1 00:00:00,043 --> 00:00:03,643 Cybersecurity today, we'd like to thank Meter for their support in bringing you. 2 00:00:03,643 --> 00:00:09,433 This podcast Meter delivers a complete networking stack, wired, wireless and 3 00:00:09,433 --> 00:00:14,473 cellular in one integrated solution that's built for performance and scale. 4 00:00:14,713 --> 00:00:18,148 You can find them at meter.com/cst. 5 00:00:19,431 --> 00:00:23,541 We've got an interview for you this week following up on an interesting story about 6 00:00:23,541 --> 00:00:26,331 a malware that was authored by an ai. 7 00:00:26,781 --> 00:00:30,021 It certainly wasn't the first malware that's been written using 8 00:00:30,021 --> 00:00:32,751 ai, but it was a little different. 9 00:00:33,471 --> 00:00:37,011 Now, just to refresh your memory, here's the story I did. 10 00:00:37,491 --> 00:00:38,841 It's only a couple of minutes long. 11 00:00:40,896 --> 00:00:41,376 Void. 12 00:00:41,376 --> 00:00:45,606 Link appears to be one of the first clearly documented cases of 13 00:00:45,606 --> 00:00:51,786 advanced malware authored almost entirely by artificial intelligence. 14 00:00:52,686 --> 00:00:53,826 Checkpoint says void. 15 00:00:53,826 --> 00:00:58,236 Link represents a break from earlier example of AI assisted malware, which 16 00:00:58,236 --> 00:01:03,096 were usually tied to inexperienced threat actors, or simple rewrites 17 00:01:03,216 --> 00:01:05,526 of existing open source tools. 18 00:01:05,916 --> 00:01:07,626 In contrast, they say void. 19 00:01:07,626 --> 00:01:12,306 Link shows evidence of structured engineering, including documented 20 00:01:12,486 --> 00:01:18,606 development sprints and coding guidelines suggesting deliberate disciplined design 21 00:01:18,786 --> 00:01:20,581 rather than simple experimentation. 22 00:01:21,286 --> 00:01:25,306 what makes this discovery unusual is how early it happened. 23 00:01:25,846 --> 00:01:30,766 Researchers believe they caught Void Link largely by chance after a compiled 24 00:01:30,766 --> 00:01:33,466 test version was uploaded to virus. 25 00:01:33,466 --> 00:01:39,286 Total, very early in development, One recovered artifact timestamped. 26 00:01:39,286 --> 00:01:43,936 December four, roughly a week after the project appears to have begun, 27 00:01:44,206 --> 00:01:50,896 shows the framework already functional with more than 88,000 lines of code, 28 00:01:51,736 --> 00:01:55,876 That early submission gave the defenders a rare look inside the project. 29 00:01:55,876 --> 00:02:01,486 That likely would've been far harder to analyze once it was fully operational. 30 00:02:02,776 --> 00:02:06,466 Checkpoint notes that while the project was presented as a 30 week engineering 31 00:02:06,466 --> 00:02:10,636 effort, the available evidence suggests it was built much faster. 32 00:02:10,846 --> 00:02:16,006 Highlighting how AI can dramatically compress development timelines for even 33 00:02:16,006 --> 00:02:21,676 complex malware, and despite the listings of various teams in the documents, it's 34 00:02:21,676 --> 00:02:25,876 quite likely according to Checkpoint, that this was actually done with 35 00:02:25,876 --> 00:02:29,656 AI and perhaps a single individual. 36 00:02:30,616 --> 00:02:32,746 So the concern isn't just speed. 37 00:02:33,556 --> 00:02:36,676 It's also originality and technical innovation. 38 00:02:37,156 --> 00:02:39,646 This wasn't a remix of known tools. 39 00:02:39,766 --> 00:02:42,946 It was a custom framework produced that scale. 40 00:02:44,341 --> 00:02:48,481 This doesn't mean that AI written malware is suddenly everywhere, but Void. 41 00:02:48,481 --> 00:02:54,301 Link shows what happens when capable developers use AI as a force multiplier, 42 00:02:54,541 --> 00:03:00,331 shrinking the time between concept and deployment, and leaving defenders with far 43 00:03:00,331 --> 00:03:02,761 less warning than they might be used to. 44 00:03:03,481 --> 00:03:06,151 we put a link to the checkpoint paper in our show notes. 45 00:03:06,241 --> 00:03:11,521 Check tech newsday.com or do ca under podcasts, and we've reached out 46 00:03:11,521 --> 00:03:15,391 to Checkpoint to see if we can get an interview for our weekend show. 47 00:03:16,171 --> 00:03:20,911 And thanks to a very responsive PR person at Checkpoint, I was able to 48 00:03:20,911 --> 00:03:24,631 get an interview with the researcher who found the malware and the head of 49 00:03:24,631 --> 00:03:28,021 the team, because as you'll find out, this is pretty much a team effort, 50 00:03:28,381 --> 00:03:32,611 it not only gives you some deeper insight into the story, but I think 51 00:03:32,641 --> 00:03:37,446 it might give you an idea of how some of this type of research is done. 52 00:03:38,791 --> 00:03:43,651 My guests are Pedro Dremmel, who heads the cyber crime research 53 00:03:43,651 --> 00:03:49,711 team at Checkpoint and Ro, who is a security researcher based in Vienna. 54 00:03:50,071 --> 00:03:53,191 Sven is on Pedro's team and did the initial research. 55 00:03:53,401 --> 00:03:56,521 I reached them on Friday morning, my time, which is late 56 00:03:56,521 --> 00:03:58,351 afternoon for them on Friday. 57 00:03:58,621 --> 00:04:02,311 Thanks for sticking around guys, and we'll jump into the discussion. 58 00:04:05,081 --> 00:04:09,521 My name is Pedro Dral and I'm, team leader at the best research team at Checkpoint. 59 00:04:09,581 --> 00:04:13,221 we call ourselves the Cybercrime Research Team, which is Venice part of. 60 00:04:13,221 --> 00:04:15,821 And, we basically, track, emerging threads. 61 00:04:15,821 --> 00:04:19,491 We try to find, new potentially unknown threads, that we 62 00:04:19,491 --> 00:04:20,791 can learn for that we can. 63 00:04:21,381 --> 00:04:25,401 Better provide protections to our customers and also through, our 64 00:04:25,401 --> 00:04:29,451 research community, via our blog and also at, security conferences. 65 00:04:30,621 --> 00:04:30,921 Great. 66 00:04:32,796 --> 00:04:33,936 What's your role at Checkpoint? 67 00:04:34,306 --> 00:04:34,546 sure. 68 00:04:34,546 --> 00:04:34,756 Yeah. 69 00:04:34,756 --> 00:04:36,826 I'm a security researcher at Checkpoint. 70 00:04:36,826 --> 00:04:40,826 I joined just a few months ago, before I've been working on offensive security. 71 00:04:41,066 --> 00:04:44,906 So I've seen, I've written malware, I've used malware, and I'm on the other side. 72 00:04:44,906 --> 00:04:48,686 I'm hunting malware and I don't emulate for actors anymore. 73 00:04:48,736 --> 00:04:49,786 I hunt for them basically. 74 00:04:50,651 --> 00:04:51,881 I can't let you get away with that. 75 00:04:51,891 --> 00:04:54,351 you used malware, now you're hunting malware. 76 00:04:54,351 --> 00:04:55,281 Tell me more about that. 77 00:04:55,821 --> 00:04:59,871 Yeah, so before doing the security research of Fred Research at Checkpoint, 78 00:05:00,181 --> 00:05:02,011 I was doing pen testing and red teaming. 79 00:05:02,161 --> 00:05:04,841 So essentially, yeah, emulating the bad guys. 80 00:05:04,921 --> 00:05:07,441 and we, of course, we wrote a lot of malware because we have to 81 00:05:07,441 --> 00:05:09,051 simulate what the Fred actors do. 82 00:05:09,511 --> 00:05:12,221 so I, I know both sides, of the spectrum. 83 00:05:13,361 --> 00:05:14,201 It's an interesting thing. 84 00:05:14,201 --> 00:05:18,461 I have other friends who are researchers and they say the same thing and one 85 00:05:18,461 --> 00:05:22,421 of them was talking about you can, and it's, she's not going to, but 86 00:05:22,451 --> 00:05:25,631 you can almost get sucked into the mentality because you have to start 87 00:05:25,631 --> 00:05:28,421 to think like they do to do research. 88 00:05:28,471 --> 00:05:28,891 that fair? 89 00:05:28,891 --> 00:05:29,761 Is that a fair comment? 90 00:05:30,421 --> 00:05:31,321 I would say so, yeah. 91 00:05:32,101 --> 00:05:34,421 It definitely helps to know how the other side looks like. 92 00:05:36,161 --> 00:05:36,311 Yeah. 93 00:05:36,881 --> 00:05:38,591 Pedro, somebody told me you were with. 94 00:05:39,071 --> 00:05:40,121 Blackberry at one point. 