CyberWire Daily - Agent Tesla still hits unpatched systems. Hot wallet hacks. AI and DevSecOps. Notes on Fancy Bear and NoName057(16). And some curious trends in the cyber labor market.
Episode Date: September 6, 2023
There's a new Agent Tesla variant. Lost credentials and crypto wallet hacks. Tension between DevSecOps and AI. Fancy Bear makes an attempt on Ukrainian energy infrastructure. A look at NoName057(16). Tim Starks from the Washington Post's Cybersecurity 202. Simone Petrella and Helen Patton discuss People as a security first principle. And cybersecurity jobs seem to be getting tougher (say the people who are doing them). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/170
Selected reading.
New Agent Tesla Variant Being Spread by Crafted Excel Document (Fortinet Blog)
World's Largest Cryptocurrency Casino Stake Hacked for $41 Million (Hackread)
Crypto casino Stake.com loses $41 million to hot wallet hackers (BleepingComputer)
Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach (KrebsOnSecurity)
Global DevSecOps Report on AI Shows Cybersecurity and Privacy Concerns Create an Adoption Dilemma (GitLab)
APT28 cyberattack: msedge as a bootloader, TOR and mockbin.org/website.hook services as a control center (CERT-UA#7469) (CERT-UA)
Ukraine's CERT Thwarts APT28's Cyberattack on Critical Energy Infrastructure (The Hacker News)
Ukraine says an energy facility disrupted a Fancy Bear intrusion (Record)
What's in a NoName? Researchers see a lone-wolf DDoS group (Record)
New Research from TechTarget's Enterprise Strategy Group and the ISSA Reveals Continuous Struggles within Cybersecurity Professional Workforce - ISSA International (ISSA International)
Life and Times 2023 Download Landing Page (ISSA International)
E-book: The Life and Times of Cybersecurity Professionals Volume VI (ESG Global)
Layoffs list extended by Malwarebytes, Fortinet, Veriff, SecureWorks (Cybernews)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
There's a new Agent Tesla variant, lost credentials and crypto wallet hacks, tension between DevSecOps and AI, Fancy Bear makes an attempt on Ukrainian energy infrastructure, a look at NoName057(16), Tim Starks from the Washington Post's Cybersecurity 202, Simone Petrella and Helen Patton discuss people as a security first principle, and cybersecurity jobs seem to be getting tougher.
I'm Dave Bittner with your CyberWire Intel briefing for Wednesday, September 6th, 2023.
Fortinet describes a new variant of the Agent Tesla remote access Trojan that's being distributed via malicious Excel documents.
The attackers exploit a pair of long-patched CVE vulnerabilities in Excel to execute the malware.
It's another case in which failure to patch leaves the door wide open to attackers.
As Fortinet notes, despite fixes being released by Microsoft in November 2017 and January 2018, and mitigating 3,000 attacks per day at the IPS level, the number of observed vulnerable devices is around 1,300 per day.
Cryptocurrency casino Stake.com has disclosed that hackers have stolen $41 million
from its Ethereum, Binance Smart Chain, and Polygon hot wallets.
Bleeping Computer quotes the casino's statement about the incident as saying,
We are investigating and we will get the wallets up as soon as they're completely re-secured.
User funds are safe.
While Stake didn't explain how the intrusion and theft occurred,
it's not the only cryptocurrency operation to sustain a loss,
and some of the other cases may be instructive.
KrebsOnSecurity reports that another set of cryptocurrency thefts
may be tied to the November 2022 breach of LastPass.
Krebs cites Taylor Monahan, founder and CEO of MetaMask,
who's found that a total of $35 million worth of cryptocurrency
has been stolen from more than
150 individuals since December 2022. According to Monahan, the victims aren't newbies. He said,
The victim profile remains the most striking thing. They truly all are reasonably secure.
They are also deeply integrated into this ecosystem, including employees of reputable crypto orgs,
VCs, people who build DeFi protocols, deploy contracts, and full-run nodes. Monahan and
other researchers suspect that the hacks are due to attackers gradually cracking the leaked
LastPass vaults. GitLab has published a report looking at the state of AI in software development,
finding that 83% of those surveyed said that implementing AI in their software development
processes is essential to avoid falling behind. However, 79% noted they are concerned about AI
tools having access to private information or intellectual property.
