CyberWire Daily - Cyber appeasement? Western Digital discloses cyberattack. Rilide malware is in active use. Mantis has new mandibles. Challenges of threat hunting. Small, medium, and large criminal enterprises.

Episode Date: April 4, 2023

Did "appeasement" embolden Russia's cyber operators? Western Digital discloses a cyberattack. Rilide is a new strain of malware in active use. The Mantis cyberespionage group uses new, robust tools and tactics. The challenges of threat hunting. Joe Carrigan has thoughts on public school systems making cyber security part of the curriculum. Our guest May Mitchell of Open Systems addresses closing the talent gap. And when it comes to criminal enterprise, size matters. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/64

Selected reading.
Russia's shadow war: Vulkan files leak show how Putin's regime weaponises cyberspace (The Conversation)
Russia's Invasion of Ukraine Heralds New Era of Warfare (VOA)
West's Cyber Appeasement Gave Putin Green Light: James Stavridis (Bloomberg Law)
Western Digital Provides Information on Network Security Incident (Business Wire)
Western Digital confirms breach, shuts down systems (Computing)
Western Digital discloses network breach, My Cloud service down (BleepingComputer)
WD says law enforcement probing breach of internal systems (Register)
Western Digital investigating MyCloud data breach affecting Mac desktop drives (Macworld)
Users fume after My Cloud network breach locks them out of their data (Ars Technica)
Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities (Cisco Talos Blog)
Mantis: New Tooling Used in Attacks Against Palestinian Targets (Symantec)
Inside the Mind of a Threat Hunter: Team Cymru's Latest Report Sheds Light on Challenges Faced by Cybersecurity Analysts (Accesswire)
Wages Dominate Cybercrime Groups' Operating Expenses (PR Newswire)
Inside the Halls of a Cybercrime Business (Trend Micro)
Size Matters: Unraveling the Structure of Modern Cybercrime Organizations (Trend Micro)

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Did appeasement embolden Russia's cyber operators? Western Digital discloses a cyber attack. Rilide is a new strain of malware in active use. The Mantis cyber espionage group uses new robust tools and tactics.
Starting point is 00:02:14 The challenges of threat hunting. Joe Carrigan has thoughts on public school systems making cybersecurity part of the curriculum. Our guest is May Mitchell of Open Systems, addressing closing the talent gap. And when it comes to criminal enterprise, size matters. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 4th, 2023. The present state of Russia's war against Ukraine, stalled on the ground as it is, has prompted some reflection on the lessons that might be learned from that war's cyber phases. Online publication The
Starting point is 00:03:12 Conversation has summarized and placed into context the accounts of the Vulkan papers. Russian operations have encompassed cyber espionage, disruptive attacks against infrastructure, nuisance-level hacktivism, and most prominently, influence operations aimed at both domestic and international opinion. The disruptive attempts may have fallen short of pre-war expectations, but defense experts find them alarming nonetheless. The Voice of America quotes a U.S. defense official who spoke Friday on condition of anonymity, stating, the Russian operation in Ukraine as it relates to red lines for conflict should be of concern to many people. You're willing to drop a bomb on a power station, or you're willing to drop a bomb on a rail network, then you're certainly willing to execute
Starting point is 00:04:01 a cyber attack against them. As just general common sense sort of military tactics, I don't believe you would reduce something to rubble if you had the ability to neutralize it otherwise. You don't want to use high-end kinetic tools unless you have to. Retired U.S. Admiral James Stavridis, a former NATO Supreme Allied Commander for Europe, thinks so. He argues in an op-ed published by both Bloomberg and the Washington Post that insufficient response to its non-kinetic military operations helped equip the Kremlin with an effective virtual complement to the
Starting point is 00:04:38 traditional invasion. The West, in effect, conducted a policy of digital appeasement in response to multiple cyber attacks. There has been, in Admiral Stavridis' view, a failure of deterrence and diplomacy. He concludes, the U.S. needs to develop a sense of deterrence in cyber, and doing so will require more aggressive responses than it has been willing to employ thus far. Now that the Russians have acted so strongly in the physical domain, we may find them even more emboldened in the cyber domain. So how does one achieve cyber deterrence? Discuss amongst yourselves, and take a look at the Admiral's op-ed
Starting point is 00:05:18 for suggestions on how to frame the challenge. California-based data storage provider Western Digital has disclosed a breach in which an unauthorized third party gained access to its systems, the Register reports. Computing reports that the company has shut down its MyCloud consumer cloud and backup service while it investigates the incident. The company hasn't disclosed the nature of the attack, and the investigation is still in its early stages. Western Digital said in a statement that it detected an incident on March 26, initiated its incident response plans, and began taking steps to remediate the issue. A new strain of Chromium-based browser malware, Rilide, has been uncovered by Trustwave SpiderLabs. This morning, SpiderLabs wrote,
Starting point is 00:06:09 Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges. Rilide has been found by SpiderLabs in at least two malware campaigns since April of 2022. The first was involved with the Ekipa RAT, a remote-access trojan, malware that used Microsoft Publisher and relied on the user ignoring a warning pop-up and executing a macro. SpiderLabs notes, Microsoft Publisher was not affected by Microsoft's decision to block macros
