The CyberWire Daily Podcast 8.22.22
Ep 1646 | 8.22.22

Bogus DDoS protection pages distribute malware. Estonia deals with DDoS attacks. Roskomnadzor's Internet panopticon. And data-tampering attacks are regarded as a growing risk.

Transcript

Tre Hester: Bogus DDoS protection pages distribute malware. Estonia deals with DDoS attacks. Roskomnadzor's internet panopticon. Rick Howard on the RSA security breach of 2011 and the Equifax breach of 2017. Caleb Barlow on, what does a recession mean for cybersecurity venture capital, and what is the impact of this on the industry? And data-tampering attacks are regarded as a growing risk.

Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester, filling in for Dave Bittner, with your CyberWire summary for August 22, 2022.

Bogus DDoS protection pages distribute malware.

Tre Hester: Researchers at Sucuri warn that fake DDoS protection pages, the sort that ask visitors to perform a browser check before proceeding, are distributing malware in drive-by attacks. Sucuri writes, quote, "Unfortunately, attackers have begun leveraging these familiar security assets in their own malware campaigns. We recently discovered a malicious JavaScript injection affecting WordPress websites, which results in a fake Cloudflare DDoS protection popup," end quote. "Since these types of browser checks are so common on the web, many users wouldn't think twice before clicking this prompt to access the websites they're trying to visit. However, the prompt actually downloads a malicious .iso file onto the victim's computer," end quote. The file is a remote access Trojan. The malicious site is an impostor, and there's no compromise of Cloudflare itself.

Estonia deals with DDoS attacks.

Tre Hester: Infosecurity Magazine speaks with Estonian officials concerned to mitigate the effects of distributed denial-of-service attacks the country has sustained this month. Tonu Tammer, head of the Incident Response Department of the Estonian Information Systems Authority, said that the campaign peaked last week on the 16th and 17th. Quote, "The attack against the website of emta.ee, which is the homepage of Estonian Tax and Customs Board, on August 17 had the most visible effect, with the website being unavailable from 12:30 p.m. to 1:40 p.m. After changing the settings and implementing additional defense mechanisms, it was possible to use the website again. Still, all the services were functional, and only the webpage itself was affected," end quote. Tammer credits defensive preparations and adequate resourcing with having given Estonia the means of mitigating the effects of the attack.

Tre Hester: The campaign was claimed by Killnet. The proximate cause of recent attacks has been, as it was seen in 2007, Estonia's removal of Soviet-era Second World War memorials. There may be more pretexts for follow-on attacks. Russia's FSB has claimed that the assassin who killed Russian ultranationalist media personality Darya Aleksandrovna Dugina has taken refuge in Estonia, from where Russia has demanded her extradition. The identification of the assassin is unconfirmed, and there's no reason beyond the FSB's word to think that the assassin has taken refuge in Estonia. 

Tre Hester: Latvia's government, undeterred by recent cyber operations against Estonian online resources, has begun dismantling a very large Second World War memorial in Riga. This one was erected in 1985, Bloomberg reports, near the end of Soviet power. It's come to be regarded as a symbol of nationalism, which is why the Latvian government is taking it down.

Roskomnadzor's Internet panopticon.

Tre Hester: Citing Kommersant, BleepingComputer reports that Roskomnadzor, the Russian internet watchdog, has contracted for the development of a tool that will automate internet scanning to identify objectionable material. The projected tool, known as Oculus, is described as a neural network that will use artificial intelligence to scan websites for prohibited information. The automatic scanner will analyze URLs, images, videos and chats on websites, forums, social media, and even chat and messenger channels to locate material that should be redacted or taken down. Roskomnadzor wants Oculus to be ready on December 12 of this year. The agency has lowballed the contract at 57.7 million rubles, or about $965,000, which observers think is grossly inadequate to fund such an ambitious project. 

Data-tampering attacks regarded as a growing risk.