Additionally, 90% of respondents said they're already using or plan to use AI for software development,
though 81% said they need more training with AI tools.
Turning to Russia's hybrid war against Ukraine, CERT-UA reported Monday that the GRU's APT28, Fancy Bear,
has attempted to compromise an unspecified energy facility with a phishing campaign that carries a malicious payload in a zip file attached to an email.
If the attachment is opened, the victim is open to remote code execution.
The phishing email is unusual, the Record points out,
in that the phish bait it dangles is gaudier than the stodgy and sober come-ons. The text of the email often reads like this.
Should the recipients incautiously do so,
they'll be taken to some apparently innocent websites
where the malware will be served up piping hot.
CERT-UA says an alert user tipped them off to the phishing
before any substantial damage was apparently done.
The Record has published a report on the Russian hacktivist auxiliary NoName057(16).
Like other such auxiliaries, they've specialized in DDoS attacks, most recently against financial institutions in Poland and Chechnya.
Compared to its peers, however, the Record finds NoName more disciplined, selecting targets and studying their vulnerabilities before initiating
the attack. The group also doesn't rely on widely traded commodity malware, preferring to rely on
its own bespoke tool, DDoSia. The group lacks a public face, analogous to Killnet's noisy yet
still mysterious figurehead KillMilk. Who funds NoName remains unclear. It obviously acts in the
Russian interest, with a preference for NATO targets, but there haven't been any obvious
signs of money flowing to the group from the Russian government, according to the Record.
And finally, there are some curious cross-currents in the cybersecurity labor market.
The first of these is a general shortage of
cybersecurity workers. TechTarget's Enterprise Strategy Group and the Information Systems
Security Association have published research looking at the cybersecurity workforce,
finding that the majority of cybersecurity workers said their jobs have grown more difficult over the
past two years. The problems, about two-thirds of
those surveyed report, are both internal and external to their organizations. Externally,
a more challenging set of threats and more onerous regulatory regimes have made the job tougher.
Internally, workers say staffing shortages, tight budgets, and workload complexity have combined and made their careers more difficult.
71% of organizations say they've been affected by a shortage of workers with cybersecurity skills,
and that, the report says, represents a dramatic increase from 57% in the last study.
The labor shortage has increased cybersecurity team workloads
and contributed to a high rate of staff burnout.
Organizations say they have the most difficulty finding people qualified to work in application security, cloud security, and security analysis and investigations.
Industry has long deplored cybersecurity labor shortages, so this study amplifies a familiar complaint.
It's interesting, however, to see the tension between these reports of a tight labor market
and a more recent trend toward layoffs by cybersecurity firms. Cybernews reports that
data from layoffs.fyi show that at least 46 cybersecurity companies have laid off 4,738 employees since the start of 2023,
and those numbers are probably low since not all companies are required to report layoffs,
and therefore many do not. Many of the layoffs followed mergers or acquisitions,
and therefore are unlikely to be composed entirely of cybersecurity specialists,
but a significant fraction do affect cybersecurity workers proper.
It's curious that these two trends seem to be simultaneous.
It suggests that there are inefficiencies and irrationalities in a labor market that has yet to fully mature. Coming up after the break, Tim Starks from the Washington
Post Cybersecurity 202, Simone Petrella and Helen Patton discuss people as a security-first
principle. Stay with us.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
There's a generally accepted principle in business that your organization is only as good as your people.
Hiring the right people, training them, keeping them up to date and investing in them are all critical to establishing and maintaining an effective and fulfilling workplace culture. Helen Patton is Chief Information Security Officer for Cisco's Security Business
Group and author of the book, Navigating the Cybersecurity Career Path. As part of a series
of segments we call Solution Spotlight, our own N2K President Simone Petrella sat down with Helen
Patton. Here's their conversation.
