CentreStack Vulnerability & the Future of the NVD (CVEs)
In this week's CyberCall, MSPs were urged to take immediate action in response to a serious CentreStack vulnerability, and to prepare for major changes in how the industry tracks and shares vulnerability data. CentreStack, a file-syncing platform used by many MSPs and their clients, was found to have a critical vulnerability (assigned a CVE) that allows remote code execution. Because the flaw stems from a hard-coded secret, exploitation is low-effort: once a proof of concept is public, attackers can mass-scan for exposed instances and exploit them with little more than point and click, which makes the product a prime target. After gaining access, attackers have been consolidating their foothold with built-in or legitimate tools such as PowerShell and Mesh Agent (remote access software a sysadmin may not notice if they are unsure which remote access tools are sanctioned in their environment) and by making web configuration changes that can leave the front door open even after the patch is applied. MSPs were encouraged to patch immediately, run Huntress' free detection script, sweep for persistence rather than treating the patch as sufficient, and inventory the remote access tools across their environments.
The second half of the call tackled a looming challenge: the uncertain future of the CVE (Common Vulnerabilities and Exposures) program. With funding cuts affecting CISA and MITRE, which fund and operate CVE, concerns are rising about the long-term viability of the NVD (National Vulnerability Database), which NIST maintains and which builds on CVE by adding CVSS severity scores, affected versions, advisory links and remediation guidance. CVE identifiers are the shared backbone of practically every security tool, scanner and compliance framework. Without a robust, funded CVE system, MSPs risk losing a common language for managing and communicating about vulnerabilities, which affects both threat detection and GRC efforts.
Key takeaways for MSPs included prioritizing immediate patching, assuming compromise until proven otherwise, hardening the perimeter, improving inventory management of remote access tools, and building a proactive security culture. The complexity of modern environments, especially with the rise of cloud and AI, demands a more collaborative and resilient approach to vulnerability intelligence. This CyberCall served as a reminder that staying ahead of threats requires speed, strategy, and community engagement.
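The call's advice to inventory remote access tools and sweep for persistence after patching can be turned into a repeatable check. The PowerShell below is an added example written for this page; it is not a script from the call, from Huntress or from the CentreStack vendor. It enumerates the places a remote access tool normally leaves traces on a Windows host (services, running processes, scheduled task actions and the Uninstall registry keys), matches each against a list of remote access tool name fragments and an allowlist of what the MSP has deliberately deployed, and reports anything unexpected. Mesh Agent is the only product the call names; the other patterns in `$RatPatterns`, the contents of `$Sanctioned`, and the requirement to run elevated are assumptions to adjust for your environment.

```powershell
# Added example, not code from the call, Huntress or the CentreStack vendor.
# Inventory remote access tooling on a Windows host and flag anything that is
# not on the MSP's sanctioned list. Assumes it is run as an administrator.

# Name fragments of common remote access tools. Only "Mesh Agent" is named on
# the call; the remaining entries are assumptions to extend for your estate.
$RatPatterns = @('MeshAgent', 'Mesh Agent', 'AnyDesk', 'TeamViewer', 'ScreenConnect',
                 'ConnectWise', 'Splashtop', 'Atera', 'RustDesk', 'NinjaRMM', 'TacticalRMM')

# Tools this MSP has deliberately deployed (assumption: edit to match reality).
$Sanctioned = @('ScreenConnect')

# Return the first pattern that appears in $Text, or $null if none does.
function Test-RatMatch {
    param([string]$Text)
    foreach ($p in $RatPatterns) {
        if ($Text -and $Text -like "*$p*") { return $p }
    }
    return $null
}

$findings = New-Object System.Collections.Generic.List[object]

# Record a finding when the name or detail string matches a known tool.
function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Detail)
    $match = Test-RatMatch ("$Name $Detail")
    if (-not $match) { return }
    $findings.Add([pscustomobject]@{
        Source     = $Source
        Name       = $Name
        Matched    = $match
        Sanctioned = ($Sanctioned -contains $match)
        Detail     = $Detail
    })
}

# 1. Services: service name, display name, binary path and state.
Get-CimInstance Win32_Service | ForEach-Object {
    Add-Finding -Source 'Service' -Name $_.Name -Detail ("{0} | {1} | {2}" -f $_.DisplayName, $_.PathName, $_.State)
}

# 2. Running processes: image name and full path (path can be unreadable for
#    protected processes, so failures are tolerated).
Get-Process | ForEach-Object {
    $path = $null
    try { $path = $_.Path } catch { }
    Add-Finding -Source 'Process' -Name $_.ProcessName -Detail $path
}

# 3. Scheduled tasks: the executable and arguments of each task action.
Get-ScheduledTask | ForEach-Object {
    foreach ($a in $_.Actions) {
        Add-Finding -Source 'ScheduledTask' -Name $_.TaskName -Detail ("{0} {1}" -f $a.Execute, $a.Arguments)
    }
}

# 4. Installed software according to the Uninstall keys (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding -Source 'Uninstall' -Name $_.DisplayName -Detail ("{0} | {1}" -f $_.Publisher, $_.InstallLocation)
}

# Report unsanctioned tools first; those are the ones to investigate.
$findings | Sort-Object Sanctioned, Source | Format-Table -AutoSize
$unexpected = $findings | Where-Object { -not $_.Sanctioned }
if ($unexpected) {
    Write-Warning ("{0} remote access tool artefact(s) not on the sanctioned list" -f $unexpected.Count)
    exit 1
}
```

Run it on the CentreStack server and on any host an attacker could have reached from it, after patching. An unsanctioned Mesh Agent service or scheduled task that survives the patch is exactly the persistence the call describes, and a non-zero exit code makes the check easy to wire into an RMM script so it runs across a fleet rather than on one box.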
Guests
Video Transcript
All right, all right. We are live. Welcome, welcome, everybody. As usual, I'm just going to do a quick something in chat here. Guys and gals out there, if you could just let me know we're coming through: audio, visual, everything good? Happy Easter Monday to you as well. Lisa Mitchell, good to see you out there. There's a touch of a delay, so I'm just going to keep an eye on chat and make sure we're A-OK to go, Gar.
A few announcements today. They're only going to take up maybe four or five minutes, maybe ten, because I know that's your favorite part when I do that. No, but I do want to ask you a little bit about what you just mentioned offline, because I think that's really cool. I do want to ask you about peer groups, because you get together once a quarter with hundreds, and what, six, seven hundred now?
I forget how many. Yeah, well, in North America last week in Orlando that cohort was about 500 MSPs, but we have nearly a thousand worldwide and virtual now. Okay. So we're going to come to that in a minute. The first thing I do want to get out there to everybody... actually, I'll hold off on this because people are coming in. But Garrett, maybe you can bring us up to speed a little bit. Every quarter I like to ask you for the pulse of the industry.
We just got done with Q1; we're into Q2. Can you give us a lay of the land, the pulse, and what you're seeing? Yeah, so first quarter across our aggregate was strong, with an average growth rate in MRR, annualized, of between 18 and 20%. So I think that's really good. But we did spend a lot of the meeting talking about preparing for what we don't know is going to happen with the economy.
At this point I think there's enough data that we need to start preparing: what are the things we do in order to protect our business, have a plan and thrive? It's my strong feeling that these are the times when... it's not a matter of if, but when we have an economic setback. As you know, Andrew, I predicted eight of the last four recessions.
It really sorts out all businesses, and MSPs are no different. So how do you think about how efficiently you're running your business, what your ability to add new logos looks like? Are you above your turning point or your break-even? If not, what's your cash position? Staying on top of AR. There are so many things to do to make sure that you have options that other people don't, to take advantage of
what, for some people, will be the worst thing that ever happened in their business. Mm-hmm. I remember distinctly, Gary, two periods. One, I worked kind of tangentially with you, and that was the 2008 crisis: what people did and how they approached it. And then obviously the pandemic. We also had 2016 a little bit in there. These quote-unquote downturns.
It's just really interesting, being prepared, how you approached customers and your advice to MSPs. It's something you definitely should prepare for. Maybe a CyberCall episode, if you're open to it. Yeah. I mean, we have a lot of people listening today who, other than the pandemic, which is different from other kinds of downturns and bounce-backs, have never experienced it. They weren't in business in 2008. It's been a long time, right? Yeah.
We're like overdue. And so some people, if you've not experienced it, you may not know how to get prepared. Yeah, yeah. We'll do that. And maybe a good segue: I just want to show something to everybody, and I'd love for you all to share this. We're going to do a big marketing campaign around it because I think it's significant. Can you guys see my screen, this piece here? Mm-hmm. Is that coming through, the fifth-year anniversary? Yes.
Yes. Okay. Yeah. So Gar, you're the sole holdout, and I thank you; you're the original. But we're going to bring the band back together. May 19th we will hit five years of the CyberCall, and far north of 200 Mondays of education on business and the business of cyber, et cetera.
And we're going to be looking at the past, present and future: 2020, when we were just coming out of the pandemic and we started this because everything was virtual. I just want to, first of all, thank you, Gary, for spending those five years with us and helping educate, and then bringing back Wes and Kyle, the originals.
Yeah, so, well, I didn't realize that. I would've asked for a raise, Andrew. What would that be, like a 30% raise on zero, Mr. Blut... Toski? Uh, yeah, so I'm not sure what happened here, but I have everybody this way now. Let me see if I can get back my screen. But I'll figure that out. Anyway, but yeah, I think it's pretty cool, Gary, that it's far north of 10,000 MSPs that we've educated in that timeframe.
And so, like I said, we're going to do a big quote-unquote show with that. I'm excited to have everybody back and talk about what's transpired over these five years. Okay, let's get on into today. First off, I made a mistake. Phyllis let me know that I said it was the NVD; it was actually support of CVE. And Phyllis,
can you kind of... they go in tangentially to one another. Can you help everybody understand the funding? Because obviously you need CVEs to update the NVD, but can you educate us on the funding, if you will, for everybody? Yeah, sure. So, as we all know, CVEs are the Common Vulnerability Enumeration, right? So that's the CVE numbers that we get.
And that is funded through CISA, and MITRE, an FFRDC (Federally Funded Research and Development Center), are the keepers of CVEs. The NVD, the National Vulnerability Database, is based off CVEs. In order to make it to the NVD you have to have a CVE, and that's managed and paid for by NIST. So NIST does that internally. So the NVD will include the CVE, it'll have the CVSS severity score,
and it'll put more context around the CVE: these are the versions of the different software that are vulnerable, it'll point to advisories, it may give some remediation steps, and so on and so forth. Now, the two are separate. However, as we all know, every agency was getting funding cuts.
And so it could be that the NVD does get defunded; year over year, less and less funding does get allocated toward the NVD, meaning resources, because, just like everyone gets in a recession, the federal government does as well, right? So, more to come. It'll be interesting to see what happens to CVE and NVD as a result of the... not NVD, sorry, I'm now confusing them: the CVE losing funding.
There was quickly formed a CVE Foundation. And so folks in the community are concerned and looking at: is it really a good model to have the federal government fund CVEs, or should we be moving to something different? Yeah, it's really interesting. And that's the area, by the way, Bob. You're going to answer: do you really need CVEs? Well, pretty much every tool that everybody... Yeah.
is relying on it. And then some people have brought in what Europe is doing, so it'll be interesting to see what happens. Yeah. So it's interesting this week, and I'm going to introduce our guest shortly. Wait, Andrew, do you know who got more funding based on this? Nation-state bad actors? Yeah. Yeah. That's really fun. They got 20% more funding. They can pin their ears back. Yeah, I'm glad you said it, Gary. Yeah, it needed to be said.
Yeah, it's real. That's a really interesting way of looking at it, Gary, but you're right. Yeah.
So I thought it was serendipitous, or ironic, that our guest today, Dre... we're going to be talking about the CentreStack vulnerability that folks like John Hammond and the team there at Huntress initially uncovered. This is an MSP-centric tool, used not solely by MSPs, but I thought it was interesting that here we have a very critical, high-severity CVE come out, and that same week we're like, are we even going to have the ability to do anything with CVE?
Or is it dead in the water? So I thought the two coming together this week could offer an important CyberCall for us to talk about these things. And Bob, you always have really awesome ways of articulating things, so I think it's going to be interesting for us to talk about: what happens if it wasn't funded, or if one day it isn't funded? What do we do? Is the commercial sector going to step up?
These are the things I want to talk about in the latter half of the call. But Dre, you've been patient, and it's good to have you for a first time. It's always awesome to have new people on the CyberCall. So tell us a little about yourself, welcome, and what you do at Huntress. Yeah, so I'm one of Huntress's talkers. I just talk nonstop.
So they always send me to talk. Listen, I'm Dre. I'm based in the UK and Ireland, if you could tell. I'm one of the senior SOC managers, and we get to do an awesome job at Huntress as one of the MDRs. We kind of get to bridge the threat research, the proactive and the reactive sort of detections, and then get that over into actionable insights, whether that's for folks who pay for Huntress or folks that don't.
We just want to give as much away as we can for MSPs, for just anyone in the community. I take a personal passion in that, by the way, because I believe cybersecurity shouldn't be pay to play. You shouldn't have to have a huge budget to be able to be cyber secure. I've got a background in IT, networking, pen testing, incident response, but it's at Huntress that I've really found my place, doing the thing that I love, security, but keeping the community safe.
And we were just talking, Andrew: if I'm not working with computers, you're going to catch me just hanging out with my dog in the forest, a million miles away from any technology. That's awesome. Thanks, Dre. Thanks for coming and joining us. Gary, I'm going to hand it to you and we'll get on into this one. So thanks, and good to see you back there. Yeah, good to be back.
So, Andrew or Dre, can we just talk a little about CentreStack for people who are not familiar with it, and what the scope of it is, like how large it is? Yeah. The actual company, if you can give an update on that, and then we can jump into this. Yeah. Dre, do you mind taking it away? Yeah, man. As I understand it, they're essentially a file-syncing solution, which is huge, right? Because you need to have asynchronous filing.
But we've seen it again and again and again where file-sharing solutions seem to be the initial access and entry point for adversaries. And I also believe CentreStack has overlapped with some other tools, which we see again with file-sharing solutions. So I'm not too familiar with CentreStack as a company, what their statements are on all of this.
I think we've tried to get in contact, and I think communications are happening behind the scenes, but this won't be the only file-sharing solution. They're not unique in this, by the way. It's not like a huge corporate lapse in security, arguably. And to that point, Dre, I just want to ask your opinion on this. So we have MOVEit, right? We know threat actors are looking at these.
Can you give us, from your insights as a security analyst, what is it about these that's so intriguing? Why are they focused on these? Is it because, hey, it's obvious, Andrew, it's data, it's files? Or is there something more to it? Yeah, man. So I think on the surface of it, it seems like adversaries would want to go after file-sharing solutions because they are where the files are shared.
And I think an aspect of that is true, but I think what's worth making more salient is that there are IT tools that aren't there for security purposes. They're there for business purposes. Often these file-sharing solutions want to have a frictionless experience for a user who's just trying to get a file up and get it to somebody else, especially when you're running huge, huge organizations. Often these present juicy initial access vectors.
So from my perspective, and what we see at Huntress, threat actors aren't necessarily going after MOVEit, Cleo (I was about to say ClickHouse; that's a completely different company), CentreStack, because they could get data. It's really just a way to get in. And arguably, and we'll talk about this, that's what we see with their post-access tradecraft. They aren't trying to just get as much as they can from these file-sharing solutions.
That's just the stepping stone. Interesting. Thanks for that explanation. All right, Mr. Pica, over to you. Well, first off, Andrew, good job working in "serendipitous." Oh, thank you. Thank you. It was my word of the day, so I'm trying. Yeah, pretty good. It was pretty close, pretty good use, so I'm going to give it to you. So Dre, let's start with the beginning, April 11th, and exactly how this was uncovered.
Yeah, so I think it's an exciting story. We have a couple of detections for sort of 0-days. Now, I want to be clear, this isn't us being overly clever. We have these floating out there and we look for these to be correlated, because we want to put these detectors in conversation with each other and see what comes up. And we have dedicated people in our SOC who just keep an eye out for when any of these flag. Now, 97% of the time it's a false positive.
There's nothing interesting. What was super interesting on April 11th is we not only had these detectors fire, but at the same time we had a malicious true-positive report for what we didn't know at the time was post-access tradecraft. And so one of our senior threat hunters took a look and said, well, there's a story being told here; we just need to put it in order.
So we took a look through, and that's when you raise the siren at Huntress and the Avengers come running. So we got the John Hammonds, we had all our reverse engineers, and we kind of got into a room. What we realized is we were seeing a story about this intrusion. The minute we realized that, it's as if the entire internet did as well, because we started seeing this pop up everywhere. So the story really became us validating that we were seeing post-access from CentreStack.
Then it became, okay, well, can we recreate this? The recreation isn't so we can get a POC and throw it around to everybody; it's actually to conjure detections, to conjure mitigations and to help with hardening. And that's what John... if you've read the blog, he's done a wonderful job. John Hammond is not just talented, he's also handsome. He did a great job at explaining to folks: here's how Huntress uncovered this, here's what you should do next.
From there, we then went and told as many people as we could. And it wasn't just the folks in our community; we tried to push this blog as far as we can with detections and mitigations. But a big part of this was working out how malicious is this? How worried should we be? We don't want to be the folks who cried wolf. But it was an exciting time, and John stayed up until ungodly hours really running this down. It was actually really inspiring to be part of. Yeah, it's interesting.
It's good to hear when you say that. It sounds like there were pretty quickly so many tripwires; that means people are starting to get aligned, right, with best practices in terms of detection. So that's really good news. So what makes this CVE so attractive from the bad guy's standpoint, compared to other vulnerabilities? Like some of the things that are low effort with it.
So what's cool about this, and it mirrors what we were just talking about with the other file-sharing solutions: these are publicly accessible holes. You don't need to come up with very clever external perimeter traversals to be able to use these. These are designed for users on the public internet to use. Great, threat actors love that, because they can just mass-scan all day, all night looking for these things. And that's what they do, by the way.
They poke and prod all the doors, and they're just trying to figure out what gets them in. And that's ideal for scanning and then mass exploitation. What's a pain in the butt about this one is it's giving remote code execution with just trivial payload delivery. There are hardly any barriers to entry, and that's because of the hard-coded secret. It's one of those ones where threat actors don't have to put much effort in.
And once a POC is given, all they have to do is point and click. Compare that to what we would call high-effort CVEs or high-effort attacks. Those are more complicated; they involve various stages. I would arguably point to some of the Exchange vulnerabilities and exploits a few years ago. Those started complex. By the time folks were done compiling POCs, those also became point and click. So I think CVEs, sort of arguably, well, attacks start high effort and become low effort.
This one, however, is pretty low effort. So does that mean, like, when they start low effort, that saves time, right? Those vulnerabilities can get utilized, like there's quicker time to value for bad actors? Absolutely. And as well, it arguably democratizes attacks.
So if there are complex CVEs or complex attacks, those are more for your advanced offensive security operators or just nation-state actors. When a CVE and when an attack is easier to deploy, now you have any kid sitting in his parents' house able to also point and click and gain access. When things are lower effort, that usually also means the community has more awareness.
Something being low effort doesn't always translate into the community should get worried about it. But we can talk about that when we talk about CVE scoring, because I have opinions on that as well. Gotcha. So you mentioned they have hard-coded cryptography keys. So why is this situation with hard-coded secrets such a big problem in 2025? That's a great question.
I mean, the one answer to that is it's probably just not very good security practices during the development process. And I want to be clear, software developers aren't, and probably shouldn't be, the sole arbiters of security. There should be a good software lifecycle with security as part of it, and that should be somebody's dedicated job. But what you've seen here is developers usually just hard-code things for convenience.
It's just easy, also for testing, and they could forget to change these things before they push to production. And reiterating it again: we're all security-minded folks. A lot of things aren't designed for security; they're designed for functionality. They're not thinking about security hygiene. They're thinking about how do we make a thing work?
And that's what we've observed here: someone was more focused on how an application should work as opposed to thinking about how security-minded that application should be. Yeah. Think how hard it is to change that culture, you know what I mean? The same way as MSPs, we're working to change our cultures, because you're not thinking about security every time you're trying to help a customer in a specific area, right? That may not be the first thing on your mind.
Same thing when you're coding, right? And having a culture change is hard and it's expensive, right? There are a lot of things you have to do today in developing code, and there's a lot of old code. Most code, almost all code if you look at it as a percentage, is old code, right? So that's an issue. So you observed attacks on around 120 endpoints across seven organizations. How quickly do you see these adversaries pivot once they become known?
Can you talk about some of the tradecraft that they employ? Yeah. So this is the simultaneously exciting but also disappointing part about threat actors. I find it quite hilarious when threat actors get access to really juicy exploits and POCs, sometimes even 0-days: they kind of do the same boring things. And I'll get into why I think they do this in a moment.
But what we saw for this is what we kind of see for everything we observe. Yes, they tried to do some very basic lateral movement, but really they're just trying to consolidate their access. They're not yet trying to achieve an objective, whether that objective is ransomware or some kind of industrial espionage and exfiltration. To consolidate their access, they're getting in remote access tools and they're making configuration changes.
The reason I think they're doing this is they're doing it at scale. These are just scripts; these are all automated. But the other thing is I think you have a bunch of, to be blunt, novices who are the operators behind these, who don't know what to do. They're like a dog chasing a bone. We usually see threat actors waste their own time by installing coin miners, sometimes literally called CoinMiner.exe.
And it's quite hilarious seeing these really complex intrusions that end with coin miners. But what's really cool about this as well is threat actors sometimes will use external tools that they'll bring onto a machine, like Cobalt Strike. But what they usually do is use tools that are built in, or use legitimate tools for obviously illegitimate intentions.
So PowerShell is on every server; it's easier to just do something in PowerShell than it is to bring in Cobalt Strike. But also Mesh Agent. Mesh Agent is a legitimate remote access tool. I imagine there are some sysadmins who wouldn't blink twice seeing that tool present in their network if they weren't too sure which remote access tools are legitimate or not. Interesting. That's good. Phyllis, I'm going to hand it over to you.
Phyllis, before that, can you just give us your thoughts and put this in chat? And that is the whole Secure by Design initiative, which got started under the Biden administration. Just from what you're seeing so far, does this go anywhere, and have you seen any teeth in it yet? I mean, kudos to you guys, on the flip side, for putting out your white paper on reasonable cybersecurity, which was phenomenal.
But when it comes to Secure by Design, can you just give us, ad lib, what you think, Phyllis, and where we're going here? Yeah, sure. So just FYI, saw that by Ann. As you all know, I can't chat; I can't put anything in the chat. By the way, talk about building code: in Restream, that's a feature, right? That you can't write anything in the chat. So, yeah, sure.
So, for those of you who don't know Secure by Design, I'll just take a step back. For the past few years, the executive office has been trying to put the onus on software developers, right? You see that in national cybersecurity policy. You saw it in some EOs under Biden. SBOM is one of those; it's kind of a result of some of that.
Most recently, last year, CISA put out a Secure by Design document which several nations signed off on, as well as some vendors. And it was like, here are best practices when you go and create software. And so the question is, will that turn into national policy? What is that? Right now it is just a self-attestation. Now, many nations worldwide, the EU, another nation and the UK, are interested in Secure by Design.
And everyone's kind of creating their version of Secure by Design based off of CISA's document, because many of those same nations signed off on that document. Now, the question for us at CIS is, how measurable is this? Organizations are self-attesting, but what does that really mean? At the end of the day, it's not like auditors may go there, and so on and so forth. So, conveniently, Andrew, this year we're going to create a paper on how to measure Secure by Design. Hmm, mm-hmm.
It's unclear that we can have national policy at this point because of all the churn that's going on right now. It doesn't seem like cybersecurity is a priority. And so what we want to do at CIS is help organizations understand what it means to measure against Secure by Design, versus we just sign up and say, yeah, we did it.
But maybe as a consumer, maybe even as a vendor who's trying to implement best practices around Secure by Design, what is it that I can be doing in a proactive way? And perhaps, like I said, consumers, what is it that you can be asking for, or rest assured that organizations are implementing?
So we took a look at all the different Secure by Design documents, BSIMM, which you've mentioned before, and NIST SSDF, and we've settled on NIST SSDF to look at. FYI, years ago Microsoft had the Security Development Lifecycle, written and started at Microsoft by Steve Lipner. He's now over at SAFECode, and he's helping us with this. So, a little bit of a long-winded answer.
I think, to directly answer your question, it's unclear that there's going to be teeth in Secure by Design. However, everyone realizes it's important. Yeah. Right? And so what we want to do at... Well, not everyone. Well, right, you're right, you're right. Lots of us. And so at CIS we want to kind of move that along.
Absent any kind of national policy, it's kind of like the old days before CMMC, 800-171: this is what you should do, right? Pinky swear we're doing it. Mm-hmm. We could do a whole show on software development chains and how that works and how that would even look, right? I mean, it's more complex than I think the people who write the regulations know, sometimes. But yeah, the biggest thing of anything, Gary nailed it.
How are you going to go back and refactor millions of lines of code that are being reused over and over and over again? Who's going to foot the bill for that? Yeah, I mean, can I be honest? That development cycle, having built a SaaS software product and been involved with several others, I built my IT process twice, okay, in a pretty short amount of time.
And it's one of the reasons why I have a Kaseya logo under TruMethods, because it's onerous, Bob, to do it and stay competitive. And you have newer competitors come in, and you've got to be focused on features and other things. There's just never a time you go back. Hundred percent. Yeah. Yep. I think we've got to get realistic. I think that really would be a great call: what's realistic about that entire effort? Mm-hmm. What's really realistic about it?
And let's quit blowing smoke in everybody's eyes about how we can just put a magic rule up on the wall in a frame and say, okay, everybody run off and do that. That's just not realistic. So we've got to come up with something else. I want to get us back on track.
But I will say this: I know that there's already a tax, there's already a software tax, because there's a decent percentage of budgets now at every software company at scale devoted to security that used to be devoted to scalability, new features, innovation. And you can only pass on so much, so it really comes out of those other categories, because you don't have a choice.
There has to be a decent percentage of your budget now that's going there, besides what you always had for fixing bugs. And that pie gets cut down more and more, and that's what slows down innovation. Good stuff. All right. We got off track a little bit. Let's get back on track, Phyllis. So Dre, when you look at the timeline of this exploitation, you can see it almost happens immediately after CISA added the CVE to its KEV database.
So how fast is fast in vulnerability weaponization, and, considering what happened to CVEs, what are your thoughts on everything? What are your thoughts on everything, Phyllis? What an unfair question. All of it. Tell me everything. Well, all of it. And in one sentence, no. What's interesting is exploitation begins nearly instantly.
Just because something is put on a website and says, hey, we know about it now, threat actors may have had a jump on you for hours, days, weeks. There is also the importance of, yeah, sure, you wanna patch and mitigate once something's known exploited in the wild. What we see at Huntress, and maybe this is just the benefit we've got of our install base: you've kind of got to split the IT world into two.
You've got the sort of Fortune 1000, so very wealthy companies, and then you've got kind of everyone else, right? Mm-hmm. And interestingly, with everyone else, we see threat actors there a good couple of hours, days, weeks, depending on what particular bit of malware or exploit, before the Fortune 1000 sees it. Now I have a hypothesis. That's where threat actors go to test, right?
They're gonna go to test in the smaller spaces, the smaller businesses, the medium businesses, before they go over to the bigger, juicier targets. So I think there's also that disparity: fast is fast, but it really depends. If you are a more juicy target, threat actors are gonna be super quick, gonna get in and cause more damage. If you're a tougher target, they're gonna prod, they'll probably move on, right?
Doesn't mean, by the way, that having a hardened external perimeter can completely stop attacks. But that's the point of it. The other thing we're thinking about is hasty exploitation. Great. You don't patch, things still get exploited years later. We're still seeing, like, Exchange from 2021. We still sometimes, at Huntress, folks join Huntress and we'll be like, hey, so this is still actively being attacked. Sometimes the patching isn't just gonna be enough.
Yes, you wanna be quick to patch, but assume compromise. I can't tell you the number of times where folks patch, and we see that there is underlying persistence that was not swept for. Huntress says, hey, so we're seeing this activity, it probably stemmed from this. And they go, I patched that back in 2018. I patched that night. And we go, oh, we're really sorry, you didn't sweep for persistence.
I mean, even with CentreStack, threat actors were making web configuration changes. So you may undo all of the Mesh and all the PowerShell, everything they did. If you don't check your web config, the front door is still open. So there's the weaponization of something, but there's also that reciprocating: how are we responding as defenders and what are we doing? And I would say patching and then assuming compromise are two things that need to go hand in hand. Yeah.
And what you just said also backs the data that the Verizon DBIR last year said: hey, you small-mediums, you're getting exploited with the same attacks as large enterprises. So we're not gonna separate you out as a different population getting attacked by hackers. And so just another data point for everyone, which is why here on this call it's important to really pay attention to all the attacks that are going on.
So I believe the blog mentioned PowerShell payloads and MeshCentral being dropped post-exploitation. So why do you think attackers are favoring these kinds of tactics? Yes. No, it's an interesting one. So I think I said before, they just do the same things over and over. I think part of this is automation. They just have these scripts ready to do it. And really, for this story, there are three tools that threat actors use.
The first is Cobalt Strike. But that's quite boring and uninteresting, 'cause that is an offensive security bit of tooling that allows command and control and other functionality. But that gets flagged pretty quick. It's a pretty known bit of offensive security software. And you understand why threat actors wanna use that. The real interesting story is, okay, why are they sticking to PowerShell and why Mesh Agent of all the things to use? We'll start with PowerShell.
Well, it's built in. Mm-hmm. It's there waiting for you. I've read some blogs sometimes that talk about Windows hardening and it says, just uninstall PowerShell. Right? Don't do that. That sounds terrible. You'll never get any system administration done. Right? And that's the side of this, right?
I wouldn't call PowerShell a LOLBin, a living-off-the-land binary, itself, but it's built-in Windows functionality that IT folks use to get system administration done, and threat actors use for their own gain. So it's built in, it's there. The other thing though, with Mesh Agent, now we are seeing Mesh Agent used more and more and more. What I find fascinating about Mesh Agent is its simplicity.
There are other remote access tools that require a little bit more of a careful choreography between the client side, the target, and the server side. Mesh Agent: super flexible, super dispensable. You can rename it, you can do all these things and it doesn't break. I think threat actors are using this 'cause they just want a low barrier to entry when it comes to remote access tooling. Why? Because it's persistent, right?
If you don't have the best inventory hygiene as a defender, you don't know how many remote access tools are actually used in your environment. And maybe you use multiple, heck, maybe you even use Mesh Agent as one of your legitimate tools. Threat actors are also using it. And so that's a persistence. Remote persistence for them is gold dust. You can patch, you can mitigate, but if you didn't catch that, they've still got access to your network. And that's terrifying.
That is. So for the non-techies on the call, can you explain why ViewState deserialization is such a dangerous attack vector in ASP.NET applications? Yes. Oh, explaining deserialization is always fun. So we'll do it the best way that I can, and someone in chat can tell me where I've missed something and I've been egregious. So it's worth talking about serialization first. What's... We have different ideas of fun. First off, fun.
I'm boring though, Gary, so I know my idea of fun isn't everybody's. So serialization is just packaging stuff up, right? You just wanna package stuff up, makes it easier to send. That's literally it. It's just you package stuff up, it gets sent easier, and then it can be deserialized when it's received. So you've taken something complex, packaged it up, 'cause you know it's gonna be uncomplicated later.
So ViewState very specifically, to not overcomplicate it, it just helps you maintain knowledge between web pages, between requests. Fantastic. If it's not particularly secure, a threat actor can inject malicious code and package it up. And then when it's deserialized, that malicious code is executed. Essentially threat actors are able to smuggle their malicious code into very legitimate web requests. That's terrible. That's bad.
And what we saw was threat actors were able to use, and again, it's not unique to CentreStack, ViewState deserialization is across the ASP.NET sort of infrastructure. So I'm sure this hasn't been the only time it's used. And there is threat tooling that is designed for this exact kind of serialization-to-deserialization attack.
ysoserial is one of those kinds of tools. At risk of getting too technical under the premise of non-technical folks, essentially threat actors can smuggle stuff in. But serialization is ridiculously interesting and complex. I think John spent a good three hours just trying to make the serialized attack work when he was doing his POC. So it's an interesting attack, but it arguably allows a threat actor to do the same thing that they all wanna do: gain access.
So their goal isn't to serialize or deserialize for fun. They just want to get in, right? I mean, I would say serialization and deserialization has been around a while and is something that folks have been able to exploit for a while. But that was a very good explanation. Thank you. Thank you. I was on the spot. No, you talked about PowerShell and MeshCentral and even the serialization and deserialization.
These are all things that exist because we need them to exist, right? And so it can very easily look, quote unquote, normal. So what are the warning signs or what indicators can MSPs be looking for to detect if something malicious is going on? So what is the quickest smoke test that you would recommend? Yes. So you wanna have a look for any ViewState payloads or anything going on in the portal.
So one of the problems of this, it'll rely on you having... it's like a vicious cycle. You need to have some defensive monitoring to know that this is going on, to check. If you don't wanna do all of that, Huntress will have a script that will tell you if you are. It's free, just use it. It could tell you where you're vulnerable and things like that. If you are saying, okay, well, I wanna know about this now, go and have a look for outbound connections that are unusual.
Mm-hmm. Anything to do with Mesh Agent. Preferably you can go and have a look for that. If you know that you don't use that in your environment, that's not good. You also wanna go and review any PowerShell scripts and scheduled tasks. So PowerShell scripts in your scheduled tasks, you probably don't do that as a legitimate system administrator. You don't just have random PowerShell scripts.
Actually, I was a sysadmin, so I definitely did have random PowerShell scripts in my scheduled tasks. But the unfortunate thing is, to really be ahead of these kinds of attacks, you actually need to have a little bit more proactive defensive security. So locking things behind firewalls and VPNs where possible. So you preferably don't wanna have file sharing solutions that are publicly accessible. But again, it's that convenience versus security. It's also good inventory management.
So knowing the remote access tools that you use, and being able to have systems that alert you to say, hey, you only use ConnectWise ScreenConnect, there's one agent in all of your networks that has MeshCentral that's anonymous. And you want good application allow listing. So again, if threat actors are bringing tools on, you wanna make sure you're locking down where they can do these things. But that is all easier said than done. Right. And again, these things all come with costs.
They're not always free, but yeah. And you can't go wrong with having a good security solution. I'm not here to tell you which one to go for, go for the one that works for yourself, but essentially paying somebody else to think about these things can sometimes just be the easier way to solve that problem. Right, right. Okay. Over to you, Bob. Thanks Dre. Yeah, thank you.
You know, it's always interesting when everything we're talking about is deserialization, and then you're right, Dre, though, I mean, I think all that's happening here is that it's getting put into the evil-as-a-service kind of SaaS platforms that these people are using. They're just reusing 'em over and over again, right? So I think you're exactly right on that front.
And I'm gonna be talking about CVEs here, since this is pretty close to everyone's heart and soul, especially those of us that are practicing MSPs, where a lot of our MSPs are using vulnerability management as one of the services that we do, right? I mean, it really does pretty much hinge on having some sort of standard to manage by.
So I'm curious. The one thing I've noticed over the last year and a half is how complex configurations have gotten for different elements of our ecosystem, right? So cloud services have a highly complex configuration element to 'em. And then on top of that, right?
'Cause I just got finished doing this, this is the reason this is very close to my heart, but AI, AI in general, the complexities of configuration of that particular aspect of information systems now take on an even bigger sort of an aspect. Because if you get that wrong, now they don't have to go file by file to try to find the stuff that's important. They can just ask your LLM that's parked on your network.
If you're misconfigured, they can say, hey, just gimme all the stuff I wanna know and here's a list of it. Send it back to me and include a Starbucks coupon so that I can actually get some coffee later, and do all that and walk away from it, right? And go. So as it relates to that, how do you see that really evolving with the future of CVEs, right?
I mean, because this is gonna get more complex, especially having spent a lot more time recently dealing with these AI factors. What do you see happening on the CVE front when it comes to these misconfigurations and those being part of what CVEs indicate, and then how that's gonna have to evolve over the next few years? No, that's a fascinating one. 'Cause there's two sort of stories there.
There's the high-tech part of this, which yes, is AI and it's cloud, but there's also the simpler but still complex part of this story: CVEs need to capture context beyond just the score, the CVSS score. Okay? They need to do that. There's all kinds of factors to take into account. 'Cause arguably, something that has a score of a million, but it's only for a privilege escalation. Don't worry about it. Like, no, don't worry about it. But that's fine.
You need to think about exploitability in the wild. You need to think about, how does this map out to threat actors' path? So is this part of initial access? If so, hey, you actually really want to pay attention to that, and CVEs need to be able to call that out. So there's that simpler story of, can we just think of these things in choreography?
But then there's, yes, the complicated part of, I don't think right now that as a vocabulary CVEs, and much to do with defense really, can accommodate AI and cloud. I think we struggle. I would agree with you. I mean, just because, and digging in with this, the number, because in some cases there are no elements or no aspects of some of these LLMs, and/or what's running 'em, the operating system that's helping support 'em and everything.
There's just no facility for knowing what people are doing once they're inside of that particular engine. Right? And if you can't really see that, you can log requests and prompts, but if someone's doing something naughty with that AI engine, there's a lot that can be hidden, which I think is part of the problem that you're kind of illuminating right there, right?
So I think it's gonna take a lot more work, personally, my opinion, on the CVE process too, which may be unpopular, but I think us as an industry are gonna have to take control of that. We're gonna have to build something that spans political wills, clearly. We see that now. And I think, my opinion, we need to be thinking in terms of how can we make this an industry effort and not just depend on who we have been depending on for that.
But that's, again, personal opinion. So there's all the turbulence, right? With CISA and trying to figure out how the CVE program, the funding's gonna work. What are some of your concerns as it relates to just the stability of CVEs as a global standard, which we have right now, but it would not take much to... we have seen that you could pull the plugs outta the wall and tear stuff up in a really short amount of time.
So how does that impact your opinion on what the future of CVEs is as a standard? Yeah, no, so I mean, we all saw the funding letter, or lack thereof funding. We all probably had thoughts about the internal politics of it all. I, sitting a little bit over the pond, considered the geopolitics of this, all that.
There is an over-centralization, there is a dependency on essentially not just the United States, but like one federal contract and one maintainer, MITRE. So there's the geopolitics and then there's the sort of internal politics. I couldn't possibly comment on the internal politics, but the geopolitical side... I can't either, by the way, Dre, so it's okay. Yes, we're in the same boat.
But on this side of it, I think the EU, the UK, they definitely thought, oh, shoot, okay, well, we're relying, we're centralizing, how can we decentralize? How can we share these things out? I can't comment on if that should be done or not. But having a more stable ecosystem for these things, having the industry, exactly as we said, take control, own more of it, having good funding, good governance, it just builds that trust in.
Because overnight you had folks sort of saying, you know, the sky is falling, and maybe it could have. I don't know if the letter was a clever move to definitely secure more funding or not, I don't know. But it was definitely an eye-opener for some folks of what a world where you can't, or it's more difficult to, allocate CVEs looks like. I think we've all gotten quite used to it. And I think there are a lot of things that we're gonna struggle with if we continue to over-centralize.
And I think decentralization is a good thing, but also having trust in a handful of maintainers and a handful of institutions is probably a good thing. But I don't know what it looks like in sort of 10, 20 years' time, what an ideal would look like. Yeah, yeah. I understand. But I'm kind of with you. I think we're gonna have to find a way that is not single-sourced, but that has its own problems, as we all kind of know, right? So we'll have to figure that out as we go.
What I do know is that being, again, a practicing MSP/MSSP, but I'm interested in your opinion from your perspective, right? So what does it look like if you have a lapse, let's just say, so the lights went out at the CVE office, even if it's short-term lights going out, what are the broader security industry issues, fallout from that? How does that get felt, right? How does it affect response?
How does it affect vulnerability management, that sort of thing, in your opinion? Yeah, so I had to think about this. 'Cause again, I read that funding letter and I thought, man, what's the biggest thing we're losing? I think we lose a vocabulary. Because I really tried to think, 'cause CVEs, if you're a techie, you think of these things that, okay, the CVE is the label, but there's things underneath it that are involved with scripts and POCs and all those things.
But there are other people in our industry. So you've got folks in GRC, you have the C-suite, and the language that we've trained everybody to use, CVEs, is exploitation. If you take that away, we've suddenly now lost the standard vocabulary to explain to somebody, hey, I need more budget. Why? Well, man, we had these exploits of this. We've trained folks to be able to rely on CVEs and MITRE, and that's a good thing that we've got that training.
But if you lose that, well, now you've lost that ability to speak that language. You've also lost the ability to explain and convey the urgency of something. When there's a CVE, you can kind of just click, send it over to someone and say, hey man, we have to do something about this. When there isn't, potentially there wouldn't have been that. How do you explain to somebody how urgent this is? Right. They're gonna Google something.
They're gonna come up with something very different than what you've explained. So yeah, I think the loss of vocabulary is the single thing that I thought to myself, this is irreplaceable. 'Cause we can find other ways to coordinate with vendors and help highlight something that's worth patching and all those things. But the one thing that we lose is that vocabulary that we've helped train a whole industry on, of urgency. Yeah. Go ahead, Andrew.
But Phyllis, I have a question to you on this. If you were looking at it through the lens of the MS-ISAC, one, I'd love your opinion on this question, but does this impact threat sharing also, right? Oh, we're seeing these IOCs for said CVE. Like this is a ripple effect. It's not just the vulnerability and its severity, is it? There's more to it, right?
I mean, I think what Dre's talking about, that common vocabulary, really affects everything and everybody. It's also this idea that there's a trusted source, right? When someone says, this is a CVE and it's severe, and whatever, it's being exploited, we all believe it because it's been validated by, in this case, MITRE, right? And so it allows everyone to threat share, like the MS-ISAC, based on CVEs.
Additionally, the tail of that is the NVD. When it makes it into the NVD, which says, this is how you remediate, these are where the patches are, these are the versions of software that are affected. So it's also that most important step of how can I defend against it? So the loss of a CVE really just affects the whole entire ecosystem, right? The tools that everyone is relying on, all those tools, they all use CVEs to say, okay, here's this vulnerability.
This is where you're vulnerable. Then they use the NVD: this is how you patch. This is what every software vendor, those that are exploited and are subject to CVEs, every tool vendor that is relying on CVEs, and all those ISACs, not just MS-ISAC, all the different ISACs that rely on CVEs to do that information sharing, that threat advisory, threat intel information sharing across their membership.
It all relies on CVEs. And so it has great impact worldwide. And that's why there was such a rumbling, and that's why the 180 was done so quickly. Do it also... are you saying that if you knew even one thing about cybersecurity, you wouldn't have any defunding? Is that a rhetorical question? Gary Pica and his rhetorical question. But Phyllis, wouldn't it also have a ripple effect, in essence, also on like CIS and the framework, and your framework?
I mean, like, hey, if we're talking about patching as an example, and mitigating controls and things like that, you would have an immediate appendix need right away. Like, how are you going to deal with this when you don't have the tooling and everything we've advised? Right. Right. So we talk about patching, we talk about using EDR, we talk about having a vulnerability management program, all those things.
And while not explicitly written, and maybe even not explicitly thought about when creating the framework, what we all just kind of assumed, I think, was like, oh, we all know CVEs are a part of this lifecycle. Right? Excuse me. So if there is no kind of national standard or worldwide standard in which you can describe a vulnerability and perhaps rank 'em and stack 'em, stack bracken, stack 'em, then maybe vulnerability management as a control looks way different.
Kind of like rank 'em and stack 'em. You should stick with that one. Yeah. Rank them. And somehow that one's, I think that's closer to the truth. Look, I'm with Gary. The point is that it shouldn't be touched, right? If you don't understand what you're messing with, don't touch it. Especially when we have automation tools and we've got training. How many thousands of man-hours have been put into this process, right?
How many thousands of businesses have built their damn early warning systems around the fact that you have to have this common vocabulary and standard to work with? And the thought that someone would just pull the plug out on that without understanding it, just... again, you should never do that. Let's just leave it at that. That's not something that I would do. I would suggest other people not do it either.
So, and we've really kind of talked about this a little bit, Dre, but the last thing I had was having the ability to have some diversity in the source, right? Because if anything, what's been highlighted here is that that's a vulnerability, right? We've now got a CVE for the CVE system: we got a single source, right? And we've been shown that it can be threatened.
So what do you think a good, healthy redundancy looks like if we're gonna go after that? No, I'm with you. I mean, the first thing to recognize is exactly, we talked about CVE is kind of the backbone of a lot of other things, whether consciously or unconsciously. There's cascading impact if you just take that out of the equation, which yes, nearly happened, but it didn't. Fantastic.
There were some folks on, it's always on LinkedIn and Twitter, who said, no, this is great. This is a good thing. 'Cause it means we can start to have more redundancy for vulnerability feeds and threat intel and community. And I think those things are wonderful, but I think a lot of those commentators are forgetting that the CVE vocabulary, MITRE ATT&CK, all these things allow folks to kind of not have to overthink; someone's already done the thinking.
If you're a sysadmin, you have a billion other things to think about. You don't wanna have to now put your threat intel hat on, stroll through and figure out, what is this threat intel feed trying to tell me? 'Cause I don't have a CVE anymore. I don't know. And I think a lot of commentators who say we can democratize this are forgetting that we're security practitioners, we're security-minded folks.
There are plenty of IT folks who rely on security frameworks to do this for them, with them. To imagine that these folks overnight can employ threat intel people, like, man, even pay for threat intel feeds. Let's not forget this. There are plenty of successful businesses who will sell you updates: hey, this is getting exploited. We don't sell that, but I'm sure it'd be useful.
There's, yes, there's transparency in community participation, but at the end of the day, somebody has to curate this. Yeah. And there has to be a very careful cultivation and choreography. Otherwise, what you end up with is folks just saying, hey, I think... I'm glad that we'll think it, but what should I do? I'm a practitioner. I'm a sysadmin. Do I need to patch now, tomorrow? How long can I leave this? I think having CVE gives us that common vocabulary; take it away...
I mean, maybe there's a future where we have an ISO-standard-like way of talking about things and vulnerabilities. That sounds great. It'd be terrible to try and coordinate all the countries, but that would be ideal, right? That everyone could participate in. It's very set and standardized. But for now, I think, yes, we're too reliant on CVE, but I don't think there's any second-place alternative ready to step in. Andrew, we're getting a couple more minutes.
I have to jump off the call, but before I go, I just wanna say, Dre, really good. You're a really good guest. Awesome job. Yeah. Oh, thank you so much. Yeah, I'd like to have you back again. I agree. Gar, it was so good to see you back, and I'll see you next week. I'll see you in Vegas. Yeah, I'll see you in Vegas. Look forward to it. And we'll be reporting there. See you here. Dre, I'll just close by this. You are phenomenal.
And Phyllis, it makes me kind of chuckle about these comments of democratization and things. The reason I say that is, in 2016 when I met Aharon Chernin and the folks from Perch, one of their whole thesis was helping banks and healthcare with threat intel, because the big had all of that capability, but down market, how would a small bank deal with this? Right? That was their whole thesis of Perch originally.
Exactly. Right. And this whole, I'm so glad you brought it up, Dre, because so much is theory, right? Oh, well, these smaller companies will have choice and this and that, but the way you brought it home, they don't even have the bandwidth to do it today. Yeah. Like, right, Bob, let alone... Yeah, absolutely. Exactly. Now we're gonna do away with these standards.
So I don't have the answer, but I'm really glad you articulated it that way. 'Cause it's big. It's a big deal. It would be a big mess. So anyway, Jay, but as Gary said, Dre, you are phenomenal. It was so good. I'd love to have you back on. You are a great guest and really appreciate it. So I'm super grateful. It's been a wonderful panel. You guys have been very kind as well. So I appreciate that. Not always. See everybody.
Thanks Bob, as always. Yep. See you later. See you, Jay. Take care.