95 00:05:40,121 --> 00:05:41,561 you've had a fairly long career. 96 00:05:41,561 --> 00:05:41,681 I was. 97 00:05:41,831 --> 00:05:42,551 Exactly. 98 00:05:42,551 --> 00:05:42,821 Yeah. 99 00:05:42,821 --> 00:05:46,151 I was, I even, was part of the Blackberry security team when 100 00:05:46,151 --> 00:05:47,961 they use it to sell, cell phones. 101 00:05:47,971 --> 00:05:52,211 initially it was, mal analysts at the, Blackberry Security search team. 102 00:05:52,241 --> 00:05:56,231 So basically analyzing potentially mware uploaded to the Blackberry store. 103 00:05:56,811 --> 00:05:58,701 when it was introduced to Blackberry 10? 104 00:05:58,851 --> 00:06:02,811 Not sure if you remember, like earlier around 2012. 105 00:06:02,811 --> 00:06:03,231 Remember? 106 00:06:03,231 --> 00:06:03,621 I remember it thoroughly. 107 00:06:03,841 --> 00:06:05,931 I did a lot of work with Blackberry myself. 108 00:06:05,961 --> 00:06:06,321 Yeah. 109 00:06:06,371 --> 00:06:09,701 it was, we had some, it was an amazing team we had out there. 110 00:06:09,701 --> 00:06:10,401 It was really good. 111 00:06:10,401 --> 00:06:13,911 and later also rejoined when Blackberry hired Silence, which 112 00:06:13,911 --> 00:06:17,091 was a, And AV engine sort of thing. 113 00:06:17,571 --> 00:06:19,341 but that was, the research was different. 114 00:06:19,341 --> 00:06:23,181 It's pretty, pretty similar to, to, to the research we currently conduct here, 115 00:06:23,181 --> 00:06:25,466 which is more understanding the landscape. 116 00:06:25,466 --> 00:06:28,926 So in a nutshell, but initially, yeah, my first time was as a 117 00:06:28,926 --> 00:06:30,216 MO analyst, so pretty much. 118 00:06:31,211 --> 00:06:36,791 We, evaluated apps submitted to the Blackberry store, trying to find signs 119 00:06:36,791 --> 00:06:42,401 of malicious activities, any sort of malware or any app that was, behaving, 120 00:06:42,771 --> 00:06:47,111 in a way that was unintended for privacy reasons, for example, leaking your phone 121 00:06:47,111 --> 00:06:49,181 number, your contacts and stuff like that. 122 00:06:49,601 --> 00:06:53,501 So it's a bit a mix of looking for signs of malicious activity and also privacy 123 00:06:53,501 --> 00:06:55,691 related concerns on the Black Bear store. 124 00:06:55,831 --> 00:06:55,891 I 125 00:06:56,611 --> 00:06:59,351 gotta bring you back and talk about apps at one point, but let's 126 00:06:59,351 --> 00:07:01,271 talk about Void Link right now. 127 00:07:01,511 --> 00:07:04,901 But before we, we get dive into Void Link and I do wanna do that. 128 00:07:05,921 --> 00:07:11,471 I can you share with our audience what your job is like, what you know, 129 00:07:11,471 --> 00:07:14,011 what you do in this research area. 130 00:07:15,761 --> 00:07:20,831 it's very creative and I don't think there's a definite answer to that because 131 00:07:20,831 --> 00:07:22,481 every researcher has their own style. 132 00:07:23,141 --> 00:07:28,271 so essentially the goal of my role is to find interesting campaigns, 133 00:07:28,271 --> 00:07:31,761 interesting malwares, interesting stories, so to speak, in the cyber 134 00:07:31,761 --> 00:07:33,981 crime ecosystem, and then analyze them. 135 00:07:35,241 --> 00:07:39,751 easily with like in the technical analysis, into it, and then, wrap it 136 00:07:39,751 --> 00:07:43,431 up in an article that is potentially interesting, for the community to read. 137 00:07:43,911 --> 00:07:47,221 this of course has the byproduct of improving our products, right? 138 00:07:47,221 --> 00:07:50,251 Because Checkpoint also does detection products and so on. 139 00:07:50,821 --> 00:07:53,601 but mainly it's about, finding new interesting campaigns in 140 00:07:53,601 --> 00:07:55,341 new malware and how to do. 141 00:07:56,916 --> 00:08:00,886 Completely, undefined so everybody can do what they want, so to speak. 142 00:08:01,156 --> 00:08:04,526 the classic way would be to use, something like virus total, right? 143 00:08:04,526 --> 00:08:09,716 Which is like a crowdsource repository of, or a feed of malware where everybody 144 00:08:09,716 --> 00:08:11,576 can submit malware and you can. 145 00:08:12,016 --> 00:08:15,256 You can filter these samples and you can look for interesting samples, 146 00:08:15,256 --> 00:08:18,196 depending on some capabilities of the binary or whatever. 147 00:08:18,616 --> 00:08:20,296 and then hope to find something interesting. 148 00:08:20,626 --> 00:08:22,216 But you can also, for example. 149 00:08:23,256 --> 00:08:26,016 look for ways that Fred actors could distribute Myra, right? 150 00:08:26,106 --> 00:08:31,086 Because recently we looked at, the YouTube Ghost Network, which was a network of 151 00:08:31,086 --> 00:08:35,606 compromised YouTube accounts and these YouTube accounts uploaded videos with Lu 152 00:08:36,116 --> 00:08:40,166 to, to fake installers for software, for example, a correct Photoshop version, 153 00:08:40,166 --> 00:08:41,726 free download, Photoshop, and so on. 154 00:08:42,026 --> 00:08:45,326 And this would be another approach to find a malware campaign, uncover 155 00:08:45,326 --> 00:08:48,056 the actors behind it, uncover the malware behind it, and so on. 156 00:08:48,146 --> 00:08:50,876 But, yeah, the possibilities are really endless and it's 157 00:08:50,876 --> 00:08:52,216 what's, so fun about this job. 158 00:08:53,386 --> 00:08:55,996 We covered that, and I'll go back to my reminder to anybody 159 00:08:56,056 --> 00:08:57,586 or to our security audiences. 160 00:08:57,956 --> 00:09:03,146 you have to reinforce the people that they don't find their software on YouTube. 161 00:09:04,226 --> 00:09:07,916 They can research it there, but for God's sakes, don't download it. 162 00:09:08,456 --> 00:09:11,756 Yeah, you can read our article then, what's, what's expected. 163 00:09:11,846 --> 00:09:15,686 And I can second the van's opinion on this because every researcher 164 00:09:15,686 --> 00:09:17,596 we have, it's ultimately today. 165 00:09:18,096 --> 00:09:23,106 Most interest area they have a passion for, and that's why they usually 166 00:09:23,106 --> 00:09:24,606 find the most interesting stuff. 167 00:09:24,936 --> 00:09:29,806 So we of course, try to use similar systems and similar tools and everything, 168 00:09:30,106 --> 00:09:34,856 but at the end of the day, the researcher passion and, the way they 169 00:09:34,856 --> 00:09:40,196 think about a given specific topic is what ultimately matters to finding, 170 00:09:40,256 --> 00:09:41,816 these new stories, these new tools. 171 00:09:42,621 --> 00:09:45,741 And the reason I wanted to say that is, and I've had a long history. 172 00:09:45,741 --> 00:09:47,301 I know the people at Checkpoint very well. 173 00:09:47,471 --> 00:09:52,731 and so I'm not, but our audience is the most suspicious about vendors. 174 00:09:52,791 --> 00:09:53,421 They always are. 175 00:09:53,421 --> 00:09:54,171 They always will be. 176 00:09:54,171 --> 00:09:56,211 That's just the way it's going to be, but. 177 00:09:56,266 --> 00:10:00,436 The research areas are largely independent in my understanding and 178 00:10:00,436 --> 00:10:04,966 produce the research, yes, to improve the product, but also to inform the public. 179 00:10:04,966 --> 00:10:07,416 And so I think, we want to enter it with that piece. 180 00:10:07,446 --> 00:10:10,796 now if it happens to be that makes your product better good for everybody. 181 00:10:10,936 --> 00:10:15,116 , and the reason I've prepped this so much is because it is a pretty bold 182 00:10:15,116 --> 00:10:19,546 claim to say that that the era of advanced AI generated malware has begun. 183 00:10:19,696 --> 00:10:23,296 That title got me, and then I started to dig, I went, these 184 00:10:23,296 --> 00:10:27,001 guys might be right, and I've been following this for quite some time. 185 00:10:27,751 --> 00:10:30,181 Can you tell me what Void Link is, first of all? 186 00:10:30,231 --> 00:10:31,491 and then we'll jump from there. 187 00:10:31,996 --> 00:10:32,776 Yeah, sure. 188 00:10:32,936 --> 00:10:35,616 so Void Link is, a Linux malware. 