM to actually look at the chips. You have to take out the RAM, disassemble the heatsink, then look at the chip, then reapply whatever thermal transfer element was in there.
Paul Asadoorian (01:01:36.244): Mm-hmm.
Paul Asadoorian (01:01:41.056): All right, right.
Vlad Babkin (01:01:54.868): Then assemble the heatsink back, then you can insert it and then you can be sure what chips you have. That’s… YUP!
Paul Asadoorian (01:01:58.45): Yeah, I’m not doing that in my DRAM, because I just saw an article that DRAM prices are skyrocketing now because of supply. Yeah.
Vlad Babkin (01:02:05.677): Exactly, even geek customers will probably not do that.
Paul Asadoorian (01:02:10.385): Yeah, I would not be taking the heat sinks off of my round, especially at the cost, you know, the prices are getting formed now.
Vlad Babkin (01:02:14.454): Yeah. Yup, neither will I, neither will anybody sensible. So, zoos.
Paul Asadoorian (01:02:20.669): Yeah, well, some of the gaming systems, right, the RAM has LED lights on it and stuff and good luck getting all that apart.
Vlad Babkin (01:02:26.241): Yeah, and better yet, just blindly replacing RAM is not even gonna work for you because now you have, okay, you found, okay, let’s say that you are crazy enough. You disassembled your heatsink, you assembled it back, you know your chips, you checked with researcher and the researcher confirmed you personally that it’s vulnerable. Or you got a pic from him, it’s vulnerable. Now what do you do? You go to the website and you try to buy your RAM.
Paul Asadoorian (01:02:36.543): Mm.
Paul Asadoorian (01:02:48.991): Mm.
Vlad Babkin (01:02:54.093): And now what do you do? Because you have to order RAM, which arrives with the heatsink, and you don’t know what’s in it. And you cannot disassemble it without voiding your warranty and killing your ability to return it. So you can order your RAM, disassemble it, and find out that it’s the same chip.
Paul Asadoorian (01:03:00.723): Right.
Paul Asadoorian (01:03:04.158): Mm-hmm.
Paul Asadoorian (01:03:10.163): Wow.
Vlad Babkin (01:03:11.853): So there is not a lot of answers on how to, even if you find out how to detect that you’re vulnerable, how exactly do you fix it? If it is a hardware bug and not a software bug that can be patched. And again, this is the problem of black boxes. Like we must push supply chain everywhere. All of the questions we discussed today, Cisco ASA, Windows 10, Rowhammer, NPM,
Paul Asadoorian (01:03:13.055): That’s crazy.
Paul Asadoorian (01:03:22.271): Mm.
Paul Asadoorian (01:03:32.286): Yeah.
Vlad Babkin (01:03:40.873): Everything is about visibility and signing stuff. Like if your computer arrives to you with an HBOM, a list of hardware components in this computer, or HBOM, list of components specifically in this RAM that’s arriving to you. In this specific stick you have this specific list of hardware components. It will not be much easier for you to, you know, do your security stuff. And then if you solve signatures, hey,
Paul Asadoorian (01:04:04.797): Yeah, agreed.
Vlad Babkin (01:04:10.865): Sure, maybe Signature and NPM are optional, or you need to know a bunch of public key servers. But let’s say you’re a security conscious company, can just list, okay, we’re using default NPM, we’re using these three vendors, we accept their key servers, and suddenly they have signature checks. So all of those just have no answer right now. We need all of those. Eclypsium has been pushing for those things forever and…
Paul Asadoorian (01:04:33.439): Mm.
Vlad Babkin (01:04:39.817): Literally the entirety of today’s almost all are about this exactly.
Paul Asadoorian (01:04:47.935): Well, here’s to the bill of materials. I guess it’s the good way to close out the show. I want to thank Vlad and Chase for appearing on today’s Below the Surface. Thanks everyone for listening and watching. We’ll see you next time.