Helen, we've had some great conversations in the past. And one of the things that I think we
connected on immediately is our mutual belief that successful business outcomes are not possible
without good people and a strategy to have good people. What in your own career path solidified
this notion for you? Well, I think we've all had experiences where you join an organization and you join
to do a specific role. You're very excited about the job that you're excited, you know,
that you're joining for. And then you realize that you actually have to do this work in a
community of people. And sometimes you luck out
and the community of people think like you do and share your values and work the way that you want
them to. And sometimes they don't. And sometimes you're a part of a team that where your immediate
team thinks like you do. And this happens in security a lot. We have this sort of little
bubble of people and they all think the same way and everyone feels great.
But we're completely alienated from the rest of the organization who cares about different things
and prioritizes things differently. And so in my own career, I've experienced all of these
kinds of variations on this theme. And I really got to the point of saying, if you're going to be a leader
of security, you have to control that. Now, you can't control people, and I get that,
but you can have very intentional strategies around. And of course, I remember the lessons
that were the difficult lessons most easily, unfortunately. But I've also been really fortunate to network with people who've
got really great ideas. And so I am all about liberally stealing somebody else's good idea
and applying it if I can do that. You actually wrote a book on this topic,
and it was released in late 2021, just as we were all just kind of sitting at home,
really learning a brave new world. But tell us a little bit about the book
and what inspired you to write about it in the first place. Well, so I had always thought that
in my own career, I would either end up doing a PhD or I would end up writing a book. And I
hit this point where I had a fork in the road, which one am I going to do? And I couldn't work
out how to do a PhD and stay a full-time working adult. And so I decided to write the book. So that was that. And then the question
was, what do you write a book about? Well, at the time I was the CISO at The Ohio State University.
And when you are there, you're always getting asked for career advice. You get asked for career
advice from people, from the students who are trying to hack into cyber for the very first time. But I also would be asked to talk to people who were already in security, but they were
dealing with some issue. How do I deal with being a woman in security? And I found myself being
invited for coffee to talk about these things. And what I was finding was, one, I didn't have enough tolerance
for caffeine that I could meet with as many people as I wanted.
And two, the answers were mostly the same, right?
Like you certainly, everyone's an individual, I get it.
But from an advice perspective, you tend to start from the same point.
So when I was thinking about what do I want to write a book about,
I was thinking maybe if I wrote this down
and my answer's down, I could mentor at scale. One of the sections that has stood out most to me
in our conversations as well, though, is the final section. You have it divided into three parts,
and there's a lot that's geared towards the individual, but there's also a whole section
on leading and for those who are starting to lead in cybersecurity. And a lot of the elements that you discuss is what goes into
building and communicating a strong business case for a security program. It includes things like
having a security strategy and building a diverse team, how to fund that strategy,
how do you talk security to a non-security audience? I'm actually curious, before we even get into kind of what should people do, what are some of the things you see today
that security leaders make as mistakes that's standing in their way to preventing them from
kind of having these principles widely adopted in their organizations? That question is like a whole thesis all on its own.
There's lots.
I think the first thing I would say to answer that question is that security as a professional discipline tends to be everywhere in a business.
You know, we tend to sit in technology and we might originate from technology, but we find
ourselves working with legal or finance or HR or sales or development, whatever. We tend to be
everywhere. And the tendency of a cybersecurity leader who isn't as mature is to try and be all
things to all people. And it's really easy in the security
space to find a reason where you should be involved in everybody's business. And at some
point you burn out. So being able to be clear on what kind of security person are you? Are you a
more of a risk management kind of person? Are you a technologist who runs cybersecurity
technology? Are you somewhere in the middle? Do you come from a privacy background? Like understanding the kind of
security person you are. I think the second thing is then knowing where your boundaries are,
which I know is related, but there are some things you can control and there are some things you
can't. And I think being intentional about what you can do about the things you can control, great,
that goes into your strategy.
That's where you spend your time.