189 00:10:36,366 --> 00:10:39,636 So maybe I can tell the story how I found it because it's also funny. 190 00:10:39,636 --> 00:10:40,086 That'd be great. 191 00:10:40,546 --> 00:10:44,716 so essentially I was doing what I said earlier, I was looking on virus total. 192 00:10:44,766 --> 00:10:48,546 Through various, hunting route, looking for suspicious binaries. 193 00:10:48,786 --> 00:10:52,386 And my goal that I set myself was to find some interesting in no malware 194 00:10:52,386 --> 00:10:54,566 because, most malware is based on Windows. 195 00:10:54,926 --> 00:10:58,246 Linux has a little bit less of a share in the malware ecosystem. 196 00:10:58,586 --> 00:11:00,956 but it doesn't mean that there's no interest in Linux malware. 197 00:11:01,226 --> 00:11:05,206 So I set up for the Quest to basically find something interesting, and then. 198 00:11:05,386 --> 00:11:09,376 I had a rule which was looking for like root kit components and there 199 00:11:09,376 --> 00:11:11,446 were a few samples coming in each day. 200 00:11:11,446 --> 00:11:12,406 I was looking at them. 201 00:11:12,896 --> 00:11:16,136 and mostly it's just like open source malware compiled 202 00:11:16,136 --> 00:11:17,696 and uploaded to Vivir total. 203 00:11:17,936 --> 00:11:21,356 So it was not interesting, but this one binary stood out, which was the 204 00:11:21,356 --> 00:11:24,626 voiding binary, and there were a few things that were special about. 205 00:11:25,446 --> 00:11:28,836 So the first thing was it was written in a very unorthodox programming 206 00:11:28,836 --> 00:11:32,946 language, which is Zig, it's like a rather new systems programming language. 207 00:11:33,156 --> 00:11:36,246 this was the first thing that popped out to me because it was very unusual. 208 00:11:36,756 --> 00:11:39,036 And then I, decided to analyze it further. 209 00:11:39,276 --> 00:11:40,986 And it had the really big feature set. 210 00:11:40,986 --> 00:11:43,326 Like it had loads of different modules. 211 00:11:43,381 --> 00:11:47,166 It had the plugin system, it had a development, API for plugins. 212 00:11:47,166 --> 00:11:50,076 It was very modular, it was very well engineered. 213 00:11:50,496 --> 00:11:54,756 And also it had this Cloud and container focused that you very rarely see. 214 00:11:54,756 --> 00:11:59,046 So it had like modules for enumerating, different cloud providers for moving 215 00:11:59,106 --> 00:12:00,936 laterally in container ecosystems. 216 00:12:01,116 --> 00:12:05,736 and in addition to that, it had multiple root kits, like not one root kit, but 217 00:12:05,796 --> 00:12:07,946 multiple root grids, integrated into it. 218 00:12:08,886 --> 00:12:11,976 It had a focus on EDR detection and EDR evasion. 219 00:12:11,976 --> 00:12:14,826 And now that might not be special if you're talking on Windows malware. 220 00:12:15,216 --> 00:12:20,166 But on Linux, the EDR ecosystem is not as sophisticated as it is on Windows and it's 221 00:12:20,556 --> 00:12:24,996 not as prevalent to find EDRs on Linux systems, especially container systems. 222 00:12:25,326 --> 00:12:26,736 So this was also very special. 223 00:12:26,736 --> 00:12:29,406 Like this malware was engineered specifically to 224 00:12:29,406 --> 00:12:31,836 evade security products on ux. 225 00:12:31,936 --> 00:12:34,366 All these components together were like, very special. 226 00:12:34,846 --> 00:12:38,476 and you can say there's nothing really groundbreaking, like there's 227 00:12:38,476 --> 00:12:42,916 not a new technique, in this whole framework, but it's just very well 228 00:12:42,916 --> 00:12:46,696 engineered and, it has a lots of features and that's what stood out. 229 00:12:46,996 --> 00:12:50,791 yeah, and the part of the cloud as well was something that stood out right then 230 00:12:50,941 --> 00:12:55,501 where it's not very common, even on the Windows side, especially because 231 00:12:55,981 --> 00:13:00,441 then it would, target potentially software developers that, that use 232 00:13:00,441 --> 00:13:04,581 their, development, environment on a daily basis, which could lead to 233 00:13:04,581 --> 00:13:06,051 potentially more interesting attacks. 234 00:13:06,411 --> 00:13:07,866 So the victims was also. 235 00:13:08,286 --> 00:13:11,856 More widespread and we didn't really know which victim could 236 00:13:11,856 --> 00:13:13,296 be at our first analysis. 237 00:13:13,296 --> 00:13:13,506 Right? 238 00:13:14,286 --> 00:13:15,306 Yeah, exactly. 239 00:13:16,096 --> 00:13:19,066 , If you found it, there's evidence that people are trying to use it. 240 00:13:19,366 --> 00:13:20,476 is that fair? 241 00:13:20,876 --> 00:13:22,766 it's not really clear because. 242 00:13:23,156 --> 00:13:26,546 Oftentimes you find malware developers uploading binaries to various 243 00:13:26,546 --> 00:13:30,266 total, because various total also shows this, this statistic, how 244 00:13:30,266 --> 00:13:32,126 many engines detected in malware. 245 00:13:32,126 --> 00:13:34,676 So it's a classic way you're writing a malware, you're 246 00:13:34,676 --> 00:13:35,966 uploading it to various total. 247 00:13:36,236 --> 00:13:40,436 It has five detections out of, I don't know, 40 engines. 248 00:13:40,826 --> 00:13:43,996 and then you as a developer, okay, I have to refine this because I want 249 00:13:43,996 --> 00:13:47,856 zero detections, or, the product that I want to detect doesn't detect it. 250 00:13:48,306 --> 00:13:49,386 According to the scanner. 251 00:13:49,386 --> 00:13:50,076 So it's fine. 252 00:13:50,256 --> 00:13:52,596 So you, it doesn't mean it was found in the wild. 253 00:13:52,596 --> 00:13:53,946 It could at well be, yeah. 254 00:13:54,006 --> 00:13:56,376 That the developer himself or herself uploaded it. 255 00:13:57,306 --> 00:14:01,741 So you found a piece that developers were working on and they're testing it out 256 00:14:01,741 --> 00:14:03,811 to see using virus total to test it out. 257 00:14:04,801 --> 00:14:07,186 likely you, we, you don't know, right? 258 00:14:07,396 --> 00:14:10,336 It could be somebody found it on the internet, somebody was 259 00:14:10,336 --> 00:14:11,926 infected, could also be possible. 260 00:14:12,346 --> 00:14:13,246 You don't know, but. 261 00:14:14,521 --> 00:14:16,651 At the same time, it doesn't mean somebody was infected. 262 00:14:16,651 --> 00:14:17,731 Ven and virus Total. 263 00:14:18,091 --> 00:14:18,181 Yeah. 264 00:14:18,261 --> 00:14:18,291 okay. 265 00:14:18,291 --> 00:14:19,551 It could be coming from anywhere. 266 00:14:20,391 --> 00:14:24,531 So how did you know it was, you've, and we've said this 267 00:14:24,531 --> 00:14:25,971 before, it was sophisticated. 268 00:14:26,071 --> 00:14:29,521 It had a number of modules, had a lot of functions that it could do. 269 00:14:29,821 --> 00:14:33,481 It had a, a real architecture to it. 270 00:14:33,481 --> 00:14:34,411 And I can't, I. 271 00:14:40,636 --> 00:14:42,336 Display of its architecture. 272 00:14:42,336 --> 00:14:43,416 It's pretty sophisticated. 273 00:14:43,626 --> 00:14:45,151 How did you know it was AI generated? 274 00:14:46,236 --> 00:14:48,456 Yeah, that's where the funny part of the story comes in. 275 00:14:48,556 --> 00:14:52,886 so I felt the malware, it had a string, like it's a piece of text in it, which 276 00:14:52,886 --> 00:14:55,646 said void link implant core version 3.0. 277 00:14:55,946 --> 00:14:59,156 So this was suggesting to me, okay, version 3.0, this 278 00:14:59,156 --> 00:15:00,536 is sophisticated framework. 279 00:15:00,746 --> 00:15:01,616 It's a big framework. 280 00:15:01,616 --> 00:15:04,496 It's already in deferred iteration, and I've never heard about it before. 281 00:15:04,826 --> 00:15:08,256 I'm onto something big, I was, analyzing it, so I was writing down 282 00:15:08,256 --> 00:15:10,086 my notes for the technical analysis. 283 00:15:10,506 --> 00:15:14,736 And at the same time, also because in the malware, usually you have. 284 00:15:15,271 --> 00:15:17,971 Baked in the IP of a commander control server, right? 285 00:15:17,971 --> 00:15:22,111 The server connects back to, so I was also looking at the server and you could 286 00:15:22,111 --> 00:15:24,001 pull the new versions from it basically. 287 00:15:24,451 --> 00:15:28,021 so I pulled up new versions and it had even more features than yesterday, 288 00:15:28,081 --> 00:15:31,321 and I analyzed this and I could barely keep up because the next day 289 00:15:31,321 --> 00:15:32,911 they implemented even more features. 290 00:15:33,281 --> 00:15:36,851 so I was bled like how fast they can actually develop this thing. 291 00:15:37,421 --> 00:15:40,411 Then I gave the IP to our, threat intelligence team, and I said, 292 00:15:40,411 --> 00:15:41,791 Hey, can you please monitor this? 293 00:15:41,941 --> 00:15:44,911 Because I'm going on Christmas vacation now, and I was two 294 00:15:44,911 --> 00:15:46,261 weeks on Christmas vacation. 295 00:15:46,261 --> 00:15:51,361 I was like, ah, man, I hope no one publishes about this before we do this. 296 00:15:51,361 --> 00:15:52,141 Really interesting. 297 00:15:52,141 --> 00:15:53,641 I couldn't wait to get back to work. 298 00:15:54,031 --> 00:15:58,921 And then I got back to work and basically our threat intelligence team 299 00:15:58,921 --> 00:16:02,911 was like, Hey man, glad you're back because we have, Access to the panel. 300 00:16:02,911 --> 00:16:05,671 So the command and control panel that, the actors would use. 301 00:16:05,911 --> 00:16:07,021 We have the source code. 302 00:16:07,081 --> 00:16:11,651 We have 37 plugins downloaded, and we have the documentation for the framework. 303 00:16:11,751 --> 00:16:15,621 because the threat actor or the developer of avoid linked editor, 304 00:16:15,981 --> 00:16:17,451 very big mistake, which was. 305 00:16:18,036 --> 00:16:21,766 For a small window in time, they had, their server open unauthenticated, 306 00:16:22,126 --> 00:16:25,456 so you could access the web panel where you would, administer void link. 307 00:16:25,966 --> 00:16:29,746 And they also had the misconfiguration in their server, which is called an 308 00:16:29,746 --> 00:16:34,096 open directory, which essentially just means you could list all the files 309 00:16:34,096 --> 00:16:35,326 on that server and download them. 310 00:16:35,686 --> 00:16:38,776 And in there was the source code, there was the documentation, the 311 00:16:38,776 --> 00:16:40,036 plugins, and basically everything. 312 00:16:40,966 --> 00:16:43,846 From this documentation to come back to your original question, 313 00:16:43,846 --> 00:16:45,596 we could infer that it was, yeah. 314 00:16:45,746 --> 00:16:47,336 In fact, completely written by ai. 315 00:16:48,606 --> 00:16:51,546 and part of what I was reading through your paper, you said that it looked, 316 00:16:51,726 --> 00:16:57,456 it had all of these different teams and all of these different stages and stages 317 00:16:57,456 --> 00:17:01,896 of development, but basically had done this work in next to no time at all. 318 00:17:01,896 --> 00:17:04,696 So it became obvious that it was AI developed. 319 00:17:05,236 --> 00:17:09,106 And do you have an idea of how many developers they have working on it? 320 00:17:09,886 --> 00:17:12,796 We're pretty much sure that it's one developer. 321 00:17:13,706 --> 00:17:14,846 and that's the crazy thing. 322 00:17:15,026 --> 00:17:18,866 we initially, we were like, we read the documentation where it says 323 00:17:18,866 --> 00:17:20,456 there's three teams working on this. 324 00:17:20,706 --> 00:17:24,666 and it's like in sprints, like sprint one, implement this and that week 325 00:17:24,666 --> 00:17:26,376 10, implement this and that feature. 326 00:17:26,556 --> 00:17:28,446 So this is all very thoroughly documented. 327 00:17:28,446 --> 00:17:32,166 So we fell into the trap and we thought, oh, this is like a team of developers. 328 00:17:32,526 --> 00:17:35,916 But then we realized the timeline in this documentation doesn't. 329 00:17:36,801 --> 00:17:40,881 Match the extra development pace at all because I pulled the binaries and 330 00:17:40,931 --> 00:17:44,261 they were moving much quicker than it was implied in this documentation. 331 00:17:45,251 --> 00:17:46,661 So something weird was going on. 332 00:17:47,261 --> 00:17:47,481 and then. 333 00:17:48,266 --> 00:17:54,026 Essentially we found out that this documentation was just the documentation 334 00:17:54,026 --> 00:17:57,086 that the developer gave to an AI agent. 335 00:17:57,416 --> 00:18:00,386 And this AI agent is then simulating these teams. 336 00:18:00,476 --> 00:18:03,756 So basically, running through the documentation and implementing 337 00:18:03,756 --> 00:18:06,546 the framework by itself according to the specifications. 338 00:18:07,146 --> 00:18:09,576 This is known as spec driven development. 339 00:18:09,626 --> 00:18:13,736 it's a software development methodology and it's basically how 340 00:18:14,036 --> 00:18:15,686 modern software development works. 341 00:18:16,226 --> 00:18:20,096 but yeah, looking at the timestamps, we then realized this whole thing 342 00:18:20,096 --> 00:18:21,446 has been written in six days. 343 00:18:22,246 --> 00:18:22,396 So 344 00:18:22,396 --> 00:18:26,356 what you're saying is one of the thing, and as a former development guy myself, 345 00:18:27,406 --> 00:18:30,676 one of the things you're saying is your suspicion was raised because they 346 00:18:30,676 --> 00:18:32,566 actually adequately documented it. 347 00:18:33,946 --> 00:18:34,396 Basically. 348 00:18:34,546 --> 00:18:35,116 Basically 349 00:18:35,411 --> 00:18:35,591 the 350 00:18:35,591 --> 00:18:35,891 interest. 351 00:18:35,891 --> 00:18:38,591 I joke, but I've spent a lot of time trying to get people to document 352 00:18:38,591 --> 00:18:41,891 their work and these guys seem to have done a pretty good job at it. 353 00:18:42,241 --> 00:18:46,021 Yeah, the thing is that Gwen is Van left for vacation and was, going through the, 354 00:18:46,021 --> 00:18:51,161 all the analysis and everything, we had one idea where, oh, maybe they could 355 00:18:51,161 --> 00:18:56,591 be creating a new competitor for other MAR frameworks as a commercial product. 356 00:18:56,891 --> 00:19:00,251 They could be potentially be associated with nation state as 357 00:19:00,251 --> 00:19:02,351 well, given how advanced it was. 358 00:19:02,806 --> 00:19:05,486 How, maybe a big group was creating this. 359 00:19:05,846 --> 00:19:09,616 And then when we were found, it was AI created and likely a single author 360 00:19:09,856 --> 00:19:13,546 that was like, okay, that fooled us because we thought could be something 361 00:19:13,906 --> 00:19:16,576 fully, advanced by a big group. 362 00:19:16,576 --> 00:19:20,056 And at end of the day, it was very likely just single, individual creating it. 363 00:19:20,526 --> 00:19:23,766 I would say that AI fooled us as researchers as well in our 364 00:19:23,766 --> 00:19:26,896 initial thoughts, before we had access to the remaining, of 365 00:19:26,896 --> 00:19:28,186 the source code and everything. 366 00:19:29,806 --> 00:19:34,141 So just to recap the you found this, it's interesting, the 367 00:19:34,261 --> 00:19:36,901 thank heaven the developer is. 368 00:19:37,421 --> 00:19:41,531 Sloppy on their own server and leaves it open so that you can get this. 369 00:19:41,711 --> 00:19:44,621 'cause otherwise you may not have seen this type of window. 370 00:19:45,011 --> 00:19:48,461 And that was the thing that, that most amazed me was to say, I, we 371 00:19:48,461 --> 00:19:52,271 don't know how much of this is going on in the real world, but 372 00:19:52,271 --> 00:19:54,611 we've seen this in real life now. 373 00:19:55,451 --> 00:19:55,871 Exactly. 374 00:19:55,871 --> 00:19:57,636 and that's a very good point, Jim, because. 375 00:19:59,651 --> 00:20:00,581 Just to stress it. 376 00:20:00,581 --> 00:20:04,421 Again, this is not the first malware that was fully AI created. 377 00:20:04,421 --> 00:20:08,711 We see fully AI written malware scripts all the time, like power share scripts. 378 00:20:08,891 --> 00:20:11,471 You can see all the hallmarks of LLM generated stuff. 