CyberWire Daily - The T-Mobile hacker speaks (we think). SparklingGoblin enters the cyberespionage ring. Is someone stealing data to train AI? Cellebrite’s availability. Ragnarok ransomware says it’s going out of business.

Episode Date: August 27, 2021

A young man claiming responsibility for the T-Mobile breach talks to the Wall Street Journal. A new cyberespionage group, “SparklingGoblin,” seems particularly interested in educational institutions, especially in Southeast and East Asia. Are governments training AI with stolen data? Mitigations for Microsoft issues. Cellebrite tools may still be available to Chinese police. Kevin Magee from Microsoft wonders if leaders have over-pivoted toward technical skill. Our guest is Bill Wright of Splunk on the ongoing geopolitical ransomware trend. And another ransomware gang says it’s going out of business...we’ll wait and see. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/166 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A young man claiming responsibility for the T-Mobile breach talks to the Wall Street Journal. A new cyber espionage group, SparklingGoblin, seems particularly interested in educational institutions, especially in Southeast and East Asia. Are governments training AI with stolen data? Mitigations for Microsoft issues.
Starting point is 00:02:20 Cellebrite tools may still be available to Chinese police. Kevin Magee from Microsoft wonders if leaders have over-pivoted toward technical skills. Our guest is Bill Wright of Splunk on the ongoing geopolitical ransomware trend. And another ransomware gang says it's going out of business. We'll wait and see. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 27th, 2021. The Wall Street Journal has been talking with the young American expatriate, one John Binns, residing in Turkey, who claims to be responsible for hacking T-Mobile.
Starting point is 00:03:19 The Journal regards John Binns' claims as likely to be credible, since, as they say, he seems to have the kind of non-public knowledge about the data breach that only someone involved in the operation would in all probability be familiar with. Mr. Binns, said to be 21 years of age, says he gained access to T-Mobile's networks through an unprotected router, using this as an entry point to the mobile carrier's data center in the U.S. state of Washington, from where stolen credentials gave him access to more than 100 servers. He said the telco's security was awful and that he hacked them to make noise. The access he gained, he said, was so extensive that he found it frightening. He texted the Journal, quote, I was panicked because
Starting point is 00:04:06 I had access to something big, end quote. He spent about a week moving through the servers and exploring personal data. How the claims that Mr. Binns was interested in making noise, drawing attention to some lesson that might be drawn from the breach is consistent with offers to sell stolen T-Mobile data in a hacker forum isn't entirely clear. Those offers were connected with hacker names Mr. Binns has used, IRDev and Vortex, the latter being spelled Vortex with a leet character zero in place of the noobish letter O. When the Journal asked him directly, Mr. Binns had no comment on whether he was selling the stolen data or had been paid to compromise T-Mobile.
Starting point is 00:04:53 John Binns, a graduate of Northern Virginia's McLean High School, appears to be largely self-taught, cutting his teeth on hacking games like Minecraft and in associating with some bot herders who've afflicted online gameplay. He also has an ambiguous track record of claiming imprisonment, involuntary sequestration in hospitals, and so forth, possibly at the hands or at least the instigation of the FBI, unless it was the CIA. In any case, if it's noise he wanted, it's noise he's made. An offshoot of the Winnti APT has been exploiting the SideWalk modular backdoor,
Starting point is 00:05:35 ThreatPost reports. The group, which ESET calls SparklingGoblin, has been hitting targets in East and Southeast Asia. It's also shown interest in usernames and IP addresses from a U.S. computer retailer and Canadian schools, ThreatPost says. Winnti has been associated with Chinese intelligence services. SparklingGoblin appears to have used some code stolen from the U.S. Equation Group, as well as Winnti Group tools in its operation.
Starting point is 00:06:07 The exploitation of Microsoft Exchange server vulnerabilities by Chinese intelligence services, and particularly by the threat actor Microsoft tracks as Hafnium, could have served multiple purposes, the most obvious of which was direct collection of intelligence from the targets Hafnium compromised. Somewhat less obvious was the potential the operation had for the development of target dossiers that could be used to compromise and recruit foreign agents. But a third possibility also exists, NPR reports. China is engaged in what Beijing views as a race to develop a dominant position in artificial intelligence, and AI needs data to train on.
Starting point is 00:06:50 In some respects, the more indiscriminate, the less structured that data may be, the better. Microsoft has warned customers against a vulnerability in Azure's Cosmos DB database, Reuters reported earlier this morning. Researchers at Wiz discovered and disclosed the issue, which involved access to database keys, earlier this month, and Microsoft has now addressed the problem. Microsoft has also issued guidance on addressing ProxyShell vulnerabilities in Exchange Server.
Starting point is 00:07:25 Users of these products should give Redmond's guidance careful attention, and we disclose, as always, that Microsoft is a sponsor of the CyberWire. The Intercept says that although Cellebrite says it exited the Chinese market last year, Chinese police have continued to buy the company's phone-cracking technology. The Intercept describes the ways in which the cracking tools continue to reach China. Quote, While Cellebrite did deregister its Chinese subsidiary earlier this year, it appears to have done little about the brokers that peddle its hacking technology.
