Updates on Russia’s hybrid war. Pegasus spyware in the service of espionage. CISA issues alerts and vulnerability warnings. C2C markets. Extradition for Assange? A guilty plea in a US cyberstalking case.
Dave Bittner: A Shuckworm update. Pegasus spyware is found on U.K. government officials' phones. Gangs succeed when criminals run them like a business. Julian Assange moves closer to extradition to the U.S. Tim Eades from the Cyber Mentor Fund on cyber valuations. Our guest is Wes Mullins from deepwatch, discussing adversary simulations. And a guilty plea in a high-profile cyberstalking case.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 20, 2022.
Dave Bittner: As Russia's firepower-intensive tactics continue the reduction of cities in the Donbas and along the Sea of Azov, a familiar FSB threat actor returns to prominence in Russia's hybrid war against Ukraine. Symantec this morning updated their research on the Russian threat actor Shuckworm, also known as Armageddon and Gamaredon, and its activities against Ukraine. Shuckworm first appeared in 2014 during Russia's earlier aggression against Ukraine that resulted in its annexation of Crimea. And the group is generally held to be an FSB operation staged from that conquered province. Its principal focus has, since its inception, been Ukraine.
Shuckworm update: scattershot and crude, but worth keeping an eye on.
Dave Bittner: Symantec is tracking four variants of the Pterodo backdoor Shuckworm installs in its victims' systems. Installation of multiple versions of, essentially, functionally equivalent malware is one of the group's characteristic bits of tradecraft. The practice seems to be a crude method of establishing and maintaining persistence. If the defenders find and kick one version, well, there are three others they might overlook. Symantec writes, while Shuckworm is not the most technically sophisticated espionage group, it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations. It appears that Pterodo is being continuously redeveloped by the attackers in a bid to stay ahead of detection. Symantec adds, while Shuckworm appears to be largely focused on intelligence gathering, its attacks could also potentially be a precursor to more serious intrusions if the access it acquires to Ukrainian organizations is turned over to other Russian-sponsored actors. That's not surprising. Developing intelligence is always an early stage in battlespace preparation. According to Bloomberg, Ukraine continues to augment its cyber defenses with significant help from domestic and international corporations.
Pegasus spyware found in British government devices.
Dave Bittner: The University of Toronto's Citizen Lab reports that it's found multiple infestations of NSO Group's Pegasus intercept tool in British government devices, specifically in phones used by the Foreign, Commonwealth and Development Office and the prime minister's office. Citizen Lab blogged, the suspected infections relating to the FCO were associated with Pegasus operators that we link to the UAE, India, Cyprus and Jordan. The suspected infection at the U.K. prime minister's office was associated with a Pegasus operator we link to the UAE. Much of the concern about Pegasus in particular and NSO Group products and services in general has been their ready abuse by governments who use them against private citizens. The British case is clearly different. The U.K. government had been prospected by foreign actors presumably engaged in intelligence collection. As far as private citizens are concerned, the European Union has decided not to organize an investigation of such cases, EUreporter says. This is really something for the national authorities, a spokesperson for the European Commission said yesterday.
Six new ICS advisories from CISA.
Dave Bittner: CISA has released six industrial control system advisories. They've also added to the Known Exploited Vulnerabilities Catalog. All federal civilian agencies must patch by May 10.
Why are the gangs successful? Because criminals are running them like a business.
Dave Bittner: VMware describes a fundamental restructuring of cybercrime cartels thanks to a booming dark web economy of scale. Gangs operate like multinational corporations, and they now engage in more destructive behaviors than before. In particular, the criminal-to-criminal market is thriving with more commodity tools available, and that's enabled the gangs to scale their attacks quickly and easily. The gangs are also becoming more destructive. The reasons for this are complex. Sometimes victims' files are destroyed in an apparent attempt to dispose of evidence. Sometimes destruction serves as revenge for victims' failure to comply with the criminals' demands and as an incentive for future victims to be more cooperative.
Assange closer to extradition to the US.
Dave Bittner: WikiLeaks impresario Julian Assange is now closer to extradition to the U.S., CNN reports, where he faces espionage charges. After receiving assurances from U.S. authorities that Mr. Assange would be decently treated while he's tried in the U.S. and afterwards, should he be convicted, the high court overturned an earlier magistrate's court decision blocking the extradition. His extradition now goes to Home Secretary Patel for approval, but Mr. Assange still has an appeal left in his quiver.
A guilty plea in a high-profile cyberstalking case.
Dave Bittner: And finally, Reuters reports that James Baugh, eBay's former senior director of safety and security, has taken a guilty plea in a very strange federal case of cyberstalking. Mr. Baugh has admitted that while he was at eBay, he organized a campaign of harassment against EcommerceBytes, a mom-and-pop newsletter run from Natick, Mass., that Mr. Baugh perceived as critical of his then employer. The newsletter's content always struck us as fairly neutral and anodyne, only moderately and politely critical, and not at all a threat to the online auction behemoth eBay. Apparently the motivation came from some will-no-one-rid-me-of-this-troublesome-priest complaints expressed by two executives, including then chief executive officer Devin Wenig, who's also left the company.