379 00:20:11,471 --> 00:20:14,256 You see all the documentation, like the comments in the power share 380 00:20:14,586 --> 00:20:16,596 scripts with emojis and everything. 381 00:20:16,746 --> 00:20:21,426 No, Fred actor would do that, but because it's generated by Che GPT or whatever 382 00:20:21,571 --> 00:20:23,071 you can spot it almost immediately. 383 00:20:23,431 --> 00:20:27,361 What's new about Void is that we're not talking about the power share script 384 00:20:27,361 --> 00:20:29,641 or a simple loader or drop or whatever. 385 00:20:29,641 --> 00:20:32,821 We're talking about the whole framework with like multiple 386 00:20:32,821 --> 00:20:34,441 components, plugins, and so on. 387 00:20:36,116 --> 00:20:40,346 It's fully written end to end by ai, but also this is likely, and this is the 388 00:20:40,346 --> 00:20:44,006 point we also make in the article, this is likely not the first time a malware 389 00:20:44,006 --> 00:20:47,936 was written like this, but it's the first time, at least to our knowledge, that 390 00:20:48,086 --> 00:20:51,266 we could actually see the development artifacts and we could basically 391 00:20:51,416 --> 00:20:52,976 prove that it is written this way. 392 00:20:53,026 --> 00:20:55,936 And you don't know what other sophisticated malware was fully 393 00:20:55,936 --> 00:20:58,926 written by ai, because it's just the state of software development. 394 00:20:59,196 --> 00:21:02,856 But what's special about this research is that we actually have insights into all 395 00:21:02,856 --> 00:21:07,176 these, and proofs for all these documents, processes, dev development processes. 396 00:21:08,286 --> 00:21:10,686 Is there any way to tell what tools they were using? 397 00:21:11,476 --> 00:21:11,506 I 398 00:21:11,506 --> 00:21:13,966 mean, there should have been, there should have been guardrails 399 00:21:13,966 --> 00:21:16,936 that kept them from being able to do something this sophisticated. 400 00:21:17,396 --> 00:21:21,296 So we have evidence that they use the tray ai, 401 00:21:21,656 --> 00:21:21,806 Okay. 402 00:21:21,806 --> 00:21:26,416 Which is like an IDE, so a development environment similar to VS code 403 00:21:26,416 --> 00:21:28,306 or Google anti-gravity or coor. 404 00:21:28,786 --> 00:21:31,626 So it's just an IDE, with agent support. 405 00:21:32,166 --> 00:21:33,276 I think it's by, by then. 406 00:21:33,276 --> 00:21:35,976 So it makes sense that somebody from China uses this software. 407 00:21:36,456 --> 00:21:40,266 We don't know which model exactly they used, but you're right. 408 00:21:40,266 --> 00:21:45,156 Usually the models they have guardrails to not help people in malware development. 409 00:21:45,606 --> 00:21:48,096 but we found a document which basic basically, Could 410 00:21:48,096 --> 00:21:51,606 potentially, or was likely used as a jailbreak for these models. 411 00:21:52,046 --> 00:21:55,911 so what they did was they have this document, which they also feed to the 412 00:21:55,911 --> 00:21:59,691 agent, and they basically brainwashed the agent to think that this is not 413 00:21:59,691 --> 00:22:01,401 malware, but a legitimate framework. 414 00:22:01,651 --> 00:22:02,191 I don't have it. 415 00:22:02,776 --> 00:22:06,466 Perfectly in mind right now, but it basically says this is not malware. 416 00:22:06,526 --> 00:22:08,926 This is a legit remote administration tool. 417 00:22:09,106 --> 00:22:13,916 It is compliant to all, all legal, implications, whatever, and so on. 418 00:22:13,916 --> 00:22:17,906 So it's basically whitewashing the language so that the agent afterwards, 419 00:22:17,966 --> 00:22:21,326 or the model afterwards, accepts that this is not malware development, 420 00:22:21,326 --> 00:22:22,886 but legitimate software development. 421 00:22:24,896 --> 00:22:29,086 So if it's doing this, and the reason I bring this up is because if we say 422 00:22:29,086 --> 00:22:34,046 we really are at a point where we might see , a wave of malware developed, 423 00:22:34,196 --> 00:22:38,486 sophisticated malware developed by ai, this case, they're jailbreaking. 424 00:22:38,816 --> 00:22:43,226 I've heard from other researchers that you can find ais that are pretty 425 00:22:43,226 --> 00:22:47,636 sophisticated in development, that are, that have no guardrails at all. 426 00:22:48,206 --> 00:22:48,356 Yep. 427 00:22:48,421 --> 00:22:49,976 That, that many of them work with. 428 00:22:50,666 --> 00:22:54,536 that's true, but usually you have to run this locally and this, if you wanna have 429 00:22:54,536 --> 00:22:58,766 a good model, this replies, requires a lot of computation power, a lot of 430 00:22:58,766 --> 00:23:01,756 GPU memory, which not everybody has. 431 00:23:01,876 --> 00:23:06,336 I think we know this was written on a MacBook, which has good chips for ai, but. 432 00:23:06,736 --> 00:23:09,566 To have a real estate of the art coding model, you would need a 433 00:23:09,566 --> 00:23:14,456 dedicated GPU cluster so it, it's easier or it's, not easier, but it's 434 00:23:14,456 --> 00:23:18,806 costs less money to daybreak and, an externally hosted model than to 435 00:23:18,806 --> 00:23:20,306 run your own state of the art model. 436 00:23:21,446 --> 00:23:22,166 Absolutely. 437 00:23:22,166 --> 00:23:24,496 But bike dance is open source as well, right? 438 00:23:24,706 --> 00:23:25,756 you could run it, couldn't you? 439 00:23:26,656 --> 00:23:27,211 I guess you could. 440 00:23:28,531 --> 00:23:32,961 But as I said, not everybody has 20 GPUs in the cluster at home, so 441 00:23:33,141 --> 00:23:33,711 lying around, 442 00:23:33,771 --> 00:23:34,251 yeah, I couldn't 443 00:23:34,251 --> 00:23:38,721 personally, although eight MacBook Minis stacked together, you'd be surprised. 444 00:23:39,471 --> 00:23:39,681 Yeah. 445 00:23:39,686 --> 00:23:39,956 Not bad. 446 00:23:39,976 --> 00:23:41,876 But I also don't have eight MacBook Minis, 447 00:23:41,946 --> 00:23:42,126 Yeah, 448 00:23:42,131 --> 00:23:42,741 but yet it's, 449 00:23:42,771 --> 00:23:43,261 it's possible. 450 00:23:43,261 --> 00:23:45,506 But the reason why I'm trying to get this is because we're trying to assess the 451 00:23:45,506 --> 00:23:47,186 sort of threat that we're working with. 452 00:23:47,186 --> 00:23:51,426 And in understanding this, we know that we're now seeing a more sophisticated 453 00:23:51,426 --> 00:23:53,166 form of malware that can be created. 454 00:23:53,406 --> 00:23:56,676 And I've done research interviews with people to, they've gone from, 455 00:23:56,896 --> 00:24:02,026 from really up a zero day to a threat in 15, 20 minutes being able 456 00:24:02,036 --> 00:24:03,506 to get something simple together. 457 00:24:03,506 --> 00:24:03,566 Yeah. 458 00:24:03,836 --> 00:24:05,946 But this is a sophisticated piece of software. 459 00:24:06,796 --> 00:24:08,641 How well would this work in your opinion? 460 00:24:11,396 --> 00:24:13,376 How well would it work to write something like that? 461 00:24:13,376 --> 00:24:13,436 Yeah, 462 00:24:13,796 --> 00:24:15,836 no, if Yeah, would, how big a threat is this? 463 00:24:16,366 --> 00:24:18,286 if they actually successfully pulled this off? 464 00:24:18,676 --> 00:24:22,316 I think it, it ups the ante, it means it lowers the barrier. 465 00:24:23,096 --> 00:24:25,816 It means, customer work can be developed quicker. 466 00:24:26,056 --> 00:24:30,646 So this could also mean that signature based detections are gonna 467 00:24:30,646 --> 00:24:32,596 be pretty much useless soon, right? 468 00:24:32,596 --> 00:24:36,821 Because signature based detections, they signature basically, or they 469 00:24:36,821 --> 00:24:38,411 write signatures on the code base. 470 00:24:38,651 --> 00:24:41,831 But if the threat actor just has to tell them all, Hey, rewrite this, in 471 00:24:41,831 --> 00:24:45,221 another programming language or whatever, all these detections become useless. 472 00:24:45,311 --> 00:24:49,151 And if the cost of that refactoring is near zero, then yeah. 473 00:24:49,386 --> 00:24:53,096 As I said, signature based detections become more and more useless, which 474 00:24:53,096 --> 00:24:56,566 would mean defenders would've to switch to more behavioral, detections. 