Tre Hester: And finally, Protocol discusses data-tampering attacks with security experts. While the risk remains more potential than actual, such attacks have occurred. And they're regarded as particularly disturbing. They're difficult to detect and can be highly consequential. The risk is the integrity of an organization's own data. It's not simple data theft, as in doxxing or cyber-espionage, or denial of access to data, as in traditional ransomware. But it represents a quiet threat to the data themselves. Information an organization relies on for decision-making could be manipulated, corrupting the decision-making itself. And medical imagery could be altered with damaging, potentially lethal consequences. Or adversarial machine learning could alter the data used to train artificial intelligence with the eventual consequences for the AI's operation. It's a disturbing possibility and another thing for CISOs to worry about. If you can't trust your data, whom can you trust? 

Dave Bittner: And it is always my pleasure to welcome back to the show the CyberWire's own Rick Howard. He is our chief security officer, also our chief analyst. Rick, welcome back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So on this week's "CSO Perspectives (Pro)" podcast, you are covering two infamous cybersecurity espionage attacks conducted by the Chinese government. You've got the RSA Security breach of 2011 and the Equifax breach of 2017. First of all, what made you pick those two to highlight? 

Rick Howard: Well, because they are on opposite ends of the spectrum when it comes to crisis communications planning. On the one end, we have RSA Security, where the Chinese government stole the seed values of the RSA SecurID token product. That's the - I don't know if you remember this, Dave, but that was the two-factor authentication device, and back then, used by tens of millions of users in government and the military agencies, defense contractors, banks and countless corporations around the world. 

Dave Bittner: Yeah. 

Rick Howard: This event - it should have scuttled their company, and it didn't. And it's largely due to how their CEO, Art Coviello, managed the communications plan 'cause within a quarter of the breach, RSA Security made record profits again, all right? So that's an interesting case. And then contrast that with Equifax, where another Chinese government hacker group stole the PII of some 143 million U.S. consumers. That's 60% of the U.S. population. And in the end of that exercise - all right? - four executives lost their jobs, including the CEO and the CSO. The U.S. House Digital Commerce and Consumer Protection subcommittee hauled the CEO in to explain himself. And the total cost to recover was north of $1.4 billion, plus any legal fees. And that was largely due to how the CEO bungled the communications plan. So in this episode of "CSO Perspectives (Pro)," we're going to talk about why, in terms of crisis planning, did RSA Security do so well, and why Equifax didn't. 

Dave Bittner: All right. So that is on the pro side. That's our subscription side. How about on the public side, the ad-supported side this week? 

Rick Howard: Yeah, well, if you remember from last week's show, I was talking about the concept of adversary playbooks. And they're kind of the next step in thinking once you get your head around the Lockheed Martin intrusion kill chain model, the U.S. Department of Defense's Diamond Model and the MITRE ATT&CK framework. Adversary playbooks are an attempt to pull all that together into one bag. Well, as you might know, Dave, I didn't come up with that idea myself, all right? I'm not smart enough. My partner-in-crime for that paper that we eventually published on the subject was Ryan Olson, currently the VP of threat intelligence at Palo Alto Networks. So I brought him onto the show to discuss the current state of adversary playbooks and what needs to be done now to take the next step.

Dave Bittner: Well, before I let you go, what is the phrase of the week on your "Word Notes" podcast? 

Rick Howard: This week's word is microsegmentation, OK? And we've come a long way from those early internet days, back in the 1990s, when we thought to segment sensitive information from normal day-to-day network traffic by running separate physical cables and fibers. Today, especially in cloud environments, we can do it all in software, and microsegmentation is the latest tactic that we might use to implement this zero-trust concept. 

Dave Bittner: All right, lots of interesting stuff this week. You can find out more about all of that by visiting our website, thecyberwire.com. Rick Howard, thanks for joining us. 

Dave Bittner: And it is my pleasure to welcome back to the CyberWire Caleb Barlow. He is the CEO of Cylete. Caleb, it's always great to welcome you back. I want to touch base with you today on where we stand in terms of venture capital. And, you know, we have this looming possibility - specter, I would say - of a recession. What sort of things are you hearing about how that might affect venture capital in cyber? 