Starting point is 00:08:03 Chinese government procurement award notices and posts on resellers' websites show that police have continued to purchase powerful Cellebrite software, while resellers have continued to provide updates for the software. In one case, a reseller reported delivering the Israeli company's software to border guards in Tibet and demonstrating how it could be used to search people's WeChat accounts. Cellebrite responded to The Intercept through its public relations representatives. Cellebrite has developed a strong compliance framework, and our sales decisions are guided by internal parameters, which consider a potential customer's human rights record and anti-corruption policies. Cellebrite remains committed to safeguarding human
Starting point is 00:08:43 rights and has developed strict controls, ensuring that our technology is used appropriately in And finally, the ransomware gang responsible for Ragnarok says it's shuttering its operations and has released a decryption key for Ragnarok, according to The Record. The Ragnarok gang had been active since 2019. Ragnarok had long made a meal of Citrix ADC gateways and was also the gang responsible for the quickly thwarted campaign to exploit a Sophos XG firewall zero-day. The decryptor seems to be real, but whether this represents a genuine twilight of the bad gods or simply indicates a rebranding remains to be seen. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:09:48 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:10:35 That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:11:36 Bill Wright is Director of Federal Affairs at Splunk and formerly Staff Director for the Homeland Security and Governmental Affairs Committee for the U.S. Senate. I caught up with Bill Wright recently for his take on the seemingly relentless march of ransomware and what he thinks might be done to slow the pace. So I think, you know, at least a year and a half ago, ransomware was really seen primarily as a, what I would call a nuisance cybercrime. It hit schools, hospitals, businesses, sure, but the disruptions were considered pretty isolated. No one was known to have died,
Starting point is 00:12:11 and the ultimate effects were limited primarily to those entities that were hacked. Then came Colonial Pipeline, disrupting nearly half of the East Coast's fuel supply, quickly followed by another attack that threatened the nation's largest meat supplier, JBS, and then, of course, Kaseya last month, along with many countless others that maybe didn't make the headlines. So it quickly moved from an economic nuisance to a national security, public health, safety threat. And I think that's the way our government is treating it now. You know, we've had the public statements from President Biden, you know, where he has said that he's spoken with President Putin about this issue and
Starting point is 00:13:00 are trying to apply diplomatic pressure and so on. Are we seeing any effects from that? Has there been any change since we've seen those public declarations that this is important? First off, threshold matter, I think that that public declaration is very important. Also, this likely goes without saying, but there is no silver bullet for this. Smarter people than me have been grappling with this problem. I thought a lot of the ideas and some of the recommendations that came out of the Ransomware Task Force were interesting, and one of those was to publicly acknowledge at a high senior level some of the problems around
Starting point is 00:13:43 ransomware. The Biden administration, I think, is taking some really good steps to help modernize our cyber defenses. The EO, for instance, was a great start, among other things. If you read between the lines of the EO, I think there's really broad recognition that security is, first and foremost for us, a data problem. The life cycle of a threat response is relying on data to detect a threat, monitor for impact, find a solution, prepare for that next attack. So at its core, and as we like to say here at Splunk, all data is security data. And I think the EO goes a long way to recognizing that. So the way I look at it is clearly organizations themselves need to better defend themselves,
Starting point is 00:14:33 but we really also need to go after their business model. We mentioned ransomware as a service has really opened it up to the masses. DarkSide, I think, is a classic example of this ransomware-as-a-service criminal gang, but that is primarily being run outside of U.S. authorities. Some would argue, including DarkSide themselves, that they were not even directly responsible for those Colonial attacks. They're certainly responsible as creators and operators of this ransomware as a service. So we need to find a way to go after that business model. There's a number of things being considered, policy considerations around what we do about cryptocurrency reporting, requirements on
Starting point is 00:15:19 acknowledging ransomware payments. There's a number of ideas that are circulating now. And then I think the last leg of this stool for going after ransomware is that the U.S. government and our allies really need to take a more aggressive approach against the ransomware actors wherever they might reside. Until they feel the pinch, this criminal business model is going to continue to grow. So to circle back to your original statement about Biden and Putin, I think this was an excellent start, but I think it is part of a holistic strategy across the government and across the whole of society, frankly. That's Bill Wright from Splunk.
Starting point is 00:16:07 There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. Thank you. solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Kevin Magee. He's the Chief Security Officer at Microsoft Canada.
