BTS #63 - F5 Breach, Linux Malware, and Hacking Banks

In this episode of Below the Surface, Paul Asadoorian and Chase Snyder delve into various cybersecurity topics, including the use of a Raspberry Pi in a cyber attack on a bank, the implications of the F5 breach, and the emergence of PolarEdge malware targeting QNAP devices. They also discuss the Two-Face Rust binary technique, the critical nature of authentication bypass vulnerabilities, and the evolving landscape of air-gapped systems. The conversation highlights the increasing risk posed by old vulnerabilities and the need for improved security measures in the face of advancing cyber threats.

Transcript

Paul Asadoorian (00:00.345): And we’re off. Connect to LinkedIn.

Chase Snyder (00:16.078): I’m just seeing your LinkedIn post, congrats on your new 5090. That’s like four air conditioners all stacked.

Paul Asadoorian (00:21.529): Right?

Paul Asadoorian (00:26.905): Yeah, dude, even like a 4090, even refurbished is still like two grand, a little north of two grand.

Paul Asadoorian (00:38.905): Which is crazy. Because the start of the thing in my system at home is five years old, like this month. And I’m like, hmm, could be time to upgrade. Just because I want to, not necessarily because I need to. But I’m like, yeah, now that I run a lot of VMs and containers and security research stuff, basically.

Chase Snyder (00:55.43): Yeah, I was like, what are you trying to play? What are you trying to play?

Paul Asadoorian (01:06.073): But I have a 4090 in my other system and I was thinking of consolidating rather than fork out the $2,100 for a new one. Like, I have one, it’s in another system. Probably just consolidate it down.

Paul Asadoorian (01:20.289): Alrighty, we are, hey, we’re ready to go. You ready? Let’s do it. This week we discuss PolarEdge, Raspberry Pis being used in a bank heist. Has F5 really contained the breach? Two-Face malware, authentication bypass on a storage manager, and Zero Disco. Stay tuned, Below the Surface coming up next.

Chase Snyder (01:24.962): Yah.

Paul Asadoorian (01:47.738): Welcome to Below the Surface. It’s episode number 63, being recorded on Wednesday, October 29th, 2025. I’m your host, Paul Asadoorian, joined by Mr. Chase Snyder. Chase, welcome. Oh, I see we’re both wearing the, microphone’s in the way. We’re both wearing Eclypsium branded gear today, almost as if we planned it, right? It’s almost as if we planned it, which is great. We got a packed show for you. Before we get started, Below the Surface listeners can learn more about Eclypsium

Chase Snyder (01:58.83): What’s up, Paul? Good to be here.

Chase Snyder (02:05.57): You gotta rep the things you love, right?

Paul Asadoorian (02:16.685): by visiting Eclypsium.com forward slash go. There you’ll find the ultimate guide to supply chain security, an on-demand webinar I presented called Unraveling Digital Supply Chain Threats and Risk, a paper on the relationship between ransomware and the supply chain, and a customer case study with DigitalOcean. If you’re interested in seeing our product in action, you can sign up for a demo. All that at Eclypsium.com forward slash go. We’ve got some good news stories to talk about this week. I took some liberties to add some stories there based on stuff that I’ve been observing. Chase, you have the Raspberry Pi one, we can start there. You certainly liked this one. It’s older, but we can talk about it.

Chase Snyder (02:57.986): Yeah, 100%. Yeah, okay, I was excited about that one. I was looking into just cyber attacks on banks. No reason, just curious. There was the thing relatively recently where Iran’s state bank got targeted by Israel. I think it was like hacktivists. And then J-Pow, the chairman of the US Federal Reserve, said, basically, watch out, we’re a target too. If you’re a bank or the Fed or a major financial services institution, you are potentially a target in the global geopolitical conflicts that are heating up. So I was like, okay, have there been any cyber attacks on banks? And I came up with this one that was straight out of a hacker movie, right. They literally made a Raspberry Pi that had, I think, the TinyShell backdoor installed on it and plugged it into…

Paul Asadoorian (03:48.973): Mm-hmm.

Chase Snyder (03:53.25): What sounded vaguely like an ATM server, like some sort of ATM management device, not actually an ATM, right? Not an individual ATM machine.

Paul Asadoorian (04:03.194): see, I thought it was an individual ATM machine.

Chase Snyder (04:06.21): I think it was a switch. Now I’m going to go back and dig and just double check. I think they had to like sneak it into the actual data center. But yeah. Yeah, yeah, yeah, exactly. Yeah, because imagine if you could plug in a Raspberry Pi with like some widely available open source hacker software on it and just plug it into the ATM itself.

Paul Asadoorian (04:14.873): Like, almost not the data center, but the network closet or whatever at the bank. Yeah, they had a switch on it. I gotcha. Okay.

Paul Asadoorian (04:26.903): Mm-hmm.

Chase Snyder (04:34.766): Every single time I have to hold myself back from saying ATM machine. The M stands for machine. My ATM machine PIN number. But yeah, so it’s like, yeah, you wrote it down great in this little note, where it’s like this intersection of hardware-based and sort of skulduggery, like physically sneaking in and plugging in this device, but then exploiting network access and putting a kernel rootkit on a separate

Paul Asadoorian (04:38.987): Yes. It’s true.

Chase Snyder (05:03.694): separate machine inside the environment that the defenders then had a really hard time getting this attacker out of. And so they like wormed their way in. Wormed, I shouldn’t use that because that means something specific that’s different. But you know, they squirreled their way into the environment through this Raspberry Pi they plugged in and made it onto an Oracle Solaris machine with this rootkit, and then they had a really hard time, you know, kicking the bad guys out of there, even though they say that they stopped the attack before it succeeded in its ultimate goal of stealing customer information or money or whatever they were going after.

Paul Asadoorian (05:41.977): I guess people still use Solaris. Interesting.

Chase Snyder (05:49.122): I’m going to look up right now what an ATM switch is. I should have done this.

Paul Asadoorian (05:53.881): Hmm.

Chase Snyder (05:57.678): I should have done this. Yeah, that controls the ATMs. Oh yeah, yeah.

Paul Asadoorian (05:57.743): My guess is it’s just a network switch that the ATM was plugged into, right? Because most ATMs, the operating system is, like you see, when they run Windows, right? Embedded Windows under the covers.

Chase Snyder (06:08.394): Mm, yeah, you’ll sometimes see like a boot screen or the blue BIOS screen, safe mode screen or whatever on it in public, which is very funny and annoying.

Paul Asadoorian (06:12.686): Yeah.