Dave Bittner: According to Reuters, prosecutors said the Steiners in August 2019 began receiving anonymous, harassing private messages on Twitter and disturbing deliveries to their home that also included fly larvae, spiders and a funeral wreath. Five other eBay staffers have also taken guilty pleas to other charges arising from the incident. Mr. Wenig has not been charged. He says he had no idea of what his subordinates were up to in and around Natick, in both physical and cyberspace.
Celebrate with us: our sixth anniversary is this week.
Dave Bittner: Before we wrap up, thanks for reading and listening, especially this week. It's our sixth anniversary as an independent company. For the past six years, the CyberWire has delivered your daily dose of the top cybersecurity news, and we're pleased to have become a trusted source for the industry. To celebrate our big 6, and as a special thanks to all of our CyberWire listeners and readers, for one week, we're offering a discount of 60% in annual subscriptions of CyberWire Pro. Use code CyberWireAnniversary2022 by April 25 to take advantage of this celebratory discount. Subscribe and save now. But above all, thank you for listening to the CyberWire.
Dave Bittner: These days, many organizations approach security with an assumed-breach mindset, considering when rather than if an attack will happen. I recently checked in with Wes Mullins, CTO at MDR security company Deepwatch, on the utility of adversary simulations and red teaming.
Wes Mullins: The best way today is, you know, set up a lab. There's a lot of open-source tools and platforms out there that will allow you to, you know, quote, unquote, "break things" in your home lab on the internet without worrying about, you know, doing anything nefarious or coming off as malicious in nature on the internet. You got to practice, though. The skills and techniques that are used in offensive security and breach simulation, whether it's red team, purple team, blue team, they are very practical in nature. There's no book that you're going to take or an exam that you're going to study for that's going to really give you that. It's practice, and practice makes perfect.
Dave Bittner: Can you sort of walk us through how an internal team would go about this, what a typical process would look like?
Wes Mullins: Yeah. I would say it's standing up a lab and then having the lab kind of devised in multiple subsets of, you know, web app, which is where a lot of people typically get their feet wet - breaking into web apps, doing, you know, basics with session state handling, user-supplied input validation, and then going more into the - what I would call the in-depth - exploit development, reverse engineering - and kind of having different pillars and, you know, saying, hey, you go solve this challenge, and once you solve this challenge, then you get another challenge. And that will vary across whether it's web app or reverse engineering, exploit development. And then everything that is, you know, red teaming, traditional pen testing in the middle, including brute force and social engineering and all of the like.
Dave Bittner: Is there a cultural element to this as well? I mean, I suspect it's important to make sure that your various teams don't inadvertently end up adversarial with each other.
Wes Mullins: There is. But that's also part of the fun, I would say, is - and done right, there are a lot of opportunities to build the rapport and build the relationships with those teams. And, you know, it does very much become a purple team exercise where you have the ones emulating the adversaries and doing the offensive campaigns also challenging the ones responsible for identifying and mitigating those attacks. Successfully done, like, it is a great thing to do inside of an organization that just pushes everyone's boundaries every single day and allows them to grow and mature.
Dave Bittner: And how do you make sure that the things that are found are actionable, that there's follow-through, that, you know, the things that - the vulnerabilities are being fixed? I guess what I'm getting at is, it would be frustrating for your red team to come up with all these things and nothing to be done afterwards, right?
Wes Mullins: Yeah. It's a great callout there. I think the key thing is when you do these exercises, what has been identified, make sure it goes through a very traditional process on identifying criticality, impact and severity, and then throw it in the queue along with everything else, whether that's regular bug fixes or feature enhancements or anything, making sure that there is a path to remediation. One of the key aspects in that, though, is validating that it is in fact an issue. Something that we commonly see are, you know, spray and pray from a slew of, you know, pen test and red team providers that are out there. And a lot of it's very theoretical. If you can't prove it, you can't provide a screenshot, you can't reproduce the scenario in a live situation, that's going to make it really hard for the team on the back end that's then being tasked to go remediate it. So make sure that your findings are legit. Make sure they can be repeated and validated at scale.
Dave Bittner: Do you have any words of wisdom for organizations that are looking to spin up something like this? I mean, are there any areas where people usually fall short?
Wes Mullins: I would say the labs. A lot of people want to - they hire the red teamers, the purple teamers, the offensive capabilities, the adversary emulators. And they don't give them the same lab that, you know, would be your internet presence. So if you want someone to really be valuable at it and provide the value that we all know that, you know, adversary emulation can provide, invest in giving them something to break. And, you know, I'm not saying give them a blank check, but make sure that if you have something that's on the internet that's very critical to you - whether it's your e-commerce platform or something you're handling payroll or transactions and there are a bunch of different components around identity and database and store and cloud - that individual or that team of individuals that's being responsible for doing that exercise should have, you know, a lab or a testing environment or development environment that is 100% a clone of that. And that is where we will see people struggle is, they don't necessarily give the group that has, you know, the challenge of going and spotting these issues inside of a - what is, in most cases, a very complex, you know, mature enterprise environment, and that's where you find gaps.
