CyberWire Daily - Waging lawfare against criminal infrastructure. Notes from the cyber underworld. Hybrid war, and cyber ops across the spectrum of conflict. And what do the bots want? (Hint: kicks.)
Episode Date: April 27, 2023

Google targets CryptBot malware infrastructure. FIN7 attacked Veeam servers to steal credentials. Ransomware-as-a-service offering threatens Linux systems. Evasive Panda targets NGOs in China. Anonymous Sudan is active against targets in Israel. Russian ransomware operations aim at disrupting supply chains into Ukraine. Our guest is Stuart McClure, CEO of Qwiet AI. Microsoft’s Ann Johnson stops by with her take on the RSA conference. And bots want new kicks. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/81

Selected reading.
Continuing our work to hold cybercriminal ecosystems accountable (Google)
Google Disrupts Massive CryptBot Malware Operation (Decipher)
Google disrupts malware that steals sensitive data from Chrome users (TechCrunch)
FIN7 Hackers Caught Exploiting Recent Veeam Vulnerability (SecurityWeek)
RTM Locker Ransomware as a Service (RaaS) Now on Linux (Uptycs)
Evasive Panda APT group delivers malware via updates for popular Chinese software (WeLiveSecurity)
NSA sees 'significant' Russian intel gathering on European, U.S. supply chain entities (CyberScoop)
Ukraine at D+427: Russian cyberattacks and disinformation before Ukraine's spring offensive. (CyberWire)
Releasing leak suspect a national security risk, feds say (AP NEWS)
Pentagon leak suspect may still have access to classified info, court filings allege (the Guardian)
Netacea Quarterly Index: Top 5 Scalper Bot Targets of Q1 2023 (Netacea)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Google targets CryptBot malware infrastructure.
FIN7 attacked Veeam servers to steal credentials.
Ransomware-as-a-service offering threatens Linux systems.
Evasive Panda targets NGOs in China.
Anonymous Sudan is active against targets in Israel.
Russian ransomware operators aim at disrupting supply chains into Ukraine.
Our guest is Stuart McClure, CEO of Qwiet AI.
Microsoft's Ann Johnson stops by with her take on the RSA conference, and bots want
new kicks.
From the RSA conference in San Francisco,
I'm Dave Bittner with your CyberWire Intel briefing
for Thursday, April 27th, 2023.
Google blogged yesterday explaining steps they're taking to disrupt the CryptBot malware gang's infrastructure
after securing a court order against the malware's operators.
The tech giant has filed litigation against the CryptBot distributors,
who they believe operate out of Pakistan and run what they call a worldwide criminal enterprise.
The legal complaint Google
filed is based on multiple claims, which include computer fraud and abuse and trademark infringement.
The company has been granted a temporary restraining order, Bleeping Computer reports,
that allows for them to take down domains both now and in the future that are linked to the malware.
Google says that this will hinder CryptBot's growth and decelerate the infection rate,
which Google estimated at about 670,000 last year.
Google says,
Lawsuits have the effect of establishing both legal precedent
and putting those profiting and others who are in the same criminal ecosystem under scrutiny.
Bravo and good hunting, Google.
WithSecure Intelligence reported yesterday that the FIN7 Russian cybercrime group
was likely behind the attack on Veeam backup and replication servers.
The gang was able to steal credentials using a custom PowerShell script
not previously associated with FIN7.
They state,
Our research indicates with high confidence that the intrusion set used in these attacks
is consistent with activities attributed to the FIN7 activity group.
It is likely that initial access and execution was achieved
through a recently patched Veeam Backup and Replication vulnerability, CVE-2023-27532.
WithSecure Intelligence advises affected companies to follow their recommendations
and guidelines to patch and configure their backup servers appropriately.
The Uptycs Threat Research Team released a blog this morning detailing a ransomware-as-a-service offering impacting Linux systems.
This malware is attributed to RTM Group.
Researchers say it appears to be inspired by Babuk Ransomware's leaked source code.
The team reports that they found the hacker group through dark web hunting
and that the malware is focused on ESXi hosts.
The initial point of access remains unknown.
ESET reported yesterday that Evasive Panda,
a Chinese APT group also known as Bronze Highland and Daggerfly,
had conducted a campaign to install its custom MgBot backdoor malware
on Chinese users by using malicious software updates for legitimate
applications. Bleeping Computer writes, Evasive Panda is a cyber espionage group active since at
least 2012 that has previously targeted organizations and individuals in mainland China,
Hong Kong, Macau, Nigeria, and various countries in Southeast and East Asia.
ESET explains that the majority of the Chinese victims are members of an international NGO
that operates in two of the previously mentioned provinces.