Paul Asadoorian (06:19.138): And also I think cool that, well not cool, but bad, but also cool that attackers are using Raspberry Pis. I’m surprised actually, but I was looking at the story. I was surprised we haven’t seen more of attackers using Raspberry Pi devices to backdoor networks. Of course your options are vast, but you know, a lot of capabilities in a small little computer. I’m surprised it hasn’t been weaponized more by actual threat actors. I know pen test teams do use them as well. We used to really nerd out on what we call drop boxes, right? If you get physical access and you go into the bathroom and you crawl up in the ceiling and you find the switch and you can plug something into it. I think it’s actual. Yeah, yeah. And like, what would that device be and what would it run? Right. And we do all kinds of stuff on it now. So.

Chase Snyder (07:04.022): It’s just more cinematic.

Chase Snyder (07:11.63): Sure, yeah. It’s always really funny when, like, in hacker movies, it’s way cooler to watch someone crawling through the ducts and plugging into some thing versus sitting there and typing miscellaneous green text on a black background in a terminal that always later gets revealed to just be, like, some HTML that they were typing. The number of hacker movies where it’s just like, they went inspect element on a browser and that’s what they showed.

Paul Asadoorian (07:18.765): Right.

Paul Asadoorian (07:30.518): Yeah, they’re just catting out HTML files or style sheets and letting it scroll on the screen because it looks cool.

Chase Snyder (07:39.479): You

Chase Snyder (07:46.38): Yeah, I’m reading about ATM switching systems right now. It seems like it’s a separate kind of hardware, a whole separate system. But ultimately, yeah, I don’t know whether it got plugged into the ATM or the switch itself. But I don’t know, thinking about cyber attacks on banks and financial institutions, both just from the perspective of that’s where the money is, right? Why do bank robbers rob the bank? Because that’s where the money is. Why do hackers hack the banks? Because that’s where the money is. But also as this sort of bastion of

Paul Asadoorian (07:53.708): Interesting. It’s interesting.

Paul Asadoorian (08:09.997): Mm-hmm.

Chase Snyder (08:18.836): geopolitical stability. It’s like you can really create social uncertainty by demonstrating that the banks are vulnerable, and they obviously invest heavily in cybersecurity, especially the big ones. There’s literally, I think, eight banks in the US, maybe 10 globally, that are identified as systemically important financial institutions or, colloquially, too big to fail. And it’s like, okay, those are obviously getting cyber attacked all the time, but you don’t hear about it that much.

Paul Asadoorian (08:30.359): Right.

Paul Asadoorian (08:47.576): Mm-hmm.

Chase Snyder (08:53.814): Maybe that’s because they’re doing a really good job of defending it. But I think recently there’s been more disclosure rules coming out where it’s like, if and when they experience a cyber incident or a data breach, there’s a certain amount of time to disclose it and remediate it. And I think that timeline has gotten shorter within the last couple of years. There’s more and more regulation about it that I would guess is driving more investment into both prevention and rapid incident response around it. But I don’t know, I don’t have a whole lot more to say about it other than that I thought it was an interesting example because of this sort of intersection of hardware and software and the rootkit and the sort of lateral movement from that hardware plug-in starting point, the drop box as you say. And I’m curious to see

Paul Asadoorian (09:44.227): Yeah, and we used to spend a lot of time trying to figure out ways to identify new devices that come up on the network, if it was in fact plugged into the network, right? Conceivably, it could have been something else that maybe didn’t touch their network, or maybe it did. But if it does, identifying those new devices, there were a lot of things that we went through to discover, mostly like recommendations for customers where we walked in. I walk into a conference room, they go under the table or in the corner and I…

Chase Snyder (09:50.285): Mm-hmm.

Paul Asadoorian (10:12.932): plug something into a network jack and then I walk out. And you know, a lot of organizations, in particular one that I did a pen test on, and there were several, but this one, right, there was a conference room that you could go into that you didn’t have to go through security to get to. And so you make up some kind of ruse as to why you need to be in the conference room, or you know, while you’re waiting for someone or whatever, you go in there and you plug this thing into the jack. And it was like, well, how do we detect that, right? We should detect new devices being plugged in, but devices come and go on a network all the time. So like, what do we do specifically to detect and or prevent that access without inconveniencing legitimate users that are like, I need to plug in my laptop or some other device that is legitimate? And then they can’t because you’ve disabled the port. It’s like, so how do you balance usability and security in that environment? ATMs are a different environment, right? Locked down, there shouldn’t be any new devices that are coming up on those networks unless you know about them. Interesting.

Chase Snyder (11:17.484): Yeah, ironic too, because trying to discover new devices that are getting plugged in, it’s like, okay, asset inventory, foundational requirement for all cybersecurity, right? And most organizations don’t really have it. There’s already just tons of stuff plugged in that they do not know about. It’s not inventoried. It’s not being monitored. So it’s like, detecting new stuff? Why don’t we detect the like 20% of everything that’s already plugged in that we just do not have cataloged anywhere.

Paul Asadoorian (11:36.73): All right.

Paul Asadoorian (11:44.984): Yeah. Let’s go to F5.

Chase Snyder (11:48.844): Yeah, okay. We can do the whole show on that.

Paul Asadoorian (11:51.535): Because yeah, this article was amazing. I’ll make sure it gets in the show notes. It’s kind of a knock on F5. This is just kind of a warning, and it does express itself as an opinion piece. However, they did dissect the earnings report. Was it an earnings report or an investor call? It was an earnings… Yeah. And I’m also told that earnings call didn’t go very well, like they haven’t been meeting their earnings and they

Chase Snyder (12:10.914): Yeah, earnings call, yeah.

Paul Asadoorian (12:20.384): lowered the investor expectations, or what do you call that? Like revenue targets, whatever the stock market language is, right? So it’s not looking good for F5 from a financial perspective. Some analysts that I’ve spoken to, mostly self-servingly, because I’m like, so is this like a buy? Like Chase Cunningham wrote the book, I think it’s called Buy the Breach, right? Buy the Breach.

Chase Snyder (12:24.844): guidance.

Chase Snyder (12:46.761): the bridge.

Paul Asadoorian (12:48.674): And I was like, so this is an example of that. And at least one industry expert I talked to was like, well, no, because they’re not meeting their earnings. So their speculation, or at least a path that this could go down, is that F5 becomes a private company, not a public company, because they haven’t met their earnings and their stock price has suffered as a result of this breach. But I think there are all these reasons why that stock price has dipped in this case, not just as a result of the breach.

Chase Snyder (13:16.716): Yeah, there was famously, and I think Chase Cunningham’s book came out after this one maybe, but CrowdStrike’s stock dipped pretty badly when they had the blue screen of death incident that happened last year or two years ago, whenever it was. Yeah, you know, it caused so many challenges, but ultimately CrowdStrike was in a really strong position, even though, you know, that was a huge slip up, right? But as a company.

Paul Asadoorian (13:29.849): right.

Paul Asadoorian (13:42.071): It was.

