Risky Business #723 -- MGM and Caesars: Western youths are working with ransomware gangs
Episode Date: September 27, 2023

On this week's show Patrick Gray and Dmitri Alperovitch discuss the week's security news. They cover:
How western youths are working with Russian ransomware crews
Russia has changed its targeting in Ukraine
A massive breach of historical Russian flight information is god's gift to OSINT orgs
Cisco buys Splunk for $28bn
Much, much more

This week's show is brought to you by Panther. Its field CISO Ken Westin is this week's sponsor guest.

Links to everything that we discussed are below.

Show notes
MGM Resorts says hotel, casino operations back up and running | Cybersecurity Dive
MGM Resorts warns customers of fraud as it faces class action lawsuits | Cybersecurity Dive
mgmkirwan - DocumentCloud
Cross-Tenant Impersonation: Prevention and Detection | Okta Security
'Power, influence, notoriety': The Gen-Z hackers who struck MGM, Caesars | Reuters
Youth hacking ring at the center of cybercrime spree | CyberScoop
UK logistics firm blames ransomware attack for insolvency, 730 redundancies
Philippines state health org struggling to recover from ransomware attack
Bermuda's premier attributes system outages to 'Russia-based' attackers
Russian hackers target Ukrainian government systems involved in war crimes investigations
Oleg Shakirov on X: "Huge data breach in Russia. A previously unknown group claims it stole data from Russia's major flight booking system Sirena Travel. The whole dataset includes 665 mil entries and spans 16 years; they posted a sample with 3 mil lines. I was able to verify one flight. Looks legit" / X
Hackers break into Russian database with data on hundreds of millions of flights
Canada blames border checkpoint outages on cyberattack
Air Canada says hackers accessed limited employee records during cyberattack
3 iOS 0-days, a cellular network compromise, and HTTP used to infect an iPhone | Ars Technica
Yes, you have to update your Apple devices again, because spyware is bad | TechCrunch
GPUs from all major suppliers are vulnerable to new pixel-stealing attack | Ars Technica
CISA's catalog of must-patch vulnerabilities crosses the 1,000 bug mark after 2 years
Hong Kong crypto business Mixin says hackers stole $200 million in assets
Cisco to buy Splunk for $28B | Cybersecurity Dive
British Army general says UK now conducting 'hunt forward' operations
World on the Brink: How America Can Beat China in the Race for the Twenty-First Century: Alperovitch, Dmitri, Graff, Garrett M.: 9781541704091: Amazon.com: Books
Starlink in Ukraine: Why the Story Is Not So Simple | Geopolitics Decanted by Silverado
Transcript
Hi everyone, this is Risky Business and I'm Patrick Gray and sorry we're a day late.
Adam and I were supposed to record the news yesterday but he wound up having to deal with
a medical issue.
You don't need to worry, he basically just had a blood nose that wasn't stopping so he
had to go to a doctor and have it checked out and, you know, he turned up drenched in blood so they're like, you have to go to the ER, and then he had to sit around for hours
and by the time he got out of there it was super late, so we missed our recording window, and
now he's resting up. He's actually on vacation in the U.S. right now too, so it wasn't the best
start to his holiday, unfortunately, but hope you're feeling better, mate, if you're listening.
And yeah, Dmitri Alperovitch is going to fill in this week.
So we'll be talking through all the week's security news with him in just a moment.
For those of you who don't know Dmitri, he co-founded CrowdStrike, but these days he
runs a geopolitical think tank in Washington, D.C. called the Silverado Policy Accelerator.
And he also serves on the US government's Cyber Safety Review Board,
which is super relevant to this week's news discussion,
as you'll hear in a moment.
This week's show is brought to you by Panther.
They're a SIEM platform that can handle
gargantuan volumes of high-velocity logs.
They're one of these newfangled
and modern detection-as-code thingies.
And Ken Westin from Panther is joining us
to do a chat about SIEM stuff in this week's sponsor interview.
Really, it's just a discussion about trends in SIEM.
And of course, they're going to plug the fact
that they're now able to feed your existing SIEM
if you don't want to rip and replace,
but they'll do all of the first stage filtering
and detections and whatnot.
So, you know, you can use it in concert with your existing SIEM and wind up saving a bundle
of money.
So that's a fun chat and it's coming up after this week's news segment, which starts now.
And Dmitri, it turns out the people responsible for the ransomware attacks against MGM and
Caesars, they're likely youths of a similar stripe to Lapsus.
So yeah, those type of kids are now getting in league
with Russian ransomware gangs.
This feels like something we absolutely don't need.
Now, you worked on the CSRB report into Lapsus
and Lapsus-style attacks.
I'm sure you'd agree this is a worrying development.
It is.
And in fact, when we started the Lapsus review
at the Cyber Safety Review Board, the CSRB, earlier this year, we very quickly, almost I think on the first day of our investigation, of our review, realized that this was a much bigger problem.
That there were groups of teenagers, predominantly in Western countries, that were doing very similar things to Lapsus.
And in fact, there were loose connections between these groups that were getting radicalized in the same places. And in this case,
with MGM, the group that everyone believes is responsible, the scattered spider group,
appears to be in a similar vein of Western teenagers that are really, really good at
social engineering. This has really been the big revelation in our review at CSRB,
that these groups, whether it's Lapsus or Scattered Spider
or about half a dozen other groups that we looked at during our review,
many of them don't have great technical skills.
Most of them don't build malware.
They use off-the-land tools.
But what they're really, really good at is calling people up
and social engineering them on the phone, whether it's IT help desks, whether it's business process outsourcers, getting
them to reset their multi-factor authentication, convincing people in the malls and telcos to
do SIM swapping attacks to get the two-factor code to the new phone numbers. And with those
techniques you can get pretty much into any company. So it's really not surprising that this happened to MGM. Very unfortunate, of course,
but there's been literally hundreds of victims that have fallen to the same types of attacks
over the last couple of years. Yeah. Now, I remember when we talked about
Lapsus in the past on this show, it was very clear that Lapsus was just a tiny little offshoot of something bigger,
which is what we called a vibe, right?
Like Lapsus is a vibe.
And AJ Vicens over at CyberScoop
has probably the best story, I think,
on all of this week,
where I think he was at a Sentinel One conference
and they did like a small briefing for some...
Yeah, they did a small briefing for some journalists and he was there and it looks like
a lot of this stems from an online community called The Comm. I actually asked AJ to just
give us some thoughts on what he learned there and here's what he said. The people behind the
Caesars and MGM hacks were actually probably kids or people in their early 20s who come out of this
group called the Comm,
which is actually an ecosystem of a bunch of splinter groups
of cliques and gangs and others who sort of organize real-world violence
like shootings, throwing bricks through windows, attacking people,
but other things too like SIM swapping, swatting, and cyber intrusions.
These kids are getting better at penetrating large corporations.
Think of Lapsus and all the damage they did. And they're becoming more and more consequential in
the real world. Researchers say it's becoming clear that these kids and young adults are
working with or acting as initial access brokers with ransomware gangs and super disturbing
development. And the MGM and Caesars
situation only sort of highlights where this is all headed.
So, I mean, this is a really fascinating development where you've now got presumably
Western, you know, American and British teenagers to, you know, like 17 to 20, basically, who are
now in league with ransomware crews based out of Russia. So, so many feelings here.
One is I think they're going to get caught.
Like I'd be very surprised if, you know,
the FBI and authorities in the UK don't, you know,
aren't parked outside their houses now, you know,
logging their movements and correlating them against sessions and, you know, preparing evidence.
That's one thing that strikes me.
But, you know, you actually said something there
that I want to push back on a little bit,
which is that, oh, they're not known for having amazing technical skills.
So first of all, that warning that we spoke about on the show a few weeks ago that came out of Okta
that said, that talked about socially engineering a help desk to reset MFA on like super admin
accounts in Okta. And then, you know, doing malicious IdP federation. Like, it turns out that
that was these guys, right? And I happened to speak to someone who had a front row seat
for the response at Caesars and, the way that they tell it, Dmitri, these attackers
are quite technical and are really quite good and really know what they're doing.
So they had issues where like their patch management solutions were turned against them.
And it was the same trick used at Caesars.
So that was an MFA reset on a global admin because they were an Azure shop.
And then they used that global admin to then pivot.
You know, we saw the Russians in SolarWinds go from on-prem into cloud. In this
case, they've gone the other way around. So they've got the global admin account in Azure
and then pivoted to on-prem and deployed ransomware from there. So yeah, I don't know.
Let me clarify a little bit what I meant. So what I meant was that they don't use exploits.
They don't find zero days. They don't write their own malware. They rely on living-off-the-land
tools. And you're right that some of these groups are really, really good sysadmins, right?
They know the ins and outs of Windows and Active Directory, and they can move really, really
quickly using the credentials that they had been able to acquire. But that's where hacking came
from, you know, like exploits and buffer overflows and stuff. I mean, all that jazz came later.
You're right. You're right.
You're right.
So if you look back in the 90s where you're kind of using Unix tools,
absolutely.
But things have evolved since then, and to find a zero-day,
let's say, in an iPhone or even in a Windows kernel these days
takes a lot of capabilities that is way beyond just learning
Windows commands.
So it's another level
of sophistication that a lot of these nation-state actors obviously have. And my only point was that
with these guys, and some of them have no technical skills at all depending on the group,
in this case obviously with Scattered Spider that is not the case, but my overall point
was that you don't even need, in many cases, to have technical skills as long as you're really good on the phone and can sweet talk your way into an IT help desk.
Yeah, I don't know, though, because it's what they did after that point that I found really interesting, right?
And just in talking to who I spoke to, the thing that came across was just how good they were at getting to know an environment and being able to move around in a really slippery way, right? So they were going hand to hand with these guys for a
while. And there has been, you know, we've seen a lot of confusion around the attribution, you know,
is this Scattered Spider? Is it Alfie? Is it this or is it that? And it really does seem that a lot
of this is just this, you know, this amorphous sort of online community of, like,
psychopathic teens. What this appears to be is actually much more straightforward, right? So
BlackCat or ALPHV is this believed-to-be Russian ransomware group that provides... No, but I'm talking
about the attribution to the people who did the initial entry, right? Like, Scattered Spider might
not be just one thing, I guess is what I'm getting at. Well, what usually happens with these groups, and we're not sure, of course, what happened
at MGM, is that they often buy access, right?
So they go to these identity brokers and they acquire credentials that they can use.
And then they also use social engineering attacks to reset credentials once they're
inside and elevate them to get admin level.
But what seems to have happened with ALPHV or BlackCat is that they just provide ransomware as a service so you can go to them, sign up as an affiliate, as is the case with many
of these groups, right, and get the malware and start using it and they'll provide all
the infrastructure to negotiate ransomware and everything else.
So it appears that Scattered Spider
was an affiliate of ALPHV or BlackCat.
What I'm getting at though
is that it wasn't a one-to-one overlap
in the people who did Caesars versus MGM.
It appears that like maybe
there's some common membership, right?
But it's not just one group.
And that's why I keep coming back to this idea
that it's a vibe, okay?
So when you guys released the CSRB report into
Lapsus, you know, I can't remember, did we get you on to talk about that? Oh no, we got Heather
Adkins on. Yeah. Yeah. Yeah. So we got Heather Adkins on to talk about that. And I described
that report as a must read for every CISO. Right. And staggeringly though, and I'd really want to talk about this, you've told
me that some people have been critical of CSRB's decision to look at Lapsus. I just find that
bizarre. I think that report was just sensational. And what we've seen in Las Vegas over the last
month kind of proves it, right? Like why on earth were people critical of the board's decision to pick up Lapsus
as a topic to examine? Well, this has been the case since the board really began that every time
we do a report, we've done two of these so far, Log4j and Lapsus. The immediate question is,
well, when are you going to do SolarWinds and why haven't you done SolarWinds, this attack that's
now, you know, what, almost four years old?
Well, because Mandiant did SolarWinds, right?
But there's specific questions.
Why aren't you doing a specific intrusion?
Why are you looking at a group of threat actors?
Why are you looking at a particular vulnerability?
And A, most people don't seem to appreciate that we don't, as a board,
don't actually pick what to review.
We get assigned by the Secretary of Homeland Security, Alejandro Mayorkas,
and the head of CISA, Jen Easterly. Those taskings, we don't have a right to refuse. We don't have the
right to say, hey, we want to work on something else. So that's point number one. But point number
two is actually, I do agree, and I think most of the board agrees, with the decision to do Log4j.