Dave Bittner: How do you measure success? How do you evaluate, you know, the return on your investment here?
Wes Mullins: One could say, you know, you're doing it faster than the bad guys and gals are doing it. I would say success is, as the organization matures all defensive capabilities, are there findings? Are you finding something internally before it is found by a third party that you're paying, in most cases, thousands of dollars or through a bug bounty program? So if there are findings and there are actual remediation, you know, steps that need to happen from quarter to quarter, month over month after the exercises are done, I would consider it a success.
Dave Bittner: That's Wes Mullins from Deepwatch.
Dave Bittner: And joining me once again is Tim Eades. He's the CEO at vArmour and co-founder of the Cyber Mentor Fund. Tim, it is always great to welcome you back to the show. I want to touch today on cyber valuations - obviously something that you work on a lot with the Cyber Mentor Fund. Can you give us some insights - some of the things that you're tracking when it comes to cyber valuations in today's environment?
Tim Eades: Yeah. Thanks, Dave. So last year, you saw this incredible growth of cybersecurity investing and crazy valuations. Companies were getting funded with 2 million annual recurring revenue at $1.7 billion. And, you know, you have to grow into those shoes, and they're really big shoes. And so what you find is people were investing in growth or growth opportunity and were just throwing money at it, as there was so much money in the system. But there's a number of challenges with that. One is, if you take - if you make one misstep in your execution, you're going to look at as a down round. And there's a down around is one thing, but when - down round you're dealing with billions of dollars is crushing. Another one, turns out, is that any of the employees that come after those crazy valuations will almost certainly make no money because they have to go to so many - into their shoes before they do another round of funding. So I actually think, you know, those things are bad.
Tim Eades: And then the third one, a lot of these valuations, again, let's just pick on one where they did 2 million ARR, $1.7 billion. What happens is the founding team or the CEO and the founding team will be pushed by the investors to do what's called a secondary, to actually take some money off the table, you know, to sell some of their shares in order to keep going. But the challenge with that is it separates the CEO and the founders from the rest of the employees because, you know, they've taken money off the table. They've taken 2, 3, 5, 10 million, whatever the number is, off of the table. But nobody else did - right? - unless it was open to everybody. And so then you get an economic separation of interest between the CEO and the founders and the employees. So more and more things will go bad with that. So, yeah, I mean, it went - it was growth, growth, growth.
Tim Eades: And then right towards the end of the year, you know, early December to round about now, it's all become operational excellence. You know, when are you going to get cash flow positive? You know, when are you going to, you know, annual recurring revenue or in your EBITDA to employees and been much more the metrics that people are looking at now are much more operational excellence based. And from that, valuations are down. You saw the public markets, the valuations in the public markets have come down, you know, pretty significantly this year. And you'll typically see the private market valuations come down like six or eight weeks later. So you're starting to see that be affected now, yeah, every single day.
Dave Bittner: Is this a cyclical type of thing? I mean, do we see this as, you know, to use your words, these crazy valuations? And does it swing back and forth?
Tim Eades: Yeah, absolutely. It swings back and forth. You know, there, you know, this is the year where - or at least the first nine months of it will be everybody was tightening their belt, looking at, you know, cost efficient, sales efficiency business models and things like that in order to do it. But, you know, the markets have two sides of their brain, right? Fear and greed. And sometimes they move between the two of them really quickly. So greed will come back. And, you know, and that's how that will go. And then we'll go back down to maybe not quite so crazy valuation, but pretty similar for sure.
Dave Bittner: For the entrepreneur, I mean, is it possible to time this sort of thing? Is there a best stage of the pendulum to get into?
Tim Eades: Yeah. Well, I always - I would stay away. I personally would stay away from the valuation dynamic as a reason of when to raise and how much to raise. What I would steer towards is getting the right VC. Getting the right investor alongside you is way more important than getting the right valuation. And so steering towards the right partner that's going to be with you through it. Because there's always going to be bad times. There's always going to be bad times. And getting the right venture person, getting the right board member with you, I always say you should go to the individual, not the firm, because the individual is the one that's going to be in the boardroom, and then focusing on that rather than the valuation. Clearly, you know, raising money when there's a war on, sometimes people would say that's a, you know, a tougher time. But for cybersecurity companies, when it's a cyber war, at least in part, you know, you want to be in the cyber defense business.
Dave Bittner: All right. Well, Tim Eades, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Dave Bittner: Our amazing CyberWire team is Liz Ervin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Dave Bittner: For the past six years, the CyberWire has delivered your daily dose of the top cybersecurity news. And we're proud to be a trusted source in the industry. To celebrate our big six and as a special thanks to all of our CyberWire listeners and readers, for this week only, we'll be offering a discount of 60% off annual subscriptions of CyberWire Pro. Use code CyberWireAnniversary2022 by April 25 to take advantage of this celebratory discount. Subscribe and save now. But above all, thank you for listening to the CyberWire network of shows.