Chase Snyder (13:43.618): They were kind of crushing it. There was one anecdote that came out in the reporting of that that I thought was super funny, which is that a big investment firm issued a white paper about it that was like, buy more CrowdStrike right now. This is a blue chip stock. They’re doing great. It’s essentially on sale right now because of this. But they couldn’t transmit that white paper out to their investment desks or whatever because of the CrowdStrike outage. They were like sending out the buy CrowdStrike message, but the computers were down because of CrowdStrike. Who knows if that’s true, but it was a funny anecdote. It seemed believable to me at the time.

Paul Asadoorian (14:11.829): Yeah.

Paul Asadoorian (14:20.11): Well then, you know, AWS was like, hold my beer. So there’s that.

Chase Snyder (14:22.7): Yeah. I’m generally a believer in buy the dip, not financial advice. But F5, yeah, it’s different. We were talking about this because, you know, there have been breaches at other big IT providers. And to me, I mean, okay, not all of them have resulted in a CISA emergency directive, which this one did. And it was called out in this

Paul Asadoorian (14:37.785): Mm.

Chase Snyder (14:51.81): Deep Spectre research article that you mentioned that usually when there’s a breach at a big IT provider, it does not result in a CISA emergency directive. There have been CISA emergency directives recently that were about, you know, big products like Cisco ASA. There was a CISA ED about that because there was a known exploited-in-the-wild vulnerability.

Paul Asadoorian (15:09.103): right.

Chase Snyder (15:19.842): This one is different. There’s no known exploited-in-the-wild vulnerabilities. There were vulnerabilities disclosed. You know, F5 said we had these vulnerabilities that we were working on, which, yeah, organizations have that. It’s not weird for them to have undisclosed vulnerabilities that they’re trying to patch before they disclose them, totally fine. But these got disclosed and then they patched them. So there’s no known attacks on anybody other than F5, but CISA put out an emergency directive, and that sort of levels up the

Paul Asadoorian (15:25.284): Right.

Paul Asadoorian (15:32.099): Yeah, right.

Paul Asadoorian (15:37.422): Mm-hmm.

Chase Snyder (15:49.346): scope, or like it makes it seem different and like a bigger deal than the other breaches at sort of big global IT infrastructure providers that don’t even really make the news.

Paul Asadoorian (15:50.618): Mm-hmm.

Paul Asadoorian (16:02.028): It’s interesting too, the article was talking about IOActive and NCC Group, who are amazing companies that do amazing security research. If I remember correctly, IOActive is pretty heavy on the product security side, at least that’s my understanding. You know, people can correct me if I’m wrong, but they focus more on the security of a product, right? Like, I don’t have any inside knowledge, but let’s just say you’re an automobile manufacturer and you want a security team to come evaluate how you’re implementing security or not in your automobiles, IOActive would do that kind of work. NCC Group I follow very closely for the security research that they publish. And F5 used them to do the investigation to determine the depth and scope of the breach, in the context of, has our supply chain, you know, been compromised, basically, for how we produce software and firmware for our devices. And that came under scrutiny in this article, which I think is interesting, as not being quite a fit. I don’t know if that’s true or not. But, you know, certainly I think in the back of everyone’s mind is, attackers were in there for a year. What did they really do? A year’s a long time, like

Chase Snyder (17:24.717): Yeah.

Paul Asadoorian (17:26.33): So when I read that in this article, I started thinking about it more and I was like, well, you’re in there for a year, like what if you did stuff and then covered your tracks, and then by the time someone comes to do the analysis, the attackers did stuff six months ago. How would you ever find that? Right? Like, logs rotate, the whole thing. So that was one of the things from this article that got me thinking about it. I don’t know what your feelings are, Chase, but.

Chase Snyder (17:55.042): Yeah, something that they called out specifically in the article. They mentioned something that had been said in the F5 earnings call. The F5 earnings transcript of that call is public, so you can find it on Yahoo Finance. They linked to it in the footnotes. And the question from someone who was identified as like a manager of IT infrastructure or something like that was that there had been a statement

Paul Asadoorian (18:07.681): Right, because it’s a public company.

Chase Snyder (18:26.196): that the breach equally affected software and hardware. So it was not just virtual editions, but the breach was equally impactful to software and hardware. And apparently the person who had asked about that was not sure about that. Okay, yeah. So the person who asked it was

Paul Asadoorian (18:41.474): Hmm.

Chase Snyder (18:55.81): I won’t read their name out loud, but you can go read it if you want, but their title was Managing Director of Data Infrastructure. And they said, just maybe you could clarify, because you’ve got BIG-IP as the appliance system business, but you have the virtual editions of BIG-IP. So when you talked about the breach, you said it affected BIG-IP. Does that mean that the breach affects both software and hardware equally? And then the CEO of F5 said, yes, it does. So.

Paul Asadoorian (18:58.296): Mm-hmm.

Paul Asadoorian (19:21.443): Well, yeah, because it’s basically the same software that you put in a virtual appliance versus on actual hardware. It’s how I would interpret that.

Chase Snyder (19:30.23): Yeah, sure. Yeah, that’s totally fair. But yeah, so anyway, the earnings transcript is really interesting. But yeah, that question of what does an advanced threat actor, you know, claimed nation state attacker, there’s been speculation about which one it is, but it has not been formally attributed by F5 or anyone else, as far as I know. There’s just been sort of breadcrumbs connecting it to this BRICKSTORM backdoor that has been connected to a specific threat actor in prior Mandiant research. And so there’s scuttlebutt, right, about who it is. But yeah, if you’re an advanced threat actor, you’re in there for a year, and what comes out at the end of it is like, oh, there were 44 vulnerabilities, but we don’t know if they got exploited. And also there’s nothing else going on inside of here that we know of that’s all that bad. So we patched the vulnerabilities and we… I can see why people would be asking the question. And we know, because we have customers that are also customers of F5 that are asking questions about what they need to do to stay confident going forward that their systems are not exposed or are protected against those exposures.

Paul Asadoorian (20:31.012): Mm-hmm.

Paul Asadoorian (20:50.497): Right. And I think it’s interesting too, and I don’t know if this came up in the earnings call, but the threat actor stole source code. Now, F5 didn’t say all source code, so are they obligated to disclose, like, okay, but which, and how much of which software’s source code was stolen? Or do they not know? But they just know it wasn’t all, but that’s

Chase Snyder (21:02.647): Right.

Paul Asadoorian (21:18.669): somewhat ambiguous. Like, we wrote some source code and it was off in a different repository for some utility or something. We know they didn’t gain access to that, but they got everything else. I’m just making stuff up, but what does that really mean? What did they take? What can they definitely prove was leaked as part of their source code? That would help us and the customers to understand the depth and scope and what we might want to do. If it was just software for one application.

Chase Snyder (21:33.346): Mm-hmm.

Paul Asadoorian (21:48.973): That would have been nice to know, right? I don’t know. I don’t know there’s anything in there about that.