At the time that had the potential to be one
of the most significant vulnerabilities we've seen in a while, and at the intersection of this
interesting topic of open source software, and there were questions of who discovered it and was
there, you know, a Chinese nexus to it, which we ultimately discovered there was not, in terms of
usage of that vulnerability by a nation state before public.
This is like the COVID-19 origin investigation, but computer version.
Yeah. And then with Lapsus, here you have, and again, the review was not just about Lapsus,
it was Lapsus and these related groups to include Scattered Spider, is that these are really,
really successful operators. You have teenagers that can break into companies
like Microsoft and Uber and NVIDIA
and so many others that have really good security teams
and spend a lot of money on security.
And I thought it was really important
and I think the rest of the board felt
it was really important to look at
how are these guys being successful,
why and what can we do from a recommendations perspective, which is,
after all, the mission of CSRB to do the lessons learned from these significant attacks to figure
out how we can improve security across the entire ecosystem. And now we've been tasked with looking
at a specific incident, of course, which is the Microsoft Exchange hack that was revealed earlier this summer. So that review is kicking off.
So we do both types of individual investigations or individual reviews, I should say,
into specific incidents, but also at these broader trends. And I think both are important.
Yeah, no, I mean, I just find it bizarre that anyone would think that that was a bad one to do,
you know, because as I say, at the time, we were all about it. And, you know, after I spoke to you about that I went and asked some journalists I
know, I'm like, is that for real? Like, are people actually criticizing them for that? And they said
yes. Just, anyway, it's just weird. I am definitely out of step with the rest of the
commentariat on that, apparently. I guess one thing that's probably worth reiterating is that right
now it would be a very good idea to go and change your directory setup. Whether you're using Azure
AD or you're using Okta, it would be a very good idea to go and remove your help desk's ability
to reset MFA on those accounts. I mean, that is something very simple you can do. I mean, that's not necessarily gonna stop
this threat actor, right?
That's not necessarily gonna stop them,
but that is just such a slam dunk way
for them to Insta-own you.
Like I think it's just very simple
and good advice to go and do that right now.
Would you agree with that?
Yes, absolutely.
And also as we recommend in our review,
you should look at other ways to do MFA.
So as much as possible,
get off phone-based, SMS-based authentication
because it's so easy to do SIM swapping.
We know that push-based methods have their problems as well
because of the push DDoS effectively,
or push DOS, I should say.
Yeah, push spam, right?
Yeah.
Push flooding or whatever they call it.
Exactly.
And really start looking at hardware-based tokens
that are the way to go to make sure that it's much, much harder
to do these types of social engineering attacks.
I mean, but they're no good, right,
if your help desk can reset the FIDO2 hardware authenticator
that your super admin is using, right?
If someone can just trick the help desk
and that's the thing,
you're only ever as strong as your reset procedures
and you need to actually put a little bit of thought
into, okay, well, we can't,
like one idea that I had was you need a different super admin
whose only role is to reset MFA on the primary super admin.
And you take a FIDO2 key for that one and you stick it in a safe somewhere.
Well, what really happens here, and we looked at the subset of this problem actually when we looked at the SIM swapping issue because that was a big chunk of our review.
How do you make it harder to do SIM swaps?
And there's a range of ways in which these groups do that with the telcos.
One way is to obviously social engineer someone at the mall,
the teenager that's working at the mall for one of these resellers
and get them to reset the phone number.
But there are many others.
And there's a legitimate SIM swapping case.
In fact, the vast majority of SIM swaps, as we heard from the telcos when we did our review,
are completely legitimate because someone loses their phone.
Oftentimes they're overseas.
They need to get a new SIM card and activate it.
And how do you do that, particularly if they may not have their credentials with them?
So you may be able to get them on a video call
and ask them to show you your passport. Of course, passports and other documents can be faked as
well. It's a really, really hard problem. Even if you just look at the telcos in smaller organizations
where you should know what people look like, it may be a little bit easier. But again, with the
AI techniques and ability to modify video, that's going to be even harder going forward.
Yeah, no, 100%. And I think our joke a couple of weeks ago was to reset the password or MFA on a
super admin account. The admin needs to present themselves to an Okta office for DNA sequencing,
right? That's probably one of the only things that's going to fix this. But look, we've dropped
a bunch of links into the show notes
this week so people can go have a read about this. But look, honestly, it's just a fascinating
case. Like, the reason I said that that Lapsus report from CSRB was a must read is because of
the types of TTPs they were using, like really innovative stuff and kind of nasty as well and
real no-limits hacking. So yeah, yeah, drop into
the show notes and have a look through. Oh, one thing I wanted to get your opinion on earlier,
I said, I suspect that these guys are going to get caught. And I mean, by that, I mean,
the American and presumably British affiliates. Is that your feeling as well? Because I can't
imagine, you know, so often these groups or the affiliates themselves are based in Russia and,
you know, the FBI can't do anything.
And now there's an opportunity to actually put some cuffs on someone.
I just can't see it not happening.
Well, yes and no.
Again, when we looked at this at CSRB, when we conducted our review, it's often very easy to catch these guys because their OPSEC is just terrible.
But what happens is that a lot of them are teenagers.
They're juveniles.
So they literally get arrested, let go,
and we've been briefed on cases
where literally 24 hours after leaving jail,
the guy's logging back into Telegram or Discord channel
and saying, I'm back.
I know the one you're talking about.
He's the British one.
But that guy, he's not neurotypical,
let's just say that. He's in a special school for people who have quite severe autism and maybe,
you know, not the best example of how this might play out, right, with all of them. But, you know,
that was clearly, that guy had a compulsion. I know, but this happens a bunch of times and they recruit
specifically juveniles for this very purpose because they know that they can slide out of the
justice system and get off basically scot-free or maybe serve a few months. So that's a real issue
that we heard from Justice Department and other law enforcement in our review that, what do you do about these
juveniles that made a mistake, got tied up in these communities, and now can't get out of it?
Yeah, this guy was hacking from a fire stick plugged into his hotel TV room when I think
he was supposed to be in custody or something. Just absolutely crazy.