Starting point is 00:06:52 from executing files downloaded from the internet. The second seems to be using Google Ads, disguising itself as legitimate TeamViewer installers or an NVIDIA drivers installer. Symantec discovered that Mantis, which you may know as Arid Viper, Desert Falcon, or APT-C-23, is now mounting attacks against Palestinian targets with a new set of tools. In its report published today, Symantec explains that although this pattern of targeting isn't new, the tools in Mantis' mandibles certainly appear to be. Mantis operates from the Palestinian territories against Palestinian individuals. In 2022, Mantis began using updated versions of its custom Micropsia
Starting point is 00:07:40 and Arid Gopher backdoors to compromise targets before engaging in extensive credential theft and exfiltration of stolen data. Mantis seems to compartmentalize its attacks by using three distinct versions of the same toolset on three groups of computers. This affords redundancy. If one group of tools is discovered and neutralized, then the other two may remain unaffected. Symantec reports the attackers also used a custom exfiltration tool to exfiltrate data stolen from targeted organizations. The researchers describe Mantis as a determined adversary with the demonstrated ability to compartmentalize attacks against one organization and rewrite malware to maintain an edge against its targets.
Starting point is 00:08:26 Team Cymru this morning published a report looking at the challenges faced by cybersecurity analysts in hunting threats. 59% of the respondents said their organization's threat hunting program was only somewhat effective, and 38% said their biggest challenge was a lack of appropriate threat hunting tools. Nearly half said their main goal is to identify threats before an intruder is able to cause damage. One of the top concerns among threat hunters is the inability to measure the success of their efforts. Are crooks more successful when they run their crime like a business? So it seems.
Starting point is 00:09:12 Trend Micro yesterday released a report discussing the variances in criminal group behavior based on their sizes. The researchers share that knowledge of the size of a criminal organization can aid in the discovery of cybercrime. Small criminal businesses, and these make up the majority of cybercriminal enterprise, are typically comprised of one to five staff members, a single layer of management personnel, and a turnover of under $500,000. Smaller criminal businesses tend to be staffed by moonlighters who also have a day job. Doing what, you ask? Who knows? We imagine it varies. Dental hygienist, convenience store staff, paralegal, roofer, pretty much anything. One of our writers knew a guy in LA who eked out a living by being the 10th caller to radio stations. Mid-sized businesses tend to have between 6 and 49 employees, two layers of management, and upwards of $50 million in turnover annually.
Starting point is 00:10:07 These businesses tend to be structured as pyramids with one boss at the top. The big criminal enterprises usually have three layers of management, 50 or more employees, and over $50 million in annual revenue. Lower management and supervisory management are kings in these businesses, with the overarching leadership well-versed in cybercrime. The larger cybercriminal businesses, such as Conti, tend to be run like corporations, containing familiar departments like IT and HR with benefits and the other trappings of legitimate business. Notice anything about these org charts? As it does everywhere else, the old law of seven plus or minus three prevails. That's about the number of direct reports you can
Starting point is 00:10:53 have before you start losing track of what the Sneetches are up to. Look that one up. Coming up after the break, Joe Carrigan has thoughts on public school systems making cybersecurity part of the curriculum. Our guest is May Mitchell from Open Systems addressing closing the talent gap. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:11:54 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:12:17 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
Starting point is 00:12:57 lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with BlackCloak. Learn more at blackcloak.io. Yesterday here, we discussed training trends and how investing in your employees' continuing education can be an important part of retention. May Mitchell is CMO at Ontinue, the recently formed MDR division of Open Systems. I spoke with her about the challenges of attracting and retaining top talent. It's definitely very challenging. If you are a manager, a hiring manager looking for top talent, you know, regardless of location, it's still very tough. Lots of areas where you can find top talent, but finding the specific skill set that fit the needs, it's still challenging.
Starting point is 00:14:08 And then the other challenging thing is that once you do find them, you have to retain them. So getting them trained in the enablement piece and then keeping them engaged throughout is definitely challenging these days, especially for a hybrid workforce. Reason being is once you spend all that time and money getting your top talent on board, it's this ongoing career development, making sure that they are getting what they need, they have the right tools in place. They can easily get tapped by your competitors or someone else that's calling for them. So it's this constant push and pull in the marketplace today. And then the second thing is regarding the diversity. You know, we all know that diversity drives innovation.