But being able to say, you know, this thing over here, the way this leader thinks or the
fact that I haven't got money right now or these things I can't control. So being able to then be able to let that go gracefully or being able to then have a reactive strategy to that is really important as well. So
those would be the first two places I would start. Well, and you know, the old adage goes,
you only are as successful as the people that are around you. And that includes the team you built underneath you. But if we don't have the right team, it's going to actually contribute
to that burnout. Yeah, for sure. This usually first comes up when people are thinking,
do I stay an individual contributor or do I become a people manager? And so they're learning
on the job. If they have any accountability, they realize that their failures as a manager has direct
implications to the success and happiness of the people who are on their team. And some people go,
yay, I love this responsibility and they rise to the challenge. And other people go, hell no,
I didn't sign up for this. So, you know, understanding what it takes in terms of
coaching and mentoring, there's a lot of parenting overlap, actually,
that goes into people managers, right? Often as a manager, you don't feel like you've got a lot of
time. So it's a big balance. It's a challenge. The last question I have for you is once you
apply all those principles, or if you do apply all those principles, how do you measure whether
the things that you're putting in place or those strategies are having
the impact on the business or they're successful the way that you want them to be? There is no
magic metric. I know there's meantime to detect and meantime to repair and there's all those
things. But I think whether or not you're successful is very contextual to the organization you're in. I think sometimes the measurement of
success isn't a security metric. It should be. There's got to be something in that balance
scorecard that is a security metric. But it might be something like the turnover rate of your
employees. What's your voluntary turnover rate in your team? If it's super high, you're probably getting something
wrong, right? Maybe if you're trying to do cultural change in the organization, you're going to measure
the engagement of the non-security employees at your company with your security team.
So there isn't one metric, but for me internally within my own team, I am looking for engagement.
You can spend your whole life trying to get the right metric and never find it.
Well, it just goes to prove that it's a, you know, a hard, a hard problem and one that can't be solved overnight. As you said, there's no magic wand. Well, Helen, thank you so much for joining me today. And for those who are looking
for an opportunity to read more on the topic, but Helen will still potentially get a cup of coffee
with you. The name of the book is Navigating the Cybersecurity Career Path by Helen Patton.
Helen, thank you so much. Thank you for having me.
That's Helen Patton, Chief Information Security Officer for Cisco's Security
Business Group and author of the book, Navigating the Cybersecurity Career Path.
She spoke with our own N2K President, Simone Petrella.
And it is always my pleasure to welcome back to the show Tim Starks.
He is the author of the Cybersecurity 202 at the Washington Post.
Tim, great to have you back.
Dave, Dave, Dave.
Couple of interesting stories that you have shared on the 202 in the past couple days. First of all,
a bit of a scoop here. You had the story of Mudge coming back to public service. What's going on here, Tim? Yes, the famed hacker known as Mudge, Peiter Zatko, either name seems suitable to me. He has decided to join CISA as a technical advisor.
His real job will be to be a part-time person focusing on their Secure by Design initiative.
That's the thing they've been working on to try to get software makers to put cybersecurity into the product as they're developing it.
Not just tacking it on at the end or making it a constant source of updates.
So pretty big scoop for them
in terms of the hire,
scoop for me, scoop for them.
The hire is high-profile one.
He is a person who has
significant credibility in our community
and is coming off of being an employee
who maybe people would be scared to hire
given the fallout that he had with Twitter
as the big whistleblower of their security problems there
when he was their security chief.
He left, filed a whistleblower complaint with a number of federal agencies.
And so a bold hire a little bit too,
in terms of you know he's going to be a truth teller,
he's going to be a truth teller perhaps at your expense.
So interesting development.
Yeah, I raised my eyebrows a little bit at the fact that he's part-time.
Just is there such a thing in that sort of position, right?
Other than the name only.
I can't imagine that he'll be short on hours.
Yeah, you know, CISA has done this kind of thing before.
I think they might have done it with Josh Corman,
where they've had people come in as these kind of
outside advisors, help them in these
roles, and then move on not long after.
So I don't know how long he's going to be sticking around.
He obviously had been showing
some interest in staying in industry,
working with Rapid7 after Twitter.
So it might be a sort of
thing where they had an opportunity to snag him for a bit,
and they're taking advantage of the moment.