But one more point I want to make, and you kind of mentioned this, is that these guys are not only doing intrusions, are not only doing
these ransomware types of operations, but increasingly are using physical violence,
particularly when it comes to SIM swapping and other types of operations. We've heard briefs on
how they hire local gangs like MS-13 to intimidate people that are part of the gang party business process outsourcers to actually do this, because either they're being bribed or
someone actually puts a gun to their head and asks them to do this, right? So that may be coming,
given the direction that this is going into. Well, that's cheery. I mean, when I think about these
types of groups, I think that they are more representative of the cyber equivalent of street gangs.
When you look at the Russian ransomware organizations, they're a little bit more like mafia organizations, I guess.
And these guys, very much more like a disorganized street gang, just ruthless and do whatever it takes.
But look, let's move on. And we've got a story here from the record
written by Alexander Martin,
which has really been doing the rounds.
And I think people need to read
beyond the headline on this one.
There's a logistics firm in the UK
called KNP Logistics,
which has gone insolvent basically
and made 730 people redundant.
And this is because they had a ransomware
attack apparently but if you read the story and we've seen almost the exact same story pop up
before where a company is about to go under, they're trying to seek emergency investment,
then they get ransomwared and then the whole thing falls over and it looks like that's what's
happened in this case. The company was in dire straits and then got ransomware and
that was enough to tip them over the edge and ensure that nobody invested to bail out the
company. Yeah. And we don't know whether they were doomed to go out of business to begin with
and ransomware or no ransomware that could have happened either way, right? In this particular
environment. We do have comments from the administrator who's been brought in to wind up the company
along the lines of,
well, they were in quite a lot of trouble, you know?
So I think we can read the tea leaves a little bit there.
And particularly, you know,
they were saying that they were looking for new investors
and obviously the ransomware attack
kind of shut that process down.
But let's be honest,
in this environment,
looking for new investors
is not necessarily an easy process to begin with.
But look, this happens often, not in the sense of going out of business but having significant real world
effects from ransomware groups. And I'll tell you, I also serve on something called the Homeland
Security Advisory Council, which is part of DHS, that advises the sector on various issues, and
earlier this year I led a study group, a task force, to look at supply chain issues and
we went out to the Port of LA, Long Beach and looked at issues there. And in part what we looked at also
is what happened, if you recall, with the big backlog of ships that were sitting outside of that port for literally months back in 2021, spring of 2021,
having really cascading effects across the entire economy. And what we found is that there were a
number of factors that were contributing to all of this, but one of them was actually a ransomware
attack against one of the big logistics companies there that was not able to process shipments out
of the port, move them out, and they kept
stockpiling. So it was not the contributing factor, but it was one that actually had
broad impacts on the overall US economy. I think the point you're making is it doesn't
matter whether or not the ransomware is directly responsible for this group going out of business.
It certainly didn't help. Absolutely not.
Yeah, yeah, right. We've got the state healthcare,
the universal healthcare system in the Philippines,
the government org that runs that
is struggling to recover from a ransomware attack.
I mean, that's another example of one.
And also Bermuda having some trouble, Dmitri.
Well, it's Bermuda.
And before that, it was Martinique and Trinidad and Tobago, Dominican Republic,
and of course, Costa Rica
that you've talked about on the show.
So you now seem to have this trend
of ransomware groups going after governments.
Specific, well, and they go after specific regions.
So we saw them do a tour through the Pacific.
I think that was like, what, earlier this year
and last year as well.
So I think it does seem to be a thing, doesn't it, where they decide to focus on a region,
on a specific region that doesn't necessarily have a great response capability. And then
eventually allies come in to help, maybe, you know, offer some responders and whatever,
and then they move on to the next region, which I mean, you know, it's diabolical, but it seems smart. It is. And, you know, I was thinking back to a year ago, the White House and Ann Neuberger,
the White House Deputy National Security Advisor for Cyber organized this counter ransomware
initiative that includes, I believe, about 30 different nations. And Australia is actually
one of the leaders in that group to look at ways that countries and law enforcement agencies can collaborate against these ransomware groups.
And I imagine that they're getting a bunch of new countries
that are asking to join post all of these different hacks
that have been taking place.
Yeah, that's right.
Now, the Ukrainians have done a report into a bunch of stuff.
So there was one that came out of the Ukrainian cert,
and that was pretty interesting, just looking at the way Russian attacks against Ukraine have
changed over the years. So there's less focus on malware, more focus on phishing and whatever.
I'll just link through to that and people can find it. It is interesting. But we're also seeing
the Russians target Ukrainian organizations that are investigating war crimes by the Russians.
And, you know, this comes on the heels of reports that the International Criminal Court had a cyber
incident that, you know, Russia was presumably behind. So a few pieces sort of falling into place
here. Yeah. And I actually found the report from Victor Zhora, who runs the Ukrainian CERT,
quite interesting. He talked about a couple of different trends.
One of them, obviously, is Russians going after investigations of war criminals,
which is to be expected.
They want to know what the progress is, what the evidence is,
if they're potentially...
Who do they need to give new identities to, etc.?
Or witnesses that they can try to intimidate or worse, right?
That can testify against them.
But they're also talking about this move, they're saying,
a shift that they've been seeing this year of targeting away
from government, military, and critical infrastructure
to doing more law enforcement, private businesses, and media
that I think is very interesting.
Somewhat, I think, maybe timing-related because we know
that the kinetic campaign against the Ukrainian grid pretty much stopped after the end of winter
and is now starting again, literally in the last week or so. So we may see a resumption of the
cyber activity as well, where they were waiting out the summer, and now they want to try to
destroy the grid again in anticipation of a cold winter, another war crime, by the way. Some of it may be actually
trying to get quick wins. The tempo of operations is so high that it might be harder to break into
these hardened targets like military targets. And if there's pressure on them to produce effects,
that they're going to try to pick targets that are much easier, where they can potentially buy access or leverage previous accesses and so forth.
And in fact, the report says that the severity of these intrusions is going down as well.
But in some ways, it's interesting because the speed of exfil is quite good.
In many cases, they're saying that it takes these actors 30 minutes from entry to
exfil, which is really, really remarkable. Well, and they're going back and they're hitting places
that they've got access to, so they're going back doing new exfil and then shoring up their
persistence, and it just seems like, yeah, they're getting a little bit more organized in their day
to day operations. But it ain't all beer and Skittles in Russia, Dmitri,
because it looks like their version of these global reservation systems
for flight information, so the Russian equivalent to Amadeus and Sabre,
which is apparently called Sirena Travel,
apparently they got popped and something like 665 million flight records over 16 years have been stolen.
So that's information on 664 million flights,
which I'm guessing is going to include passenger manifests and whatnot.
That's been stolen and the people who did it are offering to share it
with anyone who has a good reason to have it.
We know how valuable this sort of information is
to investigators.
And, you know, it's just such an advantage for the West
having access into things like Amadeus and Sabre.
And we've seen adversary nations targeting those systems as well.
So we know this stuff is valuable.
I think this is probably a slightly bigger deal.
The fact that I have to include a link from Yahoo News discussing this, which is a
syndicated piece from the Ukrainian Pravda, would suggest that this isn't getting enough attention.
Would you agree? Absolutely. In fact, you had Bellingcat come out and say that they were looking
at a much narrower leak from the system just three years from 2014 to 2017. And that was responsible for over a dozen investigations
they had done in Russia on Russians,
including presumably some of these GRU assassinations
that they have unveiled,
where they were tracking folks that were trailing Navalny
and flights between Moscow and Great Britain
for this Skripal attempted assassination.
And now actually we have a quote from one of the team members from Navalny's group
saying that they're really hoping to get access to this data.
So far these hackers have only released 3 million out of the 665 million records.
And I really love this quote.
The guy says, if we can get access to this information,
there's enough material there to last us several lifetimes.
Yeah, yeah.
I mean, it's an absolutely amazing source for groups like Bellingcat.
And I would be very surprised if they don't wind up getting access to the full kit.
Because it looks like whoever did this is a pro-Ukraine group, and probably the biggest headache you could cause
Russia with this is to give this information to Bellingcat. Like, that's a slam dunk, right?
Absolutely. And they validated that the data is real. They checked some of the flights and
they really add up to known flights. Yeah, that's it. All right, so moving on. And we've had some border checkpoint outages in Canada
that are apparently a result of a Russian DDoS.
Is that right?
Well, it's not clear.
There were kiosks and electronic gates
at some of the border points in Canada that were shut down.
Not clear whether it was DDoS or not.
There was another pro-Kremlin hacktivist DDoS
being directed against some Canadian entities early in the week. So some people are trying to tie the two together,
but this could actually be yet another ransomware attack that we're seeing in Canada as well with
regards to these kiosks. Yeah, I mean, I wondered too, like everyone's quick to blame Russia for
everything at the moment, but you just look at what's going on between Canada and India at the
moment. And in particular, sort of Indian nationalists are very annoyed at Canada.
And they're the types, you know, nationalists of all stripes
are the types who tend to do those sorts of things, right?
When I think back in the day, 20 years ago, it was the Chinese nationalists.
They loved a good DDoS.
And then, you know, you've got your Russians and your Turks.
And, you know, when you annoy nationalists, you get DDoS.
That's like a cyber truth. Although we know what happens to these nationalists that get into this,
judging by the Chinese example. They get recruited. Over 20 years ago, exactly. They join the security
services, and that happens in Russia as well. Yeah. Now, we did have an interesting spyware story pop
up over the last week, which is the iPhone of an Egyptian presidential candidate got hacked with a
0-day chain for the third time.
And they had the Predator spyware this time,
not Pegasus. Predator spyware dropped on them.
You know,
I think it's,
is this a good news story where increasingly we're seeing this stuff turn up
on high value targets, you know, like
really prominent journalists and presidential candidates and stuff. I mean, you know, it feels
like the target set might be narrowing a bit. Is that good news, Dimitri? Well, I wouldn't jump
that far. It might be that you're right, but of course we don't know the full set of the victims
here. So there could be many, many not so prominent people that have no idea that they've been hacked.
Well, that's right.
And Citizen Lab, who actually identified this along with Google TAG,
have not been tracking it as closely.
So I wouldn't go that far.
But the compromise here, again,
speaks to the sophistication of these entities.
In this case, it was Cytrox in Macedonia
that was responsible for building Predator.
But three zero-days, right? The privilege escalation zero-day or remote code execution in Safari.
Really, really sophisticated stuff. And just tells you that despite all of the improvements in iOS,
and there were Android zero days as well, that Google has patched, these companies are able to
uncover them every single time. So I don't think anything is stopping them at the moment.
I mean, we've seen some Russia-based
exploit broking service all over Twitter.
This has gone massively viral in InfoSec circles.
They reckon they're offering like 20 mil USD
for a zero-click iOS exploit chain.
To me, that feels a bit like bullshit. But,
you know, do you think the Russians would have to pay that much because not many people want
to work with them? They need to make it that appealing? Did you see this? What did you make
of it? I did. I'm not quite sure. I mean, there's certainly lots of people still that are working
for Russian intelligence services that have significant capabilities. There's lots of domestic contractors working with FSB and GRU and others. So I'm not
sure that you can say from that that, you know, they need to buy exploits because they can't find them
themselves. Obviously lots of really highly expert people in Russia that have done a lot of
exploit development in the past. So I wouldn't jump that far.
I mean, it didn't feel right to me either.
I mean, it feels like you're skeptical as well,
that this seems like maybe a bit of marketing.
Yeah.
What I found interesting about this Egyptian case, though,
is that the Citizen Lab folks believe that the initial compromise
was delivered via Sandvine,
the telco-based equipment that did a network injection into the device.
So it tells you that there's quite likely,
if not almost certainly, government involvement there.
Yeah.
Now, look, we've got some research
that I don't think anyone has to worry about here,
but it's the sort of like academic security research
that is just kind of
clever enough that you kind of have to include it, right? Dan Goodin's written it up from Ars
Technica, and it's called a pixel-stealing attack, and it affects GPUs. And the idea is you can steal
content from, like, GPU memory, so you can reconstruct images from the GPU. If you're a
malicious website, you might be able to, like, look at another tab or something like that. I mean,
it's real hard to imagine this ever being used in anger. But I still, you know, I have to admit
enjoying work like this. Very, very clever. But as you said, not extremely practical. And as I was
diving into the details of this research, they're basically leveraging the
fact that GPUs compress data to save memory bandwidth and improve performance, and as a result
of that compression you can infer what the pixels are likely to be. And basically the way this attack
works is that you need to take a destination website from which you're trying to steal the
pixels, let's say a username that is being entered into a particular website,
and you need to put it inside an iframe,
and that destination can't deny embedded cross-origin sites,
so there are a bunch of restrictions.
