The CyberWire Daily Podcast 8.27.21
Ep 1406 | 8.27.21

The T-Mobile hacker speaks (we think). SparklingGoblin enters the cyberespionage ring. Is someone stealing data to train AI? Cellebrite’s availability. Ragnarok ransomware says it’s going out of business.


Dave Bittner: A young man claiming responsibility for the T-Mobile breach talks to The Wall Street Journal. A new cyber-espionage group, SparklingGoblin, seems particularly interested in educational institutions, especially in Southeast and East Asia. Are governments training AI with stolen data? Mitigations for Microsoft issues. Cellebrite tools may still be available to Chinese police. Kevin Magee from Microsoft wonders if leaders have over-pivoted toward technical skills. Our guest is Bill Wright of Splunk on the ongoing geopolitical ransomware trend. And another ransomware gang says it's going out of business. We'll wait and see.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 27, 2021. 

Dave Bittner: The Wall Street Journal has been talking with the young American expatriate, one John Binns, residing in Turkey, who claims to be responsible for hacking T-Mobile. The Journal regards John Binns' claims as likely to be credible since, as they say, he seems to have kind of nonpublic knowledge about the data breach only someone involved in the operation would in all probability be familiar with. 

Dave Bittner: Mr. Binns, said to be 21 years of age, says he gained access to T-Mobile's networks through an unprotected router, using this as an entry point to the mobile carrier's data center in the U.S. state of Washington, from where stolen credentials gave him access to more than a hundred servers. He said the telco's security was awful and that he hacked them to make noise. The access he gained, he said, was so extensive that he found it frightening. He texted the Journal, quote, "I was panicked because I had access to something big," end quote. He spent about a week moving through the servers and exploring personal data. 

Dave Bittner: How the claims that Mr. Binns was interested in making noise, drawing attention to some lesson that might be drawn from the breach, are consistent with the offers to sell stolen T-Mobile data in a hacker forum isn't entirely clear. Those offers were connected with hacker names Mr. Binns has used, IRDev and v0rtex, the latter being spelled vortex with a leet character zero in place of the noobish letter O. 

Dave Bittner: When the Journal asked him directly, Mr. Binns had no comment on whether he was selling the stolen data or had been paid to compromise T-Mobile. 

Dave Bittner: John Binns, a graduate of northern Virginia's McLean High School, appears to be largely self-taught, cutting his teeth on hacking games like Minecraft and in associating with some bot-herders who've afflicted online gameplay. He also has an ambiguous track record of claiming imprisonment, involuntary sequestration in hospitals and so forth, possibly at the hands or at least the instigation of the FBI, unless it was the CIA. In any case, if it's noise he wanted, it's noise he's made. 

Dave Bittner: An offshoot of the Winnti APT has been exploiting the SideWalk modular backdoor, Threatpost reports. The group, which ESET calls SparklingGoblin, has been hitting targets in East and Southeast Asia. It's also shown interest in usernames and IP addresses from a U.S. computer retailer and Canadian schools, Threatpost says. 

Dave Bittner: Winnti has been associated with Chinese intelligence services. SparklingGoblin appears to have used some code stolen from the U.S. Equation Group as well as Winnti Group tools in its operations. 

Dave Bittner: The exploitation of Microsoft Exchange Server vulnerabilities by Chinese intelligence services, and particularly by the threat actor Microsoft tracks as Hafnium, could have served multiple purposes, the most obvious of which was direct collection of intelligence from the targets Hafnium compromised. Somewhat less obvious was the potential the operation had for the development of target dossiers that could be used to compromise and recruit foreign agents. 

Dave Bittner: But a third possibility also exists, NPR reports. China is engaged in what Beijing views as a race to develop a dominant position in artificial intelligence, and AI needs data to train on. In some respects, the more indiscriminate, the less structured that data may be, the better. 

Dave Bittner: Microsoft has warned customers against a vulnerability in Azure's Cosmos DB database, Reuters reported earlier this morning. Researchers at Wiz discovered and disclosed the issue, which involved access to database keys, earlier this month, and Microsoft has now addressed the problem. 

Dave Bittner: Microsoft has also issued guidance on addressing ProxyShell vulnerabilities in Exchange Server. Users of these products should give Redmond's guidance careful attention. 

Dave Bittner: And we disclose, as always, that Microsoft is a sponsor of the CyberWire. 

Dave Bittner: The Intercept says that although Cellebrite says it exited the Chinese market last year, Chinese police have continued to buy the company's phone-cracking technology. The Intercept describes the ways in which the cracking tools continue to reach China. 

Dave Bittner: Quote, "while Cellebrite did deregister its Chinese subsidiary earlier this year, it appears to have done little about the brokers that peddle its hacking technology. Chinese government procurement awards notices and posts on resellers' websites show that police have continued to purchase powerful Cellebrite software, while resellers have continued to provide updates for the software. In one case, a reseller reported delivering the Israeli company's software to border guards in Tibet and demonstrating how it could be used to search people's WeChat accounts," end quote. 