One additional victim was also discovered to be located in the country of Nigeria.
ESET assesses that Evasive Panda may have compromised the messaging software Tencent QQ
and its update servers in order to
tailor their targeting list and distribute corrupted updates to targets of interest
while providing legitimate updates to non-targets. This campaign would then be classified as a
supply chain attack, much like the attack on SolarWinds or the more recent 3CX attacks,
since it uses upstream infiltration of third parties
to infect downstream users with malware through updates or software downloads.
Evasive Panda's goal in this campaign seems to be credential theft.
The U.S. intelligence community sees Russian cyber operators devoting more effort toward
disruption of supply chains supporting
Ukraine. CyberScoop quotes NSA's Rob Joyce, the agency's director of cybersecurity, as saying that
NSA is observing a significant amount of intelligence gathering into the Western countries
to include the U.S. in that logistics supply chain. A significant fraction of that supply chain carries humanitarian aid.
Looking apparently for a bigger payday, the Russian cyber-auxiliary Killnet yesterday announced
that they would become Russia's private military hacker company. What this means for their
operational tempo is unclear, but they promised they would continue distributed denial of service
attacks against NATO sites as they pursue their current objective of destroying NATO infrastructure.
The group says it will now also accept jobs from private individuals and from governments.
They will still work to defend Russian interests. They explained in their post that they will no
longer be making money from donations and
promised sponsorships, and they included an emoji that indicated the sponsorships fell short of
expectations. Earlier this month, Killmilk, the group's nominal leader, explained that he was
tired of waiting for government personnel and businessmen to fund his group's cyber escapades.
Shortly after their announcement,
they changed their channel name to PMHC Killnet.
This could just be a publicity stunt,
as the ramifications of a cybercriminal group
sanctioned by Moscow attacking NATO websites
are unknown, but probably severe.
Killnet has yet to release any information
on pending contracts, either governmental or private, to conduct cyber warfare.
According to the AP, U.S. federal prosecutors have asked that Jack Teixeira, charged with violations of the Espionage Act, be held in custody,
and not, as Airman Teixeira's defense is expected to request, be released to his parents.
The prosecutors wrote in their petition,
There simply is no condition or combination of conditions that can ensure the defendant will not further disclose additional information still in his knowledge or possession.
The damage the defendant has already caused the U.S. national security is immense.
The damage the defendant is still capable of causing is
extraordinary. The AP reports that investigators are still working to determine whether Airman
Teixeira retained any other classified information that has so far remained unreleased. Investigators
and prosecutors have also not discussed Airman Teixeira's possible motives for the alleged leaks,
but the consensus among Discord
users who had been in touch with him is that he was simply showing off without any serious
political purpose. And finally, we ask you, what are the scalper bots after nowadays?
Sneakers. Lots of sneakers. Netacea reports that scalper bots are especially partial to black and white Nike
Dunk Low Panda. And while they certainly love some sneakers, the bots don't work via SneakerNet.
Coming up after the break, our guest is Stuart McClure, CEO at Qwiet AI.
Microsoft's Ann Johnson stops by with her take on the RSA conference.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous
visibility into their controls with Vanta. Here's the gist. Vanta brings automation to
evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home. Black
Cloak's award-winning digital executive protection platform secures their personal devices, home
networks, and connected lives. Because when executives are compromised at home, your company
is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their
families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
So I am pleased to be joined by Stuart McClure. He is the CEO of Qwiet AI and certainly well known
within the industry for some of your previous efforts. Former head of Cylance, a company we're
very familiar with, which of course was sold to BlackBerry and still continuing on under their
umbrella. Here we are at RSA 2023. Before we dig into some of the details of the new company, I'd love to get your insights on where you think we stand as an industry facing the challenges that are in front of us.
I was just talking to a good friend last night about this. I mean, I think we're all sort of in agreement that the fog of more is just not working. You know, we keep adding more and more layers and more and more people and more and more technologies and tools.
And we just seem to get more and more problems.
And they're not the kind of problems that are preventative.
They're really more detect and respond problems.
And I think all of us have to think about how can we pivot into a preventative world?
You know, is prevention possible?
You know, let's talk about it.
Let's talk about where all the threats come from
and go to the root cause
and see if we can affect some change there.
Because I think it's probably the only way
we're going to get ahead of this in any substantive way.
So I think we all as an industry have to stop
sort of pandering to the, hey, we need to see more and think about, well,
we need to prevent more. It's interesting. I mean, there are folks who would say,
assume breach. Let's leapfrog right over prevention and get to what we do once they're in.
That's right. You're saying not so fast? I'm saying try to think different.
I think that's the common vernacular and the common thread.