Chase Snyder (21:57.292): Yeah, I’ll be interested to see. Basically, I think we haven’t seen the end of it. It would be very surprising to me if there was not another news cycle at least about the incident and about the impact on both customers and on F5 as a business, whether it’s about some further incident that happens or just a further disclosure, more information about things that had happened in the past. I don’t think it’s over.

Paul Asadoorian (22:33.045): No, I agree. They are distributing CrowdStrike’s EDR product on F5 appliances. Is that true? We’ve confirmed that, right?

Chase Snyder (22:43.308): Yeah, which is really unusual. That came up in the earnings call too. And they talk about something that we talk about all the time, right, Paul, that companies that make network appliances historically don’t let you put an EDR on there, even though it’s Linux under the covers, and EDR agents, you know, to varying degrees of success and efficacy, EDR agents can work on Linux systems. And I think F5 BIG-IP is

Paul Asadoorian (22:50.015): Mm-hmm. Mm-hmm. It’s a good thing. Yeah.

Chase Snyder (23:12.904): CentOS, a CentOS flavor of Linux under the covers. All the major network boxes are. This is something I learned from you, that all the network boxes are Linux, it’s Linux all the way down. But this is the first one that has allowed it, and it’s relatively limited as far as what I’ve seen in the documentation about it, in that there’s only certain versions. It can only go, I think, on the virtual edition.

Paul Asadoorian (23:14.349): Yeah, I think so.

Paul Asadoorian (23:20.377): Mm-hmm.

Paul Asadoorian (23:43.028): Interesting. I didn’t know that.

Chase Snyder (23:44.526): And it’s limited to certain versions that is not all-encompassing. I should double check myself on this, but I’m pretty sure it’s not even all of the versions that were affected by the vulnerabilities that were disclosed as part of the breach. OK, I’m curious about this theory. Can you say it out loud on the pod?

Paul Asadoorian (23:58.722): Yep. I have a theory. I have a theory as to why. Well, because when you support Linux, because we support Linux, right, different Linux distributions will use different kernel versions. And if your defensive software, if you will, has to support that Linux kernel version in the context of like a Linux kernel driver, that means you have to compile your code against that kernel version. And my guess is that CrowdStrike out of the gate probably had agents for this specific kernel version. And it was like, right, we’re running that kernel version on these systems, but not those. And so therefore support is limited, would be my guess.

Chase Snyder (24:47.01): Yeah, yeah, totally. All right, I pulled up the F5 document, Getting Started with Falcon Sensor for BIG-IP, updated October 22nd, so that’s a week ago as of today. And it says, okay, it’s an early access program of Falcon Sensor for BIG-IP, right? And it’s for BIG-IP Virtual Edition 17.1.3 and 17.5.1.3

Paul Asadoorian (24:55.961): Mmm.

Chase Snyder (25:16.062): environments. And it’s got this bullet in there under an important information header that says the EAP Falcon Sensor, EAP meaning early access program, the Falcon Sensor has been tested by CrowdStrike and F5 using a very specific configuration that balances visibility and detection while preserving system availability and performance. As such, you must use the exact configuration described in this document. Using any other configuration is not supported and strongly discouraged. So there’s some hedging language in there.

Paul Asadoorian (25:39.469): Interesting.

Paul Asadoorian (25:43.969): Wow. Strongly discouraged. Strongly discouraged.

Chase Snyder (25:45.76): It’s still credit. Only use as written on the label, as recommended on the label, but still credit to them, because, you know, no other network device company so far has let you put an endpoint agent on there. So it is big. And hopefully, honestly, this creates a sea change in the industry where it’s like, OK, yeah, we let you monitor under the covers of these network devices. Because it’s been, you know, we talk about it all the time, I cite this at every opportunity, the Verizon DBIR report showed an 8x increase in exploitation of vulnerabilities against network edge devices like VPNs and firewalls and routers and switches and such. It is the new battlefront, the network devices, and to not have such a well-established sort of defensive tool as EDR available for those kinds of devices really hamstrings defenders.

Paul Asadoorian (26:47.544): Yeah, you know, some are going to say, well, there’s EDR bypasses. And if the EDR detects something, someone in the IT security team has to notice it and pay attention to it. And therefore, like, why bother? Right. You kind of get some of those objections. I think it’s good. I think if you’re doing something, as long as you’re balancing costs, right, put that aside for a moment. But if you’re doing something to

Chase Snyder (27:05.495): Mm-hmm.

Paul Asadoorian (27:16.256): make an attacker’s life more miserable and increase the work that they have to do, that’s a good thing, right? And also you’re increasing visibility. While they may have a bypass for it, maybe at some juncture, and this happens on Windows systems, the attacker does something that does get caught by an EDR eventually. Now it might be too late, but at least you’ve got an indicator, some kind of warning.

Chase Snyder (27:44.483): Yeah.

Paul Asadoorian (27:44.724): Whereas without EDR, you have none of that. You’re completely blind. So I guess the insight that EDR provides is a good thing, is what I’m saying.

Chase Snyder (27:53.026): Yeah, 100%. And it’s like, you know, lock picks exist, but you don’t use that as excuse not to lock stuff.

Paul Asadoorian (27:59.13): Great analogy, great analogy, absolutely, 100%. So I do hope this is a trend. I like it, and I hope it’s more than just CrowdStrike. There’s some competition in the market, right? I know our product does some pretty deep forensics, if you will, on these devices as well, which is different from EDR. EDR is more about detecting behaviors. We’re more about detecting integrity failures and threats

Chase Snyder (28:03.49): Yeah, one really.

Paul Asadoorian (28:26.361): in the actual binaries that are on the system. So there are some great things happening to help you protect your devices. And I hope people start adopting this, right? Whatever it is, you need, you can’t, I think what we’re coming down to, Chase, is you can’t just drop the Pulp Fiction briefcase in your network and not do anything else in terms of monitoring. We need to monitor it like everything else, like Windows systems, like Linux systems, like macOS systems. Yep.

Chase Snyder (28:55.554): Yeah, gotta look inside.

Paul Asadoorian (29:00.717): So anything else on F5?

Chase Snyder (29:05.357): Yeah, I don’t know. I’ll be curious which industries end up being the most proactive or impacted. I feel like there’s likely gonna be stuff. Any big security threat report comes out, there’s an industry teardown of like, manufacturing is the most targeted industry by cyber attackers, but the cost of a breach is the highest for banks and financial services. There’s all these reports that I love to read that come out every year. And I’ll be really curious how this affects them. That’s always on my mind because we’re coming up to the end of the year. There’s always one or two big things that really skew those reports. Like a couple years ago it was the MOVEit file transfer thing. It just hit everybody, and it changed the shape of every line graph and bar chart and histogram in those reports because it was so widespread.

Paul Asadoorian (29:57.613): I heard from, I think, another podcast that the attackers compromised so many different organizations with the MOVEit breach that they were overwhelmed. Excuse me, yeah.

Chase Snyder (30:06.734): Yeah. It’s like success problem. Oh, no. It’s like I’m drowning in the money hose. The money fire hose is literally knocking me up.

Paul Asadoorian (30:10.754): Yeah. Right? Yeah, it’s nuts. Did you happen to read the about the polar edge back door?

Chase Snyder (30:24.086): No, I didn’t, but I read the show notes about it, so we’re doing it live.

Paul Asadoorian (30:26.336): Yeah, so this comes from Sekoia, I believe, whose research we’ve covered before, right? They wrote it up, they do great work, right? And a lot of times it is malware analysis and vulnerability analysis specific to IoT devices, if you will, or network edge enterprise gear. They did some work on Cisco. What was the campaign they uncovered on Cisco called?

Chase Snyder (30:31.982): Ooh, yeah, okay. Yeah, they do good work.

Paul Asadoorian (30:55.936): It came from the same group. I think it’s an Israeli company. They publish great work. I can’t remember the name. Anyway, Polar Edge is malware that runs on Linux that’s targeting QNAP NAS devices. And they named this the Polar Edge backdoor. So they revealed manipulation of authentication flows, persistence strategies, and network evasion tactics. All things I’m seeing once attackers gain a foothold on these Linux based devices. And it is interesting to me. Well, we have this discussion, do enterprises run things like QNAP storage devices? And we don’t have the answer to all that, right? I know in the federal government, the CISA KEV list will get updated for things that are seemingly consumer based IoT devices, but… As we’ve seen, these devices trickle into your enterprise. But primarily, I think the QNAP NAS is a consumer product. Is that your take on it too, Chase?

Chase Snyder (32:01.794): Yeah, it doesn’t seem super enterprise or industrial. ViciousTrap was the other thing that we talked about that they had covered. But yeah, they’re doing good work. Someone from Sekoia should come on the pod.

Paul Asadoorian (32:06.423): Yep.

Paul Asadoorian (32:12.182): Yeah, absolutely.

Chase Snyder (32:15.726): But yeah, I don’t know. Every time we talk about these things that are more consumer-y than enterprise-y products, we still end up coming back to the fact that tons of consumer-ish, I mean, routers particularly, like SOHO, small office, home office routers, end up being present or connected to enterprise environments. And so the idea that a…

Paul Asadoorian (32:30.808): Mm-hmm.

Chase Snyder (32:44.494): The idea that a non-enterprise-seeming device with a back door like this is somehow not a risk to enterprises is kind of cope.

Paul Asadoorian (32:54.796): Yeah. Cause I think a lot of it could be Skunk Works IT, like, I don’t want to go beg the storage team, cause then I have to file a ticket and that could take a week. And I really need some storage for my project. And I have a corporate credit card and I have Amazon. So I’ll go buy a QNAP device and I’ll plug it in and then I remote access to it. So, I think on the home side, a lot of folks are deploying

Chase Snyder (33:04.76): Mm-hmm.

Paul Asadoorian (33:21.546): these QNAP devices and then exposing them to the internet because, I got files, I need access to my files. How do I get access to my files? Just put it on the internet so that I can get to it, not realizing that so can the entire internet. And I really do believe it’s sometimes not just not realizing what they’re doing in terms of exposure, right? Because there is a certain level of technical sophistication to implement your own VPN in order to do that. So then these devices end up on the internet and they have poor code

Chase Snyder (33:39.243): Mm-hmm.

Paul Asadoorian (33:50.489): quality, just like every other embedded type system, or similar to all the other embedded type systems we’ve talked about on the show. And attackers go, this could be a nice little botnet, right? And a way into some networks, and maybe we’ll get some enterprise networks in there too. So.

Chase Snyder (34:08.696): Yeah, 100%. And it’s also worth noting that it targets a range of vendors too. The Polar Edge, they’ve had a couple articles about Polar Edge, I feel, in the last. No, it looks like they did some private research. This post that we’re talking about right now was originally distributed as private research just to their customers and has since been made public, but they’ve written about it before and talked about

Paul Asadoorian (34:19.884): They have, yeah, it’s not the first time they’ve talked about it. I think this is a,

Chase Snyder (34:38.57): Asus and Synology and Cisco being targeted by this Polar Edge botnet malware.

Paul Asadoorian (34:38.828): Well, yeah. Yeah. Yeah, yeah. So you’re right. I think it did target some Cisco small business devices. So that could also be the target of smaller businesses that aren’t going to go buy enterprise-level grade storage, you know, from Dell EMC, as an example. They’re going to go buy the Synologys and QNAPs of the world. I’ve been guilty of that. I’ve bought the NAS, network

Chase Snyder (34:49.07): Mm-hmm.

Paul Asadoorian (35:07.734): based, or I guess that’s in the name, similar to your analogy earlier, right? Network attached storage. So it’s not a network, and it literally stands for network attached storage. But you need some, a NAS device on your network and you’re like, well, I can’t afford to go spend hundreds of thousands of dollars on it. But you know, for a thousand dollars or less, I can go buy one of these devices, plug it in, I’ve got a couple of terabytes hanging on my network now. And that’s why they’ve grown in popularity over the years. But they’ve been plagued with security issues for some time. And some are better than others.

Chase Snyder (35:42.924): Yeah, I’ve seen in one of the articles about this that this Polar Edge offering is something that’s been marketed as a malware as a service operation and then also has been connected with the Lumma Stealer. I’ve been reading a lot about info stealers. I feel like that’s going to be the big topic in all of the end of year, you know, 2025 H2 reports is info stealers, because that’s just like the new, that’s the

Paul Asadoorian (36:01.476): Yes.

Paul Asadoorian (36:09.623): Yeah, I interviewed someone that did a lot, is doing a lot of research into info stealers. And it’s really an attacker progression kind of thing. How does an attacker monetize? Well, if I can break into a system, there’s a number of things I can do to monetize it. I can do ransomware, very noisy. Almost, some, most of the time a one and done kind of thing, although it does come back. You know, or I can persist like nation state threat actors, like the F5 one, persist and

Chase Snyder (36:19.128): Yeah.

Paul Asadoorian (36:39.477): It’s kind of for a different purpose, maybe not monetarily focused. Or if I get on a system, why can’t I just steal all the information that’s there and then parse through it and then use that to monetize? Then I can sell it. Maybe I can use it to get access to other things to steal more things. Then I can go sell the data that I’m stealing. And that seems to be increasing in popularity.

Chase Snyder (36:53.582): Mm-hmm.