Yeah.
You recently spent time at the Billington Cybersecurity Summit,
and you wrote about some comments from General Paul Nakasone.
Share with us that story.
Yeah, so those of us who have covered General Nakasone for a long time
are probably well aware of how cautious he can seem when he's speaking publicly.
He definitely wants to stay on track on what he's trying to say.
This one felt a little bit more reflective for him.
He's been running the Cyber Command.
He's been running NSA since 2018.
He was due to leave this year, but has been stuck in a Senate kerfuffle that is not of his making,
that is of a general dispute over the military and abortion. So he's a little bit stuck in the role waiting to leave the role. And maybe that made him feel more reflective, the fact that he
was revisiting a speech that he'd given five years ago at Billington itself. But he talked a good
deal about how different things are now compared to where
they were in 2018 and talking about not just the threat picture from 2018 to now, but also
the way the government has changed. And also talked a bit about where he thinks things are
going, the things he has been working on as he's departing and where he's looking at the future of
those two agencies. Some interesting comments about Russia and China
and our relationship with those two in the cyber realm.
What did he say there?
Yeah, so one of the things we've heard a lot from top cyber officials these days
is that China is this generation, this era-defining cyber threat.
Where I think he took it a little further than what we've heard from some other officials
is that I think he referred to it as a pacing threat
and also talked about it being something
that we're going to be having,
I think he said our children,
our children's children are going to be dealing with
as the main competitive threat,
not just talking about it in the cyber context,
but certainly including that cyber context.
That was taking it a little further
and saying that this is going to be a really long-term problem for the United States
in cyber. And then talking about Russia as an acute threat, one that they're dealing with,
you know, a more peaceful basis, probably perhaps a more urgent basis in certain ways.
A little chance for him to brag a little bit about the way they feel as though they've been
able to counter Russia's information operations in Ukraine just by speaking to them aloud,
just by talking about the existence of them and making it so that Russia feels like they're on the back foot.
And then quickly, you covered the story here about Verizon agreeing to a $4 million settlement
with some allegations of coming up short in some government contracting?
Yeah, kind of a late-breaking story.
The other night, when I first read it, I thought it said $4,000.
And I was like, that's not much of a fine for Verizon.
I think they'll be just fine.
That's the money they find in the couch cushions, right?
Yeah.
So yeah, $4 million fine for not following some required cybersecurity standards.
And we'll see how much of a dent that puts into the midst. I actually don't know
how much of a difference $4 million is
for Verizon compared to $4,000.
It's interesting.
I'm making a joke, but it's interesting
to see a company of that size
being held to account. I think
it's a reflection of
this administration's desire to put people
on notice that not following these cybersecurity standards is going to cost you.
Yeah. And I found it interesting that both sides of this sort of threading the needle
of Verizon saying that we're not really acknowledging we did anything wrong, and the government saying we're not acknowledging
that you didn't not do anything wrong.
There's a weird sort of dance that happens
with these kinds of settlements and agreements.
We see them more often with the FTC saying,
we think you did this, but here's the settlement,
and then a sort of vaguely worded non-apology that says,
maybe we did it, maybe we didn't.
So it's fairly standard in that regard.
Yeah, interesting sort of regulatory shot across the bow, I suppose.
Yeah, maybe a little bit rarer to see it on the Justice Department side, though.
All right, well, Tim Starks is the author of the Cybersecurity 202 at The Washington Post.
Tim, thanks so much for joining us.
Yeah, thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
This episode is brought to you by RBC Student Banking. Here's an RBC student offer that turns a feel-good moment into a feel-great moment.
Students, get $100 when you open a no-monthly fee RBC Advantage Banking account
and we'll give another $100 to a charity of your choice.
This great perk and more, only at RBC.
Visit rbc.com slash get 100, give 100.
Conditions apply.
Ends January 31st, 2025.
Complete offer eligibility criteria by March 31st, 2025.
Choose one of five eligible charities.
Up to $500,000 in total contributions.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private
sector, as well as the critical security teams supporting the Fortune 500 and many of the world's
preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.