Dave Bittner: Cellebrite responded to The Intercept through its public relations representatives. 

Dave Bittner: Quote, "Cellebrite has developed a strong compliance framework, and our sales decisions are guided by internal parameters, which consider a potential customer's human rights record and anti-corruption policies. Cellebrite remains committed to safeguarding human rights and has developed strict controls, ensuring that our technology is used appropriately in legally sanctioned investigations," end quote. 

Dave Bittner: And, finally, the ransomware gang responsible for Ragnarok says it's shuttering its operations and has released a decryption key for Ragnarok, according to The Record. The Ragnarok gang had been active since 2019. Ragnarok had long made a meal of Citrix ADC gateways and was also the gang responsible for the quickly thwarted campaign to exploit a Sophos XG Firewall zero-day. 

Dave Bittner: The decryptor seems to be real, but whether this represents a genuine twilight of the bad gods or simply indicates a rebranding remains to be seen. 

Dave Bittner: Bill Wright is director of federal affairs at Splunk and formerly staff director for the Homeland Security and Governmental Affairs Committee for the U.S. Senate. I caught up with Bill Wright recently for his take on the seemingly relentless march of ransomware and what he thinks might be done to slow the pace. 

Bill Wright: So I think, you know, at least a year and a half ago, ransomware was really seen primarily as a - what I would call a nuisance cybercrime in schools, hospitals, businesses, sure, but the disruptions were considered pretty isolated. No one was known to have died, and the ultimate effects were limited primarily to those entities that were hacked. 

Bill Wright: Then came Colonial Pipeline, disrupting nearly half of the East Coast's fuel supply, quickly followed by another attack that threatened the nation's largest meat supplier, JBS, and then, of course, Kaseya last month, along with many countless others that maybe didn't make the headlines. So it quickly moved from an economic nuisance to a national security, public health, safety threat. And I think that's the way our government is treating it now. 

Dave Bittner: You know, we've had the public statements from President Biden, you know, where he has said that he's spoken with President Putin about this issue and are trying to apply diplomatic pressure and so on. Are we seeing any effects from that? Is - has there been any change since we've seen those public declarations that this is important? 

Bill Wright: First off, a threshold matter - I think that that public declaration is very important. Also, this likely goes without saying, but there is no silver bullet for this. Smarter people than me have been grappling with this problem. I thought a lot of the ideas and some of the recommendations that came out of the ransomware task force were interesting. And one of those was to publicly acknowledge at a high senior level some of the problems around ransomware. 

Bill Wright: The Biden administration, I think, is taking some really good steps to help modernize our cyberdefenses. The EO, for instance, was a great start, among other things. If you read between the lines of the EO, I think there's really broad recognition that security is first and foremost for us a data problem. The life cycle of a threat response is relying on data to detect a threat, monitor for impact, find a solution, prepare for that next attack. So at its core, and as we like to say here at Splunk, all data is security data. And I think the EO goes a long way to recognizing that. 

Bill Wright: So the way I look at it is, clearly, organizations themselves need to better defend themselves, but we really also need to go after their business model. You know, we mentioned ransomware as a service has really opened it up to the masses. DarkSide, I think, is a classic example of this ransomware-as-a-service criminal gang but that is primarily being run outside of U.S. authorities. You know, some would argue, including DarkSide themselves, that they were not even directly responsible for those Colonial attacks. They're certainly responsible as creators and operators of this ransomware as a service. So we need to find a way to go after that business model. 

Bill Wright: There's a number of things being considered, policy considerations around, you know, what we do about cryptocurrency, reporting requirements on acknowledging ransomware payments. There's a number of ideas that are circulating now. 

Bill Wright: And then I think the last leg of this stool for going after ransomware is that the U.S. government and our allies really need to take a more aggressive approach against the ransomware actors, wherever they might reside. Until they feel the pinch, this criminal business model is going to continue to grow. 

Bill Wright: So to circle back to your original statement about Biden and Putin, I think this was an excellent start. But I think it is part of a holistic strategy across the government and across the whole of society, frankly. 

Dave Bittner: That's Bill Wright from Splunk. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for "Interview Selects," where you'll get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Kevin Magee. He's the chief security officer at Microsoft Canada. Kevin, it is always great to have you back. I wanted to touch base today with something that I know is near and dear to your heart, and that is how we approach leadership in the cybersecurity world, some things that you've been focused on here. What can you share with us today? 

Kevin Magee: I think we've talked a lot about the skills gap as an industry, and we tend to make the skills gap out to be just the technical skills required to meet the needs of our industry. And while there definitely are some challenges in that area - I certainly won't discount it - I think we've over-pivoted to that topic at, really, the detriment of leadership and management skills. And are we really thinking about, as we onboard, develop and grow our industry of technical professionals, who will be those people that lead them? What are the skills that they will need? And what are we doing to get ahead of this problem before it becomes the next skills gap that really cripples our industry? 