475 00:24:57,136 --> 00:24:58,576 I think this is an implication. 476 00:24:58,636 --> 00:25:04,236 And the other implication is, that it's easier to develop malware, but this 477 00:25:04,236 --> 00:25:09,706 is only partly true because, this, the author of Void Link is not somebody 478 00:25:09,706 --> 00:25:12,526 who's not knowledgeable in all this. 479 00:25:12,526 --> 00:25:12,586 Yeah. 480 00:25:14,331 --> 00:25:15,921 Do the spec driven development. 481 00:25:15,921 --> 00:25:18,471 You have to be really good at actually writing out these specs. 482 00:25:18,471 --> 00:25:19,901 You have to know system engineering. 483 00:25:19,901 --> 00:25:20,681 You have to know malware. 484 00:25:20,681 --> 00:25:22,991 You have Linux, you have to know all these things. 485 00:25:25,556 --> 00:25:29,096 You don't have to code it manually anymore, but you still have to design 486 00:25:29,096 --> 00:25:30,686 it and write the specifications. 487 00:25:30,866 --> 00:25:35,576 So it doesn't mean just everybody can go there and say, Hey, she GPT, write 488 00:25:35,576 --> 00:25:39,136 me a Linux Commander Control framework because, yeah, that's not gonna work. 489 00:25:39,136 --> 00:25:40,156 can I challenge you on that? 490 00:25:40,156 --> 00:25:42,316 'cause if we're talking about development with a friend of mine who's another 491 00:25:42,316 --> 00:25:48,246 developer And he was, we were testing out, Opus 4.5 and he shrugged at me and said, 492 00:25:48,486 --> 00:25:50,016 of course, I did the specs with Chatt. 493 00:25:52,236 --> 00:25:52,536 yeah, 494 00:25:53,016 --> 00:25:53,346 definitely. 495 00:25:53,346 --> 00:25:58,091 And you can give pretty, he, now, it wasn't malware, but he had, he was doing 496 00:25:58,146 --> 00:26:00,056 a pretty sophisticated Linux application. 497 00:26:00,406 --> 00:26:01,906 and he wrote, he just, he used. 498 00:26:02,111 --> 00:26:03,701 Cha to write all the specs. 499 00:26:04,151 --> 00:26:06,791 Yeah, the specs and voiding are also LLM generated. 500 00:26:06,851 --> 00:26:08,141 that's clear from the language. 501 00:26:08,141 --> 00:26:10,391 It's in Chinese, but it has also all the hallmarks. 502 00:26:10,391 --> 00:26:12,371 It has these grandiose statements and so on. 503 00:26:12,581 --> 00:26:17,471 So this actor also wrote the specs, with the assistance of LLM. 504 00:26:18,201 --> 00:26:23,871 I would still argue you cannot just say, chat, GBT, write me specs for 505 00:26:24,081 --> 00:26:25,671 Linux Commander Control Framework. 506 00:26:25,671 --> 00:26:28,401 You still need to know, Hey, I want this feature, I want that feature. 507 00:26:28,831 --> 00:26:33,091 the validation as well, has specific validation requirements to check if e 508 00:26:33,091 --> 00:26:34,891 every stage is working fine and all that. 509 00:26:35,886 --> 00:26:40,796 because I would say, in terms of when we started looking for potential threats 510 00:26:40,826 --> 00:26:47,746 use within AI usage are created by ai, we knew that at some point anything major 511 00:26:47,746 --> 00:26:51,406 would come from major threat actors, because all we've seen before, like Ven 512 00:26:51,406 --> 00:26:56,836 mentioned, were like those scripts or even functions created by ai, which were 513 00:26:56,836 --> 00:27:00,646 very random functions, like something very simple that anybody could write. 514 00:27:01,176 --> 00:27:01,746 but these. 515 00:27:01,826 --> 00:27:06,836 Was a way more advanced than we've seen before, and the same way that 516 00:27:06,836 --> 00:27:11,996 we still believe when AI will become much higher threat to security. 517 00:27:12,436 --> 00:27:14,926 it's coming from experiencing threat actors. 518 00:27:15,256 --> 00:27:17,196 This is proves a little bit this case because. 519 00:27:17,421 --> 00:27:21,411 It needed some sort of experienced developer, not a very junior one 520 00:27:21,681 --> 00:27:23,451 would be able to write such code. 521 00:27:23,871 --> 00:27:29,331 I think proves a little bit what we thought before come those AI threads 522 00:27:29,451 --> 00:27:35,631 would be very, would be more dangerous coming from most experienced actors or 523 00:27:35,631 --> 00:27:39,871 developers, not from the, the script kids, if we can call it them this way. 524 00:27:41,421 --> 00:27:48,061 But still being able to use and modify and, we talked about signature based, 525 00:27:48,301 --> 00:27:53,541 detection, being more or less overwhelmed by the ability to make changes. 526 00:27:53,761 --> 00:27:57,751 And apparently they're pretty good at, they may be crappy at maintaining 527 00:27:57,751 --> 00:28:00,801 their servers, pretty good at knowing they should test their stuff 528 00:28:00,801 --> 00:28:02,901 against signature based detection. 529 00:28:03,411 --> 00:28:09,941 But if you can modify your software fairly rapidly, doesn't that give 530 00:28:09,941 --> 00:28:14,221 you an advantage as a hacker to be able to constantly be coming up 531 00:28:14,221 --> 00:28:16,081 with new generation, new variations? 532 00:28:17,361 --> 00:28:18,921 I think it goes both ways. 533 00:28:18,921 --> 00:28:19,701 Yeah, definitely. 534 00:28:19,711 --> 00:28:22,171 so AI is just a force accelerator, right? 535 00:28:22,351 --> 00:28:26,611 The bad guys get quicker and get better, but it also works the other way, right? 536 00:28:26,611 --> 00:28:27,661 The good guys, they get better. 537 00:28:27,991 --> 00:28:33,031 This goes in many, areas of the blue teaming side or the defender side. 538 00:28:33,301 --> 00:28:35,421 There's AI detections, which. 539 00:28:36,021 --> 00:28:38,691 Obviously, benefit from advancements in ai. 540 00:28:39,081 --> 00:28:43,181 but there's also our security researchers, regarding the reverse engineering. 541 00:28:43,511 --> 00:28:47,951 we as reverse engineers when we analyze malware, We definitely leverage ai. 542 00:28:48,191 --> 00:28:53,571 So for a framework like Void Link me using AI to, to analyze it and to have, have it 543 00:28:53,571 --> 00:28:57,651 interpret the decumulation or whatever, it, it speeds up my process as well. 544 00:28:57,821 --> 00:28:59,321 and this goes in for every role. 545 00:28:59,321 --> 00:29:03,146 It just, I. The pace of everything just gets faster, but I don't think 546 00:29:03,146 --> 00:29:07,986 any site really has the bigger advantage, maybe slightly, but 547 00:29:08,036 --> 00:29:09,386 it's not a big step, I would say. 548 00:29:09,716 --> 00:29:11,606 Pedro, I don't know if you agree with me on that one. 549 00:29:12,176 --> 00:29:12,986 No, I totally agree with you. 550 00:29:12,986 --> 00:29:17,246 I think it's, it just demonstrates like the, if we compare to the 551 00:29:17,246 --> 00:29:18,806 software engineer award as well. 552 00:29:18,806 --> 00:29:22,976 if you hear from senior developers, the AI just make their. 553 00:29:24,021 --> 00:29:26,631 Job much faster, better in a certain way. 554 00:29:26,631 --> 00:29:28,131 The same will be for the trajectory. 555 00:29:28,131 --> 00:29:31,121 The same will be for defenders, but I guess we are in the same pace. 556 00:29:33,281 --> 00:29:33,581 Wow. 557 00:29:33,941 --> 00:29:37,131 So what does this mean in terms of, I know what it means in terms of research, 558 00:29:37,131 --> 00:29:40,671 but in terms of the people who are out in the field working on this right now, what 559 00:29:40,671 --> 00:29:46,491 should they be knowing about the this and how it's gonna have an impact on them? 560 00:29:48,321 --> 00:29:48,921 that's actually. 561 00:29:49,526 --> 00:29:50,786 Not an easy question. 562 00:29:51,056 --> 00:29:54,476 I guess everybody was more or less aware that the AI malware 563 00:29:54,476 --> 00:29:56,621 development age is already here. 564 00:29:57,101 --> 00:30:00,081 This is essentially just the proof that it is, which was something 565 00:30:00,081 --> 00:30:01,851 that we haven't had before. 566 00:30:02,811 --> 00:30:07,731 What you can take away from White, white Link specifically, I would say is, that 567 00:30:07,731 --> 00:30:09,531 it shows that Linux is also threat. 