Chase Snyder (37:04.396): Yeah, yeah, totally. It’s the new meta, we talk about. Yeah, the shifting attacker behaviors. And this one is definitely, it’s the business model. They’re like, as a service model. You know, there was ransomware as a service. There’s now this malware and botnet as a service. I think a lot of these infostealers are still just getting initially delivered via basically phishing emails. It’s like a very classic initial vector, but then the actual behavior of it and the business model behind it is evolving and being optimized. I see it as like, have you ever seen that graphic of, I’m going to do a sports analogy, hold onto your hats folks, of where NBA shots are sunk from over the years? If you look back in like the eighties and nineties, people were shooting from all over the place. There’s a lot from the free throw line. It’s kind of all over the map, very scattered. And as you get up to today, it’s like almost a hundred percent of shots are from right behind the three point line. And it’s like the whole sport has become optimized around taking these three point shots. And that’s what it’s like, this refinement of technique that’s happening where it’s like, that’s just.

Paul Asadoorian (38:16.473): Hmm.

Chase Snyder (38:30.838): What works? That’s how you win games the most effectively, I guess. And that’s totally what cyber attackers are looking for and are doing right now, is figuring out, like, where’s the three point line in cyber attacks, where you can shoot, you can hit the shots and just rack up points. It’s like, yeah, phishing email to info stealer, harvest the information, sell it, sell it online. That’s the three pointer. And there’s always a new Steph Curry

Paul Asadoorian (38:31.853): Yeah, right.

Chase Snyder (39:00.558): coming up, of like a combo of the InfoStealer software and then like the distribution network for it.

Paul Asadoorian (39:01.366): Right. Right.

Paul Asadoorian (39:11.641): Did you see the article on creating a two-face Rust binary on Linux? This appears to me to be a really awesome, interesting technique, right? And it was written up by Synacktiv, and I think that it’s one of those things where someone does the research, publishes it, maybe they do a conference talk, and then it takes some time to be adopted into different types of malware. This one was pretty crafty, right?

Chase Snyder (39:17.364): Yeah, saw, yep.

Chase Snyder (39:26.4): Mm-hmm.

Paul Asadoorian (39:40.612): Basically including cryptographic payloads inside of a binary that only execute on a particular system. And it’ll decide that execution path based on deriving keys from the host uniqueness. So it’s encrypting it differently for each binary. So basically the binary is encrypted for each system. And then it has obfuscation to make it really hard for folks like us, and runtime anti-debug, and it chains multiple loaders to even further confuse just how it’s running and executing code. So they have a complete write-up. I thought it was kind of interesting.

Chase Snyder (40:18.796): It’s sort of a next phase, a next evolution in like the polymorphic malware narrative where it’s like there’s early days there was like, this thing changes a little bit of its code or like changes the strings that it renames files as or whatever. So that becomes harder to detect. This thing has so many different factors that it tweaks based on the specific host specifically to make it really hard to.

Paul Asadoorian (40:25.027): Mm-hmm.

Chase Snyder (40:46.254): hard to detect and also to make it operate on the type of host that it wants to operate on.

Paul Asadoorian (40:53.369): Right. And it’s hard to, you know, as a defender or researcher for defense, you got to unpack this and then you have to be creative. How are we going to detect this? You know, do our existing methods detect it? Like we do look for encrypted payloads inside of binaries, which can be suspicious, but can also throw some false positives. There is sometimes a legitimate, I forget the use case, but I remember hearing there are like legitimate binaries that do have that. So.

Chase Snyder (41:03.907): Yeah.

Paul Asadoorian (41:23.243): It’s not the greatest test. So then how do you advance to detect techniques like this, right? Requires a lot of research and you know, now we’re playing catch up basically.

Chase Snyder (41:33.1): Yeah, boy, I’m going to start asking questions that are going to get me a few steps past my level of technical acumen in this area. But I’m curious, from your perspective, how would this kind of thing apply in a firmware binaries type of scenario? And part of why I’m asking is because I was looking at some of our own, you know, firmware analysis and unpacking that we do at Eclypsium, and something that I didn’t realize about firmware is the wide range in the number of binaries that can be inside of a single firmware package. It can be anywhere from like one or two to thousands or tens of thousands, depending on the system. And each one of those is hypothetically, correct me if I’m wrong, but each one of those is hypothetically executable, or it contains configuration information that affects how other things execute. And so to me that seems

Paul Asadoorian (42:11.265): Yes, yes.

Chase Snyder (42:32.405): like a really nice haystack to hide a needle in of something like this. I don’t know how exactly you would get it in there, but, you know.

Paul Asadoorian (42:40.888): Well, you can repack firmware to a certain extent, and that varies, but think of firmware as everything bundled into one, right? So it’s your bootloader, your kernel, and all your file system all bundled into one. And when you build a regular desktop or PC, those are typically different components. They come from various sources, and the installer will take care of a lot of that for you, but… it’s installing everything individually. With firmware, you have one file, and then when you unpack that file, everything is in there. Right. And so that’s how we can put binaries in there. There are a lot of different binaries in different firmware distributions. And that’s why I believe that firmware signature validation is so important. It’s an attack vector that unfortunately is all too common, as I’m finding in security research, that

Chase Snyder (43:15.32): Mm-hmm.

Paul Asadoorian (43:38.425): Not everyone, I mean this is nothing new or novel, but not everyone validates the firmware signatures before they install them. And this is not just an MD5 hash necessarily, I mean it could be, and that does provide a certain degree, whether that’s done automatically or whether that’s left up to the user to go, when you install this firmware, it should have this hash. That’s more for like, did the firmware get corrupt in transit, rather than… actually cryptographically verifying, is this firmware intended to run on here, or has it been backdoored. But unfortunately, there’s so many devices that just don’t have that process to cryptographically verify the firmware. And that offers the luxury of putting binaries in there, binaries such as two-face Rust binaries that are very crafty at hiding themselves and having unique signatures.

Chase Snyder (44:34.03): Yeah. If you suspected that there was a two-faced binary inside of a firmware package that had 10,000 plus different binaries in it, how are you? Yeah. Yeah.

Paul Asadoorian (44:46.295): Yeah. Like, it’s hard. I mean, talk to our product team, because that’s what they do. The engineering team, that’s what they do. And it is difficult. Integrity checking, which is one of my favorite things that we do, helps with this. And going back to F5 as an example, perhaps F5 doesn’t include Go binaries in their distribution, but if a Go binary appears, hmm, that could be suspicious, right? So you can do simple things like that when it comes to firmware, because it is such a tightly controlled environment and you should know from the firmware image what should be in there and what shouldn’t. But there’s a lot of nuance, an art and science in that as well, because there’s things that happen when that firmware is installed that change the behavior and signature potentially of things.

Chase Snyder (45:43.394): Yeah. It’s a tangled web.