And it's self-perpetuating because if you believe that prevention is not possible and you have to assume breach, you then create an industry and a machine that you can't stop anymore. It's now self-perpetuating
because the more people you hire and the more tools you deploy, the more sensors and the more
dashboards you employ, the more you have to manage it and the more budget you need to do so. And,
you know, we're in a time of real concern about the economy and where budgets are going and our timelines extending on acquiring solutions and getting real help.
And having a detect and folks that run it
that are invested in adding more and more and more.
And therefore, you can't ever get to a place of true prevention.
But if you understand how every attack works,
I mean, every single cyber attack,
they all go down to some fundamental elements that if you were to inject
yourself with the right viewpoint and way of managing those elements of those the core of
the attacks, you can actually prevent, and you can prevent at the 99.9 percent level. Even if you
don't believe 100, you can prevent at the 99. And if you prevent at the 99, well, then now
you've shrunk your world of what you have to go chase and assume is breached down to the one or
0.1. Now you can really reallocate resources to go after the 0.1, which is a much harder challenge to
go find and identify than it is to prevent the 99.9, which is pretty obvious,
pretty well known, not a lot of secrets there. You just need to think ahead and you need to
put your resources and attention to the places that matter.
And I guess that's a good segue into Qwiet AI, your new venture.
When you wrapped up your time with Cylance and with BlackBerry,
you had lots of options available to you.
What made you decide that this is the one you wanted to pursue?
Well, yeah, and a little bit of full disclosure. I mean, I had largely let cybersecurity be a part of my past.
Once I had left BlackBerry and put it in good hands,
I had decided I was going to just apply AI into non-cybersecurity endeavors.
I really am passionate about machine learning
and be able to predict the future by learning from the past.
I've always been focused on that predictive AI element versus the generative AI
element, although there's plenty of use cases for that as well. But for me, it was the predictive
side. And I was approached by a good dear friend to consider coming back into the space here in
AppSec and DevSecOps. And I started to look at the tech
and I started to realize this is the real deal.
We might be able to apply machine learning,
predictive machine learning into the code science space
to be able to actually prevent the 99.99 inside of code,
which is where all cyber attacks start.
If you look at the taxonomy of all attacks and you boil it down to the bottom basal elements,
you really are talking about one of two things.
Either it's a vulnerability in the code that was never considered,
or there was a missing feature or a design flaw that should have been implemented.
I mean, we know how to secure
things. We really, really do. We just don't do it early enough and in the beginning development
efforts, even the design elements of a particular piece of software or hardware. We just don't.
I mean, I've spent my whole career exposing that fact with Hacking Exposed and all of the
hacks that we've demonstrated on stage right here at RSA
countless years, year after year.
And I can tell you,
we know how all these attacks work.
It is not rocket science
in any way. So if we know how
they all work, why can't
you go prevent it? I mean, it's
man-made. All of these things are man-made,
not alien-made. So we know how to
go... Is it a matter of scale?
Not really. I mean, there certainly are countless hardware endpoints out there, and
there are countless software endpoints, and it is scaling quite a bit. But if you go back and
just look down at the bottom of where it all begins, inside of the design of code,
no one thinks about it from a secure mindset or a viewpoint.
You have developers that really aren't trained in cybersecurity.
You have AppSec that really aren't trained in development.
And you need to bridge that gap between these two cultures
into a blended, efficient, effective culture
of knowing how to solve the
problem and then being very comfortable with making the changes to get secure. And this would
include not just, of course, vendors, proper Microsoft, Adobe, Apple, et cetera, but it includes
every single company that ever creates a single line of code. And that number is growing, it seems, exponentially.
But everybody's developing code,
and no one considers what to do about securing that code
before they start writing it.
So what is the take-home for you,
the recommendation for the coders out there in terms of the mindset?
Is this a different approach? What are you suggesting here?
I'm sort of suggesting what I've been suggesting for almost 30 years, but it hasn't stuck,
is think evil, do good. If you're a developer out there, think evil, do good. Try to understand the core of the attacks and how they all work.
Your role in that is not intentional. It's unintentional, but you have the power to prevent
countless attacks by simply thinking like a bad guy and incorporating the changes that you know
very well could prevent that attack going forward. We're doing a talk tomorrow.
It's going to be, basically, we're hacking SEC into DevOps.
So we're taking the world of code and DevOps and AppSec,
and we're finding the techniques,
and we're going to expose a few techniques
that the adversary is using today
to get into not just open source software,
but your software and everything in between
and make it look like a feature, but it's not.
These are very easily prevented features
that if you just understood
sort of where all these techs come from
and are comfortable with it,
literally you could prevent 100% of cyber attacks.