568 00:30:09,721 --> 00:30:11,941 just to move away from AI for once. 569 00:30:12,221 --> 00:30:15,281 because as I said, traditionally most mobile focuses on Windows. 570 00:30:15,441 --> 00:30:17,361 but with the age of the cloud, a lot of. 571 00:30:17,736 --> 00:30:19,836 interesting services for every company. 572 00:30:20,046 --> 00:30:22,026 All the interesting data lies in the cloud. 573 00:30:22,346 --> 00:30:26,306 and this is different from the classic active directory, two domain controllers, 574 00:30:26,336 --> 00:30:28,526 one file server enterprise that we have. 575 00:30:28,706 --> 00:30:29,726 It's all distributed. 576 00:30:29,726 --> 00:30:32,006 It's in cloud systems, it's on Linux servers. 577 00:30:32,216 --> 00:30:34,286 It's not necessarily even on the same network. 578 00:30:34,336 --> 00:30:37,156 it's, in VPNs and the different cloud clusters and so on. 579 00:30:37,156 --> 00:30:40,836 So attackers obviously have to modify their toolkits, and adapt 580 00:30:40,836 --> 00:30:41,851 to the Linux age, although. 581 00:30:42,191 --> 00:30:45,461 I don't wanna say Linux, edge, the cloud and container edge. 582 00:30:45,561 --> 00:30:48,651 so I would say that's definitely a takeaway. 583 00:30:48,711 --> 00:30:52,121 Just don't try to keep your focus on your own windows. 584 00:30:52,171 --> 00:30:53,761 also look at your cloud system, which is 585 00:30:53,761 --> 00:30:55,411 easy because there's a lot happening there. 586 00:30:55,411 --> 00:31:00,271 But this week in particular, this is the second one for me this week, came up with 587 00:31:00,296 --> 00:31:02,306 a story from, you're looking at Void Link. 588 00:31:02,606 --> 00:31:05,366 And then we did another story about an 11-year-old bug. 589 00:31:05,961 --> 00:31:09,471 In Linux this week that could give root access. 590 00:31:10,101 --> 00:31:15,751 So it's, we might, we're proud of Linux and how well as an 591 00:31:15,751 --> 00:31:20,371 open source development, it's kept to be fairly secure. 592 00:31:20,791 --> 00:31:24,221 but I think it's something that we really need to be look, taking another look at 593 00:31:24,491 --> 00:31:26,171 saying, are we a little too confident? 594 00:31:26,171 --> 00:31:26,861 Is that fair? 595 00:31:27,837 --> 00:31:29,127 Too confident on? 596 00:31:29,287 --> 00:31:32,027 Maybe, every system has their vulnerabilities. 597 00:31:32,177 --> 00:31:36,207 I think a big part is not, that's why you have to assume breach mindset, right? 598 00:31:36,277 --> 00:31:38,317 you can assume everything gets compromised. 599 00:31:38,557 --> 00:31:41,707 Every actor can compromise anything if they have enough resources. 600 00:31:41,762 --> 00:31:45,272 so the way you should look at security is not, can I be compromised, 601 00:31:45,272 --> 00:31:48,732 but will I be com when I will be compromised, how will I see it? 602 00:31:48,732 --> 00:31:49,422 How will I react? 603 00:31:49,622 --> 00:31:49,942 I would say. 604 00:31:51,710 --> 00:31:55,065 There's no, you cannot be confident in the security of any system, 605 00:31:55,065 --> 00:31:58,545 but you have to be confident in to your visibility into it and in. 606 00:32:02,190 --> 00:32:05,820 That's the, also the offensive security pentest red team speaking out of me. 607 00:32:07,450 --> 00:32:07,990 I always assume. 608 00:32:08,465 --> 00:32:12,515 That there's two types of people, those who have been hacked already and those 609 00:32:12,515 --> 00:32:14,515 who haven't found how they got hacked. 610 00:32:14,815 --> 00:32:14,905 Yeah, 611 00:32:15,005 --> 00:32:15,245 exactly. 612 00:32:15,905 --> 00:32:18,305 So it, it's happening all the time. 613 00:32:18,305 --> 00:32:19,805 The question is how severe is it? 614 00:32:20,015 --> 00:32:21,035 How long did they stay? 615 00:32:21,035 --> 00:32:23,015 And how much of a problem did they cause you? 616 00:32:23,375 --> 00:32:24,635 And I think that's a pretty fair. 617 00:32:24,909 --> 00:32:25,089 What 618 00:32:25,089 --> 00:32:25,834 you guys working on 619 00:32:25,834 --> 00:32:25,954 next? 620 00:32:26,294 --> 00:32:26,634 Oh, sorry. 621 00:32:26,634 --> 00:32:30,119 Sorry, just one last thing 'cause I wanted to mention this as well. 622 00:32:30,299 --> 00:32:34,379 So we've been talking about how AI makes it so easy for 623 00:32:34,379 --> 00:32:35,789 developers to create malware. 624 00:32:36,119 --> 00:32:40,599 but the funny thing is, AI is also very bad at operational security. 625 00:32:40,809 --> 00:32:44,289 So if you look at void link, every build chip with debug symbols, 626 00:32:44,289 --> 00:32:48,159 so essentially you put the binary in a decompiler, you saw all the 627 00:32:48,159 --> 00:32:49,859 function names, all the information. 628 00:32:49,889 --> 00:32:51,119 Usually you strip that away. 629 00:32:51,119 --> 00:32:54,329 So it's not easily reverse engineered, but the AI. 630 00:32:54,829 --> 00:32:57,859 Thinking because it was brainwashed at this is legitimate software. 631 00:32:58,069 --> 00:32:59,239 It doesn't do any of that. 632 00:32:59,299 --> 00:33:03,789 It doesn't strip away debug symbols or, if you were talking to the HTT P 633 00:33:03,789 --> 00:33:07,299 server, avoid link, it answered with I'm the void link C two server, which 634 00:33:07,299 --> 00:33:09,789 is also very bad operational security. 635 00:33:09,939 --> 00:33:13,194 And then there's the open directory because, yeah, the Fred actor 636 00:33:13,244 --> 00:33:14,834 just open the random web server. 637 00:33:15,104 --> 00:33:18,194 There's other things which AI is not good in, or the things 638 00:33:18,194 --> 00:33:19,784 that people still do manually. 639 00:33:20,204 --> 00:33:23,594 yeah, it's, it doesn't necessarily make the people smarter just 640 00:33:23,594 --> 00:33:24,974 because their tools get smarter. 641 00:33:25,244 --> 00:33:25,994 That's what I wanna say. 642 00:33:27,374 --> 00:33:29,594 But we have to count on the fact that they're gonna learn too. 643 00:33:31,334 --> 00:33:32,234 Maybe, let's see. 644 00:33:33,434 --> 00:33:34,604 Hopefully not too much. 645 00:33:34,884 --> 00:33:39,129 I'm hoping, I would rather have stupid hackers, believe me, but I don't 646 00:33:39,129 --> 00:33:42,579 really count on that, particularly if they're nation states or some of the 647 00:33:42,579 --> 00:33:44,109 groups that are pretty sophisticated. 648 00:33:45,339 --> 00:33:48,669 I know it makes lazy, so maybe they're even aware, but they 649 00:33:48,669 --> 00:33:51,879 don't care because I know when I'm coding and I'm like, ah, come on. 650 00:33:51,939 --> 00:33:52,959 I don't want to go there. 651 00:33:53,259 --> 00:33:54,189 Do this manually. 652 00:33:55,269 --> 00:33:56,889 So let's see. 653 00:33:56,939 --> 00:33:58,859 yeah, I totally agree with you. 654 00:33:59,249 --> 00:34:00,509 What are you guys working on next? 655 00:34:00,899 --> 00:34:01,869 What do, what's up? 656 00:34:01,989 --> 00:34:04,349 What's, what do you think is interesting that you're gonna be 657 00:34:04,349 --> 00:34:06,889 pursuing, I'm not telling you to give away your next paper, but what are 658 00:34:06,889 --> 00:34:07,939 the areas you're most looking at? 659 00:34:08,539 --> 00:34:13,319 I believe, I, we believe that void link puts in, us in 660 00:34:13,319 --> 00:34:14,639 perspective that, all right. 661 00:34:15,269 --> 00:34:17,279 Threat actors use AI rapidly. 662 00:34:17,969 --> 00:34:21,659 Develop their software and they are advanced, they're capable and everything. 663 00:34:22,179 --> 00:34:24,294 what I'm looking to see now is. 664 00:34:25,149 --> 00:34:30,789 When are we going to see AI being used by threat actors to really 665 00:34:30,789 --> 00:34:32,529 make their operation quicker? 666 00:34:32,829 --> 00:34:37,059 So for example, in, in a case of a compromise, how they can 667 00:34:37,059 --> 00:34:41,794 use AI to speed the time between compromise to, a lateral movement 668 00:34:41,894 --> 00:34:43,794 and transfer deployment, for example. 