It also doesn't work in Safari and Firefox
because of how these browsers handle things,
so really a lot of restrictions
from this being able to be used in the real world effectively.
But the main one is that it takes about 30 minutes
to render targeted pixels
only with about 97% accuracy.
So as I was reading this,
I was thinking there's much, much easier ways
to steal usernames.
Yeah, I know, right?
Like it is one of the most elaborate ways
to skin a cat ever.
Yeah, it's-
Most of the time you're not even going to get the password
because it's going to be masked.
It's going to be...
Yeah, exactly.
It's going to be like a bunch of asterisks.
So yeah, completely pointless,
but also quite cool and I dig it.
Now, CISA's KEV.
There's now a thousand bugs on it, right?
So we've had a bit of a debate,
a bit of a back and forth on this show
about the virtues of the KEV, because it did get big pretty quick.
And we wondered if it would lose its efficacy.
What's interesting here is CISA has released some info on it.
Jonathan Greig has this write-up over at The Record that we've linked through to. Bugs on the KEV list get patched quicker, like a fair bit quicker, and bugs in internet-facing stuff
that are on KEV get patched, like, really quite a lot faster. So it looks like it's actually
doing what it's supposed to do. So good one, CISA. Yeah, you know, most people don't appreciate this,
but there's a bunch of inertia inside companies to patch specific systems. You will get businesses, business units
that will object to it. You will have IT people saying they always have higher priorities.
So for security teams to be able to point at something and say CISA is focused on these
vulnerabilities. They know they're being exploited. You really, really must patch these five
and you can wait on the other three. I think that's really helpful.
And if it gets some of these organizations to patch faster, I think it's a good thing.
Yeah, 100%. We have a new record for the year for crypto thefts. The Hong Kong crypto business
Mixin has lost $200 million in crypto assets. I mean, these things are so regular, they're barely
even worth talking about at this point. I mean, I think they had, you know, they've got like a gajillion dollars,
you know, billions in their control. So 200 million, they can absorb the hit,
but it's hardly confidence inspiring in the crypto ecosystem, is it?
Yeah, but has any of this news affected people's desires to invest in crypto? I don't think it's
having any effect whatsoever. And people are continuing to spend money getting Bitcoin and Ethereum and all these
other coins. I mean, that stuff survived, but stuff like NFTs, is it essentially that market
went to zero? Yeah, but not because of cyber concerns. Yeah, that's true. That's a good point.
It's kind of depressing, but it's a good point. Now, look, a bit of industry news, and Cisco is buying Splunk for
$28 billion. And what do you think Cisco's, you know, we don't normally talk about deals
in the show, but what do you think Cisco is going to do with Splunk? Are they going to,
you know, invest in it and innovate? Probably not, is my feeling. Or are they just going to,
you know, maintain it and, you know, absorb all of
those customers into the Cisco Borg cube? Well, this takes me back about two decades, when I was working
at an email security startup that was competing with a company that Cisco had bought, IronPort.
And I can tell you, for about two years they were an absolute menace to us, because what Cisco did
is they double-comped their salespeople to sell IronPort along with their existing solutions, and they sold
just a boatload of it. And then after two years they stopped, and all the people left because they
were vested, and the product pretty much started dying a slow death. So I think there might be a
short-term spike in Splunk sales.
And then it'll wither on the vine.
Because of bundles, and then it'll wither, yeah.
But, you know, other solutions like Sentinel from Microsoft
are giving them really, really good competition
these days, too.
Dmitri, thank you so much for stepping in
to fill in for Adam.
And, yeah, it was really fascinating stuff,
and we'll do it again soon.
Sounds great.
That was Dmitri Alperovitch there with a check of the week's security news.
And I've linked through also to a pre-order page in this week's show notes.
It's the Amazon pre-order page for Dmitri's upcoming book, which is called World on the Brink:
How America Can Beat China in the Race for the 21st Century.
And the book is mostly about how vital it is to deter China from attempting to
invade Taiwan. And I've read a few bits of it already, and it's great stuff. It's out next year,
but you can pre-order it at the link that is in this week's show notes. I've also linked through
in the show notes to a podcast Dmitri and I did together. I think that was last week.
It all blurs together at a certain point. But we did a podcast all about Starlink in Ukraine,
and that one was published into his feed, and his podcast is called Geopolitics Decanted.
And yeah, that recording that we did got a great reception, so I think a bunch of you who listen
to Risky Business will also enjoy that one. Adam will be back on deck next week. And for those who have been asking, which has been quite a few of you,
yes, Lina Lau will be back in a couple of weeks also.
Everyone really enjoyed her contributions
to last week's show.
And, you know, we hope she'll be back regularly.
And I think she's coming not next week,
but the week after she'll be back.
But yeah, in that news segment towards the end,
you just heard us talking about SIEM and Splunk.
And Dmitri mentioned the fact that Splunk has real competition now, and one of those competitors is
this week's sponsor, Panther. Ken Westin is the field CISO there, and Panther makes a SIEM, and I
guess the best way to describe it is it's modern. It's a detection-as-code type of deal with proper,
you know, data infrastructure behind it. It can handle high volume and high velocity logs.
And it also won't bankrupt you, which is a nice feature.
But this conversation is really about what's changed in SIEM over the last few years.
And look, usage really has changed.
As you'll hear, a lot of SIEM deployments,
they don't even bother tracking stuff like firewall logs anymore.
Ken is a SIEM veteran. And yeah, he joined me for this chat about the state of SIEM and what's changed.
Well, it's kind of tough right now, I think, with SIEM, because a lot of people have had bad experiences
with it in a lot of respects. Many organizations, I think, see SIEM as a four-letter word. You know,
in my talks I always ask, like, who loves their SIEM? And, you know, I think I've had one person raise
their hand.
And, you know, I think there might have been something wrong with them.
Did you have your, like, Steve Ballmer moment?
I love SIEM! Yeah!
Yeah, I mean, nobody really loves their SIEM, which is unfortunate.
I mean, I think analysts do.
Like, once you get it up and running, you know, it's great.
Like, you know, I spent years at Splunk.