Paul Asadoorian (45:47.8): Yeah, for sure. I want to talk a little bit about authentication bypass, it has been on my mind lately. It’s a very dangerous attack vector when I think about it, right? Because I’m working on my favorite authentication bypass vulnerabilities, different ways to discover them. And this Dell Storage Manager one came up. And you know, it gets a CVSS score of 9.8, and it’s a goal. Why? Because an attacker that can bypass authentication completely has access to all the functionalities of that device, independent of other vulnerabilities that might be present. But what I see is this, the analogy that we used to use for our networks, probably still do: the hard and crunchy outside and the soft and chewy center. So many of these devices rely on that authentication to protect from exploitation of vulnerabilities that might require authentication. You see a much lower CVSS score for a vulnerability that requires authentication versus one that does not. However, those vulnerabilities that have a lower score are just one vulnerability away from authentication bypass. So we can bypass authentication. Now all those mediums or whatever, those are all in play. A plethora of them, right? And now, like, your fair kernel version is out of date, that’s in play now. So authentication bypass is something to pay attention to. I think that when new vulnerabilities come out, if they’re in that class, it’s something to pay attention to. So this was CVE-2025-43994. Oh no, I’m sorry, missing authentication, sorry, yeah, sorry.

Chase Snyder (47:37.6): I think it’s two, it’s four, three, nine, nine, four, and four, three, nine, nine, five.

Paul Asadoorian (47:40.442): Five. Yeah, four three nine nine five is missing authentication for critical functions. And you know, that’s the hard part. When you’re doing the web application for the device, that’s your management interface, and in that application it’s deciding what URL endpoints, if you will, require authentication and which ones do not. So there might be some that don’t require authentication. There might be some that’s hidden somewhere in the code that you don’t know about until you go look at that code and go, I think I can get to this, because the way they’re doing authentication, they’re not authenticating that endpoint. So just some tips on discovery, and also kind of the heightened severity that these authentication bypasses carry with them.

Chase Snyder (48:30.67): That’s a super interesting concept, that one new authentication bypass vulnerability coming out can sort of unlock a new risk level for, or even unlock exploitability at all for, a bunch of previously disclosed CVEs. We’ve been talking a little bit recently internally about how many new CVEs get created and just like the huge.

Paul Asadoorian (48:40.931): right.

Chase Snyder (48:57.39): the hockey stick growth in the number of CVEs getting created. It’s easily going to pass 40,000, probably 50,000 or more in 2025, back from, you know, only 20,000 a couple of years ago. And so it’s only going up, and the number of them, you know, if you think about, okay, each one of those has a risk score, right? It’s got a CVSS score, and many of those were assigned based on

Paul Asadoorian (49:00.313): That’s massive, dude.

Chase Snyder (49:26.478): current knowledge about whether there is an auth bypass or authentication sitting in front of it. And I doubt that those get retroactively adjusted when a new. So if an auth bypass comes out, that’s like, if this had already been out at the time that these hundreds of vulns were disclosed, they would have been dubbed highly severe. They would have had a high severity.

Paul Asadoorian (49:36.152): Right.

Paul Asadoorian (49:48.6): Yeah, it’s interesting. There’s nothing, other than doing it manually, that really correlates it. It’s interesting. I’m working on a Python script to enumerate vulnerabilities from the NVD catalog. There, you know, I can search back. I’ve, yeah, I’ll share it, but I’m still working on it. But so I can specify a time frame. So I’m like, search for this term in the past month. But then I’m like, show me if there are any exploits for those

Chase Snyder (49:52.941): No.

Chase Snyder (50:02.878): I want that so bad. I’m excited.

Paul Asadoorian (50:17.795): vulnerabilities. And that requires a call that I built an option for, I vibe coded it. And I haven’t gone through the code manually yet, which is why I said I’m still working on it. But like, you know, go out to GitHub and use the GitHub API to see if there’s any exploits for that CVE. And it was unreliable. And I’m like, that’s weird. Like, why is it unreliable? And a few more prompts later, Claude was like, it is returning a rate limiting error from the GitHub API. Because, to your point, there’s so many CVEs. Even in a shortened time frame, in a shortened search, I was coming up against the GitHub API rate limiting because it had to do so many queries, because there were so many CVEs. And the Linux kernel ones, there’s a plethora of them. And I noticed that too, to back up your point, because if I do string searches, I’ll get Linux kernel CVEs

Chase Snyder (50:49.752): so many.

Chase Snyder (51:12.27): Mm-hmm.

Paul Asadoorian (51:16.619): associated with my search term, which had nothing to do with Linux kernel CVEs, but it’s because a string was in that Linux kernel one. And in the Linux kernel ones, they plop source code or a bunch of text in there, which hits keyword searches on CVEs. If you search for checkpoint, for example, but there’s a function call in the Linux kernel CVE that was fixed that had the word checkpoint in it, then it’s a false positive

Chase Snyder (51:34.008): Hmm.

Paul Asadoorian (51:46.743): for my search. You know, it also speaks to, you know, Linux kernel and WordPress being like the number one and two issuers of CVEs.

Chase Snyder (51:47.534): Hmm.

Chase Snyder (51:59.864): That’s, yeah, man. I was trying to build a graph the other day to show the difference in growth rate between the CISA Known Exploited Vulnerabilities, the KEV that we all know and love and mention on every episode of this podcast, and just the number of CVEs. And the number of, like, the KEV doesn’t, well, particularly now that on CISA.com there’s a little note that’s like, by the way, this website is not being actively maintained, because of current

Paul Asadoorian (52:11.605): Mm-hmm.

Chase Snyder (52:32.503): you know, just as wildly as everything. But the KEV only grows by maybe a couple hundred vulnerabilities every year that are known to be actively exploited. And a tiny percentage of those that are known to be exploited in ransomware campaigns, which, for the amount of air time that ransomware takes up, it all depends on a relatively low number of vulnerabilities. But it’s like, OK, so there’s a huge number of CVEs getting added,

Paul Asadoorian (53:00.3): Mm-hmm.

Chase Snyder (53:06.616): getting created, but relatively few getting added to the Known Exploited Vulnerabilities. I got to imagine at some point that, like with authentication bypassing, there’s going to be some unlock in AI vibe coding of exploits for vulnerabilities. Someone’s going to write a script that’s going to look back at all of those vulnerabilities that are not known exploited yet and figure out how to exploit them very quickly and automatically, and spray and pray and doom. And there’s going to be a whole bunch of those that go from not being actively exploited to being actively exploited pretty quickly. And it kind of feels like there’s just a crack in the dam that’s waiting to break and flood us all with these random, seemingly low risk, or they’re labeled as low risk, but the risk went up because, you know, there’s like a golden path through there where an auth bypass vulnerability raises the risk level of a bunch of those.

Paul Asadoorian (53:55.609): Mm-hmm.

Chase Snyder (54:03.446): And then some sort of AI vibe coding advance creates exploits for a bunch of those all at once. And it’s going to be a wild, wild ride when that happens.