669 00:34:44,574 --> 00:34:45,074 so the. 670 00:34:45,579 --> 00:34:47,379 The AI generated malware. 671 00:34:47,379 --> 00:34:48,159 We've seen that. 672 00:34:48,289 --> 00:34:52,609 we've seen simple examples and this of course the real example with Void Link. 673 00:34:53,359 --> 00:34:55,359 But, what about using AI to adapt? 674 00:34:56,289 --> 00:35:00,999 Within the code, for instance, or after ex after compromise is made 675 00:35:01,329 --> 00:35:05,409 to quickly assess which victims is interesting or which victim is not. 676 00:35:05,879 --> 00:35:09,604 I believe that's what we, we should be looking for next, in the horizon. 677 00:35:12,009 --> 00:35:16,109 It's going to be interesting and I'm also following up on, I'm not gonna say 678 00:35:16,109 --> 00:35:20,639 too much because I don't wanna give it away, but, I'm also following up on, 679 00:35:20,639 --> 00:35:26,519 on Void Link and focusing on container ecosystems right now and different dangers 680 00:35:26,519 --> 00:35:28,414 that are, inherit in those ecosystems. 681 00:35:28,474 --> 00:35:29,574 But I'm not gonna say more. 682 00:35:30,119 --> 00:35:33,599 Maybe it's gonna be fruitful, then you're gonna read an article, but maybe not, you 683 00:35:33,599 --> 00:35:35,639 never know with the research and before 684 00:35:36,509 --> 00:35:37,904 or you'll come back and talk to us. 685 00:35:38,384 --> 00:35:38,534 Yeah. 686 00:35:38,534 --> 00:35:38,834 Maybe. 687 00:35:39,584 --> 00:35:39,824 Yeah. 688 00:35:40,304 --> 00:35:43,004 No, I think the container piece is an interesting piece and something 689 00:35:43,004 --> 00:35:47,074 that I can't say I know a lot about the security of, I just know that it 690 00:35:47,074 --> 00:35:51,084 is an area that probably may not get as much attention as it needs and, 691 00:35:51,204 --> 00:35:51,714 I believe so. 692 00:35:51,714 --> 00:35:51,924 Yeah. 693 00:35:53,069 --> 00:35:53,399 Cool. 694 00:35:53,519 --> 00:35:55,889 And the, the, also the idea of lateral movement. 695 00:35:56,399 --> 00:35:58,769 If they get faster at that's a problem. 696 00:35:59,159 --> 00:36:03,469 I still don't, I still want to talk about networks and I'm gonna do a try and do 697 00:36:03,469 --> 00:36:08,109 a show on networks and how people can stop lateral movement because I hear 698 00:36:08,109 --> 00:36:12,429 so much that people find ways to move around, and I'm always mystified by that. 699 00:36:12,429 --> 00:36:14,259 How can they stay that long? 700 00:36:14,499 --> 00:36:18,009 How can they have the time to find. 701 00:36:18,154 --> 00:36:20,224 The lateral movements and nobody spots them. 702 00:36:20,644 --> 00:36:22,234 Now, that's already something. 703 00:36:22,234 --> 00:36:24,814 But if they get faster and better at it, that's even worse. 704 00:36:25,204 --> 00:36:25,414 Yeah. 705 00:36:27,214 --> 00:36:27,634 Good stuff. 706 00:36:28,264 --> 00:36:29,044 Thank you gentlemen. 707 00:36:29,044 --> 00:36:29,884 I appreciated this. 708 00:36:29,884 --> 00:36:30,514 this was great. 709 00:36:30,724 --> 00:36:33,844 I, is there anything else you want that I've missed that you want 710 00:36:33,964 --> 00:36:36,299 tell the audience or that you want, you think you wanna share with it? 711 00:36:39,154 --> 00:36:40,054 not from my side. 712 00:36:40,054 --> 00:36:43,429 I guess we, we covered well, what we have found out. 713 00:36:43,429 --> 00:36:48,259 I just wanted to acknowledge the rest of other teams within Checkpoint research, 714 00:36:48,829 --> 00:36:52,399 the threat intelligence team and other research team and other people as well. 715 00:36:52,609 --> 00:36:55,574 If I say names, we'll likely be forgetting someone maybe not worth it. 716 00:36:55,964 --> 00:36:59,624 it's a team effort and Van is the main research of this, but it was a 717 00:36:59,624 --> 00:37:03,874 pretty much a team effort analyzing everything we found, debating on the 718 00:37:03,874 --> 00:37:05,854 conclusions, on the findings and all that. 719 00:37:05,854 --> 00:37:07,354 it's, pretty much a big team effort. 720 00:37:08,464 --> 00:37:09,634 Yeah, it was great teamwork. 721 00:37:10,504 --> 00:37:11,734 yeah, I don't have anything to add. 722 00:37:11,734 --> 00:37:12,809 Thanks to him for having us. 723 00:37:12,994 --> 00:37:13,594 It was very fun. 724 00:37:13,744 --> 00:37:13,954 Yeah. 725 00:37:14,499 --> 00:37:14,519 thank you. 726 00:37:14,519 --> 00:37:17,829 And I'll post a link to this and I urge people to go and read it. 727 00:37:17,979 --> 00:37:19,329 It's very accessible. 728 00:37:19,389 --> 00:37:21,469 I, and I do, I compliment you on that. 729 00:37:21,579 --> 00:37:24,909 it's a very readable document and it'll at least bring you up to date 730 00:37:24,909 --> 00:37:26,709 and fill in anything that we missed. 731 00:37:27,099 --> 00:37:27,729 Thanks a lot guys. 732 00:37:27,729 --> 00:37:28,299 Appreciate it. 733 00:37:28,659 --> 00:37:28,959 Thank you. 734 00:37:28,959 --> 00:37:29,649 Good one. 735 00:37:29,649 --> 00:37:29,709 Yeah. 736 00:37:29,799 --> 00:37:30,069 Thank you 737 00:37:30,069 --> 00:37:30,234 very much. 738 00:37:30,904 --> 00:37:31,594 Have a good one. 739 00:37:32,910 --> 00:37:33,870 And that's our show. 740 00:37:34,845 --> 00:37:37,635 There's a link to the research report in the show notes. 741 00:37:37,785 --> 00:37:39,135 I wasn't just being polite. 742 00:37:39,225 --> 00:37:43,305 I've read a lot of reports and this was well written and it will fill you 743 00:37:43,305 --> 00:37:47,085 in on the story if you want to dive a little deeper and see some of the 744 00:37:47,085 --> 00:37:49,995 research processes and diagrams as well. 745 00:37:50,630 --> 00:37:54,590 You can find the link@technewsday.ca or.com. 746 00:37:54,590 --> 00:37:58,430 Take your pick, look under podcasts, and if you're watching this on 747 00:37:58,430 --> 00:38:01,850 YouTube, there's a link right under the video in the show notes. 748 00:38:02,540 --> 00:38:03,770 Love to hear what you think. 749 00:38:04,220 --> 00:38:08,240 Use the contact us form on the site when you're there, or leave a comment 750 00:38:08,240 --> 00:38:12,200 under the video, or as a number of you do hunt me down on LinkedIn. 751 00:38:12,410 --> 00:38:17,450 I'm always pleased to talk to you, and if you find stories or things where 752 00:38:17,450 --> 00:38:19,340 you'd like to see us do a deeper dive. 753 00:38:19,740 --> 00:38:20,400 Let me know. 754 00:38:20,730 --> 00:38:26,040 I'm pleased to reach out and thanks to people like Anna at Checkpoint who put 755 00:38:26,040 --> 00:38:30,150 this together so quickly, we can do a little deeper dive into the topic. 756 00:38:31,410 --> 00:38:33,510 I'd also like to thank Meter for their support. 757 00:38:34,170 --> 00:38:39,420 We're totally supported by your donations and sponsors who will only ask for a 758 00:38:39,420 --> 00:38:42,510 mention and no editorial control at all. 759 00:38:42,900 --> 00:38:46,260 All we offer them is a description of what they do, and in this 760 00:38:46,260 --> 00:38:48,270 case, lemme go ahead with that. 761 00:38:48,870 --> 00:38:54,120 Meter delivers a full stack networking infrastructure, wired, wireless and 762 00:38:54,120 --> 00:38:56,070 cellular to leading enterprises. 763 00:38:56,400 --> 00:39:00,840 Working with their partners, meter designs, deploys and manages everything 764 00:39:00,840 --> 00:39:05,970 required to get performant, reliable and secure connectivity in a space. 765 00:39:06,300 --> 00:39:09,780 They design the hardware, the firmware, build the software. 766 00:39:09,850 --> 00:39:12,190 Manage deployments and run support. 767 00:39:12,520 --> 00:39:16,570 It's a single integrated solution that scales from branch offices, 768 00:39:16,720 --> 00:39:20,560 warehouses, and large campuses all the way to data centers. 769 00:39:21,070 --> 00:39:24,190 Book a demo at meter.com/cst. 770 00:39:24,400 --> 00:39:32,165 That's METE r.com/cst and that way they'll know you found them through our show. 771 00:39:33,575 --> 00:39:34,655 I'm your host, Jim Love. 772 00:39:35,675 --> 00:39:38,555 Thanks for listening and have a great weekend.