I was one of the first
security specialists. And back then it was amazing. I could search all this data and
it was a lot of fun. But back then we were also selling to a lot of corporate entities, right?
So we're selling to companies that were maybe selling services and widgets, but they weren't
necessarily tech companies themselves. So we're selling mostly at the IT departments.
And what's interesting is
when I, you know, I spent four years at Splunk, then I spent about three years at Elastic, where
I led security strategy and competitive intelligence, doing a lot of like teardowns and things like that.
And I was, I started noticing this shift to SIEM, where it was not just corporate security, it's more
developer focused. You start to see a lot of organizations were migrating to cloud, started building a lot of custom applications. And so you sort of saw this
observability and security sort of overlapping quite a bit. And that really changed the demands
for SIEM. There was a lot more demand for being able to run searches faster, being able to leverage
automation and things like that as well. It's strange to think that SIEM is actually
old enough to drink now. It's like, what, 22 years old? I think that's when ArcSight actually came
onto the market in the first place. So when I came to Panther, I was looking at what data
people are ingesting. What's different here? And I saw a real big difference was it was more on the
DevOps side. We're bringing in maybe Okta, we're bringing in GitHub logs, which is
very strange, I think, for SIEM. And we're also bringing in a lot of CloudTrail logs, things like
that, that might be really expensive to bring into some of the more traditional SIEM platforms,
or I kind of refer to them now as legacy SIEMs. And so you have a higher volume of logs, you have
a higher velocity of logs. You also have more demands again for near real-time
detections, automated response and things like that. So that's what I've really seen change.
And then we built a work proper app. It's less about events on Windows networks and more about
what's happening in custom applications for at least a subset of the market.
Yeah, exactly. I was shocked when I was looking at it and nobody was bringing in firewall logs,
like no Palo Alto or anything like that.
And I was like, why the heck is that? And I looked at it and all of our customers were really
tech companies. They're highly distributed. They really didn't need some of these firewalls. It
didn't actually map to their network architecture and the things that they're trying to protect.
So are they doing stuff like bringing in like Zeek instead? Yeah, there was a lot of Zeek,
but I think one of the top log sources we had was custom.
So we actually-
Well, I mean, I was actually going to ask you about that
because one of the advantages
when you're doing your own applications
is you can get them to log whatever you want, right?
And if you've got a decent SIEM platform,
you can pump them into that
and know what you need to know, right?
Yep. Yeah, I mean, exactly.
We make it very easy to, you can just actually drag and drop a log sample and it'll actually infer a schema for you right there.
So make it really easy to, you know, onboard custom log sources.
So there's that.
And then GitHub was interesting to me.
So I actually built a workshop around it because I was curious, like, what sort of threats that people were facing.
Yeah, I was going to ask on that because you mentioned that it's weird and it is weird.
But I'm guessing there's – and always when you hear about something like this, it's like, well, that's strange.
And then someone gives you a really good reason.
You're like, oh, okay.
Well, it sort of makes sense if you look at, like, some of the threat actors, like we saw, like Lapsus$.
You know, they were trying to get into,
compromise, an Okta, and then they would get into GitHub repositories, and they would be looking in,
you know, private repos for any sort of secrets or keys. You also had Lazarus, who are the North
Korean APT actors that were also targeting developers, and they were actually using social
engineering and inviting people to these sort of private GitHub repos
with the goal of getting them to download this code and execute it.
And then it had malicious dependencies.
So it would actually be downloading this malicious code
from these other servers.
Again, they were targeting developers.
So then they get into the developer system
and then they can hopefully compromise,
again, get other GitHub repos for that company. They were targeting mostly, like, gambling companies, cybersecurity entities, as well as a lot of cryptocurrency startups as well. And we've actually just seen it's been very successful for North Korea. I think they were trying to sell almost like $40 million worth of cryptocurrency recently.
Yeah, I mean, it's staggering how much they've made out of that. I do wonder how successful they've been in actually turning the stolen crypto into cash. But also,
if they were having too much trouble doing that, they wouldn't be stealing it in the first place,
so they must be finding a way. Yeah, I mean, one thing I see with cryptocurrency is that it
makes money laundering a lot easier. Yeah, yeah. Well, I don't know.
I think that's an open question given how good like blockchain analysis has got these days.
I think that used to be true.
Yeah, maybe shifting to Monero or something.
That's what they're going to start requesting.
So are people de-emphasizing
the sort of on-prem networks part of SIEM
or is it just that these days
doing SIEM for that sort of environment
is just kind of well understood and old hat, and you can stand up a program pretty easily? Because,
you know, I think these days, you know, standing up a SIEM program to monitor an on-prem Windows network,
it's not some crazy art-meets-science thing anymore. It's a pretty well understood program to stand up.
So is that why now people are sort of extending it out into this area? Or I guess it's just
because more company assets are now DevOps-y, you know, custom. Yeah, I kind of blame the pandemic
for it a lot. I mean, there was a shift, there's always been a shift to cloud, right? And I think
that really accelerated during the pandemic. You became a cloud-first company, whether you liked it or not.
Well, I'd like to believe you, but I think we really became VPN-first companies initially,
which was quite depressing.
But yeah, I do know what you mean.
Yeah.
But then, you know, I think with that too, there's been a lot more like development to
like tech development where it is every company now is a tech company at some point, whether
they like it or not.
They're building custom application, custom scripts, particularly as you start to migrate to the cloud.
You may just have a shared GitHub repository of scripts that you use for automating processes and things like that.
So there's been much more of a dev focus.
And I kind of refer to this as the sort of shift-left mentality when it comes to SIEM, where, again, we're not just deploying into corporate environments.
As you said, a lot of
on-prem environments, that's kind of well understood. But I think the challenge that a lot of people had
is when they did the shift to cloud, there is an increase in volume when it comes to logs. I'm not
sure if you've ever tried to bring in CloudTrail logs from AWS. It can be incredibly expensive if
you have your pricing based on data ingest, especially if you want to have long-term data retention.
So most SIEMs have 30, 60, if you're lucky, maybe 90 days.
One thing that we offer is one year of searchable data.
So that's kind of a big differentiator,
but just the way we're much more efficient with how we leverage
our security data lake.
So we're able to save a lot of costs by doing that.
And also I think a lot of organizations are facing that,
just trying to bring all these SaaS apps in,
trying to bring in cloud applications, everything from Zoom,
they all generate logs and it's a higher volume of logs
than I think they were ever dealing with before.