Paul Asadoorian (54:11.16): Yeah.

Paul Asadoorian (54:15.746): Well, the last one we had on here was the Cisco SNMP vulnerability that we wrote about, CVE-2025-20352. And I think we predicted this. We saw this come out. Was this added to the KEV? It has been now, probably as a result of, I think, the Trend Micro research. Was it Trend that did the research on this one?

Chase Snyder (54:20.866): Yeah.

Chase Snyder (54:32.864): It has been now, it was… Yeah.

Chase Snyder (54:38.712): Yeah.

Paul Asadoorian (54:42.53): I think it was, yeah.

Chase Snyder (54:43.148): Yeah, yeah, I was. Yeah, I think the first thing I saw about it was just an article that was like, by the way, two million devices are vulnerable to this SNMP thing, but it wasn’t known to be exploited. And it’s like, well, that’s coming.

Paul Asadoorian (54:53.312): Right. Then I started seeing articles that were like, hey, it’s being exploited. I’m like, really? Like, who has the details on that? And I traced it back to the Trend Micro article. So Trend Micro released some IOCs, really just hashes of some of the files. But some of those file hashes were zip files. So we don’t have the hashes of what’s inside the zip file. However, the toolkit or malware that they’re using, I don’t have all my notes on it, but it’s very detailed. The techniques included fileless persistence, ARP spoofing, traffic manipulation, full log erasure, and creating a backdoor. I think their backdoor password was disco. And so this operation is dubbed Zero Disco, and so if you want to read about it, if you search in Google or your favorite LLM for Zero Disco, it’ll give you some resources on that. But yeah, the capabilities they had in this malware were pretty staggering when I started reading about it. Now, I have been unable to find any public samples of this malware. It’d be nice if we could share those samples. That’d be awesome, because with the samples, then we can do deeper detection.

Chase Snyder (56:15.052): Yeah, they’ve got little screenshots of the malicious SNMP packet and various things. But yeah, there hasn’t been a full release of any samples yet that I’ve seen around. I think you’re more tuned into that than I am, but.

Paul Asadoorian (56:28.6): Yeah, me neither, which is kind of disappointing. But yeah, some amazing techniques, what they were doing. And then you’ve got to read the article. It was pretty good. Do we have a link to that? Yeah, I’ll put a link to the article in the show notes.

Chase Snyder (56:42.574): Which, man, this raises another sort of axe that I have to grind about old… Like, if you look at the KEV, we talked about this. Look at the KEV, the distance, the lag time from when a vulnerability was disclosed, you know, the date that’s in the CVE designation, to when it got added to the KEV. Some of them are short and some of them are many years. And I think there is an under

Paul Asadoorian (57:02.38): Mm-hmm.

Chase Snyder (57:11.438): It is under recognized or under accounted for. The amount of risk that is represented by old vulnerabilities is not priced in enough by organizations, because there’s stuff on there from like 2008 that only got added to the KEV within the past couple of years. And it’s that thing where these old vulnerabilities are just sitting there. They didn’t go away. Like maybe everybody has patched or updated their stuff, but I mean, not everybody. And

Paul Asadoorian (57:20.779): Mm-hmm.

Paul Asadoorian (57:25.975): Right.

Paul Asadoorian (57:38.456): Yeah, right. Those that have, but if you go back to 2008, though, those that were going to patch have patched. That’s kind of the theory we have, is that what’s left out there are people that just aren’t going to patch, right, for whatever reason.

Chase Snyder (57:44.172): Yeah, exactly.

Chase Snyder (57:50.764): Yeah. Yeah. And if all of those vulnerabilities all of a sudden become actively exploited or exploitable, you know, some sort of little bottleneck to exploiting them programmatically gets opened up, like the auth bypass thing, or just someone develops an exploit.

Paul Asadoorian (57:57.56): Yeah, then you’re in it.

Paul Asadoorian (58:04.449): Right. In vulnerability management, there was something to be said for how old the vulnerabilities are that are being discovered. Because if it’s missing a patch from 2008, it’s likely also missing all the patches that came out after 2008. And now, not only do you have a ripe attack surface for a threat actor, but now you’ve got a lot of work to do. You’ve got a lot of technical debt. If the patches are old enough,

Chase Snyder (58:21.902): Uh-huh.

Paul Asadoorian (58:33.431): to go back to your example of 2008, maybe that device isn’t even supported anymore and it’s end of life. And even if it’s still supported, if you’re that far behind, getting up to the latest is so much more work than if you were to break that work up into smaller chunks. I use the DevOps analogy all the time with respect to vulnerability and patch management, that you have to break it up into smaller chunks and

Chase Snyder (58:38.722): Yeah, highly likely.

Paul Asadoorian (58:58.313): do the work as you go, otherwise you’re going to incur too much technical debt, and then you’re not going to be able to catch up easily. And you’re not going to be resilient. So

Chase Snyder (59:07.758): Yeah, one thing I found when I was working more in the area of industrial control systems and operational technology is that there’s a lot of environments out there that historically were supposed to be air gapped, or they consider themselves air gapped. And the whole concept of air gapped systems has been super eroded over the past two decades or so, to where it used to be, yeah, systems could be

Paul Asadoorian (59:23.577): Yeah.

Chase Snyder (59:35.758): pretty much air-gapped and not have any external network connectivity. And then gradually, vendors who were providing critical operational systems were like, we have to, you can’t buy this product that goes in your manufacturing line or your offshore oil rig or whatever. You’re not allowed to buy it without buying a support contract from us, because we’re the ones that know how to maintain it. And if it goes out on you, stops working or whatever, you’re not gonna be able to fix it.

Paul Asadoorian (59:54.201): Mm-hmm.

Chase Snyder (01:00:04.246): And we’re not going to take the liability for that. So you have to buy a support contract. And in order for us to be able to execute on that support contract, you have to allow us remote access, because you can’t chopper us out to the offshore oil rig every time you update. So there have gradually snuck in all this network connectivity and these back doors, you know, manufacturer, vendor, service provider back doors, that mean that environments that used to be required to be air gapped, or considered to be air gapped, just aren’t anymore. And they would use that as an excuse, or as a reason, to not update stuff. They’re like, yeah, it’s OK to keep this thing around. It would be too costly and too difficult to update off this Windows 7 box that we have controlling this critical machinery. And it’s air gapped. You know, you can’t. And it’s just not anymore. And so I feel like, at that sort of age of exploits, there’s a whole really critical infrastructure attack surface that’s at significant risk that still has that kind of air gap mindset, even though it’s not true in practicality anymore.

Paul Asadoorian (01:01:12.183): Sure. Well, Chase, thank you very much for coming on the show today. Thank you, everyone, for listening, watching this edition of Eclypsium’s Below the Surface. We’ll see you next time.