Starting point is 00:15:04 and I understand that a lot of companies have put emphasis, starting from the top down in terms of diversity being a top initiative and there's goals and stats and all that. But that is something that has to be bought in and it's an ongoing effort. It is really tough. You got the balance of meeting those diverse numbers, but also you want the top talent if you're a hiring manager. So it's hard to find that. And the number of women that's currently in cybersecurity, it's a numbers game. There's just not enough of that. I'm curious, in your experience,
Starting point is 00:15:38 what are some of the successful strategies that organizations can use to both attract good talent, but then also, as you say, retain them? You have to have the right culture. And it's the people business. It's the culture. People enjoy working with people that, you know, they connect with and that they want to work for environments where they are inspired. They're inspired by the leadership team. They're inspired by what the leader is saying, you know, and they're bought into that strategy or that mission. And culture is only built from the top down. It starts at the top. There's no question about it. And then it cascades. And in every single person within that company, whether you are a senior leader or individual contributor, you are part of that culture.
Starting point is 00:16:30 You're resilient, you're strengthened throughout. So that's number one. Number two is setting goals, having a common set of goals and up at the top, three to five goals, and then those goals are cascaded throughout the organization. And some of those goals could be, you know, building a great culture, having a set number of, for diversity. And again, that has to be bought in throughout everyone. And then having, putting that as a top priority, finding the right individuals, having a coordinated effort to hit those numbers. Your candidate pool should include X number of individuals.
Starting point is 00:17:13 That's part of the, you know, woman. The other thing is maybe your panel, your panel should have some women leaders in there as well. And then also once you do hire that individual, when they do come on board, make sure there's a new hire buddy that they're assigned to. And you want to pair up.
Starting point is 00:17:32 If you're breeding a top talent female leader or individual contributor, maybe you should pair them up with someone like-to-like. You know, the first 30 days, even the first two weeks, actually, first 30 days, really, really important to keep in touch. Next 90 days, and they'll get a good feel for whether or not this is the right place for them.
Starting point is 00:17:55 You know, we're seeing layoffs across the industry right now. And I think for many people, particularly those who maybe not have been in cybersecurity for a while, this is the first rounds of layoffs that they've experienced. Do you think that changes the equation here, Annie? You know, everyone is going through this right now. Every single company, large or small, VC funded and all that, everyone's watching what's happening. It's kind of a changing time. I'd say, you know, everyone's really,
Starting point is 00:18:26 really mindful priorities. Everyone's mindful on budget spend, and that includes a program budget and hiring even. Everyone wants stability. You know, you need to stabilize your business. Certainly everyone wants to grow. And also it's like, think about when I think about being a hiring manager, I also felt times like this, it's about resource allocation. So there might, there might've been some things that we did in the past. Certainly with the economic climate that's changed, you have to put a different hat on and think about, okay, what are the things that we need to do that we can go deep in? Let's do a few things to go really, really deep. There's some things that we're not going to do, and you want to make sure that the
Starting point is 00:19:15 other departments are okay with it. Again, it's about getting alignment. Number two is when I say resource allocation, this is really where we have to ask our employees to stretch themselves and try new things. Maybe we didn't hire them for something, but we do need everyone's help and wear a different hat. And we may have to move some individuals around to pick up those areas that we really want to do. But in terms of diversity and all that, yeah, I've been reading a lot of stories about whether or not that has been impacted with these recent layoffs. Because at the end of the day, there's so much that goes into having layoffs and all that. The reason is I'm sure it's a very, very thoughtful process. And again, it goes back to the priorities of the organization.
