CyberWire Daily - Updates on Russia’s hybrid war. Pegasus spyware in the service of espionage. CISA issues alerts and vulnerability warnings. C2C markets. Extradition for Assange? A guilty plea in a US cyberstalking case.

Episode Date: April 20, 2022

A Shuckworm update. Pegasus spyware found in UK government officials’ phones. CISA issues six ICS security alerts and adds three entries to its Known Exploited Vulnerabilities Catalog. Gangs succeed... when criminals run them like a business. Julian Assange moves closer to extradition to the US. Tim Eades from Cyber Mentor Fund on cyber valuations. Our guest is Wes Mullins from deepwatch discussing adversary simulations. And a guilty plea in a high-profile cyberstalking case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/76

Selected reading.
Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine
UK Government Reportedly Infected With NSO Group Spyware
‘CatalanGate’ Spyware Infections Tied to NSO Group
Pegasus Spyware and Citizen Surveillance: What You Need to Know
Julian Assange extradition order issued by London court, moving WikiLeaks founder closer to US transfer
Former eBay executive to plead guilty to cyberstalking campaign targeting couple

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A Shuckworm update. Pegasus spyware found on UK government officials' phones. Gangs succeed when criminals run them like a business. Julian Assange moves closer to extradition to the US. Tim Eades from the Cyber Mentor Fund on cyber valuations.
Starting point is 00:02:16 Our guest is Wes Mullins from DeepWatch discussing adversary simulations and a guilty plea in a high-profile cyber-stalking case. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 20, 2022. As Russia's firepower-intensive tactics continue the reduction of cities in the Donbas and along the Sea of Azov, a familiar FSB threat actor returns to prominence in Russia's hybrid war against Ukraine. Symantec this morning updated their research on the Russian threat actor Shuckworm, also known as Armageddon and Gamaredon, and its activities against Ukraine. Shuckworm first appeared in 2014 during Russia's earlier aggression against Ukraine that resulted in its
Starting point is 00:03:26 annexation of Crimea, and the group is generally held to be an FSB operation staged from that conquered province. Its principal focus has since its inception been Ukraine. Symantec is tracking four variants of the Pterodo backdoor Shuckworm installs in its victim systems. Installation of multiple versions of essentially functionally equivalent malware is one of the group's characteristic bits of tradecraft. The practice seems to be a crude method of establishing and maintaining persistence. If the defenders find and kick one version, well, there are three others they might overlook. Symantec writes, while Shuckworm is not the most tactically sophisticated espionage group,
Starting point is 00:04:11 it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations. It appears that Pterodo is being continuously redeveloped by the attackers in a bid to stay ahead of detection. Symantec adds, while Shuckworm appears to be largely focused on intelligence gathering, its attacks could also potentially be a precursor to more serious intrusions if the access it acquires to Ukrainian organizations is turned over to other Russian-sponsored actors. That's not surprising.
Starting point is 00:04:46 Developing intelligence is always an early stage in battle space preparation. According to Bloomberg, Ukraine continues to augment its cyber defenses with significant help from domestic and international corporations. The University of Toronto's Citizen Lab reports that it's found multiple infestations of NSO Group's Pegasus intercept tool in British government devices, specifically in phones used by the Foreign, Commonwealth and Development Office and the Prime Minister's Office. Citizen Lab blogged, the suspected infections relating to the FCDO were associated with Pegasus operators that we link to the UAE, India, Cyprus, and Jordan. The suspected infection at the UK Prime Minister's office was associated with a Pegasus operator we link to the UAE. Much of the concern about Pegasus in particular, and NSO Group products and services in general,
Starting point is 00:05:46 has been their ready abuse by governments who use them against private citizens. The British case is clearly different. The UK government had been prospected by foreign actors presumably engaged in intelligence collection. As far as private citizens are concerned, the European Union has decided not to organize an investigation of such cases, EU Reporter says. This is really something for the national authorities, a spokesperson for the European Commission said yesterday. CISA has released six industrial control system advisories. They have also added to the Known Exploited Vulnerabilities Catalog.
Starting point is 00:06:26 All federal civilian agencies must patch by May 10th. VMware describes a fundamental restructuring of cybercrime cartels thanks to a booming dark web economy of scale. Gangs operate like multinational corporations, and they now engage in more destructive behaviors than before. In particular, the criminal-to-criminal market is thriving, with more commodity tools available, and that's enabled the gangs to scale their attacks quickly and easily. The gangs are also becoming more destructive. The reasons for this are complex. Sometimes victims' files are destroyed in an apparent attempt to dispose of
Starting point is 00:07:05 evidence. Sometimes destruction serves as revenge for victims' failure to comply with the criminal's demands and as an incentive for future victims to be more cooperative. WikiLeaks impresario Julian Assange is now closer to extradition to the U.S., CNN reports, where he faces espionage charges. After receiving assurances from U.S. authorities that Mr. Assange would be decently treated while he's tried in the U.S. and afterwards should he be convicted, the high court overturned an earlier magistrate's court decision blocking the extradition. His extradition now goes to Home Secretary Patel for approval, but Mr. Assange still has an appeal left in his quiver. And finally, Reuters reports that James Baugh, eBay's former senior director of safety and security, has taken a guilty plea in a very strange federal case of cyber-stalking.