And that sort of like scale,
the economy of scale doesn't really map well
when you're used to the on-prem environment where maybe you're bringing in, you know, maybe 100 gigabytes a day of data.
When all of a sudden I was just talking to a customer today and they're bringing in like a couple of petabytes of data per month.
Right. So it can be, yeah, it can grow exponentially and it can become a real problem.
That'd be a hell of a Splunk bill, that one.
Yeah, you're right.
It could be.
I'm sure they probably offer some deep discounts and things like that.
But yeah, you ask them for a quote and they're like, sorry, our standard computers can't display a number that large.
Can we finance this?
Exactly.
But, you know, look, speaking of the incumbents, right?
They're dug in pretty good.
I got to admit to being surprised that they've managed to hang around
and be as dominant for as long as they have been.
I think it's one of the reasons I find, you know,
what Panther's doing so interesting because we've seen a lot of people
kind of innovate around SIEM helpers and things like that for Splunk,
but not so much the ground-up rebuild, right? Which is what you guys are trying to do. I mean, we've
seen Elastic do some stuff, and you know, you yourself used to work there. But why is it
that the incumbents have just been able to stay so dominant for so long, even when, like, everybody
knows that they're, with Splunk in particular, the amount they charge is just taking the piss, right?
And everyone keeps paying the Splunk tax.
Why is it, do you think?
Well, I wouldn't want to say it's a ransomware model, but it kind of is a little bit.
And it's a good thing because...
It's the old Symantec model of, you know, it's the cancer that once it gets into the enterprise, it's very difficult to cut out. Well, that means a huge kudos to Splunk, because they were able to get and show people how they
can get value out of their data. Like a lot of times, you know, people didn't realize, you know,
how much value they could actually get out of their logs. So I think they did a really good job
of not just targeting IT, but also, you know, going after other areas of the business, everything from,
you know, the security groups, talking to the development groups.
I used to do a lot of workshops with them,
and they would go and they would say,
well, holy crap, this is great.
We want to bring this data in for threat hunting,
but that's going to increase our Splunk bill by 10x.
And then I would say, well, now you know why the workshops are free.
But that was kind of the model,
was really to get them to become dependent on it. And I really think it shows that, you know, the people really need that
visibility, they need to be able to have access to that data, understand what's happening in their
environments. And so, you know, kudos to Splunk, because they really tapped into that. And they're
able to show people the value. And that's why the tools become so popular. I love using Splunk still,
I use it all the time.
In fact, we're building integration with Splunk. There's a lot of things our platform can't do that Splunk does really well. But now what we're doing is we can bring in the high volume log
sources and then we can send those alerts into Splunk. So if that's where they have their security
workflow, we can go ahead and we can integrate and work really hand in hand. And I think that's important is don't try to do rip and replace.
Don't try to, you know, say it's one or the other.
I think the more you sort of align with the security ecosystem,
you can actually meet the customer where they're at,
help solve the customer problems,
not necessarily trying to, you know,
get in there and try to replace a Splunk or Elastic or anything like that.
I think it's better to go in and identify what are you trying to accomplish. Let's see how we can
get these tools to integrate, and maybe we'll save you some money along the way. Yeah, I mean, it really,
the pitch makes a lot of sense there, when you're like, look, send your absolute crazy volumes of logs
to us, we'll do the processing on them, and when there's an alert that's kind of confirmed and
contextualized and whatever, then you pump it into the SIEM for 10 cents, you know, instead of just trying to do all of that work in Splunk. It's interesting what you
said about Threat Hunt there, because I got a demo of Splunk, I think it was like over 10 years ago,
you know, 10, 15 years ago, something like that. You know, I got my first demo of it with someone
from Splunk. And it was pretty amazing. They were showing C2 traffic via a fake flash agent,
you know, that they'd managed to find on a network.
So for ThreatHunt, it was really good.
But, you know, I kind of feel like
that's not really how you do ThreatHunt anymore.
You know what I mean?
You would much more be using your EDR instrumentation
and whatever.
So some of those use cases are just like,
you know, I'm not saying Splunk isn't useful.
I'm just saying like there are things
that do that better now.
So I guess that's why I'm saying I'm surprised at how well entrenched they've been able to keep themselves.
Yeah. I mean, I think also Splunk was around when people didn't understand their data. They
didn't understand the shape of it. They didn't know what fields to look for. And I think even
some of the data sources you're bringing into Splunk, that's still true. You kind of use Splunk
to make sense of the data you're ingesting.
But I think when it comes to cloud and SaaS applications and custom logs,
we have a better understanding of what's important in those data sets. We used to say, when I was at Splunk and some others, all data is security relevant. Yeah, all security log sources
might be relevant, but not every field is going to be important. So being able to provide the flexibility for organizations to filter out some of the noise or some of the
data that you don't need, I think that's critically important and can actually save organizations a
lot of money. But if your entire business model is just on ingestion alone, you know, are you
cannibalizing yourself by offering those features? So I think we have to kind of, you know, as
vendors, we have to say, you know, what's the right thing for the customer? You know, if we do the
right things, then, you know, we're going to make money. We don't need to say you have to ingest
everything. If we can apply filters and you can save money, then I think that's the best thing
for us to do. So of your customers, what percentage of them are using Panther standalone versus using
them as a feeder for their existing SIEM?
Kind of the feeder model, it's fairly new.
So we've just started getting a few customers that were interested in that.
And so I would say, you know, just a handful, but it's becoming much more common, particularly again, for those high volume use cases.
Well, I was going to say, I mean, there's just such an obvious business case there,
right?
Which is that we can just save you money
off your outrageous SIEM bill.
Yeah, well, we're just ramping it up
and you're going to hear a lot more
about it in the future for sure.
But it's still fairly new for us.
Yeah, all right.
Well, Ken Westin,
that was really interesting stuff, man.
All the best with it.
Sounds great.
And we'll talk to you again soon.
Great.
Thanks a lot, Patrick.
That was Ken Westin there from Panther.
And you can find them at panther.io.
And that is it for this week's show.
I do hope you enjoyed it.
I'll be back later today with another episode of the Seriously Risky Business podcast with Tom Uren.
But until then, I've been Patrick Gray.
Thanks for listening.