Starting point is 00:20:11 I am hearing some things that diversity is still a top priority, but then also other organizations like, look, we're really looking for what do we got to do? It's bootstrapping right now, stabilizing the business. But I still think that there's a lot of companies out there that are still hiring. But again, they're very, very mindful of the specific skill set that they're looking for. So I still think it's a job market. It's still pretty good out there as far as high tech and as far as cybersecurity as well. That's May Mitchell from Ontinue. And joining me once again is Joe Carrigan. He is from Harbor Labs
Starting point is 00:21:03 and the Johns Hopkins University Information Security Institute, and also my co-host over on the Hacking Humans podcast. Hello, Joe. Hi, Dave. This article caught my eye. This is a particular reporting on it. It comes from a website called K-12 Dive, which is a news website for folks who are in education. Joe, you have dipped your toes in education with your
Starting point is 00:21:27 profession over at Hopkins. My toes have been in the education pool for about 10 years now. There you go. So you're at least ankle deep. Right. So this article is titled, North Dakota becomes first state to require K-12 cybersecurity education. That is excellent. Yeah. What's going on here, Joe? Well, first off, I'd like to know why North Dakota is the first state to do this and not Maryland. Okay, fair enough. Our home state. Yeah, our home state. But also, kind of like the Silicon Valley of cybersecurity companies, right? A lot of cybersecurity companies around here. And we've done a lot over the last
Starting point is 00:22:05 two decades to try to attract them, but we haven't made this as part of the education requirement for students graduating from high school. So there's a new bill that has been signed into law. It is to graduate from high school in North Dakota, the law requires that students take at least one course in either computer science or cybersecurity. And they are saying that this underpins
Starting point is 00:22:33 everything that we do now. So it's an imperative part of education that students understand cybersecurity and computer science. What do you make of this? I like it. I think it's a good,
Starting point is 00:22:45 I think it's a long time overdue. I'm amazed that we don't have other computer science requirements in our education around the country. Everybody should know how to do at least some kind of basic scripting, right, or something. You know, and then there's the argument, well, not everybody is good at that, but you don't need to do super excellent work or anything. I don't think you should, but I think you should understand how computers work and what's under the covers in these things. When I hand you a cell phone that has all these pretty lights on the front of it, what's actually going on in the back?
Starting point is 00:23:25 Yeah. I think it's important to know. It's not just for computer science, but also it does relate to the cybersecurity stuff. And it also relates to privacy and human rights in that way. You need to know what's going on, and you need to have an idea of how it works. And cybersecurity, I think, I don't know how I feel about it being either computer science or cybersecurity. I would like to see both of those be some kind of requirement. If I had to pick one I was going to make mandatory, I'd make security mandatory over computer science.
Starting point is 00:23:59 Yeah, maybe it's a matter of giving some kids a choice so that the kids who are more technically oriented can choose that computer science class. But if beyond that, you can take cybersecurity and hopefully that will be something that will serve you well as you go through life. And maybe that is exactly what I'm describing here, some kind of technical class that puts you in the right frame of mind for this, for thinking analytically and, you know, in terms of computers and how they work. Yeah. I think it's worth noting here also that this is really part of a push on North Dakota's part to really embrace technology.
Starting point is 00:24:39 They've really got a strong vision here. They have this initiative. They call it the PK-20W initiative. I have no idea why they call it 20W, but it's supposed to be pre-kindergarten through PhD plus. Okay. So they're saying that they should have cybersecurity education all along this spectrum of people.
Starting point is 00:25:03 And I think that's a valid goal. Yeah. I think that's a valid goal. I think that's a good idea. We should be training people in cybersecurity all the time, even at the end user level, throughout their education careers. And the reason for that is because this internet thing isn't really a fad. It's not going away.
Starting point is 00:25:25 Despite what people thought in the 90s and 2000s, that's demonstrated that it's going to be around forever. As long as we have, as long as we can power it and keep the lights on, it'll stay on. Yeah, again, I'll just point out that it's come, I've learned that folks that I've interviewed that North Dakota has really embraced kind of a whole-of-government approach to cyber from the top down.
Starting point is 00:25:54 Yeah, they have one organization or one set of policies that goes across all of their organizations of government and not just at the state level, but it also protrudes down to the county and local level as well. Right, right. So they're really resourcing everybody and trying to provide that higher level protection to at all levels, starting at the top and then sort of, you know, making its way down to the smaller organizations who are going to have more of a challenge funding this on their own. That's right. It's a really interesting experiment from North Dakota
Starting point is 00:26:26 and interesting to see how it plays out for them. I think this is, I personally, I think this is good news that they're putting this in the curriculum. And I think it's something to keep an eye on. I agree. I think it's the curriculum part is good news. Now, if you're thinking about the whole of government thing, I don't know how easy that would be to do in Maryland.
Starting point is 00:26:44 Because in North Dakota, you're talking about fewer than a million people, like three quarters of a million people. And about one third of those people in some way use the internet or the network or something on that, which means there's users. If you think about your Maryland E-ZPass, that makes you a user of the Maryland government systems, right? A quarter million is a lot less than we have in Maryland. And I don't know how that whole of government thing would work in Maryland. I'd like to see it.
Starting point is 00:27:16 But something we could certainly do in Maryland is make cybersecurity education a requirement to graduate from high school. That should be easy. Yeah. I mean, it really is the whole notion of, you know, the states being places where these things are tried. The experiments happen in the states. That's a great example of that. So something to keep an eye on. All right. Well, Joe Carrigan, thanks for joining us. It's my pleasure, Dave. Thank you. ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:28:13 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliott Peltzman. The show was written by John Petrik.
Starting point is 00:29:08 Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:30:06 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