Starting point is 00:08:12 While he was at eBay, Mr. Baugh has admitted he organized a campaign of harassment against EcommerceBytes, a mom-and-pop newsletter run from Natick, Massachusetts, that Mr. Baugh perceived as critical of his then-employer. The newsletter's content always struck us as fairly neutral and anodyne, only moderately and politely critical, and not at all a threat to the online auction behemoth eBay. Apparently, the motivation came from some will-no-one-rid-me-of-this-troublesome-priest complaints expressed by two executives, including then-Chief Executive Officer Devin Wenig, who's also left the company. According to Reuters, prosecutors said the Steiners, in August 2019, began receiving anonymous harassing private messages on Twitter and disturbing deliveries to their home that also included fly larvae, spiders, and a funeral wreath. Five other eBay staffers have also taken guilty pleas to other charges arising from the incident.
Starting point is 00:09:08 Mr. Wenig has not been charged. He says he had no idea of what his subordinates were up to in and around Natick in both physical and cyberspace. Before we wrap up, thanks for reading and listening, especially this week. It's our sixth anniversary as an independent company. For the past six years, the CyberWire has delivered your daily dose of the top cybersecurity news, and we're pleased to have become a trusted source for the industry.
Starting point is 00:09:35 To celebrate our big six, and as a special thanks to all of our CyberWire listeners and readers, for one week we're offering a discount of 60% on annual subscriptions of CyberWire Pro. Use code CyberWireAnniversary2022 by April 25th to take advantage of this celebratory discount. Subscribe and save now. But above all, thank you for listening to the CyberWire. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:10:24 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:11:01 That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Starting point is 00:11:50 Learn more at blackcloak.io. These days, many organizations approach security with an assumed breach mindset, considering when rather than if an attack will happen. I recently checked in with Wes Mullins, CTO at MDR security company DeepWatch, on the utility of adversary simulations and red teaming. The best way today is, you know, set up a lab. There's a lot of open source tools and platforms out there that will allow you to, you know, quote unquote,
Starting point is 00:12:28 break things in your home lab on the internet without worrying about, you know, doing anything nefarious or coming off as malicious in nature on the internet. You got to practice, though, the skills and techniques that are used in offensive security and breach simulation, whether it's red team, purple team, blue team. They are very practical in nature. There's no book that you're going to take or an exam that
Starting point is 00:12:49 you're going to study for that's going to really give you that. It's practice and practice makes perfect. Can you sort of walk us through how an internal team would go about this, what a typical process would look like? Yeah, I would say it's standing up a lab and then having the lab kind of devised in multiple subsets of web app, which is where a lot of people typically get their feet wet, breaking into web apps,
Starting point is 00:13:11 doing basics with session state handling, user-supplied input validation, and then going more into the, what I would call the in-depth exploit development, reverse engineering, and kind of having different pillars and saying, hey, you go solve this challenge and once you solve this challenge, then you get another challenge. And that will vary across whether it's web app or reverse engineering, exploit development,
Starting point is 00:13:33 and then everything that is red teaming, traditional pen testing in the middle, including brute force and social engineering and all of the like. Is there a cultural element to this as well? I mean, I suspect it's important to make sure that your various teams don't inadvertently end up adversarial with each other. There is, but that's also part of the fun, I would say. And done right, there are a lot of opportunities to build the rapport and build the relationships
Starting point is 00:14:00 with those teams. And it does very much become a purple team exercise where you have the ones emulating the adversaries and doing the offensive campaigns, also challenging the ones responsible for identifying and mitigating those attacks successfully done. Like, it is a great thing to do inside of an organization that just pushes everyone's boundaries every single day and allows them to grow and mature. And how do you make sure that the things that are found are actionable, that there's follow-through, that the vulnerabilities are being fixed?
Starting point is 00:14:36 I guess what I'm getting at is it would be frustrating for your red team to come up with all these things and nothing to be done afterwards, right? Yeah, that's a great call out there. I think the key thing is when you do these exercises, what has been identified, make sure it goes through a very traditional process on identifying criticality, impact, and severity. And then throwing it in a queue along with everything else, whether that's regular bug fixes or feature enhancements or anything, making sure that there is a path to remediation. One of the key aspects in that, though, is validating that it is, in fact,
Starting point is 00:15:11 an issue. Something that we commonly see or, you know, spray and pray from a slew of, you know, pen tests and red team providers that are out there. And a lot of it's very theoretical. If you can't prove it, you can't provide a screenshot, you can't reproduce the scenario in a live situation, that's going to make it really hard for the team on the back end that's then being tasked to go remediate it. So make sure that your findings are legit. Make sure they can be repeated and validated at scale.
Starting point is 00:15:39 Do you have any words of wisdom for organizations that are looking to spin up something like this? Are there any areas where people usually fall short? I would say the labs. A lot of people hire the red teamers, the purple teamers, the offensive capabilities, the adversary emulators, and they don't give them the same lab that would be your internet presence. So if you want someone to really be valuable at it and provide the value that we all know that adversary emulation can provide, invest in giving them something to break.