Starting point is 00:17:26 Kevin, it is always great to have you back. I wanted to touch base today with something that I know is near and dear to your heart, and that is how we approach leadership in the cybersecurity world. Some things that you've been focused on here. What can you share with us today? I think we've talked a lot about the skills gap as an industry, and we tend to make the skills gap out to be just the technical skills required to meet the needs of our industry. And while there definitely are some challenges in that area, I certainly won't discount it, I think we've over-pivoted to that topic at really the detriment of leadership and management skills. And are we really thinking about, as we onboard, develop, and grow our industry of technical professionals, who will be those people that lead them? What are the skills
Starting point is 00:18:10 that they will need? And what are we doing to get ahead of this problem before it becomes the next skills gap that really cripples our industry? Can you take us through some of the specifics of that? I mean, is this training people up from within for leadership positions? What sort of things do you have in mind? Yeah, I think we look at why are we disconnected often from the business and from operations and from strategy. And we, you know, you see those cartoons about we need to finally get a seat at the table at the board and whatnot. So there's a lot of discussion, a lot of interest in the challenge of why there's a disconnect, but very little being done, I think, to solve it. So I have a couple of
Starting point is 00:18:51 theories of what we could be doing to solve it. One would be taking folks out of other areas of the business and embedding them in the security teams and teaching them security skills. So sort of a cross-pollination of skills. The other thing is, and this would sound crazy in an industry where we have a skills gap and not enough talent, why not export some of our talent to other areas of the business? Why not take security professionals and put them in marketing or put them in sales or put them in other aspects of the business? This is really what we saw years ago when we were having financial challenges within companies where we took the chartered accountants and we gave them the opportunities to finally be the CEO or we embedded them in other areas of the business. And now it's
Starting point is 00:19:31 not uncommon to see an accountant or someone from finance or a CFO rise to the level of CEO. You don't often see CIOs or CISOs move up the ranks into the larger chairs as well. And I think that's holding us back in our detriment that we're not thinking differently about how to embed security throughout the business. You know, it gets my dander up when I hear folks refer to some of these things as being soft skills, like the people skills, they refer to them as soft skills. You know, to me, they are both fundamental and critical to a business's success, these abilities to communicate. To me, if you're going to be a leader, that is something that is critical. It's not optional. And yet, to your point, I think, particularly when it comes to some of the folks on our technical teams,
Starting point is 00:20:30 it seems to me that that's a part of their well-roundedness that we aren't always nurturing. And I think as an industry, we started focusing on bringing in people who were just curious. And it didn't matter what background they came from. They didn't need computer science degrees. We were all, in the good sense of the word, hackers. It was our curiosity. It was our interest in taking things apart and figuring out how they work that really drove the industry. And I worry as we're trying to professionalize our industry that we may overpivot and make it all about computer science. And then we'll lose the soul of what made our industry great, which is the old hackers. So how do we professionalize our industry? Because we definitely need to do that. We need to come up with standards. We need to come up with ways of really assessing skills and abilities. But how do we do that without losing characteristics that really made some of the greatest security professionals of our generation? And how do we pass it on to the next generation is what I spend a lot of time thinking about. And I certainly don't have the answers, but it won't be based on modeling what another
Starting point is 00:21:25 profession did, say accountants or lawyers or whatnot, in professionalizing their business. We have a unique challenge as cybersecurity professionals. We have a unique need for different skills. And so we're going to have to come up with unique solutions. Taking an MBA and adding a cybersecurity course to it is not going to solve the problem. Taking a master's in cybersecurity course set and adding two electives for leadership or business is not going to solve the problem. I think there needs to be really a third way. When you're looking through applications from folks who want to come work with you, what attracts your attention? What are the things that catch your eye for you to say, okay, this is probably someone who has those particular types of skills? I think most folks that show up to an interview think we're going to talk just about work.
Starting point is 00:22:13 And I often surprise them because that's probably where I not start the conversation. We obviously end up there. But I look at volunteer experience. What do you do with your free time? Because work, you're directed off on what to do, especially in your early career. But what you choose to do with your time really tells me more about you than anything else. If you choose to volunteer, if you choose to get behind certain challenges you want to take on, if your passion is helping young women enter STEM careers and whatnot,
Starting point is 00:22:43 that tells me a lot much more about your character than whether you did a certification or not as well. So I really try and get behind the motivation and thinking of what drives that person, what makes them curious, what other aspects of the business are they interested in, and then how do they learn? How do they approach problems?
Starting point is 00:23:01 How do they keep up? Those are the type of questions I spend a lot of time discussing with potential candidates. And you can see the sort of the look on their face, they're coughed and puzzled at the beginning of the interview that why am I not asking them technical questions? I think we definitely need to explore those other aspects of what makes a great cybersecurity professional. And it's not simply yes or no answers or understanding, you know, how technical concepts or certifications. There's much more to us as cybersecurity professionals and leaders. Well, Kevin Magee, thanks for joining us. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado.
Starting point is 00:23:48 Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. And that's the CyberWire. Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Be sure to check out this weekend's Research Saturday program and my conversation with Deepen Desai from Zscaler. We're going to be discussing Joker joking in Google Play, Joker malware targeting the Google Play Store with new tactics. That's Research Saturday. Check it out. Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Starting point is 00:24:53 Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