All right.
Well, Stuart McClure is the CEO of Qwiet AI.
Thanks so much for taking the time for us today.
Thank you so much.
It is always my pleasure to welcome back to the show Ann Johnson.
She is a Corporate Vice President for Cybersecurity at Microsoft.
But more important than any of that, she is the host of the Afternoon Cyber Tea podcast.
Ann, it's great to see you again.
It's great to be here. Thank you for having me. Yeah. So we are winding down another year of the RSA conference.
I would love to get your insights on the things that caught your attention or you think deserve
our attention. You know, it's been a great show. It's been really high energy. I think RSA is back.
You know, RSA 2023 was busy. There were a lot of people here. A lot of enthusiasm and optimism for
the industry. I saw, of course, artificial intelligence represented in a lot of different vendor solutions.
Microsoft had our Security Copilot that we announced in March that we did a lot of work on here
and telling people about how ChatGPT is going to be great for the next generation of cyber defenders and incident response.
There were folks, you know, that were on the show floor.
I always walk the edges of the show floor looking for innovation,
saw innovative solutions related to industry-specific verticals like healthcare,
saw folks that were really trying to solve the hard problems of data security.
It was a really interesting week.
There's an AI lens on everything.
It was the year of AI.
I really would love to dig into that with you
because as we were coming into the show this year,
I was kind of half joking that I expected to see half of the booths saying we're ChatGPT enabled
and then the other half saying we protect you from things that are ChatGPT enabled, right?
Like where do you feel as though people are landing with that in the real world here?
We could have used a little more of the, we're going to protect you on the AI
side because they're, so the company HiddenLayer won the Innovation Sandbox, and companies like that,
and Cranium came out of stealth from KPMG, and there's, you know, Robust Intelligence in that
space and a few others. But I think we still need to invest and have innovation in the actual
protection of AI, the protection of data that's going into AI, model poisoning, model theft,
model drift, data poisoning.
There's an opportunity in that space
for companies to really differentiate themselves
and for a lot of innovation to take place.
I saw a ton of our security solutions
are enabled by ChatGPT or OpenAI
or natural language models
or large language models.
I saw a ton of that.
I didn't see quite as much of the
we're going to protect that infrastructure. Yeah. What about on the personnel side of things? I
think, you know, this, I think it's fair to say this is the first year that our industry has been
hit with some economic headwinds. Are you sensing the tone of that out there on the show floor or is
it mostly positive energy still? No, it was really positive energy. I mean, that show floor was
enthusiastic. I think that, you know, I ran into a couple of folks and, you know, not humorously,
who had been impacted that I know, and they were job shopping and they were saying tons of people
are hiring. So I think there's a transition of folks, but I think there are plenty of opportunities
for people. What's your outlook for the year ahead now? I mean, the information you've gathered here, how does that inform your thoughts
as we ride out the rest of 2023?
Yeah, because my day job is M&A and strategic partnerships
for the Microsoft cybersecurity business,
RSA is always a really important event for me, right?
Because I get to see all the newest startups.
I talk to the investment bankers.
I talk to the PEs, the VC community.
You know, what are they seeing?
Where's money flowing?
What's the next wave of startups?
So it's going to inform the strategy.
As we're thinking about our ecosystem,
we're building a huge and robust system around Security Copilot.
As we're thinking about that, what type of vendors, what categories,
and then who's interesting so they can build killer apps on top of the Copilot.
You mentioned Security Copilot.
Can you describe to us what exactly that is?
Yeah,
absolutely. So it is our implementation of ChatGPT, GPT-4 specifically, to enable cyber
defenders. That's the first use case, right? It will enable cyber defenders to do better incident
response, to do better forensics, to do better investigations, better reporting, because it will
give that, we'll be able to use command prompts, we'll be able to rationalize tools. It will be able to get real data much more quickly and understand what to investigate.
But I think the power of it is actually not the use cases.
I think the power of it is it extends and makes cybersecurity much more egalitarian.
So you could spin up like a cyber reserve.
You could train your whole IT department on how to do command prompts.
So if you suddenly have an incident, you suddenly could spin up these resources. You don't have to be a full-time cyber analyst to help in the event of an incident.
And I think that's going to be the real power of the solution, that we can bring cyber to more
people, we can educate more people, and we won't have this talent shortage we have now.
No, that's a really interesting insight. Time will tell, right?
Absolutely. Look, the promise of it is great, but it has to be trustworthy, responsible, and secure.
Yeah, absolutely.
All right.
Well, Ann Johnson, always a pleasure.
Thank you so much for joining us.
Thank you so much for having me.
Cyber threats are evolving every second. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector. We make you smarter about your team while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.