Starting point is 00:16:16 I'm not saying give them a blank check, but make sure that if you have something that's on the internet that's very critical to you, whether it's your e-commerce platform or something you're handling payroll or transactions. And there are a bunch of different components around identity and database and store and cloud. That individual or that team of individuals that's being responsible for doing that exercise should have a lab or testing environment or development environment that is 100% a clone of that. And that is where we will see people struggle is they don't necessarily give the group that has, you know, the challenge of going and spotting these issues inside of a, what is in most cases, a very complex, you know,
Starting point is 00:16:56 mature enterprise environment. And that's where you find gaps. How do you measure success? How do you evaluate, you know, the return on your investment here? One could say you're doing it faster than the bad guys and gals are doing it. I would say success is as the organization matures out offensive capabilities, are there findings? Are you finding something internally before it is found by a third party that you're paying, in most cases, thousands of dollars or through a bug bounty program. So if there are findings and there are actual remediation steps that need to happen from quarter to quarter, month over month after the exercises are done,
Starting point is 00:17:37 I would consider it a success. That's Wes Mullins from DeepWatch. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:18:18 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Tim Eads. He's the CEO at vArmor and co-founder of the Cyber Mentor Fund. Tim, it is always great to welcome you back to the show. I want to touch today on cyber valuations, obviously something that you work on a lot with the Cyber Mentor Fund. Can you give us some insights, some of the things that you're tracking when it comes to cyber valuations in today's environment.
Starting point is 00:19:05 Yeah, thanks, Dave. So last year you saw this incredible growth of cybersecurity investing and crazy valuations. Companies were getting funded with $2 million annual recurring revenue at $1.7 billion. And you have to grow into those shoes and they're really big shoes. And so what you find is people are investing in growth or growth opportunity and we're just throwing money at it as there was so much money in the system. But there's a number of challenges with that. One is if you take if you make one misstep in your execution, you're going to look as a down round. And the down round is one thing, but a down round when you're dealing with billions of dollars is crushing.
Starting point is 00:19:50 Another one turns out that any of the employees that come after those crazy valuations will almost certainly make no money. Because they have to go into so many into their shoes before they do another round of funding. So I actually think, you actually think those things are bad. And then the third one, a lot of these valuations, again, let's just pick on one where they did $2 million in ARR, $1.7 billion. What happens is the founding team or the CEO and the founding team will be pushed by the investors to do what's called a secondary,
Starting point is 00:20:26 to actually take some money off the table, to sell some of their shares in order to keep going. But the challenge with that is it separates the CEO and the founders from the rest of the employees because they've taken money off the table. They've taken 2, 3, 5, 10 million, whatever the number is, off of the table, but nobody else did, right, unless it was open to everybody. And so then you get an economic separation of interest between the CEO and the founders and the employees. So multiple things will go bad with that.
Starting point is 00:20:58 So, yeah, I mean, it was growth, growth, growth. And then right towards the end of the year, you know, early December to around about now, it's all become operational excellence. You know, when are you going to get cash flow positive? You know, when are you going to, you know, your annual recurring revenue or in your EBITDA to employees? And it's been much more, the metrics that people are looking at now are much more operational excellence based. And from that, valuations are down. You saw the public markets, the valuations in the public markets have come down pretty significantly this year. And you'll typically see the private market
Starting point is 00:21:38 valuations come down like six or eight weeks later. So you're starting to see that be affected now every single day. Is this a cyclical type of thing? I mean, do we see this as, you know, to use your words, these crazy valuations and does it swing back and forth? Yeah, absolutely. It swings back and forth. You know, this is the year where at least the first nine months of it
Starting point is 00:22:01 will be everybody who's tightening their belt, looking at, you know, cost efficient, sales efficiency, business models and things like that in order to do it. But the markets have two sides of their brain, fear and greed, and sometimes they move between the two of them really quickly. So greed will come back, and that's how that will go. And then we'll back down to maybe not quite so crazy valuation, but pretty similar for sure. For the entrepreneur, I mean, is it possible to time this sort of thing? Is there a best stage of the pendulum to get into?
Starting point is 00:22:36 Yeah, well, I would stay away. I personally would stay away from the valuation dynamic as a reason of when to raise and how much to raise. What I would steer towards is getting the right VC, getting the right investor alongside you is way more important than getting the right valuation. And so steering towards the right partner that's going to be with you through it, because there's always going to be bad times.
Starting point is 00:23:04 There's always going to be bad times. And getting the right venture person, getting the right board member with you. And I always say you should go to the individual, not the firm, because the individual is the one that's going to be in the boardroom. And then focusing on that rather than the valuation. Clearly, raising money when there's a war on, sometimes people would say that's a tougher time.
Starting point is 00:23:26 But for cybersecurity companies, when it's a cyber war, at least in part, you know, you want to be in the cyber defense business. All right. Well, Tim Eades, thanks for joining us. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
Starting point is 00:24:23 and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