Dave Bittner: Can you take us through some of the specifics of that? I mean, is this training people up from within for leadership positions? What sort of things do you have in mind? 

Kevin Magee: Yeah, I think we look at, why are we disconnected, often, from the business and from operations and from strategy, and we - you know, you see those cartoons about we need to finally get a seat at the table at the board and whatnot. So there's a lot of discussion, a lot of interest in, you know, in the challenge of why there's a disconnect, but very little being done, I think, to solve it. So I have a couple of theories of what we could be doing to solve it. 

Kevin Magee: One would be taking folks out of other areas of the business and embedding them in the security teams and teaching them security skills, so sort of a cross-pollination of skills. 

Kevin Magee: The other thing is - and this would sound crazy in an industry where, you know, we have a skills gap and not enough talent - why not export some of our talent to other areas of the business? Why not take security professionals and put them in marketing or put them in sales or put them in other aspects of the business? 

Kevin Magee: This is really what we saw years ago when we were having financial challenges within companies, where we took the chartered accountants and we made - we gave them the opportunities to finally be the CEO or we embedded them in other areas of the business. And now it's not uncommon to see an accountant or someone from finance or a CFO rise to the level of CEO. You don't often see CIOs or CISOs move up the ranks into the larger chairs as well. And I think that's holding us back, to our detriment, that we're not thinking differently about how to embed security throughout the business. 

Dave Bittner: You know, it gets my dander up when I hear folks refer to some of these things as being soft skills. Like the people skills, they refer to them as soft skills. You know, to me, they are both fundamental and critical to a business' success - these abilities to communicate. To me, if you're going to be a leader, that is something that is critical. It just has - it's not optional. And yet, to your point, I think particularly when it comes to some of the folks on our technical teams, it seems to me that that's a part of their well-roundedness that we aren't always nurturing. 

Kevin Magee: And I think as an industry, we started focusing on bringing in people who were just curious. And it didn't matter what background they came from. They didn't need computer science degrees. We were all, in the good sense of the word, hackers. It was our curiosity. It was our interest in taking things apart and figuring out how they work that really drove the industry. 

Kevin Magee: And I worry, as we're trying to professionalize our industry, that we may over-pivot and make it all about computer science, and then we'll lose the soul of what made our industry great, which is the old hackers. So how do we professionalize our industry, 'cause we definitely need to do that? We need to come up with standards, and we need to come up with ways of really assessing skills and abilities. But how do we do that without losing those characteristics that really made, you know, some of the greatest security professionals of our generation, and how do we pass it on to the next generation is what I spend a lot of time thinking about. 

Kevin Magee: And I certainly don't have the answers. But it won't be based on modeling what another profession did - say, accountants or lawyers or whatnot - in professionalizing their business. We have a unique challenge as cybersecurity professionals. We have a unique need for different skills. And so we're going to have to come up with unique solutions. 

Kevin Magee: Taking an MBA and adding a cybersecurity course to it is not going to solve the problem. Taking a master's in cybersecurity core set and adding, you know, two electives for leadership or business is not going to solve the problem. I think there needs to be, really, a third way. 

Dave Bittner: When you're looking through applications from folks who want to come work with you, what attracts your attention? What are the things that catch your eye for you to say, OK, this is probably someone who has those particular types of skills? 

Kevin Magee: I think most folks that show up to an interview think we're going to talk just about work, and I often surprise them 'cause that's probably not where I start the conversation. We always end up there. But I look at volunteer experience. What do you do with your free time? Because work, you're directed off on what to do, especially in your early career, but what you choose to do with your time really tells me more about you than anything else. 

Kevin Magee: If you choose to volunteer, if you choose to get behind certain, you know, challenges you want to take on, if your passion is helping young women enter the STEM careers and whatnot, that tells me a lot - much more about your character than whether you did a certification or not as well. So I really try and get behind the motivation and thinking of what drives that person, what makes them curious. You know, what other aspects of the business are they interested in? And then how do they learn? How do they approach problems? How do they keep up? 

Kevin Magee: Those are the type of questions I spend a lot of time discussing with potential candidates. And you can see sort of the look on their face. They're often puzzled at the beginning of the interview that - why am I not asking them technical questions? I think we definitely need to explore those other aspects of, you know, what makes a great cybersecurity professional. And it's not simply yes or no answers or understanding, you know, how - technical concepts or certifications. There's much more to us as cybersecurity professionals and leaders. 

Dave Bittner: Well, Kevin Magee, thanks for joining us. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Be sure to check out this weekend's "Research Saturday" program and my conversation with Deepen Desai from Zscaler. We're going to be discussing "Joker Joking in Google Play: Joker Malware Targeting Google Play Store With New Tactics" (ph). That's "Research Saturday." Check it out. 

Dave Bittner: Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.