Caleb Barlow: Well, you know, first of all, everybody is debating are we in a recession or not? But I do think there's a few things we can acknowledge, right? Labor markets are still red hot, even though some companies are starting to slow down as, you know, supply chain issues start to get worked out. But just as, you know, cybersecurity was becoming a mainstream industry in the last recession, you know, kind of back in 2008 or so, we don't really have a good baseline on what the likely impact is of recessionary trends in cybersecurity. Now, one of the things, as I was looking at this, Dave, that I think is really important to underscore is nearly every CEO in a security vendor has growth-focused skills - right? - because that's all we've been dealing with over the last 10 years or so, is growth in this industry. And as we switch back to profitability-focused skills, this could be a real challenge for some leaders to be able to kind of pivot and shift gears. And we're already seeing examples of where venture capital is slowing down or pausing a bit. Valuation and funding rounds will probably be a bit lower. So, you know, I do think there's a bit of a cautionary tale here of maybe pumping the brakes a bit. But at the same time, you know, we ought to talk a little bit about, you know, what's likely to happen in labor markets and what's likely to happen, you know, in terms of funding rounds? 

Dave Bittner: Yeah. I mean, how do we reconcile the two sides of - the stories still come out about how there aren't enough people to hire. There are all these empty jobs. And on the other hand, I'm starting to hear stories of some cybersecurity companies doing rounds of layoffs. 

Caleb Barlow: Well, I mean, I think one of the things we have to recognize is that, you know, we still have over 700,000 open, unfilled jobs just in the United States in this field. So, you know, we're probably likely to see slowdowns in people filling jobs. You know, think outside of kind of the vendor market but in, you know, more traditional critical infrastructure companies where maybe those businesses are slowing down in general. There's certainly a good chance you may see hiring freezes, potentially even layoffs or hiring holes. But I do think what's - you know, that doesn't necessarily mean if you're a cybersecurity professional, you're going to be unemployed. What it might mean is you change jobs or that 700,000 open jobs starts to maybe reduce down a few hundred thousand jobs as people start to fill the gap that's been open for so long. 

Dave Bittner: What about on the venture capital side? Is there pumping of the brakes happening there?

Caleb Barlow: Well, you know, I mean, we're in a world where lots of people were taking down $100 million-plus rounds if you look at kind of the cybersecurity vendors. And the big thing you're going to see a shift in is a movement from growth-focused metrics to profitability and EBITDA-focused metrics. You know, and this is going to be the case in any kind of recessionary trend. What investors are going to look to see is, you know, can you turn this company into a profitable one? And of course, there's a couple of strategies there. One is to bring down enough money to weather the storm. Figure three to four years at a minimum. But the problem there is, you know, if you don't pump the brakes a bit on your spending, you don't want to come out of a recessionary trend still not profitable when all of your peers focused on profitability and have a really high burn rate. You know, on the other hand, if you're a company that can maybe pump the brakes a bit, switch your leadership in thinking to free cash flow and profitability versus rapid growth, you know, you might be in a position where not only can you weather the storm longer with the capital you have, but you're going to look much better coming out the other side when everybody's focused on those types of metrics. 

Dave Bittner: What's your advice then? I mean, for that CEO, that board of directors who's looking to maybe weather this storm - any words of wisdom there? 

Caleb Barlow: Well, I mean, I think the first thing is recognize the skills you have and the skills you don't, right? I mean, the folks in leadership positions that really weathered the last storm - and, you know, 2008 was mostly an impact on, for example, the auto industry and banking. It really didn't have an impact on the cybersecurity or technology industries, even. You have to go all the way back really to 2000. So you're talking about leaders that - the last leaders that weathered this are probably in their 50s now, which, you know, is not the demographic that makes up a lot of CEOs in cybersecurity companies. So the first thing is, you know, have those mentoring relationships, have those peers, and understand the metrics on which you're going to be measured are probably totally different than the metrics on which you've been measured for the last five or 10 years. You know, in addition to that, really watch your term sheets when you're going forward for another round. What's in those term sheets? You know, preferred stock, anti-dilution provisions - I mean, now is the time to pay attention to what are you signing up for. And the best deal might not be just the biggest deal, which is what I think everybody always used to get enamored with. But also watch what's happening. You know, we already see public software - you know, public security software companies are down in the first half, along with the rest of the market. But this is going to be a proxy for valuations, Dave, which are already showing signs of impact and people slowing down. 

Dave Bittner: All right. Interesting times. Caleb Barlow, thanks for joining us. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow.